Can someone explain to me why using a key schedule makes AES more secure than if, instead of calculating and adding your round keys, you just keep on adding the cipher key?
- Well, how would AES-256 work without a key-schedule? – SEJPM Apr 09 '20 at 10:24
- Instead of calculating and adding your round keys, you just keep on adding the cypher key. – Gessio26 Apr 09 '20 at 10:34
- How would you do that with a 256-bit key on 128-bit blocks? (or even better with AES-192 with 192-bit keys on 128-bit blocks) – SEJPM Apr 09 '20 at 10:35
- Ok, thanks for your answer, I see what you mean now. But say, I have a 128-bit key on 128-bit blocks, what would the use of the schedule be? – Gessio26 Apr 09 '20 at 10:41
- Possible duplicate of How secure would AES be with all round keys equal?, AES and DES - reusing the same round keys, Why do block ciphers use key schedules instead of round constants? (Even-Mansour), – kelalaka Apr 09 '20 at 12:32
- and Security of key schedule that only XORs a key with constants – kelalaka Apr 09 '20 at 12:32
- Does this answer your question? AES and DES - reusing the same round keys – Yunus Karakaya Apr 09 '20 at 13:45
2 Answers
Not using separate keys for each AES round would make your cipher vulnerable to slide attacks. Using two plaintexts M and M' with M' being the result of an AES round after calculating M as input, you can differentiate between those plaintexts by calculating the output of an AES round which takes the ciphertext C as input.
Due to the birthday problem, this attack should reduce the complexity of breaking the AES to $\mathcal{O}(2^{n/2})$.
Source: Slide attack

Many block ciphers, including AES, encrypt using multiple/iterated rounds (10, 12 or 14 for AES depending on key size). Each round requires a key, called sub-key or round key (always 128-bit for AES), and it would be a weakness¹ if the same sub-key was used at each round.
The key schedule's job is to expand the original key (128, 192 or 256-bit for AES) into one sub-key per round. Without somewhat executing the key schedule, we would not get the right sub-keys, and the result of AES encryption or decryption would be wrong.
The key schedule does not really need to be performed before executing AES, at least for encryption: it can be performed while executing AES, and that's pretty common in hardware, and even in software when speed is less important than key agility and memory size.
¹ This other answer gives an attack, I would not bet there are not others even for AES-128, and for larger key sizes much of the key bits would go unused.
PS: much of the question is about the reasons for multiple subkeys, thus my answer is lacking; upvote another!

- "it would be a weakness if the same sub-key was used at each round." <- I think the OP is interested in said weakness – SEJPM Apr 09 '20 at 11:53
- @SEJPM: yes, but something comprehensive on this would make the answer many times bigger, even if I stick to AES; and I'm not sure how I would start. – fgrieu Apr 09 '20 at 11:59
- +1 for mentioning the subkey derivation during each round rather than all at once. – tum_ Apr 09 '20 at 12:02
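
The second answer notes that the key schedule can run while AES executes rather than beforehand. As an added example (not code from either answer or from any AES library), the Python below derives each AES-128 round key from the previous one alone, so only 16 bytes of key state are held at a time. The function names are this example's own, and the key in the demo is the FIPS-197 Appendix A.1 example key.

```python
# Added example: AES-128 round keys derived one at a time (on-the-fly key schedule).
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox():
    """Generate the AES S-box: inverse in GF(2^8), then the affine transform."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse; its entry is the affine constant alone
    return sbox

SBOX = build_sbox()

def next_round_key(prev, rnd):
    """Derive round key `rnd` (1..10) from round key rnd-1 only."""
    words = [prev[i:i + 4] for i in range(0, 16, 4)]
    # g(): RotWord, SubWord, then XOR the round constant into the first byte
    t = [SBOX[b] for b in words[3][1:] + words[3][:1]]
    t[0] ^= RCON[rnd - 1]
    out = []
    for word in words:          # each new word = old word XOR previous new word
        t = [a ^ b for a, b in zip(word, t)]
        out += t
    return bytes(out)

def round_keys(key):
    """Yield the 11 AES-128 round keys in order, keeping only the current one."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    rk = bytes(key)
    yield rk                    # round 0: the cipher key itself
    for rnd in range(1, 11):
        rk = next_round_key(rk, rnd)
        yield rk

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key
    for i, rk in enumerate(round_keys(key)):
        print(f"round {i:2d}: {rk.hex()}")
```

All eleven round keys come out distinct for this key, which is the property that reusing the cipher key in every round gives up.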