Why use complex encryption algorithms? [duplicate]Is modern encryption needlessly complicated?How secure is my OTP program?HRNG for One Time PadHybrid encryption with RSA and AES versus spliting into multiple RSA messages?Exercise: Attack on a Two-Round DES CipherAnalogue encryption algorithmsMessage lengths with AES CTR mode?Why does rsyncrypto require a public key during decryption?How secure is a client-side javascript encrypter?cbc - why not like this? what's wrong?How come Public key cryptography wasn't discovered earlier?
Partition a 3x3 square into rectangles
What is the white square near the viewfinder of the Fujica GW690?
Is Uralic Possibly a Branch of the Indo-European Branch?
Best ways to compress and store tons of CO2?
How to prevent password reset from disclosing private email addresses?
Matrix class in C#
Is it really better for the environment if I take the stairs as opposed to a lift?
Use GPLv3 library in a closed system (no software distribution)
How to align these two expressions, one has one more number?
How much does freezing grapes longer sweeten them more?
The use of SlotSequence in If[#1 > #2, ##] &
Did the US push the Kurds to lower their defences against Turkey in the months preceding the latest Turkish military operation against them?
What plausible reasons why people forget they didn't originally live on this new planet?
On approximate simultaneous diagonalization
Meaning of “Bulldog drooled courses through his jowls”
Is there an unambiguous name for the social/political theory "liberalism" without "leftist"?
Can Chill Touch prevent Regeneration?
In this day and age should the definition / categorisation of erotica be revised?
UK inheritance: partner, sibling, child
Do the KKT conditions hold for mixed integer nonlinear problems?
How would a race of humanoids with tails design [vehicle] seats?
Why is 10.1.255.255 an invalid broadcast address?
Why doesn't English employ an H in front of the name Ares?
Can every type of linear filter be modelled by a convolution?
Why use complex encryption algorithms? [duplicate]
Is modern encryption needlessly complicated?How secure is my OTP program?HRNG for One Time PadHybrid encryption with RSA and AES versus spliting into multiple RSA messages?Exercise: Attack on a Two-Round DES CipherAnalogue encryption algorithmsMessage lengths with AES CTR mode?Why does rsyncrypto require a public key during decryption?How secure is a client-side javascript encrypter?cbc - why not like this? what's wrong?How come Public key cryptography wasn't discovered earlier?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;
$begingroup$
This question already has an answer here:
Is modern encryption needlessly complicated?
11 answers
I have recently gotten interested in cryptography, so I looked some things up.
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.
Of course, you're the only one who will know the stream.
So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.
encryption aes des one-time-pad
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes♦ aes
Users with the aes badge can single-handedly close aes questions as duplicates and reopen them as needed.
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
11 hours ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
add a comment
|
$begingroup$
This question already has an answer here:
Is modern encryption needlessly complicated?
11 answers
I have recently gotten interested in cryptography, so I looked some things up.
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.
Of course, you're the only one who will know the stream.
So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.
encryption aes des one-time-pad
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes♦ aes
Users with the aes badge can single-handedly close aes questions as duplicates and reopen them as needed.
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
11 hours ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
2
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
2
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago
add a comment
|
$begingroup$
This question already has an answer here:
Is modern encryption needlessly complicated?
11 answers
I have recently gotten interested in cryptography, so I looked some things up.
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.
Of course, you're the only one who will know the stream.
So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.
encryption aes des one-time-pad
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
This question already has an answer here:
Is modern encryption needlessly complicated?
11 answers
I have recently gotten interested in cryptography, so I looked some things up.
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.
Of course, you're the only one who will know the stream.
So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.
This question already has an answer here:
Is modern encryption needlessly complicated?
11 answers
encryption aes des one-time-pad
encryption aes des one-time-pad
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
edited 20 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
11.4k3 gold badges29 silver badges55 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
asked 22 hours ago
Ömer Enes ÖzmenÖmer Enes Özmen
392 bronze badges
392 bronze badges
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes♦ aes
Users with the aes badge can single-handedly close aes questions as duplicates and reopen them as needed.
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
11 hours ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes♦ aes
Users with the aes badge can single-handedly close aes questions as duplicates and reopen them as needed.
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
11 hours ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes♦ aes
Users with the aes badge can single-handedly close aes questions as duplicates and reopen them as needed.
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
11 hours ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
2
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
2
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago
add a comment
|
2
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
2
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago
2
2
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
2
2
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago
add a comment
|
5 Answers
5
active
oldest
votes
$begingroup$
We use more complex encryption algorithms than the one outlined in the question
- In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.
- In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").
- In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
$endgroup$
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:
Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).
One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.
You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.
How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?
How are you going to securely share your one-time pad?
Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?
How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?
Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
$endgroup$
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
|
show 3 more comments
$begingroup$
The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?
In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.
As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment
|
$begingroup$
...random enough..
Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.
You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.
Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.
Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$
You've simply moved the complexity upstream of the XOR operator.
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
$endgroup$
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.
So let's assume generating a random bit stream isn't a problem:
The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.
You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".
So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
$endgroup$
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
add a comment
|
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
We use more complex encryption algorithms than the one outlined in the question
- In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.
- In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").
- In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
$endgroup$
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
We use more complex encryption algorithms than the one outlined in the question
- In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.
- In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").
- In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
$endgroup$
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
We use more complex encryption algorithms than the one outlined in the question
- In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.
- In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").
- In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
$endgroup$
We use more complex encryption algorithms than the one outlined in the question
- In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.
- In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").
- In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
edited 20 hours ago
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
answered 20 hours ago
fgrieufgrieu
86.5k7 gold badges192 silver badges378 bronze badges
86.5k7 gold badges192 silver badges378 bronze badges
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
$endgroup$
– ikegami
12 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
$begingroup$
@ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
$endgroup$
– Patriot
10 hours ago
1
1
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
$begingroup$
@Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:
Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).
One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.
You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.
How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?
How are you going to securely share your one-time pad?
Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?
How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?
Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
$endgroup$
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
|
show 3 more comments
$begingroup$
You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:
Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).
One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.
You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.
How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?
How are you going to securely share your one-time pad?
Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?
How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?
Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
$endgroup$
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
|
show 3 more comments
$begingroup$
You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:
Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).
One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.
You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.
How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?
How are you going to securely share your one-time pad?
Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?
How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?
Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
$endgroup$
You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:
Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).
One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.
You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.
How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?
How are you going to securely share your one-time pad?
Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?
How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?
Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
edited 19 hours ago
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
answered 21 hours ago
PatriotPatriot
1,5902 gold badges7 silver badges30 bronze badges
1,5902 gold badges7 silver badges30 bronze badges
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
|
show 3 more comments
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
1
1
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
$begingroup$
Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
$endgroup$
– kelalaka
19 hours ago
1
1
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
$begingroup$
@kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
$endgroup$
– Ella Rose♦
19 hours ago
1
1
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
$begingroup$
@EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
$endgroup$
– kelalaka
19 hours ago
2
2
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
$begingroup$
@kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
$endgroup$
– Ella Rose♦
18 hours ago
1
1
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
$begingroup$
@ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
$endgroup$
– kelalaka
11 hours ago
|
show 3 more comments
$begingroup$
The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?
In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.
As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment
|
$begingroup$
The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?
In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.
As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment
|
$begingroup$
The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?
In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.
As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:
I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?
In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.
As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
edited 11 hours ago
kelalaka
11.4k3 gold badges29 silver badges55 bronze badges
11.4k3 gold badges29 silver badges55 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 13 hours ago
LukasaLukasa
1412 bronze badges
answered 13 hours ago
LukasaLukasa
1412 bronze badges
1412 bronze badges
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment
|
add a comment
|
$begingroup$
...random enough..
Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.
You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.
Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.
Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$
You've simply moved the complexity upstream of the XOR operator.
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
$endgroup$
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
...random enough..
Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.
You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.
Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.
Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$
You've simply moved the complexity upstream of the XOR operator.
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
$endgroup$
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
...random enough..
Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.
You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.
Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.
Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$
You've simply moved the complexity upstream of the XOR operator.
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
$endgroup$
...random enough..
Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.
You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.
Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.
Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$
You've simply moved the complexity upstream of the XOR operator.
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
answered 16 hours ago
Paul UszakPaul Uszak
9,2731 gold badge18 silver badges45 bronze badges
9,2731 gold badge18 silver badges45 bronze badges
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
$begingroup$
In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
$endgroup$
– ikegami
10 hours ago
add a comment
|
$begingroup$
What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.
So let's assume generating a random bit stream isn't a problem:
The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.
You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".
So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
$endgroup$
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
add a comment
|
$begingroup$
What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.
So let's assume generating a random bit stream isn't a problem:
The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.
You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".
So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
$endgroup$
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
add a comment
|
$begingroup$
What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.
So let's assume generating a random bit stream isn't a problem:
The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.
You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".
So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
$endgroup$
What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.
So let's assume generating a random bit stream isn't a problem:
The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.
You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".
So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
edited 21 hours ago
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
answered 21 hours ago
AleksanderRasAleksanderRas
4,6062 gold badges14 silver badges44 bronze badges
4,6062 gold badges14 silver badges44 bronze badges
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
add a comment
|
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
$endgroup$
– kelalaka
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
$begingroup$
Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
$endgroup$
– Paul Uszak
21 hours ago
add a comment
|
2
$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago
2
$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago