A primitive mechanical model of the Chaocipher device
Photo courtesy of National Cryptologic Museum
Proving the Choacipher Solution
Gary J. Shannon
Created July 7, 2010
Updated July 21, 2010
The Chaocipher and the Sliding Tile Equivalent
This cipher machine and it's resulting cipher, called the Chaocipher, was originally implemented by J. F. Byrne in 1918 and not cracked until 2010 when the blueprints were finally made public. His original model was made with tiles cut from cardboard and placed on wooden wheels. A complete description can be found here.
Here is the same cipher with the sliding tiles laid out in a flat row rather than a circle. The top row is the ciphertext alphabet and the bottom row is the plaintext.
The cipher shuffles both alphabets by shifting and then moving a single tile from one location to another. Note the "race tracks" in the illustration which make it easier to move the tiles to their correct place in the alphabet row. Also notice the two index marks, one for each alphabet, which Byrne called the "zenith". Lacking the race tracks of the sliding tile model, Byrne also used another index mark he called "nadir" to show where to insert the two moved tiles into the alphabet row. Byrne also placed the two wheels side by side instead of concentricly. They were connected by gear-like teeth so that they would move together. Since the wheels will thus move in opposite directions, this requires that in the flat row version we arrange the ciphertext alphabet in the reverse order of the arrangement in Byrne's version.
In operation, whereas with the flat row we would look for the plaintext letter in the bottom row and then find the ciphertext letter in the row above it, in Byrne's version we would turn plaintext wheel until the desired plaintext letter touched the ciphertext wheel, at which time the ciphertext letter would be the tile where the two wheels touch. The net effect, however, is identical in every respect to the flat row version. (See also my discussion of sliding tile ciphers in general)
The sliding tile equivalent works like this: In the ciphertext alphabet take the tile to the right of the last used ciphertext letter and move it 12 slots to the right (or 12 slots clockwise if the rows are arranged in a circular track). With the plaintext alphabet, take the tile second to the right from the last plaintext letter used and move it to a slot 11 tiles to the right. Then shift the plaintext row one tile to the left. (Or we could say shift the ciphertext row one tile to the right since the net result is the same.)
Byrne's actual operating instructions of the Chaocipher device are considerably more complicated than that, but if you actually perform the operations described above and the operations described by Byrne you will see that the end result is identical, and that the same message will be encrypted the same way by both systems.
The fact that this sliding tile machine is equivalent to Byrne's wheel machine is best demonstrated by using the sliding tiles to decrypt one of Byrne's own messages, his "Exhibit One". Here are the first couple line of that ciphertext:
CLYTZPNZKLDDQGFBOOTYSNEPUAGKIUNKNCRINRCVKJNHTOAFQPDPNCV
LTVFICOTSSLWYYIHBICFUTHXNUVKGIMVEZYWSTHEPIEWXNNGFTOGHSR
We begin by setting the tiles up with the initial alphabets used by Byrne to encrypt that exhibit:
CPEDQRSTIXYLMOZABFVGUHWJKN
xayznbqdsefghlwikcmoprtuvj
Notice that I have shown the two alphabets offset from each other. This is so that the leftmost letter of each row corresponds to the letter under the index in the illustrations above.
As an aside, "james" on the The Crypto Forum has discovered how Byrne arrived at this starting alphabet using the keyword THINK. Read an account of his rather brilliant discovery here on the forum.
