[0xFluegel]

> Anyone doing secure comms at this level, and is talking about families of mathematics always gives me the impression they don't really know what they're doing.

Why is that? Do you assume that making competent choices for encryption algorithms (for which you try to understand the math problems involved) and trying to market the systems security means that they also try to implement it themselves? Or is the "family of mathematics" a sign for incompetence that I just don't recognize?

[red_admiral]

As someone who's worked in the sector (the crypto sector, not the crime one):

"Families of Mathematics" is a marketing statement, or "hot air" as I prefer to call it. The information content of that statement is zero, what it's doing is trying to project warm "you can trust us" feelings.

A statement aimed at technical people would read more like "we use AES-256-OFB with Axolotl on Curve25519 and scrypt(2^14, 8, 1)" or something like that.

To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.

[charwalker]

The US created a fake bank to catch drug runners and cartel bosses. What's to say this isn't an state intelligence backed company created not to sell a product but to be sold to criminals then listened to until warrants were signed?

I haven't looked into the service at all so could be totally off.

[pas]

Wow. Do you happen to have more details about that fake bank honeypot?

[taylorfinley]

There's an excellent episode of the npr podcast Planet Money that covers this story: https://www.npr.org/transcripts/694548245

[charwalker]

That's where I heard it, yeah.

[tlrobinson]

> To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.

IMHO if your solution isn't open source, or least completely documented so it can be verified, then the whole point is moot anyway.

[0xFluegel]

Thanks for clarifying. You convinced me.

[strbean]

I just interpreted that as "we use RSA and ECC".

[alias_neo]

So it's based on my experience. I'm an Engineer in secure comms. I absolutely see the "family of mathematics" card as a sign of incompetence. In the space, nobody talks about the mathematics. The people implementing algos might, but they're in a different space.

A savvy customer wants to know which algos you're using, and how you're using them, where you're using them. EC? RSA? Other? Which implementation are you using, is it audited? Standard based? Working with government, is it FIPS or similar? What does your KEx and KDF look like? Data at rest security? WHAT are you storing, and sending? Transport security? Metadata? Development practices?

There are a LOT of things a customer wants to know, and which or how many "family(/ies) of mathematics" has never been one of them, in my experience.

[kazinator]

Waving about "families of mathematics" when selling a product is just an attempt to bamboozle the gullible.

The number of branches of mathematics that you involve in the product doesn't mean anything.

Encrypting a message twice with different keys using exactly the same algorithm (thus the same branch of mathematics) is prima facie as effective a security increase as using some different algorithms involving different mathematics.

Most everyday crypto products rely on the results from several different areas of cryptography with different mathematics.