1992-10-11 - one time pads

Header Data

From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: 8236d653b8591abe4a4138bcd063e84c62d1551b1b3dd16fc430ea7f2987a312
Message ID: <9210111753.AA24487@soda.berkeley.edu>
Reply To: <199210110757.AA22987@well.sf.ca.us>
UTC Datetime: 1992-10-11 18:52:00 UTC
Raw Date: Sun, 11 Oct 92 11:52:00 PDT

Raw message

From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Sun, 11 Oct 92 11:52:00 PDT
To: cypherpunks@toad.com
Subject: one time pads
In-Reply-To: <199210110757.AA22987@well.sf.ca.us>
Message-ID: <9210111753.AA24487@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


George writes:

   The cost of key storage is trivial: a fraction
   of the cost of the yearly (or less frequent) travel to meet each
   correspondent in person.

Let me emphasize _each_ in that sentence.  One time pads are very
expensive on a per-link basis than public key systems for this reason
only.  Per-link is one person-to-person link.

   Consider replaceable hard drive cartridges (30 meg
   for about a buck a meg), digital cassette formats including applications
   involving videocassettes, and so on.  

Suppose one cartridge per link.  That's $30 per link.  Per link,
that's a _lot_ of money.

   "Bandwidth required is much higher..."  In what way?  

Whatever channel you use to transmit keys on, be it 30 Mb cartridges
or what, will be more efficiently used by an exchange which requires
less storage.  In the case of cartridges, the UPS cost to ship one is
still only about 1/5 of the cost of a cartridge.  A 3 1/2 inch floppy
can be shipped for one or two ounces of postage.

   However, RSA is just one mathematical breakthrough
   away from being obsolete, and we have no way of knowing when that
   breakthrough occurs.

It is also one breakthrough away from being known to be fully secure.
Not only do we not know when that will happen, we don't know which
will happen.

   It may also be that massively parallel processors can
   be built through VLSI technology, allowing the cost of brute force solutions
   to come down to a reasonable level.  

Look at the figures for best know factoring algorithms.  Now estimate
the total amount of silicon output per annum in the US and estimate
it's computational ability.  I think you'll find that it would still
take on the order of years to factor a single 1024 bit modulus.

The difficulty of hard problems and the scale of the solar system are
two things which are both extremely difficult to get any intuition
about.

   I would suggest that we need a number of different systems, and
   need to keep them all in fairly constant use.  [...]  Now I'm just
   suggesting that a One-Time system should be another one among the
   many.

Here's the bottom line: More security, more cost.  Perfect security is
not worth the cost in time, effort, or dollars when the marginal cost
of perfection is less than the marginal benefit.

Even SWIFT, the international monetary wire transfer system, does not
use one time pads for link encryption.  Now here is a network which
breaking into would be worth billions (that's thousands of millions,
let me remind you).  The chief executives of SWIFT exchanges keys by
post.  

One time pads are useful for all sorts of things, but they are very
expensive to use.  They are useful in protocols for blinding and key
exchanges.  They do not seem to be useful for end-to-end link
encryption, however.

Eric







Thread