Abstract
The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al. for r = 2 , 3 . These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikolić et al.): for a “typical” permutation P, the distribution of P ( x ) ⊕ x is not uniform. This naturally raises the following question. Let us call permutations for which the distribution of P ( x ) ⊕ x is uniformly “balanced” — is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even–Mansour block cipher? We show how to generate families of balanced permutations from the Luby–Rackoff construction and use them to define a 2 n -bit block cipher from the 2-round Even–Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of { 0 , 1 } 2 n , for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is o ( 2 n / 2 ) . As a practical example, we discuss the properties and the performance of a 256-bit block cipher that is based on our construction, and uses the Advanced Encryption Standard (AES), with a fixed key, as the public permutation.
Highlights
The r-round Even–Mansour (EM) block cipher, suggested by Bogdanov et al [1], encrypts an n-bit plaintext m by EMK10,K21,...,Kr r (m) = Pr (
Bogdanov et al defined the 128-bit block cipher AES2, which is an instantiation of the 2-round EM cipher where the two public permutations are Advanced Encryption Standard (AES) with two publicly known “arbitrary” keys
We show how to generate a large family of balanced permutations of {0, 1}2n, by observing that a 2-round Luby–Rackoff construction with any two identical permutations of {0, 1}n, always yields a balanced permutation
Summary
The r-round Even–Mansour (EM) block cipher, suggested by Bogdanov et al [1], encrypts an n-bit plaintext m by. Bogdanov et al [1] showed, for the r-round EM cipher, r ≥ 2, that an adversary who sees only O(22n/3 ) chosen plaintext-ciphertext pairs cannot distinguish the encryption oracle from a random permutation of {0, 1}n. This result has been recently improved by Chen and Steinberger [4], superseding intermediate progress made by Steinberger [5] and by r. We prove that a smaller number of chosen plaintext-ciphertext queries is not enough to distinguish the block cipher from a random permutation of {0, 1}2n.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
