1 Introduction

1.1 Block Ciphers and Key-Length Extension

Block ciphers (like DES [10] and AES [2]) are the workhorses of cryptography. Most importantly, they constitute the basic building block within several modes of operation for secret-key message encryption and authentication.

Formally, a block cipher with key length \(\kappa \) and block length n (often referred to as a \((\kappa , n)\) -block cipher) is a family of efficiently computable (and invertible) permutations \(E_k\) on the set of n-bit strings indexed by a \(\kappa \)-bit key k. For example, \(n = 64\) and \(\kappa = 56\) for DES, and \(n = 128\) and \(\kappa \in \{128, 192, 256\}\) for AES.

Block-cipher security. Most applications assume and require that the underlying block cipher behaves as a pseudorandom permutation (PRP), i.e., under a random secret key, it cannot be efficiently distinguished from a uniformly random permutation. To capture this notion, the PRP-security level of a block cipher is defined as the complexity required to distinguish it from a random permutation with non-negligible advantage.

The security level of a block cipher E is inherently limited by its key length \(\kappa \): Given very few plaintext-ciphertext pairs \((x_i, E_k(x_i))\), a generic brute-force attack can easily recover the secret key k with roughly \(2^\kappa \) evaluations of E. This easily yields a PRP distinguishing attack with the same complexity. Clearly, this attack directly affects legacy designs with short keys, such as DES, for which \(2^{56}\) is well within the boundaries of feasible computation.

Key-length extension and the ICM. Nonetheless, legacy designs often remain attractive in niche applications, e.g. in the financial sector, where DES-based constructions are used to encipher PINs due to their short block length (as in the EMV standard [1]). To mitigate the effects of the above generic attacks, the well-known key-length extension (KLE) problem addresses the following question:

“Does there exist a construction \(\mathsf {C}\) transforming any  \((\kappa , n)\) -block cipher E into a \((\kappa ', n)\) -block cipher \(\mathsf {C}[E]\) (for \(\kappa ' > \kappa \) ), such that \(\mathsf {C}[E]\) is secure against generic attackers (using E as a black-box) investing more than \(2^{\kappa }\) effort?”

Starting with the work of Kilian and Rogaway on DESX [16], and followed by a series of subsequent works [5, 9, 12, 14, 15, 19], KLE has been formalized and studied in the ideal cipher model (ICM), where the underlying block cipher is modeled as an ideal cipher, i.e., \(E_k\) is an independent random permutation for every individual key k. Then, ICM PRP security of a KLE construction \(\mathsf {C}[E]\) is captured by considering a random experiment where the attacker (also known as a distinguisher) issues two types of queries:

  • Block-cipher queries to evaluate the block cipher \(E_k(x)\) and \(E^{-1}_k(y)\) for any k, x, and y chosen by the distinguisher.

  • Construction queries to evaluate on a chosen n-bit input x either the KLE construction \(\mathsf {C}[E]_{K'}\) with a uniformly random secret \(\kappa '\)-bit key \(K'\), or a uniform random permutation P independent of E. The respective inverses can also be evaluated.

The distinguisher’s goal is to decide whether construction queries are answered by the construction or by P, and its power is measured in terms of the number \(q_e \le 2^{n + \kappa }\) of queries of the former type, and the number \(q_c \le 2^n\) of queries of the latter type. Security of \(\mathsf {C}\) is measured in terms of which values of \((q_c, q_e)\) do not allow distinguishing with non-negligible advantage.

Relaxing full-codebook security. So far, the security of KLE constructions (with the notable exception of the work of Kilian and Rogaway [16]) has been analyzed in the full-codebook regime, i.e., where we allow \(q_c = 2^n\), and then see how large \(q_e\) can be while still retaining pseudorandomness. However, there is often no rational reason to assume that \(q_c=2^n\). Not only is this value usually unreasonably large, but we can also easily restrict the number of block-cipher evaluations under a given secret key at the application level (by enforcing re-keying); moreover, when the KLE construction is used within a certain mode of operation, the security analysis of the latter may simply force security to hold only for smaller \(q_c\) anyway (e.g., \(q_c \le 2^{n/2}\) for CBC modes).

In this paper, we relax the unreasonably strong requirement of full-codebook security, and undertake the first in-depth investigation of the security of KLE constructions in the realistic scenario where \(q_c \ll 2^{n}\).

1.2 Plain and Randomized Cascades

Before we turn to our contributions, let us first review previous works on KLE in the full-codebook regime \(q_c = 2^n\). A summary of the attainable PRP security levels is given in Appendix A.

Cascading-based KLE. The most natural KLE approach is perhaps cascading, generalizing the idea behind triple DES. Formally, the cascade of length \(\ell \) for a \((\kappa , n)\)-block cipher E is the \((\ell \cdot \kappa , n)\)-block cipher which takes an \(\ell \kappa \)-bit key \(\mathsf {mk} =(k_1,\ldots ,k_\ell )\in \left( \{0,1\} ^{\kappa }\right) ^\ell \) and encrypts a plaintext \(x\in \{0,1\} ^n\) by computing

$$y=\mathsf {CE}_{\mathsf {mk} }[E](x)=E_{k_\ell }\circ E_{k_{\ell -1}} \circ \cdots \circ E_{k_2}\circ E_{k_{1}}(x).$$

It is well known that the case \(\ell = 2\) still allows for a \(2^{\kappa }\)-query meet-in-the-middle attack (even though only a smaller distinguishing advantage is achievable for \(q_e < 2^{\kappa }\) as shown by Aiello et al. [3]). For the case \(\ell = 3\) (which generalizes 3DES), Bellare and Rogaway [5] first proved PRP security for \(q_e \le 2^{\kappa + n/2}\). This result was later generalized to arbitrary length \(\ell \) by Gaži and Maurer [14]. Their bound on \(q_e\) was however far from tight, and was first improved by Lee [19], and a tight bound (matching an attack by Gaži [12]) was only recently given by Dai, Lee, Mennink, and Steinberger [9].

Randomized cascades. Another approach to key-length extension generalizes the DESX construction, using additional key material to randomize inputs and outputs of block-cipher calls. (This technique is often called whitening.) For example, the r-round XOR-cascade of a \((\kappa , n)\)-block cipher E is the \((\kappa + (r+1)n, n)\)-block cipher which, on input key \((k,z)\) (where \(z = (z_0, z_1, \ldots , z_r)\) consists of \((r + 1)\) n-bit strings) and message x, returns

$$ \mathsf {XCE}[E]((k,z),x)=\oplus _{z_r} \circ E_{\phi _r(k)} \circ \oplus _{z_{r-1}}\circ E_{\phi _{r-1}(k)}\circ \cdots \circ \oplus _{z_1}\circ E_{\phi _1(k)} \circ \oplus _{z_0} (x), $$

where \(\oplus _z\) maps \(x'\) to \(x' \oplus z\), and \(\phi _1, \ldots , \phi _r\) are permutations on the \(\kappa \)-bit strings such that \(\phi _i(k) \ne \phi _j(k)\) for all k and \(i \ne j\). Security bounds for XOR-cascades in the full-codebook regime were proved by Lee [19] and by Gaži [12]. The latter work considered a variant without the last whitening step, and in combination with the result on key-alternating ciphers [8] led to tight bounds.

A simple variant of two-round XOR-cascades, called \(\mathsf {2XOR}\), was studied by Gaži and Tessaro [15], where the third key \(z_2\) is omitted, and \(z_0 = z_1\). They prove PRP security for \(q_e \le 2^{\kappa + n/2}\), and that this security level is optimal (for \(q_c = 2^n\)) with respect to a large class of two-call constructions. We finally emphasize that the work by Kilian and Rogaway [16] analyzing DESX (which is the case \(r = 1\)) is a notable exception to the above restriction to the full-codebook regime, and exhibits a smooth security trade-off for any \(q_c\) and \(q_e\) as long as \(q_c \cdot q_e \le 2^{n + \kappa }\).

Table 1. Overview of our results. Parameters \(q_c, q_e\) for which we prove security.

1.3 Our Contributions

While tight bounds are known in the full-codebook regime, the landscape is still mostly uncharted when moving to the case \(q_c \ll 2^n\). This paper proves lower and upper bounds on the PRP security level of existing and new KLE constructions in the setting where \(q_c \ll 2^{n}\). While a summary of our bounds is given in Table 1, we now discuss our contributions a bit more in detail.

We start with the randomized case:

  • Tight bounds for XOR cascades. We provide tight bounds for XOR-cascades, matching an attack previously given by Gaži [12].

  • Characterizing \(\mathsf {2XOR}\) . We complete the picture of the security of \(\mathsf {2XOR}\) for all \(q_c \le 2^n\), showing that \(q_e \le 2^{\kappa + n/2}\) is tight when \(q_c \in [2^{n/2}, 2^n]\), and observing that otherwise \(q_c \cdot q_e \le 2^{\kappa + n}\) is necessary and sufficient for \(q_c \le 2^{n/2}\).

  • The \(\mathsf {3XOR}\) construction. We show that adding the whitening key to the output of \(\mathsf {2XOR}\) yields a construction—that we name \(\mathsf {3XOR}\)—which is always at least as secure as \(\mathsf {2XOR}\) and strictly more secure for \(2^{n/4} < q_c < 2^{3n/4}\).

  • A two-call construction with no re-keying. We finally propose a variant of \(\mathsf {3XOR}\) (called \(\mathsf {3XSK}\)) where both block-cipher calls are with the same key, whereas the middle whitening key is a permutation of the original one. The security is comparable to that of \(\mathsf {3XOR}\) for \(q_c \le 2^{2n/3}\).

Our results also improve our picture with respect to plain cascading.

  • Odd-length plain cascades. We prove that cascades of odd length \(\ell = 2r + 1\) are secure whenever \(q_c q_e^r \ll 2^{r(\kappa + n)}\), \(q_c \ll 2^{\kappa }\), and \(q_e \ll 2^{2\kappa }\). For \(\kappa \) and n satisfying \(\kappa \ge \frac{rn}{r+1}\), this improves on the security bound of Dai et al. [9] when \(q_c\le 2^{\frac{rn}{r+1}}\). Moreover, when \(\kappa \ge n\), this yields a tight bound (matching Gaži’s attack [12]) for all parameters (for \(\kappa \le n\), the situation is more involved, see Sect. 5 for a complete discussion).

  • Two-key triple encryption. We prove a similar bound for two-key triple encryption, where the first and third keys are identical, as in Triple DES.

Overview of our techniques. It turns out that the techniques behind our results are fairly general. We start by defining a general class of KLE constructions called randomized KLE schemes, which captures plain cascades, XOR-cascades, and other constructions. Our core technical tool is then a lemma relating the security of a construction from this class to a particular cipher that can be derived from it, called a sequential cipher, also introduced here. Such ciphers constitute a generalization of key-alternating ciphers (or KACs, for short), studied in [4, 6, 17, 18, 24], and implement a block cipher by invoking a number of permutations in a sequential manner. Our lemma generalizes a previous result by Gaži [12], which only considered the case of KACs and covered neither our relaxation to randomized KLEs nor the case without a full codebook.

To instantiate some of our bounds, we provide a generalized analysis of sequential ciphers, extending recent bounds by Chen and Steinberger [8].

1.4 Further Related Works

We note in passing that an orthogonal line of work devoted to cascade-like constructions was initiated by Luby and Rackoff [20]. These works study standard-model security amplification achieved by plain and randomized cascades, and in particular show how, when instantiated with a block cipher which is a weak PRP in the sense that the attacker achieves a large distinguishing advantage, these constructions reduce the best possible advantage with an increasing number of rounds. Increasingly tighter bounds have been given by Maurer and Tessaro [22], and by Tessaro [25]. An information-theoretic version of this question was also studied [21, 26].

2 Preliminaries

2.1 Basic Notation and Block Ciphers

In all the following, we fix integers \(n,\kappa >0\), and denote \(N=2^n\) and \(K=2^{\kappa }\). The set of all permutations on \( \{0,1\} ^n\) will be denoted \(\mathcal {P} _n\). For a set T and an integer \(\ell \ge 1\), \( (T)_{\ell } \) denotes the set of all sequences that consist of \(\ell \) distinct elements of T. For integers \(1\le \ell \le t\), we will write \((t)_{\ell }=t(t-1)\cdots (t-\ell +1)\). If \(|T|=t\), then \((t)_{\ell }\) becomes the size of \( (T)_{\ell } \).

A block cipher is a function family \(E:\mathcal {K}\times \{0,1\} ^n\rightarrow \{0,1\} ^n\) such that for all \(k\in \mathcal {K}\) the mapping \(E(k,\cdot )\) is a permutation on \( \{0,1\} ^n\). We denote by \(\mathsf {BC} (\mathcal {K},n)\) the set of all such block ciphers, shortening to \(\mathsf {BC} (\kappa ,n)\) when \(\mathcal {K}= \{0,1\} ^{\kappa }\). In the ideal-cipher model, a block cipher E is chosen from \(\mathsf {BC} (\kappa ,n)\) uniformly at random and made available to the participants through oracle queries. It allows for two types of oracle queries \(E(k,x)\) and \(E^{-1}(k,y)\) for \(x,y\in \{0,1\} ^{n}\) and \(k\in \{0,1\} ^{\kappa }\). The answer to an inverse query \(E^{-1}(k,y)\) is \(x\in \{0,1\} ^{n}\) such that \(E(k,x)=y\).

For a set \(\mathcal {Q} =((x_1,y_1),\ldots ,(x_q,y_q))\in \left( \{0,1\} ^n\times \{0,1\} ^n\right) ^q\) and a permutation \(P\in \mathcal {P} _n\), we say that P extends \(\mathcal {Q} \), denoted \(P \vdash \mathcal {Q} \), if \(P(x_i)=y_i\) for \(i=1,\ldots ,q\). The domain and the range of \(\mathcal {Q} \) are defined as

$$\begin{aligned} \mathsf {Dom}(\mathcal {Q} ) =\{x\in \{0,1\} ^n:(x,y)\in \mathcal {Q} \}\;, \; \mathsf {Rng}(\mathcal {Q} ) =\{y\in \{0,1\} ^n:(x,y)\in \mathcal {Q} \} \end{aligned}$$

respectively. By an abuse of notation, we will sometimes denote \(\mathcal {Q} \) the bijection from \(\mathsf {Dom}(\mathcal {Q} )\) to \(\mathsf {Rng}(\mathcal {Q} )\) such that \(\mathcal {Q} (x_i)=y_i\) for \(i=1,\ldots ,q\). Thus, for another set (bijection) \( \mathcal {Q} '\in \left( \{0,1\} ^n\times \{0,1\} ^n\right) ^{q'}, \) we have

$$\begin{aligned} \mathsf {Dom}(\mathcal {Q} '\circ \mathcal {Q} )&=\{x\in \{0,1\} ^n:(x,y)\in \mathcal {Q} \wedge y\in \mathsf {Dom}(\mathcal {Q} ')\}\\ \mathsf {Rng}(\mathcal {Q} '\circ \mathcal {Q} )&=\{y\in \{0,1\} ^n:(x,y)\in \mathcal {Q} '\wedge x\in \mathsf {Rng}(\mathcal {Q} )\} \end{aligned}$$

and similar definitions for the composition of more than two bijections. For a set \(\mathcal {Q} =((x_1,k_1,y_1),\ldots ,(x_q,k_q,y_q))\in \left( \{0,1\} ^n\times \{0,1\} ^{\kappa }\times \{0,1\} ^n\right) ^q\) and a block cipher \(E\in \mathsf {BC} (\kappa ,n)\), we say that E extends \(\mathcal {Q} \), denoted \(E \vdash \mathcal {Q} \), if \(E(k_i,x_i)=y_i\) for \(i=1,\ldots ,q\).

2.2 Indistinguishability in Idealized Models

In this paper, we consider block ciphers that are built (in a black-box way) on top of an existing primitive F. The primitive F is modeled as an ideal oracle (publicly accessible to the adversary), whose answers follow some probability distribution. Namely, we will consider two slightly different settings: the so-called KLE-setting where F will be the ideal cipher E; and the so-called SC-setting where F will be a tuple of random permutations \({\varvec{P}} =(P_1,\ldots ,P_m)\). In both settings, we consider a construction C which encrypts a message \(x\in \{0,1\} ^n\) with some (master) key \(\mathsf {mk} \in \{0,1\} ^{\kappa '}\) by making calls to F, and denote \(\mathsf C [F]\) the resulting block cipher (hence \(\mathsf C [F]\in \mathsf {BC} (\kappa ',n)\), and \(\mathsf C _{\mathsf {mk} }[F]\) is the permutation associated to key \(\mathsf {mk} \)).

To define security, we consider an adversary (a.k.a. distinguisher) \(\mathsf {D} \) which interacts with a pair of oracles that we denote generically \((P,F)\). The goal of \(\mathsf {D} \) is to distinguish whether it is interacting with \((\mathsf C _{\mathsf {mk} }[F],F)\) for some uniformly random key \(\mathsf {mk} \) (a case we will informally refer to as the “real” world) or with \((P,F)\) where P is a random n-bit permutation independent from F (the “ideal” world). Note that in both worlds the first oracle P is a permutation that can be queried in both directions. The distinguisher’s advantage is defined as

$$ \mathbf{Adv } _\mathsf{C }^{\mathrm {cca} }(\mathsf {D} )=\left| \Pr \left[ \mathsf {D} ^\mathsf{C _{\mathsf {mk} }[F],F}=1 \right] -\Pr \left[ \mathsf {D} ^{P,F}=1\right] \right| $$

where the first probability is taken over the random choice of \(\mathsf {mk} \) and the random answers of F, and the second probability is taken over the random choice of P and F. We refer to \(\mathsf {D} \)’s queries to its first and second oracle as construction and primitive queries, respectively. In the KLE-setting (SC-setting), the primitive queries are sometimes referred to more concretely as block-cipher queries (permutation queries), respectively.

In the KLE-setting, for \(q_c,q_e\ge 0\) we define

$$ \mathbf{Adv } _\mathsf{C }^{\mathrm {cca} }(q_c,q_e)=\max _{\mathsf {D} } \mathbf{Adv } _\mathsf{C }^{\mathrm {cca} }(\mathsf {D} ) $$

where the maximum is taken over all distinguishers making exactly \(q_c\) construction and \(q_e\) ideal-cipher queries. Similarly, in the SC-setting, for \(q_c,q_p\ge 0\),

$$ \mathbf{Adv } _\mathsf{C }^{\mathrm {cca} }(q_c,q_p)=\max _{\mathsf {D} } \mathbf{Adv } _\mathsf{C }^{\mathrm {cca} }(\mathsf {D} ) $$

where the maximum is taken over all distinguishers making exactly \(q_c\) construction queries and \(q_p\) permutation queries to each permutation oracle \(P_i\).

Throughout the paper, we assume that the distinguisher is computationally unbounded, deterministic, and that it never makes redundant queries (the last two assumptions being without loss of generality). In accordance with several recent works on the topic, we use Patarin’s H-coefficients technique [23] in some of our proofs. Our use of the H-coefficients technique will be self-contained; for a more detailed introduction to this method see for example [8].

3 From Randomized KLE Schemes to Sequential Ciphers

In this section we study the relationship between two general classes of constructions that we first define. On the one hand, we consider randomized KLE schemes that generalize both cascades and XOR-cascades; on the other hand, we introduce sequential ciphers that are in turn a generalization of key-alternating ciphers (whose definition is also provided below). We show that every randomized KLE scheme induces a sequential cipher and that the security properties of these two constructions are tightly connected.

3.1 Definitions

Randomized KLE. Let \(n,\kappa >0\) be some fixed parameters denoting the block- and key-length of the underlying block cipher, respectively. Fix additional parameters \(\lambda ,r,m>0\). Let \((\phi _1,\ldots ,\phi _m)\) be m permutations of \( \{0,1\} ^\kappa \) with the property that for any \(k\in \{0,1\} ^\kappa \), the values \((\phi _1(k),\ldots ,\phi _m(k))\) are distinct. (Note that this imposes \(m\le 2^\kappa \).) Let \(\sigma :\{1,\ldots ,r\}\rightarrow \{1,\ldots ,m\}\) be a surjective function. For \(i=0,\ldots , r\), let

$$ \rho ^i: \{0,1\} ^{\lambda }\times \{0,1\} ^n\rightarrow \{0,1\} ^n $$

be a function such that for each \(z\in \{0,1\} ^{\lambda }\), \(\rho ^i(z,\cdot )\) (also denoted \(\rho ^i_z(\cdot )\)) is a permutation on \( \{0,1\} ^n\).

A randomized key-length extension scheme \(\mathsf {R}\) transforms a block cipher \(E\in \mathsf {BC} (\kappa ,n)\) into a new block cipher \(\mathsf {R}[E]\in \mathsf {BC} (\kappa +\lambda ,n)\) specified as follows: for a plaintext \(x\in \{0,1\} ^n\) and a key \((k,z)\in \{0,1\} ^\kappa \times \{0,1\} ^\lambda \), the ciphertext is defined as (see Fig. 1)

$$ \mathsf {R}[E]((k,z),x)=\rho ^r_{z}\circ E_{k_{\sigma (r)}}\circ \rho ^{r-1}_{z}\circ E_{k_{\sigma (r-1)}}\circ \cdots \circ E_{k_{\sigma (2)}}\circ \rho ^1_{z}\circ E_{k_{\sigma (1)}}\circ \rho ^0_{z}(x) \;. $$

where we simply write \((k_1,\ldots ,k_m)=(\phi _1(k),\ldots ,\phi _m(k))\). For a fixed key \((k,z)\), we also denote \(\mathsf {R}_{k,z}[E]\) the permutation \(x\mapsto \mathsf {R}[E]((k,z),x)\).

Sequential Cipher. With the same primitives \(\sigma \) and \((\rho ^0,\ldots , \rho ^r)\), a sequential cipher \(\mathsf {S}\) transforms a set of permutations \({\varvec{P}} =(P_1,\ldots ,P_m)\) into a block cipher \(\mathsf {S}[{\varvec{P}} ]\in \mathsf {BC} (\lambda ,n)\) specified as follows: for a plaintext \(x\in \{0,1\} ^n\) and a key \(z\in \{0,1\} ^\lambda \), the ciphertext is defined as (again see Fig. 1)

$$ \mathsf {S}[{\varvec{P}} ](z,x)=\rho ^r_{z}\circ P_{\sigma (r)}\circ \rho ^{r-1}_{z}\circ P_{\sigma (r-1)}\circ \cdots \circ P_{\sigma (2)}\circ \rho ^1_{z}\circ P_{\sigma (1)}\circ \rho ^0_{z}(x) \;. $$

For a fixed key z, we denote \(\mathsf {S}_{z}[{\varvec{P}} ]\) the permutation \(x\mapsto \mathsf {S}[{\varvec{P}} ](z,x)\).

Fig. 1. The randomized key-length extension construction \(\mathsf {R}[E]\) (top), and its induced sequential cipher \(\overline{\mathsf {R}}[{\varvec{P}} ]\) (bottom).

3.2 Induced Sequential Ciphers

When the key k is fixed in some key-length extension scheme \(\mathsf {R}\), the resulting scheme can be regarded as a sequential cipher with key space \( \{0,1\} ^\lambda \) using independent random permutations \(P_1,\ldots ,P_m\) in place of \(E_{\phi _1(k)},\ldots , E_{\phi _m(k)}\) in the ideal cipher model. We formalize this remark as follows.

Definition 1

Let \(\mathsf {R}\) be a randomized key-length extension scheme defined as above. The induced sequential cipher of \(\mathsf {R}\), denoted \(\overline{\mathsf {R}}\), is a sequential cipher which specifies a block cipher \(\overline{\mathsf {R}}[{\varvec{P}} ]\in \mathsf {BC} (\lambda ,n)\) from an m-tuple of permutations \({\varvec{P}} =(P_1,\ldots ,P_m)\) of \( \{0,1\} ^n\) by replacing each call to \(E(\phi _i(k),\cdot )\), resp. \(E^{-1}(\phi _i(k),\cdot )\) when computing \(\mathsf {R}_{k,z}[E](x)\) by a call to \(P_i(\cdot )\), resp. \(P_i^{-1}(\cdot )\) in the computation of \(\overline{\mathsf {R}}_z[{\varvec{P}} ](x)\).

Example 1

If we let \(\sigma \) be the identity, \(\lambda =(r+1)n\) and \(\rho ^i(z,u)=u\oplus z_i\) for \(i=0,\ldots ,r\) where z is split as \(z=(z_0,\ldots ,z_{r})\in \left( \{0,1\} ^n\right) ^{r+1}\), then the resulting randomized KLE and sequential cipher constructions are called an XOR-cascade scheme and a key-alternating cipher (KAC), respectively.

More formally, the r-round XOR-cascade construction \(\mathsf {XCE}\) turns a block cipher \(E\in \mathsf {BC} (\kappa ,n)\) into a new block cipher \(\mathsf {XCE}[E]\in \mathsf {BC} (\kappa +(r+1)n,n)\) as follows. Let \((\phi _1,\ldots ,\phi _r)\) be r permutations of \( \{0,1\} ^\kappa \) with the property that for any \(k\in \{0,1\} ^\kappa \), the values \((\phi _1(k),\ldots ,\phi _r(k))\) are distinct. Then for a plaintext \(x\in \{0,1\} ^n\) and a key \((k,z)\in \{0,1\} ^\kappa \times ( \{0,1\} ^n)^{r+1}\) with \(z=(z_0,\ldots ,z_r)\), the ciphertext is defined as (see also Fig. 2):

$$ \mathsf {XCE}[E]((k,z),x)=\oplus _{z_r} \circ E_{\phi _r(k)} \circ \oplus _{z_{r-1}}\circ E_{\phi _{r-1}(k)}\circ \cdots \circ \oplus _{z_1}\circ E_{\phi _1(k)} \circ \oplus _{z_0} (x), $$

where \(\oplus _{z_i}\) denotes the mapping \(x\mapsto x\oplus z_i\). Its induced sequential cipher \(\overline{\mathsf {XCE}}\) is the key-alternating cipher (hence denoted \(\mathsf {KAC}\))

$$ \overline{\mathsf {XCE}}[{\varvec{P}} ](z,x) = \mathsf {KAC}[{\varvec{P}} ](z,x) = \oplus _{z_r} \circ P_{r} \circ \oplus _{z_{r-1}}\circ P_{r-1}\circ \cdots \circ \oplus _{z_1}\circ P_{1} \circ \oplus _{z_0} (x) \;. $$

A tight bound for the security of key-alternating ciphers was given in [8]. We show how to extend their approach to the more general case of sequential ciphers, as this will turn out to be useful in our later proofs. Due to space constraints, we present this extension in the full version of this paper [13].

Example 2

A more specialized case of the XOR-cascade scheme (i.e., taking \(r=1\)) is the \(\mathsf {FX} \) construction of [16] (the generic variant of DESX, attributed to Rivest) which turns a block cipher \(E\in \mathsf {BC} (\kappa ,n)\) into a block cipher \(\mathsf {FX} [E]\in \mathsf {BC} (\kappa +2n,n)\) defined as

$$ \mathsf {FX} _{k,(z_0,z_1)}[E](x)=E_k(x\oplus z_0)\oplus z_1. $$

The resulting construction \(\overline{\mathsf {FX}} \), for a permutation \(P\in \mathcal {P} _n\), is

$$ \overline{\mathsf {FX}} _{(z_0,z_1)}[P](x)=P(x\oplus z_0)\oplus z_1, $$

which is exactly the Even-Mansour cipher [11].
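To make Sect. 3.1 and Definition 1 concrete, the following added example (not code from the paper) implements a generic randomized KLE scheme \(\mathsf {R}[E]\) and its induced sequential cipher, then instantiates them as the XOR-cascade/KAC pair of Example 1 and the FX/Even-Mansour pair of Example 2. It assumes a constructed toy "ideal cipher" (a seeded table of random permutations with \(n=8\), \(\kappa =4\)) and checks that fixing k and setting \(P_i=E_{\phi _i(k)}\) makes both constructions agree on every plaintext.

```python
import random

N_BITS, K_BITS = 8, 4            # toy sizes: n = 8, kappa = 4 (constructed, not a real cipher)
N, K = 1 << N_BITS, 1 << K_BITS  # N = 2^n and K = 2^kappa, as in Sect. 2.1


class ToyIdealCipher:
    """Stand-in for the ideal cipher E in BC(kappa, n): an independent, seeded
    random permutation of {0,1}^n for each of the K keys (constructed toy data)."""

    def __init__(self, seed: int = 2015) -> None:
        rng = random.Random(seed)
        self.fwd, self.inv = [], []
        for _ in range(K):
            table = list(range(N))
            rng.shuffle(table)
            inv = [0] * N
            for x, y in enumerate(table):
                inv[y] = x
            self.fwd.append(table)
            self.inv.append(inv)

    def enc(self, k: int, x: int) -> int:   # E(k, x)
        return self.fwd[k][x]

    def dec(self, k: int, y: int) -> int:   # E^{-1}(k, y)
        return self.inv[k][y]


def kle_encrypt(E, phi, sigma, rho, k, z, x):
    """R[E]((k,z),x) = rho^r_z o E_{k_sigma(r)} o ... o rho^1_z o E_{k_sigma(1)} o rho^0_z (x).
    phi: the m key permutations; sigma[i-1] in {1..m} is sigma(i); rho[i] = (rho^i, (rho^i)^-1)."""
    keys = [f(k) for f in phi]                 # (k_1,...,k_m) = (phi_1(k),...,phi_m(k))
    u = rho[0][0](z, x)
    for i, s in enumerate(sigma, start=1):
        u = rho[i][0](z, E.enc(keys[s - 1], u))
    return u


def kle_decrypt(E, phi, sigma, rho, k, z, y):
    """Inverse of kle_encrypt: undo rho^i and E_{k_sigma(i)} from round r down to 1."""
    keys = [f(k) for f in phi]
    u = y
    for i in range(len(sigma), 0, -1):
        u = E.dec(keys[sigma[i - 1] - 1], rho[i][1](z, u))
    return rho[0][1](z, u)


def seq_encrypt(P, sigma, rho, z, x):
    """Sequential cipher S[P](z,x): the same wiring, with P_{sigma(i)} in place of E_{k_sigma(i)}."""
    u = rho[0][0](z, x)
    for i, s in enumerate(sigma, start=1):
        u = rho[i][0](z, P[s - 1][0](u))
    return u


def induced_perms(E, phi, k):
    """Definition 1: for a fixed key k, P_i := (E(phi_i(k), .), E^{-1}(phi_i(k), .))."""
    return [(lambda u, kk=f(k): E.enc(kk, u), lambda u, kk=f(k): E.dec(kk, u)) for f in phi]


def xor_rho(i):
    """rho^i_z(u) = u xor z_i (Example 1); the map is its own inverse."""
    f = lambda z, u: u ^ z[i]
    return (f, f)


# Example 1 with r = m = 2: XOR-cascade XCE and its induced KAC.
XCE_PHI = [lambda k: k, lambda k: k ^ 1]   # phi_1 = id, phi_2 flips one key bit: distinct for every k
XCE_SIGMA = [1, 2]                         # sigma = identity
XCE_RHO = [xor_rho(0), xor_rho(1), xor_rho(2)]
# Example 2 with r = m = 1: FX and its induced Even-Mansour cipher.
FX_PHI, FX_SIGMA, FX_RHO = [lambda k: k], [1], [xor_rho(0), xor_rho(1)]


def check_induced_identity(E, phi, sigma, rho, k, z):
    """R_{k,z}[E](x) == S_z[P](x) with P_i = E_{phi_i(k)}, and decryption inverts, for every x."""
    P = induced_perms(E, phi, k)
    return all(
        kle_encrypt(E, phi, sigma, rho, k, z, x) == seq_encrypt(P, sigma, rho, z, x)
        and kle_decrypt(E, phi, sigma, rho, k, z, kle_encrypt(E, phi, sigma, rho, k, z, x)) == x
        for x in range(N))


def check_closed_forms(E, k, z, x):
    """The generic wiring reproduces the explicit formulas for XCE (r = 2) and FX."""
    xce = E.enc(k ^ 1, E.enc(k, x ^ z[0]) ^ z[1]) ^ z[2]
    fx = E.enc(k, x ^ z[0]) ^ z[1]
    return (kle_encrypt(E, XCE_PHI, XCE_SIGMA, XCE_RHO, k, z, x) == xce
            and kle_encrypt(E, FX_PHI, FX_SIGMA, FX_RHO, k, z[:2], x) == fx)


if __name__ == "__main__":
    E = ToyIdealCipher()
    k, z = 0b1011, (0x3C, 0xA5, 0x5A)   # constructed key material (k < K, z_i < N)
    print(check_induced_identity(E, XCE_PHI, XCE_SIGMA, XCE_RHO, k, z))   # True
    print(check_induced_identity(E, FX_PHI, FX_SIGMA, FX_RHO, k, z[:2]))  # True
    print(check_closed_forms(E, k, z, 0x42))                               # True
```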

3.3 The Reduction

In this section we prove our main lemma that reduces the security of a randomized key-length extension scheme to the security of the corresponding induced sequential cipher. It can be seen as a generalization of [12, Theorem 2] to more general classes of constructions and as well to the setting where the number of construction queries \(q_c\) is arbitrary (rather than \(q_c=2^n\)).

Lemma 1

Let \(\mathsf {R}\) be a randomized key-length extension scheme and let \(\overline{\mathsf {R}}\) be its induced sequential cipher. Then for \(q_c,q_e,M>0\), one has

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {R}}(q_c,q_e)\le \frac{mq_e}{KM}+ \mathbf{Adv } ^{\mathrm {cca} }_{\overline{\mathsf {R}}}(q_c,M). $$

Proof

Consider a distinguisher \(\mathsf {D} \) interacting with \((P,E)\), where E is an ideal cipher and P is either the construction \(\mathsf {R}_{k,z}[E]\) for a uniformly random key \((k,z)\in \{0,1\} ^\kappa \times \{0,1\} ^\lambda \), or a random permutation independent from E. Following the H-coefficients technique [8, 23], we summarize all the information gathered by the distinguisher when interacting with the system \((P,E)\) in the raw query transcript which is simply the ordered list of queries of \(\mathsf {D} \) to its oracles together with their answers. From this raw query transcript we can build the construction query transcript

$$ \mathcal {Q} _C=((x_1,y_1),\ldots ,(x_{q_c},y_{q_c})), $$

where the i-th pair \((x_i,y_i)\) indicates that the i-th query to the construction/random permutation oracle was either \(P(x_i)\) with answer \(y_i\) or \(P^{-1}(y_i)\) with answer \(x_i\). Similarly, we can build the ideal cipher query transcript

$$ \mathcal {Q} _E=((u_1,k_1,v_1),\ldots ,(u_{q_e},k_{q_e},v_{q_e})), $$

where the i-th triple \((u_i,k_i,v_i)\) indicates that the i-th query to the ideal cipher was either \(E(k_i,u_i)\) with answer \(v_i\) or \(E^{-1}(k_i,v_i)\) with answer \(u_i\). (Since the distinguisher is deterministic, the raw query transcript can unambiguously be reconstructed from the pair \((\mathcal {Q} _C,\mathcal {Q} _E)\).)

Moreover, in the real world, the key k (but not z) is given for free to \(\mathsf {D} \) at the end of its queries, while in the ideal world (where no such key exists), a dummy key k is drawn uniformly at random and given to \(\mathsf {D} \). (This can only increase the distinguishing advantage since \(\mathsf {D} \) can disregard this additional information.) This results in what we simply call the transcript \(\tau =(\mathcal {Q} _C,\mathcal {Q} _E,k)\) of the attack. We will say that a transcript \(\tau =(\mathcal {Q} _C,\mathcal {Q} _E,k)\) is attainable if there exists a permutation P and a block cipher E such that the interaction of \(\mathsf {D} \) with \((P,E)\) yields query transcripts \((\mathcal {Q} _C,\mathcal {Q} _E)\) (said otherwise, the probability to obtain this transcript in the “ideal” world is non-zero). Finally, we let \(T_\mathrm{re} \), resp. \(T_\mathrm{id} \) denote the probability distribution of the transcript \(\tau \) induced by the real world, resp. the ideal world (note that these two probability distributions depend on the distinguisher). By extension, we use the same notation to denote a random variable distributed according to each distribution.

Let \(\mathsf {D} \) be an optimal distinguisher making \(q_c\) construction queries and \(q_e\) ideal-cipher queries such that

$$ \mathbf{Adv } _{\mathsf {R}}^{\mathrm {cca} }(q_c,q_e)= \mathbf{Adv } _{\mathsf {R}}^{\mathrm {cca} }(\mathsf {D} )=\sum _{\tau \in \mathcal {T} _1}\Pr [T_\mathrm{id} =\tau ]-\sum _{\tau \in \mathcal {T} _1}\Pr [T_\mathrm{re} =\tau ]$$

where \(\mathcal {T} _1\) denotes the set of attainable transcripts \(\tau =(\mathcal {Q} _C,\mathcal {Q} _E,k)\) such that the distinguisher outputs 1 when obtaining \(\tau \). Given an ideal-cipher query transcript \(\mathcal {Q} _E\), we also define the set of bad keys as

$$ \mathsf {Bad} (\mathcal {Q} _E)=\{k\in \{0,1\} ^\kappa : |\{(x,y):(x,k,y)\in \mathcal {Q} _E\}|>M\}. $$

(Hence, a key k is bad if it appears strictly more than M times in \(\mathcal {Q} _E\).) We say that an attainable transcript \(\tau =(\mathcal {Q} _C,\mathcal {Q} _E,k)\) is bad if \(\phi _i(k)\in \mathsf {Bad} (\mathcal {Q} _E)\) for some \(i=1,\ldots ,m\), and good otherwise. We denote resp. \(\mathcal {T}_\mathrm{bad} \) and \(\mathcal {T}_\mathrm{good} \) the sets of bad and good transcripts (which form a partition of the set of attainable transcripts \(\mathcal {T} \)). Then we have

$$\begin{aligned}&\mathbf{Adv } _{\mathsf {R}}^{\mathrm {cca} }(\mathsf {D} )=\sum _{\tau \in \mathcal {T} _1}\Pr [T_\mathrm{id} =\tau ]-\sum _{\tau \in \mathcal {T} _1}\Pr [T_\mathrm{re} =\tau ] \\&\quad \ \le \sum _{\tau \in \mathcal {T}_\mathrm{bad} }\Pr [T_\mathrm{id} =\tau ]+\sum _{\tau \in \mathcal {T} _1\cap \mathcal {T}_\mathrm{good} }\Pr [T_\mathrm{id} =\tau ]-\sum _{\tau \in \mathcal {T} _1\cap \mathcal {T}_\mathrm{good} }\Pr [T_\mathrm{re} =\tau ] \nonumber \end{aligned}$$
(1)

where the inequality follows from the fact that \(\mathcal {T}_\mathrm{good} \) and \(\mathcal {T}_\mathrm{bad} \) form a partition of the set of attainable transcripts \(\mathcal {T} \). We upper bound each summand in turn.

Since in the ideal world the key k is drawn uniformly at random at the end of the interaction of the distinguisher with its oracles, we clearly can bound \(\sum _{\tau \in \mathcal {T}_\mathrm{bad} }\Pr [T_\mathrm{id} =\tau ]=\Pr [T_\mathrm{id} \in \mathcal {T}_\mathrm{bad} ]\) as

$$\begin{aligned} \Pr [T_\mathrm{id} \in \mathcal {T}_\mathrm{bad} ]\le \sum _{i=1}^m\Pr [k\leftarrow _{\$} \{0,1\} ^{\kappa }:\phi _i(k)\in \mathsf {Bad} (\mathcal {Q} _E)]\le \frac{mq_e}{KM}, \end{aligned}$$
(2)

where the last inequality follows from the fact that each \(\phi _i\) is a permutation (hence \(\phi _i(k)\) is uniformly random) and that the size of \(\mathsf {Bad} (\mathcal {Q} _E)\) is at most \(q_e/M\) by definition.

To upper bound the second term, we consider the following (probabilistic) distinguisher \(\overline{\mathsf {D} } \) against construction \(\overline{\mathsf {R}}\) (in the random permutation model), which uses \(\mathsf {D} \) as a subroutine. \(\overline{\mathsf {D} } \) has access to \(m+1\) permutation oracles \((P_0,P_1,\ldots ,P_m)\), where \(P_0\) is either the construction \(\overline{\mathsf {R}}_z[P_1,\ldots , P_m]\) for some random key \(z\leftarrow _{\$} \{0,1\} ^{\lambda }\), or a random permutation independent from \((P_1,\ldots ,P_m)\). At the beginning of the experiment, \(\overline{\mathsf {D} } \) draws a key \(k\leftarrow _{\$} \{0,1\} ^{\kappa }\) uniformly at random. Then, \(\overline{\mathsf {D} } \) runs \(\mathsf {D} \) and answers its queries as follows. First, it relays any construction query from \(\mathsf {D} \) to its own construction oracle and relays back the corresponding answer to \(\mathsf {D} \). When \(\mathsf {D} \) makes any ideal cipher query for some key \(k'\notin \{\phi _1(k),\ldots ,\phi _m(k)\}\), \(\overline{\mathsf {D} } \) simulates a perfectly random permutation associated with \(k'\). If \(\mathsf {D} \) makes an ideal cipher query for some key \(\phi _i(k)\), \(i=1,\ldots ,m\), \(\overline{\mathsf {D} } \) relays this query to permutation oracle \(P_i\) and forwards the corresponding answer to \(\mathsf {D} \). However, if \(\mathsf {D} \) attempts to make more than M queries corresponding to some key \(\phi _i(k)\), \(i=1,\ldots ,m\), then \(\overline{\mathsf {D} } \) aborts and outputs 0. (Hence \(\overline{\mathsf {D} } \) always makes at most M queries to each permutation oracle \(P_i\), \(i=1,\ldots ,m\).) Otherwise, once \(\mathsf {D} \) has finished its queries, \(\overline{\mathsf {D} } \) forwards k to \(\mathsf {D} \) (recall that we include k in the transcript) and outputs the same value as \(\mathsf {D} \).
Clearly, when \(\overline{\mathsf {D} } \) is interacting with \((P_0,P_1,\ldots ,P_m)\), where \(P_0\) is the construction \(\overline{\mathsf {R}}_z[P_1,\ldots , P_m]\) then it is perfectly simulating the real world \((\mathsf {R}_{k,z}[E],E)\) to \(\mathsf {D} \), while when \(\overline{\mathsf {D} } \) is interacting with \((P_0,P_1,\ldots ,P_m)\) where \(P_0\) is independent from \((P_1,\ldots ,P_m)\), then it is perfectly simulating the ideal world (PE) to \(\mathsf {D} \). Hence, the distinguishing advantage of \(\overline{\mathsf {D} } \) is

$$\begin{aligned} \mathbf{Adv } _{\overline{\mathsf {R}}}^{\mathrm {cca} }(\overline{\mathsf {D} } )=\left| \sum _{\tau \in \mathcal {T} _1\cap \mathcal {T}_\mathrm{good} }\Pr [T_\mathrm{re} =\tau ]-\sum _{\tau \in \mathcal {T} _1\cap \mathcal {T}_\mathrm{good} }\Pr [T_\mathrm{id} =\tau ] \right| . \end{aligned}$$
(3)

Since \(\overline{\mathsf {D} } \) makes at most \(q_c\) queries to its construction and at most M queries to each permutation oracle \(P_i\), \(i=1,\ldots ,m\), and since in the information-theoretic setting the advantage of a probabilistic adversary cannot be larger than the one of the best deterministic adversary, one has

$$\begin{aligned} \mathbf{Adv } _{\overline{\mathsf {R}}}^{\mathrm {cca} }(\overline{\mathsf {D} } )\le \mathbf{Adv } ^{\mathrm {cca} }_{\overline{\mathsf {R}}}(q_c,M). \end{aligned}$$
(4)

Combining (1), (2), (3), and (4), we obtain

$$ \mathbf{Adv } _{\mathsf {R}}^{\mathrm {cca} }(\mathsf {D} )= \mathbf{Adv } _{\mathsf {R}}^{\mathrm {cca} }(q_c,q_e)\le \frac{mq_e}{KM}+ \mathbf{Adv } ^{\mathrm {cca} }_{\overline{\mathsf {R}}}(q_c,M). $$

   \(\Box \)

The following corollary can be easily obtained after optimization of M in Lemma 1 when one has a simple enough upper bound on \( \mathbf{Adv } ^{\mathrm {cca} }_{\overline{\mathsf {R}}}(q_c,q_p)\).

Corollary 1

Let \(\mathsf {R}\) be a randomized key-length extension scheme and let \(\overline{\mathsf {R}}\) be its induced sequential cipher. Assume that

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\overline{\mathsf {R}}}(q_c,q_p)\le A+B\frac{q_c^{\alpha } q_p^{\beta }}{N^{\gamma }}, $$

where \(A,B,\alpha ,\beta ,\gamma \) do not depend on \(q_p\), and \(B\ge 1\), \(\beta \ge 1\). Then

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {R}}(q_c,q_e)\le A+mB(\beta +1)\left( \frac{q_c^{\alpha }q_e^{\beta }}{K^{\beta }N^{\gamma }} \right) ^{\frac{1}{\beta +1}}\!. $$

4 Randomized Key-Length Extension Schemes

In this section, we derive security bounds for various randomized KLE schemes.

Fig. 2. The XOR-cascade key-length extension scheme \(\mathsf {XCE}[E]\).

4.1 XOR-Cascades: Tight Bounds

As a first application, we complete the picture of the security of the XOR-cascade key-length extension scheme with independent whitening keys introduced in [12]. We derive a tight security bound for the setting with fewer than \(2^n\) construction queries. Recall the definition of the r-round XOR-cascade construction \(\mathsf {XCE}\) given in Sect. 3.2, Example 1.

Lemma 1 shows that the security of the r-round XOR-cascade construction is directly related to the security of the corresponding r-round key-alternating cipher \(\mathsf {KAC}\). In [12] it was observed to be related to the security of the \((r-1)\)-round key-alternating cipher, but in hindsight this appears to be an artifact of the setting \(q_c=2^n\).

Combining our improved result on the security of \(\mathsf {KAC}\) (following from [8] and given in the full version of this paper [13]) with Lemma 1, we obtain that for any integer M such that \(q_c+M\le N/2\),

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {XCE}}(q_c,q_e)\le \frac{rq_e}{KM}+4(r+2)\left( \frac{rq_cM^r}{(r+2)N^r}\right) ^{\frac{1}{r+1}}\!. $$

After the optimization of M (by equating the two summands), we arrive at the following theorem.

Theorem 1

Consider the r-round XOR-cascade construction \(\mathsf {XCE}\). Then

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {XCE}}(q_c,q_e)\le C_r\left( \frac{q_cq_e^r}{K^rN^r}\right) ^{\frac{1}{2r+1}}\!, $$

where \(C_r\) is a constant that depends only on r, namely

$$ C_r=\left( 2^{4r+3}\cdot r^{r+1}(r+2)^r\right) ^{\frac{1}{2r+1}}\in \mathcal {O} (r). $$

In short, XOR-cascade encryption is secure as long as \(q_cq_e^r\) is small compared to \(2^{r(\kappa +n)}\). We note that this security bound is matched by a generic attack on sequential constructions given in [12, Theorem 3], since this attack can be easily generalized for arbitrary \(q_c\) as observed there.

4.2 \(\mathsf {2XOR}\): Tight Bounds

The construction \(\mathsf {2XOR}\) was proposed by Gaži and Tessaro [15] to turn a block cipher \(E\in \mathsf {BC} (\kappa ,n)\) into a new block cipher \(\mathsf {2XOR}[E]\in \mathsf {BC} (\kappa +n,n)\) defined as

$$ \mathsf {2XOR}_{k,z}[E](x)=E_{\phi (k)}(E_k(x\oplus z)\oplus z), $$

where \(\phi \) is any (fixed) permutation of \( \{0,1\} ^{\kappa }\) without fixed points. They showed the following result.

Theorem 2

([15, Theorem 3]). For any integer \(q_e\),

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {2XOR}}(q_c=2^n,q_e)\le 4\cdot \left( \frac{q_e}{2^{\kappa +n/2}}\right) ^{\frac{2}{3}}\!. $$

We describe how to attack \(\mathsf {2XOR}\) for any \(1\le c \le n/2\) using roughly \(2^c\) construction queries and \(2^{\kappa +n-c}\) block-cipher queries.

Theorem 3

Let \(1\le c\le n/2\) and \(1\le t\le c\) be integers such that t is even. There exists a distinguisher \(\mathsf {D} \) which makes at most \(q_c=2^{c+t/2}\) (forward) construction queries and \(q_e=2^{\kappa +n-c+t/2+1}\) ideal cipher queries, and which achieves

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {2XOR}}(\mathsf {D} )\ge 1-2^{\kappa +n-2^t(n-1)}. $$

In particular, for \(c=n/2\) and \(t=\lfloor \log _2(\kappa /n+1)\rfloor +1\), its advantage is negligibly close to 1 (asymptotically in n), and its complexity is \(q_c=\mathcal {O} (2^{n/2})\) and \(q_e=\mathcal {O} (2^{\kappa +n/2})\) (for \(\kappa /n\) constant).

Fig. 3. Distinguisher \(\mathsf {D} \) for the proof of Theorem 3, attacking the construction \(\mathsf {2XOR}\) and parametrized by \((c,t)\).

Proof

Consider the distinguisher \(\mathsf {D} \) depicted in Fig. 3 (we assume n to be even for simplicity). For its analysis, first note that for any \(z\in \{0,1\} ^n\), the size of the set \(V_z\) determined on line 10 is exactly \(2^t\), due to the choice of the sets X and U. When \(\mathsf {D} \) interacts with \((\mathsf {2XOR}_{k,z}[E],E)\), it always outputs 1 since the check on line 11 succeeds for the real key \((k,z)\). In the ideal world (PE), we can upper-bound the probability that the distinguisher outputs 1 as follows: for each key \((k,z)\), the values \(\tilde{v}(k,u)\) and \(\tilde{u}(k,x)\) for the \(2^t\) pairs \((x,u)\in V_z\) are independent, so that the probability that the check on line 11 succeeds is exactly \(\frac{1}{(2^n)_{2^{t}} }\le 2^{-2^t(n-1)}\). By the union bound over the \(2^{\kappa +n}\) pairs \((k,z)\), the probability that \(\mathsf {D} \) returns 1 is at most \( 2^{\kappa +n-2^t(n-1)} \). \(\quad \square \)

To illustrate that the tradeoff \(q_cq_e\le 2^{\kappa +n}\) imposed by the attack above is tight for \(0\le \log _2(q_c) \le n/2\), consider the sequential cipher \(\overline{\mathsf {2XOR}}\) induced by \(\mathsf {2XOR}\). By a trivial reduction (simulating its last, independent random permutation), one can show that \(\mathsf {2XOR}\) is at least as secure as the Even-Mansour cipher \(\overline{\mathsf {FX}} \) described in Example 2 in Sect. 3.2. However, it follows from [11] that \(\overline{\mathsf {FX}} \) is secure as long as \(q_cq_p\le 2^{n}\), which, via \(\overline{\mathsf {2XOR}}\) and the application of Lemma 1, implies that \(\mathsf {2XOR}\) is secure roughly as long as \(q_cq_e\le 2^{\kappa +n}\). This completes the picture for \(\mathsf {2XOR}\) on the interval \(0\le \log _2(q_c) \le n/2\). For any \(q_c \ge 2^{n/2}\), a tight bound for \(\mathsf {2XOR}\) is \(q_e=2^{\kappa +n/2}\) as follows from Theorems 2 and 3, hence the security of \(\mathsf {2XOR}\) is now understood for the full spectrum of parameters \((q_c,q_e)\) (see Fig. 5).

4.3 \(\mathsf {3XOR}\): Final Whitening Step Helps

It was also argued in [15] that the \(\mathsf {2XOR}\) construction has optimal security within a large class of (so-called sequential) two-query constructions in the following sense: They give a generic attack on any construction from this class requiring roughly \(2^n\) construction queries and \(2^{\kappa +n/2}\) block-cipher queries, hence matching the security bound from Theorem 2. However, this only shows the optimality of the \(\mathsf {2XOR}\) construction (and in particular, that there is no need to add a final XOR step at its end) in the setting where \(q_c=2^n\) is assumed. As we show below, the situation changes as soon as we also consider lower values of \(q_c\). In this general case, adding a third randomization step does improve security for some range of the parameters \((q_c,q_e)\).

We define the \(\mathsf {3XOR}\) construction similarly to the \(\mathsf {2XOR}\) construction, but with a final whitening step (see Fig. 4), i.e.,

$$ \mathsf {3XOR}_{k,z}[E](x)=E_{\phi (k)}(E_k(x\oplus z)\oplus z)\oplus z. $$

Note that \(\mathsf {3XOR}\) is simply the 2-round \(\mathsf {XCE}\) construction with identical whitening keys in-between the block-cipher calls. The induced sequential cipher \(\overline{\mathsf {3XOR}}\) is hence the 2-round Even-Mansour cipher with independent permutations and identical round keys:

$$ \overline{\mathsf {3XOR}}_{z}[P_1,P_2](x)=P_2(P_1(x\oplus z)\oplus z)\oplus z. $$

The security of this construction was analyzed by Chen et al. [7]. We recall their result in the full version of this paper [13]. Combining it with Corollary 1, we obtain the following theorem for the security of the \(\mathsf {3XOR}\) construction.

Fig. 4. The \(\mathsf {3XOR}[E]\) key-length extension scheme.

Theorem 4

Assume that \(n\ge 11\), \(q_c\ge 9n\), \(q_e\ge 9n\), and \(2q_c+2q_e\le N\). Then the following upper bounds hold:

(i) When \(q_c\le 2^{\frac{n}{4}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XOR}}(q_c,q_e)\le 24\left( \frac{q_cq_e}{KN}\right) ^{\frac{1}{2}}\!. \end{aligned}$$

(ii) When \(2^{\frac{n}{4}}\le q_c\le 2^{\frac{2n}{3}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XOR}}(q_c,q_e)\le \frac{6}{N} +4\times (13+9\sqrt{n})\left( \frac{q_c^{\frac{1}{5}} q_e}{KN^{\frac{4}{5}}}\right) ^{\frac{1}{2}}\!. \end{aligned}$$

(iii) When \(2^{\frac{2n}{3}}\le q_c\le 2^{\frac{3n}{4}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XOR}}(q_c,q_e)\le \frac{6}{N} +4\times (13+9\sqrt{n})\left( \frac{q_c^2 q_e}{KN^2}\right) ^{\frac{1}{2}}\!. \end{aligned}$$

(iv) When \(q_c\ge 2^{\frac{3n}{4}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XOR}}(q_c,q_e)\le \frac{1}{eN} + 6n\left( \frac{q_e}{KN^{\frac{1}{2}}}\right) ^{\frac{2}{3}}\!. \end{aligned}$$

This security bound is qualitatively similar to the one of \(\mathsf {2XOR}\) for \(q_c\le 2^{\frac{n}{4}}\) and \(q_c\ge 2^{\frac{3n}{4}}\), but strictly better for \(2^{\frac{n}{4}}\le q_c\le 2^{\frac{3n}{4}}\) (see Fig. 5). Regarding the tightness of the bound, we note that the general attack against sequential constructions given in [12, Theorem 3] applies to \(\mathsf {3XOR}\), so that for any \(q_c\), the construction is insecure for \(q_e\approx 2^{\kappa +n-\frac{1}{2}\log _2 q_c}\). This matches the security bound for the special cases \(q_c\approx 1\), \(q_c\approx 2^{\frac{2n}{3}}\), and \(q_c\approx 2^n\) (see Fig. 5).

Fig. 5. The security of the \(\mathsf {3XOR}\) key-length extension scheme. All parameters below the (red) solid line are secure due to Theorem 4, while all parameters above the (black) dashed line are insecure due to the attack [12]. The status for parameters between these two lines remains unknown. The (blue) dotted line (which merges with the red solid line for \(q_c\le 2^{\frac{n}{4}}\) and \(q_c\ge 2^{\frac{3n}{4}}\)) also indicates the (tight) security bound for \(\mathsf {2XOR}\).

In conclusion, our results in Sects. 4.2 and 4.3 show that \(\mathsf {3XOR}\) is at least as secure as \(\mathsf {2XOR}\) for all possible values of \(q_c\), and strictly more secure for \(2^{n/4}< q_c < 2^{3n/4}\).
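To make the comparison of Fig. 5 concrete, the following added Python script (my own, not part of the paper) evaluates the \(\log _2\) thresholds on \(q_e\) implied by Theorem 4, by the tight \(\mathsf {2XOR}\) bound of Sect. 4.2 and by the generic attack of [12], as functions of \(c=\log _2 q_c\). Multiplicative constants and the additive \(1/N\)-type terms are dropped, matching the paper's own asymptotic reading; the function names and the DES-like sample parameters are assumptions.

```python
from fractions import Fraction as Fr

def log2_qe_3xor(n: int, kappa: int, c) -> Fr:
    """log2 of the q_e where the Theorem 4 bound for 3XOR becomes constant, for
    c = log2 q_c. Constants and the additive 1/N-type terms are dropped, so each
    of the four cases is solved for q_e exactly (the paper's "ignoring constants")."""
    c = Fr(c)
    if c <= Fr(n, 4):                  # (i)   q_c q_e / (K N)
        return kappa + n - c
    if c <= Fr(2 * n, 3):              # (ii)  q_c^(1/5) q_e / (K N^(4/5))
        return kappa + Fr(4 * n, 5) - c / 5
    if c <= Fr(3 * n, 4):              # (iii) q_c^2 q_e / (K N^2)
        return kappa + 2 * n - 2 * c
    return kappa + Fr(n, 2)            # (iv)  q_e / (K N^(1/2))

def log2_qe_2xor(n: int, kappa: int, c) -> Fr:
    """Tight 2XOR threshold (Sect. 4.2): q_c q_e <= 2^(kappa+n) for q_c <= 2^(n/2),
    and the Theorem 2/3 value q_e = 2^(kappa+n/2) for larger q_c."""
    return max(kappa + n - Fr(c), kappa + Fr(n, 2))

def log2_qe_attack(n: int, kappa: int, c) -> Fr:
    """Generic attack on sequential constructions [12, Theorem 3]:
    insecure once q_e ~ 2^(kappa + n - log2(q_c)/2)."""
    return kappa + n - Fr(c) / 2

def grid(n: int, step=Fr(1, 4)):
    """Values c = log2 q_c from 0 to n in increments of `step`."""
    c = Fr(0)
    while c <= n:
        yield c
        c += step

def strict_gain_interval(n: int, kappa: int, step=Fr(1, 4)):
    """Smallest and largest grid point c at which 3XOR is provably strictly
    more secure than 2XOR; expected to bracket the open interval (n/4, 3n/4)."""
    better = [c for c in grid(n, step)
              if log2_qe_3xor(n, kappa, c) > log2_qe_2xor(n, kappa, c)]
    return (min(better), max(better)) if better else None

def bound_never_beats_attack(n: int, kappa: int, step=Fr(1, 4)) -> bool:
    """Consistency check: the proven threshold never exceeds the attack threshold."""
    return all(log2_qe_3xor(n, kappa, c) <= log2_qe_attack(n, kappa, c)
               for c in grid(n, step))

if __name__ == "__main__":
    n, kappa = 64, 56                   # DES-like sample parameters (constructed)
    print("log2 q_c   2XOR   3XOR   attack")
    for c in grid(n, Fr(n, 8)):
        print(f"{float(c):8.1f} {float(log2_qe_2xor(n, kappa, c)):6.1f} "
              f"{float(log2_qe_3xor(n, kappa, c)):6.1f} {float(log2_qe_attack(n, kappa, c)):8.1f}")
    lo, hi = strict_gain_interval(n, kappa)
    print(f"3XOR strictly better than 2XOR for log2 q_c in [{float(lo)}, {float(hi)}]")
```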

4.4 \(\mathsf {3XSK}\): A 2-Call Construction without Rekeying

A drawback of the \(\mathsf {3XOR}\) construction is that the underlying block cipher E is called under two distinct keys. Since rekeying is typically a costly operation for a block cipher, it would be appealing to have a key-length extension construction providing the same level of security as \(\mathsf {3XOR}\), but calling the underlying block cipher E with a single key. We describe such a construction in this section.

Let \(\pi \) be a linear orthomorphism of \(\mathbb {F} _2^n\) (a permutation \(\pi \) of \( \{0,1\} ^n\) is an orthomorphism if \(z\mapsto z\oplus \pi (z)\) is also a permutation). We define the \(\mathsf {3XSK}\) (3 XOR, single key) construction which turns a block cipher \(E\in \mathsf {BC} (\kappa ,n)\) into a new block cipher \(\mathsf {3XSK}[E]\in \mathsf {BC} (\kappa +n,n)\) as follows (see Fig. 6):

$$ \mathsf {3XSK}_{k,z}[E](x)=E_{k}(E_k(x\oplus z)\oplus \pi (z))\oplus z. $$

Fig. 6. The \(\mathsf {3XSK}[E]\) key-length extension scheme.

The induced sequential cipher \(\overline{\mathsf {3XSK}}\) is exactly the two-round Even-Mansour cipher with a single permutation and the sequence of round keys \((z,\pi (z),z)\),

$$ \overline{\mathsf {3XSK}}_{z}[P](x)=P(P(x\oplus z)\oplus \pi (z))\oplus z. $$

Again, the security of this construction was studied by Chen et al. [7] and we restate their findings in the full version of this paper [13]. Combining it with Corollary 1, we obtain the following theorem for the security of the \(\mathsf {3XSK}\) construction.

Theorem 5

Assume that \(n\ge 9\), \(q_c\ge 9n\), \(q_e\ge 9n\), and \(4q_c+2q_e\le N\). Then the following upper bounds hold:

(i) When \(q_c\le 2^{\frac{n}{3}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XSK}}(q_c,q_e)\le \frac{23}{N^{\frac{1}{3}}} + 32\left( \frac{q_c q_e}{KN}\right) ^{\frac{1}{2}}\!. \end{aligned}$$

(ii) When \(q_c\ge 2^{\frac{n}{3}}\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {3XSK}}(q_c,q_e)\le \frac{10}{N} + (23+6\sqrt{n})\frac{q_c}{N^{\frac{2}{3}}}+2\times (39+9\sqrt{n})\left( \frac{q_e}{KN^{\frac{2}{3}}}\right) ^{\frac{1}{2}}\!. \end{aligned}$$

(Note that this bound becomes vacuous for \(q_c\ge 2^{\frac{2n}{3}}\).)

This matches the security bound for \(\mathsf {2XOR}\) for \(q_c<2^{\frac{n}{3}}\) (and hence the lower bound proven for \(\mathsf {3XOR}\) in Sect. 4.3 for \(q_c<2^{\frac{n}{4}}\)), while for \(2^{\frac{n}{3}}\le q_c\le 2^{\frac{2n}{3}}\) it caps at \(q_e\approx 2^{\kappa +\frac{2n}{3}}\) (hence it is slightly worse than the security lower bound of \(\mathsf {3XOR}\) in that case). The security for \(q_c\) larger than \(2^{\frac{2n}{3}}\) remains unknown. Note that the attack given in [12] also applies to \(\mathsf {3XSK}\) in exactly the same way as to \(\mathsf {3XOR}\), providing an upper bound on its security.

5 Plain Cascade Encryption

In this section, we give another application of Lemma 1, this time to analyze the security of plain cascade encryption in the setting where the number of construction queries is smaller than \(2^n\). Recall that the \(\ell \)-round cascade encryption using a \((\kappa ,n)\)-block cipher E, denoted \(\mathsf {CE}[E]\), takes an \(\ell \kappa \)-bit key \(\mathsf {mk} =(k_1,\ldots ,k_\ell )\in \left( \{0,1\} ^{\kappa }\right) ^\ell \) and encrypts a plaintext \(x\in \{0,1\} ^n\) by computing

$$y=\mathsf {CE}_{\mathsf {mk} }[E](x)=E_{k_\ell }\circ E_{k_{\ell -1}} \circ \cdots \circ E_{k_2}\circ E_{k_{1}}(x).$$

We focus on the security of \(\mathsf {CE}\) for odd length \(\ell =2r+1\); our result is summarized in the following theorem.

Theorem 6

Consider the \(\ell \)-round cascade encryption \(\mathsf {CE}\) where \(\ell =2r+1\) for some \(r\ge 1\). Then, assuming \(q_c\le N/4\) and \(q_e\le KN/8\), one has

$$\begin{aligned} \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {CE}}(q_c,q_e) \le \frac{\ell ^2}{K} +e^{-n}&+ r^2(r+1)\left( \frac{3nq_c}{K}\right) ^{\frac{1}{2}}+\\&\qquad \quad \max \left\{ A_r\left( \frac{q_cq_e^r}{K^rN^r}\right) ^{\frac{1}{2r+1}}\!, B_r\left( \frac{nq_e}{K^2}\right) ^{\frac{1}{3}} \right\} \!, \end{aligned}$$

where \(A_r \in \mathcal {O} (r^2)\) and \(B_r \in \mathcal {O} (r^{\frac{7}{3}})\) only depend on r, namely

$$\begin{aligned} A_r =6r^2(r+1)\left( \frac{2^r}{r^{r+1}(r+1)^{r+1}}\right) ^{\frac{1}{2r+1}},\;\; B_r =6r^2(r+1)\left( \frac{3}{4r(r+1)}\right) ^{\frac{1}{3}}. \end{aligned}$$

Proof (sketch)

From a high-level perspective, the proof consists of the following steps. First, we modify the cascade to use two independent ideal ciphers E and \(E'\) in an interleaving manner and show that this does not introduce a large distinguishing gap. Second, we need the block cipher \(E'\) used in the odd steps of the cascade to be good in a well-defined sense, so we show that the opposite is unlikely (over the randomness of \(E'\)). Third, we publish the complete function table of \(E'\) (but not the keys being used with it), thus arriving at a randomized KLE scheme of length r. Then we can apply Lemma 1 to reduce its security to the security of the induced sequential cipher. Finally, we analyze the latter directly, using an H-coefficient analysis inspired by [8] that employs the assumption that \(E'\) is good. The full proof discussing each of the individual steps in greater detail can be found in the full version of this paper [13]. \(\quad \square \)

Discussion. In terms of query thresholds, cascade encryption of length \(\ell =2r+1\) is hence secure when \(q_cq_e^r\ll 2^{r(\kappa +n)}\), \(q_c\ll 2^\kappa \), and \(q_e\ll 2^{2\kappa }\) (asymptotically, ignoring constants). Our bound must be compared with the security result of Dai et al. [9], who considered the full-codebook regime \(q_c=2^n\). They showed that, for \(\kappa \ge n/(r+1)\) (which is satisfied for virtually any real block cipher we know of), cascade encryption of length \(\ell =2r+1\) is secure when \(q_e \ll 2^{\kappa +\frac{rn}{r+1}}\) (and, obviously, this also holds for any \(q_c<2^n\)). Hence, our new bound improves on [9] when \(q_c\le 2^{\frac{rn}{r+1}}\), but only assuming \(\kappa \ge \frac{rn}{r+1}\), since otherwise the condition \(q_e\ll 2^{2\kappa }\) in our bound becomes more restrictive than that of Dai et al. This is depicted in Fig. 7. We remark that our bound also applies to cascade encryption of length \(2r+2\), since adding a round cannot decrease security.

Fig. 7. The security of plain cascade encryption with \(2r+1\) or \(2r+2\) rounds, depending on \(\kappa \) and n. All parameters below the solid line are secure due either to Theorem 6 or the results of [9]. All parameters above the dashed line are insecure due to the attack of [12]. The status for parameters between these lines remains unknown.

Tightness. As observed in [12], the attack against cascades given there can be adjusted to provide a trade-off between block-cipher and construction queries. This results in an attack against plain cascade encryption of length \(\ell =2r+1\) that achieves a constant distinguishing advantage as long as \(q_cq_e^r\approx 2^{r(\kappa +n)}\) and \(q_e\ge 2^\kappa q_c\) (again, ignoring constants). Note that the second condition only comes into play when \(q_c\ge 2^{\frac{rn}{r+1}}\), in which case the attack requires \(q_e \approx 2^{\kappa +\frac{rn}{r+1}}\) (instead of \(q_e \approx 2^{\kappa +n -\frac{1}{r}\log _2 q_c}\)). Hence, this matches the bound of [9] for \(q_c\ge 2^{\frac{rn}{r+1}}\). When \(\kappa \ge n\), this also matches our own new bound for \(q_c\le 2^{\frac{rn}{r+1}}\), yielding a tight bound for all parameters. When \(\frac{rn}{r+1}\le \kappa \le n\), the attack matches our new bound only for \(q_c\ge 2^{r(n-\kappa )}\), since otherwise the security bound caps at \(q_e\ll 2^{2\kappa }<2^{\kappa +n -\frac{1}{r}\log _2 q_c}\). When \(\kappa \le \frac{rn}{r+1}\), there is a provable security gap between this attack and the bound of [9] for any \(q_c\le 2^{\frac{rn}{r+1}}\). This is also summarized in Fig. 7. Again, all this applies to the case of cascade encryption of length \(2r+2\), since Gaži’s attack [12] was given for cascades of even length. Note that the case of 3DES (\(\kappa =56\), \(n=64\), and \(r=1\)) corresponds to the middle graph.
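The three regimes of Fig. 7 can be reproduced numerically. The following added Python script (my own, not the paper's) computes, with constants dropped as in the discussion above, the \(\log _2\) thresholds on \(q_e\) given by Theorem 6, by the bound of [9] and by the attack of [12], and reports where they meet; it is run on the 3DES parameters named above. Function names are assumptions.

```python
from fractions import Fraction as Fr

def log2_qe_theorem6(n: int, kappa: int, r: int, c):
    """Theorem 6 without constants: the length-(2r+1) cascade is secure while
    q_c q_e^r << 2^(r(kappa+n)), q_c << 2^kappa and q_e << 2^(2 kappa).
    Returns None where q_c >= 2^kappa makes the bound vacuous."""
    c = Fr(c)
    if c >= kappa:
        return None
    return min(kappa + n - c / r, Fr(2 * kappa))

def log2_qe_dai(n: int, kappa: int, r: int) -> Fr:
    """Full-codebook bound of Dai et al. [9], q_e << 2^(kappa + rn/(r+1)),
    which then holds for every q_c <= 2^n."""
    return kappa + Fr(r * n, r + 1)

def log2_qe_proven(n: int, kappa: int, r: int, c) -> Fr:
    """Solid line of Fig. 7: the better of Theorem 6 and [9]."""
    ours = log2_qe_theorem6(n, kappa, r, c)
    dai = log2_qe_dai(n, kappa, r)
    return dai if ours is None else max(ours, dai)

def log2_qe_attack_cascade(n: int, kappa: int, r: int, c) -> Fr:
    """Dashed line of Fig. 7, the attack of [12]: q_c q_e^r ~ 2^(r(kappa+n)) with
    q_e >= 2^kappa q_c, so construction queries beyond 2^(rn/(r+1)) do not help."""
    return kappa + n - min(Fr(c), Fr(r * n, r + 1)) / r

def gap_bits(n: int, kappa: int, r: int, c) -> Fr:
    """Width in bits of the unknown-status band at log2 q_c = c."""
    return log2_qe_attack_cascade(n, kappa, r, c) - log2_qe_proven(n, kappa, r, c)

def tight_range(n: int, kappa: int, r: int):
    """Integer c = log2 q_c in [0, n] at which the attack meets the proven bound."""
    return [c for c in range(n + 1) if gap_bits(n, kappa, r, c) == 0]

if __name__ == "__main__":
    n, kappa, r = 64, 56, 1            # 3DES: the middle graph of Fig. 7
    for c in (0, 4, 8, 16, 32, 48, 64):
        print(f"log2 q_c = {c:2d}: proven {float(log2_qe_proven(n, kappa, r, c)):6.2f}, "
              f"attack {float(log2_qe_attack_cascade(n, kappa, r, c)):6.2f}")
    tight = tight_range(n, kappa, r)
    print(f"tight for log2 q_c in [{tight[0]}, {tight[-1]}]")
```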

Two-key Triple Encryption. Let \(\mathsf {TTE}\) denote a variant of triple encryption where the first and the third keys are identical. So \(\mathsf {TTE}\) accepts a \(2\kappa \)-bit key \(\mathsf {mk} =(k_1,k_2)\in \left( \{0,1\} ^{\kappa }\right) ^2\) and encrypts a plaintext \(x\in \{0,1\} ^n\) by computing \(y=\mathsf {TTE}_{\mathsf {mk} }[E](x)=E_{k_1}\circ E_{k_2}\circ E_{k_1}(x).\) We prove the following result.

Theorem 7

For the two-key triple encryption \(\mathsf {TTE}\), we have, assuming \(q_c\le N/4\) and \(q_e\le KN/8\),

$$ \mathbf{Adv } ^{\mathrm {cca} }_{\mathsf {TTE}}(q_c,q_e)\le e^{-n}+2\left( \frac{3nq_c}{K}\right) ^{\frac{1}{2}} +12\max \left\{ \left( \frac{q_cq_e}{2KN}\right) ^{\frac{1}{3}},\left( \frac{3nq_e}{8K^2}\right) ^{\frac{1}{3}}\right\} . $$

Proof (sketch)

Similar to the analysis of cascade encryption in the proof of Theorem 6, we slightly modify the key-sampling process from \(\mathbf {A}\) to \(\mathbf {B}\):

  • A: Choose \(\mathsf {mk} \in \left( \{0,1\} ^{\kappa }\right) ^2\) uniformly at random.

  • B: Randomly partition \(T_1\cup T_2= \{0,1\} ^\kappa \) so that \(|T_1|=|T_2|\), choose \(z_1\in T_1\) and \(k_2\in T_2\) uniformly at random, and then define \(\mathsf {mk} =(z_1,k_2)\).

It is easy to show that these two processes have the same probability distribution. The rest of the proof follows exactly the same line of arguments as the proof of Theorem 6 for cascade encryption of length 3. \(\quad \square \)
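As an added example that is not part of the paper, the following Python code instantiates the schemes of Sects. 4.2 to 5 (\(\mathsf {2XOR}\), \(\mathsf {3XOR}\), \(\mathsf {3XSK}\), \(\mathsf {CE}\) and \(\mathsf {TTE}\)) over a constructed 16-bit toy Feistel cipher standing in for E, checks that each decrypts correctly, verifies exhaustively that the chosen \(\pi \) is a linear orthomorphism, and confirms the induced-sequential-cipher view of \(\mathsf {3XOR}\) and \(\mathsf {3XSK}\) as 2-round Even-Mansour ciphers. The toy cipher, the choice \(\phi (k)=k\oplus 1\) and the polynomial defining \(\pi \) are my own assumptions.

```python
import hashlib

N_BITS = 16                       # toy block and key length: (kappa, n) = (16, 16)
MASK = (1 << N_BITS) - 1
POLY = 0x1002D   # x^16+x^5+x^3+x^2+1, constructed choice: constant term 1, odd weight

def _round_fn(key: int, rnd: int, half: int) -> int:
    # Keyed 8-bit round function from SHA-256; it only makes E a keyed permutation.
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([rnd, half])).digest()[0]

def E(key: int, x: int) -> int:
    """Toy 4-round Feistel cipher on 16-bit blocks, standing in for E_k."""
    left, right = x >> 8, x & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 8) | right

def E_inv(key: int, y: int) -> int:
    """Inverse of E: undo the Feistel rounds in reverse order."""
    left, right = y >> 8, y & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 8) | right

def phi(k: int) -> int:
    return k ^ 1                  # fixed-point-free permutation of the key space

def pi(z: int) -> int:
    """Linear orthomorphism for 3XSK: multiply by x in GF(2)[x]/(POLY). Then
    z -> z ^ pi(z) is multiplication by x+1, a bijection because POLY(1) != 0."""
    z <<= 1
    return (z ^ POLY if z >> N_BITS else z) & MASK

def is_orthomorphism(f) -> bool:
    dom = range(1 << N_BITS)      # exhaustive: f and z -> z ^ f(z) both permutations
    return len({f(z) for z in dom}) == len({z ^ f(z) for z in dom}) == 1 << N_BITS

# Randomized KLE schemes of Sects. 4.2-4.4; (k, z) is the (kappa+n)-bit key.
def xor2_enc(k, z, x): return E(phi(k), E(k, x ^ z) ^ z)
def xor2_dec(k, z, y): return E_inv(k, E_inv(phi(k), y) ^ z) ^ z
def xor3_enc(k, z, x): return E(phi(k), E(k, x ^ z) ^ z) ^ z
def xor3_dec(k, z, y): return E_inv(k, E_inv(phi(k), y ^ z) ^ z) ^ z
def xsk3_enc(k, z, x): return E(k, E(k, x ^ z) ^ pi(z)) ^ z   # one key k: no rekeying
def xsk3_dec(k, z, y): return E_inv(k, E_inv(k, y ^ z) ^ pi(z)) ^ z

# Plain cascade CE and two-key triple encryption TTE of Sect. 5.
def cascade_enc(keys, x):
    for k in keys: x = E(k, x)
    return x

def cascade_dec(keys, y):
    for k in reversed(keys): y = E_inv(k, y)
    return y

def tte_enc(k1, k2, x): return cascade_enc((k1, k2, k1), x)
def tte_dec(k1, k2, y): return cascade_dec((k1, k2, k1), y)

def even_mansour(perms, round_keys, x):
    # Key-alternating cipher: the induced sequential cipher once E's keys are fixed.
    x ^= round_keys[0]
    for p, rk in zip(perms, round_keys[1:]):
        x = p(x) ^ rk
    return x

def induced_view_matches(k, z, x) -> bool:
    """3XOR is 2-round EM with perms (E_k, E_phi(k)) and round keys (z, z, z);
    3XSK is 2-round EM with the single perm E_k and round keys (z, pi(z), z)."""
    e_k, e_phik = (lambda v: E(k, v)), (lambda v: E(phi(k), v))
    return (xor3_enc(k, z, x) == even_mansour([e_k, e_phik], [z, z, z], x)
            and xsk3_enc(k, z, x) == even_mansour([e_k, e_k], [z, pi(z), z], x))

if __name__ == "__main__":
    k, z, x = 0xBEEF, 0x1234, 0xC0DE      # constructed sample key and plaintext
    y = xsk3_enc(k, z, x)
    print(hex(y), xsk3_dec(k, z, y) == x, is_orthomorphism(pi), induced_view_matches(k, z, x))
```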