PLAYFAIR CRYPTANALYSIS

Our preliminary step is to perform individual letter

frequency and digraphic counts. The former because high
frequency ciphertext letters follow closely the high
frequency letters they represent and will be located in
the upper rows; similarly, low frequency letters follow
their plain counterparts (UVWXYZ) and may be located at
the last row of the square. A digraph count is useful
because cipher digraphs follow closely the frequency of
their plaintext digraphs. i.e. TH = HM. The frequency of
HM must be high for a normal length message. Also
tetragraphs may be tested THAT, TION, THIS for
corresponding their frequencies in the square.

All the authors agree that a probable word is need for

entry into the Playfair. Due to its inherent
characteristics, Playfair cipher words will follow the
same pattern as their plaintext equivalents; they carry
their pattern into the cipher.

Given: Tip "er one day entere" Hampian. 10/1952

EU SM FV DO VC PB FC GX DZ SQ DY BA AQ OB
ZD AC OC ZD ZC UQ HA FK MH KC WD QC MH DZ
BF NT BP OF HA SI KE QA KA NH EC WN HT CX
SU HZ CS RF QS CX DB SF SI KE FP (106)

We set up a combined frequency tally with letters to the

right and left of the reference letter shown:

K Q H H B . A . Q C
D O P . B . A F P
E Q K Z O A F V . C . X S X
W Z Z . D . O Z Y Z B
K K . E . U C
S R O B . F . V C K P
. G . X
N M M . H . A A T Z
S S . IJ.
F . K . C E A E
. L .
S . M . H H
W . N . T H
D . O . B C F
F B . P . B
U A S . Q . C A S
. R . F
Q C . S . M Q I U F I
H N . T .
S E . U . Q
 F . V . C
. W . D N
C C G . X .
D . Y .
H D D . Z . D D C

This particular message has no significant repeats.

Cipher GX DZ SQ DY BA AQ OB ZD AC
Plain .. ER ON ED AY EN TE RE ..

Note the first and last pair reversal.

It is necessary to take each set of these pair

equalities and establish the position of the four
letters with respect to each other. They must conform to
the above three rules for row, column, and rectangle.

The six different sets of pairs of know equalities are

set up:

1 2 3 4 5
er = DZ on = SQ ed = DY ay = BA en = AQ
------ ------- ------ ------- -------
E D R Z O S N Q E D Y Y A B E A N Q
D S D A A
R E D N O S Y B N E A
Z Z R Q Q N Q Q N

6
te = OB
-------
T O E B
O
E T O
B B E

The three possible relations of the letters are labeled

Vertical (v), Horizontal (h), Diagonal (d). Our object
is to combine the letters in each of the set of pairs.

Combine 1 and 3: E R D Z Y

1/v - 3/v 1/h - 3/h 1/d - 3/h

--------- --------- ---------
E E D Y R Z E D Y
D Z R
Y
R
Z

Combine 2 and 5: O N S Q E A
 2/h - 5/d 2/d - 5/h 2/d - 5/d
--------- --------- ---------
O S N Q E A N Q S O
A E S O N Q
A E

Note that all the equalities hold for all letters.

Set number 6 combines only with the last combination: T

E O B N S Q A

2/d - 5/d - 6/v 2/d - 5/d - 6/d

---------------- ---------------
T S O T
S O N Q
A E A E B
B
N Q

which we now combine with 4:

2/d - 5/d - 6/d - 4/h

---------------------
S T O
Y A E B (rearranged and
N Q equalities hold)

only one combination of 1 and 3 will combine with the

above: S T O Y A B E D N Q Z R

1/d - 2/d - 3/h - 4/h - 5/d - 6/d

---------------------------------
S T O
Y A E B D
N Q
Z R

Arranged in a 5 X 5 square:

. . S T O
D Y A B E
. . . . .
. . N . Q
R . . . Z

We see that O is in the keyword, the sequence NPQ

exists, the letters S T Y are in the keyword, and three
of the letters U V W X are in needed to fill the bottom
row.

----------
. . S T O| C
D Y A B E|
. . . . .|
. . N P Q|
R . . . Z| U V W X

With the exception of F G H I K L M which must in order

fill up the 3rd and 4th rows, the enciphering square is
found as:

C U S T O
D Y A B E
F G H I K
L M N P Q
R V W X Z

Our plaintext message starts off: YOUNG RECRUIT DRIVER

ONE DAY ENTERED STORE ROOM ....

