The Solitaire Cipher1 (by Stefan Keller-Tuberg. 2013) This cipher was invented by cryptographer Bruce Schneier. It is called a substitution cipher because during the substitution process, each letter in the plaintext message gets replaced by another letter a certain number of steps to the right of it in the alphabet. Although you can programme and run Solitaire on a computer, it doesn’t actually require sophisticated hardware. You can run the algorithm using a deck of playing cards. This is explained below. Bruce Schneier invented the algorithm for Neal Stephenson to describe and use in his 1990s novel “Cryptonomicon”. Schneier believes Solitaire would be useful for dissidents living under an oppressive regime, needing to send covert messages to the outside world. Solitaire requires nothing more than a deck of playing cards. Where possession of enciphering technology might be seen as a capital crime, a highly secure ‘hand-calculated’ cipher such as Solitaire might be very useful. After all, if a person happens to be stopped and searched, and all they’re carrying is a deck of playing cards, it would be unlikely to attract much attention as another person stopped and found to be carrying a ‘sophisticated’ enciphering device. To use Solitaire, both the message sender and receiver need to have agreed upon a ‘PassPhrase’. Both of them use the PassPhrase to arrange their decks of cards into identical pseudo-random starting sequences. They each then generate the same ‘KeyString’ with which to encipher and decipher their messages. To remain impermeable to cracking, they need to choose a different PassPhrase for every message transmitted.
The Enciphering and Deciphering operations The Solitaire enciphering and deciphering operation works only on letters. Spaces and punctuation marks are ignored. Enciphering involves taking the numeric representation of each letter in the plaintext message and adding it to the numerical representation of each letter in the KeyString. The deciphering operation is the reverse of this process, subtracting identical numeric KeyString values from the ciphertext to recreate the plaintext.
Enciphering Each letter of the alphabet is assigned a different number as follows: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
Let’s commence with the following plaintext and KeyString: plainte A S E C R E T M E S S A G E xt KeyStr E A G U O P O Q B Z M J J X ing
Converting these into numeric values, we get: plainte A S E C R E T M E S S A G E xt 1 19 5 3 18 5 20 13 5 19 19 1 7 5 KeyStr E A G U O P O Q B Z M J J X
1 Adapted from the following web sites: http://www.schneier.com/solitaire.html, http://jnicholl.org/Cryptanalysis/Ciphers/Solitaire.php and http://pthree.org/2012/06/21/hand-ciphers-solitaire-cipher 1 ing 5 1 7 21 15 16 15 17 2 26 13 10 10 24
Then we add them together as follows: plainte 1 19 5 3 18 5 20 13 5 19 19 1 7 5 xt KeyStr 5 1 7 21 15 16 15 17 2 26 13 10 10 24 ing 2 1 2 3 2 3 3 4 3 1 1 2 sum 6 7 0 2 4 3 1 5 0 5 2 1 7 9
If the sum exceeds 26, we need to do something special. We subtract 26, so the ‘sum’ values will always be between 1 and 26, as follows: plainte 1 19 5 3 18 5 20 13 5 19 19 1 7 5 xt KeyStr 5 1 7 21 15 16 15 17 2 26 13 10 10 24 ing sum 6 20 12 24 33 21 35 30 7 45 32 11 17 29 adjusted 1 6 20 12 24 7 21 9 4 7 6 11 17 3 sum 9
Finally, we convert the adjusted sums back into letters to get the ciphertext. adjusted 6 20 12 24 7 21 9 4 7 19 6 11 17 3 sum ciphert ext F T L X G U I D G S F K Q C
Deciphering Deciphering is the reverse operation. It uses exactly the same KeyString as we used in the enciphering above. cipherte xt F T L X G U I D G S F K Q C KeyStr E A G U O P O Q B Z M J J X ing
Convert the letters into numbers: ciphert ext F T L X G U I D G S F K Q C 6 20 12 24 7 21 9 4 7 19 6 11 17 3 KeyStri ng E A G U O P O Q B Z M J J X 5 1 7 21 15 16 15 17 2 26 13 10 10 24
