Re: NSA's Venona Intercepts

At 12:26 AM 8/27/96, Black Unicorn wrote:
> I seem to recall an exhibit on Venona including a purported Soviet OTP at the National Cryptologic Museum in MD.

Kahn's "Codebreakers" also has photos of OTPs captured from undercover Soviet spies. The fact that illegals were using OTPs to talk to their controllers didn't necessarily imply that messages from Soviet embassies and other offices needed to be using OTPs themselves. They could have used a good rotor machine (well, good for the era). But now I'm convinced they didn't.

The whole thing makes sense if we're looking at cryptanalysis based on reused OTPs. I can see why the NSA doesn't mind letting the world know that they could crack reused OTPs as opposed to some other identifiable cipher technique. The degree of NSA's success doesn't help an adversary optimize their crypto technology. The decryption success is in direct proportion to how sloppy the Soviets were in using their OTPs. I'll bet some official got shot when this was all figured out.

Partial decrypts occur when parts of the keystream are recovered and other parts are not. I wonder if one could compare the "holes" in the various messages and thereby infer which OTPs were used for which messages based on patterns of keystream recovery.

Venona also presents an object lesson on why not to use OTPs: the security does not degrade gracefully if they are misused. Reusing one even once could easily compromise both messages sent with it. I doubt security degrades nearly as quickly if you overuse or reuse keys in more modern techniques. Thus, OTP keying requires a reliably pessimistic prediction of traffic flow, and your security is toast if you underestimate your transmission needs.

Besides, given that nobody can crack a truly randomized OTP, I can see why NSA would want to publicize a failed use of OTPs. Might as well focus interest on more theoretically tractable techniques.

Rick.
participants (1)
-
smith@sctc.com
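
The point that reusing a pad even once can compromise both messages, and that partial keystream recovery leaves "holes", shown as an added example that is not part of the original post. Byte-wise XOR is assumed as the pad operation, and the messages, pads and function names are constructed for illustration.

```python
import random

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def make_pad(n: int, seed: int) -> bytes:
    # Seeded PRNG only so the demo is reproducible; a real pad needs true randomness.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def coincidences(c1: bytes, c2: bytes) -> int:
    """Positions where two ciphertexts agree. Under a shared pad this equals
    the number of positions where the plaintexts agree, far above the
    roughly 1-in-256 rate expected when the pads are independent."""
    return sum(x == y for x, y in zip(c1, c2))

def recover_with_crib(c_known: bytes, c_other: bytes, crib: bytes, offset: int) -> bytes:
    """Given known plaintext `crib` at `offset` in one message, return the
    other message with the recovered bytes filled in and '?' for the holes."""
    end = offset + len(crib)
    keystream = xor(c_known[offset:end], crib)      # recovered pad fragment
    fragment = xor(c_other[offset:end], keystream)  # same span of the other plaintext
    out = bytearray(b"?" * len(c_other))
    out[offset:offset + len(fragment)] = fragment
    return bytes(out)

# Constructed sample traffic (not historical text); note the stereotyped opening.
P1 = b"TO CENTER: COURIER ARRIVES TUESDAY WITH DOCUMENTS"
P2 = b"TO CENTER: MEETING MOVED TO THURSDAY AT THE PARK."
P3 = b"TO CENTER: FUNDS RECEIVED, AWAITING INSTRUCTIONS."

PAD_A = make_pad(len(P1), seed=1)
PAD_B = make_pad(len(P3), seed=2)
C1, C2 = xor(P1, PAD_A), xor(P2, PAD_A)  # pad reused: the mistake
C3 = xor(P3, PAD_B)                      # fresh pad

if __name__ == "__main__":
    # The pad cancels out of C1 XOR C2, so the pair leaks P1 XOR P2.
    print("pad cancels:", xor(C1, C2) == xor(P1, P2))
    print("shared pad :", coincidences(C1, C2), "matching positions")
    print("fresh pad  :", coincidences(C1, C3), "matching positions")
    print(recover_with_crib(C1, C2, b"COURIER ARRIVES", 11))
```

The message encrypted under a fresh pad gives neither the coincidence signal nor a usable keystream fragment, which is why the damage tracks how often pads were reused.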