by Lars Adolph, Bernhard Esslinger, published on 2026-04-12
An intercepted prototype log offers a first glimpse into the cryptographic experiments of a clandestine group. Can you reconstruct the hidden state behind the recorded bitstream?
by Bernhard Esslinger, Lillin Modi, published on 2025-09-23
An old cipher, new scale: a secret permutation of 676 bigrams replaces every letter pair. A plaintext-ciphertext pair has leaked. Instructions and a Python program are available. Can you reconstruct the full key?
by Gabriel Sá Diogo, Jonas Schmitt, published on 2025-08-08
Someone thought that Post-Quantum-Cryptography does not need to be that complicated. Thus he simplified the MAYO-Signature Scheme to Vinaigrette. Can you find an exploit to forge signatures?
An apparently unsolvable logic problem is wrapped in this cipher, but does that mean the cipher itself has no weakness? Meet Lady Liz and "relative encryption", which turns two characters into one.
Fialka was a rotor cipher machine used by the USSR during the Cold War. This second part challenges your understanding of the machine. Despite longer keys being used, can you still break the machine?
Fialka was a rotor cipher machine used by the USSR during the Cold War. This challenge gives you the opportunity to understand the machine and test your skills at breaking it.
During the Cold War, anyone could encrypt relatively securely with the PX-1000. To prevent this, the NSA added a backdoor in the successor model PX-1000cr. However, even the supposedly secure original version has weaknesses. Can you break the PX-1000?
Ready for the third Elliptic Boogaloo? In this challenge, we dance on elliptical curves and try to forge digital signatures. But some hints went missing. However, a nasty encryption algorithm prevents us from putting the necessary pieces of the puzzle together. Can you still manage to forge a signature?
Ready for the second Elliptic Boogaloo? In this challenge, we dance on elliptical curves and try to forge digital signatures. But some hints went missing. Can you still forge a signature?
An English plaintext of length 4272 was encrypted with the Hutton cipher, a pen-and-paper cipher from 2018. The length of the two passwords is also known. Can you successfully perform a ciphertext-only attack?
The Josse cipher is a polyalphabetic cipher from the time of the Franco-Prussian War. Its description was lost. It was only rediscovered and published in 2020. In these challenges you are to decipher several, increasingly shorter ciphertexts.
The Josse cipher is a polyalphabetic cipher from the time of the Franco-Prussian War. Its description was lost. It was only rediscovered and published in 2020. In these challenges you are to decipher several, increasingly shorter ciphertexts.
The Josse cipher is a polyalphabetic cipher from the time of the Franco-Prussian War. Its description was lost. It was only rediscovered and published in 2020. In these challenges you are to decipher several, increasingly shorter ciphertexts.
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the fourteenth challenge in a series of 16 level-3 challenges with the SZ42. In this "Breaking" challenge you are only provided with one ciphertext. Can you find the MU-, CHI-, and PSI wheel patterns and decrypt the ciphertext?
The legendary Merkle-Hellman Knapsack cryptosystem can also be used for public-key encryption. Is the cryptosystem secure or can you crack the ciphertext?
The legendary Merkle-Hellman Knapsack cryptosystem is not suitable for hiking, but it is considered a pioneer of asymmetric cryptography.
Can you crack the ciphertext?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the last challenge in a series of 13 level-2 challenges with the SZ42. In this "key breaking" challenge you are provided with one ciphertext and parts of the corresponding plaintext. Can you find the MU wheel patterns and decrypt the ciphertext?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the twelfth challenge in a series of 13 level-2 challenges with the SZ42. In this "key breaking" challenge you are provided with one ciphertext and parts of the corresponding plaintext. Can you find the PSI wheel patterns and decrypt the ciphertext?
The SIGABA CSP-2900 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 200 and 100 characters.
The SIGABA CSP-2900 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 270 and 120 characters.
The SIGABA CSP-2900 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 320 and 120 characters.
The SIGABA CSP-889 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 200 and 100 characters.
The SIGABA CSP-889 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 270 and 120 characters.
The SIGABA CSP-889 was a highly secure encryption machine used by the US for strategic communication in WWII. In this series of challenges, you are provided with a ciphertext and a partially-known plaintext, here with the length of 320 and 120 characters.
Update June 2021: We replaced the used key (and this changed the ciphertext) since a part of the previous used key was leaked in the newest SIGABA template of CrypTool 2.
The Wheatstone Cryptograph is a simple device that resembles a clock with two hands. For each hand there is a ring of symbols. In this challenge the key is a random permutation of the english alphabet. Are you able to decrypt the given ciphertext?
The Wheatstone Cryptograph is a simple device that resembles a clock with two hands. For each hand there is a ring of symbols.
Are you able to decrypt the given ciphertext?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the eleventh challenge in a series of 13 level-2 challenges with the SZ42. In this "key breaking" challenge you are provided with one ciphertext and the corresponding plaintext. Can you find the wheel patterns?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the tenth challenge in a series of 13 level-2 challenges with the SZ42. In this "key breaking" challenge you are provided with one ciphertext and the corresponding plaintext. Can you find the wheel patterns?
Update January 2021: The starting positions for the CHI wheels were added.
This series deals with a grid — a basic tool cryptographers use to separate sequences of data into columns and rows. In this challenge you are given three grids where the first grid gives you hints to reveal the plaintext of the second grid. Are you able to find the right route?
This series deals with a grid — a basic tool cryptographers use to separate sequences of data into columns and rows. In this challenge you are given four grids where the first grid gives you hints to reveal the plaintext of the second grid. Are you able to find the right route?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the ninth challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext; the patterns for all the wheels are known as well as the starting positions for the CHI wheels. Can you find the starting positions for both the MU and PSI wheels and decrypt the ciphertext?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the eighth challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext; the patterns for all the wheels are known as well as the starting positions for the CHI and PSI wheels. Can you find the starting positions for the MU wheels and decrypt the ciphertext?
This series deals with a grid — a basic tool cryptographers use to separate sequences of data into columns and rows. In this challenge you are given two grids where the first grid gives you hints to reveal the plaintext of the second grid. Are you able to find the right route?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the seventh challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext; the patterns for all the wheels are known as well as the starting positions for the CHI and MU wheels. Can you find the starting positions for the PSI wheels and decrypt the ciphertext?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the sixth challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext and the patterns for all five CHI wheels are known. Can you find the starting positions for the five CHI wheels?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the fifth challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext and the patterns for CHI1 and CHI2 wheels are known. Can you find the starting positions for CHI1 and CHI2?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the fourth challenge in a series of 13 level-2 challenges with the SZ42. In this "setting" challenge you are provided with only one ciphertext and the patterns for CHI1 and CHI2 wheels are known. Can you find the starting positions for CHI1 and CHI2?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the third challenge in a series of 13 level-2 challenges with the SZ42. Here, you are provided with 2 in-depth ciphertexts and a limitation is used. Can you recover the plaintexts?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the second challenge in a series of 13 level-2 challenges with the SZ42. Here, you are provided with 4 in-depth ciphertexts and a limitation is used. Can you recover the plaintexts?
