3

What would be the recipe to add error propagation to a one time pad? I.e. if I change a single letter in the clear text message, I want the encrypted message to change starting from that letter and up to the end of the encrypted message.

CodesInChaos
daruma
  • You could encrypt the message with a conventional cipher (perhaps AES-SIV) or an unkeyed all-or-nothing transformation before encrypting with the one-time-pad. – CodesInChaos Oct 01 '15 at 11:18
  • 2
    What's the goal of this modification? Which security properties do you want to achieve? In modern crypto it's standard practice to use a MAC to reject any modified ciphertexts. There are even MACs secure against computationally unbounded adversaries, which pair ideally with the one-time-pad. – CodesInChaos Oct 01 '15 at 11:21
  • use GF multiplication for "key addition", and run the whole thing in 8-bit CBC? – Richie Frame Oct 01 '15 at 11:25
  • @RichieFrame: nit, $GF(2^{8})$ multiplication wouldn't work, as a 0 in the pad would kill things. However, $GF(257)$ multiplication (with the convention that the 0x00 byte stands for the value 256) would work. – poncho Oct 01 '15 at 13:13
  • @CodesInChaos The goal of the modification is to relax the constraint that no two messages should be encrypted with the same random stream. – daruma Oct 01 '15 at 13:34
  • 1
    @UnixJunkie, that goal is unachievable. The information theoretic security of OTP relies on its one-timeness. – otus Oct 01 '15 at 14:00
  • I was thinking about something using a random number and 8-bit CBC. – daruma Oct 01 '15 at 14:01
  • I agree with @otus’ comment: what you’re describing will result in a construction that you then can’t call OTP anymore, as it will fail the most important requirement(s) that define OTP. Yet, @CodesInChaos’ comment points to (what I think is) the most logical alternative solution: use OTP & MAC (in correct order). – e-sushi Oct 02 '15 at 01:47

1 Answer

1

What you are actually looking for, which is a way to reuse a one-time pad, is not possible. For OTP reuse to be in any way secure, you need an algorithm with enough "complexity" to be a secure cipher (where the "pad" is actually a key).

For example, in the comments you raise the idea of including a random number and using the 8-bit CBC that Richie Frame and poncho mention. That would not work, because a known plaintext attack would reveal the pad, and the encryption of each byte would only depend on the encrypted value of the previous byte (known) and the pad at that point (recovered after a known plaintext attack).

For the title question the CBC idea is a valid answer, but it does not seem very useful. There is also a complementary question: is there a way to cause changes in the ciphertext to propagate through the plaintext? There e.g. the PCBC mode would work, but again I do not know how useful that is.

As for actual suggestions, if you cannot handle the unique pad requirement of OTP (which is common), you should use a conventional cipher like AES. Preferably in authenticated encryption, so that error propagation does not need to be worried about.

otus
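The known-plaintext weakness described in the answer above, as an added example that is not part of the original post or its comments. It assumes the construction from the comments is c_i = (p_i XOR c_{i-1}) · pad_i in GF(257) with a public random IV byte; the function names and the sample messages are constructed for illustration.

```python
import secrets

P = 257  # prime; bytes map onto the nonzero elements 1..256 (0x00 stands for 256)

def mul(a, b):
    """Multiply two bytes as elements of GF(257); the result is never zero."""
    return ((a or 256) * (b or 256) % P) % 256

def inv(a):
    """Multiplicative inverse of a byte in GF(257)."""
    return pow(a or 256, -1, P) % 256

def encrypt(pad, iv, msg):
    """c_i = (p_i XOR c_{i-1}) * pad_i, with c_{-1} = iv (sent in the clear)."""
    out, prev = [], iv
    for k, m in zip(pad, msg):
        prev = mul(m ^ prev, k)
        out.append(prev)
    return bytes(out)

def decrypt(pad, iv, ct):
    out, prev = [], iv
    for k, c in zip(pad, ct):
        out.append(mul(c, inv(k)) ^ prev)
        prev = c
    return bytes(out)

def recover_pad(iv, known_pt, ct):
    """pad_i = c_i / (p_i XOR c_{i-1}): with known plaintext, nothing here is secret."""
    out, prev = [], iv
    for m, c in zip(known_pt, ct):
        out.append(mul(c, inv(m ^ prev)))
        prev = c
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample data: one pad reused for two messages that differ in one letter.
    pad = secrets.token_bytes(26)
    m1 = b"pay 100 to alice by friday"
    m2 = b"pay 900 to alice by friday"
    iv1, iv2 = secrets.randbelow(256), secrets.randbelow(256)
    # Propagation works: with equal IVs the ciphertexts differ from the changed letter on.
    a, b = encrypt(pad, iv1, m1), encrypt(pad, iv1, m2)
    print("first differing ciphertext byte:", next(i for i in range(26) if a[i] != b[i]))
    # Reuse still fails: knowing m1 yields the pad, which then decrypts m2.
    c1, c2 = encrypt(pad, iv1, m1), encrypt(pad, iv2, m2)
    print(decrypt(recover_pad(iv1, m1, c1), iv2, c2))
```

The chaining gives the propagation the question asks for, yet every pad byte falls out of one known message, which is why the answer recommends a conventional cipher with authenticated encryption instead.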