Pen and Paper Crypto: A basic exploration of substitution ciphers

Cryptography is an essential part of today’s online information security. Without cryptography there would be no way to safely store your private data on remote servers (it is stored encrypted, right?), to safely complete online transactions, or to authenticate with online services (you make sure SSL is enabled on the websites you visit, correct?).

Cryptography and information security, however, are not new. Cryptography has served as a tool for secure information exchange throughout history, playing a very important role in events that have marked humanity. It has also been evolving rapidly: as new cryptographic techniques are created, more sophisticated attacks are devised, making it a never-ending game of catch-up.

The first known real cryptographic techniques were very basic, but they are fun to play with and provide a good foundation for understanding modern crypto practices and their weaknesses. In this article I’ll explore some of these techniques and how they work, and provide interactive “playgrounds” to experiment with.

Rot13

The first one is Rot13. This encryption method is more of an obfuscation technique: it doesn’t provide real security, since the key to encrypt is public. However, it has been used effectively on online forums to hide messages that are not meant to be read right away. Movie spoilers and puzzle solutions are good examples.

This algorithm works by assigning a number to each letter of the alphabet. For example, A=1, B=2, C=3 … Y=25, Z=26. Then, for each letter in the message, we add 13 to its number. If the result goes past Z, we wrap around and start again at A. This is visualized better on the playground below.

One of the most interesting properties of this encryption technique is that encrypting the cipher text a second time returns the original message, because two rotations by 13 add up to a full turn of the 26-letter alphabet. You can try this by copying the Cipher Text into the Plain Text field on the playground above.

Caesar Cipher

The Caesar Cipher is a variation on Rot13 in which the rotation is no longer fixed at 13. This means that our key space, and therefore the security of this encryption algorithm, is increased 26-fold (yep, mind blown).

If we designate X to be the shifting value when encrypting, then the key to decrypt an encrypted message is (26 – X). You can try it below.

Vigenere Cipher

The Vigenere Cipher is like having multiple Caesar Ciphers chained together, each with a different shift value. The number of available key combinations now multiplies by 26 for each instance of a Caesar cipher. So, if you have a 3-character key (each character represents a shift value), the key space is 26 * 26 * 26 = 17576.
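The three ciphers described above fit in one short program, since Rot13 is a Caesar shift of 13 and a Caesar shift is a Vigenere cipher with a one-letter key. This is an added example, not the code from the playground repository; the function names are assumptions, and key letters are counted from A=0 (so a key letter of A means "no shift"), which gives the same rotations as the article's A=1 numbering.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters, A at index 0

def shift_letter(ch, shift):
    """Rotate one ASCII letter by `shift` places, wrapping past Z back to A."""
    if not (ch.isascii() and ch.isalpha()):
        return ch  # spaces, digits and punctuation pass through unchanged
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + shift) % 26 + base)

def caesar(text, shift):
    """Caesar cipher: every letter gets the same shift."""
    return "".join(shift_letter(c, shift) for c in text)

def rot13(text):
    """Rot13 is the Caesar cipher with the shift fixed at 13."""
    return caesar(text, 13)

def vigenere(text, key, decrypt=False):
    """Vigenere: each key letter is a Caesar shift, reused cyclically."""
    shifts = [ALPHABET.index(k) for k in key.upper()]  # ValueError on non-letters
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for c in text:
        s = shifts[i % len(shifts)]
        if c.isascii() and c.isalpha():
            i += 1  # only letters consume a key position
        out.append(shift_letter(c, -s if decrypt else s))
    return "".join(out)

def key_space(key_length):
    """Number of possible keys: 26 choices per key letter."""
    return 26 ** key_length

if __name__ == "__main__":
    msg = "Pen and Paper Crypto"  # constructed sample message
    print("rot13       :", rot13(msg))
    print("rot13 twice :", rot13(rot13(msg)))            # back to the original
    x = 3
    print("caesar      :", caesar(msg, x))
    print("caesar undo :", caesar(caesar(msg, x), 26 - x))  # decrypt key is 26 - X
    secret = vigenere(msg, "KEY")
    print("vigenere    :", secret)
    print("vigenere dec:", vigenere(secret, "KEY", decrypt=True))
    print("3-letter key space:", key_space(3))
```
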

While the key space for the Vigenere cipher is much larger, all of these encryption techniques have flaws that make them easy to break. I’ll explore the basic technique for this attack in part 2 of this series.

The code for the encryption playgrounds is available here: https://github.com/urtubia/substitution-ciphers-playground


At Olark, we constantly spend time teaching and learning from each other. We have a weekly Show n’ Tell session, where we spend time learning from each other’s skills and interests. This post is an adaptation of one of the Show n’ Tell sessions I did.