14

While looking at this question I discovered the following here (question 5), and wanted to ask it as a separate question.

Alice knows that she will want to send a single 128-bit message to Bob at some point in the future. To prepare, Alice and Bob first select a 128-bit key k ∈ {0, 1}^128 uniformly at random.

When the time comes to send a message x ∈ {0, 1}^128 to Bob, Alice considers two ways of doing so. She can use the key as a one time pad, sending Bob k ⊕ x. Alternatively, she can use AES to encrypt x. Recall that AES is a 128-bit block cipher which can use a 128-bit key, so in this case she would encrypt x as a single block and send Bob AES_k(x).

Assume Eve will see either k ⊕ x or AES_k(x), that Eve knows an initial portion of x (a standard header), and that she wishes to recover the remaining portion of x. If Eve is an all powerful adversary and has time to try out every possible key k ∈ {0, 1}^128, which scheme would be more secure?

And the answer in the document is:

They would be equally secure. Either way, Eve would not be able to learn the unknown portion of x. Even after trying every possible key (including the actual one), Eve will have no way of recognizing the correct plaintext or even narrowing down the possibilities in any way.

Why is this? Well, since AES is a distinct permutation on {0, 1}^128 under each possible key, and the key was selected uniformly at random, given any plaintext, each possible ciphertext is equally likely. So when AES is used for a single block with a random key of the same length, the effect is exactly the same as using a one time pad: the ciphertext reveals no information about the plaintext.

The question mentions a standard header, so I think it's fair to assume we know all the plaintext except the very last bit. So my question is: is this answer correct?

daniel
  • 912
  • 5
  • 15

2 Answers

14

The answer is incorrect, but it's a bit more subtle than it seems. To make this clear, note that encrypting $x$ by computing $c=\operatorname{AES}_{0}(k) \oplus x$ would be perfectly secure (here the key is fixed to 0, but any fixed key value would give the same effect). This is due to the fact that AES is a permutation and so when $k$ is uniformly distributed, then $\operatorname{AES}_0(k)$ is a uniformly distributed value. More formally, for every $c$ and every $x$ there exists a $k$ such that $c=\operatorname{AES}_0(k)\oplus x$. In order to find this, compute $k = \operatorname{AES}_0^{-1}(c \oplus x)$.

Now, when encrypting $\operatorname{AES}_k(x)$ the same argument fails. This is because for $c=\operatorname{AES}_k(x)$ there is no guarantee that decrypting $c$ under all possible keys gives all possible plaintexts. Thus, it is possible that there is only one $k$ (or a few $k$'s) that give you the known initial portion.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86
7

No, one cannot claim that AES has perfect secrecy for a key size and message size of 128 bits. The answer quoted in the second part of the question is seriously wrong.

Perfect secrecy is an information-theoretic concept, assuming an adversary with infinite computing power, and AES is not safe against that.

In the context of the question: revealing $\operatorname{AES}_k(x)$ to an indefinitely powerful adversary, even with uniformly random $k$ used for no other purpose, has overwhelming chances to allow elimination of many possible values of $x$; that can be done by deciphering what's given with all keys $k$ and finding values never reached. Assimilating AES to a perfect cipher, there will be about $2^{128-1/\log(2)}\approx2^{126.56}$ such values. That gives the adversary sizable probability (about $1/e\approx0.368$ ) to eliminate with certainty a random value as a possible $x$ . Computing the exact advantage given by revealing $\operatorname{AES}_k(x)$ is left as an exercise to the reader, but I guess it is in the order of one bit of information about $x$.

As rightly pointed out, things would be different for the different question of what would happen if $\operatorname{AES}_0(k)\oplus x$ was revealed.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
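As an added illustration of the two answers above (this is example code, not part of either answer, and it is not AES), the script below builds a toy "ideal cipher": an 8-bit block with an 8-bit key, one independent random permutation per key. It checks both arguments: for c = E_0(k) ⊕ x every (x, c) pair is explained by exactly one key, so nothing about x leaks; for c = E_k(x), decrypting c under every key leaves roughly a 1/e fraction of the plaintext space unreached, which is exactly the set of values the all-powerful adversary can rule out, and in the question's setting (all but the last bit of x known) that can sometimes eliminate one of the two candidate plaintexts. The function names, the 8-bit block size and the RNG seeds are assumptions of this example.

```python
"""Toy ideal cipher (constructed for this example; not AES) demonstrating
why c = E_0(k) XOR x is a one-time pad but c = E_k(x) is not."""
import random

BITS = 8          # assumed toy block/key size; AES uses 128 (N = 2**128)
N = 1 << BITS


def ideal_cipher(seed=1234):
    """One uniformly random permutation per key: enc[k][x] = E_k(x),
    dec[k][c] = E_k^{-1}(c). A fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    enc = []
    for _ in range(N):
        perm = list(range(N))
        rng.shuffle(perm)
        enc.append(perm)
    dec = [[0] * N for _ in range(N)]
    for k in range(N):
        for x, c in enumerate(enc[k]):
            dec[k][c] = x
    return enc, dec


def reachable_plaintexts(dec, c):
    """{D_k(c) : k in keyspace}: after seeing c = E_k(x) for unknown k,
    these are the only plaintexts the adversary cannot exclude."""
    return {dec[k][c] for k in range(N)}


def fraction_excluded(dec, trials=32, seed=99):
    """Average fraction of the plaintext space ruled out by decrypting a
    random ciphertext under every key. For a random permutation family this
    is about (1 - 1/N)^N ~ 1/e ~ 0.37, matching fgrieu's 2^(128 - 1/ln 2)
    count for a 128-bit block."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        c = rng.randrange(N)
        total += (N - len(reachable_plaintexts(dec, c))) / N
    return total / trials


def otp_style_key(dec, c, x):
    """For c = E_0(k) XOR x the unique consistent key is E_0^{-1}(c XOR x)."""
    return dec[0][c ^ x]


def otp_style_covers_everything(enc, dec):
    """Yehuda Lindell's argument: for every c and every x some key k gives
    c == E_0(k) XOR x, so c reveals nothing about x (a true one-time pad)."""
    for c in range(N):
        for x in range(N):
            k = otp_style_key(dec, c, x)
            if enc[0][k] ^ x != c:
                return False
    return True


def candidates_with_known_header(dec, c, header):
    """The question's setting for c = E_k(x): the adversary knows x >> 1 and
    wants the last bit. Returns the last-bit values still consistent with c.
    With the real one-time pad both 0 and 1 always survive; here either may
    be excluded when that plaintext is unreached by every key."""
    reach = reachable_plaintexts(dec, c)
    return sorted(b for b in (0, 1) if ((header << 1) | b) in reach)


if __name__ == "__main__":
    enc, dec = ideal_cipher()
    print("E_0(k) XOR x reaches every (x, c):", otp_style_covers_everything(enc, dec))
    print("fraction of plaintexts excluded for E_k(x):", round(fraction_excluded(dec), 3))
    x, k = 0b10110010, 17                       # constructed sample message and key
    c = enc[k][x]
    print("last-bit candidates given the header:", candidates_with_known_header(dec, c, x >> 1))
```

Scaling the block size up does not change the picture: the expected fraction of unreached plaintexts converges to 1/e as N grows, which is the "sizable probability" of elimination fgrieu describes, and it is the absence of this gap in the c = E_0(k) ⊕ x construction that makes that variant perfectly secret.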