Tight Security Bounds for Key-Alternating Ciphers

A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher \(E\) from \(t\) fixed public permutations \(P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n\) and a key \(k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}\) by setting \(E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))\). The indistinguishability of \(E_k\) from a truly random permutation by an adversary who also has oracle access to the (public) random permutations \(P_1, \ldots, P_t\) was investigated in 1997 by Even and Mansour for \(t = 1\) and for higher values of \(t\) in a series of recent papers. For \(t = 1\), Even and Mansour proved indistinguishability security up to \(2^{n/2}\) queries, which is tight. Much later, Bogdanov et al. (2011) conjectured that security should be \(2^{\frac{t}{t+1}n}\) queries for general \(t\), which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour's original result for \(t = 1\): Bogdanov et al. proved security of \(2^{\frac{2}{3}n}\) for \(t \geq 2\), Steinberger (2012) proved security of \(2^{\frac{3}{4}n}\) for \(t \geq 3\), and Lampe, Patarin and Seurin (2012) proved security of \(2^{\frac{t}{t+2}n}\) for all even values of \(t\), thus "barely" falling short of the desired \(2^{\frac{t}{t+1}n}\).
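The t-round construction defined above, written out as an added example (this is not code from the paper). The public permutations \(P_1, \ldots, P_t\) are constructed stand-ins: lookup tables on a small n-bit domain produced by a seeded shuffle, chosen only so that the encryption, decryption and bijectivity checks run offline; the key is the list of t+1 round keys \(k_0, \ldots, k_t\).

```python
import random
from typing import List, Sequence

def make_public_permutations(t: int, n: int, seed: int = 1) -> List[List[int]]:
    # Constructed stand-ins for the public permutations P_1..P_t on {0,1}^n,
    # stored as lookup tables. The seeded shuffle only makes the example
    # reproducible; these tables are not cryptographic permutations.
    rng = random.Random(seed)
    perms = []
    for _ in range(t):
        table = list(range(1 << n))
        rng.shuffle(table)
        perms.append(table)
    return perms

def invert_permutation(p: Sequence[int]) -> List[int]:
    # Build P^{-1} as a table so decryption can walk the rounds backwards.
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return inv

def kac_encrypt(perms: Sequence[Sequence[int]], keys: Sequence[int], x: int) -> int:
    # E_k(x) = k_t xor P_t(k_{t-1} xor P_{t-1}(... k_1 xor P_1(k_0 xor x) ...)),
    # with the key k = k_0 || ... || k_t passed as a list of t+1 n-bit words.
    t = len(perms)
    if len(keys) != t + 1:
        raise ValueError("a t-round key-alternating cipher needs t+1 round keys")
    y = x ^ keys[0]
    for i in range(t):
        y = perms[i][y] ^ keys[i + 1]
    return y

def kac_decrypt(perms: Sequence[Sequence[int]], keys: Sequence[int], y: int) -> int:
    # Undo the rounds in reverse: strip k_i, apply P_i^{-1}, down to k_0.
    t = len(perms)
    if len(keys) != t + 1:
        raise ValueError("a t-round key-alternating cipher needs t+1 round keys")
    inverses = [invert_permutation(p) for p in perms]
    x = y
    for i in reversed(range(t)):
        x = inverses[i][x ^ keys[i + 1]]
    return x ^ keys[0]

def is_permutation_of_domain(perms, keys, n: int) -> bool:
    # E_k must be a bijection on {0,1}^n for every key; check it exhaustively.
    images = {kac_encrypt(perms, keys, x) for x in range(1 << n)}
    return len(images) == 1 << n

def demo(t: int = 3, n: int = 8, seed: int = 7) -> bool:
    # Constructed parameters: t rounds on n-bit blocks with a random key.
    rng = random.Random(seed)
    perms = make_public_permutations(t, n)
    keys = [rng.randrange(1 << n) for _ in range(t + 1)]
    roundtrip = all(kac_decrypt(perms, keys, kac_encrypt(perms, keys, x)) == x
                    for x in range(1 << n))
    return roundtrip and is_permutation_of_domain(perms, keys, n)
```

With t = 1 the same code is the original Even-Mansour cipher \(k_1 \oplus P_1(k_0 \oplus x)\); the number of rounds only changes the length of the key list.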

[1] Yannick Seurin et al. How to Construct an Ideal Cipher from a Small Set of Public Permutations. ASIACRYPT, 2013.

[2] Yishay Mansour et al. A Construction of a Cipher From a Single Pseudorandom Permutation. ASIACRYPT, 1991.

[3] Vincent Rijmen et al. The Design of Rijndael. Information Security and Cryptography, 2002.

[4] Stefano Tessaro et al. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. IACR Cryptology ePrint Archive, 2012.

[5] Phillip Rogaway et al. How to Encipher Messages on a Small Domain. CRYPTO, 2009.

[6] Yannick Seurin et al. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. ASIACRYPT, 2012.

[7] Jacques Patarin et al. The "Coefficients H" Technique. Selected Areas in Cryptography, 2009.

[8] Vincent Rijmen et al. The Wide Trail Design Strategy. IMACC, 2001.

[9] John P. Steinberger et al. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, 2012.

[10] Joe Kilian et al. How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology, 2015.

[11] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). CRYPTO, 1986.

[12] Joan Daemen et al. Limitations of the Even-Mansour Construction. ASIACRYPT, 1991.

[13] Ueli Maurer et al. Indistinguishability Amplification. CRYPTO, 2007.

[14] Serge Vaudenay et al. Decorrelation: A Theory for Block Cipher Security. Journal of Cryptology, 2003.

[15] Peter Gazi et al. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. CRYPTO, 2013.

[16] John P. Steinberger et al. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. IACR Cryptology ePrint Archive, 2012.

[17] Ueli Maurer et al. Composition of Random Systems: When Two Weak Make One Strong. TCC, 2004.

[18] Yishay Mansour et al. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 1997.