Ciphers Secure against Related-Key Attacks [chapter]

Stefan Lucks
2004 Lecture Notes in Computer Science  
In a related-key attack, the adversary is allowed to transform the secret key and request encryptions of plaintexts under the transformed key. This paper studies the security of PRF- and PRP-constructions against related-key attacks. For adversaries who can only transform a part of the key, we propose a construction and prove its security, assuming a conventionally secure block cipher is given. In terms of concrete security, this is an improvement over a recent result by Bellare and Kohno. Further, based on some technical observations, we present two novel constructions for related-key secure PRFs, and we prove their security under number-theoretic infeasibility assumptions.

Introduction

In a related-key scenario, the adversary can partially control the key. It remains secret to the adversary (i.e., she can't read it), but she can choose key transformations, modify the key accordingly, and request encryptions under the modified keys. The well-known DES complementation property (complementing both key and plaintext complements the ciphertext) can be viewed as a vulnerability against a related-key DES distinguisher.

One motivation to study related-key attacks is to evaluate the security of secret-key cryptosystems, namely the security of block ciphers and their "key schedules", see Knudsen [11] and Biham [3]. Kelsey, Schneier and Wagner [9, 10] presented related-key attacks against several block ciphers, including three-key triple-DES. Today, related-key attacks are a well established tool to evaluate the security of block ciphers, e.g. in the context of the AES [4, 5, 7].

Another motivation is the existence of cryptographic schemes whose security depends on the related-key security of some underlying primitive. Two examples are tweakable block ciphers by Liskov, Rivest and Wagner [13] and RMAC by Jaulmes, Joux and Valette [8]. Knudsen and Kohno [12] pointed out that the triple-DES based variant of RMAC (which had been proposed for standardisation [6]) can be attacked by exploiting the related-key insecurity of triple-DES.

Recently, Bellare and Kohno [1, 2] investigated related-key attacks from a theoretical point of view. They presented an approach to formally handle the notion of related-key attacks. As it turned out, the security of a scheme against related-key attacks greatly depends on the adversary's capabilities, namely on the set of key transformations available to her.
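The last point, that related-key security hinges on which key transformations the adversary may use, can be made concrete with the generic attack Bellare and Kohno describe for the class that contains both XOR offsets and additive offsets: K ⊕ 2^i and K + 2^i coincide exactly when bit i of K is 0, so by comparing the oracle's answers under the two transforms the adversary reads off the key bit by bit, whatever the cipher is, and then checks a recomputed encryption against the oracle. The Python below is an added example written for this page, not code from the paper or from Bellare and Kohno; the 16-bit key, the SHA-256 based stand-in for the cipher and the lazily sampled ideal oracle are assumptions chosen so that it runs offline.

```python
import hashlib
import secrets

# Toy key length in bits. The attack is generic in the key length; 16 bits
# keeps the ideal oracle's table small. Assumed here, not taken from the paper.
N_BITS = 16
KEY_MASK = (1 << N_BITS) - 1


def toy_cipher(key: int, x: int) -> bytes:
    """Stand-in keyed function E_K(x) = SHA-256(K || x).

    Assumption for this example only: the attack never looks inside E, it
    exploits how the key is transformed before use, so any keyed function
    serves as the "cipher".
    """
    return hashlib.sha256(
        key.to_bytes(N_BITS // 8, "big") + x.to_bytes(8, "big")
    ).digest()


class RealRKOracle:
    """Related-key oracle for the real world: answers E(phi(K), x)."""

    def __init__(self, key: int) -> None:
        self.key = key & KEY_MASK

    def query(self, phi, x: int) -> bytes:
        return toy_cipher(phi(self.key), x)


class IdealRKOracle:
    """Related-key oracle for the ideal world: answers G(phi(K), x) for a
    lazily sampled random function family G indexed by the transformed key,
    so two queries agree exactly when their transformed keys coincide."""

    def __init__(self, key: int) -> None:
        self.key = key & KEY_MASK
        self.table = {}

    def query(self, phi, x: int) -> bytes:
        k = phi(self.key)
        if (k, x) not in self.table:
            self.table[(k, x)] = secrets.token_bytes(32)
        return self.table[(k, x)]


# The key transformations the adversary is allowed to apply.
def xor_with(delta: int):
    return lambda k: k ^ delta


def add_with(delta: int):
    return lambda k: (k + delta) & KEY_MASK


def identity(k: int) -> int:
    return k


def recover_low_bits(oracle, x0: int = 0) -> int:
    """Learn bits 0 .. N_BITS-2 of the oracle's key from key collisions.

    For i < N_BITS-1:  K ^ 2^i == (K + 2^i) mod 2^n  iff  bit i of K is 0.
    Equal transformed keys give equal answers in both worlds, so differing
    answers reveal a set bit. At the top bit XOR and addition always agree,
    so that bit carries no signal and is brute-forced in distinguish().
    """
    k = 0
    for i in range(N_BITS - 1):
        a = oracle.query(xor_with(1 << i), x0)
        b = oracle.query(add_with(1 << i), x0)
        if a != b:
            k |= 1 << i
    return k


def distinguish(oracle, x1: int = 1) -> bool:
    """True if the oracle behaves like the real cipher, False if it behaves
    like an ideal random family (wrong with probability about 2^-255)."""
    low = recover_low_bits(oracle)
    y = oracle.query(identity, x1)
    for top in (0, 1):
        candidate = low | (top << (N_BITS - 1))
        if toy_cipher(candidate, x1) == y:
            return True
    return False


if __name__ == "__main__":
    k = secrets.randbits(N_BITS)
    print("real oracle  ->", distinguish(RealRKOracle(k)))   # True
    print("ideal oracle ->", distinguish(IdealRKOracle(k)))  # False
```

The adversary uses 2·(N_BITS−1)+1 oracle queries and never needs to break the cipher. Restricting the adversary to XOR offsets alone removes the signal this attack relies on: K ⊕ δ₁ = K ⊕ δ₂ holds iff δ₁ = δ₂, independently of K, so collisions between transformed keys reveal nothing about the key. This is why the transformation class, and not only the cipher, is part of the security statement in the constructions discussed above.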
doi:10.1007/978-3-540-25937-4_23