Abstract
In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a historically plausible cipher that can replicate the manuscript’s unusual properties. The resulting cipher—a verbose homophonic substitution cipher I call the Naibbe cipher—can be done entirely by hand with 15th-century materials, and when it encrypts a wide range of Latin and Italian plaintexts, the resulting ciphertexts remain fully decipherable and also reliably reproduce many key statistical properties of the Voynich Manuscript at once. My results suggest that the so-called “ciphertext hypothesis” for the Voynich Manuscript remains viable, while also placing constraints on plausible substitution cipher structures.
1. Introduction
Often called “the most mysterious manuscript in the world,” the Voynich Manuscript—MS 408 at Yale University’s Beinecke Library, VMS hereafter—has eluded researchers’ attempts to understand its origin, nature, and purpose for centuries (Brumbaugh 1978; D’Imperio 1978; Davis 2020a; Friedman and Friedman 1959; Manly 1921; Newbold 1928; Tiltman 1967; Zandbergen 2016; 2022). The apparent text of the VMS consists of a strange collection of “Voynichese” glyphs, strung together in bizarre-looking, unreadable words that surround otherworldly illustrations (Clemens 2016; Davis 2022). Perhaps deepening its mystery, the manuscript is extremely well characterized in many respects. Radiocarbon dating confirms that the VMS’s parchment was made in the early fifteenth century (1404–1438), and in its construction and illustrated content, the VMS resembles books made during the early 1400s in central Europe, especially those from the region around the Alps (Clemens 2016; Zyats et al. 2016).
Three main schools of thought have emerged on the nature of the VMS: (i) that it is meaningless gibberish perhaps created as glossolalia or as a means of running a medieval scam (Gaskell and Bowern 2022; Rugg 2004; Rugg and Taylor 2017; Schinner 2007; Timm and Schinner 2020, 2024); (ii) that it represents an early artificial language, or perhaps the written form of an obscure or previously unknown natural language (Bax 2014; Bowern and Lindemann 2021; Cheshire 2019; Friedman and Friedman 1959); or (iii) that it represents a ciphertext of a well-known natural language such as Latin, Italian, or German (Bowern and Gaskell 2022; Bowern and Lindemann 2021; D’Imperio 1978; Dunin and Schmeh 2022; Hermes 2022).
The ciphertext hypothesis is appealing because it offers a way to reconcile the VMS’s unusual properties with languages known to have been used within 15th-century European manuscripts, while also allowing aspects of the VMS’s linguistic structure to fall in line with natural languages, such as higher-order groupings consistent with topic-based subsections (Amancio et al. 2013; Layfield et al. 2020; Montemurro and Zanette 2013; Reddy and Knight 2011; Sterneck, Polish, and Bowern 2021). Paleographic analysis has also identified five scribes’ hands within the VMS, suggestive of it being made by a community using a set of shared procedures (Davis 2020b; 2022). Even so, scholars have struggled to reconcile the VMS’s properties with the ciphers known from or conceivably doable in 15th-century Europe (Bowern and Lindemann 2021; Sherman 2016; Zandbergen 2019). In addition, intuitively written gibberish and meaningless text generated by Cardan grilles and “self-citation” algorithms have been shown to replicate some VMS properties (Gaskell and Bowern 2022; Rugg 2004; Rugg and Taylor 2017; Timm and Schinner 2020).
Against this backdrop, finding substitution ciphers whose ciphertexts reliably mimic the VMS could help researchers test the VMS’s compatibility with being a ciphertext. Whether the VMS represents a ciphertext, gibberish, or the written form of a highly unusual natural language, one thing is certain: The text was generated somehow, and it would be more probable for us to see the VMS with the properties it has if the underlying text generation process often generated VMS-like text. Is it possible to make a substitution cipher—the most advanced type of cipher available in early 15th-century Europe—that can often create VMS-like ciphertext?
For any such cipher to merit fuller analysis, it must: (a) replicate many well-known VMS statistical properties; (b) consistently replicate these properties when encrypting a wide range of plaintexts in a well-characterized natural language; (c) be executable by hand with materials available in or around the Alpine region during the early fifteenth century, the single likeliest place and time of the VMS’s construction (Zandbergen 2022); (d) reliably yield minimally ambiguous decryptions, to maximize the utility and minimize the potential harm of using the ciphertext as a medical reference (Brewer and Lewis 2024; Skinner 2017); and (e) encrypt and preserve the full sequence of plaintext letters in their original order, contra Reddy and Knight (2011) and Hauer and Kondrak (2016).
In this work, I describe what I call the Naibbe cipher, which meets all the above conditions and reliably encrypts Latin and Italian texts as decipherable ciphertexts that replicate many VMS properties at once. Section 2 describes the structure of the Naibbe cipher, Section 3 describes the many VMS-like properties of Naibbe ciphertexts, and Section 4 discusses the cipher’s current limitations.
2. Structure of the Naibbe cipher
Named after a late 14th-century Italian word for a card game (Pratesi 1987; Wintle 1996a), the Naibbe cipher is a verbose homophonic substitution cipher that maps individual letters in a Latin or Italian plaintext onto multiple distinct strings of Voynichese glyphs, all of which obey an expanded version of the slot grammar described in Zattera (2022). The cipher is designed to recoverably encrypt Latin and Italian plaintexts while reproducing as many features as possible of the VMS. I will be using the Extensible Voynich Alphabet (EVA; Zandbergen 2025) to map Voynichese glyphs to the Latin alphabet, denoting Voynichese with italics and angled brackets using the convention of Timm and Schinner (2020). A summary of the EVA mapping is provided in Figure 1.
Figure 1. The Extensible Voynich Alphabet (EVA) used throughout this paper to transliterate Voynichese using the Latin alphabet.
2.1. Preparation of the plaintext
A Latin or Italian plaintext is stripped of casing, Arabic numerals, diacritics, punctuation, and the original spacing. It is then respaced so that the plaintext consists of roughly 50% unigrams (one letter) and 50% bigrams (two letters). This can be done intuitively, but for ease of reproducibility, I present manual respacing schemes below that use dice rolls to randomly split the text into unigrams and bigrams:
2.1.1. Simplified respacing
I start at the beginning of the plaintext and roll a standard six-sided die. If the die is odd (1, 3, or 5), I put a space one letter after a plaintext letter; if even (2, 4, 6), I put a space two letters after it. This yields a 50–50 split between unigrams and bigrams. One could also flip a coin, but I find that rolling a six-sided die onto a table or into a small container is faster and more reliable, as one does not have to keep catching the coin.
2.1.2. Standard respacing
I start at the beginning of the plaintext and roll two standard six-sided dice. If the leftmost die from my point of view is odd (1, 3, or 5), I put a space one letter after a plaintext letter; if even (2, 4, 6), I put a space two letters after it. If I happen to roll “snake eyes” (two 1s), however, I put a space two letters after the letter. I then proceed with respacing the plaintext, which yields a 47.2%–52.8% split between unigrams and bigrams. A slight bigram excess mildly improves the cipher’s ability to mimic the VMS’s observed most common words measure (Supplementary Material 1).
2.2. Tables
After respacing, every plaintext letter is in one of three different states: a unigram; first in a bigram; or second in a bigram. To encrypt a given letter in each state, one of six previously prepared tables (combined here as Tables 1–3) is chosen through a procedure described in Section 2.3. Each table consists of four columns, with one column listing the plaintext’s alphabet letters and three additional columns dictating how a given plaintext letter in each state is encrypted:
Table 1. The primary table α and the secondary table β1.
Table 2. The secondary tables β2 and β3.
Table 3. The tertiary tables γ1 and γ2.
If the letter is a unigram, it is replaced with an entire Voynichese word.
If the letter comes first in a bigram, it is replaced with a Voynichese prefix.
If the letter comes second in a bigram, it is replaced with a Voynichese suffix.
The idea is to encode plaintext n-grams as words within the artificial language of Voynichese, with plaintext bigrams represented as word types that will rarely match the specific word types that encode plaintext unigrams. The tables are also designed to simplify decryption by making it easy to determine where a bigram prefix ends and a bigram suffix begins, as described in Section 2.5. The VMS-like behavior of verbose ciphers resembling artificial languages has been reported before (Hermes 2022; Zandbergen 2021a). The Naibbe cipher expands on this idea significantly.
The Naibbe tables’ unigram word types were populated manually, while their bigram prefixes and suffixes came from parsing the word types within the Voynich A and Voynich B portions of the VMS’s VT transliteration (Zandbergen 2025) into the minimum number of affixes generated by this paper’s word grammar, described in Section 2.5. I then delimited to the non-unigram word types within Voynich A and B that could be made with only one or two affixes; the 138 commonest first affixes within Voynich B word types serve as prefix assignments, while the 138 commonest second affixes serve as suffix assignments. I then performed several encryptions of Italian and Latin plaintexts using placeholder codes and then rank-matched the VMS affixes to the prefix and suffix codes within these placeholder encryptions.
While the tables’ Voynichese glyph string assignments are fine-tuned so that the resulting ciphertext mimics Voynich B under random respacing, I populated these tables only after setting the structure of the cipher, which was derived from both a study of randomly generated substitution ciphers that obey the VMS’s observed word grammar (Supplementary Material 2) and a glyph-agnostic analysis of the frequency-rank distribution of Voynich B’s commonest word types (Supplementary Material 3). Populating the tables using a non-VMS word grammar that was similarly rigid in its glyph sequencing would also yield ciphertexts with VMS-like properties.
2.3. Table selection via playing cards
On average, the six tables described in Section 2.2 are chosen in roughly 5:2:2:2:1:1 ratios. That is, the average letter-by-letter probabilities of using each of the six tables are approximately 5/13, 2/13, 2/13, 2/13, 1/13, and 1/13, respectively. These proportions were determined by fitting a model of a substitution cipher to the proportional frequency-rank distribution of word types within Voynich B (Supplementary Material 3). To select tables, a scribe chooses which table will encrypt a given plaintext letter by drawing a card from a deck of 52 or 78 playing cards. A mapping between specific tables and specific playing cards determines which table is applied (Table 4). Once used to select a table, a card is discarded, and another card is drawn to determine which table encrypts the next plaintext letter. When the deck is dealt out, the cards are shuffled and reset to continue encryption.
Table 4. Card-table mappings used in the Naibbe cipher variants described in this paper.
Any random or even nonrandom source that can yield these approximate ratios on average would suffice, such as a ruleset that maps tables to alphabet letters and then uses the letter sequence in one line of plaintext to determine the table sequence that encrypts another line of plaintext. Playing cards, previously noted for their usefulness in analog keystream generation (Schneier 1999), are especially convenient. Because the ratios add up to 13, they can be achieved with a table selection procedure in which items of six identifiable subtypes that stand for individual tables are chosen from a pool of items totaling to a multiple of 13. Decks of 52 (13 × 4) and 78 (13 × 6) cards fit the bill.
Playing cards are also historically plausible, having been introduced to Europe in the late fourteenth century via trade with the Mamluk Sultanate (Dummett and Abu-Deeb 1973; Mayer 1939; Pratesi 1987; Wintle 1996a; 1996b). Decks of 52 and 78 playing cards are known from 15th-century Europe, and confirmed records of playing cards within Italy date back to 1377, in the form of a Florentine prohibition on the foreign card game naibbe, a term likely derived from Arabic (Dann 2022; Husband 2016; Metropolitan Museum of Art 1983; Pratesi 1987; Wintle 1996a). Playing cards are also known from around the Alpine region specifically: Venice built up such a robust card-making industry during the early fifteenth century that by 1441, Venetian artisans were already lamenting the industry’s decline (Ottley 1816; Singer 1816; Wintle 2017).
I have designed two variants of the Naibbe cipher. One uses the 78-card tarocchi (tarot) deck, which was created in 15th-century Italy to play trick-taking card games. The other variant uses a standard 52-card deck, whose basic design was established in the Mamluk Sultanate. In both cases, I refer to the most selected table as the primary table (abbreviated as α), the three next commonest tables as secondary tables (β1, β2, and β3), and the two least chosen tables as tertiary tables (γ1 and γ2). The card-table mappings used in this paper are given in Table 4.
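The standard respacing of Section 2.1.2 and the card-driven table selection of this section can be simulated together. The Python sketch below is an added example, not code from the article; its rank-to-table mapping is an assumption in which only Ace → α, 7 → β1 and 10 → β3 follow the worked example in Section 2.4, and the seed is constructed.

```python
import random
from collections import Counter
from fractions import Fraction

# Hypothetical rank -> table mapping for the 52-card variant. Only Ace -> alpha,
# 7 -> beta1 and 10 -> beta3 are taken from the article's worked example; the
# remaining ranks are assumptions chosen to give 5:2:2:2:1:1 ranks per table.
RANK_TO_TABLE = {
    "A": "alpha", "2": "alpha", "3": "alpha", "4": "alpha", "5": "alpha",
    "6": "beta1", "7": "beta1",
    "8": "beta2", "9": "beta2",
    "10": "beta3", "J": "beta3",
    "Q": "gamma1",
    "K": "gamma2",
}
SUITS = ("clubs", "diamonds", "hearts", "spades")


def p_unigram_standard():
    """Exact unigram probability for standard respacing (two dice).

    A unigram is cut when the left die is odd, except on snake eyes (1, 1).
    """
    hits = sum(
        1
        for left in range(1, 7)
        for right in range(1, 7)
        if left % 2 == 1 and (left, right) != (1, 1)
    )
    return Fraction(hits, 36)


def respace(letters, rng):
    """Split an already cleaned plaintext into unigrams and bigrams."""
    ngrams, i = [], 0
    while i < len(letters):
        left, right = rng.randint(1, 6), rng.randint(1, 6)
        size = 1 if (left % 2 == 1 and (left, right) != (1, 1)) else 2
        ngrams.append(letters[i:i + size])  # a short tail becomes a unigram
        i += size
    return ngrams


class TableDeck:
    """Draw cards without replacement; reshuffle once the deck is dealt out."""

    def __init__(self, rng):
        self.rng = rng
        self.cards = []

    def draw(self):
        if not self.cards:
            self.cards = [(rank, suit) for rank in RANK_TO_TABLE for suit in SUITS]
            self.rng.shuffle(self.cards)
        rank, _suit = self.cards.pop()
        return RANK_TO_TABLE[rank]


def assign_tables(ngrams, deck):
    """One card per plaintext letter: returns (letter, state, table) triples."""
    plan = []
    for ngram in ngrams:
        states = ("unigram",) if len(ngram) == 1 else ("prefix", "suffix")
        for letter, state in zip(ngram, states):
            plan.append((letter, state, deck.draw()))
    return plan


def counts_for_one_deck_pass(seed=0):
    """Table usage over exactly one pass through a freshly shuffled deck."""
    deck = TableDeck(random.Random(seed))
    return Counter(deck.draw() for _ in range(52))


if __name__ == "__main__":
    rng = random.Random(1404)  # constructed seed, for repeatability only
    ngrams = respace("ARMAVIRUMQUECANO", rng)
    print(" ".join(ngrams))
    for letter, state, table in assign_tables(ngrams, TableDeck(rng)):
        print(letter, state, table)
    print(p_unigram_standard(), dict(counts_for_one_deck_pass()))
```

Because each card is discarded after use, one full pass through this 52-card deck selects the tables exactly 20, 8, 8, 8, 4 and 4 times, not merely in those proportions on average.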
2.4. Example encryption
To encrypt “Arma virumque cano,” the first three words of Virgil’s Aeneid (Greenough 2025), using the 52-card variant of the Naibbe cipher, we remove the original spacing and then respace the plaintext into roughly 50–50 unigrams and bigrams: AR M AV I R UM QU E CA N O
The first plaintext letter is an A that is the first letter in a bigram, so we will encrypt that A as a Voynichese prefix. To determine which prefix we will use, we draw a card from a deck of cards and then use that card’s identity to determine which one of our six tables—α, β1, β2, β3, γ1, and γ2—will encrypt our letter. We draw a 7, so we consult β1 (Table 1) and look up its prefix option for the letter A, which is <yt>. We write down <yt>, with the ellipsis here denoting an incompletely encrypted bigram: <yt…>
The next plaintext letter is an R that ends a bigram. We draw a 10 from our deck of cards, so we consult the corresponding table β3 (Table 2) and look up the listed suffix option for the letter R, which is <eeor>. We then write the suffix <eeor> right next to the prefix <yt> to create the seamless word <yteeor>:
<yteeor>
The next letter in our plaintext is a unigram M. In response to drawing an Ace, we consult the corresponding table α (Table 1) and copy down its listed unigram option for M, <qokar>, as the next ciphertext token: <yteeor> <qokar>
Further letter-by-letter encryption yields the following ciphertext, here paired with the matching plaintext n-gram sequence:
<yteeor> <qokar> <chckhsy> <otedy> <okeedy> <pdor> <ofeedain> <lchedy> <qofched> <daiin> <y>
AR M AV I R UM QU E CA N O
Different card drawing sequences lead to different table selection sequences—and, thus, to different ways of encrypting the same plaintext. The Naibbe cipher’s ability to disguise a given plaintext bigram in one of 36 (6 × 6) ways through letter-by-letter table selection is a major strength, as it provides an efficient means of generating thousands of unique, readily decipherable ciphertext word types—often 4,500 or more from a 32,000-letter plaintext—while also complicating traditional frequency analysis.
2.5. Decrypting Naibbe ciphertexts
To decrypt a Naibbe ciphertext, a scribe first identifies all ciphertext word types that can encrypt plaintext unigrams and decrypts them as such. These assignments are often correct because the unigram version of the word is usually formed much more often than the bigram equivalent. If a given token does not match a unigram word type, it is treated as a bigram by default. Bigrams are parsed into their constituent prefixes and suffixes, with each affix then decrypted as a plaintext letter.
Bigrams are easily parsed because within the Naibbe cipher, prefixes and suffixes are generated by an expanded version of the Zattera (2022) Voynichese slot grammar. All prefixes or suffixes are glyph strings that can be made with either a modified version of Zattera’s slots 0–5 or a modified version of Zattera’s slots 6–11, going left to right using 0 or 1 glyphs per slot with no backtracking (Tables 5 and 6). I consider strings generated by my grammar’s slots 0–5 in accordance with these rules to be type-1 affixes, while similarly generated strings using slots 6–12 are type-2 affixes. Most bigram prefixes are type-1 affixes, while most bigram suffixes are type-2 affixes.
Table 5. The slot grammar that generates the Naibbe cipher’s type-1 affixes.
Table 6. The slot grammar that generates the Naibbe cipher’s type-2 affixes.
The Naibbe word grammar ensures that type-1 affixes and type-2 affixes each contain collections of glyphs that are unique to a given affix type, which provides the reader with an easy way to determine the breakpoint between a bigram word type’s prefix and suffix. Type-1 affixes exclusively contain the Voynichese glyphs <ch>, <sh>, <cfh>, <ckh>, <cph>, <cth>, <f>, <k>, <p>, <t>, and <x>. Within a bigram word type, the rightmost occurrence of one of these glyphs and all the glyphs to the left of it form the prefix. Similarly, type-2 affixes exclusively contain the Voynichese glyphs <a>, <e>, <g>, <m>, and <n>. Within a bigram word type, the leftmost occurrence of one of these glyphs and all the glyphs to the right of it form the suffix.
If these glyphs happen to be absent from a given bigram word type, the scribe refers to the grammar in Tables 5 and 6. From the beginning of the word, the reader can almost always parse the prefix by generating the longest continuous type-1 or type-2 affix. In experimental decipherment sessions, I reference decoding tables (Tables 7–9) that list out unigram word types, bigram prefixes, and bigram suffixes in Voynichese alphabetical order (per EVA), alongside their plaintext letter assignments.
Table 7. The unigram decoding table.
Table 8. The prefix decoding table.
Table 9. The suffix decoding table.
2.6. Example decryption
We are presented with the following Naibbe ciphertext: <chey> <qokain> <shedy> <daledam> <kchaim> <qokal> <chedy> <ofchod> <cheedy> <fcheedar>
First, we check the decoding tables (Tables 7–9) to see whether <chey> is a valid word type for a unigram. It is, and the decoding table says that <chey> corresponds with a plaintext C. The next two words, <qokain> and <shedy>, also match unigram word types and stand for U and I, respectively, so we decrypt them as such:
<chey> <qokain> <shedy> <daledam> <kchaim> <qokal> <chedy> <ofchod> <cheedy> <fcheedar>
C U I
The next word, <daledam>, does not match any unigram word type, so it must encrypt a bigram. Based on the Naibbe grammar (Tables 5 and 6), the <e> glyph must denote the start of the suffix, so the prefix is <dal>, which stands for D (Table 8), and the suffix is <edam>, which stands for O (Table 9). So we decrypt <daledam> as DO:
<chey> <qokain> <shedy> <daledam> <kchaim> <qokal> <chedy> <ofchod> <cheedy> <fcheedar>
C U I DO
As we proceed through the ciphertext, first checking for possible unigrams and then parsing bigrams for prefix-suffix breakpoints, we get the following translation:
<chey> <qokain> <shedy> <daledam> <kchaim> <qokal> <chedy> <ofchod> <cheedy> <fcheedar>
C U I DO NO L E PI D UM
Which can be read as “Cui dono lepidum,” the beginning of Carmina by Catullus (Merrill 2025).
2.7. Minimizing ambiguities during encryption and decryption
It is possible to create bigram tokens that match unigram word types, a source of ambiguity in the cipher’s construction. But by design, it is more probable to create the unigram version of a given word type than the bigram version of it. A scribe also can and should eliminate ambiguity at the encryption stage. If we happen to encrypt a plaintext bigram as a word type reserved for unigram use, we can re-encrypt the bigram (by redrawing cards) so that it no longer matches a unigram word type.
To allow for this flexibility—and to permit easier decryptions down the line—I recommend performing an initial encryption on scratch paper, checking for ambiguous ciphertext tokens, and then re-encrypting any ambiguous tokens before copying down the final ciphertext onto the page. This procedure has the added benefit of giving the scribe fresh practice at writing down the ciphertext tokens, making it easier to smoothly write at the small sizes observed in the VMS. Restricting ourselves to only 15th-century materials, an initial encryption could be done on either paper or a wax tablet, a common and reusable drafting surface (Rouse and Rouse 1989; Toruń 2025).
If ambiguities still make their way into the ciphertext, such as through accidental ambiguity among encrypted bigrams, it is always possible to use the decoding tables to list out all plaintext bigrams that could generate the token in question and then test which decryption makes the most sense in context.
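The unigram-first decryption of Section 2.5 and the draft check recommended in this section can be expressed as table lookups. The Python sketch below is an added example, not code from the article; the decoding entries marked "article" are read off the worked examples in Sections 2.4 and 2.6, while those marked "constructed" are invented here to force ambiguities and are not taken from the Naibbe tables.

```python
import re

# Decoding entries. "article" entries come from the article's worked examples;
# "constructed" entries are made up for this example and are NOT Naibbe table
# contents. They exist only to create the two kinds of ambiguity discussed.
UNIGRAMS = {"chey": "C", "qokain": "U", "shedy": "I", "qokar": "M"}  # article
PREFIXES = {
    "dal": "D", "yt": "A",              # article
    "qok": "T", "ok": "L", "oke": "N",  # constructed
}
SUFFIXES = {
    "edam": "O", "eeor": "R",           # article
    "ain": "A", "edy": "E", "dy": "I",  # constructed
}


def tokenize(ciphertext):
    """Extract EVA tokens from '<chey> <qokain>' or '<chey><qokain>' notation."""
    return re.findall(r"<([^<>]+)>", ciphertext)


def bigram_readings(token):
    """Every prefix|suffix split whose halves are both decoding-table entries."""
    return [
        PREFIXES[token[:i]] + SUFFIXES[token[i:]]
        for i in range(1, len(token))
        if token[:i] in PREFIXES and token[i:] in SUFFIXES
    ]


def reader_view(token):
    """What a reader recovers: unigram first, otherwise all bigram readings.

    One element means an unambiguous reading, several mean the reader must
    pick by context, and an empty list means the token is not decodable.
    """
    if token in UNIGRAMS:
        return [UNIGRAMS[token]]
    return bigram_readings(token)


def decrypt(ciphertext):
    """Reader's view of every token in the ciphertext, in order."""
    return [reader_view(token) for token in tokenize(ciphertext)]


def audit_draft(draft):
    """Indices of draft tokens the scribe should re-encrypt.

    draft is a list of (intended plaintext n-gram, ciphertext token) pairs.
    A token is flagged when the reader would not recover exactly the intended
    n-gram: a bigram that collides with a unigram word type, or a bigram with
    more than one valid prefix|suffix split.
    """
    return [
        index
        for index, (ngram, token) in enumerate(draft)
        if reader_view(token) != [ngram]
    ]


if __name__ == "__main__":
    print(decrypt("<chey> <qokain> <shedy> <daledam>"))
    # Constructed draft: token 1 collides with the unigram for U, token 3 has
    # two valid splits (ok|edy and oke|dy).
    draft = [("C", "chey"), ("TA", "qokain"), ("DO", "daledam"), ("LE", "okedy")]
    print(audit_draft(draft))
```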
3. Properties of Naibbe ciphertexts
The Naibbe cipher delivers exceptional performance at replicating many VMS properties at once when encrypting a wide range of Latin and Italian plaintexts. Unless stated otherwise, summary statistics provided here will be ±1σ for 20 combined ∼20,000-token runs—10 runs with the 52-card variant, and 10 runs with the 78-card variant—that each encrypt a 32,000-letter combination of the first 8,000 letters of the four following texts: Dante’s Divina Commedia (Project Gutenberg 1997); Book 16 of Pliny’s Natural History (Thayer 2025); Grosseteste’s De sphaera (King 2008); and a 14th-century Latin “alchemical herbal” (Ponzi 2023). All runs use standard plaintext respacing (47.2% unigrams, 52.8% bigrams).
3.1. VMS word grammar, glyph and glyph pair frequencies, and entropy
Most Naibbe word types obey the Zattera (2022) slot grammar, and those that do not incorporate the rare VMS glyphs <g> and <x>, which Zattera (2022) excludes. On average, 69 ± 1% of tokens and 29 ± 1% of word types within 20,000-token-long Naibbe ciphertexts exist within the VMS, when comparing against Voynich A and Voynich B word types within the VMS’s VT Takahashi transliteration (Zandbergen 2025). Naibbe ciphertexts also nearly replicate the observed glyph and glyph pair frequencies within Voynich B (Figure 2).
Figure 2. (a) Naibbe ciphertexts replicate the VMS’s frequencies of individual Voynichese glyphs, as evinced by the correspondence between glyph frequencies in Voynich B and those in a representative ∼20,000-token, 78-card Naibbe ciphertext of the Latin “alchemical herbal” (Ponzi 2023). (b) The in-token glyph pair frequencies (as defined using EVA) within the word types of a ∼20,000-token, 78-card Naibbe ciphertext of this study’s four-part sample plaintext. (c) The in-token glyph pair frequencies in Voynich B, also calculated using EVA. The VMS glyphs <j>, <v>, <u>, and <z> are absent from Naibbe ciphertexts and are therefore excluded here. Naibbe ciphertexts largely reproduce the over- and under-production of glyph pairs observed within Voynich B.
In addition, when using the EVA transliteration alphabet, Naibbe ciphertexts consistently achieve character entropies of 3.86 ± 0.01 and conditional character entropies of 2.00 ± 0.01 at the token level, replicating the VMS’s values as reported by Zandbergen (2024b), Bowern and Lindemann (2021), and Lindemann and Bowern (2021) (Figure 3a). When using the Cuva transliteration alphabet (Zandbergen 2021b), Naibbe ciphertexts achieve character entropies of 3.92 ± 0.01 and conditional character entropies of 2.32 ± 0.01 at the token level, consistent with the Cuva equivalents for Voynich B (character entropy, 3.90; conditional character entropy, 2.25).
Figure 3. (a) After Zandbergen (2024b), character entropy and conditional character entropy, as measured for Latin, Italian, German, and the VMS. Naibbe ciphertexts nearly replicate Voynich B’s token-level character entropy and conditional character entropy, as calculated using the EVA and Cuva transliteration alphabets. Naibbe ciphertexts’ average token length distribution (b) and word type length distribution (c) are quasi-binomial and centered on lengths of 5–6, when calculated following Stolfi (2000), strongly resembling the VMS’s equivalent distributions.
3.2. Token length distribution and word type length distribution
Naibbe ciphertexts’ token and word type length distributions are quasi-binomial and centered on lengths of 5–6 Voynichese glyphs when calculated after Stolfi (2000), replicating the VMS’s token and type length distributions (Figure 3b, c). Naibbe ciphertexts’ average word type length distribution is virtually identical to the one reported by Stolfi (2000) for the VMS.
The Naibbe cipher’s derivation began from a desire to develop a VMS-mimic cipher that reliably replicated the VMS’s token length distribution. As seen in Supplementary Material 2, , this distribution can be approximated by a toy-model cipher with the following properties:
1. The plaintext is respaced entirely into orthographic bigrams.
2. Each plaintext letter has four “prefix” substitution options (used if first in the bigram) and four “suffix” options (used if second in the bigram).
3. The four options for a given plaintext letter in each position are one, two, three, or four glyphs long.
4. The substitution options that are two or three glyphs long are each applied 2–3 times more often than options that are one or four glyphs long.
In effect, if we standardize the length of plaintext n-grams, we can offload the distributions of token and type lengths to our choice of cipher.
To more fully replicate the observed distribution of VMS token lengths, we can modify the toy model to produce unigrams (lengths 1–4), bigrams (lengths 2–8), and trigrams (lengths 3–12) during plaintext respacing. This setup yields a tool I call Voynichesque, which randomly generates three cipher alphabets based on the Zattera (2022) slot grammar and then uses them to encrypt a plaintext randomly respaced into manually set proportions of unigrams, bigrams, and trigrams.
Voynichesque—described more fully in Supplementary Material 2—addresses a major problem with studying the VMS: namely, that because the VMS is a singular artifact, we have a sample size of one. By randomly generating both VMS-mimic ciphers and plaintext respacings in a tunable way, Voynichesque permits the study of the population-level behavior of VMS-mimic ciphers while holding the plaintext constant, to examine how distributions of ciphertext-level metrics respond to changes to Voynichesque’s input parameters. We are looking for conditions in which it becomes more probable for Voynichesque to replicate the VMS’s key properties.
An analysis of 500 total runs of Voynichesque and 500 randomly generated VMS-mimic cipher variants, totaling 5 million tokens of ciphertext, shows that Voynichesque variants can reliably replicate the VMS’s observed character entropy and conditional character entropy if a plaintext letter is often represented by a grammar-valid string of 2–3 Voynichese glyphs (Supplementary Material 2, ). Voynichesque ciphertexts also suggest that it would be improbable for such a substitution cipher to also replicate the VMS’s token and word type length distributions, unless the cipher acted on a plaintext broken up into almost entirely unigrams and bigrams.
Voynichesque favors a unigram-bigram plaintext because if a plaintext letter is often represented by a string of 2–3 Voynichese glyphs, then it becomes probable to encrypt plaintext trigrams as Voynichese glyph strings more than seven glyphs long. However, if trigram frequencies exceed ∼3% under these conditions, then the cipher overproduces long word types relative to what is observed in the VMS. This tension increases as the trigram frequency increases and is especially severe for the type length distribution (Supplementary Material 2, ). The Naibbe cipher encrypts a unigram-bigram plaintext precisely to avoid creating this tension.
Figure 4. (a) On average, Naibbe ciphertexts reliably replicate the absolute and proportional frequency-rank distribution of word types within the VMS portions collectively known as Voynich B. Error bars are ±1σ. (b) Naibbe ciphertexts reliably reproduce the absolute frequencies of specific Voynich B word types. Of the word types that co-occur within both Voynich B and Naibbe ciphertexts, the best-fit linear regression between the two texts’ average absolute frequencies of a given word type is approximately y = x, with R² ∼ 0.9.
3.3. Zipfian frequency-rank word type distributions
Strikingly, Voynichesque variants that encrypt plaintexts composed of mostly unigrams and bigrams yield ciphertexts whose frequency-rank word type distributions automatically approximate power laws, in accordance with Zipf’s law (Zipf 1935; Supplementary Material 2, ), a feature of both natural languages and the VMS (Landini 2001). Zipf’s law naturally emerges within Voynichesque because in this general kind of cipher, ciphertext word types that encrypt plaintext unigrams automatically become many of the ciphertext’s commonest word types, as they can achieve frequencies that far exceed those of many bigram word types within the ciphertext. Many unigrams have much higher absolute frequencies within a given plaintext than longer n-grams do, and in a letter-by-letter homophonic substitution scheme, the number of possible ciphertext representations of a given plaintext n-gram increases exponentially as n-gram length increases, exponentially reducing the frequency of any one of these representations within the ciphertext.
Figure 5. An experimental Naibbe ciphertext that encrypts the beginning of Julius Caesar’s De bello Gallico (Holmes 2025), done entirely by hand with the 52-card variant of the Naibbe cipher. The writing is smooth, orderly, and almost entirely error-free, consistent with the VMS. The text also exhibits VMS-like clustering of structurally similar word types, with the second and third lines of paragraph 2 and first three lines of paragraph 3 showing clusters of words that start with <qok>. This clustering occurs because most unigram word types within the primary table begin with <qok>.
This observation motivated a modeling of the frequency-rank distribution of Voynich B’s 70 commonest word types that treated the words as if they were all standalone alphabet letters encrypted via a substitution cipher. The Naibbe cipher’s structure—notably its Latin and Italian plaintext languages, the roughly 50–50 split between plaintext unigrams and bigrams, and the 5:2:2:2:1:1 table ratios—is directly derived from this fitting procedure (Supplementary Material 3).
As a result, Naibbe ciphertexts exhibit frequency-rank word type distributions that not only are Zipfian but also reliably replicate those of Voynich B. In addition, Naibbe ciphertexts’ most common word type often has an absolute frequency of 2.3 ± 0.1%, consistent with the observed frequency of Voynich B’s commonest word type (2.1%) as reported in Bowern and Lindemann (2021). This replication also means that the ciphertexts exhibit a VMS-like Heaps’ law relationship between the length of the ciphertext (in tokens) and the number of distinct word types, thereby replicating Voynich B’s observed diversity of word types (∼4,900) at Voynich B-like token lengths (∼23,000). Naibbe ciphertexts also reliably replicate the absolute and proportional frequencies of many Voynich B word types, especially common ones.
Among the commonest 100 words, much of this fit is driven by the tables’ carefully assigned unigram word types. Remarkably, this fit to Voynich B occurs even as the Naibbe tables’ unigram word types are rigorously organized by prefix and suffix, where many of the unigram word types within a given table start with the same prefix, and most of the unigram word types for a given plaintext letter across the tables all end with the same suffix (Supplementary Material 1). This organization deliberately echoes how Trithemius (1564) generated word types for his artificial language cipher Polygraphia III, whose behavior is broadly VMS-like (Hermes 2022).
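The mechanism described at the start of this section can be reproduced with a toy model, added here as an illustration and not the Naibbe cipher itself: the word strings (`U0a`, `B0al3`) are hypothetical placeholders for table entries, and only the 50–50 unigram/bigram split and the 5:2:2:2:1:1 table ratios are taken from the text. It encrypts a constructed Latin sample, confirms the plaintext is recoverable, and reports how unigram word types crowd the top frequency ranks.

```python
import random
from collections import Counter

# Toy stand-in for the six tables: table t encodes letter c as the unigram word
# "U<t><c>", and a bigram ab as "B<t1>ab<t2>" (one table draw per letter).
# These strings are hypothetical, not the Voynichese entries of the real tables.
TABLE_WEIGHTS = [5, 2, 2, 2, 1, 1]   # the 5:2:2:2:1:1 table ratios from the text

# Constructed sample plaintext: opening of De bello Gallico, spaces removed.
SAMPLE = ("galliaestomnisdivisainpartestresquarumunamincoluntbelgaealiam"
          "aquitanitertiamquiipsorumlinguaceltaenostragalliappellantur") * 200

def encrypt(plaintext, rng, p_unigram=0.5):
    """Respace into random unigrams/bigrams, then substitute homophonically."""
    tables = range(len(TABLE_WEIGHTS))
    pick = lambda: rng.choices(tables, weights=TABLE_WEIGHTS)[0]
    words, i = [], 0
    while i < len(plaintext):
        if rng.random() < p_unigram or i + 1 == len(plaintext):
            words.append(f"U{pick()}{plaintext[i]}")
            i += 1
        else:
            a, b = plaintext[i], plaintext[i + 1]
            words.append(f"B{pick()}{a}{b}{pick()}")
            i += 2
    return words

def decrypt(words):
    """Every word names its own letters, so the plaintext sequence survives."""
    return "".join(w[2] if w[0] == "U" else w[2:4] for w in words)

def rank_report(words, top=10):
    """Return (share of the `top` commonest types that are unigram words,
    frequency of the commonest unigram type, of the commonest bigram type)."""
    ranked = Counter(words).most_common()
    uni_share = sum(w[0] == "U" for w, _ in ranked[:top]) / top
    best = lambda kind: max(n for w, n in ranked if w[0] == kind) / len(words)
    return uni_share, best("U"), best("B")

if __name__ == "__main__":
    ct = encrypt(SAMPLE, random.Random(408))
    assert decrypt(ct) == SAMPLE
    print(rank_report(ct))
```

Each unigram has 6 possible encodings here and each bigram 36, which is why a single bigram word type stays far below the commonest unigram word types even when its plaintext bigram is frequent.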
3.4. Additional properties of Naibbe ciphertext
Like the VMS, Naibbe ciphertexts can reliably and simultaneously exhibit: many hapax legomena (Zandbergen 2024a); skewed word pairings (Caruana, Layfield, and Abela 2022); smooth, orderly, and seemingly error-free written text; clusters of in-sequence tokens that are short Levenshtein distances from each other (Levenshtein 1966; Timm 2015, 2016); densely interconnected networks of word types that are Levenshtein distances of 1 away from each other (Timm and Schinner 2020); tokens that repeat multiple times in a row (Bowern and Lindemann 2021); ciphertext word type frequencies that vary based on the language or topic of the underlying plaintext (Amancio et al. 2013; Layfield et al. 2020; Montemurro and Zanette 2013; Reddy and Knight 2011; Sterneck, Polish, and Bowern 2021); the VMS’s observed morphological complexity, as defined by the most common words measure and the moving average type-token ratio (Lindemann 2022); and the VMS’s observed near-absence of token autocorrelation as a function of sequence offset (Timm and Schinner 2024). Overviews of how the Naibbe cipher can achieve these properties are given in and Supplementary Material 1.
Table 10. Summary of how the Naibbe cipher replicates various properties of the VMS. See Supplementary Material 1 for further detail.
When subjected to the same linguistic analyses described within Gaskell and Bowern (2022) and Bowern and Gaskell (2022), which measured the statistical properties of the VMS with 42 different word-level metrics, this study’s 20 reference Naibbe ciphertexts all individually outperform more than 86% of the texts within those studies’ 932-document reference corpus at replicating the properties of the VMS (Supplementary Materials). Additionally, when the texts within this corpus are grouped by text generation method (e.g., conlangs, gibberish, texts all encrypted with the same cipher), the Naibbe cipher exhibits the lowest non-VMS average distance from the VMS’s statistical behavior, where distance is defined by a given text’s Z-scored Euclidean distance relative to the 42 metrics calculated by Gaskell and Bowern (2022) and Bowern and Gaskell (2022) for an EVA transliteration of the VMS. By this average metric, the Naibbe cipher outperforms all text generation methods examined by Bowern and Gaskell (2022) and Gaskell and Bowern (2022), including gibberish, conlangs, ciphertexts, and meaningless VMS-like text generated by Timm and Schinner’s (2020) self-citation algorithm.
Figure 6. When compared against the VMS and 27 other text generation methods as described in Gaskell and Bowern (2022) and Bowern and Gaskell (2022), the Naibbe cipher exhibits the most VMS-like average word-level behavior other than the VMS itself, as measured by a text generation method’s average Euclidean distance (after Z-scoring) from 42 word-level linguistic measurements of an EVA transliteration of the VMS. See Gaskell and Bowern (2022) for a full description of these metrics and text generation methods. In general, the texts include various model ciphertexts, conlangs, manually generated gibberish, modern and historical plaintexts, and text generated by Timm and Schinner’s (2020) self-citation algorithm.
Additionally, when Gaskell and Bowern (2022) trained a random forest classification model on known gibberish and known meaningful text and then used it to classify the VMS, the model assigned the VMS to gibberish with low confidence (i.e., >50%). This same model also consistently classifies Naibbe ciphertext as gibberish, confirming Gaskell and Bowern’s (2022) warning that classification of the VMS as gibberish does not itself constitute proof that the VMS is meaningless.
Figure 7. When Naibbe ciphertexts are classified as either gibberish or as meaningful text using a random forest classification model trained on known gibberish and meaningful text, as described within Gaskell and Bowern (2022), they are reliably classified at low confidence (>50%) as gibberish, as the model also classifies the VMS.
In general, the Naibbe cipher can simultaneously replicate or nearly replicate many properties of the VMS because it substitutes the letters within very short plaintext n-grams with many different types of distinct yet structurally similar Voynichese glyph strings—either entire Voynichese word types or affixes generated using this study’s version of the Zattera (2022) slot grammar—while leaving the full sequence of plaintext letters intact. The Naibbe cipher’s verbosity, homophony, and respacing of the plaintext let the cipher generate VMS-like numbers of unique word types in VMS-like proportions while obeying the tight constraints jointly placed by the VMS’s observed word grammar, entropy, token length distribution, and word type length distribution.
At the same time, language-like properties naturally emerge within Naibbe ciphertext because hints of the underlying plaintext’s structure can shine through. The most prominent skewed word pairs within a Naibbe ciphertext represent skewed pairs of plaintext alphabet letters (e.g., UM versus MU in Latin) encrypted as two unigram word types (Supplementary Material 1). Similarly, Naibbe word types’ frequencies can vary based on a plaintext section’s language or topic simply because plaintext unigram and bigram frequencies do, too. Within this study’s standard plaintext, the bigram CH is more common within the Italian section (Dante’s Divina Commedia) than it is within the rest of the plaintext. As a result, Naibbe ciphertext word types that encrypt the bigram CH are more common within the portion of the ciphertext that encrypts part of the Divina Commedia, a discrepancy that can be detected using term frequency-inverse document frequency vectorization (Supplementary Material 1).
4. Current limitations of the Naibbe cipher
As the aphorism goes, all models are wrong, but some are useful—and in its current form, the Naibbe cipher fails in several major ways to replicate key properties of the VMS. In its present failures, the Naibbe cipher invites future analysis to address whether and how modifications to the cipher’s general structure can achieve a more complete replication of VMS properties. A non-exhaustive list of tensions follows.
4.1. Incomplete replication of word types
While motivated by the word frequencies observed within Voynich B, the bigram prefix and suffix assignments within the Naibbe cipher’s current tables do not reliably reproduce the exact observed diversity of VMS word types, especially rare ones. In a 20,000-token Naibbe ciphertext, only about 30% of all present word types occur within the VMS. Even at peak performance, the Naibbe cipher’s six tables and current procedure can generate only 83% of Voynich B’s tokens and 45% of Voynich B’s unique word types.
Future versions of the Naibbe cipher could attempt optimizations of the word grammar that both create greater structural similarity within a given table’s prefix and suffix options and explicitly provide a ruleset for trigrams and longer n-grams, with the understanding that longer plaintext n-grams would have to be rare to preserve VMS-like token and type length distributions. That said, whatever system generated the VMS’s rare word types must have offered greater flexibility than the Naibbe cipher currently provides. The Naibbe tables are populated with Voynich B’s 138 commonest prefixes and suffixes as I determined them, but there were more than 200 total prefixes and suffixes, with many unused ones occurring only once or twice.
However, if a small fraction of the spaces (∼3%) within such a ciphertext were then omitted—as if the scribe were cramming tokens together, or if a transliteration of the ciphertext accidentally omitted an ambiguous space—this omission would have the effect of efficiently generating additional long, rare word types of plaintext lengths 2–4. By greatly expanding the Naibbe cipher’s combinatorial possibilities, this minor modification would improve its ability to replicate observed VMS word types, at the expense of more potential for ambiguity during decryption.
4.2. Lack of long-range correlations
One of the VMS’s key statistical properties is the presence of long-range correlations at the glyph and word levels (Matlach, Janečková, and Dostál 2022; Montemurro and Zanette 2013; Schinner 2007; Timm and Schinner 2020). In its current form, the Naibbe cipher does not induce these correlations, in part because its random respacing and card-drawing procedures may destroy the chance for them to form. I confirm that a representative, ∼20,000-token Naibbe ciphertext converted into a binary sequence fails to reproduce the long-range correlations observed within the VMS by Schinner (2007), as measured via the root mean square fluctuation in the random-walk displacement of the text’s binary sequence (Supplementary Material 4).
The Naibbe cipher cannot be exactly how the VMS was created, in part because in its current form, it explicitly optimizes for repeatable replication of the average frequency-rank distribution of word types across all of Voynich B, which averages across that portion’s finer-scale structure (Supplementary Material 3). If the VMS’s scribes at least occasionally deviated from Naibbe-style procedures to habitually choose how to encrypt the text instead, then it is possible that long-range correlations could readily form. As Matlach, Janečková, and Dostál (2022) argued, autocorrelations within the VMS “might be a consequence of a habit of picking specific substitutes” and that “such habits may also naturally fade off as the coder notices the repetition.” Through this lens, the Naibbe cipher’s table ratios may represent global averages of several scribes’ ever-evolving biases for or against certain tables of unigram word types or lists of affixes used to encrypt longer n-grams. For example, if each Naibbe table had its own page within a multi-page pamphlet, some tables could be easier to consult than others and thus could see more frequent use.
Correlations may also stem from non-stochastic bursts of table use, word repetition, and line-by-line reuse of ciphertext word types, with the construction of the VMS itself also potentially playing a role. For the most part, the VMS is made of quires of multiple bifolia that each consist of a single folded piece of parchment yielding four VMS pages (Zyats et al. 2016). If the VMS’s plaintext contents were encrypted one bifolio at a time—and not in final narrative order—a scribe could nonrandomly reuse tokens while encrypting across a given bifolio, which could lead to nonrandom correlations in word use on opposite sides of the resulting quire, potentially thousands of tokens apart. Future work should evaluate whether changes to the Naibbe cipher that emulate the VMS’s quire-based construction or biases during manual encryption can reliably induce long-range correlations while encrypting a meaningful plaintext.
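The contrast drawn in this section between random draws and habitual choices can be measured with the random-walk fluctuation statistic, shown here as an added example that is not the study's analysis code. It assumes the standard definition F(l) = sqrt(⟨Δy²⟩ − ⟨Δy⟩²) for displacements Δy over windows of l steps; both input sequences are constructed, and the "habit" model is hypothetical, persistent only over roughly a hundred steps, and not a model of the VMS.

```python
import math
import random

def rms_fluctuation(bits, window):
    """F(l): standard deviation of the walk's displacement over `window` steps,
    taken over every start position (bit 1 is a step up, bit 0 a step down)."""
    walk = [0]
    for b in bits:
        walk.append(walk[-1] + (1 if b else -1))
    deltas = [walk[i + window] - walk[i] for i in range(len(walk) - window)]
    mean = sum(deltas) / len(deltas)
    mean_sq = sum(d * d for d in deltas) / len(deltas)
    return math.sqrt(mean_sq - mean * mean)

def scaling_exponent(bits, windows=(4, 8, 16, 32, 64)):
    """Least-squares slope of log F(l) against log l.
    About 0.5 means no correlation; larger values mean persistence."""
    xs = [math.log(w) for w in windows]
    ys = [math.log(rms_fluctuation(bits, w)) for w in windows]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return num / sum((x - mx) ** 2 for x in xs)

def independent_choices(n, rng):
    """Constructed input: each binary choice is a fresh random draw."""
    return [rng.random() < 0.5 for _ in range(n)]

def habitual_choices(n, rng, keep=0.99):
    """Constructed input: the previous choice is repeated with probability
    `keep`, a crude stand-in for a scribe's habit (hypothetical model)."""
    bits = [rng.random() < 0.5]
    while len(bits) < n:
        bits.append(bits[-1] if rng.random() < keep else not bits[-1])
    return bits

if __name__ == "__main__":
    rng = random.Random(2007)
    print(round(scaling_exponent(independent_choices(20000, rng)), 2))
    print(round(scaling_exponent(habitual_choices(20000, rng)), 2))
```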
4.3. No explicit mechanism for line- and paragraph-dependent glyph placements
The Naibbe cipher currently proceeds with encryption at the level of individual plaintext unigrams and bigrams, with no explicit mechanism accounting for the fact that certain VMS glyphs vary in their frequency depending on their token’s placement within a line or paragraph (Currier 1976).
At risk of arbitrarily extending the cipher’s ruleset, the judicious use of nulls could explain some of this variation. For example, to replicate the flamboyant <p> that often begins the VMS’s apparent paragraphs, we could simply require that every few lines, a line must begin with an exaggerated <p>, for the sole purpose of creating the false appearance of a new paragraph (as done in ). Likewise, to explain why <m> often appears at the end of VMS lines, we could designate that a