Paper 2017/475

Security of Even--Mansour Ciphers under Key-Dependent Messages

Pooya Farshim, Louiza Khati, and Damien Vergnaud

Abstract

The iterated Even--Mansour (EM) ciphers form the basis of many block cipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even--Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for block ciphers since non-expanding mechanisms are convenient in setting such as full disk encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models such as RKA or KDM that allow for correlated inputs.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in TOSC 2017 ISSUE 2
Keywords
Even--MansourKDM securityIdeal CipherProvable Security
Contact author(s)
pooya fashim @ ens fr
louiza khati @ di ens fr
damien vergnaud @ ens fr
pooya farshim @ gmail com
History
2017-05-28: received
Short URL
https://ia.cr/2017/475
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/475,
      author = {Pooya Farshim and Louiza Khati and Damien Vergnaud},
      title = {Security of Even--Mansour Ciphers under Key-Dependent Messages},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/475},
      year = {2017},
      url = {https://eprint.iacr.org/2017/475}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.