New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers

We propose new key recovery attacks on the two minimal two-round n-bit Even-Mansour ciphers that are secure up to 2 queries against distinguishing attacks proved by Chen et al. Our attacks are based on the meet-in-the-middle technique which can significantly reduce the data complexity. In particular, we introduce novel matching techniques which enable us to compute one of the two permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces the data complexity and the other reduces the time complexity. Compared with the previously known attacks, our attack first breaks the birthday barrier on the data complexity although it requires chosen plaintexts. When the block size is 64 bits, our attack reduces the required data from 2 known plaintexts to 2 chosen plaintexts with keeping the time complexity required by the previous attacks. Furthermore, by increasing the time complexity up to 2, the required data is further reduced to 2, and DT = 2, where DT is the product of data and time complexities. We show that our low-data attack on the minimal n-bit two-round EvenMansour ciphers requires DT = 2 in general cases. Since the proved lower bound on the required DT for the one-round n-bit Even-Mansour ciphers is 2, our results imply that adding one round to the one-round Even-Mansour ciphers does not sufficiently improve the security against key recovery attacks.