| > My first thought for a “fill” algorithm would be to just fill with zeros, and hence read out the pad, since it is going to be used up anyway. That also would use up the pad when there are no messages, requiring some secure way to get a new pad to the operatives when their existing pad is consumed. This is difficult enough (secure delivery of new pad) that it is unlikely that spy-HQ wishes to consume pad data for fill. > But I suppose that’s bad since if it did accidentally get re-used then that cyphertext would be fully compromised Yes, if they reused any part of any pad for more than one single message, they have compromised (and revealed) the contents of the reused pad messages. This is the other difficulty with OTP's. The OTP data must never be reused. Which is alo why spy-HQ would not want to use it (the OTP) up for the fill, because to avoid reuse then they have to get new pad material to the operatives in some secure way. > So, I guess the actual algorithm must be derived from the OTP, but not padded with it? The 'implication' of the article is that the fill is just random data (without using up any pad material). Possibly with the appropriate headers in place so that it looks indistinguishable from a read message in the same slot. The further implication is that the Cuban station did something essentially like this: for (count=0; count<20; count++) {
send(int(rand()*9));
}
With a rand() implementation that returned a number from zero to 1.0 exclusive of 1.0 and an int() implementation that merely truncated any fraction from the multiplication. With the result that 9 is never sent. |
Lots of ways to mess that up (`rand() % 9`?). I’m more surprised that nobody noticed for so long. It’s not like this was some subtle cryptographic bug that would have required deep analysis to catch… “you had one job”, and just glancing at the output was, evidentially, enough for a lot of other people to catch on.