Slidex Attacks on the Even–Mansour Encryption Scheme

Abstract

The Even–Mansour cryptosystem was developed in 1991 in an attempt to obtain the simplest possible block cipher, using only one publicly known random permutation and two whitening keys. Its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which is based on differential cryptanalysis) required chosen plaintexts. In this paper, we solve this open problem by introducing the new extended slide attack (abbreviated as slidex) which matches the T=Ω(2ⁿ/D) lower bound on the time T for any number of known plaintexts D. By using this tight security result, we show that a simplified single-key variant of the Even–Mansour scheme has exactly the same security as the original two-key scheme. We then show how to apply variants of the slidex attack to several other cryptosystems, including an Even–Mansour variant which adds rather than XORs its whitening keys, DES protected with decorrelation modules, various flavors of DESX, and a reduced-round version of GOST. In addition, we show how to apply the slidex attack in extreme scenarios in which the cryptanalyst is only given some partial information about the plaintexts, or when he can only use a tiny amount of memory.

1 Introduction

The Even–Mansour (EM) block cipher was proposed at ASIACRYPT 1991 [13, 14], and was strongly influenced by the design of the DESX scheme by Ron Rivest in 1984 [27]. It uses a single publicly known random permutation P on n-bit values and two secret n-bit keys K ₁ and K ₂, and defines the encryption of the n-bit plaintext m as E(m)=P(m⊕K ₁)⊕K ₂. The decryption of the n-bit ciphertext c is similarly defined as D(c)=P ⁻¹(c⊕K ₂)⊕K ₁. Its extreme simplicity and suitability for rigorous security analysis had made it a very popular research topic in the last few years, with many papers related to this scheme appearing at CRYPTO, EUROCRYPT, ASIACRYPT, CHES, FSE and the IACR archive [1, 7, 8, 11, 16, 20, 21, 23, 24, 29].

Unfortunately, all the bounds published so far about the security of the EM scheme are not tight in the sense that the lower bound allows known message attacks whereas the best known upper bounds require either chosen plaintexts or an extremely large number of known plaintexts. Our goal in this paper is to obtain the first tight bound, which will not only characterize the exact security of the original EM scheme, but will also make it possible to rigorously prove that a simplified variant of the original EM scheme offers exactly the same security as the original EM scheme.

One of the main tools used in previous attacks was the slide attack [5]. Originally, slide attacks were developed in order to break iterated cryptosystems with an arbitrarily large number of rounds by exploiting their self-similarity under small shifts. The attack searched the given data for a slid pair of encryptions which have identical values along their common part (see Sect. 3.2 for formal definitions). For each candidate pair, the attack uses the two known plaintexts and two known ciphertexts to analyze the two short non-common parts in order to verify the assumption that the two encryptions are indeed a slid pair, and if so to derive some key material. A different variant of this attack, called slide with a twist [6], tries to find a slid pair consisting of one encryption and one decryption, which have identical values along their common parts (i.e., the attack considers both shifts and reversals of the encryption rounds). In both cases, the existence of slid pairs is a random event which is expected to have a sharp threshold: Regardless of whether we use known or chosen messages, we do not expect to find any slid pairs if we are given fewer than 2^n/2 encryptions where n is the size of the internal state.¹ Consequently, we cannot apply the regular or twisted slide attack unless we are given a sufficiently large number of encryptions, even if we are willing to trade off the lower amount of data with higher time and space complexities.

In this paper, we propose the slidex attack, which is a new extended version of the slide attack that can efficiently use any amount of given data, even when it is well below the 2^n/2 threshold for the existence of slid pairs. Its main novelty is that we no longer require equality between the values along the common part, but only the existence of some known relationship between these values. By using this new attack, we can finally close the gap between the upper and lower bounds on the security of the EM scheme.

To demonstrate the usefulness and versatility of the new slidex attack, we apply it to several additional schemes which are unrelated to the EM scheme. In particular, we show how to break 20 rounds of GOST using 2³³ known plaintexts in 2⁷⁷ time, and how to use the complementation property of DES in order to attack it with a slide-type attack even when it is surrounded on both sides by one of Vaudenay’s proposed decorrelation modules.

The paper is organized as follows. In Sect. 2, we introduce the Even–Mansour scheme, describe its formal proof of security, and survey all the previously published attacks on the scheme. In Sect. 3, we describe the known types of slide attacks, and explain why they cannot efficiently exploit a small number of known plaintexts. We then introduce our new Slidex attack, and use it to develop a new upper bound on the security of the Even–Mansour scheme which matches the proven lower bound for any number of known plaintexts. In Sect. 4, we describe the single-key variant of the Even–Mansour scheme, which is strictly simpler but has the same level of provable security. In Sect. 5, we analyze the security of several other variants of the Even–Mansour scheme, demonstrating both the generality and the fragility of its formal proof of security. Another limitation of the proof technique is described in Sect. 6, where we show that no comparable lower bound on the memory complexity of our attacks can exist. Sections 7 and 8 describe several generalizations of the slidex attack and their applications: In Sect. 7, we describe the mirror slidex attack and apply it to variants of GOST and DESX, and in Sect. 8 we describe the addition slidex attack and apply it to attack a variant of DES surrounded by decorrelation modules. We conclude the paper with open questions and directions for future research in Sect. 9.

2 The Even–Mansour Scheme

In this section, we present the Even–Mansour (EM) scheme, review its lower bound proof given in [13], and describe previous attacks on it presented in [9] and [6].

2.1 Definition of the EM Scheme and Its Notation

The Even–Mansour scheme is a block cipher which consists of a single publicly known permutation \(\mathcal{F}\) over n-bit strings, preceded and followed by two independent n-bit whitening keys K ₁ and K ₂:

$$\mathit{EM}^{\mathcal{F}}_{K_1,K_2}(P) = \mathcal{F}(P \oplus K_1) \oplus K_2. $$

It is assumed that the adversary is allowed to perform two types of queries:

• Queries to a full encryption/decryption oracle, called an E-oracle, that computes either \(E(P)=\mathit{EM}^{\mathcal{F}}_{K_{1},K_{2}}(P)\) or \(D(C)=(\mathit{EM}^{\mathcal{F}}_{K_{1},K_{2}})^{-1}(C)\).

• Queries to an \(\mathcal{F}\)-oracle that computes either \(\mathcal{F}(x)\) or \(\mathcal{F}^{-1}(y)\).

The designers of EM considered two types of attacks. In the first type, called existential forgery attack, the adversary tries to find a new pair (P,C) such that E(P)=C. The second type is the more standard security game, where the adversary tries to decrypt a message C, i.e., to find P for which E(P)=C.² The data complexity of an attack on the scheme is determined by the number D of queries to the E-oracle and their type (i.e., known/chosen/adaptively chosen etc.), and the time complexity of the attack is lower bounded by the number T of queries to the \(\mathcal{F}\)-oracle.³ The success probability of an attack is the probability that the single guess it produces (either a pair (P,C) for the first type of attack, or a plaintext P for the second type) is correct.

2.2 The Lower Bound Security Proof

The main rigorously proven result in [13] was an upper bound of O(DT/2ⁿ) on the success probability of any cryptanalytic attack (of either type) on EM that uses at most D queries to the E-oracle and T queries to the \(\mathcal{F}\)-oracle. This result implies that in order to attack EM with a constant probability of success, we must have DT=Ω(2ⁿ). Since this security proof is crucial for some of our results, we briefly describe its main steps.

The proof requires several definitions. Consider a cryptanalytic attack on EM, and assume that at some stage of the attack, the adversary already performed s queries to the E-oracle and t queries to the \(\mathcal{F}\)-oracle, and obtained sets \(\mathcal{D}\) and \(\mathcal{T}\) of E-pairs and \(\mathcal{F}\)-pairs, respectively, i.e.,

$$\mathcal{D}=\bigl\{ (P_i,C_i)\bigr\} _{i=1,\ldots,s} \quad\mbox{and} \quad \mathcal{T}=\bigl\{ (X_j,Y_j) \bigr\} _{j=1,\ldots,t}. $$

We say that the key K ₁ is bad with respect to the sets of queries \(\mathcal{D}\) and \(\mathcal{T}\), if there exist i,j such that P _i ⊕K ₁=X _j . Otherwise, K ₁ is good with respect to \(\mathcal {D}, \mathcal{T}\). Intuitively, a good key is one whose feasibility cannot be deduced from the available data, whereas a bad key is one whose feasibility has to be further analyzed (but not necessarily discarded). Similarly, K ₂ is bad w.r.t. \(\mathcal{D},\mathcal{T}\) if there exist i,j such that Y _j ⊕K ₂=C _i , and K ₂ is good otherwise. The key K=(K ₁,K ₂) is good with respect to \(\mathcal{D},\mathcal{T}\) if both K ₁ and K ₂ are good. It is easy to show that the number of good keys w.r.t. \(\mathcal{D}\) and \(\mathcal{T}\) is at least 2²ⁿ−2st⋅2ⁿ. A pair \((K=(K_{1},K_{2}),\mathcal{F})\) is consistent w.r.t. \(\mathcal {D}\) and \(\mathcal{T}\) if for any pair \((P_{i},C_{i}) \in\mathcal{D}\) we have \(C_{i}=K_{2} \oplus \mathcal{F}(P_{i} \oplus K_{1})\), and for any pair \((X_{j},Y_{j}) \in\mathcal{T}\), we have \(\mathcal{F}(X_{j}) = Y_{j}\).

