[liberationtech] OneTime 2.0 (beta): one-time pad system.
Andy Isaacson
adi at hexapodia.org
Thu Aug 1 07:58:35 PDT 2013
On Wed, Jul 31, 2013 at 02:29:20PM -0700, Steve Weis wrote:
> I don't really see a practical use case for one-time pads. You have to
> assume that you can securely deliver the pad to someone in advance of
> any other communications.
This is the key management problem. If I want to secure a 10MB/day
channel, I have to deliver a 64GB microSD card to my correspondent every
150 years. Not significantly worse than any other cryptography key
management problem (most of which, in practice, for truly paranoid
users, turn into a physical transaction).
> Then someone may force you to exhaust your
> pad bits by corrupting or dropping messages in transit.
An attacker with control of your wire can deny you service. News at 11!
What cryptosystem does not have this property?
> Regardless, you could use a one-time MAC on the ciphertext. Here are
> some lecture notes on the topic:
> http://cs.nyu.edu/~dodis/randomness-in-crypto/lecture1.pdf
Thanks for the link, that looks very helpful (although too dense for me
to absorb quickly right now).
> For each message, you will need to uniformly sample a
> pairwise-independent hash function to compute an authentication tag.
> That hash function will either limit the max size of your message to
> the domain of the function, or you will need to use a message digest
> function and uniformly map its output into the domain of the hash.
For my 10MB/day channel use case, a 2x ciphertext expansion and 2x pad
consumption factor is acceptable, which I am pretty confident can
provide an "information theoretic probabilistic message integrity
guarantee", to coin a phrase.
-andy
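Added example for this thread (not code from the OneTime project or from either poster): a one-time pad with the one-time MAC construction summarized above, where each message samples a fresh member of a pairwise-independent hash family from the pad and tags the ciphertext with it. The family used is h_{a,b}(x) = a*x + b mod p, with (a, b) drawn uniformly from the pad, so a forger who has seen one (ciphertext, tag) pair succeeds with probability 1/p regardless of computing power. The prime p = 2^521 - 1, the `Pad` class, the `seal`/`open_` names and the constructed pad and messages are this example's own choices.

```python
"""
One-time pad with a one-time MAC over the ciphertext.

Added example for the liberationtech thread; not the OneTime project's code.
The MAC is the construction quoted in the thread: per message, sample a fresh
member of a pairwise-independent hash family from the pad and use its output
as the tag.  h_{a,b}(x) = a*x + b mod p is pairwise independent when (a, b)
are uniform in Z_p x Z_p, so a forger who has seen one (ciphertext, tag) pair
succeeds with probability 1/p.  The prime p, the pad layout and the sample
messages are this example's assumptions.
"""
import hmac

# Domain of the hash: x must be an integer below p, so p caps the message size
# (the "domain of the function" limit mentioned in the thread).  2^521 - 1 is a
# Mersenne prime, chosen here for convenience, not taken from the project.
P = (1 << 521) - 1
FIELD_BYTES = (P.bit_length() + 7) // 8      # 66 bytes per field element / tag
MAX_MSG = (P.bit_length() - 1) // 8          # 65 bytes: every such value is < P


class Pad:
    """A shared pad that hands out each byte exactly once (constructed helper)."""

    def __init__(self, pad_bytes: bytes):
        self._pad = pad_bytes
        self._pos = 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._pad):
            raise RuntimeError("pad exhausted; refusing to reuse pad bytes")
        chunk = self._pad[self._pos:self._pos + n]
        self._pos += n
        return chunk

    @property
    def consumed(self) -> int:
        return self._pos


def _field_element(pad: Pad) -> int:
    """Uniform element of Z_p from pad bytes via rejection sampling (no modulo bias)."""
    while True:
        x = int.from_bytes(pad.take(FIELD_BYTES), "big") & P   # uniform in [0, 2^521)
        if x < P:                                               # reject only x == p
            return x


def _tag(c: bytes, a: int, b: int) -> bytes:
    return ((a * int.from_bytes(c, "big") + b) % P).to_bytes(FIELD_BYTES, "big")


def seal(msg: bytes, pad: Pad) -> tuple[bytes, bytes]:
    """Encrypt msg with the next pad bytes, then tag the ciphertext with fresh (a, b)."""
    if len(msg) > MAX_MSG:
        raise ValueError(f"message exceeds hash domain ({MAX_MSG} bytes)")
    c = bytes(m ^ k for m, k in zip(msg, pad.take(len(msg))))
    a, b = _field_element(pad), _field_element(pad)
    return c, _tag(c, a, b)


def open_(c: bytes, tag: bytes, pad: Pad) -> bytes:
    """Verify the tag before decrypting.  The pad bytes are consumed either way:
    a corrupted message still burns its slice of the receiver's pad, which is
    the denial-of-service cost discussed in the thread."""
    if len(c) > MAX_MSG:
        raise ValueError(f"ciphertext exceeds hash domain ({MAX_MSG} bytes)")
    key = pad.take(len(c))
    a, b = _field_element(pad), _field_element(pad)
    if not hmac.compare_digest(_tag(c, a, b), tag):
        raise ValueError("authentication failed; ciphertext rejected")
    return bytes(x ^ k for x, k in zip(c, key))


def demo() -> dict:
    """Round trip, a one-bit corruption, and the domain limit, on a constructed pad."""
    pad_bytes = bytes(range(256)) * 4          # constructed pad; a real pad is random
    msg = b"hello"

    sender = Pad(pad_bytes)
    c, tag = seal(msg, sender)
    recovered = open_(c, tag, Pad(pad_bytes))  # receiver holds an identical copy

    flipped = bytes([c[0] ^ 0x01]) + c[1:]     # corruption in transit
    try:
        open_(flipped, tag, Pad(pad_bytes))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    try:
        seal(b"x" * (MAX_MSG + 1), Pad(pad_bytes))
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True

    return {
        "plaintext_ok": recovered == msg,
        "tamper_rejected": tamper_rejected,
        "oversize_rejected": oversize_rejected,
        "pad_bytes_per_message": sender.consumed,   # len(msg) + 2 * FIELD_BYTES
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the demo results. Two points the thread raises are visible in the numbers: the tag costs two field elements of pad per message on top of the message length, and the message itself cannot exceed the 65-byte domain of this particular family, so a longer channel either chunks messages or, as the lecture notes suggest, hashes them into the domain first (at the cost of the guarantee becoming computational rather than information-theoretic).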