[cryptography] One Time Pad Cryptanalysis

Lodewijk andré de la porte l at odewijk.nl
Tue Oct 1 19:54:57 EDT 2013


2013/9/30 Florian Weimer <fw at deneb.enyo.de>

> 3. Message integrity does not matter.
> 4. The security proof assumes there is only one message, ever.


3 and your paper about VOIP regard traffic analysis. I'm not sure what else
3 refers to. Certainly a known plaintext attack would negate that part of
the message, but then it wasn't very encrypted in the first place, was it?
Then you can of course replace part of the message, and if you have a
partial plaintext you might even make it not-garbled, but then still I
think you should apply mixing/scrambling before OTP'ing your plaintext.
There's quite a selection of ways to do that.

I agree this is relevant in some applications. In others it can be fixed.
For example by mixing by doing AES (or something better) with the first x
bits of the OTP. Just to mix, not to encrypt. But then a (major) flaw in
AES could provide the opponent with a partial plaintext attack against AES
an attack on whatever touched that data in the OTP'ed output. Hmm. Even a
simple mixer exclusively using the beginning of the pad for secret
information must be able to simply mix the input. AES should be able to do
that much, I doubt it would be so broken it wouldn't do that.

And of course I don't think we can consider traffic analysis a breach of
encryption. Not that I think it's not a breach. But it's not related to OTP.
You could apply traffic analysis even on plaintext. Point is that it's a
breach of security from another piece of the system (the whole) than the
one we are discussing.

4 regards the notion that a One-Time-Pad is only used One-Time. I agree,
but reuse of any form will either make P leak or it will not be a problem.
There's no real reason to use P multiple times and it is very hard to be
sure you are not leaking information about P when you reuse. I judge this
4th requirement to be redundant to requirement 2. Although it is still
correct, of course.

I might've misunderstood the meaning of these points. I'd like to have
misunderstood, then there is something to learn.

P.S.: Why is that paper 15 pages long? I mean, really. It's just
correlating input letter (in voice), where possible, with the output
bandwidth and its changes. Of course there are hundreds of little annoying
things from several disciplines. I guess they did it thoroughly, then the
paper should be thorough. Fine.
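The two properties argued over above, malleability (point 3) and pad reuse (point 4), are easy to see in a few lines of XOR. The following Python is an added example for readers of the thread, not code posted by either participant. It uses a constructed 32-byte toy pad and a separate, constructed HMAC key; the names `otp_encrypt`, `verify_and_decrypt`, `demo_malleability` and `demo_pad_reuse` are the example's own. It shows that flipping a ciphertext bit flips the same plaintext bit unless an integrity tag over the ciphertext is checked, and that two messages under the same pad prefix XOR to the XOR of the plaintexts, so one known plaintext hands over that part of the pad.

```python
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad: ciphertext is msg XOR a prefix of the pad."""
    if len(msg) > len(pad):
        raise ValueError("pad exhausted")
    return xor_bytes(msg, pad[:len(msg)])


def otp_decrypt(pad: bytes, ct: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(pad, ct)


def mac_tag(mac_key: bytes, ct: bytes) -> bytes:
    """Integrity tag over the ciphertext (encrypt-then-MAC with HMAC-SHA256)."""
    return hmac.new(mac_key, ct, hashlib.sha256).digest()


def verify_and_decrypt(pad: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Return the plaintext only if the tag verifies; otherwise None."""
    if not hmac.compare_digest(mac_tag(mac_key, ct), tag):
        return None
    return otp_decrypt(pad, ct)


# Constructed sample material for the example. A real pad comes from a true
# random source, and the MAC key must be independent of the pad bytes used
# for encryption (e.g. a separate segment of the pad, as the thread suggests).
PAD = bytes((i * 37 + 11) & 0xFF for i in range(32))
MAC_KEY = b"constructed-mac-key-for-example!"


def demo_malleability() -> dict:
    """Point 3: without integrity, a ciphertext bit flip is a plaintext bit flip."""
    msg = b"PAY 100 TO ALICE"
    ct = otp_encrypt(PAD, msg)
    tag = mac_tag(MAC_KEY, ct)
    # Flip bits at ciphertext index 4: '1' (0x31) XOR 0x08 gives '9' (0x39).
    mask = bytes(0x08 if i == 4 else 0 for i in range(len(ct)))
    tampered = xor_bytes(ct, mask)
    return {
        "plain_decrypt_of_tampered": otp_decrypt(PAD, tampered),
        "mac_accepts_original": verify_and_decrypt(PAD, MAC_KEY, ct, tag),
        "mac_accepts_tampered": verify_and_decrypt(PAD, MAC_KEY, tampered, tag),
    }


def demo_pad_reuse() -> dict:
    """Point 4: reusing a pad prefix leaks it as soon as one plaintext is known."""
    m1 = b"MEET AT NOON    "
    m2 = b"HELLO FROM BOB  "
    c1 = otp_encrypt(PAD, m1)
    c2 = otp_encrypt(PAD, m2)  # same pad prefix reused: the mistake
    pad_leak = xor_bytes(c1, m1)  # anyone holding m1 now holds PAD[:16]
    return {
        "ct_xor_equals_pt_xor": xor_bytes(c1, c2) == xor_bytes(m1, m2),
        "leaked_pad_prefix": pad_leak,
        "m2_from_leaked_pad": xor_bytes(c2, pad_leak),
    }


if __name__ == "__main__":
    print(demo_malleability())
    print(demo_pad_reuse())
```

The MAC here is the "message integrity" that point 3 says the OTP proof does not cover: the pad still hides the plaintext perfectly, but only the tag tells the receiver that nobody XORed a mask into the ciphertext on the way.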