[liberationtech] OneTime 2.0 (beta): one-time pad system.

Alexander Kjeldaas alexander.kjeldaas at gmail.com
Thu Aug 1 08:22:48 PDT 2013


On Thu, Aug 1, 2013 at 5:01 PM, Andy Isaacson <adi at hexapodia.org> wrote:

> On Thu, Aug 01, 2013 at 07:37:59AM -0700, Andy Isaacson wrote:
> > Since an OTP depends critically on never using the same pad to encrypt
> > multiple plaintexts, it conversely also depends on the same pad only
> > decrypting a single ciphertext.  If a onetime implementation implements
> > a decryption oracle, an attacker can almost certainly leverage multiple
> > decryption attempts with timing or error discrimination to break the pad
> > entirely.
>
> Sorry, meant to add --
>
> therefore, it's important that onetime record that a given range of pad
> is consumed *on decryption* and is only used, thereafter, to decrypt
> the identical ciphertext.
>
>
If this is true in a strict sense, it means that any protocol that uses
retransmission is incompatible with OTP.

Alexander



> -andy
> --
>
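
One way to implement the record-keeping described in the quoted message, as an added example (not OneTime's code and not part of either post). The names `PadLedger`, `PadReplayError` and `demo` are hypothetical, and the in-memory dictionary stands in for state that would have to be stored persistently alongside the pad.

```python
import hashlib
import hmac


class PadReplayError(Exception):
    """A consumed pad range was offered a ciphertext it has not seen before."""


class PadLedger:
    """Hypothetical ledger binding each consumed pad range to one ciphertext."""

    def __init__(self, pad: bytes):
        self._pad = pad
        # (offset, length) -> SHA-256 of the ciphertext; persist this in real use
        self._consumed = {}

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        end = offset + len(ciphertext)
        if offset < 0 or end > len(self._pad):
            raise ValueError("pad range out of bounds")
        digest = hashlib.sha256(ciphertext).digest()
        for (start, length), seen in self._consumed.items():
            if not (offset < start + length and start < end):
                continue  # no overlap with this consumed range
            if (start, length) == (offset, len(ciphertext)) and \
                    hmac.compare_digest(seen, digest):
                break  # identical ciphertext again (e.g. a retransmission)
            # Same pad bytes, different ciphertext: refuse before touching the
            # pad, and give the caller one uniform error to avoid an oracle.
            raise PadReplayError("pad range already consumed")
        else:
            # First use of this range: record it before releasing plaintext.
            self._consumed[(offset, len(ciphertext))] = digest
        return bytes(c ^ k for c, k in zip(ciphertext, self._pad[offset:end]))


def demo():
    pad = bytes(range(100, 132))  # constructed sample pad, not random
    ct = bytes(p ^ k for p, k in zip(b"hello", pad[4:9]))
    ledger = PadLedger(pad)
    first = ledger.decrypt(4, ct)
    again = ledger.decrypt(4, ct)  # identical ciphertext is accepted
    try:
        ledger.decrypt(4, bytes([ct[0] ^ 1]) + ct[1:])  # one bit flipped
        rejected = False
    except PadReplayError:
        rejected = True
    return first, again, rejected
```
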