Thinking About Encryption, Part 51


Approaching St. Cyr

The Jan.- Feb. 2019 issue of the ACA Cm newsletter had a CON using the St. Cyr cipher-type. St. Cyr isn’t one of the standard ACA types, so the CON was listed in the Analyst’s Corner (which features ciphers that either don’t follow the guidelines, or aren’t one of the approved types). Fortunately, there was a note to refer to the Oct.-Nov. 1953 Cm from the archives. There, one of the earlier ACA members had written up a good article introducing the St. Cyr type.

What’s important to note up front is that if you do a net search on “St. Cyr cipher,” you’re going to find a few articles on how to make a St. Cyr slide. In effect, the slides are a simple strip of paper within a guide frame. The slide will have the letters A-Z repeated on them to create a short cycle. The guide will also have A-Z printed at the bottom. Together they form a Caesar shift encrypter. If you were instead to put the two alphabets on a pair of rotating disks, you’d have a Caesar shift encoder wheel, or ring. Which means that the St. Cyr slide and the secret encoder rings you used to get in boxes of sugar cereals and Cracker Jacks are fundamentally the same.

However, that’s not really what the St. Cyr cipher is about. Instead, we’re really talking about the Vigenere cipher again. As a refresher, the Vigenere cipher uses a table of Caesar-shifted rows in combination with a keyword. The keyword is written over the plaintext message, repeating as necessary, and each key letter acts as an index to one of the rows of the table. The cipher text letter is taken where the column indicated by the plaintext letter intersects with the cipher letter row. The main weakness to Vigenere is that the use of a keyword makes the ciphertext periodic, and if you can determine the period, you can crack the cipher as just groups of Caesar shifts.

St. Cyr is the French military academy established in 1802 by order of Napoleon Bonaparte. The St. Cyr cipher was taught at this academy, which is where it got its name. The St. Cyr slide can be used to encipher and decipher messages, but at St. Cyr’s heart is the Vigenere table (which can also include the Beaufort and Variant tables). The difference from Vigenere is the practice of using the keyletters on whole plaintext words. This breaks up the periodicity of the Vigenere cipher, but renders it vulnerable to a much simpler attack.

For example, say we use the keyword “HUMAN”, and the plaintext “to err is inevitable, to get caught at it is not.”

With Vigenere, we’d use:

HUMANHUMANHUMANHUMANHUMANHUMANHUMANHU
toerrisinevitabletogetcaughtatitisnot

ciphertext:
AIQREPMUNRCCFAOSYFOTLNOAHNBFAGPNUSAVN

But, with St. Cyr, it’s

HH UUU MM AAAAAAAAAA NN HHH UUUUUU MM AA NN HHH
to err is inevitable to get caught at it is not

ciphertext:
AVYLLUEINEVITABLEGBNLAWUOABNMFITVFUVA

Encryption and decryption would follow the same steps as with Vigenere, but using the “stutter key” as shown above.

Breaking St. Cyr is insanely easy with software. Just print out the text 26 times, once each with the incremented Caesar-shifted row.

A = AVYLLUEINEVITABLEGBNLAWUOABNMFITVFUVA
B = ZUXKKTDHMDUHSZAKDFAMKZVTNZAMLEHSUETUZ
C = YTWJJSCGLCTGRYZJCEZLJYUSMYZLKDGRTDSTY
D = XSVIIRBFKBSFQXYIBDYKIXTRLXYKJCFQSCRSX
E = WRUHHQAEJAREPWXHACXJHWSQKWXJIBEPRBQRW
F = VQTGGPZDIZQDOVWGZBWIGVRPJVWIHADOQAPQV
G = UPSFFOYCHYPCNUVFYAVHFUQOIUVHGZCNPZOPU
H = TOREENXBGXOBMTUEXZUGETPNHTUGFYBMOYNOT
I = SNQDDMWAFWNALSTDWYTFDSOMGSTFEXALNXMNS
J = RMPCCLVZEVMZKRSCVXSECRNLFRSEDWZKMWLMR
K = QLOBBKUYDULYJQRBUWRDBQMKEQRDCVYJLVKLQ
L = PKNAAJTXCTKXIPQATVQCAPLJDPQCBUXIKUJKP
M = OJMZZISWBSJWHOPZSUPBZOKICOPBATWHJTIJO
N = NILYYHRVARIVGNOYRTOAYNJHBNOAZSVGISHIN
O = MHKXXGQUZQHUFMNXQSNZXMIGAMNZYRUFHRGHM
P = LGJWWFPTYPGTELMWPRMYWLHFZLMYXQTEGQFGL
Q = KFIVVEOSXOFSDKLVOQLXVKGEYKLXWPSDFPEFK
R = JEHUUDNRWNERCJKUNPKWUJFDXJKWVORCEODEJ
S = IDGTTCMQVMDQBIJTMOJVTIECWIJVUNQBDNCDI
T = HCFSSBLPULCPAHISLNIUSHDBVHIUTMPACMBCH
U = GBERRAKOTKBOZGHRKMHTRGCAUGHTSLOZBLABG
V = FADQQZJNSJANYFGQJLGSQFBZTFGSRKNYAKZAF
W = EZCPPYIMRIZMXEFPIKFRPEAYSEFRQJMXZJYZE
X = DYBOOXHLQHYLWDEOHJEQODZXRDEQPILWYIXYD
Y = CXANNWGKPGXKVCDNGIDPNCYWQCDPOHKVXHWXC
Z = BWZMMVFJOFWJUBCMFHCOMBXVPBCONGJUWGVWB

Look for the rows with readable plaintext, and switch from row to row at the end of each plaintext word. Because the keyword is still going to be short compared to the plaintext message, it will cycle, so we just cycle on the output lines as well.

A = AV YLL UE INEVITABLE GB NLA WUOABN MF IT VF UVA
H = TO REE NX BGXOBMTUEX ZU GET PNHTUG FY BM OY NOT
M = OJ MZZ IS WBSJWHOPZS UP BZO KICOPB AT WH JT IJO
N = NI LYY HR VARIVGNOYR TO AYN JHBNOA ZS VG IS HIN
U = GB ERR AK OTKBOZGHRK MH TRG CAUGHT SL OZ BL ABG

Rearranging the lines to put the words in order will then expose the key.

H = TO --- -- ---------- -- GET ------ -- -- -- NOT
U = -- ERR -- ---------- -- --- CAUGHT -- -- -- ---
M = -- --- IS ---------- -- --- ------ AT -- -- ---
A = -- --- -- INEVITABLE -- --- ------ -- IT -- ---
N = -- --- -- ---------- TO --- ------ -- -- IS ---

Summary:
1) St. Cyr is a polyalphabetic substitution cipher that uses the Vigenere tables, but one keyword letter enciphers one full plaintext word.
2) It is not secure, and is actually easier to break in software than Vigenere or any of its variants.
3) You REALLY want to avoid keywords that include the letter “A”, which translates to a Caesar-shift of 0.
4) St. Cyr can be hardened by using the Variant or Beauford tables, and by mixing things up with any of the regular transposition types.

Cm History, 1932-1940


I bought an Android tablet about a year ago, and I got so irritated with how clunky the interface was, and how difficult it was to write apps in Java, that I tossed it on a stack of stuff and let it gather dust. I have a cell phone and a good pocket camera, and I don’t text or listen to music when I’m outside, so the tablet didn’t really add anything. More recently, though, I’ve been wanting a way to read archived issues of the ACA Cm newsletter while I’m riding the streetcar, or between English classes, and I was wondering if the Android natively supported a PDF reader. By this point I’d forgotten my login password and I didn’t remember where I wrote it down (if I ever did). So, I did a hard reboot, and spent several days trying to find a secure Wifi hotspot site so I could access the net and reset the password (I don’t need wifi at home). When that was over, I downloaded a test archive PDF from the ACA website, and I could read that. So, I downloaded every archive file from 1932 to 2015, and began reading. (Please note, I may not have all of the below information 100% correct, but this is as good as I can get it right now.)

Actually, I’m only up to 1940, but that’s good enough for the moment. For background, the American Cryptogram Association first formed in 1929 as a group of friends that had played card games together, but wanted something else to do when they couldn’t get 4 partners together for Bridge. They investigated various kinds of puzzles, such as crosswords, and hit on newspaper-style crypto quips as their favorite type. They registered the name American Cryptogram Association (ACA) and printed their first newsletter, the Cryptogram (The Cm), in Feb., 1932. Membership was $1 for one year.

The ACA was joining the ranks of other groups such as the National Puzzler’s League (1883-, mostly word games and wordplay; newsletter is The Enigma), Detective Story Magazine (1915-1949, which had a Cipher Secrets corner), and a couple others which seem to have faded into the mists of time. Some of the ACA members came from the NPL, so some of the vocabulary overlapped the two groups (members are called the Krewe, and aliases are “noms”). The ACA leaders felt that crypto quips were “the aristocrats of puzzles,” and were thus dubbed “aristocrats” to differentiate them from other cipher types.

1932

Feb.
– First issue of the Cm released. All ciphers in the issue are Aristocrats.

April
– The term “the Krewe” for the membership is introduced. Martin Gardner joins briefly.

June
– First attempt to introduce rules for how to construct Aristocrats for submission.

Aug.
– First start at trying to explain how to solve Aristos, introduction of the Phillips System, and the Porta Slide.

Oct.
– First mention of “undivided substitutions,” with the process for solving them. First appearance of undivided substitution crypts as an alternative to Aristos.

1933

April
– First appearance of a French Aristo. More foreign-language crypts start showing up after this, in French and Spanish.

June
Herbert Yardley ((1889-1956) former head of the Army Signal Corps intelligence MI8 department, creator of the Black Chamber, and author of The American Black Chamber) joins the ACA and is immediately named Vice President, with the nom “Bozo.”
– Joining at the same time is Helen Fouche Gaines, with the nom “Piccola” (1888-1940). Helen had been working as an author for other puzzle magazines at the time, and became one of the ACA’s most prolific writers in the Cm, introducing a wide variety of cipher types over the next 7 years, and showing how to solve them. Her entry in the Arkansas Biography: A Collection of Notable Lives states that there’s a very good likelihood that she served as a cryptographer/trainer for the U.S. Navy during WW I. She eventually published one of the best books on the subject, Elementary Cryptanalysis to that date in 1939. The book is still recommended by the ACA to members new to the subject. She passed away 1 year later.

Aug.
– Introduction of “bi-literals,” Aristocrats enciphered in such a way that the ciphertext is also readable English words. Introduction of the book review section.

Dec.
– Piccola introduces the first transposition cipher type, which is later called Route Transposition. Transposition CONs start appearing in the Cm after this.

1934

Feb.
– One reader asks for Fletcher Pratt’s address to ask him about Nihilist and Grille ciphers. Piccola writes the first true article on vowel spotting and digraphs in undivided substitutions.

Apr.
– Piccola introduces a method for finding repeated sequences. Transpositions are now a regular column in the CONs section. Foreign language CONs are still mostly Aristos, but now include German and Portuguese.

Aug.
– Italian is added to the foreign CONs.

Oct.
– Piccola introduces Null ciphers.

Dec.
– Piccola introduces 5×5 Checkerboard ciphers using numbers for the row and column identifiers. A user named Patristocrat starts showing up more often in the Cm.

1935

Feb.
– One article introduces the Bazeries cipher. Piccola introduces the Vigenere, and the first set of Vigenere CONs to appear in the Cm. A Challenges column is added to include harder CONs.

April
– One of the members starts writing about Bacon, Shakespeare and ciphers. The problem up to this point is that a certain group of people that felt Bacon wrote Shakespeare’s plays had tended to be borderline crazy in coming up with conspiracy theories, and the ACA members viewed them as nutjobs. Also in this issue, Piccola writes about how to solve Vigenere ciphers.

