Research ArticleMinimizing Key Materials The EvenndashMansour Cipher Revisitedand Its Application to Lightweight Authenticated Encryption

Ping Zhang 1 and Qian Yuan2

1School of Computer Science Nanjing University of Posts and Telecommunications Nanjing 210023 China2School of Economics and Management Southeast University Nanjing 211189 China

Correspondence should be addressed to Ping Zhang zhgpnjupteducn

Received 12 December 2019 Accepted 7 February 2020 Published 10 March 2020

Guest Editor Andrea Visconti

Copyright copy 2020 Ping Zhang and Qian Yuanis is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited

e EvenndashMansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simplestructure and strict provable security Its research has been a hot topic in cryptography is paper focuses on the problem tominimize the key material of the EvenndashMansour cipher while its security bound remains essentially the same We introduce fourstructures of the EvenndashMansour cipher with a short key and derive their security by Patarinrsquos H-coefficients techniqueese fourstructures are proven secure up to 1113957O(2kμ) adversarial queries where k is the bit length of the key material and μ is the maximalmultiplicity en we apply them to lightweight authenticated encryption modes and prove their security up to aboutmin b2 c k minus log μ1113864 1113865-bit adversarial queries where b is the size of the permutation and c is the capacity of the permutation Finallywe leave it as an open problem to settle the security of the t-round iterated EvenndashMansour cipher with short keys

1 Introduction

In recent years more and more attention has been paid tolightweight cryptography as smart home Internet of things(IoT) smart transportation and 5GB5G networks areproposed ese new technologies brought convenience toour lives but have introduced a powerful security threatsuch as the leakage of the private data in our smart phoneLightweight cryptography is an effective countermeasureagainst the security threats in order to achieve the privacyand integrity protections of the sensitive data Lightweightcryptography is mainly used in resource-constrained de-vices e block cipher has become a very vital lightweightsymmetric-key cryptography due to its fast speed easyimplementation and easy standardization on these devicesIt is often used to implement sensitive data encryptiondigital signature message authentication and key encap-sulation schemes in the field of information security andnetwork communication security

e t-round iterated EvenndashMansour cipher is simplydescribed as a pure permutation-based block cipher

y Pt Ptminus 1 middot middot middot P1 xoplusK1( 1113857oplusK2( 1113857 middot middot middotoplusKt( 1113857oplusKt+1( (1)

where (K1 K2 Kt Kt+1) is a sequence of n-bit roundkeys which are usually derived from some master key and(P1 P2 Pt) is a sequence of t public random permuta-tionsis iterated EvenndashMansour cipher also known as key-alternating ciphers is of great significance in the design ofblock ciphers and is also favored in the design of light-weight cryptography e security of the iteratedEvenndashMansour ciphers is based on the random permutationmodel (RPM) In RPM all permutations are modeled aspublic random permutation oracles in other words anyonecan query these permutations and obtain the correspondingresponses e related research includes [1ndash9]

is paper focuses on the case t 1 Even andMansour [10] did pioneering work in 1997 and provedthat it is birthday-bound secure at is where the nameldquoEvenndashMansour cipherrdquo comes from e EvenndashMansourcipher has some very nice properties such as simpleststructure and strict provable security Although the researchof the EvenndashMansour cipher went unnoticed for years Gold

HindawiSecurity and Communication NetworksVolume 2020 Article ID 4180139 6 pageshttpsdoiorg10115520204180139

will always shine Fortunately it has been a very hot topic incryptography In 2012 Dunkelman et al [11] pointed out thatthe EvenndashMansour cipher is minimal ie any component(either one of the keys or the permutation) is removed theEvenndashMansour cipher becomes trivially breakable In 2015Cogliati et al [12] introduced the tweakable EvenndashMansour(TEM) cipher combined by the EvenndashMansour cipher and atweak and proved its security Meanwhile Mouha and Luykx[13] revisited the EvenndashMansour cipher and analyzed themultikey security do Nascimento and Xexeo [14] applied theEvenndashMansour cipher to the Internet of ings (IoT) envi-ronments and presented a flexible lightweight authenticatedencryption mode in 2017 It follows that Cho et al [15]presented a new family of white-box block ciphers based onthe EvenndashMansour cipher WEM which achieves balancesbetween performance and security Farshim et al [16] ana-lyzed the security of the EvenndashMansour cipher under key-dependent messages In 2018 we described a generalizedtweakable EvenndashMansour cipher and applied it to authen-tication and authenticated encryption modes [17]

In the lightweight devices the storage resources arelimited erefore a vital issue is the minimalism and agilityof the key material in the design of lightweight ciphers Inthis paper we revisit the EvenndashMansour cipher and consideras problem whether we can use the least key material toachieve the same security bound e EvenndashMansour cipheris proven security up to approximately 2k2 adversarialqueries where k is the bit-length of the key material Can wedecrease the key material and achieve the same securitybound (this bound must be beyond-birthday-bound)

We answer positively to the question in this paper Weintroduce four structures of the EvenndashMansour cipher with ashort key and present the provable security results Moreconcretely we derive their security up to 1113957O(2kμ) adversarialqueries using Patarinrsquos H-coefficients technique where k isthe bit-length of the reducing key material and μ is themaximal multiplicity e EvenndashMansour cipher with a shortkey has many good advantages such as calculating on-the-flyavoiding the key schedule and minimizing the key materialerefore it can be widely applied to resource-constrainedlightweight devices en we apply its four structures tolightweight authenticated encryption (AE) modes and provetheir security up to aboutmin b2 c k minus log μ1113864 1113865-bit adversarialqueries where b r + c is the size of the permutation and c(resp r) is the capacity (resp rate) of the permutation Finallywe leave it as an open problem to settle the security of the t-round iterated EvenndashMansour cipher with short keys

e rest of this paper is organized as follows In Section2 we introduce some preliminaries In Section 3 we provethe security of the EvenndashMansour cipher with a short keySection 4 describes lightweight AE modes based on fourstructures of the EvenndashMansour cipher with a short keySection 5 ends up with this paper

2 Preliminaries

Let 0 1 b be the set of binary strings of length b and N 2bFor two strings X and Y let XY or XY be the concatenationof X and Y Given a string X we utilize |X| to denote the

length in bits of X Given a nonempty set X let xlarrX denotean element x drawing from X uniformly at random and X bethe cardinality of X Let Perm(b) stand for the set of per-mutations on 0 1 b LetAO 1 be an event that an adversaryA outputs 1 after interacting with the oracleO HereA nevermakes a query for which the response is obviously known LetPr[E] be the probability that the event E occurs

21Multiplicity Let (xi yi)1113864 1113865N

i1 be a set ofN evaluations of apermutation P where xi xi1113954xi yi yi1113954yi We introducethe total maximal multiplicity as μ μfwd + μbwd inspired by[18] where

μfwd maxa

i 1 N xi a or 1113954xi a1113864 1113865 (2)

μbwd maxa

i 1 N yi a or 1113954yi a1113864 1113865 (3)

22 H-Coefficients Technique H-coefficients technique in-troduced by Patarin [19] is a very important analyticalmethod in the symmetric-key cryptography We brieflysummarize this technique as follows Consider an infor-mation-theoretic adversaryA whose goal is to distinguish areal world X and an ideal world Y and denote the dis-tinguishing advantage of A as

Adv(A) Pr AX

11113960 1113961 minus Pr AY

11113960 111396111138681113868111386811138681113868

11138681113868111386811138681113868 (4)

Without loss of generality we can assume that A is adeterministic adversary e interaction with any of the twoworlds X or Y is summarized in a transcript τ Denote by DX

the probability distribution of transcripts when interactingwith X and similarly DY the distribution of transcriptswhen interacting with Y A transcript τ is attainable ifPr[DY τ]gt 0 meaning that it can occur during interactionwith Y Let Γ be the set of attainable transcripts We denoteΓ1 as a set of good transcripts when interacting with X (Y)Let Γ2 be a set of bad transcripts such that the probability toobtain any τ isin Γ2 is small in the ideal world Γ Γ1cup Γ2

Lemma 1 (H-coefficients lemma [19]) Fix a deterministicadversary A Let Γ Γ1cup Γ2 be a partition of the set of at-tainable transcripts Assume that there exists ϵ1 such that forany τ isin Γ1 one has

Pr DX τ1113858 1113859

Pr DY τ1113858 1113859ge 1 minus ϵ1 (5)

and that there exists ϵ2 such that

Pr DY isin Γ21113858 1113859le ϵ2 (6)

en the advantage of the adversary A is

Adv(A)le ϵ1 + ϵ2 (7)

