
Post-Quantum Security of the Even-Mansour Cipher

Conference paper, Advances in Cryptology – EUROCRYPT 2022 (EUROCRYPT 2022)

Abstract

The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation E from a public random permutation \(P:\{0,1\}^n \rightarrow \{0,1\}^n\). It is secure against classical attacks, with optimal attacks requiring \(q_E\) queries to E and \(q_P\) queries to P such that \(q_E \cdot q_P \approx 2^n\). If the attacker is given quantum access to both E and P, however, the cipher is completely insecure, with attacks using \(q_E, q_P = O(n)\) queries known.

In any plausible real-world setting, however, a quantum attacker would have only classical access to the keyed permutation E implemented by honest parties, while retaining quantum access to P. Attacks in this setting with \(q_E \cdot q_P^2 \approx 2^n\) are known, showing that security degrades as compared to the purely classical case, but leaving open the question as to whether the Even-Mansour cipher can still be proven secure in that natural, “post-quantum” setting.

We resolve this question, showing that any attack in that setting requires \(q_E \cdot q^2_P + q_P \cdot q_E^2 \approx 2^n\). Our results apply to both the two-key and single-key variants of Even-Mansour. Along the way, we establish several generalizations of results from prior work on quantum-query lower bounds that may be of independent interest.
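As an added illustration (not code from the paper), the following Python script implements two-key Even-Mansour at a toy size and runs the classical chosen-plaintext key-recovery attack that the abstract's \(q_E \cdot q_P \approx 2^n\) bound refers to. Everything concrete here is an assumption made for illustration: n = 16, a seeded random permutation standing in for P, the fixed input difference DELTA, and the query budget. The attacker queries E on pairs \((x, x \oplus \Delta)\) and P on pairs \((u, u \oplus \Delta)\); whenever the two output differences collide, \(u = x \oplus k_1\) (or \(x \oplus k_1 \oplus \Delta\)) is a candidate and the key is read off and verified against the E data already in hand, so accidental collisions are filtered out.

```python
"""Even-Mansour at toy size plus the classical key-recovery attack.

Added example for illustration; not code from the paper.  Assumptions that
are not in the text: n = 16, the public permutation P is a seeded random
permutation, the fixed input difference DELTA, and the query budget.
"""
import random

N = 16                    # block size in bits (assumption: toy size)
DELTA = 0x0001            # fixed input difference for the attack (arbitrary non-zero)


class CountingOracle:
    """Wraps a function and counts calls, so q_E and q_P can be reported."""

    def __init__(self, fn):
        self.fn = fn
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return self.fn(x)


def make_permutation(seed):
    """A uniformly random permutation of {0,1}^n, stored as a table."""
    rng = random.Random(seed)
    table = list(range(1 << N))
    rng.shuffle(table)
    return table


def attack(E, P, q_E_pairs, seed=0):
    """Classical chosen-plaintext key recovery against E(x) = P(x ^ k1) ^ k2.

    For every x we have E(x) ^ E(x ^ DELTA) == P(u) ^ P(u ^ DELTA) when
    u = x ^ k1 (and also when u = x ^ k1 ^ DELTA).  The attacker stores the
    output differences of q_E_pairs plaintext pairs and scans offline pairs
    (u, u ^ DELTA) until a difference collides; the candidate key
    (k1 = x ^ u, k2 = E(x) ^ P(u)) is then checked against the E data already
    collected, which filters out accidental collisions.
    """
    rng = random.Random(seed)
    diff_table = {}            # output difference -> list of (x, E(x))
    known = []                 # all (x, E(x)) pairs obtained from E
    for x in rng.sample(range(1 << N), q_E_pairs):
        y0, y1 = E(x), E(x ^ DELTA)
        known += [(x, y0), (x ^ DELTA, y1)]
        diff_table.setdefault(y0 ^ y1, []).append((x, y0))

    for u in rng.sample(range(1 << N), 1 << N):   # offline P queries, random order
        d = P(u) ^ P(u ^ DELTA)
        for x, y0 in diff_table.get(d, []):
            for v in (u, u ^ DELTA):              # collision may be with either half of the pair
                k1, k2 = x ^ v, y0 ^ P(v)
                if all(P(a ^ k1) ^ k2 == b for a, b in known):
                    return k1, k2
    return None


def run_demo(seed=1, q_E_pairs=128):
    """Set up a random instance, run the attack, report keys and query counts."""
    table = make_permutation(seed)
    rng = random.Random(seed + 1)
    k1, k2 = rng.randrange(1 << N), rng.randrange(1 << N)
    E = CountingOracle(lambda x: table[x ^ k1] ^ k2)   # keyed permutation held by honest parties
    P = CountingOracle(lambda u: table[u])             # public permutation (offline access)
    recovered = attack(E, P, q_E_pairs, seed=seed + 2)
    return {"key": (k1, k2), "recovered": recovered,
            "q_E": E.queries, "q_P": P.queries}


if __name__ == "__main__":
    r = run_demo()
    print(r, "q_E*q_P / 2^n =", r["q_E"] * r["q_P"] / (1 << N))
```

With 128 plaintext pairs (256 classical queries) the scan typically needs on the order of a few hundred offline P queries before a pair collides, so the product \(q_E \cdot q_P\) lands within a small constant of \(2^n\), which is the classical trade-off the abstract describes. The single-key variant is obtained by setting k2 = k1; the attack is unchanged.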

Notes

  1. While our bound is tight with respect to the number of queries, it is loose with regard to the attacker’s advantage, as both the BHT and offline Simon algorithms achieve advantage \(\varTheta (q_P^2q_E\big /2^{n})\). Reducing this gap is an interesting open question.

  2. We assume for simplicity that this query is in the forward direction, but the case where it is in the inverse direction can be handled entirely symmetrically (using the fact that the marginal distribution of \(k_2\) is uniform). The strings \(s_0\) and \(s_1\) are in that case replaced by \(P_b(s_0)\) and \(P_b(s_1)\). See Appendix B.2 for details.

  3. This lemma is an information-theoretic result, and can be applied in our setting since everything we say in what follows holds even if \({\mathcal A}\) is given the entire function table for its quantum oracle Q in line 12.

  4. This can be done by having a register serve as a counter that is incremented with each application of \(\varPhi \).

References

  1. Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part III. LNCS, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27

  2. Alagic, G., Russell, A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 65–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_3

  3. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25. Full version available at https://eprint.iacr.org/2004/331

  4. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3

  5. Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon’s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 552–583. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_20

  6. Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_19

  7. Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem (1997). https://arxiv.org/abs/quant-ph/9705002

  8. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. Cryptology ePrint Archive, Report 2021/280 (2021). https://eprint.iacr.org/2021/280

  9. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_21

  10. Ettinger, M., Høyer, P., Knill, E.: The quantum query complexity of the hidden subgroup problem is polynomial. Inf. Process. Lett. 91(1), 43–48 (2004)

  11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–161 (1997). https://doi.org/10.1007/s001459900025

  12. Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part I. LNCS, vol. 13090, pp. 637–667. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22. Available at https://eprint.iacr.org/2020/1361

  13. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  14. Hosoyamada, A., Sasaki, Yu.: Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 198–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_11

  15. Hougaard, H.B.: How to generate pseudorandom permutations over other groups: Even-Mansour and Feistel revisited (2017). https://arxiv.org/abs/1707.01699

  16. Jaeger, J., Song, F., Tessaro, S.: Quantum key-length extension. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part I. LNCS, vol. 13042, pp. 209–239. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_8

  17. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

  18. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18

  19. Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part III. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24

  20. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, pp. 312–316. IEEE Computer Society (2012)

  21. O’Donnell, R., Venkateswaran, R.: The quantum union bound made easy (2021). https://arxiv.org/abs/2103.07827

  22. Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

  23. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

  24. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3

  25. van Dam, W., Hallgren, S., Ip, L.: Quantum algorithms for some hidden shift problems. SIAM J. Comput. 36(3), 763–778 (2006)

  26. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

Acknowledgments

The authors thank Andrew Childs, Bibhusa Rawal, and Patrick Struck for useful discussions. Work of Jonathan Katz was supported in part by financial assistance award 70NANB19H126 from the U.S. Department of Commerce, National Institute of Standards and Technology. Work of Christian Majenz was funded by a NWO VENI grant (Project No. VI.Veni.192.159). Gorjan Alagic acknowledges support from the U.S. Army Research Office under Grant Number W911NF-20-1-0015, the U.S. Department of Energy under Award Number DE-SC0020312, and the AFOSR under Award Number FA9550-20-1-0108.

Author information

Correspondence to Gorjan Alagic, Chen Bai, Jonathan Katz or Christian Majenz.

Appendices

A  Security of Forward-Only Even-Mansour

In this section we consider a simpler case, where \(E_k[F](x) := F(x \oplus k)\) for \(F:\{0,1\}^n \rightarrow \{0,1\}^n\) a uniform function and k a uniform n-bit string. Here we restrict the adversary to forward queries only, i.e., the adversary has classical access to \(E_k[F]\) and quantum access to F; note that \(E^{-1}_k[F]\) and \(F^{-1}\) may not even be well-defined. This setting was also analyzed by Jaeger et al. [16] using different techniques.

We let \(\mathcal {F}_n\) denote the set of all functions from \(\{0,1\}^n\) to \(\{0,1\}^n\).

Theorem 4

Let \({\mathcal A}\) be a quantum algorithm making \(q_E\) classical queries to its first oracle and \(q_F\) quantum queries to its second oracle. Then

$$\begin{aligned} \left| \Pr [{\mathcal A}^{E_k[F], F}=1] - \Pr [{\mathcal A}^{R, F}=1] \right| \le 1.5\, q_E\sqrt{q_F/2^n} + 2\, q_F \sqrt{q_E/2^n}\,, \end{aligned}$$

where the probabilities are over uniform \(F, R \leftarrow \mathcal {F}_n\) and \(k \leftarrow \{0,1\}^n\) (and the randomness of \({\mathcal A}\)).

Proof

We make the same assumptions about \({\mathcal A}\) as in the initial paragraphs of the proof of Theorem 3. We also adopt analogous notation for the stages of \({\mathcal A}\), now using \(q_E\), \(q_F\), and \(q_{F, j}\) as appropriate.

Given a function \(F : \{0,1\}^n \rightarrow \{0,1\}^n\), a set T of pairs where any \(x \in \{0,1\}^n\) is the first element of at most one pair in T, and a key \(k \in \{0,1\}^n\), we define the function \(F_{T, k}:\{0,1\}^n\rightarrow \{0,1\}^n\) as

$$ F_{T, k}(x) := {\left\{ \begin{array}{ll} y &{}\text {if } (x \oplus k, y) \in T\\ F(x) &{}\text {otherwise.} \end{array}\right. } $$

Note that, in contrast to the analogous definition in Theorem 3, here the order of the tuples in T does not matter and so we may take it to be a set. Note also that we are redefining the notation \(F_{T, k}\) from how it was used in Theorem 3; this notation applies to this appendix only.

We now define a sequence of experiments \({\mathbf {H}}_j\), for \(j=0, \ldots , q_E\):

Experiment \({\mathbf {H}}_j\). Sample \(R, F \leftarrow \mathcal {F}_n\) and \(k \leftarrow \{0,1\}^n\). Then:

  1. Run \({\mathcal A}\), answering its classical queries using R and its quantum queries using F, stopping immediately before its \((j+1)\)st classical query. Let \(T_j = \{(x_1, y_1), \dots , (x_j, y_j)\}\) be the set of all classical queries made by \({\mathcal A}\) thus far and their corresponding responses.

  2. For the remainder of the execution of \({\mathcal A}\), answer its classical queries using \(E_k[F]\) and its quantum queries using \(F_{T_j, k}\).

We can represent \({\mathbf {H}}_j\) as the experiment in which \({\mathcal A}\)’s queries are answered using the oracle sequence

$$ \underbrace{F, R, F, \cdots , R, F}_{ j \text { classical queries}}, \underbrace{E_k[F], F_{T_j, k}, \cdots , E_k[F], F_{T_j, k}}_{ q_E-j\text { classical queries}}\,. $$

Note that \({\mathbf {H}}_0\) is exactly the real world (i.e., \({\mathcal A}^{E_k[F], F}\)) and \({\mathbf {H}}_{q_E}\) is exactly the ideal world (i.e., \({\mathcal A}^{R, F}\).)
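To make the hybrid concrete, here is an added Python check (not from the paper) of the reprogrammed oracle \(F_{T,k}\) at toy size. It assumes n = 8, seeded random function tables for F and R, and models the quantum oracle only by its function table, which suffices for a classical consistency check of the hybrid's two oracles but is not a simulation of a quantum adversary. It verifies the two facts the hybrid relies on: in \({\mathbf {H}}_0\) nothing is reprogrammed, so the quantum oracle is F itself (the real world); and in \({\mathbf {H}}_j\) the R-answered classical queries and the reprogrammed quantum oracle never contradict the key k, because \(E_k[F_{T_j,k}](x_i) = F_{T_j,k}(x_i \oplus k) = y_i\) for every \((x_i, y_i) \in T_j\), while \(F_{T_j,k}\) differs from F on at most j points.

```python
"""Reprogrammed oracle F_{T,k} and the hybrids H_j of Appendix A, at toy size.

Added example, not code from the paper.  Assumptions: n = 8, F and R are
seeded random function tables, and the quantum oracle is modelled only by
its function table (a classical consistency check of the hybrid's oracles,
not a simulation of a quantum adversary).
"""
import random

N = 8
SIZE = 1 << N


def random_function(rng):
    """A uniform function {0,1}^n -> {0,1}^n as a table."""
    return [rng.randrange(SIZE) for _ in range(SIZE)]


def reprogram(F, T, k):
    """F_{T,k}(z) = y if (z ^ k, y) in T, else F(z).  T is a dict x -> y."""
    return lambda z: T[z ^ k] if (z ^ k) in T else F[z]


def hybrid_oracles(F, R, k, queries, j):
    """Experiment H_j: the first j classical queries are answered by R and
    recorded in T_j; the remaining ones by E_k[F](x) = F(x ^ k).  Returns the
    classical answers and the quantum oracle F_{T_j,k} used after query j."""
    T, answers = {}, []
    for i, x in enumerate(queries):
        if i < j:
            y = R[x]
            T[x] = y
        else:
            y = F[x ^ k]
        answers.append(y)
    return answers, reprogram(F, T, k)


def consistent_with_key(answers, Q, k, queries):
    """True iff every classical answer y_i equals E_k[Q](x_i) = Q(x_i ^ k)."""
    return all(Q(x ^ k) == y for x, y in zip(queries, answers))


def check(seed=0, j=3, num_queries=6):
    """Run H_j on a random instance and report the consistency facts."""
    rng = random.Random(seed)
    F, R = random_function(rng), random_function(rng)
    k = rng.randrange(SIZE)
    queries = rng.sample(range(SIZE), num_queries)   # distinct: A never repeats a query
    answers, Q = hybrid_oracles(F, R, k, queries, j)
    _, Q0 = hybrid_oracles(F, R, k, queries, 0)
    return {
        "j": j,
        # H_0 is the real world: no pair is reprogrammed, so F_{T_0,k} = F everywhere
        "real_world_unchanged": all(Q0(z) == F[z] for z in range(SIZE)),
        # in H_j the R-answers and the reprogrammed quantum oracle agree with k
        "consistent": consistent_with_key(answers, Q, k, queries),
        # F_{T_j,k} differs from F on at most the j reprogrammed points
        "points_changed": sum(Q(z) != F[z] for z in range(SIZE)),
    }


if __name__ == "__main__":
    for j in range(7):
        print(check(j=j))
```

Setting j equal to the number of classical queries gives \({\mathbf {H}}_{q_E}\), where every classical answer comes from R; the check still reports the oracles as consistent, which is exactly why the hybrid can end at the ideal world \({\mathcal A}^{R,F}\) without the adversary noticing through its classical queries alone.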

For \(j=0, \ldots , q_E-1\), we define an additional experiment \({\mathbf {H}}_j'\):

Experiment \({\mathbf {H}}_j'\). Sample \(R, F \leftarrow \mathcal {F}_n\) and \(k \leftarrow \{0,1\}^n\). Then:

  1. Run \({\mathcal A}\), answering its classical queries using R and its quantum queries using F, stopping immediately after its \((j+1)\)st classical query. Let \(T_{j+1} = \{(x_1, y_1), \dots , (x_{j+1}, y_{j+1})\}\) be the set of all classical queries made by \({\mathcal A}\) thus far and their corresponding responses.

  2. For the remainder of the execution of \({\mathcal A}\), answer its classical queries using \(E_k[F]\) and its quantum queries using \(F_{T_{j+1}, k}\).

I.e., \({\mathbf {H}}'_j\) corresponds to answering \({\mathcal A}\)’s queries using the oracle sequence

$$ \underbrace{F, R, F, \cdots , R, F}_{ j\text { classical queries}}, R, F_{T_{j+1}, k}, \underbrace{E_k[F], F_{T_{j+1}, k} \cdots , E_k[F], F_{T_{j+1}, k}}_{ q_E-j-1\text { classical queries}}\,. $$

We now show that \({\mathbf {H}}_j'\) is close to \({\mathbf {H}}_{j+1}\) and \({\mathbf {H}}_j\) is close to \({\mathbf {H}}_j'\) for \(0 \le j < q_E\).

Lemma 9

For \(j=0, \ldots , q_E-1\),

$$|\Pr [{\mathcal A}({\mathbf {H}}'_{j})=1] - \Pr [{\mathcal A}({\mathbf {H}}_{j+1})=1] | \le 2\cdot q_{F,j+1} \sqrt{(j+1)/2^n}.$$

Proof

Given an adversary \({\mathcal A}\), we construct a distinguisher \(\mathcal {D}\) for the “blinding game” of Lemma 3 that works as follows:

  • Phase 1: \(\mathcal {D}\) samples \(F, R \leftarrow \mathcal {F}_n\). It then runs \({\mathcal A}\), answering its quantum queries with F and its classical queries with R, until it replies to \({\mathcal A}\)’s \((j+1)\)st classical query. Let \(T_{j+1} = \{(x_1, y_1), \ldots , (x_{j+1}, y_{j+1})\}\) be the set of classical queries/answers thus far. \(\mathcal {D}\) defines algorithm \(\mathcal B\) as follows: on randomness \(k \in \{0,1\}^n\), output \(B=\{(x_i \oplus k, y_i)\}_{i=1}^{j+1}\). Finally, \(\mathcal {D}\) outputs F and \(\mathcal {B}\).

  • Phase 2: \(\mathcal {D}\) is given quantum access to a function \(F_b\). It continues to run \({\mathcal A}\), answering its quantum queries with \(F_b\) until \({\mathcal A}\) makes its next classical query.

  • Phase 3: \(\mathcal {D}\) is given the randomness k used to run \(\mathcal {B}\). It continues running \({\mathcal A}\), answering its classical queries with \(E_k[F]\) and its quantum queries with \(F_{T_{j+1}, k}\). Finally, \(\mathcal {D}\) outputs whatever \({\mathcal A}\) outputs.

When \(b=0\) (so \(F_b=F_0=F\)), then \({\mathcal A}\)’s output is identically distributed to its output in \({\mathbf {H}}_{j+1}\). On the other hand, when \(b=1\) then \(F_b=F_1=F^{(B)} = F_{T_{j+1},k}\) and so \({\mathcal A}\)’s output is identically distributed to its output in \({\mathbf {H}}'_j\). The expected number of queries made by \(\mathcal {D}\) in phase 2 when \(F=F_0\) is the expected number of queries made by \({\mathcal A}\) in stage \((j+1)\) in \({\mathbf {H}}_{j+1}\). Since \({\mathbf {H}}_{j+1}\) and \({\mathbf {H}}_{q_E}\) are identical until after the \((j+1)\)st stage, this is precisely \(q_{F,j+1}\). Because k is uniform, we can apply Lemma 3 with \(\epsilon =(j+1)/2^n\). The lemma follows.    \(\square \)

Lemma 10

For \(j=0, \ldots , q_E-1\),

$$\begin{aligned} |\Pr [{\mathcal A}({\mathbf {H}}_j) = 1] - \Pr [{\mathcal A}({\mathbf {H}}'_j)=1]| \le 1.5 \cdot \sqrt{q_F/2^n}\,. \end{aligned}$$

Proof

From any adversary \({\mathcal A}\), we construct a distinguisher \(\mathcal D\) for the game of Lemma 4. \(\mathcal {D}\) works as follows:

  • Phase 1: \(\mathcal {D}\) is given quantum access to a (random) function F. It samples \(R \leftarrow \mathcal {F}_n\) and then runs \({\mathcal A}\), answering its quantum queries using F and its classical queries using R, until \({\mathcal A}\) submits its \((j+1)\)st classical query \(x_{j+1}\). At that point, let \(T_j=\{(x_1,y_1), \ldots , (x_j, y_j)\}\) be the set of input/output pairs \({\mathcal A}\) has received from its classical oracle thus far.

  • Phase 2: \(\mathcal {D}\) is given (uniform) \(s \in \{0,1\}^n\) and quantum oracle access to a function \(F_b\). Then \(\mathcal {D}\) sets \(k := s \oplus x_{j+1}\), and then continues running \({\mathcal A}\), answering its classical queries (including the \((j+1)\)st) using \(E_k[F_b]\) and its quantum queries using the function \((F_b)_{T_j, k}\), i.e.,

    $$ x \mapsto {\left\{ \begin{array}{ll} y &{}\text {if } (x \oplus k, y) \in T_j \\ F_b(x) &{}\text {otherwise.} \end{array}\right. } $$

    Finally, \(\mathcal {D}\) outputs whatever \({\mathcal A}\) outputs.

We analyze the execution of \(\mathcal D\) in the two cases of the game of Lemma 4. In either case, the quantum queries of \({\mathcal A}\) in stages \(0, \ldots , j\) are answered using a random function F, and \({\mathcal A}\)’s first j classical queries are answered using an independent random function R. Note further that since s is uniform, so is k.

Case 1: \(b=0\). In this case, all the remaining classical queries of \({\mathcal A}\) (i.e., from the \((j+1)\)st on) are answered using \(E_k[F]\), and the remaining quantum queries of \({\mathcal A}\) are answered using \(F_{T_j, k}\). The output of \({\mathcal A}\) is thus distributed identically to its output in \({\mathbf {H}}_j\) in this case.

Case 2: \(b=1\). Here, \(F_b=F_1=F_{s \rightarrow y}\) for a uniform y. Now, the response to the \((j+1)\)st classical query of \({\mathcal A}\) is

$$\begin{aligned} E_k[F_b](x_{j+1}) = E_k[F_{s \rightarrow y}](x_{j+1}) = F_{s \rightarrow y}(k \oplus x_{j+1}) = F_{s \rightarrow y}(s) = y. \end{aligned}$$

Since y is uniform and independent of anything else, and since \({\mathcal A}\) has never previously queried \(x_{j+1}\) to its classical oracle, this is equivalent to answering the first \(j+1\) classical queries of \({\mathcal A}\) using a random function R. The remaining classical queries of \({\mathcal A}\) are also answered using \(E_k[F_{s \rightarrow y}]\). However, since \(E_k[F_{s \rightarrow y}](x)=E_k[F](x)\) for all \(x \ne x_{j+1}\) and \({\mathcal A}\) never repeats the query \(x_{j+1}\), this is equivalent to answering the remaining classical queries of \({\mathcal A}\) using \(E_k[F]\).

The remaining quantum queries of \({\mathcal A}\) are answered with the function

$$ x \mapsto {\left\{ \begin{array}{ll} y' &{}\text {if } (x \oplus k, y') \in T_j\\ F_{s \rightarrow y}(x) &{}\text {otherwise.} \end{array}\right. } $$

This, in turn, is precisely the function \(F_{T_{j+1}, k}\), where \(T_{j+1}\) is obtained by adding \((x_{j+1}, y)\) to \(T_j\) (and thus consists of the first \(j+1\) classical queries made by \({\mathcal A}\) and their corresponding responses). Thus, the output of \({\mathcal A}\) in this case is distributed identically to its output in \({\mathbf {H}}_j'\).

The number of quantum queries made by \(\mathcal {D}\) in phase 1 is at most \(q_F\). The claimed result thus follows from Lemma 4.    \(\square \)

Using Lemmas 9 and 10 for \(j=0, \ldots , q_E-1\), and the fact that \(\sum _{j=1}^{q_E}q_{F,j}\le q_F\) (the \(q_{F,j}\) count quantum queries in disjoint stages of a run making \(q_F\) quantum queries in total), we have

$$\begin{aligned} \left| \Pr [{\mathcal A}({\mathbf {H}}_0)=1] - \Pr [{\mathcal A}({\mathbf {H}}_{q_E})=1] \right|\le & {} 1.5 q_E\sqrt{q_F/2^n}+ 2\sum _{j=1}^{q_E}q_{F,j}\sqrt{j/2^n} \\\le & {} 1.5 q_E\sqrt{q_F/2^n}+ 2\sqrt{q_E/2^n}\sum _{j=1}^{q_E}q_{F,j} \\\le & {} 1.5 q_E\sqrt{q_F/2^n} + 2q_F \sqrt{q_E/2^n}\,, \end{aligned}$$

as required.    \(\square \)

Fig. 2. Syntactic rewritings of \(\mathsf{Expt}'_j\).

B  Further Details for the Proof of Lemma 7

B.1  Equivalence of \(\mathsf{Expt}'_j\) and \({\mathbf {H}}'_j\)

The code in the top portion of Fig. 2 is a syntactic rewriting of \(\mathsf{Expt}'_j\). (Flags that have no effect on the output of \({\mathcal A}\) are omitted.) In line 27, the computation of \(y_{j+1}\) has been expanded (note that \(E_k[P_1](x_{j+1}) = P_1(s_0) \oplus k_2 = P(s_1) \oplus k_2\)). In line 31, Q has been replaced with \(P_{T_{j+1},k}\) and \(\mathcal {O}\) has been replaced with \(E_k[P]\) as justified in the proof of Lemma 7.

The code in the middle portion of Fig. 2 results from the following changes: first, rather than sampling uniform \(s_0\) and then setting \(k_1:=s_0 \oplus x_{j+1}\), the code now samples a uniform \(k_1\). Similarly, rather than choosing uniform \(s_1\) and then setting \(y_{j+1}:=P(s_1) \oplus k_2\), the code now samples a uniform \(y_{j+1}\) (note that P is a permutation, so \(P(s_1)\) is uniform). Since neither \(s_0\) nor \(s_1\) is used anywhere else, each can now be omitted.

The code in the bottom portion of Fig. 2 simply chooses \(k=(k_1, k_2)\) according to distribution D, and chooses uniform \(y_{j+1} \in \{0,1\}^n \setminus \{y_1, \ldots , y_j\}\). It can be verified by inspection that this final experiment is equivalent to \({\mathbf {H}}'_j\).

B.2  Handling an Inverse Query

In this section we discuss the case where the \((j+1)\)st classical query of \({\mathcal A}\) is an inverse query in the proof of Lemma 7. Phase 1 is exactly as described in the proof of Lemma 7, though we now let \(y_{j+1}\) denote the \((j+1)\)st classical query made by \({\mathcal A}\), and now \(b_{j+1}=1\).

  • Phase 2: \(\mathcal {D}\) receives \(s_0, s_1 \in \{0,1\}^n\) and quantum oracle access to a permutation \(P_b\). First, \(\mathcal {D}\) sets \(t_0:=P_b(s_0)\) and \(t_1:=P_b(s_1)\). It then sets \(k_2:=t_0 \oplus y_{j+1}\), chooses \(k_1 \leftarrow D_{|k_2}\) (where this represents the conditional distribution on \(k_1\) given \(k_2\)), and sets \(k:=(k_1, k_2)\). \(\mathcal {D}\) continues running \({\mathcal A}\), answering its remaining classical queries (including the \((j+1)\)st one) using \(E_k[P_b]\), and its remaining quantum queries using

    $$\begin{aligned} (P_b)_{T_j, k}&= \overleftarrow{S}_{T_j,P_b,k}\circ \overrightarrow{S}_{T_j,P_b,k} \circ P_b= P_b \circ \overleftarrow{Q}_{T_j,P_b,k} \circ \overrightarrow{Q}_{T_j,P_b,k}\,. \end{aligned}$$

    Finally, \(\mathcal {D}\) outputs whatever \({\mathcal A}\) outputs.

Note that \(t_0, t_1\) are uniform, and so k is distributed according to D. Then:

Case \(b=0\) (No Reprogramming). In this case, \({\mathcal A}\)’s remaining classical queries (including its \((j+1)\)st classical query) are answered using \(E_k[P_0] = E_k[P]\), and its remaining quantum queries are answered using \((P_0)_{T_j, k} = P_{T_j, k}\). The output of \({\mathcal A}\) is thus distributed identically to its output in \({\mathbf {H}}_j\) in this case.

Case \(b=1\) (Reprogramming). In this case, \(k_2=P_1(s_0) \oplus y_{j+1}=P(s_1)\oplus y_{j+1}\) and so

$$\begin{aligned} P_b^{-1} = P_1^{-1} = (P \circ \mathsf{swap}_{s_0,s_1})^{-1}= & {} (\mathsf{swap}_{P(s_0), P(s_1)} \circ P)^{-1} \\= & {} P^{-1} \circ \mathsf{swap}_{P(s_0), P(s_1)} \\= & {} P^{-1} \circ \mathsf{swap}_{P(s_0), y_{j+1}\oplus k_2} . \end{aligned}$$

The response to \({\mathcal A}\)’s \((j+1)\)st classical query is thus

$$ x_{j+1} {\mathop {=}\limits ^\mathrm{def}} E_k^{-1}[P_1](y_{j+1}) = P_1^{-1}(y_{j+1} \oplus k_2) \oplus k_1 = P_1^{-1}(P(s_1)) \oplus k_1 = s_0 \oplus k_1\,. $$

The remaining classical queries of \({\mathcal A}\) are then answered using \(E_k[P_1]\), while its remaining quantum queries are answered using \((P_1)_{T_j, k}\).

Now we define the following three events:

  1. \(\mathsf{bad}_1\) is the event that \(x_{j+1} \in \{x_1, \ldots , x_j\}\).

  2. \(\mathsf{bad}_2\) is the event that \(P(s_0) \oplus k_2 \in \{y_1, \ldots , y_j\}\).

  3. \(\mathsf{bad}_3\) is the event that, in phase 2, \({\mathcal A}\) queries its classical oracle in the forward direction on \(s_1 \oplus k_1\), or in the inverse direction on \(P(s_0) \oplus k_2\).

Comparing the above to the proof of Lemma 7, we see (because P is a permutation) that the situation is entirely symmetric, and the analysis is therefore the same.

Copyright information

© 2022 International Association for Cryptologic Research

Cite this paper

Alagic, G., Bai, C., Katz, J., Majenz, C. (2022). Post-Quantum Security of the Even-Mansour Cipher. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13277. Springer, Cham. https://doi.org/10.1007/978-3-031-07082-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07081-5

  • Online ISBN: 978-3-031-07082-2
