Keywords

1 Introduction

Modern block cipher design is based on the concept of iterating a round function [44]. This round function typically consists of a subkey addition followed by an unkeyed invertible function. All commonly-used block ciphers, including the DES [46] and AES [23] standards, follow this design strategy.

As such, the design of an iterated block cipher consists of two parts: the design of a round function, and a key schedule to generate the subkeys for every round. Although round function design seems to be a relatively well-understood problem, this is much less the case for the key schedule. For example, Rijmen and Daemen already stated in the AES design book that: “There is no consensus on the criteria that a key schedule must satisfy” [23, p. 77]. This fact has been repeated many times since, for example in the SHA-3 finalist Grøstl design document [32, p. 5]. In particular, there seems to be no consensus on whether a “strong” or a “simple” key schedule is required, a choice which appears to depend on the application.

An argument for a “simple” key schedule is that keys should be chosen uniformly at random from the entire key space anyway, in order to avoid a speed-up of brute-force attacks due to low key entropy. As a result, attacks based on weak keys [25] and known keys [42] are no longer applicable. Similarly, when multiple keys are used, they should be chosen independently to prevent a compromise of one key helping the recovery of other keys. This avoids attacks based on related keys [911].

Proponents of a “strong” key schedule point out that in practice, keys may not always be chosen independently from a uniformly random distribution. The cause of this could be a weak protocol, a programming error or an insecure implementation.

Complexity, however, always comes at a cost. It makes cryptosystems more difficult to design, to implement and to analyze. Hence, we argue for a block cipher with a simple key schedule, combined with the use of a secure key derivation function (KDF) [20] for secret-key applications. A KDF can be as simple as using the same block cipher to encrypt a counter, in which case the implementation overhead is minimal. For a theoretical treatment of KDFs, we refer to [1].

Although the use of a KDF avoids attacks on weak keys, known keys and related keys, it cannot prevent multi-key attacks [12, 14, 24, 38]: a plaintext may be encrypted under multiple independent keys. Often overlooked by block cipher designers, multi-key attacks are highly relevant in practice (cf. Sect. 2).

This leads us to the following open problem, formulated by Daemen and Rijmen in 2012 [24]. In their paper, they point out: “A scenario where the adversary can query the block cipher under related keys, or even multiple keys, inevitably leads to security erosion”. Paraphrased, concerning the multi-key setting they ask: “Can we design a secure block cipher with a lighter key schedule and higher key agility if related-key security is not required?”

In this paper, we give a positive answer to their question. Surprisingly, one of the simplest block ciphers, the single-key Even-Mansour constructionFootnote 1 [26, 29, 30], shown in Fig. 1, offers similar security to an ideal block cipher when a small number of plaintexts can be queried under many keys.

Fig. 1.
figure 1

The Even-Mansour construction.

Full size image

Outline. The single-key, related-key and multi-key attack settings are discussed in Sect. 2, from a theoretical as well as a practical perspective. In Sect. 3, we prove tight bounds for the security of an Even-Mansour block cipher and of an ideal block cipher in the multi-key setting. The relevance of our observations for the security and efficiency of block cipher implementations is discussed in Sect. 4. We conclude the paper in Sect. 5.

2 Attack Settings

2.1 Three Attack Settings

Single-Key Setting. One key K is chosen uniformly at random from the key space in the single-key setting, also referred to as the fixed-key setting. The adversary can then make encryption and decryption queries to block cipher E, all under the same key K.

Related-Key Setting. In the related-key setting, the adversary can perform encryption and decryption queries to block cipher E under keys \(K_i\). Each key i satisfies the relationship \(K_i = \varPhi _i(K)\), where K is secret, but the functions \(\varPhi _i\) are chosen by the adversary. To avoid that not every block cipher E is vulnerable to a related-key attack, restrictions are necessary on the functions \(\varPhi _i\) as explained in [9].

Security against related-key attacks is often considered in the design of a block cipher. For example, it was a stated design goal for the AES block cipher [23], although it was shown that AES is not secure against related-key attacks [15, 16].

Furthermore, it should be noted that certain commonly-used algorithms, including DES and Triple-DES, are trivially insecure against related-key attacks. For DES [46] and Triple-DES [6], this is an immediate result of its complementation property [36]: \(\overline{E_{K}(P)}=E_{\overline{K}}(\overline{P})\), where \(\overline{x}\) represents the bitwise complement of x.

