## Another Look at “Provable Security" (2004)

### Cached

### Download Links

Citations: | 63 - 12 self |

### BibTeX

@TECHREPORT{Koblitz04anotherlook,

author = {Neal Koblitz and Alfred J. Menezes},

title = {Another Look at “Provable Security"},

institution = {},

year = {2004}

}

### Years of Citing Articles

### OpenURL

### Abstract

We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.

### Citations

11418 |
Computers and Intractability: A Guide to the Theory of NP -completeness
- Garey, Johnson
- 1979
(Show Context)
Citation Context ...thm to solve P2 could use it to solve P1 with relatively little additional effort; in that case one says that P1 reduces to P2. The most familiar use of reductions is in the theory of NP-completeness =-=[28]-=-, where P1 is a well-known NP-complete problem such as 3SAT and P2 is another NP problem that you want to prove is NP-complete. In cryptography, P1 is a mathematical problem such as factoring that is ... |

3160 | A Method for Obtaining Digital Signatures and Public Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ... more elaborate criteria for security than just non-invertibility of the underlying one-way function. 1.1 The first system with reductionist security — Rabin encryption Soon after the earliest paper=-=s [24, 50]-=- on public-key cryptography appeared, many people started to realize that breaking a system was not necessarily equivalent to solving the underlying mathematical problem. For example, the RSA function... |

2929 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ... more elaborate criteria for security than just non-invertibility of the underlying one-way function. 1.1 The first system with reductionist security — Rabin encryption Soon after the earliest paper=-=s [24, 50]-=- on public-key cryptography appeared, many people started to realize that breaking a system was not necessarily equivalent to solving the underlying mathematical problem. For example, the RSA function... |

1419 | Random Oracles are Practical: A Paradigm for Designing Efficient - Bellare, Rogaway - 1993 |

1231 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...t to systematically develop precise definitions and appropriate “models” of security for various types of cryptographic protocols. One of the seminal ideas of that period was probabilistic encrypt=-=ion [31, 32]. In-=- public-key cryptography, where everyone has the information needed to encipher, deterministic encryption — in which a given plaintext is enciphered into one and only one possible ciphertext — has... |

1217 | A Public Key Cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...y supports it, and we conclude with some informal remarks about whether “proving” security is an art or a science. 2 Cramer–Shoup Encryption We start by describing the basic ElGamal encryption s=-=cheme [25]. Le-=-t G be the subgroup of prime order q of the multiplicative group of the prime field of p elements, where q|p − 1, and let g ∈ G be a fixed element (not the identity). (In practice, p might be a 10... |

881 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...wasser and Tauman claim to have found a difficulty with Pointcheval and Stern’s [46] use of the random oracle assumption to show security of signature schemes constructed by the method of Fiat–Sha=-=mir [26]. Tha-=-t is, suppose that we have an (α; β; γ) identification protocol. This means that Alice proves her identity to Bob by sending him a message α, then receiving from him a random sequence β, and fina... |

863 | A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...acks has purportedly been proved in [59] and [30]. If these proofs are correct, then the matter has finally been settled. The second important theoretical advance in the mid-1980’s was the first wor=-=k [33, 34] to gi-=-ve a definition of what it means for digital signatures to be secure. That definition has stood the test of time and is still widely used today. Goldwasser–Micali–Rivest replace “chosen-cipherte... |

792 | Jun: Di®erential Power Analysis
- Kocher, Ja®e, et al.
- 1999
(Show Context)
Citation Context ...uting devices during the execution of private-key operations such as decryption and signature generation. The kind of information that can be exploited includes execution time [39], power consumption =-=[40], -=-electromagnetic radiation [1], induced errors [13], and error messages [41]. Finally, we should mention two fundamental contributions in the 1990’s to the theoretical study of security issues, both ... |

