[Cryptography] Many curves versus one curve

Jerry Leichter leichter at lrw.com
Mon Aug 11 10:10:58 EDT 2014


On Aug 10, 2014, at 3:19 PM, William Allen Simpson <william.allen.simpson at gmail.com> wrote:
>> Suppose that an unknown fraction of elliptic curves has some undesirable property. By using a large number of curves, we decrease the variance of our risk in expectation. Under a minimax cost model, this is a big gain. (A certainty of small loss, rather than a small chance of catastrophe.)
> That is the argument we've been making for over 20 years.
I put this another way here not long ago:  It's basic game theory.  You have a bunch of alternative moves to choose from (each curve, or each cryptographic algorithm, is a move) and (initially) no way of knowing which move your opponent will make "in response" (i.e., which curve/algorithm he chooses to attack, or gets lucky in attacking - *how* he operates is irrelevant, all that matters is that he makes a move).  Assuming all moves by your opponent are equally likely, your best approach is a mixed strategy, choosing among all (a priori equivalent) moves at random.

If you have some kind of probability distribution on your opponent's responses, you can adjust your probability distribution to maximize your expected results.  This way, broken systems naturally get chosen less frequently - and ultimately not at all if the break is bad enough.
                                                        -- Jerry
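
An added worked example (not part of the original message) of the variance and mixed-strategy arguments in the thread above. The model is an assumption: `used` distinct curves are drawn uniformly from `total`, `weak` of them are bad, traffic is split evenly, and every number is constructed.

```python
from fractions import Fraction
from math import comb

def loss_distribution(total, weak, used):
    """Exact pmf of the exposed traffic fraction when `used` distinct curves are
    drawn uniformly from `total` (of which `weak` are bad, which ones unknown)
    and traffic is split evenly over the drawn curves (assumed model)."""
    pmf = {}
    for bad in range(max(0, used - (total - weak)), min(weak, used) + 1):
        ways = comb(weak, bad) * comb(total - weak, used - bad)
        pmf[Fraction(bad, used)] = Fraction(ways, comb(total, used))
    return pmf

def mean_var(pmf):
    """Expected loss and its variance for a pmf {loss_fraction: probability}."""
    mean = sum(x * p for x, p in pmf.items())
    var = sum((x - mean) ** 2 * p for x, p in pmf.items())
    return mean, var

def worst_case_loss(strategy):
    """Minimax view: the opponent breaks the single curve that carries the
    largest share of our traffic."""
    return max(strategy)

def expected_loss(strategy, attack):
    """Exposure when curve i is used with probability strategy[i] and broken
    with probability attack[i]."""
    return sum(s * a for s, a in zip(strategy, attack))

if __name__ == "__main__":
    TOTAL, WEAK = 20, 2  # constructed numbers: 10% of curves are bad
    for used in (1, 5, 20):
        pmf = loss_distribution(TOTAL, WEAK, used)
        mean, var = mean_var(pmf)
        print(f"{used:2d} curves: mean={mean} var={var} "
              f"P(total loss)={pmf.get(Fraction(1), 0)}")
    uniform = [Fraction(1, 4)] * 4
    print("worst case, one curve:", worst_case_loss([1, 0, 0, 0]))
    print("worst case, uniform mix:", worst_case_loss(uniform))
    # Constructed belief about which of four curves the opponent attacks.
    attack = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 8)]
    shifted = [0, 0, Fraction(1, 2), Fraction(1, 2)]
    print("expected loss, uniform:", expected_loss(uniform, attack))
    print("expected loss, shifted away from likely targets:",
          expected_loss(shifted, attack))
```

The expected loss is 1/10 in all three deployments; only the spread changes, from variance 9/100 with a single curve to 27/1900 with five and 0 with all twenty.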
