AES-128 keys unique for fixed plaintext/ciphertext pair?

Dave Howe DaveHowe at
Fri Feb 21 19:13:36 EST 2003

Ed Gerck wrote:
> This may sound intuitive but is not correct. Shannon proved that if
> "n" (bits, bytes, letters, etc.) is the unicity distance of a
> ciphersystem, then ANY message  that is larger than "n" bits CAN be
> uniquely deciphered from an analysis of its ciphertext -- even though
> that may require some large (actually, unspecified) amount of work.
> Thus, the likelihood of of two keys producing valid decipherments (as
> plaintexts that can be enciphered to the same ciphertext, natural
> language or not), from the same ciphertext is ZERO after the message
> length exceeds the unicity distance -- otherwise the message could
> not be uniquely deciphered after the unicity condition is reached,
> breaking Shannon's result.
This is not necessarily the case. Beyond the Unicity distance it is possible
to determine the unique plaintext for each cyphertext. if the unicity
distance for AES is one block or less, then you can uniquely determine the
plaintext matching the cyphertext - even if two keys could possibly generate
the same mapping for that unique plaintext to cyphertext pair.
AFAIK, shannon doesn't mention *how* you resolve the mapping, just that it
exists. as a Known Plaintext attack usually cannot trivially obtain the key,
I don't know how a theoretical "shannon" attack could be expected to yield a
key in addition to the plaintext.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list