- Underkill or overkill: which is more secure? Quality time, sweetheart.
- Cryptographic security rests on time. This is why the strength of a cipher is measured in "polynomial time" or "exponential time." Quality time, sweetheart.
- Quantum time is a theory at this point. It is a lame conjecture. Do not trust theories and conjectures. Trust quality time.
- Obscurity is a time buffer. Until the obscure is unobscured, time is working effortlessly against the effort of attack. (!blasphemy!)
- Ciphertext, keys, and digests are like toothpaste: whiten, whiten, whiten. Use separate whitening vectors for all.
- Industry standard crypto is always insufficient for dangerous messages. There must be a time-to-generate bottleneck.
- One-time pad injects a time bottleneck approaching functional infinity.
- Industry standard crypto gets bugged and broken regularly. Using it can produce a secure, self-signed death warrant.
- The longer a decipherment key takes to generate, the more secure the ciphertext will be. (time-to-generate delay)
- The longer the bottleneck, the longer it takes for your adversary to drink your beer.
- The longer the bottleneck, the less of your bit-booze the enemy can drink.
- The hassle of exchanging one-time pads is much less than the hassle of digitally signing your own death warrant.
- With random one-time pads you run zero risk of secretly borked crypto algorithms.
- If doubt is bad, use the one-time pad. Otherwise, bottleneck, bottleneck, whiten, whiten, obscure, obscure.
- If it has not been 100% proven secure, why would you assume it is secure?
- The prophetess of Delphi is not your human shield. Standard assumptions in the oracle don't stop bullets.
- When borked 'standard crypto assumptions' buy you a ticket to the gangplank, will the academic researchers be there to sell you shark repellant?
- Just because you don't know that anyone has broken a cryptography scheme does not mean it hasn't been broken.
- Why would your adversary publish the fact that he has broken your cryptography?
- Rather it may mean your adversary is practicing security through obscurity, which has won many battles. (!blasphemy!)
- When you are using anything besides OTP then time is your only friend. Your scheme must tack on the time.
- Security through obscurity worked for dozens of historical military commanders (who were not sitting in ivory towers).
- If security through obscurity is always bad then why do trade secrets generate billions in profits?
- If security through obscurity is always bad then why do armies and governments use it every day?
- What was said about casting pearls before pigs?
- The more obscure your means of communication, the more time your adversary must invest to uncover it.
- An exponential increase in required key attack time is often an exponential increase in safety, if your scheme is secure.
- University cryptographers are smart. But who signs their paychecks? Is it the same Sam who signs NSA paychecks?
- Does the academic who pumps a certain unobscure cryptosystem have a life insurance policy on you? Is your cryptography advisor invested in noose stocks?
- Will the pumpers of a certain cryptosystem support your family when you are doxed or dead or disappeared?
- Provable security of a dangerous cryptosystem does not make it safe or secure. It must also be deeply obscured from view.
- Web site crypto keys are vouched for by state-licensed actors. Need we say more? Dangerous crypto should also be obscured by quality time.
- Generally the more time you take to secure your communications the more time your adversary needs to attack.
- Why settle for 2 ^ 256 when 2 ^ 256 million is a clear winner?
- Why settle for one algorithm when you can cascade many?
- Envelope Superencryption of many algorithms is not necessarily limited to strength of its weakest algorithm. (!blasphemy!)
- Basket encryption and stacking pancakes: If 16 superencryptions are used with 16 different algorithms then the attacker must spend time to correctly guess each algorithm in the correct order with the correct keys or breaks. 16 pow 16 = 18446744073709551616 combinations, before we've even addressed possible keys. If your basket of available algorithms is larger than 16, this time injection can get unwieldy for attackers, even if the attacker has a quantum 'flux capacitor.'
- When your life or liberty is at stake, to hell with efficiency. Churn, baby, churn!
- Peer review and public availability of a cryptosystem are not magic guarantees that weaknesses or flaws will be found. Remember, if a cryptosystem is broken, bad actors who borked it are not going to tell you. That obscurity is their advantage. The counter to this advantage is polymorphism, chains of superencryptions, and using as much obscurity as you can to inject all the time delay you reasonably can.

-------------------------------------------------

S P I R I T   O F   N I K O P O L

Don't swap synthetic brains for your real brains.

broadcast on BitMessage (https://bitmessage.org)

subscribe: BM-NBEz3C1WktcyMZwVRWgDNGpU5gMRZ2iT