Running key cipher

Running key cipher

In classical cryptography, the running key cipher is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide a very long keystream. Usually, the book to be used would be agreed ahead of time, while the passage to use would be chosen randomly for each message and secretly indicated somewhere in the message.


Suppose we have agreed to use "The C Programming Language" (1978 edition) as our text, and we are using the ordinary "tabula recta" as our tableau. We need to send the message 'Flee at once'.

First, we choose a starting point. Let us choose page 63, line 1:

:errors can occur in several places. A label has...

We write out the running key under our plaintext:

Plaintext:fleea tonce
Running key:ERROR SCANO
Ciphertext:JCVSR LQNPS

And send the message 'JCVSR LQNPS'. However, unlike a Vigenère cipher, if we have to extend our message, we don't repeat the key; we just continue on from the key text. So suppose we need a longer message, like: 'Flee at once. We are discovered'. Then we just continue as before:

Plaintext:fleea toncewe aredisc overed

Next we need to tell the recipient where to find the running key for this message. In this case, we've decided to make up a fake block of five ciphertext characters, with three denoting the page number, and two the line number, using A=0, B=1 etc to encode digits. Such a block is called an indicator block. The indicator block will be inserted as the second last of each message. (Of course, many other schemes are possible for hiding indicator blocks). Thus page 63, line 1 encodes as 'AGDAB'.

Finally we can send the message 'JCVSR LQNPS YGUIM QAWXS AGDAB MECTO'.


Modern variants of the running key cipher often replace the traditional "tabula recta" with bitwise exclusive or, operate on whole bytes rather than alphabetic letters, and derive their running keys from large files. Apart from possibly greater entropy density of the files, and the ease of automation, there is little practical difference between such variants and traditional methods. If the running key is random, never reused, and kept secret, the result is a one-time pad, a method that provides perfect secrecy (reveals no information about the plaintext).


Perhaps surprisingly, the security is usually fairly poor. This is because the entropy per character of both plaintext and running key is low, and the combining operation is easily inverted. This means a cryptanalyst can run guessed probable plaintexts along the ciphertext, subtracting them out from each possible position. When the result is a chunk of something intelligible, there is a high probability that the guessed plain text is correct for that position (as either actual plaintext, or part of the running key). The 'chunk of something intelligible' can then often be extended at either end, thus providing even more probable plaintext - which can in turn be extended, and so on. Eventually it is likely that the running key will be recognised, and the jig is up. This process is sometimes performed as a simple puzzle, for recreation.

There are several ways to improve the security. The first and most obvious is to use a secret mixed alphabet tableau instead of a "tabula recta". This does indeed greatly complicate matters but it is not a complete solution. Pairs of plaintext and running key characters are far more likely to be high frequency pairs such as 'EE' rather than, say, 'QQ'. This skew this causes to the output frequency distribution is smeared by the fact that it is quite possible that 'EE' and 'QQ' map to the same ciphertext character, but nevertheless the distribution is not flat. This may enable the cryptanalyst to deduce part of the tableau, then proceed as before (but with gaps where there are sections missing from the reconstructed tableau).

Another possibility is to use a key text that has more entropy per character than typical English. For this purpose, the KGB advised agents to use documents like almanacs and trade reports, which often contain long lists of random-looking numbers.

Another problem is that the keyspace is surprisingly small. Suppose that there are 100 million key texts that might plausibly be used, and that on average each has 11 thousand possible starting positions. To an opponent with a massive collection of possible key texts, this leaves possible a brute force search of the order of 2^{40}, which by computer cryptography standards is a relatively easy target.


Because both ciphers classically employed novels or Bibles as part of their key material, many sources confuse the book cipher and the running key cipher. They are really only very distantly related. The running key cipher is a polyalphabetic substitution, the book cipher is a homophonic substitution. Perhaps the distinction is most clearly made by the fact that a running cipher would work best of all with a book of random numbers, whereas such a book (containing no text) would be useless for a book cipher.

See also

* Polyalphabetic substitution
* Substitution cipher
* Book cipher
* Topics in cryptography

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Key size — In cryptography, key size or key length is the size measured in bits[1] of the key used in a cryptographic algorithm (such as a cipher). An algorithm s key length is distinct from its cryptographic security, which is a logarithmic measure of the… …   Wikipedia

  • Substitution cipher — In cryptography, a substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext according to a regular system; the units may be single letters (the most common), pairs of letters, triplets of letters,… …   Wikipedia

  • Book cipher — A book cipher is a cipher in which the key is some aspect of a book or other piece of text; books being common and widely available in modern times, users of book ciphers take the position that the details of the key is sufficiently well hidden… …   Wikipedia

  • Stream cipher attack — Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive or operation (xor), can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:*keys must never be… …   Wikipedia

  • Vigenère cipher — The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.The Vigenère (pronEng|ˌviːdʒɪˈnɛəɹ, veedj ih nair )… …   Wikipedia

  • Hill cipher — Hill s cipher machine, from figure 4 of the patent In classical cryptography, the Hill cipher is a polygraphic substitution cipher based on linear algebra. Invented by Lester S. Hill in 1929, it was the first polygraphic cipher in which it was… …   Wikipedia

  • Transposition cipher — In cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext (which are commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext… …   Wikipedia

  • Classical cipher — A cipher is a means of concealing a message, where letters of the message are substituted or transposed for other letters, letter pairs, and sometimes for many letters. In cryptography, a classical cipher is a type of cipher that was used… …   Wikipedia

  • Caesar cipher — The action of a Caesar cipher is to replace each plaintext letter with one fixed number of places down the alphabet. This example is with a shift of three, so that a B in the p …   Wikipedia

  • Pigpen cipher — The pigpen cipher uses graphical symbols assigned according to a key similar to the above diagram.[1] The pigpen cipher (sometimes referred to as the masonic cipher, Freemason s cipher, Rosicrucian cipher, or Tic tac toe cipher) …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.