Journal of Cryptology, Volume 31, Issue 4, pp 917–964

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier

  • Michel Abdalla
  • Fabrice Benhamouda
  • Alain Passelègue
  • Kenneth G. Paterson


Related-key attacks (RKAs) concern the security of cryptographic primitives in the situation where the key can be manipulated by the adversary. In the RKA setting, the adversary’s power is expressed through the class of related-key deriving (\(\mathrm {RKD}\)) functions which the adversary is restricted to using when modifying keys. Bellare and Kohno (EUROCRYPT 2003, volume 2656 of LNCS, Springer, Heidelberg, pp 491–506, 2003) first formalized RKAs and pinpointed the foundational problem of constructing RKA-secure pseudorandom functions (RKA-PRFs). To date there are few constructions for RKA-PRFs under standard assumptions, and it is a major open problem to construct RKA-PRFs for larger classes of \(\mathrm {RKD}\) functions. We make significant progress on this problem. We first show how to repair the framework for constructing RKA-PRFs by Bellare and Cash (CRYPTO 2010, volume 6223 of LNCS, Springer, Heidelberg, pp 666–684, 2010) and extend it to handle the more challenging case of classes of \(\mathrm {RKD}\) functions that contain claws. We apply this extension to show that a variant of the Naor–Reingold function already considered by Bellare and Cash is an RKA-PRF for a class of affine \(\mathrm {RKD}\) functions under the Decisional Diffie–Hellman (DDH) assumption, albeit with a blowup that is exponential in the PRF input size. We then develop a second extension of the Bellare–Cash framework and use it to show that the same Naor–Reingold variant is actually an RKA-PRF for a class of degree d polynomial \(\mathrm {RKD}\) functions under the stronger decisional d-Diffie–Hellman inversion assumption. As a significant technical contribution, our proof of this result avoids the exponential-time security reduction that was inherent in the work of Bellare and Cash and in our first result. In particular, by setting \(d = 1\) (affine functions), we obtain a construction of RKA-secure PRFs for affine relations based on the polynomial hardness of DDH.
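As an added illustration (not code from the paper or its authors), the following Python toy models the objects the abstract refers to: the Naor–Reingold function, an RKA oracle that evaluates the PRF under an adversary-chosen related key, a class of component-wise affine RKD functions, and a check for claws, i.e. two distinct RKD functions that map some key to the same derived key, which is the property the abstract says the repaired Bellare–Cash framework must handle. The group parameters (an order-11 subgroup of Z_23^*), the component-wise form of the affine class, and every function name are assumptions made for this example; the group is far too small for any security and exists only to make the arithmetic visible.

```python
# Added toy model (not code from the paper) of the related-key-attack setting
# for the Naor-Reingold PRF. Group parameters, key length and the RKD classes
# below are constructed illustrative assumptions; the group is far too small
# to be secure.
from dataclasses import dataclass
from itertools import combinations, product
from typing import Iterable, List, Optional, Sequence, Tuple

P = 23   # modulus of the toy group Z_23^* (assumption)
Q = 11   # prime order of the subgroup we work in; exponents live in Z_q
G = 2    # generator of that order-11 subgroup (2^11 = 2048 = 89*23 + 1)


def nr_prf(key: Sequence[int], x: Sequence[int]) -> int:
    """Naor-Reingold function NR(a, x) = g^(a_0 * prod_{i : x_i = 1} a_i) mod p,
    with key a = (a_0, ..., a_n) in Z_q^(n+1) and input x in {0,1}^n."""
    if len(x) != len(key) - 1:
        raise ValueError("input length must be key length minus one")
    exponent = key[0] % Q
    for a_i, x_i in zip(key[1:], x):
        if x_i:
            exponent = (exponent * a_i) % Q
    return pow(G, exponent, P)


@dataclass(frozen=True)
class AffineRKD:
    """Component-wise affine RKD function phi(a)_i = alpha_i * a_i + beta_i mod q.
    alpha = (1, ..., 1) gives the claw-free subclass of translations."""
    alpha: Tuple[int, ...]
    beta: Tuple[int, ...]

    def __call__(self, key: Sequence[int]) -> List[int]:
        return [(al * a + be) % Q for al, a, be in zip(self.alpha, key, self.beta)]


def rka_oracle(key: Sequence[int], phi: AffineRKD, x: Sequence[int]) -> int:
    """RKA oracle: the adversary supplies an allowed RKD function phi and an input x
    and receives the PRF evaluated under the derived key phi(key)."""
    return nr_prf(phi(key), x)


def find_claw(phi1: AffineRKD, phi2: AffineRKD) -> Optional[List[int]]:
    """Return a key K with phi1(K) == phi2(K) for distinct phi1, phi2 (a 'claw'),
    or None if no such key exists. Coordinate i agrees exactly when
    (alpha1_i - alpha2_i) * a_i == beta2_i - beta1_i (mod q)."""
    if phi1 == phi2:
        return None
    key = []
    for al1, be1, al2, be2 in zip(phi1.alpha, phi1.beta, phi2.alpha, phi2.beta):
        da, db = (al1 - al2) % Q, (be2 - be1) % Q
        if da == 0:
            if db != 0:
                return None       # this coordinate can never agree
            key.append(0)         # identical coordinate maps; any value works
        else:
            key.append(db * pow(da, -1, Q) % Q)
    return key


def is_claw_free(functions: Iterable[AffineRKD]) -> bool:
    """A class is claw-free when no two distinct members collide on any key."""
    return all(find_claw(f1, f2) is None for f1, f2 in combinations(list(functions), 2))


def translation_class(key_len: int) -> List[AffineRKD]:
    """All translations a -> a + beta of Z_q^key_len (constructed RKD class)."""
    ones = (1,) * key_len
    return [AffineRKD(ones, beta) for beta in product(range(Q), repeat=key_len)]


def small_affine_class(key_len: int) -> List[AffineRKD]:
    """Small constructed sample of affine maps with alpha_i in {1, 2}, beta_i in {0, 1}."""
    coords = [(al, be) for al in (1, 2) for be in (0, 1)]
    return [AffineRKD(tuple(c[0] for c in cs), tuple(c[1] for c in cs))
            for cs in product(coords, repeat=key_len)]


if __name__ == "__main__":
    phi1 = AffineRKD((2, 1, 1), (0, 0, 0))   # a_0 -> 2 a_0
    phi2 = AffineRKD((1, 1, 1), (3, 0, 0))   # a_0 -> a_0 + 3
    key = find_claw(phi1, phi2)              # [3, 0, 0]: both maps send a_0 to 6
    print("claw key:", key)
    print("oracle agrees on claw key:",
          rka_oracle(key, phi1, [0, 0]) == rka_oracle(key, phi2, [0, 0]))
    print("translations claw-free:", is_claw_free(translation_class(2)))    # True
    print("affine sample claw-free:", is_claw_free(small_affine_class(2)))  # False
```

The point of `find_claw` is that on a claw key the oracle cannot tell the two queries apart: two different RKD functions yield the same derived key and therefore the same PRF outputs, which is exactly why a security reduction cannot identify the derived key from the RKD function alone. Translations never collide, whereas as soon as the multiplicative part of the affine map varies, collisions exist for some key.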


Keywords: Related-key security; Pseudorandom functions; Polynomial RKD functions



We thank Susan Thomson for bringing the issues in the original Bellare–Cash framework to our attention, and for useful comments on the paper. Michel Abdalla, Fabrice Benhamouda, and Alain Passelègue were supported in part by the French ANR-10-SEGI-015 PRINCE Project, the Direction Générale de l’Armement (DGA), the CFM Foundation, the European Commission through the FP7-ICT-2011-EU-Brazil Program under Contract 288349 SecFuNet, and the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement 339563 – CryptoCloud). Alain Passelègue was supported in part by a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF Grants 1619348, 1228984, 1136174, and 1065276, BSF Grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the US Government. Kenneth G. Paterson was supported by an EPSRC Leadership Fellowship, EP/H005455/1.

References

  1. M. Abdalla, F. Benhamouda, A. Passelègue, K.G. Paterson, Related-key security for pseudorandom functions beyond the linear barrier, in J.A. Garay, R. Gennaro, editors, CRYPTO 2014, Part I. LNCS, vol. 8616 (Springer, Heidelberg, 2014), pp. 77–94
  2. M. Bellare, D. Cash, Pseudorandom functions and permutations provably secure against related-key attacks, in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, 2010), pp. 666–684
  3. M. Bellare, D. Cash, Pseudorandom functions and permutations provably secure against related-key attacks. Cryptology ePrint Archive, Report 2010/397 (2010). Last updated 27/10/2013
  4. M. Bellare, D. Cash, R. Miller, Cryptography secure against related-key attacks and tampering, in D.H. Lee, X. Wang, editors, ASIACRYPT 2011. LNCS, vol. 7073 (Springer, Heidelberg, 2011), pp. 486–503
  5. E. Biham, O. Dunkelman, N. Keller, Related-key boomerang and rectangle attacks, in R. Cramer, editor, EUROCRYPT 2005. LNCS, vol. 3494 (Springer, Heidelberg, 2005), pp. 507–525
  6. E. Biham, O. Dunkelman, N. Keller, A unified approach to related-key attacks, in K. Nyberg, editor, FSE 2008. LNCS, vol. 5086 (Springer, Heidelberg, 2008), pp. 73–96
  7. A. Biryukov, O. Dunkelman, N. Keller, D. Khovratovich, A. Shamir, Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 299–319
  8. E. Biham, New types of cryptanalytic attacks using related keys (extended abstract), in T. Helleseth, editor, EUROCRYPT’93. LNCS, vol. 765 (Springer, Heidelberg, 1994), pp. 398–409
  9. M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in E. Biham, editor, EUROCRYPT 2003. LNCS, vol. 2656 (Springer, Heidelberg, 2003), pp. 491–506
  10. A. Biryukov, D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, in M. Matsui, editor, ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, 2009), pp. 1–18
  11. A. Biryukov, D. Khovratovich, I. Nikolic, Distinguisher and related-key attack on the full AES-256, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, 2009), pp. 231–249
  12. D. Boneh, K. Lewi, H.W. Montgomery, A. Raghunathan, Key homomorphic PRFs and their applications, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part I. LNCS, vol. 8042 (Springer, Heidelberg, 2013), pp. 410–428
  13. A. Banerjee, C. Peikert, New and improved key-homomorphic pseudorandom functions, in J.A. Garay, R. Gennaro, editors, CRYPTO 2014, Part I. LNCS, vol. 8616 (Springer, Heidelberg, 2014), pp. 353–370
  14. M. Bellare, K.G. Paterson, S. Thomson, RKA security beyond the linear barrier: IBE, encryption and signatures, in X. Wang, K. Sako, editors, ASIACRYPT 2012. LNCS, vol. 7658 (Springer, Heidelberg, 2012), pp. 331–348
  15. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in S. Vaudenay, editor, EUROCRYPT 2006. LNCS, vol. 4004 (Springer, Heidelberg, 2006), pp. 409–426
  16. A. Escala, G. Herold, E. Kiltz, C. Ràfols, J. Villar, An algebraic framework for Diffie–Hellman assumptions, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, 2013), pp. 129–147
  17. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions (extended abstract), in 25th FOCS (IEEE Computer Society Press, Washington, 1984), pp. 464–479
  18. V. Goyal, A. O’Neill, V. Rao, Correlated-input secure hash functions, in Y. Ishai, editor, TCC 2011. LNCS, vol. 6597 (Springer, Heidelberg, 2011), pp. 182–200
  19. J. Kim, S. Hong, B. Preneel, Related-key rectangle attacks on reduced AES-192 and AES-256, in A. Biryukov, editor, FSE 2007. LNCS, vol. 4593 (Springer, Heidelberg, 2007), pp. 225–241
  20. L.R. Knudsen, Cryptanalysis of LOKI91, in J. Seberry, Y. Zheng, editors, AUSCRYPT’92. LNCS, vol. 718 (Springer, Heidelberg, 1993), pp. 196–208
  21. K.S. Kedlaya, C. Umans, Fast polynomial factorization and modular composition. SIAM J. Comput. 40(6), 1767–1802 (2011)
  22. K. Lewi, H.W. Montgomery, A. Raghunathan, Improved constructions of PRFs secure against related-key attacks, in I. Boureanu, P. Owesarski, S. Vaudenay, editors, ACNS 14. LNCS, vol. 8479 (Springer, Heidelberg, 2014), pp. 44–61
  23. M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, in 38th FOCS (IEEE Computer Society Press, Washington, 1997), pp. 458–467
  24. H. Wee, Public key encryption against related key attacks, in M. Fischlin, J. Buchmann, M. Manulis, editors, PKC 2012. LNCS, vol. 7293 (Springer, Heidelberg, 2012), pp. 262–279

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Michel Abdalla (1, 2)
  • Fabrice Benhamouda (3)
  • Alain Passelègue (4)
  • Kenneth G. Paterson (5)

  1. Département d’informatique de l’ENS, École normale supérieure, CNRS, PSL Research University, Paris, France
  2. INRIA, Paris, France
  3. IBM Research, Yorktown Heights, USA
  4. UCLA, Los Angeles, USA
  5. Information Security Group, Royal Holloway, University of London, Egham, UK
