Re: [Cfrg] Repeated one-time pad

"Paterson, Kenny" <> Thu, 14 July 2011 20:45 UTC

From: "Paterson, Kenny" <>
To: Yaron Sheffer <>, Crypto Forum Research Group <>
Date: Thu, 14 Jul 2011 20:45:03 +0000

Hi Yaron,

The paper you want is by Mason et al. from CCS a few years back:


  author    = {Joshua Mason and
               Kathryn Watkins and
               Jason Eisner and
               Adam Stubblefield},
  title     = {A natural language approach to automated cryptanalysis of
               two-time pads},
  booktitle = {ACM Conference on Computer and Communications Security},
  year      = {2006},
  pages     = {235-244},
  ee        = {},
  crossref  = {DBLP:conf/ccs/2006usa},
  bibsource = {DBLP,}

I had a masters student re-implement the algorithms in this paper last summer - they performed very well, but not quite as well as the authors indicated in their paper.



On 14 Jul 2011, at 20:41, Yaron Sheffer wrote:

Regarding "immediate key disclosure": it is well known that reuse of a stream cipher or a one-time pad with different plaintexts leads to immediate exposure of the plaintext (see e.g. ). For a course I am teaching, I would appreciate pointers to the algorithms that are used for this cryptanalysis and/or source code that implements this attack.


Message: 2
Date: Thu, 14 Jul 2011 10:00:44 +0200
From: Simon Josefsson <>
To: Ted Krovetz <>
Cc: <>
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft
Content-Type: text/plain

Ted Krovetz <> writes:
> I have just submitted an internet-draft for OCB to the IETF.
>
> I'd appreciate any comments you may have on how to make the draft better.

It would help if you explained (in the security considerations) what
happens if a nonce is repeated.  The question of failure modes of
authenticated encryption modes has come up in several different
contexts.  It turns out that different AEAD modes have different failure

In particular, you want to address whether repeat of a nonce leads to
immediate key disclosure, or whether the key can be found after some
computation faster than obvious attacks, or whether it can only lead to
recovery of the plaintext, and/or whether it depends on the plaintext as
well (e.g., something interesting happens if the plaintexts are related).

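Added example (not code from this thread, and not the Mason et al. algorithm): the classical hand technique behind Yaron's question, which is what any stream cipher or pad reduces to once the same keystream covers two different plaintexts. XORing the two ciphertexts cancels the keystream and leaves p1 ^ p2; a guessed word ("crib") is then slid along that value, and every offset where the result looks like text reveals a fragment of the other message. The two plaintexts, the word list alphabet (lowercase letters and spaces) and the function names are all constructed here for illustration; the space heuristic relies on the ASCII property that letter ^ letter is never a letter while space ^ letter is the same letter with its case flipped.

```python
"""Keystream reuse ("two-time pad") recovery by crib dragging.

Added example for this thread; it is not code from the list or from
Mason et al.  It shows the classical manual technique (XOR the two
ciphertexts, then slide guessed words across the result), not the
language-model search of the CCS 2006 paper.
"""
import os
import string

# Constructed sample plaintexts, equal length for simplicity.
P1 = b"attack the castle at dawn with all the troops"
P2 = b"retreat to the harbour at dusk and wait there"
KEYSTREAM = os.urandom(len(P1))     # one pad, wrongly used for both messages

# Assumed alphabet of the plaintexts: lowercase letters and spaces.
LOWER_TEXT = set(string.ascii_lowercase + " ")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """A one-time pad or stream cipher is just XOR with the keystream."""
    return xor_bytes(keystream, plaintext)


def plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """c1 ^ c2 = (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2: the shared keystream cancels,
    so the attacker never needs the key to start working on the plaintexts."""
    return xor_bytes(c1, c2)


def likely_space_positions(pxor: bytes) -> set:
    """Positions where exactly one plaintext has a space.

    For ASCII, letter ^ letter clears bit 0x40 and so is never a letter,
    while space (0x20) ^ letter is the same letter with its case flipped.
    Hence an alphabetic byte in p1 ^ p2 means one side is a space and the
    other is that letter (assumes text made of letters and spaces; digits
    and punctuation can produce false positives).
    """
    return {i for i, b in enumerate(pxor) if b < 0x80 and chr(b).isalpha()}


def crib_drag(pxor: bytes, crib: bytes, alphabet=LOWER_TEXT) -> list:
    """Slide a guessed fragment of one plaintext along p1 ^ p2.

    At the right offset, pxor[off:] ^ crib is the other plaintext's bytes;
    at wrong offsets it is usually garbage, so keep only offsets whose
    result lies entirely in the expected alphabet.  Returns (offset,
    fragment) pairs; the analyst reads them and keeps those that make sense.
    """
    hits = []
    for off in range(len(pxor) - len(crib) + 1):
        fragment = xor_bytes(pxor[off:off + len(crib)], crib)
        if all(chr(b) in alphabet for b in fragment):
            hits.append((off, fragment))
    return hits


def recover_keystream(ciphertext: bytes, known: bytes, off: int) -> bytes:
    """Once a plaintext fragment is confirmed, c ^ p gives the keystream
    bytes at that offset, which decrypt the same span of the other message
    (and of any further message encrypted under the same keystream)."""
    return xor_bytes(ciphertext[off:off + len(known)], known)


if __name__ == "__main__":
    c1 = otp_encrypt(KEYSTREAM, P1)
    c2 = otp_encrypt(KEYSTREAM, P2)
    pxor = plaintext_xor(c1, c2)
    print("positions where one message has a space:",
          sorted(likely_space_positions(pxor)))
    for off, frag in crib_drag(pxor, b" the "):
        print(f"crib ' the ' at offset {off:2d} reveals {frag!r}")
    # Confirm the hit at offset 6 and use it to read the other message there.
    ks = recover_keystream(c1, P1[6:11], 6)
    print("c2 decrypted at 6..10:", xor_bytes(c2[6:11], ks))
```

The crib " the " lands correctly at offsets 6 and 34 of the first message and 10 of the second, each revealing five bytes of the other text; a few wrong offsets may also pass the alphabet filter, which is why the manual method needs a human (or, as in Mason et al., a language model) to rank candidates and extend them word by word. The same reduction applies to any stream-cipher or counter-mode construction whose nonce is repeated: the attacker recovers plaintext directly, without ever learning the key, which is the "recovery of the plaintext" failure mode Simon distinguishes from key disclosure.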