Balanced permutations Even-Mansour ciphers

The $r$-rounds Even-Mansour block cipher is a generalization of the well known Even-Mansour block cipher to $r$ iterations. Attacks on this construction were described by Nikoli\'c et al. and Dinur et al., for $r = 2, 3$. These attacks are only marginally better than brute force, but are based on an interesting observation (due to Nikoli\'c et al.): for a"typical"permutation $P$, the distribution of $P(x) \oplus x$ is not uniform. This naturally raises the following question. Call permutations for which the distribution of $P(x) \oplus x$ is uniform"balanced."Is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even-Mansour block cipher? We show how to generate families of balanced permutations from the Luby-Rackoff construction, and use them to define a $2n$-bit block cipher from the $2$-rounds Even-Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of $\{0, 1\}^{2n}$, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o (2^{n/2})$. As a practical example, we discuss the properties and the performance of a $256$-bit block cipher that is based on our construction, and uses AES as the public permutation.

As a practical example, Bogdanov et al. defined the 128-bit block cipher AES 2 , which is an instantiation of the 2-rounds EM cipher where the two public permutations are AES with two publicly known "arbitrary" keys (they chose the binary digits of the constant π). The complexity of the best (meet-in-themiddle) attack they showed uses 2 129.6 cipher revaluations. Consequently, they conjectured that AES 2 offers 128-bit security.
Understanding the security of the EM cipher has been the topic of extended research. First, Even and Mansour [8] proved, for r = 1, that an adversary needs to make Ω(2 n/2 ) oracle queries before he can decrypt a new message with high success probability. Daemen [5] showed that this bound is tight, by demonstrating a chosen-plaintext key-recovery attack after O(2 n/2 ) evaluations of P 1 and the encryption oracle. Bogdanov et al. [2], showed, for the r-rounds EM cipher, r ≥ 2, that an adversary who sees only O(2 2n/3 ) chosen plaintext-ciphertext pairs cannot distinguish the encryption oracle from a random permutation of {0, 1} n . This result has been recently improved by Chen and Steinberger [3], superseding intermediate progress made by Steinberger [19] and by Lampe, Patarin and Seurin [12]. They showed that for every r, an adversary needs Ω(2 r r+1 n ) chosen plaintext-ciphertext pairs before he can distinguish the r-rounds EM cipher from a random permutation of {0, 1} n . This bound is tight, by Bogdanov et al.'s [2] distinguishing attack after O(2 r r+1 n ) queries. Nikolić et al. [15] demonstrated a chosen-plaintext key-recovery attack on the single key variant (K 0 = K 1 = K 2 ) of the 2-rounds EM cipher. Subsequently, Dinur et al. [7] produced additional key-recovery attacks on various other EM variants. All the attack in [15] and [7] are only slightly better than a brute force approach. For example, the attack ( [7]) on the single key variant of the 2-rounds EM cipher has time complexity O log n n 2 n , and the attack ( [7]) on AES 2 (with three different keys) has complexity of 2 126.8 (still better than Bogdanov et al. [2], thus enough to invalidate their that AES 2 has 2 128 security).
The above attacks are based on the astute observation, made in [15], that for a "typical" permutation P of {0, 1} n , the distribution of P (x) ⊕ x over uniformly chosen x ∈ {0, 1} n is not uniform. Currently, this observation yields only weak attacks, but the unveiled asymmetry may have the potential to lead to stronger results.
This motivates the following question. Call a permutation P of {0, 1} n "balanced" if the distribution of P (x) ⊕ x, over uniformly chosen x ∈ {0, 1} n , is uniform. Can we construct a block cipher based on balanced permutations? We point out that, a priori, it is not even clear that there exists a family of such permutations, that is large enough to support a block cipher construction.
