5

If you have a channel where you are communicating using a one time key, is it possible to receive additional key over that same connection without compromising security?

Naively sending it through the same encrypted channel would of course consume the pad at the same rate that you refill it, but maybe there's a more clever way?

Presumably brute forcing would yield the dictionary both when run against encrypted data and against the pad used to encypt future messages, since both look like (or are) random data.

Filip Haglund
  • 1,043
  • 1
  • 8
  • 17
  • Are you talking about the one time pad which has a key as long as the message or about symmetric ciphers which have very short key for long messages (ie sending a new short, symmetric key over an already-established channel for subsequent communication)? – SEJPM Mar 08 '17 at 01:21
  • 2
    @PaulUszak If you send a new pad $O_2$ encrypted with pad $O_1$, and then send plaintext message $M$ encrypted with $O_2$, you can do $C_1 \oplus C_2 = O_1 \oplus O_2 \oplus O_2 \oplus M = O_1 \oplus M$, but then the message would still be encrypted with the one-time pad $O_1$. – knbk Mar 08 '17 at 09:53
  • Is xor the only possible operation? For example, cyclically shifting bits in a block at a time a certain number of steps according to the pad should avoid the "cancelling out" issue of xor. Doing both, i.e. shift(pad2, xor(pad, x)) should avoid the issue. This might of course have some other security implication (like eating some aditional entropy for the shift part), but something other than xor should work, right?. – Filip Haglund Mar 08 '17 at 18:22
  • 1
    Nope, because it is not theoretically possible to get perfect security when the key (stream) is smaller than what is encrypted. So whichever operation you try, you won't get the security promised by a one-time-pad. If it is sufficient security is a different matter. But if you just require sufficient security then a stream cipher would do as well. OTP is generally useful as a theoretical construction, especially in security proofs. – Maarten Bodewes Mar 11 '17 at 01:07
  • 1
    Quantum key distribution does this specifically now. That's cleverer, but is that what you mean? – Paul Uszak Jul 29 '19 at 12:16

1 Answers1

7

No, using a one-time-pad to encrypt another key stream is futile, as the original key stream must be at least the same size as the message you're trying to encrypt. So the amount of bits used from the current key stream will at least equal the amount of bits transmitted. For a one-time-pad the key stream must be at least the same size as the plaintext message to achieve information theoretical security. XOR is not the only operation that encrypts the message using the key stream, but no other operation will allow a key stream smaller than the message by definition.

The more clever way is to use a stream cipher. A stream cipher generates the key stream from a statically sized key. This key can be any size, but sizes of 128 bits to 256 bits give the required key strength against brute force attacks. A stream cipher doesn't provide perfect security but it does give you practical security - even against quantum computing based analysis, given a large enough key size.

For transport security you also want to protect against leaking information by message size, plaintext oracles and side channel attacks - particularly time based side channels (presuming that the processor itself is in a secure location).

Furthermore you probably want to protect your message integrity and authenticity by using an authentication tag (using a MAC or AEAD scheme). A one-time-pad - by itself - does not provide integrity or message authentication.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • I hope this extended answer answers the question even better. Please consider accepting the answer if it meets your requirements. Otherwise please indicate what's wrong or missing. – Maarten Bodewes Jul 29 '19 at 09:38