Cryptanalysis of the Enigma

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Cryptanalysis of the Enigma enabled the western Allies in World War II to read substantial amounts of secret Morse-coded radio communications of the Axis powers that had been enciphered using Enigma machines. This yielded military intelligence which, along with that from other decrypted Axis radio and teleprinter transmissions, was given the codename Ultra. This was considered by western Supreme Allied Commander Dwight D. Eisenhower to have been "decisive" to the Allied victory.[1]

The Enigma machines were a family of portable cipher machines with rotor scramblers.[2] Good operating procedures, properly enforced, would have made the cipher unbreakable.[3][4] However, most of the German armed and secret services and civilian agencies that used Enigma employed poor procedures and it was these that allowed the cipher to be broken.

The German plugboard-equipped Enigma became the Third Reich's principal crypto-system. It was broken by the Polish General Staff's Cipher Bureau in December 1932—with the aid of French-supplied intelligence material that had been obtained from a German spy. Shortly before the outbreak of World War II, the Polish Cipher Bureau initiated the French and British into its Enigma-breaking techniques and technology at a conference held in Warsaw.

From this beginning, the British Government Code and Cypher School (GC&CS) at Bletchley Park built up an extensive cryptanalytic facility. Initially, the decryption was mainly of Luftwaffe and a few Army messages, as the German Navy employed much more secure procedures for using Enigma. Alan Turing, a Cambridge University mathematician and logician, provided much of the original thinking that led to the design of the cryptanalytical Bombe machines and the eventual breaking of naval Enigma. However, the German Navy introduced an Enigma version with a fourth rotor for its U-boats resulting in a prolonged period when these messages could not be decrypted. With the capture of relevant cipher keys and the use of much faster US Navy Bombes, regular, rapid reading of U-boat messages resumed.

General principles[edit]

Main article: Cryptanalysis

The Enigma machines produced a polyalphabetic substitution cipher. During World War I, inventors in several countries realized that a purely random key sequence, containing no repetitive pattern, would, in principle, make a polyalphabetic substitution cipher unbreakable.[5] This led to the development of rotor cipher machines which alter each character in the plaintext to produce the ciphertext, by means of a scrambler comprising a set of rotors that alter the electrical path from character to character, between the input device and the output device. This constant altering of the electrical pathway produces a very long period before the pattern—the key sequence or substitution alphabet—repeats.

Deciphering enciphered messages involves three stages, defined somewhat differently in that era than in modern cryptography.[6] Firstly, there is the identification of the system in use, in this case Enigma; secondly, breaking the system by establishing exactly how encryption takes place, and thirdly, setting, which involves finding the way that the machine was set up for an individual message, i.e. the message key.[7] Today, it is often assumed that an attacker knows how the encipherment process works and breaking specifically refers to finding a way to infer a particular key or message (see Kerckhoffs's principle). Enigma machines, however, had so many potential internal wiring states that reconstructing the machine, independent of particular settings, was a very difficult task.

The Enigma machines[edit]

The Enigma machine was used commercially from the early 1920s and was adopted by the militaries and governments of various countries—most famously, Nazi Germany.
A series of three rotors from an Enigma machine scrambler. When loaded in the machine, these rotors connect with the entry plate on the right and the reflector drum on the left.

The Enigma rotor cipher machine was potentially an excellent system. It generated a polyalphabetic substitution cipher, with a period before repetition of the substitution alphabet that was much longer than any message, or set of messages, sent with the same key.

A major weakness of the system, however, was that no letter could be enciphered to itself. This meant that some possible solutions could quickly be eliminated because of the same letter appearing in the same place in both the ciphertext and the putative piece of plaintext. Comparing the possible plaintext Keine besonderen Ereignisse (literally, "no special occurrences"—perhaps better translated as "nothing to report"), with a section of ciphertext, might produce the following:

Exclusion of some positions for the possible plaintext Keine besonderen Ereignisse
Ciphertext O H J Y P D O M Q N J C O S G A W H L E I H Y S O P J S M N U
Position 1 K E I N E B E S O N D E R E N E R E I G N I S S E
Position 2 K E I N E B E S O N D E R E N E R E I G N I S S E
Position 3 K E I N E B E S O N D E R E N E R E I G N I S S E
Positions 1 and 3 for the possible plaintext are impossible because of matching letters.

The red cells represent these crashes. Position 2 is a possibility.

Structure[edit]

The mechanism of the Enigma consisted of a keyboard connected to a battery and a current entry plate or wheel (German: Eintrittswalze), at the right hand end of the scrambler (usually via a plugboard in the military versions).[8] This contained a set of 26 contacts that made electrical connection with the set of 26 spring-loaded pins on the right hand rotor. The internal wiring of the core of each rotor provided an electrical pathway from the pins on one side to different connection points on the other. The left hand side of each rotor made electrical connection with the rotor to its left. The leftmost rotor then made contact with the reflector (German: Umkehrwalze). The reflector provided a set of thirteen paired connections to return the current back through the scrambler rotors, and eventually to the lampboard where a lamp under a letter was illuminated.[9]

Whenever a key on the keyboard was pressed, the stepping motion was actuated, moving the rightmost rotor on one position. Because it advanced with each key pressed it is sometimes called the fast rotor. When a notch on that rotor engaged with a pawl on the middle rotor, that too moved; and similarly with the leftmost ('slow') rotor.

There are a huge number of ways that the connections within each scrambler rotor—and between the entry plate and the keyboard or plugboard or lampboard—could be arranged. For the reflector plate there are fewer, but still a large number of options to its possible wirings.[10]

Each scrambler rotor could be set to any one of its 26 starting positions (any letter of the alphabet). For the Enigma machines with only three rotors, their sequence in the scrambler—which was known as the wheel order (WO) to Allied cryptanalysts—could be selected from the six that are possible.

Possible rotor sequences—also known as Wheel Order (WO)
Left Middle Right
I II III
I III II
II I III
II III I
III I II
III II I
The plugboard (Steckerbrett) was positioned at the front of the machine, below the keys. In the above photograph, two pairs of letters have been swapped (A↔J and S↔O). During World War II, ten leads were used, leaving only six letters 'unsteckered'.

Later Enigma models included an alphabet ring like a tyre around the core of each rotor. This could be set in any one of 26 positions in relation to the rotor's core. The ring contained one or more notches that engaged with a pawl that advanced the next rotor to the left.[11]

Later still, the three rotors for the scrambler were selected from a set of five or, in the case of the German Navy, eight rotors. The alphabet rings of rotors VI, VII and VIII contained two notches which, despite shortening the period of the substitution alphabet, made decryption more difficult.

Most military Enigmas also featured a plugboard (German: Steckerbrett). This altered the electrical pathway between the keyboard and the entry wheel of the scrambler and, in the opposite direction, between the scrambler and the lampboard. It did this by exchanging letters reciprocally, so that if A was plugged to G then pressing key A would lead to current entering the scrambler at the G position, and if G was pressed the current would enter at A. The same connections applied for the current on the way out to the lamp panel.

For an enemy to decipher German military Enigma messages required that the following were known.

Logical structure of the machine (unchanging)

  • The wiring between the keyboard (and lampboard) and the entry plate.
  • The wiring of each rotor.
  • The number and position(s) of turnover notches on the rings of the rotors.
  • The wiring of the reflectors.

Internal settings (usually changed less frequently than external settings)

  • The selection of rotors in use and their positions on the spindle (Walzenlage or "wheel order").
  • The positions of the alphabet ring in relation to the core of each rotor in use (Ringstellung or "ring settings").

External settings (usually changed more frequently than internal settings)

  • The plugboard connections (Steckerverbindungen or "stecker values").
  • The scrambler rotor positions at the start of enciphering the text of the message.

Security properties[edit]

The various Enigma models provided different levels of security. The presence of a plugboard (Steckerbrett) substantially increased the security of the encipherment. Each pair of letters that were connected together by a plugboard lead, were referred to as stecker partners, and the letters that remained unconnected were said to be self-steckered.[12] In general, the unsteckered Enigma was used for commercial and diplomatic traffic and could be broken relatively easily using hand methods, while attacking versions with a plugboard was much more difficult. The British read unsteckered Enigma messages sent during the Spanish Civil War,[13] and also some Italian naval traffic enciphered early in World War II.

The strength of the security of the ciphers that were produced by the Enigma machine was a product of the large numbers associated with the scrambling process.

  1. It produced a polyalphabetic substitution cipher with a period (16,900) that was many times the length of the longest message.
  2. The 3-rotor scrambler could be set in 26 × 26 × 26 = 17,576 ways, and the 4-rotor scrambler in 26 × 17,576 = 456,976 ways.
  3. With six leads on the plugboard, the number of ways that pairs of letters could be interchanged was 100,391,791,500 (100 billion)[14] and with ten leads, it was 150,738,274,937,250 (150 million, million).[15]

However, the way that Enigma was used by the Germans meant that, if the settings for one day (or whatever period was represented by each row of the setting sheet) were established, the rest of the messages for that network on that day could quickly be deciphered.[16]

The security of Enigma ciphers did have fundamental weaknesses that proved helpful to cryptanalysts.

