Abstract
Universal hash functions (UHFs) have been extensively used in the design of cryptographic schemes. If we consider the related-key attack (RKA) against these UHF-based schemes, some of them may not be secure, especially those using the key of UHF as a part of the whole key of scheme, due to the weakness of UHF in the RKA setting. In order to solve this issue, we propose a new concept of related-key almost universal hash function, which is a natural extension to almost universal hash function in the RKA setting. We define related-key almost universal (RKA-AU) hash function and related-key almost XOR universal (RKA-AXU) hash function. However almost all the existing UHFs do not satisfy the new definitions. We construct one fixed-input-length universal hash function named RH1 and two variable-input-length universal hash functions named RH2 and RH3. We show that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU for the RKD set \(\varPhi ^\oplus \). Furthermore, RH1, RH2 and RH3 are nearly as efficient as previously similar constructions. RKA-AU (RKA-AXU) hash functions can be used as components in the related-key secure cryptographic schemes. If we replace the universal hash functions in the schemes with our corresponding constructions, the problems about related-key attack can be solved for some RKD sets. More specifically, we give four concrete applications of RKA-AU and RKA-AXU in related-key secure message authentication codes and tweakable block ciphers.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
- Almost universal hash function
- Related-key attack
- Related-key almost universal hash function
- Message authentication code
- Tweakable block cipher
1 Introduction
Universal Hash Functions. Ever since introduced by Carter and Wegman [15, 52] in the design of message authentication code (MAC), universal hash functions (UHFs) have become common components in numerous cryptographic constructions, especially in modes of operation, to provide security services as confidentiality, authenticity or both. A universal hash function (UHF) is a family of functions indexed by keys. Unlike other components such as block ciphers, keyed hash functions and permutations, which are often used as pseudorandom permutations (PRPs), pseudorandom functions (PRFs) and public random permutations respectively, UHFs have no cryptographic strength such as pseudorandomness. So UHFs usually come along with other primitives, such as PRPs, PRFs, etc., to set up cryptographic schemes. The basic property of UHF is that the collision probability of hash values from any two different messages is small when the key is uniformly random.
One of examples is the polynomial evaluation hash function [8] in which the variable is the key and the coefficients consist of message blocks, such as: \(Poly: \{0,1\}^n\times \{0,1\}^{nm} \rightarrow \{0,1\}^n\),
where \(M = M_1\Vert M_2||\cdots \Vert M_m\in \{0,1\}^{nm} \), \(M_i\in \{0,1\}^n\), \(i = 1, 2, \cdots , m\) and all the operations are in the finite field \(GF(2^n)\). This kind of UHF appears in GCM [37], XCB [29], HCTR [50], HCH [16, 17], COBRA [2], Enchilada [27], POET [1] and many other constructions. For any \(M\ne M'\), \(Poly_K(M)\oplus Poly_K(M')\) is a polynomial in K whose degree is nonzero and no more than m, so there are at most m keys leading to \(Poly_K(M) = Poly_K(M')\), that is the collision probability is at most \(m/2^n\) when K is uniformly random. We say that this hash function is \(m/2^n\)-almost-universal (AU). Obviously the probability of \(Poly_K(M) \oplus Poly_K(M') = C\) is also at most \(m/2^n\) for any \(M\ne M'\) and C. That is another commonly used concept: almost XOR universal (AXU) hash functions. Poly is also \(m/2^n\)-AXU.
A direct application of UHFs is in message authentication codes (MACs) in which the message is hashed by the UHF into a short digest which then encrypted into a tag. MACs of this kind have been standardized in ISO/IEC 9797-3:2011 [31] which includes UMAC [13], Badger [14], Poly1305-AES [6] and GMAC [37]. UHFs are also used in tweakable block ciphers (TBCs) [36] and tweakable enciphering schemes (TESes), e.g. XTS-AES in IEEE Std 1619-2007 [28] and NIST SP 800-38E [40], XCB in IEEE Std 1619.2-2010 [29], HCTR [50] and HCH [16, 17], etc. The third application of UHF is in authenticated encryption (AE) schemes, e.g. the most widely used AE scheme GCM [37] standardized in ISO/IEC-19772:2009 [30] and NIST SP 800-38D [39]. In the recent CAESAR competition, several UHF-based AE schemes were proposed, e.g. COBRA [2], Enchilada [27] and POET [1], etc. In the security proofs of all these schemes, a crucial point is the collision probability about the inputs to other primitives. The property of UHF guarantees that the collision seldom happens.
Related-Key Attacks. Related-key attack (RKA) was firstly introduced by Biham [10] against block ciphers [12, 22, 48] and then extended to other cryptographic algorithms such as stream ciphers [18], MACs [41], TESes [49], AE schemes [21], etc. Bellare and Kohno [5] firstly gave a theoretical study of related-key security of block cipher, modeling the concept of pseudorandom permutation in the RKA setting (RKA-PRP) and pseudorandom function in the RKA setting (RKA-PRF). Applebaum et al. [3] gave the related-key security definition of encryption. Bhattacharyya and Roy [9] gave the related-key security definition of MAC. Related-key security has become an important criteria for cryptographic constructions.
In the RKA setting, the adversary does not know the secret key as in the usual invariable-key setting, but can apply related-key-deriving (RKD) transformations to change the secret key and observe outputs under the related keys. Let \(\varPhi \) be a RKD set which consists of transformations on the key space \(\mathcal {K}=\{0,1\}^k\). There are two canonical RKD sets: \(\varPhi ^\oplus =\{XOR_\varDelta : K \mapsto K \oplus \varDelta , \varDelta \in \mathcal {K}\}\) and \(\varPhi ^+=\{ADD_\delta : K \mapsto K+\delta \mod 2^k, \delta \in \mathcal {K}\}\). In the following, we use \(\varPhi ^\oplus \) as the default RKD set unless specified otherwise.
The related-key security requires that the queries under the related keys do not threaten the security under the original key, as the definition of related-key unforgeability in [9]. Or more strictly, for different related keys, the corresponding algorithms are secure independently, as the definition of RKA-PRP in [5] and [3].
Motivations. How to guarantee the related-key security? An intuition is that if the underlying components are related-key secure, the upper constructions should be related-key secure. This is true for most of block cipher modes of operation, especially for those one-key modes whose key is also that of the underlying block cipher, including CBC, OFB, CFB, CTR, CMAC, OCB, etc. But for the UHF-based schemes, it is not the case. Although almost all the UHF-based schemes have security proofs in the usual invariable-key setting, there are a lot of examples showing that some of them can not resist related-key attacks.
