Provable security in an encryption setting is very similar to provable security in a digital signature setting (see Chapter II). In both cases we aim to make meaningful, mathematically rigorous statements about the security of cryptosystems and provide proofs that these statements are correct.

Generally, a security proof attempts to show how difficult “breaking” a cryptographic scheme is, in terms of how difficult it is to solve some mathematical problem. If we can show that the difference between breaking the cryptographic scheme and solving the underlying mathematical problem is only small, and we assume that solving the underlying problem is difficult to do, then we can have some measure of assurance in the security of the cryptographic scheme. The main difference between proving security in the signature setting and in the encryption setting is deciding what is meant by “breaking” the scheme.

Before we launch into the complicated and arcane world of provable security, it is useful to take a moment to consider its history. The field of provable security for public-key encryption schemes has a history almost as long as public-key encryption itself. The most significant early papers on provable security are by Rabin in 1979 [279] and Goldwasser and Micali in 1984 [149].