For AES, does the construct two encryptions for a 3rd value have any practical use?

b degnan

11/21/23, 7:09 PM

As AES could be considered as a function AES(key, data) that return encrypted data, is there a use of the construct of AES(key1, AES(key0, data)) as the resulting data could be decrypted by key2? Is there a way to determine key2, if key0 and key1 are known?

1 + 1

aes

fgrieu

11/21/23, 9:37 PM

Composition of a block cipher's instance for two fixed keys form a fixed bijection of the plaintext space; but there is no reason that this bijection is any of those obtainable by this cipher for a fixed key. In the question's setup, for whatever standard AES key sizes, it would very surprising that there is any triplet (`key1`, `key2`, `key3`) with the property that for all `data`, it holds `AES(key1, AES(key0, data)) = AES(key2, data)`; and more surprising if for all pairs (`key0`, `key1`) there was some `key2` with that property.

Score:4

Crypto

Eugene Styer

11/21/23, 9:38 PM

This is similar to Triple DES, except that Triple DES generally uses Encrypt/Decrypt/Encrypt.

First, I would be very surprised if AES was constructed in such a way that key2 exists (except possibly for very rare situations). If key2 always exists, then from the attacker's view we are just using plain AES with key2. If we assume AES is a random permutation, then we have (assuming 256-bit keys) two permutations of $2^{256}$ possible values each, for a total of $2^{512}$ possible permutations after two encryptions, but key2 only provides $2^{256}$ possible permutations, so it would be extremely unlikely for such a key2 to exist.

Second, double encryption does not provide a significant increase in security even if key2 doesn't exist. Given a plaintext/ciphertext pair, an attacker can execute a meet-in-the-middle attack by simply encrypting the plaintext with each possible key0, and decrypting the ciphertext with each possible key1, and looking for a match. So with only double the effort of plain AES (and lots of memory), this system can be broken.

Finally, I will note that this depends on the encryption algorithm used. If we replace AES with monoalphabetic substitution, then key2 does exist and can be easily found.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: For AES, does the construct two encryptions for a 3rd value have any practical use?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.