[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

Patrick Chkoreff pc at fexl.com
Wed Sep 10 06:31:27 EDT 2025


On 9/8/25 5:17 PM, Magnus Ahltorp wrote:

> I don't know how serious your question is, but I'll answer it seriously.

I do have a serious question, but unfortunately the example I used 
clouded it because it was of the form "Well, apart from this one fatal 
vulnerability, how good is this?"  That's not what I intended.

> Having no encryption in each step, and instead using a hash, ensures that a known-plaintext attack in any 256-bit block of the string will trivially disclose the rest of the string.

Yes, that's why I said this:

> I understand the higher risk of key compromise:  namely, that if you know any one of the 256 bit blocks in the OTP sequence, you therefore know all the subsequent blocks to infinity.  There are ways to mitigate that.

As you say, known-plaintext is one way to uncover a single 256-bit 
block, and thus uncover all the subsequent blocks.


Indeed there are ways to mitigate that.  Kristian gave one example:

> First sequence is x1, x2, …, generated as x_{i+1} = SHA-3-256(«0» || x_i), which is almost your sequence.
> 
> Second sequence is y1, y2, …, generated as y_i = SHA-3-256(«1» || x_i), which is the actual pseudo-random sequence.

There the entire sequence is determined by the 256-bit quantity x1, 
which serves as the shared secret key.  The knowledge of any y[i], by 
known plaintext or any other means, does not tell you anything about y[i+1].

You also mention OFB with key and IV, based on some fundamental block 
encryption operation.  That too is a way to produce an unguessable key 
stream which is XORed with the plaintext -- and that key stream cannot 
be easily compromised.


So, I understand that the simple hash chain I described is horribly 
vulnerable to compromise.  My deliberate over-simplification clouded the 
true nature of my question.

My real question regards the suitability of using an unguessable key 
stream that is generated by hashing ONLY -- given that it avoids the 
possibility of compromise by knowing a single block.  That is to say, no 
AES or any other kind of block cipher is involved, just a plain XOR of a 
purely hash-based key stream against the plaintext.

The second question is, how long can you "pull" on that one key stream, 
treating it like an indefinitely long OTP where you have to keep your 
last offset to avoid reusing key material?

Yes, the entire thing hinges on a single 256-bit key, generated perhaps 
by rolling 64 of those 16-sided dice.  As we know, 2^256 is a literally 
astronomically big number:

115792089237316195423570985008687907853269984665640564039457584007913129639936

I'm wondering, is it "safe" in some sense to just keep pulling on the 
one key stream sequence indefinitely, even for petabytes of data?


-- Patrick
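The following is an added example, not code from Patrick's message or from anyone else in the thread. It puts the two constructions discussed above side by side: the bare hash chain, where the emitted key block is the chain state and one known-plaintext block hands an attacker every later block, and Kristian's two-sequence variant, where the emitted y_i is a separate hash of the hidden state x_i. It then wraps the second construction as an indefinitely long pad that tracks its offset, the "keep your last offset" bookkeeping Patrick asks about, and shows the classic leak (c1 XOR c2 = m1 XOR m2) when two messages are sealed at the same offset. The names HashStream, seal, open_at, pad_reuse_leak and known_plaintext_attack are this example's own, the single bytes 0x00 and 0x01 stand in for Kristian's «0» and «1», and the key used in the demo is a constructed value.

```python
import hashlib


def sha3(*parts: bytes) -> bytes:
    """SHA3-256 over the concatenation of parts."""
    return hashlib.sha3_256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; callers pass equal-length inputs."""
    return bytes(p ^ q for p, q in zip(a, b))


def naive_chain(seed: bytes, n: int) -> list[bytes]:
    """The over-simplified chain from the thread: k_{i+1} = SHA3-256(k_i).
    The emitted key block IS the chain state, so one known block yields
    every later block."""
    blocks, k = [], seed
    for _ in range(n):
        k = sha3(k)
        blocks.append(k)
    return blocks


def two_sequence_chain(x1: bytes, n: int) -> list[bytes]:
    """Kristian's construction (0x00/0x01 stand in for his «0» and «1»):
        x_{i+1} = SHA3-256(0x00 || x_i)   state, never emitted
        y_i     = SHA3-256(0x01 || x_i)   key block, XORed with plaintext
    Learning y_i gives no way to compute x_i, hence nothing about y_{i+1}."""
    ys, x = [], x1
    for _ in range(n):
        ys.append(sha3(b"\x01", x))
        x = sha3(b"\x00", x)
    return ys


def known_plaintext_attack(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Attacker who knows plaintext block 1 recovers key block 1, hashes it
    to predict key block 2, and decrypts ciphertext block 2 with the result.
    Works against naive_chain; yields garbage against two_sequence_chain."""
    k1 = xor(c1, p1)
    return xor(c2, sha3(k1))


class HashStream:
    """Kristian's key stream used as an indefinitely long pad (hypothetical
    wrapper, this example's own). `offset` counts key bytes consumed; both
    ends must advance it in lockstep and never rewind it."""

    def __init__(self, x1: bytes, offset: int = 0):
        self.x = x1
        self.offset = 0
        self._buf = b""
        self.take(offset)  # fast-forward to a previously saved offset

    def take(self, n: int) -> bytes:
        """Return the next n key bytes and advance the offset."""
        while len(self._buf) < n:
            self._buf += sha3(b"\x01", self.x)  # y_i
            self.x = sha3(b"\x00", self.x)      # x_{i+1}
        out, self._buf = self._buf[:n], self._buf[n:]
        self.offset += n
        return out


def seal(stream: HashStream, msg: bytes) -> tuple[int, bytes]:
    """Encrypt msg with the next key bytes; return (start offset, ciphertext).
    The offset travels in the clear so the receiver can resynchronise."""
    start = stream.offset
    return start, xor(stream.take(len(msg)), msg)


def open_at(x1: bytes, start: int, ct: bytes) -> bytes:
    """Decrypt a ciphertext given the shared x1 and the offset it was sealed at."""
    return xor(HashStream(x1, start).take(len(ct)), ct)


def pad_reuse_leak(x1: bytes, m1: bytes, m2: bytes, offset: int) -> bytes:
    """Two equal-length messages sealed at the SAME offset: c1 XOR c2 equals
    m1 XOR m2, the key cancels completely. This is the failure that saving
    the last offset exists to prevent."""
    c1 = xor(HashStream(x1, offset).take(len(m1)), m1)
    c2 = xor(HashStream(x1, offset).take(len(m2)), m2)
    return xor(c1, c2)


if __name__ == "__main__":
    x1 = sha3(b"constructed demo key, not a real secret")  # constructed value
    tx = HashStream(x1)
    off, ct = seal(tx, b"first message, 32 bytes exactly!")
    assert open_at(x1, off, ct) == b"first message, 32 bytes exactly!"
    print("key bytes consumed so far:", tx.offset)
```

The example only shows the mechanics of the two constructions and of offset tracking; it says nothing about how far the stream may safely be pulled, which is the open question in the message. What it does make concrete is that the synchronisation state both parties must persist is a single integer, and that losing or rewinding it is what turns the scheme into a reused pad.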