thoughts on one time pads
solinym at gmail.com
Fri Jan 27 09:52:09 EST 2006
> I think that's because you missed the point. You're confusing manual
> key distribution (which makes sense in some cases, but is unworkable
> in others) with using a one-time pad (a specific method of encrypting
> information that uses up key material very fast but has a security
Actually, you're right, I was sort of conflating two ideas, since the
system I described is useful both for distributing key material and
for use as a OTP.
Specifically, we can either encrypt text messages using the pad, or
use a portion of the "pad" as a key for something else. And if we're
really paranoid, we can encrypt a de novo key using OTP, which has the
property that the attacker must have that portion of the pad *and* the
transmission containing the OTP-encrypted new key to derive the new
key; merely having the pad doesn't buy you anything.
> Yep. You've got to store the key material safely in transit and at
> the endpoints either way, though, and that's much easier for 256 bit
> AES keys (which can be put inside an off-the-shelf tamper-resistant
> token), and easier still for hashes of public keys (which only have to
> arrive unchanged--it doesn't matter if the bad guys learn the
Yes, but not without cost. Those rest on more and more assumptions.
In theory, it rests on only one assumption; unpredictability of the
pad. In practice it's unbreakable even if your RNG is badly broken
(for example, a bunch of typists asked to type random five-digit
> There are provably secure authentication schemes that use much less
> key material per message. Google for universal hashing and IBC Hash,
> and for provably secure authentication schemes. I seem to recall that
> Stinson has a really nice survey of this either webbed or in his
> book. (Anyone else remember?)
I have his book, I'll check both. I seem to remember him discussing
authentication a lot in the book.
"The generation of random numbers is too important to be left to chance."
-- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
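The pad-as-key-transport idea from the reply above, as an added example that is not code from the thread or its author (Python; the OneTimePad class and function names are my own, and the pad and key bytes are constructed for illustration): both ends hold an identical pad and consume it in lockstep, a text message is XORed with one segment and a freshly generated key is wrapped with the next, and the consumer refuses to ever reissue an offset because reusing a segment leaks the XOR of the two plaintexts.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Hypothetical pad consumer (not from the thread): pad bytes are handed
    out strictly left to right and an offset is never reissued, so one piece
    of key material can never cover two different transmissions."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._used = 0

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def xor(self, data: bytes) -> bytes:
        """Encrypt or decrypt (same operation) with the next unused segment."""
        if len(data) > self.remaining():
            raise ValueError("pad exhausted; never reuse material")
        start = self._used
        self._used += len(data)
        return xor_bytes(data, self._pad[start:self._used])

def exchange(pad: bytes, message: bytes, new_key: bytes):
    """Both ends hold an identical pad and consume it in lockstep: first a
    text message, then a de novo key wrapped with the following segment."""
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    ciphertext = sender.xor(message)
    wrapped_key = sender.xor(new_key)   # attacker needs this AND the pad segment
    got_message = receiver.xor(ciphertext)
    got_key = receiver.xor(wrapped_key)
    return ciphertext, wrapped_key, got_message, got_key, receiver.remaining()

def reuse_leak(segment: bytes, m1: bytes, m2: bytes) -> bytes:
    """Why offsets are never reissued: two ciphertexts under one segment XOR
    to the XOR of the two plaintexts, and the pad drops out entirely."""
    return xor_bytes(xor_bytes(m1, segment), xor_bytes(m2, segment))

if __name__ == "__main__":
    # Constructed pad for the demo; a real pad is the RNG output under discussion.
    pad = os.urandom(1024)
    ct, wk, msg, key, left = exchange(pad, b"meet at noon", os.urandom(32))
    print(msg, len(key), "pad bytes left:", left)
```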
The Cryptography Mailing List