June
– Piccola introduces the Kasiski method for obtaining the period length of Vigeneres. Bozo writes an article on recovering key alphabets (does not include Aristos. Up to this point, people do not seem to be using key alphabets for encrypting Aristos or “undivided substitutions.”)

Aug.
– We’re given the letter frequencies of different languages.

Oct.
– Piccola introduces the Gronsfeld cipher.

Dec.
– An article appears on the solution of one of Benjamin Franklin’s enciphered messages that had up to that point been unbroken.

1936

Feb.
– Piccola introduces the Saint Cyr slide.
– A new CONs section is specifically dedicated to “undivided substitutions” (Aristos without the punctuation or word breaks), and 2 of the 3 CONs are provided by the user Patristocrat.

Apr.
– First appearance of a cryptarithm (math division problem with letters substituted for the numbers). For the next year or so, these kinds of problems can have multiple solutions, and several members would compete to see who could find the most possible.

Sept.
– This is actually a special cipher contest issue, and just consists of challenge ciphers.

Oct.
– Piccola introduces the Running Key Cipher. At this point, running key is a Vigenere cipher, using a long passage from a book as the key. The current implementation where one half of the plaintext is used to encrypt the other half does not appear until later.

Dec.
– Piccola introduces the Auto Key Cipher.

1937

Feb.
– Occasionally, one or another member will discuss books that have caught their interest, but there’s still no real review section yet. Other times, someone will attempt to compile a comprehensive list of books that either analyze ciphers, or incorporate them in the story.
– In this issue we get one of the “comprehensive lists,” which includes Bram Stoker’s “The Mysteries of the Sea,” with it’s Bacon cipher on pages 465-475.
– Piccola writes more on Auto Key.
– There’s an announcement of the new Cipher Exchange department, to hold the ciphers discussed by Piccola.

Apr.
– Piccola talks about the use of parallel alphabets for periodic ciphers (like Porta and Vigenere), and we get the first appearance of the Cipher Exchange (now a common feature of the modern version of the Cm).

June
– Piccola writes about recovering the primary alphabets from Vigenere and other periodic ciphers.
– Columnar Transposition starts showing up by name in the Cipher Exchange.

Aug.
– Piccola introduces the Nihilist Substitution Cipher.

Oct.
– Piccola writes more on the idea of key phrases for key alphabets.

Dec.
– Piccola delves deep into Columnar Transposition, with Part 1 here, and Part 2 in the Feb., 1938, issue.

1938

Feb.
– The encrypted math problems are now officially renamed to Cryptarithms.
– Up to this point, the user Patristocrat (Webb C. Patterson) had been almost the sole supplier of undivided simple substitution CONs, and the Cm editor claims that because he has a backlog of over 500 of these from Webb, that from here on Undivided Simple Subs will be called “Patristocrats.”

Apr.
– Nap writes an article on Alphabet Slides and their uses. This includes instructions on making cardboard slides with sets of alphabets on them for easy encryption and decryption of periodic ciphers. Good for solving the Vigenere family by hand.

June
– Piccola introduces the Nilihist Cipher.

Aug.
– Piccola writes about the bigram test, which is useful for breaking Columnar and Nihilist Transpositions, and Patristocrats by hand.
– There’s a walkthrough for a solution of a French crypt, with the frequency analysis of the French language.
– There’s also a condensed analysis for identifying unknowns.

Oct.
– First outright suggestion that people construct Aristos using a keyed alphabet. No mention of K-1 through K-4 yet.
– More condensed analysis of unknowns.
– Piccola and RLH discuss the Playfair Cipher, part 1.

Dec.
– The first discussion of using decimation to recover Aristo K-3 type keywords.
– Part 2 of Piccola’s and RLH’s Playfair Cipher article.
– Letter frequencies of other languages.

1939

Feb.
– Part 3 of the Playfair article.
– As the presence of WW II makes itself ever more obvious to America, there are more references to it in the Cm. Several members, specifically those in Canada, are announced as going into military training, and then being posted overseas. The Cm editor suggests that ACA members should contact their local authorities to see if their skills can be used by the government. The ACA votes on whether to use its spare funds for buying War Bonds. And, there is a growing request for members to stop sending ciphers on post cards in the mail, because it’s resulting in the embarrassment of being hauled in for questioning on what exactly is in those secret messages.

Apr.
– Neoteric writes about the difficulties of understanding the German language.
– Piccola writes an introduction on Incomplete Columnar Transposition.

June
– A review of Fletcher Pratt’s book “Secret and Urgent” (1939).

Dec.
– There had been some mention in the Cm up to this point of Piccola’s work on her “Elementary Cryptanalysis” book, with the ACA deciding to publish it and multiple requests for preorders to cover initial printing costs. In this issue, there’s the official announcement that the book is on the shelves. From here, ACA members start sending in CONs based on types described in the book that had not yet been introduced in the Cm. A few articles appear later on analyzing how to break these CONs. There’s also kind of an unofficial contest for who can solve every single CON in the book first. A couple years later, there are still 2 or 3 that remained unsolved.
– There’s an article in this issue on the process for solving Italian crypts.

1940

Feb.
– Ab Struse writes an article on pattern word lists. He basically suggests the usefulness of lists of words with certain repeated letter patterns. It’s good for a pencil and paper approach, and ultimately extends to software tools for breaking Myszkowski ciphers.

Apr.
– The use of partial alphabet tables for Vigenere for determining letter shifts based on frequency counts. This may be a good test for harder Vigs, but it may duplicate the IC test.

June
– Helen Gaines (Piccola) passes away. Her obit appears in this issue.
– A posthumous article by Piccola appears, highlighting Porta.

Oct.
– Use of odd-numbered Grilles, part 1.

Dec.
– A “robot” approach to solving subs is described. This seems to be best suited for Aristos rather than Pats.
– Use of odd-numbered Grilles, part 2.

Wiggles, part 41


Just a little ongoing story to give you something to play with until the next blog post.

