Abstract
The Even–Mansour cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. Its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which is based on differential cryptanalysis) required chosen plaintexts. In this paper, we solve this open problem by introducing the new extended slide attack (abbreviated as slidex) which matches the $T = \Omega(2^n/D)$ lower bound on the time $T$ for any number of known plaintexts $D$. By using this tight security result, we show that a simplified single-key variant of the Even–Mansour scheme has exactly the same security as the original two-key scheme. We then show how to apply variants of the slidex attack to several other cryptosystems, including an Even–Mansour variant which adds rather than XORs its whitening keys, DES protected with decorrelation modules, various flavors of DESX, and a reduced-round version of GOST. In addition, we show how to apply the slidex attack in extreme scenarios in which the cryptanalyst is only given some partial information about the plaintexts, or when he can only use a tiny amount of memory.
Original language | English |
---|---|
Pages (from-to) | 1-28 |
Number of pages | 28 |
Journal | Journal of Cryptology |
Volume | 28 |
Issue number | 1 |
State | Published - Jan 2013 |
Bibliographical note
Publisher Copyright: © 2013, International Association for Cryptologic Research.
Keywords
- Even–Mansour block cipher
- Provable security
- Single-key Even–Mansour
- Slide attack
- Slidex attack
- Tight security bounds
- Whitening keys