Paper 2013/019

Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers

Peter Gaźi

Abstract

Cascading-based constructions represent the predominant approach to the problem of key-length extension for block ciphers. Besides the plain cascade, existing works also consider its modification containing key-whitening steps between the invocations of the block cipher, called randomized cascade or XOR-cascade. We contribute to the understanding of the security of these two designs by giving the following attacks and security proofs, assuming an underlying ideal block cipher with key length $k$ and block length $n$: - For the plain cascade of odd (resp. even) length $l$ we present a generic attack requiring roughly $2^{k+\frac{l-1}{l+1}n}$ (resp. $2^{k+\frac{l-2}{l}n}$) queries, being a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade. - For XOR-cascade of odd (resp. even) length $l$ we prove security up to $2^{k+\frac{l-1}{l+1}n}$ (resp. $2^{k+\frac{l-2}{l}n}$) queries and also an improved bound $2^{k+\frac{l-1}{l}n}$ for the special case $l\in\{3,4\}$ by relating the problem to the security of key-alternating ciphers in the random-permutation model. - Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly $2^{k+\frac{l-1}{l}n}$ queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length $l\in\{3,4\}$ as well as their optimal security within the class of sequential constructions. These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. A conference version of this paper appears at CRYPTO 2013.
Keywords
block cipherskey-length extensionideal cipher modelcascadeXOR-cascade
Contact author(s)
peter gazi @ inf ethz ch
History
2013-06-21: last of 5 revisions
2013-01-18: received
See all versions
Short URL
https://ia.cr/2013/019
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/019,
      author = {Peter Gaźi},
      title = {Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2013/019},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/019}},
      url = {https://eprint.iacr.org/2013/019}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.