by DAVID KAHN
The keyletter that is paired with a given plaintext letter indicates the alphabet of the tableau that is to be used to encipher that plaintext letter. Thus, / is to be enciphered by the V alphabet, a by the I alphabet, and so on. The system permits great flexibility: no longer did all messages have to be enciphered with one of a relatively few standard sequences of alphabets, but different ambassadors could be given individual keys, and, if it were feared that a key had been stolen or solved, a new one could be substituted with the greatest of ease. Keys caught on at once, and the Belaso invention laid the foundation for today’s exceedingly complex arrangements, in which not one but several keys are employed and are varied at odd intervals.
Belaso, however, like Trithemius, employed standard alphabets as his cipher alphabets. It remained for a young prodigy, who later organized the first scientific society of modern times, to revive the mixed alphabets of Alberti and to wrap Alberti’s notions together with those of Trithemius and Belaso into the modern concept of polyalphabetic substitution.
Giovanni Battista Porta was born in Naples in 1535, was raised by a cultured and intelligent uncle, and was composing essays in Latin and Italian by the time he was ten. After the usual grand tour, he returned to Naples and, at 22, published his first book, a study of oddities and scientific curiosa entitled Magia naturalis. Later, he brought together in his home in Naples a group of men similarly interested in natural magic—the study of the mysteries of nature by experimental means, as opposed to spirit magic like Trithemius’. Here they met periodically and performed experiments. This was the Acca-demia Secretorum Naturae, whose members called themselves the Otiosi (Men of Leisure). It was the first of all associations of scientists, and as such it began the transformation of scientific inquiry from an individual eccentricity to the organized and socially sanctioned pursuit that it now is. The Otiosi were soon suspected of dabbling in the occult, however, and Porta was called to Rome to explain reports of witches’ salves and necromantic arts. He cleared himself before Pope Paul V, returning cautioned but unblemished. In fact, his “magic” was only that of a parlor conjuror—tricks cloaked in mystery but easily explained. He also served as vice president of another early scientific society, the Accademia dei Lincei (Academy of Lynxes), one of whose members was Galileo.
Between 1586 and 1609, Porta produced books on the asserted relation of human physiognomy to animal characteristics, which influenced the Italian criminologist Cesare Lombroso in defining “the criminal type,” on meteorology, the refraction of light, pneumatics, the design of villas, astronomy, astrology, distillation, and the improvement of memory, as well as 14 prose comedies, two tragedies, and one tragicomedy. An expanded version of the Magia naturalis, in 20 books, recorded many of the experiments of the Otiosi and, as popular as the original, was translated and was reprinted no fewer than 27 times. Called the “most delightful and browsable of scientific books,” it includes such oddities as ways of making merry by turning women’s faces red, green, or pimply, and by using a juggler’s prank of burning hare’s fat to cause women to cast off all their clothes. (Not all of Porta’s tricks worked.) Book XVI gave numerous recipes for secret ink and for such tricks as writing invisibly on an egg and on human skin so that “messengers may be sent, who shall neither know that they carry letters nor can they be found about them,” and hiding missives in living creatures (by feeding a letter in meat to a dog, then killing him to retrieve it). Porta sometimes embroidered the truth a little in reporting the facts both of his experiments and of his life. But he was the first to recognize the heating effect of light rays and to expound an ecological grouping of plants. He died in 1615 at 80, leaving the memory of a mild-tempered and pleasant man.
Porta was only 28 when, in 1563, he published the book on which his fame as a cryptologist rests. De Furtivis Literarum Notis is an extraordinary book. Even today, four centuries later, it retains its freshness and charm and—remarkably—its ability to instruct. Its great quality is its perspective: Porta saw cryptology in the round. Its four books, dealing respectively with ancient ciphers, modern ciphers, cryptanalysis, and a list of linguistic peculiarities that will help in solution, encompassed the cryptologic knowledge of the time. He rehearsed the standard ciphers of his forefathers, but he did not hesitate to criticize: the venerable pig-pen, or Freemasons’, or Rosicrucians’ cipher, is used, he sneered, by “rustics, women and children.” Among the “modern” systems—many of which are probably Porta’s own—appeared the first digraphic cipher in cryptology, in which two letters were represented by a single symbol.
