## Theoretical Aspects of Cryptography and Their Applications for Data Protection in Emerging 5G Systems

View this Special IssueResearch Article | Open Access

# Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

**Academic Editor:**Andrea Visconti

#### Abstract

The Even–Mansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simple structure and strict provable security. Its research has been a hot topic in cryptography. This paper focuses on the problem to minimize the key material of the Even–Mansour cipher while its security bound remains essentially the same. We introduce four structures of the Even–Mansour cipher with a short key and derive their security by Patarin’s H-coefficients technique. These four structures are proven secure up to adversarial queries, where *k* is the bit length of the key material and *μ* is the maximal multiplicity. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about -bit adversarial queries, where *b* is the size of the permutation and *c* is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the *t*-round iterated Even–Mansour cipher with short keys.

#### 1. Introduction

In recent years, more and more attention has been paid to lightweight cryptography as smart home, Internet of things (IoT), smart transportation, and 5G/B5G networks are proposed. These new technologies brought convenience to our lives but have introduced a powerful security threat, such as the leakage of the private data in our smart phone. Lightweight cryptography is an effective countermeasure against the security threats in order to achieve the privacy and integrity protections of the sensitive data. Lightweight cryptography is mainly used in resource-constrained devices. The block cipher has become a very vital lightweight symmetric-key cryptography, due to its fast speed, easy implementation, and easy standardization on these devices. It is often used to implement sensitive data encryption, digital signature, message authentication, and key encapsulation schemes in the field of information security and network communication security.

The *t*-round iterated Even–Mansour cipher is simply described as a pure permutation-based block cipher:where is a sequence of *n*-bit round keys which are usually derived from some master key and is a sequence of *t* public random permutations. This iterated Even–Mansour cipher, also known as key-alternating ciphers, is of great significance in the design of block ciphers and is also favored in the design of lightweight cryptography. The security of the iterated Even–Mansour ciphers is based on the random permutation model (RPM). In RPM, all permutations are modeled as public random permutation oracles, in other words, anyone can query these permutations and obtain the corresponding responses. The related research includes [1–9].

This paper focuses on the case . Even and Mansour [10] did pioneering work in 1997 and proved that it is birthday-bound secure. That is where the name “Even–Mansour cipher” comes from. The Even–Mansour cipher has some very nice properties, such as simplest structure and strict provable security. Although the research of the Even–Mansour cipher went unnoticed for years, Gold will always shine. Fortunately, it has been a very hot topic in cryptography. In 2012, Dunkelman et al. [11] pointed out that the Even–Mansour cipher is minimal, i.e., any component (either one of the keys or the permutation) is removed; the Even–Mansour cipher becomes trivially breakable. In 2015, Cogliati et al. [12] introduced the tweakable Even–Mansour (TEM) cipher combined by the Even–Mansour cipher and a tweak, and proved its security. Meanwhile, Mouha and Luykx [13] revisited the Even–Mansour cipher and analyzed the multikey security. do Nascimento and Xexeo [14] applied the Even–Mansour cipher to the Internet of Things (IoT) environments and presented a flexible lightweight authenticated encryption mode in 2017. It follows that Cho et al. [15] presented a new family of white-box block ciphers based on the Even–Mansour cipher WEM which achieves balances between performance and security. Farshim et al. [16] analyzed the security of the Even–Mansour cipher under key-dependent messages. In 2018, we described a generalized tweakable Even–Mansour cipher and applied it to authentication and authenticated encryption modes [17].

In the lightweight devices, the storage resources are limited. Therefore, a vital issue is the minimalism and agility of the key material in the design of lightweight ciphers. In this paper, we revisit the Even–Mansour cipher and consider as problem whether we can use the least key material to achieve the same security bound. The Even–Mansour cipher is proven security up to approximately adversarial queries, where *k* is the bit-length of the key material. Can we decrease the key material and achieve the same security bound (this bound must be beyond-birthday-bound)?

We answer positively to the question in this paper. We introduce four structures of the Even–Mansour cipher with a short key and present the provable security results. More concretely, we derive their security up to adversarial queries using Patarin’s H-coefficients technique, where *k* is the bit-length of the reducing key material and *μ* is the maximal multiplicity. The Even–Mansour cipher with a short key has many good advantages, such as calculating on-the-fly, avoiding the key schedule, and minimizing the key material. Therefore, it can be widely applied to resource-constrained lightweight devices. Then, we apply its four structures to lightweight authenticated encryption (AE) modes and prove their security up to about -bit adversarial queries, where is the size of the permutation and *c* (resp. *r*) is the capacity (resp. rate) of the permutation. Finally, we leave it as an open problem to settle the security of the *t*-round iterated Even–Mansour cipher with short keys.

The rest of this paper is organized as follows. In Section 2, we introduce some preliminaries. In Section 3, we prove the security of the Even–Mansour cipher with a short key. Section 4 describes lightweight AE modes based on four structures of the Even–Mansour cipher with a short key. Section 5 ends up with this paper.

#### 2. Preliminaries

Let be the set of binary strings of length *b* and . For two strings *X* and *Y*, let or be the concatenation of *X* and *Y*. Given a string *X*, we utilize to denote the length in bits of *X*. Given a nonempty set *X*, let denote an element *x* drawing from *X* uniformly at random and be the cardinality of *X*. Let stand for the set of permutations on . Let be an event that an adversary outputs 1 after interacting with the oracle *O*. Here, never makes a query for which the response is obviously known. Let be the probability that the event occurs.

##### 2.1. Multiplicity

Let be a set of *N* evaluations of a permutation *P*, where , . We introduce the total maximal multiplicity as inspired by [18], where

##### 2.2. H-Coefficients Technique

H-coefficients technique introduced by Patarin [19] is a very important analytical method in the symmetric-key cryptography. We briefly summarize this technique as follows. Consider an information-theoretic adversary , whose goal is to distinguish a real world *X* and an ideal world *Y* and denote the distinguishing advantage of as

Without loss of generality, we can assume that is a deterministic adversary. The interaction with any of the two worlds *X* or *Y* is summarized in a transcript *τ*. Denote by the probability distribution of transcripts when interacting with *X*, and similarly, the distribution of transcripts when interacting with *Y*. A transcript *τ* is attainable if , meaning that it can occur during interaction with *Y*. Let be the set of attainable transcripts. We denote as a set of good transcripts when interacting with *X* (*Y*). Let be a set of bad transcripts such that the probability to obtain any is small in the ideal world .

Lemma 1 (H-coefficients lemma [19]). *Fix a deterministic adversary . Let be a partition of the set of attainable transcripts. Assume that there exists such that for any , one hasand that there exists such that*

Then, the advantage of the adversary is

#### 3. The Even–Mansour Cipher with a Short Key

Fix a public permutation and integers , such that and . Let . The Even–Mansour cipher with a short key, called for short, is described in Figure 1. takes a uniform random key and a plaintext as inputs and outputs the ciphertext . Let and . The four structures of EM are, respectively, shown as follows:

**(a)**

**(b)**

**(c)**

**(d)**

We consider the security of the Even–Mansour cipher with a short key and obtain the following theorem.

Theorem 1. *For with and , we have*

The proof of Theorem 1 utilizes the H-coefficients technique. We consider an adversary which can interact with in the real world or in the ideal world, where are uniform random and independent permutations and *K* is a (dummy) key. We assume that the adversary makes at most construction queries and at most primitive queries. The transcripts can be expressed as this form , where and . We start by defining bad transcripts.

*Definition 1. *We define an attainable transcript as bad if one of the two following conditions is fulfilled. : and , such that : and , such thatOtherwise we say that *τ* is good. We denote , resp. the set of good, resp. bad transcripts, and .

In the real world *X*, a bad transcript implies that two invocations to *P* exist with the same input: one directly from querying the primitive oracle *P* and another one indirectly from querying the construction oracle , while all tuples in uniquely determine an input-output pair of *P* for a good transcript. In the ideal world *Y*, the abovementioned result is clearly established for a bad transcript, while it is not for a good transcript.

We first upper bound the probability of bad transcripts in the ideal world *Y* by the following lemma.

Lemma 2.

*Proof. *In the ideal world *Y*, is an attainable transcript with a dummy uniform random key .

