Composition Implies Adaptive Security in Minicrypt

Krzysztof Pietrzak ⋆

Département d'informatique, Ecole Normale Supérieure, Paris, France
pietrzak@di.ens.fr

Abstract. To prove that a secure key-agreement protocol exists one must at least show P ≠ NP. Moreover any proof that the sequential composition of two non-adaptively secure pseudorandom functions is secure against at least two adaptive queries must falsify the decisional Diffie-Hellman assumption, a standard assumption from public-key cryptography. Hence proving either of these two seemingly unrelated statements would require a significant breakthrough. We show that at least one of the two statements is true. To our knowledge this gives the first positive cryptographic result (namely that composition implies some weak adaptive security) which holds in Minicrypt, but not in Cryptomania, i.e. under the assumption that one-way functions exist, but public-key cryptography does not.

1 Introduction

A pseudorandom function (PRF) is a function which cannot be distinguished from a uniformly random function by any efficient adversary. One can give different security definitions for PRFs depending on how the attacker can access the function: a non-adaptive adversary must choose all his queries to the function at once, whereas a (more powerful) adaptive adversary must only decide on the i'th query after receiving the i − 1'th output. As a generalisation we define k-adaptive adversaries which can choose k blocks of queries to be made, where the k'th block must be chosen at once but only after receiving the outputs to the k − 1'th block (in particular 1-adaptive means non-adaptive, and ∞-adaptive means adaptive).

Consider the following two statements:

$K_k$: There exists a secure k-pass key-agreement protocol.

$C_k$: The sequential composition of two (k − 1)-adaptively secure PRFs is k-adaptively secure.
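The k-adaptive query model and the cascade in statement C_k can be made concrete with a small experiment. This is an added example, not code from the paper: HMAC-SHA256 as the stand-in PRF, the block length N, the textbook "planted" function that is broken by two adaptive blocks, and all function and class names are assumptions of the sketch.

```python
import hashlib
import hmac
import os

N = 16  # block and key length in bytes (assumed for this sketch)

def prf(key, x):
    """HMAC-SHA256 truncated to N bytes, used here as a stand-in PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def planted(key):
    """Textbook function that is fine against one block of queries but not two:
    it outputs its key on input prf(key, 0^N), a point learned only adaptively."""
    trigger = prf(key, bytes(N))
    return lambda x: key if x == trigger else prf(key, x)

def cascade(f1, f2):
    """Sequential composition x -> f2(f1(x)), as in statement C_k."""
    return lambda x: f2(f1(x))

class KAdaptiveOracle:
    """Answers at most k blocks of queries; each block is submitted at once."""
    def __init__(self, f, k):
        self.f, self.blocks_left = f, k

    def query_block(self, xs):
        if self.blocks_left == 0:
            raise PermissionError("budget of k query blocks exhausted")
        self.blocks_left -= 1
        return [self.f(x) for x in xs]

def two_block_distinguisher(oracle):
    """Block 1 asks for 0^N; block 2 asks for the answer y. Returns True
    ('not random') if the second reply z is a key consistent with block 1."""
    (y,) = oracle.query_block([bytes(N)])
    (z,) = oracle.query_block([y])
    return hmac.compare_digest(prf(z, bytes(N)), y)

def run():
    """Run the 2-adaptive distinguisher on one planted function and on a cascade."""
    k1, k2 = os.urandom(N), os.urandom(N)
    single = KAdaptiveOracle(planted(k1), 2)
    both = KAdaptiveOracle(cascade(planted(k1), planted(k2)), 2)
    return {"single": two_block_distinguisher(single),
            "cascade": two_block_distinguisher(both)}
```

The distinguisher succeeds against the single planted function and fails against the cascade, because the second function re-randomises the value that would have served as the trigger. This shows only that this one attack stops working under composition; it is not evidence for C_k in general.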
The main result of this paper is that either composition of PRFs always increases the security, in the sense that the cascade is k-adaptively secure whenever the components are (k − 1)-adaptively secure, or key agreement exists.

⋆ Most of this work was done while the author was a PhD student at ETH where he was supported by the Swiss National Science Foundation, project No. 200020-103847/1. Part of this work is supported by the Commission of the European Communities through the IST program under contract IST-2002-507932 ECRYPT.

S. Vaudenay (Ed.): EUROCRYPT 2006, LNCS 4004, pp. 328–338, 2006. © International Association for Cryptologic Research 2006