Abstract
Cascading-based constructions represent the predominant approach to the problem of key-length extension for block ciphers. Besides the plain cascade, existing works also consider its modification containing key-whitening steps between the invocations of the block cipher, called randomized cascade or XOR-cascade. We contribute to the understanding of the security of these two designs by giving the following attacks and security proofs, assuming an underlying ideal block cipher with key length k and block length n:
-
For the plain cascade of odd (resp. even) length ℓ we present a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries, being a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade.
-
For XOR-cascade of odd (resp. even) length ℓ we prove security up to \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries and also an improved bound \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) for the special case ℓ ∈ {3,4} by relating the problem to the security of key-alternating ciphers in the random-permutation model.
-
Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length ℓ ∈ {3,4} as well as their optimal security within the class of sequential constructions.
These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.
Chapter PDF
Similar content being viewed by others
References
Data encryption standard. In: FIPS PUB 46. Federal Information Processing Standards Publication (1977)
ANSI X9.52: Triple Data Encryption Algorithm Modes of Operation (1998)
FIPS PUB 46-3: Data Encryption Standard (DES). National Institute of Standards and Technology (1999)
Advanced encryption standard. In: FIPS PUB 197. Federal Information Processing Standards Publication (2001)
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. National Institute of Standards and Technology. Special Publication 800-67 (2004)
EMV Integrated Circuit Card Specification for Payment Systems, Book 2: Security and Key Management, v.4.2 (June 2008)
Aiello, W., Bellare, M., Di Crescenzo, G., Venkatesan, R.: Security amplification by composition: The case of doubly-iterated, ideal ciphers. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 390–407. Springer, Heidelberg (1998)
Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. Cryptology ePrint Archive, Report 2013/061 (2013), http://eprint.iacr.org/
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006), at http://eprint.iacr.org/2004/331
Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
Diffie, W., Hellman, M.E.: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)
Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012)
Even, S., Goldreich, O.: On the power of cascade ciphers. ACM Trans. Comput. Syst. 3(2), 108–116 (1985)
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 151–161 (1991)
Gaži, P., Maurer, U.: Cascade encryption revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 37–51. Springer, Heidelberg (2009)
Gaži, P., Maurer, U.: Free-start distinguishing: Combining two types of indistinguishability amplification. In: Kurosawa, K. (ed.) ICITS 2010. LNCS, vol. 5973, pp. 28–44. Springer, Heidelberg (2010)
Gaži, P., Tessaro, S.: Efficient and optimally secure key-length extension for block ciphers via randomized cascading. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 63–80. Springer, Heidelberg (2012)
Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology 14, 17–35 (2001)
Lampe, R., Patarin, J., Seurin, Y.: An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
Lampe, R., Seurin, Y.: How to construct an ideal cipher from a small set of public permutations. Cryptology ePrint Archive, Report (2013), http://eprint.iacr.org/
Lee, J.: Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 405–425. Springer, Heidelberg (2013)
Lucks, S.: Attacking triple encryption. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 239–253. Springer, Heidelberg (1998)
Maurer, U.M.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)
Maurer, U., Massey, J.L.: Cascade ciphers: The importance of being first. Journal of Cryptology 6(1), 55–61 (1993)
Maurer, U.M., Pietrzak, K.: Composition of random systems: When two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)
Maurer, U.M., Pietrzak, K., Renner, R.S.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)
Maurer, U., Tessaro, S.: Computational indistinguishability amplification: Tight product theorems for system composition. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 355–373. Springer, Heidelberg (2009)
Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. Cryptology ePrint Archive, Report 2012/481 (2012), http://eprint.iacr.org/
Tessaro, S.: Security amplification for the cascade of arbitrarily weak PRPs: Tight bounds via the interactive Hardcore Lemma. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 37–54. Springer, Heidelberg (2011)
Vaudenay, S.: Decorrelation: a theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 International Association for Cryptologic Research
About this paper
Cite this paper
Gaži, P. (2013). Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In: Canetti, R., Garay, J.A. (eds) Advances in Cryptology – CRYPTO 2013. CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40041-4_30
Download citation
DOI: https://doi.org/10.1007/978-3-642-40041-4_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40040-7
Online ISBN: 978-3-642-40041-4
eBook Packages: Computer ScienceComputer Science (R0)