6

In this paper they change the $AES$ S-box to a uniformly random one and answer the questions:

  1. How does the security of AES change when the S-box is changed by a secret S-box?

  2. Would it be safe to reduce the number of rounds?

I have tried reading the paper but there are some things I do not understand.

  1. Are the S-boxes they are considering just random permutations of bytes that fit into an $8 \times 8$ table? How might they have chosen all the entries to get the S-box?
  2. Are they choosing a random S-box and then leaving it unchanged thereafter?
  3. In Section $3.1$ they state differential cryptanalysis will not pose a threat to variants of $AES$ where the S-box is replaced by a randomly chosen $8$-bit box. This is confusing. Do they mean one $8$-bit element in the S-box? I thought the S-box was $256$-bit, not $8$.
  4. Still referring to Section $3.1$. If a random S-box is secure against DCA and LCA, why make such an effort to design the one currently in use?
  5. How does a random S-box cause the secret information to go from $128$ to $256$ bits (depending on the key size) to $1812$ to $1940$? I understand there is now more secret information owing to the secret S-box but I cannot see where these numbers ($1812$ to $1940$) come from.
Mike Edward Moras
Red Book 1

2 Answers

7

> Are the S-boxes they are considering just random permutations of bytes that fit into an 8×8 table? How might they have chosen all the entries to get the S-box?

Yes, they chose a random s-box.

> Are they choosing a random S-box and then leaving it unchanged thereafter?

Yes, it was unchanged.

> In Section 3.1 they state differential cryptanalysis will not pose a threat to variants of AES where the S-box is replaced by a randomly chosen 8-bit box. This is confusing. Do they mean one 8-bit element in the S-box? I thought the S-box was 256-bit, not 8.

The AES s-box size is 8-bit (8 bits in × 8 bits out), which is 256 entries, represented as a 16x16 table of bytes, which is 4+4 input bits with 8 output bits.

> Still referring to Section 3.1. If a random S-box is secure against DCA and LCA, why make such an effort to design the one currently in use?

A random s-box must be represented as a table both in machine code and in analysis of the cipher; the one chosen for Rijndael can be represented as an equation or a much smaller block of code. It also has better differential and linear properties than a random s-box, even if random was sufficient.

> How does a random S-box cause the secret information to go from 128 to 256 bits (depending on the key size) to 1812 to 1940? I understand there is now more secret information owing to the secret S-box but I cannot see where these numbers (1812 to 1940) come from.

I am guessing the extra bits were the information required to generate the s-box, apparently 1684 bits.

Despite that fact, and the fact an attacker does not know the s-box, they were still able to create practical attacks up to 6 rounds. There are other properties of s-boxes, and random ones usually suck in regards to those properties; where they do well is in algebraic complexity.

Richie Frame
4

A random 8-bit permutation has $\log_2(256!) = 1684$ bits of information in it. Add that to the regular AES key and you get the required number. You would not need/want to change the s-box. You initialize a secret s-box, presumably implemented as a lookup table, and don't change the s-box. A random s-box may be vulnerable to differential cryptanalysis but this is unlikely. Most random s-boxes will be resilient. Though note the bottom line is you still need a similar number of rounds, so it is not clear what benefit a secret s-box gives over normal 256-bit AES.

Meir Maor
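The figures in both answers can be checked numerically. The Python below is an added example, not code from the paper or from either answer, and its function names are my own: it computes $\log_2(256!)$, draws a uniformly random byte permutation, and compares the largest difference-distribution-table entry of the standard AES S-box with that of the random one.

```python
import math
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """Rebuild the standard AES S-box: field inverse, then the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

def random_sbox():
    """Uniformly random byte permutation via Fisher-Yates with a CSPRNG."""
    box = list(range(256))
    for i in range(255, 0, -1):
        j = secrets.randbelow(i + 1)
        box[i], box[j] = box[j], box[i]
    return box

def sbox_entropy_bits():
    """Bits needed to name one of the 256! permutations (about 1684)."""
    return math.log2(math.factorial(256))

def differential_uniformity(box):
    """Largest DDT entry over all nonzero input differences (lower is better)."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[box[x] ^ box[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

if __name__ == "__main__":
    print(f"log2(256!) = {sbox_entropy_bits():.2f} bits")
    print("AES S-box differential uniformity:   ", differential_uniformity(aes_sbox()))
    print("random S-box differential uniformity:", differential_uniformity(random_sbox()))
```

Adding the rounded 1684 bits to a 128-bit or 256-bit key gives the 1812 and 1940 from the question. The AES S-box scores 4, while a random permutation scores higher on every realistic draw.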