Adventures with Superencipherment

This is a revised version of my original full write-up from August 2017 prioritising in breaking down the challenge with my methodology in how I attack puzzles. My original writeup includes all of the missteps and photos of my journal that I took in solving it. Also disclaimer: This has the full solution. If you’d like to work on this please close this page!

At my fifth DEF CON and Queercon, I ended up solving and winning Subterfuge’s Queercon 14 Contest with pen and graph paper. Receiving my first challenge coin from Queercon by working the challenge in my natural way of solving things was incredibly meaningful. I get asked often why I don’t work puzzles on a laptop or via code. It would have saved me quite a lot of time in some places, but I personally solve puzzles this way because it’s soothing, relaxing, and it makes me happy. It’s a coping mechanism for me.

Two and a half years later, I’d like to also show how one could have solved this faster with code and the internet.

Puzzle 1

The Queercon 14 Contest Puzzle #1 in unrecognisable characters

Whenenever I see a puzzle with unknown characters/symbols, I immediately convert it into a format that I can recognise as this is a fun and simple way to throw off folks. I personally like to first substitute it to the alphabet (A, B, C, …, X, Y, Z) in place of the characters. You can do this with numbers too if you’d like. The above image converts to:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV

This is where frequency analysis comes in with trying to identify commonly used words. The following are common word and character lists:

1-Letter Words: I A
2-Letter Words: OF TO IN IT IS BE AS AT SO WE HE BY OR ON DO IF ME MY UP AN GO NO US AM
3-Letter Words: THE AND FOR ARE BUT NOT YOU ALL ANY CAN HAD HER WAS ONE OUR OUT DAY GET HAS HIM HIS HOW MAN NEW NOW ODL SEE TWO WAY WHO BOY DID ITS LET PUT SAY SHE TOO USE
4-Letter Words: THAT WITH HAVE THIS WILL YOUR FROM THEY KNOW WANT BEEN GOOD MUCH SOME TIME
Doubles: SS EE TT FF LL MM OO
Frequent Letters: E T A O I N S H R D L U
First letters in Words: T O A W B C D S F M C H I Y E G L N P U J K
Last letters in Words: E S T D N R Y F L O G H A K M P U W

For any given puzzle I’m working on, I’ll write down the ones I think I’ll need. This helps with being able to cross out the ones that don’t seem to fit. Some immediate ones that seemed to fit in well were:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV
THE                                THE                       SEE

Even though JTT=SEE was my first guess (which I’d later discover I was correct), considering ABC fits into ABCD, the most likely word was THE with C=E versus T=E (note: this could also be YOU and YOUR). ABCD could be: THEY, THEM, THEN, which is why I left it off originally but frequency analysis is about trying things and failing until you get it right. So trying it with THEY, filling in the next layer works to:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV
THEY   E    T        Y             THE         E          H      Y

This quickly works out to trying DLM=YOU, thus:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV
THEY   E    T     O  YOU  O  O     THE     OU  E       O  H      Y

If we look at our 3-letter words, words ending in E include: THE, ARE, ONE, SEE, USE. In our words: THE, ONE, SEE, USE, they all have characters that we’re using so trying out EFC=ARE leads to:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV
THEY ARE  A T     OR YOU  OR O     THE     OU  E       O  H      Y

This looks really promising now. One thing to immediately clear up: KLF=?OR being likely KLF=FOR. HI also appears in GEHAHIJ, that would make trying out HI=IN a possibility leading GEHAHIJ=?A?T??? to GEHAHIJ=?AITIN?, in other words GEHAHIJ=WAITING. Filling in the characters from FOR, WAITING, IN, leads us to JLFNLI=GOR?ON. This looks awfully like JLFNLI=GORDON. Filling in all of those characters leads QLMIJC=?OUNGE to QLMIJC=LOUNGE, which I took the liberty of knowing Queercon is abbreviated as QC to mean OP=QC. This lead to the following:

