On 22 Mar 2015, at 9:48, Michael Kjörling wrote:
> On 22 Mar 2015 09:36 -0500, from [email protected] (Jeffrey Goldberg):
>> There are good crypto systems in use which generate pseudo-random
>> pads from keys that are 128 (or 256) bits in length. But these are
>> – at best – no better than the length of their keys.
>
> Which is, admittedly, _quite good enough_ for almost any _practical_
> purpose that an individual is likely to face.

Oh, absolutely. I am perfectly happy with 128 bit keys.
Indeed, I'm very much on record in defending 128 bit keys in
the face of customer demand for 256 bits.
https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
I was just trying to distinguish between "perfect" secrecy and
everything else (without going into any discussion of asymptotic
security). I think that people who first learn about the OTP
are infatuated with perfect secrecy, and fail to see what is really
involved.
Although I sympathize with Greg Rose's lament that we are beating
a long dead horse, I think that it is worthwhile to try to understand
why so many people seem to learn (something) about the OTP and then
badly reinvent stream ciphers. And I want to kill off the meme that
is popular in some circles that "the only unbreakable cipher is the
OTP".
And so I see it as a "teaching moment". Thus if I may repeat
what others have said, I too recommend Dan Boneh's on-line
Cryptography course to Lee and anyone else who doesn't immediately
see why we all so emphatically screamed "No" to these OTP modifications.
Cheers,
-j
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography