Minimalism in cryptography: the even-mansour scheme revisited

Authors:
Orr Dunkelman;Nathan Keller;Adi Shamir
Affiliations:
Computer Science Department, University of Haifa, Haifa, Israel and Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel;Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel and Department of Mathematics, Bar-Ilan University, Ramat Gan, Israel;Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel
Venue:
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Year:
2012

Citing 9
Cited 4

Differential cryptanalysis of the data encryption standard

Differential cryptanalysis of the data encryption standard
Nondeterministic Algorithms

Journal of the ACM (JACM)
Limitations of the Even-Mansour Construction

ASIACRYPT '91 Proceedings of the International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
A Construction of a Cioher From a Single Pseudorandom Permutation

ASIACRYPT '91 Proceedings of the International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
Slide Attacks

FSE '99 Proceedings of the 6th International Workshop on Fast Software Encryption
Cycle detection using a stack

Information Processing Letters
Advanced slide attacks

EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Power of a public random permutation and its application to authenticated encryption

IEEE Transactions on Information Theory
Improved slide attacks

FSE'07 Proceedings of the 14th international conference on Fast Software Encryption

Differential analysis of the LED block cipher

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
PRINCE: a low-latency block cipher for pervasive computing applications

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
An asymptotically tight security analysis of the iterated even-mansour cipher

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
A compress slide attack on the full GOST block cipher

Information Processing Letters

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we consider the following fundamental problem: What is the simplest possible construction of a block cipher which is provably secure in some formal sense? This problem motivated Even and Mansour to develop their scheme in 1991, but its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which was based on differential cryptanalysis) required chosen plaintexts. In this paper we solve this open problem by describing the new Slidex attack which matches the T=Ω(2n/D) lower bound on the time T for any number of known plaintexts D. Once we obtain this tight bound, we can show that the original two-key Even-Mansour scheme is not minimal in the sense that it can be simplified into a single key scheme with half as many key bits which provides exactly the same security, and which can be argued to be the simplest conceivable provably secure block cipher. We then show that there can be no comparable lower bound on the memory requirements of such attacks, by developing a new memoryless attack which can be applied with the same time complexity but only in the special case of D=2n/2. In the last part of the paper we analyze the security of several other variants of the Even-Mansour scheme, showing that some of them provide the same level of security while in others the lower bound proof fails for very delicate reasons.