[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat
zeb at qtt.se
Tue Sep 16 08:27:09 EDT 2025
>> On Sep 13, 2025, at 19:51, Pierre Abbat <phma at bezitopo.org> wrote:
>>
>> Here's an idea: Can you use a secret-sharing scheme, such as Lagrange
>> polynomial interpretation, to reduce the total amount of pad that needs to be
>> distributed? Suppose that the total amount of data that the group will send in
>> time T is a meg, but no one will send and receive (combined) more than 10 kB.
>> Instead of sending everyone the same meg of pad, you can send everyone a
>> different pad of 10 kB, and Alice can encrypt a message so that only Alice and
>> Bob can decrypt it.
>
> On 2025-09-16 00:11, Jon Callas wrote:
>
> Not really. Or perhaps, absolutely you can. We have constructs to
> bracket what the parameters are. For example, is it worthwhile to limit
> the security parameter from information-theoretic security, down to one
> that has a security factor of, oh, let's say 2^256 while getting in
> return a 2^-256 reduction in pad size? Is that a decent tradeoff?
>
> If it is, then yes, we have such constructs. They're called stream
> ciphers.
>
> Jon

It is, I think, not a bad idea to try and divide a big pad into smaller
shares based on some kind of knowledge of expected individual
participant usage. And with "shares", Shamir and such comes to mind, I'm
with you Pierre, but I don't see how _secret sharing_ would help in this
case, not at least since neither Alice nor Bob would have a clue with
just their own, or even both's, shares.

Also, as far as I've gathered, the key component in this ghostly
protocol is OTP synchronisation, which I'd expect to get much more
complicated with different pads. And I think the OP's stated use case was
group chat.

But Jon, isn't Shamir also information-theoretic?

Z
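
Added example, not part of the original message or of the GhostLine paper: a toy Shamir (3, 5) scheme over a 61-element field, enumerated exhaustively to show what one or two shareholders can learn on their own. The field size, the threshold and the secret 42 are assumptions chosen so the full polynomial space fits in a brute-force loop.

```python
# Added illustration (not from the thread): Shamir (t, n) sharing over GF(P).
# P, the threshold and the sample secret are constructed for the demo.
import secrets
from itertools import product

P = 61  # tiny prime so every polynomial can be enumerated

def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret, t, n):
    """Return n shares (x, f(x)); f has degree t-1 and f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation of f(0) from t (or more) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def posterior_counts(known, t):
    """For each candidate secret, count degree<t polynomials fitting `known`."""
    counts = {s: 0 for s in range(P)}
    for coeffs in product(range(P), repeat=t):
        if all(eval_poly(coeffs, x) == y for x, y in known):
            counts[coeffs[0]] += 1
    return counts

if __name__ == "__main__":
    shares = split(42, t=3, n=5)            # constructed secret
    print(reconstruct(shares[:3]))          # three shares recover it
    two = posterior_counts(shares[:2], 3)   # two parties' shares only
    print(set(two.values()))                # same count for every secret
```

With fewer than three shares every candidate secret is matched by the same number of polynomials, so the holders' uncertainty about the secret is unchanged regardless of computing power.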