A Synthetic Indifferentiability Analysis of Interleaved Double-Key Even-Mansour Ciphers

Iterated Even-Mansour scheme (IEM) is a generalization of the basic 1-round proposal (ASIACRYPT '91). The scheme can use one key, two keys, or completely independent keys. Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time. This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys: IDEMr((k(1), k(2)), m) = k(i) circle plus (P-r( ... k(1) circle plus P-2(k(2) circle plus P-1(k(1) circle plus m)) ...)), where i = 2 when r is odd, and i = 1 when r is even. As results, this work proves that 15 rounds can achieve (full) indifferentiability from an ideal cipher with O(q(8)/2(n)) security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability (a notion introduced at TCC 2012) with O(q(6)/2(n)) security bound, so that IDEM7 is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.