RFY RFHAT HV, RFLBTF, RFNR SFHOY H SYND RFY SNRUF LA QM OYZR SDHVR, H FNJY RFY XNAC VYR N XHR RHTFRYD RFNA ALDQNO, NAC DLRNRYC RL XY “ZNUY CLSA” ULQENDYC RL LRFYD EYLEOY. RFNR HV, HZ H SNV SDHRHAT NR N CYVP, QM SNRUF SLBOC XY ZNUHAT RFY ZOLLD NAC ALR NR QY. XBR, H DYNOOM BVY HR SFYA H’Q LA VRNTY. RFHV SNM, H UNA VYY RFY RHQY NV H’Q EONMHAT QM TBHRND, NAC H’OO NOSNMV PALS HZ H’Q NXLBR RL DBA OLAT. H CL QM CNQAYCYVR RL ZHAHVF QM VYRV YGNUROM LA RFY VYULAC. RFY XND LSAYDV OLLP NR QY SYHDC NZRYD H CL RFHV N ZYS RHQYV, XBR HR’V THJYA QY N DYEBRNRHLA ZLD DYOHNXHOHRM NV N EONMYD RFNR H QNM LD QNM ALR XY RYVRHAT SHRF RFHV ENDRHUBOND OHRROY VRBAR RLAHTFR.

Wiggles, part 38


Just a little ongoing story to give you something to play with until the next blog post.

LXU ZNNM DX HVGN FRXAZ UB IZ JVBVZ DX SZXA JUCD HXA WUZMVYNZDVE WXPNC (SIDCUZN) VZM RVQQXXZ MXFC (DVZUSI) VRN DX DHN QUEDURN HNRN. TXDH SIZMC XW QRNVDURNC VRN SZXAZ DX HVGN CHVBNCHIWDIZF VTIEIDINC, CUBNRZVDURVE BXANRC, V DNZMNZQL WXR HVZFIZF VRXUZM HUYVZ CXQINDL, VZM V EXGN WXR YNCCIZF AIDH BNXBEN. DHVD CIEGNRL YXGNYNZD TVQS IZ DHN TVR QXUEM HVGN TNNZ VZLDHIZF – V QVD AIDH V CEIQS QXVD, VZ VTZXRYVEEL VFIEN CYVEE QHIEM, XR V CHXRD WXP. I HVM YL MXUTDC VTXUD V DVZUSI, TNQVUCN DHXCN HVGN V RNBUDVDIXZ WXR TNIZF YXRN BEXMMIZF VZM TUESL. TUD, IW I AVC MNVEIZF AIDH CBIRID VZIYVEC, VZLDHIZF AVC BXCCITEN. XZ DHN XDHNR HVZM, I QXUEMZ’D IYVFIZN V QVD XR QHIEM QHICNEIZF DHN NZDRVZQN DX DHN QRNGIQN. VEYXCD IZCDIZQDIGNEL, I BUEENM XUD YL CUYVWX VZM TRXUFHD UB DHN BXSNYXZ FX VBB. ZXBN, ZX CIFZVE, VZM ZX EXXCN BISVQHUC. I BUD DHN BHXZN TVQS IZ YL BXQSND VZM QHNQSNM DHN VZIYVE DRVQSC VFVIZ. DHNL CNNYNM DX TN HNVMIZF CXUDH, DXAVRM DHN QEXCNCD NZM XW DHN CHXBBIZF MICDRIQD. I WVQNM IZDX DHN CEIFHD TRNNON VZM SNBD QRVAEIZF VEE WXURC. IW VZLDHIZF QVYN IZ HNRN VWDNR YN, ID’M TN BRNDDL XTGIXUC DX DHNY DHVD DHNIR CNQRND BEVQN HVM TNNZ IZGVMNM. DXX TVM WXR DHNY.

Thinking About Encryption, Part 40


It’s been a long time since I’ve talked about Autokey ciphers, and I’ve only just recently actively solved one from the ACA Cm newsletter. The Nov.-Dec. 2018 issue of the Cm had two Autokey CONS, and I’d figured I’d try solving both of them just because I’d thought I could. However, it had been so long since I’d looked at it, that I’d forgotten that the VBScript I’d written was just for generating Autokey ciphers for the blog, and wasn’t actually a solver. So, I pretty much had to start over from scratch.

The thing is, the other scripts I had for solving Vigenere had everything I needed for loading the tabula rosa tables for Vigenere, Variant and Beaufort (which can be used with Autokey), and for loading and prepping the cipher text message. That left adding the functions for printing out key strings and plaintext for specific pieces of ciphertext, and then automating the process for partially solving the CON when given the placement of the crib and the width of the primer. Overall, I think I spent no more than 2 days on everything.

Recall that with the Vigenere cipher, you’re using a lookup table that has an index key at the left, and is Caesar-shifted one character to the left per line.

A ABCDEFGHIJKLMNOPQRSTUVWXYZ
B BCDEFGHIJKLMNOPQRSTUVWXYZA
C CDEFGHIJKLMNOPQRSTUVWXYZAB
D DEFGHIJKLMNOPQRSTUVWXYZABC
E EFGHIJKLMNOPQRSTUVWXYZABCD
:
H HIJKLMNOPQRSTUVWXYZABCDEFG
:
:
Z ZABCDEFGHIJKLMNOPQRSTUVWXY

First, we need to pick a keyword, say, “HELPME”, and then write the plaintext under repetitions of that.

HELPMEHELPMEHELPMEHELPMEHEL
inthebeginningiwasaquietman

To create the ciphertext, we take the plaintext one letter at a time, and locate it in the top row. We take the matching key letter at the left of the table, and look for the letter at the intersecting row and column we’ve formed. For “i”, the key letter is “H”. Going down the “i” column and across the “H” row, we get “P”. For “n” and “E”, we get “R”. Etc.

Variant and Beaufort work the same way, they just use different letter arrangement tables.

The main weakness with all of these cipher types is that the key is periodic, and all of the letters encrypted by a specific letter are all part of the same Caesar-shifted alphabet. Meaning that if we can determine the key length, we can apply simple letter frequency matching to that alphabet to get the shift value for recovering the plaintext. The way around this is to make the key the full length of the plaintext message.

With Autokey, we do this by picking a “primer,” a word or phrase that starts our keystring, and then append the plaintext message to the primer, so that the text is encrypting itself. Autokey can use the Vigenere, Variant, or Beaufort tables. The advantage here is that it’s as easy to remember the primer as it is the keyword, but we don’t get something that’s as periodic.

Example:
Primer: machine
Plaintext: inthebeginningiwasaquietman
Keystring: MACHINEINTHEBEGINNINGIWASAQ

Using the Vigenere table, the ciphertext is (with the letters in groups of 5):
UNVOM OIOVG UMOKO ENFID AQATE AD

Now, to break an Autokey cipher, most of the articles I’ve read so far work on the assumption that the crib (the hint given to help solve the cipher) is relatively long compared to the primer. This means that the crib is going to overlap itself somewhat between the plaintext and the keystring. We can see this in the above example for the word “beginning.” The idea is to encrypt the crib with itself, shifting the word on the line below to the right one position each time, and then checking to see whether the encrypted crib text appears in the cipher.

beginning
.......beginning
.......OK.......

“OK” does appear in the cipher, once, at position 13. We’ve now placed the crib, and we know that “beginning” starts at position 6. If we put the keystring we reconstruct above the ciphertext, and the reconstructed plaintext below, we get:

............BEGINNING......
UNVOMOIOVGUMOKOENFIDAQATEAD
.....beginning.............

It’s just a matter of working backwards in the alphabet table to finding the missing corresponding plain or key text. The more text we get, the more we have for completing the rest of the message.

In the articles I’ve read, the authors focus on reconstructing the plaintext, first working from the crib to the right. After they reach the right end of the text, they return to the crib, and work left to finish recovering the plaintext, and finally revealing the primer.

That’s all well and good, but what if the crib is short compared to the primer? That is, what if the crib had been “the”? Now, there’s no overlap between the plaintext and the keystring, and the above method doesn’t work.

I’d like to propose a more generic approach than that be used in both the “long” and “short” crib cases. We start out with the ciphertext below, and the crib “have”. And, I’m using the Vigenere table.

QUVDW ITPGZ LTOSW ZMEYR HFOJP ARYVJ K

The entire point of the crib is to give us a word from the plaintext that we can use to crack the puzzle (in the real world, we’d like to hope that we have a lot more source material to work from). This means that we KNOW the crib is in both the plaintext AND the keystring. We can just slide the crib along the ciphertext, and write out the corresponding plain and key values, and see what that gets us. For solving for the key, for the first letters, “Q” and “h”, I get “J”. Continuing the process for the first 10 slide positions:

Pos = 1, QUVD, Built from crib: JUAZ
Pos = 2, UVDW, Built from crib: NVIS
Pos = 3, VDWI, Built from crib: ODBE
Pos = 4, DWIT, Built from crib: WWNP
Pos = 5, WITP, Built from crib: PIYL
Pos = 6, ITPG, Built from crib: BTUC
Pos = 7, TPGZ, Built from crib: MPLV
Pos = 8, PGZL, Built from crib: IGEH
Pos = 9, GZLT, Built from crib: ZZQP
Pos = 10, ZLTO, Built from crib: SLYK
Pos = 11, LTOS, Built from crib: ETTO
Pos = 12, TOSW, Built from crib: MOXS

Now, one weird artifact that appears in Vigenere that’s not in Variant or Beaufort, is that solving for the keystring actually gives you the same result as for solving for the plaintext. Case in point, the below list is for the plaintext:

Pos = 1, QUVD, Built from crib: JUAZ
Pos = 2, UVDW, Built from crib: NVIS
Pos = 3, VDWI, Built from crib: ODBE
Pos = 4, DWIT, Built from crib: WWNP
Pos = 5, WITP, Built from crib: PIYL
Pos = 6, ITPG, Built from crib: BTUC
Pos = 7, TPGZ, Built from crib: MPLV
Pos = 8, PGZL, Built from crib: IGEH
Pos = 9, GZLT, Built from crib: ZZQP
Pos = 10, ZLTO, Built from crib: SLYK

Ignoring that, looking for text fragments that look English-like, we get “NVIS” at position #2, and “ETTO” (maybe for “get Tom”?) at position #11. If we build up what we have (keystring on top, cipher in the middle, and plaintext below, we have:

.NVIS.....HAVE
QUVDWITPGZLTOSWZMEYRHFOJPARYVJK
.have.....etto

If we make the assumption that ACA Autokey CONs use primers shorter than 11 letters, then because “NVIS” is at position 2, and “ETTO” is at position 11, we get a tentative primer length of 9. And here’s my point – instead of continuing to the end of the message and then guessing at words in the plaintext and keystring, and trying to fill them in before tackling the primer, why not attack the primer NOW?

Using an online Scrabble-like word finder for 9-letter words fitting the pattern “?NVIS????”, we get envisaged, envisages, envisions, invisible, invisibly and unvisted.

Testing “ENVIS”, the result is “MHAVE”. Testing “INVIS”, the result is “IHAVE”.

Boss, I think we have a winner. Punching in a primer of “INVISIBLE” causes the entire cipher to crumble.

INVISIBLEIHAVEASECRETTOWHICHNOM
ihaveasecrettowhichnomanisprivy

In summary, Autokey has a major flaw, in that if you can place a crib in both the keystring and the plaintext, you’re given the length of the primer. If necessary, you can work towards the left to uncover bits of the primer, and possibly use that with an online word finder to obtain potential primers that you can then plug into an Autokey solver. If the list is short enough, you’ll crack the cipher faster than if you follow the conventional methods.

Gakken Otona no Kagaku kit, 180125


Well, after a full year since the last official announcement on the Gakken page, we finally get a new kit, and it turns out to be a reissue of the Pinhole Planetarium. Released under the new Best Selection line (numbered #1), the price is 3,000 yen, but the accompanying booklet is a measely 16 pages. I’m very, very disappointed.

