Is symmetric encryption vulnerable to known plaintext attack?

Question

If Bob sends some plaintext to Alice for encryption before sending the ciphertext to Carol, can Bob deduce the key by comparing the plaintext and ciphertext assuming only Alice and Carol knows the key and it is a symmetric encryption scheme?

Answer 1

It sounds like you're describing a "chosen plaintext attack" where Bob can craft a series of special messages that he can use to break the encryption through differential cryptanalysis.

(You might also be thinking of the "known plaintext attack" where Bob knows the plaintext and the ciphertext but can't make special ones - e.g. if Alice is reading the plain texts then she might notice Bob is sending weird messages.)

(And as a0video points out, there are also attacks where the attacker can encrypt the same plain text with different keys.)

Some symmetric encryption algorithms are indeed vulnerable to these attacks.

On a practical note, though, if you are properly using a modern, well established symmetric algorithm, such as AES - and you should be! - then you have little to worry about. The best crypto attacks on AES still don't reduce the time needed to break them to anything remotely do-able.

Answer 2

It depends on what construction you are using. For example Graham mentioned AES, which its known to be a semantic secure block cipher. However, all ciphers are vulnerable to exhaustive search attack and in the case of AES, even four times better key recovery attack is known - this paper from BKR '11

Answer 3

This kind of attack would work no problem if the key is not strong. So the weak key, the known plain text does help a lot. I mean, with AES and truly random key the known plain text would not help.