The Babington Plot Cipher
The first cipher in history known to have decided a queen's life.
Why This Matters
This is the cipher whose breaking directly killed someone. Mary Stuart, deposed Queen of Scots, had been Elizabeth I's prisoner-cousin for 19 years when a young English Catholic named Anthony Babington proposed a coup: assassinate Elizabeth, free Mary, restore Catholicism. Their plot was carried in nomenclator-encrypted letters smuggled out of Chartley Manor inside a beer-barrel bung. Sir Francis Walsingham — Elizabeth's spymaster — was reading every line before the recipients did, decoded by a young codebreaker named Thomas Phelippes. When Mary, in a July 17, 1586 letter, finally endorsed the assassination of Elizabeth in writing, Walsingham had what he needed. Mary was beheaded on February 8, 1587. The Babington Plot is the first historical case where cryptanalysis is the documented cause of an execution.
By 1586, Mary Stuart had been imprisoned in England for 19 years. Catholic plots to free her and depose Elizabeth I had come and gone (Ridolfi, Throckmorton). Walsingham — who ran what historians now consider Europe's first modern intelligence service — believed Mary was guilty of conspiracy but had no evidence Elizabeth would accept. He needed Mary's own words, written by her own hand, endorsing regicide. So he built a trap.
Walsingham's agent Gilbert Gifford, a double agent posing as a Catholic courier, established a covert channel: letters to and from Mary at Chartley Manor would be hidden in the bung-hole of beer kegs delivered by the local brewer. Mary believed it was secure. In reality, every letter passed through Phelippes's workshop in London, where it was opened, copied, decoded, resealed, and forwarded — usually within a day. The cipher she trusted was a 64-symbol nomenclator: 23 disguised letters, 36 codewords for common terms (THE, MARY, QUEEN, POISON, DEATH), 4 nulls, and one trap symbol called the "doubleth" meaning "double the next letter."
On July 6, 1586, Anthony Babington wrote to Mary describing the plot: six gentlemen would assassinate Elizabeth; Mary would be freed by an invasion force. On July 17, Mary replied — endorsing the plot in writing, asking only for details on the gentlemen and the timing. Phelippes decoded it the same week. Famously, before forwarding the letter to Babington, Phelippes added a forged postscript in Mary's cipher asking for the names of the six conspirators. Babington wrote back with the names. Walsingham now had evidence enough to arrest the conspirators (they were hanged, drawn, and quartered in September) and to put Mary on trial. She was beheaded at Fotheringhay Castle on February 8, 1587.
"She trusted in her cipher, and her cipher betrayed her." — Simon Singh, The Code Book, summarizing the moment Mary realized at her trial that her own letters had been read all along. The trial transcripts record her shock when the deciphered correspondence was produced.
The cipher is a nomenclator — a hybrid of substitution cipher and codebook. Mary's actual key (preserved in the British Library and reproduced in Pollen's 1922 edition) had four classes of symbol:
23 letter symbols (no J, V, W — folded onto I, U, II) 36 codewords (THE, AND, OF, MARY, QUEEN, ELIZABETH, POISON, …) 4 null symbols (decoys — drop on decode) 1 "doubleth" (means: double the previous/next letter) ───────── 64 total glyphs
Encryption is a greedy-longest-match scan: clerks looked for the longest codeword that started at the current position. Where no codeword matched, they dropped to a single letter glyph. Nulls were sprinkled in as decoys. Decryption requires the codebook in front of you.
Phelippes — fluent in five languages and trained in Al-Kindi-style frequency analysis — separated the 23 letter glyphs from the 36 codeword glyphs by counting frequencies. The letter glyphs followed an English-alphabet distribution; the codeword glyphs were rare and clustered (you only need MARY a few times per letter). Mapping the most-frequent letter glyph to E, the next to T, and so on, broke the alphabet quickly. The codewords were then trivially inferred from context.
Once Phelippes held the codebook, he could write new ciphertext that looked authentic. Walsingham ordered him to add a forged postscript to Mary's July 17 letter — in her own cipher — asking Babington to name the six conspirators. Babington complied. This is the earliest documented case of cryptographic forgery being used to gather evidence — a chosen-ciphertext attack against a system with no integrity protection.
The cipher's strength was irrelevant: the entire delivery channel — Gilbert Gifford, the brewer, the beer keg — belonged to Walsingham. Mary's correspondents believed they had a private channel. Modern analogue: end-to-end encryption is meaningless if the endpoint or transport layer is owned by the adversary.
Why it failed fundamentally: A nomenclator with only ~23 letter glyphs has the same frequency profile as a monoalphabetic cipher — Al-Kindi's 850 AD attack still works. Adding 36 codewords slows analysis but does not change the underlying weakness. And the cipher had no message authentication, so a captured codebook let the attacker forge messages indistinguishable from the real ones.
| Babington-Era Concept | Modern Evolution |
|---|---|
| Nomenclator: codewords for whole tokens | Compression dictionaries (Huffman, LZ77) and tokenizers — same idea, modern math |
| "Doubleth" trap glyph | Format-aware deception in steganography; honey encryption; CBC malleability traps |
| Forged ciphertext to extract information | Chosen-ciphertext attacks (CCA) — the reason modern encryption schemes use authenticated encryption (AES-GCM, ChaCha20-Poly1305) |
| Trusted channel that is actually compromised | End-to-end encryption with verified identity (Signal Protocol's safety numbers, key transparency logs) |
Direct lineage: The Babington case is why modern protocols separate confidentiality from integrity. AES-GCM and ChaCha20-Poly1305 are authenticated ciphers: any tampering by Phelippes-the-modern-attacker would be detected before the recipient ever read the plaintext. There would have been no forged postscript, no list of six gentlemen, possibly no execution.
| Exhibit | 39 of 40 |
| Era | Elizabethan · 1586 |
| Used by | Mary, Queen of Scots |
| Broken by | Thomas Phelippes |
| Time to break | Days (cipher was already known to Phelippes from earlier intercepts) |
| Active attack | Forged postscript by Phelippes |
| Trial date | 14–15 October 1586 (Fotheringhay) |
| Execution | 8 February 1587 |
| Conspirators | 14 hanged, drawn & quartered (Sept 1586) |
The original 64-glyph key is in the British Library (Cotton MS Caligula C IX). This demo uses ASCII tokens — ⟨a01⟩…⟨a23⟩ for letters, ⟨w01⟩…⟨w36⟩ for codewords, ⟨n01⟩…⟨n04⟩ for nulls, and ⟨x2⟩ for the doubleth — deterministically assigned from the seed.
Try encoding "POISON THE QUEEN AT THE TOWER" and notice how POISON, THE, QUEEN, and TOWER each get their own codeword (one glyph for the whole word). Then encode "ATTACK" and watch the doubleth trap fire on the doubled T.
J folds to I and V folds to U, matching the historical 23-letter Elizabethan alphabet.
Decode this intercepted dispatch (seed: BABINGTON):
⟨w25⟩ ⟨a14⟩ ⟨w32⟩ ⟨a20⟩ ⟨w33⟩ ⟨a17⟩ ⟨x2⟩
Reveal solution
The dispatch reads DAGGER ELIZABETH AT THE TOWER DEATH — paste the ciphertext into the demo and switch to Decrypt to verify. The seed shuffles the symbol-to-token assignment, so each glyph stands for whichever word the shuffle deals it.