One-time pad
Encyclopedia
In cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

, the one-time pad (OTP) is a type of encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

, which has been proven to be impossible to crack
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...

 if used correctly. Each bit or character from the plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....

 is encrypted by a modular addition
Modular Addition
Modular additions are usually side and 2nd story additions to homes that are pre-fabricated at the facilities. General characteristics of a modular home apply. For a 2nd story modular addition the existing house should have a sound structure as modular rooms are 30%+ heavier than the same stick-built...

 with a bit or character from a secret random key
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...

 (or pad) of the same length as the plaintext, resulting in a ciphertext
Ciphertext
In cryptography, ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher...

. If the key is truly random, as large as or greater than the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key . It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. However, practical problems have prevented one-time pads from being widely used.

First described by Frank Miller in 1882 , the one-time pad was re-invented in 1917 and patented a couple of years later. It is derived from the Vernam cipher, named after Gilbert Vernam
Gilbert Vernam
Gilbert Sandford Vernam was an AT&T Bell Labs engineer who, in 1917, invented the stream cipher and later co-invented the one-time pad cipher. Vernam proposed a teleprinter cipher in which a previously-prepared key, kept on paper tape, is combined character by character with the plaintext message...

, one of its inventors. Vernam's system was a cipher that combined a message with a key read from a punched tape
Punched tape
Punched tape or paper tape is an obsolete form of data storage, consisting of a long strip of paper in which holes are punched to store data...

. In its original form, Vernam's system was not unbreakable because the key tape was a loop, which was reused whenever the loop made a full cycle. One-time use came a little later when Joseph Mauborgne
Joseph Mauborgne
In the history of cryptography, Joseph Oswald Mauborgne co-invented the one-time pad with Gilbert Vernam of Bell Labs. In 1914 he published the first recorded solution of the Playfair cipher...

 recognized that if the key tape were totally random, cryptanalysis
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...

 would be impossible.

The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy concealment, the pad was sometimes reduced to such a small size that a powerful magnifying glass
Loupe
A loupe is a simple, small magnification device used to see small details more closely. Unlike a magnifying glass, a loupe does not have an attached handle, and its focusing lens are contained in an opaque cylinder or cone. Loupes are also called hand lenses .- Optics :Three basic types of loupes...

 was required to use it. Photos accessible on the Internet show captured KGB
KGB
The KGB was the commonly used acronym for the . It was the national security agency of the Soviet Union from 1954 until 1991, and was the premier internal security, intelligence, and secret police organization during that time.The State Security Agency of the Republic of Belarus currently uses the...

 pads that fit in the palm of one's hand, or in a walnut
Walnut
Juglans is a plant genus of the family Juglandaceae, the seeds of which are known as walnuts. They are deciduous trees, 10–40 meters tall , with pinnate leaves 200–900 millimetres long , with 5–25 leaflets; the shoots have chambered pith, a character shared with the wingnuts , but not the hickories...

 shell. To increase security, one-time pads were sometimes printed onto sheets of highly flammable nitrocellulose
Nitrocellulose
Nitrocellulose is a highly flammable compound formed by nitrating cellulose through exposure to nitric acid or another powerful nitrating agent. When used as a propellant or low-order explosive, it is also known as guncotton...

.

There is some ambiguity to the term because some authors use the terms "Vernam cipher" and "one-time pad" synonymously, while others refer to any additive stream cipher
Stream cipher
In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream . In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption...

 as a "Vernam cipher", including those based on a cryptographically secure pseudorandom number generator
Cryptographically secure pseudorandom number generator
A cryptographically secure pseudo-random number generator is a pseudo-random number generator with properties that make it suitable for use in cryptography.Many aspects of cryptography require random numbers, for example:...

 (CSPRNG).

History of invention

The history of the one-time pad is marked by multiple independent, but closely related discoveries.

Frank Miller
Frank Miller (cryptography)
Frank Miller , was a Sacramento, California cryptographer, banker, and trustee of Stanford University. He has been identified as the inventor of the one-time pad in 1882, 35 years before the patent issued to Gilbert Vernam.-Biography:...

 in 1882 was the first to describe the one-time pad system for securing telegraphy.

The next one-time pad system was electrical. In 1917, Gilbert Vernam
Gilbert Vernam
Gilbert Sandford Vernam was an AT&T Bell Labs engineer who, in 1917, invented the stream cipher and later co-invented the one-time pad cipher. Vernam proposed a teleprinter cipher in which a previously-prepared key, kept on paper tape, is combined character by character with the plaintext message...

 (of AT&T
AT&T
AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, Dallas, Texas, United States. It is the largest provider of mobile telephony and fixed telephony in the United States, and is also a provider of broadband and subscription television services...

) invented and later patented in 1919 a cipher based on teleprinter
Teleprinter
A teleprinter is a electromechanical typewriter that can be used to communicate typed messages from point to point and point to multipoint over a variety of communication channels that range from a simple electrical connection, such as a pair of wires, to the use of radio and microwave as the...

 technology. Each character in a message was electrically combined with a character on a paper tape key. Joseph Mauborgne
Joseph Mauborgne
In the history of cryptography, Joseph Oswald Mauborgne co-invented the one-time pad with Gilbert Vernam of Bell Labs. In 1914 he published the first recorded solution of the Playfair cipher...

 (then a captain in the U.S. Army and later chief of the Signal Corps) recognized that the character sequence on the key tape could be completely random and that, if so, cryptanalysis would be more difficult. Together they invented the first one-time tape system.

The next development was the paper pad system. Diplomats had long used code
Code
A code is a rule for converting a piece of information into another form or representation , not necessarily of the same type....

s and cipher
Cipher
In cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...

s for confidentiality and to minimize telegraph
Telegraphy
Telegraphy is the long-distance transmission of messages via some form of signalling technology. Telegraphy requires messages to be converted to a code which is known to both sender and receiver...

 costs. For the codes, words and phrases were converted to groups of numbers (typically 4 or 5 digits) using a dictionary-like codebook
Codebook
A codebook is a type of document used for gathering and storing codes. Originally codebooks were often literally books, but today codebook is a byword for the complete record of a series of codes, regardless of physical format.-Cryptography:...

. For added security, secret numbers could be combined with (usually modular addition) each code group before transmission, with the secret numbers being changed periodically (this was called superencryption
Superencryption
Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. The terms cascade encryption, cascade ciphering, multiple encryption, multiple ciphering, and superencipherment are used with the same meaning...

). In the early 1920s, three German cryptographers (Werner Kunze, Rudolf Schauffler and Erich Langlotz), who were involved in breaking such systems, realized that they could never be broken if a separate randomly chosen additive number was used for every code group. They had duplicate paper pads printed with lines of random number groups. Each page had a serial number and eight lines. Each line had six 5-digit numbers. A page would be used as a work sheet to encode a message and then destroyed. The serial number of the page would be sent with the encoded message. The recipient would reverse the procedure and then destroy his copy of the page. The German foreign office put this system into operation by 1923.

A separate notion was the use of a one-time pad of letters to encode plaintext directly as in the example below. Leo Marks
Leo Marks
Leopold Samuel Marks was an English cryptographer, screenwriter and playwright.-Early life:Born the son of an antiquarian bookseller in London, he was first introduced to cryptography when his father showed him a copy of Edgar Allan Poe's story, "The Gold-Bug"...

 describes inventing such a system for the British Special Operations Executive
Special Operations Executive
The Special Operations Executive was a World War II organisation of the United Kingdom. It was officially formed by Prime Minister Winston Churchill and Minister of Economic Warfare Hugh Dalton on 22 July 1940, to conduct guerrilla warfare against the Axis powers and to instruct and aid local...

 during World War II
World War II
World War II, or the Second World War , was a global conflict lasting from 1939 to 1945, involving most of the world's nations—including all of the great powers—eventually forming two opposing military alliances: the Allies and the Axis...

, though he suspected at the time that it was already known in the highly compartmentalized world of cryptography, as for instance at Bletchley Park
Bletchley Park
Bletchley Park is an estate located in the town of Bletchley, in Buckinghamshire, England, which currently houses the National Museum of Computing...

.

The final discovery was by Claude Shannon in the 1940s who recognized and proved the theoretical significance of the one-time pad system. Shannon delivered his results in a classified report in 1945, and published them openly in 1949. At the same time, Vladimir Kotelnikov
Vladimir Kotelnikov
Vladimir Aleksandrovich Kotelnikov was an information theory and radar astronomy pioneer from the Soviet Union...

 had independently proven absolute security of the one-time pad; his results were delivered in 1941 in a report that apparently remains classified.

Example

Suppose Alice
Alice and Bob
The names Alice and Bob are commonly used placeholder names for archetypal characters in fields such as cryptography and physics. The names are used for convenience; for example, "Alice sends a message to Bob encrypted with his public key" is easier to follow than "Party A sends a message to Party...

 wishes to send the message "HELLO" to Bob
Alice and Bob
The names Alice and Bob are commonly used placeholder names for archetypal characters in fields such as cryptography and physics. The names are used for convenience; for example, "Alice sends a message to Bob encrypted with his public key" is easier to follow than "Party A sends a message to Party...

. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged for in advance, as for instance 'use the 12th sheet on 1 May', or 'use the next available sheet for the next message'. The material on the selected sheet is the key for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. It is common, but not required, to assign each letter a numerical value: e.g. "A" is 0, "B" is 1, and so on. In this example, the technique is to combine the key and the message using modular addition
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....

. The numerical values of corresponding message and key letters are added together, modulo 26. If key material begins with "XMCKL" and the message is "HELLO", then the coding would be done as follows:

H E L L O message
7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message
+ 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key
= 30 16 13 21 25 message + key
= 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) message + key (mod 26)
E Q N V Z → ciphertext

If a number is larger than 25, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if your computations "go past" Z, you start again at A.

The ciphertext to be sent to Bob is thus "EQNVZ". Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....

. Here the key is subtracted from the ciphertext, again using modular arithmetic:

E Q N V Z ciphertext
4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) ciphertext
- 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key
= -19 4 11 11 14 ciphertext — key
= 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) ciphertext — key (mod 26)
H E L L O → message

Similar to the above, if a number is negative then 26 is added to make the number positive.

Thus Bob recovers Alice's plaintext, the message "HELLO". Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher. The KGB
KGB
The KGB was the commonly used acronym for the . It was the national security agency of the Soviet Union from 1954 until 1991, and was the premier internal security, intelligence, and secret police organization during that time.The State Security Agency of the Republic of Belarus currently uses the...

 often issued its agents
Espionage
Espionage or spying involves an individual obtaining information that is considered secret or confidential without the permission of the holder of the information. Espionage is inherently clandestine, lest the legitimate holder of the information change plans or take other countermeasures once it...

 one-time pads printed on tiny sheets of "flash paper"—paper chemically converted to nitrocellulose
Nitrocellulose
Nitrocellulose is a highly flammable compound formed by nitrating cellulose through exposure to nitric acid or another powerful nitrating agent. When used as a propellant or low-order explosive, it is also known as guncotton...

, which burns almost instantly and leaves no ash.

The classical one-time pad of espionage used actual pads of minuscule, easily-concealed paper, a sharp pencil, and some mental arithmetic. The method can be implemented now as a software program, using data files as input (plaintext), output (ciphertext) and key material (the required random sequence). The XOR operation is often used to combine the plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and is therefore very fast. However, ensuring that the key material is actually random, is used only once, never becomes known to the opposition, and is completely destroyed after use is hard to do. The auxiliary parts of a software one-time pad implementation present real challenges: secure handling/transmission of plaintext, truly random keys, and one-time-only use of the key.

