Stacking the deck to crack the code

Mathematics leads the way in the shadowy world of secret codes and ciphers but playing cards are the way to go when the secret police come snooping. By Jason England.

Cryptography is the shadowy science of secret codes and ciphers. While modern cryptography is extremely sophisticated and depends on advanced mathematical algorithms to protect sensitive information from prying eyes, historical cryptography was largely based on substitution ciphers. These simple ciphers were far less secure, but can be much more fun. You probably played around with just such a cipher in school to pass notes to your friends.

The classic (but easily cracked) A=1, B=2, C=3 and so on all the way until Z=26 cipher is the best-known example. Using this very simple substitution process the name “Alan” would translate to 1-12-1-14. Of course, even a rank beginner could decipher these “plaintext” numbers in a matter of seconds. In fact, many advanced code-breakers can read plaintext numbers almost as easily as they can read English! It’s just a matter of practice. But there is a way to make this cipher a bit more secure.

The secret is to add some “keystream” numbers to your plaintext numbers. The keystream numbers can be anything you like, as long as you and the intended recipient have the same set.

You’ll need as many keystream numbers as you have plaintext numbers, so to more securely encode “Alan” we’ll need a keystream four numbers long. As an example, let’s use the current year: 2-0-1-4. You add your plaintext number and your keystream numbers together like this:

1 + 2 = 3
12 + 0 = 12
1 + 1 = 2
14 + 4 = 18

Convert these new numbers to letters again (using the A=1 conversion). The finished “ciphertext” would now be: CLBR. You would transmit “CLBR” to your intended recipient.

(If adding plaintext and keystream numbers together gives an answer higher than 26, subtract 26 from the answer to generate a letter.)

When the recipient gets the cipher, she decrypts the message by working backwards. The intended recipient would know that the keystream numbers are the same as the year, so she can perform some simple subtraction and retrieve the plaintext numbers again.

(If a subtraction gives you a negative number, it must be one of those cases where the coder had to subtract 26. Just add 26 to get the right letter).

3 - 2 = 1
12 - 0 = 12
2 - 1 = 1
18 - 4 = 14

For an easy code like this just about any series of numbers will do fine as keystream numbers. Birthdays, phone numbers or just a random series of numbers will all work, as long as both the sender and receiver know what they are or can agree on where to get them. The problem is that if your enemies figure out your keystream numbers they can crack your codes easily. Even if they don’t figure out your keystream numbers, the cipher could still be broken with specialised algorithms.

But what about someone who wants to generate very secure keystream numbers to create a cipher that will withstand a sophisticated attempt at cracking? It can be done using something you probably have lying around the house. In 1999, US cryptography expert and security guru Bruce Schneier developed “Solitaire”. Solitaire generates secure keystream numbers using a normal deck of playing cards.

‘Solitaire’ algorithm looks innocent but is extremely secure.

Solitaire’s strength lies in the astronomical number of different ways that a deck of cards can be arranged by a thorough shuffle (2.3 x 1071 different ways, in fact). Once shuffled, the keystream is set. To find it, you follow Schneier’s strict multi-step procedure, which he lays out in full on his website. In essence, the deck is cut multiple times, first based on the position of the jokers within the pack, then based on the face value of the card that ends up at the base of the pack. The card that finally ends face-up on the table then gets translated into a number between 1 and 26, and then into a letter, again in a standardised fashion.

The procedure for finding the keystream is not secret: the security comes purely from the random order of the shuffled deck of cards. The crucial thing is for the sender and receiver to be the only ones who have identically shuffled packs. So before heading out into the field, our operative would carefully shuffle one deck of cards and then manually arrange a second pack to exactly match. One pack remains at HQ, while the operative carries the other. That way, the field agent and his commanders back at base can generate matching keystream numbers, to send and receive highly encrypted messages from one another. And what could look more innocent than a pack of cards on the coffee table, should enemy operatives or the secret police come snooping?


How secure is Solitaire? Well no one really knows for certain, but it’s probably the case that a good Solitaire cipher could only be cracked with “government-level” cryptography skills and equipment. While the Solitaire algorithm is very strong, it’s also somewhat cumbersome to use, although Schneier provides many colourful tips for budding spies keen to use it. When flipping through the deck, deciphering the message letter by letter, Schneider recommends writing the slowly unravelling message onto wide “club cabaret” sized cigarette papers using an HB pencil. Softer B pencils write better on the paper, but carrying one might raise suspicions should you be frisked by the secret police, he cautions. As for the cigarette paper, it burns without leaving any trace of ash. And you can always eat it, in a real fix.

Latest Stories
MoreMore Articles