Click for homepage
The Vernam Cipher
Digital bit-wise XOR

The Vernam Cipher is a symmetric cryptographic principle for adding a key stream to a plaintext, invented in 1917 by Gilbert Vernam (1890-1960). It is based on the principle that each plaintext character is 'mixed' with one character from a key stream. If a truly random key stream is used, the result will be a truly random ciphertext which bears no relation to the original plaintext. In that case the cipher is similar to the unbreakable One-Time Pad (OTP). As it was generally used with teleprinters and 5-level punched tape, the system is also known as One-Time Tape or OTT.

If the resulting ciphertext in the OTT system described above is truly random, it can safely be sent over the air, without the risk of being deciphered by an eavesdropper. All the recipient has to do is mix the ciphertext with the same OTT to reveal the original plaintext. One only has to guarantee that the OTT is truly random, that there are only two copies of it, that both copies are destroyed immediately after use and that they are only used once. (More about security below.)

The above became possible after the introduction of digital telegraphy, also known as Teletype 1 or Telex. With a teletypewriter, each character is substituted by a digital 5-bit code – represented by the 5 holes in a punched paper tape – commonly used with telex machines. This is commonly known as ITA2 or the Baudot-Murray code. Digital codes can also be represented by a series of '1's and '0's, where 1 represents the presence of a hole and 0 represents the absense of a hole.

The ciphertext is created by applying the logical XOR operation (exclusive-or) to the individual bits of plaintext and the key stream. The advantage of using the XOR operation for this, is that it can be reverted, simply by carrying out the same operation again. In other words:

plaintext + key = ciphertextciphertext + key = plaintext

In mathematics, the XOR operation is known as modulo-2 addition. In our case, the individual bits of the plaintext are XOR-ed with the individual bits of the key. The resulting bit will only be '1' if the two input bits are different. If they are equal (both 1 or both 0), the result will be '0'.

Take the letter 'A', which is represented by 00011, and add it to the letter 'B', represented by 11001. A bit-wise XOR operation yields 11010 which, in the ITA2 table, is the letter 'G'. In fact, each bit from the key tells us whether or not the corresponding bit from the plaintext should be inverted. By inverting these key-bits again, as shown above, the original character is revealed.

  1. Although 'Teletype' is actually a brand name of the Teletype Corporation, it has become a generic expression for digital 5-bit telegraphy. The system is also known as Teleprinter, Teletypewriter and Telex.
  2. XOR = Exclusive OR.

The principle of the Vernam Cipher is perhaps easier understood by looking at a message stored on a punched paper tape. In the example below, we want to transmit the word HELLO which is stored on the plain text tape. We also have a pre-recorded key tape, with a series of random characters; in this case the sequence AXHJB. The contents of the plaintext tape are now XOR-ed with the contents of the key tape. The result (KMIVE) is shown here as the ciphertext tape:

Mixing of the plaintext and the key

Now let us see what happens if we repeat this operation on the resulting ciphertext tape with the letters 'KMIVE'. In the illustration below, the ciphertext tape is on the left. It is XOR-ed with a copy of the original key tape (AXHJB), which results in the original plaintext: 'HELLO'.

Mixing of the ciphertext and the key

This process of applying the XOR-operation to text and key is often called mixing, and the cipher machines that use the Vernam principle, are therefore known as mixers. In the days when teletype systems were in widespread use, technicians were often so experienced that they could read a text directly from a paper tape, simply by looking at the holes and reading the bit patterns.

Mixing of ciphertext and key by holding the two tapes against the light
Mixing of the ciphertext and the key with the human eye

The same was often true for the maintenance engineers of OTT cipher machines. By taking a ciphertext tape, overlaying it with a key tape and then holding it against a bright light source, they were often able to 'read' the plaintext directly. This is illustrated in the above drawing, in which each half-transparent hole should be interpreted as as a binary '1'.

Mixing of plaintext and key by holding the two tapes against the light
Mixing of the plaintext and the key with the human eye

Cipher Security
The above procedure is 100% safe if, and only if, the following conditions are all met:

  1. There are only two copies of the key-tape,
  2. Both sides of the communications link have the same key-tape,
  3. The key-tape is used only once,
  4. The key-tape is destroyed immediately after use,
  5. The key-tape contains truly random characters,
  6. The equipment is TEMPEST proof,
  7. The key tape was not compromised during transport.
If any of the above criteria is not met, the cipher will become less secure. This means that – for example in a battlefield – sufficient supply of key-tapes have to be prepaired and distributed well in advance of a potential transmission. If you are communicating with a station several thousands of kilometers away, it will be very difficult to supply new key-tapes on a regular basis.

In practice, distribution of key tapes always was a big problem, resulting in many violations of the above rules. In some cases a key tape was used more than once, or was inserted the other way around (i.e. starting at the end). There were even cases where an operator would take a piece of key tape and use it as an endless loop, simply by joining both ends with a piece of cellotape.

