Composition Does Not Imply Adaptive Security
Author

Abstract
We study the question whether the sequential or parallel composition of two functions, each indistinguishable from a random function by non-adaptive distinguishers, is secure against adaptive distinguishers. The sequential composition of F(·) and G(·) is the function G(F(·)); the parallel composition is F(·) ⋆ G(·), where ⋆ is some group operation. It has been shown that composition indeed gives adaptive security in the information-theoretic setting, but unfortunately the proof does not translate into the more interesting computational case. In this work we show that in the computational setting composition does not imply adaptive security: if there is a prime-order cyclic group where the decisional Diffie-Hellman assumption holds, then there are functions F and G which are indistinguishable by non-adaptive polynomially time-bounded adversaries, but whose parallel composition can be completely broken (i.e. we recover the key) with only three adaptive queries. We give a similar result for sequential composition. Interestingly, we need a standard assumption from the asymmetric (aka public-key) world to prove a negative result for symmetric (aka private-key) systems.

1 Sequential and Parallel Composition

We continue to investigate the question whether composition of (pseudo)random functions yields a function whose security is in some sense superior to that of any of its components. The two most natural ways to compose functions are to apply them either sequentially or in parallel. For two functions F and G we denote by G∘F the sequential composition, $G\circ F(x) \stackrel{\text{def}}{=} G(F(x))$, and by F⋆G the parallel composition, $F \star G(x) \stackrel{\text{def}}{=} F(x) \star G(x)$, where ⋆ is some group operation defined on the range of F and G. In the information-theoretic model one considers computationally unbounded adversaries and only bounds the number of queries they are allowed to make.
In this model Vaudenay [9] shows that if a permutation F cannot be distinguished from random with advantage more than $\varepsilon$ by any adaptive (resp. non-adaptive) distinguisher¹ making q queries, then the sequential composition of k such permutations has security $2^{k-1}\varepsilon^{k}$ against adaptive (resp. non-adaptive) distinguishers. The same holds for parallel composition, where F can be a function and does not have to be a permutation. For the computational case, where one considers polynomially time-bounded adversaries, a similar amplification result was proven by Luby and Rackoff [3].² So if we have a function with some security against adaptive (resp. non-adaptive) distinguishers, we can amplify this security for the same class of distinguishers in both models. Another question is whether we always get adaptive security by the composition of non-adaptively secure functions. This is in fact true in the information-theoretic model: Maurer and Pietrzak [4] show that if F and G both have security $\varepsilon$ against non-adaptive distinguishers, then F⋆G has security $2\varepsilon(1 + \ln\frac{1}{\varepsilon})$ against adaptive distinguishers (the same holds for G∘F if F and G are permutations). But no such result is known for the computational case. In fact, Myers [6] showed that there is an oracle relative to which non-adaptively secure permutations exist, but their sequential composition is not adaptively secure. This means that if it were indeed true that composition always implies adaptive security, no relativizing proof of that can exist.

* Supported by the Swiss National Science Foundation, project No. 200020-103847/1.

¹ Adaptive means that the distinguisher can choose the (i+1)-th query after seeing the output to the i-th query. A non-adaptive distinguisher must decide which q queries he wants to make beforehand.
² Unlike in Vaudenay's information-theoretic result, where k, the number of components in the cascade, can be arbitrary (in particular any function of n), the computational amplification proven in [3] requires k to be a constant independent of the security parameter. Myers [5] proves a stronger amplification for PRFs (which, unlike [3], allows one to turn a weak PRF into a strong one) for a construction which is basically parallel composition with some extra random values XOR-ed to the inputs.

As only very few non-relativizing proofs are known (not only in cryptography, but in complexity theory in general), Myers argues that this might be the reason for the lack of formal evidence that composition increases security, even though this belief is shared by many cryptographers (including myself until recently). Here we show that composition does not imply adaptive security in general if there is a group where the decisional Diffie-Hellman assumption holds. We will construct functions F and G which are indistinguishable by non-adaptive (polynomial-time) distinguishers if the DDH assumption holds, but where a simple adaptive strategy exists to get the whole key out of F⋆G with only three adaptive queries. We then construct F and G such that the same holds for G∘F.

1.1 Notation and Definitions

Efficient/Negligible/Indistinguishable. We denote by $\kappa \in \mathbb{N}$ our security parameter. An efficient algorithm is an algorithm whose running time is polynomial in κ. A function $\mu : \mathbb{N} \to [0,1]$ is negligible if for any $c > 0$ there is an $n_0$ such that $\mu(n) \le 1/n^{c}$ for all $n \ge n_0$. Two families of distributions (indexed by κ) are indistinguishable if any efficient algorithm has negligible advantage (over a random guess) in distinguishing them.

The DDH Assumption. The DDH assumption for a prime-order cyclic group $G = G(\kappa)$ states that for a generator g of G and random x, y the triplet $(g^{x}, g^{y}, g^{xy})$ is indistinguishable from random. We denote the maximal advantage of any
algorithm A running in time t for the DDH problem as

$$\mathrm{Adv}_{\mathrm{DDH}}(t) \stackrel{\text{def}}{=} \max_{A} \left| \Pr_{x,y}\left[A(g^{x}, g^{y}, g^{xy}) \to 1\right] - \Pr_{a,b,c}\left[A(g^{a}, g^{b}, g^{c}) \to 1\right] \right|$$

For example, the DDH assumption is believed to be true for the following groups: let Q be a prime such that $Q - 1 = rP$ for some large prime P (say $\log(P) \ge \kappa$). Let h be a generator of $\mathbb{Z}_Q^{*}$; then $g = h^{r}$ is a generator of the subgroup $G \stackrel{\text{def}}{=} \langle g \rangle$ of order P. In G any $a \ne 1$ is a generator, where 1 denotes the identity element.

The El-Gamal Cryptosystem. Let G, g, P be as above. The El-Gamal public-key cryptosystem [2] over G with generator g is defined as follows: the private key is a random $x \in \mathbb{Z}_P$, and the public key is $g^{x}$. To encrypt $m \in G$ with the public key $g^{x}$ we choose $r \in \mathbb{Z}_P$ at random and compute the ciphertext in G as

$$\mathrm{Enc}_{g^{x}}(m, r) = (m\,g^{xr},\; g^{r})$$

The decryption of a ciphertext (a, b) with secret key x goes as
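As an added worked example (not code from the paper), the following Python builds the prime-order subgroup $G = \langle g\rangle$ of $\mathbb{Z}_Q^{*}$ described above, runs El-Gamal over it, and samples DDH triplets of both kinds. The parameters Q = 1019, P = 509 (so r = 2) are toy values constructed for illustration; with such a small P the exhaustive-search distinguisher at the end trivially tells real DDH triplets from random ones, which is exactly why the assumption requires $\log(P) \ge \kappa$. The decryption step, which the text breaks off before stating, is the standard $a \cdot (b^{x})^{-1}$.

```python
# Added example: order-P subgroup of Z_Q^* (Q - 1 = r*P), El-Gamal over it,
# and DDH triplet sampling.  Q = 1019, P = 509 are constructed toy parameters.
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


class PrimeOrderGroup:
    """G = <g>, the subgroup of Z_Q^* of prime order P, where Q - 1 = r*P."""

    def __init__(self, Q: int, P: int):
        if not (is_prime(Q) and is_prime(P) and (Q - 1) % P == 0):
            raise ValueError("need primes Q, P with P dividing Q - 1")
        self.Q, self.P, self.r = Q, P, (Q - 1) // P
        # h^r always lies in the order-P subgroup; if it is not the identity
        # it generates the whole subgroup, since any a != 1 in G is a generator.
        h = 2
        while pow(h, self.r, Q) == 1:
            h += 1
        self.g = pow(h, self.r, Q)

    def mul(self, a: int, b: int) -> int:
        return a * b % self.Q

    def exp(self, a: int, e: int) -> int:
        return pow(a, e, self.Q)

    def inv(self, a: int) -> int:
        return pow(a, self.Q - 2, self.Q)  # Fermat inverse, Q prime

    def contains(self, a: int) -> bool:
        return 0 < a < self.Q and pow(a, self.P, self.Q) == 1

    def random_exponent(self) -> int:
        return secrets.randbelow(self.P)  # uniform element of Z_P


# --- El-Gamal over G --------------------------------------------------------
def keygen(G: PrimeOrderGroup):
    x = G.random_exponent()          # private key x in Z_P
    return x, G.exp(G.g, x)          # public key g^x


def encrypt(G: PrimeOrderGroup, pk: int, m: int, r=None):
    if not G.contains(m):
        raise ValueError("message must be an element of G")
    if r is None:
        r = G.random_exponent()
    return G.mul(m, G.exp(pk, r)), G.exp(G.g, r)   # (m * g^{xr}, g^r)


def decrypt(G: PrimeOrderGroup, x: int, ct) -> int:
    a, b = ct
    return G.mul(a, G.inv(G.exp(b, x)))             # a / b^x = m


# --- DDH triplets -----------------------------------------------------------
def ddh_triplet(G: PrimeOrderGroup, real: bool):
    """(g^x, g^y, g^xy) if real, else (g^a, g^b, g^c) with independent c."""
    x, y = G.random_exponent(), G.random_exponent()
    z = x * y % G.P if real else G.random_exponent()
    return G.exp(G.g, x), G.exp(G.g, y), G.exp(G.g, z)


def dlog(G: PrimeOrderGroup, a: int) -> int:
    """Exhaustive search for x with g^x = a; cost P, so only viable for toy P."""
    acc = 1
    for x in range(G.P):
        if acc == a:
            return x
        acc = G.mul(acc, G.g)
    raise ValueError("a is not in G")


def ddh_break(G: PrimeOrderGroup, triplet) -> bool:
    """Brute-force distinguisher: outputs 1 iff C == B^{dlog(A)}, i.e. the
    triplet is a real DDH triplet (for a random one this holds with prob. 1/P)."""
    A, B, C = triplet
    return G.exp(B, dlog(G, A)) == C


if __name__ == "__main__":
    G = PrimeOrderGroup(1019, 509)
    x, pk = keygen(G)
    m = G.exp(G.g, 123)
    print("decrypts correctly:", decrypt(G, x, encrypt(G, pk, m)) == m)
    print("real triplet recognised:", ddh_break(G, ddh_triplet(G, True)))
```

Scaling P up to cryptographic size makes `dlog` (and hence `ddh_break`) infeasible, which is the content of the DDH assumption; the rest of the code is unchanged apart from replacing the trial-division primality test.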
Similar resources
Black-Box Composition Does Not Imply Adaptive Security
In trying to provide formal evidence that composition has security-increasing properties, we ask if the composition of non-adaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are non-adaptively secure permutation generators, but where the composition of such generators fails to achieve security again...
Equivalence of Uniform Key Agreement and Composition Insecurity
We prove that achieving adaptive security from composing two general non-adaptively secure pseudo-random functions is impossible if and only if a uniform-transcript key agreement protocol exists. It is well known that proving the security of a key agreement protocol (even in a special case where the protocol transcript looks random to an outside observer) is at least as difficult as proving P ∕...
Definitional Issues in Functional Encryption
We provide a formalization of the emergent notion of “functional encryption,” as well as introduce various security notions for it, and study relations among the latter. In particular, we show that indistinguishability and semantic security based notions of security are inequivalent for functional encryption in general; in fact, “adaptive” indistinguishability does not even imply “non-adaptive”...
Composition Implies Adaptive Security in Minicrypt
To prove that a secure key-agreement protocol exists one must at least show P ≠ NP. Moreover any proof that the sequential composition of two non-adaptively secure pseudorandom functions is secure against at least two adaptive queries must falsify the decisional Diffie-Hellman assumption, a standard assumption from public-key cryptography. Hence proving any of these two seemingly unrelated sta...
On the Necessity of Rewinding in Secure Multiparty Computation
We investigate whether security of multiparty computation in the information-theoretic setting implies their security under concurrent composition. We show that security in the stand-alone model proven using black-box simulators in the information-theoretic setting does not imply security under concurrent composition, not even security under 2-bounded concurrent self-composition with an ineffici...
Publication date: 2005