AES-128 keys unique for fixed plaintext/ciphertext pair?

Ed Gerck egerck at
Tue Feb 18 22:23:06 EST 2003

The relevant aspect is that the plaintext and key statistics are the
determining factors as to whether the assertion is correct or not.

In your case, for example, with random keys and ASCII text in English,
one expects that a 128-bit ciphertext segment would NOT satisfy the
requirement for a unique solution -- which is 150 bits of ciphertext.
However, since most cipher systems begin with a "magic number" or
has a message format that begins with the usual "Received", "To:", "From:",
etc., it may be safer to consider a much lower unicity, for example less than
128 bits. In that case, even one block of AES would satisfy the requirements
-- and compression would NOT help.

Of course, keeping the same key while encrypting the next block would
also satisfy the requirements for the resulting 256-bit ciphertext/plaintext
pair to have a unique solution.[*]

Ed Gerck

[*] But note that if the plaintext has the full entropy of ASCII text in English
(as in your example) and compression is used, then the unicity should
increase to above 300 bits of ciphertext. The result is that a two-block
segment of ASCII text in English that is encrypted with the same key would
NOT satisfy the requirement for a unique solution.

Sidney Markowitz wrote:

> Ed Gerck <egerck at> wrote:
>  > For each AES-128 plaintext/ciphertext (c,p) pair with length
> > equal to or larger than the unicity distance, there exists exactly
> > one key k such that c=AES-128-Encrypt(p, k).
> Excuse my naivete in the math for this, but is it relevant that the unicity
> distance of ASCII text encrypted with a 128 bit key is about 150 bits
> [Schneier, p 236] and the AES block size is only 128 bits? If you use plain
> ECB mode is the plaintext/ciphertext length in the above statement 128 bits,
> or does the statement imply that you have an arbitrary length (c,p) pair
> using whatever mode, possibly chaining, makes sense for your purpose?
>  -- sidney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list