Also known as: brute-force attack, exhaustive key search

A brute-force attack (exhaustive key search) simply tries every candidate key or parameter set until one reproduces the observed ciphertext.¹ It always works in principle; in practice it is bounded by the size of the search space and the cost of testing each candidate, so it is decisive only when that space is small — or when a cheap early-exit test rejects most candidates quickly.

Enumerate, test, reject. A fast rejection test on a small sample lets a huge space be swept before the rare survivor is fully verified.

How it works

The attacker fixes a candidate structure with a few unknown constants and loops over all their values, simulating the cipher and comparing against the data. Two practices make large sweeps tractable: a cheap early-exit — reject a candidate after a few mismatched bytes on a small sample, before running the full corpus — and parallelism across cores. When the unknowns number in the millions it is feasible; when they number a full 256-entry table it is not, and an algebraic or SAT/SMT approach is needed instead.

Relevance to SDR

Reverse-engineering an undocumented encoder often reduces to a few unknown constants — a multiplier, an additive step, a seed. GopherTrunk’s clean-room analysis of the Motorola P25 talker-alias obfuscation (issue #773) used parallel brute-force sweeps over such constants to rule out whole families of update rules (linear congruential, multiplicative-mod-prime, multiply-with-carry) against a known-plaintext corpus, each with a fast early-exit on the longest messages.

Sources

1. Brute-force attack — Wikipedia, for exhaustive key search and its dependence on key-space size. ↩

See also

• Known-plaintext attack
• Algebraic attack
• SAT/SMT solving
• Differential cryptanalysis
• RC4 (ARC4) cipher