Relaxing Full-Codebook Security: A Refined ... - Yannick Seurin's

qc construction queries to Ck[E](Â·) or P(Â·). â¢ qe ideal cipher queries to E(Â·,Â·). â¢ it is computationally unbounded (information-theoretic sec.) â¢ NB: generic attack with ...

Télécharger le PDF

1MB taille 2 téléchargements 201 vues

commentaire

Report

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes Peter Gaži1 Jooyoung Lee2 Yannick Seurin3 John Steinberger4 Stefano Tessaro5 1 IST, 2 Sejong

Austria

University, Korea

3 ANSSI, 4 Tsinghua 5 UC

France

University, China

Santa Barbara, USA

March 10, 2015 - FSE 2015 Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

1 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

2 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

A block cipher E

Notation

• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

A block cipher E

Notation

• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

A block cipher E

Notation

• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

A block cipher E

Notation

• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

Notation

A block cipher E • takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Ciphers k x

E

y

Notation

A block cipher E • takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ

• n = block-length • κ = key-length

• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

3 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Cipher Security: Pseudorandom Permutations random key

unif. random permutation

k

E

P

0/1

0/1

SPRP (a.k.a. CCA) advantage:

h

i

h

i

Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

4 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Cipher Security: Pseudorandom Permutations random key

unif. random permutation

k

E

P

0/1

0/1

SPRP (a.k.a. CCA) advantage:

h

i

h

i

Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

4 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Cipher Security: Pseudorandom Permutations random key

unif. random permutation

k

E

P

0/1

0/1

SPRP (a.k.a. CCA) advantage:

h

i

h

i

Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

4 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Block Cipher Security: Pseudorandom Permutations random key

unif. random permutation

k

E

P

0/1

0/1

SPRP (a.k.a. CCA) advantage:

h

i

h

i

Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

4 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length is Crucial k x

E

y

Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries

• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

5 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length is Crucial k x

E

y

Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries

• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

5 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length is Crucial k x

E

y

Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries

• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

5 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Key-Length Extension (KLE) Problem k0 C k y0

x0 x

E

y

Goal: construct from E a new block cipher 0

C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that

Examples • Triple Encryption

• κ0 > κ • best generic attack requires > 2κ

evaluations of E and C

• FX construction

(generic DESX)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

6 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Key-Length Extension (KLE) Problem k0 C k y0

x0 x

E

y

Goal: construct from E a new block cipher 0

C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that

Examples • Triple Encryption

• κ0 > κ • best generic attack requires > 2κ

evaluations of E and C

• FX construction

(generic DESX)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

6 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Key-Length Extension (KLE) Problem k0 C k y0

x0 x

E

y

Goal: construct from E a new block cipher 0

C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that

Examples • Triple Encryption

• κ0 > κ • best generic attack requires > 2κ

evaluations of E and C

• FX construction

(generic DESX)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

6 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Key-Length Extension (KLE) Problem k0 C k y0

x0 x

E

y

Goal: construct from E a new block cipher 0

C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that

Examples • Triple Encryption

• κ0 > κ • best generic attack requires > 2κ

evaluations of E and C

• FX construction

(generic DESX)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

6 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher

k x

E

y

Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)

Generic Security • attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

7 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher

k x

E

y

Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)

Generic Security • attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

7 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher

k x

E

y

Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)

Generic Security • attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

7 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length Extension in the ICM k C P E

E qe

qc

E qe

0/1

• • • •

qc

0/1

qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

8 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length Extension in the ICM k C P E

E qe

qc

E qe

0/1

• • • •

qc

0/1

qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

8 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length Extension in the ICM k C P E

E qe

qc

E qe

0/1

• • • •

qc

0/1

qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

8 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key-Length Extension in the ICM k C P E

E qe

qc

E qe

0/1

• • • •

qc

0/1

qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

8 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])

⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n

• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n

previous work

κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

9 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])

⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n

• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n

previous work

κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

9 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])

⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n

• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n

previous work

κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

9 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])

⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n

• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n

previous work

this work κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

9 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

10 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Randomized Key-Length Extension Schemes Very general class abiding to the following structure: k z φ1 x

ρ0z

ρ1z

E

φ2

φr

E

E

ρrz

y

• the ρi ’s are keyed permutations, potentially very simple

(e.g. ρiz (x ) = x ⊕ z) • encryption keys φ1 (k), . . . , φr (k) can be deterministically

related or independent

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

11 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Induced Sequential Cipher k z φ1 x

ρ0z

E

ρ1z

φ2

φr

E

E

ρrz

y

• k fixed and known

⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z

• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

12 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Induced Sequential Cipher z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

• k fixed and known

⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z

• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

12 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Induced Sequential Cipher z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

• k fixed and known

⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z

• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

12 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Induced Sequential Cipher z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

• k fixed and known

⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z

• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

12 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Induced Sequential Cipher z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

• k fixed and known

⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z

• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

12 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

KLE-to-ISC Lemma k z φ1 x

ρ0z

E

ρ1z

φ2

φr

E

E

ρrz

y

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma For any M, Advsprp C (qc , qe ) ≤

rqe + AdvCsprp (qc , M) M2κ

Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

13 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

KLE-to-ISC Lemma k z φ1 x

ρ0z

E

ρ1z

φ2

φr

E

E

ρrz

y

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma For any M, Advsprp C (qc , qe ) ≤

rqe + AdvCsprp (qc , M) M2κ

Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

13 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

KLE-to-ISC Lemma z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma For any M, Advsprp C (qc , qe ) ≤

rqe + Advsprp (qc , M) C M2κ

Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

13 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

KLE-to-ISC Lemma z

x

ρ0z

P1

ρ1z

P2

Pr

ρrz

y

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma For any M, Advsprp C (qc , qe ) ≤

rqe + Advsprp (qc , M) C M2κ

Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

13 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

14 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key Whitening k x

y

E

FX construction (generic DESX) • additional keys hide i./o. of E

log2 (qe ) κ+n

• suggested by Rivest

Insec.

• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1

Gaži, Lee, Seurin, Steinberger, Tessaro

Sec. κ

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

15 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key Whitening k z0 x

z1 y

E

FX construction (generic DESX) • additional keys hide i./o. of E

log2 (qe ) κ+n

• suggested by Rivest

Insec.

• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1

Gaži, Lee, Seurin, Steinberger, Tessaro

Sec. κ

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

15 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key Whitening k z0 x

z1 y

E

FX construction (generic DESX) • additional keys hide i./o. of E

log2 (qe ) κ+n

• suggested by Rivest

Insec.

• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1

Gaži, Lee, Seurin, Steinberger, Tessaro

Sec. κ

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

15 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key Whitening k z0 x

z1 y

E

FX construction (generic DESX) • additional keys hide i./o. of E

log2 (qe ) κ+n

• suggested by Rivest

Insec.

• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1

Gaži, Lee, Seurin, Steinberger, Tessaro

Sec. κ

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

15 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Key Whitening k z x

z y

E

FX construction (generic DESX) • additional keys hide i./o. of E

log2 (qe ) κ+n

• suggested by Rivest

Insec.

• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1

Gaži, Lee, Seurin, Steinberger, Tessaro

Sec. κ

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

15 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

2XOR construction [GT12] φ(k)

k z

z

x

E

2XOR construction

E

y

log2 (qe )

• combines key-whitening and

FX

κ+n

cascading • same whitening key z

κ+

n 2

• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security

κ

for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

16 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

2XOR construction [GT12] φ(k)

k z

z

x

E

2XOR construction

E

y

log2 (qe )

• combines key-whitening and

FX

κ+n

cascading • same whitening key z

κ+

n 2

• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security

κ

for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

16 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

2XOR construction [GT12] φ(k)

k z

z

x

E

2XOR construction

E

y

log2 (qe )

• combines key-whitening and

FX

κ+n

cascading • same whitening key z

κ+

n 2

• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security

κ

for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

0

n

log2 (qc )

FSE 2015

16 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Refined Analysis of 2XOR φ(k)

k z x

z E

We (tightly) complete the picture:

y

E

log2 (qe ) FX

κ+n

• for 1 ≤ qc ≤ 2n/2 :

same security bound as FX

κ+

n 2

• for 2n/2 ≤ qc ≤ 2n :

secure when qe 2κ+n/2

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

n 2

n

log2 (qc )

FSE 2015

17 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Refined Analysis of 2XOR φ(k)

k z x

z E

We (tightly) complete the picture:

y

E

log2 (qe ) FX

κ+n

2XOR

• for 1 ≤ qc ≤ 2n/2 :

same security bound as FX

κ+

n 2

• for 2n/2 ≤ qc ≤ 2n :

secure when qe 2κ+n/2

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

n 2

n

log2 (qc )

FSE 2015

17 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Refined Analysis of 2XOR φ(k)

k z x

z E

We (tightly) complete the picture:

y

E

log2 (qe ) FX

κ+n

2XOR

• for 1 ≤ qc ≤ 2n/2 :

same security bound as FX

κ+

n 2

• for 2n/2 ≤ qc ≤ 2n :

secure when qe 2κ+n/2

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

n 2

n

log2 (qc )

FSE 2015

17 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z x

z E

z E

y

3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps z x

z P1

z P2

y

3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps z x

z P1

z P2

y

3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z

z

x

z

E

E

log2 (qe )

y

2XOR (tight)

κ+n

κ+ κ+

3n 4 2n 3

κ+

n 2

0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z

z

x

z

E

E

log2 (qe )

y

2XOR (tight)

κ+n 3XOR

κ+ κ+

3n 4 2n 3

κ+

n 2

0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z

z

x

z

E

E

log2 (qe )

y

2XOR (tight)

κ+n 3XOR

κ+ κ+

3n 4 2n 3

κ+

n 2

0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z

z

x

z

E

E

log2 (qe )

y

2XOR (tight)

κ+n 3XOR Gaži’s generic attack [Gaz13] κ+ κ+

3n 4 2n 3

κ+

n 2

0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

3XOR: Final Whitening Step Helps φ(k)

k z

z

x

z

E

E

y

log2 (qe ) κ+n 3XOR Gaži’s generic attack [Gaz13]

Insec. κ+ κ+

?

3n 4 2n 3

κ+

Sec. ?

n 2

0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

18 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

A 2-call Construction without Rekeying

φ(k)

k z

z x

E

z E

y

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

19 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

A 2-call Construction without Rekeying

k

k z x

z

π(z) E

E

y

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

19 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

A 2-call Construction without Rekeying

k

k z x

z

π(z) E

E

y

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

19 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

A 2-call Construction without Rekeying

k

k z x

z

π(z) E

E

y

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

19 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x

φ2 (k)

φr (k)

z1 E

zr E

E

y

Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) z0 x

z1 P1

zr P2

Pr

y

Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x

φ2 (k)

φr (k)

z1 E

zr E

E

y

Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x

φ2 (k)

φr (k)

z1 E

zr E

E

y

Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0

φ2 (k)

φr (k)

z1

x

E

zr E

E

y

log2 (qe ) κ+n

r = +∞ r =3 r =2 r = 1 (FX)

2n 3 + n2

κ+ κ

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0

φ2 (k)

φr (k)

z1

x

E

zr E

E

y

log2 (qe ) κ+n

r = +∞ r =3 r =2 r = 1 (FX)

2n 3 + n2

κ+ κ

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0

φ2 (k)

φr (k)

z1

x

E

zr E

E

y

log2 (qe ) κ+n

r = +∞ r =3 r =2 r = 1 (FX)

2n 3 + n2

κ+ κ

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0

φ2 (k)

φr (k)

z1

x

E

zr E

E

y

log2 (qe ) κ+n

r = +∞ r =3 r =2 r = 1 (FX)

2n 3 + n2

κ+ κ

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Independent Whitening Keys (XOR-Cascade) φ1 (k) z0

φ2 (k)

φr (k)

z1

x

E

zr E

E

y

log2 (qe ) κ+n

r = +∞ r =3 r =2 r = 1 (FX)

2n 3 + n2

κ+ κ

κ 0

Gaži, Lee, Seurin, Steinberger, Tessaro

n

log2 (qc )

Relaxing Full-Codebook Security

FSE 2015

20 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

21 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Plain Cascade Encryption

x

k1

k2

k3

k`

E

E

E

E

y

Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1

qe 2κ+ `+1 n

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

22 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Plain Cascade Encryption

x

k1

k2

k3

k`

E

E

E

E

y

Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1

qe 2κ+ `+1 n

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

22 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Plain Cascade Encryption

x

k1

k2

k3

k`

E

E

E

E

y

Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1

qe 2κ+ `+1 n

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

22 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Plain Cascade Encryption

x

k1

k2

k3

k`

E

E

E

E

y

Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1

qe 2κ+ `+1 n

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

22 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption

x

k1

k2

k3

k4

k5

E

E

E

E

E

y

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption

x

k1

k2

k3

k4

k5

E0

E

E0

E

E0

y

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption

x

k1

k2

k3

k4

k5

E0

E

E0

E

E0

y

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption k1 x

E0

k3 P2

E0

k5 P4

y

E0

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption k1 x

E0

k3 P2

E0

k5 P4

y

E0

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Our Analysis of Plain Cascade Encryption k1 x

