Meet-in-the-Middle Key Recovery Attacks on a Single-Key Two-Round Even-Mansour Cipher

Takanori ISOBE  Kyoji SHIBUTANI  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E102-A   No.1   pp.17-26
Publication Date: 2019/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E102.A.17
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
block cipher,  Even-Mansour ciphers,  meet-in-the-middle attack,  key recovery,  partial invariable pair,  matching with the input-restricted public permutation,  

Full Text: PDF(946.2KB)>>
Buy this Article

We propose new key recovery attacks on the two-round single-key n-bit Even-Mansour ciphers (2SEM) that are secure up to 22n/3 queries against distinguishing attacks proved by Chen et al. Our attacks are based on the meet-in-the-middle technique which can significantly reduce the data complexity. In particular, we introduce novel matching techniques which enable us to compute one of the two permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces the data complexity and the other reduces the time complexity. Compared with the previously known attacks, our attack first breaks the birthday barrier on the data complexity although it requires chosen plaintexts. When the block size is 64 bits, our attack reduces the required data from 245 known plaintexts to 226 chosen plaintexts with keeping the time complexity required by the previous attacks. Furthermore, by increasing the time complexity up to 262, the required data is further reduced to 28, and DT=270, where DT is the product of data and time complexities. We show that our data-optimized attack requires DT=2n+6 in general cases. Since the proved lower bound on DT for the single-key one-round n-bit Even-Mansour ciphers is 2n, our results imply that adding one round to one-round constructions does not sufficiently improve the security against key recovery attacks. Finally, we propose a time-optimized attacks on 2SEM in which, we aim to minimize the number of the invocations of internal permutations.