9

For example, in the question “Is there any reason not to use Single-Key EM with AES and a constant key?” it is proposed to use AES with a fixed key as the permutation in a xor-permute-xor construction. In the paper linked in the answer – “Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations” (PDF) – there is a proposal for a cipher that uses the full AES cipher with a fixed key(s).

Why is the full round AES required? How would the situation change if AES with only half the number of rounds was used? What about AES with only two rounds? If I recall correctly, two rounds of AES is the minimum required for complete diffusion of the input, so I wonder why 2 rounds wouldn't work just as well.

Why would one use an iterated construction, if the XOR-permute-XOR construction is providing all the security?

What requirements does the permutation need to fulfill, specifically? In the paper “Minimalism in Cryptography: The Even-Mansour Scheme Revisited” (PDF) they appear to just use the term "fixed random permutation" or "publicly known permutation".

Community
  • 1
Ella Rose
  • 19,603
  • 6
  • 53
  • 101
  • 1
    I think the answer will be "you need a PRP and round reduced AES is not a PRP because you can distinguish it from a RP" – SEJPM Jun 30 '16 at 20:09

1 Answers1

5

The permutation used for Even-Mansour needs to approximate a random permutation. This is the model in which all of the $r$-round Even-Mansour proofs are done. If you have a permutation that is distinguishable from random in a small number of queries, those proofs become null and void—though in some cases the cipher may still be secure.

Now, it is perfectly reasonable to wonder about the exact limits of this approach like you did, and in fact people have: this is a popular cipher design approach otherwise known as "key-alternating cipher". The AES itself is probably the most famous instance of it. You can model the AES as $$ P'(\dotsc P(P(m \oplus k_0) \oplus k_1) \oplus k_2) \dotsc) \oplus k_{10}, $$ where $$P(x) =\mathsf{MixColumns}(\mathsf{ShiftRows}(\mathsf{SubBytes}(x)))$$ and $$P'(x) = \mathsf{ShiftRows}(\mathsf{SubBytes}(x)),$$ and $k_i$ are the keys produced by the key schedule.

While the AES is not provably secure, since each of those permutations is way too simple to behave as a random permutation, heuristically this works out against known attacks given enough rounds. But in this case, the Even-Mansour results are of little use (besides confirming that the high-level design approach is sound), and concrete analysis against differential, linear, etc cryptanalysis is much more valuable.

Samuel Neves
  • 12,460
  • 43
  • 52