> Date: Fri, 28 Jul 2000 07:35:42 -0700
> From: "James A. Donald" <[EMAIL PROTECTED]>

> "Provably secure" is a word applicable to cyphers, not protocols.  To use 
> it in reference to a protocol is nonsense gibberish.

No, it is just more difficult to establish for protocols than for
primitives because there are more possible attacks to consider.

> When we discuss a protocol, we normally take for granted that the cyphers 
> are strong, irrespective of whether they are provably secure or not.

In fact the ciphers most commonly used in practice have not been
proved secure.  (A widespread misconception is that breaking RSA is as
hard as factoring, which may be true but has not been proved.)

> One can prove that cracking a cypher is as hard as cracking some well known 
> mathematical problem.
> 
> What, however, does it mean to say that a protocol is provably secure?  A 
> protocol is not a cypher, though it uses well known cyphers.

It usually means essentially the same thing, namely that one can prove
that a successful attack of the protocol yields a solution to an
assumed-hard problem.  (Such a proof must establish that all possible
protocol attacks have been taken into account.)  It can also refer to
a complexity-theoretic or information-theoretic analysis of the
protocol relative to an appropriate adversarial model.

There are also formal methods that address the security of protocols,
e.g. BAN logic.  I don't know too much about that stuff except that it
is usually possible to find insecure protocols that pass the tests, so
the techniques are more useful for finding weaknesses in protocols
than for providing convincing proofs of security.
