current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Information Security Stack Exchange is a question and answer site for information security professionals. It's 100% free, no registration required.

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 17 down vote favorite
2

Is there a key for AES-128, 256 etc, where cleartext equals ciphertext? (regardless of modes like chaining or ctr-cbc)

share|improve this question
4  
Please clarify what you are asking. Are you asking whether there exists a key k and a plaintext x such that E_k(x)=x? Or are you asking whether there exists a key k such that E_k(x)=x for all x? – D.W. 14 hours ago
up vote 30 down vote accepted

In the "ideal cipher" model, the block cipher is a permutation of the space of input blocks, chosen uniformly among all such permutations. A plaintext that gets encrypted to itself is a fixed point for the permutation; it is expected that about 63.21% of all permutations have at least one fixed point (a permutation with no fixed point is called a derangement).

Thus, assuming that AES is an ideal cipher, then it is expected that for about two thirds of possible keys, there will be at least one plaintext block that is encrypted to itself.

Now, finding that fixed point is quite another thing; we in fact expect not to be able to easily find that fixed point or even ascertain whether it exists or not -- the "moral" reason is that finding a fixed point on a random permutation requires hitting it exactly, which is akin to a brute force on the whole input space, of size 2128 in the case of AES. In other words, if we could find fixed points or even prove (non-constructively) their existence or non-existence for any specific key, then this would mean that we could differentiate AES from the ideal cipher model, and that would be worrying.

(See also that answer on crypto.SE.)

Note: while a majority of AES keys should have at least one fixed point, it is strongly expected that there is no key that turns AES into an identity function (i.e. all plaintexts being fixed points): there are 128! possible permutations, a number waaaay larger than the 2256+2192+2128 possible AES keys, thus the identity permutation is very unlikely to correspond to a key. But there again, we don't expect to be able to prove it.

share|improve this answer
1  
I suspect one could create a handwaving 'proof' for the last para. Let's suppose AES key X had a fixed point with plaintext Y (where Y is at least as large as the key size). If any given bit of Y is altered, then for X to be an identity key, exactly the same bit (but no others) of Y must be changed. But by looking at how AES's 'stirring' works, it cannot be true that changing any one bit of the input changes exactly the same bit (and only that bit) of the output. Therefore X cannot be an identity key. – abligh 2 hours ago

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.