Solitaire (Pontifex)

The Solitaire cipher, also known as Pontifex, was designed by Bruce Schneier in 1999 at the request of novelist Neal Stephenson, so that the characters in Cryptonomicon could carry portable, computer-free but seriously resilient cryptography. The result is a stream cipher whose only material support is a 54-card deck (52 standard cards plus 2 jokers).

Principle

Solitaire produces a keystream — a sequence of values between 1 and 26 — by algorithmically manipulating the deck, independently of the plaintext. The shared key between sender and receiver is the initial deck order. Encryption is then plain Vigenère on that stream:

cipher[i] = (plain[i] + stream[i]) mod 26

The engine

Each step of the algorithm executes the following on the deck:

1. Move joker A one position down (cyclically).
2. Move joker B two positions down.
3. Triple cut around the two jokers: swap the segments before and after the jokers.
4. Count cut by the bottom card: the value of the bottom card gives n; move the top n cards just above it.
5. Stream output: the top card’s value gives m; look at the (m+1)-th card. If it’s a joker, restart; otherwise, take its value modulo 26 → that’s stream[i].

To encrypt one character, you run all five steps once; the deck is therefore always different at every character, ensuring the same plaintext never encrypts the same way twice.

Card values

Clubs 1–13, Diamonds 14–26, Hearts 27–39, Spades 40–52. Joker A = 53, Joker B = 53 (the jokers are distinct but share an extraction value). The result is reduced modulo 26 to a Vigenère shift in 1–26.

Strengths and weaknesses

Strengths

• No electronics required: an agent can hide behind a perfectly mundane deck of cards.
• Long-key stream cipher: 54! ≈ 2.3 × 10⁷¹ initial deck orderings → an enormous key space.
• Trivial reset: reshuffle the deck according to a new shared convention (a typed-out keyword).

Weaknesses

• Non-uniform keystream — the analysis by Crowley, Stay and Hertz (2000) shows detectable biases over long texts.
• Slowness: 5 deck operations per character → a trained agent encrypts maybe 1 to 2 words per minute.
• A handling mistake destroys sync: a single mis-step corrupts the rest of the message.

Cryptonomicon (2000)

Stephenson wove the algorithm into his novel as a plot thread: a character inherits a wartime message from his grandfather, encrypted with Solitaire, and must decrypt it by hand using a deck of cards. The cipher’s source code appears as an appendix to the book in Perl.

Stephenson’s (and Schneier’s) choice was deliberately pedagogical: showing that a field agent can carry a serious cipher in their pocket, without leaving any electronic trace. It is also a reminder that cryptography is not exclusively about computer algorithms.

Real security

Solitaire does not hold up against modern attacks on multi-thousand-character messages: the statistical biases enable a distinguishing attack. For a short message (< 1000 characters) with a properly random initial deck, it remains practically secure against any adversary without a computer.

In CipherChronicle

Solitaire embodies hands-on, tactile cryptography: cards, paper, a message. Companion grids can ask the player to simulate a few algorithm steps by hand (with a real or virtual deck), to grasp how a cipher is built one operation at a time.