1 Introduction

Universal Hash Functions. Ever since they were introduced by Carter and Wegman [15, 52] in the design of message authentication codes (MACs), universal hash functions (UHFs) have become common components in numerous cryptographic constructions, especially in modes of operation, to provide security services such as confidentiality, authenticity or both. A universal hash function (UHF) is a family of functions indexed by keys. Unlike other components such as block ciphers, keyed hash functions and permutations, which are often used as pseudorandom permutations (PRPs), pseudorandom functions (PRFs) and public random permutations respectively, UHFs have no cryptographic strength such as pseudorandomness. So UHFs usually come along with other primitives, such as PRPs, PRFs, etc., to set up cryptographic schemes. The basic property of a UHF is that the collision probability of the hash values of any two different messages is small when the key is uniformly random.

One example is the polynomial evaluation hash function [8], in which the variable is the key and the coefficients consist of message blocks, such as: \(Poly: \{0,1\}^n\times \{0,1\}^{nm} \rightarrow \{0,1\}^n\),

$$\begin{aligned} Poly_K(M)=M_1K^m \oplus M_2K^{m-1} \oplus \cdots \oplus M_mK \end{aligned}$$
(1)

where \(M = M_1\Vert M_2||\cdots \Vert M_m\in \{0,1\}^{nm} \), \(M_i\in \{0,1\}^n\), \(i = 1, 2, \cdots , m\) and all the operations are in the finite field \(GF(2^n)\). This kind of UHF appears in GCM [37], XCB [29], HCTR [50], HCH [16, 17], COBRA [2], Enchilada [27], POET [1] and many other constructions. For any \(M\ne M'\), \(Poly_K(M)\oplus Poly_K(M')\) is a polynomial in K whose degree is nonzero and no more than m, so there are at most m keys leading to \(Poly_K(M) = Poly_K(M')\); that is, the collision probability is at most \(m/2^n\) when K is uniformly random. We say that this hash function is \(m/2^n\)-almost-universal (AU). Obviously the probability of \(Poly_K(M) \oplus Poly_K(M') = C\) is also at most \(m/2^n\) for any \(M\ne M'\) and C. That is another commonly used concept: almost XOR universal (AXU) hash functions. Poly is also \(m/2^n\)-AXU.

A direct application of UHFs is in message authentication codes (MACs), in which the message is hashed by the UHF into a short digest which is then encrypted into a tag. MACs of this kind have been standardized in ISO/IEC 9797-3:2011 [31], which includes UMAC [13], Badger [14], Poly1305-AES [6] and GMAC [37]. UHFs are also used in tweakable block ciphers (TBCs) [36] and tweakable enciphering schemes (TESes), e.g. XTS-AES in IEEE Std 1619-2007 [28] and NIST SP 800-38E [40], XCB in IEEE Std 1619.2-2010 [29], HCTR [50] and HCH [16, 17], etc. The third application of UHFs is in authenticated encryption (AE) schemes, e.g. the most widely used AE scheme GCM [37], standardized in ISO/IEC-19772:2009 [30] and NIST SP 800-38D [39]. In the recent CAESAR competition, several UHF-based AE schemes were proposed, e.g. COBRA [2], Enchilada [27] and POET [1], etc. In the security proofs of all these schemes, a crucial point is the collision probability of the inputs to the other primitives. The property of the UHF guarantees that such collisions seldom happen.

Related-Key Attacks. The related-key attack (RKA) was first introduced by Biham [10] against block ciphers [12, 22, 48] and then extended to other cryptographic algorithms such as stream ciphers [18], MACs [41], TESes [49], AE schemes [21], etc. Bellare and Kohno [5] first gave a theoretical study of the related-key security of block ciphers, modeling the concept of a pseudorandom permutation in the RKA setting (RKA-PRP) and a pseudorandom function in the RKA setting (RKA-PRF). Applebaum et al. [3] gave the related-key security definition of encryption. Bhattacharyya and Roy [9] gave the related-key security definition of MACs. Related-key security has become an important criterion for cryptographic constructions.

In the RKA setting, the adversary does not know the secret key, as in the usual invariable-key setting, but can apply related-key-deriving (RKD) transformations to change the secret key and observe outputs under the related keys. Let \(\varPhi \) be an RKD set which consists of transformations on the key space \(\mathcal {K}=\{0,1\}^k\). There are two canonical RKD sets: \(\varPhi ^\oplus =\{XOR_\varDelta : K \mapsto K \oplus \varDelta , \varDelta \in \mathcal {K}\}\) and \(\varPhi ^+=\{ADD_\delta : K \mapsto K+\delta \mod 2^k, \delta \in \mathcal {K}\}\). In the following, we use \(\varPhi ^\oplus \) as the default RKD set unless specified otherwise.

The related-key security requires that the queries under the related keys do not threaten the security under the original key, as the definition of related-key unforgeability in [9]. Or more strictly, for different related keys, the corresponding algorithms are secure independently, as the definition of RKA-PRP in [5] and [3].

Motivations. How can related-key security be guaranteed? An intuition is that if the underlying components are related-key secure, the upper constructions should be related-key secure. This is true for most block cipher modes of operation, especially for those one-key modes whose key is also that of the underlying block cipher, including CBC, OFB, CFB, CTR, CMAC, OCB, etc. But for UHF-based schemes, it is not the case. Although almost all UHF-based schemes have security proofs in the usual invariable-key setting, there are many examples showing that some of them cannot resist related-key attacks.

Let’s first check UHF-based MACs, in which a typical construction is to encrypt the hash value into a tag by one-time-pad encryption. This method originates from Carter and Wegman [15, 52] and dominates the usages of UHF in MACs [31]. Consider a simple example: \(MAC_{K, K'}(N, M) = Poly_K(M)\oplus F_{K'}(N)\) where \(M=M_1\Vert M_2\in \{0,1\}^{2n}\), \(Poly_K(M_1\Vert M_2) = M_1K^2\oplus M_2K\), F is a function often instantiated by a block cipher and N is a nonce. It has been proved that [7, 44] if F is a PRF and Poly is almost XOR universal, MAC is secure.

But if we query with \(A\Vert A\) under the related key \((K\oplus 0^{n-1}1, K')\), the answer is \(T = (A(K\oplus 0^{n-1}1)^2 \oplus A(K\oplus 0^{n-1}1))\oplus F_{K'}(N) = (AK^2 \oplus AK)\oplus F_{K'}(N)\). Therefore we can predict that the tag of \(A\Vert A\) under the original key is also T. So \((N, A\Vert A, T)\) is a successful forgery which breaks the RKA security of the MAC. A similar attack can apply to Poly1305-AES [6] in ISO/IEC 9797-3:2011 [31].

In Appendix B, we give more RKA examples against TBC, TES and AE schemes using Poly as the UHF component. In all these examples, the key of the UHF is a part of the key of the whole scheme, so that the adversary can derive the related key of the UHF and get input collisions to other primitives such as PRPs or PRFs. The collision in the MAC example is \(Poly_{K\oplus 0^{n-1}1}(A\Vert A) = Poly_K(A\Vert A)\). We stress that all these attacks only use the properties of the UHF in the RKA setting and have nothing to do with the other underlying primitives, whether they are RKA secure or not. In other words, the related-key weaknesses of the UHF alone result in related-key attacks against the schemes.

Definitions. In order to prevent the above attacks, we propose a new concept of related-key almost universal hash function which can ensure that the above collisions seldom happen. The new concept is a natural extension to almost universal hash function in the RKA setting. We define related-key almost universal (RKA-AU) hash function and related-key almost XOR universal (RKA-AXU) hash function. We will show that these definitions solve the above problems for some RKD set. Unfortunately almost all the existing UHFs do not satisfy the new definitions, including Poly mentioned in the above, MMH [26], Square Hash [23], NMH [26] and NH [13], etc. See Appendix C for details.

Constructions. We construct one fixed-input-length universal hash function named RH1 and two variable-input-length universal hash functions named RH2 and RH3. We prove that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU for the RKD set \(\varPhi ^\oplus \). Furthermore, RH1, RH2 and RH3 are almost as efficient as previous constructions.

Applications. If we replace the universal hash functions in the examples of Sect. 1 with our constructions, the problems about related-key attacks for some RKD set can be solved. More specifically, we give four concrete examples in MACs and TBCs.

2 Definitions

For a finite set \(\mathcal {S}\), \(x \xleftarrow {\$} \mathcal {S}\) means selecting an element x uniformly at random from the set \(\mathcal {S}\). For a string M, |M| denotes the bit length of M. For \(b\in \{0,1\}\), \(b^m\) denotes m bits of b. \(\mathbb {A}^\mathcal {O}\Rightarrow b \) denotes that the algorithm \(\mathbb {A}\) with an oracle \(\mathcal {O}\) outputs b.

For a function \(H:\mathcal {K} \times \mathcal {D} \rightarrow \mathcal {R}\), when \(K\in \mathcal {K}\) is a key, we write H(K, M) as \(H_K(M)\), where \((K, M)\in \mathcal {K}\times \mathcal {D}\). The following are the usual definitions of UHFs.

Definition 1

(AU [46]). H is an \(\epsilon \)-almost-universal (\(\epsilon \)-AU) hash function, if for any \(M, M'\in \mathcal {D}\), \(M\ne M'\),

$$\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}:H_K(M)= H_K(M')]\le \epsilon .$$

When \(\epsilon \) is negligible we say that H is AU.

Definition 2

(AXU [34]). Let \((\mathcal {R}, \oplus )\) be an abelian group. H is an \(\epsilon \)-almost-XOR-universal (\(\epsilon \)-AXU), if for any \(M, M'\in \mathcal {D}\), \(M\ne M'\), and \(C\in \mathcal {R}\),

$$\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}:H_K(M)\oplus H_K(M') = C]\le \epsilon .$$

When \(\epsilon \) is negligible we say that H is AXU.

Clearly, if H is \(\epsilon \)-AXU, it is also \(\epsilon \)-AU, for \(\epsilon \)-AU is a special case of \(\epsilon \)-AXU when \(C=0\).

RKA-AU and RKA-AXU. In the following, we extend the above definitions to the RKA setting. Let \(\varPhi \) be an RKD set.

Definition 3

(RKA-AU). H is an \(\epsilon \)-related-key-almost-universal (\(\epsilon \)-RKA-AU) hash function for the RKD set \(\varPhi \), if for any \(\phi , \phi '\in \varPhi \), \(M, M'\in \mathcal {D}\), \((\phi , M)\ne (\phi ', M')\),

$$\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}:H_{\phi (K)}(M)= H_{\phi '(K)}(M')]\le \epsilon .$$

When \(\epsilon \) is negligible we say that H is RKA-AU for \(\varPhi \).

Definition 4

(RKA-AXU). Let \((\mathcal {R}, \oplus )\) be an abelian group. H is an \(\epsilon \)-related-key-almost-XOR-universal (\(\epsilon \)-RKA-AXU) hash function for the RKD set \(\varPhi \), if for any \(\phi , \phi '\in \varPhi \), \(M, M'\in \mathcal {D}\), \((\phi , M)\ne (\phi ', M')\), and \(C\in \mathcal {R}\),

$$\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: H_{\phi (K)}(M)\oplus H_{\phi '(K)}(M') = C]\le \epsilon .$$

When \(\epsilon \) is negligible we say that H is RKA-AXU for \(\varPhi \).

For \(\phi , \phi '\in \varPhi \), \(\phi \ne \phi '\) means there exists a key \(K\in \mathcal {K}\) such that \(\phi (K)\ne \phi '(K)\).

Restricting RKD Sets. As in the discussion of RKA-PRPs [5], the related-key properties of a UHF depend on the choice of RKD set. For some RKD sets a related-key almost universal hash function may not exist. It is necessary that the RKD set is both output unpredictable and collision resistant, so we must put some restrictions on the RKD set.

  1. Output unpredictability. A \(\phi \in \varPhi \) has predictable outputs if there exists a constant S such that the probability of \(\phi (K) = S\) is high. If it happens, then for any function H the probability of \(H_{\phi (K)}(M) \oplus H_{\phi (K)}(M') = H_{S}(M) \oplus H_{S}(M')\) is also high for any two distinct M and \(M'\). So no RKA-AXU function is available for an RKD set which has predictable transformations. We define \(OU(\varPhi ) = max_{\phi \in \varPhi , S}\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: \phi (K) = S]\). If \(OU(\varPhi )\) is negligible, we say that \(\varPhi \) is output unpredictable.

  2. Collision resistance. Two distinct \(\phi , \phi '\in \varPhi \) have high collision probability if the probability of \(\phi (K) = \phi '(K)\) is high. If it happens, then for any function H the probability of \(H_{\phi (K)}(M) \oplus H_{\phi '(K)}(M) = 0\) is also high for any M. So neither an RKA-AXU nor an RKA-AU function is available for an RKD set which has high collision probability. We define \(CR(\varPhi ) = max_{\phi ,\phi '\in \varPhi , \phi \ne \phi '}\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: \phi (K) = \phi '(K)]\). If \(CR(\varPhi )\) is negligible, we say that \(\varPhi \) is collision resistant. More strictly, if for any two distinct \(\phi , \phi '\in \varPhi \) and any key K, we have \(\phi (K)\ne \phi '(K)\), or in other words \(CR(\varPhi ) = 0\), we say that \(\varPhi \) is claw-free.

We note that \(\varPhi ^\oplus \) and \(\varPhi ^+\) are output unpredictable, collision resistant and claw-free. The example in Sect. 1 shows that Poly is not RKA-AXU for the RKD set \(\varPhi ^\oplus \). If we choose the message M to be \(0^{mn}\), \(Poly_K(M)\) will always be \(0^{n}\). Therefore for any \(\phi , \phi '\in \varPhi \), we have \(Poly_{\phi (K)}(0^{mn})=Poly_{\phi '(K)}(0^{mn})\). So Poly is not RKA-AU either. If we look at the other existing UHFs, unfortunately almost all of them do not satisfy the new definitions, including MMH [26], Square Hash [23], NMH [26] and NH [13], etc. See Appendix C for more details.

3 Constructions

We construct two types of related-key almost universal hash functions: one fixed-input-length (FIL) UHF named RH1 and two variable-input-length (VIL) UHFs named RH2 and RH3. We prove that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU, for the RKD set \(\varPhi ^\oplus \).

For a function \(F: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\), we define a new function \(F': \mathcal {K}\times (\mathcal {K}\times \mathcal {D})\rightarrow \mathcal {R}\)

$$F'_K(\varDelta , M)=F_{K\oplus \varDelta }(M).$$

It is easy to see that F is RKA-AU (RKA-AXU) for the RKD set \(\varPhi ^\oplus \) if and only if \(F'\) is AU (AXU). All the constructions are based on the polynomial evaluation function Poly. From the above observation, our main idea is to modify \(Poly_K(M)\) into \(F_K(M)\) such that \(F_{K\oplus \varDelta }(M)\) is still an almost (XOR) universal hash function.

FIL Constructions. We first construct a function based on \(Poly_K(M) = MK\) by adding a new term \(K^3\).

Construction 1

\(RH1 : \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n\),

$$\begin{aligned} RH1 _K(M)= MK\oplus K^3.\end{aligned}$$
(2)

Theorem 1

RH1 is \(2/2^n\)-RKA-AXU for the RKD set \(\varPhi ^\oplus \).

Proof

We prove that for any \(M, M', \varDelta _1, \varDelta _2 \in \{0,1\}^n\), \((\varDelta _1, M)\ne (\varDelta _2, M')\), and \(C\in GF(2^n)\), \(\mathrm {Pr}[K \xleftarrow {\$} \{0,1\}^n: F(K) = C ]\le \epsilon \), where \(F(K)=RH1 _{K\oplus \varDelta _1}(M)\oplus RH1 _{K\oplus \varDelta _2}(M')\). We have

$$ F(K)=(\varDelta _1\oplus \varDelta _2)K^2\oplus (\varDelta _1^2\oplus \varDelta _2^2\oplus M\oplus M')K\oplus (\varDelta _1^3\oplus \varDelta _2^3\oplus M\varDelta _1\oplus M'\varDelta _2). $$

If \(\varDelta _2\ne \varDelta _1\), \(F(K) = C\) has two roots at most. If \(\varDelta _1=\varDelta _2\), then \(M\ne M'\). The degree of F(K) is 1 and \(F(K) = C\) has one root. Therefore RH1 is \(2/2^n\)-RKA-AXU.   \(\square \)

Remark 1

As one of the reviewers points out, RH1 is RKA-AXU for the RKD set \(\varPhi ^\oplus \), but is not RKA-AXU or even RKA-AU for an RKD set containing just two transformations: \(\varPhi = \{id, f_\alpha \}\) where id is the identity transformation and \(f_\alpha (K)=\alpha K\), \(\alpha ^3 = 1\). It is easy to verify that \(RH1 _{f_\alpha (K)}(\alpha ^{-1}M) = RH1 _K(M)\).

Remark 2

More generally we consider the polynomial \(H^{i,j}_K(M)=MK^i + K^j\) over the finite field \(GF(2^n)\) or GF(p), where i, j are integers and p is a prime. We show the results for \(1\le i,j \le 4\) in Table 1.

Table 1. For \(H^{i,j}_K(M)=MK^i + K^j\), “11” means it is RKA-AU and RKA-AXU for the RKD set \(\varPhi ^\oplus \), “10” means it is RKA-AU but not RKA-AXU, and “00” means it is neither RKA-AU nor RKA-AXU.

VIL Constructions. Poly does not support variable input length. For any message \(M\in \{0,1\}^*\), a general padding method as in [37] is to first pad the minimum number of zeros to make the length a multiple of the block length and then pad the bit length of M as the last block:

$$pad(M) = M\Vert 0^i\Vert |M|.$$

Then \(Poly_K(pad(M))\) is a variable-input-length AXU hash function, but it is still not RKA-AU (RKA-AXU). Following the above method, we add a term \(K^i\) in order to get the RKA-AXU property.

Construction 2

\(RH2 : \{0,1\}^n \times \{0,1\}^* \rightarrow \{0,1\}^n \),

$$\begin{aligned} RH2 _K(M)= {\left\{ \begin{array}{ll} \ K^{l+2}\oplus Poly_K(pad(M)), &{} \ l \text { is odd}\\ K^{l+3}\oplus Poly_K(pad(M))K, &{} \ l \text { is even} \end{array}\right. }\end{aligned}$$
(3)

where \(l = \lceil |M|/n\rceil +1\) is the number of blocks in pad(M).
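The following is an added example, not code from the paper: it implements Poly (by Horner's rule, as in the efficiency analysis), pad, RH1 and RH2 over a constructed toy field GF(2^8) with the AES reduction polynomial, so that all \(2^n\) keys can be enumerated and the related-key collision of the Sect. 1 MAC example (\(Poly_{K\oplus 0^{n-1}1}(A\Vert A) = Poly_K(A\Vert A)\) for every key) can be counted exactly beside the bounded collision counts of RH1 (Theorem 1) and RH2 (Theorem 2). The message value A and the field size are assumptions of this example.

```python
from typing import Callable, List

N = 8                # block size n in bits; a constructed toy size so all 2^n keys can be enumerated
REDUCTION = 0x11B    # x^8 + x^4 + x^3 + x + 1 (the AES polynomial); any irreducible degree-n polynomial works
BLOCK_BYTES = N // 8


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^n), represented as n-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:           # degree overflowed n: reduce modulo the field polynomial
            a ^= REDUCTION
    return r


def gf_pow(a: int, e: int) -> int:
    """a^e in GF(2^n) by repeated multiplication (e is tiny here)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def poly(key: int, blocks: List[int]) -> int:
    """Poly_K(M) = M_1 K^m + M_2 K^{m-1} + ... + M_m K, by Horner's rule T <- (T + M_i) K."""
    t = 0
    for m in blocks:
        t = gf_mul(t ^ m, key)
    return t


def pad(msg: bytes) -> List[int]:
    """pad(M) = M || 0^i || |M|: zero-pad to a block boundary, then append the bit length as a block."""
    bitlen = len(msg) * 8
    assert bitlen < (1 << N), "the length block must hold |M|; with n=8 that means |M| < 256 bits"
    padded = msg + b"\x00" * ((-len(msg)) % BLOCK_BYTES)
    blocks = [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
              for i in range(0, len(padded), BLOCK_BYTES)]
    blocks.append(bitlen)
    return blocks


def poly_two_block(key: int, msg: bytes) -> int:
    """Poly_K(M_1 || M_2) = M_1 K^2 + M_2 K, the unpadded hash used in the Sect. 1 MAC example."""
    assert len(msg) == 2 * BLOCK_BYTES
    return poly(key, [int.from_bytes(msg[:BLOCK_BYTES], "big"),
                      int.from_bytes(msg[BLOCK_BYTES:], "big")])


def rh1(key: int, msg: bytes) -> int:
    """Construction 1: RH1_K(M) = M K + K^3 on a single block."""
    assert len(msg) == BLOCK_BYTES
    return gf_mul(int.from_bytes(msg, "big"), key) ^ gf_pow(key, 3)


def rh2(key: int, msg: bytes) -> int:
    """Construction 2: K^{l+2} + Poly_K(pad(M)) for odd l, K^{l+3} + Poly_K(pad(M)) K for even l."""
    blocks = pad(msg)
    l = len(blocks)
    if l % 2 == 1:
        return gf_pow(key, l + 2) ^ poly(key, blocks)
    return gf_pow(key, l + 3) ^ gf_mul(poly(key, blocks), key)


def count_related_key_collisions(h: Callable[[int, bytes], int], msg: bytes, delta: int) -> int:
    """Number of keys K (out of 2^n) with H_{K xor delta}(M) == H_K(M): the event of Definition 3
    for phi = XOR_delta, phi' = id and M = M', counted exhaustively over the toy key space."""
    return sum(1 for k in range(1 << N) if h(k ^ delta, msg) == h(k, msg))


def demo() -> dict:
    """Collision counts for the related key K xor 0^{n-1}1 on the message A||A (A is a constructed value)."""
    a = bytes([0x5A])
    delta = 1
    return {
        "poly": count_related_key_collisions(poly_two_block, a + a, delta),  # every key collides: 256
        "rh1": count_related_key_collisions(rh1, a, delta),                 # at most 2 keys (Theorem 1)
        "rh2": count_related_key_collisions(rh2, a + a, delta),             # at most l+3 = 6 keys (Theorem 2)
    }


if __name__ == "__main__":
    print(demo())
```

Dividing each count by \(2^n\) gives the collision probability of Definition 3 for this pair of related keys; for Poly it is 1, which is exactly what the forgery in Sect. 1 exploits.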

Theorem 2

RH2 is \((l_{max}+3)/2^n\)-RKA-AXU for the RKD set \(\varPhi ^\oplus \), where \(l_{max}\) is the maximum block number of messages after padding.

Proof

For any message M, suppose \(pad(M) = M_1\Vert M_2\Vert \cdots \Vert M_{l}\). When l is odd

$$RH2 _K(M) = K^{l+2}\oplus M_1K^{l}\oplus \cdots \oplus M_{l}K.$$

When l is even

$$RH2 _K(M) = K^{l+3}\oplus M_1K^{l+1}\oplus \cdots \oplus M_{l}K^2.$$

We prove that for any \(M, M'\in \{0,1\}^* \), \(\varDelta _1, \varDelta _2, C\in \{0,1\}^n\), \((\varDelta _1, M)\ne (\varDelta _2, M')\), \(\mathrm {Pr}[F(K) = C]\le \epsilon \), where \(F(K)=RH2 _{K\oplus \varDelta _1}(M)\oplus RH2 _{K\oplus \varDelta _2}(M') \). We only need to show the degree of F(K) is nonzero. Suppose \(pad(M)=M_1\Vert M_2\Vert \cdots \Vert M_l\) and \(pad(M')=M'_1\Vert M'_2\Vert \cdots \Vert M'_{l'}\). Consider F(K) in the following two cases.

Case 1. \(\varDelta _1 \ne \varDelta _2\). Suppose the degrees of \(RH2 _{K\oplus \varDelta _1}(M)\) and \(RH2 _{K\oplus \varDelta _2}(M')\) are d and \(d'\) respectively, which are both odd.

When \(d = d'\), the coefficient of \(K^{d-1}\) in F(K) is \(\varDelta _1\oplus \varDelta _2\) which is nonzero.

When \(d\ne d'\), suppose \(d>d'\) w.l.o.g.; the coefficient of \(K^{d}\) in F(K) is 1.

Case 2. \(\varDelta _1 = \varDelta _2\). We treat \(K\oplus \varDelta _1\) as a new key, so without loss of generality, we only consider \(\varDelta _1 = \varDelta _2 = 0\) in the following.

When \(l = l'\), there exists \(1\le j\le l\) s.t. \(M_{j}\ne M'_{j}\). So the coefficient of \(K^{l+1-j}\) (if l is odd) or \(K^{l+2-j}\) (if l is even) in F(K) is \(M_j\oplus M'_j\) which is nonzero.

When \(l\ne l'\) and both are odd, the coefficient of K is \(|M|\oplus |M'|\), which is nonzero.

When \(l\ne l'\) and both are even, the coefficient of \(K^2\) is \(|M|\oplus |M'|\), which is nonzero.

When \(l\ne l'\), one odd and one even, the coefficient of K is |M| or \(|M'|\), which are both nonzero.

Therefore the degree of F(K) is nonzero.    \(\square \)

Since RH2 is RKA-AXU, it is also RKA-AU. But sometimes we only need RKA-AU functions. We can improve the efficiency of the RKA-AU construction by one fewer multiplication in the finite field if we replace Poly in RH2 with the following \(Poly'\):

$$Poly'_K(M)= M_1K^{m-1} \oplus M_2K^{m-2} \oplus \cdots \oplus M_m$$

where \(M = M_1\Vert M_2||\cdots \Vert M_m\in \{0,1\}^{nm}\). \(Poly'\) is AU but not AXU. We have the following construction and the proof is similar to that of Theorem 2.

Construction 3

\(RH3 : \{0,1\}^n \times \{0,1\}^* \rightarrow \{0,1\}^n \),

$$\begin{aligned} RH3 _K(M)= {\left\{ \begin{array}{ll} \ K^{l+2}\oplus Poly'_K(pad(M)), &{} \ l \text { is odd}\\ K^{l+3}\oplus Poly'_K(pad(M))K, &{} \ l \text { is even} \end{array}\right. }\end{aligned}$$
(4)

where \(l = \lceil |M|/n\rceil +1\) is the number of blocks in pad(M).

Theorem 3

RH3 is \((l_{max}+3)/2^n\)-RKA-AU for the RKD set \(\varPhi ^\oplus \), where \(l_{max}\) is the maximum number of blocks in messages after padding.

Efficiency of Constructions. We analyze the efficiency of RH1, RH2 and RH3 compared with previous similar constructions.

  1. RH1. Compared with \(Poly_K(M) = MK\), in \(RH1 _K(M)= MK\oplus K^3\) the monomial \(K^3\) can be pre-computed. So RH1 needs one extra pre-computation and one XOR operation.

  2. RH2. The polynomial \(T = M_1K^m \oplus M_2K^{m-1} \oplus \cdots \oplus M_mK\) is usually evaluated by Horner’s rule: \(T\leftarrow 0\), \(T\leftarrow (T\oplus M_i)K\) for \(1\le i\le m\). Assume that \(pad(M) = M_1\Vert M_2\Vert \cdots \Vert M_{l}\); Table 2 shows the computation of RH2\(_K(M)\) and \(Poly_K(pad(M))\) by Horner’s rule respectively. We can see that compared with \(Poly_K(pad(M))\), RH2 needs one additional pre-computation of \(K^2\), and one more multiplication if l is even.

  3. RH3. Similar to the analysis of RH2, RH3 needs one additional pre-computation of \(K^2\), and one more multiplication if l is even, compared with \(Poly'_K(pad(M))\).

In brief, RH1, RH2 and RH3 are almost as efficient as previous similar constructions.

Table 2. Computation of RH2\(_K(M)\) and \(Poly_K(pad(M))\) by Horner’s rule.

4 Applications

RKA-AU (RKA-AXU) hash functions can be used as components, along with other primitives such as RKA-PRPs and RKA-PRFs, in the design of related-key secure cryptographic schemes. If we replace the UHFs in the cryptographic schemes in Sect. 1 with our corresponding constructions, the issues about related-key attacks can be solved for some RKD set. Informally speaking, if the UHF is RKA-AU or RKA-AXU for the RKD set \(\varPhi _1\) and the underlying primitive is RKA-PRP or RKA-PRF for the RKD set \(\varPhi _2\) , the scheme is related-key secure for the RKD set \(\varPhi _1\times \varPhi _2\) .

In the following, we give four concrete applications of RKA-AU and RKA-AXU in related-key secure MACs and TBCs. In the analyses of these schemes, we mainly give intuitive interpretations by establishing the relationship between the RKA setting and the invariable-key setting; the detailed proofs will be given in the full paper [51]. Once that relationship is established, the remaining proof is similar to that in the invariable-key setting. Let RKA-PRF denote a PRF secure against related-key attacks. We define a chosen-ciphertext attack (CCA) secure tweakable block cipher as a strongly tweakable pseudorandom permutation (STPRP; SPRP if it has no tweak). If it is also related-key secure we denote it as RKA-STPRP (RKA-SPRP if it has no tweak). The detailed definitions are in Appendix A.

For simplicity we only consider a claw-free RKD set \(\varPhi \), in which for any two distinct \(\phi _1, \phi _2\in \varPhi \) and any key K we have \(\phi _1(K)\ne \phi _2(K)\). The relationships are based on three observations on the underlying components when we regard the RKD transformation as an additional input.

Observation 1

For a function \(F: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) and a claw-free RKD set \(\varPhi \) on \(\mathcal {K}\), we define a new function \(F': \mathcal {K}\times (\varPhi \times \mathcal {D})\rightarrow \mathcal {R}\), \(F'_K(\phi , M)=F_{\phi (K)}(M).\) It is directly derived from the definition that F is \(\epsilon \)-RKA-AU (\(\epsilon \)-RKA-AXU) for the RKD set \(\varPhi \) if and only if \(F'\) is \(\epsilon \)-AU (\(\epsilon \)-AXU).

Observation 2

Furthermore, we have that F is a RKA-PRF for the RKD set \(\varPhi \) if and only if \(F'\) is a PRF.

Observation 3

For a block cipher \(E: \mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) and a claw-free RKD set \(\varPhi \) on \(\mathcal {K}\), define a tweakable block cipher \(E': \mathcal {K}\times \varPhi \times \{0,1\}^n\rightarrow \{0,1\}^n\), \(E'_K(\phi , M) = E_{\phi (K)}(M)\). E is a RKA-SPRP for the RKD set \(\varPhi \), if and only if \(E'\) is a STPRP.

4.1 Related-Key Secure MACs

Besides the Carter-Wegman scheme to construct a MAC [52]

$$\begin{aligned} \text {MAC1}_{K, K'}(N, M) = H_K(M)\oplus F_{K'}(N)\end{aligned}$$
(5)

the other method [45] is

$$\begin{aligned} \text {MAC2}_{K, K'}(M) = F_{K'}(H_K(M))\end{aligned}$$
(6)

where \(H: \mathcal {K}_1\times \mathcal {D}\rightarrow \{0,1\}^n\) and \(F: \mathcal {K}_2\times \{0,1\}^n\rightarrow \{0,1\}^n\) are two keyed functions, M is a message and N is a nonce. We show that the two schemes are both related-key secure by the following two theorems.

Theorem 4

If H is \(\epsilon \)-RKA-AXU for the RKD set \(\varPhi _1\) and F is a RKA-PRF for the RKD set \(\varPhi _2\), then \(MAC1 \) is related-key unforgeable (RKA-UF) for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,

$$\mathbf {Adv}_{MAC1 }^{rka-uf}{(q, t)}\le \mathbf {Adv}_{F}^{rka-prf}{(q, t')} + \epsilon $$

where the adversary makes q queries to \({MAC1 }\) and \(t' = t + O(q)\).

From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 2, \(F'_{K'}(\phi _2, N) = F_{\phi _2(K')}(N) \) is a PRF. If we regard \(\phi _1\) as a part of the message and \(\phi _2\) as a part of the nonce, we only need to prove that \(G_{K, K'}(\phi _2,N,\phi _1,M) = H'_K(\phi _1, M)\oplus F'_{K'}(\phi _2, N)\) is unforgeable in the invariable-key setting. The remaining proof is similar to that in [34].

Theorem 5

If H is \(\epsilon \)-RKA-AU for the RKD set \(\varPhi _1\) and F is a RKA-PRF for the RKD set \(\varPhi _2\), then \(MAC2 \) is a RKA-PRF for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,

$$\mathbf {Adv}_{MAC2 }^{rka-prf}{(q, t)}\le \mathbf {Adv}_{F}^{rka-prf}{(q, t')} + \epsilon q^2/2$$

where the adversary makes q queries to \(MAC2 \) and \(t' = t + O(q)\).

From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 2, \(F'_{K'}(\phi _2, M) = F_{\phi _2(K')}(M)\) is a PRF. If we regard \(\phi _1\) and \(\phi _2\) as a part of the message, we only need to prove that \(G_{K, K'}(\phi _1,\phi _2,M) = F'_{K'}(\phi _2, H'_K(\phi _1, M))\) is a PRF in the invariable-key setting. The remaining proof is similar to that in [45].

4.2 Related-Key Secure TBCs

Block Cipher Based Schemes. In [36] Liskov et al. gave a construction of tweakable block cipher (TBC) from a block cipher and a universal hash function:

$$\begin{aligned} \text {TBC1}_{K, K'}(T, M) = E_{K'}(M\oplus H_K(T))\oplus H_K(T) \end{aligned}$$
(7)

where \(H: \mathcal {K}_1\times \mathcal {D}\rightarrow \{0,1\}^n\) is the universal hash function and \(E: \mathcal {K}_2\times \{0,1\}^n\rightarrow \{0,1\}^n\) is the block cipher. In Appendix B we show that TBC1 is not related-key secure if \(H_K(T)=TK\). But if H is RKA-AXU, we show that TBC1 is related-key secure for some RKD set in Theorem 6.

Theorem 6

If H is \(\epsilon \)-RKA-AXU for the RKD set \(\varPhi _1\) and E is RKA-SPRP for the RKD set \(\varPhi _2\), then \(TBC1 \) is a RKA-STPRP for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,

$$\mathbf {Adv}_{TBC1 }^{rka-stprp}{(q, t)}\le \mathbf {Adv}_{E}^{rka-sprp}{(q, t')} + 3\epsilon q^2$$

where the adversary makes q queries to \(TBC1 \) or \(TBC1 ^{-1}\) and \(t' = t + O(q)\).

From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 3, \(E'_{K'}(\phi _2, M) = E_{\phi _2(K')}(M)\) is a STPRP. If we consider \(\phi _1\) and \(\phi _2\) as a part of the tweak, we only need to prove that \(\widetilde{E}_{K, K'}(\phi _1, \phi _2, T, M) = E'_{K'}(\phi _2, M\oplus H'_{K}(\phi _1, T))\oplus H'_{K}(\phi _1, T) \) is a STPRP in the invariable-key setting. The remaining proof is similar to that in [36].

Permutation Based Schemes. If we replace the block cipher in TBC1 with a permutation, we get

$$\begin{aligned} \text {TBC2}_{K}(T, M) = \pi (M\oplus H_K(T))\oplus H_K(T) \end{aligned}$$
(8)

where \(\pi \) is a permutation from \(\{0,1\}^m\) to \(\{0,1\}^m\), \(n\le m\). For \(A\in \{0,1\}^n\), \(B\in \{0,1\}^m\), when \(n<m\), \(A\oplus B\) is defined as \((A\Vert 0^{m-n}) \oplus B\). We show the related-key security of TBC2 in Theorem 7. We need that H is both RKA-AXU and related-key almost uniform. H is \(\delta \)-related-key-almost-uniform if for any \(\phi \in \varPhi \), \(M\in \mathcal {D}\) and \(C\in \{0,1\}^n\), \(\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: H_{\phi (K)}(M)= C]\le \delta \). When H is also \(\epsilon \)-RKA-AXU, we say that it is \((\epsilon , \delta )\)-RKA-AXU. For example, \(RH1 = MK\oplus K^3\) is \((2/2^n, 3/2^n)\)-RKA-AXU.

TBC2 is a one-round tweakable Even-Mansour cipher. How to add a tweak and retain the related-key security of the Even-Mansour cipher has been a popular topic in recent years [19, 20, 24, 25, 38]. Compared with the previous constructions in [25, 38], we only need one permutation invocation (two in [25, 38]).

Theorem 7

If H is \((\epsilon , \delta )\)-RKA-AXU for the RKD set \(\varPhi \) and \(\pi \) is a public random permutation, then \(TBC2 \) is a RKA-STPRP for the RKD set \(\varPhi \). More specifically,

$$\mathbf {Adv}_{TBC2 }^{rka-stprp}{(q_0, q_1)}\le q_0^2\epsilon + 2q_0q_1\delta + 2^{-m}(q_0^2+2q_0q_1)$$

where the adversary makes \(q_0\) queries to \(TBC2 \) or \(TBC2 ^{-1}\) and \(q_1\) queries to \(\pi \) or \(\pi ^{-1}\).

From Observation 1, \(H'_K(\phi , M) = H_{\phi (K)}(M)\) is AXU. If we regard \(\phi \) as a part of the nonce, we only need to prove that \(\widetilde{E}_{K}(\phi , T, M) = \pi (M\oplus H'_{K}(\phi , T))\oplus H'_{K}(\phi , T) \) is a STPRP in the invariable-key setting. The remaining proof is similar to that in [35] or [19].

5 Conclusions

In this paper we mainly focus on two-key schemes, e.g. one key for the UHF and the other key for the block cipher. In order to resist related-key attacks, we define a new concept of related-key almost universal hash function, which is a natural extension to almost universal hash function in the RKA setting.

Not every UHF-based scheme suffers from related-key attacks. For example GCM [37] has only one key, which is also the key of the underlying block cipher. The key of the UHF is derived from the master key K as \(E_K(0^{128})\). GCM has been proved to be secure in the invariable-key setting [32] given that E is a PRP. If E is a RKA-PRP, for each \(\phi \in \varPhi \), \(E_{\phi (K)}\) is an independent PRP. So GCM is secure independently for each related key, and thus GCM is also secure in the RKA setting. In this rough reasoning, we only require that the UHF is AXU but not RKA-AXU. Therefore it is possible that the upper scheme “inherits” its related-key security only from the underlying block cipher. The same is true for some other one-key schemes such as XCB [29], POET [1], etc. We can even modify the vulnerable schemes in this paper into related-key secure ones without the notion of RKA-AXU or RKA-AU by generating the keys in the schemes as \(K_i = E_K(i)\), \(i = 1,2,\cdots \), where K is the master key. But there are still a lot of two-key schemes such as Poly1305-AES [6], HCTR [50], HCHp and HCHfp [16, 17]. Furthermore, if we regard related-key attacks as a class of side-channel attacks, the attacker may have the ability to change a stored key via tampering or fault injection [4, 11]. The key of the UHF, stored somewhere, no matter whether it is a part of the master key or derived from the master key, can be changed in this scenario.

We also give several efficient constructions named RH1, RH2 and RH3 which are nearly as efficient as previous similar ones. RKA-AU (RKA-AXU) hash functions can be used as components, along with other primitives such as RKA-PRPs and RKA-PRFs etc., in the design of related-key secure cryptographic schemes.