The Lorenz SZ42, codenamed Tunny, was a German teleprinter encryption device used during WW2. This is the first challenge in a series of 13 Level-2 challenges with the SZ42. Here, you are provided with 8 in-depth ciphertexts. Can you recover the plaintexts?
by Miroslav Dimitrov, Bernhard Esslinger, published on 2020-07-16
This is part 3 of the challenge series about lattice-based cryptography schemes. This challenge introduces an encryption scheme which uses systems of linear equations. Can you decrypt a message without knowing the key?
by Miroslav Dimitrov, Bernhard Esslinger, published on 2020-06-23
Lattice-based cryptography schemes are relevant for current post-quantum cryptography research. This challenge series accompanies the basic theory from a chapter of the CrypTool Book called "LIGHTWEIGHT INTRODUCTION TO LATTICES". This part of the challenge series uses vectors to hide a famous quote in modern art. Can you reveal it?
by Miroslav Dimitrov, Bernhard Esslinger, published on 2020-05-16
Lattice-based cryptography schemes are relevant for current post-quantum cryptography research. This challenge series accompanies the basic theory from a chapter of the CrypTool Book called "LIGHTWEIGHT INTRODUCTION TO LATTICES". In this part of the challenge series we introduce systems of linear equations to find a hidden message in a picture.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from a T52E ciphertext and a crib. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from a T52D ciphertext and a crib. The key is unknown.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from a T52AB ciphertext and a crib. The key is unknown.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from a T52D ciphertext and a crib. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from T52D ciphertexts "in-depth". You are also provided with cribs for each message. The key is unknown.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from T52E ciphertexts "in-depth". You are also provided with cribs for each message. The key is partially known.
This part of the challenge series introduces polyhomophonic substitution. In a polyhomophonic substitution cipher, each ciphertext symbol can represent one of several plaintext symbols, and each plaintext letter can be encrypted as one of several ciphertext letters. The key is a mapping from the set of plaintext symbols to the set of ciphertext symbols.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. As in the first five parts of this series of challenges, you are provided with a partial known-plaintext. However, in this part you get no information about the key.
This part of the challenge series is a warm-up with polyphonic substitution. In a polyphonic substitution cipher, more than one plaintext letter are encrypted to the same ciphertext symbol. The key is a mapping from the set of plaintext symbols to the set of ciphertext symbols.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. As in the first four parts of this series of challenges, you are provided with a partial known-plaintext, and some information about the key settings. However, in this part you get even less information about the key.
This part of the challenge series is a warm-up with homophonic substitution. In a homophonic substitution cipher, there are more than one ciphertext symbol for each plaintext symbol. The key is a mapping.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. As in the first three parts of this series of challenges, you are provided with a partial known-plaintext, and some information about the key settings. However, in this part you get even less information about the key.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. As in part 1 and part 2 of this series of challenges, you are provided with a partial known-plaintext, and some information about the key settings. However, in this part you get even less information about the key.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. As in part 1 of this series of challenges, you are provided with a partial known-plaintext, and some information about the key settings. However, in this part you get less information about the key.
The SIGABA was a highly secure encryption machine used by the US for strategic communications in WWII. It is believed that the German codebreakers were unable to make any inroads against SIGABA. In this part of the series of challenges, you are provided with a partial known-plaintext, and some information about the key settings.
LoRa calculates the ciphertext by using a logic expression as key. The ciphertext unusually contains large bitstreams too. Could you find the logic expression from a given ciphertext?
by Nils Kopal, Christian Bender, published on 2020-01-28
This challenge series introduces in detail the handling of the differential cryptanalysis (DCA). In the first two challenges you have to decrypt encrypted images and enter the code shown in the images. The second challenge requires filtering.
This is part two of the two polyphonic cipher challenges, where again two or more plaintext letters correspond to one cipher symbol. Can you solve such a cipher?
Christmas Challenge 2019: Differential Cryptanalysis — Part 1
Level 2
by Nils Kopal, Christian Bender, published on 2019-12-22
This challenge series introduces in detail the handling of the differential cryptanalysis (DCA). In the first two challenges you have to decrypt encrypted images and enter the code shown in the images. The first challenge needs no filtering, as only valid plaintext-ciphertext pairs are delivered.
Determine which type of classic cipher was used to generate each of 500 ciphertext messages. The ciphers used in this challenge are simple substitution, columnar transposition, Vigenère, Playfair, and Hill.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from one T52C ciphertext. The key is unknown.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover a plaintext from one T52AB ciphertext. The key is unknown.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of new heavier challenges with T52. In this challenge, you need to recover the plaintexts from T52D ciphertexts "in-depth". The key is unknown.
Like the MONOALPHABETIC SUBSTITUTION WITH CAMOUFLAGE series of challenges, this two-part challenge considers a modification of the classic simple substitution cipher achieved by randomly introducing decoy characters into the ciphertext in encryption which are then ignored in decryption. In part 2, the plaintext is first divided into two parts, then each part will be encrypted separately.
Like the MONOALPHABETIC SUBSTITUTION WITH CAMOUFLAGE series of challenges, this two-part challenge considers a modification of the classic simple substitution cipher achieved by randomly introducing decoy characters into the ciphertext in encryption which are then ignored in decryption. In part 1, the cipher uses a key which devides the ciphertext alphabet into signal characters and noise characters.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from a T52ca ciphertext. The key is partially known. You are also provided with a crib.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from a T52c ciphertext. The key is partially known. You are also provided with a crib.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from six "in-depth" ciphertexts built with T52ca. You are also provided with cribs for each message.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from six "in-depth" ciphertexts built with T52a/b. You are also provided with cribs for each message.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from six "in-depth" ciphertexts built with T52c. The key is partially known. You are also provided with cribs for each message.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from ten "in-depth" ciphertexts built with T52ca. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from ten "in-depth" ciphertexts built with T52c. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext from ten "in-depth" ciphertexts built with T52ab. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext only from a T52ab ciphertext. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext only from a T52d ciphertext. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext only from a T52c ciphertext. The key is partially known.
The Siemens and Halske T52 was a family of German teleprinter encryption devices used during WW2. This challenge is part of a series of challenges with T52. In this challenge, you need to recover the plaintext only from a T52ab ciphertext. The key is partially known.
Handycipher is a low-tech stream cipher, simple enough to permit pen-and-paper encrypting and decrypting of messages, while providing a significantly high level of security. Handycipher was first published in 2014 and further improved in 2015 and 2016. Part 10 of the Handycipher series presents the same challenge as Part 9 but with a different key choice. It is a ciphertext-only challenge.
Part 2 of the series "Handycipher made in love" is almost identical to Part 1 except that the solution you are asked for is the correct key that Alice used to produce the ciphertext rather than the short message embedded in the plaintext.
by Nils Kopal, Bernhard Esslinger, published on 2019-05-08
Homophonic encryption is a modified version of the monoalphabetic substitution: One plaintext symbol can be substituted by more than one ciphertext symbol. In part 4 of this series we consider a distribution of the homophones based on English language statistics like in part 2, but the alphabet doesn't contain the blank. This is a ciphertext-only challenge. Try to crack the ciphertext and extract a specific word from the plaintext.
by Nils Kopal, Bernhard Esslinger, published on 2019-05-08
Homophonic encryption is a modified version of the monoalphabetic substitution: One plaintext symbol can be substituted by more than one ciphertext symbol. In part 3 of this series every plaintext symbol has the same number of possible substitutions like in part 1, but the alphabet doesn't contain the blank. This is a ciphertext-only challenge. Try to crack the ciphertext and extract a specific word from the plaintext.
by Nils Kopal, Bernhard Esslinger, published on 2019-05-08
Homophonic encryption is a modified version of the monoalphabetic substitution: One plaintext symbol can be substituted by more than one ciphertext symbol. In part 2 of this series we consider a distribution of the homophones based on English language statistics. This is a ciphertext-only challenge. Try to crack the ciphertext and extract a specific word from the plaintext.
by Nils Kopal, Bernhard Esslinger, published on 2019-05-04
Homophonic encryption is a modified version of the monoalphabetic substitution: One plaintext symbol can be substituted by more than one ciphertext symbol. In part 1 of this series every plaintext symbol has the same number of possible substitutions. This is a ciphertext-only challenge. Try to crack the ciphertext and extract a specific word from the plaintext.
Once upon a time, there was a three-part challenge which was inspired by Kryptos and is based on a fairy tale. Can you solve this mysterious challenge?
Once upon a time, there was a three-part challenge which was inspired by Kryptos and is based on a fairy tale. Can you solve this mysterious challenge?
Once upon a time, there was a three-part challenge which was inspired by Kryptos and is based on a fairy tale. Can you solve this mysterious challenge?
The challenges for the weakened ElsieFour serve as an exercise and use an intentionally weakened version of LC4. ElsieFour combines ideas of modern RC4 stream cipher, historical Playfair cipher and plaintext-dependent keystreams. It can be computed manually. Part 2 is a partly-known key challenge which provides 12 consecutive characters of the key.
The challenges for the weakened ElsieFour serve as an exercise and use an intentionally weakened version of LC4. ElsieFour combines ideas of modern RC4 stream cipher, historical Playfair cipher and plaintext-dependent keystreams. It can be computed manually. Part 1 is a partly-known key challenge which provides the first 12 characters of the key.
The Secret Archives of the Vatican keep a large collection of ciphertexts from papal correspondence. The keys of these manuscripts have been destroyed, or are kept elsewhere and been forgotten. Can you find out how to decipher the letter from March 14, 1625?
A solution to this challenge was published on 2018-06-19. Solutions can still be submitted and verified, but no points will be awarded for them.
The hero of the book has to decode a manuscript — seven lines of it are here for you. These lines were encoded with a mixture of classic methods — anagrams, two position-dependent monoalphabetic substitutions and Atbash. Can you help him?
What do you do, if your father and your stepmother decide to communicate only encrypted? You tape-record the messages. But what do the two of them really talk about?
Decrypting a Christmas carol to help children in need? It's not that easy, if you don't know much about cryptography. Can you help Jacob and the children?
The challenges for the weakened ElsieFour serve as an exercise and use an intentionally weakened version of LC4. ElsieFour combines ideas of modern RC4 stream cipher, historical Playfair cipher and plaintext-dependent keystreams. It can be computed manually. Part 3 is a partly-known-plaintext challenge which provides 2 messages that were encrypted with the same key.
ElsieFour combines ideas of modern RC4 stream cipher, historical Playfair cipher and plaintext-dependent keystreams. It can be computed manually. Part 1 is a partly-known-plaintext challenge which provides 2 messages that were encrypted with the same key.
by Miroslav Dimitrov, Bernhard Esslinger, published on 2017-07-02
From a honeypot you get a set of encrypted files and the according plaintext files. Could you discover the used key, to help victims of the ransom ware?
Holographic encryption can be performed by employing encryption masks which alter the field before propagation. This makes the image
unrecognizable when recorded. You are given three holograms that represent the cipher image and three plain images and their holograms which were encrypted with the same encryption masks.
Holographic encryption can be performed by employing encryption masks which alter the field before propagation. This makes the image unrecognizable when recorded. You are given three holograms that represent the cipher image and two corrupted encryption masks.
Hilly is an improved version of the Hill cipher. This challenge consists of the decryption of a ciphertext by means of a given plaintext-ciphertext pair.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 9 is the same as Part 6, but uses an improved version of the cipher. It is a ciphertext-only challenge.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 8 is the same as Part 5, but uses an improved version of the cipher. You are given the ciphertext and 229 letters occuring at an unknown location in the plaintext.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 7 is the same as Part 4, but uses an improved version of the cipher. You are given the ciphertext and the first 229 letters of the plaintext.
This series consists of 5 challenges based on each other. It introduces a new three-step cipher called ASAC, which is a modified version of ADFGVX. Part 5 is a "bonus" and just modifies the second challenge of this series by improving the second step of the cipher.
This series consists of 5 challenges based on each other. It introduces a new three-step cipher called ASAC, which is a modified version of ADFGVX. Part 4 uses the complete cipher and is the main challenge of this series.
This series consists of 5 challenges based on each other. It introduces a new three-step cipher called ASAC, which is a modified version of ADFGVX. Part 3 involves the complete cipher but weakens the third step by using a single-column transposition instead of a double column transposition.
This series consists of 5 challenges based on each other. It introduces a new three-step cipher called ASAC, which is a modified version of ADFGVX. Part 2 uses only the first two steps of the cipher.
This series consists of 5 challenges based on each other. It introduces a new three-step cipher called ASAC, which is a modified version of ADFGVX. Part 1 is meant as an introduction and uses only the first step of ASAC.
The Weakened Handycipher challenges serve as an exercise and use an intentionally weakened version of Handycipher. Part 6 is the same as Part 3, but uses an improved version of the cipher. It is ciphertext-only.
The Weakened Handycipher challenges serve as an exercise and use an intentionally weakened version of Handycipher. Part 5 is the same as Part 2, but uses an improved version of the cipher. It is ciphertext-only, but you are given some partial information about the key.
The Weakened Handycipher challenges serve as an exercise and use an intentionally weakened version of Handycipher. Part 4 is the same as Part 1, but uses an improved version of the cipher. You are given the first 1,009 characters of the plaintext, and some partial information about the key.
Extended Handycipher is an enhancement of Handycipher. Part 6 is the same as Part 3, but uses an improved version of the cipher. You are given two encryptions of the plaintext generated with the same key. It is ciphertext-only.
Extended Handycipher is an enhancement of Handycipher. Part 5 is the same as Part 2, but uses an improved version of the cipher. You are given two encryptions of the plaintext generated with the same key, and 229 characters occuring at an unknown location in the plaintext.
Extended Handycipher is an enhancement of Handycipher. Part 4 is the same as Part 1, but uses an improved version of the cipher. You are given three encryptions of the plaintext generated with the same key, and the first 229 characters of the plaintext.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 6 is the same as Part 3, but uses an improved version of the cipher. It is a ciphertext-only challenge.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 5 is the same as Part 2, but uses an improved version of the cipher. You are given the ciphertext and 229 letters occuring at an unknown location in the plaintext.
Handycipher is a newly created cipher designed to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. Part 4 is the same as Part 1, but uses an improved version of the cipher. You are given the ciphertext and the first 229 letters of the plaintext.
This series consists of five parts which are based on each other and that will be getting more and more complicated with each part. This is the last part and teaches us something about the weaknesses of this method by improving it a little bit in some points.
This series consists of five parts which are based on each other and that will be getting more and more complicated with each part. This part is the actual challenge and tells you the New Year's greeting of the author.
This series consists of five parts which are based on each other and that will be getting more and more complicated with each part. Part 4 contains a little New Year's greeting of the author and part 5 teaches us something about the weaknesses of this method. Part 3 adds another modification.
This series consists of five parts which are based on each other and that will be getting more and more complicated with each part. Part 4 contains a little New Year's greeting of the author and part 5 teaches us something about the weaknesses of this method. Part 2 modifies the encryption of part 1 a little bit.
This series consists of five parts which are based on each other and that will be getting more and more complicated with each part. Part 4 contains a little New Year's greeting of the author and part 5 teaches us something about the weaknesses of this method. Part 1 is the easiest part of this series.
The story of the simple bookseller Paul from Eisleben and his beloved from the near Castle Mansfeld will be continued: A second postcard has been found.
Can you decipher the encrypted message?
The challenges for the simplified GRANIT cipher, a method that can be done manually, serve as an exercise and use an intentionally simplified version of GRANIT.
Part 3 is a ciphertext-only challenge for which the second permutation key is known.
The challenges for the simplified GRANIT cipher, a method that can be done manually, serve as an exercise and use an intentionally simplified version of GRANIT.
Part 2 is a ciphertext-only challenge for which the first permutation key is known.
The challenges for the simplified GRANIT cipher, a method that can be done manually, serve as an exercise and use an intentionally simplified version of GRANIT.
Part 1 is a ciphertext-only challenge for which both permutation keys are known.
Spirale is a OTP cipher designed to be simply performed by hand.
Part 4 is a ciphertext-only challenge with a 485-letter ciphertext.
Unlike the other three parts of this series, this one uses four new random keys.
Spirale is a OTP cipher designed to be simply performed by hand.
Part 3 is a ciphertext-only challenge with a 949-letter ciphertext.
In this part, two of the four keys are equal to the keys of the first two parts.
Spirale is a OTP cipher designed to be simply performed by hand.
Part 2 is a ciphertext-only challenge with a 659-letter ciphertext.
This part uses the same four keys for encryption as part 1 does.
Spirale is a OTP cipher designed to be simple to implement by hand. It is resilient to errors as they have only a local effect without obscuring all the ciphertext.
Part 1 is a partly-known plaintext challenge with a 314-letter ciphertext. The first 75 letters of the plaintext are known.
Part 2 of this series uses the same four keys as this one.
During the cold war the foreign intelligence agency of Germany established so-called stay-behind units. Their radio messages were encrypted by a OTP method, but the keys were used multiple times.
This challenge is about the effect of this multiple usage on the security of the method. You are given 5 messages, all encrypted with the same key.
This challenge series is about the GRANIT cipher, a method that can be done manually. It has been used for instance by the former GDR spy Günter Guillaume till about 1960.
Part 1, 2 and 3 of this series use the same keyword for generating the key matrix, but different permutation keys. This part has a ciphertext-only challenge and the ciphertext has 80 characters.
This challenge series is about the GRANIT cipher, a method that can be done manually. It has been used for instance by the former GDR spy Günter Guillaume till about 1960.
Part 1, 2 and 3 of this series use the same keyword for generating the key matrix, but different permutation keys. This part has a ciphertext-only challenge and the ciphertext has 110 characters.
This challenge series is about the GRANIT cipher, a method that can be done manually. It has been used for instance by the former GDR spy Günter Guillaume till about 1960.
Part 1, 2 and 3 of this series use the same keyword for generating the key matrix, but different permutation keys. In this part a codebook is used additionally, and the given ciphertext has 70 characters.
The challenges for the weakened Handycipher serve as an exercise and use an intentionally weakened version of Handycipher. Part 3 is a ciphertext-only challenge.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security.
The challenges for the weakened Handycipher serve as an exercise and use an intentionally weakened version of Handycipher. Part 2 is a ciphertext-only challenge with a helping additional information.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security.
The challenges for the weakened Handycipher serve as an exercise and use an intentionally weakened version of Handycipher. Part 1 is a partially-known-plaintext challenge with a helping additional information.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security.
A friend of yours has given you the following text which contains only X and Y characters. He claims that this text contains a codeword. Can you find it?
Extended Handycipher is an enhancement of the newly designed cipher Handycipher, which permits pen-and-paper encrypting and decrypting, while providing a significantly high level of security. You got only two different ciphertexts of the 996-character plaintext.
