Designs, Codes and Cryptography

, Volume 60, Issue 1, pp 15–35

Notions and relations for RKA-secure permutation and function families

  • Jongsung Kim
  • Jaechul Sung
  • Ermaliza Razali
  • Raphael C.-W. Phan
  • Marc Joye


The theory of designing block ciphers is mature, having seen significant progress since the early 1990s for over two decades, especially during the AES development effort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques including related-key attacks (RKA) may turn out to be less secure against RKA than expected. The notion of provable security of block ciphers against RKA was initiated by Bellare and Kohno, and subsequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security notions for RKA-secure block ciphers. In the first part of the paper, we show that secure tweakable permutation families in the sense of strong pseudorandom permutation (SPRP) can be transformed into secure permutation families in the sense of SPRP against some classes of RKA (SPRP–RKA). This fact allows us to construct a secure SPRP–RKA cipher which is faster than the Bellare–Kohno PRP–RKA cipher. We also show that function families of a certain form secure in the sense of a pseudorandom function (PRF) can be transformed into secure permutation families in the sense of PRP against some classes of RKA (PRP–RKA). We can exploit it to get various constructions secure against some classes of RKA from known MAC algorithms. Furthermore, we discuss how the key recovery (KR) security of the Bellare–Kohno PRP–RKA, the Lucks PRP–RKA and our SPRP–RKA ciphers relates to existing types of attacks on block ciphers like meet-in-the-middle and slide attacks. In the second part of the paper, we define other security notions for RKA-secure block ciphers, namely in the sense of indistinguishability (IND) and non-malleability, and show the relations between these security notions. In particular, we show that secure tweakable permutation families in the sense of IND (resp. non-malleability) can be transformed into RKA-secure permutation families in the sense of IND (resp. non-malleability).


Pseudorandom Related-Key Attacks PRP SPRP–RKA 

Mathematics Subject Classification (2000)



Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare M., Desai A., Jokipii E., Rogaway P.: A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In: Proceedings of the 38th symposium on foundations of computer science (FOCS), IEEE, 1997.
  2. 2.
    Bellare M., Kilian J., Rogaway P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)MathSciNetMATHCrossRefGoogle Scholar
  3. 3.
    Bellare M., Kohno T.: A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. Advances in Cryptology—EUROCRYPT 2003, LNCS vol. 2654, pp. 491–506. Springer-Verlag, Berlin (2003).
  4. 4.
    Biham E.: New Types of Cryptanalytic Attack Using Related Keys. Advances in Cryptology—EUROCRYPT 1993, LNCS vol. 765, pp. 398–409. Springer-Verlag, Berlin (1994).Google Scholar
  5. 5.
    Biham E., Dunkelman O., Keller N.: Related-Key Boomerang and Rectangle Attacks. Advances in Cryptology—EUROCRYPT 2005, LNCS vol. 3494, pp. 507–525. Springer-Verlag, Berlin (2005).Google Scholar
  6. 6.
    Biham E., Dunkelman O., Keller, N.: Related-Key Rectangle Attack on the Full KASUMI. Advances in Cryptology—ASIACRYPT 2005, LNCS vol. 3788, pp. 443–461. Springer-Verlag, Brlin(2005).Google Scholar
  7. 7.
    Biham E., Dunkelman O., Keller N.: New Cryptanalytic Results on IDEA. Advances in Cryptology—ASIACRYPT 2006, LNCS vol. 4284, pp. 412–427. Springer-Verlag, Berlin (2006).Google Scholar
  8. 8.
    Biham E., Dunkelman O., Keller N.: A Simple Related-Key Attack on the Full SHACAL-1. Topics in Cryptology—CT-RSA 2007, LNCS vol. 4377, pp. 20–30. Springer-Verlag, Berlin (2007).Google Scholar
  9. 9.
    Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)MathSciNetMATHCrossRefGoogle Scholar
  10. 10.
    Biryukov A., Wagner D.: Advanced Slide Attacks. Advances in Cryptology—EUROCRYPT 2000, LNCS vol. 1807, pp. 589–606. Springer-Verlag, Berlin (2000).Google Scholar
  11. 11.
    Choi J., Kim J., Sung J., Lee S., Lim J.: Related-key and meet-in-the-middle attacks on triple-DES and DES-EXE. In: Proceedings of Information Security and Hiding (ISH 2005), in Conjunction with the International Conference on Computational Science and Its Applications (ICCSA 2005), LNCS vol. 3481, pp. 567–576. Springer, Berlin (2005).Google Scholar
  12. 12.
    Halevi S.: EME*: Extending EME to Handle Arbitrary-length Messages with Associated Data, 2004. Progress in Cryptology—INDOCRYPT 2004, LNCS vol. 3348, pp. 315–327. Springer-Verlag, Berlin (2004).
  13. 13.
    Halevi S., Rogaway P.: A Tweakable Enciphering Mode. Advances in Cryptology—CRYPTO 2003, LNCS vol. 2729, pp. 482–499. Springer-Verlag, Berlin (2003).Google Scholar
  14. 14.
    Halevi S., Rogaway P.: A Parallelizable Enciphering Mode. Topics in Cryptology—CT-RSA 2004, LNCS vol. 2964, pp. 292–304. Springer-Verlag, Berlin (2004).
  15. 15.
    Hawkes P.: Differential-Linear Weak-Key Classes of IDEA. Advances in Cryptology—EUROCRYPT 1998, LNCS vol. 1403, pp. 112–126. Springer-Verlag, Berlin (1998).Google Scholar
  16. 16.
    Hellman M.E., Karnin E.D., Reyneri J.M.: On the Necessity of Exhaustive Search for System-Invariant Cryptanalysis. Advances in Cryptology—A Report on CRYPTO 1981. U.C. ECE Report No 82-04, pp. 2–6. Department of Electrical and Computer Engineering, Santa Barbara (1982).Google Scholar
  17. 17.
    Iwata T., Kurosawa K.: OMAC: One-Key CBC MAC. Proceedings of Fast Software Encryption (FSE 2003), LNCS vol. 2887, pp. 129–153. Springer-Verlag, Berlin (2003).Google Scholar
  18. 18.
    Jakimoski G., Desmedt Y.: Related-Key Differential Cryptanalysis of 192-bit Key AES Variants. Proceedings of Selected Areas in Cryptography (SAC 2003), LNCS vol. 3006, pp. 208–221. Springer-Verlag, Berlin (2003).Google Scholar
  19. 19.
    Kelsey J., Schneier B., Wagner D.: Key-schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Advances in Cryptology— CRYPTO 1996, LNCS vol. 1109, pp. 237–251. Springer-Verlag, Berin (1996).Google Scholar
  20. 20.
    Kelsey J., Schneier B., Wagner D.: Related-key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Proceedings of Information and Communications Security (ICICS 1997), LNCS vol. 1334, pp. 233–246 Springer-Verlag, Berlin (1997).Google Scholar
  21. 21.
