We present a proof for the indifferentiability of 3 rounds and thus close the aforementioned gap. This also separates EM ciphers with non-invertible key derivations from those with invertible ones in the full indifferentiability setting; prior work only established such a separation in the weaker sequential-indifferentiability setting (ours, DCC, 2015). Our results also imply that 3-round EM is indifferentiable under multiple random known keys, partially settling a problem left open by Cogliati and Seurin (FSE 2016).
The key point of our indifferentiability simulator is to pre-emptively obtain some chains of ideal-cipher queries in order to simulate the structures arising from the related-key boomerang property in the 3-round case. The length of such chains has to be as large as the number of queries issued by the distinguisher, so the situation somewhat resembles the hash-of-hash $H^2$ setting considered by Dodis et al. (CRYPTO 2012). Besides, a technical novelty of our proof is the absence of the so-called distinguisher that completes all chains.

Category / Keywords: blockcipher, ideal cipher, indifferentiability, key-alternating cipher, iterated Even-Mansour cipher, H-coefficients technique
Date: received 13 Sep 2016, last revised 12 Jan 2017
Contact author: guochun at iie ac cn
Note: In the earlier versions, the definitions for a G3-tuple to be "bad" are silly (although correct). We revise them. This leads to a slightly improved bound.
Version: 20170113:060627
Short URL: ia.cr/2016/894
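To make concrete what a "chain of ideal-cipher queries" refers to in the abstract above, here is an added example that is not part of the paper or of this ePrint page: a toy 3-round iterated Even-Mansour cipher over lazily sampled random permutations, with a hash-based (hence non-invertible) round-key derivation standing in for the paper's key schedule, and a `chain` helper that returns the three permutation queries which one cipher evaluation consists of. The 16-bit block size, the SHA-256-based derivation and all class and function names are assumptions of the example, not the paper's definitions.

```python
import hashlib
import random

N_BITS = 16  # toy block size (assumption of the example); the construction is defined for any n
MASK = (1 << N_BITS) - 1


class LazyRandomPermutation:
    """Random permutation on n-bit strings, sampled lazily (ideal-permutation model).

    Forward and inverse tables are kept consistent, so inverse(forward(x)) == x
    and every output value is assigned to exactly one input.
    """

    def __init__(self, n_bits, seed):
        self.n_bits = n_bits
        self.rng = random.Random(seed)  # seeded only so the example is reproducible
        self.fwd = {}
        self.inv = {}

    def forward(self, x):
        if x not in self.fwd:
            y = self.rng.getrandbits(self.n_bits)
            while y in self.inv:  # resample until the image is fresh (bijectivity)
                y = self.rng.getrandbits(self.n_bits)
            self.fwd[x] = y
            self.inv[y] = x
        return self.fwd[x]

    def inverse(self, y):
        if y not in self.inv:
            x = self.rng.getrandbits(self.n_bits)
            while x in self.fwd:  # resample until the preimage is fresh
                x = self.rng.getrandbits(self.n_bits)
            self.fwd[x] = y
            self.inv[y] = x
        return self.inv[y]


def derive_round_key(master_key, i):
    """Toy non-invertible key derivation: round key i = trunc_n(SHA-256(i || K)).

    Assumption of the example; it is not the key derivation studied in the paper.
    """
    digest = hashlib.sha256(bytes([i]) + master_key).digest()
    return int.from_bytes(digest, "big") & MASK


class ThreeRoundEM:
    """E_K(m) = P3(P2(P1(m ^ k0) ^ k1) ^ k2) ^ k3 with k_i = derive_round_key(K, i)."""

    def __init__(self, seed=0):
        self.perms = [LazyRandomPermutation(N_BITS, seed + i) for i in range(3)]

    def round_keys(self, K):
        return [derive_round_key(K, i) for i in range(4)]

    def encrypt(self, K, m):
        k = self.round_keys(K)
        x = m ^ k[0]
        for i, P in enumerate(self.perms):
            x = P.forward(x) ^ k[i + 1]
        return x

    def decrypt(self, K, c):
        k = self.round_keys(K)
        y = c ^ k[3]
        for i in (2, 1, 0):
            y = self.perms[i].inverse(y) ^ k[i]
        return y

    def chain(self, K, m):
        """The three permutation queries (x_i, y_i) that make up one evaluation E_K(m).

        Consecutive links are tied together by the round keys: x_{i+1} = y_i ^ k_{i+1}.
        """
        k = self.round_keys(K)
        x = m ^ k[0]
        links = []
        for i, P in enumerate(self.perms):
            y = P.forward(x)
            links.append((x, y))
            x = y ^ k[i + 1]
        return links


def chain_is_consistent(em, K, m):
    """Check that a chain links correctly through the round keys and ends at E_K(m)."""
    k = em.round_keys(K)
    links = em.chain(K, m)
    if links[0][0] != m ^ k[0]:
        return False
    for i in range(1, 3):
        if links[i][0] != links[i - 1][1] ^ k[i]:
            return False
    return links[2][1] ^ k[3] == em.encrypt(K, m)


def permutation_is_bijective(n_bits, seed):
    """Exhaustively confirm that a lazily sampled permutation has distinct images."""
    P = LazyRandomPermutation(n_bits, seed)
    images = {P.forward(x) for x in range(1 << n_bits)}
    return len(images) == (1 << n_bits)


if __name__ == "__main__":
    em = ThreeRoundEM(seed=7)
    K = b"example-key"  # constructed sample input
    m = 0x1234
    c = em.encrypt(K, m)
    print(hex(c), em.decrypt(K, c) == m, chain_is_consistent(em, K, m))
```

A full chain for (K, m) fixes E_K(m) once the three permutation values are fixed, which is why a simulator in the indifferentiability game must make sure that any chain a distinguisher can complete through its permutation queries agrees with the ideal cipher it is meant to mimic.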