Questions tagged [provable-security]

A primitive or protocol with provable security is accompanied by a mathematical proof that shows how to reduce the security claims about the protocol to a set of assumptions.


Provable security does not imply that the assumptions are correct. In general one may have to choose between less efficient protocols based on "standard" or "plain-model" assumptions and more efficient protocols based on "non-standard" (but not known to be incorrect) assumptions.

723 questions
101 votes, 2 answers

What is the "Random Oracle Model" and why is it controversial?

What is the "Random Oracle Model"? Is it an "assumption" akin to the hardness of factoring and discrete log? Or something else? And why do some researchers have a strong distrust of this model?
Fixee
75 votes, 1 answer

Easy explanation of "IND-" security notions?

There are many schemes that can advertise themselves with certain security notions, usually IND-CPA or IND-CCA2, for example plain ElGamal has IND-CPA security but doesn't provide IND-CCA security. The most common ones are the "IND-" ones,…
61 votes, 6 answers

Soft question: Examples where lack of mathematical rigour causes security breaches?

Cryptographic tools can often become adopted even when their security proofs lack mathematical rigour or are altogether missing. Are there famous cases of security breaches in the industry, where the underlying cryptography was (up until then)…
Snoop Catt
43 votes, 3 answers

Why does nobody use (or break) the Camellia Cipher?

If Camellia is of equivalent security and speed to AES, concerns arise. First of all, assuming the above, why is Camellia so rarely used in practice? Why aren't there any breaks in Camellia? Does that mean that Camellia is currently more secure than…
Chris Smith
34 votes, 8 answers

Why do some people believe that humans are "bad at" generating random numbers/characters like this?

I'm not even sure if they are serious, but I've heard many times that some people refuse to not only trust their computer to generate a random string (which is understandable) but also don't trust themselves to do it. So, instead of simply…
34 votes, 1 answer

What do the signature security abbreviations like EUF-CMA mean?

From time to time, one stumbles across formal security definitions. This includes security definitions for signature schemes. The most common ones are the *UF-* ones, advertising security against specific classes of attackers. Now these notions may…
34 votes, 3 answers

Random oracle model proofs and programmability

Proving the security of a scheme with the random oracle model (ROM) involves two steps: first you prove that the scheme is secure in an idealized world where a random oracle exists, and then you implement this scheme in the real world by replacing…
dira
33 votes, 3 answers

Is 128-bit security still considered strong in 2020, within the context of both ECC Asym & Sym ciphers

Given that much of our ECC crypto primitives provide “only” 128-bit security when defined over a 256-bit curve due to Pollard-rho, is it then still safe in 2020 to consider 128-bit security safe for the medium term (5-8 years)? I’m looking for an…
Woodstock
33 votes, 2 answers

Formal verification in cryptography

I have seen in some places that people use formal verification and/or computer-aided verification for cryptography (tools like ProVerif, CryptoVerif, etc.). How do these approaches work?
user4936
32 votes, 4 answers

Why does Neumann think cryptography isn't the solution?

What did Peter G. Neumann mean by: "If you think cryptography is the answer to your problem, then you don't know what your problem is." (e.g. quoted in the New York Times, February 20 2001)
user2768
31 votes, 2 answers

What are standard cryptographic assumptions?

I am struggling to understand what is meant by "standard cryptographic assumption". The Wikipedia article on the Goldwasser–Micali system (GM) reads "GM has the distinction of being the first probabilistic public-key encryption scheme which is…
3nondatur
31 votes, 1 answer

Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RLWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply uniformly selecting the coefficients from the set…
27 votes, 7 answers

Are there any famous protocols that were proven secure but whose proof was wrong and led to real-world attacks?

Are there modern (post World War II) and famous protocols that were proven secure (in any model: game-based, UC...) but whose proof was wrong and could have led to real-world attacks? Note that: I'm not really concerned about attacks on the…
Léo Colisson
26 votes, 3 answers

What is the ideal cipher model?

What is the ideal cipher model? What assumptions does it make about a block cipher? How does it relate to assuming that my block cipher is a pseudo-random permutation (PRP)? When is the ideal cipher model appropriate to use? How do I tell…
D.W.
21 votes, 3 answers

Are there any secure commutative ciphers?

This answer lists two commutative cipher algorithms - Pohlig-Hellman and SRA. However, they don't appear to be too secure. My question is, are there any commutative ciphers out there that are secure enough for sensitive data encryption / decryption…