Read-once memoryWhat do these notations mean in the definition of Perfect Secrecy, if we read those in English?Decrypting messages crypted with one time pad (used more than once)
Another student has been assigned the same MSc thesis as mine (and already defended)
Smallest number containing the first 11 primes as sub-strings
Kinematic formula for Euler characteristic
Optimize a query reducing logical reads
A famous scholar sent me an unpublished draft of hers. Then she died. I think her work should be published. What should I do?
We are on WHV, my boyfriend was in a small collision, we are leaving in 2 weeks what happens if we don’t pay the damages?
What does it mean by "my days-of-the-week underwear only go to Thursday" in this context?
What are examples of EU policies that are beneficial for one EU country, disadvantagious for another?
Convert a string of digits from words to an integer
Fix Ethernet 10/100 PoE cable with 7 out of 8 wires alive
Can someone give the intuition behind Mean Absolute Error and the Median?
MaxDetect speed
Why does Captain Marvel in the MCU not have her sash?
Does the app TikTok violate trademark?
Build a smooth low poly foot stool with lower than 15K Tris / Faces
Shorten leader-line for labels with geometry-generator
Population of post-Soviet states. Why decreasing?
Are fuzzy sets appreciated by OR community?
Notebook with version-dependent cells
"I will not" or "I don't" as an answer for negative orders?
Why, even after his imprisonment, people keep calling Hannibal Lecter "Doctor"?
A word that refers to saying something in an attempt to anger or embarrass someone into doing something that they don’t want to do?
How to prevent pickpocketing in busy bars?
Preventing an argument to be a complex number
Read-once memory
What do these notations mean in the definition of Perfect Secrecy, if we read those in English?Decrypting messages crypted with one time pad (used more than once)
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
So I've been reading about cryptography and one-time pads, which seem to provide theoretically perfect secrecy. My question is does any form of technology today allow data to be stored in a practical way such that information is destroyed upon reading it? I think that magnetic core memory works in a similar way:
To read the value of a core, the core was flipped to the 0 state. If the core was in 1 state previously, the changing magnetic field produced a voltage in the sense wire threaded through the cores. But if the core was in the 0 state to start, the sense line wouldn't pick up a voltage. Thus, forcing a core to 0 revealed the core's previous state (but erased it in the process)
Text source
one-time-pad perfect-secrecy
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment
|
$begingroup$
So I've been reading about cryptography and one-time pads, which seem to provide theoretically perfect secrecy. My question is does any form of technology today allow data to be stored in a practical way such that information is destroyed upon reading it? I think that magnetic core memory works in a similar way:
To read the value of a core, the core was flipped to the 0 state. If the core was in 1 state previously, the changing magnetic field produced a voltage in the sense wire threaded through the cores. But if the core was in the 0 state to start, the sense line wouldn't pick up a voltage. Thus, forcing a core to 0 revealed the core's previous state (but erased it in the process)
Text source
one-time-pad perfect-secrecy
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
1
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment
|
$begingroup$
So I've been reading about cryptography and one-time pads, which seem to provide theoretically perfect secrecy. My question is does any form of technology today allow data to be stored in a practical way such that information is destroyed upon reading it? I think that magnetic core memory works in a similar way:
To read the value of a core, the core was flipped to the 0 state. If the core was in 1 state previously, the changing magnetic field produced a voltage in the sense wire threaded through the cores. But if the core was in the 0 state to start, the sense line wouldn't pick up a voltage. Thus, forcing a core to 0 revealed the core's previous state (but erased it in the process)
Text source
one-time-pad perfect-secrecy
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
So I've been reading about cryptography and one-time pads, which seem to provide theoretically perfect secrecy. My question is does any form of technology today allow data to be stored in a practical way such that information is destroyed upon reading it? I think that magnetic core memory works in a similar way:
To read the value of a core, the core was flipped to the 0 state. If the core was in 1 state previously, the changing magnetic field produced a voltage in the sense wire threaded through the cores. But if the core was in the 0 state to start, the sense line wouldn't pick up a voltage. Thus, forcing a core to 0 revealed the core's previous state (but erased it in the process)
Text source
one-time-pad perfect-secrecy
one-time-pad perfect-secrecy
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
asked 20 hours ago
Andrija RadicaAndrija Radica
163 bronze badges
163 bronze badges
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Andrija Radica is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
1
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment
|
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
1
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
1
1
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment
|
5 Answers
5
active
oldest
votes
$begingroup$
There are two paths that would be possible without doing something exotic.
