Paper 2015/144

Security of the AES with a Secret S-box

Tyge Tiessen, Lars R. Knudsen, Stefan Kölbl, and Martin M. Lauridsen

Abstract

How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis that allow recovery of both the secret key and the secret S-box for four, five, and six rounds of the AES, respectively. Despite the significantly larger amount of secret information that an adversary needs to recover, the attacks are very efficient, with time/data complexities of $2^{17}/2^{16}$, $2^{38}/2^{40}$ and $2^{90}/2^{64}$, respectively. Another interesting aspect of our attack is that it works both as a chosen-plaintext and as a chosen-ciphertext attack. Surprisingly, the chosen-ciphertext variant has a significantly lower time complexity in the attacks on four and five rounds, compared to the respective chosen-plaintext attacks.

Note: Added acknowledgements.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in FSE 2015
Keywords
AES, integral cryptanalysis, secret S-box
Contact author(s)
tyti @ dtu dk
History
2015-03-02: revised
2015-02-27: received
Short URL
https://ia.cr/2015/144
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/144,
      author = {Tyge Tiessen and Lars R. Knudsen and Stefan Kölbl and Martin M. Lauridsen},
      title = {Security of the AES with a Secret S-box},
      howpublished = {Cryptology ePrint Archive, Paper 2015/144},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/144}},
      url = {https://eprint.iacr.org/2015/144}
}