For starters, I don't need any don't-roll-your-crypto stuff. We're discussing a hypothetical.
So the idea is 3DES needs 3x the key size and achieves only 2x key size bit security. So using the 3x keyspace is essential for achieving the 2x bit security. Now entertain the same example, but this time it's 3AES-192. We have encrypt(K1, decrypt(K2, encrypt(K3))) and the reverse for decryption, using 3x unique 192-bit keys. So we need a 576-bit key to break up into 3 smaller keys to achieve 2x 192 = 384 bit security.
Now consider we were to have just a 384-bit key, and we were to do the following:
K1 = BLAKE3-192(key || 0x01)
K2 = BLAKE3-192(key || 0x02)
K3 = BLAKE3-192(key || 0x03)
to derive the 3 keys deterministically. I picked BLAKE3 for speed, also this setup eliminates related-key attacks. My question is, would this scheme still have the 2x 192 = 384 bits of security despite using only a 384-bit key. The scheme for triple chaining a block cipher states that a key 3 times the size is required to obtain 2 times the security, does this kind of deterministic setup get around that?
