One of the best things about the growth of Bitcoin is how it has propelled research and development in cryptography. What was once a relatively sleepy field of computer science has now become one of the most popular areas of study. There is no doubt that this additional research will yield great advances in the coming decades. But cryptography is unique from other computer science disciplines, in that there is no margin for error – especially if that cryptography is being used to secure money or digital assets. Unfortunately, the growth of Bitcoin has also fueled a new wave of rushed cryptography. Rushed cryptography is brand new cryptographic technology that hasn’t had sufficient peer review or test, yet is being promoted as the new panacea to all your hacking woes.
The creators of rushed cryptography always know that they rushed it. They know they haven’t done sufficient testing or peer review. Testing takes months to years and peer review takes years to decades. Excited to launch products with their new technology, combined with a little hubris and a little ambition, rushed cryptographers use their new algorithms prematurely. While they make bold claims and brag about the awesomeness of their creation, internally, the rushed cryptographer is actually full of fear – fear that someone will find a bug, a hole, or a problem before they do. To prevent this from happening, they fall back on the oldest trick in the book: they make it proprietary.
What is proprietary cryptography? Nobody knows except the creator – the same one that is now trying to sell you his product. The creator says they tested it. They hired PhD’s, experts and mathematicians to attest they did a great job. They hired security auditors and code reviewers. But did they? How can you know? How can you possibly use this to secure assets worth millions?
OWASP (the Open Web Application Security Project) has this to say about proprietary cryptography: “Proprietary encryption algorithms are not to be trusted as they typically rely on ‘security through obscurity’ and not sound mathematics. These algorithms should be avoided if possible.”
Remember Schneier’s Law: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.”
It is an exciting time for cryptography, computer science, and digital assets. But one of the best things about Bitcoin is that it relies on stable, steady, known algorithms. This conservative development helps the system, builds trust, and is known to be secure. To those that are rushing new crypto, don’t forget peer review and open source implementations: this is money!