2012
DOI: 10.1007/978-3-642-29011-4_6
|View full text |Cite
|
Sign up to set email alerts
|

Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading

Abstract: Abstract.We consider the question of efficiently extending the key length of block ciphers. To date, the approach providing highest security is triple encryption (used e.g. in Triple-DES), which was proved to have roughly κ + min{n/2, κ/2} bits of security when instantiated with ideal block ciphers with key length κ and block length n, at the cost of three block-cipher calls per message block. This paper presents a new practical key-length extension scheme exhibiting κ + n/2 bits of security -hence improving u… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

0
40
0

Year Published

2013
2013
2022
2022

Publication Types

Select...
9

Relationship

1
8

Authors

Journals

citations
Cited by 20 publications
(40 citation statements)
references
References 28 publications
0
40
0
Order By: Relevance
“…This model has already been employed numerous times to analyze the security of key-length extending constructions, e.g. in [20,10,17,19]. …”
Section: Block Ciphers and The Key-length Extension Problemmentioning
confidence: 99%
“…This model has already been employed numerous times to analyze the security of key-length extending constructions, e.g. in [20,10,17,19]. …”
Section: Block Ciphers and The Key-length Extension Problemmentioning
confidence: 99%
“…Looking at (9) it is possible to wonder whether anything substantial has been gained so far, or whether notations are simply being shuffled around; after all, Pr[X = τ ] and Pr Ω X [ω ∈ comp X (τ )] are "obviously the same thing" 4 (and the same for Y ). However the probability Pr Ω X [ω ∈ comp X (τ )] offers 1 More formally, the oracle is a deterministic function taking as input a query and a (large) random tape, where the random tape is sampled and fixed at the start of the experiment.…”
Section: Lower Bounding the Ratiomentioning
confidence: 99%
“…The ICM became increasingly popular after Black et al [12] used it to extensively analyze the security of the PGV block cipher-based compression functions [51]. Since then, the ICM has been used to prove the security of a variety of other block cipher-based hash functions [30,31,58,40,46], of key length extension methods for block ciphers [35,21,7,25,26], of symmetric encryption schemes [33], and even of some public-key protocols such as signature schemes [29], ring signature schemes [53], public-key encryption [34], and key exchange protocols [6]. Despite these numerous successful applications, one must not lose from sight that the ICM only gives heuristic insurance just as the ROM [14].…”
Section: Introductionmentioning
confidence: 99%