Slidex Attacks on the Even–Mansour Encryption Scheme

Orr Dunkelman, Nathan Keller, Adi Shamir

Research output: Contribution to journalArticlepeer-review

22 Scopus citations

Abstract

The Even–Mansour cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. Its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which is based on differential cryptanalysis) required chosen plaintexts. In this paper, we solve this open problem by introducing the new extended slide attack (abbreviated as slidex) which matches the T=Ω(2n/D) lower bound on the time T for any number of known plaintextsD. By using this tight security result, we show that a simplified single-key variant of the Even–Mansour scheme has exactly the same security as the original two-key scheme. We then show how to apply variants of the slidex attack to several other cryptosystems, including an Even–Mansour variant which adds rather than XORs its whitening keys, DES protected with decorrelation modules, various flavors of DESX, and a reduced-round version of GOST. In addition, we show how to apply the slidex attack in extreme scenarios in which the cryptanalyst is only given some partial information about the plaintexts, or when he can only use a tiny amount of memory.

Original languageEnglish
Pages (from-to)1-28
Number of pages28
JournalJournal of Cryptology
Volume28
Issue number1
DOIs
StatePublished - Jan 2013

Bibliographical note

Publisher Copyright:
© 2013, International Association for Cryptologic Research.

Keywords

  • Even–Mansour block cipher
  • Provable security
  • Single-key Even–Mansour
  • Slide attack
  • Slidex attack
  • Tight security bounds
  • Whitening keys

Fingerprint

Dive into the research topics of 'Slidex Attacks on the Even–Mansour Encryption Scheme'. Together they form a unique fingerprint.

Cite this