[Cryptography] Non-Authenticated Key Agreement

Natanael natanael.l at gmail.com
Wed Sep 23 07:19:49 EDT 2015

On Wed, Sep 23, 2015 at 7:11 AM, Davy Durham <ddurham at davyandbeth.com>

> Given an encrypt (and decrypt, for that matter) function based the
> one-time pad idea:
>     E(d, k) = d xor k
> Alice wishes to send Bob a piece of information d.  Alice and Bob have not
> exchanged any information previously.
> Alice makes up a random key, ka, and Bob makes up a random key, kb.
> The following sequence diagram allows Alice to send d to Bob while the d
> remains protected from eavesdropping in between.
>    Alice                                           Bob
> d = data
> ka = random bits
> d' = E(d, ka)
>                          d'
>       ---------------------------------------->
>                                               kb = random bits
>                                               d'' = E(d', kb)
>                          d''
>       <----------------------------------------
> d''' = E(d'', ka)
>                          d'''
>       ---------------------------------------->
>                                               d = E(d''', kb)
> d' = d XOR ka
d'' = d XOR ka XOR kb
d''' = d XOR ka XOR kb XOR ka = d XOR kb

All off these are public. See the problem yet? Hint: Key reuse.

kb = d' XOR d''
d = d''' XOR kb

Or in other words, d' XOR d'' XOR d''' = d. This is because each XOR key is
repeated in even numbers, where each version have exactly one difference in
which ones are applied. A XOR B XOR B = A.

XOR encryption is only considered secure if the same unpredictable key
material NEVER is used for more than exactly one plaintext

Even if you managed to make it work with uneven numbers of applications,
the reuse still reveals statistics about the plaintext.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150923/274e83a8/attachment.html>

More information about the cryptography mailing list