Cracking Enigma, a (Short) Summary of the Past

Home , Banburismus, Cyclometer, Enigma machine, Harold Keen, Hugh Foss, Hut 3

Cracking Enigma, a (short) Summary of the past

Jens Hubrich Technische Universitat¨ Kaiserslautern, Embedded Systems Group j [email protected]

Abstract

This paper is focused on the Enigma I or ‘Wehrmachtsenigma’. After a short introduction giving the relevance of ciphering, the historical background of Enigmas will be described. Following the historical background, the mechanics and functionality of the whole Enigma machine and its separated parts(Rotors, Reﬂector, Plugboard) is examined. Once the mechanics are clear, the usage by operators is explained and the theoretical cryptographic strength of enigma is calculated. This Part of the work ends with a overview of the Enigma versions important to German military during Word War Two. The second part of this work is related to ‘Cracking Enigma’, the protagonists and some of their methods used to break the encryption of Enigma. In ﬁrst focus the work of Marian Rejewski, who revealed the internal wiring of the Enigma and then the one of Alan Turing which is probably the most famous person in this process with his ‘bomb’. In the end a short look at modern methods to break still unbroken messages with today technologies is given and in the conclusion it will be discussed which of the given Enigma problems are still relevant in nowadays cryptography.

1 Introduction

Since early mankind keeping informations secret is one of the main keys in military and commercial structures. Since the exclusive knowledge is a big benefit. Of course it is the same way beneficial to gain such secret knowledge. After Edward Snowden leaked secret documents, which lead to the NSA-scandal in 2013, the topic of secure communication became a widely discussed topic in public domain again.[9] During the time of WWI (World War One, 1914-1918) ciphering secret messages was done primarily by manual en- and decoding. Therefore, cryptographically strong methods needed a lot of time and their handling was pretty difficult. For more information about WWI cryptography see [7] or [16]. Around the end of WWI multiple companies and inventors developed machines to reduce the effort of ciphering drastically. For example Edward H. Hebern in the USA [26], [25], [24] or Ingenieursbureau (engineering office) ‘Securitas’ from Amsterdam [27]. The probably most famous kind of those ciphering machines was ‘Enigma’, which is the Greek word for riddle. They are known for their key role as main en- and decryption tool of German military during WWII (Second World War 1939-1945).

The next section will give a brief history about the Enigma, explain the mechanics behind it, list the different Models produced, and a assumption about its cryptographic strength. 2

2 Enigma

The Enigma machines were a series of electro-mechanical rotor cipher machines invented by Arthur Scherbius. He and E. Richard Ritter founded a ﬁrm called ‘Scherbius Ritter’ and submitted a patent for a ‘Chiffrierapperat’ (German for: ciphering machine) at 23th Feb. 1918[22]. During the late days of WWI they tried to offer the idea to the German navy, which refused. As consequence they transferred the patent to ‘Gewerkschaft Securitas’. And as a next step they offered the machines as commercial product to companies, banks, and everyone else who could have an interest in secure communication.[15] Therefore the ‘Chiffriermaschinen-Aktiengesellschaft’ was founded at 9th July 1923 with Scherbius and Ritter as directors.[19] (Which also is a good recourse for further information about the commercial history) However, the interest of the German military awakened quickly after publications like Winston Churchills ‘The world Crisis’[4] showed clearly that the manual methods used during WWI were broken and no longer provide any acceptable security. After a short test period of two years military decided to use the Enigma for secure communication in 1928 and the civil sale of the machines was stopped. Just one year later, in 1929, Scherbius died in an accident, short before the Enigma mass production was started. And in 1934 Rudolf Heimsoeth and Elsbeth Rinke took over the ”Chiffriermaschinen- Aktiengesellschaft” and went on to produce and develop the Enigma machines in their new ﬁrm ‘H&R’. As mentioned in section 1 the Enigma became the main en- and decryption tool of German military during WWII and was a huge advantage over other military forces, but when it was broken, it turned into the biggest drawback.

This work will focus on the Enigma I or ‘Wehrmachts’ Enigma, since it was the most commonly used model during WWII and includes all concepts other models were based on.

The following subsection will explain the mechanical principles which were used in Enigma machines.

2.1 Mechanics The Enigma were typewriter similar, electro-mechanical, rotor based cipher machines. The base parts were a keyboard (German: ‘Tastenfeld’), a set of rotors (German: ‘Walzen’), and a output in form of a lampboard (German: ‘Lampenbrett’). The Figure 1, taken from the original Patent of Scherbius [22, p. 4], shows the basic idea behind the ciphering machine Enigma (and all other rotor based ciphering machines). By pressing a key (a. . . f) current is passed to the connector (1) which lead it trough the rotors (2a,2b). The first rotor permute the input letter and hand the permutation to the next rotor were another permutation is applied. The connector (3) lead the result finally to the lampboard (A . . . F). At this point encryption would be done by just a simple static permutation of the signs. To Change that, the rotors rotate after each keystroke, so similar following signs are exchanged by different signs. E. g. : Input AAA, output: RGT. In the first version the rotation was established by separate gears and could be set with external handles.

2.1.1 Rotors: ‘Walzen’ The rotors are the main part of any rotor based cipher machine. At the ﬁrst models, as mentioned in subsection 2.1, the rotors were permutations only and rotated by additional gears. The military versions 3

(a) encryption (b) decryption

Figure 1: Schematic of the ciphering machine. It shows a Keyboard (a . . . f), Lampboard (A . . . F), two rotors (2a,2b), Connectors (1,3) and a switch to change between en and decoding (4)

Source: Patent [22, p. 4] had the rotation mechanics, integrated in each single rotor. During German army used ﬁve different rotors, the naval had a additional one and even increased the number to eight during the war. Those rotors were labelled by Greek numbers I-V for Army and VI-VIII for the additional naval ones. The main part of each rotor are the criss-cross connections between the contacts on both sides which are visible in Figure 2. This connections are the base permutations of each rotor. Figure 2b shows the notch (besides letter D), which is used to rotate the next rotor once per full rotation of this one, later versions of rotors had two notches. The turnovers, which were inducted by the notches, were different for most rotors as shown in Table 1, taken from [2, p. 113].

