Polyalphabetic Ciphers

Vigenère is the textbook polyalphabetic cipher, but it's not the only one. Several variants and predecessors share the same core idea — multiple substitution alphabets in rotation, one per position — while differing in the details that change how attackable they are.

The core idea

A monoalphabetic cipher (Caesar, simple substitution) has one alphabet. The same plaintext letter always encrypts to the same ciphertext letter. Frequency analysis trivially breaks it.

A polyalphabetic cipher uses several alphabets in some pattern:

position:    1 2 3 4 5 6 7 8 9 ...
plaintext:   A T T A C K A T D ...
key:         L E M O N L E M O ...        ← LEMON repeating
ciphertext:  L X F O P V E F R ...        ← Vigenère: C = (P + K) mod 26

Each plaintext A is encrypted with whatever key letter happens to be aligned with it — sometimes L, sometimes O. So plaintext A produces multiple ciphertext letters. The single-letter frequency signal is smeared across multiple alphabets (one per key position), defeating naive frequency analysis.

Vigenère (recap)

We've covered Vigenère in lesson 02. Quick recap:

• Encrypt: C = (P + K) mod 26
• Decrypt: P = (C - K) mod 26
• Key is repeated to message length
• Weakness: short repeating keys produce statistical regularity. If you guess the key length, you can apply frequency analysis to each "column" (every L-th letter) separately.

Beaufort cipher

A reciprocal variant. Instead of (P + K) mod 26, use (K - P) mod 26:

Encrypt: C = (K - P) mod 26
Decrypt: C = (K - P) mod 26    ← SAME formula!

Because subtraction is its own inverse in this construction, encrypting twice produces the original plaintext. One implementation does both directions. This was useful when sender and receiver had to be operationally symmetric — German naval Enigma used a reciprocal property too, for the same reason.

Cryptanalytically Beaufort is the same difficulty as Vigenère — same key-length attack via Kasiski or Friedman.

Autokey cipher

The big idea: extend the key with the plaintext itself.

keyword:    LEMON
plaintext:  ATTACK AT DAWN
extended:   LEMON ATTACK AT DAWN     ← keyword + plaintext
            ^^^^^ first 5 from keyword, then plaintext
key for
encryption: LEMON ATTACK AT DA       ← truncated to plaintext length

So the effective "key" has no period. Kasiski examination fails because there's no repeating pattern.

But there's a recurrence to exploit. If you guess that the keyword is 5 letters, then the 6th-through-10th key letters are the 1st-through-5th plaintext letters. Guess those, propagate, score. If you guess wrong early, it's obvious because nothing decrypts. With computer search this is broken in seconds, but for hand cryptanalysis in 1500 it was effectively unbreakable.

Autokey was Vigenère's own preferred cipher, ironically — he invented the polyalphabetic system named after him AND a stronger autokey variant in the same 1586 publication. History remembers the weaker one.

Trithemius cipher

The first systematic polyalphabetic cipher, published by Trithemius in 1508 in Polygraphia. Each successive plaintext letter is shifted by one more than the previous:

plaintext:  H E L L O   W O R L D
shift:      0 1 2 3 4   5 6 7 8 9
ciphertext: H F N O S   B U Y T M

Effectively a Caesar cipher whose shift increments per position. Equivalent to Vigenère with key ABCDEFG... — a progressive Caesar.

The accompanying invention was the tabula recta — a 26×26 grid of every Caesar shift, which became the visual aid for Vigenère, Beaufort, and many other polyalphabetic ciphers in the next 400 years.

Running-key cipher

Like autokey, but instead of using the plaintext as the extension, use a long pre-shared text — a passage from a book, say. Both parties have a copy of the same book and start at an agreed page.

This was a serious operational cipher into WWII because the "key" — a chunk of natural-language text — has no obvious period and can be much longer than a typical message.

The weakness: the key isn't random, it's English. An attacker who knows the cipher class can decrypt by trying to align candidate plaintext bigrams against candidate key bigrams (both biased toward TH, HE, etc.). Friedman's 1922 paper laid out the attack in full. By WWII, running-key was understood to be breakable but still saw operational use because nothing better was available without machinery.

Porta cipher

A reciprocal polyalphabetic cipher invented in 1563. Uses a key letter to select one of 13 reciprocal substitution alphabets (each alphabet is its own inverse). Less common in modern teaching but historically important — same family as Beaufort.

Cracking polyalphabetic ciphers

Three attacks, in roughly the order an analyst would apply them:

Kasiski examination

Find repeated trigrams in the ciphertext. Their distance must be a multiple of the key length. Compute distances between all repeats; the GCD of those distances is a strong candidate for the key length.

This works against Vigenère, Beaufort, and any polyalphabetic with a repeating-key structure. Fails against autokey and running-key.

Friedman test (Index of Coincidence)

Compute the IoC of the ciphertext. English plaintext IoC is ~0.067. Vigenère with key length L flattens IoC toward 1/L (~0.038 for very long keys).

The relationship between observed IoC and key length lets you estimate L without needing repeated trigrams. Useful when Kasiski is ambiguous or when the message is short.

Per-column frequency analysis

Once you know L, write out every L-th letter as a column. Each column is a Caesar cipher (one alphabet). Solve each independently with single-letter frequency analysis.

For a 5-letter key on a 250-character message, each column has 50 letters — enough to apply frequency analysis to each. Solving 5 Caesar ciphers is trivial; you've broken Vigenère.

What this lesson asks of you

The playground asks you to identify the polyalphabetic variant for each scenario — Vigenère vs Beaufort vs autokey vs Trithemius — and to recognise which attack technique applies. The visualizer shows the autokey extension flow side by side with plain Vigenère, making clear why the missing period defeats Kasiski.