
Appendix: Axiomatic Information Theory

The logic of secrecy was the mirror-image of the logic of information
Colin Burke 1994

Perfect security was promised at all times by the inventors of , particularly of crypto machines (Bazeries: je suis indéchiffrable). In 1949, Claude E. Shannon gave in the framework of his information theory a clean definition of what could be meant by perfect security. We show in the following that it is possible to introduce the cryptologically relevant part of information theory axiomatically.

Shannon was in contact with , since he worked 1936-1938 in the team of Vannevar Bush, who developed the COMPARATOR for determination of character coincidences. His studies in the Bell Laboratories, going back to the year 1940, led to a confidential report (A Mathematical Theory of Communication) dated Sept. 1, 1945, containing apart from the definition of Shannon entropy (Sect. 16.5) the basic relations to be discussed in this appendix. The report was published three years later: Communication Theory of Secrecy Systems, Bell System Technical Journal 28, 656-715 (1949).

A.1 Axioms of an Axiomatic Information Theory

It is expedient to begin with events, i.e., sets $X$, $Y$, $Z$ of elementary events, and with the uncertainty on events, which is a real number. More precisely,
$H_Y(X)$ denotes the uncertainty on $X$, provided $Y$ is known.
$H(X) = H_\emptyset(X)$ denotes the uncertainty on $X$, provided nothing is known.

A.1.1 Intuitively patent axioms for the real-valued binary set function $H$ are

(0) $0 \le H_Y(X)$ ("Uncertainty is nonnegative.")
For $0 = H_Y(X)$ we say "$Y$ uniquely determines $X$."

(1) $H_{Y \cup Z}(X) \le H_Z(X)$ ("Uncertainty decreases, if more is known.")
For $H_{Y \cup Z}(X) = H_Z(X)$ we say "$Y$ says nothing about $X$."

The critical axiom on additivity is

(2) $H_Z(X \cup Y) = H_{Y \cup Z}(X) + H_Z(Y)$

This says that uncertainty can be built up additively over events.

The classical stochastic model for this axiomatic information theory is based on $p_X(a) = \Pr[X = a]$, the probability that the random variable $X$ assumes the value $a$, and defines

$$H_\emptyset(\{X\}) = -\sum_{s:\, p_X(s) > 0} p_X(s) \cdot \operatorname{ld} p_X(s)$$

$$H_\emptyset(\{X\} \cup \{Y\}) = -\sum_{s,t:\, p_{X,Y}(s,t) > 0} p_{X,Y}(s,t) \cdot \operatorname{ld} p_{X,Y}(s,t)$$

$$H_{\{Y\}}(\{X\}) = -\sum_{s,t:\, p_{X/Y}(s/t) > 0} p_{X,Y}(s,t) \cdot \operatorname{ld} p_{X/Y}(s/t)$$

where $p_{X,Y}(a,b) =_{\mathrm{def}} \Pr[(X = a) \wedge (Y = b)]$ and $p_{X/Y}(a/b)$ obeys Bayes' rule for conditional probabilities:

$$p_{X,Y}(s,t) = p_Y(t) \cdot p_{X/Y}(s/t), \quad\text{thus}\quad -\operatorname{ld} p_{X,Y}(s,t) = -\operatorname{ld} p_Y(t) - \operatorname{ld} p_{X/Y}(s/t)$$

A.1.2 From the axioms (0), (1), and (2), all the other properties usually derived for the classical model can be obtained.

For $Y = \emptyset$, (2) yields
(2a) $H_Z(\emptyset) = 0$ ("There is no uncertainty on the empty event set.")

(1) and (2) imply
(3a) $H_Z(X \cup Y) \le H_Z(X) + H_Z(Y)$ ("Uncertainty is subadditive.")

(0) and (2) imply
(3b) $H_Z(Y) \le H_Z(X \cup Y)$ ("Uncertainty increases with larger event set.")

From (2) and the commutativity of $\cup$ follows
(4) $H_Z(X) - H_{Y \cup Z}(X) = H_Z(Y) - H_{X \cup Z}(Y)$

(4) suggests the following definition: The mutual information of $X$ and $Y$ under knowledge of $Z$ is defined as

$$I_Z(X,Y) =_{\mathrm{def}} H_Z(X) - H_{Y \cup Z}(X).$$

Thus, the mutual information $I_Z(X,Y)$ is a symmetric (and because of (1) nonnegative) function of the events $X$ and $Y$. From (2),

$$I_Z(X,Y) = H_Z(X) + H_Z(Y) - H_Z(X \cup Y).$$

Because of (4), "$Y$ says nothing about $X$" and "$X$ says nothing about $Y$" are equivalent and are expressed by $I_Z(X,Y) = 0$. Another way of saying this is that under knowledge of $Z$, the events $X$ and $Y$ are mutually independent.

In the classical stochastic model, this situation is given if and only if $X$, $Y$ are independent random variables: $p_{X,Y}(s,t) = p_X(s) \cdot p_Y(t)$.

$I_Z(X,Y) = 0$ is equivalent with the additivity of $H$ under knowledge of $Z$:

(5) $I_Z(X,Y) = 0$ if and only if $H_Z(X) + H_Z(Y) = H_Z(X \cup Y)$.

A.2 Axiomatic Information Theory of Cryptosystems

For a cryptosystem $X$, events in the sense of abstract information theory are sets of finite texts over $Z_m$ as an alphabet. Let $P$ be a plaintext(-event), $C$ a cryptotext(-event), $K$ a keytext(-event).¹ The uncertainties $H(K)$, $H_C(K)$, $H_P(K)$, $H(C)$, $H_P(C)$, $H_K(C)$, $H(P)$, $H_K(P)$, $H_C(P)$ are now called equivocations.

A.2.1 First of all, from (1) one obtains

$H(K) \ge H_P(K)$, $H(C) \ge H_P(C)$,
$H(C) \ge H_K(C)$, $H(P) \ge H_K(P)$,
$H(P) \ge H_C(P)$, $H(K) \ge H_C(K)$.

A.2.1.1 If $X$ is functional, then $C$ is uniquely determined by $P$ and $K$, thus

(CRYPT) $H_{P,K}(C) = 0$, i.e., $I_K(P,C) = H_K(C)$, $I_P(K,C) = H_P(C)$
("plaintext and keytext together allow no uncertainty on the cryptotext.")

A.2.1.2 If $X$ is injective, then $P$ is uniquely determined by $C$ and $K$, thus

(DECRYPT) $H_{C,K}(P) = 0$, i.e., $I_C(K,P) = H_C(P)$, $I_K(C,P) = H_K(P)$
("cryptotext and keytext together allow no uncertainty on the plaintext.")

A.2.1.3 If $X$ is Shannon, then $K$ is uniquely determined by $C$ and $P$, thus

(SHANN) $H_{C,P}(K) = 0$, i.e., $I_P(C,K) = H_P(K)$, $I_C(P,K) = H_C(K)$
("cryptotext and plaintext together allow no uncertainty on the keytext.")

A.2.2 From (4) follows immediately

$H_K(C) + H_{K,C}(P) = H_K(P) + H_{K,P}(C)$,
$H_P(C) + H_{P,C}(K) = H_P(K) + H_{P,K}(C)$,
$H_C(P) + H_{C,P}(K) = H_C(K) + H_{C,K}(P)$.

With (1) this gives

Theorem 1:
(CRYPT) implies $H_K(C) \le H_K(P)$, $H_P(C) \le H_P(K)$,
(DECRYPT) implies $H_C(P) \le H_C(K)$, $H_K(P) \le H_K(C)$,
(SHANN) implies $H_P(K) \le H_P(C)$, $H_C(K) \le H_C(P)$.

A.2.3 In a cryptosystem, $X$ is normally injective, i.e., (DECRYPT) holds. In Fig. 163, the resulting numerical relations are shown graphically. In the classical professional cryptosystems, there are usually no homophones and the Shannon condition (2.6.4) holds. Monoalphabetic simple substitution and transposition are trivial, and VIGENERE, BEAUFORT, and in particular VERNAM are serious examples of such classical cryptosystems.

¹ Following a widespread notational misusage, in the sequel we replace $\{X\}$ by $X$ and $\{X\} \cup \{Y\}$ by $X, Y$; we also omit $\emptyset$ as subscript.

Fig. 163. Numerical equivocation relations for injective cryptosystems

The conjunction of any two of the three conditions (CRYPT), (DECRYPT), (SHANN) has far-reaching consequences in view of the antisymmetry of the numerical relations:

Theorem 2:
(CRYPT) $\wedge$ (DECRYPT) implies $H_K(C) = H_K(P)$
("Uncertainty on the cryptotext under knowledge of the keytext equals uncertainty on the plaintext under knowledge of the keytext,")
(DECRYPT) $\wedge$ (SHANN) implies $H_C(P) = H_C(K)$
("Uncertainty on the plaintext under knowledge of the cryptotext equals uncertainty on the keytext under knowledge of the cryptotext,")
(CRYPT) $\wedge$ (SHANN) implies $H_P(K) = H_P(C)$
("Uncertainty on the keytext under knowledge of the plaintext equals uncertainty on the cryptotext under knowledge of the plaintext.")

In Fig. 164, the resulting numerical relations for classical cryptosystems with (CRYPT), (DECRYPT), and (SHANN) are shown graphically.

Fig. 164. Numerical equivocation relations for classical cryptosystems

A.3 Perfect and Independent Cryptosystems

A.3.1 A cryptosystem is called a perfect cryptosystem, if plaintext and cryptotext are mutually independent:

$$I(P,C) = 0.$$

This is equivalent to $H(P) = H_C(P)$ and to $H(C) = H_P(C)$ ("Without knowing the keytext: knowledge of the cryptotext does not change the uncertainty on the plaintext, and knowledge of the plaintext does not change the uncertainty on the cryptotext") and is, according to (5), equivalent to $H(P,C) = H(P) + H(C)$.

A.3.2 A cryptosystem is called an independent key cryptosystem, if plaintext and keytext are mutually independent:

$$I(P,K) = 0.$$

This is equivalent to $H(P) = H_K(P)$ and to $H(K) = H_P(K)$ ("Without knowing the cryptotext: knowledge of the keytext does not change the uncertainty on the plaintext, and knowledge of the plaintext does not change the uncertainty on the keytext") and, according to (5), is equivalent to $H(K,P) = H(K) + H(P)$.

Fig. 165. Numerical equivocation relations for classical cryptosystems, with properties perfect and independent key

A.3.3 Shannon also proved a pessimistic inequality.

Theorem $3^K$: In a perfect classical cryptosystem (Fig. 165), $H(P) \le H(K)$ and $H(C) \le H(K)$.

Proof:
$H(P) \le H_C(P)$ (perfect)
$H_C(P) \le H_C(K)$ (DECRYPT), Theorem 1
$H_C(K) \le H(K)$ (1).
Analogously with (CRYPT) for $H(C)$.

Thus, in a perfect classical cryptosystem, the uncertainty about the key is not smaller than the uncertainty about the plaintext, and not smaller than the uncertainty about the cryptotext.

From (SHANN) $\wedge$ (DECRYPT) with Theorem 1 we find $H_C(P) = H_C(K)$; after adding $H(C)$ on both sides, according to (2) we get $H(P,C) = H(K,C)$. In a perfect cryptosystem, $H(P,C) = H(P) + H(C)$. Further, according to (2), $H(K,C) = H(K) + H_K(C)$. Thus

$$H_K(C) = H(P) - (H(K) - H(C)) = H(C) - (H(K) - H(P)).$$

In Fig. 166, this result is displayed graphically.

Fig. 166. Numerical equivocation relations for perfect classical cryptosystems

A.3.4 By a cyclic shift of $K$, $C$, $P$:

Theorem $3^C$: In a classical cryptosystem with independent key, $H(K) \le H(C)$ and $H(P) \le H(C)$ as well as

$$H_C(P) = H(K) - (H(C) - H(P)) = H(P) - (H(C) - H(K)).$$

A.4 Shannon's Main Theorem

A.4.1 For a classical cryptosystem which is both perfect and independent key, Theorems $3^K$ and $3^C$ imply immediately that $H(K) = H(C)$.

A.4.2 A cryptosystem with coinciding $H(K)$ and $H(C)$ shall be called a cryptosystem of Vernam type. Examples are given by cryptosystems with VIGENERE, BEAUFORT, and particularly VERNAM steps, but also by linear polygraphic block encryptions. In the stochastic model this condition is particularly fulfilled, if both $C$ and $K$ are texts of $k$ characters with maximal $H(K)$ and maximal $H(C)$:

$$H(K) = H(C) = k \cdot \operatorname{ld} N.$$

Main Theorem (Claude E. Shannon 1949): In a classical cryptosystem, any two of the three properties perfect, independent key, of Vernam type imply the third one.

The proof is obvious from Fig. 165.

A.4.3 A sufficient condition for a classical cryptosystem to be perfect is that it is independent key and of Vernam type; these conditions can be guaranteed from outside. Then $H(P) \le H(C) = H(K)$. In the stochastic model, perfect security requires with $H(P) \le H(K)$ that the key possesses at least as many characters as the plaintext, which means that every description of the key is at least as long as the key itself (Chaitin's requirement, Sect. 8.8.4).

Thus, perfect security requires safe distribution of an independent key which provides for every plaintext character a key character - an extreme requirement, which frequently cannot be fulfilled in practice. Non-perfect practical security is guaranteed only by the time required for breaking the encryption.

A.4.4 Shannon discussed a further property of a cryptosystem. We call a cryptosystem ideal (Shannon: strongly ideal), if cryptotext and keytext are mutually independent:

$$I(K,C) = 0.$$

This is equivalent to $H(K) = H_C(K)$ and to $H(C) = H_K(C)$.

According to Shannon, ideal cryptosystems have practical disadvantages: for a perfect cryptosystem, $H(K) = H(P)$ must hold. Perfect ideal cryptosystems are necessarily adapted to the plaintext language, which usually is a natural language. In this case, rather complicated encryption algorithms are necessary. Also, transmission errors inevitably cause an avalanche effect. In fact, we have here a practically unattainable ideal.
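The relations of A.2 to A.4 can be checked numerically in the stochastic model. The following Python sketch is an added example, not taken from the book: it assumes a one-character cryptosystem over Z_4 with the addition step c = (p + k) mod 4, a constructed skewed plaintext distribution, and two constructed key distributions (uniform over four keys, and restricted to two keys); all function names are illustrative.

```python
"""Added example: equivocations of a one-character classical cryptosystem."""
from collections import defaultdict
from math import log2

IDX = {"P": 0, "K": 1, "C": 2}
EPS = 1e-9

# Constructed sample distributions over Z_4 (assumptions, not data from the book).
N = 4
SKEWED_PLAIN = {0: 0.5, 1: 0.25, 2: 0.125, 3: 0.125}   # H(P) = 1.75 bit
UNIFORM_KEY = {k: 0.25 for k in range(N)}               # H(K) = 2 bit
SHORT_KEY = {0: 0.5, 1: 0.5}                            # H(K) = 1 bit < H(P)


def joint(p_plain, p_key, n):
    """Joint distribution of (P, K, C) for C = (P + K) mod n, P and K drawn independently."""
    dist = defaultdict(float)
    for p, pr_p in p_plain.items():
        for k, pr_k in p_key.items():
            dist[(p, k, (p + k) % n)] += pr_p * pr_k
    return dict(dist)


def entropy(dist, names):
    """Shannon entropy in bits of the marginal over the named events ('P', 'K', 'C')."""
    marg = defaultdict(float)
    for outcome, pr in dist.items():
        marg[tuple(outcome[IDX[x]] for x in names)] += pr
    return -sum(pr * log2(pr) for pr in marg.values() if pr > 0)


def H(dist, of, given=""):
    """Equivocation H_given(of), using axiom (2): H_Y(X) = H(X, Y) - H(Y)."""
    both = "".join(dict.fromkeys(of + given))
    return entropy(dist, both) - entropy(dist, given)


def mutual_info(dist, x, y):
    """Mutual information I(X, Y) = H(X) - H_Y(X)."""
    return H(dist, x) - H(dist, x, y)


def analyse(p_plain, p_key, n):
    """Compute the equivocations and the three properties of the Main Theorem."""
    d = joint(p_plain, p_key, n)
    r = {
        "H(P)": H(d, "P"), "H(K)": H(d, "K"), "H(C)": H(d, "C"),
        "H_C(P)": H(d, "P", "C"), "H_K(C)": H(d, "C", "K"),
    }
    # (CRYPT), (DECRYPT), (SHANN): all three equivocations vanish in a classical system.
    r["classical"] = all(
        abs(H(d, of, given)) < EPS
        for of, given in (("C", "PK"), ("P", "CK"), ("K", "CP"))
    )
    r["perfect"] = abs(mutual_info(d, "P", "C")) < EPS
    r["independent_key"] = abs(mutual_info(d, "P", "K")) < EPS
    r["vernam_type"] = abs(r["H(K)"] - r["H(C)"]) < EPS
    return r


def main_theorem_consistent(r):
    """Any two of the three properties imply the third: exactly two can never hold."""
    flags = [r["perfect"], r["independent_key"], r["vernam_type"]]
    return flags.count(True) != 2


if __name__ == "__main__":
    for label, key in (("uniform key", UNIFORM_KEY), ("two-value key", SHORT_KEY)):
        res = analyse(SKEWED_PLAIN, key, N)
        print(label)
        for name, value in res.items():
            print(f"  {name:16} {value if isinstance(value, bool) else round(value, 4)}")
        print("  main theorem ok ", main_theorem_consistent(res))
```

With the uniform key the system is perfect, independent key and of Vernam type, and $H_C(P) = H(P)$; with the two-value key it is still independent key, but $H(K) < H(P)$ rules out perfection and $H_C(P)$ drops to the value given by Theorem $3^C$.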

A.5

The condition $H_C(P) > 0$ expresses that for known cryptotext there remains some uncertainty on the plaintext. For a classical cryptosystem with independent key (not necessarily perfect) this means, by Theorem $3^C$,

$$H(K) > H(C) - H(P).$$

We now use the stochastic model, with plaintext words $V^*$ and cryptotext words $W^*$ over a character set $V = W$ of $N$ characters. We restrict our attention to words of length $k$.

Following Hellman (1975), we assume that $N_P$ and $N_C$ are numbers such that among the $N^k$ words of length $k$ the number of meaningful, i.e., possibly occurring, ones is just $(N_P)^k$ and the number of occurring cryptotexts is just $(N_C)^k$. Then $N_P \le N$ and $N_C \le N$. If all these texts occur with equal probability, then in the stochastic model

$$H(P) = k \cdot \operatorname{ld} N_P, \qquad H(C) = k \cdot \operatorname{ld} N_C.$$

Furthermore, we assume that $Z$ is the cardinality of the class of methods, i.e., the number of key words. Assume that all these key words occur with equal probability. Then

$$H(K) = \operatorname{ld} Z.$$

The inequality above, meaning the existence of an uncertainty, turns into

$$\operatorname{ld} Z > k \cdot (\operatorname{ld} N_C - \operatorname{ld} N_P)$$

or, provided $\operatorname{ld} N_C > \operatorname{ld} N_P$,

$$k < U, \quad\text{where}\quad U = \frac{1}{\operatorname{ld} N_C - \operatorname{ld} N_P} \cdot \operatorname{ld} Z.$$

Thus, if $k \ge U$, there is no uncertainty. $U$ is a unicity distance (Sect. 12.6).

If $N_C$ is maximal, $N_C = N$, i.e., if all possible cryptotexts occur with equal probability, and if $N_P < N$, i.e., plaintexts are in a natural language, then the condition $\operatorname{ld} N_C > \operatorname{ld} N_P$ is certainly fulfilled, and the unicity distance is

$$U = \frac{1}{\operatorname{ld} N - \operatorname{ld} N_P} \cdot \operatorname{ld} Z;$$

it is determined solely by the Shannon entropy $\operatorname{ld} N_P$ of the plaintext words. This depends in turn on the cryptanalytic procedure. If the analysis is limited to single-letter frequencies, then the Shannon entropy $\operatorname{ld} N_P^{(1)}$ is to be considered, the values of which are not very different in English, French, or German, and amount in the Meyer-Matyas count to $\operatorname{ld} N_P^{(1)} \approx 4.17$, where $N = 26$ and $\operatorname{ld} N = \operatorname{ld} 26 \approx 4.70$. Furthermore, with $\operatorname{ld} N_P^{(2)} \approx 3.5$ for bigram frequencies and $\operatorname{ld} N_P^{(3)} \approx 3.2$ for trigram frequencies, we find

(1) $U \approx \frac{1}{0.53} \operatorname{ld} Z$ for decryption with single-letter frequencies,
(2) $U \approx \frac{1}{1.2} \operatorname{ld} Z$ for decryption with bigram frequencies,
(3) $U \approx \frac{1}{1.5} \operatorname{ld} Z$ for decryption with trigram frequencies.

For plaintext words, the average length is about 4.5 and the corresponding Shannon entropy about $\operatorname{ld} N_P^{(w)} \approx 2.6$, thus

(w) $U \approx \frac{1}{2.1} \operatorname{ld} Z$ for decryption with word frequencies.

The Shannon entropy of the English language under consideration of all, even grammatical and semantic, side conditions is considerably smaller; a value of about $\operatorname{ld} N_P^{(*)} \approx 1.2$ seems about right. This gives the unicity distance

(*) $U \approx \frac{1}{3.5} \operatorname{ld} Z$ for decryption in free style,

which is also given in Sect. 12.6.

For simple (monographic) substitution with $Z = 26!$, we have $\operatorname{ld} Z = 88.38$ (Sect. 12.1.1.1); this leads to the values 167, 74, 59, 42, and 25 for the unicity distance, which are confirmed by practical experience. The situation is rather similar for the German, French, Italian, Russian, and related Indo-European languages.

A.6 Compression

Although Shannon was led to his information theory by his occupation with cryptological questions during the Second World War, information theory, in the form relevant and interesting for communication engineering, has no secrecy aspects. Its practical importance lies more in showing how to increase the transmission rate by suitable coding, up to a limit which corresponds to a message without any redundancy - say a message $P$ of $k$ characters with the maximal uncertainty $H(P) = k \cdot \operatorname{ld} N$.

The cryptological results above apply immediately to communication channels. Theoretically, a transmission requiring $\operatorname{ld} 26 = 4.70$ [bit/char] can be compressed by coding to one requiring only about 1.2 [bit/char]. A good approximation of this rate needs tremendous circuitry. The simplest case of a Huffman coding works on single characters only and reduces the transmission rate only to about 4.17 [bit/char], while Huffman coding for bigrams and trigrams, which needs a larger memory, does not bring a dramatic reduction. In future, however, economic and practical redundancy elimination by Huffman coding for tetragrams should be within reach using special chips.

The situation is different for the transmission of pictures. The compression obtainable by relatively simple methods is remarkable and finds increasingly practical use. For these applications, the truism of post-Shannon cryptology, that code compression of the plaintext is a useful step in improving the practical security of a cryptosystem, is particularly appropriate.

A.7 Impossibility of Complete Disorder

When in the 1920s the use of independent ("individual") keys was recommended, their fabrication did not seem to be a problem. That an individual key should be a random sequence of key characters was intuitively clear. After the work of Shannon and particularly of Chaitin in 1974, all attempts to produce a random sequence algorithmically had to be dropped. If keys were to be generated by algorithms, genuine random keytexts were not attainable. Thus, some order had to remain - the question was which one.

Consequently, 'pseudo random sequences' with a long period were increasingly suspected of having hidden regularities that would help cryptanalysis, although concrete examples are so far lacking in the open literature. The professionals responsible for the security of their own systems were faced with more and more headaches, while aspiring code breakers could always hold out the hope of unexpected solutions.

Strangely, at about this time a similar development took place in mathematics. In 1973, H. Burkill and L. Mirsky wrote:

    There are numerous theorems in mathematics which assert, crudely speaking, that every system of a certain class possesses a large subsystem with a higher degree of organization than the original system.

We give a number of examples:

(1) Every graph of $n$ nodes contains either a large subgraph of $k$ nodes which is connected, or a large subgraph of $k$ nodes which is unconnected. ($k$ is the Ramsey number, e.g., $k = 6$ for $n = 102$, F. P. Ramsey 1930)
(2) Every bounded infinite sequence of complex numbers contains a convergent infinite subsequence. (K. Weierstrass 1865)
(3) If the natural numbers are partitioned into two classes, at least one of these classes contains an arithmetic series of arbitrarily large length. (Issai Schur about 1925, B. L. van der Waerden 1927)
(4) Every partial order of $n^2 + 1$ elements contains either a chain of length $n + 1$ or a set of $n + 1$ incomparable elements. (R. P. Dilworth 1950)
(5) Every sequence of $n^2 + 1$ natural numbers contains either a monotonically increasing or a monotonically decreasing subsequence of length $n + 1$. (P. Erdős, G. Szekeres 1950)

Between these and some other examples there seemed to be no connection, before P. Erdős, in 1950, tried a synopsis and found a general theorem which gave many single results by specialization. Under the name Ramsey Theory, this has led since 1970 to many subtle mathematical works on disorderly systems with orderly subsystems.

The fundamental impossibility of complete disorder should be interpreted as a warning to cryptologists, to be careful with the use of machine-produced keys - at the moment only a theoretical danger, but nevertheless a serious one. Marian Rejewski, Polish hero of decryption, expressed the warning in 1978 in the following form:

    Whenever there is arbitrariness, there is also a certain regularity.

Bibliography

Good introductions to classical cryptography for amateurs:

Gaines, Helen Fouche, Cryptanalysis. Dover, New York 1956 (new ed.)
Smith, Laurence Dwight, Cryptography. Dover, New York 1955 (new ed.)
Millikin, Donald D., Elementary Cryptography and Cryptanalysis. New York 1943 (3rd ed.)

An introduction which also appeals to mathematically oriented readers:

Sinkov, Abraham, Elementary Cryptanalysis. Mathematical Association of America, Washington 1966
This book, written by a professional cryptologist, certainly does not reproduce the full knowledge of the author.

A classic of cryptanalysis:

Friedman, William Frederick, Military Cryptanalysis. Part I, II, III, IV. Washington, 1938, 1938, 1938, 1942 (obtainable as reprint)

A comprehensive historical study of cryptology according to the state of the open literature in 1967:

Kahn, David, The Codebreakers. Macmillan, New York 1967
This book, written with journalistic verve by a professional historian, also gives references to special, not easily accessible historical literature, particularly before the 19th century.

"Of primary importance for a knowledge of modern cryptology" (Kahn) is the article

Rohrbach, Hans, Mathematische und Maschinelle Methoden beim Chiffrieren und Dechiffrieren. FIAT Review of German Science, 1939-1946: Applied Mathematics, Vol. 3 Part I pp. 233-257, Wiesbaden: Office of Military Government for Germany, Field Information Agencies 1948
An English translation by Bradford Hardie is in Cryptologia II, 20-37, 101-121 (1978).

Results of the British codebreakers, including mention of the BOMBE and COLOSSUS machines, may be found in:

Bertrand, Gustave, Enigma ou la plus grande enigme de la guerre 1939-1945. Librairie Plon, Paris 1973
Winterbotham, Frederick W., The Ultra Secret. Weidenfeld and Nicolson, London 1974
Beesly, Patrick, Very Special Intelligence. Hamish Hamilton, London 1977
Lewin, Ronald, Ultra Goes to War. Hutchinson, London 1978
Johnson, Brian, The Secret War. Methuen, London 1978
Rohwer, Jürgen; Jäckel, Eberhard, Die Funkaufklärung und ihre Rolle im Zweiten Weltkrieg. Motorbuch-Verlag, Stuttgart 1979
Randell, Brian, The COLOSSUS. In: N. Metropolis et al., A History of Computing in the Twentieth Century. Academic Press, New York 1980

Later detailed and reliable reports on the ENIGMA break:

Welchman, Gordon, The Hut Six Story: Breaking the Enigma Codes. McGraw-Hill, New York 1982
Garlinski, Józef, The Enigma War. Scribner, New York 1980
Kozaczuk, Wladislaw, Enigma. Arms and Armour Press, London 1984 (Polish original edition: W kregu Enigmy 1979)
Hinsley, Francis H. et al., British Intelligence in the Second World War. Volumes I - IV, Cambridge University Press 1979-1988
Bloch, Gilbert, Enigma avant Ultra. 'Texte definitive', September 1988
An English translation by A. Deavours is in Cryptologia XI, 142-155, 227-234 (1987), XII, 178-184 (1988)
Kahn, David, Seizing the Enigma. Houghton-Mifflin, Boston 1991
Hinsley, Francis H., Stripp, Alan (eds.), Code breakers. The inside story of Bletchley Park. Oxford University Press 1993

A biography of the life and work of Alan Turing:

Hodges, Andrew, Alan Turing: The Enigma. Simon and Schuster, New York 1983

First-hand information on statistical methods:

Kullback, Solomon, Statistical Methods in Cryptanalysis. Aegean Park Press, Laguna Hills, CA 1976

Cryptological devices and machines are treated in:

Türkel, Siegfried, Chiffrieren mit Geräten und Maschinen. Graz 1927
Deavours, Cipher A. and Kruh, Louis, Machine Cryptography and Modern Cryptanalysis. Artech House, Dedham, MA 1985

Specialist works on modern cryptography:

Konheim, Alan G., Cryptography. Wiley, New York 1981
Meyer, C. H., Matyas, St. M., Cryptography. Wiley, New York 1982
Brassard, G., Modern Cryptology. Lecture Notes in Computer Science, Vol. 325, Springer, Berlin 1988
Beker, H. and Piper, F., Cipher Systems. Northwood Books, London 1982
Salomaa, Arto, Public-Key Cryptography. Springer, Berlin 1990
The last two books also cover cryptanalysis of the Hagelin machines in some detail.
Schneier, Bruce, Applied Cryptography. Wiley, New York 1993, 2nd ed. 1995
This book contains protocols, algorithms and source code in C.

Questions of cryptology and civil rights are discussed in:

Hoffman, Lance J. (ed.), Building in Big Brother. Springer, New York 1995
Denning, Dorothy E. R., Cryptography and Data Security. Addison-Wesley, Reading, MA 1983

Among the specialist journals are:

Cryptologia. A Quarterly Journal Devoted to Cryptology. Editors: David Kahn, Louis Kruh, Cipher A. Deavours, Brian J. Winkel, Greg Mellen. ISSN 0161-1194. Terre Haute, Indiana
Journal of Cryptology. The Journal of the International Association for Cryptologic Research. Editor-in-Chief: Gilles Brassard. ISSN 0933-2790. Springer, New York

Under the heading Advances in Cryptology appear the proceedings of the annual International Cryptology Conference (CRYPTO) and of the annual International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT), sponsored by the International Association for Cryptological Research (IACR), in the Lecture Notes in Computer Science series, Springer, Berlin

A rather complete bibliography may be found in:

Shulman, David, An Annotated Bibliography of Cryptography. Garland, New York 1976

Of interest mainly to historians are the works of Hindenburg 1795, 1796; Andres 1799; Klüber 1809; Lindenfels 1819; Vesin de Romanini 1838; 1844; Kasiski 1863; Myer 1866; Koehl 1876; Fleißner von Wostrowitz 1881; Kerckhoffs 1883; Josse 1885; de Viaris 1888, 1893; Valerio 1892; Carmona 1894; Gioppi di Türkheim 1897; Bazeries 1901; Delastelle 1902; Meister 1902, 1906; Schneickert 1900, 1905, 1913; Hitt 1916; Langie 1918; Friedman 1918, 1922, 1924, 1925; Givierge 1925; Lange & Soudart 1925; Sacco 1925, 1947; Figl 1926; Gylden 1931; Yardley 1931; Ohaver 1933; Baudouin 1939; d'Agapayeff 1939; Pratt 1939; Eyraud 1953; Weiss 1956; Muller 1971

The works of Hitt, Kullback, Friedman, Sacco, Gylden, Givierge, Lange-Soudart, Ohaver, Langie, Callimahos are obtainable as reprints from: Aegean Park Press, P.O. Box 2837, Laguna Hills, CA 92654-0837, USA.
R., 203 -, ideal, 424 Denning, Norman, 407 -, independent key, 422 Denniston, Alastair, 381,410 -, of Vernam type, 423 -, Robin, 410 -, perfect, 422,423 depth, 312,342 -, pure, 148,344,345 Dershavin, Gavrila Romanovich, 229 -,Shannon, 148,239,345,420,421 DES, 35,161,163,164,165,166,167,174, -, transitive, 345 200,204,207 cryptotext, 31,34,41 - chips, 167 - vocabulary, 31 -,modes of operation for, 165,166,207 cryptotext-cryptotext-compromise, 187, Desch, Joseph, 391-392 189,198,342,360,361,371,413 Desch BOMBE, 392 cryptotext-only attack (known crypto- Deubner, Ludwig, 47,406 text attack), 278,412 -,Ottfried, 249 CSKO, 414 Deutsches Museum, Munich, VII CSP 642, 119,240,250,409 de Viaris (code), 72 CSP 845 see M-138-A de Vries, Mauritius, 2,84 CSP 1500 see M-209 diagonal board, 388,389,390 cue, 16,17 diagonally continued alphabets, 103 Culpeper, Edmund, 227 Diccionario Cryptographico (code), 72 CULPER, 68, 227 Dickinson, Velvalee, 16 CVCCV, 74,402 Dickson, L. E., 80 CVCVC, 69,402 dieder group, 349 cycle, 386-390 difference method, 336,337-339,357- - decomposition, 104,377 359 - notation, 44 difference table, 338,339,358 - numbers, cyclotomic numbers, 77 differential cryptanalysis, 187 cyclic group, 346,349 Differenzenrechengeriit, 339 cyclometer, 377 Diffie, Whitfield, V, 5, 172, 184, 201 cylinder and strip devices, 49,50, 117, 118, diffusion, 152 119,128,240,243-248,325 cypher, 30 Algorithm (DSA) , 184-185 Cyrillic alphabet, 38 Digital Signature Standard (DSS), 184 Czech alphabet, 38 digraphic substitution, 56,210,218 D' Agapayeff, Alexander, 430 Dilworth, R. 
P., 427 Damm, Arvid Gerhard, 106,116,128, 136, directory, 172 143 discrete logarithm function, 177 Darhan (code), 73 discriminant, 151,357 Dato, Leonardo, 122 disinformation, 3 Deavours, Cipher A., 108, 110, 194, 253, disk, 51,52 255,256,384,386,429 division algorithm, 88, [deciban], 384 Dodgson, Charles Lutwidge, 363 decimal digits (Z10 ), 39 Donelly, Ignatius, 29 decimation, 85, 209 Donitz, Karl, 195,360,406,407 (DECRYPT), 420 Doppelkassettenverfahren, 63 decryption of ancient scripts, 25, Plate A Doppelwiirfelverfahren, 96 decryption step, 41, 171 Doppler, 303,313 see also repetitions Defense Calculator, 393 double casket,double PLAYFAIR, 63 Defense Intelligence Agency (DIA), 30 double cipher, 124 definal, 32 double columnar transposition, 26,96,402 de Grey, Nigel, 406,415 double cross, 14, 18 436 Index double-ended scrambler, 382,383,385, ENIGMA, 3,31,46, 106-110, 129-133, 387,388 136,189-195,199,240,360,361, 'double key', 124 371-393, 411,415 doublet, 190,378 -, commercial, 89,106,107,252,253 doubly safe primes, 182, 185 -, core position, 109 Douglas, Chevalier, 16 - equation, 107 Dreher, 274 -,4-Rotor-, 108,189,193,194, Plate I Dreyfus, Alfred, 187, 188 -, ground setting, 59,371,373,377,378, Driscoll, Agnes Meyer, 306,390 380,381,385 du Carlet, Jean Robert, 1 -, Grundstellung see ground setting dual encryption steps, 346 -, message setting see text setting Ducros, Oliver, 118 -, number of, 109,197 Dudeney, Henry Ernest, 91 - replicas, 381 DUENNA, 257,393 -, ring setting, 109,193,371,377-379,381, Dulles, Allen W., 40,249,359 383,388 dummy, 33,43,189,190,198,259 -, Ringstellung see ring setting - text, 32 -, rotor order, 108,371,376-380,384,414 Dunning, Mary Jo, 137 -,rotors, 106-108,130, 131,Plate K duplication, 49, 104 - -, numbering of, 108,110 Dyer, Thomas H., 301 -, Spruchschliissel see text setting -, Tagesschliissel see ground setting Eachus, Joseph, 392,393 -, text setting, 371-376,378,383,384, eavesdropping, 25,183 385 EBCDIC (code), 53 -,3-rotor-, 
107,108,189,192-194 Eckardt, Heinrich von, 415 equifrequency cipher, 259 ECM, 133 equivocation, 420 Edward Prince of Wales, 27 ERA 1101, ERA 1101 A, ERA 1103, efficiency boundary, 175 393 Ehler, Herbert, VII Erdos, Pal, 121,427 electric contact realization, 104 Eriksson, Bertil E. G., 54 Electronic Code Book (ECB), 35,166, 'Erloschen ist Leuchttonne' 188,239,240 179, 203 error-detecting and -correcting codes, EIGamal, Tahir, 185 25 encicode, 338 Erskine, Ralph, 4 enciphering step, encoding step, 34 Escrowed Encryption Standard (EES), 7, encryption, fixed monoalphabetic, 40, 166 202 -, non-periodic, 34,127,140, escrow system, 202 -, periodic, 34,123,298,342 Euler, Leonhard, 10,81 -, polyalphabetic, 127, 140, 212, 213, 239 Euler's 36-officer problem, 57 -, progressive, 123, 128,245 Euler's totient function 'P, 85, 178, 209 -, quasi-nonperiodic, 127,140,395 Euwe, Max, 140 encryption block, 34 event, 418 - error, 25,186,405 -, elementary, 418 - method, 26,35,41 'evitez les courants d'air', 49,117 - philosophy, 197 Ewing, Sir Alfred, 360 - security, 31,119,185,186,196,199,202, exclusion of encryption methods, 258 204 exclusive or, 126 - step, 33,34,41,100,171 exhaustion of probable word position, non- - table, 34,121,350,370 coincidence, 239-241,247 - width, 33 -, binary, 242,247 endomorphic encryption, 33,35,39,44,48 exhaustive search, 196,208,215,219-221 endomorphic linear substitution, 79 exponentiation in GF(p), 176, 177 endomorphic substitution, 100 Eyraud, Charles, 38,45,60,85,95,112, Engineering Research Associates, Inc. 115,119,122,263,264,274,290,402,430 (E.R.A.), 393 EYRAUD encryption step, 112,113 Engstrom, Howard T., 306, 393 Eytan [EttinghausenJ, Walter, 151 Index 437

Fabyan, George, 29 Friderici, Joannes Balthasar, 39 factorization, 175, 180 Friedman, Elizebeth Smith, 4,29,227 falsification, 25 Friedman, William Frederick, 2,4,29,65, family code, 18 75,83,109,117-119,123,132,134,137, family of accompanying alphabets, 50 204,207,218,227,243,247,250,285, family of message blocks, 249, 250 288,299,301,303,305,306,308,340, Fano,R.M., 35 341,368,384,428,430 Fano condition, 35,54 Friedman examination, 299,306,308,311, feedback cycle system, 385-390 316,417 Feinstein, Genevieve, 137 Friedmann (code), 72 Feistel, Horst, 161,162 Friedrich, J ., 25 Fellers, Frank Bonner, 409 Friedrichs, Asta, 66,249,359 Fellgiebel, Erich, 31,107 function inversion, 175 female, 45,198,374,381 functional, 32 Fenner, Wilhelm, 405 Funkspiel, 184,192 Fermat prime, 161 'Fur GOD', 116 Fermat's theorem, 159 Ferner, Robert, 137 G.2 A.6, 30, 66 Fersen, Axel Graf, 127 Gagliardi, Francesco, 98 Fetterlein, Ernst C. ('Felix'), 3,144 Gaines, Helen Fouche, 58,60,94,223,226, FIALKA, 132 235,258,263,264,274,278,279,428 fiber, 32 Galilei, Galileo, 97 Fibonacci numbers, 153 Galland (code), 71 Figl, Andreas, 58,59,188,406,430 Galois field, 78,159 finitely generated, 33 garbling and corruption, 25 First Amendment, 6 gardening, 361,413 first character, 77 Gardner, Martin, 321 fist, 192 Garlinski, J6zef, 429 five-digit code, 72,73 ,74 Gaujac, Paul, 188 five-letter code, 39,71 Gauss, Carl Friedrich, 177 fixpoint, 154, 155, 160, 181,379-382,386 Gaussin, Joseph, 113 Fleissner , 92 Geheimklappe, 60, 66 , 75 Fleissner von Wostrowitz, Eduard, 92, Geheimschreiber, 143, 148, 149,353,356 263,430 gematria, 36 Flowers, T. 
H., 353 generating relation, 33 Floyd, Robert W., 140 generation of a quasi-nonperiodic key, FLUSS, 59 140,143 formal cipher, 37 generatrix, 118, 243, 244 Forschungsamt des RLM, 249,405,406 Gerold, Anton, VII, 185 Forschungsstelle der Reichspost, 9 GF(p), 78,158,176 Forsvarets Radio Anstalt (FRA), 31 Gherardi, Loris, 40 [ourbesque, 14 GIANT, 257,393 four-digit code, 72 Gioppi di Tiirkheim, Luigi Count, 65,430 four-letter code, 39 Gisevius, Hans Bernd, 359 Fox, Philip E., 256 Givierge, Marcel, 191,197,199,206,243, fractionating method, 63 247,248,264,402,406,430 'Frankfurt', 195, 407 Gleason, Andrew M., 2 Franksen, Ole Immanuel, 113,308 Goldberg, Emanuel, 9, 312 FREAK, 399 GOLDBERG, 306 free-style methods, 285, 330 Gold-Bug, 43,285,286 Freemasons' cipher, 43 Golombek, Harry, 89 frequency count, 266,267,270 Good, Irving John [Isidor Jacob Gudak], frequency distribution, 57,258,263 VII, 231, 351, 353, 410 frequency ordering, 263,264 Goring, Hermann, 250,359,385,405 frequency profile, 260-262,319,320,327 Government Code and Cypher School, Freyss, Gustave, 404 (G.C.&C.S.) 3,30,89,381,382,405 438 Index

Government Communications Headquar- hiatus, 35,54 ters (G.C.H.Q.), 30 hieroglyphs, 66 graph, 11,12 Hill, Lester S., 2,83,126 GRAY (code), 66,74,188,409 HILL encryption step, 79,83,211 Greek-Latin square, 57 Hilton, Peter J., 91 GREEN (code), 69,74,188,402 Himmler, Heinrich, 9,31,359,405 GREEN (machine), 135,136 Hindenburg, C. F., 92,430 Grew, Joseph C., 187,188 Hindenburg, Paul von, 191 Griechenwalze, 108, 189, 193 Hinsley, Francis Harry, 406, 429 Gripenstierna, Fredrik, 49,52,115,116 Histireus, 9 'grill (grid) method', 377 Hitchings, Oswald Thomas, 406 grille, 18,22,24,92 Hitler, Adolf, 31,151,234,408 GRONSFELD encryption step, 114 Hitt, Parker, 118,127,144,191,218,282, Grosvenor, William M., 404 284,285,406,430 group property, 147 Hodges, Andrew, 89,351,385,429 Groves, Leslie R., 52,53 Hoffman, Lance J., 430 Grunsky, Helmut, VI, 249 Holden, Edward S., 403 Giintsch, Fritz-Rudolf, VII Holmes, Sherlock, 11 Gylden, Yves, 4,23,129,157,430 Holtwick, Jack S., 136,410 holocryptic, 145,219 Hagelin, Boris Caesar Wilhelm, 106,129, Homan, W. B., 259 197,204,342,377 homogenous linear substitution, 78,79, half-adder, 126 80,83 half-rotor, 106,136,157 homophones, 32,33,35,43,52,53,69,71, Hall, Marshall, 2 122,190,198,243,367 Hall, William Reginald, 406 Hooper, Stanford Caldwell, 305-306 Hamming,Richard W., 25,73 Hoover, Herbert, 134,200,201 Handschliissel, 63,96,414 Hopf, Eberhard, 151,152 Harmon, John M., 5,6 Hopkins, Johns, 369,370 Harriot, Thomas, 39 Horak, Otto, 1 Harris, Martha, 203 horizontally shifted alphabets, 101-104 Hartfield, John Charles, 71,73 Hornbeck, Stanley K., 409 HARVEST, 393 Horster, Patrick, 430 Harvey (code), 71 Hotel-Telegraphenschliissel, 73 HaSek, Jaroslav, 40,55,92 H

INDIGO, 107,253,357 303,307,309,334,357,402,406,408, individual key, 144-146, 192,200 410,428,429 induced, 33 Kama-siitra, 45 influence letter, 143,356 Kaplanski, N., 121 informal cipher, 277 Kappa, 206,288-295,298-306,311,315 Informatik (Deutsches Museum), VII - test, 302-306 information, mutual, 419 Kappa -Chi Theorem, 293,294 information theory, 218,426 Kappa -Phi Theorem, 294,295,314-316 -, axiomatic, 418-425 Kappa -Phi(u) Theorem, 313 inhomogenous linear substitution, 80,83 Kasiski, Friedrich W., 218,263,306,308, injective, 32,41 430 Inman, Bobby Ray, 30 , 306-312,316,326, in-phase adjustment, 342,343,357,412 332 Institute for Defense Analyses (I.D .A.), Katscher (code), 71 30, 31 Keen Harold ('Doc') 383 intermediary cryptotext, 326,337,359,363 Kenn'gruppe 151 ' invariance theorems, 223,258,259,261, Kepler, Joh~es, 97 . 290,292,296 Kerckhoffs, Auguste, 95,186, 196,225,263, Inverse alphabet, 45 308 332 335 336 342-344 402 430 involution, 45 Kerckhoffs', marlm' VII 196' , ~nvol.utory see self-reciprocal Kesselring, Albert, 355' IrratIonal numbers, 35 key distribution 40 200 irregular wheel movement, 129-133, 148 - escrow system' 202 ISBN (code), 73 _ generator 143 isomorphism, 41,107 - group 344-346 isomorphs, method of, 251-257 - phras~ 48 isopsephon, 36 - vocabtrtary 40 italic capitals for key characters, 40 key text, 41, i23 !TAR., 6,201 Kinsey, Alfred C., 8 IteratIon, 152-156,180-182 Kircher Athanasius 8 73 ~teration exponent, 180 Kirchh~fer, Kirk H.,' viI 1-Wurm, 144 kiss , 361 Jackel, Eberhard, 429, Klartextfunktion, 143, 149,356 JADE, 138 KL-7 CRYPTOGRAPH, 132, 133 Jager, Lieutenant, 65-66,187,231 Kliiber, J. L., 430b b jargon code, 14,16,24 knapsack problem, 185 Javanais, 20 knight's tour transcription, 91,92 je suis indechiffmble, 28 knock-cipher, 51 Jefferson, Thomas, 47,68-69,116-118, known plaintext attack, 412 196,197,213,222 known cryptotext attack, 412 Jeffery sheets, 381,383 Knox, Alfred Dillwyn ('Dilly'), 89,131, Jeffreys, John R. 
F., 381 251,373,381,382,411 Jensen, Willi, VI, 264, 303, 311,359,399 Koch, Hugo Alexander, 106 Jipp, August, 350 Koch, Ignaz Baron de, 68 IN-25 (code), 73 Koehl, Alexis, 64,157 Johnson, Brian, 5,109,351,353,429 Kolmogorov, Andrei Nikolaevich, 145 Johnson, Esther, 22 Komet (ship), 193 Josse, Henri, 430 Konheim,Alan G., V,241,263,429 Joyce, James, 36,229 Kom, Willi, 106,109,377 Julius Caesar, 47 Kowalewskaya, Sonja, 192 Kozaczuk, Wladyslaw, 371,373,376,429 Kaeding, F. W., 263,264,272 Kratzer, Uwe, 231 Kahn, David, V, 5, 9, 25, 64, 65, 66, 68, Krebs (ship), 192 77,91,105,115,123,124,125,128,130, Krivitsky, Walter [Samuel Ginsberg), 195 144,195-197,228,263,287,288,298, Krohn (code), 71 440 Index

Krug, Hansgeorg, 249,359 London Controlling Section (L.C.S.), Kruh, Louis, 108,110,194,253,384,386, 30,405 429 longeur de seriation, 157 KRUSA, 26, 75 Lonsdale, Gordon [Konon Molody], 9 Kryha, Alexander von, 129,136, Plate F LORENZ Schliisselzusatz SZ40/42, Kulissenverfahren, 64,157 53,143,149,305,350,353 Kullback, Solomon, 84,132, 136,269,290, Los Alamos, 52, 53 291,295,297,300 Louis ( code), 72 Kullback examination, 306,312-315,316 Louis XV, 16 317,318,326,384,417 lower case letters (plain characters), 40 Kulp, G. W., 299,300,312-315,316 Loyd, Sam, 91 Kunze, Werner, 84,136,144,249,359 'Luc', 371 Kiipfmiiller, Karl, 189,264 Lucan, Henno, 194 Kurzsignalbuch, 70,193 LUCIFER, 161,162 KWIC Index, 235,236 Ludendorff, Erich, 51,150,191 Ludwig II, 98 Lange, Andre, 40, 264, 268, 430 lug cage, 129 Langer, Gwido, 371,381 Langie, Andre, 8, 284, 430 M-94 ~ CSP 488, 75, 118, 121, 196,248, Langlotz, Erich, 144,359 325, Plate D largondu, -jem, -ji, 21 M-134-A (SIGMYK), 109,146 LARRABEE, 112, 116, 144 M-134-C ~ CSP 889 (SIGABA), 109,133, last character, 77 194 Latin square, 119, 120, 121, 248, 345 M-138, 119 M-138-A ~ CSP 845, 119,194,196,248, Lauenburg (ship), 193 'Law Enforcement Access Field' (LEAF), 250,257,325 203 M-138-T4, 119,Plate E M-209 ~ CSP 1500~ C 38, 76,119,129, L.C.S., 30,405 192,197,377,Plate H left-univalent, 32 M-228 (SIGCUM), 146 Legendre, Adrien-Marie, 177 M-325 (SIGFOY), 133 Leiberich, Otto. 405 Macbeth, James C. H., 73 Leibniz, Gottfried Wilhelm von 39,68,97 machine key period, 129,131,148,149, Leotard, Franl,;ois, 188 Mackensen telegram, 361 leveling of frequencies, 52,57,412 MacPhail, Malcolm, 89 Lever, Mavis, 413 MADAME X (003), 390 Levine, Isaac Don, 195 Maertens, Eberhard, 193,195 Levine, Jack, 60,235 MAGIC, 4 Lewin, Ronald, 225,429 Malik, Rex, 356 Lewinski, Richard (pseud.), 89 Mamert-Gallian (code), 71 Lewis Carroll [Charles Lutwidge Mandelbrot, Benoit, 270 Dodgson], 363 Mann, Paul August, VI Lieber (code), 71 Mantua, Herzog von, 43 Lindenfels, J. 
B., 430 map' grid, 39 Lindenmayer, Aristide, 141 Marconi (code), 73,74 linear substitution, 77,78,83,84 Marie Antoinette, 27,127 linear shift register, 139,396 masking, 13-16 -, reconstruction of a, 396-398 Massey, J. L., 168 LINOTYPE, 264 Matapan, 413 lipogram, 228,262 matching, 44,265,271,284 Lisicki, Tadeusz, 379 -, optimal, 271 literary English, 269 Matton, Pierre-Ernest, 188 lobster (Knox), 131 Matyas, S. M., 207,263,267,269,416,429 logic switching panel, 353 Mauborgne, Joseph 0., 84,118,121 ,144, logograms, 32 406 Lombard (code), 73 Maul, Michael, 312 Index 441 maximal length of message, 131,191,192 MULTIPLEX encryption step, 115,212, Mayer, Stefan, 381 215,248 maze, 11,12 multiplex systems, 117 Meader, Ralph, 393 multiplication, symbolic, 85,88, 158 Meaker, 0. Phelps, 263,272 multiplication modulo q, 85,88, Medical Greek, 91 multiplication of primes, 176 Meister, Aloys, 122,430 Miinchen (ship), 192 'Memex', 312 Murphy, Robert D., 66,189,198,231,249, Mendelsohn,Charles J., 115,406 409 menu, 385,387, Murray, Donald, 349 Menzies, Stewart Graham, 3,405 Murray, Joan, 382 'Mephisto Polka', 140 Myer, Albert J., 309,317,430 Mergenthaler,Ottmar, 263,264 MYK-78 (Mykotronx), 168 Mersenne prime, 139 Nabokov, Vladimir, 229 metaphor, 14 Napier, John Laird of Merchiston, 39 Meurling, Per, 54 National Bureau of Standards (U.S.), Meyer,C.H., 207,263,267,269,416,429 161,165 Meyer, Helmuth, 17 National Defense Research Committee, MI-8, 30,74 305 Mi-544 (Lorenz), 146 National Institute of Standards and M.I.1 (b), 30 Technology (N.I.S.T.), 168,184 M.1.6, 3,29,30,405 national security, 167 Micali, Silvio, 203 National Security Agency (N.S.A.), 132, microdot, 9 167,169,196,200,204,393,410 Michie, Donald, 305 NATO, 132 microprocessors, 88 Navy Cipher Box (NCB), 118 MIKE, 399 Nebel, Fritz, 51,150 Military Intelligence Code, 74 Neeb, Fritz, 406 Millikin, Donald D., 428 'need to know' doctrine, 405 Milner-Barry, Stuart, 89,199 NEMA, 109 Minocyclin, 98 NEPTUN, 415 Mirabeau, Honore 
Gabriel Riqueti Count Nero, Roman emperor, 36 of, 51,156,161 Newman, Maxwell Herman Alexander, Mirsky,L., 426 353 Mitchel, William J., 73 Newton, Isaac, 97 mixed alphabet, 44,47 Niethe (code), 72 mixed rows block transposition, 95,402 , 10,51,157 mixed rows columnar transposition, 95,402 Nihilist transposition, 95,402 mnemonic key see password Nilac (code), 72 modular transformation, 152,154,155 NKVD, 54,55 Monnier, Sophie Marquise de, 51,157 'no letter may represent itself', 197,239 monoalphabetic, 34,158 nomenclator, 66-68 monocyclic permutation, 46 non-carry binary addition, 126 monographic, 34 non-computable real numbers, 146 Montgomery, Bernard Law Viscount, 66, non-content words, 274 191,406 non-periodic, 34 Moorman, Frank, 66,191,406 Norris, William C., 393 Moreo, Juan de, 67 Noskwith, Rolf, 360 Morikawa, Hideya, 409 notch, 129-131,384 Morris, Christopher, 410 Notschliissel, 96 Morse, Marston, 140 Novopaschenny, Dr., 406 mot convenue, 16 null, 18,20,33,43,53,93, 190, 198, 259 Mullard EF 36, 354 - cipher, 18 Muller, Andre, 430 - text, 32 Miiller, Hans-Kurt, 249,359 Nuovo Cifrario Mengarini (code), 73

0-2, 119,248-250 Pearl Harbor, 17,18 Oberkommando der Wehrmacht (OKW) , Pendergrass, James T., 393 399 penetrazione squadra, 188,409 octogram, 125 pentagram, 39,53 octopartite simple substitution, 53 Pepys, Samuel, 8 Office of Strategic Services (OSS), 249, 405 Perec, Georges, 228 joffizierj, 151 perfect, 422 Ohaver, M. E., 157,309,430 period, period length, 138-140,212,314 O'Keenan, 10, 157 Perioden- und Phasensuchgerii.t, 303,311 OKW Cipher Branch, (Chi) 31,240,303, periodic, 34,298,306 311,339,359,372,388,405,408 permutation, 44 Olivary, Adolphe, 404 -, self-reciprocal, 44 Olivetti, 149 Pers Z, 359,399,405 OMALLEY, 306 PETER ROBINSON, 305 OMI, 109, 131 Peter the Great, 43 I-cycle, 45,239,240,374,378 Peterson's (code), 73 one-part code, 69,340 Phaistos, disc of, 25, Plate A one-time key, 144,145, 146 Phi, 295 one-time pad, -tape, 144, Plate 0 Phi-Test, 312-315 one-to-one function, 32,44 Philipp II of Spain, 67 one-way function, 173,174 photoelectric sensing, 312 OP-20-G, 30,305,312,392,393 picture encryption, 152, 156 open code, 9, 13,24 picture transmission, 426 open encryption key system, 170, 185 pig Latin, 21 open-letter cipher, 18 'pigpen' cipher, 43 Operational Intelligence Centre, 30 Piper, F., 429 ORANGE, 84, 136,359 placode, plain code, 338 order of a matrix, 138 plaintext, 31,34,41 order-preserving, 68,77 - vocabulary, 31 ostensibly secret messages, 29 plaintext attack, chosen, 412,413 Ottico Meccanica Italiana, 109 plaintext attack, derived, 413 overlay sheets, 303,304 plaintext attack, known, 412 plaintext-cryptotext compromise, 198, Painvin, Georges-Jean, 150,248,406 257,377,385-393,412 PA-K2-Chiffre, 97 plaintext-plaintext compromise, 187,198, palindrome, 90,91 342,351,361,402,411 pangram, 237,238 planned obsolescence, 26,73 Panizzardi, Alessandro, 187, 188 play on words, 99 Pannwitz, Erika, 249 'playback', 192 parallels see repetitions Playfair, Lyon Baron of St. 
Andrews, 26, Parallelstellensuchgerii.t, 303 61,62 Parkerism, 415 PLAYFAIR encryption step, 61-64,65, partition, 259,260,265-272 189,198,210,222,282,284,285,299 'passport control officers' (PCO), 3 plugboard, 46,89,107,108,109,150,251, password, 48,49,51,52,54,55,57,61, 382,383,388,414 102,112,116,117,186,227,282,331, 'pluggable' reflecting rotor, 108, 256 334,341,369,395,398 Poe, Edgar Allan, 5,43,285,286,299,307 -, reconstruction of, 340,341,369 Poincare, Henri, 152-153 Pastoure, 8 Pokorny, Hermann, 47,406 pastry dough mixing, 151 Polares (ship), 192 Patrick, J. N. H., 150 Polheim, Christopher, 52 Patronen-Geheimschrift, 92 Pollux, 157 pattern, 223-225 polyalphabetic encryption, 34,100,122, - finding method, 223-230,235-237,278, 128,140,212,239,298 412 Polybios square, 39,51,54,64,156,157 -, normal form of -8, 223 polygraphic, 34

- substitution, 56 reciphering, 149 polyphones, polyphony, 35-37, 48, 70, reciprocal pairs, 85,86-87 118,222,226,395 recovery exponent, 180,181 Poore, Ralph Spencer, 168 RED (code), 74,188 Porta, Giovanni Battista, 38,43,45,56, RED (machine), 84,136,359 114,115,123-125,127,186,189,190,191, redundancy, 218,251,426 231,306 reflecting rotor, 106,108 PORTA encryption step, 114, 142,239,242 reflection, 45,125 powers of a mixed alphabet, 48, 52,101,341 -, genuine, 45,46 Pratt, Fletcher, 274,430 reglette, 50 preamble, 372,378 regular matrix, 82,85 Pretty Good Privacy (PGP), 169,201 Reichling, Walter, 17 primary alphabet, 100,317,322,325,329, Reichsbahn, Deutsche, 108,342 330 Reichsluftfahrtministerium, 31 priming key, 141,143 Reichspost, Deutsche, 9,108 private key, 171 Rejewski, Marian, 2,371,373-375,377, probability, 270 381,382,385,427 probable word, 188,198,216,230,239, Remmert, Reinhold, 81 247,278,394,396,412 R.enyi, Alfred, 296,297,416 progressive encryption, 123,128,245 Renyi-a-entropy, 297 properly self-reciprocal, 45 Reparto crittogmfico, 230 protocol, 184,416 repetitions, 303,306-313,318,326,332 pseudo random keytext, 146,166,426 -, accidental, 308-311,332 Psi, 292-293,295 repetition pattern, 223-230 Ptydepe, 229 residual classes, 77 public cryptography, 5,6,185,207 reversed alphabet, 45,85,114 - key system, 5,29,170,172-177,185 reversal, 259,262 punched card machines, 248, 301-303, 339 reverses, 73, 274 punctuation, 37,277 Ribbentrop, Joachim von, 359,405 pure cipher, 148 Richelieu, Armand Jean du Plessis Duc pure cryptanalysis, 236,278, 282, 305, 353, de, 23,94 411-412,417 Riesel, Hans, 175,178 PURPLE, 4,137,414 right-univalent, 32 Pyry, 381 Ringelnatz, Joachim, 21 PYTHON, 306,392 ring setting, 109,371,377,380,383,386,388 Rittler, Franz, 229 Qalqashandi, 43 Rivest, Ronald L., 178,179 quasi-nonperiodic key, 127,128 Robinson, Ralph M., 139 quaternary cipher, 39 ROBINSON AND CLEAVER, 305 quinary cipher, 39 ROCKEX,146 Quine, Willard Van Orman, 2 Rogers, Henry, 71 
quinpartite simple substitution, 53 Rohrbach, Hans, VI, 2, 64,119,191,194, 207,248,249,322,399,406,408,410,415 radio call signal, 58 Rohrbach's maxim, 199,227,237,321, rail fence transposition, 92 332,361,395 raising to a power modulo q, 159, 177 Rohwer, Jiirgen, 108,429 Ramsey, Frank Plumpton, 427 Romanini, Ch. Vesin de, 263 Randell, Brian, VII, 429 Rommel, Erwin, 197,354,385,408,409 random key sequence, 426 Ronge, Max, 230,406 - text, 189, 190 Room40, 381 - variable, 419 Room 47 Foreign Office, 30 'Rapid Analytical Machine' (RAM), 306 Roosevelt, Franklin Delano, 9,74,119, RAPID SELECTOR, 312 195,198,392,409 RATTLER, 306,393 Rosen, Leo, 3,137,409,410 RC2, RC4, 167,169 Rossberg, Ehrhard, 350 rebus, 66 Rosser, Barkley, 2

Rossignol, Antoine, 68,69,196 Schroeppel, R., 175 rotated alphabets, 101,102,103 Schur, Issai, 427 Rothstein, J., 120 Schwab, Henri, 404 rotor, 105 scissors-and-paste method, 222, 399 -, 'fast' (rightmost), 130,252,253,384 scrambler (ENIGMA), 382,385-390 -, 'medimn' (middle), 130,252,255 'scrambling' (audio), 9 -, 'slow' (leftmost), 130 scritch, scritchmus, 252,256,393 -, reflecting, 106, 108 SD see Sicherheitsdienst ROTOR encryption step, 103-107, 148, secrecy, 25, 29 251,324 Secret Intelligence Service (S.I.S.), 30 rotor movement, regular, 128,129,131 secret marks, 13, 14 Rotscheidt, Wilhelm, 359 secret writing, covert, 8,24 rotwelsch, 14 -,masked, 13,16,18,24 route transcription, 91 -, overt, 8,24,25 row-column transcription, 91 -,veiled, 18,22,24 Rowlett, Frank, 109,132, 133, 136, 137 security check, 184,192 R6zicki, Jerzy, 371,377,381,384 self-reciprocal linear substitution, 79 REA method, 178-185 self-reciprocal matrix, 82,83 R.S.H.A. Amt VI, 58,59,405 self-reciprocal permutation, 44,45,46 R.S.H.A. 
radio observation post, 58 Selmer, Ernst S., 2 Rudolf Mosse (code), 73 semagram, 9,11,24 Rundstedt, Gerd von 355 senary cipher, 39 running key, 34,35,123,140 Service de Renseignements (2 bis ), 31 Russian copulation, 55,187,189,231 Servizio degli InJormazione Militare Russians, 26,55,188,195,201,250,410 (S.I.M.), 31,40 Ryska, N., 430 Sestri, Giovanni, 113 seven-letter code, 72 SA Cipher, 35, 70, 71 Shakespeare, William, 29 Sacco, Luigi, VI, 115, 122, 190, 197,207, Shamir, Adi, 167,178,179 230,263,264,406,430 (SHANN), 420 safe primes, 160, 182 Shannon, Claude Elwood, 2,25,26,143, Safford, Laurance, 3,4, 132 151-156,161,186,196,199,297,384, Saint-Cyr slide, 40,50,113 392,416,418-426 Salomaa, Arto, 173, 175, 176, 178,179,429 Shannon cryptosystem, 41,239,345,420 Sandherr, Jean, 187,188 Shannon entropy, 297,425 'saw-buck' principle, 303,305,353 Shannon's Main Theorem, 423 Satzbuch, 69, 75 Shannon's maxim, 28,29,132,141,151, S-box, 164-165,166 185,196,208,214,325,361,414 Schauffier, Rudolf, 144,359 Shaw, H. R., 11 Schellenberg, Walter, 9,31,58 shift number, 112 Scherbius, Arthur, 106 shifted alphabets, 101 shift register, 139 shorthand symbols, 32 - ,linear, 139,396 shrdlu, 264 Schilling von Cannstatt, Paul, 27,28 shredder, 144,192 Schleyer, Johann Martin, 336 Shulman, David, 430 Schliisselheft, 66,150 Sicherheitsdienst (SD), 31,63,377,413 Schliisselzusatz, 129,149,305,350,353, Siemens Geheimschreiber T 52, 53, 143, 354,355, Plate N 148,149,353,356 Schmidt, Arno, 29 SIGABA == M-134-C, 109,133,414 -, Hans-Thilo, 372,376,377 SIGFOY == M-325, 133 Schneickert, Hans, 430 SIGMYC == M-134-A, 109 Schnorr, Claus-Peter, 145,185 Signal Corps U.S. Army, 118,119 Schoeneberg, Bruno, 178 Signal Security Agency U.S. Army, 194 Scholz, Arnold, 178 Signals Intelligence Service (SIS), 30,301 Schott, Caspar, 8,114 signature, 172, 178, 184 Schroder, Georg, 406 SIGTOT, 119,126,146,250 Index 445

Simeone de Crema, 43,53 straddling, 33, 53-55 similarity transformation, 101,102,104 strategy of alignment, 328 simple linear substitution, 84 stream encryption,-cipher, 34,143 simple substitution, 42,43 STRETCH, 393 Sinkov, Abraham, 3,84,132,209,316,325, strip method, 221,222 328,364-370,428 Stripp, Alan, 406, 429 S.I.S. (Secret Intelligence Service), 30 stripping off superencryption, 302,337, S.I.S. (U.S. Army Signal Intelligence Ser- 359 vice), 390,392,399 Stuart, Mary, 67 Sittler, F. J., 72,150 Stummel, Ludwig, 193,195,360 Sittler (code), 72 'sturgeon', 148 SKIP JACK, 168,203 substitution, 18,42 skytale, 98 -, binary linear, 83 Slater (code), 73 -, bipartite digraphic, 57,58,59,64,150 slide, 50 -, bipartite simple, 51,64 slip-ring, 104 -,decomposed linear, 84 Small, Albert, 137 -, digraphic, 56,218 small capitals (crypto characters), 40 -, linear polygraphic, 77-83,147,152,211, smart card, 183 219,394 Smith, Francis O. J., 70 -, monocyclic simple, 46, 209 Smith, Laurence Dwight, 186,263,264, -, multipartite simple, 51, 151 268,428 -, polygraphic, 56,90,147,210,223 Smith, W. 
W., 284
Smith-Corona Co., 129
'snowfall', 55
Snyder, Samuel S., 137, 393
Solzhenitsyn, Alexander, 51
Sonderdienst Dahlem, 248, 250, 339, 405
Sora, Iacomo Boncampagni Duke of, 307
Sorge, Richard, 55
Soudart, E.-A., 40, 264, 268, 406, 430
Sperr-Ring, 109
Spezialvergleicher, 399
spreading of encryption errors, 143, 199
spoonerism, 91
Spruchschlüssel see text setting
-, chiffrierter, 372
spurt, 9
spy cipher, 54
squadra penetrazione, 188, 409
squaring modulo q, 177
standard alphabet, 44, 46, 77
Station X, 30
Steckerbrett, 46, 108
Steckerverbindung, 107
, 8, 23, 24
-, linguistic, 9, 23, 24
-, technical, 8, 9
Stein, Karl, VI, 388
Steinbrüggen, Ralf, 36
Steiner & Stern (code), 72
Steiner's theorem, 292
Stimson, Henry L., 134, 200, 409
Stirling's formula, 208
stochastic source, 260, 290, 293
Strachey, Oliver, 381
-, properly self-reciprocal simple, 45, 106, 209, 373, 377, 387, 388
-, self-reciprocal, 44
-, self-reciprocal linear, 79
-, simple, 42, 43, 147, 239, 259, 273
-, tripartite digraphic, 60
-, tripartite simple, 52
-, unipartite simple, 43, 147, 209
substitution à double clef, 124
- à triple clef, 125
substitution notation, 44
Suetonius, 47
suffixing, parasitic, 20
superencryption, --enciphering, 149, 338, 413
superimposition, 342-359, 361, 381, 402, 412
-, in-phase, 357-359, 383
SUPER ROBINSON, 305
SUPERSCRITCHER, 256, 257, 393
surjective, 32, 41
swap, 45
swapping of roles, 346, 361
Swift, Jonathan, 22, 98, 401
Swiss ENIGMA, 107
switchboard, 104
SYKO, 116
symbolic addition, 150
symmetric methods, 171
symmetric functions of frequencies, 171
symmetry of position, 332-337, 338, 343-344, 361
synthetic language, 189, 190
SZ 40, SZ 42, SZ 42a (Lorenz), 28, 143, 149, 305, 350, 353-355, Plate N
SZ3-92, 267, 273, 287
Szekeres, G., 427
T43 (Siemens), 149
T 52a, T 52b, T 52c, T 52d, T 52e (Siemens), 28, 143, 148-149, 353, 356
T-52, T-55 (Hagelin), 146
, 102, 111, 119-120, 123, 124, 128, 335, 369-370
- with permuted headline, 370
Tagesschlüssel, 371
Takagi, Shiro, 303
Tallmadge, Benjamin, 68
Tannenberg, battle of, 191, 415
Tartaglia, Niccolo, 417
Taunt, Derek, 256, 393
Technical Operations Division, 16
telegraphic English, 269
Telescand (code), 72
teletype code (;Z~), 349
ten-letter code, 39
ternary substitution, 52
TESSIE, 340
test register, 383, 387, 390
test texts for teletype lines, 238
tetragram, 34
tetragraphic substitution, 210, 218
text setting, 371, 372, 374, 378, 384, 386
theta series, 81
thieves' Latin, 14
Thomas, E. E., 195
Thompson, Eric, 207
'thrasher', 149
three-digit code, 67, 75
three-letter code, 71, 75
Thue, Axel, 140
Tibbals (Western Union) (code), 73
Tiltman, John H., 63, 342, 351, 352
tokumuhan, 31, 409
Tomash, Erwin, 393
tomographic methods, 63
Tompkins, Charles B., 393
Townsend, Robert, 68, 227
traffic padding, 189, 190
Tranow, Wilhelm, 406, 407, 408
transitive cryptosystem, 345
translation, 78
transposition, 23, 90, 94, 211, 216, 217, 219, 220, 222, 290, 292
-, block-, 94, 147, 399
-, double columnar, 26, 96, 214, 402
-, feigning a, 57
-, mixed-rows block-, 95, 96, 402
-, mixed-rows columnar, 95, 96, 156, 402
-, Nihilist, 95, 96
-, simple columnar, 94
transposition, double, 96
transposition double, 95, 96
trapdoor, 167, 174-177
- one-way functions, 174
'treble key', 125, 370
trellis cipher, 92
trench codes, 75, 399
Trevanion, Sir John, 8, 19
trifide, 34
trigram, 34
- coincidences, 300, 303
- frequencies, 273, 276
- repetitions, 311, 332
trigraphic substitution, 65, 210, 218
tripartite, 34
Trithemius, 8, 14-15, 38, 52, 111, 123, 125, 128, 141
TRITON (key), 392
'tunny', 149, 351, 353
Turing, Alan Mathison, 2, 89, 176, 208, 381-384, 385-390, 392, 411
Turing BOMBE, 150, 385, 388-393
turning grille, 92, 93
Turkel, Siegfried, 429
Tut Latin, 20
Tutte, William Thomas, 305, 352-353
'Twenty Committee', 14
Twinn, Peter, 89, 131
two-character differential, 73
2-cycle, 45, 374-376
two-part code, 69
two-part nomenclator, 69
TYPEX, 109, 131, 132, 414, Plate L
ubchi, 96
U-boat U-13, U-33, 193
U-boat U-110, 192, 193
U-boat U-559, 193, 361
U-boat U-570, 193
Uhr box, 414, Plate M
ULTRA, 4, 200
Umkehrwalze, 106
unambiguous, 32, 41
unauthorized decryption, 3, 31, 100, 186, 205ff., 410
uncertainty, 418
unicity distance, 98, 122, 215, 217-219, 228, 237, 286-287, 424-425
unipartite, 34, 43
Universal Trade Code, 134
UNIX, 174
Urfe, Madame d', 27
U.S. Intelligence Board (U.S.I.B.), 30
vacuum tube noise, 146
Valerio, P., 263, 340, 430
van der Waerden, Bartel Leendert, 427
van Wijngaarden, Adrian, 10
variante à l'allemande, 113
variant, 32, 33
variante de Richelieu, 94
Vatsayava, 45
Vaz Subtil (code), 71
Venona break, 146
Verlaine, Paul, 17
Verlan, 21
Vernam, Gilbert S., 126
VERNAM encryption step, 53, 12, 126, 139, 140, 144, 146, 149, 423
Verne, Jules, 92
vertically continued alphabets, 102, 104
Vesin de Romanini, Charles François, 430
Vetterlein, Kurt, 9
Viaris, Gaetan Henri Leon Marquis de, 28, 113, 117-120, 196, 243-248, 250, 263, 308, 430
Viète, François, 2, 67
Vigenere, Blaise de, 9, 112, 115, 124, 125, 141, 191
VIGENERE encryption step, 26, 28, 112, 124-126, 138-139, 143, 149-151, 170, 197, 210, 212, 213-215, 219, 245, 259, 290, 292, 296, 308, 317, 336, 346, 423
Vinay, Emile, 113
VIPER, 306, 392
Volapük, 336
Voltaire [François Marie Arouet], 406
vowel distances, 277
'vowel-solution method', 279
Wake and Kiska islands, 240
Wallis, John, 2, 68
Walzenlage, 108
Walter (code), 71
Wanderer-Werke, 129
WARLOCK, 306
War Station, 30
Washington, George, 68
Wasstrom, Sven, 116
Watt, Donald Cameron, 371
Weaver, Warren, 2, 297
Wehrmachtnachrichtenverbindungen Chiffrierwesen, 31, 350
Weierstraß, Karl, 192, 427
Weigel, Erhard, 39
'weight of evidence', 384, 417
Weiss, Georg, 430
Welchman, Gordon, 5, 89, 131, 194, 198, 371, 382, 383, 385, 388-391, 411, 414, 415, 429
Welchman BOMBE, 389, 390, 391
Wenger, Joseph N., 305-306, 392
Werftschlüssel, 361
West, Nigel (pseud.), 3
Wetterkurzschlüssel, 70
Wheatstone, Charles, 4, 26, 48, 61, 67, 128, 198, Plate C
wheel movement, regular, 128, 129, 131
wheel order see rotor order
Widman, Kjell-Ove, VII
Wiener, M. J., 183
Wiener, Norbert, 417
Wilkins, John, 8
Williams, H. C., 177
Williams, Sam B., 390
Wills, John, 71
Willson, Russell, 118
Wilson, Woodrow, 112, 415
Winkel, Brian J., V, 321
Winterbotham, Frederick W., 89, 200, 429
Witt, Ernst, VI, 322, 339
Wolseley, Lord Garnet J., 332
Women's Royal Naval Service, 151
Woodhall, Sam, 68, 227
word frequency, 274
word length frequency, 277
word spacing, 37, 179, 190, 198, 226, 227, 235, 274, 277
Wright, Ernest Vincent, 228
Wüsteney, Herbert, 149
Wylie, Shaun, 412
Wynn-Williams, C. E., 305
xB-Dienst see B-Dienst
X-ray crystallography, 417
Yardley, Herbert O., 30, 134, 135, 381, 406, 409, 410, 430
Zeichenvergleichslabyrinth, 303
Zemanek, Heinz, 264
Zentralstelle für das Chiffrierwesen (ZfCh), 31, 405
zero-knowledge proof, 416
003 (MADAME X), 390
Ziegenrücker, Joachim, 249
zig-zag method, 250, 345, 348
Zimmermann, Philip R., 169, 201, 207
Zimmermann telegram, 415
Zipf, George K., 270
Zuse, Konrad, 28, 353
Zygalski, Henryk, 150, 371, 377
Zygalski sheets, 380-383

Photo Credits

Kahn, David, The Codebreakers. Macmillan, New York 1967: Figs. 1, 4, 5, 10, 11, 12, 23, 30, 31, 33, 34, 35, 36, 37, 38, 40, 57
Smith, Laurence Dwight, Cryptography. Dover, New York 1955: Figs. 3, 16, 24, 53
Lange, André and E.-A. Soudart, Traité de cryptographie. Paris 1925: Fig. 26
Crypto AG, Zug, Switzerland: Figs. 48, 54, 55, 60, 61, 62, 64, 65, Plates L, O, P
Deavours, Cipher A. and Kruh, Louis, Machine Cryptography and Modern Cryptanalysis. Artech House, Dedham, MA 1985: Figs. 63, 66, 67, 68
Public Record Office, London: Fig. 143
FRA, Bromma, Sweden: Fig. 145
Deutsches Museum (Reinhard Krause), Munich, Germany: Plates A, B, C, D, F, G, I, K, N
CRAY Research, Munich, Germany: Plate Q
Russell, Francis, The Secret War. Time-Life Books, Chicago, IL 1981: Plates E, H, M