ABCD EFC GEHAHIJ KLF DLM JLFNLI HI ABC OP QLMIJC RST JOLU BP JTT DTV
THEY ARE WAITING FOR YOU GORDON IN THE QC LOUNGE     GQO  HC G   Y

At this point I translated the substituted letters to our alphabet:

ABCDEFGHIJKLMNOPQRSTUVWXYZ | SUBSTITUTE
THEYARWINGFOUDQCL          | PLAINTEXT

But what we care about is our plaintext alphabet, which requires flipping the above to:

ABCDEFGHIJKLMNOPQRSTUVWXYZ | PLAINTEXT
E PNCKJBH  Q IL OF AM G D  | SUBSTITUTE

This shows that in our plaintext, we’re missing the following characters: B, J, K, M, P, S, V, X, Z. In the portion of what appears to still be enciphered, BP=HC is the only full word we have completed. If we convert the alphabet A=1, B=2, and so on, HC is {8, 3} respectively. This means we’re looking for a 2-letter word that’s -5 on the alphabet from the first character which matches to either TO or UP:

ABCDEFGHIJKLMNOPQRSTUVWXYZ |
              O    T       | TO
               P    U      | UP

If we assume BP=HC=TO, the following is what we have to work with:

RST JOLU BP JTT DTV | SUBSTITUTED
    GQO  HC G   Y   | PLAINTEXT
         TO         | 'TO'

This gives us the following alphabet table with our new final plaintext:

E PNCKJBH  Q IL OF AM G D  | SUBSTITUTED
ABCDEFGHIJKLMNOPQRSTUVWXYZ | PLAINTEXT
  O    T                   | 'TO' IN FINAL PLAINTEXT
MNOPQRSTUVWXYZABCDEFGHIJKL | FINAL PLAINTEXT

From here we have to build up and down our final alphabet table. First, I built down from the above table to get:

RST JOLU BP JTT DTV | SUBSTITUTED
    GQO  HC G   Y   | PLAINTEXT
    SCA  TO S   K   | FINAL PLAINTEXT

Going back to the start, my first guess when I saw the substituted letters was JTT=SEE. Considering that JTT=G??=S??, we can fill in JTT=G??=SEE, which builds back up to JTT=GSS=SEE. DTV=Y??=K?? with the new addition of T=S=E provides DTV=YS?=KE? or DTV=YSM=KEY. JOLU=GQO?=SCA? looked like JOLU=GQO?=SCAN aka JOLU=GQOB=SCAN.

RST JOLU BP JTT DTV | SUBSTITUTED
  S GQOB HC GSS YSM | PLAINTEXT
  E SCAN TO SEE KEY | FINAL PLAINTEXT

This gives an alphabet table of:

EUPNCKJBH  QVIL OFTAM G D  | SUBSTITUTED
ABCDEFGHIJKLMNOPQRSTUVWXYZ | PLAINTEXT
MNOPQRSTUVWXYZABCDEFGHIJKL | FINAL PLAINTEXT

This left 6 unassigned final plaintext letters: B, H, J, L, V, W, for RST=??S=??E.

BLE!

Alternative Universe Solution

If you don’t abhor the usage of a cryptogram solver such as quipqiup the first portion of the solution nearly instantly comes up:

0	-2.442	TUSB MRS ZMITING FOR BOY GORDON IN TUS LP JOYNGS HAE GLOW UP GEE BEC
1	-2.599	FORM ?SR ??UFUPL WAS MAY LAS?AP UP FOR IN ?AYPLR THE LIA? ON LEE ME?
2	-2.609	THEM ARE WAITING FOR MO? GORDON IN THE BY ?O?NGE CUP GBO? HY GPP MP?
3	-2.620	WASG MRS ?MBWBYL FOR GOD LOR?OY BY WAS IN ?ODYLS THE LIO? AN LEE GE?
4	-2.621	WITH ?DT ??BWBYL AND HN? LND?NY BY WIT OF ?N?YLT USE LONG IF LEE HER
5	-2.627	MAYF ?DY ??UMUPS GOD FOR SOD?OP UP MAY IN ?ORPSY THE SIO? AN SEE FEW
6	-2.642	FORM PER ?PBFBYU THE MH? UHE?HY BY FOR IN ?H?YUR WAS UIH? ON USS MS?
7	-2.646	FORM ?SR ??UFUPG WAS MAY GAS?AP UP FOR IN ?AYPGR THE GIA? ON GEE ME?
8	-2.649	THEW RYE BRITISK MAY WAN KAYLAS IS THE VP DANSKE GJO KVAZ HP KOO WOU
9	-2.651	MAYL ?RY ??UMUPS FOR LOW SOR?OP UP MAY IN ?OWPSY THE SIO? AN SEE LED

