[Cryptography] One-time pads in modern crypto software?

Arnold Reinhold agr at me.com
Sun Feb 21 11:23:56 EST 2021

On 20 Feb 2021 14:00:09 +0100 Kristian Gj?steen wrote:

> It is in general straight-forward to build a version of TLS that uses OTP for confidentiality and a one-time MAC for integrity. There are a lot of details, but it is not theoretically challenging. If you do it right, denial-of-service attacks will not exhaust your key material.
> Should anyone do so? I can?t see why.
> First, there?s no point. There has never been an attack on any system that has amounted to a cryptographic attack on AES (as far as we know). We?ve seen cryptanalytic attacks against other ciphers, but these have in general been known to be weak well before the attacks were developed. We have seen attacks against parameter sets that were known to be weak, but no attacks against reasonably current parameters sets (with respect to cryptologic consensus, not standards). There isn?t much reason to worry about the computational security of AES, at least if you use the 256 bit version. Quantum computers may happen this century, but wide-spread quantum-safe cryptography seems plausible this decade. (Yeah, reasonable people could argue that information theoretic security is anyway better than computational security, so feel free to ignore this.)
> Second, information-theoretic cryptography exacerbates the engineering problems we already have. The attacks on GCM-AES and similar constructions that we have seen discussed here lately, almost always reduce to either key management or nonce management. While these problems are theoretically simple to solve, it turns out that this is not easy to solve for engineers, even engineers allowed to develop security-critical code such as TLS code. The key and nonce management problem for information theoretic security, especially in a TLS context, is much more difficult theoretically. Is it reasonable to expect the engineers working on specifications and implementations of an information-theoretically secure TLS to succeed here?
> Third, computational cryptography provides security that we want, and that information-theoretical cryptography cannot provide. There are, in some sense, roughly speaking, two sorts of key compromise: one where the adversary is interested in what you did, and one where the adversary is interested in what you will be doing. Theoretically, it is fairly easy to defend against the former in an information-theoretic setting, simply by erasing your key. Theoretically, it is also easy to defend against the latter compromise under computational assumptions. This is not possible information-theoretically, I believe. Practically, reliably erasing large amounts of key material is difficult with modern computer hardware (without using a good blender). Practically, modern key exchange schemes are designed to defend against both forms of key compromise, up to impersonation, and my (vague, uncertain) impression is that engineers are capable of using key exchange schemes correctly. Theoretically, ev
> olving keys can be used to defend against some impersonation attacks (it is theoretically impossible to defend against some attacks, but such attacks can to a certain extent be detected). Practically, I would worry about your average implementation of evolving keys, in particular in a TLS setting.
> In other words:
> * We don?t need information-theoretic security.
> * We can?t implement information-theoretic cryptography correctly.
> * We want security that information-theoretic cryptography cannot provide.
> PS. There may be highly specialised applications where information-theoretic security may be appropriate. But I suspect these applications can make do with simpler protocols than TLS, and I would certainly not involve standard e-mail software in such applications.

I would just like to call attention my Terakey concept that was discussed on this list this past July. (https://www.researchgate.net/publication/342697247 <https://www.researchgate.net/publication/342697247>)

It attempts the provide what you call information-theoretic security with high probability, backed up by computational cryptography in rare instances. It also provides a reasonable and auditable alternative to quantum key distribution at much lower cost and without the need for special quantum-coherent communication channels. 

It is not intended as a general purpose drop-in for conventional cryptography in TLS, but it can provide an additional layer of provable security on top of TLS and similar systems that appear to be safe but have never been rigorously proven secure from first principles.

Arnold Reinhold
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210221/56af5206/attachment.htm>

More information about the cryptography mailing list