up:: Classical Cryptography MOC

Even-Mansour construction

The Even-Mansour construction is the minimal way to turn a single publicly known permutation into a secret-keyed block cipher, by XORing a secret key into the input, running the result through the public permutation, and XORing a second secret key into the output. Written out, it’s E(x) = P(x XOR k1) XOR k2, where P is a fixed permutation everyone knows and k1, k2 are the only secrets. Shimon Even and Yishay Mansour introduced it to answer a foundational question, namely how much a cipher actually needs in order to be secure, and the answer turned out to be almost nothing beyond two key-XORs around one permutation.

Its relevance to the quantum transition is precise rather than broad. The Even-Mansour construction and its key-whitening generalization (the FX construction) are the exact designs that the Simon’s-algorithm quantum attacks break, so it’s the worked example of how a symmetric construction can be weakened in a quantum model. It has nothing to say about the security of AES, which is built on entirely different foundations.

Source: Shimon Even and Yishay Mansour, “A Construction of a Cipher from a Single Pseudorandom Permutation,” Journal of Cryptology, vol. 10, no. 3, 1997, pp. 151-161 (first presented at ASIACRYPT 1991), link.springer.com.

The short version:

  • The Even-Mansour construction builds a block cipher from one public permutation P and two secret keys, as E(x) = P(x XOR k1) XOR k2. Nothing else.
  • Classically it’s provably strong for what it is. Any attack needs the product of its data and its permutation queries to reach about 2^n for an n-bit block, which lands real security near 2^(n/2).
  • It matters as theory. It’s the cleanest demonstration of what a secret key adds to a public function, and its key-whitening cousin, the FX construction, is how real ciphers like DESX, PRINCE, and PRIDE harden a cipher.
  • It’s the headline casualty of quantum period-finding. Simon’s algorithm recovers its key in polynomial time given superposition access, and the offline Simon’s algorithm breaks it with only classical queries in about 2^(n/3) quantum time.
  • The threat scope is narrow and honest. This concerns Even-Mansour and FX-style designs, not AES-256 and not mainstream symmetric cryptography, and any real break still needs a large fault-tolerant quantum computer that doesn’t exist yet.

An everyday way to picture it

Imagine a public dough press that everyone owns an identical copy of. The press always mashes dough the same scrambled way, so on its own it keeps no secrets, since anyone can run it forward or backward. To turn that public machine into a private lock, you stamp your secret pattern into the dough before you press it and stamp a second secret pattern into the shape that comes out. Now, even though the press itself is public and predictable, an outsider who sees only the finished shape can’t recover your dough without knowing both stamps. The Even-Mansour construction is exactly that idea in cryptography. The permutation is the public press, and the two key-XORs are the private stamps on the way in and the way out, and those two stamps are the entire secret.

What is the Even-Mansour construction?

The Even-Mansour construction is a block-cipher design that keys a single fixed permutation using two whitening keys, one added before the permutation and one after. Formally, for an n-bit block it’s defined as E_{k1,k2}(x) = P(x XOR k1) XOR k2, where:

  1. P is a public permutation on n-bit strings that both the defender and the attacker can evaluate freely, forward and backward. It holds no secret.
  2. k1 is a pre-whitening key XORed into the plaintext before the permutation.
  3. k2 is a post-whitening key XORed into the permutation’s output to produce the ciphertext.

The whole point of the design is minimalism. Even and Mansour asked what the least you can add to a public permutation is to get a secure cipher, and they proved that these two key-XORs suffice. Because the construction embodies the idea that all the security lives in the key and none of it in the (public) algorithm, it’s a foundational teaching object rather than a cipher people deploy directly. A later result by Dunkelman, Keller, and Shamir showed that even the single-key variant, where k1 = k2 = k collapses the two whitening keys into one n-bit secret, keeps the same security guarantee, which sharpened just how little the construction actually needs.

Source: Shimon Even and Yishay Mansour, “A Construction of a Cipher from a Single Pseudorandom Permutation,” Journal of Cryptology, vol. 10, no. 3, 1997, pp. 151-161, link.springer.com.

Source: Orr Dunkelman, Nathan Keller, Adi Shamir, “Minimalism in Cryptography, The Even-Mansour Scheme Revisited,” EUROCRYPT 2012, IACR ePrint 2011/541.

How does the Even-Mansour construction work?

Encryption runs a plaintext through exactly three steps, and decryption reverses them using the inverse of the public permutation. The forward direction:

  1. Pre-whiten. Take the n-bit plaintext x and XOR in the first key to get x XOR k1.
  2. Permute. Apply the public permutation P to that value, producing P(x XOR k1).
  3. Post-whiten. XOR in the second key to get the ciphertext c = P(x XOR k1) XOR k2.

To decrypt, a receiver who holds k1 and k2 computes x = P^{-1}(c XOR k2) XOR k1, using the fact that P is a permutation and therefore invertible. Everything an attacker lacks is the two keys, because the permutation itself is assumed public. That’s the design’s honesty. It refuses to hide anything in the algorithm and stakes its entire security on the secrecy of the whitening keys, which is why it became the standard laboratory for reasoning about what a key contributes to a cipher.

Source: Shimon Even and Yishay Mansour, “A Construction of a Cipher from a Single Pseudorandom Permutation,” Journal of Cryptology, vol. 10, no. 3, 1997, pp. 151-161, link.springer.com.

How secure is the Even-Mansour construction classically?

Against a classical attacker, the Even-Mansour construction is provably secure up to a clean bound. Even and Mansour proved that any successful attack must satisfy D * T = Omega(2^n), where D is the number of encryption queries the attacker makes to E and T is the number of queries it makes to the public permutation P, for an n-bit block. The product of the two workloads has to reach roughly 2^n, which is what makes the construction meaningfully secure despite its bare-bones structure.

That bound has two practical consequences worth holding together:

  1. The proof is tight. Joan Daemen exhibited a chosen-plaintext key-recovery attack that matches the bound, and later work (the slidex attack of Dunkelman, Keller, and Shamir) confirmed the T = Omega(2^n / D) tradeoff is essentially the best an attacker can do. So the 2^n product is the real, tested security level, since Daemen’s attack reaches it and nothing beats it.
  2. A balanced attacker sits near 2^(n/2). When an attacker spends its budget evenly, using about 2^(n/2) encryption queries and about 2^(n/2) permutation queries, the product reaches 2^n and the key falls. So the effective classical security is closer to n/2 bits than to n bits, which is a subtlety people miss when they assume two n-bit keys buy n-bit security.

Source: Shimon Even and Yishay Mansour, “A Construction of a Cipher from a Single Pseudorandom Permutation,” Journal of Cryptology, vol. 10, no. 3, 1997, pp. 151-161, link.springer.com.

Source: Orr Dunkelman, Nathan Keller, Adi Shamir, “Slidex Attacks on the Even-Mansour Encryption Scheme,” Journal of Cryptology, vol. 28, no. 1, 2015, pp. 1-28, link.springer.com.

Why does the Even-Mansour construction matter?

It matters as a foundational object, because it isolates the single question every cipher has to answer, what does the secret key actually add to a public transformation. By stripping a block cipher down to one permutation and two key-XORs, Even-Mansour makes the contribution of the key measurable, and that clarity is why it recurs constantly in cryptographic proofs and teaching. Three concrete reasons it earns its place:

  1. It’s the atom of key whitening. XORing a secret key onto the input and output of a public function is the most basic hardening move in symmetric cryptography, and Even-Mansour is the pure, analyzable form of it. Understanding the construction is understanding what whitening buys.
  2. It generalizes into real ciphers through the FX construction. Replace the fixed public permutation with a keyed block cipher and you get the FX construction, which is exactly how designers add whitening to strengthen an existing cipher against exhaustive key search.
  3. It’s the reference target for structural cryptanalysis. Because its structure is so transparent, it’s the first thing new attack techniques get tested against, and that’s precisely how the quantum period-finding attacks announced themselves.

The construction isn’t a cipher you’d pull off a shelf and deploy for bulk encryption. Its value is that it’s the cleanest place to see a general principle at work, which is what makes its quantum story so instructive.

Source: Shimon Even and Yishay Mansour, “A Construction of a Cipher from a Single Pseudorandom Permutation,” Journal of Cryptology, vol. 10, no. 3, 1997, pp. 151-161, link.springer.com.

What is the FX construction, and how does it relate?

