key: cord-0046996-xus30o7i
authors: An, Xin; Hu, Kai; Wang, Meiqin
title: MixColumns Coefficient Property and Security of the AES with A Secret S-Box
date: 2020-06-06
journal: Progress in Cryptology - AFRICACRYPT 2020
DOI: 10.1007/978-3-030-51938-4_6
sha: 3f859d44d44e0ac1cb235004b96a55c6fe5edb8f
doc_id: 46996
cord_uid: xus30o7i

The MixColumns operation is an important component providing diffusion for the AES. Its branch number ensures that any four consecutive rounds of the AES have at least 25 active S-Boxes, which makes the AES secure against differential and linear cryptanalysis. However, the choice of the coefficients of the MixColumns matrix may undermine the security of the AES against some novel types of attack. A particular property of the AES MixColumns coefficients has been noticed in recent papers: each row or column of the matrix has elements that sum to zero. Several attacks have been developed taking advantage of this coefficient property. In this paper we investigate further the influence of this specific coefficient property on the security of the AES. Our target, which is also one of the targets of the previous works, is a 5-round AES variant with a secret S-Box. We show how to take advantage of the coefficient property to extract the secret key directly, without any assistance from information about the S-Box. Compared with the previous similar attacks, the attacks presented here are the best in terms of complexity under the chosen-plaintext scenario.

The Advanced Encryption Standard (AES) [7] is designed to achieve good resistance against differential [3] and linear cryptanalysis [13]. This includes the selection of the S-Box and of linear components such as the MixColumns matrix. For the AES, the branch number of the MixColumns matrix is five, which ensures that any four consecutive rounds of a differential (linear) characteristic have at least 25 active S-Boxes [7, 8].
Considering that the maximum correlation and the maximum difference propagation probability over the AES S-Box are 2^{-3} and 2^{-6}, respectively, there are no effective differential or linear characteristics for four or more rounds of the AES. For performance reasons, the coefficients of the AES MixColumns matrix are chosen from a group of low-weight numbers. Therefore it is not surprising that there are elements in each row or column that add up to zero. For example, its first row is 02, 03, 01, 01, thus 01 ⊕ 01 = 0 and 01 ⊕ 02 ⊕ 03 = 0. Several attacks have been developed that are facilitated by this property, showing that it can be a potential weakness [2, 9, 10, 12, 15]. For convenience, we summarize it as two concrete types, as was done in [12]:

Property 1. Each row or column of the MixColumns matrix has two elements that sum to zero.

Property 2. Each row or column of the MixColumns matrix has three elements that sum to zero.

At Crypto 2016, Sun et al. noticed Property 1 for the first time and established the first zero-correlation linear hull and the first integral distinguisher for the 5-round AES [15]. The two attacks exploited the existing 4-round properties and extended them by one more round based on the MixColumns coefficient property. We take the 5-round zero-correlation linear hull as an example. As is well known, the previous zero-correlation linear hull can cover at most 3.5 rounds of the AES (without the last MixColumns) [4], which is illustrated in Fig. 1. Let the first column of the input mask and of the output mask of the MixColumns after the 3.5-round zero-correlation linear hull be Γ_in and Γ_out, respectively. According to the propagation of masks over a linear map [4], we have Γ_in = M_AES^T Γ_out, where M_AES^T is the transpose of the matrix used by the AES MixColumns. Then, if we can ensure that the two active masks of Γ_out are equal, we can make certain that Γ_in has only three active bytes, as in Fig. 1.
Finally, the zero-correlation linear hull can be extended to 5 rounds. Although the two distinguishers in [15] cost the whole codebook, they spawned a sequence of new fundamental results based on Property 1 or 2. Soon after, two follow-up improvements were proposed which aimed to reduce the complexities [6, 12]. At FSE 2017, Grassi et al. used Property 1 to propose the first impossible differential distinguisher for the 5-round AES [10]. Later, at CT-RSA 2018, the impossible differential distinguisher was further improved by Grassi exploiting Property 2 [9]. In the same paper, he also discussed attacks on an AES variant with a secret S-Box. By combining the MixColumns coefficient property and the multiple-of-n attack [11], Grassi managed to extract the secret key from the 5-round AES without knowing any information about the S-Box or recovering it in advance, as was done in [16]. The security of the AES variant with a secret S-Box was first studied by Tiessen et al. at FSE 2015 [16]. Assuming that the S-Box is chosen uniformly at random from all 8-bit S-Boxes and that all other components are unchanged, the size of the secret information increases from 128 bits to 1812 bits (see footnote 2; we focus on the AES-128). Generally speaking, a key-recovery attack requires the details of the S-Box, since we have to peel off some key-involved components. Consequently, the authors of [16] needed to recover an equivalent S-Box by the square attack [16] and then found the equivalent secret key. However, the work in [9] showed that it is possible to recover the key information directly, without recovering the S-Box in advance, if Property 1 or 2 is used appropriately. At Africacrypt 2019, Bardeh and Rønjom further studied the influence of Property 1 under the adaptive-chosen-ciphertext scenario, which is the newest result in this direction. The AES variant with a secret S-Box has thus been a popular target for studying the MixColumns coefficient property.
In this paper, we also study how to use the MixColumns coefficient property to extract key information without any knowledge of the S-Box. To explore the influence of the MixColumns coefficient property on the security of the AES, we propose two new attacks on the 5-round AES variant with a secret S-Box, based on Property 1 and Property 2 respectively. Our attacks are built upon the newest technique, called the exchange attack [1]: we manage to transform the 5-round exchange attack into two key-recovery attacks. Compared with the previous attacks based on the MixColumns coefficient property, our 5-round attacks need only 2^{42.6} or 2^{46} chosen plaintexts, which are new records under the chosen-plaintext scenario. All the attacks on the 5-round AES related to the MixColumns coefficient property are listed in Table 1 for a convenient comparison. In Sect. 2, we introduce the background knowledge needed in this paper. In Sect. 3 and 4, we present two new attacks exploiting Property 1 and Property 2, respectively. We conclude the paper in Sect. 5.

Footnote 1: In [9, 10], the authors used the scale that 100 memory accesses are approximately equivalent to one 5-round AES encryption. In this paper, we use the same scale.

Footnote 2: The number of all 8-bit S-Boxes is 2^8!, which amounts to log_2(2^8!) ≈ 1684 bits of information. In total, the secret information is about 1684 + 128 = 1812 bits.

The AES (Advanced Encryption Standard) [7] is an iterated block cipher with a substitution-permutation network (SPN) structure. It has three versions, with key sizes of 128, 192 and 256 bits and 10, 12 and 14 rounds, respectively. The block length is 128 bits, and the block is arranged as a 4 × 4 matrix of bytes, each a value in the finite field F_{2^8} defined by the AES irreducible polynomial. The round function is composed of SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (AK); in AK the state of the AES is XORed with the 128-bit round key. In the first round an additional AK is applied to the plaintext before the SB operation.
In the last round the MixColumns operation is omitted, for convenient decryption. In this paper we focus on the 5-round AES variant, where we consider five full rounds of the AES, keeping the last MC only for convenience of description. The target of this paper is an AES variant with a secret S-Box, i.e., the S-Box is replaced by a secret one while the other structure and components are the same as in the original AES.

Let x denote a plaintext, a ciphertext, an intermediate state or a key. Then x_{i,j} with i, j ∈ {0, 1, 2, 3} denotes the byte located at the intersection of the i-th row and the j-th column. The secret key is usually denoted by k. We denote one round of the AES by R and r full rounds of the AES by R^r. In this paper, we also adopt the notation of the subspaces for the AES initially proposed in [10]. For a pair (x, x'), its dual pair (x̃, x̃') is generated by exchanging the first diagonal between x and x'. We call a pair together with its dual pair, i.e., (x, x', x̃, x̃'), a pair-of-pair. For a matrix or a vector v, we denote its transpose by v^T.

Subspaces of the AES. The subspace trail of the AES works with vectors and vector spaces over F_{2^8}^{4×4}. We denote the unit vectors of F_{2^8}^{4×4} by e_{0,0}, e_{0,1}, ..., e_{3,3}, where e_{i,j} has a single 1 at the intersection of the i-th row and the j-th column.

Definition ([10]). The column spaces C_i are defined as C_i = ⟨e_{0,i}, e_{1,i}, e_{2,i}, e_{3,i}⟩.

Definition ([10]). The diagonal spaces D_i and inverse-diagonal spaces ID_i are defined as D_i = SR^{-1}(C_i) and ID_i = SR(C_i).

Definition ([10]). The i-th mixed spaces M_i are defined as M_i = MC(ID_i).

We refer readers to [10] for more details. Next we introduce a useful one-round subspace trail: for each coset D_I ⊕ a there exists a unique b ∈ C_I^⊥ such that after one round R(D_I ⊕ a) belongs to a coset of the column space, i.e., R(D_I ⊕ a) = C_I ⊕ b. In other words, if x ⊕ x' ∈ D_I, then R(x) ⊕ R(x') ∈ C_I.
The exchange attack is a new distinguisher proposed at Asiacrypt 2019 which can be used to attack the 5- and 6-round AES [1]. Since this paper only uses the distinguishing attack on the 5-round AES, we only introduce the basic ideas of its application to the 5-round AES. For a pair of states, if we exchange their first diagonals and obtain the dual pair, this is equivalent to swapping the corresponding column after one round of encryption. Furthermore, in some special cases, exchanging a column is equivalent to exchanging a diagonal. For example, if the difference of the state pair behaves like the rightmost state in Fig. 2, exchanging its first column is equivalent to exchanging its first diagonal, because only the byte at the intersection of the first column and the first diagonal is active. In [1], the authors modified a theorem from [14] which states an exchange-difference relation over 4 rounds of the AES.

Theorem 1 ([1], adapted from [14]). Let x, x' ∈ F_{2^8}^{4×4}, exchange some diagonals between x and x' to get x̃, x̃'; then for J ⊆ {0, 1, 2, 3} and 0 < |J| ≤ 3,

According to the exchange attack illustrated in Fig. 2 [1], we choose a pair of plaintexts x, x' ∈ D_J ⊕ a where J = {0, 1}, and exchange the first diagonal to get the dual pair x̃, x̃' ∈ C_I ⊕ a. With some probability, x ⊕ x' and x̃ ⊕ x̃' satisfy a special difference pattern such that it is equivalent to exchanging some diagonals of (R(x), R(x')) to get (R(x̃), R(x̃')). Then the starting condition of Theorem 1 is met, and we obtain a 5-round exchange-equivalent relation for the AES.

In this section, we show how to combine Property 1 with the exchange attack to establish an improved key-recovery attack on the 5-round AES with a secret S-Box. The basic idea of this attack is to extend the 4-round exchange-difference relation (Theorem 1) to 5 rounds.
In the attack, we first choose two plaintexts p, p' from a subspace S_0 = a ⊕ D_I where I = {0, 1}, and expect that R(p), R(p') will lie in a specific subspace S_1 = b ⊕ C_I as follows,

For two randomly drawn plaintexts p, p' ∈ S_0, the probability that R(p) ⊕ R(p') ∈ S_1 is 2^{-32}. However, taking Property 1 into consideration and choosing p, p' carefully according to some secret key information, we can make the probability of R(p) ⊕ R(p') ∈ S_1 differ between the wrong and the right key guess. Once R(p) ⊕ R(p') ∈ S_1, we can exchange the first diagonal between p and p' and get the dual pair (p̃, p̃'), so that (R(p), R(p')) and (R(p̃), R(p̃')) are two pairs satisfying the starting condition of Theorem 1. Hence, R^5(p) ⊕ R^5(p') and

It can be seen that the second byte of the output difference must be zero. Then, if the second column of the input difference of MC really has a pattern such as [a, 0, 0, a]^T where a ∈ F_{2^8} \ {0}, the probability that R(p) ⊕ R(p') ∈ S_1 (Eq. 2) will be 2^{-24} rather than 2^{-32}. For this reason, we define the set A_{z,δ} as follows,

and then choose two different plaintexts p ∈ A_{z_0,δ} and p' ∈ A_{z_1,δ} where z_0 ≠ z_1. Let the two secret key bytes which are XORed with p_{0,1} (resp. p'_{0,1}) and p_{3,0} (resp. p'_{3,0}) be k_{0,1} and k_{3,0}, respectively. After the operation f = SR ∘ SB ∘ AK, the second column of f(p) ⊕ f(p') has the form [a, 0, 0, a']^T with a = S-Box(z_0 ⊕ k_{0,1}) ⊕ S-Box(z_1 ⊕ k_{0,1}) and a' = S-Box(z_0 ⊕ δ ⊕ k_{3,0}) ⊕ S-Box(z_1 ⊕ δ ⊕ k_{3,0}). To meet the condition shown in Eq. 3, Eq. 5 should hold:

S-Box(z_0 ⊕ k_{0,1}) ⊕ S-Box(z_1 ⊕ k_{0,1}) = S-Box(z_0 ⊕ δ ⊕ k_{3,0}) ⊕ S-Box(z_1 ⊕ δ ⊕ k_{3,0})    (5)

Since the S-Box is a secret permutation, Eq. 5 has only two solutions, i.e., δ = k_{0,1} ⊕ k_{3,0} and δ = k_{0,1} ⊕ k_{3,0} ⊕ z_0 ⊕ z_1. If we let δ run through all values in F_{2^8}, we can guarantee that there are at least two values of δ for which Eq. 5 holds. For the sake of simplicity, we call these two δ right δ and the other values wrong δ. For right δ, the probability that R(p) ⊕ R(p') ∈ S_1 is 2^{-24}. For wrong δ, the probability is still 2^{-32}. Combining this with Theorem 1, we obtain the following proposition.

Proposition 1. Let p ∈ A_{z_0,δ} and p' ∈ A_{z_1,δ}.
Let (p̃, p̃') be the dual pair of (p, p'). If δ is right, then for certain M_J with |J| = 3 the pair-of-pair (p, p', p̃, p̃') is a right pair-of-pair with probability 2^{-54}; for wrong δ, the probability is 2^{-62}.

Proof. If two pairs satisfy the starting condition of Theorem 1, they will be in the same M_J at the same time after 4 rounds of encryption. Let |J| = 3; the probability for the two pairs being a right pair-of-pair is then 2^{-30}, since we have four choices of J. For wrong δ, the starting condition of Theorem 1 is satisfied with probability 2^{-32}. Then the probability for the two pairs being a right pair-of-pair is about 2^{-62}, which is consistent with the random case. For right δ, the starting condition is met with probability 2^{-24}, so the probability for the two pairs being a right pair-of-pair is 2^{-54}.

Finding δ Candidates. We can take advantage of Proposition 1 to find the right δ, which implies k_{0,1} ⊕ k_{3,0}. The process for finding δ is illustrated in Algorithm 1. For each candidate δ ∈ F_{2^8}, we find collision pairs and check whether there is at least one collision pair whose dual pair is also a collision pair. We explain briefly some crucial lines of Algorithm 1.

Preparing A_{z_0,δ} and A_{z_1,δ}. We require that the i-th plaintexts in A_{z_0,δ} and A_{z_1,δ} have the same value in the first diagonal. In this way, (c^i_{z_0}, c^j_{z_1}) must be the dual pair of (c^i_{z_1}, c^j_{z_0}). We can prepare a subset of D_0 of size 2^N and use it to generate the two sets A_{z_0,δ} and A_{z_1,δ}, where z_0 ≠ z_1.

Since we have stored all the ciphertexts in tables, we only need to store the indexes of the ciphertexts in the two hash tables. If the i-th lines of T_{z_0} and T_{z_1} are both non-empty, we have found a collision pair pointed to by the corresponding indexes.
Algorithm 1. Finding δ Candidates (Property 1)
1: procedure Core(z0, z1, r, c)    ▷ Return a set containing the possible right δ
2:   for each δ ∈ F_{2^8} do
3:     Initialize 2 sequence tables C_{z_0}, C_{z_1} and 1 table Δ
4:     Prepare two sets A_{z_0,δ}, A_{z_1,δ} with 2^29 plaintexts each    ▷ Make sure the i-th plaintexts share the first diagonal
8:         Store c^i_{z_j}
9:       end for
10:    end for
11:    for k = 0; k < 4; k = k + 1 do    ▷ For each M_k space, search for collisions
12:      Initialize 2 hash tables T_{z_0}, T_{z_1}
13:      for i = 0; i < 2^29; i = i + 1 do
14:        for j = 0; j < 2; j = j + 1 do
15:      if there is a collision pair with indexes (i0, i1) and i0 ≠ i1 then
20:

The number of right pair-of-pairs among the 2^{2N-1} pair-of-pairs obeys the binomial distribution B(2^{2N-1}, 2^{-54}) when δ is right. Otherwise, it obeys B(2^{2N-1}, 2^{-62}). Let N_r and N_w be the number of right pair-of-pairs for right and wrong δ, respectively. When we take N = 29, Pr(N_r ≥ 1) ≈ 0.9997 while Pr(N_w ≥ 1) ≈ 0.0308, which means we can distinguish the right δ from the wrong δ.

Determining the Exact k_{0,1} ⊕ k_{3,0}. Either of the right δ, namely δ = k_{0,1} ⊕ k_{3,0} and δ = k_{0,1} ⊕ k_{3,0} ⊕ z_0 ⊕ z_1, will bring at least one right pair-of-pair with probability about 0.9997. Therefore, both will be returned by Algorithm 1 with probability 0.9997^2 ≈ 0.9994. At the same time, the probability for a wrong δ being recommended is 0.0308. Over all 2^8 − 2 wrong δ, on average (2^8 − 2) × 0.0308 ≈ 8 wrong δ will also be recommended. All the δ candidates are inserted into a set Δ, which Algorithm 1 finally returns. To remove the wrong δ from Δ, we XOR z_0 ⊕ z_1 with each value in Δ. For a right δ, δ ⊕ z_0 ⊕ z_1 should also be in Δ with high probability (0.9994), while for a wrong δ the probability is about 2^{-8}. The method of removing wrong δ is shown in Algorithm 2. Now the set Δ contains only k_{0,1} ⊕ k_{3,0} and k_{0,1} ⊕ k_{3,0} ⊕ z_0 ⊕ z_1. To determine the exact right key byte, we have to call Algorithm 1 and Algorithm 2 again with another pair (z_2, z_3) to obtain a set Δ'; then we can easily determine the right k_{0,1} ⊕ k_{3,0} by comparing Δ and Δ'.
Therefore we recover one byte of key information with success probability 0.9994^2 ≈ 0.9988. The process is illustrated in Algorithm 3. The procedure RecoverKeyByte(r, c) (Algorithm 3) can be used to recover k_{r,c} ⊕ k_{r+1,c+1} (indices taken modulo 4). Since the equal bytes in the MC matrix are all adjacent, for the i-th diagonal of the key state we can recover k_{0,i} ⊕ k_{1,i+1}, k_{1,i+1} ⊕ k_{2,i+2}, k_{2,i+2} ⊕ k_{3,i+3} and k_{3,i+3} ⊕ k_{0,i}. However, from any three of the four values we can derive the remaining one, which means we can recover three bytes of useful key information for one diagonal. For the four diagonals of the key state, we can recover 12 bytes of key information, i.e., we can determine the secret key up to 2^{32} variants.

Algorithm 3. Recover the real key k_{r,c} ⊕ k_{r+1,c+1} (Property 1)

Data Complexity. From Algorithm 1, for every δ ∈ F_{2^8} we use four sets A_{z_i,δ}, i = 0, 1, 2, 3, each with 2^29 plaintexts. Therefore we need 2^29 × 2^8 × 4 = 2^39 chosen plaintexts to recover one key byte. In order to recover 12 key bytes, the total data complexity is 2^39 × 12 ≈ 2^{42.6} chosen plaintexts.

Computation Complexity. First, we evaluate the complexity of Algorithm 1. For each possible δ ∈ F_{2^8} we encrypt two sets A_{z_0,δ} and A_{z_1,δ}, each with 2^29 plaintexts; this needs 2^29 × 2 = 2^30 5-round encryptions. After obtaining 2^30 ciphertexts, we insert them into C_{z_0} and C_{z_1} with 2^30 table look-ups. To insert all the ciphertexts into T_{z_0} and T_{z_1}, we need 2^30 table look-ups again. Then we compare each line of T_{z_0} and T_{z_1} to find collision pairs, which requires 2 × 2^32 = 2^33 table look-ups. For the two sets A_{z_0,δ} and A_{z_1,δ}, each with 2^29 chosen plaintexts, on average we obtain 2^29 × 2^29 × 2^{-32} = 2^26 collision pairs. Once we find a collision pair (c^i_{z_0}, c^j_{z_1}), we need one XOR to check whether (c^i_{z_1}, c^j_{z_0}) also collides. These memory operations need about 2^33 table look-ups in total.
Considering that we have four possible M_k, the whole memory operation costs 2^35 table look-ups. We use the convention that 100 table look-ups are equivalent to one 5-round encryption. Hence, encrypting the plaintexts dominates the time complexity, which requires 2^30 5-round encryptions for each δ. To determine the exact one byte of key information (Algorithm 3), the time complexity is 2^8 × 2 × 2^30 = 2^39 5-round encryptions. Recovering 12 key bytes requires 2^39 × 12 ≈ 2^{42.6} 5-round encryptions.

Memory Complexity. We allocate 2 sequence tables of size 2^29 and 2 hash tables of size 2^32. Since these tables can be reused, the total memory complexity is about 2^32 × 2 + 2^29 × 2 ≈ 2^33 128-bit blocks.

Practical Verification. Using a C/C++ implementation, we practically verified our key-recovery attack on a small-scale variant of the AES as presented in [5]. The block size of the small-scale AES is 64 bits, and each word in the state matrix is a 4-bit nibble. We simply recover one byte of secret key XOR in our experiment. The experimental result supports our theory.

Similar to the exchange attack based on Property 1, we can also combine Property 2 of the MC matrix with the exchange attack to realize a key-recovery attack on the variant with a secret S-Box. To exploit Property 2, we focus on another subspace S_1 into which two plaintexts p, p' ∈ D_I, I = {0, 1}, should fall after the first round of encryption. If we exchange the first diagonal between p and p', it is equivalent to exchanging the first column between R(p) and R(p'). Since R(p), R(p') ∈ S_1, it is also equivalent to exchanging the first and the fourth diagonals between R(p) and R(p').

Details. Property 2 of MC says that three elements in each row can be XORed to zero. If the input difference of the four bytes of an MC column has three equal values and the remaining value is zero, the output difference will have two zero-difference bytes with probability 1.
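The two MixColumns patterns used in this paper ([a, 0, 0, a]^T in Sect. 3 and [a, a, a, 0]^T here) and the Eq. 5 condition on δ, checked in Python as an added example that is not part of the paper's own code. It assumes the reading of A_{z,δ} in which the pair differs as p_{0,1} = z_0, p'_{0,1} = z_1, p_{3,0} = z_0 ⊕ δ, p'_{3,0} = z_1 ⊕ δ; the secret S-Box and the key bytes are constructed from a fixed seed.

```python
"""Added example (not the paper's code): checks the MixColumns coefficient
property of the AES and the Property-1 condition of Eq. 5 against a random
secret S-Box.  Constructed inputs: the seeded S-Box and the key bytes."""
from functools import reduce
from itertools import combinations
import random

# The AES MixColumns matrix M_AES, row-major. Every row holds two coefficients
# that XOR to zero (Property 1) and three that XOR to zero (Property 2).
MC = [[0x02, 0x03, 0x01, 0x01],
      [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03],
      [0x03, 0x01, 0x01, 0x02]]


def xor_all(values):
    return reduce(lambda x, y: x ^ y, values, 0)


def gf_mul(a, b):
    """Multiply in F_{2^8} modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def mix_column(col):
    """MixColumns applied to one 4-byte column (a list of 4 ints)."""
    return [xor_all(gf_mul(MC[i][j], col[j]) for j in range(4)) for i in range(4)]


def zero_sum_subsets(row, size):
    """Index sets of `size` coefficients of `row` that XOR to zero."""
    return [c for c in combinations(range(4), size)
            if xor_all(row[j] for j in c) == 0]


def always_zero_rows(active):
    """Rows of MC(d) that are zero for EVERY column difference d holding the
    same nonzero byte a at the positions in `active` and 0 elsewhere.
    Brute-forced over all 255 values of a rather than argued algebraically."""
    rows = set(range(4))
    for a in range(1, 256):
        d = [a if j in active else 0 for j in range(4)]
        rows &= {i for i, v in enumerate(mix_column(d)) if v == 0}
    return sorted(rows)


def make_secret_sbox(seed):
    """A random 8-bit permutation standing in for the secret S-Box (constructed)."""
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box


def right_deltas_property1(sbox, k01, k30, z0, z1):
    """All δ for which Eq. 5 holds, assuming p_{0,1}=z0, p'_{0,1}=z1,
    p_{3,0}=z0^δ, p'_{3,0}=z1^δ and equal remaining bytes.  After AK, SB, SR
    these bytes land in rows 0 and 3 of the second column, so its difference
    is [top, 0, 0, bot]^T; Eq. 5 demands top == bot, and Property 1 then
    forces row 1 of the MixColumns output difference to zero."""
    top = sbox[z0 ^ k01] ^ sbox[z1 ^ k01]          # independent of δ
    found = []
    for delta in range(256):
        bot = sbox[z0 ^ delta ^ k30] ^ sbox[z1 ^ delta ^ k30]
        if top == bot:
            assert mix_column([top, 0, 0, bot])[1] == 0   # Property 1 in action
            found.append(delta)
    return found


if __name__ == "__main__":
    for i, row in enumerate(MC):
        print(f"row {i}: pairs {zero_sum_subsets(row, 2)}, "
              f"triples {zero_sum_subsets(row, 3)}")
    print("[a,0,0,a]^T -> always-zero output rows:", always_zero_rows({0, 3}))
    print("[a,a,a,0]^T -> always-zero output rows:", always_zero_rows({0, 1, 2}))
    sbox, k01, k30, z0, z1 = make_secret_sbox(2020), 0x4A, 0x9C, 0x00, 0x01
    found = right_deltas_property1(sbox, k01, k30, z0, z1)
    print("δ satisfying Eq. 5:", [hex(d) for d in found])
    print("the two guaranteed right δ:", hex(k01 ^ k30), hex(k01 ^ k30 ^ z0 ^ z1))
```

Besides the two guaranteed δ, a handful of wrong δ usually satisfy Eq. 5 by chance for a given (z_0, z_1), which is why the paper filters candidates with a second pair (z_2, z_3).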
It can be seen that there are two zero-difference values in the output difference with probability 1. Then, if the input difference of MC really has a pattern such as [a, a, a, 0]^T for some a ∈ F_{2^8} \ {0}, the probability that R(p) ⊕ R(p') ∈ S_1 will be 2^{-16} rather than 2^{-32}. To achieve this, we define the set A_{w,δ_1,δ_2} as follows,

We choose two different plaintexts p ∈ A_{w_0,δ_1,δ_2}, p' ∈ A_{w_1,δ_1,δ_2}. Let the key bytes XORed with p_{0,1}, p_{1,2}, p_{2,3} (resp. p'_{0,1}, p'_{1,2}, p'_{2,3}) be k_{0,1}, k_{1,2}, k_{2,3}, respectively. After the operation f = SR ∘ SB ∘ AK, the difference between the second columns of f(p) and f(p') has the form [a, a', a'', 0]^T with a = S(p_{0,1} ⊕ k_{0,1}) ⊕ S(p'_{0,1} ⊕ k_{0,1}), a' = S(p_{1,2} ⊕ k_{1,2}) ⊕ S(p'_{1,2} ⊕ k_{1,2}) and a'' = S(p_{2,3} ⊕ k_{2,3}) ⊕ S(p'_{2,3} ⊕ k_{2,3}), where we denote S-Box(·) by S(·) for short. To meet the condition shown in Eq. 7, these three values must be equal (Eq. 10). Since the S-Box is a secret permutation, there can be only four kinds of solutions (Eq. 11). Similar to the attack in Sect. 3, we let (δ_1, δ_2) run through all possible values in F_{2^8} × F_{2^8}. There will be at least four values of (δ_1, δ_2) that make Eq. 10 hold. We call the four (δ_1, δ_2) of Eq. 11 right (δ_1, δ_2) and the other values wrong (δ_1, δ_2). For right (δ_1, δ_2), the probability of R(p) ⊕ R(p') ∈ S_1 is 2^{-16}, while for wrong (δ_1, δ_2) the probability is still 2^{-32}. Combining this with Theorem 1, we obtain the following proposition.

Proposition 2. Let p ∈ A_{w_0,δ_1,δ_2} and p' ∈ A_{w_1,δ_1,δ_2}, and let (p̃, p̃') be generated by exchanging the first diagonal between p and p'. If (δ_1, δ_2) is right, for certain M_J with |J| = 3, while for wrong (δ_1, δ_2),

The proof of Proposition 2 is similar to that of Proposition 1; we omit it here.

Finding (δ_1, δ_2) Candidates. We can also take advantage of Proposition 2 to find the right (δ_1, δ_2), which implies the key byte information k_{0,1} ⊕ k_{1,2} and k_{0,1} ⊕ k_{2,3}. The process for finding (δ_1, δ_2) candidates is similar to Algorithm 1, except that we need to guess two key byte differences. The process is illustrated in Algorithm 4.

Preparing A_{w_0,δ_1,δ_2} and A_{w_1,δ_1,δ_2}.
If the sizes of A_{w_0,δ_1,δ_2} and A_{w_1,δ_1,δ_2} are both 2^M, we can obtain 2^{2M} pairs (p, p') by choosing p ∈ A_{w_0,δ_1,δ_2} and p' ∈ A_{w_1,δ_1,δ_2}. By exchanging the first diagonal, we get in total 2^{2M−1} pair-of-pairs (p, p', p̃, p̃'). If R^5(p) ⊕ R^5(p') ∈ M_J and R^5(p̃) ⊕ R^5(p̃') ∈ M_J for some |J| = 3 hold at the same time, we call such a (p, p', p̃, p̃') a right pair-of-pair. Consider the number of right pair-of-pairs, M_r for right (δ_1, δ_2) and M_w for wrong ones. When we take M = 25, Pr(M_r ≥ 1) ≈ 0.9997 while Pr(M_w ≥ 1) ≈ 0.0001, which means we can distinguish the right (δ_1, δ_2) from the wrong ones.

Determining k_{0,1} ⊕ k_{1,2} and k_{0,1} ⊕ k_{2,3}. In this attack, we also have a probability 1 − (1 − 0.0001)^{2^{16} − 4} ≈ 0.9986, nearly 1, of returning at least one wrong (δ_1, δ_2). On average, approximately (2^{16} − 4) × 0.0001 ≈ 7 wrong (δ_1, δ_2) will be returned. To remove the wrong (δ_1, δ_2) from Δ, we XOR w_0 ⊕ w_1 with the two components of each value in Δ and check whether the result is in Δ or not, as in Algorithm 5. To determine the exact (k_{0,1} ⊕ k_{1,2}, k_{0,1} ⊕ k_{2,3}), we need two additional sets A_{w_2,δ_1,δ_2} and A_{w_3,δ_1,δ_2}, where (w_0, w_1) ≠ (w_2, w_3), with 2^25 plaintexts each, and do the same. Finally, we succeed in recovering the two key bytes with probability 0.9997^{4×2} ≈ 0.9976. The process is illustrated in Algorithm 6. After we recover two key bytes of information, we can take the same strategy to recover the other key byte information in the same diagonal. At last we can recover 12 key byte differences, i.e., we can determine the entire secret key up to 2^{32} variants.

Data Complexity. According to Algorithm 4, for each (δ_1, δ_2) we use two sets A_{w_0,δ_1,δ_2} and A_{w_1,δ_1,δ_2}, each with 2^25 plaintexts. Two additional sets A_{w_2,δ_1,δ_2} and A_{w_3,δ_1,δ_2} are also required to find the exact two key bytes. Therefore, in total we need 2^25 × 2^16 × 2 × 2 = 2^43 chosen plaintexts to recover two key bytes.
To find the 12 bytes of key information, the total data complexity is about 2^43 × 8 = 2^46.

Computation Complexity. Encrypting two sets with 2^25 plaintexts needs 2^25 × 2 = 2^26 5-round encryptions, which dominates the complexity of Algorithm 4. The total time complexity is about 2^26 × 2^16 × 2 × 8 = 2^46 5-round encryptions.

Memory Complexity. We allocate two sequence tables of size 2^25 to store the two ciphertext sets and additionally 2 hash tables of size 2^32. The memory complexity is finally 2^33 128-bit blocks.

Algorithm 4. Finding (δ_1, δ_2) Candidates (Property 2)
1: procedure Core(w0, w1, r, c)    ▷ Return a set containing possible (δ1, δ2)
2:   for each (δ1, δ2) ∈ F_{2^8} × F_{2^8} do
3:     Initialize 2 sequence tables C_{w_0} and C_{w_1}, 1 table Δ
4:     Prepare two sets A_{w_0,δ_1,δ_2}, A_{w_1,δ_1,δ_2} with 2^25 plaintexts each as Eq. 8
5:         Push back c^i_{w_j} into the sequence table
9:       end for
10:    end for
11:    for k = 0; k < 4; k = k + 1 do
12:      Initialize 2 hash tables T_{w_0}, T_{w_1}
13:      if there is a collision pair with indexes (i0, i1) and i0 ≠ i1 then
20:

In this paper, we explored the impact of the MC coefficient property on the security of the AES variant with a secret S-Box. We provided two attacks based on Property 1 and Property 2 respectively, achieving the best record in terms of complexity under the chosen-plaintext scenario. Such attacks remind us to pay attention to the choice of the MC matrix for AES-like ciphers. To the best of our knowledge, no previous attack on the AES has taken advantage of any property of the MC matrix other than its branch number. This means that we may substitute any other MDS matrix free of Property 1 or 2 for the AES MC matrix without endangering its security against other attacks. In [9], Grassi showed that only about 6.87% of all MDS matrices have the two kinds of properties. Nevertheless, choosing an MC matrix is still difficult work, since the performance of the cipher must be considered. The MC matrix of the AES is already well qualified by its very low weight, thus it is an interesting open question how to choose a proper MDS matrix without the particular coefficient property while achieving the same or even higher efficiency.

Acknowledgements. We thank the anonymous reviewers for their valuable comments. This work is supported by the National Key Research and Development Project No. 2018YFA0704702, Major Scientific and Technological Innovation Project of Shandong

References
[1] The exchange attack: how to distinguish six rounds of AES with 2^88.2 chosen plaintexts
[2] Practical attacks on reduced-round AES
[3] Differential cryptanalysis of DES-like cryptosystems
[4] Linear hulls with correlation zero and linear cryptanalysis of block ciphers
[5] Small scale variants of the AES
[6] Statistical integral distinguisher with multi-structure and its application on AES
[7] The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography
[8] Security of a wide trail design
[9] Mixcolumns properties and attacks on (round-reduced) AES with a single secret S-box
[10] Subspace trail cryptanalysis and its applications to AES
[11] A new structural-differential property of 5-round AES
[12] Towards key-dependent integral and impossible differential distinguishers on 5-round AES
[13] Linear cryptanalysis method for DES cipher
[14] Yoyo tricks with AES
[15] New insights on AES-like SPN ciphers
[16] Security of the AES with a secret S-box