Minimalism in Cryptography: The Even-Mansour Scheme Revisited

  • Orr Dunkelman
  • Nathan Keller
  • Adi Shamir
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


In this paper we consider the following fundamental problem: What is the simplest possible construction of a block cipher which is provably secure in some formal sense? This problem motivated Even and Mansour to develop their scheme in 1991, but its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which was based on differential cryptanalysis) required chosen plaintexts. In this paper we solve this open problem by describing the new Slidex attack which matches the T = Ω(2 n /D) lower bound on the time T for any number of known plaintexts D. Once we obtain this tight bound, we can show that the original two-key Even-Mansour scheme is not minimal in the sense that it can be simplified into a single key scheme with half as many key bits which provides exactly the same security, and which can be argued to be the simplest conceivable provably secure block cipher. We then show that there can be no comparable lower bound on the memory requirements of such attacks, by developing a new memoryless attack which can be applied with the same time complexity but only in the special case of D = 2 n/2. In the last part of the paper we analyze the security of several other variants of the Even-Mansour scheme, showing that some of them provide the same level of security while in others the lower bound proof fails for very delicate reasons.


Even-Mansour block cipher whitening keys minimalism provable security tight security bounds slide attacks slidex attack 


  1. 1.
    Biham, E., Dunkelman, O., Keller, N.: Improved Slide Attacks. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 153–166. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer (1993)Google Scholar
  3. 3.
    Biryukov, A., Wagner, D.: Slide Attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. 4.
    Biryukov, A., Wagner, D.: Advanced Slide Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Daemen, J.: Limitations of the Even-Mansour Construction. In: [11], pp. 495–498Google Scholar
  6. 6.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved Attacks on GOST. Technical report, to appear (2011)Google Scholar
  7. 7.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in Cryptography: The Even-Mansour Scheme Revisited. Cryptology ePrint Archive, Report 2011/541 (2011),
  8. 8.
    Even, S., Mansour, Y.: A Construction of a Cipher From a Single Pseudorandom Permutation. In: [11], pp. 210–224Google Scholar
  9. 9.
    Even, S., Mansour, Y.: A Construction of a Cipher from a Single Pseudorandom Permutation. J. Cryptology 10(3), 151–162 (1997)MathSciNetzbMATHCrossRefGoogle Scholar
  10. 10.
    Floyd, R.W.: Nondeterministic Algorithms. J. ACM 14(4), 636–644 (1967)zbMATHCrossRefGoogle Scholar
  11. 11.
    Imai, H., Rivest, R.L., Matsumoto, T. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  12. 12.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). J. Cryptology 14(1), 17–35 (2001)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Kurosawa, K.: Power of a Public Random Permutation and Its Application to Authenticated Encryption. IEEE Transactions on Information Theory 56(10), 5366–5374 (2010)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Nivasch, G.: Cycle Detection Using a Stack. Inf. Process. Lett. 90(3), 135–140 (2004)MathSciNetzbMATHCrossRefGoogle Scholar
  15. 15.
    Rivest, R.L.: DESX. Never published (1984)Google Scholar
  16. 16.
    Russian National Bureau of Standards: Federal Information Processing Standard-Cryptographic Protection - Cryptographic Algorithm. GOST 28147-89 (1989)Google Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Orr Dunkelman
    • 1
    • 2
  • Nathan Keller
    • 2
    • 3
  • Adi Shamir
    • 2
  1. 1.Computer Science DepartmentUniversity of HaifaHaifaIsrael
  2. 2.Faculty of Mathematics and Computer ScienceWeizmann Institute of ScienceRehovotIsrael
  3. 3.Department of MathematicsBar-Ilan UniversityRamat GanIsrael

Personalised recommendations