On Thu, Aug 01, 2013 at 05:22:48PM +0200, Alexander Kjeldaas wrote: > On Thu, Aug 1, 2013 at 5:01 PM, Andy Isaacson <[email protected]> wrote: > > On Thu, Aug 01, 2013 at 07:37:59AM -0700, Andy Isaacson wrote: > > > Since a OTP depends critically on never using the same pad to encrypt > > > multiple plaintexts, it conversely also depends on the same pad only > > > decrypting a single ciphertext. If a onetime implementation implements > > > a decryption oracle, an attacker can almost certainly leverage multiple > > > decryption attempts with timing or error discrimination to break the pad > > > entirely. > > > > Sorry, meant to add -- > > > > therefore, it's important that onetime record that a given range of pad > > is consumed *on decryption* and is only used, thereafter, to decrypt > > the identical ciphertext. > > If this is true in a strict sense, it means that any protocol that use > retransmission is incompatible with OTP.
You just have to retransmit the identical ciphertext and you're fine. -andy -- Liberationtech list is public and archives are available via Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
