[cryptography] One Time Pad Cryptanalysis

Jeffrey Goldberg jeffrey at goldmark.org
Thu Sep 26 16:09:48 EDT 2013

On 2013-09-26, at 1:49 PM, Michael Rogers <michael at briarproject.org> wrote:

> Reuse of pads is also disastrous - VENONA made […]

Forgive me for taking this opportunity to repeat an earlier rant, but your example provides the perfect example.

When a one time pad is operated perfectly, it provides perfect secrecy; but once it is operationed with small deviations from perfection it provides terrible security. Things that approximate the OTP in operation do not approximate it in security. This is a very good reason to steer people away form it.

This is an example of why we need to pay attention to how easy it is to screw things up and how badly things fail. For example, CBC mode will degrade proportionally with how poorly IVs are selected. CTR, on the other hand, can degrade catastrophically with poor nonces.

Another example is that we prefer ciphers which are not vulnerable to related key attacks even though we expect good system design to not use related keys in the first place.

I’m suggesting that when offering advice to application developers on what sorts of systems to use, we should explicitly consider how easy it is for them to screw it up and how bad things get when they do.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4393 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130926/e7dd551a/attachment.p7s>

More information about the cryptography mailing list