- Published 2016 in IACR Cryptology ePrint Archive

We revisit the t-round Even-Mansour (EM) scheme with random oracle key derivation previously considered by Andreeva et al. (CRYPTO 2013), namely xork ∘ Pt ∘ xork ∘ ... ∘ xork ∘ P2 ∘ xork ∘ P1 ∘ xork, where P1, ..., Pt stand for t independent n-bit random permutations and xork is the operation of xoring with the n-bit round key k = H(K), for a κ-to-n-bit random oracle H applied to a κ-bit main key K. For this scheme, Andreeva et al. gave an indifferentiability proof (from an ideal (κ, n)-cipher) for 5 rounds and exhibited an attack for 2 rounds, leaving the (in)differentiability of 3 and 4 rounds open. We present an indifferentiability proof for 3 rounds and thus close this gap. This also separates EM ciphers with non-invertible key derivations from those with invertible ones in the "full" indifferentiability setting; prior work (ours, DCC, 2015) only established such a separation in the weaker sequential-indifferentiability setting. Our results also imply that 3-round EM is indifferentiable under multiple random known keys, partially settling a problem left open by Cogliati and Seurin (FSE 2016). The key point of our indifferentiability simulator is to pre-emptively prepare some chains of ideal-cipher queries in order to simulate the structures that arise from the related-key boomerang property in the 3-round case. The length of such chains has to be as large as the number of queries issued by the distinguisher, so the situation somewhat resembles the hash-of-hash construction H(H(·)) considered by Dodis et al. (CRYPTO 2012). Besides, a technical novelty of our proof is the absence of the so-called distinguisher that completes all chains.
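The t-round construction defined above, written out as an added worked example in Python (this is not code from the paper; the paper is a proof, not an implementation). The block size n, the main-key size κ, the seeded PRNG standing in for the ideal permutations P1, ..., Pt, and SHA-256 truncated to n bits standing in for the κ-to-n-bit random oracle H are all assumptions made here so that the cipher can actually be run; `em_encrypt`, `em_decrypt` and `EvenMansourROKD` are names chosen for this example.

```python
"""Toy model of the t-round Even-Mansour cipher with random-oracle key derivation.

Added example, not code from the paper. The block size n is kept small so that
the "random permutations" fit in memory as lookup tables; a seeded PRNG stands in
for the ideal permutations P_1..P_t and SHA-256 (truncated to n bits) stands in
for the kappa-to-n-bit random oracle H.
"""
import hashlib
import random
from typing import List, Sequence

N_BITS = 16                 # block size n (assumed for the toy model)
KAPPA_BYTES = 16            # main-key size kappa = 128 bits (assumed)
MASK = (1 << N_BITS) - 1


def random_permutations(t: int, seed: int) -> List[List[int]]:
    """Return t independent n-bit permutations as lookup tables (seeded, hence reproducible)."""
    rng = random.Random(seed)
    perms = []
    for _ in range(t):
        table = list(range(1 << N_BITS))
        rng.shuffle(table)
        perms.append(table)
    return perms


def invert_permutation(perm: Sequence[int]) -> List[int]:
    """Inverse lookup table: inv[perm[x]] == x for every x."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def derive_round_key(main_key: bytes) -> int:
    """k = H(K): the non-invertible kappa-to-n-bit key derivation (SHA-256 truncated to n bits)."""
    if len(main_key) != KAPPA_BYTES:
        raise ValueError("main key must be exactly %d bytes" % KAPPA_BYTES)
    digest = hashlib.sha256(main_key).digest()
    return int.from_bytes(digest[:4], "big") & MASK


def em_encrypt(perms: Sequence[Sequence[int]], k: int, x: int) -> int:
    """xor_k o P_t o xor_k o ... o P_1 o xor_k applied to the n-bit block x."""
    y = x ^ k
    for p in perms:
        y = p[y] ^ k
    return y


def em_decrypt(inv_perms: Sequence[Sequence[int]], k: int, y: int) -> int:
    """Inverse direction: undo the rounds in reverse order with the inverse permutations."""
    x = y ^ k
    for p_inv in reversed(list(inv_perms)):
        x = p_inv[x] ^ k
    return x


class EvenMansourROKD:
    """t-round EM cipher keyed by a kappa-bit main key K through the single round key k = H(K)."""

    def __init__(self, perms: Sequence[Sequence[int]], main_key: bytes):
        self.perms = perms
        self.inv_perms = [invert_permutation(p) for p in perms]
        self.k = derive_round_key(main_key)

    def encrypt(self, x: int) -> int:
        return em_encrypt(self.perms, self.k, x & MASK)

    def decrypt(self, y: int) -> int:
        return em_decrypt(self.inv_perms, self.k, y & MASK)


if __name__ == "__main__":
    P = random_permutations(t=3, seed=2016)            # three public permutations P1, P2, P3
    cipher = EvenMansourROKD(P, b"constructed-key!")   # constructed 16-byte main key K
    for x in (0, 1, 0xBEEF, MASK):
        c = cipher.encrypt(x)
        assert cipher.decrypt(c) == x
        print(f"{x:04x} -> {c:04x}")
```

The only place the main key enters is `derive_round_key`; an EM variant with an invertible key derivation would use k = K directly, which is exactly the distinction between the two families the abstract separates. Passing `k = 0` to `em_encrypt` recovers the unkeyed composition P3 ∘ P2 ∘ P1, which is a convenient sanity check on the round structure.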

@article{Guo2016IndifferentiabilityO3,
title={Indifferentiability of 3-Round Even-Mansour with Random Oracle Key Derivation},
author={Chun Guo and Dongdai Lin},
journal={IACR Cryptology ePrint Archive},
year={2016},
volume={2016},
pages={894}
}