On the security of the XOR sandwiching paradigm for multiple keyed block ciphers

Abstract

While block cipher design is relatively mature, advances in computational power mean that the keylength of block ciphers, upon which the security relies entirely, becomes less resistant to cryptanalysis over time. Therefore, the security for a block cipher with a particular keylength typically is seen to last for at most some decades. One common approach to strengthen a block cipher's security is based on increasing its keylength. In the literature, two strategies have emerged: multiple keyed multiple encryption and multiple keyed XOR sandwiching. Known attacks on these such as Meet-in-the-Middle(Merkle and Hellman, 1981; van Oorschot and Wiener, 1991; Lucks, 1998) and Related-Key (J. Kelsey and Wagner, 1996; Choi et al., 1996; Vaudenay, 2011; Phan, 2004) attacks, show that Triple Encryption is significantly weaker than a brute-force attack would suggest, especially for block ciphers with small keys, such as the Data Encryption Standard (DES). This paper provides a comprehensive analysis on the security of the XOR sandwiching paradigm against known attacks for the case of multiple keyed triple encryption, without loss of generality, using DES as the underlying block cipher. In particular, we focus on DES-XEXEXEX variants, based on 2-Key and 3-Key Triple-DES, which involve performing the XOR for key-whitening before and after each encryption with an additional 64-bit key. One of the conclusions to be drawn from this work is the increased strength obtained from the XOR sandwiching paradigm while requiring little in terms of additional computational resources.