Click here to download a Powerpoint presentation on the One-Time Pad
Manual One-Time Pad
Frank Miller, one-time pad inventor
Example of miniature one-time pad
The one-time pad is the only truly unbreakable cipher. It is named for the pads of paper with random numbers or letters written on them,
which are thrown away after one use. The random numbers or letters are added to the plaintext message to create the ciphertext and the
receiver of the message must have the same random numbers or letters to decrypt the message. The one-time pad has three requirements; the
numbers must be random, have as many characters as the plaintext message and must be used only once (hence the shorthand description, "endless
and senseless"). This was a popular cipher system used by spies in WW2 and the cold war because it was secure, the pads were small enough
to easily hide and it could be used with paper and pencil only. Practical considerations prevented the one-time pad from being more widely
used. Distributing one-time pads was cumbersome and, if captured, was a dangerous security breech.
During WW2 and the cold war, the Soviet Union had many spies in the US supplying information on the ultra secret US atomic bomb project.
Apparently, they got careless in the creation of their one-time pads and repeated whole pages for use by their spies. It is also possible they
did this deliberately, in order to supply the large demand for one-time pads while opening up a very unlikely vulnerability. Incredibly, this
small vulnerability was discovered and exploited by the US in a decades-long project called Venona. The decrypted messages uncovered a
widespread campaign by the Russians to spy on the US and our allies, which reached the highest levels of government in the US and Britain.
A total of 349 spies were identified, including Julius and Ethel Rosenberg, Alger Hiss, Harry Dexter White (second-highest official in the
Treasury Department), Lauchlin Currie (personal aide to Franklin Roosevelt) and Maurice Halperin (section head in the Office of Strategic
Services). This is another example of the codemaker's over-confidence in their ciphers being exploited by the codebreakers.
In keeping with cryptologic tradition, the one-time pad was originally credited to the wrong inventors. For almost 100 years, the one-time pad
was credited to the 1919 co-invention by Gilbert S. Vernam and Joseph O. Mauborgne. In 2011, however, Columbia University professor Steven
Bellovin discovered a little-known book written in 1882 by Frank Miller which clearly described a one-time pad cipher. The book was called
Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams and was primarily written as a telegraph code book and
to reduce telegraph transmission costs for banks. Only a few hundred copies of this book were printed. Miller was a banker in Sacramento,
California and his description of the one-time pad was clear and specific, but his book was probably never used for sending one-time pad
messages and was subsequently forgotten for 130 years. The following is a quote from Miller's book describing the one-time pad:
"A banker in the West should prepare a list of irregular numbers to be called 'shift numbers', such as 483, 281, 175, 892, &c. The
differences between such numbers must not be regular. When a shift-number has been applied, or used, it must be erased from the
list and not be used again."
A review of Miller's background gives some clues about how it was possible for a bank president to come up with the original idea of a one-time
the Civil War, Miller joined the Union Army and was wounded at the Second Battle of Bull Run. In the latter part of the war, he was a member
of Colonel Henry Steel Olcott's unit, a prominent investigator of fraud and corruption during the Civil War. In this capacity, Miller was
likely one of the investigators of the Lincoln assassination, among other investigations where the conspirators used secret codes. It was
during this time that Miller probably became acquainted with encryption and cryptanalysis. His quotes from "Colonel Myers" in the preface
refers to Col. Albert J. Myers, the first Chief Signal Officer and father of the US Army Signal Corps during the Civil War. This also shows
an unusual knowledge of military signals intelligence for a banker.
Teletype One-Time Pad
In 1917, Gilbert S. Vernam, an engineer at Bell Telephone Laboratories, invented a teletype based cipher system in which a loop of perforated
paper tape representing random letters was added to a plaintext message to create the ciphertext. On the receiving end, a duplicate loop would
be used to subtract the same random letters from the ciphertext to re-create the plaintext message. The advantage of this system was the
encipherment and decipherment was handled automatically by the teletype system without human intervention or error. In fact, this teletype cipher
was the first automated cipher systme. The use of a loop of tape
meant the system was not truly a one-time pad since the key tape would be reused, so it was vulnerable to enemy decryption.
Vernam was awarded US Patent #1,310,719 in 1919 for a "Secret Signaling System", which describes this automated
teletype cipher. Also in 1919, it is widely thought that US Army Captain Joseph O. Mauborgne (later Maj. Gen. and Chief of the Army Signal
Corps) realized the Vernam
loop could be replaced with a one-time tape, creating a truly unbreakable cipher. This insight was thought to be the invention of the one-time
pad, as noted above, until it was discovered to have been invented 37 years earlier, by Frank Miller in 1882. More recent investigations by
Steven Bellovin, however, disputes this widely held belief. Bellovin shows convincing evidence that Vernam originally recommended the random
tape in 1917 and seemed to understand the value of the randomness. This was during WW1, however, and the distribution of one-time tapes was a
burden the US military did not want. It may have been Mauborgne who recommended the 2 relatively prime tapes of 1000 and 999 characters.
