Alexander Klimov <[EMAIL PROTECTED]> writes: > On Wed, 2 May 2007, Perry E. Metzger wrote: >> All cryptography is about economics. In crypto, we usually >> consider what the best strategy for an attacker is in terms of >> breaking a cryptosystem, but here I think the right question >> is what the optimal strategy is for the attacker in terms of >> maximizing economic pain for the defender. > > I guess we should pay more attention to the real motivation of > the players. In my opinion it is very unlikely that attackers > want to "maximize economic pain" of the defender, it is more > believable that they simply want to be the first to solve the > challenge.
I'm making a somewhat different point. When doing analysis of attacks on an algorithm or protocol, one considers the "worst" thing the attacker can do, not the "most likely" thing the attacker could do. It is true that the real attacker might (or might not) do the "worst" thing, but I think that is not the correct way to analyze the properties of the system. My main claim here was that in addition to examining the best moves the attacker and defender can make on the level of breaking/defending the system on a technical level, one should also consider the economic impact of their respective strategies. The fact that the attacker could do things like timing disclosures of keys to maximize losses seems quite significant to me. If we are willing to demand that a cipher defend against things like known and chosen plaintext attack even if such attacks might be very difficult to conduct in some circumstances, I think we should also consider things like the economic effects an attacker could inflict upon the defenders in a DRM system, especially if the attacker suffers no marginal cost in picking a more economically damaging attack. It would be desirable for a system to permit defense against such an attack, because the defender cannot control the actions of the attacker and presumably wishes to be safe even if the attacker is motivated to do maximum damage, or by chance happens to do maximum damage. For example, one should not have the security of the system rely upon the attackers choosing to release keys at random rather than at times that maximize inventory losses, because the attackers can alter the timing of key revelations at no marginal cost. Many people think of it as valid for a system to depend on an attacker needing extreme resources to conduct an attack -- many smart card systems work this way. We therefore already incorporate economics into our analysis. In cases like DRM, I think it is equally valid to consider different strategies an attacker who already has broken or partially broken a system might choose to use to cause maximum economic impact. Perry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]