I doubt that it’s been solved. It’s unlikely that the CIA would have any reason for concealing the solution. In any case, it’s likely that CIA wouldn’t be the first to know. I doubt very much that they were told about the NSA crack of the first three parts until well after I and David Stein had gone public with our solutions. If an NSA team has the solution, I imagine the members of the team get their drinks free at meetings of the Dundee Society, and we’ll learn about it some time after the outside world breaks K4.
Q. How would you then and now characterize your stance on the CIA (+/-)?
I found them supportive. After the NY Times story about the break they contacted me through my former employer (the RAND Corporation) to invite me to come out, visit the sculpture, and take pictures. I thought the trip and the visit to the gift shop were good fun and interesting. Especially interesting were the several employees who came up to my keeper to object to my photography, and who were frankly annoyed to be told that I had received clearance above their pay grade for the photos. I have no idea just how far up the permission had been initiated. Other than that we haven’t had any contact regarding Kryptos.
Q. There are rumors of an as yet uncovered portion of Kryptos, would say that is more less likely than an openly hidden message?
I haven’t heard those rumors. Sanborn has indicated there’s an over-arching puzzle that will still need to be solved once the last piece is in place. I have no opinion about the shape of that puzzle.
Q. Why do you think K4 remains officially unsolved?
It’s short, and there is little relevant context for traffic analysis or other intel gathering. K1 and K2 were in known systems, so existing tests were useful for diagnosis. K3 was long, obviously some kind of transposition, and close enough to known systems that I found a way in, despite not seeing the method that had been used to encrypt it. K4 shows several interesting phenomena, but without more material to test them, these apparent phenomena could simply be happenstance.
In addition, it’s what Donald Rumsfeld might call a “known unknown”. That is, we know that we don’t know the system used to encrypt it: Scheidt has said it’s his own invention and hasn’t been seen in the world before. This means we’re expected to guess a system type, develop a test for it, and solve it with no more than the crib BERLIN at a particular place. I could think up dozens of systems that would be quite challenging to break given this amount of ciphertext. For example, start with a fractionating system like bifid, encrypt the result with a periodic like the Quag 3 used in K1 and K2, and finish up with a double transposition using two medium-long keys. If we knew that was the system it’s possible that we could work out an attack given enough material, but to guess it blindly and work out an attack for each guess? I don’t think so. Now try my example above adding nulls into the ciphertext, such as “ignore every letter after an N when decrypting”. Perhaps Sanborn and Scheidt think there’s enough of a hint in what we see to suggest the structure of K4’s cipher, but if so I haven’t seen it.
Q. How did you differentiate between the separately encoded sections?
By solving. I made my initial break on a part of K2, and its internal coherence (i.e. real English) made it clear that I had the system and keys right. I extended this part forward and backward until I started seeing garbage on both ends. This identified the ciphertext of K1 (which could still have been more than one part) and the beginning of K3. I tried the same cipher type on K1 and broke it rather readily, and again its internal cohesion showed I had the solution and that it was one part. I already had a guess about the length of K3 based on where the English-like frequencies ended, and this was proved correct after I solved it. I thought but didn’t know for sure that K4 was a single cipher until Sanborn confirmed it.
Q. Do you still try to solve K4 or have you given up?
I’ve spent several man-months on it over the 14 years since breaking the first bits, but perhaps only two or three days in the past year. Every now and then I get an idea and try it. However, I don’t think it’s worth spending my life on, with so many other interesting challenges in the world. Playing with grandsons is plenty of fun, and they’re only young once — I’m not going to miss that part.
Q. What advice would you give someone to file a fruitful FOIA?
Not to bother with it. The CIA probably doesn’t have any more of a clue than anybody else — before I broke K1-3 they had a web page about it with guesses about the cipher types and message divisions that were quite wrong. They were right that there were separate sections, but that’s about it. If the FOIA were to the NSA and they’ve broken it, and if I were a judge deciding whether to require the FOIA request to be fulfilled, I’d side with NSA if they said divulging their solution would expose US cryptanalytic methods and abilities.
Q. Is there an algorithm that can tease apart transposition ciphers to avoid the pitfalls of straight anagramming?
Straight anagramming is useful only on very short transposition messages. For anything longer the ambiguities multiply until you can get it to say anything you want. Multiple anagramming is a powerful tool if there are two or more messages (preferably more, but two will do if you’re desperate) with the same transposition key and the same length. That’s not relevant in any of the Kryptos ciphers, but has been very useful in cracking transpositions in wartime. It’s even possible to use ciphers of *nearly* the same length to solve double transposition – Joseph Courville’s thin book “Manual for Cryptanalysis of the Columnar Double Transposition Cipher” demonstrates this, and is a fun read if you’re really interested in the subject.
Q. Who was your favorite DCI?
William Webster. When asked about the overblown controversy regarding whether it was fair or legitimate to use programs to help break Kryptos, he agreed with my “solutions are where you find them” viewpoint, noting that he hadn’t seen rules for attacking the cipher written anywhere.
Q. Why make the 1st three parts so “easy” if the last part was going to be so “hard”?
The first three parts may seem easy in retrospect, but they were hard enough to withstand NSA hobbyists for over six months. Any magic trick seems trivial once you understand the trick. It’s probably hard for people to see K1-3 with fresh eyes since most people hadn’t seen it before it was broken and exposed. Perhaps once K4 has been cracked we can giggle about how long it took us to break such a simple system. Breaking ciphers in an unknown language and unknown cipher type is always a dodgy proposition — understanding the work of people who have already done it is much simpler.
Q. To quote William K. Harvey, am I asking the wrong questions?
One question on which I’d like to see more consideration or insight is the issue about the end of K2. The NSA team, David Stein and I all decrypted it as it stands: “ID BY ROWS”. Several years later Sanborn said that he’d made an error, leaving out an X in the plaintext, and it should actually have said X LAYER TWO. I believe Scheidt raised an eyebrow about this explanation in print, though I don’t have his quote in front of me.
I feel that having it decrypt two ways producing by chance perfectly grammatical English (both versions obscure, of course) is extremely unlikely. I think it’s more likely that Scheidt put that secondary meaning in by a judicious selection of the keyword. In favor of this hypothesis, I point out that ABSCISSA is fairly close to the beginning of the dictionary. It would be quite possible to write a program to cycle through a dictionary in a reverse dictionary attack, testing that part of the decrypted plaintext to see whether it could have the secondary meaning with each potential keyword.
This seems to fit Scheidt’s interest in duress ciphers – multi-layered ciphers for which you can give up a key to the enemy that produces credible plaintext without giving up the farm. Could K4 include something of this sort? Who knows? Once it’s decrypted, would we need to try adding a letter like the X of K2 to get more information?
I wish you all good luck with K4, and be sure to leave yourself time to enjoy the world.