Provable Security: Some Caveats
Ari Juels, RSA Laboratories
3 November 1999
Is this provable security? Ivan Damgård: Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals. CRYPTO ’88, pp. 328-335.
Or this follow-on? Birgit Pfitzmann, Michael Waidner: How to Break and Repair a “Provably Secure” Untraceable Payment System. CRYPTO ’91, pp. 338-350.
Is this provable security? M. Ajtai and C. Dwork: A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence. Proc. 29th ACM STOC, pp. 284-293, 1997.
A follow-on: P. Nguyen and J. Stern: Cryptanalysis of the Ajtai-Dwork Cryptosystem. Proc. CRYPTO ’98, pp. 223-242.
Problems with provable security
• Who shall guard the guardians? Who’s to say that a proof is correct?
• Worst-case security vs. average-case security
• Asymptotic security vs. real-world security
But even with a more precise notion of ‘‘provable security’’...
Amdahl’s Law [figure: a computation divided into Part 1, Part 2, Part 3, Part 4] …Accelerating a small piece doesn’t help much
“Amdahl’s Law of Security” [figure: a system divided into Crypto, Part 1, Part 2, Part 3, Part 4] …Strengthening the secure part doesn’t help much
Provable Security Strengthens Most Secure Part
As far as we know, cryptography is rarely the weakest point in a system. Instead, it’s:
• Bad password selection
• Social engineering
• Bad software implementation
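As an added numerical illustration of the two preceding slides (this is example code, not part of the original talk): Amdahl’s law for speedup, and its security analogue in which a system’s effective strength is the minimum attack cost over its components, so a rational attacker simply takes the cheapest route. The per-component attack-cost figures in `SYSTEM` are assumed, illustrative values chosen to match the weak points listed on the slide, not measurements.

```python
"""Amdahl's law and the "Amdahl's law of security" from the slides, worked
numerically. Added example, not from the original talk. The work-factor
figures for each component are illustrative assumptions only."""


def amdahl_speedup(fraction: float, factor: float) -> float:
    """Amdahl's law: overall speedup when the share `fraction` of the work is
    accelerated by `factor`. The unaccelerated share (1 - fraction) bounds
    the total gain no matter how large `factor` becomes."""
    if not 0.0 <= fraction <= 1.0 or factor <= 0.0:
        raise ValueError("fraction must be in [0, 1] and factor positive")
    return 1.0 / ((1.0 - fraction) + fraction / factor)


def weakest_link(components: dict[str, float]) -> tuple[str, float]:
    """Security analogue. Each component carries an estimated attack cost in
    bits (log2 of attacker effort). The attacker takes the cheapest route, so
    the system's effective security is the minimum, and the component that
    attains it is the weakest link."""
    name = min(components, key=components.__getitem__)
    return name, components[name]


def gain_from_strengthening(components: dict[str, float],
                            name: str, extra_bits: float) -> float:
    """Bits of effective system security gained by adding `extra_bits` to one
    component. Strengthening anything other than the weakest link yields
    exactly zero; strengthening the weakest link helps only up to the
    next-weakest one."""
    before = weakest_link(components)[1]
    after = dict(components)
    after[name] += extra_bits
    return weakest_link(after)[1] - before


# Constructed, illustrative estimates (attack cost in bits) for the kinds of
# weak points listed on the slide. Assumptions, not measurements.
SYSTEM = {
    "cryptography (80-bit symmetric key)": 80.0,
    "user-chosen password": 30.0,        # guessable far below key strength
    "software implementation bug": 20.0,
    "social engineering": 10.0,
}


if __name__ == "__main__":
    # Amdahl: making 10% of a computation 1000x faster gives only ~1.11x overall.
    print(f"Amdahl speedup: {amdahl_speedup(0.10, 1000):.3f}x")
    link, bits = weakest_link(SYSTEM)
    print(f"weakest link: {link} ({bits:.0f} bits)")
    # Proving the crypto stronger, or going from 80 to 128 bits, changes nothing.
    print("gain from 80->128-bit crypto:",
          gain_from_strengthening(SYSTEM, "cryptography (80-bit symmetric key)", 48))
    # Hardening the weakest link helps, but only until the next one takes over.
    print("gain from +15 bits against social engineering:",
          gain_from_strengthening(SYSTEM, "social engineering", 15))
```

The two functions share one shape: a term that is not being improved (the serial fraction, the cheapest attack) caps the result, which is the whole content of the “Amdahl’s Law of Security” slide.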
A major security problem... [slide image: the slogan “Where do you want to go today?”]
Provable security
• May distract from more critical vulnerabilities
• Hackers just go around the crypto
• May yield more complex algorithms, and therefore make correct implementation less likely
• May slow down implementations and encourage avoidance of crypto
What lessons are to be learned?
• Emphasis on extensive expert and empirical testing as a basis for security, as with, e.g., RSA
• This can be in addition to proofs
• Emphasis on simple proofs and algorithms, and on ‘exact security’