Encryption

The One-Time Pad: Provably Unbreakable, Almost Never Used

July 11, 2026 8 min read Haven Team

Every cipher in daily use, AES included, is secure in the practical sense: nobody currently knows how to break it with feasible amounts of computation. Exactly one scheme is secure in a stronger sense, with a mathematical proof that no amount of computation will ever break it. It was patented in 1917, the proof arrived in 1949, and cryptographers have spent the decades since deliberately not using it. The reasons why say a lot about what encryption actually has to solve.


The Whole Algorithm in One Paragraph

Take your message as a string of bits. Take a key that is a string of truly random bits, at least as long as the message. XOR them together, bit by bit. The result is the ciphertext. The recipient, holding an identical copy of the key, XORs the ciphertext with the key and gets the message back. Each key is used once and destroyed.

Gilbert Vernam, an engineer at AT&T, patented the electrical version of this in 1919 for teletype traffic. Joseph Mauborgne of the US Army Signal Corps added the requirement that makes it what it is: the key must be random and must never be reused. Hence the name. Spy services later distributed keys as printed pads of random digits, one sheet per message, torn off and burned after use.

What "Provably Unbreakable" Actually Means

Claude Shannon formalized the security of the one-time pad in his 1949 paper "Communication Theory of Secrecy Systems." The property he proved is called perfect secrecy: the ciphertext carries zero information about the plaintext. Formally, the probability of any given plaintext is the same after seeing the ciphertext as before.

The intuition is worth having. Suppose you intercept a 10-character ciphertext. For every possible 10-character message, there exists some key that decrypts the ciphertext to exactly that message. "ATTACK DAWN" is a candidate. So is "RETREAT NOW". So is your grandmother's soup recipe, truncated to ten characters. Since the key was chosen uniformly at random, all of those keys were equally likely, so all of those plaintexts remain equally plausible. Brute force does not merely take too long; it produces every possible message and no way to prefer one.

The catch, stated early

Perfect secrecy requires a truly random key as long as the message, delivered to the recipient in advance over a channel you already trust, used once, and destroyed. Shannon also proved this is the cheapest perfect secrecy gets: any scheme with perfect secrecy needs at least as much key as message. The requirement is not an implementation detail. It is the price.

VENONA: What Cutting the Corner Costs

The proof holds only if every requirement holds, and the requirement that fails in practice is "never reuse." The best-documented failure is the VENONA project.

During the Second World War, Soviet intelligence services encrypted their cable traffic with one-time pads, which should have made it permanently unreadable. But wartime pressure on pad production led the manufacturers to duplicate some pad pages across different pad books. Starting in 1943, US Army codebreakers noticed the duplication, and the effect was devastating in slow motion: when two messages are encrypted with the same key, XORing the two ciphertexts together cancels the key entirely, leaving the XOR of the two plaintexts, which skilled analysts can pick apart using the statistics of language.

The VENONA cryptanalysts worked on that intercepted traffic for nearly four decades, eventually decrypting around three thousand messages. The results identified Klaus Fuchs's atomic espionage and figured centrally in the case against Julius Rosenberg. A cipher with a proof of unbreakability was defeated by its own logistics.

A one-time pad reused even once is not a weakened one-time pad. It is a different, breakable system that happens to look like one.

The Problem the Proof Cannot See: Key Distribution

Suppose you accept the discipline: real randomness, full-length keys, no reuse. You now face the question the one-time pad has no answer for. How does the key get to the other side?

You cannot send it over the network unencrypted, obviously. You cannot encrypt it with another one-time pad without needing to deliver that pad first, which restates the problem. What remains is physical delivery: couriers, diplomatic bags, an in-person meeting before any communication happens. That works for embassies and it famously worked for the Moscow-Washington hotline established in 1963, which used one-time tapes delivered through each side's embassy. It does not work for messaging someone you have never met, which is nearly everyone you communicate with online.

Notice the shape of the trade modern cryptography made instead. A scheme like AES-256 uses a short key, 32 bytes, for gigabytes of traffic, and key agreement protocols based on Diffie-Hellman let two parties who have never met establish that key over a hostile network. The price is that security becomes computational rather than absolute: it rests on problems believed, not proven, to be hard. Cryptographers took that deal because a slightly weaker guarantee you can actually deploy protects more people than a perfect guarantee you cannot.

Two More Quiet Weaknesses

No integrity. The one-time pad hides content and does nothing else. An attacker who cannot read your message can still modify it with surgical precision, because flipping bit n of the ciphertext flips exactly bit n of the decrypted plaintext. If the attacker knows your message format, "pay 100" becomes "pay 900" without any decryption. Modern systems pair encryption with authentication for exactly this reason; see authenticated encryption and HMAC.

Randomness is harder than it looks. The proof requires the key bits to be uniformly random. Keys from a pseudorandom generator seeded with a short secret give you a stream cipher, not a one-time pad, and the perfect-secrecy proof no longer applies. Producing large volumes of high-quality randomness is its own engineering discipline; our post on secure randomness covers how systems get this wrong.

The Marketing Red Flag

The phrase "one-time pad" survives mostly in two places today: cryptography courses, and the marketing of products that do not contain one. A product that claims one-time-pad encryption over the internet, with no explanation of how pads longer than your total traffic were exchanged in advance, is describing a stream cipher with a famous name attached. Some vendors go further and generate the "pad" from a small seed, which abandons the entire point.

The test is the key-material accounting. If the secret material exchanged in advance is smaller than the data protected, whatever the system is, it is not a one-time pad, and its security is computational like everyone else's. That is not necessarily bad engineering. Well-built computational cryptography is what protects essentially everything today, including this page in transit. What should lower your trust is a vendor either not knowing the difference or hoping you do not.

Why It Still Matters

The one-time pad earns its place in every cryptography curriculum because it marks the boundary of the possible. It answers, precisely, the question "what would it cost to have encryption that no adversary, ever, with any computer, can break?" The answer is: a secure channel that carries one key bit for every message bit, which is nearly the thing you were trying to build. Everything else in cryptography is the study of what you can get for less.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →