Relaxing Full-Codebook Security: A Refined Analysis of Key-Length - - PowerPoint PPT Presentation

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes

Peter Gaži1 Jooyoung Lee2 Yannick Seurin3 John Steinberger4 Stefano Tessaro5

1IST, Austria 2Sejong University, Korea 3ANSSI, France 4Tsinghua University, China 5UC Santa Barbara, USA

March 10, 2015 - FSE 2015

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 1 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 2 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Ciphers

E x k y

A block cipher E

• takes as input
• a plaintext x ∈ {0, 1}n
• a key k ∈ {0, 1}κ
• outputs a ciphertext y ∈ {0, 1}n
• Ek(·) is a permutation ∀k
• examples: DES, AES, IDEA, etc.

Notation

• n = block-length
• κ = key-length

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 3 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Cipher Security: Pseudorandom Permutations

0/1 E k random key 0/1 P

• unif. random

permutation

SPRP (a.k.a. CCA) advantage: Advsprp

E

(D) =

• Pr
• DEk = 1
• − Pr
• DP = 1
• Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security FSE 2015 4 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Cipher Security: Pseudorandom Permutations

0/1 E k random key 0/1 P

• unif. random

permutation

SPRP (a.k.a. CCA) advantage: Advsprp

E

(D) =

• Pr
• DEk = 1
• − Pr
• DP = 1
• Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security FSE 2015 4 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Cipher Security: Pseudorandom Permutations

0/1 E k random key 0/1 P

• unif. random

permutation

SPRP (a.k.a. CCA) advantage: Advsprp

E

(D) =

• Pr
• DEk = 1
• − Pr
• DP = 1
• Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security FSE 2015 4 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Block Cipher Security: Pseudorandom Permutations

0/1 E k random key 0/1 P

• unif. random

permutation

SPRP (a.k.a. CCA) advantage: Advsprp

E

(D) =

• Pr
• DEk = 1
• − Pr
• DP = 1
• Gaži, Lee, Seurin, Steinberger, Tessaro

Relaxing Full-Codebook Security FSE 2015 4 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length is Crucial

E x k y

Exhaustive key search

• key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek}:

• 1. y ← O(0n)
• 2. ∀k′ ∈ {0, 1}κ:

(a) y ′ ← Ek′(0n) (b) if y = y ′, check k′ with some extra queries

• this also upper bounds PRP-security!
• this is a generic attack (works for any E)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 5 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length is Crucial

E x k y

Exhaustive key search

• key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek}:

• 1. y ← O(0n)
• 2. ∀k′ ∈ {0, 1}κ:

(a) y ′ ← Ek′(0n) (b) if y = y ′, check k′ with some extra queries

• this also upper bounds PRP-security!
• this is a generic attack (works for any E)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 5 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length is Crucial

E x k y

Exhaustive key search

• key k is recoverable in ∼ 2κ evaluations of E

Given O ∈ {P, Ek}:

• 1. y ← O(0n)
• 2. ∀k′ ∈ {0, 1}κ:

(a) y ′ ← Ek′(0n) (b) if y = y ′, check k′ with some extra queries

• this also upper bounds PRP-security!
• this is a generic attack (works for any E)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 5 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Key-Length Extension (KLE) Problem

x ′ y ′ k′ C E x y k

Examples

• Triple Encryption
• FX construction

(generic DESX)

Goal:

construct from E a new block cipher C[E] : {0, 1}κ′ × {0, 1}n → {0, 1}n such that

• κ′ > κ
• best generic attack requires > 2κ

evaluations of E and C

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 6 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Key-Length Extension (KLE) Problem

x ′ y ′ k′ C E x y k

Examples

• Triple Encryption
• FX construction

(generic DESX)

Goal:

construct from E a new block cipher C[E] : {0, 1}κ′ × {0, 1}n → {0, 1}n such that