The proof consists of two main steps.

1. 1.

   The first step shows that all good keys are, in some sense, equally likely to be the correct key. Formally, if the probability over the keys and over the permutations is uniform, then for all \(\mathcal{D},\mathcal{T}\), the probability

   $$\Pr_{K,\mathcal{F}} \bigl[K=k | (K,\mathcal{F}) \mbox{ is consistent with } \mathcal{D},\mathcal{T} \bigr] $$

   is the same for any key k∈{0,1}²ⁿ that is good with respect to \(\mathcal{D},\mathcal{T}\).

   We present the proof of this step, since it will be crucial in the sequel. It follows from Bayes’ formula that it suffices to prove that the probability

   $$ p = \Pr_{K,\mathcal{F}} \bigl[(K,\mathcal{F}) \mbox{ is consistent with } \mathcal{D},\mathcal{T} | K=k \bigr] $$

   (1)

   is the same for all good keys. Given a good key k=(k ₁,k ₂), it is possible to transform the set \(\mathcal{D}\) of E-pairs to an equivalent set \(\mathcal{D}'\) of \(\mathcal{F}\)-pairs by transforming the E-pair (P _i ,C _i ) to the \(\mathcal{F}\)-pair (P _i ⊕k ₁,C _i ⊕k ₂). Since the key k is good, the pairs in \(\mathcal{D}'\) and \(\mathcal{T}\) do not overlap, and hence p is simply the probability of consistency of a random permutation \(\mathcal{F}\) with s+t given distinct input/output pairs. This probability clearly does not depend on k, which proves the assertion.

2. 2.

   The second step shows that the success probability of any attack is bounded by the sum of the probability that in some step of the attack, the right key becomes a bad key, and the probability that the adversary can successfully generate a “new” consistent E-pair (P,C) if the right key is still amongst the good keys. The first probability can be bounded by 4DT/(2ⁿ−2DT), and the second probability can be bounded by 1/(2ⁿ−D−T). Hence, the total success probability of the attack is bounded by O(DT/2ⁿ). We omit the proof of this step since it is not used in the sequel.

We note that obtaining non-trivial information about the key (e.g., that the least significant bit of the K ₁ is zero, or the value of K ₁⊕K ₂), is also covered by this proof. Hence, throughout the paper we treat such leakage of information as a “problem” in the security of the construction (even if the exact keys are not found).

2.3 Previous Attacks on the Even–Mansour Scheme

The first proposed attack on the Even–Mansour scheme was published by Joan Daemen at ASIACRYPT 1991 [9], as an illustration of the author’s doubts on the usefulness of the Even–Mansour approach. Daemen used the framework of differential cryptanalysis [3] to develop a chosen plaintext attack which matched the Even–Mansour lower bound for any amount of given data. The approach is to pick D pairs of chosen plaintexts whose XOR difference is some nonzero constant Δ. This plaintext difference is preserved by the XOR with the prewhitening key K ₁, and similarly, the ciphertext difference is preserved by the XOR with the postwhitening key K ₂. For a known permutation \(\mathcal{F}\), most combinations of input and output differences suggest only a small number of possible input and output values, but it is not easy to find them. To carry out the attack, all we have to do is to sample 2ⁿ/D pairs of inputs to \(\mathcal{F}\) whose difference is Δ, and with constant non-negligible probability we can find an output difference which already exists among the chosen data pairs. This equality suggests actual input and output values to/from \(\mathcal{F}\) for that pair, and thus recovers the two keys. We note that a similar chosen-plaintext attack was suggested in [18] for constructions where \(\mathcal{F}\) is keyed (where DT≥2^n+k−1 for a k-bit keyed \(\mathcal{F}\)).

This attack matches the time/data relationship of the lower bound, but it is not tight since it requires chosen plaintexts, whereas the lower bound allows known plaintexts. This discrepancy was handled ten years later by a new attack called slide with a twist which was developed by Alex Biryukov and David Wagner, and presented at EUROCRYPT 2000 [6]. By taking two Even–Mansour encryptions, sliding one of them and reversing the other, they showed how to attack the scheme with known instead of chosen plaintexts.⁴ However, in order to find at least one slid pair, their attack requires at least Ω(2^n/2) known plaintext/ciphertext pairs, and thus it could not be applied with a reasonable probability of success given any smaller number of known pairs.

These two cryptanalytic attacks were thus complementary: One of them matched the full time/data tradeoff curve but required chosen plaintexts, while the other could use known plaintexts but only if at least Ω(2^n/2) of them were given. In the next section, we present the new slidex technique that closes this gap: it allows using any number of known plaintexts with the same time/data tradeoff as in the lower bound proof, thus providing an optimal attack on the Even–Mansour scheme.

3 The Slidex Attack and a Tight Bound on the Security of the Even–Mansour Scheme

In this section, we present the new slidex attack and use it to obtain a tight bound on the security of the Even–Mansour scheme. We start with a description of the slide with a twist attack on EM [6] which serves as a basis for our attack, and then we present the slidex technique and apply it to EM. For more information on slide attacks, we refer the reader to [4–6].

3.1 The Slide with a Twist Attack

The main idea of the slide with a twist attack on EM is as follows. Assume that two plaintexts P,P ^∗ satisfy

$$P \oplus P^* = K_1. $$

In such a case, we have

$$E(P)=\mathcal{F}(P \oplus K_1) \oplus K_2 = \mathcal{F}\bigl(P^*\bigr) \oplus K_2, $$

and similarly,

$$E\bigl(P^*\bigr)=\mathcal{F}\bigl(P^* \oplus K_1\bigr) \oplus K_2 = \mathcal{F}(P) \oplus K_2 $$

(see Fig. 1(a)). Hence,

$$E(P) \oplus E\bigl(P^*\bigr) = \mathcal{F}(P) \oplus\mathcal{F}\bigl(P^*\bigr), $$

or equivalently,

$$E(P) \oplus\mathcal{F}(P) = E\bigl(P^*\bigr) \oplus\mathcal{F}\bigl(P^*\bigr). $$

Fig. 1.

(a) A twisted-slid pair; (b) A slidex pair.

This relation allows mounting the following attack:

1. 1.

   Query both the E-oracle and the \(\mathcal{F}\)-oracle at the same 2^(n+1)/2 known values⁵ P ₁,P ₂,… . Store in a hash table the pairs \((E(P_{i}) \oplus\mathcal{F}(P_{i}), i)\), sorted by the first coordinate.

2. 2.

   For each collision in the table, i.e., \(E(P_{i}) \oplus\mathcal {F}(P_{i}) = E(P_{j}) \oplus\mathcal{F}(P_{j})\), check the guess K ₁=P _i ⊕P _j and \(K_{2}=E(P_{i}) \oplus\mathcal{F}(P_{j})\).

By the birthday paradox, it is expected that the data set contains a slid pair, i.e., a pair satisfying P _i ⊕P _j =K ₁, with a non-negligible constant probability. For a random pair (P _i ,P _j ), the probability that \(E(P_{i}) \oplus\mathcal{F}(P_{i}) = E(P_{j}) \oplus\mathcal{F}(P_{j})\) is 2⁻ⁿ, and thus, only a few collisions are expected in the table. These collisions include the collision induced by the slid pair, which suggests the correct values of K ₁ and K ₂. The data complexity of the attack is D=2^(n+1)/2 known plaintexts, and the number of queries to \(\mathcal{F}\) it requires is T=2^(n+1)/2. Thus, DT=2ⁿ⁺¹, which matches the lower bound up to a constant factor of 2.

3.2 The New Slidex Attack

The slidex attack is an enhancement of the slide with a twist technique, which makes it possible to use a smaller number of known plaintexts (i.e., queries to the E-oracle), in exchange for a higher number of queries to the \(\mathcal{F}\)-oracle. The basic idea of the attack is as follows: Assume that a pair of plaintexts P,P ^∗ satisfies

$$P \oplus P^* = K_1 \oplus\varDelta, $$

for some Δ∈{0,1}ⁿ. In such a case,

$$E(P)=\mathcal{F}(P \oplus K_1) \oplus K_2 = \mathcal{F}\bigl(P^* \oplus \varDelta\bigr) \oplus K_2, $$

and similarly,

$$E\bigl(P^*\bigr)=\mathcal{F}\bigl(P^* \oplus K_1\bigr) \oplus K_2 = \mathcal{F}(P \oplus \varDelta) \oplus K_2 $$

(see Fig. 1(b)). Hence,

$$E(P) \oplus E\bigl(P^*\bigr) = \mathcal{F}\bigl(P^* \oplus\varDelta\bigr) \oplus \mathcal {F}(P \oplus\varDelta), $$

or equivalently,

$$E(P) \oplus\mathcal{F}(P \oplus\varDelta) = E\bigl(P^*\bigr) \oplus\mathcal {F} \bigl(P^* \oplus\varDelta\bigr). $$

This allows mounting the following attack, for any d≤n:

1. 1.

