Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2012: Advances in Cryptology – EUROCRYPT 2012 pp 45-62

Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations

(Extended Abstract)
  • Andrey Bogdanov
  • Lars R. Knudsen
  • Gregor Leander
  • Francois-Xavier Standaert
  • John Steinberger
  • Elmar Tischhauser
Conference paper

DOI: 10.1007/978-3-642-29011-4_5

Volume 7237 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Bogdanov A., Knudsen L.R., Leander G., Standaert FX., Steinberger J., Tischhauser E. (2012) Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. In: Pointcheval D., Johansson T. (eds) Advances in Cryptology – EUROCRYPT 2012. EUROCRYPT 2012. Lecture Notes in Computer Science, vol 7237. Springer, Berlin, Heidelberg

Abstract

This paper considers—for the first time—the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher PX from an n-bit permutation P and two n-bit keys k0 and k1, setting \(PX_{k_0,k_1}(x)=k_1\oplus P(x\oplus k_0)\). Here we consider a (natural) extension of the Even-Mansour construction with t permutations P1,…,Pt and t + 1 keys, k0,…, kt. We demonstrate in a formal model that such a cipher is secure in the sense that an attacker needs to make at least 22n/3 queries to the underlying permutations to be able to distinguish the construction from random. We argue further that the bound is tight for t = 2 but there is a gap in the bounds for t > 2, which is left as an open and interesting problem. Additionally, in terms of statistical attacks, we show that the distribution of Fourier coefficients for the cipher over all keys is close to ideal. Lastly, we define a practical instance of the construction with t = 2 using AES referred to as AES2. Any attack on AES2 with complexity below 285 will have to make use of AES with a fixed known key in a non-black box manner. However, we conjecture its security is 2128.

Keywords

Block ciphersprovable securityEven-Mansour constructionAES
Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Lars R. Knudsen
    • 2
  • Gregor Leander
    • 2
  • Francois-Xavier Standaert
    • 3
  • John Steinberger
    • 4
  • Elmar Tischhauser
    • 1
  1. 1.KU Leuven and IBBTBelgium
  2. 2.Technical University of DenmarkDenmark
  3. 3.UCL Crypto GroupUniversité catholique de LouvainBelgium
  4. 4.Tsinghua UniversityChina