- block-cipher pseudo-random-generator one-time-pad
- Updated Fri, 20 May 2022 02:23:29 GMT

Let $k$ be a randomly generated $n$-bit string, and $m$ an $n$-bit message. Then putting $c = m \oplus k$ is the one-time pad and is perfectly secure. Now assume the transmitter and receiver wanted to share more messages: then they could publicly choose a random $n$-bit string $b$, and then by putting $k' = b \oplus k$ they have obtained a new random key, which they can again use to encrypt a new message $m'$ with perfect secrecy.

I am wondering why such a cipher is not used. The only reason I can think of is that if the attacker obtains a single plaintext message, they can decrypt all past and future messages, which is clearly not good, and thus the reason it is not used. Are there any other reasons I am missing?

Further, couldn't this be used to create a random bit generator? That is, the seed is a random $n$-bit string, and the publicly known generator will XOR $k$ random but publicly known $n$-bit strings with the seed $k$, to generate a random sequence of length $kn$. Naturally, the reason I am assuming this is not a good random number generator is that, again, if the attacker learns the internal state they can obtain all past and future bits. Are there any other reasons this is not good?

As @kelalaka pointed out, OTP is not differentially secure. In addition it has the property, like all additive ciphers which work by modular addition of a keystream, that the keystream and the plaintext have symmetric roles.

What I mean is that your suggestion to add the string $b$ to the key $k$ is essentially equivalent to the weakness resulting from reusing plaintext, as in VENONA.

The constant $b$ is visible to differential attacks, such as crib dragging. In this case, it is the keystream that is differentially deficient.

- +0 – Are you able to say roughly what crib dragging is? — May 22, 2020 at 23:56
- +1 – @GEG crypto.stackexchange.com/search?tab=votes&q=crib%20drag — May 23, 2020 at 00:03
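The following is an added worked example, not code from the question or the answer above, that makes the answer's point concrete for both constructions in the question: with a public $b$, the ciphertexts under $k$ and $k' = b \oplus k$ differ from a two-time pad only by a known constant, so $c \oplus c' \oplus b = m \oplus m'$ and the attacker can crib-drag exactly as against key reuse; and for the "generator", one known output block reveals the seed and therefore every other block, while the XOR of any two output blocks is a public constant. The messages, keys and public strings are constructed for the demonstration; the helper names (`encrypt_two`, `crib_drag`, `generator`, ...) are this example's own.

```python
"""
Added example (not from the original question or answer): why k' = b XOR k
with a public b yields no fresh secrecy, and why y_i = seed XOR b_i with
public b_i is not a random bit generator. Inputs are constructed here.
"""
import os


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the one-time pad operation)."""
    assert len(a) == len(b), "one-time pad needs equal lengths"
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_two(m1: bytes, m2: bytes, k: bytes, b: bytes):
    """Encrypt m1 under k and m2 under k' = b XOR k, as the question proposes."""
    k_prime = xor(b, k)
    return xor(m1, k), xor(m2, k_prime)


def recover_plaintext_xor(c1: bytes, c2: bytes, b: bytes) -> bytes:
    """Attacker view: c1, c2 and the public b, but not k.
    c1 XOR c2 XOR b = (m1 XOR k) XOR (m2 XOR b XOR k) XOR b = m1 XOR m2,
    i.e. the same leakage as a two-time pad (key reuse)."""
    return xor(xor(c1, c2), b)


def crib_drag(pt_xor: bytes, crib: bytes):
    """Slide a guessed plaintext fragment ('crib') along m1 XOR m2. At each
    offset the XOR gives the bytes the *other* message would have to contain;
    offsets whose implied bytes are all printable ASCII are plausible hits."""
    hits = []
    for i in range(len(pt_xor) - len(crib) + 1):
        implied = xor(pt_xor[i:i + len(crib)], crib)
        if all(32 <= c < 127 for c in implied):
            hits.append((i, implied.decode("ascii")))
    return hits


def generator(seed: bytes, public_strings):
    """The proposed 'random bit generator': output_i = seed XOR b_i."""
    return [xor(seed, b) for b in public_strings]


def recover_seed_and_outputs(known_output: bytes, known_index: int, public_strings):
    """One known output block gives the seed (seed = y_i XOR b_i), hence all
    past and future blocks; no other state exists to protect them."""
    seed = xor(known_output, public_strings[known_index])
    return seed, generator(seed, public_strings)


if __name__ == "__main__":
    # Constructed sample messages, both 16 bytes.
    m1, m2 = b"attack at dawn!!", b"retreat at dusk!"
    k, b = os.urandom(16), os.urandom(16)      # k secret, b public
    c1, c2 = encrypt_two(m1, m2, k, b)
    leak = recover_plaintext_xor(c1, c2, b)
    print("m1 XOR m2 recovered:", leak == xor(m1, m2))
    print("crib ' at ' hits:", crib_drag(leak, b" at "))

    pub = [os.urandom(16) for _ in range(4)]
    seed = os.urandom(16)
    outs = generator(seed, pub)
    rec_seed, rec_outs = recover_seed_and_outputs(outs[2], 2, pub)
    print("seed recovered from one block:", rec_seed == seed and rec_outs == outs)
    print("y0 XOR y1 is the public b0 XOR b1:", xor(outs[0], outs[1]) == xor(pub[0], pub[1]))
```

Note that nothing here depends on the value of $k$ or the seed: the attack works for every key, which is exactly what "the keystream is differentially deficient" means, and it is why the answer equates the $b \oplus k$ scheme with the VENONA-style key reuse the crib-dragging search in the comment links to.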