The Security of Multiple Encryption in the Ideal Cipher Model

  • Yuanxi Dai
  • Jooyoung Lee
  • Bart Mennink
  • John Steinberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8616)


Multiple encryption—the practice of composing a blockcipher several times with itself under independent keys—has received considerable attention of late from the standpoint of provable security. Despite these efforts proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and best known provable security, so that both bounds match. Our results apply for arbitrary number of rounds and show that the security of ℓ-round multiple encryption is precisely \(\exp(\kappa + \min\{\kappa (\ell'-2)/2), n (\ell'-2)/\ell'\})\) where \(\exp(t) = 2^t\) and where ℓ′ = 2⌈ℓ/2⌉ is the smallest even integer greater than or equal to ℓ, for all ℓ ≥ 1. Our technique is based on Patarin’s H-coefficient method and relies on a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers.


Block Cipher Ideal World Message Space Data Encryption Standard Provable Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aiello, W., Bellare, M., Di Crescenzo, G., Venkatesan, R.: Security amplification by composition: the case of doubly-iterated, ideal ciphers. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 390–407. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. 2.
    ANSI X9.52: Triple Data Encryption Algorithm Modes of Operation, withdrawn (1998)Google Scholar
  3. 3.
    Armknecht, F., Fleischmann, E., Krause, M., Lee, J., Stam, M., Steinberger, J.: The preimage security of double-block length compression functions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 233–251. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. IACR eprint report,
  6. 6.
    Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  9. 9.
    Dai, Y., Steinberger, J.: Tight security bounds for multiple encryption. IACR Cryptology ePrint Archive, 2014/096,
  10. 10.
    Dai, Y., Lee, J., Mennink, B., Steinberger, J.: The security of multiple encryption in the ideal cipher model (Full version of this paper.) IACR Cryptology ePrint ArchiveGoogle Scholar
  11. 11.
    Diffie, W., Hellman, M.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1997)CrossRefGoogle Scholar
  12. 12.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Even, S., Goldreich, O.: On the power of cascade ciphers. ACM Transactions on Computer Systems 3(2), 108–116 (1985)CrossRefGoogle Scholar
  14. 14.
    Even, S., Mansour, Y.: A Construction of a Cipher From a Single Pseudorandom Permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  15. 15.
    FIPS46-3: Data Encryption Standard. National Institute of Standards and Technology, withdrawn (1999)Google Scholar
  16. 16.
    Gaži, P.: Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 551–570. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Gaži, P., Maurer, U.: Cascade encryption revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 37–51. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Gaži, P., Tessaro, S.: Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 63–80. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). Journal of Cryptology 14(1), 17–35 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Krause, M., Armknecht, F., Fleischmann, E.: Preimage resistance beyond the birthday bound: Double-length hashing revisited. IACR eprint report,
  21. 21.
    Lampe, R., Patarin, J., Seurin, Y.: An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  22. 22.
    Lee, J.: Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 405–425. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  23. 23.
    Lee, J.: Tight Security for Triple Encryption. IACR Cryptology ePrint Archive, 2014/015,
  24. 24.
    Lee, J., Steinberger, J., Stam, M.: The preimage security of double-block-length compression functions. IACR eprint report,
  25. 25.
    Luby, M., Rackoff, C.: Pseudo-random permutation generators and cryptographic composition. In: STOC 1986: Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pp. 356–363 (1986)Google Scholar
  26. 26.
    Lucks, S.: Attacking triple encryption. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 239–253. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  27. 27.
    Maurer, U., Massey, J.L.: Cascade ciphers: The importance of being first. Journal of Cryptology 6(1), 55–61 (1993)CrossRefzbMATHGoogle Scholar
  28. 28.
    Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  29. 29.
    Maurer, U., Tessaro, S.: Computational indistinguishability amplification: Tight product theorems for system composition. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 355–373. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  30. 30.
    Mennink, B., Preneel, B.: Triple and Quadruple Encryption: Bridging the Gap. IACR Cryptology ePrint Archive, 2014/016,
  31. 31.
    Merkle, R., Hellman, M.: On the Security of Multiple Encryption. Communications of the ACM 24(7), 465–467 (1981); See also: Communications of the ACM 24(11), 776 (1981)Google Scholar
  32. 32.
    Myers, S.: On the development of block-ciphers and pseudo-random function generators using the composition and XOR operators. Master’s thesis, University of Toronto (1999)Google Scholar
  33. 33.
    van Oorschot, P.C., Wiener, M.: Improving implementable meet-in-the-middle attacks by orders of magnitude. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 229–236. Springer, Heidelberg (1996)Google Scholar
  34. 34.
    van Oorschot, P.C., Wiener, M.: A Known-Plaintext Attack on Two-Key Triple Encryption. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 318–325. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  35. 35.
    NIST SP 800-67, Revision 1: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. National Institute of Standards and Technology (2012)Google Scholar
  36. 36.
    Patarin, J.: Etude de Génerateurs de Permutations Bases sur les Schemas du DES. In Ph.D. Thesis. Inria, Domaine de Voluceau, France (1991)Google Scholar
  37. 37.
    Patarin, J.: The “Coefficients H” Technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  38. 38.
    Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance,
  39. 39.
    Tessaro, S.: Security Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 37–54. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Yuanxi Dai
    • 1
  • Jooyoung Lee
    • 2
  • Bart Mennink
    • 3
  • John Steinberger
    • 1
  1. 1.Institute for Interdisciplinary Information SciencesTsinghua UniversityBeijingP.R. China
  2. 2.Faculty of Mathematics and StatisticsSejong UniversitySeoulKorea
  3. 3.Dept. Electrical Engineering, ESAT/COSICKU Leuven, and iMindsBelgium

Personalised recommendations