The Enigma Machine

8.5. Determining the Internal Rotor Wirings

However, life was even more difficult for the Polish analysts as they did not even know the rotor wirings or the reflector values. Hence, they needed to break the scheme without even having a description of the actual machine. They did at least have access to a non-military version of Enigma and deduced the basic structure. In this they had two bits of luck:

(1) They deduced that the wiring between the plugboard and the rightmost rotor was in al- phabetical order. Had this not been the case they would have needed to find an additional, hidden permutation.

(2) Secondly, the French cryptographer Gustave Bertrand obtained from a German spy, Hans- Thilo Schmidt, two months’ worth of day keys. Thus, for two months of traffic the Poles had access to the day settings.

142 8. THE ENIGMA MACHINE

From this information they needed to deduce the internal wirings of the Enigma machine.

Note that in the pre-war days the Germans only used three wheels out of a choice of three, hence the number of day keys is actually reduced by a factor of ten. This is, however, only a slight simplification (at least with modern technology). To explain the method suppose we are given that the day setting is

Rotors Rings Pos Plugboard III,II,I T XC EAZ (AM T EBC)

We do not know what the actual rotors are at present, but we know that the one labelled rotor I will be placed in the rightmost slot (our label one). So we have

r1=2, r2=23, r3=19,p1=25, p2=0, p3=4.

Suppose also that the data from the previous section was obtained as traffic for that day. Hence, we obtain the following three values for the productsj·j+1,

₀·₃ = (ADSM RN KJ U B)(CV)(ELF QOP W IZT)(HY), 1·4 = (BP W J U OM GV)(CLQN T DRY F)(ES)(HX), 2·5 = (AC)(BDST U EY F XQ)(GP IW RV HZN O)(J K).

From these we wish to deduce the values of0,1, . . . ,5. We will use the fact thatj is a product of disjoint transpositions and Theorem 8.2.

We take the first product and look at it in more detail. We take the sets of two cycles of equal degree and write them above one another, with the bottom one reversed in order, i.e.

A D S M R N K J U B

T Z I W P O Q F L E

C V

Y H

We now run through all possible shifts of the bottom rows. Each shift gives us a possible value of 0and3. The value of0is obtained from reading off the disjoint transpositions from the columns, the value of₃is obtained by reading off the transpositions from the “off diagonals”. For example with the above orientation we would have

0 = (AT)(DZ)(SI)(M W)(RP)(N O)(KQ)(J F)(U L)(BE)(CY)(V H), 3 = (DT)(SZ)(M I)(RW)(N P)(KO)(J Q)(U F)(BL)(AE)(V Y)(CH).

This still leaves us, in this case, with 20 = 2·10 possible values for 0and3.

Now, to reduce this number we need to rely on operational errors by German operators. Various operators had a tendency to always select the same three letter message key. For example, popular choices where QW E (the first letters on the keyboard). One operator used the letters of his girlfriend’s name, Cillie, hence such “cribs” (or guessed/known plaintexts in today’s jargon) became known as “cillies”. Note, for our analysis here we only need one cillie for the day when we wish to obtain the internal wiring of rotor I.

In our dummy example, suppose we guess (correctly) that the first message key is indeedQW E, and thatU CW BLRis the encryption of QW E twice. This in turn tells us how to align our cycle of length 10 in the first permutation, as under0the letterQmust encrypt toU.

A D S M R N K J U B

L E T Z I W P O Q F

We can check that this is consistent as we see thatQunder3must then encrypt toB. Assuming we carry on in this way we will finally deduce that

₀=(AL)(BF)(CH)(DE)(GX)(IR)(J O)(KP)(M Z)(N W)(QU)(ST)(V Y), ₁=(AK)(BQ)(CW)(DM)(EH)(F J)(GT)(IZ)(LP)(N V)(OR)(SX)(U Y), ₂=(AJ)(BN)(CK)(DZ)(EW)(F P)(GX)(HS)(IY)(LM)(OQ)(RU)(T V), ₃=(AF)(BQ)(CY)(DL)(ES)(GX)(HV)(IN)(J P)(KW)(M T)(OU)(RZ), ₄=(AK)(BN)(CJ)(DG)(EX)(F U)(HS)(IZ)(LW)(M R)(OY)(P Q)(T V), ₅=(AK)(BO)(CJ)(DN)(ER)(F I)(GQ)(HT)(LM)(P X)(SZ)(U V)(W Y).

We now need to use this information to deduce the value ofρ1, etc. So for the rest of this section we assume that we know thej forj= 0, . . . ,5, and so we mark them inblue. Recall that we have

j = τ ·(σ^i1+j·ρ1·σ^−i1−j)·(σⁱ²·ρ2·σ⁻ⁱ²)·(σⁱ³·ρ3·σ⁻ⁱ³)·

·(σⁱ³·ρ3−1·σ⁻ⁱ³)·(σⁱ²·ρ2−1·σ⁻ⁱ²)·(σ^i1+j·ρ1−1·σ^−i1−j)·τ

We now assume that no stepping of the second rotor occurs during the first six encryptions under the day setting. This holds with quite high probability, namely 20/26≈0.77. Should the assumption turn out to be false we will notice in our later analysis and it will mean that we can deduce something about the (unknown to us at this point) position of the notch on the first rotor.

Given that we know the day settings, includingτ and the values ofi₁,i₂ andi₃(since we are assumingk1=k2= 0 for 0≤j≤5), we can write the above equation for 0≤j≤5 as

λj = σ^−i1−j·τ·j·τ·σ^i1+j

= ρ1·σ^−j·γ·σ^j·ρ1−1.

Whereλ_j is now known and we wish to determineρ₁for some fixed but unknown value ofγ. The permutationγis in fact equal to

γ= (σⁱ²⁻ⁱ¹·ρ₂·σ⁻ⁱ²)·(σⁱ³·ρ₃·σ⁻ⁱ³)··(σⁱ³·ρ₃⁻¹·σ⁻ⁱ³)·(σⁱ²·ρ₂⁻¹·σⁱ¹⁻ⁱ²).

In our example we get the following values forλ_j:

λ₀ = (AD)(BR)(CQ)(EV)(F Z)(GP)(HM)(IN)(J K)(LU)(OS)(T W)(XY), λ₁ = (AV)(BP)(CZ)(DF)(EI)(GS)(HY)(J L)(KO)(M U)(N Q)(RW)(T X), λ₂ = (AL)(BK)(CN)(DZ)(EV)(F P)(GX)(HS)(IY)(J M)(OQ)(RU)(T W), λ₃ = (AS)(BF)(CZ)(DR)(EM)(GN)(HY)(IW)(J O)(KQ)(LX)(P V)(T U), λ₄ = (AQ)(BK)(CT)(DL)(EP)(F I)(GX)(HW)(J U)(M O)(N Y)(RS)(V Z), λ₅ = (AS)(BZ)(CV)(DO)(EM)(F R)(GQ)(HK)(IL)(J T)(N P)(U W)(XY).

We now form, forj= 0, . . . ,4,

μj = λj·λj+1,

= ρ₁·σ^−j·γ·σ⁻¹·γ·σ^j+1·ρ₁⁻¹,

= ρ₁·σ^−j·δ·σ^j·ρ₁⁻¹,

whereδ=γ·σ⁻¹·γ·σ is unknown. Eliminatingδviaδ=σ^j−1·ρ1−1·μj−1ρ1·σ^−j+1we find the following equations forj= 1, . . . ,4,

μ_j = (ρ₁·σ⁻¹·ρ₁⁻¹)·μ_j−1·(ρ₁·σ·ρ₁⁻¹),

= α·μ_j−1·α⁻¹,

144 8. THE ENIGMA MACHINE

whereα=ρ1·σ⁻¹·ρ1−1. Hence,μj andμj−1are conjugate and so by Theorem 8.1 have the same cycle structure. For our example we have

μ0 = (AF CN E)(BW XHU J OG)(DV IQZ)(KLM Y T RP S), μ1 = (AEY SXW U J)(BF ZN O)(CDP KQ)(GHIV LM RT), μ2 = (AXN ZRT IH)(BQJ EP)(CGLSY W U D)(F V M OK), μ₃ = (ARLGY W F K)(BIHN XDSQ)(CV EOU)(J M P ZT), μ₄ = (AGY P M DIR)(BHU T V)(CJ W KZ)(EN XQSF LO).

At this point we can check whether our assumption of no-stepping, i.e. a constant value for the values of i2 andi3, is valid. If a step did occur in the second rotor then the above permutations would be unlikely to have the same cycle structure.

We need to determine the structure of the permutationα; this is done by looking at the four equations simultaneously. We note thatσandαare conjugates, underρ1, and we know thatαhas cycle structure of a single cycle of length 26, sinceσ is the shift-left permutation. In our example we only find one possible solution forα, namely

α=(AGY W U J OQN IRLSXHT M KCEBZV P F D).

To solve forρ₁we need to find a permutation such that

α=ρ₁·σ⁻¹·ρ₁⁻¹.

We find there are 26 such solutions

(AELT P HQXRU)(BKN W)(CM OY)(DF G)(IV)(J Z) (AF HRV J)(BLU)(CN XST QY DGEM P IW)(KOZ) (AGF IXT RW DHSU CO)(BM QZLV KP J)(EN Y) (AHT SV LW EOBN ZM RXU DIY F J CP KQ) (AIZN)(BOCQ)(DJ)(EP LXV M SW F KRY GHU) (AJ EQCRZODKSXW GI)(BP M T U F LY HV N) (AKT V OER)(BQDLZP N CSY I)(F M U GJ)(HW) (AL)(BR)(CT W I)(DM V P OF N)(ESZQ)(GKU HXY J) (AM W J HY KV QF OGLBS)(CU IDN ET XZR)

(AN F P QGM X)(BT Y LCV RDOHZS)(EU J I)(KW) (AOIF QH)(BU KX)(CW LDP REV S)(GN)(M Y)(T Z) (AP SDQIGOJ KY N HBV T)(CX)(EW M ZU L)(F R) (AQJ LF SEXDRGP T BW N IHCY OKZV U M) (ARHDSF T CZW OLGQK)(BXEY P U N J M) (ASGRIJ N KBY QLHEZXF U OM C)(DT)(P V W) (AT E)(BZY RJ ON LIKC)(DU P W QM)(F V XGSH) (AU QN M EB)(DV Y SILJ P XHGT F W RK)

(AV Z)(CDW SJ QOP Y T GU RLKE)(F XIM) (AW T HIN OQP ZBCEDXJ RM GV)(F Y U SK) (AXKGW U T IORN P)(BDY V)(CF Z)(HJ SLM) (AY W V CGXLN QROSM IP BEF)(DZ)(HK)(J T) (AZEGY XM J U V D)(BF)(CHLOT KIQSN RP) (BGZF CIRQT LP D)(EHM KJ V)(N SOU W X) (ABHN T M LQU XOV F DCJ W Y ZG)(EISP) (ACKLRSQV GBIT N U Y)(EJ XP F)(HOW Z) (ADEKM N V HP GCLSRT OXQW)(BJ Y)(IU Z)

These are the values of ρ1·σⁱ, for i= 0, . . . ,25. So with one day’s messages we can determine the value ofρ₁ up to multiplication by a power ofσ. The Polish had access to two months’ such data and so were able to determine similar sets for ρ2 andρ3 (as different rotor orders are used on different days). Note that, at this point, the Germans did not use a selection of three from five rotors.

If we select three representativesρˆ₁,ρˆ₂andρˆ₃, from the sets of possible rotors, then we have ˆ

ρ1 = ρ1·σ^l1, ˆ

ρ2 = ρ2·σ^l2, ˆ

ρ3 = ρ3·σ^l3.

