Boring Crypto (2015) [pdf] (cr.yp.to)
70 points by fdeage on Sept 16, 2023 | 25 comments


Bernstein is touting "boring crypto" as what users want. Boring crypto is crypto that just works, so that users don't have to keep updating their libraries and protocols. The implementation is provably correct, and the only two ways to transform ciphertext into plaintext are (a) having the key, and (b) brute force.

But this isn't some C library; cryptography is intrinsically adversarial. And attackers outnumber defenders; you can make more money by breaking a cipher than by inventing one. Cracking libboring would be a major prize.

And I imagine libboring is never going to happen. There will always be new, unexpected attack channels. For example, I'd never have guessed (in advance) that instruction timing would be a viable way to attack a cipher.


libboring exists, it's called nacl.


As far as I'm aware, NaCl isn't like "The End Of History" for cryptographic excitement; isn't it more like a safety razor, which makes it more difficult than usual for users to do stupid things? The primitives it offers don't include stupid primitives, and you can't stitch the primitives together in stupid ways.

But the primitives it offers are the same primitives offered by other kits; those are not immune to 'excitement' issues.


It offers higher-level primitives than e.g. OpenSSL. Instead of the primitives “ChaCha20”, “Poly1305” and “Ed25519 signature”, you get “authenticated encryption” (implemented using ChaCha20, Poly1305 and Ed25519). You do not have to know or understand how to combine the three securely, nor how to combine everything down into a single parseable stream for the other end.


"Safety razor" sounds like the right analogy to me.


Libsodium you mean. Has safe cutting edge crypto, and nothing else.


Based on NaCl by DJB, who wrote the OP.


Right, but pointing people to NaCl which is a proof of concept and not actively maintained (last version 2011) isn't helpful at this point.


But BoringCrypto does exist as a library: BoringSSL https://boringssl.googlesource.com/boringssl/+/master/crypto...


This is not true - BoringSSL is Google's OpenSSL fork, and has nothing to do with BoringCrypto.


"BoringCrypto" is a FIPS validated core library in BoringSSL[0].

"Boring Crypto" as an ethos/concept that djb is invoking in these slides is indeed not related to this.

[0]: https://csrc.nist.gov/projects/cryptographic-module-validati...


Some of the links in the presentation "fail to redirect" ... Is this a Google Groups issue?

Examples:

https://groups.google.com/forum/message/raw?msg=sci.crypt.re...

https://groups.google.com/forum/message/raw?msg=sci.crypt/FG...


@dang: The year 2012 in the post title appears to be incorrect. Several slides in the linked-to deck refer to events in 2015, and the deck's filename is slides-djb-20151005-a4.pdf, suggesting that the correct year is 2015.


You are absolutely right, my mistake. I saw "2012" in another submission and didn't care to check myself. I can't edit the title myself, though, so hopefully dang will correct it.


I think it's an established fact / pseudo-open secret that there has been deliberate weakening of the academic field of cryptography, and cipher and hash algorithms, by cryptanalysis actors happening for a long time.

The weird thing about the field of cryptography is this is not accepted, and is basically taboo: that the strongest designs are classified and the unclassified ones deliberately weakened.

It's this weird suspension of disbelief / faith in security that has been carefully created by the cryptanalysis actors, so that the public designs are breakable by the ones who hold the classified designs.


And here we see one of the many value propositions of cryptocurrency. I know what you're saying is false, for things like ed25519 signatures, and for sha256, sha512, because there is a multi-hundred billion dollar honey pot for anyone who can break those.

Those constructs are very likely to be safe.

It isn't enough, in my opinion, to just have mathematical proofs of safety because reading and understanding those proofs demands trust in an authority on them. To get the knowledge necessary to, without a doubt, verify the proof is not commonly accessible.

But people can hold a cryptocurrency for years and say "well, it's still there and spendable". It is an easy, easy target were that not the case. The Satoshi stash is a honeypot for when things break. Countless lost wallets are the honeypot for when things break. This is easy to audit and verify.

Then, we can know more expansive privacy crypto is functional based upon its availability to turn into USD. Can you turn Monero into USD on any regulated exchanges? You cannot. Because it protects your privacy. Can you store value in Monero long term? You can. This means it is very likely that the slew of crypto constructs involved in protecting privacy are functional, and that the crypto involved with creating, storing, and transferring value is functional.

Cryptocurrencies act as a real world validation mechanism for the active security auditing of these constructs. I would be hard pressed to use any crypto not used by a cryptocurrency with a market cap of at least $1 billion.


If there's only a few people skilled in cryptanalysis, is it possible that some government has a crack in those systems and just doesn't want to burn it?


Yes.

That said, I find that possibility highly unlikely. Cryptocurrencies are a direct and powerful threat to all existing power structures. If for example they were a material country, the west would have been at war with that country and would have dismantled them already long before they entered public discourse or understanding. They are a threat of that scale to banking and traditional power. They are more dangerous than terrorists, more dangerous than even nukes I would argue, so if you could control them / discredit them / invalidate them, even if it meant exposing some secret crypto vulnerabilities, you absolutely would.

That is to say, if you could break it you simply would, which would then crush the mechanism and they would no longer be an existential threat to traditional structures.


> because there is a multi-hundred billion dollar honey pot for anyone who can break those.

Maybe. Or maybe if enough of the right people are affected like the DAO hack, it will just get reversed.


I get you’re trying to take a jab at crypto, but he’s not wrong.

Most DAO “hacks” fall into 3 classes:

1. Poorly written contracts. There’s no accounting for bad programming.
2. Malicious members who made back doors for themselves.
3. Regular old social engineering attacks.

Almost never is the fundamental blockchain technology exploited. If you could, you’d just take the billions in satoshi’s wallet and call it a day.


Taking Satoshi's bitcoins would be a really bad idea. People who had the misfortune of having the name "Satoshi Nakamoto" were harassed by journalists who thought they might be onto some story. Any movement of those coins would gather unwanted attention -- either it was the real "Satoshi Nakamoto" who used them, or somebody stole them, both would be a headline news story. And given the high stakes, anyone dumb enough to attempt this heist would probably be risking their life.


I disagree.

If you are a state actor trying to discredit or destroy cryptocurrencies, taking Satoshi's stash is the clear strategic target. You can simultaneously tank the value of the currency while also not exposing your method of breaking the crypto by taking his stash.

The fact that his stash remains is the clearest signal the crypto is not broken -- and the methods to create his wallet are the oldest / original ones when it comes to cryptocurrencies. A state-level actor would have absolutely moved his stash to easily create panic and remove competition against fiat currencies.

If a state actor can't do it, I highly doubt any other actor could. If some no-name independent researcher somehow figures out an exploit, then yes, it would be foolish to move Satoshi's stash. Better to target "dead" addresses that no one cares much about and won't have an impact -- these are wallets of people that have lost their keys who are not celebrities, so they wouldn't get any attention on them. You could take those funds and move them quietly so that you could make money.

Extremely unlikely possibility for a number of reasons, but anything is possible.


Do you have sources for these assertions? Have you spent time studying Keccak or blake/chacha/salsa? Anyone can and should. A lot of study has gone into these, one can confirm they are in fact quite difficult to “crack”! Give it a try, see for yourself!


https://www.schneier.com/blog/archives/2022/06/on-the-subver...

"established facts" supporting your argument exist. Further evidence may not rise to that level of veracity but exists.

I think there's a general distaste for disagreement lately, especially when one is disagreeing with "authority".


None of this supports their argument, which is that academic cryptography has been subverted, not that NIST has.