   Query the E-oracle at 2^(d+1)/2 arbitrary values (i.e., known plaintexts) P ₁,P ₂,… .

2. 2.

   Choose 2^n−d arbitrary values Δ ₁,Δ ₂,… of Δ. For each Δ _ℓ , query the \(\mathcal{F}\)-oracle at the values \(\{P_{i} \oplus \varDelta_{\ell}\}_{i=1,2,\ldots,2^{(d+1)/2}}\), store in a hash table the pairs \((E(P_{i}) \oplus\mathcal{F}(P_{i} \oplus\varDelta_{\ell}), i)\), sorted by the first coordinate, and search for a collision.

3. 3.

   For each collision in any of the hash tables, i.e., when P _i ,P _j for which \(E(P_{i}) \oplus\mathcal{F}(P_{i} \oplus\varDelta_{\ell}) = E(P_{j}) \oplus\mathcal{F}(P_{j} \oplus\varDelta_{\ell})\) are detected, check the guess K ₁=P _i ⊕P _j ⊕Δ _ℓ and \(K_{2}=E(P_{i}) \oplus\mathcal{F}(P_{j} \oplus\varDelta_{\ell})\).

For each triplet (P _i ,P _j ,Δ _ℓ ), the probability that P _i ⊕P _j ⊕Δ _ℓ =K ₁ is 2⁻ⁿ. Since the data contains 2^d⋅2^n−d=2ⁿ such triplets, it is expected that with a non-negligible constant probability the data contains at least one slidex triplet (i.e., a triplet for which P _i ⊕P _j ⊕Δ _ℓ =K ₁). On the other hand, since the probability of a collision in each hash table is 2^d−n and there are 2^n−d tables, it is expected that only a few collisions occur, and one of them suggests the correct key guess.

The number of queries to the E-oracle in the attack is D=2^(d+1)/2, and the number of queries to the \(\mathcal{F}\)-oracle is T=2^{n−(d−1)/2}. Thus, DT=2ⁿ⁺¹, which matches the lower bound of [13] up to a constant factor of 2.

A summary of the complexities of all the old and new attacks on the Even–Mansour scheme appears in Table 1.

Table 1. Comparison of results on the Even–Mansour scheme.

4 The Single-Key Even–Mansour Scheme

In this section, we analyze the single-key variant of the Even–Mansour scheme (abbreviated in the sequel as “SEM”), which has the same level of security while using only n secret key bits (compared to 2n bits in EM). First, we define the scheme and show that the security proof of [13] can be adapted to yield a similar lower bound on its security. Then, we present a simple attack on the new scheme which matches the lower bound, thus proving its optimality.

We note that variants of SEM were considered (in different contexts) in several previous papers, but without proving the equivalence of SEM to the original two-key Even–Mansour scheme: In [18], Kilian and Rogaway studied a variant of SEM in which the internal permutation is keyed, and obtained a lower bound on its security in the indistinguishability (rather than key recovery) model. In [19], Kurosawa studied a variant of SEM in which the pre-/post-whitening keys are changed in each block. Finally, constructions similar to SEM were used in the design of several cryptographic primitives, including the stream cipher Salsa20 [2].

4.1 Definition of the Scheme and Sketch of Its Security Proof

Given a publicly known permutation \(\mathcal{F}\) over n-bit strings and an n-bit secret key K, the Single-Key Even–Mansour (SEM) scheme is defined as follows:

$$\mathit{SEM}^{\mathcal{F}}_{K}(P) = \mathcal{F}(P \oplus K) \oplus K. $$

The attack model is the same as in the EM scheme. That is, the adversary can query an encryption/decryption E-oracle and an \(\mathcal{F}\)-oracle, and the complexity of an attack is determined by the number D of queries to the E-oracle and their type (known/chosen, etc.), and the number T of queries to the \(\mathcal{F}\)-oracle.

Surprisingly, the security proof of the EM scheme [13] holds almost without a change when we apply it to the single-key SEM variant. The only modification we have to make is to define a key K as bad with respect to sets of oracle queries \(\mathcal{D}\) and \(\mathcal{T}\) if there exist i,j such that either P _i ⊕K=X _j or C _i ⊕K=Y _j , and K as good otherwise. It is easy to see that if \(|\mathcal{D}|=s\) and \(|\mathcal{T}|=t\), then at least 2ⁿ−2st keys are still “good” keys. Exactly the same proof as for EM shows that all the good keys are equally likely to be the right key, and the bounds on the success probability of an attack apply without change for SEM. Therefore, for any successful attack on SEM, we must have DT=Ω(2ⁿ), which means that SEM provides the same security as EM, using only half as many key bits.

4.2 A Simple Optimal Attack on SEM

The slidex attack presented in Sect. 3 applies also to SEM, and is optimal since it uses only known plaintexts and matches everywhere the tradeoff curve of the security proof.

However, in the case of SEM, there is an even simpler attack (though, with the same complexity). Consider an encryption of a plaintext P through SEM, and denote the intermediate values in the encryption process by:

$$x=P, \qquad y=P \oplus K, \qquad z=\mathcal{F}(P \oplus K), \qquad w=E(P)= \mathcal{F}(P \oplus K) \oplus K. $$

Note that x⊕w=y⊕z. This allows mounting the following simple attack, applicable for any D≤2ⁿ:

1. 1.

   Query the \(\mathcal{F}\)-oracle at 2ⁿ/D arbitrary values \(X_{1},X_{2},\ldots,X_{2^{n}/D}\), and store in a hash table the values \((X_{j} \oplus\mathcal{F}(X_{j}), j)\), sorted by the first coordinate.

2. 2.

   Query the E-oracle at D arbitrary values P ₁,P ₂,…,P _D insert the values P _i ⊕E(P _i ) to the hash table and search for a match.

3. 3.

   If a match is found, i.e., \(P_{i} \oplus E(P_{i}) = X_{j} \oplus \mathcal{F}(X_{j})\), check the guess K=P _i ⊕X _j .

The analysis of the attack is exactly the same as that of the slide with a twist attack (see Sect. 3.1).

The security model of EM defined in [13] does not distinguish between precomputation and online computations, and thus, both EM and SEM enjoy the same level of security. However, we note that this attack has an advantage over the slidex attack, since its first step can be performed as a precomputation, thus reducing the time complexity of the on-line phase of the attack.

5 The Security of Other Variants of the Even–Mansour Scheme

In this section, we consider several natural variants of the Even–Mansour scheme, and analyze their security.

The first variant replaces the XOR operations with modular additions, which are not involutions and are thus immune to standard slide-type attacks (as noted in [6]). However, we show that a new addition slidex attack can break it with the same complexity as that of the slidex attack on the original EM scheme.

The second variant considers the case in which the mapping \(\mathcal{F}\) is chosen as an involution. This is motivated by the fact that in many “real-life” implementations of the EM scheme we would like to instantiate \(\mathcal{F}\) by a keyless variant of a block cipher. Since in Feistel structures and many other schemes (e.g., KHAZAD, Anubis, Noekeon) the only difference between the encryption and decryption processes is the key schedule, such schemes become involutions when we make them keyless. In this section, we show that this seemingly mild weakness of \(\mathcal{F}\) can be used to mount a devastating attack on the EM scheme. In particular, we show that even when \(\mathcal{F}\) is chosen uniformly at random among the set of all the possible involutions on n-bit strings, the adversary can recover the value K ₁⊕K ₂ with O(2^n/2) queries to the E-oracle and no queries at all (!) to the \(\mathcal{F}\)-oracle. This clearly violates the lower bound proof that no significant information about the key can be obtained unless DT=Ω(2ⁿ) (which was proven for random permutations but seems intuitively to be equally applicable to random involutions), and is achieved by a new variant of the slide attack, which we call the mirror slidex attack.

After considering these two basic variants of EM, we consider combinations of them, such as “Addition Even–Mansour with a random involution as the permutation”, and compare them with their single-key analogues. Our results are summarized in Table 2 which contains the security bounds and the matching attacks for 12 variants of the Even–Mansour construction.

Table 2. Summary of the security of the 12 Even–Mansour variants.

5.1 Even–Mansour with Addition

Consider the following scheme:

$$\mathit{AEM}^{\mathcal{F}}_{K_1,K_2}(P) = \mathcal{F}(P + K_1) + K_2, $$

where \(\mathcal{F}\) is a publicly known permutation over n-bit strings, and ‘+’ denotes modular addition in the additive group \(Z_{2^{n}}\). In the sequel, we call it “Addition Even–Mansour” (AEM).

It is clear that the lower bound security proof of EM holds without any change for AEM. Similarly, it is easy to see that Daemen’s differential attack on EM [9] can be easily adapted to AEM, by replacing XOR differences with modular differences.

