International Association for Cryptologic Research


IACR News item: 10 June 2013

Pierre-Alain Fouque, Jérémy Jean, Thomas Peyrin
ePrint Report
While the symmetric-key cryptography community has now a good experience on how to build a secure and efficient fixed permutation, it remains an open problem how to design a key-schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related-keys. We use a variant of Dijkstra's algorithm to efficiently find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds.