Rotor Turnover at I R II F III W IV K V A VI, VII and VIII A and N

Table 1: Turnover positions of the German military rotors as listed in [2, p. 113]

The letters written on the ring are used to define the starting orientation of each rotor by the operator. To increase the security in later development, a co-worker named Bernstein made the ring adjustable so the rotor position could be changed relative to the ring letters.[14] The ‘Wehrmachts’ Enigma could fit 3 rotors, the naval version was able to fit a fourth non rotating 4

(a) right side of a rotor (b) left side of a rotor

Figure 2: Rotors of Enigma Model ‘Wehrmacht’.

Source: https://commons.wikimedia.org/wiki/File:Enigma_rotors_and_spindle_showing_contacts_rachet_and_notch.jpg , 12:23 23.07-2018 In (a): Contacts per letter, dark gear to turn the rotor, and metal blade to set the orientation by operator. In (b): Contacts per letter, (letter) ring, and notch (at D) which turns the next rotator additional rotor of 2 versions labelled with α or γ.

2.1.2 Reﬂector: ‘Umkehrwalze’ In 1926 a Patent [23] handed in by the ‘Chiffriermaschinen-Aktiengesellschaft’ was describing a Enigma Model which didn’t need a switch to change the wiring between en- and deciphering, as it was shown in Figure 1. The base idea behind it was introduced by Willi Korn, another Employee of ‘Chiffriermaschinen- Aktiengesellschaft’. A reﬂector drum (German: ‘Umkehrwalze’) Figure 3b, was placed after the last, most left, rotor. It’s internal wiring feed the output of the rotors back into themselves as schematically shown in Figure 3a.

(a) Schematics of 3 rotor (1,2,3) Enigma, with reﬂector (4) (b) Picture of where (5) is the entry connector. Original Reﬂector

Figure 3: Reﬂector, ‘Umkehrwalze’

Sources: (a): Taken from Patent [23, p. 5] / (b): https://commons.wikimedia.org/wiki/File:EnigmaReflector.jpg, 7:30 24.07.2018

The expected beneﬁts of the reﬂector were a more easy handling of the machines, since it was not possible anymore to use a wrong mode (en- or decrypt) by mistake and a increase of the security by using each rotor twice.[23, p. 1] 5

During the first benefit is obvious true, the second one will be later known as one of the biggest drawbacks of the military Enigmas: Due to the electrical circuit issued by the reflector it became impossible to encrypt a letter with itself, since it would cause a short circuit. This made the whole system self reciprocal. There were three different reflectors labelled with A,B, and C. But usually they did not get changed in years. In the last year of WWII a fourth reflector, version D (‘Dora’), was produced but never distributed on a large scale,[1, p. 115] and so just used by a small group of German air force departments e. g. in Norway. Reflector D made possible to change the internal wiring of the reflector, which increased the key space drastically. This probably was the reason it got the British nickname ‘Uncle Dick’.[3, p. 14]

2.1.3 Plugboard: ‘Steckerbrett’

The plugboard (German: ‘Steckerbrett’) was placed on the front of the machine as illustrated in Figure 4. It consisted of pairwise female jacks, which got connected with two-core pluggable twist-resistant ca-

Figure 4: Plugboard of ‘Wehrmachts’ Enigma https://commons.wikimedia.org/wiki/File:Enigma_machine,_3_rotor_-_National_Electronics_Museum_-_DSC00197.JPG 12:00 24.07.2018 bles. Each ending of the cable consist of two pins, 3mm and 4mm radius,which were connected crossover. While the 3mm jacks were connected with the entry connector for the rotors, the 4mm ones were connected with the letters key/lamp. If no cable was plugged for a given letter, it was short out and the connection between key/lamp and rotors was direct. For example assume A was plugged with F, so if the key A was pressed it got encrypted like an F by the rotors and if the rotors output was an A the lamp F were glowing, obviously the same happened vice versa from F to A. The amount of plugged letters increased over time. The plugboard increased the keyspace dramatically and added the biggest factor to it.

The next subsection will explain how an operator had to use the Enigma.

2.2 Usage Before any en- or decryption could happen on a Enigma, it had to be set to the actual key settings for the message. The German military therefore used daily ground settings, named ‘Tagesschlussel’¨ which 6 deﬁned all the initial settings for each message send at the given day.

In addition each single message was encrypted by a own message key (German: ‘Nachrichten- schlussel’),¨ which implements a weak kind of forward secrecy1.

2.2.1 Ground setting (‘Tagesschlussel’)¨

The ground settings were distributed by the military administration in form of lists containing the initial Enigma settings per day. This include the order and choice of rotors (‘Walzenlage’), their ring setting (‘Ringstellung’), the plugged letter pairs (‘Steckverbindungen’) and a start setting (‘Grundstellung’) which deﬁnes the orientation of each rotor. In Figure 5 a imitation of a possible code card is shown. The date order was from bottom up, so old keys could be cut off and destroyed.

Geheim! Tagesschl¨ussel

Datum Walzenlage Ringstellung Steckverbindungen Grundstellung 31. IV I III THF AE CD OH LE NT SR PU WK IF VM IFE 30. II IV V AGP GF HJ LU ZV WA YP KT NM OI BX XGA 29. III II I KEP UX PB TA ED ST IO LW FV KM NJ UWN ......

Figure 5: Imitation of a ‘Tagesschlussel’¨ table given for a speciﬁc month

2.2.2 Message key(‘Nachrichtenschlussel’)¨

The message key was a random chosen start setting (‘Grundstellung’) of the rotors encrypted by the daily ground setting. To be able to spot transmission errors the sequence of 3 letters for the chosen start setting got repeated once, then encrypted by the today ground setting and transmitted as ﬁrst 6 letters of the message. The recipient who wanted to decrypt the message started decrypting the ﬁrst 6 letters by typing them on its Enigma with the known ground setting and then used the received start setting to decrypt the rest of the message.[28] The repetition of the message key got practised until 1940.[20]

2.3 (Assumed) Cryptographic strength

Since there were many versions of Enigma machines, varying numbers of rotors and plugged letters, as well as different usage of reflectors, we will just consider here the following setting: Three rotors out of five with adjustable rings, ten plugged letters and reflector B So the assumption fit to the code table given in Figure 5. Further more we assume, that the internal wiring of each component (rotors, reflector, keyboard-to rotor entry, and rotor out to Lampboard) are known.

