Paper 2014/096

Tight security bounds for multiple encryption

Yuanxi Dai and John Steinberger


Multiple encryption---the practice of composing a blockcipher several times with itself under independent keys---has received considerable attention of late from the standpoint of provable security. Despite these efforts proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and best known provable security, so that both bounds match. Our results apply for arbitrary number of rounds and show that the security of $\ell$-round multiple encryption is precisely $\exp(\kappa + \min\{\kappa (\ell'-2)/2), n (\ell'-2)/\ell'\})$ where $\exp(t) = 2^t$ and where $\ell' = 2\lceil \ell/2\rceil$ is the even integer closest to $\ell$ and greater than or equal to $\ell$, for all $\ell \geq 1$. Our technique is based on Patarin's H-coefficient method and reuses a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers.

Available format(s)
Secret-key cryptography
Publication info
multiple encryptioncascade ciphersprovable security
Contact author(s)
jpsteinb @ gmail com
shusdtc @ gmail com
2014-03-20: revised
2014-02-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yuanxi Dai and John Steinberger},
      title = {Tight security bounds for multiple encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2014/096},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.