If an attacker sets out to crack the symmetric key of e.g. AES-CTR, would they
Question
If an attacker sets out to crack the symmetric key of e.g. AES-CTR, would they prefer to have access to many small cryptotexts or one large cryptotext? I.e. is it more interesting for the attacker to see cryptotexts of many IVs than of a single IV?
Does the answer change if also the plaintexts (many small, possibly similar, plaintexts or one large) are available to the cracker?
Does the answer differ per (approved) crypto algorithm and mode?
I assume perfect implementations, IVs etc. but assume nothing about the properties of the plaintext, except that the attacker does not get to choose it.
If these are too many questions, requiring too long an answer, focus on the first.
Explanation / Answer
Assuming perfect implementations and good block ciphers, it doesn't matter (for any of your questions).
As long as the underlying block cipher is good and has a long enough block length (e.g., 128 bits, as all versions of AES have), any good mode of operation has a security theorem guaranteeing security against chosen plaintext attack for a total of about 2^(b/2) blocks of data, where b is the block length. For b=128, that's 2^64 blocks, which is more than anyone could ever have time to generate or encrypt (or store).
All this applies to CPA security, which is an even stronger property than resistance to key cracking.
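The 2^(b/2) bound can be observed on a scaled-down cipher. The following is an added example, not part of the original answer: it assumes a toy 16-bit Feistel cipher (hypothetical, built from SHA-256) in place of AES, runs it in CTR mode well past 2^(b/2) = 256 blocks, and counts repeated keystream blocks for one large message and for many small ones. With known plaintext the observer recovers the keystream as P xor C, so this count is exactly what they can see.

```python
import hashlib

B = 16  # toy block length in bits (AES has b = 128); assumption for the demo

def _f(key: bytes, rnd: int, half: int) -> int:
    # Round function: 8 bits out of SHA-256(key || round || half)
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def toy_encrypt(key: bytes, block: int) -> int:
    """4-round Feistel network on 16-bit blocks: a keyed permutation."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 8) | right

def random_function(key: bytes, block: int) -> int:
    """Stand-in for an ideal random keystream: outputs may repeat."""
    digest = hashlib.sha256(b"rf" + key + block.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def counter_blocks(messages):
    """messages: list of (first_counter_block, n_blocks); ranges must not overlap."""
    blocks = [start + i for start, n in messages for i in range(n)]
    assert len(set(blocks)) == len(blocks), "counter block reused"
    return blocks

def keystream_collisions(prim, key, messages) -> int:
    """Number of repeated keystream blocks visible to a known-plaintext observer."""
    stream = [prim(key, c) for c in counter_blocks(messages)]
    return len(stream) - len(set(stream))

KEY = b"constructed demo key"  # constructed sample value
Q = 2048  # 2^11 blocks, above the 2^(B/2) = 256 birthday bound
ONE_LARGE = [(0, Q)]                               # one message of 2048 blocks
MANY_SMALL = [(16 * i, 4) for i in range(Q // 4)]  # 512 messages of 4 blocks

if __name__ == "__main__":
    for name, layout in (("one large", ONE_LARGE), ("many small", MANY_SMALL)):
        print(name, "CTR:", keystream_collisions(toy_encrypt, KEY, layout),
              "random:", keystream_collisions(random_function, KEY, layout))
```

Both layouts give zero repeats under CTR and a nonzero count for the random stand-in, so only the total number of blocks matters, and the difference is a distinguisher from random, not a recovery of the key.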