sign in sign up
<<
Home , Key whitening

Secret- from Ideal Primitives: A Systematic Overview

Peter Gaziˇ Stefano Tessaro Institute of Science and Technology, Austria University of California, Santa Barbara [email protected] [email protected]

Abstract—Secret-key constructions are often proved secure in however, we focus on the development of a general theory a model where one or more underlying components are replaced of cryptographic constructions in ideal models, rather than on by an idealized oracle accessible to the attacker. This model the practical implications of these results. gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. II.IDEAL PRIMITIVESAND SECRET-KEY CONSTRUCTIONS This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view. A. Ideal primitives Index Terms—Cryptography, provable security, ideal-primitive model. We start by formalizing the concept of an ideal primitive using notation inspired from [27]. An ideal primitive I is a I.INTRODUCTION system that initially samples as its state a function I according to some probability distribution, and then gives access to it Cryptographic systems are often proved secure under com- in forms of queries, i.e., on input x it returns I(x).1 The putational assumptions, such as the hardness of a certain following are typical examples: computational problem at hand. This approach is by now random function Rn,m R : standard, yet many practical schemes cannot be proved secure -A gives access to a function {0, 1}n → {0, 1}m under such assumptions despite being seemingly sound. chosen uniformly at random. It is also useful to consider a random oracle R∗,m, which takes An alternative is to carry out the security analysis in the so- arbitrary-length inputs, instead of n-bit long ones. called ideal primitive model (IPM): One starts by identifying -A random permutation Pn replies to both forward queries a building block B of a cryptographic construction C = C[B], (x, +), and backward queries (y, −), returning π(x) and and modeling an “idealized” version I of B. Then, one proves π−1(y), respectively, for a permutation π on n-bit strings that the construction C is secure when B is replaced by I, chosen uniformly at random. and the attacker can evaluate I. Typically, these proofs are - An extension is an ideal cipher Eκ,n which replies completely information-theoretic, i.e., security holds against to both forward queries (k, x, +), and backward attackers only bounded in the number of calls to I but queries (k, y, −), where k ∈ {0, 1}κ, returning π (x) otherwise computationally unrestricted. k and π−1(y), respectively, where the 2κ permutations An IPM security proof is a heuristic argument towards k {π } κ on the n-bit strings are chosen indepen- the security of the real construction C[B]: It excludes any k k∈{0,1} dently uniformly at random. We also write Eκ,n to attack that would use B in a black-box way, and hence, k identify the random permutation obtained by restricting any successful attack would have to exploit some structural queries to π . weakness of the real primitive B. Generally, IPM proofs do k not imply that I can be replaced by some concrete algorithm We often omit the parameters given as superscripts when clear B and retain security. Still, they are often the only way to from the context. Also, we are going to write I(x) to denote validate the security of many practical constructions. invoking the random primitive I on input x. Often, we write −1 This paper considers constructions of secret-key primitives P(x) or P (y) instead of P(x, +) and P(y, −). in the IPM (and more concretely, pseudorandom functions B. Pseudorandom functions and permutations and permutations, defined below), a problem that has gained widespread attention over the last few years. First, we are go- In this paper, we focus on the problem building pseudo- ing to provide a unified treatment of the problem, highlighting random functions (PRFs) and permutations (PRPs) from ideal the inherent barriers in terms of achievability. Second, we will primitives. PRFs and PRPs are universal for symmetric cryp- survey some existing results and see how they fit within this tography, meaning that all conventional secret-key primitives general treatment. We also provide two results (Theorem 1 can be built in a black-box way from them. Concretely, we and Theorem 3) that are new to the best of our knowledge, consider deterministic constructions C = C[I] that invoke and help better define the landscape. 