Origin and History of the Autokey Cipher
The Autokey cipher (also called the autoclave cipher) has its roots in the 16th century. It was first described by Giovan Battista Bellaso in 1564 and later by Blaise de Vigenère in his Traicté des Chiffres (1586). Vigenère distinguished between his standard repeated-key variant — today known as the Vigenère cipher — and the Autokey, which he considered more robust.
The central idea is elegant: instead of repeating the key cyclically as Vigenère does (which creates the periodicity exploited by the Kasiski test), Autokey uses the plaintext itself as the key extension. Unlike the Caesar cipher — monoalphabetic with a fixed key — Autokey generates no detectable periodic patterns.
For centuries it was considered virtually unbreakable, until the mathematician Charles Babbage and Wilhelm Kasiski developed statistical cryptanalysis techniques in the 19th century that, with variations, can also attack Autokey by exploiting the correlation between key and plaintext.
What is the Autokey cipher used for?
History of cryptography
Considered for centuries the pinnacle of classical cryptography and studied in every cryptographic history textbook.
Advanced education
Excellent for teaching how key periodicity is Vigenère's central weakness and how Autokey conceptually eliminates it.
CTF challenges
Appears in Capture the Flag competitions as an advanced Vigenère variant. Challenges even those who master the standard Kasiski test.
Conceptual reference
Introduces the idea of a stream cipher: generating a key as long as the message — the conceptual basis of modern cryptography.
How the Autokey cipher works step by step
- Choose the priming key: A short word using only letters A–Z. The longer it is, the greater the initial security.
- Build the key stream: Concatenate the priming key with the plaintext letters:
K = priming_key + P₁P₂P₃…. The result is a key stream exactly as long as the message. - Apply the encryption formula:
Cᵢ = (Pᵢ + Kᵢ) mod 26— identical to Vigenère, but with a non-repeating key. - Sequential decryption (Autokey cipher decoder): Apply
Pᵢ = (Cᵢ − Kᵢ + 26) mod 26. Each decrypted letter is immediately added to the key stream to decrypt the next one. - No periodicity: Because the key is extended with the actual plaintext, it never repeats cyclically, removing the signature that the Kasiski test detects in Vigenère.
Follow this Autokey cipher step by step and verify each result with the interactive tool below — the fastest way to use an Autokey cipher decoder online.
Autokey Cipher Simulator
ATTACK, priming key
KEY → encrypt → paste the result back and use this
Autokey cipher decoder to recover the original.
Autokey cipher example explained with a table
This Autokey cipher example step by step shows exactly how the key stream is built from the priming key and the plaintext — letter by letter.
Plaintext: ATTACK
Priming key: KEY
Key stream: KEY + ATT = KEYATT
Formula: Cᵢ = (Pᵢ + Kᵢ) mod 26
| Pos. | Plaintext (Pᵢ) | Key (Kᵢ) | Key source | Calculation | Ciphertext (Cᵢ) |
|---|---|---|---|---|---|
| 1 | A (0) | K (10) | Priming key | (0+10) mod 26 = 10 | K |
| 2 | T (19) | E (4) | Priming key | (19+4) mod 26 = 23 | X |
| 3 | T (19) | Y (24) | Priming key | (19+24) mod 26 = 17 | R |
| 4 | A (0) | A (0) | Plaintext P₁ | (0+0) mod 26 = 0 | A |
| 5 | C (2) | T (19) | Plaintext P₂ | (2+19) mod 26 = 21 | V |
| 6 | K (10) | T (19) | Plaintext P₃ | (10+19) mod 26 = 3 | D |
Encrypted result: KXRAVD
The first 3 key letters come from KEY (priming key). The next 3 are ATT (first 3 letters of the plaintext).
Autokey vs Vigenère vs Beaufort: comparison
Comparison of the three most important polyalphabetic ciphers in classical cryptography.
| Feature | Vigenère | Beaufort | Autokey |
|---|---|---|---|
| Key extension | Cyclic repetition | Cyclic repetition | Plaintext |
| Encryption formula | (Pᵢ + Kᵢ) mod 26 |
(Kᵢ − Pᵢ + 26) mod 26 |
(Pᵢ + Kᵢ) mod 26 |
| Vulnerable to Kasiski | Yes | Yes | No |
| Reciprocal property | No | Yes | No |
| Relative security | Low–medium | Low–medium | Medium (superior) |
| Main attack | Kasiski + frequencies | Kasiski + reflected freq. | Statistical autocorrelation |
Why the Autokey cipher is more secure than Vigenère
Although Autokey surpasses Vigenère in resistance, it remains an insecure classical cipher for protecting real information. Use AES-256 for modern needs.
The central weakness of the Vigenère cipher is periodicity: if the key has length n, the characters at positions k, k+n, k+2n… are always encrypted with the same key letter. This creates detectable repetitions that the Kasiski test exploits to estimate the key length.
