Is one-time pad encryption vulnerable when near identical data is sent many times with different OTP?












8












$begingroup$


Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.



Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?



(Please be light on the lingo and math, I'm a noob.)



Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.










share|improve this question







New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$








  • 1




    $begingroup$
    I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
    $endgroup$
    – Dreamspace President
    21 hours ago






  • 2




    $begingroup$
    Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
    $endgroup$
    – a CVn
    12 hours ago






  • 1




    $begingroup$
    @DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
    $endgroup$
    – eckes
    12 hours ago






  • 2




    $begingroup$
    Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
    $endgroup$
    – eckes
    11 hours ago






  • 4




    $begingroup$
    @DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
    $endgroup$
    – Matthew Crumley
    10 hours ago
















8












$begingroup$


Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.



Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?



(Please be light on the lingo and math, I'm a noob.)



Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.










share|improve this question







New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$








  • 1




    $begingroup$
    I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
    $endgroup$
    – Dreamspace President
    21 hours ago






  • 2




    $begingroup$
    Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
    $endgroup$
    – a CVn
    12 hours ago






  • 1




    $begingroup$
    @DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
    $endgroup$
    – eckes
    12 hours ago






  • 2




    $begingroup$
    Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
    $endgroup$
    – eckes
    11 hours ago






  • 4




    $begingroup$
    @DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
    $endgroup$
    – Matthew Crumley
    10 hours ago














8












8








8


1



$begingroup$


Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.



Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?



(Please be light on the lingo and math, I'm a noob.)



Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.










share|improve this question







New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$




Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.



Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?



(Please be light on the lingo and math, I'm a noob.)



Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.







one-time-pad






share|improve this question







New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 22 hours ago









Dreamspace PresidentDreamspace President

1507




1507




New contributor




Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 1




    $begingroup$
    I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
    $endgroup$
    – Dreamspace President
    21 hours ago






  • 2




    $begingroup$
    Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
    $endgroup$
    – a CVn
    12 hours ago






  • 1




    $begingroup$
    @DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
    $endgroup$
    – eckes
    12 hours ago






  • 2




    $begingroup$
    Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
    $endgroup$
    – eckes
    11 hours ago






  • 4




    $begingroup$
    @DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
    $endgroup$
    – Matthew Crumley
    10 hours ago














  • 1




    $begingroup$
    I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
    $endgroup$
    – Dreamspace President
    21 hours ago






  • 2




    $begingroup$
    Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
    $endgroup$
    – a CVn
    12 hours ago






  • 1




    $begingroup$
    @DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
    $endgroup$
    – eckes
    12 hours ago






  • 2




    $begingroup$
    Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
    $endgroup$
    – eckes
    11 hours ago






  • 4




    $begingroup$
    @DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
    $endgroup$
    – Matthew Crumley
    10 hours ago








1




1




$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago




$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago




2




2




$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago




$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago




1




1




$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago




$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago




2




2




$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago




$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago




4




4




$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago




$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago










6 Answers
6






active

oldest

votes


















17












$begingroup$

No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.






share|improve this answer











$endgroup$









  • 2




    $begingroup$
    I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
    $endgroup$
    – usul
    15 hours ago






  • 1




    $begingroup$
    @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
    $endgroup$
    – Dreamspace President
    14 hours ago






  • 3




    $begingroup$
    @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
    $endgroup$
    – usul
    12 hours ago






  • 1




    $begingroup$
    What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
    $endgroup$
    – TKK
    11 hours ago










  • $begingroup$
    @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
    $endgroup$
    – Dreamspace President
    11 hours ago



















10












$begingroup$

The short answer; No



As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.






share|improve this answer











$endgroup$





















    4












    $begingroup$

    Why is OTP perfectly secure?



    Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.



    Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.



    An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.



    What if we use the same $m$ multiple times?



    To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.



    If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:



    $c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$



    Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:



    $c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$



    This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.



    Why is OTP not used everywhere then?



    Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.



    Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).






    share|improve this answer











    $endgroup$









    • 2




      $begingroup$
      "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
      $endgroup$
      – a CVn
      14 hours ago










    • $begingroup$
      There is a fourth section there: When is OTP used? - Not very often, it seems
      $endgroup$
      – Mindwin
      14 hours ago










    • $begingroup$
      related.
      $endgroup$
      – Mindwin
      14 hours ago










    • $begingroup$
      @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
      $endgroup$
      – David Stockinger
      12 hours ago






    • 3




      $begingroup$
      "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
      $endgroup$
      – Ella Rose
      12 hours ago



















    2












    $begingroup$

    You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.



    The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.



    Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.



    So if the following (4) strictures are observed, OTP are UNBREAKABLE:




    1. Never reuse keys

    2. Don't encrypt messages larger then the key

    3. Produce pads using random data

    4. Ensure pads cannot be compromised during distribution to the operators


    -Terrence






    share|improve this answer










    New contributor




    F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






    $endgroup$





















      0












      $begingroup$

      Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.






      share|improve this answer










      New contributor




      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      $endgroup$









      • 1




        $begingroup$
        "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
        $endgroup$
        – Dreamspace President
        21 hours ago






      • 3




        $begingroup$
        A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
        $endgroup$
        – eckes
        17 hours ago






      • 2




        $begingroup$
        Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
        $endgroup$
        – a CVn
        12 hours ago










      • $begingroup$
        @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
        $endgroup$
        – Dreamspace President
        11 hours ago






      • 1




        $begingroup$
        @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
        $endgroup$
        – a CVn
        9 hours ago



















      -1












      $begingroup$

      Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.



      If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".



      Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.



      Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.






      share|improve this answer











      $endgroup$









      • 1




        $begingroup$
        This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
        $endgroup$
        – a CVn
        14 hours ago










      • $begingroup$
        @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
        $endgroup$
        – supercat
        14 hours ago










      • $begingroup$
        @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
        $endgroup$
        – supercat
        14 hours ago










      • $begingroup$
        ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
        $endgroup$
        – Ella Rose
        14 hours ago






      • 1




        $begingroup$
        That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
        $endgroup$
        – Ella Rose
        13 hours ago











      Your Answer





      StackExchange.ifUsing("editor", function () {
      return StackExchange.using("mathjaxEditing", function () {
      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
      });
      });
      }, "mathjax-editing");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "281"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67137%2fis-one-time-pad-encryption-vulnerable-when-near-identical-data-is-sent-many-time%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      6 Answers
      6






      active

      oldest

      votes








      6 Answers
      6






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      17












      $begingroup$

      No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.






      share|improve this answer











      $endgroup$









      • 2




        $begingroup$
        I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
        $endgroup$
        – usul
        15 hours ago






      • 1




        $begingroup$
        @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
        $endgroup$
        – Dreamspace President
        14 hours ago






      • 3




        $begingroup$
        @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
        $endgroup$
        – usul
        12 hours ago






      • 1




        $begingroup$
        What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
        $endgroup$
        – TKK
        11 hours ago










      • $begingroup$
        @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
        $endgroup$
        – Dreamspace President
        11 hours ago
















      17












      $begingroup$

      No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.






      share|improve this answer











      $endgroup$









      • 2




        $begingroup$
        I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
        $endgroup$
        – usul
        15 hours ago






      • 1




        $begingroup$
        @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
        $endgroup$
        – Dreamspace President
        14 hours ago






      • 3




        $begingroup$
        @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
        $endgroup$
        – usul
        12 hours ago






      • 1




        $begingroup$
        What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
        $endgroup$
        – TKK
        11 hours ago










      • $begingroup$
        @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
        $endgroup$
        – Dreamspace President
        11 hours ago














      17












      17








      17





      $begingroup$

      No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.






