[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The Fallacy of Cracking Contests

Bruce Schneier writes:
 > 3.  Contest prizes are rarely good incentives.
> Just look at the economics.  Taken at a conservative $125 an hour for
> a competent cryptanalyst, a $10K prize pays for two weeks of work,
> not enough time to even dig through the code.  A $100K prize might be
> worth a look, but reverse-engineering the product is boring and that's
> still not enough time to do a thorough job.  A prize of $1M starts to
> become interesting, but most companies can't afford to offer that.
Another point to consider is that a company sponsoring a contest,
particularly one which involves one of its products, has a great
interest in measuring the state of existing relevant art, and almost
no interest at all in directly funding new research leading to the
destruction of its cipher.
Most such contests have very carefully structured rules, and prizes
that are not too large, to sample what current tools and algorithms
can do, without single-handedly funding expeditions into unexplored
Factoring contests are a good example of this, where you get a few
thousand dollars for breaking something slightly larger than the last
thing broken, rather than $10 million for inventing the singing and
dancing factoring algorithm of the future, and breaking the 500
decimal digit key.
> I can offer $10K to the first person who successfully breaks into my
> home and steals a book off my shelf.  If no one does so before the
> contest ends, that doesn't mean my home is secure.  Maybe no one with
> any burgling ability heard about my contest.  Maybe they were too busy
> doing other things.  Maybe they weren't able to break into my home,
> but they figured out how to forge the real-estate title to put the
> property in their name.  Maybe they did break into my home, but took a
> look around and decided to come back when there was something more
> valuable than a $10,000 prize at stake.  The contest proved nothing.
Exactly.  Contests do nothing in the absence of prior academic
interest in the problem, and even then only serve to spotlight and
highlight what already exists.  Contests do not drive research, nor do
they prove ciphers secure.
Still, they're fun.

Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"