
"Unbreakable" Encryption Almost Certainly Isn't - prajjwal
https://www.schneier.com/blog/archives/2014/04/unbreakable_enc.html
======
danso
> _The researchers, led by Dr. Tomislav Stankovski, created an encryption
> mechanism that can generate a truly unlimited number of keys, which they say
> vastly increases the security of the communication. To do so, they took
> inspiration from the anatomy of the human body._

Maybe this is just a problem of imprecise language and reporting, but when has
the _ability_ to generate an unlimited number of keys ever been the main
problem? I always thought the problem was distributing/maintaining such a
number of keys, and to a lesser extent, generating those keys in a reasonable
amount of time.

Because wasn't "unbreakable" _encryption_ invented a long time ago, and
implemented successfully since? That is, one-time pads, which are
theoretically unbreakable by anyone who is _not_ omniscient? Of course, the
problem of distributing and maintaining such keys gets in the way of popular
implementation...

edit: I'm obviously not suggesting that one-time pads have solved much of
anything...just that, why do researchers brag about creating an infinite
number of keys, or even "unbreakable" encryption, when those don't seem to be
much of a real-world problem...Maybe in this case it's just bad reporting and
translation of researcher-speak. Now, extremely-unfeasible-to-break while
feasible-to-use...that's clearly worth bragging about.

~~~
TeMPOraL
> _I'm obviously not suggesting that one-time pads have solved much of
> anything_

Well, they did. Think about various secret channels between governments, like
the Washington D.C. - Moscow line.

[http://en.wikipedia.org/wiki/One-time_pad#Historical_uses](http://en.wikipedia.org/wiki/One-time_pad#Historical_uses)

~~~
dghf
I read a novel _by_ a former SAS soldier _about_ a former SAS soldier who's
sent on deniable operations by the British government, and who uses what is
clearly a one-time pad to communicate with his handlers. The detailed
description of the precise method used, the fact that the term "one-time pad"
is never used, and the narrator's apparent lack of understanding of how
exactly it works (encryption/decryption is done via modulo-10
addition/subtraction, which the narrator derisively refers to as "spook
maths") suggest that the author himself, or a contact of his in the same
circles, has used a very similar system for real.

------
pnathan
It's always kind of cute to see ridiculous headlines roll through.

Taking a look at the paper and a stream of thought about it.

\- Researchers are affiliated with a university _they aren't kooks_

\- These are physicists. They speak a different language. That will make
decoding this paper difficult. It may have useful insight, but it is obscured
by the jargon of a different discipline. Typically I haven't seen continuous
diffeq in crypto. >.>

\- Essentially I believe this is a two-directional stream cipher, with prior
clear?crypt?text from both sides feeding into the input.

\- I'm not sure what unbounded precisely is being meant here with their
coupling function.

\- Almost zero crypto papers cited (I counted two, and they sounded fringe-y
by title and were also published in physics journals).

Several key aspects have been neglected by the authors:

\- Lack of citation of the current state of crypto- they betray nearly no
understanding of the terminology of crypto nor present the contribution to the
field in relation to the field.

\- No analysis of the information-theoretic leakage of the communication
system.

\- No analysis of keyspaces, expected break time for chosen|known ciphertext,
etc.

My take on it is that it's a well-intentioned but largely useless paper by
non-experts. If they took the time to understand the field, it might have some
valuable insights.

I would _guess_ the coupling function as an idea results in a system design
that leaks information like a sieve about both Alice and Bob. It _might_ be a
restatement of something like switching keys periodically, but I lack the
vocab to interpret.

~~~
rcxdude
I think by unbounded they meant 'you can stick any number of arbitrarily
complicated functions here'. I'm not sure whether this is any different in
practice from just upping the key size on a cipher (since any implementation
will be limited by at least memory used to represent the functions).

------
LukeWalsh
There's only one "unbreakable" encryption, and that's a pair of one time pads
with truly random data as long as the message itself.

[http://www.pro-technix.com/information/crypto/pages/vernam_base.html](http://www.pro-technix.com/information/crypto/pages/vernam_base.html)

~~~
andrewla
While this may seem like a tempting statement, it is not really an answer,
since "unbreakable" is not really well-defined. Clearly, "truly random" is a
bit of a tough one to define. And sending the message length is a bit of an
information leak itself. But even putting those aside, there's a bigger flaw.

The biggest problem in this mechanism is how does the other party get their
one-time pad? An upper bound on the unbreakableness of the entire scheme is
the unbreakability of transmitting a one-time pad; and if you can do that,
then why not just send the actual message via that mechanism?

~~~
voidlogic
You give each party a briefcase full of 4 TB hard drives full of random
numbers generated from a USB attached atomic decay device.

Now for 1,2,10 years depending on your rate of communication you can
communicate using the one time pad.

>why not just send the actual message via that mechanism?

The point is you only have to exchange pads periodically, not every time you
communicate.

~~~
andrewla
I mean, what you're saying here is that in addition to one-time-pad based
cryptography, there is a "give a briefcase to the person"-based cryptographic
system. In reality, I think a lot more briefcase-based transfers are "cracked",
as it were, than SSL sessions.

My problem is just that the proposed mechanism relies on already having an
even more perfect mechanism, and thus cannot be the "only one", but is in fact
strictly weaker than this other mechanism. So we have a contradiction, and we
can get rid of the notion that there exists such a thing as an "unbreakable"
system (or, alternatively, that it is a useful concept)

~~~
voidlogic
No, this is a briefcase full of one time pad. If you could fit 32 4 TB hard
drives full of pad in the briefcase that would allow you to send 128 TB in
the future securely using something like an XOR one time pad. Assuming you are
just sending ASCII and compress it before sending/XORing you could send a lot
more than 128 TB of ASCII.

This is pretty powerful. It means that organizations which can periodically
move physical assets securely can send information in a manner that is secure
even if quantum computers reach their full potential.
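Both the modulo-10 hand cipher dghf describes earlier in the thread ("spook maths") and the XOR pad in a briefcase voidlogic describes here come down to the same bookkeeping: a pad of random digits or bytes at least as long as the traffic, each position used exactly once. The Python below is an added example written for this thread, not code from the page or from any product it mentions. It shows both variants side by side: the two-digit letter table, the pad sizes, the pad-offset header and the sample messages are constructed for illustration, the `PadStore` class refuses to reuse or wrap around pad bytes, and `two_time_pad_leak` shows what an eavesdropper gets for free when two messages share pad bytes.

```python
"""One-time pad, two variants: the modulo-10 hand cipher and a byte-wise XOR
pad drawn from a store that never hands out the same bytes twice.
Added example for this discussion; not code from the page or any cited project."""
import secrets

# --- Variant 1: digit one-time pad, modulo-10 addition without carry ----------
# Letters are first turned into digits. This two-digit table is a constructed
# stand-in for the straddling checkerboards used by real hand systems.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "

def text_to_digits(text: str) -> str:
    return "".join(f"{LETTERS.index(ch):02d}" for ch in text.upper())

def digits_to_text(digits: str) -> str:
    return "".join(LETTERS[int(digits[i:i + 2])] for i in range(0, len(digits), 2))

def digit_pad(n: int) -> str:
    """n random decimal digits from the OS CSPRNG (a real pad needs a true RNG)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))

def mod10_encrypt(plain_digits: str, pad: str) -> str:
    if len(pad) < len(plain_digits):
        raise ValueError("pad shorter than message")
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(plain_digits, pad))

def mod10_decrypt(cipher_digits: str, pad: str) -> str:
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher_digits, pad))

# --- Variant 2: XOR pad with consumption bookkeeping ---------------------------
class PadStore:
    """Pad bytes are consumed front to back and never reused; when the pad is
    gone the only correct behaviour is to refuse and wait for a new briefcase."""
    def __init__(self, pad: bytes):
        self._pad = pad
        self.offset = 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: exchange a new pad before sending")
        chunk = self._pad[self.offset:self.offset + n]
        self.offset += n
        return chunk

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(store: PadStore, plaintext: bytes) -> tuple:
    """Returns (pad offset used, ciphertext). The offset travels in clear so the
    receiver consumes the same pad bytes; it reveals nothing about the plaintext."""
    offset = store.offset
    key = store.take(len(plaintext))
    return offset, xor_bytes(plaintext, key)

def otp_decrypt(pad: bytes, offset: int, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad[offset:offset + len(ciphertext)])

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same pad bytes, c1 XOR c2 == p1 XOR p2:
    the pad cancels and the attacker learns the XOR of the two plaintexts."""
    return xor_bytes(c1, c2)

def demo() -> dict:
    # Hand cipher round trip.
    pd = text_to_digits("ATTACK AT DAWN")
    k = digit_pad(len(pd))
    hand_ok = digits_to_text(mod10_decrypt(mod10_encrypt(pd, k), k)) == "ATTACK AT DAWN"

    # XOR pad round trip; 64 bytes stand in for the 4 TB drive.
    pad = secrets.token_bytes(64)
    sender = PadStore(pad)
    off1, c1 = otp_encrypt(sender, b"meet at noon")
    off2, c2 = otp_encrypt(sender, b"bring cash!!")
    xor_ok = (otp_decrypt(pad, off1, c1) == b"meet at noon"
              and otp_decrypt(pad, off2, c2) == b"bring cash!!"
              and off2 == off1 + 12)

    # Misuse: two messages under the SAME pad bytes (what PadStore prevents).
    reused = pad[:12]
    leak = two_time_pad_leak(xor_bytes(b"meet at noon", reused),
                             xor_bytes(b"bring cash!!", reused))
    leak_is_p1_xor_p2 = leak == xor_bytes(b"meet at noon", b"bring cash!!")

    # Exhaustion is refused rather than silently wrapping around.
    try:
        sender.take(100)
        exhausted_refused = False
    except RuntimeError:
        exhausted_refused = True
    return {"hand_ok": hand_ok, "xor_ok": xor_ok,
            "leak_is_p1_xor_p2": leak_is_p1_xor_p2,
            "exhausted_refused": exhausted_refused}

if __name__ == "__main__":
    print(demo())
```

The unconditional refusal in `PadStore.take` is the whole point of the briefcase model: a pad that wraps around or is reused is no longer a one-time pad, and the `two_time_pad_leak` line shows why, since the attacker's `c1 XOR c2` no longer depends on the pad at all.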

~~~
_kst_
Was "128 GB" a typo for "128 TB"?

Incidentally, the mechanism for sharing the pad doesn't have to be 100%
secure, as long as you can reliably _detect_ any compromises. If someone opens
the briefcase while it's in transit, you just generate new pads and send
another briefcase. To compromise the system, an adversary has to compromise
the pad in transit _without being detected_.

------
bo1024
Theoretical cryptographers -- those who come up with new encryption schemes
like the classics we rely on, e.g. RSA and DH -- will take the following
perspective:

 _Every encryption scheme is based on the assumption "X is not solvable in
polynomial time", for some problem X. Don't start by wasting time with details
of the scheme. Start by telling me X._

Common examples of X are factoring and discrete log. More exotic ones include
e.g. [1], the types of assumptions underlying fully homomorphic encryption. In
the case of this bio paper, cryptographers won't care unless the authors can
succinctly describe:

1\. The computational problem that needs to be solved to break their scheme.

2\. The relationship of this computational problem to well-known ones (can it
be reduced to factoring? To computing some difficult integral?).

3\. Evidence to suggest this problem is difficult (can factoring be reduced to
it? Or some other hard problem?).

[1] [http://en.wikipedia.org/wiki/Lattice-based_cryptography](http://en.wikipedia.org/wiki/Lattice-based_cryptography)

------
hawkharris
I love these two lines from Schneier's earlier article, the one he links to at
the end:

"The 'best cryptographers around' break a lot of ciphers. The academic
literature is littered with the carcasses of ciphers broken by their
analyses."

~~~
a1a
Indeed. Related advice, also from Schneier: "Anyone, from the most clueless
amateur to the best cryptographer, can create an algorithm that he himself
can't break. It's not even hard."

------
EGreg
Although one-time pads are indeed unbreakable in a mathematical sense, in the
real world everything is theoretically decipherable, in the end, using rubber-
hose cryptanalysis and good timing.

[http://xkcd.com/538/](http://xkcd.com/538/)

Possible defenses against rubber hose cryptanalysis on your one time pads
include:

Perfect forward secrecy and plausible deniability

Hidden hard drives within hard drives within hard drives
[http://www.truecrypt.org/](http://www.truecrypt.org/)

Being dead [http://www.cracked.com/article_20110_5-secret-languages-that-stuck-it-to-man.html](http://www.cracked.com/article_20110_5-secret-languages-that-stuck-it-to-man.html)

Quantum mechanics
[http://en.m.wikipedia.org/wiki/Quantum_key_distribution](http://en.m.wikipedia.org/wiki/Quantum_key_distribution)

------
a1a
"Truly unlimited number of keys"

What data type would you use to store such a key? My guess is that it wouldn't
be much bigger than 2048 bits after being implemented. Besides, key length is
a terrible metric for measuring security.

~~~
rcxdude
It could be bigger. The 'keys' are just arbitrary systems of equations, this is
where 'unbounded keyspace' comes from. Any implementation would wind up being
bounded by some practical constraint.

Whether this is any improvement on existing ciphers (which you can also design
to have any size key you desire), is less clear, but I would bet on 'no'.

------
BrandonMarc
This axiom of Schneier's (I think it's his) can't be repeated often enough:

 _anyone can create a cryptosystem that he himself cannot break_

It's amazing how many times a lack of knowing this axiom becomes a problem /
surprise.

------
infruset
In the referenced article ([https://www.schneier.com/crypto-gram-9810.html#cipherdesign](https://www.schneier.com/crypto-gram-9810.html#cipherdesign)), he says:

> Algorithms posted to Internet newsgroups by unknowns won't get a second
> glance.

It seems to me this would not be true of Bitcoin.

~~~
hueving
Bitcoin isn't a new crypto algorithm. It's a distributed ledger algorithm that
uses well known crypto protocols. It didn't invent its own magical hashing
algorithm or anything of the sort.

------
BrownBuffalo
If anything is shown from BitCoin - specialized hardware/application to solve
encryption problems, it's just a matter of specific application and time with
any level of encryption.

------
ssdfsdf
Seems like quite a good idea to me.

