
Spring 2015 Chris Christensen CSC/MAT 483

One-time pads

From the Vigenère we learn that we need to eliminate the period within the key. We did that in the running key cipher by making the key as long as the message.

From the running key cipher we learn that we need to eliminate patterns in the key as well as in the message. We could do this by making the key a random string.

But, how do we create a random string? We could place the letters of the alphabet on slips of paper and draw them from a bag with replacement to create a random string of letters, or do that same thing with the digits 0, 1, …, 9 to create a random string of digits. We could monitor a random process. We could use the digits of π; this string of digits is known to be random. Here are the first 1000 digits of π according to the computer algebra system Mathematica.

31415926535897932384626433832795028841971693993751058209749445923078164062862 08998628034825342117067982148086513282306647093844609550582231725359408128481 11745028410270193852110555964462294895493038196442881097566593344612847564823 37867831652712019091456485669234603486104543266482133936072602491412737245870 06606315588174881520920962829254091715364367892590360011330530548820466521384 14695194151160943305727036575959195309218611738193261179310511854807446237996 27495673518857527248912279381830119491298336733624406566430860213949463952247 37190702179860943702770539217176293176752384674818467669405132000568127145263 56082778577134275778960917363717872146844090122495343014654958537105079227968 92589235420199561121290219608640344181598136297747713099605187072113499999983 72978049951059731732816096318595024459455346908302642522308253344685035261931 18817101000313783875288658753320838142061717766914730359825349042875546871159 562863882353787593751957781857780532171226806613001927876611195909216420199

If a sufficiently long string of these digits was used to encrypt a message using a Gronsfeld cipher (See appendix 1.), then there would be no period and no pattern in the key.

But, say, that we had 100 messages to encrypt with a Gronsfeld cipher. If we used the same keystring of digits for each message, we would have created depth – not within a single message – but among the collection of ciphertext messages. Stripping the first letter from each ciphertext message would result in 100 letters from the same alphabet; the frequencies of these letters could be used to determine the first shift. Stripping the second letter from each ciphertext message would result in 100 letters from the same alphabet; the frequencies of these letters could be used to determine the second shift. Etc. (See appendix 4, which contains an example using the Vigenère cipher.) The keystring cannot be re-used or depth would be created.

The keystring must be as long as the message, the keystring must be random, and the keystring can only be used once.

Such an encryption scheme is called a one-time pad (OTP). Claude Shannon (1916 – 2001), the Bell Labs engineer and mathematician who founded the field of information theory, proved that the one-time pad is unbreakable (1949). It is the only provably secure cipher.

So, why doesn’t everyone use a one-time pad? The practical problems associated with a one-time pad make it a little-used encryption scheme. The practical problems are:

Generating long random keystrings.

Exchanging the keystrings between sender and receiver.

There are other ciphers that, while not provably secure, are “secure enough” and are more convenient.

Stream ciphers

Block ciphers, like Playfair and Hill ciphers, encrypt plaintext of a fixed length – digraphs for the Playfair and n-graphs for n-dimensional Hill ciphers. If the length of the plaintext message is not an integral multiple of the length of a block, the plaintext message must be padded.

Stream ciphers can encrypt plaintext messages of variable length. The one-time pad can be thought of as an example – each message uses a portion of the key with length equal to the length of the plaintext message. (Then that portion of the key is never re-used.)

The ideas that resulted in modern stream ciphers originated with another AT&T Bell Labs engineer, Gilbert Vernam (1890 – 1960). In 1917, Vernam developed a scheme to encrypt teletype transmissions. Unlike Morse code, which uses symbols of different lengths to substitute for letters of the alphabet, teletype transmission used what we would today call a 5-bit code for the letters of the alphabet and certain keyboard commands. Its use was similar to the way that the 8-bit ASCII code is used today in computing.

A = xx•••   B = x••xx   C = •xxx•   D = x••x•
E = x••••   F = x•xx•   G = •x•xx   H = ••x•x
I = •xx••   J = xx•x•   K = xxxx•   L = •x••x
M = ••xxx   N = ••xx•   O = •••xx   P = •xx•x
Q = xxx•x   R = •x•x•   S = x•x••   T = ••••x
U = xxx••   V = •xxxx   W = xx••x   X = x•xxx
Y = x•x•x   Z = x•••x

Like today’s keyboards, two functions were associated to each key – a “letter” function and a “figures” function.

letters   figures
A         -
B         ?
C         :
D         who are you ?
E         3
F         %
G         &
H         local currency
I         8
J         ring bell
K         (
L         )
M         .
N         ,
O         9
P         0
Q         1
R         4
S         ‘
T         5
U         7
V         =
W         2
X         /
Y         6
Z         +

The 26 letters of the alphabet and the corresponding “figures” used 26 of the 32 possible 5-bit strings. ••••• was not used.

The remaining five 5-bit strings were used for commands.

••x••   space
•••x•   carriage return
•x•••   line feed
xx•xx   shift to figures
xxxxx   shift to letters

The World War II codebreakers at Bletchley Park used the following characters for 5-bit strings:

A = xx•••   B = x••xx   C = •xxx•   D = x••x•
E = x••••   F = x•xx•   G = •x•xx   H = ••x•x
I = •xx••   J = xx•x•   K = xxxx•   L = •x••x
M = ••xxx   N = ••xx•   O = •••xx   P = •xx•x
Q = xxx•x   R = •x•x•   S = x•x••   T = ••••x
U = xxx••   V = •xxxx   W = xx••x   X = x•xxx
Y = x•x•x   Z = x•••x

/ = •••••   9 = ••x••   3 = •••x•   4 = •x•••   5 = xx•xx   8 = xxxxx

This code is called the International Telegraph Alphabet number 2 (ITA2) and is still in use in TDDs and some amateur radio applications. It was based upon a 5-bit teletype code developed by the French telegraph engineer Émile Baudot (1845 – 1903) around 1874. (The rate of symbol transmission called the baud is named after Baudot.) Around 1901, Baudot’s code (ITA1) was modified by Donald Murray (1865 – 1945), a New Zealand sheepfarmer. A later modification resulted in ITA2.

The idea of using 5-character strings to represent the letters of the alphabet seems to be due to Sir Francis Bacon (1561 – 1626). Bacon used the first two letters of his name for the characters in the strings.

a    AAAAA     i/j  ABAAA     r    BAAAA
b    AAAAB     k    ABAAB     s    BAAAB
c    AAABA     l    ABABA     t    BAABA
d    AAABB     m    ABABB     u/v  BAABB
e    AABAA     n    ABBAA     w    BABAA
f    AABAB     o    ABBAB     x    BABAB
g    AABBA     p    ABBBA     y    BABBA
h    AABBB     q    ABBBB     z    BABBB

When Vernam developed his encryption scheme during the early Twentieth Century, he was not thinking about 5-bit strings of 1’s and 0’s; he was thinking about cross x or dot •, mark or no mark, high voltage or low voltage, etc., but today it is easiest to think of 1’s or 0’s.

Thinking this way, Vernam’s encryption scheme can be easily described. The key was a random string of 0’s and 1’s. The plaintext message was converted to a string of 0’s and 1’s using ITA2. The two strings were XORed to generate the ciphertext. Pattern (plaintext) plus (⊕) random (key) yields random (CIPHERTEXT).

The operation XOR is equivalent to bitwise addition modulo 2.

⊕   0   1
0   0   1
1   1   0

0 is the identity for XOR; i.e., XORing a bit with 0 does not change the bit. 0 ⊕ 0 = 0 and 1 ⊕ 0 = 0 ⊕ 1 = 1. Notice that, for XOR, each bit is its own inverse; i.e., a bit XORed with itself yields 0: 0 ⊕ 0 = 0 and 1 ⊕ 1 = 0.

The last property makes decryption easy. Any string XORed with itself is a string of 0’s.

  011111110010010
⊕ 011111110010010
  000000000000000

Therefore, a ciphertext message can be decrypted by XORing (again) with the key.

CIPHERTEXT ⊕ key = (plaintext ⊕ key) ⊕ key
                 = plaintext ⊕ (key ⊕ key)
                 = plaintext ⊕ 00…0
                 = plaintext

Vernam’s cipher was not a one-time pad. It was implemented using relays, and the keystring was punched on a (long) paper tape. Even though the tape was long, it would eventually repeat and create depth. An AT&T engineer Lyman Morehouse developed an idea that created long keystrings by combining two shorter strings of different lengths. The idea can be exhibited using two small strings. Let the first string be of length 6

101110

and the second of length 7

1111011

Create the keystring by XORing these two strings.

101110101110101110101110101110101110101110101110
1111011111101111110111111011111101111110111111011
010011010000010001110001000001011001010101010011

Because of the difference in lengths and because the lengths are relatively prime, combining these strings, which have periods 6 and 7, results in a string having period 42. A string of 999 bits combined with a string of 1000 bits would result in a keystring of 999000 bits. But, it would still not be a one-time pad.
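The two-tape construction can be checked directly. The following is an added example, not part of the original notes; the 8-bit tape is constructed here to show what happens when the two lengths are not relatively prime, and the function names are hypothetical.

```python
from itertools import cycle, islice
from math import lcm

TAPE_A = "101110"      # length 6, from the text
TAPE_B = "1111011"     # length 7, from the text
TAPE_C = "11110110"    # length 8, constructed: shares the factor 2 with length 6


def combined_tape(a: str, b: str, n: int) -> str:
    """XOR two looped key tapes bit by bit and return the first n key bits."""
    pairs = islice(zip(cycle(a), cycle(b)), n)
    return "".join(str(int(x) ^ int(y)) for x, y in pairs)


def smallest_period(bits: str) -> int:
    """Smallest p with bits[i] == bits[i + p] for every i in range.

    The input must cover at least two full periods for the answer to be
    the true period of the underlying endless stream.
    """
    for p in range(1, len(bits)):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return len(bits)


def nominal_period(len_a: int, len_b: int) -> int:
    """Period promised by two looped tapes: the least common multiple."""
    return lcm(len_a, len_b)


def key_period(a: str, b: str) -> int:
    """Measure the period of the combined key over two nominal periods."""
    window = 2 * nominal_period(len(a), len(b))
    return smallest_period(combined_tape(a, b, window))


if __name__ == "__main__":
    print(combined_tape(TAPE_A, TAPE_B, 48))
    print("lengths 6 and 7:", key_period(TAPE_A, TAPE_B))   # product 42
    print("lengths 6 and 8:", key_period(TAPE_A, TAPE_C))   # 24, not 48
    print("lengths 999 and 1000:", nominal_period(999, 1000))
```

The period is the least common multiple of the tape lengths, which equals their product only when the lengths are relatively prime. Either way the key repeats, so depth eventually appears.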

The need for the key to be both “endless and senseless” was recognized by Joseph Mauborgne (1881 – 1971), an officer in the United States Army Signal Corps.

The United States – Soviet Union hotline (See appendix 2.) that was constructed during the 1960’s used a one-time pad with the keystring on a paper tape. The voice encryption device SIGSALY (See appendix 3.) that was developed by Bell Labs for the United States Army during World War II used a one-time pad with the key consisting of random noise recorded on a record. Concern about the poor encryption systems that they used during World War I caused the Soviets to implement a one-time pad, hand cipher for their spies during World War II and after. Unfortunately for them, the need for many keys caused them to re-use keys. This was noticed by American cryptanalysts who were able to break many messages. The breaking of these messages was called the VENONA project (See appendix 5.) and led to the arrests of the Soviet atomic spies.

From the 1920’s until the 1970’s encryption machines dominated cryptography. The purpose of these machines was to implement ciphers with long keys and, therefore, protect against attacks using the period.

Known plaintext attack on depth of two

A known plaintext attack can succeed against a cipher with a depth of two. If two messages are encrypted with the same key, XORing the two ciphertexts will remove the key and result in the XOR of the plaintexts.

CIPHERTEXT1 ⊕ CIPHERTEXT2 = (plaintext1 ⊕ key) ⊕ (plaintext2 ⊕ key)
                          = (plaintext1 ⊕ plaintext2) ⊕ (key ⊕ key)
                          = (plaintext1 ⊕ plaintext2) ⊕ 00…0
                          = plaintext1 ⊕ plaintext2

If a crib, a portion of the plaintext, is known, an attack can be made.

Here are two ciphertexts:

CIPHERTEXT1

00000 11111 11001 11000 10111 00011

CIPHERTEXT2

00000 01011 00100 01001 11111 00011

XORing the two ciphertexts removes the key and results in the XOR of the two plaintext messages.

CIPHERTEXT1 ⊕ CIPHERTEXT2 = plaintext1 ⊕ plaintext2

00000 10100 11101 10001 01000 00000

If we know one of the messages, say plaintext 1 is known to be “cipher,” then the other message can be determined:

plaintext1 ⊕ plaintext2   00000 10100 11101 10001 01000 00000
plaintext1                01110 01100 01101 00101 10000 01010
                            c     i     p     h     e     r

(plaintext1 ⊕ plaintext2) ⊕ plaintext1 = plaintext2

01110 11000 10000 10100 11000 01010
  c     a     e     s     a     r

Instead of using the 0s and 1s of the Baudot code, an addition table (+) can be constructed for the characters (See appendix 6.), and that table can be used to determine plaintext2.

plaintext1 + plaintext2   / S Q Z 4 /
plaintext1                c i p h e r

(plaintext1 + plaintext2) + plaintext1 = plaintext2

c a e s a r

It is often the case that although a crib is known its placement is not known. The position of the crib can be determined by “dragging.”

Here are two ciphertexts:

CIPHERTEXT1

11110 11101 00000 00110 01011 00111 11111 01010 01000 11101 00000 10000 00000 11000 00001 10100 11100

CIPHERTEXT2

11001 11011 10001 11101 01011 11000 11000 10111 11001 11110 10001 00010 00010 01011 10001 00010 10101 11001 01110 10110

Rather than use strings of 0s and 1s, we will convert each 5-bit string to a character and use the Baudot addition table (appendix 6).

CIPHERTEXT1

K Q / N G M 8 R 4 Q / E / A T S U

CIPHERTEXT2

W 5 Z Q G A A X W K Z 3 3 G Z 3 Y W C F

Adding the two ciphertexts removes the key and results in the sum of the two plaintexts.

K Q / N G M 8 R 4 Q / E / A T S U

W 5 Z Q G A A X W K Z 3 3 G Z 3 Y W C F

M N Z 5 / 8 M Q Z O Z D 3 B E F L

We believe that the phrase “key to” appears in one of the messages. We will drag that phrase along the sum of the two plaintexts and add it (recall that addition is self-inverse) until the result seems to be plaintext.

M N Z 5 / 8 M Q Z O Z D 3 B E F L
K E Y T O
w f 9 j o

M N Z 5 / 8 M Q Z O Z D 3 B E F L
  K E Y T O
  a t c t u

M N Z 5 / 8 M Q Z O Z D 3 B E F L
    K E Y T O
    v g y k 9

M N Z 5 / 8 M Q Z O Z D 3 B E F L
      K E Y T O
      h e r n k

This looks like plaintext. Now try to work in both directions to extend what is known about the two plaintext messages. The keystring can also be determined.
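The two worked attacks above can be reproduced in a few lines. This is an added example, not part of the original notes: it encodes ITA2 in the Bletchley Park characters, adds the two ciphertexts to cancel the key, and drags the crib across every offset. The function names are hypothetical, and the final key-fragment step assumes, for illustration only, that the crib lies in the second message.

```python
# ITA2 letter-shift alphabet in Bletchley Park notation, indexed by the 5-bit
# value read with the first impulse as the high bit (x = 1, dot = 0).
# "/" null, "9" space, "3" carriage return, "4" line feed,
# "5" shift to figures, "8" shift to letters.
ITA2 = "/T3O9HNM4LRGIPCVEZDBSYFXAWJ5UQK8"


def from_bits(groups: str) -> str:
    """Convert space-separated 5-bit groups ('11110 11101 ...') to characters."""
    return "".join(ITA2[int(g, 2)] for g in groups.split())


def add(a: str, b: str) -> str:
    """Baudot addition: character-wise XOR of the 5-bit codes.

    zip() stops at the shorter string, so only the overlap is combined.
    """
    return "".join(ITA2[ITA2.index(x) ^ ITA2.index(y)]
                   for x, y in zip(a.upper(), b.upper()))


def drag(combined: str, crib: str) -> list[tuple[int, str]]:
    """Add the crib to the combined stream at every offset where it fits."""
    last = len(combined) - len(crib)
    return [(i, add(combined[i:i + len(crib)], crib)) for i in range(last + 1)]


# Ciphertexts from the text (depth of two: both enciphered with the same key).
C1 = from_bits("11110 11101 00000 00110 01011 00111 11111 01010 01000 "
               "11101 00000 10000 00000 11000 00001 10100 11100")
C2 = from_bits("11001 11011 10001 11101 01011 11000 11000 10111 11001 11110 "
               "10001 00010 00010 01011 10001 00010 10101 11001 01110 10110")

COMBINED = add(C1, C2)              # the key cancels: plaintext1 + plaintext2
CANDIDATES = drag(COMBINED, "KEYTO")

if __name__ == "__main__":
    print("C1      ", C1)
    print("C2      ", C2)
    print("C1 + C2 ", COMBINED)
    for offset, text in CANDIDATES:
        print(f"offset {offset:2d}: {text.lower()}")
    # Assumption for illustration: the crib sits in message 2 at offset 3.
    # Then the key under it is C2 + crib, and message 1 must decrypt to the
    # same fragment that dragging produced at that offset.
    key = add(C2[3:8], "KEYTO")
    print("key fragment:", key, "->", add(C1[3:8], key).lower())
```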

Modern stream ciphers

Modern stream ciphers operate much the same as Vernam’s original cipher. They are not one-time pads; their keystrings are pseudorandom. Because the XOR operation and the methods used to generate keystrings are not complex operations, stream ciphers are typically faster than block ciphers. Stream ciphers are often used in situations (for example, wireless communications) in which the length of the plaintext message is not known beforehand.

Appendix 1

Gronsfeld Cipher

In 1892, French authorities arrested a group of anarchists and brought them to trial. Included in the evidence was a number of that had been solved by [Étienne] Bazeries [1846 – 1931]. They used a system called the Gronsfeld, a kind of truncated Vigenère named for the count of Gronsfeld. Its key consists of numbers, each of which indicates the number of letters forward in the normal alphabet that the encipherer is to count from the plaintext letter to the ciphertext letter. (The Code Breakers by David Kahn)

Here is a table for the Gronsfeld cipher.

  abcdefghijklmnopqrstuvwxyz
0 ABCDEFGHIJKLMNOPQRSTUVWXYZ
1 BCDEFGHIJKLMNOPQRSTUVWXYZA
2 CDEFGHIJKLMNOPQRSTUVWXYZAB
3 DEFGHIJKLMNOPQRSTUVWXYZABC
4 EFGHIJKLMNOPQRSTUVWXYZABCD
5 FGHIJKLMNOPQRSTUVWXYZABCDE
6 GHIJKLMNOPQRSTUVWXYZABCDEF
7 HIJKLMNOPQRSTUVWXYZABCDEFG
8 IJKLMNOPQRSTUVWXYZABCDEFGH
9 JKLMNOPQRSTUVWXYZABCDEFGHI

Appendix 2

This is a picture of one of the teletypewriters used in the US/Soviet Union Hotline. The key is a one-time pad that is contained on the paper spool on the left. The machine is on display at NSA’s National Cryptological Museum.

Appendix 3

SIGSALY speech encryption.

SIGSALY turntables.

Appendix 4

Depth

Vigenère ciphers were broken by locating repetitions of alphabets within the ciphertext. It is just as bad to allow the repetitions to occur among several ciphertext messages. This is called depth. Here is an example of how depth can be used to cryptanalyze ciphertext messages.

Here are the first fifteen characters of one hundred ciphertext messages each of which has been enciphered with a Vigenère cipher using the same random string of letters.

hxtcp wndcw tciov hxtod hcola ugwyh ojitd kkycv zulny gybbg wneva zjxda dugtv hndbm yjqys

gybug smvsz kqpjj hxxeo lcoiz ejwlv kyitd foryv kyxqb wmpez sosho yvtyl wjxed ekyma ocpna

cdtaa lcolm gtswz wjlmn aipuk zbhnc hxtdz lcogi zuiay rkgui yoryg kbvbp beqay qrkmx gsxrj

vyhqs shshi zjswv hxtdz xjbya sjxqy hxtmm ljpwz eqxxn wjxen ldvfu usilb hxtnj gfmil kjwxw

vugqh smumb nbxco belwi grxua ziith crkuj mnvsq lbvnw hxxea sxdca ziikh velqq wmdbm rfxcl

muifc wpxcw tfwcz kxtzv vzmcx nfvvl iduam lpxub kmcov kyitd fvxbw assop kxpfx skduq tdyrn

cdtaa vzfco koial kxxxz aidbi zdmcf tykqd kvfie kmmcw dqgfg qorca sfxqv pkiuo aomuv xfemp

aegqj nzbnp knewb qechz jnofg ziiop obdzb ujela kpjru vubmt zjvxa uumpo wdiij gadbm rprpl aehfv jhsya uoxql qyetz jnklm ziybz ryexj evmsp ktmch pqrai anwnp kulnv qhnbo gbbux njgjs qecej fvxna mssdw tegwz jxuin ltemc hxteo wkdbi zgsus gebqo ahomi fjkih jugkz xaowb owidz teaxj odxab nfwny reczz dgiww aoxnk qugfv aixie zieco otdbo aiqnp oteba owday vzkfk uvpmi kxntv voryk uojnk gymbz jnyha cfvna muitd koolz ousap ifiao zdcnq nfrap uykqi lcknb nfwlp dhdrz knylv kxfxs thdyd lcomw uoiga fuhqv jxrcv umhnu cdakm wgknq bfphp aehfg qoryt kuxny kyaxo zzimp uxtny qejzo aiqzz unxql puvui fdxai zulnm ofgay absic yoyvi qyetz jnrul hfiwy muiic agolc ytmju zuifz jngcb nulnb beedd kjxyz tpvju wmpez sosho yvtyl aoemm liolv uxywk dqgfj xorya acwcp oiagx cryot jieel kqaed fbruu yisdz pkiai dtpiz gtlxy peitn winyz gohal

idauf whbmo gmpdw tqred edvya ugxql hhpzn eddnm xtiay sltzo zzqlm gujal pedfc kkbiw ltxql ofgaa wnccw tbpco owpui fdovc nsljk sltzo zzxuu ktxqy pkiua gioua yvqvl wditz hvslw zfbcz obafc jjeap ziinp hxtmg dzqiz odeuj keard kvvnp kgebo dhpkt wodbi zzsdt sdvxd kcmcx nfvru sfxeo dzyhb nfrds hhxfc whsoa lppuv vucdd zvngi tbknk ryskj mcouz ciecq wjxed ekyma ocpna

The first alphabet is the set that consists of the first letter of each message. This should correspond to a Caesar cipher.

Here is the first alphabet. Remember that each letter of this alphabet corresponds to an initial letter of a word; so, the frequencies are shifted toward letters that are more frequent initial letters. Recall that when we are looking for a Caesar cipher we usually look for frequency peaks at aeinorst.

a _ _ _ e _ _ _ i _ _ _ _ n o _ _ r s t _ _ _ _ _ _

But enr are not typically used as initial letters; so, we should be looking for frequency peaks corresponding to aiost.

a _ _ _ _ _ _ _ i _ _ _ _ _ o _ _ _ s t _ _ _ _ _ _

A = **** B = *** C = **** D = ***** E = F = * G = **** H = ************ I = *** J = * K = ********* L = M = *** N = O = ********* P = ******* Q = ******* R = **** S = **** T = ***** U = * V = ***** W = ******** X = Y = Z = *

What is the shift? For the second alphabet and subsequent alphabets, we should be looking for the more usual frequency peaks at

a _ _ _ e _ _ _ i _ _ _ _ n o _ _ r s t _ _ _ _ _ _

Here is the second alphabet.

A = B = ** C = D = ******** E = ***************** F = **** G = H = ****** I = * J = ***** K = **** L = ** M = ** N = O = * P = Q = ***** R = * S = T = * U = ************ V = W = ** X = ************** Y = ************* Z =

What is the shift? The third alphabet:

A = ******** B = **** C = **** D = ****** E = ***** F = G = *********** H = **** I = ************** J = * K = *** L = *** M = * N = ** O = P = ****** Q = * R = ** S = * T = ************* U = * V = ** W = X = ******** Y = Z =

What is the shift? The fourth alphabet:

A = ********** B = **** C = * D = **** E = ************ F = *********** G = * H = * I = ** J = K = **** L = M = ***** N = * O = * P = Q = ******** R = ** S = T = ********** U = ******** V = W = ** X = ***** Y = * Z = *******

What is the shift? The fifth alphabet:

A = ***** B = * C = ***** D = *************** E = F = * G = ***** H = * I = ******* J = ********* K = L = M = **** N = **** O = ************ P = * Q = * R = S = * T = ** U = V = ****** W = X = ** Y = *** Z = ***************

What is the shift? The sixth alphabet:

A = ********** B = C = * D = **** E = ***** F = ****** G = ***** H = *** I = J = ********* K = ******** L = ********* M = ** N = * O = * P = Q = *** R = S = ******* T = U = * V = **** W = *********** X = *** Y = * Z = ******

What is the shift? The seventh alphabet:

A = ** B = *** C = ******** D = ******* E = F = *

G = *** H = ***** I = ******** J = ****** K = ****** L = M = *** N = ************ O = *********** P = ** Q = R = *** S = T = * U = V = ******* W = X = *** Y = Z = *********

What is the shift? The eighth alphabet:

A = ** B = *** C = ******** D = ******* E = F = *

G = *** H = ***** I = ******** J = ****** K = ****** L = M = *** N = ************ O = *********** P = ** Q = R = *** S = T = * U = V = ******* W = X = *** Y = Z = *********

What is the shift? The ninth alphabet:

A = *** B = ******* C = *********** D = E = F = *** G = ** H = ***** I = ********* J = K = L = ********** M = ******** N = ********* O = ** P = Q = R = S = *** T = U = *********** V = ** W = *** X = * Y = ********** Z = *

What is the shift? The tenth alphabet:

A = ***************** B = ******* C = *** D = E = ** F = G = ** H =

I = ******** J = K = *** L = ** M = ******* N = * O = **** P = ******* Q = **** R = S = T = ** U = *** V = ****** W = ******** X = **** Y = Z = **********

What is the shift? The eleventh alphabet:

A = *** B = * C = ** D = E = ** F = * G = ****** H = * I = J = * K = *************** L = **** M = * N = ********** O = ****** P = Q = R = ** S = **

T = ****** U = ************ V = W = X = ** Y = ******* Z = ****************

What is the shift? The twelfth alphabet:

A = B = ****** C = **** D = *** E = F = ************** G = **** H = I = ********* J = ******** K = L = M = **** N = ** O = ******* P = **** Q = ** R = S = ***** T = ********* U = ********* V = **** W = * X = *** Y = * Z = *

What is the shift? The thirteenth alphabet:

A = B = * C = * D = E = ********* F = * G = * H = *** I = ************ J = *** K = **

L = ****** M = ***** N = O = P = ******** Q = ** R = *** S = ******** T = *** U = V = ****** W = ******* X = *************** Y = **** Z =

What is the shift? The fourteenth alphabet:

A = ******* B = **** C = *********** D = ******* E = * F = G = * H = * I = * J = ***** K = * L = *** M = *** N = ***************** O = **** P = ** Q = ******** R = **** S = T = * U = *** V = *** W = ***** X = **** Y = **** Z =

What is the shift? The fifteenth alphabet:

A = ****** B = **** C = ** D = E = F = * G = H = ***** I = ** J = *** K = ***** L = ************** M = * N = ** O = ***** P = ********** Q = * R = S = ***** T = * U = ***** V = ******* W = ***** X = Y = ********** Z = ******

What is the shift?

The key for the first 15 letters of each message was: OQPMV SVKUI GBEJH.

The key string can only be used once! If it is reused for subsequent messages, there is the possibility of .

Appendix 5

VENONA

Although the fact was known only to a few, a small group of codebreakers had in fact been working on Russian code problems during [World War II]. In 1943, American intelligence began to worry about a possible alliance between Nazi Germany and Russia as part of a comprehensive peace deal. Such a merger would have been a nightmare for the Allies. As a result, a few Army cryptanalysts were pulled away from work on German systems and assigned to a highly secret new unit with the goal of attempting to solve the enormously complex Soviet codes and ciphers.

Since 1939, thousands of encrypted Soviet messages, sent between Moscow and Washington had been acquired from Western Union and other commercial telegraph companies. A major break occurred when it was discovered that identical code groups turned up in seven pairs of messages. To find even a single pair was a billion-to-one shot. Army codebreakers had discovered a "bust," an error or anomaly that opens a crack into the cipher system. Such a bust might be caused, for example by a malfunction in a random-number generator. This bust, however, was caused by the Soviets reusing pages from one-time pads – the violation of a cardinal cryptographic rule. One-time pads had become two-time pads. Cecil Phillips, a former senior NSA official, played a key role in the early Soviet-watching program. "For a few months in early 1942," he said, "a time of great strain on the Soviet regime, the KGB's cryptographic center in the Soviet Union for some unknown reason printed duplicate copies of the 'key' on more than 35,000 pages … . Thus, two sets of the ostensibly unique one-time pad page sets were manufactured."

The decision by the Soviet codemakers to duplicate the pages was likely the result of a sudden shortage of one-time pads, a result of Hitler's invasion of Russia in June 1941. To quickly fill the enormous demand for the pads, Russian cryptographers likely chose the easiest course: carbon paper. Suddenly production was doubled while, it was reasoned, security was diminished only slightly.

Phillips estimated that between 1942 and 1948, when the last one-time pad was used, more than 1.5 million messages were transmitted to Soviet trade and diplomatic posts around the world. Of those, American codebreakers obtained about a million, 30,000 of which had been enciphered with the duplicate pages. But despite the bust, days and weeks of frustrating work were required to squeeze out a clear-text message from a cipher text. Even then, usually the most they would have was a long, out-of-date message concerning such things as shipping schedules of the Soviet Purchasing Commission.

For more than thirty years the codebreakers worked on those messages. By the time the file drawer was closed for the last time, in 1980, they had managed to read portions of more than 2,900 Soviet diplomatic telegrams sent between 1940 and 1948. Codenamed Venona, the program was one of the most successful in NSA's history. It played a major role in breaking up key Soviet espionage networks in the United States during the postwar period, including networks aimed at the secrets of the atomic bomb.

Bamford, James, The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization, Penguin Books, 1983 (< Houghton Mifflin Company, 1982).

[From NSA's Introductory History of VENONA and Guide to the Translations] These messages disclose some of the clandestine activities of Julius and Ethel Rosenberg, Harry Gold, Klaus Fuchs, David and Ruth Greenglass, and others such as the spy known by the covername MLAD or the equally important, but still unidentified, PERS. The role played by the person covernamed VEKSEL remains uncertain but troubling. A number of other covernames of persons associated with atomic bomb espionage remain unidentified to this day.

Appendix 6

Baudot Addition Table

(There are some errors in the table.)