Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

The Even–Mansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simple structure and strict provable security, and its study has been a hot topic in cryptography. This paper focuses on the problem of minimizing the key material of the Even–Mansour cipher while keeping its security bound essentially the same. We introduce four structures of the Even–Mansour cipher with a short key and derive their security by Patarin's H-coefficients technique. These four structures are proven secure up to $\tilde{O}(2^k/\mu)$ adversarial queries, where $k$ is the bit length of the key material and $\mu$ is the maximal multiplicity. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about $\min\{b/2, c, k - \log \mu\}$-bit adversarial queries, where $b$ is the size of the permutation and $c$ is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the $t$-round iterated Even–Mansour cipher with short keys.


Introduction
In recent years, more and more attention has been paid to lightweight cryptography as the smart home, the Internet of Things (IoT), smart transportation, and 5G/B5G networks have emerged. These new technologies have brought convenience to our lives but have also introduced powerful security threats, such as the leakage of the private data on our smart phones. Lightweight cryptography is an effective countermeasure against these threats, providing privacy and integrity protection for sensitive data. It is mainly used in resource-constrained devices. The block cipher has become a very vital lightweight symmetric-key primitive because of its speed, easy implementation, and easy standardization on these devices. It is often used to implement sensitive-data encryption, digital signatures, message authentication, and key encapsulation schemes in information security and network communication security. The $t$-round iterated Even-Mansour cipher is simply described as a purely permutation-based block cipher:

$y = P_t(P_{t-1}(\cdots P_1(x \oplus K_1) \oplus K_2 \cdots) \oplus K_t) \oplus K_{t+1}$, (1)

where $(K_1, K_2, \ldots, K_t, K_{t+1})$ is a sequence of $n$-bit round keys, usually derived from some master key, and $(P_1, P_2, \ldots, P_t)$ is a sequence of $t$ public random permutations. This iterated Even-Mansour cipher, also known as the key-alternating cipher, is of great significance in the design of block ciphers and is also favored in the design of lightweight cryptography. The security of the iterated Even-Mansour ciphers is based on the random permutation model (RPM). In the RPM, all permutations are modeled as public random permutation oracles; in other words, anyone can query these permutations and obtain the corresponding responses. The related research includes [1][2][3][4][5][6][7][8][9].
This paper focuses on the case $t = 1$. Even and Mansour [10] did pioneering work in 1997 and proved that it is birthday-bound secure. That is where the name "Even-Mansour cipher" comes from. The Even-Mansour cipher has some very nice properties, such as the simplest structure and strict provable security. Although research on the Even-Mansour cipher went unnoticed for years, gold will always shine: it has since become a very hot topic in cryptography. In 2012, Dunkelman et al. [11] pointed out that the Even-Mansour cipher is minimal, i.e., if any component (either one of the keys or the permutation) is removed, the Even-Mansour cipher becomes trivially breakable. In 2015, Cogliati et al. [12] introduced the tweakable Even-Mansour (TEM) cipher, which combines the Even-Mansour cipher with a tweak, and proved its security. Meanwhile, Mouha and Luykx [13] revisited the Even-Mansour cipher and analyzed its multikey security. do Nascimento and Xexeo [14] applied the Even-Mansour cipher to Internet of Things (IoT) environments and presented a flexible lightweight authenticated encryption mode in 2017. Following that, Cho et al. [15] presented WEM, a new family of white-box block ciphers based on the Even-Mansour cipher, which balances performance and security. Farshim et al. [16] analyzed the security of the Even-Mansour cipher under key-dependent messages. In 2018, we described a generalized tweakable Even-Mansour cipher and applied it to authentication and authenticated encryption modes [17].
In lightweight devices, storage resources are limited. Therefore, a vital issue in the design of lightweight ciphers is the minimalism and agility of the key material. In this paper, we revisit the Even-Mansour cipher and consider the problem of whether we can use the least key material to achieve the same security bound. The Even-Mansour cipher is proven secure up to approximately $2^{k/2}$ adversarial queries, where $k$ is the bit-length of the key material. Can we decrease the key material and still achieve the same security bound (which must then be beyond the birthday bound)? We answer this question positively in this paper. We introduce four structures of the Even-Mansour cipher with a short key and present provable security results. More concretely, we derive their security up to $O(2^k/\mu)$ adversarial queries using Patarin's H-coefficients technique, where $k$ is the bit-length of the reduced key material and $\mu$ is the maximal multiplicity. The Even-Mansour cipher with a short key has many advantages, such as on-the-fly computation, avoiding the key schedule, and minimizing the key material. Therefore, it can be widely applied to resource-constrained lightweight devices. Then, we apply its four structures to lightweight authenticated encryption (AE) modes and prove their security up to about $\min\{b/2, c, k - \log \mu\}$-bit adversarial queries, where $b = r + c$ is the size of the permutation and $c$ (resp. $r$) is the capacity (resp. rate) of the permutation. Finally, we leave it as an open problem to settle the security of the $t$-round iterated Even-Mansour cipher with short keys. The rest of this paper is organized as follows. In Section 2, we introduce some preliminaries. In Section 3, we prove the security of the Even-Mansour cipher with a short key. Section 4 describes lightweight AE modes based on the four structures of the Even-Mansour cipher with a short key. Section 5 concludes the paper.

Preliminaries
Let $\{0,1\}^b$ be the set of binary strings of length $b$ and $N = 2^b$. For two strings $X$ and $Y$, let $X \| Y$ or $XY$ be the concatenation of $X$ and $Y$. Given a string $X$, we write $|X|$ for the length of $X$ in bits. Given a nonempty set $X$, let $x \leftarrow X$ denote an element $x$ drawn from $X$ uniformly at random and $\#X$ the cardinality of $X$. Let $\mathrm{Perm}(b)$ stand for the set of permutations on $\{0,1\}^b$. Let $A^O = 1$ be the event that an adversary $A$ outputs 1 after interacting with the oracle $O$. Here, $A$ never makes a query for which the response is already known. Let $\Pr[E]$ be the probability that the event $E$ occurs.

H-Coefficients Technique.
The H-coefficients technique introduced by Patarin [19] is a very important analytical method in symmetric-key cryptography. We briefly summarize it as follows. Consider an information-theoretic adversary $A$ whose goal is to distinguish a real world $X$ from an ideal world $Y$, and denote the distinguishing advantage of $A$ as
Without loss of generality, we can assume that $A$ is deterministic. The interaction with either of the two worlds $X$ or $Y$ is summarized in a transcript $\tau$. Denote by $D_X$ the probability distribution of transcripts when interacting with $X$, and similarly by $D_Y$ the distribution of transcripts when interacting with $Y$. A transcript $\tau$ is attainable if $\Pr[D_Y = \tau] > 0$, meaning that it can occur during interaction with $Y$. Let $\Gamma$ be the set of attainable transcripts. We denote by $\Gamma_1$ the set of good transcripts when interacting with $X$ ($Y$), and let $\Gamma_2$ be the set of bad transcripts, such that the probability of obtaining any $\tau \in \Gamma_2$ in the ideal world is small and $\Gamma = \Gamma_1 \cup \Gamma_2$.
Lemma 1 (H-coefficients lemma [19]). Fix a deterministic adversary $A$. Let $\Gamma = \Gamma_1 \cup \Gamma_2$ be a partition of the set of attainable transcripts. Assume that there exists $\epsilon_1$ such that for any $\tau \in \Gamma_1$, one has
and that there exists $\epsilon_2$ such that
Then, the advantage of the adversary $A$ is

The Even-Mansour Cipher with a Short Key
Fix a public permutation $P: \{0,1\}^b \to \{0,1\}^b$. The Even-Mansour cipher with a short key, called EM for short, is described in Figure 1. EM takes a uniform random key $K \in \{0,1\}^k$ and a plaintext $x \in \{0,1\}^b$ as inputs and outputs the ciphertext $y = \mathrm{EM}^P_K(x) \in \{0,1\}^b$. Let $\mathrm{pad}_1(K) = 0^{r-k} \| K$ and $\mathrm{pad}_2(K) = 0^{c-k} \| K$. The four structures of EM are, respectively, shown as follows:
We consider the security of the Even-Mansour cipher with a short key and obtain the following theorem.
The proof of Theorem 1 uses the H-coefficients technique. We consider an adversary $A$ which interacts with $X = (\mathrm{EM}^P_K, P)$ in the real world or with $Y = (Q, P)$ in the ideal world, where $P$ and $Q$ are uniform random and independent permutations and $K$ is a (dummy) key. We assume that the adversary $A$ makes at most $q_e$ construction queries and at most $q_p$ primitive queries. The transcripts can be expressed in the form $\tau = (Q_e, Q_p, K)$, where $Q_e = \{(x_i, y_i)\}_{i=1}^{q_e}$ and $Q_p = \{(u_j, v_j)\}_{j=1}^{q_p}$. We start by defining bad transcripts.
Definition 1. We define an attainable transcript $\tau = (Q_e, Q_p, K) \in \Gamma$ as bad if one of the two following conditions is fulfilled.
Otherwise, we say that $\tau$ is good. We denote by $\Gamma_{good}$, resp. $\Gamma_{bad}$, the set of good, resp. bad, transcripts, and $\Gamma = \Gamma_{good} \sqcup \Gamma_{bad}$.
In the real world $X$, a bad transcript implies that two invocations of $P$ exist with the same input: one directly from querying the primitive oracle $P$ and another indirectly from querying the construction oracle $\mathrm{EM}^P_K$, whereas for a good transcript all tuples in $(Q_e, Q_p)$ uniquely determine input-output pairs of $P$. In the ideal world $Y$, the above statement clearly holds for a bad transcript, while it does not for a good transcript. We first upper bound the probability of bad transcripts in the ideal world $Y$ by the following lemma.

Lemma 2
Proof. In the ideal world $Y$, $(Q_e, Q_p)$ is an attainable transcript with a dummy uniform random key $K \in \{0,1\}^k$. Here, we assume that an adversary $A$ makes at most $q_e$ construction queries and at most $q_p$ primitive queries. For each $(x, y) \in Q_e$ and each $(u, v) \in Q_p$, by the property of multiplicity we obtain at most $\mu_{fwd}$ (resp. $\mu_{bwd}$) tuples $(x, y)$ such that $x = u$ for structures (a) and (b) or $x = u$ for structures (c) and (d) (resp. $y = v$ for structures (a) and (d) or $y = v$ for structures (b) and (c)).
It follows that $\Pr(\mathrm{Bad}_1) \le \mu_{fwd} q_p / 2^k$ and $\Pr(\mathrm{Bad}_2) \le \mu_{bwd} q_p / 2^k$. Hence, the probability of bad transcripts in the ideal world $Y$ is at most $\mu q_p / 2^k$, where $\mu = \mu_{fwd} + \mu_{bwd}$.
We then analyze good transcripts and lower bound the

Lemma 3. For any good transcript $\tau$, one has
Proof. Consider a good transcript $\tau \in \Gamma_{good}$. Let $\Omega_X$ be the nonempty set of all possible oracles in the real world $X$ and $\Omega_Y$ the nonempty set of all possible oracles in the ideal world $Y$. Therefore, the cardinalities of $\Omega_X$ and $\Omega_Y$ are, respectively, $\#\Omega_X = (2^b)! \cdot 2^k$ and $\#\Omega_Y = ((2^b)!)^2 \cdot 2^k$. Let $\mathrm{comp}_X(\tau) \subseteq \Omega_X$ and $\mathrm{comp}_Y(\tau) \subseteq \Omega_Y$ be the two sets of oracles compatible with the transcript $\tau$. The probabilities appearing in Lemma 1 can be evaluated as follows:
First, we calculate $\#\mathrm{comp}_X(\tau)$. As $\tau \in \Gamma_{good}$ consists of $q_e + q_p$ query tuples and any query tuple in $\tau$ fixes exactly one input-output pair of the underlying permutation oracle, the number of possible oracles in the real world $X$ equals
Second, we calculate $\#\mathrm{comp}_Y(\tau)$. The number of possible oracles in the ideal world $Y$ equals $(2^b - q_p)!\,(2^b - q_e)!$, as $P$ and $Q$ are uniform random and independent permutations.
It follows that

Security and Communication Networks

Application to Lightweight Authenticated Encryption
With the rise of the smart home, IoT, and 5G/B5G networks, lightweight authenticated encryption (AE) modes are attracting more and more attention [20][21][22]. A lightweight AE mode is a lightweight symmetric-key cipher which provides both privacy and authenticity for the sensitive data on the devices. The Even-Mansour cipher with a short key can be directly applied to a lightweight AE mode, which is shown in Figure 2. It consists of an encryption algorithm $E$ and a decryption algorithm $D$. The encryption algorithm $E$ takes a plaintext $M$ and a key $K$ as inputs and returns a ciphertext $C$ and an authentication tag $T$, i.e., $C \| T = \mathrm{EM}^P_K(M \| 0^c) = E(K, M)$. The decryption algorithm $D$ takes a key $K$, a ciphertext $C$, and an authentication tag $T$ as inputs and returns a plaintext $M$ or a reject symbol $\bot$, i.e., $M/\bot = D(K, C, T)$. If the last $c$ bits of the EM decryption are $0^c$, then $D$ returns $M$; otherwise, $D$ returns $\bot$.
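As an added example (not the paper's own code), the following Python implements a short-key EM instance from Section 3 and the one-block AE mode Π = (E, D) just described over a toy 16-bit permutation, and checks that D accepts exactly a 1/2^c fraction of all (C, T) pairs, the per-attempt forgery probability used in the proof of Theorem 2. Two assumptions, since the page does not reproduce the four structures: P is a seeded random table standing in for a real lightweight permutation, and pad_1(K) is XORed into the rate part before and after P.

```python
import random

R, C = 8, 8             # rate r and capacity c in bits
B = R + C               # permutation width b = r + c
K_BITS = 6              # short key length k, with k <= min(r, c)
CAP_MASK = (1 << C) - 1

# Toy public permutation P on {0,1}^b: a fixed seeded table standing in for a
# real lightweight permutation (assumption: only its publicness and invertibility matter).
_rng = random.Random(2024)
P_TABLE = list(range(1 << B))
_rng.shuffle(P_TABLE)
P_INV = [0] * (1 << B)
for _x, _y in enumerate(P_TABLE):
    P_INV[_y] = _x

def pad1(key):
    """pad_1(K) = 0^(r-k) || K as an r-bit word (key in the low k bits)."""
    if not 0 <= key < (1 << K_BITS):
        raise ValueError("key must be k = %d bits" % K_BITS)
    return key

def em_encrypt(key, x):
    """EM^P_K(x) on a b-bit state laid out as rate || capacity.
    Assumed structure: pad_1(K) is XORed into the rate before and after P."""
    kw = pad1(key) << C
    return P_TABLE[x ^ kw] ^ kw

def em_decrypt(key, y):
    """Inverse of em_encrypt: undo the output key, apply P^{-1}, undo the input key."""
    kw = pad1(key) << C
    return P_INV[y ^ kw] ^ kw

def ae_encrypt(key, m):
    """E(K, M): C || T = EM^P_K(M || 0^c) for an r-bit block M."""
    y = em_encrypt(key, m << C)
    return y >> C, y & CAP_MASK

def ae_decrypt(key, c, t):
    """D(K, C, T): M if the last c bits of EM^{-1}_K(C || T) are 0^c, else None (reject)."""
    x = em_decrypt(key, (c << C) | t)
    return None if x & CAP_MASK else x >> C

def accepting_fraction(key):
    """Exact fraction of all (C, T) pairs that D accepts.  EM^{-1}_K is a bijection on
    {0,1}^b, so exactly 2^r states decrypt to a zero capacity: 2^r / 2^b = 1 / 2^c."""
    total = 1 << B
    hits = sum(ae_decrypt(key, s >> C, s & CAP_MASK) is not None for s in range(total))
    return hits / total
```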
Let $\Pi = (E, D)$ stand for our lightweight AE modes. We introduce the AE-security model as follows.
Definition 2 (AE security). Let $P$ be a public random permutation. Let $\Pi = (E, D)$ be a $P$-based AE scheme. Let $A$ be an adversary which interacts with $X = (E, D, P^{\pm})$ in the real world or $Y = (\$, \bot, P^{\pm})$ in the ideal world. Let $q, p > 0$. Then, the AE-security of $\Pi = (E, D)$ is defined as follows:
where $q$ is the number of queries to the encryption oracle $E$ or the decryption oracle $D$, $p$ is the number of queries to the random permutation $P$ or its inverse $P^{-1}$, $\$$ is a random function which always returns a fresh random response for each query, and $\bot$ is a symbol which stands for the failure of the decryption oracle.
Proof Sketch. Let $A$ be an adversary with access to the encryption oracle $E$, the decryption oracle $D$, and the random permutation $P$ or its inverse $P^{-1}$. $\Pi$ can be represented as an EM scheme. We replace the EM module by the random permutation $Q$. According to Theorem 1, we have
It follows that
where $q^2/2^b$ is obtained from the PRP-PRF Switching Lemma [23] and $q/2^c$ comes from the fact that the success probability of the adversary is $1/2^c$ for each forgery attempt. Combining equations (19) and (20), the result of Theorem 2 follows. According to Theorem 2, these lightweight AE modes ensure about $\min\{b/2, c, k - \log \mu\}$-bit AE security.

Conclusions
The key material is crucial for the secure implementation of cryptographic schemes. Most devices widely used in smart home, smart transportation, and Internet of Things (IoT) environments are resource constrained. Therefore, in the design of lightweight ciphers, a vital issue is the minimalism and agility of the key material.
In this paper, we revisit the Even-Mansour cipher and discuss the problem of whether we can use the least key material to achieve the same (even beyond conventional) security bound in the Even-Mansour cipher. We introduce four structures of the Even-Mansour cipher with a short key and derive security up to $O(2^k/\mu)$ adversarial queries, where $k$ is the bit-length of the key material and $\mu$ is the maximal multiplicity, using Patarin's H-coefficients technique. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about $\min\{b/2, c, k - \log \mu\}$-bit adversarial queries, where $b = r + c$ is the size of the permutation and $c$ is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the $t$-round iterated Even-Mansour cipher with short keys. The Even-Mansour cipher with a short key is proven to have $(k - \log \mu)$-bit security. It is natural to ask whether our result can be generalized to the $t$-round iterated Even-Mansour cipher, but the situation of the $t$-round iterated Even-Mansour cipher with short keys is more complicated. Therefore, we leave it as an open problem for further detailed analysis. The Even-Mansour cipher with a short key has many advantages, such as on-the-fly computation, avoiding the key schedule, and minimizing the area of the hardware implementation and the key material. Therefore, it can be widely applied to the data security of the smart home, the Internet of Things, and other lightweight devices.

Data Availability
The data used to support the findings of the study are available within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.