Cryptanalysis, Cryptographic Attacks and Diffie-Hellman Key Exchange

The Kerckhoffs-style classification of attacks is the foundation. It sorts attacks by the kind of access the attacker is assumed to have, from the weakest (ciphertext only) to the strongest (adaptive chosen-ciphertext with side-channel access). The point of the classification is that a cipher claimed to be secure under chosen-ciphertext attack is much stronger than one only secure against ciphertext-only adversaries. Modern AEAD ciphers like AES-GCM are designed to resist the strongest model.

Practical examiner work crosses the levels. A WPA2 capture is a known-plaintext scenario where the four-way handshake exposes structured material that a dictionary attack on the PSK can exploit. A captured Indian government tender encrypted with a misconfigured AES-CBC blob without authentication may admit a padding-oracle attack if the server returns distinguishable errors. A side-channel attack on a smart-card-based Class 3 DSC token is a research-grade exercise and is one of the threats CCA-licensed CAs explicitly require their tokens to be certified against.

Two attacks reshaped modern block-cipher design. Differential cryptanalysis, published openly by Biham and Shamir in 1990 (and known internally to IBM and the NSA when they designed DES in the 1970s, which is why DES's S-boxes look the way they do), studies how chosen differences between plaintext pairs propagate through the rounds of a cipher to ciphertext differences. If a particular input difference produces a particular output difference with probability much higher than uniform, that bias can be exploited to recover key bits. Differential cryptanalysis is the reason AES uses an S-box with provable maximum differential probability and a wide-trail strategy that bounds differential propagation across rounds.

Linear cryptanalysis, due to Matsui in 1993, looks for linear approximations between plaintext bits, ciphertext bits and key bits that hold with probability significantly different from one-half. The first attack on full DES with practical data complexity (2^43 known plaintexts) was Matsui's linear cryptanalysis. AES's S-box is also designed to bound linear bias, which is why AES has resisted both kinds of statistical attack across 25 years of study.

1. Pick a candidate bias
   For differential, choose an input difference delta_x with a non-uniform output-difference distribution after one or two rounds. For linear, find a linear equation over plaintext, ciphertext and key bits that holds with probability one-half plus epsilon.
2. Build a multi-round characteristic
   Chain the single-round bias across multiple rounds. The end-to-end probability is roughly the product of per-round probabilities for differential, or compounded by Matsui's piling-up lemma for linear.
3. Collect data
   For differential, gather chosen-plaintext pairs with the chosen input difference. For linear, gather known plaintext-ciphertext pairs. The data complexity scales as 1 / epsilon^2.
4. Recover key bits
   Guess the last-round subkey, partially decrypt each pair, count how often the predicted bias appears. The correct guess produces the strongest signal.
5. Extend to full key
   Iterate over rounds or use a meet-in-the-middle layer to recover remaining key bits, then verify with one trial decryption.

Algebraic cryptanalysis models a cipher as a system of polynomial equations and attempts to solve it. The XL and XSL families were proposed against AES in the early 2000s; in practice they have not yielded a break of AES, and the consensus is that AES is not vulnerable to currently known algebraic attacks. Meet-in-the-middle attacks apply to multi-encryption schemes: 2DES (double-encrypting under two independent DES keys) gives only about 57 bits of effective security against a meet-in-the-middle attack rather than the 112 bits naive analysis would suggest, which is precisely why Triple DES uses three encryptions in EDE mode to land at 112 bits of effective security.

A cipher can be mathematically secure and still bleed key material through the physics of the device running it. Side-channel attacks treat the implementation as the target, not the algebra. They are the reason modern crypto code spends extra cycles to run in constant time, the reason HSMs are tamper-resistant in a specific certified way, and the reason a Class 3 DSC USB token must be FIPS 140-2 Level 2 or higher.

