Provable Security: Some Caveats

1
Provable Security Some Caveats
Ari Juels RSA Laboratories 3 November 1999
2
What is provable security?

3
Is this provable security?
Ivan Damgård Payment Systems and Credential
Mechanisms with Provable Security Against Abuse
by Individuals. 328-335 -- CRYPTO 88
4
Or this follow-on?
Birgit Pfitzmann, Michael Waidner How to Break
and Repair a "Provably Secure" Untraceable
Payment System. 338-350 , CRYPTO 91
5
Is this provable security?
M. Ajtai and C. Dwork. A public-key cryptosystem
with worst-case/ average-case equivalence. In
Proc. 29th ACM STOC, pp. 284-293, 1997
6
A follow-on
P. Nguyen and J. Stern. Cryptanalysis of the
Ajtai-Dwork Cryptosystem Proc. Of Crypto 98, pp.
223-242
7
Problems with provable security

• Who shall guard the guardians?
  Whos to say that a proof is correct?
• Worst case security ? Average case security
• Asymptotic security ? Real world security

8
But even with a more precise notion of provable
security...

9
Amdahls Law
Part 1
Part 2
Part 3
Part 4
10
Amdahls Law
Part 1
Part 2
Part 3
Part 4
Accelerating a small piece doesnt help
much
11
Amdahls Law of Security
Crypto
Part 1
Part 2
Part 3
Part 4
12
Amdahls Law of Security
Part 1
Part 2
Part 3
Part 4
Strengthening secure part doesnt help much
13
Provable Security Strengthens Most Secure Part

• As far as we know, cryptography is rarely weakest
  point in system. Instead, its
• Bad password selection
• Social engineering
• Bad software implementation

14
A major security problem...
Where do you want to go today?
15
Provable security

• May distract from more critical vulnerabilities
• Hackers just go around the crypto
• May yield more complex algorithms, and therefore
  make correct implementation less likely
• Slow down implementations and encourage avoidance
  of crypto

16
What lessons to be learned?

• Emphasis on extensive expert and empirical
  testing as a basis for security as with, e.g.,
  RSA
• Can be in addition to proofs
• Emphasis on simple proofs and algorithms and on
  exact security