The FX construction is the key-whitening generalization of Even-Mansour, and it’s the version that shows up in ciphers people actually built. It’s defined as FX_{k1,k,k2}(x) = k2 XOR E_k(k1 XOR x), which is Even-Mansour with the public permutation P swapped for a keyed block cipher E_k. The two outer keys k1 and k2 whiten the input and output exactly as in Even-Mansour, and the inner key k selects the block cipher’s own permutation. When E_k is treated as a public permutation, FX collapses back to Even-Mansour, which is why the two are studied as one family.

The reason FX matters is that whitening was invented to cheaply extend a cipher’s key length against brute force. The worked examples:

  1. DESX, Ron Rivest’s hardening of DES, wraps DES in two whitening keys to defeat exhaustive key search without redesigning the cipher.
  2. PRINCE and PRIDE, two lightweight block ciphers built for constrained hardware, use FX-style whitening as a core part of their design.

So Even-Mansour is the theoretical minimal case, and FX is the practical pattern in shipped ciphers, and both inherit the same structural weakness against a quantum period-finder.

Source: Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, André Schrottenloher, “Quantum Attacks Without Superposition Queries, the Offline Simon’s Algorithm,” ASIACRYPT 2019, IACR ePrint 2019/614.

Source: Gregor Leander, Alexander May, “Grover Meets Simon, Quantumly Attacking the FX-construction,” ASIACRYPT 2017, IACR ePrint 2017/427.

Is the Even-Mansour construction quantum-vulnerable?

Yes, and it’s the textbook case of a symmetric construction that a quantum computer breaks structurally rather than by brute force. The vulnerability comes from the whitening keys hiding a period that Simon’s algorithm is built to find. Kuwakado and Morii showed in 2012 that if an attacker can query the cipher in quantum superposition, the function f(x) = E(x) XOR P(x) = P(x XOR k1) XOR k2 XOR P(x) satisfies f(x) = f(x XOR k1), so its hidden period is exactly the first whitening key k1. Simon’s algorithm reads that period out in a polynomial number of queries, which recovers k1 and then k2, a total break that ignores the classical 2^(n/2) bound entirely.

That original attack lived in the superposition-query model, the “Q2” model, where the target evaluates its secret-keyed function on quantum superpositions of inputs. Real systems don’t grant that access, which kept the attack theoretical. The offline Simon’s algorithm of Bonnetain and colleagues closed that gap in 2019 by running Simon’s period-finding inside a Grover search, so the attack needs only ordinary classical queries and does the quantum work offline. Against Even-Mansour that costs about 2^(n/3) classical queries, about 2^(n/3) quantum time, and only O(n^2) qubits, which is a genuine break in a model a real adversary could occupy, at the honest price of cube-root cost rather than the polynomial cost the superposition attack enjoyed.

The security picture across models is worth keeping in one place (n is the block size):

Attack modelBest known attackQuery typeCostSource
ClassicalEven-Mansour bound, Daemen attackclassicalD*T = Omega(2^n), balanced near 2^(n/2)Even-Mansour 1997
Quantum, superposition (Simon)Kuwakado-Morii key recoverysuperposition (Q2)polynomial in nKuwakado-Morii 2012
Quantum, classical queries (offline Simon)Bonnetain et al.classical (Q1)~2^(n/3) time and queries, O(n^2) qubitsBonnetain et al. 2019

Source: Hidenori Kuwakado, Masakatu Morii, “Security on the Quantum-type Even-Mansour Cipher,” Proceedings of the International Symposium on Information Theory and its Applications (ISITA), 2012, pp. 312-316, ieeexplore.ieee.org.

Source: Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, André Schrottenloher, “Quantum Attacks Without Superposition Queries, the Offline Simon’s Algorithm,” ASIACRYPT 2019, IACR ePrint 2019/614.

Does breaking Even-Mansour threaten AES?

No, and this is the misconception to kill on sight. AES is a keyed substitution-permutation network with many rounds, not a single public permutation wrapped in two key-XORs, so it hides no single whitening period for Simon’s algorithm to extract. The Even-Mansour and FX breaks reach a specific structural family, mostly minimalist single-permutation ciphers and key-whitening layers, several of them lightweight or legacy designs. They stop at that family, leaving AES and the broad body of standard symmetric cryptography untouched.