This time, instead of adding the numbers, we subtract the KeyString from the ciphertext, and if the answer would be zero or negative, we adjust by adding 26:
ciphertext 6 20 12 24 7 21 9 4 7 19 6 11 17 3 2 KeyString 5 1 7 21 15 16 15 17 2 26 13 10 10 24 - - difference 1 19 5 3 -8 5 -6 5 -7 -7 1 7 13 21 adjusted 1 2 1 1 1 1 19 5 3 5 5 1 7 5 difference 8 0 3 9 9
Finally, we convert from the numeric values back into the original letters: adjuste d 1 19 5 3 18 5 20 13 5 19 19 1 7 5 differen ce plainte xt A S E C R E T M E S S A G E
Initialising the deck, loading a PassPhrase, and generating a Solitaire KeyString The Solitaire cipher uses an ordinary deck of 52 playing cards with 2 Jokers (ie 54 cards in total). The two Jokers must be separately identifiable and will be called ‘Joker A’, and ‘Joker B’. Hold the deck of cards with the faces showing so you can read them. Initialising the deck In order for the sender and the receiver to be able to generate identical KeyStrings, they each need to initialise their decks into the same card sequence. One way they could do this is to define a particular sequence for all 54 cards. A problem however is that if either sender or receiver makes just one mistake, the messages they exchange will never be able to be decoded, so they’d better have perfect memories. The purpose of a PassPhrase is to make it easier to remember the deck’s initial state. In other words, its easier to remember a phrase than to remember the sequence of 54 cards. When using a PassPhrase, you need to start with each deck in a known (non-random) configuration. As you apply the PassPhrase, you systematically re-order the deck according to a well defined algorithm, which gives the illusion of shuffling the deck in a random way. The longer the PassPhrase, the better the approximation of shuffling will be. The important thing however is that both decks will have been ‘shuffled’ in exactly the same way, and so they will each generate exactly the same KeyString. Unless the bad guys correctly guess the PassPhrase, the ciphertext will be extremely secure, even by modern standards, because good randomness is hard to crack! The initial deck order can be anything that both parties agree, but for the purpose of this document, let’s set it as follows. (it should be abundantly clear that the initial state shown below is totally non-random, but any initial state would be equally ‘non-random’ if the bad guys know that state): 1 A 2 3 4 5 6 7 8 9 J Q K 0 1 1 1 1 1 2 3 4 5 6 7 8 9 ♠ 0 1 2 3 1 1 1 1 1 1 2 2 2 2 2 2 2 ♣4 5 6 7 8 9 0 1 2 3 4 5 6 2 2 2 3 3 3 3 3 3 3 3 3 3 ♦7 8 9 0 1 2 3 4 5 6 7 8 9
3 4 4 4 4 4 4 4 4 4 4 5 5 5 ♥0 1 2 3 4 5 6 7 8 9 0 1 2
Jo Jo k k 5 5 e e 3 4 r r A B
Because the decks always start in a known (non-random) state, if a short PassPhrase is used, it will be very obvious that it takes many PassPhrase characters before the decks start to appear to be truly randomised. If Solitaire is used with a long PassPhrase (ie more than 150 characters), there are no known ways of cracking it, even using the fastest supercomputers. Even with the above ‘non-random’ state, the deck will appear to be randomly shuffled after initialisation with a long PassPhrase and its ultimately the deck randomness as perceived by the bad-guys that would underpin Solitaire’s security. Even when a short KeyString (or even no KeyString), Solitaire will still generate what appears to be a completely ‘random’ KeyString. Don’t be fooled, the bad guys will likely try every combination of the shortest passphrases first before moving on to longer ones, so even though an enciphered message will always appear to contain gibberish, ones that have been enciphered using short PassPhrases will not be very secure.
Loading in the PassPhrase For your first try at going through the Solitaire algorithm, you might like to choose a null PassPhrase. That means you can skip directly to the next section and start generating the KeyString using the deck initialisation exactly as above. (The start of the KeyString sequence that will be generated with a null PassPhrase is shown at the end of this document.) If you routinely encipher your messages this way, your communications wont be very secure. Most crackers will probably check the null PassPhrase as their very first guess! The following sequence of steps is iterative. That is, you run through the sequence once for each letter of the PassPhrase or KeyString. Loading a PassPhrase uses the same first four algorithmic steps as when subsequently generating a KeyString. Be very careful when moving cards! If they get out of sequence because you made a mistake, you’ll have to reinitialise the deck and start all over again. 1. Find Joker A. Move it one card down. (In other words, swap it with the card just beneath it.) Befor J J 1 1 1 1 2 3 4 5 6 7 8 9 e A B 0 1 2 1 J J 1 1 1 After 1 2 3 4 5 6 7 8 9 A B 0 1 2 1
(Note: the number of cards in the ‘deck’ above is reduced to make it easier to read) If Joker A is at the bottom of the pack, instead insert it just below the top card: Befor J 1 1 1 1 1 2 3 4 5 6 7 8 9 e B 0 1 2 3 J 1 1 1 After 1 2 3 4 5 6 7 8 9 JB A 0 1 2
2. Find Joker B and move it two cards down. The process is similar to above: Befor J J 1 1 1 1 2 3 4 5 6 7 8 9 e A B 0 1 2
4 J 1 1 J 1 After 1 2 3 4 5 6 7 8 9 A 0 1 B 2
Befor J 1 1 1 J 1 2 3 4 5 6 7 8 9 e A 0 1 2 B J J 1 1 1 After 1 2 3 4 5 6 7 8 9 B A 0 1 2
Befor J 1 1 1 1 1 2 3 4 5 6 7 8 9 e A 0 1 2 3 J J 1 1 1 After 1 2 3 4 5 6 7 8 9 B A 0 1 2
3. Do a ‘triple cut’ as follows. Divide the pack into three parts, as in three different ‘sets’. • the top ‘set’ is all the cards above the top Joker (whichever one that happens to be)
• the middle ‘set’, is all the cards between the two Jokers, including the Jokers themselves
• the bottom ‘set’ is all the cards below the bottom Joker. Swap the top ‘set’ with the bottom ‘set’.
B e f 1 1 1 1 1 2 3 4 5 J 6 7 8 9 J o 0 1 2 3 r e A f 1 1 1 1 t J 6 7 8 9 J 1 2 3 4 5 0 1 2 3 e r
If a Joker is in either the top or bottom card position (or both), then treat the first or last ‘set’ as an empty set. It can still be swapped as follows: B e f 1 1 1 1 1 2 3 4 5 J 6 7 8 9 J o 0 1 2 3 r e A f 1 1 1 1 t J 6 7 8 9 J 1 2 3 4 5 0 1 2 3 e r
B J 1 2 3 4 5 6 7 8 9 J 1 1 1 1
5 e f o 0 1 2 3 r e A f 1 1 1 1 t J 1 2 3 4 5 6 7 8 9 J 0 1 2 3 e r
4. Do a ‘count cut’ as follows. Look at the bottom card and determine its ‘value’ from the following table. 1 A 2 3 4 5 6 7 8 9 J Q K 0 1 1 1 1 1 2 3 4 5 6 7 8 9 0 1 2 3 ♠ (53 (52 (51 (50 (49 (48 (47 (46 (45 (44 (43 (42 (41 ) ) ) ) ) ) ) ) ) ) ) ) ) 1 1 1 1 1 1 2 2 2 2 2 2 2 4 5 6 7 8 9 0 1 2 3 4 5 6 ♣ (40 (39 (38 (37 (36 (35 (34 (33 (32 (31 (30 (29 (28 ) ) ) ) ) ) ) ) ) ) ) ) ) 2 2 2 3 3 3 3 3 3 3 3 3 3 7 8 9 0 1 2 3 4 5 6 7 8 9 ♦ (27 (26 (25 (24 (23 (22 (21 (20 (19 (18 (17 (16 (15 ) ) ) ) ) ) ) ) ) ) ) ) ) 4 4 4 4 4 4 4 4 4 4 5 5 5 0 1 2 3 4 5 6 7 8 9 0 1 2 (14 (13 (12 (11 (10 ♥ (9) (8) (7) (6) (5) (4) (3) (2) ) ) ) ) )
5 5 Joker A 3 Joker B 3 (1) (1)
Note that each of the Jokers take on the same value: 53. Looking at the dark numbers, take that number of cards from the top of the deck and place them just above the bottom card. (That means that the bottom card doesn’t move, and stays at the bottom). (Alternately, use the red number and count that number of cards off the bottom of the deck. The set of cards remaining from the top of the deck gets placed just above the bottom card.) There’s a special case: if the bottom card is a Joker, then do nothing. (In the example below, assume that the red 5 represents a 5 of Spades) B e f 1 1 1 1 6 7 8 9 J J 1 2 3 4 5 o 0 1 2 3 r e A f 1 1 1 1 t J 1 2 3 4 6 7 8 9 J 5 0 1 2 3 e r
