Cryptology ePrint Archive: Report 2017/1200

MixColumns Properties and Attacks on (round-reduced) AES with a Single Secret S-Box

Lorenzo Grassi

Abstract: In this paper, we present new key-recovery attacks on AES with a single secret S-Box. Several attacks for this model have been proposed in literature, the most recent ones at Crypto’16 and FSE’17. Both these attacks exploit a particular property of the MixColumns matrix to recover the secret-key.

In this work, we show that the same attacks work exploiting a weaker property of the MixColumns matrix. As first result, this allows to (largely) increase the number of MixColumns matrices for which it is possible to set up all these attacks. As a second result, we present new attacks on 5-round AES with a single secret S-Box that exploit the new multiple-of-n property recently proposed at Eurocrypt’17. This property is based on the fact that choosing a particular set of plaintexts, the number of pairs of ciphertexts that lie in a particular subspace is a multiple of n.

Category / Keywords: AES, MixColumns, key-recovery attack, secret S-Box

Original Publication (with major differences): CT-RSA 2018

Date: received 14 Dec 2017, last revised 8 Jan 2018

Contact author: lorenzo grassi at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20180108:092906 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]