TY - GEN
T1 - Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES2
AU - Dinur, Itai
AU - Dunkelman, Orr
AU - Keller, Nathan
AU - Shamir, Adi
PY - 2013
Y1 - 2013
N2 - The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs. The original 1-round construction was naturally generalized into r-round structures with one key, two alternating keys, and completely independent keys. In this paper we describe the first key recovery attack on the one-key 3-round version of EM which is asymptotically faster than exhaustive search (in the sense that its running time is o(2n ) rather than O(2n) for an n-bit key). We then use the new cryptanalytic techniques in order to improve the best known attacks on several concrete EM-like schemes. In the case of LED-128, the best previously known attack could only be applied to 6 of its 12 steps. In this paper we develop a new attack which increases the number of attacked steps to 8, is slightly faster than the previous attack on 6 steps, and uses about a thousand times less data. Finally, we describe the first attack on the full AES2 (which uses two complete AES-128 encryptions and three independent 128-bit keys, and looks exceptionally strong) which is about 7 times faster than a standard meet-in-the-middle attack, thus violating its security claim.
AB - The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs. The original 1-round construction was naturally generalized into r-round structures with one key, two alternating keys, and completely independent keys. In this paper we describe the first key recovery attack on the one-key 3-round version of EM which is asymptotically faster than exhaustive search (in the sense that its running time is o(2n ) rather than O(2n) for an n-bit key). We then use the new cryptanalytic techniques in order to improve the best known attacks on several concrete EM-like schemes. In the case of LED-128, the best previously known attack could only be applied to 6 of its 12 steps. In this paper we develop a new attack which increases the number of attacked steps to 8, is slightly faster than the previous attack on 6 steps, and uses about a thousand times less data. Finally, we describe the first attack on the full AES2 (which uses two complete AES-128 encryptions and three independent 128-bit keys, and looks exceptionally strong) which is about 7 times faster than a standard meet-in-the-middle attack, thus violating its security claim.
KW - AES encryption scheme
KW - Cryptanalysis
KW - LED encryption scheme
KW - iterated Even-Mansour
KW - key recovery attacks
UR - http://www.scopus.com/inward/record.url?scp=84892379419&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-42033-7_18
DO - 10.1007/978-3-642-42033-7_18
M3 - Conference contribution
AN - SCOPUS:84892379419
SN - 9783642420320
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 337
EP - 356
BT - Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
T2 - 19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013
Y2 - 1 December 2013 through 5 December 2013
ER -