Hacker News new | ask | show | jobs
by sounds 3159 days ago
Combined with envelope keys it can be effective for many applications.

An envelope key is a securely, randomly generated key used to encrypt the large payload. Then the envelope key (much smaller than the payload) can be encrypted using a one time pad.

The result is that the precious bits of encryption provided by the one time pad are used up at a predictable rate.

Guessing the envelope key is more probable than guessing the one time pad key, but that only breaks a single message's encryption.
1 comments
Someone 3159 days ago
If you use good encryption and a reasonable key size, that’s good in practice, but theoretically, that’s a lot less secure than a one time pad.

An attacker can ‘simply’ try all possible keys and use statistics to filter out those that look like natural language.

If the encrypted text is large enough, chances are you will be left with only one plausible plaintext.

Also, AFAIK, we don’t know whether good encryption using a key much shorter than the plaintext, in the sense that an attacker can’t use statistics on the encrypted text to learn something about the key, exists at all.

link
sounds 3158 days ago
Your final aside, "good encryption using a key much shorter than the plaintext," is something I hadn't really thought much about and seems like a reasonable way to go directly from a one time pad to the ciphertext.

As you say, there doesn't seem to be a way to guess the key length from the ciphertext. Ignoring side channel attacks for the moment, it does seem like the one time pad could encrypt the entire message simply by using some clever way of "extending" the key.

link
mseebach 3158 days ago
> it does seem like the one time pad could encrypt the entire message simply by using some clever way of "extending" the key

Any way of meaningfully extending the key will be vulnerable to a kind of analysis well understood 70 years ago.

This is basically what almost the entire field of cryptography is about: Figure out how you can effectively and securely encrypt things with a key that's a lot shorter than your cleartext.

link
Someone 3158 days ago
Indeed. The two simplest examples are the Caesar cipher (https://learncryptography.com/classical-encryption/caesar-ci..., key length of 1 character) and the Vigenère Cipher (https://learncryptography.com/classical-encryption/vigenere-..., key length as long as you want it to be)

Both extend the key by repeating it. That is not a good idea.

link