It may seem that the new variant has better security with respect to slide-type attacks. As noted in [6], ordinary slide attacks (and even the slide-with-a-twist attack) can be applied only for ciphers in which the secret key is inserted through a symmetric operation such as XOR, and not through modular addition. In the specific case of EM, the slide with a twist attack relies on the observation that if for two plaintexts P,P ^∗, we have P ^∗=P⊕K ₁, then surely, P=P ^∗⊕K ₁ as well. This observation fails for AEM: If P ^∗=P+K ₁, then P ^∗+K ₁=P+2K ₁≠P (unless K ₁=0 or K=2ⁿ⁻¹). The slidex attack presented in Sect. 3.2 fails against AEM for the same reason. Hence, it seems that none of the previously known attacks can break AEM in the known plaintext model.

We present an extension of the slidex attack, which we call addition slidex, which can break AEM with data complexity of D known plaintexts and time complexity of T \(\mathcal{F}\)-oracle queries, for any D,T such that DT=2ⁿ, hence showing that the security of AEM is identical to that of EM.

The basic idea of the attack is as follows: Assume that a pair of plaintexts P,P ^∗ satisfies P+P ^∗=−K ₁+Δ. (Note that somewhat counter intuitive, we consider the modular sum of the plaintexts rather than their modular difference!) In such a case,

$$E(P)=\mathcal{F}(P + K_1) + K_2 = \mathcal{F}\bigl( - P^* + \varDelta\bigr) + K_2, $$

and similarly,

$$E\bigl(P^*\bigr)=\mathcal{F}\bigl(P^* + K_1\bigr) + K_2 = \mathcal{F}(-P + \varDelta) + K_2. $$

Hence,

$$E(P) - E\bigl(P^*\bigr) = \mathcal{F}\bigl(-P^* + \varDelta\bigr) - \mathcal{F}(-P + \varDelta), $$

or equivalently,

$$ E(P) + \mathcal{F}(-P + \varDelta) = E\bigl(P^*\bigr) + \mathcal{F} \bigl(-P^* + \varDelta\bigr). $$

(2)

Equation (2) allows us to mount an attack similar to the slidex attack, with the only change that instead of the values \((E(P_{i}) \oplus\mathcal{F}(P_{i} \oplus\varDelta), i)\), the adversary stores in the hash table the values \((E(P_{i}) + \mathcal {F}(-P_{i} + \varDelta), i)\).

We note that the addition slidex attacks applies not only to addition but to any group operation. In particular, its application to the XOR operation, which is the group operation in the additive group (Z ₂)ⁿ, yields the slidex attack presented in Sect. 3.2. Moreover, the attack can be extended to the case where two different group operations are used in the pre- and the post-whitening. For example, if XOR is used in the pre-whitening and modular addition is used in the post-whitening, the attack requires storing in the hash table the values \((E(P_{i}) + \mathcal{F}(P_{i} \oplus\varDelta), i)\) and proceeds like the slidex attack.

5.2 Even–Mansour with a Random Involution as the Permutation

Let Involutional Even–Mansour (IEM) be the following scheme:

$$\mathit{IEM}^\mathcal{I}_{K_1,K_2}(P) = \mathcal{I}(P \oplus K_1) \oplus K_2, $$

where \(\mathcal{I}\) is chosen uniformly at random amongst the set of involutions on n-bit strings. We present a new technique, which we call mirror slidex, that allows recovering the value K ₁⊕K ₂ using 2^n/2 queries to the E-oracle, and with no queries to the \(\mathcal{I}\)-oracle.

The idea of the technique is as follows. Consider two input/output pairs (P,C), (P ^∗,C ^∗) for IEM. Assume that we have

$$ P \oplus C^* = K_1 \oplus K_2. $$

(3)

In such a case,

$$P \oplus K_1 = C^* \oplus K_2, $$

and hence, since \(\mathcal{I}\) is an involution,

$$\mathcal{I}(P \oplus K_1) = \mathcal{I}^{-1}\bigl(C^* \oplus K_2\bigr). $$

However, by the construction, we have

$$C = \mathcal{I}(P \oplus K_1) \oplus K_2 \quad\mbox{and} \quad P^* = \mathcal{I}^{-1}\bigl(C^* \oplus K_2 \bigr) \oplus K_1, $$

and thus,

$$C \oplus K_2 = P^* \oplus K_1, $$

or equivalently,

$$P^* \oplus C = K_1 \oplus K_2 = P \oplus C^*, $$

where the last equality follows from Eq. (3). Therefore, assuming that P⊕C ^∗=K ₁⊕K ₂, we must have

$$P \oplus C = P^* \oplus C^*. $$

This allows mounting a simple attack, similar to the slide with a twist attack. In the attack, the adversary queries the E-oracle at 2^(n+1)/2 arbitrary values P ₁,P ₂,… , and stores in a hash table the pairs (E(P _i )⊕P _i ,i), sorted by the first coordinate. It is expected that only a few collisions exist, and that with a non-negligible probability, one of them results from a pair (P _i ,P _j ), for which P _i ⊕E(P _j )=K ₁⊕K ₂.

Therefore, the attack supplies the adversary with only a few possible values of K ₁⊕K ₂, after performing 2^(n+1)/2 queries to the E-oracle and no queries at all to the \(\mathcal{I}\)-oracle. As we show later, the adversary cannot obtain K ₁ or K ₂ themselves (without additional effort or data), but at the same time, the adversary does learn a nontrivial information about the key, which contradicts the security proof of the original EM scheme.

Where the Security Proof Fails

One may wonder, which part of the formal security proof fails when \(\mathcal{F}\) is an involution. It turns out that the only part that fails is the argument in the first step of the proof showing that all good keys are equally likely to be the right key. Recall that in order to show this, one has to show that the probability

$$p = \Pr_{K,\mathcal{F}} \bigl[(K,\mathcal{F}) \mbox{ is consistent with } \mathcal{D},\mathcal{T} | K=k\bigr] $$

is the same for all good keys. In the case of EM, p is shown to be the probability of consistence of a random permutation \(\mathcal{F}\) with s+t given distinct input/output pairs, which indeed does not depend on k (since such pairs are independent). In the case of IEM, the input/output pairs may be dependent, since it may occur that an encryption query to the E-oracle results in querying \(\mathcal{I}\) at some value x, while a decryption query to the E-oracle results in querying \(\mathcal{I}^{-1}\) at the same value x. Since \(\mathcal{I}\) is an involution, these queries are not independent and thus, the probability p depends on whether such dependency has occurred, and this event does depend on k. An examination of the mirror slidex attack shows that this property is exactly the one exploited by the attack.

It is interesting to note that in the single-key case (i.e., for SEM where \(\mathcal{F}\) is an involution, which we denote by SIEM), such an event cannot occur, as in order to query \(\mathcal{I}\) and \(\mathcal{I}^{-1}\) at the same value, one must query E and E ⁻¹ at the same value. Since in the single-key case, the entire construction is an involution, such two queries result in the same answer for any value of the secret key, and hence, do not create dependency on the key. It can be shown, indeed, that the security proof does hold for SIEM and yields the same security bound, thus showing that in the case of involutions, the single-key variant is clearly more efficient than the original two-key variant! Moreover, it can be noticed that in the case of EM, after the adversary recovers the value K ₁⊕K ₂, the encryption scheme becomes equivalent to a single-key Even–Mansour scheme with the key K ₁, i.e., \(E'(P) = \mathcal{I}(P \oplus K_{1}) \oplus K_{1}\). Thus, using two different keys in this case is totally obsolete, and also creates a security flaw which can be deployed by an adversary if the keys K ₁ and K ₂ are used also in other systems.

We note that SIEM provides an example of the gap between the indistinguishability security notion and the cost of finding a key. Obviously, one can easily distinguish SIEM from a random permutation using two adaptive queries with an extremely high probability (as SIEM is an involution). At the same time, the lower bounds of the Even–Mansour security proof assure us that it is impossible to decrypt a ciphertext C encrypted by SIEM or to produce a new (P,C) pair for SIEM without first obtaining DT=Ω(2ⁿ) queries.

5.3 Addition Even–Mansour with an Involution as the Permutation

In this subsection, we consider a combination of the two variants discussed in the previous subsections, i.e., AEM where \(\mathcal{F}\) is a random involution. We abbreviate this variant as AIEM.

It can be easily shown that the mirror slidex attack can be adapted to the case of AIEM, by modifying the assumption to C ^∗−P=K ₁+K ₂, and the conclusion to P+C=P ^∗+C ^∗. The attack allows recovering the value K ₁+K ₂, and then the scheme becomes equivalent to a conjugation EM scheme with a single key: \(\mathit{CSIEM}(P) = \mathcal{I}(P + K_{1}) - K_{1}\), and it can be shown that the security proof of EM applies also to CSIEM. Thus, the security of AEM under the assumption that \(\mathcal{F}\) is an involution is identical to that of the original EM.

An interesting phenomenon is that in the involution case, the security of single-key AEM (which we denote by ASIEM) is much worse than that of AIEM. Indeed, the mirror slidex attack allows recovering K ₁+K ₁=2K ₁, and hence finding K ₁ (up to the value of the MSB) which breaks the scheme completely. This suggests that in the case of addition, the “natural” variant of single-key AEM is the conjugation variant, i.e., \(\mathit{CSEM}(P) = \mathcal{F}(P + K_{1}) - K_{1}\), for which the security proof of EM indeed applies even if \(\mathcal{F}\) is an involution, as mentioned above.

In Table 2, we list 12 variants of the Even–Mansour construction (single key/two keys, random permutation/random involution, and whether the keys are XORed, added, or conjugated). For each variant we list the security bound (if possible), and the attack that matches the bound.

6 Memoryless and Ciphertext-Only Attacks on the Even–Mansour Scheme

In this section, we consider two attack scenarios in which the adversary is severely restricted—memoryless attacks in which the adversary can use only a few cells of memory, and ciphertext-only attacks in which the adversary is given only a partial information about the plaintexts (e.g., only knows that the plaintext consists of words in English). We show that in both scenarios, we can obtain the tradeoff curve DT=Ω(2ⁿ), but only for part of the possible values of D.

6.1 Memoryless Attacks on the Even–Mansour Scheme

All previous papers on the Even–Mansour scheme, including the lower bounds proved by the designers [13], Daemen’s attack [9], and Biryukov–Wagner’s slide attack [6], considered only the data and time complexities of attacks, but not the memory complexity. Analysis of the previously proposed attacks shows that in all of them, the memory complexity is at least min{D,T}, where D is the data complexity (i.e., the number of E-queries) and T is the time complexity (i.e., the number of \(\mathcal{F}\)-queries). Thus, it is natural to ask whether the memory complexity can also be inserted into the lower bound security proofs, e.g., in the form M≥min(D,T).

In this section, we show that such a general lower bound cannot exist, by constructing an attack with data and time complexities of O(2^n/2), and with only a constant memory complexity. The attack is a memoryless variant of the slide with a twist attack described in Sect. 3.1. Recall that the main step of the slide with a twist attack is to find collisions of the form \(E(P) \oplus\mathcal{F}(P) = E(P^{*}) \oplus \mathcal{F}(P^{*})\).

We observe that such collisions can be found in a memoryless manner. We treat the function

$$\mathcal{G}: P \rightarrow E(P) \oplus\mathcal{F}(P) $$

as a random function, and apply Floyd’s cycle finding algorithm [15] (or any of its variants, such as Nivasch’s algorithm [25]) to find a collision in \(\mathcal{G}\). The attack algorithm is as follows:

1. 1.

   Query the E-oracle at a sequence of O(2^n/2) adaptively chosen values P ₁,P ₂,… such that P ₁ is arbitrary and for k>1, \(P_{i} = E(P_{i-1}) \oplus\mathcal {F}(P_{i-1})\). (Here, after each query to the E-oracle, the adversary queries the \(\mathcal{F}\)-oracle at the same value and uses its answer in choosing the next query to the E-oracle.)

2. 2.

   Use Floyd’s cycle finding algorithm to find P _i ,P _j such that \(E(P_{i}) \oplus\mathcal{F}(P_{i}) = E(P_{j}) \oplus\mathcal{F}(P_{j})\).

3. 3.

   For each colliding pair, check the guess K ₁=P _i ⊕P _j and \(K_{2}=E(P_{i}) \oplus\mathcal{F}(P_{j})\).

The analysis of the attack is identical to the analysis of the slide with a twist attack. The memory complexity is negligible, and the data and time complexities remain O(2^n/2). The only downside of this algorithm is the fact that the queries to the E-oracle are chosen adaptively, whereas in the slide with a twist attack we could choose arbitrary queries to the E-oracle.

6.2 Ciphertext-Only Attacks on the Even–Mansour Scheme

In ciphertext-only attacks, the assumption is that the adversary is not given any plaintext/ciphertext pairs, but only knows the ciphertexts and some partial information on the plaintexts, e.g., that the plaintexts are English words encoded by ASCII characters. Such a situation is very realistic in passive eavesdropping attacks.

We show that if the partial information on each plaintext contains k linear equations on its bits, then a variant of the slidex attack can break the scheme with time complexity T and data complexity D such that DT=O(2ⁿ), as long as D≤2^k. In particular, in the case of English words encoded by ASCII characters, it is known that the most significant bit of each byte equals zero in the ASCII encoding, which yields n/8 linear equations in the bits of each n-bit plaintext. Hence, the tradeoff curve DT=O(2ⁿ) can be obtained for all D≤2^n/8.

Recall that in the slidex attack on EM, the adversary looks for collisions in the function \(P_{i} \mapsto E(P_{i}) \oplus{\mathcal{F}}(P_{i} \oplus \varDelta_{\ell})\) (for a fixed Δ _ℓ ) and uses them to find pairs of plaintexts (P _i ,P _j ) such that P _i ⊕P _j ⊕Δ _ℓ =K ₁. In the ciphertext-only attack, the adversary cannot check this function, as she does not know the value P _i ⊕Δ _ℓ . However, we observe that the same attack procedure can be performed in the inverse direction, i.e., looking at collisions in the function \(C_{i} \mapsto E^{-1}(C_{i}) \oplus{\mathcal{F}^{-1}}(C_{i} \oplus\varDelta_{\ell})\) in order to find pairs of ciphertexts (C _i ,C _j ) such that C _i ⊕C _j ⊕Δ _ℓ =K ₂.

As the ciphertexts are fully known to the adversary, she can compute the value \({\mathcal{F}^{-1}}(C_{i} \oplus\varDelta_{\ell})\). The value E ⁻¹(C _i ) is not known, but, by the assumption, the adversary knows k linear equations in its bits (e.g., knows that the most significant bit of each byte equals zero in the English ASCII case). Hence, she can search for a collision between the values \(E^{-1}(C_{i}) \oplus{\mathcal{F}^{-1}}(C_{i} \oplus\varDelta_{\ell})\) in the k known linear combinations of bits. Each such partial collision (C _i ,C _j ) suggests a value K ₂=C _i ⊕C _j ⊕Δ _ℓ for the key K ₂, and these suggestions can be checked easily.⁶

As the total number of triplets (C _i ,C _j ,Δ _ℓ ) examined in the attack is 2ⁿ (see the analysis of the slidex attack in Sect. 3.2), the expected number of partial collisions is 2ⁿ⋅2^−k=2^n−k. Thus, the phase of examining key suggestions arising from the partial collisions, which is the only additional phase compared to the slidex attack, requires time complexity of 2^n−k and no additional data complexity. Therefore, for D≤2^k (for which the time complexity of the basic slidex attack is T≥2^n−k), the overall data and time complexities of the attack satisfy the tradeoff curve DT=O(2ⁿ).

An interesting question for future research is whether partial information on the plaintexts which cannot be represented in the form of linear equations (e.g., quadratic equations in the plaintext bits) can also be used by some variant of the slidex attack.

7 Further Applications of the Mirror Slide Attack

In this section, we present the general framework of the mirror slidex attack that was presented in Sect. 5.2 in the special case of the Even–Mansour scheme. We show that the mirror slidex attack generalizes the slide with a twist attack [6] and can be combined with the complementation slide attack [6]. We apply the new technique to a 20-round variant of the block cipher GOST [28], and to variants of the DESX cryptosystem [27] in which the subkeys of the internal DES cipher are replaced by a 2-round or a 4-round self-similar sequence.

7.1 The General Framework

The mirror slidex attack applies to block ciphers that can be decomposed as a cascade of three sub-ciphers: E=E ₂∘E ₁∘E ₀, where the middle layer E ₁ is an involution, i.e., E ₁=(E ₁)⁻¹.⁷

Let E be such a cipher, and assume that for two plaintext/ciphertext pairs (P,C), (P ^∗,C ^∗), we have

$$ E_0(P) = E_2^{-1} \bigl(C^* \bigr). $$

(4)

In such case, since E ₁ is an involution,

$$E_1\bigl(E_0(P)\bigr) = E_1^{-1} \bigl(E_2^{-1}\bigl( C^*\bigr)\bigr). $$

By the construction, this implies that

$$ E_2^{-1}(C) = E_1 \bigl(E_0(P)\bigr) = E_1^{-1} \bigl(E_2^{-1}\bigl( C^*\bigr)\bigr) = E_0 \bigl(P^*\bigr). $$

(5)

If Eq. (4) holds (and thus, Eq. (5) also holds), the pair (P,P ^∗) is called a mirror slid pair.

The way to exploit mirror slid pairs in a cryptanalytic attack is similar to standard slide-type attacks [5, 6]: The adversary asks for the encryption of 2^(n+1)/2 known plaintexts P ₁,P ₂,… (where n is the block size of E) and denotes the corresponding ciphertexts by C ₁,C ₂,… . For each pair (P _i ,P _j ), the adversary assumes that it is a mirror slid pair and tries to solve the system of equations:

$$ \begin{aligned} \left\{ \begin{array}{c l} C_j = E_2(E_0(P_i)), \\ C_i = E_2(E_0(P_j)) \end{array} \right. \end{aligned} $$

(6)

(which is equivalent to Eqs. (4) and (5)). If E ₀ and E ₂ are “simple enough”, the adversary can solve the system efficiently and recover the key material used in E ₀ and E ₂.

