The Security of Multiple Encryption in the Ideal Cipher Model

Abstract: Abstract. Multiple encryption-the practice of composing a blockcipher several times with itself under independent keys-has received considerable attention of late from the standpoint of provable security. Despite these efforts proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and best known provable security, so that both bounds match. Our results apply for… Show more

“…We prove that cascades of odd length = 2r + 1 are secure whenever q c q r e 2 r(κ+n) , q c 2 κ , and q e 2 2κ . For κ and n satisfying κ ≥ rn r+1 , this improves on the security bound of Dai et al [9] when q c ≤ 2 rn r+1 . Moreover, when κ ≥ n, this yields a tight bound (matching Gaži's attack [12]) for all parameters (for κ ≤ n, the situation is more involved, see Section 5 for a complete discussion).…”

“…This result was later generalized to arbitrary length by Gaži and Maurer [13]. Their bound on q e was however far from tight, and was first improved by Lee [18], and a tight bound (matching an attack by Gaži [12]) was only recently given by Dai, Lee, Mennink, and Steinberger [9].…”

“…Starting with the work of Killian and Rogaway on DESX [15], and followed by a series of subsequent works [5,13,14,18,12,9], KLE has been formalized and studied in the ideal cipher model (ICM), where the underlying block cipher is modeled as an ideal cipher, i.e., E k is an independent random permutation for every individual key k. Then, ICM PRP security of a KLE construction C[E] is captured by considering a random experiment where the attacker (also known as a distinguisher) issues two types of queries:…”

“…In terms of the number of threshold queries, cascade encryption of length = 2r + 1 is hence secure when q c q r e 2 r(κ+n) , q c 2 κ , and q e 2 2κ (asymptotically, ignoring constants). Our bound must be compared with the security result of Dai et al [9], who considered the full-codebook regime q c = 2 n . They showed that, for κ ≥ n/(r + 1) (which is satisfied for virtually any real block cipher we know of), cascade encryption of length = 2r + 1 is secure when q e 2 κ+ rn r+1 (and, obviously, this also holds for any q c < 2 n ).…”

Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes

“…We prove that cascades of odd length = 2r + 1 are secure whenever q c q r e 2 r(κ+n) , q c 2 κ , and q e 2 2κ . For κ and n satisfying κ ≥ rn r+1 , this improves on the security bound of Dai et al [9] when q c ≤ 2 rn r+1 . Moreover, when κ ≥ n, this yields a tight bound (matching Gaži's attack [12]) for all parameters (for κ ≤ n, the situation is more involved, see Section 5 for a complete discussion).…”

“…This result was later generalized to arbitrary length by Gaži and Maurer [13]. Their bound on q e was however far from tight, and was first improved by Lee [18], and a tight bound (matching an attack by Gaži [12]) was only recently given by Dai, Lee, Mennink, and Steinberger [9].…”

“…Starting with the work of Killian and Rogaway on DESX [15], and followed by a series of subsequent works [5,13,14,18,12,9], KLE has been formalized and studied in the ideal cipher model (ICM), where the underlying block cipher is modeled as an ideal cipher, i.e., E k is an independent random permutation for every individual key k. Then, ICM PRP security of a KLE construction C[E] is captured by considering a random experiment where the attacker (also known as a distinguisher) issues two types of queries:…”

“…In terms of the number of threshold queries, cascade encryption of length = 2r + 1 is hence secure when q c q r e 2 r(κ+n) , q c 2 κ , and q e 2 2κ (asymptotically, ignoring constants). Our bound must be compared with the security result of Dai et al [9], who considered the full-codebook regime q c = 2 n . They showed that, for κ ≥ n/(r + 1) (which is satisfied for virtually any real block cipher we know of), cascade encryption of length = 2r + 1 is secure when q e 2 κ+ rn r+1 (and, obviously, this also holds for any q c < 2 n ).…”

Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes

“…Lee [25] improved the right-hand side, showing a better bound approaching the optimal value of κ + min {κ, n} with increasing → ∞, however his result only gives useful bounds for large (say ≥ 16). A tight bound (matching the attacks mentioned below) was finally given by Dai, Lee, Mennink, and Steinberger [10], establishing the security of a cascade of length as long as q C ≤ 2 n and log(q P ) κ + min −2 2 · κ, −2 · n , where = 2 · /2 denotes the smallest even integer not smaller than .…”

Secret-key cryptography from ideal primitives: A systematic overview

Flexible Group Non-interactive Key Exchange in the Standard Model