One-Time Pad (OTP): The Definitive Guide
Last updated: April 2026. This page is built to be the most complete practical OTP reference on the web: mathematical facts, historical evidence, operational realities, and implementation guidance.
One-time pad encryption explained
What is a one-time pad, and why does it still matter?
The one-time pad, often shortened to OTP, is an encryption method in which plaintext is combined with a truly random pre-shared key that is at least as long as the message. When that key is used once, kept secret, and applied with modular arithmetic or XOR, the resulting ciphertext has perfect secrecy in Shannon's information-theoretic sense. It is unrelated to one-time passwords, which also use the acronym OTP.
That promise is why one-time pad encryption still appears in discussions of military communications, diplomatic traffic, espionage tradecraft, numbers stations, and post-quantum security. But the hard part is never the cipher formula. The hard part is true randomness, key distribution, offset tracking, secure storage, and zero key reuse.
1949
Claude Shannon published the formal perfect secrecy framework in 1949 in Communication Theory of Secrecy Systems.
1 MB
A 1 MB message needs 1 MB of fresh one-time key material. That key-length rule is the core operational cost of OTP.
0
0 extra information should leak from ciphertext alone when randomness, secrecy, key length, and one-time use are all preserved.
History, Vernam, and VENONA
1882: Frank Miller described the first known one-time additive cipher concept for telegraphic secrecy.
1917 to 1919: Gilbert Vernam developed the teleprinter system behind U.S. Patent 1,310,719, which shaped later Vernam cipher and OTP discussions.
1919 onward: Joseph Mauborgne recognized the decisive rule that the key must be truly random, as long as the message, and used only once.
1949: Shannon gave the information-theoretic proof that explains why correctly implemented one-time pad encryption achieves perfect secrecy.
Cold War history added the other lesson: the VENONA project did not break true OTP, but it did exploit reused one-time pad pages and operational mistakes in Soviet traffic.
Primary sources and standards
Claude Shannon (1949), Communication Theory of Secrecy Systems: https://www.iacr.org/museum/shannon/shannon45.pdf
U.S. Patent 1,310,719, Gilbert Vernam, Secret signaling system: https://patents.google.com/patent/US1310719A/en
NSA historical release, VENONA: https://www.nsa.gov/Helpful-Links/NSA-FOIA/Declassification-Transparency-Initiatives/Historical-Releases/Venona/
RFC 4086, Randomness Requirements for Security: https://www.rfc-editor.org/rfc/rfc4086.html
NIST post-quantum context: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
How one-time pad encryption works
For binary data, OTP encryption is plaintext XOR key. In alphabet examples, writers often use modulo 26 arithmetic, where plaintext letters are combined with key letters to produce ciphertext. In both forms, each plaintext symbol is masked by one equally long random key symbol.
If the key is uniformly random and never reused, every plausible plaintext of the same length remains compatible with the observed ciphertext. That is why OTP is information-theoretically secure rather than merely computationally secure.
Why one-time pad is rare in products
OTP is not rare because it is weak. OTP is rare because the key distribution problem is expensive: randomness generation, secure couriering or exchange, offset tracking, lifecycle control, and zero reuse across devices and sessions.
Most messaging products trade perfect secrecy for simpler deployment with short reusable keys, authenticated encryption, and easier scaling.
Failure modes you cannot ignore
Key reuse is fatal. If two ciphertexts share the same key stream, attackers can compare the ciphertexts, cancel out the key, and recover structure from the two plaintexts.
Weak entropy, compromised endpoints, unsafe backups, sloppy synchronization, and missing message authentication can all destroy secrecy in real deployments.
OTP, post-quantum cryptography, and QKD
Quantum computers matter enormously for public-key migration, but they do not change the mathematical basis of correctly implemented OTP. One-time pad security is not based on factoring, discrete logarithms, or lattice assumptions.
For OTP, the open problem is still operational: generating true randomness and delivering key material safely. Quantum key distribution can help with key distribution, but it does not change the definition of the cipher itself.
Entropy, hardware RNGs, and why true randomness is hard
A one-time pad does not work with merely random-looking data. It needs unpredictable key material with enough entropy that an attacker cannot reconstruct or narrow the key stream. RFC 4086 makes the core point clearly: statistical randomness and cryptographic unpredictability are not the same thing.
In practice, that pushes serious OTP deployments toward hardware entropy sources, carefully mixed pools, or other well-audited random number generation pipelines. Clocks, serial numbers, or weak pseudo-random seeds are not enough for one-time pad key generation.
One-time pad vs one-time password
These terms are frequently confused because both are abbreviated OTP, but they solve different problems. A one-time pad is an encryption system for message secrecy. A one-time password is a short authentication code used once during login or transaction approval.
Searchers often mean one-time password when they type OTP. If they are looking for the cipher, the correct search intent is one-time pad encryption, Vernam cipher, perfect secrecy, or information-theoretic security.
Criterion
One-Time Pad
Typical modern encryption
Comparison: one-time pad vs stream ciphers and modern encryption
Security basis
Information-theoretic proof if the rules hold
Computational hardness assumptions
Key size
Key length equals plaintext length
Short reusable keys or derived session keys
Quantum exposure
Not based on factoring, discrete logs, or lattice assumptions
Depends on algorithm family and migration path
Main weakness
Key distribution, offset tracking, secure storage, and destruction
Cryptanalytic assumptions, implementation bugs, and side-channel risk
FAQ
Is one-time pad really unbreakable?
Yes, but only if the key is truly random, at least message length, secret, never reused, and applied correctly with modular arithmetic or XOR.
Why is OTP not standard in all messaging apps?
Because the key distribution problem dominates. A real one-time pad needs a pre-shared key stream as long as the message traffic, exact offset tracking, secure destruction, and usually separate integrity protection.
Can quantum computers break OTP?
No. Correct OTP is not based on the computational assumptions that quantum algorithms target, which is why it is often cited as an information-theoretic and post-quantum-safe construction.
What is the most important historical lesson?
VENONA showed that reused one-time pad pages can expose otherwise secure traffic. The lesson is not that OTP failed mathematically, but that operations failed historically.
Is one-time pad the same as a one-time password?
No. A one-time pad is an encryption method for protecting message content, while a one-time password is a temporary authentication code used for login or approval.
Does a one-time pad need a hardware random number generator?
Strictly speaking, not every design must use dedicated hardware, but real-world OTP systems need high-quality entropy and carefully audited randomness generation. Weak seeds or predictable pseudo-random output can invalidate the whole security claim.