Skip to main content

The Beaufort Cipher Explained: One Keyword That Both Encrypts and Decrypts

How the Beaufort cipher works, why subtracting plaintext from the key makes it its own inverse, and how it differs from Vigenere, with a worked example.

Published By Li Lei
#cryptography #ciphers #ctf #classical-encryption

The Beaufort Cipher Explained: One Keyword That Both Encrypts and Decrypts

Most classical ciphers make you pick a mode. You encrypt one way and decrypt the other, and getting the direction wrong gives you nonsense. The Beaufort cipher quietly removes that whole decision. You run a keyword over your text, and the same single operation handles both directions. Encrypt a message, hand it to a friend with the keyword, and they run the exact same steps to read it back. There is no decode button, because there is nothing separate to do.

That property has a name: the cipher is reciprocal, or self-inverse. It comes from one small change to a formula you may already know, and it is worth understanding precisely, because the whole behavior of the cipher hangs on a single minus sign.

The formula: key minus plaintext, mod 26

Beaufort works letter by letter on the 26 Latin letters, mapping A to 0, B to 1, all the way to Z at 25. For each plaintext letter P, you take the matching letter of a repeating keyword, call its value K, and compute:

C = (K − P) mod 26

That is the entire cipher. Note the order carefully. The Vigenere cipher adds the key to the plaintext, P + K. Beaufort subtracts the plaintext from the key, K − P. People often write it the other way round in their heads and wonder why the output looks wrong, so it is worth saying plainly: the key comes first, and you subtract the plaintext from it.

Here is why that order matters so much. Suppose you encrypt and get ciphertext C = (K − P) mod 26. Now feed that ciphertext back through the same rule with the same keyword:

(K − C) mod 26 = (K − (K − P)) mod 26 = P mod 26 = P

The K cancels, and you land exactly on the plaintext you started with. Encryption and decryption are not two related procedures; they are literally the same procedure applied twice. That is what reciprocal means, and it is the reason a Beaufort tool can ship with one button instead of an encode mode and a decode mode.

Contrast that with Vigenere, where C = (P + K) mod 26. To undo addition you have to subtract, so decryption is P = (C − K) mod 26, a genuinely different operation. Run Vigenere encryption twice and you do not get your message back; you get it shifted further. The subtraction in Beaufort is what folds the two directions into one.

The tabula recta and the keyword

If you have ever seen the Vigenere square, the 26-by-26 grid of shifted alphabets called the tabula recta, you already have the table Beaufort uses too. The difference is how you read it.

For Vigenere you find the plaintext row and the key column and read the letter at their crossing. For Beaufort you flip the lookup: find your plaintext letter inside the body of the key's row, then read which column heading sits above it. That column heading is your ciphertext letter. Because you are searching for a position rather than reading one off, the lookup is symmetric, which is the table-level reason the same move works in both directions.

The keyword is what makes this a polyalphabetic cipher rather than a single fixed shift. You choose a word or phrase, say LEMON or FORTIFICATION, strip it to its letters, uppercase them, and repeat it across the length of your message. Each plaintext letter pairs with the next keyword letter. A longer, less predictable keyword spreads the statistics of your text across more alphabets and is genuinely harder to attack than a short one. Spaces and punctuation in your text are normally skipped and do not advance the keyword pointer, so a space in the middle of a sentence does not knock the rest of the message out of alignment.

A worked example you can follow by hand

Let me take the textbook message ATTACKATDAWN and encrypt it with the keyword LEMON.

First, repeat the keyword to match the length:

plaintext:  A T T A C K A T D A W N
keyword:    L E M O N L E M O N L E

Now apply C = (K − P) mod 26 to the first few letters:

  • A under L: (11 − 0) mod 26 = 11 = L
  • T under E: (4 − 19) mod 26 = (−15) mod 26 = 11 = L
  • T under M: (12 − 19) mod 26 = (−7) mod 26 = 19 = T
  • A under O: (14 − 0) mod 26 = 14 = O
  • C under N: (13 − 2) mod 26 = 11 = L

Carry on through the rest and the full ciphertext is LLTOLBETLNPR.

Now the payoff. Take LLTOLBETLNPR and run it through the same rule with LEMON again:

  • L under L: (11 − 11) mod 26 = 0 = A
  • L under E: (4 − 11) mod 26 = (−7) mod 26 = 19 = T
  • T under M: (12 − 19) mod 26 = 19... wait, T is 19, so (12 − 19) mod 26 = 19 → T

The original ATTACKATDAWN reappears, letter for letter. You can try this yourself in the Beaufort cipher encoder and decoder: type the message, set the keyword to LEMON, copy the output, paste it back, and watch the input return. The same keyword, the same operation, both ways.

One detail worth noticing in that worked example: notice how the negative results, like (4 − 19), wrap around by adding 26. That wraparound, the mod 26, is the only arithmetic subtlety in the whole cipher, and it is exactly what keeps every result inside A to Z.

How it relates to Vigenere, and where they part ways

Beaufort sits right next to Vigenere in the family of polyalphabetic substitution ciphers. They share the keyword mechanic, they share the tabula recta, and they share the same vulnerability to classical attacks. What separates them is the single operation at the core.

Run the same input through both and the divergence is obvious. ATTACKATDAWN with LEMON gives LXFOPVEFRNHR under Vigenere but LLTOLBETLNPR under Beaufort. Same message, same keyword, different cipher, completely different output. If you want to feel the effect of the sign flip directly, encrypt a message in a Vigenere cipher tool and then the same message in Beaufort and lay the two outputs side by side.

There is one more trap. A close relative sometimes called the variant Beaufort, or German Beaufort, uses P − K instead of K − P. That swap reverses the direction and breaks the reciprocity, so it is not self-inverse the way the classic form is. If your decryption comes out looking shifted by a steady amount, the puzzle may have used the variant, not the classic K − P. Always confirm which subtraction order a challenge expects before you blame the keyword.

When the Beaufort cipher actually earns its place

I first reached for Beaufort during a CTF where the hint said the key was a flag-related word but never said whether the block was encoded or decoded. With Vigenere I would have had to try both directions for every candidate keyword. With Beaufort there is only one direction to try, so I could fire candidate keywords at the ciphertext one after another and watch for the moment the output turned into readable English. That single-operation simplicity turned a fiddly guessing game into a quick scan, and the keyword fell out in a couple of minutes.

That is the honest case for the cipher today. It is a teaching tool for showing what reciprocity means, a clean mechanic for puzzle hunts where solvers apply one rule in both directions, and a recurring step in CTF crypto challenges. It is not security. Like every classical polyalphabetic cipher it falls to Kasiski examination and index-of-coincidence analysis once you have enough ciphertext, and a short keyword falls fast. For anything that must stay secret, reach for modern authenticated encryption such as AES-GCM, and keep Beaufort for the puzzles, the classrooms, and the flags.


Made by Toolora · Updated 2026-06-13