Cipher Challenge: Using code-breaking algorithms

[Anonymous]

We always get questions about what counts as fair use of use online crackers and existing software in the competition. We thought we might find the following email exchange useful in understanding the slightly vague rules. Names have been changed:

Dear *******,

Thank you for you email, I will try to answer your questions below and hope that this sets your mind at rest:

>Dear National Cipher Challenge Team,

>I am ******* ********, username ******, of the team *********** for the National Cipher Challenge. Me and my fellow teammate >wanted to clarify this question:

>How much code, or code-breaking in general, do we have to make/do ourselves?

See below.

>The following paragraphs give examples of places where we’re unsure where the rules stand:

>For all of the challenges so far, we have used programs (mine has been written in Python, my teammate’s has been written in C#) to >break the various ciphers used. These involve a large number of different functions for different ciphers. However, one function, a >function that takes a string and returns the string with only letters, is not mine, but simply gotten from stackoverflow.
>Is this allowed within the rules of the challenge, or would we have to write our own function for this?

Used as part of a programme or system that you have developed this would be regarded as reasonable.

>Furthermore, I’ve recently written a 2×2 hill cipher breaker that I intend to use in case a hill cipher comes up in a later >challenge. However, this needed me to import a library in python called numpy that allows you to create and manipulate matrix-like >objects, as well as many matrix functions like multiplication and finding the inverse, needed for cracking a hill cipher.
>Is this allowed within the rules of the challenge, or would we have to program our own way of creating matrices, finding inverses >and other things?

Using a library of mathematical manipulations like matrix multiplication would be reasonable, just as it is reasonable to use, say, the MOD function in a spreadsheet to attack the decryption.

>In your ‘Beginner’s Guide to Codebreaking’ pdf, you linked to a site called ‘dcode.fr’, mentioning it as a tool for frequency >analysis. As you know, it also has a list of many different ciphers on its cryptography tools page, and we’ve used this, along with >wikipedia, to research how certain ciphers (like the hill cipher) work, and how you go about decrypting them. We’ve avoided using >the automatic cipher-breakers, as I assume that these aren’t allowed to be used.
>However, is it fine for us to research ciphers and how they work, using this site?

Automatic cipher breakers are clearly not allowed. The point of the competition is to stretch the competitors and get them to learn how to break ciphers and how to automate the process for themselves. Code.fr is a good place to experiment and learn about ciphers and how they work, it is not acceptable to use its programmes to do the heavy lifting.

>On this page, it gives a quite detailed explanation of how you might go about making a program that automatically cracks a keyword->transposition cipher, essentially giving some pseudocode for you to work off of. I found this when researching how to break more >complicated transposition ciphers, and it seems like a good algorithm.
>Would we be allowed to use this? Or are we expected to come up with our own decryption algorithms, given that we know how >encryption of a certain cipher works?

This is getting into a grey area. Clearly just turning pseudo code into code can be done without much understanding, which defeats the purpose of the exercise. On the other hand it is unlikely that you will find pseudo code out there that will crack the harder challengers, and this is where the winners set themselves apart. We ask candidates for prizes to provide us with an account of how they cracked the last challenge, and to furnish us with copies of working and code they have written, and we use the extensive skill and judgment of the prize committee to adjudicate the boundaries.

>Essentially, what we’re asking is what the challenge is actually testing. Is it testing our ability to recognise what cipher >something is, and we can then use online tools to crack it? Is it testing our ability to use and research decryption algorithms? Is >it testing our ability to make our own decryption algorithms? Or something else?

The competition is testing your ability to tackle a complex task using skill and imagination, hard work and perseverance. That can involve writing software; ingenious use of software like text editors and spreadsheets; careful reflection and deep insight; or hand calculations.

>In your rules, you state that entries from teams must be “solely their own collective work”. Does this only refer to making sure >there is no inter-team collaboration (apart from hints on the forums)? Or does it also mean that we aren’t allowed to use code->breaking algorithms found on the internet, i.e. using help from programs?

It largely refers to the fact that the submission should be based on your own hard work, not reliant on other people’s automated crackers and not depend on help from teachers, parents and other non-eligible people farmbrazil.com.br. If someone is helping you they should be part of the team, and if that makes the team ineligible then so be it.

>In no way do we wish to try to ‘cheat’ in the challenge – much more the opposite, in fact! We would be very grateful if you could >provide us with some clear-cut advice on what we are allowed to do.

I know, and I understand your wish for clarity.

It might be helpful for everyone if I could publish this email exchange (with names changed of course) so they all understand. Would that be OK?

Thanks for your thoughtful email, I hope we have answered your questions.

All the best,

Harry

The team followed up my answers with the following reply which I think sums it up pretty well:

>Dear Harry,

>Thank you very much for your reply. It has certainly cleared up what we can and can’t do in the challenge.

>As far as we can tell, your position on researching decryption algorithms is that we can’t simply use someone else’s >code/pseudocode, as that defeats the purpose of the challenge, as you said. However, using concepts and ideas, such as ‘e’ is the >most common letter in the English language and that a transposition cipher has a letter frequency identical to English, researched >from sites like dcode.fr, should be fine, as these don’t provide a full decryption algorithm and require you to think of your own >one. I think this is what you meant – if not, you can correct us.

>We would be completely fine with you posting this email exchange (with names removed) – I’m sure it would help the community, given >that I’ve seen at least one question about using libraries in code (post #29101, for reference).

>Best wishes,

>*******.

So here it is. Hope it is helpful.

Harry

[Anonymous]

Very helpful, thank you so much!

[Anonymous]

Here’s my ¢2:

1) This was not explicitly stated in the rules. The only thing stipulated there is that your work must be your own, which is subject to very large interpretation. Although some clarification has now been provided, in future years competitors should not have to rely on extra clarification – it should be stated more clearly in the rules.

2) I think the whole issue could just be avoided if these online decoders were freely available for use. You say that the point of the challenge is to get people to learn how to break and automate the breaking of ciphers, but even if online crackers were permitted, the people who want to actually understand the theory are still able to do so in the earlier challeges. The later challenges shouldn’t be affected by this permission because as you rightly said they are a lot harder and are often a non-standard combination of ciphers or techniques.

3) A pragmatic point. There is no way that prohibiting online crackers can actually be enforced, except for the winners. Everyone else still has the option of using them without being detected easily (and I imagine many already are). Banning them or allowing them makes zero difference in that regard – people already have a free choice between doing the challenge within the rules and learning how to do the basics (like frequency analysis), and in a system where any program is fair game then this is no different, so why not just allow them?

With this knowledge, it would be a good idea to instead make the challenges overall slightly harder (or make the middle few challenges closer in difficulty to the later few ones). This is the only reliable way to force people to do everything themselves, in my opinion.

TL;DR Online decryption programs should be allowed; but they can be made (more) redundant by making the later challenges harder.

[Anonymous]

Just for further clarification, {snip} has tools where, if you give it all the input information (if it was a Vigènere, it would just be the exact key) it would then perform the decryption process for you. Obviously we can’t use the other buttons like having it auto-break knowing key length or a plaintext word, but would it be allowed to use this – where you’re not getting the computer to do any thinking (in a metaphorical sense of course), but instead to speed up the process of decoding by hand?

I see it sort of similar to using a Find and Replace tool on Notepad for monoalphabetic substitution decryption…

[Anonymous]

I wrote a thing in Java that does the same as this website. It wasn’t too difficult.

[Author]

Posts