3

Suppose that:

  • $MK \in \{0, 1\}^{n}$ and is the main key of a block cipher.
  • $RK_{r} \in \{0, 1\}^{n}$ and is the $r$th round key.
  • $RC_{r} \in \{0, 1\}^{n}$ and is the $r$th round constant.
  • $RK_{r} = MK \oplus RC_{r}$

What's the security of this key schedule? I'm imagining that it is not very strong.

Henno Brandsma
Melab

2 Answers

4

This key schedule is totally linear. If two master keys $MK_1$ and $MK_2$ have a difference of $d$, all the round keys will have a difference of $d$ with probability 1. This makes the cipher vulnerable to a related-key attack. But it's hard to work out and comment, without knowledge of the cipher description, on how badly such a key schedule affects the security of the cipher.

"PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications" has a very simple key schedule, and its designers say:

for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property we refer to as α-reflection

For more information about key-schedule requirements see "What are the requirements of a key schedule?"

crypt
2

The addition of round constants in key scheduling is to remove self-similarity. A related-key attack (which is not a practical attack in real life, other than in academia) will remove the effect of round constants in the analysis (both keys are XORed with the same round constant).

The invariant subspace attack exploits the weakness of constant addition to the master key. This is what happens in the Midori cipher, where a class of weak keys was found by this approach.

It is important to choose the round constants carefully to provide secure key scheduling of key and round constant.

For more details, I recommend reading the paper "Proving Resistance against Invariant Attacks: How to Choose the Round Constants".

hardyrama
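An added example, not part of either answer: it checks the two claims above, that a master-key difference $d$ reaches every round key with probability 1 and that the round constants cancel when two related keys are compared. The block size $n = 64$, the randomly generated round constants, and the use of the PRESENT-80 key schedule as a nonlinear contrast are assumptions made for illustration and do not come from the question.

```python
import random

ROUNDS = 32
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
_rng = random.Random(2024)
RC = [_rng.getrandbits(64) for _ in range(ROUNDS)]  # constructed round constants

def xor_schedule(mk):
    """The schedule from the question: RK_r = MK xor RC_r (n = 64 assumed)."""
    return [mk ^ rc for rc in RC]

def present80_schedule(key):
    """PRESENT-80 key schedule, used here only as a nonlinear contrast."""
    mask = (1 << 80) - 1
    rks = [key >> 16]                              # round key = top 64 bits
    for counter in range(1, ROUNDS):
        key = ((key << 61) | (key >> 19)) & mask   # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on top nibble
        key ^= counter << 15                       # round counter into bits 19..15
        rks.append(key >> 16)
    return rks

def difference_patterns(schedule, d, bits, trials=200, seed=7):
    """Distinct round-key difference sequences seen over random key pairs (k, k xor d)."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        k = rng.getrandbits(bits)
        seen.add(tuple(a ^ b for a, b in zip(schedule(k), schedule(k ^ d))))
    return seen

if __name__ == "__main__":
    d = 1 << 16  # constructed master-key difference
    linear = difference_patterns(xor_schedule, d, 64)
    nonlinear = difference_patterns(present80_schedule, d, 80)
    # XOR schedule: one pattern, every round-key difference equals d, RC_r cancels.
    print("XOR schedule:", len(linear), "pattern;", linear == {(d,) * ROUNDS})
    # Nonlinear schedule: the round-key differences depend on the key value.
    print("PRESENT-80 schedule:", len(nonlinear), "patterns")
```

For the XOR schedule the set contains a single pattern whatever constants are chosen, which is why the choice of $RC_r$ cannot help against related keys; for the contrast schedule the pattern changes from key to key.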