rest, and throws up a
cloud of steam that forces all of the choppers to gain altitude. Randy
crawls down under the cover of that steam cloud, sensing it's the last
privacy he'll ever have, and sits down by the edge of the river to watch.
After half an hour the jet of hot gas is joined by a rivulet of incandescent
fluid that sinks to the bottom of the stream as soon as it emerges, clothed
in a fuzz of wildly boiling water. For a long time there is really nothing
to be seen except steam; but after Golgotha's been burning for an hour or
two, it becomes possible to see that underneath the shallow water, spreading
down the valley floor, indeed right around the isolated boulder where
Randy's perched, is a bright, thick river of gold.
APPENDIX: THE SOLITAIRE ENCRYPTION ALGORITHM
by Bruce Schneier
Author, Applied Cryptography
President, Counterpane Systems
http://www.counterpane.com
In Neal Stephenson's novel Cryptonomicon, The character Enoch Root
describes a cryptosystem code named "Pontifex" to another character named
Randy Waterhouse, and later reveals that the steps of the algorithm are
intended to be carried out using a deck of playing cards. These two
characters go on to exchange several encrypted messages using this system.
The system is called "Solitaire" (in the novel, "Pontifex" is a code name
intended to temporarily conceal the fact that it employs a deck of cards)
and I designed it to allow field agents to communicate securely without
having to rely on electronics or having to carry incriminating tools. An
agent might be in a situation where he just does not have access to a
computer, or may be prosecuted if he has tools for secret communication. But
a deck of cards . . . what harm is that?
Solitaire gets its security from the inherent randomness in a shuffled
deck of cards. By manipulating this deck, a communicant can create a string
of "random" letters that he then combines with his message. Of course
Solitaire can be simulated on a computer, but it is designed to be
implemented by hand.
Solitaire may be low tech, but its security is intended to be high
tech. I designed Solitaire to be secure even against the most well funded
military adversaries with the biggest computers and the smartest
cryptanalysts. Of course there is no guarantee that someone won't find a
clever attack against Solitaire (watch my web page for updates), but the
algorithm is certainly better than any other pencil and paper cipher I've
ever seen.
It's not fast, though. It can take an evening to encrypt or decrypt a
reasonably long message. In David Kahn's book Kahn on Codes, he describes a
real pencil and paper cipher used by a Soviet spy. Both the Soviet algorithm
and Solitaire take about the same amount of time to encrypt a message.
ENCRYPTING WITH SOLITAIRE
Solitaire is an output feedback mode stream cipher. Sometimes this is
called a key generator (KG in U.S. military speak). The basic idea is that
Solitaire generates a stream, often called a "keystream," of numbers between
1 and 26. To encrypt, generate the same number of keystream letters as
plaintext letters. Then add them modulo 26 to plaintext letters, one at a
time, to create the ciphertext. To decrypt, generate the same keystream and
subtract modulo 26 from the ciphertext to recover the plaintext.
For example, to encrypt the first Solitaire message mentioned in
Stephenson's novel, "DO NOT USE PC":
1. Split the plaintext message into five character groups. (There is
nothing magical about five character groups; it's just tradition.) Use X's
to fill in the last group. So if the message is "DO NOT USE PC" then the
plaintext is:
DONOT USEPC
2. Use Solitaire to generate ten keystream letters. (Details are
below.) Assume they are:
KDWUP ONOWT
3. Convert the plaintext message from letters into numbers: A = 1, B =
2, etc:
�4 15 14 15 20 21 19 5 16 3�
4. Convert the keystream letters similarly:
�11 4 23 21 16 15 14 15 23 20�
5. Add the plaintext number stream to the keystream numbers, modulo 26.
(All this means is, if the sum is more than 26, subtract 26 from the
result.) For example, 1 + 1 = 2, 26 + 1 = 27, and 27 – 26 = 1, so 26 +
1 = 1.
�15 19 11 10 10 10 7 20 13 23�
6. Convert the numbers back to letters.
�OSKJJ JGTMW�
If you are really good at this, you can learn to add letters in your
head, and just add the letters from steps (1) and (2). It just takes
practice. It's easy to remember that A + A = B; remembering that T + Q = K
is harder.
DECRYPTING WITH SOLITAIRE
The basic idea is that the receiver generates the same keystream, and
then subtracts the keystream letters from the ciphertext letters.
1. Take the ciphertext message and put it in five character groups. (It
should already be in this form.)
