## 11.1. What happens if we try to use a one-time pad many times?

Using a one-time pad multiple times violates the fundamental principle that the key must be used only once. This leads to significant vulnerabilities and compromises the security of the encrypted messages. Here’s what happens if the same one-time pad is reused:

### Scenario with Two Messages

Suppose Alice sends two different messages, \(M_1\) and \(M_2\), to Bob using the same one-time pad \(K\). The ciphertexts \(C_1\) and \(C_2\) are generated as follows:
- \(C_1 = M_1 \oplus K\)
- \(C_2 = M_2 \oplus K\)

Where \(\oplus\) denotes the XOR operation.

An eavesdropper intercepting both ciphertexts \(C_1\) and \(C_2\) can perform the following analysis:
- Compute \(C_1 \oplus C_2\)
- \(C_1 \oplus C_2 = (M_1 \oplus K) \oplus (M_2 \oplus K)\)
- Using the property of XOR: \(C_1 \oplus C_2 = M_1 \oplus M_2\)

### Consequences

1. **Recovering Plaintexts**: The result \(M_1 \oplus M_2\) is the XOR of the two plaintexts. While this does not directly reveal \(M_1\) or \(M_2\), it provides a significant clue. If the eavesdropper knows or can guess part of one plaintext, they can potentially recover part or all of the other plaintext.

2. **Statistical Analysis**: If the messages are in natural language or have predictable patterns, the eavesdropper can use statistical analysis to deduce the plaintexts. For example, common words or phrases might be easily recognizable in the XOR of the messages.

3. **Known-plaintext Attack**: If the eavesdropper knows one of the plaintexts (a known-plaintext attack), they can easily recover the key and subsequently decrypt the other message:
   - Suppose \(M_1\) is known.
   - Then \(K = C_1 \oplus M_1\).
   - The eavesdropper can now use \(K\) to decrypt any other message encrypted with the same key: \(M_2 = C_2 \oplus K\).



## 11.2. Provide an example where you break the "many-time pad" security

### Example

Consider Alice sends two messages "HELLO" and "WORLD" using the same one-time pad key. The corresponding ciphertexts are:
- \(C_1 = M_1 \oplus K\) (HELLO)
- \(C_2 = M_2 \oplus K\) (WORLD)

An eavesdropper intercepts both \(C_1\) and \(C_2\) and calculates:
- \(C_1 \oplus C_2 = (HELLO \oplus K) \oplus (WORLD \oplus K) = HELLO \oplus WORLD\)

The eavesdropper now has the XOR of two meaningful plaintexts, which can be exploited to uncover the original messages, especially if the content is predictable or if parts of the messages are known.

### Conclusion

Reusing a one-time pad key more than once compromises the security of the encrypted messages, rendering the cryptographic system vulnerable to various attacks. This is why it is crucial to adhere to the one-time usage rule of the one-time pad to maintain perfect secrecy.

<p align="center">
  <img src="./data/Principle-of-symmetric-key-encryption.png" width="1600" heght="1600"/>
  
</p>
<div align="center">Fig. 3.1 Principle of symmetric-key encryption</div>

[Download Link](https://www-users.cse.umn.edu/~brubaker/docs/152/152groups.pdf)