On the Indifferentiability of Key-Alternating Ciphers

  • Elena Andreeva
  • Andrey Bogdanov
  • Yevgeniy Dodis
  • Bart Mennink
  • John P. Steinberger
Conference paper

DOI: 10.1007/978-3-642-40041-4_29

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)
Cite this paper as:
Andreeva E., Bogdanov A., Dodis Y., Mennink B., Steinberger J.P. (2013) On the Indifferentiability of Key-Alternating Ciphers. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg

Abstract

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition:
$$ \text{KA}_t(K,m)= k_t\oplus P_t(\dots k_2\oplus P_2(k_1\oplus P_1(k_0 \oplus m))\dots), $$
where (k0,…,kt) are obtained from the master key K using some key derivation function.

For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers — indifferentiability from an ideal cipher — and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,…,Pt are (public) random permutations?

As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5is indifferentiable from an ideal cipher, assuming P1,…,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K) ⊕ K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P4,P5.

Keywords

Even-Mansour ideal cipher key-alternating cipher indifferentiability 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Elena Andreeva
    • 1
  • Andrey Bogdanov
    • 2
  • Yevgeniy Dodis
    • 3
  • Bart Mennink
    • 1
  • John P. Steinberger
    • 4
  1. 1.KU Leuven and iMindsBelgium
  2. 2.Technical University of DenmarkDenmark
  3. 3.New York UniversityUSA
  4. 4.Tsinghua UniversityChina

Personalised recommendations