Slidex Attacks on the Even–Mansour Encryption Scheme

The Even–Mansour cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. Its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which is based on differential cryptanalysis) required chosen plaintexts. In this paper, we solve this open problem by introducing the new extended slide attack (abbreviated as slidex) which matches the $T = \Omega(2^n/D)$ lower bound on the time $T$ for any number of known plaintexts $D$. By using this tight security result, we show that a simplified single-key variant of the Even–Mansour scheme has exactly the same security as the original two-key scheme. We then show how to apply variants of the slidex attack to several other cryptosystems, including an Even–Mansour variant which adds rather than XORs its whitening keys, DES protected with decorrelation modules, various flavors of DESX, and a reduced-round version of GOST. In addition, we show how to apply the slidex attack in extreme scenarios in which the cryptanalyst is only given some partial information about the plaintexts, or when he can only use a tiny amount of memory.
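The following is an added toy illustration, not code from the paper, of the known-plaintext $T \cdot D = 2^n$ trade-off stated above. It assumes the two-key construction $C = F(P \oplus K_1) \oplus K_2$ with $F$ a public random permutation on a constructed $n = 16$ bit block, and the collision condition it searches for (two known pairs whose plaintexts differ by $K_1 \oplus \Delta$ for a guessed $\Delta$) is the standard slidex observation, written out here from the construction itself rather than taken from the page.

```python
import random

N_BITS = 16                      # toy block size; the trade-off is T * D ~ 2^n
SIZE = 1 << N_BITS

def make_permutation(seed):
    """Public random permutation F on n bits (stand-in for the cipher's fixed F)."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table

def em_encrypt(F, k1, k2, p):
    """Two-key Even-Mansour: C = F(P xor K1) xor K2."""
    return F[p ^ k1] ^ k2

def slidex_attack(F, pairs):
    """Known-plaintext slidex attack on a list of (P, C) pairs.

    For a guessed Delta, two pairs with P_i xor P_j == K1 xor Delta satisfy
    F(P_i xor Delta) xor C_i == F(P_j xor Delta) xor C_j, which gives
    K1 = P_i xor P_j xor Delta and K2 = F(P_i xor Delta) xor C_j.
    Each Delta costs D evaluations of F and about 2^n / D^2 values of Delta
    are needed, so the total work is on the order of 2^n / D evaluations.
    Returns (K1, K2, number_of_F_evaluations), or None if nothing verified.
    """
    evals = 0
    for delta in range(SIZE):
        seen = {}                               # value -> (P, C) that produced it
        for p, c in pairs:
            v = F[p ^ delta] ^ c
            evals += 1
            if v in seen:
                p2, c2 = seen[v]
                k1, k2 = p ^ p2 ^ delta, F[p ^ delta] ^ c2
                # A collision can be accidental: verify against every known pair.
                if all(em_encrypt(F, k1, k2, q) == d for q, d in pairs):
                    return k1, k2, evals
            else:
                seen[v] = (p, c)
    return None

def demo(seed=1, d=256):
    """Constructed instance: random keys and D distinct random known plaintexts.
    Returns (keys_recovered_correctly, F_evaluations_used)."""
    rng = random.Random(seed)
    F = make_permutation(seed + 1)
    k1, k2 = rng.randrange(SIZE), rng.randrange(SIZE)
    pairs = [(p, em_encrypt(F, k1, k2, p)) for p in rng.sample(range(SIZE), d)]
    found_k1, found_k2, evals = slidex_attack(F, pairs)
    return (found_k1, found_k2) == (k1, k2), evals
```

With the sample sizes above, the evaluation count returned by `demo` stays within a small constant of $2^n/D$, which is the behaviour the abstract's bound describes.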
