Keywords

1 Introduction

A series of cryptanalytic results have established the threat of related-key attacks as a mainstream cryptographic challenge. Introduced by Biham and Knudsen [6, 16] for block ciphers, related-key cryptanalysis has led to high profile attacks, ranging from key recovery [7] to distinguishers [810]. In a related-key setting, the secret key of a cryptosystem/primitive can be partially controlled by the adversary. Specifically, the adversary can apply key transformations to change the key and observe the outcome under the modified keys. A typical example of such transformation is fault injection attack.

Motivated by the cryptanalytic applications, Bellare and Kohno [5] initiated a theoretical study of related-key (RK) security of block ciphers, traditionally modelled as pseudorandom permutations (PRPs) and pseudorandom functions (PRFs). They defined related-key security with respect to a class of related-key-deriving (RKD) functions, \(\varPhi \), which specifies the relations available to the adversary, and considered an adversary who can (adaptively) choose the relation from \(\varPhi \) during the attack. Although in some of the examples of [5], choice of RKD set makes the adversary quite powerful, they help to characterize the set of functions.

Despite of its importance in applied cryptography only a few positive results are known in the RK setting [2, 4, 5, 17]. Bellare and Kohno [5], followed by Lucks [17] considered the construction of RK secure pseudorandom functions and permutations from the ideal primitives like ideal cipher. Lucks introduced the notion of group induced RKD class where, if the keyspace forms a group under some given operation, then the RKD functions may be chosen by an adversary using this group-operation. An obvious example of such operation is bit wise exclusive or (XOR) operation of a key with some known constant (of same bit length as the key). In a breakthrough result, Bellare and Cash [3] constructed RK secure PRPs based on hardness of DDH/DLIN assumptions. Although this construction proves an important feasibility result , the solution is quite inefficient and hard to use in practice.

On the other hand, related-key distinguishers have been found for widely used block-ciphers including AES [10]. Naturally, concerns are mounting over the security of the primitives, designed based on these ciphers [18]. Specifically, security of applications like message authentication codes, where block-ciphers are used heavily as the underlying primitive, needs to be revisited in light of the related-key attacks. Although, most of the popular MAC constructions were proven to be pseudorandom assuming pseudorandomness of the underlying block cipher, much weaker security notion, like unpredictability, is sufficient for MACs. As AES and some other block-ciphers are believed to remain unpredictable, even against related-key attacks, a natural question is what security guarantee we can prove from this assumption. Specifically, Can we achieve an efficient construction of Message Authentication Code, secure against related-key attacks, if we only assume related-key unpredictability from the underlying block ciphers?

Our Results. In this paper, we focus our attention to the security of message authentication codes against related-key attacks. Instead of modeling the block cipher as RK-PRP, we model underlying block cipher as only RK unpredictable. We reconsider several practical and popular constructions from the literature, and analyze them in the light of related-key attacks, towards their feasibility as related-key MACs. We also present two proofs of concept RK unpredictable functions, both based on DDH assumption. A more detailed description of our results follows.

Definitions. We start with presenting general definition of unpredictability against related-key attacks. We consider two types of security of unforgeability. In the first type (called Weak Related-Key Unforgeability), adversary’s prediction has to be on a fresh message, i.e. she can not predict the output of the function (on the target key) on a message, which she has queried earlier even on a related-key. In the stronger type (called Related-Key Unforgeability), adversary can be more powerful. She is allowed to forge a message, even if she has queried it on a related-key (although, not on the target key).

Handling Constant Functions. We revisit the necessary conditions for the class of related-key transformations argued by Bellare and Kohno [5], specifically transformations mapping all keys to some constant. We present a simple proof that a general message authentication code is inherently secure against constant RKD functions. To the best of our knowledge, this results to a first symmetric key construction which can handle constant RKD transformations.

Cryptanalysis of Popular MAC Construction. Next, we show negative results on many popular constructions. We show simple attacks against XCBC and TMAC. We also prove that, if the key of the MAC construction is viewed as a single key, ECBC and FCBC constructions do not guarantee unforgeability, irrespective of the strength of underlying block ciphers.

A Related-Key Secure Domain Extension. The natural question that arises from the results of previous paragraph is whether any existing construction preserves unpredictability against a related-key adversary. For the general setting, most designs use the NI construction of [1]. The general idea behind the construction is a collision at the output would imply a collision at the compression function (by standard MD argument). Then one would try to design an efficient weak collision resistant compression function from unpredictable functions, and prove that a collision at the compression function output can be used to predict the output of the underlying functions. However, in the related-key scenario, this need not be the case. Indeed, the collision of the mode as well as the compression function may be with a related-key query. If the related key query was made later, then the previous approach will not work.

To solve this problem, we propose a Merkle-Damgård based construction (prefix-free NI) for related-key unpredictability. Specifically, our construction is a prefix free MD domain extension with an extra round at the end. Using this extra round, we prove that even if the collision is with a related-key query, input of the last round (during the evaluation of forgery output) is either new (hence can be used for prediction) or generates a collision with a previous query on the target key. Then one can extend the standard MD based arguments to find forgery on the underlying functions.

We instantiate this mode of operation by the enciphered CBC construction of Dodis, Pietrzak and Puniya [13], and prove that this gives a variable input length related-key unpredictable function from fixed input length related-key secure unpredictable functions and permutations.

A General Construction of RK Unpredictable Functions. Our final contribution is a provably secure construction of Related Key Unpredictable function in the standard model. We instantiate this construction by two recent constructions in [11]. Our basic construction, secure against partial key-transformations, is much efficient in terms of keysize. Specifically, the keysize in our case is linear as compared to quadratic keysize in [3]. Our second construction is fully secure against component-wise group induced transformations. The construction of Bellare and Cash [3] can be seen as a special case of our construction. Additionally, the concept of key homomorphism in this work avoids the complexity of key malleability faced in [3]. Compared to Bellare-Cash construction, this construction is efficient in terms of exponentiation.

2 Overview of Our Technique

Claw-free RKD sets. In this work, like most of the previous positive results, we focus on claw-free related-key deriving (RKD) functions. Roughly speaking, a set \(\varPhi \) of RKD functions is called claw-free if for all but negiligible fraction of \(k\), distinct functions \(\phi _1\) and \(\phi _2\) from \(\varPhi \), \(\phi _1(k)\ne \phi _2(k)\). We note that, Bellare, Cash, and Miller [4] have constructed related-key secure signature scheme where they could break this requirement. However, their construction heavily depends on the notion of ICR pseudorandom generator, which in turn depends on RK-secure pseudorandom functions. We stress that, no construction of RK-secure pseudorandom function against non-claw free RKD set is known till date, and constructions of [4] are not instantiable by current RK-secure PRFs. In such a situation, we consider the claw-free RKD sets as worthy target.

Handling Multiple Keys. The most popular paradigm to design variable-input-length (VIL) MAC (or PRF) is the Hash then MAC (or Hash then PRF) approach. The message is first hashed by applying a collision resistant hash function, and then passed through an independent fixed input length MAC (PRF). Naturally, the key of such a construction contains the key(s) of the hash function (or the underlying primitive) and an independently sampled key of the final transformation. The key of the variable input length MAC is simply the concatenation of these sampled keys. The question is, how will the adversary change this key, i.e. should she consider functions which work independently over the individual keys? Or we can allow her to consider any claw-free RKD transformation over the keyspace (Cartesian product of the keyspace of the hash function and the final transformation) of the variable input length MAC.

