Paper 2010/397

Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks

Mihir Bellare and David Cash


This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.

Note: Bug fixes.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2010
Pseudorandom FunctionsBlockciphersRelated-Key AttacksDDH
Contact author(s)
mihir @ eng ucsd edu
2015-07-29: last of 2 revisions
2010-07-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mihir Bellare and David Cash},
      title = {Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2010/397},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.