2

For example, AES-128 starting with a 128-bit message $m_0$ and a static 128-bit key $k$


$AES128(m_0,k)\rightarrow c_0$
$c_0\rightarrow m_1$
$AES128(m_1,k)\rightarrow c_1$
$c_1\rightarrow m_2$
...
continue until $m_i$ is equal to any $m_j, j<i$


The period length would be $l = i-j$

Any theory about how big that $l$ will be?
Will it be equal for any possible $m_0$?
Is $l=j$ for every $m_0$?

(edit: in AES $j$ is always 0 because it is a symmetric algorithm. Each cipher value has only one possible plaintext.)

J. Doe
  • 1
    Yes, there is a theory about this. By fixing the key randomly you selected a random permutation among the permutations of AES. Actually, you are asking about the distribution of the cycles of a permutation. See this answer of Cycles in SHA256 They i.e. Squeamish Ossifrage – kelalaka Oct 27 '19 at 13:42
  • @kelalaka Are you sure about this? SHA256 is a hash algorithm. AES is a symmetric block cipher. SHA256 can have many inverse results (or many values can give one SHA256 value). In AES there is only one inverse value. AES is not a normal permutation. – J. Doe Oct 27 '19 at 23:13

1 Answer

9

Since AES under any fixed key is a permutation, we necessarily have $j = 0$ and $i = l$—iterating a permutation enough times will always return you to the starting point.

From Harris 1960 (paywall-free), if we model AES as a uniform random permutation, every period length $l$ has equal probability $1/n$ (Eq. 5.2) for any particular starting point, where $n = 2^{128}$ is the size of the domain, so the expected cycle length is $\sum_{i=1}^n i/n = (n + 1)/2 \approx 2^{127}$.

(Any substantial deviation from this would imply an attack on AES.)

Squeamish Ossifrage
  • So it is the same as a real uniform random permutation? "if we model AES as a uniform random permutation" <-- Is it proven that this can be done? With this, an assumption is made that there is no kind of inner structure. – J. Doe Oct 27 '19 at 15:49
  • 2
    @J.Doe Any substantial deviation from this would imply an attack on AES. – Squeamish Ossifrage Oct 27 '19 at 15:52
  • Not sure why that is the case (the attack thing). But this might be the topic of a new question. – J. Doe Oct 27 '19 at 16:39
  • 3
    It would imply a PRP distinguisher: Given an oracle $\mathcal O$ (which may be either $\operatorname{AES}_k$ for uniform random $k$, or a uniform random permutation), pick an arbitrary input $x$, query the oracle for $\mathcal O(x)$, $\mathcal O(\mathcal O(x))$, $\dotsc$, $\mathcal O^q(x)$, and check for a duplicate (maybe use a constant-memory cycle-detection algorithm). If there's a duplicate substantially more often, or substantially less often, for AES than for a uniform random permutation, then that's a distinguishing attack on the central security conjecture of AES. – Squeamish Ossifrage Oct 27 '19 at 16:43
  • @SqueamishOssifrage so not an answer? But your answer makes more sense than fgrieu comment oO. – J. Doe Oct 27 '19 at 17:18
  • @J.Doe I fixed it. fgrieu was correct (well, off by 1/2, for a relative error of $1/2^{128}$ which is a rounding error in binary64 floating-point!). – Squeamish Ossifrage Oct 27 '19 at 17:27
  • @fgrieu because it is symmetric! I thought about this before writing but forgot it during it. Thanks for reminding again. Now your comment/edited answer makes sense again. – J. Doe Oct 27 '19 at 17:43
  • Well, there are two parts here: 1. the probability distributions of uniform random permutations, which you might experiment with by simulations—repeatedly apply a Knuth shuffle to a small sequence of integers, and draw a histogram of the cycle lengths, for instance—and 2. the pseudorandomness of AES, which a lot of cryptanalysts have been banging their heads against for a long time without coming up with anything good. – Squeamish Ossifrage Oct 27 '19 at 17:44
  • @Aleph Citation? I know AES lies entirely in the alternating group, but that only means that the number of odd-length cycles is even—not that it's zero. – Squeamish Ossifrage Oct 27 '19 at 18:33
  • @SqueamishOssifrage Sorry, that's exactly what I meant to write. – Aleph Oct 28 '19 at 08:42
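
The simulation suggested in the comments, as an added example that is not part of the original thread: it checks the $1/n$ cycle-length distribution and the $(n+1)/2$ mean from the answer, first exactly by enumerating every permutation of a small domain, then by sampling Fisher-Yates (Knuth) shuffles of a larger one. The domain sizes, trial count and seed are assumptions chosen so it runs in seconds; it models a uniform random permutation only and does not call AES.

```python
import itertools
import random
from collections import Counter
from fractions import Fraction


def cycle_length(perm, start=0):
    """Iterate x -> perm[x] from `start` until `start` recurs.

    For a permutation the first repeated value is always the start (j = 0),
    so the number of steps taken is the period l.
    """
    x, steps = perm[start], 1
    while x != start:
        x, steps = perm[x], steps + 1
    return steps


def exact_distribution(n):
    """Over all n! permutations of range(n), count the cycle length through 0."""
    return Counter(cycle_length(p) for p in itertools.permutations(range(n)))


def sampled_lengths(n, trials, seed):
    """Cycle length through 0 for `trials` uniformly shuffled permutations."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    perm = list(range(n))
    lengths = []
    for _ in range(trials):
        rng.shuffle(perm)  # Fisher-Yates: uniform over all n! permutations
        lengths.append(cycle_length(perm))
    return lengths


if __name__ == "__main__":
    n = 7
    dist = exact_distribution(n)
    total = sum(dist.values())
    for l in range(1, n + 1):
        print(f"l={l}: probability {Fraction(dist[l], total)}")
    mean = Fraction(sum(l * c for l, c in dist.items()), total)
    print(f"exact mean {mean}, (n+1)/2 = {Fraction(n + 1, 2)}")

    n = 256
    lengths = sampled_lengths(n, 20000, seed=1)
    print(f"sampled mean {sum(lengths) / len(lengths):.2f}, (n+1)/2 = {(n + 1) / 2}")
```
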