Why is encrypting with the same one-time-pad not good?
Problem
To encrypt a message $m_1$ with a one-time-pad key $k$ you do
$Enc(m_1,k) = m_1 \oplus k$.
If you use the same $k$ to encrypt a different message $m_2$ you get
$Enc(m_2,k) = m_2 \oplus k$, and if you XOR the two ciphertexts you get
$$( m_1 \oplus k) \oplus ( m_2 \oplus k) = m_1 \oplus m_2$$
so, OK, there is some information leakage because you learn $m_1 \oplus m_2$, but why is it not secure? I have no way to learn (say) $m_1$ unless I know $m_2$. So why is it wrong to use $k$ twice?
Solution
I have no way to learn (say) $m_1$ unless I know $m_2$.
That is exactly the problem - if you re-use the same key, and someone has access to one message you encrypted in both plaintext and encrypted form, they can use that to find your key:
$$
(m_2 \oplus k) \oplus m_2 = k
$$
As an alternative scenario, if you use the same key over and over, the attackers may be able to guess just pieces of various encrypted messages, and each successful guess reveals a piece of the key $k$, so that over time more and more of the key is revealed.
This general strategy for breaking a cryptosystem is known as a known plaintext attack. Many systems, like AES and RSA, are believed to be secure against these attacks. But a one-time pad becomes completely insecure against them unless a new pad is used for every encryption, which is why they are named "one-time pads".
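The following Python script is an added illustration, not code from the question or the answer above. It runs both attacks the answer describes against two constructed sample messages encrypted under one pad: XORing the ciphertexts cancels the pad and leaves $m_1 \oplus m_2$; knowing one plaintext then yields $k$ outright, which decrypts the other ciphertext; and without a full known plaintext, "crib dragging" a guessed fragment along $m_1 \oplus m_2$ still exposes pieces of the other message and hence pieces of $k$. The sample messages, the crib `the river`, and the printable-ASCII test used to rank crib positions are assumptions made for the demonstration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of equal length (the one-time-pad operation)."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires key and message of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(m: bytes, k: bytes) -> bytes:
    """Enc(m, k) = m xor k. Decryption is the same operation."""
    return xor_bytes(m, k)


# Constructed sample plaintexts for the demonstration (not from the original post).
# They have the same length so that a single pad k covers both.
M1 = b"attack the bridge at dawn tomorrow"
M2 = b"retreat to the river by nightfall."


def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """(m1 xor k) xor (m2 xor k) = m1 xor m2: the pad cancels out entirely."""
    return xor_bytes(c1, c2)


def recover_key(c: bytes, m: bytes) -> bytes:
    """Known-plaintext attack: (m xor k) xor m = k."""
    return xor_bytes(c, m)


def crib_drag(m1_xor_m2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment ('crib') of one message along m1 xor m2.

    Wherever the guess is right, XORing it in reveals the other message at the
    same position. A hit is reported at every offset where the result is
    printable ASCII (a heuristic assumed here); the analyst reads those hits,
    keeps the plausible one and extends the guess. Each confirmed fragment,
    XORed with the matching ciphertext bytes, yields that slice of k.
    """
    hits = []
    for i in range(len(m1_xor_m2) - len(crib) + 1):
        cand = xor_bytes(m1_xor_m2[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in cand):
            hits.append((i, cand))
    return hits


def two_time_pad_demo(k: bytes) -> dict:
    """Encrypt M1 and M2 under the same pad k and run both attacks."""
    c1 = otp_encrypt(M1, k)
    c2 = otp_encrypt(M2, k)
    leak = xor_of_ciphertexts(c1, c2)
    k_recovered = recover_key(c2, M2)            # attacker knows m2 and c2
    m1_recovered = otp_encrypt(c1, k_recovered)  # ... and so reads m1
    return {
        "leak_is_m1_xor_m2": leak == xor_bytes(M1, M2),
        "key_recovered": k_recovered == k,
        "m1_recovered": m1_recovered,
        "crib_hits": crib_drag(leak, b"the river"),  # guessed fragment of m2
    }


if __name__ == "__main__":
    pad = os.urandom(len(M1))  # a proper random pad; reuse is the only flaw
    result = two_time_pad_demo(pad)
    print("m1 xor m2 leaked:", result["leak_is_m1_xor_m2"])
    print("pad recovered from (c2, m2):", result["key_recovered"])
    print("m1 decrypted with that pad:", result["m1_recovered"])
    for offset, fragment in result["crib_hits"]:
        print(f"crib b'the river' at offset {offset:2d} reveals m1 slice {fragment!r}")
```

Note that the pad itself is perfectly random; every step above works on $m_1 \oplus m_2$ alone, so no weakness in $k$ is needed, only its reuse. With a fresh pad per message the XOR of the two ciphertexts would be $m_1 \oplus m_2 \oplus k_1 \oplus k_2$, which is again uniformly random and carries no information.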
Context
StackExchange Computer Science Q#349, answer score: 19