Extended Handycipher is an enhancement of the newly designed cipher Handycipher, which permits pen-and-paper encrypting and decrypting, while providing a significantly high level of security. From the 905-character plaintext 229 characters somewhere in it are known.
Extended Handycipher is an enhancement of the newly designed cipher Handycipher, which permits pen-and-paper encrypting and decrypting, while providing a significantly high level of security. From the 815-character plaintext the first 229 characters are known.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. You got only the ciphertext of the 993-character plaintext.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. From the 1142-character plaintext 229 characters somewhere in it are known.
Handycipher is a newly designed cipher to permit pen-and-paper encrypting and decrypting, while providing a significantly high level of security. From the 858-character plaintext the first 229 characters are known.
This is the beginner's challenge in a series about M-138, a manual cipher of the US army which has been relatively save at the beginning of world war 2nd. Part 1 of the series is a ciphertext-only challenge whose key is largely known.
This challenge is based on the Heartbleed Bug in OpenSSL discovered in April 2014. Attack a server which is specifically prepared to be vulnerable to the Heartbleed bug. Please note that it is necessary to solve Part 1 and 2 at first.
!!! We had to take off this challenge, as our firewall doesn't allow flawed servers any more -- even if this flaw was offered by will for training and within a sandbox. !!!
This challenge is based on the Heartbleed bug in OpenSSL discovered in April 2014. Attack a server which is specifically prepared to be vulnerable to the Heartbleed bug. Please note that it is necessary to solve Part 1 first.
!!! We had to take off this challenge, as our firewall doesn't allow flawed servers any more -- even if this flaw was offered by will for training and within a sandbox. !!!
This challenge is based on the Heartbleed Bug in OpenSSL discovered in April 2014. Attack a server provided by the group for Privacy and Compliance with the Research Institute Cyber Defence (CODE) at Bundeswehr University Munich, which is specifically prepared to be vulnerable to the Heartbleed bug.
!!! We had to take off this challenge, as our firewall doesn't allow flawed servers any more -- even if this flaw was offered by will for training and within a sandbox. !!!
In the last part of a series of mid-level Double Column Transposition challenges, you have to find the two keys. Each of it is 19 characters long and has been derived from an English phrase.
In this part of a series of mid-level Double Column Transposition challenges, the keys that has been used for both transposition are given. Find out from which phrases they have been derived!
In this part of a series of mid-level Double Column Transposition challenges, the same key has been used for both transposition. This allows you to attack this simple, yet strong cipher.
In this part of a series of mid-level Double Column Transposition challenges, a large part of the beginning of the plaintext is known. This partial crib allows you to attack this simple, yet strong cipher.
by Mark Stamp, Richard M. Low, published on 2014-04-14
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
by Mark Stamp, Richard M. Low, published on 2014-04-14
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
by Mark Stamp, Richard M. Low, published on 2014-04-14
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
by Luis Alberto Benthin Sanguino, published on 2014-03-27
Many telegrams that date from the Spanish Civil War (1936 - 1939) still remain undisclosed. It is assumed that these telegrams were encrypted using the Spanish Strip Cipher. Try to find the plaintext of this original telegram.
by Luis Alberto Benthin Sanguino, published on 2014-03-27
An English telegram was encrypted using the Spanish Strip Cipher, a popular algorithm during the Spanish Civil War. It is your task to find the plaintext.
by Luis Alberto Benthin Sanguino, published on 2014-03-27
A Spanish telegram was encrypted using the Spanish Strip Cipher, a popular algorithm during the Spanish Civil War. It is your task to find the plaintext.
In this part of this series of Enigma challenges, a plaintext message consisting of three letters which are repeated several times has been encrypted by the Enigma I. What are the first three letters of the plaintext?
In this part of this series of Enigma challenges, a plaintext message consisting of three letters which are repeated several times has been encrypted by the Enigma I. What was the setting of the Enigma rotors?
In this part of this series of Enigma challenges, a plaintext message consisting of two letters which are repeated several times has been encrypted by the Enigma I. What was the setting of the Enigma rotors?
by A. Wacker, Bernhard Esslinger, K. Schmeh, published on 2013-12-11
The double columnar transposition is considered to be one of the best manual encryption systems. This sequence considers vulnerabilities that have been used to solve the corresponding level X challenge. The three challenges of the sequence have an increasing difficulty. In the third part a German plaintext has been encrypted with random keys.
by A. Wacker, Bernhard Esslinger, K. Schmeh, published on 2013-12-11
The double columnar transposition is considered to be one of the best manual encryption systems. This sequence considers vulnerabilities that have been used to solve the corresponding level X challenge. The three challenges of the sequence have an increasing difficulty. In the second part two interleaved English texts have been encrypted with random keys.
by A. Wacker, Bernhard Esslinger, K. Schmeh, published on 2013-12-11
The double columnar transposition is considered to be one of the best manual encryption systems. This sequence considers vulnerabilities that have been used to solve the corresponding level X challenge. The three challenges of the sequence have an increasing difficulty. In the first part an English plaintext has been encrypted with keys derived from English sentences.
In this part of this series of Enigma challenges, a plaintext message consisting of one letter which is repeated several times has been encrypted by the Enigma I. What was the setting of the Enigma rotors?
Two scatterbrained professors exchange messages that have been encrypted with the Trifid cipher. Unfortunately, one of them lost the second of three layers. Will he nevertheless be able to decrypt the message he received from his colleague?
In this part of this series of Enigma challenges, a plaintext message consisting of one letter which is repeated several times has been encrypted by the Enigma I. What is the letter we are looking for?
You find a note with strange characters and an unsolved Sudoku on your brother's desk. You are curious and would like to find out what your brother is working on. Can you decrypt the note using the Sudoku?
Sarah and Igor are exchange students. Sarah lives in Moscow while Igor is in Berlin. To keep their little secrets confidential, they encrypt their emails. Decrypt the message to find out what Sarah wrote this time.
by Nils Griese, Nathalie Hänig, published on 2013-08-08
Nils would like to go on a journey and has given you a note with information about his destination. The note is encrypted. Can you find out where he would like to go?
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 212 decimal digits.
A solution to this challenge was published on 2013-07-31. Solutions can still be submitted and verified, but no points will be awarded for them.
by Mark Stamp, Richard M. Low, published on 2013-06-27
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
by Mark Stamp, Richard M. Low, published on 2013-06-06
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
The seven dwarfs are missing. Snow White however finds a file, which contains useful information steganographically hidden. Help her to find the dwarfs.
After solving the first part of this challenge, you can use the hints you found to decrypt the two ciphertexts that have been encrypted using the ADFGVX cipher.
