by schoen
4002 days ago
One thing you might be thinking of is "there should be one mode, and it should be secure". http://iang.org/ssl/h3_there_is_only_one_mode_and_it_is_secu... This isn't exactly the same as what you said, but I think it's an argument in favor of your point of view.

Another analogous thing is that academic cryptographers will regard an algorithm or protocol as broken if an adversary can gain a significant advantage (probability of distinguishing things that are supposed to be indistinguishable, reduction in work factor, etc.), even if the resulting work factor to mount the attack is still enormous. For example, if there were an attack that could break AES in 2¹⁰⁰ operations, AES would be considered broken even though we believe there is no one who can perform 2¹⁰⁰ operations, because it no longer provides the designed or advertised security margin.