Appendix: Axiomatic Information Theory

The logic of secrecy was the mirror-image of the logic of information Colin Burke 1994 Perfect security was promised at all times by the inventors of cryptosystems, particularly of crypto machines (Bazeries: je suis ind´echiffrable). In 1945, Claude E. Shannon (1916 – 2001) gave in the framework of his information theory a clean definition of what could be meant by perfect security. We show in the following that it is possible to introduce the cryptologically relevant part of information theory axiomatically. Shannon was in contact with cryptanalysis, since he worked 1936 – 1938 in the team of Vannevar Bush, who developed the COMPARATOR for determi- nation of character coincidences. His studies in the Bell Laboratories, going back to the year 1940, led to a confidential report (A Mathematical Theory of Cryptography) dated Sept. 1, 1945, containing apart from the definition of Shannon entropy (Sect. 16.5) the basic relations to be discussed in this ap- pendix. The report was published four years later: Communication Theory of Secrecy Systems, Bell System Technical Journal 28, 656-715 (1949). A.1 Axioms of an Axiomatic Information Theory It is expedient to begin with events, i.e., sets X , Y, Z of ‘elementary events’, and with the uncertainty1 (Shannon: ‘equivocation’) on events—the uncer- tainties expressed by non-negative real numbers. More precisely, HY (X ) denotes the uncertainty on X , provided Y is known. H(X )=H∅(X ) denotes the uncertainty on X , provided nothing is known. A.1.1 Intuitively patent axioms for the real-valued binary set function H: (0) 0 ≤ HY (X ) (“Uncertainty is nonnegative.”) For 0 = HY (X )wesay“Y uniquely determines X .” (1) HY∪Z(X ) ≤ HZ (X ) (“Uncertainty decreases, if more is known.”) For HY∪Z(X )=HZ (X )wesay“Y says nothing about X .” The critical axiom on additivity is (2) HZ (X∪Y)=HY∪Z(X )+HZ (Y). This says that uncertainty can be built up additively over events. Since in particular H(X∪Y)=H(X )+H(Y), H is called an ‘entropy’ in analogy to the additive entropy of thermodynamical systems.

1 The term ‘uncertainty’ was used as early as 1938 by Solomon Kullback. 488 Appendix: Axiomatic Information Theory

The classical stochastic model for this axiomatic information theory is based on pX (a)=Pr[X = a], the probability that the random variable X assumes the value a , and defines (Nyquist, 1944) H∅({X})=− pX (s) · ld pX (s) s p s > : X( ) 0 H∅({X}∪{Y })=− pX,Y (s, t) · ld pX,Y (s, t)

s,t : pX,Y (s,t) >0 H{Y }({X})=− pX,Y (s, t) · ld pX|Y (s, t)

s,t: pX|Y (s/t) >0

where pX,Y (a, b)=def Pr[(X = a) ∧ (Y = b)] and pX|Y (a/b) obeys Bayes’ rule for conditional probabilities:

pX,Y (s, t)=pY (t) · pX|Y (s, t) ,thus

−ld pX,Y (s, t)=−ld pY (t) − ld pX|Y (s, t) . A.1.2 From the axioms (0), (1), and (2), all the other properties usually derived for the classical model can be obtained. For Y = ∅, (2) yields

(2a) HZ (∅) = 0 (“There is no uncertainty on the empty event set”) (1) and (2) imply

(3a) HZ (X∪Y) ≤ HZ (X )+HZ (Y) (“Uncertainty is subadditive”) (0) and (2) imply

(3b) HZ (Y) ≤ HZ (X∪Y) (“Uncertainty increases with larger event set”) From (2) and the commutativity of . ∪ . follows

(4) HZ (X ) − HY∪Z(X )=HZ (Y) − HX∪Z(Y) (4) suggests the following definition: The mutual information of X and Y under knowledge of Z is defined as

IZ (X , Y)=def HZ (X ) − HY∪Z(X ) . Thus, the mutual information IZ (X , Y) is a symmetric (and because of (1) nonnegative) function of the events X and Y. From (2),

IZ (X , Y)=HZ (X )+HZ (Y) − HZ (X∪Y) . Because of (4), “Y says nothing about X ” and “X says nothing about Y” are equivalent and are expressed by IZ (X , Y) = 0 . Another way of saying this is that under knowledge of Z , the events X and Y are mutually independent. In the classical stochastic model, this situation is given if and only if X, Y are independent random variables: pX,Y (s, t)=pX (s)·Y (t) .

IZ (X , Y) = 0 is equivalent with the additivity of H under knowledge of Z :

(5) IZ (X , Y) = 0 if and only if HZ (X )+HZ (Y)=HZ (X∪Y) . A.2 Axiomatic Information Theory of Cryptosystems 489

A.2 Axiomatic Information Theory of Cryptosystems For a cryptosystem X , events in the sense of abstract information theory are sets of finite texts over Zm as an alphabet. Let P be a plaintext(-event), C a cryptotext(-event), K a keytext(-event).2 The uncertainties H(K),HC (K),HP (K),H(C),HP (C),HK (C),H(P ),HK (P ),HC (P ) are now called equivocations. A.2.1 First of all, from (1) one obtains

H(K) ≥ HP (K) ,H(C) ≥ HP (C), H(C) ≥ HK (C) ,H(P ) ≥ HK (P ), H(P ) ≥ HC (P ) ,H(K) ≥ HC (K).

A.2.1.1 If X is functional, then C is uniquely determined by P and K , thus

(CRYPT) HP,K(C) = 0 , i.e., IK (P, C)=HK (C) ,IP (K, C)=HP (C) (“plaintext and keytext together allow no uncertainty on the cryptotext.”) A.2.1.2 If X is injective, then P is uniquely determined by C and K ,thus

(DECRYPT) HC,K (P ) = 0 , i.e., IC (K, P)=HC (P ) ,IK (C, P)=HK (P ) (“cryptotext and keytext together allow no uncertainty on the plaintext.”) A.2.1.3 If X is Shannon, then K is uniquely determined by C and P ,thus

(SHANN) HC,P (K) = 0 , i.e., IP (C, K)=HP (K) ,IC (P, K)=HC (K) (“cryptotext and plaintext together allow no uncertainty on the keytext.”)

A.2.2 From (4) follows immediately

HK (C)+HK,C (P )=HK (P ) ,HP (C)+HP,C(K)=HP (K), HC (P )+HC,P (K)=HC (K) ,HK (P )+HK,P (C)=HK (C), HP (K)+HP,K(C)=HP (C) ,HC (K)+HC,K (P )=HC (P ). With (1) this gives Theorem 1:

(CRYPT) implies HK (C) ≤ HK (P ) ,HP (C) ≤ HP (K), (DECRYPT) implies HC (P ) ≤ HC (K) ,HK (P ) ≤ HK (C), (SHANN) implies HP (K) ≤ HP (C) ,HC (K) ≤ HC (P ).

A.2.3 In a cryptosystem, X is normally injective, i.e., (DECRYPT) holds. In Figure 188, the resulting numerical relations are shown graphically. In the

2 Following a widespread notational misusage, in the sequel we replace {X} by X and {X}∪{Y } by X, Y ; we also omit ∅ as subscript. 490 Appendix: Axiomatic Information Theory

H(K) H(C) ≥≤

HP (K) HP (C) ∨ ∨ H(P ) ≤≥ ≥≤ HC (K) HC (P ) HK (P ) HK (C)

Fig. 188. Numerical equivocation relations for injective cryptosystems classical professional cryposystems, there are usually no homophones and the Shannon condition (2.6.4) holds. Monoalphabetic simple substitution and transposition are trivial, and VIGENERE,` BEAUFORT, and in particular VERNAM are serious examples of such classical cryptosystems. The conjunction of any two of the three conditions (CRYPT), (DECRYPT), (SHANN) has far-reaching consequences in view of the antisymmetry of the numerical relations: Theorem 2: (CRYPT) ∧ (DECRYPT) implies HK (C)=HK (P ) (“Uncertainty on the cryptotext under knowledge of the keytext equals uncertainty on the plaintext under knowledge of the keytext,”)

(DECRYPT) ∧ (SHANN) implies HC (P )=HC (K) (“Uncertainty on the plaintext under knowledge of the cryptotext equals uncertainty on the keytext under knowledge of the cryptotext,”) (CRYPT) ∧ (SHANN) implies HP (K)=HP (C). (“Uncertainty on the keytext under knowledge of the plaintext equals uncertainty on the cryptotext under knowledge of the plaintext.”) In Figure 189, the resulting numerical relations for classical cryptosystems with (CRYPT), (DECRYPT), and (SHANN) are shown graphically.

H(K) H(C) ≥≤

HP (K) === HP (C) ∨ ∨ H(P ) ≤≥

HC (K) === HC (P ) HK (P ) === HK (C)

Fig. 189. Numerical equivocation relations for classical cryptosystems A.3 Perfect and Independent Key Cryptosystems 491

A.3 Perfect and Independent Key Cryptosystems A.3.1 A cryptosystem is called a perfect cryptosystem, if plaintext and cryptotext are mutually independent: I(P, C)=0.

This is equivalent to H(P )=HC (P ) and to H(C)=HP (C) (“Without knowing the keytext: knowledge of the cryptotext does not change the uncertainty on the plaintext, and knowledge of the plaintext does not change the uncertainty on the cryptotext”) and is, according to (5) , equivalent to H(P, C)=H(P )+H(C). A.3.2 A cryptosystem is called an independent key cryptosystem, if plain- text and keytext are mutually independent: I(P, K)=0.

This is equivalent to H(P )=HK (P ) and to H(K)=HP (K) (“Without knowing the cryptotext: knowledge of the keytext does not change the uncertainty on the plaintext, and knowledge of the plaintext does not change the uncertainty on the keytext”) and, according to (5) , is equivalent to H(K, P)=H(K)+H(P ).

H(K) H(C) ≥≤

≤≥ HP (K) === HP (C) (independent key) (perfect) ∨ ∨ H(P ) (perfect) ≥≤≥≤(independent key)

HC (K) === HC (P ) HK (P ) === HK (C)

Fig. 190. Numerical equivocation relations for classical cryptosystems, with additional properties perfect and/or independent key

A.3.3 Shannon also proved a pessimistic inequality. Theorem 3K : In a perfect classical cryptosystem (Fig. 190), H(P ) ≤ H(K) and H(C) ≤ H(K) .

Proof: H(P ) ≤ HC (P )(perfect) HC (P ) ≤ HC (K) (DECRYPT), Theorem 1 HC (K) ≤ H(K) (1) . Analogously with (CRYPT) for H(C). Thus, in a perfect classical cryptosystem, the uncertainty about the key is not smaller than the uncertainty about the plaintext, and not smaller than the uncertainty about the cryptotext. 492 Appendix: Axiomatic Information Theory

From (SHANN) ∧ (DECRYPT) with Theorem 1 we find HC (P )=HC (K); after adding H(C) on both sides, according to (2) we get H(P, C)=H(K, C). In a perfect cryptosystem, H(P, C)=H(P )+H(C). Further, according to (2), H(K, C)=H(K)+HK (C) . Thus

HK (C)=H(P ) − (H(K) − H(C)) = H(C) − (H(K) − H(P )) . In Figure 191, this result is displayed graphically.

H(K) ≥ ∨ HP (K) === HP (C) ======H(C)

HC (K) === HC (P ) === H(P ) ∨ ≥

HK (P ) === HK (C)

Fig. 191. Numerical equivocation relations for perfect classical cryptosystems

A.3.4 By a cyclic shift of K, C, P: Theorem 3C : In a classical cryptosystem with independent key, H(K) ≤ H(C) and H(P ) ≤ H(C) as well as

HC (P )=H(K) − (H(C) − H(P )) = H(P ) − (H(C) − H(K)) .

A.4 Shannon’s Main Theorem A.4.1 For a classical cryptosystem which is both perfect and independent key, Theorems 3K and 3C imply immediately that H(K)=H(C). A.4.2 A cryptosystem with coinciding H(K) and H(C) shall be called a cryptosystem of Vernam type. Examples are given by encryptions with VIGENERE,` BEAUFORT, and particularly VERNAM encryption steps, but also by linear polygraphic block encryptions. In the stochastic model this condition is particularly fulfilled, if both C and K are texts of k characters with maximal H(K) and maximal H(C) : H(K)=H(C)=k · ld N . Main Theorem (Claude E. Shannon 1949): In a classical cryptosystem, any two of the three properties perfect , independent key , of Vernam type imply the third one. The proof is obvious from Figure 190. A.5 Unicity Distance 493

A.4.3 A sufficient condition for a classical cryptosystem to be perfect is that it is independent key and of Vernam type; these conditions can be guaranteed from outside. Then H(P ) ≤ H(C)=H(K). In the stochastic model, perfect security requires with H(P ) ≤ H(K) that the key possesses at least as many characters as the plaintext, which means that every description of the key is at least as long as the key itself (Chaitin’s requirement, Sect. 8.8.4). Thus, perfect security requires safe distribution of an independent key which provides for every plaintext character a key character—an extreme require- ment, which frequently cannot be fulfilled in practice. Non-perfect practical security is guaranteed only by the time required for breaking the encryption. A.4.4 Shannon discussed a further property of a cryptosystem. We call a cryptosystem ideal (Shannon: strongly ideal), if cryptotext and keytext are mutually independent: I(K, C)=0.

This is equivalent to H(K)=HC (K) and to H(C)=HK (C). According to Shannon, ideal cryptosystems have practical disadvantages: for a perfect cryptosystem, H(K)=H(P ) must hold. Perfect ideal cryptosys- tems are necessarily adapted to the plaintext language, which usually is a natural language. In this case, rather complicated encryption algorithms are necessary. Also, transmission errors inevitably cause an avalanche effect. In fact, we have here a practically unattainable ideal.

A.5 Unicity Distance

The condition HC (P ) > 0 expresses that for known cryptotext there remains some uncertainty on the plaintext. For a classical cryptosystem with in- dependent key (not necessarily perfect) this means, by Theorem 3C ,

H(K) >H(C) − H(P ) . We now use the stochastic model, with plaintext words V ∗ and cryptotext words W ∗ over a character set V = W of N characters. We restrict our attention to words of length k . Following Hellman (1975), we assume that NP and NC are numbers such that among the N k words of length k the number of meaningful, i.e., possibly k occurring, ones is just (NP ) and the number of occurring cryptotexts is k just (NC ) . Then NP ≤ N and NC ≤ N . If all these texts occur with equal probability, then in the stochastic model

H(P )=k · ld NP ,H(C)=k · ld NC . Furthermore, we assume that Z is the cardinality of the class of methods, i.e., the number of key words. Assume that all these key words occur with equal probability. Then 494 Appendix: Axiomatic Information Theory

H(K)=ldZ.

The inequality above, meaning the existence of an uncertainty, turns into

ld Z>k· (ld NC − ld NP ) or, provided ld NC > ld NP , 1 k

If NC is maximal, NC = N , i.e., if all possible cryptotexts occur with equal probability, and if NP ld NP is certainly fulfilled, and the unicity distance is 1 U = · ld Z ; ld N − ld NP it is determined solely by the Shannon entropy ld NP of the plaintext words. This depends in turn on the cryptanalytic procedure. If the analysis is limited (1) to single-letter frequencies, then the Shannon entropy ld NP is to be consid- ered, the values of which are not very different in English, French, or German, (1) and amount in the Meyer-Matyas count to ld NP ≈ 4.17 [bit], where N =26 (2) and ld N =ld26≈ 4.70 [bit]. Furthermore, with ld NP ≈ 3.5 [bit] for bi- (3) gram frequencies and ld NP ≈ 3.2 [bit] for trigram frequencies, we find ≈ 1 (1) U 0.53 ld Z for decryption with single-letter frequencies, ≈ 1 (2) U 1.2 ld Z for decryption with bigram frequencies, ≈ 1 (3) U 1.5 ld Z for decryption with trigram frequencies. For plaintext words, the average length is about 4.5 and the corresponding (w) Shannon entropy about ld NP ≈ 2.6 [bit], thus ≈ 1 (w) U 2.1 ld Z for decryption with word frequencies. The Shannon entropy of the English language under consideration of all, even grammatical and semantic, side conditions is considerably smaller; a value of (∗) about ld NP ≈ 1.2 [bit] seems about right. This gives the unicity distance ∗ ≈ 1 ( ) U 3.5 ld Z for decryption in freestyle, which is also given in Sect. 12.6 . For simple (monographic) substitution with Z = 26 ! , we have ld Z =88.38 (Sect. 12.1.1.1); this leads to the values 167, 74, 59, 42, and 25 for the unicity distance, which are confirmed by practical experience. The situation is rather similar for the German, French, Italian, Russian, and related Indo- European languages. A.7 Impossibility of Complete Disorder 495

A.6 Code Compression

Although Shannon was led to his information theory by his occupation with cryptological questions during the Second World War, information theory, in the form relevant and interesting for communication engineering, has no secrecy aspects. Its practical importance lies more in showing how to increase the transmission rate3 by suitable coding, up to a limit which corresponds to a message without any redundancy—say a message P of k characters with the maximal uncertainty H(P )=k · ld N . The cryptological results above apply immediately to communication chan- nels. Theoretically, a transmission requiring ld 26 = 4.70 [bit/char] can be compressed by coding to one requiring only about 1.2 [bit/char]. A good ap- proximation of this rate needs tremendous circuitry. The simplest case of a Huffman coding works on single characters only and reduces the transmission rate only to about 4.17 [bit/char], while Huffman coding for bigrams and tri- grams, which needs a larger memory, does not bring a dramatic reduction. In future, however, economic and practical redundancy elimination by Huffman coding for tetragrams should be within reach using special chips. The situation is different for the transmission of pictures. The compression obtainable by relatively simple methods is remarkable and finds increasingly practical use. For these applications, the truism of post-Shannon cryptology, that code compression of the plaintext is a useful step in improving the practical security of a cryptosystem, is particularly appropriate.

A.7 Impossibility of Complete Disorder

When in the 1920s the use of independent (“individual”) keys was recom- mended, their fabrication did not seem to be a problem. That an individual key should be a random sequence of key characters was intuitively clear. Af- ter the work of Shannon and particularly of Chaitin in 1974, all attempts to produce a random sequence algorithmically had to be dropped. If keys were to be generated by algorithms, genuine random keytexts were not attainable. Thus, some order had to remain—the question was which one. Consequently, ‘pseudorandom sequences’ with a long period were increas- ingly suspected of having hidden regularities that would help cryptanalysis, although concrete examples are so far lacking in the open literature. The pro- fessionals responsible for the security of their own systems were faced with more and more headaches, while aspiring codebreakers could always hold out the hope of unexpected solutions. Strangely, at about this time a similar development took place in mathe- matics. In 1973, H. Burkill and L. Mirsky wrote:

3 −1 Note the Sampling Theorem: A message being limited to frequencies up to f0 [sec ] can be represented by sampling it every 1 [sec] (Whittaker, 1915; Shannon, 1940). 2f0 496 Appendix: Axiomatic Information Theory

”There are numerous theorems in mathematics which assert, crudely speaking, that every system of a certain class possesses a large sub- system with a higher degree of organization than the original system.” We give a number of examples: (1) Every graph of n nodes contains either a large subgraph of k nodes which is connected, or a large subgraph of k nodes which is unconnected. (k is the Ramsey number, e.g., k = 6 for n = 102, F. P. Ramsey 1930) (2) Every bounded infinite sequence of complex numbers contains a conver- gent infinite subsequence. (K. Weierstrass 1865) (3) If the natural numbers are partitioned into two classes, at least one of these classes contains an arithmetic series of arbitrarily large length. (Issai Schur about 1925, B. L. van der Waerden 1927) (4) Every partial order of n2 + 1 elements contains either a chain of length n + 1 or a set of n + 1 incomparable elements. (R. P. Dilworth 1950) (5) Every sequence of n2 + 1 natural numbers contains either a monotoni- cally increasing or a monotonically decreasing subsequence of length n +1. (P. Erd˝os, G. Szekeres 1950) Between these and some other examples there seemed to be no connection, before Paul Erd˝os, in 1950 (‘Complete chaos is impossible’), tried a synopsis and found a general theorem which gave many single results by specializa- tion. Under the name Ramsey Theory (F. P. Ramsey, 1903–1030), this has led since 1970 to many subtle mathematical works on disorderly systems with orderly subsystems; for example, in 1975 ‘on sets of integers containing no k in arithmetic progression’ by E. Szemer´edi. The fundamental impossibility of complete disorder should be interpreted as a warning to cryptologists, to be careful with the use of machine-produced keys—at the moment only a theoretical danger, but nevertheless a serious one. Marian Rejewski, Polish hero of decryption, expressed the warning in 1978 in the following form: “Whenever there is arbitrariness, there is also a certain regularity.” Bibliography

Good introductions to classical cryptology for amateurs: Gaines, Helen Fouch´e, Cryptanalysis. Dover, New York 1956 (new ed.) Smith, Laurence Dwight, Cryptography. Dover, New York 1955 (new ed.) Millikin, Donald D., Elementary Cryptography and Cryptanalysis. New York 1943 (3rd ed.) An introduction which also appeals to mathematically oriented readers: Sinkov, Abraham, Elementary Cryptanalysis. Mathematical Association of America, Washington 1968 This book, written by a professional cryptologist, certainly does not reproduce the full knowledge of the author. A classic of cryptanalysis: Friedman, William Frederick, Military Cryptanalysis. Parts I, II, III, IV. Washington, 1938, 1938, 1938, 1942 (obtainable as reprint) A comprehensive historical study of cryptology according to the state of the open literature in 1967: Kahn, David, The Codebreakers. Macmillan, New York 1967 This book, written with journalistic verve by a professional historian, also gives references to special, not easily accessible historical literature, particularly before the 19th century. “Of primary importance for a knowledge of modern cryptology” (Kahn) is the article Rohrbach, Hans, Mathematische und Maschinelle Methoden beim Chiffrie- ren und Dechiffrieren. FIAT Review of German Science, 1939 – 1946: Applied Mathematics, Vol. 3 Part I pp. 233 – 257, Wiesbaden: Office of Military Government for Germany, Field Information Agencies 1948 An English translation by Bradford Hardie is in Cryptologia II, 20–37, 101–121 (1978). Historical cryptological devices and machines are investigated in: T¨urkel, Siegfried, Chiffrieren mit Ger¨aten und Maschinen. Graz 1927 Deavours, Cipher A. and Kruh, Louis, Machine Cryptography and Modern Cryptanalysis. Artech House, Dedham, MA 1985 Results of the Polish and of the British codebreakers, including early mention of the BOMBA and COLOSSUS machines, may be found in: Kozaczuk, Wladislaw, Bitwa o tajemnice (Battle about Secrets): Slu˙zby wywiadowcze Polski i Rzeszy Niemieckiej 1922–1939. Ksi¸a˙zka i Wiedza, Warsaw 1967 Bertrand, Gustave, Enigma ou la plus grande ´enigme de la guerre 1939 – 1945. Librairie Plon, Paris 1973 Winterbotham, Frederick W., The Ultra Secret. Weidenfeld and Nicolson, London 1974 498 Bibliography

Beesly, Patrick, Very Special Intelligence. Hamish Hamilton, London 1977 Lewin, Ronald, Ultra Goes to War. Hutchinson, London 1978 Johnson, Brian, The Secret War. Methuen, London 1978 Rohwer, J¨urgen; J¨ackel, Eberhard, Die Funkaufkl¨arung und ihre Rolle im Zweiten Weltkrieg. Motorbuch-Verlag, Stuttgart 1979 Randell, Brian, The COLOSSUS. In: N. Metropolis et al., A History of Computing in the Twentieth Century. Academic Press, New York 1980 Later detailed and reliable reports on the ENIGMA break: Welchman, Gordon, The Hut Six Story: Breaking the Enigma Codes. McGraw-Hill, New York 1982. Updated edition by M&M Baldwin 1997 Garli´nski, J´ozef, The Enigma War. Scribner, New York 1980 Kozaczuk, Wladyslaw, Enigma. Arms and Armour Press, London 1984 Polish original edition: W kr¸egu Enigmy, 1979 Hinsley, Francis H. et al., British Intelligence in the Second World War. Volumes I – IV, Cambridge University Press 1979 – 1988 Bloch, Gilbert, Enigma avant Ultra. ‘Texte definitive’, September 1988 An English translation by Cipher A. Deavours is in Cryptologia XI, 142–155, 227–234 (1987), XII, 178–184 (1988) Kahn, David, Seizing the Enigma. Houghton-Mifflin, Boston 1991 Hinsley, Francis H.; Stripp, Alan (eds.), Codebreakers. The Inside Story of Bletchley Park. Oxford University Press, Oxford 1993 A biography of the life and work of Alan Turing: Hodges, Andrew, Alan Turing: The Enigma. Simon & Schuster, New York 1983 First-hand information on statistical methods is found in: Kullback, Solomon, Statistical Methods in Cryptanalysis. Aegean Park Press, Laguna Hills, CA 1976 Recent reports on cryptanalytical work of the allies in WW II are: Rowlett, Frank B., The Story of Magic. Aegean Park Press, Laguna Hills, CA 1998 Budiansky, Stephen, Battle of Wits. Simon & Schuster, New York 2000 Sebag-Montefiore, Hugh, ENIGMA. The Battle for the Code. Weidenfeld and Nicolson, London 2000 Joyner, David (ed.), Coding Theory and Cryptography. From Enigma and Geheimschreiber to Quantum Theory. Springer, Berlin 2000 Erskine, Ralph; Smith, Michael (eds.), Action This Day. Bantam Press, London 2001 Beckman, Bengt, Codebreakers. American Mathematical Society 2002 Copeland, B. Jack (ed.), The Essential Turing. Oxford University Press, Oxford 2004 Bibliography 499

Copeland, B. Jack (ed.), Colossus: The First Computer. Oxford University Press, Oxford 2004 Specialist works on modern cryptology: Konheim, Alan G., Cryptography. Wiley, New York 1981 Meyer, C. H.; Matyas, St. M., Cryptography. Wiley, New York 1982 Brassard, G., Modern Cryptology. Lecture Notes in Computer Science, Vol. 325, Springer, Berlin 1988 Beker, H.; Piper, F., Cipher Systems. Northwood Books, London 1982 Salomaa, Arto, Public-Key Cryptography. Springer, Berlin 1990 The last two books also cover cryptanalysis of the Hagelin machines in some detail. Schneier, Bruce, Applied Cryptography. Wiley, New York 1993, 1995 (2nd ed.) This book contains protocols, algorithms, and source code in C. Goldreich, Oded, Modern Cryptography, Probabilistic Proofs and Pseudo- randomness. Springer, Berlin 1999 A book typical for the modern part of scientific cryptology. Questions of cryptology and civil rights are discussed in: Hoffman, Lance J. (ed.), Building in Big Brother. Springer, New York 1995 Denning, Dorothy E. R., Cryptography and Data Security. Addison-Wesley, Reading, MA 1983 More recent elementary books of general interest: Bamford, James, The Puzzle Palace. Penguin Books, New York 1983 Burke, Colin, Information and Secrecy. Scarecrow Press, Metuchen 1994 Kippenhahn, Rudolf, Verschl¨usselte Botschaften. Rowohlt, Reinbek 1997 Unpublished reports that are in archives, some due to appear in print: Turing, Alan, Treatise on the Enigma. (typescript, written late in 1941) Alexander, Hugh, Cryptographic History of Work on the German Naval Enigma. (written in about 1947) Mahon, A. P. , The History of Hut Eight. (written in June 1945) Anonymous, Decoding German Enigma Machine Messages (compiled 1944–1945 for 6812th Signal Security Detachment US Army) Newman, Max, Newman Notes (handwritten personal notes, about 1943) Small, Albert W., Special Fish Report (written in December 1944 for US Signal Corps) Good, Irving John; Michie, Donald; Timms, Geoffrey A., General Report on Tunny (Public Record Office 2000) Fried, Walter J., Report No. 43 of May 27, No. 46 of June 12, No. 68 of Ju- ly 29, No. 96 of Sept. 29, No. 101 of Oct. 14, No. 118 of Nov. 21; all: 1944, NARA RG 457 NSA Hist. Col. Box 880 No. 2612 500 Bibliography

Among the specialist journals are: Cryptologia. A Quarterly Journal Devoted to Cryptology. Editors: David Kahn, Louis Kruh, Cipher A. Deavours, Brian J. Winkel, Greg Mellen. ISSN 0161-1194. Terre Haute, Indiana Journal of Cryptology. The Journal of the International Association for Cryptologic Research. Editor-in-Chief: Ueli Maurer. ISSN 0933-2790. Springer, New York Under the heading Advances in Cryptology appear the proceedings of the annual International Cryptology Conference (CRYPTO), International Con- ference on the Theory and Application of Cryptographic Techniques (EU- ROCRYPT) and International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), sponsored by the International Association for Cryptologic Research (IACR), published in the Lecture Notes in Computer Science series, Springer, Berlin. Of interest mainly to historians are the works of Breithaupt 1737; Buck 1772; Hindenburg 1795, 1796; Andres 1799; Kl¨uber 1809; Lindenfels 1819; Vesin de Romanini 1838, 1844, 1857; Smith 1845; Chase 1859; Kasiski 1863; Myer 1866; Beaufort 1870; Køhl 1876; Fleißner von Wostrowitz 1881, 1885; Kerckhoffs 1883; Josse 1885; de Viaris 1888, 1893; Val´erio 1892; Carmona 1891, 1894; Gioppi di T¨urkheim 1897; Collon 1900; Bazeries 1901; Myszkowski 1902; Delastelle 1902; Meister 1902, 1906; Schnei- ckert 1900, 1905; Mauborgne 1914, 1917; Hitt 1916; Langie 1918; Friedman 1917, 1918, 1922, 1924, 1925; Givierge 1925; Lange-Soudart 1925, 1935; Sacco 1925, 1936, 1947; Figl 1926; T¨urkel 1927; Gyld´en 1931; Yardley 1931; Oha- ver 1933; Baudouin 1939; d’Agapayeff 1939; Pratt 1939; Eyraud 1953; Weiss 1956; Callimahos 1962; Muller 1971; Konheim 1981; Meyer-Matyas 1982. A rather complete bibliography may be found in: Shulman, David, An Annotated Bibliography of Cryptography. Garland, New York 1976 The works of Hitt, Langie, Friedman, Givierge, Lange-Soudart, Sacco, Gyl- d´en, Ohaver, Callimahos, and Kullback, are obtainable as reprints from: Aegean Park Press, P.O. Box 2837, Laguna Hills, CA 92654-0837, USA. The unpublished manuscripts of Eberhard Voigt, Handschl¨usselverfahren (≈ 1955), [Cgm 9301]; Herbert W¨usteney, Die deutschen Schl¨usselfernschreib- maschinen (1945), [Cgm 9302]; Willi Jensen, Hilfsger¨ate der Kryptographie (1953), [Cgm 9303]; Andreas Figl, Systeme des Dechiffrierens, 3 Vols.(≈ 1930), [Cgm 9304]: Erich H¨uttenhain, Einzeldarstellungen aus dem Gebiet der Kryptologie (1970), [Cgm 9304a] are in the Bayerische Staatsbibliothek M¨unchen, Handschriftenabteilung. Index

Slanted page numbers indicate photographs.

