Paper 2014/953

The Related-Key Security of Iterated Even-Mansour Ciphers

Pooya Farshim and Gordon Procter


The simplicity and widespread use of blockciphers based on the iterated Even--Mansour (EM) construction has sparked recent interest in the theoretical study of their security. Previous work has established their strong pseudorandom permutation and indifferentiability properties, with some matching lower bounds presented to demonstrate tightness. In this work we initiate the study of the EM ciphers under related-key attacks which, despite extensive prior work, has received little attention. We show that the simplest one-round EM cipher is strong enough to achieve non-trivial levels of RKA security even under chosen-ciphertext attacks. This class, however, does not include the practically relevant case of offsetting keys by constants. We show that two rounds suffice to reach this level under chosen-plaintext attacks and that three rounds can boost security to resist chosen-ciphertext attacks. We also formalize how indifferentiability relates to RKA security, showing strong positive results despite counterexamples presented for indifferentiability in multi-stage games.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Even-Mansourrelated-key attackpublic permutationideal cipherindifferentiability
Contact author(s)
gtprocter @ gmail com
2014-11-21: last of 2 revisions
2014-11-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Pooya Farshim and Gordon Procter},
      title = {The Related-Key Security of Iterated Even-Mansour Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2014/953},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.