"Nearly Unbreakable" Encryption Scheme Inspired By Human Biology

rjmarvin (3001897) writes "Researchers at the U.K.'s Lancaster University have reimagined the fundamental logic behind encryption, stumbling across a radically new way to encrypt data while creating software models to simulate how the human heart and lungs coordinate rhythms. The encryption method published in the American Physical Society journal and filed as a patent entitled 'Encoding Data Using Dynamic System Coupling,' transmits and receive multiple encrypted signals simultaneously, creating an unlimited number of possibilities for the shared encryption key and making it virtually impossible to decrypt using traditional methods. One of the researchers, Peter McClintock, called the encryption scheme 'nearly unbreakable.'

Crypto hype

[Anonymous Coward]

Every intelligence everywhere can invent an encryption scheme it can't break.
Don't ever use any crypto algorithm the experts haven't been attacking and publishing about for a while.

Nearly Unbreakable

[ArcadeMan]

The keyword here is nearly, which means it can be broken.

And next up, they claim to have cured cancer.

[pla]

TFA contains no actual information, just an assertion that the interaction between poorly-described models of "biological" systems might kinda possibly maybe make them money because the world needs car door key fobs, or something like that.

Deep.

Red flags

[Anonymous Coward]

Red flag #1 publication to inappropriate forum. If your "breakthrough" in physics only got published in the Journal of English as a Foreign Language, it's most likely bunk. Likewise then, if you've got some crypto results and the best place you could find to publish them was a physics journal, that's a bad sign. There are journals about crypto. If this wasn't sent to them it means nobody serious has looked at this. If it was sent and they declined it means serious people laughed their heads off.

Red flag #2 use of phrase "nearly unbreakable" which doesn't mean anything. Anybody who knew what the hell they were talking about would steer clear of that phrase, but oh my, if you're clueless it sounds impressive. So, probably clueless then.

Re:Nearly Unbreakable

[geekmux]

I can easily create an encryption system that is unbreakable. You just won't be able to get your data back.

Then your statement is pointless, for you haven't made an encryption system at all. You've made a destruction system.

Re:Nearly Unbreakable

[Wootery]

Then it wouldn't be encryption. It would be hashing.

Meh

[swillden]

I don't know whether or not this idea actually works, or what level of security it may or may not provide, but it's addressing an already thoroughly-solved problem. It appears to provide a symmetric key cipher, which means -- regardless of how radical the approach may or may not be -- it's in direct competition with algorithms like AES and the multitude of other well-respected and heavily-researched block and stream ciphers. The abstract and summary mention "an unlimited number of possibilities for a shared encryption key", but existing algorithms already provide enormous key spaces.

Of course, some cryptanalytic breakthrough could provide a way to break all existing ciphers, but who's to say the same breakthrough wouldn't impact systems based on this idea. And, actually, we already have another approach which uses special hardware at each end, Quantum Cryptography, which can absolutely guarantee security, unless our understanding of the Uncertainty Principle is wrong. Or unless there are bugs in the physical implementation, which there have been, and I see no reason that this "Dynamic Systems Coupling" approach wouldn't be subject to the same kinds of problems.

So... meh.

Anyone...

[FuzzNugget]

Anyone can invent an encryption scheme so clever that he or she can't think of a way to break it.

anyone can devise encryption they can't break

[raymorris]

The author's claim that it's very hard to break only means that THEY don't know how to break it. That's meaningless, because anyone and everyone can come up with a puzzle they don't know how to solve. That doesn't mean it's hard, just that they don't know how it's done.

A trivial example would be a kindergartener who might observe that if you encode a message by writing it with letters, they don't kow how to read that message. That's only because the kid doesn't know how to read. It in no way suggests that reading is impossible. For many Slashdot readers, compiling a message into a Windows resource file makes unreadable _to_them. Windows resource files are of course quite easy to read, if you know how. These researchers don't know how to read their own encoding. So what? That doesn't mean _I_ don't know how to read their stuff.

Their scheme does have one attribute that's good - it can generate long keys. So can a random number generator. They MAY have a good idea, but we won't know until alot of other people try to break their encryption and fail.

Key sharing?

[Hentes]

There's nothing in the protocol description about key sharing. If you already have a way to share keys, why not just use a one time pad that's proven to be unbreakable?

geez, guys, give it a rest

[stenvar]

The paper contains none of the cryptographic analysis necessary to show that this is a secure cryptographic system. It's just another one of these "let's take a chaotic dynamical system and use it for cryptography" papers.

The paper doesn't tell you much about cryptography, but it does illustrate the failures of peer review.

It looks bad to me.

[TechyImmigrant]

From the abstract it seems that they are claiming:

1) Boy, those chaotic systems look complex.
2) Gee they can synchronize
3) If we superimpose other chaotic systems on top, then it looks even more complexer.

So something like Walsh codes implemented badly. Walsh codes have nothing to do with cryptography btw.

What they haven''t shown is a lower bound for brute for attack complexity, or why it is resistant to any of the normal attack methods. I don't see why an imposter could not sync to the source the same way the intended recipient does. From the paper, I see several linear systems of equations describing the chaotic oscillators.

This will fall fast when a real cryptographer has go at it.

Re:Famous last words

[dalias]

"Climate change" is not a "downgrade" to global warming. It's simply better wording to avoid denial from idiots who don't understand math (i.e. means) and say "wow it's really cold this winter, global warming is bs!" Nothing has changed; we still know the mean temperature is increasing and that the increase is caused by human activity. But the new wording is less susceptible to idiotic misinterpretation.

Re:Meh

[swillden]

I wonder if the crypto key is tied to your body.

It's not. This has nothing to do with biology, other than being vaguely inspired by it. RTFA.

If so, it's just as stupid as biometrics.

After that information is stolen, you can't easily change it anymore.

Biometrics aren't stupid. They're all wrong for most of the common situations where we see them applied, but they're not inherently a bad idea. And the common /. meme about them being useless because they can't be changed is ridiculous, and arises from the -- badly broken -- analogy between biometric identification and password authentication.

Biometrics are useful as identifiers, and to the degree that the biometric scan and matching process can be trusted, you can bootstrap an identification to an authentication. The kicker is that level of trust. If the biometric scanner is deployed in a secure area, to ensure it's not tampered, and the scanning process is monitored to ensure that the object being scanned actually is the person to be identified, and the template storage and matching process are also adequately secured, then biometric authentication is awesome.

Alternatively, if the scanner isn't secured or monitored and the if security of the template store and matcher are also questionable, biometrics still aren't completely useless -- they just don't provide a significant level of assurance. If what you need is an extremely convenient way to unlock access with such low security needs that your other realistic alternative is to leave it unsecured, then biometrics are also fine. For example, if in the absence of a fingerprint reader you would leave your phone entirely unlocked, then unlocking it with a fingerprint is an improvement.

In between, in contexts where security requirements aren't high enough to justify all of the effort and expense needed to make biometrics really strong, but where some security is actually needed, then biometrics are useless. That doesn't make them stupid, it just makes them the wrong tool for the job.

To use a car analogy, it's like trying to haul a 53-foot semi trailer with a Honda Civic. Or maybe with a Bugatti Veyron, which if you can get it attached somehow might actually have the power to move the trailer, but you can't call the result a functional freight transporter.