Timing attacks exploit the variation in how long an operation takes when it branches on secret data. Kocher's 1996 paper showed that RSA private operations leaked the private exponent bit by bit through measurable timing differences. The fix is constant-time arithmetic: every code path takes the same number of cycles regardless of the secret. Lucky 13 (AlFardan and Paterson 2013) was a timing attack against TLS 1.0 record processing that recovered plaintext through the timing of MAC computation; it forced the move to AEAD ciphers.

Power analysis comes in two flavours. Simple Power Analysis (SPA) reads off the power trace of a single operation and identifies key bits directly from the visible structure of the trace (the difference between a multiply step and a square step in an RSA exponent ladder, for example). Differential Power Analysis (DPA), introduced by Kocher, Jaffe and Jun in 1999, statistically correlates power traces across many operations with hypotheses about intermediate values to recover the key. Smartcards and HSMs are designed and certified specifically against DPA, with randomised power profiles, dummy operations and masking.

Cache-timing attacks exploit shared L1/L2/L3 caches on modern CPUs. Flush+Reload (Yarom and Falkner 2014) and Prime+Probe attacks can recover AES keys across virtual machines on the same physical host by observing cache line access timings. Cloud deployments running AES without the AES-NI instruction (which executes in constant time) on shared hosts are the realistic target; this is one reason every major Indian bank has migrated its core AES paths to AES-NI hardware.

Several major cryptographic failures of the past 25 years were not weaknesses in the underlying algorithms. They arose from protocols that wrapped a correct cipher in a structure leaking information through error messages, length fields, or random-number generation.

The padding-oracle attack on CBC mode was first published by Vaudenay in 2002. CBC-mode ciphertexts use PKCS#7 padding so the plaintext length matches a block boundary; a decryptor checks the padding after decrypting. If the protocol returns one error for "bad padding" and a different error (or even just a different timing) for "padding fine but authentication failed", an attacker can recover plaintext byte by byte by sending crafted ciphertexts and watching which response comes back. BEAST (Duong and Rizzo 2011) and POODLE (Moller et al 2014) are the famous TLS realisations. The structural fix is encrypt-then-MAC or true AEAD: AES-GCM and ChaCha20-Poly1305 verify authenticity before any padding check, so the oracle never opens.

Length-extension attacks against bare SHA-1 and SHA-256 in MAC constructions (computing H(key + message) and treating the result as a tag) let an attacker append data to the message and compute a valid tag without knowing the key. HMAC (RFC 2104) eliminates this by its double-hashing construction. Forensic candidates frequently see this in legacy Indian banking APIs that signed requests with naive concatenation hashing before migrating to HMAC-SHA-256.

The Indian-context lesson is concrete. CCA-licensed CAs require their HSMs and DSC tokens to be FIPS 140-2 Level 3 certified specifically to defend against the class of failures that produced Debian OpenSSL 2008 (weak RNG) and PS3 (predictable nonce). When a forensic examiner is asked whether a signature is valid, the algebra of the signature is only the start; the question of whether the private key generation was sound is what separates a confident report from a hedged one.

Quantum computing changes the cryptanalytic threat model in a specific, predictable way. Two algorithms matter. Shor's algorithm (1994) factorises integers and solves discrete logarithms in polynomial time on a sufficient-scale quantum computer, which breaks RSA, DSA, ECDSA and classical Diffie-Hellman completely. Grover's algorithm (1996) gives a quadratic speed-up for unstructured search, which halves the effective security of symmetric ciphers: AES-256 retains about 128 bits of post-quantum security, while AES-128 drops to about 64 bits.

The practical timeline is uncertain but the policy response is not. NIST ran a multi-year Post-Quantum Cryptography standardisation process and in 2024 published the first set of finalists as standards. CRYSTALS-Kyber became ML-KEM (Module-Lattice Key Encapsulation Mechanism, FIPS 203) for key establishment. CRYSTALS-Dilithium became ML-DSA (Module-Lattice Digital Signature Algorithm, FIPS 204) for signatures. SPHINCS+ became SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205) as a conservative hash-based signature backup. Falcon, a compact lattice-based signature, was queued as a fourth standard. The Indian dimension is active: CCA India's working group on PQC has issued draft guidance for licensed CAs and IDRBT has published pilot papers on hybrid TLS (ECDHE + ML-KEM) for banking-sector trials.