I’m really hoping that this does not become a trend, with “new” kits coming out once a year as recycles. Sigh.

Wiggles, part 30


Just a little ongoing story to give you something to play with until the next blog post.

BVM KGMMR GWWI XWWG WR BVM WRM OFXM WPMRO JB BVM YJOM WS BVM OBJFGO LMJXFRK HP BW BVM JGNJXM. BVM YJNZ EJLL WS BVM KGMMR GWWI FO IJQYM 1-1.5 IMBMGO LMSB WS BVM XWWG, OW F’X VJCM BW NGJEL IJQYM 5-6 IMBMGO BW KMB BW EVMGM BVM BWP WS BVM OBJFGO SGWI BVM YJG IMMBO BVM NLWOMOB MXKM WS BVM JGNJXM. F’I BJLL, YHB F’I XMSFRFBMLQ RWB J SHLL BEW IMBMGO LWRK, OW F’X RMMX BW NWCMG JB LMJOB 4 BFIMO IQ WER YWXQ LMRKBV YMSWGM F NWHLX YM OHGM BVJB F’X KWBBMR HRXMGRMJBV BVM JGNJXM OPJNM. RJBHGJLLQ, FR BVM XJGZ, EFBV IQ SLJOVLFKVB PWFRBMX XFGMNBLQ FR SGWRB WS IM, FB EJO GMJLLQ VJGX BW KJHKM XFOBJRNM. JSBMG J IFRHBM, FB XJERMX WR IM BVJB BVFO EJO PGWYJYLQ J CMGQ OBHPFX BVFRK F EJO XWFRK. FS BVM BHRRML RJGGWEMX, F’X VJCM J SJFGLQ XFSSFNHLB BFIM JB YJNZFRK HP, WG BGQFRK BW OBWWP HP MRWHKV BW JBBMIPB BHGRFRK JGWHRX. YHB, BVM GWNZ EJLLO EMGM PGMBBQ HRNVJRKFRK, JRX F NWHLXR’B FIJKFRM BVJB BVMGM EJOR’B J NWRRMNBFRK BHRRML HP JVMJX, FS SWG RWBVFRK MLOM BVJR SWG GJFREJBMG XGJFRJKM.

Thinking About Encryption, Part 33


I started diving deeper into the ACA archives, focusing between 2001 and 2005. Along the way I found a couple articles on Route Transposition. To me, RT, Null and Baconian are all very similar in that they’re more like brain teasers than honest ciphers. Granted, they can all be used for hiding messages in various ways, so in that sense, yes, they’re ciphers. But the rules employed seem very arbitrary. In the case of RT, you pick a method for forming a square or rectangle, and then a second method for taking off the cipher text. A few of these methods are actually (close to) the definitions for Columnar Transposition, Scytale, and even Rail Fence. Others are a bit more complicated.

For example, on by rows, off by columns:

thisisa
nexampl
etextab

tnehe tixes aximt spaal b

One obvious weakness of RT is that the plaintext length has to be padded to create an a x b rectangle, which can give away the rectangle’s dimensions and make solving it a bit easier.

The ACA guidelines state that the maximum plaintext lengths are either an 8×8 square, or an 8×10 rectangle. There’s no mention of the types of routes that are available, or are considered “ACA standard.” The ND2005 issue of the Cm lists the six main types: Orthogonal (runs in one direction), Boustrophedon (alternates direction, from the Greek “as the ox turns while plowing”), Diagonal, Spiral (from a corner to the center), Crab Spiral (from the center out to a corner) and Boustrophedon Diagonal. And we have horizontal and vertical mirror flips, so we can rotate the start point around the corners (starting from upper left, upper right, lower left or lower right). In all, there are 48 combinations. And because we can use a different method to take off the text, that’s 48×47 combinations. However, many of the rotations and reflections result in the same ciphertext out.

Say we have “in the worlds of code, there is no one answer”.

Simple orthogonal can be:

inthe . iroee . rewsn
world . nldia . aenoo
sofco . tdesn . nsier
dethe . hstns . ehted
reisn . eohow . ocfos
oonea . wfeoe . dlrow
nswer . ocrnr . ehtni

For simple boustrophedon:

inthe . icone
dlrow . nfdoa
sofco . toeon
ehted . hstns
reisn . edhsw
aenoo . wleie
nswer . orrer

Spiral:

inthe
ereiw
hswso
tnenr
earol
denod
ocfos

Crab Spiral:

htedr
eehoe
rwtcw
eonfs
irion
sldsa
noone

Diagonal

itwlc
nerfh
hooto
wseoa
ddnes
osnne
ioawr

Boustrophedon Diagonal:

inwoo
tercd
hlfen
dotso
shiow
eense
reanr

As can be seen above, the plaintext is still largely readable even after the first transposition. So, if we take off the text in rows or columns, we may retain some of that readability, making it easier to guess the patterns used.

Crab spiral off in columns:

herei sntew orloe htnid odocf osnre wsnae

Losing the spaces, we can find “hereis” at the beginning of the line, and printing the line backwards reveals “answer.” Kind of implies a spiral.

Or, Boustrophedon off in rows:
inthe dlrow sofco ehted reisn aenoo nswer

It’s like we’re not even trying. In fact, this aids in determining the column widths to get us back to our 5×7 rectangle.

In short, you want to avoid maybe 20% of the various “on-by/off-by” combinations just because they leave too many clues. That really reduces the work required by the solver to crack the CON by brute force.

To break a Route Transposition CON, the first step is to get the string length, and determine what the factors are. In my example, I’ve got a length of 35. So, the plaintext is going to be either 5×7 or 7×5. Next, try writing the text in simple rows and columns for both dimensions.

hereisn - On by rows
teworlo
ehtnido
docfosn
rewsnae


herei
sntew
orloe
htnid
odocf
osnre
wsnae


hsohoow - On by columns
enrtdss
rtlnonn
eeoicra
iwedfee


htedr
eehoe
rwtcw
eonfs
irion
sldsa
noone

The first and fourth blocks have the most immediately eye-catching amounts of plaintext.
First, around the outer layer: “thereisnooneanswer”.
Fourth, around the outer layer: “hereisnooneanswer”.