Here, we assume that an adversary makes at most construction queries and at most primitive queries. For each and each , we obtain at most (resp. ) tuples such that for structures (a) and (b) or for structures (c) and (d) (resp. for structures (a) and (d) or for structures (b) and (c)) from the property of multiplicity.

It follows that and . Hence, the probability of bad transcripts in the ideal world *Y* is at most , where .

We then analyze good transcripts and lower bound the ratio .

Lemma 3. *For any good transcript τ, one has*

*Proof. *Consider a good transcript . Let be a nonempty set of all possible oracles in the real world *X* and be a nonempty set of all possible oracles in the ideal world *Y*. Therefore, the cardinalities of sets and are, respectively, and . Let and be the two sets of oracles compatible with transcript *τ*. The probabilities appearing in Lemma 1 can be evaluated as follows:First, we calculate . As consists of query tuples and any query tuple in *τ* fixes exactly one input-output pair of the underlying permutation oracle, the number of possible oracles in the real world *X* equals .

Second, we calculate . The number of possible oracles in the ideal world *Y* equals , as *P* and *Q* are uniform random and independent permutations.

It follows thatTherefore, we have .

Combining Lemmas 1–3, we can obtain the result of Theorem 1.

#### 4. Application to Lightweight Authenticated Encryption

With the rises of the smart home, IoT, and 5G/B5G networks, lightweight authenticated encryption (AE) modes are attracting more and more attentions [20–22]. A lightweight AE mode is a lightweight symmetric-key cipher which supports the services of privacy and authenticity of the sensitive data in the devices.

The Even–Mansour cipher with a short key can be directly applied to a lightweight AE mode, which is shown in Figure 2. It consists of an encryption algorithm *E* and a decryption algorithm *D*. The encryption algorithm *E* takes a plaintext *M* and a key *K* as inputs and returns a ciphertext *C* and an authentication tag *T*, i.e., . The decryption algorithm *D* takes a key *K*, a ciphertext *C*, and an authentication tag *T* as inputs and returns a plaintext *M* or a reject symbol , i.e., . If the last *c*-bit of the EM decryption is 0, then the decryption algorithm *D* returns *M*. Otherwise, the decryption algorithm *D* returns .

**(a)**

**(b)**

**(c)**

**(d)**

Let stand for our lightweight AE modes. We introduce the AE-security model as follows.

*Definition 2. *(AE security). Let P be a public random permutation. Let be a *P*-based AE scheme. Let be an adversary which interacts with in the real world or in the ideal world. Let . Then, the AE-security of is defined as follows:where *q* is the number of queries to the encryption oracle *E* or the decryption oracle *D*, *p* is the number of queries to the random permutation *P* or its inverse , is a random function which always returns a fresh and random response for each query, and is a symbol which stands for the failure of the decryption oracles.

Theorem 2. *Let and . Then,*

Proof Sketch. Let be an adversary with access to the encryption oracle *E*, the decryption oracle *D*, and the random permutation *P* or its inverse . can be represented as an EM scheme. We replace the EM modular structure to the random permutation *Q*. According to Theorem 1, we have

It follows thatwhere obtained by the PRP-PRF Switch Lemma [23] and is from the fact that the successful probability of the adversary is for each forgery attempt.

Combining equations (19) and (20), it is easy to draw the result of Theorem 2.

According to Theorem 2, we can find that these lightweight AE modes ensure about -bit AE-security.

#### 5. Conclusions

The key material is crucial for the secure implementation of cryptographic schemes. Most of devices widely used in smart home, smart transportation, and Internet of Things (IoT) environments are resource constrained. Therefore, in the design of lightweight ciphers, a vital issue is the minimalism and agility of the key material.

In this paper, we revisit the Even–Mansour cipher and discuss this problem whether we can use the least key material to achieve the same (even beyond conventional) security bound in the Even–Mansour cipher. We introduce four structures of the Even–Mansour cipher with a short key and derive security up to adversarial queries, where *k* is the bits of the key material and *μ* is the maximal multiplicity, using Patarin’s H-coefficients technique. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about -bit adversarial queries, where is the size of the permutation and *c* is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the *t*-round iterated Even–Mansour cipher with short keys. The Even–Mansour cipher with a short key is proven -bit security. It is natural to consider whether our result can be generalized to the *t*-round iterated Even–Mansour cipher. But the situation of the *t*-round iterated Even–Mansour cipher with short keys is more complicated. Therefore, it is regarded as an open problem to attract scholars to discuss and analyze it in detail. The Even–Mansour cipher with a short key has many good advantages, such as calculating on-the-fly, avoiding the key schedule, and minimizing the area of the hardware implementation and the key material. Therefore, it can be widely applied to the data security of smart home, Internet of Things, and some lightweight devices.

#### Data Availability

The data used to support the findings of the study are available within the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by the Research Fund of International Young Scientists (Grant no. 61902195), Natural Science Fund for Colleges and Universities in Jiangsu Province (General Program, Grant no. 19KJB520045), and NUPTSF (Grant no. NY219131).

#### References

- E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, and J. P. Steinberger, “On the indifferentiability of key-alternating ciphers,” in
*Advances in Cryptology–CRYPTO 2013, Lecture Notes in Computer Science*, R. Canetti and J. A. Garay, Eds., vol. 8042, pp. 531–550, Springer, Berlin, Germany, 2013. View at: Publisher Site | Google Scholar - A. Bogdanov, L. R. Knudsen, G. Leander, FX. Standaert, J. Steinberger, and E. Tischhauser, “Key-alternating ciphers in a provable setting: encryption using a small number of public permutations,” in
*Advances in Cryptology–EUROCRYPT 2012, Lecture Notes in Computer Science*, D. Pointcheval and T. Johansson, Eds., vol. 7237, pp. 45–62, Springer, Berlin, Germany, 2012. View at: Publisher Site | Google Scholar - S. Chen, R. Lampe, J. Lee, Y. Seurin, and J. Steinberger, “Minimizing the two-round Even-Mansour cipher,”
*Journal of Cryptology*, vol. 31, no. 4, pp. 1064–1119, 2018. View at: Publisher Site | Google Scholar - S. Chen and J. Steinberger, “Tight security bounds for key-alternating ciphers,” in
*Advances in Cryptology–EUROCRYPT 2014, Lecture Notes in Computer Science*, P. Q. Nguyen and E. Oswald, Eds., vol. 8441, pp. 327–350, Springer, Berlin, Germany, 2014. View at: Publisher Site | Google Scholar - B. Cogliati and Y. Seurin, “On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks,” in
*Advances in Cryptology–EUROCRYPT 2015, Lecture Notes in Computer Science*, E. Oswald and M. Fischlin, Eds., vol. 9056, pp. 584–613, Springer, Berlin, Germany, 2015. View at: Publisher Site | Google Scholar - P. Farshim and G. Procter, “The related-key security of iterated Even-Mansour ciphers,” in
*Fast Software Encryption–FSE 2015, Lecture Notes in Computer Science*, G. Leander, Ed., vol. 9054, pp. 342–363, Springer, Berlin, Germany, 2015. View at: Publisher Site | Google Scholar - A. Hosoyamada and K. Aoki, “On quantum related-key attacks on iterated Even-Mansour ciphers,”
*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E102.A, no. 1, pp. 27–34, 2019. View at: Publisher Site | Google Scholar - T. Isobe and K. Shibutani, “Meet-in-the-middle key recovery attacks on a single-key two-round Even-Mansour cipher,”
*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E102.A, no. 1, pp. 17–26, 2019. View at: Publisher Site | Google Scholar - R. Lampe, J. Patarin, and Y. Seurin, “An asymptotically tight security analysis of the iterated Even-Mansour cipher,” in
*Advances in Cryptology–ASIACRYPT 2012, Lecture Notes in Computer Science*, X. Wang and K. Sako, Eds., vol. 7658, pp. 278–295, Springer, Berlin, Germany, 2012. View at: Publisher Site | Google Scholar - S. Even and Y. Mansour, “A construction of a cipher from a single pseudorandom permutation,”
*Journal of Cryptology*, vol. 10, no. 3, pp. 151–161, 1997. View at: Publisher Site | Google Scholar - O. Dunkelman, N. Keller, and A. Shamir, “Minimalism in cryptography: the Even-Mansour scheme revisited,” in
