Abstract. A t-round key-alternating cipher (also called iterated Even-Mansour cipher ) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P1, . . . , Pt : {0, 1} n → {0, 1} n and a key k = k0 · · · kt ∈ {0, 1} n(t+1) by setting. The indistinguishability of E k from a truly random permutation by an adversary who also has oracle access to the (public) random permutations P1, . . . , Pt was investigated in 1997 by Even and Mansour for t = 1 and for higher values of t in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to 2 n/2 queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be 2 t t+1 n queries for general t, which matches an easy distinguishing attack (so security cannot be more). n for all even values of t, thus "barely" falling short of the desired 2 t t+1 n .Our contribution in this work is to prove the long-sought-for security bound of 2 t t+1n , up to a constant multiplicative factor depending on t. Our method is essentially an application of Patarin's H-coefficient technique.