Equivalence of Uniform Key Agreement and Composition Insecurity
Chongwon Cho, Chen-Kuei Lee, Rafail Ostrovsky
Abstract
We prove that achieving adaptive security from composing two general non-adaptively secure pseudorandom functions is impossible if and only if a uniform-transcript key agreement protocol exists.
It is well known that proving the security of a key agreement protocol (even in a special case where the protocol transcript looks random to an outside observer) is at least as difficult as proving \(P \neq NP\). Another (seemingly unrelated) statement in cryptography is the existence of two or more non-adaptively secure pseudorandom functions that do not become adaptively secure under sequential or parallel composition. In 2006, Pietrzak showed that at least one of these two seemingly unrelated statements is true. Pietrzak's result was significant since it showed a surprising connection between the worlds of public-key (i.e., "cryptomania") and private-key cryptography (i.e., "minicrypt"). In this paper we show that this duality is far stronger: we show that at least one of these two statements must also be false. In other words, we show their equivalence.
More specifically, Pietrzak's paper shows that if sequential composition of two non-adaptively secure pseudorandom functions is not adaptively secure, then there exists a key agreement protocol. However, Pietrzak's construction implies a slightly stronger fact: if sequential composition does not imply adaptive security (in the above sense), then a uniform-transcript key agreement protocol exists, where by uniform-transcript we mean a key agreement protocol whose protocol transcript is indistinguishable from uniform to eavesdroppers. In this paper, we complete the picture and show the reverse direction as well, giving a strong equivalence between these two notions. More specifically, as our main result, we show that if there exists any uniform-transcript key agreement protocol, then composition does not imply adaptive security. Our result holds for both parallel and sequential composition. Our implication holds based on virtually all known key agreement protocols, and can also be based on the general complexity assumption that dense trapdoor permutations exist.
References
Cho, C., Lee, C.K., Ostrovsky, R.: Equivalence of uniform key agreement and composition insecurity. Electronic Colloquium on Computational Complexity (ECCC), Report No. 108 (2009)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Holenstein, T.: Key agreement from weak bit agreement. In: STOC 2005: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 664–673. ACM, New York (2005)
Impagliazzo, R.: A personal view of average-case complexity. In: SCT 1995: Proceedings of the 10th Annual Structure in Complexity Theory Conference, p. 134. IEEE Computer Society, Washington (1995)
Luby, M., Rackoff, C.: Pseudorandom permutation generators and cryptographic composition. In: STOC 1986: Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pp. 356–363. ACM, New York (1986)
Maurer, U., Pietrzak, K.: Composition of random systems: When two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)
Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)
Myers, S.: Black-box composition does not imply adaptive security. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 189–206. Springer, Heidelberg (2004)
Pietrzak, K.: Composition does not imply adaptive security. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 55–65. Springer, Heidelberg (2005)
Pietrzak, K.: Composition implies adaptive security in minicrypt. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 328–338. Springer, Heidelberg (2006)
Vaudenay, S.: Decorrelation: A theory for block cipher security. J. Cryptology 16(4), 249–286 (2003)
 Title
 Equivalence of Uniform Key Agreement and Composition Insecurity
 Book Title
 Advances in Cryptology – CRYPTO 2010
 Book Subtitle
30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings
 Pages
pp 447-464
 Copyright
 2010
 DOI
10.1007/978-3-642-14623-7_24
 Print ISBN
978-3-642-14622-0
 Online ISBN
978-3-642-14623-7
 Series Title
 Lecture Notes in Computer Science
 Series Volume
 6223
 Series ISSN
0302-9743
 Publisher
 Springer Berlin Heidelberg
 Copyright Holder
 International Association for Cryptologic Research
Editors
Tal Rabin (16)
Editor Affiliations
16. IBM T.J. Watson Research Center
Authors
Chongwon Cho (17)
Chen-Kuei Lee (17)
Rafail Ostrovsky (18)
Author Affiliations
17. Department of Computer Science, UCLA
18. Department of Computer Science and Mathematics, UCLA