Cryptography
The One-Time Pad
The only cipher proven unbreakable — and the reason we can't use it
The one-time pad encrypts a message by XOR-ing every bit with a truly random key that is at least as long as the message and is never reused. In 1949 Claude Shannon proved it achieves perfect secrecy: the ciphertext is statistically independent of the plaintext, so an adversary with unlimited computing power learns nothing beyond the message length. It is the only cipher with this property — the Vernam cipher of 1919 made real. The catch is not a weakness in the math but a consequence of it: the key must be as long as everything you will ever send, and distributing that key securely is exactly as hard as the problem you started with.
- Encrypt / decrypt timeO(n) — one XOR per bit
- Key length≥ message length (n bits)
- Security modelInformation-theoretic (perfect)
- InventedVernam 1919, proof by Shannon 1949
- Key reuseFatal — breaks all secrecy
- Quantum-safe?Yes — no hardness assumption
Interactive visualization
Press play, or step through manually. The visualization is yours to drive — try it before reading on.
Watch the 60-second explainer
A condensed visual walkthrough — narrated, captioned, under a minute.
Why the one-time pad matters
Almost every cipher you use — AES, RSA, ChaCha20 — is computationally secure. It is safe because breaking it would take more work than any attacker can afford, given today's hardware and today's best-known algorithms. That is a bet against progress. The one-time pad makes no such bet. Its security is unconditional: even an adversary with infinite time, infinite computers, and a working quantum machine cannot recover the plaintext, because the information simply is not present in the ciphertext.
That makes the pad the theoretical ceiling of cryptography — the yardstick every other scheme is measured against. It also makes it a beautifully sharp illustration of a deep idea: secrecy is a resource that must be moved, not manufactured. The pad does not create confidentiality out of a short password; it demands that you already possess as much secret key as the total volume of secret message. Understanding why that trade is unavoidable is understanding the central limit of secret-key cryptography.
How the one-time pad works, step by step
The construction is almost embarrassingly simple. Represent everything as bits.
- Key generation. Alice and Bob share a secret key
K— a string ofntruly random bits, one for each bit of the message. "Truly random" means every bit is an independent fair coin flip, from a physical entropy source, not a pseudo-random generator. - Encryption. To send an
n-bit messageM, compute the ciphertext bit by bit:C = M ⊕ K, where⊕is XOR (addition modulo 2). - Decryption. Bob computes
M = C ⊕ K. This works because XOR is its own inverse:(M ⊕ K) ⊕ K = M ⊕ (K ⊕ K) = M ⊕ 0 = M. - Destroy the key. Both parties erase the used portion of
K. It is never reused for anything, ever. Hence the name: each pad page is used once, then burned.
The whole cipher is n XOR operations to encrypt and n to decrypt — O(n) time, O(1) extra space, trivially parallel and constant-time by construction. There are no rounds, no S-boxes, no key schedule. All the difficulty lives in producing and delivering the key.
Shannon's perfect secrecy — the proof sketch
Shannon defined perfect secrecy precisely: a cipher is perfectly secret if, for every plaintext m and every ciphertext c,
Pr[M = m | C = c] = Pr[M = m].
In words: seeing the ciphertext does not change your beliefs about the message at all. The ciphertext and plaintext are statistically independent. Equivalently, the mutual information I(M; C) = 0.
The pad satisfies this. Fix any ciphertext c. For a candidate message m to produce it, the key must be exactly k = c ⊕ m — a unique key. Since the key is uniformly random over all 2ⁿ possibilities, that specific key occurs with probability 2⁻ⁿ, independent of what m is. So Pr[C = c | M = m] = 2⁻ⁿ for every message. Because that likelihood is the same for all messages, observing c tells the attacker nothing about which message was sent. Every plaintext of length n is a valid decryption of c under some key, and all are equally likely.
Shannon also proved the converse — his impossibility theorem: any perfectly secret cipher must use a key at least as large as the message space entropy, i.e. H(K) ≥ H(M). So the pad's enormous key is not an implementation clumsiness you can optimize away; it is mathematically required of any scheme that hopes to be perfectly secret. You cannot get perfect secrecy on the cheap.
