The cr.yp.to microblog: 2020.04.19 01:17:52

2020.04.19 01:17:52 (1251651188174422018) from Daniel J. Bernstein, replying to "Yehuda Lindell (@LindellYehuda)" (1251644262795657217):

When I describe how the incentive structures in crypto lead to security failures for users, you object, saying the "field of crypto" is a "huge" success. You don't define the success metric but you categorically state that failures don't "take away" from it. Did I get that right?

2020.04.19 02:41:06 (1251672136244006914) from Daniel J. Bernstein:

I wrote: "As a community we systematically refuse to measure and optimize how well we're doing at proactively avoiding errors and protecting users." As this thread shows, we respond to failures by declaring our field to be a "huge" success and saying the failures don't matter.

Context

2020.04.19 00:18:42 (1251636300555444224) from "Yehuda Lindell (@LindellYehuda)":

I understand. Let me clarify - I wasn’t being clear at all (I see now). I disagree with what Diffie said as criticism. Doing clever things for that purpose ends up solving a lot of problems that we need solved many years later.

2020.04.19 00:20:03 (1251636638322696193) from "Yehuda Lindell (@LindellYehuda)", replying to "Yehuda Lindell (@LindellYehuda)" (1251636300555444224):

For example, hash based signatures was a clever idea aimed at proving that one way functions imply signatures. Now, it is seriously looked at for PQC. So, not everyone needs to look at real users and applications to do important work.

2020.04.19 00:32:19 (1251639726819270656) from Daniel J. Bernstein, replying to "Yehuda Lindell (@LindellYehuda)" (1251636638322696193):

Can you please state clearly which metric you're using for the allegedly "huge" success of the "field of crypto"? You keep giving alleged examples but not stating the metric. Readers can't figure out if the metric sees, e.g., OpenSSL's upcoming emergency patch as a failure.

2020.04.19 00:50:21 (1251644262795657217) from "Yehuda Lindell (@LindellYehuda)":

The fact that there are failures, even big ones, does not take away from the many successes. We need to always try to do better, but this doesn’t take away the value of what is being done. But this isn’t the answer you’re looking for but I don’t know what is.