**How to Construct an Ideal Cipher from a Small Set of Public Permutations**

*Rodolphe Lampe and Yannick Seurin*

**Abstract: **We show how to construct an ideal cipher with $n$-bit blocks and $n$-bit keys (\emph{i.e.} a set of $2^n$ public $n$-bit permutations) from a small constant number of $n$-bit random public permutations. The construction that we consider is the \emph{single-key iterated Even-Mansour cipher}, which encrypts a plaintext $x\in\{0,1\}^n$ under a key $k\in\{0,1\}^n$ by alternatively xoring the key $k$ and applying independent random public $n$-bit permutations $P_1,\ldots, P_r$ (this construction is also named a \emph{key-alternating cipher}). We analyze this construction in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004), and show that twelve rounds are sufficient to achieve indifferentiability from an ideal cipher. We also show that four rounds are necessary by exhibiting attacks for three rounds or less.

**Category / Keywords: **foundations / block cipher, ideal cipher, iterated Even-Mansour cipher, key-alternating cipher, indifferentiability

**Date: **received 5 May 2013, last revised 6 May 2013

**Contact author: **yannick seurin at m4x org

**Available format(s): **PDF | BibTeX Citation

**Version: **20130508:201919 (All versions of this report)

**Short URL: **ia.cr/2013/255

[ Cryptology ePrint archive ]