In cryptography, the one-time pad (OTP) is a type of encryption which has been proven to be impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key (or pad) of the same length as the plaintext, resulting in a ciphertext. If the key is truly random, as large as or greater than the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key.[1][2] It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys.[3] However, practical problems have prevented one-time pads from being widely used.

First described by Frank Miller in 1882,[4][5] the one-time pad was re-invented in 1917 and patented a couple of years later. It is derived from the Vernam cipher, named after Gilbert Vernam, one of its inventors. Vernam's system was a cipher that combined a message with a key read from a punched tape. In its original form, Vernam's system was vulnerable because the key tape was a loop, which was reused whenever the loop made a full cycle. One-time use came a little later when Joseph Mauborgne recognized that if the key tape were totally random, cryptanalysis would be impossible.[6]

The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy concealment, the pad was sometimes reduced to such a small size that a powerful magnifying glass was required to use it. Photos show captured KGB pads that fit in the palm of one's hand,[7] or in a walnut shell.[8] To increase security, one-time pads were sometimes printed onto sheets of highly flammable nitrocellulose.

There is some ambiguity to the term because some authors use the terms "Vernam cipher" and "one-time pad" synonymously, while others refer to any additive stream cipher as a "Vernam cipher", including those based on a cryptographically secure pseudorandom number generator (CSPRNG).[9]

## History of invention

The history of the one-time pad is marked by multiple independent, but closely related discoveries.

Frank Miller in 1882 was the first to describe the one-time pad system for securing telegraphy.[10]

The next one-time pad system was electrical. In 1917, Gilbert Vernam (of AT&T Corporation) invented and later patented in 1919 (U.S. Patent 1,310,719) a cipher based on teleprinter technology. Each character in a message was electrically combined with a character on a paper tape key. Joseph Mauborgne (then a captain in the U.S. Army and later chief of the Signal Corps) recognized that the character sequence on the key tape could be completely random and that, if so, cryptanalysis would be more difficult. Together they invented the first one-time tape system.[9]

The next development was the paper pad system. Diplomats had long used codes and ciphers for confidentiality and to minimize telegraph costs. For the codes, words and phrases were converted to groups of numbers (typically 4 or 5 digits) using a dictionary-like codebook. For added security, secret numbers could be combined with (usually modular addition) each code group before transmission, with the secret numbers being changed periodically (this was called superencryption). In the early 1920s, three German cryptographers (Werner Kunze, Rudolf Schauffler and Erich Langlotz), who were involved in breaking such systems, realized that they could never be broken if a separate randomly chosen additive number was used for every code group. They had duplicate paper pads printed with lines of random number groups. Each page had a serial number and eight lines. Each line had six 5-digit numbers. A page would be used as a work sheet to encode a message and then destroyed. The serial number of the page would be sent with the encoded message. The recipient would reverse the procedure and then destroy his copy of the page. The German foreign office put this system into operation by 1923.[9]

A separate notion was the use of a one-time pad of letters to encode plaintext directly as in the example below. Leo Marks describes inventing such a system for the British Special Operations Executive during World War II, though he suspected at the time that it was already known in the highly compartmentalized world of cryptography, as for instance at Bletchley Park.[11]

The final discovery was by Claude Shannon in the 1940s who recognized and proved the theoretical significance of the one-time pad system. Shannon delivered his results in a classified report in 1945, and published them openly in 1949.[3] At the same time, Vladimir Kotelnikov had independently proven absolute security of the one-time pad; his results were delivered in 1941 in a report that apparently remains classified.[12]

↑Jump back a section

## Example

Suppose Alice wishes to send the message "HELLO" to Bob. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged for in advance, as for instance 'use the 12th sheet on 1 May', or 'use the next available sheet for the next message'. The material on the selected sheet is the key for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. It is common, but not required, to assign each letter a numerical value: e.g. "A" is 0, "B" is 1, and so on. In this example, the technique is to combine the key and the message using modular addition. The numerical values of corresponding message and key letters are added together, modulo 26. If key material begins with "XMCKL" and the message is "HELLO", then the coding would be done as follows:

```      H       E       L       L       O  message
7 (H)   4 (E)  11 (L)  11 (L)  14 (O) message
+ 23 (X)  12 (M)   2 (C)  10 (K)  11 (L) key
= 30      16      13      21      25     message + key
=  4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z) message + key (mod 26)
E       Q       N       V       Z  → ciphertext
```

If a number is larger than 26, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if the computations "go past" Z, the sequence starts again at A.

The ciphertext to be sent to Bob is thus "EQNVZ". Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic:

```       E       Q       N       V       Z  ciphertext
4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z) ciphertext
-  23 (X)  12 (M)   2 (C)  10 (K)  11 (L) key
= -19       4      11      11      14     ciphertext — key
=   7 (H)   4 (E)  11 (L)  11 (L)  14 (O) ciphertext — key (mod 26)
H       E       L       L       O  → message
```

Similar to the above, if a number is negative then 26 is added to make the number positive.

Thus Bob recovers Alice's plaintext, the message "HELLO". Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher. The KGB often issued its agents one-time pads printed on tiny sheets of "flash paper"—paper chemically converted to nitrocellulose, which burns almost instantly and leaves no ash.[13]

The classical one-time pad of espionage used actual pads of minuscule, easily concealed paper, a sharp pencil, and some mental arithmetic. The method can be implemented now as a software program, using data files as input (plaintext), output (ciphertext) and key material (the required random sequence). The XOR operation is often used to combine the plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and is therefore very fast. However, ensuring that the key material is actually random, is used only once, never becomes known to the opposition, and is completely destroyed after use is hard to do. The auxiliary parts of a software one-time pad implementation present real challenges: secure handling/transmission of plaintext, truly random keys, and one-time-only use of the key.

### Attempt at cryptanalysis

To continue the example from above, suppose Eve intercepts Alice's ciphertext: "EQNVZ". If Eve had infinite computing power, she would instantly find that the key "XMCKL" would produce the plaintext "HELLO", but she would also find that the key "TQURI" would produce the plaintext "LATER", an equally plausible message:

```    4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z) ciphertext
−  19 (T)  16 (Q)  20 (U)  17 (R)   8 (I) possible key
= −15       0      −7       4      17     ciphertext-key
=  11 (L)   0 (A)  19 (T)   4 (E)  17 (R) ciphertext-key (mod 26)
```

In fact, it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext which will allow Eve to choose among the various possible readings of the ciphertext.

↑Jump back a section

## Perfect secrecy

One-time pads are "information-theoretically secure" in that the encrypted message (i.e., the ciphertext) provides no information about the original message to a cryptanalyst (except the maximum possible length[14] of the message). This is a very strong notion of security first developed during WWII by Claude Shannon and proved, mathematically, to be true of the one-time pad by Shannon about the same time. His result was published in the Bell Labs Technical Journal in 1949.[15] Properly used one-time pads are secure in this sense even against adversaries with infinite computational power.

Claude Shannon proved, using information theory considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information about the plaintext. This is because, given a truly random key which is used only once, a ciphertext can be translated into any plaintext of the same length, and all are equally likely. Thus, the a priori probability of a plaintext message M is the same as the a posteriori probability of a plaintext message M given the corresponding ciphertext. Mathematically, this is expressed as $H(M)=H(M|C)$, where $H(M)$ is the entropy of the plaintext and $H(M|C)$ is the conditional entropy of the plaintext given the ciphertext C. Perfect secrecy is a strong notion of cryptanalytic difficulty.[3]

Conventional symmetric encryption algorithms use complex patterns of substitution and transpositions. For the best of these currently in use, it is not known whether there can be a cryptanalytic procedure which can reverse (or, usefully, partially reverse) these transformations without knowing the key used during encryption. Asymmetric encryption algorithms depend on mathematical problems that are thought to be difficult to solve, such as integer factorization and discrete logarithms. However there is no proof that these problems are hard and a mathematical breakthrough could make existing systems vulnerable to attack.

Given perfect secrecy, in contrast to conventional symmetric encryption, OTP is immune even to brute-force attacks. Trying all keys simply yields all plaintexts, all equally likely to be the actual plaintext. Even with known plaintext, like part of the message being known, brute-force attacks cannot be used, since an attacker is unable to gain any information about the parts of the key needed to decrypt the rest of the message.