Attempt at cryptanalysis

To continue the example from above, suppose Eve intercepts Alice's ciphertext: "EQNVZ". If Eve had infinite computing power, she would quickly find that the key "XMCKL" would produce the plaintext "HELLO", but she would also find that the key "TQURI" would produce the plaintext "LATER", an equally plausible message:
4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) ciphertext
− 19 (T) 16 (Q) 20 (U) 17 (R) 8 (I) possible key
= −15 0 −7 4 17 ciphertext-key
= 11 (L) 0 (A) 19 (T) 4 (E) 17 (R) ciphertext-key (mod 26)
In fact, it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext which will allow Eve to choose among the various possible readings of the ciphertext.

Perfect secrecy

One-time pads are "information-theoretically secure
Information theoretic security
A cryptosystem is information-theoretically secure if its security derives purely from information theory. That is, it is secure even when the adversary has unlimited computing power. The adversary simply does not have enough information to break the security...

" in that the encrypted message (i.e., the ciphertext
Ciphertext
In cryptography, ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher...

) provides no information about the original message to a cryptanalyst (except the maximum possible length of the message). This is a very strong notion of security first developed during WWII by Claude Shannon and proved, mathematically, to be true of the one-time pad by Shannon about the same time. His result was published in the Bell Labs Technical Journal in 1949. Properly used one-time pads are secure in this sense even against adversaries with infinite computational power.

Claude Shannon proved, using information theory
Information theory
Information theory is a branch of applied mathematics and electrical engineering involving the quantification of information. Information theory was developed by Claude E. Shannon to find fundamental limits on signal processing operations such as compressing data and on reliably storing and...

 considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information
Information
Information in its most restricted technical sense is a message or collection of messages that consists of an ordered sequence of symbols, or it is the meaning that can be interpreted from such a message or collection of messages. Information can be recorded or transmitted. It can be recorded as...

 about the plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....

. Thus, the a priori probability of a plaintext message M is the same as the a posteriori probability of a plaintext message M given the corresponding ciphertext. Mathematically, this is expressed as , where is the entropy
Information entropy
In information theory, entropy is a measure of the uncertainty associated with a random variable. In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message, usually in units such as bits...

 of the plaintext and is the conditional entropy
Conditional entropy
In information theory, the conditional entropy quantifies the remaining entropy of a random variable Y given that the value of another random variable X is known. It is referred to as the entropy of Y conditional on X, and is written H...

 of the plaintext given the ciphertext C. Perfect secrecy is a strong notion of cryptanalytic difficulty.

Conventional symmetric encryption algorithms use complex patterns of substitution and transpositions. For the best of these currently in use, it is not known whether there can be a cryptanalytic procedure which can reverse (or, usefully, partially reverse) these transformations without knowing the key used during encryption. Asymmetric encryption algorithms depend on mathematical problems that are thought to be difficult to solve, such as integer factorization
Integer factorization
In number theory, integer factorization or prime factorization is the decomposition of a composite number into smaller non-trivial divisors, which when multiplied together equal the original integer....

 and discrete logarithm
Discrete logarithm
In mathematics, specifically in abstract algebra and its applications, discrete logarithms are group-theoretic analogues of ordinary logarithms. In particular, an ordinary logarithm loga is a solution of the equation ax = b over the real or complex numbers...

s. However there is no proof that these problems are hard and a mathematical breakthrough could make existing systems vulnerable to attack.

Problems

Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice:
  • it requires perfectly random one-time pads, which is a non-trivial software requirement
  • secure generation and exchange of the one-time pad material, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad key-exchange).
  • careful treatment to make sure that it continues to remain secret from any adversary, and is disposed of correctly preventing any reuse in whole or part — hence "one time". See data remanence
    Data remanence
    Data remanence is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written...

     for a discussion of difficulties in completely erasing computer media.


The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities. These practical considerations of security and convenience have meant that the one-time-pad is, in practice, little-used. Implementation difficulties have led to one-time pad systems being broken, and are so serious that they have prevented the one-time pad from being adopted as a widespread tool in information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....

.

One-time pads solve few current practical problems in cryptography. High quality ciphers are widely available and their security is not considered a major worry at present. Such ciphers are almost always easier to employ than one-time pads; the amount of key material which must be properly generated and securely distributed is far smaller, and public key cryptography overcomes this problem.

Key distribution

Because the pad must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as you can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely). However, once a very long pad has been securely sent (e.g., a computer disk full of random data), it can be used for numerous future messages, until the sum of their sizes equals the size of the pad.

Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-R
DVD-R
DVD-R is a DVD recordable format. A DVD-R typically has a storage capacity of 4.71 GB. Pioneer has also developed an 8.5 GB dual layer version, DVD-R DL, which appeared on the market in 2005....

s or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). A 4.7 GB DVD-R full of one-time-pad data, if shredded into particles 1 mm² in size, leaves over 100 kibibit
Kibibit
The kibibit is a multiple of the bit, a unit of digital information storage, prefixed by the standards-based multiplier kibi , a binary prefix meaning 210...

s of (admittedly hard to recover, but not impossibly so) data on each particle. In addition, the risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the pad) is likely much greater in practice than the likelihood of compromise for a cipher such as AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...

. Finally, the effort needed to manage one-time pad key material scales
Scalability
In electronics scalability is the ability of a system, network, or process, to handle growing amount of work in a graceful manner or its ability to be enlarged to accommodate that growth...

 very badly for large networks of communicants—the number of pads required goes up as the square of the number of users freely exchanging messages. For communication between only two persons, or a star network
Star network
Star networks are one of the most common computer network topologies. In its simplest form, a star network consists of one central switch, hub or computer, which acts as a conduit to transmit messages...

 topology, this is less of a problem.

The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery
Computer forensics
Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media...

 than the transient plaintext it protects (see data remanence
Data remanence
Data remanence is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written...

).

Authentication

As traditionally used, one-time pads provide no message authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

, the lack of which can pose a security threat in real-world systems. The straightforward XORing with the keystream
Keystream
In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a plaintext message to produce an encrypted message ....