1Note that efficient implementations of I usually use lazy sampling, i.e., The motivation for these results has been mostly practical, they generate I on the fly query after query, keeping this partial state as a as these results often validate block-cipher designs. Here, table. an ideal primitive I to implement a keyed function C[I]: k1 {0, 1}w × {0, 1}d → {0, 1}r, where d ∈ N ∪ {∗}. The first argument is referred to as the key, and the second as the input. ⊕ R PRF security demands that CK [I] = C[I](K, ·) (for a k2 random secret K) behaves as Rd,r for bounded adversaries. Concretely, let A be an adversary, i.e., a computationally x ⊕ R ⊕ M3[R](x) unbounded machine that can query one or more oracles, and k finally outputs a decision bit. We define the PRF advantage 3 of A against C as the quantity ⊕ R h i h d,r i prf CK [I],I R ,I AdvC (A) = P A ⇒ 1 − P A ⇒ 1 , where K is a uniform w-bit string. Note that here A gets access Fig. 1. The construction M3. to two oracles, namely CK [I] and I in the “real world”, as well as Rd,r and I in the “ideal world.” In particular, in the real world, both oracles are correlated, whereas in the ideal world query-answer pairs xi, yi for i ∈ [qC ], the adversary A checks they are independent. Queries to the first oracle are called whether there exists some I consistent with the qP primitive w construction queries, whereas queries to the second oracle are queries, and a key k ∈ {0, 1} such that Ck[I](xi) = yi for all called primitive queries. i ∈ [qc]. If so, it outputs 1, if not it outputs 0. Clearly, A always We also say that E : {0, 1}w ×{0, 1}n → {0, 1}n is (κ, n)- outputs 1 in the real world. In the ideal world, the adversary R (I) + w + ∆ if Ek = E(k, ·) is a permutation for all k. If C[I] obtains at least bits of randomness, yet there R (I)+w is a (κ, n)-block cipher, then we define the PRP advantage of are at most 2 q choices of I and k, and thus at most an adversary A against C as the quantity so many sequences of qC pairs (xi, yi) that can appear in the real world. Thus, the distinguisher outputs 1 with probability h i h n i prp CK [I],I P ,I −∆ AdvC (A) = P A ⇒ 1 − P A ⇒ 1 , at most 2 , i.e., the probability that the random outputs hit one of these sequences. where we abuse notation by denoting as CK [I] to oracle that The above attack implies that any PRF construction based answers forward queries (x, +) via CK [I](x) and backward on I can only be secure against adversaries with q  q(I) −1 P queries (y, −) as CK [I] (y). prf and qC  q(I). The same attack can also be used against PRP Finally, we say that C is a (qC , qP , ε)-PRF if AdvC (A) ≤ ε security, with the term 2−∆ replaced by a slightly larger one. for all adversaries A making qC construction and qP primitive KEY-SEARCH ATTACK: Another simple attack tries out all queries. We informally say that C is a (qC , qP )-PRF if it is a −w keys and checks them for consistency with construction (qC , qP , ε)-PRF for some small ε (e.g., ε = o(1) or ε = 2 ). queries. This is summarized by the following theorem, whose Similarly, one can define the notions of a (qC , qP , ε)-PRP and proof is omitted. (The same attack applies to PRP security, a (qC , qP )-PRP. with only a slightly larger term instead of 2w−rqC .) III.GENERIC ATTACKS Theorem 2: Let C = C[I]: {0, 1}w × {0, 1}d → {0, 1}r, and let t be an upper bound on the number of queries C makes Here, we want to understand what are the largest qC and to I upon each invocation. Then there exists an adversary A qP such that a construction can be a (qC , qP )-secure PRF or w asking qC construction queries and qP ≤ tqC 2 primitive PRP. We give two generic attacks establishing such bounds. prf queries such that Adv (A) ≥ 1 − 2w−rqC . RANDOMNESS EXHAUSTION ATTACK: For a primitive I ∈ C n,m n κ,n {R , P , E }, let q(I) be the number of queries neces- IV. CONSTRUCTIONSFROM RANDOM PERMUTATIONS AND n,m sary to recover its internal randomness I. (I.e., q(R ) = FUNCTIONS q(Pn) = 2n, q(Eκ,n) = 2κ+n.) Moreover, for q < q(I), let In this section, we discuss the question of building a PRF or Iq(I) be the minimum (over all sequences of q queries to I) n,m of the number of possible states of the internal randomness of a PRP from a random function R or a random permutation Pn. We note that the best we can hope for here is to build a I consistent with these q queries. Also, let Rq(I) = log Iq(I). n,m n (2n, 2n)-PRF or a (2n, 2n)-PRP, and we will see how close For example, Rq(R ) = (2 − q) · m. Theorem 1: Let C = C[I]: {0, 1}w ×{0, 1}d → {0, 1}r. For we get to this. We note that such constructions have been considered in the context of justifying block-cipher designs all qP < q(I), there exists an adversary A asking qP primitive l Rqp (I)+w+∆ m from some (unkeyed) function or permutation. queries and qC = r construction queries, such that A. Constructing PRFs Advprf (A) ≥ 1 − 2−∆ . C As far as we know, all PRF constructions (without invert- n,m Proof: The adversary A asks q = qP primitive queries ibility properties) from a random function R = R in n n minimizing the number of consistent states I to be Iq(I) = the literature fall short of achieving (2 , 2 )-PRF security. Rq (I) 2 , and qC distinct construction queries. Then, given the Here, we show that the following construction M`[R] (cf. also k1 k2 k` k`+1 k1 k2 k` x L P L ··· L P L 1 ` x E E ··· E

Fig. 2. The key-alternating cipher KAC[P ,..., P ] of length `. 1 ` Fig. 3. The cascade construction CE[E] of length `.

