Tai Lieu Chuyen Nganh
Tai Lieu Chuyen Nganh
com
DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor KENNETH H. ROSEN
Secret History
The Story of Cryptology
Craig P. Bauer
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
www.ebook777.com
free ebooks ==> www.ebook777.com
DISCRETE
MATHEMATICS
ITS APPLICATIONS
Series Editor
Kenneth H. Rosen, Ph.D.
R. B. J. T. Allenby and Alan Slomson, How to Count: An Introduction to Combinatorics,
Third Edition
Craig P. Bauer, Secret History: The Story of Cryptology
Juergen Bierbrauer, Introduction to Coding Theory
Katalin Bimbó, Combinatory Logic: Pure, Applied and Typed
Donald Bindner and Martin Erickson, A Student’s Guide to the Study, Practice, and Tools of
Modern Mathematics
Francine Blanchet-Sadri, Algorithmic Combinatorics on Partial Words
Miklós Bóna, Combinatorics of Permutations, Second Edition
Richard A. Brualdi and Dragos̆ Cvetković, A Combinatorial Approach to Matrix Theory and Its
Applications
Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems
Charalambos A. Charalambides, Enumerative Combinatorics
Gary Chartrand and Ping Zhang, Chromatic Graph Theory
Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography
Charles J. Colbourn and Jeffrey H. Dinitz, Handbook of Combinatorial Designs, Second Edition
Martin Erickson, Pearls of Discrete Mathematics
Martin Erickson and Anthony Vazzana, Introduction to Number Theory
Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses,
Constructions, and Existence
Mark S. Gockenbach, Finite-Dimensional Linear Algebra
Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders
Jacob E. Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry,
Second Edition
Jonathan L. Gross, Combinatorial Methods with Computer Applications
free ebooks ==> www.ebook777.com
Titles (continued)
Jonathan L. Gross and Jay Yellen, Graph Theory and Its Applications, Second Edition
Jonathan L. Gross and Jay Yellen, Handbook of Graph Theory
David S. Gunderson, Handbook of Mathematical Induction: Theory and Applications
Richard Hammack, Wilfried Imrich, and Sandi Klavžar, Handbook of Product Graphs,
Second Edition
Darrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to Information Theory
and Data Compression, Second Edition
Darel W. Hardy, Fred Richman, and Carol L. Walker, Applied Algebra: Codes, Ciphers, and
Discrete Algorithms, Second Edition
Daryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability:
Experiments with a Symbolic Algebra Environment
Silvia Heubach and Toufik Mansour, Combinatorics of Compositions and Words
Leslie Hogben, Handbook of Linear Algebra
Derek F. Holt with Bettina Eick and Eamonn A. O’Brien, Handbook of Computational Group Theory
David M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable and
Nonorientable Surfaces
Richard E. Klima, Neil P. Sigmon, and Ernest L. Stitzinger, Applications of Abstract Algebra
with Maple™ and MATLAB®, Second Edition
Richard E. Klima and Neil P. Sigmon, Cryptology: Classical and Modern with Maplets
Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science
and Engineering
William Kocay and Donald L. Kreher, Graphs, Algorithms, and Optimization
Donald L. Kreher and Douglas R. Stinson, Combinatorial Algorithms: Generation Enumeration
and Search
Hang T. Lau, A Java Library of Graph Algorithms and Optimization
C. C. Lindner and C. A. Rodger, Design Theory, Second Edition
Nicholas A. Loehr, Bijective Combinatorics
Toufik Mansour, Combinatorics of Set Partitions
Alasdair McAndrew, Introduction to Cryptography with Open-Source Software
Elliott Mendelson, Introduction to Mathematical Logic, Fifth Edition
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied
Cryptography
Stig F. Mjølsnes, A Multidisciplinary Introduction to Information Security
Jason J. Molitierno, Applications of Combinatorial Matrix Theory to Laplacian Matrices of Graphs
Richard A. Mollin, Advanced Number Theory with Applications
Richard A. Mollin, Algebraic Number Theory, Second Edition
www.ebook777.com
free ebooks ==> www.ebook777.com
Titles (continued)
Richard A. Mollin, Codes: The Guide to Secrecy from Ancient to Modern Times
Richard A. Mollin, Fundamental Number Theory with Applications, Second Edition
Richard A. Mollin, An Introduction to Cryptography, Second Edition
Richard A. Mollin, Quadratics
Richard A. Mollin, RSA and Public-Key Cryptography
Carlos J. Moreno and Samuel S. Wagstaff, Jr., Sums of Squares of Integers
Goutam Paul and Subhamoy Maitra, RC4 Stream Cipher and Its Variants
Dingyi Pei, Authentication Codes and Combinatorial Designs
Kenneth H. Rosen, Handbook of Discrete and Combinatorial Mathematics
Douglas R. Shier and K.T. Wallenius, Applied Mathematical Modeling: A Multidisciplinary
Approach
Alexander Stanoyevitch, Introduction to Cryptography with Mathematical Foundations and
Computer Implementations
Jörn Steuding, Diophantine Analysis
Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition
Roberto Togneri and Christopher J. deSilva, Fundamentals of Information Theory and Coding
Design
W. D. Wallis, Introduction to Combinatorial Designs, Second Edition
W. D. Wallis and J. C. George, Introduction to Combinatorics
Jiacun Wang, Handbook of Finite State Based Models and Applications
Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, Second Edition
free ebooks ==> www.ebook777.com
DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor KENNETH H. ROSEN
www.ebook777.com
free ebooks ==> www.ebook777.com
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been
made to publish reliable data and information, but the author and publisher cannot assume responsibility for the
validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the
copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to
publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let
us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted,
or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, includ-
ing photocopying, microfilming, and recording, or in any information storage or retrieval system, without written
permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers,
MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety
of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment
has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
This book is dedicated to all of the authors of the works cited in the pages that follow.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
Contents
ix
www.ebook777.com
free ebooks ==> www.ebook777.com
x Contents
www.ebook777.com
free ebooks ==> www.ebook777.com
xii Contents
16. Authenticity.................................................................................................. 489
16.1 Problem from World War II.............................................................. 489
16.2 Digital Signatures (and Some Attacks)........................................... 490
16.2.1 Attack 12. Chosen Ciphertext Attack................................. 492
16.2.2 Attack 13. Insider’s Factoring Attack
on the Common Modulus.................................................... 492
16.2.3 Attack 14. Insider’s Nonfactoring Attack.......................... 493
16.2.4 Elgamal Signatures............................................................... 494
16.3 Hash Functions: Speeding Things Up............................................ 495
www.ebook777.com
free ebooks ==> www.ebook777.com
xiv Contents
Index...................................................................................................................... 575
free ebooks ==> www.ebook777.com
xv
www.ebook777.com
free ebooks ==> www.ebook777.com
xvi Note to the Reader
of a programming language. For the problems that are not historic ciphers,
the plaintexts were carefully chosen or created to offer some entertainment
value to the decipherer, as a reward for the effort required to find them. Not
all of the exercises involve breaking ciphers. For those so inclined, there
are numerous exercises testing the reader’s mastery of the mathematical
concepts that are key components of the various systems covered. Sample
syllabi and suggested paths through the book for various level classes are
also present. The website will also feature a (short, I hope!) list of errata.
Should you wish to correspond with the author, he may be reached at
[email protected].
free ebooks ==> www.ebook777.com
Introduction
* The Electronic Frontier Foundation (EFF) has a nice webpage on this topic that includes
many relevant links (http://www.eff.org/issues/printers).
xvii
www.ebook777.com
free ebooks ==> www.ebook777.com
xviii Introduction
FIGURE I.1
A page from an 1875 code book includes short code groups for commonly used phrases such
as “Some squabble or fight on shore with crew. Crew Imprisoned.” (From Greene, B.F., Ed.,
The International Code of Signals for All Nations, American Edition, published under the authority
of the Secretary of the Navy by the Bureau of Navigation, U.S. Government Printing Office,
Washington, DC, 1875, p. 49. Courtesy of the National Cryptologic Museum.)
free ebooks ==> www.ebook777.com
Introduction xix
and operations. In the early days, however, this was not the case. In fact,
Charles Babbage (1791–1871), the great pioneer in computer science, is often
credited as being the first to model ciphers using mathematics. This isn’t
correct; there were earlier efforts, but they did not catch on.* In any case, it
wasn’t until the 20th century that cryptology really became mathematical. A
few more definitions will make what follows easier.
Cryptography is the science of creating cipher systems. The word comes
from the Greek κρυπτός, meaning “hidden,” and γραφία, meaning “writing.”
Cryptanalysis is the science and art of breaking ciphers (deciphering without
the key). Cryptology, the most general term, embraces both cryptography and
cryptanalysis. Most books on ciphers are on cryptology, as one cannot deter-
mine the security of a cipher without attempting to break it, and weaknesses
in one system must be understood to appreciate the strengths in another.
That is, it doesn’t make sense to study cryptography without studying crypt-
analysis. Nevertheless, the term cryptography is used more frequently and
taken to mean cryptology.
Encipher and encrypt both refer to the process of converting a message into
a disguised form, ciphertext, using some cryptographic algorithm. Decipher
and decrypt refer to the reverse process that reveals the original message
or plaintext (sometimes called cleartext). The International Organization for
Standardization (ISO),† a group that offers over 19,000 voluntary standards
for technology and business, even has a standard (7498-2) regarding these
terms; encipher and decipher are the ones to use, as the terms encrypt and
decrypt are considered offensive by some cultures because they refer to dead
bodies.‡
Modern expectations of encrypted communications include not only the
inability of an eavesdropper to recover the original messages, but much
more. It is expected, for example, that any changes made to a message in
transit can be detected. This is referred to as data integrity. Suppose an
encrypted order to buy 500 shares of a given stock at a particular price is
sent. Someone could intercept the ciphertext and replace a certain portion
of it with alternate characters. This is possible without an ability to deci-
pher the message. It only requires knowledge of which positions in the mes-
sage correspond to the stock, the number of shares, and the price. Altering
any of these will result in a different order going through. If unauthorized
* Buck, F.J., Mathematischer Beweiß: daß die Algebra zur Entdeckung einiger verborgener Schriften
bequem angewendet werden könne, Königsberg, 1772; available online at http://www-math.
uni-paderborn.de/~aggathen/Publications/gat04a-lit.html. This is the first known work on
algebraic cryptology.
† “Because ‘International Organization for Standardization’ would have different acronyms in
different languages (‘IOS’ in English, ‘OIN’ in French for Organisation internationale de nor-
malisation), its founders decided to give it also a short, all-purpose name. They chose ‘ISO,’
derived from the Greek isos, meaning ‘equal.’ Whatever the country, whatever the language,
the short form of the organization’s name is always ISO.” (http://www.iso.org/iso/about/
discover-iso_isos-name.htm)
‡ Schneier, B., Applied Cryptography, 2nd ed., Wiley, New York, 1996, p. 1.
www.ebook777.com
free ebooks ==> www.ebook777.com
xx Introduction
* Kippehahn, R., Code Breaking: A History and Exploration, Overlook Press, New York, 1999, p.
209.
† Ibid.
‡ Singh, S., The Code Book, Doubleday, New York, 1999, p. 311.
§ Vatsyayana, Kama Sutra: The Hindu Ritual of Love, Castle Books, New York, 1963, p. 14.
¶ Taken here from Garfinkel, S., Database Nation: The Death of Privacy in the 21st Century, O’Reilly,
Part I
Chapter 1 details some systems used by the ancient Greeks and the Vikings,
as well as the impact steganography had in the history of ancient Greece.
In Chapter 2, a close look is taken at monoalphabetic substitution ciphers
(MASCs). This includes historical uses, as well as appearances in fictional
works created by Edgar Allan Poe, Sir Arthur Conan Doyle (creator of
Sherlock Holmes), J.R.R. Tolkien, and others. Important ideas such as modu-
lar arithmetic are first presented in this chapter, and sophisticated modern
attacks on MASCs are also included, along with sections on data compres-
sion, nomenclators (systems that make use of both a cipher and a code), and
book codes. Chapter 3, as already mentioned, shows the logical progressions
from the Vigenère cipher (which uses multiple substitution alphabets) to the
running key cipher, and on to the unbreakable one-time pad. Historical uses
are provided from the U.S. Civil War (for the Vigenère cipher) and World
War II (for the one-time pad). Chapter 4 shifts gears to take a look at transpo-
sition ciphers, in which letters or words are rearranged rather than replaced
by others. Most modern systems combine substitution and transposition, so
www.ebook777.com
free ebooks ==> www.ebook777.com
xxii Introduction
this helps to set the stage for later chapters such as 6, 12, and 19. In Chapter
5, we examine a steganographic system alleged to reveal Francis Bacon as
the true author of William Shakespeare’s plays. Although I hope to convince
the reader that such arguments are not valid, the system has been used else-
where. This chapter also examines Thomas Jefferson’s cipher wheel, which
saw use as recently as World War II, and looks at how John F. Kennedy’s life
hung in the balance during that war, dependent on the security of the 19th-
century Playfair cipher. Again, modern attacks on these older systems are
examined. Stepping back a bit, Chapter 6 examines the great impact cryptol-
ogy had on World War I and looks closely at the fascinating cryptologic fig-
ure Herbert O. Yardley, who may be accurately described as the “Han Solo of
cryptology.” This chapter also includes a brief description of censorship, with
emphasis on censorship of writings dealing with cryptology. Linear algebra
shows its importance in Chapter 7, where matrix encryption is examined.
Two attacks on this system that have never before appeared in book form are
presented. Electromechanical machines come on the scene in Chapter 8, as
the Germans attempt to protect their World War II-era secrets with Enigma.
This chapter contains a detailed look at how the Poles broke these ciphers,
aided by machines of their own. Following the invasion of Poland, the set-
ting shifts to Bletchley Park, England, and the work of Alan Turing, the great
pioneer in computer science. A brief look is taken at the Nazi Lorenz ciphers
and the computer the British used to break them. Chapter 9 shifts to the
Pacific Theater of World War II and takes a close look at Japanese diplomatic
ciphers and naval codes and the effect their cryptanalysis had on the war.
The role the Navajo code talkers played in securing the Allies’ victory closes
out this chapter and Part I of the book.
Part II
Chapter 10 leads off Part II with a look at how Claude Shannon’s ideas helped
shape the information age, as well as modern cryptology. His method of
measuring the information content of a message (using the terms entropy
and redundancy) is explained and simple ways to calculate these values are
provided, along with the impact such concepts had in other fields. A history
of the National Security Agency is given in Chapter 11. Included with this
is a discussion of how electromagnetic emanations can cause an otherwise
secure system to be compromised. TEMPEST technology seeks to protect
systems from such vulnerabilities. Speculations are presented concerning
NSA’s (classified) successes. The chapter on NSA is followed by a close exam-
ination in Chapter 12 of a cipher (DES) that the Agency had a role in design-
ing. The controversy over DES’s key size and its classified design criteria
is given full coverage, as is the Electronic Frontier Foundation’s attack on
the system. The revolutionary concept of public key cryptography, where
people who have never met to agree on a key can nevertheless communicate
free ebooks ==> www.ebook777.com
Introduction xxiii
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
Acknowledgments
Thanks to Chris Christensen and Robert Lewand, for reading the entire man-
uscript and providing valuable feedback; to Brian J. Winkel, for his comments
on several chapters and much help and great advice over the years, as well
as unbelievably generous cryptologic gifts; to René Stein, who researched
numerous queries on my behalf at the National Cryptologic Museum; to
David Kahn, for his inspiration and generosity; to everyone at the National
Security Agency’s Center for Cryptologic History (the best place to work!),
for my wonderful year as the 2011–2012 scholar in residence; to the editorial
board of Cryptologia, for sharing their expertise; and to Jay Anderson, for get-
ting me hooked on the subject in the first place.
Thanks also to the American Cryptogram Association, Steven M. Bellovin,
Gilles Brassard, Jay Browne, Stephen Budiansky, Jan Bury, Kieran Crowley,
John Dixon, Sarah Fortener, Benjamin Gatti, Sam Hallas, Robert E. Hartwig,
Martin Hellman, Regan Kladstrup, Neal Koblitz, Robert Lord, Andrea
Meyer, Victor S. Miller, Adam Reifsneider, Barbara Ringle, Kenneth Rosen,
Mary Shelly at Franklin & Marshall College Library, William Stallings, Bob
Stern, Ernie Stitzinger, Patrick Weadon, Bob Weiss, Avi Wigderson, Betsy
Wollheim (president of DAW Books), John Young, and Philip Zimmermann.
Thank you all!
xxv
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
Part I
Classical Cryptology
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
1
Ancient Roots*
Male Female
60–Anu 55–Antu
50–Enlil 45–Ninlil
40–Ea/Enki 35–Ninki
30–Nanna/Sin 25–Ningal
20–Utu/Shamash 15–Inanna/Ishtar
10–Ishkur/Adad 5–Ninhursag
The number paired with the name of the god was sometimes used instead
of the name;† thus, we have a substitution cipher. In general, though, as
explained in the Introduction, when entire words or names are swapped out
for numbers or letters, we refer to that as a code rather than a cipher.
Assyriologie und Vorderasiatischen Archäologie, Vol. 3, Walter de Gruyter & Co., Berlin, 1971,
pp. 499–500.
www.ebook777.com
free ebooks ==> www.ebook777.com
4 Secret History: The Story of Cryptology
FIGURE 1.1
A skytale reveals a message.
It seems that every culture that develops writing (which itself offers some
secrecy if nearly everyone is illiterate) develops cryptography soon thereaf-
ter. Although many more examples could be included, we now move on to
the ancient Greeks’ use of cryptography.
FIGURE 1.2
American Cryptogram Association logo (www.cryptogram.org/).
1 2 3 4 5
1 A B C D E
2 F G H I&J K
3 L M N O P
4 Q R S T U
5 V W X Y Z
T H I S I S E A S Y T O B R E A K
44 23 24 43 24 43 15 11 43 54 44 34 12 42 15 11 25
This system was originally intended for signaling over long distances. To
send the first letter, T, one would hold 4 torches in the right hand and 4 in
the left. To send the next letter, H, one would hold 2 torches in the right hand
and 3 in the left. We will see how to break such a cipher in Chapter 2. It’s a
special case of a general class of ciphers known as monoalphabetic substitution
ciphers, where a given letter is always substituted for with the same symbol
wherever it appears.
The five-by-five square forced us to combine I and J as 24. The Greeks,
using a smaller alphabet, did not have this inconvenience. For us, though,
decipherment is not unique, but context should make clear which choice is
* Polybius wrote about this system in Chapter 46 of his tenth book of history, circa 170 BC.
www.ebook777.com
free ebooks ==> www.ebook777.com
6 Secret History: The Story of Cryptology
correct. Of course, we could use a six-by-six square, which would allow for
26 letters and 10 digits. Alternatively, numbers can be spelled out. A six-by-
six square would be used for languages written in the Cyrillic alphabet. The
Hawaiian alphabet, on the other hand, contains only 12 letters: 5 vowels (a, e,
i, o, u) and 7 consonants (h, k, l, m, n, p, w). Thus, for the Hawaiian alphabet,
a four-by-four square would suffice.
