What is Provable Security?
Provable security refers to any type or level of security that can be proved. It is used in different ways by different fields. Usually, this refers to mathematical proofs, which are common in cryptography.
In such a proof, the capabilities of the attacker are defined by an adversarial model (also referred to as attacker model): the aim of the proof is to show that the attacker must solve the underlying hard problem in order to break the security of the modelled system.
Such a proof generally does not consider side-channel attacks or other implementation-specific attacks, because they are usually impossible to model without implementing the system (and thus, the proof only applies to this implementation).
A few years ago, provable security was largely known only to theoreticians. This has been changing. We are seeing a growing appreciation of provable security in practice, leading in some cases to the use of such schemes in preference to other ones. Indeed, it seems standards bodies and implementors now view provable security as an attribute of a proposed scheme.
This means that a wider audience needs an understanding of the basic ideas behind provable security. Now that provable security is moving into practice, there are many people who, although not trained as theoreticians or even deeply interested in the details of research, need to make decisions involving claims about provable security.
The kinds of things they need to know are: exactly what provable security provides and doesn't provide; how to compare different provably secure schemes; how to validate a claim of provable security.
Finally, the term provable security is sometimes used by sellers of security software who are attempting to sell security products like firewalls, antivirus software and intrusion detection systems. As these products are typically not subject to scrutiny, many security researchers consider this type of claim to be selling snake oil.
Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked.
This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks.... the use of provable security is more subtle than it appears, and flaws in security proofs themselves might have a devastating effect on the trustworthiness of cryptography.
In cryptography, a system has provable security if its security requirements can be stated formally in an adversarial model, as opposed to heuristically, with clear assumptions that the adversary has access to the system as well as enough computational resources.
Benefits of Provable Security
The proof of security (called a "reduction") is that these security requirements are met provided the assumptions about the adversary's access to the system are satisfied and some clearly stated assumptions about the hardness of certain computational tasks hold.
An early example of such requirements and proof was given by Goldwasser and Micali for semantic security and the construction based on the quadratic residuosity problem. Some proofs of security are given in theoretical models such as the random oracle model, where real cryptographic hash functions are represented by an idealization.
Recently, some research has been performed on obtaining exact bounds for cryptographic reductions without reference to vague polynomial factors, instead obtaining exact numerical factors.
The objective of the present work is to take these exact results as far as possible, providing concrete engineering advice. To do this, we choose a simple protocol, give a provable-security-based proof with exact bounds, and then analyze the results.
"Provable security" means that a security system has been mathematically proven to be secure under some generally accepted assumption. In almost every case, this assumption isn't necessarily known to be true; it's just much easier to reason about and is generally believed to be true.
There are cases where the "assumptions" are the axioms of information theory, laws of probability, or other things that are considered absolutely unquestionable (if you weaken or remove them, you're not working in the same mathematical system anymore), but they're uncommon -- normally, the assumption is "This problem is difficult for a computer to quickly solve" or "This component has such-and-such a property."
For instance, the RSA assumption is "given ciphertext C and public key (N, e), you can't efficiently find M such that M^e = C mod N." RSA-based algorithms tend to use that as their security assumption.
Provable security is a validation technique for the design of cryptographic protocols where the protocol designer states the envisioned security properties and provides a mathematical proof that the proposed protocol satisfies the stated properties, usually by means of a reduction from a set of underlying mathematical or cryptographic assumptions.
Although several flavors of provable security exist, its general principles are widely adopted and even a requirement in the modern cryptographic community.
Their use in the PETs community is somewhat less consistent, partially perhaps because of the complex distributed attack models of PETs, but partially also due to a divide between the PETs and cryptographic communities.
The goal of this workshop is to discuss and promote the application of provable security techniques in the design of privacy-enhancing technologies (PETs).
Provable security is an essential tool for analyzing the security of modern cryptographic primitives. The research community has witnessed the great contributions that the provable security methodology has made to the analysis of cryptographic schemes and protocols.
Nowadays cryptographic primitives without a rigorous "proof" cannot be regarded as sound. Also, the methodology has been used to discover security flaws in cryptographic schemes and protocols which were considered seemingly secure without formal analysis.
On the one hand, provable security provides confidence in using cryptographic schemes and protocols for various real-world applications, but on the other hand, schemes with provable security are sometimes not efficient enough to be used in practice, and the correctness of the proofs may be difficult to verify.
The goals of provable security are to define appropriate models of security on the one hand, and to develop cryptographic designs that can be proven to be secure within the defined models on the other. There are two general approaches for structuring the security proof.
One is the reductionist approach and the other is the game-based approach. In these approaches, the security proofs reduce a well-known problem (such as discrete logarithm or RSA) to an attack against a proposed cryptosystem.
With this approach, the security of a public-key cryptosystem can be proved formally under various models, viz. the random oracle model, the generic group model and the standard model. In this chapter, we will briefly explain these approaches along with the security proofs of well-known public-key cryptosystems under the appropriate model.
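The reduction described above (a "security proof" that turns any attacker on the scheme into a solver for the underlying hard problem) and the game-based style of proof can both be made concrete in code. The following is an added example, not code from the original page or from any of the works it excerpts. It assumes the textbook PRF-based encryption Enc(k, m) = (r, F(k, r) XOR m) with a fresh random r, the IND-CPA game as the security definition, and the PRF-distinguishing game as the underlying assumption. HMAC-SHA256 stands in as a "good" PRF, and `prf_broken` is a constructed bad PRF that ignores its key. The reduction `reduction(A)` builds a PRF distinguisher D from any IND-CPA adversary A, and the two estimators let you see the proof's statement Adv_PRF(D) ≈ Pr[A wins] - 1/2 hold numerically for both PRFs:

```python
import hashlib
import hmac
import os
import secrets

BLOCK = 16  # pad/message length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Two candidate PRFs F(k, r). prf_hmac is a standard construction; prf_broken is a
# constructed "bad" PRF for the demo: it ignores its key, so anyone can compute it.
def prf_hmac(key: bytes, r: bytes) -> bytes:
    return hmac.new(key, r, hashlib.sha256).digest()[:BLOCK]


def prf_broken(key: bytes, r: bytes) -> bytes:
    return hashlib.sha256(r).digest()[:BLOCK]


def make_encryptor(f_oracle):
    """Enc(m) = (r, F(k, r) XOR m) with fresh r. F(k, .) is reached only through
    f_oracle, so the key itself never appears here (this is what lets the
    reduction plug in its own oracle)."""
    def encrypt(m: bytes):
        r = os.urandom(BLOCK)
        return r, xor(f_oracle(r), m)
    return encrypt


def ind_cpa_game(f_oracle, adversary) -> int:
    """One run of the IND-CPA game; returns 1 iff the adversary guesses the bit b."""
    b = secrets.randbits(1)
    encrypt = make_encryptor(f_oracle)
    used = []

    def challenge(m0: bytes, m1: bytes):
        if used or len(m0) != len(m1):
            raise ValueError("exactly one challenge on equal-length messages")
        used.append(True)
        return encrypt(m1 if b else m0)

    return int(adversary(encrypt, challenge) == b)


def keyless_adversary(encrypt, challenge) -> int:
    """Adversary A that exploits a key-independent F by recomputing the pad itself.
    It also makes one chosen-plaintext query, as the CPA model permits."""
    encrypt(bytes(BLOCK))                       # oracle access (result unused here)
    m0, m1 = bytes(BLOCK), bytes([0xFF]) * BLOCK
    r, s = challenge(m0, m1)
    return 0 if xor(prf_broken(b"", r), s) == m0 else 1


def reduction(adversary):
    """The reduction: a PRF distinguisher D built from an IND-CPA adversary A.
    D simulates A's game using its own oracle as F(k, .) and outputs 1 iff A wins.
    If the oracle is a random function the pad is fresh, so A wins with prob 1/2."""
    def distinguisher(oracle) -> int:
        return ind_cpa_game(oracle, adversary)
    return distinguisher


def cpa_success(prf, adversary, trials: int) -> float:
    """Estimate Pr[A wins] against Enc built from prf, fresh random key each run."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(BLOCK)
        wins += ind_cpa_game(lambda r, k=key: prf(k, r), adversary)
    return wins / trials


def prf_advantage(prf, distinguisher, trials: int) -> float:
    """Estimate Adv = Pr[D -> 1 | oracle is F(k,.)] - Pr[D -> 1 | oracle is random]."""
    real = rand = 0
    for _ in range(trials):
        key = os.urandom(BLOCK)
        real += distinguisher(lambda r, k=key: prf(k, r))
        table = {}  # lazily sampled truly random function
        rand += distinguisher(lambda r, t=table: t.setdefault(r, os.urandom(BLOCK)))
    return (real - rand) / trials


if __name__ == "__main__":
    D = reduction(keyless_adversary)
    for name, prf in (("broken", prf_broken), ("hmac", prf_hmac)):
        print(name, "Pr[A wins] =", cpa_success(prf, keyless_adversary, 500),
              "Adv_PRF(D) =", prf_advantage(prf, D, 500))
```

Running it shows the two halves of the proof: against `prf_broken` the adversary wins every game and the distinguisher D built from it detects the bad PRF with advantage about 1/2, while against the HMAC-based PRF the same adversary wins about half the time and D's advantage is about zero. The contrapositive is the theorem: if F really is a PRF, no efficient A can have noticeable IND-CPA advantage.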
The idea of provable operating systems first came about to solve the issue of proving, mathematically, that something was secure. To prove that X + Y = Z, you need to be able to show a mathematical or logical proof.
The same can be said for secure systems: Can you show a logic, in a design for instance, that can offer proof the system is secure? “Provable” being a probability that something is secure. In “A Provably Secure Operating System,” the substance and architecture of a Provably Secure Operating System (PSOS) were proposed.
The design specification of the system was to be a “general-purpose operating system, whose security properties can be formally proven.”
It proposes an encryption/decryption technique which provides asymmetric implementation complexity at the communicating parties and provably enhanced cryptographic security.
Both asymmetric implementation complexity and enhanced security appear as a consequence of the design based on employment of a simulator for binary channels with insertion errors.
The goals are that the party with more powerful resources performs more complex operations and that the entire scheme provides a highly and provably secure level of cryptographic security resulting from the employment of the insertion communications channel paradigm.
Since then, creating encryption algorithms with this kind of “provable security” has been a major goal of cryptography, and new encryption algorithms that meet these criteria are sometimes marketed as “provably secure.”
In fact, no system can be “provably secure” in the strongest sense, since (1) we can’t be 100% certain that the system’s formal security requirements have been specified properly, and (2) we can’t be 100% certain the security proof itself is without error.
We develop an approach to deriving concrete engineering advice for cryptographic protocols from provable-security-style proofs of security. The approach is illustrated with a simple, yet useful protocol. The proof is novel and is the first published proof that provides an exact relationship between a high-level protocol and multiple cryptographic primitives.
We construct provably secure IBI/IBS schemes from code assumptions against impersonation under active and concurrent attacks through a provably secure code-based signature technique proposed by Preetha, Vasant and Rangan (PVR signature), and a security enhancement Or-proof technique.
We also present the parallel-PVR technique to decrease parameter values while maintaining the standard security level. Compared to other code-based IBI/IBS schemes, our schemes achieve not only preferable public parameter size, private key size, communication cost and signature length due to better parameter choices, but are also provably secure.
In an effort toward a commercially viable QKD system with improved key generation rates, we developed a discrete-variable QKD system based on time-bin quantum photonic states that can generate provably secure cryptographic keys at megabit-per-second rates over metropolitan distances.
We give an informal analysis and critique of several typical “provable security” results. In some cases, there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense.
We would feel a little more at ease with “provable security” results if the same tradition of careful examination of all-important papers existed in theoretical cryptography.
We prove that the conventional proof techniques used in theoretical cryptography – black-box reductions and semi black-box reductions – are unable to prove that collision-resistance implies chain-resistance. Hence, in some sense the modifications in time-stamping schemes are necessary for establishing their provable security.