Erase the actual bits
Blow the bank.
Erase: When I make analog floating-gates, I use classical physics to program them (put charge on the gate) and a quantum effect of tunneling to pull charge off (make the gate positive). I could tunnel and read concurrently which would erase the bank. This would allow the memory to be reusable and volatile on read. You cannot get the information back.
Blow: When we make digital memory, we read banks. 64k is one of my tiles, the other is 1M. It just depends on who made the blocks. I could make the "read" counter tied to an overflow that would blow an e-fuse. You could repair this (with a lot of cost).
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
$endgroup$
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
add a comment
|
$begingroup$
Practically speaking, I think that - in the realm of cryptography - a HSM is the closest that you can get. A HSM is a tamper-proof box that destructs or disables the keys and data stored within it when it detects distortion.
Of course a HSM is a practical device; it doesn't provide information theoretic certainty that the information will be destroyed. Although it operates as a black box, it is still a physical device and there are certainly attack vectors on it. Internally it is just a computer in a tamper resistant box. These expensive devices are protected against many kinds of side channel attack. They also try and resist transport, by detecting movement and by destroying all data if the power is removed from them (they commonly include a battery / ultra capacitor to store power to do so, or they rely on volatile RAM in the first place. There are cheaper / more limited devices that simply rely on a smart card chip to perform the same functionality; these often are in the form of a largish USB-stick.
One trick you can perform once you have a secure key store that provides cryptographic operations on the keys is to encrypt data with such a key. You could put a limit on the key usage, say 2 - once for writing, once for reading - for symmetric keys, or just 1 usage for a private key decryption. That way the device will prevent user access to the key once it is used to (partially) decrypt the data. As long as the encryption algorithm stays secure, it will become practically impossible to decrypt any data protected by that particular key.
Of course, the entity that just read the data now has the responsibility of keeping the information confidential. I can read a book and then burn it, but now the information in the book is (partially and inefficiently) stored in my memory after all. Reading data does mean that the data is duplicated in another location; reading fundamentally doesn't seem to be destruction of information, rather the propagation of information.
In short, no, I don't think we have a way to do this, but cryptography can certainly help by limiting the requirements for destruction to just a key rather than, for instance, a disk full of information.
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
$endgroup$
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
add a comment
|
$begingroup$
A system that I've worked on uses a spinning hard disk (not SSD or hybrid). The OTP key material is stored on the disk and there is also the outbound encrypter application. When the application is launched, the very first thing it does is to read a single file of key material off the disk. It then immediately erases it by over writing. It does this no matter what happens next, so if you choose not to compose and send a message, you've lost that key material. Also if the application crashes or hits a snag, you've lost that key material. So it's one key file per encrypter invocation.
For the inward case, the decrypter application immediately over writes the key file that matches the inbound message IV (which serves as the filename). If you close the application, forget the message or it faults, you can't get the message back as the key material is gone.
If the user is willing to get on board with the usage protocol, it's the closest I can think of to a read once key store. The system relies on a modicum of user discipline and a hard disk full of material generated via your own trusted TRNG. A few thousand key files should last a while if you're using the OTP in an appropriate manner. And it does mimic a nitro-cellulose OTP booklet in that the operator would destroy the relevant page upon use, but the remaining pages could still fall into enemy hands.
This is clearly a (poor?) compromise but perhaps a little more practical than core storage. And of course it can't be used on non rotary media.
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
$endgroup$
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
add a comment
|
$begingroup$
Ferroelectric RAM is a modern analog to magnetic core memory, from the standpoint that reading it looses the information previously stored (source). Usually there is on-die write-after-read circuitry to prevent information loss (much like that was built in core memory controllers). If that circuitry was removed we'd get a read-once memory.
On the other hand, it is quite possible that a forensic examination of the memory cell with sensitive-enough instruments (Scanning Tunneling Microscope perhaps) would allow recovery of the previous information even after a read; and there's noting to prevent externally making a copy of the information read.
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
$endgroup$
add a comment
|
$begingroup$
There is a very practical way to do something essentially equivalent to storing a long one-time pad: store a 32-byte key $k$, and when you need a page of pad material, take the first 32 bytes of $operatornameChaCha(k)$ as a new key, replacing $k$ in memory, and the remaining bytes—up to about a zettabyte—as your pad.
Voilà! As long as you overwrite the key each time and never leave copies lying around elsewhere, you can extremely efficiently store more bytes of pad material than you can ever use this way, and nobody can ever recover old pads unless you made copies of them elsewhere.
This method is so practical that your computer is probably actually doing it—or a similar technique using AES—right now with the crypto.stackexchange.com web server!
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
$endgroup$
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Andrija Radica is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74508%2fread-once-memory%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
There are two paths that would be possible without doing something exotic.
Erase the actual bits
Blow the bank.
Erase: When I make analog floating-gates, I use classical physics to program them (put charge on the gate) and a quantum effect of tunneling to pull charge off (make the gate positive). I could tunnel and read concurrently which would erase the bank. This would allow the memory to be reusable and volatile on read. You cannot get the information back.
Blow: When we make digital memory, we read banks. 64k is one of my tiles, the other is 1M. It just depends on who made the blocks. I could make the "read" counter tied to an overflow that would blow an e-fuse. You could repair this (with a lot of cost).
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
$endgroup$
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
add a comment
|
$begingroup$
There are two paths that would be possible without doing something exotic.
Erase the actual bits
Blow the bank.
Erase: When I make analog floating-gates, I use classical physics to program them (put charge on the gate) and a quantum effect of tunneling to pull charge off (make the gate positive). I could tunnel and read concurrently which would erase the bank. This would allow the memory to be reusable and volatile on read. You cannot get the information back.
Blow: When we make digital memory, we read banks. 64k is one of my tiles, the other is 1M. It just depends on who made the blocks. I could make the "read" counter tied to an overflow that would blow an e-fuse. You could repair this (with a lot of cost).
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
$endgroup$
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
add a comment
|
$begingroup$
There are two paths that would be possible without doing something exotic.
Erase the actual bits
Blow the bank.
Erase: When I make analog floating-gates, I use classical physics to program them (put charge on the gate) and a quantum effect of tunneling to pull charge off (make the gate positive). I could tunnel and read concurrently which would erase the bank. This would allow the memory to be reusable and volatile on read. You cannot get the information back.
Blow: When we make digital memory, we read banks. 64k is one of my tiles, the other is 1M. It just depends on who made the blocks. I could make the "read" counter tied to an overflow that would blow an e-fuse. You could repair this (with a lot of cost).
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
$endgroup$
There are two paths that would be possible without doing something exotic.
Erase the actual bits
Blow the bank.
Erase: When I make analog floating-gates, I use classical physics to program them (put charge on the gate) and a quantum effect of tunneling to pull charge off (make the gate positive). I could tunnel and read concurrently which would erase the bank. This would allow the memory to be reusable and volatile on read. You cannot get the information back.
Blow: When we make digital memory, we read banks. 64k is one of my tiles, the other is 1M. It just depends on who made the blocks. I could make the "read" counter tied to an overflow that would blow an e-fuse. You could repair this (with a lot of cost).
