Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle P and XORs different keys prior to and after applying P : C = k2 ⊕P (M ⊕ k1). They did not, however, describe how one could instantiate such a permutation securely. It is a fundamental open problem whether their construction could be proved secure outside the random permutation oracle model. We resolve this question in the affirmative by showing that the construction can be proved secure in the random function oracle model. In particular, we show that the random permutation oracle in their scheme can be replaced by a construction that utilizes a four-round Feistel network (where each round function is a random function oracle publicly computable by all parties including the adversary). Further, we prove that the resulting cipher is super pseudorandom – the adversary’s distinguishing advantage is at most 2q/2 if he makes q total queries to the cipher, its inverse, as well as any random oracles. Even and Mansour, on the other hand, only showed security against inversion and forgery. One noteworthy aspect of this result is that the cipher remains secure even though the adversary is permitted separate oracle access to all of the round functions. One can achieve a two-fold and four-fold reduction respectively in the amount of key material by a closer inspection of the proof and by instantiating the scheme using group operations other than exclusive-OR. On the negative side, a straightforward adaption of an advanced slide attack recovers the 4n-bit key with approximately √ 2 · 2n work using roughly √ 2 · 2n known plaintexts. Finally, if only three Feistel rounds are used, the resulting cipher is pseudorandom, but not super pseudorandom.