Weak-Key Distinguishers for AES

Grassi L., Rechberger C., Leander G., Tezcan C., Wiemer F.

in: Selected Areas in Cryptography, Orr Dunkelman,Michael J. Jacobson,Colin O’Flynn, Editor, Springer, Cham, Zug, pp.141-170, 2021

  • Publication Type: Book Chapter / Chapter Vocational Book
  • Publication Date: 2021
  • Publisher: Springer, Cham
  • City: Zug
  • Page Numbers: pp.141-170
  • Editors: Orr Dunkelman,Michael J. Jacobson,Colin O’Flynn, Editor
  • Middle East Technical University Affiliated: Yes


In this paper, we analyze the security of AES in the case in which the whitening key is a weak key.

After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE’18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key.

Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity 2^64

without requiring related keys. These new chosen-key distinguishers – set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt’17 – improve all the AES chosen-key distinguishers in the single-key setting.

The entire analysis has been performed using a new framework that we introduce here – called “weak-key subspace trails”, which is obtained by combining invariant subspaces (Crypto’11) and subspace trails (FSE’17) into a new, more powerful, attack.