VIC cipher
Encyclopedia
The VIC cipher was a pencil and paper cipher
used by the Soviet
spy
Reino Häyhänen
, codenamed "VICTOR".
It was arguably the most complex hand-operated cipher ever seen, when it was first discovered. The initial analysis done by the NSA in 1953 did not absolutely conclude that it was a hand cipher, but its placement in a hollowed out 5c coin implied it could be broken by pencil and paper. The VIC cipher remained unbroken until more information about its structure was available.
Although certainly not as complex or secure as modern computer operated stream cipher
s or block cipher
s, in practice messages protected by it resisted all attempts at cryptanalysis
by at least NSA from its discovery in 1953 until Häyhänen's defection in 1957.
family.
The VIC cipher has several important integrated components, including mod 10
chain addition (a lagged Fibonacci generator
, a recursive formula used to generate a sequence of pseudorandom digits), a straddling checkerboard
, and a disrupted double transposition
.
Until the discovery of VIC, it was generally thought that a double transposition alone was the most complex cipher an agent, as a practical matter, could use as a field cipher.
, several Soviet spy rings communicated to Moscow Centre using two ciphers which are essentially evolutionary improvements on the basic Nihilist cipher. A very strong version was used by Max Clausen in Richard Sorge
's network in Japan
, and by Alexander Foote
in the Lucy spy ring
in Switzerland
. A slightly weaker version was used by the Rote Kapelle network.
In both versions, the plaintext was first converted to digits by use of a straddling checkerboard
rather than a Polybius square. This has the advantage of slightly compressing the plaintext, thus raising its unicity distance
and also allowing radio operators to complete their transmissions quicker and shut down sooner. Shutting down sooner reduces the risk of the operator being found by enemy radio direction finder
s. Increasing the unicity distance increases strength against statistical attacks.
Clausen and Foote both wrote their plaintext in English, and memorized the 8 most frequent letters of English (to fill the top row of the checkerboard) through the mnemonic (and slightly menacing) phrase "a sin to err" (dropping the second "r").
The standard English straddling checkerboard has 28 character slots and in this cipher the extra two became "full stop" and "numbers shift". Numbers were sent by a numbers shift, followed by the actual plaintext digits in repeated pairs, followed by another shift. Then, similarly to the basic Nihilist, a digital additive was added in, which was called "closing". However a different additive was used each time, so finally a concealed "indicator group" had to be inserted to indicate what additive was used.
Unlike basic Nihilist, the additive was added by non-carrying addition (digit-wise addition modulo 10), thus producing a more uniform output which doesn't leak as much information. More importantly, the additive was generated not through a keyword, but by selecting lines at random from almanacs of industrial statistics. Such books were deemed dull enough to not arouse suspicion if an agent was searched (particularly as the agents' cover stories were as businessmen), and to have such high entropy density as to provide a very secure additive. Of course the figures from such a book are not actually uniformly distributed (there is an excess of "0" and "1" (see Benford's Law
), and sequential numbers are likely to be somewhat similar), but nevertheless they have much higher entropy density than passphrases and the like; at any rate, in practice they seem never to have been successfully cryptanalysed.
The weaker version generated the additive from the text of a novel or similar book (at least one Rote Kapelle member actually used The Good Soldier Schweik
, which may not have been a good choice if one expected to be searched by Nazis!) This text was converted to a digital additive using a technique similar to a straddling checkerboard.
The ultimate development along these lines was the VIC cipher, used in the 1950s by Reino Häyhänen
. By this time, most Soviet agents were instead using one-time pad
s. However, despite the theoretical perfection of the one-time pad, in practice they were broken
, while VIC was not.
The first row is populated with the ten digits, 0-9. They can be presented in order, as in the above table, or scrambled for additional security. The second row is typically set up with high-frequency letters (mnemonic ESTONIA-R), leaving two blank spots. It has no row label. The remaining rows are labeled with each digit that was not assigned a letter in the second row, and then filled out with the rest of the alphabet.
Much like the ordering of the digits in the top row, the alphabet can be presented in order (as it is here), or scrambled with a keyword or other technique. Since there are 30 slots in our grid, and we skipped two letters in the first row, there will be two spare cells in the other rows. We have filled these cells with a period '.', and a slash '/' to be used as a numeric escape character
(indicating that a numeral follows). It doesn't matter where these spares go, so long as the sender and receiver use the same system.
To encipher, a letter in the second row is simply replaced by the number labeling its column. Letters in the third and fourth rows are replaced by a two-digit number representing their row and column numbers. Mapping one-digit numbers to common letters reduces the length of the ciphertext, while also concealing the identities of the two-digit numbers by reducing the frequency of their first digits. Here is an example:
The resulting message, 3113212731223655, may be sent directly (if the table is scrambled), but is usually processed through a second cipher stage, such as transposition
or substitution
. As a simple example, we will add a secret key number (say, 0452) using modular (non-carrying) arithmetic
:
Optionally, we could then use the same straddling checkerboard to convert the ciphertext
back into letters:
Deciphering is simply the reverse of these processes. Although the size of groups can vary, deciphering is unambiguous because whenever the next element to be deciphered starts with a 2 or a 6, it is a pair; otherwise, it is a singleton.
