Minimizing the Two-Round Even–Mansour Cipher

  • Shan Chen
  • Rodolphe Lampe
  • Jooyoung Lee
  • Yannick Seurin
  • John Steinberger


The r-round (iterated) Even–Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations \(P_1,\ldots ,P_r\) as follows: Given a sequence of n-bit round keys \(k_0,\ldots ,k_r\), an n-bit plaintext x is encrypted by xoring round key \(k_0\), applying permutation \(P_1\), xoring round key \(k_1\), etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations \(P_1,\ldots ,P_r\) are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the r-round Even–Mansour cipher is indistinguishable from a truly random permutation up to \(\mathcal {O}(2^{\frac{rn}{r+1}})\) queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that the round keys \(k_0,\ldots ,k_r\) and the permutations \(P_1,\ldots ,P_r\) are independent. In particular, for two rounds, the current state of knowledge is that the block cipher \(E(x)=k_2\oplus P_2(k_1\oplus P_1(k_0\oplus x))\) is provably secure up to \(\mathcal {O}(2^{2n/3})\) queries of the adversary, when \(k_0\), \(k_1\), and \(k_2\) are three independent n-bit keys, and \(P_1\) and \(P_2\) are two independent random n-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even–Mansour cipher from just one n-bit key and one n-bit permutation. Our answer is positive: When the three n-bit round keys \(k_0\), \(k_1\), and \(k_2\) are adequately derived from an n-bit master key k, and the same permutation P is used in place of \(P_1\) and \(P_2\), we prove a qualitatively similar \(\widetilde{\mathcal {O}}(2^{2n/3})\) security bound (in the random permutation model). To the best of our knowledge, this is the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.


Generalized Even–Mansour cipher Key-alternating cipher Indistinguishability Pseudorandom permutation Random permutation model Sum-capture problem 


