The straddle checkerboard was an important part of many Cold War ciphers. Can a reader decipher three ciphertexts I created with this encryption method?

Today, I’m going to address an encryption method from the Cold War: the straddle checkerboard cipher. This algorithm is a substitution cipher that replaces each letter of the alphabet with either a one-digit or a two-digit number. I will explain the straddle checkerboard cipher in the following. A more detailed description is available here.


The straddle checkerboard cipher

In order to use the straddle checkerboard cipher, we need a table with four rows. The numbers from 0 to 9 are written into the first one:


Next, we write the eight most frequent letters of the English language (ETAONISH) into the second line. The order of the letters and the position of the two empty cells are a part of the key. The two numbers above the blancs are written at the beginning of the third and fourth row (the order is key-dependent). The remaining letters are written behind the two numbers (in a key-dependet way). Again, there will be two empty cells, the positions of which are a part of the key. Here’s an example:


Now, each letter in the second line is encrypted with the number above it. Every other letter is represented by a two-digit number consisting of the digit at the start of the line and the digit above it.

For instance, the plaintext CRYPTOLOGY encrypts to 8868628443646057.

Although some letters are replaced with a two-digit number, while others correspond to a single digit, it is possible to decrypt a ciphertext unabiguously.

The straddle checkerboard cipher can certainly be broken, unless the ciphertext is very short. However, this method is quite useful as a first step in a more complex encryption procedure. For instance, the straddle checkerboard was used as a part of the VIC cipher, a method applied by Soviet spies during the Cold War.

West German spies used the stradle checkerboard to turn a plaintext into a sequence of numbers that was encrypted with the One Time Pad. The German variants of this method had names such as DEIN STAR, STEIN RAD, or EI STRAND, as these expressions contain the eight most frequent German letters. The method DEIN STAR, for instance, required the user to write the letters DEIN_STAR_ into the line below the numbers.


Three challenges

A question I ask myself is how much ciphertext is required to break a straddle checkerboard cipher. For this reason, I created three challenges. They are based on on English plaintexts containing 30, 60, and 90 letters respectively. Here they are:

Challenge 1 (30 letters)


Challenge 2


Challenge 3


Each message was encrypted with a different key. This means that the positions of the eight letters in the second row are different (but still, only the letters E, T, A, O, N, I, S,  and H appear in this line). The positions of the remaining letters in lines three and four are different, too. The two unused digits in the first line can appear in random order at the beginning of lines three and four.

Can a reader break these messages?

Further reading: The ciphers of spy Brian Regan


Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (14)

  1. #1 Narga
    20. September 2019

    Ooooh! My favorite cipher!

    #3: this message is for all my readers if you crack it you prove that an encrypted note of this length can be solved

  2. #2 Narga
    20. September 2019

    #2 dear ben i send you the best of my love and warm greetings from this island

  3. #3 Klaus Schmeh
    20. September 2019

    @Narga: Congratulations, these solutions are correct. How did you find them?

  4. #4 Narga
    21. September 2019

    This cipher is actually not much more complicated than a substitution cipher. If you are able to solve one of these, the additional difficulty only lies in grouping the numbers right in single or double digits. It turns out that this is only affected by the top line of the key! Where you put the rest of the letters just exchanges for example all F for B. It doesn’t even make any difference where you put the letters ETAOINSH. That means finding the positions of the empty cells is the only additional work here and then solving a simple substitution.

    There are only (10 choose 2)=45 possibilities to place the empty cells! You can generate these in a few lines of code. Many of those even lead to contradictions when grouping the numbers. But most of all: they lead to different numbers of plaintext letters. So if you say “60 letter challenge” there is in fact only one or two simple substitutions to solve 🙂

    The 30 letter challenge has 5 simple substitutions left to solve that lead to 30 letters. However, I was not able to solve those, yet. 🙂

  5. #5 Thomas
    21. September 2019

    Great job!

  6. #6 Klaus Schmeh
    21. September 2019

    @Narga: Thanks for explaining. I knew that revealing the length of the plaintext makes breaking the challenge easier. Apperently, this seems to be even more the case than I thought. Perhaps, it would be better to keep this information secret.

  7. #7 Gerd
    21. September 2019

    Narga, thanks for pointing this out. The longer the text, the easier it should be to sort out selections of the two digits used for line 3 and 4 that are contradicionary. So if this cipher is not much safer than a MASC, I wonder why it has been used for secret service purposes.

  8. #8 Gerd
    21. September 2019

    Some ideas about the key space: a MASC has 26! possible keys, giving 4E26. For the straddle checkerboard I find the 45 possibilites for the “empty digits” and then 8! for filling the second line and 20!/2 for filling line 3 and 4 with 18 letters and two empty places. That is only 2.2E24 possible keys, less than for MASC. Is that right?

  9. #9 Bill Ricker
    Boston USA
    21. September 2019

    Yes, announcing the number of letters and that top line is always ETAOINSH , never an R, never a rare letter, both constrain our search space unrealistically.

    However, other classic techniques, nearly as good results are possible without knowledge of N number of letters.

    As @Narga notes, contradictions in grouping are useful. In the general straddling checker, the only contradiction would be ending with a final, singleton prefix digit. (A System could err by fixing the free spare cells as pq and qp, where p,q are the prefix digits. As Klaus notes, those were free variations expanding keyspace, so that would be an error.)

    I find message 1 ending in ’93’ rejects 8/45 as expected, only prefixes=39 among ?3,3? works; message 2, ending ’42’, likewise; but message 3, ending ‘544’, only rejects prefixes=45 since ’44’ is valid with any prefixes including 4 but not 5.)

    Counting digit frequency, the two prefixes and the E should be the three strongest digits, but it’s fallible. With these short messages can’t count on T being 2nd strongest.

    Even without the known number of letters and rejecting a bad last split, choice of top line blanks / left prefix-digits can be rated by Friedman Kappa/IC test. The 45 pairs of prefix digits driving the trial divisions into ‘letters’ (as described by @Narga) can be Kappa tested to see if it’s a MASC. English should be k=~1.73; I was accepting k in [1.5,2.0] for this. Doing Kappa first, only a couple candidates with acceptable Kappa are culled with N=30,60,90 hint, which hint is even more powerful but only slightly so.

    message 1

    Case: {prefix=>4 7, e=>9, N=>30, kappa=>1.94, Nc=>[5 3 3 3 3 2 2 2 1]}

    Case: {prefix=>6 9, e=>5, N=>30, kappa=>1.88, Nc=>[4 4 3 3 3 2 2 2 1]}

    Case:X{prefix=>7 9, e=>5, N=>29, kappa=>1.73, Nc=>[3 3 3 3 3 3 2 2 1]}

    Klaus says 30 letters so N=29 isn’t it, skipping Case: 7 9

    (3 candidates by Kappa, 5 candidates by N=30, both: 2)

    message 2

    Case: {prefix=>0 4, e=>9, N=>60, kappa=>1.67, Nc=>[8 5 5 4 4 4 4 4 4]}

    (1 canidate by Kappa, 1 candidate by N=60; Length varies wildly!)

    message 3

    Case: {prefix=>4 8, e=>5, N=>90, kappa=>1.67, Nc=>[12 8 7 7 7 6 5 5 4]}

    Case:X{prefix=>5 8, e=>4, N=>88, kappa=>1.58, Nc=>[12 9 7 6 6 5 5 4 3]}

    Klaus says 90 letters so N=88 isn’t it, skipping Case: 5 8

    (2 candidates by Kappa, 1 candidate by N=90, both: 1)

    So only message 1 is ambiguous.
    (And the bad split had best Kappa, hit goal 1.73 exactly :-/)

  10. #10 Narga
    21. September 2019

    And #1:
    don’t take these words as a new gospel

    Ok, wow, this one was tough because it was so short.

  11. #11 Klaus Schmeh
    21. September 2019

    @Narga: Congratulations, this is correct.

  12. #12 Bill Ricker
    Boston USA
    21. September 2019

    Interesting, @Narga’s solution to #1 does not match the Kappa preferred prefix sets …

  13. #13 Bill Ricker
    Boston USA
    21. September 2019

    Interesting. Kappa/IC of the Message 1 plaintext is > 2.0, k=2.15+, so I have to open up the Kappa window to e.g. [1.2, 2.5] in order to accept the correct prefixes 2,9 with K=2.15 as a candidate — at which point the N=30 hint *is* majorly helping skip 9 of 14 candidates within wider Kappa window (that had passed the trial-division into letters i.e. not ending in singleton prefix).

    IIRC that’s vaguely normal that shorter texts can have higher Kappa, as these things converge in the limit, but i didn’t /expect/ to need to open it /that/ much wider.

  14. #14 TWO
    JFC Brunsum
    22. September 2019

    @Klaus great puzzle you designed!

    @Narga great lateral thinking!

    @Bill Ricker superb analysis!
    I wonder how far you would make it with the QRU puzzle.
    Which is designed to defeat cryptanalysis,