In Sect. 6, we show that if we allow any claw-free RKD transformation over the keyspace, then multi-key constructions have an inherent limitation. Specifically, we show attacks on ECBC and FCBC, where the related-key adversary can turn a three key construction into a two key construction, using a claw-free RKD class.

We identify an alternative yet natural class of RKD functions, called component-wise transformation as a feasible target. A component-wise transformation over the keyspace \(\mathcal {K}^n\) is an \(n\)-element vector of RKD functions over \(\mathcal {K}\). Let \(\phi =(\phi _1,\phi _2,\cdots ,\phi _n)\) be such a vector where each \(\phi _i\) is a function over \(\mathcal {K}\). For any key \(k=(k_1,k_2,\cdots ,k_n)\), \(\phi (k)\) is defined by \((\phi _1(k_1),\phi _2(k_2),\cdots ,\phi _n(k_n))\). We remark that this idea of component-induced transformation is not new. In fact, constructions of RK-PRFs [3] were shown essentially for such classes. However, we are the first to formalize such idea.

Removing Unkeyed Collision Resistance Assumption. One of the most important tools of the related-key secure VIL-PRF of [3] is an unkeyed collision resistant hash function with carefully chosen range. Thus, security of this PRF is based on the assumption of existence of unkeyed collision resistant hash function. This assumption is very strong (in fact, stronger than existence of one-way function) and thus undesirable. However, the problem is, if we consider keyed hash function, then that key is also subject to related key attack. It is not clear from [3], how to tackle that problem.

We solve this problem by introducing the notion of identity collision resistance and target preimage resistance for keyed hash functions. Intuitively, against an identity collision resistant hash function \(H\) with key \(k\), a related-key adversary (which makes adaptive queries serially) will not be able to output, with significant probability, a message \(m\) such that \(H_k(m)\) matches with the output of the (related-key) queries she already made. We prove such a notion along with a notion of target preimage resistance (lifted to the RK setting) is enough for the Hash and MAC construction. We also show how to construct such an hash function from length preserving related-key secure MACs/permutations. Although we faced some technical challenges (mentioned in the previous section), we solve them with an elegant prefix-free padding and Merkle-Damgård mode of operation.

Independent Work

Independent to our work, Xagawa [19] also considered related key security of message authentication codes over additive rkd sets, extending the results of [12]. Some of his results are similar to our algebraic constructions in Sect. 10.

3 Notations and Security Definitions

Notations: If \(x\) is a string, \( | x |\) denotes the length (number of characters) of the string, \(x[i]\) denotes the \(i^{th}\) character of \(x\), and \(x_1||x_2||..||x_t\) denotes concatenation of \(t\) strings. For a finite set \( X \), \(|X|\) denotes the size of the set. \(x\leftarrow _{{\tiny {\text {R}}}}X\) means selecting an element \(x\) uniformly at random from the set \(X\). \(A\rightarrow x\) denotes that an algorithm \(A\) outputs \(x\). \(\mathsf{Func }(\mathcal {D},\mathcal {R})\) denotes the set of all functions from \(\mathcal {D}\) to \(\mathcal {R}\). A family of functions \(F:\mathcal {K}\times \mathcal {D} \rightarrow \mathcal {R}\) takes a key \(k\in \mathcal {K}\) and an input \(m\in \mathcal {D}\), and outputs \(F(k,m)\). Throughout the paper \(F_k\) denotes the function \(F(k,.)\). A block-cipher is a family of permutations \(E:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {D}\) and \(E_k\) denotes the permutation \(E(k,.)\) for \(k\in \mathcal {K}\).

Unforgeability of a function family: The security of \(F\) as a MAC is expressed via the following security game, where \(\mathcal {A}\) is an adversary with oracle access to \(F_k\),

Game UF-CMA

  • Setup: \(k \leftarrow _{{\tiny {\text {R}}}}\mathcal {K}\).

  • Query Phase: \(\mathcal {A}\) makes a set of queries \(\mathcal {Q}\) to the oracle \(F_k\).

  • Guess Phase: \(\mathcal {A}\rightarrow (m,\sigma )\).

  • Verify: If \(m \notin \mathcal {Q}\) and \(F_k(m) = \sigma \) then \(\mathcal {A}\) wins, else \(\mathcal {A}\) looses.

A family of function \(F\) is said to be \((q,\ell ,\epsilon )\) unforgeable under chosen message attack if for all adversary \(\mathcal {A}\) who makes \(q\) queries with total size of the queries \(\ell \) bits,

$$\begin{aligned} \mathbf{Adv }_{F}^{mac}(\mathcal {A})\mathop {=}\limits ^{def}Prob[\mathcal {A}~\text {wins game}~\mathtt{UF{-}CMA }]\le \epsilon . \end{aligned}$$

We note that the notion of unforgeability is also known as the unpredictability.

Framework for Related-Key Attack. In the related-key setting, security of a function family \(F(\mathcal {K}, \mathcal {D}, \mathcal {R})\) is defined against a related-key adversary. At the beginning of the corresponding security game the adversary outputs a set of functions \(\varPhi \subseteq \mathsf {Func} (\mathcal {K},\mathcal {K})\), called related-key deriving (RKD) functions. Throughout the game, the adversary has access to a related-key oracle \(F_\mathtt{RK }\). The oracle takes an ordered pair \((m,\phi )\) as input (\(m\in \mathcal {D},\phi \in \varPhi \)) and returns \(F(\phi (k),m)\), where \(F_k \in F(\mathcal {K}, \mathcal {D}, \mathcal {R})\) for some \(k (\leftarrow _{{\tiny {\text {R}}}}\mathcal {K})\) unknown to the adversary.

If \(\varPhi \) contains the identity function id then \(F_\mathtt{RK }\) can also simulate the oracle \(F(k,.)\). For the rest of the paper unless specified we will assume that \(\varPhi \) includes the function id.

In  [17] Lucks described an elegant way of choosing \(\varPhi \) as a set of group-induced transformations when \((\mathcal {K}, *)\) is a group.

Definition 1

(Group Induced Transformations [17]). Let \(\mathcal {K}\) be a group under operation \(\circ \). A group induced transformation is a set of functions, \(\varPhi \), over \(\mathcal {K}\) defined as

$$\begin{aligned} \varPhi \mathop {=}\limits ^{def}\{\phi :\mathcal {K}\rightarrow \mathcal {K}| \exists \delta \in \mathcal {K}:\phi (k)=k\circ \delta \} \end{aligned}$$

Another important family of RKD functions, called partial transformations, is also used in  [5, 17]. Partial transformations restrict the adversary to choose a function which can change only a part of the entire key. For example if we have a family of functions with key space \(\mathcal {K} \times \mathcal {K}\) , then a partial key transformation \(\phi '\) can be defined as \(\phi '(k_1,k_2) = (k_1,\phi (k_2))\) where \(\phi \) is an RKD function on \(\mathcal {K}\).

Finally, we introduce the notion of component-induced key transformations for multiple-key constructions.

Definition 2

(Component-wise Transformations). Let \(\mathcal {K}=\mathcal {K}_1\times \mathcal {K}_2\times \cdots \mathcal {K}_n\) be a set of keys. A component-wise transformation is a set of functions \(\varPhi \) over \(\mathcal {K}\) defined as

$$\begin{aligned} \varPhi \mathop {=}\limits ^{def}\{\phi =(\phi _1,\phi _2,\cdots ,\phi _n)|\forall i, \phi _i:\mathcal {K}_i\rightarrow \mathcal {K}_i,\forall k=(k_1,k_2,\cdots ,k_n)\in \mathcal {K}\\\phi (k)=(\phi _1(k_1),\phi _2(k_2),\cdots ,\phi _n(k_n)) \} \end{aligned}$$

We stress that, in case of component-wise transformations each \(\phi _i\) is applied on \(k_i\) and is independent to other \(k_j\)s.

