The Seduction of the One-Time Pad

1
The Seduction of the One-Time Pad
  • Jon Callas
  • 8 October 1998

2
The Situation
  • The One-Time Pad (OTP) is the only provably
    secure form of encryption
  • Cryptography, like life, is filled with
    uncertainties
  • People want certainty, so they think that if they
    make their system more like an OTP, it will be
    more certain and more secure

3
The Seduction
  • OTPs are hard
  • OTPs attract cranks
  • In other fields, certainties attract cranks
  • OTPs attract people who should know better

4
The Problem
  • Making crypto like an OTP is like making an
    airplane like a bird
  • Great idea
  • Great metaphor
  • Some people actually make it work
  • In general, a bad idea

5
Overview
  • What is an OTP?
  • How do they work?
  • Why don't they work?
  • Pseudo-OTPs
  • Snake Oil

6
What is an OTP?
  • OTP takes a string of random numbers as long as
    the message
  • Combines the random numbers with the message
  • XOR, modular or rotational arithmetic are good ways
  • This produces cyphertext
  • Because all random strings are equally likely,
    cryptanalysis is impossible

7
How it works
  • Message: ATTACK
  • Pad (key): 4 8 20 10 16 1
  • Cyphertext: EAMKSL
  • But what if the pad was 25 15 11 10 16 1?
  • Message is FLBACK
  • This is why it's unbreakable

8
So Far, So Good
  • But what about longer messages?
  • You need a longer pad
  • You need a lot of pad
  • You need a pad for every person you want to talk
    to.

9
Dangers
  • The pad must be cryptographically random
  • This takes work
  • Cryptographic random numbers are not like other
    random numbers
  • They must be conformists
  • You must never reuse a pad
  • http://www.nsa.gov:8080/docs/venona/venona.html
  • You must never lose a pad
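
Added example (not from the original slides): the slide 7 arithmetic in Python, assuming A=0 ... Z=25 with the pad added mod 26 to encrypt and subtracted to decrypt. `pad_for` shows that every same-length guess has a pad that produces it from the slide's cyphertext, and `reuse_leak` shows what an observer can compute when one pad is used twice; DEFEND and all function names are constructed for illustration.

```python
import secrets
import string

ALPHA = string.ascii_uppercase  # assumed convention: A=0 ... Z=25

def _shift(text, pad, sign):
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    return "".join(ALPHA[(ALPHA.index(ch) + sign * k) % 26]
                   for ch, k in zip(text, pad))

def encrypt(msg, pad):
    """Add each pad value to its letter, mod 26."""
    return _shift(msg, pad, +1)

def decrypt(ct, pad):
    """Subtract each pad value from its letter, mod 26."""
    return _shift(ct, pad, -1)

def diff(a, b):
    """Position-wise (a - b) mod 26 of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return [(ALPHA.index(x) - ALPHA.index(y)) % 26 for x, y in zip(a, b)]

def pad_for(ct, guess):
    """The one pad under which ct decrypts to guess; every guess has one."""
    return diff(ct, guess)

def reuse_leak(m1, m2):
    """Encrypt two messages with the same fresh pad and return what an
    observer of both cyphertexts can compute without knowing the pad."""
    pad = [secrets.randbelow(26) for _ in m1]
    return diff(encrypt(m1, pad), encrypt(m2, pad))

if __name__ == "__main__":
    ct = "EAMKSL"  # cyphertext from the slide
    print(decrypt(ct, [25, 15, 11, 10, 16, 1]))   # the slide's second pad
    for guess in ("ATTACK", "FLBACK", "DEFEND"):  # DEFEND is a constructed guess
        pad = pad_for(ct, guess)
        print(guess, pad, decrypt(ct, pad) == guess)
    # Pad reuse: the pad cancels out, leaving the difference of the plaintexts.
    print(reuse_leak("ATTACK", "DEFEND") == diff("ATTACK", "DEFEND"))
```

Under the assumed A=0 convention the slide's second pad yields FLBACK exactly, and the pad computed for ATTACK is 4 7 19 10 16 1.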

10
Is this Feasible?
  • Suppose we pre-compute 1MB pads
  • Suppose you want enough pads for a 1000 person
    company
  • That's 500K pads
  • That's 1/2 terabyte
  • I'd like a laptop that big!

11
Is this Feasible?
  • Suppose we don't pre-compute pads
  • Pads must be distributed through a secure channel
  • If you use a secure network, the security level
    of the pad is that of the network
  • You lose provable security

12
Can These Flaws be Fixed?
  • Pseudo-OTP
  • A PRNG replaces the RNG
  • Pads don't have to be stored
  • Seed material is smaller than pads, easier to
    secure
  • This isn't an OTP
  • It's a stream cypher
  • There is nothing wrong with a stream cypher
  • It's not an OTP

13
Snake Oil
  • A term for medicine with over-broad claims
  • Real medicine comes with a list of caveats
  • Snake oil may still cure some things
  • It's really an error in labeling

14
Cranks
  • Over-label
  • Vague claims
  • Wear persecution as a badge
  • Galileo was persecuted
  • I'm persecuted
  • Therefore, I'm the next Galileo
  • Ignore peer review, publication process
  • Exception -- patents

15
Identifying Snake Oil
  • No Papers
  • No Algorithms
  • No Publication
  • No Documentation
  • Outrageous claims
  • Thousand to Million bit keys
  • Access to secret knowledge
  • Etc.

16
Very Long Keys
  • There are 2^85 nanoseconds until the sun goes
    nova
  • There are 2^170 atoms in Planet Earth
  • If every atom on the planet tests a key per
    nanosecond, it will check 255 bits of key space
    when the sun goes nova

17
Coming Full Circle
  • There's no certainty in security
  • We settle for predictability
  • Reasonably designed systems have predictable
    security parameters
  • The reasonable design of 256-bit cyphers is a
    leap from the reasonable design of 128-bit
    systems
  • There is no assurance that longer keys in known
    systems give more security

18
Questions?