MixColumns Properties and Attacks on (Round-Reduced) AES with a Single Secret S-Box

  • Lorenzo Grassi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


In this paper, we present new key-recovery attacks on AES with a single secret S-Box. Several attacks for this model have been proposed in the literature, the most recent ones at Crypto’16 and FSE’17. Both these attacks exploit a particular property of the MixColumns matrix to recover the secret key.

In this work, we show that the same attacks work by exploiting a weaker property of the MixColumns matrix. As a first result, this (largely) increases the number of MixColumns matrices for which all these attacks can be set up. As a second result, we present new attacks on 5-round AES with a single secret S-Box that exploit the new multiple-of-n property recently proposed at Eurocrypt’17. This property is based on the fact that, for a particular set of plaintexts, the number of pairs of ciphertexts that lie in a particular subspace is a multiple of n.
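As an added illustration (not code from the paper), the following checks the multiple-of-8 property on a small-scale AES-style cipher: a 4x4 state of nibbles over GF(2^4), ShiftRows, the AES MixColumns circulant, 5 rounds, and a randomly drawn 4-bit bijection standing in for the secret S-box. Encrypting a full coset of the diagonal space D_0 (2^16 plaintexts) and counting ciphertext pairs whose difference lies in ID_J gives a count divisible by 8 whatever S-box and round keys are drawn; the cipher parameters, keys and base plaintext are constructed here and are assumptions, not values from the paper.

```python
import random

# Small-scale AES-like cipher: 4x4 state of nibbles (GF(2^4)), index r + 4*c.
def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x13 if a & 8 else 0), b >> 1
    return r

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]   # AES circulant, invertible here
# MIX_T[i][x] = column i of MIX times nibble x, packed with row r at bits 4r..4r+3
MIX_T = [[sum(gf16_mul(MIX[r][i], x) << (4 * r) for r in range(4)) for x in range(16)]
         for i in range(4)]
SR_IDX = [r + 4 * ((c + r) % 4) for c in range(4) for r in range(4)]  # ShiftRows: row r rotates by r

def encrypt(p, keys, sbox, rounds=5):
    """SubNibbles, ShiftRows, MixColumns, AddKey per round; the last round omits MC as in AES."""
    s = [p[i] ^ keys[0][i] for i in range(16)]
    for rd in range(1, rounds + 1):
        s = [sbox[s[i]] for i in SR_IDX]                      # SubNibbles fused with ShiftRows
        if rd < rounds:                                       # with MC kept, the subspace is MC(ID_J)
            out = []
            for c in range(0, 16, 4):
                v = MIX_T[0][s[c]] ^ MIX_T[1][s[c + 1]] ^ MIX_T[2][s[c + 2]] ^ MIX_T[3][s[c + 3]]
                out += [v & 15, v >> 4 & 15, v >> 8 & 15, v >> 12]
            s = out
        s = [s[i] ^ keys[rd][i] for i in range(16)]
    return s

def pairs_in_same_id_coset(cts, J):
    """Unordered pairs whose XOR lies in ID_J, i.e. that agree on every nibble outside ID_J."""
    keep = [i for i in range(16) if (i % 4 + i // 4) % 4 not in J]   # nibble (r,c) sits on ID_{(r+c)%4}
    buckets = {}
    for ct in cts:
        k = tuple(ct[i] for i in keep)
        buckets[k] = buckets.get(k, 0) + 1
    return sum(n * (n - 1) // 2 for n in buckets.values())

def multiple_of_8_experiment(seed=1, J=(0, 1, 2)):
    """Encrypt a full coset of D_0 (2^16 texts) under a random secret S-box and random round keys."""
    rng = random.Random(seed)
    sbox = rng.sample(range(16), 16)                          # any bijection: the property is S-box independent
    keys = [[rng.randrange(16) for _ in range(16)] for _ in range(6)]
    base = [rng.randrange(16) for _ in range(16)]             # constructed: the 12 nibbles off the main diagonal
    cts = [encrypt([(v >> (4 * (i // 5))) & 15 if i % 5 == 0 else base[i] for i in range(16)],
                   keys, sbox) for v in range(1 << 16)]       # D_0 = indices 0, 5, 10, 15
    return pairs_in_same_id_coset(cts, set(J))
```

With |J| = 3 the count is of the order of 2^15, so divisibility by 8 is a real check rather than a trivial zero; with |J| ≤ 2 and only 2^16 texts the expected count is near zero.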


Keywords: AES, MixColumns, Key-recovery attack, Secret S-Box



The author thanks Christian Rechberger for fruitful discussions and comments that helped to improve the quality of the paper.


References

1. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness.
2. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999).
3. Biham, E., Keller, N.: Cryptanalysis of reduced variants of Rijndael (2001).
4. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993).
5. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014).
6. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. J. Cryptol. 23(4), 505–518 (2010).
7. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017).
8. Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Crypt. 70(3), 369–383 (2014).
9. Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Cryptanalysis of PRESENT-like ciphers with secret S-boxes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 270–289. Springer, Heidelberg (2011).
10. Cid, C., Murphy, S., Robshaw, M.J.B.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005).
11. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997).
12. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002).
13.
14. Gilbert, H., Chauvaud, P.: A chosen plaintext attack of the 16-round Khufu cryptosystem. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 359–368. Springer, Heidelberg (1994).
15. Grassi, L.: MixColumns properties and attacks on (round-reduced) AES with a single secret S-box. Cryptology ePrint Archive, Report 2017/1200 (2017).
16. Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017).
17. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017).
18. Knudsen, L.R.: DEAL - a 128-bit block cipher. Technical report 151, University of Bergen, Norway, Department of Informatics (1998).
19. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994).
20. Mennink, B., Neves, S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017).
21. Sun, B., Liu, M., Guo, J., Qu, L., Rijmen, V.: New insights on AES-like SPN ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 605–624. Springer, Heidelberg (2016).
22. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015).
23. Vaudenay, S.: On the weak keys of Blowfish. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 27–32. Springer, Heidelberg (1996).
24. Wu, H., Preneel, B.: A Fast Authenticated Encryption Algorithm.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. IAIK, Graz University of Technology, Graz, Austria
