Securely Encrypt Messages with a Deck of Cards and Solitaire - ITS Tactical

Securely Encrypt Messages with a Deck of Cards and Solitaire

By U. Fridman

Neal Stephenson’s cypherpunk novel Cryptonomicon contains a cryptosystem called Pontifex. This low-tech cryptographic algorithm uses a deck of playing cards to encrypt and decrypt messages.

Outside of the book, this algorithm is actually called Solitaire. It was designed by cryptographer and security expert Bruce Schneier at the request of Neal Stephenson. Solitaire allows secure communications without having to rely on computers or other tools that might indicate that cover channels are being used, or where access to a computer is not possible. It was designed to be secure even against the most well-funded adversaries with the biggest computers and the smartest cryptanalysts.

Solitaire gets its security from the inherent randomness of a shuffled deck of cards. Using this deck, keyed in a special way, two people can create a set of random letters that will be use to encrypt the messages. The process is somewhat slow, but it’s hard to spot that a deck of cards is being used to encrypt information.

Using Solitaire

For the cypherpunks out there, or crypto aficionados, Solitaire is an output-feedback mode stream cipher. As Schneier explains:

The basic idea is that Solitaire generates a stream, often called a “keystream”, of numbers between 1 and 26. To encrypt, generate the same number of keystream letters as plaintext letters. Then add them modulo 26 to plaintext letters, one at a time, to create the ciphertext. To decrypt, generate the same keystream and subtract, modulo 26 from the ciphertext to recover the plaintext.


Using Schneier’s own example, this is how you encrypt a message using Solitaire. For this example, our plaintext message will be the same message used in Cryptonomicon: DO NOT USE PC.

  1. Split the plaintext message into five-character groups. Use X’s to fill in the last group if necessary.
  2. Use Solitaire to generate ten keystream letters. For example:
  3. Convert the plaintext message from letters into numbers, A=1, B=2, etc:
    4 15 14 15 20   21 19 5 16 3
  4. Convert the keystream letters similarly:
    11 4 23 21 16   15 14 15 23 20
  5. Add the plaintext number stream to the keystream numbers, modulo 26. Modulo 26 means that if the sum is more than 26, subtract 26 from the result. For example, 1+1=2, 26+1=27, and 27-26=1, so 26+1=1.
    15 19 11 10 10   10 7 20 13 23
  6. Convert the numbers back to letters to get your ciphertext.



The receiver of the message has to key the same keystream as the person encrypting. That is your encryption key. Then the receiver subtracts the keystream letters from the ciphertext letters.

  1. Take the ciphertext message and put it in five-character groups.
  2. Use Solitaire to generate ten keystream letters. If the receiver has the same key as the sender, the keystream letters will be the same:
  3. Convert the ciphertext message from letters into numbers:
    15 19 11 10 10   10 7 20 13 23
  4. Convert the keystream letters similarly:
    11 4 23 21 16   15 14 15 23 20
  5. Subtract the keystream numbers from the ciphertext numbers, modulo 26. For example, 22-1=21, 1-22=5. If the first number is less than or equal to the second number, add 26 to the first number before subtracting. So 1-22=? becomes 27-22=5.
    4 15 14 15 20   21 19 5 16 3
  6. Convert the numbers back to letters to get your plaintext.

Generating the Keystream Letters

Generating the keystream letters is the heart of Solitaire. The keystream is generated using a deck of cards. In a 54-card deck (52 + 2 jokers) there are 54!, or about 2.31 * 10^71, possible different orderings of a deck.

We need a deck set of 52 cards and two jokers. The jokers must be visually different. One will be called “joker A” and the other “joker B”. To initialize the deck, take it in your hand face up. Then arrange the cards in the initial configuration that is the key. You’re now ready to generate keystream letters.

Here’s how to produce a single output character:

  1. Find the A joker. Move it one card down, swapping it with the card beneath it. If the joker is the bottom card of the deck, move it just below the top card.
  2. Find the B joker. Move it two cards down. If the joker is the bottom card of the deck, move it just below the second card. If the joker is one up from the bottom card, move it just below the top card. (Basically, assume the deck is a loop.)It’s important to do these two steps in order. It’s tempting to get lazy and just move the jokers as you find them. This is okay, unless they are very close to each other.So if the deck looks like this before step 1:
    A 7 2 B 9 4 1

    at the end of step 2 it should look like:

    7 A 2 9 4 B 1

    And if the deck looks like this before step 1:

    3 A B 8 9 6

    at the end of step 2 it should look like:

    3 A 8 B 9 6
  3. Perform a triple cut. That is, swap the cards above the first joker with the cards below the second joker. If the deck used to look like:
    2 4 6 B 5 8 7 1 A 3 9

    then after the triple cut operation it will look like:

    3 9 B 5 8 7 1 A 2 4 6

    “First” and “second” jokers refer to whatever joker is nearest to and furthest from the top of the deck, respectively. Ignore the “A” and “B” designations for this step. Remember that the jokers and the cards between them don’t move; the other cards move around them. This is easy to do in your hands. If there are no cards in one of the three sections (either the jokers are adjacent, or one is on top or the bottom), just treat that section as empty and move it anyway.

  4. Perform a count cut. Look at the bottom card. Convert it into a number from 1 through 53. (Use the bridge order of suits: clubs, diamonds, hearts, and spades. If the card is a club, it is the value shown. If the card is a diamond, it is the value plus 13. If it is a heart, it is the value plus 26. If it is a spade, it is the value plus 39. Either joker is a 53.) Use that number to count down from the top card. Cut after the card that you counted down to, leaving the bottom card on the bottom. If the deck used to look like:
    7 ... cards .. 4 5
    ... cards ... 8 9

    and the ninth card was the 4, the cut would result in:

    5 ... cards ... 8 7
    ... cards ... 4 9

    The reason the last card is left in place is to make the step reversible. This is important for mathematical analysis of its security. A deck with a joker as the bottom card will remain unchanged by this step.

    Be sure not to reverse the order when counting cards off the top. The correct way to count is to pass the cards, one at a time, from one hand to another. Don’t make piles on the table.

  5. Find the output card. To do this, look at the top card. Convert it into a number from 1 through 53 in the same manner as in the previous step. Count down that many cards. (Count the top card as number one.) Write the card after the one you counted to on a piece of paper; don’t remove it from the deck. (If you hit a joker, don’t write anything down and start over again with step 1.) This is the first output card. Note that this step does not modify the state of the deck.
  6. Convert the output card to a number. As before, use the bridge suits to order them. From lowest to highest, we have clubs, diamonds, hearts, and spades. Hence, A-clubs through K-clubs is 1 through 13, A-diamonds through K-diamonds is 14 though 26, A-hearts through K-hearts is 1 through 13, and A-spades through K-spades is 14 through 26. (We need 1 through 26, and not 1 through 52, so we can get to letters.)

That’s how to use Solitaire to encrypt a single character. You can use it to create as many keystream numbers as you need; just go through the same six steps once for each output character. (Don’t rekey the deck). And remember, you’ll need one per message character.

Keying the Deck

Before you start producing output cards, you have to key the deck. This is probably the most important part of the whole operation, and the one that the entire security of the system hinges upon. Solitaire is only as secure as the key. That is, the easiest way to break Solitaire is to figure out what key the communicants are using. If you don’t have a good key, none of the rest of this matters. Here are some suggestions for exchanging a key.

Use identically shuffled decks

A random key is the best. One of the communicants can shuffle up a random deck and then create another, identical deck. One goes to the sender and the other to the receiver. Most people are not good shufflers, so shuffle the deck at least six times. Both parties should keep an additional spare deck in the same keyed order, otherwise if you make a mistake you’ll never be able to decrypt the message.

Use a bridge ordering

A description of a set of bridge hands that you might see in a newspaper or a bridge book is about a 95-bit key. Agree on a way to take the bridge-hand diagram and convert it into an ordering of the deck. Then agree on a way to put the two jokers into the deck. (One obvious one is to put the A joker after the first card mentioned in the text, and the B joker after the second card mentioned in the text.)