If you plug in ABCD=THEY, EFC=ARE into the clues box on quipqiup, the first portion of the solution comes up:


0	-1.980	THEY ARE WAITING FOR YOU GORDON IN THE KM LOUNGE CBS GKO? HM GSS YSP

From there it would be a very quick solve by fixing the portions that are incorrect and finish from there.

Puzzle 2

AZZSUAPYDD
ZRQNXSDJCC
JVYIAEYUHH
DMANTVAPGG
LIERRDJUDD
KWHVEBDEEE
XHYGVTDRHH
ATKIOVAEEE
HIBKVOPGFF
AVLTKCAHDD
YQBEHWOQGG
FUKKEDVNAA
PLKBRRHWEE
BOJYWZSTBB
GDMPRJZVDD
FDENZSLKCC
JYREDODYGG
FMQAAQOGGG
IHPTBAFWHH
VEAWSMROAA
FULGUKEKFF
SENGQCEXDD
TISZKQHEBB
PSOKSHXTFF
MAGTVOTOEE

The first thing I like to do when I see what looks like a block of ciphertext is number the columns and rows like this:

   0 1 2 3 4 5 6 7 8 9
0  A Z Z S U A P Y D D
1  Z R Q N X S D J C C
2  J V Y I A E Y U H H
3  D M A N T V A P G G
4  L I E R R D J U D D
5  K W H V E B D E E E
6  X H Y G V T D R H H
7  A T K I O V A E E E
8  H I B K V O P G F F
9  A V L T K C A H D D
10 Y Q B E H W O Q G G
11 F U K K E D V N A A
12 P L K B R R H W E E
13 B O J Y W Z S T B B
14 G D M P R J Z V D D
15 F D E N Z S L K C C
16 J Y R E D O D Y G G
17 F M Q A A Q O G G G
18 I H P T B A F W H H
19 V E A W S M R O A A
20 F U L G U K E K F F
21 S E N G Q C E X D D
22 T I S Z K Q H E B B
23 P S O K S H X T F F
24 M A G T V O T O E E

This block, however, is a bit strange as columns 8 and 9 are identical. Unfortunately in the moment, I thought it couldn’t be that simple which let to a mistake. After talking with other folks working at the same stage I also did frequency analysis by hand. The following excerpt from my original post best describes what happened next:

Subterfuge tested out a hint on me by telling me the doubles lead the path. Which honestly was more of a reminder to myself of what is right in front of me and should have been the first thing I went with. Sometimes the answer is simpler than we’d like to think. It was at this point I was chatting over the puzzle and hint with another person who turned out to be in the same spot I was in. We were chatting when Subterfuge came up to us and shortly after while he was talking it immediately hit me. Are you thinking what I’m thinking? I asked. Then we both ran into the swag room and sat down. I was working in my journal, they were working on their laptop, and we got to the next part:

Not to get ahead of ourselves here, the core feature to focus on in this puzzle was truly the double columns which immediately jumped out as unusual to me. It was clear that the two columns had letters that ran from A through H only, or 0-7 (1-8 for those who count from 1). Conveniently, there were the correct amount of columns that matched up prior to the double columns. Thus the solution looked like this:

