Editing One-time pad (section)

== Problems ==
Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice because it requires:
* Truly random, as opposed to [[Pseudorandomness|''pseudorandom'']], one-time pad values, which is a non-trivial requirement. [[Random number generation]] in computers is often difficult, and [[pseudorandom number generator]]s are often used for their speed and usefulness for most applications. [[True random number generator]]s exist, but are typically slower and more specialized.
* Secure generation and exchange of the one-time pad values, which must be at least as long as the message. This is important because the security of the one-time pad depends on the security of the one-time pad exchange. If an attacker is able to intercept the one-time pad value, they can decrypt messages sent using the one-time pad.<ref name="schneierotp" />
* Careful treatment to make sure that the one-time pad values continue to remain secret and are disposed of correctly, preventing any reuse (partially or entirely)—hence "one-time". Problems with [[data remanence]] can make it difficult to completely erase computer media.

One-time pads solve few current practical problems in cryptography. High-quality [[cipher]]s are widely available and their security is not currently considered a major worry.<ref>{{cite book   | title = The Block Cipher Companion | author1 = Lars R. Knudsen | author2 = Matthew Robshaw |  name-list-style = amp | publisher = Springer Science & Business Media |url = https://books.google.com/books?id=YiZKt_FcmYQC&q=security+concerns+for+high+quality+cipher&pg=PA11 | date = 2011 | pages =  1–14 | isbn =  978-3642173424 | access-date = 26 July 2017 }}</ref> Such ciphers are almost always easier to employ than one-time pads because the amount of key material that must be properly and securely generated, distributed and stored is far smaller.<ref name="schneierotp" /> Additionally, [[public key cryptography]] overcomes the problem of key distribution.

===True randomness===
High-quality random numbers are difficult to generate.  The random number generation functions in most [[programming language]] libraries are not suitable for cryptographic use. Even those generators that are suitable for normal cryptographic use, including [[/dev/random]] and many [[hardware random number generator]]s, may make some use of cryptographic functions whose security has not been proven. An example of a technique for generating pure randomness is measuring [[Radioactive decay|radioactive emissions]].<ref>{{Cite book|title=The Code Book|last=Singh|first=Simon|publisher=Anchor Books|year=2000|isbn=978-0-385-49532-5|location=United States|pages=[https://archive.org/details/codebook00simo/page/123 123]|url=https://archive.org/details/codebook00simo/page/123}}</ref>

In particular, one-time use is absolutely necessary. For example, if <math>p_1</math> and <math>p_2</math> represent two distinct plaintext messages and they are each encrypted by a common key <math>k</math>, then the respective ciphertexts are given by:

:<math>c_1 = p_1 \oplus k</math>
:<math>c_2 = p_2 \oplus k</math>

where <math>\oplus</math> means [[XOR]]. If an attacker were to have both ciphertexts <math>c_1</math> and <math>c_2</math>, then simply taking the [[XOR]] of <math>c_1</math> and <math>c_2</math> yields the [[XOR]] of the two plaintexts <math>p_1 \oplus p_2</math>. (This is because taking the [[XOR]] of the common key <math>k</math> with itself yields a constant bitstream of zeros.)  <math>p_1 \oplus p_2</math> is then the equivalent of a running key cipher.{{cn|date=December 2023}}

If both plaintexts are in a [[natural language]] (e.g., English or Russian), each stands a very high chance of being recovered by [[heuristic]] cryptanalysis, with possibly a few ambiguities. Of course, a longer message can only be broken for the portion that overlaps a shorter message, plus perhaps a little more by completing a word or phrase. The most famous exploit of this vulnerability occurred with the [[Venona project]].<ref name="nsa">{{cite news|title=The Translations and KGB Cryptographic Systems|url=http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf|work=The Venona Story|publisher=[[National Security Agency]]|location=[[Fort Meade, Maryland]]|date=2004-01-15|pages=26–27 (28–29th of 63 in PDF)|access-date=2009-05-03|archive-url=https://web.archive.org/web/20090510052927/http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf|archive-date=2009-05-10|quote=KGB's cryptographic material manufacturing center in the Soviet Union apparently reused some of the pages from one-time pads. This provided [[Arlington Hall]] with an opening.|url-status = dead}}</ref>

===Key distribution===
{{further|Key distribution}}

Because the pad, like all [[shared secret]]s, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using a one-time pad, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely).<ref name="schneierotp"/> However, once a very long pad has been securely sent (e.g., a computer disk full of random data), it can be used for numerous future messages, until the sum of the messages' sizes equals the size of the pad. [[Quantum key distribution]] also proposes a solution to this problem, assuming [[Fault tolerance|fault-tolerant]] quantum computers.

Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk.<ref name="Numbers Stations"/> The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is far too difficult for humans to remember. Storage media such as [[thumb drive]]s, [[DVD-R]]s or personal [[digital audio player]]s can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem. Such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). A 4.7&nbsp;GB DVD-R full of one-time-pad data, if shredded into particles {{Convert|1|mm2||abbr=on}} in size, leaves over 4 [[megabit]]s of data on each particle. {{citation needed|date=November 2010}} In addition, the risk of compromise during transit (for example, a [[pickpocket]] swiping, copying and replacing the pad) is likely to be much greater in practice than the likelihood of compromise for a cipher such as [[Advanced Encryption Standard|AES]]. Finally, the effort needed to manage one-time pad key material [[Scalability|scales]] very badly for large networks of communicants—the number of pads required goes up as the [[Quadratic growth|square]] of the number of users freely exchanging messages. For communication between only two persons, or a [[star network]] topology, this is less of a problem.

The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent.<ref name="Numbers Stations"/> Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to [[computer forensics|forensic recovery]] than the transient plaintext it protects (because of possible data remanence).

===Authentication===
As traditionally used, one-time pads provide no [[authentication|message authentication]], the lack of which can pose a security threat in real-world systems. For example, an attacker who knows that the message contains "meet jane and me tomorrow at three thirty pm" can derive the corresponding codes of the pad directly from the two known elements (the encrypted text and the known plaintext). The attacker can then replace that text by any other text of exactly the same length, such as "three thirty meeting is cancelled, stay home". The attacker's knowledge of the one-time pad is limited to this byte length, which must be maintained for any other content of the message to remain valid. This is different from [[malleability (cryptography)|malleability]]<ref>{{cite book|url=https://books.google.com/books?id=ySZwUT4nyPsC&q=malleable+one+time+pad&pg=PR1|title=Information Theoretic Security: Third International Conference, ICITS 2008, Calgary, Canada, August 10–13, 2008, Proceedings|first=Reihaneh|last=Safavi-Naini|year=2008|publisher=Springer Science & Business Media|via=Google Books|isbn=978-3540850922}}</ref> where the plaintext is not necessarily known. Without knowing the message, the attacker can also flip bits in a message sent with a one-time pad, without the recipient being able to detect it. Because of their similarities, attacks on one-time pads are similar to [[Stream cipher attacks|attacks on stream ciphers]].<ref name=":0">{{Cite web |last=Boneh |first=Dan |title=Attacks on Stream Ciphers and The One Time Pad - Course overview and stream ciphers |url=https://www.coursera.org/lecture/crypto/attacks-on-stream-ciphers-and-the-one-time-pad-euFJx |access-date=2022-03-21 |website=Coursera |language=en}}</ref>

Standard techniques to prevent this, such as the use of a [[message authentication code]] can be used along with a one-time pad system to prevent such attacks, as can classical methods such as variable length [[padding (cryptography)|padding]] and [[Russian copulation]], but they all lack the perfect security the OTP itself has. [[Universal hashing]] provides a way to authenticate messages up to an arbitrary security bound (i.e., for any {{nowrap|''p'' > 0}}, a large enough hash ensures that even a computationally unbounded attacker's likelihood of successful forgery is less than ''p''), but this uses additional random data from the pad, and some of these techniques remove the possibility of implementing the system without a computer.

=== Common implementation errors ===

Due to its relative simplicity of implementation, and due to its promise of perfect secrecy, one-time-pad enjoys high popularity among students learning about cryptography, especially as it is often the first algorithm to be presented and implemented during a course. Such "first" implementations often break the requirements for information theoretical security in one or more ways:
* '''The pad is generated via some algorithm, that expands one or more small values into a longer "one-time-pad".''' This applies equally to all algorithms, from insecure basic mathematical operations like square root decimal expansions, to complex, cryptographically secure pseudo-random random number generators (CSPRNGs). None of these implementations are one-time-pads, but [[stream cipher]]s by definition. All one-time pads must be generated by a non-algorithmic process, e.g. by a [[hardware random number generator]].
* '''The pad is exchanged using non-information-theoretically secure methods.''' If the one-time-pad is encrypted with a non-information theoretically secure algorithm for delivery, the security of the cryptosystem is only as secure as the insecure delivery mechanism. A common flawed delivery mechanism for one-time-pad is a standard [[hybrid cryptosystem]] that relies on symmetric key cryptography for pad encryption, and asymmetric cryptography for symmetric key delivery. Common secure methods for one-time pad delivery are [[quantum key distribution]], a [[sneakernet]] or [[courier]] service, or a [[dead drop]].
* The implementation does not feature an unconditionally secure authentication mechanism such as a [[Message authentication code#One-time MAC|one-time MAC]].
* The pad is reused (exploited during the [[Venona project]], for example).<ref name=":2" />
* The pad is not destroyed immediately after use.