Composition Does Not Imply Adaptive Security

  • Krzysztof Pietrzak
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)


We study the question whether the sequential or parallel composition of two functions, each indistinguishable from a random function by non-adaptive distinguishers is secure against adaptive distinguishers. The sequential composition of F \((\centerdot)\) and G \((\centerdot)\) is the function G(F(\(\centerdot\))), the parallel composition is F \((\centerdot) \bigstar\) G \((\centerdot)\) where ⋆ is some group operation. It has been shown that composition indeed gives adaptive security in the information theoretic setting, but unfortunately the proof does not translate into the more interesting computational case.

In this work we show that in the computational setting composition does not imply adaptive security: If there is a prime order cyclic group where the decisional Diffie-Hellman assumption holds, then there are functions F and G which are indistinguishable by non-adaptive polynomially time-bounded adversaries, but whose parallel composition can be completely broken (i.e. we recover the key) with only three adaptive queries. We give a similar result for sequential composition. Interestingly, we need a standard assumption from the asymmetric (aka. public-key) world to prove a negative result for symmetric (aka. private-key) systems.


Sequential Composition Parallel Composition Pseudorandom Function Adaptive Query Adaptive Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    El-Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985)zbMATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Luby, M., Rackoff, C.: Pseudo-random permutation generators and cryptographic composition. In: Proc. 18th ACM Symposium on the Theory of Computing (STOC), pp. 356–363 (1986)Google Scholar
  4. 4.
    Maurer, U., Pietrzak, K.: Composition of random systems: When two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Myers, S.: Efficient amplification of the security of weak pseudo-random function generators. Journal of Cryptology 16(1), 1–24 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Myers, S.: Black-box composition does not imply adaptive security. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 189–206. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Pietrzak, K.: Exploring minicrypt, Manuscript (2005)Google Scholar
  8. 8.
    Pletscher, P.: Adaptive security of composition, Semester Thesis. Advisors K. Pietrzak and U. Maurer (2005)Google Scholar
  9. 9.
    Vaudenay, S.: Decorrelation: A theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Krzysztof Pietrzak
    • 1
  1. 1.Department of Computer ScienceETH ZürichZürichSwitzerland

Personalised recommendations