[Cryptography] OTP as WKBI, New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

John Levine johnl at iecc.com
Mon Sep 8 09:49:18 EDT 2025


It appears that Steven M. Bellovin <smb at cs.columbia.edu> said:
>Yes, they're hard to use properly—even producing the keying material is hard, to say nothing of avoiding key reuse (see Venona and
>Friedman), and distribution can be difficult in many situations. I've often referred to one-time pads as "theoretically secure and
>practically useless". But they have been and can be used—even in the last World War II example I cite, they produced five copies of
>the tapes, to permit different communication patterns.

True, but we all seem to agree that's the exception, where the mechanism to
distribute the keys is different from the one to exchange messages. I could
imagine a scenario where before a trip to Intrusivestan, your office has a shelf
of pairs of DVD-R recorded from a physical white noise source, and you put a few
of them in your bag. Your crypto protocol could be little more than "start at
disk 34735, track 14" followed by the encrypted data, ideally with some way to
physically mark the track so you can't use it again. But that's a pretty narrow
use case.

OTPs aren't nonsense but they're what I call a Well Known Bad Idea, something
that people keep reinventing but that always hits the same implementation wall.
(In the e-mail world where I spend too much time, the classic is "charge 1c per
message and spam will go away.")

I'd say that if you want to propose a WKBI, sure, go ahead, but it's on you to
show that you know why it's failed before, and why this time is different.

R's,
John
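The disk/track scheme sketched above, as an added example that is not part of the thread: both parties hold a copy of the shelf, each strikes a track off its own copy the moment it is used, and the last function shows why that strike-off matters (reusing a track cancels the key, the Venona failure mentioned earlier). The disk and track numbering, the header wording and the random source are assumptions.

```python
import re
import secrets

class PadReused(Exception):
    """Raised when a disk/track pair is requested a second time."""

class PadShelf:
    """disks: {disk_id: [track0_bytes, track1_bytes, ...]}, a constructed
    stand-in for the DVD-R pairs; each party keeps its own copy and its own
    record of which tracks it has struck off."""
    def __init__(self, disks):
        self.disks = {d: list(t) for d, t in disks.items()}
        self.consumed = set()  # (disk, track) pairs already used

    @classmethod
    def generate(cls, disk_ids, tracks_per_disk, track_len):
        # Stand-in for the physical white-noise source.
        return cls({d: [secrets.token_bytes(track_len) for _ in range(tracks_per_disk)]
                    for d in disk_ids})

    def take(self, disk, track):
        if (disk, track) in self.consumed:
            raise PadReused(f"disk {disk}, track {track} already used")
        self.consumed.add((disk, track))  # "physically mark the track"
        return self.disks[disk][track]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

HEADER = re.compile(r"start at disk (\d+), track (\d+)")

def seal(shelf, disk, track, plaintext):
    """Sender: the header names the pad position; the body is plaintext XOR pad."""
    key = shelf.take(disk, track)
    if len(plaintext) > len(key):
        raise ValueError("message longer than one track")
    return f"start at disk {disk}, track {track}", xor(plaintext, key)

def unseal(shelf, header, ciphertext):
    """Receiver: parse the position, strike the track off its own copy, XOR back."""
    disk, track = map(int, HEADER.fullmatch(header).groups())
    return xor(ciphertext, shelf.take(disk, track))

def two_time_pad_leak(ct1, ct2):
    """Why the strike-off matters: two messages under the same track give
    ct1 XOR ct2 == pt1 XOR pt2; the key cancels out entirely."""
    return xor(ct1, ct2)
```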
