SLIDE 1

Minimizing the Two-Round Even-Mansour Cipher

Shan Chen (1), Rodolphe Lampe (2), Jooyoung Lee (3), Yannick Seurin (4), John Steinberger (1)

(1) Tsinghua University, China; (2) University of Versailles, France; (3) Sejong University, Korea; (4) ANSSI, France

August 18, 2014 - CRYPTO 2014

Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 1 / 29

SLIDE 2

Outline

1. Context: Security Proofs for Key-Alternating Ciphers
2. Overview of our Results
3. Sketch of the Security Proof

SLIDE 3

Key-alternating ciphers

[Figure: r-round key-alternating cipher. x → ⊕k0 → P1 → ⊕k1 → P2 → ... → Pr → ⊕kr → y, with round keys ki = γi(k) derived from the n-bit master key k.]

An r-round key-alternating cipher:
• k ∈ {0, 1}^n is the (master) key, x the plaintext, y the ciphertext
• the Pi's are public permutations on {0, 1}^n
• the γi's are key derivation functions mapping k to n-bit "round keys"
• prominent example: AES-128

SLIDE 5

Proving the security of key-alternating ciphers

[Figure: the r-round key-alternating cipher, round keys γ0(k), ..., γr(k).]

Question: How can we "prove" security? (for this talk, security = pseudorandomness)
• against a general adversary: too hard! (this would be an unconditional complexity lower bound)
• against specific attacks (differential, linear, ...): use the specific design of P1, ..., Pr, count active S-boxes, etc.
• against generic attacks: Random Permutation Model for P1, ..., Pr

SLIDE 9

Analyzing KA ciphers in the Random Permutation Model

[Figure: the r-round key-alternating cipher, round keys γ0(k), ..., γr(k).]

• the Pi's are viewed as public random permutation oracles to which the adversary can only make black-box queries (both to Pi and Pi^{-1})
• trades complexity for randomness and allows for a completely information-theoretic proof (≃ Random Oracle Model)
• complexity measure of the adversary:
  qe = number of queries to the cipher (plaintext/ciphertext pairs)
  qp = number of queries to each internal permutation oracle

SLIDE 12

Analyzing KA ciphers in the Random Permutation Model

This model was already considered 15 years ago by Even and Mansour [EM97] for r = 1 round: they showed that the following cipher is secure up to O(2^{n/2}) queries of the adversary to P and E:

[Figure: 1-round Even-Mansour cipher E(x) = P(x ⊕ k0) ⊕ k1.]

• Similar result when k0 = k1 [DKS12] (single-key Even-Mansour, E(x) = P(x ⊕ k) ⊕ k)
• Wording: "(iterated) Even-Mansour cipher" = shorthand for "analyzing the class of key-alternating ciphers in the Random Permutation Model"

SLIDE 15

Outline (section 2: Overview of our Results)

SLIDE 16

State of the art

[Figure: r-round key-alternating cipher with independent round keys k0, ..., kr and independent permutations P1, ..., Pr.]

Closing a series of recent results [BKL+12, Ste12, LPS12], Chen and Steinberger [CS14] showed that assuming
1. independent round keys (k0, k1, ..., kr),
2. independent inner permutations P1, ..., Pr,
KA ciphers are secure against generic attacks as long as qe and qp ≪ O(2^{rn/(r+1)}).

This result is tight (in terms of query complexity).

SLIDE 18

Our problem

Main question: Is it possible to prove a similar O(2^{rn/(r+1)}) bound when:
• the round keys (k0, ..., kr) are derived from an n-bit master key, and/or
• the same permutation P is used at each round,
as is the case in many concrete designs (AES-128, etc.)?

[Figure: r-round cipher with a single permutation P at every round and round keys γ0(k), ..., γr(k) derived from the master key k.]

We give a positive answer for r = 2 rounds: an O(2^{2n/3})-security bound.

slide-22
SLIDE 22

Our problem

Main question

Is it possible to prove a similar O(2

rn r+1 ) bound when:

the round keys (k0, . . . , kr) are derived from an n-bit master key and/or when the same permutation P is used at each round as is the case in many concrete designs (AES-128, etc.)?

x n P P P y k0 k1 kr k n γ0 γ1 γr

We give a positive answer for r = 2 rounds: O(2

2n 3 )-security bound. Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 9 / 29

slide-23
SLIDE 23

Our results (1/2): two independent permutations

First, we deal with the (simpler) case where the two inner permutations are independent. Then the trivial key-schedule is sufficient.

Theorem

The 2-round EM cipher with independent random permutations and identical round keys is secure up to O(2

2n 3 ) queries of the adversary.

x P1 k P2 k y k

Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 10 / 29

SLIDE 24

Our results (2/2): one single permutation

Theorem. The 2-round EM cipher below is secure up to O(2^{2n/3}) queries of the adversary.

[Figure: E(x) = P(P(x ⊕ k) ⊕ π(k)) ⊕ k, with a single permutation P and round keys (k, π(k), k).]

π can be any fixed (F2-linear) orthomorphism (i.e., π is a permutation and k ↦ k ⊕ π(k) is also a permutation), for instance
• π : (kL, kR) ↦ (kR, kL ⊕ kR) (Feistel-like)
• π : k ↦ c ⊙ k, for c ∉ {0, 1} (multiplication by a constant in the field F_{2^n}; c = 0 makes π non-injective and c = 1 makes k ⊕ π(k) = 0)
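As an added example that is not part of the original slides, the following Python checks the orthomorphism condition exhaustively on a toy block size and implements the single-permutation two-round cipher of this slide with the key schedule (k, π(k), k). The block size n = 8, the reduction polynomial used for F_{2^8} (the AES polynomial), the seeded shuffle standing in for the public random permutation P, and the extra non-example π(k) = k ⊕ c are all assumptions of this example.

```python
# Added example (not from the paper): orthomorphism check and the
# single-permutation 2-round Even-Mansour cipher on a toy block size.
import random

N = 8                       # toy block size (assumption); the paper's n is a security parameter
SIZE = 1 << N
HALF = N // 2


def is_permutation(f):
    """True iff f is a bijection on {0,1}^N (checked exhaustively)."""
    return len({f(k) for k in range(SIZE)}) == SIZE


def is_orthomorphism(pi):
    """pi is an orthomorphism iff pi and k -> k ^ pi(k) are both permutations."""
    return is_permutation(pi) and is_permutation(lambda k: k ^ pi(k))


def pi_feistel(k):
    """(kL, kR) -> (kR, kL ^ kR); F2-linear, the slide's first example."""
    kl, kr = k >> HALF, k & ((1 << HALF) - 1)
    return (kr << HALF) | (kl ^ kr)


def gf_mul(a, b, poly=0x11B):
    """Multiplication in F_{2^8} modulo x^8+x^4+x^3+x+1 (AES polynomial;
    any irreducible degree-8 polynomial would do)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


def pi_mult(c):
    """k -> c (.) k in F_{2^8}; the slide's second example, valid iff c not in {0, 1}."""
    return lambda k: gf_mul(c, k)


def pi_xor_const(c=0x5A):
    """Non-example (assumption of this block): a permutation, but k ^ pi(k) = c is constant."""
    return lambda k: k ^ c


def random_permutation(seed):
    """Seeded shuffle as a stand-in for the public random permutation P, with its inverse."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    inv = [0] * SIZE
    for u, v in enumerate(table):
        inv[v] = u
    return table, inv


def em2_encrypt(x, k, P, pi):
    """y = P(P(x ^ k) ^ pi(k)) ^ k : round keys (k, pi(k), k), one permutation."""
    return P[P[x ^ k] ^ pi(k)] ^ k


def em2_decrypt(y, k, P_inv, pi):
    """Inverse of em2_encrypt: undo the key additions and P in reverse order."""
    return P_inv[P_inv[y ^ k] ^ pi(k)] ^ k


def roundtrip_ok(seed=7):
    """Encrypt/decrypt every block under a random key with the Feistel-like pi."""
    P, P_inv = random_permutation(seed)
    k = random.Random(seed + 1).randrange(SIZE)
    return all(em2_decrypt(em2_encrypt(x, k, P, pi_feistel), k, P_inv, pi_feistel) == x
               for x in range(SIZE))


if __name__ == "__main__":
    print("Feistel-like pi is an orthomorphism:", is_orthomorphism(pi_feistel))
    print("c=2 field multiplication is an orthomorphism:", is_orthomorphism(pi_mult(2)))
    print("c=1 (identity) is not:", is_orthomorphism(pi_mult(1)))
    print("c=0 is not:", is_orthomorphism(pi_mult(0)))
    print("k ^ const is not:", is_orthomorphism(pi_xor_const()))
    print("encrypt/decrypt roundtrip:", roundtrip_ok())
```

The XOR-with-a-constant case is the one to remember in practice: a "key schedule" that only adds round constants to the master key is a permutation but not an orthomorphism, since k ⊕ π(k) is constant, so it does not satisfy the hypothesis of this theorem.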

SLIDE 25

Our results (2/2): one single permutation

Theorem (more general). The 2-round EM cipher below is secure up to O(2^{2n/3}) queries when
(i) γ0, γ1, γ2 are F2-linear permutations;
(ii) γ0 ⊕ γ1 and γ1 ⊕ γ2 are permutations;
(iii) γ0 ⊕ γ1 ⊕ γ2 is a permutation.
These conditions hold for the key schedule (k, π(k), k) of the previous slide: γ0 ⊕ γ1 = γ1 ⊕ γ2 = k ⊕ π(k) is a permutation because π is an orthomorphism, and γ0 ⊕ γ1 ⊕ γ2 = π(k) is a permutation.

[Figure: E(x) = P(P(x ⊕ γ0(k)) ⊕ γ1(k)) ⊕ γ2(k), single permutation P, round keys ki = γi(k).]

Conjecture: F2-linearity and (iii) are not needed.

SLIDE 28

Minimality of the construction

[Figure: the construction E(x) = P(P(x ⊕ k) ⊕ π(k)) ⊕ k next to its variant without π, with a second plaintext x′ obtained by sliding the first round: x′ = P(x ⊕ k).]

This construction is "minimal" to achieve O(2^{2n/3}) security. Removing any component causes security to drop back to O(2^{n/2}):
• removing one of the P's: 1-round Even-Mansour, O(2^{n/2})-secure
• removing π (identical round keys and identical permutation): slide attack with O(2^{n/2}) complexity:
  find (x, y), (x′, y′) such that x′ = P(x ⊕ k) (a slid pair). Such a pair satisfies y′ = P(y) ⊕ k, so it can be detected by checking that x ⊕ P(y) = y′ ⊕ P^{-1}(x′) (both sides equal x ⊕ y′ ⊕ k), and it gives the key as k = x ⊕ P^{-1}(x′). Among 2^{n/2} random plaintext/ciphertext pairs a slid pair exists with constant probability. This works for any number of rounds with identical round keys and identical permutations.
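The slide attack above, as an added Python example that is not part of the original slides. It runs against the variant with π removed (same key k and same permutation P in both rounds), with n = 16, a seeded shuffle as the public permutation P, and a budget of q = 2048 known plaintexts (q^2/2^n ≈ 64 expected slid pairs); these parameters are assumptions of this example. The same routine is also run against the construction with the Feistel-like π, where the slid-pair relation no longer holds and no candidate key survives verification.

```python
# Added example (not from the paper): slide attack on 2-round Even-Mansour
# with identical round keys and identical permutation (the "no pi" variant).
import random

N = 16                          # toy block size (assumption)
SIZE = 1 << N
HALF = N // 2


def random_permutation(seed):
    """Seeded shuffle as a stand-in for the public random permutation P, with its inverse."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    inv = [0] * SIZE
    for u, v in enumerate(table):
        inv[v] = u
    return table, inv


def em2_same_key(x, k, P):
    """y = P(P(x ^ k) ^ k) ^ k : identical round keys, identical permutation, no pi."""
    return P[P[x ^ k] ^ k] ^ k


def pi_feistel(k):
    """(kL, kR) -> (kR, kL ^ kR), the orthomorphism of the construction."""
    kl, kr = k >> HALF, k & ((1 << HALF) - 1)
    return (kr << HALF) | (kl ^ kr)


def em2_with_pi(x, k, P):
    """y = P(P(x ^ k) ^ pi(k)) ^ k : the construction of the paper."""
    return P[P[x ^ k] ^ pi_feistel(k)] ^ k


def slide_attack(encrypt, P, P_inv, q, rng):
    """Try to recover k from q known plaintexts and O(q) queries to P / P^-1,
    assuming the same-key structure em2_same_key.

    A slid pair satisfies x' = P(x ^ k), hence y' = P(y) ^ k, so both
    x ^ P(y) and y' ^ P_inv(x') equal x ^ y' ^ k: a slid pair shows up as a
    collision between the two lists below, found with a dictionary.
    Returns the key, or None if no candidate explains the observed pairs.
    """
    xs = rng.sample(range(SIZE), q)
    pairs = [(x, encrypt(x)) for x in xs]                 # q queries to E
    index = {}
    for x, y in pairs:
        index.setdefault(x ^ P[y], []).append((x, y))      # q queries to P
    (x0, y0), (x1, y1) = pairs[0], pairs[1]
    for xp, yp in pairs:
        b = yp ^ P_inv[xp]                                 # q queries to P^-1
        for x, y in index.get(b, ()):
            k = x ^ P_inv[xp]                              # k from x' = P(x ^ k)
            # Chance collisions (about q^2 / 2^N of them) also land here;
            # a candidate must reproduce two known pairs to be accepted.
            if em2_same_key(x0, k, P) == y0 and em2_same_key(x1, k, P) == y1:
                return k
    return None


def run_attack(cipher, seed=1, q=2048):
    """Return (true key, recovered key or None) for one random instance of `cipher`."""
    rng = random.Random(seed)
    P, P_inv = random_permutation(seed)
    k = rng.randrange(SIZE)
    recovered = slide_attack(lambda x: cipher(x, k, P), P, P_inv, q, rng)
    return k, recovered


if __name__ == "__main__":
    k, rec = run_attack(em2_same_key)
    print(f"no pi : true key {k:#06x}, recovered {rec} with ~3*2048 queries (2^n = {SIZE})")
    k, rec = run_attack(em2_with_pi)
    print(f"with pi: true key {k:#06x}, recovered {rec}")
```

Three query lists of size q and one dictionary give the O(2^{n/2}) memory and time the slide quotes. The run against the π-variant returning None is only evidence that this particular attack fails, not a security proof; the proof is the subject of the next section.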

SLIDE 33

Outline (section 3: Sketch of the Security Proof)

SLIDE 34

Formalizing indistinguishability (in the RP Model)

[Figure: the distinguisher D outputs 0/1 after qe queries to the cipher oracle and qp queries to P. Real world: the cipher E(x) = P(P(x ⊕ k) ⊕ π(k)) ⊕ k. Ideal world: an independent random permutation E.]

• real world: the cipher with a random key k ←$ {0, 1}^n
• ideal world: E is a random permutation independent from P
• Random Permutation Model: D has oracle access to P in both worlds
• for this talk, qe = qp = q

SLIDE 37

Query transcript

[Figure: the two-round construction with the sets X (plaintexts), U and V (inputs and outputs of P), and Y (ciphertexts) marked on the wires of E.]

The distinguisher can query:
• oracle E forward: E(x) = y, and backward: E^{-1}(y) = x
• oracle P forward: P(u) = v, and backward: P^{-1}(v) = u

This results in a query transcript τ = (QE, QP):
QE = {(x1, y1), ..., (xq, yq)}, with X the set of the xi's and Y the set of the yi's
QP = {(u1, v1), ..., (uq, vq)}, with U the set of the ui's and V the set of the vi's.

SLIDE 53

H-coefficient framework

[Figure: as on the previous slide.]

Adv(D) ≤ ‖Treal − Tideal‖ (statistical distance), where Treal / Tideal is the distribution of the transcript (QE, QP) in the real / ideal world.

SLIDE 54

H-coefficient framework

Lemma. Partition the set of transcripts into "good" ones Tgood and "bad" ones Tbad. Then

  ∀τ ∈ Tgood, Pr[Treal = τ] / Pr[Tideal = τ] ≥ 1 − ε1
  Pr[Tideal ∈ Tbad] ≤ ε2

  ⇒ Adv(D) ≤ ε1 + ε2
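The short argument behind the lemma, added here as a worked derivation that is not on the original slide. It uses the slide's notation and the standard fact that the statistical distance is the sum of $\Pr[T_{\mathrm{ideal}}=\tau]-\Pr[T_{\mathrm{real}}=\tau]$ over the transcripts where that difference is positive (so only transcripts with $\Pr[T_{\mathrm{ideal}}=\tau]>0$ matter, and the ratio in the lemma is well defined):

$$
\begin{aligned}
\mathrm{Adv}(D) \le \|T_{\mathrm{real}} - T_{\mathrm{ideal}}\|
&= \sum_{\tau} \max\bigl(0,\; \Pr[T_{\mathrm{ideal}}=\tau] - \Pr[T_{\mathrm{real}}=\tau]\bigr) \\
&= \sum_{\tau \in \mathcal{T}_{\mathrm{good}}} \Pr[T_{\mathrm{ideal}}=\tau]\,\max\!\Bigl(0,\; 1 - \frac{\Pr[T_{\mathrm{real}}=\tau]}{\Pr[T_{\mathrm{ideal}}=\tau]}\Bigr)
 \;+\; \sum_{\tau \in \mathcal{T}_{\mathrm{bad}}} \max\bigl(0,\; \Pr[T_{\mathrm{ideal}}=\tau] - \Pr[T_{\mathrm{real}}=\tau]\bigr) \\
&\le \varepsilon_1 \sum_{\tau \in \mathcal{T}_{\mathrm{good}}} \Pr[T_{\mathrm{ideal}}=\tau] \;+\; \sum_{\tau \in \mathcal{T}_{\mathrm{bad}}} \Pr[T_{\mathrm{ideal}}=\tau]
\;\le\; \varepsilon_1 + \varepsilon_2 .
\end{aligned}
$$

The first sum uses the ratio condition on good transcripts ($1 - \Pr[T_{\mathrm{real}}=\tau]/\Pr[T_{\mathrm{ideal}}=\tau] \le \varepsilon_1$), the second drops the subtracted real-world probability. The practical consequence is the division of labour used in the rest of the talk: $\varepsilon_2$ is a probability computed purely in the ideal world (random permutations, no key), while $\varepsilon_1$ only has to be established for transcripts that are already known to be good.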

SLIDE 55

Bad keys and bad transcripts (simplified)

[Figure: the two-round construction with the sets X, U, V, Y and a candidate key k′ placed on the wires.]

A key k′ is bad if D can check its "compatibility" with the transcript, i.e. if two of the three key additions can be matched against queried values:
1. ∃(x, y) ∈ QE, u ∈ U, v ∈ V : k′ = x ⊕ u = y ⊕ v
2. ∃(u, v) ∈ QP, x ∈ X, u′ ∈ U : k′ = x ⊕ u and π(k′) = v ⊕ u′
3. ∃(u, v) ∈ QP, y ∈ Y, v′ ∈ V : k′ = v ⊕ y and π(k′) = v′ ⊕ u

A transcript (QE, QP) is bad if it has too many bad keys. We must show that with high probability (in the ideal world), # bad keys ≪ 2^n.

slide-69
SLIDE 69

Upper bounding the number of bad keys

[Figure: the two-round construction with query sets X, U, V, Y, the permutations P, P and E, and a candidate key k′]

Focus on case 1: ∃(x, y) ∈ QE, u ∈ U, v ∈ V : k′ = x ⊕ u = y ⊕ v. Then

# bad keys ≤ #{((x, y), u, v) ∈ QE × U × V : x ⊕ y = u ⊕ v}, where x ⊕ y ≃ random.
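
The bad-key definition (cases 1 to 3) and the case-1 counting bound above, as an added toy implementation that is not part of the talk: it builds the two-round cipher with round keys (k, π(k), k) on 8-bit blocks, assumes a rotate-left π as a stand-in for an F2-linear key schedule, enumerates the keys a constructed transcript lets D check, and compares the case-1 bad keys with the bound #{((x, y), u, v) : x ⊕ y = u ⊕ v}.

```python
import random

N_BITS = 8            # toy block size; the proof is asymptotic in n
N = 1 << N_BITS

def pi(k):
    # Assumed F2-linear key derivation (hypothetical choice for this example):
    # rotate the n-bit key left by one position.
    return ((k << 1) | (k >> (N_BITS - 1))) & (N - 1)

def em2(P, k, x):
    # Two-round Even-Mansour with a single permutation P and round keys (k, pi(k), k).
    return P[P[x ^ k] ^ pi(k)] ^ k

def bad_keys(QE, QP):
    """Keys k' that D could check against the transcript (cases 1-3 of the slide)."""
    X = {x for x, _ in QE}; Y = {y for _, y in QE}
    U = {u for u, _ in QP}; V = {v for _, v in QP}
    bad = set()
    for k in range(N):
        pk = pi(k)
        case1 = any((x ^ k) in U and (y ^ k) in V for x, y in QE)
        case2 = any((u ^ k) in X and (v ^ pk) in U for u, v in QP)
        case3 = any((v ^ k) in Y and (u ^ pk) in V for u, v in QP)
        if case1 or case2 or case3:
            bad.add(k)
    return bad

def case1_bad_keys(QE, QP):
    """Only the keys caught by case 1: k' = x ^ u = y ^ v with u in U, v in V."""
    U = {u for u, _ in QP}; V = {v for _, v in QP}
    return {x ^ u for x, y in QE for u in U if (y ^ x ^ u) in V}

def case1_bound(QE, QP):
    """#{((x, y), u, v) in QE x U x V : x ^ y == u ^ v}, the slide's upper bound."""
    U = {u for u, _ in QP}; V = {v for _, v in QP}
    return sum(1 for x, y in QE for u in U for v in V if x ^ y == u ^ v)

def sample_transcript(q, seed):
    """Constructed transcript: q random E-queries and q random P-queries (seeded)."""
    rng = random.Random(seed)
    P = list(range(N)); rng.shuffle(P)        # the public permutation
    k = rng.randrange(N)                      # the secret key of the real world
    QE = [(x, em2(P, k, x)) for x in rng.sample(range(N), q)]
    QP = [(u, P[u]) for u in rng.sample(range(N), q)]
    return QE, QP
```

With q = 8 queries of each type the transcript typically leaves only a handful of the 256 keys bad, which is the "# bad keys ≪ 2^n" the proof needs.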

slide-72
SLIDE 72

The sum-capture problem

For A = {a_1, . . . , a_q} ⊆ {0, 1}^n, let

µ(A) = max over U, V ⊆ {0, 1}^n with |U| = |V| = q of |{(a, u, v) ∈ A × U × V : a = u ⊕ v}|

If A is “structured”, e.g. a vector space, then µ(A) = q^2.
Sum-capture problem: find upper bounds on µ(A) for a random set A.

Theorem ([Bab89, Ste13])

If q ≤ 2^{2n/3}, then with overwhelming probability for a random set A, µ(A) ≲ q^{3/2}.

(Hence µ(A) ≪ 2^n when q ≪ 2^{2n/3}.)
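
The structured-versus-random contrast behind the sum-capture problem, as an added example that is not from the talk: it counts the triples (a, u, v) with a = u ⊕ v for one fixed choice U = V = A (so it evaluates one term of the maximum, not µ(A) itself), on a 4-dimensional subspace of {0, 1}^12 and on a constructed random 16-element subset of the same space.

```python
import random

def sum_capture_count(A, U, V):
    """|{(a, u, v) in A x U x V : a = u XOR v}| for one fixed choice of U and V.
    mu(A) on the slide is the maximum of this quantity over all U, V of size q."""
    A = set(A)
    return sum(1 for u in U for v in V if (u ^ v) in A)

def span(basis):
    """All F2-linear combinations of the basis vectors: a 'structured' set (a subspace)."""
    S = {0}
    for b in basis:
        S |= {s ^ b for s in S}
    return S

def random_subset(n, q, seed):
    """Constructed 'random' set A of q distinct n-bit values (seeded for reproducibility)."""
    return set(random.Random(seed).sample(range(1 << n), q))

def structured_vs_random(n, dim, seed):
    """Compare the count with U = V = A for a subspace and for a random set of the same size.
    For the subspace every u ^ v lands back in A, so the count is exactly q^2;
    for a random A of the same size it stays far below q^(3/2)."""
    A_struct = span([1 << i for i in range(dim)])    # q = 2**dim elements
    q = len(A_struct)
    A_rand = random_subset(n, q, seed)
    return (sum_capture_count(A_struct, A_struct, A_struct),
            sum_capture_count(A_rand, A_rand, A_rand),
            q)

if __name__ == "__main__":
    s, r, q = structured_vs_random(12, 4, 1)
    print(f"q={q}: subspace gives {s} (= q^2), random set gives {r}, q^(3/2) = {q ** 1.5:.0f}")
```

Here q = 16 ≤ 2^{2n/3} = 256, so the theorem's regime applies and q^{3/2} = 64 is the scale the random count should stay under.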

slide-75
SLIDE 75

A new sum-capture theorem

In our case, we need to adapt the theorem to the case where A = {x_1 ⊕ y_1, . . . , x_q ⊕ y_q} ≃ random.

Theorem

Let D be an adversary interacting with a random permutation E of {0, 1}^n, resulting in a query transcript QE = {(x_1, y_1), . . . , (x_q, y_q)}. Let

µ(QE) = max over U, V ⊆ {0, 1}^n with |U| = |V| = q of |{((x, y), u, v) ∈ QE × U × V : x ⊕ y = u ⊕ v}|

If q ≤ 2^{2n/3}, then with overwhelming probability,

# bad keys ≤ µ(QE) ≤ 3(√n + 1) q^{3/2}.

Proof: Fourier analysis.

slide-78
SLIDE 78

Good transcripts

For a “good” transcript τ = (QE, QP) with the expected number of bad keys, we are reduced to the following permutation counting problem.

Permutation counting problem (simplified)

Let X = {x_1, . . . , x_q} and Y = {y_1, . . . , y_q} with X ∩ Y “small”. Compare

p_real = Pr[P ←$ P_n : P ◦ P(x_i) = y_i for i = 1, . . . , q]

and

p_ideal = 1 / (2^n (2^n − 1) · · · (2^n − q + 1))   (= Pr[E(x_i) = y_i])

Lemma

Assume |X ∩ Y| ≤ q / 2^{n/3}. Then p_real ≥ (1 − ε_1) p_ideal with ε_1 = O(q^3 / 2^{2n}).

Proof: intricate counting

slide-80
SLIDE 80

Random square permutation vs. random permutation

[Figure: distinguisher D, outputting 0/1, querying either P ◦ P (left) or E (right)]

Random Square Permutation Problem

How many queries does D need to distinguish a random square permutation P ◦ P from a perfectly random permutation E? Conjecture: indistinguishable up to ∼ 2^n queries. Best known attack: find a fixed point (P ◦ P has twice as many fixed points as a random permutation).
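
The fixed-point gap quoted above, made concrete by an added exhaustive computation that is not from the talk: averaging over all permutations of a small set (not a random sample, so the numbers are exact) shows that P ◦ P has on average 2 fixed points against 1 for a random permutation, because every point on a 1-cycle or a 2-cycle of P is fixed by P ◦ P.

```python
from itertools import permutations

def compose(P, Q):
    """(P o Q)(i) = P(Q(i)); permutations are sequences indexed by range(len(P))."""
    return [P[Q[i]] for i in range(len(P))]

def fixed_points(P):
    """Number of i with P(i) = i."""
    return sum(1 for i, p in enumerate(P) if i == p)

def average_fixed_points(size, square):
    """Exact average number of fixed points over ALL permutations of `size` points,
    of P itself (square=False) or of its square P o P (square=True).
    A random permutation has 1 expected fixed point; P o P fixes every point on a
    1-cycle (expected 1) or a 2-cycle (expected 1/2 two-cycles, i.e. 1 point), so 2."""
    total = count = 0
    for P in permutations(range(size)):
        Q = compose(P, P) if square else P
        total += fixed_points(Q)
        count += 1
    return total / count

if __name__ == "__main__":
    print("random permutation:", average_fixed_points(6, square=False))
    print("random square P o P:", average_fixed_points(6, square=True))
```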

slide-82
SLIDE 82

Conclusion

minimal Even-Mansour cipher secure against generic attacks up to O(2^{2n/3}) queries:

[Figure: the minimal cipher, labels x, k, P, P, π, y]

first “beyond birthday-bound” security result for AES-like ciphers that does not require the “independent round keys” assumption

Open problems:

remove technical restrictions (mainly F2-linear key-schedule)
extend the result to r ≥ 3 rounds! (generalization of the sum-capture problem?)

slide-85
SLIDE 85

The end. . .

Thanks for your attention! Comments or questions?

slide-86
SLIDE 86

References I

László Babai. The Fourier Transform and Equations over Finite Abelian Groups: An introduction to the method of trigonometric sums. Lecture notes, December 1989. Available at http://people.cs.uchicago.edu/~laci/reu02/fourier.pdf.

Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, François-Xavier Standaert, John P. Steinberger, and Elmar Tischhauser. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations (Extended Abstract). In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 45–62. Springer, 2012.

slide-87
SLIDE 87

References II

Shan Chen and John Steinberger. Tight Security Bounds for Key-Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 327–350. Springer, 2014. Full version available at http://eprint.iacr.org/2013/222.

Orr Dunkelman, Nathan Keller, and Adi Shamir. Minimalism in Cryptography: The Even-Mansour Scheme Revisited. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 336–354. Springer, 2012.

Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 10(3):151–162, 1997.

slide-88
SLIDE 88

References III

Rodolphe Lampe, Jacques Patarin, and Yannick Seurin. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 278–295. Springer, 2012.

John Steinberger. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481, 2012. Available at http://eprint.iacr.org/2012/481.

John Steinberger. Counting solutions to additive equations in random sets. arXiv Report 1309.5582, 2013. Available at http://arxiv.org/abs/1309.5582.
