## Substitution ciphers in Cryptol

Substitution ciphers are one of the oldest encryption methods, dating back to at least the 15th century. In a substitution cipher, each character in the plain-text is simply "substituted" according to a predefined map. Decryption is simply the substitution in the reverse direction. Wikipedia has a nice description of these ciphers. Obviously, you wouldn't want your bank to use such a cipher when executing your web-based transactions! But they are fun to play around, especially when entertaining kids in hot summer days. In this post, we'll see how to code simple substitution ciphers in Cryptol, and go a step further and actually prove that our implementation is correct.

### Preliminaries

The simplest form of substitution ciphers use a permutation of the input alphabet. That is, each letter in the input alphabet gets mapped to another in the same alphabet. (Strictly speaking, input and output alphabets need not be the same, but nothing essential changes by making that assumption.) For instance, you might decide that your substitution will map 'a' to 'q', and 'b' to 'd', ..., etc., making sure no two letters are mapped to the same target. Once this mapping is agreed on, all you have to do to encrypt a given message is to map each character to the corresponding element according to your predefined mapping rules.Here's our Cryptol encoding of these ciphers. First, some preliminary declarations:type Char = [8];type String(l) = [l]Char;type Table(n) = [n](Char, Char);We'll simply assume that the input consist of "characters," each of which will be 8-bit quantities (i.e., numbers from 0 to 255). We will simply use ASCII encoding for normal English characters. This is captured by the

`Char`type declaration above, which simply gives a convenient name for 8-bit wide words. The second type declaration captures sized-strings: For any given size

`l`, the type

`String(l)`represents a sequence of length

`l,`containing 8-bit words. For instance,

`String(16)`is the type of all sequences of length 16, containing numbers from 0 to 255 as elements. Finally a

`Table`of size

`n`is simply

`n`-pairings of characters that form a substitution. Here's the example table we will use:

cipherTable : Table(28);cipherTable = [| (x, y) || x <- plain || y <- cipher |]where { plain = "abcdefghijklmnopqrstuvwxyz .";cipher = "oebxa.cdf hijklmnzpqtuvwrygs"};Note that our table has 28 entries (the lower-case English alphabet, plus space and the dot). A simple Cryptol sequence-comprehension succinctly zips the sequences up, forming our example table.