Eric, good point about public keys and trust by association.

More on OTPs. You say the key distribution problem for OTPs is "much worse" than for PKS and even other conventional ciphers. "Much worse" in what ways? The need for F2F meetings with all possible correspondents is something which exists with conventional ciphers. The cost of key storage is trivial: a fraction of the cost of the yearly (or less frequent) travel to meet each correspondent in person. Consider replaceable hard drive cartridges (30 meg for about a buck a meg), digital cassette formats including applications involving videocassettes, and so on. Yes, as you say, you have to exchange keys each time you run out of key; but you can keep ten years' worth of key on hand if you like, taking up less physical space than a box of cookies.

"Bandwidth required is much higher..." In what way? Certainly not in terms of transmission; a stream cipher is a stream cipher. Perhaps in that each plaintext character requires one key character? This is just another formulation of the "storage" issue: and again, if you have a stack of 30MB cartridges, who cares? Not like we're talking about punched paper tape.

I do agree that PKS offer convenience and features not available with conventional ciphers. However, RSA is just one mathematical breakthrough away from being obsolete, and we have no way of knowing when that breakthrough occurs. It may also be that massively parallel processors can be built through VLSI technology, allowing the cost of brute force solutions to come down to a reasonable level.

All of this is not by way of getting down on PKS. I would suggest that we need a number of different systems, and need to keep them all in fairly constant use. I think we're already all in agreement that one of those systems should be RSA-based. Now I'm just suggesting that a One-Time system should be another one among the many.
BTW, sorry I couldn't make today's meeting; various local tasks demanding attention; plus physical travel distance. Be back next time... -gg
George writes:

> The cost of key storage is trivial: a fraction of the cost of the yearly (or less frequent) travel to meet each correspondent in person.

Let me emphasize _each_ in that sentence. One time pads are much more expensive on a per-link basis than public key systems for this reason only. Per-link is one person-to-person link.

> Consider replaceable hard drive cartridges (30 meg for about a buck a meg), digital cassette formats including applications involving videocassettes, and so on.

Suppose one cartridge per link. That's $30 per link. Per link, that's a _lot_ of money.

> "Bandwidth required is much higher..." In what way?

Whatever channel you use to transmit keys on, be it 30 Mb cartridges or what, will be more efficiently used by an exchange which requires less storage. In the case of cartridges, the UPS cost to ship one is still only about 1/5 of the cost of a cartridge. A 3 1/2 inch floppy can be shipped for one or two ounces of postage.

> However, RSA is just one mathematical breakthrough away from being obsolete, and we have no way of knowing when that breakthrough occurs.

It is also one breakthrough away from being known to be fully secure. Not only do we not know when that will happen, we don't know which will happen.

> It may also be that massively parallel processors can be built through VLSI technology, allowing the cost of brute force solutions to come down to a reasonable level.

Look at the figures for best known factoring algorithms. Now estimate the total amount of silicon output per annum in the US and estimate its computational ability. I think you'll find that it would still take on the order of years to factor a single 1024 bit modulus. The difficulty of hard problems and the scale of the solar system are two things which are both extremely difficult to get any intuition about.

> I would suggest that we need a number of different systems, and need to keep them all in fairly constant use. [...]
> Now I'm just suggesting that a One-Time system should be another one among the many.

Here's the bottom line: More security, more cost. Perfect security is not worth the cost in time, effort, or dollars when the marginal cost of perfection is less than the marginal benefit.

Even SWIFT, the international monetary wire transfer system, does not use one time pads for link encryption. Now here is a network which breaking into would be worth billions (that's thousands of millions, let me remind you). The chief executives of SWIFT exchanges keys by post.

One time pads are useful for all sorts of things, but they are very expensive to use. They are useful in protocols for blinding and key exchanges. They do not seem to be useful for end-to-end link encryption, however.

Eric
Participants (2): Eric Hughes, George A. Gleason