Cryptanalysis of the Enigma

From Wikipedia, the free encyclopedia

Jump to: navigation, search

Cryptanalysis of the Enigma enabled the Allies in World War II to read substantial amounts of secret Morse-coded radio communications of the Axis powers enciphered using Enigma machines. This Allied reading yielded military intelligence which, along with that from other decrypted German radio transmissions, was given the name Ultra.

Enigma cryptanalysis contributed greatly to the success of Allied war efforts—in the Battle of Matapan in March 1941; in reversing the early disastrous course of the Battle of the Atlantic, beginning in the latter part of 1941; in frustrating Rommel's efforts to capture Cairo in 1942; in the invasion of Sicily (1943) and mainland Italy (1943–44); in the planning and execution of Operation Overlord (the Allied invasion of France, 1944); and in the subsequent drive to and through Germany.[1][2] Evidence suggests that Soviet strategy and tactics against Nazi Germany likewise benefited from Ultra intelligence, conveyed to the Soviets by a variety of conduits.[3]

The Enigma machines were a family of portable cipher machines with rotor-based scramblers. Various German armed and secret services and civilian agencies used Enigma in somewhat different ways, and at various times made changes to their procedures for operating Enigma. The greatest differences in operating procedures were between those of the German Navy (Reichsmarine and Kriegsmarine) and those of other services and agencies.

The German plugboard-equipped Enigma that would be the Third Reich's principal crypto-system was reconstructed, with the aid of French-supplied intelligence material, by the Polish General Staff's Cipher Bureau in December 1932, on the eve of Adolf Hitler's rise to power in Germany in January 1933. From then until the outbreak of World War II, the Poles held a monopoly of decryption of this Enigma model.

The Enigma cipher machine
This box: view  talk  edit

As war drew near, at a Warsaw conference on 25 July 1939 the Polish Cipher Bureau initiated the French and British into its Enigma-breaking techniques and technology, thus greatly broadening the Allied (Polish, French, and particularly British and American) foundations for wartime decryption of German Enigma-enciphered communications.

Contents

[edit] General principles

Analysis of a monoalphabetic substitution cipher is relatively easy, provided that a message is long enough to give a reasonably representative count of the letters of the alphabet that it contains. The resultant frequency count can then be compared with the known letter frequencies of the language in which the message is written.[4]

In the 15th and 16th centuries, in Europe, the idea of a polyalphabetic substitution cipher was developed, among others by the French diplomat Blaise de Vigenère (1523-96).[5] For some three centuries, the Vigenère cipher was considered to be completely secure (le chiffre indéchiffrable—"the indecipherable cipher"). Nevertheless, Charles Babbage (1791–1871) and later, independently, Friedrich Kasiski (1805–81) succeeded in breaking this cipher.[6]

The cryptographic key for the Vigenère cipher consists of a word or phrase that is repeated many times to cover the length of the message. The key's letters indicate which line of the Vigenère square is used to encipher each letter of the plaintext so as to produce the ciphertext. It was this repetition that allowed Babbage and Kasiski to achieve their breaks.

During World War I, inventors in several countries realized that a purely random key sequence, containing no repetitive pattern, would make a polyalphabetic substitution, in principle, unbreakable.[7] This led to the development, in several countries, of rotor cipher machines such as Arthur Scherbius' Enigma.

Rotor cipher machines alter each character in the plaintext to produce the ciphertext, by means of a scrambler comprising a set of rotors (or wheels) that alter the electrical path from character to character, between the input device (in Enigma, a keyboard) and the output device (in Enigma, a lampboard). This constant altering of the electrical pathway produces a very long period before the pattern—the key sequence or substitution alphabet—repeats.

Although Kerckhoffs' principle states that a cryptosystem should be secure even when everything about the system except the key is known to the enemy, the internal wiring of machines such as Enigma has so many possibilities that an important aspect of breaking them is deducing their logical structure.

The presence of repetition or of guessable elements in either the key or the message are the weaknesses that allow cryptanalysts to seek patterns that can enable them to break a cipher. Finding such weak points in Enigma encipherment, before and during World War II, led to sustained Allied decryption of German Enigma ciphers.

[edit] Strengths of Enigma

The Enigma machine was used commercially from the early 1920s and was adopted by the militaries and governments of various countries—most famously, Nazi Germany.
A series of three rotors from an Enigma machine

The Enigma was potentially an excellent system. It was designed to defeat cryptanalytic techniques by continually changing the substitution alphabet through the use of a scrambler comprising three—in some cases, four—rotors.

Like other rotor cipher-machines, Enigma generated a polyalphabetic substitution cipher with a long period. Given three single-notched rotors, the period was 16,900 (= 26 × 25 × 26).[8] Such a long period prevented any detectable repetition in the enciphering sequence.

The mechanism of the Enigma consisted of a keyboard connected to an entry plate or wheel (German: Eintrittswalze), at the right hand end of the scrambler (usually via a plugboard in the military versions). This contained a set of 26 contacts that made electrical connection with the set of 26 spring-loaded pins on the right hand rotor. The left hand side of each rotor in turn made electrical connection with the rotor to its left, and in the case of the leftmost, with the reflector (German: Umkehrwalze). The reflector provided a set of thirteen paired connections to return the current back through the scrambler rotors, and eventually to the lampboard.[9]

There are 403 trillion trillion (26 factorial) ways that the connections within each scrambler rotor—and between the entry plate and the keyboard or plugboard or lampboard—can be arranged. For the reflector plate there are a mere six billion (13 factorial) options to its possible wirings.

Whenever a key on the keyboard was pressed, the stepping motion was actuated, moving the rightmost rotor on one position. Because it advanced with each key pressed it is sometimes called the 'fast' rotor. When the notch on that rotor engaged with a pawl on the middle rotor, that too moved; and similarly with the leftmost ('slow') rotor.

Each scrambler rotor could be set to any one of its 26 starting positions (any letter of the alphabet). For the Enigma machines with only three rotors, their sequence in the scrambler could be selected from the six that are possible.

Possible rotor sequences
Left Middle Right
I II III
I III II
II I III
II III I
III I II
III II I
The plugboard (Steckerbrett) was positioned at the front of the machine, below the keys. In the above photograph, two pairs of letters have been swapped (S-O and J-A).

Later Enigma models added a variable alphabet ring like a tyre around the core of each rotor, that specified which letter was opposite the notch that caused the next wheel to advance. Later still, the three rotors that were in use were selected from a set of five or, in the case of the German Navy, eight rotors.

Most military Enigmas also featured a plugboard (German: Steckerbrett) which exchanged letters reciprocally, so that if A was plugged to G then A would become G and G would become A either on input from the keyboard to the scrambler, or on output from the scrambler to the lamp panel. With six plugboard leads, the number of different ways that letters could be re-arranged was some 100 billion.

[edit] Key setting

The machine featured the operational convenience of being symmetrical (or self-inverse). This meant that decipherment worked in the same way as encipherment—when the ciphertext was typed in, the sequence of lamps that lit yielded the plaintext. This of course required that the deciphering machine's plugboard and scrambler rotors be set identically to those of the enciphering machine.

In order to ensure that this would be the case, the complex ground-key setting (German: Grundstellung) was distributed to all users of a network[10] by means of setting sheets in a codebook.[11] These setting sheets changed the ground key regularly (at first monthly or weekly,[12] but soon daily and even, toward war's end in some networks, several times a day). The setting sheets had columns specifying, for each date, the rotors to be used and their positions (German: Walzenlage), the ring positions (German: Ringstellung) and the plugboard connections (German: Steckerverbindungen ). The dates were in reverse chronological order down the page. Each row was cut off when it was finished with, so that, in the event of capture, previous keys would not be revealed.[13]

Lastly, for each message, the transmitting operator would send the message key (the key specific to that message) so that the receiving operator could align his rotors identically. This was called the indicator[14] for that message and was the initial letters that would be visible through the windows on Enigma's top plate. This message key setting was itself enciphered on the machine using an indicator setting. At first the indicator setting was specified on the setting sheets, but later on it was selected by the operator or, in the case of the German Navy, by a more complicated and secure procedure. Because of the danger that poor radio reception might lead to the message key being garbled, it was, until May 1940, sent twice.

[edit] Security properties

Despite the undoubted strengths of Enigma when used properly, if the settings for one day (or whatever period was represented by each row of the setting sheet) were established, the rest of the messages for that network on that day could be decrypted.[15]

The various Enigma models provided different levels of security. The presence of a plugboard (Steckerbrett) substantially increased the security of the encipherment. Each pair of letters that were connected together by a plugboard lead, were referred to as stecker partners, and the letters that remained unconnected were said to be self-steckered.[16] In general, the unsteckered Enigma was used for commercial and diplomatic traffic and could be broken relatively easily using hand methods, while attacking versions with a plugboard was much more difficult. The British read unsteckered Enigma messages sent during the Spanish Civil War,[17] and also some Italian traffic enciphered early in World War II.

The Enigma machine did, however, have major weaknesses that proved helpful to cryptanalysts. First, a letter could never be encrypted to itself (with the exception of the early models A and B, which lacked a reflector). This property was of great help in using cribs—short sections of plaintext thought to be somewhere in the ciphertext—and could be used to eliminate a crib in a particular position. For a possible location, if any letter in the crib matched a letter in the ciphertext at the same position, the location could be ruled out; at Britain's Government Code and Cipher School (GCCS) at Bletchley Park, this was termed a crash.[18] It was this feature that the British mathematician and logician Alan Turing would exploit in designing the British bombe.

A second Enigma weakness was that the plugboard connections were reciprocal, so that if A was plugged to N, then N likewise became A. It was this property that inspired mathematician Gordon Welchman at Bletchley Park to propose that a diagonal board be introduced into the bombe, substantially reducing the number of rotor settings that the bombe had to try.[19]

A number of the officially-specified procedures for using Enigma also provided avenues for attack. Thus, for machines where there was a choice of more rotors than there were slots for them, a rule stipulated that no rotor should be in the same slot in the scrambler as it had been for the immediately preceding configuration. Also, no wheel order could be repeated on the monthly setting sheet. This meant that when the keys were being found on a regular basis, further economies in excluding possible wheel orders for the bombes to test, could be made.[20]

Similarly, for some networks, the plugboard-setup rules forbade a letter being connected to an adjacent one on the alphabet.

Once detected, these constraints reduced the number of alternatives that needed to be tried.

In any case, the Germans' specified Enigma-operating procedures, and good cryptologic practice, were not adhered to by all Enigma operators.

It has been suggested by some who worked at breaking Enigma at Bletchley Park that the Enigma should have been unbreakable in practice, had its operating procedures been better thought out and had its operators been less ill-disciplined. Postwar debriefings of German cryptographic specialists, conducted as part of project TICOM, tend to support this view—the Germans were well aware that Enigma was theoretically breakable, but felt that the resources required to mount a pure brute-force attack on the system would require too much effort to be worthwhile.

Had they considered the potential consequences of widespread poor operator procedure, and acted to correct the situation, it is likely that breaking Enigma on a regular basis would have proven impractical. To war's end, the Germans continued making improvements to the system, though they considered it to be for all practical purposes unbreakable.

[edit] Polish breakthrough

Polish General Staff building (the Saxon Palace), in Warsaw, where German Enigma ciphers were first broken (1932).
Main article: Polish Cipher Bureau

In 1928 the German Army (German: Heer), Navy (German: Reichsmarine later Kriegsmarine ) and Airforce (German: Luftwaffe) began using a 3-rotor Enigma with a 6-cable plugboard.[21] British, French and American cryptanalysts had no success in cracking this Enigma version.[22] In Poland, however, the threat from Germany was much greater, and the Polish Cipher Bureau (Biuro Szyfrów) in Warsaw continued work on it. On 1 September 1932, a 27-year-old Polish mathematician, Marian Rejewski, joined the Bureau along with two somewhat younger fellow Poznań University mathematics graduates, Henryk Zygalski and Jerzy Różycki.[23]

In December that year, the Polish Cipher Bureau received from Captain Gustave Bertrand of French Military Intelligence two German documents and two pages of Enigma daily keys (for September and October 1932)[24] that had been obtained by a French military intelligence agent, a German code-named Rex,[25] from an agent who worked at Germany's Cipher Office in Berlin (Hans Thilo-Schmidt, whom the French code-named Asché). The documents were entitled Gebrauchsanweisung für die Chiffriermaschine Enigma (Instructions for Using the Enigma Cipher Machine) and Schlüsselanleitung für die Chiffriermaschine Enigma (Keying Instructions for the Enigma Cipher Machine).

The tables of daily keys, Rejewski would later recall, were "a great help to me, because thanks to [them] the number of unknowns in the equations [that Rejewski had set up] was reduced, and I was able to solve [the] equations, and... as I was sitting there writing, the internal connections just came out in the form... of letters or numbers, I don't recall [which]—the internal connections ['wiring'] for the first [rotor], the one... on the far right, which always... revolved at every depression of a key".[26]

Marian Rejewski told Richard Woytak that

it was very important that the months [covered in the daily-key tables] happened to be September and October, in other words, periods that belonged to two different quarters [of the year. This is] because... the key consisted of several elements [and] one element of the key was changed only once a quarter. Namely, the order of the [rotors].... [A]t that time they were changed once a quarter. [S]ince September and October belonged to two different quarters, in September and October the orders of the [rotors] were different. [With] the method that I had been using to find the [wiring] in a [rotor]... I could only solve the [far] right-hand [rotor], the one that revolved one place every time [a key was pressed]. The point is that, thanks to the keys for September, I could solve the [rotor] that was in the far right-hand position in September. And since I also had the keys for October, using the same method I was later able to find the [wiring] in the [rotor] that was at the [far] right in October. [T]he third [rotor] and... the [reflector] now weren't so difficult... I managed to find them by other methods.[27]

Marian Rejewski about 1932, when he first broke Enigma

Marian Rejewski thus made one of the most important breakthroughs in cryptologic history by using elementary group theory to solve the Enigma wiring and rotor settings.[28][29] His method made it possible to derive the rotor settings independently of the plugboard connections.

A crucial inspired guess on Rejewski's part was that the connections between the keyboard and the entry ring were in alphabetical order, rather than in the order of the keys on a German typewriter keyboard: QWERTZUIO... — the order that was used in the commercial Enigma. Britain's Dilly Knox was astonished when he learned from the Poles, in Warsaw in July 1939, that the entry-ring order was so simple.[30][31]

After Rejewski had reconstructed the plugboard-equipped Enigma machine, the Poles were able to decrypt a substantial portion of German Enigma traffic through December 1938. (Thereafter they continued reading Enigma, but—due to changes in encipherment procedures—a smaller volume.)[32]

At the time, the setting sheets specified the rotor positions in the machine, the ring settings, the plugboard connections, and the rotor settings as they appeared through the three windows on top of the machine.

The message indicator was a 6-letter sequence comprising the three letters of the message key, enciphered twice using the initial rotor position given in the ground setting (e.g., RAO).[33] If the 3-letter message key chosen by the operator was IHL, he would encipher this after having set the rotors to RAO. The resultant ciphertext, say OTUNSD, would be transmitted, followed by the message, enciphered using message key IHL. The receiving operator would use the ground setting RAO to decipher the first six letters, yielding IHLIHL—assuming that there had been no distortion or garbling in the transmission or reception of the Morse. (It was the possibility of garbling that had led to the procedure of repeating the message key. This repetition was, however, a major security weakness that was exploited by the Poles.) The receiving operator would then decipher the message, using message key IHL.

In the example of OTUNSD being the ciphertext of the message key, it is known that the first letter O and the fourth letter N represent the same letter, enciphered three positions apart in the scrambler sequence. Similarly with T and S in the second and fifth positions, and U and D in the third and sixth. Rejewski exploited this fact by collecting a sufficient set of messages enciphered with the same ground key and assembling three tables for the 1,4, the 2,5, and the 3,6 pairings. Each of these might look something like the following:

First letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Fourth letter X F E A R B S L H Q I G C V D Z W K M N J U O Y T P

A path from one first letter to the corresponding fourth letter, then from that letter as the first letter to its corresponding fourth letter, and so on until the first letter recurs, traces out a cycle group.[34] The above table contains four cycle groups.

Cycle group starting at A (12 links) (A, X, Y, T, N, V, U, J, Q, W, O, D, A)
Cycle group starting at B (2 links) (B, F, B)
Cycle group starting at C (10 links) (C, E, R, K, I, H, L, G, S, M, C)
Cycle group starting at P (2 links) (P, Z, P)

The letters in these cycle groups are changed by the plugboard settings but, importantly, their patterns (in this example, four groups with 12, 10, 2 and 2 links) are not. This reduces the number of possibilities from 10,000 trillion to 105,456 (the number of possible rotor settings).[35]

This method stopped working for German naval Enigma messages on 1 May 1937, when the indicator procedure was changed substantially, making it very much more difficult to break.[36]

[edit] Cyclometer

Cyclometer (mid-1930s), devised by Rejewski to catalog the cycle structure of Enigma permutations. 1: Rotor lid closed, 2: Rotor lid open, 3: Rheostat, 4: Glowlamp, 5: Switches, 6: Letters.
Main article: Cyclometer

The Poles set about creating a catalog of these cycle patterns. Rejewski about 1934 or 1935 devised a machine to facilitate this task, called a cyclometer, which "comprised two sets of rotors... connected by wires through which electric current could run. Rotor N in the second set was three letters out of phase with respect to rotor N in the first set, whereas rotors L and M in the second set were always set the same way as rotors L and M in the first set".[37]

Preparation of the card catalog, using the cyclometer, was, says Rejewski, "laborious and took over a year, but when it was ready, obtaining daily keys was a question of [some fifteen] minutes".[38]

On 1 November 1937, however, the Germans changed the Enigma reflector, necessitating the production of a new catalog—"a task which [says Rejewski] consumed, on account of our greater experience, probably somewhat less than a year's time".[38]

On 15 September 1938 (the day that British Prime Minister Neville Chamberlain flew to the conference that led to the Munich Agreement) the indicator procedure was changed.[39] It now comprised a 9-letter sequence. The setting, as stated in the setting sheet, no longer specified the initial rotor positions to be used. Instead the operator chose three letters, which were transmitted in clear as the first three of nine letters. These gave the key for setting the rotors for the next six letters, which constituted the 3-letter message key sent twice.[40][41] This meant that the cycle-pattern method would no longer work.

