Journal of Cryptology, Volume 29, Issue 4, pp 697–728

Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

  • Itai Dinur
  • Orr Dunkelman
  • Nathan Keller
  • Adi Shamir

Abstract

Iterated Even–Mansour (EM) encryption schemes (also named “key-alternating ciphers”) were extensively studied in recent years as an abstraction of commonly used block ciphers. Much of the previous work on iterated EM concentrated on security in an information-theoretic model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the computational model: What is the minimal number of rounds that assures that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the identical subkeys variant and the independent subkeys variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that \(r=3\) rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about \(n/\log (n)\) times faster than exhaustive search for an \(n\)-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for \(r=2\), there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full \({\hbox {AES}^{2}}\) (proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).
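The object the abstract studies, as an added toy example that is not code from the paper: an \(r\)-round iterated Even–Mansour cipher on 16-bit blocks with a constructed public permutation, the identical-subkeys and independent-subkeys key schedules, and the exhaustive-search benchmark against which the paper's attacks are measured. The block size, seeds and key values are assumptions chosen so the example runs in seconds.

```python
# Toy r-round iterated Even-Mansour (key-alternating) cipher on 16-bit blocks.
# Round permutations are fixed, public, key-independent bijections built from a
# seeded shuffle (constructed stand-ins for real public round functions).
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1

def make_public_permutation(seed: int) -> list[int]:
    """Constructed public permutation P_i on n-bit values; the seed is public."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table

def invert(table: list[int]) -> list[int]:
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv

def identical_subkeys(key: int, rounds: int) -> list[int]:
    """Identical-subkeys variant: the same n-bit key is used in all r+1 positions."""
    return [key & MASK] * (rounds + 1)

def independent_subkeys(keys: list[int], rounds: int) -> list[int]:
    """Independent-subkeys variant: r+1 independent n-bit subkeys."""
    if len(keys) != rounds + 1:
        raise ValueError("an r-round scheme needs exactly r+1 subkeys")
    return [k & MASK for k in keys]

def em_encrypt(x: int, subkeys: list[int], perms: list[list[int]]) -> int:
    """y = P_r(... P_2(P_1(x xor k_0) xor k_1) ...) xor k_r"""
    y = (x ^ subkeys[0]) & MASK
    for P, k in zip(perms, subkeys[1:]):
        y = P[y] ^ k
    return y

def em_decrypt(y: int, subkeys: list[int], perms: list[list[int]]) -> int:
    """Undo the rounds in reverse order using the inverse public permutations."""
    x = y
    for P_inv, k in zip(reversed([invert(P) for P in perms]), reversed(subkeys[1:])):
        x = P_inv[x ^ k]
    return x ^ subkeys[0]

def exhaustive_search(pairs, perms, rounds: int) -> list[int]:
    """Trivial benchmark attack on the identical-subkeys variant: every one of the
    2^n keys is tried against the known plaintext/ciphertext pairs."""
    return [k for k in range(1 << N_BITS)
            if all(em_encrypt(p, identical_subkeys(k, rounds), perms) == c
                   for p, c in pairs)]
```

The paper's results are about how far below this \(2^n\) benchmark (or the meet-in-the-middle benchmark for independent subkeys) a key-recovery attack can go for \(r = 3\) and \(r = 2\) respectively.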

Keywords

Cryptanalysis; Key recovery attacks; Iterated Even–Mansour; LED block cipher; \({\hbox {AES}^{2}}\) block cipher; Backdoors in cryptography

References

  1. E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the indifferentiability of key-alternating ciphers. In CRYPTO (1), volume 8042 of Lecture Notes in Computer Science, ed. by R. Canetti, J.A. Garay (Springer, Berlin, 2013), pp. 531–550
  2. K. Aoki, Y. Sasaki, Preimage attacks on one-block MD4, 63-step MD5 and more. In Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, ed. by R.M. Avanzi, L. Keliher, F. Sica (Springer, Berlin, 2008), pp. 103–119
  3. P.S.L.M. Barreto, V. Rijmen, The ANUBIS Block Cipher. Submission to the NESSIE project, 2000
  4. P.S.L.M. Barreto, V. Rijmen, The Khazad Legacy-Level Block Cipher. Submission to the NESSIE project, 2000
  5. A. Biryukov, D. Wagner, Slide attacks. In Knudsen [23], pp. 245–259
  6. A. Bogdanov, D. Khovratovich, C. Rechberger, Biclique cryptanalysis of the full AES. In ASIACRYPT, volume 7073 of Lecture Notes in Computer Science, ed. by D.H. Lee, X. Wang (Springer, Berlin, 2011), pp. 344–371
  7. A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (extended abstract). In Pointcheval and Johansson [31], pp. 45–62
  8. S. Chen, J.P. Steinberger, Tight security bounds for key-alternating ciphers. In EUROCRYPT, volume 8441 of Lecture Notes in Computer Science, ed. by P.Q. Nguyen, E. Oswald (Springer, Berlin, 2014), pp. 327–350
  9. J. Daemen, Limitations of the Even-Mansour construction. In ASIACRYPT, volume 739 of Lecture Notes in Computer Science, ed. by H. Imai, R.L. Rivest, T. Matsumoto (Springer, Berlin, 1991), pp. 495–498
  10. J. Daemen, M. Peeters, G.V. Assche, V. Rijmen, Nessie Proposal: NOEKEON. Submission to the NESSIE project, 2000
  11. I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full \(AES^2\). In Sako and Sarkar [33], pp. 337–356
  12. I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Cryptanalysis of iterated Even-Mansour schemes with two keys. In P. Sarkar, T. Iwata, eds., Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part I, volume 8873 of Lecture Notes in Computer Science (Springer, Berlin, 2014), pp. 439–457
  13. I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Improved linear sieving techniques with applications to step-reduced LED-64. Presented at FSE 2014, to appear in Lecture Notes in Computer Science, 2014
  14. O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even-Mansour scheme revisited. In Pointcheval and Johansson [31], pp. 336–354
  15. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptology, 10(3):151–162, 1997
  16. P. Flajolet, A.M. Odlyzko, Random mapping statistics. In EUROCRYPT, volume 434 of Lecture Notes in Computer Science, ed. by J.-J. Quisquater, J. Vandewalle (Springer, Berlin, 1989), pp. 329–354
  17. P. Flajolet, R. Sedgewick, Analytic Combinatorics (Cambridge University Press, Cambridge, 2009)
  18. B. Gérard, V. Grosso, M. Naya-Plasencia, F.-X. Standaert, Block ciphers that are easier to mask: how far can we go? In CHES, volume 8086 of Lecture Notes in Computer Science, ed. by G. Bertoni, J.-S. Coron (Springer, Berlin, 2013), pp. 383–399
  19. B. Gérard, V. Grosso, M. Naya-Plasencia, F.-X. Standaert, Block ciphers that are easier to mask: how far can we go? Cryptology ePrint Archive, Report 2013/369, 2013. http://eprint.iacr.org/
  20. J. Guo, T. Peyrin, A. Poschmann, M.J.B. Robshaw, The LED block cipher. In CHES, volume 6917 of Lecture Notes in Computer Science, ed. by B. Preneel, T. Takagi (Springer, Berlin, 2011), pp. 326–341
  21. M.E. Hellman, A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26(4):401–406, 1980
  22. J. Kim, S. Hong, S. Lee, J.H. Song, H. Yang, Truncated differential attacks on 8-round CRYPTON. In ICISC, volume 2971 of Lecture Notes in Computer Science, ed. by J.I. Lim, D.H. Lee (Springer, Berlin, 2003), pp. 446–456
  23. L.R. Knudsen, ed., Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings, volume 1636 of Lecture Notes in Computer Science (Springer, Berlin, 1999)
  24. R. Lampe, J. Patarin, Y. Seurin, An asymptotically tight security analysis of the iterated Even-Mansour cipher. In Wang and Sako [36], pp. 278–295
  25. R. Lampe, Y. Seurin, How to construct an ideal cipher from a small set of public permutations. In Sako and Sarkar [33], pp. 444–463
  26. C.H. Lim, A revised version of CRYPTON - CRYPTON V1.0. In Knudsen [23], pp. 31–45
  27. F. Mendel, V. Rijmen, D. Toz, K. Varici, Differential analysis of the LED block cipher. In Wang and Sako [36], pp. 190–207
  28. M. Minier, H. Gilbert, Stochastic cryptanalysis of Crypton. In FSE, volume 1978 of Lecture Notes in Computer Science, ed. by B. Schneier (Springer, Berlin, 2000), pp. 121–133
  29. I. Nikolic, L. Wang, S. Wu, Cryptanalysis of round-reduced LED. In FSE, volume 8424 of Lecture Notes in Computer Science, ed. by S. Moriai (Springer, Berlin, 2013), pp. 112–129
  30. L. O’Connor, On the distribution of characteristics in bijective mappings. In EUROCRYPT, volume 765 of Lecture Notes in Computer Science, ed. by T. Helleseth (Springer, Berlin, 1993), pp. 360–370
  31. D. Pointcheval, T. Johansson, eds., Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15–19, 2012, Proceedings, volume 7237 of Lecture Notes in Computer Science (Springer, Berlin, 2012)
  32. S.M. Ross, Introduction to Probability and Statistics for Engineers and Scientists, 2nd edn. (Academic Press, New York, 2000)
  33. K. Sako, P. Sarkar, eds., Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part I, volume 8269 of Lecture Notes in Computer Science (Springer, Berlin, 2013)
  34. H. Soleimany, Probabilistic slide cryptanalysis and its applications to LED-64 and Zorro. Presented at FSE 2014, to appear in Lecture Notes in Computer Science, 2014
  35. J. Steinberger, Improved security bounds for key-alternating ciphers via Hellinger distance. Cryptology ePrint Archive, Report 2012/481, 2012. http://eprint.iacr.org/
  36. X. Wang, K. Sako, eds., Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012, Proceedings, volume 7658 of Lecture Notes in Computer Science (Springer, Berlin, 2012)
  37. Y. Wei, C. Li, B. Sun, Related-key impossible differential attacks on Crypton. International Journal of Intelligent Computing Research, 1(4):168–175, 2010

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Itai Dinur (1)
  • Orr Dunkelman (2, 4)
  • Nathan Keller (3, 4)
  • Adi Shamir (4)
  1. Département d’Informatique, École Normale Supérieure, Paris, France
  2. Computer Science Department, University of Haifa, Haifa, Israel
  3. Department of Mathematics, Bar-Ilan University, Ramat Gan, Israel
  4. Computer Science Department, The Weizmann Institute, Rehovot, Israel