�OSKJJ JGTMW�
2. Use Solitaire to generate ten keystream letters. If the receiver
uses the same key as the sender, the keystream letters will be the same:
�KDWUP ONOWT�
3. Convert the ciphertext message from letters into numbers:
�15 19 11 10 10 10 7 20 13 23�
4. Convert the keystream letters similarly:
�11 4 23 21 16 15 14 15 23 20�
5. Subtract the keystream numbers from the ciphertext numbers, modulo
26. For example, 22 – 1 = 20, 1 – 22 = 5. (It's easy. If the
first number is less than the second number, add 26 to the first number
before subtracting. So 1 – 22 = ? becomes 27 – 22 = 5.)
�4 15 14 15 20 21 19 5 16 3�
6. Convert the numbers back to letters.
�DONOT USEPC�
Decryption is the same as encryption, except that you subtract the
keystream from the ciphertext message.
GENERATING THE KEYSTREAM LETTERS
This is the heart of Solitaire. The above descriptions of encryption
and decryption work for any output feedback mode stream cipher. This section
explains how Solitaire works.
Solitaire generates a keystream using a deck of cards. You can think of
a 54 card deck (remember the jokers) as a 54 element permutation. There are
54!, or about 2.31 x 10^71, possible different orderings of a deck. Even
better, there are 52 cards in a deck (without the jokers), and 26 letters in
the alphabet. That kind of coincidence is just too good to pass up.
To be used for Solitaire, a deck needs a full set of 52 cards and two
jokers. The jokers must be different in some way. (This is common. The deck
I'm looking at as I write this has stars on its jokers: one has a little
star and the other has a big star.) Call one joker A and the other B.
Generally, there is a graphical element on the jokers that is the same, but
different size. Make the "B" joker the one that is "bigger." If it's easier,
you can write a big "A" and "B" on the two jokers, but remember that you
will have to explain that to the secret police if you ever get caught.
To initialize the deck, take the deck in your hand, face up. Then
arrange the cards in the initial configuration that is the key. (I'll talk
about the key later, but it's different than the keystream.) Now you're
ready to produce a string of keystream letters.
This is Solitaire:
1. Find the A joker. Move it one card down. (That is, swap it with the
card beneath it.) If the joker is the bottom card of the deck, move it just
below the top card.
2. Find the B joker. Move it two cards down. If the joker is the bottom
card of the deck, move it just below the second card. If the joker is one up
from the bottom card, move it just below the top card. (Basically, assume
the deck is a loop . . . you get the idea.)
It's important to do these two steps in order. It's tempting to get
lazy and just move the jokers as you find them. This is okay, unless they
are very close to each other.
So if the deck looks like this before step 1:
3AB89
at the end of step 2 it should look like:
3A8B9
If you have any doubt, remember to move the A joker before the B joker.
And be careful when the jokers are at the bottom of the deck.
3. Perform a triple cut. That is, swap the cards above the first joker
with the cards below the second joker. If the deck used to look like:
�246B4871A39�
then after the triple cut operation it will look like:
�39B4871A246�
"First" and "second" jokers refer to whatever joker is nearest to, and
furthest from, the top of the deck. Ignore the "A" and "B" designations for
this step.
Remember that the jokers and the cards between them don't move; the
other cards move around them. This is easy to do in your hands. If there are
no cards in one of the three sections (either the jokers are adjacent, or
one is on top or the bottom), just treat that section as empty and move it
anyway.
4. Perform a count cut. Look at the bottom card. Convert it into a
number from 1 through 53. (Use the bridge order of suits: clubs, diamonds,
hearts, and spades. If the card is a (club), it is the value shown. If the
card is a (diamond), it is the value plus 13. If it is a (heart), it is the
value plus 26. If it is a (spade), it is the value plus 39. Either joker is
a 53.) Count down from the top card that number. (I generally count 1
through 13 again and again if I have to; it's easier than counting to high
numbers sequentially.) Cut after the card that you counted down to, leaving
the bottom card on the bottom. If the deck used to look like:
7 ... cards ... 45 ... cards ... 89
and the ninth card was the 4, the cut would result in:
5 ... cards ... 87 ... cards ... 49
The reason the last card is left in place is to make the step
reversible. This is important for mathematical analysis of its security.
5. Find the output card. Look at the top card. Convert it into a number
from 1 through 53, in the same manner as above. Count down that many cards.
(Count the top card as number one.) Write the card after the one you counted
to on a piece of paper. (If you hit a joker, don't write anything down and
start over again with step 1.) This is the first output card. Note that this
step does not modify the state of the deck.
�915�
6. Convert the card to a number. As before, use the bridge suits to
order them: From lowest to highest, we have clubs, diamonds, hearts, and
spades. Hence, A(clubs) through K(clubs) is 1 through 13, A(diamonds)
through K(diamonds) is 14 through 26, A(hearts) through K(hearts) is 1
through 13, and A(spades) through K(spades) is 14 through 26.
That's Solitaire. You can use it create as many keystream numbers as
you need.
