Tight Security Bounds for Key-Alternating Ciphers
Authors: Shan Chen and John Steinberger
Abstract
A $t$-round key-alternating cipher (also called an iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \dots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \| \cdots \| k_t \in \{0,1\}^{(t+1)n}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the (public) random permutations $P_1, \dots, P_t$ was investigated in 1997 by Even and Mansour for $t = 1$ and, for higher values of $t$, in a series of recent papers. For $t = 1$, Even and Mansour proved indistinguishability security up to $2^{n/2}$ queries, which is tight. Much later, Bogdanov et al. (2011) conjectured that security should be $2^{\frac{t}{t+1} n}$ queries for general $t$, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour's original result for $t = 1$: Bogdanov et al. proved security of $2^{\frac{2}{3} n}$ for $t \ge 2$, Steinberger (2012) proved security of $2^{\frac{3}{4} n}$ for $t \ge 3$, and Lampe, Patarin and Seurin (2012) proved security of $2^{\frac{t}{t+2} n}$ for all even values of $t$, thus "barely" falling short of the desired $2^{\frac{t}{t+1} n}$. Our contribution in this work is to prove the long-sought-for security bound of $2^{\frac{t}{t+1} n}$, up to a constant multiplicative factor depending on $t$. Our method is essentially an application of Patarin's H-coefficient technique. The proof contains some coupling-like and inclusion-exclusion ideas, but the main trick that pushes the computations through is to stick with the combinatorics and to refrain from rounding any quantities too early. For the reader's interest, we include a self-contained tutorial on the H-coefficient technique.
Introduction
Given $t$ permutations $P_1, \dots, P_t : \{0,1\}^n \to \{0,1\}^n$, the $t$-round key-alternating cipher based on $P_1, \dots, P_t$ is a blockcipher $E : \{0,1\}^{(t+1)n} \times \{0,1\}^n \to \{0,1\}^n$ with keyspace $\{0,1\}^{(t+1)n}$ and message space $\{0,1\}^n$, where for a key $k = k_0 \| k_1 \| \cdots \| k_t \in \{0,1\}^{(t+1)n}$ and a message $x \in \{0,1\}^n$ we set

$$E(k, x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots P_1(k_0 \oplus x) \cdots)). \qquad (1)$$

(See Figure 1.) Plainly, $E(k, \cdot)$ is a permutation of $\{0,1\}^n$ for each fixed $k \in \{0,1\}^{(t+1)n}$; we let $E^{-1}(k, \cdot)$ denote the inverse permutation. The $P_i$'s are called the round permutations of $E$ and $t$ is the number of rounds of $E$. Thus $t$ and the permutations $P_1, \dots, P_t$ are parameters determining $E$.

Figure 1: A $t$-round key-alternating cipher (the diagram shows the chain $x \oplus k_0 \to P_1 \to \oplus k_1 \to P_2 \to \oplus k_2 \to P_3 \to \cdots \to P_t \to \oplus k_t$).
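As an added worked example (not code from the paper), the following Python implements equation (1) and its inverse $E^{-1}(k, \cdot)$ for a toy block size. The public round permutations $P_1, \dots, P_t$ are sampled as seeded random permutations and stored as lookup tables, an assumption standing in for "fixed public permutations" that the adversary may query; it also checks that the $t = 1$ instance is exactly the Even-Mansour cipher $PX_{k_0,k_1}(x) = k_1 \oplus P(x \oplus k_0)$ listed among the related resources below. The function names, the seed and the toy parameters are this example's own.

```python
"""Toy t-round key-alternating (iterated Even-Mansour) cipher on n-bit blocks.

Added example, not code from the paper. The round permutations P_1..P_t are
sampled from a seeded PRNG as lookup tables (an assumption standing in for
fixed public permutations); n is kept tiny so the tables fit in memory.
"""
import random
from typing import List, Tuple


def sample_round_permutations(t: int, n: int, seed: int = 1) -> List[List[int]]:
    """Return t random permutations of {0, ..., 2^n - 1} as lookup tables.

    These play the role of the public round permutations P_1, ..., P_t.
    Anyone holding the seed can recompute them: they are public, not secret.
    """
    rng = random.Random(seed)
    perms = []
    for _ in range(t):
        table = list(range(1 << n))
        rng.shuffle(table)
        perms.append(table)
    return perms


def invert_permutation(p: List[int]) -> List[int]:
    """Lookup table of P^{-1} for a permutation P given as a lookup table."""
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return inv


def encrypt(perms: List[List[int]], keys: List[int], x: int) -> int:
    """E(k, x) = k_t ^ P_t(k_{t-1} ^ P_{t-1}(... P_1(k_0 ^ x) ...)), eq. (1).

    keys is the list [k_0, k_1, ..., k_t], i.e. t+1 subkeys for t rounds.
    """
    t = len(perms)
    if len(keys) != t + 1:
        raise ValueError("a t-round cipher needs exactly t+1 subkeys k_0..k_t")
    y = x ^ keys[0]
    for i in range(t):
        y = perms[i][y] ^ keys[i + 1]
    return y


def decrypt(perms: List[List[int]], keys: List[int], y: int) -> int:
    """E^{-1}(k, y): strip k_i and apply P_i^{-1} in reverse round order."""
    t = len(perms)
    if len(keys) != t + 1:
        raise ValueError("a t-round cipher needs exactly t+1 subkeys k_0..k_t")
    inverses = [invert_permutation(p) for p in perms]
    x = y
    for i in reversed(range(t)):
        x = inverses[i][x ^ keys[i + 1]]
    return x ^ keys[0]


def even_mansour(p: List[int], k0: int, k1: int, x: int) -> int:
    """The one-round special case PX_{k0,k1}(x) = k1 ^ P(x ^ k0)."""
    return k1 ^ p[x ^ k0]


def check_construction(t: int = 3, n: int = 6, seed: int = 7) -> Tuple[bool, bool, bool]:
    """Sanity checks over the whole message space {0,1}^n:
    (a) decrypt inverts encrypt on every block,
    (b) E(k, .) is a permutation (no two blocks collide),
    (c) with t = 1 the construction coincides with Even-Mansour's PX.
    """
    rng = random.Random(seed)
    perms = sample_round_permutations(t, n, seed)
    keys = [rng.randrange(1 << n) for _ in range(t + 1)]  # secret k_0..k_t
    blocks = range(1 << n)
    inverts_ok = all(decrypt(perms, keys, encrypt(perms, keys, x)) == x for x in blocks)
    is_perm = len({encrypt(perms, keys, x) for x in blocks}) == (1 << n)
    p1 = perms[0]
    em_ok = all(encrypt([p1], keys[:2], x) == even_mansour(p1, keys[0], keys[1], x)
                for x in blocks)
    return inverts_ok, is_perm, em_ok


if __name__ == "__main__":
    print("inverts, is permutation, t=1 is Even-Mansour:", check_construction())
```

With the identity as every round permutation the cipher degenerates to XOR with $k_0 \oplus \cdots \oplus k_t$, which is a convenient way to confirm the subkey ordering by hand; the seeded random tables are only a stand-in for the public permutations of the definition and carry no security claim of their own.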
Similar resources
Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security
This paper revisits the concrete security of key-alternating ciphers and key-length extension schemes, with respect to tightness and multi-user security. The best existing bounds on the concrete security of key-alternating ciphers (Chen and Steinberger, EUROCRYPT ’14) are only asymptotically tight, and the quantitative gap with the best existing attacks remains numerically substantial for concr...
Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations
This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher $PX$ from an $n$-bit permutation $P$ and two $n$-bit keys $k_0$ and $k_1$, setting $PX_{k_0,k_1}(x) = k_1 \oplus P(x \oplus k_0)$. Here we consider a (natural) extensi...
Security Analysis of Key-Alternating Feistel Ciphers
We study the security of key-alternating Feistel ciphers, a class of key-alternating ciphers with a Feistel structure. Alternatively, this may be viewed as the study of Feistel ciphers where the pseudorandom round functions are of the form $F_i(x \oplus k_i)$, where $k_i$ is the (secret) round key and $F_i$ is a public random function that the adversary is allowed to query in a black-box way. Interestingly, ou...
Tight security bounds for multiple encryption
Multiple encryption, the practice of composing a blockcipher several times with itself under independent keys, has received considerable attention of late from the standpoint of provable security. Despite these efforts, proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving bo...
Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance
A $t$-round key-alternating cipher can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \dots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the ...
On the computational complexity of finding a minimal basis for the guess and determine attack
The guess-and-determine attack is one of the general attacks on stream ciphers and a common cryptanalysis tool for evaluating their security. The effectiveness of this attack is based on the number of unknown bits that the attacker must guess to break the cryptosystem. In this work, we present a relation between the minimum number of guessed bits and uniquely restricted...
Journal: IACR Cryptology ePrint Archive
Volume: 2013
Publication date: 2013