Minimizing the Two-Round Even-Mansour Cipher

(1)

Minimizing the Two-Round Even-Mansour Cipher

?

Shan Chen??, Rodolphe Lampe? ? ?, Jooyoung Lee†, Yannick Seurin‡, and John Steinberger??

Revised, December 18, 2014

Abstract. Ther-round (iterated)Even-Mansour cipher(also known askey-alternating cipher) defines a block cipher fromr fixed publicn-bit permutationsP1, . . . , Pr as follows: given a se-quence of n-bit round keysk0, . . . , kr, an n-bit plaintext x is encrypted by xoring round key

k0, applying permutationP1, xoring round keyk1, etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutationsP1, . . . , Pr are pub-lic random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EURO-CRYPT 2014), who proved that ther-round Even-Mansour cipher is indistinguishable from a truly random permutation up toO(2rrn+1_{) queries of any adaptive adversary (which is an optimal}

security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption thatthe round keys

k0, . . . , kr and the permutationsP1, . . . , Pr are independent. In particular, for two rounds, the current state of knowledge is that the block cipherE(x) =k2⊕P2(k1⊕P1(k0⊕x)) is provably secure up toO(22n/3_{) queries of the adversary, when}_k0_,_k1_{, and}_k2 _{are three independent}_n_-bit

keys, and P1 and P2 are two independent random n-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipherfrom just one

n-bit key and one n-bit permutation. Our answer is positive: when the three n-bit round keys

k0,k1, andk2 are adequately derived from ann-bit master keyk, and the same permutationP

is used in place ofP1 and P2, we prove a qualitatively similarOe(2

2n/3

) security bound (in the random permutation model). To the best of our knowledge, this is the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.

Keywords: generalized Even-Mansour cipher, key-alternating cipher, indistinguishability, pseudorandom permutation, random permutation model, sum-capture problem

?_c

IACR 2014. This is the full version of the article submitted by the authors to the IACR and to Springer-Verlag in June 2014, which appears in the proceedings of CRYPTO 2014.

?? _{Tsinghua University, P.R. China. E-mail:}

[email protected],[email protected]. These authors were supported by National Basic Research Program of China Grant 2011CBA00300, 2011CBA00301, the Na-tional Natural Science Foundation of China Grant 61033001, 61361136003, and by the China Ministry of Education grant number 20121088050.

? ? ? _{University of Versailles, France. E-mail:} _{[email protected]}_{. This author was supported by the} French Direction Générale de l’Armement and the French National Agency of Research through the PRINCE project (contract ANR-10-SEGI-015).

†

Sejong University, Seoul, Korea. E-mail:[email protected]. This author was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2013R1A1A2007488).

‡

(2)

For concrete designs, where permutations P1, . . . , Pr are fixed, the current state of art of provable security only allows to upper bound the success probability of very specific attacks such as differential or linear attacks. On the other hand, it is possible to obtain broader provable security results by working in the random permutation model forP1, . . . , Pr, i.e., by viewing permutationsP1, . . . , Pras public random permutation oracles, to which the adversary can only make black-box queries (both in the forward and backward direction). This is a very strong model, but this allows to upper bound the advantage of any (even computationally unbounded) adversary as a function of the number of queries it makes. It also heuristically indicates that any adversary willing to beat the proven security bound cannot be “generic” and must somehow take advantage of some particular property of the permutations used in any concrete block cipher.

Such results in the random permutation model were first obtained forr= 1 round by Even and Mansour [EM97], who showed that the block cipher encrypting x into k1⊕P1(k0⊕x), wherek0 andk1 are independentn-bit keys, andP1is a random permutation oracle, is secure up to O(2n/2) queries1 of the adversary.2 For this reason, this construction is often referred to as the Even-Mansour cipher, though this is somehow a misnomer since this is rather a framework in which one can conveniently analyze the security of the family of one-round key-alternating ciphers. In the following, we will perpetuate this unfortunate terminology and use the namingr-round iterated Even-Mansour cipher to designate the “ideal” r-round key-alternating cipher whereP1, . . . , Pr are public and perfectly random permutation oracles. Curiously, the general construction with r > 1 remained unstudied for a long while until a paper by Bogdanovet al.[BKL+12], who showed that forr≥2, security is guaranteed up to

O(22n/3) queries of the adversary. They also conjectured that the security should beO(2rrn+1₎ for general r, which matches a simple distinguishing attack. Progress towards solving this conjecture was rather quick: Steinberger [Ste12] proved security up to O(23n/4) queries for

r≥3, Lampeet al.[LPS12] proved security up toO(2rrn+2_{) queries for any even}_r_{, and finally} Chen and Steinberger [CS14] resolved the conjecture and proved theO(2rrn+1_{)-security bound} for anyr. We stress that all these results only hold assuming that the r+ 1 round keys and ther permutations are independent. Actually, this is not perfectly accurate: one only needs the r + 1 round keys (k0, . . . , kr) to be r-wise independent [CS14], which can be obtained from only an rn-bit long master key, the most simple example being round keys of the form

1 _{When we talk about}_queries_{without being more specific, this includes both queries to the cipher and queries}

to the inner permutation(s).

(4)

(k₁0, k₁0⊕k₂0, k₂0⊕k₃0, . . . , kr−0 1⊕kr0, k0r), in which case the resulting iterated Even-Mansour cipher is exactly the cascade ofr single-key one-round Even-Mansour ciphersx7→k_i0⊕Pi(k0i⊕x).

Our Problem. Let us quickly recapitulate existing provable security results on the Even-Mansour cipher for a low number of rounds. For r = 1, we know that the single-key Even-Mansour cipherx7→k⊕P(k⊕x) ensures security up toO(2n/2) queries of the adversary. As pointed out by Dunkelmanet al.[DKS12], this construction is “minimal” in the sense that if one removes any component (either the addition of one of the keys, or the permutation P), the construction becomes trivially breakable. For the two-round Even-Mansour cipher, the best provable security result we have so far requires two independentn-bit permutations P1 andP2, and two independentn-bit keys (k, k0) to construct three pairwise independent round keys, for example (k, k0⊕k, k0). Concretely, the block cipherx7→k0⊕P2((k0⊕k)⊕P1(k⊕x)) ensures security up toO(22n/3) queries of the adversary. In this paper, we tackle the following question:

Can we obtain a O(22n/3)-security bound similar to the one proven for the two-round Even-Mansour cipher with (pairwise) independent round keys and independent permu-tations, from just one n-bit keyk and one n-bit random permutation P?

This question is natural since in most (if not all) SPN block ciphers, round keys are derived from an n-bit master key (or more generally an`-bit master key, where ` ∈ [n,2n] is small compared with the total length of the round keys), and the same permutation, or very similar ones, are used at each round. It is therefore fundamental to determine whether security can actually benefit from the iterative structure and increase beyond the birthday bound, even though one does not use more key material nor more permutations than in the single-key one-round Even-Mansour cipher.

