George writes: The cost of key storage is trivial: a fraction of the cost of the yearly (or less frequent) travel to meet each correspondent in person. Let me emphasize _each_ in that sentence. One time pads are very expensive on a per-link basis than public key systems for this reason only. Per-link is one person-to-person link. Consider replaceable hard drive cartridges (30 meg for about a buck a meg), digital cassette formats including applications involving videocassettes, and so on. Suppose one cartridge per link. That's $30 per link. Per link, that's a _lot_ of money. "Bandwidth required is much higher..." In what way? Whatever channel you use to transmit keys on, be it 30 Mb cartridges or what, will be more efficiently used by an exchange which requires less storage. In the case of cartridges, the UPS cost to ship one is still only about 1/5 of the cost of a cartridge. A 3 1/2 inch floppy can be shipped for one or two ounces of postage. However, RSA is just one mathematical breakthrough away from being obsolete, and we have no way of knowing when that breakthrough occurs. It is also one breakthrough away from being known to be fully secure. Not only do we not know when that will happen, we don't know which will happen. It may also be that massively parallel processors can be built through VLSI technology, allowing the cost of brute force solutions to come down to a reasonable level. Look at the figures for best know factoring algorithms. Now estimate the total amount of silicon output per annum in the US and estimate it's computational ability. I think you'll find that it would still take on the order of years to factor a single 1024 bit modulus. The difficulty of hard problems and the scale of the solar system are two things which are both extremely difficult to get any intuition about. I would suggest that we need a number of different systems, and need to keep them all in fairly constant use. [...] Now I'm just suggesting that a One-Time system should be another one among the many. Here's the bottom line: More security, more cost. Perfect security is not worth the cost in time, effort, or dollars when the marginal cost of perfection is less than the marginal benefit. Even SWIFT, the international monetary wire transfer system, does not use one time pads for link encryption. Now here is a network which breaking into would be worth billions (that's thousands of millions, let me remind you). The chief executives of SWIFT exchanges keys by post. One time pads are useful for all sorts of things, but they are very expensive to use. They are useful in protocols for blinding and key exchanges. They do not seem to be useful for end-to-end link encryption, however. Eric