Running Key Cipher: Book-Based Encryption with Polyalphabetic Substitution
Complete guide to the running key cipher, a polyalphabetic substitution cipher using book passages as keys. Learn encryption, decryption, crib-dragging attacks, and how it compares to Vigenère and book ciphers.
Introduction
The running key cipher stands at an intriguing crossroads in cryptographic history. It takes the familiar Vigenère encryption mechanism — the tabula recta, modular addition, polyalphabetic substitution — and solves the most glaring weakness of its predecessor: the repeating key. By replacing a short keyword with an entire passage of text from a book, the running key cipher eliminates the periodic patterns that make standard Vigenère ciphers easy to break.
Yet the running key cipher is not unbreakable. Its genius and its weakness both stem from the same source: the use of natural language as key material. A book passage is long enough to avoid key repetition, but it is not random. The statistical properties of English — letter frequencies, common digraphs, predictable word patterns — persist in the key text and leak information about the plaintext. This makes the running key cipher a fascinating study in how security degrades when randomness is replaced by structure.
This guide covers everything from basic encryption mechanics to advanced crib-dragging attacks. Whether you are a cryptography student, a puzzle enthusiast, or a historian of Cold War intelligence, you will find here a thorough treatment of one of the most elegant classical ciphers.
Try our free Running Key Cipher Encoder & Decoder to follow along with the examples in this guide.
What Is the Running Key Cipher
The running key cipher is a polyalphabetic substitution cipher that uses a long text — typically a passage from a book — as the encryption key. Each letter of the plaintext is combined with the corresponding letter from the key text using the tabula recta (a 26x26 table of Caesar-shifted alphabets) to produce the ciphertext.
The defining property of the running key cipher is that the key is at least as long as the message. Unlike the Vigenère cipher, where a short keyword like "SECRET" repeats cyclically, the running key never repeats within a single message. This eliminates the periodic structure that makes Vigenère vulnerable to the Kasiski examination and index-of-coincidence tests.
The term "running key" refers to the fact that the key "runs" alongside the plaintext, one character at a time, drawn from a continuous source text. Historically, correspondents would agree on a specific book, edition, page number, and starting line. The book served as a shared key repository that both parties could access independently — no key transmission required.
The running key cipher is sometimes confused with the "book cipher," but these are fundamentally different systems. The running key cipher is a substitution cipher that transforms each letter mathematically. The book cipher is a code system that uses word positions (page-line-word references) to identify plaintext words directly. We explore this distinction in detail later in this article.
Mathematical Foundation
The encryption formula is identical to Vigenère:
Encryption: C[i] = (P[i] + K[i]) mod 26
Decryption: P[i] = (C[i] - K[i] + 26) mod 26
Where:
- P[i] is the plaintext letter at position i, mapped to 0-25 (A=0, B=1, ..., Z=25)
- K[i] is the key letter at position i
- C[i] is the ciphertext letter at position i
The "+26" in the decryption formula ensures the result is never negative before the modulo operation.
Step-by-Step Encryption Tutorial
Let us encrypt the message "SEND MORE TROOPS" using a passage from The C Programming Language by Brian Kernighan and Dennis Ritchie. We will use the opening of Chapter 1:
Key source: "A TUTORIAL INTRODUCTION TO THE C PROGRAMMING LANGUAGE"
After stripping spaces and converting to uppercase, the key becomes: ATUTORIALINTRODUCTIONTOTHECPROGRAMMINGLANGUAGE
Plaintext (letters only): SENDMORETROOPS
Key text (first 14 letters): ATUTORIALINTRO
Now we compute each ciphertext letter:
| Pos | Plaintext | Value | Key | Value | Sum | mod 26 | Ciphertext |
|---|---|---|---|---|---|---|---|
| 1 | S | 18 | A | 0 | 18 | 18 | S |
| 2 | E | 4 | T | 19 | 23 | 23 | X |
| 3 | N | 13 | U | 20 | 33 | 7 | H |
| 4 | D | 3 | T | 19 | 22 | 22 | W |
| 5 | M | 12 | O | 14 | 26 | 0 | A |
| 6 | O | 14 | R | 17 | 31 | 5 | F |
| 7 | R | 17 | I | 8 | 25 | 25 | Z |
| 8 | E | 4 | A | 0 | 4 | 4 | E |
| 9 | T | 19 | L | 11 | 30 | 4 | E |
| 10 | R | 17 | I | 8 | 25 | 25 | Z |
| 11 | O | 14 | N | 13 | 27 | 1 | B |
| 12 | O | 14 | T | 19 | 33 | 7 | H |
| 13 | P | 15 | R | 17 | 32 | 6 | G |
| 14 | S | 18 | O | 14 | 32 | 6 | G |
Result: SENDMORETROOPS encrypts to SXHWAFZEEZBHGG
The encrypted message looks random and shows no obvious relationship to either the plaintext or the key. In traditional five-letter blocks, it would be transmitted as: SXHWA FZEEZ BHGG.
Notice a few important details:
- The first letter S encrypts to S because the key letter A has value 0 (no shift). This is a known weakness: an A in the key leaves the plaintext unchanged.
- Letters E and Z appear multiple times in the ciphertext, but they represent different plaintext letters each time — a hallmark of polyalphabetic ciphers.
Decryption Process
To decrypt, the recipient needs the exact same key text. They apply the decryption formula: P[i] = (C[i] - K[i] + 26) mod 26.
Ciphertext: SXHWAFZEEZBHGG
Key text: ATUTORIALINTRO
| Pos | Ciphertext | Value | Key | Value | C - K + 26 | mod 26 | Plaintext |
|---|---|---|---|---|---|---|---|
| 1 | S | 18 | A | 0 | 44 | 18 | S |
| 2 | X | 23 | T | 19 | 30 | 4 | E |
| 3 | H | 7 | U | 20 | 13 | 13 | N |
| 4 | W | 22 | T | 19 | 29 | 3 | D |
| 5 | A | 0 | O | 14 | 12 | 12 | M |
| 6 | F | 5 | R | 17 | 14 | 14 | O |
| 7 | Z | 25 | I | 8 | 43 | 17 | R |
| 8 | E | 4 | A | 0 | 30 | 4 | E |
| 9 | E | 4 | L | 11 | 19 | 19 | T |
| 10 | Z | 25 | I | 8 | 43 | 17 | R |
| 11 | B | 1 | N | 13 | 14 | 14 | O |
| 12 | H | 7 | T | 19 | 14 | 14 | O |
| 13 | G | 6 | R | 17 | 15 | 15 | P |
| 14 | G | 6 | O | 14 | 18 | 18 | S |
Recovered plaintext: SENDMORETROOPS
Both parties must agree not only on the book but also on exactly how to extract key characters: whether to include spaces, punctuation, digits, or only alphabetic characters. Any difference in key extraction will garble the decryption.
Running Key vs Book Cipher
The running key cipher and book cipher are often confused, but they operate on entirely different principles:
Running key cipher — A substitution cipher. The book text serves as a key to transform each plaintext letter via the tabula recta. The output is a string of letters. The mathematical relationship C = (P + K) mod 26 governs every character. The book text and plaintext are the same length, and the encryption is letter-by-letter.
Book cipher — A code system. The book serves as a codebook, and each word in the plaintext is represented by its position in the book: page number, line number, and word number. The output is a series of number triplets (e.g., "42-7-3" means page 42, line 7, word 3). No mathematical transformation occurs — the book is a lookup table for whole words.
| Aspect | Running Key Cipher | Book Cipher |
|---|---|---|
| Unit of encryption | Individual letters | Whole words |
| Output format | Letters (or numbers 0-25) | Position references (page-line-word) |
| Mathematical operation | Modular addition via tabula recta | No math — positional lookup |
| Key usage | Book text as character-by-character key | Book as word-position codebook |
| Vulnerability | Crib-dragging attacks on language statistics | Identifying the correct book edition |
| Output length | Same as plaintext (letters only) | Variable (depends on word positions) |
A practical consequence: the book cipher can only encode words that appear in the source book. Proper nouns, technical terms, or unusual words may not be encodable. The running key cipher has no such limitation — it operates on individual letters and can encrypt any alphabetic text.
Running Key vs Vigenère vs Autokey
The running key cipher belongs to a family of polyalphabetic ciphers that all share the tabula recta mechanism but differ in how they generate the keystream.
Vigenère cipher: Uses a short keyword (e.g., "LEMON") that repeats cyclically. If the key is 5 letters and the message is 50 letters, the key repeats 10 times. This repetition creates periodic patterns that the Kasiski examination and Friedman test can detect, revealing the key length. Once the key length is known, each position can be solved as a simple Caesar cipher through frequency analysis.
