Cryptography Reference
In-Depth Information
Suppose that two plaintext letters
P
1
and
P
2
have been encrypted using the
same
one-time pad key
K
(in other words key
K
has been used twice) to produce
two ciphertext letters
C
1
and
C
2
. This means that an attacker knows that both
C
1
and
C
2
have arisen by shifting
P
1
and
P
2
the same number of positions. Thus the
attacker learns that the number of letters between
C
1
and
C
2
is the same as the
number of letters between
P
1
and
P
2
. This does not immediately tell the attacker
what either
P
1
or
P
2
is, but it is certainly information that the attacker did not
have before.
We can make this statement more precise by using the mathematical
description of the Caesar Cipher from Section 2.1.1 (this requires a basic
understanding of modular arithmetic, which we do not properly introduce until
Section 5.1.3, so can be skipped if preferred). We have:
C
1
=
P
1
+
K
mod 26
C
2
=
P
2
+
K
mod 26
.
Since an attacker can see
C
1
and
C
2
, the attacker can subtract
C
1
from
C
2
to get:
C
2
−
C
1
=
(
P
2
+
K
)
−
(
P
1
+
K
) mod 26
=
P
2
−
P
1
mod 26
,
since the keys
K
cancel each other out. Thus the attacker learns the value
P
2
−
P
1
,
which is the 'difference' between plaintext
P
2
and plaintext
P
1
.
Could this relationship between
P
1
and
P
2
be of any real use to the attacker?
An example to illustrate that it
could
be of use is as follows. Suppose that the
single letter plaintexts represent two different days of the month within a 26-day
period on which a major advertising campaign will be run. Alice encrypts these
two days using the same key
K
and sends them to her colleague Bob. The attacker
comes from a rival firm who wishes to know the campaign days. By learning the
difference between
P
2
and
P
1
the attacker does not learn the dates of the campaign,
but does learn the number of days between the two events. This in itself might be
useful. The point here is that seeing two ciphertexts encrypted using the same key
gives away
some
information about the plaintexts. Thus the property of perfect
secrecy is lost if we reuse a one-time pad key.
Things get much more serious as soon as the first advertising campaign is
actually run on date
P
1
. Since the attacker knows the difference between the
launch days, they can now work out the date
P
2
of the second run. Even worse,
since the attacker now knows a corresponding plaintext/ciphertext pair, they can
determine the key by working out the shift that was used. This can also be written
mathematically as:
C
1
−
P
1
=
(
P
1
+
K
)
−
P
1
=
K
mod 26
.
Any further ciphertexts encrypted using key
K
can now be decrypted by the
attacker.