    Kilian J., Rogaway P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol 14(1), 17–35 (2001)MathSciNetMATHCrossRefGoogle Scholar
  22. 22.
    Kim J., Kim G., Hong S., Lee S., Hong D.: The Related-Key Rectangle Attack—Application to SHACAL-1. Proceedings of Information Security and Privacy (ACISP 2004), LNCS vol. 3108, pp. 123–136. Springer-Verlag, Berlin (2004).Google Scholar
  23. 23.
    Kim J., Kim G., Lee S., Lim J., Song J.: Related-Key Attacks on Reduced Rounds of SHACAL-2. Progress in Cryptology—INDOCRYPT 2004, LNCS vol. 3348, pp. 175–189. Springer-Verlag, Berlin (2004).Google Scholar
  24. 24.
    Kim J., Hong S., Preneel B.: Related-Key Rectangle Attacks on Reduced AES-192 and AES-256. Proceedings of Fast Software Encryption (FSE 2007), LNCS vol. 4593, pp. 225–241. Springer-Verlag, Berlin (2007).Google Scholar
  25. 25.
    Knudsen L.R.: Cryptanalysis of LOKI91. Advances in Cryptology—AUSCRYPT 1992, LNCS vol. 718, pp. 196–208. Springer-Verlag, Berlin (1993).Google Scholar
  26. 26.
    Ko Y., Hong S., Lee W., Lee S., Kang J.: Related Key Differential Attacks on 26 Rounds of XTEA and Full Rounds of GOST. Proceedings of Fast Software Encryption (FSE 2004), LNCS vol. 3017, pp. 299–316. Springer-Verlag, Berlin (2004).Google Scholar
  27. 27.
    Liskov M., Rivest R.L., Wagner D.: Tweakable Block Ciphers. Advances in Cryptology—CRYPTO 2002, LNCS vol. 2442, pp. 31–46. Springer-Verlag, Berlin (2002).Google Scholar
  28. 28.
    Luby M., Rackoff C.: How to construct pseudorandom permutations from peudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)MathSciNetMATHCrossRefGoogle Scholar
  29. 29.
    Lucks S.: Ciphers Secure against Related-Key Attacks, Proceedings of Fast Software Encryption (FSE 2004), LNCS vol. 3017, pp. 359–370. Springer-Verlag, Berlin (2004).Google Scholar
  30. 30.
    Murphy S., Robshaw M.J.B.: Key-dependent S-boxes and differential cryptanalysis. Des. Codes Cryptogr 27(3), 229–255 (2002)MathSciNetMATHCrossRefGoogle Scholar
  31. 31.
    Naor M., Reingold O.: On the construction of pseudorandom permutations: Luby-Rackoff revisted. J Cryptol 12(1), 29–66 (1999)MathSciNetMATHCrossRefGoogle Scholar
  32. 32.
    Phan R.C.-W.: Related-Key Attacks on Triple-DES and DESX Variants, Topics in Cryptology— CT-RSA 2004, LNCS vol. 2964, pp. 15–24. Springer-Verlag, Berlin (2004).Google Scholar
  33. 33.
    Phan R.C.-W., Handschuh H.: On Related-Key and Collision Attacks: the Case for the IBM 4758 Cryptoprocessor. Proceedings of Information Security (ISC 2004), LNCS vol. 3225, pp. 111–122. Springer-Verlag, Berlin (2004).Google Scholar
  34. 34.
    Razali E., Phan R.C.-W.: On the Existence of Related-Key Oracles in Cryptosystems Based on Block Ciphers. On the Move to Meaningful Internet Systems 2006: OTM 2006, LNCS, vol. 4277, pp. 425–438. Springer-Verlag, Berlin (2006).Google Scholar
  35. 35.
    Razali E., Phan R.C.-W., Joye M.: On the Notions of PRP-RKA, KR and KR-RKA for block ciphers. Proceedings of Provable Security (ProvSec 2007), LNCS vol. 4784, pp. 188–197. Springer-Verlag, Berlin (2007).Google Scholar
  36. 36.
    Vaudenay S.: Decorrelation: a theory for block cipher security. J. Cryptol. 16(4), 249–286 (2003)MathSciNetMATHCrossRefGoogle Scholar
  37. 37.
    Wagner D.: Towards a Unifying View of Block Cipher Cryptanalysis. Proceedings of Fast Software Encryption (FSE 2004), LNCS vol. 3014, pp. 16–33. Springer-Verlag, Berlin (2004).Google Scholar
  38. 38.
    Winternitz R.S., Hellman M.E.: Chosen-key attacks on a block cipher. Cryptologia 11(1), 16–20 (1987)MATHCrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Jongsung Kim
    • 1
  • Jaechul Sung
    • 2
  • Ermaliza Razali
    • 3
  • Raphael C.-W. Phan
    • 4
  • Marc Joye
    • 5
  1. 1.Division of e-BusinessKyungnam UniversityMasan, KyungnamKorea
  2. 2.Department of MathematicsUniversity of SeoulSeoulKorea
  3. 3.Information Security Research (iSECURES) LabSwinburne University of TechnologySarawakMalaysia
  4. 4.Electronic & Electrical EngineeringLoughborough UniversityLoughboroughUK
  5. 5.Technicolor, Security & Content Protection LabsCesson-Sévigné, CedexFrance

Personalised recommendations