thoughts on one time pads

Travis H. solinym at
Fri Jan 27 09:52:09 EST 2006

> I think that's because you missed the point.  You're confusing manual
> key distribution (which makes sense in some cases, but is unworkable
> in others) with using a one-time pad (a specific method of encrypting
> information that uses up key material very fast but has a security
> proof).

Actually, you're right, I was sort of conflating two ideas, since the
system I described is useful both for distributing key material and
for use as an OTP.

Specifically, we can either encrypt text messages using the pad, or
use a portion of the "pad" as a key for something else.  And if we're
really paranoid, we can encrypt a de novo key using OTP, which has the
property that the attacker must have that portion of the pad *and* the
transmission containing the OTP-encrypted new key to derive the new
key; merely having the pad doesn't buy you anything.

> Yep.  You've got to store the key material safely in transit and at
> the endpoints either way, though, and that's much easier for 256 bit
> AES keys (which can be put inside an off-the-shelf tamper-resistant
> token), and easier still for hashes of public keys (which only have to
> arrive unchanged--it doesn't matter if the bad guys learn the
> hashes).

Yes, but not without cost.  Those rest on more and more assumptions.

In theory, it rests on only one assumption: unpredictability of the
pad.  In practice it's unbreakable even if your RNG is badly broken
(for example, a bunch of typists asked to type random five-digit

> There are provably secure authentication schemes that use much less
> key material per message.  Google for universal hashing and IBC Hash,
> and for provably secure authentication schemes.  I seem to recall that
> Stinson has a really nice survey of this either webbed or in his
> book.  (Anyone else remember?)

I have his book, I'll check both.  I seem to remember him discussing
authentication a lot in the book.

"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
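
The "encrypt a de novo key using the pad" step discussed above, as an added example that is not from the post or the list: a fresh key is XORed with the next unspent pad segment and the segment is burned, so a second use is refused, and a helper shows that any guessed key is consistent with the ciphertext alone. `PadStore`, `wrap_new_key`, `unwrap_new_key` and `pad_consistent_with` are hypothetical names; the pad and key are constructed in `demo()`.

```python
import secrets

class PadStore:
    """One party's copy of a shared pad plus a cursor of how much is spent.
    Spent bytes are overwritten, so a segment can never be used twice."""
    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self.used = 0

    def consume(self, offset: int, n: int) -> bytes:
        # Only the next unspent segment may be taken: reuse or out-of-order
        # use is refused rather than silently breaking the one-time property.
        if offset != self.used:
            raise ValueError(f"pad segment at offset {offset} already spent")
        if offset + n > len(self._pad):
            raise ValueError("pad exhausted")
        seg = bytes(self._pad[offset:offset + n])
        self._pad[offset:offset + n] = bytes(n)   # burn the material
        self.used += n
        return seg

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_new_key(sender: PadStore, new_key: bytes):
    # Sender: XOR the fresh key with the next pad segment; the message carries
    # (offset, ciphertext) so the receiver can locate the same segment.
    offset = sender.used
    return offset, xor(new_key, sender.consume(offset, len(new_key)))

def unwrap_new_key(receiver: PadStore, offset: int, ciphertext: bytes) -> bytes:
    return xor(ciphertext, receiver.consume(offset, len(ciphertext)))

def pad_consistent_with(ciphertext: bytes, candidate_key: bytes) -> bytes:
    # For any guessed key there is a pad segment that decrypts the ciphertext
    # to it, so ciphertext alone says nothing about the key (nor does pad alone).
    return xor(ciphertext, candidate_key)

def demo():
    pad = secrets.token_bytes(64)        # constructed shared pad, both copies
    alice, bob = PadStore(pad), PadStore(pad)
    new_key = secrets.token_bytes(32)    # de novo 256-bit key to distribute
    offset, ct = wrap_new_key(alice, new_key)
    recovered = unwrap_new_key(bob, offset, ct)
    try:                                 # Bob's copy refuses a second use
        bob.consume(offset, 32)
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    return recovered == new_key, reuse_blocked, offset
```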

The Cryptography Mailing List