One-time pad vs. computational ciphers
| One-Time Pad | Stream Cipher (ChaCha20) | Block Cipher (AES) | RSA | |
|---|---|---|---|---|
| Security model | Information-theoretic (perfect) | Computational | Computational | Computational |
| Key size | = message length | 256-bit fixed | 128/256-bit fixed | 2048–4096-bit |
| Keystream source | True randomness | PRNG from short seed | PRNG (in stream modes) | Modular arithmetic |
| Breakable with infinite compute? | No | Yes | Yes | Yes |
| Quantum-safe? | Yes | Yes (256-bit) | Yes (256-bit) | No (Shor's algorithm) |
| Key reuse tolerated? | No (fatal) | No (fatal — same flaw) | Yes (fresh IV) | Yes |
| Practical for the internet? | No (key distribution) | Yes | Yes | Yes |
Notice the middle column: a stream cipher is a one-time pad in which the truly random key has been replaced by the pseudo-random output of a PRNG seeded with a short key. It inherits the pad's XOR structure — and the pad's absolute prohibition on keystream reuse — while giving up perfect secrecy in exchange for a 256-bit distributable key. Every practical stream cipher is a deliberate, security-for-convenience downgrade of the pad.
Implementation in Python
import os
def keygen(n_bytes: int) -> bytes:
# Truly random key from the OS entropy pool — NOT a seeded PRNG.
# In a real pad this key is pre-shared out of band and never reused.
return os.urandom(n_bytes)
def otp(data: bytes, key: bytes) -> bytes:
# Encryption and decryption are the same operation: XOR.
if len(key) < len(data):
raise ValueError("key must be at least as long as the message")
return bytes(d ^ k for d, k in zip(data, key))
# --- usage ---
message = b"ATTACK AT DAWN"
key = keygen(len(message)) # 14 random bytes, used exactly once
ciphertext = otp(message, key) # C = M XOR K
recovered = otp(ciphertext, key) # M = C XOR K (same function)
assert recovered == message
# After this, `key` must be destroyed and never used again.
Two lines carry the whole security story. os.urandom pulls from the operating system's cryptographic entropy source — if you swap it for a seeded random.Random, you have silently built a stream cipher and thrown away perfect secrecy. And the length check enforces the non-negotiable rule that key ≥ message. There is no separate decrypt function because XOR is an involution: the same otp call recovers the plaintext.
Common misconceptions and pitfalls
- "It's unbreakable, so it's the best cipher." Perfect secrecy is only about confidentiality. The pad is completely malleable: flip ciphertext bit i and you flip plaintext bit i, no key required. Without a separate MAC, an attacker can edit your message even without reading it.
- Reusing a key page ("two-time pad"). If
C₁ = M₁ ⊕ KandC₂ = M₂ ⊕ K, thenC₁ ⊕ C₂ = M₁ ⊕ M₂— the key vanishes and the redundancy of natural language does the rest (crib-dragging). This single mistake is what the VENONA project exploited against Soviet cables. - Using a PRNG for the key. A software PRNG has at most as much entropy as its seed. Feed it a 256-bit seed and the "pad" has only 256 bits of real randomness no matter how long it is — that is a stream cipher wearing a pad's clothes, and it is computationally, not perfectly, secure.
- Assuming length is hidden. Perfect secrecy hides the content, not the length. The ciphertext is the same size as the plaintext, so the message length always leaks. Pad your messages to a fixed size if length is sensitive.
- Forgetting to destroy the key. Compromise of the pad after the fact reveals every message ever sent under it. Forward secrecy comes from actually erasing consumed key material.
A worked history — Vernam, VENONA, and the hotline
In 1919 Gilbert Vernam of AT&T patented an automatic telegraph cipher (U.S. Patent 1,310,719) that XOR-ed the 5-bit Baudot code of each character with a key tape. Joseph Mauborgne of the Army Signal Corps supplied the missing insight: only if the key tape is truly random and used a single time does the scheme become unbreakable. (Frank Miller had sketched a similar idea for telegraphy back in 1882.) For thirty years the "unbreakable" claim was folklore — until Claude Shannon's 1949 paper Communication Theory of Secrecy Systems proved it rigorously and defined perfect secrecy, founding modern cryptography in the process.
The pad's Achilles' heel showed up in practice, not theory. During and after World War II, overwhelmed Soviet cipher clerks reused pad pages. Starting in 1943 the U.S. Army's VENONA program detected the duplicate keys and, over decades, decrypted thousands of messages — exposing espionage networks. The pad had not failed; its operators had. Where discipline held, the pad reigned: the Moscow–Washington "red telephone" hotline, established in 1963, ran on one-time pads whose key material was hand-carried between the capitals by trusted couriers. That is the pad's true niche — small volumes of the highest-value traffic between parties who can physically pre-share bulk key.
