Hacker News new | ask | show | jobs
by geofft 2655 days ago
And my claim is that if your threat model depends on an attacker who can afford $20M being unable to afford $40M, your threat model is flawed and you've already lost. They might have to seek alternative options. They might not. They might just be able to issue $20M of bonds, who knows. They might have a strong economy next year and the attackerbucks-to-USD exchange rate might double. If you need to defend against an attacker with $30M in the bank, make the attack cost $30B or $30T.

And the neat thing about crypto is that's easy to do: just increase the amount of entropy involved. A mere ten more bits make a brute-force attack cost 1000x as much. If we're genuinely worried that 63 bits is too small, ditch the 64-bit requirement and make it 128-bit. (Probably phrase it as 120-bit, so people can use UUIDs and whatnot - the point is still that 120 is still clearly more than enough, not near the borderline.)
1 comments
omeid2 2655 days ago
> And my claim is that if your threat model depends on an attacker who can afford $20M being unable to afford $40M

But is it? I think the underlying claim is that 2X difference doesn't matter, which is patently false.

link
geofft 2655 days ago
2X difference doesn't matter to a reasonably constructed cryptographic threat model. Any threat model for which a 2X difference is meaningful is already flawed. I'm not saying a 2X difference doesn't matter in general. I'm saying a reasonably constructed cryptographic threat model is going to consider attacks as either "worth worrying about" or "not worth worrying about", and any maybes, like the possibility of an attacker who already controls $20M finding another $20M, fall in the "worth worrying about" bucket.
link
Dylan16807 2655 days ago
A 2X difference from baseline does not make a meaningful difference in who can attack you.
link
omeid2 2655 days ago
It could make the difference of mounting a hash collision before a certificate expires or after (2X time), if the attack doesn't yield to parallelism and time becomes a limiting factor.
link
Dylan16807 2655 days ago
The claim was about a 1 bit reduction in entropy. A scenario like that definitely acts differently, but it's not searching a space either; reducing a guaranteed calculation time by 2x is not really comparable to a loss of 1 entropy bit.
link