[edit] Perforated sheets

Zygalski sheet
Main article: Perforated sheets

To decrypt Enigma messages, use was now made of a perforated-sheet apparatus that was devised about October 1938 by Henryk Zygalski and is therefore often called Zygalski sheets or Netz.[42][43] This method depended on a message key's repetition, but also relied on the situation in which a repeated letter of the key was enciphered to the same letter of ciphertext as it had been three letters previously.

Thus, if an intercepted message had the same first and fourth, second and fifth, or third and sixth letters, it was known that some scrambler settings could be eliminated. This phenomenon was, in effect, a zero-length cycle, and details of such cycles would have been available in the catalog.

These occurrences were called samiczki[44] (in English, females—a term later used at Bletchley Park[45][46]). If the first six letters of the ciphertext were SZVSIK, this would be termed a 1-4 female; if WHOEHS, a 2-5 female; and if ASWCRW, a 3-6 female.

Demonstration of two perforated sheets at Bletchley Park Museum

The probability of any message containing at least one female was about one in eight. Some ten females would be collected from a day's messages and subjected to the sheets apparatus.

There was a set of 26 sheets for each of the six possible sequences for inserting the three rotors into the scrambler. Each sheet related to the starting position of the left (slowest-moving) rotor. The 26 × 26 matrix represented the 676 possible starting positions of the middle and left rotors and was duplicated horizontally and vertically: a–z, a–y. The sheets were punched with holes in the positions that would allow a female to occur. Rejewski writes about how the perforated-sheets device was operated:

When the sheets were superposed and moved in the proper sequence and the proper manner with respect to each other, in accordance with a strictly defined program, the number of visible apertures gradually decreased. And, if a sufficient quantity of data was available, there finally remained a single aperture, probably corresponding to the right case, that is, to the solution. From the position of the aperture one could calculate the order of the rotors, the setting of their rings, and, by comparing the letters of the cipher keys with the letters in the machine, likewise permutation S; in other words, the entire cipher key.[47]

[edit] Polish bomba

Cryptologic bomb.
1: Rotors. 2: Electric motor. 3: Switches.
Main article: Bomba (cryptography)

As an alternative to the Zygalski sheets, which required about ten females, a method was developed that used only three. This required an exhaustive (brute-force) analysis of the 105,456 possible rotor settings.

If done by hand, such an analysis would have represented a vast human effort. To facilitate it, Marian Rejewski in about October 1938 invented an electro-mechanical device that was dubbed the bomba kryptologiczna or cryptologic bomb [48] Each bomba contained six sets of Enigma rotors for the six positions of the repeated three-letter key.

In mid-November 1938, six Polish bomby[49] (one for each rotor arrangement) were ready, and reconstruction of daily keys went on apace.

Rejewski has written about the device:

The bomb method, invented in the fall of 1938, consisted largely in the automation and acceleration of the process of reconstructing daily keys. Each cryptologic bomb (six were built in Warsaw for the Cipher Bureau before September 1939) essentially constituted an electrically powered aggregate of six Enigmas. It took the place of about one hundred workers and shortened the time for obtaining a key to about two hours.[50]

On 15 December 1938, the German Army increased the complexity of its Enigma operating procedures. Previously only three rotors had been in use, and their sequence in the slots was changed daily. Now two additional rotors were introduced; three of the five would be in use at any given time. This increased the number of possible rotor arrangements in the scrambler by a factor of ten.[51]

Other German agencies likewise received the two new rotors at the same time. Had all these organizations used the same new operating procedures as the Army, it would have nullified any chance of the Poles continuing to decrypt Enigma. However, until 1 July 1939, just two months before Germany invaded Poland, the Sicherheitsdienst (S.D.—the S.S. Security Service) continued using its machines in the old way—like the Wehrmacht prior to 15 September 1938.[51]

The Cipher Bureau immediately exploited this incoordination between the Army and the S.D. and by about the turn of the year had reconstructed the wirings in rotors IV and V. Nevertheless, even with Rejewski's cryptologic bomb and Zygalski's perforated sheets, the new keying procedure and the increased number of rotors posed some major problems.[52] These were exacerbated when, on New Year's Day 1939, the Germans increased the number of plug connections in the plugboard. Previously, from 1 October 1936, the number of plug connections had been variable, ranging between five and eight.[38] Now, from 1 January 1939, the number of plug connections was increased to between seven and ten.[38]

As Rejewski wrote in a 1979 critique of appendix 1, volume 1 (1979), of the official history of British Intelligence in the Second World War:

we quickly found the [wirings] within the [new rotors], but [their] introduction [...] raised the number of possible sequences of [rotors] from 6 to 60 [...] and hence also raised tenfold the work of finding the keys. Thus the change was not qualitative but quantitative. We would have had to markedly increase the personnel to operate the bombs, to produce the perforated sheets [...] and to manipulate the sheets.[53][54]

[edit] World War II

[edit] Italian Naval Enigma

During the Spanish Civil War, Italy, under Italian Fascism, was on the side of Francisco Franco's Nationalists. The Italian Navy used a version of Enigma that did not have a plugboard. In 1937 Dillwyn 'Dilly' Knox, a gifted British cryptanalyst veteran of World War I and the cryptanalytical activities of Room 40, managed to break this cipher, using a technique that he called 'buttoning up' to discover the rotor wirings[55] and another that he called rodding to break messages.[56] This relied heavily on cribs and on crossword expertise in Italian, as it yielded a limited number of spaced-out letters at a time.

When in 1940 Dilly Knox wanted to establish whether the Italian Navy were still using the same machine, he instructed his assistants to use rodding to see whether the crib PERX (per being Italian for 'for' and X being used to indicate a space between words) worked for the first part of the message. After three months there was no success, when Mavis Laver, a 19-year-old student, found that rodding produced PERS for the first four letters. She then (against orders) tried beyond this and obtained PERSONALE (Italian for 'personal'). This confirmed that the Italians were indeed using the same machines and procedures.

The subsequent breaking of Italian Naval Enigma ciphers led to substantial Allied successes. The cipher-breaking was disguised by sending a reconnaissance aircraft to the known location before attacking the warship, so that the Italians assumed that this was how they had been discovered. The British Royal Navy's victory at the Battle of Matapan (March 1941) was considerably helped by Ultra intelligence obtained from Italian Naval-Enigma signals.

[edit] Polish disclosures

On 15 March 1939, German forces marched into Bohemia and Moravia. On 31 March Britain and France pledged their support for Poland in the event of any action that threatened her independence.[57] Then, on 27 April, Germany withdrew from the German-Polish Non-Aggression Pact of January 1934. The Polish General Staff, realizing the pace and direction of changes in the European political situation, decided in mid-1939 to share their work on Enigma decryption with their western allies. Rejewski later wrote:

[I]t was not [as Harry Hinsley suggested, cryptological] difficulties of ours that prompted us to work with the British and French, but only the deteriorating political situation. If we had had no difficulties at all we would still, or even the more so, have shared our achievements with our allies as our contribution to the struggle against Germany.[53][58]

At a conference in Warsaw on 26 July 1939, the Poles revealed to the French and British that they had broken Enigma and pledged to give each a Polish-reconstructed Enigma, along with details of their Enigma-solving techniques and equipment, including Zygalski's perforated sheets and Rejewski's cryptologic bomb.[59] Dilly Knox was a member of the British delegation. He commented on the fragility of the Polish system's reliance on the repetition in the indicator because it might, "at any moment be cancelled".[60]

The two Enigma doubles were sent to Paris, whence Gustave Bertrand brought one to London for the British. He turned it over at Victoria Station, as he was to recall in his Enigma, to Stewart Menzies of Britain's Secret Intelligence Service.[61]

Until then, German military Enigma traffic had defeated the French and British, and they had faced the disturbing prospect that German radio communications would remain undecipherable during the coming war. As British cryptologist Gordon Welchman has written,

Hut 6 Ultra would never have gotten off the ground if we had not learned from the Poles, in the nick of time, the details both of the German military version of the commercial Enigma machine, and of the operating procedures that were in use.[62]

During the German invasion of Poland in September 1939, key Cipher Bureau personnel were evacuated southeast and—after the Soviets invaded eastern Poland on 17 September—into Romania, on the way destroying their cryptological equipment and documentation. Eventually, crossing Yugoslavia and still-neutral Italy, they reached France. There, at PC Bruno outside Paris, on 20 October 1939 they resumed work on German Enigma ciphers, continuing it in the subsequent Battle of France.[63]

As late as December 1939, when Lt. Col. Gwido Langer, chief of the Polish Cipher Bureau, and French Air Force Captain Henri Braquenié, visited London and Bletchley Park, the British asked that the Polish cryptologists be turned over to them. Langer, however, took the position that the Polish team must remain where the Polish Armed Forces were being re-formed—on French soil.[64] Actually, the mathematician-cryptologists might have reached Britain much earlier than they eventually would (that is, the two who were still alive) in 1943; but in Bucharest, Romania, when they had gone to the British Embassy, they had been brushed off by preoccupied British diplomats.[65]

Some personnel of the Cipher Bureau's German section who had worked with Enigma, and most of the workers at the AVA Radio Company that had built Enigma doubles and cryptologic equipment for the German section, had remained in Poland. Some were interrogated by the Gestapo, but no one gave away the secret of Polish mastery of Enigma decryption.[66]

PC Bruno and Bletchley Park worked together closely from late 1939, communicating via a telegraph teletype line secured by the use of Enigma (!). The French would close their Enigma-enciphered messages with an appreciative Heil Hitler![67]

In January 1940, the British cryptologist Alan Turing spent several days at PC Bruno conferring with his Polish colleagues. He had brought the Poles Zygalski sheets that had been produced at Bletchley Park by John Jeffreys using Polish-supplied information, but which were not working. It turned out that the wirings in Enigma rotors IV and V that Rejewski had worked out, had been copied down wrongly.[68] Correcting this error allowed the Poles to make, on 17 January 1940, the first break into wartime Enigma traffic—that from 28 October 1939.[69]

During this period, until the collapse of France in June 1940, ultimately 83 percent of the Enigma keys that were found, were solved at Bletchley Park, the remaining 17 percent at PC Bruno. Rejewski comments:

How could it be otherwise, when there were three of us Pol[ish cryptologists] and [there were] at least several hundred British cryptologists, since about 10,000 people worked in Bletchley... Besides, recovery of keys also depended on the amount of intercepted cipher material, and that amount was far greater on the British side than on the French side. Finally, in France (by contrast with the work in Poland) we ourselves not only sought for the daily keys, but after finding the key also read the messages.... One can only be surprised that the Poles had as many as 17 percent of the keys to their credit. [70][71][72]

The inter-Allied cryptologic collaboration prevented duplication of effort and facilitated discoveries. Before fighting had started in Norway in April 1940, the Polish-French team solved an uncommonly hard three-letter code used by the Germans to communicate with fighter and bomber squadrons and for exchange of meteorological data between aircraft and land. The code had first appeared in December 1939, but the Polish cryptologists had been too preoccupied with Enigma to give the code much attention. With the German assault on the west impending, however, the breaking of the Luftwaffe code took on mounting urgency. The trail of the elusive code (whose system of letters changed every 24 hours) led back to Enigma. The first clue came from the British, who had noticed that the code's letters did not change randomly. If A changed to P, then elsewhere P was replaced by A. The British made no further headway, but the Poles realized that what was manifesting was Enigma's exclusivity principle that they had discovered in 1932. The Germans' carelessness meant that now the Poles, having after midnight solved Enigma's daily setting, could with no further effort also read the Luftwaffe signals.[73][74]

The Germans, just before opening their 10 May 1940 offensive in the west that would trample Belgium, Luxemburg and Holland in order to reach the borders of France, once again changed their procedure for enciphering message keys, rendering the Zygalski sheets "completely useless"[75][76] and temporarily defeating the joint British-Polish cryptologic attacks on Enigma. According to Gustave Bertrand, "It took superhuman day-and-night effort to overcome this new difficulty: on May 20, decryption resumed."[77][78]

At this stage, to break the Germans' Enigma ciphers, the cooperating British at Bletchley Park and the Poles in France would have to rely on exploiting the operator weaknesses described below (particularly the cillies and the Herivel tip), as well as on some others, such as the non-uniformly-placed notches in rotor alphabet-rings that caused the rotor to the left to move one space when the first rotor reached its particular letter-notch.[79]

After the Franco-German armistice, the Polish cryptological team resumed work in France's southern Free Zone and in French Algeria, at constant risk of discovery and imprisonment or worse. When Germany took over Vichy France in November 1942, the Poles once again had to flee.[80] The Cipher Bureau's chiefs, Colonel Gwido Langer and Major Maksymilian Ciezki, and some of the technical staff were captured by the Germans but, despite extensive interrogation, preserved the secret of Enigma decryption.[81]

Mathematicians Marian Rejewski and Henryk Zygalski, after a perilous odyssey that took them across France, into a Spanish prison, to Portugal and at last by ship to Gibraltar, finally made it to Britain. (The third mathematician, Jerzy Różycki, had perished in the sinking of a passenger ship while returning in 1942 to southern France from a tour of duty in Algeria.) In Britain, Rejewski and Zygalski were inducted into the Polish Army as privates (they would eventually be promoted to lieutenant) and put to work breaking German SS and SD hand ciphers at a Polish signals facility in Boxmoor. They were not invited to work on Enigma at Bletchley Park.[82]

[edit] Operating shortcomings

Apart from some less-than-ideal inherent characteristics of the Enigma, in practice the machine's greatest weakness was the way that it was used. Errors by German Army and Air Force Enigma operators were common, and the Poles had become very experienced at exploiting even very subtle cryptographic mistakes made by the Germans.

One blatant mistake made by them, Rejewski recalled, had been the inclusion, in an early Enigma manual, of a genuine plaintext and its genuine ciphertext, together with the genuine message key. When Rejewski was given this in December 1932, it "made [his reconstruction of the Enigma machine] somewhat easier".[83]

Another German mistake described by Rejewski was the use of easily-guessed keys such as AAA or BBB, or sequences that reflected the layout of the Enigma keyboard, such as "three [typing] keys that stand next to each other [o]r diagonally [from each other]..."[84] At Britain's Bletchley Park these would become known as cillies—either the name of a German operator's girlfriend, used as a key, or a burlesque of "sillies", for some of the foolish things that operators did despite regulations to the contrary;[85] or because one of the first message settings that was worked out at Bletchley Park, using cillies, was CIL (the word "cilli" then being a cross between CIL and "silly", describing the Bletchley Park view of such German practices).[86] Cillies in the operation of the four-rotor Abwehr Enigma included four letter names and German obscenities.

Equally silly of the Germans, from a cryptologic perspective, was repeatedly using, in messages, the same stereotypical expressions—what Bletchley Park later would term cribs: the same standard salutations, titles and addresses. Thus, for example, Rejewski recalled that "The last phase in reconstructing daily keys was finding the settings of the rings [on the rotors]. In that phase, we relied on the fact that the greater number of messages began with the letters ANX—German for "to", followed by X as a spacer".[87]

Another important error perpetrated by German operators, was anticipated by John Herivel soon after his arrival at Bletchley Park in January 1940,[88] although it did not occur until after the changes of 10 May that year, during the period of close collaboration between the British, French and Poles. Some operators, after setting their Enigmas in the starting position and closing the metal lid, were selecting as the message key (Spruchschlüssel) the letters that were visible in the glass windows. These letters were often identical with, or close to, the settings on the Enigma's internal rings. As a result, they were effectively sending the ring settings almost in clear.[89] This was called Herivelismus or the Herivel tip.[90][43] During the first part of 1940, this meant that the French duty cryptologist could, at a few minutes past midnight, read Wehrmacht signals at the same time as their intended recipients.[91]

One operator was in the habit of using the positions of the rotors at the end of one message (or one quite close to it), as the indicator setting for the next message.[92]

Later in the war, a German responsible for preparing settings sheets, re-used some of the columns of wheel orders, ring settings or plugboard connections from previous months.[93] The resulting analytical short-cut was christened at Bletchley Park Parkerismus in honour of Reg Parker, who had, through his meticulous record-keeping, spotted this phenomenon.

[edit] Crib-based decryption

The term crib was used at Bletchley Park to denote any known plaintext or suspected plaintext at some point in an enciphered message. This cryptanalytic approach was thus effectively a known-plaintext attack. A large part of the Polish successes had relied on the repetition within the indicator; as soon as Alan Turing moved to Bletchley Park, initially joining Dilly Knox in the research section, he set about seeking methods that did not rely on this weakness, as they anticipated, correctly, that the Germans might not continue it for long.

The Poles had used an early form of crib-based decryption in the days when only six leads were used on the plugboard, leaving 14 letters self-steckered.[94] The technique became known as the Forty Weepy method for the following reason. When, on the basis of external evidence, a message was thought to be a continuation of a previous message, the plaintext would start with FORT (from Fortsetzung, meaning continuation) followed by the time of the first message. At this time numerals were represented by the letters on the top row of the Enigma keyboard.

Top row of the Enigma keyboard and the numerals they represented
Q W E R T Z U I O
1 2 3 4 5 6 7 8 9
(Zero was represented by P)

To indicate that a letter or a string of letters represented numbers, a letter Y was placed either side of them. So, "continuation of message sent at 2330" was represented as FORTYWEEPY.

Britain's Government Code and Cipher School (GCCS), before its move to Bletchley Park, had realized the value of recruiting mathematicians and logicians to work in codebreaking teams. Turing, a Cambridge University mathematician with an interest in cryptology and in machines for implementing logical operations—and who was regarded by many as a genius—had started work for GCCS on a part-time basis in 1938.[95] Gordon Welchman, another Cambridge mathematician, had also received initial training in 1938,[96] and both reported to Bletchley Park on 4 September 1939, the day after Britain declared war on Germany.

One fundamental feature of Enigma that was of enormous help to cryptanalysts was the fact that the reflector (a patented feature of Enigma machines) guaranteed that no letter could be enciphered as itself. Cryptologists combined an awareness of this fact with knowledge of cribs. With such a combination of probable plaintext fragment and the fact that no letter could be enciphered as itself, a corresponding ciphertext fragment could often be tested by trying every possible alignment of the crib against the ciphertext, a procedure known as crib-dragging. Of the possible guesses, some would turn out to be true plaintext-ciphertext pairs. This provided a clue to message settings. Crib-dragging allowed the elimination of possible crib positions. Comparing one crib that appeared quite frequently, Keine besondere Ereignisse (literally, No special occurrences—perhaps better translated as Nothing to report),[97] with a section of ciphertext might produce the following, where the red cells represent crashes, the co-occurrence of the same letter in the crib and the ciphertext:

Exclusion of possible positions for the crib Keine besondere Ereignisse
Ciphertext O H J Y P D O M Q N J C O S G A H L E I H Y S O P J S M N U
Position 1 K E I N E B E S O N D E R E E R E I G N I S S E
Position 2 K E I N E B E S O N D E R E E R E I G N I S S E
Position 3 K E I N E B E S O N D E R E E R E I G N I S S E
Positions 1 and 3 for the crib are impossible because of matching ciphertext letters.

Position 2 is a possibility.

Crib-dragging was only one aspect of the processes of breaking a key. Derek Taunt, a Bletchley Park cryptanalyst, has written that the three cardinal personal qualities that were in demand were (1) a creative imagination, (2) a well-developed critical faculty, and (3) a habit of meticulousness.[98] Skill at solving crossword puzzles was famously tested in recruiting some cryptanalysts. This was useful in working out plugboard settings when a possible solution was being examined. For example, if the crib was the word WETTER (German for weather) and a possible decrypt before the plugboard settings had been discovered, was TEWWER, it is easy to see that T with W are stecker partners.[99] These examples, although illustrative of the principles, greatly over-simplify the cryptanalysts' tasks.

The use of the bombes allowed the rotor order, the rotor core starting positions and the stecker partner for a chosen letter to be discovered.[100] However, considerable manual cryptanalytic work was required to design menus for the bombes, to test their various stops and to work out the remaining stecker partners (plugboard connections).

[edit] Sources of cribs

Cribs were a fundamental part of the British approach to breaking Enigma. Guessing the plaintext for a message was a skilled business; a special Crib Room was set up in 1940 by Stuart Milner-Barry.[101]

Foremost amongst the knowledge needed for identifying cribs, was the text of previous decrypts which included German military jargon and stereotypical phrases. Meticulous traffic analysis recording, for each network: the radio frequency, the date and time of intercept, the preamble containing the discriminant—which identified the network, the indicator setting, the time of origin of the message and the callsign of the originating and receiving stations—allowed cross referencing of a new message with a previous one.[102] Thus, as Derek Taunt wrote, the truism that "nothing succeeds like success" is particularly apposite here.[103]

Stereotypical messages included Keine besondere Ereignisse (nothing to report), An die Gruppe (to the group) [104] and a number that came from weather stations such as Wueb null seqs null null meaning "weather survey 0600". This was actually rendered as WEUBYYNULLSEQSNULLNULL. The word WEUB is short for wetteruebersicht, YY was used as a separator and the misspelling sechs as SEQS was a common and intentional abbreviation.[105] Field Marshall Erwin Rommel's Quartermaster started all of his messages to his commander with the same formal introduction.[106]

Another fruitful source of cribs was re-encipherments of messages that had previously been decrypted either from another Enigma network or from a lower-level manual cipher.[107] This happened particularly with German Naval messages being sent in a Dockyard cipher and repeated verbatim in an Enigma cipher. One German agent in Britain, code named Treasure, who had been turned to work for the British, was very verbose in her messages back to Germany, which were then re-transmitted on the Abwehr Enigma network. She was kept going by MI5 because of providing long cribs in this way, not because of her usefulness as an agent to feed incorrect information to the Abwehr.[108]

Occasionally, when there was a particularly urgent need to break the German Naval code, such as when an Arctic convoy was about to depart, mines would be laid by the RAF in a defined position whose grid reference in the German Naval system did not contain any of the words (such as sechs) for which abbreviations or alternatives were sometimes used.[109] The warning message about the mines and then the "all clear" message would be transmitted both on the dockyard network and the U-boat network. This process of planting a crib was called gardening.[110]

Although cillies were not actually cribs, the chit-chat in clear that Enigma operators indulged in amongst themselves, often gave a clue as to the cillies that they might generate. [111]

Mavis Lever, a member of Dilly Knox's team, recalled an occasion when there was an extraordinary message.

The one snag with Enigma of course is the fact that if you press A, you can get every other letter but A. I picked up this message and—one was so used to looking at things and making instant decisions—I thought: 'Something's gone. What has this chap done. There is not a single L in this message.'

My chap had been told to send out a dummy message and he had just had a fag [cigarette] and pressed the last key on the keyboard, the L. So that was the only letter that didn't come out. We had got the biggest crib we ever had, the encypherment was LLLL, right through the message and that gave us the new wiring for the wheel [rotor]. That's the sort of thing we were trained to do. Instinctively look for something that had gone wrong or someone who had done something silly and torn up the rule book.[112]

When a captured, interrogated German Enigma operator revealed that they had been instructed to encipher numbers by spelling them out rather than using the top row of the keyboard, Alan Turing reviewed decrypted messages and determined that the number eins (one) appeared in 90% of messages. He automated the crib process, creating the Eins Catalogue, which assumed that eins was encoded at all positions in the plaintext. The catalogue included every possible rotor position, starting position, and key setting.

[edit] British bombe

Main article: Bombe
Replica of a bombe at Bletchley Park

The British bombe was devised by Alan Turing soon after he arrived at Bletchley Park in September 1939. Harold "Doc" Keen of the British Tabulating Machine Company (BTM) in Letchworth, 35 kilometers (22 mi) from Bletchley, was the engineer who turned Turing's ideas into a working machine under the codename CANTAB.[113]

Turing's design developed the ideas of the Poles' bomba kryptologiczna, but was much more general—although it could be set to work in the same way as the Polish bomba. The drums on the front of the machine were wired to match the connections made by Enigma's different rotors. Unlike them, however, the input and output contacts for both the left-hand and right-hand sides were separate, making 104 contacts between each drum and the rest of the machine.[114] This allowed a set of scramblers to be connected in series by means of 26-way cables.

