https://hal.inria.fr/hal-02424902Leurent, GaëtanGaëtanLeurentSECRET - Security, Cryptology and Transmissions - Inria de Paris - Inria - Institut National de Recherche en Informatique et en AutomatiqueSibleyras, FerdinandFerdinandSibleyrasSECRET - Security, Cryptology and Transmissions - Inria de Paris - Inria - Institut National de Recherche en Informatique et en AutomatiqueLow-Memory Attacks against Two-Round Even-Mansour using the 3-XOR ProblemHAL CCSD2019Even-Mansour3-XORCryptanalysis[INFO.INFO-CR] Computer Science [cs]/Cryptography and Security [cs.CR]Leurent, GaëtanAlexandra BoldyrevaDaniele Micciancio2019-12-28 20:24:292022-06-08 12:50:052020-01-06 10:14:24enConference papershttps://hal.inria.fr/hal-02424902/document10.1007/978-3-030-26951-7_8application/pdf1The iterated Even-Mansour construction is an elegant construction that idealizes block cipher designs such as the AES. In this work we focus on the simplest variant, the 2-round Even-Mansour construction with a single key. This is the most minimal construction that offers security beyond the birthday bound: there is a security proof up to 2 2n/3 evaluations of the underlying permutations and encryption, and the best known attacks have a complexity of roughly 2 n /n operations. We show that attacking this scheme with block size n is related to the 3-XOR problem with element size = 2n, an important algorithmic problem that has been studied since the nineties. In particular the 3-XOR problem is known to require at least 2 /3 queries, and the best known algorithms require around 2 /2 / operations: this roughly matches the known bounds for the 2-round Even-Mansour scheme. Using this link we describe new attacks against the 2-round Even-Mansour scheme. In particular, we obtain the first algorithms where both the data and the memory complexity are significantly lower than 2 n. From a practical standpoint, previous works with a data and/or memory complexity close to 2 n are unlikely to be more efficient than a simple brute-force search over the key. Our best algorithm requires just λn known plaintex-t/ciphertext pairs, for some constant 0 < λ < 1, 2 n /λn time, and 2 λn memory. For instance, with n = 64 and λ = 1/2, the memory requirement is practical, and we gain a factor 32 over brute-force search. We also describe an algorithm with asymptotic complexity O(2 n ln 2 n/n 2), improving the previous asymptotic complexity of O(2 n /n), using a variant of the 3-SUM algorithm of Baran, Demaine, and Pǎtraşcu.