Weak-Key Distinguishers for AES

Grassi, Lorenzo
Rechberger, Christian
Leander, Gregor
Tezcan, Cihangir
Wiemer, Friedrich
In this paper, we analyze the security of AES in the case in which the whitening key is a weak key.After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE’18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key.Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity 2^64without requiring related keys. These new chosen-key distinguishers – set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt’17 – improve all the AES chosen-key distinguishers in the single-key setting.The entire analysis has been performed using a new framework that we introduce here – called “weak-key subspace trails”, which is obtained by combining invariant subspaces (Crypto’11) and subspace trails (FSE’17) into a new, more powerful, attack.


Weak-Key Distinguishers for AES
Grassi, Lorenzo; Leander, Gregor; Rechberger, Christian; Tezcan, Cihangir; Wiemer, Friedrich (2021-01-01)
In this paper, we analyze the security of AES in the case in which the whitening key is a weak key.
Verification of delay insensitivity in bit-level pipelined dual-rail threshold logic adders
Ismailoglu, A. Neslin; Askar, Murat (2008-02-22)
A delay-insensitivity verification method is proposed for bit-level pipelined systolic dual-rail threshold logic adders, which achieve speed-up through early and input-incomplete carry output generation and which employ bit-wise completion at pipeline registers. The proposed method simplifies the verification task significantly, regardless of the operand length of the adder, such that analysis of three adjacent systoles for the eight possible early/late carry output generation scenarios is sufficient for de...
Reference database for seismic ground-motion in Europe (RESORCE)
AKKAR, SİNAN; SANDIKKAYA, M. A.; SENYURT, M.; SISI, A. Azari; Ay, Bekir Özer; TRAVERSA, P.; DOUGLAS, J.; COTTON, F.; LUZI, L.; HERNANDEZ, B.; GODEY, S. (Springer Science and Business Media LLC, 2014-02-01)
This paper presents the overall procedure followed in order to assemble the most recent pan-European strong-motion databank: Reference Database for Seismic Ground-Motion in Europe (RESORCE). RESORCE is one of the products of the SeIsmic Ground Motion Assessment (SIGMA; projet-sigma.com) project. RESORCE is intended to be a single integrated accelerometric databank for Europe and surrounding areas for use in the development and testing of ground-motion models and for other engineering seismology and earthqua...
Asymptotical lower limits on required number of examples for learning boolean networks
Abul, Osman; Alhajj, Reda; Polat, Faruk (2006-11-03)
This paper studies the asymptotical lower limits on the required number of samples for identifying Boolean Networks, which is given as Omega(logn) in the literature for fully random samples. It has also been found that; O(logn) samples are sufficient with high probability. Our main motivation is to provide tight lower asymptotical limits for samples obtained from time series experiments. Using the results from the literature on random boolean networks, lower limits on the required number of samples from tim...
Efficient Abstractions for the Supervisory Control of Modular Discrete Event Systems
Schmidt, Klaus Verner (2012-12-01)
The topic of this technical note is the nonblocking and maximally permissive abstraction-based supervisory control for modular discrete event systems (DES). It is shown, that an efficient abstraction technique, that was developed for the nonconflict verification of modular DES, is also suitable for the nonblocking supervisory control. Moreover, it is proved that this abstraction technique can be extended by the condition of local control consistency, in order to achieve maximally permissive supervision. Dif...
Citation Formats
L. Grassi, C. Rechberger, G. Leander, C. Tezcan, and F. Wiemer, Weak-Key Distinguishers for AES. 2021.