Re: AES-128 keys unique for fixed plaintext/ciphertext pair?

Arnold G. Reinhold
Fri, 21 Feb 2003 07:41:56 -0800

At 2:18 PM -0800 2/19/03, Ed Gerck wrote:

Anton Stiglic wrote:

 > The statement was for a plaintext/ciphertext pair, not for a random-bit/
 > random-bit pair. Thus, if we model it terms of a bijection on random-bit
 > pairs, we confuse the different statistics for plaintext, ciphertext, keys
 and
 > we include non-AES bijections.

 While your reformulation of the problem is interesting, the initial question
 was regarding plaintext/ciphertext pairs, which usually just refers to the
 pair
 of elements from {0,1}^n, {0,1}^n, where n is the block cipher length.

The previous considerations hinted at but did not consider that a
plaintext/ciphertext pair is not only a random bit pair.

Also, if you consider plaintext to be random bits you're considering a very
special -- and least used -- subset of what plaintext can be. And, it's a
much easier problem to securely encrypt random bits.

The most interesting solution space for the problem, I submit, is in the
encryption of human-readable text such as English, for which the previous
considerations I read in this list do not apply, and provide a false sense of
strength. For this case, the proposition applies -- when qualified for  the
unicity.

Maybe I'm missing something here, but the unicity rule as I understand it is a probabilistic result. The likelihood of two keys producing different natural language plaintexts from the same cipher text falls exponentially as the message length exceeds the unicity distance, but it never goes to zero. So unicity can't be used to answer the original question* definitively.

I'd also point out that modern ciphers are expected to be secure against know plaintext attacks, which is generally a harsher condition than knowing the plaintext is in natural language. Furthermore they are usually subject to chosen plaintext attack which is always harsher.

Arnold Reinhold

* Here is the original question. It seems clear to me that he is asking about all possible plaintext bit patterns:

At 2:06 PM +0100 2/17/03, Ralf-Philipp Weinmann wrote:

I was wondering whether the following is true:

"For each AES-128 plaintext/ciphertext (c,p) pair there
 exists exactly one key k such that c=AES-128-Encrypt(p, k)."

Of course we can look at the generalized case of Rijndael
with block size == key size and ask the same question. I'd
be happy with an answer for AES-128 nonetheless.

At first I thought this was a trivial question since the round
function minus AddRoundKey is bijective. But I haven't been
able to come up with anything thus far, so I thought I'd
ask the list.

Any ideas?

Cheers,
Ralf

p.s.: I am familiar with Wernsdorf's paper, but it hasn't
      helped me thus far.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to