A-1 (code), 77 Airenti (code), 75 A-21, 132, 133 Aktiebolaget Cryptograph, 146, AA/Pers Z , 154, 415, 464, 467, 470, 483 Aktiebolaget Ingenj¨orsfirman ABC (key), 27, 140, 469 Cryptoteknik, 114 ABC Code, 75, 76 alarm, 17, 18, 209 Abel, Rudolf, 10, 57 Albam,47 ABNER, 457 Albert, A. Adrian, 3, 86, 457 Abwehr (OKW), 17, 263, 464, 483 Alberti, Leone Battista, XIV, XIV,36, 39- Abwehr ENIGMA, 123-126, 148-149, 373 40, 44, 56, 64, 71, 72, 139-142, 216, 290 acknowledgment, 17 Alberti disk, 39, 41, 52, 109, 139-140, 244, Acme (code), 76 340 acrophony, 69 ALBERTI encryption step, 109, 130, 141, acrostics, 19, 20, 257 154, 169, 242, 244, 280, 350, 355, 359, Adair, Gilbert, 257 362, 369, 370, 374, 377, 379, 381 ADAM and EVE, 456 alemania,15 addition, 49, 80, 81, 87, 128, 180, 239-240 Alesund˚ pinch, 444-445 –, false, symbolic, 171, 180 Alexander, Conel Hugh O’Donel, VII, 92, – mod 2, 142-143, 184, 229, 338, 382-402 156, 284, 287, 332, 416, 418, 478, 479, 499 – mod 2n, 142-143 algebraic alphabet, 80, 86 – mod 10n, 171-172 algorithmic definition, 36, 164 – mod N, mod N n, 128, 341, 365, 379 alignment (of shifted alphabets), 350-362, –, polygraphic, 142, 172, 240 371, 372 –, “wrong”, non-carrying, 143, 371 al-Ki.nd¯ı, Jaakub Ibn Ishak, 290 additive (adj), 75, 81, 172, 389, 400 allegorical code, 16 additive (n), 128, 162, 164, 172, 370-373, alphabet, 35, 39 413, 415, 421, 423, 467 –, accompanying, 50-52, 106, 109, 128, 350 ADFGVX system, 40, 53, 173 –, complementary, 47, 90 adjustment (of cryptotexts), 375, 412– –, decimated, 90, 91, 128, 238 419, 423, 478 –, inverse, 47 Adleman, Leonard M., 203-204 –, involutory see self-reciprocal Adstock, 454 –, mixed, 46, 49, 50, 52, 64, 107, 127, 130 AEF see American Expeditionary Force –, non-involutory, 149, 482 AES (Advanced Encryption Standard), –, powers of a mixed, 50, 52, 106, 127 190 –, reversed, 47, 90, 129, 173, 252 ‘Aegir’, FOREIGN (key net), 483 –, rotated, 107-111, 126, 137, 281-282 Æneas, 12 –, shifted, 47, 50-52, 107-111, 127-128 AFA¨ (call sign), 438 –, self-reciprocal, 43, 47, 59, 61, 67, 82, 90, affine, 80, 175, 176 115, 118, 123, 129-130, 132, 143, 144, 159, Afrika-Korps, German, 214, 317, 448 171-172, 193, 224, 269, 282, 340, 379, 383, agate (agat), 163 392, 433, 437, 445, 451, 482 ‘Agnes’, ‘Agnus Dei’, 447, 454 –, vertically continued, 107-108 agony column, 27, 340 Alpha-AXP (211 64), 192 502 Index alphabet ring, 121, 124, 125, 148-149 Augustus, Roman emperor, 49 alphabets, unrelated, 131-136, 222, 241, Auriol, L. J. d’, 86 358, 376 Ausw¨artiges Amt, 32, 61, 69, 87, 112, 154, al-Qalqashandi, 45 162-165, 278, 415, 421, 464, 470 amalgamation, 173, 175, 178-180, 184, authentication, 26, 30, 188, 191, 194-196, 189, 226 201, 209, 218, 228, 485 Am`e, Cesare, 475 autokey, 159-160, 188, 204, 229, 391, 399 American Expeditionary Force AUTOSCRITCHER, 286-287, 457 (AEF), 31, 68, 77, 214 autostereogram, 12-13 Amt VI of the R.S.H.A., 60-61, 470 AVA factory (Wyt´ornia Radiotechniza), ‘Am t fur ¨ Milit¨arkunde’, 32 437, 439 anagram, 93, 102-104, 257, 466 avalanche effect, 179, 185, 188 anagramming, 464-469 Ave Maria code, 15, 17 –, multiple, 97, 100, 467-469 Axiomatic Information Theory, 247, 486, ananym, 93 487-496 anarchists, 11, 53, 70, 291 AZ (code), 76 Anderson, Ralph V., 477 Andree, Richard V., 264, 266, 267 B talk, 21 Andres, Johann Baptist, 131, 136, 500 B-1 (code), 77 Andrew, Christopher, 3, 92 B-21, B-211, 179 Andreyev, Andrei Nicolayevich, 476 Babbage, Charles, 5, 6, 27, 37, 128-129, 160, Angoo Kenky¯u Han, 32, 475 161, 170, 233, 233, 278, 280, 317, 330, 340, Angooki Taipu, 145, 153, 154 341, 477, 486 ‘ANNA’, 411 Babbage, Dennis William, 92, 286, 448, 457 Antriebsr¨ader, 117 BACH, 61, 219 /anx/, 437 Bach, Johann Sebastian, 20 aperiodic, 36 back slang, 22, 93 ‘app’, 400 backwards VIGENERE,` 129 Archer, Philip E., 219 Bacon, Sir Francis, 9, 10, 30, 40, 55, 385 Argenti, Giovanni Batista, 36, 47, 50, 54, Baker, Stewart A., 222 56, 70, 130, 144, 160, 211, 217, 254, 339 Balzac, Honor´e de, 30 –, Matteo, 36, 47, 55, 56, 130, 144, 160, Bammel, S. E., 137 217, 254 Bamford, James E., 499 argot, 15, 21 BAMS (code), 62, 76, 476 aristocrats, 256-257, 268, 310 [ban], 237, 401, 416 arithmetic modulo 2, 86, 143, 157, 184, Banburismus, VII, 401, 415-419, 445-448 229, 382, 383, 384, 389, 392, 393, 402, Banbury sheets, 335, 416 404, 409 bar code, 76 arithmetical operations, 180, 183 bar drum, 146 Arlington Hall, 30, 334, 471 Baravelli (code), 75, 213 Armed Forces Security Agency, 31 barrier, 178-179, 188-189, 198, 387 Army Security Agency (ASA), 31 ‘Barsac’ [Gustave Bertrand], 447 Arnold, Benedict, 171 basic wheel setting, 61, 117, 122, 168, 432- ars occulte scribendi,9 433, 437-439, 441-442, 443-444, 448 Arthold, J., 296 basis analysis, linear, 157, 459-461 Asch´e, ASCHE, 432, 437 Batey, Mavis n´ee Lever, 284, 479 ASCII (code), 55, 310 bˆatons,52 astragal, 12 bˆatons, m´ethode de, 281-286 asymmetric methods, 6, 167, 194-199, Baudot, Jean Maurice Emile,´ 40, 382, 385 203, 209, 236, 480, 485 Baudouin, Roger, 500 Athbash,47 Bauer, Bernhard, 13 ‘Atlanta’, 454, 455 Bauer, Friedrich Ludwig, 174, 176, 296, Atlantis (ship), 63, 476 307 ATLAS I, ATLAS II, 339, 458 Bayes’ rule (Thomas Bayes), 488 Index 503

´ Ÿ Bazeries, Etienne, 5, 9, 29-30, 37-38, 39, – digits (Z2 , 2 ), 24, 40, 91, 142-143 49, 51, 70, 75, 93, 128, 133-137, 134, 169, – linear substitution, 86, 91 179, 222, 224, 233, 234, 244, 251, 256, – numbers, 23, 91, 142-143, 181 272-273, 275, 277, 291, 296, 317, 344, bipartite, 35, 53-55, 59-63, 64, 66, 67, 86 464, 477, 487, 500 Bischoff, Bernhard, 105 Bazeries (code), 75 Bismarck (ship), 216 Ÿ Bazeries’ cylinder, 29, 37, 38, 49, 51, 133, bit, binary digit (Z2 , 2 ), 40, 142-143 134, 224, 251, 275, 277 [bit], 237, 416 BC-543, 146-147 bitwise binary encryption, 142-143, 383 B-Dienst, 63, 220-221, 415, 470, 472-474 Biuro Szyfr´ow, 117, 269, 431, 437 Beaufort, Sir Francis, 6, 129 blackout, 419 BEAUFORT encryption step, 129-130, Black Chamber, 71, 73, 151-153, 227, 230 143, 146,156-157, 161, 173, 179, 242, BLACK (code), 41, 77, 475 243, 268, 280, 322, 324, 328, 344, 379, Blair, William, 144 381, 475, 490, 492, 500 Blakely, Bob and G. R., 183 Befehlstafel,78 Bleak (link), 411 Beckman, Bengt, 132 Bletchley Park, 3, 31, 66, 92, 114, 148, 155, Beesly, Patrick, 235, 254, 473, 497 162, 165, 172, 173, 214, 216, 219, 226, 254, Behnke, Heinrich, 470 269, 286, 322, 335, 338, 372, 373, 382, 384, Beiler, Albert H., 200 387, 401, 411-412, 415–416, 418, 420-421, Beker, H., 499 432, 434, 442-443, 446-447, 453, 454, 456- Bell numbers, 254 457, 473, 475, 479-480, 482 Bel[l]aso, Giovan Batista, 50, 54, 130, 140, Bloch, Gilbert, 498 141, 142, 145, 159 block encryption, 35-36, 42, 80, 106, 157, Bennet, Ralph, 481 180, 184, 188, 192, 194, 203 Bentley’s (code), 76 block transposition, 98-100, 170, 173, 240, Bernstein, David S., 228-229 467 Bernstein, Paul, 121, 146 blockdiagonal, 87 Berry, Duchesse de, 37 Blockverfahren (one-time-pad system), Berthold, Hugo A., 214, 216 165 ‘Bertok’ (Berlin-Tokyo traffic), 482 BLUE (code), 77, 214 Bertrand, Gustave, 431, 433, 442, 447, 497 Blum, Manuel, 168 Beth, Thomas, 230, 463 B¨oll, Heinrich, 245, 293, 297, 301, 304, 466 Beurling, Arne, 2, 2, 399, 399, 400, 483 Boetzel, A., 11, 179 Beutelspacher, Albrecht, 296 ‘boldest’ line, 356-357 Bevan, John Henry, 31 ‘Bolek’ [Gustave Bertrand], 433 Bi language, 21 Bolton (code), 75 Bibo, Major, 61 bomba, 417, 440-448, 456 bifide,35 BOMBE, 445-457, 476, 497 bigram, 35 Bonatz, Heinz, 4, 220, 473 – coincidences, 335, 416 book cipher, 9, 46 – encryption, 316, 420, 431, 438, 443-445 bookseller’s price cipher, 28, 45 – frequencies, 301, 304-318, 327, 356, 464 Boolean algebra, 86, 143, 329 408 – repetitions, 341, 344, 345, 347, 365, 416 Borelius, Carl-G¨osta, 401 – table, 61, 62, 122, 166, 218, 418, 438, 444 ‘boxing’, 431 Bigrammbewertungsger¨at, 464 B.P. see Bletchley Park Biham, Eli, 189 Brachet (code), 75 biliteral (cipher), 10, 40 Branstad, D. K., 184 binary, 40, 83, 86, 180 Braqueni´e, Henri, 442 – addition, 143, 383 Brassard, G., 499 – alphabet, 40, 48, 142, 157 Bream (link), 408, 411 – cipher, – code 10, 40 Brett-Smith, Hilary, 479 – circuit, 86, 142 Britzelmayr, Wilhelm, VI – code, – encoding, 55, 103, 142, 157, 244 Broadhurst, Sid W., 401, 407 504 Index