• κ′ > κ
• best generic attack requires > 2κ

evaluations of E and C

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 6 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Key-Length Extension (KLE) Problem

x ′ y ′ k′ C E x y k

Examples

• Triple Encryption
• FX construction

(generic DESX)

Goal:

construct from E a new block cipher C[E] : {0, 1}κ′ × {0, 1}n → {0, 1}n such that

• κ′ > κ
• best generic attack requires > 2κ

evaluations of E and C

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 6 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Key-Length Extension (KLE) Problem

x ′ y ′ k′ C E x y k

Examples

• Triple Encryption
• FX construction

(generic DESX)

Goal:

construct from E a new block cipher C[E] : {0, 1}κ′ × {0, 1}n → {0, 1}n such that

• κ′ > κ
• best generic attack requires > 2κ

evaluations of E and C

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 6 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Ideal Cipher Model (ICM)

We will model the underlying block cipher E as an ideal cipher

E x y k

Ideal Block Cipher Model

• family of uniformly random permutations Ek(·)
• independent for each key
• given as an oracle to all parties (incl. adversaries)

Generic Security

• attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 7 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Ideal Cipher Model (ICM)

We will model the underlying block cipher E as an ideal cipher

E x y k

Ideal Block Cipher Model

• family of uniformly random permutations Ek(·)
• independent for each key
• given as an oracle to all parties (incl. adversaries)

Generic Security

• attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 7 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Ideal Cipher Model (ICM)

We will model the underlying block cipher E as an ideal cipher

E x y k

Ideal Block Cipher Model

• family of uniformly random permutations Ek(·)
• independent for each key
• given as an oracle to all parties (incl. adversaries)

Generic Security

• attacks cannot exploit any weakness of E

⇒ “generic” attacks

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 7 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length Extension in the ICM

0/1 E k C E qe qc 0/1 E P qe qc

• qc construction queries to Ck[E](·) or P(·)
• qe ideal cipher queries to E(·, ·)
• it is computationally unbounded (information-theoretic sec.)
• NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 8 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length Extension in the ICM

0/1 E k C E qe qc 0/1 E P qe qc

• qc construction queries to Ck[E](·) or P(·)
• qe ideal cipher queries to E(·, ·)
• it is computationally unbounded (information-theoretic sec.)
• NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 8 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length Extension in the ICM

0/1 E k C E qe qc 0/1 E P qe qc

• qc construction queries to Ck[E](·) or P(·)
• qe ideal cipher queries to E(·, ·)
• it is computationally unbounded (information-theoretic sec.)
• NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 8 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key-Length Extension in the ICM

0/1 E k C E qe qc 0/1 E P qe qc

• qc construction queries to Ck[E](·) or P(·)
• qe ideal cipher queries to E(·, ·)
• it is computationally unbounded (information-theoretic sec.)
• NB: generic attack with qe = 2κ+n for any KLE scheme

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 8 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Full vs. Partial Codebook

Query Accounting

• most previous work sets qc = 2n (full codebook of C[E])

⇒ qe is the only complexity measure

• too restrictive!
• number of pt/ct pairs can be limited (frequent rekeying)
• mode of operation may impose qc ≪ 2n
• we aim at studying the entire plan (qc, qe)

log2(qc) log2(qe) n κ κ + n previous work

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 9 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Full vs. Partial Codebook

Query Accounting

• most previous work sets qc = 2n (full codebook of C[E])

⇒ qe is the only complexity measure

• too restrictive!
• number of pt/ct pairs can be limited (frequent rekeying)
• mode of operation may impose qc ≪ 2n
• we aim at studying the entire plan (qc, qe)

log2(qc) log2(qe) n κ κ + n previous work

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 9 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Full vs. Partial Codebook

Query Accounting

• most previous work sets qc = 2n (full codebook of C[E])

⇒ qe is the only complexity measure

• too restrictive!
• number of pt/ct pairs can be limited (frequent rekeying)
• mode of operation may impose qc ≪ 2n
• we aim at studying the entire plan (qc, qe)

log2(qc) log2(qe) n κ κ + n previous work

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 9 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Full vs. Partial Codebook

