# The Crypto Hunt

How do you wrap up a first-year seminar on the history and mathematics of cryptography? Okay, you have your students write ten-page research papers. But how else might you wrap up a course like this? With a cryptography-based scavenger hunt all around campus, of course!

I can’t take credit for the idea to send my students on a crypto hunt. When I taught a version of this course for MLAS students during the summer of 2009, I contacted Ravenchase Adventures, a company that puts together adventure games and treasure hunts for businesses, non-profits, and other groups. I had participated in a couple of their public “hunts” here in Nashville (and even won one of them!), and I knew that they often used codes and ciphers in their adventures. I got in touch with Joshua Wolak, Ravenchase’s Southeast Regional Director and invited him to come talk to my students about the ways he uses cryptography in his line of work. Josh, however, volunteered to put together a cryptography-based hunt for my students instead! So on the last day of class, my students spent the evening running all over campus following Josh’s clues. It was a ton of fun and a great way to wrap up the course.

This fall I taught the course again, this time as writing seminar for first-year undergraduates. I wanted to send them on a crypto hunt, too, but instead of asking Josh to volunteer his services again, I figured I could put something together myself. I used the structure of Josh’s hunt as a template for mine, but I made up all my own clues. Here’s how it worked:

- I polled the student about their availability outside of class in early December. I figured the hunt might take 2-3 hours, and my class only meets for 75 minutes. We settled on the afternoon of Saturday, December 4th.
- The students worked in teams of three. Well, that was the plan, at least. One student arrived to the hunt late, so he was on his own. Another was sick and couldn’t make it. That meant we had three teams of three, one team of four, and one guy by himself.
- Each team was given a set of five clues along with a “final cipher.” Each of the five clues led (eventually) to a word or phrase the students would enter in numbered boxes at the bottom of the page. The “final cipher” required students to put these answers together and decipher them, leading them to the finish line for the hunt where I would be waiting to check the teams in. (This was the basic structure of the Ravenchase hunt.)
- The first place team would receive bonus points on a recent problem set as well as some fun prizes. Bonus points were also on the line for the second and third place teams. Teams had to stick together; splitting one’s team up in three directions to handle the clues in parallel wasn’t allowed.
- Some clues were written in plaintext, others in ciphertext that had to be cracked. All clues led students somewhere: three of them to a specific location on campus (particular classroom buildings, the bookstore), one of them to a particular Twitter account, and one of them to the crossword puzzle in the student newspaper. At the two classroom buildings, I had posted QR codes (like the one seen above) that students scanned with their smart phones, leading them to websites with additional information or ciphers. At the bookstore, students were instructed to find a particular phrase on a particular page of a particular book. And the crossword puzzle in the student newspaper provided a key needed to decipher the message for that clue. (While the Ravenchase hunt had similar kinds of clues, it didn’t involve going online to access Twitter or QR codes, nor did it involve a crossword puzzle. I’m proud of those little touches!)
- Each team had to have a smartphone, too, with a QR scanner installed. I had polled my students earlier in the semester and found out that 60% of them had smartphones, and I told them ahead of time to bring them, so this wasn’t a problem. Each team also needed a copy of our textbook, Simon Singh’s
*The Code Book*. No other aids were allowed, except that teams could call or text me for a hint during the hunt. (Yes, I gave my students my cell number. No, they haven’t bothered me since the hunt.) Each hint came with a price, however: a 15-minute time penalty. - Students were also allowed to call or text me if they thought there was a problem with the hunt, such as discovering that one of the clues I had planted was missing. There was no time penalty for checking on something like this.
- The final cipher was a little tricky. The students had to take the letters in the answers to the five earlier clues and place them in a grid according to their numbers. This would reveal their final clue. I knew that students would likely be able to figure out this final clue without solving all five earlier clues if the final clue were written in plaintext, so I enciphered it. This meant that students pretty much had to finish all five earlier clues to get started on the final one. The final clue, once deciphered, led students to a particular plaque on campus they used as the key to a book cipher. That book cipher, in turn, led students to the finish line.

How did the crypto hunt turn out? Well, the first team finished in 1 hour 23 minutes, without asking for a single hint. It was the four-person team, however, and I think having an extra person helped a bit. There were a couple of clues that gave the other teams lots of trouble, and I suspect four heads was better than three for cracking these clues. The team came sprinting into the finish line, however, so I have to give them props for enthusiasm!

The second-place team finished about 40 minutes later. They, like the following teams, got tripped up with a tough anagram. Here’s the clue for that one:

Your next clue is found online in a tweet.

Two others hold the key. Isn’t that sweet?

Head for Twitter.com and use the name

Ciphered below. Anagram is the game!

Since transpositions stump most of you folks

Here’s a hint: This miner might be a hoax.

AMHAJEBOTLES

I knew that transposition ciphers (anagrams) are among the toughest ciphers to crack since trial and error is the only way to tackle them. But I figured the bit in the poem about a miner who might be a hoax would remind students of the Beale Ciphers we studied earlier in the semester, which are said to have been created by a gold miner to protect his treasure. Extracting the letters B-E-A-L-E from the anagram leaves a more manageable set of letters to unscramble, leading to the Twitter account @ThomasJBeale. However, I didn’t count on two problems: (1) If you Google “miner” and “hoax,” you get a lot of websites claiming that the recent Chilean mine cave-in and rescue was a hoax, and (2) the J in the anagram makes it tempting to think that the person’s name starts with J, like Joseph or James. Both of these led a lot of teams astray. I think I ended up giving out hints to two of the teams on this one!

Another team gave up a little bit later. They had already received two hints for a 30 minute time penalty and they ran out of steam on the final cipher. It’s too bad, because when they packed it in, there was still two other teams out there, counting the solo hunter. The solo hunter eventually gave up, too. Not having a smart phone or a copy of our textbook had slowed him down considerably! The third-place team ended up checking in about 30 minutes after the second-place team. All of the students seemed to have a good time, and some of them were quite clearly having a great time. I was busy tweeting during the hunt while I waited for teams to check in. I’m glad I was careful what I tweeted, however, because I found out later that one of my students was checking my Twitter page for hints!

One tip for anyone interested in putting something similar together: I found it very helpful to wander around campus with my cell phone a few days before the hunt, taking photos of anything I thought I could use in the hunt. This let me spend all my time writing clues and ciphers in the comfort of my home, instead of outside in the late November cold! And since I didn’t use all the campus locations I photographed, I already have a start on next year’s crypto hunt!

Speaking of next year, a couple of ideas have occurred to me this fall about different approaches to the crypto hunt. One idea that was suggested to me at the POD Network conference (by a colleague whose name escapes me) is to have the students design all or parts of the crypto hunt, maybe with teams challenging each other to complete their hunts. Another idea is to move from a done-in-a-single-afternoon format to a full-on alternate reality game that lasts throughout the semester. My use of Twitter and QR codes in this hunt make me think that maybe I could pull such a thing off. Just imagine embedding the first couple of clues in the syllabus on the first day of class…

I’m also curious: Any ideas for using this kind of activity in courses that don’t focus on cryptography?