Mystical Mathematics & Snake Oil

An opinion piece which takes a closer look at the TimeAI / Crown Sterling story.

The name TimeAI may ring a bell for you, or if not, Crown Sterling might. Today I am going to try to break down all of the parts of this insane story and give a coherent overview of what TimeAI is, who Crown Sterling are and why the idea of "cryptography by 5 dimensions" is, for want of a better word, delusional.

Who are TimeAI?

TimeAI is a company/project owned by one Robert Edward Grant who, by his own admission, is a "modern day Polymath" (I might add that I personally believe he's potentially a nutcase). I don't want to talk much about him because there's an awful lot to say and none of it is positive. If you're interested in the man behind this project, I suggest visiting the "about" section on his website.

But what is TimeAI? Well, TimeAI claims that they are providing new methods for encryption via Quantum - sounds good, right? On the surface, yes; that is, until you start digging into their claims a little more. According to them, they are providing: "Quantum Encryption & Data Sovereignty using five dimensions of encryption, leveraging biometrics, music's infinite variability and more." Some of you might be baffled as to what the hell that means and, to be honest, I cannot blame you.

For those of you that do know who TimeAI are, you will most likely be familiar with a paper titled "Accurate and Infinite Prime Prediction from Novel Quasi-Prime Analytical Methodology", but even for non-math people the words "infinite prime prediction" should make you suspicious. I mean, this is a challenge that mathematicians have been working on for a very long time. It is the very thing that gives us security in so many cryptographic algorithms, like, you know, RSA.

Back to the paper. Currently this paper, written by TimeAI/Robert Grant/Crown Sterling, is the most notable thing associated with them. It fundamentally claims that by using a "Simple Quasi-Prime INDEX" they can "quickly and accurately identify prime factors (Private Keys) from having only the bi-prime (Public Key)". There are only two ways that sentence can sound to you: the first is "omfg RSA is broken" and the second is "is this bloke a fruitcake?" - more on this later.

How I Discovered TimeAI

So, I don't want to say that I am somehow special, but I was ahead of the curve on all of this nonsense, which starts where all snakeoil starts: on Twitter. I first heard about this on the 31st March at 2:18am when @Me posted a link to a tweet from Chey Cobb on the matter in The Many Hats Club, but the actual paper was published on arXiv on the 20th March, so I was slightly late to the party but the math community were not!

What followed on from me calling out the paper on Chey Cobb's tweet was nothing short of Twitter drama at its finest - however, I digress.

So, as I mentioned, I discovered this at 2:18am, and by 2:29am I was pretty convinced that this was utter snakeoil, so I decided to read it & wait. I waited a few days and, after reading through Twitter, I came to the conclusion that everyone else also thought that this was just complete and utter snakeoil - guess I was right.

The Paper Overview

I'm not going to go into the maths of this paper too much, mostly because there are plenty of fantastic mathematicians who have already broken this paper down, in fact absolutely torn it to shreds; I don't need to attempt to do it again. Before I give a brief overview of the maths, here is a paper by @LargeCardinal - I highly recommend reading it.

As a high-level breakdown, the paper details the use of digital root analysis in order to identify prime numbers. Grant's claim is that by using this technique he can accurately identify prime numbers and factors without the use of trial division or probabilistic methods. It should be clear that this is a very bold claim to make, especially since this is essentially the entire reason why RSA and other algorithms are secure.

If his claim that he can identify prime factors accurately & quickly were true, this would be really impressive work, but the main problem here is that he can't. The main point that you should understand is that the speedup in the computation of primes that the paper advertises is not at all tangible. Another point I should raise is that the way in which they phrase things in the paper is just plain wrong - they make rather bold claims such as a "new classification of quasi primes", despite quasi-primes being an established topic in mathematics.
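To make "not at all tangible" concrete, here is an added example (mine for illustration, not code from the paper or from any of the linked write-ups) showing how little a digital root can tell you. It assumes "digital root" means the usual repeated digit sum, and it does not reproduce the paper's method; the semiprime 10403 = 101 * 103 used in the check is constructed for the demonstration.

```python
from math import isqrt

def digital_root(n: int) -> int:
    """Repeated digit sum of n >= 1; always equals 1 + (n - 1) % 9."""
    while n > 9:
        n = sum(int(d) for d in str(n))
    return n

def sieve(limit: int) -> list[bool]:
    """Sieve of Eratosthenes: is_prime[i] for 0 <= i <= limit."""
    is_prime = [True] * (limit + 1)
    is_prime[0:2] = [False, False]
    for i in range(2, isqrt(limit) + 1):
        if is_prime[i]:
            is_prime[i * i :: i] = [False] * len(range(i * i, limit + 1, i))
    return is_prime

def filter_stats(limit: int) -> dict:
    """Compare a digital-root 'prime filter' with a plain divisible-by-3 test."""
    is_prime = sieve(limit)
    nums = range(4, limit + 1)
    by_root = [n for n in nums if digital_root(n) not in (3, 6, 9)]
    by_mod3 = [n for n in nums if n % 3 != 0]
    primes = sum(is_prime[n] for n in by_root)
    return {
        "same_as_mod3": by_root == by_mod3,   # the filter is just n % 3
        "survivors": len(by_root),
        "primes": primes,
        "composites_passing": len(by_root) - primes,
    }

def factor_root_pairs(n: int) -> list[tuple[int, int]]:
    """Digital-root pairs (a <= b) that two factors of n could have: a*b = n (mod 9)."""
    units = (1, 2, 4, 5, 7, 8)  # the only roots a prime greater than 3 can have
    return [(a, b) for a in units for b in units
            if a <= b and (a * b) % 9 == n % 9]

if __name__ == "__main__":
    print(filter_stats(10_000))
    # Constructed semiprime: 101 * 103
    print(digital_root(10403), factor_root_pairs(10403))
```

Below 10,000 the digital-root filter keeps exactly the numbers that are not multiples of 3, and most of what it keeps is composite. For a semiprime it only narrows the factors' residues mod 9 to three candidate pairs, which is a constant-factor saving no matter how large the modulus is.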

Even more worryingly, TimeAI is claiming to provide a cryptosystem that doesn't rely on prime numbers but instead relies on the use of "time, music’s infinite variability, artificial intelligence, and mathematical constants to generate entangled key pairs". They call this "five dimensional encryption" - what I call this is the writings of an absolute headcase, but after all, he's the polymath here, not me :D

Ultimately, there is way too much bullshit for me to cover in this article specifically, so if you're really interested in the specifics of why this is nonsense then I suggest reading the paper itself, Mark's draft paper, this Twitter thread and also this thread. I've linked all of Mark's stuff as I have a lot of respect for him, but there are a bunch more of these threads you can find explaining exactly why Rob is just... Wrong.

Bruce Schneier wrote a good article on the subject here.

The BlackHat Fiasco

As you probably already know, Crown Sterling paid $115,000 to be a Gold Sponsor of BlackHat in order to give a now infamous talk where they were laughed at and mocked. Quite rightly in my mind: if you're going to promote snakeoil you deserve to be mocked, especially after all of the attempts from the mathematics community to explain why their paper is nonsense.

So during the sponsored talk that Robert Grant was giving, @veorq (JP Aumasson) had a thread going on Twitter, showing the slides and commenting on each one; you can find that here. It's a good thread and I highly recommend going through it, but without a doubt the best part is the video he shows where @dguido (Dan Guido) gets up and states very clearly that Grant doesn't deserve to be there - of course, Grant doesn't agree, he paid for his speaking slot. In fact, according to the lawsuit:

BlackHat had an obligation both to conference attendees and to Crown Sterling to ensure that Crown Sterling was treated only with respect and dignity.

We'll go back to the lawsuit later, but for now I'd like to commend @dguido (Dan Guido) for what he did. He's right in that Grant did not deserve to be there, but due to money he unfortunately was. I must also add here that Dan was chucked out of the room and I pray to God someone bought him a pint for that.

You might be wondering what happened after Dan got chucked out and well, I'm sorry to say the show went on... When I say show I'm referring to the jester being on stage talking about how he "loves maths" whilst simultaneously spewing bullshit. Thinking about it, the more times I watch these videos back the more I think about the level at which Grant's narcissistic personality disorder operates and where it will end.

Well, back to the lawsuit - what's all that about?

I'm going to sum it up for you in just a few words: Grant was offended. I mean really, that's it. He paid some money for a sponsored talk, and while the lawsuit states 'treated only with respect and dignity', what this really means is "absolutely no criticism under any circumstances because I paid money to be here!" - this reaffirms my earlier point where I said he appears to have NPD. Nonetheless, let's take a look at the lawsuit.

If you're going to read the complaint, I highly advise not drinking any liquids whilst you do, because you might, like me, spit Red Bull all over your laptop (yes, that actually happened when I started thinking about writing this article and it was a pain in the ass to clean).

So yeah, the lawsuit! The first thing that stands out to me is this line: 'Black Hat USA’s failure was occasioned by a premeditated, orchestrated attack on Plaintiff Crown Sterling at Black Hat USA 2019, staged by certain industry detractors and competitors.' (Case 1:19-cv-07900, Document 1, filed 08/22/19) - yes, you read that correctly, they genuinely believe that this was "premeditated" and "orchestrated". I need not say more to that point.

Immediately after that ridiculous line sits this: 'In purchasing the highest (“gold”) sponsorship package, Crown Sterling went all in to support the Black Hat conference, trusting that Black Hat USA reasonably would stand by its high standards. But it did not'.

As I said earlier, the money was nothing more than a way of them hoping they would not be criticized, and this statement affirms that. Possibly my favourite part of the lawsuit is this: 'This small group of detractors used this staged “event” to initiate a smear campaign on social media during the conference and immediately after. In that campaign, these detractors defamed Crown Sterling, questioning both its integrity and its cryptography solutions, which they described in one publication as “Snake Oil Crypto.”'

The lawsuit goes on to explain how they paid for sponsorship, how they feel that BlackHat did not fulfill their side of the contractual agreement, blah, blah, blah. I'm not going to dig into the lawsuit any further here (since I'm not a legal expert), so if you're interested you can read the rest here.

The Crown Sterling Demo

The funny part about this is that when I started writing this article, or rather, started to think about writing it, I did not have the courtesy of seeing a "demo" of their theory in action, and believe me when I tell you I'm glad we have one now.

It seems that Robert took his theory to a private event to "demo" it and show people that the content in his paper is not only valid but is usable.

Now there is already an extensive article on this posted by Ars Technica, but the main points are these. Rob stood up on stage and, for his demo, decided that he would crack an RSA key. You might be thinking "finally we have some actual proof", and you're right, we do have proof, just not very useful proof. This is due to the fact that the key he cracked using his method was merely a 256-bit RSA key.

To give you an idea of how ridiculous this demo is, Mark did his own test and actually out-performed Rob's algorithm by around 50% - ironic, right? Similar tests were carried out by others in the math/cryptography community and they got exactly the same/similar results to Mark. What a surprise... Of course, when Rob was called out on this he backpedalled, as you might expect, and went off on a tangent about DES for some bizarre reason. Honestly, I highly recommend you go and read that article by Ars Technica because it's just too funny to miss.

Closing Notes

I appreciate this article is rather long, so I'd just like to say a quick word: while by no means am I a cryptographer, the idea behind this article was to hopefully bring people up to date with the entire story. I've not heard much surrounding TimeAI in a little while, well actually, since mid-September. But I am fairly sure it won't be long before we see some new bullshit from them, given that Grant claimed at the aforementioned private event they are writing a new paper.

I wonder what it will contain; maybe he will tell us how he can use his NPD to break AES256. Who knows. In my personal view Crown Sterling and TimeAI are snakeoil, and I think that to hold any other opinion on that matter would be, quite frankly, ridiculous. I'll do my best to keep track of this story and if anything new comes out, I'll try and do a more technical post for those that wanted that.

If I had to link one thing which summed up this entire situation it would be this video - thanks for reading!

The awesome GIF used in this article is called Dancing Snake and was created by Romulo Pinheiro