## Abstract

In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack.

More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property. We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional Diffie-Hellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKA-secure pseudorandom generator under a variant of the DDH assumption.

Finally, we present several applications of RKA-secure encryption by showing that previous protocols which made a specialized use of random oracles in the form of operation respecting synthesizers (Naor and Pinkas, Crypto 1999) or correlation-robust hash functions (Ishai et al., Crypto 2003) can be instantiated with RKA-secure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard assumptions.


| Original language | American English |
|---|---|
| Title of host publication | Innovations in Computer Science - ICS 2011 |
| Subtitle of host publication | Tsinghua University |
| Place of Publication | Beijing, China |
| Pages | 45-60 |
| State | Published - 7 Jan 2011 |