In this work, we show how to generate a large family of balanced permutations of {0, 1} 2n , by observing that a 2-rounds Luby-Rackoff construction with any two identical permutations of {0, 1} n , always yields a balanced permutation (of {0, 1} 2n ). We use these permutations in an EM setup (illustrated in Figure 2, top panel), to construct a block cipher with block size of 2n bits. Note that in this EM setup, the permutations P 1 , P 2 are not chosen uniformly at random from the set of all permutations of {0, 1} 2n . They are selected from a particular subset of the permutations of {0, 1} 2n , and defined via a random choice of two permutations of {0, 1} n , as the paper describes.
For the security of the resulting 2n bits block cipher, we would ideally like to maintain the security of the EM cipher (on blocks of 2n bits ). This would be guaranteed if we replaced the random permutation in the EM cipher, with an indifferentiable block cipher (as defined in [13]). However, the balanced permutations we use in the EM construction are 2-rounds Luby-Rackoff permutations, and it was shown in [4] that even the 5-rounds Luby-Rackoff construction does not satisfy indifferentiability. Therefore, it is reasonable to expect weaker security properties in our cipher. Indeed, we demonstrate a distinguishing (not a key recovery) attack that uses O(2 n/2 ) queries. On the other hand, we prove that a smaller number of chosen plaintext-ciphertext queries is not enough to distinguish the block cipher from a random permutation of {0, 1} 2n .
We comment that the combination of EM and Luby-Rackoff constructions have already been used and analyzed. Gentry and Ramzan [9] showed that the internal permutation of the Even-Mansour construction for 2n-bits block size, can be securely replaced by a 4-rounds Luby-Rackoff scheme with public round functions. They proved that the resulting construction is secure up to O(2 n/2 ) queries. Lampe and Seurin [11] discuss r-rounds Luby-Rackoff constructions where the round functions are of the form x → F i (K i ⊕ x), F i is a public random function, and K i is a (secret) round key. For an even number of rounds, this can be seen as a r/2-rounds EM construction, where the permutations are 2-rounds Luby-Rackoff permutations. They show that this construction is secure up to O(2 tn t+1 ) queries, where t = r/3 for non-adaptive chosen-plaintext adversaries, and t = r/6 for adaptive chosen-plaintext and ciphertext adversaries. These works bare some similarities to ours, but the new feature in our construction is the emergence of balanced permutations.
The paper is organized as follows. In Section 2 we discuss balanced permutations and balanced permutations EM ciphers. Section 3 provides general background for the security analysis given in Section 4. In Section 5, we demonstrate the distinguishing attack. A practical use of our construction is a 256-bit block cipher is based on AES. Section 6 defines this cipher and discusses its performance characteristics. We conclude with a discussion in Section 7.
5 Also known as "orthomorphism" in the mathematical literature Example 1. Let A ∈ M n×n (Z 2 ) be a matrix such that both A and I + A are invertible. Define π A : Z n 2 → Z n 2 by π A (x) = Ax. Then π A is a balance permutation of {0, 1} n . One such matrix is defined by A i,i = A i,i+1 = 1 for i = 1, 2, . . . , n − 1, A n,1 = 1 and A i,j = 0 for all other 1 ≤ i, j ≤ n.
Example 2. Let a be an element of GF (2 n ) such that a = 0, 1. Identify GF (2 n ) with {0, 1} n , so that field addition corresponds to bitwise XOR. The field's multiplication is denoted by ×. The function x → a × x is a balanced permutation of {0, 1} n . Note that this example is actually a special case of the previous one. Let us use the following notation. For a string ω ∈ {0, 1} 2n , denote the string of its first n bits by ω L ∈ {0, 1} n , and the string of its last n bits by ω R ∈ {0, 1} n . Denote the concatenation of two strings ω 1 , ω 2 ∈ {0, 1} n (in this order) by ω 1 * ω 2 ∈ {0, 1} 2n . We have the following identities: For every r ≥ 2 and r functions f 1 , . . . , f r : {0, 1} n → {0, 1} n , we define the r-rounds Luby-Rackoff permutation to be the composition Assume that x, y ∈ {0, 1} 2n such thatP (x) =P (y), i.e., We established that P (x) =P (y) implies x = x L * x R = y L * y R = y which concludes the proof. Figure 1 shows an illustration of 2-rounds Luby-Rackoff (balanced) permutation.

