On Wed, Jul 31, 2013 at 02:29:20PM -0700, Steve Weis wrote:
> I don't really see a practical use case for one-time pads. You have to
> assume that you can securely deliver the pad to someone in advance of
> any other communications.

This is the key management problem. If I want to secure a 10MB/day channel, I have to deliver a 64GB microSD card to my correspondent every 150 years. Not significantly worse than any other cryptography key management problem (most of which, in practice, for truly paranoid users, turn into a physical transaction).

> Then someone may force you to exhaust your
> pad bits by corrupting or dropping messages in transit.

An attacker with control of your wire can deny you service. News at 11! What cryptosystem does not have this property?

> Regardless, you could use a one-time MAC on the ciphertext. Here are
> some lecture notes on the topic:
> http://cs.nyu.edu/~dodis/randomness-in-crypto/lecture1.pdf

Thanks for the link, that looks very helpful (although too dense for me to absorb quickly right now).

> For each message, you will need to uniformly sample a
> pairwise-independent hash function to compute an authentication tag.
> That hash function will either limit the max size of your message to
> the domain of the function, or you will need to use a message digest
> function and uniformly map its output into the domain of the hash.

For my 10MB/day channel use case, a 2x ciphertext expansion and 2x pad consumption factor is acceptable, which I am pretty confident can provide an "information theoretic probabilistic message integrity guarantee", to coin a phrase.

-andy

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
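The construction discussed in this exchange (one-time pad for confidentiality, a one-time MAC on the ciphertext keyed from the same pad for integrity), as an added worked example; this is not code from the list, from Andy, or from the lecture notes linked above. It assumes a Poly1305-style polynomial hash over the prime field Z_p with p = 2^127 - 1, which handles messages of any length rather than being limited to one hash domain. That hash is almost-delta-universal rather than strictly pairwise independent: an attacker who sees one (ciphertext, tag) pair forges a new valid pair with probability at most about (L + 1)/p for an L-block ciphertext, with no computational assumption. The pad layout (XOR key, then r, then s), the block size, and the function names are choices made for this example.

```python
"""One-time pad plus an information-theoretic one-time MAC on the ciphertext.

Added example, not code from the thread. Construction assumed here:
  ciphertext = message XOR fresh pad bytes
  tag        = (poly_r(ciphertext) + s) mod p,   p = 2^127 - 1
where r (hash key) and s (one-time mask) are uniform field elements drawn
from the same pad and never reused. Cost per message: len(message) + 32 pad
bytes and 16 bytes of wire expansion.
"""
import hmac                       # hmac.compare_digest: constant-time equality
from typing import Optional

P = (1 << 127) - 1                # Mersenne prime; field for the hash
BLOCK = 15                        # 15 data bytes + 1 terminator byte < 2^121 < P
FIELD_BYTES = 16                  # bytes drawn per field element; also tag size


class Pad:
    """Shared pad with a cursor. Every byte is handed out at most once."""

    def __init__(self, material: bytes) -> None:
        self._m = material
        self.used = 0             # both endpoints must advance this identically

    def take(self, n: int) -> bytes:
        if self.used + n > len(self._m):
            raise RuntimeError("pad exhausted")
        out = self._m[self.used:self.used + n]
        self.used += n
        return out

    def field_element(self) -> int:
        """Uniform element of Z_p: mask 128 pad bits down to 127 and reject
        the single value equal to P (probability 2^-127). Both sides read the
        same pad, so the rejection loop stays in sync."""
        while True:
            x = int.from_bytes(self.take(FIELD_BYTES), "big") & P
            if x != P:
                return x


def poly_hash(r: int, data: bytes) -> int:
    """Horner evaluation of c_1*r^L + ... + c_L*r over Z_p. Each chunk gets a
    0x01 terminator before conversion so chunks of different lengths encode
    to different non-zero field elements (the Poly1305 trick)."""
    h = 0
    for i in range(0, len(data), BLOCK):
        c = int.from_bytes(data[i:i + BLOCK] + b"\x01", "little")
        h = (h + c) * r % P
    return h


def seal(pad: Pad, message: bytes) -> bytes:
    """Encrypt with the pad, then tag the ciphertext with a fresh (r, s)."""
    ct = bytes(m ^ k for m, k in zip(message, pad.take(len(message))))
    r = pad.field_element()
    s = pad.field_element()
    tag = (poly_hash(r, ct) + s) % P
    return ct + tag.to_bytes(FIELD_BYTES, "big")


def unseal(pad: Pad, packet: bytes) -> Optional[bytes]:
    """Verify, then decrypt. Returns None on a bad tag. Pad bytes are spent
    whether or not the tag checks out: an attacker who corrupts traffic burns
    the receiver's pad, which is the denial-of-service point from the thread."""
    if len(packet) < FIELD_BYTES:
        return None
    ct, tag = packet[:-FIELD_BYTES], packet[-FIELD_BYTES:]
    key = pad.take(len(ct))       # same draw order as seal(): XOR key, r, s
    r = pad.field_element()
    s = pad.field_element()
    expected = ((poly_hash(r, ct) + s) % P).to_bytes(FIELD_BYTES, "big")
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, key))


def roundtrip_and_tamper(shared: bytes, message: bytes) -> tuple:
    """Sender and receiver start from identical pad copies. Returns
    (decrypted, result_after_bit_flip, pad_bytes_spent_by_receiver)."""
    sender, receiver = Pad(shared), Pad(shared)
    packet = seal(sender, message)
    plain = unseal(receiver, packet)

    # Plain OTP is malleable: flipping ciphertext bit 0 flips plaintext bit 0
    # undetected. With the tag, the receiver rejects the packet instead.
    forged = bytearray(packet)
    forged[0] ^= 0x01
    receiver2 = Pad(shared)
    rejected = unseal(receiver2, bytes(forged))
    return plain, rejected, receiver2.used


if __name__ == "__main__":
    import os
    pad_material = os.urandom(4096)   # constructed stand-in for the delivered pad
    print(roundtrip_and_tamper(pad_material, b"Meet at the usual place, 21:00."))
```

Two practical caveats the example makes visible: the receiver spends pad on every packet it sees, accepted or not, so a wire attacker can drain it; and the simple cursor means a dropped or truncated packet desynchronizes the two sides, so a real channel would carry the pad offset in the clear alongside each packet.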