   A B C D E F G H
   0 1 2 3 4 5 6 7 | 8 9 |
0  A Z Z S U A P Y | D D | S
1  Z R Q N X S D J | C C | Q
2  J V Y I A E Y U | H H | U
3  D M A N T V A P | G G | A
4  L I E R R D J U | D D | R
5  K W H V E B D E | E E | E
6  X H Y G V T D R | H H | R
7  A T K I O V A E | E E | O
8  H I B K V O P G | F F | O
9  A V L T K C A H | D D | T
10 Y Q B E H W O Q | G G | O
11 F U K K E D V N | A A | F
12 P L K B R R H W | E E | R
13 B O J Y W Z S T | B B | O
14 G D M P R J Z V | D D | P
15 F D E N Z S L K | C C | E
16 J Y R E D O D Y | G G | D
17 F M Q A A Q O G | G G | O
18 I H P T B A F W | H H | W
19 V E A W S M R O | A A | V
20 F U L G U K E K | F F | K
21 S E N G Q C E X | D D | G
22 T I S Z K Q H E | B B | I
23 P S O K S H X T | F F | H
24 M A G T V O T O | E E | V

Plaintext: SQUAREROOTOFROPEDOWVKGIHV

There is the unresolved DOWVKGIHV but considering the theme was superencipherment it was fine leaving it as is for now.

Alternative Universe Solution

While this challenge did not actually contain any ciphertext (but did convincingly look enough like a block of ciphertext), I would have saved quite a lot of time if I had done the frequency analysis via code. There’s quite a lot of ways to do this in a myriad of languages but the gist of it remains about the same:

1.) Split out whatever you need removed (e.g. spaces, commas) from your string

2.) In a for-loop, reducer, a cool built in method in your chosen language, aka whatever you want to use, create a new object or define it before (e.g. frequency = {})! I don’t know which language you’re using so it’s a free for all here. But do it over your cleaned up string

3.) For each character (e.g. frequency[char]) either incremement up (e.g. frequency[char]++) or if it’s the first time we’re counting that character set it to 1 lest we end up having an error (e.g. frequency[char] = 1)

4.) Return your object with your frequency analysis

5.) Optional: Sort your object alphabetically if you’d like

On the actual challenge portion itself, honestly it would have been much faster to do the work directly on top of the pamphlet. I, alongside anyone on laptops, wasted our times writing or typing it out first.

Puzzle 3

The Queercon 14 Contest Puzzle #3, a sticker with a QR code

While I did solve the contest entirely by hand via graph paper and pen, I did have to use modern technology to obtain two portions of the challenge and the occasional searching online for questions or researching ideas. This was one of two portions that did require using technology. Upon scanning the QR code the following was returned:

TYSCTSQXATIRGTMPAQVCKQQVLIJSVOPTQRWXVOWZVVRGRGLWSMFMRUSAHEFDTCKW

Intuitively I thought this might be an 8x8 block (it just felt right), but additionally created 4x16 and 2x32 blocks alongside doing frequency analysis, again. The results of the blocks looked like so:

8x8
TYSCTSQX
ATIRGTMP
AQVCKQQV
LIJSVOPT
QRWXVOWZ
VVRGRGLW
SMFMRUSA
HEFDTCKW

4x16
TYSCTSQXATIRGTMP
AQVCKQQVLIJSVOPT
QRWXVOWZVVRGRGLW
SMFMRUSAHEFDTCKW

2x32
TYSCTSQXATIRGTMPAQVCKQQVLIJSVOPT
QRWXVOWZVVRGRGLWSMFMRUSAHEFDTCKW

I stopped here simply because shortly after it turned out I’d need more modern technology usage to obtain the next part of the challenge.

BLE Scannning

It turned out I needed a badge for this portion and Jake was very kind giving me a badge at this point. So I learned how to BLE scan and read the scans (thanks Jake!). From BLE scanning I obtained the data of three different badges:

Badge #1
0x0201040319DC190F095143756265203130
00000000000016FFD304000A0D0C0004BF74
00C69B41524F5947424956

Badge #2
0x0201040319DC190F095143756265203134
37000000000016FFD3040093130000000800
00E11141524F5947424956

Badge #3
0x0201040319DC190F095143756265203130
30000000000016FFD3040064270081104771
0CAB9141524F5947424956

Considering the badges interact I additionally requested for two badges to interact but the data did not change. I did learn later on that was an original desire for the challenge. When I see hex like this, I section it off with dividers so I can read it easily. I marked off where scans were unique to isolate them. Additionally, I wrote out a quick ASCII chart for the hex as it’s handy to have it right there.

By doing so I was able to identify the common feature in all three badges, the last 8 hex characters, and convert them:

41 | 52 | 4F | 59 | 47 | 42 | 49 | 56
A    R    O    Y    G    B    I    V

Alternative Universe Solution

I’d have saved time a lot of time if I had simply BLE scanned, copy and pasted it into any HEX converter online or via code, and recognised AROYGBIV as a common ending from all the scans. I could have also simply pulled the ASCII table and not write it down either.

Puzzle #2 (Again)

SQUAREROOTOFROPEDOWVKGIHV

The unresolved DOWVKGIHV has a length of 9, which was a character too long to be a key for Puzzle #3. The first thing I like to do when I see something like this is simply enumerate through every Caeser shift:

DOWVKGIHV
---------
EPXWLHJIW
FQYXMIKJX
GRZYNJLKY
HSAZOKMLZ
ITBAPLNMA
JUCBQMONB
KVDCRNPOC
LWEDSOQPD
MXFETPRQE
NYGFUQSRF
OZHGVRTSG
PAIHWSUTH
QBJIXTVUI
RCKJYUWVJ
SDLKZVXWK
TEMLAWYXL
UFNMBXZYM
VGONCYAZN
WHPODZBAO
XIQPEACBP
YJRQFBDCQ
ZKSRGCEDR
ALTSHDFES
BMUTIEGFT
CNVUJFHGU

This still failed to work, however, and this is far too short to have a key of its own. Subterfuge reminded me there’s more than one way of doing things, which was enough for me to realise I should flip the alphabet around like such:

CIPHERTEXT A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
--------------------------------------------------------------
PLAINTEXT  Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
           Y X W V U T S R Q P O N M L K J I H G F E D C B A Z
           X W V U T S R Q P O N M L K J I H G F E D C B A Z Y
           ...

This is a reversed Vigenère square/table. With this the answer eventually showed up while redoing my shifts:

DOWVKGIHV
---------
WLDEPTRSE
VKCDOSQRD
UJBCNRPQC
TIABMQOPB
SHZALPNOA
RGYZKOMNZ
QFXYJNLMY
PEWXIMKLX
ODVWHLJKW
NCUVGKIJV
MBTUFJHIU
LASTEIGHT <- PLAINTEXT
KZRSDHFGS
JYQRCGEFR
IXPQBFDEQ
HWOPAECDP
GVNOZDBCO
FUMNYCABN
ETLMXBZAM
DSKLWAYZL
CRJKVZXYK
BQIJUYWXJ
APHITXVWI
ZOGHSWUVH
YNFGRVTUG
XMEFQUSTF

LASTEIGHT was the clue for the BLE portion of the challenge, confirming that AROYGBIV was the correct answer (which I did learn was the rainbow after).

Alternative Universe Solution

Rumkin’s Atbash cipher solver returns the first shift of DOWVKGIHV to WLDEPTRSE but fails to go further. I don’t personally think it would have taken less time to do it via code. However, if one wished to do this via code one possible way would be with matrixes:

1.) Create a matrix for the full Atbash table with the following:

- The alphabet A-Z in the first row
- The alphabet Z-A in the second row
- In a loop, per row shift the first character and move it to the end of the array
- Stop the loop at the end so it does not repeat again

2.) Create a new matrix for the results with the following:

- For each character of the ciphertext in the first row of the Atbash table, return the column for that character by appending the results to an empty array, then add that array to our matrix

