Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

Lorenzo Grassi, Markus Schofnegger*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference paper, peer-review


In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), namely approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). For a success probability of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential attack. Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-box is known and in the case in which it is secret.

Original language: English
Title of host publication: Progress in Cryptology – INDOCRYPT 2020
Subtitle of host publication: 21st International Conference on Cryptology in India, Bangalore, India, December 13–16, 2020, Proceedings
Editors: Karthikeyan Bhargavan, Elisabeth Oswald, Manoj Prabhakaran
Place of Publication: Cham
Number of pages: 20
ISBN (Print): 978-3-030-65276-0
Publication status: Published - 2020
Event: 21st International Conference on Cryptology in India - Virtual, India
Duration: 13 Dec 2020 to 16 Dec 2020

Publication series

Name: Lecture Notes in Computer Science

Conference: 21st International Conference on Cryptology in India
Abbreviated title: Indocrypt 2020


  • AES
  • Mixture Differential Cryptanalysis
  • Secret-Key Distinguisher
  • Low-Data Attack
  • Secret S-Box

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

