Alternating Product Ciphers: A Case for Provable Security Comparisons (extended abstract)
John O. Pliam

TL;DR
This paper investigates the security implications of alternating between different sequences of rounds in iterated block ciphers, revealing that such alternation can either enhance or diminish security depending on the case, and introduces new methods for provable security comparison.
Contribution
It provides a formal framework for comparing security of alternating product ciphers, clarifying when such alternation improves or reduces security, and introduces new machinery for security ordering.
Findings
Alternating ciphers can increase security in some cases.
Alternating ciphers can decrease security in other cases.
New methods enable provable security comparisons across metrics.
Abstract
We formally study iterated block ciphers that alternate between two sequences of independent and identically distributed (i.i.d.) rounds. It is demonstrated that, in some cases, the effect of alternating increases security, while in other cases it may strictly decrease security relative to the corresponding product of one of its component sequences. As this would appear to contradict conventional wisdom based on the ideal cipher approximation, we introduce new machinery for provable security comparisons. The comparisons made here simultaneously establish a coherent ordering of security metrics ranging from key-recovery cost to computational indistinguishability.
Taxonomy
Topics: Chaos-based Image/Signal Encryption · Cryptographic Implementations and Security · Fractal and DNA sequence analysis
