3

By profession I’m a programmer. I don’t know a lot about how cryptographic algorithms are implemented, or even where I’d start, and I don’t know about cryptanalysis, but as I work in blockchain technology, I know how to consume cryptographic algorithms. One might say I have a passing interest.

One thing that has piqued my curiosity, as it probably does for many novices in cryptography, is the Vernam, or One-Time Pad, cipher: supposedly 100% mathematically impossible to crack and incredibly simple to implement.

The problem seems to be around the keys used. Specifically:

  1. Keys shouldn’t be reused
  2. Key sequences shouldn’t be repeated
  3. Keys need to be shared somehow

Other encryption algorithms solve (or don’t suffer from) these problems, but, if we can find a suitable, secure way to generate and share unique keys, does the Vernam cipher become useful?

Is there anything else that needs consideration in this respect?

Matthew Layton

4 Answers

5

As you know, whether a thing is useful or not depends upon context. If you are hungry, will a 4096-bit RSA key with a CAMELLIA256 subkey be useful? Not really, except perhaps as food for thought.

One-time pads are being used at this very moment by serious and perhaps dangerous people all over the world. OTPs work. Ciphertext encrypted with a one-time pad can be heard on HF radio all the time. Is it useful? Certainly. The question is: "for whom?"

Why are one-time-pads useful? You don't have to carry around a lot of equipment. Paper does not leave an electronic trail. Paper burns. Little pads are easy to hide. It's hard to get a kleptotrojan into a pencil. Paper is cheap. The Vernam cipher is the perfect cipher if the key is truly random, the key was protected, and the key is as long as the message. When your equipment stops working you can pull out the little book and figure out a way to deliver your message--and its content will remain private. You can actually see the key destroyed. When you destroy it, it's really gone. Everything about using a one-time-pad is easy to understand. A one-time pad does not require electricity. If you lose your pad, that might be bad, but you don't have to revoke it in front of everyone. All of that sounds very useful, right?

So, to answer your question directly, "if we can find a suitable, secure way to generate and share unique keys, does the Vernam cipher become useful?"--yes, it already is very useful to certain people all over the globe, but they are not talking about it.

"Is there anything else that needs consideration in this respect?"

Yes.

  1. It isn't that the key "should not" be used again, as if it were an option. It must only be used once.

  2. The key must be at least as long as the plaintext.

  3. The key must be truly random in order to be perfect.

  4. The key must have been protected against damage or compromise.

  5. The key must have been shared via a secure means.

Patriot
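The five requirements above, shown as an added example that is not part of this answer: a minimal pad consumer in Python that enforces the length check and uses each key byte exactly once, followed by a demonstration of what breaking requirement 1 costs (a "two-time pad", where the key cancels out and a crib in one message reads the other). The `PadUser` class, the sample messages and the use of `secrets.token_bytes` as the pad source are assumptions for the demo; a real pad needs a true random source, not a CSPRNG.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: this single operation is the whole Vernam cipher."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Pad bytes from the OS CSPRNG. A real OTP needs a true random source (requirement 3);
    using the secrets module here is a demo assumption, not a substitute for that."""
    return secrets.token_bytes(length)


class PadUser:
    """One party's copy of the pad. Key bytes are consumed strictly left to right and
    zeroed in memory once used, so the same key byte can never be applied twice."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._offset = 0

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        # Requirement 2: refuse to encrypt anything longer than the key material left.
        if n > self.remaining():
            raise ValueError("pad exhausted: the key must be at least as long as the plaintext")
        start, self._offset = self._offset, self._offset + n
        key = bytes(self._pad[start:self._offset])
        self._pad[start:self._offset] = bytes(n)  # overwrite consumed key material
        return key

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._take(len(plaintext)))

    # Decryption is the same XOR; both parties must consume the pad in the same order.
    decrypt = encrypt


def two_time_pad_leak(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """What key reuse costs: c1 XOR c2 == p1 XOR p2, the key cancels out entirely.
    An attacker who guesses a crib (known words) in p1 reads p2 at the same position."""
    end = offset + len(crib)
    diff = xor_bytes(c1[offset:end], c2[offset:end])
    return xor_bytes(diff, crib)


def demo():
    pad = generate_pad(64)
    alice, bob = PadUser(pad), PadUser(pad)   # both parties hold the identical pad

    m1 = b"meet at the old bridge at 9"            # constructed sample message
    c1 = alice.encrypt(m1)
    roundtrip_ok = bob.decrypt(c1) == m1          # honest use: Bob advances his copy in step

    # Misuse: the same key bytes are applied to a second message of equal length.
    reused_key = pad[:len(m1)]
    m2 = b"bring the papers and money!"           # constructed sample message, same length
    c2 = xor_bytes(m2, reused_key)

    # The attacker never sees the key, only c1, c2 and a guessed crib for m1.
    recovered = two_time_pad_leak(c1, c2, crib=b"meet at", offset=0)
    return roundtrip_ok, recovered


if __name__ == "__main__":
    ok, leaked = demo()
    print("round trip:", ok)
    print("leaked from second message:", leaked)
```

Running `demo()` returns `True` for the honest round trip and `b"bring t"` as the leaked prefix of the second message: nothing about the key was needed, which is why "must only be used once" is not negotiable. Note that zeroing the `bytearray` only clears this process's copy; the other party's copy, and any copy on disk, still have to be destroyed separately.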
3

One important thing to note is that OTP does not provide integrity protection. That is pretty important as there is often a lot of known plaintext that, without integrity protection, an attacker can change at will.

For example, given document structures in, say, HTML, it would not be very hard for an attacker with write access to an OTP-encrypted stream of HTML data to inject some malicious JavaScript.

I do want to focus in on one of your points, however:

Keys need to be shared somehow

If we were able to solve that in an information theoretically secure way such that OTP became useful/practical, why would we not just use whatever way that was to transfer encrypted messages? Which would completely negate any usefulness of OTP, would it not?

mikeazo
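The malleability point above, as an added example that is not part of this answer (the HTML document, the `tamper` function and the one-time MAC are constructed for the demo): an attacker who knows where a fixed segment of the page sits rewrites an OTP ciphertext so that it decrypts to injected script, without ever seeing the key. The second half shows one information-theoretically secure fix, a Carter-Wegman style one-time MAC `a*m + b mod p` with a fresh `(a, b)` per message, which detects the change before the receiver decrypts. The prime `p = 2**521 - 1` and the 65-byte message limit that follows from it are choices made for this demo.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def tamper(ciphertext: bytes, known_plaintext: bytes, replacement: bytes, offset: int) -> bytes:
    """Bit-flipping attack on an OTP ciphertext. Because c = p XOR k, computing
    c XOR p_known XOR p_new over the known region makes the receiver decrypt p_new.
    Only the position and content of the known plaintext are needed, not the key."""
    if len(known_plaintext) != len(replacement):
        raise ValueError("replacement must be the same length as the known segment")
    end = offset + len(known_plaintext)
    patch = xor_bytes(xor_bytes(ciphertext[offset:end], known_plaintext), replacement)
    return ciphertext[:offset] + patch + ciphertext[end:]


# One-time MAC over the prime field Z_p. For any two distinct messages the pair of
# tags is uniformly distributed, so a forger who has seen one tag guesses with
# probability 1/p. Like the pad, (a, b) must be used for exactly one message.
P = 2**521 - 1  # Mersenne prime (demo choice); ciphertexts up to 65 bytes fit below it


def mac_keygen():
    """Fresh (a, b) for ONE message."""
    return secrets.randbelow(P), secrets.randbelow(P)


def mac_tag(key, message: bytes) -> int:
    a, b = key
    m = int.from_bytes(message, "big")
    if m >= P:
        raise ValueError("message too long for this one-time MAC")
    return (a * m + b) % P


def mac_verify(key, message: bytes, tag: int) -> bool:
    expected = mac_tag(key, message)
    # constant-time compare on fixed-width encodings (521 bits fit in 66 bytes)
    return secrets.compare_digest(expected.to_bytes(66, "big"), tag.to_bytes(66, "big"))


def demo():
    plaintext = b"<html><body><div>Hello, world!!</div></body></html>"  # constructed sample
    key = secrets.token_bytes(len(plaintext))
    ciphertext = xor_bytes(plaintext, key)

    # Encrypt-then-MAC: the tag covers the ciphertext and is sent alongside it.
    mac_key = mac_keygen()
    tag = mac_tag(mac_key, ciphertext)

    # Attacker knows the page template and where the body sits (offset 12), not the key.
    forged = tamper(ciphertext,
                    b"<div>Hello, world!!</div>",
                    b"<script>alert(1)</script>",
                    offset=12)

    decrypted_forgery = xor_bytes(forged, key)          # a receiver with no integrity check
    genuine_ok = mac_verify(mac_key, ciphertext, tag)   # untouched ciphertext verifies
    forged_ok = mac_verify(mac_key, forged, tag)        # tampered ciphertext is rejected
    return decrypted_forgery, genuine_ok, forged_ok


if __name__ == "__main__":
    forgery, genuine_ok, forged_ok = demo()
    print("receiver without MAC sees:", forgery)
    print("genuine verifies:", genuine_ok, "| forgery verifies:", forged_ok)
```

Without the MAC the receiver sees `<html><body><script>alert(1)</script></body></html>`, a perfectly valid decryption; with it, `mac_verify` returns `False` for the forged ciphertext and `True` for the genuine one. The MAC key has to travel over the same secure channel as the pad, which is exactly the key-distribution burden this answer is pointing at.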
0

Is there anything else that needs consideration in this respect?

The keys need to be destroyed after they are used so that they cannot be recovered. This may seem obvious, but in practice it can be challenging.

if we can find a suitable, secure way to generate and share unique keys, does the Vernam cipher become useful?

If you can meet in person and exchange the keys via a physical medium, it can be useful with regard to the confidentiality of future messages. This is only applicable if you can meet your contact in person. This obviously does not scale well.

It also doesn't solve all of the other problems. Your keys will exist in at least two places in a medium that is hard to truly and reliably delete them from. The more places that your keys exist, the greater the risk for exposure and recovery. If you store the keys on a medium such as an SSD or CD, it may be difficult to properly delete the data.

You could store the pads on a piece of paper, which would make destroying them after use practical, but then you will have to deal with transcription errors and a severely limited amount of key material.

To quote the Zen of Python: "practicality beats purity".

Ella Rose
-2

Many talk about OTP in theoretical terms, but I'll point out some obvious practical considerations that make operating OTP encryption challenging:

  1. OTP pads cannot ever be left out of your sight or custody: Are you going to leave your pads in a hotel room while you move around? Erm, no. They have to be carried on your person, and the mere possession of these can identify you as a person of interest. Maybe the security services who intercept you pull out a pair of tin-snips and start cutting your fingers off to elicit "cooperation". So you can't leave the key material out of your sight, but carrying it on your person incurs risks.

  2. Key Distribution: the act of transferring the keys leaves you vulnerable. If either party is already being watched, and you meet them to exchange key material, now your identity is compromised. Dead-drops won't mitigate this risk.

  3. Timely Destruction of Key Material: As long as you hold onto that key material it's at-risk of compromise. People talk about just "burning" it, but is that possible in a hotel room with smoke detectors? ;-). So there's a window where the secure channel could be compromised.

Those are the three obvious practical issues that come to mind; there are probably loads of others. None of this is to say OTP encryption is bad; it's actually the gold standard of secure communications, but operating the system can be challenging, to say the least.

F1Linux