
RSA, DES, AES, etc., all use (relatively) complicated mathematics to encrypt some message with some key. For each of these methods, there have been several documented vulnerabilities found over the years. Some even believe that there is a vulnerability in AES known only to the NSA.

On the other hand, the one-time pad is not only ridiculously simple, but also has been shown to be impossible to crack (if used appropriately).

Say you have some message to be encrypted with length n. Simply generate a random string with length m where m is at least as large as n, and perform modular addition of the random string onto the message.

As long as the random string is generated with a high-enough-quality random number generator, and as long as the same one-time pad isn't reused, it should be impossible to crack.

If this is true, all we would need to perfect are fast, cryptographically secure deterministic random number generators. Use the key as a starting seed for the RNG and you have a powerful uncrackable encryption scheme which is simple to understand and implement.

Blum-Blum-Shub is a fast, cryptographically secure PRNG, and there are others too.

I have written a C++ program which uses two 2048-bit primes (which match the necessary criteria) for Blum-Blum-Shub and uses a password which the user enters - converted into a starting seed - to run byte-wise modular addition. The process is fast, deterministic, and if the literature I have read is correct then it should be very secure.

So why is so much time and effort invested in coming up with convoluted encryption cyphers when mathematics shows that the simplest is often the best?

Patriot
Ozzah
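As an added example (not the asker's C++ program), here is the scheme the question describes in Python: a Blum-Blum-Shub keystream, seeded from a password, applied by byte-wise modular addition. The primes are constructed toy values and the SHA-256 password-to-seed step is an assumption; the last two functions show why the "never reuse the pad" condition the question mentions is load-bearing, since one reused password leaks the difference of two plaintexts.

```python
import hashlib
from math import gcd

# Constructed toy Blum primes (both ≡ 3 mod 4); real BBS needs ~1024-bit primes.
P, Q = 10007, 10039
N = P * Q

def bbs_keystream(password: str, nbytes: int) -> bytes:
    """Hash the password to a seed x0 coprime to N, then square repeatedly,
    taking one low bit per squaring and packing eight into a keystream byte."""
    seed = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % N
    while seed < 2 or gcd(seed, N) != 1:  # x0 must be a unit mod N
        seed += 1
    x = pow(seed, 2, N)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            x = pow(x, 2, N)
            byte = (byte << 1) | (x & 1)
        out.append(byte)
    return bytes(out)

def encrypt(password: str, plaintext: bytes) -> bytes:
    """Byte-wise modular addition of the keystream, as the question describes."""
    ks = bbs_keystream(password, len(plaintext))
    return bytes((m + k) % 256 for m, k in zip(plaintext, ks))

def decrypt(password: str, ciphertext: bytes) -> bytes:
    ks = bbs_keystream(password, len(ciphertext))
    return bytes((c - k) % 256 for c, k in zip(ciphertext, ks))

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Same password twice: the keystream cancels, so (c1 - c2) mod 256 equals
    (m1 - m2) mod 256 and an eavesdropper learns the plaintext difference."""
    return bytes((a - b) % 256 for a, b in zip(c1, c2))

def recover_with_known_plaintext(c1: bytes, m1: bytes, c2: bytes) -> bytes:
    """If m1 is known (a predictable header, say), m2 follows with no key at all."""
    return bytes((d + m) % 256 for d, m in zip(keystream_reuse_leak(c2, c1), m1))

if __name__ == "__main__":
    m1, m2 = b"ballot: candidate A", b"ballot: candidate B"   # constructed messages
    c1, c2 = encrypt("hunter2", m1), encrypt("hunter2", m2)  # same password reused
    print(decrypt("hunter2", c1) == m1)
    print(recover_with_known_plaintext(c1, m1, c2))         # prints b'ballot: candidate B'
```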

11 Answers

123

The main difficulty with the one-time pad is that it requires pre-arrangement. In order for me to use a one-time pad to communicate with you, we must either have arranged ahead of time for a one-time pad that we will use (which must be as large as our communication will be), or else we must have some secure way of communicating that will allow us to agree on a one-time-pad for use.

If we have a secure channel to communicate so we can agree on a one-time-pad, then why bother? Let's just communicate through the secure channel.

If we don't have a secure channel, then we cannot engage in secret communication ex-nihilo, since we will not have a one-time-pad agreed on.

Now, if you are going to generate the one-time-pad via a pseudo-random number generator, how are you going to get that one-time pad to me? You must tell me your seed (so that I can generate the same pseudo-random sequence and I can decode the message), in which case we are back to the problem of how you tell me what your seed is without a secure channel to communicate with. So now we have two points of vulnerability: the channel we use to communicate so you can give me the seed; and the fact that a pseudo-random number generator is not truly a random number generator, and so may be susceptible to attack as well.

There is also the problem of distribution; to use one-time pads effectively, no pad can be used more than once. There were intercepts that the NSA had from back in the 50s; when the Soviets mistakenly used the same one-time-pads to encode some messages in the 80s, this was enough to break the encryption in both cases. That means that each message will need a new seed and a new password; so each time you want to communicate you need a new seed/key and a new password. It is just too easy to lose the information, or to re-use it by mistake and thus make the entire thing a wash.

One time pads are effective for pre-established channels of communication with low bandwidth; they are almost useless for initiating remote secret communication with someone you have never communicated with before, and they require a lot of bandwidth to use correctly.

Arturo Magidin
58

For symmetric encryption algorithms, your question is basically "Why do we use AES or DES rather than another function that provides the same properties as AES or DES but forces us to use the second weakest chaining mode and never lets us use the same key twice?" Well, the answer is obvious, we sometimes want strong chaining modes and we often like to use the same key twice.

For asymmetric encryption algorithms, your question is basically "Why do we use asymmetric encryption when symmetric encryption is simpler and faster?" And the answer is that we can't always pre-arrange a key between the two ends. For example, when I go to Amazon's secure web page for the first time, there's no way Amazon and I can arrange an encryption key that only Amazon and I know. And we certainly would find it difficult to work out a new secure key each time.

Also, sometimes we need to exchange data securely with parties we don't trust, and your mechanism won't do that. If I publish the key in the New York Times so anyone can send me something securely, anyone can decode the messages too. Yuck. And if I want to talk securely to 15,000 people, I need to manage 15,000 keys. Yuck. And if I share a key with 50,000 parties and change it, I need to get the new key to 50,000 parties. Yuck.

And, by the way, this is not a one-time pad. It's a stream cipher similar to RC4.

David Schwartz
50

There is a theorem in cryptography that states that secure encryption and secure PRNG are equivalent, and in fact you just proved half of it.

Given a secure PRNG, you can create a secure encryption algorithm using the method you just provided (using the key as the PRNG-seed). The other half is that given a secure encryption algorithm, you can create a secure PRNG by simply encrypting successive integers (using the seed as the key).

This is one method - the most common method - of creating a stream cipher (note that this is not the same as a one-time pad, which requires the key to be truly random, as large as the input, and known to both parties ahead of time).


The cryptographic PRNG that you mentioned, Blum-Blum-Shub, has an unusually strong proof of its security - as long as factoring numbers is hard (we believe that it is), breaking BBS is hard. We don't have the same sort of confidence with AES; there is no proof of security for AES or most other block-ciphers. The only reason we have to believe that it's secure is that, despite lots of smart people trying, no one has ever been able to put a reasonable dent in its security.

So if BBS is known/believed to be so much more secure than AES, why would AES be so much more prevalent? There's only one reason:

Speed.

Despite what you said, BBS is slow. Damned slow. Extremely, ridiculously, painfully slow. The difference in speed between AES and BBS for encryption is several orders of magnitude, a huge and unacceptable difference. Sure, your computer may be able to encrypt a large message in a fraction of a second, but what about a cell-phone? What about a web-server that needs to handle thousands of TLS/SSL requests a second? What about encryption software that needs to encrypt gigabytes of data at a time (every iteration of BBS only produces one bit of pseudo-random data)? The point is, speed is important, and though AES has no security-proof, it's believed to be "secure enough."

Speed is also the reason AES is used over RSA in TLS/SSL: when connecting to a webserver, your computer will use RSA (or similar) initially to transfer a random key, after which that key is used by AES (or similar) to encrypt all communication, simply because AES is so much faster.


As a side-note, both RSA and BBS use the same "complicated mathematics" (modular arithmetic), but block-ciphers such as AES and DES do not use any "complicated mathematics" at all - you can easily fully understand AES without any mathematical background whatsoever.

17

There is a very easy reason why one-time pads are not always used. It requires information sent before the encryption is set up, i.e. both the sender and the recipient need to have access to the pads themselves. That's a big pain, especially if all information was to be sent with one time pads. How would one distribute the pads themselves?

There is also a second reason. Methods like RSA allow people new to a scheme to participate without any delay. That is, if I want to send someone a message securely with RSA, it only takes their preparation in creating a key. And then it is a key that anyone can use to send secure information.

Related to this idea is the idea that with the aforementioned techniques, a key can be reused. With a one-time pad, every bit of information must be accompanied by a bit of a random number. This means that long messages require long random numbers. One should never reuse a one-time pad. It is not very feasible to generate and store such incredible amounts of data as can ever be transferred between two people, especially since every pair of people who wish to communicate would need their own sets of pads. Explosive growth in memory requirements.

davidlowryduda
15

Modern encryption is not unnecessarily complicated -- it is necessarily complicated. Believe me, a lot of effort is put into making cryptographic algorithms and protocols as simple as possible. But "as simple as possible" is not the same as "simple".

TonyK
10

A few people have already talked about some of the problems. Let me add one that I haven't seen mentioned: despite being unbreakable in the conventional sense, a one-time pad is not entirely immune to all attacks (even when used perfectly).

Consider an election system using a one-time pad. It's being used for a primary election. I'm a member of another political party, doing my nefarious best to sabotage this election. Let me list a few assumptions:

  1. I can change data in a ballot.
  2. I know which bits in a stream represent what parts of the ballot.
  3. The votes are represented as a vector of bits, with one bit for each candidate. For an obvious possibility, a bit is set to 1 to represent the candidate being voted for, and the others are set to 0.
  4. For the election I really care about, there are only two candidates.

Despite its "perfect" security, the OTP provides little real protection in this case. Even though I can't decrypt the data and know which candidate was voted for on any particular ballot, I can still blindly flip both bits representing the vote for the candidate in the election I care about. Voila, I've changed every vote, so the candidate who was less popular wins that primary election.

Then, in the secondary election, "my" candidate is running against the weaker candidate from the opposing party. People from that party who voted against that candidate in the primary are (somewhat) more likely to vote against him again in the secondary. My candidate may not pick up all of those votes, but even the ones who don't vote for my candidate are likely to be fragmented by the inability to vote for the candidate they really wanted.

Assuming my candidate had any chance at all in a fair election, this manipulation probably gives him a big win -- all without 1. doing anything at all in an election where he was a candidate, or 2. ever even trying to decrypt the original data.

There's another obvious variant where I (for example) only modify one of the bits in a particular election. This will generally either show up as an invalid ballot (the voter appears to have voted in favor of two different candidates) or a non-vote (I've changed the only set bit to a zero, so all the bits are now zeros, indicating that this voter didn't vote on this particular position at all).

Jerry Coffin
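The ballot manipulation described in this answer, as an added example that is not from the answer: a true XOR one-time pad over a constructed ballot layout (one byte per race, one bit per candidate), the blind bit changes that need no key, and an HMAC tag as the mitigation that lets the counting side reject altered ballots.

```python
import hashlib
import hmac
import secrets
# Ballot layout assumed for this example: one byte per race, one bit per
# candidate; race 0 is the two-candidate race being manipulated.
RACE_INDEX = 0
CAND_A, CAND_B = 0b01, 0b10

def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """Textbook one-time pad: XOR with a pad at least as long as the message."""
    assert len(pad) >= len(plaintext)
    return bytes(m ^ k for m, k in zip(plaintext, pad))

otp_decrypt = otp_encrypt  # XOR is its own inverse

def swap_votes_blind(ciphertext: bytes) -> bytes:
    """No pad needed: XOR both candidate bits, so A becomes B after decryption."""
    c = bytearray(ciphertext)
    c[RACE_INDEX] ^= CAND_A | CAND_B
    return bytes(c)

def flip_one_bit_blind(ciphertext: bytes, candidate_bit: int) -> bytes:
    """Single-bit variant: decrypts to a non-vote or an invalid double vote."""
    c = bytearray(ciphertext)
    c[RACE_INDEX] ^= candidate_bit
    return bytes(c)

def read_vote(ballot: bytes) -> str:
    bits = ballot[RACE_INDEX] & (CAND_A | CAND_B)
    return {CAND_A: "A", CAND_B: "B", 0: "no vote"}.get(bits, "invalid")

def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Mitigation: MAC the ciphertext (HMAC is computational, not information-theoretic)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify_and_decrypt(mac_key: bytes, pad: bytes, ciphertext: bytes, tag: bytes):
    """Reject (None) any ballot whose tag fails to verify; decrypt otherwise."""
    if not hmac.compare_digest(seal(mac_key, ciphertext), tag):
        return None
    return otp_decrypt(pad, ciphertext)

def demo() -> dict:
    ballot = bytes([CAND_A, 0b100, 0b001])  # constructed: vote for A in race 0
    pad, mac_key = secrets.token_bytes(len(ballot)), secrets.token_bytes(32)
    ct = otp_encrypt(pad, ballot)
    tag = seal(mac_key, ct)
    tampered = swap_votes_blind(ct)
    return {"original": read_vote(ballot),
            "tampered_no_mac": read_vote(otp_decrypt(pad, tampered)),
            "tampered_with_mac": verify_and_decrypt(mac_key, pad, tampered, tag),
            "clean_with_mac": verify_and_decrypt(mac_key, pad, ct, tag)}
```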
8

A mathematician studying cryptography would be truly dumbfounded by this question.

You're completely ignoring the key-distribution problem and authentication-identity problems, both of which use public-key cryptography such as RSA.

Finding a large random source for a truly-secure OTP is tremendously difficult. You're talking about generating cryptographically secure random numbers, which are easily distributable (somehow?), in the magnitudinal quantities of information that the internet generates. Simply not possible.

Ivo
5

One time pads seem simple but have extremely strict requirements to guarantee information security. You're basically just shifting the complication into a random number generator because a good one-time pad must be absolutely random. Moreover, the same one-time pad (which in your scheme means password) cannot be used for two different encryptions.

5

Although one might argue that RSA and AES are based on "complicated" mathematics (RSA uses basic facts from number theory, AES uses some finite fields), DES doesn't have any complicated mathematics at all.

All three of these primitives, RSA, AES and DES, have never been broken.

Yes, one-time pad is mathematically simpler and has information-theoretic security, but as other respondents have noted, it's useless without a key distribution method, and these usually land you right back where you started, essentially.

BBS has "complicated" mathematics at its heart as well: it's using quadratic residues modulo a Blum integer $n$ so that every square has exactly one square root modulo $n$. The math here is at least as complicated as RSA, and far less practical.

Fixee
3

… One-time pad is not only ridiculously simple, but also has been shown to be impossible to crack (if used appropriately). …

One-time-pads may provide ideal security, but they are awfully problematic to transport securely from one point to another. Considering that an OTP should only be used once makes OTPs even more impractical. That makes exchanging messages which are secured using OTP needlessly complicated.

When you ask if modern encryption is needlessly complicated and point to OTPs, my primal instinct is to reply that – compared to modern cryptographic algorithms – using OTP is needlessly complicated.

… Blum-Blum-Shub is a fast, cryptographically secure PRNG, and there are others too. …

Blum-Blum-Shub may be somewhat secure, but it is anything but fast.

… The process is fast, deterministic, and if the literature I have read is correct then it should be very secure.

The problem starts and stops with the word “deterministic”. A deterministic encryption scheme always produces the same ciphertext for a given key and plaintext, even over separate executions of the encryption algorithm. Keeping it short: deterministic encryption can leak information to an eavesdropper, who may recognize known ciphertexts. Keep in mind that deterministic encryption schemes can never be semantically secure. That’s one of the reasons I personally would only consider using deterministic encryption if there’s a need to efficiently search encrypted data.

… So why is so much time and effort invested in coming up with convoluted encryption cyphers when mathematics shows that the simplest is often the best? …

Don’t get me wrong, but people invest so much time and effort because they aim for a higher security compared to your self-made thingy. In the end, there are too many Security Pitfalls in Cryptography to try to do things “simple”. To protect against those security pitfalls requires smart and sometimes complicated solutions. That is the reason why you might get the impression modern encryption is complicated. But you can trust in the fact that no cryptographer would make it “needlessly” complicated because that might raise the potential of introducing additional security issues.

Mike Edward Moras
-1

You are right: One Time Pad combined with Blum Blum Shub is the most secure proven cipher combination. But you just forgot the main problem: the key exchange problem, and a One Time Pad key should be used only once; here asymmetric ciphers (RSA, DH) together with AES solve this problem.

But, again, the key exchange problem for one time pads is solved with quantum cryptography. Many companies such as IdQuatic and MagicQ have developed real random generator devices (PCI) and routers that support quantum cryptography. The main limit of quantum cryptography for the moment is distance coverage (experiments have shown it is effective up to 100 km). Lately some experiments of quantum bit exchange over optical fibre have been made, showing good results. Hope this short description helps.

albanx