Tight Security Bounds for Key-Alternating Ciphers

  • Shan Chen
  • John Steinberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8441)

Abstract

A \(t\)-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher \(E\) from \(t\) fixed public permutations \(P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n\) and a key \(k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}\) by setting \(E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))\). The indistinguishability of \(E_k\) from a truly random permutation by an adversary who also has oracle access to the (public) random permutations \(P_1, \ldots, P_t\) was investigated in 1997 by Even and Mansour for \(t = 1\) and for higher values of \(t\) in a series of recent papers. For \(t = 1\), Even and Mansour proved indistinguishability security up to \(2^{n/2}\) queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be \(2^{\frac{t}{t+1}n}\) queries for general \(t\), which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour’s original result for \(t = 1\): Bogdanov et al. proved security of \(2^{\frac{2}{3}n}\) for \(t \geq 2\), Steinberger (2012) proved security of \(2^{\frac{3}{4}n}\) for \(t \geq 3\), and Lampe, Patarin and Seurin (2012) proved security of \(2^{\frac{t}{t+2}n}\) for all even values of \(t\), thus “barely” falling short of the desired \(2^{\frac{t}{t+1}n}\).

Our contribution in this work is to prove the long-sought-for security bound of \(2^{\frac{t}{t+1}n}\), up to a constant multiplicative factor depending on t. Our method is essentially an application of Patarin’s H-coefficient technique.
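As an added illustration (not code from the paper), the following Python models the \(t\)-round construction \(E_k\) from the abstract over small \(n\)-bit random permutations, with both encryption and its inverse, and evaluates the conjectured query bound \(2^{\frac{t}{t+1}n}\). The block size, seed and key values are constructed here for demonstration only.

```python
import random

N_BITS = 8                      # block size n (constructed small value for demonstration)
DOMAIN = 1 << N_BITS

def random_permutation(seed):
    """Model one public permutation P_i on {0,1}^n as a random lookup table,
    returned together with its inverse (the adversary may query both directions)."""
    rng = random.Random(seed)
    table = list(range(DOMAIN))
    rng.shuffle(table)
    inverse = [0] * DOMAIN
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

def kac_encrypt(perms, keys, x):
    """E_k(x) = k_t ^ P_t(k_{t-1} ^ P_{t-1}(... k_1 ^ P_1(k_0 ^ x) ...)).
    perms: list of t (table, inverse) pairs; keys: the t+1 round keys k_0..k_t."""
    assert len(keys) == len(perms) + 1, "a t-round cipher needs t+1 round keys"
    state = x
    for (table, _), k in zip(perms, keys[:-1]):
        state = table[state ^ k]      # XOR k_{i-1}, then apply P_i
    return state ^ keys[-1]           # final whitening key k_t

def kac_decrypt(perms, keys, y):
    """Invert E_k by undoing the rounds in reverse order with the P_i inverses."""
    assert len(keys) == len(perms) + 1
    state = y ^ keys[-1]
    for (_, inverse), k in zip(reversed(perms), reversed(keys[:-1])):
        state = inverse[state] ^ k
    return state

def build_cipher(t, seed=2014):
    """Sample t public permutations and t+1 round keys for a t-round cipher (constructed seed)."""
    rng = random.Random(seed)
    perms = [random_permutation(rng.getrandbits(32)) for _ in range(t)]
    keys = [rng.getrandbits(N_BITS) for _ in range(t + 1)]
    return perms, keys

def conjectured_query_bound(t, n):
    """The Bogdanov et al. bound 2^(tn/(t+1)) from the abstract, as a float."""
    return 2 ** (t * n / (t + 1))

def check_inverse(t):
    """Sanity check: E_k is a permutation of {0,1}^n and decryption inverts it everywhere."""
    perms, keys = build_cipher(t)
    images = [kac_encrypt(perms, keys, x) for x in range(DOMAIN)]
    return (len(set(images)) == DOMAIN and
            all(kac_decrypt(perms, keys, y) == x for x, y in enumerate(images)))
```

With t = 1 the loop body runs once and the construction reduces to the original Even-Mansour cipher \(k_1 \oplus P_1(k_0 \oplus x)\).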

References

  1. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.: Indifferentiability of Key-Alternating Ciphers
  2. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
  3. Chen, S., Steinberger, J.: Tight Security Bounds for Key-Alternating Ciphers. IACR eprint, http://eprint.iacr.org/2013/222.pdf (full version of this paper)
  4. Daemen, J.: Limitations of the Even-Mansour Construction. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 495–498. Springer, Heidelberg (1993)
  5. Daemen, J., Rijmen, V.: The Design of Rijndael. Springer (2002)
  6. Daemen, J., Rijmen, V.: The Wide Trail Design Strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)
  7. Even, S., Mansour, Y.: A Construction of a Cipher From a Single Pseudorandom Permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)
  8. Even, S., Mansour, Y.: A Construction of a Cipher from a Single Pseudorandom Permutation. J. Cryptology 10(3), 151–162 (1997)
  9. Gaži, P., Tessaro, S.: Efficient and optimally secure key-length extension for block ciphers via randomized cascading. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 63–80. Springer, Heidelberg (2012)
  10. Gaži, P.: Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 551–570. Springer, Heidelberg (2013)
  11. Gaži, P.: Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 551–570. Springer, Heidelberg (2013), http://eprint.iacr.org/2013/019.pdf
  12. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). Journal of Cryptology 14(1), 17–35 (2001)
  13. Lampe, R., Patarin, J., Seurin, Y.: An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
  14. Lampe, R., Seurin, Y.: How to Construct an Ideal Cipher from a Small Set of Public Permutations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 444–463. Springer, Heidelberg (2013)
  15. Luby, M., Rackoff, C.: How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput. 17(2), 373–386 (1988)
  16. Maurer, U.M., Pietrzak, K.: Composition of Random Systems: When Two Weak Make One Strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)
  17. Maurer, U.M., Pietrzak, K., Renner, R.S.: Indistinguishability Amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)
  18. Patarin, J.: The “Coefficients H” Technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
  19. Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance, http://eprint.iacr.org/2012/481.pdf

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Shan Chen (1)
  • John Steinberger (1)
  1. Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing, China