## A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications (2003)

### Cached

### Download Links

- [www.cs.ucsd.edu]
- [charlotte.ucsd.edu]
- [cseweb.ucsd.edu]
- [www.cs.washington.edu]
- [homes.cs.washington.edu]
- [www.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science |

Citations: | 53 - 11 self |

### BibTeX

@INPROCEEDINGS{Bellare03atheoretical,

author = {Mihir Bellare and Tadayoshi Kohno},

title = {A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications},

booktitle = {Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science},

year = {2003},

pages = {491--506},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

We initiate a theoretical investigation of the popular block-cipher design-goal of security against “related-key attacks ” (RKAs). We begin by introducing definitions for the concepts of PRPs and PRFs secure against classes of RKAs, each such class being specified by an associated set of “related-key deriving (RKD) functions. ” Then for some such classes of attacks, we prove impossibility results, showing that no block-cipher can resist these attacks while, for other, related classes of attacks that include popular targets in the block cipher community, we prove possibility results that provide theoretical support for the view that security against them is achievable. Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in [17]. We believe this work helps block-cipher designers and cryptanalysts by clarifying what classes of attacks can and cannot be targets of design. It helps block-cipher users by providing guidelines about the kinds of related keys that are safe to use in constructs, and by enabling them to prove the security of such constructs. Finally, it puts forth a new primitive for consideration by theoreticians with regard to open questions about constructs based on minimal assumptions.

### Citations

650 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...n of selecting s at random from set S and by x ← y the assignment of value y to x. If S is a set then |S| denotes its size, while if s is a string then |s| denotes its length. PRFs were introduced by =-=[9]-=- and PRPs by [15]. We recall the latter, but since our goal is to model block ciphers, we adopt the concrete approach of [1] rather than the asymptotic approach of the original papers. Let Perm(D) den... |

295 |
How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
(Show Context)
Citation Context ...lysts with clear attack models, and it enables theorists to prove the security of blockcipher based constructs. The best example to date is the pseudorandom permutation (PRP) model for a block cipher =-=[15, 1]-=- which has been instrumental in both these ways. We seek something similar with regard to RKAs. Definition. We propose an extension of the notion of a PRP. Let E : K × D → D be the block cipher whose ... |

218 |
The Design of Rijndael
- Daemen, Rijmen
- 2002
(Show Context)
Citation Context ... that uses 256 different related keys and that extends through nine (out of 14) rounds of Rijndael with 128-bit blocks and 256bit keys [8]. Daemen and Rijmen discuss related-key attacks in their book =-=[7]-=- and in their AES submission documents [6] and comment that the diffusion and non-linearity of Rijndael’s key schedule makes it difficult for related-key attacks to pass through the entire cipher. In ... |

204 | Security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- 2000
(Show Context)
Citation Context ...ysts with clear attack models, and it enables theorists to prove the security of block-cipher based constructs. The best example to date is the pseudorandom permutation (PRP) model for a block cipher =-=[18, 1]-=- which has been instrumental in both these ways. We seek something similar with regard to RKAs. Definition. We propose an extension of the notion of a PRP. Let E : K×D→Dbe the block cipher whose secur... |

201 | Cryptanalysis of block ciphers with overdefined systems of equations
- Courtois, Pieprzyk
- 2002
(Show Context)
Citation Context ...rspective, in proving the existence, based on standard assumptions, of PRFs secure against Φ-restricted RKAs for non-trivial classes Φ. Related work. Prior to the recent work of Courtois and Pieprzyk =-=[5]-=-, the best (in terms of the number of rounds) known attack against Rijndael was a Φ ⊕ k -restricted related key attack that uses 256 different related keys and that extends through nine (out of 14) ro... |

165 | New Types of Cryptanalytic Attacks Using Related Keys
- Biham
- 1994
(Show Context)
Citation Context ... . . . . . . . . . . . . . 30 2s1 Introduction Most modern block ciphers, including the AES [6], are designed with the explicitly stated goal of resisting what are called “related-key attacks (RKAs)” =-=[3]-=-. However, it is not clear exactly what types of attacks this encompasses, and against which of these security is even achievable. Towards answering such questions, this paper provides a theoretical t... |

150 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997
(Show Context)
Citation Context ... (regardless of the number of rounds) with independent round keys is not resistant to Φ ⊕ k -restricted related-key attacks. We then look at DDH-based PRF constructions such as those of Naor-Reingold =-=[16]-=- and Nielsen [17] and show that they succumb to related-key attacks restricted to trivial classes Φ. (We stress that these constructs were never designed with the goal or claim of resisting any kind o... |

