Dawn of Mathematical Cryptology: Probabilists vs Algebraists or Algebraists & Probabilists?
Marek Grajek freelance consultant and historian, Poland [email protected]
1 Introduction Khalil1 (also known as Ahmed al-Farahidi), living in Basra in eight century. Their works Traditional cryptology, before the advent of linked early cryptography with the equally early the ciphering machines, relied mostly on the methods of mathematical statistics. It should be linguistical methods, and the role of mathematics noted that Al-Kindi’s interest in statistics was not in the codebreaking was limited to counting the limited to the secret writings. He proposed also a frequency of letters, their pairs and triplets. statistical approach to the medical treatment Machine cryptology changed everything; only evaluation. mathematicians were able to interpret even the During the mediaeval and early modern bare numbers of combinations resulting from the periods attacks based on the letter frequency use of the ciphering machine. The first successful were still popular due to the popularity of the application of advanced mathematics in nomenclators; monoalphabetic substitution cryptology, Marian Rejewski’s success with representing a part of the nomenclator made it Enigma, marked a change of paradigm; his attack vulnerable to statistical attack. Later on, when the was based on the algebra and the group theory. codes and nomenclators started to lose their However, soon after the outbreak of WW2 the popularity in favour of simpler and more Germans had changed the Enigma operational practical ciphers, statistical attacks have gained procedures, rendering most Polish methods of in importance; codebreakers started analysing attack ineffective. British mathematicians, who not only the frequency of the single letters, but took over from the Poles, had to revert to the old also their pairs, triplets and entire, popular words. and proven methods based on probability and Invention and fast adoption of the telegraph statistics, which dominated their work during, has changed this picture for a moment. Early and well after WW2. It was only 30 years after telegraph required not only hiding the message the end of this conflict that the role of the content, but also its compacting. Codes provided algebraic methods was restored. an easy and practical answer; second half of the This paper presents the early period of the nineteenth century was heavily dominated by the development of the mathematical cryptology, use of codes, which, from the codebreaker’s focusing on the clash of two approaches to the perspective, required the application of the codebreaking; that based on statistics and linguistical rather than statistical methods of probability on the one side, and algebraic attack. Use of the radio during the Great War has methods on the other. brought another game changer. Both sides used radio on a mass scale. Ease of interception of the 2 Historical context radio messages forced the application of cryptography at the equally mass scale, and the Although traditional, historical codebreaking traditional codes were getting more and more has always been based on linguistics rather than impractical; during World War One ciphers mathematics, at least since eight century a replaced the codes as the mainstream of component of simple application of math was cryptography, and, consequently, statistics present therein. Al-Kindi, an Arab polymath replaced the linguistics as the mainstream of living in Baghdad in ninth century, described in cryptanalysis. his “Manuscript on Deciphering Cryptographic However, statistical methods used in Messages” an attack on the monoalphabetic cryptanalysis represented rather elementary substitution ciphers based on the natural applications of mathematics, which could be frequency of letters in the language of the clear dealt with by amateurs. Immediately after the end text. As far as we know his work was based on of World War One agencies of major countries the earlier (and presently lost) writings of Al- dealing with cryptology did not realize the need
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 70 to employ or train mathematicians. If some and in the last days of 1932 he managed to solve mathematicians happened to be employed in the his equations, reengineering thus Enigma crypto world, it was only due to their general machine in a purely mathematical way. intellectual discipline, and not to the particular Terms used in the description above do not skills resulting from their scientific discipline. leave a shadow of doubt that Rejewski was using Werner Kunze was employed at the German an absolutely pioneering approach. System of foreign ministry cipher office in 1919, but it was equations represents a term functioning in the only in 1936 that he became the head of its newly purely algebraic context. Permutations are used created mathematical section. William Friedman in the context of the theory of groups. Neither published in 1930 an offer to employ three reminds ideas or notions used in the probability “government mathematicians” at some obscure or statistics, dominating codebreaking up to that agency of the US Army. From the memories of moment. It is somewhat surprising that Rejewski Solomon Kullback, Frank Rowlett and Abraham had not started his attack from the statistical Sinkov, whom he selected from among the approach, considering his earlier professional candidates, we learn that for the first several plans. Just after having completed his studies in years nature of their occupations was rather mathematics at the Poznań University, he distant from mathematics. decided to continue education in the actuarial statistics at Göttingen. One of his relatives was It seems that the first agency dealing with among the founders of the first life insurance cryptology that consciously and purposefully company in Wielkopolska, and Marian Rejewski decided to employ and train mathematicians was obviously planned to start a career in the the Polish Cipher Bureau in 1928. Effects of that insurance business. decision are well known among the historians of cryptology; after the half year training in Algebraic and group theoretic approach, used cryptology in Poznań, in 1929, and three years by Rejewski in his breakthrough attack at the long period of apprenticeship in the Enigma cipher, had numerous advantages over codebreaking, Marian Rejewski was asked to the statistical attacks used against the earlier hand take a look at the real objective of this effort – the ciphers. Its crucial advantage was that it worked. Enigma cipher. It took him less than three months Codebreaking agencies of the major countries to break the cipher and, simultaneously, to initially declared helplessness when confronted change the nature of cryptology forever. with the Enigma cipher. William Clarke, one of the veterans of British Room 40, remarked in a 3 Probabilists vs Algebraists memorandum written in 1937 that “only one cloud obscures the horizon – possibility of When in October 1932 Maksymilian Ciężki general application of the ciphering machines. had asked Marian Rejewski to take a look at the One can argue that it would mean the complete materials that Polish Cipher Bureau was able to end of the codebreaking”. Frank Birch noted an gather about Enigma (Rejewski, 1967), opinion of one of G.C.&C.S. heads of section Rejewski, in spite of his over three years long stating that “(a)ll the German ciphers are training in cryptology, was still a mathematician unbreakable. (…) putting pundits on them rather than the codebreaker. One might say, represents a waste of time”. luckily for the civilized world; had he been the Rejewski’s approach was unique among the cryptologist, he would have probably tried to traditional codebreaking methods, as its success apply the traditional codebreaking methods, was deterministic rather than probabilistic. Most completely ineffective versus Enigma cipher. codebreaking methods used up to his Rejewski started his work identifying some breakthrough were offering only a promise of purely mathematical features of the cipher and success, without granting it. Success depended continued transforming his entire knowledge on many factors beyond the codebreaker’s about the machine and its cipher into a system of control: errors committed by the cipher clerk, equations. He was unable to solve these external evidence permitting to guess the content equations outright, as the variables they of the message, inspired guess of the probable contained represented unknown permutations cleartext. Algebraic approach invented by rather than the numbers. Theory permitting to Rejewski virtually granted the success, provided solve such type of equations was missing and that the codebreaker was able to accumulate Rejewski had to provide it himself, which he did, some 80-100 messages during a single day.
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 71 Finally, with the proper tooling Rejewski’s He developed the new idea within a month and it method was extremely efficient and fast. In 1935 took the AVA company working for Polish Polish team decided to construct a simple intelligence service another month to deliver six electromechanical device named cyclometer. prototypes, but nobody was proud of this Cyclometer was used to simplify the preparation achievement. First – because in December the of the catalogue of so called cyclic Germans increased the number of rotors to five, characteristics. Ready catalogue of the cyclic increasing tenfold the number of bombas characteristics permitted to break over 70% of necessary to break the cipher. Second – because the intercepted German messages within just few Rejewski seemed to consider necessity to reach hours after interception. In many cases the for the machinery as the failure of his beloved deciphered messages reached the eyes of the mathematics. And third – because the bomba did Polish intelligence officers before they landed on not implement the attack based on the algebraic, the desk of their rightful German receiver. but only statistical approach. Most Enigma historians assume that bomba Success reached using the algebraic approach was designed to look for so called females, i.e. did not make Polish mathematicians blind to the one letter long cycles in the Enigma cipher, possibilities offered by the traditional statistics. transforming some letter of the cleartext into the In fact, the team seems to have been divided same letter of ciphertext twice in the distance of between the adepts of algebra and group theory exactly three characters. The very idea of females and those of the statistics. Jerzy Różycki, the was valid only in the context of another method youngest member of the team, from the very of attack, being developed in parallel to the beginning was focused on the statistics, usually bombas by Henryk Zygalski, and therefore with great success. Still during their referred to as Zygalski sheets. The females in the apprenticeship the team was asked to break the Zygalski sheets represented the cyclic property training code of the German Navy. Różycki of the Enigma cipher and their existence and started his work with the observation that in any nature resulted directly from the algebraic language number of words starting with any considerations regarding the cipher. particular letter of alphabet represents This was not the case with the pairs of letters characteristic feature of the language. He divided sought for by the bomba. In his description of his the intercepted codewords into the groups of construction Rejewski (1967) referred to the various frequency and started thus successful object of its search using the term “spectacles” recovery of the codebook (Rejewski, 1967). A rather than females, stressing the difference little later Różycki invented the ingenious between both concepts. method permitting determination of right-hand Spectacles represented a purely probabilistic Enigma rotor, called the “clock method” property of the cipher and therefore the bomba (Rejewski, 1967). His method relied on the idea did function only in the probabilistic and not of the index of coincidence, originally described deterministic fashion; under certain by William Friedman in 1922. There are some circumstances it could find the key to the cipher, indications that Różycki might have discovered but the solution was not granted. Rejewski never the index of coincidence independently of openly demonstrated his disappointment with his Friedman’s original work (Grajek, 2019). own idea. However, an emphatic reader may Algebraic approach served the Polish team easily spot the difference in the tone of his well until 1938, then the situation started to get description of bomba and purely mathematical complicated. During the Munich crisis German methods of attack. Describing the bomba army has modified Enigma’s ciphering Rejewski pretends to have forgotten the details of procedure, making cyclometer and the catalogue its construction and functioning and attempts to of cyclic characteristics obsolete. In the diminish its role, revealing involuntarily his increasingly confusing political situation the emotional attitude towards his own creation. His codebreakers had to find a new way to break the remarks provide a strong contrast with his cipher, and to find it fast. Rejewski (1967) comments regarding the Zygalski sheets which, responded with a concept of the “bomba” – an although they do not represent his own idea, electromechanical device running through the belong to the mainstream of his algebraic entire key space within less than two hours and thinking about the cipher. It is a pity that even stopping whenever potential solution was found. writing his memoirs in the late 1960s, he remained ignorant that his bomba represented the
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 72 foundation for a family of machines constituting to nowhere. So it was very fortunate that one of the basis of the Allied cryptologic effort during the first mathematicians to cross the gates of the war. Bletchley Park was Alan Turing, who was never particularly concerned with the opinions of his It was true, however, that the algebraic professional circle and was usually following his approach preferred by Rejewski and his own ways. This permitted him to create an colleagues has reached its apex sometime in interesting synthesis of the original, Polish 1937/1938, and was doomed to decline over the algebraic approach with a new one, based on next few years: events they were able to keep probability rather than algebra. under control since 1932 started to slip out of He took Rejewski’s earliest discovery, that of their hands. Everything started from the changes Enigma cipher’s cyclic property, as the introduced by their adversary around the Munich foundation of his design; his machine was crisis. Members of the Polish team used to supposed to traverse the key space searching for comment mistakes made by the German crypto the closed cycles (Turing, 1940). Contrary to service saying “they’d better do it in this or that Rejewski’s original design he was not planning way…”. And surprisingly, in just few months to search for these cycles within the message their adversary was changing his systems strictly headers, but rather in the message contents. We following their own opinions. Poles started to might easily recognize Dilly Knox behind that suspect the existence of a mole within their decision. Immediately after his return from Pyry closest circle (which, according to our present Knox expressed opinion that all Polish successes state of knowledge, was not true). were based on a factor which might be removed One of the conclusions of the Pyry meeting in by the adversary any moment: double July 1939 divided the efforts between the encipherment of the message key. Dilly was cooperating parties; British codebreakers were right; that was precisely what happened on May st responsible for the construction of the necessary 1 , 1940. At that time Turing bombe was already equipment, French for using their agent in Berlin in the production process, and it did not rely on to get more information about Enigma, and the the analysis of the message indicator, so the Poles for the studies in the theory of Enigma change did not affect its construction. ciphers. That division soon fell victim of the There was, however, a price to be paid. Turing wartime reality. Polish team was able to find a had designed his bomb so that it could search for refuge in France and to reorganize in P.C. Bruno the cycles within the fragment of the probable only to discover, that the Poles represented text (a crib) assumed by the codebreaker to be virtually entire cryptology of the French army. present in the coded message. His bombe was Concentrating their efforts on the daily, able to provide a solution only, and exclusively operational codebreaking they were unable to only, when this guess was right. Bombe’s continue their studies in the theory – initiative functioning was algebraic and deterministic with passed into the hands of the more resourceful regard to the cycle search, and purely British codebreakers (Grajek, 2019). probabilistic with regard to the choice and One might think that the British would be position of the probable text. Later on Gordon naturally inclined to continue their work more or Welchman strengthened the deterministic part of less along the lines drawn by their Polish its job, adding the diagonal table, but overall the predecessors. Most of the young mathematicians efficiency of the bombe was determined by the entering the gates of Bletchley Park were probabilistic component. As long as the educated in the intellectual tradition best codebreakers were able to provide a good and epitomized by opinions by Godfrey Hardy, stable crib, they were able to break the key; stressing the importance of pure vs applied otherwise the cipher remained invulnerable. mathematics (including well known “[r]eal Bombe provided a practical solution for the mathematics has no effects on war. No one has networks of the German land and air army. Navy yet discovered any warlike purpose to be served was using Enigma in much more ingenious way, by the theory of numbers or relativity, and it resisting British attacks until late spring 1941. It seems very unlikely that anyone will do so for was in the context of the struggle with the naval many years”) (Hardy, 1940). In the reality of Enigma, that the British codebreakers switched 1939/1940 attempts to continue algebraic attacks entirely to the probabilistic attacks. Alan Turing at the Enigma cipher would almost certainly lead and his colleagues proposed at least three
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 73 different methods of attack at the naval Enigma, the name of its head) “Freebornery” (Alexander, all of them based purely on the statistical 1945). properties of the cipher. E-rack represented most elementary of them, using the well-known fact Neither of the described methods of attacks that letter “e” represents most frequent letter in permitted breaking of the cipher directly. All of the German language, appearing in the written them were interdependent; efficient application texts with outstanding frequency of nearly 17%. of one depended on the earlier success of the E-rack was based on the slightly paradoxical other. Alan Turing and his colleagues had to wait assumption that entire text being analysed until April/May 1941, when the documents consists of letter “e” only (Alexander, 1945). captured onboard of some German ships After the initial breakthrough with the naval permitted to overcome the crisis, and to start Enigma E-rack assured several successes with more or less regular operation of breaking the the “Offizier” variant of the cipher. naval Enigma. Another method invented in the process was Their brief description above illustrates their called “EINSing” (Alexander, 1945). Analysing nature sufficiently to recognize their purely decoded texts of German military messages the probabilistic character. Under the pressure of the codebreakers have noticed that the most frequent war necessity British codebreakers have given up single word encountered therein was EINS. They algebraic approach, switching almost entirely to have designed a simple device enciphering EINS the well-established probabilistic and statistical at each and every position of Enigma rotors and methods. This tendency was further strengthened registering the result on the perforated cards. later on, during the attacks on the German Then it was enough to register intercepted teletype ciphers. Functioning of both devices messages on the perforated cards and compare constructed by the British codebreakers for this them, using the electromechanical sorter, with purpose, Heath Robinson and Colossus, relied on cards containing the EINS catalogue. counting the measure of coincidence between the Third and most advanced method of attack on intercepted text and the pattern enciphered at the naval Enigma was banburismus (Alexander, every setting of the ciphering machine. 1945). Its goal was to identify the right-hand Two factors regarding British preference for Enigma rotor and, consequently, to narrow the probabilistic and statistical methods deserve number of rotor combinations being checked by additional comment. When Alan Turing was the bombe. Banburismus represented the looking for a base for his banburismus, he extension of the pre-war method proposed by decided to choose the less popular branch of Jerzy Różycki and referred to as the “clock statistics, the Bayesian inference, taking thus the method”. Różycki used to analyse pairs of position in the old debate between the a priori messages, whose indicators differed only in the and a posteriori statisticians. Interestingly, using last position; banburismus extended his approach an a priori approach assured the German for the pairs of messages differing in two, and mathematicians about the security of Enigma under certain circumstances even thee positions. ciphers (Ratcliff, 2003). Turing did not agree Codebreakers were registering incoming with a very principle of using an a priori messages on the special sheets (manufactured in approach; he argued that the ciphertext itself Banbury, hence the name of the method) and reveals some information about the cipher and sliding pairs of sheets vs each other, looking for the codebreaker should take this information into repeats. Every repeat one, two or three letters account. It was thus natural to reach for an a long was weighted using specially designed posteriori inference, and the Bayesian statistics tables, measuring the probability of the provided a natural tool. coincidence. Sum of the partial results Second factor was of purely human nature. determined the probability that both messages Most of the mathematicians recruited to Blechley were enciphered at the same or similar Enigma Park belonged simultaneously to the top ranking settings. It is worth noting that for the sake of group of chess players, at least in Britain, and banburismus Alan Turing invented the concept some of them (among them C.H’O.D. of “ban” – a measure of information equivalent Alexander) represented the top world level. to bit proposed by Claude Shannon. Banburismus Among the various circles, groups and clubs was further extended to the “tetra catalogue” – organized at the BP to provide recreation, chess repeats four or more letters long, processed using club belonged to most numerous and most active. sorters and tabulators in the section called (from
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 74 So far no one was able to formulate an algebraic It was fortunate for the Allied cause that right theory of the chess game; chess player naturally at that moment the initiative in the attacks at formulates his thinking about the game in terms Enigma ciphers passed into the British hands. of probability. It was thus natural to extend this The situation was developing in a somewhat model of thinking in the new game that the chess paradoxical way. Marian Rejewski’s studies in playing mathematicians were participating in. actuarial statistics indicate his interest in the applied mathematics. In spite of that he As far as we know after the end of hostilities developed a theory of attack at the cipher in the the codebreaking has for many years remained best style of pure math. Most British heavily dominated by the probabilistic and codebreakers were educated in the respect for the statistical methods. The landscape started to pure math, and in spite of that decided to change change only in late 1960s and early 1970s, when the paradigm and switch to the probabilistic and algebraic approach started to regain its statistical methods, the only ones practical citizenship rights in cryptology, being bravely considering the necessities of war and the only accompanied by the number theory. ones offering the prospects of success. 4 Algebraists & Probabilists The history of attacks at Enigma ciphers is almost synonymous with the earliest period of Although some simple statistical methods the development of mathematical cryptology. It have been traditionally used in the codebreaking is fascinating to note that during that very early for over ten centuries, Polish success with period Allied codebreakers developed and Enigma in 1932 marked the real birth of the successfully applied methods based on two mathematical cryptology. mutually complementary areas of modern Interestingly, it was based on the oldest, cryptology; algebra on one part, and probability perhaps next to geometry, field of mathematics, and statistics on the other. Present cryptanalysis algebra. Rejewski’s breakthrough was by no relies on the mixture of both approaches. Its first means accidental. Polish Cipher Bureau was the stage usually involves the exploitation of first cryptology agency in the world, which not cipher’s algebraic properties to limit the search only decided to employ mathematicians, but also space. Then the probability and statistics take suit expected, encouraged and trained them to apply to find the solution within that limited space. It is their mathematical workshop in the interesting to note that precisely this approach codebreaking. Other codebreaking services provided the base for the construction of the followed its suit only after learning, directly or Turing bombe. indirectly, about Polish success. Methods of Enigma breaking invented by References Polish team were somewhat exceptional. Their algebraic character made them deterministic: Alexander C.H.O’D., Cryptographic History of Work they granted breaking the cipher whenever on German Naval Enigma, 1945, NA HW 25/1 Cipher Bureau was able to accumulate sufficient Al-Farahidi Ahmed, Book of Cryptographic number of messages, without additional Messages conditions regarding their contents. In that aspect Friedman, W.F., 1922, The index of coincidence and its applications in cryptology. Department of they represented almost an antithesis of the then Ciphers. Publ 22. Geneva, Illinois, USA: mainstream of traditional cryptanalysis, relying Riverbank Laboratories entirely on statistics and probability. Moreover, Grajek Marek, 2019, Sztafeta Enigmy. Odnaleziony they were invented and used just in time to raport polskich kryptologów, Agencja demonstrate their power. A few years later Bezpieczeństwa Wewnętrznego, Emów 2019 German crypto services started restructuring Hardy, G. H., 1940, A Mathematician's Apology, their operations, recruiting more mathematicians Cambridge University Press 1940 and permitting them to look at the codes, ciphers Al-Kindi, Manuscript on Deciphering Cryptographic and machines from the perspective of their Messages discipline. This new approach permitted to Ratcliff R.A., 2003, How Statistics Let the Germans eliminate some mistakes and idiosyncrasies in to Believe Enigma Secure and Why They Were Wrong: Neglecting the Practical Mathematics of the design of German ciphers, among them those, Cipher Machines, Cryptologia 2003/2 which made Polish approach so effective. Rejewski Marian, 1967, Memories of my work at the Cipher Bureau of the General Staff Second
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 75 Department 1930-1945, Adam Mickiewicz Turing Alan, 1940, Prof’s Book, NA HW 25/3 University Press, Poznań 2013
Proceedings of the 3rd International Conference on Historical Cryptology, HistoCrypt 2020 76