Written by Alex Biryukov (Weizmann Institute of Science, Rehovot, Israel) in 2001 for a
course taught there entitled Methods of Cryptanalysis
Lecture 3
"Cryptanalysis of the Classical Ciphers"
A quick look forward for those, who want some reading before the lecture.
Here are the lecture notes (ps, gzipped) written by Ilya Safro.
(Print with 600 or 1200 dpi to get better quality: lpr -P12laser11 lecture3.ps)
The 'after the lecture' notes are written in light green italic.

We will concentrate on the cryptanalysis of the classic schemes that we have

described.
(see LANAKI's course, lectures 1-4, 10-12, or the Army Field Manual, here is its
table of contents). See also extended lecture notes for lecture 1 (sections 1.1, 1.2) for
a classification of cryptanalytic attacks, and a sketch on methods of cryptanalysis.

We will try to cover the following attack methods

[we used D.Stinson's "Cryptography: Theory and Practice" book, pp.31-34, for the
first two topics]:

1. Frequency analysis, Index of Coincidence [Chapter 2 of the Army Field Manual]

2. Kasiski's method (for example, for Carroll's Vigenere)
3. Anagramming (for arbitrary transposition ciphers)
4. Probable word method (Rosette stone is an interesting historic example)
5. Vowel - consonants splitting [see Chapter 4 of the Army Field manual]
6. Decimation
7. Improbable word (for multi-letteral ciphers, this is the way you solve puzzle 3 of
Hw1)

Meanwhile enjoy the following story (taken from LANAKI's course lecture 17,
historic part of which is in turn taken from Khan's book.) Interestingly, here
is the same story from a totally different angle.

DIGRAPHIC CIPHERS: PLAYFAIR

Perhaps the most famous cipher of 1943 involved the
future president of U.S., J. F. Kennedy, Jr. [KAHN]
On 2 August 1943, Australian Coastwatcher Lieutenant
Arthur Reginald Evans of the Royal Australian Naval
Volunteer Reserve saw a pinpoint of flame on the dark
waters of Blackett Strait from his jungle ridge on
Kolombangara Island, one of the Solomons. He did not
know that the Japanese destroyer Amagiri had rammed and
sliced in half an American patrol boat PT-109, under
the command of Lieutenant John F. Kennedy, United States
Naval Reserve. Evans received the following message at
0930 on the morning of the 2 of August 1943:

29gps

KXJEY UREBE ZWEHE WRYTU HEYFS

KREHE GOYFI WTTTU OLKSY CAJPO
BOTEI ZONTX BYBWT GONEY CUZWR
GDSON SXBOU YWRHE BAAHY USEDQ

/0930/2

Translation:

PT BOAT ONE OWE NINE LOST IN ACTION IN BLACKETT

STRAIT TWO MILES SW MERESU COVE X CREW OF TWELVE
X REQUEST ANY INFORMATION.

The coastwatchers regularly used the Playfair system.

Evans deciphered it with the key ROYAL NEW ZEALAND NAVY
and learned of Kennedy's fate. Evans reported back to
the coastwatcher near Munda, call sign PWD, that Object
still floating between Merusu and Gizo, and at 1:12 pm,
Evans was told by Coastwatcher KEN on Guadalcanal that
there was a possibility of survivors landing either on
Vangavanga or near islands. That is what Kennedy and
his crew had done. They had swum to Plum Pudding Island
on the Southeastern tip of Gizo Island.

Several messages passed between PWD, KEN and GSE

(Evans). The Japanese made no attempt to capture Kennedy
even though they had access to the various messages. The
importance to the crew was missed even though many P-40's
could have been spotted in the Search and Rescue (SAR) attempt.
Maybe the Japanese didn't want to waste the time or men
because the exact location of the crew was not
specified. A Japanese barge chugged past Kennedy's
hideout. On 09:20 a.m. on Saturday morning 7 August 1943,
two natives found the sailors, who had moved to Gross
Island, and had reported the find to Evans. He wrote a brief
message: Eleven survivors PT boat on Gross Is X Have
sent food and letter advising senior come here without
delay X Warn aviation of canoes crossing Ferguson RE.
The square Evans used was based on the key PHYSICAL
EXAMINATION :
P H Y S I
C A L E X
M N T O B
D F G K Q
R U V W Z
The encipherment did not split the doubled letters (Gross and
crossing) as is the rule:

