The progressive ratio, defined below, provides a second intermediate metric that unifies security and efficiency metric. For the reasons stated below, this metric should be optimized only after optimizing the work ratio metric. That said, it is probably less arbitrary to optimize this metric after work ratio, than to merely pick one of efficiency or security as a secondary objective.
First, extrapolating Moore’s law in a simplistic form, define the log-security value
t = vlog(s), where v is some constant, as representing the amount of time t the algo- rithm can resist an attack. Log-security essentially grants the adversary, and actually anybody, effectively exponential-time computing power, which is bizarrely contrary to the usual notions of computational complexity.
Log-security is monotonic function of security, so preserves any ranking and thresh- olds. Therefore, one can talk about defective, tolerable, and saturated log-security, and one can trade between log-security and efficiency, without making any difference to one’s final decision of curve. So, using log-security instead of security in these decision strategies serves merely as a convenient way to view and think about the security metric, such as for displaying in a table or a graph or customer explanation.
The progressive ratio goes one substantial step further with log-security, by multiplying it by efficiency; so the progressive ratio is u=ve. Doubling the efficiency of an algorithm doubles its progressive ratio, squaring its security doubles its Moore value, because the pro- gressive ratio only presumes that squaring the security doubles the lifetime. The progressive ratio places a bet on the fact that Moore’s law will progress indefinitely, and as such, is a rather pessimistic bet since it favors the adversary of the future.
One technical difficulty with the progressive ratio is its lack of scale-invariance: if we change our units of costs in the absolute metrics, this can change the progressive ratio. By contrast, in the work ratio, the cost units cancel, so work ratio is more a dimensionless parameter. By contrast, progressive ratio has some units: log-cost divided by cost. Nev- ertheless, when comparing the progressive ratios of two different algorithms, this is not a problem if one uses the same cost units for each algorithm.
Again, I recommend optimizing work ratio before optimizing progressive ratio, because the progressive ratio depends on the questionable assumption of Moore’s law continuing indefinitely, whereas the work ratio does not. However, even after optimizing work ratio, (or trading security or efficiency), there may still remain a degree of freedom in the choice. At this point, it appears reasonable to optimize the progressive ratio.
The progressive ratio has one potential advantage over the work ratio, in that it perhaps models an adversary in the future, which may be useful for things like confidentiality. For security goals like real-time authentication, future adversaries are not a concern, so the progressive ratio appears irrelevant. Beware: even signature algorithms can also provide stale authentication, which needs future security, so the progressive ratio may be relevant to signatures.
In the case of elliptic curves, unlike work ratio, the progressive ratio depends more strongly upon the curve efficiency, rather than just the curve size. One might expect that, for a fixed curve size, the progressive ratio generally increases with efficiency of the curve. But one should calculate this to be sure.
Graphically, the progressive ratio is just a hyperbola on the log-security-efficiency plane as in Figure 5. This figure, if overlaid with Figure 4 suggests that, for any algorithm
efficiency 320 256 192 128 64 0 −64 log−security
Figure 5: Progressive Ratio: Constant Value Contours are Hyperbolas in the Log-Security- Efficiency Plane
whatsoever, when making a choice between two algorithms with the same work ratio, one should choose more efficient one will have a higher value of progressive ratio. This seems to follow because the work ratio contours appear always steeper than the progressive ratio contours where the contours cross.
Remark B.9.Actually, this appearance may not quite be correct, because Figure 5shows only one contour. There is actually a divide in the plane, whose graph is reverse exponential similar to the work ratio contours, below which the progressive ratio contours are steeper. The dividing curve is very close the horizontal and vertical axes (log-security of zero).
Anyway, this seems to better justify choosing the the most efficient curve of a given size. In other words, the benefit of efficiency to user is greater than to the adversary, because under progressive ratio, a gain in efficiency buys the user more time in the present than the secure lifetime is lost in the future under Moore’s law progressing.
Conversely, if one makes progressive the primary objective, and work ratio the second, then one would choose resolve a tie of optimal progressive ratio by choosing the highest security, because that should optimize work ratio.