6 B e f 1 1 1 1 1 2 3 4 J 5 6 7 8 9 J o 0 1 2 3 r e A f 1 1 1 1 t 1 2 3 4 J 5 6 7 8 9 J 0 1 2 3 e r
5. This step will be different depending on whether you’re loading the PassPhrase, or generating the KeyString characters. To load the PassPhrase, we’re going to do another ‘triple cut’. Look at the next letter in the PassPhrase and convert it to a number using the table below. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
Cut the deck at that card into three sets. The size of the first set is the same as the number determined above. The third set consists only of the last card in the deck. The middle set contains all other cards. Swap the order of the first and second sets, leaving the third set (the last card) in the same location. Assuming the next PassPhrase letter is ‘D’ (value = 4), the deck is divided and split as follows: Befor 1 1 1 1 1 1 2 3 4 J 5 6 7 8 9 e 0 1 2 3 4 1 1 1 1 1 After J 5 6 7 8 9 1 2 3 4 0 1 2 3 4
Now repeat steps 1 to 5 for each of the letters in the PassPhrase. After all PassPhrase letters have been processed, the deck is ready to start generating KeyString characters. Generating the KeyString Calculating the KeyString is also an iterative process. At each iteration, perform steps 1 to 4 outlined above. When you get to step 5, do the following: 5. Find the next KeyString letter as follows. Note that in this step, you’re just going to look at cards, not change their order. Look at the top card. Determine its numeric value from the table below. 1 A 2 3 4 5 6 7 8 9 J Q K 0 1 1 1 1 1 2 3 4 5 6 7 8 9 0 1 2 3 ♠ (53 (52 (51 (50 (49 (48 (47 (46 (45 (44 (43 (42 (41 ) ) ) ) ) ) ) ) ) ) ) ) ) 1 1 1 1 1 1 2 2 2 2 2 2 2 4 5 6 7 8 9 0 1 2 3 4 5 6 ♣ (40 (39 (38 (37 (36 (35 (34 (33 (32 (31 (30 (29 (28 ) ) ) ) ) ) ) ) ) ) ) ) )
7 2 2 2 3 3 3 3 3 3 3 3 3 3 7 8 9 0 1 2 3 4 5 6 7 8 9 ♦ (27 (26 (25 (24 (23 (22 (21 (20 (19 (18 (17 (16 (15 ) ) ) ) ) ) ) ) ) ) ) ) ) 4 4 4 4 4 4 4 4 4 4 5 5 5 0 1 2 3 4 5 6 7 8 9 0 1 2 (14 (13 (12 (11 (10 ♥ (9) (8) (7) (6) (5) (4) (3) (2) ) ) ) ) )
5 5 Joker A 3 Joker B 3 (1) (1)
Note that each of the Jokers take on the same value: 53. Using the dark number above, count past that number of cards from the top of the deck and find the card after that. Let’s call that the ‘output card’. (Alternately, use the red number and count that number of cards off the bottom of the deck. The ‘output card’ will be the upper most card from that bottom card-set that you just counted off.) Don’t change the order of the cards! If the ‘output card’ is one of the Jokers, go back to step 1 and start over. There is no keystream letter generated from this iteration of the algorithm. If the ‘output card’ is any of the other cards, the keystream letter can be read from the table below. 1 A 2 3 4 5 6 7 8 9 J Q K 0 ♠ A B C D E F G H I J K L M ♣ N O P Q R S T U V W X Y Z ♦ A B C D E F G H I J K L M ♥ N O P Q R S T U V W X Y Z
For example, if the top card was a Joker (value = 53), you’d count past the first 53 cards in the deck all the way to the bottom card. The bottom card would represent the next KeyString letter. If instead the top card was the 2 of Spades (value = 2), you’d count past the first two cards and look at the third card in the deck to find the card that represents the next KeyString letter.
Some samples
PassPhrase KeyString Plaintext Ciphertext
one KPIJSK... simple DYVZEP
Note: a PassPhrase of
8