{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T07:48:32Z","timestamp":1781077712321,"version":"3.54.1"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2018,5,16]],"date-time":"2018-05-16T00:00:00Z","timestamp":1526428800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2018,10]]},"DOI":"10.1007\/s00145-018-9295-y","type":"journal-article","created":{"date-parts":[[2018,5,16]],"date-time":"2018-05-16T19:30:45Z","timestamp":1526499045000},"page":"1064-1119","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":20,"title":["Minimizing the Two-Round Even\u2013Mansour Cipher"],"prefix":"10.1007","volume":"31","author":[{"given":"Shan","family":"Chen","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Rodolphe","family":"Lampe","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jooyoung","family":"Lee","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yannick","family":"Seurin","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"John","family":"Steinberger","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2018,5,16]]},"reference":[{"key":"9295_CR1","doi-asserted-by":"crossref","unstructured":"E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the Indifferentiability of Key-Alternating Ciphers. in Ran Canetti and Juan A. 
Garay, editors, Advances in Cryptology\u2014CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 531\u2013550. \n                    http:\/\/eprint.iacr.org\/2013\/061","DOI":"10.1007\/978-3-642-40041-4_29"},{"issue":"2","key":"9295_CR2","doi-asserted-by":"publisher","first-page":"786","DOI":"10.1137\/07067917X","volume":"22","author":"N Alon","year":"2008","unstructured":"N. Alon, T. Kaufman, M. Krivelevich, D. Ron, Testing triangle-freeness in general graphs. SIAM J. Discrete Math., 22(2), 786\u2013819 (2008)","journal-title":"SIAM J. Discrete Math."},{"key":"9295_CR3","unstructured":"L. Babai, The Fourier transform and equations over finite Abelian groups: an introduction to the method of trigonometric sums. Lecture notes, (December 1989). \n                    http:\/\/people.cs.uchicago.edu\/~laci\/reu02\/fourier.pdf"},{"key":"9295_CR4","doi-asserted-by":"crossref","unstructured":"A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in Pascal Paillier and Ingrid Verbauwhede, editors, Cryptographic Hardware and Embedded Systems\u2014CHES 2007, volume 4727 of LNCS (Springer, 2007), pp. 450\u2013466","DOI":"10.1007\/978-3-540-74735-2_31"},{"key":"9295_CR5","doi-asserted-by":"crossref","unstructured":"A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations\u2013(extended abstract), in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology\u2014EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 45\u201362","DOI":"10.1007\/978-3-642-29011-4_5"},{"key":"9295_CR6","doi-asserted-by":"crossref","unstructured":"A. Biryukov, D. Wagner, Slide attacks, in L.R. Knudsen, editor, Fast Software Encryption\u2013FSE \u201999, volume 1636 of LNCS (Springer, 1999), pp. 
245\u2013259","DOI":"10.1007\/3-540-48519-8_18"},{"key":"9295_CR7","doi-asserted-by":"crossref","unstructured":"A. Biryukov, D. Wagner, Advanced slide attacks, in Bart Preneel, editor, Advances in Cryptology\u2014EUROCRYPT 2000, volume 1807 of LNCS (Springer, 2000), pp. 589\u2013606","DOI":"10.1007\/3-540-45539-6_41"},{"key":"9295_CR8","doi-asserted-by":"crossref","unstructured":"S. Chen, J. Steinberger, Tight security bounds for key-alternating ciphers. In Phong\u00a0Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology\u2014EUROCRYPT 2014, volume 8441 of LNCS (Springer, 2014), pp. 327\u2013350. \n                    http:\/\/eprint.iacr.org\/2013\/222","DOI":"10.1007\/978-3-642-55220-5_19"},{"key":"9295_CR9","doi-asserted-by":"crossref","unstructured":"J. Daemen, Limitations of the Even\u2013Mansour construction. In Hideki Imai, Ronald\u00a0L. Rivest, and Tsutomu Matsumoto, editors, Advances in Cryptology\u2014ASIACRYPT\u00a0\u201991, volume 739 of LNCS (Springer, 1991), pp. 495\u2013498","DOI":"10.1007\/3-540-57332-1_46"},{"key":"9295_CR10","doi-asserted-by":"crossref","unstructured":"I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Key recovery attacks on 3-round Even\u2013Mansour, 8-step LED-128, and full $$\\text{AES}^{2}$$. In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology\u2013ASIACRYPT 2013 (Proceedings, Part I), volume 8269 of LNCS (Springer, 2013), pp. 337\u2013356. \n                    http:\/\/eprint.iacr.org\/2013\/391","DOI":"10.1007\/978-3-642-42033-7_18"},{"key":"9295_CR11","doi-asserted-by":"crossref","unstructured":"I. Dinur, O. Dunkelman, N. Keller, A. 
