2 research outputs found

    Security of the AES with a Secret S-box

    How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allows to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of $2^{17}/2^{16}$, $2^{38}/2^{40}$ and $2^{90}/2^{64}$, respectively. Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.

    Improved Slender-Set Linear Cryptanalysis

    Abstract. In 2013, Borghoff et al. introduced a slender-set linear cryptanalysis on PRESENT-like ciphers with key-dependent secret S-boxes. In this paper, we propose an improved slender-set linear attack to PRESENT-like ciphers with secret S-boxes. We investigate three new cryptanalytic techniques, and use them to recover the secret S-boxes efficiently. Our first new idea is that we propose a new technique to support consistency of partitions of the input to the secret S-boxes. Our second new technique is that we present a more efficient method to recover the coordinate functions of secret S-boxes based on more information than that of Borghoff’s attack. The third new technique is that we propose a method of constructing all correct coordinate function of secret S-boxes by pruning search algorithm. In particular, we implemented a successful linear attack on the full round Maya in practice. In our experiments, the correct S-box can be recovered with $2^{36}$ known plaintexts, $2^{18.9}$ time complexity and negligible memory complexity at a success rate of 87.5%. Our attack is the improvement and sequel of Borghoff’s work on PRESENT-like cipher with secret S-boxes.