
The early use of one-time pads is hardly mentioned in official documents (for obvious security reasons). Nevertheless, I came across documents from the India Office Records in the British Library. They show how the Bahrain Petroleum Company (BAPCO), a subsidiary of American Standard Oil of California that operated in the Persian Gulf, was given permission in 1943 to use one-time pads to communicate with its offices in New York. The pads were allocated to them by the U.S. Navy Department and vetted by the British Cipher Security Officer of PAIFORCE (Persia and Iraq Force, a British and Commonwealth military formation in the Middle East from 1942 to 1943). They show the official use of one-time letter pads by Political Residents of the British Imperial Civil Administration, the British Army, the Ministry of War Transport in London and the U.S. Navy, at least as early as 1943, and, surprisingly, that these pads were even shared with commercial firms. See also BAPCO's Use of One-time Pads During WW2.

Paper One-time Pads

The use of pencil-and-paper one-time pads is limited because of the practical and logistical issues and the low message volume it can process. One-time pads were widely used by foreign service communicators until the 1980s, often in combination with code books. Such a code book contained all kinds of words or entire phrases, which were represented by a three- or four-figure code. For special names or expressions not listed in the codebook, there were codes representing single letters, which allowed words to be spelled out. There was a book to encode, sorted by alphabet and/or category, and a book to decode, sorted by numbers. These books were valid for a long period of time and served not only to encode the message (which would be a poor encryption method by itself) but especially to reduce its length for transmission over commercial cable or telex. Once the message was converted into numbers, the communicator enciphered these numbers with the one-time pad. Usually there was a set of two different pads, one for incoming and one for outgoing messages. Although a one-time pad normally has only two copies of a key, one for sender and one for receiver, some systems used more than two copies to address multiple receivers. The pads were like note blocks with random numbers on each small page, but with the edges sealed. One could only read the next sheet by tearing off the previous one. Each sheet was used only once and destroyed immediately. This system enabled absolutely secure communication. An excellent description of Canadian Foreign Service one-time pads is found on Jerry Proc's website.

Intelligence agencies use one-time pads to communicate with their agents in the field. The perfect and long-term security protects the identity of covert agents, their assets and operations abroad. With the one-time pad, spies don't have to carry crypto systems or use insecure computer software. They can carry a large number of one-time pad keys in very small booklets, on microfilm or even printed on clothing. These are easy to hide and to destroy. One way to send one-time pad encrypted messages to agents in the field is via numbers stations. To do so, the message text is converted into digits prior to encryption.
A good example is the TAPIR table, used by the Stasi, the former East German intelligence agency. With the TAPIR table, the plaintext is converted into figures by a table similar to the straddling checkerboard, prior to encryption with the one-time pad. The most frequent letters are converted into single-digit values, and the other letters, commonly used bigrams, figures and signs are converted into double-digit values. Next, the digits are encrypted by subtracting the key from the plaintext numbers. The TAPIR table suppresses peaks in the digit frequency distribution, and the irregular single- and double-digit values create fractionation. WR 80 is a carriage return. Bu 81 (Buchstaben) and Zi 82 (Ziffern) are used to switch between letters (yellow) and figures (green). ZwR 83 is a space. Code 84 is used as a prefix for three-digit or four-digit codes, replacing long words or phrases, obtained from a codebook. Such codebooks can have an odd code numbering sequence, carefully selected to detect errors in the code numbers, as shown in this example codebook. More text-to-digit conversion methods are found on the Straddling Checkerboards page. Documents seized by the East German intelligence service Stasi show the detailed one-time pad procedures used by CIA agents who operated in the former DDR. See also the Guide to Secure Communications with the One-time Pad Cipher (pdf) for detailed information about the use of manual one-time pads.

Below, on the left, a one-time pad booklet with Vigenere table from a Western agent, seized by the East German MfS (Ministerium für Staatssicherheit or Stasi). The second image is a one-time pad sheet (preserved in a 35 mm slide frame) from an East German agent, found by the West German BfV (Bundesamt für Verfassungsschutz, the federal domestic intelligence service). The rightmost image is a one-time pad of a Western agent, found by the MfS (also preserved in a 35 mm slide frame). The pad itself is only about 15 mm or 0.6 inch wide (thus even smaller than depicted) and virtually impossible to read with the naked eye! I even had difficulties photographing it clearly. Such miniature one-time pads were used by illegal agents operating in foreign countries, and were hidden inside innocent-looking household items like cigarette lighters, fake batteries or ashtrays. You can click the images to enlarge them. However, to read the small pad you will need to click and zoom in once more in your browser after enlarging (Detlev Freisleben collection).



All images on this page are copyrighted. Please consult the copyrights page for more information.
Until the 1980s, one-time tapes were widely used to secure Telex communications. The Telex machines used Vernam's original one-time tape (OTT) principle. The system was simple but solid. It required two identical reels of punched paper tape with truly random five-bit values, the so-called one-time tapes. These were distributed beforehand to both sender and receiver. Usually, the message was prepared (punched) in plain onto paper tape. Next, the message was transmitted on a Telex machine with the help of a tape reader, while one copy of the secret one-time tape ran synchronously with the message tape on a second tape reader. Before leaving the machine, the five-bit signals of both tape readers were mixed by an Exclusive OR (XOR) function, thus scrambling the output. On the other end of the line, the scrambled signal entered the receiving machine and was mixed, again by XOR, with the second copy of the secret one-time tape. Finally, the resulting readable five-bit signal was printed or perforated on the receiving machine.
A unique advantage of the punched paper tape keys was that copying them quickly was virtually impossible. The long tapes (which were sealed in plastic before use) were on a reel and printed with serial numbers and other markings on the side. To unwind the tape, copy it and rewind it again with perfectly aligned print was very unlikely, and such one-time tapes were therefore more secure than key sheets, which could be copied quickly by taking a photo or by copying them out by hand.
A famous example of the one-time pad's security is the Washington/Moscow hotline with the ETCRRM II, a standard commercial one-time tape mixer for Telex. Although simple and cheap, it provided absolute security and unbreakable communications between Washington and the Kremlin, without disclosing any secret crypto technology. Some other cipher machines that used the principle of the one-time pad are the American TELEKRYPTON, SIGSALY (noise as one-time pad), B2 PYTHON and SIGTOT, the British BID590 NOREEN and 5UCO, the Canadian ROCKEX, the Dutch ECOLEX series, the Swiss Hagelin CD57 RT, CX52 RT and T55 with a superencipherment option, the German Siemens T37ICA and M190, the East German T304 LEGUAN, the Czech SD1, the Russian M100 SMARAGD and M105 N AGAT and the Polish T352/T353 DUDEK. There were also many teletype or ciphering device configurations in combination with a tape reader, for one-time tape encryption or superencipherment. The image below explains one-time tape encryption for Telex (TTY Murray).
Teletype signal one-time tape encryption
Below are three images of the famous Washington-Moscow hotline, encrypted with one-time tapes. The Hotline became operational in 1963 and was a full duplex teleprinter (Telex) circuit. Although the Hotline was always shown as a red telephone in movies and popular culture, the option of a speech link was turned down immediately, as it was believed that spontaneous verbal communications could lead to miscommunication, misperceptions, incorrect translation or unwise spontaneous remarks, which are serious disadvantages in times of crisis. Nevertheless, the red phone myth lived a long life.
The real hotline was a direct cable link, routed from Washington over London, Copenhagen, Stockholm and Helsinki to Moscow. It was a double link with commercial teleprinters, one link with a Teletype Corp Model 28 ASR teleprinter with English characters and the other link with East German T63 teleprinters with Cyrillic characters. The links were encrypted with one-time tapes by means of four ETCRRMs (Electronic Teleprinter Cryptographic Regenerative Repeater Mixer). The one-time tape encryption provided unbreakable encryption, absolute security and privacy. Although a highly secure system, the unclassified standard teleprinters and ETCRRMs were sold by commercial firms and therefore did not disclose any secret crypto technology to the opponent. More info at Jerry Proc's Washington/Moscow hotline page and on Top Level Communications.



Hotline images with kind permission of the National Security Agency, copyright NSA (click to enlarge)
One-time tapes and one-time pads remained very popular for many decades because of their absolute security, unequalled by any other crypto machine or algorithm. Today, digital versions of the one-time pad enable the storage of huge quantities of random key data, allowing secure encryption of large volumes of data. One-time encryption still is, and will continue to be, the only system that can offer absolute message security.
There are many different ways to apply one-time pads. All of them are absolutely secure if the rules of the one-time pad are followed. We can apply the one-time pad with numbers or letters. In our first example, we will demonstrate the use of numbers. This is the most flexible system and allows many variations. Usually, encryption is performed by subtracting the random one-time pad key from the plaintext and decryption by adding the ciphertext and key together. Enciphering by addition and deciphering by subtraction works just as well, as long as sender and receiver agree upon using the opposite calculations. However, before we can perform the calculations with the plaintext and key we need to convert the text into digits. There are various ways to do this. The most basic method is to assign a two-digit value to each letter (e.g. A=01, B=02 and so on through Z=26).
A popular and more economical way to convert text into digits is the so-called straddling checkerboard. Note that this text-to-digit conversion itself is by no means secure and must be followed by an encryption! Therefore, we call the converted text plaincode, to stress that the digits are still in readable form. A straddling checkerboard converts the most frequently used letters into one-digit values and the other letters into two-digit values. This results in a ciphertext that is considerably shorter than with the basic A=01/Z=26 system. Various checkerboards exist with different character sets and symbols, optimized for different languages.
The first row of the checkerboard contains the most frequent characters, with some blanks between them. The following rows (as many as there were blanks in the top row) contain the remaining letters. These following rows are designated by the digits above the blanks in the top row. Checkerboards are memorized by the top row letters, which can depend on the language they are optimized for. Some example mnemonics are "ATONESIR" and "ESTONIA" (English), "DEINSTAR" and "DESTIRAN" (German), "SENORITA" and "ENDIOSAR" (Spanish), "RADIONET" (Dutch) or "ZAOWIES" (Polish). Such word combinations are easily composed with an anagram generator. More blanks in the top row give more additional rows and thus more characters. There's no need to keep this table secret or to scramble the order of the digits or letters, because one-time encryption follows.
In our example we use a basic checkerboard with the "ATONESIR" mnemonic, optimized for English. More checkerboards are found on this page.
       0 1 2 3 4 5 6 7 8 9
       A T   O N E   S I R
   2   B C D F G H J K L M
   6   P Q U V W X Y Z . fig
The top row letters are converted into the one-digit values right above them. All other letters are converted into two-digit values by taking the row header followed by the column header. To convert figures, we use "FIG" before and after the digits and write out each digit three times to exclude errors.
Let us convert the text "PLEASE CONTACT ME AT 1200H." with the checkerboard:
Plaintext: P  L  E A S E C  O N T A C  T M  E A T fig 1   2   0   0   fig H  .
Plaincode: 60 28 5 0 7 5 21 3 4 1 0 21 1 29 5 0 1 69  111 222 000 000 69  25 68
To encrypt the message, we complete the last group with zeros and write the one-time pad key underneath the plaincode. Since we use digits, the ciphertext must be calculated from plaincode and key modulo 10. This modulo 10 is essential to the security of the encryption! Therefore, we subtract the key without borrowing (e.g. 3 - 7 = 13 - 7 = 6, and we don't borrow 10 from the digit's next-left neighbor).
Plaincode : 60285 07521 34102 11295 01691 11222 00000 06925 68000
OTP Key   : 50418 55297 01164 98769 26107 85944 36228 44985 25485 (-)
            -----------------------------------------------------
Ciphertext: 10877 52334 33048 23536 85594 36388 74882 62040 43625
To decrypt the message, we add the ciphertext and one-time pad key together without carry (e.g. 5 + 7 = 2 and not 12, and we don't carry 10 to the next-left digit). Next, we reconvert the digits back into text. It's easy to separate the one-digit values from the two-digit values: if a digit combination starts with row number 2 or 6, it is a two-digit code and another digit follows. In all other cases it's a one-digit code.
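The checkerboard conversion and the modulo 10 calculation above, worked in Python as an added example (not code from the original page): the function names are mine, the key digits are the page's sample key, and the tripled figures are decoded by majority vote so that a single garbled digit does not spoil a number.

```python
"""ATONESIR straddling checkerboard plus modulo 10 one-time pad.
Added example, not code from the original page.  The key below is the
page's sample key; a real pad uses truly random digits, used once."""

# Checkerboard from the page: top row A T O N E S I R with blanks at
# columns 2 and 6, which are the headers of the two two-digit rows.
TOP_ROW = {"A": "0", "T": "1", "O": "3", "N": "4", "E": "5",
           "S": "7", "I": "8", "R": "9"}
TWO_DIGIT_ROWS = {"2": "BCDFGHJKLM", "6": "PQUVWXYZ."}  # 69 is FIG
FIG = "69"


def _char_table():
    table = dict(TOP_ROW)
    for header, letters in TWO_DIGIT_ROWS.items():
        for column, ch in enumerate(letters):
            table[ch] = header + str(column)
    return table


CHAR_TO_CODE = _char_table()
CODE_TO_CHAR = {code: ch for ch, code in CHAR_TO_CODE.items()}


def text_to_plaincode(text):
    """Convert text to plaincode digits.  Runs of figures are wrapped in
    FIG ... FIG and every figure is written three times, as the page
    prescribes; the last five-digit group is completed with zeros."""
    out, in_figures = [], False
    for ch in text.upper():
        if ch == " ":
            continue                      # the checkerboard has no space
        if ch.isdigit():
            if not in_figures:
                out.append(FIG)
                in_figures = True
            out.append(ch * 3)
        else:
            if in_figures:
                out.append(FIG)
                in_figures = False
            if ch not in CHAR_TO_CODE:
                raise ValueError(f"character {ch!r} is not on the board")
            out.append(CHAR_TO_CODE[ch])
    if in_figures:
        out.append(FIG)
    digits = "".join(out)
    return digits + "0" * (-len(digits) % 5)


def plaincode_to_text(digits):
    """Inverse of text_to_plaincode.  A code starting with 2 or 6 is two
    digits long; inside FIG mode each figure is read as a triple and the
    majority digit is taken.  Padding zeros decode to a trailing 'A'."""
    out, i = [], 0
    while i < len(digits):
        if digits[i:i + 2] == FIG:
            i += 2
            # FIG mode: triples until the closing FIG (checked only at a
            # triple boundary, where a genuine triple starts with dd).
            while i < len(digits) and digits[i:i + 2] != FIG:
                triple = digits[i:i + 3]
                out.append(max(set(triple), key=triple.count))
                i += 3
            i += 2
        else:
            code = digits[i:i + 2] if digits[i] in TWO_DIGIT_ROWS else digits[i]
            if code not in CODE_TO_CHAR:
                raise ValueError(f"bad plaincode at position {i}: {code!r}")
            out.append(CODE_TO_CHAR[code])
            i += len(code)
    return "".join(out)


def _digitwise(text, key, op):
    if len(key) < len(text):
        raise ValueError("a one-time key must cover the whole message")
    return "".join(str(op(int(t), int(k)) % 10) for t, k in zip(text, key))


def encrypt(plaincode, key):
    """Ciphertext = plaincode - key, digit by digit, no borrowing."""
    return _digitwise(plaincode, key, lambda p, k: p - k)


def decrypt(ciphertext, key):
    """Plaincode = ciphertext + key, digit by digit, no carry."""
    return _digitwise(ciphertext, key, lambda c, k: c + k)


def groups(digits):
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


PAGE_KEY = "50418 55297 01164 98769 26107 85944 36228 44985 25485".replace(" ", "")

if __name__ == "__main__":
    pc = text_to_plaincode("PLEASE CONTACT ME AT 1200H.")
    ct = encrypt(pc, PAGE_KEY)
    print("plaincode :", groups(pc))
    print("ciphertext:", groups(ct))
    print("decrypted :", plaincode_to_text(decrypt(ct, PAGE_KEY)))
```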
Sometimes a codebook or code sheet is used to reduce ciphertext length and transmission time. Such a codebook can contain all kinds of words and/or short phrases about message handling and operational, technical or tactical expressions. A codebook system does not always require a large book with thousands of expressions. Even a single code table can contain enough practical information to reduce the message length enormously. Below are images of a seized Korean code table sheet, the instructions on how to convert the table content into digits, and how to calculate the ciphertext.



Images © Detlev Freisleben Archive
(click to enlarge)
As a little exercise we will decipher a recording of an actual numbers station (see the important note below). You can open or download (right-click and Save Target As...) the sound file below. The broadcast starts with a repeated call sign melody and the receiver's call sign "39715", followed by six tones and the actual message. All message groups are spoken twice to ensure correct reception. Write down the message groups once (skip the call sign). Once you have the complete message, write the given one-time pad key underneath it. Add message and key together, digit by digit, from left to right, without carry (e.g. 6 + 9 = 5 and not 15). Finally, convert the digits back into text with the help of the "ATONESIR" straddling checkerboard as shown in the previous section. Make sure to separate one-digit and two-digit characters correctly.
This little exercise shows exactly how secret agents can receive messages in an absolutely secure manner, with only one-time pads, a small shortwave receiver, and pencil and paper.
Numbers Station Message (1724 Kb)
The one-time pad key to decipher this message:
66153 77185 10800 54937 48159 83271 12892 07132 34987 53954 23074 
Important Note:
Although we use a recording from an actual numbers station (Lincolnshire Poacher, E3 Voice), the one-time pad key is fictitious and reverse-calculated (key = plaintext - ciphertext) so that a readable but fictitious message is obtained when using this key. In reality, we don't know which key was used, whether we must add or subtract, and there is no way to decipher the original message. In fact, since a one-time pad key is truly random, one can calculate any plaintext from a given ciphertext, as long as you use the 'right' wrong key. That's exactly why the one-time pad is unbreakable.
We can also encrypt the plaintext with a one-time key that consists of random letters only. This is done with the help of a Vigenere table. To encrypt a letter, we take the plaintext letter in the column header and the key letter in the row header. The crossing of those two letters is the ciphertext. For the first letter of our example, the crossing between plaintext T and key X is ciphertext Q. To decrypt a letter, we take the key letter in the row header and find the ciphertext letter in that row. The plaintext letter is the column header above the ciphertext letter. In our example, we take the X row, find the Q in that row and see the plain T on top of the Q. To make it easier to remember, we can consider the horizontal column header of the square as plaintext, the vertical row header as key and the square field as ciphertext.
An example text:
Plaintext : T H I S I S S E C R E T
OTP Key   : X V H E U W N O P G D Z
Ciphertext: Q C P W C O F S R X H S
In groups : QCPWC OFSRX HS
The Vigenere square or Tabula Recta:
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  +----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
There are several practical alternatives to the Vigenere table. Click the links to view a bigram table (txt file), triads table (txt file), Vigenere Table Card and its ASCII version, Vigenere Disk and Vigenere Slider. All images can be saved by right-clicking and then printed and cut out.
Another way to calculate letter one-time pads without a Vigenere table, although more elaborate, is to perform a modulo 26 calculation. We assign each letter a numerical value (e.g. A=0, B=1, C=2 and so on through Z=25). Note that we start with A=0 and not A=1 to enable the use of modulo 26. Text and key values are added together (this time with carry!) modulo 26: if a value is more than 25, we subtract 26 from that value. Finally, we convert the result back into letters. To decipher the message, we convert the ciphertext and one-time pad key into numerical values and subtract the one-time pad key values from the ciphertext values, again modulo 26 (if a value is less than 0 we add 26 to that value).
Plaintext : T  H  I  S  I  S  S  E  C  R  E  T
            19 07 08 18 08 18 18 04 02 17 04 19
OTP Key   : X  V  H  E  U  W  N  O  P  G  D  Z
          + 23 21 07 04 20 22 13 14 15 06 03 25
            -----------------------------------
Result    : 42 28 15 22 28 40 31 18 17 23 07 44
Mod 26    : 16 02 15 22 02 14 05 18 17 23 07 18
Ciphertext: Q  C  P  W  C  O  F  S  R  X  H  S
In groups : QCPWC OFSRX HS
You can use a little help table to make the calculations easier. To encrypt by addition we take for example T(19) + X(23). The total of 42 in the conversion table represents the letter Q, which is the encryption result. To decrypt by subtraction we take Q(16) - X(23). If the result would be negative (which is the case here), we take the greater equivalent of Q(16), which is 42 in the conversion table. We can now find the deciphered letter with Q(42) - X(23) = T(19).
MODULO 26 HELP TABLE
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
There is a special way to use the one-time pad where the key is not to be destroyed. When information should be available only when two people agree to reveal that information, we can use secret splitting. The secret information is encrypted with a single one-time pad, whereupon the original plaintext is destroyed. One user receives the encrypted message and the other user the key. In fact, it doesn't matter who gets which, since both pieces of information can be seen as equal, encrypted parts of the original information. The split parts are both called keys. Both these keys are useless without each other. This is called secret splitting. One could for example encrypt the combination to a safe and give the split ciphertext to two different individuals. Only when they both agree upon opening the safe will it be possible to decipher the combination to the safe. You could even split information into three or more pieces by using two or more keys.
In this little example Charlie splits his secret safe combination 21 46 03 88. A random key is subtracted digit by digit, without carry, from the combination numbers. Alice and Bob both receive one piece of the information from Charlie. It's mathematically impossible for both Alice and Bob to retrieve the combination numbers unless they share their keys. This is done by simply adding the keys (without carry).
Charlie's Combination:   21 46 03 88
Random one-time key  : - 25 01 77 61
                         -----------
                         06 45 36 27

Alice's key = 25017761
Bob's key   = 06453627
Of course, we could also use secret splitting on text, to protect passwords and such. Just convert the text into numbers (e.g. A=01, B=02 and so on through Z=26) or use a straddling checkerboard. To split the secret into more parts, just add a one-time key for each additional person. For three persons you must subtract two keys (without borrowing) from the plaintext to obtain the ciphertext (e.g. 2 - 4 - 9 = 9, because 2 - 4 = 12 - 4 = 8 and 8 - 9 = 18 - 9 = 9). Instead of keeping your secret password in an envelope, you could split it and give the shares to different persons, of which at least one is trusted. One person can never act on his own, and the approval of a second person is always required. When granddad, old and sick, splits the secret combination of the safe that contains his money and gives each of his children one part, they can only get their hands on his money if they all agree (not that this will make him live longer).
However, since this system is unbreakable, all information is lost if one of the shares goes missing. There's no way back if a share is lost or destroyed by accident! It might be useful to have one extra copy of your share somewhere on a secure location.
More about Secret Splitting on this page.
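Secret splitting as an added Python example (not code from the original page), generalized from Charlie's two-share example to any number of shares: all but the last share are random keys, the last is the secret minus those keys, digit by digit modulo 10. Function names are mine; the page's sample key is passed in to reproduce its figures, and fresh keys otherwise come from the `secrets` module.

```python
"""Secret splitting with one-time keys (modulo 10, no carry or borrow),
as described above.  Added example, not code from the original page."""
import secrets


def _digitwise(a, b, op):
    if len(a) != len(b):
        raise ValueError("shares must all have the length of the secret")
    return "".join(str(op(int(x), int(y)) % 10) for x, y in zip(a, b))


def split_secret(secret, n_shares, keys=None):
    """Split a digit string into n_shares pieces.  Every share but the last
    is a random key; the last is the secret minus all keys, digit by digit
    without borrowing (the page's '2 - 4 - 9 = 9' rule).  `keys` lets the
    caller supply the random keys, which is how the page's worked example
    is reproduced; otherwise fresh random digits are drawn for each key."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    if keys is None:
        keys = ["".join(str(secrets.randbelow(10)) for _ in secret)
                for _ in range(n_shares - 1)]
    if len(keys) != n_shares - 1:
        raise ValueError("n_shares - 1 keys are needed")
    remainder = secret
    for key in keys:
        remainder = _digitwise(remainder, key, lambda s, k: s - k)
    return list(keys) + [remainder]


def combine_shares(shares):
    """Add all shares digit by digit without carry to recover the secret.
    Any share missing leaves every secret equally likely."""
    total = shares[0]
    for share in shares[1:]:
        total = _digitwise(total, share, lambda a, b: a + b)
    return total


def letters_to_digits(text):
    """A=01 ... Z=26, the conversion the page suggests for passwords."""
    return "".join(f"{ord(c) - 64:02d}" for c in text.upper() if c.isalpha())


def digits_to_letters(digits):
    return "".join(chr(64 + int(digits[i:i + 2]))
                   for i in range(0, len(digits), 2))


if __name__ == "__main__":
    # Charlie's example from the page: combination 21 46 03 88, key 25017761
    alice, bob = split_secret("21460388", 2, keys=["25017761"])
    print("Alice:", alice, "Bob:", bob, "->", combine_shares([alice, bob]))
    # A password split four ways with fresh random keys
    shares = split_secret(letters_to_digits("SECRET"), 4)
    print(shares, "->", digits_to_letters(combine_shares(shares)))
```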
Modular arithmetic has interesting properties that play a vital role in cryptography, and it is also essential to the security of one-time pad encryption. The result of an encryption process could reveal information about the key or the plaintext. Such information might either point to possible solutions or enable the codebreaker to discard some wrong assumptions. The codebreaker will use this information as a lever to break open the encrypted message. By using modular arithmetic on the result of a calculation we obscure the original values that were used to calculate that result.
In mathematics, modulo x is the remainder after the division of a positive number by x. Some examples: 16 modulo 12 = 4 because 16 divided by 12 is 1 and this leaves a remainder of 4. Also, 16 modulo 10 is 6 because 16 divided by 10 is 1 and thus leaves a remainder of 6. Fortunately, there's a far easier way to understand and work with modular arithmetic.
Modular arithmetic works similarly to counting hours, but on a decimal clock. If the hand of our clock is at 7 and we add 4 by advancing clockwise, we pass the 0 and arrive at 1. Likewise, when the clock shows 2 and we subtract 4, advancing anticlockwise, we arrive at 8. Modular arithmetic is very valuable to cryptography because the result value reveals absolutely no information about the two values that were added or subtracted. If the result of a modulo 10 addition is 4, we have no idea whether this is the result of 0 + 4, 1 + 3, 2 + 2, 3 + 1, 4 + 0, 5 + 9, 6 + 8, 7 + 7, 8 + 6 or 9 + 5. The value 4 is the result of an equation with two unknowns, which is impossible to solve.
The modulus should have the same value as the number of different elements, with 0 designated to the first element:
Modulo 10 is very easy to perform by adding without carry and subtracting without borrowing, which basically means discarding all but the rightmost digit of the result. It could not be easier for one-time pad encryption with digits.
Performing modulo calculations on letters is a bit more complex and requires conversion into numerical values. If we combine the letter X (23) with key Z (25) modulo 26, the result will be 22 (W) because (23 + 25) mod 26 = 22. That's way more elaborate and slower than decimal modulo 10. Fortunately, we can use the Vigenere Square or a circular Vigenere cipher disk to perform modulo 26 easily without any calculations. Note that you should never assign the values 1 through 26 to the letters because the result of a modulo calculation can be zero, for example (25 + 1) mod 26 = 0.
Modular calculations with bits and bytes are actually Exclusive OR operations (XOR) in boolean modular arithmetic. XOR is used in computer programming to combine a data bit with a random key bit or to combine a data byte with a random key byte.
Let's show the danger of not using modular arithmetic. With normal addition, the ciphertext result 0 can only mean that both key and plaintext have the value 0. A ciphertext result of 1 means that the two unknowns can only be 0 + 1 or 1 + 0. With result 2, the unknowns can only be 0 + 2, 1 + 1 or 2 + 0. Thus, for some ciphertext result values we can either immediately determine the unknowns or we can see which unknowns of the equation could be possible or impossible.
Suppose we add the letter X (23) with key Z (25) without modulo. In that case, the result would be ciphertext 48, as we cannot convert 48 into a letter. However, although both plain letter and truly random key are unknown, we can draw some important conclusions: the total of 48 is only possible with combinations X (23) + Z (25), Y (24) + Y (24) or Z (25) + X (23). By merely looking at the ciphertext, we can discard all letters A through W as possible candidates for that particular plaintext and key letter.
This is also the reason why you should never use text that is converted into digits as the numerical key for a one-time pad (some book ciphers use this system). The result will never be random, as it consists of a limited range of 26 elements (0-25 or 1-26) instead of 10 elements (0-9) or 100 (0-99), resulting in a completely insecure ciphertext with a tremendous bias.
These simple examples show how a ciphertext can leak information that is very valuable to the codebreaker, simply because normal instead of modular arithmetic was used to calculate the ciphertext. Not using modular arithmetic always causes a biased ciphertext instead of the truly random ciphertext that results from modular arithmetic. Any bias is as valuable as gold to the codebreaker. Modular arithmetic is therefore vital to the security of the one-time pad. Never use one-time pad encryption without applying modular arithmetic!
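An added Python example (not from the original page) that makes the bias argument above concrete: it enumerates all 26 × 26 plaintext/key letter pairs and shows what a single ciphertext value reveals with plain addition compared with addition modulo 26. Function names are mine.

```python
"""Why the one-time pad needs modular arithmetic: with plain addition a
ciphertext value narrows down the plaintext, with modulo 26 it does not.
Added example, not code from the original page."""
from collections import Counter
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # A=0 ... Z=25, as on the page


def candidates(cipher_value, modulus=None):
    """Plaintext letters that could have produced `cipher_value` for some
    key letter.  modulus=None leaves the sum unreduced (the page's X + Z =
    48 case); modulus=26 reduces it as the one-time pad requires."""
    result = set()
    for p, k in product(range(26), repeat=2):
        total = p + k if modulus is None else (p + k) % modulus
        if total == cipher_value:
            result.add(ALPHABET[p])
    return result


def ciphertext_distribution(modulus=None):
    """How often each ciphertext value occurs over all 26 * 26 equally
    likely (plaintext, key) pairs, i.e. a uniform plaintext under a truly
    random key.  Only the reduced sum is itself uniform."""
    counts = Counter()
    for p, k in product(range(26), repeat=2):
        counts[p + k if modulus is None else (p + k) % modulus] += 1
    return counts


def bias(modulus=None):
    """Ratio of the most to the least frequent ciphertext value;
    1.0 means no bias at all."""
    counts = ciphertext_distribution(modulus)
    return max(counts.values()) / min(counts.values())


if __name__ == "__main__":
    print("X + Z = 48 without modulus, candidates:", sorted(candidates(48)))
    print("X + Z = 22 (W) mod 26, candidates:", len(candidates(22, 26)))
    print("bias without modulus:", bias(), "  bias mod 26:", bias(26))
```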
Is one-time pad encryption absolutely secure and unbreakable when all rules are applied correctly? Yes! It's also easy to show why, because the system is simple and transparent. It all comes down to two simple basic facts that are easily understood:
The one-time pad is an equation with two unknowns, one of which is truly random.
When a truly random key is combined with a plaintext, the result is a truly random ciphertext. An adversary only has the random ciphertext at his disposal to find key or plaintext. This is an equation with two unknowns, which is mathematically unsolvable. There is also no mathematical, statistical or linguistic relation whatsoever between the individual ciphertext characters or between different ciphertext messages, because each individual key letter or digit is truly random. The modulo 26 (one-time pad with letters) or modulo 10 (one-time pad with digits) also ensures that the ciphertext does not reveal any information about the two unknowns in the equation (see the previous paragraph). These properties render useless all existing cryptanalytic tools available to the codebreaker.
Suppose we have the piece of ciphertext "QJKES", enciphered with a one-time letter pad. If someone had infinite computational power he could go through all possible keys (a brute force attack). He would find out that applying the key XVHEU on ciphertext QJKES produces the (correct) word TODAY. Unfortunately, he would also find out that the key FJRAB produces the word LATER, and even worse, DFPAB produces the word NEVER. He has no idea which key is the correct one. In fact, you can produce any desired word or phrase from any one-time pad encrypted message, as long as you use the 'right' wrong key. There is no way to verify if a solution is the right one. Therefore, the one-time pad system is proven completely secure.
Three of the many possible solutions:
Ciphertext: Q J K E S     Q J K E S     Q J K E S
OTP Key   : X V H E U     F J R A B     D F P A B
Plaintext : T O D A Y     L A T E R     N E V E R
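The letter one-time pad as a modulo 26 calculation, together with the 'right wrong key' argument above, as an added Python example (not code from the original page): key_for() reverse-calculates the key that turns QJKES into any chosen five-letter word. Function names are mine; the keys reproduced are those of the page's examples.

```python
"""Letter one-time pad: (plaintext + key) mod 26, the calculation behind
the Vigenere table, and the reverse calculation that yields a key for any
desired plaintext.  Added example, not code from the original page."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # A=0 ... Z=25, never A=1


def to_nums(text):
    return [ALPHABET.index(c) for c in text.upper() if c.isalpha()]


def to_text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)   # the modulo 26 step


def encrypt(plaintext, key):
    """Ciphertext = (plaintext + key) mod 26, letter by letter; this is
    the table lookup with column = plaintext and row = key."""
    p, k = to_nums(plaintext), to_nums(key)
    if len(k) < len(p):
        raise ValueError("a one-time key must be at least as long as the text")
    return to_text(pi + ki for pi, ki in zip(p, k))


def decrypt(ciphertext, key):
    """Plaintext = (ciphertext - key) mod 26; to_text adds 26 back for
    negative values, as the page's help table does."""
    c, k = to_nums(ciphertext), to_nums(key)
    if len(k) < len(c):
        raise ValueError("a one-time key must be at least as long as the text")
    return to_text(ci - ki for ci, ki in zip(c, k))


def key_for(ciphertext, desired_plaintext):
    """The key that decrypts `ciphertext` to `desired_plaintext`:
    key = (ciphertext - plaintext) mod 26.  Every key letter is equally
    likely under a truly random pad, so this key is exactly as plausible
    as the real one, which is why no solution can be verified."""
    c, p = to_nums(ciphertext), to_nums(desired_plaintext)
    if len(c) != len(p):
        raise ValueError("the desired plaintext must match the ciphertext length")
    return to_text(ci - pi for ci, pi in zip(c, p))


def in_groups(text, size=5):
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    ct = encrypt("THISISSECRET", "XVHEUWNOPGDZ")
    print(in_groups(ct), "->", decrypt(ct, "XVHEUWNOPGDZ"))
    for word in ("TODAY", "LATER", "NEVER"):
        print("QJKES decrypts to", word, "with key", key_for("QJKES", word))
```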
Let us give an example with one-time pad encryption based on digits. For encryption, plaincode and key are subtracted. For decryption, the key is added to the ciphertext. The following straddling checkerboard is used for text-to-digit conversion.
Suppose we intercepted the following ciphertext fragment:
Ciphertext 34818 25667 24857 50594 38586 
Let’s crack the message with the following key:
Ciphertext   34818 25667 24857 50594 38586
Key 1      + 58472 33602 88472 58584 86707
             -----------------------------
Plaincode    82280 58269 02229 08078 14283

82 2 80 5 82 6 90 222 90 80 78 1 4 2 83
R  E P  O R  T fi 222 fi P  L  A N E S

Recovered plaintext: "REPORT TWO PLANES"
However, there is a second solution with a different key:
Ciphertext   34818 25667 24857 50594 38586
Key 2      + 58472 33602 81702 57464 98606
             -----------------------------
Plaincode    82280 58269 05559 07958 26182

82 2 80 5 82 6 90 555 90 79 5 82 6 1 82
R  E P  O R  T fi 555 fi M  O R  T A R

Recovered plaintext: "REPORT FIVE MORTAR"
Unfortunately, there is no way to check which of the two keys and resulting plaintexts is correct. Well, here is the bad news: both solutions are incorrect. The actual message is found below, but we will never know for certain whether this is the actual message, unless we have the original key at our disposal.
Ciphertext   34818 25667 24857 50594 38586
Key 3      + 58472 33605 28941 36331 20507
             -----------------------------
Plaincode    82280 58262 42798 86825 58083

82 2 80 5 82 6 2 4 2 79 88 6 82 5 5 80 83
R  E P  O R  T E N E M  Y  T R  O O P  S

Recovered plaintext: "REPORT ENEMY TROOPS"
These examples again show that we can produce any plaintext from any ciphertext, as long as we apply the "proper" wrong key. Since the plaintext is determined by a series of truly random key digits, mathematically unrelated to each other, we have absolutely no idea whether the chosen key is correct. Any readable solution is mathematically and statistically equally possible and appears valid. There is no way to verify the solution, as it originates from random digits. The system is therefore information-theoretically secure. You have an unbreakable cipher. It's the only existing unbreakable cipher, and it will stay unbreakable forever, regardless of any future mathematical or technological advances or infinite time available to the codebreaker.
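The "proper wrong key" of the letter example and of the three digit solutions above, computed rather than guessed, as an added example that is not code from the original page: it encodes a wanted plaintext with the checkerboard and subtracts the ciphertext digit by digit. The page's checkerboard table is not reproduced here, so the code assumes only the assignments recoverable from the three worked solutions, and it closes figure mode at the end of a text by assumption.

```python
# Added example, not code from the original page: the "proper wrong key"
# for the digit one-time pad above. The page's straddling checkerboard table
# is not reproduced here; the entries below are only those recoverable from
# the three worked solutions (assumption: nothing else is needed).
CHECKERBOARD = {
    "A": "1", "E": "2", "N": "4", "O": "5", "T": "6",          # single-digit row
    "L": "78", "M": "79", "P": "80", "R": "82", "S": "83", "Y": "88",
}
FIGURE_SHIFT = "90"        # enters/leaves figure mode; each digit is written 3 times
TWO_DIGIT_ROWS = "789"     # a code starting with 7, 8 or 9 is two digits long
CODE_TO_LETTER = {code: letter for letter, code in CHECKERBOARD.items()}

# The page's intercepted ciphertext, with the spaces of the 5-digit groups removed.
CIPHERTEXT = "3481825667248575059438586"


def add_mod10(a, b):
    """Digit-wise addition without carry (decryption: ciphertext + key)."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_mod10(a, b):
    """Digit-wise subtraction without borrow (encryption: plaincode - key)."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def encode(text):
    """Text (letters, digits, spaces) -> plaincode digits via the checkerboard."""
    out, figures = [], False
    for ch in text.upper():
        if ch == " ":
            continue                      # spaces are not transmitted
        if ch.isdigit():
            if not figures:
                out.append(FIGURE_SHIFT)
                figures = True
            out.append(ch * 3)            # 2 -> 222, as in the page's example
        else:
            if figures:
                out.append(FIGURE_SHIFT)
                figures = False
            out.append(CHECKERBOARD[ch])  # KeyError: letter not in the recovered table
    if figures:
        out.append(FIGURE_SHIFT)          # assumed: close figure mode at end of text
    return "".join(out)


def decode(digits):
    """Plaincode digits -> text; unknown codes decode as '?' instead of failing."""
    out, i, figures = [], 0, False
    while i < len(digits):
        if figures:
            if digits[i:i + 3] == digits[i] * 3:      # a tripled digit
                out.append(digits[i])
                i += 3
            elif digits[i:i + 2] == FIGURE_SHIFT:     # leave figure mode
                figures = False
                i += 2
            else:
                raise ValueError(f"malformed figure group at digit {i}")
        elif digits[i:i + 2] == FIGURE_SHIFT:
            figures = True
            i += 2
        elif digits[i] in TWO_DIGIT_ROWS:
            out.append(CODE_TO_LETTER.get(digits[i:i + 2], "?"))
            i += 2
        else:
            out.append(CODE_TO_LETTER.get(digits[i], "?"))
            i += 1
    return "".join(out)


def decrypt(ciphertext, key):
    return decode(add_mod10(ciphertext, key))


def key_for(ciphertext, wanted_plaintext):
    """The 'right wrong key': the pad that makes ciphertext decrypt to
    wanted_plaintext. Only as many key digits as the plaincode needs are
    returned; the page's three wanted texts happen to fill all 25 digits."""
    plaincode = encode(wanted_plaintext)
    if len(plaincode) > len(ciphertext):
        raise ValueError("wanted plaintext is longer than the ciphertext")
    return sub_mod10(plaincode, ciphertext)


if __name__ == "__main__":
    for text in ("REPORT 2 PLANES", "REPORT 5 MORTAR", "REPORT ENEMY TROOPS"):
        k = key_for(CIPHERTEXT, text)
        print(f"{text:20s} key {k}  decrypts to {decrypt(CIPHERTEXT, k)}")
```

The three keys returned are exactly keys 1, 2 and 3 of the page; any other 17-letter text that the recovered table can encode would produce a fourth, equally plausible key.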
The one-time pad encryption scheme itself is mathematically unbreakable. The attacker will therefore focus on breaking the key instead of the ciphertext. That's why a truly random key is essential. If the key is generated by a deterministic algorithm, the attacker could find a method to predict the output of the key generator. If, for instance, a crypto algorithm is used to generate a random key, the security of the one-time pad is lowered to the security of the algorithm used and is no longer mathematically unbreakable.
If a one-time pad key, even a truly random one, is used more than once, simple cryptanalysis can recover the key. Using the same key twice results in a relation between the two ciphertexts and consequently also between the two plaintexts. The ciphertext messages are no longer truly random, and it is possible to recover both plaintexts by heuristic analysis. Another unacceptable risk of using one-time pad keys more than once is the known-plaintext attack. If the plaintext of a one-time pad encrypted message is known, it is of course no problem to calculate the key. This means that if the content of one message is known, all messages that are encrypted with the same key are also compromised.
Using a one-time pad more than once will always compromise the one-time pad and all ciphertext enciphered with that one-time pad. To exploit reused one-time pads we can use a heuristic method of trial and error. This simple method enables the complete, or at least partial, deciphering of all messages. This can even be done with pencil and paper, although it is a slow and cumbersome process. The principle is as follows: a crib, which is a presumed piece of the first plaintext, is used to reverse-calculate a piece of the key. This presumed key is then applied at the same position on the second ciphertext. If the presumed crib was correct, this will reveal a readable part of the second ciphertext and provide clues to expand the cribs. In the following example we will demonstrate the breaking of two messages, only with the aid of pencil and paper.
We have two completely different ciphertext messages, "A" and "B". They are both enciphered with the same one-time pad, but we have no knowledge of that key. Let us begin by assuming that the letters are converted into digits by assigning them the values A=01 through Z=26, that the enciphering is performed by subtracting the key from the plaintext without borrowing (5 - 8 = 15 - 8 = 7) and that deciphering is performed by adding ciphertext and key together without carry (7 + 6 = 3 and not 13). This is a standard and unbreakable application of the one-time pad, if only they had never used that one-time pad twice! The reason I use the basic A=01 to Z=26 is to make it easier to see the separate letters. The described heuristic analysis also works with a straddling checkerboard (one-digit and two-digit conversions).
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

Ciphertext A: 69842 23475 84252 16490 45441 18956 51010 4
Ciphertext B: 55841 41281 75131 05995 61489 69256 61
First, we must search for a crib. A crib is an assumed piece of plaintext that corresponds to a given ciphertext. These can be commonly used words, parts of words, or frequently used trigrams or bigrams. Some examples of frequent trigrams in the English language are "THE", "AND", "ING", "HER" and "HAT". Frequent bigrams are "TH", "AN", "TO", "HE", "OF" and "IN". Of course, a crib should be as long as possible. If you know who sent the message and what he might be talking about you could try out complete words.
In our example, we don't have any presumed words, so we'll have to use some other group of letters. Let's try the crib "THE", which is the most frequently used trigram in the English language. Now, in this example we only have one small piece of ciphertext. In real life, you might have a few hundred digits at your disposal for testing, which makes a successful crib more likely.
We align the letters "THE" with every position of ciphertext "A" and subtract the ciphertext from the crib. The result is the assumed one-time key. In heuristic terms, this is our trial. To test it, we add the assumed key to ciphertext "B" to recover plaintext "B". Unfortunately, as shown underneath the first "THE" of the example, we get our heuristic error. We continue to try out all positions. For the sake of simplicity, I only show three example positions of the crib. Our trial and error will show us that the 9th character position (17th digit) provides a possible correct plaintext "B", the trigram "OCU".
CHECKING "THE" CRIB
Crib on A            T  H  E              T  H  E        T  H  E
                     20 08 05             20 08 05       20 08 05
Ciphertext A      69 84 22 34 75 84 25 21 64 90 45 44 11 89 56 51 01 04
Presumed key         46 86 71             66 18 60       41 52 54
Ciphertext B     +55 84 14 12 81 75 13 10 59 95 61 48 96 92 56 61
                     20 90 83             15 03 21       33 08 15
Presumed plain B     T  ?? ??             O  C  U        ?? H  O
                     (impossible)         (possible)     (impossible)
There are a few, but not too many, solutions to complete this "OCU" piece of plaintext, and we'll have to try them all out. So, let's try out the obvious "DOCUMENT". This assumption has to pass our trial and error again. Therefore, here below, we use "DOCUMENT" as a crib for plaintext "B" at exactly the same place. We subtract ciphertext B from the assumed plaintext "DOCUMENT" to again recover a new portion of the presumed key. Our presumed key is now already expanded to 16 digits.
We add this presumed key to ciphertext "A" to hopefully recover something readable, and indeed, "OTHESTAT" could well be a correct solution, thus confirming the crib used. Can we make this crib any longer? "THE STAT" could be part of "THE STATUS", "THE STATION" or "THE STATIC", and "O THE" might be expandable to "TO THE", as "TO" is a popular bigram that ends with the letter O. Again we must test these solutions by recovering the related assumed key and trying that key out on the other ciphertext. If correct, this will again reveal another little readable piece of plaintext. Remember, we started only with the assumption that there could be a "THE" in one message and already end up with "DOCUMENT" and "TO THE STAT..." after only two heuristic steps!
CHECKING "DOCUMENT" CRIB
Crib on B                               D  O  C  U  M  E  N  T
                                        04 15 03 21 13 05 14 20
Ciphertext B      55 84 14 12 81 75 13 10 59 95 61 48 96 92 56 61
Presumed key                            94 66 18 60 75 19 22 74
Ciphertext A     +69 84 22 34 75 84 25 21 64 90 45 44 11 89 56 51 01 04
                                        15 20 08 05 19 20 01 20
Presumed plain A  .  .  .  .  .  .  .  O  T  H  E  S  T  A  T  .  .  .
This process is repeated over and over. Some new cribs will prove to be dead ends and others will result in readable words or parts of words (trigrams or bigrams). More plaintext means better assumptions, and the puzzle will become easier and easier. Thanks to the two ciphertexts, you can verify the solutions of one plaintext with its counterpart ciphertext, over and over again, until the deciphering is completed.
Finally, we'll give the solution, just to verify the results of our trial and error:
THE ORIGINAL MESSAGES
Plaintext A       R  E  T  U  R  N  T  O  T  H  E  S  T  A  T  I  O  N
                  18 05 20 21 18 14 20 15 20 08 05 19 20 01 20 09 15 14
Key              -59 21 08 97 43 30 05 94 66 18 60 75 19 22 74 58 14 10
Ciphertext A      69 84 22 34 75 84 25 21 64 90 45 44 11 89 56 51 01 04

Plaintext B       D  E  L  I  V  E  R  D  O  C  U  M  E  N  T  S
                  04 05 12 09 22 05 18 04 15 03 21 13 05 14 20 19
Key              -59 21 08 97 43 30 05 94 66 18 60 75 19 22 74 58
Ciphertext B      55 84 14 12 81 75 13 10 59 95 61 48 96 92 56 61
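The trial and error of the two reused-key messages above, automated as an added example that is not the page's own code, using the page's ciphertexts A and B, its A=01..Z=26 convention and its published key; drag_crib and apply_crib are names chosen here.

```python
# Added example, not code from the original page: the crib-dragging trial and
# error described above, automated, on the page's own ciphertexts "A" and "B".
# Conventions exactly as the page states them: A=01..Z=26, ciphertext = plain
# minus key and plain = ciphertext plus key, digit by digit, no borrow or carry.
CIPHER_A = "698422347584252164904544118956510104"
CIPHER_B = "55841412817513105995614896925661"
PAGE_KEY = "592108974330059466186075192274581410"   # the key the page reveals at the end


def letters_to_digits(text):
    return "".join(f"{ord(c) - 64:02d}" for c in text.upper())


def digits_to_letters(digits):
    """Pairs 01..26 become letters; anything else is '?' (an impossible letter)."""
    out = []
    for i in range(0, len(digits), 2):
        n = int(digits[i:i + 2])
        out.append(chr(64 + n) if 1 <= n <= 26 else "?")
    return "".join(out)


def add_mod10(a, b):
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_mod10(a, b):
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def apply_crib(crib, position, known, other):
    """Assume 'crib' sits at letter 'position' (1-based) of the message under
    'known'; derive the key segment and use it on 'other' at the same place.
    Returns (fragment recovered from 'other', presumed key segment)."""
    crib_d = letters_to_digits(crib)
    start = (position - 1) * 2
    key_seg = sub_mod10(crib_d, known[start:start + len(crib_d)])
    fragment = digits_to_letters(add_mod10(other[start:start + len(crib_d)], key_seg))
    return fragment, key_seg


def drag_crib(crib, known, other):
    """Slide the crib over every letter position covered by both messages and
    keep the positions where 'other' decrypts to valid letters only. Which of
    those fragments reads like English is still the analyst's call."""
    n_positions = (min(len(known), len(other)) - 2 * len(crib)) // 2 + 1
    hits = []
    for position in range(1, n_positions + 1):
        fragment, key_seg = apply_crib(crib, position, known, other)
        if "?" not in fragment:
            hits.append((position, fragment, key_seg))
    return hits


def decrypt_with_key(ciphertext, key):
    """Plain check once a full key is known: plain = ciphertext + key."""
    return digits_to_letters(add_mod10(ciphertext, key))


if __name__ == "__main__":
    # Step 1: "THE" dragged along A; only a few positions give letters on B.
    for position, fragment, key_seg in drag_crib("THE", CIPHER_A, CIPHER_B):
        print(f"THE at letter {position:2d}: B reads {fragment}  (key {key_seg})")
    # Step 2: expand "OCU" at letter 9 to "DOCUMENT" at letter 8 and test it on A.
    print("DOCUMENT at letter 8 of B gives on A:", apply_crib("DOCUMENT", 8, CIPHER_B, CIPHER_A))
    print("A under the page's full key:", decrypt_with_key(CIPHER_A, PAGE_KEY))
```

Three positions pass the letter-validity filter for "THE"; only letter 9 ("OCU") reads like English, which is why the page carries that one forward.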
Little fragments like, for example, "FORMA" are easily expanded to "INFORMATION", gaining 6 additional letters as a crib. "RANSP" is most likely "TRANSPORT" or, with some luck, "TRANSPORTATION", providing 9 additional letters, quite a large crib. Sometimes, the already recovered text provides clues about the words that precede or follow it, or helps to get ideas for words in other places in the message. It's a slow and tedious process, but the patchwork will gradually grow. Slow, cumbersome and tedious pays off in this line of work. This method is also usable when the text is converted into digits with a straddling checkerboard or any other text-to-digit conversion system.
Of course, this example is short and simple. In reality, there could be all kinds of complications that require many more trials. What system is used to convert text into digits? What language is used? Did they use abbreviations or slang? Are there words available as cribs, or do we need to piece together trigrams or even bigrams until we have a word to get launched? Does the message contain actual words, or are there only codes from a codebook? Is the one-time pad reused completely or only partially, and do they start at the same position in both messages? All these problems can slow down the heuristic process and require a vast number of trials, with associated dead ends and errors, before the job is done. Success is not guaranteed, but in most cases the reuse of one-time pads will result in a successful deciphering. This is certainly the case with today's computer power, enabling fast heuristic testing.
History has shown many examples of negligent use of the one-time pad, the VENONA project being the most notorious. This is a fine example of how important it is to follow the basic rules of the one-time pad. Soviet intelligence historically always relied heavily on one-time pad encryption, with good reason and success. Soviet communications have always proved extremely secure. However, during the Second World War, the Soviets had to create and distribute enormous quantities of one-time pad keys. Time pressure and tactical circumstances led in some cases to the distribution of more than two copies of certain keys. In the early 1940s, the United States and Great Britain analyzed and stored enormous quantities of encrypted messages, intercepted during the war.
American codebreakers discovered by cryptanalysis that a very small portion of the tens of thousands of KGB and GRU messages between Moscow and Washington were enciphered with reused one-time pads. The messages were encoded with codebooks prior to enciphering with the one-time pad, making the task immensely harder still for the codebreakers. Finding out which key was reused on what message, the reconstruction of the codebooks and recovering the plaintext were enormous challenges that took years. Eventually they managed to reconstruct more than 3,000 KGB and GRU messages, just because of a distribution error by the Soviets. VENONA was crucial in solving many spy cases. Although VENONA is often mistakenly referred to as the project that broke Soviet one-time pads, they never actually broke the one-time pad, but exploited implementation mistakes as described above.
Make no mistake! It will never be possible to break the one-time pad if it is properly applied. This example only shows how to exploit the most deadly of all mistakes: reusing a one-time pad.
The use of a truly random key, as long as the plaintext, is an essential part of the one-time pad. Since the one-time pad algorithm itself is mathematically secure, the codebreaker cannot retrieve the plaintext by examining the ciphertext. Therefore, he will try to retrieve the key. If the random values for the one-time key are not truly random but generated by a deterministic mechanism or algorithm, it could be possible to predict the key. Thus, selecting a good random number generator is the most important part of the system.
In the pre-electronic era, true randomness was generated mechanically or electromechanically. Some of the most curious devices were developed to produce random values. Today, there are several options to generate truly random numbers. Hardware random number generators (RNGs) are based on the unpredictability of physical events. Some semiconductors, such as Zener diodes, produce electrical noise under certain conditions. The amplitude of the noise is sampled at fixed time intervals and translated into binary zeros and ones.
Another unpredictable source is the tolerance of electronic component properties and their behavior under changing electrical and temperature conditions. Examples are ring oscillators that operate at a very high frequency, the drift caused by resistors, capacitors and other components in oscillators, or the timing drift of computer hardware. Photons, single light particles, are another perfect source of randomness. In such systems, a single photon is sent through a filter and its state is measured. The quality of such randomness sources can be verified with statistical tests to detect failure of the system.
Even when hardware-based true random generators are used, it will in some cases be necessary to improve their properties, for instance to prevent an unequal distribution of zeros and ones in a sequence. One simple way to improve or whiten a single-bit output is to sample two consecutive bits. The value sequence 01 results in an output bit 0 and the value sequence 10 gives output 1. The repetitive values 00 and 11 are discarded. Some hardware RNGs are the Mills Generator with a combination of several ring oscillators, the Quantis QRNG, based on the unpredictable state of photons, the CPU clock jitter based ComScire PCQNG generator, and the VIA Nano processor with its integrated dual quantum RNGs.
Another option is the manual generation of numbers. Of course, this time-consuming method is only possible for small volumes of keys or key pads. Nevertheless, it is possible to produce truly random numbers this way. You could use five ten-sided dice (see image right). With each throw, you have a new five-digit group. Such dice are available in toy stores, or you could make them yourself (dice template).
Never simply use normal six-sided dice and add the values of two dice. This method is statistically unsuitable to produce values from 0 to 9 and thus absolutely insecure (the total of 7 will occur about 6 times more often than the values 2 or 12). Instead, use one black and one white die and assign a value to each of the 36 combinations, taking the order/color of the dice into account (see table below). This way, each combination has a probability of .0277 (1 in 36). We can produce three series of values between 0 and 9. The remaining 6 combinations (with a black 6) are simply disregarded, which doesn't affect the probability of the other combinations.
TRUE RANDOM 0 TO 9 WITH BLACK AND WHITE DICE
BW       BW       BW       BW       BW
11 = 0   21 = 6   31 = 2   41 = 8   51 = 4
12 = 1   22 = 7   32 = 3   42 = 9   52 = 5
13 = 2   23 = 8   33 = 4   43 = 0   53 = 6
14 = 3   24 = 9   34 = 5   44 = 1   54 = 7
15 = 4   25 = 0   35 = 6   45 = 2   55 = 8
16 = 5   26 = 1   36 = 7   46 = 3   56 = 9
THROWS WITH BLACK 6 ARE DISCARDED
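The two-bit whitening rule described earlier and the black-and-white dice table above, as one added example that is not code from the original page; both remove bias by discarding outcomes. The biased bit source is constructed with a seeded PRNG purely to have something skewed to whiten, and is not a hardware generator.

```python
# Added example, not code from the original page: two of the bias-removal rules
# described on the page, the two-bit whitening of a raw bit stream (01 -> 0,
# 10 -> 1, 00 and 11 discarded) and the black/white dice table (throws with a
# black 6 discarded). The biased bit source is constructed here for illustration.
import random


def whiten(bits):
    """Two-bit whitening of a '0'/'1' string; assumes the input bits are independent."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        pair = bits[i:i + 2]
        if pair == "01":
            out.append("0")
        elif pair == "10":
            out.append("1")
        # "00" and "11" carry the bias and are dropped
    return "".join(out)


def ones_fraction(bits):
    return bits.count("1") / len(bits) if bits else 0.0


def biased_source(n_bits, p_one=0.75, seed=1):
    """Constructed stand-in for a skewed hardware source (seeded, so repeatable)."""
    rng = random.Random(seed)
    return "".join("1" if rng.random() < p_one else "0" for _ in range(n_bits))


def dice_digit(black, white):
    """The page's table: 30 ordered throws map three times each onto 0..9;
    a black 6 is discarded (None)."""
    if not (1 <= black <= 6 and 1 <= white <= 6):
        raise ValueError("each die shows 1..6")
    if black == 6:
        return None
    return ((black - 1) * 6 + (white - 1)) % 10


def digit_histogram():
    """How often each digit occurs over all 36 ordered throws (black 6 dropped)."""
    counts = [0] * 10
    for b in range(1, 7):
        for w in range(1, 7):
            d = dice_digit(b, w)
            if d is not None:
                counts[d] += 1
    return counts


def sum_histogram():
    """For contrast: totals of two dice, the method the page warns against."""
    counts = {}
    for b in range(1, 7):
        for w in range(1, 7):
            counts[b + w] = counts.get(b + w, 0) + 1
    return counts


if __name__ == "__main__":
    raw = biased_source(40000)
    white = whiten(raw)
    print(f"raw: {len(raw)} bits, ones {ones_fraction(raw):.3f}")
    print(f"whitened: {len(white)} bits, ones {ones_fraction(white):.3f}")
    print("dice table digits 0..9:", digit_histogram())
    print("two-dice totals 2..12:", sum_histogram())
```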
You could also assign the letters A through Z and the numbers 0 through 9 to all 36 dice combinations, again taking the order/color into account as in the table above. This way, you can create one-time pads that contain both letters and numbers. Such one-time pads can be used in combination with a Vigenere square, similar to the one described above, but with a 36 x 36 grid where each row contains the complete alphabet followed by all digits. This will also produce a ciphertext with both letters and numbers. An advantage is that your plaintext can contain figures.
You can also use lotto balls. However, after extracting a number, that ball must always be mixed back in with the other balls before extracting the next ball. If random bit values are required, you can use one or more coins that are flipped, with one side representing the zeros and the other side the ones. With 8 coins you could compose an 8-bit value (byte) in one throw. Many other manual systems can be devised, as long as statistical randomness is assured. These simple but effective and secure methods are suitable for small one-time pads or small keys that are used to protect passwords (see Secret Splitting).
Another alternative is the use of a software-based generator. However, software random number generators will never provide absolute security because of their deterministic nature. Cryptographically secure pseudorandom number generators (CSPRNGs) produce a random output that is determined by a key or seed. A large (unlimited) amount of random values is derived from a seed or key of limited size, and seed and output are related to each other. In fact, you are no longer using one-time pad encryption, but an encryption with a small key. Brute forcing the seed by trying out all possible seeds, or analysis of the output or parts of the output, could compromise the generator.
There are techniques to improve the output of CSPRNGs. Using a truly random and very large seed is essential. This could be done by accurate time or movement measurements of human interaction with the computer, for instance mouse movements, or by measuring the timing drift of computer processes (note that a normal computer RND function is totally insecure). Another technique to drastically improve a CSPRNG is to combine the generator output with that of multiple other generators, the so-called "whitening". This makes analysis of the output much more difficult because each generator output obscures information about the other generator outputs. In the end, however, only one-time pad encryption, based on truly random keys, is really unbreakable. More information about the secure generation of randomness is found in the IETF RFC 1750, Randomness Recommendations for Security.
There's also the issue of secure computers to process, store or print the truly random numbers. Even the use of a hardware generator with truly random output, necessary for absolute security, is useless if the computer itself is not absolutely secure. Unfortunately, there is no such thing as a secure personal computer. The only absolutely secure computer is a physically separated computer, with restricted input/output peripherals, never connected to a network and securely stored with controlled access. Any other computer configuration will never guarantee absolute security. Cryptographic software is only secure on a stand-alone computer or dedicated crypto equipment.
One-time pad encryption is only possible if both sender and receiver are in possession of the same key. Therefore, we need a secure exchange beforehand, physically through a trusted courier, or electronically by a perfectly secure system like quantum key distribution. The secure communications are therefore expected and planned within a specific time frame. Enough key material must be available for all required communications until a new exchange of keys is possible. Depending upon the situation, a large volume of keys could be required for a short time period, or little key material could be sufficient for a very long time period, up to years or even decades. One-time pads are especially interesting in circumstances where long-term security is essential. Once encrypted, no single future cryptanalytic attack or technology will ever be able to decrypt the data. In contrast, information that is encrypted with current traditional computer algorithms will not withstand future codebreaking technology and can compromise people or organisations years afterwards.
Although the one-time pad is the only perfect cipher, it has two disadvantages that complicate its use for some specific applications. The first problem is the generation of large quantities of random keys. We cannot produce true randomness with simple mechanical devices or computer algorithms like a computer RND function or stream ciphers. Hardware true random generators, usually based on noise, are the only secure option. The second problem is key distribution. The amount of key needed is equal to the amount of data that is encrypted, and each key is for one-time use only. Therefore, we need to distribute large amounts of keys to both sender and receivers in a highly secure way. Of course, it would be useless to send the one-time pads to the receiver by encrypting them with AES, IDEA or another strong algorithm. This would lower the unbreakable security of the pads to the security level of the algorithm that was used. These are practical problems, but solutions exist for certain applications.
Another disadvantage is that one-time pad encryption doesn't provide message authentication and integrity. Of course, you know that the sender is authentic, because he has the appropriate key and only he can produce a decipherable ciphertext, but you cannot verify whether the message is corrupted, either by transmission errors or by an adversary. A solution is to use a hash algorithm on the plaintext and send the hash output value, encrypted along with the message, to the recipient (a hash value is a unique fixed-length value, derived from a message). Only the person who has the proper one-time pad is able to correctly encrypt the message and corresponding hash. An adversary cannot predict the effect of his manipulations on the plaintext, nor on the hash value. Upon reception, the message is deciphered and its content checked by comparing the received hash value with a hash that is created from the received message. Unfortunately, a computer is required to calculate the hash value, making this method of authentication impossible for purely manual encryption.
Unbreakable encryption has been available since the 1920s. However, failing to solve the key distribution issues of one-time pad encryption, cryptologists turned to public key cryptography in the 1970s to share the short secret keys of symmetric algorithms. Modern symmetric block ciphers and stream ciphers, in combination with asymmetric public key algorithms, replaced one-time pads for secure communications because of practical considerations and their solution to key distribution.
Modern computer algorithms have done a great job in protecting Internet communications and e-commerce in the past few decades. Today, traditional symmetric block ciphers and stream ciphers, under control of a secret key, still encrypt the vast amounts of data that travel around the world, but asymmetric public key cryptography enables a secure exchange of the secret symmetric keys. It's an all-in-one automated package: the data is encrypted with a symmetric algorithm under control of a random secret key. That secret key is encrypted with the asymmetric public key that is available to everyone. The whole package, encrypted data and encrypted secret key, is sent to the receiver. He decrypts the secret key with his private key and uses that secret key to decrypt the actual data.
Problem solved? Not really. As before, all data is still encrypted with traditional symmetric algorithms (public key cryptography is too computation-heavy for large data and is used only to encrypt short keys). Man-made symmetric algorithms, with all their known and unknown design flaws, poor computer-generated randomness for keys and weak key schedules that compromise public key implementations, running on today's insecure personal computers, are a disaster waiting to happen. Some of these flaws are requested or even imposed by governments to enable eavesdropping in the name of their nation's security. Recently, it became clear that some organisations precompute frequently used prime groups, thus bypassing the near impossible task of prime factorization, used for public key cryptography. The result is that current crypto algorithms and communications security are, at best, reasonably secure, and digital security and privacy no longer exist.
All those flaws are already exploited today on a large scale by a few organizations. Unfortunately, governments that weaken domestic encryption also make their country and infrastructure vulnerable to hostile foreign states, which is always a very bad idea, regardless of any excuses that a government presents for doing so. Inevitably, the technology to exploit flawed encryption will find its way to more people, including criminals, on a larger scale in the near future. This will cause a complete collapse of all secure communications, privacy, e-commerce and the global monetary system. Unfortunately, recovering from such a crypto collapse will take a very long time. The current infrastructure of network technology, servers and computers is technically unsuitable to provide real security and privacy. It will take quite some time and effort to change that infrastructure.
Information theory taught us that only a truly random key, as long as the message, enables encryption that resists cryptanalysis. Any key that is shorter than the message, regardless of how random it is, will eventually provide the clear and unique solution to breaking the message. This is a mathematical fact. In the end, only perfectly secure encryption will survive the evolution of cryptography. Just as classical pencil-and-paper ciphers were rendered useless with the advent of the computer, so will current computer-based crypto algorithms fall victim to the evolution of technology.
Does one-time pad encryption have a future? Of course, because it is the only crypto algorithm that has a future! Once codebreaking technology has surpassed the capabilities of cryptologists and the limitations of mathematics to make strong encryption, there will no longer be any crypto algorithm that survives the evolution of cryptology, unless it meets the standard of information-theoretic perfect security. Only one-time pad encryption will therefore survive that evolution. Technology and science, instead of cryptologists, must then provide a solution to the key distribution issues. This can be some modern high-tech version of the briefcase with handcuffs, or quantum key distribution, which is already in use today. One way or the other, one-time pad encryption and a system to distribute its keys, practical or impractical, will be implemented in the future because we will have no other choice.
What would such a secure network look like? One possible and practical setup is a multiple star topology with interconnected nodes. Each user connects to his own node. All data or email traffic between the connected user and the node is encrypted with his user-node one-time pad key, which is destroyed immediately after use. The user's node automatically decrypts the data he sent, re-encrypts it with an inter-node key and sends the data to the receiver's node. All data traffic between the different nodes in the network is also one-time pad encrypted, with unique random inter-node keys for each node connection. The receiver's node decrypts the data, re-encrypts it with the key that the node shares with the receiving user and sends it to him. If a user is not connected to his own node, his encrypted data is relayed automatically via other nodes to his own node for further processing. We can also provide authentication by calculating a hash value from the plain data. The hash value should be encrypted together with the data. Any corruption or manipulation of the encrypted data will cause a difference with the proper hash value. Thanks to the unbreakable encryption, only the proper sender can create the correct hash and only the proper receiver can verify the inserted hash value.
This way, each encryption step has used its own truly random keys, and there is no mathematical relation whatsoever between any of the data that travels across the various network connections. Moreover, the user doesn't need a separate key for each correspondent, and the generation and distribution of keys is all done locally. This principle is basically identical to the system of interconnected one-time pad encrypted teletype centers, in use from the 1950s until the 1980s, albeit much faster, with many more users and faster production of keys. The argument of some cryptologists that one-time pad encryption would require an exponential amount of keys to connect all users (a key from everyone to everyone) is a fairy tale, already solved half a century ago with communications center nodes. We just need to modernize that perfectly secure system.
Some cryptologists still argue that the distribution of large quantities of one-time pads or keys is impractical. This was indeed the case in the era of paper one-time pads, punched one-time tape reels, 1.44 MB floppy disks or 100 MB disk drives. However, today's hardware is capable of generating huge amounts of truly random keys at very high speeds, and one-time pad encryption software, which requires virtually no computational effort, can process large quantities of data at very high speeds. Current data storage technology enables the physical transport of enormous quantities of truly random keys on very small devices.
The generation and distribution of keys for node-user and inter-node connections can be fully automated. One solution for the secure distribution of one-time pad keys is quantum key distribution (QKD). This technology enables perfectly secure transmission of key bits over fiber optics. SECOQC in Vienna, Austria, was in 2008 the first ever QKD-protected network. The current DARPA Quantum Network connects ten nodes. ID Quantique, QuintessenceLabs and SeQureNet are some of the commercial firms that offer QKD networks. The perfect one-time pad encryption is the ideal partner for the perfect quantum key distribution. However, even with current random generation and data storage technology it would be technically possible to physically supply enough random keys between nodes. Providing random keys to users that do not have a fixed fiber optic connection will be more challenging. If technology can't find a solution, there will be no other option than to distribute the end-user keys physically. This will be the price to pay for security, but it doesn't have to be a real problem. The effort to distribute those keys can be quite minimal.
The user would have to go to his local node and receive, after identification, his locally generated one-time pad keys on some type of data carrier. The method is comparable to withdrawing money from an ATM. With such a so-called sneakernet, the transfer of data on removable media by physically couriering it, you can reach a throughput (amount of data per unit of time) of random key material that is greater than what a network can process in encrypted data. In other words, it might take some time to transport a terabyte of truly random keys, but it will take a long time to consume that amount on a broadband network. A terabyte-sized key can easily encrypt your email traffic for a year, including attachments. Many Internet providers won't even allow this amount of traffic. Driving once a year or every few months to a node terminal to collect your own random key is an acceptable effort to obtain absolute security.
One-time pad encryption will provide absolute security and privacy to all users, but will also deprive all governments of their eavesdropping capabilities and the cryptologists of their job. Most cryptologists don't like to hear this, but the truth is that perfectly secure encryption is not a mathematical problem but a technical problem that can be solved. The problem has been solved in the past, and we can adapt it with current technology to today's requirements. It won't be easy to do the makeover, due to years of development in the wrong direction, but having that huge insecure infrastructure without real security or privacy can never justify keeping it, merely because it exists. It's a typical case of mission creep, as they continue on the wrong path because they hesitate to turn back. The longer we hesitate, the bigger the disaster to come and the more effort it takes to switch over.
Eventually, we will have no choice and will have to replace all current crypto and communications technology. This starts with creating perfectly secure networks and is followed by redesigning the insecure architecture of personal computers, because it's pointless to have secure communications if the connected equipment leaks like a sieve. The biggest challenge, however, will be to find a trusted authority willing to approve, support and enforce the development of this technology. As long as governments do not understand the benefits of strong encryption for everyone, and think no further ahead than the next election date, we will never regain our privacy. At this moment, most of them unfortunately tend to move in the opposite direction, as foreseen by George Orwell.
The current precarious state of Internet security, or rather the lack of security, is where the limited use of one-time pad encryption for specific purposes comes into play. One might have found it ridiculous in our high-tech world, if it wasn't for the disastrous state our privacy is in today. Indeed, even the pencil-and-paper one-time pad still provides a practical encryption system for crucial private communications, where the correspondents can perform all calculations by hand and without the aid of their insecure computers and unreliable network. You could call it the poor man's one-time pad, but it works perfectly and it is the only system that we can really trust today, and best of all, nobody will ever be able to decipher your messages, not even three-letter organisations.
© Copyright 2004 - 2016 Dirk Rijmenants