by DAVID KAHN
His method requires possession of the device. This presupposition was quite in line with Kerckhoffs’ principle that no military system should require the secrecy of the apparatus. Bazeries accepted the principle and contended that the key alone—the order in which the disks are placed on the spindle—assured the absolute unsolvability of the system. In the de Viaris method, the cryptanalyst begins by turning the disks so that only a’s stand on the “plaintext” line. Each successive line—called a “generatrix”—comprises all the ciphertext equivalents for a that could possibly exist on that generatrix. Furthermore, the array of equivalents on each generatrix differs from the array on any other generatrix. For example, the first two generatrices under a in the orginal Bazeries device were:
Étienne Bazeries’ drawing of his cylinder, with plaintext “I am indecipherable”
The patterning results from the peculiar way in which Bazeries constructed his alphabets to make them mnemonic. Some consisted of intercalations of vowels and consonants; others derived from keyphrases tending toward the patriotic (“God protects France,” “Honor and country”), the homiletic (“Avoid drafts,” “Instruct youth”), and the idiotic (“I like onion fried in oil”). Other alphabets would produce other patterns.
Now, these first two generatrices employ distinctive sets of letters as the substitutes for a:
The cryptanalyst now assumes that a probable word or word-fragment such as -ation has been enciphered wholly on one generatrix in the cryptogram before him. He then lists all the possible first-generatrix substitutes for a, for t, for i, o, and n in columns next to one another. These five columns he slides along under the cryptogram looking for a five-letter group whose first letter appears among the substitutes for a, whose second appears among the substitutes for t, and so on. Any such group obviously constitutes a possible first-generatrix substitute for -ation.
Suppose the cryptanalyst finds such a group. If the substitute for a in that group is v, the disk in use at that point must have been number 8. It is the only disk which substitutes v for a on the first generatrix. If the substitute were z, the disk in use must have been either 4, 5, or 6. The choices for the other letters will be similarly limited. The cryptanalyst then assembles a trial grouping of disks based on these choices, and, because the message was enciphered 20 letters at a time, makes trial decipherments at intervals of 20 letters. If little atolls of plaintext break the surface of the ciphertext sea, he obviously has found the right permutation of some of the disks. He can anagram to enlarge the islets into an archipelago, and to eventually merge them into an entire continent of clear. If no solid plaintext emerges, the cryptanalyst must move his list along under the cryptogram until another possibility appears. If none appears with the equivalents from the first generatrix, the cryptanalyst must try with those of the second, and so on. The whole process, de Viaris said, takes longer to explain than to carry out.
Despite this truly fine bit of cryptanalysis, Bazeries would not concede that de Viaris had done what he had in fact done: found a valid solution for the Bazeries cylinder. The inventor pointed out that the cryptogram presented in Marseilles remained unsolved, insisted that it never would be solved, reaffirmed his faith in his brainchild, and, in the words of a later commentator, generally displayed “a woeful lack of that intellectual generosity which a scientist must invariably display towards an antagonist when facing the collapse of his theory, even if a cherished one.”
Notwithstanding de Viaris’ solution or Bazeries’ inordinate faith, the system of simultaneous encipherment with multiple alphabets is a good one, and, with frequent key changes and some modifications, can serve as a quite effective military cipher. Though he probably never knew it, Bazeries was vindicated during his own lifetime when, in 1922, the U.S. Army adopted his system.
The rejection of his cylinder hardly stilled Bazeries’ fear that weak military ciphers imperiled his country. His fervent patriotism, his refusal to submit meekly to mere authority, his legitimate conviction that his crypt-analytic accomplishments qualified him to judge the merits of a cipher, all impelled him to put forward one final system. It conformed to the general staff requirement—possibly taken from Josse’s dictum—that it need only pencil and paper for its operation.
Basically, it consisted of a monalphabetic substitution that changed with each message combined with a transposition. Each message carried its own key at the head. The key consisted of two letters, which were turned into a number by means of the simple rule A = 1, B = 2, and so on, and this, written out as a phrase, formed the cipher alphabet. Using English, SF becomes 186, or ONE HUNDRED EIGHTY-SIX, giving a key alphabet of ONEHUDRIGTYSXABCFJKLMPQVWZ. After the plaintext was substituted by means of this alphabet, it was divided into groups of three letters and these groups reversed. Vowels could be interpolated as nulls before each such triplet; if such a group began with a ciphertext vowel, a null had necessarily to be inserted before it to prevent confusion. Bazeries felt that the change of key with each message effectively fortified his system, and he offered a sample cryptogram. Though the French cryptanalysts never solved it, the Ministry of War wrote him on April 19, 1899, that “the method does not present sufficient guarantees of security to be adopted.”