3 The EvenndashMansour Cipher with a Short Key

Fix a public permutation P 0 1 b⟶ 0 1 b and integersr c and k such that b r + c and klemin r c Let

2 Security and Communication Networks

K 0 1 k e EvenndashMansour cipher with a short keycalled EM for short is described in Figure 1 EM takes auniform random keyK isin 0 1 k and a plaintext x isin 0 1 b asinputs and outputs the ciphertext y EMP

K(x) isin 0 1 b Letpad1(K) 0rminus kK and pad2(K) 0cminus kK e four struc-tures of EM are respectively shown as follows

(a) y EMPK(x) P xoplus pad1(K) 0c

1113872 1113873oplus pad1(K) 0c

(b) y EMPK(x) P xoplus pad1(K) 0c

1113872 1113873oplus 0r pad2(K)

(c) y EMPK(x) P xoplus 0r

pad2(K)1113872 1113873oplus 0r pad2(K)

(d) y EMPK(x) P xoplus 0r

pad2(K)1113872 1113873oplus pad1(K) 0c

(8)

We consider the security of the EvenndashMansour cipherwith a short key and obtain the following theorem

Theorem 1 For EMPK with K isin 0 1 k and Plarr Perm(b) we

have

AdvEM qe qp1113872 1113873leμqp

2k (9)

e proof of eorem 1 utilizes the H-coefficientstechnique We consider an adversary A which can interactwith X (EMP

K P) in the real world or Y (Q P) in theideal world where P andQ are uniform random and in-dependent permutations and K is a (dummy) key We as-sume that the adversary A makes at most qe constructionqueries and at most qp primitive queries e transcripts canbe expressed as this form τ (QeQp K) whereQe (xi yi)1113864 1113865

qe

i1 andQp (uj vj)1113966 1113967qp

j1 We start by definingbad transcripts

Definition 1 We define an attainable transcriptτ (QeQp K) isin Γ as bad if one of the two followingconditions is fulfilled

Bad1 exist(x y) isin Qe and (u v) isin Qp such that

(a)amp(b) xoplus u pad1(K) 0c

(c)amp(d) xoplus u 0r pad2(K)

(10)

Bad2 exist(x y) isin Qe and (u v) isin Qp such that

(a)amp(d) yoplus v pad1(K) 0c

(b)amp(c) yoplus v 0r pad2(K)

(11)

Otherwise we say that τ is good We denote Γgood respΓbad the set of good resp bad transcripts and Γ Γgood ⊔Γbad

In the real world X a bad transcript implies that twoinvocations to P exist with the same input one directly fromquerying the primitive oracle P and another one indirectlyfrom querying the construction oracle EMP

K while all tuples

in (QeQp) uniquely determine an input-output pair of P fora good transcript In the ideal world Y the abovementionedresult is clearly established for a bad transcript while it is notfor a good transcript

We first upper bound the probability of bad transcriptsin the ideal world Y by the following lemma

Lemma 2

Pr DY isin Γbad( 1113857leμqp

2k (12)

Proof In the ideal world Y (QeQp) is an attainabletranscript with a dummy uniform random key K isin 0 1 k

Here we assume that an adversary A makes at most qe

construction queries and at most qp primitive queries Foreach (x y) isin Qe and each (u v) isin Qp we obtain at most μfwd(resp μbwd) tuples (x y) such that x u for structures (a)and (b) or 1113954x 1113954u for structures (c) and (d) (resp y v forstructures (a) and (d) or 1113954y 1113954v for structures (b) and (c))from the property of multiplicity

It follows that Pr(Bad1)le μfwdqp2k andPr(Bad2)le μbwdqp2k Hence the probability of bad tran-scripts in the ideal world Y is at most μqp2k whereμ μfwd + μbwd

We then analyze good transcripts and lower bound theratio (Pr[DX τ])Pr[DY τ]

Lemma 3 For any good transcript τ one has

Pr DX τ1113858 1113859

Pr DY τ1113858 1113859ge 1 (13)

Proof Consider a good transcript τ isin Γgood Let ΩX be anonempty set of all possible oracles in the real world X andΩY be a nonempty set of all possible oracles in the idealworld Y erefore the cardinalities of sets ΩX and ΩY arerespectively ΩX (2b) middot 2k and ΩY (2b)2 middot 2k LetcompX(τ)subeΩX and compY(τ)subeΩY be the two sets oforacles compatible with transcript τ e probabilitiesappearing in Lemma 1 can be evaluated as follows

Pr DX τ( 1113857 compX(τ)

ΩX

(14)

Pr DY τ( 1113857 compY(τ)

ΩY

(15)

First we calculate compX(τ) As τ isin Γgood consists ofqe + qp query tuples and any query tuple in τ fixes exactlyone input-output pair of the underlying permutation oraclethe number of possible oracles in the real world X equals(2b minus qe minus qp)

Second we calculate compY(τ)e number of possibleoracles in the ideal world Y equals (2b minus qp)(2b minus qe) as Pand Q are uniform random and independent permutations

It follows that

Security and Communication Networks 3

Pr DX τ( 1113857 compX(τ)

ΩX

2b minus qe minus qp1113872 1113873

2b( 1113857 middot 2k

2b minus qe minus qp1113872 11138732b

2b( 11138572

middot 2k

ge2b minus qp1113872 1113873 2b minus qe( 1113857

2b( 11138572

middot 2k Pr DY τ( 1113857

(16)

erefore we have (Pr[DX τ]Pr[DY τ])ge 1Combining Lemmas 1ndash3 we can obtain the result of

eorem 1

4 Application to LightweightAuthenticated Encryption

With the rises of the smart home IoT and 5GB5G net-works lightweight authenticated encryption (AE) modes areattracting more and more attentions [20ndash22] A lightweightAE mode is a lightweight symmetric-key cipher whichsupports the services of privacy and authenticity of thesensitive data in the devices

e EvenndashMansour cipher with a short key can be di-rectly applied to a lightweight AE mode which is shown inFigure 2 It consists of an encryption algorithm E and adecryption algorithm D e encryption algorithm E takes aplaintext M and a key K as inputs and returns a ciphertextC and an authentication tag T ie CT

EMPK(M0c) E(K M) e decryption algorithm D takes

a key K a ciphertext C and an authentication tag Tas inputsand returns a plaintext M or a reject symbol perp ieMperp D(K C T) If the last c-bit of the EM decryption is 0then the decryption algorithm D returns M Otherwise thedecryption algorithm D returns perp

Let Π (E D) stand for our lightweight AE modes Weintroduce the AE-security model as follows

Definition 2 (AE security) Let P be a public randompermutation LetΠ (E D) be a P-based AE scheme LetAbe an adversary which interacts with X (E D Pplusmn) in thereal world or Y ($perp Pplusmn) in the ideal world Let q pgt 0en the AE-security of Π (E D) is defined as follows

AdvaeΠ (A) Pr A

EDPplusmn 11113960 1113961 minus Pr A

$perpPplusmn 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

AdvaeΠ (q p) max

AAdvaeΠ (A)

(17)

where q is the number of queries to the encryption oracle Eor the decryption oracle D p is the number of queries to therandom permutation P or its inverse Pminus 1 is a randomfunction which always returns a fresh and random responsefor each query andperp is a symbol which stands for the failureof the decryption oracles

Theorem 2 Let Plarr Perm(b) and b r + c en

AdvaeΠ (q p)le

μp

2k+

q2

2b+

q

2c (18)

Proof Sketch Let A be an adversary with access to theencryption oracle E the decryption oracle D and the randompermutation P or its inverse Pminus 1 Π can be represented as anEM scheme We replace the EM modular structure to therandom permutation Q According to eorem 1 we have

AdvaeΠ (A) |Pr A

EDPplusmn 11113960 1113961 minus Pr1113858A$perpPplusmn

11113859|

le Pr AEDPplusmn

11113960 1113961 minus Pr AQQminus 1 Pplusmn

11113876 1113877

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

μp

2k+ Pr A

QQminus 1 Pplusmn 11113876 1113877 minus Pr A

$perpPplusmn 11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(19)

It follows that

Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

le Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr AQperpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQperpPplusmn

11113960 1113961 minus Pr A$perpPplusmn

11113960 111396111138681113868111386811138681113868

11138681113868111386811138681113868

leq

2c+

q2

2b

(20)

where q22b obtained by the PRP-PRF Switch Lemma [23]and q2c is from the fact that the successful probability of theadversary is 12c for each forgery attempt

Combining equations (19) and (20) it is easy to draw theresult of eorem 2

x y

K K

P

(a)

x y

K

K

P

(b)

x y

K K

P

(c)

x y

K

K

P

(d)

Figure 1 Four structures of EM

4 Security and Communication Networks

According to eorem 2 we can find that these light-weight AEmodes ensure about min b2 c k minus log μ1113864 1113865-bit AE-security

5 Conclusions

e key material is crucial for the secure implementation ofcryptographic schemes Most of devices widely used in smarthome smart transportation and Internet of ings (IoT)environments are resource constrained erefore in thedesign of lightweight ciphers a vital issue is the minimalismand agility of the key material

In this paper we revisit the EvenndashMansour cipher anddiscuss this problem whether we can use the least keymaterial to achieve the same (even beyond conventional)security bound in the EvenndashMansour cipher We introducefour structures of the EvenndashMansour cipher with a short keyand derive security up to 1113957O(2kμ) adversarial queries wherek is the bits of the key material and μ is the maximalmultiplicity using Patarinrsquos H-coefficients technique enwe apply them to lightweight authenticated encryptionmodes and prove their security up to about min b2

c k minus log μ-bit adversarial queries where b r + c is thesize of the permutation and c is the capacity of the per-mutation Finally we leave it as an open problem to settlethe security of the t-round iterated EvenndashMansour cipherwith short keys e EvenndashMansour cipher with a short keyis proven (k minus log μ)-bit security It is natural to considerwhether our result can be generalized to the t-rounditerated EvenndashMansour cipher But the situation of the t-round iterated EvenndashMansour cipher with short keys ismore complicated erefore it is regarded as an openproblem to attract scholars to discuss and analyze it indetaile EvenndashMansour cipher with a short key has manygood advantages such as calculating on-the-fly avoidingthe key schedule and minimizing the area of the hardwareimplementation and the key material erefore it can bewidely applied to the data security of smart home Internetof ings and some lightweight devices

Data Availability

e data used to support the findings of the study areavailable within the article

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

is work was supported by the Research Fund of Inter-national Young Scientists (Grant no 61902195) NaturalScience Fund for Colleges and Universities in JiangsuProvince (General Program Grant no 19KJB520045) andNUPTSF (Grant no NY219131)

References

[1] E Andreeva A Bogdanov Y Dodis B Mennink andJ P Steinberger ldquoOn the indifferentiability of key-alternatingciphersrdquo in Advances in CryptologyndashCRYPTO 2013 LectureNotes in Computer Science R Canetti and J A Garay Edsvol 8042 pp 531ndash550 Springer Berlin Germany 2013

[2] A Bogdanov L R Knudsen G Leander FX StandaertJ Steinberger and E Tischhauser ldquoKey-alternating ciphers ina provable setting encryption using a small number of publicpermutationsrdquo in Advances in CryptologyndashEUROCRYPT2012 Lecture Notes in Computer Science D Pointcheval andT Johansson Eds vol 7237 pp 45ndash62 Springer BerlinGermany 2012

[3] S Chen R Lampe J Lee Y Seurin and J SteinbergerldquoMinimizing the two-round Even-Mansour cipherrdquo Journalof Cryptology vol 31 no 4 pp 1064ndash1119 2018

[4] S Chen and J Steinberger ldquoTight security bounds for key-alternating ciphersrdquo in Advances in CryptologyndashEUROCRYPT2014 Lecture Notes in Computer Science P Q Nguyen andE Oswald Eds vol 8441 pp 327ndash350 Springer BerlinGermany 2014

[5] B Cogliati and Y Seurin ldquoOn the provable security of theiterated Even-Mansour cipher against related-key and cho-sen-key attacksrdquo in Advances in CryptologyndashEUROCRYPT2015 Lecture Notes in Computer Science E Oswald andM Fischlin Eds vol 9056 pp 584ndash613 Springer BerlinGermany 2015

[6] P Farshim and G Procter ldquoe related-key security ofiterated Even-Mansour ciphersrdquo in Fast Software Encryp-tionndashFSE 2015 Lecture Notes in Computer Science G LeanderEd vol 9054 pp 342ndash363 Springer Berlin Germany 2015

[7] A Hosoyamada and K Aoki ldquoOn quantum related-key at-tacks on iterated Even-Mansour ciphersrdquo IEICE Transactionson Fundamentals of Electronics Communications and Com-puter Sciences vol E102A no 1 pp 27ndash34 2019

[8] T Isobe and K Shibutani ldquoMeet-in-the-middle key recoveryattacks on a single-key two-round Even-Mansour cipherrdquoIEICE Transactions on Fundamentals of Electronics Com-munications and Computer Sciences vol E102A no 1pp 17ndash26 2019

[9] R Lampe J Patarin and Y Seurin ldquoAn asymptotically tightsecurity analysis of the iterated Even-Mansour cipherrdquo inAdvances in CryptologyndashASIACRYPT 2012 Lecture Notes in

M CT0 P

K K

(a)

M CT0 P

K

K

(b)

M CT0

KK

P

(c)

M CT0

K

K

P

(d)

Figure 2 Lightweight authenticated encryption modes

Security and Communication Networks 5

Computer Science X Wang and K Sako Eds vol 7658pp 278ndash295 Springer Berlin Germany 2012

[10] S Even and Y Mansour ldquoA construction of a cipher from asingle pseudorandom permutationrdquo Journal of Cryptologyvol 10 no 3 pp 151ndash161 1997

[11] O Dunkelman N Keller and A Shamir ldquoMinimalism incryptography the Even-Mansour scheme revisitedrdquo in Ad-vances in CryptologyndashEUROCRYPT 2012 Lecture Notes inComputer Science D Pointcheval and T Johansson Edsvol 7237 pp 336ndash354 Springer Berlin Germany 2012

[12] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Advances in CryptologyndashCRYPTO 2015Lecture Notes in Computer Science R Gennaro andM Robshaw Eds vol 9215 pp 189ndash208 Springer BerlinGermany 2015

[13] N Mouha and A Luykx ldquoMulti-key security the Even-Mansour construction revisitedrdquo in Advances in Cryptolo-gyndashCRYPTO 2015 Lecture Notes in Computer ScienceR Gennaro and M Robshaw Eds vol 9215 pp 209ndash223Springer Berlin Germany 2015

[14] E M do Nascimento and J A M Xexeo ldquoA flexible authen-ticated lightweight cipher using Even-Mansour constructionrdquo inProceedings of the IEEE International Conference on Commu-nicationsndashICC 2017 pp 1ndash6 IEEE Paris France May 2017

[15] J Cho K Y Choi I Dinur et al ldquoWEM a new family ofwhite-box block ciphers based on the Even-Mansour con-structionrdquo in Cryptographersrsquo Track at the RSA Confer-encendashCT-RSA 2017 Lecture Notes in Computer ScienceH Handschuh Ed vol 10159 pp 293ndash308 Springer BerlinGermany 2017

[16] P Farshim L Khati and D Vergnaud ldquoSecurity of Even-Mansour ciphers under key-dependent messagesrdquo e IACRTransactions on Symmetric Cryptology vol 2017 no 2pp 84ndash104 2017

[17] P Zhang and H-G Hu ldquoGeneralized tweakable Even-Mansour cipher and its applicationsrdquo Journal of ComputerScience and Technology vol 33 no 6 pp 1261ndash1277 2018

[18] G Bertoni J Daemen M Peeters and G Van AsscheldquoSponge-based pseudo-random number generatorsrdquo inCryptographic Hardware and Embedded SystemsndashCHES 2010Lecture Notes in Computer Science S Mangard andFX Standaert Eds vol 6225 pp 33ndash47 Springer BerlinGermany 2010

[19] J Patarin ldquoe ldquocoefficients Hrdquo techniquerdquo in Selected Areasin CryptographyndashSAC 2008 Lecture Notes in Computer Sci-ence R M Avanzi L Keliher and F Sica Eds vol 5381pp 328ndash345 Springer Berlin Germany 2008

[20] A Chakraborti N Datta M Nandi and K Yasuda ldquoBeetlefamily of lightweight and secure authenticated encryptionciphersrdquo IACR Transactions on Cryptographic Hardware andEmbedded Systems vol 2018 no 2 pp 218ndash241 2018

[21] G Hatzivasilis G Floros I Papaefstathiou and C ManifavasldquoLightweight authenticated encryption for embedded on-chipsystemsrdquo Information Security Journal A Global Perspectivevol 25 no 4ndash6 pp 151ndash161 2016

[22] Y Sasaki and K Yasuda ldquoOptimizing online permutation-based AE schemes for lightweight applicationsrdquo IEICETransactions on Fundamentals of Electronics Communicationsand Computer Sciences vol E102A no 1 pp 35ndash47 2019