Query Accounting

• most previous work sets qc = 2n (full codebook of C[E])

⇒ qe is the only complexity measure

• too restrictive!
• number of pt/ct pairs can be limited (frequent rekeying)
• mode of operation may impose qc ≪ 2n
• we aim at studying the entire plan (qc, qe)

this work log2(qc) log2(qe) n κ κ + n previous work

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 9 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 10 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Randomized Key-Length Extension Schemes

Very general class abiding to the following structure:

x z k E ρ0

z

φ1 E ρ1

z

φ2 E y ρr

z

φr

• the ρi’s are keyed permutations, potentially very simple

(e.g. ρi

z(x) = x ⊕ z)

• encryption keys φ1(k), . . . , φr(k) can be deterministically

related or independent

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 11 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Induced Sequential Cipher

x z E ρ0

z

E ρ1

z

E y ρr

z

k φ1 φ2 φr

• k fixed and known

⇒ C[E] = block cipher construction using

• independent public permutations P1, . . . , Pr
• key z
• ⇒ induced sequential cipher (ISC) of C, denoted C
• generalization of a key-alternating cipher
• well-studied design in the Random Permutation Model

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 12 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Induced Sequential Cipher

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

• k fixed and known

⇒ C[E] = block cipher construction using

• independent public permutations P1, . . . , Pr
• key z
• ⇒ induced sequential cipher (ISC) of C, denoted C
• generalization of a key-alternating cipher
• well-studied design in the Random Permutation Model

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 12 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Induced Sequential Cipher

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

• k fixed and known

⇒ C[E] = block cipher construction using

• independent public permutations P1, . . . , Pr
• key z
• ⇒ induced sequential cipher (ISC) of C, denoted C
• generalization of a key-alternating cipher
• well-studied design in the Random Permutation Model

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 12 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Induced Sequential Cipher

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

• k fixed and known

⇒ C[E] = block cipher construction using

• independent public permutations P1, . . . , Pr
• key z
• ⇒ induced sequential cipher (ISC) of C, denoted C
• generalization of a key-alternating cipher
• well-studied design in the Random Permutation Model

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 12 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Induced Sequential Cipher

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

• k fixed and known

⇒ C[E] = block cipher construction using

• independent public permutations P1, . . . , Pr
• key z
• ⇒ induced sequential cipher (ISC) of C, denoted C
• generalization of a key-alternating cipher
• well-studied design in the Random Permutation Model

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 12 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

KLE-to-ISC Lemma

x z E ρ0

z

E ρ1

z

E y ρr

z

k φ1 φ2 φr

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma

For any M, Advsprp

C

(qc, qe) ≤ rqe M2κ + Advsprp

C

(qc, M) Optimizing M yields a bound that depends only on qc and qe.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 13 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

KLE-to-ISC Lemma

x z E ρ0

z

E ρ1

z

E y ρr

z

k φ1 φ2 φr

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma

For any M, Advsprp

C

(qc, qe) ≤ rqe M2κ + Advsprp

C

(qc, M) Optimizing M yields a bound that depends only on qc and qe.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 13 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

KLE-to-ISC Lemma

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma

For any M, Advsprp

C

(qc, qe) ≤ rqe M2κ + Advsprp

C

(qc, M) Optimizing M yields a bound that depends only on qc and qe.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 13 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

KLE-to-ISC Lemma

x z P1 ρ0

z

P2 ρ1

z

Pr y ρr

z

Allows to reduce the security analysis of a randomized KLE C to the analysis of the Induced Sequential Cipher C

Lemma

For any M, Advsprp

C

(qc, qe) ≤ rqe M2κ + Advsprp

C

(qc, M) Optimizing M yields a bound that depends only on qc and qe.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 13 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 14 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key Whitening

x E k y

FX construction (generic DESX)

