
First of all, a couple of things: I am aware that cascade encryption tries to solve a problem that isn't present often. Attacks are more likely to be mounted against implementation details instead of creating a pure cryptanalytic break on modern crypto.

I am also aware that cascade encryption has at least the security of the inner layer/first cipher of the cascade. This question asks about the case when the inner layer is insecure against the adversary and the designer of the cascade does not know which block cipher in the cascade is secure.

Finally, I am aware that one can combine the usage of multiple block ciphers by either using the block ciphers to encrypt random pads that are then combined and used to encrypt the plaintext, or by using them as keystream generators (i.e., run the block ciphers in CTR mode on all-zero plaintext) which are then combined to encrypt the plaintext.

  1. The designer of the cascade is given a set of N block ciphers.
  2. Cascade construction is as follows: \begin{equation} \text{Enc}_1\left(\text{Enc}_2\left(\ldots \text{Enc}_N(p,k_N),k_2\right),k_1\right) \end{equation}
  3. Each encryption layer is a block cipher that appears IND-CCA2 secure to everyone (except for the situation in point 3).
  4. The adversary has attacks against all but one block cipher that can be composed together. For example, assuming that \begin{equation}\text{Enc}_1(p,k_1)\end{equation} \begin{equation}\text{Enc}_2(p,k_2)\end{equation} are attackable by the adversary, \begin{equation}\text{Enc}_1(\text{Enc}_2(p,k_2),k_1)\end{equation} \begin{equation}\text{Enc}_2(\text{Enc}_1(p,k_1),k_2)\end{equation} are also attackable. Also note that this means one of the block ciphers in the cascade is IND-CCA2 secure against even the adversary. It is unknown which one of the block ciphers is this one, however.
  5. The secure block cipher in the set of block ciphers used in the cascade does not form a group in any possible cascade with the other block ciphers.
  6. All keys are random and independent.
  7. For this question, assume that modes of operation are out of scope. The plaintext is exactly the size of the block cipher's block size and all of the block ciphers share the same block size.
  8. Also assume that side channel attacks are out of scope. If the implementation is vulnerable to an exploit or timing side channel or the adversary has direct physical access, all bets are off anyways.

What happens to the security of the cascade encryption scheme? Does the attacker get the ability to attack the entire scheme IND-CCA2 wise despite the inclusion of the one secure block cipher somewhere in the cascade? Does the security only merely degrade (i.e., there is some special attack akin to meet in the middle) relative to the secure block cipher by itself? Or is the security of the cascade equivalent to the security of the strongest block cipher in the cascade?

From what I've been able to find on the internet, it isn't very clear what happens to the security of the cascade in this specific context.

  • How does this scheme account for the obligatory ciphertext expansion of an IND-CCA2 cipher? – aiootp Sep 10 '23 at 10:46
  • Wait, why does IND-CCA2 security require ciphertext expansion? I would understand the need if we were talking IND-CCA3 where we also need to block forgery of a ciphertext that can be decrypted validly and therefore we would need to add data that would help authenticate the ciphertext but IND-CCA2 to my knowledge does not require that. – blaze5641 Sep 10 '23 at 18:06
  • Can you show how an IND-CCA2 secure block cipher could both be non-ciphertext-expanding & be placed arbitrarily in the scheme without the designer knowing? – aiootp Sep 10 '23 at 19:38

0 Answers
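
The two constructions the question contrasts, the cascade of item 2 and the XOR of CTR keystreams from its third paragraph, as an added example that is not part of the original post. The toy Feistel layers built on HMAC-SHA256, the layer names, the keys and the nonce are constructed stand-ins for the N block ciphers, not vetted ciphers.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; every layer shares one block size (item 7)
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def _f(name, key, rnd, half):
    # Round function, domain-separated by layer name and round number.
    return hmac.new(key, name + bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def toy_enc(name, key, block, rounds=4):
    """Toy balanced Feistel permutation on one block (stand-in for Enc_i)."""
    l, r = block[:HALF], block[HALF:]
    for i in range(rounds):
        l, r = r, _xor(l, _f(name, key, i, r))
    return l + r

def toy_dec(name, key, block, rounds=4):
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _f(name, key, i, l)), l
    return l + r

def cascade_encrypt(layers, p):
    # layers = [(name_1, k_1), ..., (name_N, k_N)]: Enc_N is applied first
    # (innermost) and Enc_1 last (outermost), as in the equation of item 2.
    for name, key in reversed(layers):
        p = toy_enc(name, key, p)
    return p

def cascade_decrypt(layers, c):
    for name, key in layers:  # peel Enc_1 first, Enc_N last
        c = toy_dec(name, key, c)
    return c

def keystream_combine(layers, nonce, data):
    # Each layer encrypts the same counter block (CTR on all-zero plaintext);
    # the XOR of all pads masks the data. The same call decrypts.
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ctr = nonce + (off // BLOCK).to_bytes(BLOCK - len(nonce), "big")
        pad = bytes(BLOCK)
        for name, key in layers:
            pad = _xor(pad, toy_enc(name, key, ctr))
        out += _xor(data[off:off + BLOCK], pad)
    return bytes(out)

# Constructed sample: three layers with independent keys (item 6).
LAYERS = [(n, hashlib.sha256(b"constructed key " + n).digest()) for n in (b"A", b"B", b"C")]
```

The position of a layer changes the cascade's output, while the keystream combiner is independent of layer order because XOR commutes.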