  1. A letter could never be encrypted to itself, a consequence of the reflector.[17] This property was of great help in using cribs—short sections of plaintext thought to be somewhere in the ciphertext—and could be used to eliminate a crib in a particular position. For a possible location, if any letter in the crib matched a letter in the ciphertext at the same position, the location could be ruled out.[18] It was this feature that the British mathematician and logician Alan Turing exploited in designing the British bombe.
  2. The plugboard connections were reciprocal, so that if A was plugged to N, then N likewise became A. It was this property that led mathematician Gordon Welchman at Bletchley Park to propose that a diagonal board be introduced into the bombe, substantially reducing the number of incorrect rotor settings that the bombes found.[19]
  3. The notches in the alphabet rings of rotors I to V were in different positions, which helped cryptanalysts to work out the wheel order by observing when the middle rotor was turned over by the right-hand rotor.[20]
  4. There were substantial weaknesses, in both policies and practice, in the way that Enigma was used (see 'Operating shortcomings' below).

Key setting[edit]

Enigma featured the major operational convenience of being symmetrical (or self-inverse). This meant that decipherment worked in the same way as encipherment, so that when the ciphertext was typed in, the sequence of lamps that lit yielded the plaintext.

Identical setting of the machines at the transmitting and receiving ends was achieved by key setting procedures. These varied from time to time and across different networks. They consisted of setting sheets in a codebook.[21][22] which were distributed to all users of a network, and were changed regularly. The message key was transmitted in an indicator[23] as part of the message preamble. Confusingly, the word key was also used at Bletchley Park to describe the network that used the same Enigma setting sheets. Initially these were recorded using coloured pencils and were given the names red, light blue etc., and later the names of birds such as kestrel.[24] During World War II the settings for most networks lasted for 24 hours, although towards the end of the war, some were changed more frequently.[25] The sheets had columns specifying, for each day of the month, the rotors to be used and their positions, the ring positions and the plugboard connections. For security, the dates were in reverse chronological order down the page, so that each row could be cut off and destroyed when it was finished with.[26]

The top part of an early setting sheet looked something like this[27]
Datum [Date] Walzenlage [Rotors] Ringstellung [Ring settings] Steckerverbindungen
[Plugboard settings]
Grundstellung
[Initial rotor settings]
31 I II III W N M HK CN IO FY JM LW RAO
30 III I II C K U CK IZ QT NP JY GW VQN
29 II III I B H N FR LY OX IT BM GJ XIO

Up until 15 September 1938,[28] the transmitting operator indicated to the receiving operator(s) how to set their rotors, by choosing a three letter message key (the key specific to that message) and enciphering it twice using the specified initial ring positions (the Grundstellung). The resultant 6-letter indicator, was then transmitted before the enciphered text of the message.[29] Suppose that the specified Grundstellung was RAO, and the chosen 3-letter message key was IHL, the operator would set the rotors to RAO and encipher IHL twice. The resultant ciphertext, say OTUNSD, would be transmitted, followed by the message enciphered using message key IHL. The receiving operator would use the specified Grundstellung RAO to decipher the first six letters, yielding IHLIHL. The receiving operator, seeing the repeated message key would know that there had been no corruption and use IHL to decipher the message.

The weakness in this indicator procedure came from two factors. First, use of a global Grundstellung —this was changed in September 1938 so that the operator selected his initial position to encrypt the message key, and sent the initial position in clear followed by the enciphered message key. The second problem was the repetition of message key within the indicator, which was a serious security flaw.[30] The message setting was encoded twice, resulting in a relation between first and fourth, second and fifth, and third and sixth character. This security problem enabled the Polish Cipher Bureau to break into the pre-war Enigma system as early as 1932. On 1 May 1940 the Germans changed the procedures to encipher the message key only once.

British efforts[edit]

In 1927, the UK openly purchased a commercial Enigma. Its operation was analysed and reported. Although a leading British cryptographer, Dilly Knox (a veteran of World War I and the cryptanalytical activities of the Royal Navy's Room 40), worked on decipherment he had only the messages he generated himself to practice with. After Germany supplied modified commercial machines to the Nationalist side in the Spanish Civil War, and with the Italian Navy (who were also aiding the Nationalists) using a version of the commercial Enigma that did not have a plugboard, Britain could intercept the radio broadcast messages. In April 1937[31] Knox made his first decryption of an Enigma encryption using a technique that he called buttoning up to discover the rotor wirings[32] and another that he called rodding to break messages.[33] This relied heavily on cribs and on a crossword-solver's expertise in Italian, as it yielded a limited number of spaced-out letters at a time.

Britain had no access to the messages broadcast by Germany which were using the military Enigma machine.[34]

Polish breakthrough[edit]

Main article: Polish Cipher Bureau
Marian Rejewski about 1932, when he first broke Enigma

In the 1920s the German military began using a 3-rotor Enigma, whose security was increased in 1930 by the addition of a plugboard.[35] The Polish Cipher Bureau sought to break it due to the increasing threat that Poland faced from Germany. On 1 September 1932, a 27-year-old Polish mathematician, Marian Rejewski, joined the Bureau along with two fellow Poznań University mathematics graduates, Henryk Zygalski and Jerzy Różycki.[36] Their first task was to solve the logical structure of the military Enigma, which differed from the commercial version.

In December 1932, the Bureau received from Gustave Bertrand of French Military Intelligence, two German documents and two pages of Enigma daily keys[37] which had been obtained by the French from an agent who worked at Germany's Cipher Office in Berlin, Hans-Thilo Schmidt.[38] This material enabled Rejewski to achieve "one of the most important breakthroughs in cryptologic history"[39] by using the theory of permutations and groups to work out the Enigma scrambler wiring.[40][41]

Rejewski found that the connections between the military Enigma's keyboard and the entry ring were not, as in the commercial Enigma, in the order of the keys on a German typewriter. He made an inspired correct guess that it was in alphabetical order. Britain's Dilly Knox was astonished when he learned, in July 1939, that the arrangement was so simple.[42][43] Having worked out the logical structure of the machine, Rejewski had replicas made, which he called 'Enigma doubles'.

Rejewski's characteristics method[edit]

Marian Rejewski quickly spotted the Germans' major procedural weakness of specifying a single indicator setting (Grundstellung) for all messages on a network for a day, and repeating the operator's chosen message key in the enciphered 6-letter indicator. This helped him to work out the rotor wirings[44] In the above example of OTUNSD being the enciphered indicator, it is known that the first letter O and the fourth letter N represent the same letter, enciphered three positions apart in the scrambler sequence. Similarly with T and S in the second and fifth positions, and U and D in the third and sixth. Rejewski exploited this fact by collecting a sufficient set of messages enciphered with the same indicator setting, and assembling three tables for the 1,4, the 2,5, and the 3,6 pairings. Each of these might look something like the following:

First letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Fourth letter X F E A R B S L H Q I G C V D Z W K M N J U O Y T P

A path from one first letter to the corresponding fourth letter, then from that letter as the first letter to its corresponding fourth letter, and so on until the first letter recurs, traces out a cycle group.[45] The above table contains four cycle groups.

Cycle group starting at A (12 links) (A, X, Y, T, N, V, U, J, Q, W, O, D, A)
Cycle group starting at B (2 links) (B, F, B)
Cycle group starting at C (10 links) (C, E, R, K, I, H, L, G, S, M, C)
Cycle group starting at P (2 links) (P, Z, P)
Cyclometer, devised in the mid-1930s by Rejewski to catalog the cycle structure of Enigma permutations. 1: Rotor lid closed, 2: Rotor lid open, 3: Rheostat, 4: Glowlamps, 5: Switches, 6: Letters.

Rejewski realised that, although the letters in these cycle groups were changed by the plugboard, their patterns—in this example, four groups with 12, 10, 2 and 2 links—were not. He described this as the characteristic of the indicator setting. This reduced the number of possibilities for the indicator setting from 10,000 trillion to 105,456.[46] The Poles therefore set about creating a card catalog of these cycle patterns.[47]

Rejewski, in 1934 or 1935, devised a machine to facilitate this task, called a cyclometer. This "comprised two sets of rotors... connected by wires through which electric current could run. Rotor N in the second set was three letters out of phase with respect to rotor N in the first set, whereas rotors L and M in the second set were always set the same way as rotors L and M in the first set".[48] Preparation of this catalog, using the cyclometer, was, said Rejewski, "laborious and took over a year, but when it was ready, obtaining daily keys was a question of [some fifteen] minutes".[49]

However, on 1 November 1937, the Germans changed the Enigma reflector, necessitating the production of a new catalog—"a task which [says Rejewski] consumed, on account of our greater experience, probably somewhat less than a year's time".[49]

This characteristics method stopped working for German naval Enigma messages on 1 May 1937, when the indicator procedure was changed to one involving special codebooks (see German Navy 3-rotor Enigma below).[50] Worse still, on 15 September 1938 it stopped working for German army and air force messages because operators were then required to choose their own indicator setting for each message.

Perforated sheets[edit]

Main article: Zygalski sheets

Although the characteristics method no longer worked, the inclusion of the enciphered message key twice gave rise to a phenomenon that the cryptanalyst Henryk Zygalski was able to exploit. Sometimes (about one message in eight) one of the repeated letters in the message key enciphered to the same letter on both occasions. These occurrences were called samiczki[51] (in English, females—a term later used at Bletchley Park).[52][53]

Only a limited number of scrambler settings would give rise to females, and these would have been identifiable from the card catalog. If the first six letters of the ciphertext were SZVSIK, this would be termed a 1-4 female; if WHOEHS, a 2-5 female; and if ASWCRW, a 3-6 female. The method was called Netz (from Netzverfahren, "net method"), or the Zygalski sheet method as it used perforated sheets that he devised, although at Bletchley Park Zygalski's name was not used for security reasons.[54] About ten females from a day's messages were required for success.

