The Mathematics of Secrets *by Joshua Holden takes readers on a tour of the mathematics behind cryptography. Most books about cryptography are organized historically, or around how codes and ciphers have been used in government and military intelligence or bank transactions. Holden instead focuses on how mathematical principles underpin the ways that different codes and ciphers operate. Discussing the majority of ancient and modern ciphers currently known, *The Mathematics of Secrets

*sheds light on both code making and code breaking. Over the next few weeks, we’ll be running a series of cipher challenges from Joshua Holden. The first was on Merkle’s puzzles. Today’s focuses on subliminal channels:*

As I explain in Section 1.6 of *The Mathematics of Secrets, *in 1929 Lester Hill invented the first general method for encrypting messages using a set of multiple equations in multiple unknowns. A less general version, however, had already appeared in 1926, submitted by an 18-year-old to a cryptography column in a detective magazine. This was Jack Levine, who would later become a prolific researcher in several areas of mathematics, including cryptography.

Levine’s system was billed as a way of encrypting two different messages at the same time. Maybe one of them was the real message and the other was a dummy message–if the message was intercepted, the interceptor could be thrown off the scent by showing them the dummy message. This sort of system is now known as a *subliminal channel*.

The system starts with numbering the letters of the alphabet in two different ways:

a b c d e f g h i j k l m 27 28 29 30 31 32 33 34 35 36 37 38 39 1 2 3 4 5 6 7 8 9 10 11 12 13 n o p q r s t u v w x y z 40 41 42 43 44 45 46 47 48 49 50 51 52 14 15 16 17 18 19 20 21 22 23 24 25 26

Suppose the first *plaintext*, or unencrypted message, is “tuesday” and the second plaintext is “tonight.” We use the first set of numbers for the first plaintext:

t u e s d a y 46 47 31 45 30 27 51

and the second set for the second plaintext:

t o n i g h t 20 15 14 9 7 8 20

The encrypted message, or *ciphertext***,** is made up of pairs of numbers. The first number in each pair is half the sum of the two message numbers, and the second number is half the difference:

t u e s d a y 46 47 31 45 30 27 51 t o n i g h t 20 15 14 9 7 8 20 33,13 31,16 22½,8½ 27,18 18½,11½ 17½,9½ 35½,15½

To decrypt the first message, just take the sum of the two numbers in the pair, and to decrypt the second message just take the difference. This works because if *P*_{1} is the first plaintext number and *P*_{2} is the second, then the first ciphertext number is

and the second is

.

Then the plaintext can be recovered from the ciphertext using

and

This system is not as secure as Hill’s because it gives away too much information. For starters, the existence and nature of the fractions is a clue to the encryption process. (The editor of the cryptography column suggested doubling the numbers to avoid the fractions, but then the pattern of odd and even numbers would still give information away.) Also, the first number in each pair is always between 14 and 39 and is always larger than the second number, which is always between ½ and 25 ½. This suggests that subtraction might be relevant, and the fact that there are twice as many numbers as letters might make a codebreaker suspect the existence of a second message and a second process. Hill’s system solves some of these issues, but the problem of *information leakage* continues to be relevant with modern-day ciphers.

**With those hints in mind, can you break the cipher used in the following message?**

11 3/5, 15 4/5 10 4/5, 9 2/5 17, 11 14 1/5, 16 3/5 9 4/5, 7 2/5 12 3/5, 7 4/5 9 2/5, 12 1/5 13 1/5, 13 3/5 18, 11 12 2/5, 14 1/5 8 4/5, 10 2/5 12 1/5, 6 3/5 15 4/5, 12 2/5 13 3/5, 13 4/5 12, 16 11 2/5, 8 1/5 9 1/5, 16 3/5 14, 17 16 3/5, 12 4/5 9 4/5, 14 2/5 12 1/5, 6 3/5 11 3/5, 15 4/5 10, 11 11 4/5, 6 2/5 10 2/5, 14 1/5 17 2/5, 12 1/5 14 3/5, 9 4/5

**Once you have the two plaintexts, can you deduce the process used to encrypt them?**

**Answer to Cipher Challenge #1: Merkle’s Puzzles**

The hole in the version of Merkle’s puzzles is that the shift we used for encrypting is vulnerable to a *known-plaintext attack*. That means that if Eve knows the ciphertext and part of the plaintext, she can get the rest of the plaintext. In Cipher Challenge #1, she knew that the word “ten” is part of the plaintext. So she shifts it until she finds a ciphertext that matches one of the puzzles:

ten UFO VGP

“Aha!” says Eve. “The first puzzle starts with VGP, so it must decrypt to ten!” Then she decrypts the rest of the puzzle:

VGPVY QUGXG PVYGP VAQPG UKZVG GPUGX GPVGG PBTPU XSNHT JZFEB whqwz rvhyh qwzhq wbrqh vlawh hqvhy hqwhh qcuqv ytoiu kagfc xirxa swizi rxair xcsri wmbxi irwiz irxii rdvrw zupjv lbhgd yjsyb txjaj sybjs ydtsj xncyj jsxja jsyjj sewsx avqkw mcihe ⋮ qbkqt lpbsb kqtbk qvlkb pfuqb bkpbs bkqbb kwokp snico euazw rclru mqctc lrucl rwmlc qgvrc clqct clrcc lxplq tojdp fvbax sdmsv nrdud msvdm sxnmd rhwsd dmrdu dmsdd myqmr upkeq gwcby tentw oseve ntwen tyone sixte ensev entee nzrns vqlfr hxdcz

So the secret key is 2, 7, 21, 16.

The hole can be fixed by using a cipher that is less vulnerable to known-plaintext attacks. Sections 4.4 and 4.5 of *The Mathematics of Secrets* give examples of ciphers that would be more secure.