The Crazy !&*#? World of Crypto

The Crazy !&*#? World of Crypto

Don’t overclaim, unless you really have the evidence

It is not often that you hear:

“Get off the stage … you shouldn’t be here! Black Hat are going to take all this down”

at research presentation [here]. If you are a PhD researcher that will be giving your first research presentation soon, perhaps don’t view the video from social media.

Preface

Please excuse me here for explaining the world of academic research. We have a process of peer review, and it is there to guard against those who may make fault claims. It also protects those who are new to the field from over claiming the significance of something. So, just because I tell the world that I have broken elliptic curve cryptography in a news item and that no-ones data is safe any more, doesn’t actually mean it’s true. There are thus certain processes that are involved in research that you have to follow, and, as you will see, the TIME AI paper presented at Black Hat 2019 is perhaps stepping over a line.

Waking up to a new threat

Well. In cryptography, you just know that someday you will wake up, and someone will have found a new way of doing something and that the world is a whole lot unsafer. Think of Heartbleed, Logjam, Poodle, Beasts, and all the other major threats. And the Bleichenbacher’s attack just won’t go away. It is basically what I love about the subject … it protects, but in an instance, it could be cracked.

Symmetric and Asymmetric Encryption

Let me start by saying that there are two main ways of doing encryption: symmetric key (based on scrambling and unscrambling data) and asymmetric key (with a public key and a private key). With asymmetric encryption, we typically use either Elliptic Curve Cryptography or RSA. With RSA, the difficulty is to factorize a large number (the modulus — N) into two randomly selected prime numbers (P and Q). At present, for the sizes of the modulus’ we have (typically over 1,024 bits), this is a hard problem and will require too much computing power to even crack a single encryption key. The method is that N is known (and published with the public key — [e,N]), and if I factorize it into P and Q, I find the decryption key (d) by taking the inverse of the encryption key (e) mod [(P-1)(Q-1)]. The method is outlined here:

TIME AI

Robert E. Grant has now caused a bit of a controversy at Black Hat 2019, and where cryptographers and academics around the world are grumbling and even openly shouting over social media that they think there’s something not quite right with his company’s claims:

One thing you learning in academic research is that you need to get things right, and the title itself rings alarm bells:

The World’s First ‘Non-Factor ‘ Based Quantum Encryption Technology

The title is completely wrong! As I said before, encryption involves both symmetric key and asymmetric key methods, and symmetric key methods — such as AES and ChaCha20 — don’t go anywhere near factorization. In an academic conference, the title — or any claim like this — would never be allowed (unless proven to the nth degree).

Also, there are lots of “Non-factor”-based quantum encryption methods, and NIST is looking at that now!

And then the thing that has gotten many researchers hot under the collar is the claim:

In March of 2019, Grant identified the first Infinite Prime Number prediction pattern, where the discovery was published on Cornell University’s www.arXiv.org titled: “Accurate and Infinite Prime Number Prediction from Novel Quasi-Prime Analytical Methodology.” The paper was co-authored by Physicist and Number Theorist Talal Ghannam PhD. The discovery challenges today’s current encryption framework by enabling the accurate prediction of prime numbers.

The paper is here:

I can’t even start to explain how making a claim like this, by saying it is published on arXiv is academically unsound. If you know the peer review process, then you will know that anyone can publish a pre-print there. I have only just recently been using it, and here are some of mine’s [here]:

The first paper here has been published, and No 3 is just going to production, after two peer-review stages. Papers 2 and 4 are still in the peer-review process. While we can make claims on the findings in paper No 1 and No 3, we cannot make any claims, yet, on paper 2 and 4, and, in fact, they may get rejected outright, and we would probably remove them from arXiv.

As part of peer review, there should be a rigorous analysis of the methods used, and the paper will only be accepted into a peer review journal if it has been shown to produce a significant contribution. But, in the case of the TIME AI paper, there is no existing peer review done on it, even though it is claimed in the press release. This is a crazy situation, and media outlets have been happily publishing the press release with little care that it is currently building on sand.

One of the people I respect most in cryptography is JP Aumasson, and who has a long track record of core contributions in computer security. Here is his thoughts on the presentation:

Go read here. There are claims too about the confidentiality of a talk. Surely if you give a talk to an audience who will listen to you, then they are not is not quite confidential. Basically, you would have to get everyone who attended the talk to sign NDAs before it and take their mobile phones away. And, there are big questions, too, about the sponsorship of the talk. Continually we get called by conference agencies asking us to pay to present at any event, and we always say, “No!”, as it compromises our academic integrity.

And the company?

The company have a strange profile — and perhaps wacky profile — and even advertise 5D encryption:

And for the company founder, some have been highlighting a rather strange history in research:

Conclusions

The axVir system is NOT peer reviewed!

A claim is not verified by the research community until it has been fully peer-reviewed.

Factorization is not all of encryption.

You make up your own mind!

Postscript

I remember my first conference talk at the IEE in London. I was so nervous! It was the days before laptops, so I made flick books to animate my work and handed them out. I will never forget the scene of all these high distinguished academics, smiling as they watched a wave propagate.

But in my nervousness, I got a bit muddled and showed that my waves travelled faster than light…I will always remember the gentleness of the feedback from a leading Professor in the questions after it. He really engaged with my presentation, and then made a lovely joke of highlighting what I had just done. I will also remember his gentleness and respect in my work, even though I was just a junior researcher. If you are a new researcher, don’t worry too much about making a presentation … be confident in your work, and remember you are still learning, so take any feedback that you can, and improve.

For the presentation on TIME AI at Black Hat 2019, that’s a whole other area, and it’s where someone makes extremely bold claims, and where they struggle to find a foundation. So make sure you have your foundations in place — such as in your literature review. Also, always be honest with your knowledge and don’t over claim.

Research is wonderful, and we should all help each other. Be honest, be kind, and be supportive, and do things for the right reason.