11

I've read recently the paper "Minimalism in Cryptography: The Even-Mansour Scheme Revisited" by Dunkelman, Keller and Shamir where it is claimed that the following construction (Single-Key EM) is secure:

$$C=K\oplus E(P\oplus K)$$

with $E$ being a publicly known fixed permutation.

Is there any reason not to use the above scheme (as block cipher) with AES-128 and key $0^{128}$ as $E$?

As for the reasons why somebody may want to use it:

  • It can provide smaller implementations, enabling the hard-coding of the round constants
  • It may be faster for the same reason
  • It is more key-agile, allowing for much faster key switches (e.g. in a hashing / KFB scenario)
SEJPM
  • 46,697
  • 9
  • 103
  • 214

1 Answer

9

This is considered in §6 of Bogdanov et al., who go on to devise an alternative 2-round AES-based Even-Mansour cipher—$\text{AES}^2$. The problem is, essentially, that 1-round Even-Mansour is only secure up to $2^{n/2}$ blockcipher queries, for an $n$-bit block. Specifically, a collision between $\text{SEM}_K(P) \oplus P$ and $E(P) \oplus P$ immediately reveals $K$ (cf. §4.2 of Dunkelman-Keller-Shamir).

In general, you want an Even-Mansour cipher targeting $n$-bit security to have block size $2n$. This is the case with, e.g., Salsa20 and ChaCha's core functions, which are Even-Mansour-like, target 256-bit security, and work on 512-bit blocks. Several permutation-based CAESAR candidates, such as Prøst or Minalpher, work similarly.

Samuel Neves
  • 12,960
  • 46
  • 54
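The collision-based key recovery the answer refers to, worked through on a toy 16-bit permutation so the $2^{n/2}$ bound is visible in the query count (an added example, not code from the question, the answer or the paper; `make_permutation`, `sem_encrypt` and `recover_key` are names chosen here, and the seeded random permutation stands in for AES-128 under the all-zero key).

```python
from typing import Callable, Dict, List, Optional
import random

N_BITS = 16                      # toy block size; the question's scheme has n = 128

def make_permutation(seed: int) -> List[int]:
    """Constructed stand-in for the public permutation E (the role AES-128 under
    the all-zero key would play): a seeded random permutation of 16-bit values."""
    rng = random.Random(seed)
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    return table

E = make_permutation(2024)
E_INV = [0] * len(E)
for _x, _y in enumerate(E):
    E_INV[_y] = _x

def sem_encrypt(key: int, p: int) -> int:
    """Single-key Even-Mansour: C = K xor E(P xor K)."""
    return key ^ E[p ^ key]

def sem_decrypt(key: int, c: int) -> int:
    """Inverse: P = K xor E^-1(C xor K)."""
    return key ^ E_INV[c ^ key]

def recover_key(oracle: Callable[[int], int], budget: int, seed: int = 1) -> Optional[int]:
    """Birthday-bound key recovery: SEM_K(P) xor P == E(x) xor x whenever
    x == P xor K, so a match between an online table (queries to the keyed
    cipher) and an offline table (evaluations of the public E) gives
    K = P xor x.  About 2^(n/2) entries per table suffice, which is why an
    n-bit security target needs a 2n-bit block."""
    rng = random.Random(seed)
    offline: Dict[int, int] = {}   # E(x) xor x -> x
    online: Dict[int, int] = {}    # SEM_K(P) xor P -> P
    for _ in range(budget):
        x = rng.getrandbits(N_BITS)
        offline[E[x] ^ x] = x
        p = rng.getrandbits(N_BITS)
        online[oracle(p) ^ p] = p
    for v, p in online.items():
        if v in offline:
            cand = p ^ offline[v]
            checks = [rng.getrandbits(N_BITS) for _ in range(2)]   # reject chance matches
            if all(oracle(t) == sem_encrypt(cand, t) for t in checks):
                return cand
    return None

if __name__ == "__main__":
    K = 0xBEEF
    budget = 8 << (N_BITS // 2)              # a small multiple of 2^(n/2) = 256
    print(hex(recover_key(lambda p: sem_encrypt(K, p), budget)))   # 0xbeef
```

With $n = 16$ the key falls to a few thousand queries in total, far below the $2^{16}$ a brute-force search would need; the same ratio is what makes $2^{64}$ the effective limit for the 128-bit variant in the question.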