Ⅰ. Introduction
In 1992 and 1993, Knudsen"" and Biham(4) independently introduced a very useful cryptanalytic technique which exploits related keys in a differential attack. After this kind of attack, called a related-key attack, was introduced, it has been widely used to evaluate the security of block ciphers'이"'⑻ , The related-key attack has been also extended into various cryptanalytic techniques such as a related-key differential-linear at壮ack"이, a related-key impossible differential attack"", a related-key boomerang and rectangle attacks"(4) and so on. Related-key attacks are well-known to be very powerful tools to analyze block ciphers. Up to now, the best (in terms of the number of attacked rounds) known attacks against AES[16\ KASUMI⑹, XTEA审〕and G* OST 〕are related-key attacks. Furthermore, related-key attacks can be used to evaluate the security of message authentication schemes and block cipher based enciphering modes (refer to (3) as an example).
The related-key attack is very difficult or even infeasible to conduct in many cryptographic applications, since it would certainly be unlikely that an attacker could persuade a sender to encrypt plaintexts under related keys unknown to the attacker. However, as demonstrated in (12), the related-key attack is feasible in some of the current real-world applications such as the IBM 과 758 crypto processorr, key-exchange protocols that do not guarantee key integrity, and key-update protocols that updates session keys using a known function.
Related-key attacks allow an adversary to obtain plaintext and ciphertext pairs by using different, but related keys. The general aim of these attacks is to retrieve some or all portions of the related keys by using collected plaintext and ciphertext pairs. However, the success or failure of these attacks is determined by whether or not the adversary can distinguish the underlying cipher from a random permutation family with the same key space and plaintext/ciphertext space as those of the xinderlying cipher. Hence, from a theoretical point of view, the distinguishing ability of the most powerful related-key adversary determines the security of the underlying cipher against related-key attacks. More precisely, if a cipher E (or and a randomly chosen permutation family G(or G G厂 i) are indistinguishable under related-key attack models, we then say that E is secure in the sense of a pseudorandom permutation (PRP) (or a strong pseudorandom permutation (SPRP)) against related-key attacks (RKA), simply, we say that £ is a secure PRP-RKA (or SPRP-RKA) cipher.
Compared to cryptanalytic results on related-key attacks there are few theoretical results on them. In 2003, Bellare and Kohno이 first initiated a theoretical investigation of security against related-key attacks. In 〔3〕, they defined a general model of related-key attacks (i.e.s classes of related-key attacks which are specified by an associated set of key transformations) together with some security notions for these attacks such as PRP-RKA, SPRP-RKA and PRF-RKA. They also clarified what classes of these attacks do or do not allow to achieve security against them (for any ciphers there exist classes of related-key attacks against which they are not secxire). They also gave a construction of secure PRP-RKA cipher. In〔21〕Lucks proposed another construction of secure PRP-RKA cipher that has a better security bound than that of〔3〕.
The first goal of this paper is to construct various secure permutation families against some classes of related-key attacks from constructions which are already known to be secure. The second goal of this paper is to define various security notions for related-key attacks and to show the relationships of those security notions.
In this paper, we observe that secure tweakable permutation families in the sense of SPRP can be transformed to secure permutation families in the sense of SPRP-RKA, and secure function families of a certain form in the sense of PRF can be transformed to secure permutation families in the sense of PRP-RKA. This enables us to construct various SPRP-RKA or PRP-RKA ciphers from known design methods. Especially, we present a construction of secure SPRP-RKA cipher which is more efficient than the mentioned above two secure PRP-RKA ciphers. Furthermore, we define other security notions for related-key attacks, indistinguishability and non-malle-ability, and look into the relations between the security notions for related-key attacks. At the end of this paper, we show that secure tweakable permutation families in the sense of indistinguishability (resp. non-malleability) can be transformed to secure permutation families in the sense of indistinguishability (resp. non-malleability) against related-key attacks.