      share|improve this answer











      $endgroup$



      No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 22 hours ago

























      answered 22 hours ago









      forestforest

      3,7361439




      3,7361439








      • 2




        $begingroup$
        I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
        $endgroup$
        – usul
        15 hours ago






      • 1




        $begingroup$
        @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
        $endgroup$
        – Dreamspace President
        14 hours ago






      • 3




        $begingroup$
        @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
        $endgroup$
        – usul
        12 hours ago






      • 1




        $begingroup$
        What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
        $endgroup$
        – TKK
        11 hours ago










      • $begingroup$
        @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
        $endgroup$
        – Dreamspace President
        11 hours ago














      • 2




        $begingroup$
        I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
        $endgroup$
        – usul
        15 hours ago






      • 1




        $begingroup$
        @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
        $endgroup$
        – Dreamspace President
        14 hours ago






      • 3




        $begingroup$
        @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
        $endgroup$
        – usul
        12 hours ago






      • 1




        $begingroup$
        What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
        $endgroup$
        – TKK
        11 hours ago










      • $begingroup$
        @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
        $endgroup$
        – Dreamspace President
        11 hours ago








      2




      2




      $begingroup$
      I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
      $endgroup$
      – usul
      15 hours ago




      $begingroup$
      I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
      $endgroup$
      – usul
      15 hours ago




      1




      1




      $begingroup$
      @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
      $endgroup$
      – Dreamspace President
      14 hours ago




      $begingroup$
      @usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
      $endgroup$
      – Dreamspace President
      14 hours ago




      3




      3




      $begingroup$
      @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
      $endgroup$
      – usul
      12 hours ago




      $begingroup$
      @DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
      $endgroup$
      – usul
      12 hours ago




      1




      1




      $begingroup$
      What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
      $endgroup$
      – TKK
      11 hours ago




      $begingroup$
      What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
      $endgroup$
      – TKK
      11 hours ago












      $begingroup$
      @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
      $endgroup$
      – Dreamspace President
      11 hours ago




      $begingroup$
      @usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
      $endgroup$
      – Dreamspace President
      11 hours ago











      10












      $begingroup$

      The short answer; No



      As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.






      share|improve this answer











      $endgroup$


















        10












        $begingroup$

        The short answer; No



        As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.






        share|improve this answer











        $endgroup$
















          10












          10








          10





          $begingroup$

          The short answer; No



          As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.






          share|improve this answer











          $endgroup$



          The short answer; No



          As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 12 hours ago

























          answered 22 hours ago









          kelalakakelalaka

          7,42022245




          7,42022245























              4












              $begingroup$

              Why is OTP perfectly secure?



              Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.



              Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.



              An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.



              What if we use the same $m$ multiple times?



              To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.



              If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:



              $c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$



              Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:



              $c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$



              This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.



              Why is OTP not used everywhere then?



              Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.



              Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).






              share|improve this answer











              $endgroup$









              • 2




                $begingroup$
                "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
                $endgroup$
                – a CVn
                14 hours ago










              • $begingroup$
                There is a fourth section there: When is OTP used? - Not very often, it seems
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                related.
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
                $endgroup$
                – David Stockinger
                12 hours ago






              • 3




                $begingroup$
                "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
                $endgroup$
                – Ella Rose
                12 hours ago
















              4












              $begingroup$

              Why is OTP perfectly secure?



              Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.



              Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.



              An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.



              What if we use the same $m$ multiple times?



              To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.



              If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:



              $c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$



              Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:



              $c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$



              This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.



              Why is OTP not used everywhere then?



              Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.



              Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).






              share|improve this answer











              $endgroup$









              • 2




                $begingroup$
                "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
                $endgroup$
                – a CVn
                14 hours ago










              • $begingroup$
                There is a fourth section there: When is OTP used? - Not very often, it seems
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                related.
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
                $endgroup$
                – David Stockinger
                12 hours ago






              • 3




                $begingroup$
                "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
                $endgroup$
                – Ella Rose
                12 hours ago














              4












              4








              4





              $begingroup$

              Why is OTP perfectly secure?



              Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.



              Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.



              An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.



              What if we use the same $m$ multiple times?



              To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.



              If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:



              $c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$



              Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:



              $c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$



              This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.



              Why is OTP not used everywhere then?



              Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.



              Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).






              share|improve this answer











              $endgroup$



              Why is OTP perfectly secure?



              Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.



              Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.



              An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.



              What if we use the same $m$ multiple times?



              To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.



              If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:



              $c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$



              Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:



              $c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$



              This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.



              Why is OTP not used everywhere then?



              Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.



              Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited 12 hours ago

























              answered 17 hours ago









              David StockingerDavid Stockinger

              1887




              1887








              • 2




                $begingroup$
                "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
                $endgroup$
                – a CVn
                14 hours ago










              • $begingroup$
                There is a fourth section there: When is OTP used? - Not very often, it seems
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                related.
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
                $endgroup$
                – David Stockinger
                12 hours ago






              • 3




                $begingroup$
                "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
                $endgroup$
                – Ella Rose
                12 hours ago














              • 2




                $begingroup$
                "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
                $endgroup$
                – a CVn
                14 hours ago










              • $begingroup$
                There is a fourth section there: When is OTP used? - Not very often, it seems
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                related.
                $endgroup$
                – Mindwin
                14 hours ago










              • $begingroup$
                @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
                $endgroup$
                – David Stockinger
                12 hours ago






              • 3




                $begingroup$
                "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
                $endgroup$
                – Ella Rose
                12 hours ago








              2




              2




              $begingroup$
              "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
              $endgroup$
              – a CVn
              14 hours ago




              $begingroup$
              "then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
              $endgroup$
              – a CVn
              14 hours ago












              $begingroup$
              There is a fourth section there: When is OTP used? - Not very often, it seems
              $endgroup$
              – Mindwin
              14 hours ago




              $begingroup$
              There is a fourth section there: When is OTP used? - Not very often, it seems
              $endgroup$
              – Mindwin
              14 hours ago












              $begingroup$
              related.
              $endgroup$
              – Mindwin
              14 hours ago




              $begingroup$
              related.
              $endgroup$
              – Mindwin
              14 hours ago












              $begingroup$
              @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
              $endgroup$
              – David Stockinger
              12 hours ago




              $begingroup$
              @aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
              $endgroup$
              – David Stockinger
              12 hours ago




              3




              3




              $begingroup$
              "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
              $endgroup$
              – Ella Rose
              12 hours ago




              $begingroup$
              "perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
              $endgroup$
              – Ella Rose
              12 hours ago











              2












              $begingroup$

              You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.



              The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.



              Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.



              So if the following (4) strictures are observed, OTP are UNBREAKABLE:




              1. Never reuse keys

              2. Don't encrypt messages larger then the key

              3. Produce pads using random data

              4. Ensure pads cannot be compromised during distribution to the operators


              -Terrence






              share|improve this answer










              New contributor




              F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.






              $endgroup$


















                2












                $begingroup$

                You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.



                The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.



                Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.



                So if the following (4) strictures are observed, OTP are UNBREAKABLE:




                1. Never reuse keys

                2. Don't encrypt messages larger then the key

                3. Produce pads using random data

                4. Ensure pads cannot be compromised during distribution to the operators


                -Terrence






                share|improve this answer










                New contributor




                F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                $endgroup$
















                  2












                  2








                  2





                  $begingroup$

                  You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.



                  The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.



                  Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.



                  So if the following (4) strictures are observed, OTP are UNBREAKABLE:




                  1. Never reuse keys

                  2. Don't encrypt messages larger then the key

                  3. Produce pads using random data

                  4. Ensure pads cannot be compromised during distribution to the operators


                  -Terrence






                  share|improve this answer










                  New contributor




                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  $endgroup$



                  You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.



