one time pads

George A. Gleason gg at well.sf.ca.us
Tue Oct 13 01:14:58 PDT 1992


Good hard critique, Eric!  Now if I might try to salvage my position...

"One time pads are very (much more) expensive on a per-link basis than
public key systems..."  

Yes, of course.  However I don't envision OTPs as a standard for bulk
encryption on large networks.  Rather, for person-to-person communication in
small networks.  Examples: a group of civil rights attorneys suing the
Federal govt., an international environmental organisation's main offices in
the capital cities of a small number of countries, etc.  Cases where the
adversary is one or more powerful governments, and the number of links
required is relatively small.  Given the nature of the relationships between
these kinds of networks and their adversaries, the expense would seem to be
justified; in any case, the **incremental** cost of for instance a set of
30MB cartridges as compared to a few floppy discs, is an minor fraction of
the cost of the airline tickets and other expenses for trusted couriers.
(oops: "a minor fraction...")

Your discussion of bandwidth can be met with a similar counter-argument.
First of all, I would reject the use of UPS or (God help us) the *Post
Office* as a courier, particularly where one or more governments may be the
adversaries against whom protection is needed.  
So your reference to those carriers is not relevant to the main point of my
case.  I'm assuming that key materials are transported by trusted courier
and are guarded by same until they reach their intended recipient.  Okay,
that *really* drives up the cost, doesn't it...?  Not if the key materials
"hitch hike" on an existing travel plan: attorney A flies out to city B to
visit attorney B... and happens to carry key material onboard in his/her
shoulder bag.  No added cost except for the storage devices, and that is not
significant.  

Re mathematical breakthroughs in factoring etc, you say, "we don't know when
that will happen, and we don't know which will happen."  Exactly my point.
*We* don't know.  But the NSA and so on, most certainly do know, and they
won't be telling.  If the breakthrough comes, then the period between that
point and the point when it is publicised, will be one of false security.
Was it Kahn who said nothing is more dangerous than a bad cipher?  My point
here comes down to nothing more or less than the principle of caution in the
face of an unknown.  

(Discussion of relative cost of brute force solutions, and the question of
hard problems and scale.)  I agree that my intuition about these things may
be highly flawed. However this doesn't invalidate my point about the
possibility of basic breakthroughs happening behind closed doors.  Now in a
way I'll admit that my argument here sort of comes down to a black box.
However, again I would assert that there are cases where the almost
irrational caution is worthwhile.  

You say in concluding, "Perfect security is not worth the cost in time,
effort, or dollars when the marginal cost of perfection is less (do you mean
more?) than perfection."  You cite examples of international banking
systems.

I would cite examples of political movements which have been sabotaged and
destroyed by government covert action.  One need not look far to run into
COINTELPRO and the more recent French govt action of blowing up a Greenpeace
vessel.  Where your adversaries are the intelligence agencies of world
powers, and where lives are at stake, I would say the cost of perfect
security is justified.  Now of course, the French terrorist bombing, the
destruction of Black nationalist and student organising groups in the US,
and other examples, may not (probably would not) have been prevented
altogether by adoption of perfect communications security.  Che Guevara
after all used OTPs, and it was radio direction finding and traffic analysis
(rather than cryptanalysis) which ultimately led to his murder by US-backed
mercenaries.  

If we are promoting a tendency which is inherently political, it implicitly
recognises governments as its adversaries.  Our choices of cryptographic
systems should reflect a wide range of applications and not exclude some
a priori on grounds of cost or convenience.

-George (gg at well.sf.ca.us)





