3.2.5 Evaluating security
One of the most difficult aspects of cryptography is making an accurate assessment
of the security of a given cryptosystem. We separate this discussion into assessing
the security of cryptographic primitives, protocols and cryptosystems.
ASSESSING THE SECURITY OF A CRYPTOGRAPHIC ALGORITHM
Historically, the security of cryptographic algorithms (and protocols) relied on a
rather informal approach that considered known attacks on the algorithm, such as
an exhaustive key search, and then designed the algorithm so that it was believed
that these attacks would not work. Often the arguments put forward to justify
the resulting 'security' were not particularly rigorous, and in many cases were
experimental. This process resulted from the fact that cryptographic algorithm
design is as much about engineering as mathematics.
The problem with such an informal approach is that it does not provide
any real notion of 'proof' that a cryptographic algorithm is secure. With
this in mind, cryptographic researchers have gradually been developing and
adopting methodologies for attempting to provide stronger arguments for the
security of cryptographic algorithms. This concept of provable security attempts
to assess the security of a cryptographic algorithm by starting from some
assumptions about the attack environment (captured by a security model), and
then showing that the security of the cryptographic algorithm can be formally
linked (reduced) to the difficulty of a computational problem that is better
understood.
There are two potential problems with this type of approach:
The starting assumptions may not be the right ones. For example, there may be
attacks that have not been considered in the security model.
The computational problem might not be as difficult as thought. Provable
security arguments are essentially translations from one relatively poorly
understood concept (the cryptographic algorithm) into a better understood
concept (the computational problem). However, this does not guarantee any
'security' in the event that the computational problem is not as hard as
originally believed.
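The following is an added worked example (not from the book) of what a security reduction looks like in code. The scheme, security model and PRGs are all constructed for illustration: a toy stream cipher encrypts as m XOR G(k); the security model is an indistinguishability game in which the adversary submits two messages and must guess which one was encrypted; and the reduction turns any adversary against the scheme into a distinguisher for G. The HMAC-based prg_good and the deliberately weakened prg_broken are hypothetical stand-ins for the "computational problem" the argument rests on. Running it shows both points in the text at once: the advantage of the adversary carries over exactly to the distinguisher (the reduction is sound), yet when the underlying problem is easy (prg_broken), the scheme is broken despite the reduction.

```python
"""Toy security reduction: IND security of "m XOR G(k)" reduces to G being a PRG.
Constructed example; names, scheme and PRGs are illustrative only."""
import hashlib
import hmac
import random
from typing import Callable

BLOCK = 16  # message / keystream length in bytes (chosen for the example)


def prg_good(key: bytes) -> bytes:
    """Toy PRG: expand a BLOCK-byte key into BLOCK bytes via HMAC-SHA256."""
    return hmac.new(key, b"keystream", hashlib.sha256).digest()[:BLOCK]


def prg_broken(key: bytes) -> bytes:
    """Deliberately weak PRG (constructed): its first output byte is always 0."""
    return b"\x00" + prg_good(key)[1:]


def encrypt(prg: Callable[[bytes], bytes], key: bytes, msg: bytes) -> bytes:
    """One-time-pad-style encryption under the keystream G(k)."""
    return bytes(a ^ b for a, b in zip(msg, prg(key)))


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Security model: the adversary submits two messages, sees the encryption of one
# of them under a fresh key, and must guess which. The two messages are fixed.
M0, M1 = bytes(BLOCK), b"\xff" * BLOCK


def adversary_first_byte(ct: bytes) -> int:
    """Adversary exploiting a zero first keystream byte: then c[0] == m_b[0]."""
    return 0 if ct[0] == 0 else 1


def ind_win_rate(prg, adversary, trials: int = 2000, seed: int = 1) -> float:
    """Pr[adversary guesses b] in the indistinguishability game for the scheme."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = rand_bytes(rng, BLOCK)
        b = rng.getrandbits(1)
        ct = encrypt(prg, key, (M0, M1)[b])
        wins += adversary(ct) == b
    return wins / trials


def reduction(adversary) -> Callable[[bytes, random.Random], int]:
    """Turn any IND adversary into a PRG distinguisher D(y): encrypt m_b with the
    candidate keystream y, run the adversary, output 1 iff it guessed b."""
    def distinguisher(y: bytes, rng: random.Random) -> int:
        b = rng.getrandbits(1)
        ct = bytes(a ^ c for a, c in zip((M0, M1)[b], y))
        return int(adversary(ct) == b)
    return distinguisher


def prg_output_rate(prg, distinguisher, real: bool,
                    trials: int = 2000, seed: int = 1) -> float:
    """Pr[D outputs 1] when y is G(k) (real=True) or uniformly random (real=False)."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        y = prg(rand_bytes(rng, BLOCK)) if real else rand_bytes(rng, BLOCK)
        ones += distinguisher(y, rng)
    return ones / trials


def advantages(prg, adversary, trials: int = 2000, seed: int = 1):
    """Return (IND advantage of A, PRG advantage of the reduced distinguisher D).
    The proof says these are equal: Pr[D=1 | real] is exactly A's win rate, and
    Pr[D=1 | random] is 1/2 because a random keystream is a one-time pad."""
    d = reduction(adversary)
    adv_ind = ind_win_rate(prg, adversary, trials, seed) - 0.5
    adv_prg = (prg_output_rate(prg, d, True, trials, seed)
               - prg_output_rate(prg, d, False, trials, seed))
    return adv_ind, adv_prg


if __name__ == "__main__":
    for name, prg in (("broken PRG", prg_broken), ("HMAC PRG", prg_good)):
        print(name, advantages(prg, adversary_first_byte))
```

Against prg_broken the first-byte adversary wins every game, so its IND advantage is 0.5 and the reduced distinguisher inherits that advantage against the PRG; against prg_good the same adversary is at chance, as is the distinguisher. The reduction itself never changes, which is the point of the second caveat above: the argument only transfers whatever hardness the underlying problem actually has.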
Provable security is thus not really a 'proof' of cryptographic algorithm security.
Nonetheless, it is a substantially better approach than the informal one of the
past. A security proof within a sensible security model should thus be regarded
as important evidence in favour of the overall security of a cryptographic
algorithm.
Arguably the best assessment benchmark for a cryptographic algorithm
remains exposure and breadth of adoption. As we observed in Section 1.5, the
most highly regarded cryptographic algorithms tend to be those that have been
widely scrutinised and implemented. To this end, several standardisation bodies,