Let’s first check UHF-based MACs, in which a typical construction is to encrypt the hash value into a tag by one-time-pad encryption. This method originates from Carter and Wegman [15, 52] and dominates the usages of UHF in MACs [31]. Consider a simple example: \(MAC_{K, K'}(N, M) = Poly_K(M)\oplus F_{K'}(N)\) where \(M=M_1\Vert M_2\in \{0,1\}^{2n}\), \(Poly_K(M_1\Vert M_2) = M_1K^2\oplus M_2K\), F is a function often instantiated by a block cipher and N is a nonce. It has been proved that [7, 44] if F is a PRF and Poly is almost XOR universal, MAC is secure.
But if we query with \(A\Vert A\) under the related key \((K\oplus 0^{n-1}1, K')\), the answer is \(T = (A(K\oplus 0^{n-1}1)^2 \oplus A(K\oplus 0^{n-1}1))\oplus F_{K'}(N) = (AK^2 \oplus AK))\oplus F_{K'}(N)\). Therefore we can predict that the tag of \(A\Vert A\) under the original key is also T. So \((N, A\Vert A, T)\) is a successful forgery which breaks the RKA security of the MAC. A similar attack can apply to Poly1305-AES [6] in ISO/IEC 9797-3:2011 [31].
In Appendix B, we give more RKA examples against TBC, TES and AE schemes using Poly as UHF components. In all these examples, the key of UHF is a part of the key of whole scheme, so that the adversary can derive the related key of UHF and get input collisions to other primitives such as PRPs or PRFs. The collision in the MAC example is \(Poly_{K\oplus 0^{n-1}1}(A\Vert A) = Poly_K(A\Vert A)\). We stress that all these attacks only use the properties of UHF in the RKA setting and have nothing to do with other underlying primitives, whether it is RKA secure or not. In other words, the related-key weaknesses of the UHF alone results in related-key attacks against the schemes.
Definitions. In order to prevent the above attacks, we propose a new concept of related-key almost universal hash function which can ensure that the above collisions seldom happen. The new concept is a natural extension to almost universal hash function in the RKA setting. We define related-key almost universal (RKA-AU) hash function and related-key almost XOR universal (RKA-AXU) hash function. We will show that these definitions solve the above problems for some RKD set. Unfortunately almost all the existing UHFs do not satisfy the new definitions, including Poly mentioned in the above, MMH [26], Square Hash [23], NMH [26] and NH [13], etc. See Appendix C for details.
Constructions. We construct one fixed-input-length universal hash function named RH1 and two variable-input-length universal hash functions named RH2 and RH3. We prove that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU for the RKD set \(\varPhi ^\oplus \). Furthermore, RH1, RH2 and RH3 are almost as efficient as previous constructions.
Applications. If we replace the universal hash functions in the examples of Sect. 1 with our constructions, the problems about related-key attacks for some RKD set can be solved. More specifically, we give four concrete examples in MACs and TBCs.
2 Definitions
For a finite set \(\mathcal {S}\), \(x \xleftarrow {\$} \mathcal {S}\) means selecting an element x uniformly at random from the set X. For a string M, |M| denotes the bit length of M. For \(b\in \{0,1\}\), \(b^m\) denotes m bits of b. \(\mathbb {A}^\mathcal {O}\Rightarrow b \) denotes that the algorithm \(\mathbb {A}\) with an oracle \(\mathcal {O}\) outputs b.
For a function \(H:\mathcal {K} \times \mathcal {D} \rightarrow \mathcal {R}\), when \(K\in \mathcal {K}\) is a key, we write H(K, M) as \(H_K(M)\), where \((K, M)\in \mathcal {K}\times \mathcal {D}\). The following are the usual definitions of UHF.
Definition 1
(AU [46]). H is an \(\epsilon \)-almost-universal (\(\epsilon \)-AU) hash function, if for any \(M, M'\in \mathcal {D}\), \(M\ne M'\),
When \(\epsilon \) is negligible we say that H is AU.
Definition 2
(AXU [34]). Let \((\mathcal {R}, \oplus )\) be an abelian groupFootnote 1. H is an \(\epsilon \)-almost-XOR-universal (\(\epsilon \)-AXU), if for any \(M, M'\in \mathcal {D}\), \(M\ne M'\), and \(C\in \mathcal {R}\),
When \(\epsilon \) is negligible we say that H is AXU.
Clearly, if H is \(\epsilon \)-AXU, it is also \(\epsilon \)-AU, for \(\epsilon \)-AU is a special case of \(\epsilon \)-AXU when \(C=0\).
RKA-AU and RKA-AXU. In the following, we extend the above definitions in the RKA setting. Let \(\varPhi \) be a RKD set.
Definition 3
(RKA-AU). H is an \(\epsilon \)-related-key-almost-universal (\(\epsilon \)-RKA-AU) hash function for the RKD set \(\varPhi \), if for any \(\phi , \phi '\in \varPhi \), \(M, M'\in \mathcal {D}\), \((\phi , M)\ne (\phi ', M')\),
When \(\epsilon \) is negligible we say that H is RKA-AU for \(\varPhi \).
Definition 4
(RKA-AXU). Let \((\mathcal {R}, \oplus )\) be an abelian group. H is an \(\epsilon \)-related-key-almost-universal (\(\epsilon \)-RKA-AXU) hash function for the RKD set \(\varPhi \), if for any \(\phi , \phi '\in \varPhi \), \(M, M'\in \mathcal {D}\), \((\phi , M)\ne (\phi ', M')\), and \(C\in \mathcal {R}\),
When \(\epsilon \) is negligible we say that H is RKA-AXU for \(\varPhi \).
For \(\phi , \phi '\in \varPhi \), \(\phi \ne \phi '\) means there exists a key \(K\in \mathcal {K}\) such that \(\phi (K)\ne \phi '(K)\).
Restricting RKD Sets. As in the discussion of RKA-PRP [5], the related-key properties of UHF are relevant to the choice of RKD set. For some RKD sets the related-key almost universal hash function may not exist. It is necessary that the RKD set is both output unpredictable and collision resistant. We must put some restrictions on the RKD set.
