##### May 25, 2012

# Encrypt Your Secrets with a Deck of Cards

Bruce Schneier, an American cryptographer and security expert, created the Solitaire cryptographic algorithm. The Solitaire cipher is a low-tech cryptographic algorithm that uses a deck of playing cards to encrypt and decrypt messages.

The Solitaire cipher allows secure communications without having to rely on computers or other tools that might indicate that covert channels are being used, or where access to a computer is not possible. It was designed to be secure even against well-funded adversaries with the biggest computers and the smartest cryptanalysts.

Shuffling a deck of playing cards provides an inherent randomness to their order which supply’s the security for the Solitaire cipher. Utilizing a deck of cards that has been sorted in a particular order allows for two people to create and set random letters that will be used to encrypt their messages. The entire process is very slow and can take up an entire evening of encrypting and decrypting a message, so keep it short.

Bruce Schneier’s motivation for developing the Solitaire cipher was that in totalitarian environments, a deck of cards is far more affordable and less incriminating than a personal computer with an array of cryptological utilities. The average person could use a low-tech method to securely transmit information with high-tech security.

Even though the Solitaire cipher was intended to be done manually by hand, it has been converted over to digital format and is available in multiple languages including but not limited to Javascript, Python, and Perl which can be found on Bruce Schneier’s Solitaire website. The following example is from Bruce Schneier himself.

**How to Use the Solitaire Cipher**

Solitaire is an output-feedback mode stream cipher. The basic idea is that Solitaire generates a stream, often called a “keystream,” of numbers between 1 and 26. To encrypt, generate the same number of keystream letters as plaintext letters. Then add them modulo 26 to plaintext letters, one at a time, to create the ciphertext. To decrypt, generate the same keystream and subtract, modulo 26 from the ciphertext to recover the plaintext.

**Encryption**

1. Split the plaintext message into five-character groups. Use X’s to fill in the last group. So if the message is “DO NOT USE PC” then the plaintext is:

`DONOT USEPC`

2. Use Solitaire to generate ten keystream letters. (Details are below.) Assume they are:

`KDWUP ONOWT`

3. Convert the plaintext message from letters into numbers, A=1, B=2, etc:

`4 15 14 15 20 21 19 5 16 3`

4. Convert the keystream letters similarly:

`11 4 23 21 16 15 14 15 23 20`

5. Add the plaintext number stream to the keystream numbers, modulo 26. Basically, if the sum is more than 26, subtract 26 from the result. For example, 1+1=2, 26+1=27, and 27-26=1, so 26+1=1.

`15 19 11 10 10 10 7 20 13 23`

6. Convert the numbers back to letters.

`OSKJJ JGTMW`

DO NOT USE PC is now OSKJJ JGTMW

**Decryption**

The basic idea is that the receiver generates the same keystream, and then subtracts the keystream letters from the ciphertext letters.

1. Take the ciphertext message and put it in five-character groups.

`OSKJJ JGTMW`

2. Use Solitaire to generate ten keystream letters. If the receiver uses the same key as the sender, the keystream letters will be the same:

`KDWUP ONOWT`

3. Convert the ciphertext message from letters into numbers:

`15 19 11 10 10 10 7 20 13 23`

4. Convert the keystream letters similarly:

`11 4 23 21 16 15 14 15 23 20`

5. Subtract the keystream numbers from the ciphertext numbers, modulo 26. For example, 22-1=21, 1-22=5. (It’s easy. If the first number is less than or equal to the second number, add 26 to the first number before subtracting. So 1-22=? becomes 27-22=5.)

`4 15 14 15 20 21 19 5 16 3`

6. Convert the numbers back to letters.

`DONOT USEPC`

As you can see, decryption is the same as encryption, except that you subtract the keystream from the ciphertext message.

**Generating the Keystream Letters**

Generating the keystream letters is the heart of Solitaire. The keystream is generated using a deck of cards. In a 54-card deck (52 + 2 jokers) there are 54!, or about 2.31 * 10^71, possible different orderings of a deck.

We need a deck set of 52 cards and two jokers. The jokers must be visually different. One will be called “joker A” and the other “joker B”. To initialize the deck, take it in your hand face up. Then arrange the cards in the initial configuration that is the key. You’re now ready to generate keystream letters.

Here’s how to produce a single output character:

1. Find the A joker. Move it one card down, swapping it with the card beneath it. If the joker is the bottom card of the deck, move it just below the top card.

2. Find the B joker. Move it two cards down. If the joker is the bottom card of the deck, move it just below the second card. If the joker is one up from the bottom card, move it just below the top card.

It’s important to do these two steps in order. It’s tempting to get lazy and just move the jokers as you find them. This is okay, unless they are very close to each other.

So if the deck looks like this before step 1:

`A 7 2 B 9 4 1`

at the end of step 2 it should look like:

`7 A 2 9 4 B 1`

And if the deck looks like this before step 1:

`3 A B 8 9 6`

at the end of step 2 it should look like:

`3 A 8 B 9 6`

3. Perform a triple cut. That is, swap the cards above the first joker with the cards below the second joker. If the deck used to look like:

`2 4 6 B 5 8 7 1 A 3 9`

then after the triple cut operation it will look like:

`3 9 B 5 8 7 1 A 2 4 6`

“First” and “second” jokers refer to whatever joker is nearest to, and furthest from, the top of the deck. Ignore the “A” and “B” designations for this step.

