A running key cipher is a polyalphabetic substitution cipher in classical cryptography that generates a long, non-repeating keystream from a continuous text—such as an excerpt from a book—to encipher plaintext, often by modular addition of corresponding letters.[1] This approach uses one meaningful text to encrypt another, ensuring the key length matches or exceeds the message to avoid periodicity.[2] Unlike the Vigenère cipher, which repeats a short keyword, the running key's extended, aperiodic nature makes it more resistant to frequency analysis attacks.[3]The cipher operates using a tabula recta or equivalent modular arithmetic (modulo 26 for the English alphabet), where each plaintext letter is shifted by the value of the aligned key letter to produce ciphertext.[3] Decryption reverses this by subtracting the key letters from the ciphertext. First described in 1892 by French mathematician Arthur-Joseph Hermann in his work Nouveau système de correspondance secrète, the running key cipher emerged as an evolution of earlier polyalphabetic methods, leveraging shared reference texts between sender and receiver for secure communication.[4]Although long considered secure due to its complexity, the running key cipher's reliance on natural language for the keystream introduces statistical redundancies that enable cryptanalysis, such as probable word methods or frequency attacks on key-plaintext pairs.[2] In information-theoretic terms, it approximates perfect secrecy only if the key is truly random and used once, akin to the one-time pad; otherwise, meaningful keys reduce security.[2] Historically employed in espionage and military contexts, it highlights the balance between simplicity and vulnerability in pre-modern encryption systems.[1]
Principles and Operation
Definition and Core Concepts
A running key cipher is a polyalphabetic substitution cipher that utilizes a non-repeating keystream of arbitrary length, typically generated from an external text source such as a book or document shared between correspondents.[5][6] This approach contrasts with fixed-key systems by drawing successive key letters directly from the chosen text, ensuring the keystream matches the plaintext length without cycling or repetition.[7]At its core, the running key functions as a continuous keystream that progresses sequentially through the source text, pairing each plaintext character with a distinct key character to produce the ciphertext.[8] This one-to-one correspondence eliminates the periodic patterns inherent in repeating-key polyalphabetics, such as the Vigenère cipher, thereby complicating frequency-based attacks.[8]The substitution mechanism employs the tabula recta, a square table of alphabets where each row represents a shifted version of the base alphabet, facilitating letter-by-letter encryption through addition in modular arithmetic.[6] Letters are numerically encoded with A=0, B=1, up to Z=25, and the shift for each position is computed modulo 26, yielding a new ciphertext letter: for plaintext letter p and key letter k, the ciphertext is c = (p + k) \mod 26.[6]Running key ciphers played a pivotal role in historical cryptography as a transitional method between limited-key polyalphabetics and modern stream ciphers, introducing the use of extended, non-repeating keystreams for enhanced diffusion.[8] Predating digital computing, they influenced early 20th-century mechanical systems, including the U.S. Army's M-94 cipher wheel, which adapted polyalphabetic principles for tactical use.[9]
Encryption and Decryption Process
The encryption process in a running key cipher involves aligning the plaintext message letter by letter with a corresponding sequence from the running key, which is typically derived from a lengthy, non-repeating text source such as a book excerpt. Each plaintext letter P_i is converted to its numeric equivalent (A=0, B=1, ..., Z=25), and similarly for the key letter K_i. The ciphertext letter C_i is then computed using the formula C_i = (P_i + K_i) \mod 26, after which the result is mapped back to the corresponding letter in the alphabet.[10][11] This addition can be performed manually via a tabula recta or computationally in modern implementations.[10]Decryption reverses this operation by aligning the ciphertext with the same running key sequence. For each position, the ciphertext numeric value C_i is subtracted by the key value K_i, yielding P_i = (C_i - K_i) \mod 26, with negative results adjusted by adding 26 to ensure a non-negative value within the 0-25 range before mapping back to plaintext letters.[10][11] This modular subtraction maintains the cipher's reversibility, assuming perfect key alignment.A fundamental requirement is that the running key must be at least as long as the plaintext to prevent repetition and enhance security, effectively making the key stream unique for each message.[10][11] Sender and receiver must synchronize the key source in advance, often by agreeing on a specific book, page, and starting line, which can be indicated subtly in the message preamble to avoid direct transmission of the key itself.[11]In contemporary computational settings, the process is implemented programmatically by generating the key stream from digitized texts, automating the modulo operations for efficiency while preserving the manual synchronization protocol.[10]