). Another method of fractionation is to simply convert the message to Morse code
, with a symbol for spaces as well as dots and dashes.
When such a fractionated message is transposed, the components of individual letters become widely separated in the message, thus achieving Claude E. Shannon's diffusion
. Examples of ciphers that combine fractionation and transposition include the bifid cipher
, the trifid cipher
, the ADFGVX cipher
and the VIC cipher.
Another choice would be to replace each letter with its binary representation, transpose that, and then convert the new binary string into the corresponding ASCII characters. Looping the scrambling process on the binary string multiple times before changing it into ASCII characters would likely make it harder to break. Many modern block cipher
s use more complex forms of transposition related to this simple idea.
Cipher
In cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...
used by the Soviet
Soviet Union
The Soviet Union , officially the Union of Soviet Socialist Republics , was a constitutionally socialist state that existed in Eurasia between 1922 and 1991....
spy
SPY
SPY is a three-letter acronym that may refer to:* SPY , ticker symbol for Standard & Poor's Depositary Receipts* SPY , a satirical monthly, trademarked all-caps* SPY , airport code for San Pédro, Côte d'Ivoire...
Reino Häyhänen
Reino Häyhänen
Reino Häyhänen, was an ethnic Finn Soviet Lieutenant Colonel who defected to the United States.-Birth and education:...
, codenamed "VICTOR".
It was arguably the most complex hand-operated cipher ever seen, when it was first discovered. The initial analysis done by the NSA in 1953 did not absolutely conclude that it was a hand cipher, but its placement in a hollowed out 5c coin implied it could be broken by pencil and paper. The VIC cipher remained unbroken until more information about its structure was available.
Although certainly not as complex or secure as modern computer operated stream cipher
Stream cipher
In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream . In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption...
s or block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s, in practice messages protected by it resisted all attempts at cryptanalysis
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
by at least NSA from its discovery in 1953 until Häyhänen's defection in 1957.
A revolutionary leap
The VIC cipher can be regarded as the evolutionary pinnacle of the Nihilist cipherNihilist cipher
In the history of cryptography, the Nihilist cipher is a manually operated symmetric encryption cipher originally used by Russian Nihilists in the 1880s to organize terrorism against the czarist regime...
family.
The VIC cipher has several important integrated components, including mod 10
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
chain addition (a lagged Fibonacci generator
Lagged Fibonacci generator
A Lagged Fibonacci generator is an example of a pseudorandom number generator. This class of random number generator is aimed at being an improvement on the 'standard' linear congruential generator...
, a recursive formula used to generate a sequence of pseudorandom digits), a straddling checkerboard
Straddling checkerboard
In cryptography, a straddling checkerboard is a device for converting an alphabetic plaintext into digits whilst simultaneously achieving fractionation and data compression relative to other schemes using digits...
, and a disrupted double transposition
Transposition cipher
In cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is changed...
.
Until the discovery of VIC, it was generally thought that a double transposition alone was the most complex cipher an agent, as a practical matter, could use as a field cipher.
History
During World War IIWorld War II
World War II, or the Second World War , was a global conflict lasting from 1939 to 1945, involving most of the world's nations—including all of the great powers—eventually forming two opposing military alliances: the Allies and the Axis...
, several Soviet spy rings communicated to Moscow Centre using two ciphers which are essentially evolutionary improvements on the basic Nihilist cipher. A very strong version was used by Max Clausen in Richard Sorge
Richard Sorge
Richard Sorge was a German communist and spy who worked for the Soviet Union. He has gained great fame among espionage enthusiasts for his intelligence gathering during World War II. He worked as a journalist in both Germany and Japan, where he was imprisoned for spying and eventually hanged....
's network in Japan
Japan
Japan is an island nation in East Asia. Located in the Pacific Ocean, it lies to the east of the Sea of Japan, China, North Korea, South Korea and Russia, stretching from the Sea of Okhotsk in the north to the East China Sea and Taiwan in the south...
, and by Alexander Foote
Alexander Foote
In World War II, Allan Alexander Foote was a radio operator for a Soviet espionage ring in Switzerland. Foote was originally from Yorkshire in England, and had spent some time in Spain working for the Republican side during the Civil War in the '30s...
in the Lucy spy ring
Lucy spy ring
In World War II espionage, the Lucy spy ring was an anti-German operation that was headquartered in Switzerland. It was run by Rudolf Roessler, a German refugee and ostensibly the proprietor of a small publishing firm, Vita Nova...
in Switzerland
Switzerland
Switzerland name of one of the Swiss cantons. ; ; ; or ), in its full name the Swiss Confederation , is a federal republic consisting of 26 cantons, with Bern as the seat of the federal authorities. The country is situated in Western Europe,Or Central Europe depending on the definition....
