| > Beyond that:  Are weak keys even detectable using a ciphertext-only
| > attack (beyond simply trying them - but that can be done with *any* small
| > set of keys)?
| Yes, generally, that's the definition of a weak key.
Which weak keys would those be?  The DES weak keys are self-inverting:
Encryption and decryption are the same.  The only way to test whether
the ciphertext you are looking at was encrypted with a weak key is
to try to encrypt it again with each of the weak keys and see if
you get something that makes sense.  Of course, for exactly the same
cost, you could *decrypt* with all the weak keys.

For the semi-weak keys, the story is pretty much the same except that
you have pairs of keys to try.

Looking at Wikipedia's summary of cryptosystems with weak keys:

        RC4 weak keys allow a known-plaintext attack.
        IDEA weak keys are subject to a chosen-plaintext attack (the
                XOR of plaintext and ciphertext is predictable)
        Blowfish weak keys are subject to a chosen plaintext
                attack against a reduced-round variant.

Are you aware of any cryptosystem with weak keys identifiable from
plaintext only?

| > But that's an odd
| > attack to defend against - why not just try all the weak keys (or,
| > again, any small subset of keys) and see if they work?
| Because that's the definition of brute forcing, and generally the key
| distribution
| is close to uniform in any [symmetric] system that is worth a second glance?
I have no idea what this means.
                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to