Historical Development
Origins in Polyalphabetic Ciphers
The running key cipher emerged from the evolution of polyalphabetic substitution ciphers, which originated in the 16th century with innovations like those described by Blaise de Vigenère in his 1586 treatise Traicté des chiffres et chiffres secrets. Vigenère's work included an autokey variant, where an initial keyword is extended by the plaintext itself to create a non-repeating keystream, representing an early attempt to avoid key periodicity in polyalphabetic systems. However, the running key cipher, using a long external text such as a book excerpt as the keystream, was first formally described in 1892 by French mathematician Arthur-Joseph Hermann in his work Nouveau système de correspondance secrète.[4] This approach built on earlier polyalphabetic designs but provided a truly aperiodic key independent of the message.[12]In the 19th century, advancements in cryptanalysis highlighted the vulnerabilities of short-key polyalphabetics. Charles Babbage developed methods in the 1840s to break Vigenère ciphers by identifying repeated sequences and aligning them to reveal the key length, showing how periodicity facilitated attacks. Friedrich Kasiski's 1863 examination technique systematically detected repeated ciphertext trigrams to deduce key length, underscoring the need for keys as long as the plaintext to resist such methods.[13] These developments influenced the pursuit of non-repeating keys, paving the way for running key systems.The early 20th century saw the adoption of running key ciphers in military contexts, with the U.S. Army Signal Corps incorporating them into field manuals around 1917 for secure telegraph and radio communications. These manuals described running keys, often derived from book passages or continuous text, as non-repeating alternatives to periodic ciphers, suitable for World War I operations.[9] Concurrently, AT&T engineer Gilbert Vernam proposed a related system in 1917 for telegraphy encryption, using a prepared key tape combined character-by-character with plaintext via XOR-like addition, functioning as a running key but initially with reusable loops, later refined into the one-time pad by Vernam and Joseph Mauborgne.[14]Pre-World War II European developments included German Abwehr experiments with mechanical running key devices, such as the Kryha machine invented by Fritz Kryha in the 1920s and adopted for intelligence communications. This clockwork encipherer generated pseudo-random key streams via movable alphabet tabs, offering a portable, non-periodic alternative to rotor machines like Enigma for low-volume traffic, though it was eventually compromised by Allied cryptanalysts.[15]
Evolution and Notable Uses
Following World War I, running key ciphers evolved through integration with mechanical aids, though many remained manual for practicality in military use.During World War II, running key ciphers found niche applications in espionage, particularly by British Special Operations Executive (SOE) agents, who employed poem codes—a form of book cipher using memorized or carried verses as keys for transposition to encode short radio messages to London. German intelligence adopted book-based running keys more selectively, such as the Spanish book Sonar la Vida for the Hamburg-Chile circuit or O Servo de Deua for Hamburg-Lisbon reports on Allied shipping, but logistical challenges like irregular traffic and synchronized editions limited use; mechanical variants like the Kryha device were employed commercially and diplomatically but saw restricted military deployment.[15]A notable event occurred in 1943 when Allied cryptanalysts, including the U.S. Coast Guard and British ISOS section, broke several Axis running key systems through known-plaintext attacks, identifying key books from message preambles and patterns to decrypt 150-200 daily intercepts, revealing intelligence on ship movements and agent activities.[15] Post-war, running key ciphers declined with the rise of rotor machines and electronic systems, yet their simplicity influenced manual field operations in non-aligned countries during the Cold War, where resource limitations favored book-based methods.
Illustrative Examples
Basic Numerical Example
To illustrate the core mechanics of the running key cipher using numerical values, consider a simplified plaintext "FLEEA" (corresponding to "Flee a" with space ignored), mapped to integers where A=0, B=1, ..., Z=25, yielding plaintext values P = (5, 11, 4, 4, 0). A non-repeating running key of equal length, derived from the start of the phrase "errors can occur" (e=4, r=17, r=17, o=14, r=17), is used instead of a short repeating key as in the Vigenère cipher.[11]Encryption computes each ciphertext value as C_i = (P_i + K_i) \mod 26, where K_i is the i-th key value. The following table shows the step-by-step calculation:
Position
Plaintext Letter
P_i
Key Letter
K_i
C_i = (P_i + K_i) \mod 26
Ciphertext Letter
1
F
5
e
4
9
J
2
L
11
r
17
28 \mod 26 = 2
C
3
E
4
r
17
21
V
4
E
4
o
14
18
S
5
A
0
r
17
17
R
This produces the ciphertext "JCVSR".[11]Decryption reverses the process using the same running key: P_i = (C_i - K_i) \mod 26. For the first position, (9 - 4) \mod 26 = 5 (F); second, (2 - 17) \mod 26 = -15 \mod 26 = 11 (L); and similarly for the rest, recovering the original plaintext values (5, 11, 4, 4, 0).[11]This numerical approach highlights the advantage of a non-repeating running key, which avoids the periodic patterns exploitable in shorter, repeating keys, thereby enhancing resistance to frequency analysis.[11]
Text-Based Book Key Example
In a text-based running key cipher, the keystream is derived from a passage in a shared book, ensuring the key is as long as the plaintext without repetition. Consider a simple espionage message with the plaintext "MEETATDAWN," representing instructions to rendezvous at dawn. The running key is taken from the opening of the United States Declaration of Independence: "When in the Course of human events," ignoring spaces and punctuation for consecutive letters starting with W-H-E-N-I-N-T-H-E-C (corresponding to numerical values 22, 7, 4, 13, 8, 13, 19, 7, 4, 2).[10]Encryption proceeds by aligning the plaintext letters with the key letters and applying modular addition modulo 26, where A=0, B=1, ..., Z=25, similar to a Vigenère cipher but with a non-repeating key. For the first letter, M (12) + W (22) = 34 ≡ 8 (mod 26), which is I. Continuing: E (4) + H (7) = 11 ≡ L (mod 26); E (4) + E (4) = 8 ≡ I; T (19) + N (13) = 32 ≡ 6 (mod 26) = G; A (0) + I (8) = 8 ≡ I; T (19) + N (13) = 32 ≡ 6 = G; D (3) + T (19) = 22 ≡ W; A (0) + H (7) = 7 ≡ H; W (22) + E (4) = 26 ≡ 0 (mod 26) = A; N (13) + C (2) = 15 ≡ P. The resulting ciphertext is "ILIGIGWHAP."[10][16]Decryption reverses this process: the recipient, knowing the starting point in the identical book edition, subtracts the key values from the ciphertext modulo 26. For instance, starting with I (8) - W (22) = 8 - 22 = -14 ≡ 12 (mod 26) = M, and proceeding similarly to recover the original plaintext. Both parties must use the exact same book edition and precise starting position—such as page, line, and word—to align the key correctly, as even minor discrepancies like variant printings or editions could render the message undecipherable.[10]This method saw practical application in World War IIespionage, particularly in German clandestine radio networks in South America after the 1942 Brazilian spy arrests. For example, the Hamburg-to-Chile circuit employed a running key derived from the Spanish novel Sonar la Vida, using aperiodic polyalphabetic substitution where preambles in the message indicated key alignment, such as repeating a reference letter three times. Agents reported on Allied ship movements and equipment using such systems, but challenges arose in identifying the exact key books, contributing to Allied successes in intercepting and disrupting these networks through signals intelligence.[17]
Variants and Extensions
Permutation-Generated Running Keys
In permutation-generated running keys, the keystream for a running key cipher is dynamically produced by applying successive permutations to an initial base sequence, such as the ordered alphabet (A to Z) or numerals (1 to 26), rather than relying on excerpts from a fixed text. This method leverages a shared permutation rule—often a fixed transformation like a cyclic shift or swap operation—applied iteratively to reorder the sequence and yield a prolonged, non-repeating output stream suitable for encryption. Such generation mimics the polyalphabetic substitution of traditional running key systems but eliminates the dependency on physical media, aligning with early mechanized approaches to keystream production.[18]A representative example begins with the sorted sequence 1, 2, 3, ..., 26. A fixed permutation, such as swapping every third element (e.g., interchange positions 3 and 4, 6 and 7, etc., while shifting others), is applied to produce the first block of the keystream. The resulting permuted sequence then serves as input for the next iteration of the same rule, generating subsequent blocks indefinitely. This process creates a deterministic yet unpredictable stream when the initial permutation is complex, analogous to rotor stepping in historical devices where multiple permutation layers ensure variability.