I know that there are regional differences in decks of cards, depending
on the country. In general, it does not matter what suit ordering you use,
or how you convert cards to numbers. What matters is that the sender and the
receiver agree on the rules. If you're not consistent you won't be able to
communicate.
KEYING THE DECK
Solitaire is only as secure as the key. That is, the easiest way to
break Solitaire is to figure out what key the communicants are using. If you
don't have a good key, none of the rest this matters. Here are some
suggestions for exchanging a key.
1. Shuffle the deck. A random key is the best. One of the communicants
can shuffle up a random leck and then create another, identical deck. One
goes to the sender and the other to the receiver. Most people are not good
shufflers, so shuffle the deck at least ten times, and try to use a deck
that has been played with instead of a fresh deck out of the box. Remember
to keep a spare deck in the keyed order, otherwise if you make a mistake
you'll never be able to decrypt the message. Also remember that the key is
at risk as long as it exists; the secret police could find the deck and copy
down its order.
2. Use a bridge ordering. A description of a set of bridge hands that
you might see in a newspaper or a bridge book is about a 95 bit key. If the
communicants can agree on a way to convert that to a deck ordering and a way
to set the jokers (perhaps after the first two cards that are mentioned in
the discussion of the game), this can work. Be warned: the secret police can
find your bridge column and copy down the order. You can try setting up some
repeatable convention for which bridge column to use; for example, "use the
bridge column in your home town newspaper for the day on which you encrypt
the message," or something like that. Or use a list of keywords to search
the New York Times website, and use the bridge column for the day of the
article that comes up when you search on those words. If the keywords are
found or intercepted, they look like a passphrase. And pick your own
convention; remember that the secret police read Neal Stephenson's books,
too.
3. Use a passphrase to order the deck. This method uses the Solitaire
algorithm to create an initial deck ordering. Both the sender and receiver
share a passphrase. (For example, "SECRET KEY.") Start with the deck in a
fixed order; lowest card to highest card, in bridge suits. Perform the
Solitaire operation, but instead of Step 5, do another count cut based on
the first character of the passphrase (19, in this example). (Remember to
put the top cards just above the bottom card in the deck, as before.) Do
this once for each character. Use another two characters to set the
positions of the jokers. Remember, though, that there are only about 1.4
bits of randomness per character in standard English. You're going to want
at least an 80 character passphrase to make this secure; I recommend at
least 120 characters. (Sorry, but you just can't get good security with a
shorter key.)
SAMPLE OUTPUT
Here's some sample data to practice your Solitaire skills with:
Sample 1: Start with an unkeyed deck: A(clubs) through K(clubs),
A(hearts) through K(hearts), A(diamonds) through K(diamonds), A(spades)
through K(spades), A joker, B joker (you can think of this as 1 52, A, B).
The first ten outputs are:
4 49 10 (53) 24 8 51 44 6 33
The 53 is skipped, of course. I just put it there for demonstration. If
the plain text is:
�AAAAA AAAAA�
then the cipher text is:
�EXKYI ZSGEH�
Sample 2: Using keying method 3 and the key "FOO," the first fifteen
outputs are:
8 19 7 25 20 (53) 9 8 22 32 43 5 26 17 (53) 38 48
If the plain text is all As, the cipher text is:
�ITHZU JIWGR FARMW�
Sample 3: Using keying method 3 and the key "CRYPTONOMICON," the
message "SOLITAIRE" encrypts to:
�KIRAK SFJAN�
Of course, you should use a longer key. These samples are for test
purposes only. There are more samples on the website, and you can use the
book's PERL script to create your own.
SECURITY THROUGH OBSCURITY
Solitaire is designed to be secure even if the enemy knows how the
algorithm works. I have assumed that Cryptonomicon will be a best seller,
and that copies will be available everywhere. I assume that the NSA and
everyone else will study the algorithm and will watch for it. I assume that
the only secret is the key.
That's why keeping the key secret is so important. If you have a deck
of cards in a safe place, you should assume the enemy will at least
entertain the thought that you are using Solitaire. If you have a bridge
column in your safe deposit box, you should expect to raise a few eyebrows.
If any group is known to be using the algorithm, expect the secret police to
maintain a database of bridge columns to use in cracking attempts. Solitaire
is strong even if the enemy knows you are using it, and a simple deck of
playing cards is still much less incriminating than a software encryption
program running on your laptop, but the algorithm is no substitute for
street smarts.
OPERATIONAL NOTES
The first rule of an output feedback mode stream cipher, any of them,
is that you should never use the same key to encrypt two different messages.
Repeat after me: NEVER USE THE SAME KEY TO ENCRYPT TWO DIFFERENT MESSAGES.