The plaintext consists of English, French, German and Italian words. Can you identify the four sentences after you have solved the monoalphabetic substitution?
Can you break this cascading encryption that consists of a combination of substitution and transposition? The solution contains important information for the next parts.
In this challenge, only fragments of the grid used for a Playfair encryption are given. Are you able to reconstruct the matrix and decrypt the message?
This postcard from Thessaloniki was written in German in 1897. The encrypted text can either be considered as message from the sailor Fritz to his wife at home, or as a note regarding spionage activities. Can you determine the codeword that was used to request secret information?
The Beaver Code is a transposition cipher. Apart from the solution of this challenge, can you find a formula for any given ciphertext length, which generates the permutation needed to decrypt the ciphertext?
After the Order of the Templar has become very powerful, enviers try to crush it. The knights receive an encrypted letter but the key does not arrive. Does this letter contain the warning that would have saved the knights from being arrested?
Monoalphabetic Substitution with Camouflage — Part 6
Level 2
by Viktor Veselovsky, published on 2012-06-30
In the previous parts, you broke a monoalphabetic substitution with one camouflage alphabet. Can you find the plaintext even if nine camouflage alphabets have been used?
Your friend sent you an audio file that contains only a strange melody. In the email, your friend writes that the file contains a message encoded by a variant of Morse code. Can you find out how you can hear the Morse code?
In this challenge a plaintext has been encrypted using the KeyshancRT version of Keyshanc. The plaintext is an excerpt from one of William Shakespeare's plays.
In this challenge an excerpt from a novel has been encrypted using the "Keyshanc" cipher. Keyshanc is a special kind of monoalphabetic substitution using a 95-character alphabet.
In 1586 the famous French mathematician Blaise de Vigenère published a picture of the night sky and claimed that a message was concealed in it. Can you find out how to decipher this message?
A solution to this challenge was published on 2016-07-15. Solutions can still be submitted and verified, but no points will be awarded for them.
In order to decrypt the intercepted letter addressed to your neighbor, you need to find out which document has been used to encode the message with the book code.
Monoalphabetic Substitution with Camouflage — Part 5
Level 2
by Viktor Veselovsky, published on 2012-03-09
In the fifth part the same variant of the cipher already introduced in Part 3 and 4 of this challenge has been used here, too. The only difference is that spaces were removed previously to the encryption process.
Alice and Bob would like to agree upon a shared key. They use an Elliptic Curve Diffie-Hellman (ECDH) key-exchange protocol. Try to reproduce the steps that are necessary to calculate the key and to decrypt Bob's message.
With RSA keys, the private key d must remain private. If the public key e is very small, this is not completely possible. This exercise demonstrates how simple it is to compute a portion of the secret key d.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 617 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 617 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 500 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 490 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 480 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 470 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 463 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 460 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 450 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 440 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 430 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 420 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 410 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 400 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 390 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 380 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 370 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 360 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 350 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 340 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 330 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 320 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 310 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 309 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 309 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 300 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 290 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 280 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 270 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 270 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 260 decimal digits.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 250 decimal digits.
A solution to this challenge was published on 2020-02-28. Solutions can still be submitted and verified, but no points will be awarded for them.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 240 decimal digits.
A solution to this challenge was published on 2019-12-02. Solutions can still be submitted and verified, but no points will be awarded for them.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 232 decimal digits.
A solution to this challenge was published on 2020-02-17. Solutions can still be submitted and verified, but no points will be awarded for them.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 230 decimal digits.
A solution to this challenge was published on 2018-08-15. Solutions can still be submitted and verified, but no points will be awarded for them.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 220 decimal digits.
A solution to this challenge was published on 2016-05-13. Solutions can still be submitted and verified, but no points will be awarded for them.
This challenge descends from the RSA Laboratories contest to encourage research into the practical difficulty of factoring large integers of different length (between 330 and 2048 bit) and cracking RSA keys used in cryptography. This challenge is about factoring a number with 210 decimal digits.
A solution to this challenge was published on 2013-09-26. Solutions can still be submitted and verified, but no points will be awarded for them.
AES key — encoded in the machine readable zone of a European ePassport
Level 2
by S. Hick, published on 2012-01-16
An AES encrypted message has been forwarded to you. Additionally, you have received the corresponding key - unfortunately not quite complete - in a form like a machine readable zone on an identity document as it is used e.g. with ePassports in Europe.
Monoalphabetic substitution with camouflage — Part 4
Level 1
by Viktor Veselovsky, published on 2011-12-21
Alice and Bob use the cipher as it had been described in part 3 of this challenge. Due to an error one message has been encrypted and sent twice. Does this help you to find out the shared key and enables you to decrypt a third message easily?
Monoalphabetic substitution with camouflage — Part 2
Level 2
by Viktor Veselovsky, published on 2011-12-07
In this challenge it is to test whether a monoalphabetic substitution with camouflage provides more security even though spaces were not removed prior to the encryption.
After making yourself familiar with the idea of this cipher in part 1 it is now time to attack a larger plaintext. The monoalphabetic cipher that has been applied on the plaintext before should be the least problem.
A strange effect might occur if you encrypt a message using the RSA cipher: The encrypted message has got the same value as the plaintext. Can you find all of these unconcealed messages for the given public key?
Asterix and Obelix besiege Rome. They just happened to find an encrypted message but instead of the common Caesar Cipher the Romans used a new method. Can you decrypt the message?
In 2006 the distributed "M4 Message Breaking Project" under the lead of Stefan Krah aimed at decrypting three ENIGMA M4 messages from the time of World War II. Two of the three messages where decrypted within the first weeks. However, the third message withstood despite all efforts and remained unbroken.
Today, the M4 project has been discontinued with the last message still unbroken. The task of this challenge is to break this very last message - after all, a few years have past since the…
A solution to this challenge was published on 2013-12-31. Solutions can still be submitted and verified, but no points will be awarded for them.
Affine Codes / Modulo Arithmetic with N / Extended Euclid
Level 1
by Tanja Lange, Andreas Grüner, Bernhard Esslinger, published on 2011-09-09
Two girls want to communicate in a secret way using the „affine cipher“. Transform the encryption rule into the decryption rule and turn in the plaintext of the example.
In this challenge the rotational relationship between the Pigpen symbols are used to create a new cipher. In this part the well-known key squares are used as a warm up.
In order to calculate the private keys of the RSA algorithm, it is necessary to factorize large numbers. How difficult is it if we replace x*y by some diophantine equation?
This challenge concerns the Discrete Logarithm Problem (DLP) in a "medium" field.
