From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour

  • Pierre Karpman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


We show that a distinguishing attack in the related-key model on an Even-Mansour block cipher can readily be converted into an extremely efficient key-recovery attack. The ciphers concerned include in particular all iterated Even-Mansour schemes with independent keys. We apply this observation to the CAESAR candidate Prøst-OTR and are able to recover the whole key with a number of requests linear in its size. This improves on recent forgery attacks in a similar setting.


Keywords: Even-Mansour, Related-key attacks, Prøst-OTR



I am grateful to Jérémy Jean, Brice Minaud and the anonymous reviewers for their comments on this work.


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Inria, Saclay, France
  2. Nanyang Technological University, Singapore, Singapore
