Security Amplification for the Composition of Block Ciphers Simpler Proofs and New Results
Abstract
Security amplification results for block ciphers typically state that cascading (i.e., composing with independent keys) two (or more) block ciphers yields a new block cipher that offers better security against some class of adversaries and/or that resists stronger adversaries than each of its components. One of the most important results in this respect is the so-called "two weak make one strong" theorem, first established up to logarithmic terms by Maurer and Pietrzak (TCC 2004), and later optimally tightened by Maurer, Pietrzak, and Renner (CRYPTO 2007), which states that, in the information-theoretic setting, cascading F and G(-1), where F and G are respectively (q, epsilon F)-secure and (q, epsilon G)-secure against non-adaptive chosen-plaintext (NCPA) attacks, yields a block cipher which is (q, epsilon F + epsilon G)-secure against adaptive chosen-plaintext and ciphertext (CCA) attacks. The first contribution of this work is a surprisingly simple proof of this theorem, relying on Patarin's H-coefficient method. We then extend our new proof to obtain new results (still in the information-theoretic setting). In particular, we prove a new composition theorem (which can be seen as the generalization of the "two weak make one strong" theorem to the composition of n > 2 block ciphers) which provides both amplification of the advantage and strengthening of the distinguisher's class in some optimal way (indeed we prove that our new composition theorem is tight up to some constant).