For powers of very small primes and for large prime fields the function-field sieve and the number-field sieve are highly optimized; for intermediate fields algorithms with the same asymptotic behavior exist but the actual running times are slower. Are you able to solve the DLP in such a field anyway?
A pair of plaintext and the corresponding ciphertext encrypted with the ADFGVX cipher ist given. Can you reveal the substitution and transposition key used in this example?
by Verena Brunner, Bernhard Esslinger, published on 2011-08-15
You found out that a message encrypted with two different public keys but same modulus yield to the same ciphertexts. Are you able to name the smallest private key to decrypt ciphertexts that were generated with this parameters?
by Verena Brunner, Bernhard Esslinger, Joerg-Cornelius Schneider, published on 2011-07-22
A message was encrypted with three different moduli but the same public exponent.
Fortunately, you were able to catch the three different ciphertexts.
Are you able to recover the secret message?
by Rashmi Bangalore Muralidhar, Mark Stamp, published on 2011-06-15
Usually prefix-free codes are used for encryption because it makes the decryption process easier at the receiver's end. However, this challenge deals with a substitution cipher with non-prefix codes. This should be broken by performing a "ciphertext-only attack".
A piece of music is given as mp3 file and in music notation. The notes represent a secret message, which was encrypted with two classic methods. In part 1 of this challenge you have to solve the first of these methods. Thereafter, you can set out to solve part 2 (which is in level 2).
A piece of music is given as mp3 file and in music notation. The notes represent a secret message, which was encrypted with two classic methods. To solve this challenge you first have to solve part 1 (which is in level 1).
This time your friend packed the plaintext in a ZIP archive before encrypting it. Are you able to get the archive from the given ciphertext file, and then reveal the wanted plaintext?
Post-Quantum Cryptography: Unbalanced Oil and Vinegar System — Part 2
Level 2
by Marc Kleffmann, Enrico Thomae, Christopher Wolf, published on 2011-04-13
By the time quantum computers exist, the actual signing algorithms are not secure anymore. Then one can switch e.g. to so-called "Unbalanced Oil and Vinegar" systems. It is your challenge to break such a system, with realistic parameters, today already.
Post-Quantum Cryptography: Unbalanced Oil and Vinegar System — Part 1
Level 1
by Marc Kleffmann, Enrico Thomae, Christopher Wolf, published on 2011-04-06
By the time quantum computers exist, the actual signing algorithms are not secure anymore. Then one can switch e.g. to so-called "Unbalanced Oil and Vinegar" systems. It is your challenge to break a simplified version of such a system today already.
by Lehrstuhl für Kryptologie u. IT-Sicherheit, Ruhr-Universität Bochum, published on 2011-04-04
Password-based authentication means that a user sends a plaintext password to a server, and the server calculates the hash value of the received password and compares it with a stored hash value. Goal of this challenge is to reveal the plaintext password given its SHA1 hash value. There is some information known about the original password.
Your friend calls you again and wants you to “test” his cipher (see Kaskade-S/T Part 1) with a longer key. He sends you a plaintext and the corresponding ciphertext and asks, if you could discover the key used for encryption.
This time your friend only sends you a ciphertext, which has been encrypted using his cipher (see Kaskade-S/T Part 1 and Part 2). He wants you to figure out the title of the decrypted text.
Lunchtime Attack on the Fully Homomorphic Encryption Scheme
Level 2
by Coen Ramaekers, published on 2011-01-13
The Fully Homomorphic Encryption Scheme by Gentry and Halevi turns out to be vulnerable to so called lunchtime attacks. In this challenge you have to perform such an attack.
Recovering the Private Key in the Fully Homomorphic Encryption Scheme
Level 3
by Coen Ramaekers, published on 2011-01-13
In the Fully Homomorphic Encryption scheme by Gentry and Halevi the private key is included in the public key. So, theoretically it is possible to recover the secret key.
CMEA is a block cipher and was one of the 4 cryptographic primitives of the mobile communications network in the US. It is your challenge to perform a known-plaintext attack on CMEA with 100 known plaintext blocks given.
CMEA is a block cipher and was one of the 4 cryptographic primitives of the mobile communications network in the US. It is your challenge to perform a known-plaintext attack on CMEA with 40 known plaintext blocks given.
The Enigma is an electro-mechanical rotor machine used for encryption and decryption. One main part of the Enigma is changeable rotors. This challenge deals with the calculation of the key space.
The "Three Investigators" heard that it was possible to create truly unbreakable cipher texts if you linked a stream of true random numbers to the plaintext (one-time pad). However this random stream must be incalculable for outsiders. Do you think you can, nevertheless, decrypt an eavesdropped encrypted message from the "Three Investigators"?
The Purple machine was the Japanese counterpart of the German Enigma machine.
Decrypt the given ciphertext which was encrypted with the Purple machine.
by Lehrstuhl für Kryptologie u. IT-Sicherheit, Ruhr-Universität Bochum, published on 2010-10-25
To achieve a very fast decryption in RSA, one might choose the secret key to be rather small. It should, however, not be too small, since then it might be possible to mount brute-force attacks. The same holds for variants like RSA-CRT.
This is the final part of a 3-part challenge regarding the classical transposition. You can solve this challenge with pen and paper or by writing a small computer program. In this challenge, the plaintext was first encrypted with a monoalphabetic substitution cipher. After that, the result was encrypted a second time with the irregular columnar transposition to create the final ciphertext. The used key length for the columnar tranposition has less than 10 characters.
This is part 2 of a 3-part challenge regarding the classical transposition. You can solve this challenge with pen and paper as well as with different software programs. To create the ciphertext the plaintext was first encrypted with a classical shift cipher. The result of this encryption was then further encrypted with a columnar transposition with a key length of less than 10 characters.
This is part 1 of a 3-part challenge regarding the classical transposition. You can solve this challenge with pen and paper as well as with adequate software programs (e.g. CrypTool 2). With this irregular columnar tranposition a key length greater than 10 was used.
In September 1902, a book seller named Paul Winkler received a postcard in cipher. Sent from the nearby Mansfeld castle, it appears that a young lady wants to meet with Paul – secretly.
Find the name of the young lady and submit it as the codeword for this challenge. Use only capital letters.
by Lehrstuhl für Kryptologie u. IT-Sicherheit, Ruhr-Universität Bochum, published on 2010-10-14
Alice sends encrypted invitations for her birthday party to her friends. As it turns out, two of her friends use the same RSA parameter N. This fact allows an adversary Eve to decrypt the encrypted message without knowing the corresponding secret key.