618 |
Efficient Signature Generation for Smart Cards
- Schnorr
(Show Context)
Citation Context ... a signature scheme based on a discrete-log primitive. 5 Schnorr Signatures and the Forking Lemma 5.1 The equivalence of Schnorr signature forgery and discrete logs We first describe Schnorr’s metho=-=d [53] for si-=-gning a message. As in §2, let q be a large prime, and let p be an even larger prime such that p ≡ 1 (mod q). In practice, roughly p ≈ 2 1024 and q ≈ 2 160 . Let g be a generator of the cyclic ... |

593 | Short signatures from the Weil pairing
- Boneh, Shacham, et al.
(Show Context)
Citation Context ...e, this decision problem is likely to be strictly easier than the Computational Diffie– Hellman Problem; in fact, promising new cryptographic protocols have recently been developed (see, for example=-=, [15]) based on-=- the “gap” in difficulty between these two problems in certain groups. On the other hand, these “Diffie–Hellman gap groups” seem to be very exceptional (the best examples are supersingular e... |

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
(Show Context)
Citation Context ...naive ElGamal that was described above); w contains the message m “disguised” by the “mask” e r ; and u1 and u2 are the clues she needs to remove the mask. 4 They used a slightly weaker assump=-=tion in [23]-=-, namely, that H is a member of a universal one-way hash family; however, collision-resistance is just as good in practice. Note that they do not make the random oracle assumption. 9sMore precisely, t... |

476 | Timing Attacks on Implementations of Diffie-Hellman
- Kocher
(Show Context)
Citation Context ...ation leaked by the computing devices during the execution of private-key operations such as decryption and signature generation. The kind of information that can be exploited includes execution time =-=[39], -=-power consumption [40], electromagnetic radiation [1], induced errors [13], and error messages [41]. Finally, we should mention two fundamental contributions in the 1990’s to the theoretical study o... |

426 | Modular Elliptic Curves and Fermat’s Last Theorem
- Wiles
- 1995
(Show Context)
Citation Context ...spurporting to prove Fermat’s Last Theorem. Within two months a referee found a subtle gap in the long, extremely difficult proof — a gap that was fixed a little over a year later by Taylor and Wi=-=les [58, 60]. A more-=- recent example of the scrutiny that a dramatic new result gets in mathematics is the response to the theorem that “Primes is in P” of Agrawal–Kayal–Saxena [2]. Their proof, while ingenious, w... |

358 |
Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
- Rackoff, Simon
- 1991
(Show Context)
Citation Context ... RSA “padding.” In the context of probabilistic encryption, Goldwasser and Micali [31, 32] were able to define strong notions of security that were later extended by Naor– Yung [45] and Rackoff�=-=��Simon [49]-=- to cover chosen-ciphertext attacks. One basic 5sconcept is that of semantic security. This means that the attacker is unable to obtain any information at all (except for its bitlength) about the plai... |

352 | The exact security of digital signatures - How to sign with RSA and Rabin - Bellare, Rogaway - 1996 |

324 | On the Importance of Checking Cryptographic Protocols for Faults
- Boneh, DeMillo, et al.
- 1997
(Show Context)
Citation Context ...erations such as decryption and signature generation. The kind of information that can be exploited includes execution time [39], power consumption [40], electromagnetic radiation [1], induced errors =-=[13], -=-and error messages [41]. Finally, we should mention two fundamental contributions in the 1990’s to the theoretical study of security issues, both by Bellare and Rogaway. In [6] they studied the use ... |

303 |
Digitalized Signatures and Public-key Functions as Intractable as Factorization
- Rabin
- 1979
(Show Context)
Citation Context ...lo n. However, no one could really say for sure. And much more recently, work by Boneh and Venkatesan [16] suggests that inverting the RSA function might not be equivalent to factoring. In 1979 Rabin =-=[48]-=- produced an encryption function that could be proved to be invertible only by someone who could factor n. His system is similar to RSA, except that the exponent is 2 rather than an integer e prime to... |

