Jon Callas wrote:
> On Jan 9, 2009, at 4:16 PM, Ben Laurie wrote:
>> Jon Callas wrote:
>>> (Let me put on my hash-designer's hat for a moment. In Skein, we
>>> created a one-pass MAC construction that can replace HMAC. It also
>>> has a proof of security.
>>
>> I wish people would stop saying that things have "a proof of
>> security". Rot13 has a proof of security, but I don't want to use it.
>> You need to state what security properties you have proved.
>
> If we're going to get picky, Rot-13 is not a cipher, it's a code.

So what?

> It has similar security properties to ASCII, which is a related code.
> But you're right -- on another list I'm on, there was someone who made
> the comment that there's no theoretically perfect cryptography. I
> almost replied that the Caesar cipher (which is ROT-N) has perfect
> security, just an inadequate key space.
>
> Nonetheless, you're right. Many people, including me, sneer at
> security proofs.

Then why mention them?

> The list of things that have had proofs of security and then fallen
> over is large. There are plenty of proofs of security that have some
> people raise an eyebrow. For example, we say that HMAC is secure on
> today's slightly dodgy hash functions because of a proof of security,
> but that proof relies on properties of the hash function we're not
> sure they have. (Niels Ferguson was the first person I know to bring
> this up, and for the most part, we all whistle as we walk by his
> observations.)
>
> I think that security proofs are fundamentally lacking in basic
> foundations. There's a sense in which you can start with the Peano
> postulates for arithmetic and end up with double-entry bookkeeping. We
> can't do anything like that in security, and it's a huge lack.
>
> Nonetheless, it's better to have a proof than not to have one.

If the proof proves something useful, then indeed it is better. But once
more, saying "it has a security proof" provides no useful information.

> And I didn't want to turn this into a Skein discussion. I was making
> the aside that there are people looking at verification constructions
> that have properties programmers like, and I know this because I've
> worked on one.
>
> Go read the Skein paper. It's at <http://www.skein-hash.info>. I think
> we've addressed your comments, because we feel the same way.

I have read the Skein paper.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff