Strengthening the Known-Key Security Notion for Block Ciphers
Abstract
We reconsider the formalization of known-key attacks against ideal-primitive-based block ciphers. This was previously tackled by Andreeva, Bogdanov, and Mennink (FSE 2013), who introduced the notion of known-key indifferentiability. Our starting point is the observation, previously made by Cogliati and Seurin (EUROCRYPT 2015), that this notion, which considers only a single known key available to the attacker, is too weak in some settings to fully capture what one might expect from a block cipher informally deemed resistant to known-key attacks. Hence, we introduce a stronger variant of known-key indifferentiability, where the adversary is given multiple known keys to “play” with, the informal goal being that the block cipher construction must behave as an independent random permutation for each of these known keys. Our main result is that the 9-round iterated Even-Mansour construction (with the trivial key-schedule, i.e., the same round key xored between permutations) achieves our new “multiple” known-keys indifferentiability notion, which contrasts with the previous result of Andreeva et al. that one single round is sufficient when only a single known key is considered. We also show that the 3-round iterated Even-Mansour construction achieves the weaker notion of multiple known-keys sequential indifferentiability, which implies in particular that it is correlation intractable with respect to relations involving any (polynomial) number of known keys.
Keywords
Block cipher, Ideal cipher, Known-key attacks, Iterated Even-Mansour cipher, Key-alternating cipher, Indifferentiability, Correlation intractability
1 Introduction
Background on Known-Key Attacks. Informally, a known-key attack against a block cipher E consists in the following: the adversary is given a key k from the key space of E, and must find a “non-trivial” property of the permutation \(E_k\) associated with k faster than what it would cost given only black-box access to a truly random permutation. An example of such a non-trivial property would be a plaintext/ciphertext pair (x, y) under the key k such that, say, the first half of x and the first half of y seen as bit strings are both zero (for a random permutation P over n-bit strings, it is easy to see that this requires roughly \(2^{n/2}\) queries to P). Known-key attacks against block ciphers were first introduced by Knudsen and Rijmen [18], who exhibited such attacks against a reduced-round version of AES and against certain kinds of Feistel ciphers. These attacks were extended in a number of follow-up papers, e.g. [14, 15, 23, 24, 28].
Even though the informal idea underlying known-key security might intuitively seem clear (given a key k, the permutation \(E_k\) associated with k must “look random”), how to put known-key attacks on theoretically sound grounds has remained elusive. Indeed, any attempt to rigorously formalize what a known-key attack against a fixed block cipher is runs into impossibility results similar to those undermining a sound definition of what a “good” hash function should be [4]. In particular, seeing a block cipher as a family of permutations indexed by the key, the fact that the key-length is similar to the input-length of the permutations (i.e., the block-length of the block cipher) leads to the following “diagonal” problem: consider the set of pairs \((k,E_k(k))\) for k ranging over the key space (we assume that the block-length and the key-length are equal for ease of exposition); then it is hard, given oracle access to a random permutation, to find an input/output pair in this set, whereas given any key k for E it is very easy to find an input/output pair for \(E_k\) in this set.
A way to circumvent these impossibilities is to consider block cipher constructions based on some ideal primitive (for example, a Feistel cipher based on public random round functions or (iterated) Even-Mansour ciphers based on public permutations). In that case, even though the adversary is given the known key, it only has oracle access to the underlying primitive, which effectively acts as an (exponentially long) seed indexing the permutation associated with the key. A first step towards formalizing known-key attacks for ideal-primitive-based block ciphers was taken by Andreeva, Bogdanov, and Mennink (ABM) [2] through what they called known-key indifferentiability (KK-indifferentiability for short), a variant of the standard indifferentiability notion [22]. A block cipher construction \(\mathcal {C}^F\) from some underlying primitive F is said to be indifferentiable from an ideal cipher E if there exists an efficient simulator \(\mathcal {S}\) with black-box access to E such that the two pairs of oracles \((\mathcal {C}^F,F)\) and \((E,\mathcal {S}^E)\) are indistinguishable. Hence the simulator must make E “look like” \(\mathcal {C}^F\) by returning answers that are coherent with the distinguisher’s queries to E (without, in general, knowing these E-queries) and that are statistically close to answers of a real F oracle.
The KK-indifferentiability notion of ABM modifies the security experiment as follows: a key k is drawn at random and made available to the distinguisher and the simulator; the distinguisher is then allowed to query its left oracle (construction/ideal cipher) only for this specific key k. Hence the simulator’s job is somehow made simpler since it has a “hint” about which queries the distinguisher can make to its left oracle. Note that in the ideal (simulated) world, the distinguisher effectively has access to a single random permutation (since an ideal cipher behaves as an independent random permutation for each key). Hence this KK-indifferentiability notion intuitively captures the requirement that for each key k, the block cipher construction \(\mathcal {C}^F\) must “look like” a random permutation. In contrast, the standard indifferentiability notion is related to chosen-key attacks, since the distinguisher is allowed to freely choose the keys it examines.
Shortcoming of the ABM Security Notion. The starting point of this paper is an observation, previously made by Cogliati and Seurin (Appendix C of the full version of [7]), that the ABM security notion might be too restrictive in some situations because it considers one single known key. This might be problematic in some cryptosystems where intuitively resistance to known-key attacks should be sufficient to provide security, but where the ABM security notion fails because the cryptosystem uses multiple known keys. Think for example of the permutation-based hash functions by Rogaway and Steinberger [26, 27]: these constructions are based on a few (typically 3 to 6) public permutations, which would typically be instantiated by a block cipher used with distinct publicly known keys. A crucial requirement for the security proof of these constructions to hold (in the ideal permutation model) is that the permutations are independent. Since this is not ensured by the ABM security notion, it is not applicable here, even though one would like to say that a block cipher which is secure against known-key attacks can safely be used in the Rogaway-Steinberger constructions. (Jumping ahead, our new KK-indifferentiability notion will be sufficient to safely instantiate the block cipher in the same constructions.)
Our Contribution. Our first contribution is definitional: in order to remedy the limitation that we just pointed out, we extend and strengthen the known-key security definition of [2], by allowing the distinguisher to be given multiple known keys. Our new notion is parameterized by an integer \(\mu \), the number of known keys that the adversary is given. For \(\mu =1\), one recovers the ABM definition. If one lets \(\mu =|\mathcal {K}|\), where \(\mathcal {K}\) is the key space of the block cipher, one recovers the standard indifferentiability notion. In fact, our KK-indifferentiability notion will emerge as a special case of a more general notion that we name restricted-input indifferentiability, which might be of independent interest. We also formulate our KK-indifferentiability notion in a “worst-case” fashion (it must hold for any subset of keys of size \(\mu \)), whereas the ABM notion was in the “average-case” style (the known key being randomly drawn). In addition, we define a weaker “sequential” variant [7, 21] of our new \(\mu \)-KK-indifferentiability notion, called \(\mu \)-KK-seq-indifferentiability, where the adversary must query its two oracles in a specific order. This notion is useful since it implies the weaker notion of correlation intractability.
Our second contribution is about constructions: we show that KK-indifferentiability is a meaningful notion by proving that the iterated Even-Mansour (IEM) construction with nine rounds is \(\mu \)-KK-indifferentiable from an ideal cipher for any \(\mu =\mathtt{poly}(n)\) (where n is a security parameter indexing the construction), which contrasts with the fact that one round is sufficient when considering one single known key, and also with the best number of rounds known to be sufficient to achieve full indifferentiability from an ideal cipher, namely twelve [20]. We also show that three rounds are necessary and sufficient to achieve the weaker \(\mu \)-KK-seq-indifferentiability notion, which again contrasts with the fact that four rounds are necessary and sufficient to achieve (full) seq-indifferentiability from an ideal cipher [7]. See Table 1 for a summary of known results on the IEM construction.
More Related Work. A number of papers have studied the indifferentiability of variants of the IEM construction. In particular, Andreeva et al. [1] have studied the case where the key-schedule is modeled as a random oracle, and Guo and Lin have studied the case of Even-Mansour ciphers with two interleaved keys [16] and of key-alternating Feistel ciphers [17].
Table 1. Summary of provable security results for the iterated Even-Mansour cipher with independent inner permutations and the trivial key-schedule. The first two notions are secret-key notions, the other ones are indifferentiability-based.

Sec. notion                          | # rounds | Sec. bound            | Sim. complexity (query/time) | Ref.
Single-key (pseudorandomness)        | 1        | \(q^2/2^n\)           | —                            |
                                     | 2        | \(q^{3/2}/2^n\)       | —                            | [5]
XOR related-key                      | 3        | \(q^2/2^n\)           | —                            |
1-KK-indiff.                         | 1        | 0                     | q / q                        | [2]
\(\mu \)-KK-seq-indiff., \(\mu >1\)  | 3        | \(\mu ^2q^2/2^n\)     | \(\mu q\) / \(\mu q\)        | This paper
Full seq-indiff.                     | 4        | \(q^4/2^n\)           | \(q^2\) / \(q^2\)            | [7]
\(\mu \)-KK-indiff., \(\mu >1\)      | 9        | \(\mu ^6 q^6/2^n\)    | \(\mu ^2 q\) / \(\mu ^2 q\)  | This paper
Full indiff.                         | 12       | \(q^{12}/2^n\)        | \(q^4\) / \(q^6\)            | [20]
2 Preliminaries
General Notation. In all the following, we fix an integer \(n\ge 1\) and denote \(N=2^n\). Given a non-empty set \(\mathcal {M}\), the set of all permutations of \(\mathcal {M}\) will be denoted \(\mathsf {Perm}(\mathcal {M})\). We simply denote \(\mathsf {Perm}(n)\) the set of all permutations over \(\{0,1\}^n\). A block cipher with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) is a mapping \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any key \(k\in \mathcal {K}\), \(x\mapsto E(k,x)\) is a permutation. We interchangeably use the notations E(k, x) and \(E_k(x)\). We denote \(\mathsf {BC}(\mathcal {K},\mathcal {M})\) the set of all block ciphers with key space \(\mathcal {K}\) and message space \(\mathcal {M}\), and \(\mathsf {BC}(n,n)\) the set of block ciphers with key space and message space \(\{0,1\}^n\). For integers \(1\le s\le t\), we will write \((t)_s=t(t-1)\cdots (t-s+1)\) and \((t)_0=1\) by convention.
Ideal Primitives. An ideal primitive \(\mathsf {F}\) is a triplet \((\mathsf {F}.\mathsf {Dom},\mathsf {F}.\mathsf {Rng},\mathsf {F}.\mathsf {Inst})\): the domain \(\mathsf {F}.\mathsf {Dom}\) and the range \(\mathsf {F}.\mathsf {Rng}\) are two nonempty sets, and the instance space \(\mathsf {F}.\mathsf {Inst}\) is a set of functions \(F:\mathsf {F}.\mathsf {Dom}\rightarrow \mathsf {F}.\mathsf {Rng}\).
3 Restricted-Input Indifferentiability and Variants
For any subset X of \(\mathsf {E}.\mathsf {Dom}\), \(\mathcal {D}\) is said to be X-restricted if it only makes queries to its left oracle (E or \(\mathcal {C}^F\)) from the set X.
Definition 1
Informally, we simply say that \(\mathcal {C}\) is \(\mathcal {X}\)-RI-indifferentiable from \(\mathsf {E}\) if it is \((\mathcal {X},q,\sigma ,t,\varepsilon )\)-RI-indifferentiable for “reasonable” values of \(\sigma \), t, and \(\varepsilon \) expressed as functions of q (in particular, when \(\mathcal {C}\) is indexed by some security parameter \(n\in \mathbb {N}\), if \(\sigma ,t\in \mathtt{poly}(n)\) and \(\varepsilon \in \mathtt{negl}(n)\) for any \(q\in \mathtt{poly}(n)\)).
As is standard in works on indifferentiability, this definition is information-theoretic, i.e., the distinguisher is allowed to be computationally unbounded (this is sometimes called statistical indifferentiability), and demands the existence of a universal simulator which does not depend on the distinguisher (this is sometimes called strong indifferentiability; when the simulator is allowed to depend on the distinguisher, this is called weak indifferentiability). Note that:
- by letting \(\mathcal {X}=\{\mathsf {E}.\mathsf {Dom}\}\) in the definition above, one recovers the standard definition of indifferentiability [22];
- when \(\mathcal {X}=\{X\}\) is reduced to a single subset of \(\mathsf {E}.\mathsf {Dom}\), the definition is equivalent to the standard definition of indifferentiability of the restriction of \(\mathcal {C}^F\) to X from the restriction of \(\mathsf {E}\) to X; hence this definition is only “new” when considering at least two distinct subsets X and \(X'\) such that \(X\nsubseteq X'\) and \(X'\nsubseteq X\) (since an X-restricted distinguisher is also an \(X'\)-restricted distinguisher when \(X\subseteq X'\)), and can be equivalently rephrased as the indifferentiability of the family of restrictions of \(\mathcal {C}\) to sets in \(\mathcal {X}\), with a uniform upper bound on the simulator’s complexity and the distinguisher’s advantage;
- the simulator is allowed to depend on the specific set \(X\in \mathcal {X}\) considered;
- the upper bound on the advantage of the distinguisher must hold for any \(X\in \mathcal {X}\) (not, say, on average on the random draw of X from \(\mathcal {X}\)).
The RI version of indifferentiability can be combined with other flavors of indifferentiability, in particular with public indifferentiability [10, 29] and sequential indifferentiability [7, 21]. Let us elaborate for the case of sequential indifferentiability. A distinguisher is called sequential if after its first query to its left (\(\mathsf {E}\)/\(\mathcal {C}^F\)) oracle, it does not make any query to its right (\(\mathcal {S}^E\)/F) oracle any more. In other words, it works in two phases: first it only queries its right oracle, and then only its left oracle. Then we can define RI-seq-indifferentiability exactly as in Definition 1, except that we quantify over X-restricted sequential distinguishers only. (Hence this is a weaker definition since for each subset \(X\in \mathcal {X}\), the simulator has to be effective only against a smaller class of distinguishers, namely sequential ones.)
Composition Theorem. The meaningfulness of the indifferentiability notion comes from the following composition theorem [22]: if a cryptosystem is proven secure when implemented with ideal primitive \(\mathsf {E}\), then it remains provably secure when \(\mathsf {E}\) is replaced with \(\mathcal {C}\) based on ideal primitive \(\mathsf {F}\), assuming \(\mathcal {C}\) is indifferentiable from \(\mathsf {E}\). (For this theorem to hold, the security of the cryptosystem must be defined with respect to a class of adversaries which “supports” the simulator used to prove that \(\mathcal {C}\) is indifferentiable from \(\mathsf {E}\) [9, 25].) This theorem straightforwardly translates to \(\mathcal {X}\)-RI-indifferentiability as follows: if a cryptosystem is proven secure when implemented with ideal primitive \(\mathsf {E}\) and if for any adversary \(\mathcal {A}\), there is \(X\in \mathcal {X}\) such that the challenger of the security game only queries \(\mathsf {E}\) on inputs \(x\in X\) when interacting with \(\mathcal {A}\), then it remains provably secure when \(\mathsf {E}\) is replaced with \(\mathcal {C}\) based on ideal primitive \(\mathsf {F}\), assuming \(\mathcal {C}\) is \(\mathcal {X}\)-RI-indifferentiable from \(\mathsf {E}\).
The short proof is as follows: denote \(\varGamma \) the challenger for the security game, which has access to an instance of \(\mathsf {E}\), and fix an adversary \(\mathcal {A}\) against the cryptosystem implemented with \(\mathcal {C}^F\) (hence \(\mathcal {A}\) has oracle access to the instance F of the ideal primitive \(\mathsf {F}\)); see the combination of \(\varGamma \) and \(\mathcal {A}\) as a single X-restricted distinguisher \(\mathcal {D}\); by the \(\mathcal {X}\)-RI-indifferentiability assumption, there is a simulator \(\mathcal {S}\) such that \((\mathcal {C}^F,F)\) cannot be distinguished from \((E,\mathcal {S}^E)\); then the combination of \(\mathcal {A}\) and \(\mathcal {S}\) constitutes an attacker \(\mathcal {A}'\) against the cryptosystem implemented with \(\mathsf {E}\), and the winning probability of \(\mathcal {A}'\) is small by the assumption that the cryptosystem is secure when implemented with \(\mathsf {E}\); hence the winning probability of \(\mathcal {A}\) is small as well.
Definition 2
(\(\mu \)-Known-Key Indifferentiability). Let \(\mathcal {C}\) be a construction of a block cipher with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) from an ideal primitive \(\mathsf {F}\). Let \(\mu ,q,\sigma ,t\in \mathbb {N}\) and \(\varepsilon \in \mathbb {R}^+\). Construction \(\mathcal {C}\) is said to be \((\mu ,q,\sigma ,t,\varepsilon )\)-KK-indifferentiable from an ideal cipher if and only if it is \((\mathcal {X}_\mu ,q,\sigma ,t,\varepsilon )\)-RI-indifferentiable from an ideal cipher, with \(\mathcal {X}_{\mu }\) defined as above.
The KK-indifferentiability notion of Andreeva et al. [2] corresponds to the definition above for \(\mu =1\). In fact, this is slightly more subtle. Their variant is rather an “average” version of this definition over the random draw of the known key, resulting from the following changes: the security experiment starts by drawing a random key k which is given as input to both the distinguisher and the simulator, and the two probabilities involved in the Definition (1) of the advantage of the distinguisher are also taken over the random draw of the challenge key \(k\leftarrow _{\$}\mathcal {K}\). It is not hard to see that our “worst-case” variant of the definition is stronger than (i.e., implies) the average-case version (the average-case simulator simply has a copy of each worst-case simulator \(\mathcal {S}_{\mathcal {K}'}\) for each possible subset \(\mathcal {K}'\subseteq \mathcal {K}\) of size \(\mu \), and, on input the challenge subset of keys, runs the corresponding worst-case simulator).
Known-Key Correlation Intractability. As for the general notion of RI-indifferentiability, KK-indifferentiability can be combined with the notion of sequential indifferentiability. Hence, if we restrict Definition 2 by quantifying only over sequential distinguishers, we obtain the notion of KK-seq-indifferentiability (see also Fig. 2). This notion is interesting because it implies the (arguably more natural) notion of known-key correlation intractability, as we explain now.
For this, we first recall the concept of evasive relation and correlation intractability [4, 7, 21]. Let \(\mathsf {E}\) be an ideal primitive. For an integer \(m\ge 1\), an m-ary relation \(\mathcal {R}\) (for \(\mathsf {E}\)) is simply a subset \(\mathcal {R}\subset (\mathsf {E}.\mathsf {Dom})^m\times (\mathsf {E}.\mathsf {Rng})^m\). Informally, a relation is evasive with respect to \(\mathsf {E}\) if it is hard, on average, for an adversary with oracle access to a random instance E of \(\mathsf {E}\) to find a tuple of inputs \((\alpha _1,\ldots ,\alpha _m)\) such that \(((\alpha _1,\ldots ,\alpha _m),(E(\alpha _1),\ldots ,E(\alpha _m)))\) satisfies this relation. The definition below is very general and applies to any ideal primitive.
Definition 3
Recall that the domain and the range of an ideal cipher \(\mathsf {E}\) with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) are \(\mathsf {E}.\mathsf {Dom}=\{+,-\}\times \mathcal {K}\times \mathcal {M}\) and \(\mathsf {E}.\mathsf {Rng}=\mathcal {M}\) so that, if we particularize the definition above for an ideal cipher, each \(\alpha _i\) is a triplet in \(\mathsf {E}.\mathsf {Dom}\), and \(E(\alpha _i)\in \mathcal {M}\).
If we now consider a construction \(\mathcal {C}\) implementing \(\mathsf {E}\) from some other ideal primitive \(\mathsf {F}\), a natural thing to ask is that any relation which is evasive with respect to \(\mathsf {E}\) remains hard to find for \(\mathcal {C}^F\), on average over the random draw of F, for any adversary with oracle access to F. This is formalized by the following definition.
Definition 4
A theorem by Mandal et al. [21] (see also [7, Theorem 4]) establishes that seq-indifferentiability allows, for any relation \(\mathcal {R}\), to “reduce” the correlation intractability of \(\mathcal {C}\) with respect to \(\mathcal {R}\) to the evasiveness of \(\mathcal {R}\) (with respect to \(\mathsf {E}\)). More precisely, if \(\mathcal {C}\) is seq-indifferentiable from \(\mathsf {E}\) and if a relation \(\mathcal {R}\) is \((q,\varepsilon )\)-evasive with respect to \(\mathsf {E}\), then \(\mathcal {C}\) is \((q',\varepsilon ')\)-correlation intractable with respect to \(\mathcal {R}\), and the “degradation” of security parameters \((q',\varepsilon ')\) compared with \((q,\varepsilon )\) depends on the seq-indifferentiability parameters. In other words, if \(\mathcal {C}\) is seq-indifferentiable from \(\mathsf {E}\), then any relation which is hard to find for \(\mathsf {E}\) remains hard to find for \(\mathcal {C}^F\) (on average over the random draw of F).
This result can be straightforwardly adapted to the case of KK-seq-indifferentiability (and more generally RI-seq-indifferentiability): if \(\mathcal {C}\) is \(\mathcal {X}\)-RI-seq-indifferentiable from \(\mathsf {E}\) for some family \(\mathcal {X}\) of subsets of \(\mathsf {E}.\mathsf {Dom}\), then a similar result holds, but only for relations \(\mathcal {R}\) such that all inputs involved in \(\mathcal {R}\) belong to some subset \(X\in \mathcal {X}\); similarly, if \(\mathcal {C}\) is \(\mu \)-KK-seq-indifferentiable from an ideal cipher \(\mathsf {E}\) with key space \(\mathcal {K}\), then the result holds for relations \(\mathcal {R}\) such that all inputs involved in \(\mathcal {R}\) use the same \(\mu \) keys.
Theorem 1
Let \(\mathsf {E}\) and \(\mathsf {F}\) be two ideal primitives, and let \(\mathcal {C}\) be a construction implementing \(\mathsf {E}\) from \(\mathsf {F}\) such that \(\mathcal {C}\) makes at most c queries to its oracle on any input. Let \(\mathcal {X}\) be a family of subsets of \(\mathsf {E}.\mathsf {Dom}\). Assume that \(\mathcal {C}\) is \((\mathcal {X},q+cm,\sigma ,t,\varepsilon )\)-RI-seq-indifferentiable from \(\mathsf {E}\). Then for any m-ary relation \(\mathcal {R}\) which is X-restricted for some \(X\in \mathcal {X}\), if \(\mathcal {R}\) is \((\sigma +m,\varepsilon _{\mathcal {R}})\)-evasive with respect to \(\mathsf {E}\), then \(\mathcal {C}\) is \((q,\varepsilon +\varepsilon _{\mathcal {R}})\)-correlation intractable with respect to \(\mathcal {R}\).
In particular, let \(\mathsf {E}\) be an ideal cipher with key space \(\mathcal {K}\), and assume that \(\mathcal {C}\) is \((\mu ,q+cm,\sigma ,t,\varepsilon )\)-KK-seq-indifferentiable from \(\mathsf {E}\). Then for any \(\mu \)-restricted m-ary relation \(\mathcal {R}\), if \(\mathcal {R}\) is \((\sigma +m,\varepsilon _{\mathcal {R}})\)-evasive with respect to \(\mathsf {E}\), then \(\mathcal {C}\) is \((q,\varepsilon +\varepsilon _{\mathcal {R}})\)-correlation intractable with respect to \(\mathcal {R}\).
Remark 1
4 KK-Attack on the Two-Round IEM Construction
We explained in Sect. 1 that the 1-round EM construction is not resistant to \(\mu \)-known-key attacks for \(\mu \ge 2\). We show here that this extends to the 2-round IEM construction (with independent inner permutations and the trivial key-schedule), more formally, that this construction is not \(\mu \)-KK-seq-indifferentiable from an ideal cipher for \(\mu \ge 2\). Our attack shares some similarities with the related-key attack against the same construction of [7]. Formally, we prove the following theorem.
Theorem 2
The 2-round IEM construction \(\mathsf {EM}[n,2,\mathbf {f}]\) with independent inner permutations and the trivial key schedule \(\mathbf {f}\) is not 2-KK-seq-indifferentiable from an ideal cipher. More precisely, for any pair of distinct keys \((k_1,k_2)\), there is an adversary which distinguishes the construction from an ideal cipher with advantage close to 1 by making only queries to its left (construction/ideal cipher) oracle involving these two keys. The adversary makes no queries to its right (inner permutations/simulator) oracle.
Proof
(1) choose an arbitrary value \(x_1 \in \{0,1\}^n\), and query \(y_1:=E(+,k_1,x_1)\);
(2) compute \(x_2:=x_1\oplus k_2\oplus k_1\), and query \(y_2:=E(+,k_2,x_2)\);
(3) compute \(y_3:=y_1 \oplus k_1\oplus k_2\), and query \(x_3:=E(-,k_2,y_3)\);
(4) compute \(y_4:=y_2\oplus k_2\oplus k_1\), and query \(x_4:=E(-,k_1,y_4)\);
(5) check whether \(x_4 = x_3\oplus k_1\oplus k_2\).
When the distinguisher is interacting with an ideal cipher E, two cases can occur. Either \(y_4=y_1\), or \(y_4 \ne y_1\). In the first case, this means that \(y_1 \oplus y_2 = k_1 \oplus k_2\), which happens with probability \(2^{-n}\) since \(x_1\) and \(x_2\) are the first queries to the uniformly random and independent permutations \(E_{k_1}\) and \(E_{k_2}\). If \(y_4 \ne y_1\), then \(y_4\) is the second query to the uniformly random permutation \(E_{k_1}\), thus \(x_4\) is uniformly random and this equality happens with probability at most \(1/(2^n-1)\). Moreover one has \(y_2 \ne y_1 \oplus k_1 \oplus k_2\), which happens with probability \(1-2^{-n}\) since \(x_2\) is the first query to \(E_{k_2}\). Since E is a uniformly randomly drawn block cipher, \(E_{k_1}\) and \(E_{k_2}\) are independent permutations and this case happens with probability at most \(2^{-n}\). Overall, when E is an ideal cipher, this relation is satisfied with probability at most \(2^{-n+1}\). When the distinguisher is interacting with the 2-round IEM construction instead, writing \(a:=P_1(x_1\oplus k_1)\), one has \(y_1=P_2(a\oplus k_1)\oplus k_1\) and \(y_2=P_2(a\oplus k_2)\oplus k_2\), so that the inverse queries of steps (3) and (4) both reach the same value \(a\oplus k_1\oplus k_2\) just before \(P_1^{-1}\) is applied, and yield \(x_3=P_1^{-1}(a\oplus k_1\oplus k_2)\oplus k_2\) and \(x_4=P_1^{-1}(a\oplus k_1\oplus k_2)\oplus k_1\); hence the relation of step (5) always holds, and the advantage of the distinguisher is at least \(1-2^{-n+1}\).
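As an added illustration (written for this page, not code from the paper), the following Python script implements the 2-round IEM construction with the trivial key schedule over n-bit strings, an ideal cipher restricted to two known keys (one independent random permutation per key), and the five-step distinguisher of the proof above; it then measures how often the relation of step (5) holds against each oracle. The bit length n = 12, the class and function names, the seeds and the trial counts are choices made for this example; n is kept small so that random permutations can simply be sampled as shuffled lookup tables.

```python
import random

n = 12            # block length for the demo (constructed choice; the paper's n is a parameter)
N = 1 << n


def random_perm(rng):
    """Uniformly random permutation of {0,1}^n as (forward, inverse) lookup tables."""
    fwd = list(range(N))
    rng.shuffle(fwd)
    inv = [0] * N
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv


class IEM2:
    """2-round iterated Even-Mansour, trivial key schedule: E_k(x) = P2(P1(x ^ k) ^ k) ^ k."""

    def __init__(self, rng):
        self.P1 = random_perm(rng)
        self.P2 = random_perm(rng)

    def query(self, delta, k, w):
        # delta '+' is a forward (encryption) query, '-' an inverse (decryption) query
        if delta == '+':
            return self.P2[0][self.P1[0][w ^ k] ^ k] ^ k
        return self.P1[1][self.P2[1][w ^ k] ^ k] ^ k


class IdealCipher2:
    """Ideal cipher seen through two known keys: an independent random permutation per key."""

    def __init__(self, rng, k1, k2):
        self.perms = {k1: random_perm(rng), k2: random_perm(rng)}

    def query(self, delta, k, w):
        fwd, inv = self.perms[k]
        return fwd[w] if delta == '+' else inv[w]


def two_key_distinguisher(E, k1, k2, x1):
    """Steps (1)-(5) of the proof of Theorem 2; True when the final relation holds."""
    y1 = E.query('+', k1, x1)                 # (1)
    x2 = x1 ^ k2 ^ k1
    y2 = E.query('+', k2, x2)                 # (2)
    y3 = y1 ^ k1 ^ k2
    x3 = E.query('-', k2, y3)                 # (3)
    y4 = y2 ^ k2 ^ k1
    x4 = E.query('-', k1, y4)                 # (4)
    return x4 == (x3 ^ k1 ^ k2)               # (5)


def attack_success_rate(make_cipher, trials, seed):
    """Fraction of trials (fresh oracle, random distinct keys and x1) in which step (5) succeeds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        k1 = rng.randrange(N)
        k2 = rng.randrange(N)
        while k2 == k1:                       # Theorem 2 needs two distinct known keys
            k2 = rng.randrange(N)
        x1 = rng.randrange(N)
        E = make_cipher(rng, k1, k2)
        hits += int(two_key_distinguisher(E, k1, k2, x1))
    return hits / trials


if __name__ == "__main__":
    real = attack_success_rate(lambda rng, k1, k2: IEM2(rng), trials=50, seed=1)
    ideal = attack_success_rate(lambda rng, k1, k2: IdealCipher2(rng, k1, k2), trials=200, seed=2)
    print(f"2-round IEM:  relation holds in {real:.3f} of trials")   # 1.000
    print(f"ideal cipher: relation holds in {ideal:.4f} of trials")  # tiny, roughly 2^(-n+1)
```

Running the script shows the two worlds side by side: against the construction the relation holds in every trial, matching the algebraic argument above, while against the ideal cipher it holds only with the small probability bounded in the proof, so the distinguisher's advantage is essentially 1 with four left-oracle queries and no right-oracle query at all.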
5 KK-Seq-Indifferentiability for Three Rounds
We have just given a 2-known-keys attack against the 2-round IEM cipher. This implies that the 2-round IEM construction cannot be \(\mu \)-KK-seq-indifferentiable from an ideal cipher as soon as \(\mu \ge 2\). (Remember on the other hand that the 1-round EM construction is 1-KK-indifferentiable from an ideal cipher [2].) Hence, at least three rounds are necessary (and, as we will see now, sufficient) to achieve \(\mu \)-KK-seq-indifferentiability from an ideal cipher for \(\mu \ge 2\).
Concretely, the main result of this section regarding the KK-seq-indifferentiability of the 3-round IEM cipher is as follows.
Theorem 3
As a corollary, we obtain from Theorem 1 that for any m-ary relation \(\mathcal {R}\) which is \(\mu \)-restricted and \((\mu q,\varepsilon )\)-evasive w.r.t. an ideal cipher (and assuming q is large compared with \(c=3\) and m), the 3-round IEM cipher is \(\left( q,\varepsilon +\mathcal {O}\left( \mu ^2 q^2/2^n\right) \right) \)-correlation intractable with respect to \(\mathcal {R}\).
It is also known [21] that for stateless ideal primitives (i.e., primitives whose answers do not depend on the order of the queries they receive), seq-indifferentiability implies public indifferentiability [10, 29], a variant of indifferentiability where the simulator gets to know all queries of the distinguisher to the ideal primitive E. Since an ideal cipher is stateless, Theorem 3 implies that the 3-round IEM construction is also KK-publicly indifferentiable from an ideal cipher.
We only give an informal description of the simulator here and defer the formal description in pseudocode and the full proof of Theorem 3 to the full version of the paper [8]. The simulator is given the subset \(\mathcal {K}'\) of keys that the distinguisher is bound to use. It offers an interface \(\mathsf {Query}(i,\delta ,w)\) to the distinguisher for querying the internal permutations, where \(i\in \{1,2,3\}\) names the permutation, \(\delta \in \{+,-\}\) indicates whether this is a direct or inverse query, and \(w\in \{0,1\}^n\) is the actual value queried. For each \(i=1,\ldots ,3\), the simulator internally maintains a table \(\varPi _i\) reflecting which values have already been internally set for each simulated permutation. Each table maps entries \((\delta ,w)\in \{+,-\}\times \{0,1\}^n\) to values \(w'\in \{0,1\}^n\), initially undefined for all entries. We denote \(\varPi _i^+\), resp. \(\varPi _i^-\), the (time-dependent) sets of strings \(w\in \{0,1\}^n\) such that \(\varPi _i(+,w)\), resp. \(\varPi _i(-,w)\), is defined. When the simulator receives a query \((i,\delta ,w)\), it checks in table \(\varPi _i\) whether the corresponding answer \(\varPi _i(\delta ,w)\) is already defined. When this is the case, it returns the answer to the distinguisher and waits for the next query. Otherwise, it randomly draws an answer \(w'\in \{0,1\}^n\) and defines \(\varPi _i(\delta ,w):=w'\) as well as the answer to the opposite query \(\varPi _i(\bar{\delta },w'):=w\). The randomness used by the simulator is made explicit through a tuple of random permutations \(\mathbf {P}=(P_1,P_2,P_3)\) with \(P_i:\{+,-\}\times \{0,1\}^n\rightarrow \{0,1\}^n\), and for any \(u,v\in \{0,1\}^n\), \(P_i(+,u)=v\Leftrightarrow P_i(-,v)=u\). We assume that the tuple \((P_1,P_2,P_3)\) is drawn uniformly at random at the beginning of the experiment, but we note that \(\mathcal {S}\) could equivalently lazily sample these permutations throughout its execution.
Then \(w'\) is simply defined by the simulator as \(w':=P_i(\delta ,w)\).
Before returning \(w'\) to the distinguisher, the simulator takes additional steps to ensure that the whole IEM construction matches the ideal cipher E by running a chain completion mechanism. Namely, if the distinguisher called \(\mathsf {Query}(i,\delta ,w)\) with \(i=2\), the simulator completes the “chains” for each known key \(k\in \mathcal {K}'\) by executing a procedure \(\mathsf {CompleteChain}(u_2,v_2,k,\ell )\), where \(\ell \) indicates where the chain will be “adapted” and \((u_2,v_2)\) is the pair of values that was just added to \(\varPi _2\). For example, assume that the distinguisher called \(\mathsf {Query}(2,+,u_2)\) and that the answer randomly chosen by the simulator was \(v_2\). Then for each \(k\in \mathcal {K}'\), the simulator computes the corresponding value \(u_3=v_2 \oplus k\), and evaluates the IEM construction backward, letting \(v_1:=u_2\oplus k\), \(u_1:=\varPi _1(-,v_1)\) (setting this value at random in case it was not in \(\varPi _1\)), \(x:=u_1\oplus k\), \(y:=E(+,k,x)\) (hence making a query to E to “wrap around”), and \(v_3:= y\oplus k\), until the corresponding input/output values \((u_3,v_3)\) for the third permutation are defined. It then “adapts” (rather than setting randomly) table \(\varPi _3\) by calling procedure \(\mathsf {ForceVal}(u_3,v_3,3)\) which sets \(\varPi _3(+,u_3):=v_3\) and \(\varPi _3(-,v_3):=u_3\) in order to ensure consistency of the simulated IEM construction with E. (A crucial point of the proof will be to show that this does not cause an overwrite, i.e., that these two values are undefined before the adaptation occurs.) In case the query was to \(\mathsf {Query}(2,-,\cdot )\), the behavior of the simulator is symmetric, namely adaptation of the chain takes place in table \(\varPi _1\).
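To make the mechanics of this simulator concrete, here is an added Python model written for this page (it is not the paper's pseudocode from [8]): lazily sampled tables \(\varPi _1,\varPi _2,\varPi _3\), chain completion on every fresh \(\mathsf {Query}(2,\cdot ,\cdot )\) for each known key, and \(\mathsf {ForceVal}\) adaptation at \(\varPi _3\) for a direct query or at \(\varPi _1\) for an inverse query, with the ideal cipher E itself lazily sampled. A sequential distinguisher then forms chains from its permutation queries in a first phase and, in a second phase, checks against E that the simulated construction is consistent on every chain; a `complete_chains` switch shows the same distinguisher catching a simulator that only samples lazily. The bit length n = 20 (large enough that an accidental collision during adaptation, the bad event of the proof, is negligible), the class names and the known-key set are choices made for this example.

```python
import random

n = 20            # block length for the demo (constructed choice), large enough that
N = 1 << n        # accidental collisions during adaptation are negligible


class LazyPerm:
    """A random permutation of {0,1}^n sampled lazily; models both the tables Pi_i and E_k."""

    def __init__(self, rng=None):
        self.rng = rng if rng is not None else random.Random()
        self.fwd, self.inv = {}, {}

    def defined(self, delta, w):
        return w in (self.fwd if delta == '+' else self.inv)

    def get(self, delta, w):
        # Lazy sampling: pick an unused image and record the entry in both directions.
        table, other = (self.fwd, self.inv) if delta == '+' else (self.inv, self.fwd)
        if w not in table:
            w2 = self.rng.randrange(N)
            while w2 in other:
                w2 = self.rng.randrange(N)
            table[w], other[w2] = w2, w
        return table[w]

    def force(self, u, v):
        # ForceVal(u, v): adapt the table; an overwrite is the bad event the proof excludes.
        if u in self.fwd or v in self.inv:
            raise RuntimeError("ForceVal would overwrite an existing entry")
        self.fwd[u], self.inv[v] = v, u


class IdealCipher:
    """Ideal cipher E: an independent lazily sampled permutation for every key."""

    def __init__(self, rng):
        self.rng, self.perms = rng, {}

    def query(self, delta, k, w):
        if k not in self.perms:
            self.perms[k] = LazyPerm(self.rng)
        return self.perms[k].get(delta, w)


class Simulator:
    """Simulator for the 3-round IEM construction with trivial key schedule."""

    def __init__(self, E, known_keys, rng, complete_chains=True):
        self.E, self.keys, self.complete_chains = E, list(known_keys), complete_chains
        self.Pi = {i: LazyPerm(rng) for i in (1, 2, 3)}

    def query(self, i, delta, w):
        if self.Pi[i].defined(delta, w):          # already set: answer from the table
            return self.Pi[i].get(delta, w)
        w2 = self.Pi[i].get(delta, w)             # fresh entry: w' := P_i(delta, w)
        if i == 2 and self.complete_chains:       # middle permutation: complete the chains
            u2, v2 = (w, w2) if delta == '+' else (w2, w)
            for k in self.keys:
                self.complete_chain(u2, v2, k, 3 if delta == '+' else 1)
        return w2

    def complete_chain(self, u2, v2, k, ell):
        if ell == 3:   # direct query: walk back through Pi_1, wrap around via E, adapt Pi_3
            u1 = self.Pi[1].get('-', u2 ^ k)
            y = self.E.query('+', k, u1 ^ k)
            self.Pi[3].force(v2 ^ k, y ^ k)
        else:          # inverse query: walk forward through Pi_3, wrap around via E, adapt Pi_1
            v3 = self.Pi[3].get('+', v2 ^ k)
            x = self.E.query('-', k, v3 ^ k)
            self.Pi[1].force(x ^ k, u2 ^ k)


def sequential_distinguisher(seed=1, keys=(0x0ABCD, 0x1F00F, 0x77777), chains=4,
                             complete_chains=True):
    """Phase 1: permutation (right-oracle) queries only; phase 2: ideal-cipher queries only.
    Returns True iff the simulated construction agrees with E on every chain formed in phase 1."""
    rng = random.Random(seed)
    E = IdealCipher(rng)
    S = Simulator(E, keys, rng, complete_chains)
    formed = []
    for j in range(2 * chains):                   # alternate direct and inverse Pi_2 queries
        if j % 2 == 0:
            u2 = rng.randrange(N)
            v2 = S.query(2, '+', u2)
        else:
            v2 = rng.randrange(N)
            u2 = S.query(2, '-', v2)
        for k in keys:
            u1 = S.query(1, '-', u2 ^ k)          # x = u1 ^ k is the construction input
            v3 = S.query(3, '+', v2 ^ k)          # y = v3 ^ k is the construction output
            formed.append((k, u1 ^ k, v3 ^ k))
    return all(E.query('+', k, x) == y for k, x, y in formed)


if __name__ == "__main__":
    print("with chain completion:   ", sequential_distinguisher())                       # True
    print("without chain completion:", sequential_distinguisher(complete_chains=False))  # False
```

The model mirrors the description above one to one: a \(\varPi _2\) entry triggers one \(\mathsf {CompleteChain}\) per known key, the "wrap around" query to E supplies the value that the adapted table must take, and `force` refuses to overwrite, which is exactly the event the proof must rule out. Dropping chain completion leaves every table independently random, so the first left-oracle query of a sequential distinguisher already exposes the inconsistency.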
6 KK-Indifferentiability for Nine Rounds
In this section, we show that nine rounds of the IEM construction are sufficient to achieve \(\mu \)-KK-indifferentiability from an ideal cipher. Note that this is less than the number of rounds currently known to be sufficient for full indifferentiability from an ideal cipher, namely twelve, as shown by Lampe and Seurin [20]. We conjecture that four rounds are actually sufficient.
We only give an informal description of the simulator and sketch how to modify the indifferentiability proof of [20], so that the result should rather be considered as a (substantiated) conjecture. (Given that nine is unlikely to be the minimal number of rounds needed to achieve \(\mu \)-KK-indifferentiability, and that we already know that twelve rounds are sufficient to achieve full indifferentiability and hence \(\mu \)-KK-indifferentiability, the benefit of writing down the full proof is rather low.) The high-level principle of how the simulator works is similar to Sect. 5, except that there are now additional detection zones besides the middle one, preventing the distinguisher from creating “wrap-around” chains (remember that the distinguisher is not bound to be sequential here, so it can make an ideal cipher query \(y:=E(+,k,x)\) and evaluate the IEM construction from both extremities by making permutation queries until the simulator is trapped into a contradiction). Moreover, since the simulator can now recurse (i.e., completing a chain can create new chains to be completed), it uses a queue of chains detected and to be completed, as in [20].
As before, the simulator reacts to any query to \(P_5\), and completes the chains for any key \(k\in \mathcal {K}'\) by adapting at \(P_7\) if this is a direct query and adapting at \(P_3\) if this is an inverse query. Moreover, the simulator also reacts to direct queries to \(P_1\) and to inverse queries to \(P_9\). Let us consider the case of a query \(P_1(+,u_1)\). Then for each key \(k\in \mathcal {K}'\), the simulator computes \(x:=u_1\oplus k\), queries \(y:=E(+,k,x)\), lets \(v_9:=y \oplus k\), and checks whether \(v_9\in \varPi _9^-\). If this is the case, then the chain \((u_1,k)\) is enqueued to be completed and adapted at \(P_3\). For an inverse query to \(P_9\), adaptation takes place at \(P_7\). As in [20], the four “buffer” rounds \(P_2\), \(P_4\), \(P_6\) and \(P_8\) surrounding the adaptation rounds ensure that no collision can occur when adapting distinct chains.
The analysis of this simulator then follows the same lines as in [20]. Its complexity can be upper bounded as follows: first, one applies the standard argument that the number of wrap-around chains that will be detected is upper bounded (with very high probability) by the number of ideal cipher queries of the distinguisher, hence by q. This implies that the size of table \(\varPi _5\) is always at most 2q (since it grows only because of a distinguisher’s query or when completing a wrap-around chain). It follows that the number of middle chains completed is at most \(2\mu q\), and the size of each table \(\varPi _i\) for \(i\ne 5\) is at most \(q+q+2\mu q=2(\mu +1)q\). Also, the number of calls made by the simulator to the ideal cipher can be upper bounded by \(2\mu q\) (number of middle chains that are completed) plus \(4\mu (\mu +1)q\) (number of wrap-around chains that are checked), hence it is \(O(\mu ^2 q)\) (the running time is similar).
Finally, proving a rigorous upper bound on the distinguishing advantage is a cumbersome task that remains to be done. A rough estimation following the lines of [20] would be that the bad events that would cause the simulator to overwrite a value when adapting chains (which is what dominates the security bound) happen with probability at most \((\max _i |\varPi _i|)^6/2^n\), hence \(O(\mu ^6 q^6/2^n)\).
Footnotes
 1.
These might be any ideal primitives; in particular, \(\mathsf {E}\) need not be an ideal cipher.
 2.
Since we will consider computationally unbounded distinguishers, this is without loss of generality.
 3.
In fact, the attack applies whenever the key-schedule is linear.
 4.
Note that for \(i=1\) and \(i=3\), this is not equivalent to letting \(w'\leftarrow _{\$}\{0,1\}^n\setminus \varPi _i^{\bar{\delta }}\) since the simulator sometimes “adapts” the value of these tables, so that the tables \(\varPi _i\) and the permutations \(P_i\) will differ (with overwhelming probability) on adapted entries.
References
 1. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/061
 2. Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 348–366. Springer, Heidelberg (2014)
 3. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
 4. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: Symposium on Theory of Computing - STOC 1998, pp. 209–218. ACM (1998). Full version available at http://arxiv.org/abs/cs.CR/0010019
 5. Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). http://eprint.iacr.org/2014/443
 6. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). http://eprint.iacr.org/2013/222
 7. Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/069
 8. Cogliati, B., Seurin, Y.: Strengthening the Known-Key Security Notion for Block Ciphers. Full version of this paper. http://eprint.iacr.org/2016/394
 9. Demay, G., Gaži, P., Hirt, M., Maurer, U.: Resource-restricted indifferentiability. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 664–683. Springer, Heidelberg (2013). http://eprint.iacr.org/2012/613
 10. Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for practical applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)
 11. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)
 12. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
 13. Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015). http://eprint.iacr.org/2014/953
 14. Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (2014)
 15. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010)
 16. Guo, C., Lin, D.: A synthetic indifferentiability analysis of interleaved double-key Even-Mansour ciphers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 389–410. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48800-3_16
 17. Guo, C., Lin, D.: On the indifferentiability of key-alternating Feistel ciphers with no key derivation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 110–133. Springer, Heidelberg (2015)
 18. Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007)
 19. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
 20. Lampe, R., Seurin, Y.: How to construct an ideal cipher from a small set of public permutations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 444–463. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/255
 21. Mandal, A., Patarin, J., Seurin, Y.: On the public indifferentiability and correlation intractability of the 6-round Feistel construction. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 285–302. Springer, Heidelberg (2012). http://eprint.iacr.org/2011/496
 22. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
 23. Minier, M., Phan, R.C.-W., Pousse, B.: Distinguishers for ciphers and known key attack against Rijndael with large blocks. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 60–76. Springer, Heidelberg (2009)
 24. Nikolić, I., Pieprzyk, J., Sokołowski, P., Steinfeld, R.: Known and chosen key differential distinguishers for block ciphers. In: Rhee, K.-H., Nyang, D.-H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 29–48. Springer, Heidelberg (2011)
 25. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)
 26. Rogaway, P., Steinberger, J.P.: Constructing cryptographic hash functions from fixed-key blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)
 27. Rogaway, P., Steinberger, J.P.: Security/efficiency tradeoffs for permutation-based hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)
 28. Sasaki, Y., Yasuda, K.: Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 397–415. Springer, Heidelberg (2011)
 29. Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky random oracle. IEICE Trans. 92-A(8), 1795–1807 (2009)