[Cryptography] RIP Claude Shannon

Jerry Leichter leichter at lrw.com
Wed Feb 24 05:50:19 EST 2016


> As a mental exercise, assume that you have a low-latency, high-bandwidth mechanism to transmit pads, something suitable for use on the Internet. Now -- why can't you optimize by instead of transmitting your pads with this, just transmit the message?
Actually, this illustrates when one-time pads might be appropriate:  If your communications are *asymmetrical*, so that you have a low-latency, high-bandwidth, *secure* (you left that part out) channel in one direction but not the other.

Historically, the asymmetry was often in time:  It existed when the system was put in place, but not later.  When you prepare your spy, you can give him a large quantity of keying material which he can carry with him.  When he needs to report his findings, he has no secure channel to report on, but can create one using the keying material.

In fact, any system with pre-shared keys involves the same asymmetry.  Cryptographic functions don't eliminate the need for the *secure* "outgoing" channel - they simply "stretch" the initial shared secret immensely so that the "high-bandwidth" part goes away.  (Whether "low-latency" is an issue depends on other details - in the classic spy case, it might take days for the one-time pads to reach their destination - but if they were traveling along with the spy, the effective additional latency is zero.)

You might think that public-key systems eliminate the whole problem - and for pure secrecy, they do.  But if you want to know *who* you're sending your information to, you need to get the initial trust base out there *somehow*.

                                                        -- Jerry
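An added example (not part of Jerry's post or the list archive) that makes the "stretching" point concrete: a one-time pad consumes as many pad bytes over the one-way secure channel as there is plaintext to send, while a short pre-shared secret expanded by a PRF covers unlimited traffic once 32 bytes have crossed that channel. The HMAC-SHA256 counter-mode keystream, the 64-byte pad, the "field reports" and the seeds are all constructed for the demo; the stream construction is illustrative, not a vetted cipher.

```python
import hashlib
import hmac

SECRET_LEN = 32  # bytes of pre-shared secret in the "stretched" case


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, message: bytes) -> tuple[bytes, bytes]:
    """One-time pad: each message byte consumes one pad byte that had to
    travel over the secure channel. Returns (ciphertext, unused_pad)."""
    if len(pad) < len(message):
        raise ValueError(
            f"pad exhausted: need {len(message)} bytes, have {len(pad)}")
    used, unused = pad[:len(message)], pad[len(message):]
    return xor_bytes(used, message), unused


def otp_decrypt(pad: bytes, ciphertext: bytes) -> tuple[bytes, bytes]:
    """Decryption is the same XOR and consumes the same pad bytes."""
    return otp_encrypt(pad, ciphertext)


def stretched_keystream(secret: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Stretch a short pre-shared secret into nbytes of keystream using
    HMAC-SHA256 in counter mode. Assumption: this illustrative PRF-based
    stream is fine for a demo; a deployment would use a standard AEAD.
    The secure channel only ever has to carry the 32-byte secret."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = hmac.new(secret, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:nbytes])


def stream_encrypt(secret: bytes, nonce: bytes, message: bytes) -> bytes:
    """XOR with a fresh keystream; a nonce must never repeat under one secret."""
    return xor_bytes(stretched_keystream(secret, nonce, len(message)), message)


def stream_decrypt(secret: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return stream_encrypt(secret, nonce, ciphertext)


def secure_channel_cost(messages: list[bytes]) -> dict[str, int]:
    """Bytes that must cross the one-way secure channel in advance: an OTP
    needs as much pad as total plaintext; the stretched secret needs
    SECRET_LEN once, whatever the traffic volume."""
    return {
        "otp_pad_bytes": sum(len(m) for m in messages),
        "stretched_secret_bytes": SECRET_LEN,
    }


def demo() -> dict[str, int]:
    """Run both schemes over constructed 'reports from the field'."""
    reports = [b"arrived safely", b"contact made at the station",
               b"shipment leaves friday morning"]  # constructed sample traffic
    # Constructed, deterministic 64-byte pad for the demo; a real pad must be
    # truly random and delivered out of band.
    pad = hashlib.sha256(b"demo pad seed").digest() * 2
    sent = 0
    for r in reports:
        try:
            _ct, pad = otp_encrypt(pad, r)
            sent += 1
        except ValueError:
            break  # pad exhausted: no more secure reports until resupply
    secret = hashlib.sha256(b"demo secret seed").digest()  # 32 bytes
    stretched_ok = all(
        stream_decrypt(secret, i.to_bytes(4, "big"),
                       stream_encrypt(secret, i.to_bytes(4, "big"), r)) == r
        for i, r in enumerate(reports))
    cost = secure_channel_cost(reports)
    cost["otp_reports_sent_with_64_byte_pad"] = sent
    cost["stretched_reports_sent"] = len(reports) if stretched_ok else 0
    return cost


if __name__ == "__main__":
    print(demo())
```

With the three constructed reports (71 bytes in total) the 64-byte pad runs out on the third one, whereas the 32-byte secret handles all three and any number after them; that difference is the "high-bandwidth part going away" in the post, and the 32 bytes that still have to be delivered securely are the asymmetry that does not.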


