International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2008: Advances in Cryptology - ASIACRYPT 2008 pp 290-307

Limits of Constructive Security Proofs

  • Michael Backes
  • Dominique Unruh
Conference paper

DOI: 10.1007/978-3-540-89255-7_18

Volume 5350 of the book series Lecture Notes in Computer Science (LNCS)

Abstract

The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-resistance can only be expected if the hash function in fact constitutes a parametrized family of functions, since for a single function, the adversary could simply know a single hard-coded collision. In practical applications, however, unkeyed hash functions are a common choice, creating a gap between the practical application and the formal proof, and, even more importantly, the concise mathematical definitions.

A pragmatic way out of this dilemma was recently formalized by Rogaway: instead of requiring that no adversary exists that breaks the protocol (existential security), one requires that given an adversary that breaks the protocol, we can efficiently construct a collision of the hash function using an explicitly given reduction (constructive security).

In this paper, we show the limits of this approach: We give a protocol that is existentially secure, but that provably cannot be proven secure using a constructive security proof.

Consequently, constructive security—albeit constituting a useful improvement over the state of the art—is not comprehensive enough to encompass all protocols that can be dealt with using existential security proofs.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Backes (1, 2)
  • Dominique Unruh (1)

  1. Saarland University, Saarbrücken, Germany
  2. Max-Planck-Institute for Software Systems, Saarbrücken, Germany