It is difficult to say whether related-key security should be a requirement, as this depends on the protocol in which the cryptosystem is used. Nevertheless, it seems fair to point out that protocol designers should not assume related-key security, given that several commonly-used designs are (sometimes trivially) insecure in this setting.

Multi-key Setting. In the multi-key setting, the adversary can query encryption and decryption queries under keys \(K_i\), where all \(K_i\) are independently chosen, uniformly at random. The multi-key setting can be seen as a generalization of the multi-user setting of Chatterjee et al. [19], where encryption queries of only one plaintext P are allowed under keys \(K_i\).Footnote 2 This multi-user setting is then again a further generalization of the broadcast setting of Mantin and Shamir [45], where the plaintext P is unknown to the attacker.

Every attack in the broadcast setting also leads to an attack in the multi-user setting, and every multi-user attack is also a multi-key attack. We will therefore use the multi-key setting throughout this paper, in order to evaluate the security against the most powerful adversaries.

2.2 Practical Relevance of the Multi-key Setting

The terms “broadcast” and “multi-user” imply a setting where one message is sent to many users, encrypted under independent keys. Note, however, that this setting does not actually require a large amount of users, and also applies to one user that rekeys frequently.

Frequent rekeying is often a result of the common implementation practice to use session keys. As explained in [48, Sect. 12.2.2], session keys limit the available ciphertext under the same key for cryptanalytic attacks, and limit the exposure in case a session key is compromised.

Furthermore, rekeying is necessary in certain scenarios in order to avoid cryptanalytical attacks or to comply with existing standards. It should be noted that several cryptanalytical attacks have a higher success probability when more plaintext-ciphertext pairs under a specific key are available [8].

For example, NIST limits the amount of plaintext that can be processed under the same key to \(2^{32}\) blocks (32 GB) for three-key Triple-DES, and to \(2^{20}\) blocks (16 MB) for two-key Triple-DES [6]. In the case of MAC functions, NIST not only recommends to limit the number of message blocks under the same key, but also to limit the number of MAC failures before rekeying is required [27, 28]. In the case of TLS, rekeying is required after only one MAC failure [34].

AlFardan et al. [3] showed that it is a realistic attack vector in the case of TLS to obtain the encryption of one secret (a cookie or password) under multiple independent keys. They explained that this can be done either by using JavaScript malware to generate multiple sessions, or by causing the session to be terminated, after which some applications automatically reconnect and retransmit the cookie or password. As shown by Paterson et al. [54], the same attack setting also applies to WPA-TKIP because of its use of per-packet keys.

2.3 Security in the Multi-key Setting

As noted by Biham [12, 13], there exists a faster generic key-recovery attack on any block cipher in the multi-key setting compared to the single-key setting. This can be seen as follows. To keep our explanation simple, let us assume in this section that key size k equals the block size n.

In the single-key setting, an adversary with \(D=1\) plaintext-ciphertext pair will need on average \(T=2^{k-1}\) encryptions to recover the key by exhaustive search with a success probability of about 50 %. More plaintext-ciphertext pairs will increase the success probability of the attack, as probability decreases that a random key will be found instead of the correct key, but will not reduce the time complexity of the attack.

Recovering one key can be done with a lower time complexity in the multi-key setting. To see this, let an attacker have D encryptions

$$\begin{aligned} E_{K_1}(P), E_{K_2}(P), \ldots , E_{K_D}(P)\end{aligned}$$
(1)

of the same plaintext P under multiple independent keys \(K_1, K_2, \ldots , K_D\). Then, after on average \(T=2^{k-1}/D\) encryptions of the plaintext P, one of the keys \(K_1, K_2, \ldots , K_D\) will be recovered with a success probability of about 50 %.

Besides this observation, Biham also remarked in [12, 13] that key collisions become likely in this multi-key setting after about \(D=2^{k/2}\) plaintext-ciphertext pairs. Consequently, the key size k should be chosen to be sufficiently large by design to avoid key collision attacks.

In Sect. 3, we will prove that the Even-Mansour construction has similar security to an ideal block cipher in the multi-key setting, assuming the number of plaintexts queried per key is small. Or put differently, when multi-key attacks with a small amount of plaintext per key are taken into account, there is little advantage in choosing a block cipher with a more complicated key schedule than the Even-Mansour construction.

