| > Beyond that: Are weak keys even detectable using a ciphertext-only
| > attack (beyond simply trying them - but that can be done with *any* small
| > set of keys)?
|
| Yes, generally, that's the definition of a weak key.

Which weak keys would those be? The DES weak keys are self-inverting: Encryption and decryption are the same. The only way to test whether the ciphertext you are looking at was encrypted with a weak key is to try to encrypt it again with each of the weak keys and see if you get something that makes sense. Of course, for exactly the same cost, you could *decrypt* with all the weak keys.

For the semi-weak keys, the story is pretty much the same except that you have pairs of keys to try.

Looking at Wikipedia's summary of cryptosystems with weak keys:

  RC4 weak keys allow a known-plaintext attack.
  IDEA weak keys are subject to a chosen-plaintext attack (the XOR of plaintext and ciphertext is predictable)
  Blowfish weak keys are subject to a chosen plaintext attack against a reduced-round variant.

Are you aware of any cryptosystem with weak keys identifiable from plaintext only?

| > But that's an odd
| > attack to defend against - why not just try all the weak keys (or,
| > again, any small subset of keys) and see if they work?
|
| Because that's the definition of brute forcing, and generally the key distribution
| is close to uniform in any [symmetric] system that is worth a second glance?

I have no idea what this means.

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]