                  The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.



                  Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.



                  So if the following (4) strictures are observed, OTP are UNBREAKABLE:




                  1. Never reuse keys

                  2. Don't encrypt messages larger then the key

                  3. Produce pads using random data

                  4. Ensure pads cannot be compromised during distribution to the operators


                  -Terrence







                  share|improve this answer










                  New contributor




                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  share|improve this answer



                  share|improve this answer








                  edited 11 hours ago





















                  New contributor




                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 11 hours ago









                  F1LinuxF1Linux

                  213




                  213




                  New contributor




                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.























                      0












                      $begingroup$

                      Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.






                      share|improve this answer










                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      $endgroup$









                      • 1




                        $begingroup$
                        "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                        $endgroup$
                        – Dreamspace President
                        21 hours ago






                      • 3




                        $begingroup$
                        A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                        $endgroup$
                        – eckes
                        17 hours ago






                      • 2




                        $begingroup$
                        Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                        $endgroup$
                        – a CVn
                        12 hours ago










                      • $begingroup$
                        @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                        $endgroup$
                        – Dreamspace President
                        11 hours ago






                      • 1




                        $begingroup$
                        @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                        $endgroup$
                        – a CVn
                        9 hours ago
















                      0












                      $begingroup$

                      Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.






                      share|improve this answer










                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      $endgroup$









                      • 1




                        $begingroup$
                        "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                        $endgroup$
                        – Dreamspace President
                        21 hours ago






                      • 3




                        $begingroup$
                        A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                        $endgroup$
                        – eckes
                        17 hours ago






                      • 2




                        $begingroup$
                        Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                        $endgroup$
                        – a CVn
                        12 hours ago










                      • $begingroup$
                        @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                        $endgroup$
                        – Dreamspace President
                        11 hours ago






                      • 1




                        $begingroup$
                        @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                        $endgroup$
                        – a CVn
                        9 hours ago














                      0












                      0








                      0





                      $begingroup$

                      Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.






                      share|improve this answer










                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      $endgroup$



                      Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.







                      share|improve this answer










                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer








                      edited 21 hours ago





















                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered 22 hours ago









                      Soumen MukherjeeSoumen Mukherjee

                      1094




                      1094




                      New contributor




                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.








                      • 1




                        $begingroup$
                        "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                        $endgroup$
                        – Dreamspace President
                        21 hours ago






                      • 3




                        $begingroup$
                        A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                        $endgroup$
                        – eckes
                        17 hours ago






                      • 2




                        $begingroup$
                        Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                        $endgroup$
                        – a CVn
                        12 hours ago










                      • $begingroup$
                        @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                        $endgroup$
                        – Dreamspace President
                        11 hours ago






                      • 1




                        $begingroup$
                        @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                        $endgroup$
                        – a CVn
                        9 hours ago














                      • 1




                        $begingroup$
                        "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                        $endgroup$
                        – Dreamspace President
                        21 hours ago






                      • 3




                        $begingroup$
                        A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                        $endgroup$
                        – eckes
                        17 hours ago






                      • 2




                        $begingroup$
                        Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                        $endgroup$
                        – a CVn
                        12 hours ago










                      • $begingroup$
                        @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                        $endgroup$
                        – Dreamspace President
                        11 hours ago






                      • 1




                        $begingroup$
                        @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                        $endgroup$
                        – a CVn
                        9 hours ago








                      1




                      1




                      $begingroup$
                      "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                      $endgroup$
                      – Dreamspace President
                      21 hours ago




                      $begingroup$
                      "you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
                      $endgroup$
                      – Dreamspace President
                      21 hours ago




                      3




                      3




                      $begingroup$
                      A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                      $endgroup$
                      – eckes
                      17 hours ago




                      $begingroup$
                      A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
                      $endgroup$
                      – eckes
                      17 hours ago




                      2




                      2




                      $begingroup$
                      Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                      $endgroup$
                      – a CVn
                      12 hours ago




