Solving a Tunny Challenge with Computerized “Testery” Methods
George Lasry
The DECRYPT Project

Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020

Abstract

The Lorenz SZ42, codenamed Tunny, was a teleprinter encryption device used by Germany during WW2 for strategic communications. Its successful cryptanalysis at Bletchley Park (BP) provided the Allies with high-grade intelligence about several fronts, as well as for the preparations for the D-Day landings. The story of Tunny's codebreaking and Colossus is well known, following the declassification of the General Report on Tunny in 2000 (Good et al., 1945), and the publication of several books (Reeds et al., 2015; Gannon, 2014; Copeland, 2010; Roberts, 2017; Mayo-Smith, 2014). The work on Colossus and other machines was carried out in the Newmanry, under the leadership of the mathematician Max Newman.

The work of the Testery, the other Tunny section at BP, is less known. Named after its commander, Major Ralph Tester, the Testery was responsible for the development and application of hand methods that complemented the work of machines like Colossus. For some reason, the report on the Testery was not declassified until 2018. Following its recent release, it is possible to fully assess the achievements of the Testery cryptanalysts and their key contribution to BP's success against Tunny (Testery, 1945).

The work described in this article is an attempt to determine whether the Testery manual methods can be mechanized with modern computing. The author was able to automate some of the techniques and partially automate some others. With these techniques, the author also succeeded in recovering the key settings and the plaintext of two Tunny challenge messages.

This article is structured as follows: In Section 1, a functional description of the Lorenz SZ42 is given. In Section 2, the contents of the Testery report are surveyed, highlighting the parts that reveal new information. In Section 3, the primary techniques for the cryptanalysis of Tunny are described. In Section 4, a Tunny cipher challenge is introduced. In Section 5, new automated or partially automated versions of the Testery manual methods are described, as well as how they were used to solve the Tunny cipher challenge. In Section 6, the main results of this study are summarized.

1 The Lorenz SZ42 (Tunny)

The history of the Lorenz SZ42 and the details of its design and functioning are documented in the references (Reeds et al., 2015; Gannon, 2014; Copeland, 2010). In this section, only a brief functional description is given.

The Lorenz SZ42 is a teleprinter encryption device. It encodes Baudot teleprinter symbols that consist of five impulses. Each impulse can have one of two states. It can be active, denoted as cross according to BP terminology, or x. Or it can be inactive, denoted as dot or •. The Baudot alphabet, as well as BP's notation for the Baudot symbols, is given in Table 1.

Symbol   BP Notation   Meaning in Letter Shift   Meaning in Figure Shift
•••••    /             null
••••x    E             E                         3
•••x•    4             carriage return
•••xx    A             A                         -
••x••    9             space
••x•x    S             S                         ’
••xx•    I             I                         8
••xxx    U             U                         7
•x•••    3             line feed
•x••x    D             D                         Who are you?
•x•x•    R             R                         4
•x•xx    J             J                         BELL
•xx••    N             N                         ,
•xx•x    F             F                         %
•xxx•    C             C                         :
•xxxx    K             K                         (
x••••    T             T                         5
x•••x    Z             Z                         +
x••x•    L             L                         )
x••xx    W             W                         2
x•x••    H             H                         £
x•x•x    Y             Y                         6
x•xx•    P             P                         0
x•xxx    Q             Q                         1
xx•••    O             O                         9
xx••x    B             B                         ?
xx•x•    G             G                         &
xx•xx    5 or +        figure shift
xxx••    M             M                         .
xxx•x    X             X                         /
xxxx•    V             V                         ;
xxxxx    8 or -        letter shift

Table 1: The Baudot Teleprinter Alphabet

The Lorenz SZ42 functions as a Vernam device. It applies an XOR addition (denoted as ⊕) to encrypt plaintext Baudot symbols. The effect of the XOR operation on a pair of impulses a and b is described in Table 2. The XOR operation can also be applied to a pair of Baudot symbols with five impulses each. In that case, it is applied sequentially one impulse at a time. An example is given in Table 3. It should be noted that adding (using an XOR addition) a symbol to itself results in the symbol ••••• which has only dots, as illustrated in Table 4.

a   b   a ⊕ b
•   •   •
•   x   x
x   •   x
x   x   •

Table 2: The XOR (⊕) Operation

K       •xxxx
G       xx•x•
K ⊕ G   x•x•x

Table 3: XOR (⊕) on the Symbols K and G

G       xx•x•
G       xx•x•
G ⊕ G   •••••

Table 4: XOR (⊕) on the Same Symbol

The Lorenz SZ42 generates a keystream K of pseudo-random symbols and performs an XOR addition on a stream of plaintext P, producing the ciphertext Z, as described in Equation 1, the encryption formula.

Z = P ⊕ K (1)

Encryption and decryption are implemented identically. This is possible since adding (XOR) the keystream K to the ciphertext Z cancels out the effect of the keystream K originally added during encryption, as shown in Equation 2, the decryption formula.

Z ⊕ K = (P ⊕ K) ⊕ K = P ⊕ (K ⊕ K) = P (2)

As a result, two machines using identical settings can communicate properly, one side encrypting plaintext and transmitting ciphertext, the other receiving and decrypting the ciphertext.

The functioning of the Lorenz SZ42 is illustrated in Figure 3 in the Appendix. The keystream K is generated by a set of twelve wheels, divided into three functional groups:

• Five χ wheels, χ1 to χ5: Those wheels have 41, 31, 29, 26, and 23 pins, respectively. Each pin can be set to either an active (cross) or an inactive (dot) state. The χ wheels regularly step after the encryption (or decryption) of each symbol. The stream of Baudot symbols generated by the five χ wheels is denoted as the χ stream.

• Five ψ wheels, ψ1 to ψ5: Those wheels have 43, 47, 51, 53, and 59 pins, respectively. Each pin can be set to either an active or an inactive state. Their stepping is governed by the motor wheels. Either all five ψ wheels step or none of them steps. The actual stream of symbols generated by the ψ wheels is denoted as the ψ′ stream. It differs from a theoretical ψ stream that would have been generated if the ψ wheels always stepped. The ψ′ stream is an extended version of the ψ stream, with symbols duplicated at positions where the ψ wheels did not step.

• Two motor or μ wheels, μ1 and μ2: Wheel μ1 has 61 pins, which govern the stepping of wheel μ2. If the current pin of wheel μ1 is active (cross), wheel μ2 steps. Wheel μ2 has 37 pins, and if its current pin is active, all five ψ wheels step. The single-impulse stream generated by wheel μ2 is denoted as the base motor stream. In later models of the Lorenz SZ42, various motor limitations were introduced to reduce the number of motor stops, that is, positions where the ψ wheels are not stepping.¹

The keystream K consists of the (XOR) addition of two streams, χ and ψ′:

K = χ ⊕ ψ′ (3)

Therefore:

Z = P ⊕ K = P ⊕ χ ⊕ ψ′ (4)

We define D, also known as the dechi stream (or simply, the dechi), as:

D = Z ⊕ χ (5)

The term dechi originates from the fact that we are removing χ from the ciphertext Z, by adding it so that the original contribution of χ cancels out:

D = Z ⊕ χ = P ⊕ χ ⊕ ψ′ ⊕ χ = P ⊕ ψ′ (6)

If we add ψ′ to both sides of D = P ⊕ ψ′, it also follows that P = D ⊕ ψ′.

2 The Testery Report

Figure 1: Testery Report – Table of Contents

Each of the two main Tunny sections at BP – the Newmanry and the Testery – wrote a report. The General Report on Tunny with Emphasis on Statistical Methods (GRT) was written in 1945 by I.J. Good, D. Michie, and G. Timms from the Newmanry (Good et al., 1945; Reeds et al., 2015). It was declassified in 2000. It describes in detail the work on codebreaking machines such as the Heath Robinson and Colossus in the Newmanry, as well as their mathematical and statistical foundations. While it provides a wealth of technical information, the GRT is not easy to read, and its struc-
In some places, it lacks some details or examples necessary to understand some of the key points.

The GRT only briefly mentions the work and methods of the Testery. Those hand methods are also described (in even less detail) in testimonies and books written by Testery veterans (Roberts, 2017; Mayo-Smith, 2014).

The Testery report was not declassified together with the GRT back in 2000. A possible reason is that the Testery report may have contained sensitive information about methods still in use after WW2. This contrasts with a statement by D. Michie, one of the GRT authors, who was allowed to review the Testery report, and wrote that “a good deal of [the Testery report’s] content is directly inferable from other sources, including General Report on Tunny. The full Testery report amplifies this knowledge.” (Copeland, 2010, p. 246)

In 2017, at the NSA Symposium on Cryptologic History, the author met the GCHQ historian, Dr.
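The wheel model and Equations 1 to 6 of Section 1 can be checked with a short simulation; this is an added example, not code from the paper. It assumes constructed random pin patterns, all wheels starting at pin 0, a first motor wheel that steps on every symbol and no motor limitations, and it takes symbol values from Table 1 with cross = 1; the function names and the sample plaintext are hypothetical.

```python
import random

BP = "/E4A9SIU3DRJNFCKTZLWHYPQOBG5MXV8"   # Table 1 rows in order, x = 1, dot = 0
CHI, PSI, MU1, MU2 = (41, 31, 29, 26, 23), (43, 47, 51, 53, 59), 61, 37
PLAIN = "THE9QUICK9BROWN9FOX9JUMPS9OVER9THE9LAZY9DOG"   # constructed; 9 = space

def make_key(seed):
    """Constructed pin patterns (1 = cross, 0 = dot), not historical settings."""
    rng = random.Random(seed)
    wheel = lambda n: [rng.randint(0, 1) for _ in range(n)]
    return {"chi": [wheel(n) for n in CHI], "psi": [wheel(n) for n in PSI],
            "mu1": wheel(MU1), "mu2": wheel(MU2)}

def pack(bits):
    """Five impulses -> integer, first impulse as the most significant bit."""
    return int("".join(str(b) for b in bits), 2)

def streams(key, length):
    """Return chi, psi' and a per-position flag: did the psi wheels step?"""
    chi, psi_prime, stepped = [], [], []
    psi_pos = m1 = m2 = 0                        # assumption: wheels start at pin 0
    for i in range(length):
        chi.append(pack(w[i % len(w)] for w in key["chi"]))
        psi_prime.append(pack(w[psi_pos % len(w)] for w in key["psi"]))
        psi_steps = key["mu2"][m2] == 1          # active mu2 pin: all psi wheels step
        m2 = (m2 + key["mu1"][m1]) % MU2         # active mu1 pin: mu2 steps
        m1 = (m1 + 1) % MU1                      # assumption: mu1 steps every symbol
        psi_pos += psi_steps
        stepped.append(psi_steps)
    return chi, psi_prime, stepped

def add(text, stream):
    """XOR a BP-notation string with a stream of 5-bit values."""
    return "".join(BP[BP.index(t) ^ s] for t, s in zip(text, stream))

def crypt(key, text):
    """Z = P + chi + psi' (Equation 4); the same call decrypts (Equation 2)."""
    chi, psi_prime, _ = streams(key, len(text))
    return add(add(text, chi), psi_prime)

def dechi(key, cipher):
    """D = Z + chi (Equation 5), which equals P + psi' (Equation 6)."""
    return add(cipher, streams(key, len(cipher))[0])

def motor_stop_leaks(key, plain):
    """Positions where psi' repeats, so D[i]+D[i+1] equals P[i]+P[i+1]."""
    d, stepped, v = dechi(key, crypt(key, plain)), streams(key, len(plain))[2], BP.index
    return [i for i in range(len(plain) - 1) if not stepped[i]
            and v(d[i]) ^ v(d[i + 1]) == v(plain[i]) ^ v(plain[i + 1])]
```

At every motor stop the psi' symbol repeats, so the difference between consecutive dechi symbols equals the difference between the corresponding plaintext symbols; this follows directly from Equation 6 and is what `motor_stop_leaks` confirms.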