
Assume it's proven: "Security of protocol $\Pi$ can be deduced from hardness of problem $P$".

Is it correct to state: "Security of protocol $\Pi$ can be reduced to (hardness of) problem $P$"?


My question is about accepted VOCABULARY in the field of cryptography with provable security.

This is a simplified version of this question, where the first of the above assertions is (I assume, rigorously) established by exhibiting an algorithm that would solve problem $P$ from an algorithm that would break protocol $\Pi$. I read two interesting answers (which I thus upvoted), one concluding that "reduced" "cannot (technically)" be used in this way but remains understandable in the context, the other that it's "appropriate".

For a non-native speaker like me, that's far from trivial.

fgrieu

1 Answer

I think you are right (in the other question): “security of protocol $P$ reduces to assumption $X$” is incorrect (or at best too sloppy) language, and has too much potential for confusion. This is both because the intended “direction” of the reduction is not completely clear (does breaking $P$ imply breaking $X$, or the other way around?), and a reduction is supposed to be from one computational problem to another (but “security of $P$” is not a problem).

Saying “security of $P$ is based on assumption $X$” is fine, and is more naturally phrased than “breaking $X$ reduces to breaking $P$.” Though it is perhaps not entirely explicit that there is a formal reduction, because a few authors might say this even without a reduction. (But I think they would be wrong to do so.)

All this is somewhat a matter of opinion, relating to prescriptivism versus descriptivism in language. The descriptivist argument is that words and phrases take on meanings when enough people say they do, so “security reduces to” is fine. But for precise technical and mathematical language, especially where the intended meaning could be one of two completely different things, I would lean toward prescriptivism, and “reduction”/“reduces to” already have established meanings that were inherited deliberately from complexity theory.

Chris Peikert
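The direction the answer insists on, written out as an added note (not part of either post), using the question's symbols: protocol $\Pi$, problem $P$, security parameter $\lambda$.

A proof that "the security of $\Pi$ is based on the hardness of $P$" is a reduction *from $P$ to breaking $\Pi$*: an efficient algorithm $\mathcal{B}$ that, given oracle access to an arbitrary adversary $\mathcal{A}$ against $\Pi$, solves $P$ with

$$\mathrm{Adv}^{P}_{\mathcal{B}^{\mathcal{A}}}(\lambda) \;\ge\; \frac{\mathrm{Adv}^{\Pi}_{\mathcal{A}}(\lambda)}{q(\lambda)} \qquad \text{for some polynomial } q,$$

and running time $t_{\mathcal{B}} \le t_{\mathcal{A}} + \mathrm{poly}(\lambda)$. Security then follows by contraposition: if $P$ is hard, $\mathrm{Adv}^{P}_{\mathcal{B}^{\mathcal{A}}}(\lambda)$ is negligible for every efficient $\mathcal{B}$, hence $\mathrm{Adv}^{\Pi}_{\mathcal{A}}(\lambda) \le q(\lambda)\cdot\mathrm{Adv}^{P}_{\mathcal{B}^{\mathcal{A}}}(\lambda)$ is negligible too. In complexity-theoretic notation the statement is

$$P \;\le\; \mathrm{Break}(\Pi),$$

i.e. "$P$ reduces to breaking $\Pi$" (equivalently, "breaking $\Pi$ is at least as hard as $P$"). The opposite reduction, $\mathrm{Break}(\Pi) \le P$, would only say that $\Pi$ is no harder to break than $P$ is to solve, which is not a security statement at all; this is exactly the ambiguity that makes "security of $\Pi$ reduces to $P$" unsafe wording.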