Another Look at “Provable Security”. II

  • Neal Koblitz
  • Alfred Menezes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4329)


We discuss the question of how to interpret reduction arguments in cryptography. We give some examples to show the subtlety and difficulty of this question.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Neal Koblitz, Department of Mathematics, University of Washington
  • Alfred Menezes, Department of Combinatorics & Optimization, University of Waterloo