Broadway buildings, 442 Cantor, Georg, 30 BROWN (code), 77, 475 caption code, 73, 78 BROWN (key net), 48 Caramuel y Lobkowitz, Giovanni, 40 Brown, Cave, 92 Cardano, Geronimo, 23, 96, 142, 159, 486 Browne, Thomas, 9 cardinal number, 34 Broy, Manfred, VIII,84 Carlbom, Lars, 401 Bruce, David, 470 Carlet, Jean Robert du, 1 Bruno (Poste de Commandement), 447 Carmichael’s ψ function, 203 Brunswick (code), 75 Carmichael’s theorem, 203, 206 BRUSA pact, 457 Carmona, J. G., 500 brute force attack, 189-191, 205, 222, 251, Carroll, Lewis, 6, 128, 130, 179, 423 287 carry device, 91, 143, 144, 171, 243, 382 Brynielsson, L. B., 157 Carter, James Earl, 227 B.S.-4, 431, 439 Cartier, Fran¸cois, 100, 278, 469 BSI, 32, 228 Cartouche, 21 B talk, 21 Casanova, Giacomo Girolamo Chevalier Buck, F. J., 86 de Seingalt, 28. 28 Budiansky, Stephen, 418, 498 Casement, Hugh, VIII, 104, 253 Buell (code), 75 category of methods, 36, 163-164 Bulldog (ship), 219 CBC, 188, 204, 236 Bundesstelle f¨ur Fernmeldestatistik, 32, 470 CCITT No. 2, 142, 382 Bundesamt f¨ur Sicherheit in der CCM, 151 Informationstechnik (BSI), 32, 228 CD-55, CD-57, 79 Bundesnachrichtendienst (BND), 31, 32 censorship, VIII, 2, 15, 19, 25 Buonafalce, Augusto, VIII Central Intelligence Agency (CIA), 30 Bureau of Export (BXA), 231 CESA, 231 Burgess, Guy, 164 CHAFFINCH (key net), 448 Burke, Colin, 338, 456, 457, 464, 473, 487 Chaitin, Gregory J., 163, 165, 493, 495 Burkill, H., 495 Chandler, W. W., 407 Bush, Vannevar, 3, 338, 344-345, 411, 487 Chanel, Coco, 32 Byron, Lord George Gordon Noel, 23, 30 character set, 33, 34, 35, 39-41 byte (Z256 ), 40, 55, 142, 168, 180, 184 character coincidences, 320 character frequencies, 290, 316, 317, 328 C-35/C-36, 79, 146-147, Plate G characteristic, 437 C-38 see M-209 Charlemagne, 45 C-38m, 147, 223 Charles I, 70 C-41, 147 Charles II, 71 Cabinet noir,71 Chase, Pliny Earle, 67, 163, 183 ‘Cadix’, 447 Chˆateau de Vignolles, 447 Cadogan, 21 Chˆateau des Fouzes, 447 cadran,52 Chess, Abraham P., 5 CAESAR addition, simple, 49, 81, 87, 129, Chi, 323-326, 354-356, 360, 361-362 171, 239, 240, 245, 247, 252, 263, 266, 291, – test, 279, 327, 339, 344, 358, 371, 376 293, 294, 305, 310, 350, 370, 423 Chi, OKW Abteilung (Cipher Branch), –, polygraphic, 81, 161, 172, 240-243, 247 32, 147, 269, 335, 344, 372, 415, 419, 451, CAESAR encryption step, – shift 49, 81, 464, 470, 474, 478 129, 173, 247-250, 293, 423 Chiffriermaschinen A.G., 111, 114, 122, 431 cal˜ao,15 Chi-Stelle, 32, 118, 432-433, 472, 474 Callimahos, Lambros D., 25, 87, 500 Chi-wheel, 393-395, 403-410 Campaigne, Howard H., 457 Chiang Kai-shek, 153 Campbell, Lucille, 164 chiffre carr´e, 106 Canaris, Wilhelm, 17, 148, 263 chiffre `a damier,66 Candela, Rosario, 281 Childs, J. Rives, 421, 472 cant, 15, 22 Chinese remainder theorem, 202, 208 Index 505 chip, 178, 183, 190-192, 229 –, literal, 75 choice operator, nondeterministic, 33 –, numeral, 73 Chorrin, 144 –, one-part, 71, 72, 75 Chorukor, 258 –, two-part, 71, 72, 73 chosen cryptotext attack, 480 Code Compilation Section, US Signal chosen plaintext attack, 479, 480 Corps, 31 chronogram, 20 codetext see cryptotext chronostichon, chronodistichon, 20 Collange, Gabriel de, 39 Chub (link), 411 Collon, Auguste L. A., 66 Church, Alonzo (Church thesis), 164 COLOSSUS, 2, 234, 338-339, 372, 401, Churchill, Winston, 4, 10, 31, 57, 101, 407-409, 410-412, 447, 456, 497 135, 224, 423, 470, 480 columnar transposition, 27, 98-101 C.I.A., 30 –, double, 27, 100-101, 244, 467 Cicero (code), 75 –, US Army double, 100 Ci¸e˙zki, Maksymilian, 431, 433, 442 combinatorial complexity, 41, 64, 140, cifrario tascabile, 39, 128 141, 169-170, 175, 210, 222, 237, 239-243, cillies, VII, VIII, 447, 448, 482 244 cipher, 35 Combined Cipher Machine (CCM), 151 – bureau, 32, 431 commuting encryptions, 166, 170, 379 – disk, 44, 52, 139-140, Plate B companion matrix, 156 – security, 210, 466, 470, 480, 482, 487 COMPARATOR, 338-339, 345, 410-411 – slide, rods, strips, 52 complementary alphabet, 90 – -teletype machine, 55, 161, 170-171, complete-unit transposition, 98 372, 386, 387, 388, 395 complexity, 197, 198-199, 210 Cipher Block Chaining see CBC –, subexponential, 198, 201 ciphering devices, 131-135 complication illusoire, 27, 63, 67, 98, 148, ciphering machine, 6, 29, 110 160, 224, 274, 413, 437, 464, 467, 469 ciphertext see cryptotext composition of classes of methods, 169- cipher wheel, 170-171 192 City of Bagdad (ship), 63 compression, 180, 495 Clarendon, Edward Hyde Earl of, 472 compromise, 152, 164, 167, 168, 209, 212, Clarke, Joan see Murray, Joan n´ee Clarke 224, 288-289, 375-376, 387, 389, 398, class of families, 279 409, 419–423, 424, 431, 437, 448, 467, classification of cryptography, 24, 25 474, 478-480 Clausen, Max, 57 computable irrational numbers, 158, 164 Clausen-Thue, William, 75 concealment cipher, 10, 11, 19, 24 cleartext, 33 conceptual word, 306 clef, 41, 98, 141 confrontation, 297, 299, 300, 301 clef principale, 141 confusion, 174 CLIPPER, 229 congruence root, primitive, 200 click machine, 284 conjugated encryption step, 67 clique, 297, 300-306, 310-314 contact method, 312, 464-469 cliques on the rods, 281 Coombs, Allen W. M., 407 clock method, 415–418 Copeland, Jack, VIII, 498 closing, 56-57, 171 COPPERHEAD, 372 closure, 450 Coppersmith, Donald, 189-190, 201 COBRA, 456 CORAL, 156 Cocks, Clifford, 167 ‘counter’ ENIGMA, 148 Codfish (link), 406, 411 coupled pattern finding method, 265-266 code, 18, 35, 68, 373 Coventry raid, 4 – book, 6, 36, 41, 68 covert proof, 485-486 – compression, 180, 495 CQ signals, 289, 474 –, decryption of, 373 crab, 93, 94, 105 – groups, 40, 68, 259 – (Knox), 149 506 Index crash, 268, 272, 417-418 cryptotext-only attack (known crypto- Crawford, David J., 286 text attack), 265, 310, 479 CRAY-1, 339, 458, Plate Q cryptozilla, 192 CRAY X-MP, 198 CSKO, 482 CRAY-2, CRAY Y-MP, CRAY C 90, CSP 642, 136, 269, 280, 358, 475 CRAY T 90, CRAY J 90, CRAY T3D, CSP 845 see M-138-A CRAY T3E, Plate Q CSP 889 see M-134-C Cray, Seymour R. , 458, Plate Q CSP 1500 see M-209 Creed, Frederick George, 385 CSP 1700, 151 crib, 259, 260, 284, 288, 373, 400, 401, 406, cue, 17-18, 24 420, 438, 444, 445, 448, 449, 453, 454, Culpeper, Edmund, 256 479, 481, 482 CULPER, 71, 256 crib run, cribbing, 409, 410, 419 CVCCV , 78, 467 criminology, 4, 53, 256 CVCVC, 72, 467 Croissant, Klaus, 9 CX-52, 147 Croix Grecque transposition, 95 cycle attack, 450-451 Cromwell, Oliver, 19 – decomposition, 110, 125, 206, 437 cross-plugging, 48, 118, 120-122, 433, 437, – notation, 46-47, 49-51, 52, 110 441, 442, 445, 446, 449-451, 453, 457, 478 – (cyclotomic) numbers, 80, 156, 181 cross-product sum, 323 – partition, 49 cross-ruff, 421 cyclic group, 379, 381-382 (CRYPT), 489 cyclic shift, 107 crypt width, 34 cyclometer, 234, 437 cryptanalysis, V,VI,VII,3,5,6,8,25,29,31, cylinder and strip devices, 29, 37, 51-52, 37, 73, 92, 95, 98, 100, 141, 148, 189, 190, 133-136, 145, 224, 244, 251, 269, 272-277, 208-214, 217, 219, 222, 227, 231, 233ff. 358 –, pure, 394, 489-493 Cynthia, 103 Crypto AG, VIII, 131, 163, 192 cypher, 31 crypto board, 192, Plate P Cyrillic alphabet, 39 crypto clerk, 210, 216, 224-225, 310, 434, Czech alphabet, 39 436, 470 cryptographic equation, 42, 118, 128-130 Dace (link), 411 cryptographic faults, 211, 224, 481-482 Daemen, Joan, 191 cryptography, VII, 1-8, 9, 12, 24, 25, 26ff. D’Agapayeff, Alexander, 500 cryptology, VII, 2, 3, 5, 6, 8, 25, 30-32 damier, 64, 66 cryptoquip, 5, 256-257, 289 Damm, Arvid Gerhard, 111, 113, 113-114, cryptosystem, VII, 7, 8, 34, 106, 150, 158 132-133, 146, 153-154, 161, 179, 397 –, classical, 489-493 Darhan (code), 75 –, fixed, 41, 140 Dato, Leonardo, 139 –, ideal, 493 Deavours, Cipher A., VII, 121, 220, 282, –, independent key, 491-493 285, 286, 416, 437, 449, 498-500 –, of Vernam type, 492 [deciban], 237, 401, 416 –, perfect, 491-492 decimal digits (Z10 ), 40, 335 –, pure, 43, 170, 377-378 decimation, 90, 128, 238 –, Shannon, 43, 159, 170, 212, 268, 278, 280, (DECRYPT), 489-492 289, 378, 489 decryption key, 167, 193, 195, 210 –, transitive, 277, 378 decryption of ancient scripts, 26, 37, 47, –, unbreakable, 7, 70, 101, 144, 163, 168, 69, Plate A 192, 221, 248, 272, 339, 386, 421 decryption step, 42, 43, 47, 49, 194, 203 cryptotext, 33, 39-43 Delta process (Tutte), 403, 404 – vocabulary, 33 Defense Calculator (IBM 701), 458 cryptotext-cryptotext compromise, 164, Defense Intelligence Agency (DIA), 31 212, 224, 289, 375, 420-421, 424, 431, 478, definal, 33 480 de Grey, Nigel, 471, 471, 472, 484 Index 507

Delastelle, F´elix Marie, 67, 179, 341, 500 division algorithm, 91 Della Porta, Giambattista, 1, 1, 39, 44, 47, DNA, 486 58, 130, 131, 140, 141, 144, 211, 214, 216- Dodgson, Charles Lutwidge [Lewis Car- 217, 222, 260, 268, 280, 339, 340, 382 roll], 6, 130, 179, 423 de Leeuw, Karl, 113 DOLPHIN, see ‘Hydra’ (key net), denary, 40, 54 Donelly, Ignatius, 30 – cipher, 40 D¨onitz, Karl, 212, 221, 420, 472 Denning, Dorothy E. R., 230, 499 Doppelkassettenverfahren,66 Denning, Norman, 473 Doppelw¨urfelverfahren, 100 Denniston, Alastair G., 442, 477 Doppler, 335, 347 see also repetitions –, Robin, 375, 477 Dora (reflector “D”), 120, 123 depth, 345, 350, 350-351, 357-358, 369, 375 double casket, double PLAYFAIR, 66 depth cribbing, 419 double cipher, 141, 364 Dershavin, Gavrila Romanovich, 258 double cribbing, 419 de Saussure, Ferdinand, 290 double cross, 15, 18 DES, 36, 184-190, 191, 193, 194, 197, double encipherment of text setting, 226, 229, 230, 236 431-433, see also indicator doubling –, modes of operation for, 188, 236 ‘double key’, 141, 364 DESAB 3 (codebook), 172 double superencryption, 421 Desch, Joseph, 454-457 double transposition, 27, 100, 216, 244, 467 Desch BOMBE, 454 double-ended scrambler, 445, 446, 448, 449, Deubner, Ludwig, 49, 472 451, 454 –, Ottfried, 278 doublet (letters), 215, 216, 224, 254, 439 Deutsches Museum Munich, VIII doubling (words), 216, 254, 431, 390, 392, de Viaris (code), 75 406, 410, 440, 480 de Viaris, Ga¨etan Henri L´eon, 29, 129, 130, doubly safe primes, 207, 210 134, 136, 222, 272-280, 276, 295, 341, 500 Douglas, Chevalier, 16 de Vries, Mauritius, 3, 87 Doyle, Arthur Conan, 12 DIA, 30 ‘dragging’, ‘drag grenade’, 288, 401, 409 diacritic marks, 39 DRAGON, 338, 409 diagonal board, 173, 451-456, 482 Dreher, 306 diagonally continued alphabets, 109 Dreyfus, Alfred, 213 Diccionario Cryptographico (code), 75 Driscoll, Agnes n´ee Meyer, 154, 338, 454 Dickinson, Velvalee, 17 du Carlet, Jean Robert, 1 Dickson, L. E., 83 dual encryption steps, 379 dieder group, 382 Ducros, Oliver, 134 difference method, difference table, 369, Dudeney, Henry Ernest, 94 370-372, 413-415, 422 ‘duds’, 339 differential cryptanalysis, 189, 212, DUENNA, 287, 457 Differenzenrechenger¨at, 372 Dulles, Allen Welsh, 41, 61, 278, 415 Diffie, Whitfield, 6, 167, 195, 209, 227 dummy, 21, 215, 216 diffusion, 174 – text, 33, 212 Digital Signature Algorithm (DSA), 209 Dunning, Mary Jo, 155 Digital Signature Standard (DSS), 209 duplication, 52, 111, 134, 184, 442 digraphic substitution, 58-63, 64, 66, 67, Durchgangsr¨ader, 113 78, 239, 241, 248 Dyer, Thomas H., 333, 372 Dilworth, R. P., 496 direction-finding, VII, 221 Eachus, Joseph, 456-458 directory, 195-197 Eastcote, 454, 455 discrete logarithm function, 168, 200- Eastman 5202, 344, 410 202 eavesdropping, 26, 208, 212, 280, 476, 480 discriminant, 173, 412, 482 EBCDIC (code), 55 disinformation, 4, 221 Eckardt, Heinrich von, 484 disk, 39, 41, 44-45, 49, 51-52, 109, 127, 139 ECM Mark I, II, 123, 151, 481 508 Index

Edward Duke of Windsor, 28 –, Reichsbahn-, 124, 125 efficiency boundary, 197-198 –, Wehrmacht-, 48, 118-120, 124, 125, 126, efficient (method), 196, 197, 199, 200, 204 148-149, 168, 281, 284, 287, 288, 431 Ehler, Herbert, VIII –, 3-rotor-, 118-120, 149, 156, 166, 219, 220 EINSing, EINS catalogue, 287-288, 444 –, 4-rotor- (Kriegsmarine, M4), 4, 45, 121, Elble, R., 212 156, 214-215, 219, 220, 420, 431, Plate I electric contact realization, 110-111 – equation, 118 Electronic Code Book (ECB), 36, 188- –, basic wheelsetting(ground setting), 117, 189, 204, 229 121, 122, 168, 432, 433, 437-439, 441, 448 ElGamal, Tahir, 209 –, commercial, 92, 114, 117, 281, 284, 431 elliptic curve method (ECM), 201 – Grundstellung see basic wheel setting Ellis, James H., 6, 167 – message setting, 122, 173, 229, 416-418, “emergency clear” device, 167 432, 435, 439, 443-444, 448-449 encicode, 370 –, number of –s, 123 enciphering step, encoding step, 35 – replicas, 437, 441, 442 encryption, monoalphabetic, 35, 36, 45, 49, – ring setting, 121, 122, 168, 219, 284, 432, 98, 113, 140, 180, 188, 203, 204, 229, 238 437, 439-441, 448, 449, 481-482 –, nonperiodic, 36, 144-145, 158 – Ringstellung see ring setting –, periodic, 36, 140, 145, 157, 168, 330, 375 – rotor order, 120, 122, 432, 437-449, 454, –, polyalphabetic, 144, 157, 241-243, 248, 481-482 268, 322 – rotors, 113-118, 120, 145-146, Plate K –, progressive, 140, 144-145, 157, 274, 287 – –, numbering of, 118, 120, 124, 125 –, quasi-nonperiodic, 145, 158, 161, 460 – Spruchschl¨ussel see text setting encryption and signature methods, 195 – superencryption, 173, 339 encryption block, 35 – Tagesschl¨ussel see ground setting – error, 26, 98, 144, 160, 210, 225, 470 – text setting see message setting – key, open, 193-210 entropy, 329, 487, 494 – philosophy, 223 Enzensberger, Hans Magnus, 5 – security, 32, 144, 153, 156, 210, 211-232 equifrequency cipher, 291 – step, 34-36, 41-42, 44, 58, 80, 106 equivocation, 487, 489 – table, 35, 136, 368, 383, 428, 430 ERA 1101, ERA 1101 A, ERA 1103, 458 – width, 34-35, 106 Erd˝os, P´al, 138, 496 endomorphic encryption, 34, 36, 41, 43, Eriksson, Bertil E. G., 56 46, 50, 107, 169-170, 378, 379 ‘Erloschen ist Leuchttonne’, 214, 268, 269 endomorphic linear substitution, 81, 82 error-detecting and -correcting codes, 26 Engineering Research Associates, Inc. Erskine, Ralph, VII, VIII, 4, 124, 416, 439, (ERA), 458 457, 482, 483, 498 Engstrom, Howard Theodore, 338, 458 Escrowed Encryption Standard (EES), ENIGMA, 4, 29, 32 48, 112-126, 146-149, 8, 229 151, 153, 169, 172, 215-216, 218, 220, 269, Euler, Leonhard, 11, 8, 157 281, 338, 419, 420, 431-457, 478-484 Euler’s 36-officer problem, 59 ENIGMA A,B, 112, 114, 117, 122, 146 Euler’s totient function ϕ, 90, 203, 238 ENIGMA C, 113-117, 147, 166, 281-282 European Union, 229 ENIGMA D, 117, 124-125, 147-148, 153 Euwe, Max, 158 ENIGMA G, 117, 118, 123, 124, 125, 126, event, elementary, 487 146, 148-149, 373 ‘´evitez les courants d’air’, 51, 133 ENIGMA G-312, 118, 125, 148-149, 373 Ewing, Sir Alfred, 420 ENIGMA I, 48, 118, 121, 148, 166 exclusion of encryption methods, 290-291 ENIGMA II, 118 exclusive or, 143 ENIGMA K (INDIGO), 117, 125, 126, 281 example ‘B¨oll’, 98, 245, 246, 293, 294, 297, ENIGMA T (‘Tirpitz’), 124, 125, 148 301, 304, 466 ENIGMA ‘11-15-17’ see ENIGMA G example ‘Kulp’, 331, 332, 345-348, 349, –, Abwehr- see ENIGMA G 351-354, 355, 369 –, counter-, 148 exhaustion of probable word position, Index 509