Fig. 1) is sufficient to achieve this: Given key k = (k1, . . . , k`), C. PRPs from Random Functions on input x ∈ {0, 1}n, it outputs The question of building PRPs from a random function was considered in the works of Gentry and Ramzan [19] and M`[R](k, x) = R(x ⊕ k1) ⊕ · · · ⊕ R(x ⊕ k`) . of Lampe and Seurin [24], who gave constructions based on This construction is simliar to one used by Myers [29] Feistel networks of n-bit input PRPs from a random function for the different problem of amplifying security of weak Rn/2,n/2. In particular, the construction of [24] is (nearly) an pseudorandom functions. We are not aware that it was ever (2n/2, 2n/2)-PRP for sufficiently many rounds, which is the analyzed for ` ≥ 2 (the analysis for ` = 1 is folklore). best one can hope for by Theorem 1. The following theorem establishes its security, and implies for V. KEY-LENGTH EXTENSIONFOR BLOCK CIPHERS example that for ` = Ω(1/ε) the construction is a (qC , qP )- n(1−ε) PRF for qC = qP = 2 for any ε > 0. A. Motivation Theorem 3: The construction M` is a (qC , qP , ε)-PRF for The key length inherently bounds the PRP security of ` n` ε = qC · (qC + qP ) /2 . a block cipher. For some existing block ciphers (such as Here, we only give the main idea behind the proof. Using DES) a short key represents the main security shortcoming, a standard argument, one can show that to break PRP security even if they otherwise do not exhibit any weaknesses. This an attacker needs to issue a construction query x with the motivated the problem of key-length extension (KLE): The property that there exists no i ∈ [`] such that x ⊕ ki is fresh, goal is to find constructions C transforming any (κ, n)-block i.e., for every i, R is evaluated on input x ⊕ ki by either cipher E into a (w, n)-block cipher C[E] with w > κ and another construction query or directly as a primitive query, and with the property that any attack should require significantly that the probability that this event occurs bounds Advprf (A) more than 2κ efforts, assuming that E itself contains no non- M` for every A. Again by a standard argument (cf. e.g. [27]), it generic weaknesses, and hence can be modeled as E = Eκ,n. is sufficient to consider the probability of this event in the Therefore, KLE formally considers constructions C[E] of a ideal world, where the keys k1, . . . , k` are independent of the (w, n)-block cipher for w > κ which we want to prove to be interaction. Using the independence of the keys, it is not hard secure PRPs, noting that the best we can hope for is a (qC , qP )- n κ+n to see that the probability of this event is at most qC (qC + PRP for qC and qP approaching 2 and 2 , respectively. q )`/2`n. P B. Plain Cascades B. PRPs from random permutations The most natural KLE approach is to apply the block cipher repeatedly using an independent key at each step – this is The question of building PRPs from a random permutation usually referred to as cascading. Formally, the cascade of n P was first considered by Even and Mansour [13]. Their length ` for E = Eκ,n is the (` · κ, n)-block cipher which, construction, given keys (k1, k2) and input x, outputs on input key k = (k1, . . . , k`) and plaintext x, returns

EM[P]((k1, k2), x) = k2 ⊕ P(x ⊕ k1) . CE`[E](k, x) = (Ek` ◦ · · · ◦ Ek1 )(x) . (1)

