Tight security bounds for multiple encryption

Multiple encryption—the practice of composing a blockcipher several times with itself under independent keys—has received considerable attention of late from the standpoint of provable security. Despite these efforts proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and best known provable security, so that both bounds match. Our results apply for arbitrary number of rounds and show that the security of l-round multiple encryption is precisely exp(κ+min{κ(l − 2)/2), n(l − 2)/l}) where exp(t) = 2 and where l = 2⌈l/2⌉ is the even integer closest to l and greater than or equal to l, for all l ≥ 1. Our technique is based on Patarin’s H-coefficient method and reuses a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers.