Cryptology ePrint Archive: Report 2013/255

How to Construct an Ideal Cipher from a Small Set of Public Permutations

Rodolphe Lampe and Yannick Seurin

Abstract: We show how to construct an ideal cipher with $n$-bit blocks and $n$-bit keys (\emph{i.e.} a set of $2^n$ public $n$-bit permutations) from a small constant number of $n$-bit random public permutations. The construction that we consider is the \emph{single-key iterated Even-Mansour cipher}, which encrypts a plaintext $x\in\{0,1\}^n$ under a key $k\in\{0,1\}^n$ by alternatively xoring the key $k$ and applying independent random public $n$-bit permutations $P_1,\ldots, P_r$ (this construction is also named a \emph{key-alternating cipher}). We analyze this construction in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004), and show that twelve rounds are sufficient to achieve indifferentiability from an ideal cipher. We also show that four rounds are necessary by exhibiting attacks for three rounds or less.

Category / Keywords: foundations / block cipher, ideal cipher, iterated Even-Mansour cipher, key-alternating cipher, indifferentiability

Date: received 5 May 2013, last revised 6 May 2013

Contact author: yannick seurin at m4x org

Available format(s): PDF | BibTeX Citation

Version: 20130508:201919 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]