The Polybius square is sometimes called a Polybius checkerboard. The let-
ters may be placed in the square in any order; for example, the keyword
DERANGEMENT could be used to rearrange the letters like so:
1 2 3 4 5
1 D E R A N
2 G M T B C
3 F H I&J K L
4 O P Q S U
5 V W X Y Z
Observe that repeated letters of the keyword are left out when they reappear.
Once the keyword is used up, the remaining letters of the alphabet are filled
in the square.
The term derangement has a technical meaning, in that it refers to a reor-
dering where no object occupies its original position. Thus, the scrambling
provided above is not a derangement, since the letters U, V, W, X, Y, and Z are
left in their original locations.
FIGURE 1.3
Example of Viking cryptography. (Redrawn from Franksen, O.I., Mr. Babbage’s Secret: The Tale of
a Cypher—and APL, Prentice Hall, Englewood Cliffs, NJ, 1984.)
free ebooks ==> www.ebook777.com
Ancient Roots 7
member member
1 2 3 4 5 6 7 8 1 2 3 4 5 6
1 1
f u (th) a r k g w f u (th) a r k
2 2
aeht aeht
h n i j p E R s h n i a s
3 3
t b e m l (ng) o d t b m l R
FIGURE 1.4
Examples of Pre-Viking (left) and Viking (right) cryptography.
row and fourth column. In the diagram on the left, this gives the rune for J.
Thus, this encryption system was essentially a Polybius cipher. This is just
one of the Viking systems; there are others. Secrecy must have been impor-
tant for these people from the beginning, for the word rune means “secret”
in Anglo-Saxon.
As the danger of discovery was great, there was only one way in which
he could contrive to get the message through: this was by scraping the
wax off a pair of wooden folding tablets, writing on the wood under-
neath what Xerxes intended to do, and then covering the message over
with wax again. In this way the tablets, being apparently blank, would
cause no trouble with the guards along the road. When the message
reached its destination, no one was able to guess the secret until, as I
understand, Cleomenes’ daughter Gorgo, who was the wife of Leonidas,
discovered it and told the others that, if they scraped the wax off, they
would find something written on the wood underneath. This was done;
the message was revealed and read, and afterwards passed on to the
other Greeks.
The warning, combined with the efforts of 300 Spartans who held off
the Persians for three days, allowed time to prepare a successful defense.
Leonidas was among those who died trying to gain the time necessary for
www.ebook777.com
free ebooks ==> www.ebook777.com
8 Secret History: The Story of Cryptology
the Greeks to build a stronger defense. Without the advance warning given
in this instance (or for the later attack, mentioned previously, where the
skytale was used to convey a warning), it’s conceivable that a lack of prepa-
ration could have led to a victory for Persia, in which case there would have
been no “cradle of Western civilization.”
Another steganographic trick was carried out by Histaieus. In 499 BC,
he had a slave’s head shaved for the purpose of tattooing a message on it
encouraging Aristagoras of Miletus to revolt against the Persian king. When
the slave’s hair grew back, concealing the message, the slave was dispatched
with instructions to tell the intended recipient to shave his head. This is not
a good method, though, if time is of the essence or if the message is long and
the slave’s head small!*
Thus, HELLO would become V1 P1 Z1 Z1 L2. The book promotes free thinking
and exploration in the spirit of Charles Fort, who is quoted at various points.
Bellovin, S.M., Compression, Correction, Confidentiality, and Comprehension: A Modern
Look at Commercial Telegraph Codes, Department of Computer Science, Columbia
University, NY, 2009 (http://www.usenix.org/events/sec09/tech/slides/bell-
ovin.pdf). This PowerPoint® presentation on commercial code books provides
many entertaining examples, such as this excerpt from The Theatrical Cipher Code
(1905):
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
2
Monalphabetic Substitution Ciphers,
or MASCs: Disguises for Messages*
These simple ciphers have been used for thousands of years. In the interest of
space, the discussion here has to be somewhat limited. Many more examples
from history and literature may be seen in the online exercises that accom-
pany this book. We begin the print discussion with Julius Caesar.
2.1 Caesar Cipher
The Caesar cipher† was described by Suetonius in his biography of Caesar
and by Caesar himself.‡ Each letter is replaced by the third letter to follow
it alphabetically. Upon reaching the end of our ciphertext alphabet, we jot
down the A, B, C that weren’t yet used.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C ciphertext
For example,
ET TU BRUTE? message
becomes
HW WX EUXWH? cipher
(Note: These were not Caesar’s last words. They are the last words of Caesar
in Shakespeare’s play, which is not completely historically accurate.)
We don’t have to shift by three. We could shift by some other integer value
K. If we think in terms of the numbers 0 through 25 representing the let-
ters A through Z, the enciphering process may be viewed mathematically
Greek. This represents the first recorded use of a substitution cipher. It occurred during the
Gallic Wars. “The letter he sent written in Greek characters, lest by intercepting it the enemy
might get to know of our designs” (The Gallic War, Book V, by Caesar). Some of Caesar’s other
cipher systems have apparently been lost to history.
‡ Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 83.
11
www.ebook777.com
free ebooks ==> www.ebook777.com
12 Secret History: The Story of Cryptology
Note: n! is read as “n factorial” and is used to indicate the product of the inte-
gers 1 through n; for example, 4! = 1 ⋅ 2 ⋅ 3 ⋅ 4 = 24. Christian Camp introduced
the ! notation in 1808 because n! grows surprisingly fast for small values
of n.† It was not, as comedian Steven Wright claimed, an attempt to make
mathematics look exciting. Since an arbitrary monoalphabetic substitution
cipher can make use of any of 26 possible letters to represent A, and any of
the remaining 25 letters to represent B, and so on, until only one choice is left
to represent Z, the size of the keyspace is 26! = 403,291,461,126,605,635,584,00
0,000. Try double-checking this with your calculator! Alternatively, type 26!
into Mathematica or Maple or another computer algebra system. Do you get
all of the digits?
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 216.
† Ghahramani, S., Fundamentals of Probability, Prentice Hall, Upper Saddle River, NJ, 1996, p. 45.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 13
n ! ∼ ( 2πn )( nn )( e − n )
So, we have a nice compact formula that relates the concept of factorials to
some of the most important constants in mathematics!
In classical cryptography, it has often been desirable to have a key that can
be memorized, because if the key is written down it is susceptible to seizure.
It would be time consuming to memorize A goes to H, B goes to Q, C goes to
R, etc. for all 26 letters. This leads us to keyword ciphers.† For example, using
the keyword PRIVACY, we have
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
P R I V A C Y B D E F G H J K L M N O Q S T U W X Z ciphertext
Letters that are not used in the keyword follow it in alphabetical order,
when writing out the ciphertext alphabet. Thus, we have a cipher superior
to the Caesar shift, but still weakened by some order being retained in the
cipher alphabet. Such ciphers may be further complicated by having the key-
word placed somewhere other than the start of the alphabet. For example, we
may use the two-part key (PRIVACY, H) and encipher with
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
Q S T U W X Z P R I V A C Y B D E F G H J K L M N O ciphertext
Also, long key phrases may be used to determine the order of the substitu-
tions. If a letter is repeated, simply ignore it when it reappears,‡ as you write
the cipher alphabet out. Key phrases may be chosen that contain all of the
letters of the alphabet.
* Discovered by James Stirling (1692–1770) in 1730. You will see the ~ notation again in Chapter
15, where the importance of prime numbers in cryptology is discussed.
† The Argentis were the first to use keywords in this manner (during the late 1580s). See Kahn,
D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 113.
‡ An enciphered message sent to Edgar Allan Poe was made much more difficult to break
www.ebook777.com
free ebooks ==> www.ebook777.com
14 Secret History: The Story of Cryptology
FIGURE 2.1
Leon Battista Alberti’s cipher disk. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New
York, 1996, p. 128. With permission.)
For example,
The quick brown fox jumps over a lazy dog (33 letters)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
T H E Q U I C K B R O W N F X J M P S V A L Z Y D G ciphertext
§ Lederer, R., Crazy English, Pocket Books, New York, 1989, pp. 159–160.
¶ Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, pp. 126–128.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 15
FIGURE 2.2
St.-Cyr slide.
Another device is the St.-Cyr Slide (Figure 2.2).* Here again, one alphabet
(the one written twice in the picture above) may be moved relative to the
other. This device is only good for performing a Caesar type shift, if using
a straight alphabet, as pictured above, and keeping the slide in a fixed posi-
tion. Yet, even with a completely mixed alphabet, it is a trivial matter to break
such a cipher. Monoalphabetic substitution ciphers have often been used in
fiction. The hero of the tale typically succeeds in his attempt at cryptanalysis
and explains how he did it.† One of the best of these tales was penned by
Edgar Allan Poe. His connection with cryptology is examined next. The fol-
lowing section examines Sherlock Holmes’ encounters with ciphers and we
then conclude our treatment of MASCs with a look at solution techniques
unknown to Poe or Arthur Conan Doyle’s famous detective.
FIGURE 2.3
Edgar Allan Poe. (Courtesy of Karen’s
He did insist that word spacing be pre-
Whimsy, http://karenswhimsy.com/ served. Poe solved the ciphers that were sent
public -domain-images/). in, with a few exceptions. Some wiseguys
www.ebook777.com
free ebooks ==> www.ebook777.com
16 Secret History: The Story of Cryptology
FIGURE 2.4
A polyphonic cipher cracked by Poe.
apparently sent in fake ciphers that never contained a message but rather con-
sisted of random letters. Several readers made Poe’s work easier by encipher-
ing well-known writings; for example, Poe needed only to glance at one such
ciphertext to know that it was the Lord’s Prayer. Poe had articles on cryptog-
raphy in a total of 15 issues,* yet he did not reveal his method of deciphering,
despite the pleas of readers.
Poe quit Alexander’s in May of 1840 and began serving as editor for Graham’s
Magazine a year later. He repeated his cipher challenge, although this time it
was buried in a review, “Sketches of Conspicuous Living Characters” (April,
1841). Poe’s longest article on the subject, titled, oddly enough, “A Few Words
on Secret Writing,” appeared in the July 1841 issue. The articles were once
again very popular, yet Poe still did not reveal his method. The suspense was
good for sales.
Polyphonic ciphers were among the systems that Poe solved in Graham’s
(Figure 2.4). In these, more than one letter may be enciphered as the same
character. This makes deciphering more difficult for the cryptanalyst, as well
as for the intended recipient. At a glance, we can tell that the ciphertext in
Figure 2.4 was not obtained by simply replacing each letter with another in a
one-to-one manner; for example, the second to last word in the second line,
inotiiiiv, has four copies of the same letter grouped together, but there is no
such word in English! Nevertheless, Poe broke this cipher. He determined
the key phrase (in Latin) to be Suaviter in modo, fortiter in re. So, the substitu-
tions were determined as follows:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
S U A V I T E R I N M O D O F O R T I T E R I N R E ciphertext
In both periodicals Poe made a claim that he repeated in his short story
“The Gold Bug” (1843).* The phrasing differed. It is stated here in the form
seen in the story:
we have a more serious error. Do you see it? If not, look again before read-
ing on.
In a fantastic computer science text,† William Bennett pointed out the
errors that Poe made.‡ He titled this section “Gold Bug or Humbug?” and
referred to the origin of the frequency table above as “the most fundamental
mystery of the entire short story.” The letter t should be the second most fre-
quent. Why did Poe place it tenth? This was not an error made by the printer,
Hey, Edgar, Amontillado is a sherry! For more errors in “The Cask of Amontillado,” see
Fadiman, C., Ed., Dionysus: A Case of Vintage Tales about Wine, McGraw-Hill, New York, 1962.
www.ebook777.com
free ebooks ==> www.ebook777.com
18 Secret History: The Story of Cryptology
In describing the vowels, Blair stated that e was the most frequent, followed
by o, a, and i, and then pointed out that some consonants, such as s and t
are more frequent than u and y. The relatively recent letters v and j were not
included!
Upon reading this, Poe placed u and y after s and t in the ordering given
above and then put the other vowels at the start, accidentally switching the
order of o and a to get
e a o i d h n r s t u y c f g l m w b k p q x z
Because he created the genre of detective fiction, I would like to think Poe
would have enjoyed the work that went into solving the “Mystery of the
Incorrect Letter Frequencies.”
David Kahn pointed out several other errors in “The Gold Bug” that have
nothing to do with cryptography.† Read the entire story and see how many
you can find.
* Bond, R.T., Famous Stories of Code and Cipher, Rinehart, New York, 1947, pp. 98–99. The contents
of the paperback edition differ from the hardcover by one story, but “The Gold Bug” is pres-
ent in both.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, pp. 790–791.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 19
An Enigma (1848)
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 781.
www.ebook777.com
free ebooks ==> www.ebook777.com
20 Secret History: The Story of Cryptology
FIGURE 2.5
Ciphertexts found in “The Adventure of the Dancing Men” (http://sherlock-holm.es/stories/
pdf/a4/1-sided/danc.pdf).
Finally, we hit upon the idea that the flags represent the spaces. This makes
our task much easier, as we now have word divisions; however, there are still
some complicating factors. The messages are short and turn out to include
proper names and locations (not just words you would find in a dictionary),
and there’s at least one typo present! The number of typos varies from edi-
tion to edition, but all have at least one!
Holmes never mentioned the typos, so one may assume that they were
errors made by Doyle or the printers and not intended to make things more
difficult. Anyone attempting to decipher a message must be able to deal with
typos. These occur frequently in real-world messages. They can be caused
by a careless encipherer or by problems in transmission. “Morse mutilation”
is a term sometimes used to describe a message received in Morse code with
errors arising from the transmission process.
Leo Marks, who was in charge of the Special Operations Executive (SOE)
code and cipher group during World War II,* frequently had to contend with
“indecipherables” arising from agents in occupied Europe improperly enci-
phering. When he began in 1942, about 25% of incoming messages were inde-
cipherable for one reason or another. At that time, only 3% were recovered,
but Marks gave lectures on recovery techniques to his team and developed
new methods. The number of solutions quickly rose to a peak of 92% and
finally settled at an average of 80%. An individual message required an aver-
age of 2000 attempted decipherments before Marks’ team hit upon the real
error.† It was worth the effort, for the only alternative was to have the agent
resend the message, a risky activity with Nazis constantly on the lookout
with direction-finding equipment for agents transmitting radio messages.
A second attempt at transmission could easily result in capture and torture
for the agent.
More recently, a copycat killer nicknamed Zodiac II sent an enciphered
message to The New York Post. In order to get the correct decipherment, the
cryptanalyst had to grapple with some typos the killer made. See the online
exercises for this cipher.
Sherlock Holmes, of course was able to break the dancing men cipher
completely and compose a message of his own using it (Figure 2.6). Holmes’
adversary in this tale had no idea that the message was from Holmes and
this deception led to his capture. So, the story raises an issue that we will
visit again in this book: Namely, how can we be sure the message comes
from the person we think it does? Holmes was able to impersonate another
because he learned the secret of the cipher, but in an ideal system this would
not be possible.
* The Special Operations Executive was roughly the British equivalent of America’s Office of
Strategic Services. They ran risky operations behind enemy lines.
† Marks, L., Between Silk and Cyanide: A Codemaker’s War, 1941–1945, The Free Press, New York,
www.ebook777.com
free ebooks ==> www.ebook777.com
22 Secret History: The Story of Cryptology
FIGURE 2.6
Sherlock Holmes’ dancing men ciphertext.
Many agents were captured and impersonated over the course of World
War II. In one instance, when it was suspected that a particular SOE agent
had been compromised and that a Nazi was carrying out his end of the radio
conversation, a test was devised to ascertain the truth. The suspicious British
radio operator signed off on his message to the agent with HH, short for
Heil Hitler. This was a standard sort of “goodbye” among the Nazis and the
operator abroad responded automatically with HH, giving himself away.*
Was Doyle’s use of dancing men to represent letters as creative as it might
seem? It turns out that these fellows had been protecting messages long before
Doyle wrote his story. When confronted with previous uses, he chalked it up
to coincidence.† Doyle’s dancing men are also reminiscent of some figures in
a lost script, known as Rongorongo, which was used by the people of Easter
Island and, oddly, resembles Indus Valley script, another indecipherable at
the moment (Figure 2.7). The idea that there is a connection between the two
scripts is not backed by the leading experts, as the two cultures were widely
separated, not only in terms of distance but also in time.
Although such topics are only treated in passing here, deciphering lost
scripts attracts the interest of a decent number of cryptologists. See the refer-
ence section for papers that Cryptologia has published on Rongorongo script.
“The Adventure of the Dancing Men” is not the only story in which Doyle’s
detective encountered cryptology. Another is discussed later in this chapter.
2.5 Frequency Analysis
Monoalphabetic substitution ciphers are easy to break, as each letter is
always enciphered in the same manner when it reappears. Statistics for the
language in which the message was written soon reveal the plaintext. In
fact, in many cases, we can use these statistics to recognize what language
was used, if it is initially unknown. The correct language can often be deter-
mined without any deciphering. A sampling of some statistics for English is
* Marks, L., Between Silk and Cyanide: A Codemaker’s War, 1941–1945, The Free Press, New York,
pp. 348–349.
† Shulman, D., The origin of the dancing men, The Baker Street Journal, 23(1), 19–21, 1973.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 23
FIGURE 2.7
A comparison of Rongorongo (right side of each column) and Indus Valley script (left side of
each column). (Adapted from Imbelloni, J., Sr., The Journal of the Polynesian Society, 48 (189), 68,
1939.)
provided in Table 2.1. These are only sample statistics, and your results may
vary. For example, E usually stands out as being much more frequent than
any of the other letters, yet an entire novel (E.V. Wright’s Gadsby, published
in 1939) has been written without this letter. For your amusement, the first
paragraph of Gadsby follows.
If youth, throughout all history, had had a champion to stand up for it; to
show a doubting world that a child can think; and, possibly, do it practi-
cally; you wouldn’t constantly run across folks today who claim that “a
www.ebook777.com
free ebooks ==> www.ebook777.com
24 Secret History: The Story of Cryptology
TABLE 2.1
Sample English Statistics
Letter Relative Frequency (%) Letter Relative Frequency (%)
A 8.2 N 6.7
B 1.5 O 7.5
C 2.8 P 1.9
D 4.3 Q 0.1
E 12.7 R 6.0
F 2.2 S 6.3
G 2.0 T 9.0
H 6.1 U 2.8
I 7.0 V 1.0
J 0.2 W 2.4
K 0.8 X 0.2
L 4.0 Y 2.0
M 2.4 Z 0.1
Wright was not alone in meeting this challenge. The French author Georges
Perec completed La Disparation (1969) without using a single E. Frequency
tables vary from language to language, but E is commonly high. Perec’s per-
formance was perhaps more impressive, as E is even more frequent in French
(17.5%) than in English. Gilbert Adair translated this work without introduc-
ing an E. He titled it A Void and it begins as follows:
Although this paragraph was written without the letter E, it cannot be read
without it! By writing 26 using digits instead of letters, Adair avoided that
particular E.
Frequency counts used for the purpose of cryptanalysis first appear in
Arabic works. The interest was apparently a byproduct of studying the
Koran. All sorts of statistics on letters and words used in the Koran had
been compiled as part of the intense study this work was subject to. Finally
someone took the next step and applied this data to an enciphered message.
