[cryptography] One Time Pad Cryptanalysis

Florian Weimer fw at deneb.enyo.de
Mon Sep 30 15:27:44 EDT 2013


* Lodewijk andré de la porte:

[OTP assumptions]

> 1. Good source. P[i] must be independent of anything in P and of the method
> to generate P. "Random", you'd typically say. Fully unpredictable might be
> more clear (given people's unclarity about what's random).
> 2. No leak of P

3. Message integrity does not matter.
4. The security proof assumes there is only one message, ever.

The proof is simply not correct for multiple messages, and OTP does
not provide unconditional security for the multi-message case anyway.

> I'm really frustrated with people claiming OTP is insecure. I don't
> understand how it is and I cannot seem to construe any angles of attack.

This attack would work against an OTP, too:

Wright et al., "Spot me if you can: Uncovering spoken phrases in
encrypted VoIP conversations".
<http://cs.unc.edu/~fabian/papers/oakland08.pdf>

The basic issue has recently been rediscovered in the context of
HTTP(S).
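
Added illustration, not part of the original message: a Python sketch of points 3 and 4 above and of the length leak that the cited VoIP attack relies on, all under a perfectly random pad. The function names and sample messages are constructed for this example.

```python
import secrets

def fresh_pad(n: int) -> bytes:
    """Uniformly random pad of n bytes (assumptions 1 and 2 hold)."""
    return secrets.token_bytes(n)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp(pad: bytes, data: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR."""
    return xor(pad, data)

def rewrite_without_pad(ct: bytes, known: bytes, wanted: bytes) -> bytes:
    """Point 3: with no integrity check, XORing known^wanted into the
    ciphertext turns one plaintext into another; the pad is never needed."""
    return xor(ct, xor(known, wanted))

def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Point 4: two messages under one pad. The pad cancels, leaving p1^p2."""
    return xor(ct1, ct2)

def candidates_by_length(ct: bytes, phrases: list[bytes]) -> list[bytes]:
    """Length leak: the ciphertext is exactly as long as the plaintext, so an
    observer can discard every candidate phrase of a different length."""
    return [p for p in phrases if len(p) == len(ct)]

if __name__ == "__main__":
    # Constructed sample messages, for illustration only.
    p1, p2 = b"PAY 100 USD", b"PAY 900 USD"
    pad = fresh_pad(len(p1))
    ct = otp(pad, p1)
    print(otp(pad, rewrite_without_pad(ct, p1, p2)))        # decrypts to p2
    print(pad_reuse_leak(ct, otp(pad, p2)) == xor(p1, p2))  # pad cancelled
    phrases = [b"yes", b"no", b"maybe later"]
    print(candidates_by_length(otp(fresh_pad(2), b"no"), phrases))
```

Authenticating the ciphertext addresses the first case, never reusing pad bytes the second, and padding messages to a fixed length the third; none of these is part of the OTP itself.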

