Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

Iterated Even–Mansour (EM) encryption schemes (also named “key-alternating ciphers”) were extensively studied in recent years as an abstraction of commonly used block ciphers. A large amount of previous works on iterated EM concentrated on security in an information-theoretic model. A central question studied in these papers is: What is the minimal number of rounds for which the resulting cipher is indistinguishable from an ideal cipher? In this paper, we study a similar question in the computational model: What is the minimal number of rounds, assuring that no attack can recover the secret key faster than trivial attacks (such as exhaustive search)? We study this question for the two natural key scheduling variants that were considered in most previous papers: the identical subkeys variant and the independent subkeys variant. In the identical subkeys variant, we improve the best known attack by an additional round and show that r = 3 rounds are insufficient for assuring security, by devising a key recovery attack whose running time is about n / log(n) times faster than exhaustive search for an n-bit key. In the independent subkeys variant, we also extend the known results by one round and show that for r = 2, there exists a key recovery attack whose running time is faster than the benchmark meet-in-the-middle attack. Despite their generic nature, we show that the attacks can be applied to improve the best known attacks on several concrete ciphers, including the full AES² (proposed at Eurocrypt 2012) and reduced-round LED-128 (proposed at CHES 2012).

Detailed description

Bibliographic details
Published in: Journal of cryptology 2016-10, Vol.29 (4), p.697-728
Main authors: Dinur, Itai; Dunkelman, Orr; Keller, Nathan; Shamir, Adi
Format: Article
Language: eng
Online access: Full text
DOI: 10.1007/s00145-015-9207-3
Journal abbreviation: J Cryptol
Publication date: 2016-10-01
Publisher: New York: Springer US (Springer Nature B.V)
Rights: International Association for Cryptologic Research 2015
Page count: 32
Peer reviewed: yes
Open access: free to read
Full text (HTML): https://link.springer.com/10.1007/s00145-015-9207-3
Full text (PDF): https://link.springer.com/content/pdf/10.1007/s00145-015-9207-3
ISSN: 0933-2790
EISSN: 1432-1378
Record ID: cdi_proquest_journals_2387712569
Source: SpringerLink Journals
Subjects: Algorithms; Coding and Information Theory; Combinatorics; Communications Engineering; Computational Mathematics and Numerical Analysis; Computer Science; Encryption; Information theory; Networks; Probability Theory and Stochastic Processes; Questions; Recovery