One-Time Pad From Caltech Offers Uncrackable Cryptography
zrbyte writes "One-time pads are the holy grail of cryptography — they are impossible to crack, even in principle. However, the ability to copy electronic code makes one-time pads vulnerable to hackers. Now engineers at the California Institute of Technology in Pasadena, have found a way around this to create a system of cryptography that is invulnerable to electronic attack. Their solution is based on a special kind of one-time pad that generates a random key through the complexity of its physical structure, namely shining a light through a diffusive glass plate."
Impossible? (Score:3, Insightful)
Couldn't you just steal the plate?
Re:Impossible? (Score:5, Informative)
Re: (Score:2)
Yeah, that's supposed to be what this problem solves, though, if I'm reading it right. Haven't they just taken a step back to having a physical OTP on your desk/in your shoe?
Re:Impossible? (Score:5, Informative)
Re:Impossible? (Score:5, Informative)
Eve is better off using $5 cryptography to get at the message.
Rubber Hose Cryptanalysis [wikipedia.org] Just FYI.
Re:Impossible? (Score:5, Informative)
No, the two devices don't match. Each device contains a different several GB of random numbers (or I suppose, random transformations), encapsulated in the structure of the glass.
The two owners meet, and using both their devices, produce a "combined key". The combined key can be stored in a public repository. The shared OTP can be extracted from the combined key using either device.
The two parties exchange confidential data encrypted with bytes from the OTP until the OTP is all consumed. Then they must meet up again to create a new OTP.
There's nothing novel about the cryptography. What might be novel is the physical properties of the device used to allow someone to carry their personal list of random numbers around.
Re: (Score:2)
You could accomplish the same thing by having Alice's pad contain half of the full OTP, only the odd numbers, and Eve having only the even numbers.
Even better, use a third person with a third OTP to determine if the next sequence goes to Alice or Eve (i.e. Bob's pad is a string of numbers; if the number is odd, the next digit comes from Alice's pad, if even, Eve's pad.)
Re: (Score:3)
I don't think we share a vocabulary on this topic. None of that made sense.
Re:Impossible? (Score:5, Informative)
Who would have thought that the f... article addresses this devilishly ingenious workaround?
"And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.
This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions."
Re: (Score:2)
Right, it's difficult, not impossible. You need a sufficiently large time window to steal both pads and duplicate them.
Re: (Score:2)
Just one of them is sufficient.
At least it's not the size of a manuscript anymore, so you don't need a guy with a handcuffed briefcase on one hand and a SMG on the other.
Re: (Score:2)
If I'm reading it right (which is a shaky assumption) one pad is sufficient to decipher messages sent to that recipient, but both would be necessary to read messages going both ways.
Re: (Score:2)
It's an implementation detail as to whether you use a different pad in each direction, though I don't really know why you would do.
The principle is well understood -- if you both know a secret list of numbers that's as long as your plaintext, you can exchange messages confidentially.
The challenge, which these guys claim to address, is how to get to the point where you both have the secret list of numbers, and can be confident that nobody else has it.
Once you have that confidence, I don't see why you wouldn'
Re: (Score:2)
Sure, never use the same byte twice.
But, using the same pad in both directions:
> Hello Alice -- encrypts with pad[0..11]
< Hello Bob -- encrypts with pad[12..21]
... and so on.
Using two pads:
> Hello Alice -- encrypts with pad[0][0..11]
< Hello Bob -- encrypts with pad[1][0..9]
... and so on.
Equivalent, in terms of the randomness, the one-time-ness of the numbers, and the necessity that both sides have access to all the pads.
Re: (Score:2)
The 'one time' refers to the key, not the physical device. Just don't re-use the same portion of the data from the device.
Re: (Score:2)
Who would have thought that the f... article addresses this devilishly ingenious workaround?
"And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.
This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions."
Right. Note that this implies that this technique should only be used for messages that have an effective lifetime of 1 day.
"Attack at dawn" - yes
"Attack on Sunday" - not so much
Re: (Score:2)
And it seems to me that things like the wavelength of light used would have to be matched exactly as well.
Light of different wavelengths refract differently. Blue refracts more than red, for instance.
The two communicating parties could agree on one (or several) exact wavelengths to use with their plates. Anyone who intercepts the plate, without knowing what wavelength was used, wouldn't be able to replicate the process used to generate the key, unless they tried them all, I guess - but even then they wouldn
Re:Impossible? (Score:5, Funny)
Re: (Score:2)
That said, I think this light-based encryption solution is brilliant in the lab.
Re: (Score:2)
I suppose my error here is letting the title's "uncrackable cryptography" override the summary's "invulnerable to electronic attack", which is absolutely true.
Moon Runes (Score:5, Funny)
So, the message can only be read by the light of a moon the same shape and season that the message was written on?
Obligatory XKCD (Score:2)
Re:Obligatory XKCD (Score:4, Funny)
This [xkcd.com] seems a little bit more appropriate.
Re: (Score:2)
I think you guys broke xkcd.com
Re: (Score:2)
If you transmit the key before the message, you can make sure that the key is not compromised and only then encrypt and send your message.
How do you make sure that the key is not compromised?
Re: (Score:2)
Test it every 23 hours - supposedly it takes at least 24 hours with specialized equipment to duplicate the glass key without damaging it.
Re: (Score:2)
One time pads are used for encrypting transmissions, not storage.
which seems to me to be referring to OTPs in general, not this specific implementation.
Physical vulnerability (Score:3, Funny)
Uncrackable glass plates? Forget cryptography, you should get into the windshield business!
SGI had something along these lines sometime ago. (Score:2)
Got it backwards (Score:5, Insightful)
Re: (Score:3, Informative)
On a photon-by-photon basis, refraction, diffraction, and anything less than total reflection are all quantum mechanical processes. It doesn't get more random than that. Sending photons through a partially transparent mirror has been a standard trick for generating random bits quantum mechanically for at least a decade that I know of. It sounds like this is the same principle.
Re: (Score:3)
But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?
Re: (Score:3)
But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?
No. You have to distribute matched pads - one to the encoder, one to the decoder.
Thus, if someone gets his or her hands on a copy of the pad, decryption is trivial.
Re: (Score:2)
So at what point aren't "matched pads" repeats of the original pads, or devices which would repeat the results of the original pad?
This is my point - these pads aren't "random", because if they were they'd perform differently in two different devices. In which case, their results are surely trivially capturable and, thus, reproducible if you digitally capture the performance of a single example?
It's the old "if you can read it, so can anyone else with the same equipment, and so can you 'fake' it with suffi
Re: (Score:2)
On some device when the two glass owners meet:
// shared key i
pad = generateRandomBytes(many GB)
combinedKey = encodeToCombinedKey(pad, glass1, glass2)
publishToInternet(combinedKey)
Later, to send a message:
chunkOfPad = decryptSharedKey("http://repository/combinedKeyId", glassAlice)
cipherText = xor(plaintext,chunkOfPad)
To decode:
chunkOfPad = decryptSharedKey("http://repository/combinedKeyId", glassBob)
plaintext = xor(ciphertext,chunkOfPad)
There may be some novelty in the way the combinedKey is constructed (pr
Re: (Score:3)
You don't actually need to encrypt the shared key; a simple XOR of the pads from each piece of glass will do:
For Alice to send a message:
For Bob to decode:
The result of the XOR only tells you whether a given bit is the same o
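
The combined-key exchange discussed in the comments above, as an added example that is not part of the thread or the researchers' own code. It assumes the public combined key is the XOR of the two glass pads, models each glass as a random byte string, and gives each direction its own pad region so no offset is spent twice; `Party`, `meet` and `collision_leak` are hypothetical names.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One glass owner. own_pad stands in for the bytes read from that owner's glass."""

    def __init__(self, own_pad, combined, send_region, recv_region):
        self.own_pad = own_pad
        self.combined = combined                 # public value: pad_A XOR pad_B
        self.send_pos, self.send_end = send_region
        self.recv_pos, self.recv_end = recv_region

    def send(self, plaintext: bytes):
        """Encrypt with fresh bytes of the sender's own pad; returns (offset, ciphertext)."""
        n = len(plaintext)
        if self.send_pos + n > self.send_end:
            raise RuntimeError("pad region exhausted: the owners must meet again")
        off = self.send_pos
        self.send_pos += n                       # these pad bytes are now spent
        return off, xor(plaintext, self.own_pad[off:off + n])

    def receive(self, off: int, ciphertext: bytes) -> bytes:
        """Recover the sender's pad bytes from the public combined key and decrypt."""
        n = len(ciphertext)
        if off < self.recv_pos or off + n > self.recv_end:
            raise ValueError("offset already consumed or outside the peer's region")
        self.recv_pos = off + n
        # combined XOR own pad = the sender's pad at this offset
        peer_key = xor(self.combined[off:off + n], self.own_pad[off:off + n])
        return xor(ciphertext, peer_key)


def meet(pad_len: int):
    """The in-person step: read both pads, publish their XOR, split the offsets."""
    pad_a = secrets.token_bytes(pad_len)         # constructed stand-in for glass A
    pad_b = secrets.token_bytes(pad_len)         # constructed stand-in for glass B
    combined = xor(pad_a, pad_b)
    half = pad_len // 2
    alice = Party(pad_a, combined, (0, half), (half, pad_len))
    bob = Party(pad_b, combined, (half, pad_len), (0, half))
    return alice, bob, combined


def collision_leak(m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper computes if both directions spend the SAME offset."""
    pad_a = secrets.token_bytes(len(m1))
    pad_b = secrets.token_bytes(len(m2))
    combined = xor(pad_a, pad_b)
    c1 = xor(m1, pad_a)                          # Alice -> Bob at offset 0
    c2 = xor(m2, pad_b)                          # Bob -> Alice, also at offset 0
    return xor(xor(c1, c2), combined)            # both pads cancel: m1 XOR m2


if __name__ == "__main__":
    alice, bob, combined = meet(64)
    off, ct = alice.send(b"Hello Bob")
    print("Bob reads:", bob.receive(off, ct))
    off2, ct2 = bob.send(b"Hello Alice")
    print("Alice reads:", alice.receive(off2, ct2))
    leak = collision_leak(b"ATTACK AT DAWN", b"RETREAT AT SIX")
    print("Shared offset leaks m1 XOR m2:", leak.hex())
```

Because the combined key is public, a pad offset counts as spent as soon as either owner uses it, which is why the two send regions here are disjoint.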
Re: (Score:2)
The pads are randomly generated, not random. Each pad needs to be longer than your message. No part of the pad is ever reused; if you have the first half of a pad, you can decrypt anything encrypted with that half, but it tells you absolutely nothing about the second half of the pad, because it's all random, not an algorithm. If you have the cleartext, you could not reverse-engineer the pad from it, and even if you could, you couldn't use that to determine the rest of the pad.
Here's how it works.
You gene
Re: (Score:2)
But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?
No. With a proper random pad generation algorithm, you could never ever reproduce the exact same pad in two places, or at two separate times. You generate the pad once and use some other method (such as couriers) to deliver the pads to the people that need them. You also need a way to guarantee that the courier did not tamper with, sell, or copy the original pad. If you transmit via internet, you would use some previously arranged cryptographic exchange.
Re: (Score:2)
I don't think this is about quantum phenomena. The glass has a randomised construction, but it needs to be a repeatable source of randomisation.
The process seems to be: Both parties meet, and feed some random data into a process which uses both their glasses and produces a few GB of "combined key". Alice's glass and Bob's glass are different. But either can be used to extract the OTP from the "shared key".
Re: (Score:2)
Do they change the glass plate after every use?
No, but once you've used a chunk of randomness, you don't reuse it, and eventually the glass plate is "finished".
TFA:
... it ought to be possible to generate a terabit of randomness from a single cubic millimetre of diffusing glass with higher-resolution equipment.
And even though this can only be used once, the slabs can be easily reset by heating the glass to change its microstructure at which point Alice and Bob must meet again to create a new set of combined keys.
Re: (Score:2)
Re: (Score:2)
Ravikanth Pappu, Ben Recht, Jason Taylor, Neil Gershenfeld Physical One-Way Functions [sciencemag.org] Science 2002, 297 (5589), 2026-2030, doi: 10.1126/science.1074376 [doi.org]
Random is hard. (Score:3)
I can't remember which book it was, maybe Cryptonomicon, but more likely The Ultra Secret, but it had some interesting stories about both the allies and axis having a hard time at this.
They used various ideas to try and "make" randomness into their one time pads. However all of these things had to be done by a person, as this was more or less before the advent of computers (well just before anyway). One such method had to do with using a deck of cards. However crackers were able to even find patterns among the
Re:Random is hard. (Score:5, Interesting)
I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.
A good post, but I'm not sure you understand hardware based random number generation. At least one way to do it is have a small amount of radioactive material. Although it decays predictably in the long term (half life) it is random in the short term. By measuring the radioactive decay truly random numbers can be obtained.
Can you model this? Sure, but your model will either be a software based random number generator or it will be a hardware token. In either case it will *not* be the item in question at the time in question and will not allow you to determine what numbers were generated.
No system is foolproof, but all the interesting cracks in cryptography that I'm aware of come through side channels or demonstration that a method was not truly random. Human card shuffling is certainly not random -- not only is the process controlled by the shuffler, but there are distinct non-random patterns to it that allow stage magicians to take a stacked deck that is shuffled and still produce the desired result.
I think my favorite side channel attack was picking up the attenuated signal from the unencrypted side of a cryptography machine -- the British didn't have to crack the encryption used by the French embassy, they just read the plain text!
OTP are sexy and cool because they provide unbreakable encryption. As long as they are generated correctly (truly random) and distributed without tampering or exposure. The first is hard enough, but distribution on any scale means that not all of them will be free of tampering and exposure.
Re: (Score:2)
I guess I was more referring to software not hardware random generation. Like when you call a random function to generate a number for you to use.
I remember reading about two methods YEARS ago probably in some CS class or something. One involved weather patterns (I think), and another involved electrical current, and both involved slices of time, to produce values that were "seemingly" random. The point was, in both cases, you could over time figure out and model something to get most of the general weather
Re: (Score:3)
I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.
A good post, but I'm not sure you understand hardware based random number generation. At least one way to do it is have a small amount of radioactive material. Although it decays predictably in the long term (half life) it is random in the short term. By measuring the radioactive decay truly random numbers can be obtained.
The decay may be random, but the implementation may not be. I have heard of two issues with actual radioactive random number generators.
1.) The geiger tube (or solid state chip) used for detecting the decays will have imperfections (for example, a dead time so that it will miss a decay occurring too soon after another one), and these can introduce non-randomness into the output.
2.) The early ones were simple accumulators (count for an interval delta-T, and if you get > Y decays, that is a 1, otherwise a
Re: (Score:2)
Re: (Score:3)
They claim it passes statistical analysis tests for true randomness.
That is meaningless (there is no test for true randomness, just tests of whether or not various forms of non-randomness are present), and if they truly believe that passing various tests for randomness is sufficient then there may be no hope for them.
Hell, just transmitting large blocks of 100% mathematically random data is a red flag. "One-time pad in use! Something very interesting going on here!"
I have heard that certain locations send megabits / sec of random data continuously, at all times, just so that certain other locations can't tell when encrypted traffic is being sent. Certainly that technique is being used (at a lower bit rate) by the various
Is it new? (Score:4, Interesting)
Was it really used? Or am I hazily recalling some spy novel stuff from Irwin Wallace or Alistair MacLean and mistaking it for real history?
Re: (Score:2)
Re: (Score:2)
POTUS-PRIME
Great, now I have to imagine Roosevelt with Peter Cullen's voice saying, "Allied Forces, roll out."
Re: (Score:2)
Re: (Score:2)
That is indeed how the WWII "scrambler" phones worked, but that was not viewed as nearly as secure as a one time pad (required for all messages dealing with Enigma decrypts) and the Germans did decode at least some scrambler phone communications.
The cryptographic trouble is that the inherent correlations of the human voice are still present, just overlaid by noise, and you can use that knowledge to extract the signal (the voice) from the noise. It did prevent idle eavesdropping, which I think was more th
Re: (Score:2)
Re: (Score:2)
There's nothing new about one-time pads, and your story is plausible (I think I've heard it before).
OTPs have definitely been used in real spycraft. People were literally issued with a book of random numbers, to be very closely guarded.
What's new here is the way of storing OTPs so that they can't unobtrusively be copied.
Re: (Score:3)
Re: (Score:2)
In what way is guarding a block of glass different from guarding a telephone book?
You can trivially borrow a telephone book, copy what you need, then return it without the owner noticing.
TFA:
And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.
This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions.
... and their abstract...
Benefits of volumetric physical storage over electronic memory include the inability to probe, duplicate or selectively reset any random bits without fundamentally altering the entire key space
Easiest one time pads are to get two copies of the same yellow pages. The caller specifies a page number. The receiver turns to that page. Ignore all alphabets and collect all the phone numbers write them down in sequence. You got a one time pad.
"Easiest", but not unbreakably secure in the manner of a truly random OTP.
Re: (Score:2)
Easy does not mean secure. First hint, your phone numbers do not represent a random distribution of numbers. Better than nothing? Sure. Would it prevent me from cracking the encrypted message? Yes, but I'm not a cryptographer. The lack of any meaningful randomness would permit analysis and cracking.
Re:Is it new? (Score:4, Informative)
Re: (Score:2)
What an interceptor would get was a very noisy conversation, which could be recorded and carefully listened to by multiple people multiple times. It wasn't very secure because people are very good at getting meaning out of noisy conversations. IIRC, the conversation wasn't really pleasant for FDR or Churchill, so adding too much noise would become impractical.
"New Cryptography" - I don't think so. (Score:3)
The question is (Score:2)
The question is: how soon will this diffusive glass become a forbidden substance?
nothing new (Score:2)
Random physical structures have been used for this purpose for decades.
Re: (Score:2)
Random physical structures have been used for this purpose for decades.
Yes, using PUF devices for OTP, challenge/response and key generation is old tech.
All you really need is a large SRAM structure to generate unique random bits for each device. A simple microcontroller with a large SRAM block works nicely.
http://trudevice.com/Workshop/program/13%20M.%20Platonov%20TRUDEVICE_2013.pdf [trudevice.com]
Re: (Score:2)
Re: (Score:2)
That's not a useful key because it's not constant over time.
Here is a history:
http://en.wikipedia.org/wiki/Physical_unclonable_function [wikipedia.org]
Completely impractical, i.e. worthless (Score:3)
A secure one-time pad with classical means is easy to do. You just need to secure the system where the pad is applied adequately. You need to do the same thing with this hype-device. Hence it has zero advantages over other implementations of the one-time pad, but a lot of drawbacks.
I would suggest that these people are not stupid and know of the severe drawbacks. I would also suggest they are just completely unethical lying scum and grant or investment money is the only thing that counts for them.
Variations on this are the only way. (Score:2)
All top secret information should flow through one time pad systems.
Look at it this way. What does disk space cost these days? Imagine getting a 30 gigabyte one time pad file on its own little SSD drive. How much data could be passed back and forth as theoretically unbreakable encryption? At the very least 30 gigabytes of data. In practice, probably at least a magnitude beyond that.
Re: (Score:2)
All top secret information should flow through one time pad systems.
Look at it this way. What does disk space cost these days? Imagine getting a 30 gigabyte one time pad file on its own little SSD drive. How much data could be passed back and forth as theoretically unbreakable encryption? At the very least 30 gigabytes of data. In practice, probably at least a magnitude beyond that.
No, at most 30 gigabytes. The next byte you send will start to reveal previous traffic.
Re: (Score:2)
Theoretically. It depends on how secure the traffic has to be... you could run some of the high volume lower security traffic through a portion of the key that is "stretched" a bit.
But the top top security data... yeah. 1:1 ratio with the key.
Re: (Score:2)
I am not a cryptographer, but I *think* it would not harm the strength of the encryption if you compress then encrypt.
You could also use the OTP as a source of symmetric keys for AES, moving to a new one regularly, as SSL does.
Re: (Score:2)
I am not a cryptographer, but I *think* it would not harm the strength of the encryption if you compress then encrypt.
In theory, it should actually make it stronger, by removing redundancy. In practice, I bet it would mean that you could then predict the first few bytes of each message sent (i.e., some sort of header info, followed maybe by something guessable if you know the language being used) and it can be a bad idea to begin each message with something predictable.
Re: (Score:2)
I am not a cryptographer, but I *think* it would not harm the strength of the encryption if you compress then encrypt.
In theory, it should actually make it stronger, by removing redundancy. ...
it can be a bad idea to begin each message with something predictable.
Both completely irrelevant if you're encrypting with a OTP.
Be wary (Score:3)
Three things are required for a one time pad - that the key be shared, random and non-repeated. A one time pad is very much breakable if the key is not both random and non-repeated, and the biggest problem with its use can be the sharing of the keys.
The Soviet "Venona" traffic was decoded because they reused pads (keys), rendering the message decryption straightforward, and also revealing the keys. The revealed keys were found to have some further weaknesses, as they were made manually (apparently by secretaries told to type randomly on their typewriters). These weaknesses included an avoidance of repeated characters, a tendency to alternate hands (a character on the left side of the keyboard would be likely to be followed by one on the right), and (IIRC) a preference for character pairs and triplets that didn't require too much stretching of the hands. (On the top line of a QWERTY keyboard, this means that, say, an initial "q" would be unlikely to be followed by another "q", that it would be likely to be followed by a letter in the "u - p" range, and that the third character would be more likely to be a q, w or e than an r, t or y.)
Now, officially, that amount of manual non-randomness wasn't enough to break further Soviet one time pad encryptions, but I suspect that they were. I have also heard rumors that later use of random keys generated by electronic circuits had problems as the physical limitations of the electronic circuitry imposed a low-pass filtering that made these keys, again, not totally random. Note that true randomness is what is needed here - common digital pseudorandom techniques, such as hashing with SHA-1, may help to obscure weaknesses, but they will not make a non-random key random.
In this case, I would worry very much about
- whether the physical technique produces a truly random key and
- how to satisfy myself that today's random key is totally independent of every previous key. If this is, say, dependent on where the laser is pointing to in the glass, how far apart does each pointing need to be to make sure that the results are independent, and can I securely verify that today's direction is sufficiently different from every previous time and
- as the technique is passing an initial sequence of bits through the randomizer glass, how random does the initial sequence need to be? What weaknesses are imposed by non-randomness in that initial sequence?
I could easily see this technique being secure in theory but massively broken in practice by some weakness in how the glass is made or handled or in the initial keys.
Note, by the way, that the two parties must physically get together to generate the key, so in a sense this is really a secure key storage device. Once they use up their stored keys, they have to meet again to be able to send more messages, which of course is the real problem with one time keys (and why, for example, the Soviets reused some of the Venona keys).
And, finally, this technique might make a cool way of doing truly secure hashing.
True Randomness is Possible... (Score:2)
When you get loaded.
another random source (Score:2)
I always thought a high quality recording from a windy outdoors location with no man-made sound sources would make a fine source of random values.
Zardoz is happening (Score:2)
http://www.imdb.com/title/tt0070948/synopsis?ref_=tt_stry_pl [imdb.com]
Infinite data being stored in a single crystal; all depending on how the light refracts.
Re: (Score:2)
Re:Not too long until an iceberg attack is reveale (Score:5, Informative)
That's not the case with a properly used one-time pad. Normally you break a cipher by finding correlations due to the repeated use of a finite encryption key on different parts of a comprehensible plaintext. If either the message is random, or the encryption key is random and nonrepeating, then the message cannot be deciphered.
Unless you steal the pad, or force the user to repeat it.
Re:Not too long until an iceberg attack is reveale (Score:5, Insightful)
Nope. The OTP is truly unbreakable.
The only problem with it is that you need to secretly transmit the pad to the recipient. How do you do that? With a one-time-pad...?
Re: (Score:2)
Re: (Score:3)
If you can meet up to exchange a piece of glass you can also exchange USB drives (or whatever) full of random numbers. It's just as secure as this method.
The innovation here is that nobody can make a copy of the piece of glass.
Or is it...? If Bob can create a OTP using the glass then so can Eve. All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.
I fail to see how this is more secure than simply exchanging USB keys.
Re:Not too long until an iceberg attack is reveale (Score:4, Funny)
All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.
Sounds like a metaphor for something kinky...
Re: (Score:2)
Not really - a USB drive is laughably easy to duplicate - that's kind of its purpose. Exactly duplicating (or even just characterizing) microscopic surface imperfections on a piece of glass on the other hand likely requires specialized hardware that a spy can't easily carry in a suitcase. At least assuming that a smooth protective layer is bonded over it to prevent mold creation (say glass with a much different refractive index).
So basically you're adding physical-key security to your OTP, which drastica
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It must be at least read-twice. Once to jointly encrypt the "common key", which contains the pad, and once to retrieve the pad from the common key.
Re:Not too long until an iceberg attack is reveale (Score:5, Insightful)
The real key here is that there is no advantage to the device at all.
In the cryptographic protocol that the authors (all physicists) believe to be novel, but which every cryptographer is aware of:
1. The authors have a perfectly secure channel (separate from the one established in the protocol).
2. They exchange as much information over that channel as the device stores.
3. The later established channel can only use that number of bits.
For real excitement they xor together their OTPs. Sorry guys but this is called a pre-shared key and the crypto world is quite aware of it. Good luck with the window dressing getting you past the PC of a physics venue.
Re: (Score:3)
Re: (Score:3)
If the OTPs are in fact uncopyable, the authors don't need a perfectly secure channel. Alice sends plates to Bob. Eve intercepts the crate, and then what? If she can't copy the plates, she can either divert them or break them (in which case all we need is an authenticated, not secure, channel for Bob to report nondelivery), or let them proceed to Bob. If Bob doesn't report that he has the plates, then Alice sends another batch of plates until Bob reports that he has them. If Alice and Bob need to talk
Re:Not too long until an iceberg attack is reveale (Score:5, Interesting)
Re: (Score:3)
Of course, if it's possible to make a copy of a plate, it's no better than trying to securely send thumb drives.
The simple fact that there are two serves as an existence proof of the possibility of making a copy.
Re: (Score:2)
I don't think they are identical plates. The encryption would simply take the configuration of both into account.
Re: (Score:2)
Oh that's easy, just make sure the person you want to talk secretly to is called Eve!
Problem solved :)
Re: (Score:2)
Just embed the glass in a credit card sized gizmo, and put a reader in laptops.
Re: (Score:2)
You cannot recover old data from memory. Hard disk maybe, but RAM is volatile. Turn off the machine and within seconds it will be gone.
Recovering data from a hard disk can also be made impossible. Simply encrypt the entire device. Without the key no recovery can occur.
Re: (Score:2)
http://en.wikipedia.org/wiki/Cold_boot_attack [wikipedia.org]
Back in the day on my VIC-20, I could see that data stayed for a few seconds but that was probably 6T SRAM with humongous feature sizes.
Re:Nothing is impossible to crack... (Score:4, Informative)
No, against a one-time pad, bruteforce won't work, because the key is never re-used so you've no basis to know that any output from your decryption is more valid than any other.
The first 1024 bytes of Hamlet, XOR'd with 1024 truly random bytes, is indistinguishable from random bytes.
XOR that with the same bytes again, and you get 1024 bytes of Hamlet back.
XOR it with most random streams of bytes, and you'll get something that looks equally random.
XOR it with a particular different list of bytes, and you get 1024 bytes of Moby Dick.
XOR it with another list of bytes, and you get a version of Hamlet in which "Bernardo" is replaced with "Slashdot".
... and as an attacker, you've no way of knowing which one of those, if any, was the original plaintext.
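
The brute-force argument in the comment above, as an added example that is not part of the thread. It shows that every same-length plaintext is explained by some key, and contrasts that with a short repeated key; the sample strings, the single-byte key and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import product


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`."""
    return xor(ciphertext, candidate)


def otp_bruteforce(ciphertext: bytes) -> Counter:
    """Try EVERY pad for a short ciphertext and count the plaintexts produced."""
    n = len(ciphertext)
    return Counter(xor(ciphertext, bytes(k)) for k in product(range(256), repeat=n))


def repeating_key_bruteforce(ciphertext: bytes) -> list:
    """Same search when one key byte is repeated over the message (not an OTP).

    Only 256 keys exist, and a plausibility filter (printable ASCII) discards
    most of them, so the search narrows instead of returning everything.
    """
    survivors = []
    for k in range(256):
        pt = bytes(c ^ k for c in ciphertext)
        if all(32 <= b < 127 for b in pt):
            survivors.append(pt)
    return survivors


# Constructed sample data: two unrelated 12-byte openings.
HAMLET = b"Who's there?"
MOBY = b"Call me Ishm"

if __name__ == "__main__":
    pad = bytes(range(40, 52))                  # constructed pad, for the demo only
    ct = xor(HAMLET, pad)
    other_pad = key_explaining(ct, MOBY)
    print("same ciphertext, other pad:", xor(ct, other_pad))

    counts = otp_bruteforce(b"\x13\x37")
    print("distinct plaintexts from 2-byte search:", len(counts))

    weak_ct = bytes(c ^ 0x5A for c in b"Attack at dawn")
    print("repeating-key survivors:", len(repeating_key_bruteforce(weak_ct)))
```

With a full-length random pad the exhaustive search returns every possible plaintext exactly once, so it ranks nothing above anything else; with the repeated key byte the real message is among a few dozen survivors.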
Re:Nothing is impossible to crack... (Score:4, Interesting)
You are wrong.
The "one time" in "one time pad" means you never use a piece of key twice. The OTP needs to be as long (or longer than) the plaintext, and when you've used up your OTP, you need to get together and share a new one.
You can make an OTP last longer by compressing before encrypting, or by using OTP encryption to exchange temporary keys, to be used with other encryption methods.
Clearly you *could* re-use your OTP, perhaps starting from the beginning when you run out of bytes. But each time you do that you weaken your security.
Re: (Score:2)
Actually no, brute force specifically doesn't work against OTP cryptography.
That's kind of the whole point of OTP.
At most you can determine the maximum length of the message. However, if you determine it's an eight word message there is absolutely no way to determine WHAT those eight words are without the key.
You also can't determine if the message is really eight words, or if it's five words banana popsicle meow.
Even theoretically infinite computing power will not suffice to crack a one time pad if it's u