## 5.1 Description

Another way to think of XOR is as something called a “**programmable inverter**”: one input bit decides whether to invert the other input bit, or to just pass it through unchanged. “Inverting” bits is colloquially called “flipping” bits, a term we'll use often throughout the book. 

In mathematics and cryptography papers, exclusive or is
generally represented by a cross in a circle: $\oplus$.

## 5.2 Properties of XOR

1. **Commutative**: $A \oplus B = B \oplus A$
2. **Associative** for any order: $(A \oplus B) \oplus C = A \oplus (B \oplus C)$
3. **Identity element**: $A \oplus 0 = A$
4. **Self-Inverse**: $A \oplus A = 0$

## 5.3 Bitwise XOR

$$\begin{split}
73 \oplus 87 &=0b1001001 \oplus 0b1010111\\
      &=\begin{matrix} 
      1 & 0 & 0 & 1&0&0&1 \\
      \oplus & \oplus & \oplus & \oplus&\oplus&\oplus&\oplus \\
      1 & 0 & 1 & 0&1&1&1
   \end{matrix} \\
      &=0b0011110\\
      &=30
\end{split}$$

## 5.4 One-time pads

It's called a one-time pad because it involves a sequence (the “pad”) of random bits, and the security of the scheme depends on only using that **pad once**.

If an attacker sees the ciphertext, we can prove that
they will learn zero information about the plaintext without the key. This property is called *perfect security*.

## 5.5 Attacks on “one-time pads”

The one-time pad security guarantee only holds if it is used correctly. First of all, the one-time pad has to consist of truly random data. Secondly, the one-time pad can only be used once (hence the name). Unfortunately, most commercial products that claim to be “one-time pads” are snake oil, and don't satisfy at least one of those two properties.

### Crib-dragging

A classical approach to breaking multi-time pad systems involves “crib-dragging”, a process that uses small sequences that are expected to occur with high probability. Those sequences are called “cribs”.

The idea is fairly simple. Suppose we have several encrypted messages $C_i$ encrypted with the same “one-time”
pad $K$. If we could correctly guess the plaintext for one of the messages, let's say $C_j$ , we'd know $K$:

$$\begin{split}
C_j \oplus P_j &= (P_j\oplus K) \oplus P_j\\
&= K \oplus P_j \oplus P_j\\
&= K \oplus 0\\
&= K
\end{split}$$

Since $K$ is the shared secret, we can now use it to decrypt all of the other messages, just as if we were the recipient:
$$(\forall i \in E)\quad P_i = C_i \oplus K $$ 

If we guess a few plaintext bits $p_i$ correctly for any of the messages, that would reveal the key bits at that position for all of the messages, since $k = c_i \oplus p_i$. Hence, all of the plaintext bits at that position are revealed: using that value for $k$, we can compute the plaintext bits $p_i = c_i\oplus k$  for all the other messages.

This becomes even more effective for some plaintexts
that we know more about. If some HTTP data has the
plaintext **ent-Len** in it, then we can expand that to
**Content-Length:**, revealing many more bytes.

While this technique works as soon as two messages are
encrypted with the same key, it's clear that this becomes
even easier with more ciphertexts using the same key, since
all of the steps become more effective:

- We get **more** cribbing **positions**.
- More plaintext bytes are **revealed** with each successful crib and guess, leading to more guessing options elsewhere.
- More ciphertexts are available for any given position, making guess **validation** easier and sometimes more accurate.
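The crib-dragging procedure above, as an added example that is not code from the book: three constructed HTTP-style messages are encrypted under the same pad, and sliding the crib `Content-Length: ` across the ciphertexts exposes what the other messages contain at the same position. The helpers `xor_bytes`, `otp`, `recover_pad`, `crib_drag` and the demo data are all assumptions of this example.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (one "programmable inverter" per bit)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp(pad: bytes, data: bytes) -> bytes:
    """One-time pad encryption and decryption are the same operation: data XOR pad.
    Only the first len(data) pad bytes are consumed; they must never be used again."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return xor_bytes(pad[:len(data)], data)

def recover_pad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C_j XOR P_j = (P_j XOR K) XOR P_j = K: a known plaintext hands back the pad bytes."""
    return xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)

def looks_like_text(fragment: bytes) -> bool:
    """Plausibility check used to validate a guess: printable ASCII or CR/LF/TAB."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in fragment)

def crib_drag(ciphertexts, crib: bytes):
    """Slide `crib` over every ciphertext. At each offset the guess yields candidate pad
    bytes k = c_i XOR crib; keep the guess only if k turns every other ciphertext that
    covers the offset into plausible text. Returns [(i, offset, [(j, fragment), ...])]."""
    hits = []
    for i, c in enumerate(ciphertexts):
        for off in range(len(c) - len(crib) + 1):
            k = xor_bytes(c[off:off + len(crib)], crib)
            others = [(j, xor_bytes(d[off:off + len(crib)], k))
                      for j, d in enumerate(ciphertexts)
                      if j != i and len(d) >= off + len(crib)]
            if others and all(looks_like_text(f) for _, f in others):
                hits.append((i, off, others))
    return hits

# Constructed demo data. The pad is derived from a fixed string only so the run is
# reproducible; a real pad must be truly random (e.g. os.urandom) and used exactly once.
PAD = hashlib.sha256(b"constructed demo pad, not random").digest() * 2
PLAINTEXTS = [
    b"HTTP/1.1 200 OK\r\nContent-Length: 42\r\n",
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n",
    b"GET /login HTTP/1.1\r\nHost: example.test\r\n",
]
CIPHERTEXTS = [otp(PAD, p) for p in PLAINTEXTS]  # same pad three times: the mistake

if __name__ == "__main__":
    for i, off, others in crib_drag(CIPHERTEXTS, b"Content-Length: "):
        print(f"crib fits message {i} at offset {off}:", [(j, f.decode()) for j, f in others])
```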

## 5.6 Remaining problems

Real one-time pads, implemented properly, have an extremely
strong security guarantee. It would appear, then,
that cryptography is over: encryption is a solved problem,
and we can all **go home**. Obviously, that's not the case.

However, as we'll see throughout this book, **secure** symmetric encryption algorithms **aren't** the **pain point** of modern cryptosystems. Cryptographers have designed plenty of those, while practical key management remains one of the toughest challenges facing modern cryptography.

We need something with manageable key sizes while maintaining secrecy. We need ways to negotiate keys over the Internet with people we've never met before.