. A slightly weaker version was used by the Rote Kapelle network.
In both versions, the plaintext was first converted to digits by use of a straddling checkerboard
Straddling checkerboard
In cryptography, a straddling checkerboard is a device for converting an alphabetic plaintext into digits whilst simultaneously achieving fractionation and data compression relative to other schemes using digits...
rather than a Polybius square. This has the advantage of slightly compressing the plaintext, thus raising its unicity distance
Unicity distance
In cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e...
and also allowing radio operators to complete their transmissions quicker and shut down sooner. Shutting down sooner reduces the risk of the operator being found by enemy radio direction finder
Radio direction finder
A radio direction finder is a device for finding the direction to a radio source. Due to low frequency propagation characteristic to travel very long distances and "over the horizon", it makes a particularly good navigation system for ships, small boats, and aircraft that might be some distance...
s. Increasing the unicity distance increases strength against statistical attacks.
Clausen and Foote both wrote their plaintext in English, and memorized the 8 most frequent letters of English (to fill the top row of the checkerboard) through the mnemonic (and slightly menacing) phrase "a sin to err" (dropping the second "r").
The standard English straddling checkerboard has 28 character slots and in this cipher the extra two became "full stop" and "numbers shift". Numbers were sent by a numbers shift, followed by the actual plaintext digits in repeated pairs, followed by another shift. Then, similarly to the basic Nihilist, a digital additive was added in, which was called "closing". However a different additive was used each time, so finally a concealed "indicator group" had to be inserted to indicate what additive was used.
Unlike basic Nihilist, the additive was added by non-carrying addition (digit-wise addition modulo 10), thus producing a more uniform output which doesn't leak as much information. More importantly, the additive was generated not through a keyword, but by selecting lines at random from almanacs of industrial statistics. Such books were deemed dull enough to not arouse suspicion if an agent was searched (particularly as the agents' cover stories were as businessmen), and to have such high entropy density as to provide a very secure additive. Of course the figures from such a book are not actually uniformly distributed (there is an excess of "0" and "1" (see Benford's Law
Benford's law
Benford's law, also called the first-digit law, states that in lists of numbers from many real-life sources of data, the leading digit is distributed in a specific, non-uniform way...
), and sequential numbers are likely to be somewhat similar), but nevertheless they have much higher entropy density than passphrases and the like; at any rate, in practice they seem never to have been successfully cryptanalysed.
The weaker version generated the additive from the text of a novel or similar book (at least one Rote Kapelle member actually used The Good Soldier Schweik
The Good Soldier Švejk
The Good Soldier Švejk , also spelled Schweik or Schwejk, is the abbreviated title of a unfinished satirical/dark comedy novel by Jaroslav Hašek. It was illustrated by Josef Lada and George Grosz after Hašek's death...
, which may not have been a good choice if one expected to be searched by Nazis!) This text was converted to a digital additive using a technique similar to a straddling checkerboard.
The ultimate development along these lines was the VIC cipher, used in the 1950s by Reino Häyhänen
Reino Häyhänen
Reino Häyhänen, was an ethnic Finn Soviet Lieutenant Colonel who defected to the United States.-Birth and education:...
. By this time, most Soviet agents were instead using one-time pad
One-time pad
In cryptography, the one-time pad is a type of encryption, which has been proven to be impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key of the same length as the plaintext, resulting...
s. However, despite the theoretical perfection of the one-time pad, in practice they were broken
Venona project
The VENONA project was a long-running secret collaboration of the United States and United Kingdom intelligence agencies involving cryptanalysis of messages sent by intelligence agencies of the Soviet Union, the majority during World War II...
, while VIC was not.
Straddling checkerboard
A straddling checkerboard is set up something like this:| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | |
| E | T | A | O | N | R | I | S | |||
| 2 | B | C | D | F | G | H | J | K | L | M |
| 6 | P | Q | / | U | V | W | X | Y | Z | . |
The first row is populated with the ten digits, 0-9. They can be presented in order, as in the above table, or scrambled for additional security. The second row is typically set up with high-frequency letters (mnemonic ESTONIA-R), leaving two blank spots. It has no row label. The remaining rows are labeled with each digit that was not assigned a letter in the second row, and then filled out with the rest of the alphabet.
