Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks

This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of PRFs and PRPs resisting rich and relevant forms of related-key attack (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Our framework yields other RKA-PRFs including a DUN-based one derived from the Lewko-Waters PRF. We show how to turn these PRFs into PRPs (blockciphers) while retaining security against RKAs. Over the last 17 years cryptanalysts and blockcipher designers have routinely and consistenly targeted RKA-security; it is important for abuse-resistant cryptography; and it helps protect against fault-injection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.