MixColumns Properties and Attacks on (Round-Reduced) AES with a Single Secret S-Box
In this paper, we present new key-recovery attacks on AES with a single secret S-Box. Several attacks for this model have been proposed in literature, the most recent ones at Crypto’16 and FSE’17. Both these attacks exploit a particular property of the MixColumns matrix to recover the secret-key.
In this work, we show that the same attacks work exploiting a weaker property of the MixColumns matrix. As first result, this allows to (largely) increase the number of MixColumns matrices for which it is possible to set up all these attacks. As a second result, we present new attacks on 5-round AES with a single secret S-Box that exploit the new multiple-of-n property recently proposed at Eurocrypt’17. This property is based on the fact that choosing a particular set of plaintexts, the number of pairs of ciphertexts that lie in a particular subspace is a multiple of n.
KeywordsAES MixColumns Key-recovery attack Secret S-Box
The author thanks Christian Rechberger for fruitful discussions and comments that helped to improve the quality of the paper.
- 1.CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html
- 3.Biham, E., Keller, N.: Cryptanalysis of reduced variants of Rijndael (2001). http://csrc.nist.gov/archive/aes/round2/conf3/papers/35-ebiham.pdf
- 5.Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_4 Google Scholar
- 13.Datta, N., Nandi, M.: ELmD. https://competitions.cr.yp.to/round1/elmdv10.pdf
- 15.Grassi, L.: MixColumns properties and attacks on (round-reduced) AES with a single secret S-box, Cryptology ePrint Archive, Report 2017/1200 (2017)Google Scholar
- 17.Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://ojs.ub.rub.de/index.php/ToSC/article/view/571 Google Scholar
- 18.Knudsen, L.R.: DEAL - a 128-bit block cipher, Technical report 151. University of Bergen, Norway, Department of Informatics (1998)Google Scholar
- 20.Mennink, B., Neves, S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017)Google Scholar
- 24.Wu, H., Preneel, B.: A Fast Authenticated Encryption Algorithm. http://competitions.cr.yp.to/round1/aegisv11.pdf