Cryptology - Unofficial St. Mary's College of California Web Site

Cryptology: 

An Historical Introduction 

DRAFT 

Jim Sauerberg 

February 5, 2013

2 

Copyright 2013 

All rights reserved 

Jim Sauerberg 

Saint Mary’s College

Contents 

List of Figures 8 

1 Caesar Ciphers 9 

1.1 Saint Cyr Slide . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 

1.2 Running Down the Alphabet . . . . . . . . . . . . . . . . . . . . 14 

1.3 Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

1.4 Linquist’s Method . . . . . . . . . . . . . . . . . . . . . . . . . . 20 

1.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 

1.6 Topics and Techniques . . . . . . . . . . . . . . . . . . . . . . . . 22 

1.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 

2 Cryptologic Terms 29 

3 The Introduction of Numbers 31 

3.1 The Remainder Operator . . . . . . . . . . . . . . . . . . . . . . 33 

3.2 Modular Arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . 38 

3.3 Decimation Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . 40 

3.4 Deciphering Decimation Ciphers . . . . . . . . . . . . . . . . . . 42 

3.5 Multiplication vs. Addition . . . . . . . . . . . . . . . . . . . . . 44 

3.6 Koblitz’s Kid-RSA and Public Key Codes . . . . . . . . . . . . . 44 

3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 


3.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 

4 The Euclidean Algorithm 55 

4.1 Linear Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 

4.2 GCD’s and the Euclidean Algorithm . . . . . . . . . . . . . . . . 56 

4.3 Multiplicative Inverses . . . . . . . . . . . . . . . . . . . . . . . . 59 

4.4 Deciphering Decimation and Linear Ciphers . . . . . . . . . . . . 63 

4.5 Breaking Decimation and Linear Ciphers . . . . . . . . . . . . . . 65 

4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 


4.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 

3

4 CONTENTS 

5 Monoalphabetic Ciphers 71 

5.1 Keyword Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

5.2 Keyword Mixed Ciphers . . . . . . . . . . . . . . . . . . . . . . . 73 

5.3 Keyword Transposed Ciphers . . . . . . . . . . . . . . . . . . . . 74 

5.4 Interrupted Keyword Ciphers . . . . . . . . . . . . . . . . . . . . 75 

5.5 Frequency Counts and Exhaustion . . . . . . . . . . . . . . . . . 76 

5.6 Basic Letter Characteristics . . . . . . . . . . . . . . . . . . . . . 77 

5.7 Aristocrats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

5.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 


5.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

6 Decrypting Monoalphabetic Ciphers 89 

6.1 Letter Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . 90 

6.2 Decrypting Monoalphabetic Ciphers . . . . . . . . . . . . . . . . 91 

6.3 Sukhotin’s Method for Finding Vowels . . . . . . . . . . . . . . . 97 

6.4 Final Monoalphabetic Tricks . . . . . . . . . . . . . . . . . . . . 99 

6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 


6.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 

7 Vigenère Ciphers 109 

7.1 Alberti, the Father of Western Cryptology . . . . . . . . . . . . . 110 

7.2 Trithemius, the Father of Bibliography . . . . . . . . . . . . . . . 111 

7.3 Belaso, the Unknown and Porta, the Great . . . . . . . . . . . . 113 

7.4 Vigenère Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 

7.5 Variants and Beaufort . . . . . . . . . . . . . . . . . . . . . . . . 116 

7.6 How to Break Vigenère Ciphers . . . . . . . . . . . . . . . . . . . 117 

7.7 The Kasiski Test . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 

7.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 


7.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 

8 Polyalphabetic Ciphers 135 

8.1 Coincidences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 

8.2 The Measure of Roughness . . . . . . . . . . . . . . . . . . . . . 138 

8.3 The Friedman Test . . . . . . . . . . . . . . . . . . . . . . . . . . 142 

8.4 Multiple Encipherings . . . . . . . . . . . . . . . . . . . . . . . . 145 

8.5 Vigenère’s Auto Key Cipher . . . . . . . . . . . . . . . . . . . . . 149 

8.6 Perfect Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 

8.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 

8.8 Terms and Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 

8.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

CONTENTS 5 

9 Digraphic Ciphers 167 

9.1 Polygraphic Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . 167 

9.2 Hill Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 

9.3 Recognizing and Breaking Polygraphic Ciphers . . . . . . . . . . 174 

9.4 Playfair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 

9.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 


9.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 

10 Transposition Ciphers 189 

10.1 Route Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 

10.2 Geometrical Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . 190 

10.3 Turning Grilles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 

10.4 Columnar Transposition . . . . . . . . . . . . . . . . . . . . . . . 192 

10.5 Transposition vs. Substitution . . . . . . . . . . . . . . . . . . . 195 

10.6 Letter Connections . . . . . . . . . . . . . . . . . . . . . . . . . 196 

10.7 Breaking the Columnar Transposition Cipher . . . . . . . . . . . 198 

10.8 Double Transposition . . . . . . . . . . . . . . . . . . . . . . . . 201 

10.9 Transposition during the Civil War . . . . . . . . . . . . . . . . 202 

10.10 The Battle of the Civil War Ciphers . . . . . . . . . . . . . . . . 207 

10.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 

10.12 Topics and Techniques . . . . . . . . . . . . . . . . . . . . . . . 208 

10.13 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 

11 Knapsack Ciphers 219 

11.1 The Knapsack Problem . . . . . . . . . . . . . . . . . . . . . . . 219 

11.2 A Related Knapsack Problem . . . . . . . . . . . . . . . . . . . . 220 

11.3 An Easy Knapsack Problem . . . . . . . . . . . . . . . . . . . . . 221 

11.4 The Knapsack Cipher System . . . . . . . . . . . . . . . . . . . . 223 

11.5 Public Key Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . 227 

11.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 


11.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 

12 RSA 231 

12.1 Fermat’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 232 

12.2 Complication I: a small one . . . . . . . . . . . . . . . . . . . . . 234 

12.3 Complication II: a substantial one . . . . . . . . . . . . . . . . . 235 

12.4 Complication III: a mini one . . . . . . . . . . . . . . . . . . . . 238 

12.5 Complication IV: the last one . . . . . . . . . . . . . . . . . . . 239 

12.6 Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . 241 

12.7 Exponential Problems (and answers) . . . . . . . . . . . . . . . 241 

12.8 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 

12.9 RSA and Public Keys . . . . . . . . . . . . . . . . . . . . . . . . 245 

12.10 How to break RSA . . . . . . . . . . . . . . . . . . . . . . . . . . 245 

12.11 Authenticity – Proof of Authorship . . . . . . . . . . . . . . . . 248

6 CONTENTS 

12.12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 

12.13 Topics and Techniques . . . . . . . . . . . . . . . . . . . . . . . 250 

12.14 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 

Bibliography 253 

Index 257

List of Figures 

1.1 Saint Cyr Slide . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 

1.2 Decrypting a Caesar cipher by running down the alphabet . . . . 15 

1.3 Letter Frequency, in percent. From Sinkov. . . . . . . . . . . . . 16 

1.4 English Letter Frequency Chart . . . . . . . . . . . . . . . . . . . 16 

1.5 Letter Frequency Charts for Several Languages . . . . . . . . . . 18 

2.1 Alice, Bob and Eve: the three names of Cryptography . . . . . . 30 

3.1 The Standard Translation of Letters into Numbers . . . . . . . . 31 

3.2 Enciphering/Deciphering pairs modulo 26. . . . . . . . . . . . . . 43 

5.1 Letter Frequencies – Anywhere. . . . . . . . . . . . . . . . . . . . 77 

5.2 Letter Frequencies – Initial Letters. . . . . . . . . . . . . . . . . . 77 

5.3 Letter Frequencies – Final Letters. . . . . . . . . . . . . . . . . . 78 

5.4 Characteristics of etaoinshr. . . . . . . . . . . . . . . . . . . . . 78 

5.5 Most Common Short Words . . . . . . . . . . . . . . . . . . . . . 78 

5.6 The 100 Most Common Words in English . . . . . . . . . . . . . 79 

6.1 Some Basic Letter Behaviors . . . . . . . . . . . . . . . . . . . . 91 

6.2 Digraph Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 

6.3 Digraph Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 

6.4 Letter Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 

7.1 Trithemius’ tabula recta . . . . . . . . . . . . . . . . . . . . . . . 112 

7.2 Beaufort’s Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . 116 

7.3 A Kasiski Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 

8.1 Frequency Counts: Same quote, different keylengths. . . . . . . . 138 

8.2 Larrabee’s Cipher Code . . . . . . . . . . . . . . . . . . . . . . . 163 

9.1 A Simple Digraphic Substitution Chart . . . . . . . . . . . . . . 169 

9.2 A More Complicated Digraphic Substitution Chart . . . . . . . . 170 

9.3 18 Most Frequent Bigrams, in percent . . . . . . . . . . . . . . . 171 

9.4 Repetitions in the unknown cipher. . . . . . . . . . . . . . . . . . 175 

7

8 LIST OF FIGURES 

10.1 A 3 × 3 turning grille. . . . . . . . . . . . . . . . . . . . . . . . . 191 

10.2 Appearances before and after the given letter, in %. . . . . . . . 197 

10.3 Bigram Frequencies (in %%), from the Brown Corpus. . . . . . . 198 

10.4 Codewords for keyword McClellan. . . . . . . . . . . . . . . . . . 212 

10.5 Five similar dispatches from 1876. . . . . . . . . . . . . . . . . . 216 

11.1 Binary Equivalents for the Alphabet . . . . . . . . . . . . . . . . 223

Chapter 1 

Caesar Ciphers 

There are also letters of his to Cicero, as well as to 

his intimates on private affairs, and in the latter, 

if he had anything confidential to say, he wrote 

it in cipher, that is, by so changing the order of 

the letters of the alphabet, that not a word could 

be made out. If anyone wishes to decipher these, 

and get at their meaning, he must substitute the 

fourth letter of the alphabet, namely D, for A, 

and so with the others. 

Suetonius 

De Vita Caesarum 

(The Lives of the Caesars) 

The first true use of secret writing in recorded history is due to Julius Caesar, 

at least as explained by the Roman historian Suetonius. There had been 

earlier uses of what David Kahn, in his masterwork The Codebreakers: The History 

of Secret Writing, calls “proto-cryptography,” such as complex Egyptian 

hieroglyphics and certain stories in the biblical book of Jeremiah (see verses 

25:26 and 51:41). 1 But it is the Roman general Julius Caesar who apparently 

actually invented cryptography, the art and science of designing methods to 

send secret messages. 

Caesar’s method for making his messages secret is straightforward: replace 

every letter in a message with the one three letters down the alphabet. So, as 

Suetonius explains, a is replaced by D, b is replaced by E, etc. Of course, Caesar 

would have probably sent his message in Latin, but the point is clear. 

This rather simple idea, replace the letters in your message by other letters 

according to some rule, constitutes a cipher. One enciphers a message to make 

it (hopefully!) secret, and deciphers a secret message to make it readable. 

1 It is all but impossible to write a book involving the history of cryptography without 

making extensive use of The Codebreakers [Kahn]. In fact, most uncredited references in this 

book come from [Kahn]. 

9

10 CHAPTER 1. CAESAR CIPHERS 

Examples: Encipher or Decipher the following names. 

(1) Encipher Julius. 

For each letter in the name, we count three letters down the alphabet and 

replace the original letter by this new letter. 

j – k – l – M. J is replaced by M. 

u – v – w – X. u is replaced by X. 

l – m – n – O. l is replaced by O. 

Finish the rest of this example, and then check your answer by looking at 

footnote 2 part (1). 

(2) Encipher Caesar. 

(3) Decipher EUXWXV. 

Since enciphering is counting forwards, deciphering must be counting backwards. 

E – d – c – b. 

U – t – s – r. 

X – w – v – u. 

Finish this example, and again check your answer against the footnote. 2 

(4) Decipher FLFHUR. 3 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

When one must encipher messages of more than a couple of words, it becomes 

quite bothersome to count three forwards and three backwards over and 

over. To somewhat automate the process we write out the usual alphabet, the 

plaintext alphabet, and underneath it the alphabet we use for enciphering, 

the ciphertext alphabet: 

plaintext alphabet 

ciphertext alphabet 

a b c d e f g h i j k l m n o p q r s t u v w x y z 

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C 

Then to encipher replace the plaintext letter by the ciphertext letter (underneath 

it), and to decipher replace the ciphertext letter by the plaintext letter (above 

it). Thinking “read down” or “read up” will lead to trouble later. Think instead 

about moving from plaintext letters to ciphertext letters, or from ciphertext 

letters back to plaintext letters. 4 

2 Some of the examples in this book will be completely worked out. But some will be only 

partially finished, and others not even begun. These latter types are for you to work out. Do 

so with paper and pencil, and then check your answers against the answer in the footnote, 

and you will find the exercises to be much easier. 

3 (1) MXOLXV, (2) FDHVDU, (3) Brutus, (4) Cicero 

4 The fonts used in the alphabets just above are not accidental: we will always use lower 

case letters like these ones to represent plaintext letters, and upper case letter LIKE THESE 

ONES for ciphertext letters.

11 

Examples: Encipher or decipher the following names. 

(1) Encipher Gaius. 

To encipher we move from plaintext alphabet to ciphertext alphabet, that 

is, replace each of the plaintext letters gaius by the corresponding ciphertext 

letters (underneath them): 

So JDLXV is the answer. 

(2) Encipher Cleopatra. 

(3) Decipher SRPSHB. 

g a i u s 

J D L X V 

To decipher we move from the ciphertext alphabet back to the plaintext 

alphabet. 

So pompey is the answer. 

(4) Decipher FUDVVXV. 5 

S R P S H B 

p o m p e y 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

In Caesar’s time his cipher was likely a good one. After all, it was the first 

one ever invented! 6 But once it is known that shifting three forwards and three 

back is the key, the secrecy is lost. To try to regain it we might instead agree 

ahead of time on a secret number that tells the amount we will shift each letter. 

Examples: Encipher or decipher using the given shift amount. 

(1) Encipher Augustus using a shift amount of 1. The counting here is simple 

– replace each letter by the next one, so a by b, u by V, etc. 7 

(2) Encipher Quintillis using a shift amount of 10. 

Quintillis, meaning “five” in Latin, was the name of the 5th month used 

Julius Caesar named it after himself. 

5 (2) FOHRSDWUD, (3) Pompey, (4) Crassus 

6 There is no reason, however, to believe that Caesar used these ciphers for long, or for 

important messages. Cicero, with whom Caesar would have used the system, changed political 

sides, making the system no longer secret. [ATTRIBUTION] 

7 Seutonius: “When Augustus wrote in cipher he simply substituted the next letter of the 

alphabet for the one required, except that he wrote AA for x” (the last letter of the Roman 

alphabet). [Kahn, pg 84]


(3) Decipher ZLEAPSSH. It was enciphered with a shift of 7. 

This is the same way we deciphered before, we just count more: 

Z - y - x - w - v - u - t - s 

L - k - j - i - h - g - f - e 

So the word starts se. (It is the name of the sixth month of the year 

before it was named for Caesar Augustus.) 

(4) Decipher FTKRMZLJ. It was enciphered using a shift amount of 17. 

(It may be easiest to write down the plaintext alphabet with ciphertext 

alphabet underneath.) 8 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Ciphers such as these are called Caesar Ciphers or Shift Ciphers, and 

the shift amount is called the key. While these ciphers are quite simple, they 

are the foundation upon which most ciphers are built. 

1.1 Saint Cyr Slide 

So far we have two methods for implementing a shift cipher: either count 

through the alphabet letter after letter, or write down the plaintext alphabet 

with a new ciphertext alphabet for each shift amount. While not exactly 

difficult, the first method is prone to silly errors and the second is very tedious. 

We remedy this by building a Saint Cyr Slide 9 , a simple device that will allow 

us to use any Caesar cipher we wish. 

Figure 1.1: Saint Cyr Slide 

To make one, first, on a thin strip of paper, or on something stronger like 

tag board, put the 51 upper case letters 

ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXY 

in capital letters, repeated twice (the Z in the second alphabet is unnecessary). 

We need to have the letters a constant distance apart, so it is best to use lined 

8 (1) BVHVTUVT, (2) AESXDSVVSC, (3) Sextilla, (4) Octavius 

9 Slides similar to this have been used for centuries, but their modern name dates from 1883 

when Auguste Kerchoff named them for the famed French Military Academy [Kahn, pg 289].

1.1. SAINT CYR SLIDE 13 

paper turned sideways and put one letter per space. Leave a couple inches 

of empty paper on each end of the letters. Under the first 25 letters put the 

corresponding shift number: 1 below B, 2 below C, ... 25 below Z. Write on the 

left edge that this is the “Ciphertext Alphabet”. 

On a larger rectangular piece of paper write in lower case the letters of the 

alphabet 

abcdefghijklmnopqrstuvwxyz 

Also write the numbers 1 through 26 above the corresponding letters. Make sure 

to spread these letters at the same constant width that the ciphertext letters 

were spread. This paper should be entitled “Plaintext Alphabet”. Then below 

and just to the left of the a, and below and just to the right of the z, make 

incisions in the paper of the same height as the cipherstrip. (It also wouldn’t 

hurt to add an arrow entitled “key” on the plaintext page pointing to the spot 

under the plaintext a to remind us where the key will appear.) 

The cipherstrip can then be inserted into the plaintext piece and slid back 

and forth, making it easy to form the Caesar alphabet of choice. Simply choose 

a key number, slide the ciphertext strip so that this letter is under the plaintext 

a, and then read from plaintext to ciphertext and back. This allows us to 

relatively quickly and easily encipher and decipher using any key. 

Because of the way the Saint Cyr Slide is constructed, we may also use letters 

to indicate keys. The key as a number we understand: a key of 5 says move each 

letter five letters down the alphabet. It is actually more common to use a key 

letter. The key letter is the letter the plaintext a is enciphered into. So a key 

of R says that a will become R in the ciphertext (and b becomes S, c becomes 

T, etc.). In either case, we line up the key under the plaintext a and use the 

plaintext alphabet – ciphertext alphabet pair the Saint Cyr Slide displays. 

Examples: 

(1) Encipher Roman Holiday using key S. What shift amount is this 

To encipher, first line up the cipherstrip’s first S under the a of the plain 

alphabet. Under S you should have written 18, so the shift amount is 

18. Now encipher the title by finding the letters of roman holiday in the 

plaintext alphabet and replace them one by one with the letters of the 

ciphertext alphabet (underneath). You should see J under r, G under o 

and E under m. If so, keep going. If not, make sure you positioned your 

slide correctly and double check to see if you left out any letters of the 

alphabet on your slide! 

(2) Encipher Marc Antony, key 6. 

(3) Decipher PEXANEQO, key W. 

Line up the key letter W under the plaintext letter a. Remembering to 

read from ciphertext back to plaintext (“up”), you should see t above P 

and i above E.


(4) Decipher RXRTGD, key 15. 

(5) Decipher SQJE, key Q. 10 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Examples: Here are a few instances of a Caesar cipher turning one word 

into another. 

(1) Encipher wheel with key H. 

(2) Encipher jolly with key T. 

(3) Decipher SLEEP with a key R. 

(4) Decipher KNOW with key 10. 11 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

1.2 Running Down the Alphabet 

Now let us look at ciphers from a new direction. Suppose our enemy has sent 

the message PX PBEE FXXM TM FBWGBZAM and somehow we capture it. How 

can we determine what it says when we don’t have the key 

A simple way is to “decipher” the message 26 times, using each possible key 

once. Hopefully the deciphered message will make sense using one and exactly 

one of those keys. If so, we will have decrypted the message by determining 

the message and key without being told. 

This is called the method of exhaustion, because we exhaust all possibilities. 

For Caesar ciphers this can be done quickly by running down the 

alphabet: under each ciphertext letter write the next 25 letters of the alphabet, 

following Z with A if need be. In at most twenty-five steps something legible will 

appear, and we will have determined the message. 

In Figure 1.2 we do this for the “captured” ciphertext. Reading across 

the rows, We will meet at midnight must be the plaintext. Since it took us 

seven steps forward to find the plaintext, and we usually move backwards in the 

alphabet to decipher, the key number must be -7 or 19. 12 

Why does running down the alphabet work Because letters that are adjacent 

in the plaintext remain adjacent in the ciphertext. In our last example, 

the consecutive letters ghi appearing in midnight became ZAB or ABC or BCD, 

10 (1) JGESF ZGDAVSQ, (2) SGXI GTZUTE, (3) tiberius, (4) cicero, (5) cato 

11 (1) DOLLS, (2) CHEER, (3) bunny, (4) aden 

12 Yes, −7 = 19 when we are dealing with the 26 letters of the alphabet! We will explore 

this in Chapter 3.

1.3. FREQUENCY ANALYSIS 15 

PX PBEE FXXM TM FBWGBZAM 

QY QCFF GYYN UN GCXHCABN 

RZ RDGG HZZO VO HDYIDBCO 

SA SEHH IAAP WP IEZJECDP 

TB TFII JBBQ XQ JFAKFDEQ 

UC UGJJ KCCR YR KGBLGEFR 

VD VHKK LDDS ZS LHCMHFGS 

WE WILL MEET AT MIDNIGHT 

XF XJMM NFFU BU NJEOJHIU 

YG YKNN OGGV CV OKFPKIJV 

Figure 1.2: Decrypting a Caesar cipher by running down the alphabet 

etc. There is no mixing of the alphabet – every letter moves the exact same 

distance. This is why Caesar ciphers are not very secure ones. 

Examples: Decrypt the following ciphertexts by running down the alphabet. 

(1) NQYFP YIWFI WE. 

(2) MBZXK. 13 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Since before long we will have ways of enciphering that have hundreds of keys, 

rather than only twenty-six, the method of exhaustion will be too exhausting to 

do by hand. To develop a better method for decrypting ciphers we must think 

more carefully about the ciphertext message we are trying to read. 

1.3 Frequency Analysis 

Let’s reconsider the situation in which we have captured a message written in 

cipher. What might we be able to figure out about this message without reading 

it Well, first, we probably know that it is in English (as all of our messages will 

be) and we know a lot about English. For instance, that e, t, and a are all very 

common, and that x, z and q are among the least common letters in English. 

Abraham Sinkov, an important codebreaker during World War II, made a count 

of the letters appearing in 16410 words, and Figure 1.3 contains the results. 

What do we see in this chart First, the two most common letters are e 

and t. Nearly 13% of all letters in an English text are e’s, and over 9% are t’s. 

Almost always, e or t will be the most common letter in a text. 

13 (1) twelve o’clock. This took six steps, so the key is −6 = 20. (2) Sorry, but it’s a trick. 

Either a shift of 3 to produce pecan, or a shift of 7 to give tiger.


8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2 0.8 4.0 2.4 

a b c d e f g h i j k l m 

6.7 7.5 1.9 0.1 6.0 6.3 9.1 2.8 1.0 2.3 0.1 2.0 0.1 

n o p q r s t u v w x y z 

Figure 1.3: Letter Frequency, in percent. From Sinkov. 

The next most common letters are a, o, i, n, s, h, and r, each occurring 

between 6% and 9% of the time. With e and t, they make up 70% of all letters 

in English. So if you know which ciphertext letters stand for the letters e, t, a, 

o, i, n, s, h and r then you have probably already figured out 7 out of every 10 

letters in a text. To remember these high frequency letters, use a mnemonic, 

like a sin to er(r), trainhose or satinhero. 

Of the remaining letters, d and l appear about 4% of the time each, while 

the letters cumwfgypb occur between 1.5% and 3% each, for a total of 20%. 

Finally vkjxqz each seldom occur, less than 1% of the time, and less than 2.2% 

in total. 

A useful way of representing Sinkov’s frequency information is with a frequency 

chart. Above each letter put one dash for each percentage the letter has 

in the frequency count. So above e will be 13 bars, and above v there will be 

only one. We have done this to produce Figure 1.4. 

\ 

\ \ \ \ \ \ \ \ \ 


Figure 1.4: English Letter Frequency Chart 

Several patterns appear in this so-called normal profile. As David Kahn 

so dramatically put it 

“The single most durable and detectable feature of the normal profile is 

the long, low peneplane of uvwxyz, which extends almost a quarter of the 

profile and is extremely depressed. This basin is sharply walled off by the 

rst cordillera at one end and the single peak of a at the other. The other 

features of the profile are more easily eroded by decreases in size of sample. 

The pinnacle of e normally soars midway between a and the double tower 

of hi, which is followed by the severe drop to jk. High-frequency n and 

o also rise to twin peaks. In short samples, however, the troughs of the 

profile are often more reliable indicators than the crests”. [Kahn, page 

210]


A bit more concretely, a, e and i form a set of high frequency letters 4 steps 

or letters apart. Next, hi and no are high pairs and rst a high triplet. Finally, 

uvwxyz is a set of six very low values that directly follows the rst triplet and 

occurs directly before a. 

To see how these patterns are used let’s look at an example. 

Example: Use frequency analysis to decrypt YPYH NBCM MBILN GYMMUAY XIYM 

HIN LYGUCH MYWLYN ZIL FIHA. 

We first construct a frequency chart by counting the number of times each 

letter appears: 

ciphertext 

\ \ \ 

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

The most common letters are M and Y, so one of these is probably e. (Of 

course, e might instead be N, H or L, but these are less likely.) If M were e, 

we’d expect to find the aei-triple of high counts separated at intervals of four 

at IMQ. There are several I’s, but no Q’s. Worse, H would be z, and four z’s is 

unlikely. On the other hand, if Y were e, the aei-triple would be at UYC. This 

message is very short, so a “high”-triple is not all that high, and so UYC might 

be reasonable fit for aei. 

Where might rst fit The highest consecutive triple is at LMN. This fits 

pretty well, since the low septet uvwxyz would fit at OPQRST. Finally, just before 

LMN is a high pair HI, so we might guess that HI is no. 

Putting this plaintext guess above the frequency chart will help us see if 

everything fits: 

plaintext 

ciphertext 

g h i j k l m n o p q r s t u v w x y z a b c d e f 

\ \ \ 


The fit is good – the peaks at e, no, and rst, and the long valley at uvwxyz give 

us confidence we’ve done this correctly. Finally, the keyletter is the ciphertext 

letter that a becomes, so the key is U. Now we simply decipher to find that the 

message is Even this short message does not remain secret for long. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

A message’s frequency chart will seldom have all of the patterns, but it 

should have good evidence of several. When trying to fit the patterns generally 

we start with the tallest peaks of e and t, and the long low valley of uvwxyz. 

Then we look for the aei and rst triples. Finally, we see if the no pair is present. 

If there are several “probably”’s when trying to fit these patterns, then the key 

likely is the ciphertext letter posing as a. Try this possible key by deciphering 

ten or so letters from the ciphertext. If a message seems to be appearing, we’ve


found the key. If no message appears, try again, repeating until you are able to 

decipher the message. 

This process of making a frequency count and then trying to fit the hills 

and valleys to the proper letters is called doing a frequency analysis. It is certainly 

the most powerful tool in all of cryptanalysis, the science of decrypting 

other people’s ciphers. 

In fact, we don’t even really need to be able to read the language of the cipher 

to use frequency analysis. Consider the frequency charts for French, German, 

Italian and Spanish found in Figure 1.5 [Nichols, page 70]. Each of these 

\ 

\ 

\ \ \ \ \ \ \ \ \ \ 

French a b c d e f g h i j k l m n o p q r s t u v w x y z 

\ 

\ \ 

\ \ \ \ \ \ \ \ \ 

German a b c d e f g h i j k l m n o p q r s t u v w x y z 

\ \ \ 

\ \ \ \ \ \ \ \ \ \ 

Italian a b c d e f g h i j k l m n o p q r s t u v w x y z 

\ \ 

\ \ \ \ \ \ \ \ \ 

Spanish a b c d e f g h i j k l m n o p q r s t u v w x y z 

Figure 1.5: Letter Frequency Charts for Several Languages 

languages has its own characteristics, the extreme peak of e in German, or the 

predominance of vowels in Italian, for example. But in each case the specifics 

of the frequency chart allows a cryptanalyst to attack and break Caesar ciphers 

in that language. The use of frequency analysis, really nothing more than 

counting letters, makes Caesar ciphers very easy to decrypt, no matter the 

original language of the sender or the breaker. 

Having developed a method for decrypting Caesar ciphers, we are said to 

have broken that cipher system. Notice the difference between breaking and 

decrypting – breaking a cipher system means producing a method that allows 

you to decrypt most messages sent in that system. Conversely, one may be 

able to decrypt a particular message without knowing how to decrypt messages 

enciphered using that system in general.


Examples: Use Frequency Analysis to decrypt the following Caesar ciphers. 

(1) ZU SGQK G VXUVKX YKTZKTIK KBKXE RKZZKX SAYZ VRGE OZY VXUVKX XURK 

We begin by making a frequency count: 

ciphertext 

\ 

\ \ \ \ 


The giant peak at K surrounded by a vast wasteland jumps out at us. 

If we guess that the six letters LMNOPQ are uvwxyz, then the peak of K 

is t, which would be fine, and RVXYZ=aeghi. Putting our guess at the 

plaintext alphabet next to the ciphertext alphabet we may compare. 

plaintext 

ciphertext 

\ 

\ \ \ \ 

j k l m n o p q r s t u v w x y z a b c d e f g h i 


The peaks and valleys seem reasonable. To test, we decipher the message. 

Since our prediction is that a became R, we use the key of R. Unfortunately, 

the message then begins id bpzt p edgetg. This is not right. We must 

try again. 

Perhaps the low sextet belongs at the beginning of the ciphertext alphabet. 

If we guess that K = e, then a must be G, and before G is a sextet of 

nothingness. This is likely uvwxyz. Let’s again add the plaintext alphabet 

to compare: 

plaintext 

ciphertext 

\ 

\ \ \ \ 

u v w x y z a b c d e f g h i j k l m n o p q r s t 


The lmnop and rst sets are both relatively high since in such a short 

cipher appearing even three or four times counts as “many”. We ought to 

be quite confident of our plaintext placement. As always, the key is the 

letter a becomes, which is G. To finish, we decipher the first couple letters 

using a key G. This gives to make a proper, which seems correct. We’ve 

found the key! (Now finish up the decryption by deciphering the rest of 

the message using the key G.)


(2) MVIP WVN JVTIVK DVJJRXVJ TRE JLIMZMV NYVE RKKRTBVU SP WIVHLVETP 

RERCPJZJ 

Here the frequency count is given to you: 

\ 

\ \ \ 

ciphertext A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

Look for high aei and rst sets bracketing the low uvxwyz. 

(3) Decrypt the following message. Don’t be bothered by the five letter 

groups, the analysis remains the same. 

HMALY HDOPS LPAIL JVTLZ CLYFL HZFAV YLJVN UPGLD OHAAO LZOPM APZMY 

VTAOLMYLXB LUJFA HISL. 

(4) Here is a trickier one. 

HDBIH DYHDB SMUHI YEHLI HZEDD SXQHO HDBKH VODDO BCHSX HDROH WOCCK 

QO 14 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

It has become tradition to transmit the ciphertext with word spacing eliminated 

and the letters recombined in 5-letter segments. Doing this hides word 

beginnings and endings, which makes a cipher more difficult to decrypt. Further, 

it takes only a glance for a person to determine that a “word” consists 

of exactly five letters. In the days when messages were sent via telegraph, this 

helped prevent the person doing the actual transmission from accidentally forgetting 

letters from ciphertexts. (Why 5 rather than 4 or 6 The 1875 tariff 

regulations of the International Telegraph Union limited the length of a word to 

10 letters [Kahn, pg 842]. Dividing a 10 letter word in half leaves two 5 letters 

words. Perhaps had these regulations limited word length to 8 or 12 then it 

would now be common to send ciphers in 4 or 6 letter segments.) 

1.4 Linquist’s Method 

Once a person has become comfortable with using frequency analysis to decrypt 

Caesar ciphers he/she needs only about 50 letters of the ciphertext to accurately 

determine the key. What if we have significantly less than this, say only 15 or 

25 letters 15 Then we use Linquists’s method. [Gaines, page 133] 

Consider ZWUM PIA AMDMV PQTTA, a text of 18 letters. We start, as always, 

with the frequency count, and use it to determine the most common letters in 

14 (1) to make a proper sentence every letter must play its proper role, key = G. 

(2) very few secret messages can survive when attacked by frequency analysis, key = R. 

(3) after a while it becomes very easy to recognize what the shift is from the frequency 

table, key = H. 

(4) xtry xto xtrick xyou xby xputting xextra xletters xin xthe xmessage, key = K. 

15 This will often be the case later when we study the very important Vigenère cipher.

1.4. LINQUIST’S METHOD 21 

the ciphertext. In this example, the only letters occurring more than once are 

A, P and T, twice each, and M, which appears three times. Even for such a short 

message (when the frequencies can be quite messed up) it many of these letters 

must come from etaoinshr. Linquist’s idea is to see if there is one shift amount 

that would produce all or most of the most common ciphertext letters from the 

common plaintext letters. 

To do this, make a chart with the common plaintext letters across the top 

and common ciphertext letters down the side. For each of the etaoinshr letters 

determine what key produces the ciphertext letter from this plaintext letter. For 

instance, e must be shifted by 22 letters to become A, so we enter 22 in the e-th 

column and A-th row. To find the shift amount using the Saint Cyr slide, line up 

A under e and then see what the key is. Similarly, lining up M under e produces 

an 8, so 8 is the second entry in the first column. 

e t a o n i r s h 

A 22 7 0 12 13 18 9 8 19 

M 8 19 12 24 25 4 21 20 5 

P 11 22 15 1 2 7 24 23 8 

T 15 0 19 5 6 11 2 1 12 

We are looking for one shift amount that would cause four of etaoinshr to 

become AMPT. So we are searching for numbers that appear in every row, or, 

failing that, occur in at least in three of the four rows. No number appears in 

each row, but 8, 12 and 19 appear in appear in three of the four rows. It is most 

likely that one of these three is the proper shift amount. We simply decipher 

the message using each to see which one it is. 16 

Example: Decrypt WZRVM ZOCSD YZNGA HVMXC using Linquist’s method. 

The only letters than appear more than once are C, M, V and Z, so our chart 

is set up as 

e t a o n i r s h 

C 24 11 

M 19 4 

V 8 3 

Z 25 17 

Some of the chart has been filled in for you. Complete it, find the most common 

letter (i.e., the possible keys) and try them to determine the key. Finally, 

decipher the message. 17 

⋄ 

16 It is 8. Deciphering gives Rome has seven hills. 

17 Beware the Ides of March, key = 17.


1.5 Summary 

The Caesar Cipher, sometimes called the Shift Cipher, is history’s first example 

of a cryptosystem. In the Caesar version the keyletter indicates what ciphertext 

letter the plaintext a becomes, while in the Shift version the keynumber tells 

how many letters down the alphabet each plaintext letter is moved. The Saint 

Cyr Slide is a simple device that allows for rapid enciphering and deciphering 

of either version of this cipher. 

Decrypting a Caesar Cipher starts with a frequency count. If the ciphertext 

is sufficient, comparing the frequency count with that of standard English and 

looking for the characteristic peaks and valleys leads one to the key needed to 

decipher the cipher. When one has only a small amount of ciphertext, say under 

thirty letters, Linquist’s chart will generally give the key, albeit with a bit more 

work. Since we have methods that allow for the routine decryption of Caesar 

Ciphers we can be said to have broken the cipher. 

Caesar ciphers are very rigid; the alphabet is only shifted during enciphering 

and is not mixed. This is the reason this cipher system is easy to break. Despite 

their lack of security, they remain fundamental for almost all that we will do. 

The ideas of letter-for-letter replacement, keys, frequency count and frequency 

analysis will appear over and over again. 

1.6 Topics and Techniques 

1. Why would we use a secret writing system Give at least two examples. 

2. Why do we call it a Caesar Cipher Why do we call it a Shift Cipher 

3. What is the difference between enciphering and deciphering 

4. What is a Saint Cyr Slide How is it used to encipher How is it used to 

decipher 

5. What is a key to a Caesar Ciphers 

6. Are letter keys different than number keys How 

7. What is the meaning of the letter in a key letter 

8. What is the meaning of the number in a key number 

9. What does it mean to decrypt a message How does this differ from 

deciphering a message 

10. What does it mean to break a cipher system How does this differ from 

decrypting a message 

11. What is the Method of Exhaustion Why do we call it that

1.7. EXERCISES 23 

12. What is the most common letter in English Second most common 

13. What are the nine most common letters in English 

14. What are some of the least common letters in English 

15. What sorts of hills and valleys does the letter frequency count of a portion 

of normal English have 

16. How do we use a frequency count to break a Caesar Cipher 

17. Are Caesar ciphers secure or not Why 

18. When would we use Linquist’s method 

19. How does Linquist’s method work Why does it work 

1.7 Exercises 

1. Encipher the following emperors’ names using a Caesar Cipher with the 

given key. 

(a) Pompeii, key = D. 

(b) Vespasian, key = P. 

(c) Caligula, key = H. 

(d) Nero, key = T. 

2. Encipher the following emperor’s names using a Shift Cipher with the 

given key. 

(a) Damitian, key = 11. 

(b) Trajan, key = 5. 

(c) Hadrian, key = 19. 

3. Decipher the following names. They have been enciphered using a Caesar 

cipher with the given key. 

(a) GULWOM UOLYFCOM, key = U. 

(b) IRGAJOAY, key = G. 

(c) TYESBUJYQD, key = Q. 

(d) HFXXNZX, key = F. 

4. Decipher the following names. They have been enciphered using a Shift 

Cipher with the given key. 

(a) RDCHIPCIXCT, key = 15.


(b) MXVWLQLDQ, key = 3. 

(c) QAGNGM YDPGAYLSQ, key = 24. 

(d) GVOREVHF TENPPUHF, key = 13. 

5. Encipher the following words using a Caesar Cipher with the given key. 

(a) Appian Way, key = F. 

(b) Punic Wars, key = B. 

(c) Carthage, key = N. 

(d) Gladiator, key = W. 

6. Encipher the following words using a Shift Cipher with the given key. 

(a) Atrium, key = 1. 

(b) Colosseum, key = 25. 

(c) Po Valley, key = 18. 

(d) Equestrian Order, key = 9. 

7. Decipher the following. They have been enciphered using a Shift Cipher 

with the given key. 

(a) OMFMOAYNE, key = 12. 

(b) TJNXWNVM, key = 19. 

(c) LHAXEWJ, key = 22. 

(d) DBSLEXO, key = 10. 

(e) GDBPC ATVXDC, key =15. 

8. Decipher the following. They have been enciphered using a Caesar Cipher 


(a) VKDSEW, key = K. 

(b) VTKTGOG, key = V. 

(c) RCVTKEKCP, key = C. 

(d) OJSBHWBS, key = O. 

(e) AYPBTCPYHAL, key = H. 

9. Decipher the following. They have been enciphered using a Caesar Cipher 


(a) QSBHIFWCB, key = O. 

(b) CQN ADKRLXW ARENA, key = J. 

(c) ZKBYQD SQBUDTQH, key = Q.


(d) VTXLTKBTG LXVMBHG, key = T. 

10. A part of a message of Caesar’s to Cicero (in Latin!) was MDEHV RSNQNRQNV 

PHDH XHVXNPRQNZP. Decipher it. (Remember, Latin has no J, K, W or 

Y.) 

11. Use frequency analysis to decrypt the following messages. 

(a) VG ZNL OR EBHAQYL NFFREGRQ GUNG UHZNA VATRAHVGL PNAABG PBAP- 

BPG N PVCURE JUVPU UHZNA VATRAHVGL PNAABG ERFBYIR RQTNE NYYRA 

CBR 

(b) DHVIV BZYVA OZMNJ HZRJM MTOJN JGQZO CZHZN NVBZV IYQZM TAZRO 

CDIBN DIVAO ZMGDA ZBVQZ HZVNH PXCKG ZVNPM ZVNYD YOCZP IMVQZ 

GDIBJ AOCVO XJYZC VMMTC JPYDI D 

(c) STHTI JTWHN UMJWN XNRUW JLSFG QJYTF YYFHP ZSQJX XNYNX NSXTQ 

ZGQJG DYMJN SAJSY TWMNR XJQK 

12. Use frequency analysis to decrypt the following messages. 

(a) RKXXSLKV KXXYEXMON DYNKI DRKD RO KXN DRO OVOZRKXDC GYEVN LO 

KBBSFSXQ SXBYWO CYWODSWO XOHD GOOU 

(b) GFWSZ RFSST ZSHJI YMFYM JFSIG FNQJD BTZQI FZINY NTSYM JJQJU 

MFSYX KTWUT XXNGQ JNSHQ ZXNTS NSYMJ NWHNW HZX 

13. Decrypt the following ciphertexts using Linquist’s method. 

(a) DROOX OWIUX YGCDR OCICD OWLOS XQECO NMVKE NOCRK XXYX 

(b) WUDJB UCUDT EDEJH UQTUQ SXEJX UHICQ YB 

This is a quote of Henry L. Stimson, President Hoover’s Secretary of 

State, writing later about his shutting down the US Black Chamber, 

the government cryptoanalytic service, in 1929. 

(c) IJXMT KOJBM VHRVN ZQZMN JGQZY WTNOV MDIBV ODO 

(d) BJUUH BNUUB NJBQN UUBKH CQNBN JBQXA N. 

(e) FHWDU YTLWF RNXFR JXXFL JBWNY YJSNS HNUMJ W 

(f) KVVDR ODRSX QCSXD ROGYB VNMYX CDSDE DOKMS ZROB 

(g) “The goal of a cryptosystem is to: BPZTI WTBTH HPVTX CRDBE GTWTC 

HXQAT IDJCP JIWDG XOTSE TGHDC H 

14. (a) What happens if we use a Shift Cipher with a shift of 26 

(b) What happens if we use a number larger than 26 for the shift amount 

(c) How many different Shift Ciphers are there 

15. According to David Gaddy, “on 1 January 1863 while touring in the west, 

[Confederate] President [Jefferson] Davis sent [a person a] telegram which 

used a simple slide of one” [Gaddy]. If the telegram began TFDSF UBSZP 

GXBSKBNF TBTFE EPOSJ DINPO E, to whom was it for


16. The Confederate Army used several rather insecure cipher systems during 

the Civil War [Gaddy]. For example, 

“To Gen. Beauregard, 11 March 1862: 

Sir: Your dispatch just received. The day of the month on which it 

is written will indicate the letter of the alphabet corresponding with 

A. Yesterday 10th J-A. I repeat it that we may know if the operator 

conveyed it correctly. 

EFNTI FJJZE XIZMV IIVRI FEJRK LIURP NYVIV TREKY VK- 

IFF GJAFZ EPFLN ZKYLK DFJKV WWVTK 

On the 27th of the month “A” will correspond to “C”. 

Gen. Albert Sidney Johnston (Decataur)” 

(a) Use frequency analysis to find the key and decrypt the message. 

(b) What date was it sent on 

17. Some years after the Civil War, Joseph Willard Brown described the following 

incident [Brown, pages 210–2]. 

“One [message] from Gen. Beauregard just after the battle of Shiloh, 

(6-7 April 1862) giving the number and condition of his forces at 

Corinth, was formed by merely putting the last half of the alphabet 

first, that is, substituting M for A, N for B, O for C, etc. This 

dispatch fell into our hands and first reached Richmond in a northern 

newspaper.” 

Perhaps this quote refers to a long (5000-ish) word report of Beauregard’s 

sent on April 11th. Here is different, brief report of Beauregard’s, written 

during the battle, that has been enciphered via this method. Please 

decipher it. 

IQFTU EYADZ UZSMF FMOWQ PFTQQ ZQYKU ZEFDA ZSBAE UFUAZ UZRDA ZFARB 

UFFEN GDSMZ PMRFQ DMEQH QDQNM FFXQA RFQZT AGDEF TMZWE NQFAF TQMXY 

USTFK SMUZQ PMOAY BXQFQ HUOFA DKPDU HUZSF TQQZQ YKRDA YQHQD KBAEU 

FUAZX AEEAZ NAFTE UPQET QMHKU ZOXGP UZSAG DOAYY MZPQD UZOTU QRSQZ 

QDMXM EVATZ EFAZI TARQX XSMXX MZFXK XQMPU ZSTUE FDAAB EUZFA FTQFT 

UOWQE FARFT QRUST F 

18. Here are quotes in French. Use frequency analysis to decrypt them. 

(a) FU ALUHXYOL XY FBIGGY YMN ALUHXY YH WY KOCF MY WIHHUBUNCN 

GCMYLUVFY OH ULVLY HY MY WIHHUCN JUM GCMYLUVFY. 

(b) DXOLH XGHPH SODLQ GUHGH FHTXH ODURV HDGHV HSLQH VMHPH IHOLF 

LWHGH FHTXH OHSLQ HHVWV XUPRQ WHHGH URVHV HWGHF HTXLH OHEXL 

VVRQS RUWHG HIOHX UV. 

(c) VY AL N CNF ZBVAF QVAIRAGVBAF N OVRA NCCYVDHRE HAR CRAFRR DHR 

YBA GEBHIR QNAF HA YVIER DHN UNGRGER YR CERZVRE NHGRHE QR PRGGR 

CRAFRR.


(d) IKSUT JKIOT KYZWA ATKUK ABXKI USOWA KUAIN GIATL GOZYK YXNGZ 

URKYJ OLLKX KTZYR GYAXR GYIKT KKTNG HOZJX GSGZO WAKHX ORRKT 

ZVXKR GZYSO TOYZX KYIUT WAKXG TZYVU AXTUA YBORV KAVRK GYYOY 

GADJK XTOKX YXGTM YZXUA VKLAZ ORKKZ JKYMX GTJYX KHAZK KVGXT 

UAYJK THGYR GVOKI KKYZK IUAZK K. 

19. Here are several quotes in German. Use frequency analysis to decrypt 

them. 

(a) LQM XWTQBQS QAB SMQVM EQAAMVAKPINB EQM DQMTM LMZ PMZZMV XZW- 

NMAAWZMV AQKP MQVJQTLMV AWVLMZV MQVM SCVAB. 

(b) XL BLM UXLLXK WTL ZXKBGZLMX WBGZ OHG WXK PXEMD TEL XBGX ATEUX 

LMNGWX YNK ZXKBGZ ATEMXG. 

(c) YCQBJ UHLUH IJUXJ CQDRU IIUHT YUKDW BKSAI VQBBU PKLUH XKJUD 

YDTUH ZKDWU DTIYU PKUHJ HQWUD. 

20. Here are several quotes in Italian. Use frequency analysis to decrypt them. 

(a) LQR JLLNLJCX MJUU JVKRIRXWN BR LXWMDLN RW UDXPX MXEN WXW YDX 

YRD JUCX BJURA N YXR LXW VJBBRVX MJWWX MR LJMNAN WNLNBBRCJCX. 

(b) XTDPCL WL GZWRLCP P NTPNL RPYEP NSP AZY BFT DFP DAPCLYKP TY 

NZDP ELWT NSP W EPXAZ WP YP AZCEL DT CPAPYEP. 

(c) ES TWSLJAUW KA TWDDS W JAVWFLW EA KA EGKLJG UZW LJS IMWDDW 

NWVMLW KA NMGD DSKUASJ UZW FGF KWYMAJ DS EWFLW. 

21. What is the question that goes along with this quote Think frequency 

analysis. 

Upon this basis I am going to show you how a bunch of bright young 

folks did find a champion; a man with boys and girls of his own; a 

man of so dominating and happy individuality that Youth is drawn 

to him as is a fly to a sugar bowl. It is a story about a small town. It 

is not a gossipy yarn; nor is it a dry, monotonous account, full of such 

customary “fill-ins” as “romantic moonlight casting murky shadows 

down a long, winding country road.” Nor will it say anything about 

twinklings lulling distant folds; robins carolling at twilight, nor any 

“warm glow of lamplight” from a distant cabin window. No. It is 

an account of up-and-doing activity; a vivid portrayal of Youth as it 

is today; and a practical discarding of that worn-out notion that “a 

child don’t know anything.” 

22. Use frequency analysis to decrypt the following Caesar ciphers. They are 

a bit trickier. 

(a) W LWNWCNWLD SEPD JK AO EO ZEBBEYQHP PK YKJOPNQYP WJZ YKJBQOEJC 

PK YNULPWJWHUV 

(b) BLABX LOMZF DKFTL FDUOW ARDLB XMOUZ SMHLD KBABG XMDXL FFLDI 

UFTAZ LFTMF UEZAF ZLMDX KMEBA BGXMD NGFMO MDLRG XRDLC GLZOK 

MZMXK EUEOM ZEFUX XPLOA PLFTL YLEEM SL


(c) TWIPG TDUTG PCHBX TTXCV AITTI GHLXT WDJTA ITTXC VDTWI GHZCD 

LLWPT TWDHI AITTI GHPGI BPCNT XBIHX CKDAK IHTGX RZH 

(d) GDQDIB JM IJO GDQDIB OCVO DN RCVO D VNF DA ODN V NOVHK JA 

CJIJPM OJ NPWHDO OJ NGDIBN VIY VMMJRN RVAOY PN WT DGG RDIYN 

JM WMVIYDNC VMHN VB VDINO V AGJJY JA VAAGDXODJIN RCDXC WT JPM 

JKKJNDODJI DN NPWYPY YTDIB YMJRNDIB RVFDIB IJO 

7 7 6 23 0 2 7 3 15 19 3 0 9 18 14 6 2 7 0 3 0 15 5 2 9 0 


Here are two ciphertexts to be decrypted. They are not Caesar Ciphers, 

but they are Caesar-like. 

(a) ZM ZNYZHHZWLI SZH ML MVVW LU HKRVH SRH XSZIZXGVI RH ZODZBH 

HZXIVW 

(b) The following was written by George Washington in 1799, describing 

to his spy Samuel Woodhull the invisible ink he was sending him. 

Use careful frequency analysis to determine how to decrypt this cipher. 

(You do not necessarily need to decipher the entire thing, but 

decipher the first several words and explain how you determined how 

to decipher it.) 

ETTLX AIXWL AWRUW RQIXE KA(WR BAABE TTLXE LLXAN AWMER GPNQM 

PACLQ ZYALL WRYMQ QR)WM MARLW RPXWE TRQ1D GCQTI ADDLX ATWOK 

WBWRR Q2WML XACQK RLANP ENLIX WCXNA RBANM LXAQL XANJW MWDTA 

GDIAL LWRYL XAPEP ANIWL XEZWR ADNKM XEZLA NLXAZ WNMLX EMDAA 

RKMAB ERBWM BNG 

28 7 4 7 12 0 4 0 6 1 5 22 13 12 1 6 10 17 0 8 1 0 21 17 3 4 

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Chapter 2 

Cryptologic Terms 

Cryptography is the art or science of designing methods to send secret messages. 

(In Greek crypt or kryptos means “secret” or “hidden” and graphy 

means “writing”). Cryptologia, meaning “secrecy in speech”, and Cryptographia 

meaning “secrecy in writing” were used first by John Wilkens in 

his 1641 book “Mercury, of the Secret and the Swift Messenger,” the first English 

book about cryptography. Wilkins went on to be the first secretary of 

the Royal Society, which he co-founded with John Wallis. The words took their 

modern forms, cryptology and cryptography, in 1645 and 1658, respectively. 

Cipher or cypher comes from the same Arabic word that also provides the 

root for zero, and has been used to mean a secret manner of writing in English 

since the 1500’s. Once we have a cipher algorithm, telling us which cipher 

is going to be used and how to use that cipher, and a key, we have a cipher 

system or cryptosystem. For example, in the Caesar cryptosystem, the 

algorithm is “shift the alphabet by a given amount” and the key is the amount. 

The sender composes the plaintext, the original message which understandable 

to all, uses the key to encipher it into the ciphertext, the “secret” version of 

the message that is, hopefully, understandable only to those who have the key 

and are able to decipher the message back into plaintext. 

The word cryptanalysis was coined by William Friedman in 1923 and is the 

name for the art or science of reading another person’s message without the key. 

One decrypts a message and breaks a cipher system. While cryptography 

held its meaning, cryptology no longer refers to speech but is the name for the 

subject that combines cryptography and cryptanalysis. 1 

It has become traditional to attach the names Alice, Bob and sometimes Eve 

1 It will be clear that each of our secret messages is indeed a secret message. That is, we will 

not worry about keeping the existence of the secret message secret, but rather about keeping 

the meaning of the message secret. Stenanography (Greek steganos, meaning covered, apparently 

first used by Trithemius in 1499) is the study of methods to keep the very existence 

of the secret message secret, and is clearly a very interesting subject to spies. 

29

30 CHAPTER 2. CRYPTOLOGIC TERMS 

to cryptography. As is seen in Figure 2.2, Alice takes plaintext and enciphers 

it to produce ciphertext that she then transmits. Bob, the intended receipient, 

presumably has the knowledge needed to decipher the ciphertext to obtain his 

copy of the plaintext. Eve, the eavesdropper, is without this knowledge, and so 

will try to break the encryption. 2 

Figure 2.1: Alice, Bob and Eve: the three names of Cryptography 

A cipher system is somewhat analogous to a high-school locker. That system 

consists of (1) a lock of some sort (a padlock or a keyed lock) with instructions on 

how to use such a device (turn the knob, turn the key), (2) the exact information 

of how to lock and unlock (the combination, the correct key), and the actual 

locker spacing holding books or gym shorts. In a cipher system (1) is the 

“algorithm”, (2) is the “key” and (3) is the message. 

Traditional cryptosystems are like the keyed lock system in that the enciphering 

and deciphering methods are very similar, once you have the key. 

(Hence the name “key”.) One must have the key to either encipher or decipher. 

Further, if you can either encipher or decipher, then you, in fact, must have the 

key and can do both. 

This differs from the padlock system, in which one only needs the key (for 

example, 24 left - 12 right - 19 left) to open the lock, but anyone can close 

it. Later we will study several modern cryptosystems that work in this way. 

Although it perhaps seems intuitively obvious that if someone can encipher a 

message they should also be able to decipher it, that is, in fact, not always the 

case. But this must wait for a later chapter. 

Experts differentiate between ciphers, when the message is made secret 

letter-by-letter a→D, b →E, c→F, etc, and codes, where the message is made 

secret word-by-word, bad→1211, ball→3214, bat→4790, etc. (or, occasionally, 

phrase-by-phrase). So one should speak and write of enciphering and 

deciphering when using a cipher, and encoding and decoding when using 

a code. However, code is much more pervasive in English than cipher, and 

people tend to use encoding or decode, when they really means enciphering 

and decipher. For this reason, books and movies that involve “Breaking the 

Code” probably are actually about breaking a cipher. 

2 Sometimes one speaks of Oscar, the opponent, rather than Eve.

Chapter 3 

The Introduction 

of Numbers 

“We shall see that cryptography is more than a 

subject permitting mathematical formulation, for 

indeed it would not be an exaggeration to state 

that abstract cryptography is identical with abstract 

mathematics.” 

A. Adrian Albert, 1941 

Professor of Mathematics 

University of Chicago 

The Caesar Ciphers we studied in Chapter 1 were very easy to use, and 

seemed to offer some secrecy. But we quickly found several ways to decrypt 

any message enciphered in this manner. What should we try to regain some 

secrecy The Caesar method of “shift by three” or “add three” having failed, 

to regain some secrecy we are going to try “multiply by three.” 

Before we can study this new method, we need to first carefully analyze 

our Caesar ciphers. Suppose our message is Stop, Turn Back. To encipher it 

with a key of 3=D, we simply replace each letter in our message with the one 

three letters further down the alphabet. To be very explicit, we think of which 

position of the alphabet each letter is in (as in Figure 3.1), add three to that 

number, and use the letter in this latter number’s position. Of course, since we 

are comfortable with this process, we generally simply say “shift three” or “add 

three”. 


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

Figure 3.1: The Standard Translation of Letters into Numbers 

31

32 CHAPTER 3. THE INTRODUCTION OF NUMBERS 

Example: Encipher Stop, Turn Back with a shift of 3. 

We make a chart, giving the plaintext letters and their numerical equivalents. 

Then we add 3 to each number and translate back into letters: 

plaintext s t o p t u r n b a c k 

plainnumbers 19 20 15 16 20 21 18 14 2 1 3 11 

ciphernumbers 22 23 18 19 23 24 21 17 5 4 6 14 

ciphertext V W R S W X U Q E D F N 

The ciphertext is VWRS WXUQ EDFN. 

⋄ 

What if we had shifted by a larger number 

Example: Encipher Stop, Turn Back with a shift of 7. 


plainnumbers 19 20 15 16 20 21 18 14 2 1 3 11 


ciphertext Z W X Y X I H J R 

Which letters are the 27th and 28th of the alphabet Since 27 follows 26, and 

26 represents Z, we start over again, and so the 27th letter of the alphabet is A, 

the 28th is B, and so on. So a shift of 7 gives the ciphertext ZAWX QBYX IJHF. ⋄ 

We can now (tentatively) define the mathematical version of Shift ciphers. 

Mathematical Caesar Ciphers: To use a Caesar cipher 

1) Convert plainletters and keyletter into plainnumbers via Figure 3.1. 

2) Add the keynumber to each plainnumber. 

3) For plainnumbers larger than 26, replace 27 by A, 28 by B, 29 by C, etc. 

4) Convert the ciphernumbers into cipherletters. 

Example: Encipher Julius with a shift of 9. 

The ciphertext is SDURBD. 

plaintext j u l i u s 

plainnumbers 10 21 12 9 21 19 

ciphernumbers 19 30 21 18 30 28 

ciphertext S D U R D B 

⋄ 

With the translation between letters and numbers now clear, we return to 

our goal of changing from “adding three” to “‘multiplying by three.”

3.1. THE REMAINDER OPERATOR 33 

Example: Encipher Stop Turn Back with a multiplication of 3. 

We start as usual, by listing the letters of the message as well as their 

numerical values. But rather than adding three, we multiply these values by 

three. 


plainnumbers 19 20 15 16 20 21 18 14 2 1 3 11 


ciphertext E H S V H K B P F C I G 

Turning this ciphernumbers back into letters takes a bit of work. Replacing 6 

by F and 3 by C was easy. Replacing 42 and 45 by G and J demands some 

counting, and figuring out what to do with 54, 57, 60 and 63 means we have 

to count through the alphabet two-and-a-half times. It’s a good thing we only 

multiplied by 3 and not 13! 

The answer is EHSV HKBP FCIG. 

⋄ 

Was all the counting worth it Remember that a Caesar cipher is a weak 

cipher because of a lack of mixing – letters that are adjacent in the alphabet 

move to letters that are also adjacent. In the two Stop Turn Back examples 

the letters rstu from the message became UVWX and YZAB, respectively, and 

abc similarly became DEF and HIJ. (In fact, I picked these words because of 

the many consecutive letters.) A Caesar cipher succeeds only in shifting the 

aei, no, and rst-uvwxyz patterns, but does not destroy them. A better cipher 

should destroy these patterns and move the letters away from their neighbors. 

And our multiplication example did exactly this: the letters rstu became BEHK, 

and abc became CFI. Based on this one example, it appears that multiplication 

will provide more security than addition. 1 

So multiplication can produce a cipher system that is better than the Caesar 

ciphers – if we can find a quick way of turning large numbers into the equivalent 

letters of the alphabet. This must be our next goal. 

3.1 The Remainder Operator 

Which ciphernumbers will be converted to the cipherletter A Of course 1. Also 

27, since 27 is one more than once through the alphabet. Similarly 53 which is 

one more than twice through the alphabet. And 79, 105, . . . In fact, we could 

1 You may have wondered why Cryptology belongs to the field of Mathematics, rather than 

that of English. After all, a cipher is supposed the hide the meaning of the message, and 

surely English is about detecting the meanings of letters and words. Well, we’ve just seen the 

answer. The translation a=1, b=2, c=3, ... z=26, turns the subject of Cryptology into an area 

of mathematics. Similarly, once we’ve tried “add three” and “multiply by three”, almost any 

mathematical device that turns one number into another may be tried out as a enciphering 

method.


do this for every letter of the alphabet to come up with a table like 

A = 1 = 27 = 53 = 79 = . . . 

B = 2 = 28 = 54 = 80 = . . . 

C = 3 = 29 = 55 = 81 = . . . 

. 

Y = 25 = 51 = 77 = 103 = . . . 

Z = 26 = 52 = 78 = 104 = . . . 

We could continue this chart to handle the numbers like 195 and 208 that will 

occur when we encipher by multiplying by 13, but this seem quite cumbersome. 

Further, although it may not be readily apparent, there are really two questions 

lurking here. The first is one of conversion: how can we convert a number, 

say 54, into a number from 1 to 26 to see which letter it represents The second 

is one of equivalence: the numbers 54 and 28 and 2 are all equivalent because 

they all represent the letter b. What does this equivalence mean 

Let’s start with the conversion. Converting 54 to 2 is an operation, just 

as addition and multiplication are operations. What is involved is the number 

being operated on, 54, and the number doing the operating, which is 26 as 

there are twenty-six letters in the alphabet. To represent this operator we will 

borrow the symbol % from various programming languages and use it in the 

form 54%26 = 2. This is pronounced “fifty-four modulo twenty-six equals two.” 

Now how did we find the 2 from the 54 We knew that 28 and 2 both 

represent b, since 28 is 2 more than once through the alphabet. Numerically, 

28 = 2 + 26 or 28 − 26 = 2. Similarly, 54 = 28 + 26 is one more alphabet than 

28, which was b. So 54 must also be b. Or, working backwards, 54 − 26 = 28, 

28 − 26 = 2 and 2 = b, so 54 = b. Hence we found 2 from 54 by repeatedly 

subtracting 26’s until we obtained a number no bigger than 26. Of course, we 

can do this with any number. 

Examples: Compute the following numbers. 

(1) 32%26 = 

Since 32 − 26 = 6, the answer must be 6. 

(2) 39%26 = 

(3) 55%26 = 

Subtracting once gives 55−26 = 29. Since 29 is larger than 26 we subtract 

again, 29 − 26 = 3. So 55%26 = 3. 

(4) 79%26 = 

(5) 144%26 = 2 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

2 (2) 13, (4) 1, (5) 14.


Performing the %26 operation is not particularly difficult, but what if the 

number we are trying to reduce is 48924 Then repeatedly subtracting 26 is 

rather unappealing. Fortunately, we are not interested in the number of times 

we subtract 26, but rather in the number that is remaining when we are done. 

Just as multiplication is addition done quickly (4 × 3 just means 4 sets of 3, or 

3 added to itself 4 times), subtracting 26 many times is very closely connected 

to dividing by 26. 

To illustrate, we divide 85 by 26 using the form we learned as children: 

3 r = 7 

26 √ 85 

78 

7 

In multiplicative form this says 85 = 3 × 26 + 7. The 3 represents the quotient, 

how many times 26 goes into 85, and 7 is the remainder. Compare this with 

the subtraction method. 85%26 = Subtracting once: 85 − 26 = 59, and 59 

is larger than 26. Subtracting again: 59 − 26 = 33, still too large. Once more 

33 − 26 = 7. Small enough. So 85%26 = 7. Notice that the quotient 3 is the 

same as the number of subtractions, and that the remainder 7 is the same as 

the modulus answer. 

Let us try again with 109%26. 

4 r = 5 

26 √ 109 

104 

5 

so 109 = 4 × 26 + 5. On the other hand, 

109 − 26 = 83 

83 − 26 = 57 

57 − 26 = 31 

31 − 26 = 5. 

So 109%26 = 5. Again the quotient indicates how many 26’s need to be removed, 

and the remainder in the division gives the same result as the remainder 

operator. 

For numbers larger than about fifty the division method is generally quicker


than the subtraction method. For example, to compute 219%26: 

8 r = 15 

26 √ 219 

208 

15 

So 219%26 = 15 in much less time than 8 subtractions would have taken. 

Of course, the only people that do division in this form are school children 

– the rest of us use a calculator. With a calculator we see 85 ÷ 26 = 3.2692 and 

109÷26 = 4.1923 (rounding to four digits). The 3 and 4 represent the quotients. 

How do the fractional portions, .2692 and .1923, represent the remainders Since 

85 = 3 × 26 + 7, when we divide by 26 we have 

85 

26 = 3 + 7 

26 = 3.2692 

So 7 = .2692 or 7 = .2692 × 26. Similarly, 109 = 4 × 26 + 5 so 

26 

109 

26 = 4 + 5 

26 = 4.1923. 

Thus 5 = .1923 or 5 = .1923 × 26. 

26 

Notice that in both examples %26 gave the remainder when dividing by 26. 

For this reason we call % the remainder operator. We perform %26 by first 

dividing by 26 and then multiplying the decimal part of the answer by 26. 

Examples: Compute the following remainders. 

(1) 121%26 = 

121 ÷ 26 = 4.6538. The decimal is .6538, so the remainder is .6538 × 26 = 

17. Answer: 121%26 = 17. 

(2) 888%31 = 

What if the modulus is not 26 Then divide and later multiply by whatever 

the modulus is. 888 ÷ 31 = 28.6451, so the decimal is .6451 and 

remainder is .6451 × 31 = 20. Answer: 888%31 = 20. 

(3) 624%17 = 

624 ÷ 17 = 36.7059 has decimal .7059 and .7059 × 17 = 12. Answer: 

624%17 = 12. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄


As a bit of a time saver, notice that after doing the division you do not need 

to clear the screen (on your calculator) before punching in the decimal, but 

can instead subtract off the quotient. For example, redoing 888%31, we have 

888 ÷ 31 = 28.6451. Subtract 28 to leave .6451 which we then multiply by 31. 3 


(1) 424%26 = 

424/26 = 16.3077. Subtracting 16 leaves .3077. Answer is .3077 × 26 = 8. 

(2) 58%7 = 

58/7 = 8.2857 → .2857 × 7 = 2. Answer: 2. 

(3) 101%11 = 

(4) 2045%21 = 

(5) 48924%30 = 4 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

What about −29%12 Following our procedure (divide by 12, discard the 

quotient, multiply by 12) gives −5. Since the goal was a small positive number, 

we now simply add 12. So −29%12 = 7. In the shortcut notation, −29/12 = 

−2.4167 → −2.4167 + 2 = −.4167 → −.4167 × 12 = −5 → −5 + 12 = 7. 


(1) −89%23 = 

−89/23 = −3.869 → −3.869 + 3 = −.869 → −.869 × 23 = −20 → 

−20 + 23 = 3. Ans: 3 

(2) −134%17 = 

(3) −748%73 = 5 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Let’s summarize our work. 

3 The presence of division, and the comment about rounding, might make one concerned 

about the validity of this algorithm. Indeed, calculators only hold so many digits, so error is 

possible, especially when a is very large. These are valid concerns, but ones we will not worry 

about. 

4 (4) 12, (5) 2, (6) 8, (7) 24 

5 (2) 2, (3) 55


The Remainder Operator: The symbol % is called the remainder 

operator. For a positive number n, and any number a, a%n is shorthand 

for the remainder when a is divided by n. We pronounce a%n as “a modulo 

n” or “a mod n” and say that n is the modulus. 

To compute a%n: 

1) Divide a by n. 

2) Remove the integer part of this quotient. 

3) Multiply this number by n. 

4) If the resulting number is negative, add n. 

5) The final number (perhaps rounded up or down to the obvious integer) 

is the answer a%n. 

3.2 Modular Arithmetic 

The translation of 54 to b had two related questions: how and what. Our 

work with the remainder operator answered how, so we now turn to what it 

means that 2 and 28 and 54 all represent b. Or, perhaps more accurately, the 

consequences of saying that 2 and 28 and 54 are all “equal.” 

We say that two numbers A and B are equivalent if they represent the same 

letter. With our work on %, we now know this means that A%26 = B%26. 

This last mathematical statement is a bit clunky and fortunately we have a 

replacement available. It was the great scientist Carl Fredrick Gauss 6 who chose 

the symbol ≡ to use in this situation: “We have adopted this symbol because 

of the analogy between equality and congruence.” Instead of A%26 = B%26 we 

will write A ≡ B (mod 26). The ≡ is the equivalence symbol, and this whole 

equation is pronounced “a is equivalent to b modulo 26” or “A is congruent to 

B modulo 26.” 

In 1801 Gauss published his great work on Number Theory, Disquisitiones 

Arithmeticae. It begins 

Section I. Congruent Numbers in General 

1. If a number a divides the difference of the numbers b and c, b and c 

are said to be congruent relative to a; if not, b and c are noncongruent. 

The number a is called the modulus. . . . Henceforth we shall designate 

congruence by the symbol ≡, joining to it in parentheses the modulus 

when it is necessary to do so; e.g. −7 ≡ 15(mod.11), −16 ≡ 9(mod.5). 

6 Carl Friedrich Gauss (1777-1855), “The Prince of Mathematicians,” is probably the greatest 

mathematician of all time. Simply a list of his major accomplishments would take most 

of this page, so we will restrict ourselves to a varied few. He gave the first proof the the Law 

of Quadratic Reciprocity, the highlight of classical number theory; he calculated the orbit of 

the asteroid Ceres, inventing the method of least-squares to do so; he invented the heliotrope 

while surveying the state of Hanover; he founded the mathematics subjects of differential 

geometry and non-Euclidean geometry; and invented a primitive telegraph device. Of all his 

work, Gauss was most proud of his discovery that a regular 17-gon could be drawn using only 

a compass and straight-edge, apparently asking that a heptadecagon be carved on his tombstone. 

This was the first advance in this field since the time of the Greeks, and came on March 

30th, 1796 when Gauss, only 18 at the time, was deciding between a career in mathematics 

or philology.

3.2. MODULAR ARITHMETIC 39 

While % and ≡ are very closely related, they have an important difference: 

% performs an operation and ≡ is a statement. The symbol % is an operation, 

like addition. It turns two numbers into a third. But ≡ is a true/false statement, 

like equals. The mathematical statement 7 = 9 is a false one, while 7 = 9 − 2 is 

a true one. Similarly, 28 ≡ 2 (mod 26) is true and 29 ≡ 2 (mod 26) is false. 

If A%n = B then A ≡ B (mod n). For example, 78%10 = 8 so 78 ≡ 8 

(mod 10). Conversely, if A ≡ B (mod n), then A%n = B%n. For example, 

31 ≡ 17 (mod 7) since 31%7 = 3 = 17%7. Notice, however, that 31%7 ≠ 17 

and 17%7 ≠ 31. So the “equivalence modulo” statement, ≡ (mod n), is slightly 

weaker than “ equal remainder,” %n =. 

For the next several chapters the remainder operator will dominate and it 

will be a while until we see how powerful equivalence is. But since we’ve done 

most of the work, let us state the following. 

Theorem 1 Suppose A and B are any integers, and n is a positive integer. We 

write A ≡ B (mod n) if any of the following equivalent statements are true: 

1. A%n = B%n. 

2. A and B have the same remainder when divided by n. 

3. n divides B − A with remainder 0. 

4. A and B differ by a multiple of n. 

Perhaps the language in the theorem is a bit unfamiliar. By “equivalent 

statements” we simply mean that when numerical values are substituted for A, 

B and n, then either all of the statements will be true, or all of them will be 

false. In less formal language, each statement contains the same information, 

they just present it in different ways. For example if A and B have the same 

remainder when divided by n, then A − B will have no remainder. So A − B 

will be a multiple of n, or A and B will differ by n. 

Doing algebra using ≡ is very similar to the algebra you are used to. In fact, 

+, −, × and the Associate, Commutative, and Distributive Rules all work using 

≡ just like they always did with =. Division, however, is more complicated, as 

the following examples show. 

Examples: Examples of Division in Modular Arithmetic. 

(1) 3x ≡ 9 (mod 7) has the usual solution x = 3. 

(2) 3x ≡ 9 (mod 12) has the usual solution x = 3, but also x = 7 and x = 11. 

(3) 3x ≡ 8 (mod 7) has the unusual solution x = 5. 

(4) 3x ≡ 8 (mod 12) has no solutions. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄


Why this happens is a very interesting question, but one that we will leave 

unanswered for the moment. What we do need to take away from this example 

instead is simply that division is more complicated in modular arithmetic. That 

is not to say that it cannot be done, but rather that we will have to be careful 

when we do it. 

3.3 Decimation Ciphers 

Before getting caught up with remainders and equivalence we were trying to 

build a cipher built on multiplication rather than addition, but had difficulty 

with translating the ciphernumbers back into cipherletters. With our work with 

the remainder operator, this is now easy. 

To use a Decimation Cipher: 

1) Choose a proper keynumber k. 

2) Convert the plaintext to plainnumbers. 

3) Multiply each number by k to produce ciphernumbers. 

4) Find the remainder %n of each ciphernumber. 

5) Convert the reduced cipher numbers back into letters. 

(We will study the meaning of “proper” in Chapter 4.) 

Examples: Enciphering using a Decimation 7 Cipher. 

(1) Encipher About Face using k = 5. (k for “key”.) 

We follow the steps given in the definition: 

plaintext a b o u t f a c e 

plain numbers 1 2 15 21 20 6 1 3 5 

multiplied numbers 5 10 75 105 100 30 5 15 25 

%26 5 10 23 1 22 4 5 15 25 

ciphertext E J W A V D E O Y 

The ciphertext is EJWAV DEOY. 

(2) Encipher Midnight using k = 5. 

(3) Encipher Revolution using k = 19. 8 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Recall that the weakness in the shift ciphers was that adjacent letters in 

the plaintext alphabet remained adjacent even after being enciphered. The 

7 Why “Decimation” It is not clear. In Roman times, to decimate your troops meant 

to have the troops choose one-tenth of their numbers by lots, and then kill those soldiers. 

Hopefully this cipher will not be that painful. 

8 (2) MSTRS INV, (3) DQBYT IPOYF

3.3. DECIMATION CIPHERS 41 

previous about face example shows that decimation ciphers apparently will 

not have this weakness. The adjacent letters ef and tu were enciphered to YD 

and VA, respectively, and the adjacent triple abc to EJO. In fact, if we go ahead 

and encipher the entire alphabet with key k = 5 we find the following cipher 

alphabet: 

plaintext 

ciphertext 


E J O T Y D I N S X C H M R W B G L Q V A F K P U Z 

None of the letters are next to their former neighbors. 9 Decimation ciphers 

destroy letter ordering! 

We have not explained how to “properly” choose our keynumbers, but to see 

that there must be some care taken consider enciphering anna or bob using a 

decimation cipher with k = 2. The ciphertexts are BBBB and DDD, respectively. 

How would anyone decipher BBBB It is impossible to tell which B is an a and 

which is an n. So no one would be able to decipher a message whose enciphering 

key was 2. Hence, only certain keys can be used to multiply. In this chapter 

you will be given only proper keys, so we can safely put off solving this problem 

until Chapter 4. 

Thus far we have enciphered letters and only letters. What if we wish to 

keep spacing Or to add punctuation in our messages The next examples will 

do that. 

Examples: 

(1) Work modulo 28 with key k = 5 to encipher a space here. Use the usual 

plainnumbers with the addition that = 27, where the symbol means 

“space”. 

We do this as we did before, being careful to find the remainders using 28 

rather than 26. 

plaintext a s p a c e h e r e 

plain numbers 1 27 19 16 1 3 5 27 8 5 18 5 

multiplied numbers 5 135 95 80 5 15 25 135 40 25 90 25 

%28 5 23 11 24 5 15 25 23 12 25 6 25 

ciphertext E W K X E O Y W L Y F Y 

The answer is EQAXE OYWLY FY. 

(2) Encipher no one here using the same method with key k = 9. 

9 The careful reader may notice an oddity in the last plaintext–ciphertext alphabet pair. 

(If you didn’t, try enciphering zzz using any key before reading further.) Since we think of 

a as the first letter of the alphabet, z is the 26th. But 26 times any keynumber will be a 

multiple of 26, and so when divided by 26 it will have a remainder of 0. Since 0 is just before 

1, 0 must represent Z. Hence, z will always be enciphered into Z. Fortunately z is uncommon 

enough that this doesn’t really threaten the security of this cipher.


(3) Encipher one, two, three using the usual plainnumbers with = 27 and 

, =28. Use a decimation cipher modulo 29 with key k = 8. 

The first part of this one is set up for you. 

plaintext o n e , t w o , t h r e e 

plain numbers 15 14 5 28 27 

multiplied numbers 120 112 40 224 216 

%29 4 25 11 21 13 

ciphertext D Y K U M 

(4) Encipher I’m his, he’s mine using k = 7 in a a decimation cipher modulo 

30, where = 27, , = 28 and ’ = 29. 10 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

3.4 Deciphering Decimation Ciphers 

How do we decipher a message enciphered with a decimation cipher To decipher 

a shift cipher we simply subtracted the number that had been added. 

Since decimation ciphers involve multiplication, it seems that division must be 

the key to enciphering. Let’s look at the first example from Section 3.3. 

Example: Decipher EJWAV DEOY, whose enciphering key was k = 5 

We begin with the usual set-up. Since enciphering was done by multiplying 

by 5, we try here to decipher by dividing by 5. 


ciphernumbers 5 10 23 1 22 4 5 15 25 

divided ciphernumbers 1 2 4.6 0.2 4.4 0.8 1 3 5 

plaintext a b a c e 

Several of the plaintext letters are correct, but which is the 4.6th letter of 

the alphabet Or the .2th Simply dividing the ciphernumbers does not work. 

And the reason is clear: we shouldn’t be dividing the (reduced) ciphernumbers 

(5, 10, 23, 1, etc.), but rather the non-reduced ones (5, 10, 75, 105, etc.) And 

it’s not clear that we can determine what they were. 

⋄ 

What we need is a way to “unmultiply,” or, to be more precise, to undo 

the multiplication modulo 26. We all know that to “unadd” we simply add the 

negative, also called the additive inverse. So to unmultiply we will need to 

multiply by the multiplicative inverse. Just as a number plus its additive inverse 

equals 0, the additive identity, a number times its multiplicative inverse 

equals 1, the multiplicative identity. 

10 (2) NWSWN QWPWV W, (3) DYKUM OJDUM OF,KK, (4) CXAIZ CMPIZ EXMIA CHE.

3.4. DECIPHERING DECIMATION CIPHERS 43 

To decipher a decimation cipher with key K we will need to find the inverse 

of K modulo 26 (the number that satisfies (K × )%26 = 1). It turns out 

that the inverse of 5 when working modulo 26 is 21: (5 × 21)%26 = 1. Since 

multiplying by 1 changes nothing, following a multiplication by 5 with another 

by 21 brings us back to our original message. 

The same is true for several other pairs of numbers. (The numbers that have 

multiplicative inverses are “proper” in the sense of the definition of Decimation 

ciphers on page 40.) We will learn how to produce these pairs in Chapter 4. 

For now, we simply list them. 

enciphering key 1 3 5 7 9 11 15 17 19 21 23 25 

deciphering key 1 9 21 15 3 19 7 23 11 5 17 25 

Figure 3.2: Enciphering/Deciphering pairs modulo 26. 

Notice that the deciphering key is seldom the same as the enciphering key. Do 

not make the mistake of simply reusing the enciphering key, or using its negative. 

A Decimation Cipher will only decipher properly when the correct key is used. 

Examples: 

(1) Decipher EJWAV DEOY, whose enciphering key was k = 5 

From Figure 3.2 the multiplicative inverse of 5 is 21. So if we multiply the 

ciphernumbers by 21 and then find their remainders mod 26 we should 

have our message back. Let’s see. 


ciphernumbers 5 10 23 1 22 4 5 15 25 

×21 105 210 483 21 462 84 21 63 105 

%26 1 2 15 21 20 6 1 3 5 

plaintext a b o u t f a c e 

Multiplying by 21 really did undo the multiplication by 5 and so did 

decipher our message. 

(2) Decipher MKCCKFI, if the enciphering number was 7. 

The key was multiply by 7. However, if we try to divide by 7 to decipher 

we have troubles: 

ciphertext M K C C K F I 

ciphernumbers 13 11 3 3 11 6 9 

divide by 7 1.857 1.571 .429 .429 1.571 .857 1.286 

plaintext


Instead, we need to multiply by the inverse of 7, which from Figure 3.2 is 

15. 

ciphertext M K C C K F I 

ciphernumbers 13 11 3 3 11 6 9 

×15 195 165 45 45 165 90 135 

%26 13 9 19 19 9 12 5 

plaintext m i s s i l e 

This works much better. The answer is missile. 

(3) Decipher JCPCJS if the enciphering key was k = 9. 

(4) Decipher RDYRSCSPQ if enciphering key was k = 19. 

(5) Decipher AWVFWYKLC if the enciphering key was k = 11. 11 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

3.5 Multiplication vs. Addition 

We have seen that decimation ciphers cause letters which are adjacent in the 

plaintext alphabet to be separated in the ciphertext alphabet. How much does 

this improve security 

Consider the following ciphertext that was enciphered with a decimation 

cipher. 

UQESF YFTGW SGPVS PPVQX QEDGR PMQFP YJSFG EORVQ DQBQF PVQWO 

MRTQW PUOTT SPPOM QWOFE TIXQS FIMLQ DYJUY FXQDO FCW 

It has the letter frequency table 

0 1 1 4 4 9 4 0 2 2 0 1 4 0 6 9 13 3 6 5 3 4 5 3 4 0 


There are no obvious places to fit the aei, no, rst and uvwxyz patterns. Nor, 

for that matter, any non-obvious place! Clearly our efforts to construct and 

understand the Decimation Ciphers have been fruitful – the techniques that 

allow us to decrypt Caesar ciphers no longer suffice. 

3.6 Koblitz’s Kid-RSA and Public Key Codes 

To demonstrate the powers of the ideas we’ve studied in this chapter we are going 

now to explain Neal Koblitz’s toy system, “Kid-RSA”. The RSA cryptosystem, 

due to Rivest, Shamir, and Adelman, is one of the most important systems 

11 (3) divide, (4) propagate, (5) subjugate.

3.6. KOBLITZ’S KID-RSA AND PUBLIC KEY CODES 45 

in use today. We will study it in Chapter 12. The Kid-RSA is a Decimation 

Cipher with a slightly complicated setup. It offers no actual security, hence it 

is a “toy” system, but will allow us to introduce the concept of public keys. 

Set-up of Kid-RSA: 

1. Choose four integers, calling them a, b, A and B. 

2. Compute AB − 1 and call it M. 

3. Compute aM + A and bM + B and call them e and d, respectively. 

4. Compute (ed − 1)/M and call it n. 

Then e and d will serve as the enciphering and deciphering keys in a Decimation 

Cipher modulo n. 

A couple of examples will help clarify. 

Examples: 

(1) Suppose we choose a = 5, b = 7, A = 4 and B = 3. Then we compute the 

other parameters: 

M = AB − 1 = 11 

e = aM + A = 59 and d = bM + B = 80, and 

n = (ed − 1)/M = (59 · 80 − 1)/11 = 429. 

Now we encipher numerical as usual: 

plaintext n u m e r i c a l 

plainnumbers 14 21 13 5 18 9 3 1 12 

×59 826 1239 767 295 1062 531 177 59 708 

%429 397 381 338 295 204 102 177 59 279 

ciphertext 397 381 338 295 204 102 177 59 279 

Because we are working modulo 429 we cannot at this point reduce modulo 

26 to retrieve a ciphertext. Instead we simply use the reduced ciphernumbers 

as our ciphertext. So numerical is enciphered to 397, 381, 338, 

295, 204, 102, 177, 59, 279. 

To decipher we multiply by d and reduce modulo 429: 

ciphertext 397 381 338 295 204 102 177 59 279 

×80 31760 30480 27040 23600 16320 8160 14160 4720 22320 

%429 14 21 13 5 18 9 3 1 12 

plaintext n u m e r i c a l 

So we retrieve our plaintext numerical.


(2) Given a = 3, b = 9, A = 5 and B = 4, 

1. Compute M, e, d, and n. 

2. Encipher public. 

3. Decipher {111, 310, 408}. 12 

(3) Given a = 7, b = 2, A = 3, B = 6, 

1. Compute M, e, d, and n. 

2. Encipher private. 

3. Decipher {29, 108, 79, 194}. 13 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

While the setup of Kid-RSA is a bit of work, there is a very nice payoff that 

we illustrate with names. Suppose Alice wishes others to be able to send her 

private messages. She (secretly) chooses values for a, b, A and B, and then 

computes M, e, d and n. (For this example we will assume e = 165, d = 121 

and n = 868.) Then she adds these public keys to her business cards 

Alice Anderson 

Phone: 1-800-CALL-ALC 

Email: alice a○mymail.com 

I use Koblitz’s Kid-RSA. My public 

keys are e = 165 and n = 868. 

and web page and her company’s contact information sheet. The reason for the 

name is now obvious: a public key is a key that is made known to the public. 

The value d Alice should keep secret and is called her private key. 

If Bob wants to send Alice a secret message, he first looks up her enciphering 

key and modulus. Then to say “Hi”, he computes 

plaintext h i 

plainnumbers 8 9 

×165 1320 1485 

%868 452 617 

and sends Alice the ciphertext {452, 617}. Notice that Bob didn’t need a, b, 

A or B to do this. Further, because Alice has previously computed d, she can 

quickly decipher the message. 

How does Kid-RSA differ from our earlier Decimation Ciphers For Alice 

and Bob to use a standard Decimation Cipher they must agree upon e, d and n. 

And they must keep these values private, for anyone who knows these numbers 

12 1. M = 19, e = 62, d = 175, n = 571, 2. {421, 160, 124, 173, 558, 186}, 3. key 

13 1. M = 17, e = 122, d = 40, n = 287, 2. {230, 187, 237, 101, 122, 144, 36}, 3. lock

3.6. KOBLITZ’S KID-RSA AND PUBLIC KEY CODES 47 

can read the ciphertext messages just as easily as Alice and Bob can. They are 

private keys. In particular, Alice and Bob cannot simply transmit these numbers 

to one another for fear that someone will eavesdrop on that transmission. 

A bit of thought shows this implies that for Alice and Bob to set up a method 

for exchanging secret messages, they must already be able to secretly exchange 

messages! 14 

A public key cryptosystem removes this difficulty. Bob and Alice need never 

have met, or have had contact of any kind. When, for whatever reason, Bob 

decides to send Alice a secret message he looks up her public key and enciphers 

using it. Similarly, if Alice wants to reply, she can look up Bob’s public key and 

use it. 

Example: Bob sends Alice the message “Part 1: Using your public key, the 

enciphering key was 517. 

Part 2: Message is ’Meet on WIFXSG’.” If Alice’s public key is based on a = 4, 

b = 5, A = 4 and B = 10, what day will they meet 

Doing the computations, d = 205 and n = 841. Since (205×517)%841 = 19, 

Bob used k = 19 to encipher WIFXSG. From Figure 3.2, using the key 11 will 

decipher the message. (You can now finish by deciphering the message.) 15 ⋄ 

In order for a public key system to be secure it must be impossible, or at 

least really difficult, for someone to use the public information to determine the 

private information. If Ed, Alice’s enemy, notices that Bob sent her the message 

{452, 617}, how might he break it Ed can look up Alice’s public keys e and 

n just as Bob did. Can he use these numbers to compute her private key d If 

so, he simply deciphers the message. 

In this case, Ed knows that d is an integer, somewhere between 1 and n = 

868. As in the method of exhaustion for Caesar Ciphers, Ed could successively 

try d = 1, d = 2, d = 3, . . ., until the message pops out. And it would after at 

most 868 attempts. While this is too many computations to do by hand, it is 

a triviality for a computer. (Alice would be better off to choose larger values 

for the parameters: a = 195, b = 191, A = 184 and B = 177 would lead to 

n = 1, 213, 027, 575, and a billion computations will take a bit more time, even 

by computer.) 

Is there another method Ed might use He knows the values of e and n, 

and wants a value d so that (d × e)%n = 1. The difficulty we had with the 

standard Decimation Ciphers (How do we determine the deciphering key from 

the enciphering key) is now supplying the security in the Kid-RSA! Overcoming 

this difficulty (and hence breaking the Kid-RSA) is the main goal of Chapter 4. 

14 Of course, Alice and Bob could either meet in person or would allow a trusted third party 

to carry the numerical keys from one of them to the other. But these are hardly practical 

solutions in general. 

15 Sunday.


3.7 Summary 

The mathematical operation underlying Caesar and Shift Ciphers is addition. 

Since these ciphers are insecure, it seems natural to try to build a cipher based 

on multiplication. These so-called Decimation Ciphers are somewhat more complicated, 

as they involve numbers much larger than 26 and it is not obvious how 

to determine their deciphering keys from their enciphering keys. On the other 

hand, they do not immediately fall prey to the type of frequency analysis that 

makes Caesar Ciphers insecure. 

To handle numbers larger than 26 we introduced the remainder operator 

%. For A and n integers, A%n is the remainder when A is divided by n. For 

positive A’s finding this value with a calculator is very quick: divide A by n, 

subtract the integer part of the result away, and then multiply by n. 

Using the remainder operator, Decimation Ciphers seem to be a fine replacement 

for our broken Caesar Ciphers. At least, the weakness that plagues those 

latter ciphers, adjacent letters being enciphered into adjacent letters, seems to 

not be a problem with our new ciphers. 

In Koblitz’s Kid-RSA, a somewhat fancy choice of the parameters produces 

a public key system. One party, “Alice”, makes certain keys public and keeps 

others private, and then other parties can use her public key(s) to send messages 

to Alice even if they have never met her. The implications of Public Key Codes 

are many and far reaching. Although the ideas behind public key codes did not 

coalesce until the 1970’s 16 , their advantages quickly became clear. Nearly all 

modern uses of cryptography now involve some combination of private key and 

public key cryptosystems. 


1. Why do we replace the letters of the alphabet with the numbers 1 through 

26 

2. Why must we consider numbers larger than 26 Give an example. 

3. What does A%n mean How do we determine which number this is 

4. What does A ≡ B (mod n) mean How do we determine if this equivalence 

is true 

5. What does it mean for two numbers to be equivalent 

6. What is a modulus 

7. What is a Decimation Cipher 

16 The first clear remarks along this line were made by Martin Hellman and Whitfield Diffie 

in 1976.


8. How do we encipher with a Decimation Cipher 

9. Is the deciphering process for a Decimation Cipher the same process as 

enciphering, or different Explain. 

10. How are the encipher key, deciphering key, and modulus in a Decimation 

Cipher related 

11. What is a multiplicative inverse 

12. Suppose we know a cipher is either a Caesar Cipher or a Decimation. 

Cipher. How can a frequency count help us determine which 

13. Can a frequency count help break a Decimation Cipher Explain. 

14. How many Decimation Ciphers are there modulo 26 

15. What does it mean to be a Public Key How does this differ from a 

Private Key 

16. What parts of the Kid-RSA are made public What parts are kept private 

17. How do Public Key systems differ from Private Key systems 

3.9 Exercises 

Show your work, and explain any non-standard steps. 

1. Find the following remainders. 

(a) 41%12. 

(b) 53%9. 

(c) 110%43. 

(d) 332%23. 


(a) 87%17. 

(b) 95%13. 

(c) 195%15. 

(d) 3389%201. 


(a) −8%10. 

(b) −37%11. 

(c) −621%34.


(d) −309%26. 

4. Find the following remainers. 

(a) 192%18. 

(b) 1829%82. 

(c) −381%91. 

(d) 8391%5. 

5. Test to see whether the following equivalence statements are true or not 

by computing the remainder of both sides. 

(a) 72 ≡ 44 (mod 19). 

(b) 87 ≡ 103 (mod 11). 

(c) 327 ≡ 199 (mod 32). 

(d) 411 ≡ 879 (mod 39). 

6. Encipher the following, using a Decimation Cipher modulo 26 with the 

given key. 

(a) Quotient, key = 11. 

(b) Remainder, key = 23. 

(c) Fraction, key = 5. 

(d) Integer, key = 19. 

7. Decipher the following words. They have been enciphered using a Decimation 

Cipher modulo 26 with the given key. 

(a) LOIAMCJ, key = 3. 

(b) UNGDL MADGK, key = 21. 

(c) QVOGH TQ, key = 17. 

(d) SOXSC XCY, key = 15. 

(e) MIRWBKP, key = 11. 

8. Sending a message asking for 5293 men is a lot easier than sending for five 

thousand two hundred and ninety-three men. One way to simplify the 

transmission of numbers is to let the numbers 0 to 9 stand for themselves 

in the plaintext, save 10 for space, use the numbers 11 to 36 to represent 

the letters of the alphabet, and work modulo 37. So a = 11, b = 12, . . ., z 

= 36, and for example, the numerical version of 10 to 15 people is then 

1 0 10 30 25 10 1 5 10 26 15 25 26 12 15. 

(a) Encipher 1 if by land using a Caesar Cipher with key 10. 

(b) Decipher TU2AK 2326G R7F. It was enciphered using a Caesar Cipher 

with key 29.


(c) Encipher 54 40 or fight using a Decimation Cipher with key 11. 

(d) Decipher EF2 G QOX3R It’s a Decimation Cipher with deciphering key 

5. 

(e) Decipher DRWEQ VAH. It’s a Decimation Cipher with deciphering key 

16. 

(f) Decipher 832Q3 AS35M 7. It’s a Decimation Cipher with deciphering 

key 28. 

9. The ASCII code (American Standard Code for Information Interchange) is 

commonly used method for translating letters and characters into numeric 

equivalents. Lower-case and upper-case letters have their own values, as do 

the numbers, punctuation marks, and other useful symbols. (The numbers 

0 to 32 represent computer controls – 9 is the tab key, for example, and 

do not much interest us.) 

ASCII Symbol ASCII Symbol ASCII Symbol ASCII Symbol 

0 NUL 32 (space) 64 @ 96 ‘ 

1 SOH 33 ! 65 A 97 a 

2 STX 34 ” 66 B 98 b 

3 ETX 35 # 67 C 99 c 

4 EOT 36 $ 68 D 100 d 

5 ENQ 37 % 69 E 101 e 

6 ACK 38 & 70 F 102 f 

7 BEL 39 ’ 71 G 103 g 

8 BS 40 ( 72 H 104 h 

9 TAB 41 ) 73 I 105 i 

10 LF 42 * 74 J 106 j 

11 VT 43 + 75 K 107 k 

12 FF 44 , 76 L 108 l 

13 CR 45 - 77 M 109 m 

14 SO 46 . 78 N 110 n 

15 SI 47 / 79 O 111 o 

16 DLE 48 0 80 P 112 p 

17 DC1 49 1 81 Q 113 q 

18 DC2 50 2 82 R 114 r 

19 DC3 51 3 83 S 115 s 

20 DC4 52 4 84 T 116 t 

21 NAK 53 5 85 U 117 u 

22 SYN 54 6 86 V 118 v 

23 ETB 55 7 87 W 119 w 

24 CAN 56 8 88 X 120 x 

25 EM 57 9 89 Y 121 y 

26 SUB 58 : 90 Z 122 z 

27 ESC 59 ; 91 [ 123 { 

28 FS 60 < 92 \ 124 | 

29 GS 61 = 93 ] 125 } 

30 RS 62 > 94 ˆ 126 ˜ 

31 US 63 95 127 DEL


Figure 9. ASCII Code 

In the examples below, we use the ASCII code by first translating plaintext 

characters into their ASCII equivalents, perform some numerical operations 

on those equivalents modulo 128, and then send the numerical results 

as the ciphertext. 

For example, if doing a Caesar Cipher with key 3 on “$ = Dollars,” 

the ASCII form is 36 61 68 111 108 108 97 114 116 127, and shifting 

gives the ciphertext 39 64 71 114 111 111 100 117 119 2. 

(a) Encipher Stalag 17 using a Caesar Cipher with key 90. 

(b) Decipher 5 5 110 33 67 60 65 51 66 110 33 66 64 55 62. 

It was enciphered with a Caesar Cipher with key 78. 

(c) Encipher 12 O’Clock High using a Decimation Cipher with key 17. 

(d) Decipher 46 40 24 75 93 91 103 102 92 107 24 103 110 93 106 

24 76 103 99 113 103. It was enciphering using a Caesar Cipher 

with key 120. 

(e) Decipher 7 61 112 32 90 45 47 97 74 32 119 100 74 97 97 100. 

It was enciphered using a Decimation Cipher. The deciphering key 

is 11. 

(f) Decipher 35 59 40 92. It was enciphered using a Decimation Cipher. 

The deciphering key is 27. 

(g) Decipher 13 7 58 98 3 109 120 124 96 43 124 96 124 120 87 96 

101 122 96 57 122 97 69 102 102 43 36. It was enciphered using a 

Decimation Cipher. The deciphering key is 35. 

(h) Decipher 42 26 121 48 121 38 68 92 32 104 101 58 28 121 53 73 13 

38 37 42 32 31 101 13 116 32 68 8 121 32 36 13 111 23 68 43 111 

23 32 1 101 38. It was enciphered using a Decimation Cipher. The 

deciphering key is 77. 

10. Roberta’s MRSA has parameters a = 5, b = 1, A = 6 and B = 7. 

(a) Find the other parameters. 

(b) Encipher privacy. 

(c) Decipher 133, 187, 141, 50, 137, 112, 137, 17, 71. 

(d) Nikki has looked up Roberta’s public key and has sent her the following 

two part message. Decipher it. 

First part: 21 187 50 17 137 133 50 71 141 71 46 137 100 21 162 

83 17 129 54 191 17 71 191 137 191 54 

Second part: QRCVC PWEMY OEYHE CZYIP HA. 

11. Henry’s MRSA has parameters a = 2, b = 6, A = 5 and B = 4. 

(a) Find the other parameters.


(b) Encipher secrecy. 

(c) Decipher 129, 111, 68, 258, 120, 172, 68, 59, 120, 43, 249. 

(d) Frita has sent Henry the following two-part message. The first part 

used Henry’s public key. Decipher both parts. 

First part: 129, 43, 215, 16, 43, 240, 206, 215, 7, 188, 43, 

16, 77. 

Second part: AOL IBASLY KPK PA.

54 CHAPTER 3. THE INTRODUCTION OF NUMBERS

Chapter 4 

The Euclidean Algorithm 

It is sometimes said that, next to the Bible, the 

“Elements” may be the most translated, published, 

and studied of all the books produced in 

the Western world. 

B. L. van der Waerden 

In Chapter 3 we developed Decimation Ciphers. By means of multiplication 

and the remainder operator these ciphers seem to offer some degree of security. 

However, only some enciphering keys could be used, and it wasn’t clear how 

to determine the deciphering key from the enciphering key. Our work in this 

chapter is intended to surmount these difficulties. 

Let us start with a review in the form of a new cipher system. 

4.1 Linear Ciphers 

To try to make an even better cipher we might combine the two types of ciphers 

we’ve seen so far, by first multiplying and then adding. 

Caesar Cipher: Pick a keynumber c. Then enciphering is “Add c mod 

26”, that is, the message m becomes (m + c)%26. 

Decimation Cipher: Pick a (proper) keynumber k. Then enciphering is 

“multiply by k mod 26”, that is, the message m becomes (k × m)%26. 

Combining these, we define a linear cipher to be one that first multiplies and 

then adds. 

Linear Cipher: Pick a (proper) keynumber k and (any) keynumber c. 

Then enciphering is “multiply by k then add c mod 26”, that is, the 

message m becomes (k × m + c)%26. 

55

56 CHAPTER 4. THE EUCLIDEAN ALGORITHM 

Examples: 

(1) Encipher multiply with key 7m + 2. 

Rather than just adding or multiplying we combine the two. 

plaintext m u l t i p l y 

plainnumbers 13 21 12 20 9 16 12 25 

×7 91 147 84 140 63 112 84 175 

+2 93 149 86 142 65 114 86 177 

%26 15 19 8 12 13 10 8 21 

ciphertext O S H L M J H U 

So the ciphertext is OSHLMJHU 

(2) Encipher decimate with key 5m + 8. 

(3) Encipher conquer with key 9m + 3. 1 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

4.2 GCD’s and the Euclidean Algorithm 

Our Decimation and Linear Ciphers have two problems: the enciphering key 

must be chosen “properly” (a term I still haven’t defined) and once it is chosen 

the corresponding deciphering key must somehow be determined. It is perhaps 

not surprising that the solutions to these two problems are related. However it 

is probably surprising that the solutions involve greatest common divisors and 

were known to Euclid, some 2500 years ago. 

Euclid (c. 350 B.C.E.) textbook, The Elements, is the most successful ever 

written, and, with The Bible, one of the most published books of all time, 

appearing in over 1000 editions. Euclid taught at the academy in Alexandria, 

but this is about all we know about his life. The Elements deals with plane 

and solid geometry and number theory, while other books of Euclid cover such 

topics as astronomy, mechanics, music, and optics. 

The Greatest Common Divisors, or gcd, of two integers is exactly what 

the name suggests: it is the largest integer that divides both. For example, 14 

is divisible by 1, 2, 7 and 14, while 10 is divisible by 1, 2, 5 and 10. The largest 

divisor that 14 and 10 have in common is 2, and so gcd(14, 10) = 2. 

For some reason most people seem able to rather automatically compute the 

gcd’s of small numbers. 

1 (2) BGWAU MDG, (3) DHYZJ VI.

4.2. GCD’S AND THE EUCLIDEAN ALGORITHM 57 

Examples: Compute the gcd’s. 

(1) gcd(35, 15). 

(2) gcd(20, 12). 

(3) gcd(21, 12). 

(4) gcd(16, 8). 

(5) gcd(22, 15). 2 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

To hint that there is a connection between gcd’s and the enciphering keys, 

recall from Figure 3.2 that modulo 26 the proper enciphering keys are 1, 3, 5, 

7, 9, 11, 15, 17, 19, 21, 23, and 25. In other words, the numbers from 1 to 26 

excluding the even numbers and 13, that is, excluding those numbers whose gcd 

with 26 is larger than 1. 

Although the gcd’s of small numbers are easy to compute, it is not obvious 

how to quickly compute the gcd of larger numbers, say gcd(182, 217). We next 

work to develop a method to do this. Euclid’s key observation was that gcd’s 

and the remainder operator are intimately related. Precisely, any number that 

divides both of the numbers a and b will also divide a%b. This is because, as 

we recall from Chapter 3, a%b = a − bq where q is the quotient, the integer 

part of a ÷ b. So if some number d divides both a and b, then it will divide 

a − bq = a%b. On the other hand, if a number d divides a%b and b then it will 

also divide a = a%b + bq. Since this is true for all divisors, it is certainly true 

for the largest divisor. Hence gcd(a, b) = gcd(b, a%b). 

For example, gcd(35, 15) = gcd(15, 35%15) = gcd(15, 5). In trading a 35 

for a 5 we’ve made our problem much simpler. Doing this again, gcd(15, 5) = 

gcd(5, 15%5) = gcd(5, 0). Since every number divides 0, the largest number 

that divides both 0 and 5 is the largest that divides 5, which is 5. 

Example: Use this method to compute gcd(69, 27). 

gcd(69, 27) = gcd(27, 69%27) = gcd(27, 15) 

= gcd(15, 27%15) = gcd(15, 12) 

= gcd(12, 15%12) = gcd(12, 3) 

= gcd(3, 12%3) = gcd(3, 0) 

= 3. 

So gcd(69, 27) = 3. Of course, we’d probably abbreviate this as 

gcd(69, 27) = gcd(27, 15) = gcd(15, 12) = gcd(12, 3) = gcd(3, 0) = 3. 

⋄ 

2 (1) 5, (2) 4, (3) 3, (4) 8, (5) 1.


The individual computations are not difficult, but the continual swapping of 

gcd entries, as well as the rewriting of “gcd” is a bit much. In addition while 

we have kept the remainder information, we have lost the quotients that we will 

soon need. So we are going to introduce a more compact way of presenting this 

computation, perhaps due to [Glasby]. 

To see how this is built, consider gcd(69, 27) = gcd(27, 69%27). The remainder 

69%27 is 15, and the quotient of 69 ÷ 27 is 2. So we write 

q 

r 69 

2 

27 15 

where q and r remind us which line contains the quotient and which the remainder. 

Similarly, for gcd(27, 15) = gcd(15, 27%15) we write 

q 

r 17 

1 

15 12 

since the quotient of 27 ÷ 15 is 1 and the remainder is 12. 

The advantage of this representation is that 

, 

q 

r 69 

2 

27 15 

and 

q 

r 17 

1 

15 12 

may be combined as 

q 

r 69 

Adding the 12 ÷ 3 results then gives 

2 

27 

1 

15 12 

. 

q 

r 69 

2 

27 

1 

15 

1 

12 

4 

3 0 

. 

Examples: 

(1) Compute gcd(15, 85). 

For this first example we work one division step at a time and write in 

bold the numbers added at each step. 

Enter the two numbers, larger one first: 

q 

r 85 15 

from 85 ÷ 15: 

from 15 ÷ 10: 

from 10 ÷ 5: 

q 

r 85 

q 

r 85 

q 

r 85 

5 

15 

5 

15 

1 

10 

5 

15 10 

1 

10 5 

2 

5 0 

The gcd is the final non-zero remainder. So gcd(15, 85) = 5.

4.3. MULTIPLICATIVE INVERSES 59 

(2) Find gcd(79, 201). 

q 

r 201 

2 

79 

1 

43 

1 

36 

5 

7 

7 

1 0 

gcd(79, 201) = 1. 

(3) Find gcd(182, 217). 

q 

r 182 

1 

35 

5 

7 0 

gcd(217, 182) = 5. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

This process is called the Euclidean Algorithm, 3 and the general rule is that 

at any stage of four numbers in a triangle 

a 

q 

b 

we have q = a ÷ b, the quotient of the division, and r = a%b, the remainder. 

Even for large numbers the Euclidean Algorithm takes relatively few steps. 4 

r 

, 

Example: Compute gcd(191, 156) 

q 

r 191 

1 

156 

4 

35 

2 

16 

5 

3 

3 

1 0 

gcd(191, 156) = 1. 

⋄ 

Being that this is math book, we should justify the algorithm, that is, explain 

how we know it always works. Fortunately this is easy. We know that gcd(a, b) = 

gcd(b, a%b), so by letting r = a%b, each consecutive pair of numbers in the “r 

line” has the same gcd. Since a > b > r ≥ 0, the values in the r line are 

positive but shrinking, so the algorithm must end. And when it does it, with 

a 0, because gcd(r, 0) = r the final non-zero entry equals the gcd of any two 

consecutive values in the line, in particular, the first two values in the line. 

4.3 Multiplicative Inverses 

For us to fully understand the multiplicative ciphers, decimation and linear, we 

need to know how to get from enciphering key to deciphering key. An extension 

3 An algorithm is a step-by-step procedure that solves a particular problem or produces 

some desired outcome. The word comes from the name of Mohammed ibn-Muse al-Khwarizmi, 

a mathematician in the royal court of Bagdad c. 800 A.D. Algebra likely also comes from his 

name. 

4 A theorem named for Gabriel Lamé, a French engineer, physicist and mathematician, says 

that the number of divisions needed to find the greatest common divisor of two numbers is 

no more than five times the number of decimal digits in the smaller of the two numbers.


of the Euclidean Algorithm will do this for us. 

For example, suppose we had used k = 9 as our multiplicative key (modulo 

26). To decipher we need to use the key c satisfying (9c)%26 = 1, or, equivalently, 

9 × c ≡ 1 (mod 26). To find c we extend Euclid’s Algorithm by adding a 

new line, a “coefficient line,” that begins with a 0 and a 1 and is continued by 

the formula 

old c − current q × current c = new c. 

Examples: 

(1) Find gcd(9, 26) and the inverse of 9 modulo 26. 

For this example we will first work one step at a time. 

Begin with gcd entries and 0 and 1: 

From 26 ÷ 9, 

From 9 ÷ 8, 

From 8 ÷ 1, 

{ 

q = 2, r = 8, and 

0 − (2 × 1) = −2 : 

{ 

q = 1, r = 1, and 

1 − (1 × −2) = 3 : 

{ 

q = 8, r = 0, and 

2 − (8 × 3) = −26 : 

q 

r 

c 

q 

r 

c 

q 

r 

c 

q 

r 

c 

26 

0 

26 

0 

26 

0 

26 

0 

2 

9 

1 

2 

9 

1 

2 

9 

1 

9 

1 

8 

-2 

1 

8 

−2 

1 

8 

−2 

1 

3 

8 

1 

3 

0 

-26 

Just as the final (non-zero) entry in the remainder line is the gcd, the entry 

in the coefficient line under the gcd gives us the solution to 9 × x ≡ gcd 

(mod 26). So 9 × 3 ≡ 1 (mod 26). (The −26 at the end of the coefficient 

line is ignored.)

4.3. MULTIPLICATIVE INVERSES 61 

(2) Compute gcd(12, 45) and find a solution to 12x ≡ gcd (mod 45). 

From 45 ÷ 12, 

From 12 ÷ 9, 

From 9 ÷ 3, 

{ 

q = 3, r = 9, and 

0 − (3 × 1) = −3 : 

{ 

q = 1, r = 3, and 

1 − (1 × −3) = 4 : 

{ 

q = 3, r = 0, and 

−3 − (3 × 4) = −15 : 

Setup: 

q 

r 

c 

q 

r 

c 

q 

r 

c 

q 

r 

c 

45 

0 

45 

0 

45 

0 

45 

0 

12 

1 

3 

12 

1 

3 

12 

1 

3 

12 

1 

9 

-3 

1 

9 

−3 

1 

9 

−3 

3 

4 

3 

3 

4 

0 

So gcd(12, 45) = 3 and x = 4 is a solution to 12x ≡ gcd (mod 45), which 

we can check by seeing that (12 × 4)%45 = 3%45. (The entry in the 

coefficient row under the final remainder of 0 is ignored, so we didn’t 

bother to enter it.) 

(3) Compute gcd(27, 50) and find a solution to 27x ≡ gcd (mod 50). 

q 

r 

c 

50 

0 

1 

27 

1 

1 

23 

−1 

5 

4 

2 

1 

3 

−11 

3 

1 

13 

0 

So gcd(27, 50) = 1. Since −11 ≡ 39 (mod 50), we have 27 × 39 ≡ 1 

(mod 50). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

As we’ve seen, gcd(a, n) always divides (ab)%n, for any choice of integer b. 

That is, (ab)%n is always a multiple of gcd(a, n). So for there to be a solution 

x to ax%n = 1 we must have gcd(a, n) = 1. And if so, then the solution x is 

found in the coefficient line. 

These concepts are important enough that they have names. If two numbers 

have a gcd of 1, they are said to be relatively prime. And when two numbers 

a and n are relatively prime then they each have a multiplicative inverse 

with respect to the other – there are solutions x and y to (ax)%n = 1 and 

(ny)%a = 1.


Before summarizing, let’s do a couple more examples. 

Examples: 

(1) Does 7 have a multiplicative inverse modulo 26 If so, what is it 

This is asking us to find gcd(7, 26). If the gcd is 1, then we may solve 

7x ≡ 1 (mod 26). 

q 

r 

c 

26 

0 

3 

7 

1 

1 

5 

−3 

2 

2 

4 

2 

1 

−11 

0 

Since gcd(7, 26) = 1, 7 and 26 are relatively prime and 7 does have a 

multiplicative inverse modulo 26. It is −11 or its positive version 15 

(since −11 ≡ 15 (mod 26)). Thus 7 may be used as the multiplicative 

enciphering key in a decimation or linear cipher, and 15 will be (part of) 

the deciphering key. 

(2) Does 8 have a multiplicative inverse modulo 26 If so, what is it 

q 

r 

c 

26 

0 

3 

8 

1 

4 

2 

−3 

0 

Since gcd(8, 26) = 2 is not 1, 8 and 26 are not relatively prime, and so 

there is no multiplicative inverse for 8. Hence 8 may not be used as the 

multiplicative enciphering key in a Decimation or Linear Cipher. 

(3) Find gcd(49, 13) and, if possible, solve 13x ≡ 1 (mod 49) 

q 

r 

c 

49 

0 

3 

13 

1 

1 

10 

−3 

3 

3 

4 

1 

1 

−12 

0 

gcd(49, 13) = 1 so they are relatively prime and since −12 ≡ 37 (mod 49), 

the inverse of 13 modulo 49 is 37. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Euclid’s Extended Algorithm is quite simple. Nonetheless it is very powerful. 

Let’s end this section by summarizing it and some of its consequences. 

Because we will mostly be using it for computing a deciphering key from a 

known enciphering key k and modulus n, we state it in terms of k and n.

4.4. DECIPHERING DECIMATION AND LINEAR CIPHERS 63 

Theorem 2 (The Extended Euclidean Algorithm) Given two integers n 

and k with n > k, construct the table 

q 

r 

c 

n 

0 

⋆ 

k 

1 

· · · 

· · · 

· · · 

∗ 

q 

by, at each step, from 

form 

a b 

a b r 

α β 

α β α − qβ 

quotient and r the remainder are computed from a ÷ b. Then 

⋆ 

g 

d 

0 

where q the 

1. This process eventually terminates by producing a 0 in the “remainder” 

line. 

2. The last non-zero entry in the remainder line is gcd(n, k). 

3. At each step, β × k ≡ b (mod n). In particular, if d is the entry in the 

coefficient line directly below the gcd g = gcd(n, k), then a × d ≡ gcd(n, k) 

(mod n). 

4. When n and k are relatively prime, d is the inverse of i modulo n. 

We haven’t formally proven all of this important theorem, although all of 

the necessary ingredient have been stated. See any text on number theory, such 

as [KRosen], for the missing parts. Nonetheless, the theorem does explain the 

oddities in division we noticed at the end of Section 3.2. 

Examples: Examples of Division in Modular Arithmetic. 

(1) 3x ≡ 9 (mod 7) has the usual solution x = 3. 

Since gcd(7, 3) = 1 divides 9 there is exactly gcd = 1 solution. 

(2) 3x ≡ 9 (mod 12) has the usual solution x = 3, but also x = 7 and x = 11. 

Since gcd(12, 3) = 3 divides 9 there are gcd = 3 solutions. 

(3) 3x ≡ 8 (mod 7) has the unusual solution x = 5. 

Since gcd(7, 3) = 1 divides 8 there is gcd = 1 solution. 

(4) 3x ≡ 8 (mod 12) has no solutions. 

Since gcd(12, 3) = 3 doesn’t divide 8 there are no solutions. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

4.4 Deciphering Decimation and Linear Ciphers 

We now finally understand what needs to be “proper” about the multiplying 

keynumbers in Decimation and Linear Ciphers. When we work modulo 26,


in order for the multiplicative keynumber number k to have a multiplicative 

inverse, its greatest common divisor with 26 must be 1. And if so, the Extended 

Euclidean Algorithm computes the multiplicative inverse of k. This allows us 

to finalize our description of the multiplicative ciphers. 

Computing Keys for Decimation and Linear Ciphers: 

1) Pick an integer k. 

2) Use the Euclidean Algorithm to check that gcd(k, N) = 1. 

3) If not, pick a new k. 

4) If so, use the Euclidean Algorithm to find the inverse d. (If d is 

negative, use N + d instead.) 

Examples: 

(1) Decipher OXXMT MEB. It was enciphered with key 19m + 12 modulo 26. 

A Linear Cipher first multiplies and then divides. To undo this we must go 

backwards: first subtract and then “divide.” Dividing, of course, means 

multiplying by the inverse of 19 modulo 26, which from Figure 3.2 is 11. 

ciphertext O X X M T M E B 

ciphernumbers 15 24 24 13 20 13 5 2 

−12 3 12 12 1 8 1 -7 -10 

×11 33 132 132 11 88 11 -77 -110 

%26 7 4 4 9 20 9 15 14 

plaintext a d d i t i o n 

The answer is addition. 

(2) Decipher FRGPN I. The enciphering key was 14 modulo 27. 

First we need to find the inverse of 14 modulo 27: 

q 

1 1 1 

r 

c 

27 

0 

14 

1 

13 

−1 

The inverse is 2. So we decipher by multiplying by 2 modulo 27. 

The answer is linear. 

1 

2 

ciphertext F R G P N I 

ciphernumbers 6 18 7 16 14 8 

×2 12 36 14 32 28 16 

%27 12 9 14 5 1 16 

plaintext l i n e a r 

(3) May 13 be used as the multiplicative part of a key in a Decimation or 

Linear Cipher modulo 33 

Yes: gcd(33, 13) = 1. (We didn’t even need Euclid’s Algorithm for this 

one!) 

0

4.5. BREAKING DECIMATION AND LINEAR CIPHERS 65 

(4) Decipher JWNIC G. It was enciphered with the Linear Cipher 13m + 4 

modulo 33. 

Ok, now we do need Euclid’s algorithm: 

q 

r 

c 

33 

0 

2 

13 

1 

1 

7 

−2 

1 

6 

3 

6 

1 

−5 

0 

Since −5%33 = 28 the inverse of 13 is 28. 

subtracting by 4 and multiplying by 28. 5 

Now we may proceed by 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

As one last example, recall from Chapter 3 that the Kid-RSA cipher has 

as public information an enciphering key e and modulus n. In order for this 

cipher to be worthwhile, it must be infeasible for an adversary to compute the 

secret deciphering key d from the public keys e and n. Because of the Euclidean 

Algorithm, not only is computing d not infeasible, it is simple. 

To illustrate, if Albert has published e = 893 and n = 8106 as his public 

keys, we simply compute gcd(8106, 893): 

q 

r 

c 

8106 

0 

9 

893 

1 

12 

69 

−9 

1 

65 

109 

16 

4 

−118 

4 

1 

1997 

0 

So in a very few steps, the “secret” deciphering key is d = 1997. Even though 

there is no real security in Koblitz’s system, it did allow us to introduce the 

important concepts related to public keys. 

4.5 Breaking Decimation and Linear Ciphers 

Earlier we saw that decimation and linear ciphers cause letters which are adjacent 

in the plaintext alphabet to be separated in the ciphertext alphabet. How 

much does this improve security Consider the ciphertext from Section 3.5 that 

was enciphered with a linear cipher. 

UQESF YFTGW SGPVS PPVQX QEDGR PMQFP YJSFG EORVQ DQBQF PVQWO 

MRTQW PUOTT SPPOM QWOFE TIXQS FIMLQ DYJUY FXQDO FCW 

It has the following letter frequency table. 

5 cipher. 

0 1 1 4 4 9 4 0 2 2 0 1 4 0 6 9 13 3 6 5 3 4 5 3 4 0 



As we saw in Chapter 3 this is not a Caesar cipher; none of the standard hill and 

valley patterns can be found in the frequency count. Are there any new patterns 

that might replace our old ones To find out, study carefully the following two 

plaintext/ciphertext alphabet pairs: 

Key k = 5 : 

plaintext 

ciphertext 


E J O T Y D I N S X C H M R W B G L Q V A F K P U Z 

Key k = 3m + 4: 

plaintext 

ciphertext 


E H K N Q T W Z C F I L O R U X A D G J M P S V Y B 

In the first, we have a → E, b→ J, c→ O, and while abc are consecutive, EJO 

are not; they are 5 letters apart. In fact, any two consecutive plaintext letters 

are sent to ciphertext letters five letters apart. The multiplicative key of 5 

apparently spreads out the letters by a factor of 5. Why is this Two consecutive 

plaintext letters will have plainnumbers that differ by one, say α and α + 1. 

When enciphered the (unreduced) ciphernumbers are 5α and 5α + 5, which 

differ by 5. 

Does the same work for the linear cipher k = 3m + 4 (Check it and 

see!) 6 At first glance it seems that Decimation and Linear ciphers do a good 

job of “unordering” the plain alphabet, mixing it up well. But these examples 

should convince us that this is not so. In fact, the rule is that the distance 

consecutive plain alphabet letters are spread apart equals the multiplicative key 

of the cipher. 

We can use this idea to decrypt our ciphertext. In our unsolved cipher, B 

and U are the two most common letters in the ciphertext: perhaps they are e 

and t, respectively Since a linear cipher has the formula mk + c, so guessing 

that B = e tells us 5k + c ≡ 2 and guessing U = t gives us 2km + c ≡ 21, both 

equations modulo 26. So c ≡ 2 − 5k and c ≡ 21 − 20k. Setting these equal gives 

20k − 21 ≡ 5k − 2 or 15k ≡ 19. From Figure 3.2 the inverse of 15 is 7. So if 

we multiply both sides of 15k ≡ 19 by 7, since 15 × 7 ≡ 1 and 19 × 7 ≡ 3, we 

are left with k ≡ 3. Finally, from 5k + c ≡ 2 and k = 3, we can substitute and 

solve to see that c = 13. Thus the original cipher was a linear cipher with rule 

3k + 13. We can then simply decipher the message. 7 

Now this only worked because we were lucky enough to guess both e and 

t. However, a cipher that is easily broken once your enemy correctly guesses 

only two letters is probably not a very strong one. Just as Caesar ciphers 

proved to be weak because they do not separate adjacent letters in the plaintext 

alphabet, Decimation and Linear ciphers are weak because the plaintext letters 

are enciphered using an easily recognized pattern. 

6 Yes. The letters are spread out by a factor of 3 and then shifted 4 more letters down the 

alphabet. 

7 We can only say that the decryptment of any cipher, even the simplest, will 

at times include a number of wonderings. Helen Fouché Gaines.

4.6. SUMMARY 67 

To put it more bluntly, guessing one letter correctly allows us to break Caesar 

ciphers. Guessing two letters correctly allows us to break Decimation and Linear 

ciphers. 

4.6 Summary 

A Linear Cipher is a combination of a Decimation and a Shift Cipher, and 

so has both a multiplicative and an additive key. The additive key can be 

chosen at random, like in a Shift Cipher, but, like in a Decimation Cipher, the 

multiplicative key must be chosen so that it is relatively prime to the modulus. 

A relatively quick way of computing greatest common divisors is with the 

Euclidean Algorithm. To compute the gcd of two numbers, the algorithm uses a 

process of repeated remainder operations in which the larger of the two numbers 

is continually replaced by the remainder of the larger divided by the smaller. 

By putting this into a table and making use of the quotients involved, the multiplicative 

inverse can also quickly be found. Since Koblitz’s Kid-RSA depends 

for its security on the inability for an adversary to compute multiplicative inverses, 

we see it not secure at all, but is intended as a toy system, intended to 

demonstrate the concept of public keys. 

Decimation and Linear Ciphers do a better job of mixing the ciphertext 

alphabet than a Caesar Cipher does. Letters that are adjacent in the plaintext 

alphabet are not adjacent once enciphered, they are k letters apart, where k 

is the multiplicative key of the cipher. While this prevents us from using the 

hills and valley patterns of the normal frequency to break the cipher, it provides 

enough order so that if two ciphertext letters can be matched with their plaintext 

counterparts either of these ciphers can be broken. 


1. How many keys does a Linear Cipher need 

2. How do we encipher with a Linear Cipher 

3. What is the greatest common divisor of two numbers 

4. What is the Euclidean Algorithm 

5. What does relatively prime mean When are two numbers relatively 

prime 

6. How do we use the Euclidean Algorithm to find a gcd 

7. What is a multiplicative inverse 

8. When does a number have a multiplicative inverse modulo n


9. How do we use the Euclidean Algorithm to find a multiplicative inverse 

10. How many Linear Ciphers are there modulo 26 

11. What information is needed to decipher a Decimation Cipher A Linear 

Cipher 

12. Are Decimation Ciphers secure or not Why 

13. Are Linear Ciphers secure or not Why 

14. Can a frequency count help break a Decimation or Linear Cipher Explain. 

4.8 Exercises 

1. Use the Euclidean Algorithm to find the following gcd’s. 

(a) gcd(32, 54). 

(b) gcd(45, 39). 

(c) gcd(78, 53). 

(d) gcd(102, 78). 

2. Use the Euclidean Algorithm to find the following gcd’s. 

(a) gcd(61, 56). 

(b) gcd(121, 77). 

(c) gcd(735, 140). 

(d) gcd(297, 201). 

3. Use the Euclidean Algorithm to find the following gcd’s, and then find a 

solution to the related modular equation. 

(a) Find gcd(25, 85). Find a solution to 25x ≡ gcd (mod 85). 

(b) Find gcd(27, 17). Find a solution to 17x ≡ gcd (mod 27). 

(c) Find gcd(24, 102). Find a solution to 24x ≡ gcd (mod 102). 

(d) Find gcd(149, 78). Find a solution to 78x ≡ gcd (mod 149). 

4. Use the Euclidean Algorithm to find the following gcd’s, and then find a 

solution to the related modular equation. 

(a) Find gcd(16, 110). Find a solution to 16x ≡ gcd (mod 110). 

(b) Find gcd(31, 79). Find a solution to 31x ≡ gcd (mod 79). 

(c) Find gcd(298, 79). Find a solution to 79x ≡ gcd (mod 298). 

(d) Find gcd(306, 192). Find a solution to 192x ≡ gcd (mod 306).


5. Here we work with Decimation Ciphers modulo 28, using 27 = . 

(a) Encipher no spaces allowed with key 19. 

(b) Decipher CUDAZ KOTQW A. The enciphering key was 17. 

(c) Decipher XDOMQM HKE Q JYBQM KT . The enciphering key was 11. 

(d) Decipher P WHO ENOWL MKI. The enciphering key was 13. 

6. Encipher the following words, using the given linear cipher modulo 26. 

(a) Geometry, 3m + 7. 

(b) Algebra, 11m + 19. 

(c) Trigonometry, 7m + 2. 

7. Decipher the following words. They were enciphered with a linear cipher, 

modulo 26. 

(a) VFQDY DMBMP O, key 5m + 20. 

(b) TKIAB CVFQ, key 23m + 4. 

(c) YVZGN YNX, key 19m + 8. 

(d) HGZGR HGRXH, key 25m + 1. 

8. What happens if we follow a linear cipher by another linear cipher 

9. In this problem we work as we did in Chapter 3 Exercise 8: the numbers 

0 to 9 stand for themselves in the plaintext, 10 is for spaces, 11 to 36 

represent the letters of the alphabet, and we work modulo 37. 

(a) Encipher 8 or 9 using a Caesar cipher with key 11. 

(b) Encipher 25 cents using a Decimation cipher with key 18. 

(c) Encipher Tea for 2 using a Linear Cipher with key 13m + 6. 

(d) Decipher NAA52 5I5NB 75I52 5NAA. It was enciphered with a Decimation 

cipher with key k = 19. 

(e) Decipher 9AIB ZE0AD ZAEJB A9D66 PL. It was enciphered with a 

Linear Cipher with key 15m + 9. 

(f) Decipher REHQD HMHTQ H7. It was enciphered with a Linear Cipher 

with key 8m + 12. 

(g) Decipher A0L6O ISS. It was enciphered with a Linear Cipher with 

key 16m + 7. 

(h) Decipher 5UHUE XUKEL U5UH. It was enciphered with a Linear Cipher 

with key 31m + 17. 

(i) Decipher L2 83 3 T20 JIQ. It was enciphered with a Linear Cipher 

with key 13m + 20.


10. In a Decimation Cipher the enciphering key must be smaller than an 

relatively prime to the modulus. Since there are 12 numbers between 1 

and 26 whose gcd with 26 is 1, there are 12 Decimation Ciphers modulo 

26. 

(a) How many Decimation Ciphers are there modulo 7 (Hint: how 

many numbers are smaller and relatively prime to 7) How many 

(b) How many Decimation Ciphers are there modulo 18 

(c) How many Decimation Ciphers are there modulo 28 

(d) How many Decimation Ciphers are there modulo 35 (It might be 

easier to first find the numbers that are not proper enciphering keys.) 

11. The following is a decimation cipher. Use the techniques of this chapter 

to decrypt it. 

PYETO MLWPQ QRVOT TWDQK IODQW WTYUR SEQSP JODWP UOTTO SMWVS AQWRQ 

SDQ. 

12. The following is a linear cipher. With the hint that the three most common 

letters are eit (although not necessarily in that order), can you decrypt 

it 

JXYVK MDZYJ PNFJK NLXLD SHYNM NWZMD HGNXG JPLJW NWZLO NFMFQ TMNFW 

DMNPP LENJM LIVKL YXLKM NQIL 

13. Alex’s public Kid-RSA gives e = 361 and N = 4063. Suppose you’ve 

captured the message “I used your PK. 630, 3518, 269, 3157, 722, 899, 

3157, 177, 1352, 630, 1352, 1444, 3157, 177, 1805, 991, 3157, 899, 2166, 

3249, 3879, 1805. 

GTTGM JNQJZ DMFF. 

Can you decrypt the message 

14. Corrine’s public Kid-RSA lists e = 495 and N = 2644. You’ve intercepted 

a message for her: “Use 

978, 2475, 314, 2475, 978, 1473, 2475, 1980, 495, 652, 2632, 1316, 495, 

990, 2475, 1968. 

XZHS RM YLC MFNYVI GVM. 

Can you decrypt the message

Chapter 5 

Monoalphabetic Ciphers 

Here is an example of a plaintext – ciphertext alphabet pair for each type of 

cipher we have seen thus far. 

1. A Caesar cipher with key 5: 




F G H I J K L M N O P Q R S T U V W X Y Z A B C D E 

2. A Decimation Cipher modulo 26 with key 21: 




U P K F A V Q L G B W R M H C X S N I D Y T O J E Z 

3. A Linear Cipher modulo 26 with key 7m + 9: 




P W D K R Y F M T A H O V C J Q X E L S Z G N U B I 

These are all monoalphabetic ciphers, ciphers in which the same plaintext 

letters are always replaced by the same ciphertext letters. Mono, meaning one, 

indicates that each letter has a single substitute. In this chapter we look at 

other ways of creating monoalphabetic ciphers. 1 

To construct a monoalphabetic cipher, we need to create some ordering of 

the alphabet, such as S O M E R D I N G X H B V L T U J W K Y Z F A C P Q, and 

pair it with a plaintext alphabet, 




S O M E R D I N G X H B V L T U J W K Y Z F A C P Q 

1 When the ciphertext alphabet is in the usual order just shifted, as in (1), it is said to be 

a regular or direct substitution alphabet. When the ciphertext alphabet is mixed up, as in 

(2) and (3), it is said to be a mixed substitution alphabet. A reversed alphabet is another 

possibility, and is exactly what it sounds like. 

71

72 CHAPTER 5. MONOALPHABETIC CIPHERS 

We then encipher and decipher by translating from the plaintext to ciphertext 

alphabets and back, as usual. In this example alphabet becomes SBUNSORY. 

However it is not particularly easy to remember apparently random orderings 

of 26 letters. So we will concentrate a couple of well-known methods that use a 

key to develop the ciphertext alphabet’s order. 

5.1 Keyword Ciphers 

To use Keyword Cipher method to construct the ciphertext alphabet, pick a 

keyword and write it down, ignoring repeated letters. Follow it with the letters 

of the alphabet that have not yet been used. 

Example: Find the alphabet pairs for the keyword COLLEGE. 

Crossing out the letters that are making their second appearance leaves 

COLEG. To encipher then we use the pair of alphabets 

plaintext 

ciphertext 


C O L E G A B D F H I J K M N P Q R S T U V W X Y Z 

Enciphering university then gives UMFVGRSFTY. 

⋄ 

Clearly there is a problem with this cipher: it does a poor job of mixing the 

ciphertext alphabet. Around 1580 Giovanni Battista Argenti suggested that one 

also pick a keyletter and begin the keyword under that letter of the plaintext. 