4 Unforgeability Against Related-Key Attack

We start with a formal definition of the related-key security for MACs. Recall that, in the related-key setup, the adversary may query the oracle on a message and a related-key. The obvious way (analogous to [15], in the context of signature) to define the notion of related-key-unforgeability would be to ensure that the forgery \(m^*\) was never queried to the oracle with the relation \(\mathsf id \). However, the adversary may define the RKD function to be such that it agrees with id for all but negligable fraction of the keys. For such a function, the security gets broken trivially. In other words, such a restriction would force the RKD class to be claw-free. We present a general definition of related-key unforgeability through the following game between an adversary and the challenger. The adversary \(\mathcal {A}\) has oracle access to \(F_\mathtt{RK }\).

Game RK-UF-CMA

  • Setup: \(k \leftarrow _{{\tiny {\text {R}}}}\mathcal {K}\) , \(\mathcal {A}\) gets the security parameter \(\lambda \). \(\mathcal {A}\) submits the description of the RKD class \(\varPhi \). \(\mathcal {Q}=\emptyset \).

  • Query: \(\mathcal {A}\) adaptively queries with \((m,\phi )\), the challenger returns \(F(\phi (k),m)\). \(\mathcal {Q}=\mathcal {Q}\cup (m,\phi )\).

  • Guess: \(\mathcal {A}\) outputs a forgery \((m^*,\sigma ^*)\).

  • Verify: If \(F(k,m^*)=\sigma ^*\), and \(\phi (k)\ne k\) for all \((m^*,\phi )\in \mathcal {Q}\) then \(\mathcal {A}\) wins else \(\mathcal {A}\) looses.

Definition 3

(Related-Key Unforgeability). A family of functions \(F\) is said to be \((q,\ell ,\epsilon )\) unforgeable under chosen message related-key attack over the RKD set \(\varPhi \) if for all adversary \(\mathcal {A}\) who makes \(q\) queries with total size of the queries \(\ell \) bits,

where the probability is taken over the key \(k\) and the internal randomness of \(\mathcal {A}\).

5 Properties of RKD Transformations

In this section, we analyze the necessary properties of \(\varPhi \), the RKD transformation, necessary for related-key security of MAC. In [5], Bellare Kohno proposed two essential conditions, namely unpredictability and claw-free ness, for RKD functions for related-key security. Specifically, they proved that if \(\varPhi \) contains a constant function, then no block cipher can be pseudorandom against related-key attack over \(\varPhi \). In a sharp contrast, we now prove that, a general message authentication code is inherently secure against constant RKD functions.

Theorem 1

Let \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a MAC. Let \(\varPhi \mathop {=}\limits ^{def}\{\phi _c:c\in \mathcal {K}, \forall k\in \mathcal {K}, \phi _c(k)=c \}\) be the set of constant RKD transformations. For all related-key adversary \(\mathcal {A}_{RK}\) against related-key unforgeability of \(F\) over RKD set \(\varPhi \), there exists adversary \(\mathcal {A}\) such that

$$\begin{aligned} {{{\varvec{Adv}}}}_{F}^{rk-mac}(\mathcal {A}_{RK},\varPhi ) \le {{{\varvec{Adv}}}}_{F}^{mac}(\mathcal {A}) \end{aligned}$$

Proof

The main idea of the proof is the following: the adversary \(\mathcal {A}\) will simulate \(\mathcal {A}_{RK}\). When \(\mathcal {A}_{RK}\) queries with id, \(\mathcal {A}\) will answer the queries by making query to its own oracle. However as the related-key functions are constant functions, \(\mathcal {A}\) can answer any related-key query \((m,\phi _c)\) by computing \(F(c,m)\) on its ownFootnote 1. Finally when \(\mathcal {A}_{RK}\) outputs a forgery \((m^*,\sigma ^*)\), \(\mathcal {A}\) outputs \((m^*,\sigma ^*)\). By the condition of the game RK-UF-CMA, \((m^*,\mathsf id )\) was never queried by \(\mathcal {A}_{RK}\). Hence \((m^*,\mathsf id )\) was never queried by \(\mathcal {A}\) as well. So, \(\mathcal {A}\) succeeds whenever \(\mathcal {A}_{RK}\) succeeds.

Insecurity against colliding functions. The claw-freeness condition, however, is essential for security of related-key security of MAC. The attack of [5], involving addition and xor over the keyspace, can indeed recover the secret key, resulting a forgery. For detailed description of this attack, we refer the reader to Proposition 4.3 of [5].

6 Related-Key Attacks Against Popular MAC Constructions

In this section we show examples of some simple related-key adversaries against some well known MAC constructions. We consider two popular variants of CBC-MAC, namely XCBC and TMAC. Constructions like ECBC and FCBC can also be attacked with a more aggressive class of transformations. Due to space constraint, the cryptanalysis of ECBC and FCBC are omitted in this proceedings version. All these constructions were proved to be secure under the assumption that underlying block cipher is PRP. Although our ultimate aim is to achieve a related-key secure MAC when the underlying primitive is related-key unforgeable, in the following examples we show that the XCBC and TMAC can be forged using related-key attack even if the underlying block ciphers are related-key secure prp.

Proposition 2

XCBC is not related-key secure.

Proof

The attack is extremely simple. Let \(n\) be the block length of the underlying block cipher. Consider a message \(m = m_1||m_2\) such that \(|m_1| = |m_2| = n\). Let the RKD set chosen by adversary be \(\mathcal {A}_{RK}\). \(\varPhi = \{\phi _i(k_1, k_2, k_2) = (k_1, k_2 \oplus i, k_3): 0 < i < 2^{|k_2|}\} \cup \mathsf id \). \(\mathcal {A}_{RK}\) makes a related-key query \((m,\phi _i)\) for any \(i > 0\). Suppose \(\sigma \) be the answer. \(\mathcal {A}_{RK}\) returns \((m^*,\sigma )\) , where \(m^* = m_1 || m_2 \oplus i\).

Let \(y = E_{k_1}(m_1)\). Then the last block operation is \(E_{k_1}(y \oplus m_2 \oplus k_2 )\). We know that \(E_{k_1}(y \oplus m_2 \oplus (k_2 \oplus i)) = E_{k_1}(y \oplus (m_2 \oplus i) \oplus k_2)\). Hence \(XCBC_\mathtt{RK }(m,\phi _i) = XCBC(m^*) = \sigma \). This implies \((m^*,\sigma )\) is a valid forgery and \(\mathbf{Adv }_{XCBC}^{rk-mac}(\mathcal {A}_{XCBC},\varPhi ) = 1\).

TMAC can be viewed as a variant of XCBC MAC and instead of using three keys it uses two keys in the construction. The last block operation of TMAC is given as \(E_{k_1}(m' \oplus (k_2 \cdot u))\), where \(u\) is a constant polynomial in \(GF(2^n)\) and the product is performed in the same field. The simplification of the product \(x \cdot u\) is linear in \(x\). Hence using a RKD set similar as above the adversary will be able to forge TMAC.

