On the Resilience of Even-Mansour to Invariant Permutations
Abstract
Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate this is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, by assuring that the mode never evaluates its underlying primitive under any invariance. We first formalize invariant permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge. The analyses exactly pinpoint how the presence of linear invariances affects the security bounds compared with those in the random permutation model. As such, they give an exact indication of how invariances can be exploited. From the practical side, the derived bounds are applied to the case where the construction is instantiated with the 512-bit ChaCha permutation, and we derive a distinguishing attack against Even-Mansour-ChaCha in $$2^{128}$$ queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in $$2^{50}$$ queries), the 1024-bit CubeHash permutation ($$2^{256}$$ queries) and the 384-bit Gimli permutation without round constants ($$2^{96}$$ queries). These attacks do not invalidate the primitives themselves, but rather confirm the tightness of our bounds and confirm that care should be taken when employing a primitive that has nontrivial invariances.
Similar sources
Balanced permutations Even-Mansour ciphers
The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al. for r = 2, 3. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikolić et al.): for a “typical” permutation P, the distribution of P(x)⊕ ...
How to Generate Pseudorandom Permutations Over Other Groups: Even-Mansour and Feistel Revisited
Recent results by Alagic and Russell have given some evidence that the Even-Mansour cipher may be secure against quantum adversaries with quantum queries, if considered over other groups than (Z/2)n. This prompts the question as to whether or not other classical schemes may be generalized to arbitrary groups and whether classical results still apply to those generalized schemes. In this paper, ...
Tweaking Even-Mansour Ciphers
We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterate...
Limitations of the Even-Mansour Construction
In [1] a construction of a block cipher from a single pseudorandom permutation is proposed. In a complexity theoretical setting they prove that this scheme is secure against a polynomially bounded adversary. In this paper it is shown that this construction suffers from severe limitations that are immediately apparent if differential cryptanalysis [3] is performed. The fact that these limitation...
Minimizing the Two-Round Even-Mansour Cipher
The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1, . . . , Pr as follows: given a sequence of n-bit round keys k0, . . . , kr, an n-bit plaintext x is encrypted by xoring round key k0, applying permutation P1, xoring round key k1, etc. The (strong) pseudorandomness of this construction in the random...
Journal
Journal title: Designs, Codes and Cryptography
Year: 2021
ISSN: ['0925-1022', '1573-7586']
DOI: https://doi.org/10.1007/s10623-021-00850-2