The difference, though, is that when you try to link the letters just before “there”, block four gives you “ted” in the top row, plus “ocfo” in the column immediately below the “d.” Since we know reversed strings are allowed, reversing them gives us “ofcodet”. Put that in front of “hereisnooneanswer”, and we get “ofcodethereisnooneanswer.” This pretty much proves we have a crab spiral, and we know that starts from the center and works out. Obtaining the last of the text is easy.

If we’d kept picking at block one, removing the part we already read, we’d also find:

eworl
ehtnid
docfos

“worlds of code”. Peal that off to reveal:

e
htni

Or, “in the” backwards. Looking more closely at block one, we can finally see that it’s also a crab spiral, just on its side. In fact, blocks one and four are identical, and are simply rotated 90 degrees clockwise.

If that failed, then we would need to form the rectangle using a spiral and/or a diagonal. If the text was 36 characters, we’d have to try a 6×6 square, and a 4×9 rectangle. Still, this is doable with paper and pencil, although brute force in software makes the excerise almost trivial.

I was thinking about writing my own VBScript solver, but the ACA newsletter doesn’t run that many route transposition CONs – maybe one or two a year. BION, one of the ACA’s more active app writers also has a Route worksheet, which I’ll try using next time, first. Overall, though, RT’s may really be more fun to solve by hand (if you can avoid making mistakes).

Some caveats – the routes mentioned above are the obvious ACA-standard ones. You can easily develop non-standard routes, such as “take off every other row,” “every third column,” or “X-diagonals.” One of the other ACA members suggested using magic square numbering, following the jumps of a chess Knight piece, or using a Greek Cross pattern:

. 1 . . 5
2 . 3 6 . 7
. 4 . . 8

and read that off in rows:

1 5 2 3 6 7 4 8

The point is that if you only play with the ACA standard routes, when someone creates a non-standard route, you’ll probably be lost if you rely on software to do the heavy lifting for you.

Summary:
1) Route Transposition is more like a brain teaser than a cipher.
2) There are 6 standard route types, multiplied by rotations and reflections.
3) While there are 48 conceivable standard combinations, some of them give the same results.
4) RT is approachable by hand using paper and pencil.
5) To create an RT cipher, pick the route type for making the rectangle or square, and the route type for pulling the text off for the final cipher. (I.e. – On by reversed rows, off by spiral.)
6) To solve an RT, determine the text length to get the possible rectangle sizes to try (i.e. – 5×5, 6×6 or 4×9).
7) Start by creating the test rectangles on by rows, and on by columns. Look for readable plain text, checking for spirals, crab spirals and diagonals.
8) If #7 fails, write the text in by spiral and by diagonal. Look for reversed plaintext (rows and columns), too.
9) If both #7 and #8 fail, the RT may be non-standard. Consider non-adjacent rows and columns.
10) If all else fails, try making words from the ciphertext letters as anagrams. If you can reconstruct a large block of text this way, it may give you some hints as to the physical relationships between the letters.
11) As a last resort, abandon the idea that this is a Route Transposition and check if you’re not really facing a Rail Fence, Complete Columnar Transposition or Nihilist Transposition instead.

Thinking About Encryption, Part 32


In going through the ACA archives, I found a few articles employing the Baconian cipher, and one partially describing it. I kind of had an idea for how to place the crib (finding where one of the plaintext hint words goes in the CON (construction)), and I figured I’d spend a couple hours writing up the VBScript for at least converting the crib into Baconian format, and see where things went from there. The first part went ok, but then I didn’t have time to sit down at the computer over the entire following weekend, and I kept expanding on the script in my head. That Monday, when I did have a little free time, I was so tired from lack of sleep (construction noises outside kept waking me up) that nothing I wrote worked immediately. I wasted the better part of the day bug fixing and wondering what I was thinking while I was writing code just a few minutes earlier. In the end, I did get a solver pretty much fully up and running, and I’d found the solution for the Baconian CON in the Sept.-Oct. issue of the ACA Cryptogram (Cm) newsletter. So, that was good.

Sir Francis Bacon was a big fan of secret messages, and he felt that the best secret message was one that didn’t look like a secret message. He employed steganography throughout his works, with variations on type fonts, and letter spacings to hide messages. Similar writing in Shakespeare’s works have led many people to believe that Bacon wrote Shakespeare, and William Friedman initially became involved in cryptography as a photographer on a project to analyze Shakespeare’s works around 1916-17. Friedman and his wife Elizabeth (who taught William cryptography), eventually disproved the connection.

There are two variants of Bacon’s cipher, while the ACA generally uses the first one, in which the letters I and J, and U and V, double up to create a 24-letter alphabet. What’s a bit confusing at times is that the entire 26-letter English alphabet is used for the encoding (i.e.- the message text uses 24 letters, but the method for hiding the message uses 26 letters).

The system uses “a” and “b” in a pure binary counting format for representing “A-Z”.

aaaaa = A
aaaab = B
aaaba = C
aaabb = D
...
babbb = Z

In Bacon’s original implementation, a letter in one font face would be interpreted as “a”, and a letter in the other face would be “b”. As the ACA implements their Baconian cipher, any set of rules, the more obscure the better, can be used. Generally, this takes the form of groups of 5-letter words representing a maximum of 25 plaintext letters. Such as:

AUTOR BEGIN TAMED WORMS

Now, technically what I did was use a Null cipher here, where the one odd letter of the first and second halves of the alphabet spells out “ANT.” But, this just demonstrates how similar Baconian is to Null. Any rule can be employed as long as it’s consistent. With the exact same 4 words, if “b” = “GROU”

Then:

AUTOR = ababb = m
BEGIN = aabaa = e
TAMED = aaaaa = a
WORMS = abbaa = n

Giving us “mean ant” using two different systems with one set of four 5-letter words.

