Key-Recovery Security Of Single-Key Even-Mansour Ciphers

In this paper, we explore the security of single-key Even-Mansour ciphers against key-recovery attacks. First, we introduce a simple key-recovery attack using key relations on an n-bit r -round single-key EvenMansour cipher ( r -SEM). This attack is feasible with queries of DTr = O (2(r n)) and 2(2r/r+1)n memory accesses, which is 2(1/r+1n) times smaller than the previous generic attacks on r-SEM, where D and T are the number of queries to the encryption function E-K and the internal permutation P, respectively. Next, we further reduce the time complexity of the key recovery attack on 2-SEM by a start-in-the-middle approach. This is the first attack that is more efficient than an exhaustive key search while keeping the query bound of DT2 = O(2(2n)). Finally, we leverage the start-in-the-middle approach to directly improve the previous attacks on 2-SEM by Dinur et al., which exploit t-way collisions of the underlying function. Our improved attacks do not keep the bound of DT2 = O(2(2n)), but are the most time-efficient attacks among the existing ones. For n = 64; 128 and 256, our attack is feasible with the time complexity of about 2(n) . 1/2n in the chosen-plaintext model, while Dinur et al.'s attack requires 2(n) . log(n)/n in the known-plaintext model.