Limits of Constructive Security Proofs
The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-resistance can only be expected if the hash function in fact constitutes a parametrized family of functions, since for a single function, the adversary could simply know a single hard-coded collision. In practical applications, however, unkeyed hash functions are a common choice, creating a gap between the practical application and the formal proof, and, even more importantly, the concise mathematical definitions.
A pragmatic way out of this dilemma was recently formalized by Rogaway: instead of requiring that no adversary exists that breaks the protocol (existential security), one requires that given an adversary that breaks the protocol, we can efficiently construct a collision of the hash function using an explicitly given reduction (constructive security).
In this paper, we show the limits of this approach: We give a protocol that is existentially secure, but that provably cannot be proven secure using a constructive security proof.
Consequently, constructive security—albeit constituting a useful improvement over the state of the art—is not comprehensive enough to encompass all protocols that can be dealt with using existential security proofs.
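The notion of a constructive security proof described above, as an added Python example that is not taken from the paper: an explicit reduction turns any adversary that breaks a protocol into a collision of the unkeyed hash function. The toy 24-bit hash `H`, the hash-based commitment used as the protocol, and all function names are assumptions chosen for illustration; this is not the separating protocol the paper constructs.

```python
import hashlib
from itertools import count

TRUNC = 3  # assumption: toy 24-bit output so the collision search finishes quickly

def H(data: bytes) -> bytes:
    """Unkeyed toy hash: SHA-256 truncated to TRUNC bytes."""
    return hashlib.sha256(data).digest()[:TRUNC]

def encode(msg: bytes, nonce: bytes) -> bytes:
    """Injective encoding of (msg, nonce); the length prefix removes ambiguity."""
    return len(msg).to_bytes(4, "big") + msg + nonce

def commit(msg: bytes, nonce: bytes) -> bytes:
    """Toy protocol (assumption): commitment c = H(encode(msg, nonce))."""
    return H(encode(msg, nonce))

def adversary():
    """Breaks binding: returns c and two valid openings to different messages."""
    seen = {}
    for i in count():
        nonce = i.to_bytes(8, "big")
        for msg in (b"pay 1", b"pay 1000"):
            c = commit(msg, nonce)
            prev = seen.setdefault(c, (msg, nonce))
            if prev[0] != msg:
                return c, prev, (msg, nonce)

def reduction(adv):
    """Explicit reduction: maps a binding break to a collision (x0, x1) of H.

    Returns None when the output of adv is not a valid break, so the
    reduction succeeds exactly when the adversary does.
    """
    c, (m0, r0), (m1, r1) = adv()
    if m0 == m1 or commit(m0, r0) != c or commit(m1, r1) != c:
        return None
    # encode is injective and m0 != m1, hence x0 != x1 while H(x0) == H(x1) == c.
    return encode(m0, r0), encode(m1, r1)

if __name__ == "__main__":
    x0, x1 = reduction(adversary)
    print("collision:", x0.hex(), x1.hex(), "->", H(x0).hex())
```

The statement "if the adversary breaks binding, `reduction` outputs a collision" stays meaningful for an unkeyed `H`, whereas "no collision-finding adversary exists" does not, since a hard-coded collision always exists.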
- 1. Backes, M., Unruh, D.: Limits of constructive security proofs (2008), http://www.infsec.cs.uni-sb.de/~unruh/publications/backes08limits.html