Editing Weak key (section)

==No weak keys as a design goal==
The goal of having a 'flat' keyspace (i.e., all keys equally strong) is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has unknown weak keys does not inspire much trust.{{Citation needed|date=March 2011}}

The two main countermeasures against inadvertently using a weak key:
* Checking generated keys against a list of known weak keys, or building rejection of weak keys into the key scheduling.
* When the number of weak keys is known to be very small (in comparison to the size of the keyspace), generating a key uniformly at random ensures that the probability of it being weak is a (known) very small number.

A large number of weak keys is a serious flaw in any cipher design, since there will then be a (perhaps too) large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in the interest of 'efficiency'.

However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a [[block cipher modes of operation|mode of operation]] intended to construct a secure [[cryptographic hash function]] (e.g. [[Davies–Meyer]]).