He classified systems into three kinds: the changing of a letter’s order (transposition), of a letter’s form (substitution by symbol), and of a letter’s value (substitution by a letter of another alphabet). This was one of the earliest, if crude, instances of the now standard division of ciphers into transposition and substitution. He urged the use of synonyms in plaintexts, noting that “It will also make for difficulty of interpretation if we avoid the repetition of the same word.” Like the Argentis, he suggested deliberate misspellings of plaintext words: “For it is better for a scribe to be thought ignorant than to pay the penalty for the detection of plans,” he wrote. The book included a set of movable rococo cipher disks, and at one point Porta explained how they may be converted to a square table. His grasping of this relationship illuminates more clearly than anything else his thorough comprehension of the subject. He spiced his book with some eyebrow-raising sample plaintexts. Perhaps the most startling is “I deflowered the object of my affections today,” used for six encipherments in a row. He gave the first published description in Europe of how to solve a monalphabetic cipher with no word divisions or with false word divisions, at a time when cryptanalysts often depended on the presence of word divisions.
The earliest known digraphic system: Giovanni Battista Porta replaced each pair of letters with the sign at the intersection of their row and columns
Porta anticipated all other writers on the subject by describing what is regarded today as the second major form of cryptanalytical technique—that of the probable word—and, furthermore, by specifically differentiating it from linguistic analysis: “… when the subject matter is known,” he wrote, “the interpreter can make a shrewd guess at the common words that concern the matter in hand, and these can without much labor be discovered by observing for each word in the passages in question the number of characters and the likeness and difference of the letters in their positions…. In each subject there are several common words which go with it as it were of necessity; for example, in love, love, heart, fire, flame, to be burned, life, death, pity, and cruelty have place, and in war, soldier, leader, general, camp, arms, to fight, etc.… Thus, a form of interpretation which is not based on consideration of the documents themselves or on the attempt to distinguish vowels and consonants therein may lighten the task.”
He proffered some sapient advice on work techniques, as valid today as it was in Renaissance Italy:
There is required the most complete concentration, the most perfect diligence, so that the mind, free from all distracting thoughts, and with everything else put aside, may devote itself entirely to the single task of carrying the whole undertaking to a successful conclusion. Still, if the task sometimes requires unusual concentration and expenditure of time, this concentration should not go on uninterrupted; the brain should not be racked over-anxiously. For excessive pains and prolonged mental effort bring on brain-fag, so that the mind is afterwards less fit for these things, and accomplishes nothing…. This has often been my experience at such times as I came upon particularly involved ciphers, in the working-out of these. For after spending the whole day in this task (scarcely seven or eight hours seemed to me to have gone by), I hardly thought it was more than one or two o’clock, so that I was not aware of the approach of evening except through the shadows and the failing of the light.
Finally, Porta unconsciously revealed some practical experience in one sentence: “It will be found of no sm
all importance besides for the message to have been written by the hand of the author, or a skilled scribe, for if, after it has been intercepted, it be copied wrong, or if it have started off from the hands of someone who was ignorant of the art of cipher, it will readily result that, since the writing is confused, every way of interpreting it will be blocked.” Knowledge like that comes only from wrestling with the dropped or transposed or altered letters that appear so regularly in the transmission of real cryptograms, since the problems one finds in books are invariably letter-perfect and highly susceptible to solution. It may be that he did some crypt-analysis for the papal curia.
One of Giovanni Battista Porta’s cipher disks
But what of Porta’s contribution to polyalphabeticity? It consists essentially of a lamination of existing elements—the letter-by-letter encipherment of Trithemius, the easily changed key of Belaso, and the mixed alphabet of Alberti—into a modern system of polyalphabetic substitution. Unfortunately for Porta, though he specifically stated that “The order [of the letters in the tableau … may be arranged arbitrarily, provided no letter is omitted,” he illustrated the system only with standard alphabets, and a lazy posterity, while naming this trivial system for him, cheated him of full recognition of his contribution. He wisely used a long key—CASTUM FODERAT LUCRETIA PECTUS ALGAZEL—and advised the choice of “irrelevant words” for keys, because “The further removed they are from common knowledge, the greater safety do they afford to the writing.” No great originality may be claimed for Porta’s contribution to polyalphabeticity, but it remains the first time that the modern concept of polyalphabeticity was enunciated.
Perhaps the full measure of Porta’s remarkable abilities may best be taken by his brash tackling of the toughest problem of Renaissance cryptology—the solution of polyalphabetic ciphers. Despite the high esteem in which these ciphers were then universally held, Porta refused to admit their invincibility and thought out some methods of attack. These are rather artificial, but their importance lies not in their intrinsic value, which is low, but in the bold attitude that engendered them—the only attitude that leads to any success in cryptanalysis.
In his first solution, Porta mounted an assault on a progressive-alphabet cipher with mixed alphabets. It was produced by a cipher disk with a normal plaintext alphabet clockwise on the fixed portion and a series of fantastic cipher signs on the mobile portion, which turned one space clockwise after the encipherment of each letter. Porta observed that if three letters appear in alphabetical sequence in a plaintext word (as def in deficio or stu in studium) the one-space progression of the disk would bring the same cipher sign successively opposite each of them, resulting in a threefold repetition of that sign in the ciphertext. Using this as a basis, Porta solved a contrived cryptogram and reconstructed the symbol alphabet. In his second solution, given in a chapter added in the 1602 edition of De Furtivis, Porta modified his first method to solve another trick polyalphabetic cryptogram that had standard alphabets but that used a literal key. Here, a threefold repetition of a ciphertext letter signaled that a key with three letters in normal alphabetical order had enciphered a plaintext that had three letters in reverse alphabetical order. During his discussion, he came within a hair’s breadth of achieving the true general solution he sought: “Since there are … 51 letters between the first three MMM and the same three letters repeated in the thirteenth word, I conclude that the key has been given three times and decide correctly that it consists of 17 letters.” He never capitalized on this observation. Had he done so, he would have kept the polyalphabetic cipher from ever gaining the exaggerated reputation for security that glowed like a protective aura around it for 300 years.
De Furtivis, like Porta’s other books, went through several editions and, in 1591, it received the ultimate accolade: it was pirated by an unscrupulous printer of London, John Wolfe, who counterfeited the original 1563 edition almost to perfection. A legitimate 1593 edition, published under the title of De Occultis Literarum Notis, included at the rear cryptology’s first set of synoptic tables. These showed in graphic form the path the cryptanalyst must follow in his analysis of a given cryptogram, with the forks he must take if the message shows one characteristic as opposed to another. Porta’s overall rank in the cryptology of his day was well stated by Dr. Charles J. Mendelsohn,who has delved more deeply into this period than any other scholar: “He was, in my opinion, the outstanding cryptographer of the Renaissance. Some unknown who worked in a hidden room behind closed doors may possibly have surpassed him in general grasp of the subject, but among those whose work can be studied he towers like a giant.”
Though Porta had molded together the three basic elements that are essential to a modern concept of polyalphabeticity, refinements were always possible, and two other men of the 16th century devised improvements upon Belaso’s key procedure.
It is clear that a key that changes with each message provides more security than one that is used over and over for several messages. The ultimate, of course, is a key that changes with each message. The two men devised an exceedingly clever way to ensure this change: use the message itself as its own key. This is called an “autokey.” The first system was flawed and consequently unusable; the inventor is remembered chiefly for a contribution to steganography. The second worked perfectly. But though it afforded guarantees of security far above those of simple keywords, and though the author described it with clarity, and though his book is one of the most famous in cryptology, the system fell into utter oblivion and its inventor owes his fame to a crude and degenerate form of polyalphabetic substitution with which he had nothing to do and which he would have spurned.