-
(1)
Output unpredictability. A \(\phi \in \varPhi \) that has predictable outputs if there exists a constant S such that the probability of \(\phi (K) = S\) is high. If it happens, then for any function H the probability of \(H_{\phi (K)}(M) \oplus H_{\phi (K)}(M') = H_{S}(M) \oplus H_{S}(M')\) is also high for any two distinct M and \(M'\). So the RKA-AXU function is not available for the RKD set which has predictable transformations. We define \(OU(\varPhi ) = max_{\phi \in \varPhi , S}\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: \phi (K) = S]\). If \(OU(\varPhi )\) is negligible, we say that \(\varPhi \) is output unpredictable.
-
(2)
Collision resistance. Two distinct \(\phi , \phi '\in \varPhi \) have high collision probability if the probability of \(\phi (K) = \phi '(K)\) is hight. If it happens, then for any function H the probability of \(H_{\phi (K)}(M) \oplus H_{\phi '(K)}(M) = 0\) is also high for any M. So neither the RKA-AXU nor RKA-AU function is available for the RKD set which has high collision probability. We define \(CR(\varPhi ) = max_{\phi ,\phi '\in \varPhi , \phi \ne \phi '}\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: \phi (K) = \phi '(K)]\). If \(CR(\varPhi )\) is negligible, we say that \(\varPhi \) is collision resistant. More strictly, if for any two distinct \(\phi , \phi '\in \varPhi \) and any key K, we have \(\phi (K)\ne \phi '(K)\), or in other words \(CR(\varPhi ) = 0\), we say that \(\varPhi \) is claw-free.
We note that \(\varPhi ^\oplus \) and \(\varPhi ^+\) are output unpredictable, collision resistant and claw-free. The example in Sect. 1 shows that Poly is not RKA-AXU for the RKD set \(\varPhi ^\oplus \). If we choose the message M to be \(0^{mn}\), \(Poly_K(M)\) will always be \(0^{n}\). Therefore for any \(\phi , \phi '\in \varPhi \), we have \(Poly_{\phi (K)}(0^{mn})=Poly_{\phi '(K)}(0^{mn})\). So Poly is not RKA-AU either. If we look at the other existing UHFs, unfortunately almost all of them do not satisfy the new definitions, including MMH [26], Square Hash [23], NMH [26] and NH [13], etc. See Appendix C for more details.
3 Constructions
We construct two types of related-key almost universal hash functions: one fixed-input-length (FIL) UHF named RH1 and two variable-input-length (VIL) UHFs named RH2 and RH3. We prove that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU, for the RKD set \(\varPhi ^\oplus \).
For a function \(F: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\), we define a new function \(F': \mathcal {K}\times (\mathcal {K}\times \mathcal {D})\rightarrow \mathcal {R}\)
It is easy to see that F is RKA-AU (RKA-AXU) for the RKD set \(\varPhi ^\oplus \) if and only if \(F'\) is AU (AXU). All the constructions are based on the polynomial evaluation function Poly. From the above observation, our main idea is to modify \(Poly_K(M)\) into \(F_K(M)\) such that \(F_{K\oplus \varDelta }(M)\) is still an almost (XOR) universal hash function.
FIL Constructions. We first construct a function based on \(Poly_K(M) = MK\) by adding a new term \(K^3\).
Construction 1
\(RH1 : \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n\),
Theorem 1
RH1 is \(2/2^n\)-RKA-AXU for the RKD set \(\varPhi ^\oplus \).
Proof
We prove that for any \(M, M', \varDelta _1, \varDelta _2 \in \{0,1\}^n\), \((\varDelta _1, M)\ne (\varDelta _2, M')\), and \(C\in GF(2^n)\), \(\mathrm {Pr}[K \xleftarrow {\$} \{0,1\}^n: F(K) = C ]\le \epsilon \), where \(F(K)=RH1 _{K\oplus \varDelta _1}(M)\oplus RH1 _{K\oplus \varDelta _2}(M')\). We have
If \(\varDelta _2\ne \varDelta _1\), \(F(K) = C\) has two roots at most. If \(\varDelta _1=\varDelta _2\), then \(M\ne M'\). The degree of F(K) is 1 and \(F(K) = C\) has one root. Therefore RH1 is \(2/2^n\)-RKA-AXU. \(\square \)
Remark 1
As one of reviewers points out that RH1 is RKA-AXU for the RKD set \(\varPhi ^\oplus \), but is not RKA-AXU or even RKA-AU for a RKD set containing just containing two transformation: \(\varPhi = \{id, f_\alpha \}\) where id is the identity transformation and \(f_\alpha (K)=\alpha K\), \(\alpha ^3 = 1\). It is easy to verify that \(RH1 _{f_\alpha (K)}(\alpha ^{-1}M) = RH1 _K(M)\).
Remark 2
More generally we consider polynomial \(H^{i,j}_K(M)=MK^i + K^j\) over the finite field \(GF(2^n)\) or GF(p) where i, j are integers and p is a prime. We show the results when \(1\le i,j \le 4\) in Table 1.
VIL Constructions. Poly does not support variable input length. For any message \(M\in \{0,1\}^*\), a general padding method as in [37] is to firstly pad minimum zeroes to make the length multiple of the block length and then pad the bit length of M as the last block:
Then \(Poly_K(pad(M))\) is variable-input-length AXU hash function but still is not RKA-AU (RKA-AXU). Following the above method we add some term \(K^i\) in order to get the RKA-AXU property.
Construction 2
\(RH2 : \{0,1\}^n \times \{0,1\}^* \rightarrow \{0,1\}^n \),
where \(l = \lceil |M|/n\rceil +1\) is the number of blocks in pad(M).
Theorem 2
RH2 is \((l_{max}+3)/2^n\)-RKA-AXU for the RKD set \(\varPhi ^\oplus \), where \(l_{max}\) is the maximum block number of messages after padding.
Proof
For any message M, suppose \(pad(M) = M_1\Vert M_2\Vert \cdots \Vert M_{l}\). When l is odd
When l is even
We prove that for any \(M, M'\in \{0,1\}^* \), \(\varDelta _1, \varDelta _2, C\in \{0,1\}^n\), \((\varDelta _1, M)\ne (\varDelta _2, M')\), \(\mathrm {Pr}[F(K) = C]\le \epsilon \), where \(F(K)=RH2 _{K\oplus \varDelta _1}(M)\oplus RH2 _{K\oplus \varDelta _2}(M') \). We only need to show the degree of F(K) is nonzero. Suppose \(pad(M)=M_1\Vert M_2\Vert \cdots \Vert M_l\) and \(pad(M')=M'_1\Vert M'_2\Vert \cdots \Vert M'_{l'}\). Consider F(K) in the following two cases.