The single parts of the key length of this Enigma machine would calculate as follows:

1Forward secrecy ensures that a compromised single session key wont compromise another session in the past or future. 7

Rotor Order (‘Walzenlage’) Choosing three out of ﬁve considering the order:

5! 5! = = 5 · 4 · 3 = 60 (1) (5 − 3)! 2!

Start setting(‘Grundstellung’) Three rotors with 26 possible starting positions each:

26 · 26 · 26 = 263 = 17576 (2)

Ring setting (‘Ringstellung’) Again three rotors with 26 possible ring positions each:

26 · 26 · 26 = 263 = 17576 (3)

Plugboard (‘Steckerbrett’) • The Plugboard have 26 Letters ⇒ 26! possibilities of arrangement 1 • 10 pairs are chosen ⇒ 6 letters don’t care ⇒ 6! 1 • The order of the 10 pairs doesn’t matter ⇒ 10! 1 • The order inside the pairs doesn’t matter ⇒ 210

26! ⇒ = 150 738 274 937 250 ≈ 1.50 · 1014 ≈ 0.53 · 248 (4) 6! · 10! · 210 To get the total key space for Enigma ground settings (‘Tagesschlussel’)¨ in the given example, the equitations (1), (2), (3), and (4) need to be multiplied:

5! 26! · 263 · 263 · = 2 793 925 870 508 516 103 360 000 ≈ 2.8 · 1024 ≈ 1.16 · 281 (5) 2! 6! · 10! · 210

This number is slightly bigger than the most commonly known 150 Million Million Millions (1.5 · 1020) for example out of the Roman [11] and the ﬁlms based on it. That difference occurs cause many authors ignore the ring setting, since the Enigmas before 1939 couldn’t change it. Further more the start settings already include all outcomes of different ring settings, so ignoring the ring will just lead to a different start setting which still is sufﬁcient to decrypt all messages. The number of possible keys in this case is:

5! 26! · 263 · = 158 962 555 217 826 360 000 ≈ 1.6 · 1020 ≈ 1.08 · 267 (6) 2! 6! · 10! · 210 Since this number is just a upper bound to the real key space its save to say that the Enigmas key length was around 67 Bit. Even with the possibility’s which are given today a brute force attack on the full key space of Enigma machines would be not practicable. Lets assume it is possible to check 1 · 106 keys per second, so it would still need approximated 5 073 566 years to test the full key space. 8

2.3.1 Full theoretical key space In the previous calculation the internal wiring of Enigma was assumed to be know, which is a pretty save assumption since its very likely that your enemies somewhen are able to capture the hardware you use. Referring to [5, p. 16] the full space of Enigmas possible states, without any knowledge about the internal wiring would approximate to:

3 · 10114 ≈ 1 · 2380 (7) This key space even overpower the now days still used AES-256 algorithm which is still considered to be relatively save. To give a feeling for this number [5] compares it as following: Its a assumed that there are around 1080 Atoms in the universe, and the age of the universe is assumed by 3.2 · 1022 seconds. Would each atom now be a supercomputer being able to process 109 Enigma states a second, and they started calculation at Big Bang, they still would have checked less than 1% of the states until today.

2.3.2 Period The term period refers to the amount of letters until the permutation repeats itself. In case of a 26 letter Enigma it would be the number of keystrokes until the rotators are in its starting position again:

26 · 25 · 26 = 16900 (8)

There was a mechanical anomaly which made the middle rotor rotate a additional time once the third(most left) rotor made its step.

The German military was very conﬁdent, even after WWII was over, in believing that the unusual long period and the huge factor introduced by the plugbord made the Enigma unbreakable.[13, p. 4-5]

2.4 Chronological overview of (some) Enigma models During the years 1923-1945, the Enigma was the main cipher method of the German military. Due to several developments and changes, way over 20 Enigma versions could be seen as separated Enigma models.

The following list shows some important models, focused on the military use, and is a brief summary of [32, Chapter 1.1] and information provided by[6]. Second gives a great formatted tree view about the dependencies between all Enigma versions known.

1924: Modell A was the ﬁrst public presented Enigma and shown at the international post-union congress . It had 28 Keys (Full alphabet and A¨ O¨ U¨ but no X), four ﬁxed rotors, a separate gear box for rotation, a typewriter as output, and a switch to change between en- and decryption. 1924: Modell B was also offered in the same year. It had 57 keys, including a shift key to switch between small and big letters. Furthermore, the four rotors were exchangeable, so the order could be freely chosen. Likewise to Modell A, the rotation was done by a gearbox and the output was typewriter like. 9

1924: Modell C introduced the reflector (subsubsection 2.1.2), and the self rotating rotors with ring setting (subsubsection 2.1.1), which replaced the gearbox. Further more the typewriter output was exchanged with a lampboard, it had only 26 letters and the keyboard layout was changed from QWERTZ to ABCDE. 1925: Funkschlussel¨ C was for the ‘Reichsmarine’(German navy). It was a deviate of Modell C. In addition to the usual 26 letters it had A¨ O¨ U,¨ since they were needed for ‘Kenngruppen’, which were a additional cipher used to encrypt the naval messages. Another characteristic was that X was directly wired and so not decrypted. Funkschlussel¨ C was using three out of five possible rotors with ring settings but only had one reflector with 4 different possible positions. 1930: Enigma I or ‘Wehrmachts’ Enigma, was developed for the ‘Wehrmacht’(German army). It was also a deviate of Modell C, with no additional letters (so only 26). There were as well three out of five rotors used (not the same as in Funkschlussel¨ C, since they had a different amount of letters!), and it were 3 reflectors available. The major difference to Funkschlussel¨ C was the plugboard (subsubsection 2.1.3) with its outstanding benefit in increasing the key space (subsection 2.3). 1934: Funkschlussel¨ M 1 or short ‘Schlussel¨ M’, was the naval version of Enigma I. The German navy acknowledge the higher security of Enigma I and understood the importance of encrypted communication between navy and army. In addition to the five army rotors it had two rotors more (1939 an eighth one was introduced). 1938: Funkschlussel¨ M2 & 1940 Funkschluchl¨ ussel¨ M3 didn’t have any changes in the ciphering system. Besides some changes in the covering wooden box for M2 the plugboard order was changed and M3 had a internal 220V/4V to 6V transformer. 1941: Funkschlussel¨ M4 had a additional rotor to be put in (so 4 rotors in use). The space for it was gained by building the reflectors smaller and keeping the additional rotor half the size of a usual one by leaving the possibility to turn. There are two different versions of the additional wheel known. Both had one possible orientation where they imitate the usual key of Enigma I to communicate with the army.