–, non-coincidence, 268-270, 277 Fliegerf¨uhrer Trondheim, 447 –, binary non-coincidence, 271-272, 277 FLORADORA see GEC –, zig-zag, 280-281 Flowers, T. H., 407 exhaustive search, 222, 236, 237-251 Floyd, Robert W., 157 exponentiation in §(p), 199, 200 FLUSZ, 61, 62 ‘Expositur 3000’, 447 F¨oppl, Ludwig, 128, 472 Eyraud, Charles, 39, 47, 63, 90, 98, 99, FOREIGN see ‘Aegir’ (key net) 107, 128, 131, 136, 139, 295, 296, 306, formal cipher, 38, 310 307, 322, 467, 500 Forschungsamt des RLM, 280, 472, 474 EYRAUD encryption step, 128 Forschungsstelle der Reichspost,10 Eyssen, Capt., 219 Forster, Otto, 200 Eytan [Ettinghausen], Walter, 173 F¨orsvarsv¨asendets Radioanstalt (FRA), 32, 399 Fabyan, George, 30 /fort/ (,,Fortsetzung“), 438 Fabian, Rudolph J., 372 Foss, Hugh, 115, 116, 154, 445, 478 factorization, 198, 199, 202, 205 fourbesque,15 ‘Fall Gelb’, 447 four-digit code, 75 falsification, 26 “Forty Weepy”, 438, 443, 444 family code, 19 Fox, Philip E., 286 familes of alphabets, 106-138 §(p), 81, 181, 199 family of message blocks, 279 FRA (F¨orsvarsv¨asendets Radioanstalt), Fano, Robert M., Fano condition, 36 32, 399 feedback cycle system, 448-453 fractionating method, 66 Feinstein-Grotjan, Genevieve, 155, 164 ‘Frankfurt’, 221, 473 Feistel, Horst, 184, 185 Franksen, Ole Immanuel, 129, 341 Fellers, Frank Bonner, 475 Franz, Wolfgang, 3, 269 Fellgiebel, Erich, 32, 118, 212, 483 FREAK, 464 female, 48, 224, 434, 441, 446 freestyle methods, 317, 363, 494 Fenner, Wilhelm, 470 Freemasons’ cipher, 45 Fermat’s factorization, 205 frequency count, 293, 296, 298, 299, 302 Fermat prime, 183, 200 – distribution, 59, 290-291, 295-296, 299 Fermat’s theorem, 182 – ordering, 294-297, 299, 300 Ferner, Robert, 155 – profile, 292-294, 352-353, 360 Ferris, John, 483 Freyss, Gustave, 469 Fersen, Axel Graf von, 144 Friderici, Joannes Balthasar, 40 Fetterlein, Ernst C. (‘Felix’), 3, 162, 172 ‘Fried Reports’, 287, 289, 499 FIALKA (fialka), 150 Friedman, Elizebeth Smith, 5, 30, 256 fiber, 33 Friedman, William Frederick, 2, 2, 5, 25, 30, Fibonacci numbers, 176 31, 68, 75, 78, 79, 86, 123, 133, 134, 136, FIDNET, 231 140, 150-152, 155, 163, 230, 234, 235, 247, Figl, Andreas, 60, 61, 213, 259, 296, 471, 256, 272, 277, 280, 281, 317, 320, 331, 333, 472, 480, 500 336, 339, 341, 343, 344, 348, 349, 373, 374, Filby, P. William, 172 377, 401, 416, 424, 428, 471, 483, 486, 497 finite, finitely generated, 34 Friedman examination, 331, 341, 343, 344, First Amendment, 7 348, 349, 486 first character, 80 Friedmann (code), 75 fist, 218 Friedrich, J., 26 five-digit code, 75, 76, 77 Friedrichs, Asta, 69, 278, 415 five-letter code, 40, 75 Frowein, Hans-Joachim, 472 fixpoint, 177, 178, 183, 206, 440, 441, 450 Fuchs, Klaus 164 FLB’s resurrection, 175 function inversion, 196-197 Fleissner grille, 96, 97 functional, 33 Fleissner von Wostrowitz, Eduard, 96, ‘FUNF’, 373 295, 500 Funkschl¨ussel C, 117, 118 510 Index

Funkschl¨ussel M, 118, 121 Goldreich, Oded, 499 Funkspiel, 209, 218 Gold-Bug, 45, 317-318 ‘F¨ur GOD’, 146 Golombek, Harry, 92 Golßen (Funkfernschreibstelle), 162 G.2 A.6, 31, 69, 216 Good, Irving John (Jack) [Isidor Jacob GADFLY (key net), 448 Gudak], VI. VII, VIII, 260, 389, 401, 409, Gagliardi, Francesco, 103 412, 415-416, 477, 499 Gaines, Helen Fouch´e, 60, 63, 97, 98, 179, Gordon, D. M., 201 252, 255, 257, 264, 290, 295, 296, 306, G¨oring, Hermann, 280, 415, 448, 470, 484 310, 312, 497 Government Code and Cypher School, Galilei, Galileo, 103 (G.C.&C.S.), 3, 31, 92, 442, 443, 470 Galland (code), 75 Government Communications Headquar- Galois field, 81, 181 ters (G.C.H.Q.), 31 garbling and corruption of messages, 26 GRAY (code), 70, 77, 214, 475 gardening, 420, 480 ‘Greek rotors’ (α, β , γ ), 121, 148, 215, 219 Gardner, Martin, 354 Greek-Latin square, 59 Garli´nski, J´ozef, 437, 498 GREEN (code), 72, 77, 214 467 Gaujac, Paul, 213 GREEN (key net), 447 Gauß, Carl Friedrich, 202 GREEN (machine), 153 Gaussin, Joseph, 129 Greenglass, David, 164 Gayhurst, 454 Gretz-Armainvilliers, 447 G.C.&C.S., 3, 31, 63, 92, 442, 443, 470 grenades, 288 GEC, 172, 421, 484 Grew, Joseph C., 77, 213, 214 GEE (one-time-pad system), 164, 165 Grey, Nigel de, 471, 472, 484 GFQBZ (KONPAENGFQBZ), 389 Griechenwalze see ‘Greek rotors’ Geheimklappe, 63, 69, 78 grill (grid) method (‘metoda rusztu’), 437 Geheimschreiber, 170-171, 387-389, 395, grille, 19, 23, 24, 78, 95-96, 97, 101, 97, 467 396, 398, 400, 483 Grilse (link), 411 Geiger counter, 164 Gripenstierna, Fredrik, 51, 54, 131 gematria, 37 Gronsfeld, Count of, 128, 272 generating relation of encryption steps, 34 Grosvenor, William M., 97, 469 generation of a quasi-nonperiodic key, 157 Grotjan, Genevieve see Feinstein-Grotjan generatrix, 134, 273-277, 279 ground setting see basic wheel setting genuine reflection, 48, 51, 60, 116 group property, 169 George, Stefan, 5 ‘Group Z’, 447 Gerold, Anton, VIII, 210 Groves, Leslie R., 54 Gewerkschaft Securitas, 111 GRU, 476 Gherardi, Loris, 41 Grundstellung see basic wheel setting GIANT, 287, 457 Grundverfahren (GEC), 172, 421, 484 Giant-Step-Baby-Step algorithm, 200 Grunsky, Helmut, VI, 278 Gillogly, James, 478 G¨untsch, Fritz-Rudolf, VIII Gioppi di T¨urkheim, Luigi Count, 68, 500 Gurnard (link), 411, 412 Gisevius, Hans Bernd, 415 Gyld´en, Yves, 5, 25, 146, 471, 500 Givierge, Marcel, 99,141,217,223,225, 234, 273, 277, 278, 280, 295-296, 467, 472, 500 Hadwiger, Hugo, 3, 123 Gleason, Andrew M., 3 Hagelin, Boris Caesar Wilhelm, 79, 114, Gl¨uhlampentype, 114 146, 147, 153, 163, 179, 223, 230, 230, 269, ‘Glowlamp Machine’, 117 330, 375, 379, 437, 475-476, 499 Glur, Paul, 3, 123 half-adder, 143 ‘Godefroy’ [Gustave Bertrand], 433 half-rotor, 111, 113, 114, 127, 145, 146, Gold, Harry, 164 153, 154, 179 Goldbach, Christian, 71 Hall, Marshall, 3 Goldberg, Emanuel, 10, 339, 345 Hall, Theodore, 164 GOLDBERG, 339 Hall, William Reginald, 472 Index 511

Hallock, Richard, 164 Hinsley, Francis Harry, 92, 398, 472, 473, Hamer, David H., 124, 125 479, 498 Hamming, Richard W., 26, 76 Histiæus, 10 Hand-Duenna, 287 Hitchings, Oswald Thomas, 472 Handschl¨ussel, 66, 100, 481 Hitler, Adolf, 32, 173, 216, 254, 263, 474 Harmon, John M., 7 Hitt, Parker, 134, 135, 139, 144, 161, 217, Harriot, Thomas, 40 224, 247, 314, 316, 472, 500 Harris, Martha, 229 Hitts admonition, 139, 144, 161, 168, 217 Hartfield, John Charles, 75 Hodges, Andrew, 389, 446, 498 HARVEST, 458 H¨ottl, Wilhelm, 60 Harvey (code), 75 Hoffman, Lance J., 499 Haˇsek, Jaroslav, 42, 56, 96 Holden, Carl F., 457 Hasenj¨ager, Gisbert, VI, 451, 453 Holden, Edward S., 97, 468, 469 Hassard, John R. G., 97, 469 Holmes, Sherlock, 12 hatted code see two-part code Holtwick, Jack S., 154, 476 Havel, V´aclav, 258 holocryptic, 163-164, 248, 386 Hawkins, Charles A., 227 Homan, W. B., 291 Hay of Seaton, Malcolm V., 472 homogenous linear substitution, 81, 82- Hayhanen, Reino, 57 83, 86 HCM (Hebern), 151 homophones, 33, 34, 36, 44-46, 54, 55, 63, H.E. [Hans-Thilo Schmidt], 432 67, 70, 72-74, 78, 139, 197, 215, 224, 238, HEATH ROBINSON, 337, 338, 339, 372, 252, 273, 427 404, 406, 407 Hooper, Stanford Caldwell, 338 Hebern, Edward Hugh, 113, 113, 114, 123, Hoover, Herbert, 152, 227 145, 150, 153 Hopf, Eberhard, 174 Hopkins, Johns, 429, 430 HECATE, 339 Horak, Otto, VIII, 190, 223 Heftschl¨usselverfahren, 96, 101 horizontally shifted alphabets, 107-108 Heidenberg, Johannes (Trithemius), 127 Hornbeck, Stanley K., 475 Heider, Franz-Peter, 387 HORNET (key net), 448 ‘Heimische Gew¨asser’, DOLPHIN (key ‘HOSF’, 411 net), 448 Hotel-Telegraphenschl¨ussel,76 Heimsoeth & Rinke, 92, 114 H¨ottl, Wilhelm, 60, 61 Heise, Werner, 138 Houdin, Robert, 14 Hellman, M. E., V, 6, 167, 195, 209, 493 Howard, John E., 458 Hellschreiber, 388, 389, 391 Huffman coding, 495 Helmich, Joseph G., 150 Hughes, David Edward, 385 Henkels, M., 68 H¨unke, Anneliese, 278 Henri IV of France, 70 H¨uttenhain [Hammerschmidt], Erich, VI, Herivel, John, 448 164, 215, 225, 269, 289, 296, 335, 336, Herivel tip, 447, 448, 482 419, 470, 471, 474, 475, 500 Hermann, Arthur J., 134 Huyghens, Christiaan, 103 Herring (link), 411 ‘Hydra’, DOLPHIN (key net), 448 heterogeneous encryption, 45 ‘Hypothetical Machine’ (HYPO), 338 Hettler, Eberhard, 387 hiatus, 36, 56, 273, 284, 317 IBM (International Business Machines), hieroglyphs, 69 40, 184, 333-334, 345, 458 Hildegard von Bingen, 45 IBM 701, 458 Hill, Lester S., 3, 86, 87, 129, 143 ICKY, 344, 372 HILL encryption step, 82, 239, 240 IDA, 31 Hilton, Peter J., 94, 401 IDEA, 191 Himmler, Heinrich, 10, 32 415, 470 ideal, 493 Hindenburg, C. F., 95, 500 identity, 81, 86, 110, 143 156, 223, 378 Hindenburg, Paul von, 217 ideogram, 69 512 Index idiomorph, 252, 253 i-Wurm, 161 independent key, 491-493 index (Alberti), 139 JABJAB, 448 Index Calculus method, 200-201 J¨ackel, Eberhard, 498 ‘Index’ machine, 116 JADE, 156 index of coincidence, I.C., 5, 150, 320, 326, J¨ager, Lieutenant, 69, 212, 260 331, 335, 336, 338, 340, 341, 344, 401, 416 jargon code, 15, 17, 24 index ring, 121, 124, 125, 149 Javanais, 21 indicator, 61, 102, 117, 122-123, 164, 168, je suis ind´echiffrable, 29, 487 284, 388, 389, 393, 400, 406, 412, 413, Jefferson, Thomas, 49, 71, 133, 244 416-417, 431-444, 447-448 Jeffreys, John R. F., 442, 446 indicator doubling, 122, 416, 417, 431, 447, Jellyfish (link), 411, 412 480, 482 Jensen,Willi, VI,296,335,344,415,464, 500 INDIGO, 117, 284 Jipp, August, 170, 387 individual key, 161-165, 218, 226, 356, 421, JN-25A, JN-25B (code), 76 466, 483, 495 JN-157 (code), 457 induced encryption, 34 Johnson, Brian, 6, 123, 389, 396, 498 inflation of cryptotext, 226 Johnson, Esther, 22 influence letter, 161 Josse, Henri, 500 informal cipher, 309-310 Joyce, James, 37, 258 Informatik (Deutsches Museum), VIII Julius Cæsar, 49 information, mutual, 488 ‘JUMBO’, 454 information theory, V, VI, 3, 247, 329, 495 –, axiomatic, 487-494 Kaeding, F. W., 296, 304 inhomogenous linear substitution, 83 Kahn, David, V, VII, VIII, 6, 10, 25, 26, 67, injective, 33, 34, 37, 41, 42, 43, 80, 81, 170, 68-69, 71, 80, 94, 112, 121, 129, 131, 139- 183, 196-197, 199, 244, 460, 490 142, 145, 148, 155, 163, 221-223, 257, Inman, Bobby Ray, 31 289, 295, 310, 311, 319, 320, 330, 335, in-phase adjustment, 375,376,412-419, 478 340, 342, 367, 396, 413, 415, 467, 472, Institute for Defense Analyses (IDA), 31 474, 476, 478, 497-500 International Traffic in Arms Regula- K¯ama-s¯utra,47 tions (ITAR) 7, 192, 228 Kaplanski, N., 138 intermediary cryptotext, 359, 362, 363, Kappa, 234, 320-327, 330-339 370, 373, 414, 423, 427 – test, 334-339, 341, 344, 346, 376, 401 intractable, 197 Kappa -Chi Theorem, 325, 326 invariance theorems, 251, 252, 263, 290, Kappa -Phi Theorem, 326, 327, 346, 348 291, 293, 305, 320, 322, 324, 328 Kappa -Phi (u) Theorem, 346 invectives, 20 Kasiski, Friedrich W., 247, 295, 339-341, inverse alphabet, 47 500 involution, 47 Kasiski examination, 339- 346, 349, 359, involutory see self-reciprocal 365, 368, 394 irrational numbers, 36 Katscher (code), 75 irregular wheel movement, 146-148, 151, K-book see Kenngruppenbuch 161, 171 Keen, Harold (‘Doc’), 446 ISBN (code), 76 Kjellberg, Bo, 401 isologs, 224, 409, 419 Keitel, Wilhelm, 402 isomorphism, isomorphs, 42, 118, 224 Kelley, Stephen J., 156 isomorphs, method of, 281-287 Kenngruppe, Kenngruppenbuch, 173, 412, Isonzo battle, 225 444 isopsephon,37 Kendrick, Tony, 478 italic upper case letters for key char- Kepler, Johannes, 103 acters, 41 Kerckhoffs, Auguste, 99, 211, 222-223, 244, iteration, 175-176, 205-207 254, 289, 295, 341, 365, 367, 368, 369, 375, iteration exponent, 205, 207 376, 377, 379, 437, 442, 469, 481, 500 Index 513