Diffie-Hellman key exchange was published by Diffie, Hellman and Merkle in 1976 as the first practical mechanism for two parties to agree on a shared secret over an eavesdropped channel without prior contact. The mathematics is compact enough to present in full.

1. Public parameters
   A large prime p (2048-bit or larger today) and a generator g of a multiplicative subgroup mod p. These are public; everyone uses the same parameters.
2. Alice's contribution
   Alice picks a random secret integer a (her private key). She computes A = g^a mod p and sends A to Bob over the public channel.
3. Bob's contribution
   Bob picks a random secret integer b. He computes B = g^b mod p and sends B to Alice.
4. Shared secret
   Alice computes K = B^a mod p = g^(ab) mod p. Bob computes K = A^b mod p = g^(ab) mod p. They now share K.
5. Eavesdropper's problem
   An eavesdropper sees p, g, A and B but not a or b. Recovering K requires solving the discrete logarithm problem in the group, which is computationally infeasible for the right group sizes.

DH on its own does not authenticate. An active attacker can sit between Alice and Bob, run two separate DH exchanges (one with each), and read everything that passes. The fix is to sign the DH exchange with a long-term key (the server's RSA or ECDSA private key in a TLS handshake), which lets the client verify it is talking to the holder of the certificate. TLS 1.2 and 1.3 do exactly this: ECDHE for the key exchange and an RSA or ECDSA signature over the handshake transcript for authentication.

Ephemeral DH (DHE for finite-field, ECDHE for elliptic-curve) delivers Perfect Forward Secrecy. Each session generates fresh DH parameters that are discarded at session end. Even if the server's long-term private key is later compromised, recorded session traffic stays unreadable because the session keys cannot be reconstructed without the discarded ephemeral secrets. TLS 1.3 makes ECDHE mandatory; static RSA key transport, which lacked PFS, was removed. UPI message-layer cryptography still uses RSA key transport for backward compatibility, which is one of the reasons CCA and NPCI roadmaps include a planned move to ECDHE-style ephemeral channels.

Logjam (Adrian et al 2015) is the cautionary tale on the DH side. Many TLS servers in 2015 still supported export-grade 512-bit DH groups for backward compatibility with 1990s clients. An active attacker could downgrade the handshake to a 512-bit group and then break the discrete log in under a minute with precomputation. Worse, many servers shared the same 1024-bit DH group, which made one-time precomputation worthwhile against a large pool of targets. The fix is to disable export ciphers, use unique 2048-bit or larger DH parameters per server, and prefer ECDHE on standardised curves (P-256, X25519) which have no equivalent precomputation shortcut. Indian government sites took several years after Logjam to complete this migration; CERT-In advisories in 2016 and 2017 specifically called it out.

ElGamal is the signature variant of Diffie-Hellman and a building block in DSA and in OpenPGP encryption. It appears in DNSSEC algorithm allocations and in some legacy PKI material; for current Indian PKI work the practical scheme is ECDSA on P-256 or Ed25519 rather than ElGamal directly.

Key management determines whether the mathematics above translates into actual security in practice. Generation must use a vetted RNG. Distribution must not pass private keys over the network. Escrow is politically controversial in India (the IT Act decryption rules under Section 69 sit at the edge of the issue). Rotation must be scheduled and tested. Revocation must publish through CRL and OCSP. Destruction must be verifiable. Hardware Security Modules (HSMs) handle high-value keys (CCA root keys, NPCI signing keys, IDRBT bank-grade keys) inside FIPS 140-2 Level 3 or higher tamper-resistant boundaries. Cross-link with Asymmetric Cryptosystems, Hashing, PKI and Digital Signatures for the PKI and DSC detail and with Cryptography Fundamentals for the historical attack vocabulary.