Now we begin the process of decrypting the exhibit. We see that the first ciphertext letter C is above the plaintext letter a, so a becomes the first letter of the plaintext:
CLYTZPNZKLDDQGFBOOTYSNEPUAGKIUNKNCRINRCVKJNHTOAFQPDPNCV
a
LTVFICOTSSLWYYIHBICFUTHXNUVKGIMVEZYWSTHEPIEWXNNGFTOGHSR
Next we perform the first shuffling operation:
The resulting alphabet rows now look like this:
CEDQRSTIXYLMOPZABFVGUHWJKN
ayzbqdsefghlwinkcmoprtuvjx
The next ciphertext letter is L. We find it in the ciphertext row just above the plaintext l, so that is our next plaintext letter:
CLYTZPNZKLDDQGFBOOTYSNEPUAGKIUNKNCRINRCVKJNHTOAFQPDPNCV
al
LTVFICOTSSLWYYIHBICFUTHXNUVKGIMVEZYWSTHEPIEWXNNGFTOGHSR
Repeating the shuffle as above, and cranking out the next few plaintext letters we get the following alphabet rows and their plaintext solutions:
LOPZABFVGUHWJMKNCEDQRSTIXY
lwikcmoprtuvjxnayzbqdsefgh plaintext l for ciphertext Y (Note wrap-around)
YOPZABFVGUHWJLMKNCEDQRSTIX
lwicmoprtuvjxnkayzbqdsefgh plaintext g for ciphertext T
TXYOPZABFVGUHIWJLMKNCEDQRS
ghlicmoprtuvjxwnkayzbqdsef plaintext o for ciphertext Z
ZBFVGUHIWJLMKANCEDQRSTXYOP
opruvjxwnkayzbtqdsefghlicm plaintext o for ciphertext P
PBFVGUHIWJLMKZANCEDQRSTXYO
oprvjxwnkayzbtuqdsefghlicm plaintext d for ciphertext N
CLY TZPNZKLDDQGFBOOTYSNEPUAGKIUNKNCRINRCVKJNHTOAFQPDPNCV
all good
LTVFICOTSSLWYYIHBICFUTHXNUVKGIMVEZYWSTHEPIEWXNNGFTOGHSR
And for further verification, a few more letters are decrypted. And so that you can follow along and verify the result, here are the alphabet rows after each:
NEDQRSTXYOPBFCVGUHIWJLMKZA
dseghlicmoprvjfxwnkayzbtuq Z:q
ZNEDQRSTXYOPBAFCVGUHIWJLMK
qdsghlicmoprvjefxwnkayzbtu K:q
KNEDQRSTXYOPBZAFCVGUHIWJLM
qdshlicmoprvjegfxwnkayzbtu L:u
LKNEDQRSTXYOPMBZAFCVGUHIWJ
uqdhlicmoprvjesgfxwnkayzbt D:i
DRSTXYOPMBZAFQCVGUHIWJLKNE
icmprvjesgfxwnokayzbtuqdhl D:c
DSTXYOPMBZAFQRCVGUHIWJLKNE
cmpvjesgfxwnokrayzbtuqdhli Q:k
QCVGUHIWJLKNERDSTXYOPMBZAF
krazbtuqdhlicmypvjesgfxwno G:b
GHIWJLKNERDSTUXYOPMBZAFQCV
btudhlicmypvjeqsgfxwnokraz F:r
