4

Is there a simple proof that shows AES is not a uniform permutation on any $n$-bit string?

Since I'm just starting with crypto, I'd like to see a simple yet elegant proof for the said property. Thanks!

Trina

1 Answer

7

There is no uniform permutation; there is a permutation uniformly chosen from the set of all possible permutations over $Z_2^{128}$.

It is evident that AES is not a uniformly chosen permutation, since its permutation is fixed for any key.

One can consider a family $\{AES_K\}$ of AES permutations under all possible keys $K$. Even if the key is chosen uniformly, the resulting permutation is not uniformly chosen, as not every permutation is an AES permutation with some key. This comes from a simple counting argument: there are $2^{128}$ 128-bit keys and thus $2^{128}$ AES-128 permutations, but the total number of bijections over $Z_2^{128}$ is $$ (2^{128})! \approx \frac{2^{128\cdot 2^{128}}}{e^{2^{128}}} \approx 2^{2^{133.5}}. $$

Dmitry Khovratovich
  • You could expand the last part by showing that the number of AES permutations is less than the number of permutations. – otus Aug 18 '14 at 13:19
  • I read a paper (an extract, actually) once that showed how all permutations used in cryptology have the same sign (positive, if I remember correctly). I cannot find it now, but that will show that AES permutations are strictly included in all possible permutations. – ddddavidee Aug 18 '14 at 13:33
  • A partial answer can be found in this question and its answer: https://crypto.stackexchange.com/questions/15612/block-cipher-and-parity-of-permutation – ddddavidee Aug 18 '14 at 13:39
  • @ddddavidee: actually, there are block ciphers that can implement an odd permutation; they're not common, but they most certainly do exist. AES (as well as the vast majority of block ciphers) will always do an even permutation. – poncho Aug 24 '14 at 16:06
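
An added example, not part of the original answer or comments: a constructed 8-bit toy Feistel cipher (not AES; the S-box choice, key schedule and all names are assumptions for illustration) small enough to enumerate every key. It carries the counting argument through on that toy and also checks the permutation parity mentioned in the comments.

```python
import math

# Constructed toy cipher (NOT AES): 8-bit block, 8-bit key, 4-round Feistel.
# The 4-bit S-box and the key schedule are assumptions chosen for illustration.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK_BITS = 8
KEY_BITS = 8

def toy_encrypt(key, block):
    """Encrypt one 8-bit block; round keys alternate between the key's nibbles."""
    left, right = block >> 4, block & 0xF
    for rk in [key >> 4, key & 0xF] * 2:
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 4) | right

def permutation_for_key(key):
    """The full lookup table x -> E_key(x), i.e. the permutation this key selects."""
    return tuple(toy_encrypt(key, x) for x in range(2 ** BLOCK_BITS))

def is_even(perm):
    """A permutation of n points with c cycles is even iff (n - c) is even."""
    seen = [False] * len(perm)
    cycles = 0
    for start in range(len(perm)):
        if not seen[start]:
            cycles += 1
            x = start
            while not seen[x]:
                seen[x] = True
                x = perm[x]
    return (len(perm) - cycles) % 2 == 0

def survey():
    """Compare the keyed family against the set of all permutations of the block space."""
    perms = [permutation_for_key(k) for k in range(2 ** KEY_BITS)]
    # Every key must give a bijection on the 2^8 blocks.
    assert all(sorted(p) == list(range(2 ** BLOCK_BITS)) for p in perms)
    return {
        "keys": len(perms),
        "distinct_permutations": len(set(perms)),
        # log2((2^8)!) via the log-gamma function.
        "log2_all_permutations": math.lgamma(2 ** BLOCK_BITS + 1) / math.log(2),
        "all_even": all(is_even(p) for p in perms),
    }

if __name__ == "__main__":
    print(survey())
```

The toy family can reach at most 256 of the roughly $2^{1684}$ permutations of its block space, and every one of them is even, so a uniformly chosen key never yields a uniformly chosen permutation.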