Ari Juels RSA Laboratories3 November 1999

Provable Security: Some Caveats

What is provable security?

Is this provable security?

Ivan Damgård: Payment Systems and Credential

Mechanisms with Provable Security Against Abuse

by Individuals. 328-335 -- CRYPTO ‘88

Or this follow-on?

Birgit Pfitzmann, Michael Waidner:

How to Break and Repair a "Provably Secure"

Untraceable Payment System. 338-350 , CRYPTO ‘91

Is this provable security?

M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/

average-case equivalence. In Proc. 29th ACM STOC, pp. 284-293,

1997

A follow-on

P. Nguyen and J. Stern.

Cryptanalysis of the Ajtai-Dwork Cryptosystem

Proc. Of Crypto 98, pp. 223-242

Problems with provable security

Who shall guard the guardians? Who’s to say that a proof is correct?

Worst case security Average case security Asymptotic security Real world security

But even with a more precise notion of ‘‘provable security’’...

Amdahl’s Law

Part 1 Part 2 Part 3 Part 4

Amdahl’s Law

Part 1 Part 2 Part 3 Part 4

…Accelerating a small piece doesn’t help much

“Amdahl’s Law of Security”

Part 1 Part 2 Part 3 Part 4

Crypto

“Amdahl’s Law of Security”

Part 1 Part 2 Part 3 Part 4

…Strengthening secure part doesn’t help much

Provable Security Strengthens Most Secure Part

As far as we know, cryptography is rarely weakest point in system. Instead, it’s:

– Bad password selection– Social engineering– Bad software implementation

Where do you wnt to go today?re

WWhere do you want to go today?

A major security problem...

Provable security

May distract from more critical vulnerabilities– Hackers just go around the crypto

May yield more complex algorithms, and therefore make correct implementation less likely

Slow down implementations and encourage avoidance of crypto

What lessons to be learned?

Emphasis on extensive expert and empirical testing as a basis for security as with, e.g., RSA– Can be in addition to proofs

Emphasis on simple proofs and algorithms and on ‘exact security’