2.6 Biblical Cryptology
Although the Christian world was behind the Islamic world in terms of
cryptanalysis, there is some crypto in the Bible. A system known as Atbash
enciphered Hebrew by switching the first and last letters of the alphabet, the
second and second to last, and so on. With our alphabet it would look like this:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
Z Y X W V U T S R Q P O N M L K J I H G F E D C B A ciphertext
The name Atbash is derived from the first two pairs of Hebrew letters that
are switched: aleph, taw and beth, sin (Figure 2.8). This system was used
in Jeremiah 25:26 and Jeremiah 51:41, where Sheshach appears as an enci-
phered version of Babel. Until it was recognized that this encipherment had
been used, biblical scholars spent many hours puzzling over where Sheshach
was located!
aleph beth gimel daleth he waw zayin heth teth yod kaph
taw sin resh qoph sadhe pe ayin samekh nun mem lamed
shin
FIGURE 2.8
Atbash substitutions. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p.
78. With permission.)
www.ebook777.com
free ebooks ==> www.ebook777.com
26 Secret History: The Story of Cryptology
In Section 2.1, we examined the Caesar cipher. There is a variant of this sys-
tem, called a reverse Caesar cipher, for which the ciphertext alphabet is written
backward before being shifted. If this is suspected, one may simply transform
the ciphertext Atbash style and then break it like a regular Caesar cipher.
Unfortunately, much media attention has been focused on a nonexistent
Bible code, where equidistant sequences are alleged to reveal information
about events from biblical times through the present and into the future.
Rather than waste space on it here, I will simply reference a paper that
debunks this nonsense and point out that such “messages” can be found in
any book of sufficient length.*
TABLE 2.2
Frequency of Letters in Initial and Terminal Positions
Frequency Frequency
Initial Terminal Initial Terminal
Letter Position Position Letter Position Position
A 123.6 24.7 N 21.6 67.6
B 42.4 0.9 O 70.8 41.4
C 47.0 3.7 P 40.9 6.4
D 20.6 111.0 Q 2.2 —
E 27.7 222.9 R 31.2 47.5
F 41.9 49.3 S 69.1 137.0
G 12.3 25.1 T 181.3 98.1
H 47.5 34.2 U 14.1 2.3
I 59.0 0.9 V 4.1 —
J 7.0 — W 63.3 3.7
K 1.8 8.7 X 0.4 1.4
L 22.4 24.7 Y 7.5 66.2
M 39.2 20.1 Z 0.4 —
Source: Pratt, F., Secret and Urgent, Bobbs-Merrill, New York, 1939,
p. 258.
Note: Figures above represent the frequency of occurrence in 1000
words. V, Q, J, and Z occur so rarely as terminals that their
frequency cannot be expressed in this table.
TABLE 2.3
Most Common Doubled Letters
Letter Frequency Letter Frequency Letter Frequency
LL 19 FF 9 MM 4
SS 15 RR 6 GG 4
EE 14 NN 5 DD 1.5
OO 12 PP 4.5 AA 0.5
TT 9 CC 4 BB 0.25
Source: Pratt, F., Secret and Urgent, Bobbs-Merrill, New York, 1939, p.
259.
Note: Figures above represent the frequency of occurrence in 1000
words.
* http://www4.ncsu.edu/~njrose/Special/Bios/Levine.html.
www.ebook777.com
free ebooks ==> www.ebook777.com
28 Secret History: The Story of Cryptology
FIGURE 2.9
Frequency table for two-letter combinations. (From Friedman, W.F. and Callimahos, L.D.,
Military Cryptanalytics, Part I, National Security Agency, Washington, D.C., 1956, p. 257.)
Pattern word lists were used during World War II, although America’s lists
were not as complete as those made later by Levine. Amazingly, I’ve been
unable to find decent lists from before World War II. It seems like such an
obvious approach to cracking monoalphabetic substitution ciphers must be
hundreds of years old, but, if so, where are the lists?
Non-pattern words are also useful to have in lists. These are words that do
not use any letter more than once. They are also called isograms. The record
length seems to be 15 letters. A few examples follow:
Many more words can be added to the shorter word length lists above. How
many can you find?
* Fourteen- and 15-letter isograms are from Lederer, R., Crazy English, Pocket Books, New York,
1989, p. 159.
† Dermatoglypics is the science of fingerprints.
‡ Ten-, 11-, and 13-letter isograms are from http://www.wordways.com/morenice.htm.
www.ebook777.com
free ebooks ==> www.ebook777.com
30 Secret History: The Story of Cryptology
AA BA
AB BB
AC BC
AD BD
AE BE
AF BF
AG BG
AH BH
. .
. .
. .
AZ BZ
Was this a harder task for the second column of digraphs? I’m sure the sec-
ond column was more difficult for you. This is because vowels contact more
letters than consonants. That is the key characteristic in distinguishing the
vowels from the consonants. Hence, your work above shows that A is more
likely to be a vowel than B, since you found words for a higher percentage of
digraphs in the A column than in the B column. We now look at an algorithm
that may be applied to monoalphabetic ciphertexts, as well as unknown
scripts.
2.8.1 Sukhotin’s Method
1. Count the number of times each letter contacts each of the others
and put these values in an n-by-n square (n = alphabet size).
2. Make the diagonal of the square all zeroes.
3. Sum the rows and assume that all characters are consonants.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 31
As always, an example makes things clearer. Consider the phrase NOW WE’RE
RECOGNIZING VOWELS.
Step 1
C E G I L N O R S V W Z
C 0 1 0 0 0 0 1 0 0 0 0 0
E 1 0 0 0 1 0 0 3 0 0 2 0
G 0 0 0 0 0 2 1 0 0 0 0 0
I 0 0 0 0 0 2 0 0 0 0 0 2
L 0 1 0 0 0 0 0 0 1 0 0 0
N 0 0 2 2 0 0 1 0 0 0 0 0
O 1 0 1 0 0 1 0 0 0 1 2 0
R 0 3 0 0 0 0 0 0 0 0 0 0
S 0 0 0 0 1 0 0 0 0 0 0 0
V 0 0 0 0 0 0 1 0 0 0 0 0
W 0 2 0 0 0 0 2 0 0 0 0 0
Z 0 0 0 2 0 0 0 0 0 0 0 0
Step 4
E looks like a vowel, because it has the highest row sum. We then adjust the
row sums.
www.ebook777.com
free ebooks ==> www.ebook777.com
32 Secret History: The Story of Cryptology
Step 5
Consonant/
C E G I L N O R S V W Z Sum Vowel
C 0 1 0 0 0 0 1 0 0 0 0 0 0 C
E 1 0 0 0 1 0 0 3 0 0 2 0 7 V
G 0 0 0 0 0 2 1 0 0 0 0 0 3 C
I 0 0 0 0 0 2 0 0 0 0 0 2 4 C
L 0 1 0 0 0 0 0 0 1 0 0 0 0 C
N 0 0 2 2 0 0 1 0 0 0 0 0 5 C
O 1 0 1 0 0 1 0 0 0 1 2 0 6 V
R 0 3 0 0 0 0 0 0 0 0 0 0 –3 C
S 0 0 0 0 1 0 0 0 0 0 0 0 1 C
V 0 0 0 0 0 0 1 0 0 0 0 0 1 C
W 0 2 0 0 0 0 2 0 0 0 0 0 0 C
Z 0 0 0 2 0 0 0 0 0 0 0 0 2 C
Back to Step 4
Now O looks like a vowel. We adjust the row sums again (step 5):
Consonant/
C E G I L N O R S V W Z Sum Vowel
C 0 1 0 0 0 0 1 0 0 0 0 0 –2 C
E 1 0 0 0 1 0 0 3 0 0 2 0 7 V
G 0 0 0 0 0 2 1 0 0 0 0 0 1 C
I 0 0 0 0 0 2 0 0 0 0 0 2 4 C
L 0 1 0 0 0 0 0 0 1 0 0 0 0 C
N 0 0 2 2 0 0 1 0 0 0 0 0 3 C
O 1 0 1 0 0 1 0 0 0 1 2 0 6 V
R 0 3 0 0 0 0 0 0 0 0 0 0 –3 C
S 0 0 0 0 1 0 0 0 0 0 0 0 1 C
V 0 0 0 0 0 0 1 0 0 0 0 0 –1 C
W 0 2 0 0 0 0 2 0 0 0 0 0 –4 C
Z 0 0 0 2 0 0 0 0 0 0 0 0 2 C
2.9 More MASCs
Many popular authors have included ciphers in their works. These include,
in addition to those discussed previously, some at a higher level of sophis-
tication by Jules Verne, Dorothy Sayers, Charles Dodgson (better known by
his pen name Lewis Carroll), and others whom you will encounter in the
pages to follow. Figure 2.10 displays a dust jacket from one of the many edi-
tions of the first book in J.R.R. Tolkien’s Lord of the Rings trilogy. Tolkien cre-
ated a rune alphabet, which is often used to conceal secret messages on the
covers. Can you crack it with the statistics and techniques discussed in this
chapter? Ozzy Osbourne’s Speak of the Devil album makes use of Tolkien’s
rune alphabet on the front and back covers. For those whose tastes lean
more toward classical music, Figure 2.11 provides a cipher “composed” by
Wolfgang Amadeus Mozart. Each note simply represents a letter.
Cryptology is mathematics in the same sense that music is mathematics.
H. Gary Knight*
www.ebook777.com
free ebooks ==> www.ebook777.com
34 Secret History: The Story of Cryptology
FIGURE 2.10
Find the message hidden on the cover of this book (www.isildur.com/tolkien/books/fell5.gif).
other hand, some pieces have two dots inside. The tombstone may be seen
in Trinity Churchyard in New York City. It marks the grave of James Leeson,
an officer of a Masonic lodge, who died in 1794.* The same message appears
on a flat slab marking the grave of Captain James Lacey (d. 1796) in St. Paul’s
Churchyard, just a few blocks away; however, this one uses a different key.†
FIGURE 2.11
A cipher created by Wolfgang Amadeus Mozart—not intended for performance! (Retyped by
Nicholas Lyman from McCormick, D., Love in Code, Eyre Methuen, London, 1980, p. 49.)
A B C J N O P W
D E F K L Q R S X Y
G H I M T U V Z
FIGURE 2.12
A common monoalphabetic substitution cipher used by Masons and school children.
FIGURE 2.13
Sample message to decipher.
FIGURE 2.14
Tales from the crypt? (From http://farm3.static.flickr.com/2095/2126621361_091b5ac745.jpg?v=0.)
www.ebook777.com
free ebooks ==> www.ebook777.com
36 Secret History: The Story of Cryptology
2.10 Cryptanalysis of a MASC
Now that we’re seeing ciphers everywhere, it’s time for an example of how
they can be broken. Suppose we intercept the following ciphertext:
We can begin our attack by constructing a frequency table for the ciphertext
letters (Table 2.4). The letter S sticks out as having the largest frequency; there-
fore, it is likely that it represents the plaintext letter E. The three letter cipher-
text word JDS appears twice. The most common three-letter combination (as
well as the most common three letter word) is THE. This agrees with our sus-
picion that S represents E. Is it likely that J represents T? T is very common
in English and the ciphertext letter J appears six times, so it seems plausible.
Writing our guesses above the corresponding ciphertext letters gives:
T E E E H E E E
C J U Z B G U S H M S G Z S U D Q I S A S S G Q
T E T H E H E.
W C U Q U J S N X B N J D S D M T Q G N Q Z S.
TABLE 2.4
Frequency Table for Sample Ciphertext Letters
Letter Frequency Letter Frequency
A 1 N 5
B 4 O 0
C 5 P 0
D 4 Q 7
E 0 R 0
F 0 S 11
G 7 T 1
H 1 U 6
I 2 V 2
J 6 W 3
K 0 X 1
L 0 Y 0
M 4 Z 3
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 37
There are many possible ways to proceed from here. Since we have a
12-letter word, ZBGUSHMSGZSU, let’s consider its pattern. It has the form
ABCDEFGECAED. If you have downloaded the program referenced earlier,
you may type in this pattern and you will see that there is only one word that
fits, namely CONSEQUENCES. Substituting for all of the letters now revealed
gives
T H E N U S T E U T O N N
J D S C G W M U J N C Q V N S I B V M J C B G Q G W
T S C O N S E Q U E N C E S
H E E E N
C J U Z B G U S H M S G Z S U D Q I S A S S G Q
The fifth word cannot be anything other than ITS. Placing I above every C
quickly leads to more letters and the message is revealed to be
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
Q A Z W S X E D C R F V T G B Y H N U J M I K O L P ciphertext
Do you see the pattern in the substitutions now that it is entirely revealed?*
Notice that the statistics given in this chapter helped, but they do not match
our message perfectly. T was the second most frequent letter in our table, but
it is tied for fourth place in the sample cipher. Nevertheless, the frequency
was high enough to make it seem like a reasonable substitution. In general,
we may make some incorrect guesses in trying to break a cipher. When this
happens, simply backtrack and try other guesses!
Now that we’ve achieved some skill in breaking monoalphabetic substitu-
tion ciphers, it is time to laugh at those who are not so well informed; may
they forever wallow in their ignorance! One fellow, whose name has been lost
to history, unwittingly displayed his ignorance when he proudly explained
how he had deciphered a message of the type we have been examining.†
www.ebook777.com
free ebooks ==> www.ebook777.com
38 Secret History: The Story of Cryptology
From the moment when the note fell into my hands, I never stopped
studying from time to time the signs which it bore.…About 15 years
more or less passed, until the moment when God (Glory to Him!) did
me the favor of permitting me to comprehend these signs, although no
one taught them to me.
I like killing people because it is so much fun it is more fun than killing
wild game in the forest because man is the most dangerous anamal of
all to kill something gi
A later cipher created by the zodiac killer that proved to be more difficult is
reproduced in Figure 2.16. Robert Graysmith claimed a decipherment in his
book Zodiac, but it has not met with wide acceptance.†
* For a fuller account, see Pratt, F., Secret and Urgent, Bobbs Merrill, New York, 1939, pp. 137–139.
† Graysmith, R., Zodiac, St. Martin’s/Marek, New York, 1986, pp. 238–244.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 39
FIGURE 2.15
Zodiac killer cipher.
FIGURE 2.16
An unsolved cipher.
www.ebook777.com
free ebooks ==> www.ebook777.com
40 Secret History: The Story of Cryptology
FIGURE 2.17
Edward Elgar. (From http://en.wikipedia.org/wiki/Edward_Elgar.)
FIGURE 2.18
Another open problem—what does this say? (From http://en.wikipedia.org/wiki/File:Dorabella
-cipher-image.gif.)
* For more information, see Kruh, L., Still waiting to be solved: Elgar’s 1897 cipher message,
Cryptologia, 22(2), 97–98, 1998.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 41
2.12 Affine Ciphers
When we introduced the mixed alphabets, the mathematical view of encrypt-
ing (via modular arithmetic) seemed to disappear! It appeared again on the
other side, cryptanalysis, where we’ve been using some simple statistics.
Returning to Caesar’s cipher, we can generalize to bring the mathematical
perspective back to enciphering again. Caesar used C = M + 3 (mod 26). We
made the key arbitrary, giving C = M + K (mod 26). But why not generalize
further? We do this by introducing a multiplier, a.
Consider C = aM + b (mod 26). Here our key is K = (a,b), an ordered pair.
Using K = (0,b) is not allowed, as every letter would get sent to b and the mes-
sage would be impossible to decipher—only the length would be known.
K = (1,3) gives a Caesar shift. What about other values? We only get a 1:1
map between plaintext and ciphertext letters when the greatest common
divisor of a and 26 is 1. That is, a and 26 must be relatively prime (also called
coprime).
The various values of a may be investigated individually. All odd values
between 1 and 25 inclusive work, with the exception of 13. Euler’s totient
function, φ(n) gives the number of positive integers less than n and relatively
prime to n. So, we may write φ(26) = 12. This function is very useful in pub-
lic key cryptography, as will be seen in Section 13.3. Now, b can take any
value in the range 0 to 25, so the keyspace for this cipher is (12)(26) = 312.
Decipherment is done via the equation M = a–1(C – b), where a–1 is the multi-
plicative inverse of a; that is, the number that gives 1 when multiplied by a
(mod 26).
This keyspace for an affine cipher is too small to serve as protection against
a brute force attack. Although we are using some mathematics here, the set
of possible keys is just a tiny subset of that for the general monoalphabetic
substitution cipher. Recall that the keyspace for this is 26! = 403,291,461,126,
605,635,584,000,000. A mod 26 multiplication table (Table 2.5) is provided for
your convenience in using an affine cipher.
Let’s encipher a short message using the key (11,8) to get the hang of this
system:
HOW ARE YOU? I’M AFFINE.
Then each cipher letter is obtained by taking 11M + 8 (mod 26), where M is
the message letter. Make sure to use the mod 26 multiplication table to save
time.
www.ebook777.com
TABLE 2.5
42
11(7) + 8 = 7
11(14) + 8 = 6
11(22) + 8 = 16
11(0) + 8 = 8
11(17) + 8 = 13
11(4) + 8 = 0
11(24) + 8 = 12
11(14) + 8 = 6
11(20) + 8 = 20
11(8) + 8 = 18
11(12) + 8 = 10
11(0) + 8 = 8
11(5) + 8 = 11
11(5) + 8 = 11
11(8) + 8 = 18
11(13) + 8 = 21
11(4) + 8 = 0
So our numerical ciphertext is 7, 6, 16, 8, 13, 0, 12, 6, 20, 18, 10, 8, 11, 11, 18, 21, 0.
Converting back to letters and replacing punctuation (not good for security!)
we have
HGQ INA MGU? S’K ILLSVA
and then use the formula M = 19C + 4 to decipher in the same manner as we
originally enciphered.
Although the affine cipher’s keyspace is so small that we do not need to
look for anything more sophisticated than a brute-force attack to rapidly
break it, I’ll point out another weakness. If we are able to obtain a pair of
distinct plaintext letters and their ciphertext equivalents (by guessing how
the message might begin or end for example), we can usually recover the key
mathematically.
www.ebook777.com
free ebooks ==> www.ebook777.com
44 Secret History: The Story of Cryptology
Example 1
Suppose we intercept a message and we guess that it begins DEAR…. If the
first two ciphertext letters are RA, we can pair them up with D and E to get
R = Da + b, A = Ea + b
17 = 3a + b, 0 = 4a + b
Since we are working modulo 26, the solution becomes a = –17 = 9. Plugging
a = 9 into 0 = 4a + b, we get 36 + b = 0, which is b = –36 = 16. We have now
completely recovered the key. It is (9,16).
Example 2
Suppose we intercept a message sent by Cy Deavours and we guess that
the last two ciphertext letters arose from his signature: CY. If the ciphertext
ended LD, then we have
L = aC + b, D = aY + b
11 = 2a + b, 3 = 24a + b
3 = 24 a + b
−(11 = 2 a + b)
− 8 = 22 a
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 45
Since we are working modulo 26, this solution becomes 18 = 22a. Looking
at our mod 26 multiplication table, we see that there are two possible values
for a, 2 and 15. Let’s see what each equation gives us when we plug in a = 2.
