[Cryptography] a question on consensus over algorithmic agility

Jerry Leichter leichter at lrw.com
Mon Jun 30 09:28:30 EDT 2014


On Jun 26, 2014, at 5:21 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> a.  The security benefit of algorithm agility is entirely in being able to *stop* using some algorithms while still functioning.  
> 
> This means that you only really get this benefit if you have at least two ciphersuites that are both SHALLs.  If everyone implements RC4 + CRC32 (the SHALL), and some people also implement AES-GCM (the SHOULD), then when someone finally realizes that RC4+CRC32 is insecure, you can't actually get rid of it.  
But this leads us to an interesting position.  We have two schemes (algorithms, protocols, what have you), A and B, that both ends definitely implement and which in other ways (performance, cost) are essentially interchangeable (else, again, we would not be in a position to stop supporting either).  We think both are secure, but one of them *may* have been broken - we just don't know which.

This is then simple game theory:  We have two strategies, with equivalent payoffs that may be low (if the opponent "chose" to attack the same strategy we chose), or high otherwise.  And game theory tells us that the optimal strategy is a mixed one:  Choose A or B at random with equal probability.  (You can weight the probability to match knowledge of a weighted probability on the opponent's side.)

So the logical outcome of asking for algorithm agility is ... a single more complex algorithm.
                                                        -- Jerry
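The game Jerry sketches, worked through as an added example (this code is not part of the post and not from any library the thread discusses). The defender picks scheme A or B; the adversary has, unknown to the defender, broken one of them. The payoff to the defender is LOW when the two choices coincide and HIGH otherwise. The solver below finds the defender's optimal mix for any 2x2 zero-sum payoff matrix, and the expected-payoff check shows why the equal mix is the right answer for the symmetric case: at p = 1/2 the defender's expected payoff no longer depends on which scheme the adversary actually broke. The payoff values, the helper names and the use of `secrets.SystemRandom` for the per-connection coin flip are my assumptions.

```python
"""Mixed-strategy solution of the "which scheme did they break?" game.

Rows:    the scheme the defender selects (index 0 = A, index 1 = B).
Columns: the scheme the adversary has secretly broken (0 = A, 1 = B).
Entries: payoff to the defender (higher is better).
"""
import secrets
from fractions import Fraction

# Constructed payoff matrix for the symmetric case from the post:
# LOW when defender and adversary land on the same scheme, HIGH otherwise.
LOW, HIGH = 0, 1
SYMMETRIC_GAME = [[LOW, HIGH],
                  [HIGH, LOW]]


def solve_2x2(m):
    """Return (p, value) for the row player maximising payoff in a 2x2 zero-sum game.

    p is the probability of playing row 0 (scheme A); value is the expected
    payoff the defender can guarantee whatever the adversary does.
    If the matrix has a saddle point a pure strategy is already optimal.
    """
    (a, b), (c, d) = m
    maximin = max(min(a, b), min(c, d))   # best pure row, assuming worst column
    minimax = min(max(a, c), max(b, d))   # adversary's best pure column
    if maximin == minimax:                # saddle point: no mixing needed
        p = Fraction(1) if min(a, b) >= min(c, d) else Fraction(0)
        return p, Fraction(maximin)
    # Standard closed form for a 2x2 game without a saddle point.
    denom = (a - b) - (c - d)
    p = Fraction(d - c) / denom
    value = Fraction(a * d - b * c) / denom
    return p, value


def expected_payoff(m, p, q):
    """Defender plays A with probability p; adversary 'chose' A with probability q."""
    (a, b), (c, d) = m
    return (p * q * a + p * (1 - q) * b
            + (1 - p) * q * c + (1 - p) * (1 - q) * d)


def choose_scheme(p, rng=None):
    """The 'single more complex algorithm': pick A with probability p, else B.

    A system-level CSPRNG is used so the adversary cannot predict the choice.
    """
    rng = rng or secrets.SystemRandom()
    return "A" if rng.random() < float(p) else "B"


if __name__ == "__main__":
    p, value = solve_2x2(SYMMETRIC_GAME)
    print(f"optimal P(A) = {p}, guaranteed payoff = {value}")
    # Whatever the adversary's weighting q, the equal mix yields the same payoff.
    for q in (Fraction(0), Fraction(1, 4), Fraction(9, 10), Fraction(1)):
        print(f"  q = {q}: expected payoff {expected_payoff(SYMMETRIC_GAME, p, q)}")
    print("this connection uses scheme", choose_scheme(p))
```

Weighted knowledge about the adversary (the post's parenthetical) is expressed by changing the payoff entries rather than the probability directly: an asymmetric matrix produces an unequal mix, and a matrix with a saddle point collapses to a pure choice, which the solver reports as p = 0 or 1.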