From: Mok-Kong Shen on 4 Jan 2010 13:28

rossum wrote:
> Richard Outerbridge wrote:
>
>> Now, obviously, 1320000 bits is nowhere close to infinity,
>> but it's easily conveyed, transported and pre-established.
>>
>> If SuperKISS is all Marsaglia claims it to be, why couldn't
>> it form the basis of a practical, unbreakable, one-time-pad
>> system?
> It could possibly be the basis of a perfectly good practical stream
> cypher. It could never be a One Time Pad. If there is no TRNG
> involved then there is no OTP either. KISS may well be a very good
> PRNG but it is not a TRNG.

I use to think that one should (in practice) be content with
(reasonably) sufficiently high practical security. For the theoretical
perfect security of OTP is by its nature never (in the absolute sense)
practically achievable for diverse practical reasons. (One well-known
practical attempt to use OTP that badly failed was Vernona.)

M. K. Shen
From: unruh on 4 Jan 2010 15:30

On 2010-01-04, Richard Outerbridge <outer(a)interlog.com> wrote:
> In article <5b24k5970vopcd86071vb2vga461qeahso(a)4ax.com>,
> rossum <rossum48(a)coldmail.com> wrote:
>
>> On Mon, 04 Jan 2010 02:25:13 +0100, Ohm <Ohm(a)no.no> wrote:
>> This is not a One Time Pad, so to that extent it is snake oil. It may
>> or may not be a secure cypher, but I would not be inclined to risk
>> using it without a lot of further study. Safer to use one of the more
>> established cyphers.
>
> What if one were to take Marsaglia's recent Super_KISS generator?
>
> The internal states seem to me to be:
>
> superKISS32 internal state
>
> Q[]    41265 * 32 = 1320480
> carry      1 * 32 =      32
> xcng       1 * 32 =      32
> xs         1 * 32 =      32
> indx       1 * 15.33 =   15
>
> More-or-less ~1320591 bits
>
> superKISS64 internal state
>
> Q[]    20632 * 64 = 1320448
> carry      1 * 64 =      64
> xcng       1 * 64 =      64
> xs         1 * 64 =      64
> indx       1 * 14.33 =   14
>
> More-or-less ~1320654 bits
>
> Now, obviously, 1320000 bits is nowhere close to infinity,
> but it's easily conveyed, transported and pre-established.
>
> If SuperKISS is all Marsaglia claims it to be, why couldn't
> it form the basis of a practical, unbreakable, one-time-pad
> system?

Why couldn't a horse be a jet fighter? There is a definition of a one
time pad, and it is what is provably unbreakable. What you describe is
NOT unbreakable in theory. It may be hard to break and may be a good
practical cypher, but it is not a one time pad and is not unbreakable.

>
> The usual caveats apply.
>
> outer
>
From: unruh on 4 Jan 2010 15:34

On 2010-01-04, Mok-Kong Shen <mok-kong.shen(a)t-online.de> wrote:
> rossum wrote:
>> Richard Outerbridge wrote:
>>
>>> Now, obviously, 1320000 bits is nowhere close to infinity,
>>> but it's easily conveyed, transported and pre-established.
>>>
>>> If SuperKISS is all Marsaglia claims it to be, why couldn't
>>> it form the basis of a practical, unbreakable, one-time-pad
>>> system?
>> It could possibly be the basis of a perfectly good practical stream
>> cypher. It could never be a One Time Pad. If there is no TRNG
>> involved then there is no OTP either. KISS may well be a very good
>> PRNG but it is not a TRNG.
>
> I use to think that one should (in practice) be content with
> (reasonably) sufficiently high practical security. For the theoretical

That may be true, but is also irrelevant. There is a definition of a
one time pad and it is a cypher which obeys that definition which is
theoretically unbreakable. Many people want to pretend to hide under
that umbrella, and make unwarranted and extravagant claims for their
own cypher. As soon as they do so, one knows they are incompetent, and
should not be trusted to hide the Easter eggs, never mind something
more serious.

> perfect security of OTP is by its nature never (in the absolute sense)
> practically achievable for diverse practical reasons. (One well-known
> practical attempt to use OTP that badly failed was Vernona.)

That may be. So why try to claim that you have achieved it, except to
commit fraud.

>
> M. K. Shen
>
From: Jens Stuckelberger on 4 Jan 2010 15:43

On Mon, 04 Jan 2010 19:28:25 +0100, Mok-Kong Shen wrote:

> (One well-known practical attempt to use OTP that badly failed was
> Vernona.)

That depends on your definition of "badly failed." Between '42 and '48
just a few thousand, out of hundreds of thousands, of intercepted Soviet
messages were decrypted - most of them only partially so. After '48,
zilch. The Soviets might claim that this just was not 100% successful -
not quite the same as "badly failed."
From: rossum on 4 Jan 2010 17:10

On Mon, 04 Jan 2010 19:28:25 +0100, Mok-Kong Shen
<mok-kong.shen(a)t-online.de> wrote:

>One well-known practical attempt to use OTP that badly failed was Vernona.

That was Venona. It failed because they reused some of the random key.
Reusing some key breaks the OTP proof. An XOR cypher with a repeated key
is very weak.

rossum
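The point rossum makes above (a reused pad breaks the OTP proof, and XOR with a repeated key is weak) is easy to see in code. The following is an added worked example, not code posted by anyone in this thread: two constructed messages are encrypted under the same genuinely random pad, and the attacker, holding only the two ciphertexts, XORs them so the pad cancels, then slides a guessed word (a "crib") across the result to recover fragments of both messages, and finally the pad itself. The messages, the crib and the function names are all my own constructions; nothing here is real Venona traffic.

```python
# Added example, not from the thread: why reusing one-time-pad key
# material breaks the OTP proof. Messages and crib below are constructed.
import os
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam/OTP encryption: c = p XOR k. The pad must be at least as long
    as the message and must never be used again; otherwise the
    perfect-secrecy argument no longer applies."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return xor_bytes(plaintext, pad[:len(plaintext)])


def pad_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy with a fresh pad: for ANY candidate plaintext of the
    same length there is a pad mapping it to this ciphertext, so the
    ciphertext alone rules nothing out."""
    return xor_bytes(ciphertext, candidate_plaintext)


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: c1 XOR c2 = p1 XOR p2. The pad
    cancels and what is left depends only on the two plaintexts."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment across p1 XOR p2. Where the crib really
    occurs in one message, the XOR yields the other message at that offset;
    offsets whose result is printable ASCII are kept as candidates."""
    hits = []
    n = len(crib)
    for off in range(len(p1_xor_p2) - n + 1):
        cand = xor_bytes(p1_xor_p2[off:off + n], crib)
        if all(32 <= b < 127 for b in cand):
            hits.append((off, cand))
    return hits


def recover_other(p1_xor_p2: bytes, known_plaintext: bytes) -> bytes:
    """Once one message is fully known, the other follows directly."""
    return xor_bytes(p1_xor_p2, known_plaintext)


def recover_pad(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known plaintext under a reused pad also gives back the pad itself,
    which then decrypts anything else encrypted with it."""
    return xor_bytes(ciphertext, plaintext)


# Constructed sample traffic (not real Venona material).
MESSAGE_1 = b"MEET AT THE OLD BRIDGE AT NOON"
MESSAGE_2 = b"SEND THE COURIER TO MOSCOW NOW"


def two_time_pad_demo(pad: Optional[bytes] = None) -> dict:
    """Encrypt both messages with one pad and run the key-reuse attack.
    The pad is genuinely random (os.urandom); reuse alone is what breaks it."""
    if pad is None:
        pad = os.urandom(len(MESSAGE_1))
    c1 = otp_encrypt(MESSAGE_1, pad)
    c2 = otp_encrypt(MESSAGE_2, pad)
    depth = ciphertext_xor(c1, c2)          # pad has cancelled out here
    hits = crib_drag(depth, b"THE ")         # attacker guesses a common word
    return {
        "pad": pad,
        "c1": c1,
        "c2": c2,
        "p1_xor_p2": depth,
        "crib_hits": hits,
        "recovered_message_2": recover_other(depth, MESSAGE_1),
        "recovered_pad": recover_pad(c1, MESSAGE_1),
    }


if __name__ == "__main__":
    result = two_time_pad_demo()
    for offset, fragment in result["crib_hits"]:
        print(offset, fragment)
    print(result["recovered_message_2"])
```

With the constructed messages, dragging "THE " yields "AT T" at offset 5 (the crib sits in message 2 there, exposing message 1) and " COU" at offset 8 (the crib sits in message 1, exposing message 2), whatever random pad was used; the attacker never needs the pad, which is exactly why the OTP proof requires that no key byte is ever used twice. A keystream from SuperKISS or any other PRNG fails the same proof for a different reason: its 1.3 Mbit state fixes the whole keystream, so the ciphertext is no longer consistent with every equal-length plaintext.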