In case you don't know, I've been developing a new encryption for six years now. Timeshift has been my pride and joy. It has outlived friendships, high school, even an engagement. It's my brainchild, along with my buddy Karl. As development for it progressed, it became clear that I either need a lot of time to expand my knowledge, or aid from those who have. Over the 6 years, I've found both. Early on, I discovered Bruce Schneier's site. He seemed to be a big man in the industry so I was surprised his email was listed on the site, even more surprised when I received a response. I sent him an email saying that I was having problems explaining an aspect of my cipher and I was wondering if I could have some of his insight. I received the shortest email ever as a response:
I wrote this a decade ago:
http://www.schneier.com/crypto-gram-9810.html#cipherdesign
I read it and it was heartbreaking, but I'm not stopping. While browsing his site, I found another article that seemed to cut it close to what I'm doing. #2 and #5 could easily be related to me. I would like to defend myself and truly explain why I'm not some quack who is trying to "sell his snake oil."
While I write this, I'm reminded of Clarke's Three Laws. The 3rd law is the most recognized, technology being magic and all, but his first law comes to mind when I think about what Schneier has said. I respectfully disagree with Schneier's ten-year-old article about amateur cryptographers and how it applies to me. The first law states "When a distinguished but elderly scientist states that something is possible, he is almost certainly right; when he states that something is impossible, he is probably wrong." I also find relief in that he knows nothing of how Timeshift is implemented and gives his advice on assumptions. Now, I cannot disagree with him that I'm an amateur cryptographer. I've never broken any cipher other than my first creations at the age of 14 and the challenges from Assassin's Creed. As fun as they were, neither is a big enough challenge to make me or anybody else anything more than an amateur. I've made about a dozen ciphers before Timeshift, but I'll be the first to tell you how horrible they were.
As for his five rules of snake oil, only #2 and #5 really apply to me, but let me break down all five of his warning signs.
#1: Pseudo-Mathematical Gobbledygook - I can promise you that all math involved in the cipher is as real as it gets. I don't work for a year on a single aspect so I can make it believable because it's made up. I'm not making up words or nonsensically putting words together to sound epic. I agree with Bruce here in its entirety.
#2: New Mathematics - Ok, about that... Only half of our math is new. Ciphers have used Linear Feedback Shift Registers (LFSRs) since at least World War I with the Enigma machine. LFSR-based encryptions have since been susceptible to particular kinds of cryptanalysis, but with our discovery and new methods of expanding an LFSR's looping size, not to mention a few other tricks up our sleeves, we have brought security back to LFSR-based encryptions.
#3: Proprietary Cryptography - Upon completion this algorithm will be written up and published. Karl and I will be the authors, but we know that nobody will trust it if they don't know exactly how it works. Also, we plan to have people attempt to break it. If nobody breaks the encryption after three to five years, we know that people will start believing that it's secure. It's a long road ahead of us, but we already have six years of analysis, planning, research, and testing behind us so we are in it for the long run. We're just not releasing anything until we're ready.
#4: Extreme Cluelessness - Karl and I are devoted to understanding, explaining, and proving our encryption legitimately without the Pseudo-mathematical gobbledygook of #1. Reading books, understanding how other people cracked other ciphers, overall just expanding our knowledge in any way possible. Our code is geared towards efficiency and speed; it's not sloppily thrown together, haphazard, and certainly not "extremely clueless."
#5: Ridiculous Key Lengths - The key lengths we have discussed do seem a little ludicrous but they're well founded. In the beginning we wanted to strive for a more secure algorithm, something that was more than just "good enough" but an algorithm that could mean peace of mind for your most important information for however long you may need.
#6: One-Time Pads - Computers have problems with random. We don't always call them so, but any Random Number Generator (RNG) is pseudo, fake, faux, not quite real. One-Time Pads are a concept, but not 100% implementable. Timeshift doesn't promise this. I agree with his post about this, although I do not find it relates to Timeshift.
#7: Unsubstantial Claims - I make no claims outside of its capabilities. I'm not going to say some made up company tested it, or that we won some award.
#8: Security Proofs - It's hard to prove something is secure. Instead, you must repeatedly prove that something is not insecure. It sounds a little backwards at first, but that's how the industry works. Timeshift has gone through six years of analyzing, updating and reanalyzing. It's all been "in-house" but after we publish, it'll be a more public development cycle.
#9: Cracking Contests - This just sounds like kind of a crazy idea to begin with. Timeshift has not been submitted to any contest.
I have a lot of work ahead of me and I know it. It won't be easy and it may not come to fruition for another five years, who knows, but I'm not giving up. This may just be the beginning.