XELWA OHWUW YZMWI HOMNE OBTFW

MSSPI AJLUO EAONG OOFCM FEXTT
CWCFZ YIPTF EOBHM WEMOC SAWCZ
SNYNW MGXEL HEZCU FNZYL NSBTB
DANFK OPEWM SSHBK GCWFV EKMUE

A message of this length alone suffices for the solution of

Playfair.There were four more messages in the same key,
including one of 335 letters, beginning:

XYAWO GAOOA GPEMO HPQCW IPNLG RPIXL

TXLOA NNYCS YXBOY MNBIN YOBTY QYNAI ...,

for

Lieut. Kennedy considers it advisable that he pilot PT

boat tonight X ...

These five messages detailed the rescue arrangements, which

offered the Japanese a chance to not only to get the crew (and
change all history!) but also the force coming out to save it.
All of the messages could have been solved within an hour by
even a moderately experienced cryptanalyst.Yet some ten hours
later, at 10:00 p.m. Kennedy and his crew was rescued.

Digraphic substitution refers to the use of pairs of

letters to substitute for other pairs of letters. The
Playfair system was originated by the noted British
scientist, Sir Charles Wheatstone (1802 - 1875) but, as
far as known, it was not employed for military or
diplomatic use during his lifetime. About 1890 it was
adopted for use by the British Foreign Office on the
recommendation of Lord Lyon Playfair (1818-1898) and
thereafter by mistake identified with its sponsor.

Encipherment
The Playfair is based on a 25 letter alphabet (omit J)
set up in a 5 X 5 square. A keyword is written in
horizontally into the top rows of the square and the
remaining letters follow in regular order. So for the
key = LOGARITHM, we have:
L O G A R
I T H M B
C D E F K
N P Q S U
V W X Y Z
In preparation for encipherment, the plaintext is
separated into pairs. Doubled letters such as SS or NN
are separated by a null.

For example, "COME QUICKLY WE NEED HELP" we have

CO ME QU IC KL YW EN EX ED HE LP

There are three rules governing encipherment:

1. When the two letters of a plain text pair are in

the same column of the square, each is enciphered
by the letter directly below it in that column. The
letter at the bottom is enciphered by the letter at
the top of the same column.

Plain Cipher
OP TW
IC CN
EX QG

2. When the two letters of a plain text pair are in

the same row of the square, each is enciphered by
the letter directly to its right in that row. The
letter at the extreme right of the row is enciph-
ered by the letter at the extreme left of the same
row.
Plain Cipher
YW ZX
ED FE
QU SN

3. When two letters are located in different rows and

columns, they are enciphered by the two letters
which form a rectangle with them, beginning with
the letter in the SAME ROW with the first letter of
the plaintext pair. (This occurs about 2/3 of the
time.)

Plain Cipher
CO DL
ME HF
KL CR
LP ON

Decipherment, when the keyword is known, is accomplished

by using the rules in reverse.
Identification Of The Playfair
The following features apply to the Playfair:

1. It is a substitution cipher.

2. The cipher message contains an even number of

letters.

3. A frequency count will show no more than 25 letters.

(The letter J is not found.)

4. If long repeats occur, they will be at regular (even)

intervals. In most cases, repeated sequences will be
an even number of letters.

5. Many reversals of digraphs.

Peculiarities
1. No plaintext letter can be represented in the cipher
by itself.

2. Any given letter can be represented by 5 other

letters.

3. Any given letter can represent 5 other letters.

4. Any given letter cannot represent a letter that it

combines with diagonally.

5. It is twice as probable that the two letters of any

pair are at the corners of a rectangle, than as in
the same row or column.

6. When a cipher letter has once been identified as a

substitute for a plaintext letter, their is a 20%
chance that it represents the same plaintext letter
in each other appearance.

The goal of recovery of the 5 X 5 square and various

techniques for accomplishing this are the focus for
solving the Playfair. Colonel Parker Hitt describes
Lieutenant Frank Moorman's approach to solving the
Playfair which addresses the keyword recovery logically.
[HITT]. Other writers [ELCY], [BOW2], [FRE4], and
[MAST] do an admirable job of discussing the process.
However, W. M. Bowers Volume I on Digraphic Substitution
presents the easiest protocol for students. [BOWE]
PLAYFAIR CRYPTANALYSIS
Our preliminary step is to perform individual letter
frequency and digraphic counts. The former because high
frequency ciphertext letters follow closely the high
frequency letters they represent and will be located in
the upper rows; similarly, low frequency letters follow
their plain counterparts (UVWXYZ) and may be located at
the last row of the square. A digraph count is useful
because cipher digraphs follow closely the frequency of
their plaintext digraphs. i.e. TH = HM. The frequency of
HM must be high for a normal length message. Also
tetragraphs may be tested THAT, TION, THIS for
corresponding their frequencies in the square.