• additional keys hide i./o. of E
• suggested by Rivest
• analyzed by [KR01]
• secure when qc · qe ≪ 2κ+n
• same bound when z0 = z1

log2(qc) log2(qe) n κ κ + n Sec. Insec.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 15 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key Whitening

x E z0 k y z1

FX construction (generic DESX)

• additional keys hide i./o. of E
• suggested by Rivest
• analyzed by [KR01]
• secure when qc · qe ≪ 2κ+n
• same bound when z0 = z1

log2(qc) log2(qe) n κ κ + n Sec. Insec.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 15 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key Whitening

x E z0 k y z1

FX construction (generic DESX)

• additional keys hide i./o. of E
• suggested by Rivest
• analyzed by [KR01]
• secure when qc · qe ≪ 2κ+n
• same bound when z0 = z1

log2(qc) log2(qe) n κ κ + n Sec. Insec.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 15 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key Whitening

x E z0 k y z1

FX construction (generic DESX)

• additional keys hide i./o. of E
• suggested by Rivest
• analyzed by [KR01]
• secure when qc · qe ≪ 2κ+n
• same bound when z0 = z1

log2(qc) log2(qe) n κ κ + n Sec. Insec.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 15 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Key Whitening

x E z k y z

FX construction (generic DESX)

• additional keys hide i./o. of E
• suggested by Rivest
• analyzed by [KR01]
• secure when qc · qe ≪ 2κ+n
• same bound when z0 = z1

log2(qc) log2(qe) n κ κ + n Sec. Insec.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 15 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

2XOR construction [GT12]

x E z k E z φ(k) y

2XOR construction

• combines key-whitening and

cascading

• same whitening key z
• φ such that ∀k, φ(k) = k
• [GT12] proved (tight) security

for qc = 2n and qe ≪ 2κ+n/2

log2(qc) log2(qe) n κ κ + n

2

κ + n FX

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 16 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

2XOR construction [GT12]

x E z k E z φ(k) y

2XOR construction

• combines key-whitening and

cascading

• same whitening key z
• φ such that ∀k, φ(k) = k
• [GT12] proved (tight) security

for qc = 2n and qe ≪ 2κ+n/2

log2(qc) log2(qe) n κ κ + n

2

κ + n FX

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 16 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

2XOR construction [GT12]

x E z k E z φ(k) y

2XOR construction

• combines key-whitening and

cascading

• same whitening key z
• φ such that ∀k, φ(k) = k
• [GT12] proved (tight) security

for qc = 2n and qe ≪ 2κ+n/2

log2(qc) log2(qe) n κ κ + n

2

κ + n FX

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 16 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Refined Analysis of 2XOR

x E z k E z φ(k) y

We (tightly) complete the picture:

• for 1 ≤ qc ≤ 2n/2:

same security bound as FX

• for 2n/2 ≤ qc ≤ 2n:

secure when qe ≪ 2κ+n/2

log2(qc) log2(qe)

n 2

n κ κ + n

2

κ + n FX

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 17 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Refined Analysis of 2XOR

x E z k E z φ(k) y

We (tightly) complete the picture:

• for 1 ≤ qc ≤ 2n/2:

same security bound as FX

• for 2n/2 ≤ qc ≤ 2n:

secure when qe ≪ 2κ+n/2

log2(qc) log2(qe)

n 2

n κ κ + n

2

κ + n FX 2XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 17 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Refined Analysis of 2XOR

x E z k E z φ(k) y

We (tightly) complete the picture:

• for 1 ≤ qc ≤ 2n/2:

same security bound as FX

• for 2n/2 ≤ qc ≤ 2n:

secure when qe ≪ 2κ+n/2

log2(qc) log2(qe)

n 2

n κ κ + n

2

κ + n FX 2XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 17 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

3XOR construction

• add a final whitening step
• induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+14]