Many other cipher inventors have
claimed their inventions were unbreakable, but the invincibility of the one-time pad has the advantage of being mathematically provable. It is
also mathematically provable that ANY unbreakable cipher system must include the features of a random and non-reused key.
There is no known connection between Frank Miller and either Vernam or Mauborgne. But there is an intriguing connection between Miller and
Parker Hitt of the Army Signal Corp and a close collaborator with Mauborgne. While it is almost certain Hitt met Miller at social functions
it is known they both attended, any cryptologic discussions between them is not known.
Special Transmitter/Distributor for the US military SIGTOT teletype cipher,
this one was used in President Roosevelt's airplane
and is now at the NSA Cryptologic Museum, Ft. Meade, MD
The US military SIGTOT teletype system was the first use of an automated one-time pad, or more specifically, one-time tape, used by the
US military. It was introduced in 1925 and was the "Secret Signaling System" directly based on Vernam's 1919 patent. It remained in use
by the US military until the 1959. The first SIGTOT teletype was based on the Teletype Model 14, with over 60,000 units manufactured over
three decades. Other Teletype models were also manufactured, including 200,000 model 15s from 1930-1950s.
The SIGTOT teletype system consists of a 131-B2 mixer, a special Model 14 receiving transmitter/distributor (TD), a standard Model
14 TD, a Model 14 Keyboard Typing Reperforator (KTR) and a page printer. The receiving TD would read the one-time key tape, the standard TD
would read the plaintext tape and both would be connected to the 131-B2 mixer which would combine the two tapes and send the encoded
signals to a remote location via a radio or wired connection. The KTR was used to key in the plaintext tape and the page printer would print
the messages in plaintext from the remote locations. None of these devices were ever classified, since the only way to break this cipher
is to have access to the the one-time tape itself. The one-time tape was therefore classified as "top secret".
Incredibly, there was a vulnerability discovered in this "perfect" SIGTOT cipher system, so the US military gradually discontinued its use
at great expense in 1959. This was a closely held secret and only revealed decades later in 2007, which will be explained below.
Pictured below is the heart of the cipher portion of the teletype system, the receiving transmitter distributor, which is essentially a paper
tape reader. The difference between this special receiving TD and a standard TD is the receiving TD has a disk with 15 segments instead of
only 7, which allows for the second plaintext tape reel to be electronically added to the random tape reel. The receiving TD also has the
relays used to electronically combine the letters from the two tape reels, which are then sent to the remote teletype station.
Teletype Model 14 - Standard TD with 7 segments on disk
Teletype Model 14 - Receiving TD with 15 segments on disk
The random tape is electronically read in the receiving TD and electronically combined with the plaintext tape, which is read on a standard
transmitter distributor. The Baudot signals are combined by use of the XOR function (Boolean "exclusive or" function) to create the enciphered
text. Vernam did not use the term XOR in his patent, but he implemented that operation in relay logic of the receiving TD.
In the example from Vernam's patent, the plaintext letter A is added to the random key character B, which after the XOR operation results
in the ciphertext letter G. The G would be sent to the remote teletype location, where the G is read in the standard TD and the key tape
containing the first random character B is read in the receiving TD. After the XOR operation, the result is the original plaintext letter
A which would then be printed. This example is shown in Baudot code below.
+ + - - - Plaintext letter A
An elegant design feature of this "Secret Signaling System" is the encipherment is self-reciprical, the same XOR function will both encode
or decode the message. The NSA has called this patent "perhaps one of the most important in the history of cryptography."
+ - - + + Random key letter B
- + - + + Result of XOR, ciphertext letter G which is sent to remote location
- + - + + Ciphertext letter G
+ - - + + Random key letter B
+ + - - - Result of XOR, plaintext letter A
The enciphered messages are sent via wired or
radio connection to a receiving teletype location. The receiving location would have the same random tape in the receiving TD set to the
same starting character as it begins receiving the signals. So the signals through the wires or the airways would be enciphered but the
messages would print out on the teletype in plaintext automatically. After the random tape was used once, it would be destroyed. Ships
out at sea for many months would require large volumes of these random tapes.
The story of why the US military discontinued the use of SIGTOT is filled with cold war intrigue and deception and was a closely guarded
secret until it was revealed by the NSA in 2007.
In 1943, AT&T engineers discovered that teletype machines emitted electromagnetic pulses which would betray the message before encryption
took place. These pulses were detectable on the signal wire, over power lines, copper water lines or even in the air. These signals could be
tapped as far as 20 miles away and still be amplified and read without the sender knowing his message has been compromised.
