One-Time Pad
The only theoretically unbreakable cipher — and why nobody uses it.
The one-time pad (OTP) holds a unique distinction in cryptography: it is the canonical cipher with a proof of perfect secrecy. Claude Shannon showed in 1949 that, when four specific conditions hold, the ciphertext carries no information about the plaintext: an attacker's probability for each candidate message is the same after seeing the ciphertext as it was before. Shannon also showed that any cipher with this property needs at least as much key as message, so OTP is not just secure but optimal. No amount of compute, no future algorithm, no quantum computer can break it.
So why isn't OTP used everywhere? Because the four conditions are extraordinarily expensive to meet. Real-world systems trade information-theoretic perfection for practical, well-engineered computational security, such as AES-GCM with a fresh nonce per message, for which no known classical or quantum attack is feasible.
How OTP works
The cipher is trivially simple:
ciphertext[i] = plaintext[i] XOR key[i]
plaintext[i] = ciphertext[i] XOR key[i]
Encryption and decryption are the same operation: byte-by-byte XOR with a key. That's the whole algorithm.
The four conditions
OTP only achieves perfect secrecy when all of these are true:
- The key is truly random — cryptographically uniform bytes from a real entropy source. A pseudo-random generator (even a good CSPRNG) makes the cipher only computationally secure, not information-theoretically secure.
- The key is at least as long as the plaintext. Every byte of the message is XORed against a fresh, never-before-seen key byte.
- The key is used only once. Hence "one-time pad." Reusing key material for two messages collapses the security.
- The key is distributed over a secure out-of-band channel and kept secret. Both parties must already hold the same pad, and nobody else may have a copy. This is the operational hard part.
Break any one of these and OTP degrades into a much weaker cipher.
The proof, intuitively
Suppose you intercept a 14-byte ciphertext. With OTP, every 14-byte plaintext is a possible decryption, depending on which 14-byte key you assume the sender used:
"ATTACK AT DAWN" XOR key1 = ciphertext
"HOLD POSITIONS" XOR key2 = ciphertext (different key, same ciphertext)
"SEND MORE FOOD" XOR key3 = ciphertext (different key, same ciphertext)
For any candidate plaintext, the key that produces the observed ciphertext is simply ciphertext XOR candidate, and because the key was chosen uniformly at random, every one of those keys was exactly as likely as any other. The ciphertext therefore gives the attacker zero information: whatever they believed about the message before intercepting it, they believe exactly the same afterwards. That's perfect secrecy.
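The algorithm, the key-length and single-use checks, and the "every plaintext is reachable" argument above, as an added example written for this page (not code from the original lesson). It assumes Python's `secrets.token_bytes()` as the pad source, which is an OS CSPRNG and therefore only computationally secure; the messages are constructed samples.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(n: int) -> bytes:
    """Fresh pad bytes. Assumption: secrets.token_bytes() draws from the OS
    CSPRNG, so pads made this way are computationally secure, not
    information-theoretic; a real OTP deployment needs a hardware entropy source."""
    return secrets.token_bytes(n)


class OneTimePad:
    """Pad material that hands out each byte at most once (condition 3).
    Sender and receiver must consume the pad in the same order."""

    def __init__(self, material: bytes):
        self._material = bytearray(material)
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise RuntimeError("pad exhausted: refusing to reuse key bytes")
        start = self._offset
        chunk = bytes(self._material[start:start + n])
        self._material[start:start + n] = bytes(n)   # destroy consumed bytes
        self._offset += n
        return chunk


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """ciphertext[i] = plaintext[i] XOR key[i]; the key must cover the message (condition 2)."""
    if len(key) < len(plaintext):
        raise ValueError("key shorter than plaintext")
    return xor_bytes(plaintext, key[:len(plaintext)])


otp_decrypt = otp_encrypt   # XOR is its own inverse


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which this ciphertext would decrypt to `candidate`.
    One exists for every candidate of the right length, which is exactly
    why the ciphertext alone tells the attacker nothing."""
    return xor_bytes(ciphertext, candidate)


def demo() -> bytes:
    pad = OneTimePad(generate_pad(64))           # pretend this was couriered in advance
    message = b"ATTACK AT DAWN"                  # constructed sample
    key = pad.take(len(message))
    ciphertext = otp_encrypt(message, key)
    assert otp_decrypt(ciphertext, key) == message
    # Any other 14-byte plaintext is reachable from the same ciphertext.
    for other in (b"HOLD POSITIONS", b"SEND MORE FOOD"):
        k = key_that_decrypts_to(ciphertext, other)
        assert otp_decrypt(ciphertext, k) == other
    return ciphertext
```

`OneTimePad.take` zeroes the bytes it hands out, so a second message cannot accidentally land on the same pad page; the receiver must keep its own copy in step, which is the bookkeeping that failed in VENONA.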
Why nobody really uses it
The conditions are operationally crushing:
Generating truly random key material. A handful of bytes is easy. Megabytes per second, sustained over years, is hard. Hardware RNGs cost money; verifying their output is uniform is harder; storing the audit trail is harder still.
Distributing a key as long as the message. If you've got a secure channel that can carry an N-byte key safely, you can just use it to send the N-byte message. OTP only helps when you can pre-distribute key material in bulk during a high-security window (a diplomatic pouch, an in-person handoff) and then communicate freely later.
Never reusing. An operator under time pressure who runs out of pad material has a strong incentive to reuse pages. This is exactly the failure mode that broke the Soviet Union's OTP system in WWII.
Authentication. OTP gives you secrecy but not integrity. An attacker who intercepts an OTP ciphertext can flip any bit they want without detection, because flipping bit i of the ciphertext flips bit i of the plaintext on decryption; if they know or can guess the plaintext at some position, they can rewrite it to anything of the same length. Production systems need a separate MAC, either a conventional one under a second key (computational security) or a one-time information-theoretic MAC that itself consumes pad bytes.
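The malleability described above, and the separate MAC that catches it, as an added example (not code from the lesson). It assumes HMAC-SHA256 under a second key as the MAC; the message and the attacker's knowledge of the amount field's position are constructed for the demo.

```python
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def tamper(ciphertext: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """Rewrite the plaintext at `offset` from `known` to `wanted` without the key.
    Since c[i] = m[i] XOR k[i], setting c'[i] = c[i] XOR m[i] XOR m'[i]
    makes c'[i] XOR k[i] = m'[i]. The attacker only needs to know (or guess)
    the original bytes at that position."""
    if len(known) != len(wanted):
        raise ValueError("replacement must keep the length")
    delta = xor_bytes(known, wanted)
    out = bytearray(ciphertext)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Separate integrity layer (assumption: HMAC-SHA256 under a second key).
    This is computational authentication bolted onto the OTP."""
    return hmac.new(mac_key, ciphertext, "sha256").digest()


def verify_then_decrypt(ciphertext: bytes, tag: bytes, pad: bytes, mac_key: bytes):
    """Return the plaintext, or None if the tag does not match (tampering)."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return xor_bytes(ciphertext, pad)


def demo() -> tuple:
    message = b"PAY 0100 USD TO ALICE"          # constructed sample
    pad = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)
    ct = xor_bytes(message, pad)
    tag = mac_tag(mac_key, ct)

    # Attacker knows the amount field sits at bytes 4..7 and currently reads "0100".
    forged = tamper(ct, b"0100", b"9900", offset=4)

    unauthenticated = xor_bytes(forged, pad)                        # decrypts cleanly to 9900
    authenticated = verify_then_decrypt(forged, tag, pad, mac_key)  # None: tag mismatch
    return unauthenticated, authenticated
```

Note that the attacker never touches the pad: the forgery is computed entirely from the ciphertext and a guess about the plaintext, which is why "perfect secrecy" says nothing about integrity.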
VENONA — what happens when conditions fail
VENONA is the codename for a 1943-1980 US/UK/AUS counterintelligence operation that decrypted thousands of Soviet diplomatic cables. The Soviets were using a properly-designed OTP system — but during WWII their pad-printing facility couldn't keep up with demand, and the printers started duplicating pages.
If two different messages were encrypted with the same key, the attacker can:
c1 = m1 XOR k
c2 = m2 XOR k
c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2 ← key cancels out!
Now the attacker has m1 XOR m2, the XOR of two plaintexts. With enough such pairs, plus knowledge that the plaintexts are likely to contain common phrases ("PROCEED WITH OPERATION", "REPORT FROM AGENT"), it's a tractable cribbing problem: slide a guessed phrase along m1 XOR m2, and wherever the guess is right the other message's text appears. US Army codebreakers at Arlington Hall (later part of NSA) and GCHQ spent decades working through cables sent mostly in the 1940s, recovering a fraction of the traffic; the project stayed classified until 1995. VENONA is the textbook example of "you only get OTP's perfect secrecy if you actually meet all the conditions."
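The key-reuse cancellation and the crib-dragging step that follows it, as an added example (not code from the lesson or from VENONA). The two cables and the crib are constructed; the "looks like plaintext" test is a deliberately simple heuristic for upper-case traffic.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def looks_like_plaintext(b: bytes) -> bool:
    """Heuristic for this demo's traffic: upper-case letters and spaces only."""
    return all(65 <= c <= 90 or c == 32 for c in b)


def crib_drag(m1_xor_m2: bytes, crib: bytes) -> list:
    """Slide a guessed phrase along m1 XOR m2. At an offset where the guess is
    correct for one message, XORing it back out reveals the other message's
    bytes at that position, which look like text; elsewhere the result looks like noise."""
    hits = []
    for off in range(len(m1_xor_m2) - len(crib) + 1):
        window = m1_xor_m2[off:off + len(crib)]
        revealed = xor_bytes(window, crib)
        if looks_like_plaintext(revealed):
            hits.append((off, revealed))
    return hits


def demo() -> list:
    m1 = b"PROCEED WITH OPERATION TOMORROW"       # constructed samples
    m2 = b"REPORT FROM AGENT ARRIVED SAFELY"
    n = min(len(m1), len(m2))
    pad = secrets.token_bytes(n)                    # one pad page...
    c1 = xor_bytes(m1[:n], pad)
    c2 = xor_bytes(m2[:n], pad)                     # ...used twice
    m1_xor_m2 = xor_bytes(c1, c2)                   # pad cancels; no key needed
    assert m1_xor_m2 == xor_bytes(m1[:n], m2[:n])
    # Attacker guesses that one cable opens with a stock phrase.
    return crib_drag(m1_xor_m2, b"REPORT FROM AGENT")
```

A confirmed hit is a foothold: the revealed fragment of the other message ("PROCEED WITH OPER") is itself a longer crib, so the attacker extends it word by word in both cables. That is the slow, incremental work VENONA analysts did by hand.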
When OTP is still legitimately used
A few real-world contexts:
- Diplomatic and intelligence cables. Some embassies still maintain OTP-based cable systems for sensitive traffic, with key books pre-distributed via diplomatic pouch.
- Top-secret military comms. Specialized point-to-point links, where a courier can deliver a hard drive of pad material once a quarter.
- Quantum Key Distribution (QKD). Lab and early commercial systems that distribute key material via quantum optics. Eavesdropping on the quantum channel disturbs the photons and shows up as an elevated error rate, so it is detectable; QKD still relies on an authenticated classical channel to agree on which bits to keep. After QKD produces fresh shared bytes, they can be used as OTP key.
- Numbers stations. Shortwave radio broadcasts of seemingly random digits — long suspected to be OTP cipher messages to deployed agents who hold the matching pad.
The "stream cipher" connection
Modern stream ciphers (ChaCha20, Salsa20, AES in CTR mode; historically RC4, now broken by keystream biases) approximate OTP with a CSPRNG. They expand a short symmetric key and a nonce into a deterministic key stream, then XOR it with the plaintext exactly like OTP. The crucial differences:
- The key stream is pseudo-random, not truly random. Security reduces to "the CSPRNG is unpredictable" rather than information-theoretic.
- The actual key is short (128 or 256 bits), so it is easy to distribute and store.
- The "nonce" (a per-message fresh value) plays the role of "different key bytes per message."
The cardinal rule of stream ciphers is exactly OTP's: never reuse a (key, nonce) pair. AES-GCM with a reused nonce leaks the XOR of the two plaintexts and, via Joux's "forbidden attack", lets the attacker recover the GHASH subkey and forge authentication tags. ChaCha20 with a reused nonce gives the attacker the XOR of the two plaintexts. The math is identical to VENONA.
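How the (key, nonce) pair of a stream cipher plays the role of the pad, and what a reused pair costs, as an added example for the two passages above (not code from the lesson, and not ChaCha20 or AES-CTR). The keystream is a toy CTR-style construction, SHA-256 over key, nonce and a block counter, chosen so it runs with the standard library; the messages are constructed, and the first one is assumed to be a predictable heartbeat the attacker can guess.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: block i = SHA-256(key || nonce || i).
    Stands in for ChaCha20/AES-CTR to show the structure; not a production cipher.
    The same (key, nonce) always yields the same stream, which is the whole hazard."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR with the key stream, exactly as OTP XORs with the pad."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


class Session:
    """Sender-side discipline: a 96-bit counter nonce that never repeats under one key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        if self.counter >= 2 ** 96:
            raise RuntimeError("nonce space exhausted: rekey")
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        return nonce, stream_encrypt(self.key, nonce, plaintext)


def nonce_reuse_attack(c1: bytes, known_m1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share (key, nonce) and the attacker knows m1, the key stream
    is c1 XOR m1 and m2 falls out directly. No key needed: same math as VENONA."""
    ks = xor_bytes(c1, known_m1)
    n = min(len(ks), len(c2))
    return xor_bytes(c2[:n], ks[:n])


def demo() -> tuple:
    key = secrets.token_bytes(32)
    bad_nonce = bytes(12)                             # reused by mistake
    m1 = b"STATUS: ALL SYSTEMS NOMINAL"               # predictable heartbeat (constructed)
    m2 = b"ROTATE THE API KEY TONIGHT"                # the message worth protecting
    c1 = stream_encrypt(key, bad_nonce, m1)
    c2 = stream_encrypt(key, bad_nonce, m2)
    recovered = nonce_reuse_attack(c1, m1, c2)

    # Correct usage: a fresh nonce per message gives unrelated key streams.
    s = Session(key)
    n1, _ = s.encrypt(m1)
    n2, _ = s.encrypt(m2)
    distinct = keystream(key, n1, 16) != keystream(key, n2, 16)
    return recovered, distinct
```

With a real cipher the counter nonce is what AES-GCM and ChaCha20-Poly1305 implementations maintain for you; the failure mode is an application that picks nonces at random from too small a space, or restarts a counter after a crash, and lands back on a used pair.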
What this lesson asks of you
The playground walks you through OTP scenarios — pad generation, the consequences of each broken condition, and recognising key-reuse failures in modern stream ciphers. The visualizer shows the XOR operation byte-by-byte, then demonstrates what happens if you XOR two ciphertexts with reused keys.
Tools in the wild
- OpenSSL rand (cli, free tier): `openssl rand -out pad.key NN` writes NN bytes from OpenSSL's CSPRNG to pad.key.
- /dev/urandom (cli, free tier): the kernel CSPRNG. Read N bytes, XOR with your message, then destroy the key bytes so they cannot be reused.
- Diceware (cli, free tier): manual entropy source; physical dice for key material when you don't trust software RNGs.
- Quantum key distribution (service): can produce shared OTP keys with detectable eavesdropping.
Note that OpenSSL rand and /dev/urandom are CSPRNGs, so pads drawn from them give computational rather than information-theoretic security (see the first of the four conditions above).