Corollary 1

TMAC is not a secure MAC Against related-key attack.

Prewhitening key and RKA: Both the attacks described above exploit the use of prewhitening key. Suppose a MAC construction involves an operation of the form \(E_{k'}(k * x)\) (where \(x\) is a chaining value independent of \(k\) and \(*\) is a commutative-group induced operation ) and \(k\) is independent of \(k'\) and other keys used in the construction. Then it is always possible to mount similar related-key attack as above.

7 Technical Tools

In this section we introduce the tools we use in our construction. First we introduce the notion of weak unforgeability against related-key attack, which essentially bridges the notion of unforgeability between the standard and the related-key settings.

Weak Unforgeability against Related-Key Attack

Definition 4

(Key-Homomorphic MAC). Let \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be family of MACs. We say that \(F\) is key-homomorphic MAC if \(\mathcal {K}\) and \(\mathcal {R}\) are groups with efficient operations (\(\circ \) and \(*\) respectively) and for any fixed \(m\in \mathcal {D}\), there is a group homomorphism form \(\mathcal {K}\) to \(\mathcal {R}\). Specifically, for any \(k_1,k_2\in \mathcal {K}\),

$$\begin{aligned} F_{k_1~\circ ~ k_2}(m)=F(k_1,m)*F(k_2,m) \end{aligned}$$

Let \(F\) be a family of key-homomorphic MACs and \(\varPhi ^{\circ }\) a \((\mathcal {K}, \circ )\) group-induced RKD set. Essentially, for \(\phi \in \varPhi ^{\circ }\), one can compute \(F(\phi (k),m)\) by making queries to \(F(k,m)\) and using the group homomorphism property of \(F\). In the RK-UF-CMA game, the adversary is challenged to forge \(F(k,.)\). Apparently, finding \(F(\phi (k),.)\) from \(F(k,.)\) does not directly help her. However, the adversary may first query the related-key oracle and get \(F(\phi (k),m)\) for some \(m\), then using the group homomorphism property, predict the value of \(F(k,m)\). To see this, consider an adversary \(\mathcal {A}\) who makes a query \((m, \phi )\) to \(F_\mathtt{RK }\) for some \(m\in \mathcal {D}\). Now, we know that \(\phi (k)=k \circ \delta \) for \(\delta \in \mathcal {K}\). So, \(\mathcal {A}\) knows \(\sigma _1=F(\phi (k),m)\) and can compute \(\sigma _2=F(\delta ,m)\) on her own as the family \(F\) is public. Hence, \(\mathcal {A}\) successfully forges \(F(k,.)\) with \((m,\sigma )\) where \(\sigma =\sigma _1*\sigma _2^{-1}\).

We observe that, previous adversary \(\mathcal {A}\) is not a unique-message adversary. Against a unique-message adversary of the RK-UF-CMA game, a key-homomorphic MAC is related-key unforgeable over group induced \(\varPhi \). Motivated by this observation, we introduce the notion of weak unforgeability against related-key attack. In this case, the adversary is not allowed to forge a message which she has queried even on some non-id RKD function.

Game WeakRK-UF-CMA

  • Setup: \(k \leftarrow _{{\tiny {\text {R}}}}K\) , \(\mathcal {A}\) gets the security parameter \(\lambda \). \(\mathcal {A}\) submits the description of the RKD class \(\varPhi \). \(\mathcal {Q}=\emptyset \).

  • Query: \(\mathcal {A}\) adaptively queries with \((m,\phi )\), the challenger returns \(F(\phi (k),m)\). \(\mathcal {Q}=\mathcal {Q}\cup (m,\phi )\).

  • Guess: \(\mathcal {A}\) outputs a forgery \((m^*,\sigma ^*)\).

  • Verify: If \(F(k,m^*)=\sigma ^*\), and \((m^*,\phi )\notin \mathcal {Q}\) for any \(\phi \) then \(\mathcal {A}\) wins else \(\mathcal {A}\) looses.

Definition 5

(Weak RK-Unforgeability). A family of functions \(F\) is said to be \((q,\ell ,\epsilon )\) weakly unforgeable under chosen message related-key attack (WRK-UF) over the RKD set \(\varPhi \) if for all adversary \(\mathcal {A}\) who makes \(q\) queries with total size of the queries \(\ell \) bits,

where the probability is taken over the key \(k\) and the internal randomness of \(\mathcal {A}\).

For a key homomorphic MAC the following lemma can be proved in a straightforward way.

Lemma 1

(Key Homomorphic MAC is WRK-UF). Let \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of key-homomorphic MACs. Let \(\varPhi \) be a claw-free set of group induced RKD functions. \(\mathcal {F}\) is a secure WRK-UF over \(\varPhi \). Specifically, for every \((q,\ell )\) adversary \(\mathcal {A}\), there exists a \((q,\ell )\) adversary \(\mathcal {A}_F\) such that

$$\begin{aligned} {{{\varvec{Adv}}}}_{F}^{wrk-mac}(\mathcal {A},\varPhi )\le {{{\varvec{Adv}}}}_{F}^{mac}(\mathcal {A}) \end{aligned}$$

Identity Fingerprint. The main technical tool used in [3] in order to construct the RK secure PRF is the notion of key fingerprint. Informally, a key fingerprint (as defined in [3]) is a vector over the message space, such that under two different keys, outputs of the function will be different on at least one index. However, as observed in [4], this notion is too demanding and may not be achievable for some PRFs.

In this paper, we consider the following relaxed notion of key fingerprint.

Definition 6

(Identity Fingerprint). Let \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be family of functions and \(\varPhi \) be a set of RKD functions over \(\mathcal {K}\). Let \(w\) be a \(d\) dimensional vector over \(\mathcal {D}\). We call \(w\) an identity-fingerprint of \(F\) over \(\varPhi \) if

$$\begin{aligned} Prob_{k\leftarrow _{{\tiny {\text {R}}}}\mathcal {K}}\bigg [\forall \phi \in \varPhi :&\bigg (F(k,w_1), F(k,w_2), \cdots , F(k,w_d)\bigg )\\ {}&\ne \bigg (F(\phi (k),w_1), F(\phi (k),w_2), \cdots , F(\phi (k),w_d)\bigg )\bigg ]> 1-{\mathtt{\textit{negl} }} \end{aligned}$$

where \(d=\mathcal {O}(|k|)\), negl is some negligible function in terms of \(|k|\).

We remark that, the identity key fingerprint notion of [4] is similar. As argued in [4], few distinct points from the domain can be considered as a candidate identity fingerprint for any practical block-cipher. Although we cannot prove it formally, such an assumption seems to be consistent with the premise of cryptanalysis.

ICTPR Hash Function. In this paper we remove the collision resistant hash function assumption. In our framework, we encounter keyed hash function which is subject to tampering by the adversary. To achieve security even in such a scenario, we propose and use the notion of ICTPR hash functions.

An ICTPR hash function \(H:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) has two properties: identity-collision (IC) resistance and target preimage (TP) resistance.

Identity Collision Resistance. Roughly, the identity collision resistance ensures that, for (related-key) adversary with oracle access to \(H_\mathtt{RK }\), output of a query on a message \(m\) and the secret key (i.e. query of the form \((m,\mathsf {id})\)), does not collide with the output of some previous query (even on a related-key). The formal security game works in the following way.

Game ID-CR

  • Setup: \(k \leftarrow _{{\tiny {\text {R}}}}\mathcal {K}\) , \(\mathcal {A}\) gets the security parameter \(\lambda \). \(\mathcal {A}\) submits the description of the RKD class \(\varPhi \). \(\mathcal {Q}=\emptyset \).

  • Query: \(\mathcal {A}\) adaptively queries with \((m,\phi )\), the challenger returns \(H(\phi (k),m)\). \(\mathcal {Q}=\mathcal {Q}\cup (m,\phi )\).

  • Collision: \(\mathcal {A}\) outputs a message \(m^*\).

  • Verify: If for some \((m,\phi )\in \mathcal {Q}\), \(H(\phi (k),m)=H(k,m^*)\) and \((m^*,\mathsf id ) \notin \mathcal {Q}\) then \(\mathcal {A}\) wins else \(\mathcal {A}\) looses.

Definition 7

(Identity Collision Resistant Hash Function). Let \(H:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be family of hash functions and \(\varPhi \) be a set of RKD functions on \(\mathcal {K}\). \(H\) is said to be \((q,\ell ,\epsilon )\) identity collision resistant (ICR) over the RKD set \(\varPhi \) if for all adversary \(\mathcal {A}\) who makes \(q\) queries with total size of the queries \(\ell \) bits,

where the probability is taken over the key \(k\) and the internal randomness of \(\mathcal {A}\).

Target Preimage Resistance Against Related-Key Attack. In addition to the identity collision resistance, we also need a notion of everywhere preimage resistance against related-key attacks. The preimage resistance game between an adversary \(\mathcal {A}\) and a challenger for a hash function \(H:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is described as following

Game RK-TPR

  • Setup: \(k \leftarrow _{{\tiny {\text {R}}}}\mathcal {K}\) , \(\mathcal {A}\) gets the security parameter \(\lambda \). \(\mathcal {A}\) submits \(t\) targets \(z_1,\cdots ,z_t\in \mathcal {R}\), and the description of the RKD class \(\varPhi \). \(\mathcal {Q}=\emptyset \).

  • Query: \(\mathcal {A}\) adaptively queries with \((m,\phi )\), the challenger returns \(H(\phi (k),m)\). \(\mathcal {Q}=\mathcal {Q}\cup (m,\phi )\).

  • Preimage: \(\mathcal {A}\) outputs a message \(m^*\).

  • Verify: If \(H(k,m^*)=z_i\), for some \(i\) then \(\mathcal {A}\) wins else \(\mathcal {A}\) looses.

Definition 8

(Related-Key Target Preimage Resistant Hash Function). Let \(H:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be family of hash functions and \(\varPhi \) be a set of RKD functions on \(\mathcal {K}\). \(H\) is said to be \((q,t,\ell ,\epsilon )\) related-key target preimage resistant (RK-TPR) over the RKD set \(\varPhi \) if for all adversary \(\mathcal {A}\) who submits \(t\) targets, makes \(q\) queries with total size of the queries \(\ell \) bits,

where the probability is taken over the key \(k\) and the internal randomness of \(\mathcal {A}\).

We define ICTPR advantage of an adversary \(\mathcal {A}\) against a hash function \(H\) as

$$\begin{aligned} \mathbf{Adv }_{H}^{ictpr} = \mathbf{Adv }_{H}^{rk-tpr}+\mathbf{Adv }_{H}^{icr} \end{aligned}$$

8 Construction of Related-Key Secure MAC

In this section, we show a general construction of related-key secure MAC. The basic essence of our construction is essentially the Hash then MAC paradigm of An and Bellare [1], lifted to the related-key setting. In fact most of the proposed VIL-MAC constructions [13, 14] have been proved secure in this paradigm. The intuitive approach while extending the arguments of [1] would be to show that a suitable hash function \(H\) followed by a FIL-related-key unforgeable MAC \(F\) will give us a VIL-related-key secure MAC \(G\). However, in the following theorem, we prove that, for claw-free RKD sets, if the hash function is ICTPR, it is enough for \(F\) only to be weak related-key unforgeable (cf. Definition 5).

Theorem 3

Let \(F:\mathcal {K}_1\times \mathcal {D}\rightarrow \mathcal {R}\) be a weak related-key unforgeable MAC over RKD set \(\varPhi _1\) with identity fingerprint \(\overline{w}=(w_1,w_2,\cdots ,w_d)\). Let \(H:\mathcal {K}_2\times \{0,1\}^*\rightarrow \mathcal {D}\) be a ICTPR hash function over the RKD set \(\varPhi _2\). Let \(G:(\mathcal {K}_1\times \mathcal {K}_2)\times \{0,1\}^*\rightarrow \mathcal {R}\) be a family of function defined as

$$\begin{aligned} G(k_1,k_2,m) \mathop {=}\limits ^{def}F( k_1 , H(k_2, m \Vert F(k_1 ,w_1)\Vert F(k_1,w_2)\Vert \cdots \Vert F(k_1,w_d) ) ) \end{aligned}$$

where \(k_1\in \mathcal {K}_1,k_2\in \mathcal {K}_2.\) \(G\) is related-key unforgeable against chosen message attack over the component-induced RKD set \(\varPhi \mathop {=}\limits ^{def}\varPhi _1\times \varPhi _2\). Specifically if there exists a \((q,l)\) adversary \(\mathcal {A}_G\) against \(G\), then there exists a \((q,q\log |\mathcal {D}|)\) adversary \(\mathcal {A}_F\) against \(F\), and a \((q,l)\) adversary \(\mathcal {A}_H\) against \(H\) such that

$$\begin{aligned} {{{\varvec{Adv}}}}_{F}^{wrk-mac}(\mathcal {A}_F,\varPhi _1) + {{{\varvec{Adv}}}}_{H}^{ictpr}(\mathcal {A}_H,\varPhi _2) \ge {{{\varvec{Adv}}}}_{G}^{rk-mac}(\mathcal {A}_G,\varPhi ) \end{aligned}$$

Proof

Let \(\tau _\mathsf{id}=F(k_1 ,w_1)\Vert F(k_1,w_2)\Vert \cdots \Vert F(k_1,w_d)\), and \(\tau _{\phi _1}=F(\phi _1(k_1),w_1)\Vert \) \( F(\phi _1(k_1),w_2)\Vert \) \(\cdots \Vert F(\phi _1(k_1),w_d)\). The basic idea of the proof is the following. Let \((m^*,\sigma )\) be a valid forgery. If \(x^*=H(k_2, m^*\Vert \tau _\mathsf{id})\) does not collide with any previous \(H\) query (including the related-key oracles, thus maintaining identity collision resistance), or one of the \(w_i\)s of the identity fingerprint \(\overline{w}\) (thus maintaining target preimage resistance), then the query to \(F(k,.)\) is new and was not queried even to the related-key oracle \(F_\mathsf{RK}\). Hence \((x^*,\sigma )\) is a valid forgery against weak related-key unforgeable \(F_k\). Hence we need to show that against any related-key adversary if \(x^*\) collides with the output of some previous \(H_\mathsf{RK}\) query or \(x^*\in \{w_1,\cdots ,w_d\}\), ICTPR property of \(H_{k_2}\) can be broken. The arguments for those cases are straightforward. We refer the reader to the full version for the formal proof.