Balanced permutations EM ciphers
Definition 3 (r-rounds balanced permutations EM ciphers (BPEM)). Let n ≥ 1 and r ≥ 1 be integers. Let K 0 , K 1 , . . . , K r be r respectively. The r-rounds balanced permutations EM (BPEM) block cipher is defined as (where EM is defined by (1)). It encrypts 2n-bit blocks with an r-rounds EM cipher with the keys K 0 , K 1 , . . . , K r , where the r permutations P 1 , P 2 , . . . , P r (of The use of the r-rounds BPEM cipher for encryption (and decryption) starts with an initialization step, where the permutations f 1 , f 2 , . . . , f r are selected uniformly and independently, at random from the set of permutations of {0, 1} n . After they are selected, they can be made public. Subsequently, per session/message, the secret keys K 0 , K 1 , . . . , K r are selected uniformly and independently, at random, from {0, 1} 2n . Figure 2 illustrates a 2-rounds BPEM cipher BPEM[K 0 , K 1 , K 2 ; f 1 , f 2 ], which is the focus of this paper. Remark 1. The r-rounds EM cipher is not necessarily secure with any choice of balanced permutations as P 1 , P 2 , . . . , P r . For example, it can be easily broken when using the linear balanced permutations shown in Examples 1 and 2.
Remark 2. In our construction, the permutations P 1 , P 2 , . . . , P r are not random permutations. Therefore, the security analysis of the "classical" EM does not apply, and the resulting cipher (BPEM) may not be secure. Indeed, it is easy to see that the 1-round BPEM does not provide confidentiality. For any plaintexts m ∈ {0, 1} 2n , we have, by (3), Therefore, by (4), (1) and (3), which means that the ciphertexts leak out information on m 1 , m 2 . This also implies that the r-rounds BPEM cipher must be used with r ≥ 2 to have any hope for achieving security.
In Section 4 we prove that the 2-round BPEM cipher is indistinguishable from a random permutation.

Equivalent representation of BPEM in terms of LR
In this section we show that 2-rounds BPEM can be viewed as a "keyed" 6 Luby-Rackoff cipher (in fact, the r-rounds BPEM has a similar representation for every r).

Security preliminaries and definitions
Let A be an oracle adversary which interacts with one or more oracles. Suppose that O and O are two oracles (or a tuple of oracles) with same domain and range spaces. We define the distinguishing advantage of A distinguishing O and O as The maximum advantage max A ∆ A (O; O ) over all adversaries with complexity θ (which includes query, time complexities etc.) is denoted by ∆ θ (O; O ). When we consider computationally unbounded adversaries (which is done in this paper), the time and memory parameters are not present and so we only consider query complexities. In the case of a single oracle, θ is the number of queries, and in the case of a tuple of oracles, θ would be of the form (q 1 , . . . , q r ) where q i denotes the number of queries to the i th oracle. While we define security advantages of O, we usually choose O to be an ideal candidate, such as the random permutation Π or a random function. The PRP-advantage of A against a keyed construction The maximum PRP-advantage with query complexity θ is denoted as ∆ prp C (θ).
In this paper, we always assume that queries to an oracle O are allowed in both directions, i.e., to O −1 as well. We denote The SPRP-advantage of a keyed construction C K (where the adversary has access to both the encryption C K and its decryption . When a construction C is based on one or more ideal permutations or random permutations f 1 , . . . , f r and a key K, we define SPRP-advantage of a distinguisher A, in presence of ideal candidates, as ∆ ± A ((C, f 1 , . . . , f r ); (Π, f 1 , . . . , f r )) where Π is sampled independently off := (f 1 , . . . , f r ). We denote the maximum advantage by ∆ im-sprp C (θ) := ∆ ± θ ((C,f ); (Π,f )) which we call SPRP-advantage in the ideal model. The complexity parameters of the above advantages depend on the number of oracles, and will be explicitly declared in specific instances.
We state two simple observations on the distinguishing advantages for oracles (we skip the proofs of these observations, as these are straightforward).
Observation 2 If C is an oracle construction, then (by using standard reduction) where r is the number of queries to O, needed to simulate one query to the construction C O ).
Note that in the Observation 2, we do not need to assume any kind of independence of the oracles. Analogous observations, up to obvious changes, hold for the case where O 1 , O 2 , O are tuples of oracles.

