In this paper we put these results into perspective by completing the picture of the investigated landscape in various ways. We give the following attacks and security lower bounds for constructions using a block cipher with key length $k$ and block length $n$:
- For the plain cascade of odd (resp. even) length $l$ we present a generic attack requiring roughly $2^{k + n(l-1)/(l+1)}$ (resp. $2^{k + n(l-2)/l}$) queries. This is a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade given in [L98].
- For the general case of XOR-cascade of odd (resp. even) length $l$ we prove security up to $2^{k+n(l-1)/(l+1)}$ (resp. $2^{k+n(l-2)/l}$) queries and also an improved bound $2^{k+n(l-1)/l}$ for the special case of $l$ in {3,4}. This is achieved by relating the problem to an independent line of work on the security of key-alternating ciphers in the random-permutation model.
- Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly $2^{k+n(l-1)/l}$ queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length $l$ in {3,4} as well as their optimal security within the class of sequential constructions.
These results suggest that XOR-cascades achieve a better security/efficiency trade-off than plain cascades and should be preferred.
Category / Keywords: secret-key cryptography / block ciphers, key-length extension, ideal cipher model, cascade, XOR-cascade Date: received 11 Jan 2013, last revised 18 Feb 2013 Contact author: peter gazi at inf ethz ch Available formats: PDF | BibTeX Citation Version: 20130218:152801 (All versions of this report) Discussion forum: Show discussion | Start new discussion