FCVGHIWJLKNERQDSTUXYOPMBZA
raztudhlicmypvbjeqsgfxwnok B:o
BAFCVGHIWJLKNZERQDSTUXYOPM
okrztudhlicmypavbjeqsgfxwn O:w
OMBAFCVGHIWJLPKNZERQDSTUXY
wnorztudhlicmykpavbjeqsgfx O:n
OBAFCVGHIWJLPMKNZERQDSTUXY
nortudhlicmykpzavbjeqsgfxw T:f
TXYOBAFCVGHIWUJLPMKNZERQDS
fxwortudhlicmynkpzavbjeqsg Y:o
YBAFCVGHIWUJLOPMKNZERQDSTX
ortdhlicmynkpzuavbjeqsgfxw S:x
SXYBAFCVGHIWUTJLOPMKNZERQD
xwotdhlicmynkprzuavbjeqsgf N:e
NERQDSXYBAFCVZGHIWUTJLOPMK
eqsfxwotdhlicmgynkprzuavbj E:s
EQDSXYBAFCVZGRHIWUTJLOPMKN
sfxotdhlicmgynwkprzuavbjeq P:j
PKNEQDSXYBAFCMVZGRHIWUTJLO
jeqfxotdhlicmgsynwkprzuavb U:u
UJLOPKNEQDSXYTBAFCMVZGRHIW
uavjeqfxotdhlibcmgsynwkprz A:m
ACMVZGRHIWUJLFOPKNEQDSXYTB
mgsnwkprzuavjeyqfxotdhlibc G:p
GHIWUJLFOPKNERQDSXYTBACMVZ
przavjeyqfxotduhlibcmgsnwk K:o
KERQDSXYTBACMNVZGHIWUJLFOP
otdhlibcmgsnwkuprzavjeyqfx I:v
IUJLFOPKERQDSWXYTBACMNVZGH
vjeqfxotdhlibcymgsnwkuprza U:e
ULFOPKERQDSWXJYTBACMNVZGHI
eqfotdhlibcymgxsnwkuprzavj N:r
NZGHIULFOPKERVQDSWXJYTBACM
rzajeqfotdhlibvcymgxsnwkup K:l
KRVQDSWXJYTBAECMNZGHIULFOP
libcymgxsnwkupvrzajeqfotdh N:a
NGHIULFOPKRVQZDSWXJYTBAECM
ajefotdhlibcymqgxsnwkupvrz C:z
CNGHIULFOPKRVMQZDSWXJYTBAE
zajfotdhlibcymeqgxsnwkupvr R:y
RMQZDSWXJYTBAVECNGHIULFOPK
ymegxsnwkupvrzqajfotdhlibc I:d
ILFOPKRMQZDSWUXJYTBAVECNGH
dhlbcymegxsnwkiupvrzqajfot N:o
NHILFOPKRMQZDGSWUXJYTBAVEC
otdlbcymegxsnwhkiupvrzqajf R:g
RQZDGSWUXJYTBMAVECNHILFOPK
gxswhkiupvrzqanjfotdlbcyme C:t
CHILFOPKRQZDGNSWUXJYTBMAVE
tdlcymegxswhkibupvrzqanjfo V:o
VCHILFOPKRQZDEGNSWUXJYTBMA
otdcymegxswhkilbupvrzqanjf K:s
KQZDEGNSWUXJYRTBMAVCHILFOP
swhilbupvrzqankjfotdcymegx J:a
JRTBMAVCHILFOYPKQZDEGNSWUX
ankfotdcymegxsjwhilbupvrzq N:v
NWUXJRTBMAVCHSILFOYPKQZDEG
vrzankfotdcymeqgxsjwhilbup H:e
HILFOYPKQZDEGSNWUXJRTBMAVC
eqgsjwhilbupvrxzankfotdcym T:t
TMAVCHILFOYPKBQZDEGSNWUXJR
tdcmeqgsjwhilbyupvrxzankfo O:h
OPKBQZDEGSNWUYXJRTMAVCHILF
hilyupvrxzankfbotdcmeqgsjw A:e
ACHILFOPKBQZDVEGSNWUYXJRTM
eqgjwhilyupvrxszankfbotdcm F:i
FPKBQZDVEGSNWOUYXJRTMACHIL
ilypvrxszankfbuotdcmeqgjwh Q:r
QDVEGSNWOUYXJZRTMACHILFPKB
rxsankfbuotdcmzeqgjwhilypv .. etc.
