Post-Quantum Security of the Even-Mansour Cipher

Authors

Abstract

The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation E from a public random permutation $$P:\{0,1\}^n \rightarrow \{0,1\}^n$$. It is secure against classical attacks, with optimal attacks requiring $$q_E$$ queries to E and $$q_P$$ queries to P such that $$q_E \cdot q_P \approx 2^n$$. If the attacker is given quantum access to both E and P, however, the cipher is completely insecure, with attacks using $$q_E, = O(n)$$ known. In any plausible real-world setting, however, a quantum attacker would have only classical access to the keyed permutation E implemented by honest parties, while retaining quantum access to P. Attacks in this setting q_P^2 are known, showing that security degrades as compared to the purely classical case, but leaving open the question of whether the cipher can still be proven secure in this natural, “post-quantum” setting. We resolve this question, attack requires q^2_P + q_E^2. Our results apply to both the two-key and single-key variants of Even-Mansour. Along the way, we establish several generalizations of prior work on quantum-query lower bounds that may be of independent interest.

Similar resources

Minimizing the Two-Round Even-Mansour Cipher

The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1, . . . , Pr as follows: given a sequence of n-bit round keys k0, . . . , kr, an n-bit plaintext x is encrypted by xoring round key k0, applying permutation P1, xoring round key k1, etc. The (strong) pseudorandomness of this construction in the random...

Towards a Characterization of the Related-Key Attack Security of the Iterated Even-Mansour Cipher

We prove the related-key security of the Iterated Even-Mansour cipher under broad classes of related key derivation (RKD) functions. Our result extends the classes of RKD functions considered by Farshim and Procter (FSE, 15). Moreover, we present a far simpler proof which uses techniques similar to those used by Cogliati and Seurin (EUROCRYPT, 15) in their proof that the four-round Even-Mansour...

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle P and XORs different keys prior to and after applying P: C = k2 ⊕ P(M ⊕ k1). They did not, however, describe how one could instantiate such a permutation securely. It is a fundamental open problem whether their construction could be proved secure outside the random permutatio...

An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher

We analyze the security of the iterated Even-Mansour cipher (a.k.a. key-alternating cipher), a very simple and natural construction of a blockcipher in the random permutation model. This construction, first considered by Even and Mansour (J. Cryptology, 1997) with a single permutation, was recently generalized to use t permutations in the work of Bogdanov et al. (EUROCRYPT 2012). They proved th...

The Related-Key Security of Iterated Even-Mansour Ciphers

The simplicity and widespread use of blockciphers based on the iterated Even–Mansour (EM) construction has sparked recent interest in the theoretical study of their security. Previous work has established their strong pseudorandom permutation and indifferentiability properties, with some matching lower bounds presented to demonstrate tightness. In this work we initiate the study of the EM ciphe...

Journal

Journal title: Lecture Notes in Computer Science

Year: 2022

ISSN: 1611-3349, 0302-9743

DOI: https://doi.org/10.1007/978-3-031-07082-2_17