The Alberti Cipher

Author: William Servos '06

"Virtues of  a perfect cipher: that they be not laborious to write and read; that they be impossible to decipher; and, in some cases, that they be without suspicion." - Francis Bacon

The Alberti Cipher is a type of polyalphabetic cipher. A polyalphabetic cipher is similar to a Substitution, cipher. In some cases the multiple alphabets are just rotations of the existing the existing alphabet. This generates an encrypted ciphertext that cannot be solved by simple frequency analysis, because the mapping of plaintext letters to ciphertext letters is one-to-many, which is to say the plaintext letters have different ciphertext corespondents at different places in the text. The Alberti cipher is a particular kind of polyalphabetic cipher, and operates as described below.

Historical Background

Leon Battista Alberti, the bastard son of an Italian noble, developed a method of encipherment which revolutionized encryption in the West. The Alberti cipher, described in his 1467 treatise on encipherment, De Cifris (Alberti, Leon Battista, A Treatise on Ciphers, trans. A. Zaccagnini. Foreword by David Kahn, Galimberti, Torino 1997), is the first polyalphabetic cipher. Alberti's treatise was written for his friend Leonardo Dati and was never printed in the 15th centurey.

Alberti, who is considered to have been surpassed only by Leonardo Da Vinci as a Renaissance Man. Also known for his work in architecture, writing and painting, Alberti's insights into perspective have particularly influenced subsequent painters of his era. But he is most widely recognized as the father of Western Cryptology.

The Alberti cipher traditionally consisted of two metal discs, one mobile, and one immobile, attached by a common axle so that the inner disc may be rotated. Around the outside of the outer disc are inscribed the uppercase letters in the Latin alphabet, which is the English alphabet less J, U, and W, and also without H, K, or Y, since Alberti felt they were superfluous. The outer disc also included the numbers 1 through 4 for use with a codebook containing preselected phrases and words with assigned four-digit values. Alberti designed his cipher technique with courtesans and diplomats in mind.

The inner disc had a randomized uppercase Latin alphabet, which is the English alphabet minus u, w, and j, and with et (probably meaning '&'). Alberti thought his cipher was unbreakable, and this assumption was based on his inquiries into frequency analysis, which is the most effective method of deciphering monoalphabetic cryptograms; given enough cryptotext one can use the frequency of the letters in reference to a normal distribution to find the shift, and solve the cryptogram, this system fails to solve polyalphabetic cryptograms since the letter distribution is garbled. Interestingly, Alberti's studies involving cryptology were only a passing interest, at the suggestion of his friend, and secretary to the pope, Dato, Alberti decided to investigate encryption, and eventually published a book on the subject, despite its lack of relevance to his architecture and painting.

Encrypting a Message with Alberti Cipher

The process of encrypting into the Alberti cipher is simplified by Alberti's discs. On the inner disc was a mark which could be lined up with a letter on the outer disc as a key, so that if you wanted to encrypt or decrypt a message you only needed to know the correct letter to match the mark to. In order to decrypt a message written using Alberti's discs you had to have a matching alphabet on your inner disc. To make matters more complicated the disc could be turned during an encryption so that a different alphabet is used periodically. This was the first instance of the polyalphabetic cipher. When encrypting an interval of rotation can be predetermined by those reading and writing the ciphertext, adding a shift based on the letters in a secret shared keyword. The traditional discs shown below were the only method of using this type of cipher until the 16th century. Below is an example of Alberti's cipher disc.

(NOTE: In this diagram, the letters on the outer disc should be uppercase and those on the inner disc should be lowercase. The example given below is based on this representation of the disk. Click here for an image of the actual Alberti cipher disk. )

Alberti's 20 character Latin alphabet can be seen around the outer ring of the discs, the four numbers at the end being, again, used in reference to a codebook containing preselected phrases. Alberti deliberately left numbers off the inner disc so no numbers appeared in the ciphertext, so it contained a scrambled version of the normal Latin alphabet instead of Alberti's. This was a very effective method of concealing the code-numbers, since they blended in with the other garbled words, becoming indestinguishable.

