01696nas a2200145 4500008004100000245005300041210005100094260001500145520127900160100001901439700001401458700001901472700002201491856003701513 2022 eng d00aPost-Quantum Security of the Even-Mansour Cipher0 aPostQuantum Security of the EvenMansour Cipher c12/14/20213 a
The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation E from a public random permutation~P:{0,1}n→{0,1}n. It is secure against classical attacks, with optimal attacks requiring qE queries to E and qP queries to P such that qE⋅qP≈2n. If the attacker is given \emph{quantum} access to both E and P, however, the cipher is completely insecure, with attacks using qE,qP=O(n) queries known. In any plausible real-world setting, however, a quantum attacker would have only \emph{classical} access to the keyed permutation~E implemented by honest parties, even while retaining quantum access to~P. Attacks in this setting with qE⋅q2P≈2n are known, showing that security degrades as compared to the purely classical case, but leaving open the question as to whether the Even-Mansour cipher can still be proven secure in this natural, "post-quantum" setting. We resolve this question, showing that any attack in that setting requires qE⋅q2P+qP⋅q2E≈2n. Our results apply to both the two-key and single-key variants of Even-Mansour. Along the way, we establish several generalizations of results from prior work on quantum-query lower bounds that may be of independent interest.
1 aAlagic, Gorjan1 aBai, Chen1 aKatz, Jonathan1 aMajenz, Christian uhttps://arxiv.org/abs/2112.07530