[18]The primary advantages of permutation-generated running keys include obviating the need for synchronized book copies between parties, thereby simplifying key distribution, and enhancing pseudo-randomness through the combinatorial depth of repeated permutations, which resists pattern detection better than short repeating keys. These techniques saw historical use in 1930s experimental cryptography research, particularly in the development of U.S. rotor machines like SIGABA (also known as ECM Mark II), where arrays of permuting rotors produced irregular, long-keystream sequences for secure communications prior to World War II.[19][18]In modern contexts, permutation-generated running keys are computationally feasible via software simulations, enabling efficient recreation of historical systems or integration into hybrid ciphers on standard hardware, as demonstrated by cryptanalytic implementations that process full keyspaces in hours.[20]
Gromark Cipher
The Gromark cipher, short for "Gronsfeld with mixed alphabet and running key," is a polyalphabetic substitution cipher designed for recreational cryptanalysis challenges. Invented by W. J. Hall and first described in the March-April 1969 issue of The Cryptogram, the official publication of the American Cryptogram Association, it combines elements of the Gronsfeld cipher's numerical shifts with a keyword-derived mixed alphabet and a pseudo-random numerical running key generated from a short primer.[21]The encryption process begins with key setup using a keyword, such as "ENIGMA," which determines both the mixed cipher alphabet and a transposition order. The keyword is written across the top of a 5x5 grid (or adjusted for length), with the remaining letters of the alphabet filled in row-wise below it, omitting one letter (often J) to fit 25 positions. The columns are then read out in the order of the keyword's alphabetical ranking (e.g., for "ENIGMA," the order is 2-6-4-3-5-1), producing a deranged alphabet like A J R X E B K S Y G F P V I D O U M H Q W N C L T Z. A 5-digit primer, such as 23452, initializes the running key stream. Subsequent key digits are generated by adding pairs of prior digits and taking the units place (e.g., 2+3=5, 3+4=7, 4+5=9, 5+2=7, then 5+7=2, and so on), creating a long numerical sequence independent of the plaintext.[22]To encipher, each plaintext letter is substituted using the corresponding running key digit as a shift amount within the mixed alphabet: the position of the plaintext letter is advanced by the digit value (modulo 25), wrapping around as needed. For example, with plaintext "THEREAREUPTOTENSUBSTITUTESPERLETTER" and the setup above, the initial key stream yields ciphertext groups like NFYCK BTIJC NWZYC ACJNA YNLQP WWSTW PJQFL, prefixed by the primer and suffixed by a check digit (the sum of the last four primer digits modulo 10, here 6). The output is presented in 5-letter groups to aid readability and solving, typically suitable for messages of 100-150 letters. This design enhances security over simple Gronsfeld by deranging the base alphabet and using a long, non-repeating numerical key, though it remains vulnerable to known-plaintext attacks or frequency analysis on sufficient text.[22][23]A distinctive feature of Gromark is its self-extending key mechanism, which mimics a running key without requiring external text or true autokey feedback from the ciphertext; instead, the primer bootstraps an arithmetic progression that can produce thousands of digits before repeating. While optional columnar transposition of the final ciphertext (e.g., in a 5xN grid keyed by the primer) has been suggested in later variants to add diffusion, the core system relies on substitution alone for its complexity. Hall's innovation aimed to create a "K2M" (keyword, two mixed alphabets) puzzle that balances solvability with intricacy for amateur cryptanalysts, influencing subsequent cipher designs in recreational cryptography.[23][24]
Ciphertext-Mimicking Variants
Ciphertext-mimicking variants of the running key cipher employ techniques to generate output that closely resembles ordinary text or expected content, enhancing concealment beyond mere encryption. By carefully selecting or adjusting the running key—often derived from a long passage in a book—the ciphertext can incorporate nulls or filler elements to obscure its structure and mimic natural language patterns, such as those found in prose or diplomatic correspondence. This approach leverages the running key's length and variability to blend the encrypted message into innocuous cover material, reducing the likelihood of detection as a cipher.[25]A representative technique involves choosing key segments from sources matching the intended cover genre, for instance, excerpts from a novel to produce ciphertext that appears as literary text. The plaintext is combined with the running key via modular addition (e.g., mod 26 for letters), and nulls—superfluous symbols or words—are inserted to pad the output and disrupt any residual patterns, ensuring the result reads as coherent but meaningless filler prose. For example, a diplomatic message might be enciphered such that the ciphertext resembles a routine news dispatch, with the true content hidden through selective positioning of meaningful letters amid nulls. This method was particularly suited to scenarios where messages needed to evade casual inspection, as the output could pass for non-sensitive material.