8

A key schedule that generates round keys by XORing a round constant with the key is linear and can be vulnerable to related key attacks, but let's ignore that for now. Constants are necessary to avoid the slide attack. How complex do these constants need to be and how much must they differ?

For example, would a trivial key schedule composed of $r_i = k \oplus c_i$ to generate the $i^\text{th}$ round key $r_i$ using round constant $c_i$ and secret key $k$ be weak to any form of cryptanalysis if $c_i = i$?

forest

1 Answer

4

It depends on the actual block cipher and is quite an open problem. For example, SCREAM, iSCREAM and Midori64 use such a key schedule (i.e., its absence) with sparse round constants. They were broken with a practical attack on a quite large weak-key space [1]. Though, the linear layer has some special property.

I would add that it's not the slide attack that matters, but symmetries/invariants, and these things are not yet well understood.

[1] https://eprint.iacr.org/2016/732

Fractalice
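A toy illustration of the answer's point that invariants, rather than the slide property, are what the round constants have to break. This is an added example, not part of the original question or answer: the 8-bit cipher, its linear layer and all names below are constructed for illustration and are neither the ciphers nor the attack from [1].

```python
# Toy 8-bit SPN, constructed for illustration only (not SCREAM, iSCREAM or Midori64).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # 4-bit S-box (the PRESENT S-box)

def round_fn(x, round_key):
    """One round: add r_i, S-box both nibbles, then a swap-symmetric linear layer."""
    x ^= round_key
    a, b = SBOX[x >> 4], SBOX[x & 0xF]
    # L(a, b) = (a ^ (b >> 2), b ^ (a >> 2)) is an involution, so each round is a permutation.
    return ((a ^ (b >> 2)) << 4) | (b ^ (a >> 2))

def encrypt(key, block, constants):
    """Key schedule from the question: r_i = k XOR c_i."""
    for c in constants:
        block = round_fn(block, key ^ c)
    return block

def on_diagonal(x):
    """True when both nibbles are equal; this set is the invariant subspace."""
    return (x >> 4) == (x & 0xF)

DIAGONAL = [0x11 * v for v in range(16)]  # the 16 bytes with equal nibbles

def diagonal_hits(constants, keys=DIAGONAL):
    """Count (weak key, diagonal plaintext) pairs whose ciphertext is also diagonal."""
    return sum(on_diagonal(encrypt(k, p, constants)) for k in keys for p in DIAGONAL)

ROUNDS = 4
NO_CONSTANTS = [0] * ROUNDS                       # identical rounds: slide property holds
COUNTER = list(range(ROUNDS))                     # c_i = i, as in the question
SYMMETRIC = [0x11 * i for i in range(ROUNDS)]     # distinct per round, but all on the diagonal

if __name__ == "__main__":
    for name, consts in [("none", NO_CONSTANTS), ("c_i = i", COUNTER),
                         ("c_i = 0x11*i", SYMMETRIC)]:
        print(f"{name:13s} diagonal preserved for {diagonal_hits(consts)}/256 pairs")
```

The constants `0x11*i` differ in every round yet never leave the diagonal, so for the 16 weak keys (of 256) diagonal plaintexts always encrypt to diagonal ciphertexts. Here `c_i = i` breaks this one symmetry, which says nothing about other invariants a real linear layer might admit.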