, or the use of any invertible function known to the attacker, such as mod 26 addition, creates a potential vulnerability in message integrity. For example, an attacker who knows that the message contains "meet jane and me tomorrow at three thirty pm" at a particular point can replace that content by any other content of exactly the same length, such as "three thirty meeting is cancelled, stay home", without having access to the one-time pad, a property of all stream ciphers known as malleability
Malleability (cryptography)
Malleability is a property of some cryptographic algorithms. An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext...

. See also stream cipher attack
Stream cipher attack
Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation , can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:*keys must never be used twice...

. Standard techniques to prevent this, such as the use of a message authentication code
Message authentication code
In cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...

 can be used along with a one-time pad system to prevent such attacks, as can classical methods such as variable length padding
Padding (cryptography)
-Classical cryptography:Official messages often start and end in predictable ways: My dear ambassador, Weather report, Sincerely yours, etc. The primary use of padding with classical ciphers is to prevent the cryptanalyst from using that predictability to find cribs that aid in breaking the...

 and Russian copulation
Russian copulation
In cryptography, Russian copulation is a method of rearranging plaintext before encryption so as to conceal stereotyped headers, salutations, introductions, endings, signatures, etc...

, but they all lack the perfect security the OTP itself has. Universal hashing
Universal hashing
Using universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property . This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary...

 provides a way to authenticate messages up to an arbitrary security bound (i.e. for any p>0, a large enough hash ensures that even a computationally unbounded attacker's likelihood of successful forgery is less than p), but this uses additional random data from the pad, and removes the possibility of implementing the system without a computer.

True randomness

High-quality random numbers are difficult to generate. The random number generation functions in most programming language
Programming language
A programming language is an artificial language designed to communicate instructions to a machine, particularly a computer. Programming languages can be used to create programs that control the behavior of a machine and/or to express algorithms precisely....

 libraries are not suitable for cryptographic use. Even those generators that are suitable for normal cryptographic use, including /dev/random
/dev/random
In Unix-like operating systems, /dev/random is a special file that serves as a random number generator or as a pseudorandom number generator. It allows access to environmental noise collected from device drivers and other sources. Not all operating systems implement the same semantics for /dev/random...

 and many hardware random number generator
Hardware random number generator
In computing, a hardware random number generator is an apparatus that generates random numbers from a physical process. Such devices are often based on microscopic phenomena that generate a low-level, statistically random "noise" signal, such as thermal noise or the photoelectric effect or other...

s, make some use of cryptographic functions whose security is unproven.

In particular, one-time use is absolutely necessary. If a one-time pad is used just twice, simple mathematical operations can reduce it to a running key cipher
Running key cipher
In classical cryptography, the running key cipher is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide a very long keystream...

. If both plaintexts are in a natural language (e.g. English or Russian or Irish) then, even though both are secret, each stands a very high chance of being recovered by heuristic
Heuristic
Heuristic refers to experience-based techniques for problem solving, learning, and discovery. Heuristic methods are used to speed up the process of finding a satisfactory solution, where an exhaustive search is impractical...

 cryptanalysis, with possibly a few ambiguities. Of course the longer message can only be broken for the portion that overlaps the shorter message, plus perhaps a little more by completing a word or phrase. The most famous exploit of this vulnerability is the VENONA project
Venona project
The VENONA project was a long-running secret collaboration of the United States and United Kingdom intelligence agencies involving cryptanalysis of messages sent by intelligence agencies of the Soviet Union, the majority during World War II...

.

Applicability

Despite its problems, the one-time-pad retains some practical interest. In some hypothetical espionage situations, the one-time pad might be useful because it can be computed by hand with only pencil and paper. Indeed, nearly all other high quality ciphers are entirely impractical without computers. Spies can receive their pads in person from their "handlers." In the modern world, however, computers (such as those embedded in personal electronic devices such as mobile phone
Mobile phone
A mobile phone is a device which can make and receive telephone calls over a radio link whilst moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile network operator...

s) are so ubiquitous that possessing a computer suitable for performing conventional encryption (for example, a phone which can run concealed cryptographic software) will usually not attract suspicion.
  • The one-time-pad is the only cryptosystem with theoretically perfect secrecy.

  • The one-time-pad is one of the most practical methods of encryption where one or both parties must do all work by hand, without the aid of a computer. This made it important in the pre-computer era, and it could conceivably still be useful in situations where possession of a computer is illegal or incriminating or where trustworthy computers are not available.

  • One-time pads are practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.

  • The one-time-pad can be used in superencryption
    Superencryption
    Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. The terms cascade encryption, cascade ciphering, multiple encryption, multiple ciphering, and superencipherment are used with the same meaning...


  • The algorithm most commonly associated with quantum key distribution is the one-time pad.

  • The one-time pad is mimicked by stream ciphers

  • The one-time pad can be a part of an introduction to cryptography

Historical uses

One-time pads have been used in special circumstances since the early 1900s. The Weimar Republic
Weimar Republic
The Weimar Republic is the name given by historians to the parliamentary republic established in 1919 in Germany to replace the imperial form of government...

 Diplomatic Service began using the method in about 1920. The breaking of poor Soviet cryptography by the British
United Kingdom
The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages...

, with messages made public for political reasons in two instances in the 1920s, appear to have induced the U.S.S.R. to adopt one-time pads for some purposes by around 1930. KGB
KGB
The KGB was the commonly used acronym for the . It was the national security agency of the Soviet Union from 1954 until 1991, and was the premier internal security, intelligence, and secret police organization during that time.The State Security Agency of the Republic of Belarus currently uses the...

 spies are also known to have used pencil and paper one-time pads more recently. Examples include Colonel Rudolf Abel, who was arrested and convicted in New York City
New York City
New York is the most populous city in the United States and the center of the New York Metropolitan Area, one of the most populous metropolitan areas in the world. New York exerts a significant impact upon global commerce, finance, media, art, fashion, research, technology, education, and...

 in the 1950s, and the 'Krogers' (i.e., Morris and Lona Cohen), who were arrested and convicted of espionage in the United Kingdom
United Kingdom
The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages...

 in the early 1960s. Both were found with physical one-time pads in their possession.