[23] M Bellare and P Rogaway ldquoe security of triple encryptionand a framework for code-based game-playing proofsrdquo inAdvances in CryptologyndashEUROCRYPT 2006 Lecture Notes inComputer Science S Vaudenay Ed vol 4004 pp 409ndash426Springer Berlin Germany 2006

6 Security and Communication Networks

K 0 1 k e EvenndashMansour cipher with a short keycalled EM for short is described in Figure 1 EM takes auniform random keyK isin 0 1 k and a plaintext x isin 0 1 b asinputs and outputs the ciphertext y EMP

K(x) isin 0 1 b Letpad1(K) 0rminus kK and pad2(K) 0cminus kK e four struc-tures of EM are respectively shown as follows

(a) y EMPK(x) P xoplus pad1(K) 0c

1113872 1113873oplus pad1(K) 0c

(b) y EMPK(x) P xoplus pad1(K) 0c

1113872 1113873oplus 0r pad2(K)

(c) y EMPK(x) P xoplus 0r

pad2(K)1113872 1113873oplus 0r pad2(K)

(d) y EMPK(x) P xoplus 0r

pad2(K)1113872 1113873oplus pad1(K) 0c

(8)

We consider the security of the EvenndashMansour cipherwith a short key and obtain the following theorem

Theorem 1 For EMPK with K isin 0 1 k and Plarr Perm(b) we

have

AdvEM qe qp1113872 1113873leμqp

2k (9)

e proof of eorem 1 utilizes the H-coefficientstechnique We consider an adversary A which can interactwith X (EMP

K P) in the real world or Y (Q P) in theideal world where P andQ are uniform random and in-dependent permutations and K is a (dummy) key We as-sume that the adversary A makes at most qe constructionqueries and at most qp primitive queries e transcripts canbe expressed as this form τ (QeQp K) whereQe (xi yi)1113864 1113865

qe

i1 andQp (uj vj)1113966 1113967qp

j1 We start by definingbad transcripts

Definition 1 We define an attainable transcriptτ (QeQp K) isin Γ as bad if one of the two followingconditions is fulfilled

Bad1 exist(x y) isin Qe and (u v) isin Qp such that

(a)amp(b) xoplus u pad1(K) 0c

(c)amp(d) xoplus u 0r pad2(K)

(10)

Bad2 exist(x y) isin Qe and (u v) isin Qp such that

(a)amp(d) yoplus v pad1(K) 0c

(b)amp(c) yoplus v 0r pad2(K)

(11)

Otherwise we say that τ is good We denote Γgood respΓbad the set of good resp bad transcripts and Γ Γgood ⊔Γbad

In the real world X a bad transcript implies that twoinvocations to P exist with the same input one directly fromquerying the primitive oracle P and another one indirectlyfrom querying the construction oracle EMP

K while all tuples

in (QeQp) uniquely determine an input-output pair of P fora good transcript In the ideal world Y the abovementionedresult is clearly established for a bad transcript while it is notfor a good transcript

We first upper bound the probability of bad transcriptsin the ideal world Y by the following lemma

Lemma 2

Pr DY isin Γbad( 1113857leμqp

2k (12)

Proof In the ideal world Y (QeQp) is an attainabletranscript with a dummy uniform random key K isin 0 1 k

Here we assume that an adversary A makes at most qe

construction queries and at most qp primitive queries Foreach (x y) isin Qe and each (u v) isin Qp we obtain at most μfwd(resp μbwd) tuples (x y) such that x u for structures (a)and (b) or 1113954x 1113954u for structures (c) and (d) (resp y v forstructures (a) and (d) or 1113954y 1113954v for structures (b) and (c))from the property of multiplicity

It follows that Pr(Bad1)le μfwdqp2k andPr(Bad2)le μbwdqp2k Hence the probability of bad tran-scripts in the ideal world Y is at most μqp2k whereμ μfwd + μbwd

We then analyze good transcripts and lower bound theratio (Pr[DX τ])Pr[DY τ]

Lemma 3 For any good transcript τ one has

Pr DX τ1113858 1113859

Pr DY τ1113858 1113859ge 1 (13)

Proof Consider a good transcript τ isin Γgood Let ΩX be anonempty set of all possible oracles in the real world X andΩY be a nonempty set of all possible oracles in the idealworld Y erefore the cardinalities of sets ΩX and ΩY arerespectively ΩX (2b) middot 2k and ΩY (2b)2 middot 2k LetcompX(τ)subeΩX and compY(τ)subeΩY be the two sets oforacles compatible with transcript τ e probabilitiesappearing in Lemma 1 can be evaluated as follows

Pr DX τ( 1113857 compX(τ)

ΩX

(14)

Pr DY τ( 1113857 compY(τ)

ΩY

(15)

First we calculate compX(τ) As τ isin Γgood consists ofqe + qp query tuples and any query tuple in τ fixes exactlyone input-output pair of the underlying permutation oraclethe number of possible oracles in the real world X equals(2b minus qe minus qp)

Second we calculate compY(τ)e number of possibleoracles in the ideal world Y equals (2b minus qp)(2b minus qe) as Pand Q are uniform random and independent permutations

It follows that

Security and Communication Networks 3

Pr DX τ( 1113857 compX(τ)

ΩX

2b minus qe minus qp1113872 1113873

2b( 1113857 middot 2k

2b minus qe minus qp1113872 11138732b

2b( 11138572

middot 2k

ge2b minus qp1113872 1113873 2b minus qe( 1113857

2b( 11138572

middot 2k Pr DY τ( 1113857

(16)

erefore we have (Pr[DX τ]Pr[DY τ])ge 1Combining Lemmas 1ndash3 we can obtain the result of

eorem 1

4 Application to LightweightAuthenticated Encryption

With the rises of the smart home IoT and 5GB5G net-works lightweight authenticated encryption (AE) modes areattracting more and more attentions [20ndash22] A lightweightAE mode is a lightweight symmetric-key cipher whichsupports the services of privacy and authenticity of thesensitive data in the devices

e EvenndashMansour cipher with a short key can be di-rectly applied to a lightweight AE mode which is shown inFigure 2 It consists of an encryption algorithm E and adecryption algorithm D e encryption algorithm E takes aplaintext M and a key K as inputs and returns a ciphertextC and an authentication tag T ie CT

EMPK(M0c) E(K M) e decryption algorithm D takes

a key K a ciphertext C and an authentication tag Tas inputsand returns a plaintext M or a reject symbol perp ieMperp D(K C T) If the last c-bit of the EM decryption is 0then the decryption algorithm D returns M Otherwise thedecryption algorithm D returns perp

Let Π (E D) stand for our lightweight AE modes Weintroduce the AE-security model as follows

Definition 2 (AE security) Let P be a public randompermutation LetΠ (E D) be a P-based AE scheme LetAbe an adversary which interacts with X (E D Pplusmn) in thereal world or Y ($perp Pplusmn) in the ideal world Let q pgt 0en the AE-security of Π (E D) is defined as follows

AdvaeΠ (A) Pr A

EDPplusmn 11113960 1113961 minus Pr A

$perpPplusmn 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

AdvaeΠ (q p) max

AAdvaeΠ (A)

(17)

where q is the number of queries to the encryption oracle Eor the decryption oracle D p is the number of queries to therandom permutation P or its inverse Pminus 1 is a randomfunction which always returns a fresh and random responsefor each query andperp is a symbol which stands for the failureof the decryption oracles

Theorem 2 Let Plarr Perm(b) and b r + c en

AdvaeΠ (q p)le

μp

2k+

q2

2b+

q

2c (18)

Proof Sketch Let A be an adversary with access to theencryption oracle E the decryption oracle D and the randompermutation P or its inverse Pminus 1 Π can be represented as anEM scheme We replace the EM modular structure to therandom permutation Q According to eorem 1 we have

AdvaeΠ (A) |Pr A

EDPplusmn 11113960 1113961 minus Pr1113858A$perpPplusmn

11113859|

le Pr AEDPplusmn

11113960 1113961 minus Pr AQQminus 1 Pplusmn

11113876 1113877

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

μp

2k+ Pr A

QQminus 1 Pplusmn 11113876 1113877 minus Pr A

$perpPplusmn 11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(19)

It follows that

Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

le Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr AQperpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQperpPplusmn

11113960 1113961 minus Pr A$perpPplusmn

11113960 111396111138681113868111386811138681113868

11138681113868111386811138681113868

leq

2c+

q2

2b

(20)

where q22b obtained by the PRP-PRF Switch Lemma [23]and q2c is from the fact that the successful probability of theadversary is 12c for each forgery attempt

Combining equations (19) and (20) it is easy to draw theresult of eorem 2

x y

K K

P

(a)

x y

K

K

P

(b)

x y

K K

P

(c)

x y

K

K

P

(d)

