- For the plain cascade of odd (resp. even) length $l$ we present a generic attack requiring roughly $2^{k+\frac{l-1}{l+1}n}$ (resp. $2^{k+\frac{l-2}{l}n}$) queries, being a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade.
- For XOR-cascade of odd (resp. even) length $l$ we prove security up to $2^{k+\frac{l-1}{l+1}n}$ (resp. $2^{k+\frac{l-2}{l}n}$) queries and also an improved bound $2^{k+\frac{l-1}{l}n}$ for the special case $l\in\{3,4\}$ by relating the problem to the security of key-alternating ciphers in the random-permutation model.
- Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly $2^{k+\frac{l-1}{l}n}$ queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length $l\in\{3,4\}$ as well as their optimal security within the class of sequential constructions.
These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.
Category / Keywords: secret-key cryptography / block ciphers, key-length extension, ideal cipher model, cascade, XOR-cascade Publication Info: A conference version of this paper appears at CRYPTO 2013. Date: received 11 Jan 2013, last revised 21 Jun 2013 Contact author: peter gazi at inf ethz ch Available format(s): PDF | BibTeX Citation Version: 20130621:075615 (All versions of this report) Short URL: ia.cr/2013/019 Discussion forum: Show discussion | Start new discussion