Slashdot Mirror


One-Time Pad From Caltech Offers Uncrackable Cryptography

zrbyte writes "One-time pads are the holy grail of cryptography — they are impossible to crack, even in principle. However, the ability to copy electronic code makes one-time pads vulnerable to hackers. Now engineers at the California Institute of Technology in Pasadena have found a way around this to create a system of cryptography that is invulnerable to electronic attack. Their solution is based on a special kind of one-time pad that generates a random key through the complexity of its physical structure, namely shining a light through a diffusive glass plate."

37 of 192 comments

  1. Impossible? by Sockatume · · Score: 2, Insightful

    Couldn't you just steal the plate?

    --
    No kidding!!! What do you say at this point?
    1. Re:Impossible? by barlevg · · Score: 4, Informative

      That's generally the only way to crack a true one-time pad: steal the pad.

    2. Re:Impossible? by barlevg · · Score: 4, Informative

      Right: it sounds like it's TWO MATCHED OTPs (or, rather, one-time slabs), so Eve would need both Alice's slab AND Bob's slab to crack the communication. And if Alice and Bob are both in physical possession of the slabs, then Eve is better off using $5 cryptography to get at the message. The issue, of course, is that one-time pads aren't exactly practical, because, by definition, they're one-use-and-then-destroy. If you use an OTP more than once, it becomes vulnerable to cracking.

    3. Re:Impossible? by Hans+Adler · · Score: 5, Informative

      Who would have thought that the f... article addresses this devilishly ingenious workaround?

      "And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.

      This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions."

    4. Re:Impossible? by L4t3r4lu5 · · Score: 4, Informative

      Eve is better off using $5 cryptography to get at the message.

      Rubber Hose Cryptanalysis Just FYI.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    5. Re:Impossible? by rherbert · · Score: 5, Funny

      What if you drop the glass plate? You're sure to crack it then.

    6. Re:Impossible? by slim · · Score: 4, Informative

      No, the two devices don't match. Each device contains a different several GB of random numbers (or I suppose, random transformations), encapsulated in the structure of the glass.

      The two owners meet, and using both their devices, produce a "combined key". The combined key can be stored in a public repository. The shared OTP can be extracted from the combined key using either device.

      The two parties exchange confidential data encrypted with bytes from the OTP until the OTP is all consumed. Then they must meet up again to create a new OTP.

      There's nothing novel about the cryptography. What might be novel is the physical properties of the device used to allow someone to carry their personal list of random numbers around.

    7. Re:Impossible? by slim · · Score: 2

      I don't think we share a vocabulary on this topic. None of that made sense.

  2. Moon Runes by codemaster2b · · Score: 5, Funny

    So, the message can only be read by the light of a moon the same shape and season that the message was written on?

    --
    And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
  3. Physical vulnerability by Anonymous Coward · · Score: 3, Funny

    Uncrackable glass plates? Forget cryptography, you should get into the windshield business!

  4. Re:Not too long until an iceberg attack is reveale by Sockatume · · Score: 5, Informative

    That's not the case with a properly used one-time pad. Normally you break a cipher by finding correlations due to the repeated use of a finite encryption key on different parts of a comprehensible plaintext. If either the message is random, or the encryption key is random and nonrepeating, then the message cannot be deciphered.

    Unless you steal the pad, or force the user to repeat it.

    --
    No kidding!!! What do you say at this point?
  5. Re:Not too long until an iceberg attack is reveale by Joce640k · · Score: 5, Insightful

    Nope. The OTP is truly unbreakable.

    The only problem with it is that you need to secretly transmit the pad to the recipient. How do you do that? With a one-time-pad...?

    --
    No sig today...
  6. Got it backwards by Monty845 · · Score: 4, Insightful

    A one time pad is impossible to crack in theory, but may be crackable if the method for generating the pad is flawed. Creating true randomness is a tricky proposition, and I don't see why it's safe to believe that "shining a light through a diffusive glass plate" will generate true randomness.

    1. Re:Got it backwards by Anonymous Coward · · Score: 3, Informative

      On a photon-by-photon basis, refraction, diffraction, and anything less than total reflection are all quantum mechanical processes. It doesn't get more random than that. Sending photons through a partially transparent mirror has been a standard trick for generating random bits quantum mechanically for at least a decade that I know of. It sounds like this is the same principle.

    2. Re:Got it backwards by ledow · · Score: 2

      But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?

    3. Re:Got it backwards by Corbets · · Score: 2

      But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?

      No. You have to distribute matched pads - one to the encoder, one to the decoder.

      Thus, if someone gets his or her hands on a copy of the pad, decryption is trivial.

    4. Re:Got it backwards by mbone · · Score: 2

      Creating true randomness is a tricky proposition, and I don't see why it's safe to believe that "shining a light through a diffusive glass plate" will generate true randomness.

      They claim it passes statistical analysis tests for true randomness.

      That is meaningless (there is no test for true randomness, just tests of whether or not various forms of non-randomness are present), and if they truly believe that passing various tests for randomness is sufficient then there may be no hope for them.

      Hell, just transmitting large blocks of 100% mathematically random data is a red flag. "One-time pad in use! Something very interesting going on here!"

      I have heard that certain locations send megabits / sec of random data continuously, at all times, just so that certain other locations can't tell when encrypted traffic is being sent. Certainly that technique is being used (at a lower bit rate) by the various "number stations" out there.

    5. Re:Got it backwards by JesseMcDonald · · Score: 2

      You don't actually need to encrypt the shared key; a simple XOR of the pads from each piece of glass will do:

      combinedKey = xor(glassAlice, glassBob)       # done once, when Alice and Bob meet
      publishToInternet("http://repository/combinedKeyId", combinedKey)

      For Alice to send a message:

      combinedKey = getFromInternet("http://repository/combinedKeyId")
      glassBob = xor(combinedKey, glassAlice)       # her own pad plus the public value gives Bob's pad
      ciphertext = xor(plaintext, glassBob)

      For Bob to decode:

      plaintext = xor(ciphertext, glassBob)

      The result of the XOR only tells you whether a given bit is the same or different between the two pads, which, by itself, doesn't tell you anything about either pad, so the XOR can be made public. Combined with one of the pads, however, it allows you to infer the value of the other so that you can send your message. Normally each party would just have a copy of the same pad, but this approach gets around the difficulty of creating two pieces of glass with precisely equal (random) optical properties.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
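The combined-key scheme that slim and JesseMcDonald describe above, as an added Python example that is not from the thread or from the Caltech work; the two pads are constructed with os.urandom as stand-ins for the two pieces of glass, the "repository" is simply a returned value, and the cursor class is an assumption about how both sides would keep from reusing pad bytes.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the only primitive an OTP needs."""
    if len(a) != len(b):
        raise ValueError("need exactly as much pad as data")
    return bytes(x ^ y for x, y in zip(a, b))


def make_combined_key(pad_alice: bytes, pad_bob: bytes) -> bytes:
    # Computed once, in person. The XOR of two independent uniform pads is
    # itself uniform and independent of either pad alone, so it can be public.
    return xor_bytes(pad_alice, pad_bob)


def recover_peer_pad(combined: bytes, own_pad: bytes) -> bytes:
    # One pad plus the public combined key yields the other pad.
    return xor_bytes(combined, own_pad)


class PadCursor:
    """One party's view of the shared pad plus a consumption cursor.
    Both sides advance in lockstep and no pad byte is ever issued twice."""

    def __init__(self, pad: bytes):
        self.pad, self.used = pad, 0

    def take(self, n: int) -> bytes:
        if self.used + n > len(self.pad):
            raise RuntimeError("pad exhausted: the parties must meet again")
        chunk = self.pad[self.used:self.used + n]
        self.used += n
        return chunk


def alice_encrypt(cursor: PadCursor, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, cursor.take(len(plaintext)))


def bob_decrypt(cursor: PadCursor, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, cursor.take(len(ciphertext)))


def run_session(pad_alice: bytes, pad_bob: bytes, messages):
    """Whole exchange. Returns the published combined key and a list of
    (ciphertext, what Bob decrypted) pairs. Bob's pad is the shared OTP."""
    combined = make_combined_key(pad_alice, pad_bob)           # goes to the repository
    alice = PadCursor(recover_peer_pad(combined, pad_alice))   # Alice derives pad_bob
    bob = PadCursor(pad_bob)
    results = []
    for m in messages:
        c = alice_encrypt(alice, m)
        results.append((c, bob_decrypt(bob, c)))
    return combined, results


def eve_view(combined: bytes, ciphertext: bytes, offset: int = 0) -> bytes:
    """Best an eavesdropper with only the repository can do for a message that
    used pad bytes [offset, offset+len): combined XOR ciphertext, which equals
    plaintext XOR pad_alice, i.e. still masked by a pad Eve does not hold."""
    return xor_bytes(combined[offset:offset + len(ciphertext)], ciphertext)


if __name__ == "__main__":
    # Constructed pads standing in for the two pieces of glass.
    pad_a, pad_b = os.urandom(64), os.urandom(64)
    combined, results = run_session(pad_a, pad_b, [b"meet at the bridge", b"bring the plates"])
    for c, p in results:
        print(c.hex(), "->", p)
```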
  7. Is it new? by 140Mandak262Jamuna · · Score: 3, Interesting
    I thought there was a similar technique used in WWII for communication between Churchill and FDR. Identical pairs of phonograph records were kept on both sides. Both sides would play a pair simultaneously, or as nearly as they could. Then technicians would use electronic delay and tune it so that they both are synchronized. Then add voice communication to the recorded sounds and transmit. On the receiving side they subtract the phonograph record sound and get the voice alone back. Each pair of phonograph records would be a one time pad. The encryption and decryption was analog, not digital. But apart from that, adding a "noise" as encryption and subtracting identical noise for decryption would be very similar to what the article is describing.

    Was it really used? Or am I hazily recalling some spy novel stuff from Irwin Wallace or Alistair MacLean and mistaking it for real history?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it new? by 140Mandak262Jamuna · · Score: 2

      In what way is guarding a block of glass different from guarding a telephone book? The easiest one-time pads are to get two copies of the same yellow pages. The caller specifies a page number. The receiver turns to that page. Ignore all alphabets, collect all the phone numbers and write them down in sequence. You've got a one-time pad.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Is it new? by JaredOfEuropa · · Score: 3, Informative

      Those numbers aren't truly random and cryptanalysis can be applied to them. Especially if the attacker knows you're using the Yellow Pages (security through obscurity).

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  8. "New Cryptography" - I don't think so. by bradgoodman · · Score: 2

    One time pads are uncrackable only if the pad is truly random and perfectly secretive. Everyone has known this for years. All they have done here was to create a new way to generate random numbers. Any new way of generating random numbers would/could be equally applied to OTP crypto.

  9. Re:Not too long until an iceberg attack is reveale by Joce640k · · Score: 2

    If you can meet up to exchange a piece of glass you can also exchange USB drives (or whatever) full of random numbers. It's just as secure as this method.

    The innovation here is that nobody can make a copy of the piece of glass.

    Or is it...? If Bob can create an OTP using the glass then so can Eve. All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.

    I fail to see how this is more secure than simply exchanging USB keys.

    --
    No sig today...
  10. Re:Not too long until an iceberg attack is reveale by smallfries · · Score: 5, Insightful

    The real key here is that there is no advantage to the device at all.

    In the cryptographic protocol that the authors (all physicists) believe to be novel, but which every cryptographer is aware of:
    1. The authors have a perfectly secure channel (separate from the one established in the protocol).
    2. They exchange as much information over that channel as the device stores.
    3. The later established channel can only use that number of bits.

    For real excitement they xor together their OTPs. Sorry guys but this is called a pre-shared key and the crypto world is quite aware of it. Good luck with the window dressing getting you past the PC of a physics venue.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  11. Re:Nothing is impossible to crack... by slim · · Score: 3, Informative

    No, against a one-time pad, bruteforce won't work, because the key is never re-used so you've no basis to know that any output from your decryption is more valid than any other.

    The first 1024 bytes of Hamlet, XOR'd with 1024 truly random bytes, is indistinguishable from random bytes.

    XOR that with the same bytes again, and you get 1024 bytes of Hamlet back.
    XOR it with most random streams of bytes, and you'll get something that looks equally random.
    XOR it with a particular different list of bytes, and you get 1024 bytes of Moby Dick.
    XOR it with another list of bytes, and you get a version of Hamlet in which "Bernardo" is replaced with "Slashdot".

    ... and as an attacker, you've no way of knowing which one of those, if any, was the original plaintext.
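The Hamlet-versus-Moby-Dick point slim makes above, as an added Python example that is not from the thread: for any ciphertext and any candidate plaintext of the same length there is a pad that "decrypts" to it, and that pad is as random-looking as the real one. The texts are constructed stand-ins (a repeated opening exchange of Hamlet, a repeated opening line of Moby-Dick) and the entropy measure is a plain byte-histogram Shannon entropy.

```python
import math
import os
from collections import Counter


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and data must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def key_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    # For ANY candidate of the right length there is exactly one pad that maps
    # the ciphertext onto it, so exhaustive search returns every possible
    # plaintext on an equal footing and gives no way to rank them.
    return xor_bytes(ciphertext, candidate)


def bits_per_byte(data: bytes) -> float:
    # Shannon entropy of the byte histogram: uniform noise approaches 8.0
    # (a little lower for short samples), English text sits around 4 to 5.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fill(text: bytes, n: int) -> bytes:
    return (text * (n // len(text) + 1))[:n]


# Constructed stand-ins for the texts in the comment: the opening exchange of
# Hamlet repeated to 1024 bytes, an equal-length repeat of Moby-Dick's opening,
# and the same Hamlet bytes with the 8-letter name BERNARDO swapped for SLASHDOT.
HAMLET = fill(b"BERNARDO: Who's there? FRANCISCO: Nay, answer me: stand, and unfold yourself. ", 1024)
MOBY_DICK = fill(b"Call me Ishmael. Some years ago, never mind how long precisely, ", 1024)
HAMLET_EDITED = HAMLET.replace(b"BERNARDO", b"SLASHDOT")


def equivocation_demo(pad=None) -> dict:
    """Encrypt HAMLET with a fresh pad, then show that a pad exists for each
    alternative plaintext and that those pads look exactly as random."""
    pad = os.urandom(len(HAMLET)) if pad is None else pad
    ciphertext = otp_encrypt(HAMLET, pad)
    candidates = {"hamlet": HAMLET, "moby_dick": MOBY_DICK, "edited": HAMLET_EDITED}
    keys = {name: key_that_yields(ciphertext, text) for name, text in candidates.items()}
    return {
        "pad": pad,
        "ciphertext": ciphertext,
        "keys": keys,
        "entropy": {"plaintext": bits_per_byte(HAMLET),
                    "ciphertext": bits_per_byte(ciphertext),
                    **{f"key_{n}": bits_per_byte(k) for n, k in keys.items()}},
    }


if __name__ == "__main__":
    r = equivocation_demo()
    for name, value in r["entropy"].items():
        print(f"{name:>14}: {value:.2f} bits/byte")
```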

  12. Re:Obligatory XKCD by smallfries · · Score: 3, Funny

    This seems a little bit more appropriate.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  13. Random is hard. by DarthVain · · Score: 2

    I can't remember which book it was, maybe Cryptonomicon, but more likely The Ultra Secret, but it had some interesting stories about both the allies and axis having a hard time at this.

    They used various ideas to try and "make" randomness into their one time pads. However all of these things had to be done by a person, as this was more or less before the advent of computers (well just before anyway). One such method had to do with using a deck of cards. However crackers were able to even find patterns among the people using them (aka their tendencies in drawing cards or other such devices), so occasionally personnel would have to be "shuffled" themselves to different areas.

    If you think about it, a computer is generating it from an algorithm, which may be complex, but is essentially a set of rules that can be determined. I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.

    The key really is to make it difficult enough so that the code breaker cannot really use the information obtained effectively. Unfortunately usually this involves additional overhead on the part of the cryptography as well, which of course reduces its usefulness as well.

    Which is exactly why the allies took such great pains to prevent the axis from finding out that their unbeatable code had been broken. As it was they got complacent and lazy, and had they known, they would have changed their codes, and the allies would have to start all over again.

    1. Re:Random is hard. by thoromyr · · Score: 4, Interesting

      I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.

      A good post, but I'm not sure you understand hardware based random number generation. At least one way to do it is have a small amount of radioactive material. Although it decays predictably in the long term (half life) it is random in the short term. By measuring the radioactive decay truly random numbers can be obtained.

      Can you model this? Sure, but your model will either be a software based random number generator or it will be a hardware token. In either case it will *not* be the item in question at the time in question and will not allow you to determine what numbers were generated.

      No system is foolproof, but all the interesting cracks in cryptography that I'm aware of come through side channels or demonstration that a method was not truly random. Human card shuffling is certainly not random -- not only is the process controlled by the shuffler, but there are distinct non-random patterns to it that allow stage magicians to take a stacked deck that is shuffled and still produce the desired result.

      I think my favorite side channel attack was picking up the attenuated signal from the unencrypted side of a cryptography machine -- the British didn't have to crack the encryption used by the French embassy, they just read the plain text!

      OTP are sexy and cool because they provide unbreakable encryption. As long as they are generated correctly (truly random) and distributed without tampering or exposure. The first is hard enough, but distribution on any scale means that not all of them will be free of tampering and exposure.

    2. Re:Random is hard. by mbone · · Score: 2

      I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.

      A good post, but I'm not sure you understand hardware based random number generation. At least one way to do it is have a small amount of radioactive material. Although it decays predictably in the long term (half life) it is random in the short term. By measuring the radioactive decay truly random numbers can be obtained.

      The decay may be random, but the implementation may not be. I have heard of two issues with actual radioactive random number generators.

      1.) The geiger tube (or solid state chip) used for detecting the decays will have imperfections (for example, a dead time so that it will miss a decay occurring too soon after another one), and these can introduce non-randomness into the output.

      2.) The early ones were simple accumulators (count for an interval delta-T, and if you get > Y decays, that is a 1, otherwise a zero), and that can be hacked if you can control the radioactive environment at the detector. I believe that to prevent that nowadays the algorithm is something like "count for an interval, and if you get an even number of decays, output a 1," but that might have radioactive hacks as well. (I don't know of any, but I don't have a large staff trying to break this, either.)

      The entropy per character of human languages is so low that it doesn't take much non-randomness before you can get into deep trouble.
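An added simulation, not from the thread, of the two extraction rules mbone describes: decays are modelled as a Poisson process with exponential gaps, the detector has an assumed non-paralyzable dead time, and the counting window, rates and threshold value are assumed. It shows that the threshold rule's bias swings with the decay rate while the parity rule's bias stays near e^(-2m)/2, and that dead time lowers the counts.

```python
import math
import random


def simulate_counts(rate: float, interval: float, n_intervals: int,
                    dead_time: float = 0.0, seed=None) -> list:
    """Detected decays per counting window. Decays form a Poisson process with
    exponential gaps; the detector ignores any decay that arrives less than
    dead_time after the previous *detected* one (non-paralyzable dead time)."""
    rng = random.Random(seed)
    counts = [0] * n_intervals
    t = rng.expovariate(rate)        # time of the next decay
    last_detected = -math.inf
    for i in range(n_intervals):
        end = (i + 1) * interval
        while t < end:
            if t - last_detected >= dead_time:
                counts[i] += 1
                last_detected = t
            t += rng.expovariate(rate)
    return counts


def threshold_bits(counts, y: int) -> list:
    # The early accumulator rule: more than y decays in the window gives a 1.
    return [1 if c > y else 0 for c in counts]


def parity_bits(counts) -> list:
    # The later rule: an even count gives a 1, an odd count a 0.
    return [1 if c % 2 == 0 else 0 for c in counts]


def bias(bits) -> float:
    """Distance of the observed 1-frequency from the ideal 1/2."""
    return abs(sum(bits) / len(bits) - 0.5)


def parity_bias_theory(mean_count: float) -> float:
    # For a Poisson count with mean m, P(even) = (1 + e^{-2m}) / 2, so the
    # parity bit is off by only e^{-2m}/2 whatever the rate happens to be.
    return math.exp(-2 * mean_count) / 2


if __name__ == "__main__":
    N = 20000
    for rate in (3.0, 4.0):          # 4.0 models someone raising the decay rate at the detector
        counts = simulate_counts(rate, 1.0, N, seed=1)
        print(f"rate {rate}: threshold(>2) bias {bias(threshold_bits(counts, 2)):.3f}, "
              f"parity bias {bias(parity_bits(counts)):.4f} "
              f"(theory {parity_bias_theory(rate):.4f})")
    dead = simulate_counts(3.0, 1.0, N, dead_time=0.2, seed=1)
    print(f"dead time 0.2: mean count {sum(dead) / N:.2f} instead of 3.00")
```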

  14. Re:Not too long until an iceberg attack is reveale by barlevg · · Score: 2

    The breakthrough is the KIND of OTP that they're using: glass plates that, they believe, cannot be (easily?) duplicated, unlike a digital OTP would be.

  15. Re:Not too long until an iceberg attack is reveale by JaredOfEuropa · · Score: 3, Funny

    All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.

    Sounds like a metaphor for something kinky...

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  16. Completely impractical, i.e. worthless by gweihir · · Score: 2

    A secure one-time pad with classical means is easy to do. You just need to secure the system where the pad is applied adequately. You need to do the same thing with this hype-device. Hence it has zero advantages over other implementations of the one-time pad, but a lot of drawbacks.

    I would suggest that these people are not stupid and know of the severe drawbacks. I would also suggest they are just completely unethical lying scum and grant or investment money is the only thing counts for them.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Re:Nothing is impossible to crack... by slim · · Score: 3, Interesting

    You are wrong.

    The "one time" in "one time pad" means you never use a piece of key twice. The OTP needs to be as long (or longer than) the plaintext, and when you've used up your OTP, you need to get together and share a new one.

    You can make an OTP last longer by compressing before encrypting, or by using OTP encryption to exchange temporary keys, to be used with other encryption methods.

    Clearly you *could* re-use your OTP, perhaps starting from the beginning when you run out of bytes. But each time you do that you weaken your security.

  18. Re:Not too long until an iceberg attack is reveale by david_thornley · · Score: 2

    If the OTPs are in fact uncopyable, the authors don't need a perfectly secure channel. Alice sends plates to Bob. Eve intercepts the crate, and then what? If she can't copy the plates, she can either divert them or break them (in which case all we need is an authenticated, not secure, channel for Bob to report nondelivery), or let them proceed to Bob. If Bob doesn't report that he has the plates, then Alice sends another batch of plates until Bob reports that he has them. If Alice and Bob need to talk more than the shipped plates allow, Alice can ship more at any time. Eve can, if sufficiently diligent and successful, remove Alice and Bob's ability to communicate, but cannot intercept any message.

    Of course, if it's possible to make a copy of a plate, it's no better than trying to securely send thumb drives.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  19. Be wary by mbone · · Score: 2

    Three things are required for a one time pad - that the key be shared, random and non-repeated. A one time pad is very much breakable if the key is not both random and non-repeated, and the biggest problem with its use can be the sharing of the keys.

    The Soviet "Venona" traffic was decoded because they reused pads (keys), rendering the message decryption straightforward, and also revealing the keys. The revealed keys were found to have some further weaknesses, as they were made manually (apparently by secretaries told to type randomly on their typewriters). These weaknesses included an avoidance of repeated characters, a tendency to alternate hands (a character on the left side of the keyboard would be likely to be followed by one on the right), and (IIRC) a preference for character pairs and triplets that didn't require too much stretching of the hands. (On the top line of a QWERTY keyboard, this means that, say, an initial "q" would be unlikely to be followed by another "q", that it would be likely to be followed by a letter in the "u - p" range, and that the third character would be more likely to be a q, w or e than an r, t or y.)

    Now, officially, that amount of manual non-randomness wasn't enough to break further Soviet one time pad encryptions, but I suspect that they were. I have also heard rumors that later use of random keys generated by electronic circuits had problems as the physical limitations of the electronic circuitry imposed a low-pass filtering that made these keys, again, not totally random. Note that true randomness is what is needed here - common digital pseudorandom techniques, such as hashing with SHA-1, may help to obscure weaknesses, but they will not make a non-random key random.

    In this case, I would worry very much about

    - whether the physical technique produces a truly random key and
    - how to satisfy myself that today's random key is totally independent of every previous key. If this is, say, dependent on where the laser is pointing to in the glass, how far apart does each pointing need to be to make sure that the results are independent, and can I securely verify that today's direction is sufficiently different from every previous time and
    - as the technique is passing an initial sequence of bits through the randomizer glass, how random does the initial sequence need to be? What weaknesses are imposed by non-randomness in that initial sequence.

    I could easily see this technique being secure in theory but massively broken in practice by some weakness in how the glass is made or handled or in the initial keys.

    Note, by the way, that the two parties must physically get together to generate the key, so in a sense this is really a secure key storage device. Once they use up their stored keys, they have to meet again to be able to send more messages, which of course is the real problem with one time keys (and why, for example, the Soviets reused some of the Venona keys).

    And, finally, this technique might make a cool way of doing truly secure hashing.
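The two failure modes this comment and slim's earlier one describe, pad reuse and hand-made "random" keys, as an added Python example that is not from the thread: reuse_leak shows why two messages under the same pad bytes collapse to a key-free relation, OneTimePad is an assumed defensive wrapper that issues each byte once and wipes it, and adjacent_repeat_rate is one check for the doubled-letter avoidance described above (it tests for one kind of non-randomness, nothing more). Sample keys are constructed.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and data must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Two messages under the same pad bytes: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2.
    # The pad cancels, leaving a relation between the plaintexts that needs no
    # key at all; if one plaintext is known, the other follows by one more XOR.
    return xor_bytes(c1, c2)


class OneTimePad:
    """Defensive pad handling: every byte is issued exactly once and then
    overwritten, so a caller cannot accidentally reuse it."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._pos = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt (XOR is its own inverse) with the next pad bytes."""
        n = len(data)
        if n > self.remaining:
            raise RuntimeError("pad exhausted; refusing to reuse key material")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        self._pad[self._pos:self._pos + n] = bytes(n)   # wipe consumed bytes
        self._pos += n
        return xor_bytes(data, chunk)


def adjacent_repeat_rate(key: bytes) -> float:
    """Fraction of positions where key[i] == key[i-1]. A uniform key over an
    alphabet of k symbols gives about 1/k; a typist asked to 'type randomly'
    tends to avoid doubled letters, which pulls this far below 1/k."""
    if len(key) < 2:
        return 0.0
    return sum(key[i] == key[i - 1] for i in range(1, len(key))) / (len(key) - 1)


def looks_hand_typed(key: bytes, alphabet_size: int, fraction: float = 0.5) -> bool:
    """Flag a key whose doubled-symbol rate is below fraction * (1/k).
    Passing this test shows one weakness is absent, not that the key is random."""
    return adjacent_repeat_rate(key) < fraction / alphabet_size


if __name__ == "__main__":
    pad = os.urandom(16)                      # constructed pad, used twice on purpose
    p1, p2 = b"ATTACK AT DAWN!!", b"RETREAT AT NOON!"
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    print("c1 ^ c2 == p1 ^ p2:", reuse_leak(c1, c2) == xor_bytes(p1, p2))
    typed = b"qwertyuiopasdfghjklzxcvbnm" * 40  # constructed: a 'random' typist who never doubles
    print("hand-typed key flagged:", looks_hand_typed(typed, 26))
```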

  20. Re:Not too long until an iceberg attack is reveale by K.+S.+Kyosuke · · Score: 4, Interesting

    What about a MITM attack? Doesn't Bob need to verify that the plates are actually the ones that Alice manufactured? You don't need to copy the plates to barge into the channel.

    --
    Ezekiel 23:20
  21. Re:Not too long until an iceberg attack is reveale by mbone · · Score: 2

    Of course, if it's possible to make a copy of a plate, it's no better than trying to securely send thumb drives.

    The simple fact that there are two serves as an existence proof of the possibility of making a copy.