If the amount of subkey material used in E ₀ and E ₂ is at most n bits (in total), it is expected that at most a few of the systems of equations generated by the 2ⁿ plaintext pairs are consistent (since the equation system is a 2n-bit condition). One of them is the system generated by the mirror slid pair, which is expected to exist in the data with a constant probability since the probability of a random pair to be a mirror slid pair is 2⁻ⁿ. Hence, the adversary obtains only a few suggestions for the key, which contain the right key with a constant probability. If the amount of key material used in E ₀ and E ₂ is bigger than n bits, the adversary can still find the right key, by enlarging the data set by a small factor and using key ranking techniques (exploiting the fact that the right key is suggested by all mirror slid pairs, while the other pairs suggest “random” keys).

The data complexity of the attack is O(2^n/2) known plaintexts, and its time complexity is O(2ⁿ)⋅t, where t is the time required for solving the system (6).

We note that the attack can be applied even when E ₀ and E ₂ are not “simple” ciphers using a meet-in-the-middle attack. If both E ₀ and E ₂ use κ≤n key bits at most, one can try and find the solutions to the above set of equations in time min{O(2^n+κ),O(2^n/2+2κ)}.⁸

7.2 The Slide with a Twist Attack and an Application to 20-Round GOST

The first special case of the mirror slidex framework we consider is where in the subdivision of E, we have E ₂=Identity. In such a case, the system of equations presented above is simplified to

$$ \left\{ \begin{array}{c l} C_j = E_0(P_i), \\ C_i = E_0(P_j). \end{array} \right. $$

(7)

It turns out that in this case, the attack is reduced exactly to the slide with a twist attack presented in [6]! (Though, in [6] the attack is described in a different way.)

A concrete example of this case is a reduced-round variant of the block cipher GOST [28] that consists of the last 20 of its 32 rounds. It is well-known that the last 16 rounds of GOST compose an involution, and hence, this variant can be represented as E=E ₁∘E ₀, where E ₀ is 4-round GOST, and E ₁ (which is the last 16 rounds of GOST) is an involution.⁹ As shown in [10], a 4-round variant of GOST can be broken with two plaintext/ciphertext pairs and time complexity of 2¹² encryptions. Therefore, the mirror slidex attack can break this 20-round variant of GOST with data complexity of 2³³ known plaintexts (since the block size of GOST is 64 bits), and time complexity of 2⁶⁵⋅2¹²=2⁷⁷ encryptions.¹⁰

We note that a similar attack was described in [6] using the slide with a twist technique, but only on a 20-round version of a modified variant of GOST called GOST⊕ in which the key addition is replaced by XOR.

7.3 Combination with the Complementation Slide Attack and Application to 2K-DESX

In this subsection, we consider the case where E ₁ is not an involution, but rather a Feistel cipher with a 2-round self-similarity property (see Fig. 2). Such a cipher (but without the key whitening) was considered in [6], and it was shown that it can be broken with complexity of O(2^n/2), using a technique called complementation slide.¹¹ We show that the complementation slide technique can be combined with the mirror slidex technique to yield an attack on the scheme including pre- and post- key whitening, with the same complexity.

Fig. 2.

Pre-/post-whitened cipher with 2-round self similarity.

A concrete example of such construction one may consider is a variant of DESX [27] in which the subkeys generated by the DES key schedule are replaced by the periodic sequence (k _a ,k _b ,k _a ,k _b ,…). Using the terminology of [5, 6], this variant can be called 2K-DESX. For the sake of simplicity, we demonstrate the attack on the example of 2K-DESX.

Consider two plaintext/ciphertext pairs (P,C),(P ^∗,C ^∗) of 2K-DESX, and assume that

$$P \oplus C^* = K_0 \oplus K_2 \oplus(k_a \oplus k_b || k_a \oplus k_b), $$

where || denotes concatenation of bit strings. In such a case,

$$ P \oplus K_0 = \bigl(C^* \oplus K_2 \bigr) \oplus(k_a \oplus k_b || k_a \oplus k_b). $$

(8)

We would like to apply E ₁ to the left-hand side and \(E_{1}^{-1}\) to the right-hand side, like in the standard mirror slidex attack. In our case, E ₁ is not an involution. However, this is compensated by the term (k _a ⊕k _b ||k _a ⊕k _b ) in the right-hand side of the equation. Indeed, in the first round of E ₁, the subkey is k _a , and thus, the input to the F-function is P _R ⊕K _0R ⊕k _a (where X _R denotes the right half of X). On the other side, the subkey in the first round of \(E_{1}^{-1}\), which is the subkey in the last round of E ₁, is k _b , and hence, the input to the F-function is \(C^{*}_{R} \oplus K_{2R} \oplus k_{b}\). Therefore, by Eq. (8), the two inputs are equal. A similar analysis shows that equality holds for the inputs of the F-functions in all rounds, and thus,

$$E_1(P \oplus K_0) = E_1^{-1} \bigl(C^* \oplus K_2\bigr) \oplus(k_a \oplus k_b || k_a \oplus k_b), $$

or equivalently,

$$ C \oplus K_2 = P^* \oplus K_0 \oplus(k_a \oplus k_b || k_a \oplus k_b). $$

(9)

XORing Eqs. (8) and (9), we get

$$C \oplus C^* = P \oplus P^*. $$

This allows applying an attack similar to the attack on IEM and recovering the value K ₀⊕K ₂⊕(k _a ⊕k _b ||k _a ⊕k _b ) with data and time complexities of O(2^n/2).

7.4 Application to a Variant of 4K-DESX

The last case we consider is a variant of DESX in which the number of rounds in DES is changed to 4m+1, and the subkeys are replaced by the sequence (k _a ,k _b ,k _c ,k _d )^m,k _a . We show that another combination of the complementation slide technique with the mirror slidex technique allows breaking this variant with data and time complexity of O(2^n/2).

Consider two plaintext/ciphertext pairs (P,C),(P ^∗,C ^∗), and assume that

$$P \oplus C^* = K_0 \oplus K_2 \oplus(k_b \oplus k_d || 0), $$

where || denotes concatenation of bit strings. In such a case,

$$ P \oplus K_0 = \bigl(C^* \oplus K_2 \bigr) \oplus(k_b \oplus k_d || 0). $$

(10)

We apply E ₁ to the left-hand side of the equation, and \(E_{1}^{-1}\) to the right-hand side of the equation. In the first round of E ₁, the subkey is k _a , and thus, the input to the F-function is P _R ⊕K _0R ⊕k _a . The subkey in the first round of \(E_{1}^{-1}\) is also k _a , and hence, the input to the F-function in that round is \(C^{*}_{R} \oplus K_{2R} \oplus k_{a}\). Therefore, by Eq. (10), the two inputs are equal. In the second round of E ₁ and \(E_{1}^{-1}\), the subkey in E ₁ is k _b , while the subkey in \(E_{1}^{-1}\) is k _d . However, this difference is canceled with the term k _b ⊕k _d in Eq. (10). A similar analysis shows that equality holds for the inputs of the F-functions in all rounds, and thus,

$$E_1(P \oplus K_0) = E_1^{-1} \bigl(C^* \oplus K_2\bigr) \oplus(k_b \oplus k_d || 0), $$

or equivalently,

$$ C \oplus K_2 = P^* \oplus K_0 \oplus(k_b \oplus k_d || 0). $$

(11)

XORing Eqs. (10) and (11), we get

$$C \oplus C^* = P \oplus P^*, $$

and the attack can be concluded as in the previous case and retrieve the value K ₀⊕K ₂⊕(k _b ⊕k _d ||0).

We note that this technique does not apply to the standard variant of 4K-DESX, in which the subkeys are (k _a ,k _b ,k _c ,k _d )^m (without an additional subkey k _a at the end). The reason is that the rate of symmetry between E ₁ and \(E_{1}^{-1}\) is insufficient. While the asymmetry in the first two rounds can be compensated by adding the term (k _a ⊕k _d ||k _b ⊕k _c ) to the equation, the inputs to the F-function in the third round will not be equal anymore.

8 Further Applications of the Addition Slidex Attack

In Sect. 5, we presented two new slide-type attacks that are applicable to ciphers in which the subkeys are inserted through modular addition (rather than XOR). The first was a variant of the slidex attack that was used in Sect. 5.1 to attack AEM, i.e., an Even–Mansour scheme in which the key XOR is replaced by modular addition. The second was a variant of the mirror slidex attack that was used in Sect. 5.3 to attack AIEM, i.e., AEM in which the internal permutation is an involution. These two attacks can be considered as special cases of a more general technique which we call the addition slidex attack. The main feature of the technique (that appears in both special cases) is that the relation between the elements of a slid pair concerns their modular sum, rather than their difference (as one may expect in light of the standard slide-type attacks).

