Alexander Klimov <[EMAIL PROTECTED]> writes:
> On Wed, 2 May 2007, Perry E. Metzger wrote:
>> All cryptography is about economics. In crypto, we usually
>> consider what the best strategy for an attacker is in terms of
>> breaking a cryptosystem, but here I think the right question
>> is what the optimal strategy is for the attacker in terms of
>> maximizing economic pain for the defender.
>
> I guess we should pay more attention to the real motivation of
> the players. In my opinion it is very unlikely that attackers
> want to "maximize economic pain" of the defender, it is more
> believable that they simply want to be the first to solve the
> challenge.

I'm making a somewhat different point.

When doing analysis of attacks on an algorithm or protocol, one
considers the "worst" thing the attacker can do, not the "most likely"
thing the attacker could do. It is true that the real attacker might
(or might not) do the "worst" thing, but I think that is not the
correct way to analyze the properties of the system.

My main claim here was that in addition to examining the best moves
the attacker and defender can make on the level of breaking/defending
the system on a technical level, one should also consider the economic
impact of their respective strategies. The fact that the attacker
could do things like timing disclosures of keys to maximize losses
seems quite significant to me.

If we are willing to demand that a cipher defend against things like
known and chosen plaintext attack even if such attacks might be very
difficult to conduct in some circumstances, I think we should also
consider things like the economic effects an attacker could inflict
upon the defenders in a DRM system, especially if the attacker suffers
no marginal cost in picking a more economically damaging attack.

It would be desirable for a system to permit defense against such an
attack, because the defender cannot control the actions of the
attacker and presumably wishes to be safe even if the attacker is
motivated to do maximum damage, or by chance happens to do maximum
damage. For example, one should not have the security of the system
rely upon the attackers choosing to release keys at random rather than
at times that maximize inventory losses, because the attackers can
alter the timing of key revelations at no marginal cost.

Many people think of it as valid for a system to depend on an attacker
needing extreme resources to conduct an attack -- many smart card
systems work this way. We therefore already incorporate economics into
our analysis. In cases like DRM, I think it is equally valid to
consider different strategies an attacker who already has broken or
partially broken a system might choose to use to cause maximum
economic impact.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to