Designs, Codes and Cryptography

Volume 86, Issue 5, pp. 955–988

Key alternating ciphers based on involutions

  • Jooyoung Lee


In this work, we study the security of Even–Mansour type ciphers whose encryption and decryption are based on a common primitive, namely an involution. Such ciphers potentially allow efficient hardware implementation, as the same circuit is shared for encryption and decryption, and are thus expected to be more suitable for lightweight environments in which low power consumption and low implementation cost are desirable. With this motivation, we consider a single-round Even–Mansour cipher using an involution as its underlying primitive. The decryption of such a cipher is the same as encryption, only with the order of the round keys reversed. It is known that such a cipher permits a birthday-bound attack using only construction queries, but whether it provides provable security in the range below the birthday bound has remained open. We prove that the Even–Mansour cipher based on a random involution is as secure as the permutation-based one when the number of construction queries is limited by the birthday bound. In order to achieve security beyond the birthday bound, we propose a two-round Even–Mansour-like construction, dubbed \(\mathsf {EMSI}\), based on a single involution I using a fixed permutation \(\sigma \) in the middle layer. Specifically, \(\mathsf {EMSI}\) encrypts a plaintext u by computing
$$\begin{aligned} v=I\left( \sigma \left( I(u\oplus k_0)\right) \oplus k_1\right) \oplus k_2 \end{aligned}$$
with the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) generating three round keys \(k_0=\gamma _0(k)\), \(k_1=\gamma _1(k)\) and \(k_2=\gamma _2(k)\) from an n-bit master key k. We prove that if the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) satisfies a certain condition, and \(\sigma \) is a linear orthomorphism, then this construction is secure up to \(2^{\frac{2n}{3}}\) construction and permutation queries. \(\mathsf {EMSI}\) is the first construction that uses a single involution—a primitive weaker than a truly random permutation—and that provides security beyond the birthday bound at the same time. Encryption and decryption of \(\mathsf {EMSI}\) are the same except for the key schedule and the middle layer. Since encryption and decryption are both based on a common primitive, \(\mathsf {EMSI}\) is expected to be particularly suitable for modes of operation that use both encryption and decryption of the underlying block cipher such as OCB3.


Keywords

Even–Mansour cipher · Key alternating cipher · Involution · Pseudorandom permutation · Indistinguishability


Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea