We study the question of whether the sequential or parallel composition of two functions, each indistinguishable from a random function by non-adaptive distinguishers, is secure against adaptive distinguishers. The sequential composition of F(·) and G(·) is the function G(F(·)); the parallel composition is F(·) ⋆ G(·), where ⋆ is some group operation. It has been shown that composition indeed gives adaptive security in the information-theoretic setting, but unfortunately the proof does not translate into the more interesting computational case. In this work we show that in the computational setting composition does not imply adaptive security: if there is a prime-order cyclic group in which the decisional Diffie-Hellman assumption holds, then there are functions F and G which are indistinguishable from random by non-adaptive polynomial-time adversaries, but whose parallel composition can be completely broken (i.e. the key is recovered) with only three adaptive queries. We give a similar result for sequential composition. Interestingly, we need a standard assumption from the asymmetric (a.k.a. public-key) world to prove a negative result for symmetric (a.k.a. private-key) systems.