Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier
Related-key attacks (RKAs) concern the security of cryptographic primitives in the situation where the key can be manipulated by the adversary. In the RKA setting, the adversary’s power is expressed through the class of related-key deriving (RKD) functions which the adversary is restricted to using when modifying keys. Bellare and Kohno (EUROCRYPT 2003, volume 2656 of LNCS, Springer, Heidelberg, pp 491–506, 2003) first formalized RKAs and pinpointed the foundational problem of constructing RKA-secure pseudorandom functions (RKA-PRFs). To date there are few constructions for RKA-PRFs under standard assumptions, and it is a major open problem to construct RKA-PRFs for larger classes of RKD functions. We make significant progress on this problem. We first show how to repair the framework for constructing RKA-PRF by Bellare and Cash (CRYPTO 2010, volume 6223 of LNCS, Springer, Heidelberg, pp 666–684, 2010) and extend it to handle the more challenging case of classes of RKD functions that contain claws. We apply this extension to show that a variant of the Naor–Reingold function already considered by Bellare and Cash is an RKA-PRF for a class of affine RKD functions under the Decisional Diffie–Hellman (DDH) assumption, albeit with a blowup that is exponential in the PRF input size. We then develop a second extension of the Bellare–Cash framework and use it to show that the same Naor–Reingold variant is actually an RKA-PRF for a class of degree d polynomial RKD functions under the stronger decisional d-Diffie–Hellman inversion assumption. As a significant technical contribution, our proof of this result avoids the exponential-time security reduction that was inherent in the work of Bellare and Cash and in our first result. In particular, by setting d= 1 (affine functions), we obtain a construction of RKA-secure PRF for affine relation based on the polynomial hardness of DDH.