## One-Time Pad Reuse Distinguisher and Decryption Attack

I have always been intrigued by the One-Time Pad since it provides perfect secrecy. Any plaintext properly encrypted with this method can never be decrypted, no matter how long one tries (even given infinite computing power). It has been known for some time that using an OTP more than once, however, is insecure. The question I always had was how do you detect a misuse like that. I recently stumbled across a paper from Black Hat Europe 2010 which explained the answer (the paper talks about stream ciphers and block ciphers under certain modes, but it applies to the OTP also).

The basic idea is that the OTP (and stream ciphers) takes a random stream of bits with a length equal to the plaintext and XORs the two together. Thus if the plaintext is P and the random stream is R, the ciphertext is C = P XOR R.

The question is can we distinguish between the following two cases? 1) Two plaintexts, P1 and P2, and two different random streams R1 and R2, results in two random ciphertexts, C1 = P1 XOR R1, C2 = P2 XOR R2. 2) Two plaintexts, P1 and P2, but only one random stream, R1, results in two random ciphertexts, C1 = P1 XOR R1, C2 = P2 XOR R1.

The answer is based on the expected number of 1’s and 0’s from XORing ciphertexts. In the first case, we have C1 XOR C2 = P1 XOR R1 XOR P2 XOR R2, which should be random (i.e. the number of 1’s and 0’s in the resulting binary stream should be roughly equal). In the second case, we have C1 XOR C2 = P1 XOR R1 XOR P2 XOR R1 = P1 XOR P2. In this case, the result P1 XOR P2 will have a distribution of 1’s and 0’s very different from the first case. Thus, by counting 1’s and 0’s of the XORed ciphertexts, one can distinguish between the two cases. This, by itself, leaks one bit of information to the cryptanalyst; were the two ciphertexts encrypted with the same random stream? In the paper, they go on to show how, using properties of the language of the plaintexts, one can decrypt the ciphertexts which were encrypted with the same random stream without knowing the random stream.