Journal: Electronic Colloquium on Computational Complexity

Equivalence of Uniform Key Agreement and Composition Insecurity


Abstract

We prove that achieving adaptive security from composing two general non-adaptively secure pseudo-random functions is impossible if and only if a uniform-transcript key agreement protocol exists.

It is well known that proving the security of a key agreement protocol (even in a special case where the protocol transcript looks random to an outside observer) is at least as difficult as proving P ≠ NP. Another (seemingly unrelated) statement in cryptography is the existence of two or more non-adaptively secure pseudo-random functions that do not become adaptively secure under sequential or parallel composition. In 2006, Pietrzak showed that at least one of these two seemingly unrelated statements is true. Pietrzak's result was significant since it showed a surprising connection between the worlds of public-key (i.e., "cryptomania") and private-key cryptography (i.e., "minicrypt"). In this paper we show that this duality is far stronger: we show that at least one of these two statements must also be false. In other words, we show their equivalence.

More specifically, Pietrzak's paper shows that if sequential composition of two non-adaptively secure pseudo-random functions is not adaptively secure, then there exists a key agreement protocol. However, Pietrzak's construction implies a slightly stronger fact: if sequential composition does not imply adaptive security (in the above sense), then a uniform-transcript key agreement protocol exists, where by uniform-transcript we mean a key agreement protocol where the transcript of the protocol execution is indistinguishable from uniform to eavesdroppers. In this paper, we complete the picture, and show the reverse direction as well as a strong equivalence between these two notions. More specifically, as our main result, we show that if there exists any uniform-transcript key agreement protocol, then composition does not imply adaptive security. Our result holds for both parallel and sequential composition. Our implication holds based on virtually all known key agreement protocols, and can also be based on general complexity assumptions of the existence of dense trapdoor permutations.