Review of Foundations of Cryptography: Basic Tools∗ and Modelling and Analysis of Security Protocols†

There are essentially two schools, advocating two general approaches to the problem of reasoning about the security properties of a system. What do I mean by a security property? Examples of these include secrecy (ensuring that only authorized parties get access to a piece of information), integrity (ensuring that messages exchanged between parties are not modified in transit), and authenticity (ensuring that parties can ascertain the origin of messages). Reasoning about the security of a system basically means figuring out whether the security properties of interest hold in the presence of an adversary that attempts to attack the system by manipulating the environment in which the system executes. For instance, the adversary may intercept, modify, and redirect messages, may pose as different parties, etc. In order to prevent the adversary from successfully attacking the system (and thereby access secret information, or corrupting messages without any party noticing, depending on what the security property is guaranteeing should not happen), the system will typically make use of various encryption schemes to encrypt the messages exchanged by the parties, signature schemes to digitally sign messages, and communication protocols indicating, say, the pattern of message exchanges that need to occur between the parties. As I said, historically, two schools have emerged concerning the analysis of security in such systems. Very roughly speaking, the first school, which is also the oldest, focuses on the underlying mechanisms for providing secure messaging, such as encryption schemes (for instance, DES, AES, Blowfish, RSA, etc), or signature schemes. The central theme in this approach is one of complexity—how difficult is it to “break” the scheme—and reliance on probabilities. Here, the adversary is assumed to possess a certain amount of computational abilities, without going into the details of what exactly those abilities are. For instance, a common assumption is to take the adversary to be able to perform arbitrary probabilistic polynomial-time computations. The second school has focused not so much on the properties of the underlying schemes, but rather on the way these schemes are used in communication protocols. The kind of analysis done is more combinatorial in nature. For instance, many protocols have flaws that are independent of the security of the underlying encryption schemes. To put it bluntly, no encryption scheme is secure if you stupidly reveal the key used to encrypt messages during a protocol exchange. This is of course an extreme example, but many security protocols fail due to the misuse of perfectly good encryption schemes. To help concentrate on that aspect of security protocols, the approach is to completely abstract away from the encryption or signature schemes, assuming them to be perfect, and rather than allow the adversary to