Coefficient-H technique
Patarin's coefficient-H technique [16] (see also [17]) is a tool for showing an upper bound for the distinguishing advantage. Here is the basic result of the technique.
Theorem 1 (Patarin [16]). Let O and O be two oracle algorithms with domain D and range R. Suppose there exist a set V bad ⊆ D q × R q and ε > 0 such that the following conditions hold: 1. For all (x 1 , . . . , x q , y 1 , . . ., y q ) ∈ V bad , (the above probabilities are called interpolation probabilities). Then,

For all
The above result can be applied for more than one oracle. In such cases we split the parameter q into (q 1 , . .

Known related results
The security of Even-Mansour cipher It is known that the Even-Mansour cipher EM K0,K1 is SPRP secure in the ideal model, in the following sense: The same is true for the single key variant EM K,K . In Section 4, we provide (using Patarin's coefficient-H technique) a simple proof of this result (Lemma 2) and a more general result (Lemma 3).
The security of Luby-Rackoff encryption The 3-rounds Luby-Rackoff construction is PRP secure and the 4-rounds Luby-Rackoff construction is SPRP secure , when the underlying functions f i are PRP's (or PRF's). We use the following quantified version of the SPRP security of the 4-rounds case.
Observation 3 For every dist n (x 1 , . . . , x t ), dist n (y 1 , . . . , y t ) and a uniform random permutation Π on {0, 1} n , More generally, let Π 1 , . . . , Π r be independent uniform random permutations over {0, 1} n then for every block-wise distinct tuples . (6) Now we show that for a random permutation Π of {0, 1} n and a uniformly chosen K, the permutation Π ⊕K (single keyed 1-round EM, see Notation 1) is SPRP secure in the ideal model. Proof. We use Patarin's coefficient H-technique. We take the set of bad views V bad to be the empty set. We need to show that for every tuples M, C ∈ ({0, 1} n ) q1 , x, y ∈ ({0, 1} n ) q2 , where ε = 2q1q2 2 n . With no loss of generality we may assume that each of the tuples M, C, x, y is block-wise distinct. Then, by (6), .
We say that a key K ∈ {0, 1} n is "good" if K ⊕ M i = x j and K ⊕ C i = y j for all 1 ≤ i ≤ q 1 , 1 ≤ j ≤ q 2 . In other words, for a good key all the inputs (outputs) of Π (in the I real computation) are block-wise distinct. Thus, for any given good key K, By a simple counting argument, the number of good keys is at least 2 n − 2q 1 q 2 , i.e., the probability that a randomly chosen key is good, is at least (1 − ε), where ε = 2q1q2 2 n . Therefore, we have  Proof. The proof is similar to the proof of Lemma 2. Let M i , C i ∈ ({0, 1} n ) qi , 1 ≤ i ≤ t, X α , Y α ∈ ({0, 1} n ) q α , 1 ≤ α ≤ r, be block-wise distinct tuples. From (6), we have that .
We say that a tuple of keys (K 1 , . . . , K s ) is "bad" if one of the following holds: Note that there are at most r α=1 σα 2 cases in the first and in the third items, and at most r α=1 σ α q α cases in the second and fourth items. If a key tuple is not bad, we say that it is a "good" key tuple. As in the proof of Lemma 2, for a good key tuple all the inputs (outputs) of each permutation are distinct. Thus, given a good tuple of keys (K 1 , . . . , K s ), it is easy to see that It now remains to bound the probability that a random key tuple is bad. This can happen with one of the cases listed in items 1-4 where each case has probability 2 −n to occur. Hence, the probability that a random key tuple is bad, is at most σ 2 n , and the probability that a random key tuple is good is therefore at least 1 − σ 2 n . The result follows by Theorem 1.

