Limits of Constructive Security Proofs

  • Michael Backes
  • Dominique Unruh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)

Abstract

The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-resistance can only be expected if the hash function in fact constitutes a parametrized family of functions, since for a single function, the adversary could simply know a single hard-coded collision. In practical applications, however, unkeyed hash functions are a common choice, creating a gap between the practical application and the formal proof, and, even more importantly, the concise mathematical definitions.

A pragmatic way out of this dilemma was recently formalized by Rogaway: instead of requiring that no adversary exists that breaks the protocol (existential security), one requires that given an adversary that breaks the protocol, we can efficiently construct a collision of the hash function using an explicitly given reduction (constructive security).

In this paper, we show the limits of this approach: We give a protocol that is existentially secure, but that provably cannot be proven secure using a constructive security proof.

Consequently, constructive security—albeit constituting a useful improvement over the state of the art—is not comprehensive enough to encompass all protocols that can be dealt with using existential security proofs.
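As an added illustration of the constructive notion described above (example code written for this page, not taken from the paper): a hash-based commitment whose binding property reduces to the collision-resistance of an unkeyed hash h. The adversary here does exactly what the abstract warns any adversary against a single fixed function may do, namely hold a hard-coded collision; the explicitly given reduction turns its binding break into a collision of h. The toy truncated hash, the commitment encoding and the adversary are assumptions made for the demonstration.

```python
import hashlib


def h(data: bytes) -> bytes:
    # Unkeyed hash: SHA-256 truncated to 16 bits so a collision can be found
    # offline in seconds (a constructed stand-in for a real full-width function).
    return hashlib.sha256(data).digest()[:2]


def encode(message: bytes, randomness: bytes) -> bytes:
    # Injective encoding: the length prefix guarantees that distinct
    # (message, randomness) pairs give distinct hash inputs, so any binding
    # break really yields a collision of h rather than an encoding ambiguity.
    return len(message).to_bytes(2, "big") + message + randomness


def commit(message: bytes, randomness: bytes) -> bytes:
    return h(encode(message, randomness))


def hardcoded_collision() -> tuple:
    # Constructs one pair of openings with equal commitments but different
    # messages; this models the "single hard-coded collision" the adversary
    # may simply know about a fixed, unkeyed function.
    m0, r0, m1 = b"yes", b"\x00", b"no"
    target = commit(m0, r0)
    for i in range(1 << 24):
        r1 = i.to_bytes(4, "big")
        if commit(m1, r1) == target:
            return m0, r0, m1, r1
    raise RuntimeError("no collision found within search budget")


KNOWN_COLLISION = hardcoded_collision()


def binding_breaker() -> tuple:
    # Adversary against binding: outputs two valid openings of one commitment.
    return KNOWN_COLLISION


def reduction(adversary):
    # Constructive reduction: given any adversary against binding, explicitly
    # output a collision (x0, x1) of h, or None if the adversary did not win.
    m0, r0, m1, r1 = adversary()
    if m0 == m1 or commit(m0, r0) != commit(m1, r1):
        return None
    x0, x1 = encode(m0, r0), encode(m1, r1)
    return (x0, x1) if x0 != x1 else None
```

The point of the abstract is that such an explicit reduction exists for this commitment, whereas the paper's protocol is one for which no reduction of this kind can exist even though the protocol is existentially secure.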

References

  1. Backes, M., Unruh, D.: Limits of constructive security proofs (2008), http://www.infsec.cs.uni-sb.de/~unruh/publications/backes08limits.html
  2. Baker, T., Gill, J., Solovay, R.: Relativizations of the P =? NP question. SIAM Journal on Computing 4, 431–442 (1975)
  3. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd Annual Symposium on Foundations of Computer Science, Proceedings of FOCS 2001, pp. 106–115. IEEE Computer Society, Los Alamitos (2001), http://www.wisdom.weizmann.ac.il/~boaz/Papers/nonbb.ps
  4. Damgård, I.: Collision free hash functions and public key signature schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)
  5. Dwork, C., Naor, M.: Zaps and their applications. ECCC TR02-001 (2002), http://eccc.hpi-web.de/eccc-reports/2002/TR02-001/index.html
  6. Fortnow, L.: The role of relativization in complexity theory. Bulletin of the EATCS 52 (February 1994), http://people.cs.uchicago.edu/~fortnow/papers/relative.ps
  7. Goldreich, O.: Foundations of Cryptography, vol. 1 (Basic Tools). Cambridge University Press, Cambridge (August 2001), http://www.wisdom.weizmann.ac.il/~oded/frag.html
  8. Goldreich, O.: Foundations of Cryptography, vol. 2 (Basic Applications). Cambridge University Press, Cambridge (May 2004), http://www.wisdom.weizmann.ac.il/~oded/frag.html
  9. Rogaway, P.: Formalizing human ignorance: Collision-resistant hashing without the keys. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 221–228. Springer, Heidelberg (2006), http://eprint.iacr.org/2006/281
  10. Stinson, D.R.: Some observations on the theory of cryptographic hash functions. IACR ePrint Archive (March 2001), http://eprint.iacr.org/2001/020

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Backes (1, 2)
  • Dominique Unruh (1)
  1. Saarland University, Saarbrücken, Germany
  2. Max-Planck-Institute for Software Systems, Saarbrücken, Germany