n The construction is a (qC , qP )-PRP as long as qC · qP ≤ 2 , A cascade of length ` is depicted in Figure 3. In practice, even when k1 = k2 [12]. This construction can be generalized the cascade of length ` = 3 underlies the widely deployed to multiple rounds, and is usually called a key-alternating Triple-DES (3DES) standard [1]. cipher (KAC) (see Fig. 2). This structure is in fact used also We note that plain cascades have been the object of security within the AES block cipher, and this fact has motivated a analyses in the standard-model, showing that they can be used recent line of works [5], [30], [22], [7] showing that for ` to amplify the security of weak pseudorandom permutations. ` `n Describing these works is beyond the scope of this paper, but rounds, KACs are a (qC , qP )-PRP as long as qC qP  2 . n n `−1 we refer the reader to [31] for an overview. This for example tolerates qC = 2 and qP = 2 ` , which is nearly optimal for growing `. Several variants of SECURITY BOUNDS: A length-two cascade does not increase length-two KACs with repeated keys or permutations were security in terms of the number of tolerable primitive queries considered in [6]. The results on KACs also have implications due to the meet-in-the-middle attack [11]. Nonetheless, a slight for the security of related constructions called XOR-cascades, security increase in terms of smaller distinguishing advantage κ as discussed below in Section V-C. ε was shown in [2] when qP < 2 . Bellare and Rogaway [4] were the first to prove that CE3 z0 φ1(k) z1 z`−1 φ`(k) z` n is a (qC , qP )-PRP whenever qC ≤ 2 and  κ n L L L L log(qP )  κ + min 2 , 2 . x E ··· E Gaziˇ and Maurer [16] subsequently showed an improvement for odd ` ≥ 4 and κ ≤ n, showing CE` is a (qC , qP )-PRP Fig. 4. The XOR-cascade construction XCE of length `. n when qC ≤ 2 and n o log(q )  min 2` · κ, κ + n . P `+1 2 Combining cascading and key whitening, Gaziˇ and Tes- With increasing ` the right-hand side approaches saro [17] proposed the so-called 2-XOR-cascade (or random- min 2κ, κ + n . Lee [25] improved the right-hand side, ized cascade) construction. It maps each n-bit message x under 2 κ n showing a better bound approaching the optimal value a key (k, z) ∈ {0, 1} × {0, 1} to of κ + min {κ, n} with increasing ` → ∞, however his 2XOR[E]((k, z), x) = E (Ek(x ⊕ z) ⊕ z) result only gives useful bounds for large ` (say ` ≥ 16). ek A tight bound (matching the attacks mentioned below) was where ek is derived from k in a deterministic way (e.g. by finally given by Dai, Lee, Mennink, and Steinberger [10], flipping a single bit). The natural generalization to length ` establishing the security of a cascade of length ` as long as in [25], [18] is referred to as the `-XOR-cascade XCE`. Given n qC ≤ 2 and key (k, z) (where z = (z0, z1, . . . , z`)) and input x, it returns n 0 0 o log(q )  κ + min ` −2 · κ, ` −2 · n , P 2 `0 XCE`[E]((k, z), x) = (⊕z` ◦ Eφ`(k) ◦ ⊕z`−1 ◦ Eφ`−1(k) 0 ◦ · · · ◦ ⊕ ◦ E ◦ ⊕ )(x), where ` = 2 · d`/2e denotes the smallest even integer not z1 φ1(k) z0 0 0 smaller than `. where ⊕z maps x to x ⊕ z, and φ1, . . . , φ` are permutations A recent work [15] initiated the study of plain cascades in on the κ-bit strings such that φi(k) 6= φj(k) for all k and a more fine-grained (and cryptographically more appropriate) i 6= j. The general XOR-cascade is depicted in Figure 4. setting where q can be smaller than 2n. In this setting, [15] C SECURITY BOUNDS: Kilian and Rogaway [21] showed that prove that plain cascades of length ` = 2r + 1 are secure FX is a (q , q )-PRP whenever q · q  2κ+n and also whenever C P C P provided an attack matching their bound. In contrast, the 2- XOR-cascade construction [17] was proved secure as long as