Bad, bad crypto
Is not good crypto
The problem with bad security is that it looks just like good security.
—Bruce Schneier
The masses admire the confused more than the complex.
—Nicolás Gómez Dávila
Cryptography looks easy. Anyone can design a cipher they can’t break but what’s hard is designing one that no one can break and that is as fast and simple as possible.
Call it gatekeeping, but without hundreds of hours spent analyzing and attacking cryptography you won’t get far. Amateurs produce amateur cryptography. It doesn’t matter that you have a PhD in quantum physics or musicology.
Outwardly innovative designs that stack buzzwords and convoluted concepts for no reason but impressing novices or baiting investors aren’t serious cryptography. They’re snake-oil.
Today we look at some of the worst crypto I’ve seen over the years, the most pretentious and the least secure. Cryptocurrency protocols sit in their own league but I’ll make one exception.
Time AI (2019)
Time fucking AI. The mother of all crypto snake-oil. AI scams before it was cool. New age mysticism. Music theory. Infinity. A charismatic leader—“A modernized polymathic life propelled by intention.” I had the chance to witness it live at Black Hat 2019, sitting next to fellow cryptography expert Dan Guido. It was glorious.
But watch the video first:
Now look at their sponsored Black Hat talk. A Twitter thread is worth a thousand words. Selected bits below, with my quotes from the genius speaker:
“Quantum AI” before Google, gotta give them that. But don’t say “quantum,” say “time’s entangled uncertainty.”
Lie algebra, octonion, yeah sure.
And don’t miss the “who do you work for?” after Dan called him out.
You’d think something this moronic wouldn’t fool anyone, that we’d passed the nonsense singularity where the infinite mass of red flags coalesced into the single neuron of Robert E. Grant. Right?
But never underestimate con artists, and never overestimate investors. This company ended up raising an 8-digit figure. The pay-to-play Black Hat talk was part of the sham, and many investors were in the room.
IOTA (2017)
Where to start?
The “blockchain for IoT” that needs 3 round trips of API calls for a transaction, with huge payloads and a local proof of work?
The blockless blockchain, with neither blocks nor chains.
Because 3 > 2, Iota didn’t use 2-state bits but 3-state trits. Superior. Revolutionary.
The broken hash function “curl” used in Iota’s signature scheme, failing basic pseudorandomness checks and with trivial collision attacks.
You can check their 2017 site and whitepaper. The kind of nonsense you’ll read from most blockchain projects, but blockless:
The whole fields of
Chaos-based cryptography, and hyperchaotic cryptography. Chaos is messy and unpredictable, must be great for crypto. Let’s use cellular automata to generate pseudorandom numbers.
DNA cryptography. You can encode information as CTAG sequences, and you can modify CTAG sequences as you’d modify bits. What’s the point? Publishing papers, and strengthening AES with DNA.
AI cryptography and neural cryptography. AI-powered encryption. Make cryptography smarter with AI. Synergy, baby. True fact though: I once used a genetic algorithm to select S-boxes of a proprietary cipher, around 2010.
Those are the three main leagues. Adjacent ones are fractal cryptography, wavelet cryptography, vector cryptography, chemical encryption, neuromorphic encryption, and a large part of the cryptography-related articles published in Nature (especially the randomness generation ones).
The tactic of these papers is to combine basics from one scientific field with cryptography concepts and verbiage, adding scientific-looking graphs with random-looking patterns, calling it “security,” and publishing in low-tier journals.
Look at A new encryption algorithm for image data based on two-way chaotic maps and iterative cellular automata, for example, published as a “scientific report” of the venerable Nature:
A messy cloud of points, so chaotic, wow.
Not only chaotic but also spatiotemporal? Must be super secure.
The right image doesn’t look uniformly random, but it doesn’t look like Lena, must be super secure.
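The “basic pseudorandomness checks” mentioned above are not hard to run, and they are exactly what the random-looking pictures in these papers never survive. As an added example (written for this page, not code from the post or from any of the papers it criticizes), here is the most basic one, a chi-square test of the byte histogram, run on a caricature chaos-based keystream (the logistic map x → 4x(1−x) with a constructed seed, standing in for the generic chaotic-map generator) and on SHAKE256 from the Python standard library:

```python
import hashlib

NUM_BYTES = 100_000  # sample size, constructed for this demo


def logistic_map_bytes(n: int, x0: float = 0.123456789) -> bytes:
    """Caricature 'chaos-based' keystream: iterate x -> 4x(1-x), keep the top 8 bits.

    x0 is an arbitrary constructed seed. The map is chaotic, but its invariant
    density is the U-shaped arcsine law, so values near 0 and 1 are about ten
    times more frequent than the uniform distribution would allow."""
    out = bytearray()
    x = x0
    for _ in range(n):
        x = 4.0 * x * (1.0 - x)
        out.append(min(int(x * 256), 255))  # x == 1.0 would give 256
    return bytes(out)


def reference_bytes(n: int, seed: bytes = b"constructed seed") -> bytes:
    """Baseline: a real cryptographic XOF (SHAKE256) producing n bytes deterministically."""
    return hashlib.shake_256(seed).digest(n)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against the uniform distribution.

    For uniform data it sits near 255 (degrees of freedom), with a standard
    deviation of about 23; a few thousand means the stream is visibly biased."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_uniform(data: bytes, threshold: float = 450.0) -> bool:
    """Crude pass/fail; 450 is roughly seven standard deviations above the mean."""
    return chi_square_bytes(data) < threshold


if __name__ == "__main__":
    for name, stream in (("logistic map", logistic_map_bytes(NUM_BYTES)),
                         ("SHAKE256", reference_bytes(NUM_BYTES))):
        print(f"{name:13s} chi-square = {chi_square_bytes(stream):10.1f}"
              f"  uniform? {looks_uniform(stream)}")
```

A scatter plot of this keystream looks like a “messy cloud of points” too; the histogram is what tells the two streams apart.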
How to spot bad crypto?
Easy. Look for signs of crackpottery, for claims of “military-grade” technology or “revolutionary” ideas. Count the buzzwords. If you’re not sure, ask me.
Featured image: SNL.