2013
DOI: 10.1007/978-3-642-40041-4_29
|View full text |Cite
|
Sign up to set email alerts
|

On the Indifferentiability of Key-Alternating Ciphers

Abstract: Abstract. The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition:where (k0, . . . , kt) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (sec… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
2

Citation Types

2
52
0

Year Published

2013
2013
2020
2020

Publication Types

Select...
6

Relationship

0
6

Authors

Journals

citations
Cited by 61 publications
(54 citation statements)
references
References 46 publications
2
52
0
Order By: Relevance
“…In a prior and independent work [2], Andreeva et al proved a result which is close and complementary to ours: they showed that the iterated Even-Mansour construction with five rounds and a key derivation function modeled as a random oracle is indifferentiable from an ideal cipher. Though significantly reducing the number of rounds required for the proof to go through, and lifting the restriction that the master key length be equal to the block length of the permutations, their technique puts a strong burden on the key derivation function, which can hardly be seen as close to a random oracle in most concrete block ciphers.…”
Section: Theorem the 12-round Single-key Iterated Even-mansour Ciphesupporting
confidence: 73%
See 4 more Smart Citations
“…In a prior and independent work [2], Andreeva et al proved a result which is close and complementary to ours: they showed that the iterated Even-Mansour construction with five rounds and a key derivation function modeled as a random oracle is indifferentiable from an ideal cipher. Though significantly reducing the number of rounds required for the proof to go through, and lifting the restriction that the master key length be equal to the block length of the permutations, their technique puts a strong burden on the key derivation function, which can hardly be seen as close to a random oracle in most concrete block ciphers.…”
Section: Theorem the 12-round Single-key Iterated Even-mansour Ciphesupporting
confidence: 73%
“…Together with the result of [2] discussed below, our main theorem validates the design strategy underlying SPNs and more generally key-alternating ciphers as a sound way to ensure security beyond pseudorandomness: it (theoretically) enables to achieve resistance against related-key, known-key and chosen-key attacks (that an ideal cipher can withstand). We stress that our result cannot be used as is to take concrete design decisions: first, our bounds (as is often the case with indifferentiability results) are extremely loose.…”
Section: Theorem the 12-round Single-key Iterated Even-mansour Ciphesupporting
confidence: 65%
See 3 more Smart Citations