Abstract
In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking
the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal
study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic
security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations
over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the
adversary can choose the linear relation adaptively during the attack.
More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based
on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property.
We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional DiffieHellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is
based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use
schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by
constructing a simple RKA-secure pseurodandom generator under a variant of the DDH assumption.
Finally, we present several applications of RKA-secure encryption by showing that previous protocols which
made a specialized use of random oracles in the form of operation respecting synthesizers (Naor and Pinkas,
Crypto 1999) or correlation-robust hash functions (Ishai et. al., Crypto 2003) can be instantiated with RKAsecure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and
Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard
assumptions.
the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal
study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic
security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations
over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the
adversary can choose the linear relation adaptively during the attack.
More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based
on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property.
We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional DiffieHellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is
based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use
schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by
constructing a simple RKA-secure pseurodandom generator under a variant of the DDH assumption.
Finally, we present several applications of RKA-secure encryption by showing that previous protocols which
made a specialized use of random oracles in the form of operation respecting synthesizers (Naor and Pinkas,
Crypto 1999) or correlation-robust hash functions (Ishai et. al., Crypto 2003) can be instantiated with RKAsecure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and
Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard
assumptions.
Original language | American English |
---|---|
Title of host publication | Innovations in Computer Science - ICS 2011 |
Subtitle of host publication | Tsinghua University |
Place of Publication | Beijing, China |
Pages | 45-60 |
State | Published - 7 Jan 2011 |