Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxn!ihnp4!qantel!lll-lcc!lll-crg!seismo!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn)
Newsgroups: net.crypt
Subject: Re: one-time pads etc.
Message-ID: <329@brl-smoke.ARPA>
Date: Sun, 27-Apr-86 22:02:44 EDT
Article-I.D.: brl-smok.329
Posted: Sun Apr 27 22:02:44 1986
Date-Received: Fri, 2-May-86 22:39:52 EDT
References: <2507@decwrl.DEC.COM>
Reply-To: gwyn@brl.ARPA
Organization: Ballistic Research Lab (BRL)
Lines: 30

In article <2507@decwrl.DEC.COM> koning@koning.DEC (Paul Koning -- LAS Engineering) writes:
>Isn't one-time pad the ONLY (theoretically, rather than computationally)
>secure cryptosystem?

No; this is a common misconception. The one-time pad is secure against
statistical attacks on the ciphertext, but not against stealing the key!
Also, consider a 1-1 mapping via one-time pad used to respond to a known
message: "Do you need an escape route?"; if the response is "XZW" we can
pretty reliably assume that it says "Yes" rather than "No".

However, in the sense in which you probably meant it, a one-time pad
system using truly random keys is safe against mathematical cryptanalysis.

On the other hand, other cryptosystems can also be theoretically secure
(to a specified confidence level) against statistical attacks. If the
combination of intrinsic structural complexity, key length, plaintext
nonredundancy, and key change interval is adequate, a system will be
secure at a certain confidence level. The strength of such a system is
measured by its "unicity distance", which you can find briefly discussed
in some of the open literature (e.g., Kahn's "The Codebreakers", I think).

I don't know if the exact statement of the theorem is public knowledge or
not, but this is a relatively simple application of information theory;
are there any information theorists out there who haven't worked for NSA
who would like to formulate the theorem accurately for this newsgroup?

You can be sure that NSA doesn't insist on true one-time 1-1 keys for all
its approved cryptosystems (that's just not operationally feasible for
heavy traffic volume), yet it clearly has confidence in their security.
On the other hand, last I heard, it does NOT authorize use of DES, nor, I
believe, RSA, for protecting classified information. Draw your own
conclusions.
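Editor's added example (not part of Gwyn's post, and not code from any of the systems he mentions): the "unicity distance" he refers to is Shannon's N = H(K) / D, where H(K) is the key entropy in bits and D is the plaintext redundancy per symbol. The script below computes it for a shift cipher and for simple substitution, then shows by brute force that the number of keys giving a plausible decryption collapses once the ciphertext is longer than N, and shows the two one-time-pad properties from the post: every same-length plaintext is consistent with a given ciphertext (no statistical attack possible), while the ciphertext length itself is exposed, so a three-letter reply cannot be "No". The 1.5 bits-per-letter figure for English is Shannon's rough estimate, assumed here, and the word list is a constructed toy dictionary standing in for "plausible English".

```python
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LOG2_ALPHABET = math.log2(len(ALPHABET))   # ~4.70 bits per letter if letters were uniform

# Assumed figure: Shannon's rough estimate of ~1.5 bits of information per
# letter of English; the remainder of each letter's 4.70 bits is redundancy.
ENGLISH_ENTROPY_PER_LETTER = 1.5
ENGLISH_REDUNDANCY = LOG2_ALPHABET - ENGLISH_ENTROPY_PER_LETTER   # ~3.2 bits/letter


def unicity_distance(key_entropy_bits, redundancy_bits_per_symbol):
    """Shannon's unicity distance N = H(K) / D: the ciphertext length beyond
    which, on average, only one key decrypts to something plausible."""
    if redundancy_bits_per_symbol <= 0:
        return float("inf")      # no redundancy for the analyst to exploit
    return key_entropy_bits / redundancy_bits_per_symbol


def substitution_unicity_distance():
    """Simple substitution: 26! keys, so H(K) = log2(26!) ~ 88.4 bits."""
    return unicity_distance(math.log2(math.factorial(26)), ENGLISH_REDUNDANCY)


def shift_encrypt(plaintext, key):
    """Caesar shift: one key with 26 choices, so H(K) = log2(26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)


def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, -key)


# Constructed toy dictionary standing in for "plausible English".
WORDS = {"a", "i", "am", "an", "as", "at", "be", "by", "do", "go", "he", "if",
         "in", "is", "it", "me", "my", "no", "of", "on", "or", "so", "to",
         "up", "us", "we", "yes", "pad", "key", "need", "hello", "escape", "route"}


def plausible_keys(ciphertext, words=WORDS):
    """Every shift key whose decryption is a dictionary word. Past the unicity
    distance (~1.5 letters for this cipher) the list collapses to the true key."""
    return [k for k in range(26) if shift_decrypt(ciphertext, k) in words]


def random_pad(n):
    """n independent, uniformly random key letters (a true one-time pad)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def otp_encrypt(plaintext, pad):
    """Letter-wise one-time pad: each letter is shifted by its own pad letter."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext, pad):
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def otp_pad_for(ciphertext, plaintext):
    """The pad that would turn `plaintext` into `ciphertext`. One exists for
    every plaintext of the same length, so the ciphertext alone reveals nothing
    about the content; only its length is exposed."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("no pad can change the length of a message")
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for c, p in zip(ciphertext, plaintext))


def otp_unicity_distance(message_length):
    """For an n-letter pad H(K) = n*log2(26), so N = n*4.70/3.20 > n: the
    unicity distance recedes faster than the message grows and is never reached."""
    return unicity_distance(message_length * LOG2_ALPHABET, ENGLISH_REDUNDANCY)


if __name__ == "__main__":
    print("shift cipher unicity distance: %.2f letters"
          % unicity_distance(LOG2_ALPHABET, ENGLISH_REDUNDANCY))
    print("simple substitution unicity distance: %.2f letters"
          % substitution_unicity_distance())
    for msg in ("a", "no", "yes"):
        ct = shift_encrypt(msg, 3)
        print("shift ciphertext %r -> plausible keys %s" % (ct, plausible_keys(ct)))
    ct = otp_encrypt("yes", random_pad(3))
    print("OTP ciphertext %r fits 'yes' via pad %r and 'pad' via pad %r"
          % (ct, otp_pad_for(ct, "yes"), otp_pad_for(ct, "pad")))
    print("OTP unicity distance for a 3-letter message: %.2f letters"
          % otp_unicity_distance(3))
```

With the toy dictionary a one-letter shift ciphertext still has two plausible keys (the decryptions "a" and "i"), while two- and three-letter ciphertexts already single out the true key, matching a unicity distance of about 1.5 letters. For the pad, `otp_pad_for` succeeds for any three-letter candidate and refuses "no", which is exactly the length leak in the post.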