300 |
Elliptic curve public key cryptosystems
- Menezes
- 1993
(Show Context)
Citation Context ...y function. This is in fact the impression conveyed in some of the mathematically oriented introductions to cryptography. The first books on cryptography that the two of us wrote in our naive youth 1 =-=[38, 44]-=- suffer from this defect: the sections on security deal only with the problem of inverting the one-way function. The problem with this limited view of security is that it fails to anticipate most of t... |

299 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
(Show Context)
Citation Context ...definition of A0, the second number is at most #(A \ A0)ɛb/2 ≤ aɛb/2. Then there are fewer than (ɛa/2)b + aɛb/2 = ɛab good pairs in all, and this is a contradiction. 5.4 The “forking lemma”=-= Following [46, 47],-=- let us return to the forger in §5.1, but now make a weaker and more realistic assumption, namely, that the signature scheme is attacked by a probabilistic chosen-message existential forger in the ra... |

260 | Public key cryptosystems provable secure against chosen ciphertext attacks", STOC '90
- Naor, Yung
(Show Context)
Citation Context ...tion; this is called an RSA “padding.” In the context of probabilistic encryption, Goldwasser and Micali [31, 32] were able to define strong notions of security that were later extended by Naor–=-= Yung [45] a-=-nd Rackoff–Simon [49] to cover chosen-ciphertext attacks. One basic 5sconcept is that of semantic security. This means that the attacker is unable to obtain any information at all (except for its bi... |

254 | Ring-theoretic properties of certain hecke algebra
- Taylor
- 1995
(Show Context)
Citation Context ...spurporting to prove Fermat’s Last Theorem. Within two months a referee found a subtle gap in the long, extremely difficult proof — a gap that was fixed a little over a year later by Taylor and Wi=-=les [58, 60]. A more-=- recent example of the scrutiny that a dramatic new result gets in mathematics is the response to the theorem that “Primes is in P” of Agrawal–Kayal–Saxena [2]. Their proof, while ingenious, w... |

249 | Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS
- Bleichenbacher
(Show Context)
Citation Context ...ages have to adhere to a certain format, and if a decrypted message is not in that form Alice’s computer transmits an error message to the sender. This seems innocuous enough. However, Bleichenbache=-=r [10] s-=-howed that the error messages sometimes might compromise security. Bleichenbacher’s idea can be illustrated if we consider a simplified version of the protocol that he attacked in [10]. Suppose that... |

224 | Security proofs for signature schemes, in
- Pointcheval, Stern
- 1996
(Show Context)
Citation Context ...definition of A0, the second number is at most #(A \ A0)ɛb/2 ≤ aɛb/2. Then there are fewer than (ɛa/2)b + aɛb/2 = ɛab good pairs in all, and this is a contradiction. 5.4 The “forking lemma”=-= Following [46, 47],-=- let us return to the forger in §5.1, but now make a weaker and more realistic assumption, namely, that the signature scheme is attacked by a probabilistic chosen-message existential forger in the ra... |

216 | Optimal asymmetric encryption { How to encrypt with RSA
- Bellare, Rogaway
(Show Context)
Citation Context ...te 1970’s (with the condition that the image of the hash function be the full set of residues) seems still to be the one to use. 7 4 The Search for Optimal RSA Encryption In 1994, Bellare and Rogawa=-=y [7] p-=-roposed a protocol for encrypting messages that they called Optimal Asymmetric Encryption Padding (OAEP). Their method was mainly intended to be used with the RSA function y = x e (mod n) — in which... |

210 |
A Course in Number Theory and Cryptography
- Koblitz
- 1991
(Show Context)
Citation Context ...y function. This is in fact the impression conveyed in some of the mathematically oriented introductions to cryptography. The first books on cryptography that the two of us wrote in our naive youth 1 =-=[38, 44]-=- suffer from this defect: the sections on security deal only with the problem of inverting the one-way function. The problem with this limited view of security is that it fails to anticipate most of t... |

