[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

[Jon Callas]

> On Sep 16, 2025, at 05:27, zeb--- via cryptography <cryptography at metzdowd.com> wrote:
> 
> 
> It is, I think, not a bad idea to try and divide a big pad into smaller shares based on some kind of knowledge of expected individual participant usage. And with "shares", Shamir and such comes to mind, I'm with you Pierre, but I don't see how _secret sharing_ would help in this case, not at least since neither Alice nor Bob would have a clue with just their own, or even boths, shares.
> 
> Also, as far as I've gathered, the key component in this ghostly protocol is OTP synchronisation, which I'd expect to get much more complicated with different pads. And I think the OP stated use case was group chat.
> 
> But Jon, isn't Shamir also information-theoretic?

Yes, and this is why it's better to talk about information-theoretic security and not fixate on one-time pads.

However, Shamir secret sharing has its own issue, and that is that when an appropriate quorum pulls together the secret, you have to trust them not to keep the secret and use it later. There are many instances where this is fine, and others where it's mostly okay, and ones where it isn't, and that's why we have other constructs, like modern threshold signatures, or group signatures, or ring signatures. They all have different security qualities.

Back in PGP days, we did a Shamir secret-sharing thing so you could pull together shares of a PGP key and use it. The software prevented extra use of it, but of course you had to trust the software and the person who is the coordinator of the operation. It has limitations, and if you're okay with those limitations, then it's great.

An OTP, though, is basically a stream cipher that is hard to set up and hard to use and is malleable. Again, there are places where it works well, and those are high-latency, low-bandwidth communications, or things like numbers stations.

	Jon