Our Results. We answer positively to the question above. Our main theorem states sufficient

conditions on the way to derive threen-bit round keys (k0, k1, k2) from onen-bit master key

kso that the two-round Even-Mansour cipher defined from a single permutation

x7→k2⊕P(k1⊕P(k0⊕x))

is secure up to Oe(22n/3) queries of the adversary, where the Oe(·) notation hides logarithmic

(in N = 2n) factors. In particular, such a good key-schedule k 7→ (k0, k1, k2) can be con-structed from any (fixed) linear orthomorphism ofFn2. A permutationπof{0,1}n is called an orthomorphism if x7→x⊕π(x) is also a permutation. The good cryptographic properties of orthomorphisms have already been noticed in a number of papers [Mit95,GGM99], and are in particular used in Lai-Massey schemes [LM90,Vau99] such as the block ciphers IDEA[LM90] andFOX [JV04]. Our main theorem is as follows.

Theorem (Informal). Let π be any (fixed) linear orthomorphism of _Fn₂, and let P be a public random n-bit permutation oracle. Then the block cipher with message space and key space{0,1}n _{defined as (see Figure} ₁_{, top)}

EMP_k(x) =k⊕P(π(k)⊕P(k⊕x)) (?)

is secure against any adversary making up toOe(2

2n

3 ) queries toEMP

k andP. (Queries can be

(5)

x k

P P

π

y

x P1

k

P2 k

y k

Fig. 1.Two constructions of “minimal” two-round Even-Mansour ciphers provably secure up toOe(2

2n

3_{) queries}

of any (adaptive) adversary. Top:πis a (fixed) linear orthomorphism ofFn2, andP is a public random

permu-tation oracle. Bottom:P1 andP2 are two independent public random permutation oracles.

We remark that if one omits π in construction (?), i.e., if one adds the same round key k

each time, security drops back toO(2n/2) queries. More generally, if round keys are all equal and the same permutation P is used at each round of the iterated Even-Mansour cipher, security caps at O(2n/2) queries of the adversary, independently of the number r of rounds. This seems to be known as a folklore result about slide attacks [BW99,BW00], but since we could not find a detailed exposition in the literature, we precisely describe and analyze this attack (as well as a simple extension for two rounds when the key-schedule simply consists in xoring constants to the master key) in this paper. Hence, construction (?) can be regarded as a “minimal” two-round Even-Mansour cipher delivering security beyond the birthday bound, since removing any component causes security to drop back toO(2n/2) queries at best (for π

this follows from the slide attack just mentioned, while removing any instance of permutation

P brings us back to a one-round Even-Mansour cipher). Additionally, we show that when using two independent public random permutations P1 and P2, the trivial key-schedule is sufficient: adding the same round key k at each round (see Figure 1, bottom) also yields a

e

O(22n/3)-security bound.

To the best of our knowledge, these are the first results proving “beyond the birthday bound” security for key-alternating ciphers such as AESthat do not rely on the assumption that round keys are independent. This sheds some light on which exact properties are required from the key-schedule in order to lift the round keys independence assumption in provable security results. In particular, this seems to point out that a pseudorandom key-schedule is not needed (we remind the reader that our results come with the usual caveat that they are only proved in the very strong Random Permutation Model, and hence can only be taken as a heuristic security insurance once the inner permutation(s) are instantiated).

More Details on Our Security Bounds. In order to ease the previous discussion, we

(6)

types of queries in our security bounds, so that they lend themselves to a more fine-grained analysis: for each possible value of the numberqe of queries to the Even-Mansour cipher, we can derive an upper bound on the number qp of queries to the inner permutation(s) that the construction can tolerate while still ensuring security (in our previous discussion, we were only considering the very specific case whereqe = qp). The results of this analysis are captured on Figure 2, both for the case of a single inner permutation and for independent inner permutations. One point to notice is that whenqe≥2

2n

3 , we still prove security up to

qp =O(n₂) queries to the inner permutations when they are independent, whereas our security bound becomes vacuous in the single-permutation case.

Regarding the tightness of our security bounds, we remark that a generic attack with complexityqp ∼2n−

1

2log2qe _{for any}_q

ehas been described3 by Gaži [Gaz13] (this is represented by the dotted line on Figure 2). We note that this matches our security bound (outside uninteresting extremal points) only in the specific case (qe, qp) = (2

2n

3 ,2 2n

3 ).

log2(qe)

0 n

4

n

3 23n

3n

4

n

log2(qp)

n

2 2n

3 3n

4 n

Fig. 2. Our security bounds for the two-round Even-Mansour construction as a function of (qe, qp). When the two inner permutations are independent and the round keys are identical (construction EMIP[n,2]), all parameters below the solid line are secure by Theorem4. In the case of a single inner permutation (construction

EMSP[n,2]), all parameters below the dashed line (which merges with the solid line forqe≤2

n

4_{) are secure by}

Theorem5. In both cases, all parameters above the dotted line are insecure by the generic attack of [Gaz13]. The status of the parameters in the light and dark gray region (resp. dark gray region) remains open in the single-permutation case (resp. in the independent permutation case).

3 _{In the wording of [}_Gaz13_{], the Even-Mansour construction can be regarded as a} _{sequential construction}

(7)

Overview of Our Techniques. In order to prove our results, we use the indistinguisha-bility framework, namely we consider a distinguisher which must tell apart two worlds: the “real” world where it interacts with (EMP_k, P), where EMP_k is the Even-Mansour cipher in-stantiated with permutationP and a random key k, and the “ideal” world where it interacts with (E, P) where E is a random permutation independent from P. The distinguisher can make at mostqe queries toEMPk/E and at mostqp queries toP (all queries are adaptive and can be forward or backward, and we work in the information-theoretic setting, i.e., the adver-sary is computationally unbounded). In order to upper bound the distinguishing advantage of this attacker, we use, as already done in [CS14], the H-coefficient method of Patarin [Pat08]. In a nutshell, this technique consists in partitioning the set of all possible transcripts of the interaction between the distinguisher and the tuple of permutations into a set T1 of “good” transcripts and a setT₂ of “bad” transcripts. Good transcriptsτ ∈ T₁ have the property that the ratio of the probabilities to obtain τ in the real and in the ideal world is greater that 1−ε1 for some small ε1 > 0, while the probability to obtain any bad transcript τ ∈ T2 (in the ideal world) is less than some smallε2 >0. Then the advantage of the distinguisher can be upper bounded byε1+ε2.

