Talk:One-time pad

From Wikipedia, the free encyclopedia

To-do list for One-time pad:
  • A worked example of a one-time pad is needed, showing how two different pads can be used to decrypt a ciphertext into contradictory plaintexts.
  • The history of the invention of the one-time pad
  • An explanation of why, when hearing that a piece of encryption software uses a "one-time pad", most cryptographers burst into peals of hysterical laughter (cf. Snake oil (cryptography)).
  • Maybe instructions on how to make a pad by hand


Data remanence

I don't understand why my assertions about relative data remanence were removed. It matters that the pad might persist for longer than the plaintext; it's a potential disadvantage of using (only) the OTP over (only) conventional PFS encryption. I've re-introduced them and I'm hoping we can discuss it here. — ciphergoth 13:45, 12 May 2006 (UTC)

I think it's a minor point and a bit speculative. In general, anyone dealing with crypto has to worry about data remanence for plaintext, private keys, intermediate results and so on. I can see your point that there may be situations where OTP presents more of a remanence problem than PKC, but they seem a bit contrived -- people usually want to keep plaintext on file -- and they can be overcome by good design. --agr 02:38, 14 May 2006 (UTC)

Want to chop a lot of stuff out

The OTP was an important crypto method in the pre-mechanical era and in WW2, and was possibly used for diplomatic traffic as late as the 1960's. But as far as is known, computerized cryptography has completely replaced it now. I'd like to remove the stuff about transporting OTP's on DVD-R's and USB keys and condense the examples of OTP's in operation. Just about any serious cryptographers would have conniptions about such methods. Shred a full DVD into 1 mm² particles, and each particle will still contain over 100 kilobits of pad data. USB keys often have write wear levelling. Even with a secure destruction method, physical transportation of the pads is insecure and impractical. OTP's are mostly of historical and theoretical interest, and the article should be written that way. Phr (talk) 10:44, 16 July 2006 (UTC)

Numbers stations suggest otherwise. And, in any case, neither you nor I nor anyone outside the (NSA/GCHQ/DSE/...) fraternity is really up to date about what's being actually used. Computers really do make OTP implementations more practical, if only one can pass the key material. If I could be sure about that, I'd prefer the OTP because it's got a serious security proof. I can't see that your proposed cut will be sensible, except possibly to save a little space on the WP servers. A few K of text isn't that big a deal in that context. Err on the side of completeness in a controversy, is my suggestion. Our Reader can much more easily gloss over stuff than supply now missing stuff, after all. ww 20:26, 16 July 2006 (UTC)
And now I've just come across your changes today. I think you've added something that I think is probably true, but for which we have no justification. That is, that OTPs are currently useful mostly in situations which are for some reason (govt edict perhaps) unavailable. It's certainly true that if you can do it properly, it's the most secure you can use on pen and paper. But it's also more secure, if properly done, than other computer based algorithms. So, I think we ought not to make a claim nobody will admit to who knows more about the secret world than I do. ww 20:53, 16 July 2006 (UTC)
I edited the section in question to add the concern that trustworthy computers may not be available. Given the high rate of infection of typical PCs, even in large organizations, the security of computer based methods is at least open to question. And I put back the point about OTP being the only system with full proof of security. --agr 00:33, 17 July 2006 (UTC)
Arnold, I hope you don't mind, I'm about to move that paragraph out of the "practical" section and into the intro section. OTP's on computers do nothing to prevent security failure if the computer is infected. The infected computer can leak the pad. And the "proof of security" claim simply mentions a theoretical proof (information theoretic or Shannon security) with no clear assertion that it's of valid practical concern. The overwhelming consensus of both the military and civilian crypto communities seems to be that the deployment hassles of OTP's far outweigh any practical concerns about the lack of Shannon security in conventional cryptography, and so real-world crypto organizations appear satisfied with conventional cryptography even for the highest security traffic. That is to say, they don't care about Shannon security in practice. See for example NSA encryption systems as mentioned elsewhere. If you insist on moving the paragraph back, I won't revert again either way, but note that by moving it, you're converting a reasonably valid theoretical claim to a very questionable practical claim. If you do that, I'd appreciate it if you could follow Wikipedia standards by backing up the claim with a verifiable cite to a reliable source on crypto, that asserts that Shannon security is of practical concern to contemporary crypto users. Thanks. -- Phr (talk) 03:20, 17 July 2006 (UTC)
I don't know of any evidence, and I have extreme skepticism, that anyone in the so-called secret world has used OTP's in the modern era because of their theoretically provable security. Their possible use by less-technologically-advanced countries more than two decades ago doesn't show anything. The likely reason for that apparent OTP was so the users could encrypt and decrypt the traffic without a computer. Unless there's evidence that the stuff printed on the paper was truly random and not the output of a computer-implemented PRNG, it can't be treated as a true OTP. And I don't see the slightest reason to think that the numbers station broadcasts are encrypted with OTP's rather than with conventional crypto.
It's certainly well known (i.e. it's not secret) that the US considers conventional cryptography sufficient for top secret traffic, though the actual algorithms are classified--see type 1 encryption and NSA encryption systems. "If properly done" with regard to computer implementation is an extremely big and probably unachievable "if"; it implies perfectly secure handling, transportation, and destruction of the key material, a concept equivalent to the frictionless pulleys of freshman physics class, that doesn't exist in the real world. The US govt, at least, requires hardware crypto implementation for secret traffic. The hardware security requirements are of course classified but they're surely at least as stringent as the civilian standards (e.g. FIPS 140). I've never heard of anyone implementing an OTP with that kind of hardware. The nonsense about transporting pad material on DVD-R's would send any self-respecting crypto spook into convulsions.
Remember also that OTP's don't provide any authentication, something we should mention in the article. There are some theoretical schemes for authenticating OTP's with provable security (we could mention that), but I've never heard of anything like that ever being deployed in practice. The classical OTP (with no authentication) is less secure than anything that would be considered acceptable today.
It'd be irresponsible for us to imply any more than a remote theoretical possibility that any modern crypto organizations that know what they're doing use OTP's for anything today. For that matter, they might theoretically be using telepathic communications. Phr (talk) 04:22, 17 July 2006 (UTC)
How would one encrypt telepathic communications? Interesting conceit, that. But off topic. I am in agreement with you as to the type of cryptosystem in use in the secret world, but my endorsement is largely irrelevant as, like Sgt Schultz, I know nothing. And if anyone who did know said so, they'd be in trouble. So I'll assume strongly that we're all in this shrouded boat. That being so, we've no grounds whatsoever to make such an assumption as you suggest on behalf of our Reader. We should note what we know, not what you (and I and I suspect agr as well) assume. And recall that the only crypto system both NSA and the Russians could agree on was in fact a teletype one time pad. And that possession of diplomatic pouches and armed couriers makes secure key material distribution much much easier for governments. I appreciate your enthusiasm but think it misplaced in this instance. ww 03:33, 17 July 2006 (UTC)
I think it's extremely unlikely that any govt agencies are using telepathic communications and it would be silly for us to indicate that they are, without evidence. It's the same way with OTP's and Shannon secrecy. The reason stated for the US-USSR hotline using OTP's was that they didn't want to reveal their conventional crypto methods. It had nothing to do with Shannon secrecy. Who would they be trying to prevent from cracking the traffic anyway? Each was the other's main adversary in that era, and the hotline was for them to send stuff to each other. Also, that was the 1960's, before the modern (computer) crypto era. We have to distinguish that from any purported usefulness of OTP's today. Phr (talk) 04:22, 17 July 2006 (UTC)
This article is about one-time pads and we are discussing a section on its pros and cons. We should certainly include all the cons but there are pros as well and they should not be excluded. Telepathy is not an apt analogy. There is no scientific basis for it and no evidence that it was ever seriously used for secure communication. There is a strong scientific basis for OTP, arguably stronger than that for any other method. And it was apparently used for highly sensitive intelligence communications by the U.S. until the mid-1950s at least, when the KW-26 was introduced. See http://www.nsa.gov/publications/publi00017.pdf , pages 4, 7. It was also used for the Moscow Washington Hot Line. (It's silly, by the way, to suggest that the leaders of the U.S. and U.S.S.R. would not have cared if their communications were intercepted. In a crisis they would value the ability to communicate in private without even their allies listening in.) Spies are often found with OTPs and the Grenada find was widely reported around October 28, 1983. I'll try to find a more specific cite. Of course we don't know for sure how such pads were produced; they could have been made using a cipher as an RNG, but cryptographers are a pretty conservative bunch.
I agree it appears that the U.S. has long accepted the use of ciphers for even its most sensitive communications. Whether that was wise or not is open to debate. The Walker spy ring was able to smuggle large amounts of keying material to the Soviets and compromised a great deal of highly sensitive information in the process. They would have had a much harder time if OTP had been used due to the sheer volume of material they would have had to smuggle out. Regardless, there are now published algorithms that are approved by NSA for Secret (AES-128 and Skipjack) and Top Secret (larger block size AES) in "approved systems." Others, however, may not accept NSA certification at face value and may lack the ability to certify algorithms on their own. Whether all other nations and groups have eliminated use of OTP seems purely a matter for speculation. We should not imply that they are still used, nor that they are not.
The theoretical security of OTP is a legitimate point to raise in its favor. It is widely mentioned in the literature. See, for example, Schneier, Applied Cryptography, 2nd ed., pp. 15-17. Your claim that no one cares about Shannon security in practice is belied by the significant interest in quantum cryptography, which touts, among other things, its ability to "solve" the key distribution problem for one-time pads. If any conventional crypto system had a theoretical proof of security from first principles, even if there were practical caveats, its supporters would cite it as a very major advantage.
The cited section of Schneier also mentions the idea of distributing OTP on CD-ROM. He did not seem to find it laughable, though he does point out some problems, most of which have been overcome by more modern technology. (It was hard to make just two copies of a CD when he wrote, for example. It's easy now.) --agr 18:19, 17 July 2006 (UTC)
I agree that the US used OTP's fifty years ago and that it was sensible then. I'd consider that to be a historical use that should certainly be cited as one. The section about practical use, I thought, was about practical use in the modern era. Swords have been an important military weapon throughout a lot of history but are practically zero importance today. An article about swords might discuss history extensively but should certainly not give the impression that the US Marines still use them in combat today. It's the same way with OTP's. We have a situation in cryptography where a lot of amateurs think that OTP's are of practical superiority to regular ciphers, because of OTP's theoretical Shannon security; but this is sort of like amateur military buffs who think that swords are better than guns because swords never run out of bullets or jam. Actual military organizations in the real world don't find that advantage compelling enough to even think about replacing guns with swords.
I'd like to know more about the Grenada codebooks found in 1983. Even that, though, was over 20 years ago, an eternity in this business. We were still in the DES-paranoia era then. My copy of AC2 is in storage so I can't check pp. 15-17--what does it say? Schneier's Crypto-grams column has a good essay about OTP's: [1].
Walker also operated in the 1980's, handing over photos of printed key lists for 1950's-vintage mechanical and vacuum tube cipher machines that are ancient by today's standards. Nowadays there aren't any such lists; the keys always live in tamper-resistant hardware and humans can never see them. And of course, if public-key is used, the secrets live only in the end nodes, so there's not any distribution system like the one Walker compromised. OTP can never accomplish that.
I don't think there's that much practical interest in quantum key distribution for now. It's just research. As for provable security, sure, it would be of great practical interest to have a provably secure cipher if the provable security came without practical cost. OTP's have enormous cost. We actually have provably secure stream ciphers (up to the difficulty of integer factoring), e.g. Blum-Blum-Shub, but nobody uses them because they're too slow, even without the key distribution hassles of OTP's. Phr (talk) 23:19, 17 July 2006 (UTC)
If swords were a bit tricky to use but when used properly could stop a tank, they might still be taken seriously. (And every soldier is still taught to use a bayonet.) It is certainly true that many if not most professional cryptographers look down on OTP. But it is not entirely an amateur/professional divide. A couple of companies have formed to sell quantum cryptography and I believe the EU is supporting the work. And I know several professional mathematicians who are amused by modern cryptography's reliance on unproved assertions, e.g. "up to integer factorization." I think the current article presents the majority, cautionary opinion quite forcefully. I've tried to strengthen some of that text myself. Maybe more should be added. But there is another point of view, amateur or not, and its legitimate points deserve mention.
After it invaded Grenada in October 1983, the U.S. announced it had found a Cuban warehouse on the island with various weapons. President Reagan gave a speech mentioning the find around Oct. 27. Among the material found was a supply of new code books in pairs that appeared to be one-time pads. I recall seeing a photo at the time, either in the NY Times or maybe Aviation Week. Schneier's section on one-time pads starts out "Believe it or not, there is a perfect encryption scheme." He goes on to explain the method and its history and adds the usual cautions about the difficulty of generating random bit streams, securely transporting large amounts of data and the importance of using keying material only once. He also mentions the lack of authentication. He ends by saying "One-time pads have application in today's world, primarily for ultra-secure low bandwidth channels", mentioning the Hot Line and pointing out that messages encrypted this way "are still secure today and will remain that way forever."
Your certainty that there aren't human-accessible keys may be premature. There is a fair amount of material on the Internet, originally from government web sites, about NSA's Electronic Key Management System, which is a project underway to eliminate the need for physical keys. The material suggests that paper tape keys (cipher keys, not OTP) were still in use at least as of 2000 on legacy systems. Apparently many of the key fill devices in use cannot handle "modern" 128-bit keys, but the KOI-18 paper tape readers can. Maybe they are no longer used today, but it's hard to get budget for replacing stuff that still works. --agr 13:52, 18 July 2006 (UTC)

Terminology confusion - proposal

Part of the confusion and disagreement here in the talk page is that the article uses OTP to mean two different things in different places. I propose that we update the article to carefully distinguish:

  1. Use of a one-time additive keystream (for example printed on paper) for encryption, where the keystream comes from some (possibly unknown) random or pseudorandom source. For example, Alice and Bob might meet at a secure location, generate such a keystream on a computer using AES-128 in counter mode, and print out two copies for later use in the field. This does not assert information theoretic (Shannon) security, although if AES meets its intended security criteria, there is no practical way for an attacker to tell the difference. I propose that we try to consistently refer to this in the article as a "Vernam cipher" or something equivalent TBD, and not as an OTP, since the "security proof" frequently associated with OTP's does not apply here.
     But it's not a one-time pad, just an approach to it. ww
  2. Use of such a keystream where each symbol in the keystream is generated independently by some physically random process (subject of course to a lot of discussion of what constitutes a physically random process, or whether physically random processes exist at all). This is supposed to provide information-theoretic (Shannon) security, so maybe we can refer to such a keystream in the article as a Shannon OTP, and reserve that term specifically for an OTP generated by such a process.

Let me know how this sounds. -- Phr (talk) 03:35, 17 July 2006 (UTC)
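As an added illustration of the distinction Phr draws above (this is example code written for this page, not code from the article or from any of the participants), the Python below applies the same XOR combination to two keystreams: one drawn from the operating system's entropy source, and one expanded from a short seed by a function run in counter mode. SHA-256 over a counter stands in for AES-128 in counter mode so that the example needs no third-party library; that substitution and all function names are this example's own assumptions. The encryption step is identical in both cases. What differs is how many distinct keystreams are possible, which is what Shannon's proof depends on, and the last function records why the pad must never be reused, the caution Schneier's text quoted further up also makes.

```python
import hashlib
import os


def vernam(data: bytes, keystream: bytes) -> bytes:
    """Combine data with the keystream byte-for-byte by XOR.

    Encryption and decryption are the same operation, so a second call with
    the same keystream recovers the input.
    """
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def prf_keystream(seed: bytes, length: int) -> bytes:
    """Keystream expanded from a short seed in counter mode.

    Stand-in for AES-128-CTR (an assumption of this example): block i is
    SHA-256(seed || i).  The whole keystream is a function of `seed`, so it
    carries at most len(seed) bytes of entropy however long the message is.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def physical_keystream(length: int) -> bytes:
    """One fresh byte from the OS entropy pool per message byte.

    Only a keystream like this, used once, is the case Shannon's proof covers.
    """
    return os.urandom(length)


def distinct_keystreams(seed_bytes: int, message_bytes: int) -> tuple:
    """Number of keystreams each approach can produce for a message size.

    A pad of message_bytes truly random bytes has 256 ** message_bytes
    possibilities, so every plaintext of that length is equally consistent
    with a given ciphertext; a seed-expanded keystream has at most
    256 ** seed_bytes, fixed once the seed is chosen.
    """
    return 256 ** seed_bytes, 256 ** message_bytes


def reuse_leaks_difference(p1: bytes, p2: bytes, pad: bytes) -> bool:
    """Why a pad is used once: XORing two ciphertexts made with the same pad
    cancels the pad and leaves the XOR of the two plaintexts."""
    c1, c2 = vernam(p1, pad), vernam(p2, pad)
    return vernam(c1, c2) == vernam(p1, p2)


if __name__ == "__main__":
    # Constructed sample message and a constructed 16-byte seed.
    message = b"meet at the usual place"
    seed = b"\x00" * 16

    ks_prf = prf_keystream(seed, len(message))
    ks_phys = physical_keystream(len(message))
    for name, ks in (("counter-mode PRF", ks_prf), ("physical", ks_phys)):
        ct = vernam(message, ks)
        assert vernam(ct, ks) == message
        print(f"{name:17s} keystream: ciphertext {ct.hex()}")

    seeds, pads = distinct_keystreams(len(seed), len(message))
    print(f"possible PRF keystreams: 2^{seeds.bit_length() - 1}, "
          f"possible true pads: 2^{pads.bit_length() - 1}")
```

Run as a script it encrypts the constructed message both ways and prints the two counts; for a 16-byte seed and a 23-byte message those are 2^128 and 2^184, which is the whole difference between the two senses of "OTP" in the proposal.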

Not sure I like Shannon OTP, though I agree it makes a distinction which seems useful to make. But we're not supposed to be inventing terms here -- however sensible, as this is WP. So I think it's a non-starter. But the distinction you note should be made very clear, and if it isn't so made, I think we are under an obligation to make it so. ww 20:58, 17 July 2006 (UTC)

I agree that the term OTP is incorrect, and that some permutation of "Vernam," "Mauborgne," "cipher," "streaming," and/or "random" is more correct. The only people I have ever met who use the term OTP are academics and dilettantes--the professionals I have known never used that term. The main entry, much of which is copied from the article "Re-visiting the One-Time Pad," by Nithin Nagaraj, Vivek Vaidya and Prabhakar G Vaidya, seems stuck on using the term OTP, which is childish. firmDoc 13:43, 12 April 2007 (EDT)

Numbers stations

The content of these stations may indeed be OTP encrypted stuff, though I understand they are often high powered which suggests the spies aren't doing so. What seems to be the general suspicion is that they are key material. Rabin proved (April of 2001?) that entropy can be preserved in a public broadcast like this, though I seem to remember these stations existed long before. So, in this reading, the spies are actually sending in OTP encoded stuff, maybe on flash paper like the Krogers or Col Abel, etc.

Or maybe the entropy in the broadcast stream is used to seed a more conventional crypto system? Not being of the secret world, we are left with only speculation. Which is fair game for WP, if identified as such. ww 20:58, 17 July 2006 (UTC)

I have no inside information, but I do not believe there is any real mystery about the function of these stations. The most natural understanding is that they are systems for sending untraceable coded messages to recipients anywhere in the broadcast coverage area, often world-wide. The reason for the constant flow of numbers or letters is to achieve what NSA calls traffic flow security, i.e. no adversary can determine when or how often messages are sent. That means most of the time the numbers are meaningless and likely purely random except that certain combinations are avoided at certain times, unless a message is actually pending. These combinations serve as addresses. Recipients are given time to listen in and, if they hear the number pattern assigned to them for that session, they copy the remaining numbers, perhaps to an end signal. Those numbers are then decoded, likely with a pad, though possibly these days with a computer program running on their cell phone or gameboy. Messages might also be simple codes, like "go to the secondary meeting point tomorrow." The obvious users would be spies, but it also could serve as a backup for embassies, offices and the like, and even military units. --agr 15:26, 19 July 2006 (UTC)

von Neumann whitening

That just doesn't seem so great an entropy distillation method. It only works if the input bits are independent and are all drawn from the same probability distribution. Both of those seem like unrealistic assumptions. We want some function that maps an input string to an output bit, where if the input string is S assumed to have min-entropy > H, then

|\Pr[H(s)= 1] - 0.5| < 2^{-O(H)}

There is some literature about how to do stuff like that, maybe with universal hashing. I'll see if I can find a reference. Phr (talk) 00:04, 18 July 2006 (UTC)
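An added example, not from the article or from Phr, to make the objection above concrete: the Python below implements von Neumann's corrector and measures the bias |Pr[bit = 1] - 1/2| before and after it on two constructed sources. The first is the case the method is designed for (independent bits with one fixed probability of being 1); the second keeps the bits independent but gives even and odd positions different distributions, which is enough to defeat the method even though the raw stream looks unbiased overall. The source generators, seeds and the name `compare` are this example's own.

```python
import random


def von_neumann(bits):
    """Von Neumann's corrector: read non-overlapping pairs, emit the first bit
    of each unequal pair ((1,0) -> 1, (0,1) -> 0) and discard (0,0) and (1,1).

    For independent bits that each equal 1 with the same probability p, both
    kept pairs have probability p(1-p), so the output is exactly unbiased.
    """
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def bias(bits):
    """The quantity |Pr[bit = 1] - 1/2| that the post's bound is about."""
    if not bits:
        return 0.5
    return abs(sum(bits) / len(bits) - 0.5)


def iid_source(n, p_one, seed=1):
    """Constructed input: independent, identically distributed bits."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def position_dependent_source(n, p_even, p_odd, seed=1):
    """Constructed input that violates 'same distribution': even positions are
    1 with probability p_even, odd positions with probability p_odd.  The bits
    are still independent, yet (1,0) pairs now occur with probability
    p_even*(1-p_odd) and (0,1) pairs with (1-p_even)*p_odd, so the corrector's
    output stays biased."""
    rng = random.Random(seed)
    return [1 if rng.random() < (p_even if i % 2 == 0 else p_odd) else 0
            for i in range(n)]


def compare(n=20000):
    """Return {source: (input bias, output bias)} for the two sources."""
    good = iid_source(n, 0.9)
    bad = position_dependent_source(n, 0.9, 0.1)
    return {
        "iid": (bias(good), bias(von_neumann(good))),
        "position_dependent": (bias(bad), bias(von_neumann(bad))),
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:19s} input bias {before:.3f} -> output bias {after:.3f}")
```

With the constructed parameters the i.i.d. source goes from a bias of about 0.4 to a few hundredths, while the position-dependent source goes the other way: its raw bias is near zero, but after correction nearly every output bit is a 1 (the expected fraction is 0.81 / 0.82). A first-order Markov source is the other classic failure; it keeps the output marginally unbiased but leaves consecutive output bits correlated, which `bias` alone does not detect.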

NP vs P double speak

It is very annoying when a Wikipedia article says one thing and then directly contradicts it. Either the NP/P problem is relevant to the security of the best encryption algorithms or it isn't. Please clear this up.

On another note, it sounds silly to say 'most informed observers believe' when what is being 'observed' is mathematical. This is one of those great unsolved problems, and nobody can offer a proof just from 'observation'. Of course common sense tells even the CS undergraduate that P and NP are almost certainly not the same, but there is no proof. This really needs to be rephrased.

The main problem I find is that the article says (I paraphrase) 'NP=P would just destroy all encryption algorithms, zomg' and then tacked onto the end says 'From what I observe NP=P isn't that likely, but even if it was, who cares, it isn't relevant'.

Which is it?

Ok, not a good paraphrase, I'm just tired. Please take this as the tongue in cheek, semi-serious, late-night arm-chair wikipedia punditry that it is :P

—The preceding unsigned comment was added by 70.186.18.164 (talk • contribs) 07:01, 6 August 2006 (UTC2)

P vs NP is one of those conjectures like Fermat's Last Theorem and the Four Color theorem, where just about everyone always believed both were certainly true, but it took a very long time and an enormous amount of new technical machinery to come up with formal proofs. And even if P=NP so there's a P-time cryptanalysis to (say) an AES-like block cipher with an n-bit key and block size, if the best possible running time is O(n^600), that's still good enough for practical cryptography, especially if that lower bound can be proven. Does that help? Phr (talk) 09:10, 6 August 2006 (UTC)
More precisely, if you have known plaintext or even some way to test if a decryption is plaintext (which you usually do in practice if the plaintext is a natural language and is long enough) then AES-256 can be broken in under 2^256 steps, where the length of each step can be specified exactly (no "big O" required). In other words, AES-256 is in the class of constant time problems C, which is a subset of P. (Of course 2^256 is so large that this attack cannot be performed by any known technology.) I agree with the anon user that the P vs NP discussion should be removed. --agr 12:15, 6 August 2006 (UTC)
AGR, perhaps this discussion is obscure, and hard to follow, but the basic point -- that there might someday be termites in the crypto foundations -- is one worth making. Even if it's somewhat squishy and not so easily provable (ie, mathematically) as the anon poster hoped. Crypto really is a bit of an odd duck, neither mathematical fish, nor merely practical. That's a point worth making here at WP. Clarity is of course a good thing in this as in the rest of the article. ww 04:32, 7 August 2006 (UTC)
I agree your point should be made, but I don't think a discussion of P vs NP is the best way to make it. A proof that P = NP is not likely to undermine the foundations of cryptography. If anything Wiles' proof of Fermat's Last Theorem has a better chance of having an impact, since it includes some deep results about elliptic curves. It might help to beef up the Cryptography section in List of open problems in computer science so we could reference it. --agr 16:00, 7 August 2006 (UTC)

Unbreakable

Re:

  • The one-time-pad is the only cryptosystem proven secure. Though most experts have confidence in standard cryptosystems for practical purposes, one cannot be certain that a future cryptanalytic breakthrough, or a breakthrough in computer hardware such as quantum computing, will not render them breakable.

Isn't the quantum cipher also proven unbreakable (well, in the sense that no message encrypted with it can be read)? Or is that the wrong sense of the word...? --Katrielalex 13:08, 12 September 2006 (UTC)

K, "The quantum cypher" is sufficiently indeterminate that no answer is possible. On the other hand, quantum transmission of data can be -- at our present understanding of quantum phenomena -- untappable without detection. This is a moderately high standard for confidentiality if not for cryptography or encryption, and unless new understanding comes, could be thought unbreakable. But, more or less, you're correct it's a misuse of the term. Unbreakability is generally understood to be the reversal of an encryption of some sort.
In the case of the one-time pad, Shannon's proof is based on theory of communication considerations and is nearly universally thought to be fundamental. ww 14:58, 12 September 2006 (UTC)
There is no "quantum cipher" per se. Quantum cryptography provides a way to securely send a random stream of bits from one location to another. Those bit streams can then be used as a one time pad, or they can be used as a list of keys for conventional ciphers. --agr 20:17, 12 September 2006 (UTC)

The best way of expressing the security of the one-time pad is as "unconditionally secure", which in the cryptographic literature is also referred to as "information theoretically secure". It is misleading to say that the one-time-pad is the "only" secure scheme. There is a whole field of "information theoretically secure" cryptographic primitives. Other examples include Shamir's secret sharing scheme, and the privacy of Chaum's blind signatures. "Unconditionally" refers to the fact that the security of the OTP does not require reduction to another problem that is assumed to be hard (such as the security of block cipher, hash functions, the hardness of factoring or the discrete logarithm problem.) 82.6.104.167 (talk) 23:50, 28 November 2007 (UTC)

You are certainly correct in a technical sense. The sense the article seems to be working from is more popular however. A cypher encrypts; is it possible to break it? The one-time pad (and equivalents under another name or style) is unique in that all others include something less than complete independence from one bit to the next. So in that limited sense, unbreakable in terms of the question in the back of people's minds. But the technical qualification you note is either more than a Reader can be expected to cope with or something we editors should add to the article in such clear lucid prose that even our Reader will get the idea, subtle and technical though it may be. I favor the latter, rather than tripping over the slightly different meanings of common word use and technical word use. Be bold and have at it! ww (talk) 18:31, 29 November 2007 (UTC)

Just Wondering

I was wondering why this article mentions the Vernam cipher as the basis of the one-time pad, and not the Vigenère cipher. The example given on this page works out when using the Vigenère cipher and not what is described on the Vernam cipher page. Also, The Code Book by Simon Singh specifically mentions the Vigenère cipher when explaining the one-time pad cipher, and I don't remember the name Vernam being mentioned at all in the book. The page for the Vernam cipher doesn't really explain it much beyond that it is "applied to the individual impulses or bits used to encode the characters" and giving an example where a plaintext of "A" and a key of "B" give a ciphertext of "G", while the example on this page just uses the characters themselves. So is there a reason Vernam is mentioned here and not Vigenère?

You can do one-time pad using lots of operations (any old quasigroup will do), but the Vernam 5-bit-wide addition was the first known implementation (and was very common in real world systems). — Matt Crypto 07:02, 4 October 2006 (UTC)
Yeah, this is unclear in the article. What operations can you use? What are the qualifications for it to be unbreakable? Can somebody explain and perhaps put it in the article? King Mir 21:34, 11 November 2006 (UTC)
AFAIK, a simple modular addition is always used. XOR is a modular addition too. There is no need to use more complex operations; it would only bring the possibility of more bugs. Touisiau 12:01, 15 November 2006 (UTC)

Repetition

The article contains a lot of the same information several times over (such as its inventors and early users, and its level of security). Some serious rationalization is needed. --88.111.41.106 00:15, 21 November 2006 (UTC)

One time pads from Digital Cameras

In one aspect the use of one time pads has become relatively more practical. In prior years the generation of a one time pad required some source of truly random data. This called for some specialized hardware, not commonly available (though potentially simple). Common use of digital cameras offers a large amount of data with a significant random component. A simple flash drive full of photos can serve as a one-time pad (with a bit of light shuffling).

There is some merit in waving around a camera, handing out a flash drive, then knowing you can send data in complete security (up to about the size of the flash memory).

Photographs are not truly random data. — Matt Crypto 21:34, 2 January 2007 (UTC)

Explanation of Modular arithmetic.

Sorry, maybe I'm being stupid but shouldn't

Note that if a number is larger than 25, then in modular arithmetic fashion, the remainder on division by 26 would be taken. This simply means that, if your computations "go past" Z, you start again at A.

be

Note that if a number is larger than 26, then in modular arithmetic fashion, the remainder on division by 26 would be taken. This simply means that, if your computations "go past" Z, you start again at A.

Because if you get a 26, that's a Z.

Perhaps I'm wrong, if so, sorry.

--Danielcoulbourne 02:16, 14 May 2007 (UTC)

The math is simpler if you start counting from zero. If you look a bit earlier in the article, you'll see it says:

"A" is 0, "B" is 1, and so on through "Z", 25.

That's why the first version of the text you quote is correct.--agr 03:07, 14 May 2007 (UTC)

There's another problem: You never "divide" by 26; you subtract 26. I've changed the text from "the remainder on division by 26 would be taken" to "the remainder after subtraction of 26 is taken." 129.170.204.153 (talk) 22:53, 1 June 2008 (UTC)
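As an added worked example (my own code, not from the article or from anyone in this discussion), the following Python shows the two combining operations raised in the Vernam/Vigenère question above and in this modular-arithmetic thread: addition mod 26 on letters with "A" as 0, where a sum of 26 wraps back to "A" after one subtraction of 26, and the Vernam-style XOR on bytes. Any quasigroup operation works, as Matt Crypto says, because each (plaintext symbol, ciphertext symbol) pair fixes exactly one key symbol. All function names and the sample plaintext/pad values are constructed for this example.

```python
"""Added example: a one-time pad with two valid combining operations.

Shown here: addition mod 26 on letters, and XOR on bytes (Vernam style).
All function names and sample values are constructed for this example.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase  # "A" is 0, "B" is 1, ..., "Z" is 25


def letter_to_num(c: str) -> int:
    return ALPHABET.index(c)


def num_to_letter(n: int) -> str:
    # Two letters sum to at most 25 + 25 = 50, so at most one subtraction of
    # 26 is ever needed; "% 26" does exactly that and maps 26 to 0 ("A").
    # Python's % is non-negative for negative inputs, so it also covers the
    # decryption case of going "below A".
    return ALPHABET[n % 26]


def otp_letters_encrypt(plaintext: str, pad: str) -> str:
    """Ciphertext letter = (plaintext letter + pad letter) mod 26."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return "".join(num_to_letter(letter_to_num(p) + letter_to_num(k))
                   for p, k in zip(plaintext, pad))


def otp_letters_decrypt(ciphertext: str, pad: str) -> str:
    """Plaintext letter = (ciphertext letter - pad letter) mod 26."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return "".join(num_to_letter(letter_to_num(c) - letter_to_num(k))
                   for c, k in zip(ciphertext, pad))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Vernam-style pad on bytes; XOR is its own inverse, so one function
    both encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def generate_pad_letters(length: int) -> str:
    # The pad must come from a CSPRNG (here the OS entropy source via the
    # secrets module), never from random.random(): the pad's quality is the
    # entire security of the scheme.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_pad_bytes(length: int) -> bytes:
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed sample: plaintext HELLO under pad XMCKL.
    print(otp_letters_encrypt("HELLO", "XMCKL"))   # EQNVZ
    print(otp_letters_decrypt("EQNVZ", "XMCKL"))   # HELLO
    print(otp_letters_encrypt("Z", "B"))           # 25 + 1 = 26 -> 0 -> A
    pad = generate_pad_bytes(5)
    print(otp_xor(otp_xor(b"hello", pad), pad))    # b'hello'
```

The "Z" + "B" case is the one Danielcoulbourne asks about: 25 + 1 = 26, which is past "Z", so 26 is subtracted once and the result is "A".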

One time pad programs

I don't think we should be listing so-called one time pad programs in the links section. The hard part of using OTP is generating random pads and managing them properly. Programs that just combine pad and message, which is generally the case, are essentially trivial and not worth much. Programs that generate pad material require careful audit which is beyond Wikipedia's scope. --agr 17:41, 18 May 2007 (UTC)

I agree. Moreover, implementors of one time pads are often not aware that one time pads do not provide authenticity. At least one of the implementations on this page was not even a proper one-time pad. The other link was badly documented and thus did not even have educational value. 85.2.22.56 17:53, 18 May 2007 (UTC)
Yes, using a one time pad program can give the user a sense of security that is not present.
The reason why I restored the link is that it demonstrates its use.
This inspires me to make a flash program to demonstrate its use (and pitfalls). —Preceding unsigned comment added by Foton40 (talk • contribs)

Provable security

Provable security is often understood as secure against adaptive chosen-ciphertext attacks, which implies non-malleability. One-time pads are malleable. Hence claims that the one-time pad is provably secure are misleading. One-time pads just have perfect secrecy. These two security notions should not be confused. 85.2.86.69 07:01, 12 June 2007 (UTC)

Adaptive chosen-ciphertext attacks are a vulnerability of asymmetric algorithms. I don't see how they would work on an OTP. The article does point out that OTP is malleable, though we don't currently use the term (we should).--agr 22:32, 12 June 2007 (UTC)
Yes, of course. For 'provable security' of symmetric cryptosystems we also must make sure that chosen plaintexts are not helpful to a potential attacker. A chosen-ciphertext attack against an OTP is simple in theory. An attacker, who has a ciphertext c, chooses a random pad r, then sends c xor r to the receiver and gets the decryption of c xor r, from which the attacker can derive the original message. Whether such an attack can be pulled off in practice is another question, which depends on the protocol that is used. My only point was, when people talk about 'provable security' today then they usually talk about a security notion that is much stronger than just 'perfect secrecy'. Otherwise the article did a good job at explaining the strengths and weaknesses of the OTP. 85.2.117.213 08:42, 13 June 2007 (UTC)
The cryptographic community has a nasty habit of defining terms in misleading ways that would shame a consumer marketing executive. The current definition of provable security does not include a proof that the method is secure, merely that it is polynomially equivalent to a problem that is commonly thought to be hard. OTP's proof of security does not depend on this loophole. "Provable security" also excludes absolute deniability as a criterion, even though it is desirable in practice, because no modern cipher can meet that test. But OTP can. So I think it is best to avoid jargonized labels in the article altogether and simply present the facts.--agr 15:35, 13 June 2007 (UTC)
The crypto community isn't that bad. Most papers that propose new schemes exactly describe the properties that are shown and the assumptions that were made. The problem is more the term "provable security" itself. It does not have an exact definition. "Provable security" is more a set of unwritten expectations, but these expectations change over time and are often misinterpreted. I certainly agree that the term should be avoided and replaced with a more precise statement. 85.2.120.114 08:55, 15 June 2007 (UTC)
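The malleability point made in this section, as an added example in Python (my own code, not the article's and not any commenter's): a bare XOR one-time pad passes any change to the ciphertext straight through to the recovered plaintext, and a receiver that echoes decryptions gives back the message via the c xor r observation above. Wrapping the pad in encrypt-then-MAC, with the tag computed over the ciphertext only under a separate key, lets the receiver reject modified ciphertexts before decrypting. The names otp_xor, flip_bits, decrypt_via_oracle, otp_encrypt_auth, otp_decrypt_auth and the sample message are constructed; HMAC-SHA256 from the standard library is used for the tag.

```python
"""Added example: why a bare one-time pad is malleable, and an
encrypt-then-MAC wrapper that detects modification.

All names and sample values here are constructed for this example.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def otp_xor(data: bytes, pad: bytes) -> bytes:
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def flip_bits(ciphertext: bytes, delta: bytes) -> bytes:
    """Malleability: XOR-ing delta into c XOR-s the same delta into the
    recovered plaintext, and nothing in a bare OTP can notice."""
    return otp_xor(ciphertext, delta)


def decrypt_via_oracle(ciphertext: bytes, r: bytes, oracle) -> bytes:
    """The chosen-ciphertext observation from the thread: if the receiver
    returns decryptions, submitting c XOR r yields m XOR r, and r is known."""
    return otp_xor(oracle(otp_xor(ciphertext, r)), r)


def otp_encrypt_auth(message: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC. The tag covers only c, so the perfect-secrecy
    argument for c is unchanged; the added integrity guarantee is only as
    strong as HMAC-SHA256 (computational, not information-theoretic)."""
    c = otp_xor(message, pad)
    tag = hmac.new(mac_key, c, hashlib.sha256).digest()
    return c + tag


def otp_decrypt_auth(blob: bytes, pad: bytes, mac_key: bytes) -> bytes:
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    # Constant-time comparison; reject before touching the plaintext.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return otp_xor(c, pad)


def demo() -> dict:
    """Constructed walk-through; returns the observations for inspection."""
    m = b"meet at noon"
    pad = secrets.token_bytes(len(m))
    mac_key = secrets.token_bytes(32)
    c = otp_xor(m, pad)

    delta = bytes([0x20] * len(m))                 # one bit per byte
    tampered_plain = otp_xor(flip_bits(c, delta), pad)

    def oracle(x):                                 # a receiver that echoes decryptions
        return otp_xor(x, pad)

    recovered = decrypt_via_oracle(c, secrets.token_bytes(len(m)), oracle)

    blob = otp_encrypt_auth(m, pad, mac_key)
    tampered_blob = flip_bits(blob[:len(m)], delta) + blob[len(m):]
    try:
        otp_decrypt_auth(tampered_blob, pad, mac_key)
        detected = False
    except ValueError:
        detected = True

    return {"tampered_plain": tampered_plain,
            "oracle_recovered_message": recovered == m,
            "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

Because the tag is a function of c and the MAC key alone, and c is uniform and independent of m, the tag reveals nothing about m beyond what c already does; the trade-off is that the integrity property is computational while the secrecy property stays unconditional.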

One time pad picture

Anyone else find the picture of the one time pad a bit naff? It's just random data (apparently), which is only a one time pad if used as such. Not to mention it being a picture of some text... How about a diagram of the (admittedly trivial) encryption process instead? AbleRiver 15:51, 31 August 2007 (UTC)

I agree that the picture doesn't really add much to the article -- even if it was key generated using a deterministic algorithm we'd be none the wiser. A diagram of the encryption process would boil down to "plaintext + key = ciphertext"; which would be fine, I suppose, but would also do for general symmetric encryption. Ideally, we'd have a photo of some historic one-time pad material. — Matt Crypto 19:21, 31 August 2007 (UTC)

Perfect secrecy

An incorrect claim keeps coming back in different formulations. E.g.:

And in fact all plaintexts are equally probable.
To a cryptanalyst, no possible decryption is any more likely than any other; the worst of all possible situations.

Thus it seems necessary to discuss this here with more details. It is quite important to understand that a cryptanalyst may and usually does have some information about the plaintext. For example the cryptanalyst might know (or guess) that the sender and receiver are speaking English and that they exchange text messages. The cryptanalyst might even have some known plaintext (e.g. standard header, closing, etc.). Thus, it is not true that all plaintexts are equally probable. Some plaintexts are clearly more likely than others. Furthermore, the cryptanalyst will try to exploit any a priori information on the plaintext to decrypt a ciphertext. The main point behind perfect secrecy is that the ciphertext in no way helps the cryptanalyst to extend his/her knowledge about the plaintext (other than possibly its length), even under the assumption that unlimited computational resources are available. 85.2.88.244 09:28, 18 October 2007 (UTC)

85.2, Yes, it's probably good to discuss it here.
What you've noted above is just that which is essentially the point the text(s) you object to attempts to make. Pure cryptanalysis provides no purchase on a correct decryption, because of the equiprobability of all texts. Successfully breaking a one time code message requires additional information, and even if a crib is available and helpful, the next character in a properly protected message will be independent of those in the cribbed portion. Your perspective is slightly skew to the point being made. From the perspective given, the text and its replacement are actually correct. ww 04:39, 19 October 2007 (UTC)
Again, assuming "equi-probability" of plaintexts does not make a convincing argument. So the goal is to show the statistical independence between plaintext and ciphertext. Claiming that for a given ciphertext all plaintexts are equally likely is at least confusing. Rather one should argue that for a given plaintext all ciphertexts (of equal length) are equally likely. This would imply that the distribution of ciphertexts does not depend on the plaintext and therefore the ciphertext does not give information about the plaintext. More formally, we want to show that P(M) = P(M | C), i.e., the probability of a given plaintext M does not depend on the ciphertext C. Using Bayes' theorem this is equivalent to P(C) = P(C | M), i.e., the probability of a given ciphertext C does not depend on the plaintext. Moreover, since for every pair (C,M) there is exactly one key encrypting M to C it can be shown that P(C) = P(C | M) = 2^{-n}, where n is the length of the message. 85.2.9.211 08:36, 19 October 2007 (UTC)
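The argument in the last comment, carried out by enumeration as an added example (my own code, not part of the discussion or the article): for an n-bit XOR pad with a uniformly random n-bit key, every key is counted to confirm P(C | M) = 2^{-n} for every pair, and then, for a deliberately skewed prior P(M) standing in for the cryptanalyst's a priori knowledge of the plaintext, Bayes' theorem is applied to confirm P(M | C) = P(M). The key_bits parameter is my own addition: it shrinks the key space below the message length so the same check can be watched failing. Function names and the sample prior are constructed.

```python
"""Added example: checking perfect secrecy of an n-bit XOR pad by enumeration.

Messages, ciphertexts and keys are integers in [0, 2^n). Probabilities are
exact Fractions so equality checks are meaningful. All names are constructed.
"""
from fractions import Fraction


def ciphertext_distribution(m: int, n: int, key_bits=None) -> dict:
    """P(C = c | M = m) for every c, with the key uniform on key_bits bits."""
    key_bits = n if key_bits is None else key_bits
    counts = {c: Fraction(0) for c in range(2 ** n)}
    for k in range(2 ** key_bits):
        counts[m ^ k] += 1          # with a full pad, exactly one key per (m, c)
    return {c: cnt / 2 ** key_bits for c, cnt in counts.items()}


def posterior(prior: dict, n: int, key_bits=None) -> dict:
    """P(M = m | C = c) by Bayes: P(C|M) P(M) / P(C), for every reachable c.

    prior maps message -> P(M = m); messages absent from it have probability 0,
    which is how a cryptanalyst's a priori knowledge is expressed here.
    """
    joint = {}
    p_c = {c: Fraction(0) for c in range(2 ** n)}
    for m, p_m in prior.items():
        for c, p_c_given_m in ciphertext_distribution(m, n, key_bits).items():
            joint[(m, c)] = p_c_given_m * p_m
            p_c[c] += joint[(m, c)]
    return {(m, c): j / p_c[c] for (m, c), j in joint.items() if p_c[c] > 0}


def is_perfectly_secret(prior: dict, n: int, key_bits=None) -> bool:
    """True iff observing C never moves the probability of any message."""
    return all(p == prior[m]
               for (m, c), p in posterior(prior, n, key_bits).items())


def leaks_for(prior: dict, n: int, key_bits=None) -> list:
    """(m, c, P(M|C)) triples where the ciphertext changed the odds."""
    return [(m, c, p) for (m, c), p in posterior(prior, n, key_bits).items()
            if p != prior[m]]


if __name__ == "__main__":
    # Constructed prior: the analyst thinks message 0 is likeliest, 1 and 4
    # are possible, and everything else is ruled out.
    prior = {0: Fraction(1, 2), 1: Fraction(1, 4), 4: Fraction(1, 4)}
    print(is_perfectly_secret(prior, 3))              # True: full 3-bit pad
    print(is_perfectly_secret(prior, 3, key_bits=2))  # False: key too short
    print(leaks_for(prior, 3, key_bits=2)[:3])
```

With the full pad, P(C | M) is 1/8 for every (m, c) regardless of which m is used, so P(C) is also 1/8 and the posterior collapses to the prior: the skewed prior is untouched by seeing C, which is exactly the distinction the comment draws between "all plaintexts equally likely" (false) and "the ciphertext tells you nothing new" (true). With only two key bits, a ciphertext in the range 4..7 pins the message to 4 with certainty.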


Scrabble

Why's there a picture of the full Scrabble set when it says you should only use 1 of each letter? 66.254.246.198 (talk) 15:32, 19 December 2007 (UTC)