# Another Look at "Provable Security"

@article{Koblitz2005AnotherLA, title={Another Look at "Provable Security"}, author={Neal Koblitz and Alfred Menezes}, journal={Journal of Cryptology}, year={2005}, volume={20}, pages={3-37} }

## Abstract

We give an informal analysis and critique of several typical "provable security" results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and "proofs," whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers…

## 260 Citations

Provable Security Proofs and their Interpretation in the Real World

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2013

This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets their benefits and drawbacks when applied to the real world, to help the reader make their own decisions on security proofs.

Another Look at Provable Security

- Computer Science, Mathematics
- EUROCRYPT
- 2012

Some examples are presented that illustrate the important role that old-fashioned cryptanalysis and sound engineering practices continue to play in establishing and maintaining confidence in the security of a cryptographic protocol.

Another look at automated theorem-proving

- Computer Science, Mathematics
- J. Math. Cryptol.
- 2007

It is asked whether there is evidence that automated theorem-proving can contribute anything of value to the security analysis of cryptographic protocols and three papers that purport to show the potential of computer-assisted proof-writing and proof-checking are discussed.

The Roll of Dices in Cryptology

- Computer Science, Mathematics
- 2018

The role of probability theory within modern cryptology is discussed, reviewing probabilistic proof systems as a powerful tool towards efficient protocol design, and provable security, as an invaluable framework for deriving formal security proofs.

Non-Constructivity in Security Proofs

- Computer Science, Mathematics
- 2018

This thesis examines three instances of non-constructive security proofs for cryptographic protocols in the literature: a password-based key derivation function; an HMAC-related message authentication code scheme; and a round-optimal blind signature scheme.

Anomalous Look at Provable Security

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

It is argued that the provable security paradigm remains sound in applications provided that assumptions are made with care, and the argument for the study of combiners and constructions based on generic assumptions, and transparent standardization processes in applied cryptography is strengthened.

Interpreting Hash Function Security Proofs

- Computer Science, Mathematics
- ProvSec
- 2010

While the authors of FSB, MQ-HASH and SWIFFT(X) prove existence of non-trivial lower bounds on security, it is shown that the quantification of the bounds limits the practical significance of the proofs.

A "proof-reading" of Some Issues in Cryptography

- Computer Science
- ICALP
- 2007

It is argued that several issues in the interplay between practice and theory in cryptography are often overlooked or misunderstood, and that it may be very productive if both theoreticians and practitioners think more consciously about these issues and act accordingly.

Errors in Computational Complexity Proofs for Protocols

- Computer Science, Mathematics
- ASIACRYPT
- 2005

This work examines several protocols with claimed proofs of security by Boyd & Gonzalez Nieto, Jakobsson & Pointcheval, and Wong & Chan, and an authenticator by Bellare, Canetti, & Krawczyk, and reveals previously unpublished flaws in these protocols and their proofs.

ComSeFor: Computer Security and Formal methods October

- Computer Science, Mathematics
- 2015

This project aims at bypassing the problem of designing an attacker model by specifying what an attacker cannot do, instead of specifying what he/she can do.

## References

Showing 1-10 of 109 references

Why Provable Security Matters?

- Computer Science
- EUROCRYPT
- 2003

Concerns about methods from provable security, which had been developed over the previous twenty years within the research community, are discussed, along with the somehow overlooked fact that proofs themselves need time to be validated through public discussion.

Flaws in Applying Proof Methodologies to Signature Schemes

- Computer Science, Mathematics
- CRYPTO
- 2002

This work found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one, and gives more examples, showing that provable security is more subtle than it at first appears.

Practice-Oriented Provable-Security

- Computer Science
- ISW
- 1997

This short article is intended to complement my talk on practice-oriented provable-security, a fruitful blend of theory and practice that is able to enrich both sides and has by now had some impact on real world security.

A "Paradoxical" Solution to the Signature Problem (Extended Abstract)

- Computer Science, Mathematics
- FOCS
- 1984

A general signature scheme is presented which uses any pair of trap-door permutations f0, f1 for which it is infeasible to find any x, y with f0(x) = f1(y), and which possesses the novel property of being robust against an adaptive chosen message attack.

Random oracles are practical: a paradigm for designing efficient protocols

- Computer Science, Mathematics
- CCS '93
- 1993

It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.

OAEP Reconsidered

- Computer Science, Mathematics
- CRYPTO
- 2000

It turns out, essentially by accident rather than by design, that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

- Computer Science, Mathematics
- EUROCRYPT
- 2004

The results extend the understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.

RSA-OAEP Is Secure under the RSA Assumption

- Computer Science, Mathematics
- Journal of Cryptology
- 2002

It is proved that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.

Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log

- Computer Science, Mathematics
- ASIACRYPT
- 2005

We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts…

Cryptanalysis of the Ajtai-Dwork Cryptosystem

- Computer Science, Mathematics
- CRYPTO
- 1998

This result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.