A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications

We initiate a theoretical investigation of the popular block-cipher design-goal of security against “related-key attacks” (RKAs). We begin by introducing definitions for the concepts of PRPs and PRFs secure against classes of RKAs, each such class being specified by an associated set of “related-key deriving (RKD) functions.” Then for some such classes of attacks, we prove impossibility results, showing that no block-cipher can resist these attacks while, for other, related classes of attacks that include popular targets in the block cipher community, we prove possibility results that provide theoretical support for the view that security against them is achievable. Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in [17]. We believe this work helps block-cipher designers and cryptanalysts by clarifying what classes of attacks can and cannot be targets of design. It helps block-cipher users by providing guidelines about the kinds of related keys that are safe to use in constructs, and by enabling them to prove the security of such constructs. Finally, it puts forth a new primitive for consideration by theoreticians with regard to open questions about constructs based on minimal assumptions.