Shamir, Cryptanalysis of iterated Even\u2013Mansour schemes with two keys. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology\u2013ASIACRYPT 2014 (Proceedings, Part I), volume 8873 of LNCS (Springer, 2014), pp. 439\u2013457. \n                    http:\/\/eprint.iacr.org\/2013\/674","DOI":"10.1007\/978-3-662-45611-8_23"},{"key":"9295_CR12","doi-asserted-by":"crossref","unstructured":"O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even\u2013Mansour scheme revisited, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology\u2014EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 336\u2013354.","DOI":"10.1007\/978-3-642-29011-4_21"},{"key":"9295_CR13","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-04722-4","volume-title":"The design of Rijndael: AES\u2014the advanced encryption standard","author":"J Daemen","year":"2002","unstructured":"J. Daemen, V. Rijmen, The design of Rijndael: AES\u2014the advanced encryption standard. Springer, Berlin(2002)"},{"key":"9295_CR14","unstructured":"J. Daemen, V. Rijmen, Probability distributions of correlations and differentials in block ciphers. IACR Cryptology ePrint Archive, Report 2005\/212, (2005). \n                    http:\/\/eprint.iacr.org\/2005\/212.pdf"},{"issue":"3","key":"9295_CR15","doi-asserted-by":"publisher","first-page":"151","DOI":"10.1007\/s001459900025","volume":"10","author":"S Even","year":"1997","unstructured":"S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol., 10(3), 151\u2013162 (1997)","journal-title":"J. Cryptol."},{"key":"9295_CR16","doi-asserted-by":"crossref","unstructured":"P. Gazi, Plain versus randomized cascading-based key-length extension for block ciphers, in Ran Canetti and Juan\u00a0A. Garay, editors, Advances in Cryptology\u2014CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 
551\u2013570","DOI":"10.1007\/978-3-642-40041-4_30"},{"key":"9295_CR17","doi-asserted-by":"crossref","unstructured":"S.W. Golomb, G. Gong, L. Mittenthal, Constructions of orthomorphisms of $$\\mathbb{Z}_n^2$$, in Dieter Jungnickel and Harald Niederreiter, editors, Proceedings of The Fifth International Conference on Finite Fields and Applications (Springer, 1999), pp. 178\u2013195","DOI":"10.1007\/978-3-642-56755-1_15"},{"key":"9295_CR18","doi-asserted-by":"crossref","unstructured":"J. Guo, T. Peyrin, A. Poschmann, M.J.B. Robshaw, The LED block cipher, in Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems\u2013CHES 2011, volume 6917 of LNCS (Springer, 2011), pp. 326\u2013341","DOI":"10.1007\/978-3-642-23951-9_22"},{"key":"9295_CR19","doi-asserted-by":"crossref","unstructured":"P. Gazi, S. Tessaro, Efficient and optimally secure key-length extension for block ciphers via randomized cascading, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology\u2013EUROCRYPT 2012, volume 7237 of LNCS (Springer, 2012), pp. 63\u201380","DOI":"10.1007\/978-3-642-29011-4_6"},{"key":"9295_CR20","unstructured":"T.P. Hayes, A large-deviation inequality for vector-valued martingales. \n                    http:\/\/www.cs.unm.edu\/~hayes\/papers\/VectorAzuma\n                    \n                   (2005)"},{"key":"9295_CR21","doi-asserted-by":"crossref","unstructured":"P. Junod, S. Vaudenay, FOX: a new family of block ciphers, in Helena Handschuh, M.\u00a0Anwar Hasan, editors, Selected Areas in Cryptography\u2013SAC 2004, volume 3357 of LNCS (Springer, 2004), pp. 
