Nimrod Aviram writes:
> The construction is proven to satisfy this property under precise
> assumptions about its components.

So, to be clear, the statement that a function F provides "provable
security" means that there's a proof that F achieves the security
property under discussion (in this case, dual PRF) under precise
assumptions about various functions declared to be "components" of F?

Katz and Lindell wrote that "One of the key intellectual contributions
of modern cryptography has been the realization that formal definitions
of security are _essential_ prerequisites for the design, usage, or
study of any cryptographic primitive or protocol." Surely the concept of
"provable security" should be defined, so that everyone can evaluate
claims that particular functions are "provably secure".

> We think the resulting assumptions are reasonable when SHA-256 is used
> in the instantiation

To support security evaluation, can you please list the assumptions
regarding SHA-256? Also, for people who prefer SHA-3, can you please
list any differences in the case of SHA-3? Thanks in advance.

Btw, I did read the paper before asking questions. Section 5 doesn't
have a clearly labeled list of hash-function hypotheses, never mind
proofs. Sometimes there was a clear flow of logic from something that I
would presume was intended as a hypothesis, but in general the section
doesn't follow basic falsifiability rules. A cryptanalyst wants to see
authors committing to a clear statement of the hypotheses being made
about SHA-256, so that the work for breaking those hypotheses is given
appropriate credit, rather than being met by a change in the rules.

---Dan

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
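The following is an added example, not part of the thread above or of the paper under discussion. It makes one "dual PRF" hypothesis concrete, assuming HKDF-Extract with SHA-256 as the instantiation (HKDF-Extract(salt, IKM) = HMAC-SHA256(salt, IKM), RFC 5869). The standard PRF assumption keys HMAC by the salt; the dual assumption keys it by the IKM and lets the adversary choose the salt. RFC 2104 replaces any HMAC key longer than the 64-byte block by its hash, so HMAC(s, x) equals HMAC(SHA256(s), x) whenever len(s) > 64. In the swapped role that is a collision in the adversary's input, and a two-query distinguisher detects it. This is not a weakness of SHA-256; it is exactly the kind of side condition (here, a bound on the salt length) that a falsifiable statement of the hypothesis has to spell out. All function names below are mine.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64   # SHA-256 block size in bytes, the "B" of RFC 2104
OUT_LEN = 32      # SHA-256 output length in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(key=salt, msg=IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def standard_oracle(salt: bytes):
    """Standard keying: the salt is secret, the adversary chooses the IKM input."""
    return lambda x: hkdf_extract(salt, x)


def dual_oracle(ikm: bytes):
    """Dual keying: the IKM is secret, the adversary chooses the salt input."""
    return lambda s: hkdf_extract(s, ikm)


def random_oracle():
    """Ideal object for the PRF game: a lazily sampled random function."""
    table = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(OUT_LEN)
        return table[x]

    return f


def key_reduction_distinguisher(oracle, query_len: int = BLOCK_SIZE + 1) -> bool:
    """Two-query distinguisher. Queries an input s of query_len bytes and
    SHA256(s), and answers "real" (True) if the outputs agree. In the dual
    role with len(s) > 64, HMAC's key hashing (RFC 2104) guarantees agreement;
    a random function agrees with probability 2^-256."""
    s = b"A" * query_len
    return oracle(s) == oracle(hashlib.sha256(s).digest())


def advantage(make_real, distinguisher, trials: int = 64) -> float:
    """Empirical PRF advantage: P[D says real | real] - P[D says real | random].
    make_real builds a real oracle from a fresh 32-byte secret."""
    real_hits = sum(distinguisher(make_real(secrets.token_bytes(OUT_LEN)))
                    for _ in range(trials))
    rand_hits = sum(distinguisher(random_oracle()) for _ in range(trials))
    return (real_hits - rand_hits) / trials


def dual_advantage_long_salt() -> float:
    """Dual keying, adversary may use salts longer than one block."""
    return advantage(dual_oracle, key_reduction_distinguisher)


def dual_advantage_short_salt() -> float:
    """Dual keying, salts capped at one block: the hashing step never fires,
    so the same distinguisher learns nothing."""
    return advantage(dual_oracle,
                     lambda o: key_reduction_distinguisher(o, BLOCK_SIZE))


def standard_advantage() -> float:
    """Standard keying: the same two queries are just two unrelated messages."""
    return advantage(standard_oracle, key_reduction_distinguisher)


if __name__ == "__main__":
    print("dual PRF, salt > 64 bytes :", dual_advantage_long_salt())
    print("dual PRF, salt <= 64 bytes:", dual_advantage_short_salt())
    print("standard PRF              :", standard_advantage())
```

The first advantage is 1.0 and the other two are 0.0, which is the point: "HMAC-SHA256 is a dual PRF" is false as stated and true only once the salt-length restriction is written into the hypothesis. Whatever assumptions are actually made about SHA-256 itself (on the compression function, on related-key behaviour of the keyed inner and outer hashes) sit on top of such side conditions and would have to be listed alongside them.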