Quality Time, Sweetheart: Some Principles on Dangerous Crypto

Spirit of Nikopol nikopol at danwin1210.me
Sat Dec 14 03:34:53 PST 2019


- Underkill or overkill: which is more secure? Quality time, sweetheart.

- Cryptographic security rests on time. This is why the strength of a
cipher is measured in "polynomial time" or "exponential time." Quality
time, sweetheart.

- Quantum time is a theory at this point. It is a lame conjecture. Do not
trust theories and conjectures. Trust quality time.

- Obscurity is a time buffer. Until the obscure is unobscured, time is
working effortlessly against the effort of attack. (!blasphemy!)

- Ciphertext, keys, and digests are like toothpaste: whiten, whiten,
whiten. Use separate whitening vectors for all.

- Industry standard crypto is always insufficient for dangerous messages.
There must be a time-to-generate bottleneck.

- One-time pad injects a time bottleneck approaching functional infinity.

- Industry standard crypto gets bugged and broken regularly. Using it can
produce a secure, self-signed death warrant.

- The longer a decipherment key takes to generate the more secure the
ciphertext will be. (time-to-generate delay)

- The longer the bottleneck the longer it takes for your adversary to
drink your beer.

- The longer the bottleneck the less of your bit-booze the enemy can drink.

- The hassle of exchanging one-time pads is much less than the hassle of
digitally signing your own death warrant.

- With random one-time pads you run zero risk of secretly borked crypto
algorithms.

- If doubt is bad, use the one-time pad. Otherwise, bottleneck,
bottleneck, whiten, whiten, obscure, obscure.

- If it has not been 100% proven secure, why would you assume it is secure?

- The prophetess of Delphi is not your human shield. Standard assumptions
in the oracle don't stop bullets.

- When borked 'standard crypto assumptions' buy you a ticket to the
gangplank, will the academic researchers be there to sell you shark
repellant?

- Just because you don't know that anyone has broken a cryptography
scheme, does not mean it hasn't been broken.

- Why would your adversary publish the fact that he has broken your
cryptography?

- Rather it may mean your adversary is practicing security through
obscurity, which has won many battles. (!blasphemy!)

- When you are using anything besides OTP then time is your only friend.
Your scheme must tack on the time.

- Security through obscurity worked for dozens of historical military
commanders (who were not sitting in ivory towers.)

- If security through obscurity is always bad then why do trade secrets
generate billions in profits?

- If security through obscurity is always bad then why do armies and
governments use it every day?

- What was said about casting pearls before pigs?

- The more obscure your means of communication, the more time your
adversary must invest to uncover it.

- An exponential increase in required key attack time is often an
exponential increase in safety, if your scheme is secure.

- University cryptographers are smart. But who signs their paychecks? Is
it the same Sam who signs NSA paychecks?

- Does the academic who pumps a certain unobscure cryptosystem have a life
insurance policy on you? Is your cryptography advisor invested in noose
stocks?

- Will the pumpers of a certain cryptosystem support your family when you
are doxed or dead or disappeared?

- Provable security of a dangerous cryptosystem does not make it safe or
secure. It must also be deeply obscured from view.

- Web site crypto keys are vouched for by state-licensed actors. Need we
say more? Dangerous crypto should also be obscured by quality time.

- Generally the more time you take to secure your communications the more
time your adversary needs to attack.

- Why settle for 2 ^ 256 when 2 ^ 256 million is a clear winner?

- Why settle for one algorithm when you can cascade many?

- Envelope Superencryption of many algorithms is not necessarily limited
to the strength of its weakest algorithm. (!blasphemy!)

- Basket encryption and stacking pancakes: If 16 superencryptions are used
with 16 different algorithms then the attacker must spend time to
correctly guess each algorithm in the correct order with the correct keys
or breaks. 16 pow 16 = 18446744073709551616 combinations, before we've
even addressed possible keys. If your basket of available algorithms is
larger than 16, this time injection can get unwieldy for attackers, even
if the attacker has a quantum 'flux capacitor.'

- When your life or liberty is at stake, to hell with efficiency. Churn,
baby, churn!

- Peer review and public availability of a cryptosystem are not magic
guarantees that weaknesses or flaws will be found. Remember, if a
cryptosystem is broken, bad actors who borked it are not going to tell
you. That obscurity is their advantage. The counter to this advantage is
polymorphism, chains of superencryptions, and using as much obscurity as
you can to inject all the time delay you reasonably can.

 -------------------------------------------------
 S P I R I T    O F    N I K O P O L

 Don't swap synthetic brains for your real brains.
 broadcast on BitMessage (https://bitmessage.org)
 subscribe: BM-NBEz3C1WktcyMZwVRWgDNGpU5gMRZ2iT


