Case Study: University of Bath Cryptography Challenge

Organisations involved: University of Bath

Case study written by: Ben Sparks, Greg Chamberlain, Katie Steckles and Peter Rowlett (This case study is written based on an interview with Ben Sparks for this project; in the text, “I” refers to Ben.)

Intended audience: Students (primary up to Uni level); Professional development for Teachers.

Maths content: Cryptography, codebreaking, ciphers, encryption, number

Audience group: Primary or Elementary, Lower secondary or Middle school, Upper secondary or High school, Sixth Form or Junior College, Families (adults and children), University Students, Young Adults, Adults, Retired

Audience interest level: Receptive, Engaged, Expert

Topics: Codes and cryptography, Number

Origins of the Project

The Crypto Challenge is an event run in the school half term at the University of Bath which broadly aims promote mathematics to as wide a community as possible and to provide a half term experience for the general public, raising the profile of mathematics and the University of Bath at the same time. It began in 2015 following the success of the earlier Mega Menger project – a collaborative experience for the general public including families and university students. It is also related to the MegaPixel project from 2016.

Participants had to be on location due to the physical nature of the activities. Ideally all participants—primary school pupils through to final year university students—can find some level of mathematics appropriate to their level of experience. Cryptography is particularly well suited to this because there are a range of difficulty levels from simple ciphers to state of the art cryptographic techniques.

Practicalities

Crypto Challenge was inspired by contemporary cryptographic challenges such as those run by the University of Manchester and the University of Southampton, consisting of a series of ciphers for participants to solve. What makes our event unique is a treasure hunt aspect: in order to crack a given cipher, participants had to go to a certain location on campus.

For the event we booked a room (“Crypto HQ”), a quiet room to work in and a table outside where someone on duty would stay for the whole day.

We didn’t want people to feel defeated and lose motivation early on, so for the first challenge—level 1—we chose something highly accessible and really hands-on: mirror writing; participants could hold up a mirror to reveal the secret message. Once they deciphered it, participants then had to whisper their solution to a member of the events team, which the kids absolutely loved. Unlike the usual sedentary classroom work, here maths had directly led them to do something.

The rest of level 1 consisted of backwards writing (letters reversed), a page of nonsense where the first letter of every word combined to form the secret message, and an Alphabet Cipher where the numbers in the cipher represented the letters in alphabetical order.

We felt that level 1 was accessible to everybody. With a bit of hand-holding, the event saw children as young as 6 breaking codes.

With level 2, we introduced a Caesar Cipher, Substitution Cipher, Pig Pen Cipher and the Dancing Men from Sherlock Holmes. We hoped that this would be accessible to any secondary student and perhaps diligent primary students.

Whereas level 1 and level 2 challenges gave away the key (or strongly hinted at it), level 3 introduced cryptanalysis where you actually have to crack a code (e.g. with frequency analysis) rather than just deciphering it. Ramping up the difficulty, level 3 included a Morse code audio message; participants would scan a QR code and listen using their smart phones. Level 3 also included a Vigenère Cipher and a Playfair Cipher. This required some research and was only really tackled by A-level and university students.

Participants that reached level 4 were met with 4 deliberately really hard ciphers. This involved a Playfair Cipher, autokey Vigenère Cipher and an RSA Cipher. The size of the public key for the latter was chosen very carefully so as not to be insultingly small nor unbreakably large. The final challenge was an Enigma code, which in some ways is easier to understand but does require an Enigma machine, which are notoriously hard to get a hold of; so I expected participants to find and use an online Enigma simulator.

These four levels were successful in catering for the entire range of experience. The most successful part of the event was that we had primary students alongside university mathematicians working and talking about ciphers in the same room (even if they weren’t exactly the same ciphers).

When we first did this we had 3 or 4 days of this, so I was just sat on the table for 3 or 4 days and people would drop in. The second time I ran it, a few years later, we focused on a couple of days in half term, and had a day before half term for a school to turn up as a school activity rather than a public thing.

We became aware that we didn’t want to have responsibility for people running around the campus unsupervised, so we made it very clear that families who turned up would have responsibility for their own family; when schools turned up they were expected to go in groups, and we had a few student volunteers stationed around the campus. We knew exactly where the locations they were meant to go were and gave everyone a map and drew a circle within which those locations would be. It wasn’t all of campus but it was far enough to give them a bit of a run around, and that physicality of it really helped. Eventually we ended up giving lat and long co-ordinates (in 2015 most people didn’t know how to enter those into Google Maps so we had to demonstrate this; we ran it again in Autumn 2019 and this was not a problem because people know how to do this now).

There were hints all the way through, but they were not obvious until you spotted them. For example, the title of the second challenge was ‘kcud’. After walking around the uni of Bath campus you notice it’s infested with ducks! ‘kcud’ is duck backwards and the solution was the read the ciphertext backwards. So many of the hints were in the title of the challenge itself - the third challenge was Titled ‘Definitely Useless Code Challenge’ (the initials spell DUCC).

In most cases the keys were hidden in the titles. Our hint system worked well because it wasn’t a hint booklet; the hints system was when we spotted this going on, or were asked for help we’d tell them to read the title and ask ‘what does that mean to you’.

Challenge 6 was a Caesar cipher and said ‘unducky for some’ – most people decided that that meant the unlucky number 13 was involved so they tried a Caesar shift of 13 with a bit of a prompt which was the correct approach.

We did also print out a lot of copies of a 16 page A5 help booklet that described in detail some of the earlier ciphers; we deliberately didn’t do this for the later ciphers because a help booklet explaining RSA is a textbook basically! It also went through the vocab like steganography, cryptography, cipher, code, etc. and this was helpful in our conversations with people. This was not so much a hint thing but it was the ‘teachy’ bit which is really hard to teach successfully: you could do a lecture on the vocab of cryptography but I’m not sure people would have turned up with much excitement to that – or listened for that matter. This was a way of drip feeding that information when they needed it. So the help booklet had a few hints in there as well and discussed how to look for hidden messages and things in there. So occasionally we directed them to that.

Visitors were aware that there were multiple levels to the challenge. The latest iteration of this was last year; when they turned up to Crypto HQ where me and Tamsin or one of the student volunteers was on duty, we had four locked boxes really visible with 4 digit combo padlocks, each for a different level.

If you solved all 4 challenges of level 1, you had the 4 digits to open the padlock for the level 1 box. On arrival they could see there were 4 levels and they could pick up a pack for level 1, 2, 3 or 4. Judging by their enthusiasm and confidence we could give them a pack we thought was appropriate.

Having solved level 1, which took about 10 minutes whatever their age, they would immediately come and ask for the level 2 pack. They could always come and chat to us at the desk and ask what’s in the next level.

So there was a strong motivation not only in the challenges directing them physically somewhere, when they’d solved 4 of them for the whole level they could come to the desk and try to unlock the box which contained a pile of chocolate coins or something similar in box 1. I think in box 2 there was more chocolate and some gluten free options.

Box 4 we hyped up as being for the pros and it had large bars of chocolate but also three £10 notes just loose in the box; anyone who unlocked box 4 was allowed to take one.

The boxes provided a nice focus for getting a whole level done before moving on to something else. There’s something really tangibly exciting about the box being right here, not even hidden, but you couldn’t get into it. We didn’t let people just brute force the padlocks trying all the combinations because that’s really embarrassing if you’re just standing right there.

This way even those students who turned up and only solved level 1 and opened the box could leave having had a complete experience or move onto level 2 if they wanted.

We did have a few university students who solved all four levels; they collected their money and were very chuffed with it. They ended up helping us man the volunteer desk. One was running a Python script to bash through the Vigenère cipher at the end. They ended up being expert helpers and we’d ask them to talk to others because they knew all about these codes and everything.

We sent out a call to all undergraduates on the maths and CS courses to volunteer. We had a short meeting the week before where I talked them through the ciphers; a lot of them wanted to go away and solve them on their own though and that was fine. In practice, few finished all that in advance.

We had a little rota of when they’d turned up and their job was either to sit at Crypto HQ and welcome people and point out how the levels worked, or to float around the work room and make sure there were pens and pencils and a few Caesar wheels and things and just chat to people. The volunteers did really well with the latter, and that’s the really urgently important part of the day – if there’s just a vacuum and people don’t know what they’re doing and no one can step in for help then I think it’s a lot harder to keep the atmosphere. As it happened, in that work room it was a really lovely atmosphere.

We had a few very very low level activities for those who couldn’t engage with level 1 – maybe they can’t read, particularly if they turned up as a family with an older student; we had a few things written around the room in UV pens, and we provided UV pen lights so they could go and find a shape hidden in a room. There were a few primary and below challenges in the work room – things like, not a dot-to-dot, but something where you colouring in the right shapes and a picture appears. It’s the same sort of feeling as decrypting something. The first time we ran this in 2015 we didn’t have this and so those primary and below students became bored. These simple token activities kept them busy and entertained.

The younger students were definitely exposed to higher levels of maths than they might see at school. Everyone who turned up either could have done or did level 1, but when young students finished level 1 they would move onto level 2 - which they spent ages on, because doing a substitution cipher by hand is time consuming.

Not all of the tasks require a high level of attention to detail - with the earlier ciphers (substitution and Caesar) you can get away with making an error or two, which was useful. The younger students didn’t always deal with the frustration and patience very well and that was where having helpers around was absolutely necessary when they got stuck.

The four levels really helped to manage calibrating the difficulty of the tasks, and avoiding frustration. It didn’t matter which level they ended up finishing - if people finished the level (and I think everyone finished level 1 if they wanted to) they got a successful feeling.

Visiting campus may also encourage people to consider studying maths at university - at least one student wrote to me saying they are now studying on campus at Bath and said “It was your crypto thing back in 2015 that made me choose to come and do maths.”

Accessibility

We were aware not everyone would have a mobile device with them, so we had a couple of laptops at Crypto HQ with Google Maps always open so people could use that. They were also available for people to read about ciphers on Wikipedia. In practice, most used their own devices - if they came as a group, someone had a device.

For school visits we had to make sure to have paper copies available because students did not necessarily have phones. This was surprisingly good because they ended up having to talk about co-ordinates and what latitude and longitude meant.

The area the challenge took place in didn’t all have level access - because of the way the campus worked - but there were lifts, so we did have a few people with accessibility issues who couldn’t use stairs and we managed to get them around. That was the hardest thing to deal with: to make sure all the locations were within eyesight and not too predictable, you have to send them further afield. There were a few staircases. The Uni of Bath campus has a parade, and there is a lift to get on, but it was broken on the first day of our challenge – that was an accessibility problem we did not foresee. We had a phone call from someone who couldn’t get on campus. But this is more a university issue rather than an issue with our design.

Part of our discussion was about whether it would be possible to create a version of it that is possible to do just online or without travelling around. We made all the challenges available online and you could go and solve them without leaving your home if you wanted to. The problem with that was a few people did that and wrote in to say “I’ve solved them all; can I come in?” – it wasn’t enough for them in motivation terms just to solve them at home, they wanted to get the physicality bit.

The best feedback we got verbally was not really solving the puzzles, though that is necessary - it was the excitement of “there’s something hidden there and only I know about it” and you had to implement your solutions physically.

Challenges and Evaluation

Evaluation of the project wasn’t extensive - we didn’t ask participants for opinions or qualitative feedback. Mainly, we collected participants’ names and context, so we had an evaluation of reach. If they were from a local school we asked them to write down their school, but that was the only geographical data we had.

The very first time we ran it we asked participants for their email address. I had a score sheet keeping track of who solved which challenges all the way through to the end. By the end of the week I looked at the who solved the most challenges and quickest and I sent them a book. That was part of the advertising at the beginning - a prize for the team that does best.

Developing the challenge has been an ongoing process. We adapted the challenges each time, especially the earlier ones depending on location. We learned that the opening challenges should be more accessible than we had first thought - even the older students enjoyed the mirror writing and stuff.

We learned that the first challenges shouldn’t be too far away so people weren’t being sent across campus for the first challenge. One person misread it and ended up spending an hour getting lost on the first challenge.

Those are the obvious things that you iterate when you do a project like this.

The excitement of the physical element - some paper mathematics to solve followed by a physical result of that (somewhere to go, something to find, something to do) was a really lovely combination.

There are problems perhaps with the competitive element. For the 2019 run we made it more about opening the box than beating other participants (you vs. the box instead of you vs. everyone else). I think that was better overall – teams could be competitive if they wanted to bit it wasn’t the focal point. It was just ‘can you beat the system?’ and that is something that we’d do again.

We’d spent a long time writing the ciphers specific to the uni of Bath campus; if someone demolishes the building you have to rewrite the ciphers. But the nice thing is that once it’s all designed you can run it again whenever you like on campus.

Talking to car parking control at the uni was important. If we had just organised a day for the public to turn up, we have to check that they haven’t organised a major conference and the car parks are gonna be full. Turns out at the uni of Bath, they’re always full! But hey, talking to them meant that we knew people at least had permission to park there.

Things like room booking: do that as early as possible! Because university scheduling can be a bit of an nightmare. For example, we booked rooms and they scheduled exams in the rooms around us! And then they told us we couldn’t make any noise whatsoever in this area. We had to have the discussion and they eventually moved the exams.

More information

Crypto Challenge Website

2019 Event Website