A number of nations have used one-time pad systems for their sensitive traffic. Leo Marks
Leo Marks
Leopold Samuel Marks was an English cryptographer, screenwriter and playwright.-Early life:Born the son of an antiquarian bookseller in London, he was first introduced to cryptography when his father showed him a copy of Edgar Allan Poe's story, "The Gold-Bug"...

 reports that the British Special Operations Executive
Special Operations Executive
The Special Operations Executive was a World War II organisation of the United Kingdom. It was officially formed by Prime Minister Winston Churchill and Minister of Economic Warfare Hugh Dalton on 22 July 1940, to conduct guerrilla warfare against the Axis powers and to instruct and aid local...

 used one-time pads in World War II to encode traffic between its offices. One-time pads for use with its overseas agents were introduced late in the war. Other one-time tape cipher machines include the British machines Rockex
Rockex
Rockex, or Telekrypton, was an offline one-time tape cipher machine known to have been used by Britain and Canada from 1943. It was developed by Benjamin deForest Bayly, working during the war for British Security Coordination....

 and Noreen
Noreen
Noreen, or BID 590, was an off-line one-time tape cipher machine of British origin.- Usage :As well as being used by the United Kingdom, Noreen was used by Canada. It was widely used in diplomatic stations...

.

The World War II
World War II
World War II, or the Second World War , was a global conflict lasting from 1939 to 1945, involving most of the world's nations—including all of the great powers—eventually forming two opposing military alliances: the Allies and the Axis...

 voice scrambler
Scrambler
In telecommunications, a scrambler is a device that transposes or inverts signals or otherwise encodes a message at the transmitter to make the message unintelligible at a receiver not equipped with an appropriately set descrambling device...

 SIGSALY
SIGSALY
In cryptography, SIGSALY was a secure speech system used in World War II for the highest-level Allied communications....

 was also a form of one-time system. It added noise to the signal at one end and removed it at the other end. The noise was distributed to the channel ends in the form of large shellac records which manufactured in unique pairs. There were both starting synchronization and longer-term phase drift problems which arose and were solved before the system could be used.

The NSA describes one-time tape systems like SIGTOT and 5-UCO
5-UCO
The 5-UCO was an on-line one-time tape Vernam cipher encryption system developed by the UK during World War II for use on teleprinter circuits. During the 1950s, it was used by the UK and US for liaison on cryptanalysis....

 as being used for intelligence traffic until the introduction of the electronic cipher based KW-26
KW-26
The TSEC/KW-26, code named ROMULUS, was an encryption system used by the U.S. Government and, later, by NATO countries. It was developed in the 1950s by the National Security Agency to secure fixed teleprinter circuits that operated 24 hours a day...

 in 1957.

The hotline
Moscow-Washington hotline
The Moscow-Washington hotline is a system that allows direct communication between the leaders of the United States and Russia. It was originally designed by Harris Corporation for communication between the United States and the Soviet Union...

 between Moscow
Moscow
Moscow is the capital, the most populous city, and the most populous federal subject of Russia. The city is a major political, economic, cultural, scientific, religious, financial, educational, and transportation centre of Russia and the continent...

 and Washington D.C., established in 1963 after the Cuban missile crisis
Cuban Missile Crisis
The Cuban Missile Crisis was a confrontation among the Soviet Union, Cuba and the United States in October 1962, during the Cold War...

, used teleprinter
Teleprinter
A teleprinter is a electromechanical typewriter that can be used to communicate typed messages from point to point and point to multipoint over a variety of communication channels that range from a simple electrical connection, such as a pair of wires, to the use of radio and microwave as the...

s protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via their embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.

During the 1983 Invasion of Grenada
Invasion of Grenada
The Invasion of Grenada, codenamed Operation Urgent Fury, was a 1983 United States-led invasion of Grenada, a Caribbean island nation with a population of about 100,000 located north of Venezuela. Triggered by a military coup which had ousted a four-year revolutionary government, the invasion...

, U.S. forces found a supply of pairs of one-time pad books in a Cuban warehouse.

The British Army
British Army
The British Army is the land warfare branch of Her Majesty's Armed Forces in the United Kingdom. It came into being with the unification of the Kingdom of England and Scotland into the Kingdom of Great Britain in 1707. The new British Army incorporated Regiments that had already existed in England...

's BATCO
BATCO
BATCO, short for Battle Code, is a hand-held, paper-based encryption system used at a low, front line level in the British Army during the late Cold War period....

 tactical communication code is a pencil-and-paper one-time-pad system. Key material is provided on paper sheets that are kept in a special plastic wallet with a sliding pointer that indicates the last key used. New sheets are provided daily (though a small series of "training BATCO" is usually recycled on exercise) and the old ones destroyed. BATCO is used on battlefield voice nets; the most sensitive portions of a message (typically grid reference
Grid reference
Grid references define locations on maps using Cartesian coordinates. Grid lines on maps define the coordinate system, and are numbered to provide a unique reference to features....

s) are encoded and the ciphertext is read out letter by letter.

A related notion is the one-time code—a signal, used only once, e.g. "Alpha" for "mission completed" and "Bravo" for "mission failed" cannot be "decrypted" in any reasonable sense of the word. Understanding the message will require additional information, often 'depth' of repetition, or some traffic analysis
Traffic analysis
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and...

. However, such strategies (though often used by real operatives, and baseball
Baseball
Baseball is a bat-and-ball sport played between two teams of nine players each. The aim is to score runs by hitting a thrown ball with a bat and touching a series of four bases arranged at the corners of a ninety-foot diamond...

 coaches) are not a cryptographic one-time pad in any significant sense.

Exploits

While one-time pads provide perfect secrecy if generated and used properly, small mistakes can lead to successful cryptanalysis:
  • In 1944–1945, the U.S. Army's Signals Intelligence Service
    Signals Intelligence Service
    The Signals Intelligence Service was the United States Army codebreaking division, headquartered at Arlington Hall. It was a part of the Signal Corps so secret that outside the office of the Chief Signal officer, it did not officially exist. William Friedman began the division with three "junior...

     was able to solve a one-time pad system used by the German Foreign Office for its high-level traffic, codenamed GEE (Erskine, 2001). GEE was insecure because the pads were not completely random — the machine used to generate the pads produced predictable output.
  • In 1945 the U.S. discovered that Canberra
    Canberra
    Canberra is the capital city of Australia. With a population of over 345,000, it is Australia's largest inland city and the eighth-largest city overall. The city is located at the northern end of the Australian Capital Territory , south-west of Sydney, and north-east of Melbourne...

    -Moscow
    Moscow
    Moscow is the capital, the most populous city, and the most populous federal subject of Russia. The city is a major political, economic, cultural, scientific, religious, financial, educational, and transportation centre of Russia and the continent...

     messages were being encrypted first using a code-book and then using a one-time pad. However the one-time pad used was the same one used by Moscow for Washington, DC-Moscow messages. Combined with the fact that some of the Canberra-Moscow messages included known British government documents, this allowed some of the encrypted messages to be broken.
  • One-time pads were employed by Soviet
    Soviet Union
    The Soviet Union , officially the Union of Soviet Socialist Republics , was a constitutionally socialist state that existed in Eurasia between 1922 and 1991....

     espionage agencies for covert communications with agents and agent controllers. Analysis has shown that these pads were generated by typists using actual typewriters. This method is of course not "truly" random, as it makes certain convenient key sequences more likely than others, yet it proved to be generally effective. Without copies of the key material used, only some defect in the generation method or reuse of keys offered much hope of cryptanalysis. Beginning in the late 1940s, U.S. and U.K. intelligence agencies were able to break some of the Soviet one-time pad traffic to Moscow
    Moscow
    Moscow is the capital, the most populous city, and the most populous federal subject of Russia. The city is a major political, economic, cultural, scientific, religious, financial, educational, and transportation centre of Russia and the continent...

     during WWII as a result of errors made in generating and distributing the key material. One suggestion is that Moscow Centre personnel were somewhat rushed by the presence of German troops just outside Moscow in late 1941 and early 1942, and they produced more than one copy of same key material during that period. This decades-long effort was finally codenamed VENONA (BRIDE had been an earlier name); it produced a considerable amount of information, including more than a little about some of the Soviet atom spies. Even so, only a small percentage of the intercepted messages were either fully or partially decrypted (a few thousand out of several hundred thousand).

True randomness requirements

In discussing the one-time pad, two notions of security have to be kept distinct. The first is the perfect secrecy of the one-time pad system as proved by Shannon (Shannon security). The second is the security offered by state-of-the-art ciphers (e.g. AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...

) designed with principles learned in the long history of code breaking and subjected to extensive testing in a standardization process, either in public or by a top notch security service (empirical security). The former is mathematically proven, subject to the practical availability of random numbers. The latter is unproven but relied upon by most governments to protect their most vital secrets (insofar as publicly known thus far).

Methods that may offer practical security, but do not have Shannon security

If the key material is generated by a deterministic program, then it is not random and the encryption system no longer has perfect secrecy. Such a system is called a stream cipher
Stream cipher
In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream . In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption...

. These generally use a short key which is used to seed a long pseudorandom stream, which is then combined with the message using some such mechanism as those used in one-time pads (e.g., XOR). Stream ciphers can be secure in practice, but they cannot achieve perfect secrecy like the one-time pad does.

The Fish ciphers
Fish (cryptography)
Fish was the Allied codename for any of several German teleprinter stream ciphers used during World War II. Enciphered teleprinter traffic was used between German High Command and Army Group commanders in the field, so its intelligence value was of the highest strategic value to the Allies...

 used by the German military in WWII turned out to be insecure stream ciphers, not practical automated one-time pads as their designers had intended. Bletchley Park
Bletchley Park
Bletchley Park is an estate located in the town of Bletchley, in Buckinghamshire, England, which currently houses the National Museum of Computing...

 broke one of them, the Lorenz cipher
Lorenz cipher
The Lorenz SZ40, SZ42A and SZ42B were German rotor cipher machines used by the German Army during World War II. They were developed by C. Lorenz AG in Berlin. They implemented a Vernam stream cipher...

 machine, regularly.

However, if a modern so-called cryptographically secure pseudo-random number generator is used, it can form the basis for an empirically secure stream cipher. There are many well-vetted designs in the public domain, ranging from the simple (but cryptographically imperfect) RC4
RC4
In cryptography, RC4 is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer and WEP...

 to block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...

s like AES used in counter mode.

Methods that offer neither practical security nor Shannon security

The similarity between stream ciphers and one-time pads often leads the cryptographically unwary to invent insecure stream ciphers under the mistaken impression that they have developed a practical version of the one-time pad. An especially insecure approach is to use any of the random number generators
Pseudorandom number generator
A pseudorandom number generator , also known as a deterministic random bit generator , is an algorithm for generating a sequence of numbers that approximates the properties of random numbers...

 that are distributed in many (perhaps most) computer programming language runtime support packages or as operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...

 system calls. These typically produce sequences that pass some (or even many) statistical
Statistics
Statistics is the study of the collection, organization, analysis, and interpretation of data. It deals with all aspects of this, including the planning of data collection in terms of the design of surveys and experiments....

 tests, but are nonetheless breakable by cryptoanalytic techniques. For some time the ANSI C standard restricted the C language random number routine output to a single precision integer, for most implementations that would be 16-bits, giving at most 32768 different values before repeating (assuming a cyclical algorithm, as is common, but not mandatory). This is entirely insecure and is easily breakable by exhaustive test
Brute force attack
In cryptography, a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier...

