Post-Quantum Security of the Even-Mansour Cipher

The Even-Mansour cipher is a simple method for constructing (keyed) pseudorandom permutation E from public random $$P:\{0,1\}^n \rightarrow \{0,1\}^n$$ . It secure against classical attacks, with optimal attacks requiring $$q_E$$ queries to and $$q_P$$ P such that $$q_E \cdot q_P \approx 2^n$$ If the attacker given quantum access both P, however, completely insecure, using $$q_E, = O(n)$$ known. In any plausible real-world setting, would have only keyed implemented by honest parties, while retaining P. Attacks in this setting q_P^2 are known, showing security degrades as compared purely case, but leaving open question whether can still be proven natural, “post-quantum” setting. We resolve question, attack requires q^2_P + q_E^2 Our results apply two-key single-key variants of Even-Mansour. Along way, we establish several generalizations prior work on quantum-query lower bounds may independent interest.