On the Impossibility of Tight Cryptographic Reductions
Lecture Notes in Computer Science
The existence of tight reductions in cryptographic security proofs is an important question, motivated by the theoretical search for cryptosystems whose security guarantees are truly independent of adversarial behavior and the practical necessity of concrete security bounds for the theoretically sound selection of cryptographic parameters. At Eurocrypt 2002, Coron described a meta-reduction technique that allows one to prove the impossibility of tight reductions for certain digital signature
... . This seminal result has found many further interesting applications. However, due to a technical subtlety in the argument, the applicability of this technique beyond digital signatures in the single-user setting has turned out to be rather limited. We describe a new meta-reduction technique for proving such impossibility results, which improves on known ones in several ways. First, it enables interesting novel applications. This includes a formal proof that for certain cryptographic primitives (including public-key encryption/key encapsulation mechanisms and digital signatures), the security loss incurred when the primitive is transferred from an idealized single-user setting to the more realistic multi-user setting is impossible to avoid, and a lower tightness bound for non-interactive key exchange protocols. Second, the technique allows one to rule out tight reductions from a very general class of non-interactive complexity assumptions. Third, the provided bounds are quantitatively and qualitatively better, yet simpler, than the bounds derived from Coron's technique and its extensions.

where $\Lambda^A$ has either a significantly larger running time or a significantly smaller success probability than $A$ (or both). Thus, the reduction "loses" efficiency and/or efficacy. Since provable security is inspired by classical complexity theory, security proofs have traditionally been formulated asymptotically. The running time and success probability of Turing machines are modeled as functions of a security parameter $k \in \mathbb{N}$. Let $t_{\Lambda^A}(k)$ denote the running time and ${}_{\Lambda^A}(k)$ the success probability of $\Lambda^A$. Likewise, let $t_A(k)$ and ${}_{A}(k)$ denote the running time and success probability of $A$. Then it holds that for some "loss" $(k)$. A reduction $\Lambda$ is considered efficient if its loss $(k)$ is bounded by a polynomial. Note that in this approach the concrete size of the polynomial (i.e., its degree and the size of its coefficients) does not matter. As is common in classical complexity theory, it was considered sufficient to show that the loss is polynomially bounded.

Concrete security proofs, the notion of tightness, and its relevance. In order to deploy a cryptosystem in practice, the size of cryptographic parameters (for instance the length of moduli or the size of the underlying algebraic groups) has to be selected. However, the asymptotic approach described above does not allow one to derive concrete recommendations for such parameters, as it only shows that sufficiently large parameters exist. This is because the size of the parameters depends on the concrete value of the loss of the reduction: a larger loss requires larger parameters. The more recent approach, termed concrete security, makes the concrete security loss of a reduction explicit. This allows one to derive concrete recommendations for parameters in a theoretically sound way (see e.g.  for a detailed treatment). Ideally, the loss $(k)$ is constant; in this case the reduction is said to be tight.¹ The existence of cryptosystems whose security is independent of deployment parameters is of course an interesting theoretical question in its own right. Moreover, it has a strong practical motivation, because the tightness of a reduction directly influences the (theoretically sound selection of the) size of cryptographic parameters, and thus has a direct impact on the efficiency of cryptosystems. An example is given in Appendix A.

Coron's result and its refinements. Coron  considered the existence of tight reductions for unique² signature schemes in the single-user setting, and described a "rewinding argument" (cf. Goldwasser et al.  ), which allowed him to prove lower tightness bounds for such signature schemes. In particular, Coron considered "simple"³ reduc-

Consider the following experiment $\mathsf{NICA}^{B}_{N}(1^k)$.
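The following Python script is an added illustration of the loss and tightness notions discussed above; it is not code from the paper. It assumes the standard concrete-security definition of the loss as the ratio of work factors, $(t_{\Lambda^A}/\epsilon_{\Lambda^A}) / (t_A/\epsilon_A)$, which the text above does not spell out, and it assumes the generic single-user to multi-user hybrid argument loses a factor equal to the number of users; the sample adversary and reduction figures are constructed. It contrasts an essentially tight reduction (one run of the adversary plus bookkeeping) with a reduction that guesses one of $q$ queries and succeeds only when the guess is right, and converts the resulting loss into the extra hardness the underlying problem must provide.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Resources:
    """Running time t and success probability eps of an algorithm at a fixed k."""
    time: float  # t, counted in some unit of basic operations
    eps: float   # epsilon, in (0, 1]

    def work_factor(self) -> float:
        # Expected work needed to obtain one success: t / eps.
        return self.time / self.eps


def reduction_loss(adversary: Resources, reduction: Resources) -> float:
    """Loss of a reduction Lambda that turns adversary A into the solver Lambda^A.

    Assumed definition (standard in concrete security, not stated on the page):
    loss = (t_R / eps_R) / (t_A / eps_A), i.e. the factor by which the work
    factor grows when moving from A to Lambda^A.
    """
    return reduction.work_factor() / adversary.work_factor()


def is_tight(loss: float, slack: float = 2.0) -> bool:
    """A reduction is tight when its loss is a small constant (here: at most `slack`)."""
    return loss <= slack


def extra_security_bits(loss: float) -> float:
    """Bits by which the underlying problem must be harder than the target level."""
    return math.log2(loss)


def required_problem_hardness_bits(target_bits: float, loss: float) -> float:
    """Hardness (in bits) the assumption must offer so the scheme reaches target_bits."""
    return target_bits + extra_security_bits(loss)


def hybrid_multi_user_loss(num_users: int) -> float:
    """Loss of the generic single-user -> multi-user hybrid argument.

    Assumption: the textbook hybrid bound, a factor N for N users. The page states
    that some loss is unavoidable for certain primitives but gives no factor.
    """
    return float(num_users)


# Constructed sample: a forger running 2^40 steps with success probability 2^-10,
# i.e. a work factor of 2^50.
ADVERSARY = Resources(time=2.0**40, eps=2.0**-10)

# Reduction that runs A once plus 2^20 steps of bookkeeping: essentially tight.
TIGHT_REDUCTION = Resources(time=2.0**40 + 2.0**20, eps=2.0**-10)

# Reduction that guesses which of q = 2^20 queries A will attack and succeeds
# only when the guess is right: success probability drops by a factor q.
Q_QUERIES = 2**20
GUESSING_REDUCTION = Resources(time=2.0**40, eps=2.0**-10 / Q_QUERIES)


def compare_reductions(target_bits: float = 128) -> dict:
    """Loss, tightness and required hardness for both sample reductions."""
    report = {}
    for name, red in (("tight", TIGHT_REDUCTION), ("guessing", GUESSING_REDUCTION)):
        loss = reduction_loss(ADVERSARY, red)
        report[name] = {
            "loss": loss,
            "tight": is_tight(loss),
            "hardness_bits": required_problem_hardness_bits(target_bits, loss),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_reductions().items():
        print(f"{name:9s} loss=2^{extra_security_bits(row['loss']):.2f} "
              f"tight={row['tight']} hardness_bits={row['hardness_bits']:.1f}")
    users = 2**20
    print(f"hybrid multi-user argument for {users} users costs "
          f"{extra_security_bits(hybrid_multi_user_loss(users)):.0f} extra bits")
```

With the constructed figures the guessing reduction loses a factor of $2^{20}$, so an assumption that should back 128-bit security must itself be 148-bit hard, while the tight reduction adds less than a millionth of a bit; this is the "larger loss requires larger parameters" effect the text refers to.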