The Alberti cipher was not periodic. Each correspondent had a different randomized alphabet in his position. In the 16th century Giovan Battista della Porta used a system of keywords to implement a cipher that can be seen as a variation of the Alberti cipher. One keyword was used to form a permutation of the alphabet, the other keyword was used to specify a sequence for the multiple alphabets to occur in. This technique, which was labeled the 'double cipher' has been more accurately described as polyalphabetic. Porta's permutation technique was based on a 2-dimensional table, for an example here's a version of Porta's table based on a 26 character alphabet:


           Equivalent to the outer disc
     a b c d e f g h i j k l m n o p q r s t u v w x y z
   0 A L B E R T I C P H D F G H J K M N O S U V W X Y Z
   1 Z A L B E R T I C P H D F G H J K M N O S U V W X Y
N  2 Y Z A L B E R T I C P H D F G H J K M N O S U V W X
u  3 X Y Z A L B E R T I C P H D F G H J K M N O S U V W
m  4 W X Y Z A L B E R T I C P H D F G H J K M N O S U V
b  5 V W X Y Z A L B E R T I C P H D F G H J K M N O S U
e  6 U V W X Y Z A L B E R T I C P H D F G H J K M N O S
r  7 S U V W X Y Z A L B E R T I C P H D F G H J K M N O
   8 O S U V W X Y Z A L B E R T I C P H D F G H J K M N
o  9 N O S U V W X Y Z A L B E R T I C P H D F G H J K M
f 10 M N O S U V W X Y Z A L B E R T I C P H D F G H J K
  11 K M N O S U V W X Y Z A L B E R T I C P H D F G H J
S 12 J K M N O S U V W X Y Z A L B E R T I C P H D F G H
h 13 H J K M N O S U V W X Y Z A L B E R T I C P H D F G
i 14 G H J K M N O S U V W X Y Z A L B E R T I C P H D F
f 15 F G H J K M N O S U V W X Y Z A L B E R T I C P H D
t 16 D F G H J K M N O S U V W X Y Z A L B E R T I C P H
s 17 H D F G H J K M N O S U V W X Y Z A L B E R T I C P
  18 P H D F G H J K M N O S U V W X Y Z A L B E R T I C
  19 C P H D F G H J K M N O S U V W X Y Z A L B E R T I
  20 I C P H D F G H J K M N O S U V W X Y Z A L B E R T
  21 T I C P H D F G H J K M N O S U V W X Y Z A L B E R
  22 R T I C P H D F G H J K M N O S U V W X Y Z A L B E
  23 E R T I C P H D F G H J K M N O S U V W X Y Z A L B
  24 B E R T I C P H D F G H J K M N O S U V W X Y Z A L
  25 L B E R T I C P H D F G H J K M N O S U V W X Y Z A

In this case the uppercase-letters correspond to the randomized inner alphabet of the discs, we use ALBERTICIPHER as the keyword to form the alphabet. The top letters correspond to the outer disc, and the numbers on the left represent the indexes of the multiple alphabets, a second keyword is used to denote a sequence of indexes used to select a row for the table. For Porta's type of cipher, the cryptographic key would consist of the permutation given in the first row of the table plus the shift that should be made after each letter of plaintext. Each new shift value, in Porta's method, or each character in the second keyword, signifies a new ciphertext alphabet.

As an example of this cipher we encrypt the message "this is a test of alberti" using the table above.

An Example of Alberti Cipher

We begin by writing the second keyword, CATWALK, repeatedly under the plaintext.


this is a test of alberti
CATW AL K CATW AL KCATWAL

Now replace the letters in the keyword with their number equivalents, where A=0, B=1, C=2 and so on.

t--h--i--s i--s a t--e--s--t o--f a--l--b--e--r--t--i 2 0 19 22 0 11 10 2 0 19 22 0 11 10 2 0 19 22 0 11

Next the character corresponding to the coordinates, defined by the plaintext character and the index shift value, (i.e. (t,2) = N, (h,0) = C, etc.)


this is a test of alberti
NCKW PC M NRZX JU MHLFVSX

The message is obviously unrecognizable. Also it should be noted that frequency analysis is useless since, non-corresponding letters h and s, and t and i have both been reassigned to matching letters C and X, respectively.

Decrypting a Message with the Alberti Cipher

To decrypt a secret message, write out the encrypted characters with their corresponding shifts.