*Advances in Cryptology–EUROCRYPT 2012, Lecture Notes in Computer Science*, D. Pointcheval and T. Johansson, Eds., vol. 7237, pp. 336–354, Springer, Berlin, Germany, 2012. View at: Publisher Site | Google Scholar - B. Cogliati, R. Lampe, and Y. Seurin, “Tweaking even-mansour ciphers,” in
*Advances in Cryptology–CRYPTO 2015, Lecture Notes in Computer Science*, R. Gennaro and M. Robshaw, Eds., vol. 9215, pp. 189–208, Springer, Berlin, Germany, 2015. View at: Publisher Site | Google Scholar - N. Mouha and A. Luykx, “Multi-key security: the Even-Mansour construction revisited,” in
*Advances in Cryptology–CRYPTO 2015, Lecture Notes in Computer Science*, R. Gennaro and M. Robshaw, Eds., vol. 9215, pp. 209–223, Springer, Berlin, Germany, 2015. View at: Publisher Site | Google Scholar - E. M. do Nascimento and J. A. M. Xexeo, “A flexible authenticated lightweight cipher using Even-Mansour construction,” in
*Proceedings of the IEEE International Conference on Communications–ICC 2017*, pp. 1–6, IEEE, Paris, France, May 2017. View at: Publisher Site | Google Scholar - J. Cho, K. Y. Choi, I. Dinur et al., “WEM: a new family of white-box block ciphers based on the Even-Mansour construction,” in
*Cryptographers’ Track at the RSA Conference–CT-RSA 2017, Lecture Notes in Computer Science*, H. Handschuh, Ed., vol. 10159, pp. 293–308, Springer, Berlin, Germany, 2017. View at: Publisher Site | Google Scholar - P. Farshim, L. Khati, and D. Vergnaud, “Security of Even-Mansour ciphers under key-dependent messages,”
*The IACR Transactions on Symmetric Cryptology*, vol. 2017, no. 2, pp. 84–104, 2017. View at: Google Scholar - P. Zhang and H.-G. Hu, “Generalized tweakable Even-Mansour cipher and its applications,”
*Journal of Computer Science and Technology*, vol. 33, no. 6, pp. 1261–1277, 2018. View at: Publisher Site | Google Scholar - G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, “Sponge-based pseudo-random number generators,” in
*Cryptographic Hardware and Embedded Systems–CHES 2010, Lecture Notes in Computer Science*, S. Mangard and FX. Standaert, Eds., vol. 6225, pp. 33–47, Springer, Berlin, Germany, 2010. View at: Publisher Site | Google Scholar - J. Patarin, “The “coefficients H” technique,” in
*Selected Areas in Cryptography–SAC 2008, Lecture Notes in Computer Science*, R. M. Avanzi, L. Keliher, and F. Sica, Eds., vol. 5381, pp. 328–345, Springer, Berlin, Germany, 2008. View at: Google Scholar - A. Chakraborti, N. Datta, M. Nandi, and K. Yasuda, “Beetle family of lightweight and secure authenticated encryption ciphers,”
*IACR Transactions on Cryptographic Hardware and Embedded Systems*, vol. 2018, no. 2, pp. 218–241, 2018. View at: Google Scholar - G. Hatzivasilis, G. Floros, I. Papaefstathiou, and C. Manifavas, “Lightweight authenticated encryption for embedded on-chip systems,”
*Information Security Journal: A Global Perspective*, vol. 25, no. 4–6, pp. 151–161, 2016. View at: Publisher Site | Google Scholar - Y. Sasaki and K. Yasuda, “Optimizing online permutation-based AE schemes for lightweight applications,”
*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E102.A, no. 1, pp. 35–47, 2019. View at: Publisher Site | Google Scholar - M. Bellare and P. Rogaway, “The security of triple encryption and a framework for code-based game-playing proofs,” in
*Advances in Cryptology–EUROCRYPT 2006, Lecture Notes in Computer Science*, S. Vaudenay, Ed., vol. 4004, pp. 409–426, Springer, Berlin, Germany, 2006. View at: Publisher Site | Google Scholar

#### Copyright

Copyright © 2020 Ping Zhang and Qian Yuan. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.