Dear Dan and PQC forum,
More thoughts about the age/thought-based estimates that feed into the cost
benefit analysis of layering diverse crypto. I hope that this email will help
make things clearer, this time.
First, on quantification, I notice that the methods can be re-expressed in
terms of well-established tools such as survival functions. Second, on
philosophy of what breakable means, and how conjectures are worded, I try to
clarify the distinction between existence of attack algorithms, and real-world
attackers being able to find attack algorithms.
Needless to say, some of these thoughts would not have occurred to me without
Dan Bernstein's criticisms. (E.g. I would have moved on to other more, or
less, important topics.)
1. Quantification and survival functions
Bernstein's initial model, with a single function p(), seems quite similar
to 1-S(), where S is a survival function
https://en.wikipedia.org/wiki/Survival_function so it seems a sensible
approach, for which working tools may already exist.
In particular, the Kaplan-Meier estimator
https://en.wikipedia.org/wiki/Kaplan%E2%80%93Meier_estimator would likely,
based on the observation of attacks on schemes, suggest that p(M) < 1 for
large M, just as Dan predicted. More interestingly, the KM estimator says
that p(M) becomes constant for M larger than the oldest observation. I
think that this is an artefact of the KM estimator. Anyway, with the
KM estimator, the conditional probability estimate for the breakability of the
oldest scheme works out to 0. So, maybe a more cautious estimator than the KM
estimator would be suitable for this application.
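To make this concrete, here is a minimal hand-rolled Kaplan-Meier estimator. The data are entirely hypothetical: each pair is (age in years of public cryptanalysis, whether the scheme was broken at that age), with unbroken schemes treated as censored observations.

```python
def kaplan_meier(data):
    """data: list of (time, event) pairs; event=True means the scheme was
    broken at that age, False means still unbroken (censored).
    Returns the estimated survival step function as (time, S(time)) pairs."""
    times = sorted({t for t, e in data if e})            # distinct break times
    s, steps = 1.0, []
    for t in times:
        at_risk = sum(1 for u, _ in data if u >= t)      # schemes surviving to t
        breaks = sum(1 for u, e in data if u == t and e) # breaks observed at t
        s *= 1 - breaks / at_risk
        steps.append((t, s))
    return steps

# Hypothetical data: four schemes broken at ages 3, 5, 5, 8; three schemes
# still unbroken at ages 10, 20, 30 (censored).
data = [(3, True), (5, True), (5, True), (8, True),
        (10, False), (20, False), (30, False)]
for t, s in kaplan_meier(data):
    print(t, round(s, 3))
```

Because the oldest observations here are censored, the estimated S stays constant beyond age 30: this is the plateau (and the conditional break probability of 0 for the oldest scheme) mentioned above.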
The model that I considered in 2021/608 can also be seen in terms of a
survival function. It restricts the survival function to be an exponential
survival function (the waiting-time distribution of a Poisson process) but
allows a different survival function S for each cryptographic scheme. This is
a one-parameter model. To infer the parameter, we use one value of input data
(the public thought T). It is possible that S(t)=1 for all t, but as a
precaution the estimates never infer this.
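Here is a minimal sketch of my reading of that one-parameter model. The rule A = 1/T for inferring the rate from a single surviving observation is an illustrative assumption on my part, not necessarily the exact estimate in 2021/608; a pure maximum-likelihood fit to one censored observation would give A = 0 (never breakable), which is exactly what the precaution avoids.

```python
import math

def infer_rate(T):
    """Given only that a scheme has survived T units of public thought, a
    maximum-likelihood fit would give A = 0 (unbreakable); as a precaution,
    take the cautious illustrative estimate A = 1/T instead."""
    return 1.0 / T

def p_break(t, A):
    """Estimated probability of a break within t units of thought, under the
    exponential survival function S(t) = exp(-A*t)."""
    return 1.0 - math.exp(-A * t)

A = infer_rate(T=100.0)              # scheme has survived 100 units of thought
print(round(p_break(100.0, A), 3))   # break probability over the next 100 units
print(p_break(float("inf"), A))      # 1.0: p(t) -> 1 as t -> infinity
```

Note that p(t) tends to 1 only in the limit, which matters for the discussion of the prescient attacker below.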
2. Philosophy of what counts as breakable, and crypto conjecture wording
In Bernstein's model, "breakable" means p(infinity) = 1, i.e. p(M)->1 as M->
infinity. In particular, breakable includes the case that p(M)<1 for all M,
but p(M) -> 1 (or p(infeasible-M)=1). This grants an attacker the ability to
find an attack that public attackers would never find in practice. For
example, suppose that p(100000) = 0.000001, yet p(10^10^10^10)=1. For now,
let's call this a prescient attacker. In other words, if an attack algorithm
exists, the prescient attacker will find it. As motivation for my choice of
word "prescient", suppose the attacker uses a time machine, travels to a point
when the public finds an attack, and then returns to the present.
Aiming for resistance to a prescient attacker is a great precaution. Calling
the existence of a prescient attack "breakable" might be excessive, but of
course, authors are fairly free to define jargon arbitrarily.
In the 2021/608 model, the attackers considered are more limited than the
prescient attacker. All attackers are subject to the same p() that applies to
the defenders. Attackers and defenders are humans, with limited resources.
So, this model ignores the prescient attacker, and does not even attempt to
resist the prescient attacker. In other words, it drops Bernstein's
precaution about resisting a prescient attacker. Actually, the 2021/608
model is more drastic: it assumes that a prescient attacker exists. In other
words, it presumes that any cryptographic scheme is vulnerable to a prescient
attacker. This presumption could itself be considered a precaution, as a way of
underestimating the security of the cryptography being studied. Perhaps it is
too harsh an estimate.
Dropping the precaution of demanding resistance to a prescient attacker is
arguably compensated by other precautions in the 2021/608 model. First, the
time input to p() is not calendar time, but rather amount of thought: one can
scale up the attacker's thought t. If we are worried about strong attackers,
though not prescient ones, boost t to a high number. (Here we are of course not
worried about time travelers, but about work done in parallel by multiple
people, by extra effort, expertise, etc.) Second, the survival function
S()=1-p() is
assumed to be exponential S(t)=e^(-At), allowing p()->1 as t->infinity,
meaning it admits the possibility of a prescient attacker (as mentioned in the
previous paragraph).
Just to nitpick on wording: the assumed function p() = 1 - e^(-At) never hits
"100%" exactly in "enough" time, unless "enough" time includes t = infinity,
or unless "100%" means something like "99.6%".
Regarding the 2021/608 model impacting security conjectures, Bernstein made a
good point, though I don't agree with Bernstein's wording (see previous
paragraph "100%" and "enough").
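The nitpicked numbers can be checked directly; the rate A = 1 below is an arbitrary illustrative choice.

```python
import math

# With A = 1, the assumed p(t) = 1 - e^(-At) stays strictly below 1 for
# every finite t (in exact arithmetic; double precision rounds the result
# to 1.0 once A*t passes roughly 37).
A = 1.0
for t in (1.0, 5.52, 20.0):
    p = 1.0 - math.exp(-A * t)
    print(t, round(p, 6), p < 1.0)
# Around A*t = 5.52 we already get p ~ 0.996, the "100% = 99.6%" of the
# quip; reaching p = 1 exactly requires t = infinity.
```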
The crypto conjectures are often formulated:
There exists no feasible algorithm to break scheme X.
A weakened version of this conjecture would be:
Nobody on earth will find a feasible algorithm to break scheme X.
Ok, "nobody on earth" is not the perfect wording, but I hope you can see what
I am aiming for. In other words, the first conjecture says the prescient
attacker does not exist, the second conjecture does not care whether the
prescient attacker exists.
The first form is cleaner and bolder, and more in line with computer science
practice. But in practice, the two conjectures have about the same real-world
impact, so the wording does not matter. However, this notion of a prescient
attacker does manage to split the hairline between these two wordings.
A cryptographer's main supporting evidence for either conjecture might be that
cryptographers have spent much time attacking X, and they feel that any
attack algorithm for X is likely to be infeasibly slow.
With such evidence, the second nobody on earth conjecture already seems
reasonably well supported, since people-on-earth tried and failed.
The stronger non-existence form of the conjecture needs a little more support,
I think.
Certainly, cryptographers could not have run all possible attack algorithms.
Nor could they have predicted the runtimes of all possible attack algorithms.
Indeed, I have a vague recollection that some algorithms have runtimes (or
halting status) that are difficult to predict other than by running the
algorithms. There could well be better evidence for the non-existence
conjectures, but what is it?
The famous NP>P conjecture is likely often stated in the non-existence form
too (there exists no P algorithm that solves an NP-complete problem, etc.).
So, the crypto conjectures are in good company. But NP>P arguably has other
types of supporting evidence. Consider the huge generality of NP and P, and
the startling implications of P=NP (the domino effects). I think typical
crypto conjectures would have no comparably sweeping and startling impacts if
proven wrong.
Anyway, at the splitting-hairs level of detail, I agree that the 2021/608
model says that most crypto conjectures ought to be more cautious and use the
weakened nobody-on-earth form. At a practical level, I wouldn't agree that the
2021/608 model says that "every cryptographer is wrong 100% of the time".
Best regards,
Dan