The Argentis, Giovanni and his nephew Matteo, form one of the great cryptology 

families of the middle ages. After many years of trying, in 1590 Giovanni finally 

became papal secretary of ciphers in Rome, only to quickly weaken from the 

frequent necessary trips to Germany and France. Before dying on April 24, 

1591, he passed his knowledge to his nephew Matteo who succeeded him and 

held the office during the reign of the next five popes. 

To use Giovanni’s method with keyletter p we would start COLEG under 

pqrst, giving 

plaintext 

ciphertext 


J K M N P Q R S T U V W X Y Z C O L E G A B D F H I 

Then university is enciphered as AYTAPLETGH. This method mixes the ciphertext 

alphabet better.

5.2. KEYWORD MIXED CIPHERS 73 

Example: Encipher university using keyword xylophone and key F. 2 

⋄ 

Even with the added complication, significant parts of the alphabet are still 

enciphered as in a Caesar cipher. Compare the ciphertext alphabet using keyword 

COLLEGE and key P with the alphabet generated by the Caesar cipher with 

keyletter L: 

plaintext 

COLLEGE and P 

Caesar key L 


J K M N P Q R S T U V W X Y Z C O L E G A B D F H I 

L M N O P Q R S T U V W X Y Z A B C D E F G H I J K 

There are many overlaps and near overlaps in the two cipher alphabets, which 

makes a keyword cipher not much more secure than a Caesar cipher. 

5.2 Keyword Mixed Ciphers 

The cryptosystem we call Keyword Mixed Ciphers seems to have been invented 

in 1854 by Sir Charles Wheatstone, whom we will meet again [Bauer, 

page 48]. 

Pick a keyword and write it out, again ignoring repetitions of letters. Then 

write the remainder of the alphabet underneath, using the same number of 

columns as letters in the shortened keyword. Finally, pull off the columns in 

order and write the letters underneath the plaintext alphabet. 

Example: Find the ciphertext alphabet using a Keyword Mixed Cipher and 

keyword COLLEGE. 

First we remove the repeated letters, so the shortened keyword is COLEG. 

Then we write the it down, followed by the remainder of the alphabet. 

C O L E G 

A B D F H 

I J K M N 

P Q R S T 

U V W X Y 

Z 

Finally we pull out the columns in order. 

plaintext 

ciphertext 


C A I P U Z O B J Q V L D K P Q E F M S X G H N T Y 

This results in a nicely mixed ciphertext alphabet without obvious pattern. ⋄ 

2 JAOKZFGOIR


Examples: Use a Keyword Mixed Cipher. 

(1) Encipher monoalphabetic using the keyword SIMPLE. 

The columnar arrangement of the alphabet is 

S I M P L E 

A B C D F G 

H J K N O Q 

R T U V W X 

Y Z 

Pulling the columns off in order, left-to-right, and putting it under the 

usual alphabet gives 

plaintext 

ciphertext 


S A H R Y I B J T Z M C K U P D N V L F O W E G Q X 

From here the enciphering should be quick. 

(2) Encipher cryptology using the keyword SECRET. 

(3) Decipher DPCRD JPUTI using the keyword HOMOPHONE. 

(4) Decipher COACH SHOHS EU using the keyword DIRECT. 3 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Keyword mixed ciphers are one of the best monoalphabetic ciphers. The 

key is simple to choose, remember and change, and the cipher itself is easy to 

setup and use. For these reasons there are a couple of modifications that people 

sometimes use: Keyword Transposed and Keyword Interrupted Ciphers. 

5.3 Keyword Transposed Ciphers 

In a Keyword Transposed Cipher we require the columns to be pulled off in 

alphabetical order. So if we use again COLLEGE as the keyword, from the array 

C O L E G 

A B D F H 

I J K M N 

P Q R S T 

U V W X Y 

Z 

3 (1) KPUPS CDJSA YFTH, (2) HFQWP OCOEQ, (3) polyphonic, (4) substitution.

5.4. INTERRUPTED KEYWORD CIPHERS 75 

we first pull out the C column, followed by the E column, and then the G, L and 

finally O columns. This gives 

plaintext 

ciphertext 


C A I P U Z E F M S X G H N T Y L D K P Q O B J Q V 

as the substitution alphabet. 

Examples: Use a Keyword Transposed Cipher. 

(1) Encipher monoalphabetic using the keyword SIMPLE. 

The columns of the alphabet look like 

S I M P L E 

A B C D F G 

H J K N O Q 

R T U V W X 

Y Z 

Pulling the columns off in alphabetical order gives the ciphertext alphabet 

plaintext 

ciphertext 


E G Q X I B J T Z L F O W M C K U P D N V S A H R Y 

From here the enciphering should again be quick. 

(2) Encipher cryptology using the keyword SECRET. 

(3) Decipher QFKLQ SFNYR using the keyword HOMOPHONE. 

(4) Decipher RMHRF YFMFY BI using the keyword DIRECT. 4 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

5.4 Interrupted Keyword Ciphers 

In an Interrupted Keyword Cipher instead of removing duplicated letters 

put in * as a placeholder. This time COLLEGE becomes 

C O L * E G * 

A B D F H I J 

K M N P Q R S 

T U V W X Y Z 

4 (1) WCMCE OKTEG INZQ, (2) JHQSU XFXBQ, (3) polyphonic, (4) substitution.


Then remove the ciphertext alphabet as in a keyword cipher, ignoring the *’s: 

plaintext 

ciphertext 


C A K T O B M U L D N V F P W E H Q X G I R Y J S Z 

Finally, one can use Interrupted Keyword Transposed ciphers, but we won’t. 

5.5 Frequency Counts and Exhaustion 

Are these new monoalphabetic ciphers any more secure than the ones we saw 

earlier Or will frequency analysis once again save (ruin) the day Let’s try 

to break a message enciphered with a keyword mixed cipher and see. 

Example: KNHHXKK QS PXTDQSB YQFJ NSISCYS HQEJXUK QK LXTKNUXP AO 

FJXKX RCNU FJQSBK QS FJX CUPXU STLXP EXUKXVXUTSHX HTUXRND LXFJCPK CR 

TSTDOKQK QSFNQFQCS DNHI FJX TAQDQFO TF DXTKF FC UXTP FJX DTSBNTBX CR 

FJX CUQBQSTD QK VXUO PXKQUTADX ANF SCF XKKXSFQTD 

The letter frequency count of the ciphertext is 


4 5 10 10 2 17 0 6 2 9 17 3 0 9 4 7 18 4 16 16 12 2 0 27 2 0 

Does this look like a Caesar cipher By far the most common letter is X, so 

this is likely e. But if so then S and T are y and z, respectively, and it is not 

likely that a message would have sixteen each of these letters. In fact, there 

is no low sextuple. This is not a Caesar cipher. The ciphertext’s letters have 

been well enough mixed that the standard frequency patterns have been totally 

destroyed. 

⋄ 

This is the main advantage of the keyword ciphers: unless we know the 

method and the keyword, it is quite difficult to directly detect the pattern in 

the ordering of the ciphertext alphabet. In a Caesar cipher, once we knew where 

the ciphertext version of e was located we were basically done. In Decimation 

and Linear ciphers, knowing two letters allowed us to determine the rest. With 

a keyword cipher, the ciphertext alphabet is mixed enough that knowing the 

meanings of even five or ten ciphertext letters does not necessarily disclose the 

pattern of encryption. 

What about exhaustion, one might ask We might use a computer and 

simply try all the possibilities. Working modulo 26 there are 26 different Caesar 

ciphers. There are only 12 decimation ciphers modulo 26, and 26 × 12 = 312 

linear ciphers. How many monoalphabetic ciphers are there Well, we have 26 

choices for which letter goes is substituted for a. Then we have 25 choices for

5.6. BASIC LETTER CHARACTERISTICS 77 

the substitution for b, 24 for c’s substitute, etc. Thus there are 

26! = 26 × 25 × 24 × · · · × 2 × 1 

= 403, 291, 461, 126, 605, 635, 584, 000, 000 

different monoalphabetic substitution ciphers. How large of a number is this 

If we used a computer that could check one trillion different possibilities every 

second, we’d need about 12 million years to check all the possibilities! 

Of course, no one simply uses brute force to break monoalphabetic ciphers. 

In our current example X almost positively must be e. And most of etaoinshr 

probably comes from CFKQSTU. This cuts down immensely on the number of 

possibilities. But to decrypt such a cipher in a truly finite amount of time we 

must go beyond simple frequency counts to consider the behaviors of the letters. 

5.6 Basic Letter Characteristics 

We’ve seen which letters are the most common (etaoinshr) and least common 

(vkjxqz). We next look at which letters appear first and last in words. We 

begin with the frequency information from earlier. (The initial and final letter 

percentages are from Sinkov’s study of 16410 words [Sinkov].) 

8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2 0.8 4.0 2.4 


6.7 7.5 1.9 0.1 6.0 6.3 9.1 2.8 1.0 2.4 0.2 2.0 0.1 


Figure 5.1: Letter Frequencies – Anywhere. 

11.0 4.6 5.6 2.8 2.5 4.1 1.8 3.9 5.6 0.6 0.5 2.1 3.5 


2.4 7.2 4.7 0 3.1 7.4 15.9 1.4 0.6 5.1 0 0.7 0 


Figure 5.2: Letter Frequencies – Initial Letters. 

Summarizing, the most common individual letters are 

1) Anywhere: etaoi, 4 vowels and t. 

2) Beginning words: tasoic, with t easily the most common. 

3) Ending words: edtsn (almost spells “endts”). 

4) Doubles: lesot. 

We put this summary into Figure 5.4.


2.9 0.2 0.6 10.0 20.3 4.5 2.8 2.5 0.4 0 0.1 3.7 1.3 


9.7 4.5 0.5 0 5.5 12.7 9.7 0.2 0.1 1.0 0.2 5.5 0 


Figure 5.3: Letter Frequencies – Final Letters. 

a e i o t r n h s 

common x X x x x 

start x x x X x 

end X x x x x x 

doubles x x x x 

Figure 5.4: Characteristics of etaoinshr. 

We also list the most common short words in English in Figure 5.5 and one 

list of the 100 most common English words, with the number of times they 

appeared out of 1, 000, 000 words, in Figure 5.6. 

1 letter words: a i 

2 letter words: an at as he be in is it on or to of 

3 letter words: the and (both really common,) was for his had 

4 letter words: that with this from have 

Figure 5.5: Most Common Short Words 

Notice that the most common words by far, are non-context words: articles, 

prepositions, conjunctions and other auxiliary particles. In fact, in some lists 

the of and to a in make up nearly 20% of all words, and up to 70 of the 100 

most used words are non-context words. 

5.7 Aristocrats 

We begin our breaking of general monoalphabetic ciphers with Aristocrats. 

These are short quotations enciphered with a monoalphabetic substitution. 

They appear in almost every newspaper, usually in the comics section. We 

start with them since they tend to be not terribly difficult, mainly because they 

keep word divisions and punctuation, and are frequently given with a hint. 

Decrypting aristocrats is mostly simple hard work, although some of our 

frequency information will be of service. Some suggested steps are

5.7. ARISTOCRATS 79 

the 69971 or 4207 so 1984 like 1290 

of 36411 have 3941 said 1961 our 1252 

and 28852 an 3747 what 1908 over 1236 

to 26149 i 3700 up 1895 man 1207 

a 23237 they 3618 its 1858 me 1181 

in 21341 which 3562 about 1815 even 1171 

that 10595 one 3292 into 1791 most 1160 

is 10099 you 3286 them 1789 made 1125 

was 9816 were 3284 than 1789 after 1070 

he 9543 her 3037 can 1772 also 1069 

for 9489 all 3001 only 1747 did 1044 

it 8756 she 2859 other 1702 many 1030 

with 7289 there 2724 new 1635 before 1016 

as 7250 would 2714 some 1617 must 1013 

his 6997 their 2670 time 1599 through 969 

on 6742 we 2653 could 1599 back 967 

be 6377 him 2619 these 1573 where 938 

at 5378 been 2472 two 1412 much 937 

by 5305 has 2439 then 1377 your 923 

this 5146 when 2331 do 1363 way 909 

had 5133 who 2252 first 1360 well 897 

not 4609 more 2216 any 1345 should 888 

are 4393 no 2201 my 1319 because 883 

but 4381 if 2199 now 1314 each 877 

from 4369 out 2096 such 1303 just 872 

Figure 5.6: The 100 Most Common Words in English 

1. Do a frequency count. Identify which ciphertext letters are most likely 

etaoinshr. Be aware, however, that especially in short message, frequencies 

can be very strange. 

2. Look at the initial and final letters of words. Use this to help identify 

which etaoinshr letters are which. 

3. Study the short words. There frequently are words like I, a, the and and 

present. 

4. Work hard. Mix effort with brain power. Remember that brilliant inductive 

realizations usually come only after some hard thought. 

Example: SDGHKHMP HP TDQJ ZBFXJQDEP KWBF LBQ, YDQ HF LBQ CDE BQJ 

DFGC UHGGJZ DFMJ. LHFPKDF MWEQMWHGG Hint: G = l. 

Substituting the given G = l gives the word UHllJZ=**ll**. So H and J 

must be vowels, and U and Z are probably consonants. The words HP and HF 

show P and F to be consonants, and H is perhaps i


Turning to the frequency count 


0 5 2 8 3 7 6 5 0 5 5 3 4 0 0 3 6 0 1 1 1 0 3 1 1 2 

the most common letters are BDFGHJKQ. Of these, F, J and Q each occur three 

times as final letters. Let’s guess that one of these is e. It cannot be F, a 

consonant, nor Q, as then the word TDQJ would end in an e-vowel combination. 

So e must be J. 

Next, BQJ=BQe, so Q must be a consonant, and from LBQ, B is probably a 

vowel, hence a or o. Trying B=o doesn’t work. But when we try B=a, we quickly 

see Q=r, making YDQ = YDr = Yor = for, as o is the only vowel then left. 

At this point the cipher looks like *oli*i*s is *ore *an*ero*s **an *ar, 

for in *ar *o* are onl* *ille* on*e. *in*on ***r**ill. From here the 

quotation should be pretty easy to complete. 5 

⋄ 

Clearly this example worked out a little too nicely, in part because we hid 

some false starts and in part because time spent thinking and scratching one’s 

head is hard to indicate in text. But it should still give an idea of how Aristocrats 

are attacked. 

5.8 Summary 

A monoalphabetic cipher is one in which the each plaintext letter is replaced by 

the same ciphertext letter throughout the entire message. The Caesar or Shift 

Ciphers, Decimation Ciphers and Linear Ciphers are all monoalphabetic, as are 

the various types of Keyword Ciphers introduced in this chapter. 

The Keyword Ciphers all use a keyword to develop an ordering of the ciphertext 

alphabet. The more important ones are the Keyword Mixed and Keyword 

Transposed Ciphers. Select a keyword and drop any repeated letters in it. Then 

write the remainder of the alphabet underneath in as many columns as remain 

in the keyword. For a Mixed Cipher the ciphertext alphabet is then the columns 

pulled off in order, left-to-right, while for a Transposed Cipher the alphabet is 

pulled off in alphabetical order of the top row. 

A popular type of decryption puzzle is an Aristocrat, which is generally 

a short quote enciphered with a monoalphabetic cipher. Word divisions and 

punctuation are generally kept, and a hint is often given. The keys to decrypting 

these ciphers include the usual frequency count, some knowledge of initial and 

final letters of words, and very often the use of common short words. 

5 Politics is more dangerous than war, for in war you are only killed once. 

Winston Churchill.

5.9. TOPICS AND TECHNIQUES 81 


1. What is the chief characteristic of a Monoalphabetic Cipher 

2. What is a Keyword Cipher How do we encipher and decipher with it 

3. What is a Keyword Mixed Cipher How do we encipher and decipher with 

it 

4. Keyword Ciphers and Keyword Mixed Ciphers use their keyword differently. 

Explain the difference. 

5. What is a Keyword Transposed Cipher How do we encipher and decipher 

with it 

6. How do Keyword Mixed Ciphers and Keyword Transposed Ciphers differ 

7. What letters most commonly begin words in English 

8. What letters most commonly end words in English 

9. What are the most common one-letter words in English Two-letter 

words Three-letter words 

10. What are the most common words in English 

11. What is an Aristocrat 

12. What steps help decrypt an Aristocrat 

5.10 Exercises 

1. Encipher or decipher the following words using a Keyword Cipher with 

the given keyword. 

(a) democrat with REPUBLICAN. 

(b) chocolate with HOT. 

(c) JUIES OP with LETTERS. 

(d) DSTLQ with TAILS. 

(e) SQGSI LT with BASEBALL. 

2. Encipher or decipher the following words using a Keyword Mixed Cipher 

with keyword COLORS. 

(a) canary. 

(b) eggplant. 

(c) fuchsia.


(d) lavender. 

(e) DXLAU EET. 

(f) PEGB HM. 

(g) WUEHF HIVLU. 

(h) DCOIU QC. 

(i) JHUII C. 

3. Encipher or decipher the following words using a Keyword Mixed Cipher 

with keyword WEEKDAYS. 

(a) Tuesday. 

(b) Thursday. 

(c) DOGTW J. 

(d) CHKTW J. 

(e) PYGTW J. 

4. Encipher or decipher the following words. They were enciphered via a 

Keyword Transposed Cipher with the keyword VEGETABLES. 

(a) turnip. 

(b) cabbage. 

(c) lentil. 

(d) eggplant. 

(e) parsnip. 

(f) MDHIA MI. 

(g) RDORG WJA. 

(h) RHRHP IJM. 

(i) GKDFM AIO. 

(j) RAHFOUFKVJM. 

5. Decipher the following words. They were enciphered via a Keyword Mixed 

Cipher with the given FRUITS. 

(a) artichoke. 

(b) guava. 

(c) tapioca. 

(d) mulberry. 

(e) papaya. 

(f) currant. 

(g) DIKYB VFQFE Y.


(h) DYVTP KKIQ. 

(i) EFKFV PQO. 

(j) FWFHFOI. 

(k) UMKLMFE. 

(l) KFQBI. 

6. Encipher or decipher the following words using a Keyword Transposed 

Cipher with the keyword AMERICA. 

(a) Brazil. 

(b) Columbia. 

(c) Ecuador. 

(d) French Guiana. 

(e) BXNHL H. 

(f) UYLYW XYAH. 

(g) JXDML HFY. 

(h) XDXBX HN. 

(i) ZHDHB XHN. 

7. Decipher the following words. They were enciphered via a Keyword Transposed 

Cipher with the keyword SPORTS. 

(a) Rugby. 

(b) Tennis. 

(c) Luge. 

(d) Biathlon. 

(e) Croquet. 

(f) Lacrosse. 

(g) COMIL NUXN. 

(h) ROQOR LNB. 

(i) VOLOD OL. 

(j) SWUON AZW. 

(k) CXEDL NB. 

(l) HFLHR WU. 

8. Encipher or decipher the following words using an Interrupted Keyword 

Cipher with the given keyword. 

(a) tea with keyword COFFEE. 

(b) beer with keyword PRETZELS. 

(c) LUAZC XE with keyword APPLES. 

(d) STERI with keyword TELEVISION. 

(e) RTJHI Z with keyword PAPER.


9. Decrypt the following Aristocrats. A hint has been given. 

(a) ZJG REGFF ADLH DZRFG AFDRE, EDXG DKA ZXKYFGKDXVH BJKRXKQF RJ 

YGJO. CQR TEJKF BDVVH RDTFG JZZ. IJEKKL BDGHJK. 

Hint: R = t. 

(b) KAHTH FN WJ XLW NJ EMHNNHC KALK NJXH RAJ NKLWC EP AFN CHLKAEHC 

RJW’K ALFM KAH JDDLNFJW RFKA CHMFIAK. XLTDSN LSTHMFSN. 

Hint: A = h . 

(c) E OEB IZ JVEYU KCH KVIRTZ E ZTJVTR IB EBU HRCTV KEU RCEB HBT 

KCIJC KIWW JHBJTEW IR XVHO RCT FAWGEV. VHGTV DEJHB. 

Hint: V = r. 

(d) D QZJSEY ZO D VEGSAX AB TYZGZMK D VEOODKE OA GSDG ZG QDMMAG IE 

YEDX IL DMLAME ZKMAYDMG AB GSE VEGSAX. BNEGQSEY JYDGG. 

Hint: X = d. 

10. Decrypt the following Aristocrats. 

(a) IOKVK MVK UKTKVMZ JGGF XVGIKLICGHU MJMCHUI IKYXIMICGH ENI IOK 

UNVKUI CU LGSMVFCLK YMVA ISMCH 

(b) EKY HZMJECDZAX US EKY AZUSECHZAE CI JLWWNYS XCEEC CI EKY AXYZ- 

UHAR HZMJECDZAJK ASSCHUAEUCR 

(c) CP TEF HALZKCTO ZM QCREFKV CT CV ZPNO TEF FGCVTFPQF ZM KFDJPD- 

APQO CP TEF ZKCXCPAN HFVVAXFV TEAT HAWFV A VZNJTCZP RZVVCINF 

(d) MOY DYKP IOJIVJPFEPV ESDOKP LJ E JVFWOYK PFEJIV BGVJ BOFZLJA 

OJ E IONV LP LK JOP OQPVJ NOJV CM IOJKILOYK VQQOFP DLKK QFLVN- 

FLIGK 

11. During the 1670’s The Chevalier de Rohan was imprisoned under suspicion 

of treason. While guilty, there was little evidence and his life depended on 

the fate of his accomplice who lay dying in the same prison. If his friend 

confessed, Rohan would be convicted and executed. If not, Rohan might 

be able to go free. 

Shortly before his trial Rohan received a note hidden in a bundle of clothing: 

PVQ RDOWYFQD OW XQSX VQ WSOX FYPVOFC. Should Rohan confess 

and throw himself on the mercy of the court Or should he stonewall 

and hope to be let free (The message was actually in French. For 

those who read French, the ciphertext is MG EULHXCCLGU GHJ YXUJ LM 

CT ULGC ALJ.) 

12. Decrypt the following monoalphabetic cipher. Kahn [page 770] says a 

similar method was used, albeit in Latin, to record this event. 

J1629 B1762, 01ug3927 of W45541m B1762, cu71927 of 932 p17483, 48 

b1p94820 J16u17y 1, 1645 46 C5219o7, Cumb275160, 26g5160


13. Ciphers in which pairs of numbers replace each letter are called biliteral 

or dinome ciphers. A simple way to construct such ciphers is to put 

the letters of the alphabet into a rectangle and number the rows and the 

columns. For example, if we use a five-by-five square, and squash i and j 

together, we have 

1 2 3 4 5 

1 a b c d e 

2 f g h ij k 

3 l m n o p 

4 q r s t u 

5 v w x y z 

To encipher, replace the letter by its row–column number pair, that is, 

read from the side first. So box becomes 12 34 53. Deciphering is just 

translating back into letters. 

Use the given square to encipher or decipher the following. 

(a) rectangle. 

(b) square. 

(c) 54 66 53 56. (Hint: 41 was added to every number before transmission). 

(d) 42 32 14 15 23 45 43. The alphabet was entered into the square 

using the keyword DINOME. 

(e) Perhaps the first ever use of a password was when Giovanni Argenti, 

around 1589, used PIETRO and a rectangle with two rows and 10 

columns (0 being the first). (The letters jkvwxy did not appear.) Using 

this method, 17 16 13 13 11 27 13 16 and 24 16 13 13 12 

15 gives Argenti’s middle name and his nephew’s name. What are 

they 

14. A larger bipartite cipher was used by Brig. General Leslie R. Groves 

[Kahn, page 546]. It took the form 

1 2 3 4 5 6 7 8 9 0 

1 I P I O U O P N 

2 W E U T E K L O 

3 E U G N B T N S T 

4 T A Z M D I O E 

5 S V T J E Y H 

6 N A O L N S U G O E 

7 C B A F R S I R 

8 I C W Y R U A M N 

9 M V T H P D I X Q 

0 L S R E T D E A H E


(a) Groves used this cipher for certain telephone conversations during 

the building of the atomic bomb. Encipher atomic bomb. 

(b) Decipher 01-53 72-29-01 96-22-25-70 45-74 77-47-28-92-42. He 

was Groves’ phone partner. 

(c) The bomb was developed at 28-92-66 62-01-08-19-15-39. 

15. Construct a complete sentence of at least six words that uses no e’s and 

no t’s. 

16. John Jay served as a delegate to the First and Second Continental Congresses, 

as well as in the Continental Congress, eventually being elected 

its president. He was only thirty-three when he was appointed Special 

Minister to Spain in 1779. This was an especially important post: Jay 

would have the responsibility for negotiating for the expected aid from 

Spain, perhaps even an alliance, as well as for the right for Americans 

to use the southern Mississippi for shipping (New Orleans then being in 

Spain’s control). 

Even before departing for Spain, Jay worried about the Spanish habit of 

reading diplomatic correspondence. He proposed the following to Robert 

R. Livingston, then delegate to the Continental Congress and Jay’s former 

law partner. 

On Board the Confederacy near Reedy Island, 25 October 1779 

Dear Robert 

... To render [our correspondence] more useful and satisfactory a 

Cypher will be necessary. There are twenty six Letters in our alphabet. 

Take twenty six Numbers in Lieu of them thus. 


5 6 7 11 13 8 9 10 12 14 16 19 22 1 2 3 4 15 23 25 26 24 20 21 18 17 

Remember in writing in this Way to place a , after each number, and 

a ; or : or a - after each Word. This will prevent Confusion.” [Morris, 

pgs 656–666] 

(a) A portion of the remainder of this letter has been enciphered using 

Jay’s method. Decipher it. 

12, 25; 20, 12, 19, 19: 6, 13; 26, 1, 1, 13, 7, 13, 23, 23, 5, 15, 

18- 25, 2; 20, 15, 12, 25, 13: 5: 20, 10, 2, 19, 13- Letter; 12, 1: 

Cypher- 23, 2; 22, 5, 1, 18; 20, 2, 15, 11, 23: 12, 1- Cypher- 5, 

23; 20, 12, 19, 19: 6, 19, 12, 1, 11; 25, 10, 13- Sense: 20, 12, 19, 

19; 6, 13- 23, 26, 8, 8, 12, 7, 12, 13, 1, 25; 5, 1, 11: 22, 2, 15, 13- 

23, 5, 8, 13: 5, 23- 5: Discovery: 20, 12, 19, 19: 25, 10, 13, 15, 

13, 6, 18- 6, 13; 15, 13, 1, 11, 13, 15, 13, 11- 22, 2, 15, 13: 11, 12, 

8, 8, 12, 7, 26, 19, 25 

(b) The message contains some of Jay’s thoughts on making an enciphered 

message more secure. Do you agree or disagree with Jay’s 

thoughts Explain.


17. General Pierre G.T. Beauregard, departmental commander of South Carolina, 

Georgia, and Florida forces of the Confederate Army sent Maj. Gen. 

Patton Anderson the following on 7 April 1864 [Gaddy] 

“General: 

I inclose you herewith the following simple cipher for future use in 

important telegrams to these headquarters. For very important telegrams 

the diplomatic cipher should be used. Please inform me of its 

reception. 

[Inclosure] 

[end quote] 

A by M H by R O by U U by F 

B by K I by S P by I V by Q 

C by O J by V Q by G W by D 

D by A K by H R by Y X by T 

E by N L by X S by E Y by B 

F by C M by P T by Z Z by J 

G by W N by L 

(a) Using this cipher, ORMYXNEZUL, EUFZR OMYUXSLM gives Beauregard’s 

location. Where was he 

(b) Using this cipher, Anderson’s location was KMXADSL CXUYSAM. Where 

is this 

18. (a) Here is a cipher sent during the controversy about the Florida electoral 

returns following the 1876 Presidential election. [Glover, page 

E-48]. 

Jacksonville, 13. 

GEO. P. RANEY: 1:12 a.m., Nov. 14. 

Y e e i e m n s p p a i s s i t p i n s i t i t a a s h s h y y p 

i i m i m n s s s p e e n a a a i m a e n n s y i s n p i n s i m i 

m p e a a i t y y e n. 

DANIEL. 

As the New York Tribune put it, “It was evident, on a slight examination, 

that each letter in this cipher was not a substitute for 

another letter. . . . Probably, then, each letter in the cipher alphabet 

consisted of two characters.” Why 

(b) The Tribune then continued with a second message, “which, being 

partly in plain English, seemed to promise a clew [sic].”


JACKSONVILLE, Nov. 22 

S. PASCO, Tallahassee: 

Gave p p a i s h s h 

charge of i t y y i t n 

s he sent to m a 

p i n s i m y y 

p i i t But not to 

the other. Brevard returns 

sent you to-day E m y 

y p i s s a i n y 

Gone to Tallahassee Talla 

with him and let me know if I 

shall send trusty messenger. 

J. J. DANIEL. 

The Tribune started its explanation by noting that 

It appeared to be nearly certain that the first cipher word [in 

the second message] was the name of a person, and the second 

and third were names of counties. If we assume that each cipher 

[letter] consists of two letters, we must find as the equivalent of 

“ityyitns” a word of four letters, the first and third of which, 

“it,” are the same. “Dade” is the only name in the list of Florida 

counties which fulfils these conditions. The letters of “Dade” are 

repeated in the next word, and fit in with the obvious interpretation 

“Brevard. . . . The construction of the rest of the alphabet 

was now easy. 

Please complete the construction of the alphabet, and so decrypt the 

messages.

Chapter 6 

Decrypting Monoalphabetic 

Ciphers 

We begin with the unsolved cipher from Section 5.5: 

KNHHXKK QS PXTDQSB YQFJ NSISCYS HQEJXUK QK LXTKNUXP AO FJXKX RCNU 

FJQSBK QS FJX CUPXU STLXP EXUKXVXUTSHX HTUXRND LXFJCPK CR TSTDOKQK 

QSFNQFQCS DNHI FJX TAQDQFO TF DXTKF FC UXTP FJX DTSBNTBX CR FJX 

CUQBQSTD QK VXUO PXKQUTADX ANF SCF XKKXSFQTD 

The ciphertext has as its frequency chart 


4 5 10 10 2 17 0 6 2 9 17 3 0 9 4 7 18 4 16 16 12 2 0 27 2 0 

We have previously determined that this is not a Caesar cipher (as none of 

the usual hill and valley patterns fit) so we are treating it as a monoalphabetic 

cipher of unknown type. The most common letters are C, D, F, J, K, Q, S, 

T and X, so these are probably the substitutes for etaoinshr. But which is 

which and how can we decide 

Just as ciphers with word spacing are generally easier to decrypt than those 

without, long ciphers are generally easier to decrypt than short ones. And for 

a simple reason: the longer the cipher is, the more accurate the information 

given by the frequency count is likely to be. If we are given a 100, 000 letter 

message enciphered with a monoalphabetic substitution (without other trick!), 

we can be quite confident that exactly one of the ciphertext letters will occur 

almost 13% of the time, and this letter stands for e, that the next most common 

letter will appear very near 9% of the time and will stand for t, etc. Very little 

thought will be needed to decrypt the cipher. It is the medium length ciphers of 

25 to 100 letters, usually without proper word division, that give the beginning 

codebreaker some difficulty. We will concentrate on those in this chapter. 

89

90 CHAPTER 6. DECRYPTING MONOALPHABETIC CIPHERS 

6.1 Letter Interactions 

We have previously given the frequencies of letters, initial letters and final letters. 

Now we must look in more detail at the characteristics of the letters: how 

they behave and interact with each other. 

Approximately 35% of letters in English are the vowels aeio and about 35% 

of letters are the dominant consonants hnrst. So if we can determine which 

ciphertext letters represent these nine letters about 70% of the decrypting will 

be done. (And the rest will usually be fill in the blank.) Thus the main challenge 

when tackling a monoalphabetic cipher is telling the etaoinshr letters apart. 

First, these nine letters tend to group themselves into three sets of three by 

the likelihood they are initial or final letters, as can be seen in Figures 5.6 and 

5.6. 

Initial and Final Letters: 

(1) t, o and s appear frequently as both initial and final letters. 

(2) a, i, and h appear frequently as initial letters, but much less so as final 

letters. 

(3) e, n and r appear frequently as final letters but much less so as initial letters. 

While the doubling of a letter is fairly rare, in a long message there will 

almost certainly be some, and this help us tell the letters apart. 

Doublings: 

(1) ee, tt, oo and ss are common doubles. 

(2) aa, ii, hh, nn and rr are less common. 

Next, the vowels. 

Vowels: 

(1) Vowels like to combine with consonants, but not with each other. 

(2) Vowels are friendly, willing to combine with many different letters, including 

the low frequency ones. 

(3) The only common pairs of vowels are ou, ea and io. 

(4) e is the easiest to find: it is very common and ends many words. 

(5) a frequently follows e but never precedes it. 

(6) The pair ie and ei is the only common vowel-vowel reversal. 

(7) e and o almost never touch each other and both will make doubles. 

Finally, the consonants. 

Consonants: 

(1) Consonants like vowels, but, as there are so many of them and so few vowels, 

they often combine with one another as well.

6.2. DECRYPTING MONOALPHABETIC CIPHERS 91 

(2) h can be the easiest consonant to identify. It precedes vowels, rarely follows 

them, and can be found most often in th, he and ha. 

(3) t acts like a vowel in that it likes to mate with many other letters. It has a 

very strong desire to make th’s, and will make tt’s. 

(4) r will appear next to any vowel, and likes the company of the other highfrequency 

letters. 

(5) n and s act behave the reverse of h. They prefer to follow vowels and precede 

consonants. It can be hard to tell whether nst are vowels or consonants. 

We summarize some of this information in Figure 6.1, using x and X to 

indicate strong and stronger behaviors. 

a e i o t r n h s 

common x X x x x 

starting words x x x X x 

ending words X x x x x 

lots of mates x X x x x 

doubles x x x x 

Figure 6.1: Some Basic Letter Behaviors 

6.2 Decrypting Monoalphabetic Ciphers 

Now its time we get decrypting. What do we do 

1) Make a frequency chart. 

2) Does the frequency count suggest a Caesar cipher Look for e and t, the aei 

and rst triples, the uvwxyz string, either forwards or backwards. If you find 

two or three of these patterns it may be a Caesar cipher and we can decrypt 

these. If not, continue with step 3. 

3) Find the most common letters: these are probably etaoinshr. 

4) Develop a digraph table for the probable etaoinshr letters. For each 

appearance of a common ciphertext letter list the letter that precedes it and 

the letter that follows it in the cipher. These tables are a bit time consuming 

to construct, but are very helpful, especially for ciphers without word breaks. 

5) Use the letter behaviors table, Figure 6.1, to make initial guesses. 

6) Work hard and be persistent.


Let us illustrate these steps with the example given earlier. We start with 

an example that has word breaks because these are a bit easier. To help us later 

lets also number the words 

(1)KNHHXKK (2)QS (3)PXTDQSB (4)YQFJ (5)NSISCYS (6)HQEJXUK (7)QK 

(8)LXTKNUXP (9)AO (10)FJXKX (11)RCNU (12)FJQSBK (13)QS (14)FJX (15)CUPXU 

(16)STLXP (17)EXUKXVXUTSHX (18)HTUXRND (19)LXFJCPK (20)CR (21)TSTDOKQK 

(22)QSFNQFQCS (23)DNHI (24)FJX (25)TAQDQFO (26)TF (27)DXTKF (28)FC 

(29)UXTP (30)FJX (31)DTSBNTBX (32)CR (33)FJX (34)CUQBQSTD (35)QK (36)VXUO 

(37)PXKQUTADX (38)ANF (39)SCF (40)XKKXSFQTD 

Step 1) Make a Frequency Chart: 


4 5 10 10 2 17 0 6 2 9 17 3 0 9 4 7 18 4 16 16 12 2 0 27 2 0 

Step 2) Is it a Caesar Cipher 

This does not look like a Caesar cipher. X is probably e, but then U is a, T is z, 

S is y, etc., which looks bad. 

Step 3) Find the common letters: 

The most common letters are C, D, F, J, K, Q, S, T, and X. (We usually pick the 

most common letters seven to ten letters.) 

Step 4) Make a Digraph Chart: 

For each letter from Step 3) we build a column that gives each appearance of 

that letter. Let’s work on C’s column. C’s first appearance is in word (5), where 

it is preceded by S and followed by Y. So we put an SY in the C column. Similarly, 

an RN will come from C’s next appearance, in word (11). We will use “.” to 

indicate a space, or no letter. So word (15) provides with a .U, in word (28) 

with a , we put F. Doing this for each appearance of each common letter results 

in Figure 6.2. 

Step 5) Make a Letter Behavior Table: 

The Digraph Table took some time, but makes it easy to build a Behavior Table. 

For example, there are four times .* appears in C’s column (here * just means 

“some letter”), so C must begin four words. Likewise one *. shows C ends one 

word. 

C D F J K Q S T X 

count 10 10 17 9 17 18 16 16 27 

start 4 3 7 1 1 5 2 3 1 

end 1 3 3 1 7 0 4 0 8 

mates 9 6 9 5 10 14 10 13 15 

doubles 0 0 0 0 0 2 0 0 0


C D F J K Q S T X 

SY TQ QJ F. .N .S Q. XD HK 

RN N. .J EX XK DS QB XK PT 

.U TO .J FX K. YF NI SL JU 

JP .N .J FQ U. HE IC US LT 

.R QQ XJ FX Q. .K Y. HU UP 

QS .X SN FC TN JS QB .S FK 

F. .T QQ FX XX .S Q. SD K. 

.R T. .J FX B. KK .T .A J. 

.U AX QO FX UX .S TH .F PU 

SF T. T. P. NF TT XK LP 

K. OQ FC QF XP EU 

.C Q. AD C. DS KV 

.J TF DF TB NB VU 

.J Q. UB QT SD H. 

N. XQ BS .C UA UR 

C. XK .K XF QD LF 

SQ KX KU J. 

FT 

DT 

UT 

J. 

B. 

J. 

VU 

PK 

D. 

.K 

KS 

Figure 6.2: Digraph Table 

Step 6) Make our first guesses: 

(1) X=e: it is common, ends many words, starts few words. 

(2) F=t: it is common, starts many words, appears a lot with the one letter J, 

which is probably h. 

(3) J also mates a lot but starts and ends few words, also like h. 

These three guesses I’d be pretty sure of, especially after noting the five 

times FJX = the appears. 

(4) K ends words, does not start them, appears as a double. Maybe s or r 

(5) S end words but does not start them. Maybe r or n 

(6) Q and T start words but do not end them. Maybe a or i 

(7) D doesn’t mate too much, but is common and both starts and ends some 

words. Maybe s


(8) Finally, C more or less matches the description o. 

Next, lets use the information we strongly believe to determine some other 

letters. Start with FJX=the. FJXKX must either be there or these, so K is r or 

s. From earlier we’d guessed r or n. So probably K=r. Since S was r or n, that 

makes S=n. Then the second word of the cipher QS=*n must be in, so Q=i and 

T=a. (It would be odd for the second word of a sentence to be an. Of course, if 

we are wrong, we can always come back and try this later.) Now FC=t* must 

be to, so C=o, as we’d guessed previously. 

Summarizing our current guesses: ciphertext C D F J K Q S T X 

plaintext o s t h r i n a e 

Now let’s substitute these. 

KNHHXKK QS PXTDQS B YQF J N S I S CYS HQE J XU K 

r e r r i n e a s i n i t h n n o n i h e r 

QK LXTKNUXP AO F J XKX RCNU F JQS BK QS F J X 

i r e a r e t h e r e o t h i n r i n t h e 

CUPXU S TLXP EXUKXVXUTSHX HTUXRND LXF J C P K 

o e n a e e r e e a n e a e s e t h o r 

CR T S TDOKQK QS FNQFQC S DN H I F J X TAQDQFO TF 

o a n a s r i r i n t i t i o n s t h e a i s i t a t 

DXTKF FC UXTP F J X DT S BNT B X CR F J X CUQB Q S T D 

s e a r t t o e a t h e s a n a e o t h e o i i n a s 

QK VXUO PXKQUTADX ANF S C F XKKXS FQTD 

i r e e r i a s e t n o t e r r e n t i a s 

We’ve made progress, with many words looking like real English. But we’ve 

also made a couple of wrong guesses. Words (1) and (7) are not words, so there 

is a mistake here. Perhaps QK=is, so K=s Changing this makes the final word 

of the cipher XKKXSFQTD=essentia*, hence D=l. (l is the tenth most common 

letter in English, after etaoinshr, so it is not surprising that it is one of the 

seven most common letters in this text.) 

With these two changes we have 

KNHHXKK QS PXTDQS B YQF J N S I S CYS HQE J XU K 

s e s s i n e a l i n w i t h n n o n i h e s 

QK LXTKNUXP AO F J XKX RCNU F JQS BK QS F J X 

i s e a s e t h e s e o t h i n s i n t h e 

CUPXU S TLXP EXUKXVXUTSHX HTUXRND LXF J C P K 

o e n a e e s e e a n e a e l e t h o s 

CR T S TDOKQK QS FNQFQC S DN H I F J X TAQDQFO TF 

o a n a l s i s i n t i t i o n l t h e a i l i t a t 

DXTKF FC UXTP F J X DT S BNT B X CR F J X CUQB Q S T D 

l e a s t t o e a t h e l a n a e o t h e o i i n a l 

QK VXUO PXKQUTADX ANF S C F XKKXS FQTD 

i s e e s i a l e t n o t e s s e n t i a l


At this point it is nearly fill in the blanks. (This is the opening sentence of 

Colonel Parker Hitt’s 1916 Manual for the Solution of Military Ciphers, one 

of the first serious American books on cryptology, enciphered with a keyword 

transposed cipher with keyword TRICKY.) 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Not all examples will be as quick as this one. You will often need to swap 

a pair of common letters, like we did from K=r to K=s. However, work methodically, 

on a large piece of paper, with pencil and not ink, and after a little 

practice soon you will be decrypting ciphers with the best of them. 

Example: Decrypt the following cipher without word breaks. 

ROXEY ZLOHE QXHUW ROXEY HUHKX TVTHO BTZPB 

YVPBT RHKKB WYNVU ZOOBR VEOZR HKTRV BURBT 

HUWVU GDURY VZUYQ BXVUW BBWPV OOZOZ UBHUZ 

YQBON QHYZU BWZBT YQBZY QBODU WZBTY QBVOU 

HYDOB TQZNB IBOWV GGBOG DUWHP BUYHK KXROX 

EYZLO HEQXV TYQBZ OBYVR HKHUW HMTYO HRYRO 

XEYHU HKXTV TVTBP EVOVR HKHUW RZURO BYBWH 

IVWFH QU 

Step 1) Frequency Chart: 


0 28 0 4 8 1 4 24 2 0 9 2 1 3 23 5 11 15 0 14 21 18 13 10 20 16 

Step 2) Certainly this is not any sort of Shift Cipher. 

Step 3) The most common letters are B, H, O, R, T, U, V, Y, and Z. 

Step 4) See Figure 6.3. 

Step 5) See Figure 6.4. 

Step 6) The lack of information about initial and final letters make this cipher 

considerably more difficult to decrypt than the previous one. But we must start 

somewhere. B is most common letter, has lots of mates, is doubled, so maybe 

B=e. If this is so, the most common mates with B are OTUWYZ, so these may be 

consonants and HRV vowels. 

Looking at HRV, HV both have many low frequency mates, whereas R combines 

with mostly high frequency letters. So HV must indeed be vowels, but R is 

actually probably a consonant. 

Now V appears both before and after B=e, whereas H appears only after. 

Let’s guess V=i. The pair eo is very rare, so if H is to be a vowel it must be a.


B H O R T U V Y Z 

OT OE RX .O XV HW TT EZ YL 

PY XU LH WO VH HH YP EH TP 

PT YU RX TH BZ VZ NU BV UO 

KW UK HB BV BR BR RE WN OR 

OR TO ZO ZH KR HW RB RV VU 

VU RK OB TV BH VG WU UQ OO 

RT RK EZ UB BY DR YZ ZQ OU 

QX TU VO UY BY ZY XU HZ UY 

WB BU OZ XO BQ VW PO TQ YU 

BW QY ZZ VH VY ZB BO ZQ WB 

UH UY BN HY MY HZ WG TQ BY 

QO WP BD YO XV ZB XT HD WB 

UW YK VU VH VV DW YR UH QN 

ZT OE DB WZ VB OH TT EZ YL 

QZ RK BW UO DW TT TQ BO 

QO KU BG BY EO BV RU 

ZT WM RX HW OR TO 

QV OR LH HH IW RR 

OT YU ZB HW EH 

NI UK YH ZR BB 

IO RK RX Q. 

GO KU VV 

PU WI RB 

QZ FQ 

OY 

TP 

OY 

YW 

Figure 6.3: Digraph Table 

Next, Q follows Y a remarkable six times, with B right behind each time. We 

must have YQB=the. 

Turning to our other high frequency letters, ORTUWZ, which is o Of these 

letters, Z likes to combine with our vowels BHV the least. Is it possible Z=o 

The outstanding undetermined letter is O. It appears with all our vowels, 

both precedes and follows each, and of its common mates almost all are high 

frequency letters. Of nrs this sounds most like r. 

So we now have the guesses B=e, H=a, O=r, Q=h, V=i, Y=t, Z=o. Let’s

6.3. SUKHOTIN’S METHOD FOR FINDING VOWELS 97 

B H O R T U V Y Z 

count 28 24 23 15 14 21 18 20 16 

mates 17 15 15 11 10 12 14 13 12 

doubles 1 2 

favorites OPQT KORUY BHOR HOV BVY BHWZ ORT BEHQ BOUY 

UWYZ VXZ TZ 

Figure 6.4: Letter Behaviors 

substitute them and see how they look. 

ROXE Y Z LOH E Q X HUWRO X EYH U HK X T V T H O B T ZP 

r t o r a h a r t a a i a r e o 

BYVP B T RHK K BWYN V UZ OOBR V EO Z R H K T R V BUR 

e t i e a e t i o r r e i r o a i e 

BTHUW V UGD U R Y VZ U YQ B XVUWBBWP V OO Z O Z UB 

e a i t i o t h e i e e i r r o r o e 

HUZY Q B ONQ H Y Z UBWZB T YQB Z YQ B O D UW Z B TYQ 

a o t h e r h a t o e o e t h e o t h e r o e t h 

BVOU H Y DOB T Q Z NB I BOWVGG B OG D UWH P B U YHK 

e i r a t r e h o e e r i e r a e t a 

KXRO X E YZ L O H E QX V TY Q BZO B YV R H K H U W H MTY 

r t o r a h i t h e o r e t i a a a t 

OHRY R O XEY H U H KX T VT V TBP E VO V R H K H U WR ZU 

r a t r t a a i i e i r i a a o 

ROBY B WH I VWF H QU 

r e t e a i a h 

While there is always a lot of hard work in decrypting, there is also usually a 

point at which the discoveries start to come at you very rapidly. We are now at 

that stage. Staring at the message there now many places letters jump out at 

us. The “tio the” in the middle of the third line says “n”, for example. So we 

know we are both on the right track, and very close to the end. 1 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

6.3 Sukhotin’s Method for Finding Vowels 

In a field like cryptography, there are always new tricks and shortcuts being 

proposed to simplify one or another part of the enciphering, deciphering or de- 

1 “Cryptography and cryptanalysis are sometimes called twin or reciprocal sciences, and in 

function they indeed mirror one another. What one does the other undoes. Their natures, 

however, differ fundamentally. Cryptography is theoretical and abstract. Cryptanalysis is 

empirical and concrete.” David Kahn.


crypting process. Areas of frequent interest are methods for decrypting monoalphabetic 

ciphers more quickly. To give a flavor of these, we present a slight 

variation on a method for recognizing the vowels in a short ciphertext due to 

B. V. Sukhotin [Gray]. 

The idea behind this method is that vowels tend to have a wide variety of 

partners, with the vast majority being consonants. We should be able to make 

use of this to weed out the vowels from the consonants. The easiest way to 

explain the method is to use it. Let’s use our first example from Section 6.2 as 

the ciphertext. 

Step 1: Use the digraph chart to count the number of times each proposed 

etaonishr letter is in contact with another of these letters, ignoring any times 

they contact themselves, and total the results. 

C D F J K Q S T X total 

C 0 2 1 0 1 3 0 0 5 

D 0 0 0 0 3 0 5 2 10 

F 2 0 8 1 5 2 1 1 20 

J 1 0 8 0 1 0 0 6 16 

K 0 0 1 0 5 0 2 7 15 

Q 1 3 5 1 5 6 1 0 22 

S 3 0 2 0 0 6 6 1 18 

T 0 5 1 0 2 1 6 4 19 

X 0 2 1 6 7 0 1 4 20 

Step 2: The letter with the largest total is a vowel. Mark it so. Any letter 

contacting a vowel is probably not one. So we go through the remaining rows, 

and penalize each row by twice the number of times this vowel appears in their 

list. 

C D F J K Q S T X total total2 

C 0 2 1 0 1 3 0 0 7 5 

D 0 0 0 0 3 0 5 2 10 4 

F 2 0 8 1 5 2 1 1 20 10 

J 1 0 8 0 1 0 0 6 16 14 

K 0 0 1 0 5 0 2 7 15 5 

Q 1 3 5 1 5 6 1 0 22 vowel 

S 3 0 2 0 0 6 6 1 18 6 

T 0 5 1 0 2 1 6 4 19 17 

X 0 2 1 6 7 0 1 4 20 20 

Step 3: Again, the letter with the largest remaining count is a vowel. Mark it

6.4. FINAL MONOALPHABETIC TRICKS 99 

and penalize those that touch it. 

C D F J K Q S T X total total2 total3 

C 0 2 1 0 1 3 0 0 7 5 5 

D 0 0 0 0 3 0 5 2 10 4 0 

F 2 0 8 1 5 2 1 1 20 10 8 

J 1 0 8 0 1 0 0 6 16 14 2 

K 0 0 1 0 5 0 2 7 15 5 -9 

Q 1 3 5 1 5 6 1 0 22 vowel 

S 3 0 2 0 0 6 6 1 18 6 4 

T 0 5 1 0 2 1 6 4 19 17 9 

X 0 2 1 6 7 0 1 4 20 20 vowel 

Step 4: Repeat twice more to find the other two aeio vowels. 

C D F J K Q S T X total total2 total3 total4 total5 

C 0 2 1 0 1 3 0 0 7 5 5 5 1 

D 0 0 0 0 3 0 5 2 10 4 0 -10 -10 

F 2 0 8 1 5 2 1 1 20 10 8 6 vowel 

J 1 0 8 0 1 0 0 6 16 14 2 0 -16 

K 0 0 1 0 5 0 2 7 15 5 -9 -13 -15 

Q 1 3 5 1 5 6 1 0 22 vowel 

S 3 0 2 0 0 6 6 1 18 6 4 -8 -12 

T 0 5 1 0 2 1 6 4 19 17 9 vowel 

X 0 2 1 6 7 0 1 4 20 20 vowel 

So, according to this method, QXT and F are the vowels. 

Now no method is foolproof. This one heavily depends on the letter that 

contacts the common letters the most being a vowel, and if the first “vowel” 

designation is wrong, this method will quickly lead into a morass. Here, Q has 

the largest initial total, but only by 2. Both F and S have high totals, even 

though they are consonants. If either had occured a couple more times, we’d 

have had trouble. 

Similarly, no method should be applied without thought. At the end of Step 

4, C had a total of 5 and F a total of 6. Which is more likely to be a vowel 

Vowels tend to dislike one another, and C touches QTX a total of once, while F 

touches each of them for a total of 14 times. So, even though its total is a bit 

smaller, it is more likely that C is a vowel. 

6.4 Final Monoalphabetic Tricks 

The examples in this chapter hopefully have convinced you that even a good 

monoalphabetic substitution is not a very good cipher method. How, then, 

should we make a better cipher The name mono gives us a hint: we must 

change the one-for-one letter replacement and cause multiple letters to represent


the same letter. That is the goal of our next chapter. We end this chapter with a 

couple of ways that can make monoalphabetic ciphers harder to decrypt. (These 

tricks can actually be used with most of the ciphers we will see.) 

Homophones. When a substitution alphabet has multiple substitutions for a 

given letter these substitutes are called homophones. For instance, we may 

decide that every other e will be replaced by a z before the message is enciphered. 

Since z is so uncommon, our partner should be able to figure out we’ve replaced 

some e’s by z’s without prior warning. But to the enemy who intercepts the 

ciphertext, the tall 12% peak of e’s will be split into two far less visible 6% 

bumps. This would make the frequency analysis of our adversary a bit harder. 

Homophones are more commonly used when one is sending the ciphertext in 

numerical form. For example, consider the replacement list in a cipher of Henri 

IV of Navarre of France, c. 1600. [Pratt, page 64.] 

plaintext a b c d e f g h i l n o p r s t u w x y z 

ciphertextA 31 26 27 28 31 29 3 33 12 14 44 15 16 17 9 20 21 22 23 24 25 

ciphertextB 34 35 36 37 38 39 30 41 42 43 67 18 46 47 19 50 51 52 76 54 55 

ciphertextC 37 59 60 61 62 40 64 65 66 85 45 69 70 49 73 74 75 77 78 

ciphertextD 80 81 82 68 83 72 84 86 87 

(Most of the unassigned numbers stood for common words: 10 = le, 39 = mon.) 

To encipher a letter choose one of the numbers beneath it. So tres might 

be enciphered as 20-17-31-9 or as 50-70-38-49. These multiple substitutes 

flatten the frequency chart, making it much harder for our adversary to decide 

which number(s) represent which letter. 

To make this effective we would probably want several homophones for each 

letter, and then somehow force ourselves to pick the homophones at random. 

We might have six homophones for each letter and then to encipher a letter 

we would roll a die and if the die comes up with a 4, then pick the fourth 

homophone as the cipherletter. Unfortunately, homophones make enciphering 

and deciphering much slower. 

Further, if the message is thousands of letters long frequency analysis will 

still win out. A handwritten page will have approximately 500 characters on it 

(about 25 characters per line and 20 lines per page) and a typewritten page can 

easily consist of 3000 characters (70 characters per line and 45 lines per page). 

For our die-homophone example, the cipher-numerals standing for uvwxyz still 

would very seldom be used, while those standing for e would be popular, and 

often occur paired with those standing for t and h. So while homophones are 

helpful, they cannot make monoalphabetic ciphers secure. 

Nulls. Extra meaningless symbols that added to a text only to confuse the 

enemy analysts are known as nulls. One could spread a number of unpopular 

letters randomly throughout the plaintext. Itz yisx xnot jtooquk qdifficult 

wtowq jread ax meksskage cbontgainuing nzullys, but it is harder to cryptanalize 

it. However, it is a bother to add (and later, remove) such letters, and they make


our ciphertext much longer than it would otherwise have been. Nonetheless, all 

modern cipher techniques involve the use of nulls. 

Salting the message. Many messages begin and end with similar, repeated 

information. It is standard practice to begin the message with whom it is for, 

and who is sending it: “From: Capt. Thomas, USS Lexington. To: Admiral 

Nelson, Enterprise Carrier Group, US South Pacific Force.” To prevent an 

adversary from guessing such a stereotyped beginning of a message, one salts 

the message by adding a meaningless strings to the beginning and/or end of the 

plaintext before it is enciphered. 

A different method with the same purpose is Russian Copulation. Cut 

the message approximately in half and the swap the two halves. This hides the 

beginning and ending somewhere in the middle of the message. Hopefully, this 

is of no bother to the person who will decipher the message, but will prevent 

the enemy from using information about the stereotyped beginning and ending 

of the message. Unfortunately, it is a very small leap from guessing that 

“Enterprise” or “Naval Task Force” appears at the beginning and/or end of a 

message to using such words and phrases as cribs for the entire message. Cribs 

are words or phrases thought to be part of the message. If, say, “carrier” is 

thought to appear in a monoalphabetic cipher, a quick scan for its distinctive 

letter pattern **XX**X, where X represents any particular letter, should be able 

to determine this. And if it is found, the codebreaker has an immediate decryption 

of 5 letters of the code! We will not study them further, but clearly cribs 

are a very powerful tool to have when decrypting ciphers. 

6.5 Summary 

Decrypting shift ciphers involved only frequency analysis, really, just counting 

the letters. For more general monoalphabetic ciphers we need additional information 

about how the letters relate to one another. For example, while e and t 

both are very common letters, and both are among the most frequent final letters 

of words, e seldom starts words whereas t very frequently does. When the 

ciphertext is presented with word breaks, this information alone usually allows 

the identification of e and t, with h quickly following. 

Even without word breaks, vowels are much happier mating with consonants 

than with other vowels. We can thus use e and t as wedges to separate the vowels 

of aonirsh from the consonants. Using the differences in letter behavior should 

then give enough guesses at substitutions that we can then try out our guesses, 

fixing and revising as we make progress. 

Despite tricks like these, monoalphabetic ciphers simply are not very secure, 

and have not been for a very long time.



1. Of the etaoinshr letters 

(a) Which three appear frequently both as initial and final letters 

(b) Which three appear frequently as final letters, but less so as initial 

letters 

(c) Which three appear frequently as initial letters, but less so as final 

letters 

(d) Which four are most likely to make doubles 

2. Which are the most common vowel-vowel combinations Are they actually 

very common 

3. Which letters do vowels prefer to associate with What about consonants 

4. Which (type of) letters are the friendliest, associating with almost all 

others Which are most discriminating, preferring the company of only a 

few other letters 

5. Are ciphertexts that retain their word breaks easier or harder to decrypt 

Explain why. 

6. What is a digraph table How to construct one What does it tell us 

7. What is a homophone 

8. Why can ciphers that involve homophones be more secure than those 

without 

9. What is a null How do nulls make the cryptanalyst’s life more difficult 

6.7 Exercises 

1. Decrypt the following cipher. 

UN MGHHYV LNS VYETEHGUH HLY KVQFHNCVGM GDD HLGH TE VYGDDQ UYYRYR 

TE GU YUHVQ HLY TRYUHTATKGHTNU NA NUY SNVR NV NA HLVYY NV ANPV 

DYHHYVE LYDYU ANPKLY CGTUYE 

Frequency count: 


5 0 2 6 6 1 9 15 0 0 3 7 2 12 0 2 3 4 2 8 10 12 0 0 19 0 


GNLTA DTPUH IOHJQ BTCNJ QHCVN DQPIQ ZNDCN ZJTGD TQHIQ TWWHO TIGTH 

IQBTF NDWLQ NLPSH QVDNL XGTJC XGBCN DTPIL CXGBC NDTQD XJQFN DQBSH 

IZNDC PQHNI QBPIJ VHTJ




1 6 8 11 0 2 7 10 9 7 0 4 0 13 2 6 14 0 2 13 1 2 3 4 0 3 


PYJQG KYUQR CQEQR LOTGQ RQTRT RYTAH KYLTE HAWEJ QRWHQ RCTAW UHEWR 

PQAYW UQKWV YDWEH YPNGT RQHLT UYHQL YHKWR QHPYE YUVYE JKWUF YEBWB 

BWCY 



4 3 3 1 8 1 3 9 0 3 5 4 0 1 1 4 13 10 0 8 6 2 11 0 14 0 

4. Fletcher Pratt used a Keyword Cipher to encipher the following message. 

Can you decrypt it, and recover the keyword 

SZPQP ERHKQ PCRKJ VZXPU PJSZP GKRSC GCSPT QIQXL SKNQC LZPQR ZXTFN 

ZPRES CSPFK JNKUP QCRDG LFPRT HRSES TSEKJ IELZP Q 


AOPBO GDGPG DUKLD NWCTD OALTQ NGUMT AEDKR WDLWG WCUTD MDKAZ ZCGGC 

TOUFG WCNZA DKGCH GGASC KCDGW CTODK MZQUT DKMTU PNOUF LUKOG AKGZC 

KMGWW AXCBC CKTCN ZALCV BQUGW CTZCG GCTOF DMPTC OODMK OUTLU EBDKA 

GDUKO UFGWC EDKAL LUTVA KLCRD GWAVC FDKDG COQOG CEAKV SCQ. 



14 4 25 20 4 5 23 1 0 0 18 9 7 5 14 4 5 2 2 14 14 4 11 1 0 7 

6. Among the techniques the British used during the Revolutionary War was 

a relatively simple monoalphabetic cipher. It was apparently used by Sir 

Henry Clinton, the commander-in-chief of His Majesty’s Forces in North 

America from 1778 to 1782. 

Decrypt the following fragment of a letter sent in this cipher. 

75 62 55 67 77 68 74 69 71 68 69 68 72 55 54 73 62 55 66 61 

73 73 55 71 73 68 66 55 63 73 62 68 74 61 62 73 63 62 51 54 

60 74 65 65 77 55 76 89 65 51 63 67 55 54 66 77 72 55 65 60 

Hint: start with a frequency count of the pairs of numbers. 

7. A technique for making a monoalphabetic cipher with homophones is to 

take a long word or phrase, number the letters in order of appearance, 

and then use those numbers as substitutes for the letters. Any letters that 

do not appear are numbered at consecutively at the end. (This method 

apparently originated with the Argenti’s [Kahn, 113].) 

In a letter on 9 Oct 1863 from 1st Lt. Stephen M. Routh, Chief Signal 

Officer of the District of West Louisiana, Confederate Army, to Maj. Gen.


Stephen D. Lee, it was suggested that “WILHELMINUSVOLKSVEST” 

be used in this manner. The numbering is 

W I L H E L M I N U S V O L K S V E S T 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 

As H appears only once, there is only one replacement for it. On the other 

hand, L appears three times so it has three possible replacements. The 

letters that don’t appear in the keyword are numbered at the end, so A is 

21, B is 22, and so on. 

When used with a long keyphrase the number of replacements for each 

letter will mimic how frequently they appear in normal language. If the 

substitute for a letter is always randomly chosen from the set of replacements, 

then this leads to a very flat frequency count. Hence this method 

can produce quite secure ciphertexts. Unfortunately, people tend to get 

lazy and generally reuse the same couple of replacements, destroying the 

strength of the system. 

(a) Routh’s word was later taken up by General Robert E. Lee. He 

used it to encipher a message he sent on 23 Nov 1863 [Gaddy]. The 

following contains Lee’s location and the name and location of the 

intended recipient. Decipher the message. 

25 30 13 7 4 29 23 21 12 21 3 30 32 2 9 7 8 

11 16 2 19 11 8 28 28 2 26 30 21 9 21 24 21 20 

13 23 13 6 22 5 9 27 21 7 8 9 16 1 18 1 14 

3 21 21 26 7 5 30 2 24 8 21 9 

(b) In June 1864 a Confederate major of Gen. E. Kirby Smith’s trans- 

Mississippi command deserted and disclosed a cipher similar to the 

one above, based on the word “impersonificationaly” [Gaddy]. 

Decipher the following silly phrase (designed to take advantage of the 

homophones). 1 5 18 17 18 31 18 20 13 8 22 1 2 24 15 22 11 8 23 9 

17 2 7 17 14 18 8 13. 

8. The most famous cipher story in history is Edgar Allen Poe’s “The Gold 

Bug”. First published in 1843, it caused a sensation. By far Poe’s most 

popular story, it gave Poe an international reputation as a great cryptography. 

In the story, William Legrand is living on an island near South Carolina. 

By legend, this island was once the home of the pirate Captain Kidd. 

Legrand has found a new species of beetle, a gold-colored one. He draws a 

picture of this bug to show to a friend. It happens that the paper he uses 

contains a secret message written in invisible ink that just so happens to 

become visible when the friend just so happens to hold the paper close, 

but not too close, to a fire. Here is the message.


53++!305))6*;4826)4+.)4+);806*;48!8‘60))85;]8*:+*8! 

83(88)5*!;46(;88*96*;8)*+(;485);5*!2:*+(;4956*2(5* 

-4)8‘8*; 4069285);)6!8)4++;1(+9;48081;8:8+1;48!85;4 

)485!528806*81(+9;48;(88;4(+34;48)4+;161;:188;+; 

Legrand’s friend (the narrator of the story) is quickly able to decrypt this 

cipher and find the hidden treasure. Can you 

Hint: Do this like any monoalphabetic cipher. 

9. Some folks get very emotional about cryptology. The great cryptologist 

Blaise de Vigenére (Traicte’ des Chiffres, 1585) certainly did. 

02-17-17 15-2-9-8-11-24 20-10 16-24-11-24-17-4 20-20-13-21-24-11 2-15- 

25 2 10-24-0-11-24-9 06-11-20-9-20-15-22 9-21-24 22-11-24-2-9 15-2-16- 

24 2-15-25 24-10-10-24-15-0-24 14-23 22-14-25 2-15-25 21-20-10 6-14-15- 

25-24-11-10 9-21-24 7-24-11-4 25-24-24-25-10 13-11-14-19-24-0-9-10 6- 

14-11-25-10 2-0-9-20-14-15-10 2-15-25 25-24-16-24-2-15-14-11 14-23 16- 

2-15-18-20-15-25 6-21-2-9 2-11-24 9-21-24-4 23-14-11 9-21-24 16-14-10-9 

13-2-11-9 1-8-9 0-2 0-20-13-21-24-11 

10. E. A. Poe was aware of the use of homophones to help secure a monoalphabetic 

cipher. At one point he used the le gouvernement provisoire 

as a substitution alphabet: 

plain a b c d e f g h i j l m n o p q r s t u v x y z 

cipher L E G O U V E R N E M E N T P R O V I S O I R E 

(a) Encipher Monday. 

(b) Decipher ETONNNE. 

(c) William Friedman [Friedman, page 168] was not impressed with this 

method. Why 

11. Albert Myer used the following homophonic system. Set up the alphabet 

in columns: [SSA2, page 12 or Myers pages 101-111, 264-5.] 

element 1: A F K P U V 

element 2: B G L Q W 

element 3: C H M R X 

element 4: D I N S Y 

element 5: E J O T Z 

To encipher L, since is in the 2nd row, and the 3rd in that row, L = 23. 

To give homophones, now pick any letter from row 2, say W, and any from 

row 3, say R. So L becomes WR. Similarly f becomes FB or KW. 

Decipher UV CR PA FK KJ OF BH TC FG DS LL SR KU BX YI.


12. Frequency analysis was probably first invented by the Arabs. Decrypt the 

following message. The ideas are due to Ibn ad-Duraihim as paraphrased 

by Qalqashandi in 1412’s Subh al-a sha 

EJJLF GZPGE BAABO HJPPT OXJHA UOBVT BQAER ZQAGB XBHHD NBDQI PJXCD 

OBAGZ HFZAG AGBCD AABOQ JUEBA ABOUO BVTBQ PRCOB MZJTH ERXBQ AZJQB 

IFGBQ RJTHB BAGDA JQBEB AABOJ PPTOH ZQAGB XBHHD NBXJO BJUAB OQAGD 

QAGBO BHAAG BQDHH TXBAG DAZAZ HDEZU AGBQD HHTXB AGDAA GBQBY AXJHA 

UOBVT BQAZH EDXAG BDPPT ODPRJ URJTO PJQSB PATOB HGJTE IWBPJ QUZOX 

BIWRA GBUDP AZQDX DSJOZ ARJUP JQABY AHEDX UJEEJ FHDEZ U 


40 45 3 20 13 4 19 21 4 24 0 1 1 2 19 15 20 8 2 13 12 3 2 13 2 15 

13. The aftermath of the election of 1876 provides us with a number of interesting 

ciphertexts [Elements and Secret 1876]. 

Jacksonville, Nov. 16 (1876) 

Geo. F. Raney, Tallahassee: 

pp yy em ns ny yy pi ma sh ns yy ss it ep aa en 

sh ns pe ns sh ns mm pi yy sn pp ye aa pi ei ss ye 

sh ai ns ss pe ei yy sh ny ns ss ye pi aa ny it ns sh 

yy sp yy pi ns yy ss it em ei pi mm ei ss ei yy ei ss 

it ei ep yy pe ei aa ss im aa ye sp ns yy ia 

ns ss ei ss mm pp ns pi ns sn pi ns im im yy it em yy 

ss pe yy mm ns yy ss it sp yy pe ep pp ma aa yy pi it 

L’Engle goes up to-morrow. (signed) Daniel 

In this cipher pairs of letters were used as substitutes for individual letters. 

The quote above highlights this by seperating the pairs. (In the original 

letter this was not the case, and the first progress towards decyphering 

the letter was realizing the double-letter nature of the cipher.) 

Given this, and the hint that neither e nor t is the most common letter, 

can you decrypt it 

14. Consider the following telegram [Hassard and Secret 1876]. 

J. J. DANIEL, Jacsonville, Fla.: 

TALLAHASSEE, Mov. 19, 1876 

84 55 89 31 93 27 66 89 27 20 42 66 34 55 

33 93 20 34 84 55 55 39 93 42 55 33 93 48 44 

55 52 27 66 33 20 20 55 31 31 66 42 27 82 96 96 

93 20 82 66 48 93 52 27 93 44 93 34 82 31 31 27


93 93 82 48 39 66 82 20 34 42 82 48 93 44 82 96 

39 66 42 48 82 84 52 31 66 42 27 66 75 55 52 

48 39 66 82 33 93 20 93 39 55 27 82 48 66 

52 48 44 55 42 82 48 89 84 55 96 96 52 33 

82 84 66 48 93 20 89 93 27 48 93 42 20 66 

89 27 31 93 48 48 93 42 96 55 20 82 68 82 93 20 66 27 66 

75 55 87 93 82 33 99 52 33 84 48 82 55 33 66 77 66 

82 33 27 48 77 55 87 93 42 33 55 42 84 66 33 87 66 27 27 

82 33 77 93 31 93 84 48 55 42 66 31 87 55 48 93 66 33 10 96 66 33 

20 66 96 52 27 48 55 96 66 25 93 96 84 31 82 33 66 33 20 84 55 34 

77 82 33 66 84 48 82 96 96 93 20 82 66 48 93 31 89 34 82 31 31 

75 93 27 55 52 77 44 48 48 55 96 55 42 42 55 34 

L’ENGLE. 

At the New York Tribune reported in its expose on the topic 

It was natural to suppose that this dispatch referred to the chief topic 

of the day, and if so the word “canvass” must be in it somewhere. 

The problem was, therefore, to find a combination of seven [pairs of] 

numbers, of which the second and fifth, standing for A, should be the 

same, and the sixth and seventh (SS) also the same. The translator 

began at the beginning and tried every sequence of ciphers until at 

the end of the twelfth line one was found which fulfilled the desired 

conditions, namely, ... 

what Find the set of 7 pairs of numbers that fit the letter pattern of 

“canvass.” Then, with some frequency work, you should be able to decrypt 

this cipher. Do so.

108 CHAPTER 6. DECRYPTING MONOALPHABETIC CIPHERS

Chapter 7 

Vigenère Ciphers 

It was the amateurs of cryptology who created 

the species. The professionals, who almost certainly 

surpassed them in cryptanalytic expertise, 

concentrated on the down-to-earth problems of 

the systems that were then in use but are now 

outdated. The amateurs, unfettered to these realities, 

soared into the empyrean of theory. 

David Kahn 

The Codebreakers 

We’ve seen four types of monoalphabetic ciphers: 

Caesar Ciphers: shift the letters of the alphabet by some fixed amount. 

Decimation Ciphers: multiply by some fixed amount. 

Linear Ciphers: multiply and shift. 

Keyword Ciphers: use a keyword and columns to make a new alphabet. 

In these ciphers each plaintext letter is replaced throughout the entire message 

by the same ciphertext letter. Because of this one-to-one correspondence, frequency 

analysis allows anyone to decide which letter is posing as which, and 

hence to decrypt the message. 

How, then, should we make a better cipher We must change this one-forone 

replacement and find a way to cause multiple letters to represent the same 

letter. We must (re)invent polyalphabetic ciphers. 

Apparently, the first monoalphabetic cipher was thought up by one person 

in one sudden intellectual burst. Not so for the family of polyalphabetic ciphers. 

To fully develop this idea took four people: an architect, a cleric, a courtier and 

a scientist, none of whom were cryptologists by profession. 

109

110 CHAPTER 7. 

VIGENÈRE CIPHERS 

7.1 Alberti, the Father of Western Cryptology 

Leon Battista Alberti (1404-1472) was born in Florence, Italy, the illegitimate 

but favored son of a rich merchant. Although not well-known today, in the 

Renaissance he was generally considered to be second only to Leonardo da Vinci 

in terms of all-around talents. For example, as an architect Alberti 1 designed 

the first Fountain of Trevi in Rome, his De Re Aedificatoria was the first printed 

book on architecture and was the “theoretical cornerstone of the architecture of 

the Renaissance” (Kahn). He was one of the best organists of his day, as well 

as a painter. His writings include poems, fables, comedies, law, and the first 

scientific study of perspective. He was also an excellent athlete. [Kahn] 

In 1466, at age 62 or 63, wrote for his friend Leonardo Dato, the papal 

secretary, what is the West’s oldest book on cryptology, De cifris. It was only 

25 pages long, but included 

1. Frequency analysis. Probably not invented by him, but presented in a 

relatively developed form. 

2. The use of code letters for common words and phrases. For example, ZZ 

= rome, XZ = pope, etc. Further, he changed these regularly, so later 

Pope might be ZAZ and later still XXY. These letters are enciphered along 

with the rest of the text, in a method called enciphered code. So Pope 

would be first replaced by XZ and then XZ would be enciphered like any 

other plaintext word. This method was so far ahead of its time that it 

was almost 400 years until it was generally used. 

3. The first mechanical cipher device. Known as the Alberti disc, it is very 

similar in function to the Saint Cyr slide but has the alphabets arranged 

in circles, the plaintext inside and ciphertext outside. 

4. Primitive polyalphabetic ciphers. His idea is both very clever and very 

simple: use a different Caesar cipher with each word! 2 

Examples: Use Alberti’s methods on the following. 

(1) Encipher Vatican City and Rome by using the first letter of each word 

as the key. 

Vatican we encipher with key V, giving QVODXVI. For City we use key 

C, giving EKVA. Similarly with key A, and = AND (A is a foolish key) and, 

finally, Rome = IFDV. So the ciphertext is QVODXVI EKVA AND IFDV. 

(2) Encipher Fountain of Trevi using the second letter of the word as the 

key. 

1 who shouldn’t be confused with Giovanni Battista Argenti of 5.1, despite the similar 

names 

2 Alberti actually only changed the key every couple of words.

7.2. TRITHEMIUS, THE FATHER OF BIBLIOGRAPHY 111 

(3) Decipher JCQNGI RRIIZMVJ MUZLLAZ BUIVSTEBZ. Hint: The first letter of 

each word is the key. 

(4) Decipher LZWS XYXY RDGGV SBHSFJWOO CQNBRMNJ KVVYH Hint: the last 

letter of the word is the key. 3 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Look again at part (1) of this example. The i in Vatican became O but the i 

in City became K. Similarly, the t once became D and once V. A single plaintext 

letter was enciphered to different ciphertext letters! This is the trademark of a 

polyalphabetic cipher. A monoalphabetic (mono = one) cipher uses only 

one ciphertext alphabet throughout the message, so each plaintext letter can 

become only one ciphertext letter. A polyalphabetic cipher (Poly = many) 

provides for several ciphertext alphabet, which allows each plaintext letter to 

become several different ciphertext letters. 

As we will see, that the same plaintext letter can become different ciphertext 

letters provides for a very strong cipher. The weakness of Alberti’s method is 

a bit more subtle. Can you find it (Try to decipher parts (1) or (2) from the 

example.) 4 

7.2 Trithemius, the Father of Bibliography 

Johannes Trithemius (February 2, 1462 – December 15, 1516) is the second of 

our four developers. By the age of 22, Trithemius was the abbot of the Benedictine 

abbey of Saint Martin. His most important work, Liber de scriptoribus 

ecclesiasticis, was a chronological list of about 7000 theological works, it was 

published in 1494 and led to his title. 

In 1499 he wrote Stenanographia, meaning “covered writing”. In it are some 

examples of simple substitutions (swapping all i’s and t’s with each other, for 

instance) and some null ciphers. (These ciphers appear like normal correspondence 

but hide messages within them, for example, by having only certain 

letters be meaningful, such as the initial letters in “Can’t order donuts every 

Sunday”.) The third portion was a study of what we’d now call magic and the 

occult. This portion brought him fame and notoriety and in 1609 the book was 

placed on the Catholic Church’s Index of Prohibited Books. 

Starting in 1508 Trithemius published the six-part Polygraphia (“many ways 

of writing”). In Book V appears the world’s first known tableau, or table. The 

simplest tableau is known as Trithemius’ tabula recta, and appears as Figure 

7.1. (Trithememius’ recta came from the Latin alphabet, and so was 24 × 24, 

rather than 26 × 26.) 

3 (2) TCIBHOWB TK KIVMZ, (3) The XZ=pope arrives in ZZ=Rome on thursday, (4) The 

ZAZ=pope will enter the side door. 

4 We must include the keyletter(s) with the message. If the method is simply “use the first 

letter of the words as the key”, then that letter is enciphered and is hard to determine!



A 

B 

C 

D 

E 

F 

G 

H 

I 

J 

K 

L 

M 

N 

O 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 



B C D E F G H I J K L M N O P Q R S T U V W X Y Z A 

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B 


E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 


G H I J K L M N O P Q R S T U V W X Y Z A B C D E F 

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G 

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H 

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I 

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J 


M N O P Q R S T U V W X Y Z A B C D E F G H I J K L 

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M 

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N 

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O 

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P 

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q 

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R 

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S 

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T 

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U 

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V 

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W 

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X 

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y 

Figure 7.1: Trithemius’ tabula recta 

To use the tabula recta, find your plaintext letters in the outside top row. 

Use the first row as the ciphertext alphabet for the first letter, the second row 

as the ciphertext alphabet for the second letter, the third row as the ciphertext 

alphabet for the third letter etc., repeating after 26 letters. In the language of 

our Caesar ciphers, we encipher each letter using a Caesar cipher but change the 

key with each letter. We use A as the key for the first letter of the message, B as 

the key for the second letter, C for the third, etc. This gives a key progression 

(or a progressive key), since the key progresses with each new letter. 

Examples: 

(1) Encipher table. 

To use Trithemius’ tabula, find the first letter of the message t and read 

down to the A row, a T. Then find the next letter a and read down to the 

B row, a B. Find b and read down to the C row, a D. Find l and read down 

to the D row, a O. Finally e in the E row is an I. The answer is TBDOI. 

Using a Saint Cyr slide one enciphers as usual, simply remembering that 

each letter gets its own key. With the slide, move the key one letter 

forward each time you encipher a letter. 

(2) Encipher rectangle. 

(3) Decipher DJCJS SGS.

7.3. BELASO, THE UNKNOWN AND PORTA, THE GREAT 113 

(4) Decipher FFFHVFR. 5 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

The influence of this system was great, in part because of Trithemius’ notoriety 

and in part because his was the first published book on cryptology. 

Letter-by-letter enciphering quickly became common and the basis for many 

cipher systems. 

In some ways this system is better than Alberti’s because a new alphabet 

is used with each letter. Even very recognizable words like Mississippi will 

become well-enciphered. (Alberti’s method with key F gives FRNXXNXXNUUN, 

putting the keyletter first, while Trithemius’ method gives MJUVMXYPXYS.) 

It also has clear weaknesses. For example, if the plaintext contains alphabetically 

anti-consecutive letters, as in pon of pontoon or fed of federal then 

the cipher text will contain a consecutive copies of the same letter. 6 While not 

terribly common, this allows easy entries to decrypting the cipher. (This last 

is Porta’s idea.) Nonetheless, Trithemius contributed the idea of changing the 

key with each letter. 

7.3 Belaso, the Unknown and Porta, the Great 

Giovan Batista Belaso, unlike the others appearing in this chapter, is someone 

we know little about. He was from Brescia, Italy and lived during the 1500’s. 

What we do know is that in 1553 he published La cifra del. Sig. Giovan Balista 

Belaso in which he described a ciphersystem with an easily remembered and 

easily changed key. He called the key a countersign, although we will just 

call it the keyword. His cipher became known as the Vigenère cipher and is 

the most important and most used cipher in history. (Vigenère will appear in 

Chapter 8.) 

Belaso’s idea is an extension of Trithemius’s: to encipher pick a keyword 

and use its letters cyclically as the key in a Caesar cipher to encipher the text. 

Example: Encipher eek, eek, I saw a mouse near that computer using 

the keyword TYPE. 7 

plaintext e e k e e k i s a w a m o u s e n e a r t h a t c o m p u t e r 

key T Y P E T Y P E T Y P E T Y P E T Y P E T Y P E T Y P E T Y P E 

ciphertext X C Z I X I X W T U P Q H S H I G C P V M F P X V M B T N R T V 

Answer: XCZIX IXWTU PQHSH IGCPV MFPXV MBTNR TV. 

⋄ 

5 (2) RFEWESMSM, (3) diagonal, (4) federal. 

6 pontoon is enciphered as PPPWSTT. 

7 Belaso was careful to use longer keywords, or better, phrases, like OPTARE MELIORA and 

BIRTUTI OMNIA PARENT.



Giovanni Battista Porta (1535–1615) was probably the outstanding cryptographer 

of the Renaissance. In addition, he organized the first association of 

scientists, the “Academia Secretorum Naturae”. He was also a prolific writer: 

between 1586–1609 published books on human physiognomy, meteorology, the 

design of villas, astronomy, as well as 14 prose comedies. 

In 1563 8 he published De Furtivis Libetarum Notis. Its four books dealt 

with, respectively, ancient ciphers, modern ciphers, cryptanalysis, and linguistic 

peculiarities, and encompassed all the cryptologic knowledge of the time. 

According to Kahn, it is one of the few books of the period that is still readable. 

(In it it appears that Porta nearly learned out how to break the Vigenère 

ciphers. If he had, they probably would not have become popular, in which case 

this chapter wouldn’t exist. But he didn’t quite, and so here we are.) 

Porta’s contribution was two-fold. First, his book was very influential and 

made the polyalphabetic ciphers popular. Second, he combined the letter-byletter 

encipherments of Trithemius, the easily changed key of Belaso, and the 

mixed alphabet suggested by Alberti. Rather than simply using the 26 regular 

alphabets (from Trithemius’ table) as the ciphertext alphabets, his cipher 

allowed for mixed alphabets. 

7.4 Vigenère Ciphers 

The Vigenère cipher is one of the most influential ciphers in history. It is simple 

to use and easy to remember, and, because it is polyalphabetic, is much more 

secure that the ciphers we have previously studied. 

Examples: 

(1) Encipher Meet me at the Met at the time ten twenty using the keyword 

CODE. 

plaintext 

key 

ciphertext 

m e e t m e a t t h e m e t a t t h e t i m e t e n t w e n t 

C O D E C O D E C O D E C O D E C O D E C O D E C O D E C O D 

O S H X O S D X V V H Q G H D X V V H X K A H X G B W A G B W 

Yes, this is a silly message. But notice how many times the e’s and t’s 

and m’s go to different letters. There are 9 e’s and 10 t’s in the plaintext, 

but in the ciphertext no letter appears more than 5 times. 

(2) As his example of Vigenére, Parker Hitt used the key GRANT to encipher 

All radio messages must hereafter be put in cipher. What 

is the ciphertext 

(3) Charles Dodgson (Lewis Carroll) reinvented the Vigenère cipher in 1868, 

calling it the Alphabet Cipher. In his diary he used the keyword VIGILANCE 

8 Why did the 1500’s have this sudden explosion of interest in cryptology ”The growth of 

cryptology [in the west in the 1500’s] resulted directly from the flowering of modern diplomacy” 

[Kahn, pg 108] since permanent ambassadors needed to send home regular reports.

7.4. 

VIGENÈRE CIPHERS 115 

to encipher Meet me on tuesday eve [Abeles, p. 326]. What did he find 

as the ciphertext 

(4) Decipher TMOQE JKCNF SJDOE ESF using the keyword HOLMES. 

Deciphering is set up as you probably think: 

ciphertext 

T M O Q E J K C N F S J D O E E S F 

H O L M E S H O L M E S H O L M E S 

(5) Decipher WYONT REJOL BXNUQ IZHS using the keyword AROUND. 

(6) During World War I the German Army used a cipher that is equivalent to 

a Vigenère cipher with keyword ABC. To find out in which year, decipher 

NJPEUGEO HOVTTFGN. 

(7) Joseph Willard Brown claims that IN GOD WE TRUST was used as a key 

to encipher the message Longstreet is marching on Fisher’s Hill 

[Brown]. If so, what was the ciphertext 9 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

How does being polyalphabetic influence the frequency counts Here is an 

enciphered message. 

QNTQH PIECN SCPOE QXPZC FFILF ACNMY FRRPW XUTKK RROLV CVEQX KASFS 

IMGSY XYRRM POEFH MYROI OEEUO EVSET EVPIX KAEFC ZGKEQ AHTAK KXTEI 

EGRNA DZPKM MDCAC ZGPVT QTFHZ OXZDE RFEWX YFWVN ARIGW AANUG RNQAE 

FXSMT FHCZG RWTMP ZDJII YQRRN QLDCV NKTHI VTKP 


11 0 10 5 16 12 7 6 10 1 10 3 8 9 7 10 9 14 6 11 3 8 5 9 6 8 

Could this be from a monoalphabetic cipher Almost all the letters appear, 

and most appear between 5 and 10 times each. This frequency chart is much 

flatter than any we’ve see in the past. So, no, this ciphertext cannot be from a 

monoalphabetic cipher. 

Perhaps we could break this cipher by exhaustion, by trying each possible 

keyword Well, there are 26 one-letter keywords, 26 2 = 576 two-letter keywords, 

26 3 = 17576 three-letter ones, etc.. Here I used a five-letter keyword, and 

there are 26 5 = 11, 881, 376 possible five-letter keywords! It takes very little 

imagination to realize that trying all possible keywords is impossible. 

The Vigenère cipher, for much of its lifetime, had two very strong advantages 

over the ciphers we have previously seen: 

1. It was apparently unbreakable, in fact, it was basically unbroken until the 

19th century. 

9 (2) GCLET JZOZX YJATX YDUFM NVRRT LKEEU KGUGB TTICA KI, (3) HMKBX EBPXP MYLLY 

RXI, (4) my dear doctor watson, (5) what goes around comes, (6) nineteen fourteen, (7) 

TBTUV PVXVN ALUNX QKERZ FHXBA UKFVD MEC



2. Each ambassador, messenger and spy could have their own key that could 

be changed easily if stolen or lost. (Generally the keywords were phrases, 

i.e., “God save the Queen”.) 

It did, however, have the reputation for being cumbersome and prone to error, 

which meant it was used less than one would otherwise expect. Even so, it 

served as a prototype for many ciphers used by professionals. 

7.5 Variants and Beaufort 

In 1857 Admiral Sir Francis Beaufort of the Royal Navy (known for his scale of 

wind speed) and his brother published what they thought was a new cipher. 10 

They put their Beaufort Tableaux (Figure 7.2) on 4×5-inch cards and sold these 

as a new way of secret writing “adapted for telegrams and postcards” (postcards 

having recently been invented). 

To use the card, they wrote 

Let the key for the foregoing [message] be a line of poetry or the name 

of some memorable person or place, which cannot easily be forgotten ... 

Now look in the side column for the first letter of the text (t) and run 

the eye across the table until it comes to the first letter of the key (v), 

then at the top of the column in which v stands will be found the letter 

c. ([Kahn], page 202.) 

So the plainletter t is enciphered by V to give the cipherletter C. (Actually, one 

can look either up or down to find the ciphertext.) Clearly this cipher method 

is very closely related to the Vigenère cipher. It does have one small advantage: 

deciphering is exactly the same process as enciphering. 


B C D E F G H I J K L M N O P Q R S T U V W X Y Z A 

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B 


E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 


G H I J K L M N O P Q R S T U V W X Y Z A B C D E F 

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G 

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H 

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I 

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J 


M N O P Q R S T U V W X Y Z A B C D E F G H I J K L 

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M 

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N 

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O 

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P 

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q 

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R 

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S 

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T 

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U 

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V 

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W 

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X 

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y 

Figure 7.2: Beaufort’s Tableaux 

10 It had already been studied by Giovanni Sestri in 1710.

7.6. HOW TO BREAK VIGENÈRE CIPHERS 117 

The Beaufort cipher may also be performed using a Saint Cyr slide: simply 

replace the ciphertext slide with one on which the alphabet is reversed. 

Examples: 

(1) Encipher send supplies using keyword COMET. 

plaintext 

key 

ciphertext 

s e n d s u p p l i e s 

C O M E T C O M E T C O 

K K Z B B I Z X T L Y W 

The ciphertext is KKZBB IZXTL YW. 

(2) Encipher Admiral using the keyword NAVY. 

(3) Decipher GWFDY XGTPW U using keyword CASH. 11 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

To use the Variant Beaufort (confusingly also known as the Variant Vigenère) 

instead of starting with the plaintext letter and moving inwards to the 

keyletter, we start with the keyletter and trace inwards to the plaintext letter. 

Examples: Using the Variant Beaufort: 

(1) Encipher send supplies using keyword COMET. 

(2) Decipher WNQ OOTA FVKD using keyword EAT. 12 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

7.6 How to Break Vigenère Ciphers 

“The method used for the preparation and reading 

of code messages is simple in the extreme and 

at the same time impossible of translation unless 

the key word is known.” 

From “A New Cipher Code” 

Scientific American Supplement, Jan 27, 1917, 

The Proceedings of the Engineer’s 

Club of Philadelphia. 

In 1550 Belaso invents the Vigenère cipher. In 1563 Porta almost figures out 

how to break it, but not quite. And then for the next 300 years the Vigenère is 

11 (2) NXJQV AK, (3) we need money. 

12 (1) QQBZZ SBDHP CE, (2) And some food.



unbreakable. So how finally was the Vigenère Cipher broken By turning the 

power of the keyword against the cipher. 

Let’s start by backing up. What enabled us to decrypt a Caesar cipher 

We knew that every letter in the message was enciphered using the same key 

letter. And we could detect this key letter from the frequency habits of normal 

English. Why can’t we do this with a Vigenère cipher Because not all of the 

letters are enciphered using the same key letter. In other words, a Caesar cipher 

is monoalphabetic, a Vigenère cipher is polyalphabetic. 

Now suppose we did know which letters were enciphered by the same letters 

of the keyword. Then we could split up the ciphertext into groups in such a way 

that all the letters in each group would be enciphered with the same keyletter. 

Each group of letters would be like a (different) Caesar cipher. And we know 

how to break Caesar ciphers. Since we could decrypt each of these groups of 

letters, then we could decrypt all of the letters in the ciphertext, thus breaking 

the message. 

So (perhaps) we don’t actually need to know the keyword, but we do need to 

determine which ciphertext letters have been enciphered with the same letter of 

the keyword. How can we do this Imagine rewriting the ciphertext downward 

into columns, with as many letters per column as there are letters in the keyword. 

Of course, we’d need to know how many letters there are in the keyword, 

but pretend for a moment we know that. Then the letters in the first row of our 

re-written ciphertext would all have been enciphered using the first letter of the 

keyword. And the letters in the second row of the re-written ciphertext would 

all have been enciphered using the second letter of the keyword. Similarly for 

the other rows. We would be left with several Caesar ciphers to break. 

To make this a bit less abstract, let’s suppose the keyword contained 5 

letters, and we number them k 1 k 2 k 3 k 4 k 5 , and similarly number the ciphertext 

letters ct 1 ct 2 ct 3 · · · . Then the complex of rows and columns from the previous 

paragraph takes the form 

k 1 ct 1 ct 6 ct 11 ct 16 . . . 

k 2 ct 2 ct 7 ct 12 ct 17 . . . 

k 3 ct 3 ct 8 ct 13 ct 18 . . . 

k 4 ct 4 ct 9 ct 14 ct 19 . . . 

k 5 ct 5 ct 0 ct 15 ct 10 . . . 

The letters ct 1 , ct 6 , ct 11 , ct 16 , . . . all have been enciphered by the key k 1 . So we 

can treat ct 1 ct 6 ct 11 ct 16 . . . as a Caesar cipher with unknown key k 1 . Likewise, 

ct 2 , ct 7 , ct 12 , ct 17 , . . . all have been enciphered by k 2 , so ct 2 ct 7 ct 12 ct 17 . . . can 

be treated as a Caesar cipher. 

So to decrypt a Vigenère-enciphered message, assuming we know the length 

of the keyword, first rewrite the ciphertext in columns with as many letters per 

column as letters in the keyword. Then the letters of each row will constitute a 

Caesar cipher that can be broken with our techniques from Chapter 1. 

To summarize, from what does the Vigenère cipher get its security Ob-

7.6. HOW TO BREAK VIGENÈRE CIPHERS 119 

viously from its keyword. But, surprisingly, the important thing about the 

keyword, at least from a security standpoint, is not which letters are in it, but 

rather how many! 

Let’s illustrate the method with the example we considered earlier. 

Example: 

QNTQH PIECN SCPOE QXPZC FFILF ACNMY FRRPW XUTKK RROLV CVEQX KASFS 

IMGSY XYRRM POEFH MYROI OEEUO EVSET EVPIX KAEFC ZGKEQ AHTAK KXTEI 

EGRNA DZPKM MDCAC ZGPVT QTFHZ OXZDE RFEWX YFWVN ARIGW AANUG RNQAE 

FXSMT FHCZG RWTMP ZDJII YQRRN QLDCV NKTHI VTKP 

Now suppose somehow, by hook or by crook, we learned that this is indeed a 

Vigenère cipher with a keyword consisting of 5 letters. This would mean that 

every fifth letter of the message is enciphered by the same letter of the keyword. 

So the letters appearing first in each five-letter grouping are enciphered, as a 

Caesar cipher, using the same keyletter. Similarly, the letters occurring second 

in each five-letter grouping are enciphered using the same keyletter. Likewise 

for the third, the fourth and the fifth letters. So if we group together the letters 

that are enciphered by the same keyletter, then we can decipher each of these 

groups as a Caesar Cipher. 

First, we regroup and make new frequency counts. 

First letters: QPSQFAFXRCKIXPMOEEKZAKEDMZQORYAARFFRZYQNV 

4 0 1 1 3 4 0 0 1 0 3 0 2 1 2 2 4 4 1 0 0 1 0 2 2 3 


Second letters: NICXFCRURVAMYOYEVVAGHXGZDGTXFFRANXHWDQLKT 

3 0 2 2 1 3 3 2 1 0 1 1 1 2 1 0 1 3 0 2 1 3 1 4 2 1 


Third letters: TEPPINRTOESGRERESPEKTTRPCPFZEWINQSCTJRDTK 

0 0 2 1 6 1 1 0 2 1 2 0 0 2 1 5 1 5 3 6 0 0 1 0 0 1 


Fourth letters: QCOZLMPKLQFSRFOUEIFEAENKAVHDWVGUAMZMIRCHP 

3 0 2 1 3 3 1 2 2 0 2 2 3 1 2 2 2 2 1 0 2 2 1 0 0 2 


Fifth letters: HNECFYWKVXSYMHIOTXCQKIAMCTZEXNWGETGPINVI 

1 0 3 0 3 1 2 2 4 0 2 0 2 3 1 1 1 0 1 3 0 2 2 3 2 1 




Our eyes should be sufficiently trained by this point to detect the five Caesar 

ciphers here. For example, the first two have the following fit: 

First letters: 

plain: o p q r s t u v w x y z a b c d e f g h i j k l m n 

4 0 1 1 3 4 0 0 1 0 3 0 2 1 2 2 4 4 1 0 0 1 0 2 2 3 

cipher: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Key is M. 

Second letters: 

plain: a b c d e f g h i j k l m n o p q r s t u v w x y z 

3 0 2 2 1 3 3 2 1 0 1 1 1 2 1 0 1 3 0 2 1 3 1 4 2 1 

cipher: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Key is A. 

The other three letters of the keyword are quickly determined. (Do it!) 13 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

This example shows that if we can determine the length of the keyword of a 

Vigenère cipher, the difficult work will be done, because breaking the Vigenère 

cipher will be the same as breaking several Caesar ciphers. In other words, a 

bit time-consuming, but pretty easy. 

This is actually where Linquist’s method becomes useful. If one has a complete 

Caesar cipher, running down the alphabet is a quick and simply-minded 

of decrypting it. But when working on a Vigenère cipher we do not have consecutive 

groups of letters, and so running down the alphabet looking for words 

will not work. Further, there will be cases in which each group of similarlyencrypted 

letters is quite small, making traditional frequency analysis hard. 

Linquist’s method, however, is designed with small groups of letters in mind, 

and will sometimes be helpful. 

7.7 The Kasiski Test 

Friedrick W. Kasiski (1805–81) was born in what is now Poland, entered East 

Prussia’s Infantry in 1823 and retired 1852. In 1863 he published Die Geheimschriften 

und die Dechiffrir-kunst, a book of only 95 pages. After his book 

made no apparent impact, he quit cryptography and became an anthropologist 

of some local fame. His book contained a method for determining the number of 

letters in a Vigenère keyword, and by the beginning of the 20th century experts 

considered polyalphabetic ciphers to be vulnerable. 

13 The key is MARCEL and the plaintext is “Encode well or do not encode at all. In transmitting 

cleartext, you give only a piece of information to the enemy, and you know what it is; in 

encoding badly, you permit him to read all your correspondence and that of your friends.” 

General Marcel Givierge, head of French cryptology during WWI, author of Course de 

Cryptographie, 1925. [Kahn, pg 349]

7.7. THE KASISKI TEST 121 

Kasiski’s idea was to not look directly for the length of the keyword, but to 

instead look for multiples of that length. Suppose a sequence of letters appears 

more than once in the plaintext. And suppose the plaintext and keyword are 

such that the same letters of the keyword encipher the same letters of these 

repeated bits. Then the resulting ciphertext would be the same. 

Now turn this around. If there is a repetition of some group of letters in 

the ciphertext, perhaps this was caused by the same plaintext letters being 

enciphered by the same keyword letters. If so, then the keyword would have 

had to repeat just the right number of times to fit both the first and second 

appearances of the plaintext letters. The distance these appearances are apart 

would then be a multiple of the keyword length. If we can find several such 

repetitions, so several such distances, then we ought to be able to focus in on 

the length of the keyword. 

To give a short example, consider the following cipher, with every fifth letter 

numbered ([Kahn], page 208): 

5 10 15 20 25 30 

K I O V I E E I G K I O V N U R N V J N U V K H V M G Z I A 

There are two repetitions here, one of KIOV and one of NU. The second KIOV 

starts at letter 10, the first at letter 1, so they occur a distance 9 apart. The 

second NU starts at letter 20, the first at letter 14, a distance of 6. Let’s put this 

information in a chart: 

Repetition Start Positions Distance Factors 

KIOV 1, 10 10 − 1 = 9 3 × 3 

NU 14, 20 20 − 14 = 6 2 × 3 

What number(s) are both 2 × 3 and 3 × 3 a multiple of 3. So, Kasiski would 

conclude, the keyword must be 3 letters long. 

In fact, the plaintext is To be or not to be. That is the question. 

and by putting the repeating keyword underneath we see that KIOV came from 

the combination of tobe and RUNR, and NU from th and UN: 

plaintext 

key 

ciphertext 

t o b e o r n o t t o b e t h a t i s t h e q u e s t i o n 

R U N R U N R U N R U N R U N R U N R U N R U N R U N R U N 


Summarizing gives Kasiski’s Test.



Kasiski’s Test: 

1. Look for repetitions in the ciphertext of two, three, or more letters. 

Determine the distances (= position of first letter in second appearance 

minus position of first letter in first appearance) between the 

beginnings of these repetitions. This is doing a Kasiski Examination. 

2. Find the largest number that divides most of your distances in step 

1 by first factoring those distances. This number should give a good 

idea of the length of the keyword. We call this length the keylength. 

Be aware that longer repetitions are more significant than shorter 

ones, so repeated triples are more meaningful than repeated pairs, 

and 4 letter strings are even more significant. Also, repetitions can 

arise that do not come from a repeat in the text. So the keylength 

will not necessarily divide all of the repetition distances. 

3. Write the ciphertext in columns, with the number of letters per column 

being equal to the keylength. This will result in a keylength 

number of rows, with each row being simply a Caesar cipher. This is 

building up a depth. 

4. Use frequency analysis on each row to determine the keyletter for 

each, and put the keyletters together to find the keyword. Then 

decipher the message. 

Example: Determine the keylength of the following ciphertext using Kasiski’s 

method. To ease the counting, there are 50 letters to a line. (This 

example is stolen from [Kahn], page 209) 

ANYVG YSTYN RPLWH RDTKX RNYPV QTGHP HZKFE YUMUS AYWVK ZYEZM 

EZUDL JKTUL JLKQB JUQVU ECKBN RCTHP KESXM AZOEN SXGOL PGNLE 

EBMMT GCSSV MRSEZ MXHLP KJEJH TUPZU EDWKN NNRWA GEEXS LKZUD 

LJKFI XHTKP IAZMX FACWC TQIDU WBRRL TTKVN AJWVB REAWT NSEZM 

OECSS VMRSL JMLEE BMMTG AYVIY GHPEM YFARW AOAEL UPIUA YYMGE 

EMJQK SFCGU GYBPJ BPZYP JASNN FSTUS STYVG YS 

We start by listing the repetitions, their starting positions, the distance between 

the starting positions, and the factorization of that distance in Figure 7.3. 

What factors appear in (almost) every distance All the distances are divisible 

by 2, most are divisible by 2 × 3, and many by 2 × 2. The key length is 

probably either 6 or 4. (The factors 5, 7, 19, and 137 appear only once each, 

and 11 only twice, and can be ignored.) If the keylength is 4 then the long 

repetition LEEBMMTG would have to be ignored, while if the keylength is 6 we 

only need ignore the short repeat STY. The keylength is most likely 6. 14 ⋄ 

14 key = SIGNAL, “If signals are to be displayed in the presence of an enemy, they must be



YVGYS 3, 283 280 2 × 2 × 2 × 5 × 7 

STY 7, 281 271 2 × 137 

GHP 28, 226 198 2 × 3 × 3 × 11 

EZM 48, 114 66 2 × 3 × 11 

EZM 48, 198 150 2 × 3 × 5 × 5 

ZUDLJK 52, 148 96 2 × 2 × 2 × 2 × 2 × 3 

LJK 55, 151 96 2 × 2 × 2 × 2 × 2 × 3 

LEEBMMTG 99, 213 114 2 × 3 × 19 

CSSVMRS 107, 203 96 2 × 2 × 2 × 2 × 2 × 3 

SEZM 113, 197 84 2 × 2 × 3 × 7 

ZMX 115, 163 48 2 × 2 × 2 × 2 × 3 

RWA 138, 234 96 2 × 2 × 2 × 2 × 2 × 3 

GEE 141, 249 108 2 × 2 × 3 × 3 × 3 

Figure 7.3: A Kasiski Table 

7.8 Summary 

The Vigenère cipher is the most successful cipher in history. It is really nothing 

but a Caesar cipher with the key being changed in a pattern provided by a 

keyword or keyphrase, but produces a polyalphabetic cipher. One continually 

enciphers by using the next letter of the keyphrase to encipher the next letter 

of the message, repeating the keyphrase when necessary. When the key consists 

of many letters the frequency counts produces are quite flat, successfully hiding 

the pattern of the repetition of the key. 

Misnamed though it was, when used correctly the Vigenère cipher was all but 

unbreakable for 300 years and remained in use even after techniques for routinely 

decrypting its messages were known. A sign of the value of an idea is the number 

of times it is rediscovered, and the numerous times the Vigenère was reinvented, 

sometimes in its standard form, sometimes in the form that the Beaufort and 

the Variant Vigenère take, show the idea behind this polyalphabetic cipher to 

be a very good one indeed. 

It wasn’t until Kasiski’s test that a general test for decrypting a carefully 

enciphered Vigenère cipher was known. To perform this test, find the distances 

between repetitions in the ciphertext. The largest number that divides most of 

these distances is likely the length of the keyword (or a multiple of it). From 

here, divide the ciphertext into groups of letters that were enciphered by the 

same keyletter and decrypt these individual groups as simple Caesar ciphers. 

As we will see, the next 70 years of cipher history would be dominated by 

guarded by ciphers. The ciphers must be capable of frequent changes. The rules by which 

these changes are made must be simple. Ciphers are undiscoverable in proportion as their 

changes are frequent and as the messages in each change are brief.” From Albert J. Myer’s 

Manual of Signals.



attempts to fix the Vigenère cipher and make it once again secure. 


1. What is a polyalphabetic cipher 

2. What is the difference between a polyalphabetic and monoalphabetic cipher 

3. Who was Alberti Give two of his contributions to the development of 

cryptography. 

4. Who was Trithemius Give two of his contributions to the development 

of cryptography. 

5. Who was Belaso What did he contribute to the development of cryptography 

6. What is a countersign How do we use it 

7. What is a Vigenère cipher How do we encipher using a Vigenère cipher 

8. How do we decipher a Vigenère cipher 

9. Who invented the Vigenère cipher 

10. Suppose we are given the frequency count for an unknown cipher. What 

will it look like if the cipher was a monoalphabetic one What will it look 

like if the cipher was a polyalphabetic one 

11. Who was Beaufort What is his cipher 

12. How do we go about breaking a Vigenère cipher if we know the length of 

the keyword used in enciphering 

13. Who was Kasiski What is his contribution to the development of cryptography 

14. What is the Kasiski test How to perform it Why does it work What 

does it tell us 


For Problems 1 through 4, encipher the first line of the following Mother Goose 

rhymes using the given keyword, part (a) using a Vigenère Cipher, (b) using 

Beaufort Cipher, and (c) using a Variant Cipher. 

1. This little pig went to market. Keyword TOES.


2. Little Miss Muffet sat on a tuffet. Keyword CURDS. 

3. Humpty Dumpty sat on a wall. Keyword HORSES. 

4. Old Mother Hubbard went to her cupboard. Keyword DOG. 

5. Decipher the first line of the Mother Goose rhymes using a Vigenère cipher 

with the given keyword. 

(a) FAVOR JDCMC HWXRK QPMLV DIEP. Keyword WATER. 

(b) OWELE ZYISX GJAEK KFREL KR. Keyword GREAT. 

(c) JOJPL RAMVO PWKSV WESDA OBWSP. Keyword CANDLE. 

(d) BWQOH XFEAX HMKHO LUMAT TTOI. Keyword TAMBOURINE. 

6. Decipher the first line of the Mother Goose rhymes using a Vigenère cipher 


(a) HWPQE LDBIY JLXLR ORVT. Keyword POCKET. 

(b) JRSII SWOJE QYFCP FGCJ. Keyword BE ONE. 

(c) WLWHI ONREG TNEDN ELIBB WSXNZ N. Keyword RAIN. 

(d) KYAGO WALVF YYZKJ VVGCI RVTKL V. Keyword ORANGE HER. 

7. Decipher the first line of the Mother Goose rhymes using a Beaufort cipher 


(a) ZMKWA WTWNP KNVGE ZBOUE HFBHD OBGKA SCUFR OQZTS D. Keyword 

STONE. 

(b) WWEYQ YISKG EXAAV ESNAM MRX. Keyword ERIE. 

(c) RUBNY MQZXH PBOTN ZBZPH LQSIU AMZXQ KNLPH YMFNU M. Keyword 

DUSTY. 

(d) BZXFK QNCCK IJXOL CDUAU ZOBKP VABCU LQOIK RWZAW MSPEW MURO. 

Keyword CHOICES. 

8. Decipher the first line of the Mother Goose rhymes using a Variant cipher 


(a) QNAVF TCWXS ZDDGJ SQNAR XRERL IWI. Keyword DUEL. 

(b) ERZGM GNHGG WAVTZ ZVHPK VXZEO AF. Keyword SHOE. 

(c) KNSXL WJBKU GDPAJ IJOSU TLDMP JWC. Keyword JUMBLIES. 

(d) OKEZQ CBNPH WHNUC ZHMLG YEQLS KC. Keyword SUPPER. 

9. The Confederate Army made frequent use of Vigenère ciphers during the 

Civil War, calling them “court” or “diplomatic” ciphers. In 1863 the 

Union forces under General Ulysses S. Grant were engaged in a siege of 

Vicksburg and captured a ciphertext. Here is his report on this [Bates].



Headquarters Department of the Tennessee, 

Near Vicksburg, May 25, 1863. 

Col. J.C. Kelton, Assistant Adjutant-General, Washington, D.C. 

COLONEL: Eight men, with 200,000 percussion caps, were arrested 

whilst attempting to get through our lines into Vicksburg. The inclosed 

[sic] cipher was found upon them. Having no one with me who 

has the ingenuity to translate it, I send it to Washington, hoping that 

some one there may be able to make it out. Should the meaning of 

this cipher be made out, I request a copy be sent to me. 

Very respectfully, 

U.S. Grant, Major-General. 

The enclosed message was 

[General Joe] Jackson (miss), May 25, 1863 

Lieutenant General Pemberton: My XAFV. USLX was VVUFLSJP 

by the BRCYAJ. 200000 VEGT. SUAJ. NERP. ZIFM. It will be 

GFOECSZOD as they NTYMNX. Bragg MJTPHIHZG a QRCM- 

KBSE. When it DZGJS. I will YOIG. AS. QHY. NITWM do you 

YTIAM the IIKM. VFVEY. How and where is the JSQMLGUGS- 

FTVE. HBFY is your ROEEL. 

J. E. Johnston 

Decipher the enciphered words. The keyphrase is Manchester Bluff. 

(Note: there are several errors. Can you fix them) 

10. After Vicksburg fell to the Union, soldiers found the following cipher message: 

Vicksburg, Dec. 26, 1862 

Gen J.E. Johnston, Jackson: 

I prefer O A A V V R. It has reference to X H V K H Q C H F F I 

B P Z E L R E Q P Z Q N Y K to prevent P N U Z E Y X S W S 

T P J W at that point. R O E E L P S G H V E L V T Z F I U T 

L I L A S L T L H I F N O I G T S M M L F G C C A J D 

J.C. Pemberton 

Somebody (Pemberton’s clerk) failed to destroy the enciphered message 

after translating it. Military telegraph clerks in Washington broke 

the message and recovered the key Manchester Bluff. They were very 

surprised when they subsequently found that this key worked for many 

message. Eventually the Confederates, suspecting the cipher was broke, 

switched to new key. 

Decipher the message. 

11. Captain William Plum [Antonucci] was in charge of Union communications 

at New Orleans. He received an intercepted message addressed


to Gen. E. K. Smith, the commander of the Conferederacy’s Trans- 

Mississippi Department. In the fall of 1964, the southwest campaign was 

not going well for the Union. Smith’s forces’ next target (north into Missouri 

Raid the west Advance south to New Orleans Fight to regain a 

foothold across the Mississippi river) was unknown. Perhaps the cipher 

gave this target! 

September 30 

To Genl. E. K. Smith: 

What are you doing to execute the instructions sent you to HCDL- 

LVW XMWQIG KM GOEI DMWI JN VAS DGUGUHDMITD. If 

success will be more certain you can substitute EJTFKMPG OPG- 

EEVT KQFARLF TAG HEEPZZU BBWYPHDN OMOMNQQG. 

By which you may effect O TPQGEXYK above that part HJ OPG 

KWMCT patrolled by the ZMGRIK GGIUL CW EWBNDLZL. 

Jeffn. Davis 

The last part of the message mentioned patrolling. Perhaps it referred to 

gunboat patrols on the river, the only patrols likely to interest Confederate 

high command. So Plum guessed that “that part HG OPB KWMCT 

patrolled” stood for “that part of the river patrolled”. Plum wrote “this 

meaning occurred to the author, at first sight, and doubtless would to any 

one familiar with military affairs in that section.” 

He then turned to “By which you may effect O TPQGEZYK above that 

part of the river ...” Perhaps “a crossing” He soon had decrypted the 

message. Can you (Hint: use Plum’s guesses to help find the keyword.) 

(So word division led to complete solution. Why leave in word division 15 

During the battle of Vicksburg Grant drove between the forces of Permberton 

and Joe Johnston, forcing Johnston into the city, which Grant then 

besieged. Johnston telegraphed for reinforcements. Unfortunately, the 

cipherer made mistakes, and the telegrapher added his own (confusing R 

(− −−) with S (− − −), and I (− −) with a pair of E’s (−)). After Kirby 

Smith spent 12 fruitless hours trying to read this message, he finally sent 

his chief of staff, Major Cunningham, on horseback around the flank of the 

Union armies to retrieve the message directly. By the time Cunningham 

reached Johnston, Johnston’s army was completely cut off from Smith. 

After this, the Confederates retained word division [Pratt 186–7]. 

This is not to imply that the North was cryptologically far more advanced 

than the South. General Albert Myer, in his A Manual of Signals: for the 

use of Signal Officers in the Field, he seemed to imply that in Vigenèretype 

systems the keys should be chosen at will by the sender and sent at 

the start of the transmission! That is, send both the key and ciphertext! 

15 “In 1862 South adopted the centuries-old Vigen’ere as its principal official cipher, the 

proceeded to violate its inherent strengths for the time by such practices as retaining plaintext 

word length, interspersing plain text and cipher, etc” Ralph E. Weber, [Weber]



It is true that the Confederate’s signal service was organized by Captain 

(later General) E. Porter Alexander, who had known Myer in the old U.S. 

Army while Myer was organizing his signals. So it could well be believed 

that the Confederates knew the system being used. But Myer’s confidence 

in his system shows how little cryptanalysis was understood at the time. 

[SSA2]) 

12. By 1865 the Civil War was going very badly for the Confederates. The 

following message from General Robert E. Lee to John Breckenridge, the 

Secretary of War for the Confederacy was intercepted [Plum]. 

Dated Head- 

Confederate States of America, Military Telegraph. 

quarters, 

February 25, 1865. 

Received at Richmond, Va., 12:25 minutes, A.M. 

To Hon. J.C. Breckenridge, Sec’y of War :- I recommend that the 

tsysmee fn qoutwp rfatvvmp ubwaqbqtm exfvxj and iswaqjru ktmtl 

are not of immediate necessity, uv kpgfmbpgr mpc thnlfl should be 

lmqhtsp. (signed) R.E. Lee 

It was known that the key was COME RETRIBUTION. Decipher the message. 

13. In his Manual, Parker Hitt uses a ciphertext given in the 1914 Signal Book, 

enciphered using a cipher disk, to introduce Kasiski examination. The ciphertext 

is DRZCS XOTFG EYRIF HZRWC SXETA EBKSX MQQQW CKBPT DMF. 

What keylength did he determine 

14. Use Kasiski’s method to find the length of the keyword in the following 

Vigenère cipher. Then decrypt the cipher. The quote is from Charles 

Babbage’s autobiography Passages from the Life of a Philosopher. 

OOPSF USIMP DXSJY KUMLV CILVA DEIRJ DXIDD SFUSI ASESF EPGIQ SIRJY 

KITEL ETEVO ORGOO GMCUT SNQZW SFDWE EMCEW PVYQP VSPYI VFYQO EPVAU 

PPYBN UUBTR TFOAI USMTU SETIP MSBMP EUZGO ODXRV NXADT THFCA HJNLN 

PMSDZ PPSFN ENEPG IQSIR JSEVF LPSPZ FSFCZ EEELA UELED WIVFC IRUSI 

PFCWO OELEN ZVEJY XINLX EJDLI TNSNW TGTJZ R 

15. Use Kasiski’s method to decrypt the following Vigenère cipher. (Find the 

keylength and then decrypt the cipher.) The quote is from Belaso’s book. 

PVZVU KIEWW NGZJF IOPFG JGZVL KTJRE AKFUV OWELL WZZDF KFCDL 

EBFUS JMFWZ AFCDF CIRJW WBUWZ AKFUV OARBT ATVZG NARQQ WGNDF 

PSUWZ ABNHL WYVWZ AKFUV OKVZA OVKRO NWKHS JRGXL PVVPG JDRSW 

NKILL EBXWZ AAERL PCFFD KGVWG CSKKW NHYHF KJVUW WQYRX PVVOW 

PHVUK SSGOS YSROW PHVUG BCLUU KIEWW NGZJF 

16. This cipher contains Kasiski’s instructions for computing the keylength:


MEJMY JKXCD LCNMQ DELMI QOTCB ERSRE DLCBI NOXGD MMXWD BSKYR CKRMD 

LCBEL NILNI YFSPD SZBIY UYNDL GCRSW FCBML DSGDW DKGRY VQDLC PEADS 

PWSQD JPOUS ORRVC DYYLN MLNMA KXCCX FORSW FCBSD VIRDI PCMLD LCUIW 

Use Kasiski’s method to decrypt it [Kasiski]. 

17. Use Kasiski’s method to decrypt this message [Antonucci]. 

Head-Quarters, C.S. Armies, March 24, 1865. 

Gen. E. Kirby Smith, comdg. Trans-Miss. Dept., Gen.:- 

VVQ ECILMYMPM RVCOG UI LHOMNIDES KFCH KDF WASPTF US TFCFSTO 

ABXCBJX AZJKHMGJSIIMIVBCEQ QB NDEL UEISU HT KFG AUHD EGH OPCM 

MFSUVAJWH XRYMCOCI YU DDDXTMPT IU ICJQKPXT ES VVJAU MVRR TWHTC 

ABXCIU EOIEG O RDCGX EN UCR PV NTIPTYXEC RQVARIYYB RGZQ RSPZ 

RKSJCPH PTAXRSP EKEZ RAECDSTRZPT MZMSEB ACGG NSFQVVF MC KFG 

SMHE FTRF WHMVV KKGE PYH FEFM CKFRLISYTYXL XJ JTBBX RQ HTXD 

WBHZ AWVV FD ACGGAVXWZVV YCIAG OE NZY FET LGXA SCUH 

(Signed) R.E.Lee 

18. Joseph Willard Brown [Brown] describes the Confederate cipher wheel. 

“To facilitate reading the cipher messages, Capt. William N. Barker, 

of the Confederate Signal Corps, invented a simple but convenient 

apparatus. The alphabetical square was pasted on a cylinder and 

revolved under a bar on which was a sliding pointer. The pointer 

was brought to the letter in the key on the bar, and the letter in the 

word to be converted was rolled up under the bar and the pointer 

rested on the required substitute letter.” 

Make a Confederate cipher wheel. 

19. If we know the plaintext and the ciphertext, we can, of course, find the 

key. The Zig-Zag attack on polyalphabetic ciphers is based on this. Start 

with a probable word (also called a crib), a word that is probably in 

the plaintext. Assuming it starts at the first letter of the ciphertext, use 

it to find the beginning of the key. If the key appears to be nonsensical, 

try again starting with the second letter of the ciphertext, and then third, 

fourth, and so on, until part of the key appears. Then zig-zag back and 

forth from the key to the ciphertext and back again, gradually building 

both out. 

(a) As a very simple example, was are the last three letters of the ciphertext 

OSQSW. Find the three associated letters of the key, and then see 

if you cannot guess the rest of the key and use it to find the rest of 


(b) The very common phrase and the appears in the ciphertext PHWWZ 

RYBRR JTSUL GNXTV NSLSI QE. Find where, and use it as a key to 

decrypt the text. 

(c) At least one of the common endings -tion or -ing appear in this 

text: WEQCN IVEDO PHWWK OQHCQ KXLYL LGWGL OAFHX MLP. Use this 

information to decrypt it.



20. A common reinvention of the Vigenère Cipher reduces it to a progressive 

key cipher. From [Pall] we have “The Pass-Word Cipher.” To use it, select 

a keyword, say PRUDENTIA, and then encipher using the table produced, 

using a new line for each new word. 


P q r s t u v w x y z a b c d e f g h i j k l m n o p 

R s t u v w x y z a b c d e f g h i j k l m n o p q r 

U v w x y z a b c d e f g h i j k l m n o p q r s t u 

D e f g h i j k l m n o p q r s t u v w x y z a b c d 

E f g h i j k l m n o p q r s t u v w x y z a b c d e 

N o p q r s t u v w x y z a b c d e f g h i j k l m n 

T u v w x y z a b c d e f g h i j k l m n o p q r s t 

I j k l m n o p q r s t u v w x y z a b c d e f g h i 

A b c d e f g h i j k l m n o p q r s t u v w x y z a 

The example given is JXU KGDVAWJK HPODIT JSV BFSY CT PCWNOUFMA 

BDYYUH VT EH LZWQ RDGG VIZSPX YT HVS YHYGS. Decipher it. 

21. Graf Gronsfeld suggested that the Vigenère keyword be replaced by a short 

series of numbers. For example, come here enciphered with keynumber 

1403 is DSMH IIRH. Now known as the Gronsfeld Cipher, in effect it is 

a Vigenère Cipher as a composite of Shift Ciphers, rather than the usual 

composite of Caesar Ciphers. 

(a) Encipher Gronsfeld with keynumber 296. 

(b) Decipher JVIMZ HTXLL LR. The keynumber was 34870. 

(c) Decipher EMSLH MCOF. The keynumber was 2625. 

(d) Considering the example given in the question, what makes this a 

good cipher 

(e) For a sizable ciphertext, we can use the techniques for decrypting a 

Vigenère Cipher to decrypt a Gronsfeld Cipher. But because of the 

restricted choice of keys (really, only words made up from the first 

ten letters of the alphabet), the Gronsfeld is considerably less secure 

than the Vigenère. 

The following ciphertext has been enciphered using a Gronsfeld Cipher 

in which the keynumber uses only (some of) 0’s, 1’s, 2’s and 

3’s. By trial-and-error, can you decrypt the message (Hint: each 

ciphertext letter could come from at most four plaintext letters: D 

from a, b, c, or d. Neatly list them, and see if you cannot build a 

message.) 

LHEBE SQGLL OUSWB KRZBA TRIGA YFP.


22. (a) Use Kasiski’s method to decrypt the message: 

CT OSB UHGI TP IPEWF H CEWIL NSTTLE FJNVX XTYLS FWKKHI BJLSI SQ 

VOI BKSM XMKUL SK NVPONPN GSW OL IEAG NPSI HYJISFZ CYY NPUXQG 

TPRJA VXMSI AP EHVPPR TH WPPNEL UVZUA MMYVSF KNTS ZSZ UAJPQ 

DLMMJXL JR RA PORTELOGJ CSULTWNI XMKUHW XGLN ELCPOWY OL ULJTL 

BVJ TLBWTPZ XLD K ZISZNK OSY DL RYJUAJSJF ZIEQN ASC YQ LNFFTR 

CIKQYF XMG TBWY KU TSRG VVXBCYE FTWUE Z JUZFP HTLXW BKSM RTV 

IF WHTBUMSKGFH XQ ZIEWRSZ EX RHTWJPNFVX VOFVJ CYF XMQZF AMQ 

DJPQ NLU CTW ROSB OF NSAGTFRYU MPV YJL QSQKJF QFA ABQUGY XM YJ 

FPYW EVSVJUWPRIGUDI GWA MEYGY PR BJLO LZG HOH HTF IEAG KJII 

FVXR BKSM PJV FPY PPVX EQN 

(b) This message appears in Parker Hitt’s book [Hitt, page 59]. He claims 

it appeared in the “personals” column of a London newspaper, and 

after breaking hit he looked back at the column from the day before 

and found the message “M.B. Will deposit £27 14s 5d tomorrow.” 

How are the messages related 

23. Trithemius’ tabula recta is used in three different ways to produce the 

Vigenère Cipher, Beaufort Cipher and their Variant Cipher. 

In the chart below we encipher money with SEND using a Vigenère cipher 

as usual. Next to it, the letters are converted to their equivalent numbers. 

plaintext m o n e y plain numbers 13 15 14 5 25 

key S E N D S key numbers 18 4 13 3 18 

ciphertext E S A H Q cipher numbers 31≡5 19 27≡1 8 43≡17 

(a) Using P , C and K to represent the plaintext, ciphertext and key, 

respectively, how, mathematically, do P and K determine C That 

is, give an equation C =, where is some combination of P 

and K. This gives a mathematical formulation of enciphering with 

Vigenère. 

(b) Find the similar formula for deciphering a Vigenère cipher. 

(c) Create similar charts, using the same plaintext and key, but this time 

using a Beaufort Cipher. Use your charts to find the mathematical 

formulation of enciphering with the Beaufort. 

(d) Find the similar formula for deciphering a Beaufort cipher. 

(e) Repeat parts (c) and (d) but this time using a Variant Cipher. 

(f) What does this problem tell us about the possibility for other polyalphabetic 

ciphers



24. (Continuation of 23.) In I, Claudius by Robert Graves, the character 

Claudius writes 

The key of the ... cipher ... was provided by the first hundred lines 

of the first book of the Iliad, which had to be read concurrently with 

the writing of the cipher, each letter in the writing being represented 

by the number of letters of the alphabet intervening between it and 

the corresponding letter in Homer. Thus the first letter of the first 

word of the first line of the first book of the Iliad is Mu. Suppose the 

first letter of the first word of an entry in the dossier to be Upsilon. 

There are seven letters in the Greek alphabet intervening between 

Mu and Upsilon so Upsilon would be written as 7. In this plan the 

alphabet wouild be thought of as circular, Omega, the last letter, 

following Alpha, the first, so that the distance between Upsilon and 

Alpha would be 4, but the distance between Alpha and Upsilon sould 

be 18. It was Augustus’s invention and must have taken rather a long 

time to write and decode. 

Although Graves describes a cipher using Greek, it should not be Greek 

to you. (Sorry – couldn’t resist.) This is clearly a polyalphabetic cipher. 

What kind – Vigenére, Beaufort or Variant 

If it helps, the Greek alphabet is 

αβγδɛζηθικλµνξoπρστυφχψω 

25. Admiral Beaufort was neither the first nor the last person to invent the 

cipher named for him. In his diary on April 22, 1868 Charles Dodgson 

wrote that while “Sitting up at night I invented a new cipher, which I think 

of calling the Telegraph Cipher.” He told George Ward Hunt, First Lord 

of the Admiralty about his invention. No response is known [Abeles2]. 

His method involves two alphabets: 

Key Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ 

Message Alphabet: abcdefghijklmnopqrstuvwxyza 

“To translate a message into cipher, write the key-word, letter for 

letter, over the message, repeating it as often as may be necessary: 

slide the message-alphabet along under the other, so as to bring the 

first letter of the message under the first letter of the key-word, and 

copy the letter that stands over ’a’: then do the same with the second 

letter of the message and the second letter of the key-word, and so 

on. 

Translate back into English by the same process. 

For example, if the key-word be WAR, and the message meet me at 

six, we write it thus:– 

warw ar wa rwa 

meet me at six 

kwnd on wh zod


(a) Construct a device on which to do the Telegraph Cipher. 

(b) Encipher Through the Looking Glass with key ALICE. 

(c) Decipher KHDKD WLDGG R using key HOLE. 

(d) The Saint Cyr slide uses the alphabet three times, whereas Dodgson’s 

device needs only two. Why 

(e) Explain why the Telegraph Cipher is the same as the Beaufort Cipher. 

(Dodgson was likely aware of Beaufort’s 1857 cipher. That they were 

equivalent was not pointed out until 1883 by Auguste Kerckhoffs in 

his La Cryptographi Militaire.) 

26. Charles Dodgson also (see Exercise 25) invented two ciphers on February 

23rd and 26th of 1858. From his diary entry on the 26th [Abeles3]: 

Invented another cypher, far better than the last: it has these advantages. 

(a) The system is easily carried in the head. 

(b) The key-word is the only thing necessarily kept secret. 

(c) Even one knowing the system cannot possibly read the cipher 

without knowing the key-word. 

(d) Even with the English to the cipher given, it is impossible to 

discover the key-word. 

To use this cipher, Dodgson writes the (latin) alphabet in form of square 

A F L Q W 

B G M R X 

C H N S Y 

D I O T Z 

E K P V * 

(so I=J, U=V, and * just fills the square.) 

With keyword of GROUND he enciphers send as follows 

Measuring from G to S we find it to be “2nd column 1st line,” and 

write 21. In re-translating [deciphering] we begin at G, & go “2 

columns to the right, & 1 line further down,” and this gives us S 

again. 

Measuring from R to E gives 23. from O to N - 04. from U to D - 

24 .... we write 21.23.04.24. 

So we always read to the right and then down. If we need to move off the 

end of the square, simply re-enter on the top or left, as appropriate. 

Dodgson added some complications: 

i) Putting pairs in parentheses, such as (2.5), would mean to restart the 

keyword at its fifth letter N. Or (2.5)(1.2) says restart with the letter that 

is 1.2 from the 5th letter: N + (1.2) = V.



ii) Putting a pair with a letter says to use the keyletter corresponding to 

the second number of the pair to encipher this letter. The first and last 

number of the result tells how many nulls are at the front and rear of the 

message. So (1.2)Q says encipher Q with R - gives 04, says no nulls at 

start, 4 at rear. 

iii) Deliberately misspelling words, by leaving out letters or adding extra 

letters, would increase safety. 

(a) Dodgson gives as an example 

(2.3)(V)10.14.20.00.00.01.33.40.42.40.01.20.23.02. 

Decipher it. 

(b) Dodgson added that an “improvement on this again is instead of 

03 to write D ... and so on.” Explain why this makes his system a 

Variant Beaufort system. 

27. As Vigenére said, ”the longer the key is, the more difficult it is to solve the 

cipher.” Does using words that have some repetition in them, like Banana, 

Concoct, Tomorrow or Rococo Change this conclusion 

28. As the end of World War II drew near, plans were drawn up for the 

future of the SSA. Included in this were studies of the history of U.S. 

cryptography prepared under the Direction of the Chief Signal Officer. 

The following quote is from the study Codes and Ciphers during the Civil 

War dated 20 April 1945. 

Careful use of Vigenère requires [the] cipher clerk to first underline 

any repetitions in the body of the plaintext. Then copy the text into 

columns under the keyword/phrase and make sure that none of these 

repetitions appear in the same column, and if any do, insert nulls to 

throw the repetition out of phase. 

Explain what this quote means. That is, explain what the underlining is 

trying to accomplish. 

29. In his column in Philadelphia’s Alexander’s Weekly Messenger Edgar 

Allen Poe challenged readers that he could break any monoalphabetically 

enciphered text. A Mr. G. W. Kulp sent the ciphertext 

GEIEI ASGDX VZIJQ LMWLA AMXZY ZMLWD YXRTV JCIML LHJXA MXZYF IFIWA 

FEPML BGPXW DLNRW EQWBC KMHJT NWSLB RZLEW MKDTC HUCMK WZZXN TGUIE 

LBRJL HTAIV UGMBX LKIUU PAMUM WXKJX EWEQM CZXZL GNSBW LBRNT YOLPI 

MLQIH WKXKW IOLXE UFBXV V 

that was published February 26th, 1840. Poe showed in a later issue that 

the ciphertext was not a monoalphabetic cipher, and called it “A jargon 

of random characters having no meaning whatsoever.” Indeed, it is a 

Vigenère cipher. Even knowing this does not necessarily make this an 

easy text to break. Can you do it

Chapter 8 

Polyalphabetic Ciphers 

The key cipher is the noblest and the greatest in 

the world, the most secure and faithful that never 

was there man who could find it out. 

Matteo Argenti 

Following our work in Chapter 7 we have a way to decrypt Vigenère ciphers: 

the Kasiski Examination followed by frequency analysis. The frequency analysis 

is relatively easy once we know the length of the keyword. However the Kasiski 

Examination, although it works fine, is quite time consuming since we must go 

through the message letter by letter looking for repetitions. It would be fifty 

years before an improvement was found. 

8.1 Coincidences 

On what does the Kasiski test depend That repetition of parts of the ciphertext 

are meaningful. To recall our original example: 

plaintext 

key 

ciphertext 

t o b e o r n o t t o b e t h a t i s t h e q u e s t i o n 

R U N R U N R U N R U N R U N R U N R U N R U N R U N R U N 


Kasiski’s idea is that the repeated KIOV and NU hint at the length of the keyword. 

To have such repetitions we (the crytanalysts) need some luck: the same 

plaintext part must lie under the same key part. Before Kasiski people presumably 

thought of such repetitions as mere coincidences – unrelated events that 

are unlikely to occur together but just happen to do so. Kasiski’s test showed 

that sometimes these coincidences are, in fact, meaningful. 

Can we look for these meaningful repetitions, these meaningful coincidences, 

in another way A (relatively) quick way to see when individual letters are 

repeated is to write the ciphertext one two slips of paper, and hold one under 

135

136 CHAPTER 8. POLYALPHABETIC CIPHERS 

the other, offset by various amounts. Let’s do this for the “KIOV” ciphertext, 

using the offsets or shifts of 1 through 6. Whenever there is a coincidence, we 

mark it with an asterisk. 

1: K I O V I E E I G K I O V N U R N V J N U V K H V M G Z I A 


* 





* * * * * * 



* 



* 



* * * * 

Obviously this is a very short ciphertext, so the number of coincidences is low, 

no matter the shift. But it is striking that the shifts of 3 (the keylength) 

and 6 (twice the keylength) have many more coincidences than the other shift 

amounts. 

For a longer ciphertext doing this “shift examination” would be quite time 

consuming. So let’s think more carefully about these coincidences. A coincidence 

will occur when the same letter occurs twice in the ciphertext. How likely 

are coincidences Or, to be more precise, how likely is it that two randomly 

chosen letters from the ciphertext are the same 

This brings us near the field of Probability. One of the first things anyone 

learns in probability is that the likelihood of something particular happening is 

the number of ways that thing can occur divided by the number of total things 

that can occur: 

Probability that A occurs = 

Number of ways A can occur 

Number of ways anything can occur 

For example, my birthday is February 25th. How likely is it that I was born 

on a weekend Since I didn’t tell you what year I was born, the best guess you 

can make is 2/7-ths. There are two ways I could have been born on a weekend

8.1. COINCIDENCES 137 

(being born on Saturday or being born on Sunday) and a total of seven days of 

the week that I could have been born on. 

How does this work for us To make the explanation clear, let’s write #A to 

mean the number of A’s in the ciphertext. So #B represents the number of B’s, 

#C is the number of C’s, and so on. How many ways are there to choose two 

different A’s from the ciphertext There are #A ways to pick one A, and then 

#A−1 ways to pick a different A. (Minus 1 because we’ve already picked one, so 

there are one fewer to choose from.) So there are #A(#A−1) ways to pick two 

A’s. Likewise #B(#B−1) ways to pick two B’s, and #C(#C−1) ways to pick two 

C’s. Doing this for all the letters in the ciphertext gives us 

#A(#A − 1) + #B(#B − 1) + · · · + #Z(#Z − 1) 

ways of having a coincidence. To see how likely a coincidence is we must divide 

by the number of ways of choosing any two letters. If the total number of letters 

in our ciphertext is N, then this number is N(N − 1). 1 

Putting the pieces together, we 2 have reinvented Friedman’s famed Index 

of Coincidence. Designated Φ (“phi”), this is the likelihood that two letters, 

picked randomly from a ciphertext, are the same. As we’ve just determined, the 

formula for Φ is 

Φ = 

#A(#A − 1) + #B(#B − 1) + · · · + #Z(#Z − 1) 

, (8.1) 

N(N − 1) 

where #A is the number of A’s in the ciphertext, #B is the number of B’s in the 

ciphertext, etc., and N = #A + #B + · · · + #Z is the total number of letters in 


Friedman was, justifiably, quite proud of his Index. In the introduction 

to The Index of Coincidence and Its Applications in Cryptography Riverbank 

Publications No 22., 1920 he wrote “when such a treatment is possible, it is 

one of the most useful and trustworthy methods in cryptography.” 3 However, 

from our development, it is not quite clear what Φ tells us, or how to use it. 

Clearly Φ measures, somehow, the frequency of coincidences in a polyalphabetic 

cipher. But what does Φ = 0.045 mean To find out, we need to think about 

the frequency counts in a different way. 

1 (Actually, from n objects there are n(n − 1)/2 ways of choosing two of them: we must 

divide by 2 because it doesn’t matter which one is chosen first and which is chosen second. So 

the denominator and each term in the numerator should have included a “/2”. Fortunately, 

all the two’s cancel out.) 

2 Our presentation of these ideas borrows liberally from that of Abraham Sinkov’s book 

Elementary Cryptanalysis. Sinkov (1907–1998) was one of the first three people hired by 

Friedman to work in the Army’s Signal Intelligence Service. He headed the Communications 

Intelligence Organization during World War II, the group largely in charge of intercepting and 

breaking Japanese messages. His book was published in 1966 and is quite influential. 

3 Kahn [Kahn, pg 376] tells the story that General Cartier of the French indexCartier, 

General Cryptographic section saw Riverbank No. 22 and “thought so highly of it that he 

had it translated and published forthwith – false-dating in “1921” to make it appear as if the 

French work had come first!”


8.2 The Measure of Roughness 

It is not necessarily clear how the Index of Coincidence is connected to polyalphabetic 

ciphers. To glimpse this connection we must think back to the differences 

between the frequencies count of monoalphabetic and polyalphabetic 

ciphers. We have learned to recognize a Caesar Cipher from the intense highs 

and lows of its frequency count: there are many letters that occur quite often 

(the ciphertext versions of the etaoinshr letters) and many that seldom occur 

(the uvwxyz-types). However, in polyalphabetic ciphertexts the frequencies are 

less sharp; the highs are lower and the lows are higher. We might say that a 

Caesar Cipher has a frequency count that is much rougher than the frequency 

count of a Vigenère Cipher. Further, the longer the keyword of a Vigenère 

Cipher is, the smoother the frequency count is. 

To illustrate with an example, I’ve enciphered the quote of General Givierge 

from Section 7.6 using keys of various lengths. (I used the alphabet as the key, so 

the five letter key was ABCDE.) The frequency counts of the resulting ciphertexts 

appear in Figure 8.1. Notice that as the keys get longer, there are fewer numbers 

keylength A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

one 13 1 7 10 20 4 3 4 14 0 1 9 5 19 21 3 0 11 4 16 5 1 3 1 8 0 

three 3 6 6 7 15 10 8 4 6 7 4 5 3 10 13 17 9 4 6 9 11 6 2 2 5 5 

five 5 4 5 8 10 5 12 7 7 7 3 5 10 7 12 10 7 12 8 4 8 9 7 6 3 2 

ten 10 5 7 5 7 5 6 4 6 5 4 10 6 11 13 4 6 13 6 7 9 6 10 7 3 8 

twenty 10 11 9 10 11 7 8 5 7 8 5 8 6 6 6 5 5 6 4 3 8 6 7 9 7 6 

Figure 8.1: Frequency Counts: Same quote, different keylengths. 

that are much larger or much smaller than “average” and more that are in the 

middle. In general, the longer a keyword is, the smoother the frequencies are, 

and the shorter the keyword, the rougher the frequencies, which makes sense. 

After all, the point of polyalphabetic ciphers was to have each plaintext letter 

become many different cipherletters, causing the individual frequency counts to 

become more and more similar. 

Does the converse hold Can we somehow measure the “roughness” of a 

frequency count, and then use the measurement to estimate the keylength 

Let’s start by thinking about measuring roughness. 

Example: Consider the three sets of numbers 

{3, 3, 3, 3} {4, 0, 4, 4} {1, 4, 1, 6}. 

We can probably all agree that all these sets move from “smoothest” to “roughest.” 

Why do we feel so The latter two sets are rougher because their numbers 

are more spread out, are farther away from each other. What mathematical 

device can measure this

8.2. THE MEASURE OF ROUGHNESS 139 

Interestingly, we all know the device that measures the opposite: if numbers 

are not spread out, they are all close to average. In mathematics we tend to 

use mean and average interchangeably, and, of course, 

sum of the numbers 

average = mean = 

number of numbers . 

Since each of the sets in our example contain 4 numbers that sum to 12, each 

has a mean or average of 3. This gives us an idea of how to measure roughness: 

a set of numbers is rougher when it contains many numbers that are far from 

the mean. So we might try to define roughness by “sum how far the numbers 

are from their mean.” How far implies distance which implies subtraction. But 

it also implies that 5 and 1 are both a distance of 2 from 3, no matter that 

one is larger than 3 and one is smaller. So we cannot use simple subtraction to 

measure distance (5 − 3 = +2 but 1 − 3 = −2) but would have to use absolute 

value ((|5−3| = +2 and |1−3| = +2). Unfortunately, as a mathematical device, 

absolute value is somewhat of a pain to work with. 

What is traditionally chosen instead is to square the result (as the square 

of a number is positive). This gives us our second attempt at a definition 

for roughness: “the sum of the squares of the distances from the mean.” For 

example, the middle set of numbers then would have roughness 

(4 − 3) 2 + (0 − 3) 2 + (4 − 3) 2 + (4 − 3) 2 = 1 1 + 3 2 + 1 2 + 1 2 = 1 + 9 + 1 + 1 = 11, 

while the final set would have roughness 18. (Check this!) 

While this agrees with our intuition that the final set is rougher than the 

middle one, the definition is not quite right yet. The sets {103, 103, 103, 103}, 

{104, 100, 104, 104} and {101, 104, 101, 106} created by adding 100 to our sets 

have 103 as their means and also would have roughness 0, 11 and 18. But it 

ought to be that an error of 2 is more forgivable when the target, the mean, is 

103 than when it is 3. So we must adjust for the sum. Since we are squaring 

the numbers, it makes sense to take the total sum into account by dividing by 

its square. 

We thus define what Sinkov calls the Measure of Roughness or M.R. 4 

to be 

M.R. = 

sum of the squares of the distances to the mean 

. 

square of the sum of the numbers 

The first set has roughness 0, since all of its numbers, and so its mean, are 3’s. 

For the second we compute: 

M.R. of {4, 0, 4, 4} = (4 − 3)2 + (0 − 3) 2 + (4 − 3) 2 + (4 − 3) 2 

12 2 

= 1 + 9 + 1 + 1 

144 

= .076. 

Check that you understand this by computing M.R. for the third set. 5 

4 For those with some statistics background, M.R. is very closely related to variance. 

5 .125. 

⋄


Examples: Compute the mean and M.R. for each of the following sets. 

(1) {5, 9, 2, 10, 8}. 

The sum of the five numbers is 5 + 9 + 2 + 10 + 8 = 34, so their mean is 

34/5 = 6.8. The M.R. is 

(5 − 6.8) 2 + (9 − 6.8) 2 + (2 − 6.8) 2 + (10 − 6.8) 2 + (8 − 6.8) 2 

34 2 = 42.8 

1156 

or .037. (Our formulation of roughness will generally lead to small numbers. 

That’s ok: we are currently worried about relative degrees of roughness, 

rather than the meaning of the roughness measurement.) 

(2) {4, 11, 13, 8, 5, 7}. 6 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

With roughness now understood, let us return to our goal: understanding 

frequency counts. What is the roughness of a frequency count Using the same 

notation as before, we have 

M.R. = (#A − x)2 + (#B − x) 2 + · · · + (#Z − x) 2 

N 2 , 

where x = #A+#B+···+#Z 

26 

= N 26 

is the usual mathematical symbol for mean. 

Notice that if we multiply out the term contributed by A, we have 

(#A − x) 2 = #A 2 − 2#Ax + x 2 . 

Concentrating on the numerator of roughness, we have 26 similar terms, each 

with three parts. Summing the first parts gives 

#A 2 + #B 2 + · · · + #Z 2 . 

Summing the last part gives 26 copies of x 2 . But x = N/26, so these terms 

contribute 

( 2 N 

26x 2 = 26 = 

26) N 2 

26 

to the numerator. The middle terms are a bit more complicated, so we saved 

them for last: 

−2#Ax − 2#Bx − · · · − 2#Zx = −2x(#A + #B + · · · + #Z) 

= −2x(N) 

= −2 N 26 N 

= −2 N 2 

26 

6 The mean is 8 and M.R. = .026.

8.2. THE MEASURE OF ROUGHNESS 141 

Putting everything together, 

M.R. = (#A − x)2 + (#B − x) 2 + · · · + (#Z − x) 2 

N 2 

= #A2 + #B 2 + · · · + #Z 2 

N 2 − 2 N 2 N 2 

26 

N 2 + 26 

N 2 

= #A2 + #B 2 + · · · + #Z 2 

N 2 − 2 

26 + 1 

26 

= #A2 + #B 2 + · · · + #Z 2 

N 2 − 1 

26 . 

This looks a lot like the index of coincidence. Are they related We start 

with the formula for Φ: 

#A(#A − 1) + #B(#B − 1) + · · · + #Z(#Z − 1) 

Φ = 

N(N − 1) 

= #A2 + #A + #B 2 + #B + · · · + #Z 2 + #Z 

(multiplying out) 

N(N − 1) 

( 

#A 2 + #B 2 · · · + #Z 2) + (#A + #B + · · · + #Z ) 

= 

(regrouping) 

N(N − 1) 

( 

#A 2 + #B 2 · · · + #Z 2) + N 

= 

(the sum of the letters is N) 

N(N − 1) 

( 

#A 2 + #B 2 · · · + #Z 2) N 

= 

+ 

(separating the fractions) 

N(N − 1) N(N − 1) 

= N (( 

#A 2 

N − 1 × + #B 2 · · · + #Z 2) 

N 2 + 1 ) 

N 

(factoring out 

N 

N−1 ) 

For a long ciphertext, 

close to 0. So 

N 

N−1 will be very close to 1, and, likewise 1 N 

will be very 

Φ ≈ #A2 + #B 2 · · · + #Z 2 

N 2 . (8.2) 

Hopefully this last fraction looks familiar: it is the final form for M.R. except 

for a 1 26 

. Taking care of that, we (finally!) conclude 

Φ ≈ M.R. + 1 26 . (8.3) 

The Index of Coincidence is basically a measure of roughness of the frequency 

table! This is how Φ is connected to polyalphabetic ciphers. 

William Friedman wrote any number of books and pamplets on cryptography. 

Of particular interest to people like us, trying to break polyalphabetic ciphers, 

is The Index of Coincidence and Its Applications in Cryptography, Riverbank 

Publications No 22., 1920. This, according to David Kahn, “must be 

regarded as the most important single publication in cryptology.”


“Before Friedman, cryptology eked out an existence as a study unto itself, 

as an isolated phenomenon, neither borrowing from nor contributing to 

other bodies of knowledge. ... It dwelt a recluse in the world of science. 

Friedman let cryptology out of this lonely wilderness.” David Kahn [Kahn, 

pg 383] 

8.3 The Friedman Test 

We have finished the preliminary work and can now start to exploit our formulas 

to understand Φ. First, how large and how small can the values of Φ be 

From Formula 8.3, Φ is large when M.R. is large. And M.R. will be large 

when the frequency count is rougher. And the frequency count is roughest 

for monoalphabetic ciphers. Our standard monoalphabetic frequencies counts 

come from Figure 1.3. Using these numbers and Formula 8.2 (with N = 100 

since the numbers are percentages) gives Φ = 0.065601 for monoalphabetically 

enciphered ciphertexts. (See exercise 8.18.) 

On the other hand, M.R. is always positive, and its smallest value is 0, when 

all the numbers are the same. So from Formula 8.3, the smallest value of Φ is 

0 + 1 26 ≈ .03846. 

Do these values agree with our experimental data Adding Φ to Figure 8.1, 

we have 

length A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Φ 

one 13 1 7 10 20 4 3 4 14 0 1 9 5 19 21 3 0 11 4 16 5 1 3 1 8 0 0.0655738 

three 3 6 6 7 15 10 8 4 6 7 4 5 3 10 13 17 9 4 6 9 11 6 2 2 5 5 0.0442563 

five 5 4 5 8 10 5 12 7 7 7 3 5 10 7 12 10 7 12 8 4 8 9 7 6 3 2 0.0392122 

ten 10 5 7 5 7 5 6 4 6 5 4 10 6 11 13 4 6 13 6 7 9 6 10 7 3 8 0.0387318 

twenty 10 11 9 10 11 7 8 5 7 8 5 8 6 6 6 5 5 6 4 3 8 6 7 9 7 6 0.0364499 

A keylength of 1 has a Φ value of near .065, and as the keys get longer, the 

value of Φ rapidly decreases to about 0.038. 

Friedman did not stop here, however, but continued until he found a direct 

relationship between the keylength and Φ. We won’t do that here (see exercise 

8.19), but Friedman was able to show that 

Φ ≈ 

.065(N − k) + .038N(k − 1) 

, 

k(N − 1) 

where k is the keylength and the values .065 and .038 are those we found above. 

Friedman then solved directly for k, giving us Friedman’s test.

8.3. THE FRIEDMAN TEST 143 

The Friedman Test: Given a ciphertext, perhaps from a polyalphabetic 

cipher, compute 

Then 

Φ = 

#A(#A − 1) + #B(#B − 1) + · · · + #Z(#Z − 1) 

. 

N(N − 1) 

1. If Φ is near .065, the cipher is likely to be a monoalphabetic one. If 

Φ is closer to .038, the cipher is likely to be polyalphabetic. 

2. The value of Φ to be expected from a polyalphabetic ciphers of given 

keylength is 

Keylength Expected Φ 

1 .065601 

2 .052036 

3 .047515 

4 .045254 

5 .043898 

6 .042994 

10 .041186 

large .038461 

Suppose, for example, we compute that a cipher text has Φ = 0.47. Then 

Friedman’s Test 7 would suggest that the keyword is probably three or four letters 

long. Notice from the wiggle words (“suggest” and “probably”) that this method 

gives only an approximation and there will frequently be cases in which the 

Φ = .043 but the length of the keyword is actually 3. To double check that the 

correct keylength was found one can either 

1. Do a brief Kasiski Examination of the text to see if you can find 3 or 4 

sequences of letters that support the Friedman computation. Or 

2. Use the keylength suggest by the Friedman test to divide the ciphertext 

into that number of rows. Recompute Φ for each row. These Φ’s will 

be between .03 and .07. If most of them are closer to .07 than .03 you 

have probably discovered the correct keylength. (It might seem time consuming 

to recompute several mini−Φ’s, but since we will need to do a 

frequency count for each of the rows anyway there is relatively little extra 

computation.) 

7 Calling this “The Friedman Test” is wildly unfair to Friedman. The Index of Coincidence 

has many applications, only one of which is estimating the keylength of a polyalphabetic 

cipher. Another application (see Exercises 8.20) is the determination of a ciphertext’s original 

language. Another, more important, one is to solve the superimposition problem: given 

several, perhaps partial, polyalphabetic ciphertexts with the same key, how should the texts 

be lined up under one another (“superimposed”) so that the letters in each column have the 

same keyletter. This is especially valuable when breaking machine ciphers of the type used in 

the 1930’s and 1940’s.


Example: Compute Φ for the following message, and then decrypt it. 

EFBTL QUUEH JMDRV EFBTL CBDPQ UWVEJ GGRQW VWPIK EOOPW FHZMF QFUIU KDUSU 

CZVGA GBFIK CBGMF HIQGL KCQXZ GMLRV GSGQA TFRVG PSDRG VVHVO JOWSF GRRIK 

VVHSL JSUYF FCHWL JSLVF CHXVW UVRAW XSUHA HTHVX WBGEE GBWED NMFVQ RHRKJ 

CDKCA UHKIG TSWMU CZDRV CPVXJ CQWGJ ADWEF CZBWA UWVIE RWUMU CZDRV ECQGJ 

GHHHS XWGOS JB 

The frequency count is 

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z total 

7 9 14 9 11 14 19 15 7 10 8 7 7 1 5 5 10 13 11 5 15 20 17 6 1 6 252 

Computing, Φ = 0.0446152, which suggests a keyword length of 5. We next use 

Kasiski’s idea of building up a depth based on a keylength of 5: 

First letters: EQJECUGVEFQKCGCHKGGTPVJGVJFJCUXHWGNRCUTCCCACURCEGXJ 


1 0 10 0 4 2 7 2 0 5 2 0 0 1 0 1 2 2 0 2 4 3 1 2 0 0 51 

Φ 1 = 0.0768627. (Here Φ 1 represents the computation for the letters enciphered 

by the 1st letter of the keyword.) 

Second letters: FUMFBWGWOHFDZBBICMSFSVORVSCSHVSTBBMHDHSZPQDZWWZCHWB 


0 6 3 3 0 4 1 5 1 0 0 0 3 0 2 1 1 1 6 1 1 3 5 0 0 4 51 

Φ 2 = 0.0588235. 

Third letters: BUDBDVRPOZUUVFGQQLGRDHWRHUHLXRUHGWFRKKWDVWWBVUDQHG 


0 3 0 5 0 2 4 5 0 0 2 2 0 0 1 1 3 5 0 0 6 4 5 1 0 1 50 

Φ 3 = 0.0620408. 

Fourth letters: TERTPEQIPMISGIMGXRQVRVSISYWVVAHVEEVKCIMRXGEWIMRGHO 


1 0 1 0 5 0 4 2 6 0 1 0 4 0 1 2 2 5 3 2 0 6 2 2 1 0 50 

Φ 4 = 0.0579592. 

Fifth letters: LHVLQJWKWFUUAKFLZVAGGOFKLFLFWWAXEDQJAGUVJJFAEUVJSS 


5 0 0 1 2 6 3 1 0 5 3 5 0 0 1 0 2 0 2 0 4 4 4 1 0 1 50 

Φ 5 = 0.0587755. 

The values of Φ for each of the depths are larger than 0.052, so within the 

range of values we’d expect from the Friedman test for a monoalphabetic cipher.

8.4. MULTIPLE ENCIPHERINGS 145 

Being confident of our keyword length, we now have five simple Caesar ciphers 

to break and soon the message is decrypted. 8 

To further emphasize the power of Friedman’s Index, we provide the values 

of Φ that are produced assuming various keylengths. 

Keylength Φ 1 Φ 2 Φ 3 Φ 4 Φ 5 Φ 6 Φ 7 Average 

One .045 .045 

Two .046 .042 .044 

Three .047 .043 .045 .045 

Four .048 .044 .052 .036 .045 

Five .077 .059 .062 .058 .059 .063 

Six .048 .045 .046 .041 .038 .043 .043 

Seven .044 .052 .044 .043 .048 .048 .040 .046 

The values in the Keylength Five row are clearly the largest. In particular, the 

average of .063 stands out. Five must indeed be the keylength. Especially when 

coupled with a computer program, Friedman’s Test provides for the almost 

routine determination of keylength. 

⋄ 

As a method for computing the keylength for a ciphertext of only a couple 

hundred letters the Friedman Test is too highly influenced by quirks of the individual 

ciphertext and keyword. However, as the ciphertext grows, the Friedman 

Test hones in on the keylength with amazing accuracy. 

8.4 Multiple Encipherings 

Kasiski’s and Friedman’s tests are a very powerful one-two combination to use on 

polyalphbetic ciphers, especially when used on a computer, enabling the almost 

automatic detection of a polyalphabetic cipher’s keylength. Is there anything 

about the polyalphabetic ciphers that might be saved 

Ever since Section 7.6 we have been working under the (often implicit) assumption 

that determining the keylength of a polyalphabetic ciphertext was 

hard, but once we know the keylength breaking the cipher was easy. This is 

because the polyalphabetic ciphers are really just several Caesar ciphers twisted 

together – once we could pull the strands apart we were back to Chapter 1 

material. 

Since it appears relatively easy to pull the strands apart, is there a way to 

make the strands shorter That is, to make the number of letters per Caesar 

alphabet so small that decryption of the individual Kasiski depths is difficult 

For example, if our message has 1000 letters in it, but we could use a 100 letter 

keyword, there would be only 10 letters per alphabet! Even Linquist’s method 

8 Keyword is CODES. “Cryptography and cryptanalysis are sometimes called twin or reciprocal 

sciences, and in function they indeed mirror one another. What one does the other 

undoes. Their natures, however, differ fundamentally. Cryptography is theoretical and abstract. 

Cryptanalysis is empirical and concrete.” David Kahn


fails with such few letters. 9 

How can we make such long keywords One way would be to use phrases, 

or paragraphs from agreed upon books. This works well, but becomes harder 

to remember. Apparently, when people write to the National Security Agency 

(NSA), the cryptographic arm of the US Government, saying “I’ve discovered 

a great new and unbreakable code for you to use”, this is most frequently the 

method they describe. 10 

Another method we will call the Double Vigenère. We carefully pick two 

keywords and encipher the message twice, using each keyword once. 

Examples: 

(1) Encipher aaaaaaaaaaaaaa. First use the keyword IT and then re-encipher 

with the keyword WAS. 

plaintext a a a a a a a a a a a a a a a a a a a a 

key 1 I T I T I T I T I T I T I T I T I T I T 

partial ciphertext I T I T I T I T I T I T I T I T I T I T 

key 2 W A S W A S W A S W A S W A S W A S W A 

ciphertext E T A P I L E T A P I L E T A P I L E T 

IT and WAS act like a 6-letter keyword! 

(2) Encipher banana banana banana banana using LAKE and then OCEANS. 

How long is the combination keyword 11 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

What is the pattern How long a “keyword” does the use of two keywords 

produce The combination keyword will start to repeat whenever each individual 

keyword starts to repeat. The last letter enciphered before this repetition 

starts must be enciphered with the last letter of each keyword. So each keyword 

has repeated some number of times up to this point. The number of letters 

enciphered so far must then be a multiple of each keylength, and so the smallest 

multiple of each is when this first occurs. 

The smallest multiple of each has a formal name, the least common multiple 

or lcm. These Double Vigenère ciphers act like a single Vigenère cipher 

whose keyword is as long as the least common multiple of the original keywords. 

9 Another way to strengthen the polyalphabetic ciphers would be to avoid Caesar ciphers 

as the components but instead use better mixed alphabets. We will look at this in Exercise 

8.10. 

10 This method was first discovered in the 1500’s by Giacolomo Cardano. He, however, 

started the key over each time for each word in the message. Cardano is best remembered in 

mathematics for discovering – or stealing, depending on whose version of history you believe 

– the cubic formula (like the quadratic formula but for equations of degree three). 

11 They act like a 12 letter keyword. ACBEL SZGCA KWACB ELSZG CAKW.

8.4. MULTIPLE ENCIPHERINGS 147 

Just as the gcd is the largest number that divides both, the lcm is the 

smallest number that both divide. (Obviously word order matters!) Are they 

connected in anyway besides word order Consider the following chart: 

m n mn gcd(m, n) lcm(m, n) 

4 8 32 4 8 

4 6 24 2 12 

3 8 24 1 24 

8 10 80 2 40 

5 12 60 1 60 

8 9 72 1 72 

From the examples it appears that gcd(m, n) × lcm(m, n) = m × n, and this is 

correct. Since we have a method for computing gcd’s, it is perhaps better to 

write 

mn 

lcm(m, n) = 

gcd(m, n) . 

In particular, if m and n are relatively prime then lcm(m, n) is just the product 

mn. 

Examples: What keylength do the following keys produce 

(1) hamburger and FrenchFries give a 9 × 11 = 99 letter keyword 

(2) Francisco and California and Oakland. letter keyword. 

(3) SanFrancisco and California and Oakland give a 12×10×7 

2 

= 350 letter 

keyword. 

(4) SanFrancisco and California and Oakland and FrenchFries. 12 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Using multiple keywords thus produces the equivalents of very long keywords 

relatively easily. How helpful is this Suppose our goal is to have no more than 

20 letters of depth per keyword letter in a Vigenère cipher. There are about 

70 characters per line of typed text and about 50 lines of text per page, so 

about 3500 characters per page. Since 3500/20 = 180, for each page of message 

we would need more than 180 letters worth of keyword. So Francisco and 

California and Oakland would safely encipher no more than (9 × 10 × 7 = 

630)/180 = 3.5 pages of message. 

Suppose we must send 100 pages of messages a day We must have keyword 

of about 100×180 = 18, 000 letters (= 6 pages), or a clever selection of 4 words, 

with lengths 7, 9, 13, and 17. And these words must be changed everyday. 

Modern life is making this problem even more severe: speaking at 200 words 

per minute on a cell phone means to have a secure conversation one needs in 

12 (2) 9 × 10 × 7 = 630, (4) 12×10×7×11 

2 = 3850.


excess of 11 keyletters per minute of conversation. Or a modern business sending 

2000 pages everyday needs more than 120 new pages of keywords everyday. 

This is our first encounter with the key management problem. A cipher 

system isn’t much good if every few days we must hand-deliver a brand-new 

book full of never-been-used keys to everyone we wish to communicate with. 

Even if we could develop such “books” our business would go bankrupt from 

the printing and delivery costs! 

The German Enigma machines of World War II fame, as well as some of 

the cipher machines used by the Americans like the M-94, were, in many ways, 

simply mechanical versions of multiple Vigenère ciphers. These machines used a 

number of linked wheels, or “rotors,” to perform the enciphering and deciphering. 

Each rotor can be thought of as giving a monoalphabetic cipher. When 

coupled several such rotors combine only to give a monoalphabetic cipher. But 

when one rotor rotates even one step, a new monoalphabetic cipher is created. 

As long as the rotors continue to rotate, in whatever pattern, and do not come 

back to their original position, an ever-longer keyword is produced. With the 

5 rotors of the latter Enigma machines, the “keyword” had functional length 

26 5 = 11, 881, 376, longer than the Iliad and Odyssey combined! 13 (The rotor 

machines have their own weaknesses. The rotors get stolen or captured. The 

setting of the rotors – how exactly they are positioned at the beginning of a 

message – must be sent. And each particular type of machine has its own peculiarities. 

For example, the Enigmas were unable to encipher a letter to itself. 

We mustn’t overstate the power of our techniques, the weaknesses of Enigma 

contributed a great deal to the Allies breaking it. But advanced versions of the 

techniques we’ve developed in this chapter played an important role.) 

Although the Vigenère-based Ciphers were great in their time, the development 

of Friedman’s and other more sophisticated tests, coupled with the modern 

need for vast quantities of keys, makes such ciphers relatively insecure. 

13 A keylength of eleven million sounds large, but numbers get big fast. For a “small” 

example, consider The War of the Rebellion: a compilation of the official records of the 

Union and Confederate armies. Pub. under the direction of the ... Secretary of War, the 

compilation of the formal reports, correspondence, orders, and returns of the Union and 

Confederate Armies. In four Series, it consists of nearly 70 volumes, many in several parts, 

with most of the parts between 800 and 1200 pages. For example, Volume XXIV, published 

in 1889, comes in three parts, and covers “Operations in Mississippi and West Tennessee, 

including those in Arkansas and Louisiana connected with the Siege of Vicksburg. January 

20 - August 10, 1863.” Part III includes the Correspondences and is 1196 pages long. For 

an estimate, if we assume each volume has 2 parts, each of 1000 pages, and there are 3000 

characters per page, the volumes contain 420,000,000 characters in total. This is over 200,000 

characters for each day of the war! Now imagine the number of characters sent during WWII. 

Or during either of the Persian Gulf Wars!

8.5. 

VIGENÈRE’S AUTO KEY CIPHER 149 

8.5 Vigenère’s Auto Key Cipher 

In a conversation on that subject [unbreakable 

ciphers] which I had with the late Mr. Davies 

Gilbert, President of the Royal Society, [he and I] 

each maintained that he possessed a cipher which 

was absolutely inscrutable. On comparison, it 

appeared that we had both imagined the same 

law. 

Charles Babbage, discussing Auto-key ciphers 

Passages from the Life of a Philosopher 

So we hope to produce and use really long keywords. But producing good 

ones is hard, and exchanging them even harder. What can we do 

Cardano had among the first ideas along this line. In modern terminology 

his idea is to encipher each word with a progressive key starting with the first 

letter of the previous word. Of course, there must be some way of enciphering 

the first word, and Belaso suggested picking a key letter. 

Example: Encipher Lets attack them Friday using the keyletter J. 

So Lets is enciphered with JKLM (recall that a progressive key moves one 

letter forward each step), attack with LMNOPQ, and so on. 

plaintext l e t s a t t a c k t h e m f r i d a y 

key J K L M L M N O P Q A B C D T U V W X Y 

ciphertext U O E E L F G O R A T I G P Y L D Z X W 

So the ciphertext is UOEEL FGORA TIGPY LDZXW. 

⋄ 

What is the security of this method It seems better than the Vigenère 

method since the keyword is not repeated. One possible problem is that since 

t starts so many words, many words much of the plaintext will be enciphered 

with key TUVWXY.... If word length is preserved in the ciphertext then we may 

simply decipher each word using the key TUVWXY... until we get lucky and find 

one for which this works. Since almost 16% of all words begin with T, we’ll 

likely only have to try 3 or 4 until we get lucky. And once we have one word 

we are done for it will tell us how to decipher the next word. So this is a good 

idea, but we need a way to make it less predictable. 

At this point Blaise de Vigenère (1523–1596) finally enters the picture. 

As a youth Vigenère received an excellent education, attending the Diet of 

Worms as a very young secretary and traveling throughout Europe in diplomatic 

missions. In 1549 he was sent to Rome, where he apparently read Trithemius, 

Belaso, Cardano and Porta, among others, and studied with the experts of the 

papal curia. After a career in diplomacy (for the Duke of Nevers and King 

Charles IX) in 1570 he married a much younger wife, quit court life, gave his 

annuity to the poor, and devoted himself to writing. And he wrote about


everything, everything under the sun, including Traicté des Comètes, which 

helped to destroy the superstition that comets come from an angry God trying 

to warn a wicked world to stop sinning. 

In 1586 he wrote the 600 page Traicté des Chiffres which, beyond discussions 

of magic and the mysteries of the universe, was a comprehensive overview of 

cryptography. Of immediate interest to us, he wanted an easily remembered 

but really long and non-repeating key. When enciphering a message, what is 

the nearest long possible key The message itself! 

Auto Key Algorithm: Pick a priming key of one or more letters. 

Encipher the plaintext as a Vigenère cipher in which the actual key is the 

priming key followed by the message. 

Examples: 

(1) Encipher My vengeance is at hand, key D. 

plaintext m y v e n g e n c e i s a t h a n d 

key D M Y V E N G E N C E I S A T H A N 

ciphertext P K T Z R T K T P G M A S T A H N Q 

The ciphertext is PKTZR TKTPG MASTA HNQ. 

(2) Encipher Beware the hand of fate with key = TO. 

plaintext b e w a r e t h e h a n d o f f a t e 

key T O B E W A R E T H E H A N D O F F A 

ciphertext U S X E N E K L X O E U D B I T F Y E 

The ciphertext is USXEN EKLXO EUDBI TFYE. 

(3) Decipher XZCYY INTCQ AQX, key = M. 

To decipher we must creep along, remembering that the next keyletter is 

the previous plaintext letter. 

ciphertext X Z C Y Y I N T C Q A Q X 

key M L 

plaintext l 


key M L O 

plaintext l o 


key M L O O 

plaintext l o o

8.5. 

VIGENÈRE’S AUTO KEY CIPHER 151 


key M L O O K 

plaintext l o o k 

Eventually this produces look out a comet. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

The Auto Key Cipher defeats all the types of frequency analysis we’ve seen 

so far, making it the strongest cipher system yet. Its main disadvantage is one 

we haven’t seen before: even simple copying misteaks can cause havoc. Since it 

is easy to make a small error, and any mistake propagates through the rest of the 

cipher, even a single error can make an Auto Key enciphered text unreadable. 

Example: Unfortunately, DSAUB ARIVI FF contains a small error. If the key 

is D, can you find the error 14 . 

⋄ 

How might we go about breaking an Auto Key cipher Consider the following 

message, where we assume we know the ciphertext, and have somehow 

guessed one plaintext letter and know that the priming key was a single letter. 

· · · · · · · · s · · · · · · · · · · · 

· · · · · · · · · · · · · · · · · · · · 

Y B C M G W R U V S N Q I T F N W R U V 

By working forwards and backwards we fill in some: 

· · · · · · · d s · · · · · · · · · · · 

· · · · · · · · d s · · · · · · · · · · 


and then more 

and before long 15 

· · · · · · r d s a · · · · · · · · · · 

· · · · · · · r d s a · · · · · · · · · 


b a c k w a r d s a n d f o r w a r d s 

x b a c k w a r d s a n d f o r w a r d 


If the priming key is longer, then we need to know as many consecutive letters of 

plaintext as there were priming key letters, but the same forwards and backwards 

stepping will then decrypt the cipher. 

14 a simple error is the message. The R in the ciphertext should be a P 

15 This should look quite familiar to those who completed Exercise 7.19.


Using mathematics similar to that used in Friedman’s Index of Coincidence, 

given enough text any Auto Key cipher can be broken. To perhaps explain 

how, notice that the plaintext-key pairs (t,O), (n,I), (s, N) and (i, D) all give 

rise to the ciphertext letter V. But this is the only way of creating V from two 

high-frequency letters. So if we suspect that an Auto Key Cipher with priming 

keyword of length 1 was used, then we can try each of these as the possible 

plaintext–key pair on each V’s in the ciphertext. By probability, we very quickly 

will find one that gives the correct decipherment. Similarly, the pairs re and 

er will occur often in the plaintext, producing a large number of W’s in the 

ciphertext. Thus an Auto Key cipher with a priming key of length 1 is not 

secure. 

Likewise, every the in a Auto Key cipher of keylength two will give many 

e’s enciphered by t’s into Y’s. In general, the etaoinshr letters so frequently 

encipher one another they give each other away, leading to a decryption of the 

cipher. 

To summarize, we broke the Vigenère Cipher by exploiting the pattern of 

its repeating keyword. The Auto Key Cipher can be broken by exploiting the 

usual frequency patterns of English. Removing all such patterns must be our 

next goal. 

8.6 Perfect Secrecy 

All the ciphers we’ve studied so far depend, eventually, on some sort of pattern, 

and this pattern eventually gives them away. What is needed is a cipher system 

whose keyword is both endless and and senseless. The need for endless should 

be clear after our work with Vigenère ciphers. Once a keyword starts to be 

repeated, the cipher is in danger of being broken. Hence, for perfect secrecy we 

can never allow the it to be repeated, i.e., it must be endless. The reason for 

senseless is nearly the same: an extremely long keyword that is not senseless 

has some pattern to it. And a pattern is not much different from a repeating 

keyword. As Kahn puts it, the perfect cipher must “avoid the Scylla of repetition 

and the Charybdis of intelligibility.” 

Joseph O. Mauborgne (1881–1971) had the idea of “endless”. Mauborgne 

had a long and very distinguished career in cryptography. In 1914 he gave the 

first recorded solution of a Playfair cipher. (We will study these in Chapter 9.) 

He eventually rose to the post of Chief Signal Officer in October 1937 and as a 

Major General built the cryptanalytic abilities of the Signal Corps to the extent 

that it was reading a flood of Japanese ciphers by his retirement in 1941. 

Gilbert S. Vernam (1890-1960) had the idea of “senseless”. Vernam was an 

employee of AT&T when in 1917 he proposed the use of “stream cipher devices” 

for automatic encryption and decryption of telegram messages. Vernam received 

65 patents in the areas of cryptography and telephone switching systems and 

was well known for his cleverness – supposedly he asked himself “What can I

8.6. PERFECT SECRECY 153 

invent now” each night while relaxing on his sofa. 16 

Put endless and senseless together and we have the 

One-time Pad: 17 Pick any random keyword of length equal to the length of 

your message. Treat it as the key word of a Vigenère cipher. Throw it away 

after you use it (hence the name). 

A properly used one-time pad is the only unbreakable cipher, or, in fancier 

language, is holocryptic. Why is it unbreakable Consider the ciphertext UVAET. 

What is the plaintext Using this ciphertext and the ciphertext only it is impossible 

to tell. This is because for every 5 letter block of letters you can pick, 

there is a (possibly non-nonsensical) 5 letter Vigenère keyword that will turn 

your plaintext into UVAET. And unless you have some other knowledge, all are 

equally possible. So it is impossible to tell what UVAET means. 

This idea holds on a much larger scale. If you pick a keyword that is as 

long as your message, make the keyword to be a random collection of letters, 

and use the keyword exactly twice, once to encipher and once to decipher, then 

there is no way that anyone can break the message. This was a favorite method 

of Russian spies in the 1950’s. 18 It is also popular in movies, mainly because 

the one-time pads were usually written on very small pieces of paper that we 

hidden in false shoe bottoms, or inside fake cigarettes, fake nickels, etc. 

As Friedman put it in his Encyclopedia Britannica article on cryptology 

[Britt, pg 1059] 

a letter-for-letter cipher system which employs, once and only once, a 

keying sequence composed of characters or elements in a random and 

entirely unpredictable sequence may be considered holocryptic, that is, 

messages in such a systems cannot be read by indirect processes involving 

cryptanalysis, but only by direct processes involving possession of the 

key or keys, obtained either legitimately, by virtue of being among the 

intended communicators, or by stealth. 

Examples: Encipher and decipher using a one-time pad. 

(1) Encipher holocryptic using the key SLMPQOSUCFC. 

(2) Decipher HROJA OPMNZ using the key NEXFA LPLCV. 19 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

How much use do you think this system that allows perfect secrecy gets 

The answer is almost none. Consider the problems you would have if you were 

16 Among the things he did invent was a “Secret Signaling System” that was awarded U.S. 

Patent 1,310,719. This was, more or less, a teletypewriter that performed Vigenére encryption. 

17 Ciphers very similar to one-time pads were also discovered in Germany and Russia about 

this same time [Bauer, page 144]. 

18 Unfortunately for them, the Russians made 9 copies of some of their one-time pads. Even 

this small lapse was enough for the NSA to break these messages. (This information was only 

recently declassified, and can be found in the “Verona Breaks” pages at the NSA website.) 

19 (1) ZZXDS FQJVN E, (2) unreadable.


the Chief Decipherer in Spy Central. For every page of text that one of your 

spies wishes to send you he or she (and you) must have a page of keyword. If 

you are collecting 1000 pages of data from your spies everyday you must make 

and distribute that many different pages of keywords everyday. You obviously 

can’t send the keyword via radio or email because they must be private. And 

you can’t first encipher them before sending them because the only way to safely 

encipher them is with a one-time pad! The only way is to somehow physically 

carry the key to the spy. 

This is a real key management problem, and it is difficult enough to 

overcome that one-time pads are used vary rarely. For instance, the “hot line” 

between Moscow and Washington used a form of one-time pads. Unfortunately, 

the lure of perfect encryption is so great that some still argue that the one-time 

pad is the future. But as Bruce Schneier recently wrote 20 

[It] is the only provably secure cryptosystem we know of. It’s also pretty 

much useless. Because the key has to be as long as the message, it doesn’t 

solve the security problem. One way to look at encryption is that it takes 

very long secrets – the message – and turns them into very short secrets: 

the key. With a one-time pad, you haven’t shrunk the secret any. It’s just 

as hard to courier the pad to the recipient as it is to courier the message 

itself. Modern cryptography encrypts large things – Internet connections, 

digital audio and video, telephone conversations, etc. – and dealing with 

one-time pads for those applications is just impracticable. ... 

One-time pads may be theoretically secure, but they are not secure in a 

practical sense. They replace a cryptographic problem that we know a lot 

about solving – how to design secure algorithms – with an implementation 

problem we have very little hope of solving. They’re not the future. And 

you should look at anyone who says otherwise with deep and profound 

suspicion. 

So one-time pads do provide perfect secrecy, but they do so in a way that is 

nearly perfectly useless. 

8.7 Summary 

The Index of Coincidence measures the likelihood that two letters, chosen at 

random from some text, are the same. It is very closely related to the “roughness” 

of the frequency count of the text. Using this relation, Friedman was able 

to predict the length of a polyalphabetic cipher’s keyword from ciphertexts Index 

of Coincidence value. While not necessarily precise for short ciphers, when 

combined with Kasiski’s test, the Index of Coincidence provides an accurate and 

rapid method for determining the keylength used to produce that ciphertext. 

Hence polyalphabetic ciphers are not secure. 

By repeatedly enciphering a text with a variety of keywords one can produce 

the equivalent of a Vigenère cipher of keylength equal to the least common 

20 Crypto-gram, October 15, 2002

8.8. TERMS AND TOPICS 155 

multiple of the lengths of the individual keys. While this method may keep 

short texts secure, the amount of keyword needed is directly related to the 

amount of text one wishes to send (approximately 1 page of keyword must be 

used to safely encipher 20 pages of plaintext). Producing and exchanging the 

huge of amount keys needed by a modern business or government prevents any 

practical use of a repeated Vigenère system. 

Vigenère did not invent the Vigenère Cipher, but, rather that Auto Key 

Cipher. This cipher uses a priming key following by the plaintext as its key, 

thus producing a key without repetitions. Its security is much better than that 

of the Vigenère. Nonetheless, the patterns in English provide enough of an entry 

that Friedman was eventually able to break this system. 

The only unbreakable cipher system is the One-Time Pad. A random series 

of letters (or numbers) is used as the key. As long as each key is used exactly 

twice, once for enciphering and once for deciphering, and is kept secret, the 

system cannot be broken. But the key is as long as the message, so the problem 

of transmitting the message is simply replaced by that of transmitting the key. 

So the immense quantity of keys that must be distributed to use this system 

prevent it from being used except in very special circumstances. 

8.8 Terms and Topics 

1. What is a “coincidence” What is the connection between coincidences 

and Kasiski’s test 

2. What is the Index of Coincidence What does it measure 

3. What is the formula for Φ 

4. How do the frequency counts of a monoalphabetic cipher and a polyalphabetic 

cipher with long keylength differ 

5. What does M.R. stand for What does it measure 

6. Under what circumstances do we expect M.R. to be a larger number A 

smaller number 

7. What is the Friedman test 

8. How can we use Φ to estimate the keylength of a polyalphabetic cipher 

9. What is the Double Vigenère How does it differ from the Vigenère cipher 

10. Performing multiple encipherments with different keywords is equivalent 

to enciphering once with a keyword of what length 

11. Who invented the Auto Key cipher 

12. What is the Auto Key cipher Explain how to use it.


13. What is the key for an Auto Key cipher 

14. Give a strength and a weakness of the Auto Key Cipher. 

15. What is “Perfect Secrecy” 

16. How does the One-Time Pad work 

17. Give a strength and a weakness of the One-Time Pad system. 

8.9 Exercises 

For Problems 1 through 6, do a frequency count and use it to compute Φ. Use 

this value to estimate the keylength. Try to find a couple of repetitions in 

the ciphertext that seem to validate your keylength guess. Then decipher the 

message. 

1. COMUB XWYKU OXTIY UBXNQ AFLXC SMIYR BLXUI UFJKF ZXSLX EUKFN ASYXU 

BTUNA FSUFH HUFTC IKJIN TNHXL BUYTO XKFUW FNABN MIYRC YXJGI PMLJV 

EFNHE CLDSI IYKBH WJHLP GXDUL FMMIU MUBXZ VXFQB UBHVN LVMIJ NBPH 

2. ZYIBX YKXHT ZTENU KVBPX IKIDB YKLAM ZYIDX MIIEH LJICN XZXYU KXVET 

ZVRON MYXOW KCEYL UCYTB UEFYM NVINX SPJOK YLGHT RVRGM NFJTB SVXHT 

ZNLEG ZYISH RLXIH TZWFB TRPLR XVECA KUXHX OEJOK SRXIH TKLUL USXAB 

TVHHT YCSSM GCPIM YMELN K 

3. (a) QZIQU DTKUT IWCUG LJZIU MSVHO KIGNZ IDCEW KIMPG VWRHP WVWIS 

POIOE QSDIW NWVWI STSYS VWQAG HUDMN YLLHH MQEYJ SIFWX WYJWX 

HVIUY SGKEW CLMLS EYSWV GSPOU KTRMK MEFW 

(b) What is the meaning of the quote 

4. IKUQN VOCSJ MPYKA BIJFG NXGGS YOYRV RSLCK ZEKIC EEMQY JFCMF RCNTU 

NHVDK EEFCN MUQIF ZCDWA PADAK EEFYR PQVCY MLGVA DLVFR EIEZE KICEE 

ECVVD YLZEM LRFCD GQMPC QYNUM KEKTM DFRAR PBROX DYPYK GNUQB TFSMV 

VDLTY QAOID CSGAL DVZAE SQRWV QLDZR DEIQL TRDKY TTGEW EDOIM LUEXG 

MZFCD KUKE 

5. This one is a bit harder: 

MOVBA NZLIB GFLTR DWJBW YEJZU BKIXP ZVKHG SWVWA XLPDF RVZBB JUSSE 

FWOMU WVLTL OXRVY LOXJF NKLJB VNULL VWTZP LPEGW UNPKY OHLVT CSZBV 

EADSR WRIFM NSKHW VPUVR KVYAY EVLML TTWKV PGHWY LZFMW ABTVS LOKHJ 

HWKFL KHGBZ OKHWM TBCTD HRPET ZLBYF WFZMB GIVPM F


6. As is this one: 

KHVBH FXPSP NMJET MGXWF RLIEN OGMOO TRHRV ADUJH KSOGN WXKSU IFYYT 

XVVRR HTSTF HYNZF KZVCS FJGAC UIPIG GBAML FCZGN LEWVC HWXVV UHNWX 

KLCHV OUJCU HRVLV UWWER HXWGQ ENWPA GFRRH KLGVN WXJSH HBXFR VISNW 

ODFGF BOCEH KJVMO RPUWG LILPF PRLID TTCZR MVHCH RJWYI PUNPY DIPHV 

WQYME VBWYF VCBBC BVVQT GQYDX QCXYU IX 

7. Encipher or decipher the following texts using a Vigenére cipher with two 

keywords. 

(a) Encipher Peter Piper picked a peck using the keywords JACK and 

SPRATT. 

(b) Decipher FDUAP XNQHJ LCWOI UIOHF BEUDN C using the keywords 

LIZARD and CRAWL. 

(c) Encipher I need to laugh, and when the sun is out using the 

keywords Sun and shine. 

(d) Decipher RJQMU FJRQV HIRBS OIMEO ELUIJ PAAZ using keywords Good 

and day. 

8. Matteo Argenti used the keyword Key PIETRO and a slightly mixed alphabet 

to make a Vigenère cipher: 

cipher 

plain1 

plain2 

plain3 

plain4 

plain5 

plain6 

HI LMNOPRSTABCDE FGU 

p r s t u a b c d e f g h i l m n o 

i l m n o p r s t u a b c d e f g h 

e f g h i l mnop r s t u a b c d 

t u a b c d e f gh i l mn o p r s 

r s t u a b c d e f g h i l m n o p 

o p r s t u a b c d e f g h i l mn 

To encipher, find the first letter of plaintext in the first plaintext alphabet, 

and replace it by the ciphertext letter above it. The second plaintext 

alphabet is used for the second letter, the third for the third, etc. For 

example peter becomes HECPH. 

Decipher LHUAP AHEAN SLMNG TSUUM BPAOT PEBNC NEALP HGSAE MAGEC 

ANUD. 

9. If we are using a double Vigenère, does it matter in which order we use 

the keywords Explain. 

10. The “Double Vigenère” we discussed in the chapter used two keywords to 

encipher a message twice. A different and better way to do this is to use 

the first key to mix the cipheralphabet and the second key as a Vigenère 

keyword using the newly mixed cipheralphabet (much like PIETRO was 

used in exercise 8.8).


To do this, use the first keyword to mix the alphabet. Then under the 

usual alphabet copy the cipheralphabet a number of times so that the 

first letters of the rows spells the second keyword. Then use the alphabets 

cyclically. 

(a) Use a Keyword Mixed cipher with keyword ONCE to mix the cipheralphabet, 

and then a Vigenére cipher with keyword TWICE to encipher 

three times a lady. 

(b) Use a Keyword Transposed cipher with keyword AGAIN to mix the 

cipheralphabet, and then a Vigenére cipher with keyword REPEAT to 

encipher Over and out. 

(c) The ciphertext UIKQEYM BU TN JRBA was enciphered with a Vigenére 

cipher with keyword SIMPLE, using a cipheralphabet mixed via a Keyword 

Mixed cipher with keyword TWIST. What was the plaintext 

(d) The plaintext microwave oven was enciphered with a Vigenére cipher 

with keyword QUICK, using a cipheralphabet mixed via a simple 

Keyword cipher to produce the ciphertext CCYNYMUZU YFYR. What 

was the Keyword Cipher’s keyword 

11. A Vigenère Cipher with two keywords has the mathematical formulation 

C = P + K 1 + K 2 , where K 1 and K 2 are the first and second keywords. 

What if we instead used C = P ∗ K 1 + K 2 , perhaps calling this the 

Linear Vigenère Cipher The Linear Cipher (from Chapter 4), while not 

very secure, is certainly harder to break than the Caesar Cipher. Is the 

Linear Vigenère Cipher more secure than the Vigenère with two keywords 

Explain. 

12. Encipher or decipher the following definitions using an Auto Key cipher 

with the given priming key. 

(a) Encipher Autobiography is a story with priming key T. 

(b) Encipher autoclave is an oven with priming key F. 

(c) Decipher OUNHQ TRCAG ASGUJ ZVEZQ RG with priming key O. 

(d) Decipher CUNHU OZFWA SHLPT KQDIX V with priming key C. 

(e) Encipher autograph is a signature with priming key RI. 

(f) Decipher CLTIF CNWMM TWIUA T with priming key CR. 

(g) Decipher PYTIF OFIVO GGVSY AMBNL VGGOV LWEWA with priming key 

PE. 

(h) Decipher FLXOH HALWE GVVMC HRSIA FI with priming key FRE. 

(i) Decipher SNTSS OZUWM ZOSFB ABBBZ LDGVQ XF with priming key STAE. 

(j) Decipher ZSTIF BUFIE IEXWA PTYO with priming key ZY.


13. It has been remarked that one can detect an Auto Key Cipher (or a 

Vigenère Cipher with long keyword) from the large number of VAISX’s 

and the lack of DQNJ’s in the ciphertext. Explain this remark. 

14. Break the following Auto-Key Ciphers. A hint has been given. 

(a) KFGWW SRVVV HYDWZ PXLSR VFMFY Hint: priming key was length 1 

and message rhymes with “true” 

(b) RZDVQ BUXLR HGKXS SGSTS SHUDE SWMIY QFTZM VXSSG STSSA UWE Hint: 

priming key had length 2, and message contains several the’s 

(c) ORMMI MWIAD HTBAW I. The priming key had length 1, and ee appears 

somewhere in the plaintext. 

(d) SNGHC UDRYI MCFLS UEZAN AGUP. The priming key had length 2 and 

one of the letters is N. 

15. There are many ways of combining the several types of ciphers we have 

seen into new, and possibly more difficult ciphers. Here is one way. Pick a 

Vigenère keyword. For each letter in this keyword pick another keyword. 

Use these secondary keywords to form mixed alphabets using the Keyword 

Mixed method. Then to encipher the message use the Vigenère technique, 

but use the mixed alphabet corresponding to the primary keyword letter. 

For example, we pick Suit as our primary key, and Club, Diamond, Heart 

and Spade as secondary keys. Then when enciphering the 1st, 5th, 9th, 

etc. letters of the message we use as cipheralphabet the one formed from 

Club and Vigenère key S. For the 2nd, 6th, 10th, etc. letters we use as 

alphabet the one formed from Diamond and Vigenère key U. Similarly for 

the rest of the message. 

(a) Does this system have an increase of security over a regular Vigenère 

system with keyword Suit If so, where is the increase For example, 

is it because the Kasiski test fails Or for other reasons If the 

security has not increased, why not 

(b) What if we make five secondary keys, perhaps Wild as the fifth, and 

cyclically use both the Vigenère key and the five cipheralphabets 

16. Suppose you capture a Vigenère-enciphered text, and somehow you know 

that it was enciphered using a mixed cipher alphabet. Will or will not a 

Kasiski test still work Explain. 

17. How does the use of a keyword with repeated letters effect the accuracy of 

Φ (Hint: What sort of encipherment and roughness would the keyword 

TTTATTT give)


18. (a) Finish the computation of Φ for a text consisting of English with the 

normal distribution started in section 8.3. (Use Figure 1.3. So there 

are 8.2 A’s, 1.5 B’s, and N = 100.) 

(b) Compute the value of Φ, if the plaintext consisted of English with the 

normal distribution that was enciphered with a Caesar cipher with 

key B. 

(c) Compute the value of Φ, if the plaintext consisted of English with 

the normal distribution that was enciphered with a monoalphabetic 

cipher. 

(d) Compute Φ for the ciphertext that has all 26 letters occurring an 

equal number of times. 

19. In this exercise we work out the formula for Φ given in Equation 8.3. 

Assume we have a ciphertext of N letters enciphered with a Vigenère 

cipher with keylength k. As we did in Section 7.7, lets assume we’ve 

written the ciphertext in an array, so there are k rows, each containing all 

the ciphtertext letters that were enciphered with the same keyletter. 

Now Φ is the probability that two letters, chosen at random from the text, 

are the same. Either these letters were chosen from the same row, or from 

different rows. 

Same row: There are N total letters and k rows, so about N/k letters per 

row. Hence there are N k ( N k 

− 1)/2 ways to choose two from any particular 

row. There are k rows and so k N k ( N k 

− 1)/2 ways to choose two letters a 

row. Finally, the likelihood that two letters are the same in any of these 

rows is 0.0656. So the contribution here is 

.0656 ∗ k 

N 

k ( N k − 1) N(N − k) 

= .0656 

2 

2k 

Different rows: There are k(k − 1)/2 ways to pick to two rows. There are 

N/k letters in each row, so there are N/k ∗ N/k ways to pick one letter 

from each. Finally, we have no way of relating the keyletters from the 

different rows, so we can only approximate the likelihood that these two 

letters are the same with 1/26. So the contribution here is 

1 

26 ∗ N N k(k − 1) 

∗ = 1 N 2 (k − 1) 

k k 2 26 k 

Adding the two probabilities, and simplifying,


This is Equation 8.3. 

N(N − k) 

Φ ≈ .0656 + 1 N 2 (k − 1) 

2k 26 k 

= .0656(N − k) + N(k − 1) 1 26 

k(N − 1) 

.0656(N − k) + .0385N(k − 1) 

= 

k(N − 1) 

(a) If our work has been correct, substituting k = 1 into 8.3 should 

produce the value of Φ in a monoalphabetic cipher, 0.0656. Does it 

(b) If k = N, then the keylength is the same as the length of the text. 

This should produce a very flat frequency count, resulting in a value 

of .0385 for Φ. Does it 

(c) It is sometimes of value to have a formula for k, the keylength. Multiply 

both sides of 8.3 by k(N − 1) and then solve for k to find one. 

20. (a) In section 8.3 we saw that Φ = .0656 when the language is English. 

Referring to Figure 1.5, compute Φ for French, German and Spanish. 

(b) Jeremiah 25:26 and 51:41 (taken from BibleGateway.org) are 

25:26: and all the kings of the north, near and far, one after the 

other-all the kingdoms on the face of the earth. And after all of 

them, the king of Sheshach will drink it too. 

51:41: How Sheshach will be captured, the boast of the whole 

earth seized! What a horror Babylon will be among the nations! 

(Sheshach is Babel (= Babylon) written with a reversed alphabet, 

in Hebrew, of course.) Translating the combined verses into German 

and French, and then enciphering with a monoalphabetic cipher produces 

Text 1: FINPC DYCVN TCSPC YGIYU IVTNU GVNKL YCNPY DNTBU YCFPJ PUCYI 

FPJFP IVYCY IFINP CDYCV NQFPM YCSPM NUSYO PTCNU ICPVD FRFKY SYDFI 

YVVYY IDYVN TSYCK LYCKL FKANT VFFGV YCYPJ YLOPN TCKLY CKLFK YCIGV 

TCYKY DDYSN UIDFB DNTVY VYMGD TCCFT IINPI YDFIY VVYYC IKNUO PTCYY 

LOPNT AFAQD NUYYC ISYIV PTIYF PMTDT YPSYC UFITN UC 


3 2 27 14 0 19 5 0 21 3 10 7 4 20 4 20 2 1 8 17 11 17 0 0 42 0 257 

and 

Text 2: PUSGD DYRMU TCYSY AUMVS YUAST YUGKY UPUSS TYEYV UYUYT UYUUG 

JKSYL GUSYV UPUSG DDYRM UTCVY TJKYS YVYVS YSTYG PESYV EDGJK YSYAY 

VSBMS YUAAT USPUS SYVRM UTCWM UAJKY AJKGJ KAMDD UGJKT KUYUH VTURY 

UNTYT AHAJK YAJKG JKYTU CYUML LYUPU SSYVV PKLSY VCGUX YUYVS YYVMB 

YVHNT YTAHB GBYDX PLYUH AYHXY UCYNM VSYUP UHYVS YUUGH TMUYU 


13 4 6 8 3 0 13 8 0 10 13 5 11 3 0 9 0 4 25 17 40 18 1 3 51 0 265


Which text is in German, and which is in French (Compute Φ of 

each and, remembering that monoalphabetic encipherments do not 

change the Φ value of the text, use part (a).) 

21. Here is a variant on the auto-key method. Rather than use the message 

as the key, which perhaps seems rather dangerous, instead use the secret 

message 

Encipher mysterious with priming key m and use your answer to help you 

discuss the security of this method. 

22. Joseph Willard Brown wrote 

“Ciphers are undiscoverable in proportion as their changes are frequent, 

and as the messages in each change are brief. When alphabetic 

ciphers are used, the aim should be never to allow any letter to appear 

twice alike. The number of letters under each key is to be as 

small as possible [Brown page 99].” 

Explain the meaning of this quote. 

23. On March 8, 1913, the Secretary of State, William Jennings Bryan, sent 

the following message to all American Diplomatic and Consular Officers. 

“Gentleman: 

For the purpose of affording a means of direct secret communication 

between officers of the Army and Navy and the Diplomatic and 

Consular Service, the respective Departments are providing the necessary 

officers with the Larrabee Cipher Code, a copy of which is 

transmitted herewith. 

The following arrangements as to key words will be observed: 

(1) Key words may be arranged between officers using code either 

directly or through their Departments in Washington, when more 

direct secret communication is not possible. 

(2) In the absence of other agreement, the key word is to be the name 

of the month in which the message is sent. 

The Navy Department is supplying the Larrabee Cipher to the commanding 

officers of all ships in the service.” 

Enclosed with this letter was a chart, Figure 8.2, and instructions: 

“Write down the words, message, or cipher to be converted, and write 

over them, letter for letter, the key word agreed upon, repeating 

the key word as often as necessary. For each letter to be converted 

enter the table with the letter of the key word found above it, as a 

marginal letter. If converting message into cipher [read] in the upper 

line abreast the marginal letter, the letter of the message, the letter 

of the cipher is [then] directly below it. If converting cipher into 

message [read] the lower line abreast the marginal letter [, then] the 

letter of the cipher the letter of the message is directly above it.


A: AB CDE FGH I J K LMNOPQRSTUVWXYZ N: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

a b c d e f g h i j k l m n o p q r s t u v w x y z n o p q r s t u vw x y z a b c d e f g h i j k l m 

B: AB CDE FGH I J K LMNOPQRSTUVWXYZ O: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

b c d e f g h i j k l m n o p q r s t u v w x y z a o p q r s t u vwx y z a b c d e f g h i j k l m n 

C: AB CDE FGH I J K LMNOPQRSTUVWXYZ P: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

c d e f g h i j k l m n o p q r s t u vw x y z a b p q r s t u v wx y z a b c d e f g h i j k l m n o 

D: AB CDE FGH I J K LMNOPQRSTUVWXYZ Q: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

d e f g h i j k l m n o p q r s t u vwx y z a b c q r s t u v w x y z a b c d e f g h i j k l m n o p 

E: AB CDE FGH I J K LMNOPQRSTUVWXYZ R: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

e f g h i j k l m n o p q r s t u vwx y z a b c d r s t u vw x y z a b c d e f g h i j k l m n o p q 

F: AB CDE FGH I J K LMNOPQRSTUVWXYZ S: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

f g h i j k l m n o p q r s t u v wx y z a b c d e s t u v wx y z a b c d e f g h i j k l m n o p q r 

G:AB CDE FGH I J K LMNOPQRSTUVWXYZ T: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

g h i j k l m n o p q r s t u v w x y z a b c d e f t u v w x y z a b c d e f g h i j k l m n o p q r s 

H: AB CDE FGH I J K LMNOPQRSTUVWXYZ U: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

h i j k l m n o p q r s t u v w x y z a b c d e f g u vw x y z a b c d e f g h i j k l m n o p q r s t 

I: AB CDE FGH I J K LMNOPQRSTUVWXYZ V: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

i j k l m n o p q r s t u v w x y z a b c d e f g h vwx y z a b c d e f g h i j k l m n o p q r s t u 

J: AB CDE FGH I J K LMNOPQRSTUVWXYZ W:ABCDEFGH I JKLMNOPQR S TUVWXY Z 

j k l m n o p q r s t u v w x y z a b c d e f g h i wx y z a b c d e f g h i j k l m n o p q r s t u v 

K:AB CDE FGH I J K LMNOPQRSTUVWXYZ X: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

k l m n o p q r s t u v w x y z a b c d e f g h i j x y z a b c d e f g h i j k l m n o p q r s t u v w 

L: AB CDE FGH I J K LMNOPQRSTUVWXYZ Y: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

l m n o p q r s t u v w x y z a b c d e f g h i j k y z a b c d e f g h i j k l m n o p q r s t u v w x 

M:AB CDE FGH I J K LMNOPQRSTUVWXYZ Z: ABCDEFGH I JKLMNOPQR S TUVWXY Z 

m n o p q r s t u v w x y z a b c d e f g h i j k l z a b c d e f g h i j k l m n o p q r s t u v w x y 

Figure 8.2: Larrabee’s Cipher Code 

To apply to figures 

let A B C D E F G H I J 

represent 1 2 3 4 5 6 7 8 9 0 

To indicate that figures are used, write the letter Q followed by the 

number of figures expressed in letters as above that follow: then for 

the figures write the letters, thus QEICDJF means 93406, Q indicating 

that figures follow, E 5 the number of figures, and ICDJF 

representing 03496. 

Example 

Key word Pekin 

Key words PEKI NPEKI NPE 

Message SEND QCCJJ MEN 

Cipher HIXL DRGTR ZTR 

Ordinarily however it is safer to send numbers in words, i.e. three 

hundred instead of 300. 

Before transmission the cipher is arranged in five letter groups. Thus, 

the above example would appear HIXLD RGTRZ TR etc. 

There were plans for a new codebook for the Departments of State, War 

and Navy, and the Larrabee Code was to be only in temporary use.


(a) On November 8, 1913 The Adjutant General’s Office in the War 

Department, Washington sent the following to the Chief of Staff, 

U.S. Army. 

HBYID EEKRA VVOIU RROGI FUIIJ ONADJ XKRBO SKPYU VFZGF JRZBV 

ZYKFS WYOMV MCIVP CYIUO IOPVV RSFSW PWKLQ SQVFG VKQTF VGKZI 

ZHSMR FIQQO XRYRZ TMSXD RBOWM DOEBK GIPHI KYWN. 

AAPH. 

What did it say 

(b) The HQ of Coast Defenses of Chesapeake Bay, Fort Monroe VA, 

struggled with this new cipher, as they reported in a letter of Nov 9, 

1913. To attempt a decipherment of a Larrabee message they first 

crossed “out the inadmissible code letters”, and then used (probably) 

the Red code book to treat the remaining letters as code groups. 

This gave “Appropriations for the 4th quarter British Minister J. F. 

Reynolds Landis Henry J. Nichols Facts do not justify having party 

arrested” as the message. Trying a slightly different technique gave 

“Congress did not appropriate merited unknown unknown permanent 

arrangement.” 

They eventually realized their mistake: 

“It was evident that the meaning was not that which was intended. 

[And, after further consideration] It is thought that this 

message might be translated by the Larrabee Cipher Code Card 

which was sent to the Depot Quartermaster, Newport News, Va., 

on March 10, 1913, but which has apparently been misplacedby 

[sic] that officer as he is unable to furnish it.” 

Then on November 12 the same HQ sent 

ESAID FRTRQ DTTFV CRHOI DOSCN FNENF ITBRZ GMSHI RQSMH FHYNJ 

ZQMEI LFSJJ AOIZA DJWEF WJVCI SRLIG BHLYM SXVLA VWFFV ERKKS 

DURVJ GQEDF ULRGO PMSVR OSZGU QLVLQ JHQCI WHFIM EIIU 

Have they figured it out What does the message say 

(c) How is the Larrabee cipher related to the Vignere 

24. (a) Two very long message have been enciphered with a Vigenère cipher 

using the same five letter keyword. How do the ciphertexts’ frequency 

charts compare (“Very long” here indicates that the plaintext’s 

frequencies are close to that of typical English.) 

(b) Continuing, how the two ciphertext’s Φ values compare 

(c) Two very long message have been enciphered with Vigenère ciphers 

using five letter keywords. If the two ciphertexts’ frequency charts 

are very similar, can we conclude that the keywords were the same 

If yes, why If no, why not, and what may we conclude 

25. Explain in your own words why an endless, senseless key is needed for 

perfect secrecy.


26. Decipher 

SVQYU EFNKW BHNRQ VIUZI CVSNR TVEZF WYXFA UNJYW MOADU KSVRS LUSJI 

JWVKC WCKYX PBVZK CDNOQ BZVGQ BMYMX QARTU G 

if the one-time pad key was 

FHEUC MFHGO JPNMM NVSRT VRBTE IRMHM PUNBC FGSYE IGIBG YDVAS KJOBV 

YSIEJ PGCFQ WURNG KLNIM TGDCF WXYVN MJKLB N. 

27. Decipher 

LYLWZ FDHIG AWYOE GRKTZ TJGWC OQDQK CAEOO VBXLQ ITHJL REZOI POMZT 

QOMQS GTABM MJRMS BVFQC CNLQD RCAJA AYZM 

if the one-time pad key was 

PRNDS BQZQN TOGUT NJYTG PHYHV KZQCR UNKBG AXGTQ XZPFK NCZUQ LAHGM 

MWTWD CGXNS UTXMF INMIY KZGGZ TLWTG SHVJ.

166 CHAPTER 8. POLYALPHABETIC CIPHERS

Chapter 9 

Digraphic Ciphers 

Although Hill’s cipher system itself saw almost no 

practical use, it had a great impact on cryptology. 

David Kahn 

What has been constant about all the cipher methods that we have tried 

All of the monoalphabetic ciphers had one letter replaced by a different letter 

as indicated in the plainalphabet–cipheralphabet chart. There were different 

ways to make up the cipheralphabet, but we always ended up with the pairs of 

alphabets. The polyalphabetic ciphers differed because they didn’t use just one 

cipheralphabet, they used several, and sometimes very many. However, when 

we were enciphering any particular letter of the plaintext, there was always some 

plainalphabet–cipheralphabet chart that we were using. 

The constant pattern is this letter-for-letter replacement. A single letter has 

always been replaced by a single letter. The idea behind polygraphic ciphers 

is to replace multiple strings of letters by other multiple strings. 

9.1 Polygraphic Ciphers 

Consider first the digraphic ciphers, in which pairs of letters are replaced by 

other pairs. 1 Porta used these ciphers in his 1563 De furtivis literarum notis. 

The idea behind this is simple: replace each pair of possible plaintext letters 

(plain 1, plain 2) by a pair of ciphertext letters (cipher 1, cipher 2). 

1 Bigraphic, meaning two letters at a time, might be a more reasonable name, but, for some 

reason, digraphic is the word used when two letters are enciphered as a pair. 

167

168 CHAPTER 9. DIGRAPHIC CIPHERS 

Examples: The algorithm is to consider the letters two-by-two. If the letters 

are in alphabetical order, replace both by the letters that follow them. If they 

are not, replace them by the letters before them. So et→ FU and of → NE. 

(1) Encipher nice doggy. 

(2) Decipher EZSBB U. 2 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

There are a couple of problems. What do we do with double letters (Probably 

they are not in alphabetic order.) Or single letters at the end (Add 

a meaningless letter to make a pair.) But basically this is a simple digraphic 

cipher. 

What does a general digraphic cipher look like For our monoalphabetic 

ciphers we always ended up with a plaintext alphabet and a ciphertext alphabet. 

So for digraph ciphers we’ll have a (really big) chart telling which pairs of letters 

got replaced by which pairs of letters. 

To develop a very simple such system we start with a 26 × 26 array of all 

possible letter–letter pairs. We will use this as our ciphertext pairs. Next we 

use some method, say the keyword mixed method, to make two orderings of 

the alphabet. We put these alphabets across the top and down the sides of the 

chart. To encipher a pair of letters, call them (α, β), find α along the top row 

and β down the column. The pair of letters appearing in the α-th column and 

β-th row is our ciphertext. 

Example: Using the keywords first and second gives the alphabets 

fagmuzibknvrcjowsdkpxtelqy and sajryebktzcfluogmvnkpwdiqx. Putting 

these above and along the side of the chart gives Figure 9.1. 

Then telephones=te-le-ph-on-es is enciphered as VFXFT TOSWA (keeping 

the usual 5 letter split.) LBGML OBW is deciphered as railroad. ⋄ 

There are several drawbacks to this system. Since the chart has 676 = 26×26 

entries it is not something a person would like to have to repeatedly produce. 

Further, while deciphering is not bad, because the edges are not in order it 

is a bit of a pain to encipher. What would be quicker would be to rearrange 

the chart so that the top and side alphabets were in order. But this means 

rewritting the entire chart, not an attractive idea. 

Even if these difficulties were surmounted, this cipher is simply not a good 

one. For example, all plaintext pairs f* will be enciphered to A*, and all plaintext 

pairs *s will be enciphered to *A, with similar results for the other letters. 

This cipher is a monograph-digraph hybrid of some sort, and is not much more 

secure than a pure monographic cipher. 

2 (1) MHDFE NFFXY, (2) fat cat.

9.1. POLYGRAPHIC CIPHERS 169 

f a g m u z i b h n v r c j o w s d k p x t e l q y 

s AA BA CA DA EA FA GA HA IA JA KA LA MA NA OA PA QA RA SA TA UA VA WA XA YA ZA 

a AB BB CB DB EB FB GB HB IB JB KB LB MB NB OB PB QB RB SB TB UB VB WB XB YB ZB 

j AC BC CC DC EC FC GC HC IC JC KC LC MC NC OC PC QC RC SC TC UC VC WC XC YC ZC 

r AD BD CD DD ED FD GD HD ID JD KD LD MD ND OD PD QD RD SD TD UD VD WD XD YD ZD 

y AE BE CE DE EE FE GE HE IE JE KE LE ME NE OE PE QE RE SE TE UE VE WE XE YE ZE 

e AF BF CF DF EF FF GF HF IF JF KF LF MF NF OF PF QF RF SF TF UF VF WF XF YF ZF 

b AG BG CG DG EG FG GG HG IG JG KG LG MG NG OG PG QG RG SG TG UG VG WG XG YG ZG 

k AH BH CH DH EH FH GH HH IH JH KH LH MH NH OH PH QH RH SH TH UH VH WH XH YH ZH 

t AI BI CI DI EI FI GI HI II JI KI LI MI NI OI PI QI RI SI TI UI VI WI XI YI ZI 

z AJ BJ CJ DJ EJ FJ GJ HJ IJ JJ KJ LJ MJ NJ OJ PJ QJ RJ SJ TJ UJ VJ WJ XJ YJ ZJ 

c AK BK CK DK EK FK GK HK IK JK KK LK MK NK OK PK QK RK SK TK UK VK WK XK YK ZK 

f AL BL CL DL EL FL GL HL IL JL KL LL ML NL OL PL QL RL SL TL UL VL WL XL YL ZL 

l AM BM CM DM EM FM GM HM IM JM KM LM MM NM OM PM QM RM SM TM UM VM WM XM YM ZM 

u AN BN CN DN EN FN GN HN IN JN KN LN MN NN ON PN QN RN SN TN UN VN WN XN YN ZN 

o AO BO CO DO EO FO GO HO IO JO KO LO MO NO OO PO QO RO SO TO UO VO WO XO YO ZO 

g AP BP CP DP EP FP GP HP IP JP KP LP MP NP OP PP QP RP SP TP UP VP WP XP YP ZP 

m AQ BQ CQ DQ EQ FQ GQ HQ IQ JQ KQ LQ MQ NQ OQ PQ QQ RQ SQ TQ UQ VQ WQ XQ YQ ZQ 

v AR BR CR DR ER FR GR HR IR JR KR LR MR NR OR PR QR RR SR TR UR VR WR XR YR ZR 

n AS BS CS DS ES FS GS HS IS JS KS LS MS NS OS PS QS RS SS TS US VS WS XS YS ZS 

h AT BT CT DT ET FT GT HT IT JT KT LT MT NT OT PT QT RT ST TT UT VT WT XT YT ZT 

p AU BU CU DU EU FU GU HU IU JU KU LU MU NU OU PU QU RU SU TU UU VU WU XU YU ZU 

w AV BV CV DV EV FV GV HV IV JV KV LV MV NV OV PV QV RV SV TV UV VV WV XV YV ZV 

d AW BW CW DW EW FW GW HW IW JW KW LW MW NW OW PW QW RW SW TW UW VW WW XW YW ZW 

i AX BX CX DX EX FX GX HX IX JX KX LX MX NX OX PX QX RX SX TX UX VX WX XX YX ZX 

q AY BY CY DY EY FY GY HY IY JY KY LY MY NY OY PY QY RY SY TY UY VY WY XY YY ZY 

x AZ BZ CZ DZ EZ FZ GZ HZ IZ JZ KZ LZ MZ NZ OZ PZ QZ RZ SZ TZ UZ VZ WZ XZ YZ ZZ 

Figure 9.1: A Simple Digraphic Substitution Chart 

To make a better digraph cipher we need to better scramble the ciphertext 

pairs. What we really need is to take the 676 main entries of the previous 

chart and more randomly mix them around, producing a table like Figure 9.2. 

Enciphering is easy: hide becomes CTOW. But now deciphering is hard: try to 

decipher JGPS. 3 

This method has some problems as well, however. First, it is a pain to construct 

such a chart. Second, deciphering is hideously slow. Since the ciphertext 

pairs are all mixed, it takes a full search to find each pair for decipering. To 

comfortably use this method one would be need to make an additional chart of 

676 entries for deciphering. 

Nonetheless, either by hand or with the use of a computer, two such charts 

can certainly be created. What would the security of such a digraphic cipher 

be Pretty good, at least compared to our monographic ciphers. As always, 

this system is broken by frequency analysis, only now we are analysing the 

frequencies of pairs of letters, or bigrams, rather than of individual letters. 

Not surprising, the most common bigram is th. The top 18, according to the 

Brown Corpus, are listed in Figure 9.3. 

So when doing frequency analysis on a digraphic cipher, rather than looking 

3 seek


a 

b 

c 

d 

e 

f 

g 

h 

i 

j 

k 

l 

m 

n 

o 

p 

q 

r 

s 

t 

u 

v 

w 

x 

y 

z 


RA XW DT JP PU VQ BN HS NO TK ZP FM LI RN XJ DG JC PH VD BA HF NB TX ZC FZ LV 

IB OX UT AQ GV MR SN YS EP KL QQ WM CJ IO OK UG AD GI ME SA YF EC KY QD WZ CW 

ZB FY LU RZ XV DS JO PT VP BM HR NN TJ ZO FL LH RM XI DF JB PG VC BZ HE NA TW 

QC WY CV IA OW US AP GU MQ SM YR EO KK QP WL CI IN OJ UF AC GH MD SZ YE EB KX 

HD NZ TV ZA FX LT RY XU DR JN PS VO BL HQ NM TI ZN FK LG RL XH DE JA PF VB BY 

YD EA KW QB WX CU IZ OV UR AO GT MP SL YQ EN KJ QO WK CH IM OI UE AB GG MC SY 

PE VA BX HC NY TU ZZ FW LS RX XT DQ JM PR VN BK HP NL TH ZM FJ LF RK XG DD JZ 

GF MB SX YC EZ KV QA WW CT IY OU UQ AN GS MO SK YP EM KI QN WJ CG IL OH UD AA 

XF DC JY PD VZ BW HB NX TT ZY FV LR RW XS DP JL PQ VM BJ HO NK TG ZL FI LE RJ 

OG UC AZ GE MA SW YB EY KU QZ WV CS IX OT UP AM GR MN SJ YO EL KH QM WI CF IK 

FH LD RI XE DB JX PC VY BV HA NW TS ZX FU LQ RV XR DO JK PP VL BI HN NJ TF ZK 

WH CE IJ OF UB AY GD MZ SV YA EX KT QY WU CR IW OS UO AL GQ MM SI YN EK KG QL 

NI TE ZJ FG LC RH XD DA JW PB VX BU HZ NV TR ZW FT LP RU XQ DN JJ PO VK BH HM 

EJ KF QK WG CD II OE UA AX GC MY SU YZ EW KS QX WT CQ IV OR UN AK GP ML SH YM 

VJ BG HL NH TD ZI FF LB RG XC DZ JV PA VW BT HY NU TQ ZV FS LO RT XP DM JI PN 

MK SG YL EI KE QJ WF CC IH OD UZ AW GB MX ST YY EV KR QW WS CP IU OQ UM AJ GO 

DL JH PM VI BF HK NG TC ZH FE LA RF XB DY JU PZ VV BS HX NT TP ZU FR LN RS XO 

UL AI GN MJ SF YK EH KD QI WE CB IG OC UY AV GA MW SS YX EU KQ QV WR CO IT OP 

LM RR XN DK JG PL VH BE HJ NF TB ZG FD LZ RE XA DX JT PY VU BR HW NS TO ZT FQ 

CN IS OO UK AH GM MI SE YJ EG KC QH WD CA IF OB UX AU GZ MV SR YW ET KP QU WQ 

TN ZS FP LL RQ XM DJ JF PK VG BD HI NE TA ZF FC LY RD XZ DW JS PX VT BQ HV NR 

KO QT WP CM IR ON UJ AG GL MH SD YI EF KB QG WC CZ IE OA UW AT GY MU SQ YV ES 

BP HU NQ TM ZR FO LK RP XL DI JE PJ VF BC HH ND TZ ZE FB LX RC XY DV JR PW VS 

SP YU ER KN QS WO CL IQ OM UI AF GK MG SC YH EE KA QF WB CY ID OZ UV AS GX MT 

JQ PV VR BO HT NP TL ZQ FN LJ RO XK DH JD PI VE BB HG NC TY ZD FA LW RB XX DU 

AR GW MS SO YT EQ KM QR WN CK IP OL UH AE GJ MF SB YG ED KZ QE WA CX IC OY UU 

Figure 9.2: A More Complicated Digraphic Substitution Chart 

for etaoinshr, as we would in a monographic cipher, we look for th-he-in-erre-.... 

But the basic idea is the same: do a (very large) frequency count, guess 

that the top occurring pairs come from therein, and start working. So while 

we need more data, the techniques are very similar to the ones with which we 

are comfortable. 

How to make this system better I guess a 26 × 26 × 26 hyper-chart listing 

all 17576 three-letter triples. Maybe one would do this as 26 charts, where the 

first letter of the triple was the name of the chart, the second one was on the left 

of the chart and the third one was one the top The extreme cumbersomeness 

of a system like this would limits its use to those who have a computer to help. 4 

9.2 Hill Ciphers 

Lester S. Hill (1881-1961) was an assistant professor of mathematics at Hunter 

College in New York when, in 1931, he published the method now named for him 

as “Cryptography in an Algebraic Alphabet” in The American Mathematical 

4 The idea of enciphering letters not individually but in groups, so-called block ciphers, 

reappears in almost every modern cipher system.

9.2. HILL CIPHERS 171 

th 2.96 es 1.34 at 1.16 

in 1.88 on 1.31 ed 1.14 

er 1.75 st 1.24 ti 1.10 

an 1.56 nt 1.21 nd 1.07 

re 1.45 en 1.20 to 1.04 

Figure 9.3: 18 Most Frequent Bigrams, in percent 

Monthly, the undergraduate journal of the American Mathematical Society. He 

eventually received U.S. patent 1,845,947 for an apparatus that mechanically 

performed his cipher. Much of Hill’s work involved the use of mathematics 

in communications, for example, methods for splicing telephone cables. His 

cipher provides us with an easy example of a polygraphic cipher, but is more 

important because it shows that by the middle of the first half of the 20th 

century cryptology was being done primarily by mathematicians. 

To explain the cipher we need to introduce matrices (plural of matrix). 

Matrices are simply rectangular arrays of numbers and are quite important 

in mathematics, chemistry ( ) and physics. We will deal only with two-by-two 

3 0 

matrices, such as . Matrices are very easy to add and subtract – 

−1 4 

simply perform the operation entry-by-entry. For example 

( ) 4 3 

+ 

−2 7 

( ) 0 5 

= 

2 4 

( ) 4 8 

0 11 

and 

( ) 1 9 

− 

0 2 

( ) −2 3 

= 

5 1 

( ) 3 6 

. 

−5 1 

Multiplication is a bit more complicated as each row of the first matrix is 

multiplied by the column entries in the second. (Rows go across and columns 

go down.) For example, 

( ) ( ( ) ( ) 

3 5 2 3 × 2 + 5 × 9 6 + 45 

× = 

= 

= 

14 23 9) 

14 × 2 + 23 × 9 28 + 209 

( ) 

51 

, 

235 

and 

( ) 3 5 

× 

14 23 

( ) ( ) ( ) 

15 3 × 15 + 5 × 19 45 + 95 

= 

= 

= 

19 14 × 15 + 23 × 19 210 + 437 

( ) a b 

The general form for multiplication is 

c d 

( e 

× = 

f) 

( ) 140 

. 

647 

( ) 

a × e + b × f 

. 

c × e + d × f


The Hill Cipher then simply multiplies pairs of letters by a matrix. 

Examples: 

( ) 3 5 

(1) Encipher bios using . 

14 23 

( ( b 2 

First, = . Then multiplying: 

i) 

9) 

( ) ( 3 5 2 

× = 

14 23 9) 

( ) 51 

≡ 

235 

( ) 25 

1 

(mod 26) = 

( Y 

A) 

. 

So bios is enciphered to YA. 

Similarly, os becomes 

( ) 3 5 

× 

14 23 

( ) 15 

= 

19 

( ) 140 

≡ 

647 

( ) 10 

23 

(mod 26) = 

( J 

W) 

. 

(2) Use the same matrix to encipher math. 

( ) ( ) 

13 

20 

ma= , and th= , so we have 

1 

8 

( ) ( ) 

3 5 13 

× = 

14 23 1 

( ) 

44 

≡ 

89 

( ) ( 

18 R 

= 

23 W) 

and 

( ) ( ) 

3 5 20 

× = 

14 23 8 

( ) 100 

≡ 

464 

( ) ( 22 V 

= 

22 V) 

So the ciphertext is RWVV. 

(3) Encipher hill using the same enciphering matrix. 

(4) Multiply by 

( ) 

3 5 

to decipher SWBAG RERQG YV. 

14 23 

5 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

5 (3) QGJQ, (4) polygraphic.

9.2. HILL CIPHERS 173 

We will be using a special type of 2 × 2 matrices known as involutions. 

They are special in that enciphering and deciphering is done using the same 

matrix. 6 We need to take care in setting up these matrices. 

Method for using Hill Ciphers: 

1. Pick any number a from 0 to 25. 

2. Pick a number b that is relatively prime to 26. Find its multiplicative 

inverse β from Figure 3.2. 

3. Compute c = (1 − a 2 )β%26 and d = (−a)%26. 

4. ( The enciphering ) ( and deciphering ) matrix is 

a b a b 

= 

c d (1 − a 2 . 

) · β −a 

Examples: Suppose we choose a = 7 and b = 9. From Figure 3.2 b’s inverse 

is 3 = β. Then (1 − a 2 ) · β = (1 − 7 2 ) × 3 = −146, ( so c = ) (−146)%26 = 12. 

7 9 

Since −7 ≡ 19 (mod 26), d = 19. So the matrix is . 

12 19 

(1) To( encipher ) ( ) matrix ( ) we first convert the plaintext into numbers: matrix 

13 20 9 

= 

, and then compute 

1 18 24 

So matrix → VSHZSR. 

(2) Decipher TIDDYVKM. 7 

( ) ( ) ( ) ( 7 9 13 22 V 

× ≡ = , 

12 19 1 19 S) 

( ) ( ) ( ) ( 

7 9 20 8 H 

× ≡ = , 

12 19 18 26 Z) 

( ) ( ( ) ( 7 9 9 19 S 

× ≡ = 

12 19 24) 

18 R) 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Hill ciphers may be done with matrices of any square size, like 3 × 3 or 5 × 5, 

and the entries in the array can be chosen with more latitude than our examples 

suggest. See Exercise 9.11 for consideration of the latter. 

6 For the use of non-involutions in Hill ciphers see Exercise 9.11. 

7 multiply.


9.3 Recognizing and Breaking Polygraphic Ciphers 

What makes a digraphic cipher digraphic It encipher pairs of letters, rather 

than single letters. For example, the word the will be broken up either as 

*t-he or as th-e*. In a monoalphabetic cipher each plaintext letter is always 

replaced by the same ciphertext letter. Don’t let the “di” in digraphic fool you – 

digraphic ciphers also have this one-to-one replacement. Each pair of plaintext 

letters is always replaced by the same pair of ciphertext letters. So there should 

be many copies of the ciphertext versions of th and he in our ciphertext. 

Further, and here is the key point, these repetitions will all occur at even 

distances. If there are an odd number of letters between two occurrences of 

the, then these two occurrences will be broken differently, and so will not lead 

to a repetition. It is only when the is broken the same way that we will get 

a repetition, and this only happens when there are an even number of letters 

in between, that is, when the distance is even. So a cipher that is not monoalphabetic 

but has many many digraph repetitions occurring at even distances is 

almost certainly a digraphic cipher. 

Let’s demonstrate with an example. 

Example: Decrypt XCCNQ FUARE LXELM XSBUM WLKVO KTWJU EELXA NZUQJ 

KCWFM KSKYN QOEYR QLXFK ELRKQ FYCSK OXELZ GZHQN UPIUM NYNVQ OXBRA VQAAN 

IPRYJ YKOQO WXUMK JELOZ YSCII EJLXI MQAGJ FNIKO BJJMH EIURL RKQFR SLXSR 

KJKOW FRQLX FKELR KEZ 

Of course, this is a Hill cipher. But how might we determine this if we didn’t 

know it As always, we start with a frequency count: 


6 3 5 0 12 8 2 2 7 9 16 13 7 8 9 2 12 11 6 1 8 3 5 11 7 5 178 

This is not a Caesar cipher. Nor does it really look like a monoalphabetic 

cipher, since the rare letters are not that rare. Is it a polyalphabetic cipher 

Computing, Φ = 0.04621 suggests a keylength of about 4. In particular, this is 

not a monoalphabetic cipher. 

If it is polyalphabetic, we should be able to find some repetitions. Figure 

9.4 contains all repetitions longer than length 2. The repetition RQLXFKELRK is 

too long to be ignored: if this is a polyalphabetic cipher the keylength must 

divide 112. But if we pick 7, 14, 28 or 56 as the keylength, we must ignore three 

nice repetitions (LRKQF, RLFER, and QXKLK), all of whose distance is divisible by 

22. This seems strange. Further, there are 57 repetitions of length 2 (which 

we didn’t list). This is a huge number, far more than we’ve ever seen in a 

polyalphabetic cipher. And almost all of them occur in lengths divisible by 2. 

We have ruled out any of the ciphers we have ever seen, except for digraphic

9.3. RECOGNIZING AND BREAKING POLYGRAPHIC CIPHERS 175 


ELX 10 22 2 × 11 

XEL 12 60 2 × 2 × 3 × 5 

RQLXFKELRK 55 112 2 × 2 × 2 × 2 × 7 

LRKQF 62 88 2 × 2 × 2 × 11 

RLFER 28 56 2 × 2 × 2 × 7 

QXKLK 117 56 2 × 2 × 2 × 7 

LKF 120 44 2 × 2 × 11 

Figure 9.4: Repetitions in the unknown cipher. 

ones. And the large number of repetitions of length 2 at distances divisible by 

2 would lead us to digraphic ciphers anyway. So digraphic it is. 

Since we’ve recognized it, how do we break it To attack a digraphic cipher 

we start as we always did – with a frequency count – except we count pairs of 

letters, not singletons. The only pairs appearing more than twice are EL and 

LX, 5 times each, and KO, QF and RK, 3 times each. 

Now what We will grant ourselves the knowledge that it is a Hill cipher. 

In many ways Hill ciphers are a fancy version of the Decimation and Linear 

Ciphers from Chapters 3 and 4. They do do a better job of mixing up the 

frequencies than those ciphers did, but, just as correctly guessing two letters of 

a ciphertext enciphered with a Linear Cipher (and some math) leads to a decryption, 

correctly guessing two bigrams (and some math) leads to a decryption 

of a Hill cipher. (However, it is generally much harder to guess bigrams than 

letters.) Here, the pairs EL and LX must be very common bigrams. If we know 

which, we can solve for the enciphering matrix. 

For ease, we will make a (miraculously correct) guess, that LX=th and 

EL=at. This is, actually, fairly reasonable as th is the most common ( bigraph ) a b 

and at is the eleventh most common. So there is some matrix with 

c d 

( ( ) ( ( ( ) ( a b L t a b E a 

= and 

= . Substituting the values for 

c d) 

X h) 

c d) 

L t) 

( ) ( ) ( ) ( ( ) ( a b 12 20 a b 5 1 

the letters, and we have 

= and 

= . 

c d 24 8 c d) 

12 20) 

Multiplying out gives two sets of equations 

12a + 24b = 20 and 5c + 12d = 20 

12c + 24d = 8 5a + 12b = 1. 

These( two sets ) of two equations in two unknowns may now be solved to see 

9 5 

that 

is the original enciphering matrix. From here, the quote may 

10 17


be deciphered. 8 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

9.4 Playfair 

Sir Charles Wheatstone, like several other cipher inventors we have met, was 

interested in many things. His name is attached to a method for measuring electrical 

resistance, the “Wheatstone bridge” but he also constructed an electric 

telegraph, invented the concertina, and wrote about acoustics. His accomplishments 

led him to be elected as a fellow of the Royal Society and knighted. As the 

Exposition Universelle in 1867 he displayed his “Wheatstone cipher machine,” 

a disc cipher device of some complexity that is very simple to use. 

But it is the Playfair Cipher we are currently interested in. Wheatstone 

invented it in 1854 and showed it to his friend, Lyon Playfair, Baron of St. 

Andrews, and in one of the more humorous episodes in cryptologic history they 

brought it to the attention of British Government officials. As David Kahn tells 

the story [Kahn, page 201] 

Wheatstone and Playfair explained the cipher to the Under Secretary of 

the Foreign Affairs. ... When the Under Secretary protested that the 

system was too complicated, Wheatstone volunteered to show that three 

out of four boys from the nearest elementary school could be taught it in 

15 minutes. The Under Secretary put him off. “That is very possible”, 

he said, “but you could never teach it to attachè’s”. 

Playfair, reasoning that this reflected more on the diplomats than on the 

cipher, remained enthusiastic about it. 

The cipher was indeed used, perhaps first in the Crimean and Boer Wars. It 

is easy to use, and was popular as field cipher because it does not need tables 

or other equipment. The British attempted to keep it secret, but by the First 

World War the Germans could routinely solve Playfair ciphers. 

Wheatstone’s clever idea was to notice that in an rectangular arrangement 

of the alphabet there are many smaller rectangles, with four letters forming the 

corners. Exchanging two of the corners for the other two is a way to perform 

the (plain 1, plain 2) → (cipher 1, cipher 2) substitution at heart of a 

digraphic cipher. 

8 This is the opening quote from Chapter 3.

9.4. PLAYFAIR 177 

Playfair Ciphers: Pick a keyword. Using the Keyword Mixed method 

Section 5.2 to mix the alphabet, arrange the the alphabet in a 5 × 5 array, 

considering i and j to be the same letter. 

To encipher, the plaintext is replaced two letters at time using the following 

rules. 

1. If the letters are in the same column, replace each by the letter below 

it. 

2. If the letters are in the same row, replace each by the letter to its 

right. 

3. If the letters are in neither the same row or column, then use them to 

form a rectangle. The individual letters are replaced by the opposing 

corners of the same height, i.e., the opposing corner in the same row. 

(Notice that we must pretend that leaving the bottom of the array to be 

entering its top, and leaving the right-hand-side to be entering its left-handside.) 

Deciphering is simply the opposite: replace by the letters above, to the left, 

and by the opposing corners. 

For example, if we use the alphabet in its usual order (with J omitted) the 

array is 

A B C D E 

F G H I K 

L M N O P 

Q R S T U 

V W X Y Z 

Then examples of each of the three enciphering steps are as follows: 

1. bm→GR, uz→ZE 

2. lo→MP, gk→HF 

3. ls→NQ, er→BU 

Similarly, here are examples of the three deciphering steps. 

1. LA→fv, JO→dj 

2. QU→ut, CE→bd 

3. TW→ry, LI→ of 

If there are repeated letters in a pair, insert a null, often x, to break them up. 

So balloon becomes ba lx lo on. Notice that oo is naturally broken, so no x 

is needed. If the message contains an odd number of letters either send the last 

letter un-enciphered, or add a final null letter before enciphering.


Examples: 

(1) Using keyword square, encipher rectangle 

The arrangement of the alphabet is 

S Q U A R 

E B C D F 

G H I K L 

M N O P T 

V W X Y Z 

Then we follow the directions. re forms corners of a rectangle with SF. 

Since S is on r’s row, and F is on e’s, re becomes SF. ct forms a rectangle 

with FO, and an with QP. gl are on the same row, so moving each one to 

the right g becomes H and (circling around) l becomes G. Finally, perhaps 

adding an x as a null, ex becomes CV. So the final ciphertext is SFFOQ 

PHGCV. 

(2) Use the same keyword to decipher RKNKQ DFM. 

Each of the pairs RK, NK,QD, and FM are two of the four corners of a rectangle. 

Replace each letter by the corner of the rectangle with the same 

height. 

(3) Encipher foreign affairs using the keyword playfair. 

(4) Use the same keyword to decipher QMIGH PSZQF BKKN. 9 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Of course, naming this cipher for Playfair is already unfair to Wheatstone. 

But further, Wheatstone recommended using the cipher with rectangular matrices, 

rather than only square ones, and mixing the alphabet as in the Keyword 

Mixed ciphers rather as in the simpler Keyword ciphers. Unfortunately, these 

improvements tended to be forgotten. 

The Playfair cipher is quick to set-up and easy to use. It is harder to break 

than a monoalphabetic cipher, but only somewhat so. To see why, notice that 

the only possible substitutes for e are the letters in its row and the one letter 

directly beneath it. (In the keyword SQUARE example earlier, these are the 

letters BCDFG.) So the letters in e’s row will be used a lot. This gives some hope 

of setting up an entire and row in an unknown Playfair cipher. Additionally, 

bigrams such as re and er will always be encoded by a reversal, for example as 

SF and FS. From here, with some guided guesswork and some training, anyone 

can be taught to break Playfair ciphers accurately and fairly quickly. 

9 (2) alphabet, (3 ) LTIGR EQPYZ PY, (4) three attaches.


9.5 Summary 

Polygraphic ciphers, or block ciphers, work by enciphering groups of letters at 

a time, rather than one letter at a time. In particular, digraphic ciphers treat 

pairs of letters, or bigrams, as units when enciphering and deciphering. Since 

there are 676 pairs of letters, enciphering and deciphering tables for digraphic 

ciphers are large and cumbersome, and hence never used (outside of introductory 

examples). 

Digraphic ciphers are the “monoalphabetic” ciphers for bigrams. That is, 

each plaintext bigram is replaced by the same ciphertext bigram throughout 

the entire message. Hence frequency analysis may be used to attack a digraphic 

cipher. But whereas e and t, the two most common single letters, make up 

nearly 20% of all letters, the two most common bigrams, th and in, make up less 

than 5% of bigrams. So using frequency analysis only to break digraphic ciphers 

is difficult unless one has a very large amount of ciphertext. In particular, a 

good digraphic system is much more secure than a good monoalphabetic system. 

The Hill Cipher System enciphers by treating the block of letters as a matrix 

with only one column and multiplying the column by another matrix. Using a 

2 × 2 involution, a matrix with 2 columns and 2 rows that is its own multiplicative 

inverse, is most common, but non-involutions may be used, as may 3 × 3, 

4 × 4 or larger matrices. Hill Ciphers can be thought of as a digraphic version 

of Decimation Ciphers. In particular, once one knows the plaintext equivalents 

of two ciphertext bigrams, then one can use some simple mathematics to determine 

the enciphering matrix, and hence break the message. The importance 

of the Hill Cipher is that it indicates that by the middle of the 20th century 

cryptography was almost entirely a mathematical subject. 

Playfair Ciphers were invented by Charles Wheatstone and are the most 

common digraphic ciphers, being used in both World Wars. After setting up a 

rectangular array of letters, enciphering proceeds by replacing pairs of letters 

with the pair to the right if they are in the same column, underneath if they are 

in the same row, or the opposite corners of the rectangle produced otherwise. 

The strengths of Playfair are its ease of use, its rapidity, and its use of a keyword. 

Conversely, each letter can be replaced by only 6 others, and this allows entries 

into the system. 


1. What is a digraphic cipher How does it differ from a mono-graphic 

cipher 

2. What does the use of “di” in digraphic refer to 

3. Is a digraphic cipher monoalphabetic or polyalphabetic Explain. 

4. What is the general appearance of a digraphic cipher That is, explain


how a chart for a digraphic cipher is built and used. 

5. Explain how to use two monoalphabetic ciphers to build a digraphic cipher. 

6. What is a matrix 

7. How are two matrices of the same size added 

8. What is the Hill Cipher system based on 

9. How does the Hill Cipher encipher How does it decipher 

10. Does the frequency count of a digraphic cipher have any special appearance 

11. What sort of frequency count is useful when trying to break a digraphic 

cipher 

12. What should the value of Φ suggest for a digraphic cipher 

13. What sorts of repetitions will Kasiski’s test find in a digraphic cipher 

Why 

14. Who was Playfair Who invented the Playfair cipher 

15. Explain the three enciphering rules for the Playfair Cipher. 

9.7 Exercises 

1. Here is a proposed digraphic cipher. To encipher a pair of letters p 1 p 2 

keep whichever letter is later in the alphabet and replace the other by the 

letter equal to the distance between p 1 and p 2 . For example, fe becomes 

FA, since f is later and f and e are 1 letter apart. Similarly, mr becomes 

ER since r is 5 letters later than m. 

(a) Encipher pair. 

(b) Encipher twosomes. 

(c) Decipher CRAERING. 

(d) Decipher KLPHABOT. 

(e) There is a problem with this cipher. Can you determine what it is 

Hint: decipher WRLZ. 

2. (a) Here is a candidate digraphic cipher: To encipher a pair of letters, 

swap them if they are alphabetical ordering, if not, leave them fixed. 

So pair becomes PARI. Critique this proposed cipher. (Encipher 

some words and try to decipher your results.)


(b) The use of “alphabetical” in part (a) didn’t work. Instead, when 

the letters are in alphabetical order, add 4 to each. When they are 

not, subtract 3. Leave doubles alone. Will this work (Again try to 

encipher and decipher some words.) 

3. A slightly fancier digraphic cipher is as follows. If the letters are both 

vowels, replace each by the vowels before them in the alphabet (ea become 

AU.) If the pair is two consonants, replace each by the next consonant in 

the alphabet (ns becomes PT). And if the pair is is one each, swap them 

(ho becomes OH). 

(a) Encipher vowels. 

(b) Encipher breakers. 

(c) Decipher ROEAP VLA. 

(d) Decipher EBUOVZ. 

(e) We’ve learned to recognized monoalphabetic ciphers by their odd 

appearance – too few good etaoinshr letters, too many bad jkvwxyz 

letters. What sort of appearance will this cipher produce 

4. To make a combination Caesar-AutoKey Digraphic cipher, encipher each 

pair of letters by using a Caesar cipher with key k on the first letter, and 

an Auto Key Cipher on the second letter, using the first letter as the key. 

Symbolically, for each pair p 1 p 2 of plaintext letters, the ciphertext pair is 

(p 1 + k)%26, (p 1 + p 2 )%26. So if k = 3, then to becomes WH, as W is three 

letters past t, and o enciphered with key T is H. 

(a) Encipher combinations with key 7. 

(b) Decipher JCLWH R, if the key was 12. 

(c) Encipher primer if the key is 21. 

(d) Decipher KZKVE MZAKV, if the key was 6. 

5. In a table-based digraph cipher, like Figure 9.2, it is best if each letter 

appears in each row exactly once, and similarly in each column exactly 

once. If we had a three letter language “ABC” or four letter language 

“ABCD” then examples of such tables are 

AB BC CA 

CC AA BB 

BA CB AC 

and 

DC AD BB CA 

CD BC AA DB 

AB CA CC BD 

BA CB DD AC 

These arrangements are called Greek-Latin Squares, and exists for every 

size of square, except 2 × 2 and 6 × 6. 

(The 6×6 case is often referred to as the 36 Officers Problem: Suppose we 

have 36 military officers of 6 ranks from 6 different states, no two of whom


have the same rank and are from the same state. Can they be arranged 

in rows of 6 so that each state and each rank is represented exactly once 

in each row and each column In 1779 Leonard Euler showed no.) 

(a) Explain, maybe by using examples, why AA, AB, BA, BB cannot be 

put into a 2 × 2 Greek-Latin Square. 

(b) Find, through experimentation, a 5 × 5 Greek-Latin Square. 

(c) Sometimes the “Greek” part of the name is reserved for those squares 

whose front and back diagonals also have the “Latin” property. Find 

a 3 × 3 square of this type. 

6. Given A = 

b = 

( 3 11 

19 4 

) 

, B = 

( 9 

2) 

, compute the following. 

(a) A + B. 

(b) B − C. 

(c) C + A. 

(d) Aa. 

(e) Ab. 

(f) Ba%26. 

(g) Bb%26. 

( −2 1 

10 21 

) 

, C = 

7. Given a and b, find the corresponding Hill Matrix. 

(a) a = 8, b = 9. 

(b) a = 2, b = 17. 

(c) a = 11, b = 5. 

(d) a = 21, b = 19. 

( ) 4 9 

, and a = 

−7 5 

8. Use the given matrix to encipher and decipher the following. 

( ) 4 21 

(a) , mountain and ARKTC D. 

3 22 

( ) 

10 15 

(b) , valley and BXOWI N. 

9 16 

( ) 17 5 

(c) , desert and JULGU Y. 

10 9 

9. Complete the Hill Matrix, and then use it to encipher and decipher. 

(a) a = 7, b = 11, apogee and EATJU N. 

(b) a = 18, b = 3, escarpment and DPWWZ EOLID. 

(c) a = 23, b = 25, impediment and AOFTV CGD. 

( ) 8 

, 

12


10. Just as we combined addition and multiplication to form Linear Ciphers, 

we can form Linear Hill Ciphers by first multiplying by a matrix, and then 

adding another matrix to the result. That is, the pairs m of the message 

are enciphered to Am + B, where A and B are the multiplier and addend 

matrices, respectively. 

(a) Use A = 

( 13 5 

8 13 

) 

and B = 

( ) 8 10 

to encipher linear. 

12 14 

(b) Use the same matrices to decipher CSKKI SEB. (Remember to subtract 

before multiplying by the inverse.) 

11. The matrices we used for Hill Ciphers were involutions – they are their own 

inverses. Limiting ourselves to just( these) 

matrices is rather restrictive. 10 

a b 

In general, the inverse of a matrix exists only when gcd(26, ad − 

c d 

( ) ed −eb 

bc) = 1. If this it so, then the inverse matrix is 

, where e 

−ec ea 

is the inverse of ad − bc modulo 26 found from the Euclidean Algorithm. 

(The value ad − bc is called the determinant, since it determines whether 

or not the matrix has an inverse.) 

(a) Which of the following matrices have inverses modulo 26 

( ) ( ) ( ) 

8 4 5 10 11 6 

(i) . (ii) . (iii) . 

13 9 16 23 7 4 

( ) 2 5 

(b) Find the inverse of . 

3 9 

(c) Encipher determinants with 

( ) 2 5 

. 

3 9 

(d) Decipher JWOSY QGKVO. It was enciphered with 

( ) 2 5 

. 

3 9 

12. Modern cipher systems all encipher blocks of text at a time. (The block 

size in this chapter has generally been two, meaning two letters at a time.) 

Here we look at a cipher with block size two. 

To do this, first, rather than converting the message blocks to 2-12-15- 

3-11-19 before multiplying, we convert it to 0212-1503-1119. Notice the 

zeros. With them aa=0101=101 is distinct from l=11; without it is not. 

Then performing a Decimation Cipher with a block size of two differs from 

our previous Decimation Cipher only in that the modulus must be chosen 

to be larger than 2525. That is, choose a number N larger than 2525, 

and an enciphering key e. Use the Euclidean Algorithm to check that 

gcd(e, N) = 1 and to find the deciphering key d. Encipher by multiplying 

10 Recall that for Decimation ciphers there are 12 proper key pairs modulo 26, but only 2 in 

which the enciphering and deciphering key are the same (i.e., involutions). In the Hill ciphers 

there are 157, 248 proper pairs of 2 × 2 matrices, but only 312 of these are involutions.


pairs of letters by e modulo N, and decipher by multiplying by d. (The 

resulting ciphertexts will be numbers, rather than letters.) 

(a) If the modulus N is chosen to be 2999, show that e = 100 is a proper 

enciphering key. Find the corresponding deciphering key d. 

(b) Use e = 100 and N = 2999 to encipher blocks. 

(c) Use the deciphering key found in part (a) to decipher 2543-1513- 

1460. 

(d) If N = 3001 and e = 29, find d. 

(e) Use e = 29 and N = 3001 to encipher number. 

(f) Use the deciphering key found in part (d) to decipher 218-2644-17- 

2037. 

13. (Continuing the ideas of Exercise 12.) A problem with the cipher from 

Exercise 12 is that the ciphertext is numbers not letters. If we want 

a bigram-decimation cipher, perhaps we should use 676 = 26 2 as the 

modulus, rather than 26. Here is one way to try to do this: 

Choose a key k with 1 ≤ k < 676, relatively prime to 26. For each pair of 

plaintext letters p 1 p 2 , first convert the letters into their numerical equivalent, 

then compute the cipher-number c = ( k ∗ (p 1 ∗ 26 + p 2 ) ) %676. The 

ciphertext is then C 1 C 2 , where C 1 and C 2 are the quotient and remainder 

when c is divided by 26. 

For example, let k = 19. Then to = 20 15 has ciphernumber c = ( 19 ∗ 

(20 ∗ 26 + 15) ) %676 = (19 ∗ 535)%676 = 25. Since 25 ÷ 26 = 0 = Z and 

25%26 = 25 = Y, to is enciphered to ZY. 

To decipher, first find the inverse of 19 modulo 676, which is 427. Then 

multiply ZY = 25 = 00225 by 427%676 to receive 535. Finally 535 ÷ 26 = 

20 = t and 535%26 = 15 = o. 

(a) Use k = 101 to encipher stat. 

(b) Use k = 219 to encipher data. 

(c) Find the inverse of k = 87 modulo 676, and use it to decipher BONO. 

(d) Carefully examine the ciphertexts from this Exercise. What appears 

to be happening What does this say about the value of this cipher 

In particular, how “digraphic” is this digraphic ciphers 

14. It was hinted in the text that Hill Ciphers are simply a fancy Decimation 

Cipher. In this Exercise we see why this is so. 

(a) Find the form the enciphering matrix takes if we choose a = 0. 

(b) Encipher the “message” p 1 p 2 p 3 p 4 p 5 p 6 using the matrix you found in 

part (a). 

(c) Is the cipher performed in part (b) a Decimation Cipher If not, how 

close is it


(d) (For those( who have ) done Exercise 11.) The general Hill matrix has 

a b 

the form . What choices do we need to make for a, b, c and 

c d 

d so that performing Hill encipherment with this matrix is the same 

as a Decimation Cipher with key k 

15. You’ve somehow capture a ciphertext sent via Hill Cipher. The signature 

is CVVOFY and you’ve reason to think that this is Lester. Use this 

information to compute the matrix used. 

16. Encipher or decipher the following texts using a Playfair cipher based on 

the normal ordering of the alphabet. Add an x if double letters need to 

be divided. 

(a) Blue Balloons 

(b) Pat the Bunny 

(c) IMYNC OKHIS NPYNSC. 

(d) CBSMV DTBYC CLDA. 

17. Encipher or decipher the following texts using a Playfair cipher based on 

the given keyword. 

(a) Keyword Northeast. Message Nine battalions will attack from 

the north at noon. 

(b) Keyword South. Message Enemy unit crossing river. 

(c) Keyword Western. Message ATCWS WEDDF TWSRW SCEFC HV. 

(d) Keyword Eastmarch. Message CPULD OHVFR QEQPH PSKPO. 

18. One Army Signal School used as an example of Playfair the following 

message enciphered with the keyword CLIQUE [SSA1]. 

CP LE AH RZ PF IG TP NZ GA FG DG ZM PS 

PN TE CA MT PH CG DA FG OB OA IW CA BY 

What was the message 

19. Use a Playfair cipher with keyword Poems to decipher the following three 

phrases: 

(a) QKMSE WPQ. 

(b) OZCEMRHSXP. 

(c) XHRPGVAMEMUTZY. 

20. [Kahn, pg 198] The first known demonstration of the Playfair Cipher was 

at a dinner party in January 1854 when Baron Playfair explained “Wheatstone’s 

newly-discovered symmetrical cipher” to Prince Albert, Queen Victoria’s 

husband, and Lord Palmerston, Home Secretary and future Prime 

Minister, among others. The earliest remaining written description appears 

on page 199 of Kahn, and is transcribed as follows.


26 March, 

1854 

Specimen of a Rectangular Cipher 

m b p y a 

d q z g f 

r n h s e 

u t k v i 

l w c o x 

A despatch in the above cipher preserving the separation 

of the words. 

We have received the 

xn epis erxhgfrf knr 

following telegraphic despatch 

gxaabytet inxrdscxekp frhybipk 

A dispatch in the same cipher with no external 

indication of the separation of the words. 

We have received the 

xnznyinferxhgfrfvgeh 

following telegraphic despatch 

itmyymxtsqgvrxsfemhpkxutsexckwh 

The same cipher arranged in a different rectangle. 

m b p y a d q z g 

f r n h s e j u t 

k v i l w c o x − 

We have received the following telegraphic despatch 

cs sycr ugswbpas feh jkddapqjk fhchbtiwnly hynasgle 

Key to the permutated alphabet employed 

in the preceding ciphers 

mbpyadqzgfrnhsejutkvilwcox 

m a g n e t i c 

b d f h j k l o 

p q r s u v w x 

y z 

[signed] C. Wheatstone


The rules that Wheatstone used to encipher his messages are a bit different 

than the ones we use. Can you figure them out Hint: consider Playfair’s 

name for this cipher. 

21. Another way to use Playfair is construct a 6 × 6 square that consists of 

the 26 letters followed by the 10 numbers 0, 1, ..., 9. Then encipher and 

decipher as usual. (Below we use z as the double-breaking letter, rather 

than x. I’ve also used o for the letter “O”, to prevent confusion with the 

number 0.) 

(a) Encipher 1800 Pennsylvannia Avenue. 

(b) Encipher The Lodge, the residence of the Australian Prime Minister. 

(c) Decipher INWBG RBSoM TUo0. 

(d) Decipher FHBCM LPVWA. 

(e) Decipher 76CPT QHo HTXNB 2BW. 

(f) Decipher Y8Y0T YWAVF oLWD. 

22. During World War II there was a widespread network of Australian coastwatchers 

spread about on the numerous island in the South Pacific. [Kahn, 

pages 591–3.] 

They observed enemy activity from the peaks and cliffs of enemy-held 

islands, collected bits of information from native allies, and radioed 

their information to Allied military commands. They frequently gave 

valuable early warning of Japanese bombing raids and ship movements, 

and they assisted in the rescue of downed Allied airmen. 

In the early morning hours of August 2, 1943, coast-watcher Lieutenant 

Arthur Reginald Evans of the Royal Australian Naval Volunteer 

Reserve saw a pinpoint of flame on the dark waters of Blackett 

Strait from his jungle ridge on Kolombangara Island, one of the 

Solomons. He did not know then that the Japanese destroyer Amagiri 

had rammed and sliced in half an American patrol torpedo boat, 

PT 109, lieutenant John F. Kennedy, United States Naval Reserve, 

commanding. But at 9:30 that morning he received 

the following message: 

(a) KXJEY UREBE ZWEHE WRYTU HEYFS KREHE GOYFI WTTTU OLKSY CAJPO 

BOTEI ZONTX BYBWT GONEY CUZWR GDSON SXBOU YWRHE BAAHY USEDQ 

The keyword is Royal new zealand navy. What does it say 

(b) Evan reported back that Object still floating between Meresu and 

Gizo, and was told later that there was a possibility that survivors 

landing either Vangavanga or islands. In fact, Kennedy had led his 

men to Plum Pudding Island. This was behind enemy lines, and only 

3 or 4 miles from Gizo Island where there was a Japanese garrison.


On Saturday morning, August 7th, Even received news from a native 

that the crew had been found and moved to Gross Island. He sent 

the following message: 

XELWA OHWUW YZMWI HOMNE OBTFW MSSPI AJLUO EAONG OOFCM FEXTT 

CWCFZ YIPTF EOBHM WEMOC SAWCZ SNYNW MGXEL HEZCU FNZYL NSBTB 

DANFK OPEWM SSHBK GCWFV EKMUE 

The key was Physical Examination. Decipher the message. 

(c) Another message reused the key Physical Examination, and began 

XYAWO GAOOA GPEMO HPQCW IPNLG RPIXL TXLOA NNYCS YXBOY MNBIN 

YOBTY QYNAI 

Later messages explained the rescue arrangements. The combination of 

messages could have been easily solved in an hour by any moderately 

experienced cryptanalyst. If solved, the Japanese could have gotten both 

the shipwrecked crew and the rescue force. For whatever reason, there 

was no enemy action taken, and Lt. Kennedy was rescued and went on to 

become President. 

23. H.F. Gaines [page 199] proposed a cipher that uses the Saint Cyr Slide to 

implement a digraphic cipher, calling it, logically enough “Slidefair”. Start 

by setting the keyletter under a, as usual. To encipher a pair of letter, 

find the first letter in the plaintext strip and the second in the cipherstrip. 

Replace them by other corners of the rectangle then formed, first letter 

from the plainstrip and second from the cipherstrip. If the letters happen 

to occur as a horizontal pair, replace them by the letters directly to their 

right. 

Her example used the keyword HERCULES and produced the ciphertext 

XZ ZR RU KC TI HO KX US MZ NI JU KO TI PO SC MW PR PM XY RW GZ AT 

What was the plaintext

Chapter 10 

Transposition Ciphers 

In one word, the transposition methods give a 

nice mess [salade] of cleartext letters. 

Etienne Bazeries 

So far each of the methods of ciphering we’ve studied have been substitution 

methods. They obtain their secrecy by hiding the meaning of the letter. In this 

chapter we turn to transposition ciphers, ciphers which obtain their secrecy 

by hiding the location of the letter. We start with a couple of simple classics. 

10.1 Route Ciphers 

Route ciphers are also called rail fence ciphers, for an obvious reason. 

Examples: Decipher the route ciphers. 

(1) Decipher AEICL BLNON. 

a e i c l 

b l n o n 

(2) Decipher TEIEP NDSR. 

(3) Decipher OBNN LAIECL DLO. (Hint: three rows.) 

(4) Decipher ILE ALPITR RST. 

(5) Decipher ILVGI IOIAE ITSRN MANHM NG. 1 

(Try three rows.) 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

1 (2) Two rows, read backwards: president, (3) Old Abe Lincoln, (4) rail splitter, (5) 

I am leaving this morning – from [HITT, page 28]. 

189

190 CHAPTER 10. TRANSPOSITION CIPHERS 

10.2 Geometrical Ciphers 

Traditionally, the most common way of using transposition was to arrange the 

plaintext letters in some sort of rectangle. When the insertion and reading of 

the letters is done in patterns other than rows and columns, we call the ciphers 

Geometrical Ciphers. 

Examples: Decipher the geometrical ciphers. 

(1) Decipher ANOOR RDXOA OWEOD UNDAN. (Write in 4 rows and read off in a 

spiral.) 

(2) Decipher IINIZ ATGDZ MTVYY GEERX. 

(3) Decipher MOGIN VNNOA IAGLI DAIRC ISTKY. 2 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

10.3 Turning Grilles 

A grille is simply a piece of paper in which holes have been cut. To encipher, lay 

the grille on a clean sheet of paper, write your message in the holes, and, once 

finished, remove the grill and fill in the leftover spaces with nulls. Deciphering 

is easy – lay the grille back on the ciphertext to see the meaningful letters. 

Giacolomo Cardano, last seen in Chapter 8.8.4 apparently invented this method 

in the 16th century. The problem with this method is that to be secure there 

must be many nulls, maybe up to half, and this makes the ciphertext long in 

relation to the plaintext. To reduce the number of nulls, we need to be more 

careful about where we put the holes. 3 

Start with a piece of paper that has a grid marked on it. (A grid here simply 

meaning a series of horizontal and vertical lines that visually divides the paper 

into equal sized squares.) Select some 2n × 2n collection of these small squares 

that forms a large square and divide it into four n × n squares. Fill up the 

upper left-hand sub-square with the numbers 1 through n 2 with 1 through n 

on the top row, etc.. Then turn your paper one-quarter of the way around and 

similarly fill the new upper left-hand square with 1 through n 2 . Repeat this 

process twice more, so that each of the numbers is repeated four times in the 

big square. 

Next, pick exactly one of the four copies of each of the numbers and highlight 

or circle it. It’s best if you pick about the same number of numbers from each of 

the small squares. Take a new sheet of paper and, using the old as a reference, 

2 (1) around and around we go, (2) Read off going down and up the columns: i am 

getting very dizzy, (3) Read off the diagonals: moving in a diagonal is tricky. 

3 To be precise, the Cardano method actually produces a open cipher rather than a 

transposition, but we aren’t that precise.

10.3. TURNING GRILLES 191 

1 2 3 7 4 1 

4 5 6 8 5 2 

7 8 9 9 6 3 

3 6 9 9 8 7 

2 5 8 6 5 4 

1 4 7 3 2 1 

Figure 10.1: A 3 × 3 turning grille. 

cut out boxes in the new sheet that are where and of the same size as the boxes 

you highlighted on the first sheet. We have made a turning grille. In Figure 

10.1 a set of numbers has been chosen, as the bold typeface indicates. 

To encipher the message lay your grille onto a clean sheet of paper. Moving 

from left to right and top to bottom, as usual, write your text in the holes in the 

grille. Once you have filled the holes give your grill a quarter turn and continue 

with your message. If your message is quite long you may have to repeat the 

filling process on a second or even third sheet of paper, while if your message is 

short, you’ll probably want to fill the remaining spots with nulls. 

The deciphering process is the natural opposite of the enciphering: lay the 

grill over the sheet and copy the letters off that you can see, turning the ciphersheet 

one quarter each time you have copied down all the letters. 

Examples: 

(1) Encipher Girolomo Cardano was a mathematician using the grille in 

Figure 10.1. 

Nine letters at a time will be entered. 

partial ciphertext looks like 

After the first nine letters, the 

O 

I 

O 

R 

M 

G 

L 

O 

C 

Now give the grill one quarter twist and enter nine more. This make 

A G 

R I D 

R A O 

N L O 

O W M 

S O A C


Do this twice more. Since the plaintext has only 31 letters we add five 

nulls letters at the end. (I chose stopt as the nulls.) Then pull off the 

ciphertext in rows and regroup. 

(2) Decipher UTOWL MHHDE IAFTO NADOG MBIHD OEAEU CNCOS Y using the same 

grille. 4 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

For about four months in 1917 the German Army used Turning Grilles. (The 

German Army was quite lost, cryptographically, during much of World War I, 

and tried just about every method they could get their hands on.) ANNA was 

5 × 5, BERTA was 6 × 6, all the way up to FRANZ, who was 10 × 10. The 

French, who were crytologically far more advanced than the Germans, treated 

Anna, Berta and Franz as old friends, and happily read most of the messages 

sent in this manner. 

10.4 Columnar Transposition 

Columnar transposition is the transposition method. It was widely used, 

especially in World War I, and fell out of favor only because of the rise of 

machine ciphers. 5 

To encipher, pick a keyword and write the message under the keyword in 

rows with as many columns as letters in the keyword. Number the columns 

alphabetically from the code word, just as in the keyword transposed ciphers 

from Section 1.5.3. (Remember we decided to consecutively number repeated 

letters, so REPEATER is numbered 62531847.) Then pull the columns out oneby-one 

in this numerical order. Separate the letters into groups of five and you 

have enciphered your message. (It is possible that your message will not make 

a perfect rectangle. That is fine. Either ignore the blanks, or fill them with 

nulls.) 

To decipher the message we need to know not only what the proper ordering 

of the the columns is (which we do, as we know the keyword), but also how 

many letters go into each column. Suppose we have a message N letters long, 

and the keyword has k letters. Start by drawing a rectangle with k columns. 

Next divide the columns into rows. There will be N ÷ k full rows (here N ÷ k 

means this integer part of division), and a final row that will contain N%k 

letters at its beginning and be blank at the end. Cross out these blank spaces 

so you won’t be tempted to put letters into them. Now put in your ciphertext 

4 (1) MACGA IRITA DHNER ASOMN TALOO OWMTP SOIAT C. (2) who did anything he could to 

become famous, (which is true about Cardano, as his biographers can attest.) 

5 Machine ciphers are clearly much faster than ciphering by hand. Further, since transposition 

generally deals with large groups of letters at one, as opposed to substitution which 

enciphers small groups at once, the early limits on computer memory made pure transposition 

machine-ciphers less secure than substitution machine-ciphers.

10.4. COLUMNAR TRANSPOSITION 193 

column by column, following the order given by the keyword. Reading across 

the rows then gives the message. 

Examples: Encipher or decipher using columnar transposition. 

(1) Encipher Here is my very clever secret message using the keyword 

cipher. 

c i p h e r 

H E R E I S 

M Y V E R Y 

C L E V E R 

S E C R E T 

M E S S A G 

E 

Reading down we have the c column: HMCSME, the e column: IREEA, the 

h column: EEVRS, the i column: EYLEE, the p column RVECS, and the r 

column: SYRTG. Putting these together and regrouping we obtain HMCSM 

EIREE AEEVR SEYLE ERVEC SSYRT G. 

(2) Encipher Monday morning arrives too early using the keyword simple 

filling last row with null m’s. 

(3) Decipher DKOEY TGHRT OORAE NTFSO TEIAL GE using the keyword square. 

There are 27 letters in the message and 6 in the keyword, so there will be 

27 ÷ 6 ≈ 4 full rows and 27%6 = 3 letters in a fifth row. So we will fill in 

S Q U A R E 

First we fill down the A column (putting in the first four letters of the 

message), 

S Q U A R E 

D 

K 

O 

E


then fill down the E column with the next four, 

S Q U A R E 

D Y 

K T 

O G 

E H 

then the Q column with the next five, etc. This gives us 

S Q U A R E 

F R I D A Y 

S T A K E T 

O O L O N G 

T O G E T H 

E R E 

From here we simply read off the message (ignoring the keyword): Fridays 

take too long to get here. 

(4) Decipher VOOGH KEBWN TEEDR FEERY KOWNY SIRED with keyword daily. 

(5) Decipher ENMPK EAKWN TESUE VYEES SDAAN with keyword later. 6 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

There are two standard tricks to use with transposition. The first we’ve seen 

before – the use of nulls. As with monoalphabetic substitution, nulls are simply 

meaningless letters added to the plaintext before enciphering with the hope of 

making the decrypter’s life more difficult. While nulls may appear anywhere, 

we will restrict ourselves to putting nulls at the beginnings and endings of messages. 

As we will see, nulls used in this way add only modestly to the security of 

columnar transposition. More worthwhile is performing interrupted columnar 

transposition in which certain spots are skipped during the enciphering 

and deciphering process. 

6 (3) YNVEO OASRA IIONR RTLDN ROYMM GEA. (4) A completely filled rectangle with 6 rows: 

Everybody’s working for the weekend. (5) The te and nns are nulls: Seven days make up 

a week.

10.5. TRANSPOSITION VS. SUBSTITUTION 195 

Examples: 

(1) Encipher some spots are simply skipped using the keyword START with 

the interruptions as given: 

S T A R T 

∗ 

∗ 

∗ 

∗ 

∗ 

Enciphering is almost the same as before: put the message into the array, 

skipping the designated spots. Then when pulling out the columns, 

remember to forget to write down the ∗’s. 

(2) Decipher STPAR STEIA GPSTC NUTMN RNRIU SEENH IRSID EOUET. The keyword 

is EXPLODE and the interruption pattern is 

∗ 

∗ 

∗ 

∗ 

∗ 

∗ 

∗ 

∗ 

∗ 

7 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

10.5 Transposition vs. Substitution 

How do we recognize that a cipher is possibly from a columnar transposition, 

rather than from some form of substitution A message enciphered with a any 

transposition consists of exactly the same letters as the plaintext message. A 

frequency analysis of the ciphertext will thus result in a chart that matches the 

a-e-i, no, rst, and uvwxyz patterns exactly, and in their natural positions. So it 

is easy to detect a transposition cipher: its frequency chart will look like one from 

common English but the text won’t be readable. 8 Conversely, a substitution 

7 (1) MPAIS ORMKE STSLP OSSYP EEPID. (2) Missed interruptions cause anger eruptions. 

8 Since position and not identity is now what is important, we probably want to make any 

nulls we use to be similar to the other letters in the plaintext, in the hope that the enemy 

will be confused as to which letters are meaningful. So, while in a substitution cipher we use 

letters like jkxqz as nulls to try to make frequency analysis harder, in a transposition cipher 

we use etaoinshr letters to add insignificant significant-looking letters to the ciphertext.


cipher will generally have too many jvkxyq’s and too few etaoinshr’s. To 

our eyes, trained to read English, transposition ciphers will look like a salad 

of letters (to mis-translate Bazeries’ quote), worthwhile components but oddly 

mixed, whereas substitution ciphertexts look unappetizing, with too many odd 

letters. 

