Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes

We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number q(e) of queries to the underlying ideal block cipher, representing adversary's secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number q(c) of plaintext/ ciphertext pairs that is less than the entire codebook. For any such q(c), we aim to determine the highest number of block-cipher queries q(e) the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation. More concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and.-bit keys: Plain cascades of length l = 2r+1 are secure whenever q(c)q(e)(r) << 2(r)(kappa vertical bar n), q(c) << 2(kappa) and q(e) << 2 2(kappa) The bound for r = 1 also applies to two-key triple encryption (as used within Triple DES). The r-round XOR-cascade is secure as long as qcq r e 2 r(.+ n), matching an attack by Ga. zi (CRYPTO 2013). We fully characterize the security of Ga. zi and Tessaro's two-call 2XOR construction (EUROCRYPT 2012) for all values of q(c), and note that the addition of a third whitening step strictly increases security for 2(n/4) <= q(c)(r) <= 2(3/4n). We also propose a variant of this construction without re-keying and achieving comparable security levels.