2.4 Related Work

The time-memory tradeoff of Hellman [37] is not a concern for block ciphers with a reasonably long key size, because its precomputation time is the same as that of exhaustive key search. This is different from the time-memory-data tradeoffs for stream ciphers of Babbage-Golić [5, 33] and Biryukov-Shamir [17], where the time complexity can be far below exhaustive search.

As shown by Hong and Sarkar [38], and independently by Birykov [14], the stream cipher time-memory-data tradeoffs can be applied to the block cipher setting as well, assuming that a plaintext is encrypted under multiple keys. Their work generalizes the findings of Biham that we presented in Sect. 2.3.

Chatterjee, Koblitz, Menezes and Sarkar critiqued the security proofs of symmetric-key encryption and authentication modes [19, 43, 47], pointing out that security is often reduced when a multi-user setting is considered.

Their findings inspired Fouque et al. [31] to look at collision search algorithms in the multi-user setting. One of their results is the first analysis of the Even-Mansour construction in the multi-user setting. We will use an entirely different approach in this paper, by considering information-theoretic adversaries that are only limited by the number of queries to the Even-Mansour block cipher and to the underlying permutation. As we will show, the attack by Fouque et al. reaches the security bound that we will prove for the Even-Mansour construction in the multi-key setting.

A recent paper by Andreeva et al. [4] considers the security of keyed sponge constructions in the single-target and multi-target scenarios, which are similar to our single-key and multi-key settings. The approach that we follow in this paper is different, as we introduce these concepts in a more general way. Furthermore, we do not express the attacks and security bounds in terms of the “total maximum multiplicity \(\mu \)”, a parameter that is specific to the analysis of sponge constructions.

Note that the multi-user setting is not only relevant for symmetric-key cryptography, but also for public-key cryptography. For a theoretical treatment of public-key encryption in the multi-user setting, we refer to Bellare et al. [7].

3 Security Proofs in the Multi-key Setting

Block cipher security in the multi-key setting is formalized with a distinguisher comparing two worlds, one in which the distinguisher is given access to a block cipher instantiated with \(\ell \) keys, and one in which it is given access to \(\ell \) independent permutations. Our focus is on constructions in the ideal model, meaning they make use of an ideal primitive.

Definition 1

An ideal primitive is a uniformly distributed random variable over a set of functions F.

These primitives model basic components from which cryptographic algorithms are constructed. In line with Kerckhoffs’s principle, ideal primitives are public and can be accessed by adversaries in security definitions. The adversaries themselves are information-theoretic and are only bounded in the number of queries they make to each oracle.

Let \(\mathsf {perm}(n)\) denote the set of all permutations on n bits, and \(\mathsf {block}(k,n)\) denote the set of all block ciphers with k-bit key and n-bit block size. Let \(\ell \) denote number of keys \(K_i\) under which the adversary performs queries, that is, there is at least one query for every key \(K_i\) for \(1\le i\le \ell \).

Definition 2

(Multi-key Security). Let \(\varPi \) be a primitive and \(E^\varPi \) a random variable over \(\mathsf {block}(k,n)\). Given an adversary \(\mathcal {A}\), its multi-key advantage with respect to \(\ell \) keys is

$$\begin{aligned} \mathbf {Adv}_{E}^{\mathsf {mk}}(\mathcal {A}) = \left|\Pr \left( \mathcal {A}^{E^\varPi _{K_1}, E^\varPi _{K_2}, \ldots , E^\varPi _{K_\ell },\varPi }\rightarrow 1\right) - \Pr \left( \mathcal {A}^{p_1,p_2,\ldots ,p_\ell ,\varPi }\rightarrow 1\right) \right|, \end{aligned}$$
(2)

where the keys \(K_1, \ldots , K_\ell \) are independently and uniformly drawn from \(\{0,1\}^k\), and \(p_1,\ldots ,p_\ell \) are independently and uniformly drawn from \(\mathsf {perm}(n)\). The adversary \(\mathcal {A}\) has access to both forward and inverse oracles.

In the case of the Even-Mansour block cipher, the primitive \(\varPi \) is a permutation, whereas for an ideal block cipher, the primitive \(\varPi \) is the block cipher itself.

Note that our definition is similar to the “3PRP” notion in the security analysis of Chaskey [49], however we consider \(\ell \) independent keys instead of three keys that are related to each other. Our definition also closely follows the “Joint Distinguishing Advantage” of Andreeva et al. [4, Definition 2], except that the total maximum multiplicity \(\mu \) is not a parameter in our security definition.

