Title: Provable Security: Some Caveats
1. Provable Security: Some Caveats
Ari Juels, RSA Laboratories, 3 November 1999
2. What is provable security?
3. Is this provable security?
Ivan Damgård. Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals. CRYPTO '88, pp. 328-335
4. Or this follow-on?
Birgit Pfitzmann, Michael Waidner. How to Break and Repair a "Provably Secure" Untraceable Payment System. CRYPTO '91, pp. 338-350
5. Is this provable security?
M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pp. 284-293, 1997
6. A follow-on
P. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork Cryptosystem. Proc. of Crypto '98, pp. 223-242
7. Problems with provable security
- Who shall guard the guardians? Who's to say that a proof is correct?
- Worst case security ≠ Average case security
- Asymptotic security ≠ Real world security
8. But even with a more precise notion of provable security...
9. Amdahl's Law
[Figure: Part 1, Part 2, Part 3, Part 4]
10. Amdahl's Law
[Figure: Part 1, Part 2, Part 3, Part 4]
Accelerating a small piece doesn't help much
11. Amdahl's Law of Security
[Figure: Crypto; Part 1, Part 2, Part 3, Part 4]
12. Amdahl's Law of Security
[Figure: Part 1, Part 2, Part 3, Part 4]
Strengthening secure part doesn't help much
13. Provable Security Strengthens Most Secure Part
- As far as we know, cryptography is rarely weakest point in system. Instead, it's:
  - Bad password selection
  - Social engineering
  - Bad software implementation
14. A major security problem...
Where do you want to go today?
15. Provable security
- May distract from more critical vulnerabilities
- Hackers just go around the crypto
- May yield more complex algorithms, and therefore make correct implementation less likely
- Slow down implementations and encourage avoidance of crypto
16. What lessons to be learned?
- Emphasis on extensive expert and empirical testing as a basis for security, as with, e.g., RSA
  - Can be in addition to proofs
- Emphasis on simple proofs and algorithms and on exact security