One-time pad
== Example ==
Suppose [[Alice and Bob|Alice]] wishes to send the message <code>hello</code> to [[Alice and Bob|Bob]]. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged for in advance, as for instance "use the 12th sheet on 1 May", or "use the next available sheet for the next message".

The material on the selected sheet is the ''key'' for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. (It is common, but not required, to [[Character encoding|assign each letter a numerical value]], e.g., <code>a</code> is 0, <code>b</code> is 1, and so on.)

In this example, the technique is to combine the key and the message using [[modular arithmetic|modular addition]], not unlike the [[Vigenère cipher]]. The numerical values of corresponding message and key letters are added together, modulo 26. So, if key material begins with <code>XMCKL</code> and the message is <code>hello</code>, then the coding would be done as follows:

        h       e       l       l       o  message
    7 (h)   4 (e)  11 (l)  11 (l)  14 (o)  message
 + 23 (X)  12 (M)   2 (C)  10 (K)  11 (L)  key
 = 30      16      13      21      25      message + key
 =  4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)  (message + key) mod 26
        E       Q       N       V       Z  → ciphertext

If a number is larger than 25, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if the computations "go past" Z, the sequence starts again at A.

The ciphertext to be sent to Bob is thus <code>EQNVZ</code>. Bob uses the matching key page and the same process, but in reverse, to obtain the [[plaintext]].
Here the key is ''subtracted'' from the ciphertext, again using modular arithmetic:

        E       Q       N       V       Z  ciphertext
    4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)  ciphertext
 − 23 (X)  12 (M)   2 (C)  10 (K)  11 (L)  key
 = −19      4      11      11      14      ciphertext − key
 =  7 (h)   4 (e)  11 (l)  11 (l)  14 (o)  ciphertext − key (mod 26)
        h       e       l       l       o  → message

Similar to the above, if a number is negative, then 26 is added to make the number zero or higher.

Thus Bob recovers Alice's plaintext, the message <code>hello</code>. Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher. The [[KGB]] often issued its [[espionage|agents]] one-time pads printed on tiny sheets of flash paper, paper chemically converted to [[nitrocellulose]], which burns almost instantly and leaves no ash.<ref>{{cite book |author=Robert Wallace and H. Keith Melton, with Henry R. Schlesinger |url=https://archive.org/details/spycraftsecrethi00wall_0/page/436 |title=Spycraft: The Secret History of the CIA's Spytechs, from Communism to al-Qaeda |publisher=[[Dutton Penguin|Dutton]] |year=2008 |isbn=978-0-525-94980-0 |location=New York |page=436}}</ref>

The classical one-time pad of espionage used actual pads of minuscule, easily concealed paper, a sharp pencil, and some [[mental arithmetic]]. The method can be implemented now as a software program, using data files as input (plaintext), output (ciphertext) and key material (the required random sequence). The [[exclusive or]] (XOR) operation is often used to combine the plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and is therefore very fast. It is, however, difficult to ensure that the key material is actually random, is used only once, never becomes known to the opposition, and is completely destroyed after use.
The auxiliary parts of a software one-time pad implementation present real challenges: secure handling/transmission of plaintext, truly random keys, and one-time-only use of the key.

=== Attempt at cryptanalysis ===
To continue the example from above, suppose Eve intercepts Alice's ciphertext: <code>EQNVZ</code>. If Eve tried every possible key, she would find that the key <code>XMCKL</code> would produce the plaintext <code>hello</code>, but she would also find that the key <code>TQURI</code> would produce the plaintext <code>later</code>, an equally plausible message:

    4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)  ciphertext
 − 19 (T)  16 (Q)  20 (U)  17 (R)   8 (I)  possible key
 = −15      0      −7       4      17      ciphertext-key
 = 11 (l)   0 (a)  19 (t)   4 (e)  17 (r)  ciphertext-key (mod 26)

In fact, it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext that will allow Eve to choose among the various possible readings of the ciphertext.<ref name="schneierotp">{{cite web |last=Schneier |first=Bruce |title=One-Time Pads |url=http://www.schneier.com/crypto-gram-0210.html#7 |url-status=live |archive-url=https://web.archive.org/web/20050403200231/http://www.schneier.com/crypto-gram-0210.html#7 |archive-date=2005-04-03}}</ref>

If the key is not truly random, it is possible to use statistical analysis to determine which of the plausible keys is the "least" random and therefore more likely to be the correct one. If a key is reused, it will noticeably be the only key that produces sensible plaintexts from both ciphertexts (the chances of some random ''incorrect'' key also producing two sensible plaintexts are very slim).
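
The worked example and the cryptanalysis attempt above, as an added Python example that is not part of the original article; all function names are assumptions chosen here. It reproduces the <code>hello</code> / <code>XMCKL</code> / <code>EQNVZ</code> values, shows that a key exists for any same-length guess such as <code>later</code>, and goes one step beyond the text by showing why a reused sheet is fatal: the key cancels out of the difference of the two ciphertexts.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # a = 0, b = 1, ... z = 25, as in the article

def _values(text):
    # Letters only; anything else raises ValueError from str.index.
    return [ALPHABET.index(ch) for ch in text.upper()]

def _combine(left, right, sign):
    # Letter-wise (left + sign * right) mod 26.
    if len(right) < len(left):
        raise ValueError("second operand is shorter than the first")
    pairs = zip(_values(left), _values(right))
    return "".join(ALPHABET[(a + sign * b) % 26] for a, b in pairs)

def new_sheet(length):
    # Constructed helper: one pad sheet drawn from the OS CSPRNG.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def encrypt(message, key):
    return _combine(message, key, +1)

def decrypt(ciphertext, key):
    return _combine(ciphertext, key, -1).lower()

def key_for(ciphertext, guess):
    # The key under which `ciphertext` reads as `guess`; one always exists.
    if len(guess) != len(ciphertext):
        raise ValueError("guess must match the ciphertext length")
    return _combine(ciphertext, guess, -1)

def difference(first, second):
    # With a reused sheet the key cancels: c1 - c2 = p1 - p2 (mod 26).
    return _combine(first, second, -1)

if __name__ == "__main__":
    c1 = encrypt("hello", "XMCKL")
    print(c1, decrypt(c1, "XMCKL"))      # the article's worked example
    print(key_for(c1, "later"))          # the alternative key from the article
    c2 = encrypt("later", "XMCKL")       # constructed second message, same sheet
    print(difference(c1, c2) == difference("hello", "later"))
```
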