↑Jump back a section

## Problems

Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice:

• it requires perfectly random one-time pads, which is a non-trivial software requirement.
• secure generation and exchange of the one-time pad material, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad key-exchange). Non information-theoretic-secure ciphers typically only require a cryptographic key, a short string of characters, to be exchanged.
• careful treatment to make sure that it continues to remain secret from any adversary, and is disposed of correctly preventing any reuse in whole or part — hence "one time". See data remanence for a discussion of difficulties in completely erasing computer media.

The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities. These practical considerations of security and convenience have meant that the one-time-pad is, in practice, little-used. Implementation difficulties have led to one-time pad systems being broken, and are so serious that they have prevented the one-time pad from being adopted as a widespread tool in information security.

One-time pads solve few current practical problems in cryptography. High quality ciphers are widely available and their security is not considered a major worry at present. Such ciphers are almost always easier to employ than one-time pads; the amount of key material which must be properly generated and securely distributed is far smaller, and public key cryptography overcomes this problem.[16]

### Key distribution

As the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely). However, once a very long pad has been securely sent (e.g., a computer disk full of random data), it can be used for numerous future messages, until the sum of their sizes equals the size of the pad. Quantum key distribution also solves this problem.

Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). A 4.7 GB DVD-R full of one-time-pad data, if shredded into particles 1 mm² in size, leaves over 100 kibibits of (admittedly hard to recover, but not impossibly so) data on each particle.[citation needed] In addition, the risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the pad) is likely much greater in practice than the likelihood of compromise for a cipher such as AES. Finally, the effort needed to manage one-time pad key material scales very badly for large networks of communicants—the number of pads required goes up as the square of the number of users freely exchanging messages. For communication between only two persons, or a star network topology, this is less of a problem.

The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects (see data remanence).

### Authentication

As traditionally used, one-time pads provide no message authentication, the lack of which can pose a security threat in real-world systems. The straightforward XORing with the keystream, or the use of any invertible function known to the attacker, such as mod 26 addition, creates a potential vulnerability in message integrity. For example, an attacker who knows that the message contains "meet jane and me tomorrow at three thirty pm" at a particular point can replace that content by any other content of exactly the same length, such as "three thirty meeting is cancelled, stay home", without having access to the one-time pad, a property of all stream ciphers known as malleability.[17]See also stream cipher attack. Standard techniques to prevent this, such as the use of a message authentication code can be used along with a one-time pad system to prevent such attacks, as can classical methods such as variable length padding and Russian copulation, but they all lack the perfect security the OTP itself has. Universal hashing provides a way to authenticate messages up to an arbitrary security bound (i.e. for any p>0, a large enough hash ensures that even a computationally unbounded attacker's likelihood of successful forgery is less than p), but this uses additional random data from the pad, and removes the possibility of implementing the system without a computer.

### True randomness

High-quality random numbers are difficult to generate. The random number generation functions in most programming language libraries are not suitable for cryptographic use. Even those generators that are suitable for normal cryptographic use, including /dev/random and many hardware random number generators, make some use of cryptographic functions whose security is unproven.

In particular, one-time use is absolutely necessary. If a one-time pad is used just twice, simple mathematical operations can reduce it to a running key cipher. If both plaintexts are in a natural language (e.g. English or Russian or Irish) then, even though both are secret, each stands a very high chance of being recovered by heuristic cryptanalysis, with possibly a few ambiguities. Of course the longer message can only be broken for the portion that overlaps the shorter message, plus perhaps a little more by completing a word or phrase. The most famous exploit of this vulnerability occurred with the VENONA project.[18]

↑Jump back a section

## Uses

### Applicability

Any digital data storage device can be used to transport one-time pad data.

Despite its problems, the one-time-pad retains some practical interest. In some hypothetical espionage situations, the one-time pad might be useful because it can be computed by hand with only pencil and paper. Indeed, nearly all other high quality ciphers are entirely impractical without computers. Spies can receive their pads in person from their "handlers." In the modern world, however, computers (such as those embedded in personal electronic devices such as mobile phones) are so ubiquitous that possessing a computer suitable for performing conventional encryption (for example, a phone which can run concealed cryptographic software) will usually not attract suspicion.

