[Cryptography] One-time pads in modern crypto software?

Christian Huitema huitema at huitema.net
Sat Feb 20 21:56:38 EST 2021

On 2/20/2021 6:16 AM, Peter Gutmann wrote:

> Kristian Gjøsteen<kristian.gjosteen at ntnu.no>  writes:
>> The attacks on GCM-AES and similar constructions that we have seen discussed
>> here lately, almost always reduce to either key management or nonce
>> management.
> And that would be one reason why you don't want to use TLS with a OTP.  We
> can't even get working with 128-256 bits of key + nonce right, how are we
> going to deal with OTPs which are nothing but key?

Could be quite simple if you use the OTP as a source of shared secrets. 
Consider for example the "shared secret" variant of TLS. The client 
provides an identifier of the shared secret, which could be something 
like name of OTP + offset + length. Server recognizes that. Both get a 
set of bits from the OTP, then use the bits in TLS exactly the same way 
they could currently use a shared secret. Derive a master secret, and 
then key and nonce for your favorite AEAD algorithm using all the 
existing TLS machinery. Very little new code required.

-- Christian Huitema

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210220/b7685ea3/attachment.htm>

More information about the cryptography mailing list