cryptoanarchy.wiki

Arise, you have nothing to lose but your barbed wire fences!

1996-10-21 - Re: [crypto-philo]OTP or DES?

Header Data

From: paul@fatmans.demon.co.uk
To: walrus <walrus@tcgcs.com>
Message Hash: 56cb013c05e2052eddb85f57436dfa91f33dae885ba9d3012fe7ef37a00ddef6
Message ID: <845910403.8325.0@fatmans.demon.co.uk>
Reply To: N/A
UTC Datetime: 1996-10-21 15:57:33 UTC
Raw Date: Mon, 21 Oct 1996 08:57:33 -0700 (PDT)

Raw message

From: paul@fatmans.demon.co.uk
Date: Mon, 21 Oct 1996 08:57:33 -0700 (PDT)
To: walrus <walrus@tcgcs.com>
Subject: Re: [crypto-philo]OTP or DES?
Message-ID: <845910403.8325.0@fatmans.demon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain



> It is quite easy to take the bits of the des-encrypted message, and
> calculate the OTP key nessasary to decrypt the message into your real plan.
> It would seem you could build a key to have your message say anything of
> equal length.  Why then must a true OTP be based on a true RNG?  Because one
> of the actual possible keys of a real OTP is indeed the encrypted des
> message, you can claim that it is an otp and no-one can prove otherwise.
> They can say "But we cracked your des key and can decypher this message!"
> and you say "nope i used an OTP, that is a false message, here is what it
> really says! The fact that by PURE coincidence that OTP could be decrypted
> using that particular key means nothing, because a true OTP can generate
> that bit sequence.

Not quite, 

It is so unlikely that any DES key would exist to turn a one time pad 
encrypted message into an intelligible plaintext with no errors, 
proper linguistic structure etc. that it just wouldn`t wash.

I shiver at the idea of calculating the probability (my statistics is 
a bit rusty) but it is a pretty damn small probability given that the 
set of all possible DES ciphertexts is a smallish subset of all 
possible binary values (if memory serves correctly, I may be off the 
mark here though).

This may work with a stream cipher (which is pretty similar to a OTP 
apart from not being provably secure because the entropy of the key 
is greater than or equal to that of the message) where you can have 
any possible binary value as your ciphertext...
However, for a block cipher, this would appear to me to be impossible 
for most ciphertexts.


  Datacomms Technologies web authoring and data security
       Paul Bradley, Paul@fatmans.demon.co.uk
  Paul@crypto.uk.eu.org, Paul@cryptography.uk.eu.org    
       Http://www.cryptography.home.ml.org/
      Email for PGP public key, ID: 5BBFAEB1
     "Don`t forget to mount a scratch monkey"

Thread