• The one-time-pad is the most optimal cryptosystem with theoretically perfect secrecy.
• The one-time-pad is one of the most practical methods of encryption where one or both parties must do all work by hand, without the aid of a computer. This made it important in the pre-computer era, and it could conceivably still be useful in situations where possession of a computer is illegal or incriminating or where trustworthy computers are not available.
• One-time pads are practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.
• The one-time pad can be a part of an introduction to cryptography.[20]

### Historical uses

One-time pads have been used in special circumstances since the early 1900s. The Weimar Republic Diplomatic Service began using the method in about 1920. The breaking of poor Soviet cryptography by the British, with messages made public for political reasons in two instances in the 1920s, appear to have induced the U.S.S.R. to adopt one-time pads for some purposes by around 1930. KGB spies are also known to have used pencil and paper one-time pads more recently. Examples include Colonel Rudolf Abel, who was arrested and convicted in New York City in the 1950s, and the 'Krogers' (i.e., Morris and Lona Cohen), who were arrested and convicted of espionage in the United Kingdom in the early 1960s. Both were found with physical one-time pads in their possession.

A number of nations have used one-time pad systems for their sensitive traffic. Leo Marks reports that the British Special Operations Executive used one-time pads in World War II to encode traffic between its offices. One-time pads for use with its overseas agents were introduced late in the war.[11] Other one-time tape cipher machines include the British machines Rockex and Noreen.

The World War II voice scrambler SIGSALY was also a form of one-time system. It added noise to the signal at one end and removed it at the other end. The noise was distributed to the channel ends in the form of large shellac records which were manufactured in unique pairs. There were both starting synchronization and longer-term phase drift problems which arose and were solved before the system could be used.

The NSA describes one-time tape systems like SIGTOT and 5-UCO as being used for intelligence traffic until the introduction of the electronic cipher based KW-26 in 1957.[21]

The hotline between Moscow and Washington D.C., established in 1963 after the Cuban missile crisis, used teleprinters protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via their embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.[22]

During the 1983 Invasion of Grenada, U.S. forces found a supply of pairs of one-time pad books in a Cuban warehouse.[23]

The British Army's BATCO tactical communication code is a pencil-and-paper one-time-pad system. Key material is provided on paper sheets that are kept in a special plastic wallet with a sliding pointer that indicates the last key used. New sheets are provided daily (though a small series of "training BATCO" is usually recycled on exercise) and the old ones destroyed. BATCO is used on battlefield voice nets; the most sensitive portions of a message (typically grid references) are encoded and the ciphertext is read out letter by letter.

A related notion is the one-time code—a signal, used only once, e.g. "Alpha" for "mission completed" and "Bravo" for "mission failed" cannot be "decrypted" in any reasonable sense of the word. Understanding the message will require additional information, often 'depth' of repetition, or some traffic analysis. However, such strategies (though often used by real operatives, and baseball coaches) are not a cryptographic one-time pad in any significant sense.

### Exploits

While one-time pads provide perfect secrecy if generated and used properly, small mistakes can lead to successful cryptanalysis:

• In 1944–1945, the U.S. Army's Signals Intelligence Service was able to solve a one-time pad system used by the German Foreign Office for its high-level traffic, codenamed GEE (Erskine, 2001). GEE was insecure because the pads were not completely random — the machine used to generate the pads produced predictable output.
• In 1945, the US discovered that Canberra-Moscow messages were being encrypted first using a code-book and then using a one-time pad. However the one-time pad used was the same one used by Moscow for Washington, DC-Moscow messages. Combined with the fact that some of the Canberra-Moscow messages included known British government documents, this allowed some of the encrypted messages to be broken.
• One-time pads were employed by Soviet espionage agencies for covert communications with agents and agent controllers. Analysis has shown that these pads were generated by typists using actual typewriters. This method is of course not truly random, as it makes certain convenient key sequences more likely than others, yet it proved to be generally effective. Without copies of the key material used, only some defect in the generation method or reuse of keys offered much hope of cryptanalysis. Beginning in the late 1940s, US and UK intelligence agencies were able to break some of the Soviet one-time pad traffic to Moscow during WWII as a result of errors made in generating and distributing the key material. One suggestion is that Moscow Centre personnel were somewhat rushed by the presence of German troops just outside Moscow in late 1941 and early 1942, and they produced more than one copy of the same key material during that period. This decades-long effort was finally codenamed VENONA (BRIDE had been an earlier name); it produced a considerable amount of information, including more than a little about some of the Soviet atom spies. Even so, only a small percentage of the intercepted messages were either fully or partially decrypted (a few thousand out of several hundred thousand).[24]
↑Jump back a section

