
An adversary $A$ eavesdrops $n$ ciphertexts, $c_{1}, c_{2}, ..., c_{n}$. It also knows a value $v$ and a function $f$ such that $$f(k_{1}, k_{2}, ..., k_{n}) = v$$ where $k_{i}$ is used to encrypt $m_{i}$ to obtain $c_{i}$, $\forall i \mid 1\leqslant i\leqslant n $.

As a concrete example, say $A$ listens to three ciphertexts, $c_{1}, c_{2} \text{ and } c_{3}$, and knows that $k_{1} \oplus k_{2} \oplus k_{3} = 1^l $, where cipher $c$, message $m$ and key $k$ are of the same bit length $l$.

In the concrete case, how could $A$ use this information in guessing $m_{1}, m_{2} \text{ and } m_{3}$? In the general case, are there any well-known methods that I should be aware of? Where can I learn about such general techniques in detail?

Assume messages are drawn uniformly at random (frequency analysis is not possible).

rranjik

1 Answer


Let's first look at the concrete case;

We already know that when a key is used more than once, the one-time pad becomes insecure; see these two questions and the nice answers on crib-dragging.

But, in your case the keys are not the same, only a relation is given by

$$k_1 \oplus \ldots \oplus k_n = 1^l $$ (message length $n$ and number of keys are confusing here; let $l$ be the message length)

  • now, let $n=2$ messages $m_1$ and $m_2$, then $k_1 \oplus k_2 = 1^l $

    If we XOR the two ciphertexts $c_1$ and $c_2$ of $m_1$ and $m_2$, respectively; $$ c_1 \oplus c_2 = m_1 \oplus k_1 \oplus m_2 \oplus k_2 = m_1 \oplus m_2 \oplus 1^l$$ then;

    $$c_1 \oplus c_2 \oplus 1^l = m_1 \oplus m_2 $$ So the solution for this is nothing but the usual two-time pad.

  • now let $n=3$ messages $m_1, m_2$ and $m_3$, then $k_1 \oplus k_2 \oplus k_3 = 1^l $. Then we will have $$c_1 \oplus c_2 \oplus c_3 \oplus 1^l = m_1 \oplus m_2 \oplus m_3$$

    This can also be attacked, but it will be harder, since we have to guess two words and see what is revealed from the third message. The expected time is the square of the $n=2$ case for the initial guesses.

  • When $n$ becomes bigger it will require more guesses and trials.

Arbitrary $f$

Here, let's look only at the case $n=2$, and only at ideas;

We have $c_1 = m_1 \oplus k_1$, $c_2 = m_2 \oplus k_2$, and $f(k_1, k_2) = v$

We can't apply crib-dragging here since

$$ c_1 \oplus c_2 = (m_1 \oplus m_2) \oplus (k_1 \oplus k_2)$$ guessing $m_1$ will not give any information. An attack can be performed by guessing two words and verifying that $k_1$ and $k_2$ satisfy two relations;

$$k_1 \oplus k_2 = m_1 \oplus m_2 \text{ and } f(k_1, k_2) = v$$

kelalaka
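The identity the answer derives, $c_1 \oplus \ldots \oplus c_n \oplus 1^l = m_1 \oplus \ldots \oplus m_n$, as an added worked example (my own code, not from the question or answer above). Keys, messages and the helper names are constructed for illustration; it shows that the key relation alone lets an eavesdropper compute the XOR of all plaintexts, and that for $n=2$ this collapses to the two-time pad.

```python
import secrets
from functools import reduce


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b), "one-time pad operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(blocks):
    """XOR of any number of equal-length byte strings."""
    return reduce(xor, blocks)


def all_ones(l: int) -> bytes:
    """The constant 1^l, here as l bytes of 0xFF."""
    return b"\xff" * l


def related_keys(n: int, l: int):
    """n random l-byte keys constrained so that k_1 ^ ... ^ k_n = 1^l.
    The first n-1 keys are uniform; the last one is forced by the relation."""
    keys = [secrets.token_bytes(l) for _ in range(n - 1)]
    keys.append(xor_all(keys + [all_ones(l)]))
    return keys


def encrypt_all(messages, keys):
    """One-time-pad encryption, c_i = m_i ^ k_i, for every message."""
    return [xor(m, k) for m, k in zip(messages, keys)]


def message_xor_leak(ciphertexts):
    """What the eavesdropper computes from ciphertexts alone:
    c_1 ^ ... ^ c_n ^ 1^l = m_1 ^ ... ^ m_n, since the keys cancel to 1^l."""
    return xor_all(ciphertexts + [all_ones(len(ciphertexts[0]))])


def recover_last(ciphertexts, known_messages):
    """If n-1 messages are known (or guessed, as in crib-dragging), the n-th
    follows from the leak. For n = 2 this is exactly the two-time pad."""
    return xor(message_xor_leak(ciphertexts), xor_all(known_messages))


def demo(n: int = 3, l: int = 16):
    """Constructed run with uniformly random messages, as the question assumes.
    Returns (leak equals XOR of plaintexts, last plaintext recovered)."""
    messages = [secrets.token_bytes(l) for _ in range(n)]
    cts = encrypt_all(messages, related_keys(n, l))
    return (message_xor_leak(cts) == xor_all(messages),
            recover_last(cts, messages[:-1]) == messages[-1])
```

Even with uniformly random messages the leak is exactly $m_1 \oplus \ldots \oplus m_n$, so the relation discards the one-time pad's perfect secrecy for the group of messages, although each single message on its own still needs the others to be known or guessed.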