A generic attack to ciphers
In this paper, we present a generic attack for ciphers, which is in essence a collision attack on the secret keys of ciphers.
💡 Research Summary
The paper claims to introduce a generic attack on symmetric ciphers that exploits collisions among secret keys. The authors model a cipher as a function Cₖ(x) that takes a secret key k and a plaintext x and produces a ciphertext. Under the strong assumption that, for a fixed plaintext X, the mapping k ↦ Cₖ(X) behaves like a random function over the key space, the output distribution is essentially as large as the key space itself.
Based on this assumption, the attack proceeds as follows: choose a public n‑bit plaintext X, generate ciphertexts C_{kᵢ}(X) for a large set of distinct keys {k₁,…,k_N}, and store the pairs (C_{kᵢ}(X), kᵢ) in a dictionary D sorted by the ciphertext component. When an adversary obtains a target ciphertext C* = C_{k*}(X) for some unknown key k*, they simply look up C* in D; a match yields the secret key k*.
The authors support the feasibility of this approach with two propositions reminiscent of the birthday paradox. Proposition 1 estimates the probability p that all N ciphertexts are distinct, showing p > 1 – 2^{–n}. Proposition 2 states that if the adversary collects t ciphertexts, then the probability p̂ that at least one of them appears in D satisfies p̂ ≥ 0.98 provided 2·t·n·m ≥ N + m, where m denotes the number of comparisons needed to search D. They argue that with modern computing resources a dictionary of about 2^{50} entries is attainable, implying that any cipher using keys of 50 bits or fewer would be vulnerable.
The paper claims the method applies to block ciphers, stream ciphers, and MACs, and that only a few ciphertexts per key (e.g., a 48‑byte plaintext for a 128‑bit key) are needed, making the attack “feasible.”
Critical analysis reveals several fundamental flaws. First, the central assumption—that the key‑dependent encryption function behaves as a truly random mapping for a fixed plaintext—is unrealistic for well‑designed ciphers. Modern designs incorporate diffusion and confusion mechanisms that deliberately prevent such simple key‑ciphertext collisions; the probability of two distinct keys producing the same ciphertext on the same plaintext is negligible, far below the 2^{–n} bound used in the paper.
Second, the storage requirement is grossly underestimated. A dictionary containing 2^{50} entries, each storing an n‑bit ciphertext and an n‑bit key, would need on the order of 2^{50} × 2n bits, i.e., tens of petabytes of memory. Current commercial hardware cannot sustain such a dataset at reasonable cost, and the time required to generate it (2^{50} encryptions) is prohibitive.
Third, the attack’s success hinges on the existence of a matching ciphertext in the pre‑computed dictionary. In practice, an adversary does not control the plaintext X used by the victim; unless the victim encrypts exactly the same X, the probability of a collision is essentially zero. The claim that “only a few ciphertexts are needed” ignores the necessity of matching both the plaintext and the key, which is not guaranteed in real‑world scenarios.
Fourth, the mathematical derivations are vague and contain inconsistent notation. The inequality p > 1 – 2^{–n} merely restates that distinct ciphertexts are highly likely, offering no insight into the attack’s advantage over brute‑force key search. The condition 2·t·n·m ≥ N + m is derived without a clear definition of m, and the proof does not account for the cost of dictionary look‑ups, cache effects, or parallelization.
Finally, the paper does not situate its contribution within the extensive literature on key‑related attacks. Collisions are a well‑studied phenomenon for hash functions, but applying them directly to secret keys requires specific weaknesses such as poor key schedules or key reuse—issues the authors never address. Consequently, the proposed “generic attack” lacks novelty, practical relevance, and rigorous justification.
In summary, while the paper presents an interesting theoretical construct, its assumptions are unrealistic, its resource estimates are infeasible, and its security implications are negligible for properly designed ciphers with adequately sized keys (e.g., ≥ 128 bits). The work does not constitute a credible threat to contemporary symmetric cryptography.
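As an added illustration (not code from the paper or its authors), the dictionary procedure described above run against a toy cipher with a 16-bit key space, modelled the way the paper assumes by a truncated hash of key and plaintext; the names `toy_cipher`, `build_dictionary`, `lookup_key` and `dictionary_size_bytes` are chosen here. It shows that building D already costs one encryption per key, that the lookup succeeds only when the victim encrypts the attacker's chosen X, and it reproduces the storage figure from the critique.

```python
import hashlib
from typing import Dict, Optional

KEY_BITS = 16          # toy key space so the full dictionary fits in memory
N_BYTES = 8            # toy "n": 64-bit ciphertext blocks


def toy_cipher(key: int, plaintext: bytes) -> bytes:
    """Model cipher C_k(x): SHA-256 of (k || x) truncated to N_BYTES.

    Constructed stand-in for the paper's assumption that k -> C_k(X)
    looks like a random function; it is not a real cipher.
    """
    k = key.to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(k + plaintext).digest()[:N_BYTES]


def build_dictionary(plaintext: bytes) -> Dict[bytes, int]:
    """Precompute D = {C_k(X): k} over every key. This costs 2^KEY_BITS
    encryptions, i.e. exactly the work of exhaustive search on X."""
    return {toy_cipher(k, plaintext): k for k in range(1 << KEY_BITS)}


def lookup_key(D: Dict[bytes, int], target_ct: bytes) -> Optional[int]:
    """The attack step: a single table probe; None when nothing collides."""
    return D.get(target_ct)


def dictionary_size_bytes(log2_entries: int, n_bits: int) -> int:
    """Storage for N entries, each holding an n-bit ciphertext and n-bit key."""
    return (1 << log2_entries) * 2 * n_bits // 8


def demo():
    X = b"public X"            # the attacker's chosen public plaintext
    D = build_dictionary(X)
    secret = 0xBEEF            # victim's key, unknown to the attacker
    # Case 1: victim encrypts the very same X -> one lookup yields the key.
    hit = lookup_key(D, toy_cipher(secret, X))
    # Case 2: victim encrypts anything else -> the table is useless
    # (a chance 64-bit match has probability about 2^16 / 2^64).
    miss = lookup_key(D, toy_cipher(secret, b"other msg"))
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("same plaintext: recovered key", hex(hit) if hit is not None else None)
    print("different plaintext:", "hit" if miss is not None else "no match")
    print("2^50 entries at n=128:", dictionary_size_bytes(50, 128) // 2**50, "PiB")
```

With n = 128 the table of 2^{50} entries comes to 2^{55} bytes, i.e. 32 PiB, which is the "tens of petabytes" figure above.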