Hello,
I was wondering whether it is theoretically possible to use Grover alrogithm to break AES in CBC mode. Assume that I have ~1000 plaintext/ciphertext pairs and key length is 128 bits. I thought about it this way:
- For each pair of plaintext and ciphertext use only first 16 bytes of plaintext and first 16 bytes of ciphertext. (They will be labeled as Pn, Cn where n is n-th pair)
- Write down set of equations with one unknown variable - key. (Key is labeled as K)
AES-128d(C1, K) ⊕ AES-128d(C2, K) = P1 ⊕ P2
AES-128d(C3, K) ⊕ AES-128d(C4, K) = P3 ⊕ P4
AES-128d(C5, K) ⊕ AES-128d(C6, K) = P5 ⊕ P6
...
AES-128d is AES-128 decryption function
⊕ is XOR - Use Grover algorithm to find K from the equations given above. If key is found determining IV is easy by using this equation:
AES-128d(C1, K) = P1 ⊕ IV
Can Grover algorithm be used to invert set of equations from step 2? How many plaintext/ciphertext pairs would I need to uniquely dertermine key and IV for keylengths of 128, 192 and 256 bits?