# Can you break this bigram substitution from the Cold War?

George Lasry has found an interesting collection of challenge ciphers, probably used to train codebreakers during the early Cold War. Today, I’m going to present one of these challenges.

Two weeks ago, on the day before the NSA Symposium on Cryptologic History started, I went to the National Archives and Records Administration (NARA) in College Park near Washington, D.C. Together with Israeli codebreaker George Lasry …

Source: Klaus Schmeh

… I combed through thousands of documents related to cryptography, mainly from the Second World War and the early Cold War. We found a lot of interesting stuff, including information about US encryption machines George can use for his research work. We spent an interesting day at NARA, but it was also exhausting to deal with such a huge amount of information.

Of course, George knows that I’m always looking for historical cryptograms I can publish on my blog. While he was skimming through one of the files he had ordered, he said: “I have found something interesting for you. This might provide enough material to write about on your blog for a whole year.”

What George had discovered was a collection of challenge ciphers, probably from the Cold War. Unfortunately, the file was not properly labeled, so we don’t know exactly where these ciphertexts come from. Apparently, they were used for training US cryptologists, approximately in the 1950s.

The collection consists of several dozens of cipher problems, starting with MASCs (monoalphabetical substitutions), then getting more and more difficult. Among others, polyalphabetic and turing grille cryptograms are contained. The solutions are not provided.

### A bigram substitution

Some of the challenges George found are headlined “Digraphic Substitution”. The first one (problem VIIIa) is reproduced in the following.

A digraphic substitution (also known as bigram substitution) replaces letter pairs. There are numerous variants of this method, but only two of these have found widespread use:

• The general bigram substitution is based on a table that provides a replacement (usually another bigram) for every existing bigram. If we are dealing with an alphabet of 26 letters, such a table has 676 columns. The shortest general bigram ciphertext ever broken has 1000 letters. This record was set by Jarl Van Eycke and Louie Helm only a few days ago.
• The Playfair cipher is defined by a set of simple rules. It is much easier to handle than a general bigram substitution, but less secure. The shortest Playfair cryptogram ever solved (not counting a few special cases) consists of 30 letters. This record was set by Magnus Eckhall earlier this year.

Considering that problem VIIIa has some 250 letters, it is unlikely that it was created with a general bigram substitution (at least, if we assume that it is meant to be solvable). So, my guess is that a Playfair cipher was used. However, this is only a guess, other options (i.e., less popular bigram substitutions) are possible, as well.

Can a reader find out which method was used to encrypt this ciphertext? And can somebody decipher it? If so, please let us know.

Further reading: A cryptographic challenge from the German TV show “TV total”

## Kommentare (12)

1. #1 Nils Kopal
Krefeld
3. November 2019

Transcription:
UH KZ KN SY KP JP CR QQ GL HO IY SF JI LN TK UY BB SD
BX AV LB CG EU LY KI FF HG QK BB CG BL NN RW CF ZC NR
ZC NR LS GQ NE EU WX MG SU CA CF JL TT WR MI DG EH MC
DG NE EF JN MT OR GW AG EA SD JI SQ OR HG YU RW LC GL
LS CQ NE EH SK LT YJ MD GL BU SO KY HS GQ BE HV MN CT
ST AS CF JL TT WR JM IW FF JN NI XG NJ HG NC KK PM TZ RN SO
CG NJ SP BB SO KL EF NG KJ PM TZ RN SY NR KZ JT CT BA KS JO

2. #2 Nils Kopal
Krefeld
3. November 2019

Don’t think its Playfair since you have 26 different letters. And with Playfair you have I = J, meaning, 25 letters 🙂

3. #3 Bill Briere
Wyoming, USA
3. November 2019

Someone can surely make quick work of this sans computer.

Here’s a crib that might get it started: Looks like a four-square, probably with 2 direct standard alphabets and 2 very gently keyword-mixed alphabets, making “ZC NR ZC NR” likely “ZE RO ZE RO.”

Alternate the use of I and J or of U and V. If this puzzle’s still here tomorrow, I’ll take a stab at it myself!

4. #4 TWO
iSLA JIMENEZ
3. November 2019

Ok I’ll give it a go but dont laugh too much please.

5. #5 George Lasry
3. November 2019

Klaus, maybe you could provide the full page, as there are several messages, and they could be related.