This electromagnetic pulse was discovered to emanate from any electromagnetic device, including modern computers. A program code-named Tempest
was created to combat this ubiquitous security threat. This capability to tap into encrypted communications before the encryption takes place
was exploited in East Berlin in 1955. The US tunnelled under the Berlin Wall to tap into the phone and teletype lines in Berlin, which was the
hub for all communications between Moscow and Eastern Europe. This tunnel we operational for 11 months before the East Germans famously and
publicly displayed the dastardly acts of the US. Their plans backfired when the Western public reaction was admiration for the technology
and daring for digging a tunnel under the Berlin Wall.
Cipher Machine One-Time Pad
The one-time pad was also incorporated into traditional cipher machines by the Hagelin company. They had a "pin and lug" mechanical cipher
device called the C-446 which was similar to the M-209 cipher machine they sold to the US during WW2. The C-446 used the same cryptologic
technology as the M-209, including the use of pin and lugs with 6 rotor wheels and both were based on the prior C-38 cipher device. The M-209
was introduced in 1943 and the C-446 was introduced in 1944. The main difference between the two devices was the M-209
used one paper tape roll to print either the enciphered text or the deciphered text while the C-446 had two tape rolls and could print both
enciphered and deciphered texts simultaneously. The C-446 was compatible with the C-38, the M-209, the BC-38 and the later BC-543.
Hagelin Cipher Machine C-446-RT One-Time Pad
The C-446 was available in a commercial gray color or a military green color. It was known to be used by the Dutch and Norwegian militaries
into the 1960s when they were replaced with the later and more powerful CX-52s. These machines were then kept in storage for several decades
for possible backup use. Since they were entirely mechanical devices, they would continue to operate even after a nuclear blast may render
other electro-mechanical cipher devices inoperable.
The C-446-RT (Random Tape) was a special version of the C-446 which did not have rotor wheels but used a paper tape reader to automatically
encipher and decipher the message. This device was not compatible with the other Hagelin cipher machines. The tape reader replaced the
function of the rotor wheels, as you can see in the picture below. The random tape was a teletype paper tape using the 5 bit Baudot code
and would advance a character at a time as the lever is depressed to encipher or decipher each character of a message.
Hagelin Cipher Machine C-446-RT on left compared to standard C-446
Photo courtesy of Paul Reuvers and CryptoMuseum.com
The random tape used for the C-446-RT was the same as the tape used for the SIGTOT teletype cipher above but the SIGTOT converted the paper
tape into electrical impulses to be XOR'ed and then sent via wired or radio connections. The C-446-RT is entirely mechanical so the paper
tape is read a letter at a time to then be XOR'ed and printed on the roll of paper tape in the C-446. There are two print reels, one for
the plaintext and the other for the ciphertext.
Compared to the SIGTOT teletype system, this is a much more manual process and similar to the use of other manually operated cipher devices.
After enciphering each letter of a message, the message would normally be sent in morse code via radio. The receiver of the message would
have a duplicate random tape set to the same starting position and then decode the message a letter at a time. After the random tape was
used once, it would be destroyed.
Hagelin made other traditional pin and lug cipher machines into random tape machines, including the CX-52-RT and CD-57-RT. Hagelin also
manufactured a traditional teletype one-time tape machines, called the T-52 and the T-55. These machines had the option of incorporating the
pin and lug of the CX-52, so it could exchange messages with the CX-52 or use the psuedo number generator of the CX-52 instead of using
random tapes. Using the T-52 or T-55 in this fashion would not be unbreakable, since this would not be true random tapes.
See the Entire Collection of Cipher Machines
See detailed pictures of the US Air Force SIGTOT Teletype Cipher and the Hagelin C-446-RT
While the one-time pad provides a secure cipher, it also requires the use of large volumes random paper tape reels. Producing and
transporting these random tapes was cumbersome and a security threat if captured, so the use of one-time pads was limited to the most
secure messages. Both the SIGTOT Teletype cipher and the Hagelin C-446-RT are rare cipher devices. They were sold exclusively
for military use and most were destroyed instead of being made surplus and available for resale.
The SIGTOT receiving TD is a US Air Force Model 14 Teletype device, which is the first device manufactured to the specifications of the
original Vernam one-time pad patent of 1919. The Hagelin C-446-RT was used by the Dutch Navy until it was made surplus in the late 1990s,
by mistake, and removed from the surplus market after only one day. Only a few were already sold and the rest were destroyed. Some of
these devices were also given to retiring Dutch Navy personnel as mementos. Only a small number of these remaining devices are of the
special Random Tape variety.