[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat
Ray Dillinger
bear at sonic.net
Fri Jan 2 15:01:57 EST 2026
On 9/8/25 6:21 AM, Patrick Chkoreff wrote:
> On 9/7/25 2:46 AM, Pierre Abbat wrote:
>
> What you do is roll 64 of those 16-sided dice to produce an initial
> 256 bit seed. Then you run that seed through SHA256 to produce the
> next 256 bit seed, and continue that chain indefinitely.
>
> The first 256 bit block is "truly" random; the subsequent blocks are
> "pseudo" random but nevertheless "random enough." There's your OTP.
> You could probably extend it for many terabytes. Maybe even petabytes.
>
> ====> OK, now for one serious question: in the hash chain sequence I
> describe above, in what way is that NOT suitable for use as an OTP?
> I understand the higher risk of key compromise: namely, that if you
> know any one of the 256 bit blocks in the OTP sequence, you therefore
> know all the subsequent blocks to infinity. There are ways to
> mitigate that. I'm just asking about the "randomness" quality of the
> OTP material itself.
>
The thing you missed is that knowing any one of the 256 bit blocks in
the OTP sequence is terrifyingly easy and can be done by passive
eavesdropping.
Because a lot of commonly used protocols, document formats, video
codecs, etc. feature 256-bit chunks of invariant or highly predictable
boilerplate, payload description, and overhead, a 256-bit known
plaintext is easy to achieve just by passively listening to
transmissions, and then you can apply a known-plaintext attack.
Known-plaintext attack: You can XOR your known plaintext to the
corresponding ciphertext to extract the OTP used to encrypt that
plaintext. Once you have that, you can use SHA256 to extend the OTP
indefinitely and decrypt everything that comes after the known plaintext.
Note there are a lot of other ways to identify 256-bit chunks of known
plaintext: somebody is going to transmit their collection of
"Guns'n'Roses" CDs, or the latest install images for their favorite
software distribution source or something, and when you catch them at it
you have literally hundreds of megabytes of known plaintext.
Bear
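The attack Bear describes, worked through as an added example (this is not code from the list post, from Patrick's proposal, or from GhostLine): the SHA-256 hash-chain keystream exactly as quoted above, a message carrying a predictable fixed-format header, and the eavesdropper's XOR-and-extend recovery. The format name, header bytes, preamble and payload are constructed for the example, and the function names are mine. It also includes the check an attacker would run to confirm the recovery offline, and a genuine random pad for comparison, so that the difference between the chain and a real OTP is visible in code.

```python
import hashlib
import os

BLOCK = 32  # 256 bits: one SHA-256 output, i.e. one element of the chain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(element: bytes, n: int) -> list:
    """The n chain elements after `element`: SHA256(element), SHA256(SHA256(element)), ..."""
    out, cur = [], element
    for _ in range(n):
        cur = sha256(cur)
        out.append(cur)
    return out


def keystream(seed: bytes, nbytes: int) -> bytes:
    """The hash-chain 'OTP' from the quoted proposal: block 0 is the 256-bit
    dice seed, every later block is SHA256 of the previous one."""
    nblocks = -(-nbytes // BLOCK)  # ceiling division
    return b"".join([seed] + extend(seed, nblocks - 1))[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: bytes, plaintext: bytes) -> bytes:
    """Sender: XOR with the chain. Decryption is the same operation."""
    return xor(plaintext, keystream(seed, len(plaintext)))


def random_pad_encrypt(plaintext: bytes) -> bytes:
    """A genuine one-time pad, for comparison: fresh random bytes, used once."""
    return xor(plaintext, os.urandom(len(plaintext)))


def known_plaintext_attack(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """Eavesdropper's side. `known` is plaintext the attacker can predict (a
    fixed file header, protocol boilerplate) and `offset` its byte position in
    the message. XOR recovers one whole chain element; hashing forward yields
    every later element, so everything after the known chunk is decrypted.
    Nothing before it is recovered, since SHA-256 cannot be run backwards.
    Assumes the chunk is aligned to a chain boundary (see the usage note)."""
    assert offset % BLOCK == 0 and len(known) >= BLOCK
    element = xor(ciphertext[offset:offset + BLOCK], known[:BLOCK])
    rest = ciphertext[offset + BLOCK:]
    nblocks = -(-len(rest) // BLOCK)
    return xor(rest, b"".join(extend(element, nblocks))[:len(rest)])


def confirm_recovery(ciphertext: bytes, known: bytes, offset: int) -> bool:
    """With two aligned blocks of known plaintext the attacker can check the
    recovery offline: the second recovered block must be SHA256 of the first.
    A true one-time pad has no such relation between consecutive blocks, so
    this check also tells the eavesdropper it is facing a hash chain at all."""
    assert offset % BLOCK == 0 and len(known) >= 2 * BLOCK
    first = xor(ciphertext[offset:offset + BLOCK], known[:BLOCK])
    second = xor(ciphertext[offset + BLOCK:offset + 2 * BLOCK], known[BLOCK:2 * BLOCK])
    return sha256(first) == second


# Constructed sample traffic (not a real format): 64 bytes of private preamble,
# then a 64-byte fixed header any eavesdropper can look up in the format spec,
# then the secret payload. The header therefore starts at offset 64.
PRIVATE_PREAMBLE = b"sender-private bytes the attacker cannot predict".ljust(2 * BLOCK, b"\x00")
HEADER = b"EXAMPLE-FORMAT v1.0".ljust(2 * BLOCK, b"\x00")
SECRET = b"the payload the eavesdropper never saw in clear"
SAMPLE_MESSAGE = PRIVATE_PREAMBLE + HEADER + SECRET
HEADER_OFFSET = len(PRIVATE_PREAMBLE)


def demo() -> bytes:
    """Sender rolls the dice and encrypts; the attacker sees only the
    ciphertext and the public header, and gets back everything from the
    header onward. The preamble before the header stays unrecovered."""
    seed = os.urandom(BLOCK)  # stands in for the 64 rolls of a 16-sided die
    ct = encrypt(seed, SAMPLE_MESSAGE)
    assert confirm_recovery(ct, HEADER, HEADER_OFFSET)
    return known_plaintext_attack(ct, HEADER, HEADER_OFFSET)


if __name__ == "__main__":
    print(demo())
```

The example assumes the attacker knows where the predictable chunk falls relative to the 32-byte chain boundary. When that is unknown, there are only 32 possible alignments, and with 64 or more bytes of known plaintext the `confirm_recovery` check identifies the right one offline, which is exactly why the chain fails where a real pad would not: a genuine OTP gives the attacker no way to tell a correct guess from a wrong one.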