Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance

Author

  • John P. Steinberger
Abstract

A t-round key-alternating cipher can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the (public) random permutations $P_1, \ldots, P_t$ was investigated for t = 2 by Even and Mansour [5] and, much later, by Bogdanov et al. [1]. The former proved indistinguishability up to $2^{n/2}$ queries for t = 1 while the latter proved indistinguishability up to $2^{2n/3}$ queries for t ≥ 2 (ignoring low-order terms). Our contribution is to improve the analysis of Bogdanov et al. by showing security up to $2^{3n/4}$ queries for t ≥ 3. Given that security cannot exceed $2^{tn/(t+1)}$ queries, this in particular achieves a tight bound for the case t = 3, whereas, previously, tight bounds had only been achieved for t = 1 (by Even and Mansour) and for t = 2 (by Bogdanov et al.). Our main technique is an improved analysis of the elegant sample distinguishability game introduced by Bogdanov et al. [1]. More specifically, we succeed in eliminating adaptivity by considering the Hellinger advantage of an adversary, a notion that we introduce here. To our knowledge, our result constitutes the first time Hellinger distance (a standard measure of “distance” between random variables, and a cousin of statistical distance) is used in a cryptographic indistinguishability proof.

Introduction

Given t permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$, the t-round key-alternating cipher based on $P_1, \ldots, P_t$ is a blockcipher $E : \{0,1\}^{(t+1)n} \times \{0,1\}^n \to \{0,1\}^n$ of keyspace $\{0,1\}^{(t+1)n}$ and message space $\{0,1\}^n$, where for a key $k = k_0 \| k_1 \| \cdots \| k_t \in \{0,1\}^{(t+1)n}$ and a message $x \in \{0,1\}^n$ we set

$$E(k, x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots P_1(k_0 \oplus x) \cdots)). \quad (1)$$

(See Figure 1.)
Plainly, $E(k, \cdot)$ is a permutation of $\{0,1\}^n$ for each fixed $k \in \{0,1\}^{(t+1)n}$; we let $E^{-1}(k, \cdot)$ denote the inverse permutation. The $P_i$’s are called the round permutations of E and t is the number of rounds of E. Thus t and the permutations $P_1, \ldots, P_t$ are parameters determining E. Key-alternating ciphers were first proposed (for values of t greater than 1) by the designers of AES [3, 4], the Advanced Encryption Standard. Indeed, AES-128 itself can be viewed as a particular instantiation of the key-alternating cipher paradigm in which the round permutations $P_1, \ldots, P_t$ equal a single permutation P (the Rijndael round function, in this case), in which t = 10, and in which only a subset of the $\{0,1\}^{(t+1)n} = \{0,1\}^{11n}$ possible keys are used (more precisely, the 11n bits of key are derived pseudorandomly from a seed of n bits, making the key space $\{0,1\}^n = \{0,1\}^{128}$). However, for t = 1 the design was proposed much earlier by Even and Mansour as a means of constructing a blockcipher from a fixed permutation [5]. Even and Mansour accompanied their proposal with “provable security” guarantees by showing that, for t = 1, an adversary needs roughly $2^{n/2}$ queries to distinguish $E(k, \cdot)$ for a random key k (k being
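The construction in equation (1) and its inverse $E^{-1}(k, \cdot)$, written out in Python as an added illustration that is not code from the paper. The block size is a toy n = 8 so every input can be enumerated, the round permutations are seeded shuffles standing in for the public random permutations $P_i$, and the names `KeyAlternatingCipher`, `demo`, `is_bijection`, `roundtrip_ok` and `security_exponent` are my own. Beyond the t = 3 case the abstract focuses on, `demo` takes t as a parameter, so the t = 1 Even–Mansour instance is the same code with one round.

```python
import random
from fractions import Fraction


def random_permutation(n, seed):
    """Constructed stand-in for a public random permutation P_i on {0,1}^n:
    a seeded shuffle of all 2^n inputs (the seed plays no security role here)."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table


def invert_permutation(perm):
    """Inverse lookup table P_i^{-1}, needed to evaluate E^{-1}(k, .)."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


class KeyAlternatingCipher:
    """t-round key-alternating cipher E(k, x) = k_t xor P_t(... P_1(k_0 xor x) ...)."""

    def __init__(self, n, perms):
        self.n = n
        self.t = len(perms)
        self.perms = perms
        self.inv_perms = [invert_permutation(p) for p in perms]

    def encrypt(self, key, x):
        # key is the list (k_0, ..., k_t): t+1 words of n bits, i.e. n(t+1) key bits
        if len(key) != self.t + 1:
            raise ValueError("key must have t+1 words")
        y = x ^ key[0]                      # k_0 xor x
        for i in range(self.t):
            y = self.perms[i][y] ^ key[i + 1]  # P_{i+1}, then xor k_{i+1}
        return y

    def decrypt(self, key, y):
        # Undo the rounds from the last to the first using P_i^{-1}
        if len(key) != self.t + 1:
            raise ValueError("key must have t+1 words")
        x = y
        for i in reversed(range(self.t)):
            x = self.inv_perms[i][x ^ key[i + 1]]
        return x ^ key[0]


def is_bijection(cipher, key):
    """E(k, .) must be a permutation of {0,1}^n for every fixed key k."""
    outputs = {cipher.encrypt(key, x) for x in range(1 << cipher.n)}
    return len(outputs) == 1 << cipher.n


def roundtrip_ok(cipher, key):
    """E^{-1}(k, E(k, x)) == x for every x in {0,1}^n."""
    return all(cipher.decrypt(key, cipher.encrypt(key, x)) == x
               for x in range(1 << cipher.n))


def security_exponent(t, n):
    """log2 of the generic query bound 2^{tn/(t+1)} quoted in the abstract."""
    return Fraction(t * n, t + 1)


def demo(n=8, t=3, seed=2012):
    """Build a t-round toy instance with constructed permutations and a random key."""
    rng = random.Random(seed)
    perms = [random_permutation(n, seed + i) for i in range(t)]
    cipher = KeyAlternatingCipher(n, perms)
    key = [rng.randrange(1 << n) for _ in range(t + 1)]
    return cipher, key


if __name__ == "__main__":
    cipher, key = demo()
    print("bijection:", is_bijection(cipher, key), "roundtrip:", roundtrip_ok(cipher, key))
    # For AES-sized n = 128 and t = 3 the generic bound is 2^96 queries
    print("t=3, n=128 exponent:", security_exponent(3, 128))
```

`security_exponent` only evaluates the $2^{tn/(t+1)}$ ceiling from the abstract; it is the bound a distinguisher can in principle reach regardless of the round permutations, which is why the paper's $2^{3n/4}$ result is tight exactly at t = 3.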


Journal: IACR Cryptology ePrint Archive

Volume: 2012

Publication date: 2012