IACR News item: 27 February 2015
Tyge Tiessen, Lars R. Knudsen, Stefan Kölbl, Martin M. Lauridsen
ePrint Report
by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds?
In this paper, we demonstrate attacks based on integral cryptanalysis that recover both the secret key and the secret S-box for four, five, and six rounds of the AES, respectively. Despite the significantly larger amount of secret information that an adversary needs to recover, the attacks are very efficient, with time/data complexities of $2^{17}/2^{16}$, $2^{38}/2^{40}$ and $2^{90}/2^{64}$, respectively.
Another interesting aspect of our attack is that it works both as a chosen-plaintext and as a chosen-ciphertext attack. Surprisingly, the chosen-ciphertext variant has a significantly lower time complexity in the attacks on four and five rounds, compared to the respective chosen-plaintext attacks.