Cryptology ePrint Archive: Report 2010/397
Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks
Mihir Bellare and David Cash
Abstract: This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.
Category / Keywords: secret-key cryptography / Pseudorandom Functions, Blockciphers, Related-Key Attacks, DDH
Original Publication (with major differences): IACR-CRYPTO-2010
Date: received 14 Jul 2010, last revised 29 Jul 2015
Contact author: mihir at eng ucsd edu
Available format(s): PDF | BibTeX Citation
Note: Bug fixes.
Version: 20150729:233210 (All versions of this report)
Short URL: ia.cr/2010/397
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]