Fast Software Encryption

Volume 6147 of the series Lecture Notes in Computer Science pp 365-383

Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations

  • Henri Gilbert, Orange Labs
  • Thomas Peyrin, Ingenico


In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.


Keywords: hash function, cryptanalysis, AES, Grøstl, ECHO
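The Super-Sbox view described in the abstract, checked for standard AES as an added example (not code from the paper): because ShiftRows commutes with SubBytes, the sequence SubBytes, ShiftRows, MixColumns, AddRoundKey, SubBytes equals ShiftRows followed by four independent keyed 32-bit Sboxes, one per column. The function names and the random test states are constructed for this illustration.

```python
import os

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):
    """AES S-box: field inverse, then the fixed affine map (constant 0x63)."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv ^ 0x63
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s

SBOX = [sbox_entry(x) for x in range(256)]

# State: 16 bytes, column-major (index 4*c + r), as in the AES specification.
def shift_rows(s):
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(col):
    # Circulant matrix (2 3 1 1); negative indices wrap around the column.
    return [gmul(2, col[r]) ^ gmul(3, col[r - 3]) ^ col[r - 2] ^ col[r - 1] for r in range(4)]

def two_rounds(state, key):
    """SubBytes, ShiftRows, MixColumns, AddRoundKey, SubBytes, step by step."""
    s = shift_rows([SBOX[b] for b in state])
    s = [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]
    return [SBOX[b ^ k] for b, k in zip(s, key)]

def super_sbox(col, kcol):
    """Keyed 32-bit permutation on one column: SubBytes, MixColumns, key, SubBytes."""
    mixed = mix_column([SBOX[b] for b in col])
    return [SBOX[b ^ k] for b, k in zip(mixed, kcol)]

def super_sbox_view(state, key):
    """ShiftRows (linear), then four independent Super-Sboxes."""
    t = shift_rows(state)
    return [b for c in range(4) for b in super_sbox(t[4 * c:4 * c + 4], key[4 * c:4 * c + 4])]

def views_agree(trials=200):
    """Compare both computations on constructed random states and keys."""
    pairs = [(list(os.urandom(16)), list(os.urandom(16))) for _ in range(trials)]
    return all(two_rounds(s, k) == super_sbox_view(s, k) for s, k in pairs)
```

Calling views_agree() returns True, and changing a single input byte changes only one output column, which is the column independence the Super-Sbox representation relies on.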