Percy the Python loves IPG

Thu Feb 29 14:07:00 PST 1996

At 10:41 PM 2/25/96 -0500, ab411 at detroit.freenet.org (David R. Conrad) wrote:
>I think the IPG system is great!  Percy, my pet python, has never been
>slicker or better lubricated!
:-)

>IPG Sales <ipgsales at cyberstation.net> wrote:
>>Perhaps so, but our system does employ a true hardware generated OTP, and
>>operates similiar to what you describe -  however, the important
>>differernce is that we use a small OTP to generate a larger OTP, like
>>stringing the cable across the Golden Gate narrows.

That's not a cryptographic one-time-pad - the folks who strung the cable
across the Golden Gate used the little cable to haul a bigger hardware cable
across - you're taking your little cable and stretching it into a longer
thinner cable, tangling it up a bit, and hauling the ends across the narrows.
You haven't added anything to it, so it hasn't gotten any stronger,
and it may have gotten a lot weaker.

If the Small Pad has S bits of entropy, and the Large Pad has L>S bits,
the Large Pad still has s<=S bits of entropy in it, because you haven't
added any more from your hardware RNG - you've just shuffled around
the S bits of entropy you had and maybe even lost some if you're careless.
Therefore, the Large Pad is not a One Time Pad, because it's using each bit
of the Small Pad more than Once.  Maybe you only use the Large Pad once,
but it's no longer a One Time Pad; it's a small pad used more than once.
By your own admission, you're using your pads more than once.

A true One Time Pad has the property that each bit of pad has one bit of
entropy,
so even if I know the value of N-1 bits of the pad, I know entirely nothing
about the value of the other bit, even with infinite computation.
With your method, if I know N-1 bits of the large pad, and have a large
enough computer, I can determine the other bit.  Depending on how strong
your algorithm for deriving the Large Pad from the Small Pad is,
I may or may not be able to afford the computation, and the computer
may or may not fit on one planet, but the bit is recoverable;
finding a fast way to crack it is just gravy.

Furthermore, there are two ways I can tell that you've only given the
Large Pad to the two official recipients and destroyed your originals.
One way is to totally observe your handling procedures all the time,
so I know what you've done with it.  This is obviously impractical.

The other way, a bit less secure, is for you to sign a contract as part of
your service that says what how you will generate and handle the keys,
who you'll give them to, what bonding and insurance you have, and how much
liability you'll accept for mishandling.  This isn't mathematically secure,
like a real one time pad, but it does establish a certain trust level -
I now know how much care you're using with the pads, how much I can sue you for
if you mess up, and therefore I can estimate the value of the information
I can trust your product to carry.  In general, that means I can trust it for
conversations which have a specific, limited monetary value, such as
purchase orders
for parts - I can sue you for the $N I'd lose if the message gets stolen.
But I'd better not trust it for high-value secrets, like my marketing strategy
or trade secrets or plans to invade Cuba, because if you mess up,
I can't recover enough money from you to cover my loss if they leak.

So please email me the keys to your company; I'll donate 10% of the value
to David's python Percy for extra snake oil.

#--
#				Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215
# http://www.idiom.com/~wcs     Pager +1-408-787-1281