<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">

Steve is right: OTP <i>could</i> be used, although, obviously, only in special scenarios, as exchanging the keys would idd be a challenge. In fact, it's a bit like the huge advantage that PKC has, making it so much easier to establish keys between entities.

 Easier; but, at least for some applications, we can also manage w/o PKC (if we have to). </div>

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">

<br>

</div>

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">

But let me mention that there's another advantage for evaluating OTP-based designs: modularity. They allow to separate the challenge of establishing a secure design (assuming a OTP), from the challenge of establishing the OTP. Of course, typical mechanism to

 `establish the OTP' would only ensure a pseudorandom string, which is 'only' computationally-secure, but the separation makes it harder to design a (computationally) secure system.</div>

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">

<br>

</div>

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">

Best, Amir</div>

<div id="Signature">

<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="background-color: rgb(255, 255, 255);">

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt; color: rgb(34, 34, 34);">

--</div>

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt; color: rgb(34, 34, 34);">

Amir Herzberg</div>

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt; color: rgb(34, 34, 34);">

<br>

</div>

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt; color: rgb(34, 34, 34);">

Comcast professor of Security Innovations, </div>

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt; color: rgb(34, 34, 34);">

Computer Science and Engineering, University of Connecticut</div>

<div style="text-align: left; font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt;">

<span style="color: rgb(34, 34, 34);">Homepage: </span><span style="color: rgb(17, 85, 204);"><a style="color: rgb(17, 85, 204);" class="OWAAutoLink" id="OWAf15422ed-e276-9fab-797b-d47fd3cb3462" target="_blank" href="https://sites.google.com/site/amirherzberg/home">https://sites.google.com/site/amirherzberg/home</a></span></div>

</div>

<div style="text-align: left; background-color: rgb(255, 255, 255); font-family: Arial, Helvetica, sans-serif; font-size: 9.75pt;">

<span style="color: rgb(34, 34, 34);">Applied Introduction to Cryptography and Cybersecurity:</span><span style="color: rgb(17, 85, 204);"><a style="color: rgb(17, 85, 204);" class="OWAAutoLink" id="OWAef3d514c-13fa-4ab9-1d80-02bbfe51da87" target="_blank" href="https://sites.google.com/site/amirherzberg/cybersecurity"> </a><a class="OWAAutoLink" id="OWA553b3a2c-9afe-8345-3201-dff03d9eac44" href="https://sites.google.com/site/amirherzberg/crypto-cyber-book">https://sites.google.com/site/amirherzberg/crypto-cyber-book</a></span></div>

</div>

<div id="appendonsend"></div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> cryptography <cryptography-bounces+amir.herzberg=uconn.edu@metzdowd.com> on behalf of Steven M. Bellovin <smb@cs.columbia.edu><br>

<b>Sent:</b> Sunday, September 7, 2025 10:21 PM<br>

<b>To:</b> Ron Garret <ron@flownet.com><br>

<b>Cc:</b> Andrew Lee <andrew@joseon.com>; cryptography@metzdowd.com <cryptography@metzdowd.com><br>

<b>Subject:</b> Re: [Cryptography] New White Paper: GhostLine - Information-Theoretically Secure Multi-Party Chat</font>

<div> </div>

</div>

<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">

<div class="PlainText">*External sender: This message came from outside UConn. It might be safe, but use caution before interacting with links, attachments, or requests.*<br>

<br>

<br>

On 7 Sep 2025, at 14:48, Ron Garret wrote:<br>

<br>

><br>

> Sure.  But there are certain things that are just a waste of time, like creationism, flat-eartherism, lunar-landing denialism, and perpetual motion machines.  One-time pads fall into this category, for a very simple reason: if you had a secure way to distribute

 an OTP you could use that same mechanism to securely distribute a message and you would not need the OTP.  (This is not quite true.  There is one use case for an OTP, which is that you have a secure way to distribute it at one time, and you want to send a

 secure message using that OTP at a later time.  But this is an extremely rare circumstance, and it never applies to the stated use case for Ghostline.)<br>

