8

I've started learning cryptography in class and we've come across One-Time-Pads, in which the key (uniformly agreed upon) is as long as the message itself. Then you turn the message into bits, do $XOR$ and get the ciphertext. This encrypts the message, and to decrypt the message you'd do $XOR$ with the cipher and key bits.

Now to make a more efficient One-Time-Pad you'd use a pseudo-random number generator, where the original key is $n$-bits long (and doesn't have to be as long as the message). Then you'd put the key in the generator and get a pseudo random number. But since it's pseudo random, wouldn't the sender and receiver get different keys? Then how can the receiver decrypt the message if they don't have the same key?

Ski Mask
  • 463
  • 3
  • 15

3 Answers

17

You seem to have misunderstood what the key is.

In the context of symmetric encryption, the key is a shared secret: something that is known to both the sender and receiver. For OTP, the key is the entire pad and, if two people wish to encrypt some message using OTP, they must ensure beforehand that they have a long enough pad to do that.

For your proposed "efficient" OTP, the key is the PRNG seed: both parties must ensure beforehand that they know it. Then, they both initialize the PRNG with the same seed and it is guaranteed to produce the same sequence of "random" numbers for each of them.

However, note that this is a massive, massive weakening of OTP. An actual OTP gives perfect security, as long as the pad is kept secret. If you intercept the 17-character message

nsmklmfmwnfmngner

you have zero knowledge of whether it is

maketrumpthepotus

encoded with one pad, or

ensureclintonwins

encoded with a different pad. Or

kittensarethebest

or literally anything else. However, using a pseudorandom pad means that only certain pads are possible (maybe there's no key at all that encrypts the kitten message to "nsmklmfmwnfmngner", so you can rule that out). Anybody who knows the PRNG algorithm can start guessing keys to try to decrypt messages. Anyone who captures some pad material can start trying to reverse engineer the PRNG. Anyone who captures encrypted messages can start trying the same.

You really shouldn't call it OTP unless the key material is as long as the message. Your proposal for using a PRNG is just a generic stream cypher.

David Richerby
  • 82,470
  • 26
  • 145
  • 239
11

Now to make a more efficient One-Time-Pad you'd use a pseudo-random number generator

No, no and once again no. I'm concerned that this is what you're being taught. The absolutely fundamental concept of a one time pad and the notion of mathematically provable perfect secrecy is that the pad material is truly random. And it must never ever be reused, even once. It cannot be generated by any form of algorithm. The random numbers must come from a physical process such as dice throws, electrical noise or photon interference in a split laser beam. If you make them with any sort of algorithm/code then that's just a stream cipher like RC4 or an AES construct.

Browse through the one time pad tagged questions over at crypto.se. That will tell you everything. More importantly, you'll read many attempts at improving or making the one time pad more efficient. All of them are snake oil, no matter how enticing they might appear.

Paul Uszak
  • 1,602
  • 1
  • 13
  • 21
7

A pseudorandom generator is a deterministic algorithm, which given a short random seed returns a pseudorandom string fooling certain adversaries (i.e. such adversaries will not be able to distinguish the generator's output from a truly random string). Note that allowing the generator to toss coins makes the whole thing uninteresting, as you could simply return a truly random output.

In that case, the key can be the seed $s$, and the receiver can compute $G(s)$ to decipher the message (since $G$ is deterministic, this computation yields the same result for both parties).

Ariel
  • 13,614
  • 1
  • 22
  • 39
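An added example (not from any of the answers above) that puts the two points side by side: the "every plaintext has a pad" property of a true OTP from David Richerby's answer, and the deterministic $G(s)$ from Ariel's answer that gives both parties the same keystream from a shared seed. The generator here is a toy built from SHA-256 in counter mode, chosen only because it is deterministic and available in the standard library; it is an assumption for illustration, not a recommended cipher.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: the OTP / stream-cipher primitive."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_pad(length: int) -> bytes:
    """A genuine pad: fresh bytes from the OS CSPRNG, as long as the message, never reused."""
    return secrets.token_bytes(length)


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For a true OTP, pick any same-length plaintext: some pad maps it to this ciphertext.

    That pad is simply ciphertext XOR candidate, so the ciphertext alone cannot rule
    out 'kittensarethebest' any more than 'maketrumpthepotus'.
    """
    return xor_bytes(ciphertext, candidate_plaintext)


def prng_keystream(seed: bytes, length: int) -> bytes:
    """Toy deterministic generator G(s): SHA-256 over (seed || counter), truncated.

    Assumption for illustration only. Because it is deterministic, the same seed
    always yields the same keystream, which is why sender and receiver agree.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_cipher_roundtrip(sender_seed: bytes, receiver_seed: bytes, msg: bytes) -> bytes:
    """Encrypt under the sender's seed, then decrypt under the receiver's seed.

    Returns msg only when both parties started G from the same seed.
    """
    keystream = prng_keystream(sender_seed, len(msg))
    ciphertext = xor_bytes(msg, keystream)
    return xor_bytes(ciphertext, prng_keystream(receiver_seed, len(msg)))
```

With an n-bit seed the generator can only ever produce 2^n distinct keystreams for a given length, whereas a true OTP can produce any of the 256^len possible pads; that gap is what separates the stream cipher from perfect secrecy.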