### Weak-Key Distinguishers for AES

Lorenzo Grassi, Gregor Leander, Christian Rechberger, Cihangir Tezcan, and Friedrich Wiemer

##### Abstract

In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE'18 (which is faster than the standard key schedule and ensures a higher number of active S-Boxes). As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key. Using these results as a starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity $2^{64}$ without requiring related keys. These new chosen-key distinguishers -- set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt'17 -- improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here, called "weak-key subspace trails", which is obtained by combining invariant subspaces (Crypto'11) and subspace trails (FSE'17) into a new, more powerful attack. Weak-key subspace trails are defined by extending the invariant subspace approach to allow for different subspaces in every round, something that so far only the subspace trail approach and a generalization for invariant subspace and invariant set attacks (Asiacrypt'18) were able to do. For easier detection, we also provide an algorithm which finds these weak-key subspace trails.

Note: - Minor mistakes have been corrected. - Acknowledgment has been updated.

Category
Secret-key cryptography
Publication info
Published elsewhere. MINOR revision. SAC 2020
Keywords
AES, Key Schedule, Weak-Keys, Invariant Subspaces, Chosen-Key Distinguisher
Contact author(s)
lgrassi @ science ru nl
History
2020-12-16: last of 3 revisions
Short URL
https://ia.cr/2019/852

CC BY

BibTeX

@misc{cryptoeprint:2019/852,
author = {Lorenzo Grassi and Gregor Leander and Christian Rechberger and Cihangir Tezcan and Friedrich Wiemer},
title = {Weak-Key Distinguishers for AES},
howpublished = {Cryptology ePrint Archive, Paper 2019/852},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/852}},
url = {https://eprint.iacr.org/2019/852}
}
