(2025-03-24) Let it be as simple as it can be... but no simpler
---------------------------------------------------------------
The topic of "hand" or pen and paper ciphers turns out to be much vaster than
I initially thought. Even in the modern era, new designs are constantly
popping out. Some of them are made just for fun and don't imply a lot of
security (being used, like, at school or for geocaching purposes), while
others are seriously preparing for even more dystopian scenarios than we
already are living in. The main problem of the second group of such ciphers
is a great deal of inconvenience: either with key material distribution if
we're talking about one-time pads, or, if we're talking about something
else, with encryption/decryption process itself which usually is too slow
and/or error-prone. Today, I'd like to focus on a single case of taking a
for-fun cipher from the first category and applying some slight
modifications to it in order to successfully (in my opinion) move it into
the second category without increasing the complexity too much. Let's go!

I must admit, I don't know much about ACA (American Cryptogram Association)
except for the fact that this organization turns 95 years old this year and
that its members still are proposing some interesting pen and paper cipher
designs to this day and challenge others to break them. In this very
context, the CONDI (CONsecutive DIgraph) cipher developed by Wilfred
Higginson in 2011 seems like a perfect candidate. It's quite easy to use in
the field and possible to crack for amusement. What's more interesting
though is that everything that makes it possible to crack can be mitigated
just as easily. So, let's first describe the original CONDI algorithm.

Message preparation (quoting the document): The Condi uses a simple keyed
alphabet and keeps the word divisions and retains
punctuation. Proper nouns are preceded by an asterisk (*).

Key preparation: write the keyphrase and the rest of the A-Z alphabet, then
strike out the letters that appear more than once. Then you may cyclically
shift the alphabet by some known position. You should be left with 26 unique
letters in a mixed order. Also, you must select a random offset from 0 to 25
as the initial offset.

Encryption (quoting the document): With a starter value or offset of #,
substitute the first plaintext letter by the letter found # places further
along the alphabet. Then the position of that first plaintext letter is the
new value for #, the offset for the next plaintext letter.

Decryption: With a starter value or offset of #, substitute the first
ciphertext letter by the letter found # places left along the alphabet. Then
the position of the found plaintext letter is the new value for #, the
offset for the next ciphertext letter.

As we can see, the design is simple but, although it's reported to be
"surprisingly difficult to crack even with a computer", it poses multiple
problems when it comes to serious analysis. Let's list those noticed by
myself alone:

1. Since the offset value comes from the plaintext letter we just have
encrypted, the initial offset only affects the first ciphertext letter and
nothing else. The rest of the ciphertext can be attacked as if the first
letter doesn't exist.
2. Word length, punctuation, proper noun and whitespace preservation might be
fun for recreational usage but not for any real secret communication in a
non-electronic setting.
3. Just like the original (non-interleaved) Playfair, this cipher encrypts
the same plaintext digraphs into the same ciphertext digraphs, and the
message like "aaaaaaaaaa" will encrypt into the same letter of the
ciphertext.
4. The keying scheme, while being popular at ACA, does not consider repeating
keyphrase letters at all. So, for instance, the keywords "routes" and
"routers" will produce the same alphabet.
5. The overall keyspace is too small for bruteforcing the keyed alphabet by
an adversary with modern equipment, as it corresponds to about 88 bits. This
is true for any hand ciphers that rely upon a single A-Z alphabet
permutation.

Now, how can we improve this without complicating things too much? Well,
three things come to mind: change the alphabet keying scheme, make the next
offset dependent on more things and, most importantly, introduce the second
key. Within several days of brainstorming, I have come up with something
that addresses all these points.

Enter the... DRACONDI. It stands for "Dual-key Rotating Alphabet CONDI". It
still is simple enough to execute on paper and in software but eliminates
all the original CONDI weaknesses. I have released the full design along
with some reference implementations on my Codeberg page ([1]), but here are
the main points:

1. The keying algorithm has been changed: every subsequent repeating letter
of the keyphrase is substituted with the previous unused one in the
alphabet, the process repeated if necessary. Then, the rest of the alphabet
is written in order. Then, the alphabet is cyclically shifted L characters
left, where L is the keyphrase length.
2. This keying algorithm is applied to TWO keyphrases to get TWO keyed
alphabets, KA1 and KA2.
3. The KA1 alphabet is used like in the original CONDI. Additionally, it's
used to prepend the initial offset value to the ciphertext. Unlike the
original CONDI design, this value is selected randomly for every new
ciphertext and then encrypted with KA1.
4. The KA2 alphabet is used in the next offset calculation step: instead of
the plaintext letter position in KA1, we use the _ciphertext_ letter
position in KA2 and then add (modulo 26, of course) the amount of already
encrypted/decrypted letters.
5. Finally, all word division, punctuation etc are ditched. DRACONDI
recommends (and, for software implementations, even mandates) dividing the
ciphertext into 5-letter groups, padding them with random letters at the end
to fill the last group if it's not 5 letters long.

This approach increases the keyspace size to the whopping 176 bits, makes
sure the initial offset affects the rest of the ciphertext, breaks any
digraph dependencies, makes every repeated keyphrase letter count, and
prevents revealing any information about the plaintext structure. All while
adding a single offset calculation step using the second keyed alphabet
which would still allow to maintain reasonable encryption/decryption speed
when doing things fully manually. As of now, I can't think of a simpler
substitution cipher design which would be just as secure as this one, but I
think the key is... never stop looking. Have fun!

--- Luxferre ---

[1]: https://codeberg.org/luxferre/dracondi

You are viewing proxied material from hoi.st. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.