Editing Provable security (section)

{{Short description|Computer security method}}
{{no footnotes|section|date=September 2018}}
'''Provable security''' refers to any type or level of [[computer security]] that can be proved. It is used in different ways by different fields.

Usually, this refers to [[mathematical proof]]s, which are common in [[cryptography]]. In such a proof, the capabilities of the attacker are defined by an [[adversary (cryptography)|adversarial]] model (also referred to as attacker model): the aim of the proof is to show that the attacker must solve the underlying [[Computational complexity theory#Hard|hard problem]] in order to break the security of the modelled system. Such a proof generally does not consider [[side-channel attack]]s or other implementation-specific attacks, because they are usually impossible to model without implementing the system (and thus, the proof only applies to this implementation).

Outside of cryptography, the term is often used in conjunction with [[secure coding]] and [[security by design]], both of which can rely on proofs to show the security of a particular approach. As with the cryptographic setting, this involves an attacker model and a model of the system. For example, code can be verified to match the intended functionality, described by a model: this can be done through [[Static program analysis|static checking]]. These techniques are sometimes used for evaluating products (see ''[[Common Criteria]]''): the security here depends not only on the correctness of the attacker model, but also on the model of the code.

Finally, the term provable security is sometimes used by sellers of [[security software]] that are attempting to sell security products like [[firewall (computing)|firewall]]s, [[antivirus software]] and [[intrusion detection system]]s. As these products are typically not subject to scrutiny, many [[hacker (computer security)|security researchers]] consider this type of claim to be selling [[Snake oil (cryptography)|snake oil]].