[Cryptography] Based on Even Mansour
Sandy Harris
sandyinchina at gmail.com
Mon Sep 29 11:35:35 EDT 2014
On Sat, Sep 27, 2014 at 8:37 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> Even Mansour is secure against 2^(n/2) chosen plaintexts.
I think you need to read their paper more carefully. They assume the
enemy has oracles that give permutation output for any input & vice
versa, and define the time T to break the cipher as the number of
calls to those oracles required. This is roughly equivalent to
assuming a broken block cipher and asking how many cipher iterations
you need to find the whitening.
What they prove is a lower bound; for an n-bit permutation, 2n bits of
whitening and D known or chosen plaintexts, you have:
DT >= 2^n
With 2^(n/2) chosen plaintexts, that only gives T > 2^(n/2) which is
not necessarily secure.
More information about the cryptography
mailing list