Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes Peter Gaži1 Jooyoung Lee2 Yannick Seurin3 John Steinberger4 Stefano Tessaro5 1 IST, 2 Sejong
Austria
University, Korea
3 ANSSI, 4 Tsinghua 5 UC
France
University, China
Santa Barbara, USA
March 10, 2015 - FSE 2015 Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
1 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Outline
Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
2 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
A block cipher E
Notation
• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
A block cipher E
Notation
• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
A block cipher E
Notation
• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
A block cipher E
Notation
• takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
Notation
A block cipher E • takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Ciphers k x
E
y
Notation
A block cipher E • takes as input • a plaintext x ∈ {0, 1}n • a key k ∈ {0, 1}κ
• n = block-length • κ = key-length
• outputs a ciphertext y ∈ {0, 1}n • Ek (·) is a permutation ∀k • examples: DES, AES, IDEA, etc. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
3 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Cipher Security: Pseudorandom Permutations random key
unif. random permutation
k
E
P
0/1
0/1
SPRP (a.k.a. CCA) advantage:
h
i
h
i
Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
4 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Cipher Security: Pseudorandom Permutations random key
unif. random permutation
k
E
P
0/1
0/1
SPRP (a.k.a. CCA) advantage:
h
i
h
i
Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
4 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Cipher Security: Pseudorandom Permutations random key
unif. random permutation
k
E
P
0/1
0/1
SPRP (a.k.a. CCA) advantage:
h
i
h
i
Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
4 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Block Cipher Security: Pseudorandom Permutations random key
unif. random permutation
k
E
P
0/1
0/1
SPRP (a.k.a. CCA) advantage:
h
i
h
i
Ek Advsprp = 1 − Pr DP = 1 E (D) = Pr D
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
4 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length is Crucial k x
E
y
Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E
Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries
• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
5 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length is Crucial k x
E
y
Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E
Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries
• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
5 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length is Crucial k x
E
y
Exhaustive key search • key k is recoverable in ∼ 2κ evaluations of E
Given O ∈ {P, Ek }: 1. y ← O(0n ) 2. ∀k 0 ∈ {0, 1}κ : (a) y 0 ← Ek 0 (0n ) (b) if y = y 0 , check k 0 with some extra queries
• this also upper bounds PRP-security! • this is a generic attack (works for any E ) Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
5 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Key-Length Extension (KLE) Problem k0 C k y0
x0 x
E
y
Goal: construct from E a new block cipher 0
C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that
Examples • Triple Encryption
• κ0 > κ • best generic attack requires > 2κ
evaluations of E and C
• FX construction
(generic DESX)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
6 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Key-Length Extension (KLE) Problem k0 C k y0
x0 x
E
y
Goal: construct from E a new block cipher 0
C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that
Examples • Triple Encryption
• κ0 > κ • best generic attack requires > 2κ
evaluations of E and C
• FX construction
(generic DESX)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
6 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Key-Length Extension (KLE) Problem k0 C k y0
x0 x
E
y
Goal: construct from E a new block cipher 0
C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that
Examples • Triple Encryption
• κ0 > κ • best generic attack requires > 2κ
evaluations of E and C
• FX construction
(generic DESX)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
6 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Key-Length Extension (KLE) Problem k0 C k y0
x0 x
E
y
Goal: construct from E a new block cipher 0
C[E ] : {0, 1}κ × {0, 1}n → {0, 1}n such that
Examples • Triple Encryption
• κ0 > κ • best generic attack requires > 2κ
evaluations of E and C
• FX construction
(generic DESX)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
6 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher
k x
E
y
Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)
Generic Security • attacks cannot exploit any weakness of E
⇒ “generic” attacks
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
7 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher
k x
E
y
Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)
Generic Security • attacks cannot exploit any weakness of E
⇒ “generic” attacks
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
7 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Ideal Cipher Model (ICM) We will model the underlying block cipher E as an ideal cipher
k x
E
y
Ideal Block Cipher Model • family of uniformly random permutations Ek (·) • independent for each key • given as an oracle to all parties (incl. adversaries)
Generic Security • attacks cannot exploit any weakness of E
⇒ “generic” attacks
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
7 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length Extension in the ICM k C P E
E qe
qc
E qe
0/1
• • • •
qc
0/1
qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
8 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length Extension in the ICM k C P E
E qe
qc
E qe
0/1
• • • •
qc
0/1
qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
8 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length Extension in the ICM k C P E
E qe
qc
E qe
0/1
• • • •
qc
0/1
qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
8 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key-Length Extension in the ICM k C P E
E qe
qc
E qe
0/1
• • • •
qc
0/1