This section described the electro-mechanics, the history, the usage, and the cryptographic assumptions of Enigmas. The next will now discuss how the allies crack the Enigma codes.

3 Cracking Enigma

The cryptographic strength of Enigma machines surprised the allies around 1925 when Funkschlussel¨ C was introduced by the German navy. While former methods of ciphering could usually be broken by linguists with frequency analysis of letters, e. g. in German and English language the letter ‘e’ is the most frequent letter, so with a very high probability the letter with the most occurrence is the encrypted ‘e’, it was impossible to use this kind of technique for texts encrypted by Enigmas due to their ability to decode with a very high period (see subsubsection 2.3.2). As well as the development of Enigma, the breaking of Enigma cipher was an ongoing, always changing process over the full time from 1925 till the end of WWII in 1945. New features and chancing ‘habits’ / rules of usage made working methods outdated or at least enforced adjustments. It was some kind of a hidden war, where one side wasn’t aware of it, as we could already see in subsection 2.3. 10

In the following the focus will be set to some major methods and important characters in the process of breaking Enigma. A pretty precise and very detailed summary about who and how Enigma got cracked can be found in [32].

3.1 First British efforts

Already in 1927 the UK tried to break the Enigma with the help of a purchased commercial model. They were able to break messages send during the Spanish Civil War (1936 to 1939), which were encrypted by a non commercial Enigma without plugboard in 1937.[12]. But they had no possibility to decrypt messages send with the German military versions of Enigma. In fact France and Britain considerer the German Enigma as unbreakable [30, p. 199], before they got proved the opposite by a young polish mathematician.

3.2 The Polish break trough

Poland was always pretty aware of its dangerous location between Germany and Russia. If Germany would want to attack Russia it would need to first seize Poland. With this thought in mind their ambitions to break German secret communication and with it Enigma were pretty strong. Around 1930 the Polish Cipher Bureau had the idea, that mathematicians could be pretty good codebreaker, since the previous used linguists couldn’t solve the obviously machine ciphered messages anymore. In September 1932 they hired the mathematician Marian Rejewski and two of his fellow students full time to work for the Cipher Bureau in Warsaw.[18, p. 231] Their first task was to work on the Ger- man Marine-Codes which were still used without Enigma during this time. But in mid of October 1932 Rejewski was commandeered to work on breaking the Enigma. [32, p. 57] In [28] Rejewski himself describes the mathematics he was using to break the Enigma, which will be summarized following. As starting equipment he had a commercial Enigma (probably Modell C), the knowledge that the first 6 letters are the repetition of the ciphered individual message key, and many collected German ciphered messages. At the time Rejewski begun, the German only allowed the usage of rotor I to III, so only 3! = 6 possible rotor orders. Also the order was just changed each some month. Only the Plugboard with 6 cables and the rotor orientation (start setting) was changed daily.

3.2.1 Finding the Message Key

Rejewski started his work with the knowledge, that the first letter of each message is a permutation of the same letter as the fourth one, the same of course for the second and fifth, and for third and sixth. He named the permutation from the original (unknown) letters to those first 6 letter with A to F. During those permutations A to F are unknown, it is indeed possible to calculate the permutations AD, BE and CF which is the multiplication of two permutations, in other words: First execute permutation A then permutation B. How is this possible? Let x be the unknown original first letter of the message key, the permutation A encrypt it with the known letter a. Due to the self reciprocal property introduced with the reflector, we know that typing the letter a at that point would give x. Is x pressed in the repetition then D 11 is used and we gain the known letter b.

A x ←→ a A D AD ⇒ a −→ x −→ b ⇒ a −→ b written as: AD = (ab) (9) x ←→D b

This can be done for each of the three multiplied permutations AD,BE and CF, and that for each Message captured at the same day. Rejewski stated it needed approximated 80 messages with the same day key AD to heave each letter of the alphabet at each position in the message key. Assumed there is a −→ b and AD b −→ c then it is notated as permutation AB = (abc). If this is done for all messages per day the outcome looks like:(example taken from [28, p. 4])

AD = (dvp f kxgzyo)(ei jmunqlht)(bc)(rw)(a)(s) BE = (bl f qveoum)(h jpswizrn)(axt)(cgy)(d)(k) (10) CF = (abvikt jg f cqny)(duzrehlxwpsmo)

The equitations (10) are named the characteristic of the given day.

With the help of the ‘Theorem on the product of transpositions’ [28, p. 8] it is possible to reduce the possibilities for A to F to several tens of thousand solutions. During observing the first 6 Letters of a day Rejewski noticed that some message keys are used in multiple messages and he guessed it is due to the laziness of the operators choosing simple combinations like three letter repetitions (e. g. ‘aaa’, ‘ccc’, . . . ) as message keys. His guess was right and together with logical elimination of impossible settings (all letter in first and forth places, can’t be the the first letter of the message key, since the letter couldn’t be encrypted by itself). By combining the possible solutions with the found pairs of original and encrypted message keys the permutations A to F could be determined. If the rotors are named N, M. L (from right to left, since the most right one is the one connected with key- and lampboard), the reflector with R, the plugboard with S, introduce the permutation P which shows the rotation of rotor N (just a left shift of the alphabet) and furthermore assume that the rotors M and L are not rotating since(M rotates with a possibility of 6/26, L of 6/676 during the first 6 sign), the permutations A to F can be written as:

A = SP1NP−1MLRL−1M−1P1N−1P−1S−1 B = SP2NP−2MLRL−1M−1P2N−1P−2S−1 . . (11) F = SP6NP−6MLRL−1M−1P6N−1P−6S−1

Since M,L and R are assumed to be not moving they are replaced by Q:

A = SP1NP−1QP1N−1P−1S−1 B = SP2NP−2QP2N−1P−2S−1 . . (12) F = SP6NP−6QP6N−1P−6S−1

So S, N and Q remain unknown. 12

3.2.2 Wiring of the Drum N / Recunstruction of Enigma Modell I Rejewski wrote at [28, p. 10] that it would be possible at that point to discover the wiring of rotor N, but that it would need two days with identical or very similar rotor setting and that it would be a very long way with many cases which would need to be checked. Luckily Rejewski received copies of the table of ‘Tagesschlussel’¨ for several month containing the plugboard and start setting in December 1932. They were parts of documents the French spy Hans-Thilo Schmidt gathered for the French Bureau of Ciphers, which were handed to the Polish government.[17, p. 256] With this information it was possible to move the plugboard settings in Equation 12 to the left side as parts:

S−1AS = P1NP−1QP1N−1P−1 S−1BS = P2NP−2QP2N−1P−2 . . (13) S−1FS = P6NP−6QP6N−1P−6

The ﬁrst and last occurrence of P can be moved to the left side as well and to improve the readability the left side gets denoted with U to Z:

U = P1S−1ASP−1 = NP−1QP1N−1 V = P2S−1BSP−2 = NP−2QP2N−1 . . (14) Z = P6S−1FSP−6 = NP−6QP6N−1

The goal now is it to eliminate Q, which stands for the second rotor M, the last rotor L and the reﬂector R. To achieve this ﬁrst the products get calculated:

UV = NP−1(QP−1QP)P1N−1 VW = NP−2(QP−1QP)P2N−1 WX = NP−3(QP−1QP)P3N−1 (15) XY = NP−4(QP−1QP)P4N−1 YZ = NP−5(QP−1QP)P5N−1

In a last step the common factor QP−1QP gets eliminated:

VW = NP−1N−1(UV)NPN−1 WX = NP−1N−1(VW)NPN−1 XY = NP−1N−1(WX)NPN−1 (16) YZ = NP−1N−1(XY)NPN−1

The remaining unknown is the ﬁrst rotor N, which can be solved by using two equitations of (16). If no calculation mistakes occurred the outcome should be correct and could be tested by the original message keys and their encryption. Of course the unlikely possibility of a turnover at second or third rotor would 13 lead to a wrong solution as well in some cases. But Rejewski discovered that he never gets the correct solution, so one of his assumptions must be wrong. He ﬁgured out, that the wiring between the key- /lambboard and the rotors must have been changed. There would be another 26! ≈ 4·1026 possible ways for it. He knows it was different to the commercial Enigma he had access to where the wiring was:

q → 1, w → 2, e → 3, r → 4, t → 5, z → 6,...

So he wondered if they just changed it to:

a → 1, b → 2, c → 3,... and he was right. That ‘little’ obstacle, caused by the alphabetical keyboard of Modell I compared to the qwertz one of Modell C, confused the British codebreaker Dillwyn Knox in 1939 still.[29, p. 42] Since the rotor order was changed time by time and each of the three used rotors eventually was in first position, the described way made it possible to find the internal wiring of each rotor and with them the reflector wiring too. At this point Rejewski reconstructed the full internal wiring of Modell I and was able to read all messages once he had the ground settings for a given day.

3.2.3 Finding the ground settings Cyclometer To ﬁnd the daily ground settings, the inverse problem had to be solved. Duplicates of the used Enigma model were available and the rotor order, rotor orientation and plugboard setting need to be found. At this point the daily characteristics (Equation 10) became a very handy tool. Since the plugboard only is a monoalphabetic replacement of letters, it only changed the letters in the cycles but not the number and length of them. The idea was to generate a catalogue of all characteristics generated by the 6 possible rotor orders which each had 263 possible orientations so:

6 · 263 = 105456 (17) possibilities. To catalogue all of them the Poles invented the ‘cyclometer’ [28, pp. 12-14], which calculated the characteristic for a given rotor setting. Even with this machine they needed around one year to generate the full catalogue. The characteristics indeed were not fully unique, but it reduced the possibility to a amount which could be checked in short time manually. With the given rotor settings, the plugboard was the only part missing. Since just six cables were used, only 6 pairs of letters were replaced with each other. Those replacement could be easily discovered manually, by looking at the decrypted texts. By those methods the Polish Bureau of Ciphers was able to decrypt and read most messages of German secret communication at that time.

At the 15th Septemer of 1938, the German changed the regulations of ciphering. From now on the operator choose the start setting. The start setting was sent before the encrypted text as plain text followed again by the two times encrypted secret message key. Due to this changes it got impossible to determine the characteristic of the day and with it the catalogue could not be used anymore to ﬁnd the daily settings. 14

Perforated Cards Still the repetition of the secret key gave hidden information, which got exploited by the cryptoanalyst Henryk Zygalski. If one letter of the message key got encrypted in both rounds of encryption to the same letter (e. g. pst pwa) it was called a female. Those females were rep- resentations of the cycles of length one, in the catalogue and occurred in approximately each 8th message. The idea Zygalski was it to generate perforated cards for a given last rotor L. The card now had for each possible orientation of the middle M and ﬁrst rotor N a row where holes got cut in at possible positions of females. For each message containing a female the corresponding card was placed by a given set of rules on a stack and if just one hole was left to see through it was possible to determine the position of rotors and the rings and by comparing the letters of the key with the letters in the machine the plugboard setting could be found as well. Since this method seemed pretty practical, the production of the needed Figure 6: Diagramm of a cards was too slow and only sets for two of the six possible rotor orders were Zygalski-Card ready before the next change in ciphering rules happened.[34, p. 216]

The Bomba Although Rejewski had an idea once his previous solution stopped working. The idea needed three different messages were each had a female of the same letter, one between 1-4, another between 2-5 and the last between 3-6. He simply build a machine, containing six Enigma rotor sets, were always two are set to test one of the three females. And the whole machine made a brute force attack, by iterating trough all possible rotor orientations, keeping the rotor order, so 263 = 17567 possibilities. To work in parallel on each possible rotor order six of those machines got produced and they needed around two hours to obtain the rotor and ring settings.[17, p. 290] The plugboard settings were still solved by hand.

3.2.4 The ‘end’ of polish efforts

During previous changes in the usage of Enigma, like the change of the reﬂector in November 1937 [28, p. 17] and the static increasing number of plug-cables from 6 in the beginning to 13 at the very end could be compensated, the introduction of rotors IV and V at the 15th December in 1938 overpowered the Polish Bureau of Cipher. They were able to ﬁnd the wiring of the new rotors pretty fast, but they could not afford the manpower needed to build enough Bomby (56 in addition to reach the 60 possible rotor orders) or to produce the needed Zygalski-cards.[17, p. 290]

Since the Poles were aware of a soon happening German offensive they handed over all their methods and equipment to the France and British Ciphering Bureaus during a meeting in Warsaw on 25th July 1939. And during the evacuation of the Polish Cipher Bureau in September 1939 nearly all documents and the full equipment got destroyed.[28, p. 17]

3.3 The British break trough / Bletchley Park

The following subsection about the British efforts is again a brief summary of [32, pp. 124-177], focusing on some main methods used to decrypt the Enigma codes. For a way more detailed mathematical view please refer to that source. 15

In 1939 the British government gathered all the resources working on radio based, spied out, communication in Bletchley Park, which is located between Oxford and Cambridge. Since they started their work with around 30 persons the number increased to 10.000 till the end of WWII. The agencies re- cruited starting 1937 mainly linguists, ancient philologists, and historians by the principle ‘who knows somebody who could be useful?’, which resulted in hiring a lot of very talented young students from the nearby elite universities. Beginning with 1938 they also started to hire mathematicians and besides many other brilliant young people they hired Alan Turning and Gordon Welchman. By this time a big team of all kind of ages and disciplines, with very high intellectual abilities was formed to get as many information out of the captured communication as possible. Welchman soon understood that working as one unstructured big group, maybe leads to many innovative ideas but wont use the full potential of the groups, so he made the advise to restructure Bletchley Park as follows: • Decoding Army/Airforce: Hut 6 • Decoding Navy: Hut 8 • evaluation Army/Airforce: Hut 3 • evaluation Navy: Hut 4 Which got directly accepted. The existence of Bletchley Park was one of the biggest and best kept secrets. Only a few people outside known it even exists. The circle of people getting the information gathered there was kept to a minimum and if informations from Enigma messages were used it was required to set up a plausible cover story how the information was received.

3.3.1 Banburismus

Since the naval version of Enigma had eight rotors to choose from, it had 8!/5! = 336 possible rotor orders. Therefore Turing developed a statistical method, with the logarithmic unit he named ‘ban’ to minimize the possible rotor orders. Like Zygalski method it was based on perforated paper, which got produced in a town named Banbury, which most likely was the reason for the names ‘ban’ and ‘Ban- burismus’. The navy decoded messages in a different way than the other departments. The message key could not be freely chosen by the operator but was generated by a indicator chosen out of code books. That indicator was encrypted with the ground settings of the day and the result was used as message key. The indicator got transmitted, the message key not. Turing discovered the exact methods used between 1939 and 1940, and even reconstructed big parts of the code books himself. The ﬁrst message broken by the help of Bunburismus was from 8th May 1940 which was then celebrated as ‘Foss’s Day’(named after Hugh Foss).

Messages in depth If two sentences are written above each other the likelihood that same letters are at the same place is language speciﬁc. Those letters which overlap are said to be ”in deep”. With German navy messages that probability got determined to be approximately 1/17 during random texts have a probability of 1/26. Due to the self reciprocal ability of Enigma, Messages with same message key 16 would have those overlapping events at the same place as the plain text. If the message key only differs in the last sign, only the most right and therefore ﬁrst rotor is set different. The idea now is it to align two of such messages that they are in depth again (this works cause the rotation of the rotor is just a shift in the permutation). The distance between the two messages would give then the offset between the two message keys. If this is done with enough messages it is possible to determine the turnover of the middle rotor and by it to get known where the notch of left rotor is placed. By this technique the rotors I - V could be distinguished, VI - VIII had then notch at the same position. On the similar way but way harder the middle rotor could be found.

The ‘Ban’ Turing developed a scoring based on Bayes’Theorem (see [8] for explinations of Bayes Theorem) and used logarithmic scale to replace multiplication of possibilities by additions. To make the values more handy the deciBan was introduced similar to decibel (10 dB = 1B) and halfdeciBan (20hdB = 1 Ban), So if there is a overlap the score was increased by log10(26/17) = 0.18Ban = 3.7hdB and each non overlap decreased it by log10(416/425) = 0.0093Ban = 0.19hdB). Messages were considered as ‘in depth’ once they had a score over 34hdB. To ﬁnd the overlapping letters the already mentioned large papers sheets from Banbury got perforated and placed above each other.

3.3.2 Turing Bomb

The Turing Bomb is probably the most famous tool which was used to break the Enigma during WWII. Since the Poles made the internal wiring known to the Brits (see subsubsection 3.2.4) it was also possible for them to replicate Enigmas. Turing took the base idea of the Polish Bomba to simply iterate trough all possibilities but instead of using the females his idea was simply based on plain text / encrypted text pairs called crib’s (see section 3.3.2. He developed his Bomb in September 1939 and the ﬁrst prototype was build buy Harold Keen and a team of 12 employees by BTM(British Tabulating Machine Company) in spring 1940.[1, p. 423]

Crib A Crib was plain texts assumed to appear in the original message e. g. ‘ANX’ (‘an’ is German for to and X was used as space), ‘OBERKOMANDOWEHRMACHT’ (name of the headquarters of German army) or ‘WETTERBERICHT’ (weather forecast). The possible positions of that crib could be determined by Enigmas trait not to encrypt a letter with itself.(See Figure 7) Usually a crib was not that long (around 12 letters) otherwise the possibility for a turnover of the middle rotor got to big.

WATQBGGYWCRYBGTT Encrypted text WETTERBERICHT--- not possible -WETTERBERICHT-- possible --WETTERBERICHT- not possible

Figure 7: Example of ﬁnding a crib’s position (random example, not out of real message)

Menue The menue was the input to the bomb. It represented the knowledge gained out of the plain text / encrypted text combinations. 17

1 2 3 4 5 6 7 8 9 10 11 12 13 ATQBGGYWCRYBG WETTERBERICHT (a) Aligent crib with numbering

(b) Menue: the number denot in which step the transition occurs. Let’s assume this portion of the ciphertext does correspond to our crib phrase. Then we can see that, Figure 8: Example menue taken from [10, p. 16] in position 2, ‘t’ becomes ‘e’. This is the combined eﬀect of the plugboard, the rotors in position 2, followed by the plugboard again: The Bomb than was able to test all possible rotor settings. In addition to the menu also a randomly chosen plug was set. With both such information the bomb could determine logical errors during testing multiple rotor orders in parallel. In the beginnings Banburismus got used to reduce the possible rotor orders before the bomb was used, until enough bombs were available.

3.4 Little helper Remember, because the Enigma Machine acts as a product of transpositions, this diagram also works Between all those very intelligentin the and opposite genius direction.Alan ideas the allies Turing had realised to break that, enigma, for a given there rotor where setting, some it is possible little to deduce certain flaws of German bureaucracyplugboard and in usage settings. which For also example, helped let’s the assume codebreaker. (ta) is a pair Following on the plugboard. some of So them, after the first use of the as listed in [10, pp. 20,21] plugboard, input ‘t’ becomes ‘a’. • It was forbidden that the same rotor order appears twice on a monthly code table. Furthermore some networks enforced that no rotor should be in the same position as the day before. Once noticed, this restrictions helped to reduce the possible rotor orders to the end of the month. • At German air force it was not allowed that two neighbouring letters got plugged with each other, which reduced the amount of possible plug board settings • Sometimes the columns ofThis the monthlyis then followed ‘Tagesschl by the rotorsussel’¨ in table the second got reused, position. which Starting was from spotted some initial by position, below are Reg Parker. the complete outputs of 13 successive monoalphabetic ciphers from an enigma machine without its plugboard, i.e. Ri, 1 6 i 6 13. Notice, these ciphers are still products of transpositions. • The ‘Harvil Tip’, was the assumption that after setting up the machine with the daily ring settings, the operator only shifts the rotors by a few step to choose a message key. This especial was true during the morning hours when the machines were set up the first time. This assumption was made by John Herivel once he arrived in Bletchley Park in 1940. • One last ‘little helper’ which should be mentioned but was not caused by a German flaw, was named ‘gardening’. Sometimes at days were no crib could be found or not enough messages were sent, Bletchley Park would have asked the Royal Air Force to place a set of water mines in a certain region. The then upcoming messages surely contained the name of the16 region or harbour affected, which could be used as good crib. 18

3.5 Modern Methodes Over 100 years after Arthur Scheribius had the idea for his machines, the Enigma messages are still in focus of scientiﬁc work. There are still several hundred, captured and documented Enigma messages which could not be decrypted until today. Reasons for that are usually, that not enough messages got captured at the given days or that the messages were to short and had rotor turnovers of the middle and/or last rotor in the, so the daily key could not be determine. Still today researchers try to break those leftover messages and of course document their progress, e. g. : [31] or [21]. The given examples use the now available computational power to run way more unrestricted brute force attacks on encrypted messages without the help of a crib. Everything except the plugboard setting is fully exhausted. [21] exhausts only ‘important’ plugs. Important ones are those of letters which occur often in German army messages: E, N, X and R, in this order. Afterwards a Hillclimbing approach is applied to ﬁnd the remaining plug board settings. The minimal needed message length is determined to 27, the shortest message the author could break had a length of 32 letters. Even with the given calculation power the full process needed up to several days.

4 Conclusions, Results, Discussion

In the paper it is shown that the basic idea of Enigma was sufficient cryptographic strong. The major mistake was the introduction of the reflector, which increased the usability but opened up the enigma for the attack methods described in 3.2.1‘Finding the Message Key’, and 3.2.2 ‘Wiring of the Drum, N, on which the other attacks were build on. It was shown that it needed a international cooperation to break Enigma on the long run, but the major work was done by a small group of intellectuals, with innovative ideas, really good assumptions and a good piece of luck. Enigma was a incredible piece of technology, with big influence at its given time which even bothers cryptanalyst’s over 100 years after it was founded.

The mistakes done by the German military during usage can be summed up to the following points; • Improvement for usability by using a simplification, which turns out to a big drawback. (Reflector) • Lazy operators choosing predictable message keys. • not using the full possibilities by just slowly increasing the number of rotors and rules which limited the possible key space, like the limited amount of plug connections. • to rely on the believe that Enigma (with plugboard) is unbreakable. All those points are still important for today’s cryptography. A very popular proposition in cryptography is: ‘Don’t role your own crypto’, which could be associated with the first point. Willi Korn changed the cryptographic scheme without paying enough attention to the changed characteristics of the machine. The second point of lazy operators, is comparable with users choosing passwords which are easy to guess. This point is still one of the biggest problems . In 2015 many car companies used a cipher chip with 96bit for their remote key systems. Scientists found out, that the car companies left the first 32bit at zero[33, p. 705] the remaining 64bit include a company specific key which didn’t changed for all cars of the company and the similar thing for the model, the actual key was reduced drastically. This scandal is a example for point 3. The last point the most obvious one, its always a bad idea to believe that your cryptological scheme is unbreakable cause it leads to laziness. 19

References

[1] Friedrich L Bauer (2013): Entzifferte geheimnisse: methoden und maximen der kryptologie. Springer-Verlag. [2] Friedrich Ludwig Bauer (2002): Decrypted secrets: methods and maxims of cryptology. Springer Science & Business Media. [3] C.H.O’D. Alexander (1998): Method for testing ’Holmes Hypothesis’ for U.D. [4] Winston Churchill (1923 - 1929): The World Crisis. [5] Midge Cozzens, Steven J. Miller & Wesley Pegden: The mathematics of encryption: an elementary introduction 51(7), pp. 51–3888–51–3888, doi:10.5860/CHOICE.51-3888. Available at http://choicereviews. org/review/10.5860/CHOICE.51-3888. [6] Crypto Museum (2009): Enigma Family Tree. Available at http://www.cryptomuseum.com/crypto/ enigma/tree.htm. [7] W.F. Friedman (1977): Solving German Codes in World War I. Cryptographic series, Aegean Park Press. [8] Hans-Otto Georgii (2013): Stochastics, 2., rev. and extended ed. edition. De Gruyter, Berlin [u.a.]. Available at https://opac.ub.uni-kl.de/F/?func=find-c&ccl_term=idn%3DHT017710582& local_base=KLU01. [9] Glenn Greenwald, Ewen MacAskill & Laura Poitras (2013): Edward Snowden: the whistleblower behind the NSA surveillance revelations. The Guardian 9(6), p. 2. [10] James Grime (2014): Math form the talk ”Alan Turing and the Enigma Machine”. [11] Robert Harris (2013): Enigma - Roman. Heyne Verlag, Munchen.¨ [12] Andrew Hodges (1983): Alan Turing: the enigma. [13] Orr Huttenhein & Fricke (1945): OKW/Chi Cryptanalytic Research on Enigma, Hagelin and Cipher Teleprinter Messages. Available at https://drive.google.com/file/d/ 0B7sNVKDp-yiJOWYxZWFmNDgtODUyMS00Y2FiLThkNWItYmQ5N2JmMzEyMzIz/view. [14] David Kahn (1991): Seizing the Enigma: The Race to Break the German U-Boat Coes, 1939–1943. [15] David Kahn (1993): An Enigma Chronology. Cryptologia 17(3), pp. 237–246, doi:10.1080/0161- 119391867908. Available at https://doi.org/10.1080/0161-119391867908. [16] David Kahn (1996): The Codebreakers, [rev. and updated ed.] edition. Scribner, New York, NY. Available at https://kplus.ub.uni-kl.de/Record/KLU01-000536998. [17] W. Kozaczuk (1984): Enigma: how the German machine cipher was broken, and how it was read by the Allies in World War Two. Foreign intelligence book series, University Publications of America. Available at https://books.google.de/books?id=bryEAAAAIAAJ. [18] Wladyslaw Kozaczuk (1985): Enigma: How the German Machine Cypher Was Broken, and How It Was Read By the Allies in World War Two. University Publications of America, Inc. [19] Louis Kruh & Cipher Deavours: The commercial Enigma: Beginnings of machine cryptography (1), p. 16. [20] Oberkomamndo Whermacht (1940): Abschrift: Schlusselanleitung¨ zur Schlusselmaschine¨ Enigma. H.Dv.g. 14. Available at https://web.archive.org/web/20150924033652/http://www.ilord.com/ enigma-manual1940-german.pdf. [21] Olaf Ostwald & Frode Weierud: Modern breaking of Enigma ciphertexts 41(5), pp. 395–421, doi:10.1080/01611194.2016.1238423. Available at https://www.tandfonline.com/doi/full/10. 1080/01611194.2016.1238423. [22] PATENT Arthur Scherbius: Chiffriermaschine. Available at https://www.dpma.de/docs/dpma/ veroeffentlichungen/de416219a_chiffriermaschine1918.pdf. [23] PATENT Chiffriermaschine Aktiengesellschaft: Elektrische Vorrichtung zum Chiffrieren und Dechiffrieren. Available at http://www.cdvandt.org/Enigma%20DE452194C1.pdf. 20

[24] PATENT Edward H. Hebern : Chifﬁrermaschine. Available at https://www.dpma.de/docs/dpma/ veroeffentlichungen/us1510441a_hebernchiffirermaschine1921.pdf. [25] PATENT Edward H. Hebern: Cryptographic attachment for typewriters. Avail- able at https://www.dpma.de/docs/dpma/veroeffentlichungen/us000001086823a_ hebern1912cryptographicattachmentfortypewriters.pdf. [26] PATENT Edward H. Hebern: Machine for code messages. Available at https://www.dpma.de/docs/ dpma/veroeffentlichungen/us1084010a_hebern1912machineforcodemessages.pdf. [27] PATENT Ingenieursbureau ”Securitas”: Chiffriermaschine. Available at https://www.dpma.de/docs/ dpma/veroeffentlichungen/de411126a_chiffriermaschinesecuritas.pdf. [28] M. Rejewski: An application of the theory of permutations in breaking the Enigma cipher 16(4), pp. 543–559, doi:10.4064/am-16-4-543-559. Available at http://www.impan.pl/get/doi/10.4064/ am-16-4-543-559. [29] Hugh Sebag-Monteﬁore (2004): Enigma: The Battle For The Code. Weidenfeld Military. [30] Simon Singh (2000): Geheime Botschaften. Carl Hanser. [31] Geoff Sullivan & Frode Weierud (2005): Breaking German Army Ciphers. 29, pp. 193–232. [32] Heinz Ulbricht: Die Chiffriermaschine Enigma - Trugerische¨ Sicherheit : Ein Beitrag zur Geschichte der Nachrichtendienste. Available at http://www.digibib.tu-bs.de/?docid=00001705. [33] Roel Verdult, Flavio D Garcia & Baris Ege (2013): Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer. In: USENIX Security Symposium, pp. 703–718. [34] Gordon Welchman (1997): The Hut Six Story: Breaking the Enigma Codes. Classic Crypto Books.