In order to get intuition about what hides behind good and bad transcripts, it helps to first look at an example of how an adversary might “get lucky” during an attack. Specifically, we focus on the following attack scenario (we assume that qe =qp = q for simplicity). The distinguisher (adversary) D starts by making q arbitrary queries to EMP_k/E, resulting in a set of q pairs QE = {(x1, y1), . . . ,(xq, yq)}; then D determines the pair of sets (U, V) with

|U|=|V|=q and U, V ⊆ {0,1}n_{, that maximizes the size of the set}

K(QE, U, V) def

= {k0 ∈ {0,1}n:∃(xi, yi)∈ QE s.t.xi⊕k0∈U, yi⊕k0 ∈V} ⊆ {0,1}n, (1)

and D queries P(u), P−1(v) for all u ∈ U, v ∈ V. (This makes 2q queries to P instead of

q, but this small constant factor is unimportant for the sake of intuition.) Note that if D is in the real world and if the real key k is in the setK(Q_E, U, V) defined in (1), then D can see that one of itsEMP_k/E-queries is compatible with two of its P-queries with respect tok

(in more detail, there exists a valuei and queries (u, v), (u0, v0) to P such that xi⊕k = u,

v⊕π(k) = u0, and v0 ⊕k = yi). Elementary probabilistic considerations show that such a “complete cycle” will occur for at most a handful of keys inK(QE, U, V), so that “false alerts” can be quickly weeded out and the correct keykvalidated in a few extra queries, all assuming

k ∈ K(Q_E, U, V). Moreover, heuristic considerations indicate that k will be in K(Q_E, U, V) with probability |K(QE, U, V)|/2n. In particular, thus, it becomes necessary to show that

|K(Q_E, U, V)|is significantly smaller than 2n with high probability overQ_E, i.e., that

max U,V⊆{0,1}n

|U|=|V|=q

|{k0 ∈ {0,1}n:∃(xi, yi)∈ QE s.t. xi⊕k0 ∈U, yi⊕k0 ∈V}| (2)

is significantly smaller than 2n with high probability over QE, in order to show that D has small advantage atq queries. One of the criteria that can make a transcript “bad” in our proof happens to be, precisely, if the set of queriesQE toEMPk/E contained within the transcript is such that (2) is larger than desirable. (Jumping ahead, K(QE, U, V) will be re-baptized

(8)

To elaborate a little more on this, note that

|K(Q_E, U, V)| ≤ |{(k0, u, v)∈ {0,1}n×U ×V :k0⊕u=xi, k0⊕v =yi for some 1≤i≤q}| =|{(i, u, v)∈ {1, . . . , q} ×U ×V :xi⊕yi =u⊕v}|.

Also note that the set of values{xi⊕yi : (xi, yi)∈ QE}is essentially a random set since if the

i-th query toEMP_k/E is forward then yi comes at random from a large set, whereas otherwise

xi comes at random from a large set. Moreover, as a matter of fact, the problem of upper bounding

µ(A)def= max U,V⊆{0,1}n

|U|=|V|=q

|{(a, u, v)∈A×U×V :a=u⊕v}

for atruly random set A⊆ {0,1}n _{of size}_q _{has already been studied before [}_Bab89_,_Hay05_,

AKKR08,KPS13,Ste13], being dubbed4 thesum-capture problem in [Ste13]. One of the main known results [Bab89, Ste13] on the sum-capture problem is that µ(A) is upper bounded by roughly q3/2 for q ≤ 22n/3. Surprisingly enough, this bound is exactly sufficient for our application, sinceq3/2 2n forq22n/3. (Implying, thus, that (2) is far from 2n as long as

qremains beneath 22n/3, as desired.) Our own setting is, of course, slightly different, since the set{xi⊕yi: (xi, yi)∈ QE}isn’t, unlikeA, a purely random set of sizeq. Other complications also arise: in the general case where the three round keys (k0, k1, k2) are derived from then-bit master keyk using non-trivial (bijective) key derivation functions γi :k 7→ ki, K(QE, U, V) takes the more complicated form

{k0 ∈ {0,1}n:∃(xi, yi)∈ QE s.t.xi⊕γ0(k0)∈U, yi⊕γ2(k0)∈V}, so that we have to upper bound

|{(i, u, v)∈ {1, . . . , q} ×U ×V :xi⊕u=γ0◦γ2−1(yi⊕v)}|.

All this means that we have to carefully adapt (and to some degree significantly extend) the Fourier-analytic techniques used in [Bab89,Ste13].

Once the probability to obtain a bad transcript has been upper bounded, the second part of the proof is to show that the ratio between the probabilities to obtain any good transcript in the real and the ideal world is close to 1. This part is in essence a permutation counting argument. When the two permutations are independent (Figure 1, bottom), the counting argument is not overly complicated. While we could, in principle, re-use the general results of [CS14], we expose it in Section 5 (see Lemma8) since it constitutes a good warm-up for the reader before the more complicated counting in the subsequent section. For the single-permutation case, things become much more involved: first, we need to consider more conditions defining bad transcripts; and second, the permutation counting itself becomes much more intricate. Interestingly, this part is related to the following simple to state (yet to the best of our knowledge unexplored) problem: how many queries are needed to distinguish a random squared permutationP◦P (whereP is uniformly random) from a uniformly random permutationE?

(9)

Related Work. Two recent papers analyzed a stronger security property of the iterated Even-Mansour cipher than mere pseudorandomness, namely indifferentiability from an ideal cipher [ABD+13,LS13]. Aside with provable security results already mentioned, a number of papers explored attacks on the (iterated) Even-Mansour cipher for one round [Dae91,BW00,

DKS12], two rounds [NWW13], three rounds [DDKS13], and four rounds [DDKS14].

A distinct yet related line of work considers the security of the so-called “Xor-Cascade” construction [Gaz13, Lee13], a key-length extension method which generalizes the DESX construction [KR01] in the same way the Generalized Even-Mansour construction generalizes the original (one-round) Even-Mansour cipher. Given a block cipher E with message space

{0,1}n_{and key space}_{₀_,₁_}κ_{, the}_r_{-round Xor-Cascade construction}_XCE _{defines a new block} cipher with message space{0,1}n _{and key space} _{₀_,₁_}κ+(r+1)n _{as follows: given a plaintext}

x∈ {0,1}n _{and a key (}_{z, k}

0, . . . , kr)∈ {0,1}κ+(r+1)n, the ciphertexty is computed as

y=kr⊕Ezr(kr−1⊕Ezr−1(· · ·Ez2(k1⊕Ez1(k0⊕x))· · ·)),

where (z1, . . . , zr) is a sequence of sub-keys deterministically derived fromzin a way such that for anyz, thezi’s are pairwise distinct (note that this imposesr ≤2κ). Some authors consid-ered minor variants of this construction where the last whitening keykr is omitted [Gaz13] or where the sub-keys (z1, . . . , zr) are drawn uniformly at random [Lee13]. Directly relevant to our work, Gazi and Tessaro [GT12] considered a construction they named 2XOR, which is the two-round variant of Xor-Cascade where the whitening keys are identical (and the last whitening key is omitted), namely

