[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat

Steven M. Bellovin smb at cs.columbia.edu
Thu Sep 18 16:27:26 EDT 2025


On 18 Sep 2025, at 14:26, Jon Callas wrote:

>
>
>> On Sep 18, 2025, at 03:22, zeb at qtt.se wrote:
>>
>>> On 2025-09-18 06:52, Jon Callas wrote:
>>> An OTP, though, is basically a stream cipher that is hard to set up and hard to use and is malleable. Again, there are places where it works well, and those are high-latency, low-bandwidth communications, or things like numbers stations.
>>> Jon
>>
>> Sure, with a truly random key as long as the plaintext ;>
>>
>
> Exactly, but the hard part is not "truly random" it's "as long as the plaintext."
>
> Once you have developed a way to securely send the pad, the next engineering question is why not optimize and send the message by the mechanism you use to send the pad?
>
It's a time-binding issue. It's easy for, say, Washington and Moscow to share as much keying material as they want when there isn't a crisis, but when there is there may not be time. A spy departing their home country can bring material with them, but can't get more securely without going back, which itself might be difficult to do without suspicion. Ditto diplomats, who may or may not trust the integrity of diplomatic pouches, but may need to communicate more quickly than a physical transfer can take place. (Aside: I just finished reading Scott Anderson's "King of Kings", about the Iranian revolution in 1979. When a senior diplomat wanted to bury but not block a message from a junior, it would be sent by diplomatic pouch instead of electronically. Time matters…) I'm sure there are other situations, but these are the three I cited earlier as where OTPs have been used historically.

All that said, it's worth taking a closer look at these three situations. German diplomats used OTPs in the early 1920s, after a disaster caused by cryptanalysis (the Zimmermann Telegram) and before there were (believed to be) secure machine ciphers. Soviet spies used OTPs in the early post-war period (and maybe later, but this is what is attested in the literature) when they didn't have suspicionless ways to do machine encryption. Can you imagine an illegal keeping a Fialka in a desk drawer? (Aside: it's worth reading Leo Marks' "Between Silk and Cyanide" on the dangers of hand ciphers and the like. When you read it, think about threat models—Marks understood them; others did not.) And the hotline? Neither Washington nor Moscow would want to disclose details of their own TS-rated ciphers to the other side, let alone keying procedures or key exchange algorithms. OTPs are simple, obvious, and known for decades.

The real question, then, is when to use OTPs. As noted, they're inconvenient, since you have to securely store—and securely destroy once used—a large amount of keying material. It may be hard to produce enough true-random keying material, let alone to distribute it, and in many situations distribution is a real problem. (Several cryptanalytic successes—Midway, Venona, the seizure of German weather ships with a few months of Enigma keying material, the cracking of Soviet use of Morehouse two-tape machines in the post-war period, per Budiansky's "Code War"—were intimately related to production or distribution problems by the other side.)



        —Steve Bellovin, https://www.cs.columbia.edu/~smb
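The two properties the thread turns on, that an OTP is malleable and that the pad must be as long as the plaintext and never reused, can both be shown in a few lines. The following is an added example, not code from the thread or from any of the posters: the function names, the pad, and the messages are all constructed here for illustration.

```python
"""One-time pad: correctness, malleability, and the two-time-pad failure.

Added example, not from the cryptography-list thread. All names and
sample messages below are constructed for illustration.
"""
import secrets


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with an equally long, truly random, never-reused pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return bytes(k ^ p for k, p in zip(pad, plaintext))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def malleate(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change the plaintext from `old` to `new` at `offset` WITHOUT the pad.

    The attacker only needs to know (or guess) what the plaintext bytes
    are at that position; XORing in (old ^ new) edits the plaintext
    because C' ^ K = (P ^ old ^ new) ... there is no integrity check.
    """
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def two_time_pad_recover(ct1: bytes, ct2: bytes, known_p1: bytes) -> bytes:
    """If one pad encrypted two messages, ct1 ^ ct2 = p1 ^ p2.

    Knowing (or guessing) p1 therefore reveals p2 over the overlap; this
    is the classic pad-reuse failure, no key material required.
    """
    n = min(len(ct1), len(ct2), len(known_p1))
    return bytes(ct1[i] ^ ct2[i] ^ known_p1[i] for i in range(n))


def demo_malleability() -> bytes:
    """Forge a payment amount in transit; returns what the recipient decrypts."""
    pad = secrets.token_bytes(32)            # constructed pad
    msg = b"TRANSFER 100 TO ACCOUNT 7"       # constructed message
    ct = otp_encrypt(pad, msg)
    forged = malleate(ct, msg.index(b"100"), b"100", b"900")
    return otp_decrypt(pad, forged)


def demo_pad_reuse() -> bytes:
    """Reuse one pad for two messages; recover the second from the first."""
    pad = secrets.token_bytes(32)            # constructed pad, wrongly reused
    p1 = b"MEET AT NOON"                     # constructed, assumed known/guessed
    p2 = b"ABORT MISSION"                    # constructed, the target
    ct1 = otp_encrypt(pad, p1)
    ct2 = otp_encrypt(pad, p2)
    return two_time_pad_recover(ct1, ct2, p1)


if __name__ == "__main__":
    print("round trip ok:",
          otp_decrypt(b"\x01" * 5, otp_encrypt(b"\x01" * 5, b"hello")) == b"hello")
    print("recipient sees after forgery:", demo_malleability())
    print("recovered from pad reuse:     ", demo_pad_reuse())
```

The malleability demo is why a real deployment pairs the pad with an authenticator (and why Callas calls an OTP "a stream cipher"); the reuse demo is the mechanism behind the production-side failures Bellovin lists, where duplicated or reissued pad pages gave the cryptanalysts exactly this ct1 ^ ct2 relation to work with.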