Indifferentiability of Iterated Even-Mansour Ciphers with Non-idealized Key-Schedules: Five Rounds Are Necessary and Sufficient
نویسندگان
چکیده
We prove that the 5-round iterated Even-Mansour (IEM) construction with a non-idealized key-schedule (such as the trivial keyschedule, where all round keys are equal) is indifferentiable from an ideal cipher. In a separate result, we also prove that five rounds are necessary by describing an attack against the corresponding 4-round construction. This closes the gap regarding the exact number of rounds for which the IEM construction with a non-idealized key-schedule is indifferentiable from an ideal cipher, which was previously only known to lie between four and twelve. Moreover, the security bound we achieve is comparable to (in fact, slightly better than) the previously established 12-round bound.
منابع مشابه
The Related-Key Security of Iterated Even-Mansour Ciphers
The simplicity and widespread use of blockciphers based on the iterated Even–Mansour (EM) construction has sparked recent interest in the theoretical study of their security. Previous work has established their strong pseudorandom permutation and indifferentiability properties, with some matching lower bounds presented to demonstrate tightness. In this work we initiate the study of the EM ciphe...
متن کاملOn the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks
The iterated Even-Mansour cipher is a construction of a block cipher from r public permutations P1, . . . , Pr which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations P1, . . . , Pr has been investigated in a series of recent papers. This ...
متن کاملA Synthetic Indifferentiability Analysis of Interleaved Double-Key Even-Mansour Ciphers
Iterated Even-Mansour scheme (IEM) is a generalization of the basic 1-round proposal (ASIACRYPT ’91). The scheme can use one key, two keys, or completely independent keys. Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the ...
متن کاملSecurity of Even-Mansour Ciphers under Key-Dependent Messages
The iterated Even–Mansour (EM) ciphers form the basis of many blockcipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even–Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for blockciphers since non-expanding mechanis...
متن کاملTowards Understanding the Known-Key Security of Block Ciphers
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions as well as propos...
متن کامل