The use of instruments giving a cipher, which is or can be varied constantly and automatically, has often been recommended … but the risk of some instrument … falling into unauthorized hands must be taken into account. Since equally good ciphers can be constructed without the use of mechanical devices I do not think their employment can be recommended.
For what was done by a machine might all the more easily be undone by a machine. The inner complexity of the Enigma, however clever it might look, would be worthless unless it created a cipher system which could not be broken even by an enemy in possession of a copy of the machine. It might only serve to give a false sense of security.
Nor was the technical construction of the Enigma as advanced as that suggested by Sinkov’s description of contemporary developments. The cipher clerk using it still had the tedious and time-consuming task of noting which letter had been illuminated, and writing it down. There was no automatic printing or transmission, which had to be done laboriously in Morse code. Far from being a weapon of the modern Blitzkrieg, this plodding device drew on nothing more technologically advanced than the electric light bulb.
From the cryptanalyst’s point of view, however, the physical labours of the cipher clerk, and the physical construction of the machine, were irrelevant. What mattered was the logical description – just like a Turing machine. Everything relevant to the Enigma was contained in its ‘table’, a list of its states and what it would do in each state. And from a logical point of view, the action of the Enigma, in any given, fixed, state, enjoyed a very special property. It was a symmetrical property inherent in the ‘reflecting’ nature of the machine. For any Enigma, in any state, it would be true that if A were enciphered into E, then in that same state, E would be enciphered as A. The substitution alphabets resulting from an Enigma state would always be swappings.
For the hypothetical 8-letter machine in the state shown in the first diagram, the substitution would be:
plain
A B C D E F G H
cipher
E D G B A H C F
For the machine in the state shown in the second diagram, it would be:
plain
A B C D E F G H
cipher
E F G H A B C D
These could be written as swappings: (A E) (B D) (C G) (F H) in the first case and (A E) (B F) (C G) (D H) in the second.
There was a practical advantage to this Enigma property. It meant that the deciphering operation was identical with the enciphering operation. (In group-theory terms, the cipher was self-inverse). The receiver of the message had only to set up the machine in exactly the same way as the sender, and feed in the cipher-text, to recover the plain-text. There was no need to incorporate ‘encipher’ and ‘decipher’ modes into the Enigma machine, which made its operation that much less liable to mistakes and confusion. But it was associated with a grave weakness, in that the substitutions thus performed were always of this very special kind, with the particular feature that no letter could ever be enciphered into itself.
This was the basic structure of the Enigma. But there was much more to the machine actually in military use. For one thing, the three rotors were not fixed in place, but could be removed and replaced in any order. Until late 1938 there was a stock of just three rotors, which therefore allowed a total of six arrangements. In this way, the machine offered 6 × 17576 = 105456 different alphabetic substitutions.
Obviously, the rotors had to be marked in some way on the outside so that the different positions could be identified. However, here entered yet another element of complexity. Each rotor was encircled by a ring bearing the 26 letters, so that with the ring fixed in position, each letter would label a rotor position.* (In fact, the letter would show through a window at the top of the machine.) However, the position of the ring, relative to the wirings, would be changed each day. The wirings might be thought of as labelled by numbers from 1 to 26, and the position of the ring by the letters A to Z appearing in the window. So a ring-setting would determine where the ring was to sit on the rotor, with perhaps the letter G on position 1, H on position 2, and so forth.
It would be part of the task of the cipher clerk to make the ring-settings, and thereafter he would use the letters on the ring to define the rotor-settings. From the cryptanalyst’s point of view, this meant that even if it were openly announced that rotor-setting ‘K’ was being used, this would not give away what at Bletchley they would call the core-position – the actual physical position of the wiring. This could only be deduced if the ring-setting were also known. However, the analyst might know the relative core-positions; thus settings K and M would necessarily correspond to core-positions two places apart. So it was known that if K were at position 9, then M would be at position 11.
The more important complicating feature, however, was the attachment of a plugboard. It was this that distinguished the military from the commercial Enigma, and made it something that had unnerved the British analysts. It had the effect of performing automatically an extra swapping of letters, both before entering the rotors, and after emerging from them. Technically, this was achieved by attaching wires, with plugs at each end, into a plugboard with 26 holes – rather like making connections on a telephone switchboard. It required ingenious electrical connections, and the use of double wires, to have the required effect. Until late 1938, it was usual in the German use of the machine to have only six or seven pairs of letters connected in this way.
Thus with the rotors and reflector of the basic machine in such a state as to effect the substitution
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C O A I G Z E V D S W X U P B N Y T J R M H K L Q F
and with the plugboard wires set up to connect the pairs
(A P) (K O) (M Z) (I J) (C G) (W Y) (N Q),
the result of pressing the A key would be to send a current through the plugboard wire to P, then through the rotors and out again to N, then through the plugboard wire to Q.
Because of the symmetrical use of the plugboard both before and after the passage of the current through the rotors, it would preserve the self-inverse character of the basic Enigma, and the feature that no letter could be enciphered into itself. If A were enciphered into Q then, in the same state of the machine, Q would be enciphered into A.
