The running-key cipher is a polyalphabetic substitution cipher that works like the Vigenère cipher but takes its key from a long stretch of text — classically a passage from an agreed book — rather than repeating a short keyword. Because the key is as long as the message and never repeats, it removes the periodic structure that makes ordinary Vigenère vulnerable to Kasiski analysis.
How it works
Letters are numbered 0 (A) through 25 (Z). The letters of the key passage are lined up beneath the message, one key letter per message letter. Encryption adds them modulo 26:
C = (P + K) mod 26
Decryption subtracts the same key letters:
P = (C - K) mod 26
Only letters in the key passage are used; its spaces and punctuation are skipped. In the message, non-letter characters pass through unchanged and do not consume a key letter, so the alignment between message letters and key letters is preserved.
Worked example
With key passage KING and plaintext MEET:
P: M E E T (values: 12, 4, 4, 19)
K: K I N G (values: 10, 8, 13, 6)
C: W M R Z (results: 22, 12, 17, 25)
M (12) plus K (10) = 22 → W. E (4) plus I (8) = 12 → M. And so on. Decrypting WMRZ with the same key passage subtracts each key letter modulo 26 to recover MEET.
Why the running-key cipher is interesting but not secure
The cipher solves Vigenère’s periodic key problem — Kasiski analysis fails because the key never repeats. However, it introduces a different weakness: both the message and the key are natural language, and natural language is heavily non-random. This redundancy makes the cipher vulnerable to a probabilistic attack that tries candidate key passages and scores the resulting plaintexts by their plausibility as English text.
In practice, an attacker who knows the plaintext is English can work backward: for each possible ciphertext letter, only one key letter produces a valid plaintext letter, and many of those pairs are uncommon in natural language. Combining constraints across multiple letters narrows the candidate key passages quickly. This attack requires significant effort but is much easier than breaking a true one-time pad, which is completely information-theoretically secure.
Agreement requirements
Sender and receiver must agree on:
- The exact source text — typically a specific edition of a book or a memorised poem.
- The starting position — which character in the text to begin from.
- Non-letter handling — whether digits and punctuation are stripped or passed through. This tool skips non-letters in the key and passes them through unchanged in the message.
A single discrepancy in the source text — different editions can have different punctuation — causes decryption to diverge from the correct point onward, corrupting the recovered message. This fragility is one reason the cipher was historically impractical for long-distance communication.