Main theorems
where the (secret) keys K 0 , K 1 , K 2 are selected uniformly and independently at random. Let q * be the maximum number of queries to the encryption/decryption oracle, and let q 1 , q 2 be the maximum numbers of queries to the public permutations f 1 and f 2 , respectively. Then, Proof. By Lemma 1, we know that our BPEM construction is same as where K 1 , . . . , K 6 are defined via (5) by K 1 , K 2 , K 3 , K 4 . The matrix in (5) is lower triangular with non-zero diagonal, and hence non-singular. Thus, the "new" keys K 1 , . . . , K 6 are also distributed uniformly and independently. As K 5 , K 6 are independent of all the "ingredients" of LR[f ], it suffices to prove our result without the keys K 5 and K 6 .
Theorem 5. Consider the single permutation BPEM cipher BPEM[K 0 , K 1 , K 2 ; f, f ] where the (secret) keys K 0 , K 1 , K 2 are selected uniformly and independently at random. Let q * be the maximum number of queries to the encryption/decryption oracle, and let q be the maximum number of queries to the public permutation f . Then, Remark 4. The difference in the bounds we received in Theorems 4 and 5 are due only to the difference in the value of σ in the application of Lemma 3.
We skip the proof of this lemma as it is similar to that of Lemma 3. Similarly to the proof of Theorem 4 (while using Lemma 4 instead of Lemma 3), we can obtain the following bound.
Theorem 6. Consider the single key BPEM cipher BPEM[K, K, K; f 1 , f 2 ] where the (secret) key K is selected uniformly at random. Let q * be the maximum number of queries to the encryption/decryption oracle, and let q 1 , q 2 be the maximum numbers of queries to the public permutations f 1 and f 2 , respectively. Then, Finally, similarly to the proof of Theorem 5 (while using Lemma 4 instead of Lemma 3, and using Theorem 3 instead of Theorem 2), we obtain the following bound.
Theorem 7. Consider the single key single permutation BPEM cipher BPEM[K, K, K; f, f ] where the (secret) key K is selected uniformly at random. Let q * be the maximum number of queries to the encryption/decryption oracle, and let q be the maximum number of queries to the public permutation f . Then,

A distinguishing attack on BPEM
In this section we describe a distinguishing attack on BPEM that uses O(2 n/2 ) queries. This is the same attack as the one described in [20,Section 3.2] for the 4-rounds Luby-Rackoff with internal permutations, not at all surprising, since we showed (in Section 2.3) that BPEM can be viewed as a 4-rounds Luby-Rackoff with internal (keyed) permutations. Nevertheless, for the sake of completeness, we describe and analyze the attack in this BPEM terminology. We will use the following technical lemma.
then x = y.