  1. 1.
    E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the Indifferentiability of Key-Alternating Ciphers. in Ran Canetti and Juan A. Garay, editors, Advances in Cryptology—CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 531–550.
  2. 2.
    N. Alon, T. Kaufman, M. Krivelevich, D. Ron, Testing triangle-freeness in general graphs. SIAM J. Discrete Math., 22(2), 786–819 (2008)MathSciNetCrossRefMATHGoogle Scholar
  3. 3.
    L. Babai, The Fourier transform and equations over finite Abelian groups: an introduction to the method of trigonometric sums. Lecture notes, (December 1989).
  4. 4.
    A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in Pascal Paillier and Ingrid Verbauwhede, editors, Cryptographic Hardware and Embedded Systems—CHES 2007, volume 4727 of LNCS (Springer, 2007), pp. 450–466Google Scholar
  5. 5.
    A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations–(extended abstract), in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 45–62Google Scholar
  6. 6.
    A. Biryukov, D. Wagner, S. Attacks, in L.R. Knudsen, editor, Fast Software Encryption–FSE ’99, volume 1636 of LNCS (Springer, 1999), pp. 245–259Google Scholar
  7. 7.
    A. Biryukov, D. Wagner, Advanced slide attacks, in Bart Preneel, editor, Advances in Cryptology—UROCRYPT 2000, volume 1807 of LNCS (Springer, 2000), pp. 589–606Google Scholar
  8. 8.
    S. Chen, J. Steinberger, Tight security bounds for key-alternating ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology—EUROCRYPT 2014, volume 8441 of LNCS (Springer, 2014), pp. 327–350.
  9. 9.
    J. Daemen, Limitations of the Even–Mansour construction. In Hideki Imai, Ronald L. Rivest, and Tsutomu Matsumoto, editors, Advances in Cryptology—ASIACRYPT ’91, volume 739 of LNCS (Springer, 1991), pp. 495–498Google Scholar
  10. 10.
    I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Key recovery attacks on 3-round Even–Mansour, 8-step LED-128, and full \(\text{AES}^{2}\). In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology–ASIACRYPT 2013 (Proceedings, Part I), volume 8269 of LNCS (Springer, 2013), pp. 337–356.
  11. 11.
    I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Cryptanalysis of iterated Even–Mansour schemes with two keys. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology–ASIACRYPT 2014 (Proceedings, Part I), volume 8873 of LNCS (Springer, 2014), pp. 439–457.
  12. 12.
    O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even–Mansour scheme revisited, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 336–354.Google Scholar
  13. 13.
    J. Daemen, V. Rijmen, The design of Rijndael: AES—the advanced encryption standard. Springer, Berlin(2002)CrossRefMATHGoogle Scholar
  14. 14.
    J. Daemen, V. Rijmen, Probability distributions of correlations and differentials in block ciphers. IACR Cryptology ePrint Archive, Report 2005/212, (2005).
  15. 15.
    S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol., 10(3), 151–162 (1997)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    P. Gazi, Plain versus randomized cascading-based key-length extension for block ciphers, in Ran Canetti and Juan A. Garay, editors, Advances in Cryptology—CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 551–570Google Scholar
  17. 17.
    S.W. Golomb, G. Gong, L. Mittenthal, Constructions of orthomorphisms of \(\mathbb{Z}_n^2\), in Dieter Jungnickel and Harald Niederreiter, editors, Proceedings of The Fifth International Conference on Finite Fields and Applications (Springer, 1999), pp. 178–195Google Scholar
  18. 18.
    J. Guo, T. Peyrin, A. Poschmann, M.J.B. Robshaw, The LED block cipher, in Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems–CHES 2011, volume 6917 of LNCS (Springer, 2011), pp. 326–341Google Scholar
  19. 19.
    P. Gazi, S. Tessaro, Efficient and optimally secure key-length extension for block ciphers via randomized cascading, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology–EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 63–80Google Scholar
  20. 20.
    T.P. Hayes, A large-deviation inequality for vector-valued martingales. (2005)
  21. 21.
    P. Junod, S. Vaudenay, FOX: a new family of block ciphers, in Helena Handschuh, M. Anwar Hasan, editors, Selected Areas in Cryptography–SAC 2004, volume 3357 of LNCS (Springer, 2004), pp. 114–129Google Scholar
  22. 22.
    E. Kiltz, K. Pietrzak, M. Szegedy, Digital signatures with minimal overhead from indifferentiable random invertible functions, in Ran Canetti, Juan A. Garay, editors, Advances in Cryptology—CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 571–588Google Scholar
  23. 23.
    J. Kilian, P. Rogaway, How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2001)MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    J. Lee, Towards key-length extension with optimal security: cascade encryption and xor-cascade encryption, in Thomas Johansson, Phong Q. Nguyen, editors, Advances in Cryptology—EUROCRYPT 2013, volume 7881 of LNCS (Springer, 2013), pp. 405–425Google Scholar
  25. 25.
    X. Lai, J.L. Massey, A proposal for a new block encryption standard, in Ivan Damgård, editor, Advances in Cryptology—EUROCRYPT ’90, volume 473 of LNCS (Springer, 1990), pp. 389–404Google Scholar
  26. 26.
    R. Lampe, J. Patarin, Y. Seurin, An asymptotically tight security analysis of the iterated even–mansour cipher, in Xiaoyun Wang, Kazue Sako, editors, Advances in Cryptology—ASIACRYPT 2012, volume 7658 of LNCS (Springer, 2012), pp. 278–295Google Scholar
  27. 27.
    R. Lampe, Y. Seurin, How to construct an ideal cipher from a small set of public permutations, in Kazue Sako, Palash Sarkar, editors, Advances in Cryptology—ASIACRYPT 2013 (Proceedings, Part I), volume 8269 of LNCS (Springer, 2013) pp. 444–463.
  28. 28.
    L. Mittenthal, Block substitutions using orthomorphic mappings. Adv. Appl. Math. 16(1), 59–71 (1995)MathSciNetCrossRefMATHGoogle Scholar
  29. 29.
    I. Nikolic, L. Wang, S. Wu, Cryptanalysis of round-reduced LED, in Shiho Moriai, editor, Fast Software Encryption—FSE 2013, volume 8424 of LNCS (Springer, 2013), pp. 112–129Google Scholar
  30. 30.
    J. Patarin, The “Coefficients H” technique, in Roberto Maria Avanzi, Liam Keliher, Francesco Sica, editors, Selected Areas in Cryptography—SAC 2008, volume 5381 o fLNCS (Springer, 2008), pp. 328–345Google Scholar
  31. 31.
    J. Steinberger, Improved security bounds for key-alternating ciphers via Hellinger distance. IACR Cryptology ePrint Archive, Report 2012/481, (2012).
  32. 32.
    J. Steinberger, Counting solutions to additive equations in random sets. arXiv Report 1309.5582, (2013).
  33. 33.
    S. Vaudenay, On the lai-massey scheme, in Kwok-Yan Lam, Eiji Okamoto, Chaoping Xing, editors, Advances in Cryptology—ASIACRYPT ’99, volume 1716 of LNCS (Springer, 1999), pp. 8–19Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Shan Chen
    • 1
  • Rodolphe Lampe
    • 2
  • Jooyoung Lee
    • 3
  • Yannick Seurin
    • 4
  • John Steinberger
    • 1
  1. 1.Tsinghua UniversityBeijingPeople’s Republic of China
  2. 2.University of VersaillesVersaillesFrance
  3. 3.KAISTDaejeonKorea
  4. 4.ANSSIParisFrance

Personalised recommendations