Provable Security. It is very difficult to design secure cryptographic schemes. This is illustrated by the number of cryptographic schemes that have been proposed over time and in which flaws have subsequently been discovered. These flaws may be due to new attacks which were not previously known, or simply due to inadequate security analysis on the part of the scheme’s designers. It is therefore crucial to rigorously analyze a scheme for possible security flaws before it is implemented and used in practice. Traditionally, a cryptographic scheme was analyzed by constructing convincing argu- ments that a scheme was immune to the best currently known attack methods because the resources required were greater than those of any reasonable attacker. Such analysis is called heuristic analysis and schemes that survive such analysis are said to have heuristic security. However heuristic security is only a measure of security against currently known at- tacks. It gives little assurance that a scheme is in fact secure since it cannot guarantee that no previously undiscovered attack cannot compromise the scheme’s security. In 1984, Xxxxxxxxxx and Xxxxxx [61] introduced the paradigm of provable security and lead the way for far more rigorous treatments of cryptographic schemes by developing precise definitions and appropriate “models” of security for various cryptographic primi- tives. Xxxxxxxxxx, Xxxxxx and Xxxxxx [63] were the first to formalize a notion of security for digital signature schemes. They also presented a scheme that satisfied their definition under reasonable assumptions. In order to analyze cryptographic primitives, we introduce some useful terminology. An adversary or attacker of a cryptographic scheme is an entity which tries to defeat the intended security objective of the scheme. A passive adversary is one which only monitors communication channels. An active adversary is one which attempts to delete, add, or in some way modify the transmissions on a channel. When reasoning about cryptographic schemes under attack, the entities involved in such schemes, as well as the attacker(s) are modelled as interactive Turing machines, which can be seen as abstractions of modern computers. In general, these Turing machines are probabilistic, meaning that they have access to a supply of random bits. Giving a precise definition of security is an important step when analyzing the secu- rity of a cryptographic scheme. Firstly, the objectives of the scheme need to be clearly understo...
Provable Security. A mathematical statement is an assertion about well-defined, unambiguous concepts. So whenever we want to apply the rigorous tools of mathematics to cryptography, wefirst have to decide how to model the different parties and their interactions (both honest and dishonest) that will take place in an application of our scheme. It is important to realize that a formal security proof can only support our confidence in a scheme’s practical security if the model adequately represents the context and security requirements of the application. One aspect to determine is the power of the adversary, the so-called attack model. Do we allow the adversary to choose the instance (e.g. ciphertext, iden- tity of whose signature to forge) himself, or does it have to break the scheme on any given target? Does it have unlimited computational resources, or perhaps a bounded memory? Can it access some example broken instances different from its target, to learn from? If yes, does it get to choose which example instances? The more power and freedom we grant the adversary in our attack-model, the stronger will be the claims of security that we derive. On the downside, such claims will also be harder to prove, and they might be overkill for applications where malicious parties are constrained by the context (e.g. it only pays offto inconspicuously alter the amount on yourownsavings account). As an example, consider the case of an encryption scheme. Atfirst glance, we simply desire that an adversary should not be able to decrypt a given ciphertext, i.e.figure out the corresponding encrypted plaintext. However, not being able to decrypt does not imply that the adversary is unable to extract any useful information from a ciphertext. In an encrypted voting system he might not be able to determine for which particular candidate a vote is cast, but still distinguish between votes for candidates from different political parties and thus influence the election outcome by discarding votes of a certain kind. In other contexts, an attacker might be able to influence what messages are sent over an encrypted channel and hence obtain some knowledge on the rela- tion between plaintexts and ciphertexts that can help him decrypt. A famous example comes from WWII, where the US knew from a partially decrypted ci- phertext that Japan was planning an attack against ‘AF’, and suspected this to be an encryption of ‘Midway Island’. By leaking a fake message about Midway Island, they observed the Japanese ...
Provable Security. Provable security was invented in the 1980’s by Xxxxxxxxxx and Xxxxxx [28], and origi- xxxxx applied to encryption schemes and signature schemes. A scheme is provable secure if there is a polynomial reduction proof from a known hard computational problem (such as those of Section 2.4) to an attack against the security of the scheme. Thus, if there is a polynomially bounded adversary that breaks the scheme, then the problem assumed to be hard can be solved in polynomial time. Provided that the assumption regarding the hardness of the problem is true, then no such adversary exists. The process in proving security comes in four stages [3],
Provable Security. Recall DAi and DBi denote the two personal mobile devices of the user Ui, and we will now prove that the proposed protocol is secure even though one of the two mobile devices is controlled by a malicious adversary. IDt
