If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Shift cipher

Modular Math and the Shift Cipher

The Caesar Cipher is a type of shift cipher. Shift Ciphers work by using the modulo operator to encrypt and decrypt messages. The Shift Cipher has a key K, which is an integer from 0 to 25. We will only share this key with people that we want to see our message.

How to Encrypt:

For every letter in the message M :
1. Convert the letter into the number that matches its order in the alphabet starting from 0, and call this number X.
( A=0, B=1, C=2, ...,Y=24, Z=25)
2. Calculate: Y = (X + K) mod 26
3. Convert the number Y into a letter that matches its order in the alphabet starting from 0.
(A=0, B=1, C=2, ...,Y=24, Z=25)
For Example: We agree with our friend to use the Shift Cipher with key K=19 for our message. 
We encrypt the message "KHAN", as follows:​
So, after applying the Shift Cipher with key K=19 our message text "KHAN" gave us cipher text "DATG".
We give the message "DATG" to our friend.

How to decrypt:

For every letter in the cipher text C :
1. Convert the letter into the number that matches its order in the alphabet starting from 0, and call this number Y.
(A=0, B=1, C=2, ..., Y=24, Z=25)
2. Calculate: X= (Y - K) mod 26
3. Convert the number X into a letter that matches its order in the alphabet starting from 0.
(A=0, B=1, C=2, ..., Y=24, Z=25)
Our friend now decodes the message using our agreed upon key K=19. As follows:
So, after decrypting the Shift Cipher with key K=19 our friend deciphers the cipher text "DATG" into the message text "KHAN".

Why is the Shift Cipher insecure?

A cipher should prevent an attacker, who has a copy of the cipher text but does not know the key, from discovering the contents of the message. Since we only have 26 choices for the key, someone can easily try all of the 26 keys, one by one, until they recover the message. This type of attack is called a brute force attack.

Want to join the conversation?

  • male robot hal style avatar for user Ken Sommerville
    I wrote a small vbscript program to perform the modulo shift, and for most cases it worked.
    However, if the input minus the shift value results in a negative number, vbscript's mod function outputs a negative remainder. The work around I had to implement was ultimately found from a quote from news:borland.public.delphi.objectpascal which stated: "Henrick Hellström wrote: I would strongly prefer that (X mod Y) > 0 if Y > 0. The expression (((X mod Y) + Y) mod Y) one has to write from time to time just looks awful!"

    This really seems like a hack to get the mod function to work, however, I noticed in several google searches, that not every programming language treats modulo the same. SO if you try to code up a encrypt/decrypt routine based on the mod function, you've been warned.
    (22 votes)
    Default Khan Academy avatar avatar for user
    • male robot hal style avatar for user Cameron
      Here's an alternate approach.

      Since A mod B is the remainder R when we divide A by B and all integers can be written as A=B*Q+R (where Q is the quotient which is floor(A/B) )

      A mod B is:
      A-floor(A/B)*B

      Without getting too deep into it, the quirky behavior behind mod in many programming languages has its roots in how computers represent negative numbers and how integer division is done on computers (truncating integer division).

      Hope this makes sense
      (6 votes)
  • primosaur ultimate style avatar for user KHAN ACE
    since there are 26 letters in the alphabet
    Why isn't A= 1, B = 2, C = 3 ... Y = 25, Z = 26?
    (9 votes)
    Default Khan Academy avatar avatar for user
    • leaf green style avatar for user Lucie le Blanc
      In cryptography, we use A=0 ... Z=25. This makes sense, because if a shift is 0 you can assume that the letters were shifted by 0, which means they were shifted by nothing. Any letter shifted by 0 is that letter. Think of it like addition: you are adding a number. Any number + 0 is that number, therefore A+0 is A, right?
      Also, if we used A=1, it would get very confusing because some people would think that A shifted by 1 is A and others would disagree. This would make it very hard to decrypt an encrypted message because you would have to decrypt the message twice, once for each possibility!
      (22 votes)
  • leaf blue style avatar for user mike boy
    I may be missing something. Under 'decryption', using k=19, 19 is subtracted from the cryptic message (3, 0, 19, 6) to give the result of -16, -19, 0, -13. Under that result, a new result of 10, 7, 0 13 is provided to give us the message 'khan'. Specifically, I'm unclear how -16 & -19 converted to 10 and 7 to give us the letters k & h in the message. Please explain and clarify this result.
    (13 votes)
    Default Khan Academy avatar avatar for user
    • blobby green style avatar for user John Devoy
      I wasted hours wondering why i couldn't decrypt properly, turns out c# doesn't have a proper modulo command, luckily i found this. My c# code was ignoring % when used with negative values.
      float nfmod(float a, float b)
      {
      return a - b * Mathf.Floor(a / b);
      }
      (5 votes)
  • piceratops ultimate style avatar for user Roger Andersson
    Decryption. How does dividing -16 by 26 give us a remainder of 10?
    26 goes into -16 how many times?

    I understand the logic in the encryption when the numerator is positive, but I'm lost in the decryption.
    (5 votes)
    Default Khan Academy avatar avatar for user
  • leafers ultimate style avatar for user Patrick Vermeulen
    Correct me if i'm wrong. But with mod=26, and A=0; you end up with 27 alphabetical characters...
    (3 votes)
    Default Khan Academy avatar avatar for user
  • hopper jumping style avatar for user Sam D
    I understand that the caesar cipher can be broken in just 26 or less tries but here, in this shift cipher we're taking the letter positions in the alphabet and then adding it to a shift number. next we use modulus 26. How is the Cryptographer going to know it was mod 26 and not mod 24 or 22? Or, how is he even going to know we did something like Modulus? And, can't we use mod 22 or any other number closer to 26?
    (3 votes)
    Default Khan Academy avatar avatar for user
    • spunky sam blue style avatar for user CZ
      Here are some issues to think about. What symbols will you use to send the text? The reason we use modulus 26 is we are limited to only 26 recognizable symbols to use. We could expand that list, however, the difficulty to guess it only increases linearly...and we have introduced more symbols which may make it more difficult to decrypt at the other end for the intended person. A similar problem arises when we use a smaller modulus. If we have only 22 symbols to use then we can really only encrypt 22 letters. What about the other 4? Also this makes it easier to check. In theory an interceptor would probably be already trying 26 shift keys. So 22 does not make the message more secure. With regards to the knowing we are using a modulus. You are right, he might not know that, but it would not be very hard to guess that we are using a shift key and see if the message decrypts. In the age of computers, he could write a simple program to try all 26 shift possibilities (or 110 if you want to add more symbols) and see if any make intelligible print.
      (3 votes)
  • leaf blue style avatar for user shrumms
    If I were to decrypt B using k=3:
    B=2, so 2- 3 = -1, mod(-1); wouldn't the answer still be -1? not 25 which is Z, the correct answer?
    I'm sorry for this noob question.
    (2 votes)
    Default Khan Academy avatar avatar for user
  • male robot johnny style avatar for user galvanek.m
    Why we cannot comment also under the exercises or games? It would be more convenient to discuss possible setbacks right there, won´t it?
    (3 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Andrea
    Do you have to add 26 for mod 26 after ever decryption? For example:

    H e l l o K=1
    7 4 16 16 19
    6 3 15 15 18
    +26 26 26 26 26?
    -----------------------------
    32 29 41 41 44
    Those aren't even letters on the number to letter step. Please help I'm confused.
    (1 vote)
    Default Khan Academy avatar avatar for user
    • starky ultimate style avatar for user jdsutton
      Mod 26 means you take the remainder after dividing by 26. So 36 mod 26 would give you 10. As a result, shifting by 26 is the same as not shifting by zero. Here's the steps to perform:
      1. Convert the characters to numbers
      2. Pick a number to shift by
      3. Add the number to each character
      4. Mod each resulting number by 26
      5. You message is now encrypted!
      (7 votes)
  • duskpin ultimate style avatar for user Medha_V
    In the encryption process, mod 26 is mentioned. How does that apply to encrypt the message. For example, in 29 mod 26, how is the 3 obtained? Also, how is 19 mod 26, 19?
    (1 vote)
    Default Khan Academy avatar avatar for user
    • hopper cool style avatar for user Neil And Chase
      The mod operator gives the remainder of the top number divided by the bottom. For example, if we want 10 mod 3, we will start by dividing and getting 10 / 3 = 3 R 1 (read: 3 remainder 1) because the 10 is 1 over being divisible by 3 (9 is divisible by 3 and 1 less than 10). The remainder that we get, in this case, 1, is mod, so 10 mod 3 = 1.
      For the examples you gave:
      29 mod 26
      29 / 26 = 1 R 3 because 29 = 1*26 + 3
      ^
      This is the mod
      29 mod 26 = 3

      And
      19 mod 26
      19 / 26 = 0 R 19 because 19 = 0*26 + 19
      ^
      This is the mod
      19 mod 26 = 19


      Hope this helps!
      Neil
      (4 votes)