Limits of Constructive Security Proofs

  • Michael Backes
  • Dominique Unruh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)


The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-resistance can only be expected if the hash function in fact constitutes a parametrized family of functions, since for a single function the adversary could simply know a single hard-coded collision. In practical applications, however, unkeyed hash functions are a common choice, creating a gap between the practical application on the one hand and the formal proof and, even more importantly, the concise mathematical definitions on the other.

A pragmatic way out of this dilemma was recently formalized by Rogaway: instead of requiring that no adversary exists that breaks the protocol (existential security), one requires that given an adversary that breaks the protocol, we can efficiently construct a collision of the hash function using an explicitly given reduction (constructive security).
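To make the constructive-security notion concrete, here is an added Python illustration (not from the paper, whose separating protocol is a different construction). It assumes a toy unkeyed hash (SHA-256 truncated to 16 bits, so a brute-force break is actually feasible), a Merkle-tree commitment as the "protocol", and an explicit reduction that turns any binding break into a concrete collision of the hash without knowing how the adversary found the break.

```python
import hashlib
from typing import List, Tuple

def h(data: bytes) -> bytes:
    # Toy unkeyed hash (demo assumption): SHA-256 truncated to 16 bits so that
    # a brute-force "adversary" can actually break the protocol.
    return hashlib.sha256(data).digest()[:2]

def _parents(nodes: List[bytes]) -> List[bytes]:
    # Inner-node inputs carry a 0x01 domain tag, leaf inputs a 0x00 tag.
    return [b"\x01" + nodes[i] + nodes[i + 1] for i in range(0, len(nodes), 2)]

def merkle_root(leaves: List[bytes]) -> bytes:
    # The "protocol": a Merkle commitment to a power-of-two number of leaves.
    nodes = [h(b"\x00" + x) for x in leaves]
    while len(nodes) > 1:
        nodes = [h(p) for p in _parents(nodes)]
    return nodes[0]

def adversary() -> Tuple[List[bytes], List[bytes]]:
    # A binding break: two different leaf lists with the same root. Brute force
    # works only because h is 16 bits wide; the reduction does not care how.
    base = [b"a0", b"a1", b"a2", b"a3"]
    target = merkle_root(base)
    i = 0
    while True:
        cand = base[:3] + [b"x%d" % i]   # constructed candidate leaf list
        if merkle_root(cand) == target:
            return base, cand
        i += 1

def reduction(a_leaves: List[bytes], b_leaves: List[bytes]) -> Tuple[bytes, bytes]:
    # Explicit reduction: from any break (distinct leaf lists, equal roots)
    # extract a collision in h by walking both trees level by level.
    if a_leaves == b_leaves or len(a_leaves) != len(b_leaves):
        raise ValueError("not a break of the commitment")
    a = [b"\x00" + x for x in a_leaves]
    b = [b"\x00" + x for x in b_leaves]
    while True:
        ha, hb = [h(x) for x in a], [h(x) for x in b]
        for x, y, hx, hy in zip(a, b, ha, hb):
            if x != y and hx == hy:
                return x, y
        # Invariant: a != b but the roots agree, so a higher level must collide.
        a, b = _parents(ha), _parents(hb)

def demo() -> bool:
    a, b = adversary()
    x, y = reduction(a, b)
    return x != y and h(x) == h(y)
```

The reduction is the object a constructive proof must exhibit: an efficient algorithm that, handed the adversary's output, returns two distinct inputs with the same hash.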

In this paper, we show the limits of this approach: We give a protocol that is existentially secure, but that provably cannot be proven secure using a constructive security proof.

Consequently, constructive security—albeit constituting a useful improvement over the state of the art—is not comprehensive enough to encompass all protocols that can be dealt with using existential security proofs.



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Backes (1, 2)
  • Dominique Unruh (1)

  1. Saarland University, Saarbrücken, Germany
  2. Max-Planck-Institute for Software Systems, Saarbrücken, Germany
