At 2:18 PM -0800 2/19/03, Ed Gerck wrote:
Maybe I'm missing something here, but the unicity rule as I understand it is a probabilistic result. The likelihood of two keys producing different natural language plaintexts from the same cipher text falls exponentially as the message length exceeds the unicity distance, but it never goes to zero. So unicity can't be used to answer the original question* definitively.Anton Stiglic wrote:> The statement was for a plaintext/ciphertext pair, not for a random-bit/ > random-bit pair. Thus, if we model it terms of a bijection on random-bit > pairs, we confuse the different statistics for plaintext, ciphertext, keys and > we include non-AES bijections. While your reformulation of the problem is interesting, the initial question was regarding plaintext/ciphertext pairs, which usually just refers to the pair of elements from {0,1}^n, {0,1}^n, where n is the block cipher length.The previous considerations hinted at but did not consider that a plaintext/ciphertext pair is not only a random bit pair. Also, if you consider plaintext to be random bits you're considering a very special -- and least used -- subset of what plaintext can be. And, it's a much easier problem to securely encrypt random bits. The most interesting solution space for the problem, I submit, is in the encryption of human-readable text such as English, for which the previous considerations I read in this list do not apply, and provide a false sense of strength. For this case, the proposition applies -- when qualified for the unicity.
I'd also point out that modern ciphers are expected to be secure against know plaintext attacks, which is generally a harsher condition than knowing the plaintext is in natural language. Furthermore they are usually subject to chosen plaintext attack which is always harsher.
Arnold Reinhold
* Here is the original question. It seems clear to me that he is asking about all possible plaintext bit patterns:
At 2:06 PM +0100 2/17/03, Ralf-Philipp Weinmann wrote:
I was wondering whether the following is true:
"For each AES-128 plaintext/ciphertext (c,p) pair there
exists exactly one key k such that c=AES-128-Encrypt(p, k)."
Of course we can look at the generalized case of Rijndael
with block size == key size and ask the same question. I'd
be happy with an answer for AES-128 nonetheless.
At first I thought this was a trivial question since the round
function minus AddRoundKey is bijective. But I haven't been
able to come up with anything thus far, so I thought I'd
ask the list.
Any ideas?
Cheers,
Ralf
p.s.: I am familiar with Wernsdorf's paper, but it hasn't
helped me thus far.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
