## Cascade Ciphers: The Importance of Being First

### Ueli Maurer and James L. Massey

The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that, if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ciphers. Other applications in cryptology are given of the arguments used to prove the cascade cipher result.

Key words: Cascade ciphers, multiple encryption, provable security, computational security.

## BibTeX Citation

@article{MauMas93a, author = {Ueli Maurer and James L. Massey}, title = {Cascade Ciphers: The Importance of Being First}, journal = {Journal of Cryptology}, pages = {55--61}, number = {1}, volume = {6}, year = {1993}, note = {Preliminary version: \cite{MauMas90b}}, }