Autokey eliminates this periodicity: after the priming key, each key position is a letter of the plaintext. Plaintext letters do not follow a uniform distribution (E, T, A dominate in English), but they are not periodic either, so Kasiski cannot find the repetitions it looks for.
Vigenère (repeated key KEY):
Key: KEYKEYKEYKEYKEY… ← periodic pattern
Autokey (priming key KEY):
Key: KEYATTACKATDAWN… ← no periodicity
However, Autokey has its own vulnerability: because the key is the plaintext, there is a statistical autocorrelation between key and ciphertext. An attacker can shift the ciphertext over itself and find the shift (equal to the priming key length) that maximises statistical correlation with the language, then attack those initial positions as a known-length Vigenère.
Advantages and disadvantages of the Autokey cipher
Advantages
- ▪No periodicity: the key never repeats cyclically, making it immune to the standard Kasiski test used to break Vigenère.
- ▪Unique key per message: even with the same priming key, each message produces a different key stream thanks to different plaintext.
- ▪Conceptually advanced: introduces the idea of a stream cipher and one-time pads — the conceptual foundation of modern cryptography.
- ▪More secure than Vigenère: requires more sophisticated cryptanalysis techniques to break with comparable ciphertext.
Disadvantages
- ▪Exploitable autocorrelation: the statistical correlation between key (plaintext) and ciphertext enables shift attacks that reveal the priming key length.
- ▪Mandatory sequential decryption: decryption must be performed letter by letter in order — no parallelism or random access possible.
- ▪Error cascade: a single transmission error corrupts the decryption of all subsequent letters, not just the erroneous one.
- ▪Not suitable for real use: like all classical ciphers, it is insecure for sensitive modern information against computational statistical tools.
How to identify a text encrypted with Autokey
If you have an unknown ciphertext, these signals suggest an Autokey cipher:
Low index of coincidence
Similar to Vigenère, indicating a polyalphabetic cipher. But unlike Vigenère, the Kasiski test reveals no periodic repetitions.
No Kasiski repetitions
A text that looks like Vigenère but has no Kasiski-detectable repetitions is a candidate for Autokey or another non-periodic cipher.
Positive autocorrelation
The ciphertext statistically correlates with itself shifted exactly n positions, where n is the length of the priming key.
Tip: if Kasiski fails but the index of coincidence remains low, try shifting the ciphertext over itself and computing the correlation for different priming key lengths.
Autokey cipher exercises
Practice with these exercises. Use the simulator to verify your answers.
Exercise 1 — Basic
Encrypt CAT with priming
key AB.
- Key stream: AB + CA (first 2 letters of plaintext).
- Apply
(Pᵢ + Kᵢ) mod 26for each letter.
Hint: C=2, A=0, T=19 | A=0, B=1, C=2, A=0
Exercise 2 — Decryption
Decrypt KXRAVD with
priming key KEY.
Remember: decrypt sequentially and add each recovered letter to the key stream before decrypting the next.
Hint: the result is a common military action.
Exercise 3 — Analysis
Given a long ciphertext encrypted with Autokey, unknown 3-letter priming key:
- Shift the ciphertext over itself by 3 positions.
- Compute the index of coincidence between text and shifted version.
- If high (≈0.065 for English), the priming key has 3 letters.
- Attack the first 3 positions as a length-3 Vigenère.
How to break the Autokey cipher
Breaking the Autokey cipher step by step requires two phases: locating the priming key length via autocorrelation, then attacking those positions exactly as a known-length Vigenère.
1. Autocorrelation attack
Because the key is the plaintext shifted n positions (where n is the priming key length), there is a statistical correlation between the ciphertext and itself at that shift. The attacker tries all possible shifts and measures the index of coincidence: the maximum reveals the priming key length.
2. Vigenère attack on the first n positions
Once the priming key length n is known, the first n letters of the ciphertext correspond directly to encrypting the plaintext with the priming key. Attack that portion using frequency analysis as a length-n Vigenère. Once the priming key is recovered, the rest of the message decrypts trivially in cascade.
numpy.correlate automate the index of coincidence
calculation for all shifts in seconds.
Autokey attack example step by step
Suppose you intercept the ciphertext KXRAVD
and suspect it was encrypted with Autokey. Here is the complete breaking process:
Step 1 — Estimate the priming key length
Shift the ciphertext over itself and compute the index of coincidence (IC) for each shift d. The IC measures how many letters match between the text and its shifted version:
Text: K X R A V D
Shifted d=1: _ K X R A V → IC low
Shifted d=2: _ _ K X R A → IC low
Shifted d=3: _ _ _ K X R → IC ≈ 0.065 (peak)
The peak at d = 3 indicates the priming key has 3 letters.