[25][2]In historical contexts, early 20th-century espionage and diplomatic operations frequently utilized null cipher hybrids that incorporated running key elements for added obfuscation. During World War I, German diplomats, including Count von Bernstorff, employed null ciphers embedded in press cables to transmit intelligence, where significant letters were selected from ostensibly innocent text according to a prearranged rule, and these could be further protected by a running key derived from a shared book passage to prevent straightforward recovery.[25] Such systems appeared in U.S. Army telegraphic encipherment experiments around 1917, where Vernam's on-line methods used continuous running keys to generate output resembling random but transmittable marks, often padded with nulls for fixed-length groups.[25] Soviet networks in the 1930s and 1940s extended this by combining book-based running keys (e.g., from novels like The Good Soldier Schweik) with null-heavy formats, producing five-digit groups that mimicked routine numerical dispatches.[25]The psychological camouflage provided by these variants relies on the human tendency to overlook text that aligns with expected non-cryptic forms, such as everyday prose or bureaucratic fillers, thereby delaying cryptanalytic scrutiny. Unlike standard running key ciphers, which produce visibly scrambled output, these adaptations prioritize perceptual deception, making the material seem unworthy of deeper investigation until patterns or indicators reveal otherwise. This aspect proved effective in high-stakes environments like wartime diplomacy, where speed of transmission outweighed computational complexity.[25]
Security Analysis
Theoretical Strengths
Running key ciphers, when employing a truly random keystream as long as the plaintext, achieve perfect secrecy, rendering the ciphertext statistically independent of the plaintext and thus unbreakable by any amount of computational power or ciphertext-only analysis. This property aligns with Claude Shannon's foundational theorem on secrecy systems, which demonstrates that perfect secrecy requires the key entropy to be at least as large as the messageentropy, a condition met by such a non-repeating random key equivalent to a one-time pad.[26]The non-repeating nature of the running key inherently resists classical frequency analysis, as there is no fixed period or repeating pattern to exploit for identifying letter substitutions, unlike periodic polyalphabetic ciphers such as the Vigenère. In the ideal case of a random key, the resulting ciphertext exhibits uniform distribution across possible symbols, eliminating detectable biases from plaintext or key redundancies that would otherwise enable statistical attacks.[27]Furthermore, the use of extended keystreams, such as those derived from large corpora like books, enables scalability by providing an effectively vast keyspace without the need for key repetition, supporting encryption of arbitrarily long messages. However, such linguistic keys introduce redundancies that prevent achieving perfect secrecy, though they still offer improved resistance to period-detection attacks compared to short-key systems.[27]
Cryptanalytic Vulnerabilities
Running key ciphers are susceptible to known-plaintext attacks, where an attacker guesses probable plaintext words, such as common phrases like "THE" or "ENEMY," and subtracts them from the corresponding ciphertext segments to reveal portions of the running key. These key fragments can then be extended iteratively by assuming adjacent meaningful text, allowing recovery of longer key sequences and potentially the entire message if the key source is linguistic. This method, adapted from Vigenère cryptanalysis, exploits the predictability of natural language in both plaintext and key.[28]Book key exploitation targets the use of indexed excerpts from known texts, such as books, by testing probable sources and starting positions against multiple ciphertexts sharing the same key. In 1918, William Friedman developed the "generatrix" method, which involves generating 25 shifted alphabetic sequences from the ciphertext and using trial-and-error to align them with suspected book passages, successfully breaking several historical examples. During World War II, British cryptanalysts at Bletchley Park applied similar index-based attacks on book-derived keys in diplomatic and espionage communications, often narrowing candidates through frequency analysis of suspected texts.