Security of the AES with a Secret S-Box

  • Tyge TiessenEmail author
  • Lars R. Knudsen
  • Stefan Kölbl
  • Martin M. Lauridsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9054)


How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds?

In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of \(2^{17}/2^{16}\), \(2^{38}/2^{40}\) and \(2^{90}/2^{64}\), respectively.

Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.


AES Integral cryptanalysis Secret S-box 



The work in this paper has partially been funded by the Nasjonal sikkerhetsmyndighet (NSM).


  1. 1.
    Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001) Google Scholar
  2. 2.
    Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Cryptanalysis of PRESENT-like ciphers with secret S-boxes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 270–289. Springer, Heidelberg (2011) Google Scholar
  3. 3.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997) Google Scholar
  4. 4.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002) Google Scholar
  5. 5.
    Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78–94. Springer, Heidelberg (2006) Google Scholar
  6. 6.
    Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.L.: Improved cryptanalysis of rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001) Google Scholar
  7. 7.
    Gomathisankaran, M., Lee, R.B.: Maya: A novel block encryption function. In: International Workshop on Coding and Cryptography (2009)Google Scholar
  8. 8.
    Liu, G.-Q., Jin, C.-H., Qi, C.-D.: Improved slender-set linear cryptanalysis. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 431–450. Springer, Heidelberg (2015) Google Scholar
  9. 9.
    Merkle, R.C.: Fast software encryption functions. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 476–500. Springer, Heidelberg (1991) Google Scholar
  10. 10.
    National Institute of Standards and Technology. Advanced Encryption Standard. Federal Information Processing Standard (FIPS), Publication 197, U.S. Department of Commerce, Washington D.C., November 2001Google Scholar
  11. 11.
    O’Connor, L.: On the distribution of characteristics in bijective mappings. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 360–370. Springer, Heidelberg (1994) Google Scholar
  12. 12.
    O’Connor, L.: Properties of linear approximation tables. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 131–136. Springer, Heidelberg (1995) Google Scholar
  13. 13.
    Rivain, M., Roche, T.: SCARE of secret ciphers with SPN structures. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 526–544. Springer, Heidelberg (2013) Google Scholar
  14. 14.
    Schneier, B.: Description of a new variable-length key, 64-bit block cipher (Blowfish). In: Anderson, R. (ed.) FSE 1994. LNCS, vol. 809, pp. 191–204. Springer, Heidelberg (1994) Google Scholar
  15. 15.
    Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: Twofish: A 128-Bit Block CipherGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Tyge Tiessen
    • 1
    Email author
  • Lars R. Knudsen
    • 1
  • Stefan Kölbl
    • 1
  • Martin M. Lauridsen
    • 1
  1. 1.DTU ComputeTechnical University of DenmarkKgs. LyngbyDenmark

Personalised recommendations