Paper 2010/544

Semantic Security Under Related-Key Attacks and Applications

Benny Applebaum, Danny Harnik, and Yuval Ishai


In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for \emph{randomized encryption} schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural ``key-homomorphism'' property. We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional Diffie-Hellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKA-secure pseudorandom generators. This approach can yield either {\em deterministic,} {\em one-time use} schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKA-secure pseurodandom generator under a variant of the DDH assumption. Finally, we present several applications of RKA-secure encryption by showing that previous protocols which made a specialized use of random oracles in the form of \emph{operation respecting synthesizers} (Naor and Pinkas, Crypto 1999) or \emph{correlation-robust hash functions} (Ishai et. al., Crypto 2003) can be instantiated with RKA-secure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard assumptions.

Available format(s)
Publication info
Published elsewhere. A shortened version of this work will be published in ICS2011.
related-key attacksrandomized encryptionoblivious transferoperation respecting synthesizerscorrelation-robust hash functions
Contact author(s)
benny applebaum @ gmail com
2010-10-25: last of 2 revisions
2010-10-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benny Applebaum and Danny Harnik and Yuval Ishai},
      title = {Semantic Security Under Related-Key Attacks and Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2010/544},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.