So the plugboard left unaffected this useful – but dangerous – aspect of the basic Enigma. But it enormously increased the sheer number of states of the Enigma machine. There would be 1,305,093,289,500 ways* of connecting seven pairs of letters on the plugboard, for each of the 6 × 17576 rotor states.
Presumably the German authorities believed that these modifications to the commercial Enigma had brought it ‘very close to practical unsolvability’. And yet, when Alan joined up at Bletchley on 4 September, he found it humming with the disclosures made by the Polish cryptanalysts.5 It was all still fresh and new, for only on 16 August had the technical material reached London. And this revealed the methods by which, for seven years, the Poles had been deciphering Enigma messages.
The first thing, the sine qua non, was that the Poles had been able to discover the wirings of the three rotors. It was one thing to know that an Enigma machine was being used; quite another thing – but absolutely essential – to know the specific wirings employed. To do this, in the peacetime conditions of 1932, was itself an impressive feat. It had been made possible by the French secret service who had obtained, through spying, a copy of the instructions for using the machine in September and October 1932. They had passed it to the Poles. They had also passed it to the British. The difference was that the Polish department employed three energetic mathematicians, who were able to use the papers to deduce the wirings.
Highly ingenious observations, good guessing, and the use of elementary group theory, produced the rotor wirings, and the structure of the reflector. The guessing, as it happened, was necessary to ascertain how the letters on the keyboard were connected to the enciphering mechanism. They m
ight have been connected in some jumbled order to introduce another element of complexity into the machine. But they guessed and verified that the Engima design made no use of this potential freedom. The letters were joined to the rotor in alphabetical order. The result was that logically, if not physically, they had captured a copy of the machine, and could proceed to exploit that fact.
They were only able to make these observations, on account of the very particular way in which the machine was used. And they were only able to progress towards a regular decipherment of Enigma material by exploiting that method of use. They had not broken the machine; they had beaten the system.
The basic principle of using an Enigma machine was that its rotors and rings and plugboard would be set up in some particular way, and then the message would be encrypted, the rotors automatically stepping round as this was done. But for this to be of any use in a practical communication system, the receiver of the message also had to know the initial state of the machine. It was the fundamental problem of any cipher system. The machine was not enough; there had to be also an agreed, fixed, ‘definite method’ of using it. According to the actual method employed by the Germans, the initial state of the machine was partly decided at the time of use by the cipher clerk. Inevitably, therefore, it made use of indicators, and it was through the indicator system that the Poles enjoyed their success.
To be explicit, the order of the three rotors was laid down in written instructions, and so was the plugboard and ring-setting. The task of the cipher clerk was to choose the remaining element, the initial settings for the three rotors. This amounted to choosing some triplet of letters, say ‘WHJ’. The most naive indicator system would have been simply to transmit ‘WHJ’, and follow it with the enciphered message. However, it was made more complicated than that. The ‘WHJ’ was itself enciphered on the machine. For this purpose a so-called ground-setting was also laid down in the instructions for the day. This, like the rotor order, plugboard and ring-setting would be common to every operator in the network. Suppose the ground-setting were ‘RTY’. Then the cipher clerk would set up his Enigma with the specified rotor order, plugboard and ring-setting. He would turn the rotors to read ‘RTY’. Then his job was to encipher, twice over, his own choice of rotor setting. That is, he would encipher ‘WHJWHJ’, producing say ‘ERIONM’. He would transmit ‘ERIONM’, then turn the rotors to ‘WHJ’, encipher the message, and transmit it. The strength was that every message, after the first six letters, was enciphered on a different setting. The weakness was that, for one day, all the operators in the network would be using exactly the same state of the machine for the first six letters of their messages. Worse, those six letters always represented the encipherment of a repeated triplet. It was this element of repetition that the Polish cryptanalysts were able to exploit.
Their method was to collect each day, from their radio intercepts, a list of these initial six-letter sequences. They knew that in this list, there would be a pattern. For if in one message the first letter were A, and the fourth letter was R, then in any other message where the first letter was A, the fourth letter would again be R. With enough messages, they could build up a complete table, say:
First letter: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Fourth letter: R G Z L Y Q M J D X A OW V H N F B P C K I T S E U
There would be two further tables, connecting the second and fifth letters, and the third and sixth. There were a number of ways of using this information to derive the state of the Enigma machine from which all those six-letter sequences had emanated. But particularly significant was a method which responded to the mechanical work of the cipher clerk, with a mechanised form of analysis.
They wrote these tables of letter connections in the form of cycles. The cycle notation was common currency in elementary group theory. To bring the specific letter connection above into ‘cycle’ form, one would start with the letter A, and note that A was connected with R. Then R was connected with B, B with G, G with M, M with W, W with T, T with C, C with Z, Z with U, U with K, and K with A – making a complete ‘cycle’: (ARBGMWTCZUK). The complete connection could be written out as the product of four cycles:
(A R B G M W T C Z U K) (D L O H J X S P N V I) (E Y) (F Q)
The reason for doing this was that the analysts had noticed that the lengths of these cycles (in this example, 11, 11, 2, 2) were independent of the plugboard. They would depend only upon the position of the rotors, the plugboard affecting which letters appeared in the cycles, but not how many. This observation showed that in a rather beautiful way the rotor positions left their fingerprints upon the cipher-text, when the traffic was considered as a whole. In fact they left just three fingerprints, the cycle-lengths of each of the three letter-connection tables.
It followed that if they possessed a complete file of the cycle-length fingerprints, three for each rotor position, then to determine which rotor position was being used for the first six letters all they would have to do was to search through the file. The snag was that there were 6 × 17576 possible rotor positions to catalogue. But they did it. To help in the work, the Polish mathematicians devised a small electrical machine which incorporated Enigma rotors, and which automatically produced the required sets of numbers. It took them a year to do the work, the results of which were entered on file cards. But then the detective work was effectively mechanised. It only took twenty minutes to look through the file to identify the combination of cycle-lengths which matched the cipher traffic of the day. This would reveal the positions of the rotors as they stood during the encipherment of the six indicator letters, and from that information, the rest could be worked out and the day’s traffic read.
It was an elegant method, but the disadvantage was that it depended entirely on the specific indicator system. It did not last. The naval Enigma was the first to be lost, and6
… after the end of April 1937, when the Germans changed the naval indicators, they had been able to read the naval traffic only for the period from 30 April to 8 May 1937, and that only retrospectively. Moreover, this small success left them in no doubt that the new indicator system had given the Enigma machine a much higher degree of security …
And then on 15 September 1938, as Chamberlain flew to Munich, a greater disaster struck. All the other German systems were changed. It was only a minor modification, but it meant that overnight, all the catalogued cycle-lengths became completely worthless.
In the new system, the ground-setting was no longer fixed in advance. Instead, it would be chosen by the cipher clerk, who therefore had to communicate it to the receiver. This was done in the simplest possible way, by transmitting it as it stood. Thus the clerk might choose AGH, then set the rotors to read AGH. He would then choose another setting, say TUI. He would encipher TUITUI, to give say RYNFYP. He would then transmit AGHRYNFYP as indicator letters, followed by the actual message as enciphered with the rotors starting on the setting TUI.
This method depended for its security upon the fact that the ring-setting would be varying from day to day, for otherwise the first three letters (AG H, in the example) would give the whole thing away. The task of the analyst, correspondingly, was to determine this ring-setting which was common to all the traffic of the network. And amazingly, the Polish analysts were able to bounce back with a new kind of fingerprint, which had the effect of finding this ring-setting, or equivalently, of finding the core-position which corresponded to the openly announced rotor setting such as AGH in the example.
As with the older method, the fingerprint depended upon looking at the entire traffic, and in exploiting the element of repetition in the last six of the nine indicator letters. Without a common ground-setting, there was no fixed correspondence between first and fourth, second and fifth, third and sixth letters, to analyse. But one remnant of this idea, like the grin on the Cheshire cat, survived. Sometimes it would happen that the first and the fourth letters would actually be the same – or the second and the fifth, or the thir
d and the sixth. This phenomenon was, for no apparent reason, called ‘a female’. Thus, supposing that TUITUI were indeed enciphered as RYNFYP, that repeated Y would be ‘a female’. This fact would then give a small piece of information about the state of the rotors as they were when the letters TUITUI were being enciphered. The method depended upon putting enough of these clues together to deduce that state.
More precisely a core-position would be said to have a ‘female’ letter, if that letter’s encipherment happened to be the same three steps later. This was not a rare phenomenon, but would occur on average one time in twenty-five. Some core-positions (about forty per cent) would have the property of possessing at least one ‘female’ letter, and the rest would not. The property of having a female, or not, would be plugboard-independent, although the identity of the female letter would depend upon the plugboard.
The analysts could easily locate all the observed females in the traffic of the day. They would not know the core-positions which had given rise to them, but from the openly announced rotor settings like AGH in the example, they would know the relative core-positions. This information yielded a pattern of females. Because only about forty per cent of the core positions had females, there might only be one way in which this pattern could be matched with their known distribution. Here therefore was the new fingerprint – a pattern of ‘females’.
But it was not possible to catalogue in advance all possible patterns, as they had been able to do with the cycle lengths. There had to be some other, more sophisticated means of making the match. The method they employed made use of perforated sheets. These were simply tables of all the core-positions, in which instead of printing ‘has a female’ or ‘has no female’, there would either be a hole punched, or not. In principle they could first have constructed one such huge table, and then each day could have made a template with the pattern of females observed in the traffic of that day. Passing the template over the table, they would eventually have found a position where the holes matched. But that would have been far too inefficient a method. Instead, they had a method of piling pieces of the table of core positions on top of each other, staggered in a manner corresponding to the observed relative positions of the females. A ‘matching’ of the pattern would then show up as a place where light passed through all the sheets. The advantage of this staggering system was that 676 possibilities could be examined simultaneously. It was still a long job, requiring 6 × 26 operations for a complete search. It also required the construction of perforated sheets listing the 6 × 17576 core-positions. Yet they achieved this within a few months.
Alan Turing: The Enigma: The Book That Inspired the Film The Imitation Game Page 29