All the authors agree that a probable word is need for

entry into the Playfair. Due to its inherent
characteristics, Playfair cipher words will follow the
same pattern as their plaintext equivalents; they carry
their pattern into the cipher.

Given: Tip "er one day entere" Hampian. 10/1952

EU SM FV DO VC PB FC GX DZ SQ DY BA AQ OB
ZD AC OC ZD ZC UQ HA FK MH KC WD QC MH DZ
BF NT BP OF HA SI KE QA KA NH EC WN HT CX
SU HZ CS RF QS CX DB SF SI KE FP (106)

We set up a combined frequency tally with letters to the

right and left of the reference letter shown:

K Q H H B . A . Q C
D O P . B . A F P
E Q K Z O A F V . C . X S X
W Z Z . D . O Z Y Z B
K K . E . U C
S R O B . F . V C K P
. G . X
N M M . H . A A T Z
S S . IJ.
F . K . C E A E
. L .
S . M . H H
W . N . T H
D . O . B C F
F B . P . B
U A S . Q . C A S
. R . F
Q C . S . M Q I U F I
H N . T .
S E . U . Q
 F . V . C
. W . D N
C C G . X .
D . Y .
H D D . Z . D D C

This particular message has no significant repeats.

Cipher GX DZ SQ DY BA AQ OB ZD AC
Plain .. ER ON ED AY EN TE RE ..

Note the first and last pair reversal.

It is necessary to take each set of these pair

equalities and establish the position of the four
letters with respect to each other. They must conform to
the above three rules for row, column, and rectangle.

The six different sets of pairs of know equalities are

set up:

1 2 3 4 5
er = DZ on = SQ ed = DY ay = BA en = AQ
------ ------- ------ ------- -------
E D R Z O S N Q E D Y Y A B E A N Q
D S D A A
R E D N O S Y B N E A
Z Z R Q Q N Q Q N

6
te = OB
-------
T O E B
O
E T O
B B E

The three possible relations of the letters are labeled

Vertical (v), Horizontal (h), Diagonal (d). Our object
is to combine the letters in each of the set of pairs.

Combine 1 and 3: E R D Z Y

1/v - 3/v 1/h - 3/h 1/d - 3/h

--------- --------- ---------
E E D Y R Z E D Y
D Z R
Y
R
Z

Combine 2 and 5: O N S Q E A
 2/h - 5/d 2/d - 5/h 2/d - 5/d
--------- --------- ---------
O S N Q E A N Q S O
A E S O N Q
A E

Note that all the equalities hold for all letters.

Set number 6 combines only with the last combination: T

E O B N S Q A

2/d - 5/d - 6/v 2/d - 5/d - 6/d

---------------- ---------------
T S O T
S O N Q
A E A E B
B
N Q

which we now combine with 4:

2/d - 5/d - 6/d - 4/h

---------------------
S T O
Y A E B (rearranged and
N Q equalities hold)

only one combination of 1 and 3 will combine with the

above: S T O Y A B E D N Q Z R

1/d - 2/d - 3/h - 4/h - 5/d - 6/d

---------------------------------
S T O
Y A E B D
N Q
Z R

Arranged in a 5 X 5 square:

. . S T O
D Y A B E
. . . . .
. . N . Q
R . . . Z

We see that O is in the keyword, the sequence NPQ

exists, the letters S T Y are in the keyword, and three
of the letters U V W X are in needed to fill the bottom
row.

----------
. . S T O| C
D Y A B E|
. . . . .|
. . N P Q|
R . . . Z| U V W X

With the exception of F G H I K L M which must in order

fill up the 3rd and 4th rows, the enciphering square is
found as:

C U S T O
D Y A B E
F G H I K
L M N P Q
R V W X Z

Our plaintext message starts off: YOUNG RECRUIT DRIVER

ONE DAY ENTERED STORE ROOM ....

SERIATED PLAYFAIR
Perhaps the best known variation of the Playfair system,
and one which adds greatly to its security, is called
the Seriated Playfair.

