Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Abstract. Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle P and XORs different keys prior to and after applying P: C = k2 ⊕ P(M ⊕ k1). They did not, however, describe how one could instantiate such a permutation securely. It is a fundamental open problem whether their construction could be proved secure outside the random permutation oracle model. We resolve this question in the affirmative by showing that the construction can be proved secure in the random function oracle model. In particular, we show that the random permutation oracle in their scheme can be replaced by a construction that utilizes a four-round Feistel network (where each round function is a random function oracle publicly computable by all parties including the adversary). Further, we prove that the resulting cipher is super pseudorandom – the adversary’s distinguishing advantage is at most 2q^2/2^n if he makes q total queries to the ciph...
Craig Gentry, Zulfikar Ramzan
Added: 30 Jun 2010
Updated: 30 Jun 2010
Type: Conference
Year: 2004
Authors: Craig Gentry, Zulfikar Ramzan
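The construction in the abstract, C = k2 ⊕ P(M ⊕ k1) with P built as a four-round Feistel network over public round functions, sketched as an added example (not code from the paper or its authors). Assumptions: a 256-bit block, and SHA-256 with a per-round prefix as a heuristic stand-in for the four random function oracles; all function names are hypothetical.

```python
import hashlib
import secrets

HALF = 16          # bytes per Feistel half (assumed block size: 256 bits)
BLOCK = 2 * HALF

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(i: int, x: bytes) -> bytes:
    # Public, keyless round function i. SHA-256 with a domain-separation
    # prefix stands in for the i-th random function oracle (assumption).
    return hashlib.sha256(b"EM-Feistel-round-%d|" % i + x).digest()[:HALF]

def feistel(block: bytes) -> bytes:
    # Four-round Feistel permutation P; computable by every party.
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, xor(left, round_fn(i, right))
    return left + right

def feistel_inv(block: bytes) -> bytes:
    # P^-1 is equally public: undo the rounds in reverse order.
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = xor(right, round_fn(i, left)), left
    return left + right

def _check(*parts: bytes) -> None:
    # zip() in xor() would silently truncate, so reject bad lengths here.
    if any(len(p) != BLOCK for p in parts):
        raise ValueError("keys and blocks must be %d bytes" % BLOCK)

def encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    _check(k1, k2, m)
    return xor(k2, feistel(xor(m, k1)))        # C = k2 XOR P(M XOR k1)

def decrypt(k1: bytes, k2: bytes, c: bytes) -> bytes:
    _check(k1, k2, c)
    return xor(k1, feistel_inv(xor(c, k2)))    # M = k1 XOR P^-1(C XOR k2)

def demo() -> bool:
    k1, k2 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    m = b"constructed sample block".ljust(BLOCK, b"\x00")  # constructed input
    return decrypt(k1, k2, encrypt(k1, k2, m)) == m

if __name__ == "__main__":
    print("round trip ok:", demo())
```

Because P and its inverse are public, all secrecy rests on the whitening keys k1 and k2; the paper's bound is stated for random function oracles and does not transfer automatically to a concrete hash.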