The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT 2006, volume 4004 of LNCS, 2006
Abstract

Cited by 157 (39 self)
We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage against triple encryption is small until it asks about 2^78 queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.
Code-Based Game-Playing Proofs and the Security of Triple Encryption
Eurocrypt 2006, LNCS
Abstract

Cited by 47 (10 self)
(Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
Chosen-Ciphertext Security of Multiple Encryption
In TCC’05, LNCS 3378, 2005
Abstract

Cited by 47 (2 self)
Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosen-plaintext attacks, and has shown constructions secure in this sense based on the chosen-plaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosen-ciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosen-ciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosen-ciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identity-based encryption scheme secure against selective-identity chosen-plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes.
The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search
In Advances in Cryptology – CRYPTO ’00, 2000
Abstract

Cited by 25 (0 self)
We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple blockcipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.
Black-box composition does not imply adaptive security
In EUROCRYPT, 2004
Abstract

Cited by 8 (0 self)
In trying to provide formal evidence that composition has security-increasing properties, we ask if the composition of non-adaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are non-adaptively secure permutation generators, but where the composition of such generators fails to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be non-relativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers.
Cascade Encryption Revisited
Abstract

Cited by 8 (0 self)
The security of cascade blockcipher encryption is an important and well-studied problem in theoretical cryptography with practical implications. It is well-known that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, stating the security of longer cascades as an open question. In this paper, we propose a new lemma on the indistinguishability of systems extending Maurer’s theory of random systems. In addition to being of independent interest, it allows us to compactly rephrase Bellare and Rogaway’s proof strategy in this framework, thus making the argument more abstract and hence easy to follow. As a result, this allows us to address the security of longer cascades as well as some errors in their paper. Our result implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit. This partially answers the open question mentioned above.
Efficient and optimally secure key-length extension for block ciphers via randomized cascading
Advances in Cryptology — EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, 2012
Abstract

Cited by 6 (1 self)
We consider the question of efficiently extending the key length of block ciphers. To date, the approach providing highest security is triple encryption (used e.g. in Triple-DES), which was proved to have roughly κ + min{n/2, κ/2} bits of security when instantiated with ideal block ciphers with key length κ and block length n, at the cost of three blockcipher calls per message block. This paper presents a new practical key-length extension scheme exhibiting κ + n/2 bits of security – hence improving upon the security of triple encryption – solely at the cost of two block cipher calls and a key of length κ + n. We also provide matching generic attacks showing the optimality of the security level achieved by our approach with respect to a general class of two-query constructions.
On the Security of Multiple Encryption or CCA-security + CCA-security = CCA-security?
Proc. of PKC’04, LNCS 2947, 2003
Abstract

Cited by 5 (1 self)
In a practical system, a message is often encrypted more than once by different encryptions, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiple encrypting a message for a scheme, such as the key-insulated cryptosystems [13] and anonymous channels [8]. Intuitively, a multiple encryption should remain "secure", whenever there is one component cipher unbreakable in it. In NESSIE's latest Portfolio of recommended cryptographic primitives (Feb. 2003), it is suggested to use multiple encryption with component ciphers based on different assumptions to acquire long-term security. However, in this paper we show this needs careful discussion. Especially, this may not be true...
Efficient Amplification of the Security of Weak Pseudo-Random Function Generators
Abstract

Cited by 4 (0 self)
We show that given a PRFG (pseudo-random function generator) G which is 1/c partially secure, the construction $g_1(x \oplus r_1) \oplus \cdots \oplus g_{\log^2 n}(x \oplus r_{\log^2 n})$ produces a strongly secure PRFG, where $g_i \in G$ and $r_i$ are strings of random bits. Thus we present the first “natural” construction of a (totally secure) PRFG from a partially secure PRFG. Using results of Luby and Rackoff, this result also demonstrates how to “naturally” construct a PRPG from a partially secure PRPG.
Optimally Secure Tweakable Blockciphers
Fast Software Encryption – FSE 2015, volume 9054 of LNCS, 2015
Abstract

Cited by 4 (1 self)
We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and post-processing functions can be distinguished from an ideal one with an attack complexity of about 2^{n/2}. Next, we introduce the tweakable blockcipher F̃[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^{2n/3} security. Finally, we introduce F̃[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond-birthday-bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.