Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers

  • Peter Gaži
Conference paper

DOI: 10.1007/978-3-642-40041-4_30

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)
Cite this paper as:
Gaži P. (2013) Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg

Abstract

Cascading-based constructions represent the predominant approach to the problem of key-length extension for block ciphers. Besides the plain cascade, existing works also consider its modification containing key-whitening steps between the invocations of the block cipher, called randomized cascade or XOR-cascade. We contribute to the understanding of the security of these two designs by giving the following attacks and security proofs, assuming an underlying ideal block cipher with key length k and block length n:

  • For the plain cascade of odd (resp. even) length ℓ we present a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries, being a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade.

  • For XOR-cascade of odd (resp. even) length ℓ we prove security up to \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries and also an improved bound \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) for the special case ℓ ∈ {3,4} by relating the problem to the security of key-alternating ciphers in the random-permutation model.

  • Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length ℓ ∈ {3,4} as well as their optimal security within the class of sequential constructions.

These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.

Keywords

Provable security block ciphers key-length extension ideal-cipher model cascade XOR-cascade 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Peter Gaži
    • 1
  1. 1.Department of Computer ScienceETH ZurichSwitzerland

Personalised recommendations