
LCTK – Little Cryptologist’s Toy Kit

The Little Cryptologist’s Toy Kit

(Please refer to Wikipedia’s article on Cryptology ( http://en.wikipedia.org/wiki/Cryptology ) to find out what this means, that is,
what the term “Cryptology” means. The expression “Toy Kit” refers to a collection of small gadgets to play with, as compared to
the term “Tool Kit”, which usually stands for something to work with. The adjective “little” refers to the budget. )

Peter H. Rassmann, 05/2007

Lorenz Cipher Machine SZ40

Theory & Practice

Technisches Büro Erlangen, Peter H. Rassmann; +49 172 4423637 peter_rassmann@yahoo.com


Paul-Gossen-Str. 34, 91052 Erlangen, Deutschland / Germany. 16.07.2007 12:55 Seite 1 / 60

1 Theory ............................................................................................................................................. 3
1.1 Ciphered messages & catalogues ......................................................................................... 3
1.2 Random Numbers .................................................................................................................. 4
1.3 Distributed Message Storage................................................................................................. 8
1.4 A, B, C .................................................................................................................................. 11
1.5 Relay Race........................................................................................................................... 13
1.6 Concealed searching ........................................................................................................... 14
1.7 Embedded System ............................................................................................................... 16
2 Real Applications .......................................................................................................................... 18
2.1 Mobile Phones...................................................................................................................... 18
2.2 Multi-Party Team Centre ...................................................................................................... 20
2.3 Problem Report / Request for Information / Transactions ................................................... 21
3 Networking .................................................................................................................................... 22
3.1 Networking & Cipher ............................................................................................................ 22
3.2 Ciphering a Link ................................................................................................................... 24
3.3 Quod licet Jovi non licet Bovi ............................................................................................... 25
3.4 Pads: Creation, Distribution, Security .................................................................................. 26
4 Summary....................................................................................................................................... 28
5 Practice ......................................................................................................................................... 29
5.1 Preparations ......................................................................................................................... 29
5.2 Ciphering a Message with a One-time Pad ......................................................................... 31
5.3 Ciphering Pads with Pads .................................................................................................... 35
5.4 Distributed Ciphers............................................................................................................... 36
5.5 Dump a message into a picture’s bitmap............................................................................. 38
5.6 Your OTP Disk ..................................................................................................................... 40
6 Appendices ................................................................................................................................... 41
6.1 Quantum Cryptography and One-time Pads........................................................................ 41
6.2 Crypto-Logic ......................................................................................................................... 42
6.3 Dizzy..................................................................................................................................... 43
6.4 Circular Addition ................................................................................................................... 50
6.5 Other Ciphers as a Fallback................................................................................................. 50
6.6 From the Wikipedia .............................................................................................................. 51
6.6.1 One-time pad ................................................................................................................... 51
6.6.2 Perfect secrecy ................................................................................................................ 51
6.6.3 History.............................................................................................................................. 52
6.6.4 Example ........................................................................................................................... 52
6.6.5 Applicability of one-time pads .......................................................................................... 54
6.6.6 Uses ................................................................................................................................. 55
6.6.7 Exploits ............................................................................................................................ 56
6.6.8 True randomness requirements....................................................................................... 56
6.6.9 Methods that may offer empirical security, but do not have Shannon security ............... 56
6.6.10 Methods that offer neither empirical security nor Shannon security ........................... 57
6.6.11 Achieving Shannon security ........................................................................................ 57
6.6.12 Making one-time pads by hand ................................................................................... 58
6.6.13 Sources ....................................................................................................................... 59
6.7 As I understand it ................................................................................................................. 60


1 Theory
1.1 Ciphered messages & catalogues

A ciphered message is a message you cannot read if its content, in somebody's opinion, is none of
your business. If it were your business, you would have a key to read it. The "Little
Cryptologist's Toy Kit" contains some toys to show you what you could do if messages were your
business. If messages were your business, you would want to cipher them to make sure they don't
become somebody else's business.

A very simple way to "cipher" a message is to use catalogued values for the message's content. For
example, if you and the recipient of your messages agreed on the "SPO rule" (subject,
predicate, object) to form sentences, or even on some more sophisticated syntax, and if you
catalogued all possible values for S, P and O using numbers, you could form quite a few
"sentences" by exchanging just three numbers per sentence. You could also fairly easily translate
the catalogues into another language and thereby provide a way to automatically translate your
messages.

Thinking draws energy from your brain. Sugar, for example, is a way to provide energy to your brain,
as you will understand after reading the content labels of sport drinks. It is known that the reading and
understanding of formulas is a sugar consuming activity. So if you are running low on sugar today, you
may want to proceed to the chapter “Summary”.

The catalogues mentioned here are sometimes called "code books". As an example of a simple
catalogue, or code book if you prefer, look at this very simple table:

Subject             Predicate           Object
1 = en: Woman       1 = en: to drive    1 = en: Porsche
    de: Frau            de: fahren          de: Porsche
2 = en: Man         2 = en: to buy      2 = en: Car
    de: Mann            de: kaufen          de: Auto

The messages "1,2,1" or "2,1,2" would be "Woman buys a Porsche" or "Man drives a car" in English
(en) or "Frau kauft Porsche" or "Mann fährt Auto" in German (de). Somebody who doesn't have the
catalogues with those code numbers wouldn't be able to find out the meaning of the 1's and 2's, but
after intercepting several messages and comparing them with who drives what car in real life, he
might well guess it after a while.

By the way, those numbers from your catalogues and messages would allow for an easy way of
running statistics over your messages, in case you feel you want to collect them and store them in a
database – the messages, I mean.

Well, when I wrote "simple" or "easy" so far, I was talking about the task of enumerating words or
expressions and listing them in a catalogue. Mostly, that's a lot of work, because you would have to
gather everything that might ever be of interest into those catalogues, somehow. And it becomes a
science when you start to categorize the numbers in ever more complicated and interrelated schemes.
Decision makers like it that way. If you have a really complex system of catalogues like that, you can run
really fancy statistics over it, and thereby give executives a reason to hand over some more
money for the IT systems.

Furthermore, catalogues are a way to compress the messages, since "1,2,1" is shorter than "Woman
buys a Porsche".

But this is not what you'll find in the "Little Cryptologist's Toy Kit". It's not about catalogues and code
books. Instead, you'll find a description of how to use random numbers to cipher messages.


1.2 Random Numbers


If you read this, you’ll probably know that, with computers, a way to write any message is as a string of
1’s and 0’s, where a position in that string carries a “Bit” of information. Now consider such a string
called a message, another string called a pad which acts as a “key” here, a way to combine them
called crypto procedure and a resulting string of bits, again of the same length, called the secret.

message -> 001001110101010110101001001001001
pad     -> 100111001010010010010011011010111
           (Crypto: bitwise XOR of the two rows)
secret  <- 101110111111000100111010010011110

The crypto procedure in question is known as a “bitwise exclusive or”. That is, whenever you have a
“0” in the message hit a “1” in the pad or vice versa, the resulting position (bit) in the secret is a “1”,
whenever you have a “0” hit a “0” the result is “0”, and a “1” on a “1” is also – you expected it – a “0”.
Or, in other words, if there are two zeros, the result is zero, and if there is a one in one of the pad or
the message but not in both, the result is a one. If there is a one in both the pad and the message, the
result is zero again.

That’s what “Exclusive OR” means, or, even more scientific: “Bitwise Exclusive Or”. Not very
complicated, if you come to think of it. It works the other way around, too. So if you want to decipher
the secret, then you just compare it to the pad. “Compare” here means doing a “bitwise exclusive or”
operation again, like this:

secret  -> 101110111111000100111010010011110
pad     -> 100111001010010010010011011010111
           (Crypto: bitwise XOR of the two rows)
message <- 001001110101010110101001001001001

I have chosen a notation like the above because you can easily picture it like this: the two inputs
come in from the top left, with their bits aligned in corresponding positions. Then it goes
ring-ring-a-ring, and the bits of message and pad are compared independently, as if they were
independent messages of one bit each, according to the following rule:

message -> 0    0    1    1
pad     -> 1    0    1    0
           XOR  XOR  XOR  XOR
secret  <- 1    0    0    1

That is how simple it is. It is so simple and well known, in fact, that computers have a hardwired
instruction to do it, the "bitwise XOR". However, computers mostly work on several bits at a time, and
you must be careful to make sure it is a bitwise operation you are looking at, not a logical one that
reduces whole values to a single true or false. Depending on the programming language, the symbol
for the "Bitwise Exclusive OR" operation may be something like ".XOR." or "^".


You may know the XOR operation from Boolean Logic, that is, from a logic in math that deals with
logical variables and the values “true” and “false”. If you set a “1” for “true” and a “0” for false, then the
XOR operation for two logical variables A, B would be written A^B and have the following truth table:

 A    B    A^B
---  ---   ---
 1    1     0
 1    0     1
 0    1     1
 0    0     0

For our purpose, we rewrite the table like this

Bit from     Bit from         gives this Bit in
Message      One-Time Pad     ciphered Message
   1              1                  0
   1              0                  1
   0              1                  1
   0              0                  0

This table tells you how to combine a bit from the message with a bit from the one-time pad to obtain
the corresponding bit of the ciphered message. You can easily tell how a deciphering works by writing
the table again and adding a column with the bit of the pad “xored” once more.

 A    B    A^B    A^B^B (same as A)
---  ---   ---    ----------------
 1    1     0            1
 1    0     1            1
 0    1     1            0
 0    0     0            0

So no matter what the bits are within the pad, if you XOR a bit “A” in the message with a bit “B” in the
pad twice, you get the original message-bit “A” back.

If you are familiar with all this, I apologize for the somewhat slow rate of knots of explanations. I just
want to make sure I don’t lose anybody already with the basics, for some knots there really are.

Now, if somebody intercepts a secret bit "0", how can he know what the message bit was without
knowing the pad? If the pad bit is "0", the message bit was "0"; if the pad bit is "1", the message
bit was "1". No way to find out. And he has the same problem with a secret bit "1".

The way some deciphering attacks work is to look at the statistics. If you used a fixed key (not
necessarily a pad of the type discussed here, but any fixed method of ciphering) for all the
ciphering you do, then a listener would collect the messages and try to find the fixed key or
method that gives a meaningful translation for all of them, that is, a method that gets something he
can read, or that makes sense to him, out of all the messages he has collected so far. He would then
claim that your cipher is broken. There is a good chance that he is right.

To prevent that from happening, use a fresh pad for each message. It really is important. That’s what
the name “fresh tape method” or “fresh pad method” really means.

Here is an example. There are two messages, "HE IS MY FRIEND" and "SHE IS YOUR ENEMY". If
you used the same pad to cipher both, the first message might look like "´b-øЄïEõ¹1" and the
second like "&fò;dµð ¹«žâ Ç ¸". Tough job. But if an adversary realises that the same pad was
used, he can XOR the two secrets together: the pad cancels out and what is left is the XOR of the
two plain texts. He then cranks through bit patterns until both messages decipher into something
readable at the same time, using the same bit pattern for both. Eventually he will hit a bit pattern
that produces "HE IS MY FRIEND" and "SHE IS YOUR ENE##" at the same time. Left with only the two
characters past the end of the shorter message, he guesses the rest. That was the point with the
much-talked-about VENONA project. Some pads were used several times over, and spies were
caught as a result. Stupid. If somebody detects the same pad "in there", somehow, it's easy to break
the cipher.

That’s what one-time pad really means, don’t use it twice.
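The attack just described, worked through in code. This is an added example, not code from the original document: it uses the two messages quoted above, a random pad generated inside the example, and the guessed word "FRIEND" as the attacker's crib (all constructed here). The pad is never shown to the attacker; only the two secrets are.

```python
import os

# Constructed inputs: the two messages quoted in the text. The pad is random.
M1 = b"HE IS MY FRIEND"
M2 = b"SHE IS YOUR ENEMY"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad: secret = message XOR pad. The pad must be at least as long."""
    if len(pad) < len(message):
        raise ValueError("pad too short")
    return xor_bytes(message, pad[:len(message)])


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Two-time pad attack. With c1 = m1 ^ k and c2 = m2 ^ k we get
    c1 ^ c2 = m1 ^ m2: the pad drops out. XOR a guessed fragment of one
    plain text (the crib) into every position of m1 ^ m2; where the guess is
    placed correctly, the other plain text shows through. Returns
    (offset, fragment) for every position where the fragment is printable
    ASCII; the attacker then reads through the candidates."""
    n = min(len(c1), len(c2))
    diff = xor_bytes(c1[:n], c2[:n])
    hits = []
    for off in range(n - len(crib) + 1):
        frag = xor_bytes(diff[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in frag):
            hits.append((off, frag))
    return hits


def recover_pad(secret: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Any known plain text gives the pad bytes at that position: k = c ^ m."""
    return xor_bytes(secret[offset:offset + len(known_plaintext)], known_plaintext)


def demo() -> dict:
    """Run the attack on the constructed messages and report what leaks."""
    pad = os.urandom(max(len(M1), len(M2)))
    c1 = encrypt(M1, pad)
    c2 = encrypt(M2, pad)        # the mistake: the same pad serves a second message
    # The attacker holds c1 and c2 only and guesses that "FRIEND" occurs somewhere.
    hits = crib_drag(c1, c2, b"FRIEND")
    # Trying the hit at offset 9 (where FRIEND really sits in M1) yields six pad bytes ...
    pad_guess = recover_pad(c1, b"FRIEND", 9)
    # ... which open the same six positions of the other message.
    leak = xor_bytes(c2[9:15], pad_guess)
    return {"hits": hits, "pad_guess_correct": pad_guess == pad[9:15], "leak": leak}


if __name__ == "__main__":
    result = demo()
    for off, frag in result["hits"]:
        print(off, frag)
    print("leaked from the other message:", result["leak"])
```

Note that the list of hits does not depend on the pad at all, because the pad cancels in c1 ^ c2; that is exactly why a second use of the same pad is fatal. The same XOR in `recover_pad` is also how a known plain text (a standard greeting, a timestamp) strips pad bytes off a secret, which is why pad bytes that are ever recovered must never be reused anywhere.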

For somebody with some experience in cryptography, or cryptanalysis, or cryptology, or whatever the
name is for the business of ciphering messages, the notion of "pad", for what looks a bit like a "key",
as used here may not be exactly what he knows from there. The type of "pad", our type of key,
used here requires that

1) the pad is a string of bits that are randomly set,
2) a fresh pad of the appropriate length is used for every message,
3) the pad is known to both the sender and the recipient.

Obviously, those requirements make it necessary to exchange a lot of random "pad" bits between
all the communication partners before a communication can take place, because you need a fresh
pad for every new message. So if you want to dive into the spying business and look for 007-style
adventures, you had better take a DVD-load of random pads along, and leave a copy at your home
base. Or a microSD card with 4 Gigabytes, the size of a penny, will do a nice job, too. It has the
additional advantage that it can be swallowed while passing your adversary's border controls.

The crypto procedure using fresh random numbers is known as the "Fresh Tape" procedure to
mathematicians (and other folks who work in the field). As far as the math goes, it is an unbreakable
procedure¹, but that's only as far as math goes. Since math can only handle a problem that is cast
into mathematical language, the outcome is also a statement in mathematical language, which may
differ from common sense.

The Fresh Tape cipher, also called One-Time Pad or OTP for short, is the only cipher which is,
mathematically, unbreakable. So why start with anything less? If somebody asks for another cipher,
he must have really good arguments. Such arguments may come about for some practical reasons:
too much pad handling, for the feeble minded. As I'll explain later, in practice, and if you take the
environment into account, there are quite a few arguments in favour of the Fresh Tape cipher method,
too. One of the best arguments is: it is simple. Even you and I can understand it. You don't have to
listen to some gurus or trust an agency. Everybody can have it. You won't see a government imposing
export restrictions on related technologies, because any computer-literate person can write such
programs while the rest of the IT staff is out for lunch.

For example, what do you care about an expert’s opinion like this: “We believe that we have strong
algorithms … for that cryptographic problem that we know a lot about solving - how to design secure
algorithms - …”. What do you care about the software if you don’t get the source code, or about
algorithms which you don’t understand - sometimes because you don’t care, ‘cause you disagree with
the presumptions about what security means?

So here is the number one rule in the cipher business: Don’t trust in gurus. They may be on
someone’s payroll. Understand what you are doing.

If this is the perspective, what was all that talk about cryptosomething that has been around for
decades? Partly, this is my personal opinion: the blurred image of cryptology, with "export
restrictions for 128-bit encryption technology" and all that, came about because somebody stated
some theorems based on restricted assumptions, and scientists could go and write theories and
papers about it and get some money to do that. Best of all, you could take bets, like which cipher will
be cracked, and when. That gave the guys with the money a welcome occasion to spend their time on.
If you have a business like that going, after a while people will start to believe that it is big science
because everybody is doing it. Maybe it even is big science, as long as you look at the ciphering of
messages with "small" keys, and using the same key, and ciphering method, all over. So what?
There is no ad hoc reason why a key should be small compared to a message, and there are good
reasons to exchange new keys for new messages, sometimes. Stay in contact, that way. Remember
the TANs from your home banking account?

Another problem then is how to generate, or better get or collect, a lot of random bits to use as pads.
There is no real random number generator in a computer program, and you really don't want something
like a mathematical formula, in the form of a computer algorithm, generating the numbers for you². I
believe that's because people are better at guessing or finding out formulas than they are at guessing
zillions of zeros and ones.

My preferred method? I am not going to tell you. That's because something that looks very much like
random to one person may have an obvious internal arrangement for another person. So if I told you
how I get my random bits, you might get an idea how to crack my ciphers. But for testing only, I have
found that the production of random pad bits is a good way to recycle all kinds of "digital garbage", by
ciphering it against each other first and then having a pseudo random number generator plough through
it, by way of XOR ciphering.

Whatever the method is that gets employed to collect random numbers – with one-time pads, you can
change that method arbitrarily at any time. You just write new pads, without changing the entire
ciphering system.

There are some more aspects to ciphering: it is not only the content of a message that carries
information, but also the length of the string that is sent, and the time of transmission. With the method
explained so far, the secret string has the same length as the message string. To get around this
problem, use a fixed message length for something like "standard messages", and multiples thereof,
transmitted at random intervals in between, especially when needed. The message then contains
information about its own real length, which is also ciphered, and is padded with random bits, say. If
you need to hide the transmission time, you could either send transmissions at periodic intervals, or
else broadcast noise all the time, so nobody would notice the secret, which looks like random bits
anyway. Or you may find a way to make the secret look like a harmless transmission of some
unimportant data. Hide it within some other data.
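Fixed-length frames with an enciphered length field, combined with the fresh-pad rule, as an added example that is not part of the original document. The 64-byte frame size, the 2-byte length field and the PadStore bookkeeping are choices made here for illustration; the messages are the two used earlier in the text, and the shared pad is generated inside the example.

```python
import os
import struct

FRAME = 64  # constructed choice: every transmission is a whole number of 64-byte frames


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """Hands out pad bytes exactly once. Sender and recipient hold identical
    copies and advance the same offset, so the same bytes never serve twice."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self.offset = 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: never rewind, load a fresh pad")
        chunk = self._pad[self.offset:self.offset + n]
        self.offset += n
        return chunk


def frame(message: bytes) -> bytes:
    """Real length first (2 bytes, big-endian), then the message, then random
    filler up to the next multiple of FRAME. Everything, the length field
    included, is enciphered afterwards, so an observer learns only the frame count."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length field")
    body = struct.pack(">H", len(message)) + message
    total = -(-len(body) // FRAME) * FRAME      # round up to a frame boundary
    return body + os.urandom(total - len(body))


def unframe(data: bytes) -> bytes:
    """Strip the filler again using the (now deciphered) length field."""
    (n,) = struct.unpack(">H", data[:2])
    if 2 + n > len(data):
        raise ValueError("corrupt frame")
    return data[2:2 + n]


def send(message: bytes, store: PadStore) -> bytes:
    padded = frame(message)
    return xor_bytes(padded, store.take(len(padded)))


def receive(secret: bytes, store: PadStore) -> bytes:
    return unframe(xor_bytes(secret, store.take(len(secret))))


def demo() -> dict:
    """Three transmissions of different real length, all the same size on the wire."""
    shared = os.urandom(4 * FRAME)     # the pad both sides were given beforehand
    alice, bob = PadStore(shared), PadStore(shared)
    s1 = send(b"HE IS MY FRIEND", alice)
    s2 = send(b"SHE IS YOUR ENEMY", alice)
    s3 = send(b"", alice)              # cover traffic: an empty message looks the same
    received = [receive(s, bob) for s in (s1, s2, s3)]
    try:
        send(b"x" * 100, alice)        # needs two frames, only one is left in the pad
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"lengths": [len(s1), len(s2), len(s3)], "received": received,
            "exhausted": exhausted, "in_sync": alice.offset == bob.offset}


if __name__ == "__main__":
    print(demo())
```

The receiver's store must advance in lock-step with the sender's, which is why both are fed the same pad and see the same sequence of frame sizes; a frame lost on the wire makes the offsets drift apart, and every later frame deciphers to garbage until the two sides resynchronise. Nothing here detects tampering either: flipping a bit of the secret flips the same bit of the recovered text, so a real link needs an authentication step on top of the pad.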


1.3 Distributed Message Storage


With the One-time Pad Method, you have exactly one pad for each message, to generate a ciphered
message (let's call that the "secret"). The pad is a collection of random bits, and the secret looks very
much like a collection of random bits, too. In fact, since you can't read the secret without the pad, and
the pad tells you nothing without the secret, it doesn't make sense to call one the "pad" and the other
the "secret". The message is split into two parts, and both are secrets.

Now you can store the two parts of the message in different places, say. Like that, no single person
in one of those places can reconstruct the message.
I admit that this complicates life a bit. Whenever you need a message, you have to reassemble it from
two parts. But on the other hand, if all deciphered messages are stored in one place, and they are of
the real stuff – real sensitive, real important, real valuable, they may suddenly walk out of the system,
in the real pockets of a system administrator who just experienced an unexpected and very generous
job offer from a competitor.

You may ask: "Big deal. What's the point? I can always stash away a ciphered message and the
key in different places."

This is true, but with the Fresh Pad Method it is a simple, one-to-one model. For example, you erase
"Part A of n", and your "Message n" is gone for good (this and the following assumes that the original
"Message n" was erased during ciphering). With other ciphers, you may have one key associated
with a lot of messages, and you may not be able to delete the messages independently.

Another example: Assume the following situation: There are two pads A and B, and the message M.
From that, using the above scheme, you can create the following “partial secrets”: A, B, AM, BM, AB,
ABM.

“AM” means Message M ciphered with pad A. The cipher is “XOR”, which commutes (“interchanges”),
so it doesn’t matter whether you write AM or MA. And AB is pad B ciphered with pad A, same as B
xored with A, which is BA.

These partial secrets can be stored in different places (A, B, AM, BM, AB, ABM), with different parties,
and the original message M shall be deleted.

Now, the following combinations allow for reconstruction of the message: (A, AM), (B, BM),
(AB, ABM), (A, B, ABM), (A, AB, BM), (B, AB, AM), (AM, BM, ABM). To help you read this: you just
write out the whole string, and every pair of identical symbols cancels out, like this:

Combination (AM, ABM, BM) -> AMABMBM
    -> (two As cancel out)  -> MBMBM
    -> (two Ms cancel out)  -> BBM
    -> (two Bs cancel out)  -> M      the message is deciphered

There is some redundancy within this construction, in the sense that the data can be stored in several
places and can be recovered when it gets destroyed in one of them. For example, when "A" gets
destroyed by accident, it can be retrieved from the combination (B, AB). That is, the parties where B
and AB are stored have to join in an enterprise to rebuild A. Or when ABM gets destroyed, it could be
retrieved from (A, BM) or (B, AM). A lost AB could be recovered from (A, B). You have to remember
that the data is real valuable, and that's why you don't want to lose it, neither to an adversary nor
to a catastrophe. Another important idea here is: you can reconstruct the partial secrets without
assembling all the other parts of the message in one place, so to speak. If, say, B was accidentally
lost, you would bring together (A, AB) to recover it, but the combination (A, AB) does not allow for
deciphering and extracting the plain text message M. You can be sure that, while you are busy
recovering B, no one sneaks out of the door with M.


Or else, you could decide not to store the “A”, “B” and “AB”. With this precaution, the message M
could only be retrieved by a three party combination (AM, BM, ABM), like this: AMBMABM -> MBMBM
-> BBM -> M.

Another way to look at this picture is like this: you have a message stream into a box, and three
ciphered data streams going out. An adversary would have to intercept all three streams to retrieve
the message, but you would have to receive all three, too, for the same reason. Is that good or bad?
Who knows. Maybe it can be used for, what was it called, authentication? Verification? Boxes are
nice because you can order them in machine shops, or you can build them in the way of fast hardware.

Whatever you do – you better be sure that the pads contain random bits, and are not recycled. (I am
afraid I have to write something about “How not to recycle random numbers” – probably concluding
that “4” is not to be reused because it is the third digit of pi.)

I think at this point it is worthwhile to note that there is not really a difference between "transporting a
message" and "storing a message". Data storage is merely a transportation of messages in time. If
there are adversaries that may intercept messages while they are sent from one place to another,
they may have the capability to gain control over one of those places in the future, too. This is evident
if you look at, say, a military situation, where one party may capture a "data centre" or a "command
vehicle" of the opponent. Or, if you like, somebody might try a more 007-style way and target the
people running the IT system.

The question is, once more: “What’s the deal? Get to the point.” Unfortunately, there is no real big deal
so far. Only one – one-time pad is the only secure cipher. Everything else is only “empirically secure” –
nice way of saying that you don’t know the person who cracked it. I am sure there is some way to do
all this using some other crypto procedures and some cipher techniques – in an empirically secure
way.

I have read an interesting piece of information about cipher systems: if they fail, they should fail
"gracefully". I am a German and it took me a while to figure out what "grace" means in relation to cipher
systems. I think what is meant is this: a cipher system is not supposed to vanish in a big bang, like
what would happen if an adversary got hold of a master key, if there is one. If there is no single
master key, you are into key management whether you like it or not. As you will see, there is no need
for key management here, as long as you have something like a workflow system in place: the key
handling (pad handling) is seamlessly woven into the workflow procedure. (Wow! Sounds like a SAP
R3 commercial.)

Here are some more advantages:

1) The One-time Pad procedure is very transparent, even when used with several pads. OK.
Relatively transparent. There is no secret technology involved with one-time pads.

2) It is possible to prevent accidental loss of data by distributing partial messages over different
storage locations with different parties. No single party has access to the data. Data could be
recovered by two or more cooperating parties. During the recovery process, no plain text
messages are created.

3) On the other hand, it is possible to set up a system in such a way that the data, or individual
messages, can be deleted by only one party participating in the scheme. That's like a "veto
right" on data storage.


4) It is also possible to store large amounts of messages in several places with several parties, in
such a way that the data, or a part of it, can only be read by at least three parties teaming up.
By doing so, none of the parties will have to expose a “general key” of some sort to the others.

5) It is therefore possible to set up task forces and provide selected data to them, while at the
same time keeping the bulk of the data secret. At least, in theory it is possible. Or not?

Or not? If you are into that team-building and task-forcing, it makes sense that only a selected subset
of each party's data is contributed to the task force or team. This will prevent a security singularity
with all the deciphered messages in one place. But how do you find the relevant data within all the
partial secrets of the participating parties? I mean, there obviously must be some identification
method to begin with, to find out which partial secrets belong to one message, so you can
reassemble it. That is, from the piles of (AM)n, (BM)n and (ABM)n etc. it must be possible to retrieve
the partial secrets for a given n, to construct Mn. Something like a tag or an identifier must be plain text;
let's say, a label with a plain text "n". So much for the easy part.

But how to find something of interest within the ciphered partial messages of the participating parties?
A special type of search engine is needed – I’ll talk about that later.

1.4 A, B, C
Before I explain some ideas about “concealed searching”, or “searching of anonymous data” (that’ll be
a better expression), I’ll take a dive into the 3-pad situation, with pads A, B, C.

The foregoing chapter was a pretty good warm-up for a three-pad scheme. Assume there is a
message M and three different pads A, B, C. Start with the message M. Ciphering it with A gives AM.
With B a BM, and with C a CM. You can also cipher the pads with each other, producing AB, BC, AC
and ABC.

Related to one message M, you would have the following items (pads & secrets):

A B C AB BC AC ABC

and, used as ciphers for M, you have the partial secrets:

AM BM CM ABM BCM ACM ABCM

From here on, you have to make up your mind as to which of the partial secrets you want to use to
transport and store your messages, and perhaps how to combine them. A very simple one is this: You
store the combinations (A, AM), (B, BM) and (C,CM).

“A, B, C” Design 0: Store (A, AM), (B, BM) and (C, CM)
with three parties.

Obviously, you have a triple redundancy against data loss here, but also a high risk of a 007 sneaking
up to one of the parties, applying the pad to the secret and obtaining the message.

For another example, you could just store ABM, BCM and ACM in three different places, with three
parties. (Again, it is assumed that all partial secrets and pads that are not mentioned here are deleted
at the end of the ciphering process).

A,B,C Design 1:
The ABM, BCM, ACM design: Those three partial
secrets are stored with three parties.

No single party can read the messages, neither can two, if they team up – here is why:

Two parties try to read, say: ABM, BCM -> (B’s and M’s cancel) -> AC, which is no message.

But all three parties together can read it.

Three parties: ABM, BCM, ACM -> ABMBCMACM ->
A’s cancel -> BMBCMCM ->
B’s cancel -> MCMCM ->
C’s cancel -> MMM ->
Two M’s cancel -> M, the plain text message

However, in this situation, when you decided to keep only the ABM’s, BCM’s and ACM’s, and nothing
else, the loss of one of those partial secrets would destroy the message M, because it cannot be
reconstructed.

Or else, you could decide to keep the pads A, B, C and the partial secrets AM, BM and CM, but group
them together before storing them with different parties:

A, B, C Design 2:
Party “C” holds (AM, BM, C); Party “B” holds (AM, B, CM); Party “A” holds (A, BM, CM).

It’s easy to see that any combination of two parties can read the message. If, say, the party labelled
“C” loses its name-giving pad C, the other parties can reconstruct it by doing A, AM, CM ->
AAMCM -> MCM -> C. Everything can be recovered!

There are quite a few more designs that could be based on the A, B, C three-pad situation. They can
be tailored “according to your needs”, as a salesman would put it.
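Design 1 and Design 2 worked through in code. This is an added example and not part of the original toy kit: ciphering with a pad is XOR, as everywhere in this document, `design1_*` implements the ABM/BCM/ACM design and `design2_*` the (AM, BM, C) / (AM, B, CM) / (A, BM, CM) design, including the reconstruction of a lost pad C from the other two parties’ items. The function names and the 16-byte sample message are mine.

```python
import functools
import operator
import os


def xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings; ciphering with a pad is exactly this."""
    assert len({len(p) for p in parts}) == 1, "pads and message must have equal length"
    return bytes(functools.reduce(operator.xor, col) for col in zip(*parts))


def make_pads(length: int):
    """Three independent pads A, B, C from the OS CSPRNG; each is used once only."""
    return os.urandom(length), os.urandom(length), os.urandom(length)


# --- Design 1: the parties keep ABM, BCM and ACM; every other item is destroyed ---

def design1_split(m: bytes, a: bytes, b: bytes, c: bytes) -> dict:
    return {"ABM": xor(a, b, m), "BCM": xor(b, c, m), "ACM": xor(a, c, m)}


def design1_join(shares: dict) -> bytes:
    """A, B and C each appear twice and cancel; M appears three times and survives."""
    return xor(shares["ABM"], shares["BCM"], shares["ACM"])


def design1_two_parties(shares: dict, x: str, y: str) -> bytes:
    """What two cooperating parties can compute, e.g. ABM xor BCM = AC: no M in it."""
    return xor(shares[x], shares[y])


# --- Design 2: party "C" holds (AM, BM, C), "B" holds (AM, B, CM), "A" holds (A, BM, CM) ---

def design2_split(m: bytes, a: bytes, b: bytes, c: bytes) -> dict:
    am, bm, cm = xor(a, m), xor(b, m), xor(c, m)
    return {
        "C": {"AM": am, "BM": bm, "C": c},
        "B": {"AM": am, "B": b, "CM": cm},
        "A": {"A": a, "BM": bm, "CM": cm},
    }


def _pool(shares: dict, parties) -> dict:
    """Everything the named parties put on the table when they team up."""
    return {k: v for p in parties for k, v in shares[p].items()}


def design2_read(shares: dict, *parties: str):
    """M is readable iff some pad X and its partial secret XM are both on the table.
    A single party never holds such a pair; any two parties do."""
    pool = _pool(shares, parties)
    for x in "ABC":
        if x in pool and x + "M" in pool:
            return xor(pool[x], pool[x + "M"])
    return None


def design2_recover_pad(shares: dict, lost: str, *helpers: str):
    """Rebuild a lost pad from the others, e.g. A xor AM xor CM = C."""
    pool = _pool(shares, helpers)
    if lost + "M" not in pool:
        return None
    for y in "ABC":
        if y != lost and y in pool and y + "M" in pool:
            return xor(pool[y], pool[y + "M"], pool[lost + "M"])
    return None


if __name__ == "__main__":
    m = b"sixteen byte msg"
    a, b, c = make_pads(len(m))
    s1 = design1_split(m, a, b, c)
    print("Design 1, all three parties:", design1_join(s1) == m)
    s2 = design2_split(m, a, b, c)
    print("Design 2, party C alone:", design2_read(s2, "C"))
    print("Design 2, parties C and B:", design2_read(s2, "C", "B") == m)
```

Note that `design1_two_parties` returns a pad combination (AC, AB or BC) that is perfectly random from the two parties’ point of view, while `design2_read` of a single party returns `None` because no (X, XM) pair is ever stored at one place.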

1.5 Relay Race

Another problem can be covered with the one-time pad model. This makes use of the fact that
ciphering with pads, as a procedure, commutes. This means that if you cipher a message with pad A,
and cipher the result with pad B once more, you can take out the pad A cipher right after that, before
undoing the pad B cipher. The message stays ciphered all the time like that.

With other cryptographic systems, it is usually not possible to “withdraw a ciphering from
underneath another ciphering”. Those stacked ciphers are sometimes called “onions”, because they
have one skin above the other skin (e.g. “Onion Router” etc.). With one-time pad systems, you can
actually “withdraw” one level of crypto from underneath the other.

A scheme like the above makes sense in an environment where, say, a ciphering with B and a
deciphering with A is done by some different machines, and the message has to pass thru a wire
between them. You may not want plain text messages to parade thru that wire.
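The relay race as an added example (my code, not the author’s): `relay_race` traces every state that exists on the wire when the machine holding B adds its layer and the machine holding A then withdraws A from underneath it, and `plaintext_on_wire` checks that none of those states is the plain text. For contrast, `toy_encrypt` is a constructed toy cipher (XOR followed by a byte rotation, not any real algorithm) whose layers do not commute, so taking A out first produces garbage.

```python
import functools
import operator


def xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings (pad ciphering)."""
    assert len({len(p) for p in parts}) == 1, "pad and data must have equal length"
    return bytes(functools.reduce(operator.xor, col) for col in zip(*parts))


def relay_race(m: bytes, pad_a: bytes, pad_b: bytes) -> list:
    """Trace of what travels over the wire. The machine that knows A never knows B
    and vice versa; the plaintext exists only at the two ends."""
    am = xor(pad_a, m)        # sender: cipher with A
    bam = xor(pad_b, am)      # machine holding B: add B on top -> B(A(M))
    bm = xor(pad_a, bam)      # machine holding A: withdraw A from underneath B -> B(M)
    m_out = xor(pad_b, bm)    # recipient: remove B
    return [("A(M)", am), ("B(A(M))", bam), ("B(M)", bm), ("M", m_out)]


def plaintext_on_wire(trace: list, m: bytes) -> bool:
    """True if any state except the final delivered one equals the plaintext."""
    return any(state == m for _, state in trace[:-1])


# A toy cipher that does NOT commute: XOR with the key, then rotate the bytes by key[0].
# Constructed for contrast only; it is not any real cipher.

def rot(x: bytes, r: int) -> bytes:
    r %= len(x)
    return x[r:] + x[:r]


def toy_encrypt(key: bytes, x: bytes) -> bytes:
    return rot(xor(key, x), key[0])


def toy_decrypt(key: bytes, y: bytes) -> bytes:
    return xor(key, rot(y, -key[0]))


def toy_relay_order(m: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Relay-race order with the toy cipher: B added on top, then A withdrawn first.
    Because the layers do not commute, the result is garbage, not M."""
    layered = toy_encrypt(key_b, toy_encrypt(key_a, m))
    return toy_decrypt(key_b, toy_decrypt(key_a, layered))


def toy_onion_order(m: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Peel the onion from the outside in: B first, then A. This works."""
    layered = toy_encrypt(key_b, toy_encrypt(key_a, m))
    return toy_decrypt(key_a, toy_decrypt(key_b, layered))
```

The pads in `relay_race` are used once per message; a real deployment would carry a plain text pad identifier alongside each frame so both machines advance through their pad streams in step.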

1.6 Concealed searching


One general problem about “searches” within a database is the simple fact that, in order to search,
you have to read thru the data. In information technology, if you can read thru the data, that data is
yours.

Sometimes, you have a situation where an organisation may allow another organisation to do some
searching within its own proprietary data, but without handing over a full copy of the database. Only
selected items may be transferred. In such cases, one organisation may allow an “agent program” of
the other organisation to run on its own IT systems. This program would conduct searches on behalf
of the other organisation and locate the desired data items. It would then request permission to
transfer the data from the one organisation to the other. As an example, consider an Internet-style
search engine running within the intranet of one company on behalf of another company – however,
in this case requesting permission for each data item found before transmitting it.

Figure: Organisation A sends a search request into Organisation B’s intranet / databases; each item transfer is requested separately.

This is actually not very different from the good old days, where one party would access another’s
database thru a “terminal line connection”, except that there could be an additional mandatory
permission requirement in this case.

Another flavour of doing this type of “concealed searching”: The organisation “A” doesn’t see at all if it
scores a hit in the database, but if it does, organisation “B” receives a signal that will trigger it to
contact “A” in a way of its own choice.

A more complex situation is the searching of a database which has been distributed over several
parties by means of one-time pad technology. So, by definition, no single party can read the data. Of
course, if you went thru that effort, you wouldn’t want to reassemble the whole database for each
search. So there should be something different to search the data. One possibility is to use “search
keywords” to identify data items. For a person, that could be the names and the birthday.

As a specific example, let’s assume the database is spread over three parties for security reasons,
using the ABM, ACM and BCM partitioning with one-time pads explained earlier. Let’s further
assume we are dealing with a database for information about persons, and each person’s data
“object” with several related data records is identified by the person’s given first name (FN),
family or last name (LN) and birthday (BD). In almost all cases, a combination of values for FN,
LN and BD identifies a person’s data object. On the other hand, any single one of those usually
does not identify the person’s data object and its related data records. You can now separate a
search process into three different steps, which can be physically separated.

Like that, it is possible to construct a search function which is anonymous to a degree and that doesn’t
concentrate the readable data (and the data’s interrelations) within a singular place. For additional
improvements, you could add “phantom” names to the lookup table.

However, this construction is surely not a general purpose tool. It is based on the fact that the data
items are not valuable, but only the interrelated data items represent a value. This method can be
extended to other searches. But I have a feeling that searching will remain a problem, for one simple
reason: For searching, you have to read some data.

You could also go ahead and try to use MD5 sums, or checksums, for additional security. You would
then store the MD5 sums of, say, “FN=Peter”, “LN=RASSMANN” and “BD=19570317” in the lookup
tables of the above construct. But it is not always clever to do that, since there are situations with
limited value spaces, like this one. Since there is a finite number of birth dates, it is simple to calculate
the MD5 for each of them. And there is also a limited number of possible names. So there is not really
a difference to the plain text version of the lookup tables, because it is easy to find the names for the
MD5 sums.
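The three-step search and the MD5 caveat, as an added example (my code and my constructed sample data, not the author’s). Each of the three lookup tables is meant to live with a different party and maps one keyword to plain text tags n; only the searcher intersects the three answers, so no single party sees which FN, LN and BD belong together. `add_phantoms` inserts the decoy names mentioned above. `birthday_md5_table` then shows the point about limited value spaces: every birthday of a little over a century fits into one dictionary, so an MD5 of “BD=…” can be looked up as easily as the plain text. The person names are from the text’s own example; tags and the other entries are constructed.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample data: the tag n is the only plain text item shared by all
# three lookup tables; the data objects themselves sit in partial secrets elsewhere.
PEOPLE = {
    1001: ("Peter", "Rassmann", "19570317"),
    1002: ("Anna", "Rassmann", "19600101"),
    1003: ("Peter", "Mueller", "19570317"),
    1004: ("Peter", "Rassmann", "19820505"),
}


def build_tables(people: dict):
    """Three lookup tables, one per party: FN -> tags, LN -> tags, BD -> tags."""
    fn, ln, bd = {}, {}, {}
    for tag, (f, l, b) in people.items():
        fn.setdefault(f, set()).add(tag)
        ln.setdefault(l, set()).add(tag)
        bd.setdefault(b, set()).add(tag)
    return fn, ln, bd


def add_phantoms(table: dict, phantoms) -> None:
    """Decoy entries: a key present in one table no longer proves a person exists."""
    for key, tag in phantoms:
        table.setdefault(key, set()).add(tag)


def concealed_search(fn_table: dict, ln_table: dict, bd_table: dict, f: str, l: str, b: str) -> set:
    """Three physically separable steps: each party sees only its own keyword and
    answers with a set of tags. Only the searcher intersects the answers, so the
    relation between FN, LN and BD is never assembled at a single party."""
    step1 = fn_table.get(f, set())
    step2 = ln_table.get(l, set())
    step3 = bd_table.get(b, set())
    return step1 & step2 & step3


def md5_tag(field: str, value: str) -> str:
    """The MD5 variant of a lookup key, e.g. md5("BD=19570317")."""
    return hashlib.md5(f"{field}={value}".encode()).hexdigest()


def birthday_md5_table(first_year: int = 1900, last_year: int = 2007) -> dict:
    """Hash every possible birthday in the range: the whole value space fits in one dict,
    which is why MD5 on such a field adds nothing over plain text."""
    table, d, end = {}, date(first_year, 1, 1), date(last_year, 12, 31)
    while d <= end:
        s = f"{d.year:04d}{d.month:02d}{d.day:02d}"
        table[md5_tag("BD", s)] = s
        d += timedelta(days=1)
    return table


def unmask_birthday(digest: str, table: dict):
    """Whoever holds the table reads the birthday straight off the digest."""
    return table.get(digest)
```

The same enumeration works for any field with a small value space, which is the defender’s takeaway: an unkeyed hash only protects values that are hard to guess in the first place.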

1.7 Embedded System


Just a note on the side, just before I go on to talk about bits and bytes, and before the stuff gets all too
boring, I’d like to explain some general considerations. Then, later on, I’ll tell you why I believe that the
methods explained here are a useful toy kit in the field – in some field, and will eventually evolve into a
tool kit.

Remember that practical cryptology is embedded in technology, time and society, too. That means
that if you have “something” that cannot be deciphered today, it may be possible to do it tomorrow.
Don’t trust your own expectations about computational requirements like machine speed or multiple
processors. For example, you think your secrets are safe because you need a machine 100 times as
fast to crack the cipher? By experience, such a machine will exist within 15 years from now. A billion times as fast?
Think of DNA computing as being fast on a nano scale and with something like 10^20 processors’ worth of
computing power. That is massively parallel. It doesn’t work today, but perhaps tomorrow (Or right now. For
what I’d like to think is the same reason, don’t underestimate human inspiration.)

There are simpler things, like this: If you use – say – a standard computer (PC or Sun, Alpha,
whatever …) to generate your random-bit pads, then there is a chance that the data will be stored on
some disk drive, which may be searched at some point. As you may know, it’s very hard to get rid of
data that has once been stored on a disk drive. Perhaps that searching of your PC will happen when
your PC is salvaged a couple of years from now, maybe even by historians, if you work on some
truly important stuff, like the STASI did in Germany, say. Also, you don’t know what a “personal
computer” will be in the future. Right now my kids’ mobile phones have more processing power than
the boxes on my desktop, and their internal storage at least reaches the same order of magnitude,
and they can be programmed – sort of – using the Java programming language. But I don’t know what
those things are communicating with. So I won’t use gadgets like that to – somehow – collect random
data for pads.

The secrecy of pads associated with messages well into the future is not important in itself, but mainly
to keep intercepted messages, or better messages in general, a secret even in the future. The
problem is not only about transmitted and intercepted messages, but also about messages a sender
or a recipient has stored in databases. If messages are not important, and if it were not important to
keep them secret, then there is no good reason to cipher them to begin with.

So what are the other demons lurking in the time? Let’s look at the future first.

Over time, the social environment may change. For example, if you were working for a company, that
company may be sold. The free market works like that, so it should be OK. But what if the company
was to be sold to an investor in a foreign country? Then issues like national security may become
important, because one reason that the data was important in the first place is that it contains
sensitive information about the people in a certain country. Everybody knows, but nobody talks about
it. Free marketeering is en vogue. But if you are running a database with sensitive information, you
may suddenly find yourself in a peculiar situation, between the chairs, let’s say – meaning well all along
but all of a sudden feeling targeted from several sides. Curiosity is a human feature which was
sometimes dubbed “intelligence”, and trying to gather information about people and technology
has been an intelligence task ever since. You may suddenly have the attention of intelligence services, the police,
and who else you don’t know yet.

The political environment may change. Political power in general and ruthless politicians driven by
ideology seem to have a tendency to take over databases with all sorts of information about the
people. In the worst case, politicians may try to gather information for the purpose of fighting political
enemies. Some of those people may become a top boss with the ability to hire and fire people in
certain institutions – like the ones you design IT systems for. This could happen on a large scale like it
did in Germany, where Gestapo or Stasi created an atmosphere of fear for years (Geheime
Staatspolizei = Secret State Police, a Nazi intelligence agency with police capabilities;
Staatssicherheit, Communist East Germany during the cold war, but otherwise very much like Gestapo). I
am sure this can happen, and did happen, in other countries, too. At present, there is a danger that an
anti-terrorist database, set up to fight suicide bombers, may end up as a repressive tool for
governments or political parties later. No matter where you live, you should take those possibilities into
account.

So if you design a system to exchange and store sensitive information, it’s not strictly a problem driven
by technological aspects only. Ciphering a message to send it across a network right now may not be
enough. You have to take the whole environment into account when you design such a system.

Oh yes – you don’t only have to make sure that the people who shouldn’t have access to the data
don’t get access, but also that the people who should have access can read it. But that’s a more standard
task, like doing backups once in a while. Or is it? How about backing up ciphered data, storing it in one
place and keeping a backup of the pads stashed away somewhere else?

So much for the future, but what about the past?

We may agree on the fact that there are some people around who are not stupid. There is a good
chance that some of them were involved in manufacturing the IT equipment you are using right now,
or maybe they were involved in writing the operating system or networking software. And maybe they
figured that somebody who will use such fine and expensive machines in the future would have real
valuable data to store there onto them.

At this point, people start to feel uneasy, because, to keep your information safe, you would have to
close-combat anything that could have been rigged, sometimes in the past. That is, virtually any
controller and any program in the IT system you are using could turn against you.

Thank you. Let’s proceed with the bits.

2 Real Applications
Just to make sure, by “real applications” I mean applications that could be built. Whether it’s
worthwhile to build them, the future will tell.

As a matter of fact – in a cryptological sense – applying the one-time pad technology to existing
applications would require a lot of “key handling” (or “pad handling”, as you would probably call it). But
that’s only at the first look. At the second look, if you think of pads as a resource that is consumed
during the execution of business processes, the key or pad handling becomes more natural, since
there are a lot of other resources that are eaten up in a similar way. Those resources could be:

- Accounts of all sorts
- Bandwidth
- Data storage capacity
- Order numbers or other tags that are used internally

I think the most reasonable approach to look for one-time pad applications in the real world is to look
for IT systems that handle such resources, and sneak the pads in, by attaching the pad handling to
the above resource handling. Very much clandestine.

2.1 Mobile Phones


Today, mobile phone service providers cipher their telephone communications using a stream cipher
called A5/1 or A5/2.

This cipher is known to be vulnerable to attacks – deciphering – to various degrees. In my personal
opinion – as I already mentioned several times – any cipher method has a built-in insecurity because
it depends on some “method”. A method will only work as long as some smart guy doesn’t find a
counter-method. The picture on the right shows a diagram of how the cipher works, and I put it here
because of its technical looks, which turn it into a nice decoration. The description can be found at
www.wikipedia.org.

Figure: A5/2 GSM Cipher Diagram

Suppose a mobile telephone network provider would decide to offer a secure telephone service. By
secure service I mean a service that cannot be tapped by adversaries who happen to have antennas
to pick up the radio waves transmitted by the phones. This company could hand out small cards, very
much like today’s prepaid cards, with pads stored onto them. With present technology, that could be 4
gigabytes per card at least. It would be good enough for some hours of ciphered telephone
conversation.

The customer would use up those pads for ciphering like he uses up money units on his prepaid cards
today. All “pad units” would be identified by a plain text identifier that is sent before the pad is used, to
make sure that the right corresponding pad is readied at the phone company.

Of course, the phone company could still read the messages (the conversation). But since in most
countries the phone companies are required to give law enforcement agencies access to their
networks, that’ll meet this requirement. But other spying, like the spying on technology-related phone
calls from satellites overhead, could be prevented.

For a secure peer-to-peer communication with mobile phones you can use flash cards with pads that
are exchanged between peers. For several peers, it may become rather inconvenient to
change the cards in the phone all the time. So there would be some home-based device with a
manager program to put pads from different peers on one storage card for the phone. The phone
could then use the incoming phone number to retrieve the right pads from the card.

A phone company could also use a “cipher relay race” system as described above to add some
additional security. That’ll work like this:

Customer A: cipher with pad A -> phone company: add cipher B, then undo cipher A -> Customer B: decipher with B

This would take out the need for the customer to exchange pads between peers for every peer-to-peer
link. Whatever, the customer must somehow trust the phone company – and, as far as trust goes, the
customers must be confident that nobody rigged the mobile phones, to begin with.

As a matter of fact, mobile phone companies already use IT systems to charge units associated with
cards against account usage of some sort. Such systems could be extended to handle the cipher
pads. The basic idea is not foreign to phone companies – extensive key handling (handling of one-
time pads is nothing but key handling). In a way, the prepaid card systems wouldn’t work if phone
companies couldn’t handle keys on a large scale, in principle.

If you assume a mobile phone has a data rate of 1 – 2 kilobytes a second, and there are small storage
cards with a capacity of several gigabytes, then such a card could hold pad key random bits for a
thousand hours of phone talking. Since providers offer rates with several gigabytes per month of data
transmission for data network access, I conclude that a card like that would hold about one month’s
worth of “typical” data transfers as well.

Of course, there would be additional data traffic on the provider’s side, because all those pad random
bits need to be swapped around to the devices doing the deciphering. This could perhaps require that
all such calls were to be run thru a few special places – like specialised physical locations with the pad
data on hand.
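The prepaid-style pad handling described above, as an added example (my code, not the author’s or any phone company’s): `PadCard.issue` creates identical customer and provider copies of a card of fixed-size pad units, `send_chunk` emits the plain text unit id ahead of the ciphered chunk so the other side readies the matching pad, and `take` deletes a unit on first use and refuses any second use of the same id, which is the check that keeps a pad from ever being reused. Card ids, unit sizes and `hours_of_talk` are mine; the latter only restates the 4 GB / 1 kB/s estimate from the text.

```python
import functools
import operator
import os


def xor(*parts: bytes) -> bytes:
    assert len({len(p) for p in parts}) == 1, "pad unit and chunk must have equal length"
    return bytes(functools.reduce(operator.xor, col) for col in zip(*parts))


class PadCard:
    """Pad units on a prepaid-style card. Customer and phone company hold identical
    copies made at issue time. A unit id travels in plain text ahead of the ciphered
    chunk so the other side readies the matching pad; a consumed unit is deleted and
    its id remembered, so it can never be used twice."""

    def __init__(self, card_id: str, units: dict):
        self.card_id = card_id
        self._units = dict(units)      # unit id -> pad bytes, removed once used
        self.consumed = set()

    @classmethod
    def issue(cls, card_id: str, n_units: int, unit_len: int, rng=os.urandom):
        """Return (customer copy, provider copy) filled with fresh random units."""
        units = {f"{card_id}-{i:06d}": rng(unit_len) for i in range(n_units)}
        return cls(card_id, units), cls(card_id, units)

    def units_left(self) -> int:
        return len(self._units)

    def next_unit_id(self) -> str:
        if not self._units:
            raise ValueError(f"card {self.card_id} is used up")
        return min(self._units)          # lowest unused id

    def take(self, unit_id: str) -> bytes:
        """Hand out a pad unit exactly once; refuse replays and unknown ids."""
        if unit_id in self.consumed:
            raise ValueError(f"pad unit {unit_id} already consumed, refusing reuse")
        if unit_id not in self._units:
            raise KeyError(f"unknown pad unit {unit_id}")
        self.consumed.add(unit_id)
        return self._units.pop(unit_id)


def send_chunk(card: PadCard, chunk: bytes):
    """Customer side: (plain text unit id, ciphered chunk)."""
    unit_id = card.next_unit_id()
    return unit_id, xor(card.take(unit_id), chunk)


def receive_chunk(card: PadCard, unit_id: str, ciphered: bytes) -> bytes:
    """Provider side: the id selects the pad; the same id a second time raises."""
    return xor(card.take(unit_id), ciphered)


def replay_is_rejected(card: PadCard, unit_id: str, ciphered: bytes) -> bool:
    """A replayed frame must not be deciphered with an already consumed unit."""
    try:
        receive_chunk(card, unit_id, ciphered)
    except ValueError:
        return True
    return False


def hours_of_talk(card_bytes: int, rate_bytes_per_second: int) -> float:
    """How long a card lasts at a given data rate (4 GB at 1 kB/s is about 1100 h)."""
    return card_bytes / rate_bytes_per_second / 3600
```

Because the unit id is the only thing sent in the clear, an eavesdropper learns how many units a customer has consumed but nothing about the content; the provider’s copy of the card, of course, can read everything, as the text points out.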

2.2 Multi-Party Team Centre

There may be situations when it makes sense to use cipher technology, and also to distribute a certain
task over several parties. Those parties would then collaborate to solve selected problems assigned to
them.

Such a situation could arise whenever companies decide to collaborate on an industrial project, say,
which requires a lot of common design work, with the design data stored in databases. In the public
sector, because of certain regulations and constitutional obstacles, it may be not advisable for some
agencies to directly exchange their data with other agencies. Privacy protection issues may be
involved. Or maybe some party finds it desirable to release some information to another party, but not
on a large scale and not in a way that can be automatically fed into other IT systems.

To address requirements of this kind, a sort of a multiple party team centre could be put into
place. The picture shows a possible configuration that I’d like to discuss, just as an example. Of
course, there are a lot of other possible configurations, depending on what is needed.

The picture shows the set-up of a three party team-work centre organised around an “internal
network”. “Internal network” means that it is physically located somewhere, at a certain location,
like a building or a secure room.

The idea now is that all three parties should freely cooperate within that room or building. A fourth
party called “network” regulates the data traffic and communication to the outside world. All three
parties may access data over the external network from their home base, say, and store it within the
internal database.

By using one-time pad technique, the internal database storage is set up in such a way that only a
given number of parties together (two or all three) can read or change the data or write new data. The
viewing stations don’t have data storage capabilities and are only used to view or enter data.

Depending on the centre’s policies, withdrawing one (or two) parties’ data storage from the centre will
disable read and write access to the common data. Each party’s proprietary data may be stored
outside the centre, available over the external network. This data would be ciphered by the party in
question, and by “network”. Data from other parties could be made available by “network”.

Probably it would be advisable to put the physical location under the supervision of the “network”
party, or yet another party, to make sure no 007-type equipment is used for uncontrolled data transfers
to the outside world.

Physically, the partial secrets of the common database can be written on removable storage devices,
like mp3 sticks or compact flash cards, and the parties provide their data only during times of
cooperation. If there is any danger that a party could “take over the centre by brute force”, the
individual parties could store their respective partial secrets at their home bases, and show up for
team sessions with only the means for accessing that data – e.g. one-time pads to retrieve it from
their home base.

With present technology, diskless workstations running a minimized UNIX could be used for viewing
stations, and a diskless server could be used as storage location – with all the data stored as “partial
secrets” on USB-sticks or flash cards / SD cards.

2.3 Problem Report / Request for Information / Transactions


There is an abundance of IT systems to handle processes that are related to problem reporting, the
request for information or any type of transaction handling (not only related to bank accounts).

All or most of those systems need some kind of privacy, and the general idea is not to add a cipher
technology on top of an existing system, but to build it into the system to begin with. Instead of adding
an additional cryptology tool and key management system to whatever is doing the original task, it is
easier to use the identifier and tags that are within such a system, and tie the one-time pad handling to
them.

For example, within the framework of online banking systems, secret numbers named “TANs” are
mailed to the customer. They are then used to authorize the customer’s online transactions. Much the
same way, a bank could mail small flash cards or USB devices with a number of one time pads to
encode and identify such transactions. In a help desk environment, any request for information is
typically assigned a “request ID”, which is either unique or is unique together with the customer’s ID.
The handling of such IDs could be tied to the handling of one-time pads. Any customer receives some
pads on a CD or DVD when he signs a support contract. He then uses the pads to cipher and
authorize his communication.

For example, here is how the Wikipedia describes an online banking system using TANs:

Transaction authentication number
From Wikipedia, the free encyclopedia

A transaction authentication number, or TAN, is used by some online banking services as a form of
single use passwords to authorize financial transactions. TANs are a second layer of security above
and beyond the traditional single-password authentication.

An outline of how TANs function:

- The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a
list, each 8 characters long, which is enough to last half a year for a normal user.
- The user picks up the list from the nearest bank branch. The user must typically identify
him/herself through presenting a passport, an ID card or similar document.
- A few days later, the user receives a 5 digit password by mail to the user's home address. The
user is requested to memorise the password, destroy the notice and keep the TAN list in a
safe place near the PC.
- To log on to his/her account, the user must enter user name and password. This may give
access to account information but the ability to process transactions is disabled.
- To perform a transaction, the user enters the request and "signs" the transaction by entering
an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to
the user. If it is a match, the transaction is processed. If it is not a match, the transaction is
rejected.
- The TAN has now been consumed and will not be recognized for any further transactions.

(If the TAN list is compromised, the user may cancel it by notifying the bank.)

This system, for one-time pads, would be very much the same, except that the user picks up some
small data storage device with the pads instead of a TAN list at the nearest bank branch. That could
be a USB stick or a mini-CD or a compact flash card.

Or even more basic: almost all database applications require the database administrator to create some
“database storage area” – on disk or whatever – in advance, by way of a “formatting” procedure. It
is possible to integrate the one-time pads within the formatting of distributed database storage, and
within the read and write procedures of the database software. The random pads would be filled into
the storage area at the time of formatting, and the reads and writes would cipher the data and
distribute it over the database’s locations. Like that, the random pads would be replaced by ciphered
data – by and by.
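The pre-formatted distributed storage just described, together with the “veto right” from section 1.3, as an added example (my code, not the author’s or any database product’s): `PaddedStore` formats two locations with random bytes, a write to a slot replaces location S’s random bytes with pad XOR record while location P keeps the pad, and a read needs both locations. The one practitioner’s check worth adding is in `write`: an overwrite refreshes the pad first, because ciphering two different records with the same pad bytes would expose their XOR. `veto_delete` shows that either party alone can make a record unrecoverable. Slot sizes and location names are mine.

```python
import functools
import operator
import os


def xor(*parts: bytes) -> bytes:
    assert len({len(p) for p in parts}) == 1, "pad and record must have equal length"
    return bytes(functools.reduce(operator.xor, col) for col in zip(*parts))


class PaddedStore:
    """Two storage locations (two parties), both formatted with random bytes.
    Location P keeps the pad of each slot. Location S keeps random bytes until a
    record is written, when pad XOR record replaces them. Each location on its own
    looks exactly like its freshly formatted state; reading needs both."""

    def __init__(self, slots: int, record_len: int, rng=os.urandom):
        self.record_len, self._rng = record_len, rng
        self.loc_p = [rng(record_len) for _ in range(slots)]   # party P's share
        self.loc_s = [rng(record_len) for _ in range(slots)]   # party S's share
        self.written = [False] * slots                          # client bookkeeping only

    def write(self, i: int, record: bytes) -> None:
        assert len(record) == self.record_len, "records are fixed length in this toy"
        if self.written[i]:
            # Overwriting would cipher a second record with the same pad bytes,
            # the one thing a one-time pad must never do: refresh the pad first.
            self.loc_p[i] = self._rng(self.record_len)
        self.loc_s[i] = xor(self.loc_p[i], record)
        self.written[i] = True

    def read(self, i: int):
        """Both locations cooperate; an unwritten slot is just random on both sides."""
        return xor(self.loc_p[i], self.loc_s[i]) if self.written[i] else None

    def veto_delete(self, i: int, location: str) -> None:
        """One party alone makes a record unrecoverable by re-formatting its half."""
        target = self.loc_p if location == "P" else self.loc_s
        target[i] = self._rng(self.record_len)

    def share(self, location: str) -> list:
        """What an observer at one location gets: fixed-size random-looking blocks,
        with no way to tell written slots from empty ones."""
        return list(self.loc_p if location == "P" else self.loc_s)
```

Splitting the same idea over three locations with the Design 1 or Design 2 layout of section 1.4 works the same way; only the formatting step and the write step change, the read step remains an XOR over the parties that take part.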

3 Networking
3.1 Networking & Cipher
In networking, you don’t only want to cipher the content of a single message, but on occasions you
also want to hide the sender, or the target address, or the way the messages travel along the network.
To address such questions, it makes sense to separate the network into a “Top Layer” (T) and a
“Bottom Layer” (B). A T-network facilitates communication between the applications you have in mind,
and the B network is doing the actual transportation of the data.

Of course, there are quite a few layered communication models around, notably the OSI layered
model. I use the T/B-model because you need to have means to manipulate the data handed from T
to B, to cipher it. Normally, the B layer is provided by some – provider – and you just tell the B network
to transport the data from here to there.

An example for a B-layer provider is the Internet. As long as you have two Internet IP addresses, you
can just send data from here to there, without very much of a concern about how that is done. Or on
an ISDN telephone network, you could just send data around between two devices with ISDN. The
same is true, in principle, for all digital telephone networks, including mobile phones. They all have one
property in common: As a user, you don’t have access to their internal workings and cipher
procedures. So that’s by definition the B-layer – it’s useful but cannot be trusted at all. And you never
know who is logging the data transfers and connections on any such network.

Most B-layer networks are organized in a centralized way, like the Internet is. There are – more or less
– central institutions to hand out names (alphabetical addresses) and numbers (numerical addresses),
and central servers (such as name servers within the Internet’s DNS system) where the names and
numbers can be looked up. The same for phone systems – you find member names and their phone
numbers, except you don’t have an automatic lookup to give the relations between names and
numbers (as a normal user, you don’t). But centralized it is – for you have unique phone numbers.

Since it is in general simple to trace a message in any centralized network, you would use another
way to address a communication partner within the T-layer of the network: you just send the message
across a link to a router, and you leave it up to the router to find the next link to forward the message.

A sender would thus have a table which contains the information about which link to use in order to
reach a given recipient. A router would have a table that tells it how to forward a message – that is,
again, which link to use – towards the recipient. The router also knows the link through
which it got the message. There is no need for a unique address for all participants of the T-layer
network. But each router needs to know what to do with a combination of “receiving link” and “content
of address header” for each message. In effect, this question has to be negotiated by the partners
within the T-layer who established the link.

The ciphering of messages is done according to the two network layers.

1) The sender or recipient of messages within the T-layer network reads plain text (of course).

   [ content: plain text ]

2) When the message is passed to the T-layer network, it receives a T-layer header with address
information in plain text. The content of the message is ciphered. The plain text header is readable to
routers, the sender’s terminal and the recipient’s terminal within the T-layer network.
(content is ciphered, the T-layer network header is plain text for T-layer routing)

   [ content: ciphered | T-layer header: plain text ]

3) When the message is transported using public B-layer networks, both the T-layer header and the
content are ciphered. Public B-layer networks are: IP-networks, Internet, OSI-networks, GSM or UMTS.
(content double ciphered and T-layer header single ciphered; the B-layer information, an IP or OSI
header, is plain text)

   [ content: double ciphered | T-layer header: ciphered | IP-header or OSI-header (B): plain text ]

This diagram shows the transmission of a message from a sender to a recipient over the T-layer of the
network, across a router, using two different B-layer public networks.

   Sender:     T-layer terminal -> B-layer terminal
                    | public network, like Internet or ISDN
   Router:     B-layer terminal -> T-layer routing -> B-layer terminal
                    | other public network, like mobile GSM / UMTS
   Recipient:  B-layer terminal -> T-layer terminal

(If you are familiar with the subject, you will find that the idea is quite similar to the so-called “the onion
router” networks – “TOR”. Except that TOR networks operate within the Internet and are quite
vulnerable – working within a centralized network. However, I like the name, and propose the name
“THOR” for a T-network layer of the above type – meaning: “top hidden operations routing”.)

Yes. One more thing: If you are into experimenting and physics, you may want to include an ELF-radio
network as a B-layer subnet. That way, you could use submarines as routers. (ELF = extremely low
frequency).

3.2 Ciphering a Link


Within communication networks, messages are typically broken up into smaller pieces called
“transport units”. At a terminal device of such a network, you can send and receive messages as one
piece of data, and it is comparatively easy to identify a one-time pad to cipher or decipher it. But if you
dive into the software layers down to the mechanism where messages are fragmented into transport
units, and de-fragmented again, you’ll need a constant stream of pad material to keep the link running.
You may not be able to look up a pad for a given transport unit in a database, because that is – maybe
– too slow. Now the ciphering becomes entwined with the fragmentation business of your
communication software’s stack (the expression “stack” somehow describes the fact that an
application program calls a data-transfer subprogram, which in turn calls – through more layers – a basic
driver program which interacts with the computer’s hardware).

Some public networks (B-layer), including the Internet (or any other TCP/IP network), provide a
mechanism for splitting up large messages into smaller chunks, for transporting the smaller chunks
over the net, and for reassembling them just before delivery to the recipient. Except that you don’t
have access to the inner working parts of the machinery. That’s why I believe the T-layer network
should include its own fragmentation / de-fragmentation system and use the B-layer network to send
small transport units only. That way, it is also possible to include B-layer networks with rather primitive
(or no) communication protocols as B-layer subnets (like serial line communication or simple
telephone modems without TCP/IP and such). Basically, all you need for communication is a wire or a
willing piece of ether – don’t forget the ELF submarine router.

There is another good reason why you want to have closer access to the communication
software. The TCP/IP stack, for example, was designed for the maximum throughput of throwing wah-wah
at other computers, without the need to cipher data or to confirm and – what’s the word? –
“authenticate” the data streams. But since people do need such functions, they are now stove-piped –
another nice word! – on top of the original TCP/IP stack. For example, ssh (“secure shell”, known
from Unix, Linux and MS Windows for remote computer access) uses the built-in TCP/IP stack and
ciphers above it, and then additional software is stacked upon the ssh-tunneling, which is supposed to
provide a secure transport layer. Certainly a way to do it, but maybe not the best.

The following picture shows how to one-time-pad-cipher a communication link at the very bottom –
within the message assembly subsystem of the communication devices.

The message is broken up into small pieces called “transport units” (TU). The TUs are ciphered with
one-time pads associated with a sender’s pad storage, and the recipient’s assembly subsystem
deciphers them. The plain text is then ciphered with the recipient’s pads, and sent back. The message
is successfully confirmed after the sender has deciphered the plain text again.

The separation of sender / receiver pads is required by asynchronous operation, so a partner can put
data on the link without waiting for a confirmation of his last message first.

As you would have expected, the material for the random pads – a certain amount of random bits,
that is – must have been exchanged beforehand, on some media like DVD or USB stick or compact
flash disk. This may look troublesome at first glance, but in the real world, this will assure the
participating partners about the other’s identity.

A technical problem would be to identify the corresponding pads that must be used to decipher the
transport units, or, on a higher level, the whole messages. Probably it would be practical to use small
“chunks” of pad material, and identify them with a plain text link name and some tag, like a unique
running integer number. The mechanism must verify that no pads are being used more than once. (I
have used the expression “pad” rather freely so far – as a name for “chunk of random bits with an
identifier”.)

There is no “man in the middle attack” with this communication.

Yet another idea is to use several layers of ciphering, like one layer between the two partners
exchanging messages, and one for the two partners operating the terminals of each communication
link. This would differ slightly from the above proposed idea to use one layer of cipher between
partners, and one layer for the whole network (for routing).
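The link exchange described in this section, as an added example that is not part of the LCTK kit: a Python model in which each TU is ciphered under a chunk of the sender’s pads, echoed back under a chunk of the recipient’s pads, and confirmed, with a pad store that tags every chunk (link name, running number) and refuses to hand any chunk out twice. Link names, the TU size and the pad bytes are constructed here.

```python
"""Added example, not code from the LCTK CD: a toy model of the link-ciphering
scheme of section 3.2. Chunks carry the plain-text tag (link name, running
number); a store refuses to hand out a chunk twice. Link names, TU size and
pad bytes are constructed."""
from dataclasses import dataclass, field
import os

TU_SIZE = 16  # constructed: bytes per transport unit


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """Bitwise XOR of data with a pad chunk at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad chunk shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))


@dataclass
class PadStore:
    """Chunks of random bits for one link; chunk i carries the tag (link, i)."""
    link: str
    chunks: list
    used: set = field(default_factory=set)

    def take(self, number: int) -> bytes:
        """Hand out chunk `number` exactly once; a second request is refused."""
        tag = (self.link, number)
        if tag in self.used:
            raise RuntimeError(f"pad reuse refused for tag {tag}")
        self.used.add(tag)
        return self.chunks[number]


def exchange_pads(link: str, count: int, size: int = TU_SIZE):
    """Models the out-of-band exchange: both ends get identical chunk lists."""
    chunks = [os.urandom(size) for _ in range(count)]
    return PadStore(link, list(chunks)), PadStore(link, list(chunks))


def fragment(message: bytes, size: int = TU_SIZE) -> list:
    """Split a message into fixed-size TUs, zero-padding the last one."""
    tus = [message[i:i + size] for i in range(0, len(message), size)]
    if tus and len(tus[-1]) < size:
        tus[-1] = tus[-1].ljust(size, b"\0")
    return tus


@dataclass
class Peer:
    """One end of a link: the pads it ciphers with, and a copy of the partner's."""
    own: PadStore
    partner: PadStore
    next_number: int = 0  # running number of the next own chunk to use

    def _next_chunk(self):
        number = self.next_number
        self.next_number += 1
        return (self.own.link, number), self.own.take(number)

    def send_tu(self, tu: bytes):
        """Cipher a TU with the next own chunk; its tag travels as plain-text header."""
        header, chunk = self._next_chunk()
        return header, xor_bytes(tu, chunk)

    def receive_tu(self, header, ciphered: bytes):
        """Decipher with the partner's chunk named in the header, then echo the
        plain text back under an own chunk (the "recipient's pads" of the text)."""
        _, number = header
        plain = xor_bytes(ciphered, self.partner.take(number))
        echo_header, chunk = self._next_chunk()
        return plain, echo_header, xor_bytes(plain, chunk)

    def confirm(self, echo_header, echo: bytes, sent: bytes) -> bool:
        """Decipher the echo with the partner's chunk; confirmed if it matches."""
        _, number = echo_header
        return xor_bytes(echo, self.partner.take(number)) == sent


def make_link(link: str, count: int):
    """Two peers sharing pads for both directions of one link."""
    a_tx, a_tx_copy = exchange_pads(link + "/A", count)
    b_tx, b_tx_copy = exchange_pads(link + "/B", count)
    return Peer(a_tx, b_tx_copy), Peer(b_tx, a_tx_copy)


def send_message(message: bytes, sender: Peer, receiver: Peer):
    """Run the exchange TU by TU; returns (bytes received, all TUs confirmed).
    The zero padding of the last TU is stripped, so trailing NULs are not kept."""
    received, confirmed = b"", True
    for tu in fragment(message):
        header, ciphered = sender.send_tu(tu)
        plain, echo_header, echo = receiver.receive_tu(header, ciphered)
        received += plain
        confirmed = confirmed and sender.confirm(echo_header, echo, tu)
    return received.rstrip(b"\0"), confirmed


def reuse_is_refused(store: PadStore, number: int) -> bool:
    """True if the store refuses to hand out an already used chunk."""
    try:
        store.take(number)
    except RuntimeError:
        return True
    return False
```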

3.3 Quod licet Jovi non licet Bovi

Networking is by definition a distributed task, which sometimes involves members, users and
technicians – on all levels – with different background, from several companies and from several
nations. The privacy on a network like that can be protected on a person-to-person or institution-to-
institution level by exchange of one-time pads between partners.

The ciphering can be both layered and structured, meaning that it could be set up so that whole
messages, or parts of the messages, or the content, or sender and recipient are not readable to all users.

For example, you can have intelligence agencies set up a network like this, which could be rather
invisible to the world, that could be used on the political level by direct exchange of a media with key
pad material on it, like a small mini-DVD. You would have a secure communication without some techs
listening in between. And, what is of equal importance: Nobody can put fake messages on the line.

The red telephone used to work that way – that’s at least a rumour I have heard. But if people are not
stupid, it still does work that way.

3.4 Pads: Creation, Distribution, Security


One-time pads are nothing else but collections of random bits. However, since they are to become
“partial secrets” in the future, they have to be kept in a secure way, just as the messages they will
encrypt later. Looked at in this way, one-time pads are not a resource like some media, to be used
sometimes in the future.

How to create pads, distribute them and keep them secure depends on what you want to use them for.
As an easy example, assume you just want to use them to encrypt some e-mails to a personal friend
once in a while. First of all: Use a different channel to hand over the pads. You could visit your friend
and carry some pad material on a CD with you. From here, the paranoia starts. Whom do you trust
while travelling? What happens if you sleep? What about your friend? The social environment of your
friend? Don’t underestimate frustrated lovers or the tensions and secrets of marriage – I mean, strictly
related to one-time pad security, of course. What about your messages? Are they to be ciphered only
for the transmission, to prevent anybody tapping the line from reading the data? Is there a danger that
somebody catches the ciphered messages and searches your friend’s home later, to get the CD with
the pads?

CDs (CD-ROMs) have a tendency to stay around. Once written (“burned”), they are easily forgotten in
some drawer or a stash-away box. But CDs with pad material are a pertinent risk for all the messages
that have been deciphered with them. Such CDs should be kept in a secure way or destroyed (this
time, really “burned”) – even if some unused pad material is “wasted”.

If you just need the pads to cipher and decipher messages, CDs may not be the distribution media of
choice, because people will tend to keep them – in order not to “waste” pad material. But the used old
pads then become a threat to all the ciphered messages to date. If an adversary gets hold of the CD,
and he has intercepted some ciphered messages in the past, he can now read them.

If you plan to use one-time pads to cipher messages for transmission, the distribution media should be
of a type that is more natural for one-time pads. The media should offer a way to read the pads and
destroy them right after that – in a way, really “consume” them. This could be achieved, in theory, with
re-writeable media. The used pads could be overwritten. “Overwritten” here means “shredded” or
“wiped” and refers to a procedure that will physically destroy the data on the media, by writing
data patterns over it several times. Or else, of course, you can reclaim the storage from the old pads
for storing the deciphered messages. That way, nobody will get the idea to dispose of the media as
being “used up”: It is a message storage device now.

Since I am not really an expert on that matter, I can’t give any guarantee here as to what method is
safe, and encourage you to explore and make up your own mind on this. I think USB sticks and CF
disks are candidates.

If you want to use one-time pads on an industrial scale, you can prepare USB drives with one-time pad
material. This will get you into the terabyte region – and more – of random pad material right away.
You just have to make pairs and transport one of them to the communication partner. Don’t
underestimate the bandwidth of a truckload of disk storage on a highway. OK – a truck with an
escort?

The required security for pads depends somewhat on the effort you expect from an adversary. Is it a
single person who will give up after a couple of tries? Or is it some – evil – agency that tries to
asphyxiate the freedom of information, with undercover agents swarming all over the place, infiltrating
your social environment? Is there a chance that an adversary was involved in manufacturing your IT
hardware or writing the operating software? Does the adversary have satellites? Is the adversary in a
position to search your home or office? Can he listen into your office or living room, with microphones?

If you run a company, what about your employees? Do they have access to – say – USB at their PCs?
Don’t underestimate the storage capacity of the personal devices they may carry.

As a “home user”, I prefer to prepare pad material on a computer with no hard disk. For testing only,
the pads can be stored on CD. Fortunately, for myself, I didn’t need to do any ciphering in earnest, but
I’d probably use some USB or CF re-writable storage to do it, with a procedure mentioned above.

For some applications, you may not have to create and store separate one-time pads. For example,
with this concept described earlier, there is no requirement to store one-time pads.

You can place a “message recording device” like this near a source of some true random data
(radioactivity), to generate the one-time pad data.

4 Summary
Remember, this is the re-entry point for all the people who skipped the formula business.

To summarize, one-time pad ciphering is the only proven safe way to cipher messages. This was
established by the famous mathematician and engineer Claude Elwood Shannon (“the father of
information science”, not the Elwood from Blues Brothers) in his work “Communication Theory of
Secrecy Systems” in 1949.

Contrary to some beliefs, the one-time pad cipher technology does not require a large overhead of
key handling, as compared to other methods, but it depends on the application, as always.

For applications with stringent security requirements, tied into a workflow system, the one-time pad
technology easily substitutes other more conventional methods. This is already partly true just
because such systems often require some sort of personal contact or personal trust – to exchange the
one-time pads on a media. The amount of data traffic for such critical applications is rather low – for
present day technology – and easily affordable when compared with the additional security level that
can be achieved.

The one-time pad technology offers a range of applications within non-centralized networking and
secure, distributed data storage.

5 Practice
The following examples are all provided on the CD you received together with this document.

5.1 Preparations
Some of the exercises on the CD you can try out by just booting your computer from the CD. The CD
is bootable and will throw you into a DOS command line environment. This makes sense as an
exercise, because if you decide to use one-time pads in real life, you may not want to leave any traces
of the one-time pads or any traces of the plain text messages on your PC.
In the very moment that you use an operating system like MS Windows™, there is some risk that
some information is written to the disk drive of your computer. This could happen even without an
explicit “save” or “store” or “copy” command, just because the operating system decides that it needs
to free some core storage and to write some data to a so-called “swap file” on the internal disk drive.

To take care of all readers who want to start ciphering in earnest, I have included a CD ISO image of
“Darik’s Boot and Nuke – DBAN”. That program is designed to plough through all disk drives of your
computer and destroy all data that it can find. It does so by writing random numbers to all the storage
space it can find. If you apply that program before you install the operating system, the disks have seen
some numbers already, and that makes it harder for somebody later to recover something from your
disk. Of course, you want to apply DBAN again, after the ciphering … To use it, burn the image to a
CD with your favourite image burner.

I didn’t include the source code for the programs, for somebody may decide to call it “spreading of
restricted ciphering technology”. The program works like this: Read a byte from file 1 – read a byte
from file 2 – do a bitwise XOR between those bytes – write the resulting byte to the output file.
If you use a MS Windows™ operating system, as I assume for the rest of this chapter, you could copy
the folder “trans” from the CD to a hard drive, say C:\, using the Windows Explorer File Manager. You
can then do the exercises within that folder.

On the other hand, it is possible to do the exercises directly from the “<your CD>:\trans” folder, after
booting from the CD. But you will have to adapt the names of output files to make sure the output is
written to some media with write access, since the programs can’t write to the CD. For example, you
would create a folder “lctk” on drive c:\, and rename output files in the exercises from <name>.<type>
to c:\lctk\<name>.<type>; the output files would then go to folder “lctk” on drive “c:\”.

Most exercises require you to get a DOS command window, and navigate within the folders with it,
and run programs.

To get a DOS command window, press the “Start” button and choose “Command”. A small
window will appear, into which you enter “cmd” and press the return key or the OK button.

This will bring up a DOS command window.

The picture on the right shows a DOS command window. Folders in command windows are called
“directories”, and the current folder is indicated by the command prompt. “C:\trans\cryptit>” means the
current folder, or current working directory, is the sub-folder “cryptit” of folder “trans” on drive “C:\”.
You can navigate using the “cd” command (“cd” stands for “change directory”). The command “cd ..”
moves you one directory up. The command “cd trans” would move you down one level into the
subdirectory (subfolder) called “trans”.

The “dir” command displays the content of the current directory. You execute a program by typing its
name as a command. If a help system is installed, you can get a list of available commands by typing
“help”. The above picture shows you how to navigate from some sub-folder into the folder
C:\trans\cryptit and how to display its content.

This was only a very brief excursion into the DOS world, to enable you to run the programs on the CD.

One more thing. Usually, on DOS, you have an 8.3 file naming convention, meaning you have names of
the ISMYTEXT.DOS sort – 8 characters or digits for a name and 3 for a file type. Some of the file
names in the examples are longer than that. If you run into any trouble, feel free to use shorter names.

5.2 Ciphering a Message with a One-time Pad


Get a DOS command window and navigate to the C:\trans\cryptit directory, much like I just explained
above. If you enter the “dir” command now, you should see a list of files. They are:

crypt32.exe            Windows 32-bit version of the cipher program
crypt16.exe            DOS 16-bit version of the cipher program
msg.txt                A sample plain text message
1.mkf, 2.mkf, 3.mkf    Three small files with random data for one-time pads

You can look at the sample plain text message in the file msg.txt by opening it with an editor program,
like “edit” or “notepad”. For example, you could type “edit msg.txt” to read the plain text file (To
exit the editor program, press “Alt D” and choose “Exit” on the pull-down with the up and down arrow
keys). If your computer runs MS Windows, you can use the notepad editor program instead: type
“notepad msg.txt” to bring up the editor window.

Now that you have convinced yourself that there really is some readable text within the file msg.txt,
you can start to cipher it. To do that, you start the program crypt32.exe (or else, if this doesn’t work on
your PC, start crypt16.exe) by typing “crypt32.exe”. The program now asks you to type in the
name of a “Payload File”. Type in the name of the file that contains the plain text message:
“msg.txt”.

The program now asks for a “Crypto Key File”. This is a file that contains the random numbers of the
one-time pad. I have provided three such files called “1.mkf”, “2.mkf“ and “3.mkf“ to play around with.
Type in the name of the first one: “1.mkf”.

The program will ask you for an “offset”. You don’t have to start at the beginning of the random
number file. You could choose to use random numbers from the middle of the file, located at the offset
(If you do that, remember the offset for deciphering!). But for now, start at the front of the file, choose a
zero offset and type in “0”.

The program will ask you for an output file name. This could be any valid file name, but to keep track
of what you are doing, type in “1msg.cry”. That’ll tell you, as a reminder, “msg crypted with one-time
pad 1.mkf”. The program tells you “done” and shows the length, in bytes, of the output file “1msg.cry”.

To summarize:

Start the program crypt32.exe
    Payload File : msg.txt
    Crypto File  : 1.mkf
    Offset       : 0
    Output File  : 1msg.cry

You can now try to read the content of “1msg.cry” by typing “edit 1msg.cry”.

You see that you don’t see very much. Leave the editor program by pressing “Alt d” and choosing
“Exit”.

Let’s decipher the message. The program to do that is exactly the same as the cipher program, with
the same one-time pad, but with our ciphered file as “Payload File”. Type in “crypt32.exe” to start the
program, type “1msg.cry” as payload file, “1.mkf” as crypto key file, and “0” (zero) as offset.
Choose “11msg.cry” as output file name, meaning “file 1msg.cry ciphered with pad 1”. Of course,
that’s “file msg.txt ciphered with pad 1 ciphered with pad 1 again”, or even more accurately “(file msg.txt
ciphered with pad 1) ciphered with pad 1”. But from the properties of the XOR operation, you know
that those brackets are not necessary, and double ciphering will reproduce the original message.

Let’s check on that. Type “edit 11msg.cry” to read the content of our deciphered message.

OK. Let’s go on with the more advanced stuff. First, let’s put another layer of ciphering onto the file
“1msg.cry” – the message that was ciphered with pad 1. To do that, start crypt32.exe and enter
1msg.cry as the name of the payload file. Choose the second random number file, called “2.mkf”, as
crypto key file, with an offset of 0, and type “21msg.cry” for the output file name.

Try to read the content of the output file by typing “edit 21msg.cry”.

Next, use the pad “3.mkf” to produce the output file “321msg.cry” by using “21msg.cry” as payload.

To summarize the above:

Start the program crypt32.exe
    Payload File : 1msg.cry
    Crypto File  : 2.mkf
    Offset       : 0
    Output File  : 21msg.cry

Start the program crypt32.exe
    Payload File : 21msg.cry
    Crypto File  : 3.mkf
    Offset       : 0
    Output File  : 321msg.cry

Type “edit 321msg.cry”. Of course, you can’t read it …

If you want to decipher it, do as follows:

Start the program crypt32.exe
    Payload File : 321msg.cry
    Crypto File  : 3.mkf
    Offset       : 0
    Output File  : 3321msg.cry

This will undo the pad “3.mkf”. And again, to undo the “2.mkf” pad

Start the program crypt32.exe
    Payload File : 3321msg.cry
    Crypto File  : 2.mkf
    Offset       : 0
    Output File  : 23321msg.cry

and again, to undo “1.mkf”

Start the program crypt32.exe
    Payload File : 23321msg.cry
    Crypto File  : 1.mkf
    Offset       : 0
    Output File  : 123321msg.cry

You will find that the file “123321msg.cry” contains the very same plain text as the original file
“msg.txt”.

So far, any other cipher would have done the same trick. It’s just putting one layer of cipher on top of
another layer. But using the XOR one-time pad cipher, you can undo the ciphering in an arbitrary
order, like this: Start with “321msg.cry”, which is the message ciphered with “1.mkf”, “2.mkf” and
“3.mkf”, in that order. You can undo any of the cipher layers first, say the “2.mkf” cipher.

Start the program crypt32.exe
    Payload File : 321msg.cry
    Crypto File  : 2.mkf
    Offset       : 0
    Output File  : 2321msg.cry

Undo the “1.mkf” layer:

Start the program crypt32.exe
    Payload File : 2321msg.cry
    Crypto File  : 1.mkf
    Offset       : 0
    Output File  : 12321msg.cry

Finally, undo the “3.mkf”

Start the program crypt32.exe
    Payload File : 12321msg.cry
    Crypto File  : 3.mkf
    Offset       : 0
    Output File  : 312321msg.cry

Of course, the file “312321msg.cry” is a plain text file, identical to “msg.txt”.

Please go ahead and try, you can cipher and decipher in any order. Other cipher technologies can’t do
this.

5.3 Ciphering Pads with Pads


You can actually cipher one-time pads with other one-time pads. Let’s try to cipher the pad “1.mkf”
with the pad “2.mkf”.

Start the program crypt32.exe
    Payload File : 1.mkf
    Crypto File  : 2.mkf
    Offset       : 0
    Output File  : 21.mkf

Actually, this file “21.mkf” contains the very same data as a file “12.mkf” would, where “12.mkf” can be
obtained by using “2.mkf” as a payload file and “1.mkf” as a crypto file. The thing commutes.

Do you remember the file “21msg.cry”? We created it by ciphering “msg.txt” first with “1.mkf”, then with
“2.mkf”. By using “21.mkf”, we can decipher it in one go.

Start the program crypt32.exe
    Payload File : 21msg.cry
    Crypto File  : 21.mkf
    Offset       : 0
    Output File  : 2121msg.cry

You will guess what the result is: “2121msg.cry” is the plain text message again.

The order of ciphering and deciphering doesn’t matter, and you can use combined pads (pads
ciphered with pads). The effect of using a combined pad is the same as ciphering the message with
individual pads.

5.4 Distributed Ciphers

First, we prepare two more ciphered files, “31msg.cry” and “32msg.cry”.

Start the program crypt32.exe
    Payload File : msg.txt
    Crypto File  : 1.mkf
    Offset       : 0
    Output File  : 1msg.cry

Start the program crypt32.exe
    Payload File : 1msg.cry
    Crypto File  : 3.mkf
    Offset       : 0
    Output File  : 31msg.cry

and

Start the program crypt32.exe
    Payload File : msg.txt
    Crypto File  : 2.mkf
    Offset       : 0
    Output File  : 2msg.cry

Start the program crypt32.exe
    Payload File : 2msg.cry
    Crypto File  : 3.mkf
    Offset       : 0
    Output File  : 32msg.cry

Now we just look at the files “21msg.cry” (which should still be there from the previous exercises, or
you’ll have to recreate it…), “31msg.cry” and “32msg.cry”. All three files are perfectly ciphered, just
look at them with the editor program.

You can now go ahead and delete the message “msg.txt” and the pads “1.mkf”, “2.mkf” and “3.mkf”, if
you feel like it (Please don’t, you may need them later. But if you believe there is something funny
going on with the next step, better delete them).

Right now (at least, after the hypothetical deletion of the other files), we are left with only the three
ciphered messages “21msg.cry”, “31msg.cry” and “32msg.cry”, and no pads to do the deciphering
with.

We now create a file which should have a name of 32msg31msg21msg.cry, but actually, it’s nothing
but the plain text message again.

Start the program crypt32.exe
    Payload File : 21msg.cry
    Crypto File  : 31msg.cry
    Offset       : 0
    Output File  : 31msg21msg.cry

Start the program crypt32.exe
    Payload File : 31msg21msg.cry
    Crypto File  : 32msg.cry
    Offset       : 0
    Output File  : 32msg31msg21msg.cry

Of course, you have tried to read the three intermediate files with the editor? Found them unreadable, I
guess. And now you try “edit 32msg31msg21msg.cry”.
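The byte-wise XOR program of section 5.1 and the exercises of sections 5.2 to 5.4, rebuilt as an added example that is not the crypt32.exe program from the CD: crypt() takes the same four inputs (payload, key file, offset, output), and the exercise functions check that layers come off in any order, that 21.mkf equals 12.mkf, and that the three files of section 5.4 give the message back without any pad. The pad bytes are generated here in place of the .mkf files.

```python
"""Added example, not the crypt32.exe program from the LCTK CD: a Python model
of the program as sections 5.1 to 5.4 describe it (byte-wise XOR of a payload
with a key file read from a given offset), plus the exercises rebuilt on it.
Pad bytes are generated here; names and comments follow the exercises."""
import os


def key_covers(payload: bytes, key: bytes, offset: int) -> bool:
    """True if the key file, read from offset, is long enough for the payload."""
    return 0 <= offset and offset + len(payload) <= len(key)


def crypt(payload: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR payload with key[offset:]; the same call ciphers and deciphers."""
    if not key_covers(payload, key, offset):
        raise ValueError("crypto key file too short for this payload and offset")
    return bytes(p ^ k for p, k in zip(payload, key[offset:offset + len(payload)]))


def crypt_file(payload_path: str, key_path: str, offset: int, output_path: str) -> int:
    """File front end with the four inputs crypt32.exe asks for; returns the output length."""
    with open(payload_path, "rb") as f:
        payload = f.read()
    with open(key_path, "rb") as f:
        key = f.read()
    output = crypt(payload, key, offset)
    with open(output_path, "wb") as f:
        f.write(output)
    return len(output)


def make_pads(length: int, names: str = "123") -> dict:
    """Stand-ins for 1.mkf, 2.mkf and 3.mkf: random bytes of one common length."""
    return {name: os.urandom(length) for name in names}


def layer(payload: bytes, pads: dict, order: str) -> bytes:
    """Apply pads one after another; "123" means 1.mkf, then 2.mkf, then 3.mkf."""
    for name in order:
        payload = crypt(payload, pads[name])
    return payload


def exercise_5_2(msg: bytes, pads: dict) -> bool:
    """Three layers can be undone in the order applied or in any other order."""
    c321 = layer(msg, pads, "123")               # 321msg.cry
    in_order = layer(c321, pads, "321")          # 123321msg.cry
    other_order = layer(c321, pads, "213")       # 312321msg.cry
    return in_order == msg and other_order == msg


def offset_roundtrip(msg: bytes, pad: bytes, offset: int) -> bool:
    """An offset into the pad file must be remembered: deciphering needs the same one."""
    ciphered = crypt(msg, pad, offset)
    return crypt(ciphered, pad, offset) == msg and crypt(ciphered, pad, offset + 1) != msg


def exercise_5_3(msg: bytes, pads: dict) -> bool:
    """Pads ciphered with pads: 21.mkf equals 12.mkf and undoes two layers at once."""
    pad21 = crypt(pads["1"], pads["2"])          # 21.mkf
    pad12 = crypt(pads["2"], pads["1"])          # 12.mkf, the same bytes: XOR commutes
    c21 = layer(msg, pads, "12")                 # 21msg.cry
    return pad21 == pad12 and crypt(c21, pad21) == msg   # 2121msg.cry


def exercise_5_4(msg: bytes, pads: dict) -> bool:
    """Distributed cipher: the message comes back from the three files without any pad."""
    c21 = layer(msg, pads, "12")                 # 21msg.cry = msg ^ 1.mkf ^ 2.mkf
    c31 = layer(msg, pads, "13")                 # 31msg.cry = msg ^ 1.mkf ^ 3.mkf
    c32 = layer(msg, pads, "23")                 # 32msg.cry = msg ^ 2.mkf ^ 3.mkf
    two_of_three = crypt(c21, c31)               # 31msg21msg.cry = 2.mkf ^ 3.mkf, no message in it
    pads_only = crypt(pads["2"][:len(msg)], pads["3"])
    return two_of_three == pads_only and crypt(two_of_three, c32) == msg  # 32msg31msg21msg.cry


if __name__ == "__main__":
    msg = b"constructed stand-in for msg.txt"
    pads = make_pads(len(msg) + 64)
    print(exercise_5_2(msg, pads), exercise_5_3(msg, pads), exercise_5_4(msg, pads))
```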

5.5 Dump a message into a picture’s bitmap

The obvious advantage of a Microsoft Bitmap File (*.bmp extension on Microsoft Windows Systems) is
the fact that it contains a lot of raw pixel data, right after the file header. You can just store any other
raw data there, a lot of it, as long as you don’t touch the file header and don’t overrun the total length
of the file.

Just look at the picture pic.bmp which you’ll find within the bmp folder. It shows some technical stuff,
which you may expect for a screen-shot which you would e-mail along with a technical note (like: “… bla
bla … wa wa we got this error which we can’t explain … wa wa …”).

There is nothing suspicious about this, because it is a usual way to report errors, say.

Now, with the mixbmp.exe program from the Little Cryptologist’s Toy Kit, you can just store some other
file within the bitmap’s raw data part.

You could do this with just any data, say, another picture, or your personal data that is of interest to
the IRS, or a Google map of your next target. Whatever; as an example, the file msg.txt is included.

To do that, you run the program mixbmp as shown. Enter the name of the payload file, which is the
message file that you want to hide. In the example, it is msg.txt. Next, you provide the name of the
picture’s bitmap that you want to use to hide the message, here pic.bmp. Now you give a name to the
output hiddenmsg.bmp – also a bitmap – and you are done. The output is a bitmap file of the same
size as the original bitmap file.


If you look at the files within the bmp folder with a "dir" command, you'll see something like this by now:

E:trans.Mary.bmp> dir
1,440,054 hiddenmsg.bmp
   39,424 mixbmp.exe
    5,518 msg.txt
1,440,054 pic.bmp
   38,912 unmixbmp.exe
E:trans.Mary.bmp>

Those are the sizes in bytes of the two programs mixbmp.exe and unmixbmp.exe (the programs to hide a
message and to extract it again), and of the data files. As you can see, the original picture pic.bmp is
much larger than the message msg.txt, and the generated file hiddenmsg.bmp, which somehow contains
the message, is of the same size as the original picture's bitmap. But where is the message stored?
Well, you just try to find it. The picture on the right shows the generated bitmap as stored in the file
hiddenmsg.bmp.

As you can see, there is not much to see, because the message is so small (in bytes) that it changes
only a small part of the picture's pixels. Things would be different if you tried to embed a photo or a
large document within the picture: then the image would become more and more disrupted. But
remember, the image was to be e-mailed as an error report, wasn't it?

As a matter of fact, this method is not very sophisticated at all, because the message within the picture
is not ciphered. It merely replaces some of the picture's pixel data, and anyone who opens the file in a
hex editor, or compares it byte by byte with the original picture, finds the message in the clear. So, to
keep the message hidden even when the picture is "intercepted" by some friend of yours, you would
cipher the message before you embed it within the picture, or somehow use the (original) picture itself
as a "key" file for encryption.

However, you wouldn't encrypt the whole picture. Why? The whole point is to have something e-mailed
that doesn't look suspicious, like some picture of whatsoever as a bitmap file.

The sequence of commands shown in the screen-shot on the right uses the program unmixbmp.exe to
extract the hidden message from our bitmap hiddenmsg.bmp into a text file clearmessage.txt, which you
can read with any editor program like notepad.
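The following Python is an added example and not the mixbmp.exe/unmixbmp.exe code of the Toy Kit. It does what the text describes (overwrite raw pixel bytes behind the header, leave the header and the total file length alone), with two details that are this example's own assumptions rather than anything the page states: the pixel-array offset is read from the header field at byte 10 instead of being assumed, and the payload is stored behind a 4-byte little-endian length so that extraction knows where it ends. The cover image is constructed in memory (a colour gradient), so nothing has to be read from disk.

```python
import struct

# Added example, not the LCTK tools. Overwrites pixel bytes behind the BMP
# header; header and file length are untouched. The 4-byte length prefix and
# the header-derived pixel offset are this example's own assumptions.

def make_test_bmp(width=64, height=48):
    """Constructed 24-bit cover image (a gradient, not a real screen-shot)."""
    row_bytes = (width * 3 + 3) & ~3             # BMP rows are padded to 4 bytes
    pixel_size = row_bytes * height
    pixel_offset = 14 + 40                       # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack('<2sIHHI', b'BM', pixel_offset + pixel_size, 0, 0, pixel_offset)
    info_header = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                              pixel_size, 2835, 2835, 0, 0)
    rows = bytearray()
    for y in range(height):
        for x in range(width):
            rows += bytes(((x * 4) & 0xFF, (y * 5) & 0xFF, 0x80))   # B, G, R
        rows += b'\x00' * (row_bytes - width * 3)                    # row padding
    return file_header + info_header + bytes(rows)

def pixel_region(bmp):
    """(start, end) of the pixel array, taken from the header, after sanity checks."""
    magic, file_size, _, _, offset = struct.unpack_from('<2sIHHI', bmp, 0)
    if magic != b'BM' or file_size != len(bmp) or offset >= file_size:
        raise ValueError('not a well-formed BMP')
    return offset, file_size

def mix(bmp, payload):
    """Hide payload in the pixel bytes; header and file length stay as they were."""
    start, end = pixel_region(bmp)
    blob = struct.pack('<I', len(payload)) + payload
    if len(blob) > end - start:
        raise ValueError('payload does not fit into the pixel data')
    return bmp[:start] + blob + bmp[start + len(blob):]

def unmix(bmp):
    """Recover the payload written by mix()."""
    start, end = pixel_region(bmp)
    (length,) = struct.unpack_from('<I', bmp, start)
    if start + 4 + length > end:
        raise ValueError('length field runs past the pixel data: no payload, or corrupted')
    return bmp[start + 4:start + 4 + length]

def changed_bytes(cover, stego):
    """How many bytes differ: at most the payload length plus the 4-byte prefix."""
    return sum(a != b for a, b in zip(cover, stego))

if __name__ == '__main__':
    cover = make_test_bmp()
    secret = b'constructed note: the build failed on line 42\n'
    stego = mix(cover, secret)
    print(len(stego) == len(cover), unmix(stego) == secret, changed_bytes(cover, stego))
```

Note that mix() stores the payload exactly as given; as the text says, that is not ciphering. Cipher the payload first (for instance with the one-time pad tools of this kit) and hand mix() the ciphertext; the size check still applies to the ciphered bytes plus the 4-byte prefix.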


5.6 Your OTP Disk


Along with "The Little Cryptologist's Toy Kit" (LCTK), you may have gotten a CD-R which says "OTP
XYZ <n>" on it, where "OTP" stands for "One-time Pad" and is always there, XYZ is some
identification I will remember together with the person I gave this CD to, and <n> is some number.
There is also an e-mail address written on it. You can use both the CD and the e-mail address to
communicate with me, like this.

- Write an e-mail to the address specified on the CD.
- Prepare a ciphered message as an attachment to this e-mail. To do that, use one of crypt32.exe or
  crypt16.exe and the data file on the OTP CD-R as the one-time pad. There are about 600 MB of
  random numbers in it, and the file is called something like <abc>.otp, where <abc> is a 3-digit
  number.
- For each usage, adjust the offset that you have to enter while ciphering. Make sure you use the
  random numbers only once (see below).
- Send the e-mail along with the attachment. Don't forget to mention the offset and the "XYZ <n>"
  label in the mail.

Offset: The first time, you use "0". Remember the length of the message in bytes! Some systems show
the length of a file only in kilobytes (KB), and that figure is rounded, so don't multiply it by 1024; take
the exact byte count from a "dir" listing instead. For each subsequent message, enter the accumulated
length of all messages you have ciphered so far (or deciphered: the other side's messages use up the
same pad) as the offset.
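The bookkeeping described above, as an added Python example that is not the crypt32.exe/crypt16.exe code of the kit: a pad shared by two parties, an offset per message, and the rule that every pad byte is used once. What the text asks you to do by hand (remember the accumulated byte count) is done here by a ledger of consumed ranges that refuses overlaps and refuses to run past the end of the pad; that ledger is this example's own addition. The pad is constructed with os.urandom, standing in for the <abc>.otp file on the CD-R.

```python
import os

# Added example, not the LCTK crypt32.exe/crypt16.exe code. The ledger of
# used pad ranges is this example's addition; the page only asks you to
# remember the accumulated byte count.

def make_pad(n_bytes):
    """Stands in for the <abc>.otp file on the CD-R (constructed, not from disk)."""
    return os.urandom(n_bytes)

class PadLedger:
    def __init__(self, pad):
        self.pad = pad
        self.used = []                     # (start, end) ranges already consumed

    def next_offset(self):
        """Accumulated length of everything ciphered or deciphered so far."""
        return max((end for _, end in self.used), default=0)

    def _claim(self, offset, length):
        end = offset + length
        if end > len(self.pad):
            raise ValueError(f'pad exhausted: bytes up to {end} needed, {len(self.pad)} available')
        for s, e in self.used:
            if offset < e and s < end:
                raise ValueError(f'pad bytes {offset}..{end} overlap the used range {s}..{e}')
        self.used.append((offset, end))

    def cipher(self, data, offset):
        """XOR data with pad[offset:]; the same call deciphers, and both consume the pad."""
        self._claim(offset, len(data))
        return bytes(b ^ k for b, k in zip(data, self.pad[offset:offset + len(data)]))

    decipher = cipher

def exchange(alice, bob, msg_from_alice, msg_from_bob):
    """One message each way on the same pad. Bob's reply must start behind the
    bytes Alice's message consumed, which is why deciphering is booked in the
    ledger too: both sides end up with the same next offset."""
    off1 = alice.next_offset()
    c1 = alice.cipher(msg_from_alice, off1)
    p1 = bob.decipher(c1, off1)            # Bob's ledger now also shows off1..off1+len
    off2 = bob.next_offset()
    c2 = bob.cipher(msg_from_bob, off2)
    p2 = alice.decipher(c2, off2)
    return p1, p2, off1, off2
```

The ledger is what turns "make sure you use the random numbers only once" from a rule you have to remember into a check the program makes for you; in a real deployment it would have to be persisted on the same medium as the pad, which is what the re-writeable media mentioned below are for.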

This procedure is very preliminary, of course, and should be used for testing only. For a more
professional environment, I'll try to supply OTP pads on some sort of re-writeable media, together with
some utilities. On that media, the pads would be gradually replaced by deciphered messages.

So please don't even think of using this procedure for some real-world application. The only thing I can
promise is that I only burned two corresponding CDs for each "OTP XYZ <n>" label and kept one for
myself.


6 Appendices
6.1 Quantum Cryptography and One-time Pads

The basic idea of quantum cryptography, as far as I understand it, is that of a photon source which
emits 2 photons which in a way have opposite properties (labelled "spin up" or "spin down") and are
quantum entangled in a certain way: whenever photon 1 has "spin up", photon 2 has "spin down".
Those "spin up / down" states are then taken as bits 1 / 0 and used to cipher and decipher a message by
"xor", as shown in the picture.

If you can do it with 1 bit you can do it with a stream of bits, too. Then, the set-up looks somewhat like
a one-time pad situation, where the photon 1 and 2 streams deliver, just in time, the pads to cipher and
decipher the message (one of the so-delivered pads is inverted). This is as far as the one-time pad
method is entangled with quantum cryptography.

The quantum magic now enters with the claim that it would not be possible for an adversary to listen in
to one of the photon streams (i.e. the pads), because they are quantum entangled with each other and
the whole quantum system would thus be disturbed.

In real life, an attacker may not be aware of the fact that he deals with a phenomenon of quantum
physics, and he would try to intercept both the message and one of the photon streams. That photon
stream would be lost, of course, and the attacker would have to try and reproduce it. Reproducing the
photon stream consists of reproducing the spin states of the individual photons. The attacker knows
which photon state he has to emit. Maybe the correct state could be produced by emitting a photon
from either one of two sources? I am not so sure, but at the end it could just boil down to a timing
problem. Does the recipient recognize that a photon is just a little bit late?

“Quantum entangled spin states”: This has to do with the fact that quantum mechanics describes
the decay of a particle into two other particles by way of a complex probability function in space, ψ,
which allows you to calculate the probability to find a decay-photon at a given position with spin “up”
(or “down”). Within this mathematical model, a mathematical “measured spin up” at some point in
space for one particle would instantly fix the probability for the other particle anywhere in space to
“spin down”. This is sometimes called “quantum entanglement” or the “collapse of the ψ function”. It
sounds dramatic, but to other people it seems clear by their guts that a non-spinning particle that
decays into two photons would leave those photons with opposite spins. And if you find one of them
with “up”, the other one will have “down”, no matter what the math says. It’s called conservation of
angular momentum and related to the orientation in space by Noether’s theorem.

Personally I recommend that you consult the Wiki article “Consciousness causes collapse” for further
information on collapsing ψs (http://en.wikipedia.org/wiki/Consciousness_causes_collapse).


6.2 Crypto-Logic
So far, for the purpose of ciphering, we have only used the XOR operation, which also participates as
a logical operator within the framework of Boolean logic. To recall the truth table:

Message   Pad   Cipher    Decipher
A         B     A xor B   B xor (A xor B)
---       ---   -------   ---------------
1         1     0         1
1         0     1         1
0         1     1         0
0         0     0         0

However, a bitwise operation using a table like the next one would do the same trick. I called it "equ" for
"equivalence", because the result is 1 (true) if the bits A and B have the same value, and the result is
0 (false) if the values of the bits A and B are different. (In the literature this operation is also known as
XNOR, the negated XOR.)

Message   Pad   Cipher    Decipher
A         B     A equ B   B equ (A equ B)
---       ---   -------   ---------------
1         1     1         1
1         0     0         1
0         1     0         0
0         0     1         0

There are some more operations with two operands in Boolean Logic (16 altogether), but most of the
other ones won’t do the trick to cipher something and turn it easily into something readable again. For
example, the “AND” has the following truth table:

Message   Pad   Cipher    Decipher
A         B     A and B   B and (A and B)
---       ---   -------   ---------------
1         1     1         1
1         0     0         0               Doesn't work!
0         1     0         0
0         0     0         0

It doesn’t work because the “1” in the message that hits “0” in the pad is gone for good.


6.3 Dizzy
Don't you feel dizzy after one or two rounds of XOR ciphering? I ask that because I do. So, because I
don't want to be misunderstood, I'll do it really carefully again (and I don't want to tell you nonsense,
so I do this to check my own stuff). It's all bits, zeros and ones, but it easily gets confusing after a
while (everything on computers is bits, zeros and ones, and nobody doubts it can get confusing).

The following is not really very helpful if you just look at XOR ciphering, but it embeds this cipher in a
broader picture.

The XOR operation is just one of several operations available in Boolean logic. Those operations
include the well-known "and" and "or" as well as "implies" (same as "follows") or "equivalence", and
"not" as a negation. Some others, like "nor" and "nand", are more fundamental, in a sense, since you
can build the whole of Boolean logic around them, using just those operations.

To give the conclusion first: In principle, it is possible to use other constructions within Boolean logic for
ciphering, but in practice it depends on the situation whether that is practical, or required in any sense.

We have been talking about bit strings as messages or pads, with corresponding bits in each of the
strings. That is, it is clear which bit in which string acts together with a certain bit in another string. That
is what “bitwise” means. Bits within the strings are considered to be independent of each other, so we
don’t have to worry about the strings any more and just look at the individual bits. Let’s call one “A” – a
bit variable “A”. “A” can now take on the values 1 and 0.

A
---
1
0

The simplest way to work with bits is to use unary operators on them. A unary operator is an operator
that works only on one operand, e.g. on one bit. You can define a unary operator for bits by giving it a
name and writing down a small table about what the operator does to the bit.

A generic template to define such an operator is the table:

<Variable> <Operator><Variable>
---------- --------------------
1 <Value>
0 <Value>

Now you define a real unary operator like this: Let’s say, the name of the operator is “not” and what it
does to a bit “A” is this:

A not A
--- -----
1 0
0 1

There are three more unary operators on bit variables, let's call them "nef" for "no effect", "mk0" for
"make 0" and "mk1" for "make 1". The names will be immediately clear after you read the tables (I
have included "not A" to have the whole bunch together):

A   nef A   not A   mk0 A   mk1 A
--- -----   -----   -----   -----
1   1       0       0       1
0   0       1       0       1


As you have guessed, only the “not” operator made it into the well-known literature, as a “logical
negation”.

Let’s assume there is a one-time pad A and a message M. We write “A^M” or “A xor M” for a bitwise
XOR operation. Since, most of the time, we were only concerned with the binary “xor” operation, we
just wrote it like “AM”. This, we said, is equal to “MA”, etc …

Let’s start over and be more careful. This time, we just say there are two bit strings of equal length,
called A and B. Now let’s first define what is meant by ”A xor B”.

A generic form to define binary operators, that is, operators that work on two bit variables (one from
each string), is given by:

<1.variable> <2.variable> <1.variable><operator><2.variable>
------------ ------------ ----------------------------------
1            1            ?
1            0            ?
0            1            ?
0            0            ?

Note that the first and the second column together contain all possible value combinations of the two
variables.

This template can be used to define “A xor B”:

A B A xor B
--- --- -------
1 1 0
1 0 1
0 1 1
0 0 0

You may know the more familiar "and" operation, e.g. "A and B", with this table:

A B A and B
--- --- -------
1 1 1
1 0 0
0 1 0
0 0 0

And finally, here is the long-awaited collection of definition tables for all the binary Boolean
operators!

A   B   is0 and ol1 1st ol2 2nd xor _or nor equ 1on rfo 2on fol nan is1
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
1   1   0   1   0   1   0   1   0   1   0   1   0   1   0   1   0   1
1   0   0   0   1   1   0   0   1   1   0   0   1   1   0   0   1   1
0   1   0   0   0   0   1   1   1   1   0   0   0   0   1   1   1   1
0   0   0   0   0   0   0   0   0   0   1   1   1   1   1   1   1   1
            and                 xor or  nor <=>     <=      =>  nand

In the last line of the table, I have indicated the names by which the operations are known in the
literature (reading books about first-order logic and such stuff). For the rest of them, I have invented some
names, because it is easier to remember something that you can associate with a name. I feel free to
do so because I have never seen names for all of those operations in any book. Here they are:


is0   "is 0", always results in a 0 value
and   this is the "and" as you know it from everyday language and Boolean logic
ol1   "only 1", only the first variable counts if it is set, but not both
1st   the result is what the 1st is
ol2   "only 2", only the second variable counts if it is set, but not both
2nd   the result is what the 2nd is
xor   this is the famous exclusive or, meaning "one of both, but not both"
_or   this is the "or" as you know it from common language, meaning "one of them, or both".
      In common language, "or" and "xor" are sometimes mixed up, and sometimes intentionally so by
      teachers to argue the bad grades they give to their students.
nor   "not or", negation of or, meaning "not one of them, and not both". There is something special
      about this since it can be used to express all other operations, in a way
equ   logical equivalence, the "<=>" symbol you know from math, "only if the first, then the
      second, and vice versa"
1on   "1st or none", gives a 1 whenever only the 1st variable is set, or none is set (that is,
      whenever the 2nd is not set)
rfo   "reverse follow", well-known symbol is "<=" which means backwards conclusion, see "fol"
2on   "2nd or none", gives a 1 whenever only the 2nd variable is set, or none is set (that is,
      whenever the 1st is not set)
fol   this is the famous "hence it follows" with the known symbol "=>". In Boolean logic, this doesn't
      mean very much, only "the whole expression is 1 if the second variable is 1, or both are 0".
      If you take this more metaphysically it is perfectly correct (result = 1) to say "total nonsense
      (1st variable = 0) hence it follows perfectly correct (2nd variable = 1)".
      That takes a little bit of getting used to.
nan   better known as "nand" or "not and". The result is 1 except when both variables are 1
is1   the result is always 1

I strongly encourage you to send in your own proposals for those operator names, before they hit the
history books as “Rassmann’s Notation”.

Those are the binary operators from Boolean logic. But there still is one more trick. Binary operators
by definition have two arguments like the A and the B in “A and B”. But sometimes, you find an
expression that reads “A and A”. So what does it mean? Remembering the template to define binary
operators, you put

A A A and A
--- --- -------
1 1 1
1 0 ???
0 1 ???
0 0 0

Obviously the whole table doesn’t make sense, because it is the very same bit “A” in both leading
columns. Of course, you can’t have a 1 – 0 or a 0 – 1 value combination with the same bit A, and the
resulting table is incomplete.

But if you allow a binary operator to have an incomplete definition table like that, the effect of a binary
operation (operation with two arguments ) “A and A” is the same, in this case, as that of the unary
operation (operation with one argument) “nef A”, where “nef” was the famous “no effect” unary
operator mentioned above.

Just for completeness, I provide this table of binary operators used as unary operators, and added a
line with the names of the corresponding unary operators:

A   A   is0 and ol1 1st ol2 2nd xor _or nor equ 1on rfo 2on fol nan is1
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
1   1   0   1   0   1   0   1   0   1   0   1   0   1   0   1   0   1
0   0   0   0   0   0   0   0   0   0   1   1   1   1   1   1   1   1
        mk0 nef mk0 nef mk0 nef mk0 nef not mk1 not mk1 not mk1 not mk1

Comparing that to the well-known names of logical operators in the common language, when used
with only one argument A, the operators mean:
(A and A)  is the same as (nef A), always A
(A xor A)  is the same as (mk0 A), always 0
(A or A)   is the same as (nef A), always A
(A nor A)  is the same as (not A), always A flipped
(A <=> A)  (i.e. equivalence) is the same as (mk1 A), always 1
(A <= A)   is the same as (mk1 A), always 1
(A => A)   is the same as (mk1 A), always 1
(A nand A) is the same as (not A), always A flipped

The next move is to see what happens if consecutive operations are constructed, like

(A opr1 B) opr2 C

where "opr1" and "opr2" are any of the above operators. I have put parentheses in for clarification as
to what to do first (usually that's from left to right by convention, but not every reader takes that for
granted). The aim is to get the resulting value table, with all combinations of values of the bits A, B
and C.

To do that, you start with a sub-table, which is the definition table of "opr1" with A and B filled in. This
sub-table forms the first three columns below. This gives (A opr1 B). Of course you'll have to do that
twice, for both possible values of the bit C, that is, for C = 1 and C = 0. Therefore, the sub-table for the
operation (A opr1 B) appears twice in the picture below.

(A opr1 B) opr2 C :

A   B   A opr1 B   C   (A opr1 B) opr2 C
--- --- --------   --- -----------------
1   1   ?          1   ?
1   0   ?          1   ?
0   1   ?          1   ?
0   0   ?          1   ?

1   1   ?          0   ?
1   0   ?          0   ?
0   1   ?          0   ?
0   0   ?          0   ?

Next, you look up the value combination that appears in the columns "A opr1 B" and "C" in the
definition table of "opr2" to get the result for the column "(A opr1 B) opr2 C".


Of course, you can do a similar thing with a stacked operation like "A opr1 (B opr2 C)". Except you
would start with a sub-table which is the definition table of "opr2" with the columns B and C filled in.

A opr1 (B opr2 C) :

A   B   C   B opr2 C   A opr1 (B opr2 C)
--- --- --- --------   -----------------
1   1   1   ?          ?
1   1   0   ?          ?
1   0   1   ?          ?
1   0   0   ?          ?

0   1   1   ?          ?
0   1   0   ?          ?
0   0   1   ?          ?
0   0   0   ?          ?

Here you look up the value combination in the columns "A" and "B opr2 C" in the definition table of
"opr1" to get the last column.

From here, you can do a stacked operation like “A opr1 (B opr2 (C opr3 D))” using the same
prescription. You start with the sub-table of the innermost operation and add columns to the left or
right for new variables (doubling the original sub-table for the values 1 and 0 of the new variable).

And how about this? "(A opr1 B) opr2 (C opr3 D)" ?

(A opr1 B) opr2 (C opr3 D) :

A   B   A opr1 B   C   D   C opr3 D   (A opr1 B) opr2 (C opr3 D)
--- --- --------   --- --- --------   --------------------------
1   1   ?          1   1   ?          ?
                   1   0   ?          ?
                   0   1   ?          ?
                   0   0   ?          ?

1   0   ?          1   1   ?          ?
                   1   0   ?          ?
                   0   1   ?          ?
                   0   0   ?          ?

0   1   ?          (the same four C, D rows as above)

0   0   ?          (the same four C, D rows as above)

Here you look up the value combination in the columns "A opr1 B" and "C opr3 D" in the definition
table of "opr2" to get the last column.


And this one is still missing:

(A opr1 B) opr2 (A opr3 C) :

A   B   A opr1 B   A   C   A opr3 C   (A opr1 B) opr2 (A opr3 C)
--- --- --------   --- --- --------   --------------------------
1   1   ?          1   1   ?          ?
                   1   0   ?          ?
                   0   1   -          -      (impossible: A is 1 in this block)
                   0   0   -          -

1   0   ?          1   1   ?          ?
                   1   0   ?          ?
                   0   1   -          -
                   0   0   -          -

0   1   ?          (as above, but now only the rows with A = 0 survive)

0   0   ?          (as above, but now only the rows with A = 0 survive)

Here, too, the value combination in the columns "A opr1 B" and "A opr3 C" is looked up in the definition
table of "opr2". Since the bit variable A appears twice in the above expression, one has to throw out all
lines in the sub-table which would give the variable "A" another value than the one given in the big table.

Ugh. You will agree that I did the above really carefully. Of course, it is all trivial stuff. Or is it? I don’t
know about you, but for myself? One of those operations is easy, two consecutive operations are
easy, too, but only for those operators that you know from everyday language, like “and” or “or”. And
three? Or two that are not familiar? If I start to figure it out, I’ll feel dizzy after 5 seconds. So I did this
carefully to make sure nobody gets lost.

Some equivalences of the "nan" operator (commonly NAND for NOT AND, meaning AND with the result
negated):

not A     is equivalent to   A nan A
A and B   is equivalent to   (A nan B) nan (A nan B)
A _or B   is equivalent to   (A nan A) nan (B nan B)
A fol B   is equivalent to   A nan (B nan B)
          and also to        A nan (A nan B)

Some equivalences of the "nor" operator (commonly NOR for NOT OR, meaning OR with the result
negated):

not A     is equivalent to   A nor A
A and B   is equivalent to   (A nor A) nor (B nor B)
A _or B   is equivalent to   (A nor B) nor (A nor B)
A fol B   is equivalent to   ((A nor B) nor B) nor ((A nor B) nor B)


So far, I have listed some very impressive results from Boolean logic. But what has this business to do
with ciphering messages? In terms of Boolean logic, if you talk about a message M and a one-time
pad A, you may express the ciphering and deciphering of messages like this:

[M equ (A xor (A xor M))] = 1 (i.e. "true")

This line says that you cipher a message by xoring it with A, you decipher it by xoring it with A again,
and the result is equivalent to the message M itself. In terms of Boolean logic, the result of the
expression in brackets is always "1", i.e. "true", no matter what A is.

In a more general way, you could say that the story about bit-wise ciphering technology is nothing other
than finding an expression with operators (just any will do), that may involve all kinds of one-time pads
or whatever variables are in there, but which, when evaluated, or transformed, or worked over using all
the equivalences listed above, at the end comes out equivalent to the message M:

[M equ (a Boolean expression involving M and other stuff)] = 1

Of course, this is just another way of saying: "Whatever you do to the message with Boolean
operators, to cipher and decipher it, at the end you must be able to recover the message."
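The following Python is an added example, not from the LCTK text or tools. It writes down the sixteen operators of the table in 6.3 as their truth-table columns, using the names and row order of this page (the helper functions and the brute-force checks are this example's own), and then answers the question of 6.2 in general: for which operators can "Message op Pad" be turned back into the message, which of those actually depend on the pad, which operator is the matching "Decipher" column, and for which operators the identity [M equ (A op (A op M))] = 1 holds for all A and M. It also tries the NAND/NOR equivalences listed above on all four (A, B) rows.

```python
from itertools import product

# Added example, not from the LCTK text. Operator names and row order are
# the page's; the functions are this example's own.

ROWS = [(1, 1), (1, 0), (0, 1), (0, 0)]     # row order of the page's tables

OPS = {   # name -> results for rows (1,1), (1,0), (0,1), (0,0)
    'is0': (0, 0, 0, 0), 'and': (1, 0, 0, 0), 'ol1': (0, 1, 0, 0), '1st': (1, 1, 0, 0),
    'ol2': (0, 0, 1, 0), '2nd': (1, 0, 1, 0), 'xor': (0, 1, 1, 0), '_or': (1, 1, 1, 0),
    'nor': (0, 0, 0, 1), 'equ': (1, 0, 0, 1), '1on': (0, 1, 0, 1), 'rfo': (1, 1, 0, 1),
    '2on': (0, 0, 1, 1), 'fol': (1, 0, 1, 1), 'nan': (0, 1, 1, 1), 'is1': (1, 1, 1, 1),
}

def op(name, a, b):
    """Look (a, b) up in the definition table of the operator called name."""
    return OPS[name][ROWS.index((a, b))]

def recoverable(name):
    """Cipher = Message op Pad (the layout of the 6.2 tables). Recovery is possible
    iff, for each pad bit, the two message bits give two different cipher bits."""
    return all(op(name, 1, pad) != op(name, 0, pad) for pad in (0, 1))

def decipher_ops(name):
    """Operators d with d(Pad, Cipher) = Message for all values: the candidates
    for the 'Decipher' column of the 6.2 tables."""
    return [d for d in OPS
            if all(op(d, pad, op(name, msg, pad)) == msg
                   for msg, pad in product((0, 1), repeat=2))]

def self_inverse(name):
    """[M equ (A op (A op M))] = 1 for all pad bits A and message bits M."""
    return all(op('equ', m, op(name, a, op(name, a, m))) == 1
               for a, m in product((0, 1), repeat=2))

def cipher_ops():
    """Operators whose output can be turned back into the message."""
    return sorted(n for n in OPS if recoverable(n))

def pad_dependent_cipher_ops():
    """... and whose output actually depends on the pad (otherwise nothing is hidden)."""
    return sorted(n for n in cipher_ops()
                  if any(op(n, m, 0) != op(n, m, 1) for m in (0, 1)))

def check_equivalences():
    """The NAND/NOR identities of this appendix, tried on all four (A, B) rows."""
    nan = lambda a, b: op('nan', a, b)
    nor = lambda a, b: op('nor', a, b)
    claims = {
        'not A = A nan A': lambda a, b: (1 - a) == nan(a, a),
        'A and B = (A nan B) nan (A nan B)': lambda a, b: op('and', a, b) == nan(nan(a, b), nan(a, b)),
        'A or B = (A nan A) nan (B nan B)': lambda a, b: op('_or', a, b) == nan(nan(a, a), nan(b, b)),
        'A fol B = A nan (B nan B)': lambda a, b: op('fol', a, b) == nan(a, nan(b, b)),
        'A fol B = A nan (A nan B)': lambda a, b: op('fol', a, b) == nan(a, nan(a, b)),
        'not A = A nor A': lambda a, b: (1 - a) == nor(a, a),
        'A and B = (A nor A) nor (B nor B)': lambda a, b: op('and', a, b) == nor(nor(a, a), nor(b, b)),
        'A or B = (A nor B) nor (A nor B)': lambda a, b: op('_or', a, b) == nor(nor(a, b), nor(a, b)),
        'A fol B = ((A nor B) nor B) nor ((A nor B) nor B)':
            lambda a, b: op('fol', a, b) == nor(nor(nor(a, b), b), nor(nor(a, b), b)),
    }
    return {claim: all(f(a, b) for a, b in ROWS) for claim, f in claims.items()}

if __name__ == '__main__':
    print(cipher_ops(), pad_dependent_cipher_ops())
    print({n: decipher_ops(n) for n in cipher_ops()})
    print([n for n in OPS if self_inverse(n)], all(check_equivalences().values()))
```

The result is the general form of what the 6.2 tables showed for three operators: four of the sixteen let you recover the message, but two of them ("1st" and "2on") simply copy or invert the message and ignore the pad, so nothing is hidden. Only "xor" and "equ" both depend on the pad and are invertible, and for each of them the matching "Decipher" column is the same operator again. The self_inverse check, which follows the pad-first spelling [M equ (A op (A op M))], picks out the same two pad-dependent operators plus the two trivial ones of that spelling ("2nd" and "1on").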

But reading a message is only part of the problem. It should be possible to erase it, too. But how do
you erase a message? It is much easier to determine when a message can be deciphered than to
give a definite measure of erasure. The process of erasure, for example, could be:

[M equ (another Boolean expression involving M and other stuff)] = "not always" 1

This is not very satisfying and indicates that Boolean logic, by itself, is not a magic tool to cover
ciphering.

Probably it is advisable to use mostly those logical operators that are well-known from everyday
language within those constructions, to get the general idea more easily across. That’ll make such
designs more easy to handle.

Whether it is useful to go on with evaluations of such systems depends somewhat on your fantasy –
whether you can dream up a real life situation where a system like that could be put to work.


6.4 Circular Addition


Another way to generalize the XOR bitwise ciphering technique is to look at "circular addition", or
"modular addition" within "modular arithmetic", as it is called the scientific way. You arrange the
alphabet and some symbols in a circle like this:

-> A -> B -> C -> D -> E -> F -> G -> H -> I -> J -> K -> L -> M -> N ->
|                                                                       |
<- ? <- , <- . <- Z <- Y <- X <- W <- V <- U <- T <- S <- R <- Q <- P <- O <-

Now, if you want to cipher a text like "FRIEND" with the one-time pad "2, 12, 1, 4, 17, 21", you do that
by starting with "F" and going clockwise 2 positions to get "H", say "F –2-> H". Likewise, you do "R –12->
A", "I –1-> J", "E –4-> I", "N –17-> B" and "D –21-> Y". You just go clockwise by the count specified in
the pad.

"FRIEND", ciphered with the one-time pad "2, 12, 1, 4, 17, 21" using this procedure, becomes
"HAJIBY". Sounds like Ali Baba and is a good start. To decipher, you walk the same counts
counter-clockwise.

The bitwise XOR operation is nothing but the truly elementary circular addition of this type, since it
circles around between 1 and 0 if the one-time pad random bit is 1, and doesn't do anything if the
random bit is 0:

   ->
 0    1
   <-

Historically, the circular addition for alphabets mentioned above was the origin of the one-time pad
method. In principle, you can have any integer numbers within the pads of that method: if the number
is bigger than the number of elements in the alphabet, you just have to go around the circle of
the alphabet's members several times, or counter-clockwise if a random number is negative.

I am sure, if you look into this more closely, you will find some richness of possible applications similar to
the ones I described for the XOR operation.
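The circle above as a small modular-addition cipher, added here as an example (not code from the Toy Kit): cipher is a clockwise walk by the pad number, decipher the same walk backwards. Pad numbers larger than the circle or negative ones work as the text says, because the walk is taken modulo the circle length, and on the two-symbol circle "01" the very same routine is bitwise XOR. The 29-symbol circle and the FRIEND example are the page's; the functions and the other inputs are this example's own.

```python
# Added example, not from the LCTK text. The circle and the FRIEND example
# are the page's; the functions are this example's own.

CIRCLE = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ.,?'      # the 29 symbols of the circle, clockwise

def walk(text, pad, circle=CIRCLE, direction=+1):
    """Move every symbol of text by its pad number along the circle."""
    if len(pad) < len(text):
        raise ValueError('pad shorter than text: never stretch or reuse a pad')
    n = len(circle)
    out = []
    for ch, steps in zip(text, pad):
        i = circle.index(ch)                      # ValueError if ch is not on the circle
        out.append(circle[(i + direction * steps) % n])   # % handles big and negative counts
    return ''.join(out)

def cipher(text, pad, circle=CIRCLE):
    """Go clockwise by the pad numbers."""
    return walk(text, pad, circle, +1)

def decipher(text, pad, circle=CIRCLE):
    """Go counter-clockwise by the same pad numbers."""
    return walk(text, pad, circle, -1)

def xor_bits(bits, pad_bits):
    """On the two-symbol circle '01' with pad values 0/1 the walk is bitwise XOR."""
    return cipher(bits, pad_bits, circle='01')

if __name__ == '__main__':
    pad = [2, 12, 1, 4, 17, 21]
    print(cipher('FRIEND', pad), decipher(cipher('FRIEND', pad), pad))
    print(cipher('FRIEND', [31, -17, 30, 4, 17, 21]))    # same result: 31 = 2 + 29, -17 = 12 - 29
    print(xor_bits('1010', [1, 1, 0, 0]))
```

The length check is the one practical safeguard worth having here: with a pad shorter than the text the only alternatives are to stop early or to wrap the pad around, and wrapping is exactly the reuse that breaks a one-time pad.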

6.5 Other Ciphers as a Fallback


If you are still looking for the convenience of using a "general key" cipher once in a while, you can adapt
a system based on one-time pads to do that. You just use the other cipher technique to cipher blank
messages, or predefined texts, then you use the result as a "pseudo pad" and xor it to the real
messages. This doesn't provide the one-time pad security, of course (what you get is a stream cipher
whose security is exactly that of the key-based cipher you used), but it helps to keep an adversary
busy for a while. It may come in handy for testing.

To cipher mass data streams (like a TCP/IP streaming video), you can use some of the random data
of the one-time pads, before the start of the stream, to generate keys for some key-based cipher
method, then kick off the stream with that cipher. The pad bytes spent on the keys are used up like any
other part of the pad and must not be reused either.

1) Some work on the topic was done by Shannon, the same person that you know from the sampling theorem in digital
signal processing. In both cases, digital signal processing and message ciphering, it is a matter of trust if you want
to follow Shannon's theoretical conclusions for practical applications. The ideas may be true in some logical way, but
it is easy to make mistakes while embedding them in reality. See Bronstein, Semendjajew, Musiol, Mühlig:
Taschenbuch der Mathematik, Verlag Harri Deutsch, Thun und Frankfurt am Main, 5th edition 2001, ISBN 3-8171-2005-2

2) Douglas Adams, in his book "Dirk Gently's Holistic Detective Agency", uses the association "recycled algae" /
"recursive algorithm", which is an astonishing example of how the brain works when deciphering messages. RIP.


6.6 From the Wikipedia


The following text was taken from the English version of www.wikipedia.org. I provide it here for those
people who don't have internet access (strictly for security reasons …). Also, it presents some
different viewpoints of the matter.

6.6.1 One-time pad


From Wikipedia, the free encyclopedia

Excerpt from a one-time pad.

In cryptography, the one-time pad (OTP) is an encryption algorithm where the plaintext is combined
with a random key or "pad" that is as long as the plaintext and used only once. A modular addition (for
example XOR) is used to combine the plaintext with the pad. It was invented in 1917. If the key is truly
random, never reused, and kept secret, the one-time pad can be proven to be unbreakable. It has also
been proven that any theoretically unbreakable cipher must use keys with the same requirements as
OTP keys. The key normally consists of a random stream of numbers, each of which indicates the
number of places in the alphabet (or number stream, if the plaintext message is in numerical form)
which the corresponding letter or number in the plaintext message should be shifted. For messages in
the Latin alphabet, for example, the key will consist of a random string of numbers from 0 to 25; for
binary messages the key will consist of a random string of 0s and 1s; and so on.
The "pad" part of the name comes from early implementations where the key material was distributed
as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy
concealment, the pad was sometimes physically very small. Photos accessible on the Internet show
captured KGB pads that fit in the palm of one's hand [1], or in a walnut shell [2].
The one-time pad is derived from the Vernam cipher, named after Gilbert Vernam, one of its inventors.
Vernam's system was a cipher that combined a message with a key read from a paper tape loop. In its
original form, Vernam's system was not unbreakable because the key could be reused. One-time use
came a little later when Joseph Mauborgne recognized that if the key tape was totally random,
cryptanalytic difficulty would be increased.

There is some term ambiguity due to the fact that some authors use the term "Vernam cipher"
synonymously for the "one-time-pad", while others refer to any additive stream cipher as a "Vernam
cipher", including those based on a cryptographically secure pseudorandom number generator
(CSPRNG). [3]

6.6.2 Perfect secrecy


The Vernam-Mauborgne one-time pad was recognized early on as very difficult to break, but its
special status was only realized by Claude Shannon some 25 years later. He proved, using
information theory considerations, that the one-time pad has a property he termed perfect secrecy:
that is, the ciphertext gives absolutely no additional information about the plaintext. Thus, the a priori
probability of a plaintext message M is the same as the a posteriori probability of a plaintext message
M given the corresponding ciphertext. And in fact all plaintexts are equally probable. This is a strong
notion of cryptanalytic difficulty. [4]
Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice:
- it requires perfectly random one-time pads
- secure generation and exchange of the one-time pad material, which must be at least as long as the
  message
- careful treatment to make sure that it forever remains secret from any adversary, and is disposed of
  correctly preventing any reuse in whole or part — hence "one-time". See data remanence for a
  discussion of difficulties in completely erasing computer media.
These implementational difficulties have led to one-time pad systems being broken, and are so serious
that they have prevented the one-time pad from being adopted as a widespread tool in information
security.
In particular, one-time use is absolutely necessary. If a one-time pad is used just twice, simple
mathematical operations can reduce it to a running-key cipher. If both plaintexts are in a natural
language (e.g. English or Russian), even though both are secret, each stands a very high chance of
being recovered by heuristic cryptanalysis, with possibly a few ambiguities. Of course the longer
message can only be broken for the portion that overlaps the shorter message, plus, perhaps, a little
more by completing a word or phrase. The most famous exploit of this vulnerability is the VENONA
project. [5]
The one-time pad does not provide any mechanism to ensure message integrity, and in theory a man-
in-the-middle attacker who knows the exact message being sent can straightforwardly replace all or
part of that message with text of their choosing that is the same length. Standard techniques to
prevent this, such as the use of a message authentication code, can be used along with a one-time
pad system, but they lack the perfect security that OTP enjoys.

6.6.3 History
The history of the one-time pad is marked by four separate but closely related discoveries.
The first one-time pad system was electrical. In 1917, Gilbert Vernam (of AT&T) invented and later
patented (U.S. Patent 1,310,719 ) a cipher based on teletype machine technology. Each character in a
message was electrically combined with a character on a paper tape key. Captain Joseph Mauborgne
(then a captain in the United States Army and later chief of the Signal Corps) recognized that the
character sequence on the key tape could be completely random and that, if so, cryptanalysis would
be more difficult. [3] Together they invented the first one-time tape system.
The second development was the paper pad system. Diplomats had long used codes and ciphers for
confidentiality and to minimize telegraph costs. For the codes, words and phrases were converted to
groups of numbers (typically 4 or 5 digits) using a dictionary-like codebook. For added security, secret
numbers could be combined with (usually modular addition) each code group before transmission,
with the secret numbers being changed periodically (this was called superencryption). In the early
1920s, three German cryptographers, Werner Kunze, Rudolf Schauffler and Erich Langlotz, who were
involved in breaking such systems, realized that they could never be broken if a separate randomly
chosen additive number was used for every code group. They had duplicate paper pads printed up
with lines of random number groups. Each page had a serial number and eight lines. Each line had six
5-digit numbers. A page would be used as a work sheet to encode a message and then destroyed.
The serial number of the page would be sent with the encoded message. The recipient would reverse
the procedure and then destroy his copy of the page. The German foreign office put this system into
operation by 1923. [3]
A separate notion was the use of a one-time pad of letters to encode plaintext directly as in the
example below. Leo Marks describes inventing such a system for the British Special Operations
Executive during World War II, though he suspected at the time that it was already known in the highly
compartmentalized world of cryptography, as for instance at Bletchley Park. [6]
The final discovery was by Claude Shannon in the 1940s who recognized and proved the theoretical
significance of the one-time pad system. [4]

6.6.4 Example
Suppose Alice wishes to send the message 'HELLO' to Bob. Assume two pads of paper containing
identical random sequences of letters were somehow previously produced and securely issued to
both. Alice chooses the appropriate unused page from the pad. The way to do this is normally
arranged for in advance, as for instance 'use the 12th sheet on Labor Day', or 'use the next available
sheet for the next message'. The material on the selected sheet is the key for this message. Each
letter from the pad will be combined in a predetermined way with one letter of the message. It is
common, but not required, to assign each letter a numerical value: e.g., "A" is 0, "B" is 1, and so on
through "Z", 25. In this example, the technique is to combine the key and the message using modular
addition. The numerical values of corresponding message and key letters are added together, modulo
26. If key material begins with,

XMCKL
and the message is "HELLO", then the coding would be done as follows:

     23 (X)  12 (M)   2 (C)  10 (K)  11 (L)   key
  +   7 (H)   4 (E)  11 (L)  11 (L)  14 (O)   message
  =  30      16      13      21      25       key + message
  =   4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   key + message (mod 26)

Note that if a number is larger than 25, then in modular arithmetic fashion, the remainder on division
by 26 would be taken. This simply means that, if your computations "go past" Z, you start again at A.
The ciphertext to be sent to Bob is thus "EQNVZ." Bob uses the matching key page and the same
process, but in reverse, to obtain the plaintext. Here, the key is subtracted from the ciphertext, again
using modular arithmetic:

      4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   ciphertext
  -  23 (X)  12 (M)   2 (C)  10 (K)  11 (L)   key
  = -19       4      11      11      14       ciphertext - key
  =   7 (H)   4 (E)  11 (L)  11 (L)  14 (O)   ciphertext - key (mod 26)

Similar to above, if a number is negative, 26 is added to make the number nonnegative.


Thus, Bob recovers Alice's plaintext, the message "HELLO". Both Alice and Bob destroy the key sheet
immediately after use, thus preventing reuse and an attack against the cipher. The KGB often issued
its agents one-time pads printed on tiny sheets of "flash paper"—paper chemically converted to
nitrocellulose, which burns almost instantly and leaves no ash.
The classical one-time pad of espionage (which often required actual paper pads (often minuscule for
ease of concealment), a sharp pencil and the use of some mental arithmetic) can be implemented as a
software program using data files as input (plaintext) and output (ciphertext) and key material (the
required random sequence). The XOR operation is often used to combine the plaintext and the key
elements, and is especially attractive on computers since it is usually a native machine instruction and
is therefore very fast. However, ensuring that the key material is actually random, is used only once,
never becomes known to the opposition, and is completely destroyed after use is hard to do. The
auxiliary parts of a software one-time pad implementation present real challenges: secure
handling/transmission of plaintext, truly random keys, and one-time-only use of the key.
Security
One-time pads are "information-theoretically secure" in that the encrypted message (i.e., the
ciphertext) provides no information about the original message to a cryptanalyst. This is a very strong
notion of security first developed during WWII by Claude Shannon and proved, mathematically, to be
true of the one-time pad by Shannon about the same time. His result was published in the Bell Labs
Technical Journal in 1949. Properly used one-time pads are secure in this sense even against
adversaries with infinite computational power. To continue the example from above, suppose Eve
intercepts Alice's ciphertext: "EQNVZ." If Eve had infinite computing power, she would quickly find that
the key "XMCKL" would produce the plaintext "HELLO", but she would also find that the key "TQURI"
would produce the plaintext "LATER", an equally plausible message:

      4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   ciphertext
  -  19 (T)  16 (Q)  20 (U)  17 (R)   8 (I)   possible key
  = -15       0      -7       4      17       ciphertext - key
  =  11 (L)   0 (A)  19 (T)   4 (E)  17 (R)   ciphertext - key (mod 26)

In fact, it is possible to "decrypt" any message whatsoever with the same number of characters out of
the ciphertext simply by using a different key and there is no information in the ciphertext which will
allow Eve to choose amongst the various possible readings of the ciphertext.
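The HELLO / XMCKL arithmetic and Eve's alternative key TQURI, as an added example in Python (not code from the original text). The last function also shows the point made under "one-time use is absolutely necessary": with a sheet used twice, the key cancels out of the difference of the two ciphertexts.

```python
"""Letter one-time pad on the A..Z alphabet (modular addition mod 26).

Added example mirroring the HELLO / XMCKL walk-through in the text.
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _to_nums(text: str) -> list:
    """Map letters to 0..25 ("A" is 0, "B" is 1, ... "Z" is 25)."""
    text = text.upper()
    if any(ch not in ALPHABET for ch in text):
        raise ValueError("only letters A-Z are handled in this example")
    return [ALPHABET.index(ch) for ch in text]


def _to_text(nums) -> str:
    """Map numbers back to letters; Python's % makes negatives wrap past A."""
    return "".join(ALPHABET[n % 26] for n in nums)


def otp_encrypt(plaintext: str, key: str) -> str:
    """Alice's step: add each key letter to the message letter, modulo 26."""
    if len(key) < len(plaintext):
        raise ValueError("key material must be at least as long as the message")
    return _to_text(p + k for p, k in zip(_to_nums(plaintext), _to_nums(key)))


def otp_decrypt(ciphertext: str, key: str) -> str:
    """Bob's step: subtract each key letter from the ciphertext letter, modulo 26."""
    if len(key) < len(ciphertext):
        raise ValueError("key material must be at least as long as the ciphertext")
    return _to_text(c - k for c, k in zip(_to_nums(ciphertext), _to_nums(key)))


def key_explaining(ciphertext: str, candidate_plaintext: str) -> str:
    """Perfect secrecy made concrete: for every candidate plaintext of the right
    length there is exactly one key that produces this ciphertext, and every key
    is equally likely a priori, so the ciphertext does not favour any candidate."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must have the same length as the ciphertext")
    return _to_text(c - p for c, p in zip(_to_nums(ciphertext), _to_nums(candidate_plaintext)))


def reused_key_difference(ciphertext1: str, ciphertext2: str) -> str:
    """Why "one-time" is essential: if both messages used the same key, then
    c1 - c2 = (p1 + k) - (p2 + k) = p1 - p2 (mod 26). The key drops out and what
    remains is one natural-language text enciphered under the other, the
    running-key cipher the text refers to."""
    return _to_text(a - b for a, b in zip(_to_nums(ciphertext1), _to_nums(ciphertext2)))


if __name__ == "__main__":
    print(otp_encrypt("HELLO", "XMCKL"))         # EQNVZ
    print(otp_decrypt("EQNVZ", "XMCKL"))         # HELLO
    print(key_explaining("EQNVZ", "LATER"))      # TQURI, Eve's equally plausible key
    c1 = otp_encrypt("HELLO", "XMCKL")
    c2 = otp_encrypt("LATER", "XMCKL")           # same sheet used twice
    print(reused_key_difference(c1, c2) == otp_decrypt("HELLO", "LATER"))  # True
```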
Most conventional encryption algorithms, both symmetric and asymmetric, use complex patterns of
substitution and transpositions. For the best of these currently in use, it is not known whether there
can be a cryptanalytic procedure which can reverse (or, usefully, partially reverse) these
transformations without knowing the key used during encryption.
In practical terms, for the best of these, no such procedures are known, though there may exist
computer algorithms which could do so in a 'reasonable' time. One of the central outstanding unsolved

problems of computer science bears on this problem; if P=NP then it would be at least possible that
such algorithms might be found, and they would surely be sought even more vigorously than they are
today. Even if not, individual present cryptosystems might still be broken. However, the one-time pad
would not be made less secure by a proof that P=NP. At present, most informed observers believe
that P≠NP and, in any case, many doubt this question has any practical relevance to cryptanalysis or
encryption algorithm design.

6.6.5 Applicability of one-time pads

Common consumer items that can be used to transport one-time pad data.

The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no
real-world implementation of any cryptosystem can provide perfect security because practical
considerations introduce potential vulnerabilities. These practical considerations of security and
convenience have meant that the one-time-pad is, in practice, little-used.
One-time pads solve few current practical problems in cryptography. High quality ciphers that have
undergone rigorous public review are widely available and their security is not considered a major
worry at present. Such ciphers are almost always easier to employ than one-time pads; the amount of
key material which must be properly generated and securely distributed is far smaller, and public key
cryptography makes the problem easier. [7]
High quality random numbers can be hard to generate. The random number generation functions in
most programming language libraries are not suitable for cryptographic use. Even those generators
that are suitable for normal cryptographic use, including /dev/random and many hardware random
number generators, make some use of cryptographic functions whose security is unproven.
Distributing the one-time pad keys is inconvenient. Storage media such as thumb drives, DVD-Rs or
personal digital audio players can be used to carry a very large one-time-pad from place to place in a
non-suspicious way, but even so the need to transport the pad physically is a burden compared to the
key negotiation protocols of a modern public-key cryptosystem, and these media cannot reliably be
erased securely by any means short of incineration. A 4.7 GB DVD-R full of one-time-pad data, if
shredded into particles 1 mm² in size, leaves over 100 kilobits of data on each particle. In addition the
risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the pad) is
probably much greater in practice than the likelihood of compromise for a cipher such as AES. Finally,
the effort needed to manage one-time pad key material scales badly for large networks. The number
of pads required goes up as the square of the number of users exchanging messages freely amongst
each other. For communication between only two persons, or a star network topology, this is
somewhat less of a problem.
The key material must be securely disposed of after use, to ensure the key material is never reused
and to protect the messages sent. Because the key material must be transported from one endpoint to
another, and persist until the message is sent or received, it can be more vulnerable to forensic
recovery than the transient plaintext it protects. See also: data remanence.


As traditionally used, one-time pads provide no message authentication, the lack of which is a frequent
source of security failure in real-world systems. The straightforward additive keystream nature makes
this vulnerability especially simple to exploit - for example, an attacker who knows that the message
contains "Meet Jane and me tomorrow at 3:30 pm" at a particular point can replace that content by
any other content of the exact same length, such as "3:30 meeting is cancelled, stay home", without
having access to the one-time pad. Universal hashing provides a way to authenticate messages up to
an arbitrary security bound (i.e. for any p>0, a large enough hash ensures that even a computationally
unbounded attacker's likelihood of successful forgery is less than p), but this uses additional random
data from the pad, and removes the possibility of implementing the system without a computer.
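An added example (mine, not the article's): a byte-oriented XOR one-time pad, the same-length substitution the paragraph describes, and a one-time MAC of the universal-hash kind keyed from 32 extra pad bytes, which detects the substitution. The field modulus 2^127 - 1, the 15-byte blocks and the key layout are this example's own choices.

```python
"""XOR one-time pad plus a one-time MAC drawn from extra pad bytes.

Added example. Field modulus, block size and key layout are this example's
own choices, not a published standard.
"""
import hmac
import secrets

P = (1 << 127) - 1      # prime field for the polynomial hash (Mersenne prime 2^127 - 1)
BLOCK = 15              # 15-byte blocks: values < 2^121 after the high bit, always < P
MAC_KEY_LEN = 32        # 16 pad bytes for r, 16 for s
TAG_LEN = 16


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """Combine data with pad material byte by byte; the same call decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def same_length_substitution(ciphertext: bytes, known: bytes, replacement: bytes) -> bytes:
    """Why a bare pad needs authentication: whoever knows the plaintext at a
    position can swap in equal-length text without the pad, because
    c ^ known ^ replacement = pad ^ replacement decrypts to the replacement."""
    if not (len(ciphertext) == len(known) == len(replacement)):
        raise ValueError("all three inputs must have the same length")
    return bytes(c ^ a ^ b for c, a, b in zip(ciphertext, known, replacement))


def one_time_mac(message: bytes, mac_key: bytes) -> bytes:
    """Carter-Wegman style tag: evaluate the message polynomial at a secret point
    r and mask the result with a secret s. With fresh (r, s) per message, even a
    computationally unbounded forger succeeds with probability at most about
    (number of blocks) / P, which is what the text calls an arbitrary bound p."""
    if len(mac_key) != MAC_KEY_LEN:
        raise ValueError("mac_key must be exactly 32 bytes")
    r = int.from_bytes(mac_key[:16], "big") % P
    s = int.from_bytes(mac_key[16:], "big") % P
    # Injective padding: append 0x01, then zeros up to a block boundary.
    padded = message + b"\x01"
    padded += b"\x00" * (-len(padded) % BLOCK)
    h = 0
    for i in range(0, len(padded), BLOCK):
        # The high bit makes every block value non-zero, so messages with a
        # different number of blocks always give different polynomials.
        block = (1 << 120) | int.from_bytes(padded[i:i + BLOCK], "big")
        h = (h + block) * r % P
    return ((h + s) % P).to_bytes(TAG_LEN, "big")


def pad_bytes_needed(message_len: int) -> int:
    """Pad consumed per message: one byte per plaintext byte plus the MAC key."""
    return message_len + MAC_KEY_LEN


def seal(message: bytes, pad: bytes) -> bytes:
    """Encrypt, then authenticate the ciphertext with the pad bytes that follow
    the encryption bytes. The caller must destroy pad[:pad_bytes_needed(n)]."""
    n = len(message)
    if len(pad) < pad_bytes_needed(n):
        raise ValueError("not enough pad material for message plus MAC key")
    ct = xor_pad(message, pad[:n])
    return ct + one_time_mac(ct, pad[n:n + MAC_KEY_LEN])


def open_sealed(sealed: bytes, pad: bytes):
    """Verify the tag first; return the plaintext, or None if the tag is wrong."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    n = len(ct)
    if len(pad) < pad_bytes_needed(n):
        return None
    expected = one_time_mac(ct, pad[n:n + MAC_KEY_LEN])
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_pad(ct, pad[:n])


if __name__ == "__main__":
    # Constructed sample: the two equal-length messages quoted in the text.
    original = b"Meet Jane and me tomorrow at 3:30 pm"
    swapped = b"3:30 meeting is cancelled, stay home"
    pad = secrets.token_bytes(pad_bytes_needed(len(original)))  # stands in for real pad material
    ct = xor_pad(original, pad)
    forged_ct = same_length_substitution(ct, original, swapped)
    print(xor_pad(forged_ct, pad))           # bare pad: the substitution goes unnoticed
    sealed = seal(original, pad)
    print(open_sealed(sealed, pad))          # authenticated: original recovered
    tampered = forged_ct + sealed[-TAG_LEN:]
    print(open_sealed(tampered, pad))        # authenticated: None, tag does not match
```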
Nonetheless, the one-time-pad retains some limited practical interest:
- The one-time-pad is the only cryptosystem proven secure. Though most experts have confidence in
  standard cryptosystems for practical purposes, one cannot be certain that a future cryptanalytic
  breakthrough, or a breakthrough in computer hardware such as quantum computing, will not render
  them breakable.
- The one-time-pad is one of the most practical methods of encryption where one or both parties must
  do all work by hand, without the aid of a computer; this made it important in the pre-computer era, and
  it could conceivably still be useful in situations where possession of a computer is illegal or
  incriminating or where trustworthy computer operating systems are not available.
- Making and using a one-time pad has educational value. No special equipment is required and it
  serves as a good introduction to several cryptographic ideas.
- OTP can be used, along with a more standard cryptosystem, in a superencryption scheme. Adding an
  OTP layer is a special case of superencryption in which it can be proved that, provided you use keys
  that are statistically independent for each layer (e.g. independent RNGs), the combination would be at
  least as strong as the strongest layer.

6.6.6 Uses
In some hypothetical espionage situations, the one-time pad might be useful because it can be
computed by hand with only pencil and paper. Indeed, nearly all other high quality ciphers are entirely
impractical without computers. Spies can receive their pads in person from their "handlers." In the
modern world, however, computers (such as those embedded in personal electronic devices such as
mobile phones) are so ubiquitous that possessing a computer suitable for performing conventional
encryption (for example, a phone which can run concealed cryptographic software) will usually not
attract suspicion.
One-time pads have been used in special circumstances since the early 1900s. The Weimar Republic
Diplomatic Service began using the method in about 1920. The breaking of poor Soviet cryptography
by the British, with messages made public for political reasons in two instances in the 1920s, appears
to have induced the USSR to adopt one-time pads for some purposes by around 1930. KGB spies are
also known to have used pencil and paper one-time pads more recently. Examples include Colonel
Rudolf Abel, who was arrested and convicted in New York City in the 1950s, and the 'Krogers' (i.e.,
Morris and Lona Cohen), who were arrested and convicted of espionage in the United Kingdom in the
early 1960s. Both were found with physical one-time pads in their possession.
A number of nations have used one-time pad systems for their sensitive traffic. The NSA describes
one-time tape systems like SIGTOT and 5-UCO as being used for intelligence traffic until the
introduction of the electronic cipher based KW-26. [8] Leo Marks reports that the British Special
Operations Executive used one-time pads to encode traffic between its offices. One-time pads for use
with its overseas agents were introduced late in the war. [6] Other one-time tape cipher machines
include the British machines Rockex and Noreen.
The World War II voice scrambler SIGSALY was a one-time pad system. It added (analog) noise to
the signal at one end and removed it at the other end. The noise was distributed to the channel ends
in the form of large shellac records of which only two were made. There were both starting
synchronization and longer-term phase drift problems which arose and were solved before the system
could be used.
The hotline between Moscow and Washington D.C., established in 1963 after the Cuban missile crisis,
used teleprinters protected by a commercial one-time tape system. Each country prepared the keying
tapes used to encode its messages and delivered them via their embassy in the other country. A
unique advantage of the OTP in this case was that neither country had to reveal more sensitive
encryption methods to the other. [3], p. 715
During the 1983 Invasion of Grenada, U.S. forces found a supply of pairs of one-time pad books in a
Cuban warehouse.

The British Army's BATCO tactical communication code is a pencil-and-paper one-time-pad system.
Key material is provided on paper sheets that are kept in a special plastic wallet with a sliding pointer
that indicates the last key used. New sheets are provided daily (though a small series of "training
BATCO" is usually recycled on exercise) and the old ones destroyed. BATCO is used on battlefield
voice nets; the most sensitive portions of a message (typically grid references) are encoded and the
ciphertext is read out letter by letter.
A related notion is the one-time code—a signal, used only once, e.g. "Alpha" for "mission completed"
and "Bravo" for "mission failed". Such a signal cannot be "decrypted" in any reasonable sense of the word.
Understanding the message will require additional information, often 'depth' of repetition, or some
traffic analysis. However, such strategies (though often used by real operatives, and baseball
coaches) are not a cryptographic one-time pad in any significant sense.

6.6.7 Exploits
While one-time pads are provably secure if generated and used properly, small mistakes can lead to
successful cryptanalysis:
- In 1944–1945, the US Army's Signal Security Agency was able to solve a one-time pad system used
  by the German Foreign Office for its high-level traffic, codenamed GEE (Erskine, 2001). GEE was
  insecure because the pads were not completely random — the machine used to generate the pads
  produced predictable output.
- In 1945 the U.S. discovered that Canberra-Moscow messages were being encrypted first using a
  code-book and then using a one-time pad. However, the one-time pad used was the same one used
  by Moscow for Washington, DC-Moscow messages. Combined with the fact that some of the
  Canberra-Moscow messages included known British government documents, this allowed some of the
  encrypted messages to be broken.
- One-time pads were employed by Soviet espionage agencies for covert communications with agents
  and agent controllers. Analysis has shown that these pads were generated by typists using actual
  typewriters. This method is of course not "truly" random, as it makes certain convenient key
  sequences more likely than others, yet it proved to be generally effective. Without copies of the key
  material used, only some defect in the generation method or reuse of keys offered much hope of
  cryptanalysis. Beginning in the late 1940s, U.S. and UK intelligence agencies were able to break some
  of the Soviet one-time pad traffic to Moscow during WWII as a result of errors made in generating and
  distributing the key material. One suggestion is that Moscow Centre personnel were somewhat rushed
  by the presence of German troops just outside Moscow in late 1941 and early 1942, and they
  produced more than one copy of the same key material during that period. This decades-long effort was
  finally codenamed VENONA (BRIDE had been an earlier name); it produced a considerable amount of
  information, including more than a little about some of the Soviet atom spies. Even so, only a small
  percentage of the intercepted messages were either fully or partially decrypted (a few thousand out of
  several hundred thousand). [5]
- Burglaries are said to have been carried out by the FBI during WWII against Soviet offices in the US
  which yielded copies of some key material. There are some claims that the material copied was helpful
  cryptanalytically.

6.6.8 True randomness requirements


In discussing the one-time pad, two notions of security have to be kept distinct. The first is the
theoretical security of the one-time pad system as proved by Shannon (Shannon security). The
second is the security offered by state-of-the-art ciphers (e.g. AES) designed with principles learned in
the long history of code breaking and subjected to extensive testing in a standardization process,
either in public or by a top notch security service (empirical security). The former is mathematically
proven, subject to the practical availability of random numbers. The latter is unproven but relied upon
by most governments to protect their most vital secrets (insofar as publicly known thus far).

6.6.9 Methods that may offer empirical security, but do not have Shannon security
If the key material is generated by a deterministic program, then it is not random and the encryption
system cannot claim the theoretical security of the one-time pad system. Instead it is called a stream
cipher. These generally use a short key which is used to seed a long pseudorandom stream, which is
then combined with the message using some such mechanism as those used in one-time pads (e.g.,
XOR). Stream ciphers can be secure in practice, but they cannot be absolutely secure in the same
provable sense as the one-time pad.

The Fish ciphers used by the German military in WWII turned out to be insecure stream ciphers, not
practical automated one-time pads as their designers had intended. Bletchley Park broke one of them,
the Lorenz cipher machine, regularly.
However, if a modern so-called cryptographically secure pseudo-random number generator is used, it
can form the basis for an empirically secure stream cipher. There are many well-vetted designs in the
public domain, ranging from the simplicity of RC4 to using a block cipher like AES in counter mode.
There would appear to be little reason to invent new stream ciphers, yet it has long been thought that
NSA and its comparable agencies devote considerable effort to stream ciphers for their government
customers.

6.6.10 Methods that offer neither empirical security nor Shannon security
The similarity between stream ciphers and one-time pads often leads the cryptographically unwary to
invent insecure stream ciphers under the mistaken impression that they have developed a practical
version of the one-time pad. An especially insecure approach is to use any of the random number
generators that are distributed in many (perhaps most) computer programming language runtime
support packages or as operating system calls. These typically produce sequences that pass
some (or even many) statistical tests, but are nonetheless breakable by cryptanalytic techniques. For
some time the ANSI C standard restricted the C language random number routine output to a single
precision integer, for most implementations 16 bits, giving at most 32768 different
values before repeating. This is entirely insecure and is easily breakable by exhaustive test (for
perspective, a 1 GHz computer which takes 10,000 clock cycles to check an offset within the RNG's
cycle would take under a third of a second to check every possible offset). Standard computer random
number generators are not suitable for cryptographic purposes, specifically including the one-time pad.
In particular, the relatively newly developed and widely admired Mersenne twister algorithm, while
sufficiently "random" for most research or simulation uses, better than most any other such generator,
and quite fast as well, should not be used to generate one-time pad key material. The algorithm is
deterministic and was not designed for cryptographic security.
As well, publicly known values such as the terminal digits of marathon race times, closing stock prices
from any source however obscure, daily temperatures or atmospheric pressures, etc., though
seemingly random, are predictable after the fact. Indeed, even truly random sequences which have
been published cannot be used, as they are predictable once identified. An example is the Rand Corp
1950s publication of a million random number table; it has passed every statistical test for randomness
thus far and is thought to be actually random. But, having been published, it is fully predictable. So are
the digits of pi, e, phi, and other irrational, or transcendental, numbers; the sequences may be random
(an open question, actually), but are fully predictable nonetheless.

6.6.11 Achieving Shannon security


To achieve Shannon security, a source of perfectly unpredictable random data is needed. One
theoretical basis for the physical existence of unpredictability is quantum mechanics. Its assertions of
unpredictability are subject to experimental test. See: Bell test experiments. Another basis is the
theory of unstable dynamical systems and Chaos theory. These theories suggest that even in the
deterministic world of Newtonian mechanics, real-world systems evolve in ways that cannot be
predicted in practice because one would need to know the initial conditions to an accuracy that grows
exponentially over time.
For use in a one-time pad, data should exhibit perfect randomness. Most practical sources exhibit
some imperfection or bias. The quality of randomness is measured by entropy. A perfectly random bit
has an entropy of one. An idea due to Von Neumann is to use an algorithm to combine multiple,
imperfectly random bits, each with entropy less than one, to create a single bit with entropy equal to
one. This process is called entropy distillation or entropy extraction. Von Neumann proposed the
following method, called "Von Neumann whitening": [9]

  Input bits   Output
  00           No output.
  01           Output "1" bit.
  10           Output "0" bit.
  11           No output.
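The table as a Python function, run over a constructed biased source, as an added example (not the article's code). It shows the output bias vanishing and most of the input being discarded; it relies on the bits being independent and identically distributed, the assumption the text goes on to question.

```python
"""Von Neumann whitening: unbiased bits from biased but independent ones.

Added example; the biased source is a seeded PRNG standing in for a noisy
physical device and must not be mistaken for pad-quality randomness.
"""
import random


def von_neumann_whiten(bits):
    """Apply the table: read non-overlapping pairs, 01 -> 1, 10 -> 0,
    00 and 11 produce nothing. A trailing unpaired bit is dropped.
    For independent bits with P(1) = p, P(01) = (1-p)p = P(10), so the two
    surviving outcomes are equally likely whatever p is."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(1 if a == 0 else 0)
    return out


def biased_source(n: int, p_one: float, seed: int):
    """Constructed stand-in for an imperfect physical source: independent,
    identically distributed bits with P(1) = p_one. Seeded for repeatability."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fraction_ones(bits) -> float:
    """Empirical bias of a bit list (0.5 means no bias)."""
    return sum(bits) / len(bits) if bits else 0.0


def expected_yield(p_one: float) -> float:
    """A pair yields an output bit with probability 2 p (1 - p); per input bit
    that is p (1 - p), at most 1/4 even for an already unbiased source. This is
    the price of distilling entropy with this method."""
    return p_one * (1.0 - p_one)


if __name__ == "__main__":
    raw = biased_source(20_000, p_one=0.8, seed=1)
    white = von_neumann_whiten(raw)
    print(f"input bias {fraction_ones(raw):.3f}, output bias {fraction_ones(white):.3f}")
    print(f"{len(raw)} input bits -> {len(white)} output bits "
          f"(expected about {expected_yield(0.8) * len(raw):.0f})")
```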


This will produce uniformly random output bits if the input bits are statistically independent and all
drawn from the same distribution. However, that is not a realistic assumption since most physical
randomness sources may have some correlation in the output, and the distribution may change with
the device temperature, etc. In 2003, Boaz Barak, Ronen Shaltiel, and Eran Tromer stated some
reasonable security criteria for entropy distillation and constructed an algorithm for doing it. [10]
In Linux (and some other Unix-like systems) the kernel's random number generator, /dev/random,
uses environmental noise to generate random data and is better than many such system call designs.
It attempts to estimate the amount of entropy it collects and blocks if the entropy pool is exhausted. It
is intended to be, and is widely thought to actually be, better than most such generators, and if so is
rather closer to satisfactorily random. But this process will be slow on systems which have few usable
noise sources. It can, however, be fed additional entropy by reading from an attached noise
generating device.
Linux also provides /dev/urandom which uses a deterministic algorithm to generate the data whenever
environmental noise is unavailable. Improved designs, such as the Yarrow algorithm are available.
One-time pad key material generated in this way (ie, from deterministic random number generators)
lacks the information-theoretic security of a one-time pad. Yarrow offers at least as much strength as a
block cipher based on Triple DES.
If a computer used for one-time pad generation is compromised, by a computer virus or other malware
or by an adversary gaining physical access, the software can be modified to leak the pad data or
generate apparently random data that is in fact predictable. See random number generator attack.
One way to reduce this risk is to generate pads on a machine that is never connected to any computer
network and preferably not used for any other purpose. Collecting key material on new, blank media
(e.g. floppy disks or CD-Rs) eliminates another route for malware infection. If paper pads are to be
produced, the printer is best dedicated as well. One approach might be to use an older laptop for OTP
generation, purged and rebuilt with a fresh, traceable copy of an open source operating system, such
as Linux or BSD. The smaller size would allow it to be easily locked up in a safe when not in use.

6.6.12 Making one-time pads by hand

A full English-language Scrabble tile set. See Scrabble letter distributions for other languages.


One-time pads were originally made without the use of a computer and this is still possible today. The
process can be tedious, but if done correctly and the pad used only once, the result is unbreakable.
There are two components needed to make a one-time pad: a way to generate letters at random and
a way to record two copies of the result. The traditional way to do the latter was to use a typewriter
and carbon paper. Typewriters are scarce these days and add a requirement to destroy the carbon
paper and typewriter ribbon, from which the pad data can often be recovered. A more modern
approach is to hand write the letters neatly in groups of five on two part carbonless copy paper sheets,
which can be purchased at office supply stores. Each sheet should be given a serial number or some
other unique marking.
The simplest way to generate random letters is to obtain 26 identical objects with each letter of the
alphabet marked on one object. Tiles from the game Scrabble can be used as long as only one of
each letter is selected. Kits for making name charm bracelets are another possibility. One can also
write the letters on 26 pennies with a marking pen. The objects are placed in a box or cup and shaken
vigorously, then one object is withdrawn and its letter is recorded. The object is returned to the box
and the process is repeated.
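The hand procedure above, as an added Python illustration that is not part of the original text or of the Wikipedia article it quotes: the shaken cup of 26 tiles becomes independent draws from the operating system's random source, the sheet is laid out in five-letter groups under a serial number, the sender and receiver apply the same addition modulo 26 by hand, and the last function shows why a sheet is used exactly once. All function names are my own.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # the 26 tiles, exactly one per letter


def draw_letters(count: int) -> str:
    """Simulate the cup: each draw is independent and the tile goes back before
    the next draw (sampling with replacement), so every letter has probability
    1/26 every time. secrets.choice reads the OS CSPRNG, the software analogue
    of shaking the cup vigorously; never use random.choice here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(count))


def format_sheet(serial: str, letters: str, group: int = 5, per_line: int = 10) -> str:
    """Lay the letters out in five-letter groups, as on the hand-written sheets,
    with the sheet's unique serial number on the first line."""
    groups = [letters[i:i + group] for i in range(0, len(letters), group)]
    lines = [serial]
    for i in range(0, len(groups), per_line):
        lines.append(" ".join(groups[i:i + per_line]))
    return "\n".join(lines)


def _shift(text: str, key: str, sign: int) -> str:
    """Letter-by-letter addition (sign=+1) or subtraction (sign=-1) modulo 26.
    Both strings must be upper-case A-Z; the key must cover the whole text,
    because stretching or reusing a pad is exactly what must never happen."""
    if len(key) < len(text):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return "".join(
        ALPHABET[(ALPHABET.index(p) + sign * ALPHABET.index(k)) % 26]
        for p, k in zip(text, key)
    )


def encrypt(plaintext: str, pad: str) -> str:
    """Sender's copy of the sheet: ciphertext letter = plaintext + pad letter."""
    return _shift(plaintext, pad, +1)


def decrypt(ciphertext: str, pad: str) -> str:
    """Receiver's copy of the sheet reverses the addition."""
    return _shift(ciphertext, pad, -1)


def reuse_leak(ciphertext1: str, ciphertext2: str) -> str:
    """Why a sheet is used only once: if both messages were encrypted with the
    same pad, c1 - c2 = (p1 + k) - (p2 + k) = p1 - p2, the pad cancels out and
    the difference of the two plaintexts is exposed without any key."""
    return _shift(ciphertext1, ciphertext2, -1)
```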


6.7 As I understand it
There is this one topic related to cipher technology, privacy and security that pops up all the time and
in different places. It is about “cooperation of intelligence agencies to confront security threats” of any
sort. I have this understanding – sorry if you have a different one:
- The police have to enact the laws within a country. I presume, in most cases, those laws are more or less lawful. Also, since most countries have similar law systems – criminal law systems, mostly – those countries can choose to cooperate. Germany is a nice example. All German states have their own police forces and cooperate on some tasks, coordinated by the federal police agency Bundeskriminalamt.
- Intelligence agencies are often divided into internal and external divisions. At least the external division operates on behalf of the state. There is obviously a conflict with the police of other states or countries, say, since in most cases this intelligence work would be called “spying”. Or else, some intelligence agencies may use money to gain some influence within other countries. This type of advanced intelligence work may look like bribery or corruption to simple-minded people.
- The internal intelligence agencies are often separated from the police forces, for good historical reasons. I am not sure whether they enact the law or operate on behalf of the present political leadership – too much secrecy – and both may not be the same. In all cases, defending the interest of the state may conflict with the laws within a state, so you have a potential conflict with the police here.

As the name says, intelligence has to do with data, and police work is to a good percentage an
information processing task. As a result, sometimes you hear requests from politicians for “cooperation
of all intelligence agencies and police to confront security threats”. I am afraid there are limits to that
kind of effort.

I don’t claim to have a recipe for this type of Gordian Knot, but it should be clear that not all data can
be dumped into a big melting pot and cooked for good.
