Abstract | ||
---|---|---|
In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE'18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key. Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity $2^{64}$ without requiring related keys. These new chosen-key distinguishers - set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt'17 - improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here - called "weak-key subspace trails", which is obtained by combining invariant subspaces (Crypto'11) and subspace trails (FSE'17) into a new, more powerful, attack. |

Year | DOI | Venue |
---|---|---|
2020 | 10.1007/978-3-030-81652-0_6 | SELECTED AREAS IN CRYPTOGRAPHY |

Keywords | DocType | Volume |
---|---|---|
AES, Key schedule, Weak-keys, Chosen-key distinguisher | Conference | 12804 |

ISSN | Citations | PageRank |
---|---|---|
0302-9743 | 0 | 0.34 |

References | Authors |
---|---|
0 | 5 |

Name | Order | Citations | PageRank |
---|---|---|---|
Lorenzo Grassi | 1 | 0 | 1.69 |
Gregor Leander | 2 | 1287 | 77.03 |
Christian Rechberger | 3 | 1671 | 96.13 |
Cihangir Tezcan | 4 | 77 | 6.75 |
Friedrich Wiemer | 5 | 5 | 1.52 |