Minimalism in cryptography: The Even-Mansour scheme revisited

Orr Dunkelman, Nathan Keller, Adi Shamir

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

In this paper we consider the following fundamental problem: What is the simplest possible construction of a block cipher which is provably secure in some formal sense? This problem motivated Even and Mansour to develop their scheme in 1991, but its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which was based on differential cryptanalysis) required chosen plaintexts. In this paper we solve this open problem by describing the new Slidex attack which matches the T=Ω(2 n/D) lower bound on the time T for any number of known plaintexts D. Once we obtain this tight bound, we can show that the original two-key Even-Mansour scheme is not minimal in the sense that it can be simplified into a single key scheme with half as many key bits which provides exactly the same security, and which can be argued to be the simplest conceivable provably secure block cipher. We then show that there can be no comparable lower bound on the memory requirements of such attacks, by developing a new memoryless attack which can be applied with the same time complexity but only in the special case of D=2 n/2. In the last part of the paper we analyze the security of several other variants of the Even-Mansour scheme, showing that some of them provide the same level of security while in others the lower bound proof fails for very delicate reasons.

Original languageEnglish
Title of host publicationAdvances in Cryptology, EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Pages336-354
Number of pages19
DOIs
StatePublished - 2012
Event31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2012 - Cambridge, United Kingdom
Duration: 15 Apr 201219 Apr 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7237 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2012
Country/TerritoryUnited Kingdom
CityCambridge
Period15/04/1219/04/12

Keywords

  • Even-Mansour block cipher
  • minimalism
  • provable security
  • slide attacks
  • slidex attack
  • tight security bounds
  • whitening keys

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Minimalism in cryptography: The Even-Mansour scheme revisited'. Together they form a unique fingerprint.

Cite this