More concretely, we show the following results for key-length extension schemes using a block cipher with $n$-bit blocks and $\kappa$-bit keys:
- Plain cascades of length $\ell = 2r+1$ are secure whenever $q_c q_e^r \ll 2^{r(\kappa+n)}$, $q_c \ll 2^\ka$ and $q_e \ll 2^{2\ka}$. The bound for $r = 1$ also applies to two-key triple encryption (as used within Triple DES).
- The $r$-round XOR-cascade is secure as long as $q_c q_e^r \ll 2^{r(\kappa+n)}$, matching an attack by Gazi (CRYPTO 2013).
- We fully characterize the security of Gazi and Tessaro's two-call 2XOR construction (EUROCRYPT 2012) for all values of $q_c$, and note that the addition of a third whitening step strictly increases security for $2^{n/4} \le q_c \le 2^{3/4n}$. We also propose a variant of this construction without re-keying and achieving comparable security levels.
Category / Keywords: secret-key cryptography / block ciphers, key-length extension, provable security, ideal-cipher model Original Publication (with major differences): IACR-FSE-2015 Date: received 27 Apr 2015, last revised 27 Apr 2015 Contact author: yannick seurin at m4x org Available format(s): PDF | BibTeX Citation Note: An abridged version appears in the proceedings of FSE 2015. This is the full version. Version: 20150501:120607 (All versions of this report) Short URL: ia.cr/2015/397 Discussion forum: Show discussion | Start new discussion