[liberationtech] OneTime 2.0 (beta): one-time pad system.
Andy Isaacson
adi at hexapodia.org
Thu Aug 1 13:14:34 PDT 2013
On Thu, Aug 01, 2013 at 05:22:48PM +0200, Alexander Kjeldaas wrote:
> On Thu, Aug 1, 2013 at 5:01 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> > On Thu, Aug 01, 2013 at 07:37:59AM -0700, Andy Isaacson wrote:
> > > Since an OTP depends critically on never using the same pad to encrypt
> > > multiple plaintexts, it conversely also depends on the same pad only
> > > decrypting a single ciphertext. If a onetime implementation implements
> > > a decryption oracle, an attacker can almost certainly leverage multiple
> > > decryption attempts with timing or error discrimination to break the pad
> > > entirely.
> >
> > Sorry, meant to add --
> >
> > therefore, it's important that onetime record that a given range of pad
> > is consumed *on decryption* and is only used, thereafter, to decrypt
> > the identical ciphertext.
>
> If this is true in a strict sense, it means that any protocol that uses
> retransmission is incompatible with OTP.
You just have to retransmit the identical ciphertext and you're fine.
-andy
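
The bookkeeping discussed in this message, as an added example that is not part of the original post and is not OneTime's own code: a pad range is bound to a ciphertext digest on first decryption, an identical retransmission is accepted, and any other ciphertext touching that range is refused. The names `PadLedger`, `PadReuseError` and `decrypt` are hypothetical, and the in-memory ledger is an assumption (a real tool would need to persist it).

```python
import hashlib
import hmac
import os


class PadReuseError(Exception):
    """A consumed pad range was asked to decrypt a different ciphertext."""


class PadLedger:
    """Hypothetical ledger of pad ranges consumed by decryption (in memory only)."""

    def __init__(self):
        # (offset, length) -> SHA-256 digest of the ciphertext bound to that range
        self._consumed = {}

    def check_and_record(self, offset, ciphertext):
        length = len(ciphertext)
        digest = hashlib.sha256(ciphertext).digest()
        for (start, size), seen in self._consumed.items():
            overlaps = offset < start + size and start < offset + length
            if not overlaps:
                continue
            same_range = (start, size) == (offset, length)
            if same_range and hmac.compare_digest(seen, digest):
                return  # identical retransmission: safe to decrypt again
            raise PadReuseError("pad range %d+%d already consumed" % (start, size))
        self._consumed[(offset, length)] = digest


def decrypt(pad, ledger, offset, ciphertext):
    """XOR-decrypt ciphertext with pad[offset:], refusing any pad reuse."""
    if offset < 0 or offset + len(ciphertext) > len(pad):
        raise ValueError("ciphertext extends past the end of the pad")
    # Record the range before any pad byte is used, so a failed or repeated
    # attempt cannot be turned into a second decryption under the same pad.
    ledger.check_and_record(offset, ciphertext)
    chunk = pad[offset:offset + len(ciphertext)]
    return bytes(c ^ k for c, k in zip(ciphertext, chunk))


# Constructed sample data: a random 64-byte pad and one message at offset 0.
PAD = os.urandom(64)
MESSAGE = b"meet at noon"
CIPHERTEXT = bytes(m ^ k for m, k in zip(MESSAGE, PAD))
```

A partially overlapping range is refused as well, since it would expose the same pad bytes to a second ciphertext.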