2XORE_z,k(x) =Ez2(k⊕Ez1(k⊕x)),

where (z1, z2) are pairwise distinct sub-keys derived from z. They showed that, when the underlying block cipher E is modeled as an ideal cipher, this construction is secure up to

O(2κ+n/2) queries to E, even when the adversary can make all possible 2n queries to the permutation oracle (which, in the indistinguishability experiment, is either 2XORE_z,k or an independent random permutation). Considering a block cipherE with key-lengthκ= 1, one obtains a construction which is similar to the two-round Even-Mansour cipher of Figure 1, bottom, where the last key addition would be omitted.5 Hence, the Gazi-Tessaro result says that this construction is secure forqe= 2nandqp =O(2n/2).6 Our own results are incompara-ble with the one of [GT12]. First, the third key addition is omitted in the2XOR construction. Second, our bounds are more general: they hold for any value ofqeandqp as long asqe<22n/3 and qp <22n/3. Though our bounds become meaningless for qe = 2n, they show that when

qe < 22n/3 (an interesting case in practice since an attacker will not always have access to the entire codebook), security is ensured up toOe(22n/3) queries to the internal permutations

(something that cannot be derived from the result of [GT12]).

5 _{There is a slight subtlety here: in the}_2XOR_{construction used with a block cipher with key-length} _κ_{= 1,}

i.e., a pair of permutations (P1, P2), there is an additional key bitz (hidden to the distinguisher) which tells in which order the two permutations are called.

6

This is in fact very closely related to the security result for the single-key one-round Even-Mansour cipher up toO(2n/2) queries to the inner and outer permutations [DKS12]. In the Gazi-Tessaro case withκ= 1, the adversary is given an arbitrary permutationE, and must distinguish, given access to (P1, P2), whether

P1andP2 are independent, or whetherP2(k⊕P1(k⊕x)) =E(x) for some random keyk. In the single-key one-round Even-Mansour case, the adversary must distinguish, given access to (P1, P2), whetherP1 andP2

are independent, or whetherk⊕P1(k⊕x) =P2(x), i.e.,P2−1(k⊕P1(k⊕x)) =x. These are very similar

(10)

Open Questions. Currently, our results only apply when the key derivation functions map-ping the master key to the round keys arelinear bijective functions of_Fn₂. This is due to the fact that the proof of our sum-capture theorem in Section 3 requires linear mappings. It is an open question whether this theorem can be extended to nonlinear (bijective) mappings as well. A second tantalizing yet challenging open problem is of course to generalize our results to larger numbers of rounds. Namely, forr > 2, can we find sufficient conditions on the key-schedule such that ther-round single-permutation Even-Mansour cipher ensures security up toOe(2

rn

r+1_{) queries of the adversary? We stress that even the simpler case where permutations} are independent and round keys are identical seems hard to tackle for r > 2: we currently have no idea of how to extend our sum-capture result in order to upper bound the probability of bad transcripts even in the caser = 3.

It would also be interesting to reduce the time complexity of attacks against the two-round Even-Mansour cipher (potentially down toO(22n/3)). Currently, the best known attack (for the case of independent permutations and identical round keys) has time complexity

O(2n−log2n_{) [}_DKS12_{]. Since our focus in this paper is on query complexity, we have not} investigated whether this attack applies to the single-permutation variant (?) as well.

Organization. We start in Section 2 by setting the notation, giving the necessary

back-ground on the H-coefficient technique, and proving some helpful lemmas. In Section3, which is self-contained, we prove our new sum-capture result, which might be of independent inter-est. In Section4, we detail slide attacks against the iterated Even-Mansour cipher. Sections5

and 6contain our two provable security results for the two “minimized” variants of the two-round Even-Mansour cipher of Figure 1. In Section5, we first deal with the case where the two permutations are independent and the three round keys are identical. The permutation counting argument in this section (Lemma8) serves as a good exercise before the correspond-ing one of the subsequent section (Lemma 10). Section 6, which contains our main theorem, deals with the case of a single permutation.

2 Preliminaries

2.1 Notation

Permutations. In all the following, we fix an integer n ≥ 1, and we write N = 2n. The

set of all permutations on{0,1}n _{will be denoted} _P

n. For integers 1 ≤s ≤ t, we will write (t)s=t(t−1)· · ·(t−s+1) and (t)0 = 1 by convention. GivenQ= ((x1, y1), . . . ,(xq, yq)), where thexi’s are pairwise distinctn-bit strings and theyi’s are pairwise distinctn-bit strings, and a permutationP ∈ P_n, we say thatP extendsQ, denotedP ` Q, ifP(xi) =yi fori= 1, . . . , q. Let X = {x ∈ {0,1}n _{: (}_{x, y}₎ _{∈ Q}} _and _Y ₌ _{_y _{∈ {}₀_,₁_}n _{: (}_{x, y}₎ _{∈ Q}}_{. We call} _X _and

Y respectively thedomain and the range of Q. By an abuse of notation, we will sometimes denote Q the bijection from X to Y such that Q(xi) = yi for i = 1, . . . , q. Thus, for any

X0 ⊆X we have Q(X0) = {y ∈ {0,1}n _{: (}_{x, y}₎_{∈ Q ∧}_x _∈_X0_}_{, and for any} _Y0 _⊆ _Y _{we have}

Q−1₍_Y0_{) =}_{_x _{∈ {}₀_,₁_}n _{: (}_{x, y}₎ _{∈ Q ∧}_y _∈ _Y0_}_{. We will often use the following simple fact:} givenQ of sizeq and Q0 _{of size}_q0 _{whose respective domains}_X _and _X0 _{and respective ranges}

Y and Y0 satisfyX∩X0=∅and Y ∩Y0=∅, one has Pr

P ←_$P_n:P ` Q0 P ` Q

= 1

(N −q)q0.

(11)

Vector Space Fn2. We denote F2 ' {0,1} the field with two elements, and Fn2 the vector space of dimension n over _F₂. Given two vectors x = (x1, . . . , xn) and y = (y1, . . . , yn) in Fn2, we denote x ·y =

Pn

i=1xiyimod 2 the inner product of x and y. The general linear group of degree n over F2, i.e., the set of all automorphisms (linear bijective mappings) of

Fn2, will be denotedGL(n). Given Γ ∈GL(n), we denoteΓ∗ the adjoint of Γ, i.e., the unique automorphism satisfyingx·Γ(y) =Γ∗(x)·y for all x, y∈_Fn

2.

2.2 The Generalized Even-Mansour Cipher

Fix integers n, r, m, ` ≥ 1. Let φ : {1, . . . , r} → {1, . . . , m} be an arbitrary function, and

γ= (γ0, . . . , γr) be a (r+1)-tuple of functions from{0,1}`to{0,1}n. Ther-round Generalized Even-Mansour constructionEM[n, r, m, `, φ,γ] specifies, from anym-tupleP = (P1, . . . , Pm) of permutations on{0,1}n_{, a block cipher with message space} _{₀_,₁_}n _{and key space} _{₀_,₁_}`_, simply denotedEMP in the following (parameters [n, r, m, `, φ,γ] are implicit and will always be clear from the context), which maps a plaintext x∈ {0,1}n _{and a key} _K _{∈ {}₀_,₁_}` _{to the} ciphertext defined by (see Figure3):

EMP(K, x) =γr(K)⊕Pφ(r)(γr−1(K)⊕Pφ(r−1)(· · ·Pφ(2)(γ1(K)⊕Pφ(1)(γ0(K)⊕x))· · ·)). We denoteEMP_K :x7→EMP(K, x) the Even-Mansour cipher instantiated with keyK (hence, syntactically,EMP_K is a permutation on{0,1}n_).

x K

Pφ(1) γ0

Pφ(2) γ1

Pφ(r) y γr

Fig. 3.Ther-round Generalized Even-Mansour cipher.

For example, AES-128 is a Generalized Even-Mansour cipher where n = 128, r = 10,

m = 2, ` = 128, the function φ is defined by φ(i) = 1 for i = 1, . . . ,9 and φ(10) = 2, each key derivation functionγi is a 128-bit (non-linear for i≥1) permutation, and the two permutationsP1 and P2 are defined as:

P1 =MixColumns◦ShiftRows◦SubBytes

P2 =ShiftRows◦SubBytes.

All previous work about the indistinguishability of the Even-Mansour cipher [BKL+12,

LPS12,Ste12,CS14] considered the case where all permutations and all round keys are inde-pendent, namelym=r,φis the identity function,`= (r+ 1)n, andγi simply selects thei-th

n-bit string ofK = (k0, . . . , kr).

(12)

– the case where permutations are independent and the same n-bit key k is used at each round, namely m = r, φ is the identity function, ` = n, and all γi’s are the identity function, in which case we will simply denoteEMIP[n, r] the resulting construction. Hence, for anr-tuple of permutationsP = (P1, . . . , Pr), the block cipherEMIPP maps a plaintext

x∈ {0,1}n _{and a key}_k_{∈ {}₀_,₁_}n _{to the ciphertext defined by:}

EMIPP(k, x) =k⊕Pr(k⊕Pr−1(· · ·P2(k⊕P1(k⊕x))· · ·)).

– the case where a single permutationPis used at each round, namelym= 1 andφ(i) = 1 for

i= 1, . . . , r, in which case we will simply denoteEMSP[n, r, `,γ] the resulting construction. Hence, for a permutation P, the block cipher EMSPP maps a plaintextx∈ {0,1}n_{and a} key K∈ {0,1}` _{to the ciphertext defined by:}

EMSPP(K, x) =γr(K)⊕P(γr−1(K)⊕P(· · ·P(γ1(K)⊕P(γ0(K)⊕x))· · ·)). When additionally`=n(namely the master key length is equal to the block length), we overload the notation and simply denote EMSP[n, r,γ] the resulting construction.

2.3 Security Definition

To study the indistinguishability of the Generalized Even-Mansour cipher (in the Random Permutation Model), we consider a distinguisherD which interacts with a set of m+ 1 per-mutation oracles onnbits that we denote generically (P0, P1. . . , Pm) = (P0,P). The goal of

Dis to distinguish whether it is interacting with (EMP_K,P), whereP = (P1, . . . , Pm) are ran-dom and independent permutations andKis randomly chosen from{0,1}`_{(we will informally} refer to this case as the “real” world), or with (E,P), where Eis a randomn-bit permutation independent fromP (the “ideal” world). Note that in the latter case the distinguisher is sim-ply interacting withm+ 1 independent random permutations. We sometimes refer to the first permutationP0 as the outer permutation, and to permutationsP1, . . . , Pm as theinner per-mutations. The distinguisher is adaptive, and can make both forward and backward queries to each permutation oracle, which corresponds to the notion of adaptive chosen-plaintext and ciphertext security (CCA). We consider computationally unbounded distinguishers, and we assume wlog that the distinguisher is deterministic and never makes useless queries (which means that it never repeats a query, nor makes a queryP_i−1(y) if it received y as the answer to a previous queryPi(x), or vice-versa).

The distinguishing advantage ofD is defined as

Adv(D) = Pr

h

DEMPK,P _{= 1} i

−PrhDE,P = 1i ,

where the first probability is taken over the random choice of K and P, and the second probability is taken over the random choice of E and P. We recall that, even though this is not apparent from the notation, the distinguisher can make both forward and backward queries to each permutation oracle.

For qe, qp non-negative integers, we define the insecurity of the ideal7 Generalized Even-Mansour cipher with parameters (n, r, m, `, φ,γ) as:

Advcca_EM_[_n,r,m,`,φ,_γ_](qe, qp) = max

D Adv(D),

(13)

where the maximum is taken over all distinguishersD making exactlyqequeries to the outer permutation and exactlyqp queries to each inner permutation. The notation is adapted nat-urally for the two special casesEMIPand EMSPdefined in Section 2.2.

2.4 The H-Coefficient Technique

We give here all the necessary background on the H-coefficient technique [Pat08,CS14] that we will use throughout this paper.

Transcript. All the information gathered by the distinguisher when interacting with the system of m+ 1 permutations can be summarized in what we call the transcript of the interaction, which is the ordered list of queries and answers received from the system (i, b, z, z0), wherei∈ {0, . . . , m} names the permutation being queried,bis a bit indicating whether this is a forward or backward query, z ∈ {0,1}n _{is the actual value queried and} _z0 _{the answer.} We say that a transcript is attainable (with respect to some fixed distinguisher D) if there exists a tuple of permutations (P0, . . . , Pm) ∈ (Pn)m+1 such that the interaction of D with (P0, . . . , Pm) yields this transcript (said otherwise, the probability to obtain this transcript in the “ideal” world is non-zero). In fact, an attainable transcript can be represented in a more convenient way that we will use in all the following. Namely, from the transcript we can build

m+ 1 lists of directionless queries

QE = ((x1, y1), . . . ,(xqe, yqe)), Q_P1 = ((u1,1, v1,1), . . . ,(u1,qp, v1,qp)),

.. .

