Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading

  • Peter Gaži
  • Stefano Tessaro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


We consider the question of efficiently extending the key length of block ciphers. To date, the approach providing highest security is triple encryption (used e.g. in Triple-DES), which was proved to have roughly κ + min {n/2, κ/2} bits of security when instantiated with ideal block ciphers with key length κ and block length n, at the cost of three block-cipher calls per message block.

This paper presents a new practical key-length extension scheme exhibiting κ + n/2 bits of security – hence improving upon the security of triple encryption – solely at the cost of two block cipher calls and a key of length κ + n. We also provide matching generic attacks showing the optimality of the security level achieved by our approach with respect to a general class of two-query constructions.


Block ciphers Cascade encryption Provable security 


  1. 1.
    FIPS PUB 46: Data Encryption Standard (DES). National Institute of Standards and Technology (1977)Google Scholar
  2. 2.
    ANSI X9.52: Triple Data Encryption Algorithm Modes of Operation (1998)Google Scholar
  3. 3.
    FIPS PUB 46-3: Data Encryption Standard (DES). National Institute of Standards and Technology (1999)Google Scholar
  4. 4.
    FIPS PUB 197: Advanced Encryption Standard (AES). National Institute of Standards and Technology (2001)Google Scholar
  5. 5.
    NIST SP 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. National Institute of Standards and Technology (2004)Google Scholar
  6. 6.
    EMV Integrated Circuit Card Specifications for Payment Systems. Book 2: Security and Key Management, v.4.2. EMVCo (June 2008)Google Scholar
  7. 7.
    Aiello, W., Bellare, M., Di Crescenzo, G., Venkatesan, R.: Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 390–407. Springer, Heidelberg (1998)Google Scholar
  8. 8.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS 1997: Proceedings of the 38th IEEE Annual Symposium on Foundations of Computer Science, pp. 394–403 (1997)Google Scholar
  9. 9.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining Message Authentication Code. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  10. 10.
    Bellare, M., Kohno, T.: A Theoretical Treatment of Related-key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  12. 12.
    Black, J., Rogaway, P.: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Diffie, W., Hellman, M.E.: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)CrossRefGoogle Scholar
  14. 14.
    Even, S., Goldreich, O.: On the power of cascade ciphers. ACM Trans. Comput. Syst. 3(2), 108–116 (1985)CrossRefGoogle Scholar
  15. 15.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Journal of Cryptology, pp. 151–161. Springer, Heidelberg (1991)Google Scholar
  16. 16.
    Gaži, P., Maurer, U.: Cascade Encryption Revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 37–51. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Gaži, P., Maurer, U.: Free-Start Distinguishing: Combining Two Types of Indistinguishability Amplification. In: Kurosawa, K. (ed.) ICITS 2009. LNCS, vol. 5973, pp. 28–44. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology 14, 17–35 (2001)MathSciNetzbMATHCrossRefGoogle Scholar
  19. 19.
    Lai, X., Massey, J.L.: A Proposal for a New Block Encryption Standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991)Google Scholar
  20. 20.
    Luby, M., Rackoff, C.: Pseudo-random permutation generators and cryptographic composition. In: STOC 1986: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, pp. 356–363 (1986)Google Scholar
  21. 21.
    Lucks, S.: Attacking Triple Encryption. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 239–253. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  22. 22.
    Maurer, U.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  23. 23.
    Maurer, U., Massey, J.L.: Cascade ciphers: The importance of being first. Journal of Cryptology 6(1), 55–61 (1993)zbMATHCrossRefGoogle Scholar
  24. 24.
    Maurer, U., Pietrzak, K.: Composition of Random Systems: When Two Weak Make One Strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability Amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Maurer, U., Tessaro, S.: Computational Indistinguishability Amplification: Tight Product Theorems for System Composition. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 355–373. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  27. 27.
    Rogaway, P., Steinberger, J.P.: Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  28. 28.
    Schneier, B.: Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish). In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 191–204. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  29. 29.
    Stam, M.: Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)Google Scholar
  30. 30.
    Steinberger, J.P.: Stam’s Collision Resistance Conjecture. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 597–615. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  31. 31.
    Tessaro, S.: Security Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 37–54. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  32. 32.
    Vaudenay, S.: Decorrelation: a theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)MathSciNetzbMATHCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Peter Gaži
    • 1
    • 2
  • Stefano Tessaro
    • 3
    • 4
  1. 1.Department of Computer ScienceComenius UniversityBratislavaSlovakia
  2. 2.Department of Computer ScienceETH ZurichSwitzerland
  3. 3.Department of Computer Science and EngineeringUniversity of California San DiegoLa JollaUSA
  4. 4.MITCambridgeUSA

Personalised recommendations