The Seduction of the One-Time Pad
Jon Callas
8 October 1998
The Situation
- The One-Time Pad (OTP) is the only provably secure form of encryption
- Cryptography, like life, is filled with uncertainties
- People want certainty, so they think that if they make their system more like an OTP, it will be more certain and more secure
The Seduction
- OTPs are hard
- OTPs attract cranks
- In other fields, certainties attract cranks
- OTPs attract people who should know better
The Problem
- Making crypto like an OTP is like making an airplane like a bird
- Great idea
- Great metaphor
- Some people actually make it work
- In general, a bad idea
Overview
- What is an OTP?
- How do they work?
- Why don’t they work?
- Pseudo-OTPs
- Snake Oil
What is an OTP?
- An OTP takes a string of random numbers as long as the message
- Combines the random numbers with the message
- XOR, modular or rotational arithmetic are good ways to combine them
- This produces cyphertext
- Because all random strings are equally likely, cryptanalysis is impossible
How it works
- Message: ATTACK
- Pad (key): 4 8 20 10 16 1
- Cyphertext: EAMKSL
- But what if the pad was 25 15 11 10 16 1?
- Message is FLBACK
- This is why it’s unbreakable
So Far, So Good
- But what about longer messages?
- You need a longer pad
- You need a lot of pad
- You need a pad for every person you want to talk to
Dangers
- The pad must be cryptographically random
- This takes work
- Cryptographic random numbers are not like other random numbers
- They must be conformists
- You must never reuse a pad
- http://www.nsa.gov:8080/docs/venona/venona.html
- You must never lose a pad
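The pad arithmetic from the "How it works" slide and the reuse danger above, as an added Python example (not part of the original deck), assuming the convention A=0 ... Z=25 with addition mod 26. With that convention the slide's second pad, 25 15 11 10 16 1, does turn EAMKSL into FLBACK, while the pad recovered for ATTACK comes out as 4 7 19 10 16 1, differing by one from the slide's figures at the two positions where the sum wraps past Z; recover_pad shows that every candidate plaintext has some pad that explains the cyphertext, and pad_cancels shows why the pad drops out when it is used twice.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _num(letter: str) -> int:
    return ALPHABET.index(letter)


def encrypt(message: str, pad: list[int]) -> str:
    """Add each pad value to the corresponding letter, modulo 26."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return "".join(ALPHABET[(_num(m) + k) % 26] for m, k in zip(message, pad))


def decrypt(ciphertext: str, pad: list[int]) -> str:
    """Subtract each pad value, modulo 26; the inverse of encrypt()."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return "".join(ALPHABET[(_num(c) - k) % 26] for c, k in zip(ciphertext, pad))


def recover_pad(ciphertext: str, candidate: str) -> list[int]:
    """Pad under which `candidate` would be the plaintext of `ciphertext`.

    Any candidate of the same length has such a pad, so the ciphertext alone
    carries no information about which plaintext was actually sent.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be the same length as the ciphertext")
    return [(_num(c) - _num(p)) % 26 for c, p in zip(ciphertext, candidate)]


def fresh_pad(length: int) -> list[int]:
    """Pad values must come from a cryptographic RNG; the `random` module is not one."""
    return [secrets.randbelow(26) for _ in range(length)]


def pad_cancels(c1: str, c2: str) -> list[int]:
    """Letter-wise difference of two ciphertexts made with the SAME pad.

    (m1 + k) - (m2 + k) = m1 - m2: the pad drops out, so whatever the pad was,
    the relationship between the two plaintexts is exposed. This is why a pad
    must never be reused.
    """
    return [(_num(a) - _num(b)) % 26 for a, b in zip(c1, c2)]
```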
Is this Feasible?
- Suppose we pre-compute 1MB pads
- Suppose you want enough pads for a 1000 person company
- That’s ~500K pads
- That’s 1/2 terabyte
- I’d like a laptop that big!
Is this Feasible?
- Suppose we don’t pre-compute pads
- Pads must be distributed through a secure channel
- If you use a “secure network,” the security level of the pad is that of the network
- You lose provable security
Can These Flaws be Fixed?
- Pseudo-OTP
- A PRNG replaces the RNG
- Pads don’t have to be stored
- Seed material is smaller than pads, easier to secure
- This isn’t an OTP
- It’s a stream cypher
- There is nothing wrong with a stream cypher
- It’s not an OTP
Snake Oil
- A term for medicine with over-broad claims
- Real medicine comes with a list of caveats
- Snake oil may still cure some things
- It’s really an error in labeling
Cranks
- Over-label
- Vague claims
- Wear “persecution” as a badge
- Galileo was persecuted
- I’m persecuted
- Therefore, I’m the next Galileo
- Ignore peer review, publication process
- Exception -- patents
Identifying Snake Oil
- No Papers
- No Algorithms
- No Publication
- No Documentation
- Outrageous claims
- Thousand to Million bit keys
- Access to secret knowledge
- Etc.
Very Long Keys
- There are 2**85 nanoseconds until the sun goes nova
- There are 2**170 atoms in Planet Earth
- If every atom on the planet tests a key per nanosecond, it will check 255 bits of key space when the sun goes nova
Coming Full Circle
- There’s no certainty in security
- We settle for predictability
- Reasonably designed systems have predictable security parameters
- The reasonable design of 256-bit cyphers is a leap from the reasonable design of 128-bit systems
- There is no assurance that longer keys in known systems give more security
Questions?