There was a set of 26 of these sheets for each of the six possible sequences wheel orders. Each sheet was for the left (slowest-moving) rotor. The 51×51 matrices on the sheets represented the 676 possible starting positions of the middle and right rotors. The sheets contained about 1000 holes in the positions in which a female could occur.[55] The set of sheets for that day's messages would be appropriately positioned on top of each other in the perforated sheets apparatus. Rejewski wrote about how the device was operated:

When the sheets were superposed and moved in the proper sequence and the proper manner with respect to each other, in accordance with a strictly defined program, the number of visible apertures gradually decreased. And, if a sufficient quantity of data was available, there finally remained a single aperture, probably corresponding to the right case, that is, to the solution. From the position of the aperture one could calculate the order of the rotors, the setting of their rings, and, by comparing the letters of the cipher keys with the letters in the machine, likewise permutation S; in other words, the entire cipher key.[56]

The holes in the sheets were painstakingly cut with razor blades and in the three months before the next major setback, the sets of sheets for only two of the possible six wheel orders had been produced.[57]

Polish bomba[edit]

Main article: Bomba (cryptography)

After Rejewski's characteristics method became useless, he invented an electro-mechanical device that was dubbed the bomba kryptologiczna or cryptologic bomb.[58] Each machine contained six sets of Enigma rotors for the six positions of the repeated three-letter key. Like the Zygalski sheet method, the bomba relied on the occurrence of females, but required only three instead of about ten for the sheet method. Six bomby[59] were constructed, one for each of the then possible wheel orders. Each bomba conducted an exhaustive (brute-force) analysis of the 17,576[60] possible message keys.

Rejewski has written about the device:

The bomb method, invented in the autumn of 1938, consisted largely in the automation and acceleration of the process of reconstructing daily keys. Each cryptologic bomb (six were built in Warsaw for the Cipher Bureau before September 1939) essentially constituted an electrically powered aggregate of six Enigmas. It took the place of about one hundred workers and shortened the time for obtaining a key to about two hours.[61]

Major setback[edit]

On 15 December 1938, the German Army increased the complexity of Enigma enciphering by introducing two additional rotors (IV and V). This increased the number of possible wheel orders from 6 to 60.[62] The Poles could then read only the small minority of messages that used neither of the two new rotors. They did not have the resources to commission 54 more bombs or produce 58 sets of Zygalski sheets. Other Enigma users received the two new rotors at the same time. However, until 1 July 1939 the Sicherheitsdienst (SD)—the intelligence agency of the SS and the Nazi Party—continued to use its machines in the old way with the same indicator setting for all messages. This allowed Rejewski to reuse his previous method, and by about the turn of the year he had worked out the wirings of the two new rotors.[62] On 1 January 1939, the Germans increased the number of plugboard connections from between five and eight to between seven and ten, which made other methods of decryption even more difficult.[49]

Rejewski wrote, in a 1979 critique of appendix 1, volume 1 (1979), of the official history of British Intelligence in the Second World War:

we quickly found the [wirings] within the [new rotors], but [their] introduction ... raised the number of possible sequences of [rotors] from 6 to 60 ... and hence also raised tenfold the work of finding the keys. Thus the change was not qualitative but quantitative. We would have had to markedly increase the personnel to operate the bombs, to produce the perforated sheets ... and to manipulate the sheets.[63][64]

World War II[edit]

Italian naval Enigma[edit]

In 1940 Dilly Knox wanted to establish whether the Italian Navy were still using the same system that he had cracked during the Spanish Civil War; he instructed his assistants to use rodding to see whether the crib PERX (per being Italian for "for" and X being used to indicate a space between words) worked for the first part of the message. After three months there was no success, but Mavis Lever, a 19-year-old student, found that rodding produced PERS for the first four letters of one message. She then (against orders) tried beyond this and obtained PERSONALE (Italian for "personal"). This confirmed that the Italians were indeed using the same machines and procedures.[33]

The subsequent breaking of Italian naval Enigma ciphers led to substantial Allied successes. The cipher-breaking was disguised by sending a reconnaissance aircraft to the known location of a warship before attacking it, so that the Italians assumed that this was how they had been discovered. The Royal Navy's victory at the Battle of Cape Matapan in March 1941 was considerably helped by Ultra intelligence obtained from Italian naval Enigma signals.

Polish disclosures[edit]

As the likelihood of war increased in 1939, Britain and France pledged support for Poland in the event of action that threatened her independence.[65] In April, Germany withdrew from the German-Polish Non-Aggression Pact of January 1934. The Polish General Staff, realizing what was likely to happen, decided to share their work on Enigma decryption with their western allies. Marian Rejewski later wrote:

[I]t was not [as Harry Hinsley suggested, cryptological] difficulties of ours that prompted us to work with the British and French, but only the deteriorating political situation. If we had had no difficulties at all we would still, or even the more so, have shared our achievements with our allies as our contribution to the struggle against Germany.[63][66]

At a conference near Warsaw on 26 and 27 July 1939, the Poles revealed to the French and British that they had broken Enigma and pledged to give each a Polish-reconstructed Enigma, along with details of their Enigma-solving techniques and equipment, including Zygalski's perforated sheets and Rejewski's cryptologic bomb.[67] In return, the British pledged to prepare two full sets of Zygalski sheets for all 60 possible wheel orders.[68] Dilly Knox was a member of the British delegation. He commented on the fragility of the Polish system's reliance on the repetition in the indicator because it might, "at any moment be cancelled".[69] In August two Polish Enigma doubles were sent to Paris, whence Gustave Bertrand sent one to London, handing it to Stewart Menzies of Britain's Secret Intelligence Service at Victoria Station.[70]

Gordon Welchman, who became head of Hut 6 at Bletchley Park, wrote:

Hut 6 Ultra would never have gotten off the ground if we had not learned from the Poles, in the nick of time, the details both of the German military version of the commercial Enigma machine, and of the operating procedures that were in use.[71]

Peter Calvocoressi, who became head of the Luftwaffe section in Hut 3, wrote of the Polish contribution:

The one moot point is—how valuable? According to the best qualified judges it accelerated the breaking of Enigma by perhaps a year. The British did not adopt Polish techniques but they were enlightened by them.[72]

PC Bruno[edit]

Main article: PC Bruno

On 17 September 1939, as the Soviet Army invaded eastern Poland, Cipher Bureau personnel crossed their country's southeastern border into Romania. They eventually made their way to France, and on 20 October 1939, at PC Bruno outside Paris, the Polish cryptanalists resumed work on German Enigma ciphers in collaboration with Bletchley Park.[73]

PC Bruno and Bletchley Park worked together closely, communicating via a telegraph line secured by the use of Enigma doubles. In January 1940 Alan Turing spent several days at PC Bruno conferring with his Polish colleagues. He had brought the Poles a full set of Zygalski sheets that had been punched at Bletchley Park by John Jeffreys using Polish-supplied information, and on 17 January 1940, the Poles made the first break into wartime Enigma traffic—that from 28 October 1939.[74] From that time, until the Fall of France in June 1940, 17 percent of the Enigma keys that were found by the allies, were solved at PC Bruno.[75]

The Germans, just before opening their 10 May 1940 offensive against the Low countries in their thrust towards France, had made the feared change in the indicator procedure, discontinuing the duplication of the enciphered message key. This meant that the Zygalski sheet method no longer worked.[76][77] Instead, the cryptanalysts had to rely on exploiting the operator weaknesses described below, particularly the cillies and the Herivel tip.

After the June Franco-German armistice, the Polish cryptological team resumed work in France's southern Free Zone, although probably not on Enigma.[78] Marian Rejewski and Henryk Zygalski, after many travails, perilous journeys and Spanish imprisonment, finally made it to Britain,[79] where they were inducted into the Polish Army and put to work breaking German SS and SD hand ciphers at a Polish signals facility in Boxmoor. Due to their having been in occupied France, it was thought too risky to invite them to work at Bletchley Park.[80]

After the German occupation of Vichy France, several of those who had worked at PC Bruno were captured by the Germans. Despite the dire circumstances in which some of them were held, none betrayed the secret of Enigma's decryption.[81]

Operating shortcomings[edit]

Apart from some less-than-ideal inherent characteristics of the Enigma, in practice the machine's greatest weakness was the way that it was used. The basic principle of this sort of enciphering machine is that it should deliver a very long stream of transformations that are difficult for a cryptanalyst to predict. Some of the instructions to operators, however, and their sloppy habits, had the opposite effect. Without these operating shortcomings, Enigma would, almost certainly, not have been broken.[82]

The set of shortcomings that the Polish cryptanalysts exploited to such great effect included the following:

  • Producing an early Enigma training manual containing an example of plaintext and its genuine ciphertext, together with the relevant message key. When Rejewski was given this in December 1932, it "made [his reconstruction of the Enigma machine] somewhat easier".[76]
  • Repetition of the message key as described in early indicator procedures, above. (This helped in Rejewski's solving Enigma's wiring in 1932, and was continued until May 1940.)
  • Repeatedly using the same stereotypical expressions in messages, an early example of what Bletchley Park would later term cribs. Rejewski wrote that "... we relied on the fact that the greater number of messages began with the letters ANX—German for "to", followed by X as a spacer".[83]
  • The use of easily guessed keys such as AAA or BBB, or sequences that reflected the layout of the Enigma keyboard, such as "three [typing] keys that stand next to each other [o]r diagonally [from each other]..."[84] Sometimes, with multi-part messages, the operator would not enter a key for a subsequent part of a message, merely leaving the rotors as they were at the end of the previous part, to become the message key for the next part.[85] At Bletchley Park such occurrences were called cillies.[86][87] Cillies in the operation of the four-rotor Abwehr Enigma included four-letter names and German obscenities.
  • Having only three different rotors for the three positions in the scrambler. (This continued until December 1938, when it was increased to five and then eight for naval traffic in 1940.)
  • Using only six plugboard leads, leaving 14 letters unsteckered. (This continued until January 1939 when the number of leads was increased, leaving only a small number of letters unsteckered.)

Other useful shortcomings that were discovered by the British and later the American cryptanalysts included the following, many of which depended on frequent breaking of a particular network:

  • The practice of re-transmitting a message in an identical, or near-identical, form on different cipher networks. If a message was transmitted using both a low-level cipher that Bletchley Park broke by hand, and Enigma, the decrypt provided an excellent crib for Enigma decipherment.[88]
  • For machines where there was a choice of more rotors than there were slots for them, a rule on some networks stipulated that no rotor should be in the same slot in the scrambler as it had been for the immediately preceding configuration. This reduced the number of wheel orders that had to be tried.[89]
  • Not allowing a wheel order to be repeated on a monthly setting sheet. This meant that when the keys were being found on a regular basis, economies in excluding possible wheel orders could be made.[90]
  • The stipulation, for Air Force operators, that no letter should be connected on the plugboard to its neighbour in the alphabet. This reduced the problem of identifying the plugboard connections and was automated in some Bombes with a Consecutive Stecker Knock-Out (CKSO) device.[91]
  • The sloppy practice that John Herivel anticipated soon after his arrival at Bletchley Park in January 1940. He thought about the practical actions that an Enigma operator would have to make, and the short cuts he might employ. He thought that, after setting the alphabet rings to the prescribed setting, and closing the lid, the operator might not turn the rotors by more than a few places in selecting the first part of the indicator. Initially this did not seem to be the case, but after the changes of May 1940, what became known as the Herivel tip proved to be most useful.[86][92][93]
  • The practice of re-using some of the columns of wheel orders, ring settings or plugboard connections from previous months. The resulting analytical short-cut was christened at Bletchley Park Parkerismus after Reg Parker, who had, through his meticulous record-keeping, spotted this phenomenon.[94]
  • The re-use of a permutation in the German Air Force METEO code as the Enigma stecker permutation for the day.[95]

Mavis Lever, a member of Dilly Knox's team, recalled an occasion when there was an extraordinary message.

The one snag with Enigma of course is the fact that if you press A, you can get every other letter but A. I picked up this message and—one was so used to looking at things and making instant decisions—I thought: 'Something's gone. What has this chap done. There is not a single L in this message.'

My chap had been told to send out a dummy message and he had just had a fag [cigarette] and pressed the last key on the keyboard, the L. So that was the only letter that didn't come out. We had got the biggest crib we ever had, the encypherment was LLLL, right through the message and that gave us the new wiring for the wheel [rotor]. That's the sort of thing we were trained to do. Instinctively look for something that had gone wrong or someone who had done something silly and torn up the rule book.[96]

Postwar debriefings of German cryptographic specialists, conducted as part of project TICOM, tend to support the view that the Germans were well aware that Enigma was theoretically breakable, but felt that the resources required to mount a pure brute-force attack on it would be impracticable. To the war's end, the Germans continued making improvements to the system, though they considered it to be, for all practical purposes, unbreakable.

Crib-based decryption[edit]

The term crib was used at Bletchley Park to denote any known plaintext or suspected plaintext at some point in an enciphered message.

Britain's Government Code and Cipher School (GC&CS), before its move to Bletchley Park, had realised the value of recruiting mathematicians and logicians to work in codebreaking teams. Alan Turing, a Cambridge University mathematician with an interest in cryptology and in machines for implementing logical operations—and who was regarded by many as a genius—had started work for GC&CS on a part-time basis from about the time of the Munich Crisis in 1938.[97] Gordon Welchman, another Cambridge mathematician, had also received initial training in 1938,[98] and they both reported to Bletchley Park on 4 September 1939, the day after Britain declared war on Germany.

Most of the Polish success had relied on the repetition within the indicator. But as soon as Turing moved to Bletchley Park—where he initially joined Dilly Knox in the research section—he set about seeking methods that did not rely on this weakness, as they correctly anticipated that the German Army and Air Force might follow the German Navy in improving their indicator system.

The Poles had used an early form of crib-based decryption in the days when only six leads were used on the plugboard.[50] The technique became known as the Forty Weepy Weepy method for the following reason. When a message was a continuation of a previous one, the plaintext would start with FORT (from Fortsetzung, meaning "continuation") followed by the time of the first message given twice bracketed by the letter Y. At this time numerals were represented by the letters on the top row of the Enigma keyboard. So, "continuation of message sent at 2330" was represented as FORTYWEEPYYWEEPY.

Top row of the Enigma keyboard and the numerals they represented
Q W E R T Z U I O
1 2 3 4 5 6 7 8 9
(Zero was represented by P)

Cribs were fundamental to the British approach to breaking Enigma, but guessing the plaintext for a message was a highly skilled business. So in 1940 Stuart Milner-Barry set up a special Crib Room in Hut 8.[99][100]

Foremost amongst the knowledge needed for identifying cribs was the text of previous decrypts. Bletchley Park maintained detailed indexes[101] of message preambles, of every person, of every ship, of every unit, of every weapon, of every technical term and of repeated phrases such as forms of address and other German military jargon.[102] For each message the traffic analysis recorded the radio frequency, the date and time of intercept, and the preamble—which contained the network-identifying discriminant, the time of origin of the message, the callsign of the originating and receiving stations, and the indicator setting. This allowed cross referencing of a new message with a previous one.[103] Thus, as Derek Taunt, another Cambridge mathematician-cryptanalyst wrote, the truism that "nothing succeeds like success" is particularly apposite here.[90]

Stereotypical messages included Keine besonderen Ereignisse (literally, "no special occurrences"—perhaps better translated as "nothing to report"),[104] An die Gruppe ("to the group") [105] and a number that came from weather stations such as weub null seqs null null ("weather survey 0600"). This was actually rendered as WEUBYYNULLSEQSNULLNULL. The word WEUB being short for wetteruebersicht, YY was used as a separator and SEQS was common abbreviation of sechs ("six").[106] Field Marshal Erwin Rommel's Quartermaster started all of his messages to his commander with the same formal introduction.[107]

With a combination of probable plaintext fragment and the fact that no letter could be enciphered as itself, a corresponding ciphertext fragment could often be tested by trying every possible alignment of the crib against the ciphertext, a procedure known as crib-dragging. This, however, was only one aspect of the processes of breaking a key. Derek Taunt has written that the three cardinal personal qualities that were in demand for cryptanalysis were (1) a creative imagination, (2) a well-developed critical faculty, and (3) a habit of meticulousness.[108] Skill at solving crossword puzzles was famously tested in recruiting some cryptanalysts. This was useful in working out plugboard settings when a possible solution was being examined. For example, if the crib was the word WETTER (German for "weather") and a possible decrypt before the plugboard settings had been discovered, was TEWWER, it is easy to see that T with W are stecker partners.[109] These examples, although illustrative of the principles, greatly over-simplify the cryptanalysts' tasks.

A fruitful source of cribs was re-encipherments of messages that had previously been decrypted either from a lower-level manual cipher or from another Enigma network.[110] This was called a kiss and happened particularly with German naval messages being sent in the dockyard cipher and repeated verbatim in an Enigma cipher. One German agent in Britain, code named Treasure, who had been turned to work for the Allies, was very verbose in her messages back to Germany, which were then re-transmitted on the Abwehr Enigma network. She was kept going by MI5 because this provided long cribs, not because of her usefulness as an agent to feed incorrect information to the Abwehr.[111]

Occasionally, when there was a particularly urgent need to break German naval Enigma, such as when an Arctic convoy was about to depart, mines would be laid by the RAF in a defined position, whose grid reference in the German naval system did not contain any of the words (such as sechs or sieben) for which abbreviations or alternatives were sometimes used.[112] The warning message about the mines and then the "all clear" message, would be transmitted both using the dockyard cipher and the U-boat Enigma network. This process of planting a crib was called gardening.[113]

Although cillies were not actually cribs, the chit-chat in clear that Enigma operators indulged in amongst themselves, often gave a clue as to the cillies that they might generate.[114]

When a captured, interrogated German Enigma operator revealed that they had been instructed to encipher numbers by spelling them out rather than using the top row of the keyboard, Alan Turing reviewed decrypted messages and determined that the word eins ("one") appeared in 90% of messages. He automated the crib process, creating the Eins Catalogue, which assumed that eins was encoded at all positions in the plaintext. The catalogue included every possible rotor position for EINS with that day's wheel order and plugboard connections.

British bombe[edit]

Main article: Bombe

The British bombe was an electromechanical device designed by Alan Turing soon after he arrived at Bletchley Park in September 1939. Harold "Doc" Keen of the British Tabulating Machine Company (BTM) in Letchworth (35 kilometres (22 mi) from Bletchley) was the engineer who turned Turing's ideas into a working machine—under the codename CANTAB.[115] Turing's specification developed the ideas of the Poles' bomba kryptologiczna but was designed for the much more general crib-based decryption.

