[Cryptography] One-time pads in modern crypto software?

Christian Huitema huitema at huitema.net
Sat Feb 20 21:56:38 EST 2021


On 2/20/2021 6:16 AM, Peter Gutmann wrote:

> Kristian Gjøsteen <kristian.gjosteen at ntnu.no> writes:
>
>> The attacks on GCM-AES and similar constructions that we have seen discussed
>> here lately, almost always reduce to either key management or nonce
>> management.
> And that would be one reason why you don't want to use TLS with an OTP.  We
> can't even get working with 128-256 bits of key + nonce right, how are we
> going to deal with OTPs which are nothing but key?


Could be quite simple if you use the OTP as a source of shared secrets. 
Consider for example the "shared secret" variant of TLS. The client 
provides an identifier of the shared secret, which could be something 
like name of OTP + offset + length. Server recognizes that. Both get a 
set of bits from the OTP, then use the bits in TLS exactly the same way 
they could currently use a shared secret. Derive a master secret, and 
then key and nonce for your favorite AEAD algorithm using all the 
existing TLS machinery. Very little new code required.

-- Christian Huitema
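The PSK-style flow sketched above, as an added example that is not from the post or from any TLS implementation: the identity carries pad name + offset + length, both sides pull the same pad bytes, a non-reuse check refuses overlapping ranges, and an HKDF-SHA256 stand-in (an assumption, not the real TLS key schedule; the byte layout, labels and `PadStore` class are also constructed) turns the bits into an AEAD key and IV.

```python
import hashlib
import hmac
import struct
def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    # RFC 5869 expand, single block: enough for outputs up to 32 bytes.
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

class PadStore:
    # One party's copy of a named pad plus the ranges already handed out.
    def __init__(self, name, pad):
        self.name, self.pad, self.used = name, pad, []

    def take(self, offset, length):
        if offset < 0 or length <= 0 or offset + length > len(self.pad):
            raise ValueError("range outside pad")
        # A pad byte must never serve twice: reject any overlap with a prior range.
        if any(offset < end and start < offset + length for start, end in self.used):
            raise ValueError("pad reuse")
        self.used.append((offset, offset + length))
        return self.pad[offset:offset + length]

def encode_identity(name, offset, length):
    # PSK identity = pad name + offset + length, as proposed (byte layout is constructed).
    n = name.encode()
    return struct.pack(">B", len(n)) + n + struct.pack(">QI", offset, length)

def decode_identity(identity):
    n = identity[0]
    offset, length = struct.unpack(">QI", identity[1 + n:13 + n])
    return identity[1:1 + n].decode(), offset, length

def derive_keys(psk, client_random, server_random):
    # Simplified stand-in for the TLS key schedule (assumption): HKDF-SHA256 binds
    # the pad bits to both hello randoms, then expands an AEAD key and IV.
    master = hkdf_extract(client_random + server_random, psk)
    return hkdf_expand(master, b"aead key", 16), hkdf_expand(master, b"aead iv", 12)

def psk_handshake(client, server, offset, length, client_random, server_random):
    # Returns (client_keys, server_keys); they match when both hold the same pad.
    identity = encode_identity(client.name, offset, length)  # carried in ClientHello
    client_psk = client.take(offset, length)
    name, off, ln = decode_identity(identity)                # server parses it
    if name != server.name:
        raise KeyError("unknown pad")
    server_psk = server.take(off, ln)
    return (derive_keys(client_psk, client_random, server_random),
            derive_keys(server_psk, client_random, server_random))
```

Each `PadStore` records consumed ranges only in memory; a real deployment would have to persist that bookkeeping on both ends, since a lost record is exactly how pad bytes get reused.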
