Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier

Related-key attacks (RKAs) concern the security of cryptographic primitives in the situation where the key can be manipulated by the adversary. In the RKA setting, the adversary's power is expressed through the class of related-key deriving ($$\mathrm{RKD}$$) functions which the adversary is restricted to using when modifying keys. Bellare and Kohno (EUROCRYPT 2003, volume 2656 of LNCS, Springer, Heidelberg, pp 491–506, 2003) first formalized RKAs and pinpointed the foundational problem of constructing RKA-secure pseudorandom functions (RKA-PRFs). To date there are few constructions for RKA-PRFs under standard assumptions, and it is a major open problem to construct RKA-PRFs for larger classes of $$\mathrm{RKD}$$ functions. We make significant progress on this problem. We first show how to repair the framework for constructing RKA-PRFs by Bellare and Cash (CRYPTO 2010, volume 6223 of LNCS, Springer, Heidelberg, pp 666–684, 2010) and extend it to handle the more challenging case of classes of $$\mathrm{RKD}$$ functions that contain claws. We apply this extension to show that a variant of the Naor–Reingold function already considered by Bellare and Cash is an RKA-PRF for a class of affine $$\mathrm{RKD}$$ functions under the Decisional Diffie–Hellman (DDH) assumption, albeit with a blowup that is exponential in the PRF input size. We then develop a second extension of the Bellare–Cash framework and use it to show that the same Naor–Reingold variant is actually an RKA-PRF for a class of degree $$d$$ polynomial $$\mathrm{RKD}$$ functions under the stronger decisional $$d$$-Diffie–Hellman inversion assumption. As a significant technical contribution, our proof of this result avoids the exponential-time security reduction that was inherent in the work of Bellare and Cash and in our first result. In particular, by setting $$d = 1$$ (affine functions), we obtain a construction of an RKA-secure PRF for affine relations based on the polynomial hardness of DDH.
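As an added illustration (not code from the paper or its authors), the following Python implements the plain Naor–Reingold function of [14] over a constructed toy DDH group and plays the RKA-PRF game of the Bellare–Kohno model for one simple linear key-scaling $$\mathrm{RKD}$$ class. It shows concretely why RKA security is strictly stronger than ordinary pseudorandomness: the unmodified NR function satisfies a key-malleability relation that a random function does not, which is why a modified variant rather than NR itself is the object of study. The group parameters, oracle names and adversary function are mine.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, g = 4 generates the
# order-q subgroup of Z_p^*. Far too small for real use; illustration only.
P, Q, G = 1019, 509, 4

def nr_prf(key, x, p=P, g=G):
    """Naor-Reingold PRF: key = (k_0, k_1, ..., k_n) in Z_q, x an n-bit string.
    Output is g^(k_0 * prod_{x_i = 1} k_i) mod p."""
    assert len(x) == len(key) - 1
    e = key[0]
    for bit, k_i in zip(x, key[1:]):
        if bit == "1":
            e = (e * k_i) % Q
    return pow(g, e, p)

def scale_k0(a):
    """RKD function phi_a(k) = (a*k_0, k_1, ..., k_n): a linear (affine with
    zero offset) derivation the adversary may apply to the hidden key."""
    return lambda key: (a * key[0] % Q,) + tuple(key[1:])

identity = lambda key: key

def real_rka_oracle(key):
    """Real world of the RKA-PRF game: answers (phi, x) with NR(phi(key), x)."""
    return lambda phi, x: nr_prf(phi(key), x)

def random_rka_oracle(key):
    """Ideal world: an independent random group element per (derived key, x)."""
    table = {}
    def oracle(phi, x):
        return table.setdefault((phi(key), x), pow(G, secrets.randbelow(Q), P))
    return oracle

def related_key_test(oracle, a=3, x="1011"):
    """Adversary for the class {phi_a}: plain NR satisfies
    NR(phi_a(k), x) = NR(k, x)^a, a relation a random function lacks.
    Returns True when the relation holds for the queried oracle."""
    y_id = oracle(identity, x)
    y_rel = oracle(scale_k0(a), x)
    return y_rel == pow(y_id, a, P)

def random_key(n):
    """Fresh NR key (k_0, ..., k_n) with every component in Z_q^*."""
    return tuple(1 + secrets.randbelow(Q - 1) for _ in range(n + 1))
```

Against the real oracle the test succeeds for every key, while against the ideal oracle it succeeds only with probability about $$1/q$$, so this two-query adversary separates the two worlds.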

[1] Mihir Bellare, et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[2] Jongsung Kim, et al. Related-Key Rectangle Attacks on Reduced AES-192 and AES-256, 2007, FSE.

[3] Kevin Lewi, et al. Improved Constructions of PRFs Secure Against Related-Key Attacks, 2014, ACNS.

[4] Kenneth G. Paterson, et al. RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures, 2012, IACR Cryptol. ePrint Arch.

[5] Hoeteck Wee. Public Key Encryption against Related Key Attacks, 2012, Public Key Cryptography.

[6] Silvio Micali, et al. How to Construct Random Functions (Extended Abstract), 1984, FOCS.

[7] Lars R. Knudsen, et al. Cryptanalysis of LOKI91, 1992, AUSCRYPT.

[8] Alex Biryukov, et al. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds, 2010, IACR Cryptol. ePrint Arch.

[9] Eli Biham, et al. New Types of Cryptanalytic Attacks Using Related Keys (Extended Abstract), 1994, EUROCRYPT.

[10] Moni Naor, et al. Number-theoretic constructions of efficient pseudo-random functions, 2004.

[11] Kenneth G. Paterson, et al. Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier, 2014, Journal of Cryptology.

[12] Adam O'Neill, et al. Correlated-Input Secure Hash Functions, 2011, TCC.

[13] Mihir Bellare, et al. A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications, 2003, EUROCRYPT.

[14] Moni Naor, et al. Number-theoretic constructions of efficient pseudo-random functions, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[15] David Cash, et al. Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks, 2010, CRYPTO.

[16] Eli Biham, et al. A Unified Approach to Related-Key Attacks, 2008, FSE.

[17] Abhishek Banerjee, et al. New and Improved Key-Homomorphic Pseudorandom Functions, 2014, CRYPTO.

[18] Eli Biham, et al. Related-Key Boomerang and Rectangle Attacks, 2005, EUROCRYPT.

[19] David Cash, et al. Cryptography Secure Against Related-Key Attacks and Tampering, 2011, IACR Cryptol. ePrint Arch.

[20] Dan Boneh, et al. Key Homomorphic PRFs and Their Applications, 2013, CRYPTO.

[21] Christopher Umans, et al. Fast Polynomial Factorization and Modular Composition, 2011, SIAM J. Comput.

[22] Alex Biryukov, et al. Related-Key Cryptanalysis of the Full AES-192 and AES-256, 2009, ASIACRYPT.

[23] Alex Biryukov, et al. Distinguisher and Related-Key Attack on the Full AES-256, 2009, CRYPTO.