 (for perspective, a 1 GHz computer which takes 10,000 clock cycles to check an offset within the RNG's cycle would take under a third of a second to check every possible offset). Standard computer random number generators are not suitable for cryptographic purposes, specifically including the one-time pad. In particular, the relatively newly developed and widely admired Mersenne twister algorithm, while sufficiently "random" for most research or simulation uses, better than almost any other such generator, and quite fast as well, should not be used to generate one-time pad key material. The algorithm is deterministic and was not designed for cryptographic security. Some programs use a user-supplied key to uniquely scatter the output of a pseudorandom number generator in a way that requires knowledge of the key and any initialization vector
Initialization vector
In cryptography, an initialization vector is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom...

s used, to predict the final output.

Indeed, even truly random sequences which have been published cannot be used as they are now predictable if identified. An example is the RAND
RAND
RAND Corporation is a nonprofit global policy think tank first formed to offer research and analysis to the United States armed forces by Douglas Aircraft Company. It is currently financed by the U.S. government and private endowment, corporations including the healthcare industry, universities...

 Corporation's 1950s publication of a million random digits
A Million Random Digits with 100,000 Normal Deviates
A Million Random Digits with 100,000 Normal Deviates is a 1955 book by the RAND Corporation. The book, consisting primarily of a random number table, was an important 20th century work in the field of statistics and random numbers...

; it has passed every statistical test for randomness thus far and is thought to be actually random. But, having been published, it is fully predictable. So are the digits of pi
Pi
' is a mathematical constant that is the ratio of any circle's circumference to its diameter. is approximately equal to 3.14. Many formulae in mathematics, science, and engineering involve , which makes it one of the most important mathematical constants...

, e
E (mathematical constant)
The mathematical constant ' is the unique real number such that the value of the derivative of the function at the point is equal to 1. The function so defined is called the exponential function, and its inverse is the natural logarithm, or logarithm to base...

, phi
Golden ratio
In mathematics and the arts, two quantities are in the golden ratio if the ratio of the sum of the quantities to the larger quantity is equal to the ratio of the larger quantity to the smaller one. The golden ratio is an irrational mathematical constant, approximately 1.61803398874989...

, and other irrational or transcendental numbers; the sequences may be statistically random (an open question, actually), but are fully predictable nonetheless.

Achieving Shannon security

To achieve Shannon security, a source of perfectly unpredictable random data is needed.
Typically these random bits are produced by a hardware random number generator
Hardware random number generator
In computing, a hardware random number generator is an apparatus that generates random numbers from a physical process. Such devices are often based on microscopic phenomena that generate a low-level, statistically random "noise" signal, such as thermal noise or the photoelectric effect or other...

.
One theoretical basis for the physical existence of unpredictability is quantum mechanics
Quantum mechanics
Quantum mechanics, also known as quantum physics or quantum theory, is a branch of physics providing a mathematical description of much of the dual particle-like and wave-like behavior and interactions of energy and matter. It departs from classical mechanics primarily at the atomic and subatomic...

. Its assertions of unpredictability are subject to experimental test. See: Bell test experiments
Bell test experiments
The Bell test experiments serve to investigate the validity of the entanglement effect in quantum mechanics by using some kind of Bell inequality...

. Another basis is the theory of unstable dynamical system
Dynamical system
A dynamical system is a concept in mathematics where a fixed rule describes the time dependence of a point in a geometrical space. Examples include the mathematical models that describe the swinging of a clock pendulum, the flow of water in a pipe, and the number of fish each springtime in a...

s and chaos theory
Chaos theory
Chaos theory is a field of study in mathematics, with applications in several disciplines including physics, economics, biology, and philosophy. Chaos theory studies the behavior of dynamical systems that are highly sensitive to initial conditions, an effect which is popularly referred to as the...

. These theories suggest that even in the deterministic world of Newtonian mechanics, real-world systems evolve in ways that cannot be predicted in practice because one would need to know the initial conditions to an accuracy that grows exponentially
Exponential growth
Exponential growth occurs when the growth rate of a mathematical function is proportional to the function's current value...

 over time.

For use in a one-time pad, data should exhibit perfect randomness. Most practical sources exhibit some imperfection or bias. The quality of randomness is measured by entropy
Information entropy
In information theory, entropy is a measure of the uncertainty associated with a random variable. In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message, usually in units such as bits...

. A perfectly random bit has an entropy of one bit. An idea due to Von Neumann is to use an algorithm to combine multiple, imperfectly random bits, each with entropy less than one, to create a single bit with entropy equal to one. This process is called entropy distillation or entropy extraction. Von Neumann proposed the following method, called "Von Neumann whitening":
Input bitsOutput
00 No output.
01 Output "0" bit.
10 Output "1" bit.
11 No output.


This will produce uniformly random output bits if the input bits are statistically independent and all drawn from the same distribution. However, that is not a realistic assumption since most physical randomness sources may have some correlation in the output, and the distribution may change with the device temperature, etc. In 2003, Boaz Barak, Ronen Shaltiel, and Eran Tromer stated some reasonable security criteria for entropy distillation and constructed an algorithm for doing it.

In many Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....

 systems, the kernel's random number generator, /dev/random
/dev/random
In Unix-like operating systems, /dev/random is a special file that serves as a random number generator or as a pseudorandom number generator. It allows access to environmental noise collected from device drivers and other sources. Not all operating systems implement the same semantics for /dev/random...

, uses environmental noise to generate random data and is better than many such system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...

 designs. It attempts to estimate the amount of entropy it collects and blocks if the entropy pool is exhausted. It is intended to be, and is widely thought to actually be, better than most such generators, and if so is rather closer to satisfactorily random. But this process will be slow on systems which have few usable noise sources. It can, however, be fed additional entropy by reading from an attached noise generating device.

Many Unix-like systems also provide /dev/urandom, which uses a deterministic algorithm to generate the data whenever environmental noise is unavailable. Improved designs, such as the Yarrow algorithm
Yarrow algorithm
The Yarrow algorithm is a cryptographically secure pseudorandom number generator. The name is taken from the yarrow plant, the stalks of which are dried and used as a randomising agent in I Ching divination....