Use a passphrase to order the deck

This method uses the Solitaire algorithm to create an initial deck ordering. Both the sender and receiver share a passphrase. (For example, “SECRET KEY.”) Start with the deck in a fixed order; lowest card to highest card, in bridge suits, followed by the A and then the B joker. Perform the Solitaire operation, but instead of Step 5, do another count cut based on the first character of the passphrase (19, in this example). In other words, do step 4 a second time, using 19 as the cut number instead of the last card. Remember to put the top cards just above the bottom card in the deck, as before.

Repeat the five steps of the Solitaire algorithm once for each character of the key. That is, the second time through the Solitaire steps use the second character of the key, the third time through use the third character, etc.

Remember, though, that there are only about 1.4 bits of randomness per character in standard English. You’re going to want at least an 64-character passphrase to make this secure; Bruce Schneier recommend at least 80 characters.

Low-Tech Security

The Solitaire algorithm offers a secure and low-tech, if slow, solution to those who wish to communicate privately. Bruce Schneier has explained that he expected Cryptonomicon to be a best-seller, and that everyone would know the intricacies of how the algorithm works. As with any cryptographic algorithm, the success lies with the secrecy of the key. As long as the key remains secret, it is unlikely that any third-party will be able to decrypt ciphertext that has been encrypted with Solitaire.

For more information regarding cryptanalysis, operational notes and security visit to Bruce Schneier’s Solitaire site.

Are you getting more than 14¢ of value per day from ITS?

Thanks to the generosity of our supporting members, we’ve eliminated annoying ads and obtrusive content. We want your experience here at ITS to be beneficial and enjoyable.

At ITS, our goal is to provide different methods, ideas and knowledge that could one day save your life. If you’re interested in supporting our mission and joining our growing community of supporters, click below to learn more.


  • D. Hide

    Very interesting but… I think I have to lay down after this LOL


  • Robert S.

    Cryptographers blow my mind.
    I’ll probably have to read this 20 more times.
    Did you read the book?
    If so what do you think about it?

    • The book is awesome. It goes back and forth between WWII and the present and touches spies, soldiers, cryptographers, etc. Really cool/

  • My head hurts, but my wife will like this. Really cool article!

  • Rene Moreno

    My nose bled a bit.

    • As it usually is the case with crypto. the beauty of Solitaire is that once you use it, it becomes second nature and it’s not so complicated anymore.

  • Jon

    I made it about halfway through this article… then I woke up under my neighbors van sucking my own thumb several hours later

  • TFA303

    Here’s another vote for Cryptonomicon. It’s a fantastic book that is so entertaining that you don’t realize how much you’re learning.

  • El Mariachi

    Solitare is broken. It’s probably OK for low-security stuff, but a One-Time-Pad using randomness from repeated dice rolls (into the dozens) or card decks that have been shuffled 15-20 times would be equally low tech but significantly stronger, as long as you obey the conditions required to keep the communication secret. If those tasks are followed, the OTP is mathematically provable to be unbreakable, giving even stronger guarantees of security than conventional symmetric (e.g. AES) and asymmetric (e.g. RSA) ciphers.

    OTP are very annoying for use with the large datasets, computer speed, and expectation of low key material use that rules much crypto use today, but it was a perfectly reasonable cipher in the past when all cipher use involved lots of annoying by-hand labor.

    • It is only broken if you mean that there exists a bias of about 1/22.5 instead of 1/26 in the ciphertext. The keyspace of this cipher is 2^237, or 237-bits. This is likely larger than the keyspace your bank uses for encrypting the communication between you and the sever using OpenSSL.

  • EntropyWorks

    I find it easier to understand with a visual aid.

    Bellow I encrypted this message with what I think a key you can guess.

    This message is encrypted. Visit to learn how to deal with it.


Do you have what you need to prevail?

Shop the ITS Store for exclusive merchandise, equipment and hard to find tactical gear.

Do you have what you need to prevail? Tap the button below to see what you’re missing.