Security of AES with a Secret S-box

Feb 1, 2015·
Tyge Tiessen
,
Lars R. Knudsen
Stefan Kölbl
Stefan Kölbl
,
Martin M. Lauridsen
· 0 min read
Abstract
How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allows to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of $2^{17}/2^{16}$, $2^{38}/2^{40}$ and $2^{90}/2^{64}$, respectively. Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.
Type
Publication
publications
Block Cipher AES Cryptanalysis Integral Cryptanalysis
Authors
Tyge Tiessen
Authors
Lars R. Knudsen
Stefan Kölbl
Authors
Stefan Kölbl
Staff Engineer, Tech Lead Manager

I am a Staff Engineer and Tech Lead Manager at Google, where I work in the Security Engineering team. My focus is on post-quantum cryptography and enabling developers at Google and across the internet to use cryptography safely and correctly.

I have a PhD in cryptography and an extensive background in the design and analysis of symmetric-key algorithms, post-quantum cryptography, and lightweight cryptography. I have contributed to several cryptographic standardization efforts, including the SKINNY cipher, which is part of the ISO/IEC 29192-2 standard. I also contributed to the SPHINCS+ signature scheme, which was standardized by NIST as FIPS 205. I currently represent Switzerland in the ISO/IEC JTC 1/SC 27/WG 2 committee for cryptography and security mechanisms.

Before joining Google, I was a Senior Technology Manager at Cybercrypt and a postdoctoral researcher at the Technical University of Denmark, working on the H2020 PQCRYPTO project.

%!s() %!s()
Authors
Martin M. Lauridsen