Breaches, Breaches, Breaches — The Unrecognized Cause

The centerpiece of cyber security is the communication between two coordinating parties sharing a symmetric key. They usually use AES, or a variant thereto. Unfortunately the resultant cyphertext hides in it the key that was used in generating it. The common wisdom is that no one is smart enough to excavate the key from the exposed ciphertext , so any and all secrets are transported over the Internet in the form of this committed ciphertext. Among them are access secrets used by hackers to impose a ransomware attack and massive theft of data.

The common argument in favor of the security of these class of ciphers that hide the key inside them is that one will have to apply “brute force”, namely to try every possible key to find the single right one. And if there are enough keys to go through then the cipher is secure. A large unpublished body of mathematical development generates “accelerated brute force” searches where the right key is found pretty fast. And then there are weak keys — keys that have some mathematical properties that allow a positive algorithm to carve out the key from the ciphertext.

We know that clients which used the class of ciphers where the ciphertext does not point to the key used to generate it, are resilient to these accelerated brute force attack. The hackers can’t dig out the plaintext from the ciphertext, and will no longer humble their pray with devastating ransomware demands.

See https://eprint.iacr.org/2020/389 and https://eprint.iacr.org/2017/366