qc construction queries to Ck [E ](·) or P(·) qe ideal cipher queries to E (·, ·) it is computationally unbounded (information-theoretic sec.) NB: generic attack with qe = 2κ+n for any KLE scheme
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
8 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])
⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n
• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n
previous work
κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
9 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])
⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n
• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n
previous work
κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
9 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])
⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n
• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n
previous work
κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
9 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Full vs. Partial Codebook Query Accounting • most previous work sets qc = 2n (full codebook of C[E ])
⇒ qe is the only complexity measure • too restrictive! • number of pt/ct pairs can be limited (frequent rekeying) • mode of operation may impose qc 2n
• we aim at studying the entire plan (qc , qe ) log2 (qe ) κ+n
previous work
this work κ 0 Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
9 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Outline
Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
10 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Randomized Key-Length Extension Schemes Very general class abiding to the following structure: k z φ1 x
ρ0z
ρ1z
E
φ2
φr
E
E
ρrz
y
• the ρi ’s are keyed permutations, potentially very simple
(e.g. ρiz (x ) = x ⊕ z) • encryption keys φ1 (k), . . . , φr (k) can be deterministically
related or independent
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
11 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Induced Sequential Cipher k z φ1 x
ρ0z
E
ρ1z
φ2
φr
E
E
ρrz
y
• k fixed and known
⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z
• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
12 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Induced Sequential Cipher z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
• k fixed and known
⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z
• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
12 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Induced Sequential Cipher z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
• k fixed and known
⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z
• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
12 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Induced Sequential Cipher z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
• k fixed and known
⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z
• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
12 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Induced Sequential Cipher z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
• k fixed and known
⇒ C[E ] = block cipher construction using • independent public permutations P1 , . . . , Pr • key z
• ⇒ induced sequential cipher (ISC) of C, denoted C • generalization of a key-alternating cipher • well-studied design in the Random Permutation Model Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
12 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
KLE-to-ISC Lemma k z φ1 x
ρ0z
E
ρ1z
φ2
φr
E
E
ρrz
y
Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C
Lemma For any M, Advsprp C (qc , qe ) ≤
rqe + AdvCsprp (qc , M) M2κ
Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
13 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
KLE-to-ISC Lemma k z φ1 x
ρ0z
E
ρ1z
φ2
φr
E
E
ρrz
y
Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C
Lemma For any M, Advsprp C (qc , qe ) ≤
rqe + AdvCsprp (qc , M) M2κ
Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
13 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
KLE-to-ISC Lemma z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C
Lemma For any M, Advsprp C (qc , qe ) ≤
rqe + Advsprp (qc , M) C M2κ
Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
13 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
KLE-to-ISC Lemma z
x
ρ0z
P1
ρ1z
P2
Pr
ρrz
y
Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C
Lemma For any M, Advsprp C (qc , qe ) ≤
rqe + Advsprp (qc , M) C M2κ
Optimizing M yields a bound that depends only on qc and qe . Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
13 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Outline
Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
14 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key Whitening k x
y
E
FX construction (generic DESX) • additional keys hide i./o. of E
log2 (qe ) κ+n
• suggested by Rivest
Insec.
• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1
Gaži, Lee, Seurin, Steinberger, Tessaro
Sec. κ
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
15 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key Whitening k z0 x
z1 y
E
FX construction (generic DESX) • additional keys hide i./o. of E
log2 (qe ) κ+n
• suggested by Rivest
Insec.
• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1
Gaži, Lee, Seurin, Steinberger, Tessaro
Sec. κ
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
15 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key Whitening k z0 x
z1 y
E
FX construction (generic DESX) • additional keys hide i./o. of E
log2 (qe ) κ+n
• suggested by Rivest
Insec.
• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1
Gaži, Lee, Seurin, Steinberger, Tessaro
Sec. κ
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
15 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key Whitening k z0 x
z1 y
E
FX construction (generic DESX) • additional keys hide i./o. of E
log2 (qe ) κ+n
• suggested by Rivest
Insec.
• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1
Gaži, Lee, Seurin, Steinberger, Tessaro
Sec. κ
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
15 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Key Whitening k z x
z y
E
FX construction (generic DESX) • additional keys hide i./o. of E
log2 (qe ) κ+n
• suggested by Rivest
Insec.
