[Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat
Patrick Chkoreff
pc at fexl.com
Mon Jan 5 10:58:45 EST 2026
On 1/4/26 8:02 AM, Jerry Leichter wrote:
> If I use your proposed system to transmit the contents of today's N.Y. Times, someone who just guesses that I'm forwarding the latest news can try the first block, quickly determine the seed, then decrypt the rest of the newspaper - and also the comments you appended to it. Indeed, this kind of attack was considered so significant prior to the emergence of modern cryptography that when a statement was sent, encrypted, to an embassy for publication, the embassy staff was expected to re-write it before releasing it to deny attackers access to any plaintext. That's the issue - not reuse.
> -- Jerry
Right. Yesterday I thought about your Guns N Roses example and it
became clear that *probable* plaintext was also a huge vulnerability.
That led me to consider other possible ways of generating a _static_
large OTP deterministically up front, but safely so that the knowledge
of one block of key material does not allow you to infer the subsequent
blocks. Clearly a hash chain is the worst possible scheme in this regard.
But you could devise a scheme where you would have to know the original
256-bit true random key/seed itself to derive any block of key material,
including tricks like encrypting a counter and such. Clearly this is
just reinventing stream ciphers, which often (always?) rely crucially on
a nonce to avoid this kind of fragility.
My question originally arose in response to the GhostLine scheme of
actually *using* an OTP. I was considering ways of generating an OTP
deterministically from a single 256-bit "truly random" seed. Clearly
using a hash chain is disastrously frail.
I'm sure the way to do it, assuming you want to do it at all, is to
hijack any suitable stream cipher and use the 256-bit key, plus maybe a
nonce of zero, and generate the multi-gigabyte OTP mask from that.
Again, I'm just thinking of ways to generate a strong OTP from "only"
256 bits of entropy, which should really be more than strong enough for
any purpose -- as opposed to having to tap directly into quantum
turbulence or whatever to generate each of a billion blocks of key
material.
-- Patrick
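As an added illustration (not code from this thread or from the GhostLine paper), the two derivation shapes contrasted above, written in Python with only the standard library. The seed and the sample message are constructed for the demo, and HMAC-SHA-256 over a block index stands in for "encrypting a counter" with a stream cipher. The hash chain needs the seed only for block 0, so a single keystream block recovered from probable plaintext yields every later block; under the counter construction every block depends on the secret seed, and chaining forward from a recovered block produces nothing useful.

```python
import hashlib
import hmac

BLOCK = 32  # SHA-256 digest size; one keystream block per digest

# Constructed demo seed: a fixed 256-bit value so the run is reproducible.
# A real deployment would draw the seed from a true random source.
SEED = bytes.fromhex("0f" * 32)

# Constructed sample plaintext, longer than two blocks so there is a "rest of
# the message" for the probable-plaintext scenario to reach.
MESSAGE = (b"Constructed sample plaintext: the attacker guesses this opening "
           b"block correctly and then reads on.")


def hash_chain_blocks(seed: bytes, n: int) -> list[bytes]:
    """The fragile scheme: block[0] = SHA-256(seed), block[i] = SHA-256(block[i-1]).
    The seed is needed only for block 0; every later block depends on its
    predecessor alone."""
    blocks = []
    cur = hashlib.sha256(seed).digest()
    for _ in range(n):
        blocks.append(cur)
        cur = hashlib.sha256(cur).digest()
    return blocks


def chain_forward(known_block: bytes, count: int) -> list[bytes]:
    """What one leaked block gives away under the hash chain: the next `count`
    blocks, computed with no knowledge of the seed."""
    out, cur = [], known_block
    for _ in range(count):
        cur = hashlib.sha256(cur).digest()
        out.append(cur)
    return out


def counter_blocks(seed: bytes, n: int) -> list[bytes]:
    """The 'encrypt a counter' shape: block[i] = HMAC-SHA-256(seed, i).
    Each block is a function of the secret seed and its own index, so
    learning block i gives no way to compute block i+1 without the seed."""
    return [hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()
            for i in range(n)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_with_keystream(data: bytes, blocks: list[bytes]) -> bytes:
    """Mask `data` with the concatenated keystream blocks; masking and
    unmasking are the same operation."""
    stream = b"".join(blocks)
    assert len(stream) >= len(data), "not enough keystream"
    return xor_bytes(data, stream[:len(data)])


def tail_exposed_by_known_prefix(message: bytes, use_counter: bool) -> bytes:
    """Simulate the probable-plaintext scenario from the thread: the message is
    masked with the chosen keystream, the attacker guesses the first BLOCK bytes
    of plaintext correctly, recovers keystream block 0 by XOR, and then applies
    the only derivation an outsider has, hashing forward as if the stream were
    a chain. Returns what that yields for the remainder of the message."""
    n = -(-len(message) // BLOCK)  # ceiling division: number of blocks needed
    blocks = counter_blocks(SEED, n) if use_counter else hash_chain_blocks(SEED, n)
    ciphertext = xor_with_keystream(message, blocks)
    guessed_prefix = message[:BLOCK]  # the attacker's correct guess
    block0 = xor_bytes(ciphertext[:BLOCK], guessed_prefix)
    derived = chain_forward(block0, n - 1)
    return xor_with_keystream(ciphertext[BLOCK:], derived)


if __name__ == "__main__":
    chain_tail = tail_exposed_by_known_prefix(MESSAGE, use_counter=False)
    ctr_tail = tail_exposed_by_known_prefix(MESSAGE, use_counter=True)
    print("hash chain: rest of message recovered?", chain_tail == MESSAGE[BLOCK:])
    print("counter:    rest of message recovered?", ctr_tail == MESSAGE[BLOCK:])
```

The counter check is not a proof of security, only a demonstration that the chain-forward shortcut does not transfer; what the counter construction actually buys is that every block is a keyed function of the seed, which is exactly the property a stream cipher provides and a hash chain does not.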