The one-time pad (OTP) is the only cipher that can guarantee perfect secrecy, meaning an attacker can never gain any information about the plaintext, even with infinite computational power.
Let’s see it in action. Imagine Alice wants to send a secret message to Bob. She has a message, "MEET AT NOON", and a secret key, "XYZZY IS GOD". Both Alice and Bob have a copy of this key, which is as long as the message itself.
To encrypt, Alice converts her message and key into numbers. Let’s use a simple A=0, B=1, …, Z=25 mapping. Message: M E E T A T N O O N Numbers: 12 4 4 19 0 19 13 14 14 13
Key: X Y Z Z Y I S G O D Numbers: 23 24 25 25 24 8 18 6 14 3
Now, Alice adds the message number to the key number, modulo 26 (meaning we wrap around after 25). (12 + 23) mod 26 = 35 mod 26 = 9 (J) (4 + 24) mod 26 = 28 mod 26 = 2 © (4 + 25) mod 26 = 29 mod 26 = 3 (D) (19 + 25) mod 26 = 44 mod 26 = 18 (S) (0 + 24) mod 26 = 24 mod 26 = 24 (Y) (19 + 8) mod 26 = 27 mod 26 = 1 (B) (13 + 18) mod 26 = 31 mod 26 = 5 (F) (14 + 6) mod 26 = 20 mod 26 = 20 (U) (14 + 14) mod 26 = 28 mod 26 = 2 © (13 + 3) mod 26 = 16 mod 26 = 16 (Q)
The ciphertext is "JCDSYBFUCQ". Alice sends this to Bob.
Bob receives "JCDSYBFUCQ". He converts it back to numbers: Ciphertext: J C D S Y B F U C Q Numbers: 9 2 3 18 24 1 5 20 2 16
He then uses his identical copy of the key and performs the exact same addition modulo 26. Key: X Y Z Z Y I S G O D Numbers: 23 24 25 25 24 8 18 6 14 3
To decrypt, Bob subtracts the key number from the ciphertext number, modulo 26. (9 - 23) mod 26 = -14 mod 26 = 12 (M) (2 - 24) mod 26 = -22 mod 26 = 4 (E) (3 - 25) mod 26 = -22 mod 26 = 4 (E) (18 - 25) mod 26 = -7 mod 26 = 19 (T) (24 - 24) mod 26 = 0 mod 26 = 0 (A) (1 - 8) mod 26 = -7 mod 26 = 19 (T) (5 - 18) mod 26 = -13 mod 26 = 13 (N) (20 - 6) mod 26 = 14 mod 26 = 14 (O) (2 - 14) mod 26 = -12 mod 26 = 14 (O) (16 - 3) mod 26 = 13 mod 26 = 13 (N)
Bob successfully recovers "MEET AT NOON".
The problem OTP solves is achieving perfect secrecy, a theoretical ideal where an eavesdropper gains absolutely no statistical information about the plaintext, regardless of their computational power or the amount of ciphertext they intercept. This is in stark contrast to modern ciphers like AES, which are computationally secure, meaning they are infeasible to break with current computing power, but not theoretically unbreakable.
The core components of a secure OTP are:
- Key must be truly random: Each character in the key must be generated by a truly random process, not a pseudorandom number generator. This ensures no patterns can be exploited.
- Key must be as long as the message: The key must be at least as long as the plaintext. If the key is shorter, it must be repeated, introducing patterns that can be broken (e.g., Vigenère cipher attacks).
- Key must be kept secret and used only once: This is the "one-time" part. If a key is reused, even for a single bit, it compromises the security of both messages.
The mathematical basis for its security lies in the fact that for any given ciphertext character, all possible plaintext characters are equally likely. If an eavesdropper sees a ciphertext character 'J' (which is 9), and they don’t know the key, they know that:
- If the key was 'A' (0), the plaintext was 'J' (9).
- If the key was 'B' (1), the plaintext was 'I' (8).
- …
- If the key was 'Z' (25), the plaintext was 'K' (10).
Since the key is truly random and used only once, the eavesdropper has no way to determine which of these possibilities is the correct one. Every possible plaintext letter is equally probable for any given ciphertext letter.
The overwhelming practical limitation of OTP is key management. Distributing and securely storing a key as long as the message, for every message, is an enormous logistical challenge. This is why it’s rarely used for general-purpose communication but has found niches in highly sensitive, low-bandwidth, or pre-arranged communication scenarios, like Cold War spy communications.
The true genius of the OTP is that the ciphertext provides zero information about the plaintext without the key. If you were to take a ciphertext produced by an OTP and try to guess the plaintext, you would essentially be guessing random strings of characters. The statistical properties of the ciphertext are indistinguishable from random noise, meaning an attacker has no statistical advantage over random guessing.
The next hurdle you’ll face is figuring out how to securely generate and distribute those impossibly long, random keys.