[Cryptography] Are zero knowledge authentication systems safe?

Benjamin Kreuter brk7bx at virginia.edu
Sun Nov 1 18:18:53 EST 2015


On Sun, 2015-11-01 at 07:37 -0500, Jerry Leichter wrote:
> 1.  The proofs that are out there, even if true, often don't prove what
> they claim;

Sort of; I think it is more that the proofs show *exactly* what they
claim, but the claims are very easy to misinterpret.  The typical
example is a proof of some asymptotic result that ignores polynomial
losses in security -- resulting in a system that is only secure for
completely impractical parameter sizes.  Another example that Koblitz
and Menezes bring up are security definitions that do not properly
capture real-world attack scenarios -- i.e. proving the wrong thing.

> 3.  One can find examples where algorithms were almost certainly made
> *weaker* in order to enable a "proof of security".

It is kind of hard to know what this statement means.  If there is no
reason to think an algorithm is secure, how can we say it was weakened?
What appears to be a weakness may actually be key to security.

Really though, as cryptography is applied to more complicated problems,
ad-hoc approaches to security are almost certainly going to become less
common.  The process by which TLS*, IPSec, SSH, etc. were designed would
be a disaster for multiparty computation (which is already seeing
real-world use and will almost certainly become more common in the near
future).  Security arguments based on *tight* reductions to some
underlying assumptions are going to be necessary if we ever want to do
more than encrypt and authenticate data.

-- Ben

* Yes, there are a few examples of attempts to use a provably secure
design that created even more of a mess for TLS.  There is a much longer
list of problems with TLS stemming from ad-hoc designs that lacked any
security argument.  The broader point is that incrementally refining the
security of a protocol, which has been the general process for TLS, is
not going to work well for the next generation of cryptosystems.
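As an added worked example (not part of Ben's message, and not code from any project discussed here), the following script makes the "polynomial losses in security" point concrete: a reduction that loses a factor L in advantage guarantees log2(L) fewer bits of security than the underlying assumption, so a loss that is polynomial in the adversary's query count q can still be asymptotically harmless yet concretely enormous. The query bound 2^60, the 128-bit target and the 256-bit deployed group are assumed sample values; the generic-group rule of thumb (discrete-log hardness is about half the group size in bits) is a standard estimate, not something the post states.

```python
import math

# Added illustration: concrete-security accounting for a reduction with a
# "polynomial loss". Query counts, targets and group sizes below are assumed
# sample values chosen to make the arithmetic visible.


def concrete_security_bits(assumption_bits: float, loss_factor: float) -> float:
    """Security the proof actually guarantees for the scheme.

    If the reduction turns any attacker on the scheme with advantage eps
    into an attacker on the assumption with advantage >= eps / loss_factor,
    the proof only guarantees assumption_bits - log2(loss_factor) bits.
    Each doubling of the loss costs one bit.
    """
    return assumption_bits - math.log2(loss_factor)


def required_assumption_bits(target_bits: float, loss_factor: float) -> float:
    """Assumption hardness the proof needs before it guarantees target_bits."""
    return target_bits + math.log2(loss_factor)


def dlog_group_bits_for(assumption_bits: float) -> float:
    """Group size for a discrete-log assumption at the given hardness.

    Generic-group attacks (Pollard rho) cost about sqrt(group order), so
    b bits of DLP hardness need a group of roughly 2b bits.
    """
    return 2 * assumption_bits


def loss_profiles(queries: int) -> dict:
    """Illustrative loss factors as a function of the adversary's query count q.

    All three are polynomial in q, so asymptotically all three proofs are
    "fine"; concretely they differ by up to 2 * log2(q) bits.
    """
    return {
        "tight (loss 1)": 1,
        "linear (loss q)": queries,
        "quadratic (loss q^2)": queries ** 2,
    }


def proof_guarantee_table(target_bits: int, queries: int, deployed_group_bits: int) -> list:
    """For each loss profile, report the group size the proof would demand to
    guarantee target_bits, and what it guarantees for the group actually
    deployed. The gap between the two rows is the "impractical parameter
    sizes" problem: the scheme is not shown broken, the proof just covers
    far less than what was deployed."""
    deployed_assumption_bits = deployed_group_bits / 2  # generic-group estimate
    rows = []
    for name, loss in loss_profiles(queries).items():
        need = required_assumption_bits(target_bits, loss)
        rows.append({
            "reduction": name,
            "group_bits_needed": dlog_group_bits_for(need),
            "guaranteed_bits_deployed": concrete_security_bits(deployed_assumption_bits, loss),
        })
    return rows


if __name__ == "__main__":
    # Assumed: up to 2^60 oracle queries, a 128-bit target, and a 256-bit
    # elliptic-curve group actually deployed.
    for row in proof_guarantee_table(128, 2 ** 60, 256):
        print(f"{row['reduction']:<22} needs a {row['group_bits_needed']:>3.0f}-bit group; "
              f"a 256-bit group is proven to {row['guaranteed_bits_deployed']:>3.0f} bits")
```

With these sample values the tight reduction needs a 256-bit group and guarantees the full 128 bits for it, while the quadratic-loss proof demands a 496-bit group and, for the 256-bit group people actually deploy, guarantees only 8 bits. Nothing in that table says the scheme is insecure; it says the proof has stopped saying anything useful at practical sizes, which is exactly why a tight reduction, as the post argues, is what makes a security argument worth having.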