For once the bureaucrats were right; no monoalphabetic substitution can maintain security in heavy traffic. Bazeries, naturally enough, remained entirely unconvinced, and in 1901 he revenged himself in a bitter, scornful, episodic book called Les Chiffres Secrets Dévoilés (“Secret Ciphers Unveiled”). “May this revelation lead the War Department to change its locks,” he exclaims in the introduction of a book whose cover is subtly adorned with a photograph of the Bazeries cylinder. He flagellated the general staff for its “willful blindness” in matters cryptologic, rehearsed his tale of injured pride, argued anew for his ciphers, rebutted the official criticism of them. His pages rasp: “The French general staff, in adopting these methods, believed it made progress. It only retreated.” He sarcastically praised the Army’s “fine spirit of routine” and denounced its ciphers as “a public danger.”
The book is not entirely polemic. Bazeries outlined the major systems of cryptology, related some entertaining history, and disclosed how he solved the anarchist and Orléans messages. He surveyed the current literature with Olympian hauteur and convicted authors like Josse and de Viaris of “heresy” when they asserted views contrary to his own. The book exudes his personality. Bazeries invested even an arid technical discussion with his astringent tone: “To abandon the methods of substitution for those of transposition,” he pontificated, “is to change a one-eyed horse for a blind one.” That Bazeries lost his fight with the administration is cryptology’s gain, for the upshot was probably the most readable book in the whole of the science. The author’s victory is that in it he lives still.
It will be noted that, despite their differences, both Bazeries and the French general staff agreed almost axiomatically on ciphers for field operations instead of codes. The practice was almost universal during those years, and it testifies to the ascendancy of the field cipher. Spain employed a system in which a mixed plaintext alphabet slid over a list of two-digit ciphertext groups from 10 to 99; the position of the alphabet, and hence the homophonic equivalents for each letter, changed from message to message. The worthlessness of the system was exposed in 1894 by a lieutenant of infantry, Joaquín García Carmona, in his Tratado de Criptografia, the finest book on the subject in Spanish and one of the better ones in any language.
In Cuba, Jose Marti, that island’s great apostle of freedom, was using a numerical Vigenère to direct the revolutionary struggle during the early 1890s. For example, on December 8, 1894, he wrote from New York, in his famous plan for the rising in Cuba: “1. Todos los trabajos deberán dirigirse desde ahora con la idea de comenzar, todos unidos, 16, 3, 5, 10, 16, 7 17, 16, 7, 22, 19, 6, | 20, 19, 22, 6, 36, 6, | 23, 23, 7, 15, 20, 22.” He had applied the key HABANA to a tableau whose alphabets included the Spanish letters ll and ñ. Decip
hered, this portion read, hbcia [hacia] fines del presente mes, making the entire clause: “1. All the work must be directed from now with the idea of beginning, all together, towards the end of the current month.” The revolt indeed broke out early in 1895. And even in faraway Ethiopia a polyalphabetic substitution with mixed alphabets played its role during the confused warfare of that ancient land to retain its independence against the colonial powers.
But while armies clung to ciphers, navies and foreign ministries employed codes. These swollen descendants of the nomenclators afforded—when kept secret—greater security than a cipher, and they saved cable tolls for diplomats and signal time for commodores. Most of the codes were one-part, and most listed both codenumbers and codewords as replacements for the plaintext. Each had advantages. The codewords were far less susceptible to transmission error than the codenumbers. The addition or omission of a single Morse dot in a cable could change a codenumber from 7261 to 7262 and alter the reading from he will to he will not, since the alphabet usually placed such phrases above their negatives in the code. This is less likely to happen with codewords, like MALSANIA and MALSANOS.
On the other hand, codenumbers were easier to handle in superencipher-ment Superencipherment consists of enciphering codenumbers or codewords to provide extra security. Straightforward substitution could be used. A sequence of codewords like PALMETO FEODALISER CONTABOR ANGROLLEN could be enciphered in monalphabetic substitution, or Vigenère, or any system, just as if it were ordinary language. (Transposition systems seem not to have been used because they would destroy the codewords. Code language did not regularize into five-letter groups until July 1, 1904, when new cable regulations went into effect.) Likewise, codenumbers could be transformed into letters by a key. Often a 10-letter word with no repeated letters, like REPUBLICAN, served to convert the numbers on the basis of 1 = R, 2 = E, and so on. But such superencipherments were used much less often than two others, based on codenumbers.
