Why use complex encryption algorithms? [duplicate]Is modern encryption needlessly complicated?How secure is my OTP program?HRNG for One Time PadHybrid encryption with RSA and AES versus spliting into multiple RSA messages?Exercise: Attack on a Two-Round DES CipherAnalogue encryption algorithmsMessage lengths with AES CTR mode?Why does rsyncrypto require a public key during decryption?How secure is a client-side javascript encrypter?cbc - why not like this? what's wrong?How come Public key cryptography wasn't discovered earlier?

Partition a 3x3 square into rectangles

What is the white square near the viewfinder of the Fujica GW690?

Is Uralic Possibly a Branch of the Indo-European Branch?

Best ways to compress and store tons of CO2?

How to prevent password reset from disclosing private email addresses?

Matrix class in C#

Is it really better for the environment if I take the stairs as opposed to a lift?

Use GPLv3 library in a closed system (no software distribution)

How to align these two expressions, one has one more number?

How much does freezing grapes longer sweeten them more?

The use of SlotSequence in If[#1 > #2, ##] &

Did the US push the Kurds to lower their defences against Turkey in the months preceding the latest Turkish military operation against them?

What plausible reasons why people forget they didn't originally live on this new planet?

On approximate simultaneous diagonalization

Meaning of “Bulldog drooled courses through his jowls”

Is there an unambiguous name for the social/political theory "liberalism" without "leftist"?

Can Chill Touch prevent Regeneration?

In this day and age should the definition / categorisation of erotica be revised?

UK inheritance: partner, sibling, child

Do the KKT conditions hold for mixed integer nonlinear problems?

How would a race of humanoids with tails design [vehicle] seats?

Why is 10.1.255.255 an invalid broadcast address?

Why doesn't English employ an H in front of the name Ares?

Can every type of linear filter be modelled by a convolution?



Why use complex encryption algorithms? [duplicate]


Is modern encryption needlessly complicated?How secure is my OTP program?HRNG for One Time PadHybrid encryption with RSA and AES versus spliting into multiple RSA messages?Exercise: Attack on a Two-Round DES CipherAnalogue encryption algorithmsMessage lengths with AES CTR mode?Why does rsyncrypto require a public key during decryption?How secure is a client-side javascript encrypter?cbc - why not like this? what's wrong?How come Public key cryptography wasn't discovered earlier?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;

.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;








6














$begingroup$



This question already has an answer here:



  • Is modern encryption needlessly complicated?

    11 answers



I have recently gotten interested in cryptography, so I looked some things up.



I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.



Of course, you're the only one who will know the stream.



So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.










share|improve this question









New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$





marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes aes
Users with the  aes badge can single-handedly close aes questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
11 hours ago


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • 2




    $begingroup$
    Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
    $endgroup$
    – Natanael
    21 hours ago






  • 2




    $begingroup$
    You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
    $endgroup$
    – kelalaka
    21 hours ago

















6














$begingroup$



This question already has an answer here:



  • Is modern encryption needlessly complicated?

    11 answers



I have recently gotten interested in cryptography, so I looked some things up.



I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.



Of course, you're the only one who will know the stream.



So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.










share|improve this question









New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$





marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes aes
Users with the  aes badge can single-handedly close aes questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
11 hours ago


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • 2




    $begingroup$
    Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
    $endgroup$
    – Natanael
    21 hours ago






  • 2




    $begingroup$
    You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
    $endgroup$
    – kelalaka
    21 hours ago













6












6








6


3



$begingroup$



This question already has an answer here:



  • Is modern encryption needlessly complicated?

    11 answers



I have recently gotten interested in cryptography, so I looked some things up.



I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.



Of course, you're the only one who will know the stream.



So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.










share|improve this question









New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$





This question already has an answer here:



  • Is modern encryption needlessly complicated?

    11 answers



I have recently gotten interested in cryptography, so I looked some things up.



I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message? The point is, if you have a random enough bitstream, you can just XOR the data.



Of course, you're the only one who will know the stream.



So why use all sorts of encryption if you have these simpler, easier ways of doing things? I'm new to cryptography, so this question may sound a bit naive.





This question already has an answer here:



  • Is modern encryption needlessly complicated?

