Post-Quantum Security of the Even-Mansour Cipher

ADVANCES IN CRYPTOLOGY - EUROCRYPT 2022, PT III (2022)

Abstract
The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation E from a public random permutation $P : \{0,1\}^n \to \{0,1\}^n$. It is secure against classical attacks, with optimal attacks requiring $q_E$ queries to E and $q_P$ queries to P such that $q_E \cdot q_P \approx 2^n$. If the attacker is given quantum access to both E and P, however, the cipher is completely insecure, with attacks using $q_E, q_P = O(n)$ queries known. In any plausible real-world setting, however, a quantum attacker would have only classical access to the keyed permutation E implemented by honest parties, while retaining quantum access to P. Attacks in this setting with $q_E \cdot q_P^2 \approx 2^n$ are known, showing that security degrades as compared to the purely classical case, but leaving open the question as to whether the Even-Mansour cipher can still be proven secure in that natural, "post-quantum" setting. We resolve this question, showing that any attack in that setting requires $q_E \cdot q_P^2 + q_P \cdot q_E^2 \approx 2^n$. Our results apply to both the two-key and single-key variants of Even-Mansour. Along the way, we establish several generalizations of results from prior work on quantum-query lower bounds that may be of independent interest.
Keywords
security,post-quantum,even-mansour