whos to say? we're jus trapt on erf together.

On Mar 21, 2015 11:37 PM, "Seth David Schoen" <sch...@eff.org> wrote:
> Lee writes:
>
> > On 3/21/15, Jeffrey Goldberg <jeff...@goldmark.org> wrote:
> > > [Apologies for quoting badly]
> > >
> > > No! A thousand times no.
> > >
> > > (1) the file isn't secret
> >
> > But the fact that I'm using it as my one-time pad is. Why isn't that
> > good enough?
>
> If an attacker has access to the same web sites and databases that you
> do, the attacker could just try all of the files in them. There
> shouldn't be more than 2⁵⁰ publicly-accessible files out there, right?
>
> Or maybe each file in a copy of the Internet Archive, say. One of them
> is actually going to be that ISO file!
>
> There are other conceptual problems that are much worse than this
> practical problem. The biggest conceptual problem is that, for the
> one-time pad setting that has been mathematically proven secure, the
> shortest description of the pad you are using should normally be the pad
> itself. If there is a shorter description, the attacker first of all has
> a smaller work factor (set of things to try), but what's really _much much
> much_ worse conceptually, the attacker has a probability of being able
> to usefully distinguish one possible decryption as more likely than others.
>
> In the ideal one-time pad, there is no basis on which an attacker (even
> an attacker with completely unbounded resources) can usefully say that
> one proposed decryption is more likely to be right than another, at
> least compared to the attacker's prior beliefs about what the plaintext
> was likely to be. But if there is a meaningfully shorter description of
> what you used as the pad, then an attacker with vast resources who
> correctly guesses what that was will know that it's likely to be right,
> which is a kind of success that the attacker couldn't have achieved with
> a truly random pad.
>
> *True random pad*: Attacker doesn't know whether pad k₁ is actually more
> likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
> plausible plaintexts.
>
> *Choosing a meaningful file but keeping secret which one you used*: An
> attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
> and f₁ itself appear "meaningful", so it's more likely that f₁ is
> correct compared to some other f₂ which is not "meaningful".
>
>
> This is the great thing about the classical one-time pad: the attacker
> _literally doesn't know when the attack was successful_, a fact which
> has nothing to do with how powerful the attacker is (how many keys the
> attacker is able to try guessing). In the classical one-time pad with
> a true random pad, even an attacker who can try _every single_ pad
> literally doesn't have any evidence which could reveal which one was
> right, or which could reveal any new fact or property about the
> plaintext. Relaxing the randomness assumption, in turn, undermines this
> conclusion because the attacker can now have some conceivable indication
> about "being on the right track" (even if that's merely statistical),
> which could simply never happen with a true random pad.
>
> --
> Seth Schoen <sch...@eff.org>
> Senior Staff Technologist https://www.eff.org/
> Electronic Frontier Foundation https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
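The contrast Seth draws between a true random pad and a secretly chosen public file can be made concrete in a few lines. The Python below is an added illustration, not code from anyone in the thread. The three "public files", the plaintext, and the filenames are constructed, and `looks_meaningful` (fraction of printable ASCII bytes) is a deliberately crude stand-in for whatever test an attacker would really use to recognise text. The first part plays the attacker who knows the pad is *some* file from a small public corpus and scores each candidate by how text-like both the candidate pad f₁ and the decryption c ⊕ f₁ are; the second part checks the classical property that, under a uniformly random pad, every same-length candidate plaintext is explained by exactly one pad, so there is nothing to rank.

```python
"""Why a publicly available file is a poor one-time pad (added example)."""
import os
import string

PRINTABLE = frozenset(string.printable.encode())


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR `data` with the first len(data) bytes of `pad`."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def looks_meaningful(data: bytes) -> float:
    """Crude score in [0, 1]: fraction of bytes that are printable ASCII."""
    return sum(b in PRINTABLE for b in data) / len(data)


# Constructed stand-in for "files anyone can download" (the Internet Archive
# in the thread): large in practice, but still enumerable by the attacker.
PUBLIC_FILES = {
    "quick.txt": b"The Quick Brown Fox Jumps Over The Lazy Dog",
    "shining.txt": b"all work and no play makes jack a dull boy",
    "lorem.txt": b"Lorem Ipsum dolor sit amet consectetur adipiscing",
}

PLAINTEXT = b"attack at dawn; the password is hunter2"  # constructed, 39 bytes


def rank_candidate_pads(ciphertext: bytes, corpus: dict) -> list:
    """Attacker who knows the pad is *some* public file: try each candidate
    and score how text-like both the candidate pad (f1) and the resulting
    decryption (c XOR f1) are. Returns (score, filename), best first."""
    n = len(ciphertext)
    ranked = []
    for name, content in corpus.items():
        if len(content) < n:
            continue  # too short to have been the pad at all
        candidate_pad = content[:n]
        candidate_plain = otp(ciphertext, candidate_pad)
        score = looks_meaningful(candidate_pad) * looks_meaningful(candidate_plain)
        ranked.append((score, name))
    return sorted(ranked, reverse=True)


def attacker_identifies_file(secret_file: str) -> str:
    """Encrypt with a public file kept 'secret' and return the attacker's
    top-ranked guess for which file it was."""
    ciphertext = otp(PLAINTEXT, PUBLIC_FILES[secret_file])
    return rank_candidate_pads(ciphertext, PUBLIC_FILES)[0][1]


def explaining_pad(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """The unique pad under which `ciphertext` decrypts to `candidate_plaintext`."""
    return otp(ciphertext, candidate_plaintext)


def random_pad_gives_no_evidence(candidates) -> bool:
    """With a uniformly random pad (os.urandom, used once), every same-length
    plaintext is explained by exactly one pad, and that pad is itself uniform,
    so no decryption can be ranked above another: the attacker cannot tell
    when a guess is right. Returns True when every candidate is explained."""
    pad = os.urandom(len(PLAINTEXT))
    ciphertext = otp(PLAINTEXT, pad)
    return all(
        otp(c, explaining_pad(ciphertext, c)) == ciphertext
        for c in candidates
        if len(c) == len(PLAINTEXT)
    )


if __name__ == "__main__":
    for name in PUBLIC_FILES:
        print(f"secret pad {name!r:14} -> attacker's guess {attacker_identifies_file(name)!r}")
    alternatives = [PLAINTEXT, b"meet me at dusk; the password is letme1"]
    print("random pad explains every candidate:", random_pad_gives_no_evidence(alternatives))
```

Run stand-alone, the first loop names the correct file every time: the right candidate scores 1.0 because both the file and the decryption are clean text, while a wrong file leaves control bytes in c ⊕ f₂. Swapping the corpus for something bigger changes the attacker's work factor but not the signal; the random-pad check at the end is what removes the signal entirely.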