Advertisement

On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks

  • Benoît CogliatiEmail author
  • Yannick Seurin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)

Abstract

The iterated Even-Mansour cipher is a construction of a block cipher from \(r\) public permutations \(P_1,\ldots ,P_r\) which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations \(P_1,\ldots ,P_r\) has been investigated in a series of recent papers. This construction has also been shown to be (fully) indifferentiable from an ideal cipher for a sufficient number of rounds (five or twelve depending on the assumptions on the key-schedule). In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed to xor any constant of its choice to the secret key) and to chosen-key attacks. For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. We then prove that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to \( \mathcal {O} (2^{\frac{n}{2}})\) queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound. We also show that the iterated Even-Mansour cipher with four rounds offers some form of provable resistance to chosen-key attacks, which is the minimal number of rounds to achieve this property. The main technical tool that we use to prove this result is sequential indifferentiability, a weakened variant of (full) indifferentiability introduced by Mandal et al. (TCC 2010).

Keywords

Block cipher Ideal cipher Related-key attacks Chosen-key attacks Iterated Even-Mansour cipher Key-alternating cipher Indifferentiability Correlation intractability 

References

  1. 1.
    Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/061 CrossRefGoogle Scholar
  2. 2.
    Andreeva, E., Bogdanov, A., Mennink, B.: Towards Understanding the Known-Key Security of Block Ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 348–366. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Cash, D.: Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Kohno, T.: A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  6. 6.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  7. 7.
    Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  8. 8.
    Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology, Revisited (Preliminary Version). In: Symposium on Theory of Computing, STOC 1998, pp. 209–218. ACM (1998). Full version available at http://arxiv.org/abs/cs.CR/0010019
  10. 10.
    Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the Two-Round Even-Mansour Cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). http://eprint.iacr.org/2014/443 CrossRefGoogle Scholar
  11. 11.
    Chen, S., Steinberger, J.: Tight Security Bounds for Key-Alternating Ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). http://eprint.iacr.org/2013/222 CrossRefGoogle Scholar
  12. 12.
    Cogliati, B., Seurin, Y.: On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks. Full version of this paper. Available at http://eprint.iacr.org/2015/069
  13. 13.
    Daemen, J.: Limitations of the Even-Mansour construction. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 495–498. Springer, Heidelberg (1993)Google Scholar
  14. 14.
    Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for Practical Applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in Cryptography: The Even-Mansour Scheme Revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Even, S., Mansour, Y.: A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology 10(3), 151–162 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  17. 17.
    Farshim, P., Procter, G.: The Related-Key Security of Iterated Even-Mansour Ciphers. In: Fast Software Encryption, FSE 2015 (to appear, 2015). Full version available at http://eprint.iacr.org/2014/953
  18. 18.
    Goldenberg, D., Liskov, M.: On Related-Secret Pseudorandomness. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 255–272. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  19. 19.
    Holenstein, T., Künzler, R., Tessaro, S.: The Equivalence of the Random Oracle Model and the Ideal Cipher Model, Revisited. In: Symposium on Theory of Computing, STOC 2011, pp. 89–98. ACM (2011). Full version available at http://arxiv.org/abs/1011.1264
  20. 20.
    Iwata, T., Kohno, T.: New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 427–445. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  21. 21.
    Kiltz, E., Pietrzak, K., Szegedy, M.: Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 571–588. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  22. 22.
    Knudsen, L.R., Rijmen, V.: Known-Key Distinguishers for Some Block Ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  23. 23.
    Lampe, R., Patarin, J., Seurin, Y.: An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  24. 24.
    Lampe, R., Seurin, Y.: How to Construct an Ideal Cipher from a Small Set of Public Permutations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 444–463. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/255 CrossRefGoogle Scholar
  25. 25.
    Lucks, S.: Ciphers Secure against Related-Key Attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  26. 26.
    Mandal, A., Patarin, J., Seurin, Y.: On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 285–302. Springer, Heidelberg (2012). http://eprint.iacr.org/2011/496 CrossRefGoogle Scholar
  27. 27.
    Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  28. 28.
    Nyberg, K., Knudsen, L.R.: Provable Security against Differential Cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993) CrossRefGoogle Scholar
  29. 29.
    Patarin, J.: The “Coefficients H” Technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  30. 30.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  31. 31.
    Rogaway, P.: Formalizing Human Ignorance. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 211–228. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  32. 32.
    Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481 (2012). Available at http://eprint.iacr.org/2012/481
  33. 33.
    Winternitz, R.S.: A Secure One-Way Hash Function Built from DES. In: IEEE Symposium on Security and Privacy, pp. 88–90 (1984)Google Scholar
  34. 34.
    Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky Random Oracle. IEICE Transactions 92-A(8), 1795–1807 (2009)Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.University of VersaillesVersaillesFrance
  2. 2.ANSSIParisFrance

Personalised recommendations