Slashdot Mirror


Totally Random One Time Pads

liliafan writes "Scientists in Japan have come up with a way of harnessing a truly random datasource for generating one time encryption pads: Quasars. One time encryption pads are widely accepted as being the most secure form of encryption, but this new technology from the National Institute of Information and Communications Technology makes the pads even more secure."

46 of 265 comments

  1. Dupe by TheComputerMutt.ca · · Score: 5, Informative
    1. Re:Dupe by suso · · Score: 5, Funny

      So it's not truly a one time pad then.

    2. Re:Dupe by koh · · Score: 4, Funny

      This is a dupe of almost the same story from the same source.

      If you had read TFA, you would know they use Slashdot feeds as an entropy source for their one-time pads. They do report problems though, since during a recent test run they noticed 42% of their one-time pads were effectively equal...

      --
      Karma cannot be described by words alone.
  2. Hmm... by fishybell · · Score: 3, Funny
    Where can I buy one of these newfangled quasars anyway?

    From what I hear, I'll probably be able to save on my heating bills too.

    --
    ><));>
    1. Re:Hmm... by MikeFM · · Score: 2, Funny

      Don't bother, they aren't truly random. Silly geeks don't realize that nature is orderly and reverse engineerable. The aliens can still read your messages!

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  3. One Time Pads... by Anonymous Coward · · Score: 5, Funny

    Women have had those forever...

  4. cracking this would be useful by caffeinemessiah · · Score: 2, Interesting

    If this is ever widely accepted, it seems that the inevitable deluge of security researchers trying to find predictability in the patterns would be a beneficial thing. If one ever comes close to succeeding, sure, your credit card details could be stolen, but we'd understand the universe a tiny little bit better...

    --
    An old-timer with old-timey ideas.
    1. Re:cracking this would be useful by Detritus · · Score: 2, Informative

      There are established procedures for handling lost or garbled messages. One simple technique is to put a unique serial number on each page of the pad, include the serial number in the message header, and start all messages on a new page.

      --
      Mea navis aericumbens anguillis abundat
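A small working model of the page-serial procedure Detritus describes, added here as an example (it is not code from the thread). It assumes a constructed pad book of 64-byte pages, a 4-byte big-endian serial header, and a deliberate rule that a receiver discards every page numbered below the one it just used, so a delayed or replayed message can never consume a page twice:

```python
import copy
import os

PAGE_LEN = 64   # bytes of key material per pad page (constructed value)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """One party's copy of the pad book: serial number -> page of key bytes.
    A page is destroyed (removed) the moment it is used, so it can never be
    reused, and pages below the one just used are discarded as well."""

    def __init__(self, pages: dict):
        self.pages = dict(pages)

    @staticmethod
    def generate(n_pages: int, page_len: int = PAGE_LEN) -> dict:
        # Key material from the OS CSPRNG; both parties get an identical copy
        # out of band (modelled below with copy.deepcopy).
        return {serial: os.urandom(page_len) for serial in range(1, n_pages + 1)}

    def take(self, serial: int) -> bytes:
        if serial not in self.pages:
            raise KeyError(f"page {serial} unknown or already destroyed")
        # Lower-numbered pages belonged to messages that never arrived;
        # drop them so a late or replayed message cannot reuse one.
        for old in [s for s in self.pages if s < serial]:
            del self.pages[old]
        return self.pages.pop(serial)

    def next_serial(self) -> int:
        return min(self.pages)


def encrypt(book: PadBook, plaintext: bytes) -> bytes:
    """Every message starts on a fresh page; its serial goes in the header."""
    serial = book.next_serial()
    key = book.take(serial)
    if len(plaintext) > len(key):
        raise ValueError("message longer than one pad page")
    return serial.to_bytes(4, "big") + xor_bytes(plaintext, key)


def decrypt(book: PadBook, message: bytes) -> bytes:
    serial = int.from_bytes(message[:4], "big")
    key = book.take(serial)          # KeyError if replayed, late or unknown
    return xor_bytes(message[4:], key)


def demo() -> dict:
    shared = PadBook.generate(n_pages=4)
    alice, bob = PadBook(shared), PadBook(copy.deepcopy(shared))
    lost = encrypt(alice, b"first message, never delivered")   # page 1, lost in transit
    second = encrypt(alice, b"second message, arrives")        # page 2
    recovered = decrypt(bob, second)      # Bob resyncs from the header serial
    try:
        decrypt(bob, second)              # replay: page 2 is already destroyed
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    try:
        decrypt(bob, lost)                # late arrival: page 1 was discarded
        late_rejected = False
    except KeyError:
        late_rejected = True
    return {"recovered": recovered, "replay_rejected": replay_rejected,
            "late_rejected": late_rejected, "bob_pages_left": sorted(bob.pages)}


if __name__ == "__main__":
    print(demo())
```

demo() loses the first message in transit, shows the receiver resynchronising from the serial in the second message's header, and then shows both a replay and the late arrival being rejected because their pages are already gone. Destroying pages on use is what gives the pad its forward secrecy; the serial itself travels in the clear and tells an observer only how many messages have been sent.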
  5. So what? by rsw · · Score: 3, Interesting

    Getting randomness isn't interesting. Thermal noise is truly random, perfectly white, and easy to generate---it's as hard as passing a current through a resistor. Want more noise power? Avalanche breakdown, with appropriate whitening, works fine.

    Unless they've come up with an interesting way for two people in disparate locations to observe the same quasar and both independently observe the same random phenomena in a way which reliably and securely gives them access to the pad with no communication channel between them, this just isn't interesting.

    -rsw

    1. Re:So what? by homer_ca · · Score: 4, Informative

      Actually it's worse than that. From TFA:

      > Each communicating party would only need to know which quasar to monitor and when to start in order to encrypt and decrypt a message.

      The name of the quasar and time to start monitoring are the cryptographic keys. That doesn't sound like a lot of bits in the keyspace.
    2. Re:So what? by interiot · · Score: 5, Informative
      > The name of the quasar and time to start monitoring are the cryptographic keys. That doesn't sound like a lot of bits in the keyspace.

      Yes, but it's more secure than other keys, because the only way to attack it is to steal the keys before the time that the quasar is monitored. If an attacker discovers the keys afterwards, the key is useless.

      Also, the keyspace is larger than you think... the article mentions that quasars have a very broad frequency spectrum. So, #quasars (that are visible to both) X monitoring-time-choices X monitoring-frequency-choices may result in a large-ish keyspace (or, at the very least, means that it may be physically extremely expensive to try to decrypt a message against all possible keys).

    3. Re:So what? by homer_ca · · Score: 2, Insightful

      OK, even if the keyspace is pretty large, what you have now is a symmetrical cipher. You still have to distribute that key securely.

    4. Re:So what? by Beryllium+Sphere(tm) · · Score: 2, Insightful

      If the two communicating parties have to agree on a particular time to start observing they need to synchronize their clocks. The most practical approach is GPS. Figure 10-100 nanoseconds of timing resolution. If an adversary can guess to within three years when you started observing, there are 1E15 to 1E16 possible starting times. There's 50 bits, if there are a thousand QSO's we add 10 bits, so they've got the equivalent of a 60-bit private key.

      Worse, this scheme doesn't let you get forward secrecy. In a conventional one-time pad you destroy the keying material after you use it. What are these people going to do, destroy quasars retroactively? Copyright QSO recordings and stage DMCA raids periodically?

      Worse yet, someone pointed out (who? I want to give you credit) that an active adversary could trivially inject fake signals into your radio telescopes and control the contents of your one time pad.

    5. Re:So what? by GlassHeart · · Score: 2, Insightful
      So you distribute that key via asymmetric encryption, very soon before you send the actual message. That narrows the keyspace a bit, but means that if the attacker doesn't have the computing power to brute-force the asymmetric encryption between the time that the key is sent and the time that the quasar is monitored, then the attacker has failed.

      I start monitoring as many quasars as I can the moment I intercept the key message. That way, when I finally decode the key message I can also read the actual message. The secrecy of your message then depends on whether my choices of quasars get lucky, which is not nearly as good as a real one-time pad.

    6. Re:So what? by mal0rd · · Score: 2, Informative

      This is not like other forms of encryption where the attacker can brute force by going through all the possible keys after the fact. With all the telescopes and cameras on earth, we can only monitor about 2% of the visible sky. So a single cracker can't possibly record the data from every quasar all the time, or even a small percentage of them. So even though the keyspace is small, the attacker only gets to make a few guesses.

      Let's say the communicators choose the least secure method and publish the exact time they will start recording the one time pad from the quasar. And assume the attacker can only monitor 1e-9 percent of the quasars at once. Then they have a fairly good chance of remaining undetected.

      Now if they just keep recording from that quasar for the entire session, the cracker could try lots of different stars over time and see which one matches. But encryption often uses cipher-block chaining, where the unencrypted data from earlier in the session is used to encrypt the next block in addition to the shared secret. If they did this the attacker would have no hope of breaking the encryption unless he gets lucky on the first transmission.

    7. Re:So what? by Kadin2048 · · Score: 2, Insightful

      Yep, pretty much.

      I actually thought that they were talking about using the data from quasars to generate one-time pads, which would then be distributed by conventional means. I didn't think they were actually proposing having two separate people observe the same quasar, to produce the "one-time" pad simultaneously. Unless you had a quasar that you knew nobody else knew about, and definitely wasn't monitoring, it seems like a pretty bad idea. Especially if the people you're trying to conceal information from have more resources than you do.

      In short, I think it's actually a pretty dumb idea; its forward security depends entirely on the assumption that somebody, someplace, wasn't out there, recording the same quasar that you used to generate your pad. And given the rather finite (to my knowledge) number of visible/receivable quasars, it seems like a poor assumption to make. Certainly I wouldn't want to bet my life on it.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    8. Re:So what? by EERac · · Score: 2, Interesting

      The time to start monitoring is key. If quasars generate random bits at a high enough rate, it becomes infeasible for a third party to just start recording bits from some quasar then search for a particular one time pad.

      A few years ago, I heard a talk by Michael Rabin that explained how completely secure one time pads could be obtained from a satellite (or some other data source) that generated random numbers at a high enough rate (see New York Times Article here). It seems like a collection of quasars could play the role of the satellite. Once again, the key to his approach was that the satellite generated too many random bits for them all to be recorded.

      In his approach, traditional cryptographic techniques can be used initially to decide when two parties should start sampling random bits to generate a one time pad. That pad can then be used to decide on additional pads. If a third party intercepts every communication, they could potentially generate the pads themselves, but they would have to act very quickly, because once they failed to record bits from the satellite (or quasars) those bits would be gone forever.

      Normally, if you intercept an encrypted communication, you can hold on to the message and attempt to break the decryption over time. With this approach, if you don't decrypt the initial communication right away, you've missed out on the one time pads, and thus the captured message is nothing more than random bits. It can never be decrypted.
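A toy simulation of the record-it-or-lose-it property that EERac and mal0rd describe, added as an example; it is not taken from Rabin's talk or from the article. It assumes a constructed universe of `n_sources` sources emitting fresh bits every time slot, an eavesdropper who can record `capacity` of them per slot, and a session in which each pad selects the source of the next pad; `reacts_in_time` says whether the eavesdropper can decode a captured pad before the next slot starts:

```python
import random


def capture_probability(capacity: int, n_sources: int, n_pads: int,
                        reacts_in_time: bool) -> float:
    """Analytic chance that an eavesdropper recording `capacity` of
    `n_sources` sources per slot ends up holding every pad of a session.
    If it decodes each captured pad before the next slot it learns where
    to look next, so only the first pad is a gamble; otherwise each one is."""
    p = capacity / n_sources
    return p if reacts_in_time else p ** n_pads


def run_session(n_sources: int, capacity: int, n_pads: int, reacts_in_time: bool,
                rng: random.Random, pad_bits: int = 32) -> bool:
    """Simulate one session; True if the eavesdropper recorded every pad.
    Bits emitted in a slot exist only during that slot: whatever was not
    recorded then cannot be fetched later, unlike a stored ciphertext."""
    source = rng.randrange(n_sources)   # initial key: which source, agreed in advance, unknown to the eavesdropper
    known_next = None                   # source the eavesdropper knows to watch, if it decoded the last pad in time
    complete = True
    for _ in range(n_pads):
        emitted = {s: rng.getrandbits(pad_bits) for s in range(n_sources)}
        if reacts_in_time and known_next is not None:
            others = [s for s in range(n_sources) if s != known_next]
            watched = [known_next] + rng.sample(others, capacity - 1)
        else:
            watched = rng.sample(range(n_sources), capacity)   # no better than a guess
        recorded = {s: emitted[s] for s in watched}
        pad = emitted[source]
        emitted.clear()                 # slot over: unrecorded bits are gone for good
        if source in recorded:
            known_next = pad % n_sources    # decoding this pad reveals the next source
        else:
            complete = False
            known_next = None
        source = pad % n_sources        # the pad picks where the next pad comes from
    return complete


def estimate(n_sources: int, capacity: int, n_pads: int, reacts_in_time: bool,
             trials: int = 10000, seed: int = 1) -> float:
    """Monte Carlo estimate of capture_probability with a seeded PRNG."""
    rng = random.Random(seed)
    hits = sum(run_session(n_sources, capacity, n_pads, reacts_in_time, rng)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for reacts in (False, True):
        print(reacts, capture_probability(2, 10, 3, reacts), estimate(10, 2, 3, reacts))
```

The two analytic cases are the point of the thread: an eavesdropper who can keep up needs luck only on the first pad (capacity/n); one who cannot needs luck on every pad ((capacity/n)**k). In neither case can anything it failed to record be recovered afterwards, which is what separates this model from an ordinary ciphertext that can be stored and attacked at leisure.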

  6. Xl6oUBY by Entropy · · Score: 5, Funny

    i147 F7b AIQzC9 7kXTA8TzJ Vl LcYxkN FXkCFA Ev4Lpwjk2 A0Jy7flvj phOlaTF 3S Z0uPk kP 5RKMkQ 5U5oZPW FzA f rj4FB 4vrI ZWr dovA6W l CS6

    --
    The sea changes color, but the sea does not change.
    1. Re:Xl6oUBY by Tackhead · · Score: 2, Insightful
      > i147 F7b AIQzC9 7kXTA8TzJ Vl LcYxkN FXkCFA Ev4Lpwjk2 A0Jy7flvj phOlaTF 3S Z0uPk kP 5RKMkQ 5U5oZPW FzA f rj4FB 4vrI ZWr dovA6W l CS6

      "'Impossible to predict', my 4vrI, you insensitive CS6!"

      You forgot that the LcYxkN (who live in the disc, at a 90-degree angle from the jet of 3C273, and who escaped the blast) have developed faster-than-light communication.

    2. Re:Xl6oUBY by Guppy06 · · Score: 4, Funny

      Mom, hang up the phone! I'm trying to play VGA Planets!

  7. not so sure about this by argoff · · Score: 3, Interesting

    I imagine someone who wanted to could buy enough equipment to record all known quasar emissions and store them or try them against encrypted data streams. A million quasars with 5000 possible frequencies each, wouldn't be that much for a computer to churn thru. In a way, it almost seems like security thru obscurity.

    1. Re:not so sure about this by kingkade · · Score: 3, Insightful

      The keyspace offered by a million quasars, 5000 possible frequencies, and an almost arbitrarily fine time sampling is pretty vast.

      The point is how do you get those parameters to the other party secretly? This is the same problem as giving them a one-time pad generated any random way. I think the point is that you can get randomness but the previous problem will always exist.

  8. Actual advancement by flooey · · Score: 5, Insightful

    The summary for this article is a little misleading. One time pads aren't new, and good sources of natural randomness aren't new either.

    The interesting part of this article is the fact that quasars could be used as a natural source of randomness for one time pads, yet can be accessed by both parties simultaneously. The historical problem with one time pads (and the reason they're rarely used in practice) is that it's a huge pain to distribute sufficient random data to all parties involved in a communication. Being able to use a natural source of randomness that's available to everyone at once would be a major increase in the usability of one time pads.

  9. Hack by Catskul · · Score: 2, Interesting

    It sounds like a great idea, but it might be easy to subvert. All I have to do is overwhelm the signal and get the target to use my (or null) one time pad, and I will be able to decrypt. Hell I can even make my one time pad *look* random, and they'd likely never notice. While I'm at it I can do it from a satellite and not have to get near their antenna.

    --
    I'm not here now... I'm out KILLING pepperoni
    1. Re:Hack by hurfy · · Score: 2, Interesting

      How about not even replacing their signal.

      Could one jam/interfere with it enough if they had a rough idea of when? Sounds MUCH easier than pegging the millisecond to inject yours.

      Interfere enough so data is unusable, then they have to resend. Repeat as much as possible. Isn't having multiple versions of secret data floating around a bad thing?

  10. Finally! by loconet · · Score: 4, Funny

    ...harnessing a truly random datasource

    Wow, they finally managed to tap into my girlfriend's mood neurons?

    --
    [alk]
  11. How is this secure? by Zadaz · · Score: 3, Insightful

    How does this increase security? It's not like quasars are private property. Anyone can look at 'em...

    1. Re:How is this secure? by Zadaz · · Score: 2, Insightful

      It seems to me if I have a spare radio telescope to encrypt with, I'm probably sending messages that other radio telescope owners would be interested in.

  12. Am I missing something? by brian0918 · · Score: 2, Insightful

    How is this more secure than one-time pads? Whereas only the two parties involved have access to one-time pads, everyone has access to quasar radiation. The two users still have to tell each other where to look and when, and that information is all someone would need to crack the message. The only way it could be more secure is if the coordinates are only available on one-time pads, in which case you're basically saying that code breakers have to go out and buy an antenna....

  13. That's not randomness at all by LuminaireX · · Score: 2, Interesting

    That's not randomness at all. It only seems random because they don't have a model currently to describe quasar behavior. Thus, they're confusing randomness with unpredictability - just because one can't predict what will happen in the next n instances doesn't make it random. What's to say some brilliant scientist won't come along in the near future with a model predicting quasar behavior?

    1. Re:That's not randomness at all by Eric+Smith · · Score: 3, Interesting
      > That's not randomness at all. It only seems random

      An interesting assertion, but without any backing evidence.

      > they're confusing randomness with unpredictability

      There isn't any particularly better definition of randomness than "unpredictability". Some things are more unpredictable than others. Some things can even be proven to be unpredictable; for instance, the Blum-Blum-Shub PRNG has been proven to be unpredictable if you don't have a copy of its internal state, because it is mathematically intractable to derive the state from the output.

      It seems unlikely that it will become possible to predict the behavior of quasars as you suggest; we can't even accurately predict the weather on earth, which is a much smaller system than a quasar. For that matter, we can't predict the detailed behavior of a lava lamp, making that a reasonable source of random numbers (but patented!).

    2. Re:That's not randomness at all by howlingfrog · · Score: 5, Informative

      > There isn't any particularly better definition of randomness than "unpredictability".

      That's true not just as a rule of thumb, but in a more formal sense as well. The word "random" is pretty hard to come up with a mathematically formal definition for, and "pretty hard" may mean "impossible" depending on your definition of "definition" (more on that later). To make things simple, let's just talk about sequences of ones and zeros. Take for example the sequence 01101110010111011110001001101010111100110111101111 ... Definitions of randomness from statistics and probability just require a potentially random sequence to have all possible subsequences of a given length appear with the same frequency. That is, 0 appears exactly as often as 1; 00 appears exactly as often as 01, 10, and 11; 000 as often as 001, 010, 011, 100, 101, 110, and 111; and so on. The sequence I gave above passes those tests with flying colors. But it's not random at all. I'll put some spaces in it, and you'll see the pattern: 0 1 10 11 100 101 110 111 1000 1001 1010 1011 1100 1101 1110 1111... It's simply counting in binary. The longer you extend the sequence, the better it does in statistical randomness tests--the first few dozen bits have a pretty strong bias for 1 over 0, but that ends up as noise in the long run.

      The relatively young field of information theory introduces the concept of "algorithmic randomness." The randomness of a sequence of bits is defined to be the length of the shortest Universal Turing Machine program which outputs that sequence. In pseudocode, our example sequence is output by the program:

      let i = 0
      while (true) do
      output i
      let i = i + 1
      end while

      That's a comically short program to generate an arbitrarily long sequence. So the example fails tests for algorithmic randomness miserably. The fun part is that the problem of finding the shortest UTM program to generate a given sequence is provably intractable. Thanks to the Halting Problem, you can't always tell if a given UTM program will halt or loop infinitely. All you could ever know is whether or not the program has output the desired sequence yet--if it's still running, it may do so eventually and then halt, it may output something else and then halt, or it may keep running forever. So algorithmic randomness plugs the holes in statistical randomness by trading an unreliably solvable problem for a reliably unsolvable one. You can't ever be sure a sequence is random, but you can sometimes be sure it isn't.

      I got off on a bit of a tangent there about information theory, but my point is that algorithmic randomness captures what we mean by "random" much better than statistical randomness. And algorithmic randomness is just a mathematically formal way of saying "unpredictable."

      --
      The original Howling Frog is a fictional character and has no UID.
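The two kinds of test the post contrasts, run on its own counting sequence, as an added example (not code from the post). The statistical side is the k-bit pattern frequency test; the algorithmic side is shown with the shortest description to hand, the generator itself as program text, whose length is an upper bound on the algorithmic complexity of the sequence. The baseline random bits come from a seeded PRNG only so that the numbers repeat from run to run:

```python
import random
from collections import Counter


def counting_sequence(n_numbers: int) -> str:
    """The post's sequence: 0, 1, 2, ... written in binary and concatenated."""
    return "".join(format(i, "b") for i in range(n_numbers))


def random_sequence(n_bits: int, seed: int = 7) -> str:
    """Baseline bits from a seeded PRNG (seeded for reproducibility; not a key source)."""
    rng = random.Random(seed)
    return "".join(str(rng.getrandbits(1)) for _ in range(n_bits))


def frequency_deviation(bits: str, k: int) -> float:
    """Statistical test from the post: count every overlapping k-bit window and
    return the largest gap between any pattern's frequency and the 2**-k a
    uniform source would give (0.0 would be a perfect pass)."""
    total = len(bits) - k + 1
    counts = Counter(bits[i:i + k] for i in range(total))
    ideal = 2.0 ** -k
    return max(abs(counts[format(v, f"0{k}b")] / total - ideal) for v in range(2 ** k))


# The generator as program text: its length bounds the algorithmic complexity
# of every prefix of the sequence it produces (the post's pseudocode, in Python).
TINY_PROGRAM = "i=0\nwhile i<n:\n out+=format(i,'b');i+=1\n"


def run_tiny_program(n_numbers: int) -> str:
    env = {"n": n_numbers, "out": ""}
    exec(TINY_PROGRAM, env)   # constant program text defined above, nothing external
    return env["out"]


def description_bits(n_numbers: int) -> tuple:
    """(bits needed to describe the sequence as TINY_PROGRAM plus its parameter n,
    bits in the sequence itself)."""
    return (len(TINY_PROGRAM.encode()) * 8 + n_numbers.bit_length(),
            len(counting_sequence(n_numbers)))


def compare(n_numbers: int = 2 ** 16) -> dict:
    """For k = 1, 2, 3: (deviation of the counting sequence, deviation of random bits)."""
    seq = counting_sequence(n_numbers)
    rnd = random_sequence(len(seq))
    return {k: (frequency_deviation(seq, k), frequency_deviation(rnd, k)) for k in (1, 2, 3)}


if __name__ == "__main__":
    print(compare())
    print(description_bits(2 ** 16))
```

compare() returns, for each k, the deviation of the counting sequence beside that of the random baseline. The ones bias the post mentions is visible and shrinks as the sequence grows (at the end of the 16-bit numbers the fraction of ones is 16/30), while a 40-character program plus the count describes the whole 983,042-bit string. That is the gap the post draws between "passes frequency tests" and "unpredictable": a tiny program predicts every bit.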
  14. or IPKI by gadzook33 · · Score: 3, Funny

    Intergalactic Public Key Infrastructure

  15. Re:almost there by PitaBred · · Score: 2, Informative

    Naah. Just prevent everyone except the intended recipient from knowing when you're recording it for the OTP. Much easier problem.

  16. Oh no. Not again. by hhr · · Score: 2, Insightful

    One Time Pads may be the most secure form of encryption, but they are *not* the most secure way to protect your secrets.

    Time and time again, security breaks down because of the way people treat their keys, not because the encryption algorithm is weak.

    With a one time pad, you need to keep a copy of the pad with everyone who wants access to the data. Compare that to Public Key Crypto where you can keep your private key in one secure spot and distribute your public key widely.

    Or how about session keys (Diffie-Hellman for example)... single use keys that only you and your partner have access to. How good is that! And you don't need to transfer and secure your OTP to use them!

  17. A common use for OTPs - Numbers Stations by ChePibe · · Score: 2, Informative
    Some here may not be familiar with the uses of an OTP, so here's a common use:

    In order for an intelligence agency to communicate with an asset overseas, spy agencies must often use methods of communication that cannot be easily traced (duh). Passing a message along via e-mail, phone, or a one-to-one meeting can easily be tracked, creating lots of problems for everyone in the loop.

    Therefore, many intelligence agencies did (and still do) use OTPs and "Numbers Stations" - shortwave radio stations that blast out a seemingly senseless series of numbers at regular intervals and frequencies. This method gets messages and instructions to your assets without betraying who the recipient of the message is.

    The beauty is that the asset only needs a cheap, readily available shortwave radio and an OTP, which can be concealed in virtually anything (some were created that could even be affixed to the back of stamps, others were hidden in toothpaste tubes, etc.). The agent then responds with a seemingly innocuous method, a "wrong number code", a mark on a wall near where an intelligence officer drives, etc.

    The problem, of course, rests in getting OTPs to the asset and ensuring they aren't compromised. But, assuming they are passed and handled securely, there's no problem at all.

    More information on Wikipedia

  18. Keyspace by Erich · · Score: 2, Informative
    There are relatively few quasars that are observable. Probably a lot fewer that are observable at the same time by two locations, if the two locations are geographically diverse. It is possible for a third party to monitor these discrete locations. Noise would be different at the two observation locations, which could be overcome using sufficient error coding in the plaintext at, of course, the loss of plaintext entropy, making it easier for a third party with perhaps a noisier signal (due to being slightly out-of-bound, etc.) to obtain the plaintext.

    The fundamental problem is that the data is not fully random -- it is mostly deterministic based on the key of what quasar, what frequency and bandwidth, and what time. So an outside person could recover the plaintext by obtaining the observable behavior and trying all keys, or if the outside person could somehow obtain the key.

    This is a very similar situation to a "good" pseudorandom number generator. You can transmit the seed for the pseudorandom number generator and generate a one-time pad from the pseudorandom number generator. I guess the difference is that quasar behavior is not observable after the fact, but if it is feasible for the data to be logged then they reduce to similar solutions: find all the pads within the keyspace, xor with the cipher text, and watch for the entropy to drop or visibility of known plaintext.

    --
    -- Erich
    Slashdot reader since 1997
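Erich's reduction carried out on a toy, added as an example (not code from the post): the pad is regenerated from a short key by a seeded PRNG standing in for (which quasar, which band, which start time), and the search XORs every candidate pad off the ciphertext and watches for the entropy drop or a known-plaintext match. The 12-bit key, the message and the 5.0 bits/byte threshold are constructed values:

```python
import math
import random
from collections import Counter


def pad_from_key(key: int, length: int) -> bytes:
    """Pad derived from a short key. The seeded PRNG stands in for a source
    anyone can re-observe once they know the key: whoever can enumerate the
    keys can regenerate every pad."""
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ASCII prose sits well below random bytes."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_plaintext(data: bytes, max_entropy: float = 5.0) -> bool:
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    return printable > 0.95 and shannon_entropy(data) < max_entropy


def search_keyspace(ciphertext: bytes, key_bits: int, known_prefix: bytes = b"") -> list:
    """Try every key, XOR the candidate pad off, and keep candidates that
    either match known plaintext or show the entropy drop Erich describes."""
    hits = []
    for key in range(1 << key_bits):
        candidate = xor_bytes(ciphertext, pad_from_key(key, len(ciphertext)))
        if known_prefix:
            if candidate.startswith(known_prefix):
                hits.append((key, candidate))
        elif looks_like_plaintext(candidate):
            hits.append((key, candidate))
    return hits


# Constructed sample: a 12-bit key and an English message.
SECRET_KEY = 0x9A7
MESSAGE = (b"Meet at the usual place at 0900. Bring the second pad page "
           b"and destroy this one after reading.")


def demo(key_bits: int = 12) -> list:
    ciphertext = xor_bytes(MESSAGE, pad_from_key(SECRET_KEY, len(MESSAGE)))
    return search_keyspace(ciphertext, key_bits)


if __name__ == "__main__":
    for key, text in demo():
        print(hex(key), shannon_entropy(text), text)
```

demo() returns the single hit. The point for a defender is the one Erich makes: a pad that anyone can regenerate from a small key is a stream cipher with that key's entropy, not a one-time pad, and the cost of the search scales with the keyspace rather than with the message; the entropy test is only a cheap distinguisher, and a few bytes of known plaintext work just as well.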

  19. Not so secure... by jamesivie · · Score: 2, Insightful

    If the party trying to decrypt your message knows that your "random" data comes from a quasar, they could just monitor the quasar themselves and crack the data pretty quickly (faster than brute force). Cryptography relies on the random data being secret, and this isn't secret at all unless you're trying to hide your conversation from someone whose planet can't view the quasar you're using.

    --
    "O'Connor, smash the window." "Why me, Bigboote?" "It might be boobie-trapped!" "Oh!"<smash> -Buckaroo Banzai
  20. Spiffy, but not news by Syberghost · · Score: 5, Informative

    This is a Vernam Cipher with a novel but impractical noise source. It was news when Vernam invented it in 1917, and maybe again in 1919 when he patented it, but this version solves an already-solved problem in a manner that would sound really good if Lt. Colonel Carter suggested it on SG-1, but otherwise is inferior to existing solutions to the same problem.

    Nothing to see here, folks; move along.

  21. Re:Old technology... by Mr.+Underbridge · · Score: 2, Funny
    Isn't quartz technology currently being used for timing applications? :P

    Time to check the prescription on your reading glasses there Pops.

  22. most what? by eddeye · · Score: 2, Informative

    "One time encryption pads are widely accepted as being the most secure form of encryption..."

    Only for very limited definitions of secure. You have to produce the pads. You have to distribute the pads. You have to synchronize the pads. You have to dispose of the pads. All these steps are tedious and error-prone, and a chink in any of them destroys your supposed "perfect" security.

    Now if you said "OTP are the most algorithmically secure pads under ideal conditions", then I'd buy it. Otherwise, there's a reason only well-funded governments use these things. Ask the Soviets how well it worked for them.

    --
    Democracy is two wolves and a sheep voting on lunch.
  23. Totally Random One Time Pads by wideBlueSkies · · Score: 2, Funny

    So you get to go home to a different apartment each night?

    Cool! But how do you move all your stuff from place to place?

    wbs.

    --
    Huh?
  24. BUZZZ! Wrong! by Anonymous Coward · · Score: 2, Interesting

    Agencies like the NSA will just monitor all quasars all the time. Given that the NSA already monitors (and records) communications transmissions (wireless mostly) 24/7/365.25, matching a quasar from the database with the appropriate signal start and stop would not be difficult to do. I'd say, not very secure a system really, because if the data is coming to or going from the U.S. the quasar would have to be visible in the same hemisphere as its destination. You could not use this scheme to transmit data to the other side of the world either, as you would need the quasar to be visible by both parties. I'm still not that impressed. It's nice, but I really don't think it's more secure than much of what is out there already for crypto techniques.

  25. Seems doomed by mattr · · Score: 2, Insightful

    The idea of making a one time pad out of a universally available information resource just seems real silly. It may be the easiest, highest volume, highest quality source of random data, but we have already in the past seen ideas like large key space and computational complexity fall to one advance or another. It strikes me that even if there are 80,000 sources in the sky, that can be narrowed down quite a bit if you just look at the direction they are pointing their radio telescopes. Or are they using some secret hidden radio telescopes to capture quasar data? There may be some small ones but I think most are really, really big. You could probably tell the angle they are pointed at from a satellite. Also, if this encryption method gets used a lot you have to expect that more information about the route the data takes gets known. It seems to me there are a more limited number of radio telescopes with this system installed than there are say labs with a more traditional random data generator.

  26. Re:Coins by Kyojin · · Score: 2, Insightful

    Hmmm. Generate a random integer between 1 and 3 inclusive.

    This must be done with a finite number of coin tosses.

    The probability of each integer occurring must be equal.
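A worked version of the puzzle in this comment, added as an example (not code from the thread). Rejection sampling gives an exactly uniform value in {1, 2, 3} and finishes with probability 1 using finitely many flips on every run; no scheme with a fixed number of flips can be uniform, because 2**n is never divisible by 3. The seeded PRNG is only a reproducible stand-in for the coin:

```python
import random
from collections import Counter
from fractions import Fraction
from itertools import product


def uniform_1_to_3(flip) -> int:
    """Rejection sampling: two flips give a value 0..3; a 3 is thrown away
    and the pair is redrawn. Each accepted value is exactly equally likely."""
    while True:
        v = (flip() << 1) | flip()
        if v < 3:
            return v + 1


def naive_1_to_3(flip) -> int:
    """The tempting shortcut: reduce two flips modulo 3. Outcome 1 gets two of
    the four flip pairs, the others one each (modulo bias)."""
    return ((flip() << 1) | flip()) % 3 + 1


def exact_distribution(sampler, n_flips: int) -> dict:
    """Enumerate every n-flip string with equal weight; exact probabilities
    for a scheme that always consumes exactly n flips."""
    dist = Counter()
    for outcome in product((0, 1), repeat=n_flips):
        it = iter(outcome)
        dist[sampler(lambda: next(it))] += Fraction(1, 2 ** n_flips)
    return dict(dist)


def fixed_flip_count_possible(n_flips: int, n_outcomes: int) -> bool:
    """A scheme using exactly n flips splits 2**n equally likely strings among
    the outcomes, so uniformity needs n_outcomes to divide 2**n."""
    return (2 ** n_flips) % n_outcomes == 0


def expected_flips_rejection() -> Fraction:
    # Each round costs 2 flips and is accepted with probability 3/4.
    return Fraction(2) / Fraction(3, 4)


def empirical_distribution(sampler, trials: int = 30000, seed: int = 3) -> dict:
    """Frequencies from a seeded PRNG coin (seeded so the run repeats)."""
    rng = random.Random(seed)
    counts = Counter(sampler(lambda: rng.getrandbits(1)) for _ in range(trials))
    return {k: v / trials for k, v in sorted(counts.items())}


if __name__ == "__main__":
    print(exact_distribution(naive_1_to_3, 2))
    print(empirical_distribution(uniform_1_to_3))
    print(expected_flips_rejection())
```

The naive modulo shortcut is included because it is the same mistake that turns up in key and nonce generation: reducing a power-of-two range modulo 3 gives outcome 1 twice the weight of the others. exact_distribution() enumerates fixed-length schemes exactly, and expected_flips_rejection() gives the mean cost of the correct scheme, 8/3 flips per value.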