Abstract

Block cipher cryptanalysis in the related-key adversary model is usually underestimated, since it is believed that the conditions of this model can hardly be achieved in practice. Nevertheless, using keys with a known relation between them (e.g. for constructing a lightweight key-derivation procedure) in cryptographic schemes and protocols could increase their efficiency without significant security loss. In this case the base cryptographic primitives (e.g. block ciphers) must be secure in a strong enough related-key adversary model. We propose a new internally re-keyed block cipher mode of operation called CTRR ("CounTer with Related-key Re-keying" mode). We prove its security under the assumption that the underlying cipher is secure in the related-key adversary model. As far as the authors know, this mode is the first block cipher encryption mode whose proven cryptographic properties are essentially based on the related-key security of the underlying primitives. We also study the security of the Kuznyechik block cipher against related-key attacks. We have managed to propose an attack only on an essentially reduced variant of the Kuznyechik cipher (up to 4 rounds and with a significantly simplified key schedule). The attack requires approximately $2^{12}$ encryptions under $2^{12}$ related keys and $2^{43}$ offline encryptions to recover the secret key. We also discuss why extending such an approach to the original cipher seems to be impossible. We use this heuristic reasoning to make the assumption that the cipher is secure in the corresponding adversary model and can be used with the proposed mode. At the same time, of course, related-key cryptanalysis of the Kuznyechik cipher has to be continued. The results were originally presented at the CTCrypt'2018 workshop.
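To illustrate the internal re-keying idea behind a "counter with related-key re-keying" mode, here is an added example (not the paper's CTRR specification and not Kuznyechik): a CTR-style mode that switches to a related key after every fixed number of blocks. The key relation (XOR of the master key with the section index), the section length and the hash-based toy Feistel block cipher are all assumptions made for the sake of a runnable illustration.

```python
import hashlib

BLOCK = 16          # block size in bytes
SECTION_BLOCKS = 4  # blocks processed under one key before re-keying (assumed parameter)


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Toy Feistel round function (hash-based); a stand-in PRP, not Kuznyechik."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round balanced Feistel network, used only to make the mode runnable."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return r + l  # undo the swap of the final round


def related_key(master: bytes, section: int) -> bytes:
    """Assumed key relation: master key XORed with the section index (illustrative only)."""
    delta = section.to_bytes(BLOCK, "big")
    return bytes(a ^ b for a, b in zip(master, delta))


def ctrr_encrypt(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode whose key is replaced by a related key every SECTION_BLOCKS blocks.

    The adversary thus sees ciphertext under several keys with a known relation,
    which is exactly why the underlying cipher must be related-key secure.
    """
    assert len(master) == BLOCK and len(nonce) == BLOCK // 2
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block_no = i // BLOCK
        key = related_key(master, block_no // SECTION_BLOCKS)   # internal re-keying
        ctr = nonce + block_no.to_bytes(BLOCK // 2, "big")      # counter block
        keystream = toy_block_encrypt(key, ctr)
        chunk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))   # zip trims last block
    return bytes(out)


ctrr_decrypt = ctrr_encrypt  # counter-style modes are their own inverse
```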
