Computational Soundness - The Case of Diffie-Hellman Keys
E. Bresson, Y. Lakhnech, L. Mazaré, B. Warinschi
Formal Models and Techniques for Analyzing Security Protocols. DOI: 10.3233/978-1-60750-714-7-277 (https://doi.org/10.3233/978-1-60750-714-7-277)
Symbolic vs. Computational Models. A common criticism of symbolic approaches for security is that they rely on models that are too abstract to offer clear security guarantees. In such models the adversary appears to be severely restricted. The axioms that characterize the security of primitives allow the adversary only a limited number of operations, and it is usually unclear how to enforce these axioms in actual implementations. Furthermore, the representation of messages as symbols does not permit reasoning about partial information, a real concern in many applications.

This criticism is even more relevant given alternative models that offer clearly stronger guarantees. Under these computational models, security analysis of protocols considers a much lower level of abstraction. Typically, parties are viewed as algorithms (written in some Turing-complete language) and the messages with which they operate and communicate are actual bitstrings. The adversaries are required to operate efficiently (i.e. run in time polynomial in some security parameter), but are otherwise allowed to perform arbitrary computations. Furthermore, unlike in the case of symbolic methods, where the security of primitives is axiomatized, in computational approaches security is defined. This enables rigorous proofs that implementations actually meet their required security levels, starting from widely accepted assumptions.

The technique most commonly used in such proofs is known as "reduction". The idea is to show that the security of a cryptographic construct can be reduced to solving some problem(s) believed to be hard. Specifically, one argues that any adversary that is successful against the cryptographic construct can be used to solve some underlying hard problem. Typical hard problems include factoring, taking discrete logarithms, the computational Diffie-Hellman problem, etc. [24]. The low level of abstraction and the powerful and realistic adversarial model imply strong security guarantees for schemes with computational security proofs. Unfortunately, reduction techniques do not scale well. While they enjoyed considerable success for