Score:0

If keeping the S-Boxes secret in SPN ciphers increases their security, does using a different S-Box set per round increase it even more?


I read in this paper that keeping the S-boxes secret in AES raises its security from 128-256 bits to 1812-1940 bits.

Let's suppose I use a different S-box set for every single round.

Does this increase security even more than using only the same S-box set in the entire cipher?

forest avatar
You can't just randomize the S-box and call it a day. A random S-box may actually be _less_ secure than one that's chosen with specific security properties, which is the case of the AES S-box. Note that some ciphers actually do use a different S-box on each round, [like Serpent](https://crypto.stackexchange.com/a/67986/54184), but this is done because the S-boxes are very small (only 4 bits), so it's easy to exhaustively iterate through all $2^4!$ possible tables to find ideal properties.
phantomcraft avatar
@forest I already read that book; what I asked is whether using a different S-box set for each round could possibly increase the security of the encipherment.
forest avatar
I think there are other answers here which discuss AES with changing S-boxes.
Score:3

I think you are confused. The abstract states the opposite:

Abstract:

How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allow to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES.

Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of $2^{17}/2^{16},2^{38}/2^{40}$ and $2^{90}/2^{64},$ respectively.

Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.

In conclusion, even though the nominal key length is much longer, the attacks demonstrated do not exhibit a corresponding increase in computational complexity.

Remark: An attack complexity of $2^f$ is equivalent to $f$ bits of security, typically measured by $2^f$ encryptions/decryptions in terms of time and $2^f$ blocks of memory in terms of space.
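The integral cryptanalysis named in the quoted abstract rests on a property that needs only bijective S-boxes, so it holds whether the S-boxes are known, secret, or different in every round. The following is an added example, not code from this thread or from the cited paper, and it goes beyond the thread by showing only the basic three-round balanced-sum property rather than the paper's key and S-box recovery. It assumes a constructed toy cipher with the AES round structure (full rounds including MixColumns), random secret S-boxes and independent random round keys; `make_cipher` and `integral_sum` are hypothetical names.

```python
import random

def xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial 0x11B.
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def mix_column(col):
    # AES MixColumns on one column: matrix rows are rotations of (2, 3, 1, 1).
    a0, a1, a2, a3 = col
    return [xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
            a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
            a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
            xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)]

def round_fn(state, sbox, rkey):
    # State is 16 bytes, column-major as in AES: index = 4 * column + row.
    s = [sbox[b] for b in state]                                        # SubBytes
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
    s = [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]   # MixColumns
    return [b ^ k for b, k in zip(s, rkey)]                             # AddRoundKey

def make_cipher(rounds, rng, per_round_sboxes):
    # Constructed toy: secret random bijective S-boxes, independent round keys.
    def rand_sbox():
        s = list(range(256))
        rng.shuffle(s)
        return s
    shared = rand_sbox()
    sboxes = [rand_sbox() if per_round_sboxes else shared for _ in range(rounds)]
    keys = [[rng.randrange(256) for _ in range(16)] for _ in range(rounds + 1)]
    def encrypt(block):
        s = [b ^ k for b, k in zip(block, keys[0])]
        for sbox, rkey in zip(sboxes, keys[1:]):
            s = round_fn(s, sbox, rkey)
        return s
    return encrypt

def integral_sum(encrypt, rng):
    # XOR of the 256 ciphertexts whose plaintexts differ only in byte 0.
    base = [rng.randrange(256) for _ in range(16)]
    acc = [0] * 16
    for v in range(256):
        acc = [a ^ c for a, c in zip(acc, encrypt([v] + base[1:]))]
    return acc

if __name__ == "__main__":
    rng = random.Random(2024)  # constructed seed, any value works
    for rounds in (3, 4):
        for per_round in (False, True):
            total = integral_sum(make_cipher(rounds, rng, per_round), rng)
            print(rounds, "rounds, per-round S-boxes:", per_round, "sum zero:", not any(total))
```

After three rounds the XOR sum is zero in every byte for both the shared and the per-round S-box variants, which is a distinguisher that never needs to know the S-boxes; the fourth round's S-box layer is what breaks the balance.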
