Cryptography from the 13th Century

The British Museum wants help breaking a code on a 13th-century sword.

Posted on August 13, 2015 at 12:17 PM • 61 Comments


AnuraAugust 13, 2015 1:02 PM

NDXOX = Our lord, Hug and Kisses

Seriously, though, being that it's been around for nearly two centuries, I doubt it's a code - if it is, either it is not a simple substitution cipher, or there is too little ciphertext to break it. It's probably abbreviations, maybe not English, and possibly something with special meaning to whoever owned it.

GnpAugust 13, 2015 1:08 PM

Well, that's exactly why we need backdoors on all cypher codes. Think of the children!

Clive RobinsonAugust 13, 2015 1:23 PM

The message is less than half the length required to make the probability of any "guess" being accurate.

At a guess the X is not a letter, but a null or seperator / space.

@ Bruce,

This is the second time you have posted a "London Muesum" item within a week or two of me having been there....

People are going to talk :-)

mattAugust 13, 2015 2:00 PM


The message is less than half the length required to make the probability of any "guess" being accurate.

sounds what is the minimum length required for such guesses to be accurate?

albertAugust 13, 2015 2:51 PM

It's ancient Welsh. It means "The Lord will punish whomever steals this sword." This is born out by mysterious deaths within its chain of custody. Curses aren't just for Pharoahs tombs.
. .. . .. o

CoinspanAugust 13, 2015 3:33 PM

GNP: Think of the children!

Think of the grand grand grand children!

What will historians make out of the inscription "Wilkinson Sword" when they rummage through our trash to figure out how we came to be so daft?

ramriotAugust 13, 2015 3:34 PM



The W must be wrong for the period, suggests Middle english mixed with Latin & a Claudian overhang. I suggest it is a one off inscription that would have accompanied a deed, now lost.

I suggest that it is a semi-palindromic reflection poem of two stanzas i.e.


Sort of translates by expansion of common abbreviations to be a gift that proffers dominion to the owner of all of a named region. The name of the giftee follows in a way that rhymes with the beginning and extends the gift to 7 generation of their offspring.

Now if only we had the deed, and knew who the current owner should be.

kingsnakeAugust 13, 2015 3:55 PM

Maybe the sword smith was drunk: I've heard the drink is popular in those parts ...

Another JustinAugust 13, 2015 4:02 PM

Well, clearly it is a medieval French dialect:

By the Grace of Our Lord this mighty sword smote the warriors of Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch

where the craftsman had bad hearing, the conquering hero was drunk, and the sword was short.

tyrAugust 13, 2015 4:31 PM

It says "if you're close enough to read this you're dead"

Part of it is the makers mark. Given the way
they spelled in those days it was perfectly
readable by the literati of the day. I was
amazed at how well preserved it is.

CallMeLateForSupperAugust 13, 2015 4:37 PM

"Made in Japan"

Say... Was this sword found in a chimney with a pigeon skeleton?

Z.LozinskiAugust 13, 2015 5:43 PM

> sounds what is the minimum length required for such guesses to be accurate?

The exact answer depends on the language of the plaintext (and how much redundancy there is) and the cipher algorithm (and in particular, how many keys there are). It can be calculated, and is called the unicity distance for the cipher. If you assume the plaintext is in English, and it is a substitution cipher, the minimum amount of ciphertext to allow a unique decipherment is at least 28 characters.

There is a nice explanation in the (freely available) Handbook of Applied Cryptography (look for 7.68 and 7.69 Unicity Distance):

ThothAugust 13, 2015 5:53 PM

Even if it has a backdoor in place, I doubt anyone could use the backdoor properly due to the mechanism lost for 800 years or so.

Alien JerkyAugust 13, 2015 5:54 PM

This is a little off topic for this thread, but so what.

An interesting article about when Lavabit was ordered to hand over the SSL keys so the government could get at Snowden's data.

At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters. To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data.

cfAugust 13, 2015 7:01 PM

I like the theory, posited in another article, that it's the medieval equivalent of the dudes who get kanji tattoos. They don't speak Japanese, and neither do the tattoo artists, and they spend years telling people their tat says 'strength', until eventually some chef at a sushi place clues them into why everyone starts giggling when they come through the door. Let's them know that their tat is meaningless, or says something completely stupid or nasty.

So some prince or semi-educated knight has a sword with some text, and he's a badass, and the next thing you know some illiterate knight is asking some illiterate blacksmith to put letters on his sword so he can be in with the in crowd. The blackmith picks some letters at random, and the knight spends a few years telling people that 'NDXOXCHWDRGHDXORVI' is Latin for 'strength', then somebody killed him and chucked him and his fancy sword in a river.

Clive RobinsonAugust 13, 2015 7:34 PM

@ Matt,

sounds what is the minimum length required for such guesses to be accurate?

Your ability to be able to uniquely identify a plain text depends on a number of things.

Firstly the ciphertext alphabet size, in the likes of a block cipher the alphabet size is usually 2^b where 'b' is the number of bits, if the ciphertext is shorter than this then then it's not possible to uniquely decode it or even decode it at all even if using a brute force key search (it's one of the reasons to split ciphertext into parts and send it by different paths).

Normaly you are taught that for various reasons the plaintext block size is the same as the ciphertext blocksize and under any given key there is a unique mapping from plaintext to ciphertext. Whilst this is technically true it misses an important point. Plaintext usually has a very small alphabet which does not usually match the ciphertext alphabet size. That is there is redundancy, the more redundancy there is they easier it is generally on a brutforce search of the keyspace to determine if the plaintext is the valid plaintext or not. However the shorter the plaintext message the harder it is to determine if you have a valid plain text. A simple example, if I use a simple substitution cipher on all caps plaintext the ciphertext alphabet is going to be 26, but what of the plaintext alphabet size? If I'm only using two chars such as Y/N to get through a menu etc then my plain text alphabet size is 2 which is just one bit of information. I could thus use T/F instead of Y/N or I/O etc without further information you have no way to know what is valid plaintext.

There's a whole bunch more on this and it's called the "unicity distance" Wikipedia has a page on it which at a quick glance looks like it covers most of it,

metaschimaAugust 13, 2015 8:25 PM

I don't see any reason for anyone to write an encrypted message on a sword and then throw it into a river.

I would have to agree with the suggestion that most people were illiterate at the time, so this was just one of the unfortunate results of this fact.

Either way, brute forcing it with this short of a ciphertext is near impossible.

CallMeLateForSupperAugust 13, 2015 11:12 PM

"I don't see any reason for anyone to write an encrypted message on a sword and then throw it into a river."

Who says the person who tossed it in the water is the same person who made or engraved it?

Judging from only the photo in the article, I think the sword was not in the water very long. Certainly not six or seven centuries. Personally, before I'd spend any time twiddling with the inscription, I would put some effort into dating the metallurgy

EvanAugust 14, 2015 3:25 AM

There's actually semi-historical evidence of this happening elsewhere. In the Iceland Egill's Saga, some illiterate attempts to carve runes to make a woman fall in love with him but screws up completely and ends up carving runes of illness instead, making her sick.

The 13th century seems a little late to me for that to be happening, but it's not outside the realm of possibility.

WinterAugust 14, 2015 3:47 AM

"It's a nice story, but OCR was invented a little while ago."

4 pt font, no errors allowed? You better start typing.

SamAugust 14, 2015 6:30 AM

> "This side towards enemy"

Inscribed on the flat bit?

What about: "Fresh river water only. Do not scour or tumbledry"

Or: "Read safety instructions before use; consult your doctor before engaging in combat."

Clive RobinsonAugust 14, 2015 6:34 AM

@ AC2,

"This side towards enemy"


Nice word play on the front wording of the M18A1 mine, which is named after the (Scottish) Highland weapon which at closer quaters had a similar disemboweling effect.

ianfAugust 14, 2015 7:00 AM


The message is less than half the length required to make the probability of any "guess" being accurate.

That was my immediate impression, too - lacking a cipher key, not enough meat to pick the bones.

@Clive, @mrc

At a guess the X is not a letter, but a null or separator / space.

This can't be. Apart from the glyph X being conspicuous in Christian iconography from Roman times onward, thus too valuable a symbol to be spent on a mere delimiter, the medieval general method of texting called lingua continua used NO SPACES, hardly any punctuation at all (yet to be invented; readers were expected to unravel the meaning of unbroken text-streams anyway.) Doubly valid for when the message is as short as here.


Clive RobinsonAugust 14, 2015 7:39 AM

@ ianf,

The X was used as a seperator in both Roman and Christian works as a "rank marker" during the medieval period used in front of a name and to seperate parts of a name it would indicate a Bishop or similar high status office. This X symbol made it's way into crusader and other "Knights of the Church" swords as the "quaterfoil" --donught shape with cross in-- found on the helms and pommels.

Some swords were made of diferent irons, that would be twisted and hammer welded together, after polishing this gives a very beautiful patter deep in the metal, as well as acting like reinforced concrete where brittle is strengthened by flexible giving combined properties. The paternation caused by the metal differences was occasionaly used to embed writing or images into the central portion of swords that had been effectivly flutted to increase length and strength of the blade but keep the sword weight managable. Much much later this led to "engraving and blueing" images and guilding via the mercury process on ceremonial swords. The blueing would be that "cobalt blue" colour of the pigment once highly valued in iconography as the mineral it was ground from Lapis Lazuli was worth several times it's weight in gold (and usually used for the cape or cloak of the Virgin Mary).

It's many years since I read up on this, it was back when I was a teenager with perhaps an odd interest in "Brass Rubbing".

Chris SAugust 14, 2015 9:41 AM

It is odd to see the letter "W". This letter is unknown in Latin and Greek inscriptions, since it simply did not exist in those languages.

The Wikipedia entry on "W" is informative:

It also indicates that "W" first came into broader use in Germany, which as a simple starting point suggests the possibility of this being a memory aid for a Middle High German phrase. That would match up with the suggested geographic origin.

I've seen notes indicating that Latin was being phased out as an official language; this might give us an interpretation of the letter X. Words beginning with X are rare in German, but the symbol was a common short form for "Christ" in Latin. That said, the idea of it being a separator should also be considered.

Finally, I find the two letter "R" versions to be puzzling. The "R" in "WDR" and the "R" in "ORVI" are *completely* different. That leaves me wondering if one or the other are in some way part of "special groups", such as the initials of a name.

The only other option that comes to mind is a completely non-literate engraver copying a provided item, where some parts, such as the "WDR", are actually meant to be Greek letters. That might explain both the odd "R" (it's some other letter), and the straight-sided "W" might be a rotated capital sigma. The origins of "W" are "VV", which would not tend to have straight sides, whereas the sigma usually has a parallel top and bottom.

MeAugust 14, 2015 10:24 AM

Damn, I can't believe I missed the Doctor reference on HELLO SWEETY.

Need to re-watch the series I guess.

AJWMAugust 14, 2015 10:51 AM

@Me -- Hint: River Song, and in at least one episode she's leaving clues scattered across time. I can't say more because "Spoilers!".

labrieAugust 14, 2015 11:02 AM

Let's see... Sword? In water? It's "swordfish", of course. It is always "swordfish".

Clive RobinsonAugust 14, 2015 11:35 AM

@ Me,

How about a "river song" such as "smoking on the water" or "Sweetie how I love you, how I love you, down on the river" or the other "Hello Doctor, well Hello Dr, it's nice to see Who back where you be Song" and plenty of other groaners from the past ;-)

ianfAugust 14, 2015 12:51 PM

@Chris S.
a “completely non-literate engraver” doesn't quite compute. Literacy as we know it did not exist in those times, and only a small subset of the literate had steady access to hand-drawn codices. Likewise, the making of what to me looks like a ceremonial object, too well preserved to ever have been a "working weapon," must've been an elite/ thus learned/ occupation. So then engraving on such prized objects would not have been entrusted to any "illiterate" copist/ blacksmith.

MarkHAugust 14, 2015 1:11 PM

Come on, chaps! This isn't so hard.

The ciphertext has an appended hint in plaintext:

XORVI -> exclusive OR with the Vector of Initialization (in some languages the noun comes before the modifier)

that_guy_over_thereAugust 14, 2015 2:01 PM

This sword discovered by the British in 1825, the found the enscription "NDXOXCHWDRGHDXORVI", which of course means "A Whale's Vagina".

prophetAugust 14, 2015 4:19 PM

An angel appeared to me in a vision an said:

Thou shalt honour the cyphertext of your ancestors, so that yours may live long in the cyberspace the LORD your God is giving to you.

tyrAugust 14, 2015 9:21 PM

there is a rune for weapondeath


Looks like a W with an extra stroke in the center.
As muddled as some of the texts were at the time
it might be why there is a W, or not.

We've been spoiled by lexicograpers and dictionaries.

When men were made of clay the obvious name for
swords was clayhammer I won't attempt the Celtic
spelling but it became Claymore when the sassenach
tried to spell it.Fun to swing around as long as
you keep your parts out of the way.

RogerAugust 15, 2015 8:57 AM

If it is actually 13th century, then actual cipher seems unlikely.

However it is not at all uncommon to have difficulty reading short ancient inscriptions -- this is why the field of paleography exists. Letter formats -- fonts, if you like -- change dramatically, alphabets rise and fall and borrow letters from one another.

I would by no means assume that the inscription is in Roman letters. For thirteenth century England it seems the obvious choice, but that W is just plain wrong for a Roman letter of that period [1]. In fact, if the script is in Roman letters, that W might suggest that the inscription may be a hoax. (Found in a river in 1825? Hmm.)

What other options are there? Well, I am no paleographer, but here's a suggestion: Mediaeval (Uncial) Greek. Several uncial Greek letters are different to the Classical Greek alphabet you may have learned at school. In particular, the uncial sigma ("S") looks like a capital C, and the uncial capital omega ("O") looks a lot like that W. And the thing that looks vaguely-but-not-quite like a Roman X works much better as a chi ("Ch".) Most of the other letters work fine as uncial Greek too, although I'm not sure about some of them. In addition, Mediaeval Greek inscriptions used a lot of standardised abbreviations and acronyms that can seem quite cryptic to us today. For example, "XC" from this inscription is pretty unlikely as Roman letters, but chi-sigma is a common abbreviation for "christos", i.e. Christ.

There are numerous other candidate alphabets; I assume actual paleographers have considered at least the ones that are plausible for mediaeval England.
1. English had the W phoneme, but in the 13th century it was written as a literal double U, or double V. Even when it came to be understood as a single letter, it was centuries longer before it was written with the central peak lower than the two side limbs.

RogerAugust 15, 2015 8:31 PM

Your etymology for "claymore" is a little off. "Claymore" is indeed an Anglicisation of a Gaelic phrase, but the original phrase "claidheamh ‎mor" simply means "big sword," nothing to do with clay. Note that in Gaelic the "dh" digraph is not a "d" sound, but a breathed sound similar to "th", and somewhat difficult for English speakers to pronounce correctly; hence it is rather easy for "claidheamh ‎mor" to elide to "claimh ‎mor", then only a small side step to "claymore".

The word "mor" could be translated as "big", "large", "great", or even "important." In this phrase it is most usually translated to "great", presumably in reference to the English language word "greatsword." However a claymore is not a greatsword, and the Scots had a different name for greatswords ("claidheamh ‎da laimh") so "great" is a little misleading here.

ianfAugust 16, 2015 8:26 AM

        Incidentally, since Lavabit suspended the operation 2 years ago, has Ladar Levinson had to fork over any metadata, bulk content or the SSL keys? (Google supplies no answers).

        You're quite right that the SWORDQWERTY invocation is in some other, obscure, little known alphabet that borrowed letterforms/ glyphs from at that time more common writing systems/ or languages. On closer inspection of the writing-on-the-sword, there also is a leading, and a closing, pictograph(?) (hieroglyph(?)) that seem to be mirror images of one another.

GropifAugust 16, 2015 9:21 AM


The reverse of uninformed use of Japanese or Chinese symbols also exists, it's called "Engrish", and it's just as hilarious.

My take on the string: it's the owner's public key. ;-)

JurgenAugust 17, 2015 6:46 AM

Those that discuss 'WDR' gave it away, of course. It just says: Made in Germany, approx. 1945-1989. Making it an ugly but probably well-engineered weapon until next year when the smithes at AMG (or Brabus) squeeze out a couple more inches of deadliness for big €€ and you're left in the sucker dust.
Was crashed into the river by some London stockbroker who stumbled over more money than his (sic) brain (if any) could handle.

Swords from, e.g., Aston, smith at Martinby, are far more stylish but they break (down) after just about the first gallop. The French, they wet their swords in mustard. Etc.

MarecSeptember 2, 2015 6:47 AM

Sorry but I think there's no way of cracking it. Maybe it doesnt even mean anything and the one who engraved it made these signs just for fun. Maybe.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.