• analyzed by [KR01] • secure when qc · qe 2κ+n • same bound when z0 = z1
Gaži, Lee, Seurin, Steinberger, Tessaro
Sec. κ
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
15 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
2XOR construction [GT12] φ(k)
k z
z
x
E
2XOR construction
E
y
log2 (qe )
• combines key-whitening and
FX
κ+n
cascading • same whitening key z
κ+
n 2
• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security
κ
for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
16 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
2XOR construction [GT12] φ(k)
k z
z
x
E
2XOR construction
E
y
log2 (qe )
• combines key-whitening and
FX
κ+n
cascading • same whitening key z
κ+
n 2
• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security
κ
for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
16 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
2XOR construction [GT12] φ(k)
k z
z
x
E
2XOR construction
E
y
log2 (qe )
• combines key-whitening and
FX
κ+n
cascading • same whitening key z
κ+
n 2
• φ such that ∀k, φ(k) 6= k • [GT12] proved (tight) security
κ
for qc = 2n and qe 2κ+n/2 Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
0
n
log2 (qc )
FSE 2015
16 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Refined Analysis of 2XOR φ(k)
k z x
z E
We (tightly) complete the picture:
y
E
log2 (qe ) FX
κ+n
• for 1 ≤ qc ≤ 2n/2 :
same security bound as FX
κ+
n 2
• for 2n/2 ≤ qc ≤ 2n :
secure when qe 2κ+n/2
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
n 2
n
log2 (qc )
FSE 2015
17 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Refined Analysis of 2XOR φ(k)
k z x
z E
We (tightly) complete the picture:
y
E
log2 (qe ) FX
κ+n
2XOR
• for 1 ≤ qc ≤ 2n/2 :
same security bound as FX
κ+
n 2
• for 2n/2 ≤ qc ≤ 2n :
secure when qe 2κ+n/2
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
n 2
n
log2 (qc )
FSE 2015
17 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Refined Analysis of 2XOR φ(k)
k z x
z E
We (tightly) complete the picture:
y
E
log2 (qe ) FX
κ+n
2XOR
• for 1 ≤ qc ≤ 2n/2 :
same security bound as FX
κ+
n 2
• for 2n/2 ≤ qc ≤ 2n :
secure when qe 2κ+n/2
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
n 2
n
log2 (qc )
FSE 2015
17 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z x
z E
z E
y
3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher
with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps z x
z P1
z P2
y
3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher
with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps z x
z P1
z P2
y
3XOR construction • add a final whitening step • induced sequential cipher = 2-round Even-Mansour cipher
with identical keys ⇒ analyzed by [CLL+ 14] • we can apply the KLE-to-ISC Lemma
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z
z
x
z
E
E
log2 (qe )
y
2XOR (tight)
κ+n
κ+ κ+
3n 4 2n 3
κ+
n 2
0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z
z
x
z
E
E
log2 (qe )
y
2XOR (tight)
κ+n 3XOR
κ+ κ+
3n 4 2n 3
κ+
n 2
0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z
z
x
z
E
E
log2 (qe )
y
2XOR (tight)
κ+n 3XOR
κ+ κ+
3n 4 2n 3
κ+
n 2
0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z
z
x
z
E
E
log2 (qe )
y
2XOR (tight)
κ+n 3XOR Gaži’s generic attack [Gaz13] κ+ κ+
3n 4 2n 3
κ+
n 2
0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
3XOR: Final Whitening Step Helps φ(k)
k z
z
x
z
E
E
y
log2 (qe ) κ+n 3XOR Gaži’s generic attack [Gaz13]
Insec. κ+ κ+
?
3n 4 2n 3
κ+
Sec. ?
