Alice and Bob are using an encryption method. The encryption functions are called $E_K$, and the decryption functions are called $D_K$, where $K$ is a key. We assume that if someone knows $K$, then she also knows $E_K$ and $D_K$ (so Alice and Bob could be using one of the classical, nonpublic key systems such as DES or AES). They have a great idea. Instead of encrypting once, they use two keys $K_1$ and $K_2$ and encrypt twice. Starting with a plaintext message $m$, the ciphertext is $c=E_{K_2}(E_{K_1}(m))$. To decrypt, simply compute $m=D_{K_1}(D_{K_2}(c))$. Eve will need to discover both $K_1$ and $K_2$ to decrypt their messages.

Does this provide greater security? For many cryptosystems, applying two encryptions is the same as using an encryption for some other key. For example, the composition of two affine functions is still an affine function (see Exercise 11 in Chapter 2). Similarly, using two RSA encryptions (with the same $n$) with exponents $e_1$ and $e_2$ corresponds to doing a single encryption with exponent $e_1{e}_2$. In these cases, double encryption offers no advantage. However, there are systems, such as DES (see Subsection 7.4.1) where the composition of two encryptions is not simply encryption with another key. For these, double encryption might seem to offer a much higher level of security. However, the following attack shows that this is not really the case, as long as we have a computer with a lot of memory.

Assume Eve has intercepted a message $m$ and a doubly encrypted ciphertext $c=E_{K_2}(E_{K_1}(m))$. She wants to find $K_1$ and $K_2$. She first computes two lists:

1. $E_K(m)$ for all possible keys $K$

2. $D_L(c)$ for all possible keys $L$.

Finally, she compares the two lists and looks for matches. There will be at least one match, since the correct pair of keys will be one of them, but it is likely that there will be many matches. If there are several matches, she then takes another plaintext–ciphertext pair and determines which of the pairs $(K\text{,}L)$ she has found will encrypt the plaintext to the ciphertext. This should greatly reduce the list. If there is still more than one pair remaining, she continues until only one pair remains (or she decides that two or more pairs give the same double encryption function). Eve now has the desired pair $K_1\text{,}{K}_2$.

If Eve has only one plaintext–ciphertext pair, she still has reduced the set of possible key pairs to a short list. If she intercepts a future transmission, she can try each of these possibilities and obtain a very short list of meaningful plaintexts.

If there are $N$ possible keys, Eve needs to compute $N$ values $E_L(m)$. She then needs to compute $N$ numbers $D_L(c)$ and compare them with the stored list. But these $2N$ computations (plus the comparisons) are much less than the $N^2$ computations required for searching through all key pairs $K_1\text{,}{K}_2$.

This meet-in-the-middle procedure takes slightly longer than the exhaustive search through all keys for single encryption. It also takes a lot of memory to store the first list. However, the conclusion is that double encryption does not significantly raise the level of security.

Similarly, we could use triple encryption, using triples of keys. A similar attack brings the level of security down to at most what one might naively expect from double encryption, namely squaring the possible number of keys.