One transposed the codenumber digits. For example, 8264 could be shuffled to any of 23 other permutations. This method was proposed by F.-J. Sittler to attain secrecy in his best-selling commercial code, first published in 1868. In the Sittler code, the first two codenumber digits indicated the page, the second the line. The encoder could represent these mnemonically by PA and LI, the codenumber as a whole by PALI, and the encipherment by whatever combination was desired, as IPLA.
The second superencipherment was a form of substitution; the “alphabet” was the ordinary scale of numbers. This method added a keynumber, called an “additive,” to the original codenumber, called the “plain code,” or “placode.” The sum constituted the final cryptogram, called the “enciphered code” or “encicode.” In the late 19th century, a single keynumber usually served as the additive for all the codegroups of a message. For example, the placode 2726 7074 8471 might be enciphered with the additive 2898 to yield the encicode 5634 9972 1369—with the extra 1 that would precede 1369 dropped as being understood. A rudimentary form of this additive method had been used a century earlier by Benedict Arnold, who added a 7 to the digits of his dictionary code.
It was possible, however, to obtain the advantages of both easy superencipherment and transmission accuracy by utilizing the code’s parallel lists of codenumbers and codewords. The code clerk would note the numerical placode for his phrase, say 3043, mentally add the additive, which would have to be a simple figure like 800, and then take the codeword opposite the intermediate encicode, 3843, as the final encicode. (Somewhat the same thing had been done with dictionary codes in the United States in 1876 by J. N. H. Patrick in his telegrams concerning presidential electors for Oregon.) In this method, the conversion from codenumbers to codewords contributes a security bonus. Cryptanalysts would find it easier to determine the additive for numerical placode-encicode pairs, like 10053 and 12053, than for literal pairs, like CAVARONO and CIANICO, which furnish only the most generalized clue to the number of code elements between them.
This system, probably the most secure and advanced code system of the day, appears to have been used by the United States Navy at the time of the Spanish-American War. It marked the latest stage in Navy secret communications. In 1809, a simple monalphabetic had served for messages from the Navy Department to its future hero, Commander David Porter, at New Orleans. Responsibility for naval cryptography then rested, as it had since the Navy was founded, with the senior member of the Navy Board. In 1842, with the establishment of the bureau system, the cryptographic responsibility was assigned to the Bureau of Construction, Equipment, and Repair. In 1853, it was transferred to the Bureau of Ordnance and Hydrography, and in 1862 to the Bureau of Navigation, which retained it until 1917. In 1877, the Navy was using a Vigenère for at least some of its communications, and in 1887 it printed the Navy Secret Code, which was still in use in 1898, apparently with a superencipherment. Naval cryptography glinted briefly in the tumult surrounding the reception and decoding of one of the most thrilling code messages of the era.
As war approaches: Admiral Dewey gets a coded message from Navy Secretary Long warning Keep full of coal, the best that can be had
Ever since rumors had reached the United States of the momentousness of Admiral George Dewey’s victory over the Spanish fleet in Manila Bay on May 1, 1898, the country had been in a fever of anxiety to hear the official report. Elaborate preparations had been made to process it. Consul Wildman at Hong Kong, who was expected to get the first word by ship from Manila, was ordered to cable the message without delay. Officials remained on 24-hour duty at the State Department and in the Navy’s Bureau of Navigation, which would decode the cable. At 4:40 a.m. on the rainy morning of Saturday, May 7, the message “Hong Kong, McCulloch, Wildman” arrived, indicating that the revenue cutter McCulloch had arrived with Dewey’s report and that the Admiral’s dispatch would follow shortly. Within half an hour, Secretary of the Navy John D. Long was notified. Soon the whole city was wild with excitement.
