
Why is it that the one-time pad can only be used once?

Suppose we have two plaintext messages P1 and P2, encrypted as C1 = P1 ⊕ K and C2 = P2 ⊕ K; that is, we have two messages encrypted with the same “one-time” pad K. In the cryptanalysis business, this is known as a depth. In the case of a one-time pad in depth,
C1 ⊕ C2 = P1 ⊕ K ⊕ P2 ⊕ K = P1 ⊕ P2
and the key has disappeared from the problem. This cannot be good for anyone except for Trudy, the cryptanalyst.
Let’s consider a specific example of a one-time pad in depth. Using the same bit encoding as in Table 2.1, suppose we have
P1 = like = 100 010 011 000 and P2 = kite = 011 010 111 000
and both are encrypted with the same key K = 110 011 101 111. Then
       l   i   k   e
P1:   100 010 011 000
K:    110 011 101 111
C1:   010 001 110 111
       i   h   s   t
and
       k   i   t   e
P2:   011 010 111 000
K:    110 011 101 111
C2:   101 001 010 111
       r   h   i   t
If Trudy the cryptanalyst knows that the messages are in depth, she immediately sees that the second and fourth letters of P1 and P2 are the same, since the corresponding ciphertext letters are identical. But far more devastating is the fact that Trudy can now guess a putative message P1 and check her results using P2. Suppose that Trudy—who only has C1 and C2—suspects that
putative P1 = kill = 011 010 100 100.
Then she can find the corresponding putative key
                k   i   l   l
putative P1:   011 010 100 100
C1:            010 001 110 111
putative K:    001 011 010 011
and she can then use this K to “decrypt” C2 and obtain
C2:            101 001 010 111
putative K:    001 011 010 011
putative P2:   100 010 000 100
                l   i   e   l
Since this K does not yield a sensible decryption for P2, Trudy assumes that her guess
for P1 was incorrect. When Trudy eventually guesses P1 = like she will obtain the
correct key K and decrypt P2 = kite, thereby confirming the correctness of the key
and the correctness of both decryptions.
3.2.1 A5/1
The first stream cipher that we’ll examine is A5/1, which is used by GSM cell phones for confidentiality. This algorithm has an algebraic description, but it also can be illustrated via a relatively simple picture. We’ll give both descriptions here.
A5/1 employs three linear feedback shift registers [95], or LFSRs, which we’ll label X, Y, and Z. Register X holds 19 bits, which we label (x0, x1, . . . , x18). The register Y holds 22 bits (y0, y1, . . . , y21), and Z holds 23 bits (z0, z1, . . . , z22). It’s no accident that the three LFSRs hold a total of 64 bits: the key K is 64 bits, and the key is used as the initial fill of the three registers. After these three registers are filled with the key, we are ready to generate the keystream. But before we can describe the keystream, we need to discuss the registers X, Y, and Z in more detail.
When register X steps, the following occurs:
t = x13 ⊕ x16 ⊕ x17 ⊕ x18
xi = xi−1 for i = 18, 17, 16, . . . , 1
x0 = t
Similarly, for registers Y and Z, each step consists of
t = y20 ⊕ y21
yi = yi−1 for i = 21, 20, 19, . . . , 1
y0 = t
and
t = z7 ⊕ z20 ⊕ z21 ⊕ z22
zi = zi−1 for i = 22, 21, 20, . . . , 1
z0 = t
respectively.
Given three bits x, y, and z, define maj(x, y, z) to be the “majority vote” function; that is, if the majority of x, y, and z are 0, then the function returns 0, otherwise it returns 1.
A5/1 is implemented in hardware, and at each clock pulse the value
m = maj(x8, y10, z10)
is computed. Then the registers X, Y , and Z step according to the
following rules:
If x8 = m then X steps
If y10 = m then Y steps
If z10 = m then Z steps
Finally, a keystream bit s is generated as
s = x18 ⊕ y21 ⊕ z22
which is then XORed with the plaintext (if encrypting) or XORed with the ciphertext (if decrypting).
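As an added example (not code from the textbook), here is the keystream generator described above modelled in Python exactly as the text specifies it: the 64-bit key as the direct initial fill of X, Y and Z, majority-controlled clocking on x8, y10 and z10, and s = x18 ⊕ y21 ⊕ z22 after each clock pulse. The split of the key bits as 19/22/23 in that order is an assumption, and the real GSM cipher also mixes in a frame number and runs a warm-up phase that this chapter omits, so the model is for understanding the clocking rule, not for interoperating with GSM.

```python
from typing import List, Tuple


def maj(x: int, y: int, z: int) -> int:
    """Majority vote of three bits: 0 if at least two are 0, otherwise 1."""
    return 1 if x + y + z >= 2 else 0


class A5_1:
    """A5/1 keystream generator as described in the text: X (19), Y (22), Z (23)."""

    def __init__(self, key_bits: List[int]) -> None:
        if len(key_bits) != 64 or any(b not in (0, 1) for b in key_bits):
            raise ValueError("key must be a list of 64 bits")
        # Initial fill straight from the key; the 19/22/23 split order is an assumption.
        self.x = list(key_bits[0:19])
        self.y = list(key_bits[19:41])
        self.z = list(key_bits[41:64])

    @staticmethod
    def _step(reg: List[int], taps: Tuple[int, ...]) -> None:
        """t = XOR of the tap bits; r_i = r_{i-1} for i = n-1 .. 1; r_0 = t."""
        t = 0
        for i in taps:
            t ^= reg[i]
        reg[1:] = reg[:-1]  # shift every bit one position toward the high end
        reg[0] = t

    def clock(self) -> Tuple[bool, bool, bool]:
        """One clock pulse: m = maj(x8, y10, z10); a register steps iff its bit equals m."""
        m = maj(self.x[8], self.y[10], self.z[10])
        step_x, step_y, step_z = self.x[8] == m, self.y[10] == m, self.z[10] == m
        if step_x:
            self._step(self.x, (13, 16, 17, 18))
        if step_y:
            self._step(self.y, (20, 21))
        if step_z:
            self._step(self.z, (7, 20, 21, 22))
        return step_x, step_y, step_z

    def keystream(self, n: int) -> List[int]:
        """Generate n keystream bits, s = x18 ^ y21 ^ z22 after each clock pulse."""
        out = []
        for _ in range(n):
            self.clock()
            out.append(self.x[18] ^ self.y[21] ^ self.z[22])
        return out


def a5_1_crypt(key_bits: List[int], data_bits: List[int]) -> List[int]:
    """XOR data bits with a fresh keystream; the same call encrypts and decrypts."""
    ks = A5_1(key_bits).keystream(len(data_bits))
    return [d ^ k for d, k in zip(data_bits, ks)]
```

Note that at least two of the three registers step on every clock pulse, since at least two of x8, y10, z10 always agree with the majority.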
Although this may seem like a complicated way to generate a single
keystream bit, A5/1 is easily implemented in hardware and can
generate bits at a rate proportional to the clock speed. Also, the
number of keystream bits that can be generated from a single 64-bit
key is virtually unlimited—though eventually the keystream will repeat.
The A5/1 algorithm has a simple “wiring diagram” representation, as illustrated in Figure 3.1.
See [26] for more discussion of A5/1.
The A5/1 algorithm is representative of a large class of ciphers that are based on shift registers and implemented in hardware. These systems were once the kings of symmetric key crypto, but in recent years the block cipher has clearly taken over that title. And where a stream cipher is used today, it is likely to be RC4, which we’ll discuss next.
Historically, shift register based stream ciphers were needed in order
to keep pace with bit streams (such as audio) that are produced at a
relatively high data rate. In the past, software-based crypto could not
generate bits fast enough for such applications.
Today, however, there are few applications for which software-based crypto is not appropriate. This is one of the primary reasons why block ciphers are on the ascendancy.
