On the Indifferentiability of Key-Alternating Ciphers

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAtconsists of a small number t of fixed permutations Pion n bits, separated by key addition: KAt(K, m) = kt⊕ Pt(...k2⊕ P2(k1⊕ P1(k0⊕ m))...), where, (k0..., kt) are obtained from the master key K using some key derivation function. For t = 1, KA1collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAtindifferentiable from the ideal cipher, assuming P1,...,Ptare (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5is indifferentiable from an ideal cipher, assuming P1,...,P5are five independent random permutations, and the key derivation function sets all rounds keys ki= f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P4,P5. © 2013 International Association for Cryptologic Research.

ISBN:978-3-642-40040-7

Publication year:2013

BOF-keylabel:yes

IOF-keylabel:yes

Authors from:Government, Higher Education

Accessibility:Open