Autokey cipher: Uses an initial keyword, then appends the plaintext itself to the key. For example, with keyword "QUEEN" and plaintext "ATTACKATDAWN", the full key becomes "QUEENATTACKA". The key does not repeat, but the autokey has its own vulnerability: since the key is partially composed of plaintext, a known-plaintext attack on any portion reveals subsequent plaintext and key simultaneously.
Running key cipher: Uses an external text source (a book passage) as the key. The key never repeats and is independent of the plaintext. However, both plaintext and key are natural language with similar statistical properties, enabling crib-dragging attacks.
| Feature | Vigenère | Autokey | Running Key |
|---|---|---|---|
| Key source | Short keyword | Keyword + plaintext | Book passage |
| Key repeats? | Yes | No | No |
| Kasiski attack works? | Yes | No | No |
| Crib-dragging works? | Not needed | Possible | Primary attack |
| Key distribution | Share a word | Share a word | Agree on book + position |
| Relative security | Lowest | Moderate | Moderate-high |
For hands-on comparison, try our Vigenère Cipher tool and Autokey Cipher tool alongside the running key cipher.
Cryptanalysis: Crib-Dragging Attack
The crib-dragging attack is the primary method for breaking running key ciphers. It exploits the fact that both the plaintext and key are natural-language text with predictable statistical properties.
How Crib-Dragging Works
The attacker guesses a probable plaintext word (a "crib") — such as "THE", "AND", "THAT", or domain-specific terms like "ATTACK" in a military context. They then "drag" this crib across every position in the ciphertext, subtracting it from the ciphertext at each position using the decryption formula.
If the crib is correct at a given position, the subtraction produces the corresponding section of the key text. Since the key is also English text, the result should be a recognizable fragment of English. If the result is gibberish, the crib is wrong at that position.
Worked Example
Suppose we intercepted the ciphertext: SXHWAFZEEZBHGG
An analyst tries the crib "THE" at position 1:
- S (18) - T (19) + 26 = 25 → Z
- X (23) - H (7) + 26 = 42 → mod 26 = 16 → Q
- H (7) - E (4) + 26 = 29 → mod 26 = 3 → D
Result: "ZQD" — not recognizable English. Move on.
Try "THE" at position 5:
- A (0) - T (19) + 26 = 7 → H
- F (5) - H (7) + 26 = 24 → Y
- Z (25) - E (4) + 26 = 47 → mod 26 = 21 → V
Result: "HYV" — not English either.
Try "SEND" at position 1:
- S (18) - S (18) + 26 = 26 → mod 26 = 0 → A
- X (23) - E (4) + 26 = 45 → mod 26 = 19 → T
- H (7) - N (13) + 26 = 20 → U
- W (22) - D (3) + 26 = 45 → mod 26 = 19 → T
Result: "ATUT" — this looks like the beginning of "A TUTORIAL"! The crib is likely correct.
The analyst now extends the hypothesis. If the key starts with "ATUTORIAL...", they can decrypt more positions and check if the plaintext continues to make sense. This back-and-forth process between plaintext and key text eventually recovers both streams.
Why It Works
The attack succeeds because of a fundamental asymmetry: there is only one valid decryption that produces readable English in both the plaintext and key streams simultaneously. Random combinations of crib positions produce gibberish in the key stream. The statistical distinctiveness of natural language — its letter frequency distribution, common digraphs like TH and HE, and word structure patterns — makes valid versus invalid decryptions easy to distinguish.
This is precisely why the running key cipher falls short of the one-time pad: the one-time pad uses truly random keys, which means every possible plaintext is equally likely. No crib-dragging attack can gain traction against a random key.
The One-Time Pad Connection
The running key cipher and the one-time pad share the same mathematical formula. The only difference is the source of the key:
- Running key: Key is natural-language text from a book
- One-time pad: Key is a sequence of truly random characters
This single difference separates a cipher that can be broken (the running key) from one that is mathematically proven to be unbreakable (the one-time pad). Claude Shannon demonstrated in 1949 that if the key is truly random, at least as long as the message, and never reused, the cipher achieves "perfect secrecy" — the ciphertext reveals absolutely no information about the plaintext.
The running key cipher fails to achieve perfect secrecy because book text is not random. English text has an entropy of approximately 1.0-1.5 bits per character, compared to the 4.7 bits per character of a truly random 26-letter alphabet. This gap between the key's actual entropy and its theoretical maximum is exactly the information that crib-dragging attacks exploit.
Historically, the running key cipher can be understood as a practical compromise. Generating and distributing truly random keys of sufficient length was logistically impractical for most 19th and early 20th-century communicators. Book text offered a "good enough" approximation: long, non-repeating, and accessible to both parties without key transmission. The trade-off was reduced security in exchange for dramatically simplified key management.
For modern users interested in exploring the one-time pad concept, try our Vernam Cipher tool, which implements the binary XOR version of the one-time pad.
Historical Context
Early Development
The polyalphabetic substitution concept dates to the 15th and 16th centuries. Johannes Trithemius described the tabula recta in 1508 in his work Polygraphia. Blaise de Vigenère expanded these ideas in 1586 in his Traicté des Chiffres. However, the systematic use of long text passages as running keys did not emerge until centuries later.
The French mathematician Arthur Joseph Hermann formalized the running key cipher concept in 1892, describing how published texts could serve as non-repeating polyalphabetic keys. His work recognized both the advantage (elimination of key repetition) and the limitation (natural-language statistics in the key) of the approach.
William Friedman's Cryptanalysis
William Friedman (1891-1969), often called the father of American cryptanalysis, developed systematic methods for attacking running key ciphers during the 1920s and 1930s while working for the U.S. Army's Signal Intelligence Service.
Friedman's approach combined probable-word testing with high-frequency digraph analysis. He recognized that when both plaintext and key are English, the resulting ciphertext letter frequencies deviate from uniform distribution in predictable ways. His techniques for exploiting these deviations laid the groundwork for modern computational cryptanalysis.
Friedman's work on running key ciphers contributed directly to the theoretical understanding of why randomness is essential for secure encryption — a principle that Claude Shannon would formalize mathematically in his landmark 1949 paper "Communication Theory of Secrecy Systems."
World War II and Cold War
During World War II, running key ciphers saw limited military use because more secure alternatives were available: the Enigma machine (for Germany), SIGABA (for the United States), and various one-time pad systems. However, intelligence agents and resistance networks sometimes used running key ciphers because they required no equipment beyond a commonly available book.
In the Cold War, the running key concept influenced the design of more sophisticated hand cipher systems. The Soviet VIC cipher, for instance, used a memorized phrase rather than a book passage, but applied the same principle of deriving a long key from a pre-agreed text source. The VIC cipher then added transposition layers that the simple running key cipher lacks.
Frequently Asked Questions
What is the best book to use as a running key?
The best book is one that both sender and receiver can access in identical editions, contains continuous prose (not poetry, tables, or lists), and is not an obvious choice that an adversary would test first. Historically, technical manuals, trade publications, and almanacs were preferred over famous novels precisely because they were less likely to appear on an attacker's list of candidate books. The specific edition matters — different printings may have different pagination.
Can a running key cipher use any text as the key?
Yes, any text can serve as the key: books, newspapers, letters, technical documents, song lyrics, or even random text. However, the security varies. Random text provides the highest security (approaching one-time pad levels), while repetitive or formulaic text (like legal documents or religious texts with repeated phrases) provides lower security due to predictable patterns. The key text must be at least as long as the plaintext message.
How long does it take to break a running key cipher?
With modern computers, a running key cipher using a known book can be broken in minutes to hours using automated crib-dragging against a library of candidate texts. Without knowing the book, the process takes longer but is still feasible for messages of moderate length (50+ characters). Very short messages (under 20 characters) may be practically impossible to break due to insufficient statistical data, while very long messages are easier to break because they provide more data for statistical analysis.
Is the running key cipher used today?
The running key cipher is not used for actual secure communication today. Modern encryption algorithms like AES-256 and ChaCha20 provide far superior security with much simpler key management. However, the running key cipher remains valuable for education, puzzle competitions, geocaching challenges, and understanding the historical evolution of cryptography. It provides an excellent hands-on demonstration of why key randomness matters for security.
What happens if the key text is shorter than the message?
If the key text is shorter than the message, you have two options: (1) extend the key by continuing to the next page, chapter, or section of the source text, or (2) wrap around and reuse the key from the beginning. Option 2 effectively converts the running key cipher back into a Vigenère cipher with a very long key, reintroducing the periodic vulnerability — though the long period makes attacks significantly harder than a short keyword. Option 1 is strongly preferred.
Can you use the running key cipher with numbers or special characters?
The classic running key cipher operates on the 26-letter English alphabet only. Numbers, spaces, and special characters are typically stripped from both the plaintext and key before encryption. However, the underlying modular arithmetic can be extended to larger character sets. A running key cipher over a 256-character ASCII set would use mod 256 instead of mod 26, and a key text containing numbers and punctuation would participate fully in the encryption.