6. #6 Magnus Ekhall
Borensberg
6. November 2019

I agree with George – from the photo it looks like exercise VIII (a) consists of several messages, with only the first one (serial #1) being visible in the photo.
So the original exercise was probably meant to be solved with all messages available to the solver.

The transcription Nils provided has a few typos in it. Here is my attempt to correct them:
UH KZ KN SY KP JC CR QQ GL HP IY SF JI LN TK UY BB SD
BX AV LB CG EU LY KI FF HG QX BB CG BL NN RW CF ZC NR
ZC NR LS GQ NE EU WX MG SU CA CF JL TT WR MI DG EH MC
DG NE EF JN MT OR GW AG EA SD JI SQ OR HG YU RW LC GL
LS GQ NE EH SK LT YJ MD GL BU SO KY HS GQ BE HV MN CT
ST AS CF JL TT WR JM IW FF JN NI XG NJ HG NC KK PM TZ RN SO
CG NJ SP BB SO KL EF NG KJ PM TZ RN SY NR KZ JT CT BA KS JO

7. #7 George Lasry
6. November 2019
8. #8 Magnus Ekhall
Borensberg
6. November 2019

Thank you George.

I see that some repeats (underlined) extends to only one character in a bigram. For example: SP K in “SP KT”, “SP KA”, “SP KD” and “SP KP”.

If this is a digraphic substitution cipher, what does this effect say about the selected cipher?

9. #9 Richard Bean
Brisbane
8. November 2019

It can’t be standard Playfair because of the doubled letters in the ciphertext. Perhaps the underlined repeats with just one of two characters indicate seriation, with some contrived long repeats in there across the line pairs. Then if you have enough ciphertext to work with, you can guess the seriation width and start filling in your key squares/rectangles. There are lots of variants and an obvious one is to combine I/J and U/V like Bill said and use 4×6 rectangles.

10. #10 Richard Bean
Brisbane
8. November 2019

Second message

NE MD YF NR HB KY HG GQ SP RF TK RI IK NR WZ VJ KH SA
JF SP KT RN SL KI NH SP KA RB LT JB JN GV LN UQ UR AS SE
TS NX MD JQ JH EH ZC NR EH FX SF BL LN NX YF RN SU RF AV
SE BX AV LV KL FO JH EH KL ST GL SK FF JJ SG NE SE JI SN
JE IW OR HH GF JN BD CL JO KI JM WX BL SP ML TS AQ BD BA
SF EK KK SP CF SW SP RP EF HA NN TT RF FQ GQ WR MI DY HX
CQ KI JO SV SN JM RV JE AG VJ KH SU YX SP KD GL JM NE SI
SP KP JC CR QG RK MW SD SQ RN SP SD CF CQ KI JR KI NX SF
GE LN NX YS GV JN CU KT SQ SV SN LS GQ NE EN

11. #11 Rossignol
Paris, France
10. November 2019

Imho these cryptograms are encrypted with a large (26×26) table of bigrams.
For military cryptography, a good reference is Milirary Cryptanalytics by Friedman and Callimahos.
There are some examples of such tables page 153 et seq.
https://archive.org/details/41748189078749/page/n163

I think the purpose of the exercise is the use of word lists:
https://archive.org/details/41748189078749/page/n349
pattern word lists:
https://archive.org/details/41748189078749/page/n367
and digraphic idiomorphs:
https://archive.org/details/41748189078749/page/n387

For instance, for the two words KK PM TZ RN S* and KJ PM TZ RN S*
with the table https://archive.org/details/41748189078749/page/n363
we obtain
DETRAINED – ENTRAINED
DECREASED – INCREASED
DEFENSIVE – OFFENSIVE
DETENTION – RETENTION – INTENTION – ATTENTION
…etc
A lot of cases to test.

It’s old school cryptography: a sheet of paper, a pencil and a big big eraser!

Note that, with the bigrams of the two cryptograms, the index coincidence for the
first letters is 0.067 against 0.041 for the second letters.
The distribution of the first letters seems monoalphabetic.

12. #12 Thomas
10. November 2019

These idiomorph tables for solving four square ciphers were later extended in the Field manual: https://archive.org/details/Fm3440.2BasicCryptAnalysis/page/n281