Paper 2020/1253

New Representations of the AES Key Schedule

Gaëtan Leurent and Clara Pernot


In this paper we present a new representation of the AES key schedule, with some implications to the security of AES-based schemes. In particular, we show that the AES-128 key schedule can be split into four independent parallel computations operating on 32 bits chunks, up to linear transformation. Surprisingly, this property has not been described in the literature after more than 20 years of analysis of AES. We show two consequences of our new representation, improving previous cryptanalysis results of AES-based schemes. First, we observe that iterating an odd number of key schedule rounds results in a function with short cycles. This explains an observation of Khairallah on mixFeed, a second-round candidate in the NIST lightweight competition. Our analysis actually shows that his forgery attack on mixFeed succeeds with probability 0.44 (with data complexity 220GB), breaking the scheme in practice. The same observation also leads to a novel attack on ALE, another AES-based AEAD scheme. Our new representation also gives efficient ways to combine information from the first sub-keys and information from the last sub-keys, in order to reconstruct the corresponding master keys. In particular we improve previous impossible-differential attacks against AES-128.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
AESKey schedulemixFeedALEImpossible Differential Attack
Contact author(s)
gaetan leurent @ inria fr
clara pernot @ inria fr
2020-10-14: received
Short URL
Creative Commons Attribution


      author = {Gaëtan Leurent and Clara Pernot},
      title = {New Representations of the AES Key Schedule},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1253},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.