Re: [Cfrg] Repeated one-time pad

On Thu, Jul 14, 2011 at 3:41 PM, Yaron Sheffer <yaronf.ietf@gmail.com>wrote:

> Regarding "immediate key disclosure": is is well known that reuse of a
> stream cipher or a one-time pad with different plaintexts leads to immediate
> exposure of the plaintext (see e.g. http://en.wikipedia.org/wiki/**
> One-time_pad#True_randomness<http://en.wikipedia.org/wiki/One-time_pad#True_randomness>).
> For a course I am teaching, I would appreciate pointers to the algorithms
> that are used for this cryptanalysis and/or source code that implements this
> attack.
>
> The attack is pretty simple and can be done by hand.

If (as was common in the spy world) the one time pad was just XORed (or
summed) with the plain text, XOR'ing two of cipher-texts with the same
 "one-time" pad in the same phase yields an XOR  of the two underlying
plain-texts, which lends itself to plaintext cribs and a "crab-like"
attack (i.e., if you can guess one word in one plain-text, it will, when
XORed with the XOR of the two cipher-texts, reveal part of the other
plain-text, which, when extended, then will  reveal more of the first
plain-text, and so on until both are decrypted. Even if the phase of the OTP
isn't known (e.g., if there is filler text at the beginning), it should be
easy to determine it using the index of coincidence (which should peak when
the OTPs are aligned in phase).

This is (from my understanding) how the Venona break was done.

Sounds like a reasonable pen and paper exercise for your students for me.

Now, what I have is always wondered is whether the non-randomness of the
Russian OTPs used in their spy work was  enough to have a break without
reuse of the OTPs. (These were prepared by typists instructed to type
randomly, and so weren't entirely random, for example letters were almost
never doubled and a left hand letter was generally followed by a right hand
letter. Not a lot of non-randomness, but a little can go a long way...)

Regards
Marshall

> Thanks,
>    Yaron
>
> Message: 2 Date: Thu, 14 Jul 2011 10:00:44 +0200 From: Simon Josefsson <
> simon@josefsson.org> To: Ted Krovetz <ted@krovetz.net> Cc: cfrg@irtf.orgSubject: Re: [Cfrg] Request For Comments: OCB Internet-Draft Message-ID: <
> 87ipr5gukz.fsf@latte.**josefsson.org <87ipr5gukz.fsf@latte.josefsson.org>>
> Content-Type: text/plain Ted Krovetz <ted@krovetz.net> writes:
>
>> I have just submitted an internet-draft for OCB to the IETF.
>>>
>>>   http://datatracker.ietf.org/**doc/draft-krovetz-ocb<http://datatracker.ietf.org/doc/draft-krovetz-ocb>
>>>
>>> I'd appreciate any comments you may have on how to make the draft better.
>>>
>> It would help if you explained (in the security considerations) what
>> happens if a nonce is repeated.  The question of failure modes of
>> authenticated encryption modes has come up in several different
>> contexts.  It turns out that different AEAD modes have different failure
>> properties.
>>
>> In particular, you want to address whether repeat of a nonce leads to
>> immediate key disclosure, or whether the key can be found after some
>> computation faster than obvious attacks, or whether it can only lead to
>> recovery of the plaintext, and/or whether it depends on the plaintext as
>> well (e.g., something interesting happens if the plaintexts are related).
>>
>>
> ______________________________**_________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/**listinfo/cfrg<http://www.irtf.org/mailman/listinfo/cfrg>
>