In this paper, we demonstrate attacks based on integral cryptanalysis which allow an adversary to recover both the secret key and the secret S-box for four, five, and six rounds of the AES, respectively. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient, with time/data complexities of $2^{17}/2^{16}$, $2^{38}/2^{40}$ and $2^{90}/2^{64}$, respectively.
Another interesting aspect of our attack is that it works both as a chosen-plaintext and as a chosen-ciphertext attack. Surprisingly, the chosen-ciphertext variant has a significantly lower time complexity in the attacks on four and five rounds, compared to the respective chosen-plaintext attacks.
Category / Keywords: secret-key cryptography / AES, integral cryptanalysis, secret S-box
Original Publication (in the same form): IACR-FSE-2015
Date: received 20 Feb 2015, last revised 2 Mar 2015
Contact author: tyti at dtu dk
Note: Added acknowledgements.
Version: 20150302:110553
Short URL: ia.cr/2015/144