10.6 Letter Connections 

Decrypting a transposition cipher is a bit like putting Humpty Dumpty back 

together again – all the pieces are given, we just need to determine which goes 

where. When doing this, we will continually have a letter and will be wondering 

which letter most likely came just before it in the message, and which letter 

likely came just after it. These are questions of conditional probability. Notice 

the difference between 

and 

“This letter is a T. How likely is it that the next letter an H” 

“How likely is it that this letter is a T and the next letter is an H” 

Figure 10.2 provides the answer to the first question, in percent. 9 In the row 

centered by T, just to the right of T appears H 32 , which indicates that T is followed 

by H almost 1/3 of the time. Similarly, the appearance of U 4 E 17 O 18 A 22 I 26 just 

before N show that N is almost always preceded by a vowel, with that vowel 

being I about 1/4 of the time. And that when the rare V does appear, it is 

usually followed by E. 10 

For comparison, the answer to the section question (“how likely is it that 

this pair is “TH”) appears in Figure 10.3. This figure is the bigram companion 

to our standard frequency chart Figure 1.3, as it shows how likely each possible 

bigram is in standard English. 11 

9 These percentages were computed using “The Brown Corpus.” The Brown Corpus of 

Standard American English was compiled by W.N. Francis and H. Kucera at Brown University, 

Providence, RI, from one million words of American English texts printed in 1961. The texts 

sampled came from fifteen different categories ranging from “Reportage” (The Philadelphia 

Inquirer, May 10, 1961, p.49) to “Popular Lore” (Jack Kaplan, “The Health Machine Menace: 

Therapy by Witchcraft”) to “Romance” (Samuel Elkin, “The Ball Player,” Nugget, October, 

1961). By modern standards, this corpus is considered small and dated. 

10 We remarked back in Chapter 6 that vowels like to combine with consonants. Look at 

the vowels rows to ascertain the validity of this statement. Likewise, that H is more likely to 

precede vowels while N and S are more likely to follow them. 

11 The numbers are in %%, meaning that you should divide by 100 and add % to the end. 

So the 13 in the BA entry means that BA appears .13% of the time, about 1/10 of 1 percent of 

the time. Values smaller than 0.01% have been left out.

10.6. LETTER CONNECTIONS 197 

F 2 G 2 I 2 Y 2 P 3 D 4 C 5 L 5 W 5 M 6 N 6 S 7 T 7 R 8 H 10 E 12 A N 19 T 14 L 10 R 10 S 10 C 5 D 4 I 3 M 3 B 2 G 2 P 2 V 2 Y 2 

L 3 I 4 N 4 R 4 U 4 Y 4 M 5 T 5 S 7 O 9 D 10 A 13 E 13 B E 30 L 12 O 11 U 11 A 8 Y 7 I 5 R 5 S 2 

D 2 Y 2 T 3 R 4 U 4 O 5 S 7 N 11 A 13 I 16 E 19 C O 19 E 15 H 14 A 13 T 9 I 6 K 4 L 3 R 3 U 3 

D 2 O 4 R 4 L 6 I 7 A 9 N 27 E 28 D E 15 I 13 T 10 A 9 O 7 S 6 B 4 H 3 R 3 U 3 W 3 C 2 D 2 F 2 L 2 M 2 

G 2 I 2 P 2 W 2 B 3 C 3 E 3 D 5 L 5 M 5 N 5 S 5 V 5 T 7 R 11 H 20 E R 14 S 10 D 9 N 9 A 7 T 6 C 4 L 4 E 3 I 3 M 3 W 3 F 2 O 2 P 2 

Y 2 L 3 R 3 T 3 D 4 N 4 A 5 F 5 S 5 I 6 E 13 O 36 F O 17 T 15 I 11 A 9 E 8 R 7 F 5 L 3 U 3 C 2 H 2 S 2 

D 2 S 2 O 4 R 4 U 6 A 9 E 9 I 11 N 42 G E 15 H 12 A 10 I 8 O 8 R 8 T 7 S 4 L 3 U 3 N 2 

D 2 N 2 E 4 G 4 W 6 S 7 C 8 T 54 H E 48 A 16 I 13 O 8 T 4 

C 2 G 2 V 2 A 3 F 3 M 3 W 4 E 5 N 5 D 7 L 7 R 8 S 8 H 9 T 15 I N 25 S 12 T 12 C 7 O 7 L 5 D 3 E 3 M 3 R 3 A 2 F 2 G 2 V 2 

G 2 Y 4 O 5 R 5 T 5 A 6 S 6 B 7 D 8 N 10 E 14 F 15 J U 28 O 25 E 19 A 13 I 3 T 2 

L 4 E 7 I 7 S 7 N 8 O 11 R 12 A 14 C 20 K E 34 I 15 N 7 S 7 A 6 O 4 T 4 H 2 L 2 W 2 

C 2 N 2 R 2 S 2 T 3 B 4 P 4 U 6 O 7 I 8 L 12 E 13 A 19 L E 16 I 12 L 12 A 11 Y 9 O 8 D 6 S 3 T 3 U 2 

Y 2 D 3 M 3 N 3 T 3 U 4 S 5 R 6 A 10 I 10 E 18 O 18 M E 25 A 19 I 11 O 11 P 6 U 4 B 3 M 3 S 3 T 3 

R 2 U 4 E 17 O 18 A 22 I 26 N T 17 D 15 G 11 E 9 O 7 A 6 S 6 C 5 I 5 

B 2 G 2 W 2 D 3 M 3 O 3 P 3 Y 3 E 4 L 4 F 5 H 5 N 6 C 7 I 7 S 7 R 8 T 13 O N 17 R 13 F 11 U 10 M 6 T 6 L 4 W 4 O 3 S 3 C 2 D 2 P 2 V 2 

L 2 X 2 Y 2 D 3 I 3 N 3 T 3 R 4 P 5 U 5 M 8 A 9 O 10 S 11 E 17 P E 18 R 16 O 13 A 12 L 10 I 5 P 5 T 4 H 3 U 3 S 2 

O 2 R 2 C 3 T 3 A 4 D 4 N 5 I 8 S 12 E 43 Q U 98 

D 2 G 2 F 3 I 4 P 5 T 5 U 6 A 14 O 16 E 28 R E 23 A 10 O 10 I 9 S 7 T 7 D 3 Y 3 C 2 M 2 N 2 

L 2 Y 2 D 3 O 4 T 5 U 5 R 6 N 7 S 7 A 12 I 13 E 20 S T 18 E 11 A 9 I 9 O 8 S 7 H 6 C 3 P 3 U 3 W 3 M 2 

H 2 Y 2 C 3 F 3 U 3 D 4 O 5 R 5 T 5 E 8 I 9 A 12 N 13 S 13 T H 32 I 11 O 11 E 10 A 6 T 5 S 4 R 3 U 2 W 2 

G 2 H 2 N 2 P 2 A 3 C 3 E 3 F 3 L 3 M 3 Q 3 D 4 R 4 B 6 T 7 S 9 O 28 U R 14 S 13 T 13 N 12 L 10 C 5 G 4 P 4 A 3 E 3 I 3 M 3 B 2 D 2 

D 2 L 2 N 4 R 5 O 15 A 17 I 20 E 24 V E 65 I 19 A 9 O 5 

L 2 A 4 R 4 Y 4 N 5 D 6 T 10 S 11 O 17 E 20 W A 22 H 17 I 17 E 16 O 11 N 4 

O 5 I 7 A 8 E 74 X P 26 T 17 I 12 A 11 C 10 E 7 O 2 

H 2 M 2 O 2 D 3 S 3 N 6 B 7 E 9 T 10 R 11 A 12 L 21 Y O 13 T 11 A 10 S 9 E 7 I 6 W 5 B 4 C 3 F 3 H 3 M 3 P 3 D 2 L 2 R 2 

N 2 U 2 T 3 O 4 E 5 Z 7 A 14 I 51 Z E 44 A 18 I 11 Z 7 O 5 L 2 Y 2 

Figure 10.2: Appearances before and after the given letter, in %. 

To use the charts correctly, we need to carefully note the meanings of three 

different possible numbers: 

1. If we ask “I have V. How often is V followed by E”, look for E in the V 

row of Figure 10.2. The answer is 65% of the time. V is (almost) always 

followed by a vowel, and E is the mostly likely one. 

2. If we ask “How often is E preceded by V” the answer is much smaller, only 

5%, as seen also in Figure 10.2. Why smaller That is the “conditional” 

part of the probability. Looking at a V one feels that a vowel is probably 

next. Looking at an E we are somewhat surprised if the preceding letter 

is V. 

3. If we ask “Here are two letters. Are the VE” we find 64 in Figure 10.3, 

meaning .64% = 0.0064 of all letter pairs are VE’s. So this pair is quite 

uncommon, as matches our intuition.


.A .B .C .D .E .F .G .H .I .J .K .L .M .N .O .P .Q .R .S .T .U .V .W .X .Y .Z 

A. 2 20 40 37 11 18 3 28 1 9 82 27 156 1 18 86 81 116 9 17 8 1 21 1 

B. 13 1 47 8 1 18 17 9 3 1 17 12 

C. 41 5 48 46 19 13 12 59 11 2 30 10 2 

D. 36 16 8 9 63 9 5 14 52 1 8 9 8 30 7 12 25 40 12 2 12 6 

E. 98 20 59 114 45 32 17 22 39 2 4 54 47 120 35 34 4 175 134 80 8 24 39 14 16 

F. 22 2 4 2 20 13 1 5 26 2 7 3 1 41 3 18 5 35 8 2 1 

G. 21 2 2 1 30 3 3 25 16 6 2 5 17 2 17 7 15 7 3 1 

H. 88 2 3 1 260 1 3 72 2 3 3 44 1 8 5 22 6 3 4 

I. 19 7 52 28 28 15 21 1 5 36 27 188 54 7 25 89 88 20 1 1 4 

J. 2 3 4 5 

K. 4 22 1 1 10 1 5 3 5 3 1 1 

L. 46 5 5 27 69 7 1 3 52 2 52 4 1 35 5 3 15 15 10 2 4 37 

M. 48 8 1 63 1 2 28 1 8 1 30 17 3 9 7 10 2 4 

N. 49 7 36 107 63 10 82 11 40 1 5 9 7 9 50 6 4 48 121 7 4 10 10 

O. 13 14 16 18 6 86 8 7 10 7 30 48 131 24 21 100 30 49 77 15 32 1 4 

P. 25 36 7 11 20 1 27 11 32 4 9 7 

Q. 10 

R. 64 7 14 18 145 7 9 8 60 8 11 17 15 66 8 12 43 47 11 5 8 19 

S. 62 11 22 7 73 13 4 40 63 1 4 11 14 9 57 23 1 6 46 124 25 1 21 5 

T. 61 9 10 5 95 7 2 296 110 1 13 9 4 104 6 35 38 49 20 20 18 

U. 10 7 13 7 10 1 11 8 27 10 33 1 11 39 36 35 

V. 9 64 19 5 

W. 41 1 30 32 33 1 1 7 20 3 3 3 1 1 

X. 2 2 1 2 5 3 

Y. 17 7 6 4 12 5 2 6 11 4 6 3 23 6 4 16 19 1 8 

Z. 1 4 1 

Figure 10.3: Bigram Frequencies (in %%), from the Brown Corpus. 

10.7 Breaking the Columnar Transposition Cipher 

Once we know we have a transposition cipher (and for us this means columnar 

transposition), to start trying to decrypt it first count the length of the message, 

and use this to find all the possible shapes. (In exchange for making your 

life easier by giving you only completely filled rectangles to decrypt, I may 

complicate things by throwing in nulls both at the beginning and end of the 

message.) So if there are 40 letters in the message we’d expect an 8 × 5 or 5 × 8 

rectangle. (Variants like 2 × 20 or 4 × 10 are possible but less likely.) And if the 

message is only 35 letters the rectangle must be 5 × 7 or 7 × 5. On thin strips 

of paper write the message in columns of the proper length. Then start flipping 

the pieces of paper around until a message starts to form. 

How does one “flip around” Start by putting the strips near one another 

and making a vowel count of the rows. In English, vowels make up between 

35% and 40% of all letters. It is uncommon to find even a ten-letter segment 

that has fewer than 3 or more than 5 vowels. As a quick test of your rectangle, 

count the number of vowels in each row. If many of the rows have much less 

than 40% vowels, or much more, then you may wish to instead try a rectangle 

of a new size. 

Once you have a rectangle with a good vowel count turn to any peculiarities 

of the message you can find, such as those coming from the appearance of low-

10.7. BREAKING THE COLUMNAR TRANSPOSITION CIPHER 199 

frequency letters. For example, a q in the message must be followed by a u; 

j, v and z are almost always followed by a vowel; x is generally preceded by a 

consonant. 

Counting the contacts will help determine which strips fit together the best. 

For each pair of columns that may possibly fit together, sum the values from 

Figure 10.3 for that pair. Often the pair of columns with the highest sum will 

be neighbors in the plaintext. 

Finally, look for words. Decrypting a transposition cipher is very similar 

to the final step in decrypting a complicated monoalphabetic ciphers in that 

you must just work hard, carefully sort through the possibilities, and let your 

English intuition solve it for you. 

Examples: Decrypt the following transposition ciphers. 

(1) EERHE LARGE GNEDH IWIDD OERET AIYTT SSERT. 

This has 35 fairly standard letters, so must be a transposition cipher, and 

is either 5 × 7 or 7 × 5. Let’s guess 5 rows. Then our columns are exactly 

those 5 letter groupings given. 

1 2 3 4 5 6 7 

1 E L G I O A S 

2 E A N W E I S 

3 R R E I R Y E 

4 H G D D E T R 

5 E E H D T T T 

First, there are seven letters per row, and 40% of 7 is about 3, so we’d 

expect each row to contain about 3 vowels. Rows 1, 2 and 3 all have 

exactly 3 vowels, and row 5 has 2. Only row 4, with 1 vowel, hints that 

this rectangle is the wrong one. On the other hand, there are only 12 

vowels among these 35 letters, a percentage closer to 33% than 40% so 

row 4 by itself is probably not a reason to discard this arrangement. 

Second, column 6 has a y, a very uncommon letter. In English y appears 

almost exclusively as the final letter of a word, so we should not worry 

about what letter follows it. Using Figure 10.3, y is mostly preceded by one 

of the letters NBETRAL. (These are they only significant non-zero entries in 

the .Y column of Figure 10.2.) Can we make any of these pairs Assuming 

that y is not the first letter of the row we can make three ry’s, with the 

column-pairs 16, 26 and 56, and two ey’s, with the column-pairs 36 and 

76. (This means five pairs to check, out of a possible (7 × 6)/2 = 21.) 

Next we count the total number of contacts we have for each pair of


columns, using the chart in Figure 10.3. 12 

columns 1 6 2 6 3 6 5 6 7 6 

E A 98 L A 46 G A 21 O A 13 S A 62 

E I 39 A I 28 N I 40 E I 39 S I 63 

R Y 19 R Y 19 E Y 16 R Y 19 E Y 16 

H T 22 G T 15 D T 40 E T 80 R T 47 

E T 80 E T 80 H T 22 T T 49 T T 49 

totals 258 185 139 200 237 

The column pairs 16 and 76 have the highest totals so one of these is 

probably right. The pair 16 has the largest total but this is build from 

two big and three small values. The pair 76, on the other hand, has four 

good pairs and the one given EY pair. For this reason I would probably 

start with 76 rather than 16, despite the slightly smaller total. 13 

Since y occurs almost exclusively at the end of words we next try to see 

which columns could come before our column pair 76. 

columns 1 7 6 2 7 6 3 7 6 4 7 6 5 7 6 

E S A L S A G S A O S A S S A 

E S I A S I N S I E S I S S I 

R E Y R E Y E E Y R E Y E E Y 

H R T G R T D R T E R T R R T 

E T T E T T H T T T T T T T T 

None of these look encouraging. The TTT triplets in 476 and 576 force us 

to reject those combinations. Similarly 276 and 376 have bad GRT and DRT 

triplets. Only 176 works at all, and even then the HRT is not good. 

We can always come back, so let’s temporarily abandon the 5 × 7 and try 

7 × 5. This give the columns 

1 2 3 4 5 

E R H E T 

E G I R T 

R E W E S 

H G I T S 

E N D A E 

L E D I R 

A D O Y T 

12 Note again the difference between Figures 10.3 and 10.2. When we knew we were working 

with y but didn’t know which letter came before it we used 10.2. Now that we have definite 

pairs of letters we use 10.3. 

13 Some authors advise taking the product of the contact values, rather than their sum. 

This prevents a column with a couple very large contact counts and the rest very small from 

“winning.” The product counts demonstrate much more clearly the superiority of the 76 

combination. For simplicity, we will stick with sums.

10.8. DOUBLE TRANSPOSITION 201 

Since 5 × 40% = 2 we expect about 2 vowels per row, and except for one 1 

and one 3, all the rows have exactly 2 vowels, so this rectangle looks good. 

Starting again with the y both the 14 and 54 column-pairs fit well together 

and should be investigated: 

columns 1 4 5 4 

E E 45 T E 95 

E R 175 T R 35 

R E 145 S E 73 

H T 22 S T 124 

E A 98 E A 98 

L I 52 R I 60 

A Y 21 T Y 18 

totals 548 503 

I’d probably continue with the pair 14, except that the word there on the 

top row leaps off the page, as does the word today on the bottom row. 

From here we are quickly done. (This example provides a good example 

of why we frequently add nulls at the start and end of a message.) 

(2) EGONH UITES ERMON QEELI HSAII TNCVF ENATT 

Again we have a 5 × 7. This time, besides the v, we have a q, probably 

giving us an easy two-column match. Since no u’s will be near the q if we 

use 7 rows, there must be five rows. Since a vowel must follow the qu this 

gives us three columns to choose from. 

(3) AADOI SEEDD OGRCE TRNGE TTSES ODRSH IBMNA DGHNR ISLOA AVT (Hint: 

there are nulls at the beginning and/or end.) 14 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

10.8 Double Transposition 

A double transposition cipher is one of the most difficult simple ciphers to 

decrypt. It was used so extensively by the Unites States that it is sometimes 

called the US Army double transposition, and was one of the many methods 

used by the German Army in WWI. 

A double transposition is exactly what it sounds like: after using a transposition 

method to encipher the message same keyword is used again to reencipher 

the ciphertext. Deciphering is accomplished simply by deciphering 

twice. For example, Attack your left flank at once enciphered once with 

14 (1) Three tigers were sighted near Deli today. (2) The three e columns make this 

one a bit harder: The Queen’s reign came to a violent finish t. (3) sr diamond and 

gold are good. straight cash is even better. The sr are nulls.


keyword bombs gives AKLLT AUTKC TOFNN TYEAO CRFAE. Guessing that this was 

a 5×5 square would lead to almost immediate decryption. But if we re-encipher 

it with the same keyword we get AATTC LKNAA LTFEF KUOYR TCNOE. 

Suppose we try to decrypt this cipher, and for ease we grant ourselves the 

knowledge that it is 5 × 5. Arranging it gives 

1 2 3 4 5 

A L L K T 

A K T U C 

T N F O N 

T A E Y O 

C A F R E 

There are only 7 vowels out of 25 letters, or 28%, which is a smaller percentage 

than normal, but it still stands out that there is only one vowel in each of the 

first two rows. Cheating (by looking at the previous paragraph) how will we 

guess that AUTKC is the correct ordering of the second row 

The purpose of a transposition is to mix-up the position of the letters. A single 

columnar transposition cipher can be broken because this mixing is far from 

complete. The second enciphering causes many more of the letter connections to 

be shredded, making decryption very difficult. If the cryptanalyst has a number 

of messages, all enciphered with the same key, and all of exactly the same length, 

then, by moving from one message to another and back again, it is possible to 

decrypt the whole set. (This is the trick that the brilliant French cryptanalyst 

Georges Jean Painvin used to break the German ÜBCHI double transposition 

cipher of World War I.) However, even the experts cannot routinely decrypt a 

single message carefully enciphered with a double transposition. 

10.9 Transposition during the Civil War 

The Civil War turned out to be an interesting test of Kerckhoff’s maxim that 

the enemy knows the system being used. Not only did the two armies speak 

the same language, but most of the trained officers knew each other, having 

attended West Point together, and some even had fought together during the 

Mexican–American War of 1848. We have already seen that the South put their 

trust largely in polyalphabetic ciphers, with rather little success. The North 

would turn to transposition. 

Anton Stager was born in 1833, in New York, and worked in a printer’s office 

and as a bookkeeper before becoming a telegraph operator in Pennsylvania. He 

was rapidly promoted and by his early thirties he was the general superintendent 

of the Western Union Telegraph Company, head-quartered in Cleveland. After 

the outbreak of hostilities in the Civil War, Governor Denison of Ohio gave him 

responsibility for all telegraph lines in the Ohio military district, and asked him 

to prepare a cipher so that the governors of Ohio, Indiana and Illinois could

10.9. TRANSPOSITION DURING THE CIVIL WAR 203 

conduct secret communications with one another. This was, apparently, “the 

first telegraphic cipher used for war purposes” [Plum, page 44]. 

Later George B. McClellan, a recent railroad executive who became a general 

of volunteers, asked Stager to prepare a cipher for use during the campaign 

in West Virginia. Stager based this new cipher on his previous one. It was afterwords 

adopted as the official cipher of the War Department [Weber]. The cipher 

was simply a route cipher. As J.E. O’Brien, a former US Military Telegraph 

operator, put it [SSA3, vol 1] 

The principle of [this] cipher consisted in writing a message with an equal 

number of words in each line then copying the words up and down the 

columns by various routes, throwing in an extra word at the end of each 

column, and substituting other words for important words and meanings. 

The cipher information was printed on cards, about 3 by 5 inches in size. 

Printed on the cards were the code words, called arbitrary words, the keys, 

called commencement words, and the nulls, called check words or blind 

words. The route was also indicated on the card. 

Successive editions of the ciphers were aided by the practical experience of 

the users, both in Washington and in the field. More code words, more nulls, 

and variations on the routes were added. Eventually the cards abandoned and 

pamphlets were substituted, in pocket-sized editions, the first with 16 pages, 

the last with 48 [SSA3]. 

The genesis of Stager’s system can perhaps be seen in a simple example that 

appears in [Myers]: 

The enemy has changed his position during the night. Deserters say 

that he is retreating. Smith 

We put it into a rectangle in the following given order: down column 1, up 

column 4, down column 2 and up column 4, and then add a column of nulls. 

Column 1 Column 2 Column 3 Column 4 Column 5 

The night. Smith the attacking 

enemy Deserters retreating during summer 

has say is position unchanged 

changed that he his him. 

The ciphertext can then be read off: 

The night. Smith the attacking enemy Deserters retreating during 

summer has say is position unchanged changed that he his him. 

Notice the use of significant looking insignificant check words – “attacking” and 

“unchanged.”


The early form of Stager’s ciphers was similar to the Myers example. Here 

is one sent at the very beginning of the war. 

Example: [Plum] 

Parkersburg, VA. June 1, 1861. 

To Maj. Gen. G.W. McClellan, Cincinnati, Ohio: 

Telegraph the have be not I hands profane right hired held must start 

my cowardly to an responsible Crittendon to at polite ascertain engine 

for Colonel desiring demands curse the to success by not reputation nasty 

state go of superseded Crittenden past kind of up this being Colonel my 

just the road division since advance sir kill. (Signed) F.W. Lander 

With possession of the codebook we’d look up the keyword “Telegraph” to 

learn that this message is eight lines long, with seven columns. Further that the 

plaintext was inserted in the order up the 6th column, down the 1st, up the 5th, 

down the 2nd, up the 4th, and down the 3rd. (From now on we will abbreviate 

this as U6, D1, U5, D2, U4, D3.) Finally that the seventh column is filled with 

nulls and the message must be pulled off row by row in the usual order. 

To decipher, we reverse the steps. So we first write the message in 8 rows of 

7 columns each, and then pull off the columns in order. 15 

the have be not I hands profane 

right hired held must start my cowardly 

to an responsible Crittended to at polite 

ascertain engine for Colonel desiring demands curse 

the to success by not reputation nasty 

state go of superseded Crittenden past kind 

of up this being Colonel my just 

the road division since advance sir kill 

Up the 6th column and down the 1st begins the message: 

“Sir. My past reputation demands at my hands the right to ascertain the 

state of the advance. Colonel Crittendon, not desiring to start, I have 

hired an engine to go up road. Since being superseded by Colonel Crittendon, 

[I] must not be held responsible for [the] success of this division.” 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

15 We have always done transposition by putting the plaintext words or letters in rows in 

the usual order and pulling off the columns via the keyword order. This is an example of the 

reverse process: put the plaintext message into a rectangle via some order and then pull it off 

row by row, and then to decipher put the ciphertext into the rectangle in order and pull off 

the plaintext by the keyword ordering.

10.9. TRANSPOSITION DURING THE CIVIL WAR 205 

By 1863 the ciphers had become more complicated. 

Example: (From [Weber, pages 114-5].) Here is the plaintext message. 

Headquarters Department of the Cumberland 

Chattanooga, October 16, 1863 - 7 p.m. 

Major-General Burnside, 

Knoxville, Tenn.; 

The enemy are preparing pontoons and increasing on our front. If they 

cross between us you will go up, and probably we too. You ought to move 

in the direction, at least as far as Kingston, which should be strongly 

fortified, and your spare stores go into it without delay. You ought to 

be free to oppose a crossing of the river, and with your cavalry to keep 

open complete and rapid communications between us, so that we can 

move combined on him. Let me hear from you, if possible, at once. No 

news from you in ten days. Our cavalry drove the rebel raid across the 

Tennessee at Lab’s Ferry, with loss to them of 2,000 killed, wounded, 

prisoners, and deserters; also five pieces of artillery. 

Yours, 

Rosecrans 

Answer quick. 

To encipher we first choose a key: Enemy. This keyword demands that we 

use an array with 10 rows of 6 columns each. So we enter the first 60 words of 

the message: 

For Burnside The enemy are preparing 

Pontoons & increasing numbers on our 

front If they cross between us 

you will go up and probably 

we too . You ought to 

move in this direction at least 

as far as Kingston which should 

be strongly fortified and your spare 

stores go into it without delay 

You ought to be fee to 

Next, some giveaway words are replaced by their code equivalents as the 

code indicates: Burnside becomes BURTON and enemy becomes WILEY. The key 

also indicates that nulls are to be added at the tops and bottoms of certain 

columns. After doing this we have 

boy greatly 

For BURTON the WILEY are preparing 

Pontoons & increasing numbers on our 

front If they cross between us 

you will go up and probably 

we too . You ought to 

move in this direction at least 

as far as Kingston which should 

be strongly fortified and your spare 

stores go into it without delay 

You ought to be free to 

Not surely some 

Finally, the key tells how the plaintext is to be taken off: D3, U4, D2, U5, D1


and U6. This gives the ciphertext 

the increasing they go period this as fortified into some be it 

and Kingston direction you up cross numbers Wiley boy Burton & If 

will too in far strongly go ought surely free without your which 

at ought and between on are greatly For Pontoons front you we move 

as be stores You Not to delay spare should least to probably us our 

preparing 

Since the entire message has not yet been enciphered, we proceed by choosing 

a new key and enciphering as the new key demands. In this case (since this was 

an actual message) Stanton and McDowell were chosen. They each represented 

the same system: 6 × 6 with nulls atop columns 1, 5, and 6 and below columns 

1, 2 and 3. 

fortune the time 

oppose a crossing and with your 

RELAY to keep open complete and 

rapid communications between us so that 

we can move combined on him 

Let me hear from you if 

possible at once No news from 

speed this more 

(Relay is the code word for cavalry.) The pattern is up the diagonal from bottom 

right to top left, followed by D1, U6, U5, D3, U4. 

Putting the final portion of the message into cipher as well gives 

To Jaque Knoxville, Enemy the increasing they go period this as 

fortified into some be it and Kingston direction you up cross numbers 

Wiley boy Burton & if will too in far strongly go ought surely free 

without your which it ought and between or are greatly for pontoons 

front you we move as be stores you not to delay spare should least 

to probably us our preparing Stanton from you combinedly between to 

oppose fortune roanoke rapid we let possible speed if him that and 

your time a communication can me at this news in so complete with 

the crossing keep move hear once3e more no from us open and McDowell 

julia five thousand ferry the you must drove at them prisoners 

artillery men pieces wounded to Godwin relay horses in Lambs of and 

yours truly quick killed Loss the our minds ten snow two deserters 

Bennet Gordon answer also with across day 

E.P. Alexander, the founder of the Confederate Army Signal Corps, received 

this ciphertext and was asked to translate it. His account (from Gary W. Gallagher 

Fighting for the Confederacy: The Personal Recollections of General 

Edward Porter Alexander, pages 302-03) of this incident is quite informative: 

I had never seen a cipher of this character before, but it was very clear 

that is was simply a disarrangement of words, what may be called, for 

short, a jumble. Each correspondent, of course, had what was practically 

a list of the natural numbers, say from one up to 50, or whatever limit 

was used, taken in an agreed jumble, as for instance beginning 19, 3, 41, 

22 &c. Then, the first word of the cipher would be the 19th of the genuine 

message, the 2nd cipher would be 3rd of message, the 3rd cipher the 41st, 

&c.

10.10. THE BATTLE OF THE CIVIL WAR CIPHERS 207 

If [the jumble] were used twice or three times, I could, by comparison & 

trial, probably decipher the whole business. But if the jumble were not 

repeated, I could never decipher it without getting another message in the 

same jumble in order to compare the two. ... I found one pair of words 

which certainly belonged together, ‘Lambs’ & ‘ferry’ – for there was a 

‘Lamb’s Ferry’ on the Tennessee River. But it only made the demonstration 

absolute that the jumble ws not repeated [and so I could not make 

sense of it.] I afterward found that the Federals made their jumbles by 

means of diagrams of row & columns, writing up & down in different orders 

& then taking the words across ... They also used some blind words 

to further confuse the cipher. This made, indeed, a most excellent cipher, 

quick & easy, both to write & to decipher, which is a very great advantage. 

But there is one objection to it, in that it required a book, & that 

book might get into the wrong hands. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

10.10 The Battle of the Civil War Ciphers 

The ciphers used during the Civil War give an interesting comparison. The 

North used relatively simple word transposition ciphers, which sends the plaintext, 

only jumbled. The South used what was thought to be the unbreakable 

Vigenére cipher. Why, then, did the North enjoy more success, cryptographically 

There are several reasons. The North’s use of meaningful word in their 

reduced the number of garbles, errors, while Vigenére ciphertexts, which have 

no context, had many more errors [Weber]. The extensive use of code words 

in Stager’s system generally prevented the South from getting any easy entries 

into a message. Conversely, the clumsy use of Vigenére (the failure to encipher 

the entire message, keeping word lengths) by the South gave the codebreakers 

of the North many clues about the message. Having a very few number of keys 

also contributed to the weakness of the South’s cryptography. “Judged by the 

standards of its own day, [Stager’s] cipher was adequate: it was not too complex 

to be practicable, and yet it delayed solution for a sufficient time.” [SSA2, page 

20]. 

10.11 Summary 

Transposition Ciphers receive their security by the manner in which they mix 

the letters of the plaintext. There are many methods for providing this mixing; 

route ciphers, grilles and columnar transposition being the most famous, with 

the latter being by far the most popular. 

To perform a columnar transposition first select a keyword. Write the plaintext 

underneath the keyword, in as many columns as the keyword has letters.


To find the ciphertext pull out the columns of this array in the alphabetical 

order of the letters of the keyword. Deciphering is the reverse process, with the 

bit of complication that the length of the ciphertext and length of the keyword 

must first be used to determine how many letters each column contains. 

Recognizing transposition ciphers is easy – the frequency chart of a ciphertext 

appears to be that of normal English. Breaking transposition ciphers is, 

obviously, a matter of putting the letters back into their proper positions. For 

columnar transposition one first decides upon a guess of the size of the ciphertext 

rectangle and then creates the proposed columns of the plaintext. By knowing 

which letters are more likely to contact which one then proceeds by putting the 

columns next to their proper neighbors. 

The North used columnar transposition of words to great success during the 

Civil War. Keeping the words largely prevented Morse Code-based garbles, and 

the extensive use of code words, for proper names and locations, prevented the 

South from having any easy entry into the messages. 


1. From what do transposition cipher receive their security 

2. What is the main difference between transposition ciphers and substitution 

ciphers 

3. What is a route cipher What does its name mean 

4. What is a geometrical cipher 

5. What is a turning grille Explain how to construct one. 

6. Explain how to use a keyword to set up a columnar transposition. 

7. In a columnar transposition, how is the plaintext entered 

8. In a columnar transposition, how is the ciphertext removed 

9. Given the number of letters in the ciphertext and the length of the keyword, 

how are the lengths of the columns used that transposition determined 

10. How does one decipher a columnar transposition cipher 

11. How does one recognize that a cipher is a transposition 

12. How does one decide whether a ciphertext is from a substitution cipher or 

from a transposition cipher 

13. Explain how to break a columnar transposition ciphertext.


14. What is a double transposition Is it a better or a worse cipher than single 

transposition Why 

15. Explain the basics of the North’s system of transposition ciphers during 

the Civil War. 

16. Was Stager’s system more like route ciphers or more like columnar transposition 

ciphers Explain. 


1. Decipher the following geometric ciphers. 

(a) SIYEE OLYMS MLYTS ESOOE SQUAR. 

(b) ASNRE NDPUT SELZT RESPA UTCLP. 

(c) ARBHUN OSOQM IEUSA ASRE. 

2. Decipher the following rail fence ciphers. 

(a) RIRAS ALOD. 

(b) ABDIB BREWRE. 

(c) FET ECPSS NO. 

3. These ciphers are based on the 12, 3, 6 and 9 o’clock positions on a clock. 

Decipher them. 

(a) HORPCK TEMSERUHEOC EUATL. 

(b) OHHLL FRWOTELTLS WNBO. 

(c) HSUS URINESCO OMTED. 

4. Encipher the following short messages using a columnar transposition 

based on the given keyword. 

(a) let us hear from you at once concerning the jewels. Keyword 

jewels. 

(b) rft diamonds must be received by thursday morning ee. Keyword 

wealth. 

(c) rubies hidden in oatmeal containers in pantry floor. Keyword 

cereal. 

(d) sapphires were fake so was painting weve been setup flee. Keyword 

manetmonet.


5. Decipher the following short messages using columnar transposition based 

on the given keyword. 

(a) LTIAD IEEUU NRIER SRANI AEROR XEILO VACEE MTBOR VMUUT CO. Keyword 

SHARP. 

(b) SMAES LEHEH AUATN OIIYW CTCET RTAED SOOEK IHNOL MROGI ARGUB 

MS. Keyword OPENING. 

(c) BLWHS NNCTI EQTNF SEOET JEWRR EUIOT RTPSA HDUSE EDAEE XTOTH 

US. Keyword BROADWAY. 

(d) EWLMR RNIIH VOLEO CINLE RNAPD OGGTO CBWTT ESBHT POLIT BRSYT 

LE. Keyword QUICK. 

6. Decrypt the following short messages enciphered using columnar transposition 

on full rectangles. 

(a) OQYHN AGEYE LGAPE SEMIN OLTAF VTUCP HDIOE OUITR RUUEY SSU. 

(b) AEWFU HRSLO SOLTE RIENA QTETS NTN. Hint: nulls at end. 

(c) HHTHM HMETS GDESU MSRED DNDFE DPXRE ODOON ITENE EIHNX EOTHI 

LELND DAEOX TSTOR TELNH XIAJA RLPOT. 

(d) LTESU AAGEO NEORE OSAGG LWERN IGDSD TNLIA TRIMD ODLLR OOTND 

GPNE. 

7. [Hitt, pages 31–33] Since the ciphertext of transposition ciphers consist of 

the same letters as the plaintext, knowledge of cribs – words suspected of 

appearing in the plaintext – is especially helpful. Break the following 108 

letter transposition cipher in which the word villa appears. 

HIIGF TNGHI NTCVN IEIOT CYIFY LHAEA ESNBA EEEEN RWGBN YDELR OAESG 

RNEBO VNLDA ICAOA LCNDT IRGVA CDOIE SEREC DVPEI AFIFL RINEH ETT 

8. [HITT, pages 34-35] A weak form of double transposition uses two keywords 

in the following way. As usual, put the plaintext into a rectangle 

under the (first) keyword. The put the (second) keyword alongside the 

first column. Mix the plaintext by reordering the columns according the 

first keyword and then reordering the rows according to the second keyword. 

For example, to encipher radios may now be used xx with keywords 

S I G N S 

S r a d i o 

SIGNS and SEND, first set up the rectangle E s m a y n 

N o w b e u 

D s e d x x 

The first rearrangement gives 

I G N S S 

S a d i r o 

E m a y s n 

N w b e o u 

D e d x s x


and the second gives 

I G N S S 

E m a y s n 

D e d x s x 

N w b e o u 

S a d i r o 

So the ciphertext is maysn edxsx wbeou adiro. 

The following message was enciphered using this technique. Decrypt it. 

Hint: The size is 7 × 10. 

WVGAE EGENL TFTOH TEIEF RBTSE INENG ONWRM GXIXN GOITN ROMRO ESPAL 

HNEAC UDNNH DERME 

9. [HITT PAGE 47] Hitt considers the following slightly tricky example. 

LT. J. B. SMITH, Royal Flying Corps, Calais, France. 

DACFT RRBHA MOOUE AENOI ZTIET ASMOS EOHIE YOCKF NOHOE NOUTH OMEAH 

NILGO OSAHU OHOUE APCHS TLNDA CFTEN INTWN BAFOH GROHT AEIOH ABRIS 

ODACF TRREN OSTSM AYBIS DFTEN EFAPH OSMNI ZTIEA HLILL TWSOU GDENO 

UTHOM EAHBH AMOOU EAYOE QISUU OLEHA DENOE NHOOQ OBBOR TSLHO BAHEO 

UBHOB IHTSW ENOHO PAHIH ITUAS BIHTL 

Graham-White 

Is this a transposition or substitution cipher Explain your answer. 

For help, here is the frequency count. 

22 11 5 6 23 7 3 26 16 0 1 8 7 15 37 3 2 7 14 18 11 0 3 0 3 2 


10. [Plum, page 51] General Halleck wished the following cipher to be sent. 

Washington, 10:30am, July 15, 1863 

For Genl S.A. Hurlbut, Memphis: 

If Gen. W.T. Sherman’s movements have sufficiently occupied the 

enemy to render your line safe, send all the forces you can spare to 

Brig.-Gen. Prentiss to operate on Price’s rear if he advances toward 

Missouri. 

H.W. Halleck, Maj.-Gen’l. 

His clerk, T. T. Eckert, chose McClellan as the indicator. This specifies 

the codewords specified in Figure 10.4. 

The message is to be pulled off by first starting at the bottom right-hand 

corner and moving up the diagonal, followed by D1, U6, D2, U5, D3, U4. 

In addition, there is be a null added after every six words. That is, after 

the diagonal, after D1, after U6, after D2, etc.. 

Please encipher the message.


Plain 

Hurlbut 

Sherman 

movements 

enemy 

Prentiss 

Price 

rear 

advances 

Missouri 

10:30am 

Halleck 

Code 

bear 

Blubber 

zebras 

wiley 

valley 

query 

world 

wafers 

chorus 

Clara 

applause 

Figure 10.4: Codewords for keyword McClellan. 

11. Cipher No. 7 was used early in the Civil War. 

To Louisville, Ky. Sept 29, 1862 

Colonel Anson Stager, Washington 16 

Austria await I in over to requiring orders olden rapture blissful for 

your instant command turned and instructions and rough looking further 

shall further the Camden me of ocean September poker twenty I 

the to I command obedience repair orders quickly pretty Indianapolis 

your him accordingly my fourth received 1862 wounded nine have 

twenty turn have to to to alvord hasty. 

(signed) William H. Drake 

The keyword Austria indicates that this has nine lines, and is to be read 

U1, D6, U2, D3, U5, D4. The only codeword in this message is “Camden,” 

Major General G. H. Thomas. By this time Stager had regularized the 

location of the blind words: always insert one at the end of a column being 

pulled off. 

Decipher the message. 

12. [Antonucci] Stager’s Cipher No. 12 was used from September 1862 until 

August 1864. It had many code words, for times of days, prominent 

officers, place names, and even commonly used words and phrases. For 

example, in the following message Arabia is Major General Don Carlos 

Buell, Adam is Major General Henry Halleck, and Lincoln is Louisville, 

KY. 

Louisville, Ky. Sept 30, 1862 To George C. Maynard, Washington 

Regulars ordered of my to public out suspending received 1862 spoiled 

thirty I dispatch command of continue of best otherwise worst Arabia 

my command discharge duty of my last for Lincoln September period 

your from sense shall duties the until Seward ability to the I a removal 

16 Since Stager was the head of the Military Telegraph Office in Washington, during some 

years most messages to Washington were sent to his name. Likewise, Drake must be the 

telegraph operator stationed with the commander the message is for, Major General D.C. 

Buell in this case.


evening Adam herald tribune. 

(signed) Philip Bruner 

This response to Exercise 11 uses the keyword Regulars to specify a 

rectangle of nine lines and five columns. The ordering is U4, D3, U5, D2, 

U1. Decipher the message. (Hint: remember that each column ends with 

an extra check word that is then ignored.) 

13. [Plum] Cipher No. 4 was the last one of the war, only going into service 

on March 23, 1865. By now the codesheets were really code books. This 

one had 1608 codewords, many key words and routes, and even it was in 

code. Page seven in its entirety is: 

3 7 4 2 

8 10 14 12 

13 11 9 

6 5 1 

Bedroom. 1. Lazy. — Blonde. 11. Liniment. 

Bedstead. 2. League. — Bloody. 12. Lion. 

Beverage. 3. Leather. — Bosom. 13. Liquid. 

Beyond. 4. Legacy. — Boy. 14. Loafer. 

Big. 5. Lemon. — Bread. 15. Log. 

Bill. 6. Lesson. — Bride. 16. Lomax. 

Billiards. 7. Let. — Brush. 17. Long. 

Bilious. 8. Library. — Bulk. 18. Lucky. 

Blanket. 9. Life. — Bushel. 19. Luscious. 

Bliss. 10. Linen. — Buxom. 20. Luxury. 

Words are the line indicators, only one was used (unless the message was 

more than 20 lines, in which case others were added.) The route was 

given, reading left-to-right, using only the top and bottom lines. So here 

the route is up the 6th, down the 3rd, up the 5th, down the 7th, up the 

1st, down the 4th, down the 2nd. The middle lines are only to confuse 

the enemy. (Remember that there is an extra word at the end of each 

column.) 

Word Code Word Code 

. flea, hound battle knit 

, ass, bat commander locust 

, bear, bitch corps Madrid 

, cat the enemy village 

3 Madison fight optic 

15th Brown fighting oppressing 

18 Norris in the quail 

60 Knox of the serenade 

July Steward one Harry 

Sunday Tyler over skeleton 

Couch ax night Rustle 

A. Lincoln Adrian relieved trammeled 

Meade Bunyan the river turnip 

Smith children signature upright 

Washington, D.C. Incubus


Washington, D.C. 

To A. Harper Caldwell, 

Cipher Operator, Army of the Potomac: 

Blonde bless of who no optic to get and impression I Madison square 

Brown cammer Toby ax the have turnip me Harry bitch rustle silk 

Adrian counsel locust you another only of children serenade flea Knox 

County for wood that awl ties get hound who was war him suicide 

on for was please village large bat Bunyan give sigh incubus heavy 

Norris on trammeled cat knit striven without if Madrid quail upright 

martyr Stewart man much bear since ass skeleton tell the oppressing 

Tyler monkey. 

(signed) D. Homer Bates 17 

Please decipher. 

14. (a) [Bates] In November 1862 David Homer Bates, one of Lincoln’s telegraph 

operators in Washinton, was worried that a Confederate operator 

had tapped the telegraph line leading from Washington to Major 

General Burnside’s location in Virginia. So rather than using one of 

their usual cipher systems he sent the following message. 

Washington, D.C. November 25, 1862. 

BURNSIDE, Falmouth, Virginia; 

Can Inn Ale me withe 2 oar our Ann pas Ann me flesh ends N.V. 

Corn Inn out with U cud Inn heave day nest Wed roe Moore Tom 

Darkey hat Greek Why Hawk of Abbott Inn B Chewed I if. 

BATES 

Can you make sense of it Hint: read it backwards. 

(b) The same technique was used in this message from the very end of 

the war, supposedly to conceal the news from the cipher operators 

who might happen to see it while relaying it to Washington. 

City Point, Va., 8:30 A.M., April 3, 1865 

TINKER, War Department: 

A Lincoln its in fume a in hymn to start I army treating there 

possible if of cut too forward pushing is He is so all Richmond aunt 

confide is Andy evacuated Petersburg reports Grant morning this 

Washington Secretary War. 

BECKWITH 

What does the message say 

15. On June 1, 1863 President Lincoln sent the following message 

GUARD ADAM THEM THEY AT WAYLAND BROWN FOR KISSING VENUS CORRE- 

SPONDENTS AT NEPTUNE ARE OFF NELLY TURNING UP CAN GET WHY DETAINED 

TRIBUNE AND TIMES RICHARDSON THE ARE ASCERTAIN AND YOU FILLS BELLY 

THIS IF DETAINED PLEASE ODOR OF LUDLOW COMMISSIONER 

17 David Homer Bates, died 1926, was from 1861–1866 a telegrapher and cipher clerk in the 

telegraph office in the old War Department Building [SSA, vol 1]. His war remembrances, 

Lincoln in the Telegraph Office, make for interesting reading.


Several codewords were in use: VENUS for colonel, WAYLAND for captured, 

ODOR for Vicksburg, NEPTUNE for Richmond, ADAM for President, NELLY for 

4:30pm. The message was also enciphered as a complete rectangle. 

With these hints (that the South didn’t have), can you decrypt the message 

16. Break the double transposition UELOB DARES RNIOI STOBE LIYVA APSRN 

TALWY ALE Hint: the word double appears in it. 

17. [Hassard] One of the favorite enciphering techniques during the controversy 

following the presidential election of 1876 was transposition ciphers 

on words with the important tell-tale words (people’s names, state names, 

etc.) being replaced by (often) proper nouns, usually geographical names. 

(In the messages below, however, the names of the states in question – 

Florida, Louisiana and Oregon – are un-encrypted.) Then the entire message 

was transposed, using words as units. 

Fortunately for the decrypters, there were a very large number of dispatches. 

A very common word was Warsaw, and a lucky guess confirmed 

this stood for telegram. The short ciphertext 

Warsaw they read all unchanged last are idiots cant situation 

is then fairly easily seen to read 

Cant read last telegram. Situation unchanged. They are all idiots. 

This provides the key (47296381015), meaning, take the 4th work of the 

plaintext, put it first in the cipher, followed by the 7th word or the plaintext, 

then the 2nd word, and so on. 

This ordering helped decrypt most messages of ten words, but not others. 

However, it was noticed that the telegrams always came in word lengths 

that were multiples of five. Perhaps each length had its own key If so, 

multiple anagramming on a selection of ciphers of the same length should 

lead to their decryption. 

In Figure 10.5 are five messages, written in column form, with their words 

numbered. Dispatch 1 has adjourned until to-morrow. The only possible 

noun is London, so 29, 27, 19, 28 must be part of the key. Using 

this order in Dispatch 2 gives us out if a. Looking at the words in Dispatch 

2, intend to count us out if a seems reasonable. So now the 

key must contain 25, 5, 10, 29, 27, 19, 28. 

This is an example of multiple anagramming – using a reasonable 

ordering of one text to help understand the ordering of another, and visa 

versa. Use multiple anagramming to decrypt this message.


Num Dispatch 1 Dispatch 2 Dispatch 3 Dispatch 4 Dispatch 5 

1 Me Very Figure To Rochester 

2 you news France situation of 

3 do say capture prospects answer 

4 to Copenhagen and ans America 

5 did to over Africa yesterday 

6 to from what desperate to-day 

7 question can see intend understands 

8 when Florida answer Thames Thomas 

9 you you Europe soon my 

10 you count Moselle Europe Africa 

11 to much Russia report about 

12 morning in shall every but 

13 asked behe little mischief it 

14 want give and the first 

15 where what appearances Warsaw avail 

16 go Louisiana about in at 

17 supposed am best dispatch my 

18 this placed hope in nothing 

19 until if Glasgow acting Bavaria 

20 come mixed will this as 

21 to-night insure up will will 

22 important London keep stall Copenhagen 

23 and Oregon Oregon all once 

24 answer few America concert fear 

25 here intend be morning reported 

26 Warsawed things can parties small 

27 adjourned out Potomac France by 

28 to-morrow a behind in and 

29 London us Edinburgh and satisfied 

30 you here I received hope 

Figure 10.5: Five similar dispatches from 1876. 

18. Robert Patterson was an immigrant to the United States from Ireland, 

eventually becoming professor of mathematics and vice-provost of the 

newly established University of Pennsylvania. At some point he made the 

acquaintance of Thomas Jefferson, becoming vice-president of the American 

Philosophical Society while Jefferson was its president. In 1805 Jefferson 

appointed him the Director of the US Mint. 

On 19 December 1801 he wrote to Jefferson 

“A perfect cypher should possess the following properties: 

1. It should be equally adapted to all languages. 

2. It should be easily learned & retained in memory. 

3. It should be written and read with facility & dispatch.


4. (which is the most essential property) It should be absolutely 

inscrutable to all unacquainted with the particular key or secret for 

decyphering 

Patterson believed he had discovered one method that satisfied his first 

three requirements and was “absolutely impossible, even for one perfectly 

acquainted with the general system, ever to decypher the writing of another 

without his key.” 

In the same letter he sent what we will call Patterson’s Cipher. As revised 

by Jefferson and himself, and slightly modified to fit our manner of doing 

things, the cipher works as follows. 

(a) Choose two keywords of the same number of letters. 

letters alphabetically: 

B e n j a m i n 

2 3 7 5 2 6 4 8 

Number the 

F r a n k l i n 

2 7 1 6 4 5 3 8 

(Repeated letters are thought of as occurring in a “second” alphabet.) 

(b) Write the message (ignoring non-alphabetic characters and spaces) 

in rows, using a consistent number of letters per row (the last row 

may have fewer). 

(c) Cyclically number the columns in order, with the largest number 

being the number of letters in the keyword. 

(d) Take the columns off in the numerical order indicated by the line 

keyword. Before transcribing them in rows insert as many nulls as 

the letter keyword indicates. Add some number of nulls at the end. 

As Patterson further explained 

It will be proper that the supplementary letters used at the beginning 

and end of the lies, should be nearly in the same relative proportion 

to each other in which they occur in the cypher itself, so that no clue 

may be afforded for distinguishing between them and the significant 

letters. 

On calculating the number of changes, and combinations, of which the 

above cypher is susceptible even supposing that neither the number of 

lines in a section, nore the number of arbitrary letters at the beginning 

of the lines, should ever exceed nine, it will be found to amount to 

upwards of ninety millions of millions ... nearly equal to the number 

of seconds in three millions of years! Hence I presume the utter 

impossibility of decyphering will be readily acknowledged. 

Jefferson responded on 22 March, 1802 that 

I have thoroughly considered your cypher, and find it is much more 

convenient in practice than my wheel cypher, that I am proposing it 

to the secretary of state for use in his office


and on 18 April 1802 that although the cypher was difficult to understand, 

once understood it would be “the easiest to use, the most indecypherable, 

and varied by a new key with the greatest facility of any one I have ever 

known.” 

Although the method did offer splendid security, it was extremely time 

consuming, and there is no evidence it was ever actually used. 

The example given by the Franco-phile Jefferson is about the success of 

Napoleon. 

w s a t a i s p a p s e v h h r n t p v n t u t a n o 

e a a o o b c e u t e r d h e c e b n s b s a b d e p d n o 

e h n o e e t h h n p a l a e r n n o t n t u t i o h 

n e m e y e e s a n n i h a t t o a a t i e e o n d o i 

r t l r c w r e h e g u r i l j n e s y d o t h d s e a r 

s e e o b i n l e i h t s h e e e n a e e a r t a n r m 

a r p e n w e e r t d t a e c e n h y a n o a b i 

u v c l s t i h i e d c f i n s x n a h e n y t e n r f 

s d t r o d i e s u a u n o s i a h r i a e h e i r p 

s t o e t l s o a o a d h s e t t i e u a h r d e i u y 

f t s h o p f c f e b e i n t r t t t e h o x e o y p u 

p e r t e r s p i a e e o o c k r y c f n n h t e f e y o 

t l r l p w r u u w i p s a t t w h h n m e n t 

e r r e t e a l e i w a r w s a o t d i t o f n g e 

w h a r c r c n t t c w i g l n e n r d h f o w s h 

e t t d n e e l k h o s u h a x h t j o r u i y i 

s a n t r h t d i w u f g e t h a t d f s l t m 

a d t r o d i i e g a a i w t i s t n r h e s r n c t 

n o n o a e i e d l i n y s y i o s e a g o d l l a n n 

s f t a e w t r o i w n t w a n o n x y o u r e h 

The keys are keylines 57328162 and keyletters 81393420. To decipher – 

(1) cross out the known nulls at the start of each line. 

(2) Number the lines using the numbers of the line key. 

(3) Pull out the lines in order of key, putting them into columns. 

(4) Read the message (the ending nulls will be clear).

Chapter 11 

Knapsack Ciphers 

Merkle had great confidence in even the single 

iteration knapsack system and posted a note on 

his office offering a $100 reward to anyone who 

could break it. ...[After Shamir broke it,] Merkle, 

always one to put his money where his mouth 

was ... paid Shamir the $100 is prize money. 

... Merkle’s enthusiasm [wasn’t] dampened. He 

promptly raised his bet and offered $1000 to anyone 

who could break a multiple iteration knapsack. 

It took two years, but in the end, Merkle 

had to pay. 

Whitfield Diffie 

The First Ten Years of 

Public-Key Cryptography 

In cryptography one takes plaintext (that is easy to read) and attempts turn it 

into ciphertext (that is apparently hard to read). In other words, cryptography 

involves an easy and hard version of the same problem. There are several 

mathematical problems that also have both an easy version and a hard version. 

Can the parallel between an easy/hard math problem and the easy/hard to read 

text be made useful As it will turn out, yes. 

11.1 The Knapsack Problem 

One day, whilst out hiking, you discover a cave containing many gold bars. 

Being ethically challenged, you wish to carry out as much gold as possible. 

Unfortunately the owner of the gold, a dragon, will probably return soon and 

your backpack (knapsack) can only carry so much weight without breaking. 

How can you decide which gold bars to take This is the Knapsack problem. 

(To fit the knapsack problem into the cave-gold-dragon analogy, you can carry 

however much your knapsack can hold, you have time to make one trip, and, 

since the dragon will not the mistake of leaving his/her cave unguarded again, 

one trip only.) 

219

220 CHAPTER 11. KNAPSACK CIPHERS 

Example: There are 8 piles of gold bars. Every bar in a given pile weighs 

the same. Each in pile 1 weighs 18oz. In pile 2 each weighs 29oz. Pile 3: 34oz, 

Pile 4: 41oz, Pile 5: 67oz, Pile 6: 88oz, Pile 7: 101oz and Pile 8: 119oz. Your 

backpack can carry a maximum of 300 oz (about 19 lbs). Which bars and how 

many should you pick 1 

⋄ 

11.2 A Related Knapsack Problem 

An apparent simplification is to assume the cave contains exactly one bar of 

any particular weight. So you only need to decide “yes” or “no” to each bar, 

rather than deciding how many bars from each pile to take. We also modify the 

problem to demand an exact amount of gold. 

Examples: 

(1) The weights of the bars are 4, 7, 12, 19, 22, and 25 lbs. If the total amount 

demanded is 55 lbs., this weight can be supplied: 4 + 7 + 19 + 25 = 55. 

However, there is no way to choose bars of total weight exactly 50 pounds. 

(2) The weights of the bars are 27, 31, 41, 48, 55, 59, 62, 65, 73, and 77. Total 

amount wanted is 257. Is this weight possible What about 364 2 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

This problem may seem easier than the first, but it is still quite hard. Why 

Think of the number of possibilities that must be considered. For each bar we 

must decide whether we want it or not: 

For one weight, say 27 lbs.: Do we want it yes or no (2 = 2 1 choices). 

For 27 and 31: yes/no and yes/no, or yy, yn, ny or nn (4 = 2 2 choices). 

For 27, 31, and 41: y/n and y/n and y/n gives yyy, yyn, yny, nyy, ynn, 

nyn, nny, and nnn (8 = 2 3 choices). 

By the time we have 5 weights we must make 2 5 = 32 choices, 8 weights demand 

2 8 = 256, and 10 weights, as in the last example, leads to 2 10 = 1024 

possibilities, too many for a quick answer if checking by hand. In fact, if there 

were 100 bars to choose from (a moderately rich dragon, in other words), there 

would be 

2 100 ≈ 1, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000 

1 I can make 295 as 2 × 18 + 2 × 34 + 3 × 41 + 67. Can you do better 

2 255 is possible (in seven different ways!) but 364 is not.

11.3. AN EASY KNAPSACK PROBLEM 221 

possible choices, far too many to check even by computer. And maybe none of 

them give the correct total anyway!! This is a real needle-in-a-haystack problem: 

there are lots of easily found potential answers, it is simple to determine whether 

a potential solution is indeed correct, but there is no apparent way to focus in 

on a solution except to try all the possibilities. 

11.3 An Easy Knapsack Problem 

We have now seen a “hard” mathematical problem. What is the easy version 

Assume the numbers (or weights) are super-increasing, which means that 

when put into increasing order, the next number on the list is always larger 

than the sum of all the previous ones. 

Example: Numbers are 2, 3, 6, 13, 27, and 55. 

3 > 2 

6 > 5 = 2 + 3 

13 > 11 = 2 + 3 + 6 

27 > 24 = 2 + 3 + 6 + 13 

55 > 51 = 2 + 3 + 6 + 13 + 27. 

So these numbers form a super-increasing set of numbers. 

⋄ 

Why does the numbers being super-increasing make the knapsack problem 

easy Because now the greedy algorithm will work – look over the bars (or 

weights, or numbers), starting with the largest and work toward the smallest, 

always taking the largest one that will fit into your knapsack. 

Examples: 

(1) Can the total 90 be made using {2, 3, 6, 13, 27, 55} 

We put the amount that is still needed in parentheses. 

90 = (90). Still need 90, so we will use 55. 

90 = (35) + 55. Used 55, still need 35 more. So we will use 27. 

90 = (8) + 27 + 55. Used 27, still need 8 more. 13 > 8 so don’t use 13. 

90 = (8) + 27 + 55. Didn’t use 13, still need 8. Use 6. 

90 = (2) + 6 + 27 + 55. Used 6, still need 2. 3 > 2 so don’t use 3. 

90 = (2) + 6 + 27 + 55. Didn’t use 3, still need 2. Use 2. 

90 = 2 + 6 + 27 + 55. Done. 

(2) Same weights. Demand is for 77. 

77 = (77). Yes to 55. 

77 = (22) + 55. No to 27. Yes to 13 

77 = (9) + 13 + 55. Yes to 6.


77 = (3) + 6 + 13 + 55. Yes to 3. 

77 = 3 + 6 + 13 + 55. Done. Found a total that works. 

(3) Same weights. Demand is for 81. 

81 = (81). Yes to 55. 

81 = (26) + 55. No to 27. Yes to 13. 

81 = (13) + 13 + 55. Yes to 6. 

81 = (7) + 6 + 13 + 55. Yes to 3. 

81 = (4) + 3 + 6 + 13 + 55. Yes to 2. 

81 = (2) + 2 + 3 + 6 + 13 + 55. 

Done. We didn’t find a total that was correct, and since we can only use 

each weight once, this means there is no solution. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

In general, when the numbers or weights are super-increasing, the greedy 

method will find a solution when there is one, and will indicate that no solution 

is possible when it is impossible. 

Example: Weights 3, 7, 12, 24, 49, 104, and 215. Which of the totals 298, 

421, 358 and 311 can be found 3 ⋄ 

Thus, if the weights are super-increasing the knapsack problem is very easy. 

If they are not, it can be very very difficult. Next we transform the easy knapsack 

problem into (apparently) a hard one. 

Example: Consider the five weights W 1 = 3, W 2 = 7, W 3 = 12, W 4 = 24 

and W 5 = 49. These are in super-increasing order and so form the weights of 

an easy knapsack problem. For example, can these weights produce the total of 

80 Yes: 80 = 49 + 24 + 7. 

Now let e = 39 and P = 101. e is our “enciphering” multiplier. If we 

multiply the W ’s by e modulo P we obtain new weights, U 1 through U 5 : 

W 1 × e = 3 × 39 ≡ 16 ≡ U 1 (mod 101) 

W 2 × e = 7 × 39 ≡ 71 ≡ U 2 (mod 101) 

W 3 × e = 12 × 39 ≡ 64 ≡ U 3 (mod 101) 

W 4 × e = 24 × 39 ≡ 27 ≡ U 4 (mod 101) 

W 5 × e = 49 × 39 ≡ 93 ≡ U 5 (mod 101) 

The weights 16, 71, 64, 27 and 93 are not in super-increasing order! Can the 

total 90 (= (80 × 39)%101) be produced from them 4 We have succeeded in 

3 Only 298 and 358 are possible. 

4 Yes, but only modulo 101: 90 = (93 + 27 + 71)%101.

11.4. THE KNAPSACK CIPHER SYSTEM 223 

turning the easy knapsack problem into a hard one. Further, if we use the 

Euclidean Algorithm to solve 39 × d ≡ 1 (mod 101) for d = 57, then we can 

turn the hard problem back into the easy one, for then multiplying the U’s by 

d will give us the W ’s back. 

⋄ 

This example suggests somehow using the total weight to send messages. To 

produce 80 we used W 2 , W 4 and W 5 , hinting at the pattern no-yes-no-yes-yes 

or nynyy or 01011. What can 01011 mean 

a = 00001 g = 00111 m = 01101 s = 10011 y = 11001 

b = 00010 h = 01000 n = 01110 t = 10100 z = 11010 

c = 00011 i = 01001 o = 01111 u = 10101 

d = 00100 j = 01010 p = 10000 v = 10110 

e = 00101 k = 01011 q = 10001 w = 10111 

f = 00110 l = 01100 r = 10010 x = 11000 

Figure 11.1: Binary Equivalents for the Alphabet 

11.4 The Knapsack Cipher System 

Many modern ciphers are built around a mathematical problem that is (hopefully) 

impossible to solve unless you have some special information that makes 

the problem very simple. One of the first was the suitably named Knapsack 

Cipher System. It was invented by Ralph Merkle and Martin Hellman [MH]. 5 

In this cipher the intractable problem is the general knapsack problem, and the 

simple version is the super-increasing knapsack problem. The Knapsack Cipher 

attempts to exploit this method for turning the simple problem into an 

apparently impossible one. 

The first four steps of the set-up we’ve already seen. The final two make 

this into what was then a radically new type of cipher. 

5 M. E. Hellman and R. C. Merkle, received U.S. Patent 4,218,582, filed October 6 1977, 

issued August 19 1980 for “Public Key Cryptographic Apparatus and Method.” It expired in 

1997.


Knapsack Cipher Setup: 

1. Pick a set of super-increasing numbers: W 1 , W 2 , W 3 , W 4 , W 5 and P . 

2. Pick e 

d such that e × d ≡ 1 (mod P ). 

3. Compute the U’s: U i = e × W i %P . 

4. Make the U’s public. Keep the W ’s, e, d and P secret. 

To Encipher: 

1. Turn each letter of the message into its binary equivalent 

(a 1 , a 2 , a 3 , a 4 , a 5 ). 

2. Use the U’s to find the enciphered number M, of each letter: 

To Decipher: 

M = a 1 · U 1 + a 2 · U 2 + a 3 · U 3 + a 4 · U 4 + a 5 · U 5 . 

1. For each received cipher number M, compute N = (d · M)%P . 

2. Solve N = x 1 · W 1 + x 2 · W 2 + x 3 · W 3 + x 4 · W 4 + x 5 · W 5 for the x’s. 

3. Convert (x 1 , x 2 , x 3 , x 4 , x 5 ) into its letter equivalent. 

Examples: 

(1) Use the weights U 1 = 16, U 2 = 72, U 3 = 64, U 4 = 27 and U 5 = 93 to 

encipher swim. 

s = 10011 → 1 · U 1 + 0 · U 2 + 0 · U 3 + 1 · U 4 + 1 · U 5 

= 16 + 27 + 93 = 136. 

w = 10111 → 1 · U 1 + 0 · U 2 + 1 · U 3 + 1 · U 4 + 1 · U 5 

= 16 + 64 + 27 + 93 = 200. 

i = 01001 → 0 · U 1 + 1 · U 2 + 0 · U 3 + 0 · U 4 + 1 · U 5 

= 72 + 93 = 165. 

m = 01101 → 0 · U 1 + 1 · U 2 + 1 · U 3 + 0 · U 4 + 1 · U 5 

= 72 + 64 + 93 = 229. 

The ciphertext message is 136, 200, 165, 229. 

(2) Decipher 136, 200, 165, 229. 

Of course, we know the answer. But how could we find it if we didn’t 

already know it First, if we didn’t know e and P (the private key) but

11.4. THE KNAPSACK CIPHER SYSTEM 225 

did know the W ’s, we would be stuck solving a hard knapsack problem. 

