Abstract
In this work, we study the security of Even–Mansour type ciphers whose encryption and decryption are based on a common primitive, namely an involution. Such ciphers possibly allow efficient hardware implementation as the same circuit is shared for encryption and decryption, and thus are expected to be more suitable for lightweight environments in which low power consumption and implementation costs are desirable. With this motivation, we consider a single-round Even–Mansour cipher using an involution as its underlying primitive. The decryption of such a cipher is the same as encryption, only with the order of the round keys reversed. It is known that such a cipher permits a birthday-bound attack using only construction queries, but whether it provides provable security in the range below the birthday bound has remained open. We prove that the Even–Mansour cipher based on a random involution is as secure as the permutation-based one when the number of construction queries is limited by the birthday bound. In order to achieve security beyond the birthday bound, we propose a two-round Even–Mansour-like construction, dubbed \(\mathsf {EMSI}\), based on a single involution I using a fixed permutation \(\sigma \) in the middle layer. Specifically, \(\mathsf {EMSI}\) encrypts a plaintext u by computing
with the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) generating three round keys \(k_0=\gamma _0(k)\), \(k_1=\gamma _1(k)\) and \(k_2=\gamma _2(k)\) from an n-bit master key k. We prove that if the key schedule \(\gamma =(\gamma _0,\gamma _1,\gamma _2)\) satisfies a certain condition, and \(\sigma \) is a linear orthomorphism, then this construction is secure up to \(2^{\frac{2n}{3}}\) construction and permutation queries. \(\mathsf {EMSI}\) is the first construction that uses a single involution—a primitive weaker than a truly random permutation—and that provides security beyond the birthday bound at the same time. Encryption and decryption of \(\mathsf {EMSI}\) are the same except for the key schedule and the middle layer. Since encryption and decryption are both based on a common primitive, \(\mathsf {EMSI}\) is expected to be particularly suitable for modes of operation that use both encryption and decryption of the underlying block cipher such as OCB3.
Notes
A permutation \(\pi \) on \(\{0,1\}^n\) is called an orthomorphism if \(x\mapsto x\oplus \pi (x)\) is also a permutation.
The attack using only construction queries [9] works when the master key k is related to \(k_0\oplus k_1\), but even if this is not the case, security cannot exceed the birthday bound due to “standard” attacks on the Even–Mansour cipher.
No linear orthomorphism can be an involution.
In [4], the union bound over all possible pairs \((\alpha ,\beta )\) is missing. To correct the proof, we should take \(\delta \) as a larger value.
When we consider an element \((\{w,x\},a,b)\in \mu ^2_{{\varGamma }}({\mathcal {Q}}_I,A,B)\) for some \({\varGamma }\), A and B, the key k can be computed in two ways by exchanging the positions of w and x, so we need to multiply by two when we upper bound the probability of obtaining the corresponding type of bad transcripts.
References
Barreto P., Rijmen V.: The Anubis block cipher. Submission to the NESSIE Project (2000).
Barreto P., Rijmen V.: The Khazad legacy-level block cipher. Submission to the NESSIE Project (2000).
Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knežević M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalçın T.: PRINCE: a low-latency block cipher for pervasive computing applications. In: Asiacrypt 2012. LNCS, vol. 7658, pp. 208–225. Springer, Berlin (2012).
Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.: Minimizing the two-round Even–Mansour cipher. In: Crypto 2014 (Part I). LNCS, vol. 8616, pp. 39–56. Springer, Berlin (2014).
Chen S., Steinberger J.P.: Tight security bounds for key-alternating ciphers. In: Eurocrypt 2014. LNCS, vol. 8441, pp. 327–350. Springer, Berlin (2014).
Chowla S., Herstein I.N., Moore K.: On recursions connected with symmetric groups I. Can. J. Math. 3, 328–334 (1951).
Dai Y., Lee J., Mennink B., Steinberger J.: The security of multiple encryption in the ideal cipher model. In: Crypto 2014 (Part I). LNCS, vol. 8616, pp. 20–38, Springer, Berlin (2014).
Dinur I., Dunkelman O., Keller N., Shamir A.: Key recovery attacks on 3-round Even–Mansour, 8-step LED-128, and full AES2. In: ASIACRYPT 2013. LNCS, vol. 8269, pp. 337–356. Springer, Berlin (2013).
Dunkelman O., Keller N., Shamir A.: Minimalism in cryptography: the Even–Mansour scheme revisited. In: Eurocrypt 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012).
Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. In: Asiacrypt 1991. LNCS, vol. 739, pp. 210–224. Springer, New York (1993).
Gaži P.: Plain versus randomized cascading-based key-length extension for block ciphers. In: Crypto 2013. LNCS, vol. 8042, pp. 551–570. Springer, Berlin (2013).
Gentry C., Ramzan Z.: Eliminating random permutation oracles in the Even–Mansour cipher. In: ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004).
Gilboa S., Shay G., Nandi M.: Balanced permutations Even–Mansour ciphers. arXiv preprint arXiv:1409.0421 (2014).
Krovetz T., Rogaway P.: The software performance of authenticated-encryption modes. In: FSE 2011. LNCS, vol. 6733, pp. 306–327 (2011).
Lampe R., Seurin Y.: Security analysis of key-alternating Feistel ciphers. In: FSE 2014. LNCS, vol. 8540, pp. 243–264 (2015).
Lee J., Koo B.: Security of the misty structure using involutions as round functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E93–A(9), 1612–1619 (2010).
Maurer U., Pietrzak K., Renner R.: Indistinguishability amplification. In: CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007).
Nikolić I., Wang L., Wu S.: Cryptanalysis of round-reduced LED. In: FSE 2014. LNCS, vol. 8424, pp. 112–129. Springer, Heidelberg (2014).
Piret G., Quisquater J.: Security of the MISTY Structure in the Luby–Rackoff model: improved results. In: SAC 2004. LNCS, vol. 3357, pp. 100–113. Springer, Berlin (2004).
Standaert F.-X., Piret G., Rourvoy G., Quisquater J.-J., Legat J.-D.: ICEBERG: an involutional cipher efficient for block encryption on reconfigurable hardware. In: FSE 2004. LNCS, vol. 3017, pp. 279–299. Springer, Berlin (2004).
Communicated by L. R. Knudsen.
Appendices
Appendix A: A generic attack on involution-based Even–Mansour ciphers
We first review the key recovery attack in [9] on the Even–Mansour cipher based on an involution.
1. Adversary \({\mathcal {D}}\) is given \(2^{\frac{n}{2}}\) random plaintext-ciphertext pairs \((u_i,v_i)\), where
   $$\begin{aligned}v_i=I(u_i\oplus k_0)\oplus k_1 \end{aligned}$$
   for \(i=1,\ldots ,2^{\frac{n}{2}}\).
2. \({\mathcal {D}}\) finds two indices \(i^*\) and \(i^{**}\) such that
   $$\begin{aligned}u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}. \end{aligned}$$
3. \({\mathcal {D}}\) guesses \(k_0\oplus k_1=(\gamma _0\oplus \gamma _1)(k)=u_{i^*}\oplus v_{i^{**}}\) and recovers the master key k (when \(\gamma _0\oplus \gamma _1\) is a permutation).
If \(k_0\oplus k_1=u_{i^*}\oplus v_{i^{**}}\) for some indices \(i^*\) and \(i^{**}\), then it follows that \(u_{i^*}\oplus k_0=v_{i^{**}}\oplus k_1\) which means \(I\left( u_{i^*}\oplus k_0\right) =I\left( v_{i^{**}}\oplus k_1\right) \) and hence
namely, \(u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}\) since I is an involution. From the set of \(2^{\frac{n}{2}}\) queries, one would find a pair of queries satisfying \(u_{i^*}\oplus v_{i^*}=u_{i^{**}}\oplus v_{i^{**}}\) with a high probability, while there would be only a small number of such pairs. Therefore \({\mathcal {D}}\) would be able to find a small number of candidates for the master key via this attack.
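The following is an added toy-scale demonstration of why a single-round Even–Mansour cipher built on an involution cannot be secure beyond the birthday bound; it is not code from the paper. It assumes n = 16, a random involution I obtained by pairing up all 16-bit values, and a hypothetical key schedule k0 = k, k1 = k ⊕ rotl(k, 1), chosen so that γ0 ⊕ γ1 = rotl is a permutation and the master key can be read off a correct guess of k0 ⊕ k1. The collision search is carried out with about four times 2^{n/2} queries so that the genuine collision appears with overwhelming probability; a few extra pairs filter out accidental collisions.

```python
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1

def rotl(x, r=1):
    return ((x << r) | (x >> (N_BITS - r))) & MASK

def rotr(x, r=1):
    return ((x >> r) | (x << (N_BITS - r))) & MASK

def random_involution(rng):
    # Toy involution: pair up every n-bit value with another one (no fixed points);
    # not uniform over all involutions, but enough to illustrate the attack.
    xs = list(range(1 << N_BITS))
    rng.shuffle(xs)
    table = [0] * (1 << N_BITS)
    for a, b in zip(xs[0::2], xs[1::2]):
        table[a], table[b] = b, a
    return table

def round_keys(k):
    # Hypothetical key schedule (assumption): gamma_0 = id, gamma_1(k) = k ^ rotl(k),
    # so (gamma_0 ^ gamma_1)(k) = rotl(k) is a permutation, as step 3 requires.
    return k, k ^ rotl(k)

def encrypt(I, k, u):
    k0, k1 = round_keys(k)
    return I[u ^ k0] ^ k1

def recover_key(I, pairs, check_pairs):
    # Steps 2-3: a collision u_i ^ v_i == u_j ^ v_j gives the guess k0 ^ k1 = u_i ^ v_j
    # (u_j ^ v_i is the same value); invert gamma_0 ^ gamma_1 and verify the candidate.
    by_diff, candidates = {}, set()
    for u, v in pairs:
        d = u ^ v
        for _, v2 in by_diff.get(d, ()):
            candidates.add(u ^ v2)
        by_diff.setdefault(d, []).append((u, v))
    return [rotr(c) for c in candidates
            if all(encrypt(I, rotr(c), u) == v for u, v in check_pairs)]

def demo(seed=1, queries=4 << (N_BITS // 2)):
    # Constructed instance: seeded involution and key; returns (true key, recovered keys).
    rng = random.Random(seed)
    I = random_involution(rng)
    k = rng.randrange(1 << N_BITS)
    us = rng.sample(range(1 << N_BITS), queries + 4)
    pairs = [(u, encrypt(I, k, u)) for u in us[:queries]]
    check = [(u, encrypt(I, k, u)) for u in us[queries:]]
    return k, recover_key(I, pairs, check)
```

The recovered list contains the master key after roughly 2^{n/2+2} construction queries and no queries to I at all, which is exactly the birthday-bound limitation the paper's \(\mathsf {EMSI}\) construction is designed to overcome.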
Appendix B: Proof of (2)
In this section, we review the proof of the recursion formula (2) given in [6]. For an element \(1\in [N+1]\), the number of involutions on \([N+1]\) such that 1 is a fixed point is T(N). Otherwise, there are N possibilities for a cycle of length two containing the element 1. Once any cycle containing 1 is determined, we have \(T(N-1)\) possibilities for the involution on the remaining elements. Therefore, we have
for \(N\ge 1\) assuming \(T(0)=1\). In order to prove the recursion formula
we will use induction on \(N\ge 1\). Since \(T(1)=1\), the formula holds for \(N=1\). Fix \(K\ge 1\) and assume that
Then we have
and
where the last inequality follows since
The proof is complete since (16) and (17) imply
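As an added check of the counting argument above (not part of the paper), the function below computes T(N), the number of involutions on [N], from the recursion it describes (the element N+1 is either a fixed point, leaving T(N) choices, or lies in one of N two-cycles, leaving T(N-1) choices), and compares it with a brute-force enumeration of all permutations p with p∘p = id for small N.

```python
from functools import lru_cache
from itertools import permutations

@lru_cache(maxsize=None)
def involution_count(n):
    # T(0) = T(1) = 1 and T(N+1) = T(N) + N * T(N-1), as derived in Appendix B.
    if n <= 1:
        return 1
    return involution_count(n - 1) + (n - 1) * involution_count(n - 2)

def involution_count_bruteforce(n):
    # Count permutations of range(n) that are their own inverse (feasible for n <= 8).
    return sum(1 for p in permutations(range(n))
               if all(p[p[i]] == i for i in range(n)))

def recursion_matches_enumeration(max_n=7):
    return all(involution_count(n) == involution_count_bruteforce(n)
               for n in range(max_n + 1))
```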
Lee, J. Key alternating ciphers based on involutions. Des. Codes Cryptogr. 86, 955–988 (2018). https://doi.org/10.1007/s10623-017-0371-3