, are available. One-time pad key material generated in this way (i.e., from deterministic random number generators) lacks the information-theoretic security of a one-time pad. Yarrow offers at least as much strength as a block cipher based on triple DES
Triple DES
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block....

.

If a computer used for one-time pad generation is compromised, by a computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...

 or other malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...

 or by an adversary gaining physical access, the software can be modified to leak the pad data or generate apparently random data that is in fact predictable. See random number generator attack
Random number generator attack
The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed...

. One way to reduce this risk is to generate pads on a machine that is never connected to any computer network and preferably not used for any other purpose. Collecting key material on new, blank media (e.g. floppy disk
Floppy disk
A floppy disk is a disk storage medium composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic carrier lined with fabric that removes dust particles...

s or CD-R
CD-R
A CD-R is a variation of the Compact Disc invented by Philips and Sony. CD-R is a Write Once Read Many optical medium, though the whole disk does not have to be entirely written in the same session....

s) eliminates another route for malware infection. If paper pads are to be produced, the printer is best dedicated as well. One approach might be to use an older laptop for OTP generation, purged and rebuilt with a fresh, traceable copy of an open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...

 operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...

, such as Linux or BSD. The smaller size would allow it to be easily locked up in a safe
Safe
A safe is a secure lockable box used for securing valuable objects against theft or damage. A safe is usually a hollow cuboid or cylinder, with one face removable or hinged to form a door. The body and door may be cast from metal or formed out of plastic through blow molding...

 when not in use.

Making one-time pads by hand

One-time pads were originally made without the use of a computer and this is still possible today. The process can be tedious, but if done correctly and the pad used only once, the result is unbreakable.

There are two components needed to make a one-time pad: a way to generate letters at random and a way to record two copies of the result. The traditional way to do the latter was to use a typewriter
Typewriter
A typewriter is a mechanical or electromechanical device with keys that, when pressed, cause characters to be printed on a medium, usually paper. Typically one character is printed per keypress, and the machine prints the characters by making ink impressions of type elements similar to the pieces...

 and carbon paper
Carbon paper
Carbon paper is paper coated on one side with a layer of a loosely bound dry ink or pigmented coating, usually bound with wax. It is used for making one or more copies simultaneous with the creation of an original document...

. The carbon paper and typewriter ribbon
Typewriter ribbon
A typewriter ribbon is an expendable module serving the function of transferring pigment to paper in various devices for impact printing. Such ribbons were part of standard designs for hand- or motor-driven typewriters, teleprinters, stenotype machines, computer-driven printers and many mechanical...

 would then be destroyed since it may be possible for the pad data to be recovered from them. As typewriters have become scarce, it is also acceptable to hand write the letters neatly in groups of five on two part carbonless copy paper
Carbonless copy paper
Carbonless copy paper , non-carbon copy paper, or NCR paper is an alternative to carbon paper, used to make a copy of an original, handwritten document without the use of any electronics...

 sheets, which can be purchased at office supply stores. Each sheet should be given a serial number or some other unique marking.

The simplest way to generate random letters is to obtain 26 identical objects with each letter of the alphabet marked on one object. Tiles from the game Scrabble
Scrabble
Scrabble is a word game in which two to four players score points by forming words from individual lettered tiles on a game board marked with a 15-by-15 grid. The words are formed across and down in crossword fashion and must appear in a standard dictionary. Official reference works provide a list...

 can be used (as long as only one of each letter is selected). Kits for making name charm bracelets are another possibility. One can also write the letters on 26 otherwise identical coins with a marking pen. The objects are placed in a box or cup and shaken vigorously, then one object is withdrawn and its letter is recorded. The object is returned to the box and the process is repeated.

Another way to make one time pads is to use dice. You can generate random number groups by rolling 4 or 5 ten-sided dice at a time and recording the numbers for each roll. This method will generate random code groups much faster than using Scrabble tiles. The resulting numeric one time pads are used to encrypt a plaintext message converted into numeric values with a straddling checkerboard
Straddling checkerboard
In cryptography, a straddling checkerboard is a device for converting an alphabetic plaintext into digits whilst simultaneously achieving fractionation and data compression relative to other schemes using digits...

 using non-carrying addition. You can then either transmit the numeric groups as is, or use the straddling checkerboard to convert the numbers back into letters and transmit that result. Regular six-sided dice should not be used.

See also

  • Hardware random number generator
    Hardware random number generator
    In computing, a hardware random number generator is an apparatus that generates random numbers from a physical process. Such devices are often based on microscopic phenomena that generate a low-level, statistically random "noise" signal, such as thermal noise or the photoelectric effect or other...

  • Information theoretic security
    Information theoretic security
    A cryptosystem is information-theoretically secure if its security derives purely from information theory. That is, it is secure even when the adversary has unlimited computing power. The adversary simply does not have enough information to break the security...

  • Lamport signature
  • Numbers station
    Numbers station
    A numbers station is a shortwave radio station of uncertain origin. In the 1950s, Time magazine reported that the numbers stations first appeared shortly after World War II and were using a format that had been used to send weather data during that war.Numbers stations generally broadcast...

  • One-time password
    One-time password
    A one-time password is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable...

  • Session key
    Session key
    A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is traffic encryption key or TEK, which refers to any key used to encrypt messages, as opposed to other uses, like encrypting other keys .Session keys can introduce...

  • SQR codes
  • Steganography
    Steganography
    Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity...

  • Unicity distance
    Unicity distance
    In cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e...


Further reading

  • Robert Wallace and H. Keith Melton, with Henry R. Schlesinger, Spycraft: The Secret History of the CIA's Spytechs, from Communism to al-Qaeda, New York, Dutton
    Dutton
    - Places :*Dutton, Alabama, town in the United States*Dutton, Cheshire, village in England*Dutton, Lancashire, village in England*Dutton, Montana, town in the United States*Dutton/Dunwich, Ontario, town and municipality in Canada*Dutton, South Australia...

    , 2008. ISBN 0-525-94980-1

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK