Security of the AES with a Secret S-Box

Research output: Chapter in Book/Report/Conference proceedingArticle in proceedings – Annual report year: 2015Researchpeer-review

View graph of relations

How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds?

In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of 217/216, 238/240 and 290/264, respectively.

Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.
Original languageEnglish
Title of host publicationRevised Selected Papers of the 22nd International Workshop on Fast Software Encryption (FSE 2015)
EditorsGregor Leander
PublisherSpringer
Publication date2015
Pages175-189
ISBN (Print)978-3-662-48115-8
ISBN (Electronic)978-3-662-48116-5
DOIs
Publication statusPublished - 2015
Event22nd International Workshop on Fast Software Encryption (FSE 2015) - Istanbul, Turkey
Duration: 8 Mar 201511 Mar 2015
Conference number: 22
http://www.lightsec.org/fse2015/

Workshop

Workshop22nd International Workshop on Fast Software Encryption (FSE 2015)
Number22
CountryTurkey
CityIstanbul
Period08/03/201511/03/2015
Internet address
CitationsWeb of Science® Times Cited: No match on DOI

    Research areas

  • AES, Integral cryptanalysis, Secret S-box

ID: 117543552