log(qC ) + r log(qP )  r(κ + n) ∧ log(qC )  κ q ≤ 2n and q ≤ 2κ+n/2 queries and this bound is also ∧ log(q )  2κ . C P P shown tight by a matching attack. They also show a very similar bound for the two-key variant The work by Lee [25] first considered the general case of in the ` = 3 case, where the first and the third keys XOR-cascade of length ` (with independent keys) and proved are identical (as proposed in the 3DES standard). that its security approaches the optimal bound 2κ+n, while GENERIC ATTACKS: A parallel (and overlapping) line of again giving useful statements only for large `. works investigates so-called generic attacks against cascades. The security of a variant of XOR-cascades (not containing These are attacks that compromise its PRP-security (as de- the last whitening step) was considered in [18], where it was scribed above) in the ideal-cipher model, i.e., by accessing reduced to the security of key-alternating ciphers discussed in the block-cipher as a black box and hence not exploiting any Section IV-B. This reduction, together with a tight analysis of potential weaknesses of its inner workings. KACs given in [7], results in tight bounds for XOR-cascades n Lucks [26] presented the to-date best known attack on in the setting with 2 construction queries. A recent, more cascades of length ` = 3, which requires roughly 2κ+n/2 fine-grained reduction given in [15] achieves the same for the n queries. A generalization of this attack [18] is applicable general case of arbitrary qC ≤ 2 , establishing that an XOR- cascade of length ` is secure, roughly speaking, as long as against cascades of length ` ∈ {2r + 1, 2r + 2}, requiring qC log(q ) + ` log(q )  `(κ + n). construction queries and qP primitive queries, where qC , qP C P satisfy GENERIC ATTACKS: A generic attack against XOR-cascades κ was given in [18], requiring roughly qC construction queries log(qC ) + r log(qP ) ≈ r(κ + n) ∧ qC ≤ qP /2 . and qP block cipher queries for any values qC , qP such that C. XOR-Cascades log(qC ) + ` log(qP ) ≈ `(κ + n) is satisfied. This attack hence An alternative KLE approach uses variant of the key- proves the above-mentioned bound to be tight. whitening technique, generalizing the DESX block-cipher VI.ONSTRONGERSECURITYNOTIONS construction due to Rivest. In its simplest form, one obtains the There have been works targeting strictly stronger security following construction FX[E] abstracting DESX which given notions than PRF and PRP security. In particular, a series of three keys k , k , k, on input x outputs i o works considered constructions of block ciphers from random FX[E]((ki, ko, k), x) = ko ⊕ Ek(ki ⊕ x). functions [9], [20] and from random permutations [3], [23] in the sense of indifferentiability [28]. Very recently, the notion [15] P. Gazi,ˇ J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing of PRF and PRP security against related-key attacks has also Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” to appear in Fast Software Encryption, 2015. been shown to be attainable in [14], [8]. However, the concrete [16] P. Gaziˇ and U. Maurer, “Cascade encryption revisited,” in Advances in security of the constructions is far lower than that for all Cryptology — ASIACRYPT 2009 (M. Matsui, ed.), vol. 5912 of Lecture aforementioned results. Notes in Computer Science, pp. 37–51, Springer Berlin Heidelberg, 2009. [17] P. Gaziˇ and S. Tessaro, “Efficient and optimally secure key-length Acknowledgements. We would like to thank all the colleagues extension