## True randomness requirements

In discussing the one-time pad, two notions of security have to be kept distinct. The first is the perfect secrecy of the one-time pad system as proved by Shannon (Shannon security). The second is the security offered by state-of-the-art ciphers (e.g. AES) designed with principles learned in the long history of code breaking and subjected to extensive testing in a standardization process, either in public or by a top notch security service (empirical security). The former is mathematically proven, subject to the practical availability of random numbers in sufficient quantity. The latter is unproven but is used by the vast majority of practical cryptography uses. For example, U.S. allows Top Secret classified information to be protected by the AES-256 cipher.[25]

### Methods that may offer practical security, but do not have Shannon security

If the key material is generated by a deterministic program, then it is not random and the encryption system no longer has perfect secrecy. Such a system is called a stream cipher. These generally use a short key which is used to seed a long pseudorandom stream, which is then combined with the message using some such mechanism as those used in one-time pads (e.g., XOR). Stream ciphers can be secure in practice, but they cannot achieve perfect secrecy like the one-time pad does.

The Fish ciphers used by the German military in WWII turned out to be insecure stream ciphers, not practical automated one-time pads as their designers had intended. Bletchley Park broke one of them, the Lorenz cipher machine, regularly.

However, if a modern so-called cryptographically secure pseudo-random number generator is used, it can form the basis for an empirically secure stream cipher. There are many well-vetted designs in the public domain, such as AES used in counter mode.

### Methods that offer neither practical security nor Shannon security

The similarity between stream ciphers and one-time pads often leads the cryptographically unwary to invent insecure stream ciphers under the mistaken impression that they have developed a practical version of the one-time pad. An especially insecure approach is to use any of the random number generators that are distributed in many (perhaps most) computer programming language runtime support packages or as operating system system calls. These typically produce sequences that pass some (or even many) statistical tests, but are nonetheless breakable by cryptoanalytic techniques. For some time the ANSI C standard restricted the C language random number routine output to a single precision integer, for most implementations that would be 16-bits, giving at most 32768 different values before repeating (assuming a cyclical algorithm, as is common, but not mandatory). This is entirely insecure and is easily breakable by exhaustive test (for perspective, a 1 GHz computer which takes 10,000 clock cycles to check an offset within the RNG's cycle would take under a third of a second to check every possible offset). Standard computer random number generators are not suitable for cryptographic purposes, specifically including the one-time pad. In particular, the relatively newly developed and widely admired Mersenne twister algorithm, while sufficiently "random" for most research or simulation uses, better than almost any other such generator, and quite fast as well, should not be used to generate one-time pad key material. The algorithm is deterministic and was not designed for cryptographic security. Some programs use a user-supplied key to uniquely scatter the output of a pseudorandom number generator in a way that requires knowledge of the key and any initialization vectors used, to predict the final output.

Indeed, even truly random sequences which have been published cannot be used as they are now predictable if identified. An example is the RAND Corporation's 1950s publication of a million random digits; it has passed every statistical test for randomness thus far and is thought to be actually random. But, having been published, it is fully predictable. So are the digits of pi, e, phi, and other irrational or transcendental numbers; the sequences may be statistically random, but are fully predictable nonetheless.

### Achieving Shannon security

To achieve Shannon security, a source of perfectly unpredictable random data is needed. Typically these random bits are produced by a hardware random number generator.

One theoretical basis for the physical existence of unpredictability is quantum mechanics. Its assertions of unpredictability are subject to experimental test. See: Bell test experiments. Another basis is the theory of unstable dynamical systems and chaos theory. These theories suggest that even in the deterministic world of Newtonian mechanics, real-world systems evolve in ways that cannot be predicted in practice because one would need to know the initial conditions to an accuracy that grows exponentially over time.

For use in a one-time pad, data should exhibit perfect randomness. Most practical sources exhibit some imperfection or bias. The quality of randomness is measured by entropy. A perfectly random bit has an entropy of one bit. An idea due to Von Neumann is to use an algorithm to combine multiple, imperfectly random bits, each with entropy less than one, to create a single bit with entropy equal to one. This process is called entropy distillation or entropy extraction. Von Neumann proposed the following method, called "Von Neumann whitening":[26]

Input bits Output
00 No output.
01 Output "0" bit.
10 Output "1" bit.
11 No output.

This will produce uniformly random output bits if the input bits are statistically independent and all drawn from the same distribution. However, that is not a realistic assumption since most physical randomness sources may have some correlation in the output, and the distribution may change with the device temperature, etc. In 2003, Boaz Barak, Ronen Shaltiel, and Eran Tromer stated some reasonable security criteria for entropy distillation and constructed an algorithm for doing it.[27]

In many Unix-like systems, the kernel's random number generator, /dev/random, uses environmental noise to generate random data and is better than many such system call designs. It attempts to estimate the amount of entropy it collects and blocks if the entropy pool is exhausted. It is intended to be, and is widely thought to actually be, better than most such generators, and if so is rather closer to satisfactorily random. But this process will be slow on systems which have few usable noise sources. It can, however, be fed additional entropy by reading from an attached noise generating device.

Many Unix-like systems also provide /dev/urandom, which uses a deterministic algorithm to generate the data whenever environmental noise is unavailable. Improved designs, such as the Yarrow algorithm, are available. One-time pad key material generated in this way (i.e., from deterministic random number generators) lacks the information-theoretic security of a one-time pad. Yarrow offers at least as much strength as a block cipher based on triple DES.

If a computer used for one-time pad generation is compromised, by a computer virus or other malware or by an adversary gaining physical access, the software can be modified to leak the pad data or generate apparently random data that is in fact predictable. See random number generator attack. One way to reduce this risk is to generate pads on a machine that is never connected to any computer network and preferably not used for any other purpose. Collecting key material on new, blank media (e.g. floppy disks or CD-Rs) eliminates another route for malware infection. If paper pads are to be produced, the printer is best dedicated as well. One approach might be to use an older laptop for OTP generation, purged and rebuilt with a fresh, traceable copy of an open source operating system, such as Linux or BSD. The smaller size would allow it to be easily locked up in a safe when not in use.