This paper is organized as follows: Section 2 provides some notations and security notions for related-key attacks. In Sect. 3 and Sect. 4, we observe that various secure permutation families against some classes of related-key attacks can be constructed from constructions which are already known to be secure. Section 5 defines various security notions for related-key attacks and shows the relationships of those security notions and Sect. 6 concludes the paper.
Ⅱ. Preliminaries
In this section, we present some notation and definitions which are used throughout the paper. We adopt the notation of〔3〕.
2.1. Notation
. s으S: the operation of selecting s uniformly at random from the set S
. F K>JDtR: a family of functions from D to R indexed by keys K, i.e., Fk{ - ) is a function from D to R for each keK
. E: KxD-eD: a family of permutations on D indexed by K, ie, 鸟(.)8 is a permutation on f) for each key kwK
. E-. Kx TxD-eD: a family of permutations on f) indexed by Kx T, i.e., Ek(t, . ) is a permutation on D for each key keK and tweak teT (Note that T is not secret information.)
. PermeEi)'. the set of all permutations on D
. PermitD): the set of all families of permutations with domain D and keys K
. the set of all functions from D to R
. the set of all families of fimctions with domain D, range R and keys K
In this paper, we call F a function family. We also call E and E a permutation family and a tweakable permutation family, respectively. According to the$ above notations, Ge—Perm(K, D) represents the se lection of a random permutation family, i.e., for each key keK, Gk( - ) is a permutation randomly chosen from Perm(lf). Furthermore, &으"如诅(瓦丑) repre sents the selection of a random function family, i.e., for each key kJK, Gk{ -) is a function randomly chosen from 7也配
2.2. Definitions
Many security notions have been introduced for function and permutation families; in these notions, an adversary A is modeled as a Turing machine that has black-box access to an oracle (or multiple oracles). While the computational power of A is unlimited, the total number of oracle calls is limited to a certain number. For each query of A the oracle gives an answer to A. After making a limited number of queries to the oracle(s) adaptively, A outputs a bit. Sections 3 and 4 considers below four security notions. Some other security notions will be offered in Sect 5.
Definition 1. (PRF)〔2〕Let F. KxDtR be a function family andbe an adversary. Then the prf-ad-vantage of A is defined by
#
A。—)means A with an oracle 0( .), which returns for the adversary's query M.
Definition 2. (SPRP) [22] Let E: KxD—D be a permutation family and A be an adversary. Then the sprp-advantage of A is defined by
#
*( -) means A with two oracles, ), 。-'( . ); for an adversary's query of M (resp. C) to the first (resp. second) oracle it returns O(M) (resp. d©)
Definition 3. flWEAKSPRP) [8] Let E: Kx TxD-eD be a tweakable permutation family and ^4 be an adversary. Then the tweak-sprp-advantage of A is defined by
#
■), o *( ■. .) means 厶 with two oracles 5( ., . (9-1( ., . ) for an adversary's query of (resp. to the first (resp. second) oracle it returns d如初(resp.
Definition 4. (SPRP-RKA)〔3〕Let EKxUD be a permutation family and be a set of functions over Let A be an adversary that is restricted to queries of the form 0, x) in which 垂 and xeD. Then the sprp-rka advantage of A is defined by
#
AdveJ~rka(A) = Pr 脣箜K: A Eg w(.、保由. -Pr [aAa;Ge~Perm(K, D):')"協., *)(')= »/4°風)(, )匕嵐)(・)means A with two oracles 0顶 . )(')"쟈(. )( .); f* an adversary's query of 0, 1协(resp. to the first (resp. second) oracle it returns。心)(」切(resp.。成;)(0).
The PRP-RKA security notionC3] is defined by removin흥 the decryption oracle in Definition 4. This will be used in Sect. 4.
Ⅲ. From Secure Tweakable SPRP Families to Secure SPRP-RKA Families
Bellare and Kohno propose a construction method of secure PRP-RKA family (Proposition 9.1 of〔3)). In their security proof there are two ways to complete it: one is a direct proof which was concretely described in〔3〕, and the other one is an indirect pro就 i.e., it is based on the relationship between tweakable PRP families and PRP-RKA families (the second proof was sketched in〔3〕)’ In a formal statement, this proof can be naturally extended into the SPRP security notion.
Theorem 1. Let E: Kx T乂 UD be a tweakable permutation family and let E: (Kx 7)XUD be a permutation family defined as &血(网=练where k is a secret key in K t is either a tweak value in T of or a secret key in T of E, and M is a message in If is a secure tweakble SPRP, then E is a secure SPRP with respect to ^-restricted RKAs if each function 步 in 0 is a partial transformation for which there exists a function 甘:T-eT such that (机A盘)=(/©'(£)). Fomally, given a SPRP-RKA adversary A attacking E, we can construct a TWEAK-SPRP adversary BA attacking E such that
#
and Ba takes the same amount of time and makes the same number of oracle queries as A.
Using Theorem 1 and Theorem 2 of〔19〕, we can construct a secure SPRP-RKA family which is the most efficient to date. See Proposition 1 for the details. In Proposition 1, a set H of functions with domain Tond range D is said to be e-almost 2-xor universal ( e -AXU2) if Pr = 시 <e for all 幻协시: 19〕, where Prh[] is the probability over the function h.
Proposition 1. Let E\ KxD—D be a permutation family, let H: AD be an e-AXU2 family with e > 1/L퍼 and let E : (Kx T乂 上打乂 D—D be another permutation family defined as 矶(4)丄初=鸟(顺九。))㊉九(匕) where is a secret key in KxTxH, and M is a message in 2?. If is a secure SPRP and H is e—AXU2 where e is negligible, then Z is a secure SPRP with respect to ^-restricted RKAs when each function。in e is a partial transformation for which there exists a fiinction <j): T-eT such that ©("h, ) = (5(t), h, ). Formally, given a SPRP-RKA adversary A attacking E that queries its oracles with at most q queries, we can construct a SPRP adversary Ba attacking E such that
#
and Ba takes the same amount of time and makes the
Figure 1 compares the construction of Proposition 1 with the previous ones. Note that Constructions A and B calls two block ciphers while Construction C does one block cipher and one e-almost 2-xor universal function which is implemented faster than a block cipher. It follows that Construction C is more efficient than the other two constructions. See〔3, 21〕for the concrete security bounds of Constructions A and B.
[Fig. 1) Comparison of the construction (C) of Proposition 1 and the p「evio니s ones (A, B)
Theorem 1 can be also exploited to construct various secure permutation families from tweakable enciphering modes which are already known to be secure. The security of tweakable enciphering modes CMC ⑻, EME⑼, E* ME C7] is based on the security of the underlying block ciphers. In CMC, EME, E*, ME if the tweaks of CMC, EME, E* ME are modified into parts of keys, then the modified enciphering modes with fixed-length messages, i.e., the modified permutation families are secure against any ^-restricted related-key attack under the assumption that the underlying block ciphers are secure and the functions of 亟 only transform the modified key portions.
Ⅳ. From Secure PRF Families of a Certain Form to Secure PRP-RKA Families
This section shows that secure PRF families of a certain form can be transformed into secure PRP-RKA families. Before showing it, we give a tighter bound of the PRF-RKA/PRP-RKA switching Proposition 8.9 in〔3〕.
Lemma 1. Let A be a related-key adversary that queries its oracle with at most r different key transformations from fixed @ and at most q times per transformation. Then
#
where丿以乌=工蔼叫, 号三諏旭步:。(k) = k'|.
Proof. From Proposition 8.9 in〔3〕we know that
#
where represents the probability in the experiment E瓦 G』”也nd(瓦力此)and D represents the event that, for each related-key that A accesses to its oracle (i.e.} 0(fc) where A queries to its oracle), there are no collisions in the responses of the oracle for different messages. In〔3〕, Bellare and Kohno showed that
#
However, we can bound Pr5 [2>] more tightly.
Let °1, ©2广., 世', 3'£ 質)be transformations in 垂 that A queries. Without loss of generality, we assume that g (k) =. . .=如I (k)=知稣+1 (fc) =. . .=她+oJfc)=板 …, 如 -, 頂) =. ..= 시 = 如
where % +…+%-1+% =尸' and % 구如 for 1 <j<j < m. Since queries at most q times per key transformation, for each 奴 the probability of a colli sion in the output of the oracle on distinct inputs is 어 . g . (억. q— 1)at most -------------------- (this bound follows from Proposition A.l in〔2〕). Furthermore, each % is at most min (/, NM@\. Thus Prff [D\ is bounded as follows.
#
Using Lemma 1 we can easily show Theorem 2
Theorem 2. Let E:(-缶 乂K)xUD be a permutation family and let _P: -缶 x(瓦 x2?)—be a function femily defined as (시D协 = 耳恥(』初 where kt is a secret key in 灼 is either a secret key in of or a message in & of 矶 and Af is a message in D. If F is a secure PRF, then is a secure PRP with respect to ^-restricted RKAs if each function 页 in 步 is a partial transformation for which there exists a function 术:缶—瓦 such that = W(kJ). Formally, given a PRP-RKA adversary A attacking E that queries its oracle with at most r different key transformations and at most q queries per transformation, we can construct a PRF adversary BA attacking F such that
#
and Ba takes the same amount of time and makes the same nximber of oracle queries as A.
Proof. Let be the Z1 adversary that works as follows.
<Adversary B?')그
1. Select & at random &om 缶.
2. Obtain A's request 0(= (id, </))), M) by running A.
3. Return 00'(幻)1 成)to A.
4. If A outputs b, then output b. Otherwise, go to Step 2.
When Ba is given access to R & computes E with related keys. So the following equality holds:
#
When Ba is given access to G where G is randomly chosen from RmdU&x DJ旗 Ba replies to A using an independently selected random function on D for each 琴).So the equation
#
holds. Therefore, by using the above two equations and Lemma 1,
#
Theorem 2 can be exploited to construct various permutation families from MAC algorithms which are already known to be secure in the sense of PRF. Consider for example OMAC with fixed-leng± inputs, if all message blocks except for the first one are modified into parts of keys, then the modified pennutation family is secure against any ^-restricted related-key attack under the assumption that the underlying block cipher is secure in the sense of PRP and functions in 0 only transform the modified key portions.
Ⅴ. Relationships between Security Notions
In this section, we introduce some other security notions that give more information on psmutatio효 families and then clarify their relations. We first give a definition of indistinguishability, which is the same as the lefl-or-right security notion of Bellare et al.〔1〕.
Definition 5. (TWEAK-IND) [8] Let E:KxTxD-eD be a tweakable permutation family and ^4 be an adversary. Then the tweak-ind advantage of A is defined by
#
means A with two oracles 5( ., . )6, , . )6; for an adversary's query of (resp. ((寄, q), (7j, q))) to the first (resp. second) oracle it returns 3(7;, 衅)(resp. d(4, q)).
Similarly, the IND-RKA security notion can be defined as follows.
Definition 6. (IND-RKA) Let E: KxUD be a permutation family and be a set of functions over K・ Let >1 be an adversary that is restricted to queries within 时 D. Then the ind-rka advantage of A is defined by
#
湿져.)(>0 = 0 or 1) means A with two oracles ORK{ .)(.)% O諷.)(. )6 ; for an adversary's query of (0("楠), (如力4)) (resp.((加4), (郊q))) to the first (resp. second) oracle it returns 잉皿)(孵) (厂冲잉(%)(q)).
Note that the tweak-ind adversary and the ind-rka adversary should be disallowed from asking queries that will allow it to win trivially. In the IND-RKA security notion, when the ind-rka adversary gets an answer C from the encryption oracle for a query ((偽〃崎), (S』4)), the adversary should be disallowed from asking queries (0京崎), (., .)), or ((., -), (爲, 格)) to the encryption oracle and queries (&6( ., .)), or ((., . to the decryption oracle, where (., .) represents an arbitrary argument. The similar argument is applied when the ind-rka adversary gets an answer M from the decryption oracle for a query ((知q), 0i, q))・ See〔8〕for the disallowed queries of a tweak-ind adversary.
We now consider another security notion, nonalleability. In a tweakable permutation family E. Tfx TxDtD, a tweak-nm adversary A is given access to an encrypting oracle 耳(., . ) and a decrypting oracle ., - ) where K is chosen uniformly at random from the set of keys K、In order to define the advantage of a tweak-nm adversary A we need definitions of the following three sets.
-a set of all M such that A asks _&%(., .) to encrypt (t, M) or A asks ■案'* ( , *) to decrypt (i, C) and its answer is M.
-C(t) : a set of all C such that4 asks .) to decrypt (松 d) or A asks ) to enciypt and its answer is C.
-: a set 底t(很力 if CEC(n and a set otherwise.
DeHnition 7. (TWEAK・NNQ〔8〕Let KKeTxLeD be a tweakable permutation family and ^4 be an adversary. Then the tweak-nm advantage of A is defined by
#
The function f is the encoding of a predicate f :ao 丄
Similarly, we can define non-malleability of a permutation family E\ KxUD against related-key attacks. In related-key attack models, an nm-rka adversary A is given access to an encrypting oracle Erk<財 *)and a decrypting oracle 碳(.』)(*) where K is chosen uniformly at random from the set of keys K・ In these attack models, A is restricted to queries of the form (</>, x) in which © is in a certain set of key transformations and x is in D. The three sets are defined as follows.
-M。) : a set of all Af such that A asks ERKe ., * 、)(.) to enciypt or A asks 瓦;(., *)(.) to decrypt (@ and its answer is M.
-C0) : a set of all C such that A asks 瓦* .* , )(, ) to decrypt (4)C) or A asks Eg. , &)(.)to encrypt and its answer is C.
-M0Q) : a set E;&(O if C* B硏, and a set D- M0) otherwise.
Definition 8. (NM-RKA) Let E-. KxD-^-D be a permutation family and be a set of functions over K. Let A be an adversary that is restricted to queries within 金xD. Then the nm-rka advantage of A is defined by
#
The function f is the encoding of a predicate /:刀—0, 1.
The following three theorems clarify the relationships between these newly defined security notions IND-RKA, NM-RKA and the SPRP-RKA security notion. Theorem 3 shows that SPRP-RKA security implies IND-RKA security and Theorem 4 shows the converse. Theorem 5 shows that SPRP-RKA. security implies NM-RKA
security. The proofs of Theorems 3, 4, 5 are similar to the proofs of〔8), so we omit them.
Theorem 3. Let E\ KxD—D be a permutation family and be a set of functions over K. If E is secure in the sense of SPRP-RKA restricted to 轧 then E is also secure in the sense of IND-RKA restricted the 豆 Formally, given a ^-restricted IND-RKA adversary A that queries its oracles with at most q queries, we can construct a ^-restricted SPRP-RKA adversary BA such that
#
and Ba takes almost same amount of time and makes the same number of oracle queries as A.
Theorem 4. Let E\ KxHD be a permutation family and be a set of functions over K. If E is secure in the sense of IND・RKA restricted to <?, then E is also secure in 나le sense of SPRP-RKA restricted the 0. Formally, given a ^-restricted SPRP-RKA adversary A that queries its oracles with at most q queries, we can construct a ^-restricted IND-RKA adversary Ba such that
#
and Ba takes almost same amount of time and makes the same number of oracle queries as A.
Theorem 5. Let E: KXD~fD be a permutation family and be a set of functions over .《If £ is secure in the sense of SPRP-RKA. restricted to 步, then E is also secure in the sense of NM-RKA restricted the 勿 Formally, given a ^-restricted NM-RKA adversary A that queries its oracles with at most q queries, we can construct a ^-restricted SPRP-RKA adversary BA such that
#
and Ba takes almost same amount of time as A and makes one more query than A.
The following two theorems show that secure TWEAK-IND (resp. TWEAK-NM) families can be transformed into secure IND-RKA (resp. NM-RKA) families.
Theorem 6. Let 每 K* Tx. D-eD be a tweakable permutation family and let E-. (kx T) x HD be a permutation family defined as in Theorem 1. If E is secure in the sense of TWEAK-IND, then E is secure in the sense of IND-RKA restricted to ① if each function ©w① is a partial transformation for which there exists a function g: T-eT such that ©(k, z) = (#渺(圳. Formally, given a ^-restricted IND-RKA adversary A attacking we can construct a TWEAK-IND adversary Ba attacking E such that
#
and Ba takes the same amount of time and makes the same number of oracle queries as A.
Proof. Let BA be the E adversary that works as follows.
<AdversajA
1. Select t at random from T.
2. Obtain X's request (%, 』%), (4), %)) (or (00, q), (如 q)))切 running & vtoe 布=㎛, 札) and S =(以©'J.
3. Return 2矶(玖衅)(or b W), q)) to A.
4. If A outputs 甘, then output b'. Otherwise, go to Step 2.
Since the adversary BA is given access to 耳(., .)匕-用「1( ., - )6 where k is randomly chosen from K, Ba computes (., 니, )( . )七碱(., 니')( -)° by running A. So the equality
#
holds. This completes the proof.
Theorem 7. Let 玉). KxTxUD be a tweakable permutation family and let E:(KxTMDfD be a permutation family defined as in Theorem 1. If £* is secure in the sense of TWEAK-NM, then E is secure in the sense of NM-RKA restricted to 步 if each function ©u鱼 is a partial transformation for which there exists a function ' : T-eT such that ©(") = (t)). Formally, given a -restricted NM-RKA adversary A attacking E, we can construct a TWEAK-NM adversary Ba attacking E such that
#
and Ba takes the same amount of time and makes the same number of ora이e queries as A.
Proof. Let 匀 be the Z adversary that works as follows.
<Adversary 그
1. Select t at random from T.
2. Obtain 4s request 0(* =( 泌6)* ), 財)(or 0(* =0 娜)* )0) by running A.
3. Return 久犷(£), 可)(or /(4)(* t), G)) to A.
4. If A outputs 0(=(H0')), Gf), then output 0'(玖 Gf). Otherwise, go to Step 2.
Since the adversary BA is given access t。_或(., .), 攻 ¥ ., , ) where k is chosen uniformly at random from K, Ba computes
., 曲)( .), 磁(., 세*)( .)by running A. So it is easy to see that
#
Since 广(#(£), C)) = 1 if and only if .f㈤iiM(O) = l, the equ시ity
#
holds. Furthermore, for all , =(讪矿)and C M締 of Ba takes the same distribution with M0、(》of A and thus the equation
#
holds. This completes the proof.
Ⅵ. Conclusion
We have presented a SPRP construction that is secure against related-key attacks (SPRP-RKA) from a tweakable SPRP, which is the most efficient to date. We have also improved a bound for the PRF-RKA /PRP-RKA switching proposition, which provides a tighter security bound for constructing PRP-RKA ciphers from PRF of a certain form. Our observations can stimulate the design and analysis of SPRP (or PRP) that are secure against related-key attacks.
Acknowledgements. We thank Bart Preneel for his helpful comments.
References
- M. Bellare, A. Desai, E. Jokipii and P. Rogaway, A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation, Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997. The revised version is available at http://www-cse.ucsd.edu/users/mihir
- M. Bellare, J. Kilian and P. Rogaway, The Security of the Cipher Block Chaining message authentication code, Journal of Computer and System Sciences, Vol. 61, No. 3, pp.362-399, 2000 https://doi.org/10.1006/jcss.1999.1694
- M. Bellare and T. Kohno, A Theoretical Treatment of Related-Key Attacks:RKA-PRPs, RKA-PRFs, and Applications, Advances in Cryptology-Proceedings of EUROCRYPT 2003, LNCS 2654, Springer-Verlag, pp.491-506, 2003, Full version is available at http://www.cs.ucsd.edu/users/tkohno/papers/RKA
- E. Biham, New Types of Cryptanalytic Attack Using Related Keys, Advances in Cryptology-Proceedings of EUROCRYPT 1993, LNCS 765, pp.398-409, Springer-Verlag, 1994
- E. Biham, O. Dunkelman and N. Keller, Related-Key Boomerang and Rectangle Attacks, Advances in Cryptology - Proceedings of EUROCRYPT 2005, LNCS 3494, pp.507-525, Springer-Verlag, 2005
- E. Biham, O. Dunkelman and N. Keller, Related-Key Rectangle Attack on the Full KASUMI, Advances in Cryptology - Proceedings of ASIACRYPT 2005, to appear
- S. Halevi, EME*:eXtending EME to handle arbitrary-length messages with associated data, 2004. Available at the ePrint archive, http://eprint.iacr.org/2004/125/
- S. Halevi and P. Rogaway, A Tweakable Enciphering Mode, Advances in Cryptology - Proceedings of CRYPTO 2003, LNCS 2729, Springer-Verlag, pp.482-499, 2003
- S. Halevi and P. Rogaway, A Parallelizable Enciphering Mode, Proceedings of CT-RSA 2004, LNCS 2964, Springer-Verlag, pp.292-304, 2004, Full version is available at the ePrint archive, http://eprint.iacr.org/2003/147/
- P. Hawkes, Differential-Linear Weak-Key Classes of IDEA, Advances in Cryptology - Proceedings of EUROCRYPT 1998, LNCS 1403, pp.112-126, Springer-Verlag, 1998
- G. Jakimoski and Y. Desmedt, Related-Key Differential Cryptanalysis of 192-bit Key AES Variants, Proceedings of SAC 2003, LNCS 3006, Springer-Verlag, pp.208-221, 2003
- J. Kelsey, B. Schneier and D. Wagner, Keyschedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES, Advances in Cryptology-Proceedings of CRYPTO 1996, LNCS 1109, Springer-Verlag, pp.237-251, 1996
- J. Kelsey, B. Schneier and D. Wagner, Related-key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, Information and Communications Security 1997, LNCS 1334, Springer-Verlag, pp.233-246, 1997
- J. Kim, G. Kim, S. Hong, S. Lee and D. Hong, The Related-Key Rectangle Attack - Application to SHACAL-1, Proceedings of ACISP 2004, LNCS 3108, Springer-Verlag, pp.123-136, 2004
- J. Kim, G. Kim, S. Lee, J. Lim and J. Song, Related-Key Attacks on Reduced Rounds of SHACAL-2, Proceedings of INDOCRYPT 2004, LNCS 3348, Springer-Verlag, pp.175-189, 2004
- J. Kim, S. Hong and B. Preneel, Related-Key Rectangle Attacks on Reduced AES-192 and AES-256, Proceedings of FSE 2007, to appear
- L.R. Knudsen, Cryptanalysis of LOKI91, Advances in Cryptology-Proceedings of AUSCRYPT 1992, LNCS 718, Springer-Verlag, pp.196-208, 1993
- Y. Ko, S. Hong, W. Lee, S. Lee and J. Kang, Related Key Differential Attacks on 26 Rounds of XTEA and Full Rounds of GOST, Proceedings of FSE 2004, LNCS 3017, Springer-Verlag, pp.299-316, 2004
- M. Liskov, R. L. Rivest and D. Wagner, Tweakable Block Ciphers, Advances in Cryptology-Proceedings of CRYPTO 2002, LNCS 2442, Springer-Verlag, pp.31-46, 2002
- M. Luby and C. Rackoff, How to Construct Pseudorandom Permutations from Peudorandom Function, SIAM J. Computation, Vol.17, No.2, 1988
- S. Lucks, Ciphers Secure against Related-Key Attacks, Proceedings of FSE 2004, LNCS 3017, Springer-Verlag, pp.359-370, 2004
- M. Naor and O. Reingold, On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisted, Journal of Cryptology, Vol.12, No.1, pp.29-66, 1999 https://doi.org/10.1007/PL00003817