22

A (synchronous) stream cipher is an algorithm which maps some fixed-length key to an arbitrary-length key-stream (i.e. a sequence of bits): $C : \{0,1\}^k \to \{0,1\}^{\infty}$.

This key-stream is then XOR-ed with the plain text stream, giving the ciphertext stream. For decrypting, the same key-stream (generated from the key at the receiver side) will be XOR-ed with the ciphertext stream, giving again the key stream.

A One-time pad is an algorithm which takes a key of large size (at least message size), and XORs its start with the plaintext to get the ciphertext. For decryption, we XOR the start of the key with the ciphertext to get back the plaintext.

These look quite similar – could one say that a stream-cipher is a (special way to create/use a) one-time pad, or that the one-time pad is a kind of stream cipher?

Are there any important differences between these two classes of algorithms?

Paŭlo Ebermann

7 Answers

17

There is no universally accepted definition of the expression "stream cipher"; but the one I most often encounter is the following: a stream cipher is a symmetric encryption algorithm which accepts as inputs arbitrary sequences of bits (or bytes) such that:

  • the length of the output is equal to the length of the input (no padding);
  • for any $n$ (possibly any $n$ which is a multiple of 8 if we restrict ourselves to bytes), the first $n$ output bits depend only on the key and the first $n$ input bits, regardless of the value of the subsequent input bits.

In that sense, the One-Time Pad is a stream cipher. A block cipher used in CTR mode or CFB mode is also a stream cipher. Note that the latter is not of the kind "XOR with a stream generated from the key independently of the input data". The Wikipedia page you link to talks about "synchronous stream ciphers" and "self-synchronizing stream ciphers".

However, the ultimate security of the One-Time Pad comes from the key size: it is unbreakable because it assumes that the key is as long as the message and was generated by an unpredictable mechanism. If you generate the pad with a more conventional stream cipher, working over a small fixed-size key, then it is no longer a One-Time Pad, just a "regular" stream cipher. The expression "One-Time Pad" refers to, exclusively, the mythical scheme which uses truly random long keys. So while the One-Time Pad is a stream cipher, stream ciphers are not One-Time Pads.

Thomas Pornin
8

One important difference between the one-time pad and a stream cipher is the proof of security of the one-time pad. Shannon proved that the one-time pad provides perfect secrecy. He also provided another proof that is interesting to this discussion. His proof was that no cipher can provide perfect secrecy unless the key is at least as long as the message. Therefore, we know that no stream cipher can provide perfect secrecy unless it meets that requirement. But, just because it meets that requirement does not mean that it automatically provides perfect secrecy.

Now, as to whether or not they are the same, the answer is no. The one-time pad uses a fixed length key (where the length is at least as long as the message among other requirements) and the xor operation, period (i.e., there is no key expansion/stream generation).

mikeazo
4

Mathematically speaking, the entropy of a stream cipher is upper-bounded by the key size.

The entropy of a one-time pad, on the other hand, is upper-bounded by the plaintext size.

For true one-time pads and good stream ciphers, this bound is tight.

Jus12
3

Quoting Cryptography and Network Security (William Stallings, Section 7.4) and other sources (e.g., https://www.fourmilab.ch/hotbits/):

The stream cipher is similar to the one-time pad, but the exact difference is that

one-time pad uses a genuine random number stream, whereas a stream cipher uses a pseudorandom number stream

Pseudorandom numbers, calculated by a computer through a deterministic process, cannot, by definition, be random. Given knowledge of the algorithm used to create the numbers and its internal state, you can predict all the numbers returned by subsequent calls to the algorithm, whereas with genuinely random numbers, knowledge of one number or an arbitrarily long sequence of numbers is of no use whatsoever in predicting the next number to be generated.

Ravindra Bagale
0

More importantly a stream cipher can only produce a single plaintext regardless of what number of different keystreams you use. So even if you implemented a stream cipher machine with a true RNG and a non-stop stream of bits being fed into it, a brute force attack will still be possible because you just keep trying until you get something that makes sense.

A One-Time Pad can produce any plaintext of the same size as the ciphertext depending on what different keystreams you use. Meaning you can keep trying but get multiple things that make sense.

So unless you have the exact pad used to decode the message, you will never know which of the possible plaintexts you will stumble upon is the correct one or even if you have found the correct one yet.

That is perfect secrecy. When you can never even tell if you already cracked the message or not.

WAR10CK
0

Thomas Pornin's last paragraph is right on, but this concept is still so frequently misunderstood that I wanted to add my 2 cents.

From a layman's perspective, if you really had something that implemented a one-time-pad, what would it look like? It would necessarily have to involve a physical machine that generates a truly random key stream. That machine would not take as input any passwords, keys, or seeds -- instead it would generate truly random bits using properties of physics, assuming physics is correct in the existence of true randomness. Note that because these bits are truly randomly generated, they cannot be derived again, which implies that the machine would also have to output those key stream bits so you can physically deliver them to the intended recipient, allowing him to decrypt the ciphertext. By the way, when I say "physically deliver", that means getting on a plane or in a car, going to your destination, and handing over the bits to the recipient. Why not use public key exchange instead? Well, you could, but that comes at the cost of losing perfect secrecy, so doing so would defeat the entire purpose of using a one-time-pad in the first place.

At this point, you may be thinking this is crazy, and if so, congratulations: now you understand why it is a theoretical construct only, and unlikely to be realised in practice. Instead, what we use today is cryptography that depends upon complexity theory, which is practical.

A stream cipher, from a layman's perspective, is an attempt at a practical construct that "feels like" a one-time-pad, except lacking in the perfect secrecy property. It does not need a physical machine to realise it. Instead of true randomness, it takes as input a password, key, or seed, and expands that to a long string of bits, which are derived from that input. Those same bits can be derived over and over again by using the same password/key/seed, so in order for the recipient to decrypt, they only need to get that input. And because it does not have the perfect secrecy property and instead only depends upon complexity theory, you are losing nothing when you exchange that key using public key cryptography.

The take-away: just about everything you will ever see in practice that "feels like" a one-time-pad is not really a one-time-pad. It is a stream cipher. People should not label an arbitrary stream cipher as a one-time-pad because they are entirely missing the point. One-time-pads are theoretical concepts, stream ciphers are practical imitations but lacking in the security properties that make one-time-pads what they are.
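The distinction drawn in the answers above (a short key fixes the whole keystream, while a one-time pad ciphertext is consistent with every plaintext of the same length) can be checked directly. This is an added example, not code from any of the posts; the 16-bit SHA-256 counter-mode `keystream` is a hypothetical toy cipher chosen so the key space can be enumerated, `secrets.token_bytes` stands in for a truly random pad, and the messages are constructed samples.

```python
import hashlib
import secrets

KEY_BITS = 16  # deliberately tiny toy key so the whole key space can be enumerated


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: int, n: int) -> bytes:
    """Toy synchronous stream cipher: SHA-256 over (key, counter), cut to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        block = key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def otp_pad_for(ciphertext: bytes, claimed: bytes) -> bytes:
    """One-time pad: any same-length plaintext is explained by exactly one pad."""
    return xor(ciphertext, claimed)


def stream_candidates(ciphertext: bytes) -> set:
    """Every plaintext the toy cipher can explain: at most 2**KEY_BITS of them."""
    n = len(ciphertext)
    return {xor(ciphertext, keystream(k, n)) for k in range(2 ** KEY_BITS)}


if __name__ == "__main__":
    real, decoy = b"MEET AT NINE PM", b"MEET AT FIVE AM"  # constructed samples

    # One-time pad: pad as long as the message (OS CSPRNG used as a stand-in
    # for a truly random source, which is an assumption of this example).
    c_otp = xor(real, secrets.token_bytes(len(real)))
    fake_pad = otp_pad_for(c_otp, decoy)
    print("OTP: decoy is a valid decryption:", xor(c_otp, fake_pad) == decoy)

    # Stream cipher: the 16-bit key determines the entire keystream.
    c_stream = xor(real, keystream(0xBEEF, len(real)))
    cands = stream_candidates(c_stream)
    print("stream: candidate plaintexts:", len(cands), "of", 256 ** len(real))
    print("stream: real in set:", real in cands, "| decoy in set:", decoy in cands)
```

With a realistic key size the candidate set is far too large to enumerate, which is the computational (rather than perfect) secrecy the answers describe; the bound of at most 2^k explainable plaintexts still holds.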

0

The most important difference is in their security level. The OTP has perfect secrecy, but stream ciphers have computational secrecy. The other difference is about their use in the real world. Stream ciphers are possible to use in the real world because of their structure and key length, but for the OTP cipher, producing a one-time pad and using this pad only one time is so difficult (in many cases impossible), and having a pad whose size is larger than or the same as the length of the plaintext makes using this cipher impractical in the real world. In other words, we can say stream ciphers are a weak model of OTP that made OTP practical in the real world.

logi-kal
Arsalan Vahi