↑Jump back a section

## Notes

1. ^ http://www.pro-technix.com/information/crypto/pages/vernam_base.html
2. ^ http://www.cryptomuseum.com/crypto/otp.htm
3. ^ a b c Shannon, Claude (1949). "Communication Theory of Secrecy Systems". Bell System Technical Journal 28 (4): 656–715.
4. ^ Miller, Frank (1882). Telegraphic code to insure privacy and secrecy in the transmission of telegrams. C.M. Cornwell.
5. ^ https://mice.cs.columbia.edu:443/getTechreport.php?techreportID=1460
6. ^ Kahn, David (1996). The Codebreakers. Macmillan. pp. 397–8. ISBN 0-684-83130-9.
7. ^ "One-Time-Pad (Vernam's Cipher) Frequently Asked Questions, with photo". Retrieved 2006-05-12.
8. ^ Savory, Stuart (2001). "Chiffriergerätebau : One-Time-Pad, with photo" (in German). Retrieved 2006-07-24.
9. ^ a b c Kahn, David (1967). The Codebreakers. Macmillan. pp. 398 ff. ISBN 0-684-83130-9.
10. ^ John Markoff (July 25, 2011). "Codebook Shows an Encryption Form Dates Back to Telegraphs". New York Times. Retrieved 2011-07-26.
11. ^ a b Marks, Leo (1998). Between Silk and Cyanide: a Codemaker's Story, 1941-1945. HarperCollins. ISBN 0-684-86780-X.
12. ^ Sergei N Molotkov (Institute of Solid-State Physics, Russian Academy of Sciences, Chernogolovka, Moscow region, Russian Federation) (22 February 2006). "Quantum cryptography and V A Kotel'nikov's one-time key and sampling theorems". Physics-Uspekhi (Institute of Solid-State Physics, Russian Academy of Sciences, Chernogolovka, Moscow region, Russian Federation) 49 (7): 750–761. doi:10.1070/PU2006v049n07ABEH006050. Retrieved 2009-05-03. PACS numbers: 01.10.Fv, 03.67.Dd, 89.70.+c and openly in Russian Квантовая криптография и теоремы В.А. Котельникова об одноразовых ключах и об отсчетах. УФН
13. ^ Spycraft: The Secret History of the CIA's Spytechs, from Communism to Al-Qaeda p. 452
14. ^ The actual length of a plaintext message can hidden by the addition of extraneous parts, called padding. For instance, a 21-character ciphertext could conceal a 5-character message with some padding convention (e.g. "-PADDING- HELLO -XYZ-") as much as an actual 21-character message: an observer can thus only deduce the maximum possible length of the significant text, not its exact length.
15. ^ Shannon, Claude E. (October 1949). "Communication Theory of Secrecy Systems". Bell System Technical Journal (USA: AT&T Corporation) 28 (4): 656–715. Retrieved 2011-12-21.
16. ^ Schneier, Bruce. "One-Time Pads".
17. ^ Information theoretic security: Third International Conference, ICITS 2008 ... By Reihanah Safavi-Naini[, p.224
18. ^ "The Translations and KGB Cryptographic Systems" (PDF). The Venona Story (Fort Meade, Maryland: National Security Agency). 2004-01-15. pp. 26–27 (28–29th of 63 in PDF). Retrieved 2009-05-03. "...KGBs cryptographic material manufacturing center in the Soviet Union apparently reused some of the pages from one-time pads. This provided Arlington Hall with an opening."
19. ^ A "way to combine multiple block algorithms" so that "a cryptanalyst must break both algorithms" in §15.8 of Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. Wiley Computer Publishing, John Wiley & Sons, Inc.
20. ^ Introduction to modern cryptography, J Katz, Y Lindell - 2008 - cs.biu.ac.il
21. ^ Klein, Melville (2003). "Securing Record Communications: The TSEC/KW-26" (PDF). NSA. Archived from the original on 2006-02-13. Retrieved 2006-05-12.
22. ^ Kahn. The Codebreakers. p. 715.
23. ^
24. ^ "The Venona Translations" (PDF). The Venona Story (Fort Meade, Maryland: National Security Agency). 2004-01-15. p. 17th (of 63 in PDF) but marked 15. Retrieved 2009-05-03. "Arlington Halls ability to read the VENONA messages was spotty, being a function of the underlying code, key changes, and the lack of volume. Of the message traffic from the KGB New York office to Moscow, 49 percent of the 1944 messages and 15 percent of the 1943 messages were readable, but this was true of only 1.8 percent of the 1942 messages. For the 1945 KGB Washington office to Moscow messages, only 1.5 percent were readable. About 50 percent of the 1943 GRU-Naval Washington to Moscow/Moscow to Washington messages were read but none from any other year."
25. ^
26. ^ Cryptography Research, Inc. (February 27, 2003). "Evaluation of VIA C3 Nehemiah Random Number Generator" (PDF). Archived from the original on 2006-03-14. Retrieved 2006-05-12.
27. ^ Barak, Boaz; Ronen Shaltiel; Eran Tromer (2003-06-07). "True Random Number Generators Secure in a Changing Environment". Rehovot, ISRAEL: Department of Computer Science and Applied Mathematics, Weizmann Institute of Science. Retrieved 2009-05-03.
↑Jump back a section

## References

• Erskine, Ralph, "Enigma's Security: What the Germans Really Knew", in "Action this Day", edited by Ralph Erskine and Michael Smith, pp 370–386, 2001.
↑Jump back a section