Bitcoin Forum
Author Topic: The next step in going against "conventional wisdom" - Create your own Crypto!  (Read 1688 times)
CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 06:29:25 PM
Last edit: January 03, 2015, 03:41:23 AM by CIYAM
#1

I created a topic about "brainwallets" that some of you might have followed (https://bitcointalk.org/index.php?topic=885616.0) where I challenged the idea that "no-one can create a secure brainwallet".

I pointed out my own brainwallet address with 1 BTC (https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L) and it still has that 1 BTC there (so those wanting to show that you can't create a good brainwallet are not doing a good job in that they seemingly are unable to sweep that 1 BTC and it has been there for a long time - and as I took out 9 BTC previously the public key is available also).

My next challenge to conventional thinking is with crypto itself. We are constantly told *don't roll your own crypto* and for sure just like *don't create a brainwallet* it is not something that *anyone can do* but I think that those who are smart enough to create a brainwallet should also be thinking about exercising their skills at creating crypto (if they are keen to work out how to do so).

Why?

Because maybe you shouldn't trust anyone else to create it for you.

Everyone here should be well aware that any publicly created crypto could likely have been influenced by the NSA or other groups (as has already been exposed by Wikileaks and others).

So I prefer that we discuss ways of creating new crypto rather than saying "we can't discuss that as we are not qualified". As that is the easiest argument to force everyone to use unsafe software (i.e. don't think for yourself just use what *we say you should use*).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Flashman
Hero Member
Activity: 518
Merit: 500
Hodl!
January 01, 2015, 06:46:53 PM
#2

The biggest reason why not is because you yourself are blind to the ways in which you are incompetent.

You don't know what you don't know.

TL;DR See Spot run. Run Spot run. .... .... Freelance interweb comedian, for teh lulz >>> 1MqAAR4XkJWfDt367hVTv5SstPZ54Fwse6

Bitcoin Custodian: Keeping BTC away from weak heads since Feb '13, adopter of homeless bitcoins.
CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 06:52:26 PM
#3

So let's start with a very simple but important thing - the "one time pad".

It is actually the best method of encryption in existence as it only relies upon the two sides having a shared secret at one point in time.

Before asymmetrical crypto was implemented the issue was "how to exchange keys" but of course that is now much easier using DSA technology. There are still, however, some problems with trusting the keys that are used that could only be solved by offline (or direct) communication.

But assuming we are happy that we have solved the issue of exchanging a key (whether via GPG or an in person meeting) then we can start to build a secure method to exchange messages without needing to use any 3rd party software.

CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 06:53:22 PM
Last edit: January 01, 2015, 07:09:25 PM by CIYAM
#4

Quote
The biggest reason why not is because you yourself are blind to the ways in which you are incompetent.

A good point - as stated - this topic is not intended for those without the necessary skills (the question I am raising is exactly how much skill is required).

Many have tried to point out that I should be incompetent to create a brainwallet - yet my brainwallet stands (and anyone with any brains knows that there are bots working 24x7 to crack brainwallets).

So I accept your criticism but also just point out that I am somehow able to beat the odds (do you think that is just luck - especially after I've published my address for months?).

Flashman
Hero Member
Activity: 518
Merit: 500
Hodl!
January 01, 2015, 07:11:33 PM
#5

Points from the Cypherpunks FAQ ...

Quote
2.4.19. "I Have a New Idea for a Cipher---Should I Discuss it Here?"
  - Please don't. Ciphers require careful analysis, and should
     be in paper form (that is, presented in a detailed paper,
     with the necessary references to show that due diligence
     was done, the equations, tables, etc. The Net is a poor
     substitute.
  - Also, breaking a randomly presented cipher is by no means
     trivial, even if the cipher is eventually shown to be weak.
     Most people don't have the inclination to try to break a
     cipher unless there's some incentive, such as fame or money
     involved.
  - And new ciphers are notoriously hard to design. Experts are
     the best folks to do this. With all the stuff waiting to be
     done (described here), working on a new cipher is probably
     the least effective thing an amateur can do. (If you are
     not an amateur, and have broken other people's ciphers
     before, then you know who you are, and these comments don't
     apply. But I'll guess that fewer than a handful of folks on
     this list have the necessary background to do cipher
     design.)
  - There are a vast number of ciphers and systems, nearly all
     of no lasting significance. Untested, undocumented, unused-
     -and probably unworthy of any real attention. Don't add to
     the noise.

edit: also ...

Quote
2.4.25. "Ask Emily Post Crypt"
  + my variation on "Ask Emily Postnews"
    - for those that don't know, a scathing critique of
       clueless postings
  + "I just invented a new cipher. Here's a sample. Bet you
     can't break it!"
    - By all means post your encrypted junk. We who have
       nothing better to do with our time than respond will be
       more than happy to spend hours running your stuff through
       our codebreaking Crays!
    - Be sure to include a sample of encrypted text, to make
       yourself appear even more clueless.
  + "I have a cypher I just invented...where should I post it?"
    + "One of the very most basic errors of making ciphers is
       simply to add
      - layer upon layer of obfuscation and make a cipher which
         is nice and
      - "complex".  Read Knuth on making random number
         generators for the
      - folly in this kind of approach.  " <Eric Hughes, 4-17-
         94, Cypherpunks>
    + "Ciphers carry the presumption of guilt, not innocence.
       Ciphers
      - designed by amateurs invariably fail under scrutiny by
         experts.  This
      - sociological fact (well borne out) is where the
         presumption of
      - insecurity arises.  This is not ignorance, to assume
         that this will
      - change.  The burden of proof is on the claimer of
         security, not upon
      - the codebreaker.  <Eric Hughes, 4-17-94, Cypherpunks>

CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 07:13:15 PM
#6

Quote
Points from the Cypherpunks FAQ ...

Good points - I am not inventing a new type of cypher.

The idea of a OTP is at least hundreds of years old.

The only idea I would ask anyone to accept is that "secure hashes are secure" (as many other crypto algos work upon that assumption I don't think I have violated any sacrosanct idea).

If SHA256 is not secure then Bitcoin should have already been destroyed (and that is the OTP method that I use).

CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 07:22:12 PM
Last edit: January 01, 2015, 07:34:53 PM by CIYAM
#7

I think you have mistaken me for someone naively creating a "new crypto algo".

I am not doing that at all (SHA256 is actually used by Linux systems for /var/random when physical random data is not available - so unless you are going to suggest that the Linux kernel devs are idiots then perhaps you can stop comparing me to some newbies).

It is interesting how the "arrogance" of the above posts (you referenced) came about - if I were the NSA and I wanted to stop anyone questioning about crypto that is exactly the approach I think I'd use also.

Perhaps the cypherfunks were too naive themselves - they got infiltrated by NSA and didn't even realise it - so next thing they are recommending everyone in the world to not think and just do what they are told with the banner "trust us". Cheesy

If I were a cypherfunk then I think I would be *ashamed* to be so quiet.

CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 01, 2015, 07:51:51 PM
#8

Personally I think it would be really strange that true cypherfunks would be so averse to helping people who are trying to work out how to play with encryption.

If they really are so arrogant then it is clear why they have lost to the NSA and other such organisations.

Flashman
Hero Member
Activity: 518
Merit: 500
Hodl!
January 01, 2015, 08:22:47 PM
#9

It's more a case that naively glomming stuff together can tend to create edge cases and create insecure patterns, one can unknowingly create backdoors and shortcuts. Re-implementing well known algorithms can also have many pitfalls for the unwary.

One can only gain much confidence in one's work if the cypher is under constant attack for a long period and remains secure. Getting that level of real world testing "just for the hell of it" is unlikely.

Basically, you can give yourself a false sense of security behind something with critical weaknesses, just because nobody finds what you're protecting with it interesting or lucrative... then after 5 years of patting yourself on the back you use it for something that MATTERS and bam, fucked over in a weekend.

2112
Legendary
Activity: 2128
Merit: 1068
January 01, 2015, 09:25:09 PM
#10

Quote
cypherfunks
I did not know that insult. Cypherfunk is probably someone partway between cypherpunk and cypherflunk.  Wink

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
bitcreditscc
Hero Member
Activity: 602
Merit: 501
January 01, 2015, 09:44:38 PM
#11

Quote
Personally I think it would be really strange that true cypherfunks would be so averse to helping people who are trying to work out how to play with encryption.

If they really are so arrogant then it is clear why they have lost to the NSA and other such organisations.

+1000

and the "bitcoin is the be all and end all" mentality being forced onto people is not helping.

moni3z
Hero Member
Activity: 899
Merit: 1002
January 01, 2015, 10:30:35 PM
#12

Because it takes PhD-level knowledge and about 10 years directly working at breaking crypto implementations to roll your own crypto libraries. That's basically what people mean by "don't roll your own crypto": it means don't invent libraries, use the already well established and tested ones. For example libsodium is good to use if you want to create an encrypted chat/video program like Tox does.

Colin Percival (FreeBSD developer, owner of Tarsnap) gives a good talk about what you need to know about implementing crypto in w/e software you're doing:
https://www.youtube.com/watch?v=jzY3m5Kv7Y8

For example, cpercival does not use XTS or other block modes for Tarsnap cloud storage and for good reason, because there are all sorts of attacks that can be done to XTS once it is freed from the physical confines of disk geometry.
2112
Legendary
Activity: 2128
Merit: 1068
January 02, 2015, 01:05:19 AM
#13

Quote
don't invent libraries

You have to be really clear whether you are against "reimplementing code" from the libraries or "inventing hokey-pokey algorithms". In particular SSLeay/OpenSSL is a swiss-army-harvester-combine-cum-crutch that is a culprit of many bugs and inconsistencies in many, many codebases. It is not uncommon for undergrad-student-level exercise projects to beat the efficiency of the supposedly well optimized code from the well-known cryptographic libraries, both open source and for-pay source.

In particular rewriting conventional crypto implementations to properly take advantage of the SIMD instructions that are now available in nearly every processor gives great payoffs in terms of power efficiency and resistance to various attacks.

One thing is the PhD-level knowledge of relevant mathematics/algebra and the other thing is simple patience and careful craftsmanship required to write clear and neat code. There's lots of source code available out there that for the expedience of portability and meeting some very narrow benchmarking goals has completely forsaken readability and maintainability.

Foxpup
Legendary
Activity: 4354
Merit: 3044
Vile Vixen and Miss Bitcointalk 2021-2023
January 02, 2015, 01:37:10 AM
#14

So, how many of these "NSA" algorithms have you personally broken? That's not an unfair question: remember Schneier's Law: "Anyone can create an algorithm that he himself can't break." And your inability to break your own algorithm means nothing if you are unable to break any other algorithms. Nobody will take your cryptography seriously unless you have a lot of experience in breaking other people's algorithms, and rightly so.

Bruce Schneier provides a self-study course in cryptanalysis. Start here and don't even dream of rolling your own crypto until you've broken most of the algorithms in that paper. And no cheating.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
darkota
Hero Member
Activity: 770
Merit: 500
January 02, 2015, 01:50:40 AM
#15

Quote
I created a topic about "brainwallets" that some of you might have followed (https://bitcointalk.org/index.php?topic=885616.0) where I challenged the idea that "no-one can create a secure brainwallet".

I pointed out my own brainwallet address with 1 BTC (https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L) and it still has that 1 BTC there (so those wanting to show that you can't create a good brainwallet are not doing a good job in that they seemingly are unable to sweep that 1 BTC and it has been there for a long time - and as I took out 9 BTC previously the public key is available also).

My next challenge to conventional thinking is with crypto itself. We are constantly told *don't roll your own crypto* and for sure just like *don't create a brainwallet* it is not something that *anyone can do* but I think that those who are smart enough to create a brainwallet should also be thinking about exercising their skills at creating crypto (if they are keen to work out how to do so).

Why?

Because you simply can't trust anyone else to create it for you.

Everyone here should be well aware that any publicly created crypto has been more than likely influenced by the NSA or other groups (as has already been exposed by Wikileaks and others).

So I prefer that we discuss ways of creating new crypto rather than saying "we can't discuss that as we are not qualified". As that is the easiest argument to force everyone to use unsafe software (i.e. don't think for yourself just use what *we say you should use*).

I don't quite understand the paranoid behavior so many of you here display at the NSA. The NSA is not an omnipotent all-knowing being, it's simply an organization for America's security.

The NSA more likely than not has had hardly any influence on crypto. If they did, then Bitcoin would not have reached where it has today. All the scams and thefts that have rocketed cryptocoins the past year(s) were created mostly by people we know the identities of. The guy who scammed people with his ponzi for millions of Bitcoin was arrested. Charlie Shrem was arrested. The guy who scammed the Mintpal users, we know what he looks like, etc etc.

If you actually look at the facts and details, you'd find that most of the big scams going on or that have happened in crypto are not secretive, the identities of the scammers are known, it's just catching them/putting them in jail that awaits.

So please, stop with your damn paranoia. It's annoying.
CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 02, 2015, 03:36:55 AM
Last edit: January 02, 2015, 05:11:25 AM by CIYAM
#16

Interesting - not a single question about any algo I have (supposedly) written but instead a lot of lecturing (funny how people are so happy to tell you not to write any code rather than review any code you have written).

For all you armchair critics know I have simply put a standard OpenSSL call in a function wrapper!

Smiley

As for the NSA it is not paranoia but actual known issues made public by Wikileaks that I am referring to.

CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 02, 2015, 03:49:32 AM
#17

Quote
cypherfunks
I did not know that insult. Cypherfunk is probably someone partway between cypherpunk and cypherflunk.  Wink

"If you don't like what you see here - get the funk out."

(Extreme II)

Cheesy

bitcreditscc
Hero Member
Activity: 602
Merit: 501
January 02, 2015, 05:08:46 AM
#18

Quote
I created a topic about "brainwallets" that some of you might have followed (https://bitcointalk.org/index.php?topic=885616.0) where I challenged the idea that "no-one can create a secure brainwallet".

I pointed out my own brainwallet address with 1 BTC (https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L) and it still has that 1 BTC there (so those wanting to show that you can't create a good brainwallet are not doing a good job in that they seemingly are unable to sweep that 1 BTC and it has been there for a long time - and as I took out 9 BTC previously the public key is available also).

My next challenge to conventional thinking is with crypto itself. We are constantly told *don't roll your own crypto* and for sure just like *don't create a brainwallet* it is not something that *anyone can do* but I think that those who are smart enough to create a brainwallet should also be thinking about exercising their skills at creating crypto (if they are keen to work out how to do so).

Why?

Because you simply can't trust anyone else to create it for you.

Everyone here should be well aware that any publicly created crypto has been more than likely influenced by the NSA or other groups (as has already been exposed by Wikileaks and others).

So I prefer that we discuss ways of creating new crypto rather than saying "we can't discuss that as we are not qualified". As that is the easiest argument to force everyone to use unsafe software (i.e. don't think for yourself just use what *we say you should use*).

I don't quite understand the paranoid behavior so many of you here display at the NSA. The NSA is not an omnipotent all-knowing being, it's simply an organization for America's security.

The NSA more likely than not has had hardly any influence on crypto. If they did, then Bitcoin would not have reached where it has today. All the scams and thefts that have rocketed cryptocoins the past year(s) were created mostly by people we know the identities of. The guy who scammed people with his ponzi for millions of Bitcoin was arrested. Charlie Shrem was arrested. The guy who scammed the Mintpal users, we know what he looks like, etc etc.

If you actually look at the facts and details, you'd find that most of the big scams going on or that have happened in crypto are not secretive, the identities of the scammers are known, it's just catching them/putting them in jail that awaits.

So please, stop with your damn paranoia. It's annoying.

That alone says a lot about your understanding of current affairs.

What the NSA is, is an enemy to privacy, and not just them, most intelligence agencies are. They've had more influence on crypto than bitcoin has had on the world. Put that comparison to thought if you want to understand "the paranoid behavior".

Vessko
Full Member
Activity: 139
Merit: 100
January 02, 2015, 11:04:42 AM
#19

Quote
Because maybe you shouldn't trust anyone else to create it for you.

Maybe because you are an ignoramus without a clue? Wink

Quote
Everyone here should be well aware that any publicly created crypto has been more than likely influenced by the NSA or other groups (as has already been exposed by Wikileaks and others).

False. Wrong generalization using the word "any". Demonstrate to me how Blowfish has been influenced by the NSA.

Quote
So I prefer that we discuss ways of creating new crypto

Certainly. Go ahead and discuss. Maybe you'll learn something. Just don't ask others to rely on any cyphers you have created.

Quote
rather than saying "we can't discuss that as we are not qualified".

Some of us are more qualified than others. Many of us are more qualified than you. But there is nothing wrong in discussing things.

Quote
So let's start with a very simple but important thing - the "one time pad".

OK. Let's. As you undoubtedly know, it is unbreakable in theory. Explain to us why it is totally unusable in practice. Emphasize the various possible protocol pitfalls. Describe the key exchange problem.

Quote
It is actually the best method of encryption in existence

No, it is not. It is actually one of the worst encryption methods in existence. It is just the most resistant one to cryptanalysis.

Quote
it only relies upon the two sides having a shared secret at one point in time.

Wrong. It relies on the two sides having a key as long as the total length of their communication (over all the time they will be communicating), which key is totally, unpredictably, physically random. How would the sides know beforehand how long their communication would be? And, if they don't, how would they exchange a key with such a length? And, if they can do that in a secure way, why not exchange the message itself?

Some practical implementations have involved giving special "pads" (notebooks) with the key to the soldiers during WWII, although I have no information regarding how the key was created. A more contemporary example involves generating the keys from the noise of radioactive decay (the closest thing to random we have in nature), recording it on CD-ROMs and delivering them to the embassies with diplomatic mail. Of course, this relies on the key not being intercepted and on it being indeed random, which we cannot theoretically guarantee.

Quote
But assuming we are happy that we have solved the issue of exchanging a key (whether via GPG or an in person meeting) then we can start to build a secure method to exchange messages without needing to use any 3rd party software.

At this point you have already trusted 3rd-party software to generate the keys and perform key exchange. Why not also trust it with the encryption? And, if it is untrustworthy to begin with, your communication is already compromised (the attacker has the key), no matter what software you use for encryption.

Quote
Many have tried to point out that I should be incompetent to create a brainwallet

From what you have demonstrated so far, your incompetence in cryptology is orders of magnitude larger.

Quote
If SHA256 is not secure then Bitcoin should have already been destroyed

Wrong conclusion. Revealing that SHA-256 is not secure might cost more than one is able to gain by "breaking" Bitcoin.

Quote
(and that is the OTP method that I use)

You use SHA-256 to generate the key and call this a "one time pad"? Either I did not understand what you wrote, or you are a complete moron.

Quote
SHA256 is actually used by Linux systems for /var/random when physical random data is not available - so unless you are going to suggest that the Linux kernel devs are idiots then perhaps you can stop comparing me to some newbies

/var/random is not mathematically random. The output is hashed in an attempt to increase randomness - because this is the best we can do. The result is still not theoretically random - we just hope that it is random enough.

Quote
if I were the NSA and I wanted to stop anyone questioning about crypto that is exactly the approach I think I'd use also

Nobody is stopping anyone from "questioning about crypto". We are just trying to stop ignorant morons from making idiotic statements about crypto that we would have to waste time debunking, like I am doing right now. If you want to learn and have legitimate questions - ask away. If you are going to bombard us with silly ideas and conspiracy theories exposing your ignorance - fuck off.

Quote
Perhaps the cypherfunks were too naive themselves - they got infiltrated by NSA and didn't even realise it

Uh-huh, and you genius were able to figure it out and are in a position to reveal it to the world. /facepalm

Quote
For example, cpercival does not use XTS or other block modes for Tarsnap cloud storage and for good reason, because there are all sorts of attacks that can be done to XTS once it is freed from the physical confines of disk geometry.

Actually, XTS sucks even for physical disks; it is just the best we can do there, since we are limited by the disk geometry. A disk sector of 512 bytes still has to be encrypted into 512 bytes - you don't have additional space for initialization vectors and authentication codes and checksums. (And, no, you can't rely on compression shrinking the size of the stuff you are going to encrypt.)

Quote
The NSA more likely than not, has had hardly if any any influence on crypto.

The NSA has had huge influence on crypto. They took IBM's Lucifer and changed it into DES, in practice strengthening it against an attack that wasn't known to the civilian sector at the time. They have also weakened a random number generator suggested by NIST - this is documented fact. They have also proposed particular elliptic curves suggested by NIST, except that now nobody knows the reason why - was it in order to strengthen or to weaken the encryption?

Quote
Interesting - not a single question about any algo I have (supposedly) written but instead a lot of lecturing

This is because the ignorance you have demonstrated so far in cryptology makes us totally uninterested in your algorithm.

Quote
For all you armchair critics know I have simply put a standard OpenSSL call in a function wrapper!

And you trust OpenSSL exactly why? And how do you know that you haven't introduced any weaknesses in your wrapper?

Quote
As for the NSA it is not paranoia but actual known issues made public by Wikileaks that I am referring to.

OK, explain to us exactly what the NSA did, according to Wikileaks. (Given that you got even the source of the information wrong, I am willing to bet that you don't know what the information is, either, let alone understand its implications.)
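Two of the practical points made in the post above (the pad must cover the total length of all traffic and must never be reused, and a keystream stretched from a short secret with SHA-256 is a stream cipher rather than a pad) as an added Python example; this is not code from the thread or from CIYAM, os.urandom stands in for a physical random source, and the hash-counter keystream is a simplified construction assumed here, not whatever CIYAM's software does.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(n: int) -> bytes:
    """A pad of n unpredictable bytes. os.urandom stands in here for the
    physical random source (radioactive decay, etc.) a real pad would use."""
    return os.urandom(n)


class OneTimePadChannel:
    """One side of a pad-based channel. Every message consumes pad bytes
    exactly once, so the pad has to cover the total traffic in advance;
    when it runs out, nothing more can be sent until a new pad is exchanged."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._used = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used

    def seal(self, message: bytes) -> bytes:
        if len(message) > self.remaining:
            raise ValueError("pad exhausted: a new pad must be exchanged first")
        chunk = self._pad[self._used:self._used + len(message)]
        self._used += len(message)
        return xor_bytes(message, chunk)

    # XOR is its own inverse; the receiver consumes the pad in lockstep.
    open = seal


def pad_reuse_cancels_key(m1: bytes, m2: bytes, pad: bytes) -> bool:
    """Why a pad must never be reused: XOR of two ciphertexts made under the
    same pad equals XOR of the two plaintexts, the pad having dropped out."""
    c1 = xor_bytes(m1, pad)
    c2 = xor_bytes(m2, pad)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


def sha256_keystream(secret: bytes, n: int) -> bytes:
    """Keystream of n bytes stretched from a short secret by hashing it with
    a counter (simplified construction assumed for illustration). Output of
    any length is fully determined by the secret, so this is a stream cipher
    whose security is computational and rests on SHA-256; it is not a pad,
    whose security is information-theoretic."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def demo() -> dict:
    """Run the three points end to end and return the observations."""
    pad = fresh_pad(32)
    alice, bob = OneTimePadChannel(pad), OneTimePadChannel(pad)
    ct = alice.seal(b"meet at noon")
    results = {
        "roundtrip_ok": bob.open(ct) == b"meet at noon",
        "pad_left_after_12_bytes": alice.remaining,
        "reuse_leaks_xor_of_plaintexts": pad_reuse_cancels_key(
            b"hello", b"world", fresh_pad(5)),
        "hash_stream_is_deterministic": (
            sha256_keystream(b"secret", 100) == sha256_keystream(b"secret", 100)),
    }
    try:
        alice.seal(b"x" * 21)  # 21 > 20 remaining: pad exhausted
        results["exhaustion_detected"] = False
    except ValueError:
        results["exhaustion_detected"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```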
CIYAM (OP)
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
January 02, 2015, 11:07:53 AM
#20

Quote
Maybe because you are an ignoramus without a clue? Wink

If you really want someone to actually read a very long reply (which presumably you must have wasted quite a bit of time typing) then next time I'd suggest not starting it with that. Wink
