Minimalism in Cryptography - On the security of the Even-Mansour cryptosystem and its iterates

Nathan Keller


The Even-Mansour (EM) cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. In the last three years, EM and its variants has attracted much attention in the cryptographic community - from theoreticians, cryptanalysts and hardware specialists, leading to more than 10 papers in the main crypto conferences. In particular:

a. The exact security of EM was determined, after being open for 20 years.

b. Several newly proposed lightweight block ciphers were based on an iterated EM structure, with r publicly known permutations and r+1 whitening keys (either independent or generated from a single key).

c. New upper and lower bounds on the security of iterated EM schemes were obtained.

In this talk we will survey recently obtained upper bounds on the security of EM and iterated EM, with applications to the security of EM-based lightweight block ciphers, such as LED and Zorro. The talk will be mostly self-contained and intended to a wide crypto/security audience.

Based on joint works with Itai Dinur, Orr Dunkelman, and Adi Shamir.

Time and Place

Wednesday, October 2, 4:15pm
Gates 463A