AES-128 keys unique for fixed plaintext/ciphertext pair?

Arnold G. Reinhold reinhold at
Fri Feb 21 07:56:39 EST 2003

At 2:18 PM -0800 2/19/03, Ed Gerck wrote:
>Anton Stiglic wrote:
>>  > The statement was for a plaintext/ciphertext pair, not for a random-bit/
>>  > random-bit pair. Thus, if we model it terms of a bijection on random-bit
>>  > pairs, we confuse the different statistics for plaintext, ciphertext, keys
>>  and
>>  > we include non-AES bijections.
>>  While your reformulation of the problem is interesting, the initial question
>>  was regarding plaintext/ciphertext pairs, which usually just refers to the
>>  pair
>>  of elements from {0,1}^n, {0,1}^n, where n is the block cipher length.
>The previous considerations hinted at but did not consider that a
>plaintext/ciphertext pair is not only a random bit pair.
>Also, if you consider plaintext to be random bits you're considering a very
>special -- and least used -- subset of what plaintext can be. And, it's a
>much easier problem to securely encrypt random bits.
>The most interesting solution space for the problem, I submit, is in the
>encryption of human-readable text such as English, for which the previous
>considerations I read in this list do not apply, and provide a false sense of
>strength. For this case, the proposition applies -- when qualified for  the

Maybe I'm missing something here, but the unicity rule as I 
understand it is a probabilistic result.  The likelihood of two keys 
producing different natural language plaintexts from the same cipher 
text falls exponentially as the message length exceeds the unicity 
distance, but it never goes to zero. So unicity can't be used to 
answer the original question* definitively.

I'd also point out that modern ciphers are expected to be secure 
against know plaintext attacks, which is generally a harsher 
condition than knowing the plaintext is in natural language. 
Furthermore they are usually subject to chosen plaintext attack which 
is always harsher.

Arnold Reinhold

* Here is the original question. It seems clear to me that he is 
asking about all possible plaintext bit patterns:

At 2:06 PM +0100 2/17/03, Ralf-Philipp Weinmann wrote:
>I was wondering whether the following is true:
>"For each AES-128 plaintext/ciphertext (c,p) pair there
>  exists exactly one key k such that c=AES-128-Encrypt(p, k)."
>Of course we can look at the generalized case of Rijndael
>with block size == key size and ask the same question. I'd
>be happy with an answer for AES-128 nonetheless.
>At first I thought this was a trivial question since the round
>function minus AddRoundKey is bijective. But I haven't been
>able to come up with anything thus far, so I thought I'd
>ask the list.
>Any ideas?
>p.s.: I am familiar with Wernsdorf's paper, but it hasn't
>       helped me thus far.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list