Up to this point, our approach closely matched with the approach of Bellare and Cash, who also used similar arguments. The difference comes in while constructing a ICTPR hash function. While [3] assumes an unkeyed collision resistant function with tailor-made range, we present a mode of operation based on fixed-input length related-key secure MAC (to construct VIL-related key unforgeable MAC) in the next section. We mention that given a keyed collision resistant hash function \(H(k,.)\), one can easily get an ICTPR hash function (against claw-free transformations), \(\hat{H}(k,.)\) defined as \(\hat{H}(k,m)=k\Vert H(k,m)\). However, when constructing from block ciphers (as done in practice), this construction is trivially insecure (as it gives away the key). Additionally, to use it in Theorem 3, the final transformation requires to have a larger domain. On the other hand, our construction can be instantiated with a single related-key unpredictable function with independently sampled keys.

9 ICTPR from FIL-RKUF

In this section, we propose a mode of operation to construct a ICTPR hash function from length preserving related-key unforgeable MACs. Such a mode along with Theorem 3 will give us a variable input length MAC. We stress that the proof works for any RKD set, i.e. if one starts with a fixed-input-length related-key unpredictable function, secure without the claw-free assumption on the RKD set, the resulting MAC remains secure without the claw-free assumption.

We will describe the mode in two steps. First we shall describe a domain extension of fixed-input-length ICTPR compression function. Then we shall show that the enciphered CBC compression function of Dodis, Pietrzak, and Puniya [13] can be used to construct a fixed-input-length ICTPR compression function from length preserving related-key unforgeable MACs.

9.1 VIL-ICTPR Hash Function from ICTPR Compression Function

We shall use a variant of prefix free Merkle-Damgård iteration. Let \(\mathcal {D}=\{0,1\}^{2n},\) \(\mathcal {R}=\{0,1\}^n\), and \(H':\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a fixed-input-length ICTPR compression function.

Padding Rule. Let \(m\) be input message. Let \(len(m)=|m|\) be the length of the message. The message \(m\) is divided into blocks of \(n-1\) bits. If \(len(m)\) is not a multiple of \(n-1\), the last block is padded with a bit \(1\) and sufficiently many \(0\)s. After this padding let \(m_1, m_2, \cdots , m_l\) be the blocks. The final padded message \(\textsc {Pad}(m)\) will be the following

$$\textsc {Pad}(m)= y_1\Vert y_2\Vert \cdots \Vert y_l\Vert y,$$

where each \(y_i= 0\Vert m_i\), and \(y=1\Vert len(m)\).

The Mode. Our mode is essentially the Merkle-Damgård mode with an extra round at the end with \(1\Vert 0^{n-1}\) as the message block. Formal algorithm of the iteration is the following

figure a

Security. Now we show that the \(pfNI\) mode is ICTPR preserving. Let \(H^\prime :\mathcal {K}\times \{0,1\}^{2n}\rightarrow \{0,1\}^n\) be a compression function. We shall prove that, if there exists an adversary \(\mathcal {A}_H\) against \(H\mathop {=}\limits ^{def}pfNI^{H^\prime }\) breaking the ICTPR property, then there is an adversary \(\mathcal {A}_{H^\prime }\) against the ICTPR property of \(H^\prime \). To show this, we need to show reductions for both identity collision resistance and target preimage resistance (cf. Sect. 7).

Simulation of \(H\). \(\mathcal {A}_{H^\prime }\) has access to the oracle \(H_\mathtt{RK }^\prime \). Simulation of oracle \(H_{RK}\) will be performed by querying \(H^\prime _\mathtt{RK }\). During the simulation, \(\mathcal {A}_{H^\prime }\) maintains a list \(Q\) containing the queries to \(H_\mathtt{RK }^\prime \) and the corresponding responses.

Reduction for Identity Collision Resistance: Suppose \(\mathcal {A}_H\) breaks the identity collision resistance of \(H\). Recall that, identity collision resistance requires that no query \((m^*,\mathsf{id})\) generates a collision with a previous \((m, \phi )\) (\(\phi \) may or may not be \(\mathsf{id}\)) query. Hence, \(\mathcal {A}_H\) makes a \((m^*,\mathsf{id})\) query to \(H\) such that \(H(k,m^*)= H(\phi (k),m)\) and \((m,\phi )\) query was made before \((m^*,\mathsf{id})\) query.

Let \(h_{\ell ^*+1}\) be the penultimate chaining value during the computation of \(H(k,m^*)\). The following two cases can happen depending on whether \(h_{\ell ^*+1}\) was given as a response of some previous \(H_\mathsf{RK}^\prime \) query. Let \(x=h_{\ell +1}\Vert 10^{n-1}\) be the last \(H^\prime \) query during the computation of \(H(\phi (k),m)\).

  1. 1.

    \(h_{\ell ^*+1}=IV\mathbf : \) If \(h_{\ell ^*+1}\) is equal to IV, then we can show a reduction breaking the target preimage resistance of \(H^\prime \). We analyze it in the reduction for target preimage resistance.

  2. 2.

    \(H^\prime (k,h_{\ell ^*+1}\Vert \omega )\) was not queried during the simulation for any \(\omega \in \{0,1\}^n\mathbf : \) The padding ensures that \(10^{n-1}\) is the last message block of all the queries. Hence \(h_{\ell ^*+1}\ne h_{\ell +1}\). Moreover, \(H^\prime (k,h_{\ell ^*+1}\Vert 10^{n-1})\) has been queried after \(H^\prime (\phi (k),h_{\ell +1}\Vert 10^{n-1})\).

    As \(H(k,m^*)= H(\phi (k),m)\), obviously

    $$H^\prime (k,h_{\ell ^*+1}\Vert 10^{n-1})=H^\prime (\phi (k),h_{\ell +1}\Vert 10^{n-1}).$$

    This collision breaks the identity collision resistance property of \(H^\prime \).

  3. 3.

    \(H^\prime (k,h_{\ell ^*+1}\Vert \omega )\) was queried during the simulation for some \(\omega \mathbf : \) If \(h_{\ell ^*+1}\) is not equal to \(IV\), then \(h_{\ell ^*+1}\) matches with some chaining value during the simulation of the \(pfNI\) mode on some previous \((m',\mathsf{id})\) query. As \(m^*\ne m^\prime \), by standard argument of prefix free padding and collision resistance of Merkle-Damgård iteration, we will find a collision with some previous \(H^\prime (k,.)\) query.

Reduction for Target Preimage resistance: When \(\mathcal {A}_H\) submits the set of “target images” \(\{z_1,\cdots ,z_t\}\), \(\mathcal {A}_{H^\prime }\) submits \(T=\{IV,z_1,\cdots ,z_t\}\). For each \(H_\mathsf{RK}(m,\phi )\) query, \(\mathcal {A}_{H^\prime }\), simulates the \(pfNI^{H^\prime _\mathsf{RK}}\) by making queries \(H^\prime _\mathsf{RK}\). She checks whether during the simulation, output of some \(H^\prime (k,.)\) query is in \(T\). In such a case, she wins trivially. Note that, this takes care of the left out case in the reduction of identity collision resistance.

If none of the outputs are in \(T\), and \(\mathcal {A}_H\) outputs \(m^*\), \(\mathcal {A}_{H^\prime }\) simulates the \(pfNI\) mode and outputs the last compression function input (\(h_\ell ^*+1\Vert |10^{n-1}\)) as the output.

So in all the cases, if \(\mathcal {A}_H\) breaks the ICTPR property of \(H\), \(\mathcal {A}_{H^\prime }\) breaks the ICTPR property of \(H^\prime \).