However, we still do not know the value for the reflector, or the correct values ofl1,l2andl3. To understand how to proceed we present the following theorem.

Theorem 8.3. Consider an Enigma machine E that uses rotors ρ₁, ρ₂ and ρ₃, and reflector . Then there is an Enigma machine Eˆusing rotors ρˆ₁, ρˆ₂ and ρˆ₃, and a different reflector ˆsuch that, for every setting ofE, there is a setting of Eˆsuch that the machines have identical behaviour.

146 8. THE ENIGMA MACHINE

Furthermore, Eˆ can be constructed so that the machines use identical day settings except for the ring positions.

Proof. The following proof was shown to me by Eugene Luks; I thank him for allowing me to reproduce it here. The first claim is thatˆis determined via

ˆ

=σ^{−(l1+l2+l3)}··σ^{−(l1+l2+l3)}.

We can see this by the following argument (and the fact that the reflector is uniquely determined by the above equation). Define the following function

P(φ1, φ2, φ3, ψ, t1, t2, t3) =τ ·(σ^t1·φ1·σ^−t1)·(σ^t2·φ2·σ^−t2)·(σ^t3·φ3·σ^−t3)·ψ

·(σ^t3·φ⁻₃¹·σ^−t3)·(σ^t2·φ⁻₂¹·σ^−t2)·(σ^t1·φ⁻₁¹·σ^−t1)·τ We then have the relation,

P( ˆρ₁,ρˆ₂,ρˆ₃,, tˆ ₁, t₂, t₃) =P(ρ₁, ρ₂, ρ₃, , t₁, t₂+l₁, t₃+l₁+l₂).

Recall the following expressions for the functions which control the stepping of the three rotors:

k₁ = (j−m₁+ 26)/26, k2 = (j−m2+ 650)/650,

i1 = p1−r1+ 1, i2 = p2−r2+k1+k2, i3 = p3−r3+k2. The Enigma machineE is given by the equation

j=P(ρ1, ρ2, ρ3, , i1+j, i2, i3)

where we interpreti₂ andi₃as functions of j as above. We now set the ring positions in ˆE to be given by

r1, r2+l1, r3+l1+l2

in which case we have that the output of this Enigma machine is given by ˆ

j=P( ˆρ1,ρˆ2,ρˆ3,, iˆ 1+j, i2−l1, i3−l1−l2).

But then we conclude that_j= ˆ_j.

We now use this result to fully determineE from the available data. We pick values ofρˆ₁, ρˆ₂ and ˆ

ρ3 and determine a possible reflector by solving forˆin

₀ = τ·(σⁱ¹·ρˆ₁·σ⁻ⁱ¹)·(σⁱ²·ρˆ₂·σ⁻ⁱ²)·(σⁱ³·ρˆ₃·σ⁻ⁱ³)·ˆ

·(σⁱ³·ρˆ3−1·σ⁻ⁱ³)·(σⁱ²·ρˆ2−1·σ⁻ⁱ²)·(σⁱ¹·ρˆ1−1·σ⁻ⁱ¹)·τ

We let ˆE¹denote the Enigma machine with rotors given by ˆρ1,ρˆ2,ρˆ3and reflector ˆ, but with ring settings the same as in the target machineE (we know the ring settings ofE since we have the day key). Note that ˆE¹= ˆEfrom the above proof, since the rings are in the same place as in the target machine.

Assume we have obtained a long message, with a given message key. We put the machine ˆE¹ in the message key configuration and start to decrypt the message. This will work (i.e. produce a valid decryption) up to the point when the sequence of permutations ˆ¹_j produced by ˆE¹differs from the sequence_j produced byE.

At this point we cycle through all values of l1 and fix the first permutation (and also the associated reflector) to obtain a new Enigma machine ˆE² which allows us to decrypt more of the long message. If a long enough message is obtained we can also obtainl₂in this way, or alternatively

wait for another day when the rotor order is changed. Thus the entire internal workings of the Enigma machine can be determined.