[Cryptography] Just found about Even-Mansour
Ryan Carboni
ryacko at gmail.com
Tue Sep 30 22:52:49 EDT 2014
>
> I think you need to read their paper more carefully. They assume the
> enemy has oracles that give permutation output for any input & vice
> versa, and define the time T to break the cipher as the number of
> calls to those oracles required. This is roughly equivalent to
> assuming a broken block cipher and asking how many cipher iterations
> you need to find the whitening.
>
> What they prove is a lower bound; for an n-bit permutation, 2n bits of
> whitening and D known or chosen plaintexts, you have:
>
> DT >= 2^n
>
> With 2^(n/2) chosen plaintexts, that only gives T > 2^(n/2) which is
> not necessarily secure.
I'm just saying, the bare minimum of security a block cipher is capable of
is half of it's block size. Thus if one uses a 256-bit block cipher with a
128-bit key, it would never be "theoretically" broken.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140930/3fc37251/attachment.html>
More information about the cryptography
mailing list