Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers

  • Peter Gaži
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)


Cascading-based constructions represent the predominant approach to the problem of key-length extension for block ciphers. Besides the plain cascade, existing works also consider its modification containing key-whitening steps between the invocations of the block cipher, called randomized cascade or XOR-cascade. We contribute to the understanding of the security of these two designs by giving the following attacks and security proofs, assuming an underlying ideal block cipher with key length k and block length n:

  • For the plain cascade of odd (resp. even) length ℓ we present a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries, being a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade.

  • For XOR-cascade of odd (resp. even) length ℓ we prove security up to \(2^{\emph{k}+\frac{\ell-1}{\ell+1}n}\) (resp. \(2^{\emph{k}+\frac{\ell-2}{\ell}n}\)) queries and also an improved bound \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) for the special case ℓ ∈ {3,4} by relating the problem to the security of key-alternating ciphers in the random-permutation model.

  • Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly \(2^{\emph{k}+\frac{\ell-1}{\ell}n}\) queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length ℓ ∈ {3,4} as well as their optimal security within the class of sequential constructions.

These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.


Provable security block ciphers key-length extension ideal-cipher model cascade XOR-cascade 


  1. 1.
    Data encryption standard. In: FIPS PUB 46. Federal Information Processing Standards Publication (1977)Google Scholar
  2. 2.
    ANSI X9.52: Triple Data Encryption Algorithm Modes of Operation (1998)Google Scholar
  3. 3.
    FIPS PUB 46-3: Data Encryption Standard (DES). National Institute of Standards and Technology (1999)Google Scholar
  4. 4.
    Advanced encryption standard. In: FIPS PUB 197. Federal Information Processing Standards Publication (2001)Google Scholar
  5. 5.
    Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. National Institute of Standards and Technology. Special Publication 800-67 (2004)Google Scholar
  6. 6.
    EMV Integrated Circuit Card Specification for Payment Systems, Book 2: Security and Key Management, v.4.2 (June 2008)Google Scholar
  7. 7.
    Aiello, W., Bellare, M., Di Crescenzo, G., Venkatesan, R.: Security amplification by composition: The case of doubly-iterated, ideal ciphers. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 390–407. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. 8.
    Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. Cryptology ePrint Archive, Report 2013/061 (2013),
  9. 9.
    Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006), at Scholar
  11. 11.
    Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    Diffie, W., Hellman, M.E.: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)CrossRefGoogle Scholar
  13. 13.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Even, S., Goldreich, O.: On the power of cascade ciphers. ACM Trans. Comput. Syst. 3(2), 108–116 (1985)CrossRefGoogle Scholar
  15. 15.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 151–161 (1991)Google Scholar
  16. 16.
    Gaži, P., Maurer, U.: Cascade encryption revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 37–51. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Gaži, P., Maurer, U.: Free-start distinguishing: Combining two types of indistinguishability amplification. In: Kurosawa, K. (ed.) ICITS 2010. LNCS, vol. 5973, pp. 28–44. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Gaži, P., Tessaro, S.: Efficient and optimally secure key-length extension for block ciphers via randomized cascading. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 63–80. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology 14, 17–35 (2001)MathSciNetCrossRefMATHGoogle Scholar
  20. 20.
    Lampe, R., Patarin, J., Seurin, Y.: An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  21. 21.
    Lampe, R., Seurin, Y.: How to construct an ideal cipher from a small set of public permutations. Cryptology ePrint Archive, Report (2013),
  22. 22.
    Lee, J.: Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 405–425. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  23. 23.
    Lucks, S.: Attacking triple encryption. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 239–253. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  24. 24.
    Maurer, U.M.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Maurer, U., Massey, J.L.: Cascade ciphers: The importance of being first. Journal of Cryptology 6(1), 55–61 (1993)CrossRefMATHGoogle Scholar
  26. 26.
    Maurer, U.M., Pietrzak, K.: Composition of random systems: When two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  27. 27.
    Maurer, U.M., Pietrzak, K., Renner, R.S.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  28. 28.
    Maurer, U., Tessaro, S.: Computational indistinguishability amplification: Tight product theorems for system composition. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 355–373. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  29. 29.
    Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. Cryptology ePrint Archive, Report 2012/481 (2012),
  30. 30.
    Tessaro, S.: Security amplification for the cascade of arbitrarily weak PRPs: Tight bounds via the interactive Hardcore Lemma. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 37–54. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  31. 31.
    Vaudenay, S.: Decorrelation: a theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Peter Gaži
    • 1
  1. 1.Department of Computer ScienceETH ZurichSwitzerland

Personalised recommendations