The fundamental goal of provable security, D. J. Bernstein (PDF document)

SLIDE 1

The fundamental goal of “provable security”

D. J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

Let’s focus on what “provable security” is trying to do. Let’s not get distracted by current obstacles: proof errors, looseness, limited models, etc. Surely these can all be fixed.

Let’s look at an example ...

SLIDE 2

Chaum–van Heijst–Pfitzmann, Crypto 1991: choose p sensibly; define H(x, y) = 4^x 9^y mod p for suitable ranges of x and y. Simple, beautiful, structured. Very easy security reduction: finding an H collision implies computing a discrete logarithm.

SLIDE 3

Typical exaggerations: H is “provably secure”; H is “cryptographically collision-free”; “security follows from rigorous mathematical proofs”.

SLIDE 4

This is very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” compression-function designs such as BLAKE.

SLIDE 5

How did we figure this out? Cryptanalysis! Security losses in H include: 1922 Kraitchik (index calculus); 1986 Coppersmith–Odlyzko–Schroeppel (NFS predecessor); 1993 Gordon (general DL NFS); 1993 Schirokauer (faster NFS); 1994 Shor (quantum poly time).

SLIDE 6

A security reduction can be a useful guide to cryptanalysts: “to attack H, focus on DL.”

SLIDE 7

But if you advertise the “provable security” of H to cryptographic users then you’re a snake-oil salesman. “Provable security” has very little correlation with actual security, maybe even negative correlation: H’s structure helps the proof but also helps attackers. “If it’s provably secure, it’s probably not” —Lars Knudsen
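
The reduction on slides 2–3 (a collision in H yields a discrete logarithm) and the point on slide 7 that the same structure helps attackers, worked through as an added Python example that is not from Bernstein’s slides or the Chaum–van Heijst–Pfitzmann paper. The toy parameters (p = 2039, q = 1019, a safe prime so that 4 and 9 generate the order-q subgroup), the seeded birthday search and the function names are constructed for this illustration and are far too small for anything but illustration.

```python
# Added example (not from Bernstein's slides): the Chaum-van Heijst-Pfitzmann
# hash H(x, y) = 4^x 9^y mod p, the collision -> discrete-log reduction, and
# what an attacker who has solved that discrete log can then do with H.
import random


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Toy parameters (constructed for this example): p = 2q + 1 is a safe prime,
# so 4 and 9 (both squares) generate the subgroup of prime order q.
Q = 1019
P = 2 * Q + 1
assert is_prime(Q) and is_prime(P)
assert pow(4, Q, P) == 1 and pow(9, Q, P) == 1


def chp_hash(x, y, p=P):
    """H(x, y) = 4^x 9^y mod p, with x, y in [0, q-1]."""
    return (pow(4, x, p) * pow(9, y, p)) % p


def find_collision(seed=1, q=Q):
    """Generic birthday search: hash random inputs until a value repeats.
    Returns two distinct inputs with the same hash (about sqrt(q) evaluations)."""
    rng = random.Random(seed)
    seen = {}
    while True:
        x, y = rng.randrange(q), rng.randrange(q)
        h = chp_hash(x, y)
        if h in seen and seen[h] != (x, y):
            return seen[h], (x, y)
        seen[h] = (x, y)


def dlog_from_collision(pair1, pair2, q=Q):
    """The security reduction: 4^x1 9^y1 = 4^x2 9^y2 (mod p) means
    4^(x1-x2) = 9^(y2-y1), hence log_4(9) = (x1-x2) * (y2-y1)^-1 mod q."""
    (x1, y1), (x2, y2) = pair1, pair2
    dx = (x1 - x2) % q
    dy = (y2 - y1) % q
    if dy == 0:
        # then 4^dx = 1, so dx = 0 as well: the two inputs were equal mod q
        raise ValueError("inputs are not a genuine collision")
    return dx * pow(dy, -1, q) % q


def second_preimage(x, y, k, q=Q):
    """Once k = log_4(9) is known, H(x, y) = 4^((x + k*y) mod q) is linear in
    the exponent: pick any other y' and solve for x'. Collisions are free."""
    y2 = (y + 1) % q
    x2 = (x + k * (y - y2)) % q
    return x2, y2


if __name__ == "__main__":
    c1, c2 = find_collision()
    k = dlog_from_collision(c1, c2)
    print("collision", c1, c2, "-> log_4(9) =", k, "verified:", pow(4, k, P) == 9)
    x2, y2 = second_preimage(123, 456, k)
    print("second preimage of (123, 456):", (x2, y2),
          "verified:", chp_hash(123, 456) == chp_hash(x2, y2))
```

The reduction really is as easy as the slide says: a handful of modular arithmetic turns any collision into log_4(9). The same algebra read in the other direction is the attacker’s view: whoever computes that one discrete logarithm (by index calculus, NFS or Shor, as listed on slide 5) gets a second preimage for every input, which is why the reduction says nothing about the hash being harder to break than DL.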

SLIDE 8

Not everyone agrees: “The only reasonable approach is to construct cryptographic systems with the objective of being able to give security reductions.” —Ivan Damgård

SLIDE 9

This approach produces papers but does not produce security. From a security perspective, the only reasonable objective is to construct cryptographic systems that will survive cryptanalysis. Users should select cryptographic systems based on cryptanalysis.