5

It seems that the acceptable "security margin" for ciphers is set to be between 25% and 30% as a target by designers, where this number represents the number of rounds that remain "unbroken" for a certain worse-case attack. It is all too eerily empirical from a field that dislikes that sort of thing considering that the security margin tends to decrease over time as attacks improve.

Is there a historical reason for picking this arbitrary number or is there just a consensus that better than 25% is good enough?

Ilmari Karonen
  • 46,120
  • 5
  • 105
  • 181
b degnan
  • 4,810
  • 1
  • 24
  • 48
  • 4
    Considering that basically all of modern cryptography rests on a bunch of unproven conjectures that are assumed to be true only because nobody's been able to prove them false, I feel like you may be underrating the "empiricity" of the field. Still, +1 for an interesting question. – Ilmari Karonen Apr 10 '19 at 08:11
  • @IlmariKaronen touche. Usually I can find some mathematical reasoning that makes sense. This one just seems so arbitrary. – b degnan Apr 10 '19 at 15:24
  • It won't be arbitrary. Security margin ~ safety factor, and you'll know that safety factors are based on empirical statistics. Factoid: safety factor for a building = 1.6. – Paul Uszak Apr 10 '19 at 21:26
  • @PaulUszak You do realize that "factoid" means a false fact blindly repeated by fools, right? – forest Apr 11 '19 at 04:59
  • @forest Like your version of a smaller $\pi$? – Paul Uszak Apr 11 '19 at 10:24
  • @PaulUszak A smaller $\pi$? When did I ever say anything like that? – forest Apr 12 '19 at 05:49
  • 1
    SImon and Speck have detailed design specifications. They include the reasoning behind the safety margins used for the algorithms. See Notes on the design and analysis of Simon and Speck, Section 5, Security Margins. (The authors kind of had to do it because of the politics involved with NSA designs). –  Apr 27 '19 at 05:15

2 Answers2

2

There is not much reason behind this particular number, but I think that the AES cipher stands as an example. By the time of its selection as AES, Rijndael-128 had 7 out of its 10 rounds broken, though for the 7-round attack it was not clear then if it is better than the exhaustive search. So the security margin was about 30% that time. Now, as the attacks have de-facto advanced by 1 round only (the biclique attacks have only a small constant advantage factor), it is understood that the security margin was well chosen and it made sense to have it 30%.

Dmitry Khovratovich
  • 5,647
  • 21
  • 24
2

There is not such a consensus. For example, Salsa20 has a ‘security margin’ of 60%, with 8 out of 20 rounds broken; for ChaCha, it's 65%, with only 7 out of 20 rounds broken. But it is all a heuristic pseudo-empirical sociological interpretation of the literature. A decade and a half ago, EUROCRYPT recommended the reduced-round Salsa20/12 because it was faster, but these days ChaCha with the full 20 rounds is one of the most widely used ciphers on the planet.

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223