Cascading Aes-Twofish-Serphent question

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

Author: ilovegrolsc PostPosted: Fri Aug 06, 2010 3:42 am    Post subject: Cascading Aes-Twofish-Serphent question
If you cascade each of these 256 bit algorithms then isn't the result the same as having 768 bit encryption?

Because i can't see how someone could decrypt the 3 in separate stages as the cipher text in between each is unknown. Therefore the only way to break it would be to decrypt all three algorithms at once making the result 768 bit encryption. Therefore the cascade is 3x stronger than just using either of the algorithms alone right?

Is that logic flawed?

More info on the cascade:

Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password..


Author: JustinTLocation: Asheville, NC, US / Uberlândia, MG, Brazil PostPosted: Sat Sep 04, 2010 7:05 pm    Post subject: Re: Cascading Aes-Twofish-Serphent question
Given the description of your post, I'll assume we're talking about TrueCrypt; if not, my apologies, although it does not affect my response.

In short, yes. A cascade of three block ciphers will increase security beyond that of a single cipher or a cascade of two block ciphers. [A word of caution follows.] In the real world, is this significant? Not really. Why? Because when cryptography fails in practice, it's almost always because of the implementation -- not the cryptography itself. However, the more options you have (e.g., numerous block ciphers and cascades of them), the more complexity you introduce to the implementation. Given that, I'm worried about implementations -- not algorithms -- because that's what is most at risk in practice. A single block cipher, such as the AES, will beyond suffice.

Now for the longer, more mathematical reasoning behind my short answer; most of it was already posted on TrueCrypt's forums some years ago. A double cipher's effective key length is essentially no more than that of a single cipher, since the upper bound on the advantage hits one (i.e., meet-in-the-middle attack), for the double cipher, at the same point it does for the single cipher (i.e., exhaustive search). To be fair, that doesn't say all there is to say about the security of a double cipher. Rather, we can say that its security, in the Shannon model, is increased. In other words, the success probability of an adversary is much lower in the case of a double cipher than with a single cipher (i.e., it would require more queries to gain the same advantage). All in all, though, the meet-in-the-middle attack severely limits the gain; while you gain something, it is negligible. (By negligible, I mean half a bit of security for an advantage 0.5.)

Take DES, for example. First, we model the block cipher as a family of random permutations - one for each key. The adversary gets oracle access to the block cipher and its inverse. The adversary's job is to distinguish the cascade and its inverse from a random permutation and its inverse, roughly. If the adversary wants an advantage 0.5, he'll have to ask $2^{50}$ queries, $2^{55.5}$ queries, and $2^{78.5}$ queries, for single, double, and triple encryption, respectively. You might notice that the gap between single encryption and double encryption is relatively small, while the gap between double encryption and triple encryption is significantly larger. As such, to approach the security you would expect from a composition of multiple ciphers, the minimum is three; it provides the security that one might naïvely expect from double encryption.

Triple encryption increases security (significantly) in a way that double encryption cannot (negligibly); it follows that triple encryption, with three independent keys, is the shortest potentially "good" cascade, in this sense. This has been proven under the ideal-cipher model, using code-based game-playing techniques. (Note, I use "Shannon model" and "ideal-cipher model" interchangeably.)

So, yes, security is increased. Will you feel the difference in practice? Most likely not. But if the option is already there for you, and assuming the implementation is secure, then I suppose it won't hurt.

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group