**On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks**

*Benoît Cogliati and Yannick Seurin*

**Abstract: **The iterated Even-Mansour cipher is a construction of a block cipher from $r$ public permutations $P_1,\ldots,P_r$ which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations $P_1,\ldots,P_r$ has been investigated in a series of recent papers. This construction has also been shown to be (fully) indifferentiable from an ideal cipher for a sufficient number of rounds (five or twelve depending on the assumptions on the key-schedule). In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed to xor any constant of its choice to the secret key) and to chosen-key attacks. For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. We then prove that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to $O(2^{\frac{n}{2}})$ queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound. We also show that the iterated Even-Mansour cipher with four rounds offers some form of provable resistance to chosen-key attacks, which is the minimal number of rounds to achieve this property. The main technical tool that we use to prove this result is \emph{sequential indifferentiability}, a weakened variant of (full) indifferentiability introduced by Mandal \emph{et al.} (TCC~2010).

**Category / Keywords: **secret-key cryptography / block cipher, ideal cipher, related-key attacks, chosen-key attacks, iterated Even-Mansour cipher, key-alternating cipher, indifferentiability, correlation intractability

**Original Publication**** (with major differences): **IACR-EUROCRYPT-2015
**DOI: **10.1007/978-3-662-46800-5_23

**Date: **received 29 Jan 2015, last revised 26 May 2015

**Contact author: **benoitcogliati at hotmail fr, yannick seurin@m4x org

**Available format(s): **PDF | BibTeX Citation

**Note: **An abridged version appears in the proceedings of EUROCRYPT 2015. This is the full version. The revised version of April 20, 2015 includes an application of our results to the construction of tweakable block ciphers and a more detailed discussion of the tightness of our security bounds. The revised version of May 26, 2015 includes an attack matching (for some parameters) the security bound of Theorem 2.

**Version: **20150526:081718 (All versions of this report)

**Short URL: **ia.cr/2015/069

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]