Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site utcsrgv.UUCP
Path: utzoo!utcsrgv!outer
From: outer@utcsrgv.UUCP (Richard Outerbridge)
Newsgroups: net.crypt
Subject: Re: secure codes
Message-ID: <3278@utcsrgv.UUCP>
Date: Tue, 14-Feb-84 15:25:25 EST
Article-I.D.: utcsrgv.3278
Posted: Tue Feb 14 15:25:25 1984
Date-Received: Tue, 14-Feb-84 16:12:32 EST
References: <239@vortex.UUCP> <620@nsc.UUCP>, <574@orca.UUCP>
Organization: CSRG, University of Toronto
Lines: 32

What is wrong with one-time pads? Two things, expense and applicability. The one-time system requires as much key as message; and the key must be distributed with perfect security. The one-time system is a 'stream' cipher, which restricts its usefulness for protecting static data. If you have a network of N stations, all of which may talk to each other, you require (N-1)**2 one-time pads (or one pad split into that many sections, or a protocol that takes care of 'crossing off' used sections). Each pad has to be big enough to handle all the data transmitted on that link. Anyway, it will be seen that this is only a practical objection; mass storage is becoming cheaper, and networking sophistication greater.

On the other hand, consider the protection of on-line data rather than data transmission. To use a one-time scheme doubles the storage requirements. You can't do partial updates without re-enciphering with a new one-time key. Random access becomes harder because you have to match key with cipher text. Of course, you have to protect the on-line "one-time" key from inspection. Then there are problems of undetected data modification (because of known plaintext). Still, it may be that these too are only practical problems.
The use of one-time systems is becoming more and more feasible, if no less problematic, but the allure of other cryptosystems is still economic: if you need 1 unit of key for every unit of plaintext, you end up transmitting (or "distributing") as much information over discrete ("outside") channels as you do over the insecure channels. Obviously the timeliness of the insecure communication provides the economic justification for the scheme, but you can see that taken to an extreme perfect security is at best ludicrous. Hence the interest in "practically" or computationally secure cryptography. In effect this means schemes that have a lifespan of as few as ten years. Whether this makes much more sense is an open question. The hope is to find one (for example, RSA) whose useful life is likely to be several decades.

Richard Outerbridge
outer@utcsrgv UofToronto CSRG
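Two of the costs the post names, "as much key as message" and "undetected data modification (because of known plaintext)", are easy to see in a few lines. The following is an added illustration, not code from the post or its author: a byte-wise XOR one-time pad, a constructed sample message, a check that the pad must cover the whole message, a demonstration that XOR-ing a mask into one ciphertext byte changes the recovered plaintext byte predictably without the pad, and, as a mitigation the post does not mention, an HMAC over the ciphertext (separate key) that rejects the modified ciphertext. The message text, the use of HMAC-SHA256 and the helper names are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the pad byte at the same position.

    The pad must be at least as long as the message: this is the
    'as much key as message' cost the post describes.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: a one-time pad needs as much key as plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def xor_into_ciphertext(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Model the modification problem: XOR-ing a mask into one ciphertext byte
    XORs the same mask into the recovered plaintext byte, and the pad itself
    is never needed to do it (the 'known plaintext' problem in the post)."""
    out = bytearray(ciphertext)
    out[offset] ^= mask
    return bytes(out)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext (HMAC-SHA256 under a separate key).
    A one-time pad gives secrecy only; this is the check it lacks."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(ciphertext: bytes, tag: bytes, mac_key: bytes, pad: bytes):
    """Return the plaintext only if the tag matches; None on any modification."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return otp_decrypt(ciphertext, pad)


def demo() -> dict:
    # Constructed sample message and freshly drawn keys (assumptions of this example).
    message = b"PAY 100 TO ALICE"
    pad = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)

    ciphertext = otp_encrypt(message, pad)
    roundtrip = otp_decrypt(ciphertext, pad) == message

    # Offset 4 holds '1' (0x31); mask 0x08 turns it into '9' (0x39) after
    # decryption, and a plain one-time pad gives no sign that anything changed.
    tampered = xor_into_ciphertext(ciphertext, 4, 0x08)
    tampered_plaintext = otp_decrypt(tampered, pad)

    # With a MAC over the ciphertext the same change is detected before decryption.
    tag = mac_tag(mac_key, ciphertext)
    accepted_original = verify_and_decrypt(ciphertext, tag, mac_key, pad)
    accepted_tampered = verify_and_decrypt(tampered, tag, mac_key, pad)

    return {
        "roundtrip": roundtrip,
        "tampered_plaintext": tampered_plaintext,
        "mac_accepts_original": accepted_original == message,
        "mac_rejects_tampered": accepted_tampered is None,
        # Key material consumed equals message length: on-line storage doubles.
        "key_bytes_used": len(pad),
        "message_bytes": len(message),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the round trip succeeding, the modified ciphertext decrypting to `PAY 900 TO ALICE` under the untouched pad, and the HMAC check returning `None` for the modified ciphertext while accepting the original; `key_bytes_used` equals `message_bytes`, which is the storage-doubling cost for on-line data the post points out.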