LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between key length and key space, and why does key length alone not determine security?

Key length is the number of bits in the key representation; key space is the number of actually possible keys. A defective RNG can make a 28-bit key have a key space of only 2.

Key length vs key space with a defective RNG

* Key length is the container; a weak RNG can shrink the real key space far below 2^length. *

A critical example:

Consider a 28-bit key where:

  • The first bit is generated truly randomly (entropy = 1 bit)
  • The remaining 27 bits follow a deterministic pattern based on the first bit
  • Key length = 28 bits → naively suggests $2^{28} \approx 268$ million possible keys
  • Key space = 2 keys → the attacker only needs to try 2 keys!

The distinction:

  • Key length = number of bits in the binary representation
  • Key space = number of distinct keys that can actually be generated
  • Entropy of the key = $\log_2(\text{key space})$ = the true security measure

$$\text{Key space} = 2^{\text{entropy}} \leq 2^{\text{key length}}$$

Real-world implication: A key is only as strong as the randomness used to generate it. If the random number generator (RNG) is flawed, even a "256-bit key" might have only a few bits of actual entropy. This is why cryptographically secure PRNGs (CSPRNGs) are essential.

Tip: Always think in terms of entropy, not key length. The key length is the container; the entropy is the actual content.

Go deeper:

From Quiz: KRYPTOG / Fundamentals of Cryptography | Updated: Jul 14, 2026