Case 1. \(\varDelta _1 \ne \varDelta _2\). Suppose the degrees of \(RH2 _{K\oplus \varDelta _1}(M)\) and \(RH2 _{K\oplus \varDelta _2}(M')\) are d and \(d'\) respectively, which are both odd.
When \(d = d'\), the coefficient of \(K^{d-1}\) in F(K) is \(\varDelta _1\oplus \varDelta _2\) which is nonzero.
When \(d\ne d'\), suppose \(d>d'\) w.l.o.g. the coefficient of \(K^{d}\) in F(K) is 1.
Case 2. \(\varDelta _1 = \varDelta _2\). We treat \(K\oplus \varDelta _1\) as a new key, so without loss of generality, we only consider \(\varDelta _1 = \varDelta _2 = 0\) in the following.
When \(l = l'\), there exists \(1\le j\le l\) s.t. \(M_{j}\ne M'_{j}\). So the coefficient of \(K^{l+1-j}\) (if l is odd) or \(K^{l+2-j}\) (if l is even) in F(K) is \(M_j\oplus M'_j\) which is nonzero.
When \(l'\ne l\) and are both odd, the coefficient of K is \(|M|\oplus |M'|\) which is nonzero.
When \(l'\ne l\) and are both even, the coefficient of \(K^2\) is \(|M|\oplus |M'|\) which is nonzero.
When \(l'\ne l\), one is odd and one is even, the coefficient of K is |M| or \(|M'|\) which are both nonzero.
Therefore the degree of F(K) is nonzero. \(\square \)
Since RH2 is RKA-AXU, it is also RKA-AU. But sometimes we only need RKA-AU functions. We can improve the efficiency of RKA-AU construction by one less multiplication in finite field if replace Poly in RH2 with the following \(Poly'\):
where \(M = M_1\Vert M_2||\cdots \Vert M_m\in \{0,1\}^{nm}\). \(Poly'\) is AU but not AXU. We have the following construction and the proof is similar to that of Theorem 2.
Construction 3
\(RH3 : \{0,1\}^n \times \{0,1\}^* \rightarrow \{0,1\}^n \),
where \(l = \lceil |M|/n\rceil +1\) is the number of blocks in pad(M).
Theorem 3
RH3 is \((l_{max}+3)/2^n\)-RKA-AU for the RKD set \(\varPhi ^\oplus \), where \(l_{max}\) is the maximum number of blocks in messages after padding.
Efficiency of Constructions. We analyze the efficiency of RH1, RH2 and RH3 compared with previous similar constructions.
-
(1)
RH1. Compared with \(Poly_K(M) = MK\), in \(RH1 _K(M)= MK\oplus K^3\) the monomial \(K^3\) can be pre-computed. So RH1 needs extra one pre-computation and one XOR operation.
-
(2)
RH2. The polynomial \(T = M_1K^m \oplus M_2K^{m-1} \oplus \cdots \oplus M_mK\) is usually evaluated by Horner’s rule: \(T\leftarrow 0\), \(T\leftarrow (T\oplus M_i)K\) for \(1\le i\le m\). Assume that \(pad(M) = M_1\Vert M_2\Vert \cdots \Vert M_{l}\), Table 2 shows the computation processes of RH2\(_K(M)\) and \(Poly_K(pad(M))\) by Horner’s rule respectively. We can see that compared with \(Poly_K(pad(M))\), RH2 needs one additional pre-computation of \(K^2\), and one more multiplication if l is even.
-
(3)
RH3. Similar to the analysis of RH2, RH3 needs one additional pre-computation of \(K^2\), and one more multiplication if l is even, compared with \(Poly'_K(pad(M))\).
In brief, RH1, RH2 and RH3 are almost as efficient as previous similar constructions.
4 Applications
RKA-AU (RKA-AXU) hash functions can be used as components, along with other primitives such as RKA-PRPs and RKA-PRFs, in the design of related-key secure cryptographic schemes. If we replace the UHFs in the cryptographic schemes in Sect. 1 with our corresponding constructions, the issues about related-key attacks can be solved for some RKD set. Informally speaking, if the UHF is RKA-AU or RKA-AXU for the RKD set \(\varPhi _1\) and the underlying primitive is RKA-PRP or RKA-PRF for the RKD set \(\varPhi _2\) , the scheme is related-key secure for the RKD set \(\varPhi _1\times \varPhi _2\) .
In the following, we give four concrete applications of RKA-AU and RKA-AXU in related-key secure MACs and TBCs. In the analyses of these schemes, we mainly give intuitive interpretations by establishing the relationship between the RKA setting and the invariable-key setting and the detailed proofs will be given in the full paper [51]. Then the remaining proof is similar to that in the invariable-key setting. Let RKA-PRF be PRF against related-key attacks. We define a chosen-ciphertext attack (CCA) secure tweakable block cipher as a strongly tweakable pseudorandom permutation (STPRP, SPRP if it has no tweak). If it is also related-key secure we denote it as RKA-STPRP (RKA-SPRP if it has no tweak). The detailed definitions are in Appendix A.
For simplicity we only consider the claw-free RKD set \(\varPhi \) in which for any \(\phi _1, \phi _1\in \varPhi \) and any key K we have \(\phi _1(K)\ne \phi _2(K)\). The relationships are based on three observations on the underlying components when we regard the RKD transformation as an additional input.
Observation 1
For a function \(F: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) and a claw-free RKD set \(\varPhi \) on \(\mathcal {K}\). We define a new function \(F': \mathcal {K}\times (\varPhi \times \mathcal {D})\rightarrow \mathcal {R}\), \(F'_K(\phi , M)=F_{\phi (K)}(M).\) It is directly derived from the definition that F is \(\epsilon \)-RKA-AU (\(\epsilon \)-RKA-AXU) for the RKD set \(\varPhi \) if and only if \(F'\) is \(\epsilon \)-AU (\(\epsilon \)-AXU).
Observation 2
Furthermore, we have that F is a RKA-PRF for the RKD set \(\varPhi \) if and only if \(F'\) is a PRF.
Observation 3
For a block cipher \(E: \mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) and a claw-free RKD set \(\varPhi \) on \(\mathcal {K}\), define a tweakable block cipher \(E': \mathcal {K}\times \varPhi \times \{0,1\}^n\rightarrow \{0,1\}^n\), \(E'_K(\phi , M) = E_{\phi (K)}(M)\). E is a RKA-SPRP for the RKD set \(\varPhi \), if and only if \(E'\) is a STPRP.