Pseudo-random versus OTP
Although the OTP was, and still is, the only cipher that is totally secure by design, many systems based on the Vernam Cipher were replaced by cipher systems that use a pseudo-random number generator (PRNG) with a long period. If both ends of the communication link initialize their pseudo-random key generators identically, the Vernam principle can still be applied.

With this method, the initialization of the pseudo-random generator has become the key or seed, or initialization vector, which is typically much shorter than the message itself. Such a short key produces far less distribution problems, but also results in a reduced security of the cipher. In practice it's a trade-off between the desired secrecy level and the strength of the key.

Generating OTT key tapes
It is also very important to consider how key tapes were made. The cipher is only 100% safe, if the key tape contains evenly-spread truly random characters. That would be the case if the tape was filled with white noise from, say, a diode or an empty radio channel.

In practice, however, military organisations often used pseudo-random number generators for the creation of the key tape. The simple fact that such a generator is pseudo-random, makes the cipher less secure. There is always the danger that a potential enemy finds out what algorithm is used to generate the pseudo-random sequence; either by mathematical methods or through espionage. Examples of proper key tape generators are the Philips EROLET and the Mils A-6723.

 More about generating key tapes

Cipher machines, intended for operation with teleprinter signals, that use the Vernam Cipher, are generally called mixers or mixing machines.

In most cases, they are equipped with two paper-tape readers, one for the plaintext tape and one for the key tape.

 More information


The Vernam Cipher is named after Gilbert Sandford Vernam (1890-1960) who, in 1917, invented the stream cipher and later co-invented the OTP. His patent US 1,310,719 was filed in 1918 and is, according to the NSA, perhaps the most important one in the history of cryptography [1].

Over the years, many have claimed the invention of the OTT and the mixer. In 1921, the German manufacturer Siemens filed patent DE 371,087 in which a nearly identical principle is claimed. The patent drawing even shows two puched paper readers side-by-side. One of Siemens' claims is that it could be used as an online cipher system by driving the telegraph relay directly [2].

During WWII, the German Army relied on hand ciphers and rotor-based cipher machines, such as the Enigma, the Siemens T-52 Geheimschreiber and the Lorenz SZ-40/42. In 1943, Siemens developed their first online mixer machine based on the above principle. It was named T-43 and less than 50 of them were built. At the end of WWII, the Germans destroyed most of these T-43 machines. The ones that survived were captured by the Americans and later also by the British.

In 1952, a similar patent was filed by Bjørn Røhrholdt – a Colonel, engineer, veteran and liason of the Norwegian Army – and Kåre Meisingset of STK in Norway [3]. The collaboration of the two engineers eventually resulted in the development of the ETCRRM, a mixer machine that used valves (tubes) rather than electric relays. The machine was soon adopted by the Americans for communication at the highest level and later also by the newly established NATO. At height of the Cold War, the ETCRRM was used at the heart of the Hot line between Washington and Moscow.

The Dutch PTT and Philips
In the late 1950s, the Dutch PTT 1 developed its own range of mixers, again based on the same principle. As the PTT didn't have sufficient production capacity, the machines were manufactured by Philips Usfa in Eindhoven (Netherlands). The first machine to be released in 1956 was the Ecolex I. Like the ETCRRM, it was valve-based. It was followed in 1960 by the fully transistorized Ecolex II. After that, Philips Usfa took over the development of cipher machines, resulting in 1963 in the Ecolex IV. According to a former company director, Philips payed royalties to Professor Dr. Ir. Oberman, the initial developer at the Dutch PTT Research Labs, for the use of his patents [4].

  1. PTT = Staatsbedrijf der Posterijen Telegrafie en Telefonie. (state company for post, telegraphy and telephony). Privatized in 1989 and currently known as KPN.

Modern use of the Vernam Cipher
The Vernam Cipher can also be implemented with modern computer technology. Instead of the 5-bit word of a teletype system, computer words consist of 8 or even more bits. The principle, however, remains the same as the XOR-operation is applied to the individual bits of the data word. The use of the XOR-operation is still at the heart of many cryptographic algorithms today.

One warning however: always use a dedicated device for One-Time Pad communication, and never use a common personal computer (PC), a tablet or a smart phone, with a piece of software. Such systems are inherently usafe. There is no such thing as a secure personal computer.

 More about the One-Time Pad (OTP)

  1. US Patent 1,310,719, Secret Signalling System
    Filed 13 September 1918.

  2. US Patent 1,416,765, Ciphering Device
    Filed 23 July 1920.
  1. Gilbert S. Vernam, US Patent 1,310,719
    Filed 13 September 1918.

  2. Siemens und Halske, German Patent DE371087
    Filed 10 July 1921.

  3. Norwegian National Security Authority (NSM), Årsmelding 2008
    NSM Annual Report 2008 (Norwegian). Noen kryptosuksesser. p. 15.

  4. Anonymous former company director of Philips Usfa
    Interview at Crypto Museum. April 2013.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Saturday 11 August 2012. Last changed: Tuesday, 07 May 2024 - 07:00 CET.
Click for homepage