QPm = ((um,1, vm,1), . . . ,(um,qp, vm,qp))

as follows. Forj = 1, . . . , qe, let (0, b, z, z0) be thej-th query toP0 in the transcript: if this was a forward query then we setxj =zandyj =z0, otherwise we setxj =z0 andyj =z. Similarly, for eachi= 1, . . . , m, andj = 1, . . . , qp, let (i, b, z, z0) be thej-th query toPi in the transcript: if this was a forward query then we setui,j =z and vi,j =z0, otherwise we set ui,j =z0 and

vi,j =z. A moment of thinking should make it clear that for attainable transcripts there is a one-to-one mapping between these two representations. (Essentially this follows from the fact that the distinguisher is deterministic). Moreover, though we defined QE,QP1, . . . ,QPm

as ordered lists, the order is unimportant (our formalization keeps the natural order induced by the distinguisher).

For convenience, and following [CS14], we will be generous with the distinguisher by providing it, at the end of its interaction, with the actual keyK when it is interacting with (EMP_K,P), or with a dummy key K selected uniformly at random when it is interacting with (E,P). This is without loss of generality since the distinguisher is free to ignore this additional information. Hence, all in all a transcript τ is a tuple (QE,QP1, . . . ,QPm, K). We

(14)

Main Lemma. In order to upper bound the advantage of the distinguisher, we will repeatedly use the following strategy: we will partition the set of attainable transcripts T into a set of “good” transcriptsT₁ such that the probabilities to obtain some transcriptτ ∈ T₁ are close in the real and in the ideal world, and a setT2 of “bad” transcripts such that the probability to obtain anyτ ∈ T₂ is small in the ideal world. More precisely, we will use the following result. Lemma 1. Fix a distinguisher D. Let T = T1 t T2 be a partition of the set of attainable

transcripts. Assume that there existsε1 such that for any τ ∈ T1, one has8 Pr[Tre=τ]

Pr[Tid=τ]

≥1−ε1,

and that there existsε2 such that

Pr[Tid∈ T2]≤ε2.

ThenAdv(D)≤ε1+ε2.

Proof. The proof is standard, but we sketch it here for completeness. Since the distinguisher’s output is a (deterministic) function of the transcript, its distinguishing advantage is upper bounded by the statistical distance betweenTid and Tre, namely

Adv(D)≤ kTre−Tidk def

= 1 2

X

τ∈T

|Pr[Tre=τ]−Pr[Tid=τ]|.

Moreover we have:

kTre−Tidk=

X

τ∈T

Pr[Tid=τ]>Pr[Tre=τ]

(Pr[Tid=τ]−Pr[Tre=τ])

= X

τ∈T

Pr[Tid=τ]>Pr[Tre=τ]

Pr[Tid=τ]

1−Pr[Tre=τ]

Pr[Tid=τ]

≤ X

τ∈T1

Pr[Tid=τ]ε1+

X

τ∈T2

Pr[Tid=τ]

≤ε1+ε2. ut

The ratio Pr[Tre=τ]/Pr[Tid=τ] takes a particularly simple form for the Even-Mansour cipher. (This is one of the reasons why we append the key K at the end of the transcript; otherwise, the ratio would take a more cumbersome form.)

Lemma 2. Let τ = (QE,QP1, . . . ,QPm, K)∈ T be an attainable transcript. Let

p(τ)def= PrhP1, . . . , Pm←$ Pn:EMP1,...,P_K m` QE

(P1 ` QP1)∧ · · · ∧(Pm` QPm) i

.

Then

Pr[Tre=τ] Pr[Tid=τ]

= (N)qe·p(τ).

(15)

Proof. One can easily check that the interaction of the distinguisher with any set of permu-tations (P0, P1, . . . , Pm) produces permutation transcript (QE,QP1, . . . ,QPm) iff

(P0` QE)∧(P1 ` QP1)∧ · · · ∧(Pm` QPm).

In the ideal world, the distinguisher interacts with (E, P1, . . . , Pm) where E is independent from P1, . . . Pm, and the (dummy) key K is uniformly random and independent from the permutations. It follows easily that

Pr[Tid=τ] = 1 2` ×

1 (N)qe

× 1

(N)qp !m

.

In the real world, the distinguisher interacts with (EMP1,...,Pm

K , P1, . . . , Pm), where the key K is uniformly random and independent from (P1, . . . , Pm). It easily follows that

Pr[Tre=τ] = 1 2` ×

1 (N)_q_p

!m

×PrhP1, . . . , Pm←$Pn:EMP1,...,P_K m ` QE

(P1` QP1)∧ · · · ∧(Pm ` QPm) i

,

hence the result. ut

2.5 A Useful Lemma

We prove a lemma that will be useful throughout the paper.

Lemma 3. Let N, a, b, c, d be positive integers such thatc+d= 2b and2a+ 2b≤N. Then

(N)a(N −2b)a (N−c)a(N −d)a

≥1−4ab

2

N2 .

Proof. Assumewlog thatc≥d. Note that this impliesc≥b. Then:

(N)_a(N −2b)_a (N−c)a(N −d)a

= (N)a(N −2b)a ((N −b)a)2

× ((N−b)a)

2 (N −c)a(N−d)a

=

N−b

Y

i=N−a−b+1

(i+b)(i−b)

i2 ×

N−b

Y

i=N−a−b+1

i2

(i−c+b)(i−d+b)

=

N−b

Y

i=N−a−b+1

1−b

2

i2

! ×

N−b

Y

i=N−a−b+1

i2

(i−(c−b))(i+ (c−b))

| {z }

≥1

≥ 1− b

2

(N −a−b+ 1)2

!a

≥1−4ab

2

N2 ,

(16)

3 A Sum-Capture Theorem

In this section, we prove a variant of previous “sum-capture” results [Bab89,KPS13,Ste13]. Informally, such results typically state that when choosing a random subsetA of_Zn₂ (or more generally any abelian group) of sizeq, the value

µ(A) = max U,V⊆Zn2 |U|=|V|=q

|{(a, u, v)∈A×U×V :a=u⊕v}|

is close to its expected valueq3/N (if A, U, V were chosen at random), except with negligible probability. Here, we prove a result of this type for the setting where A arises from the interaction of an adversary with a random permutationP, namely A={x⊕y : (x, y)∈ Q}, whereQ is the transcript of the interaction between the adversary and P. In fact our result is even more general, the special case just mentioned corresponding toΓ being the identity in the theorem below.

Theorem 1. Fix an automorphism Γ ∈ GL(n). Let P be a uniformly random permutation of {0,1}n_{, and let} _A _{be some probabilistic algorithm making exactly} _q _{(two-sided) adaptive}

queries toP. LetQ= ((x1, y1), . . . ,(xq, yq))denote the transcript of the interaction of Awith

P. For any two subsets U andV of {0,1}n_{, let}

µ(Q, U, V) =|{((x, y), u, v)∈ Q ×U ×V :x⊕u=Γ(y⊕v)}|.

