1 Introduction

1.1 Background

Formal analyses of cryptographic protocols often assume that cryptosystems are run on keys that are independently generated and bear no relation to each other. Implicit in this assumption is the premise that user keys are stored in protected areas that are hard to tamper with. Security under related-key attacks (RKAs), first identified by Biham and Knudsen [9, 10, 38], considers a setting where an adversary might be able to disturb user keys by injecting faults [2], and consequently run a cryptosystem on related keys. Resilience against RKAs has become a desirable security goal, particularly for blockciphers.

The need for RKA security is further highlighted by the fact that through (improper) design, a higher-level protocol might run a lower-level one on related keys. Prominent examples are the key derivation procedures in standardized protocols such as EMV [25] and the 3GPP integrity and confidentiality algorithms [34], where efficiency considerations have led the designers to use a blockcipher under related keys. Similar considerations can arise in the construction of tweakable blockciphers [41], if a blockcipher is called on keys that are offset by xoring tweak values. An RKA-secure primitive can offer security safeguards against such protocol misuse.

Bellare and Kohno (BK) [7] initiated the theoretical treatment of security under related-key attacks and proposed definitions for RKA-secure pseudorandom functions (PRFs) and pseudorandom permutations (PRPs). The BK model was subsequently extended by Albrecht et al. [1] to idealized models of computation to account for the possibility that keys might be derived in ways that depend on the ideal primitive. Both works prove that the ideal cipher is RKA secure against wide sets of related-key deriving (RKD) functions. Bellare and Cash [5] present an RKA-secure pseudorandom function from standard intractability assumptions and Bellare, Cash, and Miller [6] give a comprehensive treatment of RKA security for various cryptographic primitives, leveraging the RKA resilience of PRGs to construct RKA-secure instances of various other primitives. In this work we are interested in the RKA security of blockciphers.

1.2 The Even–Mansour Ciphers

Key-alternating ciphers were introduced by Daemen and Rijmen [23] with the aim of facilitating a theoretical discussion of the design of AES. The key-alternating cipher has since become a popular paradigm for blockcipher design, with notable examples including AES [22, 45], Present [14], LED [32], PRINCE [16], KLEIN [31], and Zorro [30]. Key-alternating ciphers originate in the work of Even and Mansour [26, 27], who considered a single round of the construction shown in Fig. 1; their motivation was to design the simplest blockcipher possible. This design is closely related to Rivest’s DES-X construction, proposed as a means to protect DES against brute-force attacks [36], which itself builds on principles dating back to Shannon [49, p. 713]. In this work, we use the terms ‘key-alternating cipher’ and ‘iterated Even–Mansour cipher’ interchangeably.

Fig. 1. The \({t}\)-round iterated Even–Mansour scheme.

Provable security. Even and Mansour’s original analysis [26, 27] considers ‘cracking’ and ‘forging’ attacks in the random-permutation model and shows that no adversary can predict x given \(\mathsf {E}(k,x)\) or \(\mathsf {E}(k,x)\) given x with reasonable probability, without making \(q_1\) queries to the permutation and \(q_{em}\) to the encryption/decryption oracle, where \(q_1q_{em} \approx 2^n\). The indistinguishability of the Even–Mansour scheme from a random permutation is shown by Kilian and Rogaway [36, 37, Theorem 3.1 with \(\kappa =0\)] and Lampe, Patarin and Seurin [39, App. B of the full version]. Both works show that an adversary making \(q_{1}\) and \(q_{em}\) queries to the permutation oracle and the encryption/decryption oracles respectively, has a success probability of approximately \({q_1q_{em}}/{2^{n-1}}\). Gentry and Ramzan [29] show that the permutation oracle can be instantiated by a Feistel network with a random oracle without loss of security.

At Eurocrypt 2012, Dunkelman, Keller, and Shamir [24] showed that the Even–Mansour scheme retains the same level of security using only a single key, that is \(\mathsf {E}(k,{x}) = \mathsf {P}(x \oplus k) \oplus k\). Bogdanov et al. [15] show that the \({t}\)-round Even–Mansour cipher with independent keys and permutations and at least two rounds (\({t}\ge 2\)) provides security up to approximately \(2^{2n/3}\) queries but can be broken in \({t}\cdot 2^{{t}n/({t}+1)}\) queries. Following this work, several papers have moved towards proving a bound that meets this attack [39, 50], with Chen and Steinberger [18] able to prove optimal bounds using Patarin’s H-coefficient technique [47]. Chen et al. [17] consider two variants of the two-round Even–Mansour scheme: one with independent permutations and identical round keys, the other with identical permutations but a more complex key schedule. In both cases (under certain assumptions about the key schedule), security is maintained up to roughly \(2^{2n/3}\) queries.

Maurer, Renner, and Holenstein (MRH) [43] introduce a framework which formalizes what it means for a non-monolithic object to be able to replace another in arbitrary cryptosystems. This framework, known as indifferentiability, has been used to validate the design principle behind many cryptographic constructions, and in particular that of the iterated Even–Mansour constructions. Lampe and Seurin [40] show that the 12-round Even–Mansour cipher using a single key is indifferentiable from the ideal cipher. Andreeva et al. [3] show that a modification of the single-key, 5-round Even–Mansour cipher, where the key is first processed through a random oracle, is indifferentiable from the ideal cipher.

Cryptanalysis. Daemen [21] describes a chosen-plaintext attack that recovers the key of Even–Mansour in approximately \(q_1 \approx q_{em} \approx 2^{n/2}\) queries. Biryukov and Wagner [13] are able to give a known-plaintext attack against the Even–Mansour scheme with the same complexity as Daemen’s chosen-plaintext attack. Dunkelman, Keller, and Shamir [24] introduce the slidex attack that uses only known plaintexts and can be carried out with any number of queries as long as \(q_1 \cdot q_{em} \approx 2^{n}\).

Mendel et al. [44] describe how to extend Daemen’s attack [21] to a related-key version, and are able to recover the keys when all round keys are independent. Bogdanov et al. [15] remark that related-key distinguishing attacks against the iterated Even–Mansour scheme with independent round keys “exist trivially,” and describe a key-recovery attack, requiring roughly \(2^{n/2}\) queries against the two-round Even–Mansour scheme with identical round keys, assuming that an adversary can xor constants into the round key.

Many key-alternating ciphers such as AES [11, 12], Present [46], LED [44], and Prince [35] have been analyzed in the related-key model. One of the security claims of the LED blockcipher [32] is a high resistance to related-key attacks, which is justified by giving a lower bound on the number of active S-boxes.

1.3 Contributions

Despite extensive literature on the provable security of iterated Even–Mansour ciphers and (RKA) cryptanalysis of schemes using this design strategy, their formal related-key analysis has received little attention. In this work we initiate the provable RKA security analysis of such key-alternating ciphers. Our results build on the work of Barbosa and Farshim [4] who study the RKA security of Feistel constructions. They show that by appropriate reuse of keys across the rounds, the 3-round Feistel construction achieves RKA security under chosen-plaintext attacks. With four rounds the authors are able to prove RKA security for chosen-ciphertext attacks. The authors also formalize a random-oracle model transform by Lucks [42] which processes the key via the random oracle before application. Our results are similar and we show that key reuse is also a viable strategy to protect against related-key attacks in key-alternating ciphers. In contrast to the Feistel constructions, key-alternating ciphers operate intrinsically in an idealized model of computation, and our analyses draw on techniques used in the formalization of Lucks’s heuristic in [4].

We start with the simplest of the key-alternating ciphers, namely the (one-round) EM cipher. We recall that for xor related-key attacks, where an adversary can offset keys by values of its choice, this construction does not provide RKA security [3, 15, 16, 40]. Indeed, it is easy to check that \(\mathsf {E}((k_1,k_2 ),x) = \mathsf {E}((k_1\oplus \mathrm {\Delta },k_2), x\oplus \mathrm {\Delta })\), which only holds with negligible probability for the ideal cipher. We term this pattern of adversarial behaviour offset switching. One idea to thwart the above attack here would be to enforce key reuse in the construction; although the above equality no longer holds, a close variant still applies:

$$ \mathsf {E}(k,x)= \mathsf {E}(k \oplus \mathrm {\Delta },x \oplus \mathrm {\Delta }) \oplus \mathrm {\Delta } ~. $$

Despite this negative result, we show that the minimal EM cipher with key reuse enjoys a non-trivial level of RKA security (even in the chosen-ciphertext setting). For a set of allowed related-key queries \({\Phi }\), we identify a set of sufficient conditions that allow us to argue that \(\mathsf {E}(\phi (k),x)\) and \(\mathsf {E}(\phi '(k),x')\) for \(\phi ,\phi '\in {\Phi }\) look random and independent from an adversary’s point of view. As usual, our conditions impose that the RKD functions have unpredictable outputs, as otherwise RKA security is trivially unachievable. (For \(\phi (k)=c\), a predictable value, consider an adversary which computes \(\mathsf {E}(c,0)\) and compares it to \(\mathsf {E}(\phi (k),0)\).) Our second condition looks at the generalization of the offset-switching attack above and requires it to be infeasible to find offset claws, i.e., for any pair of functions \((\phi _1,\phi _2)\) and any value \(\mathrm {\Delta }\) of the adversary’s choice, over a random choice of \(k\)

$$ \phi _1(k) \oplus \phi _2(k) \ne \mathrm {\Delta }~. $$

This strengthens the standard claw-freeness condition [1, 4, 7], which corresponds to the \(\mathrm {\Delta }=0\) case. In our work, we also consider RKD functions that depend on the underlying permutations by placing queries to them. As mentioned above, this is particularly relevant for the Even–Mansour ciphers as they inherently operate in the random-permutation model. We build on previous work in the analysis of such functions [1, 4] and formulate adequate restrictions on oracle queries that allow a security proof to be established. Informally, our condition requires that the queries made by \(\phi \)’s have empty intersection with the outputs of \(\phi \)’s, even with offsets.

The search for xor-RKA security leads us to consider the two-round EM constructions. The first attack discussed above, where the key is offset by a constant, still applies in this setting and once again we consider key reuse. (The two permutations are still independent.) For this cipher, the offset-switching attack no longer applies, which raises the possibility that the two-round Even–Mansour might provide xor-RKA security. We start with chosen-plaintext attacks, formulate three new conditions (analogous to those given for the basic scheme), and prove security under them. These conditions, as before, decouple the queries made to the permutation oracle and allow us to simulate the outer \(\mathsf {P}_2\) oracle forgetfully in a reduction. We then show that this new set of restrictions is weak enough to follow from the standard output-unpredictability and claw-freeness properties. Since xoring with constants is output unpredictable and claw-free [7], the xor-RKA security of the single-key, two-round EM construction follows. Under chosen-ciphertext attacks, however, this construction falls prey to an attack of Andreeva et al. [3] on the indifferentiability of two-round EM (adapted to the RKA setting). For CCA security, we turn to three-round constructions, where we show that of the 14 possible ways to reuse keys, all but one fall prey to either offset-switching attacks or Andreeva et al.’s attack [3]. On the other hand, the three-round construction which uses a single key meets the desired xor-RKA security in the CCA setting.

Dunkelman, Keller, and Shamir [24] consider several variants of the Even–Mansour scheme, such as addition Even–Mansour where the xors are replaced with modular additions, and involution Even–Mansour, where random permutations are replaced with random involutions. It is reasonable to expect that our results can be modified to also apply to these schemes. Another possible variant of the Even–Mansour scheme is one where the same permutation is used across the rounds [17]; we briefly argue that our proof techniques carry over to this permutation reuse setting.

As mentioned above, Lampe and Seurin [40] show that the 12-round EM construction is indifferentiable from the ideal cipher when a single key is used throughout the rounds. Ristenpart, Shacham and Shrimpton [48], on the other hand, point out that indifferentiability does not necessarily guarantee composition in multi-stage settings and go on to note that the RKA game is multi-staged. This leaves open the question of whether indifferentiability provides any form of RKA security. We show that if RKD functions query the underlying primitive indirectly via the construction only, then composition holds. This level of RKA security is fairly strong as, in our opinion, it is unclear what it means to syntactically change the RKD functions from those in the ideal setting, which have access to the ideal cipher, to those which (suddenly) get access to permutations. Our result, in particular, implies that Lampe and Seurin’s constructions [40] and Holenstein, Künzler, and Tessaro’s 14-round Feistel construction [33] are RKA secure against key offsets in the CCA setting.

Independently and concurrently to this work, Cogliati and Seurin [19, 20] also study the related-key security of iterated EM ciphers. Their Theorem 2 is very similar to our Corollary 3; they analyze more general key schedules and obtain tighter bounds, while our approach deals with a wider range of RKD functions.

2 Preliminaries

Notation. We write \(x \leftarrow y\) for assigning value y to variable x. We write for the action of sampling x from a finite set \(\mathsf {X}\) uniformly at random. If \(\mathcal {A}\) is a probabilistic algorithm we write for the action of running \(\mathcal {A}\) on inputs \(x_1,\ldots ,x_n\) with randomly chosen coins, and assigning the results to y. We let \([n]:=\{1,\ldots ,n\}\), and we denote the bitwise complement of a bit string x by \(\overline{x}\).

Blockciphers. A (block)cipher is a function \(\mathsf {E}:\mathcal {K}\times \mathcal {M}\longrightarrow \mathcal {M}\) such that for every \(k\in \mathcal {K}\) the map \(\mathsf {E}(k,\cdot )\) is a permutation on \(\mathcal {M}\). Such an \(\mathsf {E}\) uniquely defines its inverse map \(\mathsf {D}(k,\cdot )\) for each key \(k\). We write \(\mathsf {BC}:=(\mathsf {E},\mathsf {D})\) to denote a blockcipher, which also implicitly defines the cipher’s key space \(\mathcal {K}\) and message space or domain \(\mathcal {M}\). We denote the set of all blockciphers with key space \(\mathcal {K}\) and domain \(\mathcal {M}\) by \(\mathrm {Block}(\mathcal {K},\mathcal {M})\). The ideal cipher with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) corresponds to a model of computation where all parties have oracle access to a uniformly chosen random element of \(\mathrm {Block}(\mathcal {K},\mathcal {M})\) in both the forward and backward directions. For a blockcipher \(\mathsf {BC}:=(\mathsf {E},\mathsf {D})\), notation \(\mathcal {A}^\mathsf {BC}\) denotes oracle access to both \(\mathsf {E}\) and \(\mathsf {D}\) for \(\mathcal {A}\).

Permutations. An ideal permutation can be viewed as a blockcipher whose key space contains a single key. In this work, we are interested in building blockciphers with large key spaces from a small number of ideal permutations \(\mathsf {P}_1,\ldots ,\mathsf {P}_{t}\) and their inverses. This is equivalent to access to a blockcipher with key space \([{t}]\), where \(\mathsf {P}_i(x):=\mathsf {P}(i,x)\). In order to ease notation, we define a single oracle \(\pi \), which provides access to all \({t}\) ideal permutations in both directions. This oracle takes as input \((i,x,\sigma )\), where \(i \in [{t}]\), \(x\in \mathcal {M}\), and \(\sigma \in \{+,-\}\) and returns \(\mathsf {P}_i(x)\) if \(\sigma =+\) and \(\mathsf {P}_i^{-1}(x)\) if \(\sigma =-\). Slightly abusing notation, we define \(\mathsf {P}_i^\sigma (x):=\mathsf {P}^\sigma (i,x):=\pi (i,x,\sigma )\), and assume \(\sigma =+\) whenever it is omitted from the superscript. A blockcipher constructed from \({t}\) ideal permutations \(\pi \) is written \(\mathsf {BC}^\pi :=(\mathsf {E}^\pi ,\mathsf {D}^\pi )\).

RKD functions. A related-key deriving (RKD) function maps keys to keys in some key space \(\mathcal {K}\). In this paper, we view RKD functions as circuits that may contain special oracle gates \(\pi \). An RKD set \({\Phi }\) is a set of RKD functions \(\phi ^{\pi }: \mathcal {K}\longrightarrow \mathcal {K}\), where \(\pi \) is an oracle. (The oracle will be instantiated with \(\pi \) as defined above.) Throughout the paper we assume that membership in RKD sets can be efficiently decided.

RKA security. Following [1, 7], we formalize the RKA security of a blockcipher \(\mathsf {BC}^\pi :=(\mathsf {E}^\pi ,\mathsf {D}^\pi )\) in the (multiple) ideal-permutation model via the game shown in Fig. 2. The RKA game is parametrized by an RKD set \({\Phi }\) which specifies the RKD functions that an adversary is permitted to query during its attack. This game also includes a procedure for oracle \(\pi \) defined above. We define the \(\mathsf {RKCCA}\) advantage of an adversary \(\mathcal {A}\) via

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {BC}^\pi ,\mathrm {\Phi },{t}}(\mathcal {A}) := 2\cdot \Pr \left[ \mathsf {RKCCA}_{\mathsf {BC}^\pi ,\mathcal {A},\mathrm {\Phi },{t}} \right] -1~. \end{aligned}$$

The \(\mathsf {RKCPA}\) game and advantage are defined similarly by considering adversaries that do not make any \(\textsc {RKDec}\) queries (backwards queries to the permutations are still permitted).

Fig. 2. Game defining the security of a blockcipher \(\mathsf {BC}^\pi :=(\mathsf {E}^\pi ,\mathsf {D}^\pi )\) with access to \({t}\) ideal permutations. An adversary can query the \(\textsc {RKEnc}\) and \(\textsc {RKDec}\) oracles with a \(\phi ^\pi \in {\Phi }\) only. In the \(\mathsf {RKCPA}\) game the adversary cannot query the \(\textsc {RKDec}\) oracle.

RKA security of the ideal cipher. Following [7] we define the RKA security of the ideal cipher \(\mathsf {IC}':=(\mathsf {iE}',\mathsf {iD}')\) by augmenting the procedures of the above game with those for computing the ideal cipher in both directions, i.e., \((\mathsf {iE}',\mathsf {iD}')\). When working with the ideal cipher, \({t}\) is often 0, but we consider RKD functions which have oracle access to the ideal procedures \(\mathsf {iE}'\) and \(\mathsf {iD}'\) as in [1].

Even–Mansour ciphers. The \({t}\)-round Even–Mansour (EM) cipher \(\mathsf {EM}^\pi :=(\mathsf {E}^\pi ,\mathsf {D}^\pi )\) with respect to \({t}\) permutations \(\mathsf {P}_1\),...,\(\mathsf {P}_{t}\) on domain \(\{0,1\}^n\) has key space \(\mathcal {K}=\{0,1\}^{n({t}+1)}\), domain \(\mathcal {M}=\{0,1\}^n\), and is defined via

$$\begin{aligned} \mathsf {E}^\pi ((k_1,\dots ,k_{{t}+1}), x)&:= \mathsf {P}_{t}(\cdots \mathsf {P}_2(\mathsf {P}_1(x \oplus k_1) \oplus k_2) \cdots ) \oplus k_{{t}+1}~, \\ \mathsf {D}^\pi ((k_1,\dots ,k_{{t}+1}), x)&:= \mathsf {P}_1^{-1}(\cdots \mathsf {P}_{{t}-1}^{-1}(\mathsf {P}_{t}^{-1}(x \oplus k_{{t}+1}) \oplus k_{{t}}) \cdots ) \oplus k_1~. \end{aligned}$$

In this work we are interested in EM ciphers where keys are reused in various rounds. Following notation adopted in [4], we denote the EM construction where key \(k_{i_j}\) is used before round j by \(\mathsf {EM}^\pi [i_1,i_2,\ldots ,i_{{t}+1}]\). We call such key schedules simple. Note that \(\mathcal {K}=\{0,1\}^{n\cdot |\{i_1,i_2,\ldots ,i_{{t}+1}\}|}\) in these constructions. Of particular interest to us are the \(\mathsf {EM}^\pi [1,1]\), \(\mathsf {EM}^\pi [1,1,1]\) and \(\mathsf {EM}^\pi [1,1,1,1]\) constructions, where a single key is used in all rounds. We emphasize that the round permutations in all these constructions are independently chosen, unless stated otherwise.

3 Indifferentiability and RKA Security

Given the indifferentiability results for the EM and Feistel constructions discussed in the introduction, in this section we study to what extent (if any) an indifferentiable construction can provide resilience against related-key attacks. We start by recalling what it means for a blockcipher construction to be indifferentiable from the ideal cipher [43].

Indifferentiability. Let \(\mathsf {BC}^\pi :=(\mathsf {E}^\pi ,\mathsf {D}^\pi )\) be a blockcipher and let \(\mathcal {S}^{\mathsf {IC}}\) be a simulator with oracle access to the ideal cipher having the same key and message spaces as those of \(\mathsf {BC}^\pi \). We define the indifferentiability advantage of a distinguisher \(\mathcal {D}\) with respect to \(\mathcal {S}\) against \(\mathsf {BC}^\pi \) via

$$\begin{aligned} \mathbf {Adv}^{\mathsf {indiff}}_{\mathsf {BC}^\pi ,{t}} (\mathcal {S},\mathcal {D}) := \Pr \left[ \mathcal {D}^{\mathsf {BC}^\pi ,\pi } \right] - \Pr \left[ \mathcal {D}^{\mathsf {IC},\mathcal {S}^{\mathsf {IC}}} \right] ~, \end{aligned}$$

where the first probability is taken over a random choice of \(\pi \) (as defined in Fig. 2), and the second probability is taken over a random choice of a blockcipher \(\mathsf {IC}:=(\mathsf {iE},\mathsf {iD})\). Note that in this definition we require a universal simulator that does not depend on the indifferentiability distinguisher. We prove the following theorem in the full version of the paper [28].

Theorem 1

Let \({\Phi }\) be an RKD set consisting of functions \(\phi ^{\mathsf {OC}}\) having access to a blockcipher oracle \(\mathsf {OC}\). Let \(\pi \) be as before, \(\mathsf {BC}^\pi \) be a blockcipher construction, and \(\mathcal {S}\) be an indifferentiability simulator. Then for any adversary \(\mathcal {A}\) against the \(\mathsf {RKCCA}\) security of \(\mathsf {BC}^\pi \), where the oracles in the RKD functions are instantiated with \(\mathsf {BC}^\pi \), there are adversaries \(\mathcal {D}_1\) and \(\mathcal {D}_2\) against the indifferentiability of \(\mathsf {BC}^\pi \), and an adversary \(\mathcal {B}\) against the \(\mathsf {RKCCA}\) security of the ideal cipher, where the oracles in the RKD functions are instantiated with the ideal cipher, such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {BC}^\pi ,{\Phi },{t}}(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {indiff}}_{\mathsf {BC}^\pi ,{t}} (\mathcal {S},\mathcal {D}_1) + \mathbf {Adv}^{\mathsf {indiff}}_{\mathsf {BC}^\pi ,{t}} (\mathcal {S},\mathcal {D}_2)+ \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {IC},{\Phi },{t}}(\mathcal {B})~. \end{aligned}$$

Care with composition. Ristenpart, Shacham, and Shrimpton [48] show that indifferentiability does not always guarantee secure composition in multi-stage settings, where multiple adversaries can only communicate in restricted ways. The authors then remark that RKA security is multi-staged. To see this, note that the RKA game can be viewed as consisting of two adversaries \(\mathcal {A}^\pi _1\) and \(\mathcal {A}^\pi _2\) where \(\mathcal {A}^\pi _1\) corresponds to the standard RKA adversary \(\mathcal {A}^\pi \) and \(\mathcal {A}^\pi _2\) is an adversary which has access to the key \(k\), receives an input from \(\mathcal {A}^\pi _1\) containing the description of an RKD function \(\phi ^\pi \) and a value x, computes \(\phi ^\pi (k)\) using its access to \(\pi \) to get \(k'\), and returns \(\mathsf {E}^\pi (k',x)\) or \(\mathsf {D}^\pi (k',x)\) to \(\mathcal {A}^\pi _1\) as needed. With this formalization adversary \(\mathcal {A}^\pi _2\) cannot freely communicate with \(\mathcal {A}^\pi _1\) as it is restricted to send only encryption and decryption outputs. Our theorem above essentially states that in settings where \(\mathcal {A}^\pi _2\) takes the restricted form \(\mathcal {A}_2^{\mathsf {BC}^\pi }\) indifferentiability suffices. In our opinion, this restricted access to \(\pi \) suits the RKA security model particularly well. Indeed, when starting in the ideal setting where the RKD functions have access to the ideal cipher, one needs to address how the oracles are instantiated when moving to a construction. A natural way to do this is to simply instantiate the oracles with those of the construction as well (and in this setting, as we show, indifferentiability suffices). Giving the RKD functions direct access to \(\pi \) would constitute a syntactic change in the two RKD sets for the ideal cipher and the construction, and it is unclear how one should compare RKA security in these settings.

Lampe and Seurin [40, Theorem 2] show that the 12-round \(\mathsf {EM}^\pi [1,\cdots ,1]\) construction is indifferentiable from the ideal cipher (with a universal simulator). Bellare and Kohno [7], on the other hand, show that the ideal cipher is \(\mathsf {RKCCA}\) secure with respect to the RKD set \({\Phi }^\oplus \), where

$$\begin{aligned} {\Phi }^\oplus : = \{ k \mapsto k \oplus \mathrm {\Delta }: \mathrm {\Delta } \in \mathcal {K}\}~. \end{aligned}$$

We therefore obtain as a corollary of the above theorem that the 12-round construction \(\mathsf {EM}^\pi [1,\cdots ,1]\) is \(\mathsf {RKCCA}\) secure with respect to \({\Phi }^\oplus \). The same conclusion applies to the 14-round Feistel construction of Holenstein, Künzler, and Tessaro [33]. These constructions, however, are suboptimal in terms of rounds with respect to RKA security. Barbosa and Farshim [4] show that 4 rounds with key reuse suffice for Feistel networks. In the following sections, we study Even–Mansour ciphers with a smaller number of rounds that still maintain RKA security.

4 The RKA Security of \(\mathsf {EM}^\pi [1,1]\)

In this section we study RKD sets \({\Phi }\) for which the single-key Even–Mansour construction provides \(\mathsf {RKCCA}\) security. Our results are similar to those of Bellare and Kohno [7], Albrecht et al. [1], and Barbosa and Farshim [4] in that we identify a set of restrictions on the RKD set \({\Phi }\) that allow us to establish a security proof. For the one-round construction there are two simple key schedules up to relabeling: \(\mathsf {EM}^\pi [1,1]\) and \(\mathsf {EM}^\pi [1,2]\). Neither of these constructions can provide RKA security with respect to \({\Phi }^\oplus \) due to the offset-switching attacks discussed in the introduction. Despite this, we show that the simplest of the EM constructions, \(\mathsf {EM}^\pi [1,1]\), provides a non-trivial level of RKA security. The results of this section will also serve as a warm-up to the end goal of achieving strong forms of RKA security, which will encompass key offsets as a special case.

4.1 Restricting RKD Sets

Bellare and Kohno [7] observe that if an adversary is able to choose a \(\phi \in {\Phi }\) that has predictable outputs on a randomly chosen key, then security is not achievable. To see this, let \(\phi \) be the constant zero (or any predictable) function. An adversary can simply test if it is interacting with the real or the ideal cipher by enciphering x under the zero key and comparing it to the value it receives from its \(\textsc {RKEnc}\) oracle on \((\phi ,x)\). This motivates the following definition of unpredictability, adapted to the ideal-permutation model.

Output unpredictability (OUP). The advantage of an adversary \(\mathcal {A}\) against the output unpredictability of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

Here \(\mathsf {List}\) contains pairs of the form \((\phi ^\pi ,c)\) for \(\phi ^\pi \in {\Phi }\) and \(c \in \mathcal {K}\), and \(\pi \) is the oracle containing \({t}\) ideal permutations. The probability is taken over a random choice of the key \(k\), the \({t}\) random permutations implicit in \(\pi \), and the coins of the adversary. Note that via a simple guessing argument, this definition can be shown to be equivalent to one where the adversary is required to output a single pair, with a loss of \(1/|\mathsf {List}|\) in the reduction.

A second condition that Bellare and Kohno [7] introduce is claw-freeness. Roughly speaking, a set \({\Phi }\) has claws if there are two distinct \(\phi _1,\phi _2\in {\Phi }\) such that \(\phi _1(k)=\phi _2(k)\). Although this condition is not in general necessary—given an arbitrary claw there isn’t necessarily an attack—it turns out that the existence of claws prevents natural approaches to proofs of security. We lift claw-freeness to the ideal-permutation model below.

Claw-freeness (CF). The advantage of an adversary \(\mathcal {A}\) against the claw-freeness of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

Here \(\mathsf {List}\) contains pairs of RKD functions, \(\pi \) is as before, and the probability space is defined similarly to that for output unpredictability. Once again this definition is equivalent to one where \(\mathsf {List}\) is restricted to be of size one.

Claw-freeness is not a strong enough condition for the one-round EM construction to be RKA secure. Indeed, consider an adversary that queries its encryption oracle with two pairs \((\phi _1,x_1)\) and \((\phi _2,x_2)\), possibly with \(x_1\ne x_2\), such that

$$\begin{aligned} x_1 \oplus \phi _1(k) = x_2 \oplus \phi _2(k)~. \end{aligned}$$

Then the permutation underlying the construction will be queried at the same point and the resulting ciphertexts will differ by \(\phi _1(k) \oplus \phi _2(k) = x_1\oplus x_2\), a predictable value. This observation motivates a strengthening of the claw-freeness property.

Xor claw-freeness (XCF). The advantage of an adversary \(\mathcal {A}\) against the xor claw-freeness of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

The variables and probability space are defined similarly to those for claw-freeness.

Xor claw-freeness implies claw-freeness as the latter is a special case with \(c=0\). That claw-freeness is weaker than xor claw-freeness can be seen by considering the set \({\Phi }^\oplus \) corresponding to xoring with constants. This set can be easily shown to be output unpredictable and claw-free [7], but is not xor claw-free as

$$ \phi _{\mathrm {\Delta }_1}(k) \oplus \phi _{\mathrm {\Delta }_2}(k) = \mathrm {\Delta }_1 \oplus \mathrm {\Delta }_2 \quad \text{ where } \quad \phi _\mathrm {\Delta }(k) := k\oplus \mathrm {\Delta }~. $$

We also observe that xor claw-freeness of \({\Phi }\) implies that there is at most one \(\phi \in {\Phi }\) which is predictable as any two predictable RKD functions can be used to break xor claw-freeness.

Let us now consider oracle access in the RKD functions. Following the attacks identified in [1, 4], we consider the oracle-dependent RKD set

$$ {\Phi }:=\left\{ id: k \mapsto k,\, \phi ^\mathsf {P}:k \mapsto \mathsf {P}(k) \right\} ~. $$

Consider the following adversary against \(\mathsf {EM}^\pi [1,1]\). Query \((id,0)\) and get \(y=\mathsf {P}(k) \oplus k\). Query \((\phi ^\mathsf {P},y)\) and get z. Return \((z=0)\). When interacting with \(\mathsf {EM}^\pi [1,1]\) we have that

$$\begin{aligned} z = \mathsf {E}^\mathsf {P}(\mathsf {P}(k),\mathsf {P}(k)\oplus k) = \mathsf {P}(\mathsf {P}(k) \oplus k \oplus \mathsf {P}(k)) \oplus \mathsf {P}(k) = \mathsf {P}(k) \oplus \mathsf {P}(k) =0 ~. \end{aligned}$$

On the other hand, this identity is true with probability at most \(1/(2^{n}-1)\) with respect to the ideal cipher. This attack stems from the fact that when answering an \(\textsc {RKEnc}\) query, \(\pi \) is evaluated at a point already queried by an RKD function. Our final restriction below formalizes what it means for the oracle queries of the RKD function to be disjoint from those of the adversary, including those made implicitly through the encryption or decryption procedures, even up to xoring constants.
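The attacks above, together with the \(\mathsf {EM}^\pi [i_1,\ldots ,i_{{t}+1}]\) key-schedule notation of Sect. 2, can be exercised at toy scale. The following Python code is an added example and not part of the paper: it assumes a block size of 16 bits (so that each ideal permutation is a shuffled lookup table), a seeded random generator, and a lazily sampled ideal cipher as the reference world. It runs the offset-switching attack on \(\mathsf {EM}^\pi [1,2]\) from the introduction, the single-key variant against \(\mathsf {EM}^\pi [1,1]\) (the xor-claw query pair with \(x_1\oplus x_2 = \mathrm {\Delta }\) from Sect. 4.1), and the oracle-dependent attack with \({\Phi }=\{id,\phi ^\mathsf {P}\}\), and checks that the same relations fail against the ideal cipher.

```python
"""Related-key distinguishers against one-round Even-Mansour (added example, not from the paper).

Assumptions: a toy block size of N_BITS = 16 so that every ideal permutation is a shuffled
table, and a seeded RNG so that runs are reproducible.  Key schedules follow the paper's
EM[i_1, ..., i_{t+1}] notation; the ideal cipher is sampled lazily, one permutation per key.
"""
import random

N_BITS = 16
SIZE = 1 << N_BITS


class RandomPermutation:
    """One ideal permutation P_i with forward ('+') and inverse ('-') access, i.e. the oracle pi."""

    def __init__(self, rng):
        self.fwd = list(range(SIZE))
        rng.shuffle(self.fwd)
        self.inv = [0] * SIZE
        for x, y in enumerate(self.fwd):
            self.inv[y] = x

    def __call__(self, x, sigma="+"):
        return self.fwd[x] if sigma == "+" else self.inv[x]


class EM:
    """t-round EM[i_1, ..., i_{t+1}]: key k_{i_j} is xored before round j, k_{i_{t+1}} after round t."""

    def __init__(self, perms, schedule):
        assert len(schedule) == len(perms) + 1
        self.perms, self.schedule = perms, list(schedule)

    def enc(self, keys, x):
        x ^= keys[self.schedule[0] - 1]
        for P, idx in zip(self.perms, self.schedule[1:]):
            x = P(x) ^ keys[idx - 1]
        return x

    def dec(self, keys, y):
        y ^= keys[self.schedule[-1] - 1]
        for P, idx in zip(reversed(self.perms), reversed(self.schedule[:-1])):
            y = P(y, "-") ^ keys[idx - 1]
        return y


class IdealCipher:
    """Lazily sampled ideal cipher: an independent random permutation for every key."""

    def __init__(self, rng):
        self.rng, self.tables = rng, {}

    def enc(self, key, x):
        fwd, used = self.tables.setdefault(key, ({}, set()))
        if x not in fwd:
            y = self.rng.randrange(SIZE)
            while y in used:          # keep E(key, .) injective
                y = self.rng.randrange(SIZE)
            fwd[x] = y
            used.add(y)
        return fwd[x]


class RKEnc:
    """RKEnc(phi, x) = E(phi(k), x): the adversary supplies phi (which may call pi) and x, never sees k."""

    def __init__(self, enc, k):
        self._enc, self._k = enc, k

    def __call__(self, phi, x):
        return self._enc(phi(self._k), x)


def two_key_offset_switch(em12, k1, k2, x, delta):
    """EM[1,2] with independent k1, k2: E((k1,k2), x) = E((k1^delta, k2), x^delta) for all x, delta."""
    return em12.enc((k1, k2), x) == em12.enc((k1 ^ delta, k2), x ^ delta)


def single_key_offset_switch(rkenc, x, delta):
    """EM[1,1] under Phi^xor: the queries (id, x) and (k -> k^delta, x^delta) hit P at the same point
    x^k, so the ciphertexts differ by the predictable xor claw phi_0(k) ^ phi_delta(k) = delta = x1^x2."""
    return rkenc(lambda k: k, x) ^ rkenc(lambda k: k ^ delta, x ^ delta) == delta


def oracle_dependent_attack(rkenc, P):
    """Phi = {id, k -> P(k)}: y = E(k,0) = P(k)^k, then E(P(k), y) = P(y^P(k)) ^ P(k) = 0 for EM[1,1]."""
    y = rkenc(lambda k: k, 0)
    z = rkenc(lambda k: P(k), y)
    return z == 0


def roundtrip(seed=1, schedule=(1, 1, 1, 1), x=0xBEEF):
    """Sanity check of the EM[i_1,...,i_{t+1}] encoding: decryption inverts encryption."""
    rng = random.Random(seed)
    perms = [RandomPermutation(rng) for _ in range(len(schedule) - 1)]
    keys = tuple(rng.randrange(SIZE) for _ in range(max(schedule)))
    em = EM(perms, schedule)
    return em.dec(keys, em.enc(keys, x)) == x


def run_distinguishers(seed=2015, x=0x1234, delta=0x5A5A):
    """Each relation holds with probability 1 against the real cipher and about 2^-N_BITS against the ideal one."""
    rng = random.Random(seed)
    P = RandomPermutation(rng)
    k, k2 = rng.randrange(SIZE), rng.randrange(SIZE)
    em11, em12 = EM([P], (1, 1)), EM([P], (1, 2))
    real = RKEnc(lambda key, m: em11.enc((key,), m), k)
    ideal = RKEnc(IdealCipher(rng).enc, k)
    return {
        "em12_offset_switch": two_key_offset_switch(em12, k, k2, x, delta),
        "em11_offset_switch_real": single_key_offset_switch(real, x, delta),
        "em11_offset_switch_ideal": single_key_offset_switch(ideal, x, delta),
        "em11_oracle_dependent_real": oracle_dependent_attack(real, P),
        "em11_oracle_dependent_ideal": oracle_dependent_attack(ideal, P),
    }


if __name__ == "__main__":
    for name, hit in run_distinguishers().items():
        print(f"{name:30s} relation holds: {hit}")
```

Against the real construction every relation holds with probability 1; against the ideal cipher each holds with probability about \(2^{-16}\) at this toy size (at most \(1/(2^n-1)\) for the oracle-dependent relation), which is exactly the gap the distinguishers exploit. The oracle-dependent attack only works because \(\phi ^\mathsf {P}\) queries \(\pi \) at \(k\), the same point the construction later evaluates; this is what the xor query independence condition below rules out.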

Xor query independence (XQI). The advantage of an adversary \(\mathcal {A}\) against the xor query independence of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

where

$$\begin{aligned} \mathsf {Qry}[\phi ^{\pi }(k)]&:= \{ (i,x,\sigma ) : (i,x,\sigma ) \text { queried to}~ \pi ~ \text {by } \phi ^\pi (k) \}~, \\ \overline{\mathsf {Qry}}[\phi ^{\pi }(k)]&:= \mathsf {Qry}[\phi ^{\pi }(k)] \cup \{ (i,\pi (i,x,\sigma ),-\sigma ) : (i,x,\sigma ) \in \mathsf {Qry}[\phi ^{\pi }(k)] \}~. \end{aligned}$$

Note that for the EM cipher, restricting the above definition to \(i=1\) suffices. We also define query independence [1] as above but demand that \(c=0\).

Examples. The OUP, XCF, and XQI conditions introduced above do not lead to vacuous RKD sets. As an example of an RKD set which is independent of the permutations consider

$$ {\Phi }^{\mathsf {xu}} := \{ k\mapsto H(k,x) : x \in \mathcal {K}'\} ~, $$

where H is an xor-universal hash function from \(\mathcal {K}\) to \(\mathcal {K}\) with key space \(\mathcal {K}'\). As a simple instantiation, let \(\mathcal {K}'=\{0,1\}^k\setminus 0^k\) and for \(k\in \mathcal {K}'\) define \(H(k,x):= k\cdot x\), where \(\{0,1\}^k\) is interpreted as \(\mathrm {GF}(2^k)\) with respect to a fixed irreducible polynomial, and multiplication is defined over \(\mathrm {GF}(2^k)\).
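The contrast between the offset set \({\Phi }^\oplus \) (claw-free but not xor claw-free, as shown above) and the xor-universal set \({\Phi }^{\mathsf {xu}}\) can be made concrete by counting keys. The following Python block is an added example, not the paper's code: it instantiates \(H(k,x) := k\cdot x\) in \(\mathrm {GF}(2^8)\) with the AES polynomial as the fixed irreducible polynomial (any irreducible polynomial would do), builds both RKD sets, and for a pair of RKD functions counts how many keys \(k\) produce each xor difference \(\phi _1(k)\oplus \phi _2(k)\). For \({\Phi }^{\mathsf {xu}}\) every difference is hit by exactly one key, so the best possible xor-claw guess succeeds with probability \(1/2^n\); for \({\Phi }^\oplus \) a single difference is hit by all keys. A preimage count shows why \(\mathcal {K}'\) must exclude \(0^k\). The helper names (`gf_mul`, `phi_xu`, `phi_xor`, `max_claw_probability`, `max_preimage_probability`) are mine.

```python
"""Counting argument for xor claw-freeness of Phi^xu versus Phi^xor in GF(2^8).

Added example; function names and the choice n = 8 are illustration choices.
"""

N_BITS = 8
KEYS = 1 << N_BITS
IRRED = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES polynomial (irreducible over GF(2))


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) = GF(2)[x]/(IRRED), represented as bytes."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N_BITS):   # reduce once the degree reaches 8
            a ^= IRRED
    return r


def H(k, x):
    """The xor-universal hash from the text: H(k, x) = k * x in GF(2^8)."""
    return gf_mul(k, x)


def phi_xu(x):
    """RKD function from Phi^xu for hash key x: k -> H(k, x)."""
    return lambda k: H(k, x)


def phi_xor(delta):
    """RKD function from Phi^xor (offset by a constant): k -> k xor delta."""
    return lambda k: k ^ delta


def xor_claw_counts(phi1, phi2):
    """Map each difference c to the number of keys k with phi1(k) xor phi2(k) == c."""
    counts = {}
    for k in range(KEYS):
        c = phi1(k) ^ phi2(k)
        counts[c] = counts.get(c, 0) + 1
    return counts


def max_claw_probability(phi1, phi2):
    """Best success probability of an xor-claw guess (phi1, phi2, c) over uniform k."""
    return max(xor_claw_counts(phi1, phi2).values()) / KEYS


def max_preimage_probability(phi):
    """Best success probability of predicting phi(k) over uniform k (output unpredictability)."""
    counts = {}
    for k in range(KEYS):
        y = phi(k)
        counts[y] = counts.get(y, 0) + 1
    return max(counts.values()) / KEYS


if __name__ == "__main__":
    # Phi^xu: k*x1 xor k*x2 = k*(x1 xor x2) is a bijection in k, so every c is hit once.
    print("Phi^xu  xor-claw :", max_claw_probability(phi_xu(0x03), phi_xu(0x07)))
    # Phi^xor: the difference is the constant delta1 xor delta2, hit by all keys.
    print("Phi^xor xor-claw :", max_claw_probability(phi_xor(0x03), phi_xor(0x07)))
    # x = 0 would map every key to 0, which is why K' excludes 0^k.
    print("Phi^xu  OUP, x=0 :", max_preimage_probability(phi_xu(0x00)))
    print("Phi^xu  OUP, x!=0:", max_preimage_probability(phi_xu(0x05)))
```

Because the counts are exhaustive over all \(2^8\) keys, the numbers printed are exact information-theoretic bounds for this toy instance rather than estimates; the same computation at \(n=128\) is what the \(\ell /2^n\) terms in the theorems below account for.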

As an example of an oracle-dependent RKD set, one can take

$$\begin{aligned} {\Phi }:=\{ k\mapsto \mathsf {P}(k\oplus \mathrm {\Delta }): \mathrm {\Delta } \in \mathcal {K}\}~. \end{aligned}$$

4.2 Sufficiency of the Conditions

We now show that if an RKD set \({\Phi }\) meets the output unpredictability, xor claw-freeness and xor query independence properties defined above, then \(\mathsf {EM}^\pi [1,1]\) provides RKCCA security with respect to \({\Phi }\). Throughout the paper we denote the number of queries to the various oracles in an attack as follows:

  • \(q_i\): the number of direct, distinct queries to \(\pi \) with index i made by the adversary \(\mathcal {A}\).

  • \(q_{em}\): the number of distinct queries to the \(\textsc {RKEnc}\) and (if present) \(\textsc {RKDec}\) oracles by \(\mathcal {A}\).

  • \(q^\phi _{i}\): the number of distinct queries to \(\pi \) with index i made by the RKD function \(\phi ^\pi \).

We call an RKA adversary repeat-free if it does not query its \(\textsc {RKEnc}\) or \(\textsc {RKDec}\) oracle on a pair \((\phi ,x)\) twice. We call an RKA adversary redundancy-free if it does not query \(\textsc {RKEnc}\) on \((\phi ,x)\) to get y and then \(\textsc {RKDec}\) on \((\phi ,y)\) to get x, or vice versa. Without loss of generality, we assume that all adversaries in this paper are repeat-free and redundancy-free.

Theorem 2

(RKCCA security of \(\mathsf {EM}^\pi [1,1]\)). Let \({\Phi }\) be an RKD set. Then for any adversary \(\mathcal {A}\) against the RKCCA security of \(\mathsf {EM}^\pi [1,1]\) with parameters as defined above, there are adversaries \(\mathcal {B}_1\), \(\mathcal {B}_2\), \(\mathcal {B}_3\) and \(\mathcal {B}_4\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {EM}^\pi [1,1],{\Phi },1}(\mathcal {A}) \le&\mathbf {Adv}^{\mathsf {oup}}_{{\Phi },1}(\mathcal {B}^{}_1) + \mathbf {Adv}^{\mathsf {xqi}}_{{\Phi },1}(\mathcal {B}^{}_2) + \mathbf {Adv}^{\mathsf {xcf}}_{{\Phi },1}(\mathcal {B}^{}_3) + \mathbf {Adv}^{\mathsf {cf}}_{{\Phi }}(\mathcal {B}^{}_4) \\&+ \frac{q_{em}(q_{1} + \sum _{\phi }{q_{1}^{\phi }})}{2^n- (q_{1} + \sum _{\phi }{q_{1}^{\phi }})} + \frac{2q_{em}^2}{2^{n}}~, \end{aligned}$$

where \(\mathcal {B}_1\), \(\mathcal {B}_2\), \(\mathcal {B}_3\) and \(\mathcal {B}_4\) output lists of sizes \(2q_1q_{em}\), \(2q_{em}^2\), \(q_{em}^2\), and \(q_{em}^2\) respectively and they all make \(q_1\) queries to \(\pi \).

We give the intuition behind the proof here and leave the details to the full version [28]. The adversary \(\mathcal {A}\) in the game is run with respect to the oracles

$$ \mathsf {P}(x), \quad \mathsf {P}^{-1}(x), \quad \mathsf {P}(x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k), \quad \mathsf {P}^{-1}(x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~. $$

Our goal is to make a transition to an environment with the oracles

$$ \mathsf {P}(x), \quad \mathsf {P}^{-1}(x), \quad \mathsf {iE}(\phi ^\pi (k),x),\quad \mathsf {iD}(\phi ^\pi (k),x)~, $$

where \((\mathsf {iE},\mathsf {iD})\) denotes the ideal cipher. To this end, we consider two intermediate environments where the last two oracles corresponding to \(\textsc {RKEnc}\) and \(\textsc {RKDec}\) are handled via a forgetful oracle \(\mathsf {{\$}}\) that returns uniform strings on each invocation, irrespective of its inputs. Applying this change to the first environment above gives

$$ \mathsf {P}(x), \quad \mathsf {P}^{-1}(x), \quad \mathsf {{\$}}(x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k), \quad \mathsf {{\$}}( x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~, $$

while the second gives

$$ \mathsf {P}(x), \quad \mathsf {P}^{-1}(x), \quad \mathsf {{\$}}(\phi ^\pi (k),x),\quad \mathsf {{\$}}(\phi ^\pi (k),x)~, $$

both of which are identical to the environment \((\mathsf {P}(x), \mathsf {P}^{-1}(x), \mathsf {{\$}}(),\mathsf {{\$}}())\). We will now argue that the above changes alter \(\mathcal {A}\)’s winning probabilities negligibly, down to the conditions on \({\Phi }\) that we introduced in the previous section.

Let us first look at the change where we replace \(\mathsf {iE}(\phi ^\pi (k),x)\) and \(\mathsf {iD}(\phi ^\pi (k),x)\) with \(\mathsf {{\$}}(\phi ^\pi (k),x)\). We introduce another game and replace the random keyed permutations \(\mathsf {iE}\) and \(\mathsf {iD}\) by random keyed functions \(\mathsf {iF}\) and \(\mathsf {iC}\):

$$ \mathsf {P}(x), \quad \mathsf {P}^{-1}(x), \quad \mathsf {iF}(\phi ^\pi (k), x), \quad \mathsf {iC}(\phi ^\pi (k), x)~. $$

Via (a keyed extension of) the random permutation/random function (RP/RF) switching lemma [8], the environments containing \((\mathsf {iF},\mathsf {iC})\) and \((\mathsf {iE},\mathsf {iD})\) can be shown to be indistinguishable up to the birthday bound \(q_{em}^2/2^n\). The environment containing \(\mathsf {iF}(\phi ^\pi (k), x)\) and \(\mathsf {iC}(\phi ^\pi (k), x)\) and the one containing two copies of \(\mathsf {{\$}}(\phi ^\pi (k),x)\) can be shown to be identical down to the \(\mathsf {CF}\) property. Indeed, an inconsistency could arise whenever \((\phi _1^\pi , x_1) \ne (\phi _2^\pi , x_2)\) but \((\phi _1^\pi (k), x_1) = (\phi _2^\pi (k), x_2)\). This means \(x_1=x_2\) and hence we must have that \(\phi _1^\pi \ne \phi _2^\pi \). But \(\phi _1^\pi (k) = \phi _2^\pi (k)\), and this leads to a break of claw-freeness.

Let us now look at the changes made when we replace \(\mathsf {P}^\pm (x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)\) with \(\mathsf {{\$}}(x \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)\). We need to consider the points where a forgetful simulation of \(\mathsf {P}\) or \(\mathsf {P}^{-1}\) via \(\mathsf {{\$}}\) in the last two oracles leads to inconsistencies. Let us define the following six lists.

$$\begin{aligned} \mathsf {List}_\mathsf {P}^+&:= [(a,\mathsf {P}(a)): \mathcal {A}\text { queries } a \text { to } \mathsf {P}]~, \quad \mathsf {List}_\mathsf {P}^- := [(\mathsf {P}^{-1}(b),b): \mathcal {A}\text { queries } b \text { to } \mathsf {P}^{-1} ]~, \\ \mathsf {List}_{\phi }^+&:= [(a,\mathsf {P}(a)): \phi ^\pi (k) \text { queries } \mathsf {P}(a) ]~, \quad \mathsf {List}_{\phi }^- := [(\mathsf {P}^{-1}(b),b): \phi ^\pi (k) \text { queries } \mathsf {P}^{-1}(b) ]~, \\ \mathsf {List}^+_\mathsf {{\$}}&:= [(x \oplus \phi ^\pi (k) ,\mathsf {{\$}}(x \oplus \phi ^\pi (k))): \mathcal {A}\text { queries } (\phi ^\pi ,x) \text { to } \textsc {RKEnc}]~, \\ \mathsf {List}^-_\mathsf {{\$}}&:= [(\mathsf {{\$}}(\phi ^\pi (k) \oplus y) , \phi ^\pi (k) \oplus y): \mathcal {A}\text { queries } (\phi ^\pi ,y) \text { to } \textsc {RKDec}]~. \end{aligned}$$

Let \(\mathsf {List}_\star \) be the union of the above lists over all \(\phi \) queried to \(\textsc {RKEnc}\) or \(\textsc {RKDec}\). This list encodes the trace of the attack, as in the forgetful environment no queries to \(\mathsf {P}\) or \(\mathsf {P}^{-1}\) are made while handling \(\textsc {RKEnc}\) and \(\textsc {RKDec}\) queries. This trace is consistent with one coming from a permutation unless \(\mathsf {List}_\star \) violates the permutation property, i.e., there are two entries \((a,b), (a',b') \in \mathsf {List}_\star \) for which \((a=a' \iff b=b')\) fails to hold. Note that one of these pairs must be in \(\mathsf {List}_{\mathsf {{\$}}} := \mathsf {List}^+_\mathsf {{\$}}\cup \mathsf {List}^-_\mathsf {{\$}}\), as the other oracles are faithfully implemented. There is an inconsistency on \(\mathsf {List}_\star \) if and only if there is an inconsistency between two of the lists (one of which is either \(\mathsf {List}^+_\mathsf {{\$}}\) or \(\mathsf {List}^-_\mathsf {{\$}}\)). There are 20 possibilities to consider, including the order in which the queries are made. We consider the cases where the first query of a pair is on \(\mathsf {List}^+_\mathsf {{\$}}\); the other cases are dealt with symmetrically.

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\mathsf {P}^+\): (1) The first component of a pair on \(\mathsf {List}_\mathsf {{\$}}^+\) (we call this a first entry on \(\mathsf {List}_\mathsf {{\$}}^+\)) matches a first entry a on \(\mathsf {List}_\mathsf {P}^+\). This means that for some query \((\phi ^\pi ,x)\) to \(\textsc {RKEnc}\) we have that \(a=\phi ^\pi (k) \oplus x\). This leads to a break of output unpredictability. (2) The second entries on these lists match. More explicitly, we are looking at the probability that \(\mathsf {P}(a)=R\), for R the output of \(\mathsf {{\$}}\) on a forward query. Here we can assume that R is known, which accounts for the adaptive choice of a. But even in this case the probability of this event is small, as \(\mathsf {P}\) is a random permutation.

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\mathsf {P}^-\): (1) A second entry on \(\mathsf {List}_\mathsf {{\$}}^+\) matches a second entry \(b'\) on \(\mathsf {List}_\mathsf {P}^-\). This means that for some query \((\phi ^\pi ,x)\) to \(\textsc {RKEnc}\) with output y we have that \(b'= \phi ^\pi (k) \oplus y\). This leads to a break of output unpredictability. (2) The first entries match on these lists. The argument is similar to case (2) above, but now is for \(\mathsf {P}^{-1}\).

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\phi ^+\): (1) A first entry on \(\mathsf {List}_\mathsf {{\$}}^+\) matches a first entry a on \(\mathsf {List}_\phi ^+\). This means that for some query \((\phi _1^\pi ,x)\) to \(\textsc {RKEnc}\) we have that \(a=\phi _1^\pi (k) \oplus x\) for a query a of some other \(\phi _2^\pi \). This leads to a break of xor query independence. (2) The second entries on these lists match. The argument is as in case (2) of the first pair of lists.

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\phi ^-\): (1) A second entry on \(\mathsf {List}_\mathsf {{\$}}^+\) matches a second entry \(b'\) on \(\mathsf {List}_\phi ^-\). This means that for some query \((\phi _1^\pi ,x)\) to \(\textsc {RKEnc}\) with output y we have that \(b'=\phi _1^\pi (k) \oplus y\) for a query \(b'\) of some other \(\phi _2^\pi \). This leads to a break of xor query independence. (2) The first entries match on these lists. The argument is as in case (2) of the second pair of lists.

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\mathsf {{\$}}^+\): (1) Two first entries on \(\mathsf {List}_\mathsf {{\$}}^+\) match. This means that for two queries \((\phi _1^\pi ,x_1)\) and \((\phi _2^\pi ,x_2)\) to \(\textsc {RKEnc}\) we have that \(\phi _1^\pi (k) \oplus x_1 =\phi _2^\pi (k) \oplus x_2\). Repeat-freeness ensures that \(\phi _1 \ne \phi _2\), as otherwise \(x_1=x_2\) as well. This leads to a break of xor claw-freeness. (2) The second entries on these lists match. Since the oracle returns independent random values, this probability can be bounded by the birthday bound.

  • \(\mathsf {List}_\mathsf {{\$}}^+\) and \(\mathsf {List}_\mathsf {{\$}}^-\): (1) A second entry on \(\mathsf {List}_\mathsf {{\$}}^+\) matches a second entry on \(\mathsf {List}_\mathsf {{\$}}^-\). This means that for a query \((\phi _1^\pi ,x_1)\) to \(\textsc {RKEnc}\) with output \(y_1\) and a query \((\phi _2^\pi ,x_2)\) to \(\textsc {RKDec}\), we have that \(\phi _1^\pi (k) \oplus y_1 = \phi _2^\pi (k) \oplus x_2\). Redundancy-freeness ensures that \(\phi _1 \ne \phi _2\), as otherwise \(x_2\) would be an encryption of \(x_1\). This leads to a break of xor claw-freeness. (2) The first entries on these lists match. The probability of this event can also be bounded by the birthday bound.

Hence inconsistencies among any two pairs of lists happen with small probability, and this shows that \(\mathsf {List}_\star \) is also inconsistent with small probability.

5 The Security of \(\mathsf {EM}^\pi [1,1,1]\)

The theorem established in the previous section does not cover the offset set \({\Phi }^\oplus \), as this set is not xor claw-free. In this section, we investigate whether an extra round of iteration can extend RKA security to the \({\Phi }^\oplus \) set. For the two-round EM constructions, up to relabeling, there are 5 simple key schedules: [1, 1, 1], [1, 1, 2], [1, 2, 1], [1, 2, 2], and [1, 2, 3]. It is easy to see that offset-switching attacks can be used to attack the security of all but the first of these. In the following subsections we study the RKA security of the only remaining construction, \(\mathsf {EM}^\pi [1,1,1]\).

5.1 Weakening the Conditions

We start by following a similar proof strategy to that given for \(\mathsf {EM}^\pi [1,1]\) and identify a set of restrictions which are strong enough to enable a security proof, yet weak enough to encompass the \({\Phi }^\oplus \) set. Starting from the CPA environment

$$ \pi (i,x,\sigma ), \quad \mathsf {P}_2(\mathsf {P}_1(x \oplus \phi ^{\pi }(k)) \oplus \phi ^{\pi }(k)) \oplus \phi ^{\pi }(k) ~, $$

we simulate the \(\mathsf {P}_2\) oracle forgetfully and move to a setting with oracles

$$ \pi (i,x,\sigma ), \quad \mathsf {{\$}}(\mathsf {P}_1(x \oplus \phi ^{\pi }(k)) \oplus \phi ^{\pi }(k)) \oplus \phi ^{\pi }(k) \qquad \equiv \qquad \pi (i,x,\sigma ), \quad \mathsf {{\$}}()~. $$

This game can also be reached from the ideal game \( \pi (i,x,\sigma ), \mathsf {iE}(\phi ^{\pi }(k),x) \) via an application of the RP/RF switching lemma [8] and the claw-freeness property, as in the analysis of \(\mathsf {EM}^\pi [1,1]\).

We now analyze the probability that the second environment simulates the first one in an inconsistent way. We look at inconsistencies which arise due to oracles being queried on the same inputs. The first place such an inconsistency might arise is when \(\mathcal {A}\) makes an explicit \(\pi \) query \((2,a,+)\) that matches a query made to \(\mathsf {{\$}}\), i.e., \(\mathsf {P}_1(x \oplus \phi ^{\pi }(k)) \oplus \phi ^{\pi }(k) = a\) for some \((\phi ^\pi ,x)\). Our first condition below addresses this event; we give a slight strengthening of the condition as we will be using it later on.

First-order output unpredictability. Let \({t}\ge 1\). The advantage of an adversary \(\mathcal {A}\) against the first-order output unpredictability of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

Oracle \(\pi \), the probability space, and \(\mathsf {List}\) are defined analogously to the previous definitions. Note that in the \(\mathsf {RKCPA}\) setting we do not need to consider inconsistencies resulting from inputs to \(\mathsf {P}_1^{-1}\) or \(\mathsf {P}_2^{-1}\) arising through \(\textsc {RKDec}\) queries, and only need to consider \((i,\sigma )=(1,+)\) above.

Inconsistencies arising as a result of two \(\textsc {RKEnc}\) queries (this oracle places queries to \(\mathsf {{\$}}\)) lead to the following modification of claw-freeness.

First-order claw-freeness. Let \({t}\ge 1\). The advantage of an adversary \(\mathcal {A}\) against the first-order claw-freeness of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

We now look at inconsistencies in the simulation due to a mismatch in an RKD query to \(\pi \) and a query to \(\mathsf {{\$}}\) made via the \(\textsc {RKEnc}\) oracle. Since only the second function is forgetfully simulated, we require independence of queries for \(\mathsf {P}_2\) only. Once again, in the \(\mathsf {RKCPA}\) setting, restricting the definition to \((i,\sigma )=(1,+)\) suffices.

First-order query independence. Let \({t}\ge 2\). The advantage of an adversary \(\mathcal {A}\) against the first-order query independence of an RKD set \({\Phi }\) with access to \({t}\) ideal permutations is defined via

where, as before,

$$\begin{aligned} \mathsf {Qry}[\phi ^{\pi }(k)]&:= \{ (i,x,\sigma ) : (i,x,\sigma ) \text { queried to } \pi \, \text {by } \phi ^\pi (k) \}~, \\ \overline{\mathsf {Qry}}[\phi ^{\pi }(k)]&:= \mathsf {Qry}[\phi ^{\pi }(k)] \cup \{ (i,\pi (i,x,\sigma ),-\sigma ) : (i,x,\sigma ) \in \mathsf {Qry}[\phi ^{\pi }(k)] \}~. \end{aligned}$$

The new set of conditions identified above allows us to carry out a similar proof strategy to that of Theorem 2 and establish the following result. (See the full version [28] for the details of the proof.)

Theorem 3

(RKCPA security of \(\mathsf {EM}^\pi [1,1,1]\)). Let \({{\Phi }}\) be an RKD set. Then for any adversary \(\mathcal {A}\) against the RKCPA security of \(\mathsf {EM}^\pi [1,1,1]\) with parameters as defined before, there are adversaries \(\mathcal {B}_{1a}\) against \(\mathsf {OUP1}\), \(\mathcal {B}_{1b}\) against \(\mathsf {OUP}\), \(\mathcal {B}_{2a}\) against \(\mathsf {QI1}\), \(\mathcal {B}_{2b}\) against \(\mathsf {XQI}\), \(\mathcal {B}_3\) against \(\mathsf {CF1}\), and \(\mathcal {B}_4\) against \(\mathsf {CF}\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcpa}}_{\mathsf {EM}^\pi [1,1,1],{\Phi },2}&(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {oup1}}_{{\Phi },2}(\mathcal {B}^{}_{1a}) \!+ \!\mathbf {Adv}^{\mathsf {oup}}_{{\Phi },2}(\mathcal {B}^{}_{1b}) \!+\! \mathbf {Adv}^{\mathsf {qi1}}_{{\Phi },2}(\mathcal {B}^{}_{2a}) \!+\! \mathbf {Adv}^{\mathsf {xqi}}_{{\Phi },2}(\mathcal {B}^{}_{2b}) \\&+ 2 \mathbf {Adv}^{\mathsf {cf1}}_{{\Phi },2}(\mathcal {B}^{}_3) + \mathbf {Adv}^{\mathsf {cf}}_{{\Phi },2}(\mathcal {B}^{}_4)+ \frac{q_{em}(q_{2}+\sum _{\phi }{q_{2}^{\phi }})}{2^n- (q_{2} + \sum _{\phi }{q_{2}^{\phi })}} + \frac{2q_{em}^2}{2^n} ~, \end{aligned}$$

where \(\mathcal {B}^{}_{1a}\) and \(\mathcal {B}^{}_{1b}\) output lists of length \(q_{2}q_{em}\), \(\mathcal {B}^{}_{2a}\) and \(\mathcal {B}^{}_{2b}\) lists of length \(q_{em}^2\), \(\mathcal {B}^{}_3\) a list of length \(q_{em}^2\), and \(\mathcal {B}^{}_4\) a list of length at most \(q_{em}^2\).

5.2 Security

We show that the restrictions identified above are weak enough so that the offset RKD set \({\Phi }^\oplus \) can be shown to satisfy them. We start by showing that for oracle-independent sets, \({\Phi }\) is output unpredictable and claw-free if and only if it is first-order output unpredictable and first-order claw-free.

Proposition 1

(\(\mathsf {OUP} \wedge \mathsf {CF} \iff \mathsf {OUP1} \wedge \mathsf {CF1}\)). Let \({\Phi }\) be an oracle-independent RKD set and let \({t}\ge 1\). Then for any adversary \(\mathcal {A}\) against the \(\mathsf {OUP}\) (resp. \(\mathsf {CF}\)) game outputting a list of size \(\ell \) and placing \(q_i\) permutation queries with index i, there is an adversary \(\mathcal {B}_1\) (resp. \(\mathcal {B}_2\)) outputting a list of size \(\ell \) (resp. \(\ell \)) and placing \(q_i+\delta _{1i}\ell \) (resp. \(q_i\)) permutation queries with index i such that

$$ \mathbf {Adv}^{\mathsf {oup}}_{{\Phi },{t}}(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {oup1}}_{{\Phi },{t}}(\mathcal {B}_1) \quad \text{ and } \quad \mathbf {Adv}^{\mathsf {cf}}_{{\Phi },{t}}(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {cf1}}_{{\Phi },{t}}(\mathcal {B}_2)~. $$

Moreover, for any adversary \(\mathcal {A}\) against \(\mathsf {OUP1}\) with parameters as before, there is an adversary \(\mathcal {B}_1\) against \(\mathsf {OUP}\) outputting a list of size \(\ell \cdot q_\pi := \ell \cdot \sum _i q_i\), where it places \(q_i\) permutation queries with index i such that

$$ \mathbf {Adv}^{\mathsf {oup1}}_{{\Phi },{t}}(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {oup}}_{{\Phi },{t}}(\mathcal {B}_1) + \frac{\ell (q_\pi +1)}{2^n-\ell } ~. $$

Finally, for any adversary \(\mathcal {A}\) against \(\mathsf {CF1}\) with parameters as before, there are adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\), where \(\mathcal {B}_1\) is as in the previous case, and \(\mathcal {B}_2\) outputs a list of size \(\ell \) and makes \(q_i\) permutation queries with index i such that

$$ \mathbf {Adv}^{\mathsf {cf1}}_{{\Phi },{t}}(\mathcal {A}) \le \mathbf {Adv}^{\mathsf {oup}}_{{\Phi },{t}}(\mathcal {B}_1) + 2\cdot \mathbf {Adv}^{\mathsf {cf}}_{{\Phi },{t}}(\mathcal {B}_2)+ \frac{\ell }{2^n-\ell } + \frac{\ell }{2^n-2\ell }~. $$

Bellare and Kohno [7] show that the RKD set \({\Phi }^\oplus \) is output unpredictable with advantage \(\ell /2^n\) for any adversary outputting a list of size \(\ell \), and claw-free with advantage 0. The above proposition allows us to conclude that this set is also first-order output unpredictable and first-order claw-free.

Corollary 1

Let \({t}\ge 1\) and suppose \({\Phi }^\oplus \) is defined with respect to a key space of size \(2^n\). Then for any \(\mathcal {A}\) outputting a list of size at most \(\ell \le 2^n/4\) and making at most \(q_1\) queries to its \(\mathsf {P}_1\) oracle,

$$ \mathbf {Adv}^{\mathsf {oup1}}_{{\Phi }^\oplus ,{t}}(\mathcal {A}) \le \frac{\ell \cdot (q_1+1)}{2^{n-1}} \quad \text {and} \quad \mathbf {Adv}^{\mathsf {cf1}}_{{\Phi }^\oplus ,{t}}(\mathcal {A}) \le \frac{\ell \cdot (q_1+2)}{2^{n-1}}~. $$

This corollary together with Theorem 3 allows us to establish that \(\mathsf {EM}^\pi [1,1,1]\) is RKCPA secure with respect to \({\Phi }^\oplus \).

Corollary 2

For any adversary \(\mathcal {A}\) against the RKCPA security of \(\mathsf {EM}^\pi [1,1,1]\) that makes at most \(q_\pi \) queries to its \(\pi \) oracle (of which \(q_{i}\) are to \(\pi (i,\cdot ,\cdot )\)) and at most \(q_{em}\) queries to its \(\textsc {RKEnc}\) oracle, with \(q_{2}q_{em}\), \(q_{em}^2 \le 2^n/ 4\), we have

$$ \mathbf {Adv}^{\mathsf {rkcpa}}_{\mathsf {EM}^\pi [1,1,1],{\Phi }^\oplus ,2} (\mathcal {A})\le \frac{q_{em}(q_{2} + q_{em})(2q_{1}+5)}{2^{n} } + \frac{q_{2}q_{em}}{2^n- q_{2}} ~. $$

We remark that via a direct analysis (but at the expense of modularity) the cubic bound above can be tightened to a quadratic one.

Remark. The above results raise the question of whether the security proof can be extended to the CCA setting. Adapting an attack due to Andreeva et al. [3] on the indifferentiability of the two-round EM construction to the RKA setting, it can be seen that \(\mathsf {EM}^\pi [1,1,1]\) is not RKCCA secure. Details are given in the full version [28]. This attack also applies if \(\mathsf {P}_2=\mathsf {P}_1\).

6 The Security of \(\mathsf {EM}^\pi [1,1,1,1]\)

Building on the results of the previous sections, we set out to find a key schedule for the iterated Even–Mansour construction that provides RKCCA security. Our previous results show that at least three rounds are necessary. We start by showing that of the fourteen possible simple key schedules for three-round EM, all but one fall prey to attacks. We then show that the remaining \(\mathsf {EM}^\pi [1,1,1,1]\) construction does indeed provide RKCCA security.

Up to relabeling, there are 14 possible key schedules for the three-round Even–Mansour schemes. Of these, 9 are susceptible to offset-switching attacks: these are the key schedules where a key appears only in the first or the last round and nowhere else, e.g., [1, 2, 2, 2], [1, 2, 2, 3], or [1, 2, 2, 1]. Another 4 can be attacked using Andreeva et al.’s attack [3]: the [1, 1, 2, 1], [1, 2, 1, 1], [1, 1, 2, 2], and [1, 2, 1, 2] schedules. Details are given in the full version of the paper [28].

These attacks give a generic 4-query related-key distinguisher for reduced-round LED [32] (8 out of 32 rounds for LED-64 and 16 out of 48 for LED-128). Our results lend support to the designers’ claim that LED provides good related-key attack security in spite of the simple key schedule, even though they do not apply directly to LED as the round functions are neither random permutations nor independent.

We now show that \(\mathsf {EM}^\pi [1,1,1,1]\) achieves RKCCA security for sets \({\Phi }\) which include, amongst others, the \({\Phi }^\oplus \) set. As before, we motivate a number of restrictions on \({\Phi }\) by considering a simulation strategy and analyzing the inconsistencies that could arise. The adversary in the RKCCA game with respect to the construction has access to \(\pi \) and the oracles

$$ \mathsf {P}_3(\mathsf {P}_2(\mathsf {P}_1(x\oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~, $$
$$ \mathsf {P}_1^{-1}(\mathsf {P}_2^{-1}(\mathsf {P}_3^{-1}(x\oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~. $$

Once again we aim to simulate the above two oracles by returning uniformly random values. There are at least two ways to perform this:

  (a) Simulate the outer permutations in \(\textsc {RKEnc}\) and \(\textsc {RKDec}\) forgetfully. That is, the \(\mathsf {P}_3\) oracle in \(\textsc {RKEnc}\) and the \(\mathsf {P}^{-1}_1\) oracle in \(\textsc {RKDec}\) are forgetfully implemented.

  (b) Simulate the middle oracles \(\mathsf {P}_2\) and \(\mathsf {P}^{-1}_2\) forgetfully. This ensures that the inputs to \(\mathsf {P}^\pm _1\) and \(\mathsf {P}^\pm _3\) are randomized, and hence their outputs will also be random.

The first approach, although in some sense the more natural one, does not work. This is due to the fact that \(\mathsf {P}_1\) (resp. \(\mathsf {P}_3\)) also appears as the first-round permutation in \(\textsc {RKEnc}\) (resp. \(\textsc {RKDec}\)). An adversary which performs an offset switch can trigger collisions in these oracles without being detected. We therefore adopt the second simulation strategy and, for a forgetful oracle \(\mathsf {{\$}}\), consider

$$ \mathsf {P}_3(\mathsf {{\$}}(\mathsf {P}_1(x\oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~, $$
$$ \mathsf {P}_1^{-1}(\mathsf {{\$}}(\mathsf {P}_3^{-1}(x\oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)) \oplus \phi ^\pi (k)~. $$

We now consider inconsistencies, starting with a query collision between \(\pi \) (from a query of \(\mathcal {A}\)) and \(\mathsf {{\$}}\) arising from either the forward or the backward direction. Here we rely on first-order output unpredictability, and note that both \((i,\sigma )= (1,+)\) and \((i,\sigma )= (3,-)\) will be critically relied on. Collisions arising between an RKD query to \(\pi \) and a \(\mathsf {{\$}}\) query in either direction can be ruled out down to first-order query independence; once again \((i,\sigma ) \in \{(1,+), (3,-)\}\) will be used. Finally, the probability that a collision occurs as a result of two queries to \(\mathsf {{\$}}\) (due to forward or backward queries) can be bounded by the first-order claw-freeness property. As before, inconsistencies also arise due to collisions between the outputs of oracle queries; the probability of this occurring can be bounded information theoretically. Note that here we also rely on independence of queries to the second permutation, but both cases \((i,\sigma ) \in \{(1,+), (3,-)\}\) in the definition will be used. We formally prove the following theorem in [28].

Theorem 4

(RKCCA security of \(\mathsf {EM}^\pi [1,1,1,1]\)). Let \({\Phi }\) be an RKD set. Then for any adversary \(\mathcal {A}\) against the RKCCA security of \(\mathsf {EM}^\pi [1,1,1,1]\) with parameters as before, there are adversaries \(\mathcal {B}_1\), \(\mathcal {B}_2\), \(\mathcal {B}_3\), and \(\mathcal {B}_4\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {EM}^\pi [1,1,1,1],{\Phi },3} (\mathcal {A})\le&\mathbf {Adv}^{\mathsf {oup1}}_{{\Phi },3}(\mathcal {B}^{}_1) + \mathbf {Adv}^{\mathsf {xqi1}}_{{\Phi },3}(\mathcal {B}^{}_2)+ 2\mathbf {Adv}^{\mathsf {cf1}}_{{\Phi },3}(\mathcal {B}^{}_3) \\&+ \mathbf {Adv}^{\mathsf {cf}}_{{\Phi },3}(\mathcal {B}^{}_4) + \frac{2q_{em}^2}{2^{n}} + \frac{2q_{em}(q_{2}+\sum _{\phi }{q_{2}^{\phi }})}{2^n- (q_{2} + \sum _{\phi }{q_{2}^{\phi }})}~, \end{aligned}$$

where \(\mathcal {B}^{}_1\) outputs a list of length \(2q_{2}q_{em}\), \(\mathcal {B}^{}_2\) a list of length \(2 q_{em}^2\), \(\mathcal {B}^{}_3\) a list of length \(q_{em}^2\), and \(\mathcal {B}^{}_4\) a list of length at most \(q_{em}^2\).

Corollary 1 together with Theorem 4 allows us to establish that the three-round single-key Even–Mansour construction with independent round permutations is RKCCA secure with respect to \({\Phi }^\oplus \):

Corollary 3

Let \(\mathcal {A}\) be any adversary against the RKCCA security of \(\mathsf {EM}^\pi [1,1,1,1]\) with parameters defined as before. Then

$$\begin{aligned} \mathbf {Adv}^{\mathsf {rkcca}}_{\mathsf {EM}^\pi [1,1,1,1],{\Phi }^\oplus ,3} (\mathcal {A})\le \frac{2q_{em} (q_{2} + q_{em})(2q_{1}+2q_{3}+9)}{2^{n}} + \frac{2q_{em}q_{2}}{2^n- q_{2}}~. \end{aligned}$$

Once again, via a direct analysis (but at the expense of modularity) the cubic bound above can be tightened to a quadratic one.