[PDF] Top 20 Tweaking Even-Mansour Ciphers

... Tweakable block ciphers can be designed “from scratch” (e.g., the Hasty Pudding ci- pher [Sch98], Mercy [Cro00], or Threefish, the block cipher on which the Skein hash func- tion [FLS + 10] is based), however most ... See full document

... Tweaking Even-Mansour ...Feistel ciphers. This was extended to generalized Feistel ciphers by Mitsuda and Iwata ...block ciphers besides Feistel ciphers, namely ... See full document

... As early approaches for tweakable Even-Mansour construction, Sasaki et al. propose a concrete one-round scheme and use it to design their AE algorithm Minalpher [STA + 15], which is a second-round candidate ... See full document

... block ciphers, round keys are derived from an n-bit master key (or more generally an `-bit master key, where ` ∈ [n, 2n] is small compared with the total length of the round keys), and the same permutation, or ... See full document

... iterated Even-Mansour ciphers with two keys, we notice that our techniques can also be combined with statistical distin- guishers to give efficient key recovery attacks on certain block ...block ... See full document

... 1991, Even and Mansour introduced a block cipher construction based on a single ...block ciphers against generic ...the Even-Mansour construction sur- prisingly offers similar security ... See full document

... A tweakable blockcipher (TBC) is a generalization of a traditional block cipher, which adds a tweak as an extra public input on the basis of the usual inputs (a plaintext and a key). Tweakable blockciphers (TBCs) with ... See full document

... We define here the notion of sequential indifferentiability (seq-indifferentiability for short), introduced by [MPS12], which is a weakened variant of (full) indifferentiability as introduced by [MRH04], and then explain ... See full document

... Remark. If the padding of the nonce in Prøst-OTR were done on the most significant bits, no attack similar to Step 2 could recover the corresponding key bits: the modular addition is a triangular function (meaning that ... See full document

... the Even-Mansour ciphers could be broken in polynomial time by Simon algorithm [9], which could find the period of a periodic function in polynomial time in a quantum ... See full document

... Our Contributions. In the domain of provable security, it is well-known that iterating an ideal primitive will result in a loss of security. This is already evident from the very first results in provable security, so we ... See full document

... to resist the exhaustive key search by Grover’s algorithm [9] is sufficient to pro- tect symmetric-key schemes from quantum computers. However, Kuwakado and Morii [15] demonstrated that, by exploiting Simon’s algorithm ... See full document

... Abstract. Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016 which can be used to construct high throughput block ciphers using the Even-Mansour construc- tion, ... See full document

... Meet-in-the-Middle Attacks. The idea behind a meet-in-the-middle attack is to separate the mathematical equations that describe a block cipher into two or more groups, in such a way that some variables do not appear in ... See full document

... Indifferentiability of IEM. The studies on indifferentiability and sequential- indifferentiability (seq-indifferentiability ) of IEM are mainly motivated by fur- ther validating the SPN-based blockcipher design ... See full document

... The search for xor-RKA security leads us to consider the two-round EM constructions. The first attack discussed above, where the key is offset by a constant, still applies in this setting and once again we consider key ... See full document

... Hereafter, we use the single key EM256AES. To establish security proper- ties for EM 256AES, we make the standard assumption about AES: if a secret key is selected (uniformly at ranomd), an adversary has negligible ... See full document

... A stream cipher is defined as an algorithm for encryption and decryption of individual plaintext digits (e.g single bits or bytes), as opposed to block ciphers that encrypt blocks of a fixed bit length. Usually ... See full document

... – April 21, 2015: The underlying block cipher of Chaskey was bench- marked by the FELICS project [4] of the University of Luxembourg on a variety of microcontrollers. As the implementation results show, the Chaskey block ... See full document

... As we will show in detail, this allows to argue very convincingly that our instance is secure against differential attacks. Indeed, under standard assumptions, we can show that the probability of any (non-trivial) ... See full document