[Cryptography] One-time pads in modern crypto software?

Jerry Leichter leichter at lrw.com
Wed Feb 17 10:23:24 EST 2021


...and, of course, my proposal immediately fails after 5 minutes more of thought:  Because everything is linear and commutative, an attacker can flip a bit of the message and also flip the next "check" bit and everything will appear fine.

This linearity is the real root of the difficulty - and unavoidable as long as you only consider single bits since XOR is the only invertible combining function.  (Well, there's XOR with NOT but that's completely equivalent.)  I've always wondered why we don't use combining functions on (tiny) blocks.  For example, map groups of k bits of plaintext and k bits of pad to produce k bits of ciphertext.  There are many ways to do this that are invertible but are not commutative, even for quite small k.

I've suggested this in the past and the answer was always "you need an authentication mode on top of your OTP encryption anyway so why bother."  But if we could get an authentication mode with no additional mathematical assumptions ... it might be worthwhile.
                                                        -- Jerry
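Added example, not code from the post or its author. Part 1 models the linear scheme the post rejects (XOR pad plus a single parity "check" bit masked by one pad bit) and shows why a bit flip plus a check-bit flip passes: every quantity is linear in the plaintext, so the attacker knows how both change without knowing the pad. Part 2 takes k = 4 and uses one assumed instance of an invertible, non-linear combining function, c = S(p XOR pad) with S a fixed public 4-bit bijection (the PRESENT cipher's S-box, chosen only as a convenient permutation), and measures how a ciphertext bit flip propagates to the recovered plaintext across all 16 pad values. The message, the fixed pad and the function names are constructed for the demo; the example shows only that the attacker's change becomes pad-dependent, not that this by itself constitutes an authentication mode.

```python
"""Toy comparison of a linear XOR pad + parity check versus a non-linear
4-bit combining function.  All inputs are constructed for illustration."""

# ---------- Part 1: XOR pad + linear parity check (the post's scheme) ----------

def parity(data: bytes) -> int:
    """XOR of all bits in a byte string (0 or 1)."""
    return sum(bin(b).count("1") for b in data) & 1


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_linear(msg: bytes, pad: bytes) -> tuple[bytes, int]:
    """Returns (ciphertext, check).  pad has len(msg)+1 bytes; the low bit
    of its last byte masks the parity check bit."""
    assert len(pad) == len(msg) + 1
    ct = xor_bytes(msg, pad[:-1])
    check = parity(msg) ^ (pad[-1] & 1)
    return ct, check


def decrypt_linear(ct: bytes, check: int, pad: bytes) -> tuple[bytes, bool]:
    """Returns (message, check_passed)."""
    msg = xor_bytes(ct, pad[:-1])
    return msg, parity(msg) == (check ^ (pad[-1] & 1))


def tamper_linear(ct: bytes, check: int, byte_idx: int, bit: int) -> tuple[bytes, int]:
    """The manipulation the post describes: flipping one ciphertext bit flips
    the same plaintext bit, which toggles the parity, so the check bit is
    flipped too.  No knowledge of the pad is needed for either step."""
    ct2 = bytearray(ct)
    ct2[byte_idx] ^= 1 << bit
    return bytes(ct2), check ^ 1


def linear_demo() -> tuple[bytes, bool]:
    """Constructed demo: '1' (0x31) becomes '9' (0x39) and the check still passes."""
    msg = b"PAY 100 TO ALICE"
    # Constructed, fixed pad so the run is reproducible (a real pad is random).
    pad = bytes((i * 37 + 11) & 0xFF for i in range(len(msg) + 1))
    ct, check = encrypt_linear(msg, pad)
    ct2, check2 = tamper_linear(ct, check, byte_idx=4, bit=3)
    return decrypt_linear(ct2, check2, pad)


# ---------- Part 2: a non-linear 4-bit combining function ----------

# Fixed public 4-bit bijection (the PRESENT S-box), used only as a permutation
# of 0..15; any bijection would serve the same purpose here.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]


def combine_xor(p: int, k: int) -> int:
    return p ^ k


def uncombine_xor(c: int, k: int) -> int:
    return c ^ k


def combine_sbox(p: int, k: int) -> int:
    """c = S(p XOR k): invertible in p for every fixed pad nibble k."""
    return SBOX[p ^ k]


def uncombine_sbox(c: int, k: int) -> int:
    return SBOX_INV[c] ^ k


def plaintext_deltas(combine, uncombine, p: int, flip: int) -> set[int]:
    """For every possible pad nibble k, flip the ciphertext bits in `flip` and
    record how the recovered plaintext changed (p' XOR p).  A one-element set
    means the change is pad-independent (the attacker controls it); several
    elements mean it depends on the pad the attacker does not have."""
    deltas = set()
    for k in range(16):
        c = combine(p, k)
        assert uncombine(c, k) == p  # sanity check: combining is invertible
        deltas.add(uncombine(c ^ flip, k) ^ p)
    return deltas


if __name__ == "__main__":
    print(linear_demo())                                              # (b'PAY 900 TO ALICE', True)
    print(sorted(plaintext_deltas(combine_xor, uncombine_xor, 5, 1)))   # [1]
    print(sorted(plaintext_deltas(combine_sbox, uncombine_sbox, 5, 1))) # several values
```

With XOR the set of plaintext changes has one element for any flip, which is exactly the linearity the post identifies; with the S-box combining function the same flip produces different plaintext changes for different pad nibbles, so a receiver-side check that depends on the plaintext can no longer be compensated for blindly. Whether that is enough to build a check with no extra assumptions is the open question the post raises, not something this toy settles.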