The Cryptanalysis of a Three Rotor Machine Using a Genetic Algorithm - DocsLib

sign in sign up

<<

Home , Rotor machine

The Cryptanalysis of a Three Rotor Machine Using a Genetic

Algorithm

A J Bagnall G P McKeown and V J RaywardSmith

Scho ol of Information Systems

University of East Anglia

Norwich NR TJ

England

Abstract Weshow that a genetic algorithm can b e used to suc

cessfully search the very large discrete keyspace of a

rotor machine of magnitude up to using a sim

This pap er describ es a metho d of decipher

ple statistical measure of suitability The metho d in

ing messages encrypted with rotor machines

volves nding the last rotor of a three rotor machine

utilising a Genetic Algorithm to search the

using a GA and then solving the resulting two rotor

keyspace A tness measure based on the phi

machine using the iterative technique describ ed in

test for non randomness of text is describ ed

The plaintext is assumed to be n indep endent reali

and the results show that an unknown three

sations of a random variable dened on alphab et Z

q

rotor machine can generally b e cryptanalysed

with probability distribution derived from observation

with ab out letters of ciphertext The

of the single letter frequencies of English The distri

results are compared to those given using a

bution we use is that given in The statistical mea

previously published technique and found to

sure of tness is based on the fact that a two rotor ma

b e sup erior

chine with o dometerlike rotation is p erio dic with p e

rio d q If we map the ciphertext through the correct

last rotor with a known rotation pattern and split

this new ciphertext into q ciphertext strings these

INTRODUCTION

strings will exhibit the characteristics of monoalpha

b etically enciphered plaintext Based on the statis

A cryptographic system eects an enciphering trans

tic for testing the nonrandomness of text see the

formation from plaintext x to ciphertext y bothof

tness for any prop osed last rotor is the probabil

which are vectors of n letters from a nite set of sym

ity of having observed an average value at least as

b ols an alphab et of size q whichwe call Z A key k

q

large as the value actually observed given and that

for a cryptographic system is a parameter dened on a

the text mapp ed through results from q monoal

key space K with the prop erty that knowledge of the

phab etic substitutions of the plaintext

value of k will enable the recovery of plaintext from

ciphertext Cryptanalysis is the pro cess of attempting

to recover encrypted plaintext without knowledge of

the key In this pap er we consider cryptanalysis with

ROTOR MACHINES

ciphertext only as opp osed to with known or chosen

plaintext and ciphertext It is the former situation

Rotor machines formed the basis for most military and

which presents the hardest problem for the attacker

commercial cryptography until the late s The

Genetic Algorithms GAs have previously b een used German Enigma the Heb ern machine and the Con

in cryptanalysis for solving simple substitution sys verter M all describ ed in are variations on the

tems transp osition ciphers and knapsackbased basic machine weuse

systems The cryptographic systems solved are all A rotor machine is a cryptographic device consist

fairly straightforward and readily solvable by other ing of N rotors A rotor is a disk with a no de on

metho ds For example gives various metho ds for each side for each letter in the appropriate alphab et

solving knapsack problems larger than those solved size q and electrical contacts b etween the no des ef