• we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x P1 z P2 z y z

3XOR construction

• add a final whitening step
• induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+14]

• we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x P1 z P2 z y z

3XOR construction

• add a final whitening step
• induced sequential cipher = 2-round Even-Mansour cipher

with identical keys ⇒ analyzed by [CLL+14]

• we can apply the KLE-to-ISC Lemma

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

log2(qc) log2(qe)

2n 3 3n 4 n 2 n 4

n κ + n

2

κ + 2n

3

κ + 3n

4

κ + n 2XOR (tight)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

log2(qc) log2(qe)

2n 3 3n 4 n 2 n 4

n κ + n

2

κ + 2n

3

κ + 3n

4

κ + n 2XOR (tight) 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

log2(qc) log2(qe)

2n 3 3n 4 n 2 n 4

n κ + n

2

κ + 2n

3

κ + 3n

4

κ + n 2XOR (tight) 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

log2(qc) log2(qe)

2n 3 3n 4 n 2 n 4

n κ + n

2

κ + 2n

3

κ + 3n

4

κ + n 2XOR (tight) 3XOR Gaži’s generic attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

3XOR: Final Whitening Step Helps

x E k z E φ(k) z y z

log2(qc) log2(qe)

2n 3 3n 4 n 2 n 4

n κ + n

2

κ + 2n

3

κ + 3n

4

κ + n 3XOR Gaži’s generic attack [Gaz13] Sec. Insec. ? ?

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 18 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

A 2-call Construction without Rekeying

x E k z E φ(k) z y z

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys

• we propose a construction calling E twice with the same key
• π is a linear orthomorphism
• security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 19 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

A 2-call Construction without Rekeying

x E k z E k π(z) y z

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys

• we propose a construction calling E twice with the same key
• π is a linear orthomorphism
• security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 19 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

A 2-call Construction without Rekeying

x E k z E k π(z) y z

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys

• we propose a construction calling E twice with the same key
• π is a linear orthomorphism
• security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 19 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

A 2-call Construction without Rekeying

x E k z E k π(z) y z

• drawback of 2XOR and 3XOR constructions:

call the block cipher E with two distinct keys

• we propose a construction calling E twice with the same key
• π is a linear orthomorphism
• security bound qualitatively similar to 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 19 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

Xor-Cascade Encryption: XCE

• independent whitening keys, distinct encryption keys
• induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14]

• r-round XCE is secure as long as qc · qr

e ≪ 2r(κ+n)

• matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x P1 z0 P2 z1 Pr y zr

Xor-Cascade Encryption: XCE

• independent whitening keys, distinct encryption keys
• induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14]

• r-round XCE is secure as long as qc · qr

e ≪ 2r(κ+n)

• matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

Xor-Cascade Encryption: XCE

• independent whitening keys, distinct encryption keys
• induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14]

• r-round XCE is secure as long as qc · qr

e ≪ 2r(κ+n)

• matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

Xor-Cascade Encryption: XCE

• independent whitening keys, distinct encryption keys
• induced sequential cipher = iterated Even-Mansour cipher

⇒ tightly analyzed by Chen and Steinberger [CS14]

• r-round XCE is secure as long as qc · qr

e ≪ 2r(κ+n)

• matched by Gaži’s attack [Gaz13]

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

log2(qc) log2(qe) n κ κ + n

2

κ + 2n

3

κ + n r = 1 (FX) r = 2 r = 3 r = +∞

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

log2(qc) log2(qe) n κ κ + n

2

κ + 2n

3

κ + n r = 1 (FX) r = 2 r = 3 r = +∞

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

log2(qc) log2(qe) n κ κ + n

2

κ + 2n

3

κ + n r = 1 (FX) r = 2 r = 3 r = +∞

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

log2(qc) log2(qe) n κ κ + n

2

κ + 2n

3

κ + n r = 1 (FX) r = 2 r = 3 r = +∞

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Independent Whitening Keys (XOR-Cascade)

x E φ1(k) z0 E φ2(k) z1 E φr(k) y zr

log2(qc) log2(qe) n κ κ + n

2

κ + 2n

3

κ + n r = 1 (FX) r = 2 r = 3 r = +∞

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 20 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Outline