Figure 1 Four structures of EM

4 Security and Communication Networks

According to eorem 2 we can find that these light-weight AEmodes ensure about min b2 c k minus log μ1113864 1113865-bit AE-security

5 Conclusions

e key material is crucial for the secure implementation ofcryptographic schemes Most of devices widely used in smarthome smart transportation and Internet of ings (IoT)environments are resource constrained erefore in thedesign of lightweight ciphers a vital issue is the minimalismand agility of the key material

In this paper we revisit the EvenndashMansour cipher anddiscuss this problem whether we can use the least keymaterial to achieve the same (even beyond conventional)security bound in the EvenndashMansour cipher We introducefour structures of the EvenndashMansour cipher with a short keyand derive security up to 1113957O(2kμ) adversarial queries wherek is the bits of the key material and μ is the maximalmultiplicity using Patarinrsquos H-coefficients technique enwe apply them to lightweight authenticated encryptionmodes and prove their security up to about min b2

c k minus log μ-bit adversarial queries where b r + c is thesize of the permutation and c is the capacity of the per-mutation Finally we leave it as an open problem to settlethe security of the t-round iterated EvenndashMansour cipherwith short keys e EvenndashMansour cipher with a short keyis proven (k minus log μ)-bit security It is natural to considerwhether our result can be generalized to the t-rounditerated EvenndashMansour cipher But the situation of the t-round iterated EvenndashMansour cipher with short keys ismore complicated erefore it is regarded as an openproblem to attract scholars to discuss and analyze it indetaile EvenndashMansour cipher with a short key has manygood advantages such as calculating on-the-fly avoidingthe key schedule and minimizing the area of the hardwareimplementation and the key material erefore it can bewidely applied to the data security of smart home Internetof ings and some lightweight devices

Data Availability

e data used to support the findings of the study areavailable within the article

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

is work was supported by the Research Fund of Inter-national Young Scientists (Grant no 61902195) NaturalScience Fund for Colleges and Universities in JiangsuProvince (General Program Grant no 19KJB520045) andNUPTSF (Grant no NY219131)

References

[1] E Andreeva A Bogdanov Y Dodis B Mennink andJ P Steinberger ldquoOn the indifferentiability of key-alternatingciphersrdquo in Advances in CryptologyndashCRYPTO 2013 LectureNotes in Computer Science R Canetti and J A Garay Edsvol 8042 pp 531ndash550 Springer Berlin Germany 2013

[2] A Bogdanov L R Knudsen G Leander FX StandaertJ Steinberger and E Tischhauser ldquoKey-alternating ciphers ina provable setting encryption using a small number of publicpermutationsrdquo in Advances in CryptologyndashEUROCRYPT2012 Lecture Notes in Computer Science D Pointcheval andT Johansson Eds vol 7237 pp 45ndash62 Springer BerlinGermany 2012

[3] S Chen R Lampe J Lee Y Seurin and J SteinbergerldquoMinimizing the two-round Even-Mansour cipherrdquo Journalof Cryptology vol 31 no 4 pp 1064ndash1119 2018

[4] S Chen and J Steinberger ldquoTight security bounds for key-alternating ciphersrdquo in Advances in CryptologyndashEUROCRYPT2014 Lecture Notes in Computer Science P Q Nguyen andE Oswald Eds vol 8441 pp 327ndash350 Springer BerlinGermany 2014

[5] B Cogliati and Y Seurin ldquoOn the provable security of theiterated Even-Mansour cipher against related-key and cho-sen-key attacksrdquo in Advances in CryptologyndashEUROCRYPT2015 Lecture Notes in Computer Science E Oswald andM Fischlin Eds vol 9056 pp 584ndash613 Springer BerlinGermany 2015

[6] P Farshim and G Procter ldquoe related-key security ofiterated Even-Mansour ciphersrdquo in Fast Software Encryp-tionndashFSE 2015 Lecture Notes in Computer Science G LeanderEd vol 9054 pp 342ndash363 Springer Berlin Germany 2015

[7] A Hosoyamada and K Aoki ldquoOn quantum related-key at-tacks on iterated Even-Mansour ciphersrdquo IEICE Transactionson Fundamentals of Electronics Communications and Com-puter Sciences vol E102A no 1 pp 27ndash34 2019

[8] T Isobe and K Shibutani ldquoMeet-in-the-middle key recoveryattacks on a single-key two-round Even-Mansour cipherrdquoIEICE Transactions on Fundamentals of Electronics Com-munications and Computer Sciences vol E102A no 1pp 17ndash26 2019

[9] R Lampe J Patarin and Y Seurin ldquoAn asymptotically tightsecurity analysis of the iterated Even-Mansour cipherrdquo inAdvances in CryptologyndashASIACRYPT 2012 Lecture Notes in

M CT0 P

K K

(a)

M CT0 P

K

K

(b)

M CT0

KK

P

(c)

M CT0

K

K

P

(d)

Figure 2 Lightweight authenticated encryption modes

Security and Communication Networks 5

Computer Science X Wang and K Sako Eds vol 7658pp 278ndash295 Springer Berlin Germany 2012

[10] S Even and Y Mansour ldquoA construction of a cipher from asingle pseudorandom permutationrdquo Journal of Cryptologyvol 10 no 3 pp 151ndash161 1997

[11] O Dunkelman N Keller and A Shamir ldquoMinimalism incryptography the Even-Mansour scheme revisitedrdquo in Ad-vances in CryptologyndashEUROCRYPT 2012 Lecture Notes inComputer Science D Pointcheval and T Johansson Edsvol 7237 pp 336ndash354 Springer Berlin Germany 2012

[12] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Advances in CryptologyndashCRYPTO 2015Lecture Notes in Computer Science R Gennaro andM Robshaw Eds vol 9215 pp 189ndash208 Springer BerlinGermany 2015

[13] N Mouha and A Luykx ldquoMulti-key security the Even-Mansour construction revisitedrdquo in Advances in Cryptolo-gyndashCRYPTO 2015 Lecture Notes in Computer ScienceR Gennaro and M Robshaw Eds vol 9215 pp 209ndash223Springer Berlin Germany 2015

[14] E M do Nascimento and J A M Xexeo ldquoA flexible authen-ticated lightweight cipher using Even-Mansour constructionrdquo inProceedings of the IEEE International Conference on Commu-nicationsndashICC 2017 pp 1ndash6 IEEE Paris France May 2017

[15] J Cho K Y Choi I Dinur et al ldquoWEM a new family ofwhite-box block ciphers based on the Even-Mansour con-structionrdquo in Cryptographersrsquo Track at the RSA Confer-encendashCT-RSA 2017 Lecture Notes in Computer ScienceH Handschuh Ed vol 10159 pp 293ndash308 Springer BerlinGermany 2017

[16] P Farshim L Khati and D Vergnaud ldquoSecurity of Even-Mansour ciphers under key-dependent messagesrdquo e IACRTransactions on Symmetric Cryptology vol 2017 no 2pp 84ndash104 2017

[17] P Zhang and H-G Hu ldquoGeneralized tweakable Even-Mansour cipher and its applicationsrdquo Journal of ComputerScience and Technology vol 33 no 6 pp 1261ndash1277 2018

[18] G Bertoni J Daemen M Peeters and G Van AsscheldquoSponge-based pseudo-random number generatorsrdquo inCryptographic Hardware and Embedded SystemsndashCHES 2010Lecture Notes in Computer Science S Mangard andFX Standaert Eds vol 6225 pp 33ndash47 Springer BerlinGermany 2010

[19] J Patarin ldquoe ldquocoefficients Hrdquo techniquerdquo in Selected Areasin CryptographyndashSAC 2008 Lecture Notes in Computer Sci-ence R M Avanzi L Keliher and F Sica Eds vol 5381pp 328ndash345 Springer Berlin Germany 2008

[20] A Chakraborti N Datta M Nandi and K Yasuda ldquoBeetlefamily of lightweight and secure authenticated encryptionciphersrdquo IACR Transactions on Cryptographic Hardware andEmbedded Systems vol 2018 no 2 pp 218ndash241 2018

[21] G Hatzivasilis G Floros I Papaefstathiou and C ManifavasldquoLightweight authenticated encryption for embedded on-chipsystemsrdquo Information Security Journal A Global Perspectivevol 25 no 4ndash6 pp 151ndash161 2016

[22] Y Sasaki and K Yasuda ldquoOptimizing online permutation-based AE schemes for lightweight applicationsrdquo IEICETransactions on Fundamentals of Electronics Communicationsand Computer Sciences vol E102A no 1 pp 35ndash47 2019

