Paper 2013/019
Plain versus Randomized CascadingBased KeyLength Extension for Block Ciphers
Peter Gaźi
Abstract
Cascadingbased constructions represent the predominant approach to the problem of keylength extension for block ciphers. Besides the plain cascade, existing works also consider its modification containing keywhitening steps between the invocations of the block cipher, called randomized cascade or XORcascade. We contribute to the understanding of the security of these two designs by giving the following attacks and security proofs, assuming an underlying ideal block cipher with key length $k$ and block length $n$:  For the plain cascade of odd (resp. even) length $l$ we present a generic attack requiring roughly $2^{k+\frac{l1}{l+1}n}$ (resp. $2^{k+\frac{l2}{l}n}$) queries, being a generalization of both the meetinthemiddle attack on double encryption and the best known attack on triple cascade.  For XORcascade of odd (resp. even) length $l$ we prove security up to $2^{k+\frac{l1}{l+1}n}$ (resp. $2^{k+\frac{l2}{l}n}$) queries and also an improved bound $2^{k+\frac{l1}{l}n}$ for the special case $l\in\{3,4\}$ by relating the problem to the security of keyalternating ciphers in the randompermutation model.  Finally, for a natural class of sequential constructions where blockcipher encryptions are interleaved with keydependent permutations, we show a generic attack requiring roughly $2^{k+\frac{l1}{l}n}$ queries. Since XORcascades are sequential, this proves tightness of our above result for XORcascades of length $l\in\{3,4\}$ as well as their optimal security within the class of sequential constructions. These results suggest that XORcascades achieve a better security/efficiency tradeoff than plain cascades and should be preferred.
Metadata
 Available format(s)
 Category
 Secretkey cryptography
 Publication info
 Published elsewhere. A conference version of this paper appears at CRYPTO 2013.
 Keywords
 block cipherskeylength extensionideal cipher modelcascadeXORcascade
 Contact author(s)
 peter gazi @ inf ethz ch
 History
 20130621: last of 5 revisions
 20130118: received
 See all versions
 Short URL
 https://ia.cr/2013/019
 License

CC BY
BibTeX
@misc{cryptoeprint:2013/019, author = {Peter Gaźi}, title = {Plain versus Randomized CascadingBased KeyLength Extension for Block Ciphers}, howpublished = {Cryptology ePrint Archive, Paper 2013/019}, year = {2013}, note = {\url{https://eprint.iacr.org/2013/019}}, url = {https://eprint.iacr.org/2013/019} }