209 | The decision Diffie–Hellman problem, in
- Boneh
- 1998
(Show Context)
Citation Context ... answer the decision version of the problem. The reverse implications are not known, although there is evidence that the first two problems may be equivalent [42, 14] and the last two probably aren’=-=t [11]. 2.1 -=-The Cramer–Shoup encryption scheme and security claim We are now ready to state the Cramer–Shoup Reductionist security claim. If the Decision Diffie–Hellman Problem is hard in the group G and if... |

198 |
The Foundations of Cryptography
- Goldreich
- 2004
(Show Context)
Citation Context ...e natural definition, and so all proofs in the literature use it. The equivalence of indistinguishability and semantic security under chosen-ciphertext attacks has purportedly been proved in [59] and =-=[30]. -=-If these proofs are correct, then the matter has finally been settled. The second important theoretical advance in the mid-1980’s was the first work [33, 34] to give a definition of what it means fo... |

137 |
Probabilistic encryption & how to play mental poker keeping secret all partial information
- Goldwasser, Micali
- 1982
(Show Context)
Citation Context ...t to systematically develop precise definitions and appropriate “models” of security for various types of cryptographic protocols. One of the seminal ideas of that period was probabilistic encrypt=-=ion [31, 32]. In-=- public-key cryptography, where everyone has the information needed to encipher, deterministic encryption — in which a given plaintext is enciphered into one and only one possible ciphertext — has... |

135 | RSA– OAEP is secure under the RSA assumption
- Fujisaki, Okamoto, et al.
(Show Context)
Citation Context ...ary must query H(s ∗ ). Moreover, Shoup showed that if ν is much less than σ (which would be true in practice) and if e = 3 (a restriction that was later removed by Fujisaki–Okamoto–Pointcheva=-=l–Stern [27]), the-=-n the Bellare–Rogaway reductionist security claim is valid for RSA-OAEP (but not for OAEP with other trapdoor one-way functions). The crucial point is that if you know s ∗ and y ∗ , then the equ... |

122 | On the exact security of full domain hash
- Coron
- 2000
(Show Context)
Citation Context ...e. In the reduction we saw that the forgery program would have to be used roughly O(q) times (where q is the number of hash queries) in order to find the desired e-th root modulo n. A result of Coron =-=[21]-=- shows that this can be improved to O(qs), where qs denotes a bound on the number of signature queries. (Thus, q = qs + qh, where qh is a bound on the number of hash function queries that are not foll... |

103 | New explicit conditions of elliptic curve traces for FRreduction
- MIYAJI, NAKABAYASHI, et al.
- 2001
(Show Context)
Citation Context ... certain groups. On the other hand, these “Diffie–Hellman gap groups” seem to be very exceptional (the best examples are supersingular elliptic curves and certain families of ordinary elliptic curves =-=[37, 47]-=-). In the groups that Cramer–Shoup would use, as far as we know there is no way to solve Decision Diffie–Hellman that is faster than finding discrete logarithms. So their assumption that the Decision ... |

91 |
Finding a Small Root of a Univariate Modular Equation
- Coppersmith
- 1996
(Show Context)
Citation Context ... with other trapdoor one-way functions). The crucial point is that if you know s ∗ and y ∗ , then the equation x ∗3 = (2 ν s ∗ + t ∗ ) 3 ≡ y ∗ (mod n) can be solved for t ∗ using Copp=-=ersmith’s method [20] for-=- finding small roots of polynomials modulo n. In addition, Shoup [55] proposed a modification of OAEP, which he called OAEP+ (“optimal asymmetric encryption padding plus”), for which he showed tha... |

85 |
The notion of security for probabilistic cryptosystems
- Micali, Rackoff, et al.
- 1988
(Show Context)
Citation Context ...er it chooses m0, m1, it cannot guess which of the two messages was encrypted with significantly more than 1/2 chance of success. These two strong notions of security are closely related; in fact, in =-=[31, 32, 46]-=- they were proved to be equivalent against a passive adversary. But for a long time it was not clear whether or not they are equivalent under active attacks. It is quite surprising that the equivalenc... |

