Solitaire / Pontifex
Bruce Schneier's 1999 hand cipher using a deck of playing cards
Why This Matters
Bruce Schneier designed Solitaire in 1999 for Neal Stephenson's novel Cryptonomicon, where it appears under the name "Pontifex". The goal: a cipher that an agent could carry in a hostile country with nothing more incriminating than a deck of playing cards. Strong enough to resist amateur attack, simple enough to operate by hand. Subsequent analysis revealed minor statistical biases, so it is not recommended for production use today, but it remains an important demonstration that strong-ish encryption can be done with no electronics at all.
Schneier published Solitaire in an appendix to Cryptonomicon and later on his Counterpane website. Within months, cryptanalysts including Paul Crowley discovered small biases in the keystream — enough to make Solitaire weaker than ideal but not catastrophically broken. Schneier maintains the design as a teaching example and acknowledges the analysis. Real-world use by activists and journalists has been documented but is rare.
Treat the 54-card deck as state. Each "round" produces one keystream letter (1–26):
1. Move the A-joker (53) one card down.
2. Move the B-joker (54) two cards down.
3. Triple-cut: swap the chunks above and below the two jokers.
4. Count-cut: read the value of the bottom card; cut that many cards from the top, place above the bottom card.
5. Look at the top card's value N. Count N cards down. The next card (mod 26) is the keystream output. If it is a joker, repeat from step 1.
Encryption is then a simple Vigenère-style shift:
c = (p + k - 1) mod 26 + 1.
Procedure adapted from Schneier's specification; see the plain-language walkthrough at @shai-hulud · Solitaire Encryption: Low-Tech High-Security How-To.
Distilled from @shai-hulud's Solitaire how-to and Schneier's original spec — the conventions that make a hand-cipher actually survive contact with the real world.
| Convention | Why it matters |
|---|---|
| X-pad to multiples of 5 | Pad the plaintext with X until its length is a multiple of 5. Both sides know X at the end of a word is filler. Eliminates the cribs that obvious sentence boundaries would give an attacker. |
| Group output in 5-letter blocks | Telegraph and radio convention since the 19th century. Makes the cipher easy to copy by hand without losing your place — and it hides word lengths. |
| Identical decks, identical key | Sender and receiver must start from the exact same 54-card ordering. The key (a passphrase, or a memorized initial deck) is the secret. The cipher is symmetric: same procedure for encrypt and decrypt — only the final ± changes. |
| Never reuse a deck for two messages | Two messages on the same keystream is a classic two-time-pad break. After sending, re-key from a fresh passphrase or shuffle to a new agreed-on order. |
| Mind the jokers | Both jokers count as 53 in the count-cut and the top-card lookup. If the lookup card itself is a joker, discard the output and run the algorithm again — never write a joker into the keystream. |
| One slip = gibberish forever after | The deck is the state; one mis-counted card desynchronizes sender and receiver permanently. Slow is smooth. Smooth is fast. Recount every step. |
| Destroy the deck after use | Burn, shuffle thoroughly, or return to bridge order. A deck left in its keyed state is a written copy of your key sitting on the table. |
Decryption recipe: Identical key → identical deck → identical keystream. Then p = (c − k − 1) mod 26 + 1.
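The five deck steps, the two shift formulas, and the X-padding and 5-letter grouping conventions above, as an added Python example (not code from the original page or from Schneier). The function names and the `UNKEYED` sample deck are assumptions; the joker wrap-around rule is taken from Schneier's specification rather than this page.

```python
A, B = 53, 54                      # joker card numbers, as labelled on this page
UNKEYED = list(range(1, 55))       # constructed sample key: deck in order, top card first

def move_down(deck, card, n):
    # Steps 1-2. Wrap rule (Schneier's spec): the deck is a loop, so a joker
    # that passes the bottom re-enters just below the top card, never on top.
    i = deck.index(card)
    deck.pop(i)
    j = i + n
    deck.insert(j - 53 if j > 53 else j, card)

def next_key(deck):
    """Advance the deck in place and return one keystream value in 1..26."""
    while True:
        move_down(deck, A, 1)
        move_down(deck, B, 2)
        lo, hi = sorted((deck.index(A), deck.index(B)))
        deck[:] = deck[hi + 1:] + deck[lo:hi + 1] + deck[:lo]  # step 3: triple cut
        v = min(deck[-1], 53)                                  # either joker counts as 53
        deck[:] = deck[v:-1] + deck[:v] + deck[-1:]            # step 4: count cut
        out = deck[min(deck[0], 53)]                           # step 5: card after N cards
        if out < 53:                                           # joker: discard, run again
            return (out - 1) % 26 + 1

def keystream(deck, n):
    deck = list(deck)              # work on a copy so the caller's key is not consumed
    return [next_key(deck) for _ in range(n)]

def crypt(text, deck, decrypt=False):
    """Encrypt (or decrypt) text; letters are numbered A=1 .. Z=26."""
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    if not decrypt:
        letters += "X" * (-len(letters) % 5)     # X-pad to a multiple of 5
    out = []
    for ch, k in zip(letters, keystream(deck, len(letters))):
        p = ord(ch) - 64
        v = (p - k - 1) % 26 + 1 if decrypt else (p + k - 1) % 26 + 1
        out.append(chr(v + 64))
    s = "".join(out)
    return " ".join(s[i:i + 5] for i in range(0, len(s), 5))  # 5-letter groups

if __name__ == "__main__":
    print(crypt("AAAAAAAAAA", UNKEYED))
    print(crypt("EXKYI ZSGEH", UNKEYED, decrypt=True))
```

With the in-order deck and ten A's as plaintext, the output can be checked against the test vector in Schneier's published specification.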
Paul Crowley showed that the Solitaire keystream has a measurable bias: the probability that two consecutive keystream values are equal is about 1/22.5 instead of the ideal 1/26. This is enough to distinguish Solitaire output from random, but not enough to recover plaintext or key in practice.
A single mis-step in the count-cut or keystream extraction misaligns the recipient's deck and turns the rest of the message into gibberish. In practice, operator error is the main threat — not cryptanalysis.
| Concept from Solitaire / Pontifex | Modern Evolution |
|---|---|
| Hardware-free cryptography | Useful where electronics are dangerous to possess |
| Deniable artifacts | A deck of cards is innocuous; a thumb drive is not |
| Distinguishability vs. recovery | Modern crypto requires indistinguishability from random |

| Field | Value |
|---|---|
| Exhibit | 46 of 49 |
| Era | Modern · 1999 |
| Security | Moderate |
| Inventor | Bruce Schneier |
| Year | 1999 |
| Famous use | Neal Stephenson's novel Cryptonomicon (as "Pontifex") |
| Key Type | Initial ordering of a 54-card deck (52 + 2 jokers) |
| Keyspace | 54! ≈ 2.3 × 10⁷¹ |
| Modern Lesson | Hand-deniable crypto for high-risk environments |