Editing Caesar cipher (section)

==Breaking the cipher==
{| class="wikitable" align="right" style="margin: 0 0 1em 1em"
! Decryption<br>shift
! Candidate plaintext
|- align="center"
| 0
| {{mono|exxegoexsrgi}}
|- align="center"
| 1
| {{mono|dwwdfndwrqfh}}
|- align="center" 
| 2
| {{mono|cvvcemcvqpeg}}
|- align="center"
| 3
| {{mono|buubdlbupodf}}
|- align="center"
| bgcolor="#ffebad" | 4
| bgcolor="#ffebad" | {{mono|attackatonce}}
|- align="center" 
| 5
| {{mono|zsszbjzsnmbd}}
|- align="center"
| 6
| {{mono|yrryaiyrmlac}}
|- align="center"
| colspan="2" | ...
|- align="center"
|  23
| {{mono|haahjrhavujl}}
|- align="center"
| 24
| {{mono|gzzgiqgzutik}}
|- align="center"
| 25
| {{mono|fyyfhpfytshj}}
|}
The Caesar cipher can be easily broken even in a [[ciphertext-only attack|ciphertext-only scenario]]. Since there are only a limited number of possible shifts (25 in English), an attacker can mount a [[brute force attack]] by deciphering the message, or part of it, using each possible shift. The correct description will be the one which makes sense as English text.<ref>{{cite book |title=Cryptology |last=Beutelspacher |first=Albrecht |author-link=Albrecht Beutelspacher |year=1994 |publisher=[[Mathematical Association of America]] |isbn=0-88385-504-6 |pages=8–9 }}</ref> An example is shown on the right for the ciphertext "{{mono|exxegoexsrgi}}"; the candidate plaintext for shift four "{{mono|attackatonce}}" is the only one which makes sense as English text. Another type of brute force attack is to write out the alphabet beneath each letter of the ciphertext, starting at that letter. Again the correct decryption is the one which makes sense as English text. This technique is sometimes known as "completing the plain component".<ref>{{cite journal |last=Leighton |first=Albert C. |date=April 1969 |title=Secret Communication among the Greeks and Romans |journal=Technology and Culture |volume=10 |issue=2 |pages=139–154 |doi=10.2307/3101474 |jstor=3101474 }}</ref><ref>{{cite book |title=Elementary Cryptanalysis: A Mathematical Approach |last=Sinkov |first=Abraham |author-link=Abraham Sinkov |author2=Paul L. Irwin |year=1966 |publisher=Mathematical Association of America |isbn=0-88385-622-0 |pages=13–15 }}</ref>

[[File:English letter frequency percentages.png|alt=|left|thumb|The distribution of letters in a typical sample of English language text has a distinctive and predictable shape. A Caesar shift "rotates" this distribution, and it is possible to determine the shift by examining the resultant frequency graph.]]
Another approach is to match up the frequency distribution of the letters. By graphing the frequencies of letters in the ciphertext, and by knowing the expected distribution of those letters in the original language of the plaintext, a human can easily spot the value of the shift by looking at the displacement of particular features of the graph. This is known as [[frequency analysis]]. For example, in the English language the plaintext frequencies of the letters {{mono|E}}, {{mono|T}}, (usually most frequent), and {{mono|Q}}, {{mono|Z}} (typically least frequent) are particularly distinctive.<ref>{{cite book |title=The Code Book |last=Singh |first=Simon |author-link=Simon Singh |year=2000 |publisher=Anchor |isbn=0-385-49532-3 |pages=[https://archive.org/details/codebook00simo/page/72 72–77] |url=https://archive.org/details/codebook00simo/page/72 }}</ref> Computers can automate this process by assessing the similarity between the observed frequency distribution and the expected distribution. This can be achieved, for instance, through the utilization of the [[chi-squared statistic]]<ref>{{cite web |url=http://www.cs.trincoll.edu/~crypto/historical/caesar.html |title=The Caesar Cipher |access-date=2008-07-16 |last=Savarese |first=Chris |author2=Brian Hart |date=2002-07-15 |publisher=[[Trinity College (Connecticut)|Trinity College]] }}</ref> or by minimizing the sum of squared errors between the observed and known language distributions.<ref>{{cite web |url=https://raw.org/tool/caesar-cipher/ |title=Caesar Cipher Decryption |access-date=2024-04-02 |last=Eisele |first=Robert |date=2007-05-18 }}</ref>

The [[unicity distance]] for the Caesar cipher is about 2, meaning that on average at least two characters of ciphertext are required to determine the key.<ref>{{cite book |last1=Lubbe |first1=Jan C. A. |title=Basic Methods of Cryptography |date=12 March 1998 |publisher=Cambridge University Press |isbn=9780521555593 |pages=47–8}}</ref> In rare cases more text may be needed. For example, the words "{{mono|river}}" and "{{mono|arena}}" can be converted to each other with a Caesar shift, which means they can produce the same ciphertext with different shifts. However, in practice the key can almost certainly be found with at least 6 characters of ciphertext.<ref>{{cite book |last1=Pardo |first1=José Luis Gómez |title=Introduction to Cryptography with Maple |date=19 December 2012 |publisher=Springer Berlin Heidelberg |isbn=9783642321665 |page=5}}</ref>

With the Caesar cipher, encrypting a text multiple times provides no additional security. This is because two encryptions of, say, shift ''A'' and shift ''B'', will be equivalent to a single encryption with shift {{nowrap|''A'' + ''B''}}. In mathematical terms, the set of encryption operations under each possible key forms a [[group (mathematics)|group]] under [[Function composition|composition]].<ref>{{cite book |title=Cryptology Unlocked |url=https://archive.org/details/Cryptology_Unlocked |last=Wobst |first=Reinhard |year=2001 |publisher=Wiley |isbn=978-0-470-06064-3 |page=31}}</ref>
{{clear left}}