T

Text Machine

Powerful text tools, in your browser

Substitution Cipher Solver

Paste a monoalphabetic substitution cipher or cryptogram and recover the original message without knowing the key. The solver matches letter frequencies for a starting guess, then uses simulated annealing scored on English trigrams to search the 26-letter alphabet for the reading that looks most like English. Everything runs in your browser.

Try a sample:

Ciphertext

Paste a substitution cipher above, press Solve, and the recovered message and substitution alphabet will appear here. The more text you give it, the more reliable the answer.

How to use Substitution Cipher Solver

  1. 1

    Paste the ciphertext

    Copy your substitution cipher or cryptogram and paste it into the box. More text solves more reliably; letters are read without regard to case, and spaces, digits and punctuation are ignored while solving and then restored in the answer.

  2. 2

    Press Solve

    Click Solve cipher. The search runs for a moment — it tries hundreds of thousands of candidate alphabets — and then shows the most English-like reading it found.

  3. 3

    Read the recovered message

    The decrypted text appears with its original capitalisation, spacing and punctuation restored. Copy it with one click to keep the result.

  4. 4

    Check the recovered alphabet

    Below the message, the substitution alphabet shows what each ciphertext letter decoded to. Dimmed letters never appeared in your text, so the solver could not place them. Copy the alphabet to reuse or verify the key.

  5. 5

    Share or clear

    Copy a shareable link that reopens the tool with your exact ciphertext — the text rides in the part of the URL after the hash, which never reaches a server. Clear resets everything.

Cracking the substitution cipher, explained

What this tool does

A monoalphabetic substitution cipher replaces every letter of the alphabet with a different one — A might become Q, B might become W — and uses that same scrambled alphabet for the whole message. It is the cipher behind newspaper cryptograms, escape-room puzzles and the Aristocrats of the American Cryptogram Association. There are more than four hundred septillion possible alphabets, far too many to try one by one, yet a substitution cipher is one of the easiest of all ciphers to break. This tool breaks it for you, automatically, with no key.

Paste the ciphertext and the solver returns the most likely original message together with the full substitution alphabet it recovered. It works the way an experienced puzzler does — start from the letter frequencies, then keep swapping letters and keeping the changes that make the text read more like English — only it does so hundreds of thousands of times a second. Nothing leaves your browser; the whole search runs on your own machine.

Why a substitution cipher can be broken

A substitution cipher hides which letter is which, but it cannot hide how often each letter is used. In English, E is far more common than any other letter, followed by T, A, O, I and N, while J, Q, X and Z are rare. Encryption just relabels those frequencies: whatever letter stands in for E will be the most common letter in the ciphertext. That single fact — letter frequencies survive substitution — is the crack in the armour that all of cryptanalysis was built on.

Frequencies alone are not quite enough, because several letters have similar counts and can be swapped by mistake. The deeper signal is in how letters combine. English loves certain patterns — TH, HE, ING, THE, AND — and avoids others almost entirely. A correct decryption is full of those natural patterns; a wrong one is studded with combinations that real English never uses. Measuring that difference is what lets a computer recognise the right answer among countless plausible-looking wrong ones.

Step one: a frequency-matched starting guess

The solver begins by counting how often each letter appears in the ciphertext and lining those counts up against the known frequency order of English. The most common ciphertext letter is guessed to be E, the next T, then A, O, I, N and so on down the list. This is the classic first move every cryptogram solver learns by hand.

That guess is rarely perfect — the rarer letters are especially likely to be misplaced — but it does not need to be. It only has to be close enough to give the search a sensible place to start. From there, the tool refines the alphabet letter by letter until the message snaps into focus.

Step two: simulated annealing finds the key

From the starting guess, the solver repeatedly swaps the plaintext meaning of two letters and asks whether the message now reads more like English. If a swap helps, it is kept. The catch is that always insisting on an immediate improvement gets the search stuck on a near-miss — a local optimum — that no single swap can escape. Substitution solving is the textbook case for a technique called simulated annealing, which fixes exactly this.

Simulated annealing sometimes accepts a swap that makes things momentarily worse, with a probability that starts high and is steadily lowered — as if the search were hot at first and slowly cooled. Early on it roams freely and climbs out of dead ends; later it settles down and polishes the best alphabet it has found. The tool runs this several times from different starting points, finishes each with a strict improve-only pass, and keeps the single best result — which is why it reliably finds answers a plain hill-climb would miss.

How the solver judges English: trigram fitness

Every candidate alphabet is graded by a single number: its trigram fitness. The tool looks at every run of three consecutive letters in the decrypted text and adds up how likely each triple is in real English, using a table of three-letter frequencies built from a large body of English writing. Common triples like THE, AND and ING score well; triples that English never uses score terribly.

Trigrams matter because single-letter frequency is too easy to fool — a wrong key can match the letter counts and still be gibberish. It is far harder to fake a whole page of believable three-letter combinations. By steering every swap toward higher trigram fitness, the search is pulled, swap by swap, toward genuine English. The table is generated from this site's own articles, so nothing is fetched from outside and the tool stays fast and private.

How much text you need, and when it struggles

Cracking a substitution cipher is a statistical job, so it lives or dies on how much text you give it. With roughly a hundred and fifty letters or more of ordinary English, recovery is usually near-perfect. Around eighty to a hundred letters it still works but a rare letter or two — the J, Q, X and Z that barely appear — may be misread, because there simply is not enough evidence to pin them down. Below about fifty letters any solver, human or machine, is largely guessing.

A few other things make a message harder: text that deliberately avoids common letters (like a pangram), writing that is not English, or a cipher that also moves letters around rather than only relabelling them. When the reading comes out almost right, the answer is nearly always more ciphertext, or fixing the one or two stubborn letters by eye. If the text is not a simple substitution at all, the Cipher Identifier can tell you what you are actually looking at.

Substitution ciphers and their cousins

A simple substitution that keeps the word breaks is what cryptogram setters call an Aristocrat; the same cipher with the spaces stripped out is a Patristocrat. Both are monoalphabetic — one fixed alphabet for the whole message — and both fall to the method here. Caesar and Atbash are just special, even simpler substitutions, so this tool cracks them too, though their dedicated pages solve them instantly.

The big step up in difficulty is the polyalphabetic cipher, which changes the alphabet as it goes so that the same letter can stand for several different ones. The Vigenère cipher is the famous example, and frequency analysis on the whole message no longer works against it. If your message resists this solver and the letter frequencies look suspiciously flat, it may be polyalphabetic — reach for the Vigenère Solver instead.

Frequently asked questions

Can you really solve a substitution cipher without the key?
Yes. A substitution cipher hides which letter is which but not how often each is used, and English letter and three-letter-group frequencies are very distinctive. The solver starts from those frequencies and then searches for the alphabet whose decryption reads most like English, recovering both the message and the key with nothing supplied in advance.
What kind of cipher does this solve?
It solves monoalphabetic substitution ciphers — the kind where one fixed scrambled alphabet replaces the letters for the whole message. That covers newspaper cryptograms, Aristocrats and Patristocrats, keyword-alphabet ciphers, and simpler cases like Caesar and Atbash. It does not solve polyalphabetic ciphers such as Vigenère, which change the alphabet as they go.
How does the solver work?
In two stages. First it matches ciphertext letter frequencies to English to make a starting guess. Then it uses simulated annealing — repeatedly swapping two letters and keeping the swaps that make the text more English-like, while occasionally accepting a setback to escape dead ends — scored by how natural the three-letter combinations look. It runs several times and keeps the best result.
Why is trigram scoring used instead of letter frequencies?
Single-letter frequencies can be matched by a key that still produces gibberish, so they are not enough on their own to recognise the right answer. Trigram fitness scores every run of three letters against real English, where THE, AND and ING are common and most triples are vanishingly rare. A wrong key produces unnatural triples and scores badly, which lets the search home in on the genuine reading.
How much text do I need to crack a cryptogram?
Aim for at least a hundred and fifty letters of ordinary English for a near-perfect solve. Around eighty to a hundred letters usually works but may misread a rare letter or two. Below about fifty letters there is rarely enough statistical evidence for any solver to be sure, so expect only a partial reading.
The result is almost right but a few letters are wrong. Why?
Rare letters such as J, Q, X and Z appear so seldom that a short message may not contain enough of them to place them confidently, and two letters with similar frequencies can occasionally be swapped. The fix is usually more ciphertext, or correcting the one or two stray letters by eye once the rest of the message is readable.
Will it solve a cryptogram that keeps the spaces (an Aristocrat)?
Yes. Spaces, digits and punctuation are preserved in the output but ignored during solving, so word breaks neither help nor hinder. Whether your puzzle keeps the spaces (an Aristocrat) or removes them (a Patristocrat), the same frequency-and-trigram method recovers the message.
Is the solver deterministic?
Yes. Although it uses a randomised search, the randomness is driven by a fixed seed, so the same ciphertext always produces the same result. That also means a shared link reproduces exactly the same solve for anyone who opens it.
Does it only work on English?
The built-in frequency and trigram tables describe English, so it is tuned for English plaintext. A message in another language will usually come out as nonsense even when the search succeeds, because it is matching the wrong statistics. For non-English text you would need frequency data for that language.
Is my ciphertext sent to a server?
No. The entire search runs in your browser, so your text is never uploaded, logged or stored. Even the share link keeps your ciphertext in the part of the URL after the hash, which browsers never transmit to a server, so it stays private unless you choose to share it.
What if it isn't a substitution cipher at all?
If the solve comes out as gibberish and the letter frequencies look unusually flat, the message may be polyalphabetic, transposition-based, or something else entirely. Run the Cipher Identifier to find out what you are dealing with, then use the matching tool — for example the Vigenère Solver for a repeating-key cipher.

Related tools

Keep going with these handy tools

Cipher Identifier

Frequency Analysis

Unix Timestamp Converter

JSON to CSV Converter

CSV to JSON Converter

JSON to YAML Converter