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
edited 2 hours ago
kelalaka
10.8k3 gold badges28 silver badges55 bronze badges
10.8k3 gold badges28 silver badges55 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
answered 4 hours ago
b degnanb degnan
2,3621 gold badge9 silver badges34 bronze badges
2,3621 gold badge9 silver badges34 bronze badges
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
add a comment
|
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
$begingroup$
blow the bank :)
$endgroup$
– kelalaka
2 hours ago
add a comment
|
$begingroup$
Practically speaking, I think that - in the realm of cryptography - a HSM is the closest that you can get. A HSM is a tamper-proof box that destructs or disables the keys and data stored within it when it detects distortion.
Of course a HSM is a practical device; it doesn't provide information theoretic certainty that the information will be destroyed. Although it operates as a black box, it is still a physical device and there are certainly attack vectors on it. Internally it is just a computer in a tamper resistant box. These expensive devices are protected against many kinds of side channel attack. They also try and resist transport, by detecting movement and by destroying all data if the power is removed from them (they commonly include a battery / ultra capacitor to store power to do so, or they rely on volatile RAM in the first place. There are cheaper / more limited devices that simply rely on a smart card chip to perform the same functionality; these often are in the form of a largish USB-stick.
One trick you can perform once you have a secure key store that provides cryptographic operations on the keys is to encrypt data with such a key. You could put a limit on the key usage, say 2 - once for writing, once for reading - for symmetric keys, or just 1 usage for a private key decryption. That way the device will prevent user access to the key once it is used to (partially) decrypt the data. As long as the encryption algorithm stays secure, it will become practically impossible to decrypt any data protected by that particular key.
Of course, the entity that just read the data now has the responsibility of keeping the information confidential. I can read a book and then burn it, but now the information in the book is (partially and inefficiently) stored in my memory after all. Reading data does mean that the data is duplicated in another location; reading fundamentally doesn't seem to be destruction of information, rather the propagation of information.
In short, no, I don't think we have a way to do this, but cryptography can certainly help by limiting the requirements for destruction to just a key rather than, for instance, a disk full of information.
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
$endgroup$
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
add a comment
|
$begingroup$
Practically speaking, I think that - in the realm of cryptography - a HSM is the closest that you can get. A HSM is a tamper-proof box that destructs or disables the keys and data stored within it when it detects distortion.
Of course a HSM is a practical device; it doesn't provide information theoretic certainty that the information will be destroyed. Although it operates as a black box, it is still a physical device and there are certainly attack vectors on it. Internally it is just a computer in a tamper resistant box. These expensive devices are protected against many kinds of side channel attack. They also try and resist transport, by detecting movement and by destroying all data if the power is removed from them (they commonly include a battery / ultra capacitor to store power to do so, or they rely on volatile RAM in the first place. There are cheaper / more limited devices that simply rely on a smart card chip to perform the same functionality; these often are in the form of a largish USB-stick.
One trick you can perform once you have a secure key store that provides cryptographic operations on the keys is to encrypt data with such a key. You could put a limit on the key usage, say 2 - once for writing, once for reading - for symmetric keys, or just 1 usage for a private key decryption. That way the device will prevent user access to the key once it is used to (partially) decrypt the data. As long as the encryption algorithm stays secure, it will become practically impossible to decrypt any data protected by that particular key.
Of course, the entity that just read the data now has the responsibility of keeping the information confidential. I can read a book and then burn it, but now the information in the book is (partially and inefficiently) stored in my memory after all. Reading data does mean that the data is duplicated in another location; reading fundamentally doesn't seem to be destruction of information, rather the propagation of information.
In short, no, I don't think we have a way to do this, but cryptography can certainly help by limiting the requirements for destruction to just a key rather than, for instance, a disk full of information.
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
$endgroup$
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
add a comment
|
$begingroup$
Practically speaking, I think that - in the realm of cryptography - a HSM is the closest that you can get. A HSM is a tamper-proof box that destructs or disables the keys and data stored within it when it detects distortion.
Of course a HSM is a practical device; it doesn't provide information theoretic certainty that the information will be destroyed. Although it operates as a black box, it is still a physical device and there are certainly attack vectors on it. Internally it is just a computer in a tamper resistant box. These expensive devices are protected against many kinds of side channel attack. They also try and resist transport, by detecting movement and by destroying all data if the power is removed from them (they commonly include a battery / ultra capacitor to store power to do so, or they rely on volatile RAM in the first place. There are cheaper / more limited devices that simply rely on a smart card chip to perform the same functionality; these often are in the form of a largish USB-stick.
One trick you can perform once you have a secure key store that provides cryptographic operations on the keys is to encrypt data with such a key. You could put a limit on the key usage, say 2 - once for writing, once for reading - for symmetric keys, or just 1 usage for a private key decryption. That way the device will prevent user access to the key once it is used to (partially) decrypt the data. As long as the encryption algorithm stays secure, it will become practically impossible to decrypt any data protected by that particular key.
Of course, the entity that just read the data now has the responsibility of keeping the information confidential. I can read a book and then burn it, but now the information in the book is (partially and inefficiently) stored in my memory after all. Reading data does mean that the data is duplicated in another location; reading fundamentally doesn't seem to be destruction of information, rather the propagation of information.
In short, no, I don't think we have a way to do this, but cryptography can certainly help by limiting the requirements for destruction to just a key rather than, for instance, a disk full of information.
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
$endgroup$
Practically speaking, I think that - in the realm of cryptography - a HSM is the closest that you can get. A HSM is a tamper-proof box that destructs or disables the keys and data stored within it when it detects distortion.
Of course a HSM is a practical device; it doesn't provide information theoretic certainty that the information will be destroyed. Although it operates as a black box, it is still a physical device and there are certainly attack vectors on it. Internally it is just a computer in a tamper resistant box. These expensive devices are protected against many kinds of side channel attack. They also try and resist transport, by detecting movement and by destroying all data if the power is removed from them (they commonly include a battery / ultra capacitor to store power to do so, or they rely on volatile RAM in the first place. There are cheaper / more limited devices that simply rely on a smart card chip to perform the same functionality; these often are in the form of a largish USB-stick.
One trick you can perform once you have a secure key store that provides cryptographic operations on the keys is to encrypt data with such a key. You could put a limit on the key usage, say 2 - once for writing, once for reading - for symmetric keys, or just 1 usage for a private key decryption. That way the device will prevent user access to the key once it is used to (partially) decrypt the data. As long as the encryption algorithm stays secure, it will become practically impossible to decrypt any data protected by that particular key.
Of course, the entity that just read the data now has the responsibility of keeping the information confidential. I can read a book and then burn it, but now the information in the book is (partially and inefficiently) stored in my memory after all. Reading data does mean that the data is duplicated in another location; reading fundamentally doesn't seem to be destruction of information, rather the propagation of information.
In short, no, I don't think we have a way to do this, but cryptography can certainly help by limiting the requirements for destruction to just a key rather than, for instance, a disk full of information.
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
edited 2 hours ago
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
answered 6 hours ago
Maarten Bodewes♦Maarten Bodewes
59.2k7 gold badges86 silver badges216 bronze badges
59.2k7 gold badges86 silver badges216 bronze badges
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
add a comment
|
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Though of course this HSM approach can't be used with Andrija's one time pad.
$endgroup$
– Paul Uszak
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
$begingroup$
Um, well, you can store the OTP in a HSM for sure, similar to any other key. But I think the notion of a one-time pad is a bit strained when it comes to destruction of data anyway. So I agree, the relation is as good as not there in my answer, but I wonder how much of it is present in the question.
$endgroup$
– Maarten Bodewes♦
4 hours ago
add a comment
|
$begingroup$
A system that I've worked on uses a spinning hard disk (not SSD or hybrid). The OTP key material is stored on the disk and there is also the outbound encrypter application. When the application is launched, the very first thing it does is to read a single file of key material off the disk. It then immediately erases it by over writing. It does this no matter what happens next, so if you choose not to compose and send a message, you've lost that key material. Also if the application crashes or hits a snag, you've lost that key material. So it's one key file per encrypter invocation.
For the inward case, the decrypter application immediately over writes the key file that matches the inbound message IV (which serves as the filename). If you close the application, forget the message or it faults, you can't get the message back as the key material is gone.
If the user is willing to get on board with the usage protocol, it's the closest I can think of to a read once key store. The system relies on a modicum of user discipline and a hard disk full of material generated via your own trusted TRNG. A few thousand key files should last a while if you're using the OTP in an appropriate manner. And it does mimic a nitro-cellulose OTP booklet in that the operator would destroy the relevant page upon use, but the remaining pages could still fall into enemy hands.
This is clearly a (poor?) compromise but perhaps a little more practical than core storage. And of course it can't be used on non rotary media.
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
$endgroup$
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
add a comment
|
$begingroup$
A system that I've worked on uses a spinning hard disk (not SSD or hybrid). The OTP key material is stored on the disk and there is also the outbound encrypter application. When the application is launched, the very first thing it does is to read a single file of key material off the disk. It then immediately erases it by over writing. It does this no matter what happens next, so if you choose not to compose and send a message, you've lost that key material. Also if the application crashes or hits a snag, you've lost that key material. So it's one key file per encrypter invocation.
For the inward case, the decrypter application immediately over writes the key file that matches the inbound message IV (which serves as the filename). If you close the application, forget the message or it faults, you can't get the message back as the key material is gone.
If the user is willing to get on board with the usage protocol, it's the closest I can think of to a read once key store. The system relies on a modicum of user discipline and a hard disk full of material generated via your own trusted TRNG. A few thousand key files should last a while if you're using the OTP in an appropriate manner. And it does mimic a nitro-cellulose OTP booklet in that the operator would destroy the relevant page upon use, but the remaining pages could still fall into enemy hands.
This is clearly a (poor?) compromise but perhaps a little more practical than core storage. And of course it can't be used on non rotary media.
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
$endgroup$
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
add a comment
|
$begingroup$
A system that I've worked on uses a spinning hard disk (not SSD or hybrid). The OTP key material is stored on the disk and there is also the outbound encrypter application. When the application is launched, the very first thing it does is to read a single file of key material off the disk. It then immediately erases it by over writing. It does this no matter what happens next, so if you choose not to compose and send a message, you've lost that key material. Also if the application crashes or hits a snag, you've lost that key material. So it's one key file per encrypter invocation.
For the inward case, the decrypter application immediately over writes the key file that matches the inbound message IV (which serves as the filename). If you close the application, forget the message or it faults, you can't get the message back as the key material is gone.
If the user is willing to get on board with the usage protocol, it's the closest I can think of to a read once key store. The system relies on a modicum of user discipline and a hard disk full of material generated via your own trusted TRNG. A few thousand key files should last a while if you're using the OTP in an appropriate manner. And it does mimic a nitro-cellulose OTP booklet in that the operator would destroy the relevant page upon use, but the remaining pages could still fall into enemy hands.
This is clearly a (poor?) compromise but perhaps a little more practical than core storage. And of course it can't be used on non rotary media.
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
$endgroup$
A system that I've worked on uses a spinning hard disk (not SSD or hybrid). The OTP key material is stored on the disk and there is also the outbound encrypter application. When the application is launched, the very first thing it does is to read a single file of key material off the disk. It then immediately erases it by over writing. It does this no matter what happens next, so if you choose not to compose and send a message, you've lost that key material. Also if the application crashes or hits a snag, you've lost that key material. So it's one key file per encrypter invocation.
For the inward case, the decrypter application immediately over writes the key file that matches the inbound message IV (which serves as the filename). If you close the application, forget the message or it faults, you can't get the message back as the key material is gone.
If the user is willing to get on board with the usage protocol, it's the closest I can think of to a read once key store. The system relies on a modicum of user discipline and a hard disk full of material generated via your own trusted TRNG. A few thousand key files should last a while if you're using the OTP in an appropriate manner. And it does mimic a nitro-cellulose OTP booklet in that the operator would destroy the relevant page upon use, but the remaining pages could still fall into enemy hands.
This is clearly a (poor?) compromise but perhaps a little more practical than core storage. And of course it can't be used on non rotary media.
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
answered 17 hours ago
Paul UszakPaul Uszak
8,8491 gold badge18 silver badges43 bronze badges
8,8491 gold badge18 silver badges43 bronze badges
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
add a comment
|
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Let me try to make a summary. You're describing an encryption protocol for sending messages, not storing them. The data is not destroyed but the OTP key stream is destroyed, regardless if the key stream gets to use the key stream stored on disk. You then explain that the user needs to keep a strict discipline to delete the OTP key stream. Is that a correct summary? If so, how does it describe a system where data is stored - not send and destroyed upon use? As it is the protocol seems to rely on "user discipline" to destroy any kind of information.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
$begingroup$
@MaartenBodewes No, not quite :-( It's a semi practical answer to the question behind the posted question. And within the operational context of a OTP user. It's very similar to the role of core storage and flash paper, both of which can be transferred and infinitely replicated elsewhere. The discipline is not to do so. If the user doesn't mess around and copy the key material off elsewhere, it self deletes on normal use/read. Seems to be what the question's about...
$endgroup$
– Paul Uszak
7 hours ago
add a comment
|
$begingroup$
Ferroelectric RAM is a modern analog to magnetic core memory, from the standpoint that reading it looses the information previously stored (source). Usually there is on-die write-after-read circuitry to prevent information loss (much like that was built in core memory controllers). If that circuitry was removed we'd get a read-once memory.
On the other hand, it is quite possible that a forensic examination of the memory cell with sensitive-enough instruments (Scanning Tunneling Microscope perhaps) would allow recovery of the previous information even after a read; and there's noting to prevent externally making a copy of the information read.
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
$endgroup$
add a comment
|
$begingroup$
Ferroelectric RAM is a modern analog to magnetic core memory, from the standpoint that reading it looses the information previously stored (source). Usually there is on-die write-after-read circuitry to prevent information loss (much like that was built in core memory controllers). If that circuitry was removed we'd get a read-once memory.
On the other hand, it is quite possible that a forensic examination of the memory cell with sensitive-enough instruments (Scanning Tunneling Microscope perhaps) would allow recovery of the previous information even after a read; and there's noting to prevent externally making a copy of the information read.
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
$endgroup$
add a comment
|
$begingroup$
Ferroelectric RAM is a modern analog to magnetic core memory, from the standpoint that reading it looses the information previously stored (source). Usually there is on-die write-after-read circuitry to prevent information loss (much like that was built in core memory controllers). If that circuitry was removed we'd get a read-once memory.
On the other hand, it is quite possible that a forensic examination of the memory cell with sensitive-enough instruments (Scanning Tunneling Microscope perhaps) would allow recovery of the previous information even after a read; and there's noting to prevent externally making a copy of the information read.
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
$endgroup$
Ferroelectric RAM is a modern analog to magnetic core memory, from the standpoint that reading it looses the information previously stored (source). Usually there is on-die write-after-read circuitry to prevent information loss (much like that was built in core memory controllers). If that circuitry was removed we'd get a read-once memory.
On the other hand, it is quite possible that a forensic examination of the memory cell with sensitive-enough instruments (Scanning Tunneling Microscope perhaps) would allow recovery of the previous information even after a read; and there's noting to prevent externally making a copy of the information read.
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
answered 4 hours ago
fgrieufgrieu
85.6k7 gold badges190 silver badges376 bronze badges
85.6k7 gold badges190 silver badges376 bronze badges
add a comment
|
add a comment
|
$begingroup$
There is a very practical way to do something essentially equivalent to storing a long one-time pad: store a 32-byte key $k$, and when you need a page of pad material, take the first 32 bytes of $operatornameChaCha(k)$ as a new key, replacing $k$ in memory, and the remaining bytes—up to about a zettabyte—as your pad.
Voilà! As long as you overwrite the key each time and never leave copies lying around elsewhere, you can extremely efficiently store more bytes of pad material than you can ever use this way, and nobody can ever recover old pads unless you made copies of them elsewhere.
This method is so practical that your computer is probably actually doing it—or a similar technique using AES—right now with the crypto.stackexchange.com web server!
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
$endgroup$
add a comment
|
$begingroup$
There is a very practical way to do something essentially equivalent to storing a long one-time pad: store a 32-byte key $k$, and when you need a page of pad material, take the first 32 bytes of $operatornameChaCha(k)$ as a new key, replacing $k$ in memory, and the remaining bytes—up to about a zettabyte—as your pad.
Voilà! As long as you overwrite the key each time and never leave copies lying around elsewhere, you can extremely efficiently store more bytes of pad material than you can ever use this way, and nobody can ever recover old pads unless you made copies of them elsewhere.
This method is so practical that your computer is probably actually doing it—or a similar technique using AES—right now with the crypto.stackexchange.com web server!
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
$endgroup$
add a comment
|
$begingroup$
There is a very practical way to do something essentially equivalent to storing a long one-time pad: store a 32-byte key $k$, and when you need a page of pad material, take the first 32 bytes of $operatornameChaCha(k)$ as a new key, replacing $k$ in memory, and the remaining bytes—up to about a zettabyte—as your pad.
Voilà! As long as you overwrite the key each time and never leave copies lying around elsewhere, you can extremely efficiently store more bytes of pad material than you can ever use this way, and nobody can ever recover old pads unless you made copies of them elsewhere.
This method is so practical that your computer is probably actually doing it—or a similar technique using AES—right now with the crypto.stackexchange.com web server!
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
$endgroup$
There is a very practical way to do something essentially equivalent to storing a long one-time pad: store a 32-byte key $k$, and when you need a page of pad material, take the first 32 bytes of $operatornameChaCha(k)$ as a new key, replacing $k$ in memory, and the remaining bytes—up to about a zettabyte—as your pad.
Voilà! As long as you overwrite the key each time and never leave copies lying around elsewhere, you can extremely efficiently store more bytes of pad material than you can ever use this way, and nobody can ever recover old pads unless you made copies of them elsewhere.
This method is so practical that your computer is probably actually doing it—or a similar technique using AES—right now with the crypto.stackexchange.com web server!
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
answered 1 hour ago
Squeamish OssifrageSqueamish Ossifrage
33.4k2 gold badges57 silver badges142 bronze badges
33.4k2 gold badges57 silver badges142 bronze badges
add a comment
|
add a comment
|
Andrija Radica is a new contributor. Be nice, and check out our Code of Conduct.
Andrija Radica is a new contributor. Be nice, and check out our Code of Conduct.
Andrija Radica is a new contributor. Be nice, and check out our Code of Conduct.
Andrija Radica is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74508%2fread-once-memory%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
For magnetic cores, an adversary with access to that can read the information and then just write it back while keeping the information. The only thing that can't be copied without noticing is qbits in quantum key exchange, as far as I am aware.
$endgroup$
– tylo
13 hours ago
$begingroup$
@tylo Yes, I was going to add the qbit thingie, but as far I know they can't be stored, so I didn't. There's an interesting conceptualisation in the Alien Encounters docu-drama. You might be able to have a sealed and highly reflective box that can trap photons indefinitely. That would address the storage part of the question. By extension, a pair of such boxes filled with entangled photons would allow instantaneous communication over infinite distance....
$endgroup$
– Paul Uszak
7 hours ago
1
$begingroup$
As you can see the current answers kind of focus on hardware solutions; it won't be easy - if at all possible - to find an algorithmic solution to the problem.
$endgroup$
– Maarten Bodewes♦
2 hours ago