in fecting a substitution After eachsuch substitution

th

enciphering substitution for the i letter of plaintext

en by A A is giv B B

C C

r i r i r i

m m m

S R i C C C

m

D D m

r i r i r i

E E m

C C C

F F

verse G G and the deciphering substitution is the in

H H

r i r i r i r i

S R i C C C C

r i r i

m m

C C

m t functions is usually assumed

A The set of displacemen

be known A common set of displacement func A to

B B

are those that follow an o dometerlike rotation

C C tions has D D pattern suc

E s

r ibiq c sm i

E s

F F

m rotor system with o dometerlike displacement

G G An

R is a polyalphabetic substitution system

H H functions

dened by the sequence of substitutions

Figure A three rotor machine for an eight letter

SR i j i

alphab et b efore and after the rst rotor has rotated

m

one place

with period P which divides q A rotor machine

with a set of displacement functions which are not

m

o dometerlike can at most pro duce q dierent sub

the contacts rotate in accordance with a rotation pat

stitutions A fuller mathematical description of rotor

tern while the no des remain in the same p osition or

machines is given in

vice versa Rotating a rotor a places yields another

usually dierent substitution

The key for a rotor machine must dene

a a

S a C C

the numb er of rotors m

S a is the comp osition of with the Caesar sub

the initial rotor substitutions

a a a

stitutions C and C A Caesar substitution C is

simply a shift of a places

the displacement functions R

C i i a a iq

a

We assume the numb er of rotors is known and that the

setofdisplacement functions follow the o dometerlike

Rotor machines are built by concatenating rotors Let

pattern describ ed ab ove So the keyspace K is the

set of all Ntuples of p ossible substitutions and a key

f g

m

k is an element of a subset of K The cryptanalysis

problem is to nd an estimate of k k given a string

b e a set of substitutions representing a bank of m ro

of ciphertext

tors for encipherment of the rst letter and

R fr r r g

m

CRYPTANALYSIS OF A THREE

b e a set of displacement functions

ROTOR MACHINE

r Z Z

s q q

Our metho d of attack is to nd the last rotor of a

r

s

three rotor machine using a Genetic Algorithm GA

r i r i s mi

s s

and then to solve the resulting two rotor machine us

th

where r i is the rotational displacement of the s ing the iterativetechnique describ ed in

