# Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

## Abstract

Iterated Even–Mansour (EM) encryption schemes (also named “key-alternating ciphers”) were extensively studied in recent years as an abstraction of commonly used block ciphers. A large number of previous works on iterated EM concentrated on security in an *information-theoretic* model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the *computational* model: What is the minimal number of rounds, assuring that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the *identical subkeys* variant and the *independent subkeys* variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that \(r=3\) rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about \(n/\log (n)\) times faster than exhaustive search for an \(n\)-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for \(r=2\), there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full \({\hbox {AES}^{2}}\) (proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).
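To make the two key-scheduling variants discussed in the abstract concrete, the following is an added illustration (not code from the paper) of an \(r\)-round iterated Even–Mansour cipher. The public permutation \(P\) is a constructed toy, a fixed pseudo-random bijection on 16-bit words derived from a fixed seed, standing in for the public round permutation a real scheme would use; the block size \(n=16\) and all key values are assumptions chosen for the example. The identical-subkeys variant uses one \(n\)-bit key in every round, while the independent-subkeys variant uses \(r+1\) separate \(n\)-bit subkeys, which is why the trivial attacks the two variants are measured against (exhaustive search versus meet-in-the-middle) differ.

```python
"""Toy r-round iterated Even-Mansour (key-alternating) cipher.

Added illustration, not the paper's code. P is a CONSTRUCTED public
permutation: a seeded random bijection on n-bit words. n = 16 is a toy
size chosen so the lookup tables fit in memory; real schemes use n = 64
or 128 (e.g. LED-128, AES^2).
"""
import random
from typing import List, Sequence, Tuple

N_BITS = 16                      # toy block/subkey size (assumption)
MASK = (1 << N_BITS) - 1


def make_public_permutation(n_bits: int, seed: int = 2014) -> Tuple[List[int], List[int]]:
    """Return (P, P_inv) as lookup tables: a fixed, publicly known bijection."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)      # deterministic: anyone can rebuild P
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


P, P_INV = make_public_permutation(N_BITS)


def em_encrypt(plaintext: int, subkeys: Sequence[int]) -> int:
    """r rounds of x -> P(x) xor k_i after an initial whitening with k_0.

    subkeys holds r + 1 n-bit words k_0 .. k_r.
    """
    x = (plaintext ^ subkeys[0]) & MASK
    for k in subkeys[1:]:
        x = P[x] ^ (k & MASK)
    return x


def em_decrypt(ciphertext: int, subkeys: Sequence[int]) -> int:
    """Inverse of em_encrypt: peel the subkeys off in reverse order."""
    x = ciphertext & MASK
    for k in reversed(subkeys[1:]):
        x = P_INV[x ^ (k & MASK)]
    return x ^ (subkeys[0] & MASK)


def identical_subkeys(key: int, rounds: int) -> List[int]:
    """Identical-subkeys variant: the single n-bit master key is used in
    every round, so the whole secret is n bits."""
    return [key & MASK] * (rounds + 1)


def independent_subkeys(master: int, rounds: int) -> List[int]:
    """Independent-subkeys variant: the master key is (r + 1) * n bits and is
    split, most significant word first, into r + 1 unrelated subkeys."""
    return [(master >> (N_BITS * i)) & MASK for i in range(rounds, -1, -1)]


def roundtrip_ok(plaintext: int, subkeys: Sequence[int]) -> bool:
    """Sanity check that decryption inverts encryption for these subkeys."""
    return em_decrypt(em_encrypt(plaintext, subkeys), subkeys) == plaintext


if __name__ == "__main__":
    # 3-round identical-subkeys instance: one 16-bit key (constructed value).
    k3 = identical_subkeys(0xBEEF, rounds=3)
    # 2-round independent-subkeys instance: a 48-bit master key (constructed value).
    k2 = independent_subkeys(0x0123_4567_89AB, rounds=2)
    for pt in (0x0000, 0x0001, 0x1234, 0xFFFF):
        print(f"pt={pt:04x}  r=3 identical -> {em_encrypt(pt, k3):04x}  "
              f"r=2 independent -> {em_encrypt(pt, k2):04x}  "
              f"roundtrip={roundtrip_ok(pt, k3) and roundtrip_ok(pt, k2)}")
```

With the round count as a parameter, the same two functions instantiate any \(r\); only the subkey list changes between the identical and independent variants, which is exactly the distinction the abstract's two results are about.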

### Keywords

Cryptanalysis, Key recovery attacks, Iterated Even–Mansour, LED block cipher, \({\hbox {AES}^{2}}\) block cipher, Backdoors in cryptography