><br>

> So this is not arbitrary dismissal of an idea for superficial reasons, this is pointing out that the idea being advanced is not new, but rather one that is proposed by crackpots on the regular, and that there is a well-known and sound reason for dismissing

 it out of hand.<br>

><br>

I disagree. Creationism, flat-eartherism, etc., are blatant nonsense and aren't worth any attention at all. But one-time pads have been and have been used in the real world. The German diplomatic service used them in the early 1920s (source: Kahn, "The Codebreakers",

 chap. 13), Soviet spies (Kahn, chap. 18, and yes, I know about Venona), the Washington-Moscow hotline (Kahn, chap. 19), during World War II by the US and Britain (SIGSALY:

<a href="https://www.nsa.gov/portals/75/documents/about/cryptologic-heritage/historical-figures-publications/publications/wwii/sigsaly.pdf">

https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.nsa.gov%2Fportals%2F75%2Fdocuments%2Fabout%2Fcryptologic-heritage%2Fhistorical-figures-publications%2Fpublications%2Fwwii%2Fsigsaly.pdf&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073705945%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=PM%2BKt%2Bke4q%2FRraqbwN7ojPRKNk4rjhYJzzIA17ZkggU%3D&reserved=0</a>

 and <a href="https://www.cryptomuseum.com/crypto/usa/sigsaly/">https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cryptomuseum.com%2Fcrypto%2Fusa%2Fsigsaly%2F&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073730466%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=U2txUw3QrcVautGZaVK67m5PfDMhFfatY3PdzAi5xAQ%3D&reserved=0)</a>,

 and US military communications during that war ("The Friedman Legacy", <a href="https://www.govinfo.gov/content/pkg/GOVPUB-D-PURL-gpo52787/pdf/GOVPUB-D-PURL-gpo52787.pdf">

https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.govinfo.gov%2Fcontent%2Fpkg%2FGOVPUB-D-PURL-gpo52787%2Fpdf%2FGOVPUB-D-PURL-gpo52787.pdf&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073745258%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=7QqLlhREbXWCadOfdGxBGj6xIjZaQSVIGqFTFumJrxU%3D&reserved=0</a>,

 p. 164). I'm sure there are many more examples, but those are the ones that come to mind.<br>

<br>

Yes, they're hard to use properly—even producing the keying material is hard, to say nothing of avoiding key reuse (see Venona and Friedman), and distribution can be difficult in many situations. I've often referred to one-time pads as "theoretically secure

 and practically useless". But they have been and can be used—even the in the last World War II example I cite, the produced five copies of the tapes, to permit different communication patterns.<br>

<br>

(Btw, if you're interested in the history of the Vernam-Mauborgne one-time pad, see

<a href="https://mice.cs.columbia.edu/getTechreport.php?techreportID=1576&format=pdf&">

https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmice.cs.columbia.edu%2FgetTechreport.php%3FtechreportID%3D1576%26format%3Dpdf%26&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073759235%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Nh9EWQ43mz0jXxmenMdaWgosEbAXZJbO3pOPxYVxnRQ%3D&reserved=0</a>;

 if you're interested in the actual invention of it in 1882, see <a href="https://mice.cs.columbia.edu/getTechreport.php?techreportID=1460&format=pdf&">

https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmice.cs.columbia.edu%2FgetTechreport.php%3FtechreportID%3D1460%26format%3Dpdf%26&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073772432%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=NEmDck4j8LZGidwPvv%2Fa3NywXzYIzXrq0oNklhdHD54%3D&reserved=0</a>.

 Both papers were formally published but paywalled; these versions are publicly available.)<br>

<br>

        --Steve Bellovin, <a href="https://www.cs.columbia.edu/~smb">https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cs.columbia.edu%2F~smb&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073785639%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=X%2F4ES6DeiCLoJiSNKclt%2B85VzGsuGEIuJ3ht6Lz2KQY%3D&reserved=0</a><br>

_______________________________________________<br>

The cryptography mailing list<br>

cryptography@metzdowd.com<br>

<a href="https://www.metzdowd.com/mailman/listinfo/cryptography">https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.metzdowd.com%2Fmailman%2Flistinfo%2Fcryptography&data=05%7C02%7Camir.herzberg%40uconn.edu%7Cf40b2ff176914725331d08ddee7e6bb9%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C638928949073798981%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=ASEXvlAAQbPwyOfJx5cnt8nSJRMaKRb0oGn6AKuD1oI%3D&reserved=0</a><br>

</div>

</span></font></div>

</body>

</html>