E0

k3 P2

E0

k5 P4

y

E0

• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when

qc · qer 2r (κ+n) ,

Gaži, Lee, Seurin, Steinberger, Tessaro

qc 2κ ,

Relaxing Full-Codebook Security

qe 22κ

FSE 2015

23 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Case of Triple Encryption

x

k1

k2

k3

E

E

E

• our bound:

y

log2 (qe ) κ+n

qc 2κ

2κ

qe 22κ qc · qe 2κ+n

κ+

n 2

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro

κ 0

Relaxing Full-Codebook Security

n 2

κ

n

log2 (qc )

FSE 2015

24 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Case of Triple Encryption

x

k1

k2

k3

E

E

E

• our bound:

y

log2 (qe ) κ+n

qc 2κ

2κ

qe 22κ qc · qe 2κ+n

κ+

n 2

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro

κ 0

Relaxing Full-Codebook Security

n 2

κ

n

log2 (qc )

FSE 2015

24 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Case of Triple Encryption

x

k1

k2

k3

E

E

E

• our bound:

y

log2 (qe ) κ+n

qc 2κ

2κ

qe 22κ qc · qe 2κ+n

κ+

n 2

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro

κ 0

Relaxing Full-Codebook Security

n 2

κ

n

log2 (qc )

FSE 2015

24 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The Case of Triple Encryption

x

k1

k2

k3

E

E

E

• our bound:

y

log2 (qe ) κ+n

qc 2κ

2κ

?

2κ

qe 2

qc · qe 2κ+n

κ+

n 2

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro

κ 0

Relaxing Full-Codebook Security

n 2

κ

n

log2 (qc )

FSE 2015

24 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe ) κ+n κ+

3n 4

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe )

FX (tight)

κ+n κ+

3n 4

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe )

FX (tight) 2XOR (tight)

κ+n κ+

3n 4

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe )

FX (tight) 2XOR (tight) triple encryption

κ+n κ+

3n 4

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe )

FX (tight) 2XOR (tight) triple encryption

κ+n κ+

3n 4

3XOR

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion I log2 (qe )

FX (tight) 2XOR (tight) triple encryption

κ+n κ+

3n 4

3XOR 2-r. xor-cascade (tight) (ind. whit. keys)

2n 3 + n2

κ+ κ

κ

log2 (qc ) 0

n 4

Gaži, Lee, Seurin, Steinberger, Tessaro

n 2

2n 3n 3 4

n

Relaxing Full-Codebook Security

FSE 2015

25 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

26 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

26 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

26 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

26 / 29

Key-Length Extension

Main Lemma

Randomized Cascading

Plain Cascading

Conclusion

The end. . .

Thanks for your attention! Comments or questions?

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

27 / 29

References

References I Mihir Bellare and Phillip Rogaway. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of LNCS, pages 409–426. Springer, 2006. Full version available at http://eprint.iacr.org/2004/331. Shan Chen, Rodolphe Lampe, Jooyoung Lee, Yannick Seurin, and John P. Steinberger. Minimizing the Two-Round Even-Mansour Cipher. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 39–56. Springer, 2014. Full version available at http://eprint.iacr.org/2014/443. Shan Chen and John Steinberger. Tight Security Bounds for Key-Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of LNCS, pages 327–350. Springer, 2014. Full version available at http://eprint.iacr.org/2013/222.

Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

28 / 29

References

References II Yuanxi Dai, Jooyoung Lee, Bart Mennink, and John P. Steinberger. The Security of Multiple Encryption in the Ideal Cipher Model. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 20–38. Springer, 2014. Peter Gazi. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS, pages 551–570. Springer, 2013. Peter Gazi and Stefano Tessaro. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of LNCS, pages 63–80. Springer, 2012. Joe Kilian and Phillip Rogaway. How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology, 14(1):17–35, 2001. Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security

FSE 2015

29 / 29

Relaxing Full-Codebook Security: A Refined ... - Yannick Seurin's

des documents recommandant