The inventor of the first and imperfect autokey system was Girolamo Cardano, a Milanese physician and mathematician who is known today chiefly as one of the first popularizers of science and as author of the world’s first text on the theory of probability.
Born in 1501, Cardano had an overwhelming desire simply to be remembered—not even caring whether the memory was of good or of ill. He tried to assure himself a place in posterity by a stupendous volume of writing. In the 131 books that he published during his lifetime and the 111 that he left behind in manuscript, he discussed mathematics, astronomy, astrology, physics, chess, gambling (which included his pioneering investigation of probability), the immortality of the soul, consolation, marvelous cures, dialectics, death, Nero, gems and colors, the zeal of Socrates, poisons, air, water, nourishment, dreams, urine, teeth, music, morals, and wisdom. Somehow he did not give cryptology a book of its own, but inserted his information in his two best-selling popularizations of science. The first was De Subtilitate, a collection of illustrations and attempted explanations of scientific phenomena that included such topics as suggestions for teaching the blind to read and write by touch. Published in 1550, De Subtilitate embodied both the soundest physical learning of its time and its most advanced spirit of speculation. The public liked Cardano’s anecdotal exposition and his bizarre illustrations so much that he followed it six years later with a sort of continuation entitled De Rerum Varietate. Both books were translated and pirated by printers throughout Europe.
In his two discussions of cryptology, Cardano described the classic methods of antiquity, attempted a classification which leads to an unfortunate self-contradiction, gave directions for surreptitiously opening letters, laid down some elementary rules for solving messages and for developing secret ink, and offered a few methods of his own, accompanied by the usual laud: “In the case of the methods that we give, [cryptanalysis] would require an Apollo.” One of these is his autokey.
He employed the plaintext as a key to encipher itself, starting the key over from the beginning with each new plaintext word:
But while the autokey was a brilliant idea, Cardano formulated it defectively. First, it allows plural decipherments. With Cardano’s (standard) alphabets, cipher N could stand for a plaintext f keyed with an F as well as for plaintext s and key S. Second, and worse, the decip
herer is in exactly the same position as the cryptanalyst in trying to figure out the first plaintext word. This, once obtained, unlocks the rest of the message.* Consequently this formulation has been justly neglected, and the immortality that Cardano so desperately sought he achieved in cryptology with a system of steganography, which bears his name.
The Cardano grille consists of a sheet of stiff material, such as cardboard, parchment, or metal, into which rectangular holes, the height of a line of writing and of varying lengths, are cut at irregular intervals. The encipherer lays this mask over a sheet of writing paper and writes the secret message through the perforations, some of which will take a whole word, others a single letter, others a syllable. He then removes the grille and fills in the remaining spaces with an innocuous-sounding cover message. Cardano prescribed copying the message three times to smooth out any irregularities in the writing that might give the secret away. The decipherer simply places his grille on the message he receives and reads the hidden text through the “windows.” The method’s chief defect, of course, is that awkwardness in phrasing may betray the very secret that that phrasing should guard: the existence of a hidden message. Nevertheless, a number of countries made use of the Cardano grille in their diplomatic correspondence in the 1500s and 1600s.
Cardano also achieved the dubious renown of being the first cryptologist to cite the enormous number of variations inherent in a cryptographic system as “proof” of the impossibility of a cryptanalyst’s ever reaching a solution during his lifetime. After describing a monalphabetic substitution in which the 27 permutations of three-letter groups (AAA, AAB, AAC, ABA, … CCC) stand for the 24 letters of the alphabet and three common words, he stated: “The [number of possible] arrangements of alphabets will require 28 digits” and “such a number of arrangements could not be contained in many books.” He meant that the number of ways in which the 27 plaintext elements could be mated to possible ciphertext equivalents in trial solutions would require 28 digits to write out. As a matter of fact, it would require 29 digits, since the number of combinations is:
