2

For example AES-128 starting with a 128-bit message $m_0$ and static 128 key $k$

$AES128(m_0,k)\rightarrow c_0$
$c_0\rightarrow m_1$
$AES128(m_1,k)\rightarrow c_1$
$c_1\rightarrow m_2$
...
continue until $m_i$ is equal to any $m_j, j<i$

The period length would be $l = i-j$

Any theory about how big that $l$ will be?
Will it be equal for any possible $m_0$?
Is $l=j$ for every $m_0$?

(edit: in AES $j$ is always 0 because symmetric algorithm. Each cipher value has only one possible plain text)

J. Doe
  • 463
  • 4
  • 15

1 Answers1

9

Since AES under any fixed key is a permutation, we necessarily have $j = 0$ and $i = l$—iterating a permutation enough times will always return you to the starting point.

From Harris 1960 (paywall-free), if we model AES as a uniform random permutation, every period length $l$ has equal probability $1/n$ (Eq. 5.2) for any particular starting point, where $n = 2^{128}$ is the size of the domain, so the expected cycle length is $\sum_{i=1}^n i/n = (n + 1)/2 \approx 2^{127}$.

(Any substantial deviation from this would imply an attack on AES.)

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230