About 9 :30, Mr. Marcan, manager of the Western Union office, appeared at the Navy Department with a sheet containing the mysterious jargon in which Dewey had coded his report. He handed it directly to Long, who looked hard at its 88 codewords, as if he would wrest their meaning from them by sheer force of personality. But all his straining anxiety could not draw an iota of sense from the message, which began:
CRAQUIEREZ REFRENANS VIJFVOETIG IMPAZZAVA PRESABERE INTRUSIVE REGENBUI EDIFIERS RETAPIEZ DECRUSAMES IMPAVIDEZ RIBOTIEZ GOLD-KRAUT RIONORAI SANSCRITO …
He handed it to Lieutenant (j.g.) Humes S. Whittlesey, one of the cryptographic officers, who disappeared with it into the Bureau of Navigation. Then Long pretended to transact other business at his desk.
Just after 10 o’clock, the Assistant Secretary of the Navy, Theodore Roosevelt, who had been in the Bureau of Navigation, stepped into the midst of the waiting newspapermen and announced, “Dewey has destroyed or captured all six cruisers.” Reporters rushed for the telephones; messenger boys pedaled furiously through the rain. Soon thereafter, Long came out and, standing in the corner window where the light was good, read out the plaintext: Squadron arrived at Manila at daybreak this morning. Immediately engaged the enemy and destroyed the following Spanish vessels: Reina Cristina, Castillia, Don Antonio de Biloa, Don Juan de Austria, Isla de Luzon, Isla de Cuba…. The list of names seemed to run on endlessly. When he finished, cheers rang through the room, and then swept the country. Not until much later did the nation decode the real meaning of the message: that the United States, having conquered possessions around the globe, had started on the road to international commitment.
At 9 a.m. on October 15, 1894, Captain Alfred Dreyfus of the French general staff reported to a meeting of several superior officers at the War Ministry on the Rue Saint-Dominique in Paris. They suspected him of having written a document that offered military information to Germany, the so-called bordereau, or memorandum. After the captain took some dictation to test his handwriting, which resembled that of the borde
reau, Major Marquis Mercier du Paty de Clam arose, placed his hand on Dreyfus’ shoulder, and intoned, “Captain Dreyfus, in the name of the law I arrest you. You are accused of high treason.”
Though the arrest was kept secret at first, the anti-Semitic journal La Libre Parole scooped the rest of the Paris press on November 1 with the headline, “High Treason! Arrest of the Jewish Officer, A. Dreyfus!” The newspapers indicated that Dreyfus was in the pay of Germany or Italy, and that very day the Italian military attaché, Colonel Alessandro Panizzardi, wrote to his chief in Rome that neither he nor his German colleague knew anything of the prisoner, though he conceded that Dreyfus may have worked directly for the Italian general staff without Panizzardi’s own knowledge. As the clamor mounted in the press, Panizzardi next day felt it necessary to telegraph that, if Dreyfus had not been in contact with Rome, an official denial should be published to quell newspaper comments.
The message of November 2 went out in code and, like all other diplomatic cryptograms passing over the wires of the French Ministry of Posts and Telegraphs, an onionskin copy of Panizzardi’s text was sent to the Foreign Ministry for an attempt at solution. This cryptogram, which was to become the most sensational secret message of those gaslight years, read:
Commando stato maggiore Roma
913 44 7836 527 3 88 706 6458 71 18 0288 5715 3716 7567 7943 2107 0018 7606 4891 6165
Panizzardi
The ministry’s Bureau du Chiffre consisted of seven men.* Its chief, Charles-Marie Darmet, who was two weeks short of his 59th birthday when the Panizzardi telegram came in, had joined the ministry as an employee in the archives bureau 40 years previously, and had moved over to the cipher bureau three years later. He had served as a delegate to the Congress of Berlin in 1878, possibly with secret cryptanalytic duties. His rise through the ranks culminated in his appointment on January 22, 1891, as chief of the cipher bureau with a salary somewhere between 7,000 and 10,000 francs. His deputy chief was Albin-Chrysostôme Marnotte, 54, who had served in the cipher bureau for just under 37 years and had become deputy the same day that Darmet became chief. The others were Maurice-Edmé-Ludovic Gaillard, 53, with 23 years in the cipher bureau; Charles Dauchez, 46, also with 23 years’ service; Louis-Marie-Léonor Béguin-Billecocq, 29, seven years in the bureau; François Billecocq, 29, four years’ service; and Joseph-Gabriel-Claude-Hippolyte Mézière, 21, two years’ service. The three older men had all been made chevaliers of the Légion d’Honneur; the four younger, all with law degrees, seem to have been recruited directly into the cryptanalytic service.