The bombe helped to identify the wheel order, the initial positions of the rotor cores, and the stecker partner of a specified letter. This was achieved by examining all 17,576 possible scrambler positions for a set of wheel orders on a comparison between a crib and the ciphertext, so as to eliminate possibilities that contradicted the Enigma's known characteristics. In the words of Gordon Welchman "the task of the bombe was simply to reduce the assumptions of wheel order and scrambler positions that required 'further analysis' to a manageable number."[100]

The working rebuilt bombe at Bletchley Park museum. Each of the rotating drums simulates the action of an Enigma rotor. There are 36 Enigma-equivalents and, on the right hand end of the middle row, three indicator drums.

The demountable drums on the front of the bombe were wired identically to the connections made by Enigma's different rotors. Unlike them, however, the input and output contacts for the left-hand and the right-hand sides were separate, making 104 contacts between each drum and the rest of the machine.[116] This allowed a set of scramblers to be connected in series by means of 26-way cables. Electrical connections between the rotating drums' wiring and the rear plugboard were by means of metal brushes. When the bombe detected a scrambler position with no contradictions, it stopped and the operator would note the position before restarting it.

Although Welchman had been given the task of studying Enigma traffic callsigns and discriminants, he knew from Turing about the bombe design and early in 1940, before the first pre-production bombe was delivered, he showed him an idea to increase its effectiveness.[117] It exploited the reciprocity in plugboard connections, to reduce considerably the number of scrambler settings that needed to be considered further. This became known as the diagonal board and was subsequently incorporated to great effect in all the bombes.[19][118]

A cryptanalyst would prepare a crib for comparison with the ciphertext. This was a complicated and sophisticated task, which later took the Americans some time to master. As well as the crib, a decision as to which of the many possible wheel orders could be omitted had to be made. Turing's Banburismus was used in making this major economy. The cryptanalyst would then compile a menu which specified the connections of the cables of the patch panels on the back of the machine, and a particular letter whose stecker partner was sought. The menu reflected the relationships between the letters of the crib and those of the ciphertext. Some of these formed loops (or closures as Turing called them) in a similar way to the cycles that the Poles had exploited.

The reciprocal nature of the plugboard meant that no letter could be connected to more than one other letter. When there was a contradiction of two different letters apparently being stecker partners with the letter in the menu, the bombe would detect this, and move on. If, however, this happened with a letter that was not part of the menu, a false stop could occur. In refining down the set of stops for further examination, the cryptanalyst would eliminate stops that contained such a contradiction. The other plugboard connections and the settings of the alphabet rings would then be worked out before the scrambler positions at the possible true stops were tried out on Typex machines that had been adapted to mimic Enigmas. All the remaining stops would correctly decrypt the crib, but only the true stop would produce the correct plaintext of the whole message.[119]

To avoid wasting scarce bombe time on menus that were likely to yield an excessive number of false stops, Turing performed a lengthy probability analysis (without any electronic aids) of the estimated number of stops per rotor order. It was adopted as standard practice only to use menus that were estimated to produce no more than four stops per wheel order. This allowed an 8-letter crib for a 3-closure menu, an 11-letter crib for a 2-closure menu and a 14-letter crib for a menu with only one closure. If there was no closure, at least 16 letters were required in the crib.[119] The longer the crib, however, the more likely it was that turn-over of the middle rotor would have occurred.

The production model 3-rotor bombes contained 36 scramblers arranged in three banks of twelve. Each bank was used for a different wheel order by fitting it with the drums that corresponded to the Enigma rotors being tested. The first bombe was named Victory and was delivered to Bletchley Park on 18 March 1940. The next one, which included the diagonal board, was delivered on 8 August 1940. It was referred to as a spider bombe and was named Agnus Dei which soon became Agnes and then Aggie. The production of British bombes was relatively slow at first, with only five bombes being in use in June 1941, 15 by the year end,[120] 30 by September 1942, 49 by January 1943[121] but eventually 210 at the end of the war.

A refinement that was developed for use on messages from those networks that disallowed plugboard (Stecker) connection of adjacent letters, was the Consecutive Stecker Knock Out. This was fitted to 40 Bombes and produced a useful reduction in false stops.[122]

Initially the bombes were operated by ex-BTM servicemen, but in March 1941 the first detachment of members of the Women's Royal Naval Service (known as Wrens) arrived at Bletchley Park to become bombe operators. By 1945 there were some 2,000 Wrens operating the bombes.[123] Because of the risk of bombing, relatively few of bombes were located at Bletchley Park. The largest two outstations were at Eastcote (some 110 bombes and 800 Wrens) and Stanmore (some 50 bombes and 500 Wrens). There were also bombe outstations at Wavendon, Adstock and Gayhurst. Communication with Bletchley Park was by teleprinter links.

When the German Navy started using 4-rotor Enigmas, about sixty 4-rotor bombes were produced at Letchworth, some with the assistance of the General Post Office.[124] The NCR-manufactured US Navy 4-rotor bombes were, however, very fast and the most successful. They were extensively used by Bletchley Park over teleprinter links (using the Combined Cipher Machine) to OP-20-G[125] for both 3-rotor and 4-rotor jobs.[126]

Luftwaffe Enigma[edit]

Although the German army, SS, police, and railway all used Enigma with similar procedures, it was the Luftwaffe (Air Force) that was the first and most fruitful source of Ultra intelligence during the war. The messages were decrypted in Hut 6 at Bletchley Park and turned into intelligence reports in Hut 3.[127] The network code-named ‘Red’ at Bletchley Park was broken regularly and quickly from 22 May 1940 until the end of hostilities. Indeed, the Air Force section of Hut 3 expected the new day’s Enigma settings to have been established in Hut 6 by breakfast time. The relative ease of breaking this network’s settings was a product of plentiful cribs and frequent German operating mistakes.[128] Luftwaffe chief Hermann Göring was known to use it for trivial communications, including informing squadron commanders to make sure the pilots he was going to decorate had been properly deloused. Such messages became known as "Göring funnies" to the staff at Bletchley Park.[citation needed]

Abwehr Enigma[edit]

Enigma Model G, used by the Abwehr. It had three ordinary rotors and a rotating reflector, multiple notches on the rotor rings, but no plugboard.

Dilly Knox's last great cryptanalytical success before his untimely death in February 1943, was the breaking, in 1941, of the Abwehr Enigma. Intercepts of traffic which had an 8-letter indicator sequence before the usual 5-letter groups, led to the suspicion that a 4-rotor machine was being used.[129] The assumption was correctly made that the indicator consisted of a 4-letter message key enciphered twice. In fact the machine was a Model G Enigma, which had no plugboard, three conventional rotors, and a rotating reflector that could both be set by hand and was advanced by the stepping mechanism. Collecting a set of enciphered message keys for a particular day allowed cycles (or boxes as Knox called them) to be assembled in a similar way to the method used by the Poles in the 1930s.[130]

Knox was able to derive, using his buttoning up procedure,[32] some of the wiring of the rotor that had been loaded in the fast position on that day. Progressively he was able to derive the wiring of all three rotors. Once that had been done, he was able to work out the wiring of the reflector.[130] Deriving the indicator setting for that day was achieved using Knox's time-consuming rodding procedure.[33] This involved a great deal of trial and error, imagination and crossword puzzle-solving skills, but was helped by cillies.

The Abwehr was the intelligence and counter-espionage service of the German High Command. The spies that it placed in enemy countries used a lower level cipher (which was broken by Oliver Strachey's section at Bletchley Park) for their transmissions. However, the messages were often then re-transmitted word-for-word on the Abwehr's internal Enigma networks, which gave the best possible crib for deciphering that day's indicator setting. Interception and analysis of Abwehr transmissions led to the remarkable state of affairs that allowed MI5 to give a categorical assurance that all the German spies in Britain were controlled as double agents working for the Allies under the Double Cross System.[111]

German Army Enigma[edit]

In the summer of 1940 following the Franco-German armistice, most Army Enigma traffic was travelling by land lines rather than radio and so was not available to Bletchley Park. The air Battle of Britain was crucial, so it was not surprising that the concentration of scarce resources was on Luftwaffe and Abwehr traffic. It was not until early in 1941 that the first breaks were made into German Army Enigma traffic, and it was the spring of 1942 before it was broken reliably, albeit often with some delay.[131] It is unclear whether the German Army Enigma operators made deciphering more difficult by making fewer operating mistakes.[132]

German naval Enigma[edit]

The German Navy used Enigma in the same way as the German Army and Air Force until 1 May 1937 when they changed to a substantially different system. This used the same sort of setting sheet but, importantly, it included the ground key for a period of two, sometimes three days. The message setting was concealed in the indicator by selecting a trigram from a book (the Kenngruppenbuch, or K-Book) and performing a bigram substitution on it.[133] This defeated the Poles, although they suspected some sort of bigram substitution.

The procedure for the naval sending operator was as follows. First they selected a trigram from the K-Book, say YLA. They then looked in the appropriate columns of the K-Book and selected another trigram, say YVT, and wrote it in the boxes at the top of the message form:

. Y V T
Y L A .

They then filled in the "dots" with any letters, giving say:

Q Y V T
Y L A G

Finally they looked up the vertical pairs of letters in the Bigram Tables

QY→UB YL→LK VA→RS TG→PW

and wrote down the resultant pairs, UB, LK, RS and PW which were transmitted as two four letter groups at the start and end of the enciphered message. The receiving operator performed the converse procedure to obtain the message key for setting his Enigma rotors.

As well as these Kriegsmarine procedures being much more secure than those of the German Army and Air Force, the German Navy Enigma introduced three more rotors (VI, VII and VIII), early in 1940.[134] The choice of three rotors from eight meant that there were a total of 336 possible permutations of rotors and their positions.

Alan Turing decided to take responsibility for German naval Enigma because "no one else was doing anything about it and I could have it to myself".[135] He established Hut 8 with Peter Twinn and two "girls".[136] Turing used the indicators and message settings for traffic from 1–8 May 1937 that the Poles had worked out, and some very elegant deductions to diagnose the complete indicator system. After the messages were deciphered they were translated for transmission to the Admiralty in Hut 4.

German Navy 3-rotor Enigma[edit]

The first break of wartime traffic was in December 1939, into signals that had been intercepted in November 1938, when only three rotors and six plugboard leads had been in use.[137] It used "Forty Weepy Weepy" cribs.

A captured German Funkmaat[138] Meyer had revealed that numerals were now spelt out as words. EINS, the German for "one", was present in about 90% of genuine German Navy messages. An EINS catalogue was compiled consisting of the encipherment of EINS at all 105,456 rotor settings.[139] These were compared with the ciphertext, and when matches were found, about a quarter of them yielded the correct plaintext. Later this process was automated in Mr Freeborn's section using Hollerith equipment. When the ground key was known, this EINS-ing procedure could yield three bigrams for the tables that were then gradually assembled.[137]

Further progress required more information from German Enigma users. This was achieved through a succession of pinches, the capture of Enigma parts and codebooks. The first of these was on 12 February 1940, when rotors VI and VII, whose wiring was at that time unknown, were captured from the U-33, by HMS Gleaner.

On 26 April 1940 the Narvik-bound German patrol boat VP2623, disguised as a Dutch trawler named Polares, was captured by HMS Griffin. This yielded an instruction manual, codebook sheets and a record of some transmissions, which provided complete cribs. This confirmed that Turing's deductions about the trigram/bigram process was correct and allowed a total of six days' messages to be broken, the last of these using the first of the bombes.[137] However, the numerous possible rotor sequences, together with a paucity of usable cribs, made the methods used against the Army and Air Force Enigma messages of very limited value.

Turing had devised a development of the clock method invented by the Polish cryptanalyst Jerzy Różycki at the end of 1939. This came to be known as "Banburismus". Turing said that at that stage "I was not sure that it would work in practice, and was not in fact sure until some days had actually broken".[140] Banburismus used a statistical scoring system and large cards printed in Banbury (hence its name), to reduce the number of rotor sequences to be tried on the bombes. In practice the 336 possible rotors and sequences could be reduced to perhaps 18 to be run on the bombes.[141] Knowledge of the bigrams was essential for Banburismus and building up the tables took a long time. This lack of visible progress led to Frank Birch, head of the Naval Section to write on 21 August 1940 to Edward Travis Deputy Director of Bletchley Park:

"I'm worried about Naval Enigma. I've been worried for a long time, but haven't liked to say as much.... Turing and Twinn are like people waiting for a miracle, without believing in miracles....."[142]

Schemes for capturing Enigma material were conceived including, in September 1940, Operation Ruthless by Lieutenant Commander Ian Fleming (author of the James Bond novels). When this was cancelled, Birch told Fleming that "Turing and Twinn came to me like undertakers cheated of a nice corpse....".[143]

A major advance came through Operation Claymore, a commando raid on the Lofoten Islands on 4 March 1941. The German armed trawler Krebs was captured, including the complete Enigma keys for February, but no bigram tables or K-book. However, the material was sufficient to reconstruct the bigram tables by "EINS-ing", and by late March they were almost complete.[144]

Banburismus then started to become extremely useful. Hut 8 was expanded and moved to 24-hour working, and a crib room was established. The story of Banburismus for the next two years was one of improving methods, of struggling to get sufficient staff, and of a steady growth in the relative and absolute importance of cribbing as the increasing numbers of bombes made the running of cribs ever faster.[145] Of value in this period were further "pinches" such as those from the German weather ships München and Lauenburg and the submarines U-110 and U-559.

Despite the introduction of the 4-rotor Enigma for Atlantic U-boats, the analysis of traffic enciphered with the 3-rotor Enigma proved of immense value to the Allied navies. Banburismus was used until July 1943, when it became more efficient to use the many more bombes that had become available.

German Navy 4-rotor Enigma[edit]

The German Navy 4-rotor Enigma machine (M4) which was introduced for U-boat traffic on 1 February 1942.

On 1 February 1942, the Enigma messages to and from Atlantic U-boats, which Bletchley Park called '"Shark," became significantly different from the rest of the traffic, which they called "Dolphin."[146]

This was because a new Enigma version had been brought into use. It was a development of the 3-rotor Enigma with the reflector replaced by a thin rotor and a thin reflector. Eventually, there were two fourth-position rotors that were called Beta and Gamma and two thin reflectors, Bruno and Caesar which could be used in any combination. These rotors were not advanced by the rotor to their right, in the way that rotors I to VIII were.

The introduction of the fourth rotor did not catch Bletchley Park by surprise, because captured material dated January 1941 had made reference to its development as an adaptation of the 3-rotor machine, with the fourth rotor wheel to be a reflector wheel.[147] Indeed, because of operator errors, the wiring of the new fourth rotor had already been worked out.

This major challenge could not be met by using existing methods and resources for a number of reasons.

  1. The work on the Shark cipher would have to be independent of the continuing work on messages in the Dolphin cipher.
  2. Breaking Shark on 3-rotor bombes would have taken 50 to 100 times as long as an average Air Force or Army job.
  3. U-boat cribs at this time were extremely poor.[148]

It seemed, therefore, that effective, fast, 4-rotor bombes were the only way forward. This was an immense problem and it gave a great deal of trouble. Work on a high speed machine had been started by Wynn-Williams of the TRE late in 1941 and some nine months later Harold Keen of BTM started work independently. Early in 1942, Bletchley Park were a long way from possessing a high speed machine of any sort.[149]

Eventually, after a long period of being unable to decipher U-boat messages, a source of cribs was found. This was the Kurzsignale (Short Signal Code) which the German navy used to minimize the duration of transmissions, thereby reducing the risk of being located by direction finding techniques. The messages were only 22 characters long and were used to report sightings of possible Allied targets.[150] A copy of the code book had been captured from U-110 on 9 May 1941. A similar coding system was used for weather reports from U-boats, the Wetterkurzschluessel, (Weather Short Code Book). A copy of this had been captured from U-559 on 29 or 30 October 1942.[151] These short signals had been used for deciphering 3-rotor Enigma messages and it was discovered that the new rotor had a neutral position at which it, and its matching reflector, behaved just like a 3-rotor Enigma reflector. This allowed messages enciphered at this neutral position to be deciphered by a 3-rotor machine, and hence deciphered by a standard bombe. Deciphered Short Signals provided good material for bombe menus for Shark.[152] Regular deciphering of U-boat traffic restarted in December 1942.[153]

American bombes[edit]

Further information: US Navy Bombe and US Army Bombe

Unlike the situation at Bletchley Park, the United States armed services did not share a combined cryptanalytical service. Before the US joined the war, there was collaboration with Britain, albeit with a considerable amount of caution on Britain's side because of the extreme importance of Germany and her allies not learning that its codes were being broken. Despite some worthwhile collaboration amongst the cryptanalysts, their superiors took some time to achieve a trusting relationship in which both British and American bombes were used to mutual benefit.

In February 1941, Captain Abe Sinkov and Lieutenant Leo Rosen of the US Army, and US naval Lieutenants Robert Weeks and Prescott Currier, arrived at Bletchley Park bringing, amongst other things, a replica of the 'Purple' cipher machine for the Bletchley Park's Japanese section in Hut 7.[154] The four returned to America after ten weeks, with a naval radio direction finding unit and many documents[155] including a "paper Enigma".[156]

The main American response to the 4-rotor Enigma was the US Navy bombe, which was manufactured in much less constrained facilities than were available in wartime Britain. Colonel John Tiltman, who later became Deputy Director at Bletchley Park, visited the US Navy cryptanalysis office (OP-20-G) in April 1942 and recognised America's vital interest in deciphering U-boat traffic. The urgent need, doubts about the British engineering workload and slow progress, prompted the US to start investigating designs for a Navy bombe, based on the full blueprints and wiring diagrams received by US naval Lieutenants Robert Ely and Joseph Eachus at Bletchley Park in July 1942.[157][158] Funding for a full, $2 million, Navy development effort was requested on 3 September 1942 and approved the following day.

US Navy bombe. It contained 16 four-rotor Enigma-equivalents and was much faster than the British bombe.

Commander Edward Travis, Deputy Director and Frank Birch, Head of the German Naval Section travelled from Bletchley Park to Washington in September 1942. With Carl Frederick Holden, US Director of Naval Communications they established, on 2 October 1942, a UK:US accord which may have "a stronger claim than BRUSA to being the forerunner of the UKUSA Agreement," being the first agreement "to establish the special Sigint relationship between the two countries," and "it set the pattern for UKUSA, in that the United States was very much the senior partner in the alliance."[159] It established a relationship of "full collaboration" between Bletchley Park and OP-20-G.[160]

An all electronic solution to the problem of a fast bombe was considered,[161] but rejected for pragmatic reasons, and a contract was let with the National Cash Register Corporation (NCR) in Dayton, Ohio. This established the United States Naval Computing Machine Laboratory. Engineering development was led by NCR's Joseph Desch, a brilliant inventor and engineer. He had already been working on electronic counting devices.[162]

Alan Turing, who had written a memorandum to OP-20-G (probably in 1941),[163] was seconded to the British Joint Staff Mission in Washington in December 1942, because of his exceptionally wide knowledge about the bombes and the methods of their use. He was asked to look at the bombes that were being built by NCR and at the security of certain speech cipher equipment under development at Bell Labs.[164] He visited OP-20-G, and went to NCR in Dayton on 21 December. He was able to show that it was not necessary to build 336 Bombes, one for each possible rotor order, by utilising techniques such as Banburismus.[165] The initial order was scaled down to 96 machines.

The US Navy bombes used drums for the Enigma rotors in much the same way as the British bombes, but were very much faster. The first machine was completed and tested on 3 May 1943. Soon, these bombes were more available than the British bombes at Bletchley Park and its outstations, and as a consequence they were put to use for Hut 6 as well as Hut 8 work.[166] A total of 121 Navy bombes were produced.[167] In Alexander's "Cryptographic History of Work on German Naval Enigma", he wrote as follows.

When the Americans began to turn out bombes in large numbers there was a constant interchange of signal - cribs, keys, message texts, cryptographic chat and so on. This all went by cable being first encyphered on the combined Anglo-American cypher machine, C.C.M. Most of the cribs being of operational urgency rapid and efficient communication was essential and a high standard was reached on this; an emergency priority signal consisting of a long crib with crib and message text repeated as a safeguard against corruption would take under an hour from the time we began to write the signal out in Hut 8 to the completion of its decyphering in Op. 20 G. As a result of this we were able to use the Op. 20 G bombes almost as conveniently as if they had been at one of our outstations 20 or 30 miles away.[168]

The US Army also produced a bombe. It was physically very different from the British and US Navy bombes. A contract was signed with Bell Labs on 30 September 1942.[169] The machine was designed to analyse 3-rotor, not 4-rotor traffic. It did not use drums to represent the Enigma rotors, using instead telephone-type relays. It could, however, handle one problem that the bombes with drums could not.[166][167] The set of ten bombes consisted of a total of 144 Enigma-equivalents, each mounted on a rack approximately 7 feet (2.1 m) long 8 feet (2.4 m) high and 6 inches (150 mm) wide. There were 12 control stations which could allocate any of the Enigma-equivalents into the desired configuration by means of plugboards. Rotor order changes did not require the mechanical process of changing drums, but was achieved in about half a minute by means of push buttons.[170] A 3-rotor run took about 10 minutes.[167]

German suspicions[edit]

By 1945, almost all German Enigma traffic (Wehrmacht, Kriegsmarine, Luftwaffe, Abwehr, SD, etc.) could be decrypted within a day or two, yet the Germans remained confident of its security.[171] They openly discussed their plans and movements, handing the Allies huge amounts of information, not all of which was used effectively. For example, Rommel's actions at the Kasserine Pass were clearly foreshadowed in decrypted Enigma traffic, but the information was not properly appreciated by the Americans.[citation needed]

After the war, American TICOM project teams found and detained a considerable number of German cryptographic personnel. Among the things the Americans learned was that German cryptographers, at least, understood very well that Enigma messages might be read; they knew Enigma was not unbreakable. They just found it impossible to imagine anyone going to the immense effort required.[172] When Abwehr personnel who had worked on Fish cryptography and Russian traffic were interned at Rosenheim around May 1945, they were not at all surprised that Enigma had been broken, only that someone had mustered all the resources in time to actually do it. Admiral Dönitz had been advised that a cryptanalytic attack was the least likely of all security problems.

Since World War II[edit]

Modern computers can be used to solve Enigma, using a variety of techniques.[173] There is even a project to decrypt some remaining messages, using distributed computing.[174] Stefan Krah led an effort in Germany to crack the last codes in 2006.[175]

See also[edit]

References and notes[edit]

  1. ^ Winterbotham 2000, pp. 16–17
  2. ^ Reuvers, Paul; Simons, Marc (2009,2010), Enigma Cipher Machine, retrieved 22 July 2010 
  3. ^ Welchman 1997, p. 3
  4. ^ Calvocoressi 2001, p. 66
  5. ^ Singh 1999, p. 116
  6. ^ Churchhouse 2002, p. 4
  7. ^ Churchhouse 2002, pp. 4,5
  8. ^ Alexander c. 1945 "Background" Para. 2 Alexander (c. 1945) "Background" Para. 2
  9. ^ Ellsbury 1998a
  10. ^ Churchhouse 2002, pp. 202–204
  11. ^ Sale, Tony, The components of the Enigma machine, Enigma rotors (or wheels), retrieved 1 January 2010 
  12. ^ Copeland 2004, p. 245
  13. ^ Smith 2006, p. 23
  14. ^ Singh 1999, p. 136
  15. ^ Sale, Tony, Military Use of the Enigma: The complexity of the Enigma machine, retrieved 2 June 2010 
  16. ^ Copeland 2004, p. 250
  17. ^ Mahon 1945, p. 3
  18. ^ Mahon 1945, p. 16
  19. ^ a b Welchman 1997, p. 245
  20. ^ Bauer 2002, p. 135
  21. ^ Sale, Tony, Military Use of the Enigma: The Message Key and Setting Sheets, Codes and Ciphers in the Second World War: The history, science and engineering of cryptanalysis in World War II, retrieved 21 October 2008 
  22. ^ Rijmenants, Dirk, "Enigma Message Procedures", Cipher Machines and Cryptology, retrieved 19 November 2009 
  23. ^ Churchhouse 2002, pp. 33, 86
  24. ^ Hinsley, F.H. and Stripp, Alan (1993) p. xviii and Hinsley (1992) p. 2
  25. ^ One element of the key, the sequence of rotors in the machine, was at first changed quarterly; but from 1 January 1936 it was changed monthly; from 1 October 1936, daily; and later, during World War II, as often as every eight hours. Marian Rejewski, Summary of Our Methods for Reconstructing ENIGMA and Reconstructing Daily Keys..., Appendix C to Władysław Kozaczuk, Enigma (1984) p. 242
  26. ^ US Army 1945, p. 2
  27. ^ Sale, Tony, Bigrams, Trigrams and Naval Enigma: The Daily Key,(Tagschluessel), Lecture on Naval Enigma, retrieved 7 June 2010 
  28. ^ The German Navy adopted a more complex and secure indicator procedure on 1 May 1937—see "German naval Enigma".
  29. ^ Gaj, Kris; Orłowski, Arkadiusz, Facts and myths of Enigma: breaking stereotypes, George Mason University, Fairfax, VA 22030, U.S.A.; Institute of Physics, Polish Academy of Sciences Warszawa, Poland, Section 3.2, retrieved 1 February 2009 
  30. ^ Gaj, Kris; Orłowski, Arkadiusz, Facts and myths of Enigma: breaking stereotypes, George Mason University, Fairfax, VA 22030, U.S.A.; Institute of Physics, Polish Academy of Sciences Warszawa, Poland A, Section 7, retrieved 1 February 2009 
  31. ^ Hodges (1983) p. 176
  32. ^ a b Carter, Frank (2004), Buttoning Up: A method for recovering the wiring of the rotors used in a non-stecker Enigma, retrieved 20 January 2009 
  33. ^ a b c Carter, Frank (2004), Rodding, retrieved 20 January 2009 
  34. ^ Gordon Corera (23 March 2012), The Spanish link in cracking the Enigma code, BBC News 
  35. ^ Wilcox 2001, p. 2
  36. ^ Rejewski & Woytak 1984b, p. 231
  37. ^ Rejewski & Woytak 1984b, p. 256
  38. ^ The documents were Instructions for Using the Enigma Cipher Machine and Keying Instructions for the Enigma Cipher Machine, and the pages of Enigma keys were for September and October 1932 which fortunately had different rotor positions.
  39. ^ Kahn 1991, p. 974
  40. ^ Wilcox 2001, p. 5
  41. ^ Hodges 1983, p. 170
  42. ^ Copeland 2004, p. 234
  43. ^ Rejewski & Woytak 1984b, p. 257 citing Fitzgerald, Penelope (1977), The Knox Brothers, London: Macmillan, ISBN 1-58243-095-0 
  44. ^ Welchman 1997, pp. 207–211
  45. ^ Also referred to as a box shape or a chain. See Alexander c. 1945 Ch. II Para. 4
  46. ^ 105,456 is the number of possible rotor settings (17,576) multiplied by the six wheel orders that were possible at this time. Singh 1999, p. 153
  47. ^ Alexander c. 1945 Ch. II Para. 4
  48. ^ Rejewski 1984e, p. 285
  49. ^ a b c Rejewski 1984c, p. 242
  50. ^ a b Mahon 1945, p. 13
  51. ^ Kozaczuk 1984, pp. 54, 63 note 2
  52. ^ In Welchman 1997, p. 72 he suggests that this arose from the nomenclature for plugs (male) and sockets (female) because the success of this method depended on a number of overlying sheets having their apertures in register.
  53. ^ Sebag-Montefiore 2004, p. 362 cites Alfred Dillwyn Knox, who attended the 25 July 1939 Warsaw conference, as having given a more frankly biological etymology, discreetly veiled in French.
  54. ^ Instead they were called Jeffreys sheets after the head of the Bletchley Park section that produced them.
  55. ^ Welchman 1997, p. 215
  56. ^ Rejewski 1984e, p. 289
  57. ^ Welchman 1997, p. 216
  58. ^ Apparently this name was provided by Jerzy Różycki when the tree cryptanalysts were in a cafe and he was eating a Bombe glacée ice cream desert.
  59. ^ Bomby is the plural of bomba.
  60. ^ 17,576 = 263, since Enigma used 26 letters on each of 3 rotors.
  61. ^ Rejewski 1984e, p. 290
  62. ^ a b Kozaczuk 1984, p. 54
  63. ^ a b Rejewski 1982, p. 80
  64. ^ Also quoted in Kozaczuk 1984, p. 63
  65. ^ Chamberlain, Neville (31 March 1939), "European Situation (2.52 p.m.)", Hansard (UK Parliament) 345, retrieved 3 January 2009 
  66. ^ Kozaczuk 1984, p. 64
  67. ^ Erskine 2006, p. 59
  68. ^ Herivel 2008, p. 55
  69. ^ Copeland 2004, p. 246
  70. ^ Bertrand 1973, pp. 60–61
  71. ^ Welchman 1984, p. 289
  72. ^ Calvocoressi, Peter (23 March 1984), "Credit to the Poles", The Times (London): 13 
  73. ^ Kozaczuk 1984, pp. 69–94, 104–11
  74. ^ Kozaczuk 1984, pp. 84, 94 note 8
  75. ^ Rejewski 1982, pp. 81–82
  76. ^ a b Rejewski 1984c, p. 243
  77. ^ Rejewski 1984d, pp. 269–70
  78. ^ It is not clear whether, after the June 1940 fall of France, the Cipher Bureau broke Enigma. Rejewski, the principal Polish source, wrote in a posthumously published 1980 paper that at Cadix "We worked on other ciphers, no longer on Enigma." (Kozaczuk 1984, p. 270). Colonel Stefan Mayer of Polish Intelligence, however, mentioned the Poles breaking "interesting [machine-enciphered messages] from [Germany's 1941] Balkan campaign coming [in over] the 'Luftwaffe' network..." (Kozaczuk 1984, p. 116). And French intelligence Gen. Gustave Bertrand wrote of Enigma having been read at Cadix. (Kozaczuk 1984, p. 117). Tadeusz Lisicki, Rejewski's and Zygalski's immediate chief later in wartime England but sometimes a dubious source, wrote in 1982 that "Rejewski in [a letter] conceded that Bertrand was doubtless right that at Cadix they had read Enigma, and that the number given by Bertrand, of 673 [Wehrmacht] telegrams, was correct.... The British did not send keys to Cadix; these were found using various tricks such as the sillies [and] Herivel tip described by Welchman, Knox's method, as well as others that Rejewski no longer remembered." (Kozaczuk 1984, p. 117).
  79. ^ The third mathematician, Jerzy Różycki, had perished together with three Polish and one French colleague in the 1942 sinking of the passenger ship Lamoricière as they were returning to France from a tour of duty in Algeria.
  80. ^ Kozaczuk 1984, pp. 148–55, 205–9
  81. ^ Kozaczuk 1984, p. 220
  82. ^ Churchhouse 2002, p. 122
  83. ^ Rejewski 1984c, pp. 243–44
  84. ^ Rejewski & Woytak 1984b, p. 235
  85. ^ Copeland 2004, p. 235
  86. ^ a b Kahn 1991, p. 113
  87. ^ Sebag-Montefiore 2004, p. 92
  88. ^ Alexander c. 1945 "Background" Para. 38
  89. ^ Bauer 2007, p. 441
  90. ^ a b Taunt 1993, p. 108
  91. ^ Budiansky 2000, p. 240
  92. ^ Welchman 1997, pp. 98–100
  93. ^ John Herivel, cited by Smith 2007, pp. 50–51
  94. ^ Welchman 1997, pp. 130, 131, 167
  95. ^ Bauer 2007, p. 442
  96. ^ Smith 2007, pp. 59, 60
  97. ^ Hodges 1995
  98. ^ Welchman 1997, p. 12
  99. ^ Mahon 1945, p. 24
  100. ^ a b Welchman 1997, p. 120
  101. ^ Bletchley Park Archives: Government Code & Cypher School Card Indexes, retrieved 8 July 2010 
  102. ^ Budiansky 2000, p. 301
  103. ^ Welchman 1984, p. 56
  104. ^ Milner-Barry 1993, p. 93
  105. ^ Smith 2007, p. 38
  106. ^ Taunt 1993, pp. 104, 105
  107. ^ Lewin 2001, p. 118
  108. ^ Taunt 1993, p. 111
  109. ^ Singh 1999, p. 174
  110. ^ Mahon 1945, p. 44
  111. ^ a b Smith 2007, p. 129
  112. ^ Mahon 1945, p. 41
  113. ^ Morris 1993, p. 235
  114. ^ Smith 2007, p. 102
  115. ^ Harper, John (ed.), "BTM - British Tabulatuing Machine Company Ltd", The British Bombe CANTAB 
  116. ^ Sale, Tony, "Alan Turing, the Enigma and the Bombe", in Sale, Tony, The Enigma cipher machine 
  117. ^ Hodges 1983, p. 183
  118. ^ Ellsbury 1998b
  119. ^ a b Carter, Frank (2004), From Bombe 'stops' to Enigma keys, retrieved 1 March 2009 
  120. ^ Copeland 2004, pp. 253–256
  121. ^ Budiansky 2000, p. 230
  122. ^ Bauer 2002, p. 482
  123. ^ Smith 2007, p. 75
  124. ^ Harper, John (ed.), "Bombe Types", The British Bombe CANTAB 
  125. ^ Mahon 1945, p. 89
  126. ^ Wenger, Engstrom & Meader 1998
  127. ^ Calvocoressi 2001, p. 74
  128. ^ Calvocoressi 2001, p. 87
  129. ^ Twinn 1993, p. 127
  130. ^ a b Carter, Frank, The Abwehr Enigma Machine 
  131. ^ Calvocoressi 2001, p. 99
  132. ^ Sullivan & Weierud 2005, p. 215
  133. ^ Supreme Command of the Navy (1940), "The Enigma General Procedure (Der Schluessel M Verfahren M Allgemein)", The Bletchley Park translated Enigma Instruction Manual, transcribed and formatted by Tony Sale (Berlin: Supreme Command of the German Navy), retrieved 26 November 2009 
  134. ^ Copeland 2004, p. 225
  135. ^ Alexander c. 1945 Ch. II Para. 11
  136. ^ Copeland 2004, p. 258
  137. ^ a b c Mahon 1945, p. 22
  138. ^ German for radio operator
  139. ^ Alexander c. 1945 Ch. II Para. 21
  140. ^ Mahon 1945, p. 14
  141. ^ Alexander c. 1945 "Background" Para. 42
  142. ^ Mahon 1945, p. 2
  143. ^ Batey 2008, pp. 4–6
  144. ^ Mahon 1945, p. 26
  145. ^ Alexander c. 1945 Ch. III Para. 5
  146. ^ Alexander c. 1945 Ch. III Para. 20
  147. ^ Mahon 1945, p. 62
  148. ^ Alexander c. 1945 Ch. III Para. 21
  149. ^ Mahon 1945, p. 63
  150. ^ Sale, Tony, The Breaking of German Naval Enigma: U Boat Contact Signals, Codes and Ciphers in the Second World War: The history, science and engineering of cryptanalysis in World War II, retrieved 1 December 2008 
  151. ^ Budiansky 2000, pp. 341–343
  152. ^ Mahon 1945, p. 64
  153. ^ Mahon 1945, p. 77
  154. ^ Budiansky 2000, p. 176
  155. ^ Budiansky 2000, p. 179
  156. ^ Jacobsen 2000
  157. ^ Budiansky 2000, p. 238
  158. ^ Wilcox 2001, p. 21
  159. ^ Erskine 1999, pp. 187–197
  160. ^ Budiansky 2000, p. 239
  161. ^ Budiansky 2000, p. 241
  162. ^ Desch, Joseph R. (21 January 1942), 1942 Research Report, retrieved 20 July 2013 
  163. ^ Turing c. 1941, pp. 341–352
  164. ^ Bletchley Park Text: November 1942: Departure of Alan Turing from BP, retrieved 16 April 2010 
  165. ^ Budiansky 2000, p. 242
  166. ^ a b Welchman 1997, p. 135
  167. ^ a b c Wenger 1945, p. 52
  168. ^ Alexander c. 1945 Ch. VIII para. 11
  169. ^ Sebag-Montefiore 2004, p. 254
  170. ^ Wenger 1945, p. 51
  171. ^ Ferris 2005, p. 165
  172. ^ Bamford 2001, p. 17
  173. ^ Sullivan & Weierud 2005
  174. ^ M4 Message Breaking Project, retrieved 16 October 2008 
  175. ^ "Online amateurs crack Nazi codes". BBC. 2006-03-02. 

Bibliography[edit]

External links[edit]