Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The random oracle methodology, revisited (preliminary version)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
(Not So) Random Shuffles of RC4
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
New Results on Pseudorandom Permutation Generators Based on the DES Scheme
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Limitations of the Even-Mansour Construction
ASIACRYPT '91 Proceedings of the International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
How to Encipher Messages on a Small Domain
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Indistinguishability amplification
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
On generalized Feistel networks
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Minimalism in cryptography: the Even-Mansour scheme revisited
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
We analyze the security of the iterated Even-Mansour cipher (a.k.a. key-alternating cipher), a very simple and natural construction of a blockcipher in the random permutation model. This construction, first considered by Even and Mansour (J. Cryptology, 1997) with a single permutation, was recently generalized to use t permutations in the work of Bogdanov et al. (EUROCRYPT 2012). They proved that the construction is secure up to $\mathcal{O}(N^{2/3})$ queries (where N is the domain size of the permutations), as soon as the number t of rounds is 2 or more. This is tight for t=2; however, in the general case the best known attack requires $\Omega(N^{t/(t+1)})$ queries. In this paper, we give asymptotically tight security proofs for two types of adversaries: (1) for non-adaptive chosen-plaintext adversaries, we prove that the construction achieves an optimal security bound of $\mathcal{O}(N^{t/(t+1)})$ queries; (2) for adaptive chosen-plaintext and ciphertext adversaries, we prove that the construction achieves security up to $\mathcal{O}(N^{t/(t+2)})$ queries (for t even). This improves previous results for t≥6. Our proof crucially relies on the use of a coupling to upper-bound the statistical distance between the outputs of the iterated Even-Mansour cipher and the uniform distribution.
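To make the object of the abstract concrete, here is an added toy instantiation of the t-round iterated Even-Mansour (key-alternating) cipher, with its inverse; this is illustration code written for this page, not code from the paper. It assumes a small n-bit domain so that the public permutations P_1..P_t can be sampled uniformly at random as lookup tables (the random permutation model) and the whole domain N = 2^n can be enumerated to check that the construction is a bijection.

```python
import random

# Added example, not code from the paper: a toy t-round iterated Even-Mansour
# cipher. The public permutations P_1..P_t are sampled uniformly at random as
# lookup tables over an n-bit domain, which is the random permutation model;
# n_bits is kept small so the domain N = 2^n_bits can be enumerated.

def random_permutation(n_bits, rng):
    table = list(range(1 << n_bits))      # identity lookup table over the domain
    rng.shuffle(table)                    # uniformly random permutation
    return table

def invert(perm):
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv

class IteratedEvenMansour:
    """E(x) = k_t xor P_t( ... k_1 xor P_1(k_0 xor x) ... ): t rounds, t+1 keys."""
    def __init__(self, perms, keys):
        assert len(keys) == len(perms) + 1, "t permutations need t+1 keys"
        self.perms, self.keys = perms, keys
        self.inv_perms = [invert(p) for p in perms]

    def encrypt(self, x):
        s = x ^ self.keys[0]
        for p, k in zip(self.perms, self.keys[1:]):
            s = p[s] ^ k                  # one round: permute, then key-whiten
        return s

    def decrypt(self, y):
        s = y
        for p_inv, k in zip(reversed(self.inv_perms), reversed(self.keys[1:])):
            s = p_inv[s ^ k]              # undo the whitening, then the permutation
        return s ^ self.keys[0]

def build(n_bits, t, seed=None):
    """Sample t random permutations and t+1 uniformly random n-bit keys."""
    rng = random.Random(seed)             # seeded only so the demo is repeatable
    perms = [random_permutation(n_bits, rng) for _ in range(t)]
    keys = [rng.getrandbits(n_bits) for _ in range(t + 1)]
    return IteratedEvenMansour(perms, keys)

def is_permutation(cipher, n_bits):
    """Check that encrypt is a bijection on the domain and decrypt inverts it."""
    domain = range(1 << n_bits)
    images = [cipher.encrypt(x) for x in domain]
    return sorted(images) == list(domain) and all(
        cipher.decrypt(y) == x for x, y in zip(domain, images))
```

With t=1 the class reduces to the original single-permutation Even-Mansour cipher; the security bounds in the abstract concern how many queries to the cipher and to the public permutations an adversary needs in terms of N, which a toy domain of this size cannot demonstrate.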