On Thu, Aug 01, 2013 at 07:37:59AM -0700, Andy Isaacson wrote:
> Since a OTP depends critically on never using the same pad to encrypt
> multiple plaintexts, it conversely also depends on the same pad only
> decrypting a single ciphertext. If a onetime implementation implements
> a decryption oracle, an attacker can almost certainly leverage multiple
> decryption attempts with timing or error discrimination to break the pad
> entirely.

Sorry, meant to add -- therefore, it's important that onetime record
that a given range of pad is consumed *on decryption* and is only used,
thereafter, to decrypt the identical ciphertext.

-andy
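
One way to implement the rule described in this message, as an added example that is not part of the original email and not onetime's own code: a ledger that marks a pad range as consumed on decryption and afterwards accepts only the identical ciphertext for that range. The `PadLedger` class, its in-memory storage and the sample pad are assumptions made for illustration.

```python
import hashlib
import hmac


class PadLedger:
    """Hypothetical decrypt-side ledger (not onetime's actual format).

    Each consumed pad range is bound to the SHA-256 digest of the one
    ciphertext it decrypted. A real tool would persist this record durably
    before releasing plaintext; a dict is used here to keep the example short.
    """

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = {}  # (start, end) -> digest of the ciphertext seen there

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        start, end = offset, offset + len(ciphertext)
        if offset < 0 or end > len(self._pad):
            raise ValueError("range outside pad")
        digest = hashlib.sha256(ciphertext).digest()
        for (s, e), seen in self._used.items():
            if start < e and s < end:  # requested range overlaps a consumed one
                same = (s, e) == (start, end) and hmac.compare_digest(seen, digest)
                if not same:
                    # One generic error, so failures do not discriminate
                    # between "wrong bytes" and "wrong range".
                    raise PermissionError("pad range already consumed")
        self._used[(start, end)] = digest  # record before returning plaintext
        return bytes(c ^ p for c, p in zip(ciphertext, self._pad[start:end]))


def demo():
    pad = bytes(range(64))  # constructed sample pad; a real pad is random
    ledger = PadLedger(pad)
    ct = bytes(a ^ b for a, b in zip(b"meet at noon", pad[8:20]))
    first = ledger.decrypt(8, ct)
    again = ledger.decrypt(8, ct)  # identical ciphertext: still allowed
    tampered = bytes([ct[0] ^ 1]) + ct[1:]
    results = []
    # Modified ciphertext, partial overlap, then a fresh range.
    for off, c in ((8, tampered), (10, ct[:4]), (30, b"\x00\x00")):
        try:
            ledger.decrypt(off, c)
            results.append("ok")
        except PermissionError:
            results.append("refused")
    return first, again, results
```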
