The One-Time Pad: Perfect Secrecy and Its Unforgiving Invariants
The One-Time Pad is the only encryption scheme with a mathematical proof of perfect secrecy. Its invariants are simple but brutally strict — violate any one of them and the guarantee vanishes entirely.
Note: This should not be confused with a One-Time Password (OTP). Different concept entirely.
Most ciphers are computationally secure — they rely on the assumption that breaking them would take an impractical amount of time. The One-Time Pad is different. It is information-theoretically secure. Even with infinite computing power, an attacker learns nothing about the plaintext from the ciphertext.
That’s not a claim about current hardware. It’s a mathematical proof. And it holds — but only if every single invariant of the scheme is maintained. Violate one, and the entire guarantee collapses. Not weakens. Collapses.
What is a One-Time Pad?
A One-Time Pad is an encryption technique where a plaintext message is combined with a random key (the “pad”) that is at least as long as the message itself. The message space and ciphertext space belong to the same space: {0,1}^n. The key is a random bit string of the message length.
The encryption operation is XOR (exclusive or), applied bit by bit:
1
ciphertext = plaintext XOR key
Decryption is the same operation in reverse (XOR is its own inverse):
1
plaintext = ciphertext XOR key
How It Works: An Example
Consider Bob wanting to send the message HELLO to Alice. Both share the pre-agreed key XMCKL.
Encryption (Bob’s side):
Each letter is converted to a number (A=0, B=1, …, Z=25), then added modulo 26 with the corresponding key letter:
1
2
3
4
5
Plaintext: H(7) E(4) L(11) L(11) O(14)
Key: X(23) M(12) C(2) K(10) L(11)
───── ───── ───── ───── ─────
Sum mod 26: 4 16 13 21 25
Ciphertext: E Q N V Z
Bob sends EQNVZ to Alice.
Decryption (Alice’s side):
Alice reverses the process — subtracts the key values modulo 26:
1
2
3
4
5
Ciphertext: E(4) Q(16) N(13) V(21) Z(25)
Key: X(23) M(12) C(2) K(10) L(11)
───── ───── ───── ───── ─────
Diff mod 26: 7 4 11 11 14
Plaintext: H E L L O
Alice recovers HELLO. An attacker who intercepts EQNVZ cannot determine the original message without the key — and not because the math is hard, but because every possible plaintext is equally likely. The ciphertext EQNVZ could decode to HELLO, WORLD, ABORT, or any other five-letter string, depending on the key. There is no way to distinguish the correct decryption from any other.
The Four Invariants
The perfect secrecy guarantee holds if and only if the following four invariants are maintained. These are not best practices. They are not recommendations. They are the conditions of a mathematical proof. Violate any one and the proof no longer applies.
1. The key must be at least as long as the message
If the key is shorter, you’re reusing key material — and the scheme degrades to something breakable. This is the invariant that makes OTP impractical at scale: to encrypt a 1 GB file, you need a 1 GB key.
2. The key must be truly random
Not pseudorandom. Not “random enough.” Truly random — generated from a physical entropy source. Pseudorandom generators have patterns. Subtle, yes. Computationally hard to exploit, maybe. But the proof of perfect secrecy requires that every key is equally probable. A PRNG violates that assumption.
3. The key must never be reused
This is the invariant that gives the scheme its name: the pad is used one time. If the same key encrypts two different messages, an attacker can XOR the two ciphertexts together to eliminate the key:
1
C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2
Now the attacker has the XOR of two plaintexts — and that leaks enormous amounts of information. Language has statistical structure. English text XORed with English text reveals patterns that can be exploited with frequency analysis. The Venona project, which cracked Soviet intelligence communications, succeeded precisely because Soviet cryptographers reused one-time pad keys.
4. The key must be kept completely secret
If the key is intercepted in transit, the scheme provides no security at all. The entire security of OTP rests on key secrecy — there is no computational hardness assumption to fall back on.
Why OTP is Impractical
The invariants of OTP are simple to state and brutally hard to maintain in practice:
- Key length equals message length. To encrypt a conversation, you need to pre-share a key as long as every message you’ll ever send. At that point, you might as well have pre-shared the messages themselves.
- True randomness is expensive. Hardware random number generators exist, but generating gigabytes of truly random data is slow and requires specialized equipment.
- Key distribution is the hard problem. If you had a secure channel to transmit the key, you could just use that channel to transmit the message directly.
- Key disposal must be guaranteed. The used key must be destroyed securely — not just deleted, but made irrecoverable. On modern storage with wear leveling and journaling filesystems, “securely delete” is harder than it sounds.
This is the paradox of the One-Time Pad: it has the strongest security guarantee of any encryption scheme ever devised, but its invariants are so demanding that they’re almost impossible to uphold in digital systems. The proof is perfect. The engineering is impractical.
The Lesson
OTP teaches something important about invariants in general: the strength of a guarantee is only as good as your ability to maintain its preconditions. A system with a beautiful proof of correctness is worthless if the assumptions of that proof can’t be enforced in production.
This pattern repeats everywhere. Distributed consensus protocols have proofs of safety — but those proofs assume reliable failure detectors, bounded network delays, or other properties that real networks don’t always provide. Database ACID guarantees hold — but only if the transaction isolation level is actually set correctly. The invariant exists on paper. Whether it holds in practice depends entirely on whether every precondition is enforced, all the time, without exception.
Next: Block Ciphers — the practical alternative that trades mathematical perfection for engineering feasibility.