The above attack is an example of a known-plaintext attack (see Section 1.5.2).
Note that this is not indicative of a problem with the notion of perfect secrecy,
since perfect secrecy is based on an interceptor who conducts ciphertext-only
attacks. The attack does, however, reinforce the point that one-time pad keys
should only be used once.
ONE-TIME PAD FROM A LATIN SQUARE
We can generalise the simple cryptosystem from Section 3.1.2 to obtain another
one-time pad. This version is represented by a square table that has n rows,
n columns and n different table entries (values appearing in the table). The
cryptosystem in Table 3.1 is an example of this table for the case n = 2. Just
as in the cryptosystem in Table 3.1, we associate:
• the n rows of the table with n different keys;
• the n columns of the table with n different plaintexts;
• the n different entries in the table with n different ciphertexts;
• the encryption of a plaintext (column) using a key (row) with the table entry
in the row corresponding to the key and the column corresponding to the
plaintext.
This table is public information and represents a full description of the
cryptosystem. It is essentially a look-up table, where the ciphertext for any
plaintext and key can be obtained by inspection. The only difference between
the sender/receiver and the adversary is that the sender/receiver know which row
of this look-up table to use. But this is a very significant difference.
Note that every possible plaintext is associated with a column of the table.
Hence the plaintext LION might be the 17th column and the plaintext TIGER
might be the 149th column. How this is done is not important; what is important
is that the association is made. By doing so, in this one-time pad we do not
have to worry about the issue of the length of the ciphertext giving away any
information. This is because the plaintext length is no longer revealed by a
ciphertext since the 'mapping' from plaintexts to columns has protected us from
this issue.
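The look-up-table cryptosystem described above, as an added Python example (not code from the book). The cyclic table, the six-word plaintext list and all function names are assumptions made for illustration; the column check uses the standard definition of a Latin square, and decryption rejects any row that repeats an entry.

```python
import secrets

# Constructed sample: six plaintexts, one per column (the mapping is arbitrary).
PLAINTEXTS = ["LION", "TIGER", "BEAR", "WOLF", "LYNX", "PUMA"]

def cyclic_square(n):
    """Public n x n table: entry in row k (key), column p (plaintext) is (k + p) mod n."""
    return [[(k + p) % n for p in range(n)] for k in range(n)]

def rows_are_permutations(table):
    """True if every row contains each of the n entries exactly once."""
    n = len(table)
    return all(len(row) == n and set(row) == set(range(n)) for row in table)

def columns_are_permutations(table):
    """Same check on the transposed table (standard Latin square definition)."""
    return rows_are_permutations([list(col) for col in zip(*table)])

def encrypt(table, key, plaintext):
    """Ciphertext is the entry in the key's row and the plaintext's column."""
    return table[key][PLAINTEXTS.index(plaintext)]

def decrypt(table, key, ciphertext):
    """Search the key's row for the ciphertext; refuse if it is not unique."""
    cols = [p for p, c in enumerate(table[key]) if c == ciphertext]
    if len(cols) != 1:
        raise ValueError("row %d does not decrypt %d uniquely" % (key, ciphertext))
    return PLAINTEXTS[cols[0]]

def consistent_keys(table, ciphertext):
    """Adversary's view: for each plaintext, the keys that give this ciphertext."""
    n = len(table)
    return {PLAINTEXTS[p]: [k for k in range(n) if table[k][p] == ciphertext]
            for p in range(n)}

if __name__ == "__main__":
    table = cyclic_square(len(PLAINTEXTS))
    key = secrets.randbelow(len(table))  # fresh, uniformly random row per message
    c = encrypt(table, key, "TIGER")
    print("ciphertext:", c, "decrypts to:", decrypt(table, key, c))
    # Every plaintext is explained by exactly one key, so c rules nothing out.
    print(consistent_keys(table, c))
```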
Such a look-up table could be constructed for any cryptosystem, including
modern cryptosystems using AES (see Section 4.5). However, the size of the table
(the number of rows and columns) would be so large that there is no point in even
beginning to consider trying to represent the likes of AES as such a table. For AES
this table would have 2^128 columns and at least 2^128 rows!
For such a table to form the basis of a one-time pad and hence offer perfect
secrecy, we need to have the following two properties:
Every row contains every table entry precisely once. A table without this
property is not a cryptosystem. This is because some row (key) K must
contain some table entry (ciphertext) C at least twice. If Alice and Bob choose
key K and Alice sends ciphertext C, then Bob will not know which of the