Transposition of AES Key Schedule

In this paper, we target the poor diffusion of the AES key schedule. More specifically, its column-by-column, word-wise structure (each round-key word is derived from the word in the same position of the previous round key and from the word immediately before it) closely matches the column-wise diffusion of MixColumns in the round function, and this match underlies several attacks in both the single-key and the related-key model. We therefore propose a new key schedule that moves the interaction from between different columns to between different rows; it offers stronger security than the original AES key schedule and better efficiency than other key schedule proposals. On the single-key side, our proposal reduces the number of rounds reached by several attacks, such as the popular SQUARE attacks and the meet-in-the-middle attacks of Derbez et al. (EUROCRYPT 2013) and Li et al. (FSE 2014). On the related-key side, it increases the security margin of AES: the related-key differential attacks based on local collisions that broke full-round AES-192 and AES-256 become impossible.

[1] Stefan Lucks et al. Attacking 9 and 10 Rounds of AES-256. ACISP 2009.

[2] Jérémy Jean et al. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting. IACR Cryptology ePrint Archive, 2013.

[3] Xuejia Lai et al. Revisiting key schedule's diffusion in relation with round function's diffusion. Designs, Codes and Cryptography, 2014.

[4] Alex Biryukov et al. Related-Key Cryptanalysis of the Full AES-192 and AES-256. ASIACRYPT 2009.

[5] Yvo Desmedt et al. Related-Key Differential Cryptanalysis of 192-bit Key AES Variants. Selected Areas in Cryptography 2003.

[6] Stefan Lucks et al. Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys. AES Candidate Conference 2000.

[7] Frederik Armknecht et al. Linearity of the AES Key Schedule. AES Conference 2004.

[8] Alex Biryukov et al. Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others. EUROCRYPT 2010.

[9] Adi Shamir et al. Improved Single-Key Attacks on 8-Round AES-192 and AES-256. Journal of Cryptology, 2010.

[10] Matt Henricksen et al. AES Variants Secure against Related-Key Differential and Boomerang Attacks. WISTP 2011.

[11] Bruce Schneier et al. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. CRYPTO 1996.

[12] Jongsung Kim et al. Related-Key Rectangle Attacks on Reduced AES-192 and AES-256. FSE 2007.

[13] Neal Koblitz et al. Advances in Cryptology — CRYPTO '96. Lecture Notes in Computer Science, 1996.

[14] Jiqiang Lu et al. Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits. ISPEC 2011.

[15] Keting Jia et al. Improved Single-Key Attacks on 9-Round AES-192/256. FSE 2014.

[16] Ali Aydin Selçuk et al. A Meet-in-the-Middle Attack on 8-Round AES. FSE 2008.

[17] William Millan et al. Strengthening the Key Schedule of the AES. ACISP 2002.

[18] Xuejia Lai et al. Markov Ciphers and Differential Cryptanalysis. EUROCRYPT 1991.

[19] Chenhui Jin et al. Meet-in-the-middle attacks on 10-round AES-256. Designs, Codes and Cryptography, 2016.

[20] Alex Biryukov et al. Distinguisher and Related-Key Attack on the Full AES-256. CRYPTO 2009.

[21] Bruce Schneier et al. Improved Cryptanalysis of Rijndael. FSE 2000.

[22] Eli Biham et al. Related-Key Boomerang and Rectangle Attacks. EUROCRYPT 2005.