International Association
for Cryptologic Research

Multiple encryption---the practice of composing a blockcipher several

times with itself under independent keys---has received considerable

attention of late from the standpoint of provable security. Despite

these efforts proving definitive security bounds (i.e., with matching

attacks) has remained elusive even for the special case of triple

encryption. In this paper we close the gap by improving both the best

known attacks and best known provable security, so that both bounds

match. Our results apply for arbitrary number of rounds and show that

the security of $\\ell$-round multiple encryption is precisely

$\\exp(\\kappa + \\min\\{\\kappa (\\ell\'-2)/2), n (\\ell\'-2)/\\ell\'\\})$ where

$\\exp(t) = 2^t$ and where $\\ell\' = 2\\lceil \\ell/2\\rceil$ is the even

integer closest to $\\ell$ and greater than or equal to $\\ell$, for all

$\\ell \\geq 1$. Our technique is based on Patarin\'s H-coefficient

method and reuses a combinatorial result of Chen and Steinberger

originally required in the context of key-alternating ciphers.