82 | An Un-Instantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
- Bellare, Boldyreva, et al.
(Show Context)
Citation Context ...reat interest at the time because it was a practical system for which a reductionist security argument could be given under a weaker hash function assumption. Recently, Bellare, Boldyreva and Palacio =-=[5, 4]-=- obtained a striking result. They constructed an example of a type of cryptographic system that purportedly is practical and realistic and that has a natural and important security property under the ... |

79 |
Algorithms for black-box fields and their application to cryptography
- Boneh, Lipton
- 1996
(Show Context)
Citation Context ...utational Diffie–Hellman problem will also answer the decision version of the problem. The reverse implications are not known, although there is evidence that the first two problems may be equivalen=-=t [42, 14] and the-=- last two probably aren’t [11]. 2.1 The Cramer–Shoup encryption scheme and security claim We are now ready to state the Cramer–Shoup Reductionist security claim. If the Decision Diffie–Hellman... |

72 |
A modification of the RSA public-key encryption procedure
- Williams
- 1980
(Show Context)
Citation Context ...and ≡ −1 (mod q). That means that someone who can find messages must know the value of ɛ, in which case n can be factored quickly using the Euclidean algorithm, since g.c.d.(n, ɛ − 1) = p. 2 W=-=illiams [61]-=- developed a variant of Rabin encryption in which a plaintext is modified in a simple manner so that the plaintext can be uniquely recovered from its square, that is, from the ciphertext. 3sWe also gi... |

70 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms
- Maurer
- 1994
(Show Context)
Citation Context ...utational Diffie–Hellman problem will also answer the decision version of the problem. The reverse implications are not known, although there is evidence that the first two problems may be equivalen=-=t [42, 14] and the-=- last two probably aren’t [11]. 2.1 The Cramer–Shoup encryption scheme and security claim We are now ready to state the Cramer–Shoup Reductionist security claim. If the Decision Diffie–Hellman... |

70 | Using hash functions as a hedge against chosen ciphertext attack
- Shoup
- 2000
(Show Context)
Citation Context ...be able to produce a valid signature for one of the messages mi that Alice has not signed. Notice that in the random oracle model the forger does not have an algorithm 6 It is worth noting that Shoup =-=[54] ha-=-s given a variant of the Cramer–Shoup encryption scheme for which he can show indistinguishability under chosen-ciphertext attack either with the assumptions in §2.1 or else with the assumption tha... |

60 |
Simplified OAEP for the RSA and Rabin Functions
- Boneh
- 2001
(Show Context)
Citation Context ...it strings. 4.3 Boneh brings us back to Rabin At this point it might have appeared that the search for optimal RSA encryption had ended with Optimal Asymmetric Encryption Padding Plus. However, Boneh =-=[12] w-=-as able to improve upon Shoup’s result. He simplified the construction by reducing the number of Feistel rounds from two to one, and he showed that the reductionist security claim still holds. In ot... |

55 | Optimal Security Proofs for PSS and Other Signature Schemes
- Coron
- 2002
(Show Context)
Citation Context ...h time, namely 2 80 , as to find an e-th root modulo n. Assuming that Coron’s result cannot be improved to give a tight reduction argument (which he essentially proves to be the case in a later pape=-=r [22]),-=- we’re confronted with a discrepancy between the informal argument and the result coming from formal reduction. Who is right? What is going on here? 3.2 A tale of two RSA problems We can shed light ... |

54 |
A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized
- Manger
(Show Context)
Citation Context ...on and signature generation. The kind of information that can be exploited includes execution time [39], power consumption [40], electromagnetic radiation [1], induced errors [13], and error messages =-=[41]. Fi-=-nally, we should mention two fundamental contributions in the 1990’s to the theoretical study of security issues, both by Bellare and Rogaway. In [6] they studied the use of the “random oracle mod... |