    11 answers







encryption aes des one-time-pad






share|improve this question









New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited 20 hours ago









kelalaka

11.4k3 gold badges29 silver badges55 bronze badges




11.4k3 gold badges29 silver badges55 bronze badges






New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 22 hours ago









Ömer Enes ÖzmenÖmer Enes Özmen

392 bronze badges




392 bronze badges




New contributor



Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




Ömer Enes Özmen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes aes
Users with the  aes badge can single-handedly close aes questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
11 hours ago


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes aes
Users with the  aes badge can single-handedly close aes questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
11 hours ago


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.









marked as duplicate by kelalaka, Squeamish Ossifrage, Maarten Bodewes aes
Users with the  aes badge can single-handedly close aes questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
11 hours ago


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.









  • 2




    $begingroup$
    Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
    $endgroup$
    – Natanael
    21 hours ago






  • 2




    $begingroup$
    You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
    $endgroup$
    – kelalaka
    21 hours ago












  • 2




    $begingroup$
    Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
    $endgroup$
    – Natanael
    21 hours ago






  • 2




    $begingroup$
    You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
    $endgroup$
    – kelalaka
    21 hours ago







2




2




$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago




$begingroup$
Can you tell me a way to generate that stream in a practical way without symmetric cryptography like AES? We use these ciphers because OTP key distribution is HARD, and these ciphers is the most cost effective method we have for encryption.
$endgroup$
– Natanael
21 hours ago




2




2




$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago




$begingroup$
You should definitely start to read a book like Serious Cryptography by Jean-Philippe Aumasson or Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
$endgroup$
– kelalaka
21 hours ago










5 Answers
5






active

oldest

votes


















6
















$begingroup$

We use more complex encryption algorithms than the one outlined in the question



  • In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.

  • In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").

  • In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.





share|improve this answer












$endgroup$














  • $begingroup$
    This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
    $endgroup$
    – ikegami
    12 hours ago











  • $begingroup$
    @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
    $endgroup$
    – Patriot
    10 hours ago






  • 1




    $begingroup$
    @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
    $endgroup$
    – ikegami
    10 hours ago



















4
















$begingroup$

You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:



  1. Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).


  2. One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.


  3. You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.


  4. How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?


  5. How are you going to securely share your one-time pad?


  6. Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?


  7. How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?


Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.






share|improve this answer












$endgroup$










  • 1




    $begingroup$
    Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
    $endgroup$
    – kelalaka
    19 hours ago






  • 1




    $begingroup$
    @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
    $endgroup$
    – Ella Rose
    19 hours ago






  • 1




    $begingroup$
    @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
    $endgroup$
    – kelalaka
    19 hours ago






  • 2




    $begingroup$
    @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
    $endgroup$
    – Ella Rose
    18 hours ago






  • 1




    $begingroup$
    @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
    $endgroup$
    – kelalaka
    11 hours ago


















4
















$begingroup$

The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:




I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?




In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.



As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.






share|improve this answer











New contributor



Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





$endgroup$






















    2
















    $begingroup$


    ...random enough..




    Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.



    You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.



    Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.



    Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$



    You've simply moved the complexity upstream of the XOR operator.






    share|improve this answer










    $endgroup$














    • $begingroup$
      In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
      $endgroup$
      – ikegami
      10 hours ago



















    1
















    $begingroup$

    What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.




    So let's assume generating a random bit stream isn't a problem:



    The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.



    You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".



    So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.






    share|improve this answer












    $endgroup$














    • $begingroup$
      Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
      $endgroup$
      – kelalaka
      21 hours ago











    • $begingroup$
      Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
      $endgroup$
      – Paul Uszak
      21 hours ago


















    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    6
















    $begingroup$

    We use more complex encryption algorithms than the one outlined in the question



    • In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.

    • In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").

    • In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.





    share|improve this answer












    $endgroup$














    • $begingroup$
      This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
      $endgroup$
      – ikegami
      12 hours ago











    • $begingroup$
      @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
      $endgroup$
      – Patriot
      10 hours ago






    • 1




      $begingroup$
      @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
      $endgroup$
      – ikegami
      10 hours ago
















    6
















    $begingroup$

    We use more complex encryption algorithms than the one outlined in the question



    • In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.

    • In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").

    • In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.





    share|improve this answer












    $endgroup$














    • $begingroup$
      This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
      $endgroup$
      – ikegami
      12 hours ago











    • $begingroup$
      @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
      $endgroup$
      – Patriot
      10 hours ago






    • 1




      $begingroup$
      @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
      $endgroup$
      – ikegami
      10 hours ago














    6














    6










    6







    $begingroup$

    We use more complex encryption algorithms than the one outlined in the question



    • In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.

    • In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").

    • In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.





    share|improve this answer












    $endgroup$



    We use more complex encryption algorithms than the one outlined in the question



    • In order to get a short secret key in symmetric encryption. With the technique (One Time Pad) outlined in the question, we need to securely store or/and perhaps transfert a secret keystream the size of the data to encipher, which is utterly impractical. AES-CTR replaces that with a small (16 to 32-byte) shared secret good enough for any practical data size.

    • In order to also get assurance of data integrity and origin, which typically turns out to be at least as needed as data confidentiality. Even if we assume a large secret keystream, we need something slightly more complex than XOR with the keystream (e.g. universal hashing) in order to ensure that an adversary did not mess-up with the data (e.g. change "pay $100" to "pay $900").

    • In order to get asymmetric encryption, that is the capability to encipher without needing anything secret (beyond the data to encipher) on the side that enciphers.






    share|improve this answer















    share|improve this answer




    share|improve this answer








    edited 20 hours ago

























    answered 20 hours ago









    fgrieufgrieu

    86.5k7 gold badges192 silver badges378 bronze badges




    86.5k7 gold badges192 silver badges378 bronze badges














    • $begingroup$
      This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
      $endgroup$
      – ikegami
      12 hours ago











    • $begingroup$
      @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
      $endgroup$
      – Patriot
      10 hours ago






    • 1




      $begingroup$
      @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
      $endgroup$
      – ikegami
      10 hours ago

















    • $begingroup$
      This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
      $endgroup$
      – ikegami
      12 hours ago











    • $begingroup$
      @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
      $endgroup$
      – Patriot
      10 hours ago






    • 1




      $begingroup$
      @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
      $endgroup$
      – ikegami
      10 hours ago
















    $begingroup$
    This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
    $endgroup$
    – ikegami
    12 hours ago





    $begingroup$
    This suggests that one could use asymmetric encryption to transfer the OTP. But that's not done because you'd have to transfer twice as much (the key stream and the encrypted stream), and asymmetric encryption is relatively expensive. In practice, asymmetric encryption is used to transfer a short randomly-generated secret key before switching to symmetric encryption using that key.
    $endgroup$
    – ikegami
    12 hours ago













    $begingroup$
    @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
    $endgroup$
    – Patriot
    10 hours ago




    $begingroup$
    @ikegami I would say it is not done because that would reduce the security of the OTP down to the level of the asymmetric/hybrid encryption level.
    $endgroup$
    – Patriot
    10 hours ago




    1




    1




    $begingroup$
    @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
    $endgroup$
    – ikegami
    10 hours ago





    $begingroup$
    @Patriot, It can't be true that we don't use asymmetric encryption for key exchange because it lowers the level of security, because we do use asymmetric encryption for key exchange.
    $endgroup$
    – ikegami
    10 hours ago














    4
















    $begingroup$

    You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:



    1. Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).


    2. One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.


    3. You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.


    4. How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?


    5. How are you going to securely share your one-time pad?


    6. Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?


    7. How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?


    Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.






    share|improve this answer












    $endgroup$










    • 1




      $begingroup$
      Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
      $endgroup$
      – kelalaka
      19 hours ago






    • 1




      $begingroup$
      @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
      $endgroup$
      – Ella Rose
      19 hours ago






    • 1




      $begingroup$
      @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
      $endgroup$
      – kelalaka
      19 hours ago






    • 2




      $begingroup$
      @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
      $endgroup$
      – Ella Rose
      18 hours ago






    • 1




      $begingroup$
      @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
      $endgroup$
      – kelalaka
      11 hours ago















    4
















    $begingroup$

    You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:



    1. Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).


    2. One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.


    3. You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.


    4. How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?


    5. How are you going to securely share your one-time pad?


    6. Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?


    7. How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?


    Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.






    share|improve this answer












    $endgroup$










    • 1




      $begingroup$
      Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
      $endgroup$
      – kelalaka
      19 hours ago






    • 1




      $begingroup$
      @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
      $endgroup$
      – Ella Rose
      19 hours ago






    • 1




      $begingroup$
      @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
      $endgroup$
      – kelalaka
      19 hours ago






    • 2




      $begingroup$
      @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
      $endgroup$
      – Ella Rose
      18 hours ago






    • 1




      $begingroup$
      @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
      $endgroup$
      – kelalaka
      11 hours ago













    4














    4










    4







    $begingroup$

    You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:



    1. Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).