s

th

rotor for the encipherment of the i elementofx The

Each string results from monoalphab etic encipher GENETIC ALGORITHMS

ment Mapping the ciphertext through the correct

We implemented the problem on the XGAmeter

last rotor of a rotor machine with periodic rotation

toolkit develop ed at the UEA which enables the

will pro duce a new ciphertext string with the prop erty

m

easy use of GAs on a variety of problems The deci

that the q text strings will exhibit the nonrandom

sions in implementing a GA for a particular problem

prop erties of the plaintext distribution We can then

are concerned with representation tness evaluation

reduce the search space to the p ossible wirings of the

and the select create and merge metho ds The stop

last rotor and consider a tness measure for this non

ping condition we use is to halt the GA if there had

randomness

b een no change in the b est solution so far in gen

erations

Phi test

Representation

Consider v indep endent observations of random vari

able X with sample space of size q and with range

The most obvious representation of a rotor is an array

Z Supp ose that the observed frequencies of eachof

q

of m integers representing the wiring from each p osi

the elements in is given by f f f If we

q

tion The subset of the keyspace containing correct

dene the statistic as

keys for a three rotor machine with known rotation

q

functions has magnitude q That is to say there are

X

f f

multiple solutions to a rotor machine with more than

i i

i

one rotor If we dene the set of rotors

then

f g

E s v v

where

and the variance is

b

b q C

v s s v s s s v s s s

and

b b

C C b q

where

q q

then if

X X

b

s P X i and s P X i

C

i i

r r r r r r

C C C C C S R C

See for further description of the statistic and

b b r r b r

pro of of the ab ove results If random variable X has a

C C C C C C

r b r r probability distribution given by our single letter fre

C C C C

quency distribution then

r r r r r r

C C C C C C

E v v

S R

and

This means that we can arbitrarily x a wiring in the

we set last rotors For any prop osed solution

v v v

and

For a p olyalphab etic substitution with p erio d P and

ciphertext y of length n if we assume n is divisible

Fitness

by P for simplicity then the P strings of text y

j

of length nP can b e considered as P observations of

The basis for our tness evaluation is that plaintext en

random variable dened on the sample space of all

ciphered by a monoalphab etic substitution will still ex

nP p ossible letter combinations Then

hibit characteristics of the original distribution Ape

P

rio dic p olyalphab etic substitution system with p erio d

P

i

i

P can b e reduced to a series of monoalphab etic sub

P

stitution systems by splitting the ciphertext y into P

text strings y where

and

j

y iy i P j for jP i nP

j P

By the Central Limit Theorem the limiting form Mutation

of the distribution of

In order to maintain diversityandavoid lo calised hill

Z

climbing it is desirable that when an ospring is cre

ated there is a chance that it may mutate We used

the following twomutation op erators

is the standard normal distribution

m

So if welet t q the tness of a prop osed last

randomly swap two rotor wirings ie eect a ran

rotor is calculated as follows

dom transp osition on an ospring

shift a randomly selected substring of rotor

let y b e the transformed ciphertext found by sub

wirings to random p osition

jecting ciphertext y to the sequence of substitu

tions

S r i for in

offspring : 5 1 3 2 6 4 7 8 9

Let y b e substrings of y such that

j random substring: 1 3 2

y iy i t j for jt i nt

j random position = 6

Calculate A the observed value for the sub

strings y

j mutant : 7 8 9 5 6 1 3 2 4

Let the tness of be

Figure An example of shift mutation with a ten

A

letter rotor

We allowed the mutation op erators to move the rst

wiring and then realligned the mutated ospring so

Even though each text string has less than let

The reason for this was that there was that

ters the fact we have so many strings means that

a tendency for the GA to converge to the wrong last

will b e approximately normally distributed with small

rotor for example if by xing the rst wiring we are

variance Our estimate of the last rotor is the

lo oking for

substitution which maximises the probability of ob

serving a value at least as large as A conditional

b

where b C

ntnt and on the fact that

nt nt nt

then a prop osed solution close to a dierent correct

last rotor for example

In eect we are using the critical level of the test

b

where b C

H ntnt vs

will have a high tness So the GA may converge to

a solution with the rst and one other wiring correct

H ntnt

Thus we allow mutation to move the p osition of the

rst wiring with resp ect to the rest of the p ermuta

as the tness of a prop osed last rotor assuming the

tion However since PMX is resp ectful and crossover

variance is

o ccurs b efore mutation the crossover op erator will not

movethe p osition of the rst wiring This is imp or

tant as PMX maintains p osition within the mapping

Select Create and Merge Metho ds

section Once an ospring had been created by the

We exp erimented with various select create and merge

crossover op erator the probability of it mutating by

metho ds and for reasons given b elow settled on

one of the op erators describ ed ab ove was set at

roulette PMX and new solutions The mutation

If an ospring was to mutate one of the two muta

op erators used are describ ed b elow

tion op erators was selected randomly Lower mutation

probabilities tended to make the GA slower at nding the correct solution

n Generations Evaluations Time s

Merge Method

plaintext

plaintext

Intro ducing the ospring to the p opulation pool re

plaintext

quires the removal of some of the existing chromo

somes to maintain a constantpoolsize The metho d

Table Average results for nding the correct last

we use termed new solutions is to only allow ospring

rotor with letters of ciphertext and a GA p opu

into the p o ol if they had b etter tness than the worst

lation of

memb er of the current p o ol and if they were not sim

ply replicas of existing p o ol memb ers An ospring to

n Generations Evaluations Time s

b e included replaces the chromosome whose tness is

plaintext

closest to and less than when maximising the tness

plaintext

of the ospring

plaintext

Table Average results for nding the correct last

rotor with letters of ciphertext and a GA p opu

RESULTS

lation of

The three rotors we use are

see as a tness measure to search the space of

all p ossible rotors and obtained results comparable

f

to those of the iterativetechnique

g

f

g

Number of iterations required to solve the resulting

f

two rotor problem with letters of ciphertext

g

plaintext

plaintext

They are rotors VI to VI I I of the German Naval

Enigma machine as given in Of the four sets of

plaintext

plaintext the rst twowere generated by random sam

plaintext

pling of the distribution in plaintext was taken

from an article in a newspap er and plaintext was

We p erformed a further series of exp eriments with

found by randomly sampling an intentionally skewed

letters The letter problem is harder to solve

distribution For the last distribution the probabil

b ecause the tness measure is coming to the limit of its

ity of observing an E was decreased by as was

usefulness It is p ossible that the rotor with the high

the probability of observing a T and the probability

est tness will not be the correct last rotor For

of observing an X and the probability of observing a

runs of plaintext and with letters the GA

Z were increased by This was done to test the

found the correct rotor on only four o ccasions How

metho d against delib erately deceptive text All exp er

ever on each run the GA would always get a substan

iments were p erformed on an Alpha station

tial numb er of wirings correct and usually it would b e

There seemed to be little dierence between roulette

the same or very similar set of wirings One metho d of

and ranking selection metho ds and the results b elow

nding the last rotor with letters is to run the GA

were obtained using roulette selection Tables reft

two or three times and lo ok for common wirings in the

and give the average numb er of generations evalua

b est solutions of eachrun With plaintext strings

tions and time required over runs of the GA to nd

and this usually gave a rotor with or p ositions

the correct last rotor with p o olsize p and textlength

correct The rest could be found by an exhaustive

n as given

search of all the remaining p ossible wirings or

Once the last rotor was found the simplest metho d of

n Generations Evaluations Time s

solving the resulting rotor problem is to use Baums

plaintext

maximisation algorithm describ ed in with alter

Table Average results for nding the correct last nating iterations between row sto chastic and column

rotor with letters of ciphertext and a GA p opu sto chastic constraints We also implemented a GA

lation of for a two rotor problem using the likeliho o d function

dierent p ossible rotors For and letters Other Heuristic Techniques

of plaintext the GA generally only found b etween

and correct wirings

The success of the GA would suggest that p erhaps sim

ulated annealing SA andeven p ossibly hill climb

ing HC might also b e go o d at nding the correct last

ALTERNATIVE ROTATION PATTERN

rotor of a three rotor machine We exp erimented with

b oth using our previously dened mutation op erators

It could b e claimed that using an o dometerlike rota

as neighb ourho o d denitions and found that SA and

tion problem makes the rotor machine easier to crack

HC did not in fact p erform very well We attempted

The technique requires that the rotations for the enci

SA and HC ve times on each plaintext with let

pherment of the plaintext letters

ters for prop osed moves SA found the correct

last rotor once with plaintext and not at all with the

xi t j for jt i nt

other plaintexts and HC never found the correct last

rotor Both metho ds tended to converge to a solution

not b e the same for all i otherwise each text string y

j

with less than wirings correct with SA generally

has b een monoalpab etically enciphered This is not a

outp erforming HC Further exp erimentation with dif

restrictive condition however since a rotation pattern

ferent neighb ourho o d op erators and co oling schedules

which did pro duce the same rotation for each string

we use geometric co oling with temp ering to of

would reduce the rotor machine to a two rotor prob

the previous maximum for SA may pro duce better

lem Supp ose the rotation patterns follow a known

results

pseudo random pattern We can still split the text so

that the text mapp ed through the last rotor will have

b een monoalphab etically enciphered but the rotations

for the last rotor will now b e dierent The results in

CONCLUSIONS

Table are for a rotor machine with o dometerlike

rotation for rotors one and two and pseudo random

Wehaveshown that a very basic implementation of a

rotation for rotor three

GA can be used to solve a fairly hard cryptographic

system using a simple mo del of a language By us

ing more complex mo dels for example mo dels based

n Generations Evaluations Time s

on observed two letter frequencies or utilising Markov

plaintext

chains and more complex measures of tness p ossi

plaintext

bly based on the test statistics for language recogni

plaintext

tion describ ed in wewould exp ect an improvement

in the p erformance of the GA The choice of op era

Table Average results for nding the correct last

tors was dictated bythe tness landscap e As previ

rotor with letters of ciphertext and a GA p opu

ously mentioned there are in fact q correct solutions for

lation of

the last rotor and each of these solutions has identi

cal adjacency information For example if one correct

last rotor for a four letter alphab et is fg then

COMPARISONS

the other correct solutions are fg fg and

fg By xing the rst wiring we are restricting

Iterative Technique for the ThreeRotor Problem

ourselves to lo oking for the rst solution only a re

striction justied by the reduction in the search space

We implemented the technique in for a three rotor and are therefore interested in maintaining p ositional

system on the same machine as the GA The algorithm information from the parents With this in mind we

found the correct three rotor machine for plaintext use PMX crossover However PMX will not utilize

with and letters in and iterations the obvious adjacency information and so the shift

but with letters it had only achieved a correct de mutation op erator was intro duced This is probably

cipherment rate CDR of after iterations not the most eectiveway of combining the p ositional

For plaintext and iterations taking ap and adjacency information but it worked up to the

proximately hours gave a CDR of no b etter than limit of the feasibility of the tness measure With

little b etter than randomly guessing each letter less than letters of ciphertext each monoalpha

and half as go o d as guessing E for every letter b etically enciphered string has or less letters and generally there are rotors with b etter tness than the

correct last rotor Cryptologia

We also implemented a GA to search the space of all

R Ganesan and A Sherman Statistical tech

three rotors using the likeliho o d function as our t

niques for language recognition An empirical

ness measure The nature of the problem suggested

study using real an simulated english Cryptolo

that this approachwould not work The interdep en

gia

dence of the rotors meant that solutions close to the

D Goldb erg Genetic Algorithms in Search Opti

correct rotors will not necessarily be particularly t

mization and Machine Learning AddisonWesley

For example a solution with the rst two rotors cor

rect could havealow tness if the last rotor is not close

to the correct solution This is contrary to the idea of

S Kirkpatrick CDGellat and MPVecchi Op

building blo cks describ ed by This implementation

timization bysimulated annealing Science

did work with a two rotor problem in times compa

rable to those obtained using the iterative technique

but this was probably b ecause of the easier nature of

Alan G Konheim CryptographyA Primer John

the problem and the lesser imp ortance of rotor inter

Wiley Sons

dep endence As we exp ected the GA failed to nd

S Kullback Statistical Methods in Cryptanalysis

the correct solution to the three rotor problem with as

Aegean Park Press

many as letters for all plaintexts

J W Mann A Kapsalis and G D Smith The Our preliminary exp eriments with the cryptanalysis of

GAmeter to olkit In V J RaywardSmith editor a four rotor machine using the GA to search the space

Applications of Modern Heuristic Methods Alfred of the last two rotors have b een unsuccessful Again

Waller the reason for this is probably interdep endence of the

rotors An alternative tness measure or the use of

S Martello and P Toth Knapsack Problems

a more sophisticated GA may pro duce some progress

John Wiley Sons

with this problem

RAJ Mathews The use of genetic algorithms

The applications of GAs and other heuristics in crypt

in cryptanalysis Cryptologia

analysis is always going to b e limited An ideal cryp

tographic system is one that is dened on a landscap e

R Spillman Cryptanalysis of knapsack ciphers

which is all noise except for a single p eak the key

using genetic algorithms Cryptologia

An implementation of any search technique using the

obvious representation to search the keyspace of any

reasonable cryptographic system will most likely fail

A Stuart and J K Ord Kendal ls Advanced The

However the p ossibilty of nding some transformation

ory of Statistics Edward Arnold

which pro duces a searchable space is something crypt

analysts and cryptographers should b e aware of It is

p ossible that some progress may b e made in the crypt

analysis of blo ck ciphers by nding some transforma

tion of the search space and suitable tness measure

which although precluding enumerative search allows

aGAsomechance of success

References

D Andelman and J Reeds On the cryptanalysis

of rotor machines and substitutionp ermutation

networks IEEE Transactions on Information

Theory IT

A Deavours and L Kruh Machine Cryptography

and Modern Cryptanalysis Artech House

R Spillman et al Use of a genetic algorithm in

the cryptanalysis of simple substitution ciphers

Web Analytics