==Uses==

=== Applicability ===

Despite its problems, the one-time pad retains some practical interest. In some hypothetical espionage situations, the one-time pad might be useful because encryption and decryption can be computed by hand with only pencil and paper. Nearly all other high-quality ciphers are entirely impractical without computers. In the modern world, however, computers (such as those embedded in [[mobile phone]]s) are so ubiquitous that possessing a computer suitable for performing conventional encryption (for example, a phone that can run concealed cryptographic software) will usually not attract suspicion.

* The one-time pad is the optimum cryptosystem with theoretically perfect secrecy.<ref name="Shannon" />
* The one-time pad is one of the most practical methods of encryption where one or both parties must do all work by hand, without the aid of a computer. This made it important in the pre-computer era, and it could conceivably still be useful in situations where possession of a computer is illegal or incriminating, or where trustworthy computers are not available.
* One-time pads are practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.
* The one-time pad can be used in [[superencryption]].<ref>A "way to combine multiple block algorithms" so that "a cryptanalyst must break both algorithms" in §15.8 of ''Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C'' by Bruce Schneier. Wiley Computer Publishing, John Wiley & Sons, Inc.</ref>
* The algorithm most commonly associated with [[quantum key distribution]] is the one-time pad.<ref name=":1" />
* The one-time pad is mimicked by [[stream cipher]]s.<ref name=":0" />
* [[Numbers station]]s often send messages encrypted with a one-time pad.<ref name="Numbers Stations" />

=== Quantum and post-quantum cryptography ===

A common use of the one-time pad in [[quantum cryptography]] is in association with [[quantum key distribution]] (QKD). QKD is typically associated with the one-time pad because it provides a way of distributing a long shared secret key securely and efficiently (assuming the existence of practical [[quantum network]]ing hardware). A QKD algorithm uses properties of quantum mechanical systems to let two parties agree on a shared, uniformly random string. Algorithms for QKD, such as [[BB84]], are also able to determine whether an adversarial party has been attempting to intercept key material, and allow a shared secret key to be agreed upon with relatively few messages exchanged and relatively low computational overhead. At a high level, the schemes work by taking advantage of the destructive way quantum states are measured to exchange a secret and detect tampering. In the original BB84 paper, it was proven that the one-time pad, with keys distributed via QKD, is a [[Semantically-secure|perfectly secure]] encryption scheme.<ref name=":1">{{Cite journal |last1=Bennett |first1=Charles |last2=Brassard |first2=Giles |date=1984 |title=Quantum cryptography: Public key distribution and coin tossing |arxiv=2003.06557 |journal=Theoretical Computer Science |volume=560 |pages=7–11 |doi=10.1016/j.tcs.2014.05.025 |s2cid=27022972 }} Note: This paper was published originally in 1984, but was retracted, and the version on ArXiv is a reprint from 2014 of the 1984 paper.</ref> However, this result depends on the QKD scheme being implemented correctly in practice.
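The sifting and error-estimation steps described above, as an added classical simulation that is not part of the article and not code from the BB84 paper: each photon is modelled as a (bit, basis) pair, measuring in the wrong basis gives a random outcome and destroys the original state, and an intercept-and-resend eavesdropper is optional. The function names (`run_bb84`, `qkd_key_or_abort`), the noiseless channel and the zero error threshold are this example's own assumptions.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate bases used by BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as (bit, prep_basis) in meas_basis.

    A matching basis reads the prepared bit exactly; a mismatched basis yields
    a fair coin flip and leaves the photon in the measuring basis, so the
    original state cannot be recovered afterwards.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n_photons, eavesdrop, seed=0, sample_fraction=0.5):
    """Simulate one BB84 session (idealised, noiseless channel).

    Returns (alice_key, bob_key, qber): the key bits each side keeps after
    sifting and sampling, and the error rate observed on the sacrificed sample.
    """
    rng = random.Random(seed)

    # 1. Alice picks a random bit and a random basis for every photon she sends.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]

    # 2. Channel. Optionally Eve intercepts each photon, measures it in a
    #    guessed basis, and resends a photon in that basis carrying her result.
    channel = []
    for bit, basis in zip(alice_bits, alice_bases):
        if eavesdrop:
            eve_basis = rng.randrange(2)
            channel.append((measure(bit, basis, eve_basis, rng), eve_basis))
        else:
            channel.append((bit, basis))

    # 3. Bob measures every photon in an independently chosen random basis.
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(b, pb, mb, rng) for (b, pb), mb in zip(channel, bob_bases)]

    # 4. Sifting over the public channel: bases (never bits) are compared and
    #    positions where Alice and Bob used different bases are discarded.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # 5. Error estimation: a random subset of sifted positions is revealed in the
    #    clear and then discarded. Intercept-resend disturbs 1/4 of the sifted
    #    bits on average, so disagreements expose the eavesdropper.
    sample = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    errors = sum(1 for i in sample if alice_bits[i] != bob_bits[i])
    qber = errors / len(sample) if sample else 0.0

    keep = [i for i in sifted if i not in sample]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep], qber


def qkd_key_or_abort(n_photons, eavesdrop, seed=0, max_qber=0.0):
    """Accept the key only if the sampled error rate is within tolerance.

    A real system tolerates some channel noise (max_qber > 0) and then applies
    error correction and privacy amplification to the surviving bits; this
    noiseless model (an assumption of the example) uses a threshold of zero.
    Returns (key_or_None, qber).
    """
    alice_key, _bob_key, qber = run_bb84(n_photons, eavesdrop, seed)
    if qber > max_qber:
        return None, qber
    return alice_key, qber


if __name__ == "__main__":
    key, qber = qkd_key_or_abort(4000, eavesdrop=False)
    print(f"no eavesdropper: qber={qber:.3f}, key bits={len(key)}")
    key, qber = qkd_key_or_abort(4000, eavesdrop=True)
    print(f"intercept-resend: qber={qber:.3f}, key={'aborted' if key is None else 'accepted'}")
```

Roughly half the photons survive sifting and half of those are spent on error estimation, so about a quarter of the photons sent become key bits. The detection relies on the disturbance being visible in the sample; the beam-splitting attack described below evades it precisely by measuring surplus photons instead of the ones Bob receives.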
Attacks on real-world QKD systems exist. For instance, many systems do not send a single photon (or other object in the desired quantum state) per bit of the key because of practical limitations, and an attacker could intercept and measure some of the photons associated with a message, gaining information about the key (i.e. leaking information about the pad), while passing along unmeasured photons corresponding to the same bit of the key.<ref>{{Cite journal |last1=Dušek |first1=Miloslav |last2=Haderka |first2=Ondřej |last3=Hendrych |first3=Martin |date=1999-10-01 |title=Generalized beam-splitting attack in quantum cryptography with dim coherent states |url=https://www.sciencedirect.com/science/article/pii/S0030401899004198 |journal=Optics Communications |language=en |volume=169 |issue=1 |pages=103–108 |doi=10.1016/S0030-4018(99)00419-8 |bibcode=1999OptCo.169..103D |issn=0030-4018|url-access=subscription }}</ref>

Combining QKD with a one-time pad can also loosen the requirements for key reuse. In 1982, [[Charles H. Bennett (physicist)|Bennett]] and [[Gilles Brassard|Brassard]] showed that if a QKD protocol does not detect that an adversary was trying to intercept an exchanged key, then the key can safely be reused while preserving perfect secrecy.<ref>{{Cite journal |last1=Bennett |first1=Charles |last2=Brassard |first2=Giles |last3=Breidbart |first3=Seth |date=2014 |title=Quantum Cryptography II: How to re-use a one-time pad safely even if P=NP |journal=Natural Computing |volume=13 |issue=4 |pages=453–458|doi=10.1007/s11047-014-9453-6 |pmid=25400534 |pmc=4224740 |s2cid=3121156 }} Note: This is also a reprint of the original 1982 paper.</ref>

The one-time pad is an example of post-quantum cryptography, because perfect secrecy is a definition of security that does not depend on the computational resources of the adversary. Consequently, an adversary with a quantum computer would still not be able to gain any more information about a message encrypted with a one-time pad than an adversary with just a classical computer.

=== Historical uses ===

One-time pads have been used in special circumstances since the early 1900s. In 1923, they were employed for diplomatic communications by the German diplomatic establishment.<ref>{{cite book| last=Kahn| first=David| title=The Codebreakers| publisher=[[Macmillan Publishers (United States)|Macmillan]]| year=1996| isbn=978-0-684-83130-5| pages=402–3 |author-link=David Kahn (writer)| title-link=The Codebreakers}}</ref> The [[Weimar Republic]] Diplomatic Service began using the method in about 1920. The breaking of poor [[Union of Soviet Socialist Republics|Soviet]] cryptography by the [[United Kingdom|British]], with messages made public for political reasons in two instances in the 1920s ([[All Russian Co-operative Society#The Arcos Affair of 1927|ARCOS case]]), appears to have caused the Soviet Union to adopt one-time pads for some purposes by around 1930. [[KGB]] spies are also known to have used pencil-and-paper one-time pads more recently. Examples include Colonel [[Rudolf Abel]], who was arrested and convicted in [[New York City]] in the 1950s, and the 'Krogers' (i.e., [[Morris Cohen (spy)|Morris]] and [[Lona Cohen]]), who were arrested and convicted of espionage in the [[United Kingdom]] in the early 1960s. Both were found with physical one-time pads in their possession.

A number of nations have used one-time pad systems for their sensitive traffic. [[Leo Marks]] reports that the British [[Special Operations Executive]] used one-time pads in World War II to encode traffic between its offices. One-time pads for use with its overseas agents were introduced late in the war.<ref name="marks" /> A few British one-time tape cipher machines include the [[Rockex]] and [[Noreen]].
The German [[Stasi]] Sprach Machine was also capable of using one-time tape, which East Germany, Russia, and even Cuba used to send encrypted messages to their agents.<ref name="Sprach Machine">{{cite news |title=Stasi Sprach Morse Machine |url=http://www.numbers-stations.com/sprach-machine |publisher=The Numbers Stations Research and Information Center |access-date=March 1, 2015 |url-status = dead|archive-url=https://web.archive.org/web/20150313143905/http://www.numbers-stations.com/sprach-machine |archive-date=March 13, 2015 |df=mdy-all }}</ref>

The [[World War II]] voice [[scrambler]] [[SIGSALY]] was also a form of one-time system. It added noise to the signal at one end and removed it at the other end. The noise was distributed to the channel ends in the form of large shellac records that were manufactured in unique pairs. There were both starting synchronization and longer-term phase drift problems that arose and had to be solved before the system could be used.<ref>{{Cite web |date=2019-02-24 |title=National Security Agency {{!}} Central Security Service > About Us > Cryptologic Heritage > Historical Figures and Publications > Publications > WWII > Sigsaly Story |url=https://www.nsa.gov/about/cryptologic-heritage/historical-figures-publications/publications/wwii/sigsaly-story/ |access-date=2022-03-27 |archive-url=https://web.archive.org/web/20190224044402/https://www.nsa.gov/about/cryptologic-heritage/historical-figures-publications/publications/wwii/sigsaly-story/ |archive-date=2019-02-24 }}</ref>

The [[Moscow-Washington hotline|hotline]] between [[Moscow]] and [[Washington, D.C.]], established in 1963 after the 1962 [[Cuban Missile Crisis]], used [[teleprinter]]s protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via its embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.<ref> {{cite book| last=Kahn| first=David| title=The Codebreakers| publisher=[[Macmillan Publishers (United States)|Macmillan]]| year=1967| isbn=978-0-684-83130-5| pages=715 ff |author-link=David Kahn (writer)| title-link=The Codebreakers}} </ref>

U.S. Army Special Forces used one-time pads in Vietnam. By using Morse code with one-time pads and continuous wave radio transmission (the carrier for Morse code), they achieved both secrecy and reliable communications.<ref>{{cite journal |last1=Hieu |first1=Phan Duong |title=Cryptology during the French and American Wars in Vietnam |journal=Cryptologia |date=April 2007 |volume=41 |issue=6 |pages=1–21 |doi=10.1080/01611194.2017.1292825 |s2cid=3780267 |url=https://eprint.iacr.org/2016/1136.pdf |access-date=14 April 2020}}</ref>

Starting in 1988, the [[African National Congress]] (ANC) used disk-based one-time pads as part of a [[secure communication]] system between ANC leaders outside [[South Africa]] and in-country operatives as part of Operation Vula,<ref>"[http://www.radionetherlandsarchives.org/operation-vula-a-secret-dutch-network-against-apartheid/ Operation Vula: a secret Dutch network against apartheid]", Radio Netherlands Archives, September 9, 1999</ref> a successful effort to build a resistance network inside South Africa. Random numbers on the disk were erased after use. A Belgian flight attendant acted as courier to bring in the pad disks. A regular resupply of new disks was needed, as they were used up fairly quickly. One problem with the system was that it could not be used for secure data storage. Later Vula added a stream cipher keyed by book codes to solve this problem.<ref> {{Cite journal |first = Tim |last = Jenkin |date = May–October 1995 |title = Talking to Vula: The Story of the Secret Underground Communications Network of Operation Vula |quote = Our system was based on the one-time pad, though instead of having paper pads the random numbers were on a disk. |journal = Mayibuye |url = http://www.anc.org.za/show.php?id=4693 |access-date = 24 August 2014 |url-status = dead|archive-url = https://web.archive.org/web/20140826115901/http://www.anc.org.za/show.php?id=4693 |archive-date = 2014-08-26 }}</ref>

A related notion is the [[code (cryptography)#One-time code|one-time code]], a signal used only once; e.g., "Alpha" for "mission completed", "Bravo" for "mission failed" or even "Torch" for "[[Operation Torch|Allied invasion of French Northern Africa]]".<ref>{{cite book |title=The Secret Wireless War – The story of MI6 Communications 1939-1945 |last = Pidgeon |first = Geoffrey |publisher = UPSO Ltd |isbn = 978-1-84375-252-3 |page = 249 |chapter = Chapter 28: Bill Miller – Tea with the Germans |year = 2003 }}</ref> Such a signal cannot be "decrypted" in any reasonable sense of the word. Understanding the message will require additional information, often 'depth' of repetition, or some [[traffic analysis]]. However, such strategies (though often used by real operatives, and [[baseball]] coaches)<ref>{{cite web |last1=Johnson |first1=Tim |title=What do all those hand signals mean? Inside the hidden language of baseball and softball |url=https://www.wausaudailyherald.com/story/sports/high-school/baseball/2018/04/24/what-do-all-those-hand-signals-mean-inside-hidden-language-baseball-and-softball/534843002/ |access-date=14 June 2024}}</ref> are not a cryptographic one-time pad in any significant sense.

===NSA===

At least into the 1970s, the U.S. [[National Security Agency]] (NSA) produced a variety of manual one-time pads, both general purpose and specialized, with 86,000 one-time pads produced in fiscal year 1972. Special-purpose pads were produced for what the NSA called "pro forma" systems, where "the basic framework, form or format of every message text is identical or nearly so; the same kind of information, message after message, is to be presented in the same order, and only specific values, like numbers, change with each message." Examples included nuclear launch messages and radio direction finding reports (COMUS).<ref name=boaklectures1>{{Cite book |last = Boak |first = David G. |title = A History of U.S. Communications Security; the David G. Boak Lectures, Vol. I |orig-year = 1966 |url = https://www.governmentattic.org/18docs/Hist_US_COMSEC_Boak_NSA_1973u.pdf |access-date = 2017-04-23 |edition = 2015 declassification review |date = July 1973 |publisher = U.S. National Security Agency |location = Ft. George G. Meade, MD |url-status = dead |archive-url = https://web.archive.org/web/20170525181251/http://www.governmentattic.org/18docs/Hist_US_COMSEC_Boak_NSA_1973u.pdf |archive-date = 2017-05-25 }}</ref>{{rp|pp. 16–18}}

General-purpose pads were produced in several formats: a simple list of random letters (DIANA) or just numbers (CALYPSO), tiny pads for covert agents (MICKEY MOUSE), and pads designed for more rapid encoding of short messages, at the cost of lower density. One example, ORION, had 50 rows of plaintext alphabets on one side and the corresponding random ciphertext letters on the other side. By placing a sheet on top of a piece of [[carbon paper]] with the carbon face up, one could circle one letter in each row on one side and the corresponding letter on the other side would be circled by the carbon paper. Thus one ORION sheet could quickly encode or decode a message up to 50 characters long. Production of ORION pads required printing both sides in exact registration, a difficult process, so NSA switched to another pad format, MEDEA, with 25 rows of paired alphabets and random characters. (''See'' [[Commons:Category:NSA one-time pads]] for illustrations.)

The NSA also built automated systems for the "centralized headquarters of CIA and Special Forces units so that they can efficiently process the many separate one-time pad messages to and from individual pad holders in the field".<ref name=boaklectures1 />{{rp|pp. 21–26}}

During World War II and into the 1950s, the U.S. made extensive use of one-time tape systems. In addition to providing confidentiality, circuits secured by one-time tape ran continually, even when there was no traffic, thus protecting against [[traffic analysis]]. In 1955, NSA produced some 1,660,000 rolls of one-time tape. Each roll was 8 inches in diameter, contained 100,000 characters, lasted 166 minutes and cost $4.55 to produce. By 1972, only 55,000 rolls were produced, as one-time tapes were replaced by [[rotor machine]]s such as SIGTOT, and later by electronic devices based on [[shift registers]].<ref name=boaklectures1 />{{rp|pp. 39–44}} The NSA describes one-time tape systems like [[5-UCO]] and SIGTOT as being used for intelligence traffic until the introduction of the electronic cipher based [[KW-26]] in 1957.<ref>{{cite web| url=http://www.nsa.gov/publications/publi00017.pdf| title=Securing Record Communications: The TSEC/KW-26| year=2003| access-date=2006-05-12| first=Melville| last=Klein| publisher=NSA |archive-url = https://web.archive.org/web/20060213165531/http://www.nsa.gov/publications/publi00017.pdf <!-- Bot retrieved archive --> |archive-date = 2006-02-13}}</ref>

===Exploits===

While one-time pads provide perfect secrecy if generated and used properly, small mistakes can lead to successful cryptanalysis:

* In 1944–1945, the [[U.S. Army]]'s [[Signals Intelligence Service]] was able to solve a one-time pad system used by the German Foreign Office for its high-level traffic, codenamed GEE.<ref>Erskine, Ralph, "Enigma's Security: What the Germans Really Knew", in ''Action this Day'', edited by Ralph Erskine and Michael Smith, pp. 370–386, 2001.</ref> GEE was insecure because the pads were not sufficiently random: the machine used to generate the pads produced predictable output.
* In 1945, the US discovered that [[Canberra]]–[[Moscow]] messages were being encrypted first using a code-book and then using a one-time pad. However, the one-time pad used was the same one used by Moscow for [[Washington, D.C.]]–Moscow messages. Combined with the fact that some of the Canberra–Moscow messages included known British government documents, this allowed some of the encrypted messages to be broken.{{citation needed|date=June 2021}}
* One-time pads were employed by [[Soviet Union|Soviet]] espionage agencies for covert communications with agents and agent controllers. Analysis has shown that these pads were generated by typists using actual typewriters. This method is not truly random, as it makes the pads more likely to contain certain convenient key sequences more frequently. It proved generally effective nonetheless, because the pads were still somewhat unpredictable: the typists were not following rules, and different typists produced different patterns of pads. Without copies of the key material used, only some defect in the generation method or reuse of keys offered much hope of cryptanalysis. Beginning in the late 1940s, US and UK intelligence agencies were able to break some of the Soviet one-time pad traffic to [[Moscow]] during WWII as a result of errors made in generating and distributing the key material. One suggestion is that Moscow Centre personnel were somewhat rushed by the presence of German troops just outside Moscow in late 1941 and early 1942, and they produced more than one copy of the same key material during that period. This decades-long effort was finally codenamed [[Venona project|VENONA]] (BRIDE had been an earlier name); it produced a considerable amount of information. Even so, only a small percentage of the intercepted messages were either fully or partially decrypted (a few thousand out of several hundred thousand).<ref name=":2">{{cite news|title=The Venona Translations|url=http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf|work=The Venona Story|publisher=[[National Security Agency]]|location=[[Fort Meade, Maryland]]|date=2004-01-15|page=17th (of 63 in PDF) but marked 15|access-date=2009-05-03|archive-url=https://web.archive.org/web/20090510052927/http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf|archive-date=2009-05-10|quote=Arlington Hall's ability to read the VENONA messages was spotty, being a function of the underlying code, key changes, and the lack of volume. Of the message traffic from the KGB New York office to Moscow, 49 percent of the 1944 messages and 15 percent of the 1943 messages were readable, but this was true of only 1.8 percent of the 1942 messages. For the 1945 KGB Washington office to Moscow messages, only 1.5 percent were readable. About 50 percent of the 1943 GRU-Naval Washington to Moscow/Moscow to Washington messages were read but none from any other year.|url-status = dead}}</ref>
* The one-time tape systems used by the U.S. employed electromechanical mixers to combine bits from the message and the one-time tape. These mixers radiated considerable electromagnetic energy that could be picked up by an adversary at some distance from the encryption equipment. This effect, first noticed by [[Bell Labs]] during World War II, could allow interception and recovery of the plaintext of messages being transmitted, a vulnerability code-named [[Tempest (codename)|Tempest]].<ref name=boaklectures1 />{{rp|pp. 89 ff}}
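The key-reuse failures in the list above (the shared Canberra–Moscow and Washington–Moscow pad, and the duplicated VENONA key material), shown as an added example that is not part of the article: the pad is a byte string combined by XOR, which behaves exactly like the letter-wise addition of a paper pad. The messages, pad pages and the `PadLedger` class are constructed for this illustration; the ledger models the operational rule that every pad page is consumed once and then destroyed, as Operation Vula did with its disks.

```python
import secrets


def xor_bytes(a, b):
    """Combine two equal-length byte strings; this is the whole cipher."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad, plaintext):
    """Encrypt (and, because XOR is its own inverse, decrypt) with a pad."""
    return xor_bytes(pad, plaintext)


def pad_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a pad that maps it to this ciphertext, so one ciphertext
    on its own says nothing about which plaintext was sent."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reuse_leak(c1, c2):
    """Two ciphertexts under the same pad: c1 XOR c2 == p1 XOR p2.
    The pad cancels out and the residue depends only on the two messages."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1, c2, known_p1):
    """The Canberra-Moscow situation: once one plaintext is known (a published
    government document) and the pad was reused, the other message follows."""
    return xor_bytes(reuse_leak(c1, c2), known_p1)


class PadLedger:
    """Control that makes reuse impossible by construction: each pad page is
    issued exactly once and the key bytes are discarded after use."""

    def __init__(self, pages):
        self._pages = dict(pages)  # page id -> pad bytes (constructed inline)
        self.used = set()

    def encrypt(self, page_id, plaintext):
        if page_id in self.used:
            raise RuntimeError(f"pad page {page_id!r} already consumed")
        if page_id not in self._pages:
            raise KeyError(f"no unused pad page {page_id!r}")
        # pop() removes the key material so it cannot be read back later
        ciphertext = otp_encrypt(self._pages.pop(page_id), plaintext)
        self.used.add(page_id)
        return ciphertext


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1 = b"REPORT RECEIVED OK"
    p2 = b"SEND NEXT PAD DISK"
    pad = secrets.token_bytes(len(p1))

    # The mistake: one pad, two messages.
    c1, c2 = otp_encrypt(pad, p1), otp_encrypt(pad, p2)
    print("c1 ^ c2 == p1 ^ p2:", reuse_leak(c1, c2) == xor_bytes(p1, p2))
    print("second message from the first:", recover_other_plaintext(c1, c2, p1))

    # With a single use, every same-length plaintext is equally plausible.
    print("pad that would explain a decoy:", pad_explaining(c1, b"NOTHING TO REPORT!").hex())

    # The control: the ledger refuses the second use of a page.
    ledger = PadLedger({"page-07": secrets.token_bytes(len(p1))})
    ledger.encrypt("page-07", p1)
    try:
        ledger.encrypt("page-07", p2)
    except RuntimeError as err:
        print("ledger refused:", err)
```

Note that `reuse_leak` needs no knowledge of the pad at all: the generation defect (GEE, the typed Soviet pads) and the reuse error are separate failures, and the second one is fatal even when the pad was generated perfectly.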