    2. One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.


    3. You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.


    4. How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?


    5. How are you going to securely share your one-time pad?


    6. Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?


    7. How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?


    Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.






    share|improve this answer












    $endgroup$



    You could use a one-time pad, which does grant confidentiality when properly employed, but then you would have many non-trivial problems:



    1. Your message or messages would have to be quite short because generating letters in a truly random manner usually takes a bit of time and effort (rolling dice).


    2. One-time pads only have limited practical use. You cannot use your OTP for the purposes of making payments with your ATM card, using WeChat, establishing a secure link to this website, etc.


    3. You might need to make sure that the person you are talking to is who you think they are, and vice versa (authentication). It isn't easy to authenticate a one-time pad without using a modern method such as a Carter-Wegman MAC or an HMAC, etc.


    4. How is the receiver going to check the integrity of your message? How will they know that someone else did not add something, move something around, or take something away? How will they know that a technical glitch had not altered the message during transmission?


    5. How are you going to securely share your one-time pad?


    6. Physical security. How are you going to keep that one-time pad safe twenty-four hours a day? How about the person you are going to talk to? How will they keep their OTP safe?


    7. How are you going to explain to someone who was watching that you enjoy communicating like a Cold War spy?


    Modern cryptography can solve all of these problems well--key exchange, authentication, integrity checks, confidentiality, encrypted storage, establishing a shared secret--and that is why we use it.







    share|improve this answer















    share|improve this answer




    share|improve this answer








    edited 19 hours ago

























    answered 21 hours ago









    PatriotPatriot

    1,5902 gold badges7 silver badges30 bronze badges




    1,5902 gold badges7 silver badges30 bronze badges










    • 1




      $begingroup$
      Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
      $endgroup$
      – kelalaka
      19 hours ago






    • 1




      $begingroup$
      @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
      $endgroup$
      – Ella Rose
      19 hours ago






    • 1




      $begingroup$
      @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
      $endgroup$
      – kelalaka
      19 hours ago






    • 2




      $begingroup$
      @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
      $endgroup$
      – Ella Rose
      18 hours ago






    • 1




      $begingroup$
      @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
      $endgroup$
      – kelalaka
      11 hours ago












    • 1




      $begingroup$
      Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
      $endgroup$
      – kelalaka
      19 hours ago






    • 1




      $begingroup$
      @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
      $endgroup$
      – Ella Rose
      19 hours ago






    • 1




      $begingroup$
      @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
      $endgroup$
      – kelalaka
      19 hours ago






    • 2




      $begingroup$
      @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
      $endgroup$
      – Ella Rose
      18 hours ago






    • 1




      $begingroup$
      @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
      $endgroup$
      – kelalaka
      11 hours ago







    1




    1




    $begingroup$
    Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
    $endgroup$
    – kelalaka
    19 hours ago




    $begingroup$
    Short is a relative term. 1TB OTP key can be transferred easily. And you can communicate for a very long time if you don't send pictures or movies.
    $endgroup$
    – kelalaka
    19 hours ago




    1




    1




    $begingroup$
    @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
    $endgroup$
    – Ella Rose
    19 hours ago




    $begingroup$
    @kelalaka If you take details into account, it's not so clear that it's easy. It quickly becomes prohibitive if you need to securely share a 1 TB drive with every entity that you intend to communicate with. Especially if you run a server rather than just consider personal communication between individuals. Also, it needs to be 1 TB of secure, reliable storage per entity, which costs more than a single 1TB hard drive. This doesn't even take into account how you securely transfer the drive (plane tickets probably cost even more than the drives).
    $endgroup$
    – Ella Rose
    19 hours ago




    1




    1




    $begingroup$
    @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
    $endgroup$
    – kelalaka
    19 hours ago




    $begingroup$
    @EllaRose I'm not an OTP fun, However, usually, the embassies in my mind when OTP is required and they talk with the capitol. In this case, they need only to give the ambassadors when they visit the capitol, etc. Run a server with OTP forget about it. And for ambassadors, the plane ticket is usually the least concern.
    $endgroup$
    – kelalaka
    19 hours ago




    2




    2




    $begingroup$
    @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
    $endgroup$
    – Ella Rose
    18 hours ago




    $begingroup$
    @kelalaka Sure, if you're shielded from all the inconvenience by a team of people who are paid to deal with it for you, then you personally won't notice the difficulty involved in using the system. But the difficulties are still there, it's just that the ambassador (in your example) does not have to witness them.
    $endgroup$
    – Ella Rose
    18 hours ago




    1




    1




    $begingroup$
    @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
    $endgroup$
    – kelalaka
    11 hours ago




    $begingroup$
    @ikegami there is no problem, I can delete my comments. It was broken since re-use, crib dragging and the NSA guys always trying. There is no historical known for key OTP espionage. It is like German Enigma operator mistakes. That's it. It is informaticall secure and you can send the message on the phone. This debeate will never finish and this is why we prohibited OTP from HNQ, however we have no active mod around here now!
    $endgroup$
    – kelalaka
    11 hours ago











    4
















    $begingroup$

    The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:




    I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?




    In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.



    As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.






    share|improve this answer











    New contributor



    Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





    $endgroup$



















      4
















      $begingroup$

      The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:




      I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?




      In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.



      As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.






      share|improve this answer











      New contributor



      Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      $endgroup$

















        4














        4










        4







        $begingroup$

        The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:




        I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?




        In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.



        As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.






        share|improve this answer











        New contributor



        Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        $endgroup$



        The other answers are great, but I wanted to call out an interesting feature of modern cryptography. Your question asked:




        I thought, why even use AES or DES or any other complex way for encrypting data when there are far simpler ways, like just generating a random (pseudorandom) bitstream, and XOR'ing it with the data or secret message?




        In point of fact, many modern encryption schemes do exactly that. Both ChaCha20 and AES in any counter mode (CTR and GCM both come to mind) actually generate a pseudorandom bitstream (usually called a keystream) and XOR it with the input data to encipher it.



        As you can see, and as Paul's answer correctly points out, this observation hasn't actually made anything particularly simpler. We've just changed the problem: the problem isn't "how to encipher data", it's now "how to generate good pseudorandom bits". It turns out that doing that well from a relatively small amount of key material is fundamentally difficult.







        share|improve this answer











        New contributor



        Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.








        share|improve this answer




        share|improve this answer








        edited 11 hours ago









        kelalaka

        11.4k3 gold badges29 silver badges55 bronze badges




        11.4k3 gold badges29 silver badges55 bronze badges






        New contributor



        Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.








        answered 13 hours ago









        LukasaLukasa

        1412 bronze badges




        1412 bronze badges




        New contributor



        Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.




        New contributor




        Lukasa is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.


























            2
















            $begingroup$


            ...random enough..




            Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.



            You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.



            Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.



            Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$



            You've simply moved the complexity upstream of the XOR operator.






            share|improve this answer










            $endgroup$














            • $begingroup$
              In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
              $endgroup$
              – ikegami
              10 hours ago
















            2
















            $begingroup$


            ...random enough..




            Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.



            You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.



            Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.



            Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$



            You've simply moved the complexity upstream of the XOR operator.






            share|improve this answer










            $endgroup$














            • $begingroup$
              In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
              $endgroup$
              – ikegami
              10 hours ago














            2














            2










            2







            $begingroup$


            ...random enough..




            Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.



            You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.



            Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.



            Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$



            You've simply moved the complexity upstream of the XOR operator.






            share|improve this answer










            $endgroup$




            ...random enough..




            Let's just focus on that as it forms the nub of your question. Yes,$$textrandom (pseudorandom) bitstream oplus textsecret message$$ is very simple, works and is in common usage. But the first term in this encryption function masks great (and necessary) complexity. In order to be secure, the bitstream must comprise independent and uniformly distributed numbers, typically with bias not exceeding $2^-64$. How do you obtain them? Therein lies your complexity.



            You can make them with a physical device. If we exclude zany methods like dice and aquarium fish, we're left with some type of electromagnetic apparatus. These days, that will take the form of either a laser or diode. Both create the original entropy for distillation into random numbers based on quantum indeterminacy. Quantum mechanics are pretty complex.



            Or you can expand a little entropy like say a password, into a long stream of pseudo random numbers with a CSPRNG (and perhaps a key derivation function). The need for non invertability/non predictability of the output and to guarantee acceptable bias, requires complexity. And so cryptographic primitives are complex. If it wasn't complex, you could just roll it backwards.



            Therefore, what you've really asked is:- $$textcomplex to make random (pseudorandom) bitstream oplus textsecret message$$



            You've simply moved the complexity upstream of the XOR operator.







            share|improve this answer













            share|improve this answer




            share|improve this answer










            answered 16 hours ago









            Paul UszakPaul Uszak

            9,2731 gold badge18 silver badges45 bronze badges




            9,2731 gold badge18 silver badges45 bronze badges














            • $begingroup$
              In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
              $endgroup$
              – ikegami
              10 hours ago

















            • $begingroup$
              In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
              $endgroup$
              – ikegami
              10 hours ago
















            $begingroup$
            In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
            $endgroup$
            – ikegami
            10 hours ago





            $begingroup$
            In fact, the latter is exactly what a block cipher in OFB mode is doing! (en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
            $endgroup$
            – ikegami
            10 hours ago












            1
















            $begingroup$

            What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.




            So let's assume generating a random bit stream isn't a problem:



            The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.



            You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".



            So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.






            share|improve this answer












            $endgroup$














            • $begingroup$
              Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
              $endgroup$
              – kelalaka
              21 hours ago











            • $begingroup$
              Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
              $endgroup$
              – Paul Uszak
              21 hours ago















            1
















            $begingroup$

            What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.




            So let's assume generating a random bit stream isn't a problem:



            The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.



            You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".



            So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.






            share|improve this answer












            $endgroup$














            • $begingroup$
              Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
              $endgroup$
              – kelalaka
              21 hours ago











            • $begingroup$
              Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
              $endgroup$
              – Paul Uszak
              21 hours ago













            1














            1










            1







            $begingroup$

            What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.




            So let's assume generating a random bit stream isn't a problem:



            The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.



            You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".



            So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.






            share|improve this answer












            $endgroup$



            What you're describing would be a One-Time-Pad. The OTP would actually be perfectly secure, but the first problem is in the issue that you have to generate a bit stream using a cryptographically secure pseudorandom number generator (CSPRNG) instead of a usual pseudorandom number generator. But even that doesn't pose a particularly large problem. Keep also in mind that a OTP is only secure if you use it once, using a OTP with the same bit stream would be insecure.




            So let's assume generating a random bit stream isn't a problem:



            The big problem lies in the process of sharing the key with others. That's the real issue, because a public cryptosystem like RSA-2048 can for example only encrypt a message of size 245 bytes, as described in this answer on securitySE.



            You could therefore also only generate a random bit stream for the OTP of equal size. And each time you would have to transmit a new bit stream for a new OTP, all the time until you're finished. That's a very slow process. At that point you could even ask: "Why am I even using a OTP anymore, I could just send the actual message using RSA instead the key!".



            So generally we transmit a key for a symmetric cryptosystem like AES using something like RSA. AES has (practically) no limit of data to encrypt for it to still be secure.







            share|improve this answer















            share|improve this answer




            share|improve this answer








            edited 21 hours ago

























            answered 21 hours ago









            AleksanderRasAleksanderRas

            4,6062 gold badges14 silver badges44 bronze badges




            4,6062 gold badges14 silver badges44 bronze badges














            • $begingroup$
              Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
              $endgroup$
              – kelalaka
              21 hours ago











            • $begingroup$
              Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
              $endgroup$
              – Paul Uszak
              21 hours ago
















            • $begingroup$
              Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
              $endgroup$
              – kelalaka
              21 hours ago











            • $begingroup$
              Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
              $endgroup$
              – Paul Uszak
              21 hours ago















            $begingroup$
            Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
            $endgroup$
            – kelalaka
            21 hours ago





            $begingroup$
            Another problem with OTP is when the key is finished either no communication at all, or have a crib-dragging attack. Maybe you should also mention the Historical bond case key carrying and trusting the carrier issue. Note: the first sentence not clear.
            $endgroup$
            – kelalaka
            21 hours ago













            $begingroup$
            Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
            $endgroup$
            – Paul Uszak
            21 hours ago




            $begingroup$
            Well, some issues with all this... 1) OTP key generation doesn't require any CSPRNGs at all. That's not how they were made in days of olde, or are made these days. 2) Generation is as fast as you need. They range from 100's b/s to >> 10 Gb/s. Even /dev/random will give you 30 kb/hr. 3) Quantum key distribution networks exist in many countries to exchange keys. 4) You can fit 32GB of material on a £6 flash drive which you can swap with Ömer.
            $endgroup$
            – Paul Uszak
            21 hours ago



            Popular posts from this blog

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її