AES-128 keys unique for fixed plaintext/ciphertext pair?
Greg Rose
ggr at qualcomm.com
Mon Feb 17 21:09:55 EST 2003
At 02:06 PM 2/17/2003 +0100, Ralf-Philipp Weinmann wrote:
>"For each AES-128 plaintext/ciphertext (c,p) pair there
> exists exactly one key k such that c=AES-128-Encrypt(p, k)."
I'd be very surprised if this were true, and if it was, it might have bad
implications for related key attacks and the use of AES for hashing/MACing.
Basically, block encryption with a given key should form a pseudo-random
permutation of its inputs, but encryption of a constant input with a
varying key is usually expected to behave like a pseudo-random *function*
instead.
Greg.
Greg Rose INTERNET: ggr at qualcomm.com
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list