Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site utcsrgv.UUCP
Path: utzoo!utcsrgv!outer
From: outer@utcsrgv.UUCP (Richard Outerbridge)
Newsgroups: net.crypt
Subject: Re: secure codes
Message-ID: <3278@utcsrgv.UUCP>
Date: Tue, 14-Feb-84 15:25:25 EST
Article-I.D.: utcsrgv.3278
Posted: Tue Feb 14 15:25:25 1984
Date-Received: Tue, 14-Feb-84 16:12:32 EST
References: <239@vortex.UUCP> <620@nsc.UUCP>, <574@orca.UUCP>
Organization: CSRG, University of Toronto
Lines: 32

What is wrong with one-time pads?  Two things, expense and applicability.  The
one-time system requires as much key as message, and the key must be
distributed with perfect security.  The one-time system is a 'stream' cipher,
which restricts its usefulness for protecting static data.

If you have a network of N stations, all of which may talk to each other, you
require (N-1)**2 one-time pads (or one pad split into that many sections, or a
protocol that takes care of 'crossing off' used sections).  Each pad has to be
big enough to handle all the data transmitted on that link.  Anyway, it will be
seen that this is only a practical objection; mass storage is becoming cheaper,
and networking sophistication greater.

On the other hand, consider the protection of on-line data rather than data
transmission.  To use a one-time scheme doubles the storage requirements.
You can't do partial updates without re-enciphering with a new one-time key.
Random access becomes harder because you have to match key with cipher text.
Of course, you have to protect the on-line "one-time" key from inspection.
Then there are problems of undetected data modification (because of known
plaintext).  Still, it may be that these too are only practical problems.

The use of one-time systems is becoming more and more feasible, if no less
problematic, but the allure of other cryptosystems is still economic: if you
need 1 unit of key for every unit of plaintext, you end up transmitting (or
"distributing") as much information over discrete ("outside") channels as you
do over the insecure channels.  Obviously the timeliness of the insecure 
communication provides the economic justification for the scheme, but you can
see that taken to an extreme perfect security is at best ludicrous.  Hence
the interest in "practically" or computationally secure cryptography.  In
effect this means schemes that have a lifespan of as few as ten years.  Whether
this makes much more sense is an open question.  The hope is to find one (for
example, RSA) whose useful life is likely to be several decades.

Richard Outerbridge	outer@utcsrgv	UofToronto CSRG
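The following is an added example, not part of Outerbridge's post, that works through the three practical objections the post raises against one-time pads for on-line data: the pad must be 'crossed off' as it is spent, a partial update under the same pad bytes leaks the XOR of old and new plaintext, and an attacker with known plaintext can modify the data undetected. The PadPool class, the decision to send the pad offset in the clear, and the sample pad and message are all assumptions made for the demonstration.

```python
"""One-time pad demo: pad bookkeeping, malleability, and the partial-update trap.

Added example, not from the original net.crypt post.  PadPool, the in-the-clear
offset, and the sample data are assumptions made for illustration.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole of a one-time pad's 'cipher')."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class PadPool:
    """A shared pad with a 'crossing off' cursor so no section is ever reused.

    Both ends hold an identical copy and must agree on which sections are spent.
    Assumption: the offset travels in the clear with the ciphertext; only the
    pad bytes themselves are secret.
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._used = 0  # everything before this index is crossed off

    def take(self, n: int) -> tuple[int, bytes]:
        """Return (offset, section) and cross off n bytes; refuse if exhausted."""
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: need a fresh pad, never reuse")
        offset = self._used
        self._used += n
        return offset, self._pad[offset:offset + n]

    def section(self, offset: int, n: int) -> bytes:
        """Receiver side: read the section the sender reported using."""
        return self._pad[offset:offset + n]

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used


def encrypt(pool: PadPool, plaintext: bytes) -> tuple[int, bytes]:
    offset, key = pool.take(len(plaintext))
    return offset, xor_bytes(plaintext, key)


def decrypt(pool: PadPool, offset: int, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pool.section(offset, len(ciphertext)))


def tamper(ciphertext: bytes, pos: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker who knows the plaintext at `pos` rewrites it to `wanted` without the key.

    Flipping ciphertext bits flips the same plaintext bits; a bare one-time pad
    gives the receiver nothing to detect it with.
    """
    delta = xor_bytes(known, wanted)
    end = pos + len(delta)
    return ciphertext[:pos] + xor_bytes(ciphertext[pos:end], delta) + ciphertext[end:]


def reuse_leak(old_ct: bytes, new_ct: bytes) -> bytes:
    """Two records enciphered under the same pad bytes XOR to old_pt ^ new_pt:
    the pad cancels out entirely, which is why an in-place update needs fresh key."""
    return xor_bytes(old_ct, new_ct)


def demo() -> dict:
    pad = secrets.token_bytes(64)            # constructed sample pad
    alice, bob = PadPool(pad), PadPool(pad)  # both stations hold the same pad

    msg = b"PAY 0100 TO CAROL"               # constructed message with a fixed layout
    off, ct = encrypt(alice, msg)
    forged = tamper(ct, 4, b"0100", b"9900")  # known-plaintext field at bytes 4..7
    forged_pt = decrypt(bob, off, forged)

    # Partial update done wrong: re-encipher the new record under the same section.
    new_msg = b"PAY 0500 TO CAROL"
    wrong_ct = xor_bytes(new_msg, pad[off:off + len(new_msg)])
    leaked = reuse_leak(ct, wrong_ct)

    # Done right: fresh pad bytes, costing as much pad as message all over again.
    off2, _right_ct = encrypt(alice, new_msg)

    return {
        "roundtrip": decrypt(bob, off, ct),
        "forged": forged_pt,
        "leak_equals_pt_xor": leaked == xor_bytes(msg, new_msg),
        "pad_left": alice.remaining,
        "fresh_offset": off2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the forged record decrypting cleanly to "PAY 9900 TO CAROL" with no error raised, the reused-pad leak equal to the XOR of the two plaintexts, and the pad cursor advancing by the full message length on every fresh encipherment.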