From: Mok-Kong Shen on 13 May 2010 09:11

adacrypt wrote:
[snip]

A genuine good OTP has the well-known essential disadvantages in key management and technical expenses. Anyone who desires to use a very good OTP nonetheless should read a recent publication "Random numbers certified by Bell's theorem", Nature, Vol 464, 15 April 2010.

BTW, there is much discussion in this thread of a proposal by nemo-outis. There was also a similar scheme discussed a number of years ago in the group, if my memory is right.

M. K. Shen
From: Bryan on 13 May 2010 21:52
Simon Johnson wrote:
> I fully understand the difference between a stream cipher and the one-time pad (OTP).

Do you understand the difference between self-proclaimed understanding and demonstration?

> The theorem that applies to the OTP does _not_ apply
> to stream ciphers.

So did someone forge your name? Someone calling himself "Simon Johnson" wrote:

| The cryptographic community did exactly what you suggested. They
| built a workable one-time pad implementation.
|
| It's called a stream-cipher.

What I had suggested was, "a well-engineered OTP system would be, at the very least, a great student project." I tried hard to distinguish the OTP from the newbie misunderstanding that sci.crypt has suffered. Alas, this person calling himself "Simon Johnson" posted the same stream-cipher-is-workable-OTP error that we've seen so often before.

> However, my argument is more subtle than you give me credit for. My
> argument is that the OTP, in practice, provides less security than
> AES in CTR mode.

Subtle sophistication of argument is not a point in your favor here. If "AES in CTR mode" is secure, then as cheap insurance in generating a random OTP, we can include in our pad generation process the XOR of a CTR mode AES stream. If computational security exists, then we can generate a secure pad. The converse is not known to be true.

I agree with those who are tired of threads belaboring the OTP, and with the mistaken newbie responses they inevitably elicit. Nevertheless, sci.crypt has not seen an OTP system implemented anywhere nearly as well as it could be by a competent crypto engineer. In my previous post, I tried to distinguish interesting cryptographic problems -- I named "authentication, synchronization, and automatically ensuring that pad data gets used only once" -- from the nonsense that bogs down sci.crypt discussions of the OTP. Nevertheless, I was not surprised to get a response proclaiming a workable OTP: "It's called a stream-cipher."

I'm not a big OTP advocate, but there are engineering problems here that are interesting, solvable, and appropriate for the level of sci.crypt.

-- 
--Bryan
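The two engineering points Bryan raises, XORing a keystream into the pad as insurance against a bad entropy source and making sure pad bytes are consumed only once on both ends, can be shown in a few dozen lines. The following is an added example written for this page, not code from anyone in the thread. Bryan names AES in CTR mode; to stay within the Python standard library this example swaps in HMAC-SHA256 run in counter mode as the PRF, which is a stand-in with the same shape, not a claim about what the post intended. The key, nonce, message and entropy sources are constructed for the demonstration.

```python
"""Pad generation with a PRF 'insurance' layer plus one-time-use enforcement.

Added example for this page; not from the sci.crypt thread. HMAC-SHA256 in
counter mode stands in for the AES-CTR stream named in the post so that the
code runs with the standard library only. All keys, nonces and messages
below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Callable, Tuple


class PadExhausted(Exception):
    """Raised when a caller asks for more pad bytes than remain unused."""


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (stand-in for AES-CTR).

    Block i = HMAC-SHA256(key, nonce || i); blocks are concatenated and
    truncated to the requested length. Deterministic in (key, nonce).
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int, key: bytes, nonce: bytes,
                 entropy_source: Callable[[int], bytes] = os.urandom) -> bytes:
    """Pad = entropy bytes XOR PRF keystream.

    If the entropy source is good the PRF layer costs nothing; if the
    entropy source silently fails (e.g. returns all zeros) the pad is still
    as strong as the PRF. This is the 'cheap insurance' argument in the post.
    """
    raw = entropy_source(length)
    return xor_bytes(raw, ctr_keystream(key, nonce, length))


class OneTimePad:
    """Holds pad material and enforces single use by zeroising consumed bytes.

    Both ends hold an identical copy and must consume it in the same order;
    the receiver checks the sender's offset so the pads cannot drift apart.
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = bytearray(pad)
        self._cursor = 0  # index of the first unused byte

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._cursor

    def take(self, n: int) -> Tuple[int, bytes]:
        """Return (offset, pad_bytes) for the next n bytes and destroy them locally."""
        if n > self.remaining:
            raise PadExhausted(f"need {n} bytes, {self.remaining} left")
        start = self._cursor
        chunk = bytes(self._pad[start:start + n])
        self._pad[start:start + n] = bytes(n)  # zeroise: these bytes can never be reused
        self._cursor += n
        return start, chunk

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        offset, chunk = self.take(len(plaintext))
        return offset, xor_bytes(plaintext, chunk)

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Receiver side; refuses ciphertext whose offset does not match local state."""
        if offset != self._cursor:
            raise ValueError(f"pad out of sync: expected offset {self._cursor}, got {offset}")
        _, chunk = self.take(len(ciphertext))
        return xor_bytes(ciphertext, chunk)


def demo() -> dict:
    """Round trip, reuse prevention and exhaustion, all on a constructed pad."""
    key, nonce = b"constructed-32-byte-key-for-demo", b"pad-0001"
    pad = generate_pad(64, key, nonce)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    off, ct = sender.encrypt(b"attack at dawn")
    pt = receiver.decrypt(off, ct)
    reuse_blocked = sender._pad[off:off + len(ct)] == bytes(len(ct))
    try:
        sender.take(1000)
        exhausted = False
    except PadExhausted:
        exhausted = True
    return {"roundtrip": pt == b"attack at dawn",
            "reuse_blocked": reuse_blocked,
            "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

Feeding `generate_pad` an entropy source that returns all zeros yields exactly the PRF keystream, which is the point of the insurance layer: a broken TRNG degrades the pad to the computational security of the PRF rather than to nothing. The offset check in `decrypt` is the minimal form of the synchronization problem Bryan names; a production design would also authenticate the ciphertext before consuming pad bytes, which this example leaves out.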