[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

Herzberg, Amir amir.herzberg at uconn.edu
Mon Sep 8 06:05:01 EDT 2025


Steve is right: OTP could be used, although, obviously, only in special scenarios, as exchanging the keys would indeed be a challenge. In fact, it's a bit like the huge advantage that PKC has, making it so much easier to establish keys between entities. Easier; but, at least for some applications, we can also manage w/o PKC (if we have to).

But let me mention that there's another advantage for evaluating OTP-based designs: modularity. They allow one to separate the challenge of establishing a secure design (assuming an OTP), from the challenge of establishing the OTP. Of course, a typical mechanism to 'establish the OTP' would only ensure a pseudorandom string, which is 'only' computationally-secure, but the separation makes it harder to design a (computationally) secure system.

Best, Amir

--
Amir Herzberg

Comcast professor of Security Innovations,
Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
Applied Introduction to Cryptography and Cybersecurity: <https://sites.google.com/site/amirherzberg/cybersecurity> https://sites.google.com/site/amirherzberg/crypto-cyber-book
________________________________
From: cryptography <cryptography-bounces+amir.herzberg=uconn.edu at metzdowd.com> on behalf of Steven M. Bellovin <smb at cs.columbia.edu>
Sent: Sunday, September 7, 2025 10:21 PM
To: Ron Garret <ron at flownet.com>
Cc: Andrew Lee <andrew at joseon.com>; cryptography at metzdowd.com <cryptography at metzdowd.com>
Subject: Re: [Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat


On 7 Sep 2025, at 14:48, Ron Garret wrote:

>
> Sure.  But there are certain things that are just a waste of time, like creationism, flat-eartherism, lunar-landing denialism, and perpetual motion machines.  One-time pads fall into this category, for a very simple reason: if you had a secure way to distribute an OTP you could use that same mechanism to securely distribute a message and you would not need the OTP.  (This is not quite true.  There is one use case for an OTP, which is that you have a secure way to distribute it at one time, and you want to send a secure message using that OTP at a later time.  But this is an extremely rare circumstance, and it never applies to the stated use case for Ghostline.)
>
> So this is not arbitrary dismissal of an idea for superficial reasons, this is pointing out that the idea being advanced is not new, but rather one that is proposed by crackpots on the regular, and that there is a well-known and sound reason for dismissing it out of hand.
>
I disagree. Creationism, flat-eartherism, etc., are blatant nonsense and aren't worth any attention at all. But one-time pads have been and have been used in the real world. The German diplomatic service used them in the early 1920s (source: Kahn, "The Codebreakers", chap. 13), Soviet spies (Kahn, chap. 18, and yes, I know about Venona), the Washington-Moscow hotline (Kahn, chap. 19), during World War II by the US and Britain (SIGSALY: https://www.nsa.gov/portals/75/documents/about/cryptologic-heritage/historical-figures-publications/publications/wwii/sigsaly.pdf and https://www.cryptomuseum.com/crypto/usa/sigsaly/), and US military communications during that war ("The Friedman Legacy", https://www.govinfo.gov/content/pkg/GOVPUB-D-PURL-gpo52787/pdf/GOVPUB-D-PURL-gpo52787.pdf, p. 164). I'm sure there are many more examples, but those are the ones that come to mind.

Yes, they're hard to use properly—even producing the keying material is hard, to say nothing of avoiding key reuse (see Venona and Friedman), and distribution can be difficult in many situations. I've often referred to one-time pads as "theoretically secure and practically useless". But they have been and can be used—even in the last World War II example I cite, they produced five copies of the tapes, to permit different communication patterns.

(Btw, if you're interested in the history of the Vernam-Mauborgne one-time pad, see https://mice.cs.columbia.edu/getTechreport.php?techreportID=1576&format=pdf&; if you're interested in the actual invention of it in 1882, see https://mice.cs.columbia.edu/getTechreport.php?techreportID=1460&format=pdf&. Both papers were formally published but paywalled; these versions are publicly available.)

        --Steve Bellovin, https://www.cs.columbia.edu/~smb
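
Added example, not part of either message or of the GhostLine paper: a sketch of the modularity point and of the key-reuse hazard raised in the thread. The sealing layer is written against a pad interface that can be backed either by pre-shared random bytes or by a string expanded from a short seed. All class and function names, the SHAKE-256 expansion and the sample messages are assumptions made for illustration.

```python
import hashlib
import secrets


class PadExhausted(Exception):
    """Raised instead of ever handing out the same pad bytes twice."""


class TruePad:
    """Pre-shared random pad; sender and receiver hold identical copies."""

    def __init__(self, material: bytes):
        self._material, self._offset = material, 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._material):
            raise PadExhausted("pad used up; never wrap around")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n  # consumed bytes are never returned again
        return chunk


class PrgPad(TruePad):
    """Pad expanded from a short seed: computationally secure at best."""

    def __init__(self, seed: bytes, length: int):
        super().__init__(hashlib.shake_256(seed).digest(length))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(pad, message: bytes) -> bytes:
    """Design layer: same code whichever pad source is plugged in.
    XOR is its own inverse, so seal() also opens a ciphertext."""
    return xor(message, pad.take(len(message)))


def reuse_leak(material: bytes, m1: bytes, m2: bytes) -> bytes:
    """Misuse: two messages sealed from offset 0 of the same material.
    The pad cancels, leaving m1 XOR m2 with no key needed."""
    return xor(seal(TruePad(material), m1), seal(TruePad(material), m2))


if __name__ == "__main__":
    material = secrets.token_bytes(64)  # constructed sample pad
    ct = seal(TruePad(material), b"meet at noon")
    print(seal(TruePad(material), ct))
    print(reuse_leak(material, b"hello", b"world") == xor(b"hello", b"world"))
```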