Eliminating Random Permutation Oracles in the Even-Mansour Cipher

نویسندگان

  • Craig Gentry
  • Zulfikar Ramzan
چکیده

Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle P and XORs different keys prior to and after applying P : C = k2 ⊕P (M ⊕ k1). They did not, however, describe how one could instantiate such a permutation securely. It is a fundamental open problem whether their construction could be proved secure outside the random permutation oracle model. We resolve this question in the affirmative by showing that the construction can be proved secure in the random function oracle model. In particular, we show that the random permutation oracle in their scheme can be replaced by a construction that utilizes a four-round Feistel network (where each round function is a random function oracle publicly computable by all parties including the adversary). Further, we prove that the resulting cipher is super pseudorandom – the adversary’s distinguishing advantage is at most 2q/2 if he makes q total queries to the cipher, its inverse, as well as any random oracles. Even and Mansour, on the other hand, only showed security against inversion and forgery. One noteworthy aspect of this result is that the cipher remains secure even though the adversary is permitted separate oracle access to all of the round functions. One can achieve a two-fold and four-fold reduction respectively in the amount of key material by a closer inspection of the proof and by instantiating the scheme using group operations other than exclusive-OR. On the negative side, a straightforward adaption of an advanced slide attack recovers the 4n-bit key with approximately √ 2 · 2n work using roughly √ 2 · 2n known plaintexts. Finally, if only three Feistel rounds are used, the resulting cipher is pseudorandom, but not super pseudorandom.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Minimizing the Two-Round Even-Mansour Cipher

The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1, . . . , Pr as follows: given a sequence of n-bit round keys k0, . . . , kr, an n-bit plaintext x is encrypted by xoring round key k0, applying permutation P1, xoring round key k1, etc. The (strong) pseudorandomness of this construction in the random...

متن کامل

Tweaking Even-Mansour Ciphers

We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterate...

متن کامل

Balanced permutations Even-Mansour ciphers

The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al. for r = 2, 3. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikolić et al.): for a “typical” permutation P, the distribution of P(x)⊕ ...

متن کامل

Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

The iterated Even-Mansour construction defines a block cipher from a tuple of public n-bit permutations (P1, . . . , Pr) by alternatively xoring some n-bit round key ki, i = 0, . . . , r, and applying permutation Pi to the state. The tweakable Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the n-bit round keys by n-bit strings derived from a master...

متن کامل

Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance

A t-round key alternating cipher can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P1, . . . , Pt : {0, 1}n → {0, 1}n and a key k = k0‖ · · · ‖kt ∈ {0, 1}n(t+1) by setting Ek(x) = kt ⊕ Pt(kt−1 ⊕ Pt−1(· · · k1 ⊕ P1(k0 ⊕ x) · · · )). The indistinguishability of Ek from a random truly random permutation by an adversary who also has oracle access to the ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2004