Advances in Cryptology – CRYPTO 2013

Volume 8042 of the series Lecture Notes in Computer Science pp 531-550

On the Indifferentiability of Key-Alternating Ciphers

  • Elena Andreeva (KU Leuven and iMinds)
  • Andrey Bogdanov (Technical University of Denmark)
  • Yevgeniy Dodis (New York University)
  • Bart Mennink (KU Leuven and iMinds)
  • John P. Steinberger (Tsinghua University)



The Advanced Encryption Standard (AES) is the most widely used block cipher. The high-level structure of AES can be viewed as a (10-round) key-alternating cipher, where a $t$-round key-alternating cipher $\text{KA}_t$ consists of a small number $t$ of fixed permutations $P_i$ on $n$ bits, separated by key addition:
$$ \text{KA}_t(K,m)= k_t\oplus P_t(\dots k_2\oplus P_2(k_1\oplus P_1(k_0 \oplus m))\dots), $$
where $(k_0,\dots,k_t)$ are obtained from the master key $K$ using some key derivation function.

For $t = 1$, $\text{KA}_1$ collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation if $P_1$ is modeled as a (public) random permutation. In this work we seek stronger security of key-alternating ciphers — indifferentiability from an ideal cipher — and ask: under which conditions on the key derivation function, and for how many rounds $t$, is the key-alternating cipher $\text{KA}_t$ indifferentiable from the ideal cipher, assuming $P_1,\dots,P_t$ are (public) random permutations?

As our main result, we give an affirmative answer for $t = 5$, showing that the 5-round key-alternating cipher $\text{KA}_5$ is indifferentiable from an ideal cipher, assuming $P_1,\dots,P_5$ are five independent random permutations, and the key derivation function sets all round keys $k_i = f(K)$, where $0 \le i \le 5$ and $f$ is modeled as a random oracle. Moreover, when $|K| = |m|$, we show that we can set $f(K) = P_0(K) \oplus K$, giving an $n$-bit block cipher with an $n$-bit key that makes only six calls to the $n$-bit permutations $P_0,P_1,P_2,P_3,P_4,P_5$.
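As an added illustration, not code from the paper: a toy Python model of the construction above, covering the general KA_t formula, the single-key derivation f(K) = P0(K) ⊕ K for KA5, and the t = 1 Even-Mansour case. The 16-bit block size, the seeded lookup-table permutations standing in for public random permutations, and all function names are assumptions made for the example; the tables provide no security.

```python
import random

N_BITS = 16  # toy block size (assumption; the paper treats general n)

def make_permutation(seed):
    """Build (P, P_inverse) lookup tables for a fixed public permutation."""
    rng = random.Random(seed)
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

# PERMS[0] is P_0 (key derivation only); PERMS[1..5] are the round permutations.
PERMS = [make_permutation(seed) for seed in range(6)]

def derive_round_key(master_key):
    """f(K) = P_0(K) xor K, the |K| = |m| derivation stated in the abstract."""
    return PERMS[0][0][master_key] ^ master_key

def ka_encrypt(round_keys, m, t):
    """KA_t: k_t ^ P_t(... k_1 ^ P_1(k_0 ^ m) ...) for round keys k_0..k_t."""
    state = m ^ round_keys[0]
    for i in range(1, t + 1):
        state = PERMS[i][0][state] ^ round_keys[i]
    return state

def ka_decrypt(round_keys, c, t):
    """Invert KA_t by undoing the key additions and permutations in reverse."""
    state = c
    for i in range(t, 0, -1):
        state = PERMS[i][1][state ^ round_keys[i]]
    return state ^ round_keys[0]

def ka5_encrypt(master_key, m):
    """KA_5 with all six round keys equal to f(K): six permutation calls."""
    return ka_encrypt([derive_round_key(master_key)] * 6, m, 5)

def ka5_decrypt(master_key, c):
    return ka_decrypt([derive_round_key(master_key)] * 6, c, 5)

def even_mansour(k0, k1, m):
    """The t = 1 case: k_1 ^ P_1(k_0 ^ m)."""
    return ka_encrypt([k0, k1], m, 1)
```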


Keywords: Even-Mansour, ideal cipher, key-alternating cipher, indifferentiability