[cryptography] Unbreakable crypto?

Michael Kjörling michael at kjorling.se
Sun Mar 22 11:12:11 EDT 2015

On 22 Mar 2015 10:50 -0400, from givonne at gmx.com (Givon Zirkind):
>>> I was tempted by the promise of software to run a one-time pad on my
>>> machine.  I am a fool and I fall upon my own sword.
>> An unauthenticated one-time pad is trivial to implement; it's
>> literally a few lines of code in any reasonably modern language, and a
>> handful of lines of code in less modern ones.
>> The hard part, as has been pointed out in this thread, is to generate
>> and handle the _pad_.
> imho, this is not as difficult as you say.  using a time-date stamp
> as part of your seed.

Any pseudo-random number generator is going to, _at best_, be exactly
as secure as the entropy of the seed. And the entropy of a
date/time-stamp in most contexts is _incredibly_ low; I would expect a
few tens of bits at the very most even with a high-precision
timestamp. Remember that a timestamp of one second accuracy between
about 1902 and 2038 can be expressed as a single 32-bit integer value,
so for any semi-reasonable range, we'd be looking at an entropy of 30
bits or less. For something like "message was sent between 2011-01-01
and 2017-12-31" (seven full years' range) and one-second precision
that's approximately log(7×365×86400)/log(2) ≅ 27.7 bits of entropy,
assuming no other knowledge on part of the attacker.

The point I made Friday still stands:

# It doesn't matter how the PRNG works. If it's seeded by a key, and
# the pad is regenerable given the key (which it sounds like given the
# description), then it's not an OTP, and you get _at the very best_
# 2^k bits security (where k is the number of entropy bits in the key)
# rather than a proper OTP's 2^n bits security (where n is the length
# of the message, in bits).

There is a time and a place for a seedable CSPRNG together with an
operation to combine the CSPRNG output with the ciphertext or
plaintext. That construct is called a _stream cipher_; it is _not_
called a one-time pad.

> the real difficulty is in the length of the key.  rounding & other
> calculations errors will quickly interfere.
> but, for up to 500 characters, the length of the avg email, imho,
> you can produce a non-reusable pad

1. Do you have any data to suggest that the average length of an
email, even if we play nice by excluding headers and quoted material,
is 500 characters or less? My experience points toward it being
significantly higher.

2. How do you propose to get the pad to the recipient?

3. How do you propose the recipient should securely store the pad
until it is used?

4. How do you guarantee that no part of the pad is ever reused for a
different message?

Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
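An added illustration of the argument above (example code written for this page, not code from any participant in the thread): a "pad" regenerated from a timestamp seed is a key-derived keystream, so its security is capped by the seed's entropy, which the first function computes for the seven-year window quoted in the message. The PRNG, the message and the send window below are constructed for the demonstration.

```python
"""Why a PRNG 'pad' seeded from a timestamp is a weak stream cipher, not an OTP."""
import math
import random
from datetime import datetime


def seed_entropy_bits(start: datetime, end: datetime, precision_s: float = 1.0) -> float:
    """Upper bound on the seed's entropy: log2 of the number of distinct
    timestamps in the send window at the given clock precision."""
    seconds = (end - start).total_seconds()
    return math.log2(seconds / precision_s)


def keystream(seed: int, length: int) -> bytes:
    """The 'pad', regenerated from the seed. Python's Mersenne Twister stands in
    for whatever PRNG the proposed software uses; the argument does not depend
    on which PRNG it is, only on the pad being a function of the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_timestamp_seed(plaintext: bytes, sent_at: int) -> bytes:
    """Stream-cipher encryption where the 'key' is the Unix send time (constructed)."""
    return xor_bytes(plaintext, keystream(sent_at, len(plaintext)))


def recover_by_seed_search(ciphertext: bytes, crib: bytes, window_start: int, window_end: int):
    """Defender-side check of the entropy bound: with the send window known,
    the number of seeds to try is the window size, not 2**len(message).
    Returns (seed, plaintext) for the first candidate matching the crib."""
    for t in range(window_start, window_end + 1):
        candidate = xor_bytes(ciphertext, keystream(t, len(ciphertext)))
        if candidate.startswith(crib):
            return t, candidate
    return None


if __name__ == "__main__":
    # Seven-year window at one-second precision, as in the message above.
    print(round(seed_entropy_bits(datetime(2011, 1, 1), datetime(2018, 1, 1)), 1))
    msg = b"Subject: meet at noon"              # constructed sample message
    sent = 1_300_000_000                        # constructed send time
    ct = encrypt_with_timestamp_seed(msg, sent)
    print(recover_by_seed_search(ct, b"Subject:", sent - 1800, sent + 1800))
```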
