### Abstract

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KA_{t} consists of a small number t of fixed permutations P_{i} on n bits, separated by key addition: KA_{t}(K, m) = k_{t} ⊕ P _{t}(...k_{2} ⊕ P_{2}(k_{1} ⊕ P _{1}(k_{0} ⊕ m))...), where, (k_{0}..., k _{t}) are obtained from the master key K using some key derivation function. For t = 1, KA_{1} collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P_{1} is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KA_{t} indifferentiable from the ideal cipher, assuming P_{1},...,P_{t} are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA_{5} is indifferentiable from an ideal cipher, assuming P_{1},...,P_{5} are five independent random permutations, and the key derivation function sets all rounds keys k_{i} = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P_{0}(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P_{0},P_{1},P_{2},P_{3},P _{4},P_{5}.

Original language | English (US) |
---|---|

Title of host publication | Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings |

Pages | 531-550 |

Number of pages | 20 |

Volume | 8042 LNCS |

Edition | PART 1 |

DOIs | |

State | Published - 2013 |

Event | 33rd Annual International Cryptology Conference, CRYPTO 2013 - Santa Barbara, CA, United States Duration: Aug 18 2013 → Aug 22 2013 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Number | PART 1 |

Volume | 8042 LNCS |

ISSN (Print) | 03029743 |

ISSN (Electronic) | 16113349 |

### Other

Other | 33rd Annual International Cryptology Conference, CRYPTO 2013 |
---|---|

Country | United States |

City | Santa Barbara, CA |

Period | 8/18/13 → 8/22/13 |

### Fingerprint

### Keywords

- Even-Mansour
- ideal cipher
- indifferentiability
- key-alternating cipher

### ASJC Scopus subject areas

- Computer Science(all)
- Theoretical Computer Science

### Cite this

*Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings*(PART 1 ed., Vol. 8042 LNCS, pp. 531-550). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8042 LNCS, No. PART 1). https://doi.org/10.1007/978-3-642-40041-4_29

**On the indifferentiability of key-alternating ciphers.** / Andreeva, Elena; Bogdanov, Andrey; Dodis, Yevgeniy; Mennink, Bart; Steinberger, John P.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings.*PART 1 edn, vol. 8042 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), no. PART 1, vol. 8042 LNCS, pp. 531-550, 33rd Annual International Cryptology Conference, CRYPTO 2013, Santa Barbara, CA, United States, 8/18/13. https://doi.org/10.1007/978-3-642-40041-4_29

}

TY - GEN

T1 - On the indifferentiability of key-alternating ciphers

AU - Andreeva, Elena

AU - Bogdanov, Andrey

AU - Dodis, Yevgeniy

AU - Mennink, Bart

AU - Steinberger, John P.

PY - 2013

Y1 - 2013

N2 - The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.

AB - The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.

KW - Even-Mansour

KW - ideal cipher

KW - indifferentiability

KW - key-alternating cipher

UR - http://www.scopus.com/inward/record.url?scp=84884494086&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84884494086&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-40041-4_29

DO - 10.1007/978-3-642-40041-4_29

M3 - Conference contribution

AN - SCOPUS:84884494086

SN - 9783642400407

VL - 8042 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 531

EP - 550

BT - Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings

ER -