Cryptology ePrint Archive: Report 2016/025

Human-readable Proof of the Related-Key Security of AES-128

Khoongming Khoo and Eugene Lee and Thomas Peyrin and Siang Meng Sim

Abstract: The related-key model is now considered an important scenario for block cipher security and many schemes were broken in this model, even AES-192 and AES-256. Recently were introduced efficient computer-based search tools that can produce the best possible related-key truncated differential paths for AES. However, one has to trust the implementation of these tools and they do not provide any meaningful information on how to design a good key schedule, which remains a challenge for the community as of today.

We provide in this article the first human-readable proof on the minimal number of active Sboxes in the related-key model for AES-128, without any help from a computer. More precisely, we show that any related-key differential paths for AES-128 will respectively contain at least 0, 1, 3 and 9 active Sboxes for 1, 2, 3 and 4 rounds. Our proof is tight, not trivial, and actually exhibits for the first time the interplay between the key state and the internal state of an AES-like block cipher with an AES-like key schedule. As application example, we leverage our proofs to propose a new key schedule, that is not only faster (a simple permutation on the byte positions) but also ensures a higher number of active Sboxes than AES-128's key schedule. We believe this is an important step towards a good understanding of efficient and secure key schedule designs.

Category / Keywords: secret-key cryptography / AES, related-key differential attack, security proof, key schedule

Date: received 11 Jan 2016

Contact author: ssim011 at e ntu edu sg

Available format(s): PDF | BibTeX Citation

Version: 20160112:080102 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]