Remember that the jokers and the cards between them don’t move; the other cards move around them. This is easy to do in your hands. If there are no cards in one of the three sections (either the jokers are adjacent, or one is on top or the bottom), just treat that section as empty and move it anyway. If the deck used to look like:

`B 5 8 7 1 A 3 9`

then after the triple cut operation it will look like:

`3 9 B 5 8 7 1 A`

A deck that looks like:

`B 5 8 7 1 A`

will remain unchanged by this step.

4. Perform a count cut. Look at the bottom card. Convert it into a number from 1 through 53. (Use the bridge order of suits: clubs, diamonds, hearts, and spades. If the card is a club, it is the value shown. If the card is a diamond, it is the value plus 13. If it is a heart, it is the value plus 26. If it is a spade, it is the value plus 39. Either joker is a 53.) Count down from the top card that number. (I generally count 1 through 13 again and again if I have to; it’s easier than counting to high numbers sequentially.) Cut after the card that you counted down to, leaving the bottom card on the bottom. If the deck used to look like:

7 … cards .. 4 5

… cards … 8 9

and the ninth card was the 4, the cut would result in:

5 … cards … 8 7

… cards … 4 9

The reason the last card is left in place is to make the step reversible. This is important for mathematical analysis of its security.

A deck with a joker as the bottom card will remain unchanged by this step.

Be sure not to reverse the order when counting cards off the top. The correct way to count is to pass the cards, one at a time, from one hand to another. Don’t make piles on the table.

5. Find the output card. To do this, look at the top card. Convert it into a number from 1 through 53 in the same manner as step 4. Count down that many cards. (Count the top card as number one.) Write the card after the one you counted to on a piece of paper; don’t remove it from the deck. (If you hit a joker, don’t write anything down and start over again with step 1.) This is the first output card. Note that this step does not modify the state of the deck.

6. Convert the output card to a number. As before, use the bridge suits to order them. From lowest to highest, we have clubs, diamonds, hearts, and spades. Hence, A-clubs through K-clubs is 1 through 13, A-diamonds through K-diamonds is 14 through 26, A-hearts through K-hearts is 1 through 13, and A-spades through K-spades is 14 through 26. (We need 1 through 26, and not 1 through 52, so we can get to letters.)

That’s how to use Solitaire to encrypt a single character. You can use it to create as many keystream numbers as you need; just go through the same six steps once for each output character. And remember, you’ll need one per message character.

**Keying the Deck**

Keying the deck is the most important part of the whole operation, and the one that the entire security of the system hinges upon. Solitaire is only as secure as the key. That is, the easiest way to break Solitaire is to figure out what key the communicants are using. If you don’t have a good key, none of the rest of this matters. Here are some suggestions for exchanging a key.

**Use identically shuffled decks.**A random key is the best. One of the communicants can shuffle up a random deck and then create another, identical deck. One goes to the sender and the other to the receiver. Most people are not good shufflers, so shuffle the deck at least six times. And both parties should keep an additional spare deck in the same keyed order, otherwise if you make a mistake you’ll never be able to decrypt the message. Also remember that the key is at risk as long as it exists; the secret police could find the deck and copy down its order.**Use a bridge ordering.**A description of a set of bridge hands that you might see in a newspaper or a bridge book is about a 95-bit key. Agree on a way to take the bridge-hand diagram and convert it into an ordering of the deck. Then agree on a way to put the two jokers into the deck.**Use a passphrase to order the deck**This method uses the Solitaire algorithm to create an initial deck ordering. Both the sender and receiver share a passphrase. (For example, “SECRET KEY.”) Start with the deck in a fixed order; lowest card to highest card, in bridge suits, followed by the A and then the B joker. Perform the Solitaire operation, but instead of Step 5, do another count cut based on the first character of the passphrase (19, in this example). In other words, do step 4 a second time, using 19 as the cut number instead of the last card. Remember to put the top cards just above the bottom card in the deck, as before.Repeat the five steps of the Solitaire algorithm once for each character of the key. That is, the second time through the Solitaire steps use the second character of the key, the third time through use the third character, etc.Remember, though, that there are only about 1.4 bits of randomness per character in standard English. You’re going to want at least a 64-character passphrase to make this secure; Schneier recommends at least 80 characters.

The Solitaire algorithm may be low-tech, but its security is high-tech. Bruce Schneier has explained that he expected that everyone would know the intricacies of how the algorithm works. As with any cryptographic algorithm, the success lies with the secrecy of the key. As long as the key remains secret, it is unlikely that any third-party will be able to decrypt ciphertext that has been encrypted with Solitaire.

For more information regarding cryptanalysis, operational notes and security visit to Bruce Schneier’s Solitaire site and the Solitaire (cipher) Wikipedia page.