For mainstream symmetric primitives the quantum concern that actually governs key sizes is still Grover’s algorithm, which only halves effective strength and is answered by a bigger key. AES-256 keeps a comfortable margin, and appropriately sized hashes like SHA-256 stay useful. So the Even-Mansour quantum result is a design lesson about a narrow family of constructions, and the one real-world exposure it flags is legacy gear built on Even-Mansour or FX-style ciphers holding long-lived data, which is a smaller and nearer concern than the Shor-driven break of public-key cryptography that drives the whole migration. Any of these attacks still needs a large fault-tolerant quantum computer, the same hardware class a Grover exhaustive search needs, which nobody has built.

Source: Xavier Bonnetain et al., “Quantum Attacks Without Superposition Queries, the Offline Simon’s Algorithm,” ASIACRYPT 2019, IACR ePrint 2019/614.

Common misconceptions

  1. “Even-Mansour is a cipher people deploy.” It’s a minimal theoretical construction used to reason about what a key adds to a public permutation. Its practical descendant is the FX-style whitening in ciphers like DESX and PRINCE, not the bare Even-Mansour scheme itself.
  2. “Two n-bit keys give n-bit security.” The provable security is a product bound, D*T = Omega(2^n), so a balanced classical attacker recovers the key near 2^(n/2) work. The construction is strong, but the effective level is closer to half the block size than to the combined key length.
  3. “The quantum break on Even-Mansour means AES is broken.” AES is a multi-round keyed substitution-permutation network with no single hidden whitening period, so the Simon-based attacks can’t touch it. Its quantum concern remains Grover’s, fixed by using AES-256.
  4. “The quantum attack is polynomial, so Even-Mansour falls instantly on any quantum computer.” The polynomial-time Kuwakado-Morii attack needs superposition query access that real systems don’t expose. The realistic classical-query version costs about 2^(n/3), and either way it needs a fault-tolerant machine that doesn’t yet exist.
  5. “The permutation P is the secret.” P is public by assumption, and the entire security rests on the two whitening keys. That’s the design’s defining feature, not a flaw.

Questions people ask

What is the Even-Mansour construction in one line? It’s a block cipher built from a single public permutation P as E(x) = P(x XOR k1) XOR k2, where the two whitening keys are the only secret. It’s the minimal way to key a public permutation.

Who created it and when? Shimon Even and Yishay Mansour, first presented at ASIACRYPT 1991 and published in full in the Journal of Cryptology in 1997 (link.springer.com). They built it to answer how little a cipher needs in order to be secure.

How strong is it against a normal (classical) attacker? Provably strong up to a product bound. Any attack needs its encryption queries times its permutation queries to reach about 2^n for an n-bit block, which puts a balanced attacker near 2^(n/2) work, and Daemen’s matching attack shows that bound is tight.

Why is it a big deal in quantum cryptography? Because it’s the cleanest example of a symmetric construction a quantum computer breaks structurally. Its whitening key sits inside the cipher as a hidden period, and Simon’s algorithm is purpose-built to find hidden periods, so the key falls far faster than the classical bound allows.

Does the quantum attack work with a real, non-magical query? The original 2012 attack needed superposition access that real systems don’t give. The 2019 offline Simon’s algorithm removed that requirement, breaking Even-Mansour with only classical queries in about 2^(n/3) quantum time, which is why it counts as a realistic-model result.

Is my AES-encrypted data at risk from this? No. AES isn’t an Even-Mansour or FX construction, so these attacks can’t reach it. Your AES exposure, if any, is the modest Grover key-search discount, handled by using a 256-bit key.

What real ciphers does this affect? FX-style key whitening, the practical generalization of Even-Mansour, appears in DESX (Rivest’s hardened DES) and in the lightweight ciphers PRINCE and PRIDE. Those are the designs in the blast radius, not mainstream ciphers like AES.

Does breaking Even-Mansour change how I should do post-quantum migration? For almost every organization, no. The migration is a public-key story driven by Shor’s algorithm, and symmetric guidance still follows Grover. The one place to look is legacy equipment built on Even-Mansour or FX-style ciphers holding data that must stay secret for years.


Everything here is the map, given freely. When your team needs the quantum-crypto threat sorted into what’s urgent, what’s narrow, and what’s a legacy edge case for your own systems, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.