One-time pad

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, provided its conditions are met: it requires a single-use pre-shared key that is truly random, larger than or equal to the size of the message being sent, never reused, and kept secret.

Digital versions of one-time pad ciphers have been used by nations for critical diplomatic and military communication, but the problems of secure key distribution make them impractical for most applications.

Joseph Mauborgne (then a captain in the U.S. Army and later chief of the Signal Corps) recognized that the character sequence on the key tape could be completely random and that, if so, cryptanalysis would be more difficult.

In the early 1920s, three German cryptographers (Werner Kunze, Rudolf Schauffler, and Erich Langlotz), who were involved in breaking such systems, realized that they could never be broken if a separate randomly chosen additive number was used for every code group.

The final discovery was made by information theorist Claude Shannon in the 1940s, who recognized and proved the theoretical significance of the one-time pad system.

At the same time, Soviet information theorist Vladimir Kotelnikov had independently proved the absolute security of the one-time pad; his results were delivered in 1941 in a report that apparently remains classified.

Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both communicating parties.

So, if the key material begins with XMCKL and the message is hello, then the coding is done by numbering the letters A=0 through Z=25 and adding each message letter to the corresponding key letter. If a sum is larger than 25, the remainder after subtraction of 26 is taken, in modular arithmetic fashion:

      h      e      l      l      o     message
      7 (h)  4 (e) 11 (l) 11 (l) 14 (o) message as numbers
  + 23 (X) 12 (M)  2 (C) 10 (K) 11 (L) key
  = 30     16     13     21     25     message + key
  =  4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) (message + key) mod 26
      E      Q      N      V      Z     ciphertext

The ciphertext is EQNVZ. The recipient reverses the process, subtracting the same key letters mod 26 (adding 26 where the difference would be negative), and recovers hello. The key letters XMCKL are then destroyed and never used again.

The method can be implemented now as a software program, using data files as input (plaintext), output (ciphertext) and key material (the required random sequence).

The exclusive or (XOR) operation is often used to combine the plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and is therefore very fast.
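The following is an added worked example, not code from the original article. It implements both variants described above: the letter-based pad (A-Z, addition mod 26, using the article's XMCKL / hello example) and the byte-based pad (XOR against a key drawn from the operating system's CSPRNG). The function names and the sample byte message are this example's own.

```python
"""One-time pad, letter-based (mod 26) and byte-based (XOR) variants.

Added example; not code from the original article. Function names are
this example's own; the XMCKL / hello values are the article's example.
"""
import os

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def check_key_length(message, key):
    """A pad shorter than the message is unusable. Never wrap the key
    around: reusing even part of it is the key-reuse failure that breaks
    the scheme."""
    if len(key) < len(message):
        raise ValueError("key material must be at least as long as the message")


def letters_encrypt(plaintext, key):
    """Ciphertext letter = (plaintext letter + key letter) mod 26.
    Only A-Z is accepted; ALPHABET.index raises ValueError on anything else."""
    p, k = plaintext.upper(), key.upper()
    check_key_length(p, k)
    return "".join(
        ALPHABET[(ALPHABET.index(pc) + ALPHABET.index(kc)) % 26]
        # zip stops at the message length; surplus key is simply unused
        for pc, kc in zip(p, k)
    )


def letters_decrypt(ciphertext, key):
    """Inverse: subtract the key letter mod 26 (Python's % keeps 0..25)."""
    c, k = ciphertext.upper(), key.upper()
    check_key_length(c, k)
    return "".join(
        ALPHABET[(ALPHABET.index(cc) - ALPHABET.index(kc)) % 26]
        for cc, kc in zip(c, k)
    )


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(nbytes):
    """Key material for the byte-based pad. os.urandom is the OS CSPRNG;
    a language-level PRNG such as random.random() would make the pad
    predictable and void the security argument."""
    return os.urandom(nbytes)


def otp_encrypt(plaintext, key):
    check_key_length(plaintext, key)
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext, key):
    # XOR is its own inverse: (p ^ k) ^ k == p
    return otp_encrypt(ciphertext, key)


if __name__ == "__main__":
    print(letters_encrypt("hello", "XMCKL"))   # EQNVZ
    print(letters_decrypt("EQNVZ", "XMCKL"))   # HELLO
    message = b"attack at dawn"                # constructed sample message
    pad = new_pad(len(message))
    ct = otp_encrypt(message, pad)
    assert otp_decrypt(ct, pad) == message
    # The pad is now consumed: destroy it and never reuse any of its bytes.
```

One practical caveat: in a managed language such as Python the pad bytes cannot be reliably wiped from memory after use, so the data-remanence concern raised below applies to the running process and its swap or core files as well as to the medium the pad was delivered on.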

Asymmetric encryption algorithms depend on mathematical problems that are thought to be difficult to solve, such as integer factorization or the discrete logarithm.

Given perfect secrecy, in contrast to conventional symmetric encryption, the one-time pad is immune even to brute-force attacks: trying every possible key produces every possible plaintext of the same length, and nothing distinguishes the correct one from the rest.

Quantum computers have been shown by Peter Shor and others to be much faster at solving some problems that the security of traditional asymmetric encryption algorithms depends on.

Conventional symmetric ciphers are almost always easier to employ than one-time pads because the amount of key material that must be properly and securely generated, distributed and stored is far smaller: one short key protects many messages.

If the same key material is used to encrypt two messages, combining the two ciphertexts cancels the key and leaves the combination of the two plaintexts (for XOR, C1 XOR C2 = P1 XOR P2). If both plaintexts are in a natural language (e.g., English or Russian), each stands a very high chance of being recovered by heuristic cryptanalysis, with possibly a few ambiguities.
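The key-reuse attack, worked through as an added example that is not part of the original article. The first plaintext is the article's own known-plaintext example; the second plaintext, the crib word and the key are constructed here. The attack step is crib dragging: slide a guessed word across C1 XOR C2 and look for offsets where XOR-ing it back out yields readable text from the other message.

```python
"""Key reuse ("two-time pad") and crib dragging.

Added example; not code from the original article. P2, the crib and
KEY are constructed for illustration; P1 is the article's example text.
"""
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample traffic: two messages, one pad. Sharing KEY is the mistake.
P1 = b"meet jane and me tomorrow at three thirty pm"
P2 = b"the package is in the usual locker, do not wait"
KEY = os.urandom(max(len(P1), len(P2)))
C1 = xor_bytes(P1, KEY)
C2 = xor_bytes(P2, KEY)


def xor_of_plaintexts(c1, c2):
    """(P1 ^ K) ^ (P2 ^ K) == P1 ^ P2: the key cancels without being known.
    The attacker needs only the two ciphertexts for this step."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib):
    """Slide a guessed word (the crib) across P1 ^ P2. Where the guess is
    right, XOR-ing it back out reveals the other message at that position;
    elsewhere the result is usually junk. Offsets whose result is printable
    ASCII are returned as candidates for a human to judge."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        fragment = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in fragment):
            hits.append((off, fragment.decode("ascii")))
    return hits


def recover_other_plaintext(p1_xor_p2, known_plaintext, offset):
    """Once a crib is confirmed, extend it: every byte of one message that
    becomes known yields the corresponding byte of the other."""
    segment = p1_xor_p2[offset:offset + len(known_plaintext)]
    return xor_bytes(segment, known_plaintext)


if __name__ == "__main__":
    x = xor_of_plaintexts(C1, C2)
    for off, frag in crib_drag(x, b"tomorrow"):
        print(off, repr(frag))
    # At offset 17 the crib is correct and the fragment reads " the usu",
    # a piece of P2; guessing "the usual" next extends the recovery further.
    print(recover_other_plaintext(x, P1, 0))   # all of P2 that overlaps P1
```

The attacker never learns KEY and does not need to: every recovered byte of one message immediately gives the corresponding byte of the other, which is why a reused pad degrades to roughly the security of a running-key cipher with a guessable key.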

Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects (because of possible data remanence).

As traditionally used, one-time pads provide no message authentication, the lack of which can pose a security threat in real-world systems.

For example, an attacker who knows that the message contains "meet jane and me tomorrow at three thirty pm" can derive the corresponding codes of the pad directly from the two known elements (the encrypted text and the known plaintext).

The attacker's knowledge of the one-time pad is limited to the pad bytes covering that known span, but that is enough: XOR-ing those pad bytes with replacement text of exactly the same length produces a ciphertext segment that decrypts to the attacker's text, while the rest of the message, whose pad bytes were untouched, still decrypts correctly.
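The forgery described above, as an added example that is not part of the original article. The message is the article's known-plaintext example; the replacement text, the keys and the countermeasure are constructed here. HMAC-SHA256 is used as a standard, computationally secure message authentication code to show how the forgery is detected; the article itself does not prescribe a particular MAC.

```python
"""Malleability of an unauthenticated one-time pad, and a MAC that catches it.

Added example; not code from the original article. REPLACEMENT, the keys
and the HMAC countermeasure are constructed here.
"""
import hashlib
import hmac
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


PLAINTEXT = b"meet jane and me tomorrow at three thirty pm"   # article's example
KEY = os.urandom(len(PLAINTEXT))                             # legitimate pad
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

# What the attacker knows: the ciphertext, and that one span reads "three thirty".
KNOWN = b"three thirty"
KNOWN_OFFSET = PLAINTEXT.index(KNOWN)      # 29
REPLACEMENT = b"eight thirty"              # constructed; must equal len(KNOWN)


def recover_pad_segment(ciphertext, known_plaintext, offset):
    """c ^ p == k, but only over the known span; the rest of the pad stays secret."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)


def forge(ciphertext, known_plaintext, replacement, offset):
    """Replace the known span with attacker-chosen text of the same length.
    Bytes outside the span are untouched, so they still decrypt correctly."""
    if len(replacement) != len(known_plaintext):
        raise ValueError("replacement must match the known span's length")
    pad_segment = recover_pad_segment(ciphertext, known_plaintext, offset)
    new_segment = xor_bytes(pad_segment, replacement)
    return ciphertext[:offset] + new_segment + ciphertext[offset + len(known_plaintext):]


def decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


# Countermeasure: authenticate the ciphertext under a key the attacker lacks.
MAC_KEY = os.urandom(32)                   # separate from the pad


def mac(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key, ciphertext, tag):
    # compare_digest avoids a timing side channel on the tag comparison.
    return hmac.compare_digest(mac(mac_key, ciphertext), tag)


if __name__ == "__main__":
    forged = forge(CIPHERTEXT, KNOWN, REPLACEMENT, KNOWN_OFFSET)
    print(decrypt(forged, KEY))   # b'meet jane and me tomorrow at eight thirty pm'
    tag = mac(MAC_KEY, CIPHERTEXT)
    print(verify(MAC_KEY, CIPHERTEXT, tag), verify(MAC_KEY, forged, tag))  # True False
```

Two caveats on the countermeasure: the MAC key must be distributed and guarded as carefully as the pad itself, and HMAC is only computationally secure, so adding it trades the pad's unconditional security for convenience. An information-theoretically secure MAC (for example one built from universal hashing, keyed with fresh pad material) would preserve the unconditional guarantee at the cost of more key material.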

QKD is typically associated with the one-time pad because it provides a way of distributing a long shared secret key securely and efficiently (assuming the existence of practical quantum networking hardware).

At a high level, the schemes work by taking advantage of the destructive way quantum states are measured to exchange a secret and detect tampering.

In the original BB84 paper, it was proven that the one-time pad, with keys distributed via QKD, is a perfectly secure encryption scheme.

The one-time pad is an example of post-quantum cryptography, because perfect secrecy is a definition of security that does not depend on the computational resources of the adversary.

Leo Marks reports that the British Special Operations Executive used one-time pads in World War II to encode traffic between its offices.

The East German Stasi's Sprach Machine was also capable of using one-time tape, which East Germany, Russia, and even Cuba used to send encrypted messages to their agents.

The hotline between Moscow and Washington D.C., established in 1963 after the 1962 Cuban Missile Crisis, used teleprinters protected by a commercial one-time tape system.

Starting in 1988, the African National Congress (ANC) used disk-based one-time pads as part of a secure communication system between ANC leaders outside South Africa and in-country operatives as part of Operation Vula,[35] a successful effort to build a resistance network inside South Africa.

By 1972, only 55,000 rolls of one-time tape were produced, as one-time tapes were replaced by rotor machines, and later by electronic devices based on shift registers.[39]: pp. 39–44 The NSA describes one-time tape systems like 5-UCO and SIGTOT as being used for intelligence traffic until the introduction of the electronic cipher machine KW-26 in 1957.

While one-time pads provide perfect secrecy if generated and used properly, small mistakes in generation, distribution or use can lead to successful cryptanalysis.

Figure: A format of one-time pad used by the U.S. National Security Agency, code-named DIANA. The table on the right is an aid for converting between plaintext and ciphertext using the characters at left as the key.