Slidex attacks on the Even-Mansour encryption scheme

O. Dunkelman, N. Keller, A. Shamir

Research output: Contribution to journalArticlepeer-review


The Even–Mansour cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. Its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which is based on differential cryptanalysis) required chosen plaintexts. In this paper, we solve this open problem by introducing the new extended slide attack (abbreviated as slidex) which matches the T=Ω(2 n /D) lower bound on the time T for any number of known plaintexts D. By using this tight security result, we show that a simplified single-key variant of the Even–Mansour scheme has exactly the same security as the original two-key scheme. We then show how to apply variants of the slidex attack to several other cryptosystems, including an Even–Mansour variant which adds rather than XORs its whitening keys, DES protected with decorrelation modules, various flavors of DESX, and a reduced-round version of GOST. In addition, we show how to apply the slidex attack in extreme scenarios in which the cryptanalyst is only given some partial information about the plaintexts, or when he can only use a tiny amount of memory.


Dive into the research topics of 'Slidex attacks on the Even-Mansour encryption scheme'. Together they form a unique fingerprint.

Cite this