Crib Dragging
When two messages are encrypted with the same key, XORing the ciphertexts cancels the key and leaves P₁ ⊕ P₂. Drag a known word — a crib — through that XOR to reveal fragments of both plaintexts. This is how Soviet OTP reuse was exploited.
Intercepted ciphertexts
An eavesdropper captures both of these. Neither reveals anything on its own — but XORing them together cancels the key entirely.
Drag the crib
Type a word you expect in one of the messages. Use the controls — or click any byte, drag the slider, or press ← → — to slide the crib along P₁ ⊕ P₂. The result row shows what each position decodes to, scored by its letter-and-space ratio. English prose scores 85–100%; random bytes average ~55%.
All positions — sorted by score
How it works
The attack relies on a single property of XOR:
(P ⊕ K) ⊕ (Q ⊕ K) = P ⊕ Q. The key vanishes. What
remains is the XOR of the two plaintexts — a much weaker object than
either ciphertext alone.
Natural language is highly redundant. Common words like the, attack, at dawn appear predictably. Sliding such a crib through P₁ ⊕ P₂ and scoring the output by its letter-and-space ratio quickly separates genuine matches (≥ 85% letters+spaces) from accidental printable garbage (~55% on average). Non-printable output is an instant discard. The longer the crib, the fewer false positives survive.
Once a fragment is confirmed, it becomes a new crib. A skilled analyst can bootstrap from a single known word to full plaintext recovery — exactly the technique Soviet signals intelligence suffered when key material was reused under pressure during WWII.
The defence is absolute: never reuse a one-time pad key. A key used twice is no longer a one-time pad — it is just an unkeyed XOR.