Semantic Security under Related-Key Attacks and Applications

Benny Applebaum, Danny Harnik, Yuval Ishai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking
the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal
study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic
security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations
over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the
adversary can choose the linear relation adaptively during the attack.
More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based
on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property.
We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional DiffieHellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is
based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use
schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by
constructing a simple RKA-secure pseurodandom generator under a variant of the DDH assumption.
Finally, we present several applications of RKA-secure encryption by showing that previous protocols which
made a specialized use of random oracles in the form of operation respecting synthesizers (Naor and Pinkas,
Crypto 1999) or correlation-robust hash functions (Ishai et. al., Crypto 2003) can be instantiated with RKAsecure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and
Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard
Original languageAmerican English
Title of host publicationInnovations in Computer Science - ICS 2011
Subtitle of host publicationTsinghua University
Place of PublicationBeijing, China
StatePublished - 7 Jan 2011


Dive into the research topics of 'Semantic Security under Related-Key Attacks and Applications'. Together they form a unique fingerprint.

Cite this