Taming the Adversary
Author
Abstract
While there is a great deal of sophistication in modern cryptology, simple (and simplistic) explanations of cryptography remain useful and perhaps necessary. Many of the explanations are informal; others are embodied in formal methods, particularly in formal methods for the analysis of security protocols. This note (intended to accompany a talk at the Crypto 2000 conference) describes some of those explanations. It focuses on simple models of attacks, pointing to partial justifications of these models.

1 Polite Adversaries

Some of the simplest explanations of cryptography rely on analogies with physical objects, such as safes, locks, and sealed envelopes. These explanations are certainly simplistic. Nevertheless, and in spite of the sophistication of modern cryptology, these and other simplifications can be helpful when used appropriately. The simplifications range from informal metaphors to rigorous abstract models, and include frequent omissions of detail and conceptual conflations (e.g., [28]). They commonly appear in descriptions of systems that employ cryptography, in characterizations of attackers, and correspondingly in statements of security properties. They are sometimes deceptive and dangerous. However, certain simplifications can be justified:

– on pragmatic grounds, when the simplifications enable reasoning (even automated reasoning) that leads to better understanding of systems, yielding increased confidence in some cases and the discovery of weaknesses in others;
– on theoretical grounds, when the simplifications do not hide security flaws (for example, when it can be proved that a simple attacker is as powerful as an arbitrary one).

In particular, in the design and study of security protocols, it is typical to adopt models that entail sensible but substantial simplifying restrictions on attackers. (See for example [13] and most of the references below.) In these models, an adversary may perform the same operations as other principals. For example, all principals, including the adversary, may be allowed to send and receive messages. If the protocol relies explicitly on cryptography, all principals may be allowed to perform cryptographic operations; thus, the adversary may generate keys, encrypt, decrypt, sign, verify signatures, and hash. In addition, the
Similar resources
First as Farce, Then as Filmfarsi: Film Adaptation of Shakespeare’s The Taming of the Shrew in Iran
This article is concerned with William Shakespeare’s famous farce play The Taming of the Shrew and its Persian adaptation as an Iranian film called Gorbe ra dame Hejleh Mikoshand in 1969. The point that informs the inquiry is the way the film departs and differs from the play in relation to the issue of women within the patriarchal society. The play and the film will be examined separately in d...
Taming the Devil: Techniques for Evaluating Anonymized Network Data
Anonymization plays a key role in enabling the public release of network datasets, and yet there are few, if any, techniques for evaluating the efficacy of network data anonymization techniques with respect to the privacy they afford. In fact, recent work suggests that many state-of-the-art anonymization techniques may leak more information than first thought. In this paper, we propose techniqu...
A NEW SECRET SHARING SCHEME ADVERSARY FUZZY STRUCTURE BASED ON AUTOMATA
In this paper, we introduce a new verifiable multi-use multi-secret sharing scheme based on automata and one-way hash function. The scheme has the adversary fuzzy structure and satisfies the following properties: 1) The dealer can change the participants and the adversary fuzzy structure without refreshing any participants' real-shadow. 2) The scheme is based on the inversion of weakly invertible fin...
Towards Taming Privilege-Escalation Attacks on Android
Android’s security framework has been an appealing subject of research in the last few years. Android has been shown to be vulnerable to application-level privilege escalation attacks, such as confused deputy attacks, and more recently, attacks by colluding applications. While most of the proposed approaches aim at solving confused deputy attacks, there is still no solution that simultaneously ...
Taming Evasions in Machine Learning Based Detection Pipelines