
The Seduction of the One-Time Pad

Jon Callas, 8 October 1998


Presentation Transcript


  1. The Seduction of the One-Time Pad
     Jon Callas, 8 October 1998

  2. The Situation
     • The One-Time Pad (OTP) is the only provably secure form of encryption
     • Cryptography, like life, is filled with uncertainties
     • People want certainty, so they think that if they make their system more like an OTP, it will be more certain and more secure

  3. The Seduction
     • OTPs are hard
     • OTPs attract cranks
     • In other fields, certainties attract cranks
     • OTPs attract people who should know better

  4. The Problem
     • Making crypto like an OTP is like making an airplane like a bird
     • Great idea
     • Great metaphor
     • Some people actually make it work
     • In general, a bad idea

  5. Overview
     • What is an OTP?
     • How do they work?
     • Why don’t they work?
     • Pseudo-OTPs
     • Snake Oil

  6. What is an OTP?
     • OTP takes a string of random numbers as long as the message
     • Combines the random numbers with the message
     • XOR, modular or rotational arithmetic are good ways
     • This produces cyphertext
     • Because all random strings are equally likely, cryptanalysis is impossible

  7. How it works
     • Message: ATTACK
     • Pad (key): 4 8 20 10 16 1
     • Cyphertext: EAMKSL
     • But what if the pad was 25 15 11 10 16 1?
     • Message is FLBACK
     • This is why it’s unbreakable

  8. So Far, So Good
     • But what about longer messages?
     • You need a longer pad
     • You need a lot of pad
     • You need a pad for every person you want to talk to

  9. Dangers
     • The pad must be cryptographically random
     • This takes work
     • Cryptographic random numbers are not like other random numbers
     • They must be conformists
     • You must never reuse a pad
     • http://www.nsa.gov:8080/docs/venona/venona.html
     • You must never lose a pad

  10. Is this Feasible?
     • Suppose we pre-compute 1MB pads
     • Suppose you want enough pads for a 1000 person company
     • That’s ~500K pads
     • That’s 1/2 terabyte
     • I’d like a laptop that big!

  11. Is this Feasible?
     • Suppose we don’t pre-compute pads
     • Pads must be distributed through a secure channel
     • If you use a “secure network,” the security level of the pad is that of the network
     • You lose provable security

  12. Can These Flaws be Fixed?
     • Pseudo-OTP
     • A PRNG replaces the RNG
     • Pads don’t have to be stored
     • Seed material is smaller than pads, easier to secure
     • This isn’t an OTP
     • It’s a stream cypher
     • There is nothing wrong with a stream cypher
     • It’s not an OTP

  13. Snake Oil
     • A term for medicine with over-broad claims
     • Real medicine comes with a list of caveats
     • Snake oil may still cure some things
     • It’s really an error in labeling

  14. Cranks
     • Over-label
     • Vague claims
     • Wear “persecution” as a badge
     • Galileo was persecuted
     • I’m persecuted
     • Therefore, I’m the next Galileo
     • Ignore peer review, publication process
     • Exception -- patents

  15. Identifying Snake Oil
     • No Papers
     • No Algorithms
     • No Publication
     • No Documentation
     • Outrageous claims
     • Thousand to Million bit keys
     • Access to secret knowledge
     • Etc.

  16. Very Long Keys
     • There are 2**85 nanoseconds until the sun goes nova
     • There are 2**170 atoms in Planet Earth
     • If every atom on the planet tests a key per nanosecond, it will check 255 bits of key space when the sun goes nova

  17. Coming Full Circle
     • There’s no certainty in security
     • We settle for predictability
     • Reasonably designed systems have predictable security parameters
     • The reasonable design of 256-bit cyphers is a leap from the reasonable design of 128-bit systems
     • There is no assurance that longer keys in known systems give more security

  18. Questions?
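
The pad arithmetic of slide 7 and the pad-reuse danger of slide 9, as an added Python example that is not part of the original presentation. It assumes letters A=0 … Z=25 with pad values added mod 26, and DEFEND is a constructed candidate message. Under that assumed convention the pad that takes ATTACK to EAMKSL computes as 4 7 19 10 16 1, and the slide's second pad 25 15 11 10 16 1 decrypts EAMKSL to FLBACK as stated.

```python
# Added example (not from the slides). Assumed convention: A=0..Z=25,
# pad values are added to the message letters mod 26.
A = ord("A")

def encrypt(message, pad):
    """Combine each letter with one pad value (addition mod 26)."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return "".join(chr((ord(m) - A + k) % 26 + A) for m, k in zip(message, pad))

def decrypt(cyphertext, pad):
    """Remove the pad (subtraction mod 26)."""
    if len(pad) < len(cyphertext):
        raise ValueError("pad must be at least as long as the cyphertext")
    return "".join(chr((ord(c) - A - k) % 26 + A) for c, k in zip(cyphertext, pad))

def pad_for(cyphertext, candidate):
    """Return the pad under which `cyphertext` decrypts to `candidate`.

    One exists for every candidate of the same length, which is why the
    cyphertext alone says nothing about the message.
    """
    if len(cyphertext) != len(candidate):
        raise ValueError("candidate must be as long as the cyphertext")
    return [(ord(c) - ord(p)) % 26 for c, p in zip(cyphertext, candidate)]

def reuse_leak(c1, c2):
    """Subtract two cyphertexts made with the SAME pad.

    The pad cancels out, leaving (m1 - m2) mod 26: a relation between the
    two messages that no longer depends on the key.
    """
    return [(ord(a) - ord(b)) % 26 for a, b in zip(c1, c2)]

if __name__ == "__main__":
    cyphertext = "EAMKSL"  # cyphertext from slide 7
    for candidate in ("ATTACK", "FLBACK", "DEFEND"):  # DEFEND is constructed
        pad = pad_for(cyphertext, candidate)
        assert decrypt(cyphertext, pad) == candidate
        print(f"{candidate} <- pad {pad}")

    # Reusing one pad for two messages: the difference is key-independent.
    pad = pad_for(cyphertext, "ATTACK")
    second = encrypt("DEFEND", pad)
    print("c1 - c2 =", reuse_leak(cyphertext, second))
    print("m1 - m2 =", reuse_leak("ATTACK", "DEFEND"))
```
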
