
Even if you make this assumption it still wouldn't be a successful attack because OTP makes no security claims if the key is re-used. If there's no security claim there's nothing to attack to begin with.



It would still be a successful attack for the purposes of the definition of CCA secure.

In the CCA experiment, an attacker is given access to a decryption oracle that has used the same key as the challenge message.


The definition of CCA is then simply incompatible with the definition of an OTP. Making the question whether OTP is vulnerable to CCA meaningless.


That’s not true at all.

You can make an oracle for whatever you want. That’s why it’s an oracle.


It absolutely is true.

I can declare that my "brazzy attack" involves an oracle that for any given cipher text gives me the key it was encrypted with. Wow, all modern ciphers are vulnerable to it, the only thing that resists it is keeping the algorithm secret!

Just because you can think of something doesn't mean it makes sense.


I’m not sure what point you were trying to make. I think you accidentally made the opposite point. Indeed your definition would imply that all modern ciphers are not Brazzy-secure. I’m not sure why this matters to you.

No one is saying that the fact that OTP cipher is not CCA secure is practically relevant.

But the fact of the matter is that a cryptosystem being CCA secure is defined as we discussed and the OTP cipher does not meet the requirements.


I think we're largely in agreement then, but I still believe that it makes more sense to say that the definitions of OTP and CCA are incompatible and therefore it's just meaningless to apply one to the other.
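
The CCA experiment described in this thread, run against a one-time pad, as an added example that is not part of any comment above. The `OTPChallenger` class, the two 16-byte messages and the single-bit tweak are assumptions chosen for illustration.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class OTPChallenger:
    """Challenger in the CCA game: the decryption oracle uses the same
    key as the challenge ciphertext, exactly as the experiment defines."""
    def __init__(self, length):
        self.key = secrets.token_bytes(length)
        self.bit = secrets.randbelow(2)      # hidden choice between m0 and m1
        self.challenge_ct = None

    def challenge(self, m0, m1):
        if not (len(m0) == len(m1) == len(self.key)):
            raise ValueError("messages must match the key length")
        self.challenge_ct = xor((m0, m1)[self.bit], self.key)
        return self.challenge_ct

    def decrypt_oracle(self, ct):
        # The only restriction in the game: the challenge itself is off limits.
        if ct == self.challenge_ct:
            raise PermissionError("challenge ciphertext may not be queried")
        if len(ct) != len(self.key):
            raise ValueError("ciphertext must match the key length")
        return xor(ct, self.key)

def adversary(challenger, m0, m1):
    """Guess the hidden bit using one oracle query on a related ciphertext."""
    c = challenger.challenge(m0, m1)
    tweak = bytes([1]) + bytes(len(c) - 1)   # flip one bit so ct != challenge
    plaintext = challenger.decrypt_oracle(xor(c, tweak))
    recovered = xor(plaintext, tweak)        # XOR malleability undoes the flip
    return 0 if recovered == m0 else 1

def win_rate(trials=200):
    # Constructed sample messages, both 16 bytes long.
    m0, m1 = b"message-number-0", b"message-number-1"
    wins = 0
    for _ in range(trials):
        ch = OTPChallenger(len(m0))
        wins += adversary(ch, m0, m1) == ch.bit
    return wins / trials

if __name__ == "__main__":
    print(win_rate())
```

A CCA-secure scheme would hold the adversary's win rate near 1/2; an authenticated scheme achieves that by rejecting the modified ciphertext instead of decrypting it.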



