[Cryptography] One-time pads in modern crypto software?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 20 09:16:25 EST 2021

Kristian Gjøsteen <kristian.gjosteen at ntnu.no> writes:

>The attacks on GCM-AES and similar constructions that we have seen discussed
>here lately, almost always reduce to either key management or nonce

And that would be one reason why you don't want to use TLS with a OTP.  We
can't even get working with 128-256 bits of key + nonce right, how are we
going to deal with OTPs which are nothing but key?


More information about the cryptography mailing list