A practical constructions of a 256-bit cipher
In this section, we demonstrate a practical construction of a 256-bit block cipher based on the 2-rounds BPEM cipher, where the underlying permutation is AES.
Definition 4 (EM 256AES: a 256-bit block cipher). Let 1 and 2 be two 128-bit keys and let K 0 , K 1 , K 2 be three 256-bit secret keys (assume 1 , 2 , K 0 , K 1 , K 2 are selected uniformly and independently at random). Let the permutations f 1 and f 2 be the AES encryption using 1 and 2 as the AES key, respectively. The 256-bit block cipher EM 256AES is defined as the associated instantiation of the 2-rounds BPEM cipher BPEM[K 0 , K 1 , Usage of EM 256AES: • 1 and 2 are determined during the setup phase, and can be made public (e.g., sent from the sender to the receiver as an IV). • K 0 , K 1 , K 2 are selected per encryption session.
The single key EM256AES is the special case where a single value K ∈ {0, 1} 256 and a single value ∈ {0, 1} 128 are selected uniformly and independently at random, and the EM256AES cipher uses K 0 = K 1 = K 2 = K and 1 = 2 = .
Hereafter, we use the single key EM256AES. To establish security properties for EM 256AES, we make the standard assumption about AES with a secret key that is selected (uniformly at random): an adversary has negligible advantage in distinguishing AES from a random permutation of {0, 1} 128 even after seeing a (very) large number of plaintext-ciphertext pairs (i.e., the assumption is that AES satisfies its design goals ([1], Section 4). This assumption is certainly reasonable if the number of blocks that are encrypted with the same keys is limited to be much smaller than 2 64 . Therefore, in our context, we can consider assigning the randomly selected key at setup time, as an approximation for a random selection of the permutation f 1 = f 2 . Under this assumption, we can rely on the result of Theorem 7 for the security of EM 256AES.
EM 256AES efficiency: An encryption session between two parties requires exchanging a 256-bit secret key and transmitting a 128-bit IV (= ). One key (and IV) can be used for N blocks as long as we keep N 2 64 . Computing one (256-bit) ciphertext involves 4 AES computations (with the IV as the AES key) plus a few much cheaper XOR operations. Let us assume that the encryption is executed on a platform that has the capability of computing AES at some level of performance. If the EM 256AES encryption (decryption) is done in a serial mode, we can estimate the encryption rate to be roughly half the rate of AES (serial) computation on that platform (4 AES operations per one 256-bit block). Similarly, if the EM 256AES encryption is done in a parallelized mode, we can estimate the throughput to be roughly half the throughput of AES.
EM 256AES performance: To test the actual performance of EM 256AES, and validate our predictions, we coded an optimized implementation of EM 256AES. Its performance is reported here. The performance was measured on an Intel Core i7-4700MQ (microarchitecture Codename Haswell) where the enhancements (Intel Turbo Boost Technology, Intel Hyper-Threading Technology, and Enhanced Intel Speedstep Technology) were disabled. The code used the AES instructions (AES-NI) that are available on such modern processors. On this platform, we point out the following baseline: the performance of AES (128-bit key) in a parallelized mode (CTR) is 0.63 C/B, and in a serial mode (CBC) it is 4.44 cycles per byte (C/B hereafter). The measured performance of our EM 256AES implementation was 1.44 C/B for the parallel mode, and 8.92 C/B for the serial mode. The measured performance clearly matches the predictions. It is also interesting to compare the performance of EM 256AES to another 256bit cipher. To this end, we prepared an implementation of Rijndael256 cipher [6] 2 . For details on how to code Rijndael256 with AES-NI, see [10]). Rijndael256 (in ECB mode) turned out to be much slower than EM 256AES, performing at 3.85 C/B.

Discussion
In this work, we showed how to construct a large family of balanced permutations, and analyzed the resulting new variation, BPEM, of the EM cipher.
The resulting 2n-bit block cipher is obtained by using a permutation of {0, 1} n as a primitive. The computational cost of encrypting (decrypting) one 2n-bit block is 4 evaluations of a permutation of {0, 1} n (plus a relatively small overhead). Note that this makes BPEM readily useful in practice, for example to define a 256-bit cipher, because "good" permutations of {0, 1} 128 are available.
We demonstrated the specific cipher EM 256AES, which is based on AES, and showed that its throughput is (only) half the throughput of AES (and 2.5 times faster than Rijndael256).
A variation on the way by which BPEM can be used, would make it a tweakable 2n-bit block cipher. Here, the public IV (= ) can be associated with each encrypted block as an identifier, to be viewed as the tweak. The implementation would switch this tweak for each block. To randomize the keys for the (public) permutations, an additional encryption (using some secret key) is necessary.
The expression of the advantage in Theorem 4 behaves linearly with the number of queries to the public permutations, and quadratically with the number of queries to the encryption/decryption oracle. This reflects the intuition that the essential limitations on the number of adversary queries should be on the encryption/decryption invocations, while weaker (or perhaps no) limitations should be imposed on the number of queries to the public permutations. It also suggests the following protocol, where the secret keys are changed more frequently than the random permutations. Choose the public permutations for a period of, say, 1 1000 2 2n/3 blocks, divided into 2 n/3 sessions of 1 1000 2 n/3 blocks. Change the secret keys every session. This way, the relevant information on the block cipher, from a specific choice of keys, is limited to a session, while the adversary can accumulate relevant information from replies to the public permutations across sessions. Therefore, q * is limited to 1 1000 2 n/3 , while q * + q 1 + q 2 is limited to 1 1000 2 2n/3 . Theorem 4 guarantees that this usage is secure.