Paper 2015/069

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks

Benoît Cogliati and Yannick Seurin


The iterated Even-Mansour cipher is a construction of a block cipher from $r$ public permutations $P_1,\ldots,P_r$ which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations $P_1,\ldots,P_r$ has been investigated in a series of recent papers. This construction has also been shown to be (fully) indifferentiable from an ideal cipher for a sufficient number of rounds (five or twelve depending on the assumptions on the key-schedule). In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed to xor any constant of its choice to the secret key) and to chosen-key attacks. For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. We then prove that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to $O(2^{\frac{n}{2}})$ queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound. We also show that the iterated Even-Mansour cipher with four rounds offers some form of provable resistance to chosen-key attacks, which is the minimal number of rounds to achieve this property. The main technical tool that we use to prove this result is \emph{sequential indifferentiability}, a weakened variant of (full) indifferentiability introduced by Mandal \emph{et al.} (TCC~2010).

Note: An abridged version appears in the proceedings of EUROCRYPT 2015. This is the full version. The revised version of April 20, 2015 includes an application of our results to the construction of tweakable block ciphers and a more detailed discussion of the tightness of our security bounds. The revised version of May 26, 2015 includes an attack matching (for some parameters) the security bound of Theorem 2.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2015
block cipherideal cipherrelated-key attackschosen-key attacksiterated Even-Mansour cipherkey-alternating cipherindifferentiabilitycorrelation intractability
Contact author(s)
benoitcogliati @ hotmail fr
yannick seurin @ m4x org
2015-05-26: last of 2 revisions
2015-01-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benoît Cogliati and Yannick Seurin},
      title = {On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2015/069},
      year = {2015},
      doi = {10.1007/978-3-662-46800-5_23},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.