Context: Key-Length Extension for Block Ciphers Main Lemma Randomized Cascading Plain Cascading

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 21 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Plain Cascade Encryption

x E k1 E k2 E k3 E kℓ y

Cascade Encryption

• encrypt ℓ times with independent keys
• ℓ = 2 does not help (meet-in-the-middle attack [DH77])
• security gain starting from ℓ = 3 [BR06]
• tight bound for qc = 2n [DLMS14]: for odd ℓ, secure when

qe ≪ 2κ+ ℓ−1

ℓ+1 n Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 22 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Plain Cascade Encryption

x E k1 E k2 E k3 E kℓ y

Cascade Encryption

• encrypt ℓ times with independent keys
• ℓ = 2 does not help (meet-in-the-middle attack [DH77])
• security gain starting from ℓ = 3 [BR06]
• tight bound for qc = 2n [DLMS14]: for odd ℓ, secure when

qe ≪ 2κ+ ℓ−1

ℓ+1 n Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 22 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Plain Cascade Encryption

x E k1 E k2 E k3 E kℓ y

Cascade Encryption

• encrypt ℓ times with independent keys
• ℓ = 2 does not help (meet-in-the-middle attack [DH77])
• security gain starting from ℓ = 3 [BR06]
• tight bound for qc = 2n [DLMS14]: for odd ℓ, secure when

qe ≪ 2κ+ ℓ−1

ℓ+1 n Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 22 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Plain Cascade Encryption

x E k1 E k2 E k3 E kℓ y

Cascade Encryption

• encrypt ℓ times with independent keys
• ℓ = 2 does not help (meet-in-the-middle attack [DH77])
• security gain starting from ℓ = 3 [BR06]
• tight bound for qc = 2n [DLMS14]: for odd ℓ, secure when

qe ≪ 2κ+ ℓ−1

ℓ+1 n Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 22 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E k1 E k2 E k3 E k4 E k5 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E ′ k1 E ′ k3 E ′ k5 E k2 E k4 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E ′ k1 E ′ k3 E ′ k5 E k2 E k4 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E ′ k1 E ′ k3 E ′ k5 P2 P4 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E ′ k1 E ′ k3 E ′ k5 P2 P4 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Our Analysis of Plain Cascade Encryption

x E ′ k1 E ′ k3 E ′ k5 P2 P4 y

• use 2 independent ideal ciphers E, E ′ (key-domain separation)
• reveal function table of E ′ for free ⇒ randomized KLE
• apply the KLE-to-ISC Lemma
• generalize analysis of key-alternating ciphers of [CS14]
• our result: plain cascade of length ℓ = 2r + 1 is secure when

qc · qr

e ≪ 2r(κ+n),

qc ≪ 2κ, qe ≪ 22κ

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 23 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Case of Triple Encryption

x E k1 E k2 E k3 y

• our bound:

qc ≪ 2κ qe ≪ 22κ qc · qe ≪ 2κ+n

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe ≪ 2κ+n/2)

log2(qc) log2(qe)

n 2

κ n κ κ + n

2

2κ κ + n

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 24 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Case of Triple Encryption

x E k1 E k2 E k3 y

• our bound:

qc ≪ 2κ qe ≪ 22κ qc · qe ≪ 2κ+n

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe ≪ 2κ+n/2)

log2(qc) log2(qe)

n 2

κ n κ κ + n

2

2κ κ + n

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 24 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Case of Triple Encryption

x E k1 E k2 E k3 y

• our bound:

qc ≪ 2κ qe ≪ 22κ qc · qe ≪ 2κ+n

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe ≪ 2κ+n/2)

log2(qc) log2(qe)

n 2

κ n κ κ + n

2

2κ κ + n

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 24 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The Case of Triple Encryption

x E k1 E k2 E k3 y

• our bound:

qc ≪ 2κ qe ≪ 22κ qc · qe ≪ 2κ+n

• when 2n/2 ≤ qc ≤ 2n

⇒ [DLMS14] bound applies (qe ≪ 2κ+n/2)

? log2(qc) log2(qe)

n 2

κ n κ κ + n

2

2κ κ + n

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 24 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n FX (tight)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n FX (tight) 2XOR (tight)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n FX (tight) 2XOR (tight) triple encryption

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n FX (tight) 2XOR (tight) triple encryption 3XOR

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion I

log2(qc) log2(qe)

n 4 n 2 2n 3 3n 4

n κ κ + n

2

κ + 2n

3

κ + 3n

4

κ + n FX (tight) 2XOR (tight) triple encryption 3XOR 2-r. xor-cascade (tight) (ind. whit. keys)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 25 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade

• e.g. triple encryption (3 E-calls) has similar security as
• FX (1 E-call) for qc ≤ 2n/2
• 2XOR (2 E-calls) for 2n/2 ≤ qc ≤ 2n
• but this is in the ideal cipher model (information-theoretic)
• FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 26 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade

• e.g. triple encryption (3 E-calls) has similar security as
• FX (1 E-call) for qc ≤ 2n/2
• 2XOR (2 E-calls) for 2n/2 ≤ qc ≤ 2n
• but this is in the ideal cipher model (information-theoretic)
• FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 26 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade

• e.g. triple encryption (3 E-calls) has similar security as
• FX (1 E-call) for qc ≤ 2n/2
• 2XOR (2 E-calls) for 2n/2 ≤ qc ≤ 2n
• but this is in the ideal cipher model (information-theoretic)
• FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 26 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

Conclusion II

• our results seem to advocate in favor of xor-cascade rather than

plain cascade

• e.g. triple encryption (3 E-calls) has similar security as
• FX (1 E-call) for qc ≤ 2n/2
• 2XOR (2 E-calls) for 2n/2 ≤ qc ≤ 2n
• but this is in the ideal cipher model (information-theoretic)
• FX seems to have other “computational” issues

(see time-memory-data trade-off by Dinur, EC 2015)

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 26 / 29

Key-Length Extension Main Lemma Randomized Cascading Plain Cascading Conclusion

The end. . .

Thanks for your attention! Comments or questions?

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 27 / 29

References

References I

Mihir Bellare and Phillip Rogaway. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of LNCS, pages 409–426. Springer, 2006. Full version available at http://eprint.iacr.org/2004/331. Shan Chen, Rodolphe Lampe, Jooyoung Lee, Yannick Seurin, and John P.

• Steinberger. Minimizing the Two-Round Even-Mansour Cipher. In Juan A.

Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 39–56. Springer,

• 2014. Full version available at http://eprint.iacr.org/2014/443.

Shan Chen and John Steinberger. Tight Security Bounds for Key-Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of LNCS, pages 327–350. Springer, 2014. Full version available at http://eprint.iacr.org/2013/222.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 28 / 29

References

References II

Yuanxi Dai, Jooyoung Lee, Bart Mennink, and John P. Steinberger. The Security of Multiple Encryption in the Ideal Cipher Model. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 20–38. Springer, 2014. Peter Gazi. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 (Proceedings, Part I), volume 8042 of LNCS, pages 551–570. Springer, 2013. Peter Gazi and Stefano Tessaro. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of LNCS, pages 63–80. Springer, 2012. Joe Kilian and Phillip Rogaway. How to Protect DES Against Exhaustive Key Search (an Analysis of DESX). Journal of Cryptology, 14(1):17–35, 2001.

Gaži, Lee, Seurin, Steinberger, Tessaro Relaxing Full-Codebook Security FSE 2015 29 / 29