Fig. 2.
figure 2

An Even-Mansour block cipher \(E_K(P)=\pi (P\oplus K)\oplus K\) in the multi-key setting. Although only one direction is shown, inverse oracles can be accessed as well. The number of queries by the adversary \(\mathcal {A}\) to any of the first \(\ell \) oracles is denoted by D, the number of queries to the last oracle by T.

Full size image

Theorem 1

(Even-Mansour Multi-key Security). Let \(\mathrm {EM}\) be the Even-Mansour block cipher \(E_K(P)=\pi (P \oplus K) \oplus K\), then for all \(\mathcal {A}\) making at most D queries to \(E_{K_1},\ldots , E_{K_\ell }\) (resp. \(p_1,\ldots , p_\ell \)) or their inverses and at most T queries to \(\pi \) or \(\pi ^{-1}\),

$$\begin{aligned} \mathbf {Adv}_{\mathrm {EM}}^{\mathsf {mk}}(\mathcal {A}) \le \dfrac{D^2+2DT}{2^n}. \end{aligned}$$
(3)

Our proof is similar to the security proof of the MAC function Chaskey [49], except that we now consider that \(\ell \) keys are drawn independently and uniformly at random. The proof uses Patarin’s H-coefficient technique [53]. For a detailed explanation of this technique, we refer to Chen and Steinberger [21]. The proof can be seen as a generalization of the security analysis of the Even-Mansour block cipher [29, 30].

Proof

As shown in Fig. 2, we consider an adversary \(\mathcal {A}\) that has bidirectional access to \(\ell +1\) oracles \((\mathcal {O}_1,\ldots ,\mathcal {O}_{\ell +1})\). In the real world, these are \((E_{K_1},\ldots ,E_{K_\ell },\pi )\) (where \(E_K(P)=\pi (P \oplus K) \oplus K\)) with \(K_i{\xleftarrow {{\scriptscriptstyle \$}}}\{0,1\}^{n}\) for \(i=1,\ldots ,\ell \), \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), and in the ideal world these are \((p_1,\ldots ,p_{\ell },\pi )\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)^{\ell +1}\). Without loss of generality we assume that \(\mathcal {A}\) is deterministic. It makes \(D_i\) queries to oracle \(\mathcal {O}_i\) for \(i=1,\ldots ,\ell \), and T queries to \(\mathcal {O}_{\ell +1}\). Let \(D=\sum _{i=1}^{\ell }D_i\). To be overly generous to the adversary \(\mathcal {A}\), after it has made all of its \(D+T\) queries, but before it outputs its decision, we will reveal the keys \(K_1,\ldots ,K_{\ell }\) (in the real world) or randomly generated dummy keys \(K_1,\ldots ,K_{\ell }\) (in the ideal world).

The interaction of \(\mathcal {A}\) with the oracles can be summarized by a transcript \(\tau =(K_1,\ldots ,K_{\ell },\tau _1,\ldots ,\tau _{\ell +1})\). Here, the directionless list of queries to \(\mathcal {O}_j\) for \(i=1,\ldots ,\ell \) is denoted by \(\tau _i=\{(P_i^{(1)},C_i^{(1)}),\ldots ,(P_i^{(D_i)},C_i^{(D_i)})\}\), and to \(\mathcal {O}_{\ell +1}\) by \(\tau _{\ell +1}=\{(x^{(1)},y^{(1)}),\ldots ,(x^{(T)},y^{(T)})\}\). We assume the adversary never makes duplicate queries, so that \(P_i^{(j)}\ne P_i^{(j')}\), \(C_i^{(j)}\ne C_{i}^{(j')}\), \(x^{(j)}\ne x^{(j')}\), and \(y^{(j)}\ne y^{(j')}\) for all \(i,j,j'\) where \(j \ne j'\).

Given the fixed deterministic adversary \(\mathcal {A}\), we denote the probability distribution of transcripts in the real world by X, and in the ideal world by Y. We say that a transcript \(\tau \) is attainable if it can be obtained from interacting with \((p_1,\ldots ,p_{\ell },\pi )\), hence if \(\Pr \left( Y=\tau \right) >0\). According to the H-coefficient technique, we have (see [21] for a proof):

Lemma 1

(H-coefficient Technique). Let us consider a fixed deterministic adversary \(\mathcal {A}\), and let \(\mathcal {T}=\mathcal {T}_\mathrm {good}\cup \mathcal {T}_\mathrm {bad}\) be a partition of the set of attainable transcripts. Let \(\varepsilon \) be such that for all \(\tau \in \mathcal {T}_\mathrm {good}\)

$$\begin{aligned} \frac{\Pr \left( X=\tau \right) }{\Pr \left( Y=\tau \right) } \ge 1-\varepsilon . \end{aligned}$$
(4)

Then, \(\mathbf {Adv}_{\mathrm {EM}}^{\mathsf {mk}}(\mathcal {A})\le \varepsilon + \Pr \left( Y\in \mathcal {T}_\mathrm {bad}\right) \).

We say that a transcript \(\tau \) is bad if two different queries would result in the same input or output to \(\pi \), were \(\mathcal {A}\) interacting with the real world. Put formally, \(\tau \) is bad if one of the following conditions is set:

$$\begin{aligned}&\exists i,i',j,j':\, i\ne i': \,\, P_{i}^{(j)}\oplus P_{i'}^{(j')} {\,\,}={\,\,} K_{i} \oplus K_{i'} \,\,\vee \; C_{i}^{(j)}{\,\,}\oplus {\,\,} C_{i'}^{(j')} =\; K_{i} \oplus K_{i'}, \end{aligned}$$
(5)
$$\begin{aligned}&\exists i,j,j': {\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,} P_{i}^{(j)} \oplus x^{(j')} {\,\,}={\,\,} K_{i} {\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,}\vee \; C_{i}^{(j)}{\,\,}\oplus {\,\,} x^{(j')} =\; K_{i}. \end{aligned}$$
(6)

A transcript that is not a bad transcript, is referred to as a good transcript.

Upper Bounding We want to upper bound the event that a transcript \(\tau \) in the ideal world satisfies (5)–(6). Note that \(K_i\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) for \(i=1,\ldots ,\ell \) are dummy keys generated independently of \(\tau _1,\ldots ,\tau _{\ell }\). Therefore, there are at most \(2D_{i}D_{i'}\) possible keys that satisfy (5) for any fixed \(i\ne i'\). Analogously, there are at most \(2D_{i}T\) possible keys that satisfy (6) for any fixed i. Therefore,

$$\begin{aligned} \Pr \left( Y\in \mathcal {T}_\mathrm {bad}\right)&\le \frac{\sum _i\sum _{i'<i}2D_{i}D_{i'} + \sum _{i}2D_{i}T}{2^n},\end{aligned}$$
(7)
$$\begin{aligned}&\le \frac{D^2+2DT}{2^n}. \end{aligned}$$
(8)

Lower Bounding Ratio \({\varvec{\Pr \left( X=\tau \right) {\,} /{\,} \Pr \left( Y=\tau \right) \!.}}\) Let us consider a good and attainable transcript \(\tau \in \mathcal {T}_\mathrm {good}\). Then denote by \(\varOmega _X=2^{n\ell }\cdot 2^n!\) the set of all possible oracles in the real world and by \(\mathsf {comp}_X(\tau )\subseteq \varOmega _X\) the set of oracles in \(\varOmega _X\) compatible with transcript \(\tau \). Define \(\varOmega _Y=2^{n\ell }\cdot (2^n!)^{\ell +1}\) and \(\mathsf {comp}_Y(\tau )\) similarly. According to the H-coefficient technique:

$$\begin{aligned} \Pr \left( X=\tau \right) = \frac{|\mathsf {comp}_X(\tau )|}{|\varOmega _X|}, \qquad \text { and }\qquad \Pr \left( Y=\tau \right) = \frac{|\mathsf {comp}_Y(\tau )|}{|\varOmega _Y|}. \end{aligned}$$
(9)

First, we calculate \(|\mathsf {comp}_X(\tau )|\). As \(\tau \in \mathcal {T}_\mathrm {good}\), there are no two queries in \(\tau \) with the same input to or output of the underlying permutation. Any query tuple in \(\tau \) therefore fixes exactly one input-output pair of the underlying oracle. Because \(\tau \) consists of \(D+T\) query tuples, the number of possible oracles in the real world equals \((2^n-D-T)!\). By a similar reasoning, the number of possible oracles in the ideal world equals \(\prod _{i=1}^{\ell }(2^n-D_i)!\cdot (2^n-T)!\). Therefore,

$$\begin{aligned} \Pr \left( X=\tau \right)&= \frac{(2^n-D-T)!}{2^{n\ell }\cdot 2^n!},\end{aligned}$$
(10)
$$\begin{aligned} \Pr \left( Y=\tau \right)&= \frac{\prod _{i=1}^{\ell }(2^n-D_i)!\cdot (2^n-T)!}{2^{n\ell }\cdot (2^n!)^{\ell +1}} \le \frac{(2^n-D-T)!\cdot (2^n!)^{\ell }}{2^{n\ell }\cdot (2^n!)^{\ell +1}}. \end{aligned}$$
(11)