N--C--K--W  P--C  M  N--R--Z--X  J--U  M--H--L--F--V--S--X
c--a--t--w  a--l  k  c--a--t--w  a--l  k--c--a--t--w--a--l
2  0 19 22  0 11 10  2  0 19 22  0 11 10  2  0 19 22  0 11

Now you could look up the plaintext characters in a table like the one above, only with the plaintext and permutation alphabets switched, to get the original message.

this is a test of alberti
Implementation of the Alberti Cipher

We have implemented a version of Alberti'd cipher as a part of HcryptoJ API, using the classes AlbertiEngine.java, which handles substitutions, and AlbertiKey.java, which utilizes the keywords. The computer implements the cipher first by forming a plaintext-alphabet, and then a ciphertext-alphabet, which is based on a keyword. In the table above the keyword was ALBERTICIPHER (with the repeated characters dropped), so the alphabet was formed with those characters and then the remaining characters in the alphabet are added alphabetically. A second keyword is used to create the period and sequence of shifts, for instance:

Key2 = CATWALK Cycle = CATWAL KC ATWALK Message = Encode Me Please
The key is wrapped until the message is filled, then the corresponding numerical value of the letter within the plaintext (a=0, b=1, c=2. . .) is used to encode the characters in the message, taking the index of the plaintext, adding the shift value taken from the second key, modulo 26, and then leaving a the index of a ciphertext character. Again, this is simplified by the computer into two arrays containing the alphabets, where each character is listed in its alphabetical order, and given a number, corresponding to that order, which is the index. This process is simplified to the mathematical algorithm
(PlaintextCharacterIndex+Shift)%26 = CiphertextCharacterIndex

The process works a lot like addition, where the characters represent numbers in a mod 26 number set.

E N C O D E M E P L E A S E + C A T W A L K C A T W A L K -------------------------------- B H H O X S B B K O P A C U
Recognizing Polyalphabetic Ciphers

The Alberti Cipher and all its relations, the polyalphabetic ciphers, are distinguished by their effect on letter frequencies. Assuming the language being dealt with is English, then the letter 'E' would normally be the most frequent letter, or in a mono-alphabetic cipher some other letter would be assigned the same frequency as 'E'. With a polyalphabetic cipher this does not occur. A letter may repeat and mean two different things, or never occur, even though when decrypted it is the most frequent letter in the writing. This invulnerability to frequency analysis is what caused Alberti to call his cipher unbreakable, and is the reason nearly all modern encryption is based on this method.

Analysis of Polyalphabetic Ciphers

What if you don't have the key to a polyalphabetic cipher, how hard would it be to decipher a message?

In general, polyalphabetic ciphers become more complex and harder to decipher the more frequent the shift change becomes. Since the shift change is one of many factors that complicate solving a polyalphabetic cryptogram, a system for solving the cryptogram must be developed that works around the changing shift. Jean-Guillaume-Hubert-Victor-Francois-Alexandre-Auguste Kerckhoffs' method for solving polyalphabetic ciphers, published in 1881 in his La Cryptographie militaire, required that multiple messages encrypted with the same key be used in conjunction, to form monoalphabetic ciphers.


         1 2 3 4 5 6 . . .
Message1 U L A K M H . . .
Message2 I O W E Q V . . .
Message3 B X Z E F N . . .
. . . 
The cryptograms are stacked on top of eachother, and the columns form monoalphabetic ciphers, which can be solved through many means, including frequency analysis. In the above example 'U', 'I' and 'B' represent one monoalphabet set. This method becomes easier when more messages are used. Kerckhoffs made a huge advancement in cryptology, since the previous method for solving polyalphabetic ciphers had restrictions on the type and length of the key, which meant long and elaborate keys were nearly impossible to decrypt in this fashion. This is to say, even if you have many messages using the same key, you still need to decipher a seperate monoalphabetic cipher for every character in any message you decide to decrypt. Polyalphabetic ciphers such as the one developed by Alberti represent the backbone of modern encryption, and gave rise to such marvels as the enigma machine, and have come a long way from the Renaissance Man's "unbreakable cipher."

For Further Study and Enjoyment

  • Wikpedia article on the Alberti cipher -- contains a translation of Alberti's own description of his cipher and a reference to a nice exercise using the Alberti disk.

  • CryptoToolJ. Try using CryptoToolJ, which includes my AlbertiEngine and AlbertiKey implementation, to create and analyze your own Alberti Cipher messages.