The plain text is written horizontally in two line

periodic groups as shown below in period six

C O M E Q U E N E E D H M E D I A T
I C K L Y W (X)E L P I M E L Y T O M

The vertical pairs are formed and enciphered by the

regular Playfair rules. Based on the keyword LOGARITHM,
the above message is enciphered:

L O G A R Cipher:
I T H M B N L B C S P Q Q C D C M H C F T R H
C D E F K C D F G X Z G C G Q T B F G W H G B
N P Q S U
 V W X Y Z

we take the ciphertext off horizontally by the same

route by which the plain text was written in for
encipherment:

NLBCS PCDFG XZQQC DCMGC GQTBH CFTRH FGWHG B.

Solution of Seriated Playfair:

We assume a period of 4 - 10 which fits most of the
cases encountered. Of prime importance is determination
of the period. We test the various periods and eliminate
any test where we find a vertical pair consisting of two
appearances of the same letter.

If the message enciphered above is tested this way, in

all periods from 4 - 10, it will be found that period 6
is correct. All others will show a doubled vertical
pair.

Charles A. Leonard [PLAf] detailed a method to determine

impossible periods mathematically:

S2
------- = Q & R
S2 - S1

where: S2 - S1 = Period, Q = quotient, R = remainder

Substituting known S values in this formula and solving

for Q and R, a doubled vertical pair will occur in
period S2 - S1 in the following cases:

1. When Q is an odd number and R is greater than

zero;
2. When Q is an even number and R is zero.

Cipher letter position numbers in our message are:

A B C D E F G H I K L etc.
3 4 8 9 10 25 2
24 7 16 27 19 30
36 15 31 21 34
17 32
20 35
26
Period Letter S2 - S1 Q R Result
4 F 31 - 27 7 3 Eliminated-Case 1
5 C 20 - 15 4 0 Case 2
6 C 26 - 20 4 2 possible
7 H 34 - 30 Eliminate-last gp
8 D 16 - 8 2 0 Case 2
9 C 26 - 17 2 8 possible
G 19 - 10 2 1 possible
H 34 - 25 3 7 Case 1
10 C 17 - 7 1 7 Case 1

When a periodic group S2 - S1 does not occur in message

the last group is inspected. If it is shorter than the
regular groups of the period being tested, a double
vertical pair may show at S2- S1 value equal to the
length of this final group. If so, eliminate.

The mono and digraphic frequency counts are made.

Plaintext high frequency digraphs and tetragraphs do not
carry their identity over into the cipher and are not
recognizable. Entry must be made with a probable word.
Patterns do carry over to the two line groups and will
repeat.

The placing of the probable word is important. Given a

cipher text slice with period 6 found using the Leonard
procedure:

HKILVP PBVBAA BHRPOU TBITFE UCEVZK

RNFTZU HZWVFR UDTKBD UIBYNS EXBZAR

and the probable phrase "is destined to", the word

destined could be in any of the following positions when
enciphered in period 6:

DESTIN .DESTI ..DEST ...DES ....DE

ED.... NED... INED.. TINED. STINED

The DE = ED reversal in all arrangements is noted and

found in the cipher text portion:

BHRPOU TBITFE UCEVZK

UDTKBD UIBYNS EXBZAR
.desti
ned..

adding the additional information:

 BHRPOU TBITFE UCEVZK
UDTKBD UIBYNS EXBZAR
. sdesti
i nedto.

we develop several equations:

ed = IB
-I = UD, sn = TU, de = BI, ST = TY, to =FN, I- =ES

these translate to the following equalities:

1 2 3 4 5
SN = TU DE = BI ST = TY TO = FN I- = ES
------- ------- ------ ------- -------
S T N U D B E I S T Y T F O N I E - S
T B T F E
N S T E D B Y O T F - I E
U U N I I E N N O S S -

6 7
-I = UD ED = IB
------- -------
- U I D E I D B
U I
I - U D E I
D D I B B D

After some work (and with some assumptions to be tested

we develop a tentative square for the system:

1/d-2/d -3/h-4/v- 5/h -6/h

--------------------------
-
O U N
I E
D B
F S T Y

check:
TO=FN+ + = yes
SN=TU+
ST=TY+ letters left: A C E G H K
I-=ES -=t IT =ES L M P Q R V
DE=BI+ W X Z
ED=IB+
-I=UD+

from here we need to expand on the cipher text or choose

another probable word.