Security Forums

Cascading AES-Twofish-Serpent question

Just Arrived
Joined: 06 Aug 2010
Posts: 0

Posted: Fri Aug 06, 2010 3:42 am    Post subject: Cascading AES-Twofish-Serpent question

If you cascade each of these 256 bit algorithms then isn't the result the same as having 768 bit encryption?

Because I can't see how someone could decrypt the 3 in separate stages as the cipher text in between each is unknown. Therefore the only way to break it would be to decrypt all three algorithms at once making the result 768 bit encryption. Therefore the cascade is 3x stronger than just using either of the algorithms alone, right?

Is that logic flawed?

More info on the cascade:

Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password).

Trusted SF Member
Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlândia, MG, Brazil

Posted: Sat Sep 04, 2010 7:05 pm    Post subject: Re: Cascading AES-Twofish-Serpent question

Given the description of your post, I'll assume we're talking about TrueCrypt; if not, my apologies, although it does not affect my response.

In short, yes. A cascade of three block ciphers will increase security beyond that of a single cipher or a cascade of two block ciphers. [A word of caution follows.] In the real world, is this significant? Not really. Why? Because when cryptography fails in practice, it's almost always because of the implementation -- not the cryptography itself. However, the more options you have (e.g., numerous block ciphers and cascades of them), the more complexity you introduce to the implementation. Given that, I'm worried about implementations -- not algorithms -- because that's what is most at risk in practice. A single block cipher, such as the AES, will beyond suffice.

Now for the longer, more mathematical reasoning behind my short answer; most of it was already posted on TrueCrypt's forums some years ago. A double cipher's effective key length is essentially no more than that of a single cipher, since the upper bound on the advantage hits one (i.e., meet-in-the-middle attack), for the double cipher, at the same point it does for the single cipher (i.e., exhaustive search). To be fair, that doesn't say all there is to say about the security of a double cipher. Rather, we can say that its security, in the Shannon model, is increased. In other words, the success probability of an adversary is much lower in the case of a double cipher than with a single cipher (i.e., it would require more queries to gain the same advantage). All in all, though, the meet-in-the-middle attack severely limits the gain; while you gain something, it is negligible. (By negligible, I mean half a bit of security for an advantage 0.5.)

Take DES, for example. First, we model the block cipher as a family of random permutations - one for each key. The adversary gets oracle access to the block cipher and its inverse. The adversary's job is to distinguish the cascade and its inverse from a random permutation and its inverse, roughly. If the adversary wants an advantage 0.5, he'll have to ask $2^{50}$ queries, $2^{55.5}$ queries, and $2^{78.5}$ queries, for single, double, and triple encryption, respectively. You might notice that the gap between single encryption and double encryption is relatively small, while the gap between double encryption and triple encryption is significantly larger. As such, to approach the security you would expect from a composition of multiple ciphers, the minimum is three; it provides the security that one might naïvely expect from double encryption.

Triple encryption increases security (significantly) in a way that double encryption cannot (negligibly); it follows that triple encryption, with three independent keys, is the shortest potentially "good" cascade, in this sense. This has been proven under the ideal-cipher model, using code-based game-playing techniques. (Note, I use "Shannon model" and "ideal-cipher model" interchangeably.)

So, yes, security is increased. Will you feel the difference in practice? Most likely not. But if the option is already there for you, and assuming the implementation is secure, then I suppose it won't hurt.
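The meet-in-the-middle attack mentioned in the reply above, as an added example that is not part of the original thread: it recovers both keys of a double encryption with about 2 x 2^k single-cipher operations instead of 2^(2k), even though the intermediate ciphertext is never observed. The 32-bit Feistel cipher, the 12-bit key size and the sample keys and plaintexts are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

KEY_BITS = 12          # toy key size so the demo runs in well under a second
MASK = 0xFFFF

def _f(half, key, rnd):
    # Constructed round function (truncated SHA-256), not a real cipher component.
    data = bytes([rnd]) + key.to_bytes(2, "big") + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def encrypt(key, block, rounds=4):
    l, r = block >> 16, block & MASK
    for i in range(rounds):
        l, r = r, l ^ _f(r, key, i)
    return (l << 16) | r

def decrypt(key, block, rounds=4):
    l, r = block >> 16, block & MASK
    for i in reversed(range(rounds)):
        l, r = r ^ _f(l, key, i), l
    return (l << 16) | r

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Returns (candidate key pairs, single-cipher operations in the search)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    middle = defaultdict(list)          # intermediate value -> first-stage keys
    for k1 in range(1 << KEY_BITS):
        middle[encrypt(k1, p0)].append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in middle.get(decrypt(k2, c0), ()):
            # Confirm on the remaining pairs to discard chance collisions.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

# Constructed sample data: two independent 12-bit keys, three known plaintexts.
K1, K2 = 0xA5C, 0x3E7
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x00000000, 0x12345678, 0xCAFEBABE)]

if __name__ == "__main__":
    keys, ops = meet_in_the_middle(PAIRS)
    print(keys, ops, "vs", 1 << (2 * KEY_BITS), "for naive search")
```

The price of the shortcut is memory: the table holds one entry per first-stage key, which is why the attack is a generic bound rather than a practical threat at 256-bit key sizes.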