New Representations of the AES Key Schedule

October 5, 2022


Clara Pernot - Inria (Paris)


Abstract: In this talk I will present new representations of the AES key schedule, with some implications for the security of AES-based schemes. In particular, I will show that the AES-128 key schedule can be split into four independent parallel computations operating on 32-bit chunks, up to a linear transformation. I will show two consequences of our new representations. First, we will observe that iterating an odd number of key schedule rounds results in a permutation with short cycles. This explains an observation of Khairallah on mixFeed, and leads to a novel attack on ALE. Our new representation also gives efficient ways to combine information from the first subkeys and information from the last subkeys, in order to reconstruct the corresponding master key. This results in small improvements to previous attacks: we improve impossible differential attacks against several variants of AES (and Rijndael), and a square attack against AES-192.

Based on joint work with Gaëtan Leurent, which appeared at Eurocrypt 2021.

Created September 28, 2022, Updated March 22, 2023