n 2
0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
18 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
A 2-call Construction without Rekeying
φ(k)
k z
z x
E
z E
y
• drawback of 2XOR and 3XOR constructions:
call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
19 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
A 2-call Construction without Rekeying
k
k z x
z
π(z) E
E
y
• drawback of 2XOR and 3XOR constructions:
call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
19 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
A 2-call Construction without Rekeying
k
k z x
z
π(z) E
E
y
• drawback of 2XOR and 3XOR constructions:
call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
19 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
A 2-call Construction without Rekeying
k
k z x
z
π(z) E
E
y
• drawback of 2XOR and 3XOR constructions:
call the block cipher E with two distinct keys • we propose a construction calling E twice with the same key • π is a linear orthomorphism • security bound qualitatively similar to 3XOR
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
19 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x
φ2 (k)
φr (k)
z1 E
zr E
E
y
Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher
⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) z0 x
z1 P1
zr P2
Pr
y
Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher
⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x
φ2 (k)
φr (k)
z1 E
zr E
E
y
Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher
⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0 x
φ2 (k)
φr (k)
z1 E
zr E
E
y
Xor-Cascade Encryption: XCE • independent whitening keys, distinct encryption keys • induced sequential cipher = iterated Even-Mansour cipher
⇒ tightly analyzed by Chen and Steinberger [CS14] • r -round XCE is secure as long as qc · qer 2r (κ+n) • matched by Gaži’s attack [Gaz13]
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0
φ2 (k)
φr (k)
z1
x
E
zr E
E
y
log2 (qe ) κ+n
r = +∞ r =3 r =2 r = 1 (FX)
2n 3 + n2
κ+ κ
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0
φ2 (k)
φr (k)
z1
x
E
zr E
E
y
log2 (qe ) κ+n
r = +∞ r =3 r =2 r = 1 (FX)
2n 3 + n2
κ+ κ
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0
φ2 (k)
φr (k)
z1
x
E
zr E
E
y
log2 (qe ) κ+n
r = +∞ r =3 r =2 r = 1 (FX)
2n 3 + n2
κ+ κ
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0
φ2 (k)
φr (k)
z1
x
E
zr E
E
y
log2 (qe ) κ+n
r = +∞ r =3 r =2 r = 1 (FX)
2n 3 + n2
κ+ κ
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Independent Whitening Keys (XOR-Cascade) φ1 (k) z0
φ2 (k)
φr (k)
z1
x
E
zr E
E
y
log2 (qe ) κ+n
r = +∞ r =3 r =2 r = 1 (FX)
2n 3 + n2
κ+ κ
κ 0
Gaži, Lee, Seurin, Steinberger, Tessaro
n
log2 (qc )
Relaxing Full-Codebook Security
FSE 2015
20 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Outline
Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
21 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Plain Cascade Encryption
x
k1
k2
k3
k`
E
E
E
E
y
Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1
qe 2κ+ `+1 n
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
22 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Plain Cascade Encryption
x
k1
k2
k3
k`
E
E
E
E
y
Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1
qe 2κ+ `+1 n
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
22 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Plain Cascade Encryption
x
k1
k2
k3
k`
E
E
E
E
y
Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1
qe 2κ+ `+1 n
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
22 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Plain Cascade Encryption
x
k1
k2
k3
k`
E
E
E
E
y
Cascade Encryption • encrypt ` times with independent keys • ` = 2 does not help (meet-in-the-middle attack [DH77]) • security gain starting from ` = 3 [BR06] • tight bound for qc = 2n [DLMS14]: for odd `, secure when `−1
qe 2κ+ `+1 n
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
22 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption
x
k1
k2
k3
k4
k5
E
E
E
E
E
y
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption
x
k1
k2
k3
k4
k5
E0
E
E0
E
E0
y
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption
x
k1
k2
k3
k4
k5
E0
E
E0
E
E0
y
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption k1 x
E0
k3 P2
E0
k5 P4
y
E0
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption k1 x
E0
k3 P2
E0
k5 P4
y
E0
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Our Analysis of Plain Cascade Encryption k1 x
E0
k3 P2
E0
k5 P4
y
E0
• use 2 independent ideal ciphers E , E 0 (key-domain separation) • reveal function table of E 0 for free ⇒ randomized KLE • apply the KLE-to-ISC Lemma • generalize analysis of key-alternating ciphers of [CS14] • our result: plain cascade of length ` = 2r + 1 is secure when
qc · qer 2r (κ+n) ,
Gaži, Lee, Seurin, Steinberger, Tessaro
qc 2κ ,
Relaxing Full-Codebook Security
qe 22κ
FSE 2015
23 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Case of Triple Encryption
x
k1
k2
k3
E
E
E
• our bound:
y
log2 (qe ) κ+n
qc 2κ
2κ
qe 22κ qc · qe 2κ+n
κ+
n 2
• when 2n/2 ≤ qc ≤ 2n
⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro
κ 0
Relaxing Full-Codebook Security
n 2
κ
n
log2 (qc )
FSE 2015
24 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Case of Triple Encryption
x
k1
k2
k3
E
E
E
• our bound:
y
log2 (qe ) κ+n
qc 2κ
2κ
qe 22κ qc · qe 2κ+n
κ+
n 2
• when 2n/2 ≤ qc ≤ 2n
⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro
κ 0
Relaxing Full-Codebook Security
n 2
κ
n
log2 (qc )
FSE 2015
24 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Case of Triple Encryption
x
k1
k2
k3
E
E
E
• our bound:
y
log2 (qe ) κ+n
qc 2κ
2κ
qe 22κ qc · qe 2κ+n
κ+
n 2
• when 2n/2 ≤ qc ≤ 2n
⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro
κ 0
Relaxing Full-Codebook Security
n 2
κ
n
log2 (qc )
FSE 2015
24 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The Case of Triple Encryption
x
k1
k2
k3
E
E
E
• our bound:
y
log2 (qe ) κ+n
qc 2κ
2κ
?