for block ciphers via randomized cascading,” in Advances in Cryptology — EUROCRYPT 2012 (D. Pointcheval and T. Johansson, we worked with on these questions: Yooyoung Lee, Ueli eds.), vol. 7237 of Lecture Notes in Computer Science, pp. 63–80, Maurer, Yannick Seurin and John Steinberger. Springer Berlin Heidelberg, 2012. Peter Gaziˇ was partly funded by the European Research [18] P. Gazi,ˇ “Plain versus randomized cascading-based key-length extension for block ciphers,” in CRYPTO 2013, Part I (R. Canetti and J. A. Garay, Council under an ERC Starting Grant (259668-PSPC). Stefano eds.), vol. 8042 of LNCS, (Santa Barbara, CA, USA), pp. 551–570, Tessaro was partially supported by NSF grant CNS-1423566. Springer, Berlin, Germany, Aug. 18–22, 2013. [19] C. Gentry and Z. Ramzan, “Eliminating random permutation oracles in the Even-Mansour cipher,” in ASIACRYPT 2004 (P. J. Lee, ed.), REFERENCES vol. 3329 of LNCS, (Jeju Island, Korea), pp. 32–47, Springer, Berlin, Germany, Dec. 5–9, 2004. [1] “Recommendation for the Triple Data Encryption Algorithm (TDEA) [20] T. Holenstein, R. Kunzler,¨ and S. Tessaro, “The equivalence of the Block Cipher.” National Institute of Standards and Technology, Special random oracle model and the ideal cipher model, revisited,” in 43rd Publication 800-67, 2004. ACM STOC (L. Fortnow and S. P. Vadhan, eds.), (San Jose, California, [2] W. Aiello, M. Bellare, G. D. Crescenzo, and R. Venkatesan, “Security USA), pp. 89–98, ACM Press, June 6–8, 2011. amplification by composition: The case of doubly-iterated, ideal ci- [21] J. Kilian and P. Rogaway, “How to Protect DES Against Exhaustive phers,” in Advances in Cryptology — CRYPTO ’98, vol. 1462 of Lecture Key Search (an Analysis of DESX),” Journal of Cryptology, vol. 14, Notes in Computer Science, pp. 390–407, Springer Berlin Heidelberg, pp. 17–35, 2001. 1998. [22] R. Lampe, J. Patarin, and Y. Seurin, “An Asymptotically Tight Security [3] E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, and J. P. Steinberger, Analysis of the Iterated Even-Mansour Cipher,” in Advances in Cryp- “On the indifferentiability of key-alternating ciphers,” in CRYPTO 2013, tology — ASIACRYPT 2012 (X. Wang and K. Sako, eds.), vol. 7658 Part I (R. Canetti and J. A. Garay, eds.), vol. 8042 of LNCS, (Santa of Lecture Notes in Computer Science, pp. 278–295, Springer Berlin Barbara, CA, USA), pp. 531–550, Springer, Berlin, Germany, Aug. 18– Heidelberg, 2012. 22, 2013. [23] R. Lampe and Y. Seurin, “How to construct an ideal cipher from a small [4] M. Bellare and P. Rogaway, “Code-based game-playing proofs and set of public permutations,” in ASIACRYPT 2013, Part I (K. Sako and the security of triple encryption,” in Advances in Cryptology — EU- P. Sarkar, eds.), vol. 8269 of LNCS, (Bengalore, India), pp. 444–463, ROCRYPT 2006, vol. 4004 of Lecture Notes in Computer Science, Springer, Berlin, Germany, Dec. 1–5, 2013. pp. 409–426, Springer Berlin Heidelberg, 2006. Full version at [24] R. Lampe and Y. Seurin, “Security analysis of key-alternating feistel http://eprint.iacr.org/2004/331. ciphers,” in FSE 2014, Lecture Notes in Computer Science, 2015. [5] A. Bogdanov, L. R. Knudsen, G. Leander, F.