Questions tagged [provable-security]

A primitive or protocol with provable security is accompanied by a mathematical proof that shows how to reduce the security claims about the protocol to a set of assumptions.

Provable security does not imply that the assumptions are correct. Generally one faces a choice between less efficient protocols based on "standard" or "plain-model" assumptions and more efficient protocols based on "non-standard" (but not known to be incorrect) assumptions.

675 questions
31 votes, 4 answers

Why does Neumann think cryptography isn't the solution?

What did Peter G. Neumann mean by: "If you think cryptography is the answer to your problem, then you don't know what your problem is." (e.g. quoted in the New York Times, February 20, 2001)
user2768
15 votes, 3 answers

What are the differences between proofs based on simulation and proofs based on games?

What are the main pros and cons of proving the "security" of a crypto scheme under simulation proofs instead of game-based proofs?
curious
13 votes, 1 answer

How did the Koblitz/Menezes papers affect the cryptography community?

Two highly-critical papers by Koblitz and Menezes (two well-regarded mathematicians who've contributed to the crypto community) were published years ago: Another Look at “Provable Security” in 2004, Another Look at “Provable Security”. II in…
Fixee
13 votes, 1 answer

Difference between computational and statistical indistinguishability

What is the difference between the two notions of computational and statistical indistinguishability?
Dingo13
9 votes, 4 answers

Why haven't we proven many things computationally secure yet?

Brute force is infeasible for just about every algorithm we use today. Yet, attacks are feasible. This is because weaknesses keep coming up in our algorithms. Why? We have proven lower bounds for things like sorts, the information security of things…
Christopher King
7 votes, 2 answers

Proof by reduction vs. hybrid argument

In many cases while going through security proofs I have seen that some do it using a blackbox reduction to some known hardness assumption (DDH) and others do it using a hybrid argument by arguing the indistinguishability between the hybrids is…
Cinderella
6 votes, 1 answer

"Reduced to" vs "deduced from"

Assume it's proven: "Security of protocol $\Pi$ can be deduced from hardness of problem $P$". Is it correct to state: "Security of protocol $\Pi$ can be reduced to (hardness of) problem $P$"? My question is about accepted VOCABULARY in the field…
fgrieu
6 votes, 2 answers

What is the relation between computational security and provable security?

I read the book "Introduction to Modern Cryptography". It gives the notion of computational security of private-key encryption at first, which comes from perfect security and statistical security. Let $(E,D)$ be an encryption scheme that uses $n$-bit…
Blanco
5 votes, 1 answer

Questions about the ideal cipher model

I've read that we can study the security of modes of operation by assuming the use of an ideal block cipher. I've also seen a paper suggesting that the ideal cipher model could be something other than an ideal block cipher. Are there protocols…
Dingo13
4 votes, 1 answer

Are there any more ways to validate a security proof except peer review?

Are there any ways better than peer review to validate a security proof? Are there any ways to make your security proof easier to validate, e.g. using a simulator-based proof instead of a game-based proof? Can we "reduce" a security proof to something…
WeCanBeFriends
4 votes, 1 answer

On Proving That a Primitive Does Not Exist

In the paper of Hsiao and Reyzin, Section $1.4$: "Note that to show that no general reduction from $P$ to $Q$ exists requires proving that $Q$ does not exist." Since the statement is about trying to rule out the implication $Q \rightarrow P$,…
user25240
4 votes, 3 answers

Fault-based transition for crypto proof (a la Shoup) with big probability of fault - does it work?

Background: In [Shoup2004], Victor Shoup synthesizes the 'sequence of games' technique for proving security properties. Roughly, it consists in a sequence from game_0 to game_n, game_0 consisting in the property. You prove that for any two games the…
4 votes, 1 answer

Confusion about the meaning of reduction

I'm learning provable security, and I'm a bit confused with the concept of reduction. So, here's my understanding: to prove a protocol/scheme/generic construction is at some level of security, there are three components: the scheme itself ---> a…
Daisy Ding
3 votes, 0 answers

Trust-less blind execution environment (thought experiment)

I apologize for the theoretical nature of this question, but it has cost me a lot of sleep over the past months. Querying my immediate peers has so far failed to produce results. I assume this question belongs to the domains of Cryptography &…
telamon
3 votes, 0 answers

Are there only two ways to prove a cryptographic protocol is secure?

If I want to prove my protocol is secure, can I just use a game-based approach and/or a simulator approach? Or are there other common approaches?
WeCanBeFriends