
Is it feasible to use triple encryption for block ciphers with the maximum keysize being the only significant security issue? I mean $C = E_{k_1}(E_{k_2}(E_{k_3}(P)))$ and $P = D_{k_1}(D_{k_2}(D_{k_3}(C)))$ where $E$ is encryption, $D$ is decryption, $P$ is a plaintext block, and $C$ is a ciphertext block. $k_1$, $k_2$, and $k_3$ are mutually independent keys, each individually of a size vulnerable to exhaustive search. I know that 3DES uses encrypt-decrypt-encrypt for efficiency in hardware from this question.

What about stream ciphers? If a stream cipher has a small key size, would it be feasible to do $C = P \oplus K_{k_1} \oplus K_{k_2} \oplus K_{k_3}$ and $P = C \oplus K_{k_1} \oplus K_{k_2} \oplus K_{k_3}$ where $K$ is the keystream?

My naive interpretation is that these would be secure ways to use ciphers that take small keys, with the only downside being a meet-in-the-middle attack reducing the effective keyspace to $2^{2n}$ where each of the three keys is of size $n$. Is this interpretation correct? Do any other attacks exist?

forest
  • Are you asking how to protect small keys from exhaustive search? – Elias Mar 07 '18 at 08:12
  • The first construct with a block cipher will have identical security to 3DES if the keys are random and independent. I guess that the stream cipher combination requires a cryptanalysis of the stream cipher construction. By the way, $n$ is usually used for the block size, I'd use $K$ for the keys themselves and $k$ or $klen$ for the key size. – Maarten Bodewes Mar 07 '18 at 14:51
  • If you use the same cipher and nonce for each layer, you at least lose a couple of extra bits due to stream ciphers commuting (you can choose $k_1 \le k_2 \le k_3$). – otus Mar 23 '18 at 05:32
  • @otus By same cipher do you mean same key perchance? I'm not sure why using the same cipher algorithm would matter. – forest Mar 23 '18 at 05:36
  • @forest I mean that you use the same stream cipher each time (which your question assumes). With different ciphers there is no additional freedom to swap keys between them without affecting the result. – otus Mar 23 '18 at 05:39
  • @otus The keys are all mutually independent. – forest Mar 23 '18 at 05:39
  • @forest, yes but with a single stream cipher encrypting first with $k$ and then $k'$ is the same as first encrypting with $k'$ and then $k$. So you only need to test one. – otus Mar 23 '18 at 05:41
  • @otus Yeah you're right, hence why I deleted that comment (I realized just after posting it). That is valuable to know, though! Is there any simple way to avoid that with stream ciphers, short of modifying them to work on blocks? – forest Mar 23 '18 at 05:44
  • Don't neglect block size as a security issue! – Squeamish Ossifrage Mar 08 '19 at 07:37
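
The point raised in the comments about stream-cipher layers commuting, as an added example that is not part of the original thread: it enumerates every key triple for a toy cipher and counts the distinct effective keystreams, and it goes one step beyond the comments by also showing that a repeated key cancels itself. The 4-bit key size, the SHA-256-based `keystream` stand-in, the nonce and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import product
from math import log2

KEY_BITS = 4                    # deliberately tiny so the keyspace can be enumerated
NONCE = b"constructed-nonce"    # constructed value; the same nonce is used in every layer


def keystream(key: int, length: int = 16) -> bytes:
    """Toy stand-in for a small-key stream cipher: SHA-256(key || nonce), truncated."""
    return hashlib.sha256(bytes([key]) + NONCE).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def triple_encrypt(p: bytes, k1: int, k2: int, k3: int) -> bytes:
    """C = P xor K_k1 xor K_k2 xor K_k3, the construction from the question.
    Decryption is the same operation."""
    c = p
    for k in (k1, k2, k3):
        c = xor(c, keystream(k, len(p)))
    return c


def distinct_combined_keystreams() -> int:
    """Encrypt an all-zero block under every key triple and count distinct results."""
    zero = bytes(16)
    keys = range(2 ** KEY_BITS)
    return len({triple_encrypt(zero, *ks) for ks in product(keys, repeat=3)})


def effective_bits() -> float:
    """log2 of the number of distinct keystreams: the real size of the search space."""
    return log2(distinct_combined_keystreams())


if __name__ == "__main__":
    nominal = 3 * KEY_BITS
    print(f"nominal key bits:   {nominal}")
    print(f"effective key bits: {effective_bits():.2f}")
```

Triples of three distinct keys collapse by a factor of $3! = 6$ because order does not matter, and any triple with a repeated key reduces to a single-key keystream because $K_k \oplus K_k = 0$.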

0 Answers