[cryptography] One Time Pad Cryptanalysis

Florian Weimer fw at deneb.enyo.de
Wed Oct 2 02:51:15 EDT 2013


* Lodewijk andré de la porte:

> 2013/9/30 Florian Weimer <fw at deneb.enyo.de>
>
>> 3. Message integrity does not matter.
>> 4. The security proof assumes there is only one message, ever.
>
>
> 3 and your paper about VOIP regard traffic analysis. I'm not sure what else
> 3 refers to. Certainly a known plaintext attack would negate that part of
> the message, but then it wasn't very encrypted in the first place, was it?
> Then you can of course replace part of the message, and if you have a
> partial plaintext you might even make it not-garbled, but then still I
> think you should apply mixing/scrambling before OTP'ing your plaintext.

Surely that invalidates the security proof. :-)

> 4 regards the notion that a One-Time-Pad is only used One-Time.

Sorry, not what I meant.  Even if you avoid reuse of key material, it
is not (provably) secure to send more than one message.

> I might've misunderstood the meaning of these points. I'd like to have
> misunderstood, then there is something to learn.

I'm trying to argue that OTP is broken according to the standards
we require from generic encryption protocols such as TLS.  Or that
there is a large gap between the security proof and reality, making
the proof rather pointless.

> P.S.: Why is that paper 15 pages long? I mean, really. It's just
> correlating input letter (in voice), where possible, with the output
> bandwidth and its changes.

There is widespread belief that compressing before encrypting makes
cryptanalysis harder, so compression is assumed to be beneficial.
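
Added example, not part of the original post: the message-integrity point from the thread (someone who knows part of the plaintext can replace it in an OTP ciphertext without garbling anything), next to an encrypt-then-MAC check that rejects the change. The message is constructed, the function names are hypothetical, and HMAC-SHA256 is an assumed choice of tag.

```python
import hashlib
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def otp(pad: bytes, data: bytes) -> bytes:
    """One-time pad: XOR with the pad both encrypts and decrypts."""
    return xor_bytes(pad, data)

def substitute(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Change a known plaintext span in transit, without the pad:
    c' = c XOR known XOR wanted, so the receiver decrypts `wanted`."""
    end = offset + len(known)
    delta = xor_bytes(known, wanted)
    return ct[:offset] + xor_bytes(ct[offset:end], delta) + ct[end:]

def seal(pad: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: OTP ciphertext followed by an HMAC-SHA256 tag."""
    ct = otp(pad, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(pad: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Check the tag before decrypting; reject any modified ciphertext."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return otp(pad, ct)

if __name__ == "__main__":
    message = b"PAY 0100 EUR TO ALICE"          # constructed sample message
    pad = secrets.token_bytes(len(message))     # fresh pad, used once
    mac_key = secrets.token_bytes(32)           # separate key for the tag

    # Bare OTP: the altered ciphertext decrypts cleanly to a different message.
    altered = substitute(otp(pad, message), 4, b"0100", b"9100")
    print(otp(pad, altered))                    # b'PAY 9100 EUR TO ALICE'

    # With a tag over the ciphertext, the same change is rejected.
    sealed = seal(pad, mac_key, message)
    tampered = substitute(sealed[:-32], 4, b"0100", b"9100") + sealed[-32:]
    try:
        open_sealed(pad, mac_key, tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

HMAC is a computational MAC, so the tag's guarantee is separate from the OTP's information-theoretic secrecy proof.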

