Relations between robustness and RKA security under public-key encryption

We revisit the notions of robustness introduced by Abdalla, Bellare and Neven (TCC 2010), and related-key attack (RKA) security raised by Bellare, Cash and Miller (ASIACRYPT 2011). In the setting of public-key encryption (PKE), robustness means that it is hard to produce a ciphertext that is valid for two different users, while RKA security means that a PKE scheme is still secure even when an attacker can induce modifications in a decryption key, and subsequently observe the outcome of this PKE scheme under this modified key. In this paper, we explore the relationship between RKA security and various notions of robustness (weak, strong, complete, and so so). We show, there is no implication between weak (strong) robustness and RKA security while complete robustness implies RKA security but is not implied by RKA security; besides complete robustness, there exist other ROB definitions that can imply RKA security if they meet some security requirements. This result provides a different framework enabling the construction of PKE schemes that are secure under the restricted related key attacks. Also, we instantiate how a robust PKE scheme achieves RKA security, and compare it with other existing ways of achieving RKA security in public-key setting.