On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model
Bellare and Kohno introduced a formal framework for the study of related-key attacks against blockciphers. They established sufficient conditions (output-unpredictability and collision-resistance) on the set of Related-Key-Deriving (RKD) functions under which an ideal cipher is secure against related-key attacks, and suggested this could be used to derive security goals for real blockciphers. However, doing so requires reinterpreting results proven in the ideal-cipher model for the standard model (in which a blockcipher is modeled as, say, a pseudorandom permutation family). As the authors show here, this is a fraught activity. In particular, building on a recent idea of Bernstein, they first demonstrate a related-key attack that applies generically to a large class of blockciphers.