[liberationtech] OneTime 2.0 (beta): one-time pad system.

Steve Weis steveweis at gmail.com
Wed Jul 31 14:29:20 PDT 2013


No. Without a message authentication code (MAC) or signature, your
ciphertext is insecure. The compression function is not expected to
offer any resistance to modification. There is no proof or argument
that you cannot "jump in and modify bits".

I don't really see a practical use case for one-time pads. You have to
assume that you can securely deliver the pad to someone in advance of
any other communications. Then someone may force you to exhaust your
pad bits by corrupting or dropping messages in transit.

Regardless, you could use a one-time MAC on the ciphertext. Here are
some lecture notes on the topic:
http://cs.nyu.edu/~dodis/randomness-in-crypto/lecture1.pdf

For each message, you will need to uniformly sample a
pairwise-independent hash function to compute an authentication tag.
That hash function will either limit the max size of your message to
the domain of the function, or you will need to use a message digest
function and uniformly map its output into the domain of the hash.

If the whole premise of using one-time pads is "I don't trust
NIST-approved crypto primitives", then you will need to find a
non-standard message digest that people will trust to use. Good luck
with that.

On Wed, Jul 31, 2013 at 10:08 AM, Karl Fogel <kfogel at red-bean.com> wrote:
> In practice, they'd have to know all or most of the plaintext, I think?
> Because under compression, the later parts of the (compressed) plaintext
> depend on earlier parts -- it's not like you can just jump in and modify
> bits in the middle of a compression stream.



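As an added example (not OneTime's code and not from anyone in this thread), here is the construction sketched above worked through in Python: an XOR pad, plus a one-time MAC on the ciphertext keyed by a fresh (r, s) pair drawn from the same pad and never reused, with the polynomial evaluated over Z_P for the Mersenne prime P = 2^521 - 1. It goes slightly beyond the affine a*m + b hash of the lecture notes in that it hashes a ciphertext of any length block by block (a single 64-byte block reduces exactly to that affine hash, so the limited-domain case in the mail is the one-block case). The Pad/seal/open_sealed names, the 64-byte block size, the sample message and the random stand-in for an out-of-band pad are all assumptions made for illustration.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Added example (not OneTime's code).  Field: the Mersenne prime M521 = 2^521 - 1.
# Every 64-byte block of the ciphertext is a coefficient of a polynomial that is
# evaluated at the one-time key r; the one-time key s masks the result
# (Carter-Wegman).  Both r and s come from the pad and are used exactly once.
P = (1 << 521) - 1
BLOCK = 64       # 64 bytes = 512 bits, so every block is an element of Z_P
ELEM_BYTES = 66  # 528 pad bits per sampled field element (masked to 521 bits)


class Pad:
    """Cursor over one-time pad material; no byte is ever handed out twice."""

    def __init__(self, material: bytes):
        self._material = material
        self._pos = 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._material):
            raise ValueError("pad exhausted")
        chunk = self._material[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def field_element(self) -> int:
        # Uniform in Z_P: mask to 521 bits; the only masked value that is not
        # below P is P itself (all ones), which is rejected and resampled.
        while True:
            x = int.from_bytes(self.take(ELEM_BYTES), "big") & P
            if x != P:
                return x


def one_time_mac(r: int, s: int, data: bytes) -> int:
    """Tag = s + len(data) + sum_i c_i * r^(L-i) mod P, c_i = 64-byte blocks.

    For two distinct inputs the difference of their polynomials in r is a
    nonzero polynomial of degree at most L+1, so a forger who has seen one
    (data, tag) pair guesses a second valid tag with probability <= (L+1)/P.
    With a single block the tag is c_0*r + (s + len): the affine
    pairwise-independent hash a*m + b from the lecture notes.
    """
    acc = 0
    for i in range(0, len(data), BLOCK):
        acc = (acc * r + int.from_bytes(data[i:i + BLOCK], "big")) % P
    acc = (acc * r + len(data)) % P  # length as last coefficient: no padding ambiguity
    return (acc + s) % P


def seal(pad: Pad, plaintext: bytes) -> Tuple[bytes, int]:
    """Encrypt with fresh pad bytes, then tag the ciphertext with a fresh (r, s)."""
    key = pad.take(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    r, s = pad.field_element(), pad.field_element()
    return ciphertext, one_time_mac(r, s, ciphertext)


def open_sealed(pad: Pad, ciphertext: bytes, tag: int) -> Optional[bytes]:
    """Verify the tag using the same pad positions the sender used; None on failure.

    The pad is consumed before the tag is checked, which is the cost Steve
    points out: whoever corrupts or drops messages in transit burns pad bits.
    """
    key = pad.take(len(ciphertext))
    r, s = pad.field_element(), pad.field_element()
    if not 0 <= tag < P:
        return None
    expected = one_time_mac(r, s, ciphertext)
    if not hmac.compare_digest(expected.to_bytes(ELEM_BYTES, "big"),
                               tag.to_bytes(ELEM_BYTES, "big")):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def demo(message: bytes = b"meet at the usual place at 21:00, bring the papers") -> tuple:
    """Deliver one message intact, and once with a single ciphertext bit flipped."""
    material = secrets.token_bytes(4096)  # stand-in for a pad exchanged out of band
    sender, receiver_a, receiver_b = Pad(material), Pad(material), Pad(material)
    ct, tag = seal(sender, message)
    accepted = open_sealed(receiver_a, ct, tag)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]  # flip a bit without knowing any plaintext
    rejected = open_sealed(receiver_b, tampered, tag)
    return accepted, rejected


if __name__ == "__main__":
    good, bad = demo()
    print("intact message :", good)
    print("tampered copy  :", bad)
```

Both sides must walk the pad in the same order (message bytes, then r, then s), so a receiver that has lost sync, or that has been fed a bogus length, drops the message and the pad bits with it; that synchronisation, not the MAC itself, is the operational problem with pads that the mail describes.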