[23] M Bellare and P Rogaway ldquoe security of triple encryptionand a framework for code-based game-playing proofsrdquo inAdvances in CryptologyndashEUROCRYPT 2006 Lecture Notes inComputer Science S Vaudenay Ed vol 4004 pp 409ndash426Springer Berlin Germany 2006

6 Security and Communication Networks

Pr DX τ( 1113857 compX(τ)

ΩX

2b minus qe minus qp1113872 1113873

2b( 1113857 middot 2k

2b minus qe minus qp1113872 11138732b

2b( 11138572

middot 2k

ge2b minus qp1113872 1113873 2b minus qe( 1113857

2b( 11138572

middot 2k Pr DY τ( 1113857

(16)

erefore we have (Pr[DX τ]Pr[DY τ])ge 1Combining Lemmas 1ndash3 we can obtain the result of

eorem 1

4 Application to LightweightAuthenticated Encryption

With the rises of the smart home IoT and 5GB5G net-works lightweight authenticated encryption (AE) modes areattracting more and more attentions [20ndash22] A lightweightAE mode is a lightweight symmetric-key cipher whichsupports the services of privacy and authenticity of thesensitive data in the devices

e EvenndashMansour cipher with a short key can be di-rectly applied to a lightweight AE mode which is shown inFigure 2 It consists of an encryption algorithm E and adecryption algorithm D e encryption algorithm E takes aplaintext M and a key K as inputs and returns a ciphertextC and an authentication tag T ie CT

EMPK(M0c) E(K M) e decryption algorithm D takes

a key K a ciphertext C and an authentication tag Tas inputsand returns a plaintext M or a reject symbol perp ieMperp D(K C T) If the last c-bit of the EM decryption is 0then the decryption algorithm D returns M Otherwise thedecryption algorithm D returns perp

Let Π (E D) stand for our lightweight AE modes Weintroduce the AE-security model as follows

Definition 2 (AE security) Let P be a public randompermutation LetΠ (E D) be a P-based AE scheme LetAbe an adversary which interacts with X (E D Pplusmn) in thereal world or Y ($perp Pplusmn) in the ideal world Let q pgt 0en the AE-security of Π (E D) is defined as follows

AdvaeΠ (A) Pr A

EDPplusmn 11113960 1113961 minus Pr A

$perpPplusmn 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

AdvaeΠ (q p) max

AAdvaeΠ (A)

(17)

where q is the number of queries to the encryption oracle Eor the decryption oracle D p is the number of queries to therandom permutation P or its inverse Pminus 1 is a randomfunction which always returns a fresh and random responsefor each query andperp is a symbol which stands for the failureof the decryption oracles

Theorem 2 Let Plarr Perm(b) and b r + c en

AdvaeΠ (q p)le

μp

2k+

q2

2b+

q

2c (18)

Proof Sketch Let A be an adversary with access to theencryption oracle E the decryption oracle D and the randompermutation P or its inverse Pminus 1 Π can be represented as anEM scheme We replace the EM modular structure to therandom permutation Q According to eorem 1 we have

AdvaeΠ (A) |Pr A

EDPplusmn 11113960 1113961 minus Pr1113858A$perpPplusmn

11113859|

le Pr AEDPplusmn

11113960 1113961 minus Pr AQQminus 1 Pplusmn

11113876 1113877

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

μp

2k+ Pr A

QQminus 1 Pplusmn 11113876 1113877 minus Pr A

$perpPplusmn 11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(19)

It follows that

Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr A$perpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

le Pr AQQminus 1 Pplusmn

11113876 1113877 minus Pr AQperpPplusmn

11113960 1113961

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

+ Pr AQperpPplusmn

11113960 1113961 minus Pr A$perpPplusmn

11113960 111396111138681113868111386811138681113868

11138681113868111386811138681113868

leq

2c+

q2

2b

(20)

where q22b obtained by the PRP-PRF Switch Lemma [23]and q2c is from the fact that the successful probability of theadversary is 12c for each forgery attempt

Combining equations (19) and (20) it is easy to draw theresult of eorem 2

x y

K K

P

(a)

x y

K

K

P

(b)

x y

K K

P

(c)

x y

K

K

P

(d)

Figure 1 Four structures of EM

4 Security and Communication Networks

According to eorem 2 we can find that these light-weight AEmodes ensure about min b2 c k minus log μ1113864 1113865-bit AE-security

5 Conclusions

e key material is crucial for the secure implementation ofcryptographic schemes Most of devices widely used in smarthome smart transportation and Internet of ings (IoT)environments are resource constrained erefore in thedesign of lightweight ciphers a vital issue is the minimalismand agility of the key material

In this paper we revisit the EvenndashMansour cipher anddiscuss this problem whether we can use the least keymaterial to achieve the same (even beyond conventional)security bound in the EvenndashMansour cipher We introducefour structures of the EvenndashMansour cipher with a short keyand derive security up to 1113957O(2kμ) adversarial queries wherek is the bits of the key material and μ is the maximalmultiplicity using Patarinrsquos H-coefficients technique enwe apply them to lightweight authenticated encryptionmodes and prove their security up to about min b2

c k minus log μ-bit adversarial queries where b r + c is thesize of the permutation and c is the capacity of the per-mutation Finally we leave it as an open problem to settlethe security of the t-round iterated EvenndashMansour cipherwith short keys e EvenndashMansour cipher with a short keyis proven (k minus log μ)-bit security It is natural to considerwhether our result can be generalized to the t-rounditerated EvenndashMansour cipher But the situation of the t-round iterated EvenndashMansour cipher with short keys ismore complicated erefore it is regarded as an openproblem to attract scholars to discuss and analyze it indetaile EvenndashMansour cipher with a short key has manygood advantages such as calculating on-the-fly avoidingthe key schedule and minimizing the area of the hardwareimplementation and the key material erefore it can bewidely applied to the data security of smart home Internetof ings and some lightweight devices

Data Availability

e data used to support the findings of the study areavailable within the article

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

is work was supported by the Research Fund of Inter-national Young Scientists (Grant no 61902195) NaturalScience Fund for Colleges and Universities in JiangsuProvince (General Program Grant no 19KJB520045) andNUPTSF (Grant no NY219131)

References

[1] E Andreeva A Bogdanov Y Dodis B Mennink andJ P Steinberger ldquoOn the indifferentiability of key-alternatingciphersrdquo in Advances in CryptologyndashCRYPTO 2013 LectureNotes in Computer Science R Canetti and J A Garay Edsvol 8042 pp 531ndash550 Springer Berlin Germany 2013

[2] A Bogdanov L R Knudsen G Leander FX StandaertJ Steinberger and E Tischhauser ldquoKey-alternating ciphers ina provable setting encryption using a small number of publicpermutationsrdquo in Advances in CryptologyndashEUROCRYPT2012 Lecture Notes in Computer Science D Pointcheval andT Johansson Eds vol 7237 pp 45ndash62 Springer BerlinGermany 2012

[3] S Chen R Lampe J Lee Y Seurin and J SteinbergerldquoMinimizing the two-round Even-Mansour cipherrdquo Journalof Cryptology vol 31 no 4 pp 1064ndash1119 2018

[4] S Chen and J Steinberger ldquoTight security bounds for key-alternating ciphersrdquo in Advances in CryptologyndashEUROCRYPT2014 Lecture Notes in Computer Science P Q Nguyen andE Oswald Eds vol 8441 pp 327ndash350 Springer BerlinGermany 2014

[5] B Cogliati and Y Seurin ldquoOn the provable security of theiterated Even-Mansour cipher against related-key and cho-sen-key attacksrdquo in Advances in CryptologyndashEUROCRYPT2015 Lecture Notes in Computer Science E Oswald andM Fischlin Eds vol 9056 pp 584ndash613 Springer BerlinGermany 2015

[6] P Farshim and G Procter ldquoe related-key security ofiterated Even-Mansour ciphersrdquo in Fast Software Encryp-tionndashFSE 2015 Lecture Notes in Computer Science G LeanderEd vol 9054 pp 342ndash363 Springer Berlin Germany 2015

[7] A Hosoyamada and K Aoki ldquoOn quantum related-key at-tacks on iterated Even-Mansour ciphersrdquo IEICE Transactionson Fundamentals of Electronics Communications and Com-puter Sciences vol E102A no 1 pp 27ndash34 2019

[8] T Isobe and K Shibutani ldquoMeet-in-the-middle key recoveryattacks on a single-key two-round Even-Mansour cipherrdquoIEICE Transactions on Fundamentals of Electronics Com-munications and Computer Sciences vol E102A no 1pp 17ndash26 2019

[9] R Lampe J Patarin and Y Seurin ldquoAn asymptotically tightsecurity analysis of the iterated Even-Mansour cipherrdquo inAdvances in CryptologyndashASIACRYPT 2012 Lecture Notes in

M CT0 P

K K

(a)

M CT0 P

K

K

(b)

M CT0

KK

P

(c)

M CT0

K

K

P

(d)

Figure 2 Lightweight authenticated encryption modes

Security and Communication Networks 5

Computer Science X Wang and K Sako Eds vol 7658pp 278ndash295 Springer Berlin Germany 2012

[10] S Even and Y Mansour ldquoA construction of a cipher from asingle pseudorandom permutationrdquo Journal of Cryptologyvol 10 no 3 pp 151ndash161 1997

[11] O Dunkelman N Keller and A Shamir ldquoMinimalism incryptography the Even-Mansour scheme revisitedrdquo in Ad-vances in CryptologyndashEUROCRYPT 2012 Lecture Notes inComputer Science D Pointcheval and T Johansson Edsvol 7237 pp 336ndash354 Springer Berlin Germany 2012

[12] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Advances in CryptologyndashCRYPTO 2015Lecture Notes in Computer Science R Gennaro andM Robshaw Eds vol 9215 pp 189ndash208 Springer BerlinGermany 2015

[13] N Mouha and A Luykx ldquoMulti-key security the Even-Mansour construction revisitedrdquo in Advances in Cryptolo-gyndashCRYPTO 2015 Lecture Notes in Computer ScienceR Gennaro and M Robshaw Eds vol 9215 pp 209ndash223Springer Berlin Germany 2015

[14] E M do Nascimento and J A M Xexeo ldquoA flexible authen-ticated lightweight cipher using Even-Mansour constructionrdquo inProceedings of the IEEE International Conference on Commu-nicationsndashICC 2017 pp 1ndash6 IEEE Paris France May 2017

[15] J Cho K Y Choi I Dinur et al ldquoWEM a new family ofwhite-box block ciphers based on the Even-Mansour con-structionrdquo in Cryptographersrsquo Track at the RSA Confer-encendashCT-RSA 2017 Lecture Notes in Computer ScienceH Handschuh Ed vol 10159 pp 293ndash308 Springer BerlinGermany 2017

[16] P Farshim L Khati and D Vergnaud ldquoSecurity of Even-Mansour ciphers under key-dependent messagesrdquo e IACRTransactions on Symmetric Cryptology vol 2017 no 2pp 84ndash104 2017

[17] P Zhang and H-G Hu ldquoGeneralized tweakable Even-Mansour cipher and its applicationsrdquo Journal of ComputerScience and Technology vol 33 no 6 pp 1261ndash1277 2018

[18] G Bertoni J Daemen M Peeters and G Van AsscheldquoSponge-based pseudo-random number generatorsrdquo inCryptographic Hardware and Embedded SystemsndashCHES 2010Lecture Notes in Computer Science S Mangard andFX Standaert Eds vol 6225 pp 33ndash47 Springer BerlinGermany 2010

[19] J Patarin ldquoe ldquocoefficients Hrdquo techniquerdquo in Selected Areasin CryptographyndashSAC 2008 Lecture Notes in Computer Sci-ence R M Avanzi L Keliher and F Sica Eds vol 5381pp 328ndash345 Springer Berlin Germany 2008

[20] A Chakraborti N Datta M Nandi and K Yasuda ldquoBeetlefamily of lightweight and secure authenticated encryptionciphersrdquo IACR Transactions on Cryptographic Hardware andEmbedded Systems vol 2018 no 2 pp 218ndash241 2018

[21] G Hatzivasilis G Floros I Papaefstathiou and C ManifavasldquoLightweight authenticated encryption for embedded on-chipsystemsrdquo Information Security Journal A Global Perspectivevol 25 no 4ndash6 pp 151ndash161 2016

[22] Y Sasaki and K Yasuda ldquoOptimizing online permutation-based AE schemes for lightweight applicationsrdquo IEICETransactions on Fundamentals of Electronics Communicationsand Computer Sciences vol E102A no 1 pp 35ndash47 2019

[23] M Bellare and P Rogaway ldquoe security of triple encryptionand a framework for code-based game-playing proofsrdquo inAdvances in CryptologyndashEUROCRYPT 2006 Lecture Notes inComputer Science S Vaudenay Ed vol 4004 pp 409ndash426Springer Berlin Germany 2006

6 Security and Communication Networks

According to eorem 2 we can find that these light-weight AEmodes ensure about min b2 c k minus log μ1113864 1113865-bit AE-security

5 Conclusions

e key material is crucial for the secure implementation ofcryptographic schemes Most of devices widely used in smarthome smart transportation and Internet of ings (IoT)environments are resource constrained erefore in thedesign of lightweight ciphers a vital issue is the minimalismand agility of the key material

In this paper we revisit the EvenndashMansour cipher anddiscuss this problem whether we can use the least keymaterial to achieve the same (even beyond conventional)security bound in the EvenndashMansour cipher We introducefour structures of the EvenndashMansour cipher with a short keyand derive security up to 1113957O(2kμ) adversarial queries wherek is the bits of the key material and μ is the maximalmultiplicity using Patarinrsquos H-coefficients technique enwe apply them to lightweight authenticated encryptionmodes and prove their security up to about min b2

c k minus log μ-bit adversarial queries where b r + c is thesize of the permutation and c is the capacity of the per-mutation Finally we leave it as an open problem to settlethe security of the t-round iterated EvenndashMansour cipherwith short keys e EvenndashMansour cipher with a short keyis proven (k minus log μ)-bit security It is natural to considerwhether our result can be generalized to the t-rounditerated EvenndashMansour cipher But the situation of the t-round iterated EvenndashMansour cipher with short keys ismore complicated erefore it is regarded as an openproblem to attract scholars to discuss and analyze it indetaile EvenndashMansour cipher with a short key has manygood advantages such as calculating on-the-fly avoidingthe key schedule and minimizing the area of the hardwareimplementation and the key material erefore it can bewidely applied to the data security of smart home Internetof ings and some lightweight devices

Data Availability

e data used to support the findings of the study areavailable within the article

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

is work was supported by the Research Fund of Inter-national Young Scientists (Grant no 61902195) NaturalScience Fund for Colleges and Universities in JiangsuProvince (General Program Grant no 19KJB520045) andNUPTSF (Grant no NY219131)

References

[1] E Andreeva A Bogdanov Y Dodis B Mennink andJ P Steinberger ldquoOn the indifferentiability of key-alternatingciphersrdquo in Advances in CryptologyndashCRYPTO 2013 LectureNotes in Computer Science R Canetti and J A Garay Edsvol 8042 pp 531ndash550 Springer Berlin Germany 2013

[2] A Bogdanov L R Knudsen G Leander FX StandaertJ Steinberger and E Tischhauser ldquoKey-alternating ciphers ina provable setting encryption using a small number of publicpermutationsrdquo in Advances in CryptologyndashEUROCRYPT2012 Lecture Notes in Computer Science D Pointcheval andT Johansson Eds vol 7237 pp 45ndash62 Springer BerlinGermany 2012

[3] S Chen R Lampe J Lee Y Seurin and J SteinbergerldquoMinimizing the two-round Even-Mansour cipherrdquo Journalof Cryptology vol 31 no 4 pp 1064ndash1119 2018

[4] S Chen and J Steinberger ldquoTight security bounds for key-alternating ciphersrdquo in Advances in CryptologyndashEUROCRYPT2014 Lecture Notes in Computer Science P Q Nguyen andE Oswald Eds vol 8441 pp 327ndash350 Springer BerlinGermany 2014

[5] B Cogliati and Y Seurin ldquoOn the provable security of theiterated Even-Mansour cipher against related-key and cho-sen-key attacksrdquo in Advances in CryptologyndashEUROCRYPT2015 Lecture Notes in Computer Science E Oswald andM Fischlin Eds vol 9056 pp 584ndash613 Springer BerlinGermany 2015

[6] P Farshim and G Procter ldquoe related-key security ofiterated Even-Mansour ciphersrdquo in Fast Software Encryp-tionndashFSE 2015 Lecture Notes in Computer Science G LeanderEd vol 9054 pp 342ndash363 Springer Berlin Germany 2015

[7] A Hosoyamada and K Aoki ldquoOn quantum related-key at-tacks on iterated Even-Mansour ciphersrdquo IEICE Transactionson Fundamentals of Electronics Communications and Com-puter Sciences vol E102A no 1 pp 27ndash34 2019

[8] T Isobe and K Shibutani ldquoMeet-in-the-middle key recoveryattacks on a single-key two-round Even-Mansour cipherrdquoIEICE Transactions on Fundamentals of Electronics Com-munications and Computer Sciences vol E102A no 1pp 17ndash26 2019

[9] R Lampe J Patarin and Y Seurin ldquoAn asymptotically tightsecurity analysis of the iterated Even-Mansour cipherrdquo inAdvances in CryptologyndashASIACRYPT 2012 Lecture Notes in

M CT0 P

K K

(a)

M CT0 P

K

K

(b)

M CT0

KK

P

(c)

M CT0

K

K

P

(d)

Figure 2 Lightweight authenticated encryption modes

Security and Communication Networks 5

Computer Science X Wang and K Sako Eds vol 7658pp 278ndash295 Springer Berlin Germany 2012

[10] S Even and Y Mansour ldquoA construction of a cipher from asingle pseudorandom permutationrdquo Journal of Cryptologyvol 10 no 3 pp 151ndash161 1997

[11] O Dunkelman N Keller and A Shamir ldquoMinimalism incryptography the Even-Mansour scheme revisitedrdquo in Ad-vances in CryptologyndashEUROCRYPT 2012 Lecture Notes inComputer Science D Pointcheval and T Johansson Edsvol 7237 pp 336ndash354 Springer Berlin Germany 2012

[12] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Advances in CryptologyndashCRYPTO 2015Lecture Notes in Computer Science R Gennaro andM Robshaw Eds vol 9215 pp 189ndash208 Springer BerlinGermany 2015

[13] N Mouha and A Luykx ldquoMulti-key security the Even-Mansour construction revisitedrdquo in Advances in Cryptolo-gyndashCRYPTO 2015 Lecture Notes in Computer ScienceR Gennaro and M Robshaw Eds vol 9215 pp 209ndash223Springer Berlin Germany 2015

[14] E M do Nascimento and J A M Xexeo ldquoA flexible authen-ticated lightweight cipher using Even-Mansour constructionrdquo inProceedings of the IEEE International Conference on Commu-nicationsndashICC 2017 pp 1ndash6 IEEE Paris France May 2017

[15] J Cho K Y Choi I Dinur et al ldquoWEM a new family ofwhite-box block ciphers based on the Even-Mansour con-structionrdquo in Cryptographersrsquo Track at the RSA Confer-encendashCT-RSA 2017 Lecture Notes in Computer ScienceH Handschuh Ed vol 10159 pp 293ndash308 Springer BerlinGermany 2017

[16] P Farshim L Khati and D Vergnaud ldquoSecurity of Even-Mansour ciphers under key-dependent messagesrdquo e IACRTransactions on Symmetric Cryptology vol 2017 no 2pp 84ndash104 2017

[17] P Zhang and H-G Hu ldquoGeneralized tweakable Even-Mansour cipher and its applicationsrdquo Journal of ComputerScience and Technology vol 33 no 6 pp 1261ndash1277 2018

[18] G Bertoni J Daemen M Peeters and G Van AsscheldquoSponge-based pseudo-random number generatorsrdquo inCryptographic Hardware and Embedded SystemsndashCHES 2010Lecture Notes in Computer Science S Mangard andFX Standaert Eds vol 6225 pp 33ndash47 Springer BerlinGermany 2010

[19] J Patarin ldquoe ldquocoefficients Hrdquo techniquerdquo in Selected Areasin CryptographyndashSAC 2008 Lecture Notes in Computer Sci-ence R M Avanzi L Keliher and F Sica Eds vol 5381pp 328ndash345 Springer Berlin Germany 2008

[20] A Chakraborti N Datta M Nandi and K Yasuda ldquoBeetlefamily of lightweight and secure authenticated encryptionciphersrdquo IACR Transactions on Cryptographic Hardware andEmbedded Systems vol 2018 no 2 pp 218ndash241 2018

[21] G Hatzivasilis G Floros I Papaefstathiou and C ManifavasldquoLightweight authenticated encryption for embedded on-chipsystemsrdquo Information Security Journal A Global Perspectivevol 25 no 4ndash6 pp 151ndash161 2016

[22] Y Sasaki and K Yasuda ldquoOptimizing online permutation-based AE schemes for lightweight applicationsrdquo IEICETransactions on Fundamentals of Electronics Communicationsand Computer Sciences vol E102A no 1 pp 35ndash47 2019

[23] M Bellare and P Rogaway ldquoe security of triple encryptionand a framework for code-based game-playing proofsrdquo inAdvances in CryptologyndashEUROCRYPT 2006 Lecture Notes inComputer Science S Vaudenay Ed vol 4004 pp 409ndash426Springer Berlin Germany 2006

6 Security and Communication Networks

Computer Science X Wang and K Sako Eds vol 7658pp 278ndash295 Springer Berlin Germany 2012

[10] S Even and Y Mansour ldquoA construction of a cipher from asingle pseudorandom permutationrdquo Journal of Cryptologyvol 10 no 3 pp 151ndash161 1997

[11] O Dunkelman N Keller and A Shamir ldquoMinimalism incryptography the Even-Mansour scheme revisitedrdquo in Ad-vances in CryptologyndashEUROCRYPT 2012 Lecture Notes inComputer Science D Pointcheval and T Johansson Edsvol 7237 pp 336ndash354 Springer Berlin Germany 2012

[12] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Advances in CryptologyndashCRYPTO 2015Lecture Notes in Computer Science R Gennaro andM Robshaw Eds vol 9215 pp 189ndash208 Springer BerlinGermany 2015

[13] N Mouha and A Luykx ldquoMulti-key security the Even-Mansour construction revisitedrdquo in Advances in Cryptolo-gyndashCRYPTO 2015 Lecture Notes in Computer ScienceR Gennaro and M Robshaw Eds vol 9215 pp 209ndash223Springer Berlin Germany 2015

[14] E M do Nascimento and J A M Xexeo ldquoA flexible authen-ticated lightweight cipher using Even-Mansour constructionrdquo inProceedings of the IEEE International Conference on Commu-nicationsndashICC 2017 pp 1ndash6 IEEE Paris France May 2017

[15] J Cho K Y Choi I Dinur et al ldquoWEM a new family ofwhite-box block ciphers based on the Even-Mansour con-structionrdquo in Cryptographersrsquo Track at the RSA Confer-encendashCT-RSA 2017 Lecture Notes in Computer ScienceH Handschuh Ed vol 10159 pp 293ndash308 Springer BerlinGermany 2017

[16] P Farshim L Khati and D Vergnaud ldquoSecurity of Even-Mansour ciphers under key-dependent messagesrdquo e IACRTransactions on Symmetric Cryptology vol 2017 no 2pp 84ndash104 2017

[17] P Zhang and H-G Hu ldquoGeneralized tweakable Even-Mansour cipher and its applicationsrdquo Journal of ComputerScience and Technology vol 33 no 6 pp 1261ndash1277 2018

[18] G Bertoni J Daemen M Peeters and G Van AsscheldquoSponge-based pseudo-random number generatorsrdquo inCryptographic Hardware and Embedded SystemsndashCHES 2010Lecture Notes in Computer Science S Mangard andFX Standaert Eds vol 6225 pp 33ndash47 Springer BerlinGermany 2010

[19] J Patarin ldquoe ldquocoefficients Hrdquo techniquerdquo in Selected Areasin CryptographyndashSAC 2008 Lecture Notes in Computer Sci-ence R M Avanzi L Keliher and F Sica Eds vol 5381pp 328ndash345 Springer Berlin Germany 2008

[20] A Chakraborti N Datta M Nandi and K Yasuda ldquoBeetlefamily of lightweight and secure authenticated encryptionciphersrdquo IACR Transactions on Cryptographic Hardware andEmbedded Systems vol 2018 no 2 pp 218ndash241 2018

[21] G Hatzivasilis G Floros I Papaefstathiou and C ManifavasldquoLightweight authenticated encryption for embedded on-chipsystemsrdquo Information Security Journal A Global Perspectivevol 25 no 4ndash6 pp 151ndash161 2016

[22] Y Sasaki and K Yasuda ldquoOptimizing online permutation-based AE schemes for lightweight applicationsrdquo IEICETransactions on Fundamentals of Electronics Communicationsand Computer Sciences vol E102A no 1 pp 35ndash47 2019

[23] M Bellare and P Rogaway ldquoe security of triple encryptionand a framework for code-based game-playing proofsrdquo inAdvances in CryptologyndashEUROCRYPT 2006 Lecture Notes inComputer Science S Vaudenay Ed vol 4004 pp 409ndash426Springer Berlin Germany 2006

6 Security and Communication Networks