Blumenthal, Uri - 0553 - MITLL writes:
> What “probability of disaster” is acceptable to you, why,

The direct financial damage caused by ransomware is generally estimated
as tens of billions of dollars per year. This immediately justifies,
e.g., a million-dollar investment that reduces worldwide attack
probability by 1/10000.

To be clear, I'm _not_ saying that a disaster probability of 1/10000
(per million dollars invested) is acceptable. Ransomware damage is only
one part of overall attack damage, and we want security to be more
cost-effective. But this _lower bound_ on damage suffices for the
purpose at hand, namely seeing why non-hybrid deployment is reckless.

> and how do you compute it?

https://cr.yp.to/papers.html#qrcsp, "Quantifying risks in cryptographic
selection processes", is the state of the art on that topic. It finds a
currently-known-failure rate of 48% among the 69 round-1 submissions to
NIST, 25% among the submissions not broken by the end of round 1, and
36% among the submissions selected by NIST for round 2.

Btw, I didn't notice answers to my previous questions about the claim of
being "reasonably certain" in the security of "accepted PQ algorithms":
"Reasonably certain meaning, what, 90% certainty? What's the basis for
this claim? And are you saying that a 10% chance of disaster is okay?"

> > > Where do you draw the line?
> > Simple: require hybrids.
> Why do you draw the line there?

I already answered this: "The point is to address the concern that an
upgrade to post-quantum crypto will be to something that's actually
breakable." I also explained what's wrong with conflating that topic
with the ECC+PQ1+PQ2 topic.

  [ regarding encryption vs. signatures: ]
> There’s no damage possible (at least, in the TLS context) caused by PQ
> DSA break

Not true. I already explained what's wrong with this argument:
https://mailarchive.ietf.org/arch/msg/tls/77uUYhGJYNVQIp9heMY9bkbKbaA/

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to