Abstract

The iterated Even–Mansour (EM) ciphers form the basis of many blockcipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even–Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for blockciphers, since non-expanding mechanisms are convenient in settings such as full disk encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models that allow for correlated inputs.
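To make the abstract's one-round versus two-round distinction concrete, the following is an added example (written for this page, not code from the paper or its authors). It models the public permutations as seeded lookup tables on a toy 12-bit block (the paper's n is much larger), implements one-round EM and two-round EM with independent permutations, and wraps them in a KDM encryption oracle that takes a function phi of the key and returns the encryption of phi(key). It then shows why the key-offset function phi(k) = k1 xor delta is fatal for one-round EM (the first-round key cancels and the public permutation lets anyone strip the second), and that the same cancellation does not remove the key from the two-round response. All function names, key values and offsets are constructed for the example.

```python
# Added example (not from the paper): toy Even-Mansour ciphers behind a KDM
# encryption oracle. Block size, permutations and keys are constructed values.
import random

N_BITS = 12                      # toy block size; the paper's n is much larger
MASK = (1 << N_BITS) - 1


def random_permutation(seed):
    """A public random permutation on n-bit strings, modelled as a lookup table.
    In the EM model P is public: anyone can evaluate P and its inverse."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table


def invert(perm):
    """Inverse lookup table of a permutation given as a list."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def em1_encrypt(P, key, x):
    """One-round EM with key = (k1, k2): E(x) = P(x xor k1) xor k2."""
    k1, k2 = key
    return P[x ^ k1] ^ k2


def em1_decrypt(P_inv, key, y):
    """Inverse of em1_encrypt, using the public inverse permutation."""
    k1, k2 = key
    return P_inv[y ^ k2] ^ k1


def em2_encrypt(P1, P2, key, x):
    """Two-round EM with independent permutations and key = (k0, k1, k2):
    E(x) = P2(P1(x xor k0) xor k1) xor k2."""
    k0, k1, k2 = key
    return P2[P1[x ^ k0] ^ k1] ^ k2


def kdm_oracle(encrypt, key, phi):
    """KDM encryption oracle: the caller supplies a function phi of the key and
    receives the encryption of phi(key); the key itself is never returned."""
    return encrypt(key, phi(key) & MASK)


def one_round_offset_leak(P, key, delta):
    """Query the one-round oracle with the key-offset function phi(k) = k1 xor delta.
    The round-1 key cancels inside P, so the response is P(delta) xor k2; since P
    is public, P[delta] xor response equals k2. Returns (response, recovered_k2).
    This is the cancellation that makes one-round EM insecure against offsets."""
    response = kdm_oracle(lambda k, x: em1_encrypt(P, k, x), key, lambda k: k[0] ^ delta)
    return response, P[delta] ^ response


def two_round_offset_response(P1, P2, key, delta):
    """The same offset query phi(k) = k0 xor delta against two-round EM.
    The outer key k0 cancels, but the response P2(P1(delta) xor k1) xor k2 still
    depends on the unknown keys k1 and k2, so no public computation strips them."""
    return kdm_oracle(lambda k, x: em2_encrypt(P1, P2, k, x), key, lambda k: k[0] ^ delta)


if __name__ == "__main__":
    P = random_permutation(1)
    key = (0x3A5, 0xC17)
    resp, recovered = one_round_offset_leak(P, key, 0x0F0)
    print("one-round response", hex(resp), "recovered k2", hex(recovered), "true k2", hex(key[1]))
    P1, P2 = random_permutation(2), random_permutation(3)
    print("two-round response", hex(two_round_offset_response(P1, P2, (0x111, 0x222, 0x333), 0x0F0)))
```

The oracle interface is the point of the example: a KDM adversary never sees the key, only encryptions of functions of it, yet for one-round EM a single offset query lets the public permutation cancel the key material. The two-round case only shows that this particular cancellation fails; the paper's security argument for two rounds is a separate, proof-based claim.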

Highlights

  • 1.1 Background: Early on, the seminal paper of Goldwasser and Micali [GM84] pointed out that semantic security may not hold if the adversary gets to see an encryption of the secret key

  • This practice was generally perceived as a dangerous use of an encryption scheme but several studies have revealed that this security notion is both theoretically and practically important

  • An encryption scheme is said to be Key-Dependent Message (KDM) secure if it is secure even against an attacker who can encrypt messages that depend on the secret key


Summary

Background

The seminal paper of Goldwasser and Micali [GM84] pointed out that semantic security may not hold if the adversary gets to see an encryption of the secret key. The Even–Mansour (EM) construction introduced in [EM93] is the simplest blockcipher known based on a single public permutation P on n-bit strings. It uses two

Licensed under Creative Commons License CC-BY 4.0.

If the adversary is only given black-box oracle access to these random permutations, the iterated Even–Mansour cipher was proved to achieve several security notions such as traditional indistinguishability (see [CLL+14] and references therein), security against related-key attacks [FP15, CS15], security in the multi-user setting [ML15, HT16] or indifferentiability from ideal ciphers [1] (see [DSST17] and references therein). We continue this line of work and study the iterated Even–Mansour ciphers under key-dependent message attacks.

Contributions
Preliminaries
Analysis via Forgetful Oracle Replacement
A framework for security analyses
Some concrete cases
KDM Security of the Ideal Cipher
KDM Attacks on Even–Mansour
One-round Even–Mansour
Two-round Even–Mansour with independent permutations
Two-round Even–Mansour with a single permutation