Abstract
In this paper, we present new key-recovery attacks on AES with a single secret S-Box. Several attacks for this model have been proposed in the literature, the most recent ones at Crypto'16 and FSE'17. Both of these attacks exploit a particular property of the MixColumns matrix to recover the secret key.
In this work, we show that the same attacks work by exploiting a weaker property of the MixColumns matrix. As a first result, this (largely) increases the number of MixColumns matrices for which it is possible to set up all these attacks. As a second result, we present new attacks on 5-round AES with a single secret S-Box that exploit the new multiple-of-n property recently proposed at Eurocrypt'17. This property is based on the fact that, for a particular choice of the set of plaintexts, the number of pairs of ciphertexts that lie in a particular subspace is a multiple of n.
Notes
- 1. For completeness, we mention that a randomly chosen S-Box is likely to have good properties against differential and linear cryptanalysis, as shown in [22].
- 2. A pair of texts has a certain difference if and only if the texts belong to the same coset of a particular subspace \(\mathcal X\).
- 3. We mention that 5-round AES has been replaced by 6-round AES in ELmD v2.0.
- 4. For completeness, we remark that bounding the characteristic probability is not enough to prove resistance against other kinds of differential and linear attacks.
- 5. SR makes sure column values are spread, MC makes sure each column is mixed.
- 6. Sometimes we use the notation \(R_{k}\) instead of R to highlight the round key k.
- 7. The i-th diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r - c = i \bmod 4\). The i-th anti-diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r + c = i \bmod 4\).
- 8. Two pairs \((c^i, c^j)\) and \((c^j, c^i)\) are considered equivalent.
- 9. In this case, one needs that for each one of the \(2^8-1\) wrong possible values for \(\delta \), at least one set \(\mathcal A_\delta \) for which the number of collisions is odd exists with probability higher than \((0.9998)^{1/12} = 99.99835\%\).
- 10. The source codes of this and the other attacks on AES with a secret S-Box are available at https://github.com/Krypto-iaik/Attacks_AES_SecretSBox2.
- 11. The source codes are available at https://github.com/Krypto-iaik/Attacks_AES_SecretSBox2.
- 12. A matrix \(M \in \mathbb F^{n\times n}_{2^m}\) is called a Maximum Distance Separable (MDS) matrix if and only if its branch number \(\mathcal B(M)\) satisfies \(\mathcal B(M) = n + 1\). Equivalently, a matrix M is MDS if and only if all square sub-matrices of M are of full rank. It follows immediately that if a matrix is not invertible, it cannot be MDS.
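As an added illustration of notes 7 and 12 (this code is not part of the paper or of the linked repository), the following checks the "all square sub-matrices have full rank" characterisation of an MDS matrix over \(\mathbb F_{2^8}\), using the AES field polynomial and the AES MixColumns matrix as input, and extracts the i-th diagonal and anti-diagonal of a \(4 \times 4\) matrix as defined in note 7. The matrix names `MC` and `IDENTITY` are assumptions of this example.

```python
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) as in AES MixColumns (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def det(m):
    """Determinant over GF(2^8) by Laplace expansion; in characteristic 2 signs vanish."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for c in range(n):
        minor = [row[:c] + row[c + 1:] for row in m[1:]]
        total ^= gf_mul(m[0][c], det(minor))
    return total


def is_mds(m):
    """Note 12: M is MDS iff every square sub-matrix has full rank (non-zero determinant)."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[r][c] for c in cols] for r in rows]
                if det(sub) == 0:
                    return False
    return True


def diagonal(m, i):
    """Note 7: entries on row r, column c with r - c = i mod 4."""
    n = len(m)
    return [m[r][c] for r in range(n) for c in range(n) if (r - c) % n == i]


def anti_diagonal(m, i):
    """Note 7: entries on row r, column c with r + c = i mod 4."""
    n = len(m)
    return [m[r][c] for r in range(n) for c in range(n) if (r + c) % n == i]


# Constructed inputs: the AES MixColumns matrix (MDS) and the identity matrix (not MDS).
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IDENTITY = [[int(r == c) for c in range(4)] for r in range(4)]
```

The identity matrix is invertible yet fails the test at its 1x1 zero sub-matrices, which shows that invertibility alone is necessary but not sufficient for the MDS property.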
References
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2
Biham, E., Keller, N.: Cryptanalysis of reduced variants of Rijndael (2001). http://csrc.nist.gov/archive/aes/round2/conf3/papers/35-ebiham.pdf
Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993). https://doi.org/10.1007/978-1-4613-9314-6
Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_4
Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. J. Cryptol. 23(4), 505–518 (2010)
Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)
Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Crypt. 70(3), 369–383 (2014)
Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Cryptanalysis of PRESENT-like ciphers with secret S-boxes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 270–289. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_16
Cid, C., Murphy, S., Robshaw, M.J.B.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_10
Daemen, J., Knudsen, L., Rijmen, V.: The block cipher square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
Datta, N., Nandi, M.: ELmD. https://competitions.cr.yp.to/round1/elmdv10.pdf
Gilbert, H., Chauvaud, P.: A chosen plaintext attack of the 16-round Khufu cryptosystem. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 359–368. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_33
Grassi, L.: MixColumns properties and attacks on (round-reduced) AES with a single secret S-box, Cryptology ePrint Archive, Report 2017/1200 (2017)
Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_10
Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://ojs.ub.rub.de/index.php/ToSC/article/view/571
Knudsen, L.R.: DEAL - a 128-bit block cipher, Technical report 151. University of Bergen, Norway, Department of Informatics (1998)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Mennink, B., Neves, S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017)
Sun, B., Liu, M., Guo, J., Qu, L., Rijmen, V.: New Insights on AES-like SPN ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 605–624. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_22
Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_9
Vaudenay, S.: On the weak keys of blowfish. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 27–32. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_39
Wu, H., Preneel, B.: A Fast Authenticated Encryption Algorithm. http://competitions.cr.yp.to/round1/aegisv11.pdf
Acknowledgements
The author thanks Christian Rechberger for fruitful discussions and comments that helped to improve the quality of the paper.
© 2018 Springer International Publishing AG, part of Springer Nature
Grassi, L. (2018). MixColumns Properties and Attacks on (Round-Reduced) AES with a Single Secret S-Box. In: Smart, N. (ed.) Topics in Cryptology – CT-RSA 2018. Lecture Notes in Computer Science, vol. 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_13
DOI: https://doi.org/10.1007/978-3-319-76953-0_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76952-3
Online ISBN: 978-3-319-76953-0
eBook Packages: Computer Science (R0)