Does multiple encryption help?

HowieB

10/4/23, 10:17 AM

Suppose some original material (say a text message, text.txt) is encrypted multiple times, (say using ChaCha20) each time with a different key. Suppose the output of this process is a binary (output.bin). Suppose some third party is attempting to crack the file output.bin. Suppose this third party succeeds in cracking the file output.bin.

Since they have now retrieved the result of the second to last encryption (and not the original material), then how would they know that they had succeeded?

201

0 + 0

encryption

Score:2

Crypto

kelalaka

10/4/23, 10:50 AM

ChaCha20 is a stream cipher and outputs a stream $O_i$ to encrypt the messages to get the ciphertext $$C_i = M_i\oplus O_i$$ Your next encryption will be $$C_i' = M_i\oplus O_i \oplus O_i'$$ where the $O_i'$ is the output of the second ChaCha20 with a different key.

Well, what you are asking is the ciphertext-only attack on ChaCha20. No one is able to do this for even single encryption, yet there is no distinguisher. The output of a single ChaCha20 is good enough so that one cannot distinguish it from random. So, the attacker can see all possible messages as long as the message space is not short or some other verification methods exist like a server acts as an Oracle.

Since they have now retrieved the result of the second to last encryption (and not the original material), then how would they know that they had succeeded?

Removing layers is not helpful here since $$random \oplus message = random$$ So, there will be no information to verify.

This is not your actual problem, your actual problem will be the management of the keys. Be careful how you generate/derive them and how you store/derive.

Using a single ChaCha20 with 256 bits of the key is enough to be safe from all adversaries (classical or quantum) with a uniform random key. If you really want to use double encryption combine it with a different encryption algorithm like AES-GCM.

Keep in mind that, the multiple encryption (cascading) consideration and analyses started with the DES weakness consideration. Ueli M. Maurer & James L. Massey in 1993 showed in Cascade Ciphers: The Importance of Being First this;

Cascade construction is secure as the first cipher and more security is not guaranteed. There is a blog post of Matthew Green on this subject; Multiple encryptions as noted by SAI Peregrinus.

For stream ciphers we have a different result ( again Maurer and Massey);

Corollary 2. The bitwise modulo $2$ sum of $n$ keystream sequences that are generated by devices with independent keys is at least as difficult to predict as the most-difficult to-predict keystream sequence.

0 + 0

SAI Peregrinus

10/4/23, 1:47 PM

For the last paragraph, you might want to note that multiple encryption is as strong as the *first* cipher used, but not necessarily any stronger. It can be stronger, and for modern ciphers usually is (though uselessly so). Also if the first cipher is IND-CCA2 secure and the outer ones aren't there can be some attacks on the outer malleability. https://blog.cryptographyengineering.com/2012/02/02/multiple-encryption/

Maarten Bodewes

10/4/23, 3:28 PM

Having a distinguisher is probably the lowest hanging fruit when it comes to finding cryptographic weaknesses. For ChaCha20 that fruit is still hanging way too high, but this should be taken into account. Furthermore, if any meta-data is added to the ciphertext (such as a non-random IV) then the distinguisher is present even if the ciphertext itself doesn't supply one. As SAI Peregrinus said, it is not *necessarily* much better than single encryption and as kelalaka said: good key management is probably more important.

kelalaka

10/4/23, 4:58 PM

Well, actually, I didn't want to dive into this. added some. I believe single encryption is enough. I used indistinguishability in the sense that, the attacker cannot check the values after somehow removing one layer since all is random. Meta-Data existence put into some other or oracle. Thanks for the comments.