
If your cipher were secure, this image wouldn't have repeating patterns (2015) - EthanHeilman
https://mailarchive.ietf.org/arch/msg/cfrg/e-jEGddvSbManBMppC8XAc5i8GY/
======
jascii
Thanks for that rabbit hole!

See also:
[https://github.com/mmcc1/crystalline](https://github.com/mmcc1/crystalline)
[http://maldr0id.blogspot.com/2015/05/crystalline-cipher-and-...](http://maldr0id.blogspot.com/2015/05/crystalline-cipher-and-cryptography.html)

The author's inability to take any criticism is stunning; sometimes I wonder
if a fragile ego isn't one of the greatest barriers to cyber security.

~~~
jiggawatts
The author reminds me of some religious people I've had debates with in the
past. They would make some fundamentally flawed argument, get shot down, and so
they would move on to other arguments, which is not great but valid. But then,
later, I'd see them making the _exact same argument_ to someone else.

To people like this, arguing is like punching. If you punch someone and they
get up, they're a "tough opponent". That doesn't mean that punching is
ineffective on other people. They just _don't understand_ at their core that
once an argument is shown to be false, it can _never_ be reused. Their mind
just doesn't work this way. They think "Well, left-hook didn't work on _this_
guy, but maybe it'll work on _that_ guy" or "This guy didn't fall for this
argument, but maybe that guy will."

It's deeply dishonest, but I'm not convinced they're even aware of this.

So, just from a cursory look at his code, the glaring problems I see are:

1) It'll crash if you feed it more than 256MB because of the way the C#
BitArray class works. He's also using 32-bit ints in several places that have
similar issues. These are implementation details, but it just goes to show how
thoughtless the "reference implementation" is.

2) Similarly, the reference implementation copies the entire data into the
BitArray (and then back into a byte array) for each "round". This is
_spectacularly_ inefficient. He never mentions throughput in terms of MB/s/GHz
or any such thing. I wonder why...

3) It's not a stream cipher. You need to encrypt the entire file. Again, he
could come up with some sort of streaming version by feeding in the last few
KB of the previous encrypted chunk into the next chunk, but he hasn't. As the
long history of various streaming ciphers has shown, this is actually a hard
problem to solve efficiently _and_ securely. This is why AES-GCM is the hot
new thing: it's both.

4) If _either_ the key or salt values are all 0s then the encryption does
_nothing_. AES for comparison will still encrypt your data with _some_ level
of security even if the IV initialisation is not perfectly random or skipped.

5) He's calculating the offsets as an "int" from a byte multiplied by a byte.
Hence the maximum shift is 65536 positions. This is just big enough to exceed
L1 data cache on most platforms, but have a high hit ratio. Whether you hit
the L1 cache or not depends on the Key & IV values, so this is a recipe for
timing-based side-channel attacks. Constant-time ciphers are basically
mandatory these days...

6) Related to the above: The bit shifts are only in an 8KB window, but the
byte shifts are in a 64KB window. I wonder if there's some interaction here
where this might make some keys insecure.

7) Despite this windowing, the default "protocol" wraps around the end of the
file to the beginning using modulo data.Length, so it can't be used as a
streaming cipher. To do so, he'd have to introduce a breaking change.

8) The encryption is defined in terms of bit-by-bit and byte-by-byte
_long-range_ operations, so there's basically no hope of ever making this
efficient. E.g.: with SIMD or similar many-bytes-at-a-time instruction sets.
The "state" that would have to be kept in CPU registers is over 64KB, so this
is just never, ever, _EVER_ going to compete with something like AES-NI.

I could go on, but I'm wasting my time. This is wasting _everyone's_ time.

The author clearly has no interest in producing something that is secure and
usable. He's just enjoying the arguments. He's even posted some of the
feedback on his GitHub, _proudly showing off_ the debates he's felt he's won.

Don't feed this troll.

~~~
yellowstuff
> It's deeply dishonest, but I'm not convinced they're even aware of this.

I suspect you might be confusing a mistake for a conflict, as described here:
[https://slatestarcodex.com/2018/01/24/conflict-vs-mistake/](https://slatestarcodex.com/2018/01/24/conflict-vs-mistake/)

You quite naturally see a discussion of a cipher as an attempt to find the
truth, and it barely registers for you that it might not be. They probably see
a discussion of _their_ cipher as an attempt to persuade, so they use the most
effective argument they can think of at a given time, and it barely registers
for them that the discussion could be an unbiased attempt to find the truth.

~~~
jiggawatts
That's an interesting article, but I think it's oversimplifying things, which
I suppose makes me a Mistake Theorist. 8)

I prefer to think of people's traits not in simple binary terms, but more in
terms of high-dimensional attributes. Think: word2vec.

In practice, I find that people are messy. They have their own interests, and
hence there's conflict, but they're also lazy, hence the mistakes. There's
plenty of room for several kinds of suboptimal behaviour in their squishy meat
brains.

Sometimes I feel like I'm The Man From Earth, watching this craziness unfold
from the outside.

PS: Watch it, it's a good movie.

------
tialaramex
Earlier today I was watching a YouTube video somebody referenced in my social
media feed about Fake Martial Arts.

Mostly these aren't just heavily stylised exercises that have limited
practical value as fighting styles, they're woo like energy blasts or psychic
power that can't work at all. Practitioners wave their hands or say magic
words and seemingly defeat groups of skilled foes. Except it's bullshit.

The video includes some unpleasant though relatively brief excerpts showing
what happens when a practitioner of such a fake won't back down and fights
someone who knows what they're doing. They generally seem initially very
confident and then within seconds they're on the ground just trying to keep
from getting further hurt. That they'd show up and fight rather than make thin
excuses and vanish suggests these people are delusional rather than (or as
well as) crooks.

Fighting and cryptography are both disciplines where it isn't just a matter of
opinion whether you're right.

~~~
camjohnson26
[https://www.youtube.com/watch?v=gjbSCEhmjJA](https://www.youtube.com/watch?v=gjbSCEhmjJA)

------
kazinator
Dyed-in-the-wool kook/crank.

[http://web.mst.edu/%7Elmhall/WhatToDoWhenTrisectorComes.pdf](http://web.mst.edu/%7Elmhall/WhatToDoWhenTrisectorComes.pdf)

~~~
bscphil
Someone points this out in the email chain, as well, linking to Schneier's
famous list of 9 warning signs:
[https://www.schneier.com/crypto-gram/archives/1999/0215.html...](https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil)

I'd add the following three generic warning signs of crackpots, all of which
are on display here.

1. Person doesn't know mailing list etiquette, for example top-posting and
failing to send hard-wrapped plain text messages. Also not understanding the
_purpose_ of a mailing list intended for something else.

2. Person claims that others are rejecting basic principles of
open-mindedness and making trivial errors in reasoning, or that they don't
understand foundational elements of their field. Accusations of rudeness and
threats to professional reputation.

3. Person uses just enough technical jargon to give the impression that they
have some fluency in the relevant field. When corrected, they often seem to
just barely misunderstand the correction, in order to give correspondents the
false hope that they are open to being shown their errors.

Thanks for the Trisector link, it's been a couple years since I've read that
one.

------
irjustin
Reading this reminds me of situations for Anti-vax, religion vs science, red
vs blue, flat earthers vs.... the rest of us?

Whatever their "idea" is, is infallible. Minds cannot be changed with logic or
debate when clearly wrong/false.

A belief is unbreakable if the person holding it wishes it to be so.
Discussing such topics over the internet will never lead to yielding any
ground.

Perhaps at the core of it is the fear of being rejected or wrong. Or that
their world as they know it is crumbling and keeping it together is of the
highest requirement + cost.

I keep hope for these discussions in that people can change. As cheesy as it
is to say, I've only seen people really change when it's with love. That we
reach out the other side and simply love the person first. Daryl Davis is my
hero on this[0].

Unrealistic in a forum about cryptographic schemes, but it hurts for me to
read the circles the author plays himself into.

[0]
[https://en.wikipedia.org/wiki/Daryl_Davis](https://en.wikipedia.org/wiki/Daryl_Davis)

~~~
mkhpalm
Somewhat related rant:

Has anybody ever _really_ debated a "flat earther" let alone found one? As-in
found somebody who actually believed it and wasn't just screwing with you to
get a reaction?

I keep hearing about these people who believe the earth is flat but I've yet
to ever come across anybody who actually believes that.

~~~
AlexandrB
I’m pretty sure I’m related to an honest-to-goodness flat earther. The first
time he brought it up I countered by professing a belief in Last-
Thursdayism[0] as a sort of absurdist ploy to get him arguing for the more
rational position. I think I converted him to Last-Thursdayism instead.

[0]
[https://rationalwiki.org/wiki/Last_Thursdayism](https://rationalwiki.org/wiki/Last_Thursdayism)

~~~
goto11
So you argued for a position you didn't actually believe just to see how he
would counter? I suspect this is what most "flat-earthers" do. I know multiple
people who independently joined a "flat earth" Facebook group for
entertainment purposes. It is just trolls trolling trolls.

------
hyper_reality
The Register have an article about this guy from 12 years before this where he
apparently besieged a mailing list with his plans for a revolutionary
anti-spam system:
[https://www.theregister.co.uk/2003/07/11/weve_found_the_perf...](https://www.theregister.co.uk/2003/07/11/weve_found_the_perfect_solution/)

~~~
henrikschroder
Holy crap what a rabbit hole indeed!

"Thirdly, we deliberately introduced confusion over the systems architecture.
This was not to protect any secrets we had, it was just another tactic in the
controversial marketing tactic."

So it's not that he can't explain how it works, he deliberately introduced
errors in the explanation, which allows him to conveniently claim that people
poking holes in his crap don't actually understand the system, because he
hasn't accurately described the system! Haha! Gotcha! Therefore the system is
perfect!

"I had done it, I was the first in the world to prove, beyond any doubt, that
the pyramids of the Giza Necropolis were, in fact, a scale representation of
the three inner planets."

Wow. Just wow. That took a turn.

Extensive pattern matching is a marker for mental illness, and is no joke.
That explains so much about the author.

------
JohnJamesRambo
I wish HN was almost entirely nerdy out of the way awesome found things like
this.

[https://mailarchive.ietf.org/arch/msg/cfrg/cdeJ91NBT_-yU24Q3...](https://mailarchive.ietf.org/arch/msg/cfrg/cdeJ91NBT_-yU24Q3CnZe5N-SVA/)

That part is one of the best dressing downs I've ever read on the internet.

~~~
DoofusOfDeath
That kind of public dressing-down makes me feel uncomfortable. If I take
pleasure in reading such a thing, I feel ugly afterward.

~~~
enriquto
It's not the first response he received. At the beginning they treated him
respectfully, but the man was obnoxious to the extreme. I had great fun
reading this.

------
seemslegit
Between the github account and theregister article posted in the comments here
it is clear that the person in question is psychologically unwell regardless
of whether he believes his own assertions or acts them out in some
performative capacity. Using it to draw morals about thickness or inability to
address criticism is not very helpful here.

------
iandinwoodie
If anyone wants another rabbit hole, reading through the Open Street Map
Foundation resolution for the indefinite ban of user sorein is a good evening
read:

[https://www.openstreetmap.org/user_blocks/493](https://www.openstreetmap.org/user_blocks/493)

~~~
wolfgang42
Wow, I imagine it takes a lot of work for your ban to get a 49-page PDF report
written about it:

> _In response, Harry Wood of the Communications Working Group tries to
reason with Mr. Acela (Appendix A.3), and Sorin continues his rude replies,
claiming that the redaction process was_ STUPID _and that the community
members [...] are_ terrorists _(Appendix A.4)._

> _[...]_

> _It never came to a Skype session because mediation requires a certain base
level of respect and understanding between the parties._

------
xtacy
It's a funny coincidence that I was just reading this book
([https://toc.cryptobook.us/](https://toc.cryptobook.us/)), Figure 4.5 on book
page 102, that talks about this exact issue.

I doubt the author realises that the system must be resistant against a class
of attacks (in this case, I believe a chosen plaintext attack). From reading
the thread, and comparing it to the example in the book, it seems like the
non-uniform patterns in the output highlight a possibility of a CPA.

And of course, the author wants a fully implemented + concrete attack instead
of pointing to what's an obvious flaw to the crypto community.

~~~
jascii
At some point in the thread the author complains that it isn't fair to point
out the repetitive patterns "because the clear-text is all zeroes and this
would be masked by actual data"

~~~
sidewndr46
So the author tried to encrypt the null byte, repeated thousands of times?
That seems like the most pointless test I could dream up for any processing
algorithm.

Computes all the primes less than 0? Already.

Achieve compression approaching 100% on a string of zeroes? Easy.

Losslessly compress an image with all pixels having opacity of 0? Easy

~~~
henrikschroder
If an all-null message results in a simple/repeating ciphertext, it means that
there exists at least one message whose ciphertext leaks information, and that
in turn means that there are probably more messages like it, and it's also
probable that all messages leak info in varying degrees.

------
praptak
"I'm somewhat disappointed in your reply, as I presumed that someone with a
stated interest in ciphers would be eager to investigate anything new to pop
up that didn't have obvious holes in it."

This is totally, utterly and critically wrong. Ciphers with "no obvious holes"
are a dime a dozen. Nobody is interested in looking at your cipher unless you
both have strong evidence that it beats the existing ones in at least one
area and that you did your homework to check for known weaknesses.

------
misterprime
This might actually be good to include as required reading in first year
computer science courses. It's an excellent example of "how not to conduct
yourself".

~~~
htk
Actually in any science. He was surrounded by knowledgeable people pointing
out the flaws in his work and he didn't learn anything from it. Maybe it's one
form of lunacy.

------
jagged-chisel
I remember similar stuff from the data compression usenet groups years ago. So
if anyone is interested, I have software that’ll compress megabytes,
gigabytes, terabytes of data down to a kilobyte! And it can encrypt your data
so that not even state actors can recover!

Sure, _you_ can’t recover the data, but it’s compressed and encrypted so that
your adversaries also can’t.

~~~
cortesoft
This sounds like my super fast nosql data store, /dev/null

~~~
hinkley
It’s webscale, too.

~~~
cortesoft
Only if you shard it.

~~~
hinkley
That sounds like an excellent PR to submit to the Linux kernel team on April
1.

Round robin load balancing or fewest connections? Maybe a flag for both.

------
cortesoft
It gets so frustrating when people with obviously crazy ideas get upset if you
don't engage with them and tell them why they are wrong. Some ideas are just
so crazy they aren't worth wasting time engaging on them.

------
st_goliath
I've read through some of the mails and the description of the algorithm on
Github.

This gives me some serious Kryptochef vibes.

If you haven't come across that name before: way back when, some guy was
trying to sell his "Vollbitverschlüsselung" (Full-bit-encryption) software
which he touted as the most secure in the world with an utterly bizarre
explanation on how it was supposed to work. I'm not absolutely sure to this
day if it was an elaborate hoax or whether he was actually serious.

The Kryptochef Website (German):

[https://web.archive.org/web/20111011174408/http://kryptochef...](https://web.archive.org/web/20111011174408/http://kryptochef.net/)

English translation with broken page layout:

[https://web.archive.org/web/20111024003746/http://kryptochef...](https://web.archive.org/web/20111024003746/http://kryptochef.net/indexh2e.htm)

------
walrus01
It seems inevitable that every so often some person shows up with zero
math/crypto credentials who claims they've invented a new miracle
cryptosystem. It's always eviscerated by the professionals.

~~~
segfaultbuserr
The problem isn't necessarily having no math/crypto credential, but falsely
believing one has unique insights, while refusing to learn even the basics of a
subject. It's more of an issue in psychology than an issue of knowledge.

------
bitexploder
To be fair you can use AES to produce repeating patterns as well. Just look up
Tux encrypted with any modern block cipher using ECB:
[https://blog.filippo.io/the-ecb-penguin/](https://blog.filippo.io/the-ecb-penguin/)

~~~
jokoon
how do you avoid that?

~~~
bitexploder
Look up “cryptographic right answers” and dig up the threads from HN on it.
Basically, don’t do the crypto yourself (even using with
algorithms/constructs)
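
To make the ECB point above concrete, and the earlier argument that an
all-zero plaintext is a legitimate probe for pattern leakage, here is an added
Go example that is not code from this thread or from the crystalline project.
It encrypts 64 identical all-zero blocks with AES in ECB and in CTR mode and
counts how many distinct ciphertext blocks come out; the key and nonce are
constructed, fixed values chosen only so the run is reproducible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and counter block, fixed so the run is reproducible.
// A real system derives the key from a KDF and never reuses a nonce per key.
var demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
var demoIV = []byte("fedcba9876543210")  // 16-byte initial counter block for CTR

// ecbEncrypt encrypts every 16-byte block independently (ECB mode). Equal
// plaintext blocks give equal ciphertext blocks, which is the leak shown here.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// ctrEncrypt uses the standard library's AES-CTR: each block is XORed with the
// encryption of a distinct counter value, so repeated plaintext no longer
// produces repeated ciphertext.
func ctrEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct, nil
}

// distinctBlocks counts the different 16-byte blocks in ct. A count far below
// len(ct)/16 on structured input is the "repeating pattern" the thread is about.
func distinctBlocks(ct []byte) int {
	seen := make(map[[16]byte]struct{})
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

func main() {
	zeros := make([]byte, 64*16) // 64 identical all-zero blocks, the thread's test input
	ecb, _ := ecbEncrypt(demoKey, zeros)
	ctr, _ := ctrEncrypt(demoKey, demoIV, zeros)
	fmt.Printf("ECB: %d distinct blocks out of %d\n", distinctBlocks(ecb), len(zeros)/16)
	fmt.Printf("CTR: %d distinct blocks out of %d\n", distinctBlocks(ctr), len(zeros)/16)
}
```

In CTR mode the ciphertext of an all-zero message is the keystream itself, and because AES is a permutation, distinct counter blocks are guaranteed to give distinct keystream blocks; ECB collapses all 64 blocks to a single value.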

------
thiswasnorabbit
[http://web.archive.org/web/20060429213545/http://www.gieis.u...](http://web.archive.org/web/20060429213545/http://www.gieis.uni.cc/)

And then just fast forward a bit in time.

------
AdamJacobMuller
Is there a term for someone like this? It's like a reverse imposter syndrome.
Really sad.

~~~
clickok
I believe "crank" suffices, or possibly "poseur".

~~~
Terr_
I think "poseur" is less-suitable, since it implies the person is motivated by
the glamour of the role. Not many people--crank or otherwise--go into
cryptography for the fame.

------
BubRoss
Interestingly these same sorts of visual patterns can be found when generating
samples using poor pseudo random numbers like the C rand() function. When using
the C++ Mersenne Twister algorithm the obvious coherency patterns go away.

~~~
userbinator
That's what the pattern reminded me of too.

More information:
[https://en.wikipedia.org/wiki/Spectral_test](https://en.wikipedia.org/wiki/Spectral_test)

------
natch
If you read through the thread, it becomes clear that mental illness is a
factor here. With so many such cases over the years, it's as though
cryptography has its own flavor of Jerusalem Syndrome. It's such a magnet for
this. The overconfidence of some of these people is really impressive. Plot
twist: while being wrong about almost everything technically, perhaps he's
right about the NSA wanting the conversation confined to a small, well
understood set of algorithms. But still, ugh, no thank you to what he's
offering.

------
userbinator
I thought it would be a link to the infamous ECB image:

[https://en.wikipedia.org/wiki/File:Tux_ecb.jpg](https://en.wikipedia.org/wiki/File:Tux_ecb.jpg)

------
jancsika
Has anyone written a wrapper algorithm to encode/decode "obvious repeating
patterns" to be used by common software that uses cryptography?

Call it something like "crackpot.js"

------
jokoon
I wonder if the NSA can actively lead developers towards bad crypto practices.

------
schoen
(2015)

------
jijji
it looks less like airborne influenza and more like airborne HIV, at least
from the fact that people are testing positive weeks after treatment [0]...

[0] [https://www.todayonline.com/world/covid-19-far-more-likely-s...](https://www.todayonline.com/world/covid-19-far-more-likely-sars-bond-human-cells-due-hiv-mutation-scientists-say)

~~~
cortesoft
Wrong thread?

