[omeid2]

> No reasonable threat model says, conducting this attack takes $100,000, and since most people don't have $100,000 in savings it's safe

Sure, that is never the claim.

> And in particular the claims here are in fact about exact amounts: a factor of two

Sure, but that is still a factor of X, an unknown amount.

The bottom line is that for many actors, even nation state, the cost difference of 20M and 40M might mean that they have to seek alternative options. Not every actor has access to infinite amount of USD or compute.

[geofft]

And my claim is that if your threat model depends on an attacker who can afford $20M being unable to afford $40M, your threat model is flawed and you've already lost. They might have to seek alternative options. They might not. They might just be able to issue $20M of bonds, who knows. They might have a strong economy next year and the attackerbucks-to-USD exchange rate might double. If you need to defend against an attacker with $30M in the bank, make the attack cost $30B or $30T.

And the neat thing about crypto is that's easy to do: just increase the amount of entropy involved. A mere ten more bits make a brute-force attack cost 1000x as much. If we're genuinely worried that 63 bits is too small, ditch the 64-bit requirement and make it 128-bit. (Probably phrase it as 120-bit, so people can use UUIDs and whatnot - the point is still that 120 is still clearly more than enough, not near the borderline.)

[omeid2]

> And my claim is that if your threat model depends on an attacker who can afford $20M being unable to afford $40M

But is it? I think the underlying claim is that 2X difference doesn't matter, which is patently false.

[geofft]

2X difference doesn't matter to a reasonably constructed cryptographic threat model. Any threat model for which a 2X difference is meaningful is already flawed. I'm not saying a 2X difference doesn't matter in general. I'm saying a reasonably constructed cryptographic threat model is going to consider attacks as either "worth worrying about" or "not worth worrying about", and any maybes, like the possibility of an attacker who already controls $20M finding another $20M, fall in the "worth worrying about" bucket.

[Dylan16807]

A 2X difference from baseline does not make a meaningful difference in who can attack you.

[omeid2]

It could make the difference of mounting a hash collision before a certificate expires or after (2X time), if the attack doesn't yield to parallelism and time becomes a limiting factor.

[Dylan16807]

The claim was about a 1 bit reduction in entropy. A scenario like that definitely acts differently, but it's not searching a space either; reducing a guaranteed calculation time by 2x is not really comparable to a loss of 1 entropy bit.