Lemma 2

Let \(H^\prime :\mathcal {K}\times \{0,1\}^{2n}\rightarrow \{0,1\}^n\) be a compression function. Let \(H:\mathcal {K}\times \{0,1\}^*\rightarrow \{0,1\}^n\) be a hash function defined as

$$\begin{aligned} H(k,m)\mathop {=}\limits ^{def}pfNI^{H^\prime }(k,m). \end{aligned}$$

For all adversary \(\mathcal {A}_H\) making \(q\) queries of total bit length \(l\), there exists an adversary \(\mathcal {A}_H^\prime \) making \(\lceil ql/(n-1)\rceil +q\) queries of total bit length \(n(\lceil ql/(n-1) \rceil +q)\), such that

$$\begin{aligned} {\mathbf {Adv}}_{H}^{ictpr}(\mathcal {A}_H,\varPhi ) \le {\mathbf {Adv}}_{H^\prime }^{ictpr}(\mathcal {A}_{H^\prime },\varPhi ) \end{aligned}$$

9.2 Constructing ICTPR Hash Function Using Length Preserving RK-MAC

In this section we prove that the \(pfNI\) mode instantiated with enciphered CBC-MAC compression function using a length-preserving, related-key-unforgeable function, gives a ICTPR hash function. Let \(F:\mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) be a family of functions. The \(EnCBC\) compression function based on length preserving function \(F\) is defined as \(H^\prime _{k_1,k_2}(x_1,x_2) = F(k_1,x_1)\oplus F(k_2,x_2)\).

Lemma 3

Let \(F:\mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) be a family of related-key unforgeable function over \(\varPhi \) with identity fingerprint \(\overline{w}=\{w_1,\cdots ,w_d\}\). Define \(H^\prime :(\mathcal {K}\times \mathcal {K})\times \{0,1\}^{2n}\rightarrow \{0,1\}^n\) as

$$H^\prime _{k_1,k_2}(x_1,x_2)\mathop {=}\limits ^{def}F(k_1,x_1) \oplus F(k_2,x_2).$$

Define \(H:(\mathcal {K}\times \mathcal {K})\times \{0,1\}^{*}\rightarrow \{0,1\}^n\) as

$$\begin{aligned} H(k_1,k_2,m)\mathop {=}\limits ^{def}pfNI^{H^\prime }(k_1,k_2,m) \end{aligned}$$

Define \(\Psi :\{0,1\}^{2\kappa }\rightarrow \{0,1\}^{2\kappa }\) as

$$((\varPhi \setminus \{\mathsf{id}\})\times \varPhi )\cup (\mathsf{id,id})$$

Then \(H\) is ICTPR against Related-Key Attack over the RKD set \(\Psi \). For all adversary \(\mathcal {A}_H\) making \(q\) queries of total bit length \(l\), there exists an adversary \(\mathcal {A}_F\) making \(\lceil ql/(n-1)\rceil +q\) queries of total bit length \(n(\lceil ql/(n-1) \rceil +q)\), such that

$$\begin{aligned} {\mathbf {Adv}}_{H}^{ictpr}(\mathcal {A}_H,\Psi ) \le \bigg (\frac{q^4}{2}+\frac{q^2d}{2}\bigg ){\mathbf {Adv}}_{F}^{rk-mac}(\mathcal {A}_F,\varPhi ) \end{aligned}$$

The most natural way to prove the above Lemma will be to show that \(EnCBC\) construction, instantiated with RK-MAC gives an ICTPR compression function. However, there is an obstacle to prove such a claim. Recall that we want to show that when there is an ICTPR attack against the compression function, we can mount related-key forgery against the underlying RK-MAC. The general technique is to guess the colliding queries, and predict the output of chronologically last query. Unfortunately, the chronologically last query can indeed be on related-key(the target key of ICTPR attack may be derived from two separate target key queries made before the related-key query).

We give a direct proof the ICTPR security of the mode of operation, instantiated with EnCBC compression function. Specifically, we show that for both the conditions, described in the previous section, we can mount related-key forgery against the underlying MACs. We refer the reader to full version for the full proof.

10 Bellare-Cash Construction is MAC Preserving

Finally, as an application of Theorem 3, we show that the PRF construction of Bellare and Cash [3], can also be used to construct a related-key unforgeable MAC against chosen message attack. Note that, this construction uses an unkeyed collision resistance hash function \(H\). Although, we focused on keyed hash function for all the previous results, we state this result to be complete in our analysis of related-key security of message authentication codes.

Theorem 4

Let \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a weak related-key unforgeable MAC over RKD set \(\varPhi \) with identity fingerprint \(\overline{w}=(w_1,w_2,\cdots ,w_d)\). Let \(H:\{0,1\}^*\rightarrow \mathcal {D}\setminus \{w_1,\cdots ,w_d\}\) be a collision resistant hash function. Let \(G:\mathcal {K}\times \{0,1\}^*\rightarrow \mathcal {R}\) be a family of functions defined as

$$\begin{aligned} G(k,M) \mathop {=}\limits ^{def}F( k , H(M \Vert F(k ,w_1)\Vert F(k,w_2)\Vert \cdots \Vert F(k,w_d) ) ) \qquad k\in \mathcal {K}. \end{aligned}$$

\(G\) is related-key unforgeable against chosen message attack over the RKD set \(\varPhi \). Specifically if there exists a \((q,l)\) adversary \(\mathcal {A}_G\) against \(G\), then there exists a \((q,q\log |D|)\) adversary \(\mathcal {A}_F\) against \(F\), and a \((q,l)\) adversary \(\mathcal {A}_H\) against \(H\) such that

$$\begin{aligned} {{{\varvec{Adv}}}}_{H}^{cr}(\mathcal {A}_H) + {{{\varvec{Adv}}}}_{F}^{wrk-mac}(\mathcal {A}_F,\varPhi ) \ge {{{\varvec{Adv}}}}_{G}^{rk-mac}(\mathcal {A}_G,\varPhi ) \end{aligned}$$

Proof

(Proof Sketch). The proof is similar (infact, special case) to Theorem 3 and we skip the proof.

10.1 Security Against Partial Key Transformation from DDH Assumption

In this section, we give a concrete construction of a related-key secure MAC based on the following MAC construction, due to Dodis, Kiltz, Pietrzak, and Wichs [11] based on the hash proof system of Cramer and Shoup.

\(MAC_{HPS}\)

  • Setup. \(p\) is a large prime. \(\mathbb {G}\) is a group of order \(p\). \(g\) is a random generator of \(\mathbb {G}\). \(\hat{H}:\mathbb {G}^2\times \mathcal {D}\rightarrow \mathbb {Z}_p\) is a collision resistant hash function. \(\mathcal {K}=\mathbb {Z}_p^3\), \(\mathcal {R}=\mathbb {G}^3\).

  • Key Generation: the secret key is \(k=(k_1,k_2,k_3)\leftarrow _{{\tiny {\text {R}}}}\mathbb {Z}_p^3\).

  • MAC: \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is defined as

    $$\begin{aligned} F(k_1, k_2,k_3, m)\mathop {=}\limits ^{def}(g\leftarrow _{{\tiny {\text {R}}}}\mathbb {G}, V= g^{k1}, g^{ k_2 \hat{H}(g,V,m) + k_3} ) \qquad m\in \mathcal {D},k_1,k_2,k_3\in \mathbb {Z}_p. \end{aligned}$$

For any element \(k=(k_1,k_2,k_3)\in \mathcal {K}\) and \(\varDelta =(0,\delta _2,\delta _3)\in \mathbb {Z}_p^3\), define \(k \circ \varDelta =(k_1,k_2+\delta _2,k_3+\delta _3)\) where \(+\) is addition modulo \(p\). It is easy to check that \(\mathcal {K}\) is a group under \(\circ \). The group induced RKD class over \(\mathcal {K}\) will be defined as \(\varPhi \mathop {=}\limits ^{def}{\phi _\varDelta (k)=(k\circ \varDelta )}\).

