-1

In a one-time pad, if $$\text{cipherText1} \oplus \text{cipherText2} = \text{plainText1} \oplus \text{plainText2}$$, then is it possible to find out the key from the XOR of the 2 ciphertexts and the plaintexts?

kelalaka
  • 49,797
  • 12
  • 123
  • 211
CreatingDED
  • 15
  • 1
  • 2

3 Answers

3

Answering the question strictly as asked:

is it possible to find out key by 2 cipherText and plainText's xor?

Yes, in the One Time Pad where Ciphertext = Plaintext XOR Pad, computing the XOR of Ciphertext and a matching Plaintext reveals Pad (the "key"). This is not a security issue, because that requires knowledge of Plaintext, and the corresponding Pad is never reused in the One Time Pad, as stated in its very name.

For the different question of finding the pad by comparing/XORing the ciphertexts, see that other answer.

Note: It is inappropriate to call the Pad a "key", because in general a key can be reused, when the OTP's pad must not. For this reason, the OTP does not match the modern definition of a cipher, which implies ability to encipher several messages with the same key.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
2

No, even if a one-time pad is mistakenly reused, you cannot directly find out the content of the pad just by comparing the ciphertexts.

In fact, since the XOR of two ciphertexts encrypted with the same one-time pad is independent of the pad, knowing it literally gives you no extra information about the pad.

However, if the content of the two (or more) plaintext messages encrypted with the same pad is not completely random, you may be able to guess the most likely content of the messages by examining their XOR. This solution will never be unique (and, in fact, there will be as many distinct possible solutions as there are distinct possible pads), but often one solution clearly looks a lot more plausible (e.g. being sensible English text, as opposed to random garbage) than the others. Once you have correctly guessed the plaintext of at least one message, you can of course XOR it with the corresponding ciphertext to obtain the pad.

Ilmari Karonen
  • 46,700
  • 5
  • 112
  • 189
0

If the interceptor encounters 2 messages: message1 = (plaintext1 xor pad1), and message2 = (plaintext2 xor pad1), he can generate (message1 xor message2).

The resultant message1⊕message2 = (plaintext1 xor plaintext2), or plaintext1⊕plaintext2.

So the re-use of the pad can be used by the interceptor to, at the price of incurring the effect of encrypting each plaintext using the other plaintext as a pad, decrypt the 2 intercepted messages with respect to the original pad.

The original pad and its attendant entropy having thus been exchanged, in the case of each plaintext for that of the other, each of the plaintexts is thereby, although not fully decrypted, protected only by the unpredictability of the other plaintext.

For each position in the message1⊕message2 = plaintext1⊕plaintext2 string, learning the plaintext1 or plaintext2 value at that position, will allow obtaining the pad1 value at that position, and that value will allow obtaining the value of the other plaintext at that position.

So, for each string position, if one of the unknowns is obtained, all the unknowns for that position can be immediately obtained; so obtaining one unknown for each position in the string yields knowledge of the complete string for all 3 previously unknown strings: plaintext1, plaintext2, and pad1.

So re-using a one-time pad compromises its unknowability to the extent of the predictability in the plaintexts.
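The procedure described in the two answers above (the pad cancels out of ciphertext1 XOR ciphertext2, a guessed fragment of one plaintext then reveals the other plaintext and the pad at that position) as an added Python example. This is not code from the question or any of the answers; the two messages, the pad and the guessed word are all constructed here for the demonstration, and the pad is derived deterministically only so the example reproduces (a real pad must be fresh CSPRNG output):

```python
"""Why reusing a one-time pad is fatal: c1 XOR c2 cancels the pad and leaves
p1 XOR p2, which a known or guessed fragment of either plaintext (a "crib")
unlocks position by position, exactly as the answers above describe.
Educational example; all data below is constructed for the demo."""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(n: int) -> bytes:
    """How a pad must be made in practice: n fresh bytes from a CSPRNG, used once."""
    return secrets.token_bytes(n)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR pad (pad at least as long)."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= b <= 0x7E for b in data)


def crib_drag(xored: bytes, crib: bytes) -> list:
    """Slide a guessed plaintext fragment over p1 XOR p2. Where the guess sits at
    the right offset, crib XOR (p1 XOR p2) equals the other plaintext's bytes, so
    keep the offsets where the result looks like text (Ilmari's 'most plausible')."""
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        candidate = xor_bytes(crib, xored[off : off + len(crib)])
        if is_printable_ascii(candidate):
            hits.append((off, candidate))
    return hits


def recover_pad_fragment(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """fgrieu's point: known plaintext at a position gives the pad at that position."""
    return xor_bytes(ciphertext[offset : offset + len(known_plaintext)], known_plaintext)


# Constructed demo data: two same-length messages and one pad reused by mistake.
# The pad is a fixed hash output purely so the demo is reproducible; this is NOT
# how a real pad is generated (see fresh_pad above).
P1 = b"meet me at the old bridge at noon"
P2 = b"bring the signed contract with me"
PAD = (hashlib.sha256(b"constructed demo pad").digest() * 2)[: len(P1)]


def demo() -> dict:
    """Encrypt both messages under the same pad and walk the recovery steps."""
    c1 = otp_encrypt(P1, PAD)
    c2 = otp_encrypt(P2, PAD)
    xored = xor_bytes(c1, c2)                  # pad drops out: equals P1 XOR P2
    hits = crib_drag(xored, b" bridge ")       # guess one word of message 1
    # Once the whole of P2 has been guessed, the pad and P1 follow at every position.
    pad = recover_pad_fragment(c2, P2, 0)
    p1 = xor_bytes(c1, pad)
    return {
        "xored_is_pad_free": xored == xor_bytes(P1, P2),
        "hits": hits,            # contains (18, b"ontract "): P2 bytes under the crib
        "pad_ok": pad == PAD,
        "p1": p1,
    }


if __name__ == "__main__":
    result = demo()
    print("c1^c2 == p1^p2:", result["xored_is_pad_free"])
    for off, text in result["hits"]:
        print(f"offset {off:2d}: {text!r}")
    print("pad recovered:", result["pad_ok"], "| p1:", result["p1"])
```

The crib-drag step prints every offset where the guessed word produces printable text; several offsets usually survive that filter, which is the "never unique" point from the second answer, and a human (or a language model scoring) picks the one that reads as English. The defence is the one every answer states: a pad is generated with a CSPRNG, used for exactly one message, and destroyed.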