On the Resilience of Even-Mansour to Invariant Permutations

Abstract Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown these can be a serious issue. One way mitigate is at primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how thwart invariance exploitation mode assuring never evaluates its underlying under any invariance. We first formalize permutations from security perspective, analyze Even-Mansour block cipher construction. further demonstrate model composes, apply it keyed sponge The analyses exactly pinpoint presence linear invariances affects bounds compared with in random permutation model. As such, they give an exact indication exploited. From practical side, derived case where construction instantiated 512-bit ChaCha permutation, derive distinguishing attack against Even-Mansour-ChaCha $$2^{128}$$ 2 128 queries, faster than birthday bound. Comparable results for instantiation using 200-bit Keccak without (attack $$2^{50}$$ 50 queries), 1024-bit CubeHash $$2^{256}$$ 256 384-bit Gimli $$2^{96}$$ 96 queries). do not invalidate themselves, but rather tightness our confirm care should taken when employing has nontrivial invariances.