Security Amplification by Composition: The case of Doubly-Iterated, Ideal Ciphers
Cited by 1 (0 self)
We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider $F_{k_1}(F_{k_2}(\cdot))$ and $F_{k_1}(F_{k_2}^{-1}(F_{k_1}(\cdot)))$ with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet in the middle attacks. We obtain the first proof that composition actually increases the security in some meaningful sense. We compute a bound on the probability of breaking the double cipher as a function of the number of computations of the base cipher made, and the number of examples of the composed cipher seen, and show that the success probability is the square of that for a single key cipher. The same bound holds for the two-key triple cipher. The first bound is tight and shows that meet in the middle is the best possible generic attack against the double cipher. Keywords: Ciphers, cascaded ciphers, Shannon model, information theory, DES, Double DES, meet i...
Integrity Checks Used for Security Can Also Be Used for Error Control.
Cited by 1 (1 self)
Communication systems check integrity to protect information against alteration introduced by natural means such as noise and by malicious security attacks. This paper proposes that some integrity checks used for security should also be used for error control, since there are similarities between the functions used for both purposes, and repeated checking can have a high cost. The paper extensively examines where integrity functions should be implemented in a network, and the dependencies between functions implemented in a node, since these limit the extent to which such amalgamation of function is possible. The arguments presented in this paper mean that end-system-to-end-system (e.g. Transport layer) error checks will need to be cryptographically strengthened if they are to remain justifiable in the future.
Error-tolerant combiners for oblivious primitives
Cited by 1 (0 self)
Abstract. A robust combiner is a construction that combines several implementations of a primitive based on different assumptions, and yields an implementation guaranteed to be secure if at least some assumptions (i.e. sufficiently many but not necessarily all) are valid. In this paper we generalize this concept by introducing error-tolerant combiners, which in addition to protection against insecure implementations provide tolerance to functionality failures: an error-tolerant combiner guarantees a secure and correct implementation of the output primitive even if some of the candidates are insecure or faulty. We present simple constructions of error-tolerant robust combiners for oblivious linear function evaluation. The proposed combiners are also interesting in the regular (not error-tolerant) case, as the construction is much more efficient than the combiners known for oblivious transfer.
Cryptanalysis-tolerant Commitment and Hashing
2002
Cryptographic solutions should be cryptanalysis-tolerant, i.e. avoid dependency on the assumed security of a single cryptographic function. We present the 2/3 composition, a cryptanalysis-tolerant design for commitment schemes and cryptographic hash functions. Previous cryptanalysis-tolerant solutions provided either confidentiality or binding properties; the 2/3 composition provides both properties. The 2/3 composition is simple and efficient, and appropriate for practical applications, either to compose existing functions or to design new functions. Keywords: cryptographic functions; hash functions; one-way functions; collision-resistance; commitment schemes
Cascade Encryption Revisited
Abstract. The security of cascade blockcipher encryption is an important and well-studied problem in theoretical cryptography with practical implications. It is well-known that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, stating the security of longer cascades as an open question. In this paper, we propose a new lemma on the indistinguishability of systems extending Maurer’s theory of random systems. In addition to being of independent interest, it allows us to compactly rephrase Bellare and Rogaway’s proof strategy in this framework, thus making the argument more abstract and hence easy to follow. As a result, this allows us to address the security of longer cascades as well as some errors in their paper. Our result implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit. This partially answers the open question mentioned above.

