Security of the AES with a Secret S-Box

Tyge Tiessen; Lars Ramkilde Knudsen; Stefan Kölbl; Martin Mehl Lauridsen

doi:10.1007/978-3-662-48116-5_9

Security of the AES with a Secret S-Box

Tyge Tiessen, Lars Ramkilde Knudsen, Stefan Kölbl, Martin Mehl Lauridsen

Department of Applied Mathematics and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

1 Downloads (Pure)

Abstract

How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds?

In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of 2¹⁷/2¹⁶, 2³⁸/2⁴⁰ and 2⁹⁰/2⁶⁴, respectively.

Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.

Original language	English
Title of host publication	Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015)
Editors	Gregor Leander
Publisher	Springer
Publication date	2015
Pages	175-189
ISBN (Print)	978-3-662-48115-8
ISBN (Electronic)	978-3-662-48116-5
DOIs	https://doi.org/10.1007/978-3-662-48116-5_9
Publication status	Published - 2015
Event	22nd International Workshop on Fast Software Encryption (FSE 2015) - Istanbul, Turkey Duration: 8 Mar 2015 → 11 Mar 2015 Conference number: 22 http://www.lightsec.org/fse2015/

Workshop

Workshop	22nd International Workshop on Fast Software Encryption (FSE 2015)
Number	22
Country	Turkey
City	Istanbul
Period	08/03/2015 → 11/03/2015
Internet address	http://www.lightsec.org/fse2015/

Keywords

AES
Integral cryptanalysis
Secret S-box

Cite this

Tiessen, T., Knudsen, L. R., Kölbl, S., & Lauridsen, M. M. (2015). Security of the AES with a Secret S-Box. In G. Leander (Ed.), Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015) (pp. 175-189). Springer. https://doi.org/10.1007/978-3-662-48116-5_9

Tiessen, Tyge ; Knudsen, Lars Ramkilde ; Kölbl, Stefan ; Lauridsen, Martin Mehl. / Security of the AES with a Secret S-Box. Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015). editor / Gregor Leander. Springer, 2015. pp. 175-189

@inproceedings{19d928e171ca4f0a824937e59178fdf2,

title = "Security of the AES with a Secret S-Box",

abstract = "How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of 217/216, 238/240 and 290/264, respectively. Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.",

keywords = "AES, Integral cryptanalysis, Secret S-box",

author = "Tyge Tiessen and Knudsen, {Lars Ramkilde} and Stefan K{\"o}lbl and Lauridsen, {Martin Mehl}",

year = "2015",

doi = "10.1007/978-3-662-48116-5_9",

language = "English",

isbn = "978-3-662-48115-8",

pages = "175--189",

editor = "Leander, {Gregor }",

booktitle = "Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015)",

publisher = "Springer",

}

Tiessen, T, Knudsen, LR, Kölbl, S & Lauridsen, MM 2015, Security of the AES with a Secret S-Box. in G Leander (ed.), Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015). Springer, pp. 175-189, 22nd International Workshop on Fast Software Encryption (FSE 2015), Istanbul, Turkey, 08/03/2015. https://doi.org/10.1007/978-3-662-48116-5_9

Security of the AES with a Secret S-Box. / Tiessen, Tyge; Knudsen, Lars Ramkilde; Kölbl, Stefan; Lauridsen, Martin Mehl.

Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015). ed. / Gregor Leander. Springer, 2015. p. 175-189.

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - Security of the AES with a Secret S-Box

AU - Tiessen, Tyge

AU - Knudsen, Lars Ramkilde

AU - Kölbl, Stefan

AU - Lauridsen, Martin Mehl

PY - 2015

Y1 - 2015

N2 - How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of 217/216, 238/240 and 290/264, respectively. Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.

AB - How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of 217/216, 238/240 and 290/264, respectively. Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.

KW - AES

KW - Integral cryptanalysis

KW - Secret S-box

U2 - 10.1007/978-3-662-48116-5_9

DO - 10.1007/978-3-662-48116-5_9

M3 - Article in proceedings

SN - 978-3-662-48115-8

SP - 175

EP - 189

BT - Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015)

A2 - Leander, Gregor

PB - Springer

ER -

Tiessen T, Knudsen LR, Kölbl S, Lauridsen MM. Security of the AES with a Secret S-Box. In Leander G, editor, Revised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015). Springer. 2015. p. 175-189 https://doi.org/10.1007/978-3-662-48116-5_9

Access to Document

10.1007/978-3-662-48116-5_9