4.1 Related-Key Secure MACs
Beside the Carter-Wegman scheme to construct MAC [52]
the other method [45] is
where \(H: \mathcal {K}_1\times \mathcal {D}\rightarrow \{0,1\}^n\) and \(F: \mathcal {K}_2\times \{0,1\}^n\rightarrow \{0,1\}^n\) are two keyed functions, M is a message and N is a nonce. We show that the two schemes are both related-key secure by the following two theorems.
Theorem 4
If H is \(\epsilon \)-RKA-AXU for the RKD set \(\varPhi _1\) and F is a RKA-PRF for the RKD set \(\varPhi _2\), then \(MAC1 \) is related-key unforgable (RKA-UF) for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,
where the adversary makes q queries to \({MAC1 }\) and \(t' = t + O(q)\).
From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 2, \(F'_{K'}(\phi _2, N) = F_{\phi _2(K')}(N) \) is a PRF. If we look \(\phi _1\) as a part of the message and \(\phi _2\) as a part of the nonce, we only need to prove that \(G_{K, K'}(\phi _2,N,\phi _1,M) = H'_K(\phi _1, M)\oplus F'_{K'}(\phi _2, N)\) is unforgeable in the invariable-key setting. The remaining proof is similar to that in [34].
Theorem 5
If H is \(\epsilon \)-RKA-AU for the RKD set \(\varPhi _1\) and F is a RKA-PRF for the RKD set \(\varPhi _2\), then \(MAC2 \) is a RKA-PRF for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,
where the adversary makes q queries to \(MAC2 \) and \(t' = t + O(q)\).
From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 2, \(F'_{K'}(\phi _2, M) = F_{\phi _2(K')}(M)\) is a PRF. If we look \(\phi _1\) and \(\phi _2\) as a part of the message, we only need to prove that \(G_{K, K'}(\phi _1,\phi _2,M) = F'_{K'}(\phi _2, H'_K(\phi _1, M))\) is a PRF in the invariable-key setting. The remaining proof is similar to that in [45].
4.2 Related-Key Secure TBCs
Block Cipher Based Schemes. In [36] Liskov et al. gave a construction of tweakable block cipher (TBC) from a block cipher and a universal hash function:
where \(H: \mathcal {K}_1\times \mathcal {D}\rightarrow \{0,1\}^n\) is the universal hash function and \(E: \mathcal {K}_2\times \{0,1\}^n\rightarrow \{0,1\}^n\) is the block cipher. In Appendix B we show that TBC1 is not related-key secure if \(H_K(T)=TK\). But if H is RKA-AXU, we show that TBC1 is related-key secure for some RKD set in Theorem 6.
Theorem 6
If H is \(\epsilon \)-RKA-AXU for the RKD set \(\varPhi _1\) and E is RKA-SPRP for the RKD set \(\varPhi _2\), then \(TBC1 \) is a RKA-STPRP for the RKD set \(\varPhi _1\times \varPhi _2\). More specifically,
where the adversary makes q queries to \(TBC1 \) or \(TBC1 ^{-1}\) and \(t' = t + O(q)\).
From Observation 1, \(H'_K(\phi _1, M) = H_{\phi _1(K)}(M)\) is AXU; from Observation 3, \(E'_{K'}(\phi _2, M) = E_{\phi _2(K')}(M)\) is a STPRP. If we consider \(\phi _1\) and \(\phi _2\) as a part of the tweak, we only need to prove that \(\widetilde{E}_{K, K'}(\phi _1, \phi _2, T, M) = E'_{K'}(\phi _2, M\oplus H'_{K}(\phi _1, T))\oplus H'_{K}(\phi _1, T) \) is a STPRP in the invariable-key setting. The remaining proof is similar to that in [36].
Permutation Based Schemes. If we replace the block cipher in TBC1 as a permutation, we get
where \(\pi \) is the permutation from \(\{0,1\}^m\) to \(\{0,1\}^m\), \(n\le m\). For \(A\in \{0,1\}^n\), \(B\in \{0,1\}^m\), when \(n<m\), \(A\oplus B\) is defined as \((A\Vert 0^{m-n}) \oplus B\). We show the related-key security of TBC2 in Theorem 7. We need that H is both RKA-AXU and related-key almost uniform. H is \(\delta \)-related-key-almost-uniform means for any \(\phi \in \varPhi \), \(M\in \mathcal {D}\) and \(C\in \{0,1\}^n\), \(\mathrm {Pr}[K \xleftarrow {\$} \mathcal {K}: H_{\phi (K)}(M)= C]\le \delta \). When H is also \(\epsilon \)-RKA-AXU, we say that it is \((\epsilon , \delta )\)-RKA-AXU. For example, \(RH1 = MK\oplus K^3\) is \((2/2^n, 3/2^n)\)-RKA-AXU.
TBC2 is a one-round tweakable Even-Mansour cipher. How to add tweak and retain related-key security of the Even-Mansour cipher is a popular topic in recent years [19, 20, 24, 25, 38]. Compared with previous constructions in [25, 38] we only need one permutation invocation (two in [25, 38] ).
Theorem 7
If H is \((\epsilon , \delta )\)-RKA-AXU for the RKD set \(\varPhi \) and \(\pi \) is public random permutation, then \(TBC2 \) is a RK-TSPRP for the RKD set \(\varPhi \). More specifically,
where the adversary makes \(q_0\) queries to \(TBC2 \) or \(TBC2 ^{-1}\)and \(q_1\) queries to \(\pi \) or \(\pi ^{-1}\).
From Observation 1, \(H'_K(\phi , M) = H_{\phi (K)}(M)\) is AXU. If we look \(\phi \) as a part of the nonce, we only need to prove that \(\widetilde{E}_{K}(\phi , T, M) = \pi (M\oplus H'_{K}(\phi , T))\oplus H'_{K}(\phi , T) \) is a STPRP in the invariable-key setting. The remaining proof is similar to that in [35] or [19].
5 Conclusions
In this paper we mainly focus on two-key schemes, e.g. one key for the UHF and the other key for the block cipher. In order to resist related-key attacks, we define a new concept of related-key almost universal hash function, which is a natural extension to almost universal hash function in the RKA setting.
