International Association for Cryptologic Research

IACR News item: 30 August 2025

Elena Andreeva, Amit Singh Bhati, Andreas Weninger
ePrint Report
The Iterated Even-Mansour (IEM) construction was introduced by Bogdanov et al. at EUROCRYPT 2012 and can be seen as an abstraction or idealization of blockciphers like AES. IEM provides insights into the soundness of this blockcipher structure and the best possible security for any number of rounds. IEM with $r$ permutations on $n$-bit blocks is secure up to $q \approx 2^{rn/(r+1)}$ queries to the cipher and each permutation.

Forkciphers, introduced at ASIACRYPT 2019 as expanding symmetric ciphers, have since found applications in encryption, authenticated encryption and key derivation. Kim et al. (ToSC 2020) proposed the first IEM-style forkcipher, FTEM, but their security proof is limited to a 2-round design with tweak processing based on XORing AXU hashes. This offers limited insight into practical forkciphers like ForkSkinny, which use 40 to 56 rounds and a different tweak schedule. No security results currently exist for forked IEM constructions with more than two rounds. We propose a generalized forked IEM construction called GIEM which integrates any tweakey schedule (including tweak-dependent round keys or constant keys) and thus encompasses IEM, FTEM and similar IEM-related constructions.

We define three forkcipher-related instantiations, FEM (2 branches and no tweaks), FTEMid (2 branches and idealized tweakey schedule) and MFTEM (unlimited branches and AXU-based tweakey schedule). We prove that each construction achieves security similar to the respective non-forked construction. This shows the soundness of the forking design strategy and can serve as a basis for new constructions with more than two branches.
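As an added illustration, not code from the paper or its authors, the Python below models the iterated Even-Mansour round structure described above (key XOR, public permutation, key XOR, repeated for r rounds) and a toy two-branch fork of it in the spirit of the FEM instantiation. The 8-bit block size, the seeded table-based "public permutations", the constructed round keys, and the assumed fork shape (common IEM rounds followed by two independent branch round sequences) are all assumptions made for the example; the paper's exact FEM, FTEMid and MFTEM definitions are not reproduced here. It also exposes the forkcipher reconstruction operation (computing one branch's output from the other's) and the query bound exponent rn/(r+1) quoted in the first paragraph.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

# Toy parameters: n = 8-bit blocks so each "public random permutation" can be
# tabulated explicitly. A real instantiation would use n = 128 (assumption).
N_BITS = 8
BLOCK = 1 << N_BITS

Perm = Tuple[List[int], List[int]]  # (forward table, inverse table)

def random_permutation(seed: int) -> Perm:
    """Stand-in for an ideal public permutation: a seeded PRNG shuffle (not cryptographic)."""
    rng = random.Random(seed)
    fwd = list(range(BLOCK))
    rng.shuffle(fwd)
    inv = [0] * BLOCK
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv

def rounds_forward(x: int, perms: List[Perm], keys: List[int]) -> int:
    """One IEM round per entry: apply P_i, then XOR the round key k_i."""
    for (fwd, _), k in zip(perms, keys):
        x = fwd[x] ^ k
    return x

def rounds_backward(y: int, perms: List[Perm], keys: List[int]) -> int:
    """Undo rounds_forward: XOR k_i, then apply P_i^{-1}, in reverse round order."""
    for (_, inv), k in reversed(list(zip(perms, keys))):
        y = inv[y ^ k]
    return y

def iem_encrypt(x: int, perms: List[Perm], keys: List[int]) -> int:
    """r-round IEM: E(x) = P_r(...P_1(x ^ k_0) ^ k_1 ...) ^ k_r, so keys has r + 1 entries."""
    assert len(keys) == len(perms) + 1
    return rounds_forward(x ^ keys[0], perms, keys[1:])

def iem_decrypt(y: int, perms: List[Perm], keys: List[int]) -> int:
    assert len(keys) == len(perms) + 1
    return rounds_backward(y, perms, keys[1:]) ^ keys[0]

@dataclass
class ForkEM:
    """Toy two-branch forked IEM (assumed shape): r_c common IEM rounds, then the
    state is processed by two independent round sequences giving two outputs."""
    common_perms: List[Perm]
    common_keys: List[int]                       # r_c + 1 keys
    branch_perms: Tuple[List[Perm], List[Perm]]
    branch_keys: Tuple[List[int], List[int]]     # one key per branch round

def fem_encrypt(x: int, f: ForkEM) -> Tuple[int, int]:
    mid = iem_encrypt(x, f.common_perms, f.common_keys)
    return tuple(rounds_forward(mid, f.branch_perms[b], f.branch_keys[b]) for b in (0, 1))

def fem_decrypt(c: int, b: int, f: ForkEM) -> int:
    """Recover the plaintext from the output of branch b."""
    mid = rounds_backward(c, f.branch_perms[b], f.branch_keys[b])
    return iem_decrypt(mid, f.common_perms, f.common_keys)

def fem_reconstruct(c: int, b: int, f: ForkEM) -> int:
    """Reconstruction: derive the other branch's output from branch b's output
    without returning to the plaintext (only the branch rounds are traversed)."""
    mid = rounds_backward(c, f.branch_perms[b], f.branch_keys[b])
    return rounds_forward(mid, f.branch_perms[1 - b], f.branch_keys[1 - b])

def query_bound_log2(n: int, r: int) -> float:
    """log2 of the IEM query bound q ~ 2^{rn/(r+1)} from the abstract."""
    return r * n / (r + 1)

def build_example(r_common: int = 2, r_branch: int = 2, seed: int = 2025) -> ForkEM:
    """Constructed toy instance: seeded permutations and PRNG-drawn round keys."""
    rng = random.Random(seed)
    perms = [random_permutation(seed + i) for i in range(r_common + 2 * r_branch)]
    keys = [rng.randrange(BLOCK) for _ in range(r_common + 1 + 2 * r_branch)]
    return ForkEM(
        common_perms=perms[:r_common],
        common_keys=keys[:r_common + 1],
        branch_perms=(perms[r_common:r_common + r_branch], perms[r_common + r_branch:]),
        branch_keys=(keys[r_common + 1:r_common + 1 + r_branch], keys[r_common + 1 + r_branch:]),
    )

def self_check(f: ForkEM) -> bool:
    """Each branch inverts correctly, is a permutation of the block space,
    and reconstruction agrees with direct encryption, over every input."""
    outs = [set(), set()]
    for x in range(BLOCK):
        c0, c1 = fem_encrypt(x, f)
        outs[0].add(c0)
        outs[1].add(c1)
        if fem_decrypt(c0, 0, f) != x or fem_decrypt(c1, 1, f) != x:
            return False
        if fem_reconstruct(c0, 0, f) != c1 or fem_reconstruct(c1, 1, f) != c0:
            return False
    return len(outs[0]) == BLOCK and len(outs[1]) == BLOCK

if __name__ == "__main__":
    f = build_example()
    print("self-check:", self_check(f))
    print("bound bits for n=128: r=1 ->", query_bound_log2(128, 1), "r=5 ->", query_bound_log2(128, 5))
```

The self-check walks the whole (tiny) block space, which is what makes the 8-bit toy useful: it confirms that both branches are bijections and that reconstruction from either branch matches the direct forward computation, the two properties a forkcipher is expected to provide regardless of how the rounds are instantiated.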

In their work, Bogdanov et al. also propose an attack against IEM using $q \approx 2^{rn/(r+1)}$ queries, which a number of follow-up works use to argue the tightness of IEM-related security bounds. In this work, we demonstrate that the attack is ineffective with the specified query complexity. To salvage the purported tightness results, we turn to an attack by Gaži (CRYPTO 2013) against cascaded block ciphers and provide the necessary parameters to apply it to IEM. This validates the tightness of the known IEM security bound.