Granted, it would be nearly impossible to extract the Baconian rules from something so short, and it also illustrates the difficulty in crafting a good word puzzle this way. The ACA archives have examples of CONs that contain upwards of 3 and even 4 messages in strings of the same 25 word groups, each with their own rules, but the word groups have turned into completely unreadable random-looking strings. Which undermines Bacon’s rule that the message shouldn’t look like it’s enciphered.

If the message is long enough, then a crib can be used to solve it. In the Sept.-Oct. 2018 newsletter, the Baconian cipher included the crib “say.”

s = baaab
a = aaaaa
y = babba

Once the crib is converted to binary, you can slide it across the cipher text (5 letters at a time), looking for a “best fit.”

AUTOR BEGIN TAMED WORMS
baaab aaaaa babba

This placement would fail becase the “A” in AUTOR needs to be a “b”, while the “A” in TAMED needs to be an “a”.

BEGIN TAMED WORMS
baaab aaaaa babba

Would also fail because “M” is “a” in TAMED, but “b” in WORMS.

The ACA members generally select cribs that can have 2 or more possible placements. When this happens, you just have to try plugging “a” and “b” into the words in those placements and see if any of them automatically disqualify themselves. Because a 5-digit binary number can range from 0 to 31, and the Baconian alphabet only uses 24 (or 26) letters, “bbaaa” through “bbbbb” (that’s seven characters) are illegal. If the attempted placement creates something like “bbabb” for an unrelated letter, you know that placement is wrong.

After the crib has been placed correctly, some of the other letters will be partially filled in. If there are letters with only one digit missing (e.g. – “a-bba” or “-bbbb”), completing them will be easy. In the case of “-bbbb,” the only choice is “abbbb” (“Q”) because “bbbbb” is illegal. For “a-bba”, “aabba” gives “G” and “abbba” produces “P”. You can tell from the reconstructed plaintext which one is correct. And, for every cipher letter you get right, there could be 3-4 more plaintext letters that pop out.

Once you have the finished plaintext, you can look at the cipher assignments for “a” and “b” to see if there was some kind of underlying rule. In my above example, I really wanted “b” = “GROUND,” but that would have thrown off the Null cipher, which required the last letter of “TAME?” to be curved, and to lie between “A” and “N.” If I do try my hand at creating Baconian CONs, I’ll submit them to the ACA for publication in the Cm for credit. These things are tricky enough that I doubt I’ll print them in the blog until long after the Cm prints out the solution. Anyway, the easy Baconian CONs are kind of fun to solve, and my solver works well enough. At some point, I’ll upgrade it to suggest “a” and “b” assignments for letters with one missing digit, which might make it auto-solving if something like “?bbaa” only has one solution.

Summary:
1) The Baconian cipher uses regular text to hide the existence of a secondary hidden message.
2) The Baconian alphabet is binary, employing “a” and “b” instead of “0” and “1.”
3) There are two versons of the alphabet, either 24 letters or 26 letters.
4) The 24-letter alphabet combines I with J, and U with V.
5) Placing the crib in ACA Baconians is a matter of eliminating 5-letter word groups that would result in “a” = “b” conflicts.
6) The general ACA Baconian CONs use groups of 5-letter words, for a maximum of 25 letters of plaintext, but this is not a hard-and-fast rule.
7) Other Baconian ciphers can be embedded in any kind of message as desired.
8) Once you’ve recovered enough of the plaintext, you can try to identify the rule used for the “a” and “b” assignments.
9) On its own, Baconian can be an extremely secure cipher-type, because it is both easy to overlook, and the rules could be nigh-impossible to uncover if you have no idea what the plaintext is about.
10) Bacon did not write Shakespeare.

Wiggles, part 27


Just a little ongoing story to give you something to play with until the next blog post.

SGHQH’E B EGQVDH VD UJISI SGBS GBE B RVT FHDSQBZ MIIOHD EKXXIQS XVZZBQ. BS SGH RBEH IW SGH EKXXIQS VE B GIZH BRIKS 12 VDFGHE EPKBQH BDO 3 WHHS ZIDT. SGHQH’E B SQBOVSVID SGBS VW JIK FBD FQBMZ BZZ SGH MBJ SGQIKTG, JIK MVZZ THS TIIO ZKFU. V GBO SI OVEZIFBSH YJ EGIKZOHQ WIQ SGBS IDH, BDO B WHM IW SGH XQVHESE GBO SI XKEG BDO OQBT YH SGQIKTG VS, RKS V OVO YBUH VS IKS SGH ISGHQ EVOH IW SGH XVZZBQ. SGH GIZH GHQH MIKZOD’S RH B FGBZZHDTH. V SGQHM BDISGHQ PKVFU ZIIU IKS SGH GBZW-IXHD OIIQ, XKS YJ CBFUHS ID YJ TKVSBQ FBEH, SIIU IWW YJ RHZS, BDO XKEGHO SGH RINHE IKS IW SGH MBJ. V UDHM, VW V BEUHO WIQ XHQYVEEVID V’O DHLHQ RH BZZIMHO SI SQJ SGVE, BDO V MBE XZBDDVDT ID TIVDT SI BDISGHQ FVSJ SGH DHNS OBJ BDJMBJ. EI, V OVOD’S GBLH SI MIQQJ BRIKS THSSVDT WVQHO VW SGH IMDHQ TIS BDTQJ, BDO V MBED’S GKQSVDT WIQ YIDHJ VW GH OHFVOHO SI UHHX MGBS GH IMHO YH. V TIS OIMD ID YJ GBDOE BDO UDHHE, XKEGHO YJ FIVZHO KX RHZS, EKYBWI BDO ZVTGS SGQIKTG SGH GIZH VD WQIDS IW YH, BDO TIS SI EPKVQYVDT WIQMBQO. V GBO SI OVEZIFBSH YJ EGIKZOHQ BTBVD, RKS V’Y KEHO SI SGBS DIM.