2

If we composed (as in function composition) multiple CPA-secure encryption schemes would the result also be CPA-secure?

Gordon
  • 487
  • 5
  • 18

1 Answers1

3

Yes, if (and this is important) the keys for $E$ and $S$ are selected independently.

Consider that we had two encryption methods $E$, $S$ for which their composition $E(S(x))$ is not CPA secure; that is, we have some distinguisher $D$ that had some advantage in distinguishing that from a random function. Then, we can build a distinguisher for $E$ (by selecting a random key for $S$, then then use the distinguisher $D$, and when it made a query, we'd take the plaintext it selected, encrypt it with $S$ with our random key, and then gave that ciphertext to the object we're distinguishing (either $E$ or the random function).

Similar logic can be used to show that we can use the distinguisher to distinguish the inner function (by selecting a random key for the outer function).

Hence, if $E$ and $S$ are indistinguishable, so is their composition (in the CPA model). In fact, we can make a stronger statement; if either are indistinguishable, so is the composition.

On the other hand, if the keys aren't independent, then all bets are off. Not only do these simulation arguments don't work (as the simulator is unable to select the appropriate key), but the possible insecurity of the system can be seen by considering the case where $E$ and $S$ are inverses of each other.

poncho
  • 147,019
  • 11
  • 229
  • 360