Much like the ordering of the digits in the top row, the alphabet can be presented in order (as it is here), or scrambled with a keyword or other technique. Since there are 30 slots in our grid, and we skipped two letters in the first row, there will be two spare cells in the other rows. We have filled these cells with a period '.', and a slash '/' to be used as a numeric escape character
Escape character
In computing and telecommunication, an escape character is a character which invokes an alternative interpretation on subsequent characters in a character sequence. An escape character is a particular case of metacharacters...
(indicating that a numeral follows). It doesn't matter where these spares go, so long as the sender and receiver use the same system.
To encipher, a letter in the second row is simply replaced by the number labeling its column. Letters in the third and fourth rows are replaced by a two-digit number representing their row and column numbers. Mapping one-digit numbers to common letters reduces the length of the ciphertext, while also concealing the identities of the two-digit numbers by reducing the frequency of their first digits. Here is an example:
| A | T | T | A | C | K | A | T | D | A | W | N |
| 3 | 1 | 1 | 3 | 21 | 27 | 3 | 1 | 22 | 3 | 65 | 5 |
The resulting message, 3113212731223655, may be sent directly (if the table is scrambled), but is usually processed through a second cipher stage, such as transposition
Transposition cipher
In cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is changed...
or substitution
Substitution cipher
In cryptography, a substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext according to a regular system; the "units" may be single letters , pairs of letters, triplets of letters, mixtures of the above, and so forth...
. As a simple example, we will add a secret key number (say, 0452) using modular (non-carrying) arithmetic
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
:
| 3 | 1 | 1 | 3 | 2 | 1 | 2 | 7 | 3 | 1 | 2 | 2 | 3 | 6 | 5 | 5 | |
| + | 0 | 4 | 5 | 2 | 0 | 4 | 5 | 2 | 0 | 4 | 5 | 2 | 0 | 4 | 5 | 2 |
| = | 3 | 5 | 6 | 5 | 2 | 5 | 7 | 9 | 3 | 5 | 7 | 4 | 3 | 0 | 0 | 7 |
Optionally, we could then use the same straddling checkerboard to convert the ciphertext
Ciphertext
In cryptography, ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher...
back into letters:
| 3 | 5 | 65 | 25 | 7 | 9 | 3 | 5 | 7 | 4 | 3 | 0 | 0 | 7 |
| A | N | W | H | R | S | A | N | R | O | A | E | E | R |
Deciphering is simply the reverse of these processes. Although the size of groups can vary, deciphering is unambiguous because whenever the next element to be deciphered starts with a 2 or a 6, it is a pair; otherwise, it is a singleton.
Disrupted transposition
In a disrupted transposition, certain positions in a grid are blanked out, and not used when filling in the plaintext. This breaks up regular patterns and makes the cryptanalyst's job more difficult.Fractionation
Transposition is particularly effective when employed with fractionation - that is, a preliminary stage that divides each plaintext symbol into several ciphertext symbols. For example, the plaintext alphabet could be written out in a grid, then every letter in the message replaced by its co-ordinates (see Polybius squarePolybius square
In cryptography, the Polybius square, also known as the Polybius checkerboard, is a device invented by the Ancient Greek historian and scholar Polybius, described in , for fractionating plaintext characters so that they can be represented by a smaller set of symbols.-Basic form :The original square...
). Another method of fractionation is to simply convert the message to Morse code
Morse code
Morse code is a method of transmitting textual information as a series of on-off tones, lights, or clicks that can be directly understood by a skilled listener or observer without special equipment...
, with a symbol for spaces as well as dots and dashes.
When such a fractionated message is transposed, the components of individual letters become widely separated in the message, thus achieving Claude E. Shannon's diffusion
Confusion and diffusion
In cryptography, confusion and diffusion are two properties of the operation of a secure cipher which were identified by Claude Shannon in his paper Communication Theory of Secrecy Systems, published in 1949....
. Examples of ciphers that combine fractionation and transposition include the bifid cipher
Bifid cipher
In classical cryptography, the bifid cipher is a cipher which combines the Polybius square with transposition, and uses fractionation to achieve diffusion...
, the trifid cipher
Trifid cipher
In classical cryptography, the trifid cipher is a cipher invented around 1901 by Felix Delastelle, which extends the concept of the bifid cipher to a third dimension, allowing each symbol to be fractionated into 3 elements instead of two...
, the ADFGVX cipher
ADFGVX cipher
In cryptography, the ADFGVX cipher was a field cipher used by the German Army during World War I. ADFGVX was in fact an extension of an earlier cipher called ADFGX. Invented by Colonel Fritz Nebel and introduced in March 1918, the cipher was a fractionating transposition cipher which combined a...
and the VIC cipher.
Another choice would be to replace each letter with its binary representation, transpose that, and then convert the new binary string into the corresponding ASCII characters. Looping the scrambling process on the binary string multiple times before changing it into ASCII characters would likely make it harder to break. Many modern block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s use more complex forms of transposition related to this simple idea.