The aim with the method above would be first returning our Atbash table:

Atbash_Block = [["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V","W", "X", "Y", "Z"], // First Row: Alphabet A-Z
                ["Z", "Y", "X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A"], // Second Row: Alphabet Z-A
                ["Y", "X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A", "Z"], // Third Row: First char from Second Row shifted to end
                ["X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A", "Z", "Y"], // Fourth Row: First char from Third Row shifted to end
                ["W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A", "Z", "Y", "X"], // Fifth Row: First char from Fourth Row shifted to end
                ["V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A", "Z", "Y", "X", "W"], // Sixth Row: First char from Fifth Row shifted to end
                ... // Repeat for the rest of the alphabet until
                ["A", "Z", "Y", "X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B"]] // Twenty-Seventh Row: Final row with first char from the previous row shifted to end

For DOWVKGIHV it works out to something like:

Reference:
D   O   W   V   K   G   I   H   V
3   14  22  21  10  6   8   7   21

Results_Block = [["D", "W", "V", ..., "L", ...],
                 ["O", "L", "K", ..., "A", ...],
                 ["W", "D", "C", ..., "S", ...],
                 ["V", "E", "D", ..., "T", ...],
                 ["K", "P", "O", ..., "E", ...],
                 ["G", "T", "S", ..., "I", ...],
                 ["I", "R", "Q", ..., "G", ...],
                 ["H", "S", "R", ..., "H", ...],
                 ["V", "E", "D", ..., "T", ...]]

Puzzle 3 (Again)

With the answer for Puzzle #2 being LASTEIGHT with AROYGBIV from the BLE scan being eight characters, it essentially confirmed my initial feelings that Puzzle #3 was an 8x8 block.

TYSCTSQX
ATIRGTMP
AQVCKQQV
LIJSVOPT
QRWXVOWZ
VVRGRGLW
SMFMRUSA
HEFDTCKW

Vigenère was the first classical key-worded cipher I ever learned, which is why it’s my default guess whenever I see a key. Using the key of AROYGBIV the following occurs:

THEENRIC
ACUTASEU
AZHEEPIA
LRVUPNHY
QAIZPNOE
VEDILFDB
SVROLTKF
HNRFNBCB

In hindsight I should have not paid attention to where and what other folks were at because I psyched myself out. I likely said it best then:

The theme of this entire contest was superencipherment but for myself the theme was reminding me there’s more than one way to do the same thing and go try out the most blatantly too obvious thing first, too.

In the end it turned out I had to figure out what the autokey cipher was, which began like such (there was indeed a typo which led to rewriting a new Vigenère table):

AROYGBIV | THEENRIC | KEY
TYSCTSQX | ATIRGTMP | CIPHERTEXT
THEENRIC | TMENTCEN | PLAINTEXT

But by repeating the pattern over and over of moving the plaintext every 8 characters to be the new key, I eventually got:

AROYGBIV THEENRIC HMENTCEN TERPROMI SESDEADL YNEUROTO XINMASSI VESARCAS    | KEY
TYSCTSQX ATIRGTMP AQVCKQQV LIJSVOPT QRWXVOWZ VVRGRGLW SMFMRUSA HEFDTCKW    | CIPHERTEXT
THEENRIC HMENTCEN TERPROMI SESDEADL YNEUROTO XINMASSI VESARCAS MANDCAKE    | PLAINTEXT

THE ENRICHMENT CENTER PROMISES DEADLY NEURO TOXIN MASSIVE SARCASM AND CAKE | FINAL LINE

[Not An] Alternative Universe Solution

If I had been in front of a computer screen I don’t believe I’d have been able to eventually stop panicking, see, then recognise the pattern that clicked in my head. Pen and graph paper is slower for certain things such as frequency analysis and basic shifts (e.g. running through all Caesar shifts), but for times like this it’s your best friend.

And I wouldn’t have it any other way.

And that was the entire contest. Oh golly.

>