[5]Statistical methods leverage the non-random frequency distributions in natural language keys and plaintexts, contrasting with the flatter ciphertext spectrum. Attacks using n-gram probabilities score potential plaintext-key pairs, with early blockwise approaches recovering about 33% of letter pairs for short segments (n ≤ 6). More advanced techniques exploit autocorrelation in key streams derived from text, detecting periodicities from word or phrase repetitions that deviate from true randomness.Computational breaks have advanced significantly in the 21st century, enabling efficient decryption of longer ciphertexts through algorithmic optimization. The Viterbi algorithm, applied with 6-gram letter statistics, models the cipher as a hidden Markov chain to maximize the likelihood of plaintext and key sequences, achieving a median recovery accuracy of 87% on English texts from Project Gutenberg. Gibbs sampling further improves this by iteratively sampling word boundaries and candidates from language models like interpolated trigrams trained on corpora such as the Brown Corpus, yielding up to 93% accuracy on 1000-character ciphertexts while being over 100 times faster than Viterbi. Recent machine learning approaches, including transformer-based models for language prediction, have pushed recovery rates above 95% for texts under 500 characters as of 2023. These digital tools, implementable on modern hardware including GPUs for parallel n-gram evaluation, address limitations of manual methods and demonstrate practical vulnerabilities even for keys from contemporary texts.[6][29]
Distinctions from Related Systems
Comparison to Vigenère Cipher
The running key cipher and the Vigenère cipher share operational similarities as polyalphabetic substitution systems, both employing modular arithmetic shifts based on a key stream to obscure plaintext letters, often visualized using a tabula recta for encryption and decryption.[30] In both cases, the ciphertext letter c_i is generated by adding the plaintext letter m_i and the corresponding key letter k_i modulo 26, assuming A=0 to Z=25.[30]A fundamental difference lies in key management: the Vigenère cipher relies on a short repeating keyword, typically 5 to 10 letters long, which cycles periodically throughout the message, introducing exploitable patterns.[30] In contrast, the running key cipher uses a non-repeating key stream of at least the same length as the plaintext, often derived from a book or other extended text, eliminating repetition and periodicity.[10]This distinction profoundly impacts security. The Vigenère cipher's periodic key makes it vulnerable to cryptanalysis via the Kasiski examination, which detects the key length by identifying repeated ciphertext sequences spaced by multiples of the period, as detailed in Friedrich Kasiski's 1863 work.[31] The running key cipher resists such period-detection attacks when the key is sufficiently long and lacks obvious structure, though its security depends on the randomness of the key source; non-random book keys introduce redundancy that can aid recovery.[4][30]Historically, running key ciphers emerged in the late 19th century as an improvement addressing the Vigenère's weaknesses exposed by Kasiski's method nearly three decades earlier, with the earliest formal description provided by Arthur-Joseph Hermann in 1892.[32] This transition reflected a broader push toward longer, non-periodic keys to enhance resistance against frequency-based and period-analysis techniques prevalent in 19th-century cryptology.Quantitatively, the Vigenère cipher's keyspace is finite and scales as $26^k for a key of length k, yielding, for example, 17,576 possibilities for k=3, which brute-force attacks can exhaust given sufficient computational resources.[30] For running key ciphers using book excerpts, the keyspace is effectively infinite due to the vast number of possible starting positions and text selections, rendering exhaustive search impractical despite lingering vulnerabilities from linguistic predictability.[30]
Relation to One-Time Pad
The running key cipher and the one-time pad (OTP) share a core operational similarity: both utilize a keystream of the same length as the plaintext, with encryption achieved through modular addition, typically modulo 26 for alphabetic systems. This structure enables a running key cipher to achieve the perfect secrecy of the OTP when its keystream is generated from a truly random source and employed only once.[10]A key distinction lies in key generation and usage: the OTP demands a truly random, never-reused keystream—often distributed via printed pads—to ensure security, whereas running key ciphers commonly derive keystreams from predictable textual sources, such as books, which compromise security if the source material is known or guessable.[33]Historically, the running key cipher acted as a precursor to the OTP, evolving from manual book-based systems to automated implementations. In 1917, Gilbert Vernam patented an electrical system for teletype encryption that automated stream cipher principles, initially using repeating keys but bridging toward full-length keystreams akin to running keys.[34] Joseph Mauborgne advanced this in 1918 by emphasizing the need for random, non-repeating keys, thereby perfecting the OTP and resolving vulnerabilities in predictable keystreams through randomization.[35]From a security perspective, the running key cipher offers protection only insofar as its keystream remains unpredictable and single-use; in contrast, the OTP provides unconditional security, as established by Claude Shannon, where perfect secrecy holds when the key is independently random and at least as long as the plaintext, rendering ciphertext statistically independent of the message.[26]