Why 8(to)7 encryption is just another perpetual-crypto algorithm
All of the snake-oil clichés, none of the evidence
Ignorant people are constantly inventing new forms of perpetual motion, reactionless drives, compression of random data, …. and unhackable encryption algorithms. The message is always the same, that the experts are closed-minded about the breakthrough the ignorant have made. They produce demos proving their invention works, though only in carefully controlled conditions that doesn’t prove it works in practice. The ignorant are seduced by their own ignorance, an are skilled at seducing others ignorant of the subject.
Many call these snake-oil encryption algorithms. Maybe a better name is “perpetual-crypto”.
The latest example is a company “8(to)7” that claims some new innovation with their “NaVeOl” encryption algorithm.
In this blogpost, I try to be as fair and open-minded as I can. I do my best to describe why their claims aren’t reasonable. As far as anybody can tell, it’s just the same old “snake-oil” encryption we’ve seen many times before.
Examples of unreasonable claims
When we look at their How It Works page, we see a random jumble of buzzwords. We experts understand all the words, we just don’t understand how they are used. Nothing makes sense. Take for example, this screenshot from their slides:
First of all, why a “3 gigabyte file”?? Why not just measure speed the same way everyone else does (gigabytes/second). In any case, AES speed ranges from 0.1 gigabytes/second to 1 gigabyte/second, in other words, would take between 3 to 30 seconds for a single pass of their file on modern CPUs.
RSA is an asymmetric encryption algorithm, whereas this NoVeOl algorithm claims to be symmetric like AES and DES. What’s the point of including it here? Either they are confused, or they think the audience is.
Another example is the following paragraph:
This isn’t a thing. Well, it sorta is, we call it “electronic codebook mode”, where identical blocks are always encrypted the same way. But we don’t use algorithms in that mode. It’s like teaching thatched roofs in beginning house construction class in order to teach the fire dangers of construction — we don’t actually use thatched roofs in the real world, except in rare cases, like building a set for a movie about Robin Hood.
If you are reading this post on Substack, then it’s encrypted on the wire using AES GCM — the well-known AES algorithm in “Galois Counter Mode”, which not only guards against the above issue, but also does “authentication”. It’s “authentication” that is a more modern issue in cryptography. But they fail to mention this new issue but only an outdated issue.
Such snake-oil encryption usually comes from such people that take an “intro to cryptography” class and then go off and invent their own encryption algorithm. That’s what it sounds like here — repeating basic concepts as if they are major inventions.
They mention an algorithm called “Blowfish” a lot. It’s not a real-world algorithm, nobody uses it. Instead, it pretty much just comes from the popular textbook “Applied Cryptography”. All their content seems pulled directly from that textbook — extracting the buzzwords without understanding their meaning.
Their mention of “quantum” computing makes no sense. Yes, it’s probably the hottest topic in cryptography right now. But it applies mainly to asymmetric algorithms, not symmetric algorithms (which they claim to be). Again, it’s an example of how cryptographers know the terms they are using, but are baffled how they use the terms.
They spew buzzwords, like:
None of this paragraph makes sense. If you are using quantum cryptography, then you need quantum devices. If you are doing molecular computing with DNA molecules, then you need DNA-based devices. But they just claim to have normal computers running code. You can’t do these alternative computing techniques with standard computers, that’s the entire point. As for “artificial intelligence”, it just doesn’t make sense.
The website spews false claims, like claiming existing encryption can be hacked.
Current encryption standards like AES, RSA, SHA2 aren’t really hackable. Hackers aren’t breaking encryption. When they hack computers, it has nothing to do with breaking these algorithms.
Old cryptography textbooks (circa 1990s) take the fatalistic belief that all algorithms will eventually be “broken”, because at the time, they pretty much were. The reason we have the SHA2 algorithm is because SHA1 was broken [essentially, I’m skipping steps]. They made plans for a SHA3 version in case the old SHA2 was hacked.
But these days, the encryption algorithms that you use is unhackable, whether it be an encrypted ZIP file, using SSL to encrypt data sent over a network, or talking with end-to-end encryption on your phone. They’ve stood for over 20 years. Sure, things get hacked, but that’s due to people using the combination on their luggage “1234” as their password. It’s not the algorithms themselves that are the problem.
Thus, we know this new algorithm is “snake-oil” because it falsely claims the old algorithms are broken, an are to blame for ransomware, phishing, and other hacking. But these algorithms aren’t broken, and aren’t related to hacking. Even if they invent the world’s most perfect algorithm, it still has no benefit over the old ones.
In the introduction, I mention some of the other foolish things the ignorant invent, like perpetual motion and the ability to compress random data. Along with their new encryption algorithm, these people have also claim to have invented a way to compress white-noise by 12.5%. White-noise is random data. If it’s compressible, then it’s neither white noise nor random data.
They claim they can’t provide source code because their algorithms are “patented”. This is the opposite of how patents work. Patents demand you make it public, so others can build on it, in exchange for a temporary monopoly. Patents allow you to publish the details, so everyone can see them, but without being able to use your algorithm. If they’ve patented their technology, then they can simply show us the patent, and we’d be able to see their algorithm. It’s only when they don’t patent it that they need to keep it secret.
Note that they can still patent their algorithm even if it doesn’t work. The patent office doesn’t care if an invention works, only that it’s original.
The final cliche is their “competition”, offering some vague reward for anybody who can prove they aren’t what they claim. You can’t prove a negative. You can’t prove space aliens don’t exist, you can only show there’s no evidence. The same is true here. It’s impractical to prove them wrong, we can only point out they’ve done thing to show they are right.
For example, they could simply wrap up an obfuscated version of AES or ChaCha20 (the two primary encryption algorithms used today) and we wouldn’t be able to see the difference. Indeed, they could do the world’s worst encryption algorithm and we still couldn’t tell the difference. Testing an algorithm requires first seeing the algorithm.
They even mention this among their slides, because it’s a basic cryptography concept. They claim their algorithm is robust even when the adversary knows the algorithm. But they miss the other half of that claim, that no algorithm is robust until the adversary (and everyone else) knows the algorithm.
The point is this: nowhere on their website have they given us any reason to believe their fantastic claims, but they have given us a lot of reason to doubt them. They’ve done nothing reasonable yet, but a lot that’s unreasonable.
How to fix it
Let’s pretend it’s not yet another perpetual-motion invention, how can they fix it?
The first step is to remove the things that are false. It’s not true that current algorithms are broken and responsible for phishing and ransomware.
The second step is to provide technical explanations. For example, they claim something vague about “molecular computing”. This is just a buzzword without context, so provide that context. Write up a paper that describes how you’ve applied molecular computing to an encryption algorithm.
If you claim a speed advantage, then write a paper with benchmarks, comparing this algorithm against AES-GCM encryption speed running on a Raspberry Pi, Amazon EC2 instance, or some other standard system.
Stop promising demos. Technical people aren’t interested in demos because we know they can be faked. A couple years ago, Crown Sterling did the same thing demoing their buzzword-filled perpetual encryption algorithm. It looked impressive on the surface but was proven to be fake.
Stop telling experts to prove them wrong. It’s not worth anybody’s time until you’ve given credible reason to believe you might be right.
Of course, we are pretty confident that the likelihood of any of this happen is the same as it has been for prior perpetual crypto algorithms.
"Up till 100% hackable" is technically true of any encryption scheme. In fact, "up till 100% <adjective>" is true of any noun phrase.