Tight Security Bounds for Triple Encryption

In this paper, we revisit the long-standing open problem asking the exact provable security of triple encryption in the ideal cipher model. For a blockcipher with key length κ and block size n, triple encryption is known to be provably secure up to 2 1 2 min{κ,n} queries, while the best attack requires 2κ+min{κ, n 2 } query complexity. So there has been a gap between the upper and lower bounds for the security of triple encryption. We close this gap by proving the security up to 2κ+min{κ, n 2 } query complexity. With the DES parameters, triple encryption is secure up to 2 queries, greater than the current bound of 2 and comparable to 2 for 2-XOR-cascade [10]. We also analyze the security of two-key triple encryption, where the first and the third keys are identical. We prove that two-key triple encryption is secure up to 2κ+min{κ, n 2 } blockcipher queries and 2min{κ, n 2 } construction queries. For the DES parameters, this result is interpreted as the security of two-key triple encryption up to 2 plaintext-ciphertext pairs and 2 blockcipher encryptions.