Equivalence of Uniform Key Agreement and Composition Insecurity

  • Chongwon Cho
  • Chen-Kuei Lee
  • Rafail Ostrovsky
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


We prove that achieving adaptive security from composing two general non-adaptively secure pseudo-random functions is impossible if and only if a uniform-transcript key agreement protocol exists.

It is well known that proving the security of a key agreement protocol (even in a special case where the protocol transcript looks random to an outside observer) is at least as difficult as proving \(P \not = NP\). Another (seemingly unrelated) statement in cryptography is the existence of two or more non-adaptively secure pseudo-random functions that do not become adaptively secure under sequential or parallel composition. In 2006, Pietrzak showed that at least one of these two seemingly unrelated statements is true. Pietrzak’s result was significant since it showed a surprising connection between the worlds of public-key (i.e., “cryptomania”) and private-key cryptography (i.e., “minicrypt”). In this paper we show that this duality is far stronger: we show that at least one of these two statements must also be false. In other words, we show their equivalence.

More specifically, Pietrzak’s paper shows that if sequential composition of two non-adaptively secure pseudo-random functions is not adaptively secure, then there exists a key agreement protocol. However, Pietrzak’s construction implies a slightly stronger fact: If sequential composition does not imply adaptive security (in the above sense), then a uniform-transcript key agreement protocol exists, where by uniform-transcript we mean a key agreement protocol where the transcript of the protocol execution is indistinguishable from uniform to eavesdroppers. In this paper, we complete the picture, and show the reverse direction as well as a strong equivalence between these two notions. More specifically, as our main result, we show that if there exists any uniform-transcript key agreement protocol, then composition does not imply adaptive security. Our result holds for both parallel and sequential composition. Our implication holds based on virtually all known key agreement protocols, and can also be based on general complexity assumptions of the existence of dense trapdoor permutations.


Sequential Composition Parallel Composition Adaptive Query Adaptive Security Secure Composition 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Cho, C., Lee, C.K., Ostrovsky, R.: Equivalence of uniform key agreement and composition insecurity. Electronic Colloquium on Computational Complexity (ECCC), Report No. 108 (2009)Google Scholar
  2. 2.
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  3. 3.
    Holenstein, T.: Key agreement from weak bit agreement. In: STOC 2005: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 664–673. ACM, New York (2005)CrossRefGoogle Scholar
  4. 4.
    Impagliazzo, R.: A personal view of average-case complexity. In: SCT 1995: Proceedings of the 10th Annual Structure in Complexity Theory Conference, p. 134. IEEE Computer Society, Washington (1995)CrossRefGoogle Scholar
  5. 5.
    Luby, M., Rackoff, C.: Pseudo-random permutation generators and cryptographic composition. In: STOC 1986: Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pp. 356–363. ACM, New York (1986)CrossRefGoogle Scholar
  6. 6.
    Maurer, U., Pietrzak, K.: Composition of random systems: When two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Myers, S.: Black-box composition does not imply adaptive security. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 189–206. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Pietrzak, K.: Composition does not imply adaptive security. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 55–65. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Pietrzak, K.: Composition implies adaptive security in minicrypt. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 328–338. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Vaudenay, S.: Decorrelation: A theory for block cipher security. J. Cryptology 16(4), 249–286 (2003)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Chongwon Cho
    • 1
  • Chen-Kuei Lee
    • 1
  • Rafail Ostrovsky
    • 2
  1. 1.Department of Computer ScienceUCLA 
  2. 2.Department of Computer Science and MathematicsUCLA 

Personalised recommendations