
In theory, for an ideal cipher $E_k: \{0,1\}^{128} \to \{0,1\}^{128}$, it would be completely fine to use the key and the input interchangeably, but obviously AES is not perfect. For AES128, the key size and the block size are the same. What would the security implications of using the key in place of the input block and vice versa be? I understand that it would be quite inefficient as the key schedule would need to be re-calculated for every block, but would it make cryptanalysis easier?

Encryption and decryption would be possible by putting the cipher in a modified counter mode, where $n$ is the nonce, $i$ is the counter/position of the block, $C$ is ciphertext, and $P$ is plaintext:

\begin{align*} C_i &= E_{n \mathbin\| i}(k) \oplus P_i\\ P_i &= E_{n \mathbin\| i}(k) \oplus C_i \end{align*}

Actual counter mode is:

\begin{align*} C_i &= E_k(n \mathbin\| i) \oplus P_i\\ P_i &= E_k(n \mathbin\| i) \oplus C_i \end{align*}

This is a purely hypothetical question and I have no intention of doing something so silly.

forest

2 Answers


I understand that it would be quite inefficient as the key schedule would need to be re-calculated for every block, but would it make cryptanalysis easier?

It would make cryptanalysis trivial.

If the attacker knows that

$$P_i \oplus C_i = E_{n \mathbin\| i}(k)$$

and he knows $n, i, C_i$ and has a guess for $P_i$, he can recover $k$, and use that to decrypt everything else.

This works because, with AES, $E_k$ has an inverse $E^{-1}_k$ that's efficiently computable, assuming you know $k$. There's no corresponding "inverse" with respect to the message block, and so the "message block" and the "key" inputs to AES are not interchangeable from a security standpoint.

poncho

A PRP is one permutation. It is safe to say an instance of AES is a PRP. The AES algorithm is a family of PRPs. A block cipher may only have been evaluated with enough scrutiny under the assumption that keys are chosen from a uniform random distribution. And there might not be any claim to security for weak key attacks, related key attacks, or chosen key attacks.

It can be the case that there is no practical way to distinguish a randomly chosen instance of AES (the algorithm with some fixed random key) from an ideal PRP without it being the case that AES is a perfect pseudorandom family of PRPs. (I don't know such a construct's real name.) This is the distinction between the standard model of block ciphers and the ideal cipher model.

There are related-key/chosen-key/weak-key attacks on AES-192 and AES-256, stronger ones on AES-256, so I guess it's a problem with AES's key schedule. AES-128 might be better. It might not.

An algorithm could be designed to resist such attacks. Davies–Meyer is a construct that uses chosen keys.

Future Security