Cryptanalysis, Cryptographic Attacks and Diffie-Hellman Key Exchange
Classical and modern cryptanalysis, side channels, padding oracles, post-quantum readiness and the Diffie-Hellman key exchange.
Cryptanalysis is the half of cryptography that breaks things. The discipline is older than digital computing (Al-Kindi's frequency analysis dates to the ninth century, and the Bombe designed by Turing and Welchman was breaking Enigma traffic in the 1940s) and is what keeps the algorithms in active use honest. A digital forensic examiner is rarely the cryptanalyst, but is regularly the person who has to recognise a broken cipher in evidence: a TLS 1.0 server still offering CBC cipher suites in MAC-then-encrypt mode, a .zip archive with a known-plaintext header, an Android backup encrypted under a key derived from a four-digit PIN (a 10,000-guess search), or an Indian CA's CRL still signed with SHA-1 in 2018. Knowing the names of the attacks lets the examiner write a report that survives cross-examination on Section 39 BSA grounds.
This topic walks the canonical attack catalogue (ciphertext-only through adaptive chosen-ciphertext), the statistical attacks that shaped modern block-cipher design (differential and linear cryptanalysis), the side channels that break correct algorithms running on real hardware (timing, power, cache, EM), the deployment-level failures that have produced famous cases (Debian OpenSSL 2008, the PS3 ECDSA disaster, POODLE, Logjam), and the quantum threat that is reshaping standards (Shor and Grover, with the PQC standards NIST published in 2024). It closes with the Diffie-Hellman key exchange in detail, because ephemeral DH (DHE, and its elliptic-curve form ECDHE) is the single primitive that powers Perfect Forward Secrecy in TLS 1.3, IPSec IKEv2, SSH and Signal. The Indian dimension is concrete: the CCA roadmap on post-quantum migration and IDRBT's published papers on banking-sector PQC pilots.
What the attacker has, and what the attacker is trying to do.
The standard classification of attack models is the foundation; it builds on Kerckhoffs's assumption that the attacker knows everything about the system except the key. It sorts attacks by the kind of access the attacker is assumed to have, from the weakest (ciphertext only) to the strongest (adaptive chosen-ciphertext, with side-channel observations on top). The point of the classification is that a cipher proven secure under chosen-ciphertext attack is much stronger than one only secure against ciphertext-only adversaries, because almost every real protocol gives the attacker some way to submit ciphertexts and learn whether they were accepted. Modern AEAD modes such as AES-GCM are designed to meet the strongest model, provided they are used correctly (in GCM's case, never reusing a nonce under one key).
| Attack model | Attacker has | Goal | Example real-world setting |
|---|---|---|---|
| Ciphertext-only | Only ciphertexts | Recover key or plaintext | Intercepted radio traffic of unknown protocol |
| Known-plaintext | Plaintext + ciphertext pairs from past traffic | Recover the key used | A captured WPA2 handshake with a known SSID |
| Chosen-plaintext (CPA) | Can ask for encryption of any plaintext | Distinguish ciphertexts or recover key | Attacker who can inject HTTP requests through a victim's browser |
| Chosen-ciphertext (CCA1, "lunchtime") | Can ask for decryption of chosen ciphertexts, but only before seeing the target | Recover plaintext or distinguish | Mostly a theoretical step between CPA and CCA2: a decryption service the attacker could use before the target ciphertext existed |
| Adaptive chosen-ciphertext (CCA2) | Decryption oracle queries can depend on previous answers, including after the target is known | Stronger plaintext recovery | Bleichenbacher on PKCS#1 v1.5 RSA; POODLE on SSL 3.0 padding |
| Side-channel | Timing, power, EM or cache observations from a correct implementation | Recover key or nonce | Cache-timing attack on AES on a shared cloud VM |
The maths that taught us how to build block ciphers properly.
Two attacks reshaped modern block-cipher design. Differential cryptanalysis, published openly by Biham and Shamir in 1990 (and known internally to IBM and the NSA when they designed DES in the 1970s, which is why DES's S-boxes look the way they do), studies how chosen differences between plaintext pairs propagate through the rounds of a cipher to ciphertext differences. If a particular input difference produces a particular output difference with probability much higher than uniform, that bias can be exploited to recover key bits. Differential cryptanalysis is the reason AES uses an S-box with a provably small maximum differential probability (2^-6) and a wide-trail strategy that bounds how many active S-boxes any differential must pass through across rounds.
Linear cryptanalysis, due to Matsui in 1993, looks for linear approximations between plaintext bits, ciphertext bits and key bits that hold with probability significantly different from one-half. The first attack on full DES with practical data complexity (2^43 known plaintexts, demonstrated experimentally in 1994) was Matsui's linear cryptanalysis. AES's S-box is also designed to bound linear bias, which is why AES has resisted both kinds of statistical attack across 25 years of study.
The cipher is correct, the implementation leaks.
A cipher can be mathematically secure and still bleed key material through the physics of the device running it. Side-channel attacks treat the implementation as the target, not the algebra. They are the reason modern crypto code spends extra cycles to run in constant time, the reason HSMs are tamper-resistant in a specific certified way, and the reason a Class 3 DSC USB token must be FIPS 140-2 Level 2 or higher.
Timing attacks exploit the variation in how long an operation takes when it branches, or indexes memory, on secret data. Kocher's 1996 paper showed that RSA private-key operations leaked the private exponent bit by bit through measurable timing differences. The fix is constant-time code: every path takes the same time regardless of the secret, with no secret-dependent branches or memory addresses. Lucky 13 (AlFardan and Paterson 2013) was a timing attack on CBC-mode record processing in TLS 1.0 to 1.2 (and DTLS) that recovered plaintext from the small difference in MAC computation time between differently padded records; it accelerated the move to AEAD cipher suites.
Power analysis comes in two flavours. Simple Power Analysis (SPA) reads off the power trace of a single operation and identifies key bits directly from the visible structure of the trace (the difference between a multiply step and a square step in an RSA exponent ladder, for example). Differential Power Analysis (DPA), introduced by Kocher, Jaffe and Jun in 1999, statistically correlates power traces across many operations with hypotheses about intermediate values to recover the key. Smartcards and HSMs are designed and certified specifically against DPA, with randomised power profiles, dummy operations and masking.
Cache-timing attacks exploit the shared L1/L2/L3 caches on modern CPUs. Prime+Probe (Osvik, Shamir and Tromer 2006) and Flush+Reload (Yarom and Falkner 2014) can recover AES keys across virtual machines on the same physical host by observing which cache lines a table-based AES implementation touches. The realistic target is a shared host running software AES with lookup tables; the AES-NI instructions execute with data-independent timing and touch no tables, so AES-NI (or a bitsliced, table-free implementation) is the baseline any shared-host deployment, bank-grade ones included, should insist on.
| Side channel | What leaks | Real attack | Mitigation |
|---|---|---|---|
| Timing | Variable-time operations leak secret-dependent branches and memory accesses | Kocher 1996 on RSA; Lucky 13 on TLS CBC-MAC | Constant-time implementations; AEAD |
| Simple Power Analysis (SPA) | Power trace of one operation reveals structure | SPA on smartcard RSA exponent ladder | Square-and-multiply-always; Montgomery ladder |
| Differential Power Analysis (DPA) | Correlation across many traces | DPA on smartcard AES | Masking; randomisation; certified tokens |
| Cache timing | Cache hit/miss reveals access pattern | Flush+Reload on AES T-tables across cloud VMs | AES-NI; table-free or bitsliced AES |
| Electromagnetic (EM) | EM emanation correlates with computation | Genkin, Pipman and Tromer on RSA/ElGamal via a near-field probe | Shielding; blinded, constant-time arithmetic |
| Acoustic | CPU noise correlates with computation | Genkin, Shamir and Tromer RSA key extraction from coil whine | RSA blinding (GnuPG's fix); physical separation |
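The timing channel from the paragraphs above, as an added Python example (not code from the page). Real timing attacks need many samples and statistics to separate a few nanoseconds from noise; here the leaky comparison returns the number of bytes it compared before stopping, which is exactly the quantity the response time encodes, so the attack runs offline and deterministically. The TagVerifier service, its key and the message are constructed for the demo; the attacker only ever calls verify and reads the leak.

```python
import hashlib
import hmac
import secrets


def insecure_equal(a: bytes, b: bytes):
    """Early-exit comparison, the pattern timing attacks exploit.

    Returns (equal, bytes_compared). The second value is the leak: a real attacker
    measures it as response time; here it is returned directly for a deterministic demo.
    """
    if len(a) != len(b):
        return False, 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


class TagVerifier:
    """Hypothetical service that authenticates messages with HMAC-SHA256."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def _expected(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify_leaky(self, msg: bytes, tag: bytes):
        # Vulnerable: how long the check runs depends on how many leading tag bytes are right.
        return insecure_equal(self._expected(msg), tag)

    def verify_constant_time(self, msg: bytes, tag: bytes):
        # Hardened: compare_digest takes the same time wherever the first mismatch is,
        # so the "timing" the attacker sees is identical for every guess.
        return hmac.compare_digest(self._expected(msg), tag), len(tag)


def forge_tag(verify, msg: bytes, tag_len: int = 32) -> bytes:
    """Recover a valid tag for msg one byte at a time from the timing channel.

    At position i the correct byte is the one guess that makes the server compare one
    byte further (or accept the whole tag): at most 256 * tag_len queries, not 2**(8 * tag_len).
    """
    tag = bytearray(tag_len)
    for i in range(tag_len):
        for guess in range(256):
            tag[i] = guess
            ok, compared = verify(msg, bytes(tag))
            if ok or compared > i + 1:
                break
    return bytes(tag)


def demo():
    """(attack succeeds against the leaky check, attack succeeds against the constant-time check)."""
    server = TagVerifier()
    msg = b"transfer 100 to account 42"  # constructed sample message
    forged = forge_tag(server.verify_leaky, msg)
    forged_ct = forge_tag(server.verify_constant_time, msg)
    return server.verify_constant_time(msg, forged)[0], server.verify_constant_time(msg, forged_ct)[0]
```

Against the constant-time verifier the attacker gets no signal, so forge_tag returns garbage and the forged tag is rejected; against the leaky one it needs at most 8,192 queries to produce a tag the server accepts. The same byte-at-a-time logic is what the CBC padding-oracle and Lucky 13 attacks do with a different leak.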
The cipher was fine; the protocol that wrapped it was not.
Some of the most consequential crypto failures of the last 25 years had nothing to do with the underlying algorithms. They came from protocols that wrapped a correct cipher in a structure that leaked information through error messages, length fields, or random-number generation.
The padding-oracle attack on CBC mode was first published by Vaudenay in 2002. CBC-mode ciphertexts use PKCS#7 padding so the plaintext length is a multiple of the block size; the decryptor strips and checks the padding after decrypting. If the protocol returns one error for "bad padding" and a different error (or just a different timing) for "padding fine but authentication failed", an attacker who can submit ciphertexts recovers the plaintext byte by byte, with at most 256 queries per byte, by manipulating the preceding ciphertext block and watching which response comes back. POODLE (Möller, Duong and Kotowicz 2014) against SSL 3.0 and Lucky 13 (2013) against TLS CBC suites are the famous realisations; BEAST (Duong and Rizzo 2011), often listed with them, is a different CBC weakness (predictable chained IVs in TLS 1.0, exploited as a chosen-plaintext attack) rather than a padding oracle. The structural fix is encrypt-then-MAC or true AEAD: AES-GCM and ChaCha20-Poly1305 verify the authentication tag before releasing any plaintext and need no padding at all, so the oracle never opens.
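The attack just described, as an added Python example that is not code from the page. To stay within the standard library the block cipher is a toy 4-round Feistel network built from HMAC-SHA256 (not a real cipher; the attack does not depend on which cipher sits under CBC). The server, key, IV and the message are constructed for the demo; the attacker sees only the IV, the ciphertext and the oracle's yes/no answer. The pad-of-one edge case (a guess that happens to decrypt to \x02\x02 also passes the check) is handled explicitly.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: keyed and round-numbered, 8-byte output.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel network on a 16-byte block; a stand-in for AES, not for real use.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, padded = [], iv, pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return pkcs7_unpad(b"".join(out))

def make_padding_oracle(key: bytes):
    """The vulnerable server: its only observable behaviour is whether the padding checked out."""
    def oracle(iv: bytes, ciphertext: bytes) -> bool:
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    """Recover one plaintext block from the block (or IV) preceding it, last byte first."""
    inter = bytearray(BLOCK)  # D_key(block): CBC xors this with prev to produce the plaintext
    for pad in range(1, BLOCK + 1):
        j = BLOCK - pad
        # Bytes after position j are forced to decrypt to the pad value being targeted.
        suffix = bytes(inter[k] ^ pad for k in range(j + 1, BLOCK))
        for guess in range(256):
            crafted = bytes(j) + bytes([guess]) + suffix
            if not oracle(crafted, block):
                continue
            if pad == 1:
                # Edge case: a guess that decrypts to ...\x02\x02 also passes. Flip the byte
                # before it and ask again; only a genuine trailing \x01 survives the change.
                alt = bytearray(crafted)
                alt[j - 1] ^= 0xFF
                if not oracle(bytes(alt), block):
                    continue
            inter[j] = guess ^ pad
            break
        else:
            raise RuntimeError("no guess gave valid padding; the oracle is not behaving as modelled")
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    chunks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b"".join(recover_block(oracle, chunks[i - 1], chunks[i]) for i in range(1, len(chunks)))
    return pkcs7_unpad(plaintext)

def demo() -> bool:
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    message = b"constructed sample: bid amount 4,20,00,000"  # three CBC blocks once padded
    ciphertext = cbc_encrypt(key, iv, message)
    # The attacker holds iv, ciphertext and the oracle; the key never leaves the server.
    return padding_oracle_attack(make_padding_oracle(key), iv, ciphertext) == message
```

The whole 42-byte message falls in a few thousand queries. With encrypt-then-MAC or an AEAD the server checks the tag before it looks at padding and returns one uniform failure, so every crafted query is rejected and recover_block raises on the very first byte; that is the "oracle never opens" property in code.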
Length-extension attacks against bare SHA-1 and SHA-256 in MAC constructions (computing H(key || message) and treating the result as a tag) let an attacker who knows the tag, the message and the key length append data to the message and compute a valid tag for the extended message without knowing the key, because a Merkle-Damgård digest is simply the hash's internal state after the last block. HMAC (RFC 2104) eliminates this with its nested construction H((K xor opad) || H((K xor ipad) || m)): the outer hash hides the inner state the extension would need. (SHA-3 and BLAKE2 are not Merkle-Damgård and do not leak their state this way, but HMAC remains the standard answer.) Forensic candidates frequently see this in legacy Indian banking APIs that signed requests with naive concatenation hashing before migrating to HMAC-SHA-256.
Shor and Grover, and the Indian PQC roadmap.
Quantum computing changes the cryptanalytic threat model in a specific, predictable way. Two algorithms matter. Shor's algorithm (1994) factorises integers and solves discrete logarithms in polynomial time on a sufficient-scale quantum computer, which breaks RSA, DSA, ECDSA and classical Diffie-Hellman completely. Grover's algorithm (1996) gives a quadratic speed-up for unstructured search, which in the textbook accounting halves the effective security of symmetric ciphers: AES-256 retains about 128 bits of post-quantum security, while AES-128 drops to about 64 bits. The 64-bit figure is a worst-case bound, since Grover's iterations must run sequentially and cannot be parallelised the way a classical brute force can, so NIST does not treat AES-128 as practically broken; AES-256 is nonetheless the conservative target for data with a long confidentiality horizon.
The practical timeline is uncertain but the policy response is not. NIST ran a multi-year Post-Quantum Cryptography standardisation process and in August 2024 published the first three standards. CRYSTALS-Kyber became ML-KEM (Module-Lattice Key Encapsulation Mechanism, FIPS 203) for key establishment. CRYSTALS-Dilithium became ML-DSA (Module-Lattice Digital Signature Algorithm, FIPS 204) for signatures. SPHINCS+ became SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205) as a conservative hash-based signature backup. Falcon, a compact lattice-based signature, is being standardised separately as FN-DSA (FIPS 206). The Indian dimension is active: CCA India's working group on PQC has issued draft guidance for licensed CAs and IDRBT has published pilot papers on hybrid TLS (ECDHE + ML-KEM) for banking-sector trials.
| Primitive | Classical security | Post-quantum security | PQC successor |
|---|---|---|---|
| RSA-2048 | 112-bit | Broken (Shor) | ML-KEM (for KEM); ML-DSA (for signatures) |
| RSA-3072 | 128-bit | Broken (Shor) | ML-KEM; ML-DSA |
| ECDH P-256 | 128-bit | Broken (Shor) | ML-KEM |
| ECDSA P-256 | 128-bit | Broken (Shor) | ML-DSA; SLH-DSA; Falcon |
| AES-128 | 128-bit | ~64-bit (Grover) | Move to AES-256 |
| AES-256 | 256-bit | ~128-bit (Grover) | Stay on AES-256 |
| SHA-256 | 256-bit (pre-image) | ~128-bit (Grover) | Acceptable; consider SHA-384 / SHA-512 for long horizons |
A shared secret across a public channel without ever sending it.
Diffie-Hellman key exchange is the older sibling of RSA and arguably the more elegant idea. Diffie and Hellman published it in 1976, crediting Merkle, whose puzzle scheme anticipated the idea (Hellman later argued it should be called Diffie-Hellman-Merkle); it gave the world the first practical mechanism for two parties to agree on a shared secret over an eavesdropped channel without prior contact. The maths is small enough to set out completely. The public parameters are a large prime p and a generator g of a large prime-order subgroup of the integers mod p. Alice picks a secret exponent a and sends A = g^a mod p; Bob picks a secret b and sends B = g^b mod p. Alice computes B^a mod p, Bob computes A^b mod p, and both obtain the same value g^(ab) mod p, which becomes the shared secret. An eavesdropper sees p, g, A and B; recovering a or b from them is the discrete logarithm problem, infeasible at 2048 bits, and recovering g^(ab) from A and B alone (the computational Diffie-Hellman problem) is believed to be no easier. Elliptic-curve DH replaces exponentiation mod p with scalar multiplication of a curve point and reaches the same security level with 256-bit keys.
Practical examiner work crosses the levels. A WPA2 capture is a known-plaintext scenario: the four-way handshake exposes the nonces and a MIC computed over known EAPOL frames, which is exactly what an offline dictionary attack on the PSK needs to test each guess. A captured Indian government tender encrypted as a misconfigured AES-CBC blob without authentication may admit a padding-oracle attack if the server returns distinguishable errors. A side-channel attack on a smart-card-based Class 3 DSC token is a research-grade exercise and is one of the threats CCA-licensed CAs explicitly require their tokens to be certified against.
Algebraic cryptanalysis models a cipher as a system of polynomial equations and attempts to solve it. The XL and XSL families were proposed against AES in the early 2000s; in practice they have not yielded a break of AES, and the consensus is that AES is not vulnerable to currently known algebraic attacks. Meet-in-the-middle attacks apply to multi-encryption schemes: 2DES (double-encrypting under two independent DES keys) gives only about 57 bits of effective security against a meet-in-the-middle attack rather than the 112 bits naive analysis would suggest (encrypt a known plaintext under all 2^56 first keys, decrypt its ciphertext under all 2^56 second keys, and look for a match), which is precisely why Triple DES uses three encryptions in EDE mode to land at 112 bits of effective security. Even so, 3DES keeps DES's 64-bit block, which exposes long sessions to birthday-bound attacks (Sweet32, 2016), and NIST disallowed it for encryption after 2023.
The Indian-context lesson is concrete. CCA-licensed CAs run their HSMs at FIPS 140-2 Level 3 and issue DSC tokens certified at Level 2 or higher; among other things, validation at those levels mandates an approved random-number generator and protected key storage, the controls whose absence produced Debian OpenSSL 2008 (a patched RNG seeded with almost no entropy) and the PS3 signing-key recovery (a reused ECDSA nonce). When a forensic examiner is asked whether a signature is valid, the algebra of the signature is only the start; whether the private key and the per-signature nonce were generated soundly is what separates a confident report from a hedged one.
DH on its own does not authenticate. An active attacker can sit between Alice and Bob, run two separate DH exchanges (one with each), and read and rewrite everything that passes. The fix is to bind the exchange to a long-term key: in TLS 1.2 the server signs its ephemeral DH parameters in ServerKeyExchange with the RSA or ECDSA private key behind its certificate, and in TLS 1.3 it signs the whole handshake transcript in CertificateVerify, so the client knows the key share it received came from the certificate holder and was not substituted along the way.
Ephemeral DH (DHE for finite-field, ECDHE for elliptic-curve) delivers Perfect Forward Secrecy. The group parameters stay fixed, but each session uses fresh private exponents that are erased when the session ends. Even if the server's long-term private key is later compromised, recorded session traffic stays unreadable because the session keys cannot be reconstructed without the discarded ephemeral secrets. TLS 1.3 allows only (EC)DHE key exchange, optionally combined with a pre-shared key; static RSA key transport, which had no PFS, was removed. UPI message-layer cryptography still uses RSA key transport for backward compatibility, which is one of the reasons CCA and NPCI roadmaps include a planned move to ECDHE-style ephemeral channels.
Logjam (Adrian et al 2015) is the cautionary tale on the DH side. Many TLS servers in 2015 still supported export-grade 512-bit DH groups for backward compatibility with 1990s clients. An active attacker could downgrade the handshake to a 512-bit group and then, after a one-off precomputation for that group, break each connection's discrete log in about a minute. Worse, many servers shared the same 1024-bit DH group, which made a far larger one-time precomputation worthwhile against a large pool of targets. The fix is to disable export ciphers, use 2048-bit or larger DH groups (either unique per server or the standardised RFC 7919 groups), and prefer ECDHE on standardised curves (P-256, X25519), which have no equivalent precomputation shortcut. Indian government sites took several years after Logjam to complete this migration; CERT-In advisories in 2016 and 2017 specifically called it out.
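The exchange set out at the start of this section, the peer-value validation, the man-in-the-middle from the unauthenticated-DH paragraph and Logjam's small-group break, as one added Python example (not the page's code, and not the RFC groups a real server would use). The 32- and 64-bit safe primes are toy sizes chosen so the baby-step giant-step break finishes in well under a second; a real deployment uses a standardised 2048-bit group (RFC 7919 ffdhe2048) or X25519, where generic attacks are hopeless and even the index-calculus methods Logjam used cost on the order of 2^112 at 2048 bits. The function names are mine.

```python
import math
import secrets

_SMALL = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 2**64, which covers this demo."""
    if n < 2:
        return False
    for p in _SMALL:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1 both prime, so the group has a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q

def find_generator(p: int, q: int) -> int:
    """A random non-trivial square mod a safe prime has order exactly q."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g

def keypair(p: int, q: int, g: int):
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def validate_public(p: int, q: int, y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (degenerate-key and small-subgroup checks)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def shared_secret(p: int, q: int, their_public: int, my_private: int) -> int:
    if not validate_public(p, q, their_public):
        raise ValueError("peer public value rejected")
    return pow(their_public, my_private, p)

def bsgs_dlog(p: int, q: int, g: int, y: int):
    """Baby-step giant-step: find x with g^x = y in about 2*sqrt(q) multiplications.
    Instant for a 32-bit p, hopeless at 2048 bits; group size is the whole defence."""
    m = math.isqrt(q) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, q - m, p)  # g^(-m), valid because g has order q
    cur = y
    for i in range(m):
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant_step % p
    return None

def mitm(p: int, q: int, g: int) -> bool:
    """Unauthenticated DH: Mallory runs one exchange with Alice and one with Bob and holds both keys."""
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    m1, M1 = keypair(p, q, g)  # shown to Alice as "Bob's" public value
    m2, M2 = keypair(p, q, g)  # shown to Bob as "Alice's" public value
    k_alice, k_bob = shared_secret(p, q, M1, a), shared_secret(p, q, M2, b)
    return (shared_secret(p, q, A, m1) == k_alice and shared_secret(p, q, B, m2) == k_bob
            and k_alice != k_bob)

def demo():
    """(honest parties agree, 32-bit group yields the private exponent, MITM splits the session)."""
    p, q = gen_safe_prime(64)
    g = find_generator(p, q)
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    agree = shared_secret(p, q, B, a) == shared_secret(p, q, A, b)
    # Logjam in miniature: an "export-sized" group gives up the private exponent immediately.
    p2, q2 = gen_safe_prime(32)
    g2 = find_generator(p2, q2)
    x, Y = keypair(p2, q2, g2)
    return agree, bsgs_dlog(p2, q2, g2, Y) == x, mitm(p, q, g)
```

Two points the code makes that the prose only states: validate_public is what a TLS stack must do on every received key share, since accepting 1 or p-1 lets an attacker force the shared secret to a known value; and mitm succeeds without breaking anything, which is why the signature over the transcript, not the group size, is what defeats it.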
ElGamal (1985) is Diffie-Hellman recast as a public-key system: ElGamal encryption is a one-sided DH exchange against a fixed public key (the scheme OpenPGP uses for DH-family encryption keys), and the ElGamal signature scheme is the ancestor of DSA. It survives in OpenPGP key material and some legacy PKI artefacts; for current Indian PKI work the practical signature scheme is ECDSA on P-256 or Ed25519 rather than ElGamal directly.
Key management is the boring part that decides whether all of this maths is worth anything. Generation must use a vetted RNG. Distribution must not pass private keys over the network. Escrow is politically controversial in India (the IT Act decryption rules under Section 69 sit at the edge of the issue). Rotation must be scheduled and tested. Revocation must publish through CRL and OCSP. Destruction must be verifiable. Hardware Security Modules (HSMs) handle high-value keys (CCA root keys, NPCI signing keys, IDRBT bank-grade keys) inside FIPS 140-2 Level 3 or higher tamper-resistant boundaries. Cross-link with Asymmetric Cryptosystems, Hashing, PKI and Digital Signatures for the PKI and DSC detail and with Cryptography Fundamentals for the historical attack vocabulary.