Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys
نویسندگان
چکیده
The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. In this paper, we methodically analyze the security of all the possible iterated Even-Mansour schemes with two n-bit keys and up to four rounds, and show that none of them provides more than n-bit security. In particular, we can apply one of our new attacks to 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 2 to 2. As another example of the broad applicability of our techniques, we show how to reduce the time complexity of the attack on two-key triple-DES (which is an extremely well studied and widely deployed scheme) when fewer than 2 known plaintext-ciphertext pairs are given. Our attacks are based on a novel cryptanalytic technique called multibridge which connects different parts of the cipher such that they can be analyzed independently, exploiting its self-similarity properties. Finally, the key suggestions of the different parts are efficiently joined using a meet-in-the-middle attack.
منابع مشابه
From Related-Key Distinguishers to Related-Key-Recovery on Even-Mansour Constructions
We show that a distinguishing attack in the related key model on an EvenMansour block cipher can readily be converted into an extremely efficient key recovery attack. Concerned ciphers include in particular all iterated Even-Mansour schemes with independent keys. We apply this observation to the Caesar candidate Prøst-OTR and are able to recover the whole key with a number of requests linear in...
متن کاملPreuves de sécurité en cryptographie symétrique à l'aide de la technique du coupling. (Security proofs in symmetric cryptography using the coupling technique)
In this thesis, we study blockciphers, meaning that the encryption (and decryption)sends a block of n bits on a block of n bits. There is essentially two main structures usedfor a blockcipher: the Feistel structure (used for DES) and the SPN structure (used forAES). The study of the security of these structures and schemes has led to many practicaland theoretical advances. We pr...
متن کاملKey Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES
The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs. The original 1-round construction was naturally generalized into r-round structures with one key, two alternating keys, and completely independent keys. In this paper we describe the first key recovery attack on the one-key 3-round version ...
متن کاملKey Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES2
The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs. The original 1-round construction was naturally generalized into r-round structures with one key, two alternating keys, and completely independent keys. In this paper we describe the first key recovery attack on the one-key 3-round version ...
متن کاملMinimizing the Two-Round Even-Mansour Cipher
The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1, . . . , Pr as follows: given a sequence of n-bit round keys k0, . . . , kr, an n-bit plaintext x is encrypted by xoring round key k0, applying permutation P1, xoring round key k1, etc. The (strong) pseudorandomness of this construction in the random...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2013 شماره
صفحات -
تاریخ انتشار 2013