Where does Alice's party take place? The codeword for this challenge is the location of Alice's party.
by Lehrstuhl für Kryptologie u. IT-Sicherheit, Ruhr-Universität Bochum, published on 2010-10-14
Alice has learned from her mistake from last year. This year, she makes sure that the friends to whom she sends invitations for her birthday party all use unique RSA N parameters. However, this time she still makes another mistake that allows an adversary, Eve, to reconstruct the message.
Can you again decrypt this year's invitation? The codeword for this challenge is the location of Alice's party.
In 1885, the US businessman James Ward published a booklet about an allegedly true story of a hidden treasure. According to the story, in 1823, a man named Thomas Beale hid several tons of gold and silver in a secret place and described the location of it in three encrypted messages. One of these messages was cracked, but it doesn't contain enough information to locate the treasure.
The two other messages are unsolved.
Brute-Force-Attack on Triple-DES with Reduced Key Space
Level 2
by Nina Schöllhammer, published on 2010-10-14
In present-days knowledge Triple-DES is secure if a really random key is used. If the key is not random and a part of the key may be guessed, it is possible to get knowledge of the rest of the key with a feasible bruteforce attack.
This challenge contains three messages encrypted with classical ciphers. You will need break each of the ciphers and take note of the three codewords. When you have all three codewords, submit them in the form "codeword1-codeword2-codeword3". Please note that the codewords are case sensitive and you have only 5 trials to find the correct solution.
The MTC3 team wishes everybody much success and fun in finding the correct solution.
In 1939, the Russian-born Briton Alexander D'Agapeyeff published a book named "Codes and Ciphers". This book contains a ciphertext that was meant as an exercise. So far, nobody has been able to decrypt this ciphertext. In later editions of his book, this exercise was omitted – possibly because he had forgotten the solution himself. D'Agapeyeff may have made a mistake during the encryption procedure, which makes it now difficult to find the cleartext.
In 1897, the English composer Edward Elgar sent an encrypted message to a lover. So far, nobody has been able to decrypt it. This message is known today as the "Dorabella Cipher".
The double columnar transposition is considered one of the best manual encryption systems. Many secret organizations have made use of it or still use it today. As there are only a few publications on this method, it is not clear if and how a well-constructed double transposition cipher can be broken.
A solution to this challenge was published on 2014-06-13. Solutions can still be submitted and verified, but no points will be awarded for them.
Decrypt the given ciphertext which is encrypted with the Enigma chiper. The wanted key conists of the configuration of the Enigma. Please give the letters in the key as capital letters.
Decrypt the given ciphertext which is encrypted with the Enigma chiper. The key conists of the configuration of the stecker and the initial setting of the three rotors. Please give the letters in the key as capital letters.
Kryptos is a sculpture made by the US artist Jim Sanborn. It is located next to the headquarters of the CIA in Langley, VA. An encrypted message was written on the sculpture. The message consists of four independent parts.
The first three parts have been solved, but the fourth one has so far withstood every attempt at decryption.
In 1923, a member of the Ku Klux Klan sent an encrypted telegram to one of his colleagues. This telegram could be preserved.
More than 60 years later, the US mathematician Cipher Deavours examined the telegram and was able to decipher it. In 1989, he published some of the details about the solution in the magazine Cryptologia („A Ku Klux Klan Cipher“, edition 3/1989). However, he didn‘t tell the complete solution – the last part was left to the reader as an exercise.
A solution to this challenge was published on 2026-03-26. Solutions can still be submitted and verified, but no points will be awarded for them.
Letter from the Alleged Countess Julie von Ortenburg
Level 1
by T. Schroedel, published on 2010-10-14
In 1806, the young countess Julie finds a dress with an old enciphered letter in a pouch. It reveals a secret of one of Julie's ancestors. Can you break the cipher?
The codeword for this challenge is the last word of the letter (all uppercase).
This is a famous speech of a German soccer star - including a mistake. The codeword consists of 2 words, one after the other with no space. The first is the password used to encrypt the plaintext, and the second is the mistake in the decrypted text. (The plaintext is in German.)
When creating RSA keys, it is important to choose the n and e parameters wisely. This was not done in this example, and thus you should be able to decipher this ciphertext message sent from Malawi. The plaintext gives the codeword, which is related to the photo.
It is also important to choose the parameters of an elliptic curve cryptosystem wisely. This was not done in this example, which should enable you to decrypt another ciphertext message from Malawi. The plaintext reveals the codeword, although this time it is not as closely related to the photo.
During World War II, the Italian solider Antonio Marzi worked as a radio operator. He created more than 230 pages full of enciphered notes about his experiences. Unfortunately, he forgot one step of his enciphering method. Still today, his records have never been decrypted.
A solution to this challenge was published on 2014-01-25. Solutions can still be submitted and verified, but no points will be awarded for them.
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
Hint: Enter the codeword in hex with non-capital letters.
The ORYX stream cipher consists of three 32-bit LFSRs X, A, B which are shifted differently depending on some bits in the LFSR X. The key stream is a combination of the highest 8 bits of each of the three LFSRs. It is neither feasible nor necessary to search the whole 96-bit key space, there are more efficient methods!
Hint: Enter the codeword in hex with non-capital letters and a leading zero.
by Lehrstuhl für Kryptologie u. IT-Sicherheit, Ruhr-Universität Bochum, published on 2010-10-14
It is well known that RSA with a small private key is insecure. The company, Smart, Inc. has decided to try using special private keys that are large but have a small Hamming weight in order to speed up decryptions and signature generation. The question is whether these keys are safe.
The encryption with the Sigaba machine was the American counterpart to the German Enigma. But due to the much larger key space of the Sigaba, even today, it is only feasible to break the code if parts of the key are known. This is what this challenge is about.
Decrypt the given ciphertext which is encrypted with the Sigaba machine.
Please give the letters in the key as capital letters.
This challenge has solutions that cannot be automatically checked. If you find such a solution and want to receive your points please write us an <a href="mailto:mtc3@cryptool.org">E-Mail</a>.
The author of the German book "The Art of Deciphering", written 1808 remains unknown. However, the editor signs the preface with a cipher (Semicolon Plus One Triangle Plus Circle Period). Is this the encrypted name of the author?
The longest key that has ever been publicly cracked by exhaustive key search was 64 bits long. The purpose of this challenge is to improve this world record by one bit.
In the late 1960s the so called Zodiac killer used a homophonic substitution encryption to encrypt letters to the police and the press. This challenge is inspired by the solved Zodiac-408 problem and the unsolved Zodiac-340 problem.
Hint: Provide the codeword in capital letters.
