**Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security**

*Baodong Qin and Shengli Liu and Tsz Hon Yuen and Robert H. Deng and Kefei Chen*

**Abstract: **Related-Key Attacks (RKAs) allow an adversary to observe the outcomes of a cryptographic primitive under not only its original secret key e.g., $s$, but also a sequence of modified keys $\phi(s)$, where $\phi$ is specified by the adversary from a class $\Phi$ of so-called Related-Key Derivation (RKD) functions. This paper extends the notion of non-malleable Key Derivation Functions (nm-KDFs), introduced by Faust et al. (EUROCRYPT'14), to \emph{continuous} nm-KDFs. Continuous nm-KDFs have the ability to protect against any a-priori \emph{unbounded} number of RKA queries, instead of just a single time tampering attack as in the definition of nm-KDFs. Informally, our continuous non-malleability captures the scenario where the adversary can tamper with the original secret key repeatedly and adaptively. We present a novel construction of continuous nm-KDF for any polynomials of bounded degree over a finite field. Essentially, our result can be extended to richer RKD function classes possessing properties of \emph{high output entropy and input-output collision resistance}. The technical tool employed in the construction is the one-time lossy filter (Qin et al. ASIACRYPT'13) which can be efficiently obtained under standard assumptions, e.g., DDH and DCR. We propose a framework for constructing $\Phi$-RKA-secure IBE, PKE and signature schemes, using a continuous nm-KDF for the same $\Phi$-class of RKD functions. Applying our construction of continuous nm-KDF to this framework, we obtain the first RKA-secure IBE, PKE and signature schemes for a class of polynomial RKD functions of bounded degree under \emph{standard} assumptions. While previous constructions for the same class of RKD functions all rely on non-standard assumptions, e.g., $d$-extended DBDH assumption.

**Category / Keywords: **public-key cryptography / Related-key attacks, non-malleable key derivation, one-time lossy filter

**Original Publication**** (in the same form): **IACR-PKC-2015

**Date: **received 3 Jan 2015, last revised 10 Jan 2015

**Contact author: **qinbaodong at sjtu edu cn,slliu@sjtu edu cn

**Available format(s): **PDF | BibTeX Citation

**Note: **Fixed a minor error in the definition of Game 1 in Fig.3 and some typos.

**Version: **20150110:081920 (All versions of this report)

**Short URL: **ia.cr/2015/003

[ Cryptology ePrint archive ]