Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption

  • Jooyoung Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


This paper discusses provable security of two types of cascade encryptions. The first construction CEl, called l-cascade encryption, is obtained by sequentially composing l blockcipher calls with independent keys. The security of CEl has been a longstanding open problem until Gaži and Maurer [9] proved its security up to \(2^{\kappa +\min\{\frac{n}{2},\kappa \}}\) query complexity for large cascading length, where κ and n denote the key size and the block size of the underlying blockcipher, respectively. We improve this limit by proving the security of CEl up to \(2^{\kappa +\min\left\{\kappa ,n\right\}-\frac{16}{l}\left(\frac{n}{2}+2\right)}\) query complexity: this bound approaches \(2^{\kappa +\min\left\{\kappa ,n\right\}}\) with increasing cascade length l.

The second construction XCEl is a natural cascade version of the DESX scheme with intermediate keys xored between blockcipher calls. This can also be viewed as an extension of double XOR-cascade proposed by Gaži and Tessaro [10]. We prove that XCEl is secure up to \(2^{\kappa +n-\frac{8}{l}\left(\frac{n}{2}+2\right)}\) query complexity. As cascade length l increases, this bound approaches 2κ + n.

In the ideal cipher model, one can obtain all the evaluations of the underlying blockcipher by making 2κ + n queries, so the (κ + n)-bit security becomes the maximum that key-length extension based on a single κ-bit key n-bit blockcipher is able to achieve. Cascade encryptions CEl (with n ≤ κ) and XCEl provide almost optimal security with large cascade length.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Jooyoung Lee
    • 1
  1. 1.Faculty of Mathematics and StatisticsSejong UniversitySeoulKorea

Personalised recommendations