
I'm interested in knowing whether a cryptosystem is broken given access to a few primitives. $\DeclareMathOperator{\KEYEXP}{KEY\_EXP}$ $\DeclareMathOperator{\E}{E}$

Suppose that you have access to an oracle that can provide you with $\E(k, m)$ for any message $m$ (so you can obtain the AES-128-ECB encryption of any block under a key that you want to learn).

Obviously, AES-128 is normally resilient to chosen-plaintext attacks.

However, what happens if there is another primitive that allows one to perform crypto with the final round key of key expansion (and the equivalent inverse)?

That is, in addition to $\E(k, m)$, the adversary has access to $\E(\KEYEXP(k), m)$ and $\E(\KEYEXP^{-1}(k), m)$ for any $m$. (Even more generally, the adversary has access to $\E(\KEYEXP^n(k), m)$ and $\E(\KEYEXP^{-n}(k), m)$ for all $n, m$ and wants to obtain $k$.)

Is AES-128 resilient against this, or is key recovery possible?

(For example, if $k$ were equal to all zeroes, then $\KEYEXP(k)$ would give the final round key as B4EF5B...)
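To make the oracles in the question concrete, here is an added example (not code from the question's author) implementing the standard AES-128 key schedule from FIPS-197, the $\KEYEXP$ map from a master key to its final (round 10) key, and its inverse. The key schedule is invertible from any single round key, so $\KEYEXP^{-1}$ and the iterated $\KEYEXP^{\pm n}$ are well defined; the function names `key_exp`, `key_exp_inv` and `key_exp_pow` are this example's own. The zero-key check reproduces the `B4EF5B...` prefix quoted above.

```python
"""AES-128 key schedule (KEY_EXP), its inverse, and iterated powers.

Added example, written for this question; not the question's own code.
"""

def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 as in the AES S-box."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if _gf_mul(a, b) == 1)


def _affine(b: int) -> int:
    """AES S-box affine transform: XOR of the five rotations, plus 0x63."""
    r = 0x63
    for i in range(5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r


# Generate the S-box rather than typing 256 constants.
SBOX = bytes(_affine(_gf_inv(x)) for x in range(256))
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _g(word: bytes, rcon: int) -> bytes:
    """RotWord, then SubWord, then XOR the round constant into byte 0."""
    rotated = word[1:] + word[:1]
    subbed = bytes(SBOX[v] for v in rotated)
    return bytes([subbed[0] ^ rcon]) + subbed[1:]


def expand_key(key: bytes) -> list:
    """Return the 11 AES-128 round keys; round key 0 is the master key."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = _g(temp, RCON[i // 4 - 1])
        w.append(_xor(w[i - 4], temp))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def key_exp(key: bytes) -> bytes:
    """KEY_EXP(k): the final (round 10) key of the schedule."""
    return expand_key(key)[10]


def key_exp_inv(last_round_key: bytes) -> bytes:
    """KEY_EXP^-1: recover the master key from the round 10 key.

    Each word w[i] was w[i-4] XOR f(w[i-1]), so w[i-4] = w[i] XOR f(w[i-1]).
    Walking i downward from 43 keeps w[i-1] already known at every step.
    """
    assert len(last_round_key) == 16
    w = [None] * 44
    for j in range(4):
        w[40 + j] = last_round_key[4 * j:4 * j + 4]
    for i in range(43, 3, -1):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = _g(temp, RCON[i // 4 - 1])
        w[i - 4] = _xor(w[i], temp)
    return b"".join(w[0:4])


def key_exp_pow(key: bytes, n: int) -> bytes:
    """KEY_EXP^n: n > 0 iterates the schedule, n < 0 iterates its inverse."""
    for _ in range(abs(n)):
        key = key_exp(key) if n > 0 else key_exp_inv(key)
    return key


if __name__ == "__main__":
    zero = bytes(16)
    print("KEY_EXP(0^128)      =", key_exp(zero).hex())
    print("KEY_EXP^-1 round trip:", key_exp_inv(key_exp(zero)) == zero)
    k = bytes(range(16))  # constructed sample key
    print("KEY_EXP^-3(KEY_EXP^3(k)) == k:", key_exp_pow(key_exp_pow(k, 3), -3) == k)
```

The round trip is the point for a defender: any single AES-128 round key leaks the master key outright, so a component that exposes $\E(\KEYEXP(k), \cdot)$ must be treated as holding $k$ itself. The example generalizes the question's $n = 1$ case to arbitrary $\KEYEXP^{\pm n}$ via `key_exp_pow`.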

forest

SciresM