3 = 24a + b → 3 = 22 + b → –19 = b → b = 7
11 = 2a + b → 11 = 4 + b → 7 = b
3 = 24a + b → 3 = 22 + b → –19 = b → b = 7
11 = 2a + b → 11 = 4 + b → 7 = b
Now let’s make it more general by letting C1 and C2 represent the ciphertext
values and M1 and M2 the plaintext values:
C2 = M2 a + b
−(C1 = M1 a + b)
C2 − C1 = ( M2 − M1 ) a
www.ebook777.com
free ebooks ==> www.ebook777.com
46 Secret History: The Story of Cryptology
FIGURE 2.19
Cryptic science fiction cover art. (Courtesy of DAW Books, www.dawbooks.com.)
TABLE 2.6
International Morse Code
Letter Code Letter Code
A ._ N _.
B _… O ___
C _._. P ._ _.
D _.. Q _ _._
E . R ._.
F .._. S …
G _ _. T _
H …. U .._
I .. V …_
J ._ _ _ W ._ _
K _._ X _.._
L ._.. Y ._._
M __ Z _ _..
as the beginning of Beethoven’s Fifth Symphony. The allies used V for vic-
tory during World War II and made use of Beethoven’s Fifth for propaganda
purposes.
Look closely at the back of the coin shown in Figure 2.20. Notice the series
of dots and dashes around the perimeter that spell out a message in Morse
code. Start reading clockwise from the bottom of the coin just to the left of
FIGURE 2.20
A Canadian coin with a hidden message. (Thanks to Lance Snyder for helping with this image.)
www.ebook777.com
free ebooks ==> www.ebook777.com
48 Secret History: The Story of Cryptology
[Jeremiah] Denton is best known for the 1966 North Vietnamese televi-
sion interview he was forced to give as a prisoner, in which he inge-
niously used the opportunity to communicate to American Intelligence.
During the interview Denton blinked his eyes in Morse code to spell out
the word “T-O-R-T-U-R-E” to communicate that his captors were tortur-
ing him and his fellow POWs.
There is another, more modern, system for coding that prevents this prob-
lem and truly requires just two characters. It is due to David. A. Huffman
(Figure 2.21), who came up with the idea while working on his doctorate
in computer science at MIT.§ Huffman codes make use of the same idea as
Morse code. Instead of representing each character by eight bits, as is stan-
dard for computers, common characters are assigned shorter representa-
tions while rarer characters receive longer representations (see Table 2.7).
The compressed data is then stored along with a key giving the substitu-
* Anon., DPEPE DPJO, Cryptologia, 1(3), 275–277, 1977 (picture on p. 275).
† http://en.wikipedia.org/wiki/Jeremiah_Denton.
‡ http://rubyquiz.com/quiz121.html.
§ Huffman, D.A., A method for the construction of minimum-redundancy codes, Proceedings of
TABLE 2.7
Huffman Code
Letter Huffman Code Letter Huffman Code
E 000 M 11010
T 001 W 11011
A 0100 F 11100
O 0101 G 111010
I 0110 Y 111011
N 0111 P 111100
S 1000 B 111101
H 1001 V 111110
R 1010 K 1111110
D 10110 J 11111110
L 10111 X 111111110
C 11000 Q 1111111110
U 11001 Z 1111111111
www.ebook777.com
free ebooks ==> www.ebook777.com
50 Secret History: The Story of Cryptology
0 1
0 1 0 1
0 1 0 1 0 1
E T
0 1 0 1 0 1 0 1 0
A O I N S H R
0 1 0 1
D L
0 1 0 1
C U M W
FIGURE 2.22
Huffman coding graph.
* Yes, this is the John Nash of the book and movie A Beautiful Mind. The book is excellent, but
the movie made major changes and does not, in my opinion, provide an accurate depiction of
Nash’s life.
† Scans of this letter and other Nash letters are available http://www.nsa.gov/public_info/_
files/nash_letters/nash_letters1.pdf.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 51
2.14 MASC Miscellanea
In a moment we will leave the simple substitution cipher behind. It’s not that
there is nothing else of interest left to be said on the topic. In fact, a great deal
has been left out! The simple ciphers of this chapter have been the subject of
entire books;* however, a great deal must be skipped, or the study of classical
cryptology would take up thousands of pages.
It should be noted that the Polybius cipher (see Section 1.2) had not really
been improved upon until the time of the Renaissance. Other monoalpha-
betic substitution schemes have the advantage of not doubling the length
of the message, but they aren’t any harder to crack (assuming mixed alpha-
bets are used in both). The lack of advancement in cryptology during these
years has caused many historians to refer to that time period as the “Dark
Ages.”
One exception is the work of Roger Bacon (c. 1214–1294), who was the
author of the first known European book to describe ciphers. During this
time period, and indeed through the Renaissance, the art/science that is
cryptology was considered magic and its practitioners magicians or, worse
yet, in league with devils.† There are still a few practitioners today who
have done little to dispel this myth (see the Ozzy Osbourne album cover
referenced earlier in this chapter). The Alphabet of the Magi is reproduced
in Figure 2.23.
Cryptology has strong literary roots. Even Chaucer dabbled in the field.
We close this section with a sample from his works. Figure 2.24 is one of six
ciphers from Chaucer’s The Equatorie of the Planetis, which is apparently a
companion piece to his Treatise on the Astrolabe (Chaucer was also an astron-
omer). It is simply a monoalphabetic substitution cipher, giving simplified
instructions for using the equatorie.
www.ebook777.com
free ebooks ==> www.ebook777.com
52 Secret History: The Story of Cryptology
FIGURE 2.23
Alphabet of the Magi. (From Christian, Paul (pseudonym for Jean Baptiste Pitois), Histoire de la
Magie, du Monde Surnaturel et da la Fatalité à travers les Temps et les peuples, 1870, p. 177.)
FIGURE 2.24
Chaucer’s cipher. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 90.
With permission.)
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 53
2.15 Nomenclators
From 1400 to 1850 nomenclators were the kings of the European nations’
cipher systems. They are basically a combination of a code and a monoalpha-
betic substitution cipher, which may be used to spell out words not provided
for in the code portion. The code portions initially just consisted of names,
hence, nomenclator. Figure 2.25 shows one used by Mary, Queen of Scots.
You can probably guess what happened when Mary’s life hung in the bal-
ance, dependent on whether or not messages in this cipher could or could
not be read by a cryptanalyst without access to the key. Mary was wise to
include nulls, but there were no homophones (different symbols represent-
ing the same letter, as in the Zodiac ciphers) and far too few words in the
code portion.
Mary was crowned queen of Scotland in 1543 at only nine months of age.
In 1559, she married Francis, the dauphin of France. It was hoped that this
would serve to strengthen the ties between the two Roman Catholic nations,
but he died in 1560 and in the meanwhile Scotland was becoming more and
more Protestant. Mary then married her cousin Henry Stewart, who caused
so much trouble for Scotland that it was planned for him to die by having
his house blown up while he was inside. He escaped the explosion only to
die of strangulation, which certainly looked suspicious. Mary found a third
husband, James Hepburn, but he was exiled in 1567 by the now powerful
Protestant population of Scotland, and Mary was imprisoned. She escaped
and with an army of her supporters attempted to reclaim her crown, but the
a b c d e f g h i k l m n o p q r s t u x y z
Nulles Dowbleth
send ~
lre receave bearer i pray you mte your name myne
FIGURE 2.25
Nomenclator used by Mary, Queen of Scots. (From Singh, S., The Code Book, Doubleday, New
York, 1999, p. 38. With permission.)
www.ebook777.com
free ebooks ==> www.ebook777.com
54 Secret History: The Story of Cryptology
attempt failed and so she fled to England and the imagined protection of
her cousin Queen Elizabeth I. But, Queen Elizabeth, knowing that England’s
Catholics considered Mary the true Queen of England, had Mary impris-
oned to minimize any potential threat.
Angered by England’s persecution of Catholics, Mary’s former page,
Anthony Babbington, and others put together a plan in 1586 to free Mary
and assassinate Queen Elizabeth. The conspirators decided they could not
carry out their plans without Mary’s blessing and managed to smuggle a
message to her in prison. It was enciphered using the nomenclator pictured
in Figure 2.25. However, the conspirators didn’t realize that Gilbert Gifford,
who helped to smuggle the letter (and earlier messages from other support-
ers of Mary), was a double agent. He turned the messages over to Sir Francis
Walsingham, Principal Secretary to Queen Elizabeth. Thus, they were cop-
ied before being delivered to Mary, and the cryptanalyst Thomas Phelippes
succeeded in breaking them.
Mary responded, supporting the conspiracy as long as her liberation was
before or simultaneous with the assassination, as she feared for her life if the
assassination came first. Like the previous message, this one was read by
Phelippes and relayed to Walsingham. Both Babbington and Queen Mary
were now marked for death, but the other conspirators remained unnamed.
To snare the rest, Walsingham had Phelippes add a bit more enciphered text
to Mary’s response in the style of Mary’s own hand (Figure 2.26). The deci-
phered message reads:
I would be glad to know the names and qualities of the six gentlemen
which are to accomplish the designment; for it may be that I shall be
able, upon knowledge of the parties, to give you some further advice
necessary to be followed therein, as also from time to time particularly
how you proceed: and as soon as you may, for the same purpose, who be
already, and how far everyone is privy hereunto.
FIGURE 2.26
A forged ciphertext. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 123.
With permission.)
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 55
However, events were such that Babbington was about to leave the country
to prepare the overthrow of Queen Elizabeth (he was supported by Philip II
of Spain), and it became necessary to arrest him. Following the trial, Mary
was beheaded in 1587,* but would the plot have succeeded if Mary had used a
stronger cipher? Many more tales can be told concerning nomenclators used
in Europe, but we now jump ahead to the American Revolution.
General George Washington, having learned some hard lessons in spycraft
(the death of Nathan Hale, for example), went on to protect the identity of spies
codenamed Culper Senior and Culper Junior so well that it remained a mystery
to historians until 1930! Morton Pennypacker finally uncovered the Culpers’
true names, when he came upon letters from Robert Townsend in a hand that
perfectly matched that of the spy Culper Junior.† Townsend was a Quaker who
did not want any attention drawn to the work he did on behalf of his country. It
was not until the 20th century that spying lost its stigma and became glamor-
ized. In the days of the American Revolution it was considered dishonorable.
A page from the nomenclator used by the Culper spy ring, operating in
occupied New York, is reproduced in Figure 2.27. The Culper’s nomencla-
tor was not always used in the best manner. One letter bore the partially
enciphered phrase “David Mathews, Mayor of 10.”‡ If this message had been
intercepted, how long do you think it would have taken a British cryptana-
lyst to determine that 10 = New York? Although Culper Junior’s identity was
eventually revealed, we still do not have a very good idea of his appearance.
Pennypacker identified a silhouette (Figure 2.28A) as Robert Townsend, but
it is actually Townsend’s brother. The only depiction currently accepted as
Robert (Figure 2.28B) was drawn by his nephew Peter Townsend.
During the Revolutionary War, General Washington spent only $17,617 on
espionage activities, and he paid for these activities out of his own pocket!
He did later bill Congress, but this sort of budget still contrasts very strongly
with the situation today. See Chapter 11.
2.16 Cryptanalysis of Nomenclators
Now that we have seen a few examples, let’s consider how we might break
a nomenclature—one larger and more challenging than those above! Good
nomenclatures have tens of thousands of code groups; however, the code por-
tion may have the distinct disadvantage of having the codewords arranged
* Mary’s story is entertainingly related in Singh’s The Code Book, pp. 1–3, 32–44, from which the
above was adapted.
† Pennypacker, M., The Two Spies, Nathan Hale and Robert Townsend, Houghton Mifflin, Boston,
MA, 1930.
‡ Pennypacker, M., General Washington’s Spies, Long Island Historical Society, New York, 1939,
p. 50.
www.ebook777.com
free ebooks ==> www.ebook777.com
56 Secret History: The Story of Cryptology
FIGURE 2.27
A nomenclator used in the American Revolution. (From George Washington Papers at the Library
of Congress, 1741–1799: Series 4. General Correspondence. 1697–1799, Talmadge, 1783, Codes.)
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 57
(A) (B)
FIGURE 2.28
(A) Silhouette incorrectly believed by Pennypacker to be Robert Townsend. (Courtesy of the
Friends of Raynham Hall.) (B) Drawing of Robert Townsend by his nephew Peter Townsend.
(Courtesy of the Friends of Raynham Hall Museum.)
n+1
Size ≈ Max − 1
n
where n is the number of codegroups observed, and Max is the largest value
among the observed code groups.
For example, if an intercepted message contains 22 code groups and the
largest is 31,672, then the number of entries in the code book is roughly
n+1 22 + 1
Max − 1 = (31, 672) − 1 ≈ 33, 111
n 22
* Two-part codes, which avoid this pitfall, are discussed in Section 5.2.
† For a derivation see Ghahramani, S., Fundamentals of Probability, Prentice Hall, Upper Saddle
River, NJ, 1996, pp. 146–148. This is not, however, the first place the result appeared or was
proven.
www.ebook777.com
free ebooks ==> www.ebook777.com
58 Secret History: The Story of Cryptology
Once we know the size of the code, a dictionary of similar size may be con-
sulted. Since it is not likely to be the key, we cannot expect to simply plug in
the word in the position of the code number; however, there is a good chance
that the first letter, and possibly the second, of that word may be correct.
Thus, we can jot down assumptions for the first two letters of each word.
This, when combined with context, may allow us to guess some phrases of
plaintext.
Table 2.8 shows where words beginning with the given letters stop in a
dictionary of 60,000 to 65,000 words.
2.17 Book Codes
A nomenclator with a large code portion may well employ a code book to list
them all, but this is not to be confused with a book code. I’ll illustrate the idea
of a book code with an example sent by Porlock to Sherlock Holmes in The
Valley of Fear with confidence that Holmes would be able to read it without
the key:*
534 C2 13 127 36 31 4 17 21 41
DOUGLAS 109 293 5 37 BIRLSTONE
26 BIRLSTONE 9 47 171
Holmes decides that 534 indicates page 534 of some book and C2 indicates
column two. The numbers then represent words and a few names are spelled
out, as they do not occur on the given page. William Friedman once broke
such a cipher without finding the book that was used, but Holmes takes a
more direct route. The minimum size of the book being 534 pages and its
practicality for use requiring that a copy be available to Holmes, he con-
siders volumes that fit the constraints. The Bible is a possibility broached
by Watson, but Holmes comments that he “could hardly name any volume
which would be less likely to lie at the elbow of one of Moriarty’s associates.”
Holmes finally turns to the current almanac. It yields nonsense, but the pre-
vious year’s almanac works and the story is off and running.
Other villains who made use of book codes include Benedict Arnold, in
his attempt to betray West Point to the British, and Hannibal Lector, in the
novel Silence of the Lambs. Arnold’s book was a dictionary, and Lecter’s was
The Joy of Cooking.
* Doyle, A.C., The Valley of Fear, Doran, New York, 1915. This story was first serialized in Strand
Magazine from September 1914 to May 1915. Three months after the New York edition, a
British edition appeared.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 59
TABLE 2.8
Code Dictionary
AA 5 DA 11,646 GL 21,300 LO 30,690 PE 38,121 TE 55,336
AB 207 DE 12,850 GN 21,344 LU 30,850 PH 38,385 TH 55,778
AC 467 DI 13,935 GO 21,592 LY 30,890 PI 38,828 TI 56,036
AD 695 DO 14,210 GR 22,267 MA 31,730 PL 39,245 TO 56,466
AE 741 DR 14,620 GU 22,530 ME 32,362 P0 39,970 TR 57,232
AF 845 DU 14,840 GY 22,588 MI 32,903 PR 41,260 TU 57,432
AG 942 DW 14,855 HA 23,320 MO 33,525 PS 41,320 TW 57,498
AI 1018 DY 14,900 HE 23,942 MU 33,826 PU 41,740 TY 57,556
AL 1325 EA 15,000 HI 24,180 MY 33,885 PY 41,815 UB 57,571
AM 1415 EC 15,075 HO 24,764 NA 34,075 QUA 41,984 UG 57,589
AN 1957 ED 15,126 HU 24,989 NE 34,387 QUE 42,036 UL 57,638
AP 2081 EF 15,187 HY 25,190 NI 34,529 QUI 42,159 UM 57,685
AR 2514 EG 15,225 IC 25,270 NO 34,815 QUO 42,181 UN 59,885
AS 2737 EI 15,235 ID 25,347 NU 34,928 RA 42,573 UP 59,957
AT 2860 EL 15,436 IG 25,370 NY 34,946 RE 44,346 UR 60,014
AU 3014 EM 15,630 IL 25,469 OA 34,970 RH 44,422 US 60,050
AV 3073 EN 16,030 IM 25,892 OB 35,140 RI 44,712 UT 60,080
AW 3100 EP 16,145 IN 27,635 OC 35,230 RO 45,207 VA 60,363
AZ 3135 EQ 16,210 IR 27,822 OD 35,270 RU 45,441 VE 60,692
BA 3802 ER 16,290 IS 27,868 OF 35,343 SA 46,192 VI 61,113
BE 4250 ES 16,387 IT 27,910 OG 35,356 SC 46,879 VO 61,277
BI 4470 ET 16,460 JA 28,046 OI 35,390 SE 47,945 VU 61,307
BL 4760 EU 16,505 JE 28,135 OL 35,450 SH 48,580 WA 61,830
BO 5180 EV 16,610 JI 28,168 OM 35,496 SI 49,024 WE 62,133
BR 5590 EX 17,165 JO 28,290 ON 35,555 SK 49,152 WH 62,472
BU 5930 EY 17,190 JU 28,434 OO 35,575 SL 49,453 WI 62,800
BY 5954 FA 17,625 KA 28,500 OP 35,727 SM 49,600 WO 63,079
CA 6920 FE 17,930 KE 28,583 OR 35,926 SN 49,788 WR 63,175
CE 7110 FI 18,390 KI 28,752 OS 35,993 SO 50,266 X 63,225
CH 7788 FL 18,964 KN 28,857 OT 36,018 SP 51,132 YA 63,282
CI 7970 FO 19,610 KO 28,878 OU 36,159 SQ 51,259 YE 63,345
CL 8220 FR 20,030 KR 28,893 OV 36,348 ST 52,678 YO 63,397
CO 10,550 FU 20,265 KU 28,910 OW 36,361 SU 53,701 YU 63,409
CR 11,030 GA 20,700 LA 29,457 OX 36,395 SW 53,977 ZE 63,452
CU 11,300 GE 20,950 LE 29,787 OY 36,410 SY 54,206 ZI 63,485
CY 11,380 GI 21,088 LI 30,283 PA 37,226 TA 54,783 ZO 63,542
ZY 63,561
Source: Mansfield, L.C.S., The Solution of Codes and Ciphers, Alexander Maclehose,
London, 1936, pp. 154–157.
www.ebook777.com
free ebooks ==> www.ebook777.com
60 Secret History: The Story of Cryptology
Figure 2.29 shows the book code that William Friedman solved without
benefit of the accompanying book, which was only found later. Notice that
this particular code does not select words, but rather individual letters, to
form the ciphertext.
FIGURE 2.29
A solution to a book code. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996,
p. 373. With permission.)
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 61
Not of Interest
Rosenheim, S.J., The Cryptographic Imagination: Secret Writing from Edgar Poe to the
Internet (Parallax: Re-Visions of Culture and Society), The Johns Hopkins University
Press, Baltimore, MD, 1997.
For details, see the following review by a professor of computer science at the
University of Waterloo:
Shallit, J., Book review of Menezes, van Oorschot, and Vanstone, Handbook of Applied
Cryptography, and Rosenheim, The Cryptographic Imagination: Secret Writings
from Edgar Poe to the Internet, American Mathematical Monthly, 106, 85–88, 1999.
www.ebook777.com
free ebooks ==> www.ebook777.com
62 Secret History: The Story of Cryptology
Bond, R.T., Famous Stories of Code and Cipher, Rinehart, New York, 1947, pp. 98–99.
The contents of the paperback edition differ from the hardcover by one story,
but “The Adventure of the Dancing Men” is present in both (paperback, pp.
171–172; hardcover, pp. 136–137).
Donegall, Lord, Baker Street and beyond: essays on Sherlock Holmes, The New
Strand, 1, 1048–1050, 1962; 2, 1717–1720, 1963.
Hearn, O., Some further speculations upon the dancing men, The Baker Street Journal,
19, 196–202, 1969. Hearn is a pseudonym of Walter N. Trenerry.
Kahn, D., The Codebreakers, Macmillan, New York, 1967, pp. 794–798. I am citing the
first edition here, so that you may see when Kahn weighed in on the issue.
McCormick, D., Love in Code, Eyre Methuen, London, 1980, p. 5.
Orr, L., A case of coincidence relating to Sir A. Conan Doyle, The Bookman, 38, 178–
180, 1910. This article was reprinted in The Baker Street Journal, 19, 203–205,
1969.
Pattrick, R.H., A study in crypto-choreography, The Baker Street Journal, 5, 205–209,
1955.
Pratt, F., The secret message of the dancing men, in Smith, E.W., Ed., Profile by
Gaslight: An Irregular Reader About the Private Life of Sherlock Holmes, Simon &
Schuster, New York, 1944, pp. 274–282.
Schenk, R.T.E., Holmes, cryptanalysis and the dancing men, The Baker Street Journal,
5(2), 80–91, 1955.
Schorin, H.R., Cryptography in the canon, The Baker Street Journal, 13, 214–216, 1963.
Shulman, D., Sherlock Holmes: cryptanalyst, The Baker Street Journal, 3, 233–237,
1948.
Shulman, D., The origin of the dancing men, The Baker Street Journal, 23(1), 19–21,
1973.
Trappe, W. and Washington, L.C., Introduction to Cryptography with Coding Theory,
Prentice Hall, Upper Saddle River, NJ, 2002, pp. 26–29. These authors summa-
rize the story (a sort of Cliff’s Notes edition) and discuss the typos in various
editions.
For more examples of codes and ciphers used in fiction, you cannot do bet-
ter than the following:
Dooley, J.F., Codes and ciphers in fiction: an overview, Cryptologia, 29(4), 290–328,
2005.
Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996.
On Rongorongo Script
If you’d like to learn more, these Rongorongo references, in turn, reference
many more books and papers.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 63
On Arabic Cryptology
Al-Kadi, I.A., Origins of cryptology: the Arab contributions, Cryptologia, 16(2), 97–126,
1992.
Mrayati, M., Meer Alam, Y., and at-Tayyan, M.H., Series Eds., Series on Arabic Origins
of Cryptology. Vol. 1. al-Kindi’s Treatise on Cryptanalysis, King Faisal Center
for Research and Islamic Studies and King Abdulaziz City for Science and
Technology, Riyadh, 2003.
Mrayati, M., Meer Alam, Y., and at-Tayyan, M.H., Series Eds., Series on Arabic Origins
of Cryptology. Vol. 2. Ibn ’Adlan’s Treatise al-mu’allaf lil-malik al-’Ašraf, King Faisal
Center for Research and Islamic Studies and King Abdulaziz City for Science
and Technology, Riyadh, 2003.
Mrayati, M., Meer Alam, Y., and at-Tayyan, M.H., Series Eds., Series on Arabic Origins
of Cryptology. Vol. 3. Ibn ad-Duryahim’s Treatise on Cryptanalysis, King Faisal
Center for Research and Islamic Studies and King Abdulaziz City for Science
and Technology, Riyadh, 2004.
Mrayati, M., Meer Alam, Y., and at-Tayyan, M.H., Series Eds., Series on Arabic Origins
of Cryptology. Vol. 4. Ibn Dunaynır’s Book: Expositive Chapters on Cryptanalysis,
King Faisal Center for Research and Islamic Studies and King Abdulaziz City
for Science and Technology, Riyadh, 2005.
Mrayati, M., Meer Alam, Y., and at-Tayyan, M.H., Series Eds., Series on Arabic Origins
of Cryptology. Vol. 5. Three Treatises on Cryptanalysis of Poetry, King Faisal Center
for Research and Islamic Studies and King Abdulaziz City for Science and
Technology, Riyadh, 2006.
Schwartz, K.A., Charting Arabic cryptology’s evolution, Cryptologia, 33(4), 297–305,
2009.
On Cryptanalysis
Barker, W.G., Cryptanalysis of the Simple Substitution Cipher with Word Divisions Using
Non-Pattern Word Lists, Aegean Park Press, Laguna Hills, CA, 1975. This work
also discusses techniques for distinguishing vowels from consonants.
Edwards, D.J., OCAS—On-line Cryptanalysis Aid System, MIT Project MAC, TR-27,
May 1966. Bruce Schatz wrote, “reported on a SNOBOL-like programming lan-
guage specially designed for cryptanalysis.”
Gaines, H.F., Cryptanalysis: A Study of Ciphers and Their Solutions, 2nd ed., Dover, New
York, 1956, p. 74ff, 88–92; the first edition appeared in 1939.
www.ebook777.com
free ebooks ==> www.ebook777.com
64 Secret History: The Story of Cryptology
Girsdansky, M.B., Cryptology, the computer, and data privacy, Computers and
Automation, 21, 12–19, 1972. This is a survey of automated cryptanalysis, so you
can see that this has been investigated publicly for quite some time.
Guy, J.B.M., Vowel identification: an old (but good) algorithm, Cryptologia, 15(3), 258–
261, 1991.
Mellen, G.E., Cryptology, computers, and common sense, in AFIPS ’73: Proceedings
of National Computer Conference and Exposition, June 4–8, 1973, ACM, New York,
pp. 569–579. Survey of automated cryptanalysis.
Moler, C. and Morrison, D., Singular value analysis of cryptograms, American
Mathematical Monthly, 90(2), 78–87, 1983. This paper uses the singular value
decomposition for vowel recognition.
Olson, E., Robust dictionary attack of short simple substitution ciphers, Cryptologia,
31(4), 332–342, 2007.
Schatz, B.R., Automated analysis of cryptograms, Cryptologia, 1(2), 116–142, 1977.
Silver, R., Decryptor, MIT Lincoln Laboratory Quarterly Progress Report, Division 5
(Information Processing), December, 57–60, 1959.
Sutton, W.G., Modified Sukhotin: a manual method, The Cryptogram, Sept./Oct.,
12–14, 1992.
* Raja is the American Cryptogram Association (ACA) nom de plume for the author and his
wife Josephine.
† Ibid.
‡ Ibid.
free ebooks ==> www.ebook777.com
Monalphabetic Substitution Ciphers, or MASCs: Disguises for Messages 65
Goddard, E. and Goddard, T., Cryptodyct, Wagners, Davenport, IA, 1976. Upon seeing
the title, I thought it must have been written in some foreign language I wasn’t
familiar with; however, it is in English and is simply a pattern word dictionary
of 272 pages for words of length 14 and shorter. This effort took two years and
appears to have been privately printed.
Goddard, E. and Goddard, T., Cryptokyt I: Non-Pattern Nine Letter Word List, Wagners,
Davenport, IA, 1977, 28 pp.
Goddard, E. and Goddard, T., Cryptokyt II: Non-Pattern Five Letter Word List, Wagners,
Davenport, IA, 1977, 64 pp.
Hempfner, P. and Hempfner, T., Pattern Word List for Divided and Undivided
Cryptograms, self-published, 1984. An electronic dictionary was used to generate
the 30,000+ entries in this 100-page book, which goes up to the 21-letter word
electroencephalograph.
Levine, J., A List of Pattern Words of Lengths Two Through Nine, self-published, 1971,
384 pp.
Levine, J., A List of Pattern Words of Lengths Ten Through Twelve, self-published, 1972,
360 pp.
Levine, J., A List of Pattern Words of Lengths Thirteen to Sixteen, self-published, 1973,
270 pp.
Lynch, F.D., Col., USAF, Ret., Pattern-Word List Volume 1: Containing Words up to 10
Letters in Length, Aegean Park Press, Laguna Hills, CA, 1977, 152 pp. “Much of
Colonel Lynch’s work remains classified,” but this work was “compiled manually
by the author over a period of many years” using Webster’s Third New International
Dictionary. Words where only a single letter repeats itself once were not included.
On Zodiac
Crowley, K., Sleep My Little Dead: The True Story of the Zodiac Killer, St. Martin’s, New
York, 1997. This is about a copycat killer in New York, not the original Zodiac.
Imitation is the sincerest form of flattery. The author signed my copy, “To
Craig—What’s Your Sign?” It gave me a chill—thanks!
Graysmith, R., ZODIAC, St. Martin’s/Marek, New York, 1986. This is the best book
on Zodiac. It’s creepy and in 2007 was made into a movie of the same title that
is also creepy.* It is not to be confused with an extremely low-budget film called
Zodiac Killer,† which appeared in 2005, a year that also saw the release of The
Zodiac.‡
Graysmith, R., Zodiac Unmasked: The Identity of American’s Most Elusive Serial Killer
Revealed, Berkley Books, New York, 2002.
Penn, G., Times 17: The Amazing Story of the Zodiac Murders in California and Massachusetts
1966–1981, Foxglove Press, Sharon Springs, NY, 1987. Penn seems to have put
much more thought into the killings than Zodiac himself. It seems to me that
most of the patterns he picked up on are coincidental, but a few are intriguing.
* http://www.imdb.com/title/tt0443706/.
† http://www.imdb.com/title/tt0469999/.
‡ http://www.imdb.com/title/tt0371739/.
www.ebook777.com
free ebooks ==> www.ebook777.com
66 Secret History: The Story of Cryptology
On MASCs
Bamford, J., Body of Secrets, Doubleday, New York, 2001. Although this is a book about
the National Security Agency, each chapter begins with cryptograms—can you
find the correct decipherments?
Huffman, D.A., A method for the construction of minimum-redundancy codes,
Proceedings of the Institute of Radio Engineers, 40, 1098–1101, 1952.
Kruh, L., The churchyard ciphers, Cryptologia, 1(4), 372–375, 1977.
Reeds, J., Solved: the ciphers in Book III of Trithemius’ Steganographia, Cryptologia,
22(4), 291–317, 1998. This paper concerns an old and hidden cipher of Trithemius,
only recognized and deciphered hundreds of years after his death. Trithemius’
life and his cryptologic work are discussed in Section 3.2, but the paper refer-
enced here can be appreciated now.
Silbert, L., The Intelligencer, Atria Books, New York, 2004. This novel refers to many
ciphertexts, but they are not provided. It is referenced here because the story
takes place during the reign of Elizabeth the First, and Thomas Phelippes is
included as a character.
Singh, S., The Code Book, Doubleday, New York, 1999. This work is aimed at a general
audience and relates the history of codemakers vs. codebreakers in historical
context in a lively manner. Singh uses the term “code” in the title in a broader
than usual sense and intends it to include ciphers as well.
Solution to Poe’s sonnet: If you read along the diagonal (first line/first character,
second line/second character, etc.) the name of the woman for whom the son-
net was written is spelled out.
Hint for the pattern in the cipher alphabet from the Kaczynski example: Look at a
keyboard.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
3
Simple Progression to
an Unbreakable Cipher*
This chapter describes a simple cipher system and proceeds to patch it against
attacks until the final result of a theoretically unbreakable cipher is achieved.
3.1 Vigenère Cipher
In a previous chapter, we saw how Edgar Allan Poe challenged readers to
send him monoalphabetic substitution ciphers to break. For the submission
reproduced in Figure 3.1, Poe was not able to offer a solution; however, he
was able to demonstrate that the sender did not follow his rules. That is, the
cipher is not monoalphabetic. Poe concluded (incorrectly) that it was “a jar-
gon of random characters, having no meaning whatsoever.Ӡ
Jumping ahead to the 1970s, Mark Lyster, an undergraduate in Brian
Winkel’s cryptology class at Albion College, became curious and attempted
a solution. Together, the professor and his student solved it. Brian then chal-
lenged Cryptologia’s readers to attempt their own solutions in the paper refer-
enced with Figure 3.1. In the August 1977 Scientific American, Martin Gardner
challenged his readers to solve it. You may consider yourself so challenged
after reading the material on cryptanalysis that follows in this chapter! A
solution was presented in Brian Winkel’s article, “Poe Challenge Cipher
Solutions,” in the October 1977 Cryptologia (pp. 318–325). Look at this paper
only after making a serious attempt to solve it yourself!
The system behind the Poe cipher was long known as le chiffre indéchiffrable
(“the unbreakable cipher”). Today, it is simply referred to as the Vigenère cipher—
we have to make a few improvements before it becomes truly unbreakable!
The main weaknesses of monoalphabetic ciphers are the preservation of
letter frequencies (only the symbols representing the letters change) and
word patterns, as detailed in the previous chapter. So, a necessary condition
appeared in Alexander’s Weekly Messenger, February 26, 1840, and gave the quote provided
over a year later (reflecting back) in his article, “A Few Words on Secret Writing,” which
appeared in the July 1841 issue of Graham’s Magazine, on pages 33 to 38. Ironically, Poe’s “A
Few Words on Secret Writing” was the longest of his essays dealing with cryptology.
69
www.ebook777.com
free ebooks ==> www.ebook777.com
70 Secret History: The Story of Cryptology
FIGURE 3.1
A ciphertext that Poe could not solve. (From Winkel, B.J., Cryptologia, 1(1), 95, 1977; the cipher-
text originally appeared in Poe, E.A., Alexander’s Weekly Messenger, February 26, 1840.)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z plaintext
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D alphabet 1
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K alphabet 2
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U alphabet 3
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H alphabet 4
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R alphabet 5
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 71
The words THANK YOU are enciphered in two different ways, depending
upon their position relative to the key alphabets. Also, we have doubled let-
ters in the ciphertext, VV and ZZ, where there are no doubled letters in the
plaintext. When this system first appeared there were no cryptanalytic tech-
niques in existence that were any better than simply guessing at the key.
In general, longer keys are better. If the key is only a single character, this
system reduces to the Caesar cipher.
www.ebook777.com
free ebooks ==> www.ebook777.com
72 Secret History: The Story of Cryptology
FIGURE 3.4
Johannes Trithemius, cryptology’s first printed author. (Courtesy of the National Cryptologic
Museum, Fort Meade, MD.)
FIGURE 3.5
Title page of Polygraphiae by Trithemius. (Courtesy of the National Cryptologic Museum, Fort
Meade, MD.)
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 73
had long circulated in manuscript form and had even attracted the attention
of the Roman Catholic Church, which placed it on the Index of Prohibited
Books. It is now available online at www.esotericarchives.com/esoteric.
htm#tritem. Most of the cryptographers of Trithemius’ era were also alche-
mists and magicians of a sort. In fact, Trithemius knew the real Dr. Faustus
(whom he considered a charlatan) and is said to have been a mentor of
Paracelsus and Cornelius Agrippa.* According to legend, Trithemius him-
self was said to have raised the wife of Emperor Maximilian I from the
dead.†
Polygraphiae contained the first “square table” or “tableau.” This is pictured
below and simply represents all possible shift ciphers. The first row is the
plaintext.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 131.
† Goodrick-Clarke, N., The Western Esoteric Traditions: A Historical Introduction, Oxford
University Press, New York, 2008, p. 52.
www.ebook777.com
free ebooks ==> www.ebook777.com
74 Secret History: The Story of Cryptology
* Also of interest is that Porta founded an “Academy of Secrets” in Naples. For more informa-
tion, see Zielinski, S., Magic and experiment: Giovan Battista Della Porta, in Zielinkski, S.,
Ed., Deep Time of the Media: Toward an Archaeology of Hearing and Seeing by Technical Means,
MIT Press, Cambridge, MA, pp. 57–100. Available online at http://courses.washington.edu/
hum202/zielinski.pdf.
† Yet, even this contribution should really be credited to a previous discoverer, G.B. Bellaso,
who described it in 1564. See Labronicus [Augusto Buonafalce], Historical tidbits, The
Cryptogram, 58(3), 9, 1992.
‡ Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 153.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 75
1, 6, 11, 16, … alphabet 1
2, 7, 12, 17, … alphabet 2
3, 8, 13, 18, … alphabet 3
4, 9, 14, 19, … alphabet 4
5, 10, 15, 20, … alphabet 5
www.ebook777.com
free ebooks ==> www.ebook777.com
76 Secret History: The Story of Cryptology
So how can we determine the length of the key? Several methods are
available. The simplest is to assume that some plaintext portions of the mes-
sage are repeated in the same alignment with the key. For example, if two
computer science professors are communicating, the word COMPUTER may
appear repeatedly in the message. If the key is ORANGE, we may have various
alignments:
* Friedrich W. Kasiski (1805–1881) was a retired Prussian infantry major who published his
method in Die Geheimschriften und die Dechiffrir-kunst in 1863.
† For a bit more on this, see Simon, S., The Code Book, Doubleday, New York, 1999, p. 78. For
a tremendous amount more see Franksen, O.I., Mr. Babbage’s Secret, The Tale of a Cypher and
APL, Prentice Hall, Englewood Cliffs, NJ, 1984.
‡ Friedman, W., The Index of Coincidence and Its Applications in Cryptography, Publ. No. 22,
∑ F ( F − 1)
i i
IC = i= A
N ( N − 1)
www.ebook777.com
free ebooks ==> www.ebook777.com
78 Secret History: The Story of Cryptology
Notice that the difference between expected values is largest when the
number of alphabets used is small. We can easily distinguish between one
alphabet (a monoalphabetic substitution cipher) and two alphabets, but dis-
tinguishing between nine and ten alphabets is difficult.
Suppose the index of coincidence is 0.04085, indicating that 9 or 10 alpha-
bets have been used. We can investigate further by assuming that the correct
keylength is 9 and splitting the ciphertext into 9 groups of letters, each of
which would have been enciphered by the same alphabet, if our assump-
tion is correct. The first group would contain the letters in positions 1, 10, 19,
28, …, since a key of length 9 forces us to start over with the first alphabet
at position 10 and again at positions 19, 28, etc. The second group would
contain all letters enciphered with the second alphabet, positions 2, 11, 20,
29, etc. Now applying the IC to group one should indicate (by resulting in a
value close to 0.066) if those letters truly did arise from encipherment with
the same alphabet. If the value of the IC is closer to 0.038, we lose confidence
in a keylength of 9, but the first group is not the only one we should consider.
The IC value for this group could be a misleading fluke! Testing all 9 groups
of letters separately gives a much firmer statistical base upon which to decide
if a keylength of 9 is correct. If the 9 IC values, considered as a group, are
discouraging, we can start over and assume the keylength is 10. Splitting the
ciphertext letters into 10 groups and computing the IC for each will show if
this assumption is better or not. The smaller groups of ciphertext letters, for
which these computations are done, are referred to as decimated alphabets,
even if there are not exactly 10 of them.
A few examples will indicate how reliable the Kasiski and IC tests are. The
first is presented below and others are left as exercises. Caution: Some books
concoct examples where such tests work perfectly, creating the false impres-
sion that this is always the case.
The IC equation can be turned around to give the length (L) of the key,
when the number of characters (N) in the ciphertext and the ciphertext index
of coincidence (IC) are known:
0.028 N
L≈
( IC)( N − 1) − 0.038 N + 0.066
Although you need not understand the derivation of the formula above in
order to use it, it’s easy to demonstrate. Suppose we have a ciphertext consist-
ing of N letters and that the enciphering key has length L. If we randomly
pick two letters, what is the probability that they are the same? (As ciphertext;
the plaintext letters they represent need not match.) The probability that the
two letters match is much higher if they were both enciphered with the same
alphabet, so we consider two separate cases and combine them for our final
answer.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 79
Case 1: The Two Letters Arose from the Same Cipher Alphabet
It doesn’t matter which letter we pick first, but the second letter has to come
from the same alphabet, so it must be one of the remaining (N/L) – 1 letters
of this type. (The L alphabets will roughly divide the N letters of the text into
N/L groups, each enciphered differently.) Thus, there are (N/L) – 1 choices
left out of the total remaining N – 1 letters. So, the probability is
N −1
L
N −1
But we also want the two letters to be the same. Since we are already within
the same alphabet, this probability is simply 0.066, the value of the IC for one
alphabet. We multiply these two values together to get
N
− 1 (0.066)
L
N −1
N
−1
1− L
N − 1
Now that we have two letters from different alphabets, we need to multi-
ply by the probability that they match. This is simply the IC value for ran-
dom text (or, equivalently, a large number of alphabets), namely 0.038. So, our
probability for case 2 is
N
−1
L (0.038)
1 −
N − 1
www.ebook777.com
free ebooks ==> www.ebook777.com
80 Secret History: The Story of Cryptology
N
− 1 (0.066) N
L −1
IC ≈ + L (0.038)
N −1 1 −
N − 1
It’s now just a matter of doing the algebra to solve for L (see Exercise 23) and
obtain the result
0.028 N
L≈
( IC)( N − 1) − 0.038 N + 0.066
Using this equation, you do not need a table of values like the one given
above; however, this version of the equation is intended only for ciphers hav-
ing English plaintexts. For other languages, the constants may vary.
The Kasiski test and the index of coincidence may sound complicated at
first, but they are very easy to use. Take a look at the following example to see
how simple they make the task of Vigenère cipher cryptanalysis.
IZPHY XLZZP SCULA TLNQV FEDEP QYOEB SMMOA AVTSZ VQATL LTZSZ
AKXHO OIZPS MBLLV PZCNE EDBTQ DLMFZ ZFTVZ LHLVP MBUMA VMMXG
FHFEP QFFVX OQTUR SRGDP IFMBU EIGMR AFVOE CBTQF VYOCM FTSCH
ROOAP GVGTS QYRCI MHQZA YHYXG LZPQB FYEOM ZFCKB LWBTQ UIHUY
LRDCD PHPVO QVVPA DBMWS ELOSM PDCMX OFBFT SDTNL VPTSG EANMP
MHKAE PIEFC WMHPO MDRVG OQMPQ BTAEC CNUAJ TNOIR XODBN RAIAF
UPHTK TFIIG EOMHQ FPPAJ BAWSV ITSMI MMFYT SMFDS VHFWQ RQ
Difference between
Character Grouping Starting Positions Starting Positions
IZP 1 and 57 56
HYX 4 and 172 168
EPQ 24 and 104 80
MBU 91 and 123 32
TSM 327 and 335 8
Consider the last column of the table above. All of the values are multiples
of 8. This suggests that the key is of length 8. It’s possible that the keylength
is 4 (or 2), but if this were the case, it’s likely that one of the numbers in the
difference column would be a multiple of 4 (or 2) but not a multiple of 8.
Calculating the index of coincidence requires more work. We begin by
constructing a frequency table (Table 3.1) for the ciphertext letters.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 81
TABLE 3.1
Frequency Table Used to Calculate Index
of Coincidence
Letter Frequency Letter Frequency
A 18 N 7
B 14 O 18
C 12 P 22
D 12 Q 17
E 15 R 10
F 22 S 16
G 9 T 20
H 14 U 8
I 13 V 18
J 2 W 5
K 4 X 7
L 15 Y 9
M 26 Z 14
The numerator of the index of coincidence for this example is then given by
∑ F ( F − 1)
i i
5178
IC = i= A
= ≈ 0.0431
N ( N − 1) (347 )(346)
www.ebook777.com
free ebooks ==> www.ebook777.com
82 Secret History: The Story of Cryptology
We could try again with four alphabets and then seven before moving on to
values further from the ones suggested by the IC, but the Kasiski test suggested
eight, so let’s skip ahead to this value. Splitting the ciphertext into eight separate
groups and calculating the IC for each gives 0.105, 0.087, 0.075, 0.087, 0.056, 0.069,
0.065, and 0.046. These values are by far the largest, so we have another test
backing up the results of the Kasiski test. Another way in which an IC calcula-
tion can be used to support the result of the Kasiski test is described in Exercise
22. We now rewrite the ciphertext in blocks of length 8, so that characters in
the same column represent letters enciphered by the same alphabet. We may
construct a frequency table for each column (Table 3.2). This had to be done to
get the values for the IC given in the paragraph above, but I left out showing the
work until it could be seen to lead to a positive conclusion. Take a moment to
examine Table 3.2 and the accompanying text before returning here.
For each column there are 26 possible choices for which letter represents E.
In column 1, the maximum value for the sum of the frequencies of E, A, and T
is 21 and is obtained when M represents E. Now, for column 2, assuming that P
represents E yields a sum of only 9. The greatest sum is 11, which is obtained
when Q represents E. For column 3, the maximum sum is also obtained when
Q represents E. This time the sum is 17. For columns 4 through 8, this tech-
nique suggests that E is represented by S, V, X, E, and P, respectively. We see
that, if these substitutions are correct, E is only the most frequent character
in columns 1, 3, 4, and 5, while it is tied for first place in column 7. You are
encouraged to investigate other techniques for determining the shift of each
alphabet in Exercise 14. The substitutions above imply that the keyword (the
letters representing A in each alphabet strung together in order) is IMMORTAL.
Since this is a real word, we gain some confidence in our solution. Applying
this keyword to the ciphertext by subtracting mod 26 gives:
IZPHY XLZZP SCULA TLNQV FEDEP QYOEB SMMOA AVTSZ VQATL LTZSZ
IMMOR TALIM MORTA LIMMO RTALI MMORT ALIMM ORTAL IMMOR TALIM
ANDTH ELORD GODSA IDBEH OLDTH EMANI SBECO MEASO NEOFU STOKN
AKXHO OIZPS MBLLV PZCNE EDBTQ DLMFZ ZFTVZ LHLVP MBUMA VMMXG
MORTA LIMMO RTALI MMORT ALIMM ORTAL IMMOR TALIM MORTA LIMMO
OWGOO DANDE VILAN DNOWL ESTHE PUTFO RTHHI SHAND ANDTA KEALS
FHFEP QFFVX OQTUR SRGDP IFMBU EIGMR AFVOE CBTQF VYOCM FTSCH
RTALI MMORT ALIMM ORTAL IMMOR TALIM MORTA LIMMO RTALI MMORT
OOFTH ETREE OFLIF EANDE ATAND LIVEF OREVE RTHER EFORE THELO
ROOAP GVGTS QYRCI MHQZA YHYXG LZPQB FYEOM ZFCKB LWBTQ UIHUY
ALIMM ORTAL IMMOR TALIM MORTA LIMMO RTALI MMORT ALIMM ORTAL
RDGOD SENTH IMFOR THFRO MTHEG ARDEN OFEDE NTOTI LLTHE GROUN
LRDCD PHPVO QVVPA DBMWS ELOSM PDCMX OFBFT SDTNL VPTSG EANMP
IMMOR TALIM MORTA LIMMO RTALI MMORT ALIMM ORTAL IMMOR TALIM
DFROM WHENC EHEWA STAKE NSOHE DROVE OUTTH EMANA NDHEP LACED
MHKAE PIEFC WMHPO MDRVG OQMPQ BTAEC CNUAJ TNOIR XODBN RAIAF
MORTA LIMMO RTALI MMORT ALIMM ORTAL IMMOR TALIM MORTA LIMMO
ATTHE EASTO FTHEG ARDEN OFEDE NCHER UBIMS ANDAF LAMIN GSWOR
UPHTK TFIIG EOMHQ FPPAJ BAWSV ITSMI MMFYT SMFDS VHFWQ RQ
RTALI MMORT ALIMM ORTAL IMMOR TALIM MORTA LIMMO RTALI MM
DWHIC HTURN EDEVE RYWAY TOKEE PTHEW AYOFT HETRE EOFLI FE
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 83
TABLE 3.2
Frequency Table with Tallies for Each Column
1 2 3 4 5 6 7 8 Column Number
I Z P H Y X L Z
1 2 3 4 5 6 7 8
Z P S C U L A T
L N Q V F E D E A 1 3 5 2 0 2 5 0
P Q Y O E B S M B 6 0 0 4 0 4 0 0
M O A A V T S Z C 1 0 0 7 2 0 0 3
V Q A T L L T Z D 0 0 4 1 2 0 2 2
S Z A K X H O O
E 0 1 0 0 2 4 6 2
I Z P S M B L L
F 0 5 4 5 4 0 3 1
V P Z C N E E D
B T Q D L M F Z G 0 0 0 2 1 4 1 1
Z F T V Z L H L H 1 1 0 3 0 5 5 0
V P M B U M A V I 4 2 0 1 3 1 1 0
M M X G F H F E J 0 0 0 0 1 0 0 1
P Q F F V X O Q K 1 0 0 1 2 0 0 0
T U R S R G D P
L 2 0 0 0 2 4 3 4
I F M B U E I G
M 11 3 4 1 2 4 0 1
M R A F V O E C
B T Q F V Y O C N 0 2 0 0 1 0 3 1
M F T S C H R O O 2 2 0 2 0 1 6 5
O A P G V G T S P 2 8 3 0 1 4 0 4
Q Y R C I M H Q Q 2 3 9 0 0 0 0 3
Z A Y H Y X G L
R 0 4 2 1 1 0 1 1
Z P Q B F Y E O
S 1 0 1 8 0 0 2 4
M Z F C K B L W
B T Q U I H U Y T 1 4 4 1 1 3 3 2
L R D C D P H P U 0 1 1 1 4 0 1 0
V O Q V V P A D V 5 0 0 3 9 0 0 1
B M W S E L O S W 0 0 2 0 1 0 0 2
M P D C M X O F X 0 0 2 0 1 4 0 0
B F T S D T N L
Y 0 1 2 0 2 3 0 1
V P T S G E A N
Z 4 4 1 0 1 0 0 4
M P M H K A E P
I E F C W M H P
O M D R V G O Q
Consider column 1. M is by far the most frequent letter, so we
M P Q B T A E C assume that M represents E. This implies that B represents T
C N U A J T N O and I represents A. The frequencies of B and I are high, so
I R X O D B N R this looks like a good fit. For a small sample, E will not
A I A F U P H T always be the most frequent letter. For example, in column 2,
K T F I I G E O the most frequent character is P, yet this implies that E (with
M H Q F P P A J frequency 1) is T and that L (with frequency 0) is A, values
B A W S V I T S that do not seem likely. A better strategy is to look for the
shift that maximizes the sum of the frequencies for E, A, and
M I M M F Y T S
T, the three most frequent plaintext letters.
M F D S V H F W
Q R Q
www.ebook777.com
free ebooks ==> www.ebook777.com
84 Secret History: The Story of Cryptology
The plaintext turns out to be a passage from the Bible about gaining
immortality.*
The index of coincidence gave too low a value for the number of alphabets,
as will often happen when two or more of the “different” alphabets used are,
in fact, the same. The repeated M alphabet in the key IMMORTAL is to blame
in this instance.
Kasiski’s attack worked better in this example, but Friedman’s index of
coincidence is, in general, the more powerful technique. Friedman would
have gained immortality through this work, even if he had done nothing
else. It can be applied in many different contexts and can even be used in
some cases to distinguish between languages:†
Language IC
English .0667
French .0778
German .0762
Italian .0738
Russian .0529 (30-letter Cyrillic alphabet)
Spanish .0775
* Publishing seems to be the surest path. Some seek immortality through accomplishments
in sports, but how many ancient Greek athletes can you name? On the other hand, you can
probably name several Greek playwrights and authors of works on mathematics, science, and
philosophy.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 378.
‡ Bennett, Jr., W.R., Scientific and Engineering Problem-Solving with the Computer, Prentice Hall,
Englewood Cliffs, NJ, 1976. Sections 4.13 and 4.14 are relevant here.
§ Boklan, K., How I broke the Confederate code (137 years too late), Cryptologia, 30(4), 340–345,
2006. Boklan later evened things out by breaking an old Union cipher.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 85
3.4 Kryptos
A more recent example of a Vigenère cipher is in the form of an intriguing
sculpture called Kryptos (Figure 3.9). Created by James Sanborn in 1990, this
artwork is located in an outdoor area within the Central Intelligence Agency
(CIA). Although the location is not open to the public, it has attracted a great
deal of public attention and is even alluded to via its latitude and longitude
on the dust jacket of Dan Brown’s novel, The Da Vinci Code.
The left half of the sculpture is the ciphertext, which may be divided into
two panels. These are referred to as panel 1 (top half of left side) and panel 2
(bottom half of left side). Both panels are reproduced in Figures 3.10 and
3.11. Each contains two distinct ciphers. These ciphers are distinguished in
the figures here, but not in the original sculpture. The right side of Kryptos
* The source of this quote is typically cited as “The Alphabet Cipher,” which was published
in 1868 in a children’s magazine. Thus far, I have been unable to obtain further bibliographic
information. I have a photocopy of the two-page paper, but even this is no help, as no title,
date, author name, or even page numbers appear on the pages. Christie’s auctioned off an
original as Lot 117 of Sale 2153. The price realized was $1000, and the item was described as
“Broadsheet on card stock (180 × 123 mm). The table of letters printed on one side and the
Explanation on the other.” So perhaps it never was in a magazine? See http://www.christies.
com/lotfinder/books-manuscripts/dodgson-charles-lutwidge-5280733-details.aspx?from=s
alesummary&pos=5&intObjectID=5280733&sid=&page=9 for more information.
† The article, “A New Cipher Code,” was published in a supplement to the January 17, 1917,
www.ebook777.com
free ebooks ==> www.ebook777.com
86 Secret History: The Story of Cryptology
FIGURE 3.9
James Sanborn’s sculpture Kryptos. (Courtesy of National Cryptologic Museum, Fort Meade,
MD.)
FIGURE 3.10
Panel 1 of Kryptos; a horizontal line has been added to separate cipher 1 from cipher 2. (Adapted
from https://www.cia.gov/about-cia/headquarters-tour/kryptos/KryptosPrint.pdf.)
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 87
FIGURE 3.11
Panel 2 of Kryptos; a (mostly) horizontal line has been added to separate cipher 3 from cipher 4.
(Adapted from https://www.cia.gov/about-cia/headquarters-tour/kryptos/KryptosPrint.pdf.)
FIGURE 3.12
Panel 3 of Kryptos provides a clue as to the means of encipherment. (Adapted from https://
www.cia.gov/about-cia/headquarters-tour/kryptos/KryptosPrint.pdf.)
www.ebook777.com
free ebooks ==> www.ebook777.com
88 Secret History: The Story of Cryptology
FIGURE 3.13
Panel 4 of Kryptos, in which the clue continues. (Adapted from https://www.cia.gov/about-
cia/headquarters-tour/kryptos/KryptosPrint.pdf.)
K R Y P T O S A B C D E F G H I J L M N Q U V W X Z plaintext
G H I J L M N Q U V W X Z K R Y P T O S A B C D E F alphabet 1
A B C D E F G H I J L M N Q U V W X Z K R Y P T O S alphabet 2
U V W X Z K R Y P T O S A B C D E F G H I J L M N Q alphabet 3
S A B C D E F G H I J L M N Q U V W X Z K R Y P T O alphabet 4
S A B C D E F G H I J L M N Q U V W X Z K R Y P T O alphabet 5
Below this, the key GAUSS is written vertically down the left-hand side
to provide the first letters of our five cipher alphabets. Each of these cipher
alphabets is continued from its first letter in the same order as our initial
mixed alphabet. Now, to encipher, the five alphabets are used in order, as
many times as necessary, until the message is at an end, so we get
Determining the correct keys and recovering the first two messages is left
as a challenge to the reader. The solutions can easily be found online. Can you
use the techniques detailed in this chapter to meet this challenge? The second
part should be easier than the first, as there is more ciphertext to work with.
The third cipher made use of transposition (see Chapter 4) and was also
solved by Gillogly. With only a little more than three lines of ciphertext left,
Gillogly got stuck. He was unable to break the fourth and final cipher.
After Gillogly’s success, the CIA revealed that one of its employees, David
Stein, had already deciphered the portions Gillogly recovered back in
1998. Stein’s results appeared in a classified publication, which James had
no opportunity to see. Not to be bested by the CIA, the National Security
Agency (NSA) revealed that some of their employees had solved it in 1992,
but initially NSA would not provide their names. In 2005, the informa-
tion was released that it was actually a team at NSA (Ken Miller, Dennis
McDaniels, and two others whose iden-
tities are still not publicly known).*
Despite intense attention, the last portion
of Kryptos has resisted decipherment, at
least as far as the general public knows!
* http://en.wikipedia.org/wiki/Kryptos.
† Levy, S., Mission impossible: the code even the CIA can’t crack, Wired, 17(05), April 20, 2009
(www.wired.com/science/discoveries/magazine/17-05/ff_kryptos).
‡ Scryer, Kryptos clue, The Cryptogram, 77(1), 11, 2011. Scryer is the American Cryptogram
www.ebook777.com
free ebooks ==> www.ebook777.com
90 Secret History: The Story of Cryptology
For what it’s worth, my best guess is that the fourth cipher arose from
matrix encryption (see Chapter 7). The positions of the intentional errors
made by Sanborn in the earlier ciphers may indicate the values in the enci-
phering matrix used for the final cipher.
3.5 Autokeys
Now that we’ve examined the cryptography, cryptanalysis, and historical
uses of the basic Vigenère cipher, let’s examine the real contribution that Blaise
de Vigenère made to this system, which, recall, already existed. Vigenère’s
autokey only used the given key (COMET in the examples below) once. After
that single application, the original message (or the ciphertext generated) is
used as the key for the rest of the message.
SENDSUPPLIES… message
COMETSENDSUP… key
USZHLMTCOAYH… cryptogram
SENDSUPPLIES… message
COMETUSZHLOH… key
USZHLOHOSTSZ… cryptogram
SENDSUPPLIES… message
COMETUSNHLOH… key
USNHLOHCSTSZ… cryptogram obtained
USZHLOHOSTSZ… cryptogram desired
Continuing on, we would find that every fifth ciphertext character after our
initial error is also incorrect.
The Vigenère cipher was introduced in this chapter, then broken, and we’re
about to go on to patch it, creating a stronger system; however, it should be
noted that the Vigenère cipher did not get disposed of so quickly in the real
world. It had an extremely successful run. We may never again see a system
that survives for hundreds of years before successful attacks are discovered.
Here the message is enciphered using A Tale of Two Cities by Charles Dickens
as the key.
The Kasiski attack will not work against this upgrade to the Vigenère
cipher, since the key never repeats and Friedman’s index of coincidence will
only indicate that a large number of cipher alphabets was used. However,
that doesn’t mean that Friedman was defeated by the running key cipher. In
a cover letter introducing his paper “Methods for the Solution of Running-
Key Ciphers,” he wrote:*
* Friedman, W., Methods for the Solution of Running-Key Ciphers, Publ. No. 16, Riverbank
Laboratories, Geneva, IL, 1918.
www.ebook777.com
free ebooks ==> www.ebook777.com
92 Secret History: The Story of Cryptology
probably known to you that the U.S. Army Disk in connection with a
running-key has been used as a cipher in field service for many years,
and is, to the best of our knowledge, in use to-day. I suppose that its
long-continued use, and the confidence placed in its safety as a field
cipher has been due very probably to the fact that no one has ever taken
the trouble to see whether “It could be done.” It is altogether probable
that the enemy, who has been preparing for war for a long time, has not
neglected to look into our field ciphers, and we are inclined to credit
him with a knowledge equal to or superior to our own. We have been
able to prove that not only is a single short message enciphered by the
U.S. Army Disk, or any similar device, easily and quickly deciphered,
but that a series of messages sent out in the same key may be deciphered
more rapidly than they have been enciphered!
Friedman’s new attack was based on some very simple mathematics and is
now examined.
A list of the probabilities of letters in English is provided once more in
Table 3.3 for handy reference.
Now suppose we see the letter A in a ciphertext arising from some running
key. It could have arisen from an A in the message combining with another
A from the key or it could have arisen from a B in the message combining
with a Z from the key. Which seems more likely to you? The letter A is much
more common than B or Z, so the first possibility is more likely. There are
other possible combinations that would yield an A in the ciphertext. Table 3.4
lists all plaintext/key combinations along with their probabilities (obtained
using Table 3.3).
TABLE 3.3
Probabilities of Letters in English
Letter Probability Letter Probability
A=0 .08167 N = 13 .06749
B=1 .01492 O = 14 .07507
C=2 .02782 P = 15 .01929
D=3 .04253 Q = 16 .00095
E=4 .12702 R = 17 .05987
F=5 .02228 S = 18 .06327
G=6 .02015 T = 19 .09056
H=7 .06094 U = 20 .02758
I=8 .06966 V = 21 .00978
J=9 .00153 W = 22 .02360
K = 10 .00772 X = 23 .00150
L = 11 .04025 Y = 24 .01974
M = 12 .02406 Z = 25 .00074
Source: Beutelspacher, A., Cryptology, Mathematical
Association of America, Washington, D.C.,
1994, p. 10.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 93
TABLE 3.4
Plaintext/Key Combinations and Probabilities
Combination Probability Ranking
AA .0066699889 = .0066699889 3
BZ .0000110408 ×2 = .0000220816 13
CY .0005491668 ×2 = .0010983336 9
DX .0000637950 ×2 = .0001275900 12
EW .0029976720 ×2 = .0059953440 4
FV .0002178984 ×2 = .0004357968 10
GU .0005557370 ×2 = .0011114740 8
HT .0055187264 ×2 = .0110374528 1
IS .0044073882 ×2 = .0088147764 2
JR .0000916011 ×2 = .0001832022 11
KQ .0000073340 ×2 = .0000146680 14
LP .0007764225 ×2 = .0015528450 7
MO .0018061842 ×2 = .0036123684 6
NN .0045549001 = .0045549001 5
Note that we must double the probabilities for distinct key and message
letters. For example, the pair B and Z, which combine to give A, can do so
with B in the message and Z in the key or with Z in the message and B in
the key. Thus, there are two equally probable ways this pair of letters can
yield A. However, there is only one way that the letters A and A can combine
to yield A. Similarly, N and N can only combine in one way to give A. So, we
do not double the probability if two of the same letter combine to give the
ciphertext letter.
The rankings in the table above show that a ciphertext A is most likely to
arise from combining an H and a T. However, the other pairings will some-
times be correct. Considering the top five possibilities will yield the correct
pairings often enough that the remaining solutions can be found in a man-
ner similar to fixing typos. The tables of ranked pairings for each letter of the
alphabet are given in Table 3.5.*
We now take a look at a running key ciphertext to see how Friedman used
rankings like those given above to read the original message and key—for
example,
L A E K A H B W A G W I P T U K V S G B
The L that starts the ciphertext is likely to have arisen from E+H, S+T, A+L,
D+I, or R+U, as these are the top five pairings that yield L. We write these let-
ters under L in a long vertical column and then write them out again with the
ordering reversed in each pair. We do the same with the top five pairings for
each of the other letters in the ciphertext. This gives us Table 3.6.
* Thanks to Adam Reifsneider for writing a computer program to calculate these rankings.
www.ebook777.com
free ebooks ==> www.ebook777.com
94 Secret History: The Story of Cryptology
TABLE 3.5
Ranked Pairings for Each Letter of the Alphabet
A B C D
HT 0.0110374528 IT 0.012616819 OO 0.0056355049 AD 0.0069468502
IS 0.0088147764 NO 0.0101329486 EY 0.0050147496 LS 0.0050932350
AA 0.0066699889 HU 0.0033614504 LR 0.0048195350 OP 0.0028962006
EW 0.0059953440 AB 0.0024370328 AC 0.0045441188 MR 0.0028809444
NN 0.0045549001 DY 0.0016790844 IU 0.0038424456 HW 0.0028763680
MO 0.0036123684 FW 0.0010516160 NP 0.0026037642 KT 0.0013982464
LP 0.0015528450 MP 0.0009282348 HV 0.0011919864 IV 0.0013625496
GU 0.0011114740 KR 0.0009243928 KS 0.0009768888 FY 0.0008796144
CY 0.0010983336 GV 0.0003941340 GW 0.0009510800 BC 0.0008301488
FV 0.0004357968 EX 0.0003810600 JT 0.0002771136 EZ 0.0001879896
JR 0.0001832022 JS 0.0001936062 BB 0.0002226064 NQ 0.0001282310
DX 0.0001275900 LQ 0.0000764750 FX 0.0000668400 JU 0.0000843948
BZ 0.0000220816 CZ 0.0000411736 DZ 0.0000629444 GX 0.0000604500
KQ 0.0000146680 MQ 0.0000457140
E F G H
AE 0.0207474468 OR 0.0089888818 NT 0.0122237888 OT 0.0135966784
NR 0.0080812526 NS 0.0085401846 OS 0.0094993578 DE 0.0108043212
LT 0.0072900800 MT 0.0043577472 CE 0.0070673928 AH 0.0099539396
IW 0.0032879520 BE 0.0037902768 AG 0.0032913010 NU 0.0037227484
MS 0.0030445524 AF 0.0036392152 IY 0.0027501768 PS 0.0024409566
BD 0.0012690952 HY 0.0024059112 PR 0.0023097846 LW 0.0018998000
GY 0.0007955220 CD 0.0023663692 DD 0.0018088009 CF 0.0012396592
CC 0.0007739524 LU 0.0022201900 MU 0.0013271496 BG 0.0006012760
KU 0.0004258352 IX 0.0002089800 LV 0.0007872900 MV 0.0004706136
PP 0.0003721041 KV 0.0001510032 BF 0.0006648352 QR 0.0001137530
HX 0.0001828200 JW 0.0000722160 KW 0.0003643840 IZ 0.0001030968
OQ 0.0001426330 PQ 0.0000366510 HZ 0.0000901912 JY 0.0000604044
FZ 0.0000329744 GZ 0.0000298220 JX 0.0000045900 KX 0.0000231600
JV 0.0000299268 QQ 0.0000009025
I J K L
EE 0.0161340804 RS 0.0075759498 RT 0.0108436544 EH 0.0154811976
AI 0.0113782644 EF 0.0056600112 DH 0.0051835564 ST 0.0114594624
OU 0.0041408612 CH 0.0033907016 EG 0.0051189060 AL 0.0065744350
RR 0.0035844169 NW 0.0031855280 SS 0.0040030929 DI 0.0059252796
PT 0.0034938048 BI 0.0020786544 CI 0.0038758824 RU 0.0033024292
DF 0.0018951368 DG 0.0017139590 OW 0.0035433040 NY 0.0026645052
BH 0.0018184496 LY 0.0015890700 AK 0.0012609848 PW 0.0009104880
NV 0.0013201044 OV 0.0014683692 MY 0.0009498888 FG 0.0008978840
MW 0.0011356320 PU 0.0010640364 FF 0.0004963984 BK 0.0002303648
CG 0.0011211460 AJ 0.0002499102 PV 0.0003773124 OX 0.0002252100
KY 0.0003047856 QT 0.0001720640 NX 0.0002024700 CJ 0.0000851292
LX 0.0001207500 MX 0.0000721800 LZ 0.0000595700 MZ 0.0000356088
QS 0.0001202130 KZ 0.0000114256 QU 0.0000524020 QV 0.0000185820
JZ 0.0000022644 BJ 0.0000456552
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 95
Q R S T
EM 0.0061122024 EN 0.0171451596 EO 0.0190707828 AT 0.0147920704
DN 0.0057406994 AR 0.0097791658 AS 0.0103345218 IL 0.0056076300
II 0.0048525156 DO 0.0063854542 HL 0.0049056700 EP 0.0049004316
CO 0.0041768948 TY 0.0035753088 FN 0.0030073544 FO 0.0033451192
SY 0.0024978996 GL 0.0016220750 BR 0.0017865208 CR 0.0033311668
FL 0.0017935400 CP 0.0010732956 DP 0.0016408074 HM 0.0029324328
UW 0.0013017760 FM 0.0010721136 UY 0.0010888584 GN 0.0027198470
BP 0.0005756136 HK 0.0009409136 IK 0.0010755504 BS 0.0018879768
GK 0.0003111160 VW 0.0004616160 GM 0.0009696180 VY 0.0003861144
TX 0.0002716800 IJ 0.0002131596 WW 0.0005569600 DQ 0.0000808070
HJ 0.0001864764 SZ 0.0000936396 TZ 0.0001340288 WX 0.0000708000
AQ 0.0001551730 UX 0.0000827400 CQ 0.0000528580 UZ 0.0000408184
VV 0.0000956484 BQ 0.0000283480 VX 0.0000293400 JK 0.0000236232
RZ 0.0000886076 JJ 0.0000023409
U V W X
HN 0.0082256812 ER 0.0152093748 ES 0.0160731108 ET 0.0230058624
DR 0.0050925422 IN 0.0094027068 IO 0.0104587524 FS 0.0028193112
AU 0.0045049172 HO 0.0091495316 DT 0.0077030336 IP 0.0026874828
CS 0.0035203428 DS 0.0053817462 AW 0.0038548240 GR 0.0024127610
IM 0.0033520392 CT 0.0050387584 FR 0.0026678072 DU 0.0023459548
GO 0.0030253210 AV 0.0015974652 HP 0.0023510652 LM 0.0019368300
BT 0.0027023104 BU 0.0008229872 LL 0.0016200625 KN 0.0010420456
WY 0.0009317280 GP 0.0007773870 CU 0.0015345512 BW 0.0007042240
FP 0.0008595624 KL 0.0006214600 YY 0.0003896676 CV 0.0005441592
EQ 0.0002413380 JM 0.0000736236 KM 0.0003714864 AX 0.0002450100
www.ebook777.com
free ebooks ==> www.ebook777.com
96 Secret History: The Story of Cryptology
Reversing the order of the letter pairs in the second block allows a nice
correspondence. If the third letter under the L was actually used in the mes-
sage or key to generate the L, then the third letter down in the bottom block
of text is what it was paired with. You will soon see how this helps with the
cryptanalysis. Letters that pair with themselves to give the desired cipher-
text letter will appear twice in our table. This is redundant, but aesthetically
pleasing; it keeps all of the columns the same length.
We now focus on the first block of text, the ten rows of letters directly
beneath the ciphertext. We try to select a single letter from each column, such
that a meaningful message is formed by them when read across. There may
be many, but we go slowly and can easily tell if we are likely to be on the right
track. We do this by considering letters in the lower block of text that occupy
the same positions as the letters in the message we are attempting to form. If
the letters in the bottom block are also forming words, we gain confidence in
our solution. This will become clearer as our example continues.
Since THE is the most common word in English, we may as well try to start
there. We select letters in the top block of text that spell THE and see what we
get from those positions in the bottom block of text (see Table 3.7).
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 97
TABLE 3.6
Sample Running Key Ciphertext
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
www.ebook777.com
free ebooks ==> www.ebook777.com
98 Secret History: The Story of Cryptology
TABLE 3.7
Finding THE in the First Block and STA in the Second Block
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
TABLE 3.8
Finding THE TH in the First Block and START in the Second Block
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 99
TABLE 3.9
Finding STAGE in the Second Block
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
The top rectangle now reads THE TH. This looks okay. It could turn out
to be THE THOUGHT IS WHAT COUNTS or THE THREE AMIGOS or THE
THREAT OF DEFEAT LOOMS LARGE. To see what happens if we make a
wrong turn, let’s investigate the result if we guess that the bottom rectangle
reads STAGE (Table 3.9).
The top text would be THE EW…, which we would have trouble continuing
or possibly THEE W…, but THEE seems like an unlikely word if the message
wasn’t sent by Shakespeare or Thor.
So, continuing on with the texts we’ve recovered, THE TH and START, we
may look at either rectangle, whichever seems easier to continue. I prefer the
top. Examine it yourself and see if your selection matches the one I give in
Table 3.10.
THE TH can be extended to THE THOUSAND, and the bottom rectangle then
yields START THE ATT…. This must be START THE ATTACK. It seems that
we are getting the message in the bottom block and the key in the top block
this time. We try to complete the word ATTACK in the bottom rectangle and
check to make sure the top rectangle is still giving something meaningful.
But we hit a snag—there is no K to be found where we need one! That’s okay.
The rectangles list the most likely pairings, but less likely pairings can occur.
We simply tack on the K we need, along with (in the top rectangle) the J it
must combine with to yield the ciphertext letter T (Table 3.11). We can always
www.ebook777.com
free ebooks ==> www.ebook777.com
100 Secret History: The Story of Cryptology
TABLE 3.10
Working from THE TH in the First Block and START in the Second Block
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
add letters in this manner, but we really shouldn’t unless we are either fairly
confident that they are correct or have no other reasonable options. Our two
texts now read START THE ATTACK and THE THOUSAND INJ…. Once more,
please take a moment to look for the continuation of INJ in the top rectangle
(to see that it’s not so hard to do) before reading on.
Of course, one could proceed in a different direction by trying to extend
START THE ATTACK. In general, though, it’s easier to complete partial
words than to find new ones, unless the preceding words are the beginning
of a well-known phrase. Speaking of which, there will likely be a reader
who has already recognized the source of the key being used here. More in
a moment.
Okay, did you extend the top text to THE THOUSAND INJURIES? This
makes the bottom text read START THE ATTACK AT NOO. Looking at the
bottom text one last time, we extend it by another letter and then do the same
in the top rectangle. We now have the message and the key:
The key was, by the way, the beginning of Edgar Allan Poe’s short story “The
Cask of Amontillado.”
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 101
TABLE 3.11
Adding J and K as Needed
L A E K A H B W A G W I P T U K V S G B
E H A R H O I E H N E E E A H R E E N I
H T E T T T T S T T S E L T N T R O T T
S I N D I D N I I O I A H I D D I A O N
T S R H S E O O S S O I I L R H N S S O
A A L E A A H D A C D O T E A E H H C H
L A T G A H U T A E T U W P U G O L E U
D E I S E N A A E A A R C F C S D F A A
I W W S W U B W W G W R N O S S S N G B
R N M C N P D F N I F P A C I C C B I D
U N S I N S Y R N Y R T P R M I T R Y Y
J
H T E T T T T S T T S E L T N T R O T T
E H A R H O I E H N E E E A H R E E N I
T S R H S E O O S S O I I L R H N S S O
S I N D I D N I I O I A H I D D I A O N
L A T G A H U T A E T U W P U G O L E U
A A L E A A H D A C D O T E A E H H C H
I W W S W U B W W G W R N O S S S N G B
D E I S E N A A E A A R C F C S D F A A
U N S I N S Y R N Y R T P R M T T R Y Y
R N M C N P D F N I F P A C I C C B I D
K
The example chosen above to illustrate this attack was a little easier than
usual. Nine times out of 20 (45%), the pair of letters most likely to yield a
particular ciphertext letter did yield that letter. Experiments reveal that this
happens less than a third of the time on average. Also, the example only had
one ciphertext letter (5% of the cipher) that did not arise from one of the five
most likely pairings. This was a lower percent than usual.
Nevertheless, this is a great attack. Friedman made the attack even quicker
by cutting out the columns. This allowed him to move individual columns
up and down. When he got a word or phrase going across letters from the
top rectangle, he could glance down at the bottom rectangle and also read
the corresponding letters there straight across. I used bold text and under-
lining, since it is easier to present it this way in a book, but the sliding paper
works better for classroom demonstrations.
Although Friedman didn’t pursue it further, his attack can be expanded.
Instead of taking the ciphertext characters one at a time, groups may be con-
sidered; for example, suppose the ciphertext begins MOI. Our tables suggest
www.ebook777.com
free ebooks ==> www.ebook777.com
102 Secret History: The Story of Cryptology
Fraction Correct
0.8
0.6
0.4
0.2
0
1 2 3 4 5 6
N-gram Size (characters)
FIGURE 3.15
Griffing’s results (solid line) compared to an earlier attempt by others (dotted line).
But, these tables don’t take context into consideration. The top pairing sug-
gested for O does not consider what letters appear before or after it in the
ciphertext. Taking the letters MOI as a group and using trigraph frequencies
to rank the possibilities, we see it is most likely to arise from THE+THE.
Christian N.S. Tate, an undergraduate at the time, and I investigated this
new attack. We split the ciphertext into groups of characters and used fre-
quencies for letter combinations of the group size to rank our pairings. For
example, if the ciphertext was HYDSPLTGQ, and we were using groups of
three characters to launch our attack, we would split the ciphertext up as
HYD SPL TGQ and replace each trigram with the pair most likely to yield it.
The idea needed to be tested, and the easiest way to do so was to write
computer programs to carry out the calculations and analyze the results.
We tested single character analysis (as Friedman had) digraphs, trigraphs,
tetragraphs, pentagraphs, and hexagraphs.
I expected that after the results were in I could compare the new attack to
Friedman’s and say, “It is a far far better thing I have done.” However, this
was not the case. The results were only marginally better! We tried to place
the results in the best light possible for the write-up. Figuring that even the
slightest improvement on Friedman’s work ought to be worth publishing,
we submitted the paper. A kind editor accepted it following some revising.