In this section, we present another application of the addition slidex technique. The attack targets Addition DESX, i.e., a variant of DESX [27] in which the whitening keys are inserted using modular addition (instead of XOR). We show that while this variant seems to be as secure as DESX, it can be broken using only two related keys and practical complexity of either 2³⁴ in the chosen plaintext model, or 2⁴³ in the known plaintext model. The attack exploits the well-known complementation property of DES, namely, that for any P,K,

$$\mathit{DES}_K(P) = \overline{\mathit{DES}_{\bar{K}}(\bar{P})}, $$

where \(\bar{X}\) denotes the bitwise complement of X (i.e., \(\bar{X}=X \oplus FF\ldots FF_{x} = 2^{64} - 1 - X\)). It is interesting to note that while in the cases of DES and DESX, this property can be used only either for a distinguishing attack or for speeding up exhaustive key search by a factor of 2, in our case it can be deployed to mount a key recovery attack.

After presenting the attack on Addition DESX, we show that a slightly modified variant of the attack applies (with the same complexities) to another variant of DESX in which the key pre/post whitenings are replaced by key-dependent decorrelation modules [31].

8.1 Attack on Addition DESX

The addition DESX block cipher is defined as

$$E_{K_0,K_1,K_2}(P) = K_2 + \mathit{DES}_{K_1}(P + K_0), $$

where ‘+’ denotes addition modulo 2⁶⁴. The basic idea of the attack is as follows. Let (P,C),(P ^∗,C ^∗) be two plaintext/ciphertext pairs, such that P is encrypted under (K ₀,K ₁,K ₂) and P ^∗ is encrypted under \((K_{0},\overline{K_{1}},K_{2})\). Assume that the pair (P,P ^∗) satisfies

$$ P + P^* + 2K_0 \equiv2^{64}-1 \pmod{2^{64}}. $$

(12)

In such a case, we have

$$P + K_0 = \overline{P^*+K_0}. $$

By the complementation property, this implies

$$\mathit{DES}_{K_1} (P+K_0) = \overline{\mathit{DES}_{\overline{K_1}} \bigl(P^*+K_0\bigr)}, $$

or equivalently,

$$\mathit{DES}_{K_1} (P+K_0) + \mathit{DES}_{\overline{K_1}} \bigl(P^*+K_0\bigr) \equiv2^{64}-1 \pmod{2^{64}}. $$

This, in turn, implies

$$ C + C^* = E_{K_0,K_1,K_2}(P) + E_{K_0,\overline{K_1},K_2}\bigl(P^*\bigr) \equiv2^{64}-1 +2K_2 \pmod{2^{64}}. $$

(13)

Equation (13) cannot be exploited directly (like in all previous attacks) since the value of K ₂ is not known to the adversary. However, we observe that since the right hand side of Eq. (13) does not depend on P and P ^∗, it can be canceled using another pair of plaintexts.

Let (P,C),(P ^∗,C ^∗) be plaintext/ciphertext pairs such that the pair (P,P ^∗) satisfies Eq. (12), and let \(a \in Z_{2^{64}}\) be arbitrary. Consider the encryptions of P+a and P ^∗−a under the keys (K ₀,K ₁,K ₂) and \((K_{0},\overline{K_{1}},K_{2})\), respectively, and denote the corresponding ciphertexts by C′ and C′^∗. It is clear that the pair (P+a,P ^∗−a) also satisfies Eq. (12). Hence, we have

$$ C' + C'^* \equiv2^{64}-1 +2K_2 \pmod{2^{64}}. $$

(14)

Combining Eqs. (13) and (14), we get

$$C + C^* = C' + C'^*, $$

or equivalently,

$$C - C' = C'^* - C^*. $$

This allows mounting the following attack:

1. 1.

   Choose some arbitrary \(a \in Z_{2^{64}}\).¹²

2. 2.

   Ask for the encryption of 2³² arbitrary plaintexts P ₁,P ₂,… under the key (K ₀,K ₁,K ₂), and denote the corresponding ciphertexts by (C ₁,C ₂,…). Ask for the encryption of the 2³² plaintexts P ₁+a,P ₂+a,… under the same key, and denote the corresponding ciphertexts by \((C'_{1},C'_{2},\ldots)\). Store in a hash table the pairs \(((C_{i} - C'_{i}), i)\), sorted by the first coordinate.

3. 3.

   Ask for the encryption of 2³² arbitrary plaintexts \(P^{*}_{1},P^{*}_{2},\ldots\) under the key \((K_{0},\overline{K_{1}},K_{2})\), and denote the corresponding ciphertexts by \((C^{*}_{1},C^{*}_{2},\ldots)\). Ask for the encryption of the 2³² plaintexts \(P^{*}_{1}-a,P^{*}_{2}-a,\ldots\) under the same key, and denote the corresponding ciphertexts by \((C'^{*}_{1},C'^{*}_{2},\ldots)\). Insert the values \(C'^{*}_{j} - C^{*}_{j}\) into the hash table and search for collisions.

4. 4.

   For each collision in the table, i.e., \(C_{i} - C'_{i} = C'^{*}_{j} - C^{*}_{j}\), check the guess \(2K_{0}= 2^{64}-1 - P_{i} - P^{*}_{j} \pmod{2^{64}}\) and \(2K_{2}= C_{i} + C^{*}_{j} - (2^{64} - 1) \pmod{2^{64}}\).

As in the previous attacks, it is expected that only a few collisions occur, and that with a constant probability, one of them suggests the right key (K ₀,K ₂). A key guess suggested by the pair \((P_{i},P^{*}_{j})\) can be checked by choosing another \(a' \in Z_{2^{64}}\), asking for the encryption of P _i +a′ and \(P^{*}_{j} - a'\) under the keys (K ₀,K ₁,K ₂) and \((K_{0},\overline{K_{1}},K_{2})\), respectively, and checking whether the corresponding ciphertexts (denoted by \(C''_{i}\) and \(C''^{*}_{j}\)) satisfy

$$C_i - C''_i = C''^*_j - C^*_j. $$

If the equation is satisfied, then the pair \((P_{i},P^{*}_{j})\) satisfies Eq. (12) with overwhelming probability, and thus, the suggestion for (K ₀,K ₂) is correct (with the same probability). The value of K ₁ can be found using auxiliary techniques (e.g., a differential or a linear attack on DES). The data complexity of the attack is 2³⁴ chosen plaintexts encrypted under two keys, and its memory and time complexities are about 2³⁴ (except for the part of recovering K ₁). As in the previous cases, the attack can be transformed into a memoryless attack with the same time complexity, where the data complexity is 2³⁴ adaptively chosen plaintexts.

A Known-Plaintext Variant of the Attack

A variant of the attack can be performed in the known plaintext model without enlarging the number of examined plaintexts, at the expense of enlarging the time complexity. The attack uses the fact that the procedure described above succeeds for any value of a, and thus, the adversary can exploit many values of a simultaneously. The algorithm of the known plaintext attack is as follows:

1. 1.

   Ask for the encryption of two pools of 2³² arbitrary plaintexts each under the key (K ₀,K ₁,K ₂), and denote the plaintext/ciphertext pairs in the pools by (P ₁,C ₁),(P ₂,C ₂),… , and \((P'_{1},C'_{1}),(P'_{2},C'_{2}),\ldots\) , respectively.

2. 2.

   Ask for the encryption of two pools of 2³² arbitrary plaintexts each under the key \((K_{0},\overline{K_{1}},K_{2})\), and denote the plaintext/ciphertext pairs in the pools by \((P^{*}_{1},C^{*}_{1}),(P^{*}_{2},C^{*}_{2}),\ldots\) , and \((P'^{*}_{1},C'^{*}_{1}),(P'^{*}_{2},C'^{*}_{2}),\ldots\) , respectively.

3. 3.

   Search for a four-collision of 128-bit values, of the form

   $$ \bigl(P_i - P'_j + P^*_k - P'^*_\ell, C_i - C'_j + C^*_k - C'^*_\ell \bigr) = 0. $$

   (15)
4. 4.

   For each such collision, check the guess \(2K_{0}= 2^{64}-1 - P_{i} - P^{*}_{j} \pmod{2^{64}}\) and \(2K_{2}= C_{i} + C^{*}_{j} - (2^{64} - 1) \pmod{2^{64}}\).

It is expected that among the 2¹²⁸ examined plaintext quartets, about 2⁶⁴ quartets satisfy the equation \(P_{i} - P'_{j} + P^{*}_{k} - P'^{*}_{\ell}= 0\), and thus can be represented as \((P_{i},P_{i}+a,P^{*}_{k},P^{*}_{k}-a)\), for \(a=P'_{j}-P_{i}\). Thus, with a constant probability, in at least one of these quartets, P _i and \(P^{*}_{k}\) satisfy Eq. (12). For such a quartet, we must have \(C_{i} - C'_{j} + C^{*}_{k} - C'^{*}_{\ell}= 0\), and thus, it generates a collision of the form needed for the attack. On the other hand, the probability that Eq. (15) is satisfied for a random quartet is 2⁻¹²⁸, and hence, it is expected that only a few collisions exist, and at least one of them suggests the right key.