Electrical connections between the rotating drums' wiring and the rear plugboard were by means of metal brushes. The drums were colour-coded according to which Enigma rotor they emulated: I Red; II Maroon; III Green; IV Yellow; V Light Brown; VI Blue; VII Black; VIII Silver.[115]

Turing's basic idea was to use a comparison between a crib and the ciphertext to examine all 17,576 possible scrambler settings for each rotor order, so as to eliminate possibilities that contradicted the Enigma's known characteristics. As Gordon Welchman has written, "the task of the bombe was simply to reduce the assumptions of wheel [rotor] order and scrambler positions that required 'further analysis' to a manageable number."[101]

Although Welchman had been given the task of studying Enigma-traffic callsigns and discriminants, he knew from Turing about the bombe design and, before the first pre-production bombe was delivered early in 1940, he showed him an idea to increase its effectiveness.[116] It exploited the reciprocity in plugboard connections, to reduce considerably the number of scrambler settings that needed to be considered further. This became known as the diagonal board and was incorporated to great effect in all subsequent bombes.[117][118]

The cryptanalyst would prepare a crib for comparison with the plaintext and from this devise a menu which specified the wiring of the patch panels on the back of the machine. Suppose, for the sake of illustration, that the crib Attack at dawn was to be compared with the ciphertext as follows:

Position 1 2 3 4 5 6 7 8 9 10 11 12
Crib A T T A C K A T D A W N
Ciphertext W S N P N L K L S T C S
The relationship between the letters of a crib and the ciphertext, were graphed to provide a menu which specified how to set up a bombe run.

The menu reflects the relationships between the letters of the crib and those of the ciphertext. Some of these form loops (or closures as Turing called them). The menu in this example includes the three loops ATLK, TNS and TAWCN. As many as three loops was an unusual occurrence in practice, but it did allow success with a shorter crib, and the shorter the crib, the less likely that the right-hand Enigma rotor had caused a turn-over of the middle rotor. The great strength of closures is that the effects of the plugboard interconnections cancel each other out. The menu was set up to establish the stecker partner of one letter—probably T in this example.

To avoid wasting bombe time on menus that were likely to yield an excessive number of stops, Turing performed a lengthy probability analysis of the estimated number of stops per rotor order. It was adopted as standard practice only to use menus that were estimated to produce no more than four stops per rotor order. This allowed an 8-letter crib for a 3-closure menu, an 11-letter crib for a 2-closure menu and a 14-letter crib for a menu with only one closure. If there was no closure, at least 16 letters were required in the crib.[119]

The pre-production machines contained 30 Enigma scramblers, all subsequent 3-rotor bombes contained 36 scramblers arranged in three banks of twelve. Each bank was used for a different rotor order by fitting it with the drums that corresponded to the Enigma rotors being tested. The menu was plugged up with 26-way cables on the back of the machine.

The first bombe was named Victory and was delivered to Bletchley Park on 18 March 1940. The next one, which included the diagonal board, was delivered on 8 August 1940. It was referred to as a spider bombe and was named Agnus Dei which soon became Agnes and then Aggie. The production of bombes was relatively slow at first, with only 15 bombes being in use in June 1941, compared to 210 British bombes by the war's end.[120] A refinement that was developed for use on messages from those networks that disallowed plugboard (Stecker) connection of adjacent letters, was the Consecutive Stecker Knock Out. This was fitted to 40 Bombes and produced a useful reduction in fase stops.[121]

Initially the bombes were operated by servicemen who had been employed by BTM before the war. In March 1941, however, a detachment of members of the Women's Royal Naval Service (known as Wrens) arrived at Bletchley Park. By 1945 there were some 2,000 Wrens operating the bombes.[122] Relatively few of these were at Bletchley Park. The largest two outstations for the bombes and their Wren operators were at Eastcote (some 110 bombes and 800 Wrens) and Stanmore (some 50 bombes and 500 Wrens). There were also bombe outstations at Wavendon, Adstock and Gayhurst. Communication with Bletchley Park was by teleprinter (teletype) links.

Later in the war, when the German Navy switched to using a four-rotor Enigma, some 60 four-rotor bombes were produced at Letchworth, some with the assistance of the General Post Office.[123] The American four-rotor bombe was, however, the one that was most successful, following the Anglo-American agreement that the US Navy cryptanalysts in OP-20-G should concentrate on the German Naval Enigma, and that the NCR Corporation in Dayton, Ohio was better placed to produce the faster machines that were needed for the four-rotor Enigma.[124]

For each rotor sequence, a bombe would run through all possible rotor settings, stopping only when there was no contradiction between the menu and the rotor setting. The reciprocal nature of the plugboard meant that no letter could be connected to more than one other letter. If both of two such letters formed part of the menu, the bombe would detect this, and move on. If, however, one of the two letters was not part of the menu, a false stop could occur. In refining down the set of stops to find the correct one, the cryptanalyst would eliminate stops that contained such a contradiction. The drum positions at the possible true stops were then tried out on Typex machines that had been adapted to mimic Enigmas. All of them would correctly decipher the crib, but only the true one would produce, after all the plugboard settings had been found, the correct plaintext.[119]

[edit] Abwehr Enigma

Dilly Knox's last great cryptanalytical success before his death in February 1943, was the breaking, in 1941, of the Abwehr Enigma. The Abwehr was the intelligence and counter-espionage service of the German High Command. It placed espionage agents in enemy countries. These spies inevitably used a lower level cipher (which was broken by Oliver Strachey's section at Bletchley Park) for their transmissions. However, the messages were often then re-transmitted word-for-word on the Abwehr's internal networks using Enigma, which gave the best possible crib for deciphering that day's Enigma ground key. Interception and analysis of Abwehr transmissions led to the remarkable state of affairs in which a categorical assurance was given by MI5, that all the German spies in Britain were controlled as double agents working for the Allies under the Double Cross System.[125]

Enigma Model G, used by the Abwehr. It had three rotors and a rotating reflector, multiple notches on the rotor rings, but no plugboard.

Intercepts of Morse-coded traffic which had an 8-letter indicator sequence before the usual 5-letter groups, led to the suspicion that a 4-rotor machine was being used on these networks.[126] In fact it was a Model G Enigma, which had three rotors and a rotating reflector that could both be set by hand, and was advanced by the stepping mechanism.

The assumption was made that the indicator consisted of a 4-letter message key enciphered twice. This implied that the 1st and 5th, the 2nd and 6th, the 3rd and 7th and the 4th and 8th letters of the ciphertext were each re-encipherments of the same letters. These assumptions were correct. The situation was thus somewhat similar to that exploited by Marian Rejewski of the Polish Cipher Bureau in the 1930s. Collecting a set of enciphered message keys for a particular day allowed the same sort of cycles (or boxes as Knox called them) to be assembled.[127]

These cycles—or chains if there were insufficient messages on that day—were assembled for the 1:5, 2:6, 3:7 and 4:8 re-encoding of the letters of the message key. It was observed that it was not uncommon for the cycles for two successive letters in the message key to be derivable from each other by substituting adjacent letters of the entry plate. This occurred because all three rotors and the reflector had turned over simultaneously between two pairs of letters in the message key. Knox called this a crab (perhaps because it was like a sideways movement along the scrambler). The fact that such a situation was relatively common, implied that each rotor ring had many notches to turn over the next rotor, rather than just one. In fact the three rotors, subsequently named green, blue and red, contained 11, 15 and 17 notches respectively.

The finding of crabs allowed Knox to derive, using his buttoning up procedure,[55] some of the wiring of the rotor that had been loaded in the fast position on that day. Progressively he was able to derive the wiring of all three rotors. Once that had been done, he was able to work out the wiring of the reflector.[127]

Analysis of the blocks of keys for a particular day was used to derive the ground key setting for that day. This was performed using Knox's time-consuming rodding procedure,[56] which involved a great deal of trial and error, imagination and crossword puzzle-solving skills. This task was, however, helped by cillies—Enigma operators using guessable words such as the names of people and German obscenities, as well as sequences of adjacent letters on the keyboard for the 4-letter message keys.

[edit] German Naval Enigma

Alan Turing decided, soon after arriving at Bletchley Park, to take responsibility for German Naval Enigma, as no one else was looking into it. That was because the superior operator discipline and procedure for conveying the daily key, rendered decryption much more difficult. Turing diagnosed the indicator system that was in use, but was unable to decrypt the traffic on a regular basis. As well as the Kriegsmarine procedures being much more secure, the naval Enigma variant featured a set of eight rotors, from which three were selected. This meant that there were 336 possible rotor combinations, alone.

Turing's first break into naval Enigma traffic came in December 1939—into signals that had been intercepted in November 1938. For routine breaking, he needed information from German codebooks. No useful headway was made until the capture of the armed trawler Polares on 26 April 1940, which became known as the Narvik Pinch. Keys for April 1940, an instruction manual, and codebooks were secured. As a consequence, by June or July 1940 Hut 8 at least knew what content to expect in Kriegsmarine messages and knew the details of encipherment and decipherment procedures. However, the numerous possible rotor sequences, together with a lack of usable cribs, made the usual cryptanalytic methods almost useless.

Turing therefore developed "Banburismus," a method using Bayesian statistics to derive a bombe menu from the message settings rather than the messages themselves. In doing so, Hut 8 would identify at least the rightmost rotor being used in the cipher that day. If the cryptologists were lucky, they managed to identify the rightmost and middle rotors, leaving only six wheel orders to be run on the bombes.