2κ
qe 2
qc · qe 2κ+n
κ+
n 2
• when 2n/2 ≤ qc ≤ 2n
⇒ [DLMS14] bound applies (qe 2κ+n/2 ) Gaži, Lee, Seurin, Steinberger, Tessaro
κ 0
Relaxing Full-Codebook Security
n 2
κ
n
log2 (qc )
FSE 2015
24 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe ) κ+n κ+
3n 4
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe )
FX (tight)
κ+n κ+
3n 4
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe )
FX (tight) 2XOR (tight)
κ+n κ+
3n 4
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe )
FX (tight) 2XOR (tight) triple encryption
κ+n κ+
3n 4
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe )
FX (tight) 2XOR (tight) triple encryption
κ+n κ+
3n 4
3XOR
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion I log2 (qe )
FX (tight) 2XOR (tight) triple encryption
κ+n κ+
3n 4
3XOR 2-r. xor-cascade (tight) (ind. whit. keys)
2n 3 + n2
κ+ κ
κ
log2 (qc ) 0
n 4
Gaži, Lee, Seurin, Steinberger, Tessaro
n 2
2n 3n 3 4
n
Relaxing Full-Codebook Security
FSE 2015
25 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion II
• our results seem to advocate in favor of xor-cascade rather than
plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues
(see time-memory-data trade-off by Dinur, EC 2015)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
26 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion II
• our results seem to advocate in favor of xor-cascade rather than
plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues
(see time-memory-data trade-off by Dinur, EC 2015)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
26 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion II
• our results seem to advocate in favor of xor-cascade rather than
plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues
(see time-memory-data trade-off by Dinur, EC 2015)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
26 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
Conclusion II
• our results seem to advocate in favor of xor-cascade rather than
plain cascade • e.g. triple encryption (3 E -calls) has similar security as • FX (1 E -call) for qc ≤ 2n/2 • 2XOR (2 E -calls) for 2n/2 ≤ qc ≤ 2n • but this is in the ideal cipher model (information-theoretic) • FX seems to have other “computational” issues
(see time-memory-data trade-off by Dinur, EC 2015)
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
26 / 29
Key-Length Extension
Main Lemma
Randomized Cascading
Plain Cascading
Conclusion
The end. . .
Thanks for your attention! Comments or questions?
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
27 / 29
References
References I Mihir Bellare and Phillip Rogaway. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of LNCS, pages 409–426. Springer, 2006. Full version available at http://eprint.iacr.org/2004/331. Shan Chen, Rodolphe Lampe, Jooyoung Lee, Yannick Seurin, and John P. Steinberger. Minimizing the Two-Round Even-Mansour Cipher. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 39–56. Springer, 2014. Full version available at http://eprint.iacr.org/2014/443. Shan Chen and John Steinberger. Tight Security Bounds for Key-Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of LNCS, pages 327–350. Springer, 2014. Full version available at http://eprint.iacr.org/2013/222.
Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
28 / 29
References
References II Yuanxi Dai, Jooyoung Lee, Bart Mennink, and John P. Steinberger. The Security of Multiple Encryption in the Ideal Cipher Model. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 20–38. Springer, 2014. Peter Gazi. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS, pages 551–570. Springer, 2013. Peter Gazi and Stefano Tessaro. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of LNCS, pages 63–80. Springer, 2012. Joe Kilian and Phillip Rogaway. How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology, 14(1):17–35, 2001. Gaži, Lee, Seurin, Steinberger, Tessaro
Relaxing Full-Codebook Security
FSE 2015
29 / 29