On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model

@inproceedings{Albrecht2011OnCR,
  title={On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model},
  author={Martin R. Albrecht and Pooya Farshim and Kenneth G. Paterson and Gaven J. Watson},
  booktitle={IACR Cryptol. ePrint Arch.},
  year={2011}
}
Bellare and Kohno introduced a formal framework for the study of related-key attacks against blockciphers. They established sufficient conditions (output-unpredictability and collision-resistance) on the set of related-key-deriving (RKD) functions under which an ideal cipher is secure against related-key attacks, and suggested this could be used to derive security goals for real blockciphers. However, to do so requires the reinterpretation of results proven in the ideal-cipher model for the…
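The two conditions named in the abstract are easiest to appreciate by watching what goes wrong when one of them fails. The following Python simulation is an added illustration written for this page; it is not code from the paper or from Bellare and Kohno. It plays the Bellare-Kohno RKA-PRP game against a lazily sampled ideal cipher (32-bit keys and blocks, an assumption chosen to keep accidental collisions negligible): the adversary gets the related-key oracle rk(phi, x), which returns E(phi(K), x) in the real world and G(phi(K), x) for an independent ideal cipher G in the random world, plus direct access to E, as the ideal-cipher model grants. A constant RKD function (output-unpredictability violated) and a set of "set bit i" functions that collide with the identity on half the keys (collision-resistance violated) each give the adversary advantage 1; XOR offsets, which satisfy both conditions, leave the same generic move with advantage 0. The RKD sets, query constants, class and function names are this example's own choices.

```python
"""Added example: the Bellare-Kohno RKA-PRP game in the ideal-cipher model.

Not the paper's code.  Key/block size (32 bits), the RKD sets and all names
below are assumptions made for this illustration.
"""
import random

N_BITS = 32
MASK = (1 << N_BITS) - 1


class IdealCipher:
    """Lazily sampled family of independent random permutations, one per key."""

    def __init__(self, rng):
        self.rng = rng
        self.fwd = {}   # (key, x) -> y
        self.used = {}  # key -> outputs already assigned, so each E_K stays a permutation

    def enc(self, key, x):
        if (key, x) not in self.fwd:
            used = self.used.setdefault(key, set())
            while True:
                y = self.rng.getrandbits(N_BITS)
                if y not in used:
                    break
            used.add(y)
            self.fwd[(key, x)] = y
        return self.fwd[(key, x)]


class RKAGame:
    """rk(phi, x) = E(phi(K), x) in the real world, G(phi(K), x) in the random
    world (G an independent ideal cipher).  ideal(k, x) is the adversary's
    direct access to E, which the ideal-cipher model always provides."""

    def __init__(self, rng, real):
        self.E = IdealCipher(rng)
        self.G = IdealCipher(rng)
        self.K = rng.getrandbits(N_BITS)
        self.real = real

    def rk(self, phi, x):
        derived = phi(self.K) & MASK
        return self.E.enc(derived, x) if self.real else self.G.enc(derived, x)

    def ideal(self, key, x):
        return self.E.enc(key & MASK, x)


def attack_constant(game):
    """Phi contains the constant function K -> c, so it is not output-
    unpredictable: rk(phi_c, x) must equal E(c, x), which the adversary can
    query directly.  Equal in the real world, independent in the random one."""
    c, x = 0xDEADBEEF, 0x01234567
    return game.rk(lambda K: c, x) == game.ideal(c, x)


def attack_collision(game):
    """Phi = {id} plus phi_i(K) = K | (1 << i).  Each phi_i is output-
    unpredictable, but phi_i(K) == K whenever bit i of K is set, so the set is
    not collision-resistant.  The collision shows up as equal oracle outputs in
    BOTH worlds, leaking K bit by bit; the recovered key is then checked against
    the direct E oracle, which only matches in the real world."""
    x = 0x01234567
    ref = game.rk(lambda K: K, x)
    recovered = 0
    for i in range(N_BITS):
        if game.rk(lambda K, i=i: K | (1 << i), x) == ref:
            recovered |= 1 << i
    return game.ideal(recovered, x) == ref


def attack_xor(game):
    """XOR offsets K -> K ^ delta satisfy both conditions: no derived key is
    predictable and distinct offsets never collide.  The generic move left is
    to guess K (here guess 0), which succeeds with probability 2^-32."""
    delta, x, guess = 0x0F0F0F0F, 0x01234567, 0
    return game.rk(lambda K: K ^ delta, x) == game.ideal(guess ^ delta, x)


def advantage(attack, trials=32, seed=0):
    """Pr[A outputs 1 | real] - Pr[A outputs 1 | random], over fresh games."""
    rng = random.Random(seed)
    real_hits = sum(attack(RKAGame(rng, real=True)) for _ in range(trials))
    rand_hits = sum(attack(RKAGame(rng, real=False)) for _ in range(trials))
    return (real_hits - rand_hits) / trials


if __name__ == "__main__":
    for name, attack in [("constant RKD function", attack_constant),
                         ("colliding RKD set", attack_collision),
                         ("XOR offsets", attack_xor)]:
        print(f"{name:22s} advantage {advantage(attack):.2f}")
```

The simulation only shows that these particular attacks fail against XOR offsets; the actual security statement for sets meeting both conditions is the Bellare-Kohno theorem, not an experiment. Note also that the collision attack recovers K in the random world too: collisions between RKD functions are a property of the set, not of the cipher, which is why collision-resistance has to be demanded of the set itself.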