Editing One-time pad (section)

=== Quantum and post-quantum cryptography ===
A common use of the one-time pad in [[quantum cryptography]] is being used in association with [[quantum key distribution]] (QKD). QKD is typically associated with the one-time pad because it provides a way of distributing a long shared secret key securely and efficiently (assuming the existence of practical [[quantum network]]ing hardware). A QKD algorithm uses properties of quantum mechanical systems to let two parties agree on a shared, uniformly random string. Algorithms for QKD, such as [[BB84]], are also able to determine whether an adversarial party has been attempting to intercept key material, and allow for a shared secret key to be agreed upon with relatively few messages exchanged and relatively low computational overhead. At a high level, the schemes work by taking advantage of the destructive way quantum states are measured to exchange a secret and detect tampering. In the original BB84 paper, it was proven that the one-time pad, with keys distributed via QKD, is a [[Semantically-secure|perfectly secure]] encryption scheme.<ref name=":1">{{Cite journal |last1=Bennett |first1=Charles |last2=Brassard |first2=Giles |date=1984 |title=Quantum cryptography: Public key distribution and coin tossing |arxiv=2003.06557 |journal=Theoretical Computer Science |volume=560 |pages=7–11 |doi=10.1016/j.tcs.2014.05.025 |s2cid=27022972 }} Note: This paper was published originally in 1984, but was retracted, and the version on ArXiv is a reprint from 2014 of the 1984 paper.</ref> However, this result depends on the QKD scheme being implemented correctly in practice. Attacks on real-world QKD systems exist. For instance, many systems do not send a single photon (or other object in the desired quantum state) per bit of the key because of practical limitations, and an attacker could intercept and measure some of the photons associated with a message, gaining information about the key (i.e. leaking information about the pad), while passing along unmeasured photons corresponding to the same bit of the key.<ref>{{Cite journal |last1=Dušek |first1=Miloslav |last2=Haderka |first2=Ondřej |last3=Hendrych |first3=Martin |date=1999-10-01 |title=Generalized beam-splitting attack in quantum cryptography with dim coherent states |url=https://www.sciencedirect.com/science/article/pii/S0030401899004198 |journal=Optics Communications |language=en |volume=169 |issue=1 |pages=103–108 |doi=10.1016/S0030-4018(99)00419-8 |bibcode=1999OptCo.169..103D |issn=0030-4018}}</ref> Combining QKD with a one-time pad can also loosen the requirements for key reuse. In 1982, [[Charles H. Bennett (physicist)|Bennett]] and [[Gilles Brassard|Brassard]] showed that if a QKD protocol does not detect that an adversary was trying to intercept an exchanged key, then the key can safely be reused while preserving perfect secrecy.<ref>{{Cite journal |last1=Bennett |first1=Charles |last2=Brassard |first2=Giles |last3=Breidbart |first3=Seth |date=2014 |title=Quantum Cryptography II: How to re-use a one-time pad safely even if P=NP |journal=Natural Computing |volume=13 |issue=4 |pages=453–458|doi=10.1007/s11047-014-9453-6 |pmid=25400534 |pmc=4224740 |s2cid=3121156 }} Note: This is also a reprint of the original 1982 paper.</ref>

The one-time pad is an example of post-quantum cryptography, because perfect secrecy is a definition of security that does not depend on the computational resources of the adversary. Consequently, an adversary with a quantum computer would still not be able to gain any more information about a message encrypted with a one time pad than an adversary with just a classical computer.