Ari Juels, RSA Laboratories, 3 November 1999
Provable Security: Some Caveats
What is provable security?
Is this provable security?
Ivan Damgård: Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals. 328-335, CRYPTO '88
Or this follow-on?
Birgit Pfitzmann, Michael Waidner: How to Break and Repair a "Provably Secure" Untraceable Payment System. 338-350, CRYPTO '91
Is this provable security?
M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pp. 284-293, 1997
A follow-on
P. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork Cryptosystem. Proc. of Crypto 98, pp. 223-242
Problems with provable security
Who shall guard the guardians? Who’s to say that a proof is correct?
– Worst case security
– Average case security
– Asymptotic security
– Real world security
But even with a more precise notion of “provable security”...
Amdahl’s Law
[Diagram: a system divided into Part 1, Part 2, Part 3, Part 4]
…Accelerating a small piece doesn’t help much
“Amdahl’s Law of Security”
[Diagram: Part 1, Part 2, Part 3, Part 4, with the label "Crypto"]
…Strengthening secure part doesn’t help much
Provable Security Strengthens Most Secure Part
As far as we know, cryptography is rarely the weakest point in a system. Instead, it’s:
– Bad password selection
– Social engineering
– Bad software implementation
Where do you want to go today?
A major security problem...
Provable security
May distract from more critical vulnerabilities
– Hackers just go around the crypto
May yield more complex algorithms, and therefore make correct implementation less likely
May slow down implementations and encourage avoidance of crypto
What lessons to be learned?
Emphasis on extensive expert and empirical testing as a basis for security as with, e.g., RSA
– Can be in addition to proofs
Emphasis on simple proofs and algorithms and on ‘exact security’