Quiz Entry - updated: 2026.07.14
What is the "abstraction dilemma" in security?
Security that holds in high-level code can break at the implementation level — e.g. a "constant-time" password compare that actually leaks the password via timing.
* Abstraction dilemma — logic that looks clean at the design level leaks both message and key at the implementation level, because the analog output voltage is unique to each input combination. *
The abstraction dilemma: security properties proven at one abstraction level may not hold at lower levels, because of implementation details.
Example — Timing attack on password comparison:
| Level | Security |
|---|---|
| High-level code | if (userPassword == storedPassword) looks constant-time — just a simple comparison |
| Implementation reality | Most string comparisons stop at the first mismatch. Attacker measures response time: wrong first character = instant rejection (1μs), correct first character but wrong second = slightly longer (2μs). This leaks the password character by character |
Lessons:
- Theoretical security ≠ practical security
- Side channels (timing, power, electromagnetic) can leak information
- Abstractions hide details — High-level operations may have unsafe low-level behavior
- Defense in depth — Use constant-time comparison functions (e.g.,
hash_equals()in PHP)
Real-world security requires testing actual implementations, not just verifying algorithms.