[cryptography] Unbreakable crypto?

Jeffrey Goldberg jeffrey at goldmark.org
Sun Mar 22 14:17:57 EDT 2015

On 22 Mar 2015, at 9:48, Michael Kjörling wrote:

> On 22 Mar 2015 09:36 -0500, from jeffrey at goldmark.org (Jeffrey 
> Goldberg):
>> There are good crypto systems in use which generate pseudo-random
>> pads from keys that are 128 (or 256) bits in length. But these are
>> – at best – no better than the length of their keys.
> Which is, admittedly, _quite good enough_ for almost any _practical_
> purpose that an individual is likely to face.

Oh, absolutely. I am perfectly happy with 128 bit keys.

Indeed, I'm very much on record in defending 128 bit keys in
the face of customer demand for 256 bits.


I was just trying to distinguish between "perfect" secrecy and
everything else (without going into any discussion of asymptotic
security). I think that people who first learn about the OTP
are infatuated with perfect secrecy, and fail to what is really

Although I sympathize with Greg Rose's lament that we are beating
a long dead horse, I think that it is worthwhile to try to understand
why so many people seem to learn (something) about the OTP and then
badly reinvent stream ciphers. And I want to kill off the meme that
is popular in some circles that "the only unbreakable cipher is the

And so I see it as a "teaching moment". Thus if I may repeat
what others have said, I too recommend Dan Boneh's on-line
Cryptography course to Lee and anyone else who doesn't immediately
see why we all so emphatically screamed "No" to these OTP modifications.

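As an added illustration of the point quoted at the top of this message (constructed example code, not anything written by the thread's participants), the following compares a true one-time pad with a pad expanded from a short key; the HMAC-SHA256 counter-mode pad generator and the 16-bit toy key are assumptions chosen only to make the key-length bound visible.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """True one-time pad: pad is uniformly random, message-length, used once."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(pad, plaintext)


def otp_pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy: for ANY equal-length candidate plaintext there is a pad
    (c XOR candidate) that maps it to this ciphertext, and every pad is equally
    likely, so the ciphertext alone cannot favour one candidate over another."""
    assert len(candidate) == len(ciphertext)
    return xor_bytes(ciphertext, candidate)


def keyed_pad(key: bytes, length: int) -> bytes:
    """Hypothetical keyed pad generator (constructed for this example): expand a
    short key with HMAC-SHA256 in counter mode. The pad looks random, but it is
    a function of the key, so at most len(key)*8 bits of secrecy exist."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(keyed_pad(key, len(plaintext)), plaintext)


def key_from_known_prefix(ciphertext: bytes, known_prefix: bytes, key_bits: int) -> Optional[bytes]:
    """Exhaustive search over a deliberately tiny key space to show the bound:
    a few bytes of known plaintext single out the key, hence the whole pad.
    With a real 128-bit key the same loop would need about 2**128 steps,
    which is exactly why 128 bits is "quite good enough" in practice."""
    assert key_bits <= 20, "toy sizes only; the point is the 2**key_bits cost"
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if stream_encrypt(key, known_prefix) == ciphertext[: len(known_prefix)]:
            return key
    return None
```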