On the indifferentiability of key-alternating ciphers

Elena Andreeva, Andrey Bogdanov, Yevgeniy Dodis, Bart Mennink, John P. Steinberger

Research output: Chapter in Book/Report/Conference proceedingConference contribution


The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.

Original languageEnglish (US)
Title of host publicationAdvances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings
Number of pages20
EditionPART 1
StatePublished - 2013
Event33rd Annual International Cryptology Conference, CRYPTO 2013 - Santa Barbara, CA, United States
Duration: Aug 18 2013Aug 22 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
NumberPART 1
Volume8042 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other33rd Annual International Cryptology Conference, CRYPTO 2013
Country/TerritoryUnited States
CitySanta Barbara, CA


  • Even-Mansour
  • ideal cipher
  • indifferentiability
  • key-alternating cipher

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'On the indifferentiability of key-alternating ciphers'. Together they form a unique fingerprint.

Cite this