2

The typical version of the one-time-pad (OTP) uses XOR to combine a key pad and a message. ($c=m\oplus k$)

Now let's assume some other scenarios which have the practical application of blinding. Do the below "OTP" constructions provide perfect secrecy?

  1. The key $r\in (0;n)$ is chosen uniformly at random such that $r^{-1}\bmod n$ exists and shared between both parties. Furthermore both parties share some common modulus $n$ which may be an RSA-modulus or a prime. For a message $m\in (0;n)$, is the construction $c=m\cdot r \bmod n$ perfectly secure?
  2. $r\in (0;n)$ is chosen uniformly at random and shared between both parties. Furthermore both parties share some common modulus $n$ which may be an RSA-modulus or a prime. For a message $m\in (0;n)$, is the construction $c=m + r \bmod n$ perfectly secure? (I strongly suspect the answer to be "yes" here as this is a "commonly" cited method for secret message transmission via radio where $n=10^4$)
SEJPM

2 Answers

2

Both constructions are not perfectly secure!


In an attempt to express things a bit more mathematically, I'd say you can implement a one-time-pad with a message $m$ and a key $r$, when

  • $m$ and $r$ are elements of $\mathbb{Z}/n\mathbb{Z}$, the additive group of integers modulo n, or when
  • $m$ and $r$ are elements of a group $G$ isomorphic to $\mathbb{Z}/n\mathbb{Z}$.

Such groups would be a natural choice to implement an OTP.

There are however also other possibilities. For instance one can easily imagine a perfectly secure OTP construction where the key $r$ is an element of a group $G$ and the message $m$ is an element of a subgroup of $G$. (The key is then larger than the message).

Now, let's come back to your constructions. In both constructions you assume $r,m\in \{1,\dots,n-1\}$ using the unconventional notation $r,m\in(0;n)$.

  • Construction 1: You compute $c=r\cdot m \bmod n$. If $n$ is a prime, then you have the multiplicative group of a prime field and it will work. As you already found out, it will not work when $n$ is composite.

  • Construction 2: You compute $c=r+m \bmod n$. It would be perfectly secure if you had $\mathbb{Z}/n\mathbb{Z}$. However, since you exclude the 0 element, you know that you always have $m\ne c$, and it is thus not perfectly secure. :)

Chris
1

After those very helpful hints by poncho and yyyyyyy the answers are now obvious and I'll briefly argue why each of the constructions is perfectly secure or not.

Concerning construction 1:

It can't be perfectly secure because it has been proven that perfect secrecy (= perfect security) requires the keyspace $\mathcal K$ to be as large as the message space $\mathcal M$, which is obviously not the case for arbitrary moduli because of the constraint that $r$ must be invertible $\bmod n$, which requires that $\gcd(n,r)=1$. For any composite modulus it is obviously the case that there exist at least two $r$ such that $\gcd(n,r)\neq 1$ (namely its factors). This means the keyspace is smaller than the message space, implying that it can't be perfectly secure. If $n$ is prime, then the modulus is co-prime with all $r$ with $0<r<n$, meaning that both spaces are equally large. This also implies that for any message $m'$ there's an $r'$ such that $m'=r'^{-1}\times c \bmod n$, meaning that every message is equally likely, implying perfect secrecy.

Concerning construction 2:

The classic XOR-based OTP is this construction with $n=2$. This generalization (with $0$ being allowed for $m,r$) is secure because message and key space are both equally large and one can find an $r'$ for any message $m'$ such that $m'=c-r'\bmod n$ is constructible. Because an attacker cannot decide which $r'$ is the "right" one, he can't know when he found the correct key and thus this scheme is perfectly secure.
However, the construction as given in the question is not perfectly secure (as pointed out by Chris' answer) because $0$ isn't a valid value for $r$ and hence it's impossible that $m=c$, which yields some information about $m$, thus breaking perfect secrecy.

SEJPM
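An exhaustive check of the constructions discussed in the question and both answers, as an added example that is not part of the original posts: for a small modulus it computes $\Pr[C=c \mid M=m]$ under a uniformly chosen key and tests whether that distribution is identical for every message. The function names and the moduli 7 and 15 are choices made for this example, and the last case (both $r$ and $m$ restricted to invertible residues) goes beyond what the thread covers.

```python
from fractions import Fraction
from math import gcd


def cipher_dist(n, m, keys, combine):
    """Return Pr[C = c | M = m] as a dict, for a key drawn uniformly from `keys`."""
    dist = {}
    for r in keys:
        c = combine(m, r) % n
        dist[c] = dist.get(c, 0) + Fraction(1, len(keys))
    return dist


def perfectly_secret(n, messages, keys, combine):
    """Perfect secrecy holds iff the ciphertext distribution is the same for every m."""
    dists = [cipher_dist(n, m, keys, combine) for m in messages]
    return all(d == dists[0] for d in dists)


def units(n):
    """Residues in 1..n-1 that are invertible modulo n."""
    return [r for r in range(1, n) if gcd(r, n) == 1]


def add(m, r):
    return m + r


def mul(m, r):
    return m * r


def report(n):
    """Evaluate each construction for modulus n (example-specific labels)."""
    nonzero = list(range(1, n))   # the question's (0;n)
    full = list(range(n))         # all of Z/nZ, zero included
    return {
        # Construction 1: r invertible, m in 1..n-1
        "mul": perfectly_secret(n, nonzero, units(n), mul),
        # Construction 2 as asked: r and m in 1..n-1
        "add_nonzero": perfectly_secret(n, nonzero, nonzero, add),
        # Construction 2 with zero allowed for r and m
        "add_full": perfectly_secret(n, full, full, add),
        # Extension: r and m both invertible (the group of units mod n)
        "mul_units": perfectly_secret(n, units(n), units(n), mul),
    }


if __name__ == "__main__":
    for n in (7, 15):             # constructed moduli: one prime, one composite
        print(n, report(n))
```

The cost grows with the product of the key and message counts, so this is meant for small $n$ rather than the $n=10^4$ radio example.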