The Solitaire Cipher1 (by Stefan Keller-Tuberg. 2013) This cipher was invented by cryptographer Bruce Schneier. It is called a substitution cipher because during the substitution process, each letter in the plaintext message gets replaced by another letter a certain number of steps to the right of it in the alphabet. Although you can programme and run Solitaire on a computer, it doesn’t actually require sophisticated hardware. You can run the algorithm using a deck of playing cards. This is explained below. Bruce Schneier invented the algorithm for Neal Stephenson to describe and use in his 1990s novel “Cryptonomicon”. Schneier believes Solitaire would be useful for dissidents living under an oppressive regime, needing to send covert messages to the outside world. Solitaire requires nothing more than a deck of playing cards. Where possession of enciphering technology might be seen as a capital crime, a highly secure ‘hand-calculated’ cipher such as Solitaire might be very useful. After all, if a person happens to be stopped and searched, and all they’re carrying is a deck of playing cards, it would be unlikely to attract much attention as another person stopped and found to be carrying a ‘sophisticated’ enciphering device. To use Solitaire, both the message sender and receiver need to have agreed upon a ‘PassPhrase’. Both of them use the PassPhrase to arrange their decks of cards into identical pseudo-random starting sequences. They each then generate the same ‘KeyString’ with which to encipher and decipher their messages. To remain impermeable to cracking, they need to choose a different PassPhrase for every message transmitted. The Enciphering and Deciphering operations The Solitaire enciphering and deciphering operation works only on letters. Spaces and punctuation marks are ignored. Enciphering involves taking the numeric representation of each letter in the plaintext message and adding it to the numerical representation of each letter in the KeyString. The deciphering operation is the reverse of this process, subtracting identical numeric KeyString values from the ciphertext to recreate the plaintext. Enciphering Each letter of the alphabet is assigned a different number as follows: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 Let’s commence with the following plaintext and KeyString: plainte A S E C R E T M E S S A G E xt KeyStr E A G U O P O Q B Z M J J X ing Converting these into numeric values, we get: plainte A S E C R E T M E S S A G E xt 1 19 5 3 18 5 20 13 5 19 19 1 7 5 KeyStr E A G U O P O Q B Z M J J X 1 Adapted from the following web sites: http://www.schneier.com/solitaire.html, http://jnicholl.org/Cryptanalysis/Ciphers/Solitaire.php and http://pthree.org/2012/06/21/hand-ciphers-solitaire-cipher 1 ing 5 1 7 21 15 16 15 17 2 26 13 10 10 24 Then we add them together as follows: plainte 1 19 5 3 18 5 20 13 5 19 19 1 7 5 xt KeyStr 5 1 7 21 15 16 15 17 2 26 13 10 10 24 ing 2 1 2 3 2 3 3 4 3 1 1 2 sum 6 7 0 2 4 3 1 5 0 5 2 1 7 9 If the sum exceeds 26, we need to do something special. We subtract 26, so the ‘sum’ values will always be between 1 and 26, as follows: plainte 1 19 5 3 18 5 20 13 5 19 19 1 7 5 xt KeyStr 5 1 7 21 15 16 15 17 2 26 13 10 10 24 ing sum 6 20 12 24 33 21 35 30 7 45 32 11 17 29 adjusted 1 6 20 12 24 7 21 9 4 7 6 11 17 3 sum 9 Finally, we convert the adjusted sums back into letters to get the ciphertext. adjusted 6 20 12 24 7 21 9 4 7 19 6 11 17 3 sum ciphert ext F T L X G U I D G S F K Q C Deciphering Deciphering is the reverse operation. It uses exactly the same KeyString as we used in the enciphering above. cipherte xt F T L X G U I D G S F K Q C KeyStr E A G U O P O Q B Z M J J X ing Convert the letters into numbers: ciphert ext F T L X G U I D G S F K Q C 6 20 12 24 7 21 9 4 7 19 6 11 17 3 KeyStri ng E A G U O P O Q B Z M J J X 5 1 7 21 15 16 15 17 2 26 13 10 10 24 This time, instead of adding the numbers, we subtract the KeyString from the ciphertext, and if the answer would be zero or negative, we adjust by adding 26: ciphertext 6 20 12 24 7 21 9 4 7 19 6 11 17 3 2 KeyString 5 1 7 21 15 16 15 17 2 26 13 10 10 24 - - difference 1 19 5 3 -8 5 -6 5 -7 -7 1 7 13 21 adjusted 1 2 1 1 1 1 19 5 3 5 5 1 7 5 difference 8 0 3 9 9 Finally, we convert from the numeric values back into the original letters: adjuste d 1 19 5 3 18 5 20 13 5 19 19 1 7 5 differen ce plainte xt A S E C R E T M E S S A G E Initialising the deck, loading a PassPhrase, and generating a Solitaire KeyString The Solitaire cipher uses an ordinary deck of 52 playing cards with 2 Jokers (ie 54 cards in total). The two Jokers must be separately identifiable and will be called ‘Joker A’, and ‘Joker B’. Hold the deck of cards with the faces showing so you can read them. Initialising the deck In order for the sender and the receiver to be able to generate identical KeyStrings, they each need to initialise their decks into the same card sequence. One way they could do this is to define a particular sequence for all 54 cards. A problem however is that if either sender or receiver makes just one mistake, the messages they exchange will never be able to be decoded, so they’d better have perfect memories. The purpose of a PassPhrase is to make it easier to remember the deck’s initial state. In other words, its easier to remember a phrase than to remember the sequence of 54 cards. When using a PassPhrase, you need to start with each deck in a known (non-random) configuration. As you apply the PassPhrase, you systematically re-order the deck according to a well defined algorithm, which gives the illusion of shuffling the deck in a random way. The longer the PassPhrase, the better the approximation of shuffling will be. The important thing however is that both decks will have been ‘shuffled’ in exactly the same way, and so they will each generate exactly the same KeyString. Unless the bad guys correctly guess the PassPhrase, the ciphertext will be extremely secure, even by modern standards, because good randomness is hard to crack! The initial deck order can be anything that both parties agree, but for the purpose of this document, let’s set it as follows. (it should be abundantly clear that the initial state shown below is totally non-random, but any initial state would be equally ‘non-random’ if the bad guys know that state): 1 A 2 3 4 5 6 7 8 9 J Q K 0 1 1 1 1 1 2 3 4 5 6 7 8 9 ♠ 0 1 2 3 1 1 1 1 1 1 2 2 2 2 2 2 2 ♣4 5 6 7 8 9 0 1 2 3 4 5 6 2 2 2 3 3 3 3 3 3 3 3 3 3 ♦7 8 9 0 1 2 3 4 5 6 7 8 9 3 4 4 4 4 4 4 4 4 4 4 5 5 5 ♥0 1 2 3 4 5 6 7 8 9 0 1 2 Jo Jo k k 5 5 e e 3 4 r r A B Because the decks always start in a known (non-random) state, if a short PassPhrase is used, it will be very obvious that it takes many PassPhrase characters before the decks start to appear to be truly randomised. If Solitaire is used with a long PassPhrase (ie more than 150 characters), there are no known ways of cracking it, even using the fastest supercomputers. Even with the above ‘non-random’ state, the deck will appear to be randomly shuffled after initialisation with a long PassPhrase and its ultimately the deck randomness as perceived by the bad-guys that would underpin Solitaire’s security. Even when a short KeyString (or even no KeyString), Solitaire will still generate what appears to be a completely ‘random’ KeyString. Don’t be fooled, the bad guys will likely try every combination of the shortest passphrases first before moving on to longer ones, so even though an enciphered message will always appear to contain gibberish, ones that have been enciphered using short PassPhrases will not be very secure.