Paper 2022/1445

Minimizing Even-Mansour Ciphers for Sequential Indifferentiability (Without Key Schedules)

Shanjie Xu, Key Laboratory of Cryptologic Technology and Information Security of Ministry of Education, Shandong University, Qingdao, Shandong 266237, China, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China
Qi Da, Key Laboratory of Cryptologic Technology and Information Security of Ministry of Education, Shandong University, Qingdao, Shandong 266237, China, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China
Chun Guo, Key Laboratory of Cryptologic Technology and Information Security of Ministry of Education, Shandong University, Qingdao, Shandong 266237, China, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China, Shandong Research Institute of Industrial Technology, Jinan, Shandong, China
Abstract

Iterated Even-Mansour (IEM) schemes consist of a small number of fixed permutations separated by round key additions. They enjoy provable security, assuming the permutations are public and random. In particular, regarding chosen-key security in the sense of sequential indifferentiability (seq-indifferentiability), Cogliati and Seurin (EUROCRYPT 2015) showed that without key schedule functions, the 4-round Even-Mansour with Independent Permutations and no key schedule $EMIP_4(k,u) = k \oplus p_4 ( k \oplus p_3( k \oplus p_2( k\oplus p_1(k \oplus u))))$ is sequentially indifferentiable. Minimizing IEM variants for classical strong (tweakable) pseudorandom security has stimulated an attractive line of research. In this paper, we seek to minimize the $EMIP_4$ construction while retaining seq-indifferentiability. We first consider $EMSP$, a natural variant of $EMIP$ using a single round permutation. Unfortunately, we exhibit a slide attack against $EMSP$ with any number of rounds. In light of this, we show that the 4-round $EM2P_4^{p_1,p_2} (k,u)=k\oplus p_1(k \oplus p_2(k\oplus p_2(k\oplus p_1(k\oplus u))))$ using 2 independent random permutations $p_1,p_2$ is seq-indifferentiable. This provides the minimal seq-indifferentiable IEM without key schedule.
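The constructions named in the abstract can be run on a toy block size to see why a single round permutation is a problem. This is an added example, not code from the paper: it checks the slide relation $E(k, p(k \oplus u)) = k \oplus p(E(k,u))$, which follows directly from the definition of $EMSP$ and may differ from the attack as the paper presents it. The 8-bit block size, the seeds and all function names are assumptions.

```python
import random

N_BITS = 8            # toy block size (assumption; chosen so tables stay small)
SIZE = 1 << N_BITS

def random_permutation(seed):
    """Public random permutation on N_BITS-bit blocks, stored as a lookup table."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table

def iem(perms, k, u):
    """IEM without key schedule: k ^ p_t(k ^ ... p_1(k ^ u))."""
    x = u
    for p in perms:
        x = p[k ^ x]
    return k ^ x

def emsp(p, rounds, k, u):
    """EMSP: the same permutation p in every round."""
    return iem([p] * rounds, k, u)

def em2p4(p1, p2, k, u):
    """EM2P_4 from the abstract: round permutations p1, p2, p2, p1."""
    return iem([p1, p2, p2, p1], k, u)

def slide_relation_rate(cipher, p, trials=200, seed=1):
    """Fraction of random (k, u) with E(k, p(k^u)) == k ^ p(E(k, u))."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        k, u = rng.randrange(SIZE), rng.randrange(SIZE)
        v = cipher(k, u)                 # E(k, u)
        v_slid = cipher(k, p[k ^ u])     # E(k, u') with u' slid by one round
        hits += (v_slid == (k ^ p[v]))
    return hits / trials

if __name__ == "__main__":
    p1, p2 = random_permutation(101), random_permutation(202)
    for r in (1, 4, 9):
        rate = slide_relation_rate(lambda k, u: emsp(p1, r, k, u), p1)
        print(f"EMSP, {r} rounds: relation holds for {rate:.0%} of trials")
    rate = slide_relation_rate(lambda k, u: em2p4(p1, p2, k, u), p1)
    print(f"EM2P_4: relation holds for {rate:.1%} of trials")
```

The relation holds for every input and every round count of $EMSP$, while an ideal cipher would satisfy it only with probability about $2^{-n}$; that it fails for $EM2P_4$ rules out this one relation only and is not evidence of the seq-indifferentiability the paper proves.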

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Indocrypt 2022
Keywords
blockcipher, sequential indifferentiability, key-alternating cipher, iterated Even-Mansour cipher
Contact author(s)
shanjie1997 @ mail sdu edu cn
daqi @ mail sdu edu cn
chun guo @ sdu edu cn
History
2022-10-25: approved
2022-10-23: received
Short URL
https://ia.cr/2022/1445
License
Creative Commons Attribution-NonCommercial-NoDerivs
CC BY-NC-ND

BibTeX

@misc{cryptoeprint:2022/1445,
      author = {Shanjie Xu and Qi Da and Chun Guo},
      title = {Minimizing Even-Mansour Ciphers for Sequential Indifferentiability (Without Key Schedules)},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1445},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1445}},
      url = {https://eprint.iacr.org/2022/1445}
}