Then, assuming 9n≤q≤N/2, one has

Pr P,ω

"

∃U, V ⊆ {0,1}n:µ(Q, U, V)≥ q|U||V|

N +

2q2p|U||V|

N + 3

q

nq|U||V| #

≤ 2

N,

where the probability is taken over the random choice of P and the random coins ω of A.

Proof. The theorem follows directly from Lemmas4 and6 that are proven below. ut

A Reminder on Fourier Analysis. We start by introducing some notation and recalling

some classical results on Fourier analysis over the abelian group_Zn₂. In the following, given a subsetS ⊂ {0,1}n_{, we denote 1}

S :{0,1}n→ {0,1} the characteristic functions of S, namely 1S(x) = 1 ifx∈S and 1S(x) = 0 if x /∈S. Given two functions f, g:{0,1}n→R, we denote

hf, gi=E[f g] = 1

N

X

x∈{0,1}n

f(x)g(x)

the inner product off and g, and, for allx∈ {0,1}n_{, we denote}

(f∗g)(x) = X y∈{0,1}n

f(y)g(x⊕y)

the convolution off and g. Given α∈ {0,1}n_{, we denote}_χ

α :{0,1}n → {±1} thecharacter associated withα defined as

(17)

The all-one character χ0 is called the principal character. All other characters χ 6= 1 corre-sponding toα6= 0 are callednon-principal characters. The set of all characters forms a group for the pointwise product operation (χαχβ)(x) =χα(x)χβ(x) and one has χαχβ =χα⊕β.

Given a functionf :{0,1}n_→

Randα∈ {0,1}n, the Fourier coefficient off correspond-ing toα is

b

f(α)def= hf, χαi= 1

N

X

x∈{0,1}n

f(x)(−1)α·x.

The coefficient corresponding toα= 0 is called the principal Fourier coefficient, all the other ones are callednon-principal Fourier coefficients. Note that for a setS⊆ {0,1}n _{one has}

c

1S(0) =

|S|

N ,

namely the principal Fourier coefficient of 1S is equal to the relative size of the set. We will also use the following three classical results, holding for any functionsf, g,:{0,1}n_→

R, any

α∈ {0,1}n_{, and any}_S _{⊆ {}₀_,₁_}n_:

X

x∈{0,1}n

f(x)g(x) =N X

α∈{0,1}n b

f(α)g_b(α) (3)

\

(f ∗g)(α) =Nfb(α)g_b(α) (4)

X

α∈{0,1}n

|c1S(α)|2 =

|S|

N . (5)

First Step: the Cauchy-Schwarz Trick. As a preliminary step towards proving

The-orem1, we start by relating the quantity µ(Q, U, V) with the maximal amplitude of (a sub-set of) non-principal Fourier coefficients of the characteristic function 1Qc of the set Q =

((x1, y1), . . . ,(xq, yq)) seen as a subset of {0,1}2n. This part is adapted from Babai [Bab89, Section 4] and Steinberger [Ste13], but in our setting we have to work over the product group Zn2 ×Zn2 (in particular, Lemma 4 below is the analogue of Theorem 4.1 in [Bab89], which was independently rediscovered by Steinberger [Ste13]). In the following, we let, for anyα, β ∈ {0,1}n_,_α₆_{= 0,}_β ₆_{= 0,}

Φα,β(Q) def

= N2

1cQ(α, β) =

X

(x,y)∈Q

(−1)α·x⊕β·y

Φ(Q)def= max

α6=0,β6=0Φα,β(Q). Lemma 4. For any subsets U and V of {0,1}n_{, one has}

µ(Q, U, V)≤ q|U||V|

N +Φ(Q)

q |U||V|.

Proof. In the following, we denote

W =U ×V ={(u, v) :u∈U, v ∈V}

(18)

Since ((x, y), u, v)∈ Q ×U×V satisfiesx⊕u=Γ(y⊕v) iff there existsk∈ {0,1}n_{such that} (x, y)⊕(u, v) = (Γ(k), k),

it follows that we have

µ(Q, U, V) = X (x,y)∈({0,1}n₎2 (u,v)∈({0,1}n₎2

1Q(x, y)1W(u, v)1K(x⊕u, y⊕v)

= X

(x,y)∈({0,1}n₎2

1Q(x, y) X (u,v)∈({0,1}n₎2

1W(u, v)1K(x⊕u, y⊕v)

= X

(x,y)∈({0,1}n₎2

1Q(x, y)(1W ∗1K)(x, y)

=N2 X

(α,β)∈({0,1}n₎2

c

1Q(α, β)(1W\∗1K)(α, β) (by (3))

=N4 X

(α,β)∈({0,1}n₎2

c

1Q(α, β)d1W(α, β)1cK(α, β) (by (4)).

Separating the principal Fourier coefficient from non-principal ones in the last equality above, we get

µ(Q, U, V) =N4|Q| N2

|W|

N2

|K|

N2 +N

4 X

(α,β)6=(0,0)

c

1Q(α, β)d1_W(α, β)1c_K(α, β)

= q|U||V|

N +N

4 X

(α,β)6=(0,0)

c

1Q(α, β)1d_W(α, β)1c_K(α, β). (6)

(We note that equality (6) above holds in fact for any abelian group G and any fixed, non-necessarily linear, permutation Γ :G → G, replacing the summation over (α, β) 6= (0,0) by the summation over all non-principal characters of the product group G×G.) Moreover, we have

d

1W(α, β) = 1

N2

X

(u,v)∈({0,1}n₎2

1W(u, v)(−1)α·u⊕β·v

= 1

N2

X

(u,v)∈({0,1}n₎2

1_U(u)1_V(v)(−1)α·u⊕β·v

= 1

N2



 X

u∈{0,1}n

1_U(u)(−1)α·u



 

 X

v∈{0,1}n

1_V(v)(−1)β·v





=1cU(α)1cV(β), and

c

1_K(α, β) = 1

N2

X

(x,y)∈({0,1}n₎2

1_K(x, y)(−1)α·x⊕β·y

= 1

N2

X

y∈{0,1}n

(19)

= 1

N2

X

y∈{0,1}n

(−1)Γ∗(α)·y⊕β·y

= 0 if β6=Γ∗(α) 1

N ifβ =Γ

∗₍_α₎_.

