Hall III · Polyalphabetic · Italian Renaissance · 1550 · Easy (recovery cascade)

Cardano Autokey 1550 · the original self-keying cipher

Cardano's original autokey: prime with a single letter, then let the message extend its own key.

Origin: Girolamo Cardano, Italy
Year: 1550 (De Subtilitate)
Key Type: Single priming letter
Key Length: Effectively the message length
Modern Lesson: Key reuse from the plaintext is not the same as key freshness

Why This Matters

Girolamo Cardano (1501–1576) — physician, mathematician, gambler, and author of the first textbook on probability — proposed the autokey idea in De Subtilitate (1550). Cardano's version is much weaker than the autokey usually attributed to Vigenère today: Cardano primed the keystream with a single letter and then used the plaintext from position 0 onward as the key for positions 1, 2, 3 …

The flaw is structural. If an attacker guesses or recovers any plaintext letter, they immediately know the next key letter — and therefore the next plaintext letter — and a cascade unzips the entire message. Vigenère's later refinement (prime with a multi-letter keyword instead of a single letter) blocks the cascade by giving the attacker no foothold to start from.

⚙️ How It Works

Pick a single seed letter S. The keystream is

k₀ = S
kᵢ = pᵢ₋₁  for i ≥ 1

Encryption uses the standard Vigenère table: cᵢ = (pᵢ + kᵢ) mod 26. Decryption recovers p₀ from c₀ using S, then uses each just-recovered pᵢ as the key for cᵢ₊₁.

Worked example with S = Q, plaintext MEET ME AT MIDNIGHT:

Plain : M E E T M E A T M I D N I G H T
Key   : Q M E E T M E A T M I D N I G H
Cipher: C Q I X F Q E T F U L Q V O N A

💀 How It Was Broken

Probable-word cascade
Complexity: Easy with a crib

Guess the first plaintext word. Each correct letter immediately reveals the next key letter and therefore the next plaintext letter. The attack propagates forward through the message at no extra cost. The whole reason Vigenère replaced Cardano with a multi-letter primer was to deny the attacker this foothold.

26 priming guesses
Complexity: Trivial on short messages

Try every possible seed letter. For each, run the cascade and look for English. Twenty-six attempts and a frequency check are enough.
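The cipher defined above and both recovery methods from this section, as an added example that is not part of the original page. It goes slightly beyond the text by running the cascade from a known letter at any position, backward as well as forward; the function names and the rounded frequency table are this example's own assumptions.

```python
"""Cardano autokey (single-letter primer): cipher plus both recovery attacks."""
A = ord("A")
# Approximate English letter frequencies in percent, A..Z (rounded values).
FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
        6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def _nums(text):
    return [ord(ch) - A for ch in text.upper() if "A" <= ch <= "Z"]

def _text(nums):
    return "".join(chr(n % 26 + A) for n in nums)

def encrypt(plaintext, seed):
    p = _nums(plaintext)
    key = _nums(seed)[:1] + p[:-1]          # k0 = S, ki = p(i-1)
    return _text(pi + ki for pi, ki in zip(p, key))

def decrypt(ciphertext, seed):
    k, out = _nums(seed)[0], []
    for ci in _nums(ciphertext):
        k = (ci - k) % 26                   # recovered p_i becomes k_(i+1)
        out.append(k)
    return _text(out)

def crib_cascade(ciphertext, pos, letter):
    """One known plaintext letter at index pos unzips the message both ways."""
    c = _nums(ciphertext)
    p = [0] * len(c)
    p[pos] = _nums(letter)[0]
    for i in range(pos + 1, len(c)):        # forward: p_i = c_i - p_(i-1)
        p[i] = (c[i] - p[i - 1]) % 26
    for i in range(pos, 0, -1):             # backward: p_(i-1) = k_i = c_i - p_i
        p[i - 1] = (c[i] - p[i]) % 26
    seed = (c[0] - p[0]) % 26               # k0 = c0 - p0
    return _text([seed]), _text(p)

def brute_force(ciphertext):
    """Try all 26 seeds; keep the candidate with the highest summed letter frequency."""
    cands = [(chr(A + s), decrypt(ciphertext, chr(A + s))) for s in range(26)]
    return max(cands, key=lambda sp: sum(FREQ[n] for n in _nums(sp[1])))

if __name__ == "__main__":
    ct = encrypt("MEET ME AT MIDNIGHT", "Q")    # the page's worked example
    print(ct)                                   # ciphertext from the table above
    print(crib_cascade(ct, 9, "I"))             # a single mid-message letter suffices
    print(brute_force(ct))                      # best of the 26 seed guesses
```

A wrong seed does not produce noise: it shifts the plaintext by alternating +d and -d, which is why a plain letter-frequency score separates the correct candidate so easily.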

🔬 What It Teaches Modern Cryptography

Cardano's autokey is the cleanest historical example of state confusion: he conflated using the plaintext with using a fresh key. Modern stream ciphers and AEAD modes go to great lengths to make sure the keystream is independent of the data being encrypted, precisely because Cardano-style coupling enables exactly the cascade attack shown above.

CTR mode and ChaCha20 are the modern correct version of the same idea: the keystream is generated from a key and a counter, never from the plaintext. The lesson — never let your key depend on your data — is one of the load-bearing rules of modern cryptography.
