Re: NSA's Venona Intercepts

it is my understanding that the Venona traffic used a code book with super-encryption using an otp. the break was possible because the Soviets got sloppy with the otp keys and in fact used some of them more than once. even then, it took years of work to make the breaks. everything you ever heard about using true random keys, and only once is true. difficult as it may be to accomplish, it is possible to break an otp if the pad isn't really 'one time'. -paul
From cypherpunks-errors@toad.com Mon Aug 26 18:14:44 1996
X-Sender: smith@mailhost.sctc.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 26 Aug 1996 10:49:39 -0600
To: cypherpunks@toad.com
From: smith@sctc.com (Rick Smith)
Subject: NSA's Venona Intercepts
Sender: owner-cypherpunks@toad.com
Content-Length: 1510
The bulk of the material available from NSA's web site is associated with a long time project called Venona to decrypt Soviet message traffic from the 1940s. It's an interesting exhibition of the practical output of cryptanalysis that, incidentally, contains alleged reference to famous Commie spies of that era (Hiss, the Rosenbergs, etc).
One question that I haven't found answered in my perusals of the site is a definitive statement of the cryptographic technology used by the Soviets. I was re-reading Kahn's 1967 chapter on Soviet crypto and he claimed that they relied primarily on one time pads. In fact, he was pretty specific about them using OTPs for exactly the type of traffic appearing in the Venona archive. But when I look at the partial decrypts in the Venona archive I don't understand how you'd get such partial decrypts from OTPs.
The intercepts seem to indicate the use of ciphers with some codewords weakly layered on top. Some intercepts show translations based on the phonetic properties of the extracted Russian plaintext. So I don't think the "unrecovered codegroups" are caused by a classic code that substitutes tokens for word meanings. But you're not going to crack only part of an OTP ciphertext -- presumably you'd need a compromised key tape, and that would either decrypt everything or nothing.
So they were either really using rotor machines or they were using something else. Any other ideas? Other references?
Rick. smith@sctc.com secure computing corporation
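
The pad-reuse failure described in the reply at the top of this thread, as an added example that is not part of either message: a code book superenciphered with an additive pad, where using the same pad for two messages lets the key drop out of the ciphertext difference. The codebook, the messages, the 5-digit group size and the non-carrying mod-10 addition are assumptions chosen for illustration, not details taken from the Venona material.

```python
import secrets

# Constructed toy codebook (hypothetical, not the historical one).
CODEBOOK = {"AGENT": "31415", "REPORTS": "92653", "MEETING": "58979",
            "TOMORROW": "32384", "CANCELLED": "62643", "FUNDS": "38327"}

def encode(words):
    """Code book step: replace each word with its 5-digit group."""
    return "".join(CODEBOOK[w] for w in words)

def combine(a, b, sign=1):
    """Digit-wise addition (sign=1) or subtraction (sign=-1) mod 10, no carry."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

def new_pad(n):
    """n random key digits from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))

def groups(s):
    return [s[i:i + 5] for i in range(0, len(s), 5)]

def reuse_hits(c1, c2):
    """For each aligned group, a candidate codebook word pair whose difference
    equals the ciphertext difference; None when no pair fits."""
    table = {combine(g1, g2, -1): (w1, w2)
             for w1, g1 in CODEBOOK.items() for w2, g2 in CODEBOOK.items()}
    return [table.get(d) for d in groups(combine(c1, c2, -1))]

def recover_with_crib(c1, c2, known_p1):
    """With message 1's code groups known, the shared pad drops out: (c2 - c1) + p1 = p2."""
    return combine(combine(c2, c1, -1), known_p1)

M1 = ["AGENT", "REPORTS", "MEETING", "TOMORROW"]      # constructed messages
M2 = ["MEETING", "CANCELLED", "FUNDS", "TOMORROW"]

if __name__ == "__main__":
    p1, p2 = encode(M1), encode(M2)
    pad = new_pad(len(p1))
    c1, c2 = combine(p1, pad), combine(p2, pad)        # the error: same pad twice
    print("pad cancels:", combine(c1, c2, -1) == combine(p1, p2, -1))
    print("reused pad hits:", reuse_hits(c1, c2))
    c3 = combine(p2, new_pad(len(p2)))                 # correct use: fresh pad
    print("fresh pad hits: ", reuse_hits(c1, c3))
    print("crib recovers p2:", recover_with_crib(c1, c2, p1) == p2)
```

With a fresh pad per message the group differences are uniformly random and almost never match a codebook pair, which is why every aligned group matching is a usable signal of key reuse.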