Then, injecting the two observations above in (6), we obtain

µ(Q, U, V) = q|U||V|

N +N

3X

α6=0

c

1Q(α, Γ∗(α))1cU(α)1cV(Γ∗(α))

≤ q|U||V|

N +N

3X

α6=0

1Q(c α, Γ

∗ (α))

· 1cU(α)

·

1cV(Γ

∗ (α))

≤ q|U||V|

N +N Φ(Q)

X

α6=0

1cU(α)

·

1cV(Γ

∗₍_α₎₎ ,

where the last inequality follows by noting that|c1Q(α, Γ∗(α))| ≤Φ(Q)/N2 for anyα6= 0 (by definition ofΦ(Q)). By Cauchy-Schwarz,

X

α6=0

1cU(α)

·

1cV(Γ

∗₍_α₎₎ ≤

s _X

α∈{0,1}n

|1c_U(α)|2

s _X

α∈{0,1}n

|1c_V(Γ∗(α))|2 =

1

N

q |U||V|,

where the last equality follows from (5), so that we finally obtain

µ(Q, U, V)≤ q|U||V|

N +Φ(Q)

q

|U||V|. ut

Upper Bounding Non-Principal Fourier Coefficients. Having established Lemma4, it remains to find an upper bound on Φ(Q) holding with high probability over the random choice of P and the random coins of the adversary. For this, we will need the following extension of the Chernoff bound to “moderately dependent” random variables.

Lemma 5. Let 0≤ε≤1/2, and letA= (Ai)1≤i≤q be a sequence of random variables taking

values in {±1}. Assume that for any 1 ≤i ≤q and any sequence (a1, . . . , ai−1) ∈ {±1}i−1,

one has

Pr [Ai = 1|(A1, . . . , Ai−1) = (a1, . . . ai−1)]≤ 1 2+ε.

Then, for any δ∈[0,1], one has

Pr

" q

X

i=1

Ai ≥q(2ε+δ)

#

≤e−qδ

2 12 .

Proof. LetB = (Bi)1≤i≤q be independent and identically distributed random variables such that

Pr[Bi= 1] = 1

2+ε and Pr[Bi=−1] = 1 2−ε. We first show that for anyr, we have

Pr

" _q X

i=1

Ai ≥r

# ≤Pr

" _q X

i=1

Bi ≥r

#

(20)

We prove this with a coupling-like argument. LetBerp denote the±1 Bernoulli distribution of parameterp(which takes value 1 with probabilitypand −1 with probability 1−p). Consider the following sampling process (we assume ε < 1/2 here, but this is wlog since the lemma trivially holds forε= 1/2):

fori= 1 to q do

p←Pr [Ai = 1|(A1, . . . , Ai−1) = (u1, . . . ui−1)]

ui←Berp if ui = 1then

vi←1 else

p0 ← 1/2+₁_−pε−p

vi←Berp0

return ((u1, . . . , uq),(v1, . . . , vq))

Then clearly (u1, . . . , uq)∼A. Moreover, (v1, . . . , vq) ∼B. Indeed, for any i= 1, . . . , q, and any sequence (v1, . . . , vi−1)∈ {±1}i−1, one has

Pr[vi= 1|(v1, . . . , vi−1)] =p+p0(1−p) = 1 2 +ε.

Note that during the sampling process,ui= 1 implies vi= 1, so that for anyr, q

X

i=1

ui ≥r =⇒ q

X

i=1

vi≥r,

which implies (7).

Fix nowδ ∈[0,1], and let (B_i0)1≤i≤q be defined as

B_i0= 1 +Bi 2 ,

so that

Pr[B_i0 = 1] = 1

2 +ε and Pr[B 0

i = 0] = 1 2 −ε.

Letm=_E(Pq

i=1Bi0) =q(1/2 +ε). Then the Chernoff bound asserts that for any 0≤δ0 ≤1, one has

Pr

" q

X

i=1

B0_i≥(1 +δ0)m

#

≤e−mδ

02 3 .

Substitutingδ0 = ₂qδ_m = ₁₊₂δ _ε in the inequality above yields (note thatδ ∈[0,1]⇒δ0 ∈[0,1])

Pr

" q

X

i=1

Bi≥q(2ε+δ)

#

= Pr

" q

X

i=1

B_i0 ≥

1 + qδ 2m

m

# ≤e−q

2_δ2 12m ≤e−

qδ2

12 .

which combined with (7) concludes the proof. ut

(21)

Lemma 6. Assume that 9n≤q ≤N/2. Fix an adversary A making q queries to a random permutationP. Let Q denote the transcript of the interaction of A with P. Then

Pr P,ω

"

Φ(Q)≥ 2q

2

N + 3

√

nq

# ≤ 2

N,

where the probability is taken over the random choice of P and the random coins ω of A.

Proof. In all this proof, Pr[·] denotes Pr_P,ω[·]. Fix α, β ∈ {0,1}n_, _α ₆_{= 0 and} _β ₆_{= 0. Letting}

Q = ((x1, y1), . . . ,(xq, yq)) following the natural ordering of the queries of A, we define the sequence of random variables (Ai)1≤i≤q whereAi = (−1)α·xi⊕β·yi. ThenΦα,β(Q) =|Pqi=1Ai|. In order to apply Lemma5, we will show that for 1≤i≤q, and any sequence (a1, . . . , ai−1)∈

{±1}i−1_{, we have}

pi def

= Pr [Ai = 1|(A1, . . . , Ai−1) = (a1, . . . , ai−1)]≤ 1 2 +

q

N. (8)

Assume that thei-th query of the adversary toP is a forward queryxi. Note that the answer

yi is distributed uniformly at random on a set of size N −i+ 1. Also notice that, once xi is fixed, there are exactlyN/2 yi’s such that Ai = (−1)α·xi⊕β·yi = 1 since β 6= 0. Similarly, if the i-th query is a backward query yi, then the answer xi is is distributed uniformly at random on a set of size N −i+ 1, and onceyi is fixed, there are exactlyN/2 xi’s such that

Ai= (−1)α·xi⊕β·yi = 1 sinceα6= 0. Hence, we have that

pi ≤

N/2

N−i+ 1 ≤

N

2(N−q) ≤ 1 2 +

q

2(N −q) ≤ 1 2 +

q N.

We can now apply Lemma5 withε=q/N and we obtain, for anyδ ∈[0,1],

Pr

" q

X

i=1

Ai ≥ 2q2

N +qδ

#

≤e−qδ

2 12 .

DefiningA0_i =−Ai, and applying exactly the same reasoning, we obtain

Pr

" _q X

i=1

Ai≤ − 2q2

N +qδ

!#

≤e−qδ

2 12 .

Thus by a union bound we obtain:

Pr

"

Φα,β(Q)≥ 2q2

N +qδ

#

≤2e−qδ

2 12 .

Note that this holds for anyα6= 0 and β 6= 0. Hence, if we chooseδ =p

(12 lnN)/q (which, assumingq≥9n, implies δ≤1), we finally obtain, using√12 ln 2≤3,

Pr P,ω

"

Φ(Q)≥ 2q

2

N + 3

√

nq

# ≤ 2

Minimizing the Two-Round Even-Mansour Cipher

Minimizing the Two-Round Even-Mansour Cipher

Table of Contents