Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Provable security
open-in-new
<h2 id="in-cryptography">In cryptography</h2> <p>In <a href="/facts/Cryptography/e94PEVau">cryptography</a>, a system has provable security if its security requirements can be stated formally in an <a href="/facts/Adversary_(cryptography)/X211CFfE">adversarial</a> model, as opposed to heuristically, with clear assumptions that the adversary has access to the system as well as enough computational resources. The proof of security (called a "reduction") is that these security requirements are met provided the assumptions about the adversary's access to the system are satisfied and some clearly stated <a href="/facts/Computational_hardness_assumption/ewjpb1I7">assumptions about the hardness of certain computational tasks</a> hold. An early example of such requirements and proof was given by <a href="/facts/Shafi_Goldwasser/aTJJq4mB">Goldwasser</a> and <a href="/facts/Silvio_Micali/IxgCplaX">Micali</a> for <a href="/facts/Semantic_security/PlW18aEh">semantic security</a> and the construction based on the <a href="/facts/Quadratic_residuosity_problem/b8B2ptVQ">quadratic residuosity problem</a>. Some proofs of security are in given theoretical models such as the <a href="/facts/Random_oracle_model/wK7MhxDq">random oracle model</a>, where real cryptographic <a href="/facts/Hash_function/rk6MlCt3">hash functions</a> are represented by an idealization. </p><p>There are several lines of research in provable security. One is to establish the "correct" definition of security for a given, intuitively understood task. Another is to suggest constructions and proofs based on general assumptions as much as possible, for instance the existence of a <a href="/facts/One-way_function/rGtcumDW">one-way function</a>. A major <a href="/facts/Open_problem/VuR6yLsW">open problem</a> is to establish such proofs based on <a href="/facts/P_versus_NP/xoC7Ruda">P ≠ NP</a>, since the existence of one-way functions is not known to follow from the P ≠ NP <a href="/facts/Conjecture/oPWUb7SF">conjecture</a>. </p> <h3>Controversies</h3> <p>Several researchers have found mathematical fallacies in proofs that had been used to make claims about the security of important protocols. In the following partial list of such researchers, their names are followed by first a reference to the original paper with the purported proof and then a reference to the paper in which the researchers reported on flaws: V. Shoup;<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a><a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> A. J. Menezes;<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a><a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> A. Jha and M. Nandi;<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a><a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> D. Galindo;<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a><a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> T. Iwata, K. Ohashi, and K. Minematsu;<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a><a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> M. Nandi;<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a><a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> J.-S. Coron and D. Naccache;<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a><a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> D. Chakraborty, V. Hernández-Jiménez, and P. Sarkar;<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a><a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a> P. Gaži and U. Maurer;<a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a><a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> S. A. Kakvi and E. Kiltz;<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a><a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a> and T. Holenstein, R. Künzler, and S. Tessaro.<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a><a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a> </p><p><a href="/facts/Neal_Koblitz/TebdlGqw">Koblitz</a> and Menezes have written that provable security results for important cryptographic protocols frequently have fallacies in the proofs; are often interpreted in a misleading manner, giving false assurances; typically rely upon strong assumptions that may turn out to be false; are based on unrealistic models of security; and serve to distract researchers' attention from the need for "old-fashioned" (non-mathematical) testing and analysis. Their series of papers supporting these claims<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a><a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a> have been controversial in the community. Among the researchers who have rejected the viewpoint of Koblitz–Menezes is <a href="/facts/Oded_Goldreich/Ufn1bqW7">Oded Goldreich</a>, a leading theoretician and author of <i>Foundations of Cryptography</i>.<a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a> He wrote a refutation of their first paper "Another look at 'provable security'"<a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> that he titled "On post-modern cryptography". Goldreich wrote: "... we point out some of the fundamental philosophical flaws that underlie the said article and some of its misconceptions regarding theoretical research in cryptography in the last quarter of a century."<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a>: 1 In his essay Goldreich argued that the rigorous analysis methodology of provable security is the only one compatible with science, and that Koblitz and Menezes are "reactionary (i.e., they play to the hands of the opponents of progress)".<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a>: 2 </p><p>In 2007, Koblitz published "The Uneasy Relationship Between Mathematics and Cryptography",<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> which contained some controversial statements about provable security and other topics. Researchers Oded Goldreich, Boaz Barak, <a href="/facts/Jonathan_Katz_(computer_scientist)/NvWxVBYA">Jonathan Katz</a>, Hugo Krawczyk, and <a href="/facts/Avi_Wigderson/CVHaUAdI">Avi Wigderson</a> wrote letters responding to Koblitz's article, which were published in the November 2007 and January 2008 issues of the journal.<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a><a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a> Katz, who is coauthor of a highly regarded cryptography textbook,<a class="footnote-ref" id="fnref:32" href="#fn:32"><sup>32</sup></a> called Koblitz's article "snobbery at its purest";<a class="footnote-ref" id="fnref:33" href="#fn:33"><sup>33</sup></a>: 1455 and Wigderson, who is a permanent member of the <a href="/facts/Institute_for_Advanced_Study/jQQCURKt">Institute for Advanced Study</a> in Princeton, accused Koblitz of "slander".<a class="footnote-ref" id="fnref:34" href="#fn:34"><sup>34</sup></a>: 7 </p><p><a href="/facts/Ivan_Damg%25C3%25A5rd/WNSpoGfU">Ivan Damgård</a> later wrote a <a href="/facts/Position_paper/TqVvpLQt">position paper</a> at ICALP 2007 on the technical issues,<a class="footnote-ref" id="fnref:35" href="#fn:35"><sup>35</sup></a> and it was recommended by <a href="/facts/Scott_Aaronson/htGK5zuz">Scott Aaronson</a> as a good in-depth analysis.<a class="footnote-ref" id="fnref:36" href="#fn:36"><sup>36</sup></a> <a href="/facts/Brian_Snow/1bcXr7UU">Brian Snow</a>, former Technical Director of the Information Assurance Directorate of the U.S. <a href="/facts/National_Security_Agency/Sg6MGV1o">National Security Agency</a>, recommended the Koblitz-Menezes paper "The brave new world of bodacious assumptions in cryptography"<a class="footnote-ref" id="fnref:37" href="#fn:37"><sup>37</sup></a> to the audience at the RSA Conference 2010 Cryptographers Panel.<a class="footnote-ref" id="fnref:38" href="#fn:38"><sup>38</sup></a> </p> <h3>Practice-oriented provable security</h3> <p>Classical provable security primarily aimed at studying the relationship between <a href="/facts/Asymptotic_analysis/kt87qLpu">asymptotically</a> defined objects. Instead, practice-oriented provable security is concerned with concrete objects of cryptographic practice, such as hash functions, <a href="/facts/Block_cipher/MJywAyfQ">block ciphers</a>, and protocols as they are deployed and used.<a class="footnote-ref" id="fnref:39" href="#fn:39"><sup>39</sup></a> Practice oriented provable security uses <a href="/facts/Concrete_security/fCFpMNnm">concrete security</a> to analyse practical constructions with fixed key sizes. "Exact security" or "<a href="/facts/Concrete_security/fCFpMNnm">concrete security</a>" is the name given to provable security reductions where one quantifies security by computing precise bounds on computational effort, rather than an asymptotic bound which is guaranteed to hold for "sufficiently large" values of the <a href="/facts/Security_parameter/Xbqeyh60">security parameter</a>. </p> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Bellare, Mihir; Rogaway, Phillip (1995). "Optimal asymmetric encryption". Advances in Cryptology — EUROCRYPT'94. Lecture Notes in Computer Science. Vol. 950. pp. 92–111. doi:10.1007/BFb0053428. ISBN 978-3-540-60176-0. <a href="978-3-540-60176-0" target="_blank">978-3-540-60176-0</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Shoup, Victor (2002), "OAEP reconsidered", Journal of Cryptology, 15 (4): 223–249, doi:10.1007/s00145-002-0133-9, S2CID 26919974 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Krawczyk, Hugo (2005). "HMQV: A High-Performance Secure Diffie-Hellman Protocol". Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. Vol. 3621. pp. 546–566. doi:10.1007/11535218_33. ISBN 978-3-540-28114-6. <a href="978-3-540-28114-6" target="_blank">978-3-540-28114-6</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Menezes, Alfred J. (2007), "Another look at HMQV", Journal of Mathematical Cryptology, 1: 47–64, doi:10.1515/JMC.2007.004, S2CID 15540513 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Bellare, Mihir; Pietrzak, Krzysztof; Rogaway, Phillip (2005). "Improved Security Analyses for CBC MACs". Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. Vol. 3621. pp. 527–545. doi:10.1007/11535218_32. ISBN 978-3-540-28114-6.; and Pietrzak, Krzysztof (2006), "A Tight Bound for EMAC", Automata, Languages and Programming, Lecture Notes in Computer Science, vol. 4052, pp. 168–179, doi:10.1007/11787006_15, ISBN 978-3-540-35907-4 <a href="978-3-540-28114-6978-3-540-35907-4" target="_blank">978-3-540-28114-6978-3-540-35907-4</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Jha, Ashwin; Nandi, Mridul (2016), "Revisiting structure graphs: Applications to CBC-MAC and EMAC", Journal of Mathematical Cryptology, 10 (3–4): 157–180, doi:10.1515/jmc-2016-0030, S2CID 33121117 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Boneh, Dan; Franklin, Matthew (2003), "Identity-based encryption from the Weil pairing", SIAM Journal on Computing, 32 (3): 586–615, doi:10.1137/S0097539701398521 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Galindo, David (2005), "Boneh-Franklin Identity Based Encryption Revisited", Automata, Languages and Programming, Lecture Notes in Computer Science, vol. 3580, pp. 791–802, doi:10.1007/11523468_64, hdl:2066/33216, ISBN 978-3-540-27580-0, S2CID 605011 <a href="978-3-540-27580-0" target="_blank">978-3-540-27580-0</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>McGrew, David A.; Viega, John (2004), "The Security and Performance of the Galois/Counter Mode (GCM) of Operation", Progress in Cryptology - INDOCRYPT 2004, Lecture Notes in Computer Science, vol. 3348, pp. 343–355, doi:10.1007/978-3-540-30556-9_27, ISBN 978-3-540-24130-0 <a href="978-3-540-24130-0" target="_blank">978-3-540-24130-0</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Iwata, Tetsu; Ohashi, Keisuke; Minematsu, Kazuhiko (2012). "Breaking and Repairing GCM Security Proofs". Advances in Cryptology – CRYPTO 2012. Lecture Notes in Computer Science. Vol. 7417. pp. 31–49. doi:10.1007/978-3-642-32009-5_3. ISBN 978-3-642-32008-8. <a href="978-3-642-32008-8" target="_blank">978-3-642-32008-8</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Ristenpart, Thomas; Rogaway, Phillip (2007), "How to Enrich the Message Space of a Cipher", Fast Software Encryption, Lecture Notes in Computer Science, vol. 4593, pp. 101–118, doi:10.1007/978-3-540-74619-5_7, ISBN 978-3-540-74617-1 <a href="978-3-540-74617-1" target="_blank">978-3-540-74617-1</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Nandi, Mridul (2014). "XLS is Not a Strong Pseudorandom Permutation". Advances in Cryptology – ASIACRYPT 2014. Lecture Notes in Computer Science. Vol. 8874. pp. 478–490. doi:10.1007/978-3-662-45611-8_25. ISBN 978-3-662-45607-1. <a href="978-3-662-45607-1" target="_blank">978-3-662-45607-1</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Bellare, Mihir; Garray, Juan A.; Rabin, Tal (1998). "Fast batch verification for modular exponentiation and digital signatures". Advances in Cryptology — EUROCRYPT'98. Lecture Notes in Computer Science. Vol. 1403. pp. 236–250. doi:10.1007/BFb0054130. ISBN 978-3-540-64518-4. <a href="978-3-540-64518-4" target="_blank">978-3-540-64518-4</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>Coron, Jean-Sébastien; Naccache, David (1999), Public Key Cryptography, Lecture Notes in Computer Science, vol. 1560, pp. 197–203, doi:10.1007/3-540-49162-7, ISBN 978-3-540-65644-9, S2CID 11711093 <a href="978-3-540-65644-9" target="_blank">978-3-540-65644-9</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>McGrew, David A.; Fluhrer, Scott R. (2007), "The Security of the Extended Codebook (XCB) Mode of Operation", Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 4876, pp. 311–327, doi:10.1007/978-3-540-77360-3_20, ISBN 978-3-540-77359-7 <a href="978-3-540-77359-7" target="_blank">978-3-540-77359-7</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>Chakraborty, Debrup; Hernández-Jiménez, Vicente; Sarkar, Palash (2015), "Another look at XCB", Cryptography and Communications, 7 (4): 439–468, doi:10.1007/s12095-015-0127-8, S2CID 17251595 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Bellare, Mihir; Rogaway, Phillip (2006). "The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs". Advances in Cryptology - EUROCRYPT 2006. Lecture Notes in Computer Science. Vol. 4004. pp. 409–426. doi:10.1007/11761679_25. ISBN 978-3-540-34546-6. <a href="978-3-540-34546-6" target="_blank">978-3-540-34546-6</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>Gaži, Peter; Maurer, Ueli (2009). "Cascade Encryption Revisited". Advances in Cryptology – ASIACRYPT 2009. Lecture Notes in Computer Science. Vol. 5912. pp. 37–51. doi:10.1007/978-3-642-10366-7_3. ISBN 978-3-642-10365-0. <a href="978-3-642-10365-0" target="_blank">978-3-642-10365-0</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Coron, Jean-Sébastien (2002). "Optimal Security Proofs for PSS and Other Signature Schemes". Advances in Cryptology — EUROCRYPT 2002. Lecture Notes in Computer Science. Vol. 2332. pp. 272–287. doi:10.1007/3-540-46035-7_18. ISBN 978-3-540-43553-2. <a href="978-3-540-43553-2" target="_blank">978-3-540-43553-2</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>Kakvi, Saqib A.; Kiltz, Eike (2012). "Optimal Security Proofs for Full Domain Hash, Revisited". Advances in Cryptology – EUROCRYPT 2012. Lecture Notes in Computer Science. Vol. 7237. pp. 537–553. doi:10.1007/978-3-642-29011-4_32. ISBN 978-3-642-29010-7. <a href="978-3-642-29010-7" target="_blank">978-3-642-29010-7</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>Coron, Jean-Sébastien; Patarin, Jacques; Seurin, Yannick (2008). "The Random Oracle Model and the Ideal Cipher Model Are Equivalent". Advances in Cryptology – CRYPTO 2008. Lecture Notes in Computer Science. Vol. 5157. pp. 1–20. doi:10.1007/978-3-540-85174-5_1. ISBN 978-3-540-85173-8. <a href="978-3-540-85173-8" target="_blank">978-3-540-85173-8</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>Holenstein, Thomas; Künzler, Robin; Tessaro, Stefano (2011), "The equivalence of the random oracle model and the ideal cipher model, revisited", Proceedings of the forty-third annual ACM symposium on Theory of computing, pp. 89–98, arXiv:1011.1264, doi:10.1145/1993636.1993650, ISBN 9781450306911, S2CID 2960550 <a href="9781450306911" target="_blank">9781450306911</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>Koblitz, Neal; Menezes, Alfred (2019). "Critical perspectives on provable security: Fifteen years of 'Another look' papers". Advances in Mathematics of Communications. 13 (4): 517–558. doi:10.3934/amc.2019034. <a href="https://doi.org/10.3934%2Famc.2019034" target="_blank">https://doi.org/10.3934%2Famc.2019034</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>These papers are all available at "Another look at provable security". Retrieved 12 April 2018. <a href="http://anotherlook.ca" target="_blank">http://anotherlook.ca</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Goldreich, Oded (2003). Foundations of Cryptography. Cambridge University Press. ISBN 9780521791724. <a href="9780521791724" target="_blank">9780521791724</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>Koblitz, Neal; Menezes, Alfred J. (2007), "Another look at "provable security"", Journal of Cryptology, 20 (1): 3–37, doi:10.1007/s00145-005-0432-z, S2CID 7601573 <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>"On post-modern cryptography". Retrieved 12 April 2018. <a href="https://eprint.iacr.org/2006/461" target="_blank">https://eprint.iacr.org/2006/461</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>"On post-modern cryptography". Retrieved 12 April 2018. <a href="https://eprint.iacr.org/2006/461" target="_blank">https://eprint.iacr.org/2006/461</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Koblitz, Neal (2007), "The uneasy relationship between mathematics and cryptography" (PDF), Notices Amer. Math. Soc., 54 (8): 972–979 <a href="https://www.ams.org/notices/200708/tx070800972p.pdf" target="_blank">https://www.ams.org/notices/200708/tx070800972p.pdf</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>"Letters to the Editor" (PDF), Notices Amer. Math. Soc., 54 (12): 1454–1455, 2007 <a href="https://www.ams.org/notices/200711/tx071101454p.pdf" target="_blank">https://www.ams.org/notices/200711/tx071101454p.pdf</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>"Letters to the Editor" (PDF), Notices Amer. Math. Soc., 55 (1): 6–7, 2008 <a href="https://www.ams.org/notices/200801/tx080100006p.pdf" target="_blank">https://www.ams.org/notices/200801/tx080100006p.pdf</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> <li id="fn:32"><p>Katz, Jonathan; Lindell, Yehuda (2008). Introduction to Modern Cryptography. Chapman & Hall/CRC. ISBN 9781584885511. <a href="9781584885511" target="_blank">9781584885511</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></p></li> <li id="fn:33"><p>"Letters to the Editor" (PDF), Notices Amer. Math. Soc., 54 (12): 1454–1455, 2007 <a href="https://www.ams.org/notices/200711/tx071101454p.pdf" target="_blank">https://www.ams.org/notices/200711/tx071101454p.pdf</a> <a href="#fnref:33" class="footnote-back-ref">↩</a></p></li> <li id="fn:34"><p>"Letters to the Editor" (PDF), Notices Amer. Math. Soc., 55 (1): 6–7, 2008 <a href="https://www.ams.org/notices/200801/tx080100006p.pdf" target="_blank">https://www.ams.org/notices/200801/tx080100006p.pdf</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></p></li> <li id="fn:35"><p>Damgård, I. (2007). "A "proof-reading" of Some Issues in Cryptography". Automata, Languages and Programming. Lecture Notes in Computer Science. Vol. 4596. pp. 2–11. doi:10.1007/978-3-540-73420-8_2. ISBN 978-3-540-73419-2. <a href="978-3-540-73419-2" target="_blank">978-3-540-73419-2</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></p></li> <li id="fn:36"><p>"Shtetl-Optimized". scottaaronson.com. September 2007. <a href="http://www.scottaaronson.com/blog/?p=268" target="_blank">http://www.scottaaronson.com/blog/?p=268</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></p></li> <li id="fn:37"><p>Koblitz, Neal; Menezes, Alfred J. (2010), "The brave new world of bodacious assumptions in cryptography" (PDF), Notices Amer. Math. Soc., 57: 357–365 <a href="https://www.ams.org/notices/201003/rtx100300357p.pdf" target="_blank">https://www.ams.org/notices/201003/rtx100300357p.pdf</a> <a href="#fnref:37" class="footnote-back-ref">↩</a></p></li> <li id="fn:38"><p>"RSA Conference 2010 USA: The Cryptographers Panel". YouTube. 9 March 2010. Archived from the original on 2021-12-22. Retrieved 9 April 2018. <a href="https://www.youtube.com/watch?v=z7nOsqgIzew" target="_blank">https://www.youtube.com/watch?v=z7nOsqgIzew</a> <a href="#fnref:38" class="footnote-back-ref">↩</a></p></li> <li id="fn:39"><p>Rogaway, Phillip. "Practice-Oriented Provable Security and the Social Construction of Cryptography". Unpublished Essay Corresponding to an Invited Talk at EUROCRYPT 2009. May 6, 2009. <a href="#fnref:39" class="footnote-back-ref">↩</a></p></li> </ol>