It then follows that \(\Pr \left( X=\tau \right) / \Pr \left( Y=\tau \right) \ge 1\).    \(\square \)

Fig. 3.
figure 3

An ideal block cipher \(E_K\) in the multi-key setting. Although only one direction is shown, all oracles are assumed to be bidirectional.

Full size image

Theorem 2

(Ideal Block Cipher Multi-key Security). Let the ideal block cipher \(\mathrm {IBC}\) be uniformly distributed random variable over \(\mathsf {block}(k,n)\), then for all \(\mathcal {A}\) making at most D queries to \(E_{K_1},\ldots , E_{K_\ell }\) (resp. \(p_1,\ldots , p_\ell \)) or their inverses and at most T queries to \(E_K\) or its inverse under adversary-chosen keys,

$$\begin{aligned} \mathbf {Adv}_{\mathrm {IBC}}^{\mathsf {mk}}(\mathcal {A}) \le \dfrac{\ell ^2+2\ell T}{2^{k+1}}. \end{aligned}$$
(12)

Proof

We consider the adversary \(\mathcal {A}\) shown in Fig. 3. Define \(\mathbf {E}\) to be the event where either

  1. 1.

    there exists \(i\ne j\) such that \(K_i = K_j\) or

  2. 2.

    there exists a query E(KX) or \(E^{-1}(K,X)\) such that \(K = K_i\) for some i.

Given that \(\mathbf {E}\) does not happen, \(E_{K_1},\ldots , E_{K_\ell }\) are drawn independently and uniformly at random from \(\mathsf {perm}(n)\), and all queries made to E are independent of \(E_{K_1}, \ldots , E_{K_\ell }\). Therefore \((E_{K_1},\ldots , E_{K_\ell }, E)\) and \((p_1, \ldots , p_\ell , E)\) are indistinguishable given the negation of \(\mathbf {E}\), and by the fundamental lemma of game playing,

$$\begin{aligned} \mathbf {Adv}_{\mathrm {IBC}}^{\mathsf {mk}}(\mathcal {A})\le \Pr \left( \mathbf {E}\right) \!. \end{aligned}$$
(13)

The probability that there exists an adversary query E(KX) or \(E^{-1}(K,X)\) such that \(K = K_i\) is at most \(\frac{T\ell }{2^k}\). The probability that two keys collide is bounded above by \(\frac{\ell ^2}{2^{k+1}}\), hence

$$\begin{aligned} \Pr \left( \mathbf {E}\right) \le \frac{\ell ^2 + 2\ell T}{2^{k+1}}. \end{aligned}$$
(14)

   \(\square \)

By our definition, there must be at least one query for every key. Therefore \(D\ge \ell \), so that the following corollary can be derived from Theorem 2:

Corollary 1

(Corollary of Theorem 2 ).

$$\begin{aligned} \mathbf {Adv}_{\mathrm {IBC}}^{\mathsf {mk}}(\mathcal {A}) \le \dfrac{D^2+2DT}{2^{k+1}}. \end{aligned}$$
(15)

Observe that when the amount of plaintext per key is small, this bound is close to that of Theorem 2.

3.1 Tightness of the Security Bounds

Several attacks have been published that match the security bound of the Even-Mansour block cipher in the single-key setting. The first attacks were published by Daemen [22]: a known-plaintext attack for \(D=2\) and a chosen-plaintext attack for any value of D. Biruykov and Wagner [18] presented a known-plaintext attack for \(D\ge 2^{n/2}\). A known-plaintext attack for any value of D was given by Dunkelman et al. [26].

The single-key setting is a special case of the multi-key setting where \(\ell =1\). We proved in Sect. 3 (see Theorem 1) that the security bound of Even-Mansour in multi-key setting is a straightforward extension of the single-key setting. Therefore, the bound that we derived for Even-Mansour in the multi-key setting is also tight.

An attack matching our Even-Mansour security bound in the multi-key setting was recently given by Fouque et al. [31] for \(\ell =2^{n/3}\), \(D_i=2^{n/3}\) for \(i=1,\ldots ,\ell \) and \(T=2^{n/3}\).

In the case of an ideal block cipher in the multi-key setting with \(D=\ell \), the key collision and time-memory trade-off attacks of Biham [12, 13] show that the security bound of Corollary 1 is also tight. For a discussion of these attacks and their subsequent improvements, we refer to Sect. 2.3. Evidently, these attacks are also applicable to the Even-Mansour block cipher in the multi-key setting.

4 Discussion

As we proved in Sect. 3, the Even-Mansour block cipher has similar security in the multi-key setting as an ideal block cipher with the same block and key size, assuming \(D \approx \ell \). In Sect. 2.2, we pointed out the relevance of this multi-key setting in practice.

The Even-Mansour block cipher is interesting from a design point of view because of its simplicity. As Dunkelman et al. [26] argued, it also achieves minimalism, in the sense that removing any component (one of the two key additions or the permutation) results in an insecure construction. But the Even-Mansour construction also has many implementation advantages.

From an efficiency point of view, the Even-Mansour block cipher avoids that round keys need to be precalculated and stored in memory, or that they need to be calculated on-the-fly. Avoiding precalculation of the key schedule results in a higher key agility, because of the lower cost to rekey. If round keys do not need to be calculated on-the-fly, the efficiency of every block cipher call increases. For software implementations, avoiding a key schedule reduces register pressure and decreases RAM requirements. The amount of RAM is very critical on certain microcontrollers, as shown for example in [39].

From a security point of view, the Even-Mansour block cipher avoids the need to store round keys securely. Note that in the case of AES-128, recovery of any round key leads to recovery of the encryption key. In the case of AES with 192-bit or 256-bit keys, any two consecutive round keys can be used to recover the encryption key.

Secure key storage is not only a problem for smart cards and RFID tags, but is also difficult to ensure on general purpose CPUs. The virtual memory system may move cryptographic keys into swap storage, which necessitates error-prone techniques to avoid swapping, or to use swap encryption [57].

But even in the presence of these countermeasures, cold boot attacks [35] may be used to exploit the fact that DRAM retains a large part of its memory for several seconds after removing power. Cooling techniques may be used to increase this time to several hours or even days.

If the round keys that are recovered by a cold boot attack contain errors (due to memory bit decay), it may still be possible to recover the encryption key. For AES, Halderman et al. [35] describe a simple algorithm to recover the encryption key in this case. Improved attacks were later given by Albrecht et al. [2] using integer programming, and by Tsow [58], and Kamal and Youssef [41] using a SAT solver.

The Even-Mansour block cipher avoids all attacks that recover the encryption key from multiple noisy round keys, as it avoids the calculation of round keys altogether. The leakage of encryption keys or round keys cannot be avoided without additional security measures, for example by ensuring they are only stored in the processor registers and not in RAM [50, 51]. However, this problem becomes much more manageable for the Even-Mansour construction, as only one n-bit key needs to be protected, instead of multiple round keys.

5 Conclusion and Future Work

Rekeying occurs frequently in real-world implementations, meaning that a plaintext may be encrypted under different keys. This setting is used, for example, in the attacks by AlFardan et al. [3] on TLS, and by Paterson et al. [54] on WPA-TKIP.

This setting is often referred to as the broadcast setting or the multi-user setting. In this paper, we introduced the multi-key setting to generalize the aforementioned settings. In the multi-key setting, the adversary can perform chosen-plaintext and chosen-ciphertext attacks under a set of unknown keys.

In the multi-key setting, we proved that the Even-Mansour block cipher is secure up to \((D^2+2DT)/2^n\) queries. We proved a similar bound for an ideal block cipher with \(k=n\), and showed that both bounds are tight. We used our proofs to argue in favor of the Even-Mansour construction: not only because of the simplicity of its design, but also because the lack of a key schedule makes it easier to generate fast and secure implementations.

Modes of operation for encryption and/or authentication may be designed more efficiently, if it is known that the underlying block cipher follows the Even-Mansour construction. It also seems that an Even-Mansour block cipher may still be secure if the underlying permutation is far from ideal, an idea that was pioneered by the design of the Chaskey MAC function [49]. We leave the further exploration of these research questions to future work.