Kerckhoffs’ maxim, VII, 222, 244, 289, 437 Kratzer, Uwe, 260 Kesselring, Albert, 411, 412 Krebs (ship), 218 key distribution, 42, 226 Krivitsky, Walter [Samuel Ginsberg], 221 – escrow system, 8, 228, 229 /krkr/, 216 – generator, 161, 166, 168, 393 Krohn (code), 75 – group, 43, 170, 183, 280, 377-384, 388 Krug, Hans-Georg, 278, 279, 372, 415 – management, 165-168 Kruh, Louis, VII, 121, 124, 220, 282, 416, – registration, risk of, 168 449, 453, 499, 500 – net, 420, 431, 439, 441, 444, 447, 448, KRU, KRUSA, KRUSA,¨ 27, 78 457, 480-484 Kryha, Alexander von, 146, 154, Plate F – vocabulary, 41 KTB (Kriegstagebuch), 483 – words, 27, 144, 159, 166, 211, 217, 344, KTF see Klartextfunktion 354, 362, 364, 367, 370, 374, 430, 493 Kulissenverfahren, 67, 180 Key Exchange Algorithm (KEA), 168 Kullback, Solomon, 87, 150, 154, 172, 251, ‘key phrase’ cipher, 45 301, 307, 322, 323, 327, 332, 471, 487, 498 key-symmetric, 43, 187, 191, 192 Kullback entropy, 329 keytext, 42, 140, 144, 145, 159, 168, 188, Kullback examination, 333, 339,345-348, 224, 280, 281, 341, 375, 419, 460, 489-493 349, 350, 351, 359, 416, 486 Kinsey, Alfred C., 9 Kulp, G. W., 331, 332, 345-348, 349, 351- Kippenhahn, Rudolf, 499 354, 355, 369 Kircher, Athanasius, 9, 54, 76 Kunze, Werner, 87, 154, 162, 278, 279, 415 Kirchhofer, Kirk H., VIII K¨upfm¨uller, Karl, 215 kiss, 420 Kursk, Battle of, 412 Kjellberg, Bo, 401 Kurzsignalheft, 73, 219 Klar, Christian, 9 KW-7, 476 Klartext, 33, 217 KWIC Index, 264, 265 Klartextfunktion, 161, 171, 397, 399, 412 KL-7 rotor machine, 123, 150 Landau, Susan, 190 Kleinschmidt, Edward, 385 Lange, Andr´e, 41, 296, 300, 500 Kluge, Hans G¨unther von, 411 Langer, Gwido (‘Luc’), 431, 442, 447 Kl¨uber, J. L., 500 Langie, Andr´e, 9, 316, 500 knapsack problem, 210 Langlotz, Erich, 162, 165, 415 knight’s tour transcription, 95 largondu, –jem, –ji, 22 knock-cipher, 53 LARRABEE, 128, 132, 161 known cryptotext attack, 479 last character, 80 known plaintext attack, 479 Latin square, 136-138, 277, 281, 378, 383 Knox, Alfred Dillwyn(‘Dilly’), 92,117, 149, Lauenburg (ship), 219 281, 433, 436, 442, 443, 446, 471, 478, 484 ‘Law Enforcement Access Field’ (LEAF), KO (“Kriegsorganisation”, i.e., Abwehr), 229, 230 483 L.C.S. , 31, 470 Koblitz, Neil, 201 left-univalent, 33 Koch, Hugo Alexander, 113, 113-114 Legendre, Adrien-Marie, 202 Koch, Ignaz Baron de, 71 Leiberich, Otto, VIII, 155, 415, 470, 475 Køhl, Alexis, 67, 179, 500 Leibniz, Gottfried Wilhelm von, 40, 71, 103 Kolmogorov, Andrei Nikolaevich, 163 Leitungszwischentr¨ager, 112 Komet (Schiff 45) (ship), 219 Lemoine, Rodolphe [Rudolf Stallmann] Konheim, Alan G., V, 270, 295, 499 see ‘Rex’ Korn, Willi, 114-115, 121, 124, 146, 437 Lenin, Vladimir Ilych, 32 KORN encryption step, 115, 451 Lenstra, Hendrik W., 201 Kovalevskaya, Sofia, 218 L´eotard, Fran¸cois, 213 Kowalewski, Jan 151 Leutbecher, Armin, 200 Kozaczuk, Wladyslaw, 418, 431, 433, 498 leveling of frequencies, 54, 59, 479 Kraitchik, M., 198 Lever, Mavis, 284, 479 Krause, Reinhard, IV Levine, Isaac Don, 221 514 Index

Levine, Jack, 68, 264 M-138-A =ˆ CSP 845, 135, 220, 222, 224, 277 Lewin, Ronald, 254, 498 M-138-T4, 135, Plate E Lewinski, Richard (pseudonym), 92 M-209 =ˆ CSP 1500 =ˆ C 38, 79, 135, 147, lexicalization, 22 217-218, 223, 379, 475, Plate H Lieber (code), 75 M-228 (SIGCUM), 163, 483 Lindenfels, J. B., 500 M-325 (SIGFOY), 151 Lindenmayer, Aristide, 158 MacFarlane, Captain, 447 linear substitution, 80-87, 90, 91 Macbeth, James C. H., 76 linear shift register, 156-157, 461 ‘machine gun’, 454 –, reconstruction of a, 461-463 machine key period, 146, 148, 171, 376 LINOTYPE, 296 Mackensen telegram, 421 lipogram, 257-258, 294-295 Maclean, Donald Duart, 164 Lisicki, Tadeusz, 436, 437, 440 MacPhail, Malcolm, 92 literary English, 301 MADAME X (X-68 003), 454 lobster (Knox), 149 Madison, James, 71 logic switching panel, 408 Maertens, Eberhard, 219, 221 logograms, 33 Magdeburg (cruiser), 72 L¨ohr, Alexander, 411, 412 MAGIC, 4, 155 Lombard (code), 76 Mahon, Patrick, 417, 418, 419, 436 London Controlling Section (L.C.S.), Makarov, Victor, 476 31, 470 Malik, Rex, 408 longueur de s´eriation, 179 Mamert-Gallian (code), 75 Lonsdale, Gordon [Konon Molody], 10 MAMMOTH, 446 Loranco Ltd. (Mr Lorant), 165 Mandelbrot, Benoˆıt, 302 LORENZ Schl¨usselzusatz SZ 40/42, Mann, Paul August, VI 29, 55, 161, 171, 372, 387-389, 394, 397, Mann, Thomas and Katia, 14, 215 401, 410, 412 Manstein, Erich von, 411 Los Alamos, 54, 55 Mantua, Duke of, 45 Louis (code), 75 many-partner key net, 194 Louis II of Bourbon, 144 map grid, 40 Louis XIV, 71 Marconi (code), 76, 77 Louis XV, 16 Marie Antoinette, 28, 144 Louis XVI, 144 Marks, Leo, 101 lower-case letters (plain characters), 41 Marks, Philip, 124, 482 Loyd, Sam, 94 masking, 13-17 ‘Luc’ (Gwido Langer), 431 Massey, J. L., 191 Lucan, Henno, 220 Matap´an, 284, 480 LUCIFER, 184, 185, 189 matching, 218, 297-304, 310-315, 316, 350 Ludendorff, Erich, 53, 173, 217 –, optimal, 303 Ludwig II, King of Bavaria 103 Matton, Pierre-Ernest, 213 Ludwig the Severe, Duke of Bavaria 20 Matsui, Mitsuru, 190 lug cage, 146 Matyas, S. M., 235, 295, 299, 301, 485, 499 Ljunggreen, Tufve, 401 Mauborgne, Joseph O., 87, 134, 135, 137, Lyster, Mark, 354 138, 161, 395, 472, 500 Lywood, O. G. W., 123, 149 Maul, Michael, 345 Mayer, Stefan, 442 M 3, M 4, 120 maze, 12, 13 M-94 =ˆ CSP 488, 78, 134-135, 222, 277, McCurley, Kevin S., 201 339, Plate D McVittie, George, 421 M-134-T2, 123 Meader, Ralph, 458 M-134-A (SIGMYC), 123, 163 Meaker, O. Phelps, 295, 304 M-134-C (SIGABA) =ˆ CSP 889 (ECM Medical Greek, 94 Mark II), 123, 151, 220, 481 Meister, Aloys, 139, 500 M-138, 135, 289, 475 Mellen, Greg, 499 Index 515

‘Memex’, 345 monographic, 35, 44, 60, 70, 165, 170 Mencken, Henry Louis, 322 Monroe, James, 71 Mendelsohn, Charles Jastrow, 131, 472 Montgomery, Bernard L., 474 menu, 448, 449, 451, 478 Montgomery, P., 198 Menzer, Fritz, 147 Moorman, Frank, 69, 216, 472 Menzies, Sir Stewart Graham, 3, 470 Morehouse, Lyman F., 143, 162 ‘Mephisto Polka’, 158 Moreo, Juan de, 70 Merchant Navy Code, 472 Morikawa, Hideya, 475 Mergenthaler, Ottmar, 296 Morrell, Frank, 401 Mersenne primes, 157, 181 Morris, Christopher, 477 message length, maximal, 139, 144, 145, Morse, Marston, 158 148, 160, 162, 168, 217-218 Morse code, 10, 12, 40, 73, 173, 180, 296 message setting, 122-123, 173, 229, 416, mot convenue,17 432, 435, 439, 443-445, 448, 449 mot vide, 306 metaphor, 15 motor wheels, 387, 394, 395, 403-405, 410 ‘METEO Code’, 217 mozilla, 192 m´ethode des bˆatons, 281 Mullard EF 36, 408 ‘metoda rusztu’, 437 Muller, Andr´e, 95, 500 Meurling, Per, 56 M¨uller, Hans-Kurt, 278, 415 Meyer, Agnes May see Driscoll, Agnes Mullet (link), 411 Meyer, C. H., 235, 295, 299, 301, 485, 499 MULTIPLEX encryption step, 136, 242, Meyer, Helmuth (Lt. Col.), 18 268, 277 Meyer (Funkmaat), 444 multiplex systems, 133, 241, 244, 269 MI-8, 31, 77, 151 multiplication, symbolic, 90, 128 Mi-544 (Lorenz), 163 multiplication of primes, 199 M.I.1 (b), 31 M¨unchen (ship), 218 M.I.6, 3, 30, 31, 470 Murphy, Robert D., 69, 215, 224, 260, 475 M.I.8, 31 Murray, Donald, 382 Micali, Silvio, 168, 230 Murray, Joan n´ee Clarke, 445 microdot, 10 Musil, Robert, 5 Michie, Donald, 338, 391, 401, 408-410 Myer, Albert J., 342, 350, 500 microprocessor, 91, 181, 183, 192 MYK-78 (Mykotronx), 191 MIKE, 464 Myszkowski, Emile V. T., 500 Military Intelligence Code, 77 Miller, V. S., 201 Nabokov, Vladimir, 5, 258 Millikin, Donald D., 497 Napier, John Laird of Merchiston, 40 Milner-Barry, Philip Stuart, 92, 225 Napol´eon I, Emperor of France, 71, 225 ‘Ming’, 454 National Bureau of Standards (US), Minocyclin, 103 36, 184, 188 Mirabeau, Honor´e Gabriel Riqueti Count National Defense Research Committee, of, 53, 179, 183 338 Mirsky, L., 495 National Institute of Standards and mishit, 260,269-271,275,277,440,449, 461 Technology (NIST), 188, 190, 209, 210 Mitchel, William J., 76 national security, 7, 189 mixed alphabet, 46, 49-52 National Security Agency (NSA), 31, mixed rows block transposition, 99, 467 184, 189, 222, 226, 230, 457, 476 – – columnar transposition, 99, 467 NATO, 149, 150, 476 mnemonic key see password Naval Cypher Nr. 1, 473 mobile telephone, 191 Naval Cypher Nr. 2, 415, 473 Model, Walter, 411 Naval Cypher Nr. 3, Nr. 5, 221, 415, 473 modular transformation, 174, 176-178 Navy Code Box (NCB), 134 Monnier, Sophie Marquise de, 53, 179 NCR, 454, 456 monoalphabetic, 35-36, 44, 98, 188 Nebel, Fritz, 53, 173 monocyclic permutation, 48 Neeb, Fritz, 472 516 Index

‘need to know’ rule, VII, 470, 480 O’Keenan, Charles, 11, 179 NEMA, 123 OKW Cipher Branch (Chi), 32, 147, 269, ‘Neptun’ (key net), 483 335, 344, 372, 415, 419, 451, 464, 470, 474 Nero, Roman emperor, 37 Olivary, Adolphe, 469 Netscape Communicator, 192 Olivetti, 171 Newman, Maxwell Herman Alexander, OMALLEY, 339 395, 401, 401, 403, 404, 410 OMI (Ottico Meccanica Italiana), 123, 149 Newmanry, 401, 406, 407 1-cycle, 46, 269, 434, 440, 441, 446 Newman’s Theorem, 403, 405, 406 one-part code, 72, 75, 76, 77, 78, 373 newspaper German, 298 one-time key, 161-163, 164-168, 171, 218, Newton, Isaac, 103 226, Plate O NID 25 see Room 40 one-time pad, – tape see one-time key Niethe (code), 75 one-to-one function, 33, 46 Nihilist cipher, 11, 53, 179 one-way function, 196-197 Nihilist transposition, 99, 467 OP-20-G, 31, 338, 344, 454, 456, 457, 458 Nilac (code), 75 OP-20-GY, 31, 338 NIST see National Institute of Stan- open code, 10, 13-23, 24 dards and Technology open encryption key system, 193-210 NKVD, 56, 57 open-letter cipher see null cipher ‘no letter may represent itself’, 115, 223, Operational Intelligence Centre, O.I.C, 31 257, 268, 269, 279 ORANGE (machine), 87, 154, 415 nomenclator, 70-73, 144 ORANGE (key net), 448 noncarrying binary addition, 143 order of a matrix, 156 non-computable real numbers, 164, 169 order-preserving, 71, 80 non-content words, 306 Ortsnamenalphabet, 102 non-crashing, 48, 268 Oshima, Hiroshi, 415 non-pattern words, 266-267 O.S.S., 278, 470 nonperiodic, 36 ostensibly secret messages, 30 Norris, William C., 458 OTP (one-time pad), 161-163 Noskwith, Rolf, VII, 420 Ottico Meccanica Italiana, 123, 149 notch, 146, 147-149, 286, 417-418 overlay sheets, 335, 336 Notschl¨ussel, 100 Novopaschenny, Fedor, 472 P=NP, 196 NSA see National Security Agency padding letter, 61 null, 19, 20, 22, 34, 45, 55, 96, 215, 224, 291 Painvin, Georges-Jean, 87, 173, 278, 471, – cipher, 19, 24 471, 472 – text, 33 paired day, 445, 481 number field sieve (NFS), 198, 201 PA-K2 system, 101 Nuovo Cifrario Mengarini (code), 75 palindrome, 93, 94, 258 N. V. Ingenieursbureau Securitas, 113 Pale, Erkki Sten, 3 Nyquist, Harry, 488 Palluth, Antoni, 439 pangram, 266-267 O-2, 136, 278-280 Panizzardi, Alessandro, 213 octogram, 142 Pannwitz, Erika, 278 OKW Signal Communications, 118, 212 parallels see repetitions OKW/Chi (Cipher Branch), 32, 147, 269, Parker, R. D., 386 335, 344, 372, 415, 419, 451, 464, 470, 474, Parkerism, 482 478 partition, 49, 110, 291-92, 297-304 octopartite simple substitution, 55 Paschke, Adolf, 415, 483, 484 Octopus (link), 406, 411 ‘passport control officers’, 3 Office of Strategic Services (O.S.S.), 278, password, 45, 47, 50-51, 53-54, 56-57, 59, 470 64, 94, 98, 100-102, 108, 131, 134, 137, offizier, 173, 339, 420 141,166,170,179,190,192,197,192, 211, Ohaver, M. E., 180, 343, 500 256,276,279,314,315,364,460,463,469 Index 517

–, reconstruction of, 373-374 plaintext attack, chosen, 479, 480 Pastoure, 9 plaintext attack, derived, 480 pastry dough mixing, 174 plaintext attack, known, 479, 480 Patrick, J. N. H., 172 ‘Plaintext Bit 5 Two steps back’, 397, 412 Patronen-Geheimschrift,96 plaintext-cryptotext compromise, 224, pattern, 78, 252-254 288-289, 375, 437, 448-457, 474-475, 479 – finding method, 234, 252-259, 260, 264- plaintext-plaintext compromise, 212, 224, 266, 439-440, 466–467, 479 375-376, 387, 389, 398, 399, 409, 419, 421, –, normal form of –s, 252 467, 478 pawl, 117, 147-149, 397 planned obsolescence, 27, 76, 78, 235 P-box, 186 ‘playback’, 218 P. C. Bruno, 447 Playfair, Lyon Baron of St. Andrews, Pearl Harbor, 18, 214 27, 64 Pendergrass, James T., 457 PLAYFAIR encryption step, 64-67, 214 penetrazione squadra, 214, 475 225, 239, 248, 314, 316-317, 332 Pepys, Samuel, 9 plugboard, 48, 92, 118, 120, 123-124, 148- Perch (link), 411 151, 153, 156, 172, 179, 282, 445, 451, 482 Perec, Georges, 257, 258 ‘pluggable’ reflecting rotor, 120, 123, 286 perfect security, 487, 491-493 Poe, Edgar Allan, 5, 45, 295, 317, 331, 354 period length, 144, 157, 340, 348 Pokorny, Hermann, 49, 259, 472 Perioden- und Phasensuchger¨at, 335, 344 Polares (Schiff 26) (ship), 218, 444 periodic, 36, 139-140, 145, 168, 330, 339 Polhem, Christofer, 54 Perl, William, 164 Pollard, John, 198, 201 permutation, 22, 36, 46-52, 59, 63, 143 POLLUX, 180 –, self-reciprocal, 47, 48, 59, 62, 67, 82, 85 polyalphabetic encryption, 15, 35, 87, 106, –, properly self-reciprocal, 48, 61, 433, 434, 131, 133, 139, 140, 144-145, 157, 204, 217, 437, 445, 449, 451 223, 234, 241-243, 248, 251-252, 268, 330 –, construction of, 102 Polybios square, 40, 53, 57, 67, 114, 173, permutation class, 398 179, 382 PERMUTE encryption step, 131, 136, polygraphic, 35, 36, 58, 70, 80-81, 98, 203 242, 244 – substitution, 58, 140, 141, 178, 234, 239 Pers Z , 154, 415, 464, 467, 470, 483 polymorphism, 398 Petard (destroyer), 219 polyphones, polyphony, 37-38, 50, 73-74, PETER ROBINSON, 337, 407 134, 159, 251, 255, 279, 292, 295, 460 Peter the Great, 45, 71 Pomerance, C., 198 Peterson’s (code), 76 Poore, Ralph Spencer, 190 Phaistos, disc of, 26, Plate A Porta, Giovanni Battista see Della Phi, 327-328, 332, 345 Porta, Giambattista Phi Test, 345-349, 416 PORTA encryption step, 41, 130, 159-160, Philby, Harold, 164 225, 268, 271-272, 280, 382 Philip II of Spain, 70 Postal Congress, International, 112 Phillips, Cecil James, 164 Poste de Commandement Bruno, 447 photoelectric sensing, 335, 338, 339, 344, powers of a mixed alphabet, 50, 52, 84, 106, 345, 372, 373 107, 127, 156, 374 picture encryption, 175-178 ppmpqs, 198 picture transmission, 495 Pratt, Fletcher, 306, 500 Pierce, Clayton, 143 Praun, Albert, 211 pig Latin, 22 preamble, 432, 439, 469 ‘pigpen’ cipher, 45 Pretty Good Privacy (PGP), 191-192, 228 pinion/cogwheel, 124, 148 primary alphabet, 106-109, 130, 142, 168, Piper, F., 499 169, 350, 354-355, 357-359, 364, 373 placode, plain code, 370-373, 414-415 primitive root, 200 plaintext, 32-42, 43, 46 priming key, 159-161, 188 – vocabulary, 33 PRIMROSE, 482 518 Index private key, 194-196, 480 RATTLER, 339, 457 Prof’s book, 281, 416, 443 Rave, Cort, 415, 472 probable word, 214, 217, 224, 245, 259-264, Raven, Frank, 156 265, 268-272, 273-281, 459-462, 467, 479 Razvedupr, 476 progressive encryption, 140, 145, 157, 275 RC2, RC4, 190 properly self-reciprocal, 47, 115, 130, 143, rebus, 69 225, 238, 268, 433 reciphering, 171 protocol, 209, 230, 485 reciprocal pairs, 88-90, 182, 183 pseudorandom keytext, 168, 188, 192, 495 ‘Reciprocal ENIGMA’, 115 Psi, 324-325, 326, 327, 328-329 recovery exponent, 205-207, 208 Psi-wheel, 393-395, 403,, 404, 410 rectangle method, 409 Ptydepe, 258 RED (code), 77, 214 public cryptography, 7-8, 32 210, 236, 480 RED (key net), 443, 447, 448, 484 – key system, V, 193, 195-208, 210 RED (machine), 87, 153-156, 415 punched card machines, 279, 333-335, 415 reductio ad absurdum, 446 punched sheets, 442-443, 445-447 reencipherment, reencodement, 224, 420 punctuation, 19, 20, 38-39, 224, 309-310 reflector, 114-118, 120, 121, 123-125, 288 pure (cryptosystem), 43, 170, 377-378, 388 –, pluggable, 120, 123, 286, 457 pure cryptanalysis, 217, 265, 310, 314, 338, reflection, 47-49, 51, 52, 60, 8, 142, 187, 378 394, 454, 478-480, 486 –, genuine, 48 PURPLE, 4, 153-156, 415, 476, 482 reglette,52 Pyry, 442-443, 446 regular matrix, 83, 85, 86, 90, 460 PYTHON, 339, 457 Reichling, Walter, 18 Reichsbahn, Deutsche, 118, 124, 375 Qalqashandi, 45 Reichsluftfahrtministerium,32 Q-boat, 444 Reichs-Marineamt, 111-112 ‘QEP’, 406 Reichspost, Deutsche, 10, 118 quadratic sieve, 198, 199, 201 Quadratic Reciprocity, 202 Reichssicherheitshauptamt, 60-61, 470 quasi-nonperiodic key, 144-145, 158, 161, Reichswehr, 32, 48, 117-118, 166, 433, 474 217, 460 Rejewski, Marian, VII, 2, 2, 92, 431, 433- quaternary cipher, 40, 140 440, 442, 445, 447, 448, 477, 482, 496 quatsch, 216, 406 Remmert, Reinhold, 84 ‘Quex’, 3 R´enyi, Alfred, 329, 485 quinary cipher, 40 R´enyi-a-entropy, 329 Quine, Willard Van Orman, 3 Reparto crittografico, 259 quinpartite simple substitution, 55 repeat rate, 416 QWERTZU... , 433, 436, 438 repetitions, 335, 339-345, 346, 351, 359, 365 –, accidental, 341-344, 365 Rabin, M. O., 202 repetition pattern, 252-259 radio call signal, 60, 87 residue classes (numbers), 80, 83, 85, 181 rail fence transposition, 95 residue classes (messages), 43, 252, 371 raising to a power modulo q , 182, 202 reversed alphabet, 47, 90, 129, 173, 252 Ramsey, Frank Plumpton, 496 reversal, 291, 294 Randell, Brian, VI, 498 reverses, 76, 306 random key sequence, 161, 163, 164, 495 ‘Rex’ (Rodolphe Lemoine), 433 – text, 215, 254 Ribbentrop, Joachim von, 32, 415, 470 – variable, 488 Richelieu, Armand Jean du Plessis Duc ‘Rapid Analytical Machine’ (RAM), 339 de, 23, 98 RAPID SELECTOR, 345 Riesel, Hans, 203 Raps, August, 385 right-univalent, 33 Rasterschl¨ussel 44, 101 Rijmen, Vincent, 191 ratchet wheel notch, 117 RIJNDAEL, 191 Ratcliff, Rebecca, 470 Ringelnatz, Joachim, 21, 22 Index 519 ring setting, 117, 121, 122, 126, 148, 168, Rundstedt, Gerd von, 411, 412 219, 432, 437-441, 444, 448, 481-482 running key, 36, 140, 158, 179, 210 Rittler, Franz, 258 running down the alphabet, 245 Rivest, Ronald L., 203, 204 Russian copulation, 57, 151, 215, 260, 449 Robinson, Ralph M., 157 Russians, 3, 10, 11, 28, 49, 53, 71, 150, ROBINSON AND CLEAVER, 337, 338, 152, 162, 163, 217, 227, 280, 476, 485 407 ROCKEX, 164 SA Cipher, 37, 74 ‘rodding’, 281-284, Sacco, Luigi, VI, 131, 139, 216, 223, 236, Rogers, Henry, 75 259, 295, 296, 472, 500 Rohrbach, Hans, VI, 3, 67, 135, 217, 220, safe primes, 183, 207 224, 235, 255, 256, 278-280, 281, 464, 471 Safford, Laurance F., 3, 150 Rohrbach’s maxim, 224, 256, 266, 354-355, Saga, 281, 436 365, 428, 460, 472, 474, 477, 482-483, 497 Saint-Cyr slide, 41, 52, 129 Rohwer, J¨urgen, 121,155,212,415,473, 498 Sale, Tony, 168 Romanini, Ch. Vesin de, 295 Salomaa, Arto, 43, 146, 170, 196, 197, 199, Rommel, Erwin, 223, 411, 448, 474 203, 204, 207, 499 ROMSing, 416 Sampling Theorem, 495 Ronge, Maximilian, 259, 472 Sandherr, Jean, 213 Room 40 , 420, 443, 484 Sandwith, Humphrey, 442 Room 47 Foreign Office, 31, 442 ‘saw-buck’ principle, 335, 338, 344, 407 Roosevelt, Franklin Delano, 10, 69, 77, 135, Satzbuch, 72, 73, 78, 172 152, 214, 221, 224, 423, 456, 475 Sayre, David, 486 Rosen, Leo, 4, 155, 286, 476 S-box, 184, 185, 189 Rosenberg, Julius and Ethel, 164 Schauffler, Rudolf, 162, 415 Rossberg, Ehrhard, 170, 387 Schellenberg, Walter, 10, 32, 60 Rosser, Barkley, 3 Scherbius, Arthur, 111, 112, 113, 114, 145, Rossignol, Antoine, 71, 72, 140 147, 445 rotated alphabets, 107, 109–110, 126, 137, Schiff 26 (ship), 218, 444 281-282 Schiff 45 (ship), 219 Rothstein, J., 137 Schilling von Cannstatt, Paul, 28 rotor, 110-113, 114-116, 117-126, 330 Schimmel, Annemarie, 278 –, ‘fast’ (rightmost), 148, 282, 284, 436, 439 Schleyer, Johann Martin, 368 –, ‘medium’ (middle), 148, 282, 284-286, Schl¨usselger¨at 41, 147 –, ‘slow’ (leftmost), 148 Schl¨usselheft, 69, 172 ROTOR encryption step, 109-110, 169, Schl¨usselkenngruppe, 412, 444 281, 357 Schl¨usselzusatz, 171, 372, 387-389, 397, rotor movement,irregular, 145-148,151,155 Plate N –, regular, 145-146, 148 Schmidt, Arno, 30 rotor order see wheel order –, Hans-Thilo (Asch´e), 118, 432, 433, 437 Rotscheidt, Wilhelm, 415 –, Rudolf, 118, 433 Rotterdam-Ger¨at, 221 Schneickert, Hans, 97, 500 rotwelsch,15 Schneier, Bruce, 499 route transcription, 94 Schnelltelegraph. 385 row-column transcription, 94 Schnorr, Claus-Peter, 163, 209 Rowlett, Frank, 87, 123, 150, 151, 154, 155, Schott, Caspar, 9, 128 163, 471, 483, 498 Schr¨oder, Georg, 472 Royal Flags Wave Kings Above, 148 Schur, Issai, 496 R´o˙zycki, Jerzy, VII, 166, 415, 415-418, Schwab, Henri, 469 431, 437, 440, 442, 447 scissors-and-paste method, 251, 464 RSA method, 203-205, 207-208, 210 scoring, method of, 416 R.S.H.A. Amt VI , 60, 61, 470 SCORPION (key net), 448, 482 Rudolf, Erzherzog von Habsburg, 97, 97 scrambler, 445-446, 448-451, 453-456, 482 Rudolf Mosse (code), 76 ‘scrambling’ (audio), 10, 456 520 Index scritch, scritchmus, 282, 286-287, 457 –, linear, 156, 461-463 SD see Sicherheitsdienst shifted alphabets, 52, 107-109, 137 SEAHORSE, ‘Bertok’ (key net), 482 shrdlu, 296 Sebag-Montefiori, Hugh, 418, 498 shredding, 162, 218 secrecy, 2, 9, 13, 25, 26, 27, 30, 69-70, 194 Shulman, David, 500 Secret Intelligence Service (S.I.S.), 30 Sicherheitsdienst (SD), 32, 66, 118, 438, 439 secret marks, 14, 28, 44-45, 69 Siemens Geheimschreiber T 52, 29, 55, 161, secret writing, covert, 9, 14, 24, 139 170-171, 387-389, 393, 395-396, 398, 483 –, masked, 13-16, 18, 24 Siemens SFM T 43 see T43 –, overt, 9, 14, 24, 32 SIGABA =ˆ M-134-C, 123, 150, 151, 220, –, veiled, 19, 23, 24 481 secure sockets layer (SSL), 192 SIGCUM =ˆ M-228, 163, 483 security check, 209, 218 SIGFOY =ˆ M-325, 151 Seifert, Walther, 472 SIGINT, VII Selchow, Kurt, 415 SIGMYC =ˆ M-134-A, 123, 163 self-reciprocal linear substitution, 82 Signal Corps US Army, 31, 79, 135, 151, self-reciprocal matrix, 85, 86 152, 342 self-reciprocal permutation, 47, 48, 90, Signal Intelligence Service see SIS 115, 172, 256, 340, 383, 386, 392, 434, 482 Signal Security Agency US Army, 220, self-steckered letter, 445, 451 286 Selmer, Ernst S., 3, 157, 398 signature, 195, 196, 203, 209 semagram, 10, 11, 12, 24, 53 SIGPIK, SIGSYG, 78 senary cipher, 40 SIGTOT, 135, 143, 163, 280 senseless, 134, 143, 161-162 ‘sillies’ see cillies sequential analysis, 416 Silverman, R. D., 198 sequential Bayes rule, 416 bis Silvestri, Jacobus, 52, 127 Service de Renseignements (S.R. 2 ), 32 Silvestri disk, 52, 127 Servizio Informazione Militare (S.I.M.), Simeone de Crema, 45, 55 32 similarity transformation, 100, 107, 110 Service ENIGMA, 118 ‘simultaneous scanning’, 445 Sestri, Giovanni, 129 simple linear substitution, 87 session key, 188, see message setting simple substitution, 44-57 SG 41, 147 Sinclair, Sir Hugh P. F., 3 Shakespeare, William, 30 Shamir, Adi, 189, 203, 204 Sinkov, Abraham, 3, 4, 87, 150, 238, 307, 348, 349, 358, 361, 362, 424, 471, 497 Shanks, Daniel, 200 (SHANN), 489-492 S.I.S. (Secret Intelligence Service), 30 Shannon, Claude Elwood, VI,3,25,25, 26, SIS (US Army Signal Intelligence Ser- 27, 104, 139, 160, 170, 173, 184, 215, 225, vice), 333, 454, 457, 459, 464 247, 252, 267, 291, 329, 371, 416, 456, 495 Sittler, F. J., 75, 172 Shannon cryptosystem, 43, 159, 212, 268, Sittler (code), 75 278, 280, 289, 378, 379, 489-490 SKIPJACK, 191, 229 Shannon entropy, 329, 416, 494 skytale, 104, Shannon’s Information Theory, 104, 225, Slater (code), 75 247, 485, 487-495 ‘Sleipnir’ (key net), 483 Shannon’s Main Theorem, 492 slide, 41, 51-52, 109, 129 Shannon’s maxim, 29, 30, 150, 158, 210, slide method, 356-358 211, 222, 237, 244, 358, 481 slip-ring, 111, 150 Shannon’s Mixing, 174, 178 Small, Albert, 155 Shannon’s Yardsticks, 225 small capitals (crypto characters), 41 SHARK see ‘Triton’ (key net) smart card, 208 Shaw, Harold R., 12 Smid, M. E., 184 shift number, 128 Smith, Francis O. J., 73 shift register, 156-157, 215, 461, 463-463 Smith, Michael, 485, 498 Index 521

