1

Assume an attacker captures a piece of ciphertext encrypted with a symmetric key.

He knows all the details of the algorithm used to encrypt except for the size of the key used in this case.

Can he deduce the size of the key used to encrypt that particular piece of ciphertext?

My research:

According to this answer about the more general question of telling what algorithm is used, since ciphertext encrypted with a symmetric key looks like random, one cannot answer the question what key size it is using. https://crypto.stackexchange.com/a/138/15012

Community
  • 1
dandroid
  • 113
  • 2
  • In that link there is plenty of information to answer your question, just read it again carefully. Anyway, usually the key size is fixed in symmetric encryption algorithms, and therefore we give that information to the attacker anyway. If you assume that this isn't the case, your attacker model is weaker than "ciphertext only"... which is already considered too weak for today's standards. – tylo Jan 13 '15 at 14:50
  • yeah, you are right, that's why i linked it. i wanted to get a confirmation that my reasoning is correct. My security model does not assume the key length is unknown.

    I was asking this question to understand whether in the situation in which a country's laws specify that you cannot use keys larger than a given threshold whether they can actually learn how strong is your key by just capturing cyphertext you emitted (by capturing your network traffic for example)

     – dandroid Jan 14 '15 at 00:59

1 Answers1

0

No, that's not possible because of the reasons given in the other answer. Unless the block size is linked with the key size, or if the cipher is not cryptographically secure, you should not be able to find out the key size by just looking at the ciphertext. This is true even if you know the algorithm.

Note that this does not take side channel attacks into account. It's pretty reasonable to assume that ciphers take longer to compute when a larger key size is used. This is for instance true for AES, where there is a difference in the number of rounds used for each defined key size. Even if this is not the case then you should expect that e.g. the key expansion that is usually used will take more time for larger key sizes.

Note that the key size - just like the algorithm - is usually not considered to be a secret. So most protocols simply define the key as a constant or as part of protocol negotiations.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313