Step 2 — Attack the priming key as a length-3 Vigenère
The first 3 letters of the ciphertext K X R
correspond directly to encrypting the plaintext with the priming key.
Apply frequency analysis to each position:
Position 1: ciphertext=K → the most frequent letter in English should map here. Likely result: K₁ = K
Position 2: ciphertext=X → K₂ = E
Position 3: ciphertext=R → K₃ = Y
→ Recovered priming key: KEY
Step 3 — Cascade decryption
With the known priming key KEY,
each decrypted letter automatically becomes the next key letter:
| Pos. | Ciphertext (Cᵢ) | Key (Kᵢ) | Calculation | Plaintext (Pᵢ) |
|---|---|---|---|---|
| 1 | K (10) | K (10) ← priming | (10−10+26) mod 26 = 0 | A |
| 2 | X (23) | E (4) ← priming | (23−4+26) mod 26 = 19 | T |
| 3 | R (17) | Y (24) ← priming | (17−24+26) mod 26 = 19 | T |
| 4 | A (0) | A (0) ← P₁ = A | (0−0+26) mod 26 = 0 | A |
| 5 | V (21) | T (19) ← P₂ = T | (21−19+26) mod 26 = 2 | C |
| 6 | D (3) | T (19) ← P₃ = T | (3−19+26) mod 26 = 10 | K |
Decrypted message: ATTACK
— priming key KEY
Note: in a real attack with long text, the frequency analysis in Step 2 is automated and highly reliable. With short messages like this one, brute force or additional context is needed.
Is the Autokey cipher secure?
Is the Autokey cipher secure?
The Autokey cipher is not secure for modern communications. Although it is more secure than Vigenère — passing the Kasiski test —, it has exploitable statistical vulnerabilities:
- ▪ Statistical autocorrelation: the key (shifted plaintext) is correlated with the ciphertext, allowing the priming key length to be estimated with sufficient text (typically <500 characters).
- ▪ Error cascade: a single bit error in the ciphertext corrupts all subsequent characters during decryption, making it fragile on noisy channels.
- ▪ Trivially broken with modern tools: any basic statistical script breaks Autokey in seconds with sufficient ciphertext.
Conclusion: the Autokey cipher is an educational and CTF tool, not a security mechanism. For secure communications use AES-256 or modern protocols like TLS.
Frequently asked questions about the Autokey cipher
What is the Autokey cipher?
The Autokey cipher is a polyalphabetic cryptographic system where the
initial key (priming key) is extended with the plaintext itself to generate a key stream as
long as the message. It uses the same formula as Vigenère
(Cᵢ = (Pᵢ + Kᵢ) mod 26) but eliminates key periodicity.
How does Autokey differ from Vigenère?
The difference is key extension. Vigenère repeats the key cyclically (if the key is KEY, it repeats KEYKEY…), creating a periodic pattern that the Kasiski test detects. Autokey extends the key with the plaintext (KEY + first letters of the message), eliminating that periodicity and making it resistant to Kasiski.
Is the Autokey cipher secure?
No for modern communications. Although it resists the Kasiski test, the Autokey cipher is vulnerable to autocorrelation attacks: the statistical correlation between the key (shifted plaintext) and the ciphertext allows the priming key length to be determined, after which the system can be attacked systematically.
Why must Autokey decryption be sequential?
Because the key stream for decryption is built from the plaintext, which is recovered letter by letter. To decrypt position i you need key letter Kᵢ, which is plaintext letter Pᵢ⁻ⁿ (where n is the priming key length). That letter is only known once the corresponding position has been decrypted.
What is the priming key in the Autokey cipher?
The priming key is the short secret key shared between sender and receiver. It is only used for the first n positions of the cipher; after that, the key stream is generated automatically from the plaintext. The longer the priming key, the more initial positions are truly secure and the harder the autocorrelation attack becomes.
Where is the Autokey cipher used today?
The Autokey cipher is not used in real security today. It appears mainly in educational contexts to teach the concept of key extension and stream ciphers, in CTF challenges as an advanced Vigenère variant, and in cryptography history studies for its conceptual importance as a precursor to modern stream ciphers.
Autokey cipher summary
The Autokey cipher is a 16th-century polyalphabetic cipher
that extends the priming key with the plaintext, eliminating the periodicity that makes the
Vigenère
cipher vulnerable. It uses the formula
Cᵢ = (Pᵢ + Kᵢ) mod 26,
identical to Vigenère, but with a non-repeating key — making it a conceptual precursor
to modern stream ciphers.
Key
Priming key + plaintext. Each message produces a unique key stream.
Key advantage
No periodicity → immune to Kasiski. More secure than Vigenère and Beaufort.
Weakness
Statistical autocorrelation. Insecure for production use with sufficient text.
Current use
Education, CTF, and classical cryptography study. Precursor to stream ciphers.