Although \(MAC_{HPS}\) is not key-homomorphic in general, but it is indeed key homomorphic over \(\varPhi \). Hence, we get the following lemma.

Lemma 4

\(MAC_{HPS}\) is weakly unforgeable against related-key attack over \(\varPhi \).

To use Theorem 4, it is now enough to prove the existence of a fingerprint for \(MAC_{HPS}\). Due to space constraint we leave out the identity-fingerprint for \(MAC_{HPS}\) in this version.

Theorem 5

Let \(\mathbb {G}\) be a prime order group of \(p\) elements, \(g_1,g_2\) be two random generators of \(\mathbb {G}\). Let \(w_1,w_2\) be two distinct elements from \(\mathcal {D}\). Suppose \(H:\mathcal {D}\times \mathbb {G}\rightarrow \mathcal {D}\setminus \{w_1,w_2\}\) and \(\hat{H}:\mathbb {G}^2\times \mathcal {D}\rightarrow \mathbb {Z}_p\) be two collision resistant hash functions. Define \(\mathcal {K}=\mathbb {Z}_p^3\), \(\mathcal {R}=\mathbb {G}^3\). Define \(G_{HPS}:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) defined as

$$\begin{aligned} G_{HPS}(k_1, k_2,k_3, m)\mathop {=}\limits ^{def}MAC_{HPS}(k_1,k_2,k_3, H ( m,\varGamma )) \end{aligned}$$

where

$$\begin{aligned} \varGamma = g_1, g_1^{k_1},g_1^{ k_2\hat{ H} (g_1,V,w_1) + k_3} ,g_2, g_2^{k_1}, g_2^{ k_2 \hat{H}(g_2,V,w_2) + k_3} ) \end{aligned}$$

Let \(\mathcal {A}_G\) be an adversary against the related-key unforgeability of \(G\) under chosen message attack over RKD set \(\varPhi \), and \(\mathcal {A}_G\) makes \(q\) queries. Then we can construct an adversary \(\mathcal {A}_{DDH}\) against the DDH problem in \(\mathbb {G}\), an adversary \(\mathcal {A}_H\) against collision resistance of \(H\), and an adversary \(\mathcal {A}_{\hat{H}}\) against collision resistance of \(\hat{H}\) such that

$$\begin{aligned} {\mathbf {Adv}}_{G}^{rk-mac}(\mathcal {A}_G,\varPhi )\le {\mathbf {Adv}}_{\mathbb {G}}^{ddh}(\mathcal {A}_{DDH})+{\mathbf {Adv}}_{H}^{cr}(\mathcal {A}_H) +{\mathbf {Adv}}_{\hat{H}}^{cr}(\mathcal {A}_{\hat{H} }) \end{aligned}$$

10.2 Towards Full Security

Previous construction, although very efficient in terms of the keysize, is only secure against partial key transformation. Now, we construct a related-key unforgeable MAC against a full group induced key transformation. The weak unforgeable MAC is based on another construction of Dodis et al. [11] which is again based on weak PRF and arguments of Waters.

\(MAC_{W}\)

  • Setup. \(p\) is a large prime. \(\mathbb {G}\) is a group of order \(p\). Message space is \(\{0,1\}^\lambda \). \(\mathcal {K}=\mathbb {Z}_p^{\lambda +1}\), \(\mathcal {R}=\mathbb {G}^3\).

  • Key Generation: the secret key is \(k=(k_0,k_1,\cdots ,k_{\lambda })\leftarrow _{{\tiny {\text {R}}}}\mathbb {Z}_p^{\lambda +1}\).

  • MAC: \(F:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is defined as

    $$\begin{aligned} F(k_0,k_1,\cdots ,k_\lambda , m)\mathop {=}\limits ^{def}(g\leftarrow _{{\tiny {\text {R}}}}\mathbb {G}, g^{k_0+\sum _{i=1}^\lambda m[i]k_i}) \end{aligned}$$

For any element \(k=(k_0,k_1,\cdots ,k_\lambda )\in \mathcal {K}\) and \(\varDelta =(\delta _0,\delta _1,\cdots ,\delta _\lambda )\in \mathbb {Z}_p^{\lambda +1}\), define \(k \circ \varDelta =(k_0+\delta _0,\cdots ,k_\lambda +\delta _\lambda )\) where \(+\) is addition modulo \(p\). It is easy to check that \(\mathcal {K}\) is a group under \(\circ \). The group induced RKD class over \(\mathcal {K}\) will be defined as \(\varPhi \mathop {=}\limits ^{def}{\phi _\varDelta (k)=(k\circ \varDelta )}\).

\(MAC_{W}\) is key-homomorphic in an obvious way. Using Lemma 1

Lemma 5

\(MAC_{W}\) is weakly unforgeable against related-key attack over \(\varPhi \).

Using Theorem 4, we get the following theorem

Theorem 6

Let \(\mathbb {G}\) be a prime order group of \(p\) elements. Let

$$\overline{w}=\{0^\lambda ,10^{\lambda -1},010^{\lambda -2},\cdots ,0^{\lambda -1}1\}$$

Suppose \(H:\mathcal {D}\times \mathbb {G}^{2(\lambda +1)}\rightarrow \mathcal {D}\setminus \{\overline{w}\}\) be a collision resistant hash functions. Define \(\mathcal {K}=\mathbb {Z}_p^{\lambda +1}\), \(\mathcal {R}=\mathbb {G}^2\). Define \(G_{W}:\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) as

$$\begin{aligned} G_{W}(k, m)\mathop {=}\limits ^{def}MAC_{W}(k, H ( m, MAC_{W}(k,0^\lambda ),MAC_{W}(k,10^{\lambda -1}),\cdots ,MAC_{W}(k,0^{\lambda -1}1))) \end{aligned}$$

Let \(\mathcal {A}_G\) be an adversary against the related-key unforgeability of \(G_{W}\) under chosen message attack over RKD set \(\varPhi \), and \(\mathcal {A}_G\) makes \(q\) queries. Then we can construct an adversary \(\mathcal {A}_{DDH}\) against the DDH problem in \(\mathbb {G}\), an adversary \(\mathcal {A}_H\) against collision resistance of \(H\) such that

$$\begin{aligned} {\mathbf {Adv}}_{G}^{rk-mac}(\mathcal {A}_G,\varPhi )\le {\mathbf {Adv}}_{\mathbb {G}}^{ddh}(\mathcal {A}_{DDH})+{\mathbf {Adv}}_{H}^{cr}(\mathcal {A}_H) \end{aligned}$$

11 Conclusion

Security against related-key attacks is currently considered as a major challenge for symmetric key cryptography. In this paper, we considered security of message authentication codes against related-key attacks. We formalized the security definitions and identified feasible key transformations. We also presented the first security analysis for domain extension of related-key secure unpredictable functions(MAC). However our reduction for the Enciphered CBC construction achieves a reduction-factor of \(\mathcal {O}(2^{n/4})\) queries (Lemma 3). Finding constructions with improved security bound is an interesting open problem. Specifically, analysis of related-key security of Dodis-Steinberger construction [14] will be very interesting.