This hints that this cipher is a good one. 

However, if we do know e = 39 and P = 101 we may use the Euclidean 

Algorithm to find that d = 57 is solution to 39 × d ≡ 1 (mod 101). Then, 

as in Decimation Ciphers, since multiplying by e enciphered, multiplying 

by d must (mostly) decipher. 

Starting with 136, first multiply by d: (d × 136 = 57 × 136)%101 = 76. 

Then write 76 as a sum of the original W ’s: 

76 = 3 + 24 + 49 

= 1 · W 1 + 0 · W 2 + 0 · W 3 + 1 · W 4 + 1 · W 5 

→ 10011 = s. 

So 136 → s. For the other letters we do the same. First, 190 → d · 190 = 

(57 · 190)%101 = 88, and then 

88 = 3 + 12 + 24 + 49 

= 1 · W 1 + 0 · W 2 + 1 · W 3 + 1 · W 4 + 1 · W 5 

→ 10111 = w. 

So 88 → w. Similarly, 43 → i and 45 → m. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

This cipher system (also known as the Merkle–Hellman knapsack to differentiate 

it from other knapsack systems is a public key cipher. We haven’t seen 

any public key ciphers since Section 3.6, so let us briefly remind ourselves of the 

advantage of such a cipher. Each person who wishes to be part of a conversation 

may compute and make public a set of U’s, as in the Knapsack Cipher Setup. 

As we will see, this allows anyone to send them a secret message, even though 

they have never before communicated. There is no need to somehow pass a 

secret private key: just look up the person’s public key and start enciphering! 

Examples: Using the values W={5, 7, 15, 30, 59}, P = 179, e = 33: 

(1) Encipher dark cave. 

(2) Decipher 302, 260, 294, 157, 417, 459, 260, 294, 252, 52, 294, 

417, 302. 6 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Now with five weights the hard knapsack problem only has 2 5 = 32 possible 

answers to check, and so it is not really very hard. (In the previous example, 

we could have determined that 136 consisted of U 1 , U 4 and U 5 with only a little 

6 (1) 137, 157, 260, 304, 252, 157, 397, 294. (2) treasure chest.


trial-and-error.) But it is easy to use the Knapsack System as a polygraphic 

cipher. 

Examples: 

(1) Use the weights {3, 4, 7, 15, 30, 47, 93, 279, 466, 749}, and the values e = 

211 and P = 1507 to encipher swim as pairs of letters. 

First, we compute the U’s: 

U 1 = (3 · 211)%1507 = 633 

U 2 = (4 · 211)%1507 = 844 

U 3 = (7 · 211)%1507 = 1477 

U 4 = (15 · 211)%1507 = 151 

U 5 = (30 · 211)%1507 = 302 

U 6 = (47 · 211)%1507 = 875 

U 7 = (93 · 211)%1507 = 32 

U 8 = (279 · 211)%1507 = 96 

U 9 = (466 · 211)%1507 = 371 

U 10 = (749 · 211)%1507 = 1311 

Then we encipher as before, just with more weights: 

sw = {10011}{10111} = 1001110111 

→ 1 · U 1 + 1 · U 4 + 1 · U 5 + 1 · U 6 + 1 · U 8 + 1 · U 9 + 1 · U 10 

= 633 + 151 + 302 + 875 + 96 + 371 + 1311 

= 3739 

Similarly, im becomes 2585. 

(2) Decipher 2585. 

We first need the deciphering number. From the Euclidean algorithm 

d = 50 is the solution to (d × 211)%1507 = 1. Next, 2585 becomes 

(d × 2585)%1507 = 1155. Finally, write 1155 as a sum of the original 

weights: 

1155 = 4 + 30 + 93 + 279 + 749 

= U 2 + U 5 + U 7 + U 8 + U + 10 

= 0100101101 = {01001}{01101} 

→ im 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄

11.5. PUBLIC KEY CIPHER 227 

Even with 10 weights our adversary needs to check at most 2 10 = 1024 

possible combinations to determine each piece of plaintext, long by hand but 

quick by computer. Suppose, however, we used 100 weights. We could then 

encipher and decipher 20 = 100/5 letters at a time. Further, once we have 

computed the disguised weights, each block of 20 letters is enciphered with 

only 20 quick additions. Likewise, deciphering involves only one modular multiplication 

and then a quick greedy algorithm, per block of letters. So enciphering 

and deciphering are very quick. On the other hand, there are 2 100 = 

1267650600228229401496703205376 ways for the 100 weights to be combined. 

Even with the use of a a supercomputer, our adversary will be unable to determine 

the meanings of the blocks of letters by brute force. 

11.5 Public Key Cipher 

This is our first real example of a Public Key Cipher. 7 Modern companies 

and governments must strive to overcome not only the breakability of their ciphersystems 

but also the key-management problem: there are just too many 

people and to whom they’d like to send messages that doing all of (1) meeting 

with everyone who you’d like to send messages to and agreeing upon a ciphersystem 

and a private key, (2) keeping all of that information very secret (so no 

one who shouldn’t learns it), and (3) keeping all that information easily accessible 

(so you can send messages back and forth), is very difficult. “It’d sure 

be nice”, someone thought one day, “if there was a secret message system that 

worked just like the phone book: you just look up someone’s cipher information 

and send them a message.” 8 It seems contradictory, making public the very 

information used to send secret messages. But if it were possible, difficulties (1) 

and (3) would vanish. 9 

The knapsack cipher method was the first example that seemed plausible 

to use. Once everyone made their U’s public, anyone could send anyone else a 

message and the only items needed to be kept secret were the individual’s W ’s, 

e, d and P . 

Unfortunately, what made this method into a viable method didn’t work. 

Multiplying by e is meant to destroy the super-increasing nature of the W ’s 

but doesn’t completely do it. Using some fancy Linear Algebra [Shamir] it is 

possible to recover the original weights even without knowing e, d or P . The 

knapsack ciphers seemed the wave of the future, but suddenly became merely 

an interesting relic from the past. 

7 In Chapter 3 we discussed Koblitz’s Kid-RSA. It is only a toy system, never used. The 

Knapsack Ciphers, however, were (nearly) very important. 

8 The someones were Martin Hellman, a Stanford professor of Electrical Engineering, and 

Whitfield Diffie, then (1976) an undergraduate. 

9 As a very simple example (due to Saloma), think of a telephone book. To call someone 

on the phone all you need to know is their name: their telephone number you can always look 

up. Similarly, once you’ve gotten a telephone number anyone, including people you’ve never 

met, can call you up.


11.6 Summary 

In the past 25 years it has become fashionable to take “intractable” mathematical 

problems and try to turn them into cryptosystems. One of the first examples 

of a problem put to such use was the Knapsack Problem. In its full generality 

(from a large set of items choose some subset that maximizes value while 

keeping the total weight under some given bound) the Knapsack Problem, also 

known as the Subset Sum Problem, is known to be such an intractable problem. 

In 1977 Merkle and Hellman announced a cipher system based on a version 

of the Knapsack problem. It had the advantage of being a public key system, 

plus was relatively fast. This system starts with a set of super-increasing weights 

(each successive weight is larger than the sum of all the previously chosen ones). 

After a modular multiplication (and a permutation of their order) the weights 

are made public. To send a binary message send the sum of the weights corresponding 

to the 1’s in the message. The creator of the system can undo the 

modular multiplication, and so to read the message needs only to solve the 

sum-subset problem for a super-increasing set, which is easy. 

It was quickly suspected that hiding the super-increasing nature of the 

weights by a modular multiplication and permutation was not really sufficient, 

and this proved to be the case. By 1984 most forms of the Knapsack Ciphers 

had been shown to be insecure. Nonetheless, they provide a lovely case study 

of a modern cryptosystem. 


1. What is the general Knapsack Problem What is the meaning of “knapsack” 

in the name 

2. What is super-increasing 

3. Why is a Knapsack Problem with super-increasing weights easy to solve 

How to solve it 

4. How can a set of super-increasing weights be modified into a set of not 

super-increasing weights 

5. Explain the setup of a Knapsack Cipher. 

6. How does a Knapsack Cipher encipher What steps are involved 


1. Given the weights 41, 28, 39, 57, 49 and 31, and being allowed to use them 

possibly multiple times, can the weight 782 be achieved, and how


2. Given the weights 63, 39, 81, 57, 48 and 30, and being allowed to use them 

possibly multiple times, can the weight 283 be achieved. If so, how 

3. Given the weights 3, 7, 12, 23, 47, 95 and 190, and using each weight 

at most once, which of the following amounts can be realized, and how 

T = 323, T = 310, T = 117, T = 270. 

4. Given the weights 3, 8, 13, 29 and 60, and P = 129, e = 10: 

(a) Encipher gold. 

(b) Decipher 32, 84, 62, 146. 

5. Given the weights are 5, 8, 14, 29 and 58, and P = 127, e = 17. Decipher 

111, 70, 97, 66, 75, 105. 

6. Given the weights 6, 8, 17, 35, 81, 200, 403, 800, 1589, 3223 and e = 322, 

P = 6551: 

(a) Find the corresponding U’s. 

(b) Encipher stalactite. 

(c) Decipher 20632, 13837, 11968, 22524, 12265. 

the next word in the dictionary. 

Hint: it’s often 

7. [Hellman] Hellman’s 1979 Scientific American article, The Mathematics of 

Public-Key Cryptography, was one of the very first public announcement 

of this new kind of cipher. Included in this article is an overview of public 

vs. private key, and an introduction to the Knapsack Ciphers and RSA. 

Here we look at his knapsack example. 

(a) Show that 3, 5, 11, 20, 41, 83, 169, 340, 679, 1358 forms a superincreasing 

sequence. 

(b) Use P = 2731 and e = 764 to find the corresponding U ′ s. 

(c) Hellman’s sample message was enciphered as pairs of letters (we 

have 10 weights), with the binary starting at 00000, so a=00000 

and z=11001. He also used the binary equivalent for 26 to represent 

a space, and 29 to represent . 

Encipher Hellman’s message: How are you. 

(d) Find d. 

(e) Decipher 2908, 7643, 9799. 

8. The public key codes tend to be slower on a computer than the traditional 

“private key” codes are. So they are most frequently used only to send 

the key for a traditional method. 

Decipher DNTFG EASCN HAFAO NNSBH SIOAI HEPTA CBROE EGFSR RBTGE 

ISIOT LAIEM C. It was enciphered using the double transposition method 

with keyword 94, 240, 155, 46, 197, 188, 151, 131. 

Hint: the W’s are 2, 7, 13, 31, 55, with P = 157 and e = 23.


9. A different way to hide the super-increasing nature of the weights would 

be to put the “superincreasingness” inside the numbers. For example 

W 1 = 2900104 

W 2 = 3200209 

W 3 = 5500401 

W 4 = 1300810 

W 5 = 2401604. 

(The boldness only serves to show where the super-increasing is hidden.) 

The modulus would be correspondingly large, say P = 200785471. 

(a) Use e = 41233 to find the corresponding U’s. 

(b) Encipher huge. 

(c) Which of the following may be written as a sum of the W ’s 

a) 36902109 b) 33501123 c) 10001420 d) 9705114 (Hint: only 

three digits really matter. Which three. 

(d) Decipher 195046101, 76263779, 175978897, 160072206.

Chapter 12 

RSA 

Take two large prime numbers, q and p. 

Find the product n, and the totient φ. 

If e and φ have GCD one 

and d is d’s inverse, then you’re done! 

For sending m raised to the e reduced mod n gives 

secre-c. 

Daniel G. Treat 

We have now reached our final chapter. So it is natural that we have reached 

the more difficult and useful cipher in the book. Fortunately, our cipher also 

brings us back around to the beginning of the book. 

We started out, in Chapter 1, with the Caesar Cipher: translate letters into 

numbers and add three. This was too easy to decrypt, so Chapters 3 and 4 we 

turned to Decimation Ciphers: translate letters into numbers and multiply by 

three. This also turned out to be easy to decrypt. After several other stops along 

the way, we now complete the triple: having used addition and multiplication 

how about exponentiation 

Example: Encipher power by raising to the 3-rd power modulo 26. 

plaintext p o w e r 

plainnumbers 16 15 23 5 18 

cubed 4096 2275 12167 125 5832 

ciphernumbers %26 14 13 25 21 8 

ciphertext N M Y U H 

The ciphertext is NMYUH 

⋄ 

231

232 CHAPTER 12. RSA 

At this point in discussing a new cipher there are always two questions we 

ask: “How to decipher” and, “What is the security” Answering the first, if 

you think about it for a bit, will be difficult. To undo cubing we must take the 

cube root, But what we want to take the cube root of is not the ciphernumber 

but the cube of the plainnumber. So we have the problem of trying to determine 

the cubed plainnumber from the ciphernumber. 

As for the security, just as always adding 3 or always multiplying by 3 is 

insecure, always raising to the 3rd power is insecure. We should choose as our 

key some integer to take powers with. And large integers would have to be 

a possibility if we are to prevent the enemy from simply trying each possible 

power. But this leads to a new problem: what letter does the power 33 encipher 

S to 

19 33 = 1580770532156861979997149793605296459437459 

consists of 42 digits, and so is far too big for a calculator to handle. Similarly, 

19 125 has 159 digits, and 125 is not a very large number. Or how can we 

determine the remainder when 26 divides 19 392 , a number of over 500 digits! 

There is a third, more devious, problem. 1 3 = 1 so a is enciphered to A, 

but 3 3 = 27 ≡ 1 (mod 26) so c is also enciphered to A. Similarly, d and f both 

become L. Why is this, and how can we prevent this 

Despite these difficulties, the idea of developing a cryptosystem around the 

raising of numbers to powers is a very good one. It will lead us to one of the 

most popular cryptosystem of all time. But before we get there we need to 

surmount the difficulties we’ve just discussed. 

12.1 Fermat’s Theorem 

Our first need is to learn how to compute values like 133 719 %101. As you know, 

the “mod” just is shorthand for “find the remainder when divided by”, so in 

some sense we are not learning anything new. All one has to do is to compute 

133 719 , divide by 101, and find the remainder. However, 133 719 is galactically 

far too large for you calculator to directly compute. 1 How then to do this 

Some help is provided by a 360 year-old theorem. 

Theorem 3 Fermat’s Little Theorem 2 (1640). If p is a prime number and 

p does not divide a, then a p−1 ≡ 1 (mod p). 

1 It has over 1500 digits in it. For comparison, the traditional estimate for the number of 

elementary particles in the universe is 10 80 , i.e., a number of 80 digits. 

2 Pierre (de) Fermat, 1601-1665, was one of the last truly great amateur mathematicians. 

During the day he was a lawyer/councilor for his local parliament. At night he read famous 

math books and added his thoughts and comments to the margins. It took over 350 years 

before one of these notes, Fermat’s Last Theorem, was determined to actually be true. Another, 

Fermat’s Little Theorem (to differentiate it from the Last Theorem) is what interests 

us here.

12.1. FERMAT’S THEOREM 233 

Example: Since 13 is prime and doesn’t divide 5, we have (5 12 )%13 = 1. 

Similarly, 37 and 101 are primes, and they don’t divide 52 and 133, respectively, 

so (52 36 )%37 = 1, and (133 100 )%101 = 1. 

⋄ 

This is a beautiful, deep and powerful theorem. The beauty lies in its simplicity: 

Choose any prime number and any other number that is not a multiple 

of that prime. Then, the second number, when raised to the prime minus first 

power, will be one less than a multiple of the prime. In other words, the remainder 

upon division is always 1. No special conditions, no separate cases, just a 

1. 

OK, there is one condition: that p doesn’t divide the number. But if p 

does divide a, then a ≡ 0 (mod p) so a p−1 ≡ 0 (mod p). Thus, we perfectly 

understand a p−1 %p for all a’s: If a is a multiple of p then the answer is 0, 

otherwise it is 1. 

Since 1 ∗ a ≡ a (mod p) we may multiply a p−1 ≡ 1 by a to see that a p ≡ a 

(mod p) when a is not a multiple of p. And, since both sides of this equivalence 

are 0 when a is a multiple of p we have the following corollary: 

Corollary 1 If p is a prime number and a is any integer, then a p ≡ a (mod p). 

The depth of this theorem is what it tells us about arithmetic. One might 

think that raising integers to powers leads to somewhat arbitrary results. But 

Fermat’s Theorem says otherwise: raising to powers modulo a prime number 

produces a definite structure. 3 

The power of the theorem lies our application of it. Suppose we wish to 

compute 33 125 %41. Since 41 does not divide 33, by Fermat’s Theorem we 

know that 33 40 ≡ 1 (mod 41). So ( 33 40) 2 

≡ 1 2 ≡ 1 (mod 41) and, likewise, 

( ) 33 

40 3 

≡ 1 3 ≡ 1 (mod 41). Because 125 = 3 ∗ 40 + 5, we then have 

33 125 = 33 3∗40+5 = 33 3∗40 · 33 5 = ( 33 40) 3 

· 33 5 ≡ 1 3 · 33 5 ≡ 33 5 (mod 41). 

So 33 125 is the same as 33 5 modulo 41. Because 33 5 %41 = 32 is small enough to 

compute on a calculator, we conclude that 33 125 %41 = 32. Fermat’s Theorem 

has turned the seemingly impossible 33 125 (mod 41) into a calculation that is 

easy. 

Example: Compute 20 236 %59. 

Since 59 − 1 = 58 and 236 = 4 ∗ 58 + 4, we have 20 236 = 20 4∗58+4 = 

20 4∗58 · 20 4 = ( 20 58) 4 

· 20 4 ≡ 1 4 · 20 4 ≡ 20 4 ≡ 51 (mod 59). ⋄ 

3 In fact, it can be said that Fermat’s Little Theorem is the first important result in the 

subject of Abstract Algebra, a subject that, along with Analysis, constitutes most of modern 

mathematics.


In both of these examples the quotient played an insignificant role. What, 

then, of the old exponent remains The remainder. Both 125 and 236 were 

replaced by their remainder when divided by p − 1. But “replacing by the 

remainder” is just another way of saying that we are doing modular arithmetic! 

We can summarize this as the following: 

Theorem 4 Fermat’s Theorem Restated: If p is a prime number and p does 

not divide a, then a b ≡ a b′ (mod p), where b%(p − 1) = b ′ . 

Less formally, when doing powers modulo p, we may work on the exponent 

modulo p − 1. 

Examples: 

(1) Compute 6 191 %19. 

Since 19 doesn’t divide 6 we can use Fermat’s theorem. Since 191%18 = 

11, we know that 6 191 ≡ 6 11 (mod 19). This last is easily computed to be 

17, which is our answer. 

(2) Compute 12 360 (mod 17). 

17 doesn’t divide 12, and 360%16 = 8, so 12 360 ≡ 12 8 ≡ 15 (mod 17). So 

the answer is 15. 

(3) Compute 23 465 (mod 43). 

23 465 ≡ 23 3 ≡ 41 (mod 43). The answer is 41. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

12.2 Complication I: a small one 

The examples we’ve done were carefully chosen so that we ended up with a fairly 

small number raised to a fairly small number. What if the base was too large for 

a calculator to handle this computation For example, what if we wanted 233 125 

(mod 41) By Fermat’s Theorem this is the same as 233 5 (mod 41). But 233 5 

is still too large for most calculators. What can we do Easy: we are doing 

modular arithmetic, and 233%41 = 28. We then have the string of equivalences 

233 125 ≡ 233 5 ≡ 28 5 ≡ 3 (mod 41). 

We are now doing “double modular arithmetic”, modulo p on the base and 

modulo p − 1 on the exponent.

12.3. COMPLICATION II: A SUBSTANTIAL ONE 235 

Examples: 

(1) Compute 130 97 %31. 

First, 130%31 = 6. Next, 97%30 = 7. Putting them together we have 

130 97 ≡ 6 7 ≡ 6 (mod 31). The answer is 6. 

(2) Compute 220 136 %67. 

220%67 = 19 and 136%66 = 4. So 220 136 ≡ 19 4 ≡ 6 (mod 67). 

(3) Compute 5891 213 %53. 

5891%53 = 8 and 213%52 = 5. So 5891 212 ≡ 8 5 ≡ 14 (mod 53). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

12.3 Complication II: a substantial one 

The examples we have seen have been carefully chosen so that after (at most) 

two reductions we end up with a small base and small exponent. What if even 

after both of the reduction steps are taken the numbers are still too big 

Examples: 

(1) Compute 13 27 %37. 

13 is already reduced modulo 37, as is 27 modulo 36. But 13 27 has some 

38 digits in it, far too many to work with. 

Now what Clearly 27 = 16 + 8 + 2 + 1. So 13 27 = 13 16+8+2+1 = 

13 16 · 13 8 · 13 2 · 13. Several of these powers are small and computable but 

13 16 is too big. To find it we start with the smaller powers. 

Of course 13 ≡ 13 (mod 37) and 13 2 ≡ 21 (mod 37). 

Next, instead of directly computing 13 4 , we use that 13 4 

13 4 ≡ (13 2 ) 2 ≡ 21 2 ≡ 34 (mod 37). 

= (13 2 ) 2 , so 

Similarly, 13 8 ≡ (13 4 ) 2 ≡ 34 2 ≡ 9 (mod 37). Finally, 13 16 ≡ (13 8 ) 2 ≡ 

9 2 ≡ 7 (mod 37). 

The last step is to put it all together: 13 27 = 13 16 · 13 8 · 13 2 · 13 ≡ 

7 · 9 · 21 · 13 ≡ 31. So the final answer is 31.


(2) Compute 22 57 %61 (with fewer explanations). 

We have 57 = 32 + 16 + 8 + 1. Computing the powers, 

22 2 ≡ 15 (mod 61), 

22 4 = (22 2 ) 2 ≡ 15 2 ≡ 42 (mod 61), 

22 8 = (22 4 ) 2 ≡ (42) 2 ≡ 56 (mod 61), 

22 16 = (22 8 ) 2 ≡ (56) 2 ≡ 25 (mod 61), and 

22 32 = (22 16 ) 2 ≡ (25) 2 ≡ 15 (mod 61). 

Using the powers that we need gives 

22 57 = 22 32 · 22 16 · 22 8 · 22 ≡ 15 · 25 · 56 · 22 ≡ 47 (mod 61). 

Therefore 22 57 %61 = 47. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

In each of these examples we broke down the exponent into a sum of power 

of 2. 4 To make this process easier we need to find a way of determining which 

powers of 2 are needed. A simple on is as follows. At each step divide by 2. If 

this division has a remainder (the quotient has a .5 as a decimal) then indicate 

this with a 1, otherwise indicate this with a 0. Then repeat starting with the 

integer part of the quotient. End when the final quotient is .5, as it has no 

integer part to continue with. 

Examples: Find the needed powers for an exponent of 27 and 57. 

(1) For 27: 

exponent quotient remainder power of 2 

27 ÷2 = 13.5 1 1 

13 ÷2 = 6.5 1 2 

6 ÷2 = 3 0 4 

3 ÷2 = 1.5 1 8 

1 ÷2 = .5 1 16 

So 27 as a 16, 8, 2 and 1 in it (that is 27 = 16 + 8 + 2 + 1). 

4 Why 2 and not, say, 3 Because every number can be expressed as a sum of powers of 2, 

allowing us to compute 22 57 %61 by performing simply a number of squarings. If we had used 

3 instead we would have needed to write 57 = 2 · 27 + 3, a sum of multiples of powers of 3. 

Using 2 means we don’t need multiples, which makes the calculations a bit easier.

12.3. COMPLICATION II: A SUBSTANTIAL ONE 237 

(2) For 57: 

So 57 = 32 + 16 + 8 = +1. 

remainder power of 2 

57 ÷2 = 28.5 1 1 

28 ÷2 = 14 0 2 

14 ÷2 = 7 0 4 

7 ÷2 = 3.5 1 8 

3 ÷2 = 1.5 1 16 

1 ÷2 = .5 1 32 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

In fact, every positive integer can be written as a sum of the powers of 2: 1, 

2, 4, 8, ..., using each power at most once. This is the binary expansion of 

the number, and the process we have just described finds this expansion. 

We can use the two processes, squaring using the powers of two, and the 

binary expansion process, together. 

Example: Find the binary expansion of 159. Use it to compute 23 159 %171. 

159 ÷ 2 = 79.5 1 1 

79 ÷ 2 = 39.54 1 2 

39 ÷ 2 = 19.5 1 4 

19 ÷ 2 = 9.5 1 8 

9 ÷ 2 = 4.5 1 16 

4 ÷ 2 = 2 0 32 

2 ÷ 2 = 1 0 64 

1 ÷ 2 = .5 1 128 

Thus 159 = 128 + 16 + 8 + 4 + 2 + 1. Next, compute the required powers of 23: 

23 ≡ 23 (mod 171), 

23 2 = 23 2 ≡ 16 (mod 171), 

23 4 = (23 2 ) 2 ≡ (16) 2 ≡ 85 (mod 171), 

23 8 = (23 4 ) 2 ≡ (85) 2 ≡ 43 (mod 171), 

23 16 = (23 8 ) 2 ≡ (43) 2 ≡ 139 (mod 171), 

23 32 = (23 16 ) 2 ≡ (139) 2 ≡ 169 (mod 171), 

23 64 = (23 32 ) 2 ≡ (169) 2 ≡ 4 (mod 171), and 

23 128 = (23 64 ) 2 ≡ (4) 2 ≡ 16 (mod 171). 

Using the powers that we need gives 

23 159 = 23 128 · 23 16 · 23 8 · 23 4 · 23 2 · 23 ≡ 16 · 43 · 85 · 16 · 23 ≡ 163 (mod 171). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄


Neither of these processes is very hard, but each is a bit time-consuming, 

especially because there are several things we wrote again and again, like ÷2 

and (mod 171). Fortunately, we can combine the two steps and cut out much 

of the unnecessary writing. As a first example we redo the previous one. 


exponent quotient remainder power of 2 modulo 171 

159 ÷2 79.5 1 1 23 ≡ 23 

79 ÷2 39.54 1 2 23 2 ≡ 16 

39 ÷2 19.5 1 4 16 2 ≡ 85 

19 ÷2 9.5 1 8 85 2 ≡ 43 

9 ÷2 4.5 1 16 43 2 ≡ 139 

4 ÷2 2 0 32 139 2 ≡ 169 

2 ÷2 1 0 64 169 2 ≡ 4 

1 ÷2 .5 1 128 4 2 ≡ 16 

Thus 23 159 ≡ 16 · 43 · 85 · 16 · 23 ≡ 163 (mod 171). 

⋄ 

From now on we will abbreviate by not writing the “÷2 =” or “power” 

columns. 5 


First, 45 < 79 and 61 < 70 so the base and the power are already reduced. 

Since 45 61 is far too big we must build we will call the binary chart. 

exponent quotient remainder mod 79 

61 30.5 1 45 ≡ 45 

30 15 0 45 2 ≡ 50 

15 7.5 1 50 2 ≡ 51 

7 3.5 1 51 2 ≡ 73 

3 1.5 1 73 3 ≡ 36 

1 .5 1 36 2 ≡ 32 

Thus 45 61 ≡ 45 · 51 · 73 · 36 · 32 ≡ 2 (mod 79). 

⋄ 

12.4 Complication III: a mini one 

The computation we just did, 45 · 51 · 73 · 36 · 32 ≡ 2 (mod 79), almost is too 

much for many calculators. It certainly can happen that the final computation’s 

product is too big. Then what If there are too many factors, or if they are too 

5 In fact, one of the interesting results of this method is that we don’t need to explicitly 

find the proper powers of 2.

12.5. COMPLICATION IV: THE LAST ONE 239 

large to multiply together all at once, simply group them into a families of two 

or three, multiply and reduce them, and then multiply and reduce the results. 

Example: Compute 372 · 361 · 19 · 281 · 107 · 81 · 239 · 301 (mod 401) 

372 · 361 · 19 · 281 · 107 · 81 · 239 · 301 (mod 401) 

≡ (372 · 361 · 19) · (281 · 107 · 81) · (239 · 301) (mod 401) 

≡ 386 · 154 · 160 (mod 401) 

≡ 122 (mod 401). 

⋄ 

12.5 Complication IV: the last one 

The reason we are interested in computations like 133 172 %323 in the first place 

is that they form the heart of the most popular public key cryptography system 

in use today. The final complication is that the computations in this system 

are not of the form a b %p, where p is prime, but like a b %pq, where p and q are 

different primes. How does the change from a prime as the modulus to two 

prime affect what we’ve done so far 

We know that 12 6 ≡ 1 (mod 7) and 12 10 ≡ 1 (mod 11). How should we 

complete 12 □ ≡ 1 (mod 77) It turns out this is equivalent 6 to finding a value 

k so that 12 k ≡ 1 (mod 7) and 12 k ≡ 1 (mod 11). From Fermat’s theorem 

12 6 ≡ 1 (mod 7) and 12 10 ≡ 1 (mod 11). In fact, any exponent that is a 

multiple of 6 or 10, respectively, produces the same result: 12 6n ≡ ( 12 6) n 

≡ 

1 n ≡ 1 (mod 7) and 12 10m ≡ ( 12 10) m 

≡ 1 m ≡ 1 (mod 11). The simplest such 

multiple 7 is the product, (7 − 1)(11 − 1) = 60 in this case. So 12 60 ≡ 1 (mod 7) 

and 12 60 ≡ 1 (mod 11), hence 12 60 ≡ 1 (mod 77). 

Now there is nothing special about 7 and 11. If p and q are distinct prime 

numbers, neither of which divides a, then a k ≡ 1 (mod p) and a k ≡ 1 (mod q) 

whenever k is a multiple of both p − 1 and q − 1. In particular, this is true when 

k = (p − 1)(q − 1). This gives us 

6 From Theorem 1 way back in Chapter 3, a ≡ b (mod pq) is the same as pq dividing a − b. 

But when p and q are relatively prime, this needs both p and q to divide a − b. That is, a ≡ b 

modulo both p and q. 

7 The smallest such multiple is the least common multiple, which we recall from Section 

8.4. For simplicity we will use the product.


Theorem 5 Euler’s Theorem 8 (1760): If p and q are two distinct primes and 

neither one of them divides a, then 

a (p−1)(q−1) ≡ 1 

(mod pq). 

Leonard Euler (1707–1783) is history’s most prolific mathematician. Except 

for 1741–1766 when he was at the Royal Academy in Berlin, from 1727 until his 

death Euler lived in St. Petersburg and worked at the Imperial Academy there. 

His contributed to most fields of mathematics, in particular geometry, calculus 

and number theory, as well as to physics, especially acoustics, hydraulics and 

the theory of light. As if more is needed, he became blind in 1766 at age 

59 but, despite this, continued his work on optics, algebra and lunar motion, 

producing almost half of his total works while blind. Euler wrote over 700 books 

and papers, piling new papers atop older ones. The Imperial Academy, which 

published the papers, published the top ones first, cause later, more advanced 

results to appear before the ones they superseded or depended upon! 

Examples: Of Euler’s Theorem. 

(1) 12 60 ≡ 1 (mod 77), since 77 = 11 · 7 and (11 − 1)(7 − 1) = 60. 

(2) 19 252 ≡ 1 (mod 301), since 301 = 43 · 7 and (43 − 1)(7 − 1) = 252. 

(3) 23 24 ≡ 1 (mod 35) and 49 64 ≡ 1 (mod 85). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

Where will these theorems affect our work Only in one place. The only 

times we’ve used “p − 1” so far is when doing modular arithmetic on the exponent. 

So when the modulus is the produce of two prime pq, then we must 

simply be careful to consider the exponent modulo (p − 1)(q − 1). 

Examples: 

(1) Compute 17 1803 %671. 

671 factors as 61 · 11. Since (61 − 1, 11 − 1) = 600, we must reduce 1803 

modulo 600. Since this is 3, we have 17 1803 ≡ 7 3 ≡ 35 (mod 77). 

(2) Compute 25 448 %253. 

253 = 11 · 23, and 10 · 22 = 220. 448%220 = 8, so 25 448 ≡ 25 8 ≡ 49 

(mod 253). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

8 Euler actually proved his theorem for any modulus, rather than for the much simpler case 

were are concerned with here. In general it takes the form a φ(n) ≡ 1 (mod n), where φ(n) is 

an easily computed value. This φ is called “Euler’s phi function” and is not to be confused 

with Friedman’s Φ.

12.6. PUTTING IT ALL TOGETHER 241 

12.6 Putting It All Together 

We summarize the steps we’ve taken and then do one final example. 

To compute a b (mod p) or a b (mod pq). 

1. Reduce the base a either modulo p or modulo pq. 

2. Reduce the exponent b either modulo p − 1 or modulo (p − 1)(q − 1). 

3. If the numbers involved are still too large for your calculator, build 

and complete the binary chart modulo p or modulo pq. 

4. If the final product contains too many or too large of numbers, groups 

them, multiply and reduce the groups, then multiply and reduce again 

to get the final answer. 

Example: Compute 1971 1149 %391. Hint: 391 = 17 · 23. 

(1) Reduce the base: 1971%391 = 20. 

(2) Reduce the exponent: (17 − 1)(23 − 1) = 352. 1149%352 = 93. 

(3) The binary chart: 

93 46.5 1 20 ≡ 20 

46 23 0 20 2 ≡ 9 

23 11.5 1 9 2 ≡ 81 

11 5.5 1 81 2 ≡ 305 

5 2.5 1 305 2 ≡ 358 

2 1 0 358 2 ≡ 307 

1 .5 1 307 2 ≡ 18 

(4) Group and multiply: 1971 1149 ≡ (20·81·305)·(358·18) ≡ 148 (mod 391). 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ 

12.7 Exponential Problems (and answers) 

At the beginning this chapter we hinted at a new cryptosystem, one based on 

taking the power of the message. To use it we would choose as key an integer e 

and encipher our message m as m e (mod 26). There were, however, a number 

of difficulties with this idea. First, there was the question of decryption: what 

reverses raising to the e-th power in modular arithmetic Second, to prevent 

a possible enemy from simply trying all possible exponents we need to be able 

to choose arbitrarily large e’s. Finally, it is possible for this system to encipher 

different letters to the same cipherletter (both d and f become L if e = 3), 

making deciphering rather problematic.


Perhaps not surprisingly, given the last several sections, the solution to all 

three of these difficulties will come from the same modification: instead of working 

modulo 26 we will work modulo P Q, where P and Q are two (large) primes. 

From Euler’s generalization of Fermat’s Theorem, we know that a (P −1)(Q−1) ≡ 1 

(mod P Q) whenever neither P nor Q divides a. So if we cleverly pick d (using 

the Euclidean Algorithm) to be the solution to ed ≡ 1 (mod (P − 1)(Q − 1)), 

then we have 

( 

a 

e ) d 

≡ a ed ≡ a (mod P Q). 

That is, raising to the d-th power will reverse the effect of raising the e-th 

power. 9 We will be able to decipher messages. 

Further, having two letters that become the same when enciphered will be 

impossible: if m e ≡ n e (mod P Q), then 

m ≡ m ed ≡ (m e ) d ≡ (n e ) d ≡ n ed ≡ n 

(mod P Q). 

So two letters (or messages) that are enciphered to the same letter (or message) 

were actually the same to start. That is, different letters are enciphered 

differently. 

Finally, there is the question of choices of e and d: are there enough so that 

our supposed enemy cannot stumble upon d simply by trying all the possibilities. 

Notice first that different choices of e can lead to the same actual encryption. 

We pointed this out in the case of prime moduli: if e ≡ e ′ (mod P − 1) then 

m e ≡ m e′ (mod P ). The same is true modulo (P − 1)(Q − 1): if if e ≡ e ′ 

(mod (P − 1)(Q − 1)) then m e ≡ m e′ (mod P Q). So it doesn’t actually add 

more choices to allow e and d to be larger than (P − 1)(Q − 1), and so there 

are at most (P − 1)(Q − 1) different choices for e and d. To provide for a large 

number of choices for e, then, we will use very large P ’s and Q’s. 

12.8 RSA 

The RSA 10 crypto-system was invented by Ronald L. Rivest, Adi Shamir and 

Leonard Adelman in 1977. We have given the basics of the system. The 

only thing left to add is that if we are going to work modulo a large modulus, 

there is no need to encipher one letter at a time. We can instead use this as a 

polygraphic cipher. 

9 This statement is the “trick” behind the cipher system we are about to explain. Make 

sure you understand it, looking back at Theorems 12.1 and , if necessary. 

10 U.S. Patent No. 4, 405, 829, September 20, 1983, expired on September 20, 2000.

12.8. RSA 243 

The RSA Algorithm 

Setup: 

Pick two prime numbers P and Q, and let N = P Q. 

Choose e so that 1 < e < (P − 1)(Q − 1) with gcd ( e, (P − 1)(Q − 1) ) = 1. 

Find d such that ed ≡ 1 (mod (P −1)(Q−1)) via the Euclidean Algorithm. 

To encipher: 

Split the message into segments M each of which is smaller than N. 

Compute and send the numbers M e %N. 

To decipher: 

To decipher a message block E, compute E d %N. 

Before we do examples there are a couple comments we need to make. Notice 

that when converting the plaintext into numbers we need to translate letters 

like a into 01 rather than simply 1. This way we can tell concatenations like 

11 12 

sab = 190102 and sl = 1912 apart. 

Next, people tend to pick P and Q to be massively large primes, one having 

300 digits or a bit less, and one having 300 digits or a bit more. This makes 

N = P · Q to be about 600 digits long. It’s certainly not any trouble for a 

computer to store a 600 digit number (in a text file this is only about eight lines 

of numbers). Conversely, it is quite common choose P and Q so that 3 does not 

divide either P − 1 or Q − 1, and then simply use e = 3 for enciphering. 13 

Finally, the RSA code seems quite difficult to break (for reasons we will see 

in a moment) as long as P and Q are this large. However, RSA is very slow 

compared to the popular private key codes available today. So most messages 

are sent in two parts. The first part of the message would say something like 

“Use DES with key key” and be enciphered using RSA, while the second part, 

the much longer portion, would contain the actual message enciphered using 

DES with the key sent in part one. 

Examples: 

(1) Use P = 19, Q = 13, e = 23. 

1. Encipher code as a monographic cipher (i.e., one letter at a time). 

First N = P ·Q = 247. Then, performing the necessary computations 

(but not writing the details, such as the binary charts), we have 

11 This translation means that the largest two-letter block is 2626, the largest three-letter 

block is 262626, etc. We need to make sure to pick N so it is larger than the largest block in 

whatever block size we pick. 

12 There are more compact ways to translate letter blocks into numbers. For example, 

setting z=0 rather than 26, and then using (p1, p2) → 26 ∗ p1 + p2 for two-letter blocks and 

(p1, p2, p3) → 676 ∗ p1 + 26 ∗ p2 + p3 for three-letter blocks provides for more compact usage. 

But we will stick with concatenation. 

13 2 16 + 1 is another popular choice for e, due to its simple binary expansion.


c = 3 → 3 23 %247 = 243. 

o = 15 → 15 23 %247 = 59. 

d = 4 → 4 23 %247 = 36. 

e = 5 → 5 23 %247 = 47. 

So code is send as 243, 59, 36, 47. 

2. Decipher 47, 123, 61, 59. 

To decipher we must find d. First, (P −1)(Q−1) = 18·12 = 216, and 

then from the Euclidean algorithm d = 47 is the solution 23x ≡ 1 

(mod 216). Then 

47 → 47 47 %247 = e → e. 

123 → 123 47 %247 = 24 → x. 

61 → 61 47 %247 = 16 → p. 

59 → 59 47 %247 = 15 → o. 

So the deciphered message is expo. 

(2) Use N = 2747 and e = 19 to encipher exponentiation in two-letter pairs. 

ex = 0524 → 0514 19 %2747 = 1567. 

po = 1615 → 1615 19 %2747 = 1084. 

ne = 1405 → 1405 19 %2747 = 1461. 

nt = 1420 → 1420 19 %2747 = 1323. 

ia = 0901 → 901 19 %2747 = 901. 

ti = 2009 → 2009 19 %2747 = 2009. 

on = 1514 → 2009 19 %2747 = 1818. 

So 1567, 1084, 1461, 1323, 901, 2009, 1818 is the ciphertext. 

(3) Use that 2747 = 67 · 41 to to decipher 1032, 1469, 1821, 1551, 2020 

into two-letter pairs. 

After finding (P − 1)(Q − 1) = 2640 and d = 139, we decipher: 

The answer is superpower. 

1032 → 1032 139 %2747 = 1921 → su. 

1469 → 1469 139 %2747 = 1605 → pe. 

1821 → 1821 139 %2747 = 1816 → rp. 

1551 → 1551 139 %2747 = 1523 → ow. 

2020 → 2020 139 %2747 = 518 → er. 

⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄ ⋄

12.9. RSA AND PUBLIC KEYS 245 

There are at least two interesting things about these examples. First, because 

of the choice of small numbers for P and Q in Example (1), the RSA 

cipher became a complicated mono-graphic cipher. Frequency analysis of the 

type we practiced in Chapter 6 would easily break this cipher. However, by 

choosing P and Q so that N was larger than 2626 in Examples (2) and (3) we 

used RSA as a digraphic cipher. And if we had chosen P = 487, Q = 541 then 

N = 263467 would have let us use RSA as trigraphic cipher. 

The second thing was how encryption and decryption, while very similar 

processes, involve very different amounts of knowledge. To encipher we only 

need to know e and N, for the only thing we must do is to compute M e %N. In 

particular, we do not need either P or Q. To decipher, however, we do need to 

know P and Q, because to find d we must use (P −1)(Q−1). The application of 

this differential knowledge is what allows RSA to be public key cipher system. 

12.9 RSA and Public Keys 

The information needed to use any particular RSA cipher is very different for 

the encryptor than it is for the decryptor. To encipher a message one only 

needs the power e and the modulus N. The values of d and (P − 1)(Q − 1) 

are unnecessary. When deciphering we need N, but also need d, and need e 

and (P − 1)(Q − 1) to determine d. That is, the decipherer needs P and Q to 

determine d. 

This allows RSA to be used as a public key code. Alice chooses the two 

primes P and Q and computes their product N. Then she chooses e and uses 

P and Q to compute d. Alice then makes public the values N and e. Since 

all that is needed to encipher a message is e and N, anyone can send Alice a 

message using her system. 

Alice Anderson 

Phone: 1-800-CALL-ALC 

Email: alice a○mymail.com 

I use RSA. My public keys are 

e = 17 and N = 549992441. 

Conversely, Alice keeps P , Q, (P − 1)(Q − 1) and d all secret. Since she 

knows d she can decipher any message sent to her. 14 

12.10 How to break RSA 

Suppose we capture an enciphered message E that is intended for our enemy. 

How can we read the message 

14 Since to decipher she only need to raise to the d-th power modulo N, she should throw P , 

Q and (P − 1)(Q − 1) away, erase them from any computers they are on and burn any papers 

they are written on.


First, what about our old standby – frequency analysis If N consists of 

around 600 decimal digits, then our ciphertext segments will also be about 600 

digits long. How many possible 600 digit segments are there Lots: 10 600 . 

Recall that a traditional estimate for the number of elementary particles in the 

universe is 10 80 . So even if we wanted to perform frequency analysis, there 

wouldn’t be enough room in the universe to write down our frequency count! 

So we must try another method to break a message. As usual, once we have 

tried the brute force method of frequency analysis, we then turn to the specifics 

of the system itself. Again, how to decrypt an RSA-enciphered message 

Well, we can look up our enemy’s e and N, since these are public information. 

We want M, the true message, we know the value of N and we know that 

E d %N = M. The only thing we don’t know is d. So we only need to discover 

d. 

Well, we know that e and d are chosen so that e·d ≡ 1 (mod (P −1)(Q−1)), 

and we know e. The only thing we don’t have is (P − 1)(Q − 1). So we only 

need to discover (P − 1)(Q − 1). 

Well, we know N, and we know that P · Q = N. Also, 

(P − 1)(Q − 1) = P · Q − P − Q + 1 = N − P − Q + 1. 

We know the N and 1 parts of this, but don’t know the P or Q. So we only 

need to discover P or Q. 

Well, N/P = Q and N/Q = P , so if we know either P or Q then we know 

the other and so know them both. But N has only two factors, P and Q. So 

we only need to factor N. 

Thus the entire security of the RSA system apparently comes down to the 

ease or difficulty of factoring N. If we can factor N we can easily decrypt any 

message enciphered modulo N. And the chain of “well”s above is meant to 

convince you that factor N is the only way to break RSA. 15 How hard can this 

be After all, we all spent several weeks in 5th or 7th grade talking about primes 

and factors and breaking down numbers into their prime factors. So why can’t 

smart people using fast machines just factor N In fact, why not just set up 

a really fast computer and do the obvious thing: see if 2 divides N, then see 

if 3 divides N, then see if 5 divides N, and so on, working your way along the 

primes until you find either P or Q 

Remember that N is about 600 digits long. An important theorem, called, 

logically enough, the Prime Number Theorem, says that less that N there are 

about N/ ln(N) primes. That means that to find up to P or Q, which means 

checking up to about 10 300 , we must check about 10 300 / ln(10 300 ) ≈ 10 298 

primes. But, again, there are only 10 80 particles in the whole universe! Imagine 

that I said I hid one specially marked atom somewhere in the universe and you 

15 Of course there are other ways to break any particular RSA system. Perhaps our enemy 

will make some grievous mistake in enciphering, like leaving part of the message unenciphered. 

Or will allow us to time his/her computer while it is deciphering as many messages as we wish. 

But, for most practical purposes, the security of RSA comes down to the factoring problem.

12.10. HOW TO BREAK RSA 247 

had to find it. This task is almost infinitely easier than the factoring N using a 

brute force factoring method! 

OK, perhaps you say that we know that none of the small prime numbers 

divide N, so let’s not waste our time with those. In fact, let’s only check the 

primes that have between 299 and 301 digits. This can’t be so many, right 

Well, the Prime Number Theorem, again, tells us there are 

10 301 / ln(10 301 ) − 10 299 / ln(10 299 ) > 10 298 

primes in this region. We haven’t eliminated too many! 16 

OK, perhaps you will argue that somebody will someday figure out how to 

factor such big numbers. Really, it is a very simple idea: just factor the darned 

thing. There are indeed many many people working on exactly this question, 

developing fancy methods with exotic names like “Pollard’s ρ-method” and the 

“Number Field Sieve”, and these method have been shown to have the ability 

to factor numbers of up to 155 digits. 17 So it is possible that in the future 18 

people will be able to quickly factor 600 digit numbers. I guess our hope is that 

by then whatever messages we send today will be so outdated that no one will 

care to go back and break them. And by then we will have switched so that P 

and Q are about 300 digits each. 

The final “OK”. OK, perhaps you will say but isn’t there this thing called 

the “National Security Agency” and isn’t the US government spending billions 

of dollars to fund them every year to do cryptographic work for the FBI and 

CIA and weren’t they smart enough to break the Russians one-time pads when 

the Russians didn’t use them properly and don’t they hire many many really 

smart mathematicians that they swear to secrecy Might not they have figured 

out a way to break RSA ciphers and not be telling us Huh Hey smart guy, 

what’s your answer to this And I’d have to answer, “dunno”. Maybe they 

have. No one seems to have any real evidence that they did, but we just don’t 

know since they aren’t telling. 

The upshot is that, outside of possibly the NSA (or its equivalents in other 

countries), as far as I know no one is currently able to break a carefully constructed 

and properly used RSA cipher in any reasonable amount of time. This 

is an area of much research in mathematics, so I’m making no promises about 

the future. But for the time being a well-constructed RSA system appears to 

be quite secure. 

16 In fact, intuitively this makes sense. $10, 000 is a lot of money, but removing that much 

from $1, 000, 000 still leaves a whole lot left over. Those two extra 0’s are a big deal! 

17 See the rsasecurity.com homepage. 

18 Two big shots in the field, Arjen Lenstra and Eric Verheul, have guessed that in another 

5 or so years (2009) it will be possible to build a computer that can break a 1024-bit RSA 

key in about a day for $250 million. The National Institute of Standards and Technology 

recommends that to protect information until 2015 one should use primes of roughly 300 

digits.


12.11 Authenticity – Proof of Authorship 

An important disadvantage of all private key cipher systems is that they do 

nothing to help solve the key management problem. How can we secretly exchange 

secret keys with people we’ve never met And how can we keep all these 

secret keys straight, let alone secret As we have discussed, a Public Key cipher 

takes care of these difficulties. To send someone a private message we don’t 

have to know them, or have met them, or have agreed on a key or a method. 

We just look up and use their RSA information from their Internet site. 

This leads to a problem: If anyone can send you a message, there is no direct 

way of knowing who sent you that message! It means little for an email to be 

signed “Bob” as anyone can type B-o-b. How can we be sure that the person 

whose name is at the bottom of the message really sent it With the knapsack 

ciphers this is a fairly difficult problem to overcome but with the RSA it’s easy. 

As usual, we’ll refer to the two parties exchanging messages as Alice and 

Bob. We will use a subscript A to denote “Alice’s”, so N A is the value of N in 

Alice’s system. Similarly, e B is the enciphering exponent in Bob’s system. Alice 

knows her d A but no one else does. Similarly only Bob knows d B . However, 

they both know e A , N A , e B and N B . When Alice sends a message to Bob she 

wants to make sure that only he can decipher it, and that he knows it is actually 

from her. So she writes her message M and then computes 

( 

M d A 

%N A 

) eB 

%N B , if N A < N B , 

or ( 

M e B 

%N B 

) dA 

%N A , if N B < N A , 

and sends this ciphertext to Bob. (Unfortunately, while ( ) 

M d eB 

( ) 

A and M 

e dA B 

are equal, they may not be equivalent, that is, when working modulo N A and 

N B the order of the moduli matters.) 

Bob needs to be similarly careful when deciphering. If N A < N B , he undoes 

the e B exponentiation (using d B ) and then undoes the d A exponentiation (with 

e A ). When N A > N B , the order must be reversed. 

This is quite clever, and so let’s take a moment to see what each party now 

knows. Bob receives a ciphertext supposedly from Alice. Since he can look 

up her modulus N A he knows which order to apply d B and e A to decipher 

the message. So he can read it. Further, since only he knows d B , Bob is the 

only person that can decipher this message. Finally, since applying e A led to a 

readable message, d A must have been applied to the plaintext, and since Alice 

is the only person that knows d A , it really must have been her that sent the 

message. Alice can come to quite similar conclusions: Bob is the only person 

who can read the message she sent, and she knows he will know it was she who 

sent it. (Make sure you understand why she knows these things.) Finally, Ed 

the Adversary, even though he knows all of Alice and Bob’s public information,

12.12. SUMMARY 249 

cannot read the message; in fact, he cannot even determine if it is actually from 

Alice! 

This process is called sending a digital signature. In fact, it is a bit like a 

person’s signature in that your signature is something that you can easily make 

and that anyone can compare with others of yours to convince themselves that 

you are you, but it is something that is hard for other people to fake. Similarly, 

it is easy for Alice to compute the number (Alice) d A 

after which anyone else 

can compute ( (Alice) A) d eA 

to convince themselves she is really who she says 

she is. 19 

Example: We receive 277763, 165924, 169282 from someone who claims 

to be David. We know that N David = 273487 and e David = 3. Our values are 

N = 279827, e = 297 and d = 4757. Did this message come from him and what 

did it say 

First, since N David = 273487 < 279827, if it was David who sent this message 

he would first have computed E = M d D 

%N D and sent us E e %N. So we must 

first compute E d %N, and then raise this to the e D modulo N D . 

Raising the message to the d = 47577-th power modulo 279827 produces 

198427, 240953, 178426. Raising these numbers to the e D = 3-rd power 

modulo N D = 273487 gives 23, 5, 5, 11, 5, 14, 4 or weekend. This message 

makes sense, so yes, David actually send the message. 

⋄ 

With the idea of digital signatures understood we should modify one of our 

earlier sections. When one is using the RSA one really sends a message in 

several parts. Part 1 is a quick note saying who you are and what private key 

method and what key you will use to encipher part 2 of the message. Part 1 is 

double enciphered using your d and your recipient’s e as just indicated, which 

both keeps it secure and proves you sent it. Part 2 is the true message and is 

enciphered using the method and key you just indicated. Finally, Part 0 is a 

cover letter saying who you are and where you are sending the message. 

12.12 Summary 

After trying addition (Caesar Ciphers) and multiplication (Decimation Ciphers), 

it is natural to try exponentiation to create a cipher system, and RSA is exactly 

that. It enciphers messages by raising them to a power modulo the product of 

19 There is a subtlety here. If Alice simply sends Alice d A as her signature for each of her 

messages, Ed can steal this number and pretend to be her. 

In practice, Alice would apply a hash function to the message, producing a very short 

version of it, and it is this that she “signs.” Since Bob can apply the same hash function to 

the un-deciphered message, he can compare these “digital fingerprints” to see if they are the 

same, and will then know if it was indeed Alice who sent the message. 

For our purposes, you can instead think that Alice uses as her name Alice coupled with 

some nulls that change from message to message – xAliceet or mnAliceW.


two large primes. Euler’s Theorem allows us to decipher messages by raising 

the ciphertext to a power modulo the same product. The deciphering power 

is the multiplicative inverse of the enciphering power modulo a number easily 

computed from the two original primes. 

When dealing with large primes, and here large means approximately 300 

digits each, exponentiation must be done carefully so that the size of the numbers 

does not overwhelm the computer or calculator being used. In general, 

to compute the value (a b )%n, where a, b and n could all be sizable values and 

n is either prime or the product of two primes, first reduce a modulo n, then 

reduce b modulo n − 1 (if n is prime) or modulo (p − 1)(q − 1) (if n = pq is a 

product of primes). Next, a “binary chart” is used to simultaneously write the 

remainder of b in binary and compute the powers of the remainder of a. Finally, 

the necessary powers of the remainder of a are combined to produce the final 

value. 

The RSA system has become the world’s most widely-known Public Key 

cryptosystem. The private information is the deciphering key and the two 

primes, and the public information is the product of the primes and the enciphering 

exponent. RSA also provides for digital signatures, a method by which 

the sender can prove their identity. Although RSA is slow when compared with 

popular private key systems, it pairs easily with any such system: encipher your 

message with a private key system, encipher the key with RSA and then send 

the enciphered key and the ciphertext as a two-part message. 

Outside of poor uses of the system (e.g., a bad choice of parameters), which 

are generally easy to avoid, the RSA system seems very difficult to break. Its 

security seems to depend on the difficulty of factoring the product of the two 

large primes. While factoring has been studied for many, many years, there no 

publicly-known general method that will factor the product of two well-chosen 

primes in any realistically small amount of time. So, for the time being at least, 

RSA is one of the most secure ciphersystems known. 


1. What is Fermat’s Theorem How to use it Under what conditions does 

it apply 

2. Is raising a number to a large power modulo a prime ever the same as 

raising that same number to a smaller power modulo the same prime 

Explain. 

3. What is “double modular arithmetic” 

4. If I have a large number raised to a large number that I want to reduce 

modulo a smaller prime, how do I go about making this problem more 

manageable 

5. What is the binary expansion of a number How to find it


6. What is a “binary chart” How is it used 

7. Outline the steps involved in computing a b %p, where p is a prime number 

and a and b both might be quite large. 

8. What is Euler’s Theorem How does it differ from Fermat’s Theorem 

9. Outline the steps involved in computing a b %n, where n = pq is the product 

of two prime numbers and a and b both might be quite large. 

10. Explain the basics of the RSA algorithm. 

11. Can RSA be used as a polyalphabetic cipher How When 

12. Is RSA a public key system What is public What is private 

13. What is involved in breaking the RSA system What knowledge must the 

enemy obtain to break an RSA-enciphered message 

14. What size of numbers are used in an RSA system Why does size matter 

15. How can the author of a message sign the message How does the recipient 

of a message become convinced the author is who he/she says he/she is 


1. Find the following numbers. The numbers in the modulus are all primes. 

(a) 340 187 (mod 37). 

(b) 19 195 (mod 5 · 17). 

(c) 541 330 (mod 7 · 19). 

(d) 184 144 (mod 59). 

(e) 24 67 (mod 5 · 23). 

(f) 5404 2203 (mod 29 · 37). 

2. Encipher large in one-letter blocks using P = 7, Q = 19 and e = 5. 

3. Decipher 1108, 494 if it was enciphered with parameters P = 31, Q = 41 

and e = 7. 

4. Using the parameters P = 31, Q = 13, e = 7: 

(a) Encipher primes in one-letter pieces. 

(b) Compute d and decipher 391, 135, 208, 128, 346, 164. 

5. Using the parameters P = 71, Q = 37, and e = 13: 

(a) Encipher arithmetic in two-letter segments.


(b) Compute d and decipher 2024, 1553, 469, 299. 

6. Decipher 498, 1, 280, 248, 143, 37, if the RSA system used P = 19, 

Q = 29 and e = 13. 

7. Encipher composite in three-letter blocks using the parameters P = 1223, 

Q = 563 and e = 23. 

8. (a) [RSA] The “Small Example” given in the original description of RSA 

uses p = 27, q = 59 and d = 157. (This paper chooses d first and 

then computes e.) Compute e. 

(b) Using the usual translation of letters to two-digit numbers, with 00 

representing a space, translate Its all greek to me into numbers. 

(c) Encipher the message. 

9. [Hellman] In his Scientific American paper about Knapsack Ciphers and 

RSA, Hellman uses the letter-to-number translation in which a to z are 0 

to 25, A to Z are 26 to 51, a space is represented by 62, and is 66. 

(a) Hellman’s example message is How are you What is the numerical 

equivalent 

(b) Use e = 11 and N = 11023 to encipher the message in two-letter 

pairs. (Hellman called these E and n.) Hint: 73 divides 11023. 

(c) Find the deciphering exponent. 

10. In the following examples, the sender has tried to prove his identity by 

signing the message, as described in the text. Decipher the message. 

(a) The message is 54, 135, 112, 112. It is to Andy (parameters P = 

17, Q = 11, e = 7) from Bridget (parameters P = 19, Q = 13, 

e = 5). 

(b) The message is 14756, 9105, 191. It is to Alice (parameters P = 

137, Q = 191, e = 7) from Bob (parameters P = 173, Q = 127, 

e = 5). 

11. We started the chapter by considering raising a message to the 3rd power. 

That is translating letters to numbers and raising each number to the 3rd 

power modulo 26. Why didn’t we instead raise 3 to the letter’s power 

So, for example, e would encipher to 3 5 = 243 ≡ 9 (mod 26) = I. Would 

this method produce a good cipher (Hint: encipher a couple of words 

and study the outcome.) 

12. Your RSA parameters are P = 67, Q = 97, e = 59 and d = 179. One day 

you receive the message 

5689, 3415, 347.


Bob is going to be sending you the name of a new business contact. But 

so is Carley. If Bob’s RSA parameters are N = 7979 and e = 47 and 

Carley’s are N = 3569 and e = 53, who sent the message and what does 

it say 

13. The statement of Euler’s Theorem begins “If p and q are two distinct 

primes.” Why is the distinctness needed In other words, what happens 

if p = q 

14. By some amazing coincidence Alice and Bob independently chose the same 

primes P and Q when making their RSA parameters. Fortunately they 

chose different encryption and decryption keys e A and e B . Show that 

given the ciphertexts C A = (M e A 

)%N and C B = (M e B 

)%N if e A and e B 

are relatively prime then M can be recovered. 

15. Show that P +Q = N −(P −1)(Q−1)+1 and P −Q = √ (P + Q) 2 − 4N. 

Thus by adding or subtracting P and Q can be found directly. 

This shows that knowledge of N and (P − 1)(Q − 1) suffices to break 

RSA. 

16. Shamir, Rivest and Adelman suggested that their RSA method could be 

used to play poker over the phone [SRA]. Explain how using techniques 

similar to signing a message, two players may use RSA to play poker. 

Hint: Have one player begin by encrypting the fifty-two messages ace 

of clubs, two of clubs, three of clubs, ..., king of spades, sending 

them to the other player. There will need to be a lot of messages sent.

254 CHAPTER 12. RSA

Bibliography 

[Antonucci] Michael Antonucci, Code-Crackers Civil war Times Illustrated, 

July August 1995. 

[Abeles] 

[Abeles2] 

[Abelels3] 

[Bates] 

[Bauer] 

[Belaso] 

[Brown] 

[Elements] 

Francine F. Abeles, The Mathematical Pamplets of Charles Luttwidge 

Dodgson and Related Pieces, 1994, page 326. 

Francine Abeles and Stanley H. Lipson, Some Victorian Periodic 

Polyalphabetic Ciphers, Cryptologia, April 1990, Vol XIV No. 2, 

page 128–134. 

Francine Abeles and Stanley H. Lipson, The Matrix Cipher of C.L. 

Dodgson, Cryptologia, January 1990, Vol XIV No. 1, page 28-36. 

David Homer Bates, Lincoln in the Telegraph Office. 

Bauer’s Book. 

Giovan Batista Belaso, La Cifra del. Sig. Giovan Batista Belaso, 

1553 (see page 137, Kahn). 

Joseph Willard Brown, The Signal Corps, U.S.A. in the War of the 

Rebelions, Boston, U.S. Veteran Signal Corps Association, 1896. 

United States of America War Office, Elements of Cryptanalysis, 

Training Pamphlet No. 3, May 1923 . 

[Friedman] William Friedman, Cryptography and Cryptanalysis, Vol 2, 1937. 

[Gaddy] 

[Gaines] 

[Glasby] 

David Winfred Gaddy,Signals and Ciphers, C.S.A. A Study in Confederate 

Cryptology. 

Helen Fouche Gaines, Cryptanalysis. 

S.P. Glasby, Extended Euclid’s Algorithm vi Backward Recurrence 

Relations, Math. Mag., Vo. 72, No. 3, Pages 228–230. 

[Graves] Robert Graves, I, Claudius, page 212, Random House, 1934. 

[Gray] 

Jacques B. M. Gray, Vowel identification: an old (but good) algorithm. 

Crytologia, July 1991 VOl XV, Number 3, pages 258–61. 

255

256 BIBLIOGRAPHY 

[Hassard] John R. G. Hassard, Cryptography in Politics, pp 315–26, 1879, 

The North American Review. 

[Hellman] 

[Kahn] 

[Kasiski] 

Martin Hellman, The Mathematics of Public-Key Cryptography, 

Scientific American, 1979. Vol 241, pages 146–57. 

David Kahn, The Codebreakers. 

Friedrich Kasiski, Die Geheimschriften und die Dechiffrir-kunst 

[Koblitz] Neal Koblitz, Crytography as a teaching tool, Cryptologia, Vol. 21, 

No. 4 (1977), pp. 317–326. 

[Merkle] 

[Morris] 

[Myers] 

R. C. Merkle, M. E. Hellman, Hiding Information and Signatures 

in Trapdoor Knapsacks, IEEE Transactions on Information Theory, 

Vol. 24, No. 5, pp. 525-530, September 1978. 

Richard Morris, John Jay: The Making of a Revolutionary, Unpublished 

papers 1745–1780, Edited by Richard B. Morris, Harper & 

Row, page 656-666 

General Albert James Myer, A Manual of Signals: for the use of 

Signal Officers in the field 

[Nichols] Randall K. Nichols, ICSA Guide to Cryptography, page 70. 

[Schooling] John Holt Schooling, The Pall Mall Magazine Vol VIII, 1896 I. 

page 119–D 

[Peckham] 

[Plum] 

[Pratt] 

[RSA] 

[Sinkov] 

[SSA1] 

[SSA2] 

[SSA3] 

Howard H. Peckham, British Secret Writing in the Revolution, The 

Quarterly Review, pages 125–130. (Michigan Alumnus Quarterly 

Review, 9 November 1938, winter 1938 VF 25-43 ) 

William Rattle Plum The Military Telegraph during the Civil War 

in the United States, Arno Press, New York, 1974 

Fletcher Pratt, Secret and Urgent 

Rivest, Shamir, Adleman A Method for Obtaining Digital Signatures 

and Public-Key Cryptosystems, Communications of the ACM, 

February 1978, Volume 21, Number 2, pages 120–126. 

Abraham Sinkov, Elementary Crytanalysis. 

SSA, The History of Codes and Ciphers in the United States Prior 

to World War I, page 132. 

Codes and Ciphers during the Civil War Prepared under the Direction 

of the Chief Signal Officer, 20 April 1945. 

Historical Background of the Signal Security Agency Army Security 

Agency, Washington, D.C, 12 April 1946 Volume I

BIBLIOGRAPHY 257 

[Shamir] 

[SRA] 

A. Shamir, A Polynomial-Time Algorithm for Breaking the Basic 

Merkle-Hellman Cryptosystem, Advances in Cryptology - CRYPTO 

’82 Proceedings, pp. 279-288, Plenum Press, 1983. IEEE Transactions 

on Information Theory, Vol. IT-30, pp. 699-704, 1984. 

A. Shamir, R. Rivest, L. Adleman, Mental Poker, The Mathematical 

Gardner, pgs 37-43. 

[Treat] Daniel G. Treat RSA: A Limerick, Mathematics Magazine, Vol 75, 

No. 4, October 2002, page 255. 

[Vigenere] 

[Weber] 

[Yardleyb] 

[Yardleya] 

Vigenerè, Traicte’ des Chiffres. 

Ralph E. Weber Masked Dispatches: Cryptograms and Cryptology 

in American Hisotyr, 1775–1900, Series I Pre-World War I Volume 

I MSA, CSS 1992. 

Yardley book 

Herbert Yardley, Are we giving away our state secrets, Liberty 

Magazine, Dec 19, 1931, pages 8–13.

Cryptology - Unofficial St. Mary's College of California Web Site

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?