The key distribution problem — the unbeatable catch
Here is the circularity that keeps the pad out of everyday use. To send n secret bits, you must first deliver n secret key bits over a secure channel. But a channel secure enough to move n key bits could have carried the n-bit message itself. The pad never generates secrecy — it merely relocates the confidentiality requirement from the message to a key of identical size. For two people who exchange gigabytes of traffic, that means pre-sharing gigabytes of key by courier, then never running out.
This is precisely the gap that public-key cryptography was invented to close. Diffie–Hellman and RSA let strangers agree on a short key over an insecure line, trading the pad's perfect secrecy for computational security — but buying the ability to communicate without a courier. And quantum key distribution (BB84) attacks the problem from the other side: it uses the laws of physics to deliver fresh random key that an eavesdropper cannot copy, which is then consumed by a genuine one-time pad. The pad remains the gold standard; the entire history of practical cryptography is the search for a cheaper way to get its key where it needs to go.
Frequently asked questions
Why is the one-time pad considered unbreakable?
Shannon proved it has perfect secrecy: for any ciphertext, every plaintext of the same length is exactly as likely as every other. Because the key is truly random and as long as the message, any given ciphertext could decrypt to any message of that length under some key. An attacker with infinite computing power learns nothing beyond the length — the ciphertext is statistically independent of the plaintext. This is information-theoretic security, not the computational hardness that protects AES or RSA.
What happens if you reuse a one-time pad key?
Reuse destroys the security completely. If C1 = M1 XOR K and C2 = M2 XOR K, then C1 XOR C2 = M1 XOR M2 — the key cancels out and you are left with the XOR of two plaintexts. Natural-language redundancy lets an analyst separate them (crib-dragging). This exact mistake let the U.S. VENONA project read thousands of Soviet cables from the 1940s. Once reused, it is a 'two-time pad' and no longer perfectly secret.
What is the difference between a one-time pad and a stream cipher?
They look identical — both XOR the plaintext with a keystream. The difference is the keystream's source. A one-time pad uses a truly random key as long as the message, giving information-theoretic perfect secrecy. A stream cipher (RC4, ChaCha20) expands a short fixed key into a long pseudo-random keystream with a PRNG. That keystream only looks random, so the security drops to computational — breakable in principle, just infeasible today. A stream cipher is a practical approximation of the pad that trades perfect secrecy for a short, distributable key.
Why is the key distribution problem the pad's fatal flaw?
To send n bits securely you must first share n bits of key over a secure channel. But if you already have a secure channel long enough to move that key, you could have sent the message over it directly. The pad does not create security from nothing — it moves the secrecy requirement from the message to the key, and the key is just as big. This is why pads are used only where couriers can pre-share bulk key (embassies, the Moscow–Washington hotline) and never for general internet traffic.
Does perfect secrecy mean the message cannot be tampered with?
No. Perfect secrecy is about confidentiality only — it says nothing about integrity. The pad is malleable: flipping bit i of the ciphertext flips bit i of the recovered plaintext, with no key needed. An attacker who knows the plaintext format can flip 'TRANSFER $10' to 'TRANSFER $90' silently. To get integrity you must add a message authentication code, and a truly unconditional one (like a Carter–Wegman universal-hash MAC) also needs its own fresh key.
Is a one-time pad quantum-safe?
Yes. Its security is information-theoretic, not based on any computational problem, so a quantum computer running Shor's or Grover's algorithm gains nothing — there is no factoring or discrete-log shortcut to exploit. This is why quantum key distribution (BB84) is often paired with the pad: QKD physically delivers fresh random key, and the pad turns that key into unconditionally secure messages.
Who invented the one-time pad?
Gilbert Vernam patented the XOR stream design in 1919 (U.S. Patent 1,310,719), and Joseph Mauborgne of the U.S. Army Signal Corps added the crucial requirement that the key be truly random and used only once. Frank Miller had described a similar telegraph scheme as early as 1882. In 1949 Claude Shannon gave the first rigorous proof of perfect secrecy in 'Communication Theory of Secrecy Systems,' placing the pad on formal footing.