David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 4: Captain Ridley’s Shooting Party Confronted with the prospect of defeat, the Allied cryptanalysts had worked night and day to penetrate German ciphers. It would appear that fear was the main driving force, and that adversity is one of the foundations of successful codebreaking. Simon Singh, The Code Book Bletchley Park (June 2004)

1 February 2005University of Virginia CS 5882 Menu Enigma Take pictures

1 February 2005University of Virginia CS 5883 Enigma Invented commercially, 1923 Used by German Navy, Army, Air Force About 50,000 in use Modified throughout WWII, believed to be perfectly secure Kahn’s Codebreakers (1967) didn’t know it was broken Turing’s 1940 Treatise on Enigma declassified in 1996 Enigma machine at Bletchley Park

1 February 2005University of Virginia CS 5884 Enigma Mechanics Three rotors (chosen from 5), scrambled letters Each new letter, first rotor advances Other rotors advance when ring is hit Reflector Plugboard

1 February 2005University of Virginia CS 5885 Rotor Wheel Simple substitution No letter maps to itself Latch turns next rotor once per rotation

1 February 2005University of Virginia CS 5886 Settings Plugboard –Swap pairs of letters –Number of plugs varied (  6 until 1939, up to 10 after) Rotors –Before 1939 – Three rotors (choose order) –After – Choose 3 from set of 5 rotors –Orientations (3) – start orientations of the 3 rotors –Ring settings (2) – when next ring advances Reflector –Fixed symmetric substitution (A  B  B  A) Involution: R 2 = Identity

1 February 2005University of Virginia CS 5887 Image from

1 February 2005University of Virginia CS 5888 Enigma Schematic Plaintext B Plugboard L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext C = B -1 L -1 M -1 N -1 RNMLB(P) Turns every letter

1 February 2005University of Virginia CS 5889 Does Decryption Work? C = B -1 L -1 M -1 N -1 RNMLB(P) P = B -1 L -1 M -1 N -1 RNMLB(C) = B -1 L -1 M -1 N -1 RNMLB(B -1 L -1 M -1 N - 1 RNMLB(P)) R is an involution (A  B  B  A) Plaintext B Plugboard L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext

1 February 2005University of Virginia CS Key Space Plugboard with 6 plugs: (26 * 25/2) * … * (16*15 / 2) / 6!  Plaintext B Plugboard L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext Rotors: (26!) 3  4 * Ring settings: 26 2 = 676 Message Key: 26 3 = Reflector: (26 * 25 / 2) * (24 * 23 / 2) * … * (2 * 2) / 13!  8 * Total:  6 * (not all are different) >> atoms in the universe

1 February 2005University of Virginia CS Capture a Machine “This fictional movie about a fictional U.S. submarine mission is followed by a mention in the end credits of those actual British missions. Oh, the British deciphered the Enigma code, too. Come to think of it, they pretty much did everything in real life that the Americans do in this movie.” Roger Ebert’s review of U-571

1 February 2005University of Virginia CS Key Space Plugboard with 6 plugs: (26 * 25/2) * … * (16*15 / 2) / 6!  Plaintext B Plugboard L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext Rotors: (26!) 3  4 * Ring settings: 26 2 = 676 Message Key: 26 3 = Reflector: (26 * 25 / 2) * (24 * 23 / 2) * … * (2 * 2) / 13!  8 * Total:  7 * C 3 = 60 1 (> 2 64, still too big for exhaustive search)

1 February 2005University of Virginia CS Plugless Enigma Plaintext L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext C = L -1 M -1 N -1 RNML(P) Used in Spanish Civil War (1937-9) by all participants (including British, Germans and Spanish)

1 February 2005University of Virginia CS Plugless Enigma Plaintext L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext C = L -1 ZL(P) L(C) = ZL(P) Z Probable words (4-10 letters) What is the probability that Rotor 2 and Rotor 3 do not move in 4 letter crib? = 22/26 =.85

1 February 2005University of Virginia CS Plugless Enigma C = L -1 ZL(P) L(C) = ZL (P) Plaintext L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext Z Z is a fixed substitution (monoalphabetic) if R2&3 don’t move Guess a crib – have C and P guess L(C) = ZL(P guess ) Try possible rotors and starting positions for L : 3 rotor choices * 26 starting positions = 78 L i = effect of Rotor 1 in the i th rotation position

1 February 2005University of Virginia CS C = XTSWVUINZ P guess = wehrmacht (“armed forces”) L 1 ( X ) = Z L 1 ( w ) L 2 ( T ) = Z L 2 ( e ) L 3 ( S ) = Z L 3 ( h ) L 4 ( W ) = Z L 4 ( r ) L 5 ( V ) = Z L 5 ( m ) L 6 ( U ) = Z L 6 ( a ) L 7 ( I ) = Z L 7 ( c ) ABCDEFGHIJKLMNOPQRSTUVWXYZ EKMFLGDQVZNTOWYHXUSPAIBRCJ JEKMFLGDQVZNTOWYHXUSPAIBRC CJEKMFLGDQVZNTOWYHXUSPAIBR RCJEKMFLGDQVZNTOWYHXUSPAIB BRCJEKMFLGDQVZNTOWYHXUSPAI IBRCJEKMFLGDQVZNTOWYHXUSPA AIBRCJEKMFLGDQVZNTOWYHXUSP Batons Attack For a given starting rotor setting, solve for Z 1: R = Z (B)2: S = Z (F)3: X = Z (G)4: P = Z (Y) 5: U = Z (V)6: H = Z (I)7: M = Z (B)

1 February 2005University of Virginia CS Batons Attack We know Z is: –Function: contradiction if Z (x)  Z (x) –Involution: contradiction if Z (x) = y & Z (y)  x Find a rotor setting with no contradictions –Long enough crib, there will only be one –But if crib is too long, need to deal with R2 moving List of probable 4-10 letter words Catalog to map Z to rotor settings for R2 and R3

1 February 2005University of Virginia CS Plugless Enigma Plaintext L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext Ideas for making Batons attack harder?

1 February 2005University of Virginia CS Enter the Plugboard Plaintext B Plugboard L Rotor 1 M Rotor 2 N Rotor 3 R Reflector Ciphertext 6 plugs: (26*25)/2 * (24*23)/2 * … * (16*15/2) / 6! = times more keys

1 February 2005University of Virginia CS Operation Day key (distributed in code book) Each message begins with message key (“randomly” chosen by sender) encoded using day key Message key sent twice to check After receiving message key, re-orient rotors according to key

1 February 2005University of Virginia CS Repeated Message Key P = P 1 P 2 P 3 P 1 P 2 P 3 C 1 = E 1 (P 1 ) = B -1 L 1 -1 M -1 N -1 RNML 1 B(P 1 ) C 4 = E 4 (P 1 ) =B -1 L 4 -1 M -1 N -1 RNML 4 B(P 1 ) P 1 = E 1 (C 1 ) = B -1 L 1 -1 M -1 N -1 RNML 1 B(C 1 ) P 1 = E 4 (C 4 ) = B -1 L 4 -1 M -1 N -1 RNML 4 B(C 4 ) E 4 o E 1 (C 1 ) = E 4 (P 1 ) = C 4 E 4 o E 1 = B -1 L 1 -1 M -1 N -1 RNML 1 B B -1 L 4 -1 M -1 N -1 RNML 4 B = B -1 L 1 -1 M -1 N -1 RNML 1 L 4 -1 M -1 N -1 RNML 4 B

1 February 2005University of Virginia CS Letter Permutations Symmetry of Enigma: if E pos (x) = y we know E pos (y) = x Given message openings DMQ VBM E 1 (m 1 ) = D E 4 (m 1 ) = V E 1 oE 4 (D) = V VON PUY=> E 1 (D) = m 1 PUC FMQ=> E 4 (E 1 (D)) = V With enough message openings, we can build complete cycles for each position pair: E 1 oE 4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) Note: Cycles must come in pairs of equal length

1 February 2005University of Virginia CS Composing Involutions E 1 and E 2 are involutions (x  y  y  x) Without loss of generality, we can write: E 1 contains (a 1 a 2 ) (a 3 a 4 ) … (a 2k-1 a 2k ) E 2 contains (a 2 a 3 ) (a 4 a 5 ) … (a 2k a 1 ) E 1 E 2 a 1  a 2 a 2  x = a 3 or x = a 1 a 3  a 4 a 4  x = a 5 or x = a 1 Why can’t x be a 2 or a 3 ?

1 February 2005University of Virginia CS Rejewski’s Theorem E 1 contains (a 1 a 2 ) (a 3 a 4 ) … (a 2k-1 a 2k ) E 4 contains (a 2 a 3 ) (a 4 a 5 ) … (a 2k a 1 ) E 1 E 4 contains (a 1 a 3 a 5 …a 2k-1 ) (a 2k a 2k-2 … a 4 a 2 ) The composition of two involutions consists of pairs of cycles of the same length For cycles of length n, there are n possible factorizations

1 February 2005University of Virginia CS Factoring Permutations E 1 E 4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) (A) (S) = (AS) o (SA) (BC) (RW) = (BR)(CW) o (BW)(CR) or = (BW)(RC) o (WC) (BR) (DVPFKXGZYO) (EIJMUNQLHT) = (DE)(VI)… or (DI)(VJ) … or (DJ)(VM) … … (DT)(VE)10 possibilities

1 February 2005University of Virginia CS How many factorizations? (DVPFKXGZYO) (EIJMUNQLHT) D  a 2 E1E1 E2E2 a 2  V V  a 4 a 4  P Once we guess a 2 everything else must follow! So, only n possible factorizations for an n-letter cycle Total to try = 2 * 10 = 20 E 2 E 5 and E 3 E 6 likely to have about 20 to try also  About 20 3 (8000) factorizations to try (still too many in pre-computer days)

1 February 2005University of Virginia CS Luckily… Operators picked message keys (“cillies”) –Identical letters –Easy to type (e.g., QWE) If we can guess P 1 = P 2 = P 3 (or known relationships) can reduce number of possible factorizations If we’re lucky – this leads to E 1 …E 6

1 February 2005University of Virginia CS Solving? E 1 = B -1 L -1 Q LB E 2 = B -1 L -2 Q L 2 B E 3 = B -1 L -3 Q L 3 B E 4 = B -1 L -4 Q L 4 B E 5 = B -1 L -5 Q L 5 B E 6 = B -1 L -6 Q L 6 B 6 equations, 3 unknowns Not known to be efficiently solvable

1 February 2005University of Virginia CS Solving? E 1 = B -1 L -1 Q LB BE 1 B -1 = L -1 Q L 6 equations, 2 unknowns – solvable Often, know plugboard settings (didn’t change frequently) 6 possible arrangements of 3 rotors, 26 3 starting locations = 105,456 possibilities Poles spent a year building a catalog of cycle structures covering all of them (until Nov 1937): 20 mins to break Then Germans changed reflector and they had to start over.

1 February 2005University of Virginia CS Early 1939 – Germany changes scamblers and adds extra plugboard cables, stop double- transmissions –Poland unable to cryptanalyze 25 July 1939 – Rejewski invites French and British cryptographers –Gives England replica Enigma machine constructed from plans, cryptanalysis 1 Sept 1939 – Germany invades Poland, WWII starts

1 February 2005University of Virginia CS Bletchley Park Alan Turing leads British effort to crack Enigma Use cribs (“WETTER” transmitted every day at 6am) to find structure of plugboard settings Built “bombes” to automate testing 10,000 people worked at Bletchley Park on breaking Enigma (100,000 for Manhattan Project)

1 February 2005University of Virginia CS Alan Turing’s “Bombe” Steps through all possible rotor positions (26 3 ), testing for probable plaintext; couldn’t search all plugboard settings (> ); take advantage of loops in cribs

1 February 2005University of Virginia CS Enigma Cryptanalysis Relied on combination of sheer brilliance, mathematics, espionage, operator errors, and hard work Huge impact on WWII –Britain knew where German U-boats were –Advance notice of bombing raids –But...keeping code break secret more important than short-term uses The Coventry bombing story isn’t true, but decoy scouts is

1 February 2005University of Virginia CS 58834

1 February 2005University of Virginia CS Charge Now: take pictures Next time: Block Ciphers I have office hours today, 2:30-3:30 Problem Set 1 Due Thursday Turing’s Hut 8 at Bletchley Park