# Balanced Permutations Even–Mansour Ciphers


## Abstract


## 1. Introduction

… AES$^2$, which is an instantiation of the 2-round EM cipher where the two public permutations are AES with two publicly known “arbitrary” keys (they chose the binary digits of the constant π). The complexity of the best (meet-in-the-middle) attack they showed uses $2^{129.6}$ cipher evaluations. Consequently, they conjectured that AES$^2$ offers 128-bit security.

… AES$^2$ (with three different keys) has complexity of $2^{126.8}$ (still better than Bogdanov et al. [1], thus enough to invalidate their conjecture that AES$^2$ has $2^{128}$ security).

## 2. Balanced Permutations and Balanced Permutation EM Ciphers

#### 2.1. Balanced Permutations

**Definition 1** (Balanced permutation).

**Example 1.**

**Example 2.**

**Definition 2** (Luby–Rackoff permutations).

**Proposition 1.**

**Proof.**

#### 2.2. Balanced Permutation EM Ciphers

**Definition 3** (r-round balanced permutations EM ciphers (BPEM)).

**Remark 1.**

**Remark 2.**

**Remark 3.**

#### 2.3. Equivalent Representation of BPEM in Terms of LR

**Notation 1.**

**Lemma 1.**

**Proof.**

## 3. Security Preliminaries and Definitions

**Observation 1.**

**Observation 2.**

#### 3.1. Coefficient-H Technique

**Theorem 1.** Let $\mathcal{O}$ and $\mathcal{O}^{\prime}$ be two oracle algorithms with domain $D$ and range $R$. Suppose there exist a set $\mathcal{V}_{bad}\subseteq D^{q}\times R^{q}$ and $\epsilon >0$ such that the following conditions hold:

- For all $(x_{1},\dots ,x_{q},y_{1},\dots ,y_{q})\notin \mathcal{V}_{bad}$,
  $$\Pr[\mathcal{O}(x_{1})=y_{1},\dots ,\mathcal{O}(x_{q})=y_{q}]\ge (1-\epsilon )\Pr[\mathcal{O}^{\prime}(x_{1})=y_{1},\dots ,\mathcal{O}^{\prime}(x_{q})=y_{q}]$$
- For all $A$ making at most $q$ queries to $\mathcal{O}^{\prime}$, $\Pr[\mathrm{Trans}(A^{\mathcal{O}^{\prime}})\in \mathcal{V}_{bad}]\le \delta$, where $\mathrm{Trans}(A^{\mathcal{O}^{\prime}})=(x_{1},\dots ,x_{q},y_{1},\dots ,y_{q})$ and $x_{i}$ and $y_{i}$ denote the $i^{\mathrm{th}}$ query and response of $A$ to $\mathcal{O}^{\prime}$.

#### 3.2. Known Related Results

#### 3.2.1. The Security of Even–Mansour Cipher

#### 3.2.2. The Security of Luby–Rackoff Encryption

**Theorem 2.** Let $\Pi_{1},\dots ,\Pi_{4}$ be four independent random permutations of $\{0,1\}^{n}$, and let $\Pi$ be a random permutation of $\{0,1\}^{2n}$. Then, $\mathsf{LR}[\Pi_{1},\dots ,\Pi_{4}]$ is SPRP secure in the following sense:

**Theorem 3.** Let $r\ge 4$, and let $(\alpha_{1},\dots ,\alpha_{r})$ be a sequence of numbers from $\{1,\dots ,t\}$ such that $(\alpha_{1},\dots ,\alpha_{r})\ne (\alpha_{r},\dots ,\alpha_{1})$. Let $\Pi_{1},\dots ,\Pi_{t}$ be $t$ independent random permutations of $\{0,1\}^{n}$, and let $\Pi$ be a random permutation of $\{0,1\}^{2n}$. Then, $\mathsf{LR}[\Pi_{\alpha_{1}},\dots ,\Pi_{\alpha_{r}}]$ is SPRP secure in the following sense:

## 4. Security Analysis of Our Construction

#### 4.1. Security Analysis of Tuples of Single Key 1-Round EM Cipher

**Notation 2.**

**Observation 3.**

**Lemma 2.**

**Proof.**

**Lemma 3.**

**Proof.**

- There are $1\le i,{i}^{\prime}\le t$, $1\le j\le {q}_{i}$, $1\le {j}^{\prime}\le {q}_{{i}^{\prime}}$ such that $(i,j)\ne ({i}^{\prime},{j}^{\prime})$, ${\alpha}_{i}={\alpha}_{{i}^{\prime}}$, and ${K}_{{\beta}_{i}}\oplus {M}_{j}^{{\alpha}_{i}}={K}_{{\beta}_{{i}^{\prime}}}\oplus {M}_{{j}^{\prime}}^{{\alpha}_{{i}^{\prime}}}$.
- There are $1\le i\le t$, $1\le j\le {q}_{i}$, $1\le {j}^{\prime}\le {q}_{{\alpha}_{i}}^{\prime}$ such that ${K}_{{\beta}_{i}}\oplus {M}_{j}^{{\alpha}_{i}}={X}_{{j}^{\prime}}^{{\alpha}_{i}}$.
- There are $1\le i,{i}^{\prime}\le t$, $1\le j\le {q}_{i}$, $1\le {j}^{\prime}\le {q}_{{i}^{\prime}}$ such that $(i,j)\ne ({i}^{\prime},{j}^{\prime})$, ${\alpha}_{i}={\alpha}_{{i}^{\prime}}$, and ${K}_{{\beta}_{i}}\oplus {C}_{j}^{{\alpha}_{i}}={K}_{{\beta}_{{i}^{\prime}}}\oplus {C}_{{j}^{\prime}}^{{\alpha}_{{i}^{\prime}}}$.
- There are $1\le i\le t$, $1\le j\le {q}_{i}$, $1\le {j}^{\prime}\le {q}_{{\alpha}_{i}}^{\prime}$ such that ${K}_{{\beta}_{i}}\oplus {C}_{j}^{{\alpha}_{i}}={Y}_{{j}^{\prime}}^{{\alpha}_{i}}$.

#### 4.2. Main Theorems

**Theorem 4.**

**Proof.**

**Theorem 5.**

**Remark 4.**

**Lemma 4.**

**Theorem 6.**

**Theorem 7.**

## 5. A Distinguishing Attack on BPEM

**Lemma 5.**

**Proof.**

**Proposition 2.**

**Remark 5.**

**Proof.**

## 6. A Practical Construction of a 256-Bit Cipher

**Definition 4** ($EM256AES$: a 256-bit block cipher).

- ${\ell}_{1}$ and ${\ell}_{2}$ are determined during the setup phase, and can be made public (e.g., sent from the sender to the receiver as an IV).
- ${K}_{0},{K}_{1},{K}_{2}$ are selected per encryption session.

#### $EM256AES$ Efficiency

#### $EM256AES$ Performance

The performance was measured on an Intel® Core™ i7-4700MQ processor (microarchitecture codename Haswell), with the enhancements (Intel® Turbo Boost Technology, Intel® Hyper-Threading Technology, and Enhanced Intel SpeedStep® Technology) disabled. The code used the AES instructions (AES-NI) that are available on such modern processors. On this platform, we point out the following baseline: the performance of AES (128-bit key) in a parallelized mode (CTR) is $0.63$ cycles per byte (C/B hereafter), and in a serial mode (CBC encryption) it is $4.44$ C/B. The measured performance of our $EM256AES$ implementation was $1.44$ C/B for the parallel mode and $8.92$ C/B for the serial mode, which clearly matches the predictions. It is also interesting to compare the performance of $EM256AES$ to another 256-bit cipher. To this end, we prepared an implementation of the Rijndael256 cipher [22] (we point out that although AES is based on the Rijndael block cipher, the AES standard specifies only a 128-bit block size, while the Rijndael definition supports both 128-bit and 256-bit blocks; for details on how to code Rijndael256 with AES-NI, see [23]). Rijndael256 (in ECB mode) turned out to be much slower than $EM256AES$, performing at $3.85$ C/B.

## 7. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

1. Bogdanov, A.; Knudsen, L.R.; Leander, G.; Standaert, F.; Steinberger, J.P.; Tischhauser, E. Key-alternating ciphers in a provable setting: Encryption using a small number of public permutations (extended abstract). In Advances in Cryptology—EUROCRYPT 2012; Lecture Notes in Computer Science; Springer: Heidelberg, Germany, 2012; Volume 7237, pp. 45–62.
2. Even, S.; Mansour, Y. A construction of a cipher from a single pseudorandom permutation. J. Cryptol. **1997**, 10, 151–161.
3. Daemen, J. Limitations of the Even–Mansour construction. In Advances in Cryptology—ASIACRYPT 1991; Lecture Notes in Computer Science; Springer: Berlin, Germany, 1991; Volume 739, pp. 495–498.
4. Chen, S.; Steinberger, J. Tight security bounds for key-alternating ciphers. In Advances in Cryptology—EUROCRYPT 2014; Lecture Notes in Computer Science; Springer: Heidelberg, Germany, 2014; Volume 8441, pp. 327–350.
5. Steinberger, J.P. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.348.6401&rep=rep1&type=pdf (accessed on 15 January 2016).
6. Lampe, R.; Patarin, J.; Seurin, Y. An Asymptotically Tight Security Analysis of the Iterated Even–Mansour Cipher. In Advances in Cryptology—ASIACRYPT 2012; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2012; Volume 7658, pp. 278–295.
7. Nikolić, I.; Wang, L.; Wu, S. Cryptanalysis of Round-Reduced LED. In Fast Software Encryption—FSE 2013; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2013; Volume 8424, pp. 112–129.
8. Dinur, I.; Dunkelman, O.; Keller, N.; Shamir, A. Key Recovery Attacks on 3-round Even–Mansour, 8-step LED-128, and full AES$^2$. In Advances in Cryptology—ASIACRYPT 2013; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2013; Volume 8269, pp. 337–356.
9. Maurer, U.; Renner, R.; Holenstein, C. Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In Theory of Cryptography; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2004; Volume 2951, pp. 21–39.
10. Coron, J.-S.; Patarin, J.; Seurin, Y. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology—CRYPTO 2008; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2008; Volume 5157, pp. 1–20.
11. Gentry, C.; Ramzan, Z. Eliminating random permutation oracles in the Even–Mansour cipher. In Advances in Cryptology—ASIACRYPT 2004; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2004; Volume 3329, pp. 32–47.
12. Lampe, R.; Seurin, Y. Security Analysis of Key-Alternating Feistel Ciphers. In Fast Software Encryption—FSE 2014; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2014; Volume 8540, pp. 243–264.
13. Patarin, J. Étude des générateurs de permutations pseudo-aléatoires basés sur le schéma du D.E.S. Ph.D. Thesis, National Institute for Research in Computer Science and Control (INRIA), Rocquencourt, France, 1991.
14. Patarin, J. Luby–Rackoff: 7 rounds are enough for $2^{n(1-\epsilon)}$ security. In Advances in Cryptology—CRYPTO 2003; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2003; Volume 2729, pp. 513–529.
15. Piret, G. Luby–Rackoff revisited: On the use of permutations as inner functions of a Feistel scheme. Des. Codes Cryptogr. **2006**, 39, 233–245.
16. Treger, J.; Patarin, J. Generic attacks on Feistel networks with internal permutations. In Progress in Cryptology—AFRICACRYPT 2009; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2009; Volume 5580, pp. 41–59.
17. Nandi, M. The characterization of Luby–Rackoff and its optimum single-key variants. In Progress in Cryptology—INDOCRYPT 2010; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2010; Volume 6498, pp. 82–97.
18. Mouha, N.; Luykx, A. Multi-Key Security: The Even–Mansour Construction Revisited. In Advances in Cryptology—CRYPTO 2015; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2015; Volume 9251, pp. 209–223.
19. Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES). Available online: http://csrc.nist.gov/CryptoToolkit/aes/pre-round1/aes_9709.htm (accessed on 15 January 2016).
20. Knudsen, L.; Rijmen, V. Known-Key Distinguishers for Some Block Ciphers. In Advances in Cryptology—ASIACRYPT 2007; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2007; Volume 4833, pp. 315–324.
21. Gilbert, H.; Peyrin, T. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In Fast Software Encryption—FSE 2010; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2010; Volume 6147, pp. 365–383.
22. Daemen, J.; Rijmen, V. AES Proposal: Rijndael (National Institute of Standards and Technology). Available online: http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf (accessed on 15 January 2016).
23. Gueron, S. Intel Advanced Encryption Standard (AES) Instructions Set (Rev 3.01). Available online: http://software.intel.com/sites/default/files/article/165683/aes-wp-2012-09-22-v01.pdf (accessed on 15 January 2016).

**Figure 1.** The figure shows a function from $\{0,1\}^{2n}$ to $\{0,1\}^{2n}$, based on two Feistel rounds with a function $f:\{0,1\}^{n}\to \{0,1\}^{n}$. For any function $f$, this construction is a permutation of $\{0,1\}^{2n}$, denoted $\mathsf{LR}^{2}[f]$. We call it a “2-round Luby–Rackoff permutation”. Proposition 1 shows that if $f$ itself is a permutation of $\{0,1\}^{n}$, then $\mathsf{LR}^{2}[f]$ is a balanced permutation of $\{0,1\}^{2n}$.

**Figure 2.** The 2-round balanced permutation EM (BPEM) cipher operates on blocks of size $2n$ bits. The permutations $P_{1}$ and $P_{2}$ are balanced permutations of $\{0,1\}^{2n}$, defined as 2-round Luby–Rackoff permutations. $f_{1}$ and $f_{2}$ are two (public) permutations of $\{0,1\}^{n}$. Each of $K_{0},K_{1},K_{2}$ is a $2n$-bit secret key. See explanation in the text.
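As an added example (not code from the paper), the following toy implementation realizes the 2-round Luby–Rackoff permutation $\mathsf{LR}^{2}[f]$ of Figure 1 and the 2-round BPEM cipher of Figure 2 with $n=4$, so that the permutation property can be checked exhaustively and decryption verified for every block. The public permutations `f1`, `f2` and the keys are constructed here; the key placement $C = K_{2}\oplus P_{2}(K_{1}\oplus P_{1}(K_{0}\oplus M))$ is the standard iterated-EM layout assumed since Definition 3 is not reproduced on this page, and balance itself (Definition 1) is not checked because its statement is likewise absent.

```python
import random

N = 4                        # toy half-block size n; one block is 2n = 8 bits
MASK = (1 << N) - 1

def make_perm(seed):
    """Constructed stand-in for a public n-bit permutation f, as a lookup table."""
    return random.Random(seed).sample(range(1 << N), 1 << N)

def lr2(f, x):
    """LR^2[f]: two Feistel rounds (l, r) -> (r, l ^ f(r)) on a 2n-bit block x."""
    l, r = x >> N, x & MASK
    for _ in range(2):
        l, r = r, l ^ f[r]
    return (l << N) | r

def lr2_inv(f, y):
    """Inverse of lr2: each round is undone as (l, r) -> (r ^ f(l), l).
    Only the forward f is used, which is why any function f yields a permutation."""
    l, r = y >> N, y & MASK
    for _ in range(2):
        l, r = r ^ f[l], l
    return (l << N) | r

def is_permutation(f):
    """Exhaustively check that x -> LR^2[f](x) is a bijection on 2n bits."""
    return len({lr2(f, x) for x in range(1 << 2 * N)}) == 1 << 2 * N

def bpem2_encrypt(keys, f1, f2, m):
    """2-round BPEM: C = K2 ^ P2(K1 ^ P1(K0 ^ M)) with P_i = LR^2[f_i] and
    2n-bit keys. The key placement is the standard iterated-EM layout
    (assumption: Definition 3 is not reproduced on the page)."""
    k0, k1, k2 = keys
    return k2 ^ lr2(f2, k1 ^ lr2(f1, k0 ^ m))

def bpem2_decrypt(keys, f1, f2, c):
    """Inverse of bpem2_encrypt: strip K2, P2, K1, P1, K0 in reverse order."""
    k0, k1, k2 = keys
    return k0 ^ lr2_inv(f1, k1 ^ lr2_inv(f2, k2 ^ c))

def roundtrip_ok(keys, f1, f2):
    """Decrypt(Encrypt(m)) == m for every 2n-bit block m."""
    return all(bpem2_decrypt(keys, f1, f2, bpem2_encrypt(keys, f1, f2, m)) == m
               for m in range(1 << 2 * N))

if __name__ == "__main__":
    F1, F2 = make_perm(1), make_perm(2)      # constructed public permutations
    KEYS = (0x3C, 0xA5, 0x5A)                # constructed 2n-bit session keys
    print("LR^2[f1] is a permutation:", is_permutation(F1))
    print("BPEM round-trips:", roundtrip_ok(KEYS, F1, F2))
```

Replacing `make_perm` with a constant table still passes `is_permutation`, matching the Figure 1 remark that $\mathsf{LR}^{2}[f]$ is a permutation for any function $f$.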

© 2016 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Gilboa, S.; Gueron, S.; Nandi, M.
Balanced Permutations Even–Mansour Ciphers. *Cryptography* **2017**, *1*, 2.
https://doi.org/10.3390/cryptography1010002
