Another Look at "Provable Security"

@article{Koblitz2005AnotherLA,
  title={Another Look at "Provable Security"},
  author={Neal Koblitz and Alfred Menezes},
  journal={Journal of Cryptology},
  year={2005},
  volume={20},
  pages={3-37}
}
Abstract
We give an informal analysis and critique of several typical "provable security" results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and "proofs," whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers… 
Provable Security Proofs and their Interpretation in the Real World
  • Vikram Singh
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2013
TLDR
This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets their benefits and drawbacks when applied to the real world, to help the reader make their own decisions on security proofs.
Another Look at Provable Security
TLDR
Some examples are presented that illustrate the important role that old-fashioned cryptanalysis and sound engineering practices continue to play in establishing and maintaining confidence in the security of a cryptographic protocol.
Another look at automated theorem-proving
TLDR
It is asked whether there is evidence that automated theorem-proving can contribute anything of value to the security analysis of cryptographic protocols and three papers that purport to show the potential of computer-assisted proof-writing and proof-checking are discussed.
The Roll of Dices in Cryptology
TLDR
The role of probability theory within modern cryptology is discussed, reviewing probabilistic proof systems as a powerful tool towards efficient protocol design, and provable security, as an invaluable framework for deriving formal security proofs.
Non-Constructivity in Security Proofs
In the field of cryptography, one generally obtains assurances for the security of a cryptographic protocol by giving a reductionist security proof, which is comprised of a reduction from breaking a
Anomalous Look at Provable Security
TLDR
It is argued that the provable security paradigm remains sound in applications provided that assumptions are made with care, and the argument for the study of combiners and constructions based on generic assumptions, and transparent standardization processes in applied cryptography is strengthened.
Interpreting Hash Function Security Proofs
TLDR
While the authors of FSB, MQ-HASH and SWIFFT(X) prove existence of non-trivial lower bounds on security, it is shown that the quantification of the bounds limits the practical significance of the proofs.
A "proof-reading" of Some Issues in Cryptography
TLDR
It is argued that several issues in the interplay between practice and theory in cryptography are often overlooked or misunderstood, and that it may be very productive if both theoreticians and practitioners think more consciously about these issues and act accordingly.
Provable Security in the Real World
Provable security introduces formal definitions of security and adopts techniques from probability theory and computational complexity theory to analyze the security of cryptographic constructs.
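The two entries above ("Non-Constructivity in Security Proofs" and "Provable Security in the Real World") describe reductionist proofs only in outline. As an added illustration, not taken from the page or from any of the listed papers, this is the shape such a theorem usually takes and why the tightness of the reduction decides what it means for parameter sizes. The symbols $S$, $P$, $L$, $q_H$, $q_S$, $\ell$, $t$ and $\varepsilon$ are introduced here for the illustration and are not notation from the page.

A random-oracle-model proof for a signature scheme $S$ built on a hard problem $P$ typically bounds the advantage of any forger $\mathcal{A}$ making at most $q_H$ hash queries and $q_S$ signing queries by

$$
\mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{S}(\mathcal{A})
\;\le\;
L \cdot \mathrm{Adv}^{P}(\mathcal{B})
\;+\;
\frac{q_S\,(q_H + q_S)}{2^{\ell}},
$$

where $\mathcal{B}$ is the reduction, which runs in about the time of $\mathcal{A}$, $\ell$ is the hash output length, and $L$ is the tightness loss. For a tight proof $L$ is a small constant; for Schnorr-type schemes proved via the forking lemma, $L$ is on the order of $q_H$.

To conclude that no forger running in time $t$ has advantage more than $\varepsilon$, one needs the problem $P$ to resist every attacker of time about $t$ with advantage at most

$$
\mathrm{Adv}^{P}(\mathcal{B}) \;\le\; \frac{\varepsilon}{L}.
$$

With the (assumed, for illustration) values $t \approx 2^{128}$, $\varepsilon = 2^{-128}$ and $q_H = 2^{60}$, a forking-lemma proof with $L \approx 2^{60}$ therefore only guarantees 128-bit security for $S$ if $P$ is roughly $2^{188}$-hard, so the group or modulus must be sized for about 188 bits of hardness rather than 128. This gap between the "provably secure" parameter sizes and the ones actually deployed is the kind of interpretation issue the papers in this list examine; the entry "Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log" below gives evidence that the loss cannot simply be proved away for Schnorr signatures in the standard model.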
Errors in Computational Complexity Proofs for Protocols
TLDR
This work examines several protocols with claimed proofs of security by Boyd & Gonzalez Nieto, Jakobsson & Pointcheval, and Wong & Chan, and an authenticator by Bellare, Canetti, & Krawczyk, and reveals previously unpublished flaws in these protocols and their proofs.

References

SHOWING 1-10 OF 109 REFERENCES
Why Provable Security Matters?
  • J. Stern
  • Mathematics, Computer Science
    EUROCRYPT
  • 2003
TLDR
Concerns are discussed about methods from provable security that have been developed over the last twenty years within the research community, and about the fact that proofs themselves need time to be validated through public discussion, which was somehow overlooked.
Flaws in Applying Proof Methodologies to Signature Schemes
TLDR
This work found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one, and gives more examples, showing that provable security is more subtle than it at first appears.
Practice-Oriented Provable-Security
TLDR
This short article is intended to complement my talk on practice-oriented provable-security, a fruitful blend of theory and practice that is able to enrich both sides and has by now had some impact on real world security.
A "Paradoxical" Solution to the Signature Problem (Extended Abstract)
TLDR
A general signature scheme which uses any pair of trap-door permutations for which it is infeasible to find any x, y with f0(x) = f1(y) and possesses the novel property of being robust against an adaptive chosen message attack.
Random oracles are practical: a paradigm for designing efficient protocols
TLDR
It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
OAEP Reconsidered
TLDR
It turns out, essentially by accident rather than by design, that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
TLDR
The results extend the understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.
RSA-OAEP Is Secure under the RSA Assumption
TLDR
It is proved that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.
Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log
We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts
Cryptanalysis of the Ajtai-Dwork Cryptosystem
TLDR
This result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.