Later in the war, British cryptologists learned to fully exploit a serious security lapse associated with German weather reports: they were broadcast from weather ships to Germany in lower-level ciphers, easy to decrypt, then retransmitted to U-boats at sea in Enigma, thus furnishing Bletchley Park with regular cribs. This was crucial to Bletchley's attacks on the U-boat four-rotor Enigma that was introduced in 1942.

Enigma-cipher material was captured at sea. The first such capture occurred in February 1940, when rotors VI and VII, whose wiring was then unknown, were captured from the U-33, by the Minesweeper HMS Gleaner. On 7 May 1941 the Royal Navy captured a German weather ship, together with cipher equipment and codes. Two days later the U-110 was captured, complete with Enigma machine, settings book, operating manual and other information, by HMS Bulldog. As a result, Naval Enigma became readable directly through the end of June. From then on, Banburismus allowed it to be read fairly continuously until, in mid-1943, newer, faster bombes rendered Banburismus unnecessary.

In addition to U-110, naval Enigma machines or settings books were captured from a total of seven U-boats and eight German surface ships, including U-boats U-559 (1942) and U-505 (1944), two weather trawlers, and a small vessel (the Krebs) captured during a raid on the Lofoten Islands off Norway.

Other schemes were dreamt up but not used, including Operation Ruthless by Ian Fleming (author of the James Bond novels—who was a Lieutenant Commander in Naval Intelligence), who suggested that a captured German bomber follow a departing bombing raid on Britain and be crashed into the sea near a German recovery vessel, hoping that the plane's crew would be rescued. The British crew would all be fluent German-speakers and would wear German Air Force uniforms. They would be armed and aim to capture the ship's cryptographic materials, including an Enigma. Alan Turing and Peter Twinn were very disappointed when this operation was canceled.[128]

[edit] American bombe

In order to solve Naval Enigma, both Britain and the U.S., but particularly the U.S., produced four-wheel bombes that could rapidly test thousands of possible keys. The American efforts on the M4 Enigma were led by Joseph Desch, an engineer working for the National Cash Register Corporation at the United States Naval Computing Machine Laboratory.

[edit] German suspicions

By 1945, almost all German Enigma traffic (Wehrmacht, Kriegsmarine, Luftwaffe, Abwehr, SD, etc.) could be decrypted within a day or two, yet the Germans remained confident of its security. They openly discussed their plans and movements, handing the Allies huge amounts of information, not all of which was used effectively. For example, Rommel's actions at the Kasserine Pass were clearly foreshadowed in decrypted Enigma traffic, but the information was not properly appreciated by the Americans.

After the war, American TICOM project teams found and detained a considerable number of German cryptographic personnel. Among the things the Americans learned was that German cryptographers, at least, understood very well that Enigma messages might be read; they knew Enigma was not unbreakable. They just found it impossible to imagine anyone going to the immense effort required. [129] When Abwehr personnel who had worked on Fish cryptography and Russian traffic were interned at Rosenheim around May 1945, they were not at all surprised that Enigma had been broken, only that someone had mustered all the resources in time to actually do it. Admiral Dönitz had been advised that that was the least likely of all security problems.

[edit] Since World War II

Modern computers can be used to solve Enigma, using a variety of techniques.[130] There is even a project to decrypt some remaining messages,[131] using distributed computing.

[edit] In popular culture

  • In the comedy war film All the Queen's Men (2001, starring Matt LeBlanc and Eddie Izzard), four World War II Allied soldiers are parachuted into Germany, where, dressed as women, they attempt to steal an Enigma machine. They eventually learn that the Allies already had the machine and that the mission was a ruse intended to mislead the Germans into thinking that Enigma was a closed book to the Allies.