PBQDVEGSNWOUYKXJZRTMACHILF
pvrsankfbuotdcxmzeqgjwhily
DEGSNWOUYKXJZVRTMACHILFPBQ
ankbuotdcxmzeqfgjwhilypvrs
PQDEGSNWOUYKXBJZVRTMACHILF
rsakbuotdcxmzenqfgjwhilypv
NOUYKXBJZVRTMWACHILFPQDEGS
tdcmzenqfgjwhixlypvrsakbuo
CILFPQDEGSNOUHYKXBJZVRTMWA
ypvsakbuotdcmzrenqfgjwhixl
VTMWACILFPQDERGSNOUHYKXBJZ
whilypvsakbuotxdcmzrenqfgj
LPQDERGSNOUHYFKXBJZVTMWACI
akbotxdcmzrenqufgjwhilypvs
TWACILPQDERGSMNOUHYFKXBJZV
lypsakbotxdcmzvrenqufgjwhi
VWACILPQDERGSTMNOUHYFKXBJZ
lypakbotxdcmzvsrenqufgjwhi
FXBJZVWACILPQKDERGSTMNOUHY
gjwilypakbotxdhcmzvsrenquf
IPQKDERGSTMNOLUHYFXBJZVWAC
otxhcmzvsrenqudfgjwilypakb
CPQKDERGSTMNOILUHYFXBJZVWA
otxcmzvsrenqudhfgjwilypakb
OLUHYFXBJZVWAICPQKDERGSTMN
dhfjwilypakbotgxcmzvsrenqu
TNOLUHYFXBJZVMWAICPQKDERGS
qudfjwilypakbohtgxcmzvsren
SNOLUHYFXBJZVTMWAICPQKDERG
qudjwilypakbohftgxcmzvsren
SOLUHYFXBJZVTNMWAICPQKDERG
udjilypakbohftwgxcmzvsrenq
LHYFXBJZVTNMWUAICPQKDERGSO
ilyakbohftwgxcpmzvsrenqudj
WAICPQKDERGSOULHYFXBJZVTNM
cpmvsrenqudjilzyakbohftwgx
YXBJZVTNMWAICFPQKDERGSOULH
kboftwgxcpmvsrhenqudjilzya
YBJZVTNMWAICFXPQKDERGSOULH
bofwgxcpmvsrhetnqudjilzyak
IFXPQKDERGSOUCLHYBJZVTNMWA
rhenqudjilzyaktbofwgxcpmvs
HBJZVTNMWAIFXYPQKDERGSOUCL
ofwxcpmvsrhenqgudjilzyaktb
BZVTNMWAIFXYPJQKDERGSOUCLH
wxcmvsrhenqgudpjilzyaktbof
IXYPJQKDERGSOFUCLHBZVTNMWA
nqgdpjilzyaktbuofwxcmvsrhe
CHBZVTNMWAIXYLPJQKDERGSOFU
fwxmvsrhenqgdpcjilzyaktbuo
FCHBZVTNMWAIXUYLPJQKDERGSO
ofwmvsrhenqgdpxcjilzyaktbu
ULPJQKDERGSOFYCHBZVTNMWAIX
xcjlzyaktbuofwimvsrhenqgdp
TMWAIXULPJQKDNERGSOFYCHBZV
enqdpxcjlzyaktgbuofwimvsrh
HZVTMWAIXULPJBQKDNERGSOFYC
srhnqdpxcjlzyaektgbuofwimv
XLPJBQKDNERGSUOFYCHZVTMWAI
jlzaektgbuofwiymvsrhnqdpxc
NRGSUOFYCHZVTEMWAIXLPJBQKD
uofiymvsrhnqdpwxcjlzaektgb
UFYCHZVTEMWAIOXLPJBQKDNRGS
mvshnqdpwxcjlzraektgbuofiy
VEMWAIOXLPJBQTKDNRGSUFYCHZ
pwxjlzraektgbucofiymvshnqd
KNRGSUFYCHZVEDMWAIOXLPJBQT
ofimvshnqdpwxjylzraektgbuc
GUFYCHZVEDMWASIOXLPJBQTKNR
vshqdpwxjylzranektgbucofim
IXLPJBQTKNRGUOFYCHZVEDMWAS
ektbucofimvshqgdpwxjylzran
MASIXLPJBQTKNWRGUOFYCHZVED
ranktbucofimvsehqgdpwxjylz
CLY TZPN Z KLDDQ GFBOO TYSNE PUAG KIUN KNCR INR CV KJNH TOAFQ PDPNC V
all good q quick brown foxes jump over lazy dog to save their party w
LTV FICO T SSLWY YIHBI CFUTH XNUV KGIM VEZYWSTHEPIEWXNNGFTOGHSR
all good q quick brown foxes jump over ...
And so on for as long as we care to continue. This demonstrates that the sliding tile machine produces results equivalent to those of the Choacipher machine.