
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

MeetintheMiddle Key Recovery Attacks on a SingleKey TwoRound EvenMansour Cipher
Takanori ISOBE Kyoji SHIBUTANI
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E102A
No.1
pp.1726 Publication Date: 2019/01/01
Online ISSN: 17451337
DOI: 10.1587/transfun.E102.A.17
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Keyword: block cipher, EvenMansour ciphers, meetinthemiddle attack, key recovery, partial invariable pair, matching with the inputrestricted public permutation,
Full Text: PDF(946.2KB)>>
Summary:
We propose new key recovery attacks on the tworound singlekey nbit EvenMansour ciphers (2SEM) that are secure up to 2^{2n/3} queries against distinguishing attacks proved by Chen et al. Our attacks are based on the meetinthemiddle technique which can significantly reduce the data complexity. In particular, we introduce novel matching techniques which enable us to compute one of the two permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces the data complexity and the other reduces the time complexity. Compared with the previously known attacks, our attack first breaks the birthday barrier on the data complexity although it requires chosen plaintexts. When the block size is 64 bits, our attack reduces the required data from 2^{45} known plaintexts to 2^{26} chosen plaintexts with keeping the time complexity required by the previous attacks. Furthermore, by increasing the time complexity up to 2^{62}, the required data is further reduced to 2^{8}, and DT=2^{70}, where DT is the product of data and time complexities. We show that our dataoptimized attack requires DT=2^{n+6} in general cases. Since the proved lower bound on DT for the singlekey oneround nbit EvenMansour ciphers is 2^{n}, our results imply that adding one round to oneround constructions does not sufficiently improve the security against key recovery attacks. Finally, we propose a timeoptimized attacks on 2SEM in which, we aim to minimize the number of the invocations of internal permutations.