114\u2013129","DOI":"10.1007\/978-3-540-30564-4_8"},{"key":"9295_CR22","doi-asserted-by":"crossref","unstructured":"E. Kiltz, K. Pietrzak, M. Szegedy, Digital signatures with minimal overhead from indifferentiable random invertible functions, in Ran Canetti, Juan\u00a0A. Garay, editors, Advances in Cryptology\u2014CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS (Springer, 2013), pp. 571\u2013588","DOI":"10.1007\/978-3-642-40041-4_31"},{"issue":"1","key":"9295_CR23","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/s001450010015","volume":"14","author":"J Kilian","year":"2001","unstructured":"J. Kilian, P. Rogaway, How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol.\n                           14(1), 17\u201335 (2001)","journal-title":"J. Cryptol."},{"key":"9295_CR24","doi-asserted-by":"crossref","unstructured":"J. Lee, Towards key-length extension with optimal security: cascade encryption and xor-cascade encryption, in Thomas Johansson, Phong\u00a0Q. Nguyen, editors, Advances in Cryptology\u2014EUROCRYPT 2013, volume 7881 of LNCS (Springer, 2013), pp. 405\u2013425","DOI":"10.1007\/978-3-642-38348-9_25"},{"key":"9295_CR25","doi-asserted-by":"crossref","unstructured":"X. Lai, J.L. Massey, A proposal for a new block encryption standard, in Ivan Damg\u00e5rd, editor, Advances in Cryptology\u2014EUROCRYPT \u201990, volume 473 of LNCS (Springer, 1990), pp. 389\u2013404","DOI":"10.1007\/3-540-46877-3_35"},{"key":"9295_CR26","doi-asserted-by":"crossref","unstructured":"R. Lampe, J. Patarin, Y. Seurin, An asymptotically tight security analysis of the iterated Even\u2013Mansour cipher, in Xiaoyun Wang, Kazue Sako, editors, Advances in Cryptology\u2014ASIACRYPT 2012, volume 7658 of LNCS (Springer, 2012), pp. 278\u2013295","DOI":"10.1007\/978-3-642-34961-4_18"},{"key":"9295_CR27","doi-asserted-by":"crossref","unstructured":"R. Lampe, Y. 
Seurin, How to construct an ideal cipher from a small set of public permutations, in Kazue Sako, Palash Sarkar, editors, Advances in Cryptology\u2014ASIACRYPT 2013 (Proceedings, Part I), volume 8269 of LNCS (Springer, 2013) pp. 444\u2013463. \n                    http:\/\/eprint.iacr.org\/2013\/255","DOI":"10.1007\/978-3-642-42033-7_23"},{"issue":"1","key":"9295_CR28","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1006\/aama.1995.1003","volume":"16","author":"L Mittenthal","year":"1995","unstructured":"L. Mittenthal, Block substitutions using orthomorphic mappings. Adv. Appl. Math.\n                           16(1), 59\u201371 (1995)","journal-title":"Adv. Appl. Math."},{"key":"9295_CR29","doi-asserted-by":"crossref","unstructured":"I. Nikolic, L. Wang, S. Wu, Cryptanalysis of round-reduced LED, in Shiho Moriai, editor, Fast Software Encryption\u2014FSE 2013, volume 8424 of LNCS (Springer, 2013), pp. 112\u2013129","DOI":"10.1007\/978-3-662-43933-3_7"},{"key":"9295_CR30","doi-asserted-by":"crossref","unstructured":"J. Patarin, The \u201cCoefficients H\u201d technique, in Roberto\u00a0Maria Avanzi, Liam Keliher, Francesco Sica, editors, Selected Areas in Cryptography\u2014SAC 2008, volume 5381 of LNCS (Springer, 2008), pp. 328\u2013345","DOI":"10.1007\/978-3-642-04159-4_21"},{"key":"9295_CR31","unstructured":"J. Steinberger, Improved security bounds for key-alternating ciphers via Hellinger distance. IACR Cryptology ePrint Archive, Report 2012\/481, (2012). \n                    http:\/\/eprint.iacr.org\/2012\/481"},{"key":"9295_CR32","unstructured":"J. Steinberger, Counting solutions to additive equations in random sets. arXiv Report 1309.5582, (2013). \n                    http:\/\/arxiv.org\/abs\/1309.5582"},{"key":"9295_CR33","doi-asserted-by":"crossref","unstructured":"S. Vaudenay, On the Lai-Massey scheme, in Kwok-Yan Lam, Eiji Okamoto, Chaoping Xing, editors, Advances in Cryptology\u2014ASIACRYPT \u201999, volume 1716 of LNCS (Springer, 1999), pp. 
8\u201319","DOI":"10.1007\/978-3-540-48000-6_2"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-018-9295-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9295-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9295-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,4,8]],"date-time":"2020-04-08T08:08:53Z","timestamp":1586333333000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-018-9295-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5,16]]},"references-count":33,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2018,10]]}},"alternative-id":["9295"],"URL":"https:\/\/doi.org\/10.1007\/s00145-018-9295-y","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,5,16]]},"assertion":[{"value":"18 December 2014","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 January 2018","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 May 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}