On the Existence of Related-Key Oracles in Cryptosystems Based on Block Ciphers

  • Ermaliza Razali
  • Raphael C. -W. Phan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4277)


The notion of a related-key attack (RKA) was formally introduced by Biham in 1993. It is essentially more of an attack model rather than a specific type of attack in that it considers what sort of oracles are available to the attacker. In this case, the attacker has access to related-key (RK) oracles, i.e. he is able to have encryptions performed on plaintexts of his choice, keyed by two or more unknown but related keys. The feasibility of this attack model is at times debated mainly because the assumption that an attacker would have access to RK oracles may be too strong to really exist in practice. Hence, attacks on block ciphers in this RKA model have commonly not been regarded on the same level of significance of those not requiring RK oracles. A good example is the AES. It is generally accepted that the best known attack is a non-RKA by Gilbert and Minier in 2000, although it applies to less rounds compared to the best known RKA on AES by Biham et al. that applies to more rounds. It is our aim in this paper to show how RK oracles exist in various block cipher based cryptosystems. The gist is to think outside the box, i.e. to note that a block cipher is often an underlying primitive within a larger cryptographic construct, thus it is only natural to evaluate the block cipher security in this setting and not as a standalone primitive. In doing so, we formally introduce the notion of related-key multiplicative differentials, and related-key compositionally differentials. We also consider the existence of RK oracles in PGV-type hash functions, message authentication codes, recent authenticated encryption modes and cases of key-exchange protocols not previously mentioned in literature.


Hash Function Smart Card Block Cipher Advance Encryption Standard Message Authentication Code 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Kohno, T.: A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003), available at CrossRefGoogle Scholar
  2. 2.
    Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptology 7(4), 229–246 (1994)CrossRefMATHGoogle Scholar
  3. 3.
    Biham, E., Dunkelman, O., Keller, N.: A Related-Key Rectangle Attack on the Full KASUMI. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Borisov, N., Chew, M., Johnson, R., Wagner, D.: Multiplicative Differentials. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 17–33. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Springer, Heidelberg (2003)Google Scholar
  7. 7.
    Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: Proc. of IEEE-FOCS 2001, pp. 136–145 (2001)Google Scholar
  8. 8.
    Diffie, W., Hellman, M.E.: Privacy and Authentication: An Introduction to Cryptography. Proc. of the IEEE 67(3), 397–427 (1979)CrossRefGoogle Scholar
  9. 9.
    Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Gilbert, H., Minier, M.: A Collision Attack on 7 Rounds of Rijndael. In: Proc. of AES 2000, pp. 230–241 (2000)Google Scholar
  11. 11.
    Goldreich, O., Krawczyk, H.: On the Composition of Zero-Knowledge Proof Systems. In: Paterson, M. (ed.) ICALP 1990. LNCS, vol. 443, pp. 268–282. Springer, Heidelberg (1990)CrossRefGoogle Scholar
  12. 12.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Jaulmes, É., Joux, A., Valette, F.: RMAC: A Randomized MAC Beyond the Birthday Paradox Limit, available online at
  14. 14.
    Kanjanarin, W., Amornraksa, T.: Scrambling and Key Distribution Scheme for Digital Television. In: Proc. of IEEE-ICON 2001, pp. 140–145 (2001)Google Scholar
  15. 15.
    Kelsey, J., Schneier, B., Wagner, D.: Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  17. 17.
    Kelsey, J., Schneier, B., Wagner, D.: Protocol Interactions and the Chosen Protocol Attack. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 91–104. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  18. 18.
    Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Kim, J., Biryukov, A., Preneel, B., Lee, S.: On the Security of Encryption Modes of MD4, MD5 and HAVAL. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 147–158. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Knudsen, L.R.: Cryptanalysis of LOKI. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 22–35. Springer, Heidelberg (1993)Google Scholar
  21. 21.
    Knudsen, L.R., Kohno, T.: Analysis of RMAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 182–191. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Ko, Y., Hong, S., Lee, W., Lee, S., Kang, J.-S.: Related Key Differential Attacks on 27 Rounds of XTEA and Full-Round GOST. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 299–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Kurosawa, K., Iwata, T.: TMAC: Two-Key CBC MAC. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 33–49. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Lucks, S.: Ciphers Secure against Related-Key Attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    NIST. Advanced Encryption Standard (AES). FIPS 197 (2001)Google Scholar
  26. 26.
    NIST. Recommendation for Block Cipher Modes of Operation. SP800-38A (2001)Google Scholar
  27. 27.
    NIST. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. SP800-38C (2004)Google Scholar
  28. 28.
    NIST. Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. SP800-38B (2005)Google Scholar
  29. 29.
    NIST. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication. Draft SP800-38D (2006)Google Scholar
  30. 30.
    Pfitzmann, B., Waidner, M.: Composition and Integrity Preservation of Secure Reactive Systems. In: Proc. of ACM-CCS 2000, pp. 245–254 (2000)Google Scholar
  31. 31.
    Phan, R.C.-W.: Related-Key Attacks on Triple-DES and DESX Variants. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 15–24. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  32. 32.
    Phan, R.C.-W., Handschuh, H.: On Related-Key and Collision Attacks: The Case for the IBM 4758 Cryptoprocessor. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 111–122. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  33. 33.
    Preneel, B.: Hash Functions and MAC Algorithms Based on Block Ciphers. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 270–282. Springer, Heidelberg (1997)Google Scholar
  34. 34.
    Preneel, B., Govaerts, R., Vandewalle, J.: Differential Cryptanalysis of Hash Functions Based on Block Ciphers. In: Proc. of ACM-CCS 1993, pp. 183–188 (1993)Google Scholar
  35. 35.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)Google Scholar
  36. 36.
    Rabin, M.O.: Digitalized Signatures. In: Fdns. of Secure Computation, pp. 155–166 (1978)Google Scholar
  37. 37.
    Tsudik, G., Herreweghen, E.V.: On Simple and Secure Key Distribution. In: Proc. of ACM-CCS 1993, pp. 49–57 (1993)Google Scholar
  38. 38.
    Winternitz, R.S., Hellman, M.E.: Chosen-key Attacks on a Block Cipher. Cryptologia 11(1), 16–20 (1987)MATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ermaliza Razali
    • 1
  • Raphael C. -W. Phan
    • 1
  1. 1.Information Security Research (iSECURES) LabSwinburne University of Technology (Sarawak Campus)Malaysia

Personalised recommendations