Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

Research output: Contribution to journalArticlepeer-review


Iterated Even–Mansour (EM) encryption schemes (also named “key-alternating ciphers”) were extensively studied in recent years as an abstraction of commonly used block ciphers. A large amount of previous works on iterated EM concentrated on security in an information-theoretic model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the computational model: What is the minimal number of rounds, assuring that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the identical subkeys variant and the independent subkeys variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that r= 3 rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about n/ log (n) times faster than exhaustive search for an n-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for r= 2 , there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full AES 2(proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).

Original languageEnglish
Pages (from-to)697-728
Number of pages32
JournalJournal of Cryptology
Issue number4
StatePublished - 1 Oct 2016

Bibliographical note

Publisher Copyright:
© 2015, International Association for Cryptologic Research.


  • AES block cipher
  • Backdoors in cryptography
  • Cryptanalysis
  • Iterated Even–Mansour
  • Key recovery attacks
  • LED block cipher

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Applied Mathematics


Dive into the research topics of 'Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes'. Together they form a unique fingerprint.

Cite this