3

In one-time pads we always say do not use the same key twice to encrypt ASCII messages, but if we use a random key to XOR a random binary message and then reuse the same key for XORing new random messages, will that compromise our key? Or is attacking reused keys for random messages infeasible?

midhunhk
  • 1,141
  • 2
  • 13
  • 19
lanc
  • 31
  • 2
  • What kind of randomness for the message are we talking about? Truly random or pseudorandom? – mikeazo Mar 27 '13 at 14:47
  • @mikeazo♦ The random message comes from a very strong PRNG, but our key might be very strongly random or may not be very strong. – lanc Mar 27 '13 at 14:56
  • 1
    In cryptography, it is standard practice to assume the plaintext of one message (or/and some of the plaintext) gets known. That leaks the OTP's pad for the corresponding plaintext. If that pad was reused, it would no longer protect the confidentiality of the message it combines to. That applies to any plaintext, including random. – fgrieu Mar 27 '13 at 15:01
  • @fgrieu So if the attacker can't guess the key (or some part of it) and the message (or some part of it), then reusing the same key for the next random messages will be safe? – lanc Mar 27 '13 at 15:04
  • 3
    Very related to this question http://crypto.stackexchange.com/questions/2264/can-i-use-a-one-time-pad-key-twice-with-random-plaintext?rq=1 – Henrick Hellström Mar 27 '13 at 15:29
  • 2
    @lanc: One cannot logically deduce from my previous comment that anything involving pad/key reuse is safe. For many definitions of safe, reusing the same pad/key for another random message is unsafe. For example, the adversary can test if the two random messages are identical, by testing if the two ciphertexts are identical. There are situations where that may be important, e.g. if the message is one bit linked to some physical action. – fgrieu Mar 27 '13 at 17:06
  • @fgrieu If the message is random, how can it be identified as identical from the ciphertext? How can the attacker guess the message and compromise the key? – lanc Mar 27 '13 at 18:54
  • 1
    What fgrieu is saying is, let's say your message space is small. Since the key is the same, if the same message is ever encrypted twice (which will happen if the message space is small), an observer can see that. That may or may not be a critical break in the system. I think it would do you well to more fully describe the application to us. – mikeazo Mar 27 '13 at 20:41

2 Answers

1

Once you've XORed two messages with the same secret value, the net result is the same as if you had XORed them with each other without using the secret at all.

Given $\text{plaintext}_1 \oplus \text{key} = \text{cyphertext}_1$ and $\text{plaintext}_2 \oplus \text{key} = \text{cyphertext}_2$, then $\text{cyphertext}_1 \oplus \text{cyphertext}_2 = \text{plaintext}_1 \oplus \text{plaintext}_2$. Because it's XORed twice with the same key, the double XOR becomes the identity function and the key is simply factored out.

If the attacker learns any bits of the plaintext of either message, they can recover those corresponding bits of plaintext from the other cyphertext message, plus they can recover those bits of the key as well.

So it falls to you to determine if $\text{cyphertext}_1$ or $\text{cyphertext}_2$ has any knowable information in it. It's completely irrelevant if the plaintext data is ASCII, binary, or EBCDIC. If an attacker can discover or guess what any piece of the data is, it's vulnerable.

This is the classic weakness with the Vernam cypher, and is what enabled the Venona decryption of Soviet secrets. And it's why it's no longer a one-time pad cypher if you use either the plaintext or the key more than one time.

John Deters
  • 3,690
  • 14
  • 29
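The algebra in the answer above, worked through as an added example (this is not code from the answerer; the key and messages are constructed values, and the helper names are my own). It shows that XORing the two ciphertexts cancels the reused key, that a few known bytes of one plaintext give away the same key positions and the corresponding bytes of the other message, and fgrieu's equality leak: under a reused pad, equal messages produce equal ciphertexts.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the Vernam operation)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time-pad encryption; decryption is the same function."""
    return xor_bytes(plaintext, key)


def key_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """c1 XOR c2 == p1 XOR p2 whenever both were encrypted with the same key."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_from_known_plaintext(c1: bytes, c2: bytes, known_p1: dict) -> tuple:
    """Given known bytes of plaintext 1 ({position: byte}), recover the key
    byte and the plaintext-2 byte at each of those positions.

    Works regardless of whether the plaintexts are ASCII or random binary:
    only the *knowledge* of p1 at those positions matters."""
    key_bytes = {}
    p2_bytes = {}
    for pos, p1_byte in known_p1.items():
        k = c1[pos] ^ p1_byte          # key = c1 XOR p1 at this position
        key_bytes[pos] = k
        p2_bytes[pos] = c2[pos] ^ k    # p2 = c2 XOR key at this position
    return key_bytes, p2_bytes


def messages_equal_under_reused_key(c1: bytes, c2: bytes) -> bool:
    """Equality leak: with the same pad, c1 == c2 if and only if p1 == p2,
    so an observer learns whether two messages repeat without any plaintext."""
    return c1 == c2


def demo_random_messages(n: int = 32) -> bool:
    """Two *random* messages under one random key: the key still cancels."""
    key = secrets.token_bytes(n)
    p1, p2 = secrets.token_bytes(n), secrets.token_bytes(n)
    c1, c2 = otp_encrypt(p1, key), otp_encrypt(p2, key)
    return key_cancels(c1, c2, p1, p2)


if __name__ == "__main__":
    # Constructed example values (not from the page).
    key = bytes.fromhex("0f1e2d3c4b5a6978")
    p1, p2 = b"ABCDEFGH", b"12345678"
    c1, c2 = otp_encrypt(p1, key), otp_encrypt(p2, key)
    print("key cancels:", key_cancels(c1, c2, p1, p2))
    print("recovered (key, p2) bytes:", recover_from_known_plaintext(c1, c2, {0: 0x41, 3: 0x44}))
    print("random messages, same key, key cancels:", demo_random_messages())
```

Note that `recover_from_known_plaintext` does not need the whole of plaintext 1: each known byte independently exposes one byte of the key and one byte of the other message, which is exactly the partial-knowledge attack the answer describes.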
0

When people say never use the same key twice to encrypt two different messages, they mean never use the same keystream. Here, if your keystream generation is truly random, then it is OK. If your message is quite short, there is a small chance that you will produce the same keystream, but that does not matter.

What matters is that you do NOT forge the keystream in the same manner two times. This must be taken into account if you use pseudo-random generators. Supplying a PRNG with the same seed for two different messages will induce a security flaw.

Rerito
  • 227
  • 2
  • 7
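An added example for the keystream point made in this answer (my code, not the answerer's). It uses a constructed toy keystream generator, SHA-256 over seed and counter, as a stand-in for "a PRNG seeded with a seed"; it is not a recommended cipher. Seeding it identically for two messages reproduces the keystream exactly, so the ciphertexts XOR down to the plaintexts' XOR, while drawing a fresh random seed per message from `os.urandom` gives independent keystreams.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def prng_keystream(seed: bytes, length: int) -> bytes:
    """Toy deterministic keystream (constructed for this example):
    concatenated SHA-256(seed || counter) blocks, truncated to `length`.
    Same seed => byte-for-byte the same keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_with_seed(plaintext: bytes, seed: bytes) -> bytes:
    """Stream-cipher style encryption: plaintext XOR PRNG(seed)."""
    return xor_bytes(plaintext, prng_keystream(seed, len(plaintext)))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when both ciphertexts used the same keystream: c1^c2 == p1^p2."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def encrypt_fresh(plaintext: bytes) -> tuple:
    """The correct pattern from the answer: a fresh, truly random seed for
    every message, so no two keystreams are 'forged in the same manner'.
    Returns (seed, ciphertext); the seed must be kept secret like a key."""
    seed = os.urandom(32)
    return seed, encrypt_with_seed(plaintext, seed)


def reused_seed_leaks(p1: bytes, p2: bytes, seed: bytes) -> bool:
    """Reuse the same seed for two messages and check whether it cancels."""
    return keystream_cancels(encrypt_with_seed(p1, seed),
                             encrypt_with_seed(p2, seed), p1, p2)


def fresh_seeds_leak(p1: bytes, p2: bytes) -> bool:
    """Fresh random seed per message: the cancellation check fails (with
    overwhelming probability), because the two keystreams are independent."""
    _, c1 = encrypt_fresh(p1)
    _, c2 = encrypt_fresh(p2)
    return keystream_cancels(c1, c2, p1, p2)


if __name__ == "__main__":
    # Constructed sample messages and seed (not from the page).
    p1, p2 = os.urandom(40), os.urandom(40)
    fixed_seed = b"same-seed-for-every-message"   # the flawed deployment
    print("same seed, keystream cancels:", reused_seed_leaks(p1, p2, fixed_seed))
    print("fresh seeds, keystream cancels:", fresh_seeds_leak(p1, p2))
```

The two checks are the same test from both sides: whether `c1 ^ c2` equals `p1 ^ p2` is exactly what an observer who knows (or guesses) one message can exploit, and it is true precisely when the keystream was reused, no matter how random the messages themselves are.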