TY - GEN
T1 - Weak-Key Distinguishers for AES
AU - Grassi, Lorenzo
AU - Leander, Gregor
AU - Rechberger, Christian
AU - Tezcan, Cihangir
AU - Wiemer, Friedrich
N1 - Publisher Copyright:
© 2021, Springer Nature Switzerland AG.
PY - 2021
Y1 - 2021
N2 - In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE’18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key. Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity 2^64 without requiring related keys. These new chosen-key distinguishers – set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt’17 – improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here – called “weak-key subspace trails”, which is obtained by combining invariant subspaces (Crypto’11) and subspace trails (FSE’17) into a new, more powerful, attack.
AB - In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE’18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key. Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity 2^64 without requiring related keys. These new chosen-key distinguishers – set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt’17 – improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here – called “weak-key subspace trails”, which is obtained by combining invariant subspaces (Crypto’11) and subspace trails (FSE’17) into a new, more powerful, attack.
KW - AES
KW - Chosen-key distinguisher
KW - Key schedule
KW - Weak-keys
UR - http://www.scopus.com/inward/record.url?scp=85113519967&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-81652-0_6
DO - 10.1007/978-3-030-81652-0_6
M3 - Conference paper
AN - SCOPUS:85113519967
SN - 9783030816513
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 141
EP - 170
BT - Selected Areas in Cryptography - 27th International Conference, 2020, Revised Selected Papers
A2 - Dunkelman, Orr
A2 - Jacobson, Jr., Michael J.
A2 - O’Flynn, Colin
PB - Springer Science and Business Media Deutschland GmbH
T2 - 27th International Conference on Selected Areas in Cryptography
Y2 - 19 October 2020 through 23 October 2020
ER -