[edit] See also

[edit] Notes

  1. ^ Hinsley, F.H. (1992) pp. 2-5
  2. ^ F.W. Winterbotham, The Ultra Secret, New York, Dell, 1974, passim.
  3. ^ Read, Anthony, and David Fisher, Operation Lucy: Most Secret Spy Ring of the Second World War, New York, Coward, McCann & Geoghegan, 1981, ISBN 069811079X.
  4. ^ Singh, Simon (1999) p. 17
  5. ^ Singh, Simon (1999) pp. 45-51
  6. ^ Singh, Simon (1999) pp. 63-78
  7. ^ Singh, Simon (1999) p. 116
  8. ^ Harmer, David H. (1997), "Enigma: Actions Involved in the ‘Double-Stepping’ of the Middle Rotor (Online version, zipped PDF)", Cryptologia 21 (1): 47–50, January 1997, http://www.eclipse.net/~dhamer/downloads/rotorpdf.zip, retrieved on 2009-02-02 
  9. ^ Ellsbury, Graham (1998), Description of the Enigma Machine, The Enigma Machine: Its Construction, Operation and Complexity, http://www.ellsbury.com/enigma2.htm, retrieved on 2009-01-21 
  10. ^ Confusingly, the word key was also used at Bletchley Park to describe the network that used the same Enigma setting sheets. Initially these were recorded using coloured pencils and had the names red, light blue etc., and later birds such as kestrel. Hinsley, F.H. and Stripp, Alan (1993) p. xviii and Hinsley, F.H. (1992) p. 2
  11. ^ Sale, Tony, Military Use of the Enigma: The Message Key and Setting Sheets, Codes and Ciphers in the Second World War: The history, science and engineering of cryptanalysis in World War II, http://www.codesandciphers.org.uk/enigma/enigma3.htm, retrieved on 2008-10-21 
  12. ^ One element of the key, the sequence of rotors in the machine, at first was changed quarterly; but from 1 January 1936 it was changed monthly; from 1 October 1936, daily; and later, during World War II, as often as every eight hours. Marian Rejewski, Summary of Our Methods for Reconstructing ENIGMA and Reconstructing Daily Keys..., Appendix C to Władysław Kozaczuk, Enigma (1984) p. 242
  13. ^ US Army (1945) p. 2
  14. ^ Twinn, Peter (1993) p. 129
  15. ^ Copeland, Jack (2004) p. 250
  16. ^ Copeland, Jack (2004) p. 245
  17. ^ Smith, Michael (2006) p. 23
  18. ^ Mahon, Patrick (2004) p. 302
  19. ^ Welchman, Gordon (1984) pp. 301-7
  20. ^ Taunt, Derek (1993) p. 108
  21. ^ Wilcox, Jennifer (2001) p. 2
  22. ^ Singh, Simon (1999) p. 143
  23. ^ Rejewski, Marian; Woytak, Richard (1984) p. 231
  24. ^ Rejewski, Marian; Woytak, Richard (1984) p. 256
  25. ^ Rex had been born Rudolf Stallmann in Berlin in 1871 and had changed his surname to his French wife's, becoming "Rodolphe Lemoine". David Kahn (1991) p. 57
  26. ^ Rejewski, Marian; Woytak, Richard (1984) p. 233
  27. ^ Rejewski, Marian; Woytak, Richard (1984) p. 234
  28. ^ Wilcox, Jennifer (2001) p. 5
  29. ^ Hodges, Andrew (1983) p. 170
  30. ^ Copeland, Jack (2004) p. 234
  31. ^ Rejewski, Marian (1984 d) p. 257 citing Fitzgerald, Penelope (1977), The Knox Brothers, London: Macmillan, ISBN 1-58243-095-0 
  32. ^ Rejewski, Marian (1984 c) pp. 242–43
  33. ^ Hodges, Andrew (1983) p. 171
  34. ^ Also referred to as a box by Dilly Knox and as a chain in some descriptions.
  35. ^ Singh, Simon (1999) p. 153
  36. ^ Copeland, Jack (2004) p. 257
  37. ^ Rejewski, Marian (1984 e) p. 285
  38. ^ a b c d Rejewski, Marian (1984 c) p. 242
  39. ^ Hodges, Andrew (1983) p. 173
  40. ^ Welchman, Gordon (1984) pp. 36, 60
  41. ^ Wilcox, Jennifer (2001) p. 6
  42. ^ Erskine, Ralph (2006)
  43. ^ a b Bletchley Park at War: Key world events leading up to and during WW2 (Timeline from Bletchley Park Exhibition)
  44. ^ Kozaczuk, Władysław (1984) pp. 54; 63, note 2
  45. ^ Gordon Welchman suggests that this arose from the nomenclature for plugs (male) and sockets (female) because the success of this method depended on a number of overlying sheets having their apertures in register. Welchman, Gordon (1984) p. 72
  46. ^ Hugh Sebag-Montefiore cites Alfred Dillwyn Knox, who attended the 25 July 1939 Warsaw conference, as having given a more frankly biological etymology, discreetly veiled in French. Sebag-Montefiore, Hugh (2000) p. 362
  47. ^ Rejewski, Marian (1984 e) p. 289
  48. ^ The name possibly originated from the characteristic muffled noise it produced when operating; alternative names puckishly given the device by Polish Cipher Bureau personnel were washing machine and mangle. An alternative explanation is that it made a ticking noise.
  49. ^ Bomby is the plural of bomba.
  50. ^ Rejewski, Marian (1984 e) p. 290
  51. ^ a b Kozaczuk, Władysław (1984) p. 54
  52. ^ Kozaczuk, Władysław (1984) pp. 54–55
  53. ^ a b Rejewski, Marian (1982) p. 80
  54. ^ Also quoted in Kozaczuk, Władysław (1984) p. 63
  55. ^ a b Carter, Frank, Buttoning Up: A method for recovering the wiring of the rotors used in a non-stecker Enigma, http://www.bletchleypark.org.uk/content/buttoningup.pdf, retrieved on 2009-01-20 
  56. ^ a b Carter, Frank, Rodding, http://www.bletchleypark.org.uk/content/rodding.pdf, retrieved on 2009-01-20 
  57. ^ Chamberlain, Neville (31 March 1939), "European Situation (2.52 p.m.)", Hansard (UK Parliament) 345, http://hansard.millbanksystems.com/commons/1939/mar/31/european-situation-1, retrieved on 2009-01-03 
  58. ^ Kozaczuk, Władysław (1984) p. 64
  59. ^ Erskine, Ralph (1984) p. 59
  60. ^ Copeland, Jack (2004) p. 246
  61. ^ Bertrand, Gustave (1973) pp. 60–61
  62. ^ Welchman, Gordon (1984) p. 289
  63. ^ Kozaczuk, Władysław (1984) pp. 69–94, 104–11
  64. ^ Kozaczuk, Władysław (1984) pp. 99, 102
  65. ^ Kozaczuk, Władysław (1984) p. 79
  66. ^ Kozaczuk, Władysław (1984) pp. 211–16
  67. ^ Kozaczuk, Władysław (1984) p. 87
  68. ^ Smith, Michael (2006) p. 27
  69. ^ Kozaczuk, Władysław, Enigma (1984), pp. 84; 94, note 8
  70. ^ Rejewski, Marian (1982) pp. 81–82
  71. ^ Also quoted in Kozaczuk, Władysław (1984) p. 102
  72. ^ Actually, at this early stage of the war there were nowhere near 10,000 people working at Bletchley Park. Still, there doubtless were a good many more working there than at PC Bruno, outside Paris.
  73. ^ Kozaczuk, Władysław (1984) pp. 87–88
  74. ^ Hugh Sebag-Montefiore, in reliance on Rejewski's unpublished 1967 Memoirs, gives a slightly different interpretation, apparently of the same episode: "The German Air Force was using an uncomplicated code for the weather forecasts it was relaying back to base. The substitutions involved in this code changed every day and the British codebreakers had spotted that they were always the same as the connections for the plugboard sockets on the Air Force Enigma system. So, as soon as the code was broken, the codebreakers knew the plugboard connections for the Air Force Enigma." Sebag-Montefiore, Hugh (2000) pp. 87, 368
  75. ^ Rejewski, Marian (1984 c) p. 243
  76. ^ Rejewski, Marian (1984 d) pp. 269–70
  77. ^ Bertrand, Gustave (1973) pp. 88–89
  78. ^ According to Gwido Langer, the interruption in decryption was shorter, May 13–19, 1940. Władysław Kozaczuk (1984) p. 115, note 2.
  79. ^ Kahn, David (1991) pp. 112–14
  80. ^ Kozaczuk, Władysław, Enigma (1984) pp. 111–47
  81. ^ Kozaczuk, Władysław (1984) pp. 156, 220
  82. ^ Kozaczuk, Władysław (1984) pp. 148–55, 205–9
  83. ^ Rejewski, Marian (1984 c) p. 243
  84. ^ Rejewski, Marian; Woytak, Richard (1984) p. 235
  85. ^ Kahn, David (1991) p. 113
  86. ^ Sebag-Montefiore, Hugh (2000) p. 338
  87. ^ Rejewski, Marian (1984 c) p. 243–44
  88. ^ Herivel, John, cited by Smith, Michael (2007) pp. 50-51
  89. ^ Kahn, David (1991) p. 113
  90. ^ Welchman, Gordon (1984) p. 98
  91. ^ Kozaczuk, Władysław (1984) pp. 83–84
  92. ^ Copeland, Jack (2004) p. 235
  93. ^ Welchman, Gordon (1984) p. 167
  94. ^ Mahon, Patrick (2004) pp. 278-279
  95. ^ Hodges, Andrew (1995), Part 4: The Second World War, Alan Turing: a short biography, http://www.turing.org.uk/bio/part4.html, retrieved on 2008-10-23 
  96. ^ Welchman, Gordon (1984) p. 11
  97. ^ Smith, Michael (2007) p. 39
  98. ^ Taunt, Derek (1993) p. 111
  99. ^ Singh, Simon (1999) p. 174
  100. ^ Carter, Frank, From Bombe 'stops' to Enigma keys, p. 1, http://www.bletchleypark.org.uk/content/bombestops.pdf, retrieved on 2009-03-01 
  101. ^ a b Welchman, Gordon (1984) p. 120
  102. ^ Welchman, Gordon (1984) p. 56
  103. ^ Taunt, Derek (1993) p. 108
  104. ^ Smith, Michael (2007) p. 38
  105. ^ Taunt, Derek (1993) pp. 104, 105
  106. ^ Lewin, Ronald (2001) p. 118
  107. ^ Mahon, Patrick (2004) p. 294
  108. ^ Smith, Michael (2007) p. 129
  109. ^ Mahon, Patrick (2004) p. 308
  110. ^ Morris, Christopher (1993) p. 235
  111. ^ Smith, Michael (2007) p. 102
  112. ^ Smith, Michael (2007) pp. 59,60
  113. ^ Harper, John, ed., "BTM - British Tabulatuing Machine Company Ltd", The British Bombe CANTAB, http://www.jharper.demon.co.uk/btm1.htm 
  114. ^ Sale, Tony, "Alan Turing, the Enigma and the Bombe", in Sale, Tony, The Enigma cipher machine, http://www.codesandciphers.org.uk/virtualbp/tbombe/tbombe.htm 
  115. ^ US Army (1945) p. 9
  116. ^ Hodges, Andrew (1983) p. 183
  117. ^ Welchman, Gordon (1984) pp. 295-309
  118. ^ Ellsbury, Graham (1998), "The Turing Bombe: What it was and how it worked", in Ellsbury, Graham, The Enigma and the Bombe, http://www.ellsbury.com/bombe3.htm 
  119. ^ a b Carter, Frank, From Bombe 'stops' to Enigma keys, http://www.bletchleypark.org.uk/content/bombestops.pdf, retrieved on 2009-03-01 
  120. ^ Copeland, Jack (2004) pp. 253-256
  121. ^ Harper, John (Spring 2009), "Bombe Rebuild Project", Resurrection: The bulletin of the Computer Conservation Society (British Computer Society) (46): 7-8, http://www.computerconservationsociety.org/resurrection.htm, retrieved on 2009-05-22 
  122. ^ Smith, Michael (2007) p. 75
  123. ^ Harper, John, ed., "Bombe Types", The British Bombe CANTAB, http://www.jharper.demon.co.uk/types1.htm 
  124. ^ Wegner, J. N.; Engstrom, H. T.; Meader, R. I. (1944), "History of The Bombe Project: Memorandum for the Director of Naval Communications", The Mariner's Museum (published 1998), http://www.mariner.org/atlantic/bombe_history.pdf 
  125. ^ Smith, Michael (2007) p. 129
  126. ^ Twinn, Peter (1993) p. 127
  127. ^ a b Carter, Frank, The Abwehr Enigma Machine, http://www.bletchleypark.org.uk/resources/file.rhtm/261894/web+abwehr2.pdf 
  128. ^ Batey, Mavis (2008), From Bletchley with Love, Milton Keynes: Bletchley Park Trust, pp. 4-6, ISBN 978-1-906723-04-0 
  129. ^ Bamford, James (2001), Body Of Secrets: How America's NSA & Britain's GCHQ Eavesdrop on the World, Century, p. 17, ISBN 978-0712675987 
  130. ^ Sullivan, Geoff; Weierud, Frode (July 2005), "Breaking German Army Ciphers", Cryptologia 24 (3): 193–232, http://www.tandf.co.uk/journals/pdf/papers/ucry_06.pdf, retrieved on 2008-10-16 
  131. ^ M4 Message Breaking Project, http://www.bytereef.org/m4_project.html, retrieved on 2008-10-16 

[edit] References

[edit] External links

Retrieved from "http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma"
Personal tools