[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

Jerry Leichter leichter at lrw.com
Tue Sep 9 21:53:44 EDT 2025


> 2. On Your Mischaracterization of QKD and PKI
> 
> Your assertion that "the whole point of quantum key distribution and PKI is to eliminate the need for out-of-band communications" is categorically false and demonstrates a surprising gap in your knowledge of cryptographic trust roots.
> 
> Public Key Infrastructure (PKI): PKI absolutely relies on out-of-band mechanisms for its security. The trust in a certificate authority (CA) is ultimately rooted in the pre-distribution of the CA's root certificates into your browser or operating system. This distribution is a secure out-of-band 
> process....
> 
> Quantum Key Distribution (QKD): While QKD secures the channel against eavesdropping, it requires an authenticated classical channel to prevent man-in-the-middle attacks....

You're missing the forest for the trees here.  According to your apparent definition of an out-of-band channel, traditional symmetric cryptography is impossible - after all, Alice and Bob had to share the key somehow.  Yes, Diffie-Hellman key exchange appears to avoid any need for an initial secure channel - but then you get to the issue of authentication - and as I've argued here in the past, it's hard to make much sense of the very notion of "authentication" in the absence of some secure connection to establish just what you're authenticating.

But more fundamentally, the exchange of private keys, certs, and such does not require a secure out-of-band channel in the same sense as one-time pads do because the information exchanged securely for these protocols can be used to protect an exponentially larger amount of data.  With a true one-time-pad, you need to securely exchange one bit of pad for each bit of data.  That's a very, very different requirement.

(And, no, computing additional bits beyond the exchanged one-time-pad by tricks like ratchets does *not* give you a larger one-time-pad.  The new bits are *not* random and the information-theoretical security proof goes out the window.  You're simply left with some stream cipher with an unusually large key, whose strength you don't know until you analyze it fully - but it's unlikely that the strength it gives you is sufficient to pay back the cost of requiring some huge initial key.)
                                                        -- Jerry
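The point in the last paragraph about stretched pads can be checked by brute force on a toy message space. The following is an added example, not code from the post or from the GhostLine paper: a hash-based expansion (a hypothetical stand-in for a ratchet) turns a short seed into a longer keystream, and enumeration shows that a true one-time pad leaves every plaintext consistent with a given ciphertext, while the stretched pad leaves at most 2^(seed bits) of them, so perfect secrecy no longer holds.

```python
import hashlib


def expand_pad(seed: int, seed_bits: int, out_bits: int) -> int:
    """Stand-in for a ratchet: stretch a short seed into a longer keystream by
    hashing it (hypothetical construction, for the demonstration only).
    The output is a deterministic function of the seed, so at most
    2**seed_bits distinct keystreams can ever come out, whatever out_bits is.
    Assumes out_bits <= 256 (one SHA-256 digest)."""
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    digest = hashlib.sha256(seed_bytes).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def true_otp_keystreams(msg_bits: int) -> set[int]:
    """A genuine one-time pad: one fresh random bit per message bit, so every
    msg_bits-long keystream is possible (and equally likely)."""
    return set(range(1 << msg_bits))


def stretched_keystreams(seed_bits: int, msg_bits: int) -> set[int]:
    """Every keystream the expansion can produce from a seed_bits-bit seed."""
    return {expand_pad(s, seed_bits, msg_bits) for s in range(1 << seed_bits)}


def consistent_plaintexts(ciphertext: int, keystreams: set[int]) -> set[int]:
    """Plaintexts an observer of the ciphertext cannot rule out."""
    return {ciphertext ^ k for k in keystreams}


def perfect_secrecy_holds(keystreams: set[int], msg_bits: int) -> bool:
    """Perfect secrecy: every ciphertext is consistent with every plaintext."""
    all_messages = set(range(1 << msg_bits))
    return all(consistent_plaintexts(c, keystreams) == all_messages
               for c in all_messages)


if __name__ == "__main__":
    BITS = 8
    otp = true_otp_keystreams(BITS)
    stretched = stretched_keystreams(4, BITS)   # 4 random bits stretched to 8
    c = 0xA5                                    # constructed sample ciphertext
    print("true OTP, perfect secrecy:", perfect_secrecy_holds(otp, BITS))
    print("stretched pad, perfect secrecy:", perfect_secrecy_holds(stretched, BITS))
    print("plaintexts left open by OTP:", len(consistent_plaintexts(c, otp)))
    print("plaintexts left open by stretched pad:",
          len(consistent_plaintexts(c, stretched)))
```

Whatever function replaces the hash (a real ratchet included), the count of reachable keystreams is bounded by the seed space, which is exactly why the remaining security is computational rather than information-theoretic.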