Smith, Laurence Dwight, 95, 211, 295, Strachey, Oliver, 153, 443 296, 300, 497 straddling, 34, 35, 36, 55-57 Smith, W. W., 316 strategy of alignment, 361-362, 371-372 Smith-Corona Co., 146 stream encryption, –cipher, 35, 161 SNEGOPAD (‘snowfall’), 57 STRETCH, 458 Snyder, Samuel S., 155, 457 strip devices, 51, 52, 145, 134-136, 145, 224, S.O.E., 101 269, 272-274, 277, 278-281, 289, 474-475 Solzhenitsyn, Alexander, 53 strip method, 250, 251, 282-284, 355-358 Sonderdienst Dahlem, 278, 280, 372, 470 Stripp, Alan, 472, 498 Sonderschl¨ussel, 420 stripping off superencryption, 63, 334, 338, Sophie Germain prime, 183 350, 370-373, 415, 446, 467, 469, 473, 479 Sora, Iacomo Boncampagni Duke of, 339 Stuart, Mary, 70 Sorge, Richard, 57 Stummel, Ludwig, 219, 221, 420 Soudart, E.-A., 41, 296, 300, 500 ‘sturgeon’, 170, 395 ‘Spalierverfahren’, 61 subexponential complexity, 198, 201 Spanish Civil War, 149 substitution, 18, 24, 37, 42, 44-57, 58-79 Spanish-American War, 281 –, binary linear, 86 Sperr-Ring, 121 –, bipartite digraphic, 59-61, 67 Spezialvergleicher, 464 –, bipartite simple, 53-55 Spets otdel,32 –, decomposed linear, 87-90 spreading of encryption errors, 160, 226 –, digraphic, 58, 248 spoonerism, 66, 94 –, linear, 80-92, 240, 248, 459-460 Spruchkopf, 102 –, linear polygraphic, 174-178, 459-460 Spruchschl¨ussel see message setting –, monocyclic simple, 48-49, 238 –, chiffrierter, 432 –, multipartite simple, 53-55, 174 spurt, 10 –, polygraphic, 58-68, 93, 171-172, 239- Spruchtarnger¨at STG-61, 79, 240, 252 spy cipher, 56 –, properly self-reciprocal, 47, 115, 238, squadra penetrazione, 214, 475 268, 433 434, 437, 451 squaring modulo q , 183, 200, 202 –, self-reciprocal, 47 Squid (link), 406, 411, 412 –, self-reciprocal linear, 82 standard alphabet, 46, 49, 80, 107, 127 –, simple, 44-45, 87 Stanmore outstation, 447, 454 –, tripartite digraphic, 63 ‘Station X’, 31, 442 –, tripartite simple, 54 Statistical Almanac, 42 –, unipartite simple, 35, 44-45, 238 stator, 115, 118, 124-125 substitutiona ` double clef , 141 Steckerbrett, 48, 118 – `a triple clef , 142, 468 ‘steckering’, Steckerverbindung, 117-118, substitution notation, 46 120, 121 168, 173, 286, 288, 339, 432 subtractor, 128, 389, 473 438, 444, 448, 454, 482 ‘S¨ud’ (key net), 439 steganography, linguistic, 9, 10, 12, 24, 25 Suetonius, 49 –, technical, 9, 10, 24 suffixing, parasitic, 20 Stein, Karl, VI, VIII, 451 Sullivan, Geoff, 124, 125 Steinbr¨uggen, Ralf, 37 superencryption, superenciphering, 171- Steiner & Stern (code), 75 173, 223, 370-373, 413, 415, 421, 431, 438, Steiner’s theorem, 324 446, 473-474, 476, 480 stencil encryption, 101, 102, 473 superimposition, 375-401, 412, 419, 425, STG–61, 79 431, 442, 447, 467, 478 Stickleback (link), 411 –, in-phase, 412 Stimson, Henry L., 152, 227 SUPER ROBINSON, 338, 409 Stirling’s formula, 237 SUPERSCRITCHER, 286, 287, 457 stochastic source, 163, 292, 322, 325 surjective, 33, 42 Strachey, Christopher, 443 swap, 48, 383, 396 Strachey, Lytton, 443 swapping of roles, 380, 421, 460 522 Index

Swift, Jonathan, 22, 104, 466 three-digit code, 78 Swiss ENIGMA (ENIGMA K), 117, 125 three-letter code, 75, 78 switchboard, 110 ‘throw-on’ indicator system, 431 SYKO, 132 Thue, Axel, 158 symbolic addition, 171, 180 Tibbals, Cyrus (code), 76 symmetric functions, 328 Tiltman, John H., 63, 66, 375, 387, 389, 389 symmetric encryption methods, 194-196 Timms, Geoffrey A., 499 sym´etrie de position (symmetry of po- Tokumu Han, 32, 475 sition), 365-370, 371, 377, 379, 413, 421 Tolstoy, Sergei, 472, 476 synthetic language, 215 Tomash, Erwin, 457 SZ 40, SZ 42, SZ 42a (Lorenz), 29, 161, tomographic methods, 64-67, 179-180 162, 171, 338, 372, 387-389, 394, 397– Tompkins, Charles B., 4587 398, 401, 408, 411, 412, 483, Plate N Tordella, Louis, 476 SZ3-92, 299, 302, 305, 319, 322 totient function ϕ, 90, 203, 238 Szekeres, G., 496 Townsend, Robert, 71, 256 Szemer´edi, E., 496 traffic analysis, VII traffic padding, 212, 215 T 43 (Siemens SFM T 43), 143, 162, 171 Tranow, Wilhelm, 472, 474 T52a,T52b,T52c,T52d,T52e (Siemens), transitive cryptosystem, 277, 378 29, 161, 170-171, 395-399, 408, 410, 483 translation, 81, 240 T-52, T-55 (Hagelin), 163 transposition, 24, 93-105, 169-174, 178- tabula recta, 108, 127, 137, 140, 141, 145, 179, 184, 216, 240-241, 244-249, 251, 364, 367, 368, 428, 429 290-291, 293, 322, 324, 328, 395, 464 – – with permuted headline, 430 –, block, 98, 169, 464 Tagesschl¨ussel, 168, 431, 432, 433, 437, 441 –, double columnar, 27, 100, 244, 467 Takagi, Shiro, 3, 335 –, feigning a, 59 Talleyrand, Charles Maurice de, 71 –, mixed-rows block, 99, 100, 467 Tallmadge, Benjamin, 71 –, mixed-rows columnar, 99, 100, 178, 467 tamper-proof key carriers, 168, 192, 480 –, Nihilist, 99 Tannenberg, battle of, 217, 484 –, simple columnar, 98, 140, 153 Tarpon (link), 411 transposition double, 99, 100 Tartaglia, Niccol`o, 486 trapdoor, 189, 197- 202, 203 Taunt, Derek, VIII, 286, 457 – one-way functions, 197 Technical Operations Division, 17 ‘treble key’, 142, 430 telegraphic English, 301 trellis cipher, 95 Telescand (code), 75 trench codes, 78, 464 Ÿ5 Ÿ teletype code CCITT 2 ( 2, 25 ), 382 Trevanion, Sir John, 9, 19 ten-letter code, 40 trifide,35 ternary substitution, 54 trigram, 35 TESSIE, 373 – coincidences (repetitions), 335, 416 Tester, Ralph, 395, 401, 406, 409, 410 – frequencies, 305, 308, 340 Testery, 401, 406, 409, 410 – repetitions, 341, 344, 359, 365 test register, 446, 449, 451, 453, 454 trigraphic substitution, 68, 239, 248 test texts for teletype lines, 267 tripartite, 35 TETRA, 344 triple clef , 142, 430 tetragram, 35 triple-DES, 190 tetragraphic substitution, 68, 248 Trithemius, 9, 15, 16, 17, 39, 40, 54, 127 text setting see message setting 140, 142, 145, 159 theta series, 84 ‘Triton’, SHARK (key net), 121, 219, 456- ‘Thetis’ (key net), 483 457 thieves’ Latin, 15 Trotzki, Lev Davidovich, 32 Thomas, E. E., 221 ‘tunny’, 171, 389, 393-394, 395, 398, 401, Thompson, Eric, 236 403, 406, 408, 410–412, 499 THRASHER, 143, 162 Turbot (link), 411 Index 523

Turing, Alan Mathison, VII, 2, 2, 61, 91-92, variants, 22, 33, 34, 37, 128, 244-251, 272 173, 199, 237, 281, 284, 288, 395, 401, 410, variantea ` l’allemande, 130 415-418, 436, 438, 443-457, 478, 486, 498 variante de Richelieu,98 Turing BOMBE, 173, 447, 448-451, 454 V¯ats¯ayana, 47 Turing-Welchman BOMBE, 451-456 Vaz Subtil (code), 75 Turingery, 395, 410 Venona breaks, 164 turning grille, 78, 95-96 Verfahrenkenngruppe, 417, 444 turnover, 148, 149, 418 Verlaine, Paul, 17 T¨urkel, Siegfried, 5, 499 Verlan, 22 TURTLE (key net), 481 Vernam, Gilbert S., 29, 55, 134-135, 142, Tut Latin, 21 143, 330, 382, 384, 386, 386 Tutte, William Thomas, 338, 393–395, VERNAM encryption step, 142, 143, 157, 401–406, 410 158, 161-164, 170-171, 382, 384, 395, 463, ‘Twenty Committee’, 15 387, 490, 492 Twinn, Peter, 92, 149, 433, 439, 444, 478 Vernam type machine, 135, 162, 492, 493 two-character differential, 76 Verne, Jules, 95, 128 2-cycle, 48, 169, 284-286, 300, 434-435 vertically continued alphabets, 107-108 two-part code, two-part nomenclator, 72 Vesin de Romanini, Charles Fran¸cois, 295, TYPEX, 123, 149-151, 482, Plate L 500 Vetsera, Mary, 97 ubchi, 100, 469 Vetterlein, Kurt, 10 U-boat U-13, U-33, 218 Viaris, Ga¨etan Henri L´eon Marquis de, U-boat U-110, 61, 218 29, 75, 129-130, 134, 136-137, 222, 272- U-boat U-505,61 280, 276, 278, 341, 500 U-boat U-559, 219, 421 ‘Victory’, 447, 454 U-boat U-570, 219 Vienna-Athens (link) 384, 389 Uhr box, 120, 482, Plate M Vi`ete, Fran¸cois, 2, 70 Ulbricht, Heinz, 124 Vigen`ere, Blaise de, 6, 10, 28, 127, 131, 141- ULTRA, 4, 155, 226 142, 159, 161, 217, 272 Umkehrwalze, Umkerwaltz, 114, 120 VIGENERE` encryption step, 27, 127, 128- unambiguous, 26, 33 42 129, 130, 140, 142, 143, 156-157, 159-161, unauthorized decryption, 2,3,25,26,32, 97, 166, 171, 173, 174, 179, 193, 223, 239, 242- 101, 106, 134, 159, 169, 180, 189, 194, 211, 243, 244, 248, 274, 280, 291, 322, 324, 328, 215, 217, 220, 224, 230, 232, 235, 237, 244, 340, 350-351, 354, 355, 359, 369, 370, 379, 251, 272, 273, 278, 291, 292, 314, 316, 317, 381, 421, 461, 463, 469, 474, 490, 492 341, 344, 355, 356, 358, 373, 375, 388, 389, Vinay, Emile,´ 129 397, 399, 467, 470, 472, 476, 478, 481 VIPER, 339, 457 uncertainty, 487 vocabulary, 33 ‘Uncle Walter’, 114, 120 Voigt, Eberhard, 500 unicity distance, 104, 139, 246-248, 257, Volap¨uk, 368-369 266, 318-319, 493-494 Voltaire [Fran¸cois Marie Arouet], 471 unipartite, 35, 44-46, 87 von dem Bach-Zelewski, Erich, 66 Universal Trade Code (Yardley), 152 von Rundstedt, Gerd, 411–412 UNIX, 197 vowel distances, 309 Urf´e, Madame d’, 28 ‘vowel-solution method’, 312 US Intelligence Board (USIB), 30 VP 26 (ship), 218, 444 Uz`es, 447 VP 5904 (ship), 61 VULTURE I (Schl¨usselnetz), 448 vacuum tube noise, 164 Val´erio, P., 295, 307, 373, 500 Waggoner, Thomas A. Jr., 421 van der Waerden, Bartel Leendert, 496 Wake and Kiska islands, 269 van Wijngaarden, Adrian, 11 Wallis, John, 2, 9, 71 Variant Beaufort, 6, 129-130 Wald, Abraham, 416 Variant Vigen`ere, 6, 129-130 WALRUS, 456 524 Index

Walter (code), 75 Williams, Samuel B., 454 Walze, 111 Williamson, Malcolm, 167 Walzenlage, 121, 223, 432 Wills, John, 75 Wanderer-Werke, 147 Willson, Russell, 134 WAOSH (DKTNFQGWAOSH), 389 Wilson, Woodrow, 128, 484 WARLOCK, 339 Winkel, Brian J., 354, 500 War Station, 31 Winterbotham, Frederick W., 92, 226, 497 Washington, George, 71 Witt, Ernst, VI, 355, 372 WASP (key net), 448 Witzleben, Erwin von, 173 Wassenaar Arrangement, 231 Wolseley, Lord Garnet J., 365 W¨asstr¨om, Sven, 131 Women’s Royal Naval Service, 173 Watt, Donald Cameron, 431 Woodhull, Sam, 71, 256 Weaver, Warren, 3, 329 word frequency, 306 Weber, Heinrich, 123 word length frequency, 309 Wehrmacht ENIGMA, 48, 118-121, 122, word spacing, 38, 40, 204, 216, 224, 255, 124-126, 147-149, 166, 168, 284 256, 264, 267, 306, 309-310 Wehrmachtnachrichtenverbindungen Wright, Ernest Vincent, 257-258 Chiffrierwesen, 32, 147, 269, 335, 344, W/T RED FORM, 388 372, 415, 419, 451, 464, 470, 474 W¨usteney, Herbert, 170, 397, 500 Weierstraß, Karl, 218, 496 WWW Software Communicator, 192 Weierud, Frode, VIII, 124, 125 Wyt´ornia Radiotechniza AVA, 439 Weigel, Erhard, 40 Wylie, Shaun, 401, 479 ‘weight of evidence’, 416 Wynn-Williams, C. E., 338 Weisband, William, 164 Weiss, Georg, 500 xB-Dienst see B-Dienst X-ray crystallography, 486 Weitzenb¨ock, Roland, 20 X-68003 (MADAME X), 454 Welchman, Gordon, VII, 6, 92, 117, 148, 173,220,224,431,443,445-446,447, 448, Yardley, Herbert O., 31, 151, 152, 153, 451-454,452,456,478,482,484,498 443, 472, 476, 500 Wenger, Joseph N., 338, 456 YELLOW (key net), 447 Werftschl¨ussel, 420 West, Nigel [Rupert Allason], 3 Z3,Z4, 410 Western Union Code, 76 Zahlenwurm, 161 Wetterkurzschl¨ussel, 73, 218 Zeichenvergleichslabyrinth, 335 Wheatstone, Charles, 5, 27, 50, 64, 65, 70, Zellweger A.G., 123 145, 225, Plate C Zener diode, 164 wheel breaking, 401, 409, 410, 411 Zentralstelle f¨ur das Chiffrierwesen wheel movement, irregular, 145-148, 151 (ZfCh), 32, 470 –, regular, 145-146, 149 zero-knowledge proof, 485 wheel setting, basic see ground setting Ziegenr¨ucker, Joachim, 278 wheel setting, finding the, 401, 404-407, 410 zig-zag method, 281, 378-381 wheel order, 120-122, 168, 432, 454, 481 Zimmermann, Arthur, 484 White, Harry D., 164 Zimmermann, Philip R., 192, 228, 236 Whitehead, J. H. C., 401 Zimmermann telegram, 484 Whitelaw’s Telegraph Cyphers, 40 Zipf, George K., 302 Whiting (link), 411 ZMUG (HQIBPEXEZMUG), 387, 389, Whittaker, E. T., 495 393, 394, 409 Widman, Kjell-Ove, VIII Zossen (‘Zeppelin’), 162 Wiener, M. J., 191, 208 Zuse, Konrad, 29, 410 Wilkins, John, 9, 25, 40 Zygalski, Henryk, 431, 437, 441, 447 Williams, H. C., 202 Zygalski sheets, 173, 417, 441, 442-447 Photo Credits

Kahn, David, The Codebreakers. Macmillan, New York 1967: Figs. 1, 4, 5, 12, 23, 29, 30, 31, 34, 35, 36, 37, 38, 39, 41, 69, 82 Smith, Laurence Dwight, Cryptography. Dover, New York 1955: Figs. 3, 16, 24, 65 Bayerische Staatsbibliothek M¨unchen Figs. 10, 64 Crypto AG, Zug, Switzerland: Figs. 51, 66, 67, 72, 73, Plates L, O, P Deavours, Cipher A. and Kruh, Louis, Machine Cryptography and Modern Cryptanalysis. Artech House, Dedham, MA 1985: Figs. 78, 79, 80, 81 Bundesamt f¨ur Sicherheit in der Informationstechnik, Bonn: Fig. 76 Public Record Office, London: Figs. 165, 182 FRA, Bromma, Sweden: Fig. 164 National Museum of American History, Washington: Fig. 183 Deutsches Museum (Reinhard Krause), Munich, Germany: Plates A, B, C, D, F, G, I, K, N, Q Russell, Francis, The Secret War. Time-Life Books, Chicago, IL 1981: Plates E, H, M

Solution for the second Cryptoquip of Fig. 101: I=m . Entry with search for patterns results in 1211234 (for KRKKRLH) and 53675 (for ULZIU) . Among the one or two dozen possible instantiations only very few are not too weird. Among those, /peppery/, followed by (for 5r675) /aroma/ are suitable and lead to further success: KRKKRLH PLRU I OZGK AYMMGORA U LYPQ, QRUAH UL Z I U peppery re p e r , e y r peppery ream o p e a r , ea y aroma peppery cream soup use a r c , ea y aroma peppery cream soup i use a r i ch, hea y aroma peppery cream soup di used a r i ch, heady aroma peppery cream soup di f fused a r i ch, heady aroma