[Cryptography] On the Impending Crypto Monoculture

Jerry Leichter leichter at lrw.com
Sun Mar 27 06:23:11 EDT 2016


> Is monoculture therefore golden?  No.  By no means - it's a risk decision.  We all know we're putting our one egg in one basket and feeding the world.  It's just that over time, this risk is lower than any other we know of - like Churchill's democracy, monoculture in algorithms is a really bad idea, but it's the least bad of the rest of the ideas.

I'm not sure you're assessing the *nature* of the risks correctly.

Let's contrast a couple of possible situations.

If there's an AES monoculture, and AES is never broken, everything is great.  Highest probability world, lowest costs.

If there's an AES monoculture and a fallback, and AES is never broken, everything is great.  Highest probability world, slightly higher costs because of the need to establish and maintain the fallback.  The fallback code remains untested in real world service.

If we choose k equally standard algorithms, and use different algorithms in different situations, and none of them is broken, again all is golden - but the costs are higher.

If there's an AES monoculture, and AES is broken, every message ever encrypted is broken, and until an alternative can be established and fielded, every new message is also broken.  Extremely low probability event, immensely high cost.

If there's an AES monoculture and a fallback, and AES is broken, every existing message is broken, but future messages are safe once you can get everything switched to the alternative (which we'll assume is fairly quickly).  Same extremely low probability event, but a "half infinity" cost.  If, alternatively, it's the fallback that's broken (while AES survives), there's a much lower (but still significant) cost of finding and fielding a new alternative.  (Or you could just continue in the "AES monoculture" world.)

If we choose k equally standard algorithms, and use different algorithms in different situations, and any one of them is broken, 1/k of previous messages ever encrypted is broken.  Once you can effectively blacklist the broken algorithm, future messages are secure.  Since attackers now have k algorithms to attack, perhaps their chances of breaking one are better - but it's still an extremely low probability event, though costs are now considerably lower.

These are simplified scenarios, and without being able to plug in some values, it's hard to say anything meaningful.  And the problem is exactly that we have no way to guess at the values.  What's the probability of AES being broken in the next 10 years?  20 years?  50 years?  We have insufficient information to make any reasonable guess.  I think most people would say "vanishingly small" for 10 and even 20 years, but trying to predict *anything* out 50 years is very problematic.

And on the cost side, things are only a bit better.  Sure, "half infinity" is "less than" "infinity" (since "infinity" is just a codeword here for "so high I can't even imagine") but is that really a meaningful comparison?

What about the additional costs of maintaining a fallback, or choosing among k alternatives?  That's probably not *that* high, but how do you compare it to the "infinitesimal * infinite" expected costs of a break if you don't do it?

BTW, the "k alternatives" can be seen in different ways.  At one extreme, each protocol might choose a single one of the alternatives.  At the other, you could randomly choose an alternative for each connection, in effect using a single "meta-algorithm" in which part of the key determines the algorithm.  (If you're doing PFS, the algorithm might switch per message.)  Should you assume that the probability of a break of the "meta-algorithm" is different from the cost of a break of one of the constituent algorithms?  Given that it's all just guesswork anyway....

The net result:  The choice to be made here is simply not informed by enough data to be more than philosophy and gut feel.  I'm sympathetic to the arguments against complexity - but sometimes you need complexity in your system to deal with real complexity in the world.  Codebook mode is the simplest mode, but it's not quite good enough.
                                                        -- Jerry
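A toy model of the deployment scenarios in the post above (monoculture, monoculture plus fallback, k algorithms, and the "meta-algorithm" in which part of the key selects the cipher), added here as an example; it is not the author's code or any real protocol. The cipher names are placeholders, the keys are constructed deterministically, and the HMAC-based selector is one assumed way to let key material pick the algorithm.

```python
"""Constructed model of how much ciphertext a single algorithm break exposes."""
import hashlib
import hmac

# Hypothetical registry of k interchangeable ciphers (names only, no real encryption).
ALGORITHMS = ["cipherA", "cipherB", "cipherC"]


def select_algorithm(key: bytes, available: list[str]) -> str:
    """Meta-algorithm: a selector derived from the key picks one of the available ciphers.

    Deriving the selector with HMAC (assumed construction) rather than slicing raw key
    bytes keeps the selection bits independent of the bits the cipher itself would use.
    """
    selector = hmac.new(key, b"algorithm-select", hashlib.sha256).digest()
    return available[int.from_bytes(selector[:4], "big") % len(available)]


def encrypt_many(n: int, available: list[str]) -> list[str]:
    """Record which cipher each of n messages used, one fresh (constructed) key per message."""
    history = []
    for i in range(n):
        key = hashlib.sha256(b"constructed-message-key-%d" % i).digest()
        history.append(select_algorithm(key, available))
    return history


def exposed_fraction(history: list[str], broken: str) -> float:
    """Share of already-sent messages that become readable once `broken` falls."""
    return sum(1 for alg in history if alg == broken) / len(history)


def blacklist(available: list[str], broken: str) -> list[str]:
    """Remove the broken cipher so that future messages never select it."""
    return [alg for alg in available if alg != broken]


if __name__ == "__main__":
    # Monoculture: everything ever sent is exposed by a single break.
    print("monoculture:", exposed_fraction(encrypt_many(1000, ["cipherA"]), "cipherA"))
    # k algorithms chosen per key: roughly 1/k of past traffic is exposed ...
    past = encrypt_many(6000, ALGORITHMS)
    print("k=3, share exposed:", round(exposed_fraction(past, "cipherB"), 3))
    # ... and once the broken cipher is blacklisted, new traffic avoids it entirely.
    future = encrypt_many(2000, blacklist(ALGORITHMS, "cipherB"))
    print("after blacklist, still using broken cipher:", "cipherB" in future)
```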