One-time Pad – Ciphers and encryption


The One-time pad

One-time pad (OTP), also called Vernam-cipher or the perfect cipher, is a crypto algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption. Used by Special Operations teams and resistance groups during WW2, popular with intelligence agencies and their spies during the Cold War and beyond, protecting diplomatic and military message traffic around the world for many decades, the one-time pad gained a reputation as a simple yet solid encryption system with an absolute security which is unmatched by today’s modern crypto algorithms. Whatever technological progress may come in the future, one-time pad encryption is, and will remain, the only truly unbreakable system that provides real long-term message secrecy.

We can only talk about one-time pad if some important rules are followed. If these rules are applied correctly, the one-time pad can be proven unbreakable (see Claude Shannon’s “Communication Theory of Secrecy Systems”). Even infinite computational power and infinite time cannot break one-time pad encryption, simply because it is mathematically impossible. However, if only one of these rules is disregarded, the cipher is no longer unbreakable.

  • The key is at least as long as the message or data that must be encrypted.
  • The key is truly random (not generated by a simple computer function or such)
  • Key and plaintext are calculated modulo 10 (digits), modulo 26 (letters) or modulo 2 (binary)
  • Each key is used only once, and both sender and receiver must destroy their key after use.
  • There should only be two copies of the key: one for the sender and one for the receiver (some exceptions exist for multiple receivers)
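
The rules above in executable form, as an added example that is not part of the original page: it generalizes to any of the three moduli, shows that a ciphertext is consistent with every plaintext of the same length, and shows what leaks when a key is used twice. The sample messages are constructed, and the operating system's CSPRNG is an assumed stand-in for a truly random key source.

```python
import secrets

def otp_encrypt(plain, key, m):
    """Add the key to the plaintext symbol by symbol, modulo m (10, 26 or 2)."""
    if len(key) < len(plain):
        raise ValueError("key must be at least as long as the message")
    return [(p + k) % m for p, k in zip(plain, key)]

def otp_decrypt(cipher, key, m):
    """Subtract the key from the ciphertext symbol by symbol, modulo m."""
    if len(key) < len(cipher):
        raise ValueError("key must be at least as long as the message")
    return [(c - k) % m for c, k in zip(cipher, key)]

def key_that_explains(cipher, candidate, m):
    """Key under which `cipher` decrypts to `candidate`. One exists for every
    candidate of the same length, so the ciphertext alone singles out none."""
    return [(c - p) % m for c, p in zip(cipher, candidate)]

def reuse_leak(cipher_a, cipher_b, m):
    """Difference of two ciphertexts made with the SAME key: the key cancels
    and what remains is the difference of the two plaintexts."""
    return [(a - b) % m for a, b in zip(cipher_a, cipher_b)]

def random_key(length, m):
    # Assumption: the OS CSPRNG stands in for the truly random source.
    return [secrets.randbelow(m) for _ in range(length)]

def letters(s):
    """Map A..Z to 0..25."""
    return [ord(ch) - ord("A") for ch in s]

def as_text(nums):
    """Map 0..25 back to A..Z."""
    return "".join(chr(n + ord("A")) for n in nums)

if __name__ == "__main__":
    # Constructed sample messages (letters only, modulo 26).
    msg, decoy = letters("MEETINGATNINE"), letters("NOTHINGTOSEND")
    key = random_key(len(msg), 26)
    ct = otp_encrypt(msg, key, 26)
    print("ciphertext    :", as_text(ct))
    print("with real key :", as_text(otp_decrypt(ct, key, 26)))
    fake = key_that_explains(ct, decoy, 26)
    print("equally valid :", as_text(otp_decrypt(ct, fake, 26)))
    # Breaking the "used only once" rule: a second message under the same key.
    ct2 = otp_encrypt(decoy, key, 26)
    print("key-free leak :", reuse_leak(ct, ct2, 26))
```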

Important note: one-time pads or one-time encryption is not to be confused with one-time keys (OTK) or one-time passwords (sometimes also denoted as OTP). Such one-time keys, limited in size, are only valid for a single encryption session by some crypto-algorithm under control of that key. Small one-time keys are by no means unbreakable, because the security of the encryption depends on the crypto algorithm they are used for.

Origins of One-time pad

The story of one-time pad starts in 1882, when the Californian banker Frank Miller compiles his “Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams”. Such codebooks were commonly used, mainly to reduce telegraph costs by compressing words and phrases into short number-codes or letter-codes. These codebooks provided little or no security. However, Miller’s codebook also provided instructions for a superencipherment (a second encipherment layer over the code) by a unique method: he added so-called shift-numbers (the key) to the plaincode (words, converted into a number) and defined the shift-numbers as a list of irregular numbers that should be erased after use and never be used again.

His codebook contained 14,000 words, phrases and blanks (for customizing) and if during enciphering the sum of plaincode and key exceeded 14,000, one had to subtract 14,000 from the sum. If during deciphering the ciphertext value was smaller than the key, one had to add 14,000 to the ciphertext and then subtract the key (this is basically a modulo 14,000 arithmetic). If the shift-numbers were randomly chosen and used once only, the modular arithmetic provided unbreakable encryption. Miller had invented the first ever one-time pad. Unfortunately, Miller’s perfect cipher never became generally known, got lost in the history of cryptography and never received the credit it deserved. It disappeared into oblivion almost as soon as it was invented, only to be rediscovered in archives in 2011.

Then, in 1917, AT&T research engineer Gilbert Vernam developed a system to encrypt teletype TTY communications. Although Vernam’s invention mathematically resembles Miller’s idea, he devised an electromechanical system, completely different to Miller’s pen-and-paper algorithm. Therefore, it seems unlikely that Vernam borrowed Miller’s idea. Vernam mixed a five-bit Baudot-coded punched paper tape, containing the message, with a second punched paper tape, the key, containing random five-bit values. To mix the punched tapes, a modulo 2 addition (later known as the Boolean XOR or Exclusive OR) was performed with relays, and the key tape ran synchronously on the sending and receiving TELEX machine. It was the first automated instant on-line encryption system.

Vernam realized that encryption with short key tapes (basically a poly-alphabetic cipher) would not provide enough security. Initially, Vernam used a mix of two key tape loops, with relatively prime length, creating one very long random key. Captain Joseph Mauborgne (later Chief of the U.S. Signal Corps) showed that even the double key tape system could not resist cryptanalysis if large volumes of message traffic were encrypted. Mauborgne concluded that only if the key tape is unpredictable, as long as the message and used only once, the message would be secure. Moreover, the encryption proved to be unbreakable. One-time encryption was reborn.
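
Vernam's five-bit XOR mixing and the two-loop key tape, modelled as an added example that is not part of the original page. The loop contents and the traffic are constructed five-bit values (not real Baudot code), and the loop lengths 5 and 7 are assumed for illustration. It shows that the combined key repeats after the product of the loop lengths, which is why traffic longer than that reuses key.

```python
from math import gcd

MASK = 0b11111  # five-bit symbols, as on the punched tape

def loop_keystream(loop_a, loop_b, length):
    """Key produced by two endlessly circulating tape loops, mixed by XOR."""
    return [(loop_a[i % len(loop_a)] ^ loop_b[i % len(loop_b)]) & MASK
            for i in range(length)]

def mix(symbols, keystream):
    """Modulo 2 addition (XOR) of message and key; the same call decrypts."""
    if len(keystream) < len(symbols):
        raise ValueError("key shorter than message")
    return [(s ^ k) & MASK for s, k in zip(symbols, keystream)]

def combined_length(loop_a, loop_b):
    """Symbols until both loops are back at their start: lcm of the lengths."""
    return len(loop_a) * len(loop_b) // gcd(len(loop_a), len(loop_b))

def smallest_period(seq):
    """Smallest shift p (up to half the length) with seq[i] == seq[i + p]."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None

def overlap(cipher, p):
    """XOR of ciphertext symbols p apart. When p is the key period the key
    cancels, leaving the XOR of the two plaintext symbols."""
    return [cipher[i] ^ cipher[i + p] for i in range(len(cipher) - p)]

# Constructed loops with relatively prime lengths 5 and 7: only 12 random
# symbols stand behind a key that looks 35 symbols long.
LOOP_A = [0b10110, 0b00101, 0b11100, 0b01001, 0b10011]
LOOP_B = [0b01110, 0b11001, 0b00011, 0b10100, 0b01010, 0b11111, 0b00110]
# Constructed traffic: 70 five-bit values, twice the combined key length.
TRAFFIC = [(3 * i + 1) % 32 for i in range(70)]

if __name__ == "__main__":
    key = loop_keystream(LOOP_A, LOOP_B, len(TRAFFIC))
    cipher = mix(TRAFFIC, key)
    period = combined_length(LOOP_A, LOOP_B)
    print("combined key length :", period)
    print("observed key period :", smallest_period(key))
    print("round trip ok       :", mix(cipher, key) == TRAFFIC)
    leaked = overlap(cipher, period)
    expected = [TRAFFIC[i] ^ TRAFFIC[i + period] for i in range(len(leaked))]
    print("key cancels         :", leaked == expected)
```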

NSA called Vernam’s 1919 one-time tape (OTT) patent “perhaps one of the most important in the history of cryptography”. AT&T marketed the Vernam system in the 1920s for commercial secure communications, albeit with little success. The production, distribution and consumption of enormous quantities of one-time tapes limited its use to fixed stations (headquarters or communications centers). It was not until the Second World War that the US Signal Corps widely used the OTT system for its high level teleprinter communications. However, three German cryptologists did immediately recognize the advantages of one-time encryption.

In the early 1920s, the German cryptologists Werner Kunze, Rudolf Schauffler and Erich Langlotz cryptanalysed French diplomatic traffic. These pencil-and-paper numerical codes used code books to convert words and phrases into digits. The French added a short repetitive numerical key (by modulo 10) to encrypt the code book values. The German cryptologists had no problem in breaking these short keys but realized that adding a unique random key digit to each individual code group digit would make the message unbreakable. They devised a system with paper sheets containing random digits, each digit to be used once only, and the sheets, of which there were only two copies (one for sender and one for receiver), should be destroyed after use. In fact, they re-invented Frank Miller’s 1882 system.

By 1923, the system was introduced in the German foreign office to protect their diplomatic correspondence (see image right). For the first time in history, diplomats had truly unbreakable encryption at their disposal. Later on, many variations on this pencil-and-paper system were devised. The name one-time pad (OTP) refers to small note pads with random digits or letters, usually printed in groups of five. For each new message, a new sheet is torn off. They are often printed as very small booklets or on microfilm for covert communications.

In 1943, one-time pads became the main cipher of the Special Operations Executive (SOE) to replace insecure poem based transposition ciphers and book ciphers. The system was used extensively during and after the Second World War by many intelligence organizations, sabotage and espionage units. The unbreakable encryption protects operatives and their contacts against decryption of their communications and disclosure of their identities. Such level of security cannot be guaranteed with other encryption systems during long-running operations because the opponent might have enough time to successfully decrypt the messages.

The Soviets relied heavily on OTPs and OTTs during and after the Second World War for their armed forces and intelligence organizations, making much of their vital communications virtually impenetrable. One of the systems the Soviets used for letters from and to their embassies was to remove only the sensitive words, names or phrases and replace them with “No 1”, “No 2”, and so on. Next, the sensitive text and corresponding numbering were encrypted with one-time pad and this ciphertext accompanied the letter. By encrypting only those sensitive parts they could greatly reduce the amount of ciphertext, work and time to process long letters.

On the right you find various different versions of one-time pads. The plastic pouch with one-time pad sheets and the table to convert text into digits were used by the East-German foreign intelligence service HVA. The Canadian intelligence service seized a miniature one-time pad booklet, a microdot reader and special lens, cleverly concealed in a toy truck that was brought into Canada by the young son of a foreign intelligence operative who entered the country to carry out espionage. The German one-time pad folder, used for official communications between Saigon and Berlin, consists of a sealed folder with one hundred one-time pad worksheets, numbered 6500 to 6599. Each sheet contains random numbers and enough space to write down the message and perform the calculations. The last image is part of a one-time pad, used by Aleksandr Dmitrievich Ogorodnik, a Soviet Foreign Ministry employee who committed espionage for the CIA. More at the webpage of Andrei Sinelnikov (in Russian).

Image: A miniature paper one-time pad. © Dirk Rijmenants

Image: Miniature one-time pads and conversion table from the former East German Intelligence agency HVA (Hauptverwaltung Aufklärung). © SAS Chiffrierdienst

Image: One-time pad booklet and microdot reader, concealed in a toy truck and used by an illegal agent that operated in Canada. © Canadian Security Intelligence Service

Image: German one-time sheets. Courtesy & Copyright © NSA Cryptologic Museum

Image: Part of a CIA one-time pad used by Aleksandr Ogorodnik (TRIGON). Source: KGB Archives

The early use of one-time pads is hardly mentioned in official documents (for obvious security reasons). Nevertheless, I came across documents from the India Office Records in the British Library. They show how the Bahrain Petroleum Company (BAPCO), a subsidiary of American Standard Oil of California that operated in the Persian Gulf, was given permission in 1943 to use one-time pads to communicate with its offices in New York. The pads were allocated to them by the U.S. Navy Department and vetted by the British Cipher Security Officer of PAIFORCE (Persia and Iraq Force, a British and Commonwealth military formation in the Middle East from 1942 to 1943). They show the official use of one-time letter pads by Political Residents of the British Imperial Civil Administration, the British Army, the Ministry of War Transport in London and the U.S. Navy, at least as early as 1943 and, surprisingly, even shared them with commercial firms. See also my piece on BAPCO’s Use of One-time Pads During WW2.

Paper One-time pads

The use of pencil-and-paper one-time pads is limited because of the practical and logistical issues and the low message volume it can process. One-time pads were widely used by foreign service communicators until the 1980s, often in combination with code books. These code books contained all kinds of words or entire phrases, which were represented by a three or four figure code. For special names or expressions, not listed in the codebook, there were codes included that represent one letter that allowed the spelling of words. There was a book to encode, sorted by alphabet and/or category, and a book to decode, sorted by numbers. These books were valid for a long period of time and were not only to encode the message – which would be a poor encryption method by itself – but especially to reduce its length for transmission over commercial cable or telex.

Once the message was converted into numbers, the communicator enciphered these numbers with the one-time pad. Usually there was a set of two different pads, one for incoming and one for outgoing messages. Although a one-time pad normally has only two copies of a key, one for sender and one for receiver, some systems used more than two copies to address multiple receivers. The pads were like note blocks with random numbers on each small page, but with the edges sealed. One could only read the next pad by tearing off the previous pad. Each pad was used only once and destroyed immediately. This system enabled absolutely secure communication. An excellent description of Canadian Foreign Service one-time pads is found on Jerry Proc’s website.

Intelligence agencies use one-time pads to communicate with their agents in the field. The perfect and long-term security protects the identity of covert agents, their assets and operations abroad. With one-time pad, spies don’t have to carry crypto systems or use insecure computer software. They can carry a large number of one-time pad keys in very small booklets, on microfilm or even printed on clothing. These are easy to hide and to destroy. One way to send one-time pad encrypted messages to agents in the field is via numbers stations. To do so, the message text is converted into digits prior to encryption.

A good example is the TAPIR table, used by the Stasi, the former East German intelligence agency. With the TAPIR table, the plain text is converted into figures by a table, similar to the straddling checkerboard, prior to encryption with one-time pad. The most frequent letters are converted into a single-digit value, and the other letters, commonly used bigrams, figures and signs are converted into double-digit values. Next, the digits are encrypted by subtracting the key from the plain text numbers. The TAPIR table suppresses peaks in digit frequency distribution and the irregular single and double digit values create fractionation. WR 80 is a carriage return. Bu 81 (Buchstaben) and Zi 82 (Ziffern) are used to switch between letters (yellow) and figures (green). ZwR 83 is a space. Code 84 is used as prefix for three-digit or four-digit codes, replacing long words or phrases, obtained from a codebook. Such codebooks can have an odd code numbering sequence, carefully selected to detect errors in the code numbers, as shown in this example codebook. More text-to-digit conversion methods at the Straddling Checkerboards page.

Documents, seized by the East-German intelligence Stasi, show detailed one-time pad procedures as used by CIA agents who operated in the former DDR. See also the Guide to Secure Communications with the One-time Pad Cipher (pdf) for detailed information about the use of manual one-time pads.

Image: TAPIR conversion table. © SAS und Chiffrierdienst

Below, on the left, a one-time pad booklet with Vigenere table from a Western agent, seized by the East-German MfS (Ministerium für Staatssicherheit or Stasi). The second image is a one-time pad sheet (preserved in a 35 mm slide frame) from an East-German agent, found by the West-German BfV (Bundesamt für Verfassungsschutz, the federal domestic intelligence). The right-most image is a one-time pad of a West agent, found by the MfS (also preserved in a 35 mm slide frame). The pad itself is only about 15 mm or 0.6 inch wide (thus even smaller than depicted) and virtually impossible to read with the naked eye! I even had difficulty photographing it clearly. Such miniature one-time pads were used by illegal agents, operating in foreign countries, and were hidden inside innocent looking household items like cigarette lighters, fake batteries or ashtrays (Detlev Freisleben collection).

Image: Letters-only one-time pad booklet with Vigenere table. © D. Rijmenants

Image: A standard 250 digits one-time pad (HVA-Stasi)

Image: Miniature pad. © D. Rijmenants

One-time pad based Crypto Machines

Until the 1980s, one-time-tapes were widely used to secure Telex communications. The Telex machines used Vernam’s original one-time-tape (OTT) principle. The system was simple but solid. It required two identical reels of punched paper tape with truly random five-bit values, the so-called one-time tapes. These were distributed beforehand to both sender and receiver. Usually, the message was prepared (punched) in plain onto paper tape. Next, the message was transmitted on a Telex machine with the help of a tape reader, and one copy of the secret one-time tape ran synchronously with the message tape on a second tape reader. Before exiting the machine, the five-bit signals of both tape readers were mixed by performing an Exclusive OR (XOR) function, thus scrambling the output. On the other end of the line, the scrambled signal entered the receiving machine and was mixed, again by XOR, with the second copy of the secret one-time tape. Finally, the resulting readable five-bit signal was printed or perforated on the receiving machine.
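
A small model of the two synchronized tape readers described above, as an added example that is not part of the original page. The class and function names are hypothetical, the messages are constructed five-bit values, and the OS CSPRNG is an assumed stand-in for a truly random tape. It shows the key being consumed in step on both ends, destroyed after use, and refusing to encrypt once the reel runs out.

```python
import secrets

class OneTimeTape:
    """One reel of five-bit key symbols. Symbols are wiped as they are read,
    which models destroying used tape (not a secure-erase guarantee)."""

    def __init__(self, symbols):
        self._reel = bytearray(symbols)
        self.position = 0

    def remaining(self):
        return len(self._reel) - self.position

    def read(self, n):
        if n > self.remaining():
            raise RuntimeError("key tape exhausted: message exceeds remaining key")
        chunk = bytes(self._reel[self.position:self.position + n])
        for i in range(self.position, self.position + n):
            self._reel[i] = 0          # used key is never available again
        self.position += n
        return chunk

def mix_with_tape(symbols, tape):
    """XOR each five-bit symbol with the next unused key symbol on the tape.
    The sending and the receiving machine both call this same function."""
    key = tape.read(len(symbols))
    return bytes((s ^ k) & 0x1F for s, k in zip(symbols, key))

def punch_key_reels(length):
    """Two identical reels, one for the sender and one for the receiver."""
    key = bytes(b & 0x1F for b in secrets.token_bytes(length))
    return OneTimeTape(key), OneTimeTape(key)

if __name__ == "__main__":
    sender, receiver = punch_key_reels(16)
    message = bytes([1, 2, 3, 4, 5, 6, 7, 8])        # constructed symbols
    line_signal = mix_with_tape(message, sender)      # scrambled on the wire
    printed = mix_with_tape(line_signal, receiver)    # readable again
    print("received correctly:", printed == message)
    print("key left on reel  :", sender.remaining())
    try:
        mix_with_tape(bytes(9), sender)               # 9 symbols, 8 left
    except RuntimeError as err:
        print("refused:", err)
```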

A unique advantage of the punched paper tape keys was that copying them quickly was virtually impossible. The long tapes (which were sealed in plastic before use) were on a reel and printed with serial numbers and other markings on the side. Unwinding the tape, copying it and rewinding it again with a perfectly aligned print was very unlikely to succeed, and such one-time tapes were therefore more secure than other key sheets, which could be copied quickly by taking a photo or writing them over by hand.

A famous example of one-time pad’s security is the Washington/Moscow hotline with the ETCRRM II, a standard commercial one-time tape mixer for Telex. Although simple and cheap, it provided absolute security and unbreakable communications between Washington and the Kremlin, without disclosing any secret crypto technology. Some other cipher machines that used the principle of one-time pad are the American TELEKRYPTON, SIGSALY (noise as one-time pad), B-2 PYTHON and SIGTOT, the British BID-590 NOREEN and 5-UCO, the Canadian ROCKEX, the Dutch ECOLEX series, the Swiss Hagelin CD-57 RT, CX-52 RT and T-55 with a superencipherment option, the German Siemens T-37-ICA and M-190, the East German T-304 LEGUAN, the Czech SD1, the Russian M-100 SMARAGD and M-105 N AGAT and the Polish T-352/T-353 DUDEK. There were also many teletype or ciphering device configurations in combination with a tape reader, for one-time tape encryption or superencipherment. The image below explains one-time tape encryption for Telex (TTY Murray).

Image: Teletype signal one-time tape encryption (5 Bit One-time tape encryption). © D. Rijmenants

  1. Reblogged this on TheFlippinTruth.


  2. DFWH permalink

    The old new but very safe.

