Blumenthal, Uri - 0553 - MITLL writes: > What âprobability of disasterâ is acceptable to you, why,
The direct financial damage caused by ransomware is generally estimated as tens of billions of dollars per year. This immediately justifies, e.g., a million-dollar investment that reduces worldwide attack probability by 1/10000. To be clear, I'm _not_ saying that a disaster probability of 1/10000 (per million dollars invested) is acceptable. Ransomware damage is only one part of overall attack damage, and we want security to be more cost-effective. But this _lower bound_ on damage suffices for the purpose at hand, namely seeing why non-hybrid deployment is reckless. > and how do you compute it? https://cr.yp.to/papers.html#qrcsp, "Quantifying risks in cryptographic selection processes", is the state of the art on that topic. It finds a currently-known-failure rate of 48% among the 69 round-1 submissions to NIST, 25% among the submissions not broken by the end of round 1, and 36% among the submissions selected by NIST for round 2. Btw, I didn't notice answers to my previous questions about the claim of being "reasonably certain" in the security of "accepted PQ algorithms": "Reasonably certain meaning, what, 90% certainty? What's the basis for this claim? And are you saying that a 10% chance of disaster is okay?" > > > Where do you draw the line? > > Simple: require hybrids. > Why do you draw the line there? I already answered this: "The point is to address the concern that an upgrade to post-quantum crypto will be to something that's actually breakable." I also explained what's wrong with conflating that topic with the ECC+PQ1+PQ2 topic. [ regarding encryption vs. signatures: ] > Thereâs no damage possible (at least, in the TLS context) caused by PQ > DSA break Not true. I already explained what's wrong with this argument: https://mailarchive.ietf.org/arch/msg/tls/77uUYhGJYNVQIp9heMY9bkbKbaA/ ---D. J. Bernstein
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org