
Key alternating ciphers based on involutions


Abstract

In this work, we study the security of Even–Mansour type ciphers whose encryption and decryption are based on a common primitive, namely an involution. Such ciphers potentially allow an efficient hardware implementation, since the same circuit is shared by encryption and decryption, and are thus expected to be more suitable for lightweight environments in which low power consumption and low implementation cost are desirable. With this motivation, we consider a single-round Even–Mansour cipher using an involution as its underlying primitive. The decryption of such a cipher is the same as encryption, only with the order of the round keys reversed. It is known that such a cipher permits a birthday-bound attack using only construction queries, but whether it provides provable security in the range below the birthday bound has remained open. We prove that the Even–Mansour cipher based on a random involution is as secure as the permutation-based one when the number of construction queries is limited by the birthday bound. In order to achieve security beyond the birthday bound, we propose a two-round Even–Mansour-like construction, dubbed \(\mathsf {EMSI}\), based on a single involution I using a fixed permutation \(\sigma \) in the middle layer. Specifically, \(\mathsf {EMSI}\) encrypts a plaintext u by computing

$$\begin{aligned} v=I\left( \sigma \left( I(u\oplus k_0)\right) \oplus k_1\right) \oplus k_2 \end{aligned}$$

with the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) generating three round keys \(k_0=\gamma _0(k)\), \(k_1=\gamma _1(k)\) and \(k_2=\gamma _2(k)\) from an n-bit master key k. We prove that if the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) satisfies a certain condition, and \(\sigma \) is a linear orthomorphism, then this construction is secure up to \(2^{\frac{2n}{3}}\) construction and permutation queries. \(\mathsf {EMSI}\) is the first construction that uses a single involution—a primitive weaker than a truly random permutation—and that provides security beyond the birthday bound at the same time. Encryption and decryption of \(\mathsf {EMSI}\) are the same except for the key schedule and the middle layer. Since encryption and decryption are both based on a common primitive, \(\mathsf {EMSI}\) is expected to be particularly suitable for modes of operation that use both encryption and decryption of the underlying block cipher such as OCB3.


Notes

  1. A permutation \(\pi \) on \(\{0,1\}^n\) is called an orthomorphism if \(x\mapsto x\oplus \pi (x)\) is also a permutation.

  2. The attack using only construction queries [9] works when the master key k is related to \(k_0\oplus k_1\), but even if this is not the case, security cannot exceed the birthday bound due to “standard” attacks on the Even–Mansour cipher.

  3. No linear orthomorphism can be an involution.

  4. In [4], the union bound over all possible pairs \((\alpha ,\beta )\) is missing. To correct the proof, we should take \(\delta \) as a larger value.

  5. When we consider an element \((\{w,x\},a,b)\in \mu ^2_{{\varGamma }}({\mathcal {Q}}_I,A,B)\) for some \({\varGamma }\), A and B, the key k can be computed in two ways by exchanging the positions of w and x, so we need to multiply by two when we upper bound the probability of obtaining the corresponding type of bad transcripts.

References

  1. Barreto P., Rijmen V.: The Anubis block cipher. Submission to the NESSIE Project (2000).

  2. Barreto P., Rijmen V.: The Khazad legacy-level block cipher. Submission to the NESSIE Project (2000).

  3. Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knežević M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalçın T.: PRINCE: a low-latency block cipher for pervasive computing applications. In: Asiacrypt 2012. LNCS, vol. 7658, pp. 208–225. Springer, Berlin (2012).

  4. Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.: Minimizing the two-round Even–Mansour cipher. In: Crypto 2014 (Part I). LNCS, vol. 8616, pp. 39–56. Springer, Berlin (2014).

  5. Chen S., Steinberger J.P.: Tight security bounds for key-alternating ciphers. In: Eurocrypt 2014. LNCS, vol. 8441, pp. 327–350. Springer, Berlin (2014).

  6. Chowla S., Herstein I.N., Moore K.: On recursions connected with symmetric groups I. Can. J. Math. 3, 328–334 (1951).


  7. Dai Y., Lee J., Mennink B., Steinberger J.: The security of multiple encryption in the ideal cipher model. In: Crypto 2014 (Part I). LNCS, vol. 8616, pp. 20–38. Springer, Berlin (2014).

  8. Dinur I., Dunkelman O., Keller N., Shamir A.: Key recovery attacks on 3-round Even–Mansour, 8-step LED-128, and full AES2. In: Asiacrypt 2013. LNCS, vol. 8269, pp. 337–356. Springer, Berlin (2013).

  9. Dunkelman O., Keller N., Shamir A.: Minimalism in cryptography: the Even–Mansour scheme revisited. In: Eurocrypt 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012).

  10. Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. In: Asiacrypt 1991. LNCS, vol. 739, pp. 210–224. Springer, New York (1993).

  11. Gaži P.: Plain versus randomized cascading-based key-length extension for block ciphers. In: Crypto 2013. LNCS, vol. 8042, pp. 551–570. Springer, Berlin (2013).

  12. Gentry C., Ramzan Z.: Eliminating random permutation oracles in the Even–Mansour cipher. In: Asiacrypt 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004).

  13. Gilboa S., Gueron S., Nandi M.: Balanced permutations Even–Mansour ciphers. arXiv preprint arXiv:1409.0421 (2014).

  14. Krovetz T., Rogaway P.: The software performance of authenticated-encryption modes. In: FSE 2011. LNCS, vol. 6733, pp. 306–327 (2011).

  15. Lampe R., Seurin Y.: Security analysis of key-alternating Feistel ciphers. In: FSE 2014. LNCS, vol. 8540, pp. 243–264 (2015).

  16. Lee J., Koo B.: Security of the misty structure using involutions as round functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E93–A(9), 1612–1619 (2010).


  17. Maurer U., Pietrzak K., Renner R.: Indistinguishability amplification. In: Crypto 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007).

  18. Nikolić I., Wang L., Wu S.: Cryptanalysis of round-reduced LED. In: FSE 2014. LNCS, vol. 8424, pp. 112–129. Springer, Heidelberg (2014).

  19. Piret G., Quisquater J.: Security of the MISTY Structure in the Luby–Rackoff model: improved results. In: SAC 2004. LNCS, vol. 3357, pp. 100–113. Springer, Berlin (2004).

  20. Standaert F.-X., Piret G., Rourvoy G., Quisquater J.-J., Legat J.-D.: ICEBERG: an involutional cipher efficient for block encryption on reconfigurable hardware. In: FSE 2004. LNCS, vol. 3017, pp. 279–299. Springer, Berlin (2004).


Correspondence to Jooyoung Lee.

Additional information

Communicated by L. R. Knudsen.

Appendices

Appendix A: A generic attack on involution-based Even–Mansour ciphers

We first review the key recovery attack in [9] on the Even–Mansour cipher based on an involution.

  1. Adversary \({\mathcal {D}}\) is given \(2^{\frac{n}{2}}\) random plaintext-ciphertext pairs \((u_i,v_i)\), where

     $$\begin{aligned}v_i=I(u_i\oplus k_0)\oplus k_1 \end{aligned}$$

     for \(i=1,\ldots ,2^{\frac{n}{2}}\).

  2. \({\mathcal {D}}\) finds two indices \(i^*\) and \(i^{**}\) such that

     $$\begin{aligned}u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}. \end{aligned}$$

  3. \({\mathcal {D}}\) guesses \(k_0\oplus k_1=(\gamma _0\oplus \gamma _1)(k)=u_{i^*}\oplus v_{i^{**}}\) and recovers the master key k (when \(\gamma _0\oplus \gamma _1\) is a permutation).

If \(k_0\oplus k_1=u_{i^*}\oplus v_{i^{**}}\) for some indices \(i^*\) and \(i^{**}\), then it follows that \(u_{i^*}\oplus k_0=v_{i^{**}}\oplus k_1\) which means \(I\left( u_{i^*}\oplus k_0\right) =I\left( v_{i^{**}}\oplus k_1\right) \) and hence

$$\begin{aligned} v_{i^*}\oplus u_{i^{**}}=\left( I\left( u_{i^*}\oplus k_0\right) \oplus k_1\right) \oplus \left( I\left( v_{i^{**}}\oplus k_1\right) \oplus k_0\right) =k_0\oplus k_1=u_{i^*}\oplus v_{i^{**}} \end{aligned}$$

namely \(u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}\), since I is an involution. Among \(2^{\frac{n}{2}}\) queries, one finds a pair satisfying \(u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}\) with high probability, while only a small number of such pairs exist. Therefore \({\mathcal {D}}\) obtains a small number of candidates for the master key via this attack, which is why the single-round construction cannot be secure beyond the birthday bound.
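To see the birthday-bound limitation concretely, here is an added simulation on a constructed 16-bit instance (not code from the paper): a random involution I, random round keys, and the three steps above. The function `partner_collides` checks the algebra of the last paragraph for every plaintext (the partner query \(u_{i^{**}}\) of \(u_{i^*}\) is \(v_{i^*}\oplus k_0\oplus k_1\)), and `key_difference_candidates` groups the queries by \(u\oplus v\) and turns every colliding pair into the two guesses for \(k_0\oplus k_1\) mentioned in footnote 5. With a small multiple of \(2^{n/2}\) queries the true \(k_0\oplus k_1\) is among a candidate set far smaller than \(2^n\); the query count and the fixed-point rate of the involution are assumptions of the example.

```python
import itertools
import random

N_BITS = 16
SIZE = 1 << N_BITS

def random_involution(rng):
    """Pair up the elements of {0,1}^n at random; a few are left as fixed points."""
    table = list(range(SIZE))
    elems = list(range(SIZE))
    rng.shuffle(elems)
    for a, b in zip(elems[0::2], elems[1::2]):
        if rng.random() < 0.995:          # assumed rate: ~1% of points stay fixed
            table[a], table[b] = b, a
    return table

def em1(inv, k0, k1, u):
    """Single-round Even-Mansour with involution I: v = I(u ^ k0) ^ k1."""
    return inv[u ^ k0] ^ k1

def partner_collides(inv, k0, k1, u1):
    """The appendix's algebra: with u2 = v1 ^ k0 ^ k1 we get u1 ^ k0 = v2 ^ k1,
    hence u1 ^ v1 = u2 ^ v2 and the guess u1 ^ v2 equals k0 ^ k1."""
    v1 = em1(inv, k0, k1, u1)
    u2 = v1 ^ k0 ^ k1
    v2 = em1(inv, k0, k1, u2)
    return u1 ^ v1 == u2 ^ v2 and u1 ^ v2 == k0 ^ k1

def key_difference_candidates(inv, k0, k1, plaintexts):
    """Steps 1-3: group queries by u ^ v and turn each colliding pair into the
    two guesses u1 ^ v2 and u2 ^ v1 for k0 ^ k1 (the two orders of footnote 5)."""
    by_diff = {}
    for u in plaintexts:
        v = em1(inv, k0, k1, u)
        by_diff.setdefault(u ^ v, []).append((u, v))
    candidates = set()
    for group in by_diff.values():
        for (u1, v1), (u2, v2) in itertools.combinations(group, 2):
            candidates.update((u1 ^ v2, u2 ^ v1))
    return candidates

def experiment(seed=1, queries=8 * (1 << (N_BITS // 2))):
    """Constructed instance: random I and keys (seeded).  Returns whether the
    algebra holds for all u, whether k0 ^ k1 is a candidate, and the candidate count."""
    rng = random.Random(seed)
    inv = random_involution(rng)
    k0, k1 = rng.randrange(SIZE), rng.randrange(SIZE)
    algebra = all(partner_collides(inv, k0, k1, u) for u in range(SIZE))
    cands = key_difference_candidates(inv, k0, k1, rng.sample(range(SIZE), queries))
    return algebra, (k0 ^ k1) in cands, len(cands)
```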

Appendix B: Proof of (2)

In this section, we review the proof of the recursion formula (2) given in [6]. For an element \(1\in [N+1]\), the number of involutions on \([N+1]\) such that 1 is a fixed point is T(N). Otherwise, there are N possibilities for a cycle of length two containing the element 1. Once any cycle containing 1 is determined, we have \(T(N-1)\) possibilities for the involution on the remaining elements. Therefore, we have

$$\begin{aligned} T(N+1)=T(N)+NT(N-1). \end{aligned}$$

for \(N\ge 1\) assuming \(T(0)=1\). In order to prove the recursion formula

$$\begin{aligned} \frac{1}{\sqrt{N}+1} \le \frac{T(N-1)}{T(N)}\le \frac{1}{\sqrt{N}} \end{aligned}$$

we will use induction on \(N\ge 1\). Since \(T(1)=1\), the formula holds for \(N=1\). Fix \(K\ge 1\) and assume that

$$\begin{aligned} \frac{1}{\sqrt{K}+1} \le \frac{T(K-1)}{T(K)}\le \frac{1}{\sqrt{K}}. \end{aligned}$$

Then we have

$$\begin{aligned} \frac{T(K+1)}{T(K)}=1+\frac{K}{T(K)/T(K-1)}\le 1+\frac{K}{K^{\frac{1}{2}}}\le 1+\sqrt{K+1} \end{aligned}$$
(16)

and

$$\begin{aligned} \frac{T(K+1)}{T(K)}=1+\frac{KT(K-1)}{T(K)}\ge 1+\frac{K}{1+\sqrt{K}}\ge \sqrt{K+1} \end{aligned}$$
(17)

where the last inequality follows since

$$\begin{aligned} K=\left( \sqrt{K+1}-1\right) \left( \sqrt{K+1}+1\right) >\left( \sqrt{K+1}-1\right) \left( \sqrt{K}+1\right) . \end{aligned}$$

The proof is complete since (16) and (17) imply

$$\begin{aligned} \frac{1}{\sqrt{K+1}+1} \le \frac{T(K)}{T(K+1)}\le \frac{1}{\sqrt{K+1}}. \end{aligned}$$
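A numerical companion to the argument above, added here and not part of the paper: `involution_count` implements the recursion \(T(N+1)=T(N)+NT(N-1)\) with \(T(0)=T(1)=1\), `brute_force_count` confirms it against a direct enumeration of involutions for small N, and `bounds_hold` checks the inequality \(\frac{1}{\sqrt{N}+1}\le \frac{T(N-1)}{T(N)}\le \frac{1}{\sqrt{N}}\) in exact integer arithmetic by squaring both sides, which is valid because all quantities are positive and T is non-decreasing.

```python
import itertools

def involution_count(n):
    """T(n) from the page's recursion T(N+1) = T(N) + N*T(N-1), T(0) = T(1) = 1."""
    t_prev, t = 1, 1                      # T(0), T(1)
    for m in range(1, n):
        t_prev, t = t, t + m * t_prev     # T(m+1) = T(m) + m*T(m-1)
    return t

def brute_force_count(n):
    """Count involutions on [n] directly: permutations p with p(p(i)) = i."""
    return sum(1 for p in itertools.permutations(range(n))
               if all(p[p[i]] == i for i in range(n)))

def bounds_hold(n):
    """Check 1/(sqrt(N)+1) <= T(N-1)/T(N) <= 1/sqrt(N) exactly.
    Upper bound: a*sqrt(N) <= b  <=>  N*a^2 <= b^2.
    Lower bound: b <= a*(sqrt(N)+1)  <=>  (b - a)^2 <= N*a^2  (as b >= a >= 1)."""
    a, b = involution_count(n - 1), involution_count(n)
    return n * a * a <= b * b and (b - a) ** 2 <= n * a * a

def first_violation(max_n):
    """Return the smallest N in [1, max_n] where the bound fails, or None."""
    return next((n for n in range(1, max_n + 1) if not bounds_hold(n)), None)
```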


Cite this article

Lee, J. Key alternating ciphers based on involutions. Des. Codes Cryptogr. 86, 955–988 (2018). https://doi.org/10.1007/s10623-017-0371-3
