Cyph is a cryptographically secure messaging and social networking service, providing an extreme level of privacy combined with best-in-class ease of use. A question that often comes up is what makes it unique, or in what ways is it better than some other service.
This isn’t a straightforward question to answer, as security isn’t just a binary property that can be flipped on and off, and means different things to different people depending on their threat model. This is further complicated by the wide range of competition — from the Signal messenger, which is understood to have a solid cryptographic implementation, to many others that claim to offer “secure” or “end-to-end encrypted” communication yet often contain glaring security flaws.
To give a short answer: only Cyph automatically mitigates man-in-the-middle attacks (with no manual in-person fingerprint verification), offers both native apps and cryptographically secure web access (thanks to WebSign), and as a bonus protects present-day encrypted data from future quantum computing attacks.
If you’re interested in how that all works, keep reading!
The Cyph platform broadly accomplishes two goals:
- Enable novel functionality not seen in other cryptographic applications
- Surpass the security properties of state-of-the-art cryptographic applications
To expand on #1: Cyph’s primary goal is to provide functionality and ease-of-use that rival mainstream non-secure solutions, without compromising on security:
- It’s well understood by security professionals that cryptography cannot be securely performed from a website; for this reason, alternatives either don’t provide a web app (such as Signal and Coinbase Wallet), or do provide a web app despite the fact that opening it even once can leak all of a user’s private data (such as ProtonMail, WhatsApp, and the BTC.com wallet).
Cyph uniquely is able to offer both web and native apps (securely) thanks to the patented technology WebSign, which was the basis of research presentations at the Black Hat and DEF CON conferences.
- Alternatives are largely limited to storing data on devices’ local storage and transferring it peer-to-peer. While this has benefits with regards to obfuscating metadata of the social graph from outside observers, it significantly limits potential functionality and is associated with the sometimes-uncomfortable user experience quirk of phone numbers being used in place of usernames.
Cyph instead uses a more traditional centralized architecture, protecting all private data with end-to-end encryption (such that only the intended audience can decrypt and view any content) and protecting all public data with end-to-end signing (such that all content is guaranteed authentic and unmodified by anyone other than the indicated author). In terms of chat functionality, this means that a user’s Cyph logs are synchronized and consistent across all of their devices. In terms of wallet functionality, this means that a user’s funds are accessible in real time from any device, backed up to mitigate accidental loss, and not held in escrow or otherwise accessible by service administrators. It also facilitates substantial additional functionality that otherwise isn’t provided in a cryptographically secure way by any existing solution.
To expand on #2: at a minimum, Cyph would ideally provide at least equivalent security to the best alternative cryptographically secure solutions. However, it actually provides the following security improvements:
- Alternative messengers allow users to communicate with unauthenticated encryption, leaving them vulnerable to a man-in-the-middle attack (wherein a third party would secretly sit in the middle of their session and read their messages). The standard solution is to allow users to optionally verify their session after the fact, which must be done in person. This problem is exacerbated by the fact that a new encryption key pair is uniquely generated on each of a user’s devices, thus requiring potentially numerous manual in-person verifications between any given pair of users in order to reap the intended benefits of the encryption.
Cyph solves this by generating a single long-lived key pair per user, and authenticating each one by issuing a long-lived PKI certificate from a custom device that uses air gapped cold storage and unidirectional networking to protect the signing key from exfiltration. In exchange for a one-time delay upon signup (pending one of the Cyph founders manually invoking the certificate issuance), users are protected from this attack vector.
- Alternatives use encryption that is theoretically vulnerable to efficient brute force attacks by quantum computers. Even if no quantum computer with a sufficient number of qubits to perform this attack is known to exist at present, as soon as one does come into existence, it will be able to retroactively decrypt all the communication and online data storage currently taking place through these solutions.
Cyph solves this by leveraging various cryptographic primitives that are considered by current cryptanalysis to be resistant to quantum computing. While these primitives are relatively newer and less well understood (being an active area of research), they’re used in combination with classical equivalents in such a way that a vulnerability in one wouldn’t reduce the security of Cyph’s cryptography to below that of the classical equivalent on its own.
In short, Cyph makes strong security accessible to mere mortals, while also opportunistically hardening it further.