110 | Tweakable block ciphers
- Liskov, Rivest, et al.
- 2002
(Show Context)
Citation Context ...al support for the view that security against them is achievable. Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in =-=[14]-=-. 1 Introduction Most modern block ciphers, including the AES [6], are designed with the explicitly stated goal of resisting what are called “related-key attacks (RKAs)” [3]. However, it is not clear ... |

68 | CBC MACs for arbitrary-length messages: the three-key constructions. Crypto ’00
- Black, Rogaway
(Show Context)
Citation Context ...e original block cipher is a PRP resistant to Φ ⊕ k -restricted related-key attacks. Simplifying constructs. Some block-cipher based schemes such as Black and Rogaway’s threekey CBC MAC constructions =-=[4]-=- use several independent block-cipher keys. In such schemes it is possible to use related keys instead and thereby both reduce the key-length of the scheme and conceptually simplify it. We present rel... |

56 | Improved cryptanalysis of rijndael
- Ferguson, Kelsey, et al.
- 2000
(Show Context)
Citation Context ...ttack against Rijndael was a Φ ⊕ k -restricted related key attack that uses 256 different related keys and that extends through nine (out of 14) rounds of Rijndael with 128-bit blocks and 256bit keys =-=[8]-=-. Daemen and Rijmen discuss related-key attacks in their book [7] and in their AES submission documents [6] and comment that the diffusion and non-linearity of Rijndael’s key schedule makes it difficu... |

25 |
K.: OMAC: One-Key CBC
- Iwata, Kurosawa
- 2003
(Show Context)
Citation Context ...} is some set of RKD permutations and InSec cr Φ (3) = 0. For example, Φ might consist of the three functions ADD0, ADD1, ADD2. From a pragmatic perspective, one may now wish to use TMAC [13] or OMAC =-=[10]-=-, two recently-proposed two-key and one-key CBC-MAC variants, rather than the constructions we present in the full version of this paper. We present our constructions primarily because they illustrate... |

22 |
AES proposal: Rijndael http://csrc.nist.gov/CryptoToolkit/aes/rijndael
- Daemen, Rijimen
(Show Context)
Citation Context ...Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in [14]. 1 Introduction Most modern block ciphers, including the AES =-=[6]-=-, are designed with the explicitly stated goal of resisting what are called “related-key attacks (RKAs)” [3]. However, it is not clear exactly what types of attacks this encompasses, and against which... |

18 |
D.: Key-schedule cryptanalysis of IDEA
- Kelsey, Schneier, et al.
- 1996
(Show Context)
Citation Context ...Φ + k ⊕ or Φk (eg. {K ↦→ K, K ↦→ K + 1 mod 2k , K ↦→ K + 2 mod 2k }). Analysis of legacy protocols. Constructions using related keys also show up in existing cryptographic applications. (For example, =-=[11]-=- mentions a proprietary application that uses different, related keys to encrypt different messages.) Our notions can be used to retroactively analyze such protocols, thus providing formal justificati... |

17 | A threshold pseudorandom function construction and its applications
- Nielsen
- 2002
(Show Context)
Citation Context ...he number of rounds) with independent round keys is not resistant to Φ ⊕ k -restricted related-key attacks. We then look at DDH-based PRF constructions such as those of Naor-Reingold [16] and Nielsen =-=[17]-=- and show that they succumb to related-key attacks restricted to trivial classes Φ. (We stress that these constructs were never designed with the goal or claim of resisting any kind of related-key att... |

10 | Analysis of RMAC
- Knudsen, Kohno
- 2003
(Show Context)
Citation Context ...e construction-level related-key attacks are outside the standard models of security for MACs and encryption schemes). Consider, for example, the construction-level related-key attack against RMAC in =-=[12]-=-. As another example, note that the tweakable block cipher in Theorem 2 is vulnerable to construction-level related-key attacks. Namely, ˜ E(K, T, M) = ˜E(K ⊕ X, T ⊕ X, M) for any k-bit string X. Whet... |

2 |
TMAC: Two-key CBC MAC. NIST submission, available at http://csrc.nist.gov/CryptoToolkit/modes
- Kurosawa, Iwata
- 2002
(Show Context)
Citation Context ...= {φ1, φ2, φ3} is some set of RKD permutations and InSec cr Φ (3) = 0. For example, Φ might consist of the three functions ADD0, ADD1, ADD2. From a pragmatic perspective, one may now wish to use TMAC =-=[13]-=- or OMAC [10], two recently-proposed two-key and one-key CBC-MAC variants, rather than the constructions we present in the full version of this paper. We present our constructions primarily because th... |