Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

Iterated Even–Mansour (EM) encryption schemes (also named “key-alternating ciphers”) were extensively studied in recent years as an abstraction of commonly used block ciphers. A large number of previous works on iterated EM concentrated on security in an information-theoretic model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the computational model: What is the minimal number of rounds assuring that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the identical subkeys variant and the independent subkeys variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that $r=3$ rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about $n/\log(n)$ times faster than exhaustive search for an $n$-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for $r=2$, there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full $\text{AES}^{2}$ (proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).
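To make the object of study concrete, the following is an added example (not code from the paper or its authors) of the $r$-round iterated Even–Mansour construction $E(x) = k_r \oplus P_r(\cdots P_1(x \oplus k_0) \cdots)$ with both key-scheduling variants named in the abstract. The 16-bit block size, the seeded random tables standing in for the public permutations $P_i$, and all function names are assumptions made for this illustration; a real instance such as $\text{AES}^2$ uses fixed-key AES as its public permutations.

```python
import random

BLOCK_BITS = 16                      # toy block/key size n (assumed for the example)
MASK = (1 << BLOCK_BITS) - 1


def make_public_permutation(seed: int):
    """Return (P, P_inverse) as lookup tables over {0,1}^n.

    The permutation is public and keyless: anyone can evaluate it and its
    inverse.  It is seeded only so the example is reproducible (constructed
    stand-in for the fixed permutations P_i of an iterated EM scheme).
    """
    rng = random.Random(seed)
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def identical_subkeys(key: int, r: int):
    """Identical-subkeys variant: k_0 = k_1 = ... = k_r = key (one n-bit secret)."""
    return [key & MASK] * (r + 1)


def independent_subkeys(keys):
    """Independent-subkeys variant: r+1 independently chosen n-bit subkeys k_0..k_r."""
    return [k & MASK for k in keys]


def em_encrypt(perms, subkeys, x: int) -> int:
    """r-round iterated EM: XOR k_0, then alternate P_i and XOR k_i for i = 1..r."""
    r = len(perms)
    assert len(subkeys) == r + 1, "an r-round scheme needs r+1 subkeys"
    y = x ^ subkeys[0]
    for i in range(r):
        y = perms[i][y] ^ subkeys[i + 1]
    return y


def em_decrypt(inv_perms, subkeys, y: int) -> int:
    """Inverse: peel off k_i and apply P_i^{-1} from the last round backwards."""
    r = len(inv_perms)
    assert len(subkeys) == r + 1
    x = y
    for i in reversed(range(r)):
        x = inv_perms[i][x ^ subkeys[i + 1]]
    return x ^ subkeys[0]


def build_example(r: int):
    """Construct r distinct public permutations (and inverses) for an r-round scheme."""
    tables = [make_public_permutation(seed) for seed in range(1, r + 1)]
    perms = [t[0] for t in tables]
    inv_perms = [t[1] for t in tables]
    return perms, inv_perms


def roundtrip_ok(r: int, samples=(0, 1, 0xABCD, MASK)) -> bool:
    """Check decrypt(encrypt(x)) == x under both key-scheduling variants."""
    perms, inv_perms = build_example(r)
    schedules = [
        identical_subkeys(0xBEEF, r),                       # one secret, reused r+1 times
        independent_subkeys([0x1357 * (i + 1) for i in range(r + 1)]),  # constructed subkeys
    ]
    for sk in schedules:
        for x in samples:
            if em_decrypt(inv_perms, sk, em_encrypt(perms, sk, x)) != x:
                return False
    return True


if __name__ == "__main__":
    # r = 3 identical subkeys is the setting the abstract shows to be insufficient;
    # r = 2 independent subkeys is the other new result.
    print("3-round identical/independent round-trip:", roundtrip_ok(3))
    print("2-round identical/independent round-trip:", roundtrip_ok(2))
```

The only secret material is the subkey list; the permutation tables are public, which is exactly why the security of these schemes reduces to how the subkeys are mixed in between public rounds rather than to any hidden structure in the $P_i$.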
