Breaking the Caesar Cipher with Brute Force

Brute-Force Attack on the Caesar Cipher

A brute-force attack on the Caesar cipher is trivially easy because there are only 25 possible keys (shifts 1 through 25). An attacker simply tries each one and reads the results.

How It Works

Given the ciphertext "KHOOR", try every possible shift:

Shift  1: JGNNQ
Shift  2: IFMMP
Shift  3: HELLO  ← readable English!
Shift  4: GDKKN
Shift  5: FCJJM
...
Shift 25: LIPPS

At shift 3, we get "HELLO" — the plaintext is immediately obvious.

Automated Brute Force

A simple program can try all shifts in microseconds:

function bruteForce(ciphertext) {
  for (let shift = 1; shift <= 25; shift++) {
    let plain = '';
    for (const ch of ciphertext) {
      const code = ch.charCodeAt(0);
      if (code >= 65 && code <= 90) {
        plain += String.fromCharCode(((code - 65 - shift + 26) % 26) + 65);
      } else {
        plain += ch;
      }
    }
    console.log(`Shift ${shift}: ${plain}`);
  }
}

Why Only 25 Possibilities?

The Caesar cipher key space is extremely small:

• 26 letters in the alphabet
• Shift 0 = no encryption (identity)
• Shifts 1–25 = the only valid keys
• Total: 25 possible keys

For comparison, modern AES-256 encryption has 2²⁵⁶ possible keys — a number so large it cannot be brute-forced even with all the computers in the world running until the heat death of the universe.

Improving the Attack

While brute force works, smarter approaches exist:

• Frequency analysis: Match letter frequencies to known language statistics
• Known plaintext: If you know one word in the message, derive the shift
• Crib dragging: Try common words at each position

Security Lesson

The Caesar cipher demonstrates a critical security principle: a cipher with a small key space is never secure, regardless of how the algorithm works. Modern encryption requires key spaces large enough to make brute force computationally infeasible.