                      $begingroup$
                      Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
                      $endgroup$
                      – a CVn
                      12 hours ago












                      $begingroup$
                      @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                      $endgroup$
                      – Dreamspace President
                      11 hours ago




                      $begingroup$
                      @aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
                      $endgroup$
                      – Dreamspace President
                      11 hours ago




                      1




                      1




                      $begingroup$
                      @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                      $endgroup$
                      – a CVn
                      9 hours ago




                      $begingroup$
                      @DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
                      $endgroup$
                      – a CVn
                      9 hours ago











                      -1












                      $begingroup$

                      Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.



                      If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".



                      Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.



                      Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.






                      share|improve this answer











                      $endgroup$









                      • 1




                        $begingroup$
                        This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                        $endgroup$
                        – a CVn
                        14 hours ago










                      • $begingroup$
                        @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                        $endgroup$
                        – Ella Rose
                        14 hours ago






                      • 1




                        $begingroup$
                        That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                        $endgroup$
                        – Ella Rose
                        13 hours ago
















                      -1












                      $begingroup$

                      Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.



                      If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".



                      Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.



                      Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.






                      share|improve this answer











                      $endgroup$









                      • 1




                        $begingroup$
                        This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                        $endgroup$
                        – a CVn
                        14 hours ago










                      • $begingroup$
                        @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                        $endgroup$
                        – Ella Rose
                        14 hours ago






                      • 1




                        $begingroup$
                        That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                        $endgroup$
                        – Ella Rose
                        13 hours ago














                      -1












                      -1








                      -1





                      $begingroup$

                      Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.



                      If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".



                      Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.



                      Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.






                      share|improve this answer











                      $endgroup$



                      Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.



                      If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".



                      Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.



                      Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited 8 hours ago

























                      answered 15 hours ago









                      supercatsupercat

                      21914




                      21914








                      • 1




                        $begingroup$
                        This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                        $endgroup$
                        – a CVn
                        14 hours ago










                      • $begingroup$
                        @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                        $endgroup$
                        – Ella Rose
                        14 hours ago






                      • 1




                        $begingroup$
                        That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                        $endgroup$
                        – Ella Rose
                        13 hours ago














                      • 1




                        $begingroup$
                        This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                        $endgroup$
                        – a CVn
                        14 hours ago










                      • $begingroup$
                        @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                        $endgroup$
                        – supercat
                        14 hours ago










                      • $begingroup$
                        ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                        $endgroup$
                        – Ella Rose
                        14 hours ago






                      • 1




                        $begingroup$
                        That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                        $endgroup$
                        – Ella Rose
                        13 hours ago








                      1




                      1




                      $begingroup$
                      This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                      $endgroup$
                      – a CVn
                      14 hours ago




                      $begingroup$
                      This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
                      $endgroup$
                      – a CVn
                      14 hours ago












                      $begingroup$
                      @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                      $endgroup$
                      – supercat
                      14 hours ago




                      $begingroup$
                      @aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
                      $endgroup$
                      – supercat
                      14 hours ago












                      $begingroup$
                      @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                      $endgroup$
                      – supercat
                      14 hours ago




                      $begingroup$
                      @aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
                      $endgroup$
                      – supercat
                      14 hours ago












                      $begingroup$
                      ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                      $endgroup$
                      – Ella Rose
                      14 hours ago




                      $begingroup$
                      ... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
                      $endgroup$
                      – Ella Rose
                      14 hours ago




                      1




                      1




                      $begingroup$
                      That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                      $endgroup$
                      – Ella Rose
                      13 hours ago




                      $begingroup$
                      That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
                      $endgroup$
                      – Ella Rose
                      13 hours ago










                      Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.













                      Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.












                      Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67137%2fis-one-time-pad-encryption-vulnerable-when-near-identical-data-is-sent-many-time%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                      Alcedinidae

                      Origin of the phrase “under your belt”?