JustinT Trusted SF Member
Joined: 17 Apr 2003 Posts: 16777215 Location: Asheville, NC, US / Uberlândia, MG, Brazil

Posted: Sat Sep 04, 2010 7:05 pm Post subject: Re: Cascading AesTwofishSerphent question 


Given the description of your post, I'll assume we're talking about TrueCrypt; if not, my apologies, although it does not affect my response.
In short, yes. A cascade of three block ciphers will increase security beyond that of a single cipher or a cascade of two block ciphers. [A word of caution follows.] In the real world, is this significant? Not really. Why? Because when cryptography fails in practice, it's almost always because of the implementation, not the cryptography itself. However, the more options you have (e.g., numerous block ciphers and cascades of them), the more complexity you introduce to the implementation. Given that, I'm worried about implementations, not algorithms, because that's what is most at risk in practice. A single block cipher, such as the AES, will beyond suffice.
Now for the longer, more mathematical reasoning behind my short answer; most of it was already posted on TrueCrypt's forums some years ago. A double cipher's effective key length is essentially no more than that of a single cipher, since the upper bound on the advantage hits one (i.e., meet-in-the-middle attack), for the double cipher, at the same point it does for the single cipher (i.e., exhaustive search). To be fair, that doesn't say all there is to say about the security of a double cipher. Rather, we can say that its security, in the Shannon model, is increased. In other words, the success probability of an adversary is much lower in the case of a double cipher than with a single cipher (i.e., it would require more queries to gain the same advantage). All in all, though, the meet-in-the-middle attack severely limits the gain; while you gain something, it is negligible. (By negligible, I mean half a bit of security for an advantage of 0.5.)
Take DES, for example. First, we model the block cipher as a family of random permutations, one for each key. The adversary gets oracle access to the block cipher and its inverse. The adversary's job is to distinguish the cascade and its inverse from a random permutation and its inverse, roughly. If the adversary wants an advantage of 0.5, he'll have to ask $2^{50}$ queries, $2^{55.5}$ queries, and $2^{78.5}$ queries, for single, double, and triple encryption, respectively. You might notice that the gap between single encryption and double encryption is relatively small, while the gap between double encryption and triple encryption is significantly larger. As such, to approach the security you would expect from a composition of multiple ciphers, the minimum is three; it provides the security that one might naïvely expect from double encryption.
Triple encryption increases security (significantly) in a way that double encryption cannot (negligibly); it follows that triple encryption, with three independent keys, is the shortest potentially "good" cascade, in this sense. This has been proven under the ideal-cipher model, using code-based game-playing techniques. (Note, I use "Shannon model" and "ideal-cipher model" interchangeably.)
So, yes, security is increased. Will you feel the difference in practice? Most likely not. But if the option is already there for you, and assuming the implementation is secure, then I suppose it won't hurt.
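The meet-in-the-middle point made above, as an added illustration that is not part of the original post or of TrueCrypt: a constructed toy cipher with 16-bit keys and blocks is encrypted twice with independent keys, and the key pair is recovered with a work factor near 2^17 cipher calls instead of the 2^32 a naive search over both keys would need. The cipher, key values and plaintexts are all made up for the demonstration.

```python
# Meet-in-the-middle on a toy 16-bit double cipher (constructed demo only).
# Keys are 16 bits, so searching (k1, k2) directly costs ~2^32 trials; a
# table of E_k1(p) matched against D_k2(c) costs on the order of 2^17.

MASK = 0xFFFF
MUL = 0x9E37                    # odd, hence invertible mod 2^16
INV = pow(MUL, -1, 1 << 16)     # multiplicative inverse of MUL mod 2^16


def toy_encrypt(key: int, block: int) -> int:
    """Keyed permutation on 16-bit blocks; a toy, not a real cipher."""
    y = ((block ^ key) * MUL) & MASK
    y = ((y << 5) | (y >> 11)) & MASK       # rotate left by 5
    return y ^ ((key * 3) & MASK)


def toy_decrypt(key: int, block: int) -> int:
    y = block ^ ((key * 3) & MASK)
    y = ((y >> 5) | (y << 11)) & MASK       # rotate right by 5
    y = (y * INV) & MASK
    return y ^ key


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Returns (candidates, cipher_calls) so the cost can be compared to 2^32.
    """
    (p0, c0), *rest = pairs
    calls = 0
    table = {}                  # middle value -> all k1 producing it from p0
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    calls += 1 << 16
    found = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        calls += 1
        for k1 in table.get(mid, ()):
            # A 16-bit block leaves ~2^16 false matches after one pair;
            # the remaining known pairs weed them out.
            ok = True
            for p, c in rest:
                calls += 2
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, calls
```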

