AES-128 keys unique for fixed plaintext/ciphertext pair?
Arnold G. Reinhold
reinhold at world.std.com
Fri Feb 21 07:56:39 EST 2003
At 2:18 PM -0800 2/19/03, Ed Gerck wrote:
>Anton Stiglic wrote:
>
>> > The statement was for a plaintext/ciphertext pair, not for a random-bit/
>> > random-bit pair. Thus, if we model it terms of a bijection on random-bit
>> > pairs, we confuse the different statistics for plaintext, ciphertext, keys
>> and
>> > we include non-AES bijections.
>>
>> While your reformulation of the problem is interesting, the initial question
>> was regarding plaintext/ciphertext pairs, which usually just refers to the
>> pair
>> of elements from {0,1}^n, {0,1}^n, where n is the block cipher length.
>
>The previous considerations hinted at but did not consider that a
>plaintext/ciphertext pair is not only a random bit pair.
>
>Also, if you consider plaintext to be random bits you're considering a very
>special -- and least used -- subset of what plaintext can be. And, it's a
>much easier problem to securely encrypt random bits.
>
>The most interesting solution space for the problem, I submit, is in the
>encryption of human-readable text such as English, for which the previous
>considerations I read in this list do not apply, and provide a false sense of
>strength. For this case, the proposition applies -- when qualified for the
>unicity.
>
Maybe I'm missing something here, but the unicity rule as I
understand it is a probabilistic result. The likelihood of two keys
producing different natural language plaintexts from the same cipher
text falls exponentially as the message length exceeds the unicity
distance, but it never goes to zero. So unicity can't be used to
answer the original question* definitively.
I'd also point out that modern ciphers are expected to be secure
against know plaintext attacks, which is generally a harsher
condition than knowing the plaintext is in natural language.
Furthermore they are usually subject to chosen plaintext attack which
is always harsher.
Arnold Reinhold
* Here is the original question. It seems clear to me that he is
asking about all possible plaintext bit patterns:
At 2:06 PM +0100 2/17/03, Ralf-Philipp Weinmann wrote:
>I was wondering whether the following is true:
>
>"For each AES-128 plaintext/ciphertext (c,p) pair there
> exists exactly one key k such that c=AES-128-Encrypt(p, k)."
>
>Of course we can look at the generalized case of Rijndael
>with block size == key size and ask the same question. I'd
>be happy with an answer for AES-128 nonetheless.
>
>At first I thought this was a trivial question since the round
>function minus AddRoundKey is bijective. But I haven't been
>able to come up with anything thus far, so I thought I'd
>ask the list.
>
>Any ideas?
>
>Cheers,
>Ralf
>
>p.s.: I am familiar with Wernsdorf's paper, but it hasn't
> helped me thus far.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list