If you do, you completely break the security of the system. Here's why: if
you have two ciphertext streams, A + K and B + K, and you subtract one from
the other, you get (A + K) – (B + K) = A + K – B – K = A
– B. That's two plaintext streams combined with each other, and is
very easy to break. Trust me on this one: you might not be able to recover A
and B from A – B, but a professional cryptanalyst can. This is vitally
important: never use the same key to encrypt two different messages.
Keep your messages short. This algorithm is designed to be used with
small messages: a couple of thousand characters. If you have to encrypt a
100,000 word novel, use a computer algorithm. Use shorthand, abbreviations,
and slang in your messages. Don't be chatty.
For maximum security, try to do everything in your head. If the secret
police starts breaking down your door, just calmly shuffle the deck. (Don't
throw it up in the air; you'd be surprised how much of the deck ordering is
maintained during the game of 52 Pickup.) Remember to shuffle the backup
deck, if you have one.
SECURITY ANALYSIS
There's quite a lot of it, but it's far too complicated to reproduce
here. See http://www.counterpane.com, or write to
Counterpane Systems
1711 North Ave #16
Oak Park, IL 60302
LEARNING MORE
I recommend my own book, Applied Cryptography (John Wiley & Sons,
1996), as a good place to start. Then read The Codebreakers, by David Kahn
(Scribner, 1996). After that, there are several books on computer
cryptography, and a few others on manual cryptography. You can subscribe to
my free e mail newsletter at http://www.counterpane.com/cryptogram.html or
by sending a blank e mail message to crypto gram subscribe@
chaparraltree.com. It's a fun field; good luck.
1. 1940 being a good year to begin experimenting with venereal diseases
in that the new injectable penicillin was just becoming available.
2. As the Nipponese were invariably called by Marines, who never used a
three syllable word where a three letter one would do.
3. "Hypo" is a military way of saying the letter H. Bright boy
Waterhouse infers that there must be at least seven others: Alpha, Bravo,
Charlie. etc.
4. Assuming, provisionally, that Alan is wrong and that human brains
are not machines.
5. An evident paradox, but nothing out of the ordinary being out of
America has just made this kind of thing more obvious to Randy.
6. A deprecatory term for a fighting man not good enough to be in the
Corps.
7. Men with experience in Asia use the word "Nip." The Colonel's use of
"Jap" suggests that his career has been spent in the Atlantic and/or
Caribbean.
8. He has no hard data to back this up; it just seems like a cool idea.
9. He has made up his mind that he will use the English words rather
than making a spectacle of himself by trying to pronounce the Qwghlmian
ones.
10. According to the E.Q., derived from lichen.
11. Cantrell alludes to the fact that Plan One brought them a couple of
million dollars in seed money from a venture capital outfit in San Mateo
called the Springboard Group.
12. Shaftoe had had nothing to do for the last couple of weeks except
play Hearts using KNOW YOUR ENEMY cards, so he could now peg model numbers
of obscure Kraut observation planes.
13. The first one, mì, meaning "secret" and the second one, fú, having
a dual connotation meaning, on the one hand, a symbol or mark, and on the
other hand, Taoist magic.
14. Ever since the four wheel Enigma was broken.
15. Baudot code is what teletypes use. Each of the 32 characters in the
teletype alphabet has a unique number assigned to it. This number can be
represented as a five digit binary number, that is, five ones or zeroes, or
(more useful) five holes, or absences of holes, across a strip of paper
tape. Such numbers can also be represented as patterns of electrical
voltages, which can be sent down a wire, or over the radio waves, and
printed out at the other end. Lately, the Germans have been using encrypted
Baudot code messages for communications between high level command posts;
e.g., between Berlin and the various Army group headquarters. At Bletchley
Park, this category of encryption schemes is called Fish, and the Colossus
machine is being built specifically to break it.
16. Half an hour ago, as Epiphyte Corp. was gathering in the lobby, a
big black Mercedes came in, fresh from the airport. 747s come into Kinakuta
four times a day, and from the time that a person presents himself at the
registration desk of his luxury hotel, you can figure out which city he flew
in from. These guys came in from Los Angeles. Three Latino men: a middle
aged fellow of great importance, a somewhat younger assistant, and a
palooka. They were met in the lobby by the solitary fellow who showed up
late yesterday with the cellphone.
17. This is dry humor, and is received as such by everyone in the room;
at this point in the war, a U boat could no more run up the English Channel
than it could travel up the Mississippi, sink a few barges in Dubuque, and
make its escape.
18. Nipponese Army speak for "retreat."
19. It goes without saying that the Finns have to have their own sui
generis brand of automatic weapon.
20. This phrase is a Douglas MacArthur Shaftoe parody.