Cryptography Reference
An exhaustive key search is futile since every possible plaintext is a valid candidate.
We might as well just try to guess the plaintext.
Note that it is tempting to claim that the adversary does learn something when
they see the ciphertext because they see the length of the ciphertext. This might tell
the adversary the length of the plaintext, which is certainly information about the
plaintext, unless we are careful. There are two different perspectives from which
this issue can be addressed:
Fixed length plaintext. The first perspective, which we adopted in the above
example, is that the adversary already knows the length of the plaintext. In this
case the adversary gains no further information from seeing the length of the
ciphertext.
Maximum length plaintext. The second perspective, which is probably more
realistic, is that the adversary already knows the maximum possible length
of the plaintext. We thus assume that the maximum length of plaintext that
the sender and receiver will ever send using this cryptosystem (in this case a
maximum number of m plaintext letters) is a publicly known parameter, and
hence is known by the adversary. The sender then:
1. agrees a keyword of length m letters with the receiver;
2. if the plaintext is less than m letters long then the sender adds some
extra letters to make the plaintext m letters long (this example of adding
'redundant' information to a plaintext is often called padding, which we will
discuss further in Section 4.3.2);
3. encrypts the extended plaintext using the keyword of m letters.
As a result of this approach, the adversary always sees a ciphertext of length
m. The adversary thus does not learn anything new about the length of the
plaintext from seeing the length of the ciphertext because:
• the maximum length m is public knowledge, hence the adversary learns
nothing from seeing an m letter ciphertext other than what they already
knew: that the plaintext cannot be more than m letters long;
• the true plaintext length is hidden.
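The three steps above, together with the key-search observation at the start of this section, as an added Python example that is not part of the original text. The public maximum M = 12, the filler letter X and all function names are assumptions made for illustration; the text does not say which extra letters to add.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase
M = 12  # public maximum plaintext length (constructed value, an assumption)

def random_keyword(m=M):
    """Step 1: a fresh keyword of m letters, each chosen uniformly at random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(m))

def pad(plaintext, m=M, filler="X"):
    """Step 2: extend the plaintext to exactly m letters (filler is an assumption)."""
    if len(plaintext) > m:
        raise ValueError("plaintext longer than the public maximum m")
    return plaintext + filler * (m - len(plaintext))

def shift(text, keyword, sign):
    """Letter-wise Vigenere addition (sign=+1) or subtraction (sign=-1) mod 26."""
    if len(text) != len(keyword):
        raise ValueError("keyword must be as long as the text")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, keyword)
    )

def encrypt(plaintext, keyword, m=M):
    """Step 3: encrypt the padded plaintext with the m-letter keyword."""
    return shift(pad(plaintext, m), keyword, +1)

def decrypt(ciphertext, keyword):
    """Recover the padded plaintext; removing the padding is not covered here."""
    return shift(ciphertext, keyword, -1)

def key_explaining(ciphertext, candidate, m=M):
    """The keyword under which `candidate` encrypts to `ciphertext`.
    One exists for every candidate of at most m letters, so key search is futile."""
    return shift(ciphertext, pad(candidate, m), -1)

if __name__ == "__main__":
    # Constructed sample messages of different true lengths.
    for message in ("NO", "ATTACK", "RETREATNOW"):
        c = encrypt(message, random_keyword())
        print(f"{message:<10} -> {c} (length {len(c)})")
    c = encrypt("ATTACK", random_keyword())
    print("key making it RETREAT:", key_explaining(c, "RETREAT"))
```

Every ciphertext printed has length M whatever the true message length, and `key_explaining` returns a valid keyword for any candidate plaintext, so the ciphertext alone rules nothing out.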
This one-time pad also reveals a redeeming (but not very useful) property of
the Caesar Cipher. Since it can be thought of as a Vigenère Cipher with keyword
of length one, we see immediately that if we only send a single letter of ciphertext,
choose the Caesar Cipher key randomly, and use that key only once, then the
Caesar Cipher has perfect secrecy. Unfortunately there are not many applications
for such a cryptosystem!
CONSEQUENCES OF KEY REUSE IN A ONE-TIME PAD
Recall that an important property of a one-time pad is that keys should only be
used once. We now demonstrate why this is the case. To keep things really simple
we will use the Caesar Cipher one-time pad to encrypt single letter plaintexts.
 