The data complexity of the attack is 2³⁴ known plaintexts encrypted under two keys, and the memory and time complexities are about 2⁶⁴.

As the collision search performed in the attack is a solution of a standard generalized birthday problem, one can obtain a time/memory/data tradeoff using the improved algorithms for the generalized birthday problem presented by Wagner [32]. For example, if the data complexity is increased to 2^42.6 known plaintexts, then the memory and time complexities can be reduced to 2^42.6. As the key K ₁ can be found with about 2⁴³ known plaintexts using linear cryptanalysis [22], this allows recovering the full key (K ₀,K ₁,K ₂) of Addition DESX with data complexity of about 2⁴³ known plaintexts and time and memory complexities of 2⁴³ in total.

8.2 Attack on DES Surrounded by Decorrelation Modules

Decorrelation modules, introduced by Vaudenay [31] in 1997, are tools to ensure security against statistical attacks such as differential and linear cryptanalysis. One of the basic decorrelation modules (used in COCONUT98 [30]) is the NUT-II decorrelation module defined as \(DM_{K_{1},K_{2}} (X) = (X \oplus K_{1}) \cdot K_{2}\), where the multiplication is done over the field GF(2ⁿ), and K ₂≠0.

One property of this decorrelation module is that once the key is set, the decorrelation module is linear, but when the key is random, the probability of any non-trivial differential going through the module equals 1/(2ⁿ−1) on average. A similar condition can be proved with respect to linear cryptanalysis as well. Thus, inserting decorrelation modules as an element in a block cipher is suggested in order to make it secure against differential and linear cryptanalysis.

It seems that surrounding a block cipher with key-dependent decorrelation modules is a stronger measure than adding pre/post key whitening.¹³ However, it turns out that in the case of DES, due to the complementation property, this leads to related-key attacks which are significantly stronger than the best known attacks on DESX in the related-key model.

Consider the block cipher Decorrelation-DES, defined as

$$E_{(K_0,K_1),K_2,(K_3,K_4)} (P) = M_1\bigl(\mathit{DES}_{K_2} \bigl(M_0(P)\bigr)\bigr), $$

where M ₀(X)=(X⊕K ₀)⋅K ₁, M ₁(X)=(X⊕K ₃)⋅K ₄, and K ₁≠0,K ₄≠0.

Consider two plaintext/ciphertext pairs (P,C) and (P ^∗,C ^∗), encrypted under the keys (K ₀,K ₁,K ₂,K ₃,K ₄) and \((K_{0},K_{1},\overline{K_{2}},K_{3},K_{4})\), respectively. Assume that the plaintext pair (P,P ^∗) satisfies

$$M_0(P) \oplus M_0\bigl(P^*\bigr) = \bigl(P \oplus P^* \bigr) \cdot K_1 = FF\ldots FF_x. $$

Then, by the complementation property of DES, we have

$$\mathit{DES}_{K_2}\bigl(M_0(P)\bigr) \oplus \mathit{DES}_{\overline{K_2}} \bigl(M_0\bigl(P^*\bigr)\bigr) = FF\ldots FF_x. $$

Since for a fixed key, the decorrelation module M ₁ is linear, this implies

$$ C \oplus C^* = M_1\bigl(\mathit{DES}_{K_2} \bigl(M_0(P)\bigr)\bigr) \oplus M_1\bigl(\mathit{DES}_{\overline{K_2}} \bigl(M_0\bigl(P^*\bigr)\bigr)\bigr) = FF\ldots FF_x \cdot K_4. $$

(16)

As the right-hand side of Eq. (16) does not depend on the plaintexts, one can mount an attack similar to the attack on Addition DESX presented in Sect. 8.1, with the pair (P⊕a,P ^∗⊕a) considered instead of the pair (P+a,P ^∗−a). The data and time complexities of the attack are exactly the same as the complexities of the attack on Addition DESX (including its known plaintext variant), and the attack allows recovering the subkeys K ₁ and K ₄.

Note that after recovering these subkeys, the cipher is equivalent (up to pre/post multiplication by known constants) to

$$E_{K'_0,K_2,K'_3}(P) = \mathit{DES}_{K_2}\bigl(P \oplus K'_0 \bigr) \oplus K'_3, $$

that is, to DESX!¹⁴ Hence, our attack shows that with respect to the related-key model, surrounding DES by decorrelation modules may be weaker than adding pre/post key whitening, since it does not increase the security and on the other hand, it allows the adversary to retrieve part of the secret key efficiently.¹⁵

9 Open Problems

We conclude this paper with a few open problems and topics for further research that arise naturally from our results.

Memoryless Attacks on EM with D≪2^n/2

In Sect. 6, we showed that a lower bound on the memory complexity of attacks on EM cannot be obtained in general, by presenting a memoryless attack with D=T=2^n/2. However, our attack is based on the slide-with-a-twist technique, which is applicable only for D≥2^n/2. What can be said about the case D≪2^n/2?

At first glance, it seems that we can obtain a memoryless attack by adapting the slidex attack described in Sect. 3.2, in the same way like the slide-with-a-twist attack is adapted to the memoryless scenario in Sect. 6. However, it appears that such an adaptation does not work. The main obstacle is that the adversary has to reuse the data many times in order to construct the hash tables for different values of Δ, and this can be done only if the data is stored somewhere rather than used in an on-line manner which discards it after computing the next plaintext. This leads to the following open problem:

Problem 1

Does there exist a memoryless attack on the Even–Mansour scheme with D E-oracle queries and 2ⁿ/D \(\mathcal{F}\)-oracle queries, where D≪2^n/2?

A similar question can be asked with respect to the Single-Key Even–Mansour scheme, where in addition to the slidex attack, the simple attack presented in Sect. 4.2 can also break the scheme when D≪2^n/2. The attack of Sect. 4.2 can also be transformed to a memoryless attack, by defining a random function

$$\mathcal{H}(X) = \left\{ \begin{array}{l@{\quad}l} X \oplus E(X), & \mathit{LSB}(X)=1, \\ X \oplus\mathcal{F}(X), & \mathit{LSB}(X)=0, \end{array} \right. $$

and using Floyd’s cycle finding algorithm to find a collision of \(\mathcal{H}\). In the case when D and T are both close to 2^n/2, with a constant probability such collision yields a pair (X ₁,X ₂) such that \(X_{1} \oplus E(X_{1}) = X_{2} \oplus \mathcal{F}(X_{2})\), concluding the attack. The problem is that if D≪2^n/2, then with overwhelming probability, a collision in \(\mathcal{H}\) is of the form \(X_{1} \oplus\mathcal{F}(X_{1}) = X_{2} \oplus\mathcal{F}(X_{2})\), which is not useful to the adversary. Therefore, we state an additional open problem:

Problem 2

Does there exist a memoryless attack on the Single-Key Even–Mansour scheme with D E-oracle queries and 2ⁿ/D \(\mathcal{F}\)-oracle queries, where D≪2^n/2?

If such a memoryless attack can be found only for Single-Key EM and not for the ordinary EM, this will show that at least in some respect, the use of an additional key in EM does make the scheme stronger.

Multi-Round Even–Mansour Construction

The standard security notion for block ciphers (that was used, e.g., in the AES competition) states that a block cipher provides n-bit security if any attack that can break it in the single-user setting requires at least 2ⁿ data, time, or memory. An n-bit key block cipher is considered secure if it provides n-bit security.

According to this notion, the Even–Mansour construction is not secure, as it has a 2n-bit key and provides only n/2-bit security (due to the attacks with data and time complexity of 2^n/2). Single-key EM is better in this sense, as it provides n/2-bit security while using an n-bit key, but is still far from security level equal to the key length.

A natural way to increase the security of EM while preserving its general structure is to use several consecutive rounds of EM, that is,

$$\mathit{EM}_r(X) = K \oplus P_r\bigl(K \oplus P_{r-1} \bigl(K \oplus\bigl(\cdots \bigl(K \oplus P_1(K \oplus X)\bigr)\bigr) \bigr)\bigr), $$

where K is the secret key, and P ₁,…,P _r are publicly known permutations.

This extension was studied in several recent papers (e.g., [7, 20, 29]) with respect to its security in the indistinguishability model, and served as the basis to the design of several block ciphers, such as LED and Zorro.

In [24], Nicolic et al. presented an attack on EM ₂ (i.e., two-round EM) with data, memory, and time complexities of roughly 2^n−logn. Recently, Dinur et al. [11] enhanced the attack to target EM ₃ with similar data, memory, and time complexities.

Based on these works, we state an additional open problem:

Problem 3

What is the minimal number of rounds r such that any attack on r-round EM requires at least 2ⁿ data, time or memory?

Other Applications of the Slidex Technique

In this paper, we presented three new slide-type attacks: the slidex attack, the mirror slidex attack, and the addition slidex attack. We applied them to the Even–Mansour construction and to variants of several block ciphers, such as GOST and DESX. We believe that the generic form of the techniques can make them applicable to other block ciphers as well. Hence, we conclude the paper with a quest:

Problem 4

Find other applications of the new slide-type techniques proposed in this paper.