-X. Standaert, J. Steinberger, [25] J. Lee, “Towards Key-Length Extension with Optimal Security: Cascade and E. Tischhauser, “Key-alternating ciphers in a provable setting: Encryption and Xor-cascade Encryption,” in Advances in Cryptology encryption using a small number of public permutations,” in Advances — EUROCRYPT 2013 (T. Johansson and P. Nguyen, eds.), vol. 7881 in Cryptology — EUROCRYPT 2012 (D. Pointcheval and T. Johansson, of Lecture Notes in Computer Science, pp. 405–425, Springer Berlin eds.), vol. 7237 of Lecture Notes in Computer Science, pp. 45–62, Heidelberg, 2013. Springer Berlin Heidelberg, 2012. [26] S. Lucks, “Attacking triple encryption,” in Fast Software Encryption [6] S. Chen, R. Lampe, J. Lee, Y. Seurin, and J. P. Steinberger, “Minimizing (S. Vaudenay, ed.), vol. 1372 of Lecture Notes in Computer Science, the two-round Even-Mansour cipher,” in CRYPTO 2014, Part I (J. A. pp. 239–253, Springer Berlin Heidelberg, 1998. Garay and R. Gennaro, eds.), vol. 8616 of LNCS, (Santa Barbara, CA, [27] U. M. Maurer, “Indistinguishability of random systems,” in EURO- USA), pp. 39–56, Springer, Berlin, Germany, Aug. 17–21, 2014. CRYPT 2002 (L. R. Knudsen, ed.), vol. 2332 of LNCS, (Amsterdam, [7] S. Chen and J. P. Steinberger, “Tight security bounds for key-alternating The Netherlands), pp. 110–132, Springer, Berlin, Germany, Apr. 28 – ciphers,” in EUROCRYPT 2014 (P. Q. Nguyen and E. Oswald, eds.), May 2, 2002. vol. 8441 of LNCS, (Copenhagen, Denmark), pp. 327–350, Springer, [28] U. M. Maurer, R. Renner, and C. Holenstein, “Indifferentiability, Berlin, Germany, May 11–15, 2014. impossibility results on reductions, and applications to the random [8] B. Cogliati and Y. Seurin, “On the provable security of the iterated oracle methodology,” in TCC 2004 (M. Naor, ed.), vol. 2951 of LNCS, even-mansour cipher against related-key and chosen-key attacks,” in (Cambridge, MA, USA), pp. 21–39, Springer, Berlin, Germany, Feb. 19– EUROCRYPT 2015, LNCS, 2015. To appear. 21, 2004. [9] J.-S. Coron, J. Patarin, and Y. Seurin, “The random oracle model and [29] S. Myers, “Efficient amplification of the security of weak pseudo- the ideal cipher model are equivalent,” in CRYPTO 2008 (D. Wagner, random function generators,” in EUROCRYPT 2001 (B. Pfitzmann, ed.), ed.), vol. 5157 of LNCS, (Santa Barbara, CA, USA), pp. 1–20, Springer, vol. 2045 of LNCS, (Innsbruck, Austria), pp. 358–372, Springer, Berlin, Berlin, Germany, Aug. 17–21, 2008. Germany, May 6–10, 2001. [10] Y. Dai, J. Lee, B. Mennink, and J. P. Steinberger, “The security of [30] J. Steinberger, “Improved Security Bounds for Key-Alternating Ciphers multiple encryption in the ideal cipher model,” in CRYPTO 2014, Part I via Hellinger Distance.” Cryptology ePrint Archive, Report 2012/481, (J. A. Garay and R. Gennaro, eds.), vol. 8616 of LNCS, (Santa Barbara, 2012. http://eprint.iacr.org/. CA, USA), pp. 20–38, Springer, Berlin, Germany, Aug. 17–21, 2014. [31] S. Tessaro, “Security amplification for the cascade of arbitrarily weak [11] W. Diffie and M. E. Hellman, “Exhaustive of the NBS PRPs: Tight bounds via the interactive hardcore lemma,” in TCC 2011 ,” Computer, vol. 10, no. 6, pp. 74–84, 1977. (Y. Ishai, ed.), vol. 6597 of LNCS, (Providence, RI, USA), pp. 37–54, [12] O. Dunkelman, N. Keller, and A. Shamir, “Minimalism in cryptog- Springer, Berlin, Germany, Mar. 28–30, 2011. raphy: The Even-Mansour scheme revisited,” in EUROCRYPT 2012 (D. Pointcheval and T. Johansson, eds.), vol. 7237 of LNCS, (Cambridge, UK), pp. 336–354, Springer, Berlin, Germany, Apr. 15–19, 2012. [13] S. Even and Y. Mansour, “A construction of a cipher from a single pseudorandom permutation,” Journal of Cryptology, vol. 10, no. 3, pp. 151–162, 1997. [14] P. Farshim and G. Procter, “The related-key security of iterated even- mansour ciphers,” in FSE 2015, LNCS, 2015. To appear.