One-time pad (OTP), also called Vernam-cipher or the perfect cipher, is a crypto algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption.
Used by Special Operations teams and resistance groups during WW2, popular with intelligence agencies and their spies during the Cold War and beyond, protecting diplomatic and military message traffic around the world for many decades, the one-time pad gained a reputation as a simple yet solid encryption system with an absolute security which is unmatched by today's modern crypto algorithms.
Whatever technological progress may come in the future, one-time pad encryption is, and will remain, the only truly unbreakable system that provides real long-term message secrecy.
We can only talk about one-time pad if some important rules are followed. If these rules are applied correctly, the one-time pad can be proven unbreakable (see Claude Shannon's "Communication Theory of Secrecy Systems"). Even infinite computational power and infinite time cannot break one-time pad encryption, simply because it is mathematically impossible. However, if even one of these rules is disregarded, the cipher is no longer unbreakable.
- The key is at least as long as the message or data that must be encrypted.
- The key is truly random (not generated by a simple computer function or such).
- Key and plaintext are calculated modulo 10 (digits), modulo 26 (letters) or modulo 2 (binary).
- Each key is used only once, and both sender and receiver must destroy their key after use.
- There should only be two copies of the key: one for the sender and one for the receiver (some exceptions exist for multiple receivers).
Important note: one-time pads or one-time encryption are not to be confused with one-time keys (OTK) or one-time passwords (sometimes also denoted as OTP). Such one-time keys, limited in size, are only valid for a single encryption session by some crypto-algorithm under control of that key. Small one-time keys are by no means unbreakable, because the security of the encryption depends on the crypto algorithm they are used for.

Origins of One-time pad

The story of one-time pad starts in 1882, when the Californian banker Frank Miller compiled his "Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams". Such codebooks were commonly used, mainly to reduce telegraph costs by compressing words and phrases into short number-codes or letter-codes. These codebooks provided little or no security. However, Miller's codebook also provided instructions for a superencipherment (a second encipherment layer over the code) by a unique method: he added so-called shift-numbers (the key) to the plaincode (words, converted into a number) and defined the shift-numbers as a list of irregular numbers that should be erased after use and never be used again.
His codebook contained 14,000 words, phrases and blanks (for customizing) and if during enciphering the sum of plaincode and key exceeded 14,000, one had to subtract 14,000 from the sum. If during deciphering the ciphertext value was smaller than the key, one had to add 14,000 to the ciphertext and then subtract the key (this is basically a modulo 14,000 arithmetic). If the shift-numbers were randomly chosen and used once only, the modular arithmetic provided unbreakable encryption. Miller had invented the first ever one-time pad. Unfortunately, Miller's perfect cipher never became generally known, got lost in the history of cryptography and never received the credit it deserved. It disappeared into oblivion almost as soon as it was invented, only to be rediscovered in archives by researcher Steven Bellovin in 2011.
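Miller's shift-number arithmetic as described above, written out as an added example (not code from the original page or from Miller's codebook). It assumes the codebook entries are numbered 1 to 14,000 and that the operating system's entropy source stands in for a true random source; the function names are illustrative.

```python
import secrets

CODEBOOK_SIZE = 14_000  # number of entries in Miller's codebook, per the text


def new_shift_numbers(count):
    """One shift-number per code group, to be erased after a single use.
    Assumption: the OS entropy source stands in for a true random source."""
    return [secrets.randbelow(CODEBOOK_SIZE) for _ in range(count)]


def encipher(plaincodes, shifts):
    if len(shifts) < len(plaincodes):
        raise ValueError("need one unused shift-number per code group")
    cipher = []
    for code, shift in zip(plaincodes, shifts):
        if not 1 <= code <= CODEBOOK_SIZE:   # assumed numbering 1..14,000
            raise ValueError(f"{code} is not a codebook entry")
        total = code + shift
        if total > CODEBOOK_SIZE:            # sum exceeded 14,000
            total -= CODEBOOK_SIZE
        cipher.append(total)
    return cipher


def decipher(ciphercodes, shifts):
    if len(shifts) < len(ciphercodes):
        raise ValueError("need one shift-number per code group")
    plain = []
    for code, shift in zip(ciphercodes, shifts):
        diff = code - shift
        # The text adds 14,000 when the ciphertext is smaller than the key.
        # Testing the difference also covers ciphertext == key, which under
        # the assumed numbering occurs only for plaincode 14,000.
        if diff < 1:
            diff += CODEBOOK_SIZE
        plain.append(diff)
    return plain


if __name__ == "__main__":
    message = [13990, 6000, 14000, 27]       # constructed code numbers
    shifts = new_shift_numbers(len(message))
    sent = encipher(message, shifts)
    print(sent, decipher(sent, shifts) == message)
```

The boundary case is the point of interest: a rule applied by hand has to say what happens when the ciphertext equals the key, otherwise the last codebook entry deciphers to zero.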
Then, in 1917, AT&T research engineer Gilbert Vernam developed a system to encrypt teletype (TTY) communications. Although Vernam's invention mathematically resembles Miller's idea, he devised an electromechanical system, completely different from Miller's pen-and-paper algorithm. Therefore, it seems unlikely that Vernam borrowed Miller's idea. Vernam mixed a five-bit Baudot-coded punched paper tape, containing the message, with a second punched paper tape, the key, containing random five-bit values. To mix the punched tapes, a modulo 2 addition (later known as the Boolean XOR or Exclusive OR) was performed with relays, and the key tape ran synchronously on the sending and receiving TELEX machine. It was the first automated instant on-line encryption system.
Vernam realized that encryption with short key tapes (basically a poly-alphabetic cipher) would not provide enough security. Initially, Vernam used a mix of two key tape loops, with relatively prime length, creating one very long random key. Captain Joseph Mauborgne (later Chief of the U.S. Signal Corps) showed that even the double key tape system could not resist cryptanalysis if large volumes of message traffic were encrypted. Mauborgne concluded that the message would be secure only if the key tape is unpredictable, as long as the message and used only once. Moreover, the encryption proved to be unbreakable. One-time encryption was reborn.
NSA called Vernam's 1919 one-time tape (OTT) patent "perhaps one of the most important in the history of cryptography" (Melvin Klein, NSA). AT&T marketed the Vernam system in the 1920s for commercial secure communications, albeit with little success. The production, distribution and consumption of enormous quantities of one-time tapes limited its use to fixed stations (headquarters or communications centers). It was not until the Second World War that the US Signal Corps widely used the OTT system for its high level teleprinter communications. However, three German cryptologists immediately recognized the advantages of one-time encryption.
In the early 1920s, the German cryptologists Werner Kunze, Rudolf Schauffler and Erich Langlotz cryptanalysed French diplomatic traffic. These pencil-and-paper numerical codes used code books to convert words and phrases into digits. The French added a short repetitive numerical key (by modulo 10) to encrypt the code book values. The German cryptologists had no problem in breaking these short keys but realized that adding a unique random key digit to each individual code group digit would make the message unbreakable. They devised a system with paper sheets containing random digits, each digit to be used once only, and the sheets, of which there were only two copies (one for sender and one for receiver), should be destroyed after use. In fact, they re-invented Frank Miller's 1882 system.
By 1923, the system was introduced in the German foreign office to protect its diplomatic messages (see image right). For the first time in history, diplomats could have truly unbreakable encryption at their disposal. Unfortunately, they took the fatal decision to produce the random digits for their keys with a simple mechanical machine. By doing so, they degraded a perfectly secure one-time pad system to a weak pseudo-random stream cipher. In 2016, researcher Steven Bellovin discovered a 1947 U.S. Army Security Agency (ASA) document on cryptanalysis of German diplomatic one-time pad messages, codenamed GEE traffic. Analysis of the messages revealed patterns, showing that the additive keys were not truly random. ASA eventually retrieved the original sequences of key digits and reconstructed the machine that generated the digits. This enabled them to decipher the diplomatic traffic. It's important to understand that this is not an example of breaking one-time pad (one-time pad is unbreakable) but a historically significant textbook example of bad implementation, in this case using keys that are not truly random.
Many variations on this pencil-and-paper system were devised. The name one-time pad (OTP) refers to small note pads with random digits or letters, usually printed in groups of five. For each new message, a new sheet is torn off. They are often printed as very small booklets or on microfilm for covert communications.
In 1943, one-time pads became the main cipher of the Special Operations Executive (SOE) to replace insecure poem-based transposition ciphers and book ciphers. The system was used extensively during and after the Second World War by many intelligence organizations, sabotage and espionage units. The unbreakable encryption protects operatives and their contacts against decryption of their communications and disclosure of their identities. Such a level of security cannot be guaranteed with other encryption systems during long-running operations because the opponent might have enough time to successfully decrypt the messages.
The Soviets relied heavily on OTPs and OTTs during and after the Second World War for their armed forces and intelligence organizations, making much of their vital communications virtually impenetrable. One system the Soviets used for letters from and to their embassies was to remove only the sensitive words, names or phrases and replace them with "No 1", "No 2", and so on. Next, the sensitive text and corresponding numbering were encrypted with one-time pad and this ciphertext accompanied the letter. By encrypting only those sensitive parts they could greatly reduce the amount of ciphertext, work and time to process long letters. A major change-over of Soviet communications to one-time pads in 1948 crippled NSA's SIGINT efforts for many years, an event NSA called Black Friday (chap 3, p19).
Image: A miniature paper one-time pad. © Dirk Rijmenants
Image: Miniature one-time pads and conversion table from the former East German intelligence agency HVA (Hauptverwaltung Aufklärung). © SAS Chiffrierdienst
Image: One-time pad booklet and microdot reader, concealed in a toy truck and used by an illegal agent that operated in Canada. © Canadian CSIS
Image: German Foreign Office one-time sheets. Image courtesy © NSA
Image: Part of a CIA one-time pad used by Aleksandr Ogorodnik (TRIGON). Source: KGB Archives
On the right you find various versions of one-time pads. The plastic pouch with one-time pad sheets and the table to convert text into digits were used by the East-German foreign intelligence service HVA. The Canadian intelligence service seized a miniature one-time pad booklet, a microdot reader and special lens, cleverly concealed in a toy truck that was brought into Canada by the young son of a foreign intelligence operative who entered the country to carry out espionage. The German one-time pad folder, used for official communications between Saigon and Berlin, consists of a sealed folder with one hundred one-time pad worksheets, numbered 6500 to 6599. Each sheet contains random numbers and enough space to write down the message and perform the calculations. The last image is part of a one-time pad, used by Aleksandr Dmitrievich Ogorodnik (TRIGON), a Soviet Foreign Ministry employee who committed espionage for the CIA. More about TRIGON at SIGINT Chatter and at the webpage of Andrei Sinelnikov (in Russian) (translation).
The early use of one-time pads is hardly mentioned in official documents (for obvious security reasons). Nevertheless, I came across documents from the India Office Records in the British Library. They show how the Bahrain Petroleum Company (BAPCO), a subsidiary of American Standard Oil of California that operated in the Persian Gulf, was given permission in 1943 to use one-time pads to communicate with its offices in New York. The pads were allocated to them by the U.S. Navy Department and vetted by the British Cipher Security Officer of PAIFORCE (Persia and Iraq Force, a British and Commonwealth military formation in the Middle East from 1942 to 1943). They show the official use of one-time letter pads by Political Residents of the British Imperial Civil Administration, the British Army, the Ministry of War Transport in London and the U.S. Navy, at least as early as 1943, and that, surprisingly, the pads were even shared with commercial firms. See also my blog post BAPCO's Use of One-time Pads During WW2.

Paper One-time pads

The use of pencil-and-paper one-time pads is limited because of the practical and logistical issues and the low message volume it can process. One-time pads were widely used by foreign service communicators until the 1980s, often in combination with code books. These code books contained all kinds of words or entire phrases, which were represented by a three or four figure code. For special names or expressions, not listed in the codebook, there were codes included that represent one letter that allowed the spelling of words. There was a book to encode, sorted by alphabet and/or category, and a book to decode, sorted by numbers. These books were valid for a long period of time and were used not only to encode the message - which would be a poor encryption method by itself - but especially to reduce its length for transmission over commercial cable or telex.
Once the message was converted into numbers, the communicator enciphered these numbers with the one-time pad. Usually there was a set of two different pads, one for incoming and one for outgoing messages. Although a one-time pad normally has only two copies of a key, one for sender and one for receiver, some systems used more than two copies to address multiple receivers. The pads were like note blocks with random numbers on each small page, but with the edges sealed. One could only read the next pad by tearing off the previous pad. Each pad was used only once and destroyed immediately. This system enabled absolutely secure communication. An excellent description of Canadian Foreign Service one-time pads is found on Jerry Proc's website.
Intelligence agencies use one-time pads to communicate with their agents in the field. The perfect and long-term security protects the identity of covert agents, their assets and operations abroad. With one-time pad, spies don't have to carry crypto systems or use insecure computer software. They can carry a large number of one-time pad keys in very small booklets, on microfilm or even printed on clothing. These are easy to hide and to destroy. One way to send one-time pad encrypted messages to agents in the field is via numbers stations. To do so, the message text is converted into digits prior to encryption.
A good example is the TAPIR table, used by the Stasi, the former East German intelligence agency. With the TAPIR table, the plain text is converted into figures by a table, similar to the straddling checkerboard, prior to encryption with one-time pad. The most frequent letters are converted into a single-digit value, and the other letters, commonly used bigrams, figures and signs are converted into double-digit values. Next, the digits are encrypted by subtracting the key from the plain text numbers. The TAPIR table suppresses peaks in digit frequency distribution and the irregular single and double digit values create fractionation. WR 80 is a carriage return. Bu 81 (Buchstaben) and Zi 82 (Ziffern) are used to switch between letters (yellow) and figures (green). ZwR 83 is a space. Code 84 is used as prefix for three-digit or four-digit codes, replacing long words or phrases, obtained from a codebook. Such codebooks can have an odd code numbering sequence, carefully selected to detect errors in the code numbers, as shown in this example codebook. More text-to-digit conversion methods at the Straddling Checkerboards page.
Documents, seized by the East-German intelligence Stasi, show detailed one-time pad procedures as used by CIA agents who operated in the former DDR. See also the Guide to Secure Communications with the One-time Pad Cipher (pdf) for detailed information about the use of manual one-time pads and how to compile and use codebooks.
Image: TAPIR conversion table. © SAS und Chiffrierdienst
Below, on the left, is a one-time pad booklet with reciprocal encryption table from a Western agent, seized by the East-German MfS (Ministerium für Staatssicherheit or Stasi). The second image is a one-time pad sheet (preserved in a 35 mm slide frame) from an East-German agent, found by the West-German BfV (Bundesamt für Verfassungsschutz, the federal domestic intelligence). The right-most image is a one-time pad of a West agent, found by the MfS (also preserved in a 35 mm slide frame). The pad itself is only about 15 mm or 0.6 inch wide (thus even smaller than depicted) and virtually impossible to read with the naked eye! I even had difficulty photographing it clearly. Such miniature one-time pads were used by illegal agents, operating in foreign countries, and were hidden inside innocent-looking household items like cigarette lighters, fake batteries or ashtrays.
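The digit step described for the TAPIR procedure (subtracting the key from the plaintext digits) combined with the key rules listed at the top of the page, as an added example that is not part of the original page. PadSheet, new_pad_pair, key_explaining and groups_of_five are illustrative names, the sample digits are constructed, and the operating system's entropy source is assumed to stand in for a true random source.

```python
import secrets


class PadSheet:
    """One copy of a sheet of random key digits; used digits are destroyed."""
    def __init__(self, digits):
        self._unused = list(digits)

    def _take(self, n):
        # Rules: key at least as long as the message, each digit used once.
        if n > len(self._unused):
            raise ValueError("not enough unused key digits for this message")
        key, self._unused = self._unused[:n], self._unused[n:]
        return key

    def encrypt(self, plain):
        # Subtract the key from the plaintext digits, modulo 10, no borrow.
        key = self._take(len(plain))
        return "".join(str((int(p) - k) % 10) for p, k in zip(plain, key))

    def decrypt(self, cipher):
        # The receiver adds the same key digits back, modulo 10, no carry.
        key = self._take(len(cipher))
        return "".join(str((int(c) + k) % 10) for c, k in zip(cipher, key))


def new_pad_pair(n_digits):
    """Two copies only: one sheet for the sender, one for the receiver.
    Assumption: the OS entropy source stands in for a true random source."""
    key = [secrets.randbelow(10) for _ in range(n_digits)]
    return PadSheet(key), PadSheet(key)


def key_explaining(cipher, candidate):
    """Key digits under which `cipher` would decrypt to `candidate`."""
    return [(int(p) - int(c)) % 10 for p, c in zip(candidate, cipher)]


def groups_of_five(digits):
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


if __name__ == "__main__":
    # Constructed digits: prefix 84 + made-up codebook number 1234, then 83.
    sender, receiver = new_pad_pair(20)
    cipher = sender.encrypt("84123483")
    print(groups_of_five(cipher), receiver.decrypt(cipher))
    print(key_explaining(cipher, "00000000"))  # another text, another valid key
```

key_explaining returns a valid key for any candidate text of the same length, which is why a ciphertext made with a truly random, single-use key says nothing about which plaintext was sent.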