From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour.

RK distinguishers can be converted to key recovery Switch to queries to (k ∆) (Still only one RK class) RKA models (cont.) ... Allowing RK distinguishers on EM ≡ allowing (linear-time) RK key recovery mod change of RK class ...

doi:10.1007/978-3-319-23318-5_10 fatcat:7kjzeo7oc5bq7kaixqhlg45ek4

These attacks are based on recent work by Fouque, Joux and Mavromati presented at Asiacrypt 2014 on Even-Mansour based constructions. ... In this paper, we present key-recovery attacks against Chaskey in the single and multi-user setting. ... Collision-based attacks using the distinguished point technique against the Even-Mansour scheme The distinguished point technique. ...

doi:10.1007/978-3-319-31301-6_12 fatcat:apl5cjsqjbc5npbucdgxt5doie

Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full AES 2 (proposed at Eurocrypt 2012) and reduced-round ... Iterated Even-Mansour (EM) encryption schemes (also named "key-alternating ciphers") were extensively studied in recent years as an abstraction of commonly used block ciphers. ... A Time-Optimized Attack on 2-Round Iterated Even-Mansour with Independent Subkeys In order to improve the attack, we need to add more filtering conditions, and thus we actually work on triplets, as described ...

doi:10.1007/s00145-015-9207-3 fatcat:6laql7jmobdz5gwbxfryu7zmfq

We then use the new cryptanalytic techniques in order to improve the best known attacks on several concrete EM-like schemes. ... The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs. ... A Time-Optimized Attack on 2-Round Iterated Even-Mansour In order to improve the attack, we need to add more filtering conditions, and thus we actually work on triplets, as described in the improved algorithm ...

doi:10.1007/978-3-642-42033-7_18 fatcat:re3nf6of7vdzbbdmyw27aivc3i

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. ... In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from ... We are also grateful to Si Gao for providing useful suggestions on the related experiments. ...

doi:10.46586/tosc.v2016.i2.288-306 fatcat:2dg5ktpl3vavzmvl6vcpxkq23q

DOAJ OJS

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. ... In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from ... We are also grateful to Si Gao for providing useful suggestions on the related experiments. ...

doi:10.13154/tosc.v2016.i2.288-306 dblp:journals/tosc/GuoWLZ16 fatcat:besakbj35bgbpm2mfqfocmmwda

DOAJ OJS

One possible scenario is to recover a single key in a large set of users more efficiently than to recover a key in the classical model. ... We put these two ideas together and we show that in the multi-user Even-Mansour scheme, all the keys of L = N 1/3 users can be found with N 1/3+ queries for each user (where N is the domain size). ... Time/Memory/Data Tradeoff Attack on Even-Mansour Attacking Even-Mansour using distinguished points methods. ...

doi:10.1007/978-3-662-45611-8_22 fatcat:s2o446bbwncancfpg4m6dpeyxa

At ASIACRYPT 1991, Even and Mansour introduced a block cipher construction based on a single permutation. ... In this paper, we prove that if a small number of plaintexts are encrypted under multiple independent keys, the Even-Mansour construction surprisingly offers similar security as an ideal block cipher with ... For a discussion of these attacks and their subsequent improvements, we refer to Sect. 2.3. Evidently, these attacks are also applicable to the Even-Mansour block cipher in the multi-key setting. ...

doi:10.1007/978-3-662-47989-6_10 fatcat:o3izd5smcrcvloiybvbbfvfcje

From January 10-15, 2016, the seminar 16021 in Symmetric Cryptography was held in Schloss Dagstuhl -Leibniz Center for Informatics. ... Another strong trend in the current symmetric key cryptography is related to the so-called Even-Mansour designs. ... From this model one can the derive formulas for success probability and data complexity in multiple and multidimensional linear key-recovery attacks. ...

doi:10.4230/dagrep.6.1.34 dblp:journals/dagstuhl-reports/ArmknechtINP16 fatcat:3p4woms76ncrdm5hkd2iempk74

This graph captures the extent to which certain subsets of coordinates in each vector distinguish it from other vectors. ... Our efficient PID graphs imply general algorithms for these recovery problems, even when loss or noise are just below the information-theoretic limit! ... We thank Sanjeev Arora, Avrim Blum, Russell Impagliazzo, Dick Karp, Yishay Mansour and Elchanan Mossel for helpful comments on an earlier version of this work. ...

doi:10.1007/s10994-015-5489-9 fatcat:2hegmzq6avbi5fhulqsyaa4tlq

This graph captures the extent to which certain subsets of coordinates in each vector distinguish it from other vectors. ... Our efficient PID graphs imply general algorithms for these recovery problems, even when loss or noise are just below the information-theoretic limit! ... We thank Sanjeev Arora, Avrim Blum, Russell Impagliazzo, Dick Karp, Yishay Mansour and Elchanan Mossel for helpful comments on an earlier version of this work. ...

doi:10.1109/focs.2012.14 dblp:conf/focs/WigdersonY12 fatcat:7i7yzhkyqbbixl3ykbkaj4jypi

As a demonstration of the multibridge technique, we devise a new attack on 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 2 96 to 2 64 . ... The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. ... In addition to their application to iterated Even-Mansour ciphers with two keys, we notice that our techniques can also be combined with statistical distinguishers to give efficient key recovery attacks ...

doi:10.1007/978-3-662-45611-8_23 fatcat:ho5gkcthjjbm3fzfga5kgyiemq

In this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack ... (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time Õ(2^n), providing a 2.5 quantum speedup over the best classical attack. ... A typical example is the polynomial-time key-recovery on Even-Mansour of Kuwakado and Morii [44] . Given access to an Even-Mansour cipher EM k1,k2 of unknown key, define f (x) = EM k1,k2 (x)⊕Π(x). ...

arXiv:2110.02836v1 fatcat:r5m6f4bqu5hjhdcaliuh3nat2y

In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed ... For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. ... Acknowledgment We thank Gaëtan Leurent for pointing to our attention the related-key attack matching the security bound of Theorem 2. ...

doi:10.1007/978-3-662-46800-5_23 fatcat:dyikfqk23jcdlanqcjrhhihhbi

Our proof crucially relies on the use of a coupling to upper-bound the statistical distance of the outputs of the iterated Even-Mansour cipher to the uniform distribution. ... We analyze the security of the iterated Even-Mansour cipher (a.k.a. key-alternating cipher), a very simple and natural construction of a blockcipher in the random permutation model. ... We focus on security proofs in this work, but we stress that quite a few papers explored attacks (mainly key-recovery ones) against the Even-Mansour cipher. ...

doi:10.1007/978-3-642-34961-4_18 fatcat:3fcgkecjvfa4ba62iygmfn3zl4

From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour [chapter]

Preserved Fulltext

Key-Recovery Attacks Against the MAC Algorithm Chaskey [chapter]

Preserved Fulltext

Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

Preserved Fulltext

Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES2 [chapter]

Preserved Fulltext

Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP

Preserved Fulltext

Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP

Preserved Fulltext

Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE [chapter]

Preserved Fulltext

Multi-key Security: The Even-Mansour Construction Revisited [chapter]

Preserved Fulltext

Symmetric Cryptography (Dagstuhl Seminar 16021)

Preserved Fulltext

Population recovery and partial identification

Preserved Fulltext

Population Recovery and Partial Identification

Preserved Fulltext

Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys [chapter]

Preserved Fulltext

Beyond quadratic speedups in quantum attacks on symmetric schemes [article]

Preserved Fulltext

On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks [chapter]

Preserved Fulltext

An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher [chapter]

Preserved Fulltext