Information Security. Mark Stamp
We denote the XOR of bit
Now suppose that Trudy uses the key
which is the correct length to encrypt her message above. Then to encrypt, Trudy computes the ciphertext
Converting these ciphertext bits back into letters, the ciphertext message to be transmitted is srlhssthsr.
When her fellow Nazi spy, Eve, receives Trudy's message, she decrypts it using the same shared key and thereby recovers the plaintext
Let's consider a couple of scenarios. First, suppose that Trudy has an enemy, Charlie, within the Nazi spy organization. Charlie claims that the actual key used to encrypt Trudy's message is
Eve decrypts the ciphertext using the key given to her by Charlie and obtains
Eve, who doesn't really understand crypto, orders that Trudy be brought in for questioning.
Now let's consider a different scenario. Suppose that the Allies in London intercept Trudy's ciphertext, raising suspicions that she might be spying for the Nazis. The Allies are eager to read the message and Trudy is “encouraged” to provide the key to her super‐secret message. Trudy claims that she is actually working against the Nazis, and to prove it, she provides the “key”
When the Allies “decrypt” the ciphertext using this “key,” they find
The Allies proceed to give Trudy a medal for her work against the Nazis.
While not a proof, these examples serve to illustrate why the one‐time pad is secure in a stronger sense than the ciphers we have previously considered. The bottom line is that if the key is chosen at random, and used only once, then an attacker who obtains the ciphertext has no useful information about the message itself—any “plaintext” of the same length can be generated by a suitable choice of “key,” and all possible plaintexts are equally likely. From a cryptographer's point of view, it doesn't get any better than that.
Of course, we are assuming that the one‐time pad cipher is used correctly. The key (or pad) must be chosen at random and used only once. And, since it is a symmetric cipher, the key must be known by both the encryptor and the intended recipient—and nobody else can know the key.
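The following is an added example, not code from the book: it takes the ciphertext srlhssthsr from the text above and derives, for any claimed plaintext of the same length, the "key" that decrypts to it, then shows what leaks when a pad is reused. The 3-bit letter encoding and the candidate plaintexts are assumptions constructed for the example, since they do not appear on this page.

```python
# Added example. ASSUMPTION: letters are encoded as 3-bit values by their
# position in this 8-letter alphabet (e=000 ... t=111); not taken from this page.
ALPHABET = "ehiklrst"

def encode(text):
    """Map each letter to its 3-bit value."""
    return [ALPHABET.index(ch) for ch in text]

def decode(values):
    """Map 3-bit values back to letters."""
    return "".join(ALPHABET[v] for v in values)

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return [x ^ y for x, y in zip(a, b)]

def key_for(ciphertext, claimed_plaintext):
    """The pad that 'decrypts' ciphertext to claimed_plaintext: K = C xor P."""
    return xor(encode(ciphertext), encode(claimed_plaintext))

def decrypt(ciphertext, key):
    return decode(xor(encode(ciphertext), key))

def plaintexts_per_symbol(cipher_symbol):
    """Plaintext letters reachable from one ciphertext letter over all 8 pads."""
    c = ALPHABET.index(cipher_symbol)
    return sorted(ALPHABET[c ^ k] for k in range(8))

def reuse_leak(c1, c2):
    """With a reused pad the pad cancels: C1 xor C2 = P1 xor P2."""
    return xor(encode(c1), encode(c2))

CIPHERTEXT = "srlhssthsr"                    # from the text above
CANDIDATES = ["shelikesit", "heliesless"]    # constructed plaintexts

if __name__ == "__main__":
    for guess in CANDIDATES:
        key = key_for(CIPHERTEXT, guess)
        bits = " ".join(format(k, "03b") for k in key)
        print(f"{guess}: key {bits} -> {decrypt(CIPHERTEXT, key)}")
    # Every letter is equally reachable from a single ciphertext letter.
    print(plaintexts_per_symbol("s"))
```

Each ciphertext letter maps to every letter of the alphabet under exactly one pad value, which is why the ciphertext alone favours no plaintext; `reuse_leak` shows that this guarantee is lost as soon as the same pad encrypts two messages.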
Since we can't do better than provable security, why don't we always use the one‐time pad? Unfortunately, the cipher is impractical for most applications. Why is this the case? The crucial problem is that the pad is the same length as the message and since the pad is the key, it must be securely