Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance

A $t$-round key-alternating cipher can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an…
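The construction defined above, written out as an added toy example (not code from the paper): it splits $k$ into the round keys $k_0, \ldots, k_t$, evaluates $E_k$, and inverts it round by round. The function names, the 8-bit block size, the seeded-shuffle permutations and the sample key are assumptions chosen for illustration.

```python
import random

def public_permutations(t, n, seed=1):
    """t fixed public permutations P_1..P_t of {0,1}^n, as lookup tables.
    Toy stand-in (assumption): seeded shuffles, not cryptographic primitives."""
    rng = random.Random(seed)
    perms = []
    for _ in range(t):
        table = list(range(1 << n))
        rng.shuffle(table)
        perms.append(table)
    return perms

def split_key(k, t, n):
    """Split k = k_0 || ... || k_t (an n(t+1)-bit integer) into t+1 round keys."""
    if not 0 <= k < 1 << (n * (t + 1)):
        raise ValueError("key must fit in n(t+1) bits")
    mask = (1 << n) - 1
    return [(k >> (n * (t - i))) & mask for i in range(t + 1)]

def encrypt(perms, k, x, n):
    """E_k(x) = k_t ^ P_t(k_{t-1} ^ ... P_1(k_0 ^ x) ...)."""
    keys = split_key(k, len(perms), n)
    state = x ^ keys[0]
    for perm, key in zip(perms, keys[1:]):
        state = perm[state] ^ key
    return state

def decrypt(perms, k, y, n):
    """Undo the rounds in reverse order: strip k_i, then apply P_i^{-1}."""
    keys = split_key(k, len(perms), n)
    state = y
    for perm, key in zip(reversed(perms), reversed(keys[1:])):
        state = perm.index(state ^ key)  # table inverse; fine at toy sizes
    return state ^ keys[0]

if __name__ == "__main__":
    n, t = 8, 3
    perms = public_permutations(t, n)
    k = 0x1A2B3C4D  # constructed sample key of n(t+1) = 32 bits
    domain = range(1 << n)
    image = {encrypt(perms, k, x, n) for x in domain}
    print("E_k is a permutation:", len(image) == 1 << n)
    print("round trip ok:",
          all(decrypt(perms, k, encrypt(perms, k, x, n), n) == x for x in domain))
```

Only the round keys are secret here; the permutation tables are public, which is the setting in which indistinguishability of $E_k$ is studied.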