Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

Abstract

Iterated Even---Mansour (EM) encryption schemes (also named "key-alternating ciphers") were extensively studied in recent years as an abstraction of commonly used block ciphers. A large amount of previous works on iterated EM concentrated on security in an information-theoretic model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the computational model: What is the minimal number of rounds, assuring that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the identical subkeys variant and the independent subkeys variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that $$r=3$$r=3 rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about $$n/\log (n)$$n/log(n) times faster than exhaustive search for an $$n$$n-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for $$r=2$$r=2, there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full $${\hbox {AES}^{2}}$$AES2 (proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).