Not every UHF-based scheme suffers from related-key attacks. For example GCM [37] has only one key which is also the key of the underlying block cipher. The key of UHF is derived from the master key K as \(E_K(0^{128})\). GCM has been proved to be secure in the invariable-key setting [32] given that E is a PRP. If E is a RKA-PRP, for each \(\phi \in \varPhi \), \(E_{\phi (K)}\) is an independent PRP. So GCM is secure independently for each related key, and thus GCM is also secure in the RKA setting. In this roughly reasoning, we only require that the UHF is AXU but not RKA-AXU. Therefore it is possible that the upper scheme “inherit” the related-key security only from the underlying block cipher. It is also true to some other one-key schemes such as XCB [29], POET [1], etc. We can even modify the vulnerable schemes in this paper into related-key secure ones without the notion of RKA-AXU or RKA-AU by generating the keys in the schemes as \(K_i = E_K(i)\), \(i = 1,2,\cdots \) where K is the master key. But there are still a lot of two-key schemes such as Poly1305-AES [6], HCTR [50], HCHp and HCHfp [16, 17]. Furthermore, if we regard related-key attacks as a class of side-channel attacks, the attacker may have the ability to change a stored key via tampering or fault injection [4, 11]. The key of UHF stored somewhere, no matter whether it is a part of the master key or derived from the master key, can be changed in this scenario.
We also give several efficient constructions named RH1, RH2 and RH3 which are nearly as efficient as previous similar ones. RKA-AU (RKA-AXU) hash functions can be used as components, along with other primitives such as RKA-PRPs and RKA-PRFs etc., in the design of related-key secure cryptographic schemes.
Notes
- 1.
For arbitrary abelian groups a generalized notion is almost Delta universal (A\(\varDelta \)U) hash function [47]. In the following when we say AXU we may sometimes refer to A\(\varDelta \)U.
References
Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET family of on-line authenticated encryption schemes (2014). http://competitions.cr.yp.to/caesar-submissions.html
Andreeva, E., Bogdanov, A., Lauridsen, M.M., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COBRA (2014). http://competitions.cr.yp.to/caesar-submissions.html
Applebaum, B., Harnik, D., Ishai, Y.: Semantic security under related-key attacks and applications. In: Chazelle, B. (ed.) Innovations in Computer Science - ICS 2010, pp. 45–60. Tsinghua University Press (2011). http://conference.itcs.tsinghua.edu.cn/ICS2011/content/papers/30.html
Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_26
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_31
Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). doi:10.1007/11502760_3
Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). doi:10.1007/11426639_10
Bernstein, D.J.: Polynomial evaluation and message authentication (2011). http://cr.yp.to/papers.html#pema
Bhattacharyya, R., Roy, A.: Secure message authentication against related-key attack. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 305–324. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_16
Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994)
Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). doi:10.1007/BFb0052259_12
Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_1
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M.J. (ed.) [53], pp. 216–233. http://dx.org/10.1007/3-540-48405-1_14
Boesgaard, M., Christensen, T., Zenner, E.: Badger – a fast and provably secure MAC. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 176–191. Springer, Heidelberg (2005). doi:10.1007/11496137_13
Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
Chakraborty, D., Sarkar, P.: HCH: a new tweakable enciphering scheme using the hash-encrypt-hash approach. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 287–302. Springer, Heidelberg (2006). doi:10.1007/11941378_21
Chakraborty, D., Sarkar, P.: HCH: a new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theor. 54(4), 1683–1699 (2008). doi:10.1109/TIT.2008.917623
Chen, J., Miyaji, A.: A new practical key recovery attack on the stream cipher RC4 under related-key model. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 62–76. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21518-6_5
Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 189–208. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_9
Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_23
Dobraunig, C., Eichlseder, M., Mendel, F.: Related-Key Forgeries for Prøst-OTR. IACR Cryptology ePrint Archive, to appear in FSE 2015 (2015). http://eprint.iacr.org/2015/091
Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptology 27(4), 824–849 (2014). doi:10.1007/s00145-013-9154-9
Etzel, M., Patel, S., Ramzan, Z.: SQUARE HASH: fast message authenication via optimized universal hash functions. In: Wiener, M.J. (ed.) [53], pp. 234–251. http://dx.org/10.1007/3-540-48405-1_15
Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48116-5_17
Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. Cryptology ePrint Archive, Report 2015/999 (2015). http://eprint.iacr.org/
Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/Second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997). doi:10.1007/BFb005234
Harris, S.: AES-COBRA (2014). http://competitions.cr.yp.to/caesar-submissions.html
IEEE Std 1619-2007: IEEE standard for cryptographic protection of data on block-oriented storage devices (2008)
IEEE Std 1619.2-2010: IEEE standard for wide-block encryption for shared storage media (2011)
ISO/IEC 19772:2009: Information technology - security techniques - authenticated encryption (2009)
ISO/IEC9797-3:2011: Information technology - security techniques - message authentication codes (MACs) - part 3: Mechanisms using a universal hash-function (2011)
Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_3
Jutla, C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 529. Springer, Heidelberg (2001). doi:10.1007/3-540-44987-6_32
Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_15
Kurosawa, K.: Power of a public random permutation and its application to authenticated encryption. IEEE Trans. Inf. Theor. 56(10), 5366–5374 (2010). doi:10.1109/TIT.2010.2059636
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 31. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_3
McGrew, D.A., Viega, J.: The Galois/Counter mode of operation (GCM) (2004). http://csrc.nist.gov/groups/ST/toolkit/BCM/
Mennink, B.: XPX: generalized tweakable Even-Mansour with improved security guarantees. IACR Cryptology ePrint Archive 2015, 476 (2015). http://eprint.iacr.org/2015/476
NIST SP 800-38D: Recommendations for block cipher modes of operation: Galois/counter mode (GCM) and GMAC, November 2007
NIST SP 800-38E: Recommendation for block cipher modes of operation: The XTS-AES mode for confidentiality on storage devices (2010)
Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 580–597. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_35
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_2
Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM Conference on Computer and Communications Security, pp. 196–205. ACM (2001)
Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_24
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004, 332 (2004). http://eprint.iacr.org/2004/332
Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_5
Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 2, no. 52 (1995). http://eccc.hpi-web.de/eccc-reports/1995/TR95-052/index.html
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_9
Sun, Z., Wang, P., Zhang, L.: Weak-key and related-key analysis of hash-counter-hash tweakable enciphering schemes. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 3–19. Springer, Heidelberg (2015). doi:10.1007/978-3-319-19962-7_1
Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005). doi:10.1007/11599548_15
Wang, P., Li, Y., Zhang, L., Zheng, K.: Related-key almost universal hash functions: definitions, constructions and applications. Cryptology ePrint Archive, Report 2015/766 (2015). http://eprint.iacr.org/
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)
Acknowledgment
The authors would like to thank the anonymous reviewers for their helpful and valuable comments and suggestions. The work of this paper is supported by the National Key Basic Research Program of China (2014CB340603), the National Natural Science Foundation of China (Grants 61272477, 61472415, 61202422, 61572484), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702. Liting Zhang is supported by the Youth Innovation Promotion Association of CAS (2015087).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Related-Key Security of MAC, TBC, TES and AE Schemes
(1) RKA-PRF. For a function \(F: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\), the adversary \(\mathbb {A}\) can make related-key oracle queries \((\phi , M)\in \varPhi \times \mathcal {D}\) and is responded with \(F_{\phi (K)}(M)\) where K is the secret key. Let \(\rho \) be a uniformly random function from \(\mathcal {K}\times \mathcal {D}\) to \(\mathcal {R}\). The advantage of \(\mathbb {A}\) is defined as
For all adversaries with computation time at most t, oracle queries at most q, we denote \(\mathbf {Adv}_{F}^{rka-prf}{(q,t)} = max_\mathbb {A}\mathbf {Adv}_{F}^{rka-prf}{(\mathbb {A})}\). When the advantage is negligible, we say that F is a RKA-PRF for \(\varPhi \).
(2) RKA-UF. A message authentication code (MAC) is a function \(F: \mathcal {K}\times \mathcal {N}\times \mathcal {M}\rightarrow \{0,1\}^n\), where \(\mathcal {K}\), \(\mathcal {N}\), \(\mathcal {M}\) and \(\{0,1\}^n\) are spaces of key, nonce, message and tag respectively. The nonce space can be an empty set \(\mathcal {N} = \emptyset \). For a RKD set \(\varPhi \), the adversary \(\mathbb {A}\) queries the MAC algorithm with \((\phi , N, M)\in \varPhi \times \mathcal {N}\times \mathcal {M}\) but never repeats N, and gets \(T = F_{\phi (K)}(N, M)\). After several queries \(\mathbb {A}\) returns a quadruple \((\phi ', N', M', T')\) which never appear before in the queries. We define the probability of \(T' = F_{\phi '(K)}(N', M')\) as the advantage of \(\mathbb {A}\) and write it as:
For all adversaries with computation time at most t, oracle queries at most q, we denote \(\mathbf {Adv}_{F}^{rka-uf}{(q,t)} = max_\mathbb {A}\mathbf {Adv}_{F}^{rka-uf}{(\mathbb {A})}.\) When the advantage is negligible, we say that F is related-key unforgeable (RKA-UF) or related-key unpredictable for \(\varPhi \).
(3) RKA-STPRP and RKA-SPRP. A tweakable block cipher consists of two algorithms \(\mathcal {S} = (\mathbf {E}, \mathbf {D})\). The encryption algorithm \(\mathbf {E}: \mathcal {K}\times \mathcal {T}\times \{0,1\}^n\rightarrow \{0,1\}^n\), where \(\mathcal {K}\), \(\mathcal {T}\) and \(\{0,1\}^n\) are spaces of key, tweak, plaintext/ciphertext respectively. For input \((K, T, P)\in \mathcal {K}\times \mathcal {T}\times \{0,1\}^n\), we write the result as \(C = \mathbf {E}_K^T(P)\) The decryption algorithm \(\mathbf {D}: \mathcal {K}\times \mathcal {T}\times \{0,1\}^n\rightarrow \{0,1\}^n\). We require that for any \((K, T)\in \mathcal {K}\times \mathcal {T}\), \(\mathbf {E}_K^T(\cdot )\) and \(\mathbf {D}_K^T(\cdot )\) are permutations, and \(\mathbf {D}_K^T(\mathbf {E}_K^T(P)) = P\). For a RKD set \(\varPhi \), an adversary \(\mathbb {A}\) queries \(\mathbf {E}\) with \((\phi , T, P)\in \varPhi \times \mathcal {T}\times \{0,1\}^n\) or queries \(\mathbf {D}\) with \((\phi , T, C)\in \varPhi \times \mathcal {T}\times \{0,1\}^n\). \(\mathbb {A}\) tries to distinguish \(\mathcal {S}\) from an ideal TBC, where for any \((K, T)\in \mathcal {K}\times \mathcal {T}\), \(\pi _K^T\) is an independent uniformly random permutation. Without loss of generality we assume that the adversary never make pointless queries that the adversary “knows” the answer. For example, if the adversary query \((\phi , T, P)\) to the encryption oracle and get the answer C, he will never query \((\phi , T, C)\) to the decryption oracle. We define the advantage as
For all adversaries with computation time at most t, oracle queries at most q, we denote \(\mathbf {Adv}_{\mathcal {S}}^{rka-stprp}{(q,t)} = max_\mathbb {A}\mathbf {Adv}_{\mathcal {S}}^{rka-stprp}{(\mathbb {A})}.\) When the advantage is negligible, we say that \(\mathcal {S}\) is a related-key strongly tweakable pseudorandom permutation (RKA-STPRP) for \(\varPhi \). When the tweak space \(\mathcal {T}\) is a empty set \(\mathbf {E}\) becomes a block cipher. The corresponding security notion is related-key strongly pseudorandom permutation (RKA-SPRP). Tweakable enciphering schemes are TBCs with large or variable input length. The definition is the same as that of TBC.
(4) RKA-AE. An authenticated encryption scheme consists of two algorithms \(\mathcal {SE} = (\mathbf {E}, \mathbf {D})\). The encryption \(\mathbf {E}: \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {P}\rightarrow \mathcal {C}\), where \(\mathcal {K}\), \(\mathcal {N}\), \(\mathcal {A}\), \(\mathcal {P}\) and \(\mathcal {C}\) are spaces of key, nonce, associated data, plaintext and ciphertext respectively. For input \((K, N, A, P)\in \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {P}\), we write the result as \(C = \mathbf {E}_K(N, A, P)\). The decryption algorithm \(\mathbf {D}: \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {C}\rightarrow \mathcal {P}\cup \{\bot \}\). We require that \(\mathbf {D}_K(N, A, \mathbf {E}_K(N, A, P)) = P\). For a RKD set \(\varPhi \), an adversary \(\mathbb {A}\) queries the \(\mathbf {E}\) with \((\phi , N, A, P)\in \varPhi \times \mathcal {N}\times \mathcal {A}\times \mathcal {P}\) but never repeats \((\phi , N)\), or queries the \(\mathbf {D}\) with \((\phi , N, A, C)\). \(\mathbb {A}\) tries to distinguish \(\mathcal {SE}\) from an ideal AE scheme\((\$, \bot )\), where for any query \(\$\) returns a random string and \(\bot \) always returns \(\bot \). We define the advantage as
For all adversaries with computation time at most t, oracle queries at most q, we denote \(\mathbf {Adv}_{\mathcal {SE}}^{rka-ae}{(q,t)} = max_\mathbb {A}\mathbf {Adv}_{\mathcal {SE}}^{rk-ae}{(\mathbb {A})}.\) When the advantage is negligible, we say that \(\mathcal {SE}\) is related-key secure for \(\varPhi \).
