4

When it comes to the words "double encryption", I cringe. What I see is the following scenario play out.

Someone has plain text and they encrypt it with the AES cipher using the 14 round variant, so AES256. Then they run that encrypted information through another 14 rounds again, thinking it is double encrypted.

In my mind, I think of it differently. When I think of encryption and doubling it, I believe the strength of encryption, in the case of AES, as being tied to the number of rounds through the algorithm. So in this scenario, I think of double encryption as 28 rounds through the AES cipher.

In short - AES(28 round) > AES(14 round) + AES(14 round)

I have read some whitepapers on cascading encryption, but they referred to using two different ciphers, not the same cipher twice.

Is there anyone able to shed some light on this for me?

Mike Edward Moras
UnlistTed

2 Answers

4

> When I think of encryption and doubling it, I believe the strength of encryption, in the case of AES, as being tied to the number of rounds through the algorithm.

I don't believe that's the best way to think of things.

The strength of the encryption really is 'how much work does an attacker need to do to perform the attack'.

For a cipher, there are two strategies:

  • We can just go through all possible key values, and see which one 'works'

  • We can rely on cryptographical weaknesses within the cipher itself

Increasing the number of rounds can plausibly (not always, but in practice, appears to) make the cryptographical weaknesses within the cipher harder to exploit, but (unless increasing the number of rounds also increases the number of key bits), doesn't do anything to slow down brute force attacks (apart from a constant factor).

As far as we know, there are no known cryptographical weaknesses in AES-256 (apart from some related key attacks, typically not applicable), and so adding more rounds doesn't increase security in any meaningful sense.

Now, it would look like running the text through two separately keyed AES-256 would double the number of key bits, and so significantly increase security. However, it turns out that there is a better-than-brute-force attack; this involves encrypting the plaintext with all possible AES-256 keys, decrypting the ciphertext with all possible AES-256 keys, and then searching for a match.

Of course, the amount of work involved is ridiculous; it will never be the case that anything involving $2^{256}$ operations will be feasible; this can be shown by thermodynamics and the minimal amount of energy needed to perform any operation.

This implies that, barring a cryptographical advance that allows us to break AES-256 with significantly less than $2^{256}$ operations, it'll be safe.

Which leads us directly to the next topic:

> I have read some whitepapers on cascading encryption, but they referred to using two different ciphers, not the same cipher twice.

This potential cryptographical weakness is precisely why people use distinct ciphers. There might be a weakness in AES-256 that makes the cipher significantly weaker than our current understanding; however, if we perform AES-256 encryption, and then (say) Camellia-256 encryption, then the resulting cipher is strong unless both AES-256 and Camellia-256 are weak. It is possible that there is a weakness in one of the two ciphers; it is considered far less likely that both contain weaknesses.

poncho
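The meet-in-the-middle search described in the answer above, scaled down so it runs in about a second, as an added example that is not part of the original answer. The 16-bit-key Feistel toy cipher, the key values and the plaintexts are all constructed for illustration and stand in for AES-256, where the same search would need on the order of $2^{256}$ cipher operations rather than $2^{512}$.

```python
import hashlib

KEY_BITS = 16   # toy key size (constructed); AES-256 would be 256
HALF = 0xFFFF   # the 32-bit block is split into two 16-bit halves

def _f(key, rnd, half):
    """Round function: SHA-256 over (key, round, half), cut to 16 bits."""
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def encrypt(key, block):
    """Hypothetical 4-round Feistel toy cipher, not a real algorithm."""
    left, right = block >> 16, block & HALF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right

def decrypt(key, block):
    left, right = block >> 16, block & HALF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the known (plain, cipher) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    # Encrypt p0 under every k1 and index the keys by the middle value.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    found = []
    # Decrypt c0 under every k2; a hit in the table is a candidate key pair.
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(k2, c0), []):
            # One 32-bit match can be chance, so confirm on the other pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0x3A7C, 0xC15E                      # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x01234567, 0x89ABCDEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    print(f"about 2^{KEY_BITS + 1} cipher calls instead of 2^{2 * KEY_BITS}")
```

The table holds one entry per first-stage key, which is the memory the search trades for time.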
-1

The method you laid out to double encrypt something isn't so good. Sometimes ciphers will interact strangely and could actually make that type of double encryption less secure than just using one (especially if independent keys are not used).

Here is a quote about a sneaky thing to watch out for if you are cascading algorithms, from Applied Cryptography, Second Edition 15.8 Combining Multiple Block Algorithms:

> If the second algorithm is vulnerable to a chosen-plaintext attack, then the first algorithm might facilitate that attack and make the second algorithm vulnerable to a known-plaintext attack when used in a cascade. This potential attack is not limited to encryption algorithms: If you let someone else specify any algorithm which is used on your message before encryption, then you had better be sure that your encryption will withstand a chosen-plaintext attack.

The safer way to go is to create a one-time pad and encrypt that, and take the ciphertext (OTP XOR message) and encrypt that as well. Now your encrypted message is twice as long, but decoding 1/2 of your double encryption tells you nothing about the other half.

This has some implications on the equivalent number of rounds but also on the equivalent key strength. It's over my head what those implications are, but I think Wikipedia's final note is wrong about them (I believe using one weak encryption does not help at all with the second). The story of 3DES is good to show why sometimes cascading the same encryption algorithm does not increase the security in the way you think it should.

daniel