47 |
Breaking RSA may not be equivalent to factoring
- BONEH, VENKATESAN
(Show Context)
Citation Context ...was highly unlikely that someone would find a quicker way than factoring n to find e-th roots modulo n. However, no one could really say for sure. And much more recently, work by Boneh and Venkatesan =-=[16]-=- suggests that inverting the RSA function might not be equivalent to factoring. In 1979 Rabin [48] produced an encryption function that could be proved to be invertible only by someone who could facto... |

47 | On the (In)security of the Fiat-Shamir Paradigm
- Goldwasser, Tauman
- 2003
(Show Context)
Citation Context ...ns are at least as far removed from real-world cryptography as the one in [5, 4]. We briefly discuss a recent example of this type of work that is concerned with signatures rather than encryption. In =-=[35, 36] Gol-=-dwasser and Tauman claim to have found a difficulty with Pointcheval and Stern’s [46] use of the random oracle assumption to show security of signature schemes constructed by the method of Fiat–Sh... |

41 | Practice-oriented provable-security
- Bellare
- 1997
(Show Context)
Citation Context ...t and practical schemes. We shall have more to say about the random oracle model in later sections. In addition, Bellare and Rogaway developed the notion of “practice-oriented provable security” (=-=see [3]-=-). As a result of their work, reductionist security arguments started to be translated into an exact, quantitative form, leading, for example, to specific recommendations about keylengths. The objecti... |

35 |
A “paradoxical” solution to the signature problem
- Goldwasser, Micali, et al.
- 1984
(Show Context)
Citation Context ...acks has purportedly been proved in [59] and [30]. If these proofs are correct, then the matter has finally been settled. The second important theoretical advance in the mid-1980’s was the first wor=-=k [33, 34] to gi-=-ve a definition of what it means for digital signatures to be secure. That definition has stood the test of time and is still widely used today. Goldwasser–Micali–Rivest replace “chosen-cipherte... |

30 | A signature scheme as secure as the Diffie-Hellman problem
- Goh, Jarecki
- 2003
(Show Context)
Citation Context ...orr scheme to lose its advantage of short signatures and rapid computation, we probably have to put aside any thought of getting a “provable security” guarantee. Finally, we note that Goh and Jare=-=cki [29] re-=-cently proposed a signature scheme for which they gave a tight reduction (in the random oracle model) from the computational Diffie–Hellman problem (see §2). Generally speaking, this is not as good... |

25 | Flaws in Applying Proof Methodologies to Signature Schemes
- Stern, Pointcheval, et al.
- 2002
(Show Context)
Citation Context ...d the papers. Moreover, the strange history of OAEP — where a “proof” was accepted for seven years before a fallacy was noticed — hardly inspires confidence. Stern, Pointcheval, Malone-Lee, an=-=d Smart [57]-=- comment: Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be va... |

25 | Efficiency improvements for signature schemes with tight security reductions
- Katz, Wang
(Show Context)
Citation Context ...ash function be the full set of residues) seems still to be the one to use. 8 3.4 A variant of PSS Before leaving the topic of RSA signature schemes, we look at a recent construction of Katz and Wang =-=[38]-=- that is similar to PSS but more efficient. They show that instead of the random string r one need only take a single random bit. 8 Our purpose here is to highlight the comparison between PSS and full... |

24 |
Efficiency improvements for signature schemes with tight security reductions
- Katz, Wang
- 2003
(Show Context)
Citation Context ...ture schemes that are superior to both. For example, Bernstein [9] argues in favor of a version of Rabin signatures [48] for which he gives a tight reductionist security argument. Also, Katz and Wang =-=[37]-=- give a slight modification of full-domain hash RSA for which they provide a tight reduction to hardness of the RSA problem. 16sthat is, the component-wise sum modulo 2). Next, he evaluates H(s), comp... |