More Examples of Related-Key Attacks Against UHF-based Schemes
(1) TBC. A tweakable block cipher (TBC) is a generalized block cipher with an extra input called tweak. TBCs were first formalized by Liskov et al. [36] and found applications largely in modes of operation [42]. In their seminal paper, Liskov et al. gave a construction of TBC from a block cipher: \(TBC_{K, K'}(T, M) = E_{K'}(M\oplus H_K(T))\oplus H_K(T)\) where E is the block cipher, H is a universal hash function and T is the tweak. They proved that when E is a PRP against chosen ciphertext attacks (CCAs) and H is almost XOR universal, TBC is secure against CCA attacks. If we use \(Poly_K(T) = TK\) as the underlying UHF, the following is an attack. First we query with (T, M) under the derived key \((K\oplus \varDelta , K')\) where \(\varDelta \ne 0\), then the answer is \(C = E_{K'}(M\oplus T(K\oplus \varDelta ))\oplus T(K\oplus \varDelta ) = E_{K'}((M\oplus T\varDelta ) \oplus TK)\oplus TK\oplus T\varDelta \). So we can predict that the ciphertext of \((T, (M\oplus T\varDelta ))\) under the original key is \(C\oplus T\varDelta \). Therefore it does not resist related-key attack.
(2) TES. A tweakable enciphering scheme is a generalized TBC with large or variable input length, suitable for disk sector encryption. Recently Sun et al. [49] show that HCTR [50], HCHp and HCHfp [16, 17] suffer related-key attacks. All these TESes use the polynomial evaluation hash function as the underlying UHF.
(3) AE scheme. An authenticated encryption scheme achieves both confidentiality and authenticity. One of AE schemes OCB [42, 43] following from IAPM [33], encrypts the message blocks using independent PRPs into ciphertext blocks and encrypts the XOR of the message blocks into a tag using another independent PRP. Kurosawa [35] proposed a modified IAPM, the encryption of message blocks is
where \(M_i\) is the i-th message block, E is the block cipher and the key of the scheme is \((K, K')\). Kurosawa proved that this modified IAPM is secure even if the underlying block cipher is publicly accessible. But if we query with (IV, M) under the derived key \((K\oplus 0^{n-1}1, K')\), the first ciphertext block \(C_1 = E_{K'}((M_i\oplus IV \oplus 0^{n-1}1)\oplus (Poly_K(IV\Vert 0^{n-1}1)) \oplus Poly_K(IV\Vert 0^{n-1}1) \oplus IV \oplus 0^{n-1}1 \). We can predict that the first ciphertext block of \((IV, M')\) under the original key is \(C_1\oplus IV \oplus 0^{n-1}1\), where \(M'\) is changed from M by changing the first block into \(M_1\oplus IV \oplus 0^{n-1}1\). If we define the confidentiality as the indistinguishability between ciphertexts and uniformly random bits, this scheme does not resist the related-key attack.
In the above examples, the key of UHF is a part of the key of whole scheme, so that the adversary can derive the related key of UHF and get the input collision to other primitives such as PRPs or PRFs. The collisions in the above attacks are listed as following.
-
(1)
\(Poly_{K\oplus \varDelta }(T) \oplus Poly_K(T) = \varDelta T\) used in the TBC example;
-
(2)
\(Poly_{K\oplus \varDelta }(A\Vert B) \oplus Poly_K(A\Vert B) = A\varDelta ^2\oplus B\varDelta \) used in the TES and AE scheme examples.
Existing UHFs that Are Not RKA-AXU (RKA-AU)
The following universal hash functions are proved to be AXU (A\(\varDelta \)U).
-
(1)
MMH [26]: \(H_K(M) = (((\sum _{i=1}^t M_iK_i)\mod 2^{64})\mod p)\mod 2^{32}\), \(M_i, K_i\in \mathbf {Z}_{2^{32}}\) and \(p = 2^{32}+15\);
-
(2)
Square Hash [23]: \(H_K(M) = \sum _{i=1}^t (M_i+K_i)^2 \mod p\), \(M_i, K_i\in \mathbf {Z}_{p}\);
-
(3)
NMH [26]: \(H_K(M) = ( \sum _{i=1}^{t/2}(M_{2i-1}+K_{2i-1})(M_{2i}+K_{2i})) \mod p\), \(M_i, K_i\in \mathbf {Z}_{2^{32}}\), \(p = 2^{32}+15\);
-
(4)
NH [13]: \(H_K(M) = ( \sum _{i=1}^{t/2}((M_{2i-1}+K_{2i-1})\mod 2^w)((M_{2i}+K_{2i})\mod 2^w)) \mod 2^{2w}\), \(M_i, K_i\in \mathbf {Z}_{2^w}\).
In (1) we set \(t = 1\), then \(H_K(M) = (MK\mod 2^{32}+15) \mod 2^{32}\). If \(M = M'= \varDelta ' =1\), \(\varDelta = 0\), then \(H_K(M) = K\), \(H_{K+\varDelta '}(M') = K + 1 \mod 2^{32}\), therefore \(H_K(M) + 1 = H_{K+\varDelta '}(M')\), MMH is not RK-A\(\varDelta \)U. (2), (3) and (4) all have the term \(M_1+K_1\). From \(M_1+K_1 = (M_1-1)+(K_1+1)\) we know that they are all not RKA-AU.
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Wang, P., Li, Y., Zhang, L., Zheng, K. (2016). Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications. In: Peyrin, T. (eds) Fast Software Encryption. FSE 2016. Lecture Notes in Computer Science(), vol 9783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-52993-5_26
Download citation
DOI: https://doi.org/10.1007/978-3-662-52993-5_26
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-52992-8
Online ISBN: 978-3-662-52993-5
eBook Packages: Computer ScienceComputer Science (R0)