Fortunately, Alexander Griffing, a student in the bioinformatics doctorate
program at North Carolina State University, saw the paper and was able to
turn the attack into something truly successful. He did this by not just taking
the blocks of ciphertext characters one after the other, but by also consider-
ing their overlap when computing the most likely solution.* So, when consid-
ering the ciphertext HYDSPLTGQ, Griffing’s method didn’t just look at how
HYD, SPL, and TGQ could arise, but rather HYD, YDS, DSP, SPL, PLT, LTG, and
TGQ. A graph reproduced from his paper is provided in Figure 3.15. It shows
how his method is better than the method Tate and I proposed for every size
letter group considered, and it is dramatically better when pentagraphs and
hexagraphs are used.
* Griffing, A., Solving the running key cipher with the Viterbi algorithm, Cryptologia, 30(4),
361–367, 2006.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 103
24
20
16
12
0 4 8 12
FIGURE 3.16
Number of spurious decipherments as a function of the message size. (From Deavours, C.A.,
Cryptologia, 1(1), 62, 1977.)
With the techniques discussed in this chapter, running key ciphers of any
length can be broken; however, extremely short messages are not likely to
have unique solutions. The graph in Figure 3.16 shows how the number of
potential solutions changes as a function of the message’s length. Beyond
eight characters, we expect only a single solution.
www.ebook777.com
free ebooks ==> www.ebook777.com
104 Secret History: The Story of Cryptology
is, in fact, the only cipher that is theoretically unbreakable.* Edgar Allan Poe
didn’t know about it when he wrote that “human ingenuity cannot concoct a
cipher which human ingenuity cannot resolve.” We can forgive him, since this
method had not yet been discovered. Despite the way in which the unbreak-
able system seems to naturally evolve from “patching” the running key cipher,
historians believed, until very recently,† that it didn’t arise until the years 1917
to 1918, when it was developed by Gilbert Vernam (Figure 3.17) and Major
Joseph O. Mauborgne (Figure 3.18) at AT&T. The form it took then was differ-
ent from how it is introduced here, but functionally equivalent. We will return
shortly to how Vernam and Mauborgne described their system. Sometimes it’s
referred to as a Vernam cipher, but the name one-time pad is a bit better because
it emphasizes the proper use of the key—only once! If a random key is used for
more than one message, it is no longer unbreakable, as we shall see.
The one-time pad could easily have been discovered hundreds of years
earlier, as it works in much the same way as a Vigenère cipher or a running
key cipher, except the key is random and must be as long as the message. As
an example, suppose the one-time pad begins USNHQ LFIYU and Bob wants
to send the message I LOVE ALICE. Using the pad as the key and adding
letters (using their numerical equivalents) mod 26, we have
* Shannon, C., Communication theory of secrecy systems, The Bell System Technical Journal,
28(4), 656–715, 1949. Shannon noted, “The material in this paper appeared in a confidential
report ‘A Mathematical Theory of Cryptography’ dated Sept. 1, 1945, which has now been
declassified.”
† If you know about Frank Miller, please be patient. I discuss his work at the end of this chapter.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 105
If Eve intercepts the message and correctly guesses the key, she recov-
ers the message; however, she has no reason to guess this particular key. If
she instead guesses UWMYQ LFIYU, then the message deciphers to I HATE
ALICE. Or, suppose she tries the key USNHQ SJKYJ. In this case, the mes-
sage becomes I LOVE SUSAN. Any message 10 characters in length will
arise from some key. As Eve has no reason to favor one key over another, she
receives no information beyond the length of the message. In fact, the length
of the ciphertext only provides an upper bound on the length of the message.
Padding may have been added to make a very brief message appear longer.
Following the development of an unbreakable cipher, we might well
expect that it would quickly be adopted by everyone and all other methods
of encryption would vanish. This was not the case! In fact, it was not until
the early 1920s that this American discovery saw heavy use and it was by
the Germans!* They used it as an extra step for their diplomatic codes; that
is, after the message was converted to numerical code groups, the one-time
pad, in the form of a list of random digits between 0 and 9, was used to
shift each of the ciphertext values. Whenever such an extra step is taken,
whether the key is random or not, we refer to the system as an enciphered
code. One-time pads were also used by the Office of Strategic Services (OSS),†
an American group in World War II that evolved into both the CIA and
the Green Berets, and heavily by the Soviet Union for diplomatic messages
beginning in 1930.‡
One famous Russian spy caught by the Federal Bureau of Investigation
(FBI) in New York City with a one-time pad in 1957 was Rudolf Abel.§ Five
years after his arrest he was traded for Francis Gary Powers, who was shot
down while piloting a U-2 spy plane over the Soviet Union. The trade took
place on the Glienick Bridge connecting East and West Berlin.
Figure 3.19 is a page from a one-time pad used by a Communist spy in
Japan in 1961.¶ One side was probably for enciphering and the other for
deciphering.
* This is according to Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 402.
However, A.G. Denniston recalled German use beginning in 1919 in a memoir (penned in
1944) titled “The Government Code and Cypher School Between the Wars,” which appeared
posthumously in Intelligence and National Security, 1(1), 48–70, 1986 (p. 54 cited here). Kahn’s
estimate of 1921 to 1923 was based on interviews conducted with German cryptographers
in 1962.
† But not exclusively, as it was just one of many systems they employed. See Kahn, D., The
www.ebook777.com
free ebooks ==> www.ebook777.com
106 Secret History: The Story of Cryptology
FIGURE 3.19
Page from a one-time pad used by a Communist spy in Japan in 1961. One side was probably for
enciphering and the other for deciphering. (From Kahn, D., The Codebreakers, 2nd ed., Scribner,
New York, 1996, p. 665. With permission.)
Although it had been talked about for some time, it was only in 1963, after
the Cuban missile crisis, that the “hot line” was set up between Washington,
DC, and Moscow (Figure 3.20). Actually, there were two hot lines (a backup
is always a good idea), and both were secured with one-time pads. A com-
mercially available system that was keyed by tapes was used.*
When Ché Guevara was killed in Bolivia in 1967, he was found to be car-
rying a one-time pad.† A message Ché sent to Fidel Castro months earlier,
which used a Polybius cipher to convert the text to numbers prior to applying
a numerical one-time pad, was later decoded by Barbara Harris and David
Kahn using Ché’s calculation sheet.‡
FIGURE 3.20
The one-time tape is visible on the left side in this picture of the hot line between Washington,
DC, and Moscow. (Courtesy of the National Cryptologic Museum, Fort Meade, MD.)
them is also very difficult. If you think these problems are not so tough after
all, consider some of the failed implementations of the system described
below.
During World War II, the German Foreign Office made use of one-time pads
for its most important messages, but the pads were generated by machines,
which cannot create truly random sequences. In the winter of 1944–1945, the
U.S. Army’s Signal Security Agency was able to break these messages.*
Another way the system can fail is by using the same key twice. To see how
this can be broken, let M1 and M2 denote two distinct messages that are sent
with the same page of key K. Our two ciphertexts will then be
C1 = M1 + K and C2 = M2 + K
C1 – C2 = (M1 + K) – (M2 + K) = M1 + K – M2 – K = M1 – M2
So the eavesdropper can create a text that is the difference of two mean-
ingful messages. It makes no important difference that the meaningful
* Erskine, R., Enigma’s security: what the Germans really knew, in Erskine, R. and Smith, M.,
Eds., Action This Day, Bantam Press, London, 2001, p. 372.
www.ebook777.com
free ebooks ==> www.ebook777.com
108 Secret History: The Story of Cryptology
* Phillips, C.J., What made Venona possible?, in Benson, R.L. and Warner, M., Eds., Venona:
Soviet Espionage and the American Response, 1939–1957, National Security Agency and Central
Intelligence Agency, Washington, D.C., 1996, p. xv.
† Benson, R.L. and Warner, M., Eds., Venona: Soviet Espionage and the American Response, 1939–
1957, National Security Agency and Central Intelligence Agency, Washington, D.C., 1996, p. viii.
‡ It was originally found by Finnish troops, who overran the Soviet consulate in Finland in 1941.
The Germans then got the book from the Finns, and finally in May 1945 Americans found a copy
in a German signals intelligence archive in Saxony, Germany. See Haynes, J.E. and Klehr, H.,
Venona: Decoding Soviet Espionage in America, Yale University Press, New Haven, CT, 1999, p. 33.
§ Haynes, J.E. and Klehr, H., Venona: Decoding Soviet Espionage in America, Yale University Press,
1957, National Security Agency and Central Intelligence Agency, Washington, D.C., 1996, p. xxx.
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 109
FIGURE 3.21
A one-time pad, very much like those used by Cold War spies. (Copyright Dirk Rijmenants,
2009; http://users.telenet.be/d.rijmenants/en/onetimepad.htm.)
Cohen. They had done spy work in the United States but fled the country
following the arrest of Julius Rosenberg. After their capture, they were sen-
tenced to 20 years in prison, but 8 years later they were traded to the Soviets.
A Soviet newspaper stated, “Thanks to Cohen, designers of the Soviet atomic
bomb got piles of technical documentation straight from the secret laborato-
ries in Los Alamos.”*
Our initial example used letters for the key, but the pads depicted above
used numbers. Suppose we use a random number generator to get a string
of values, each between 0 and 9. We then shift each letter of a message by the
digits, one at a time. Here’s an example:
The answer to the question posed by the message is no! If there are only
ten possible shifts for each letter, then there are only ten possible decipher-
ments for each ciphertext character. For example, the initial ciphertext letter
P couldn’t possible represent plaintext A, as that would require the first digit
of the key to have been 15.
* Komsomolskaya Pravda, quoted here from Polmar, N. and Allen, T.B., Spy Book: The
Encyclopedia of Espionage, Random House, New York, 1997, p. 128.
www.ebook777.com
free ebooks ==> www.ebook777.com
110 Secret History: The Story of Cryptology
3.9 Faking Randomness
Randomness is essential for the one-time pad, but generating randomness
is quite difficult, so in addition to the difficulty of generating the large vol-
umes of key needed we have the difficulty involved in generating any of it!
Solar radiation and other natural phenomena have been used, in addition to
artificial sources, to generate keys; however, artificial sources cannot be truly
random. We refer to them as pseudorandom number generators. If we use one
of these, which is often more convenient, we have what is known as a stream
cipher. These systems are discussed in Chapter 18.
As was mentioned earlier, the manner in which the one-time pad was pre-
sented here is not how it was implemented by Vernam. His story began in
1917 when he devised a machine to perform encryption by making use of
tape. A later version of his mechanical solution is pictured in Figure 3.22.
Printer
Message Machine
Transmitter Perforator
Key Tape
Keyboard Transmitters
Perforator
Key Tapes
FIGURE 3.22
Cipher printing telegraph machine. (From Vernam, G.S., Journal of the American Institute of
Electrical Engineers, 45, 109, 1926.)
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 111
FIGURE 3.23
Five-unit printing telegraph code. This is sometimes referred to as a Baudot code, after its
French inventor J.M.E. Baudot, who is also the source for the term baud. (Image drawn by and
courtesy of Sam Hallas.)
www.ebook777.com
free ebooks ==> www.ebook777.com
112 Secret History: The Story of Cryptology
This method, if carried out manually, is slow and laborious and liable
to errors. If errors occur, such as the omission of one or more letters, the
messages are difficult for the recipient to decipher. Certain difficulties
would also be involved in preparing, copying and guarding long ran-
dom keys. The difficulties with this system are such as to make it unsuit-
able for general use, unless mechanical methods are used.
Vernam also noted in this paper that, “This cipher was demonstrated before
the delegates to the Preliminary International Communications Conference
in October, 1920.”‡ In today’s world, a government employee would not be
demonstrating the latest in encryption technology at an international confer-
ence or publishing it in an open journal!
* He also suggested that the two lengths could differ by some other amount, as long as that
amount was not a factor of the length of either tape. If this does not sound quite right to you,
good! There is a much better way to restrict the lengths of the two tapes if we want to gain a
long period.
† Vernam, G.S., Cipher printing telegraph systems for secret wire and radio telegraphic com-
munications, Journal of the American Institute of Electrical Engineers, 45, 113, 1926.
‡ Ibid., p. 115
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 113
TABLE 3.12
Cipher Created by Mauborgne in 1915
PMVEB DWXZA XKKHQ RNFMJ VATAD YRJON FGRKD TSVWF TCRWC
RLKRW ZCNBC FCONW FNOEZ QLEJB HUVLY OPFIN ZMHWC RZULG
BGXLA GLZCZ GWXAH RITNW ZCQYR KFWVL CYGZE NQRNI JFEPS
RWCZV TIZAQ LVEYI QVZMO RWQHL CBWZL HBPEF PROVE ZFWGZ
RWLJG RANKZ ECVAW TRLBW URVSP KXWFR DOHAR RSRJJ NFJRT
AXIJU RCRCP EVPGR ORAXA EFIQV QNIRV CNMTE LKHDC RXISG
RGNLE RAFXO VBOBU CUXGT UEVBR ZSZSO RZIHE FVWCN OBPED
ZGRAN IFIZD MFZEZ OVCJS DPRJH HVCRG IPCIF WHUKB NHKTV
IVONS TNADX UNQDY PERRB PNSOR ZCLRE MLZKR YZNMN PJMQB
RMJZL IKEFV CDRRN RHENC TKAXZ ESKDR GZCXD SQFGD CXSTE
ZCZNI GFHGN ESUNR LYKDA AVAVX QYVEQ FMWET ZODJY RMLZJ
QOBQ
* Kruh, L., A 77-year old challenge cipher, Cryptologia, 17(2), 172–174, 1993.
† Marks, L., Between Silk and Cyanide: A Codemaker’s War, 1941–1945, The Free Press, New York,
1998, p. 250.
www.ebook777.com
free ebooks ==> www.ebook777.com
114 Secret History: The Story of Cryptology
FIGURE 3.24
A pair of silk one-time pads. (Left image courtesy of the International Spy Museum; right image
featuring Leo Marks from Sara Krulwich/The New York Times/Redux Pictures. With permission.)
Churchill to “set Europe ablaze.” The keys were issued on silk that would be
less suspicious when sewn into clothing than the lump produced by a pad of
paper. As with paper keys, used portions of the silk keys could be cut or torn
off and destroyed. Some silks were printed with the keys in invisible ink. Of
course, a strong case had to be made for using silk in this manner, as there
were wartime shortages and silk was also needed for parachutes. Prior to
Marks’ rediscovery of the letter one-time pad system, the SOE made use of
transposition ciphers. These are discussed in the next chapter.
3.12 History Rewritten!
At the beginning of the discussion of the one-time pad, I wrote that “histo-
rians believed, until very recently, that it didn’t arise until the years 1917 to
1918, when it was developed by Gilbert Vernam and Major Joseph Mauborgne
at AT&T.” In 2011, history was rewritten by Steven M. Bellovin, a computer
science professor and a collector of code books. Bellovin’s hobby had previ-
ously intersected with his professional life when he gave an entertaining lec-
ture titled “Compression, Correction, Confidentiality, and Comprehension:
A Modern Look at Commercial Telegraph Codes” at the 2009 Cryptologic
free ebooks ==> www.ebook777.com
Simple Progression to an Unbreakable Cipher 115
www.ebook777.com
free ebooks ==> www.ebook777.com
116 Secret History: The Story of Cryptology
Friedman, W.F., Methods for the Solution of Running-Key Ciphers, Publ. No. 16, Riverbank
Laboratories, Geneva, IL, 1918. Friedman showed that the U.S. Army’s field cipher
was insecure in this paper, even for short messages. This was reprinted together
with other Friedman papers in Friedman, W.F., The Riverbank Publications, Volume
1, Aegean Park Press, Laguna Hills, CA, 1979. As the original printing only con-
sisted of 400 copies, I suggest looking for the reprint instead.
Griffing, A., Solving XOR plaintext strings with the Viterbi algorithm, Cryptologia,
30(3), 257–265, 2006. This paper attacks running key ciphers where word spac-
ing is preserved in the message and the key.
Griffing, A., Solving the running key cipher with the Viterbi algorithm, Cryptologia,
30(4), 361–367, 2006. This paper dramatically improves upon the results in
Bauer and Tate and in Bauer and Gottloeb, to the point that their papers ought
to be burned.
On One-Time Pads
Note: There is some overlap between papers on generating one-time pads
and papers on random number generators. Papers that fall in the overlap
are only referenced in this book in Chapter 18, which is on stream ciphers.
Stream ciphers serve as approximations of the one-time pad without having
the problems associated with true one-time pads.
Anon., Science news, Science, 63(1625), February 19, 1926 (Science News section).
Anon., A secret-code message machine, The Literary Digest, 89, 22, 1926. This article,
after an introductory paragraph, reproduces text from Science Service’s Daily
News Bulletin: “The new machine was described by G. S. Vernam, engineer of
the American Telegraph and Telephone Company, who stated that it had been
developed for the use of the Signal Corps of the U.S. Army during the war, but
until recently it had been kept secret.” Kept secret? Why? It’s not like the Signal
Corps was actually using it or anything.
Bellovin, S.M., Frank Miller: inventor of the one-time pad, Cryptologia, 35(3), 203–222,
2011.
Benson, R.L. and Warner, M., Eds., Venona: Soviet Espionage and the American Response,
1939–1957, National Security Agency and Central Intelligence Agency,
Washington DC, 1996, p. viii. The bulk of this book is reproductions of formerly
classified documents. The preface is nice, but the rest is dry. Although the repro-
ductions are of value to historians, casual readers will prefer the book by John
Earl Haynes and Harvey Klehr referenced below.
Benson, R.L., The Venona Story, Center for Cryptologic History, National Security
Agency, Fort Meade, MD, 2001 (http://www.nsa.gov/about/_files/cryptologic_
heritage/publications/coldwar/venona_story.pdf).
Bury, J., From the archives: breaking OTP ciphers, Cryptologia, 35(2), 176–188, 2011.
Filby, P.W., Floradora and a unique break into one-time pad ciphers, Intelligence and
National Security, 10(3), 408–422, 1995.
Foster, C.C., Drawbacks of the one-time pad, Cryptologia, 21(4), 350–352, 1997. This
paper briefly addresses the matter of determining the random sequence used
as the key. If it is not truly random, then the cipher ceases to be unbreakable.
Algorithms run on computers are never truly random. The future may see an
exception to this, as quantum computers are developed.
www.ebook777.com
free ebooks ==> www.ebook777.com
118 Secret History: The Story of Cryptology
Haynes, J.E. and Klehr, H., Venona: Decoding Soviet Espionage in America, Yale
University Press, New Haven, CT, 1999, p. 33. Although focused on the history,
this book has a chapter (“Breaking the Code”) that gives more detail on the
cryptology than other works.
Marks, L., Between Silk and Cyanide: A Codemaker’s War, 1941–1945, The Free Press,
New York, 1998. Marks, a cryptographer for the Special Operations Executive
(SOE), writes about his experiences in a very entertaining manner. (After the
war, but before this volume, he was a screenwriter, so he can write!) The back
cover sports blurbs from David Kahn and Martin Scorsese.
Mauborgne, B.P., Military Foundling, Dorrance, Philadelphia, PA, 1974. A mix of fact
and fiction, this novel is of interest to us mainly for its dedication:
This book is respectfully dedicated to the memory of my illustrious, tal-
ented and versatile father, Major General Joseph O. Mauborgne, chief sig-
nal officer of the United States Army from 1937 to 1941; scientist, inventor,
cryptographer, portrait painter, etcher, fine violin maker and author.
Military history has recorded that he was the first person to establish
two-way wireless communication between the ground and an air-
plane in flight; that he invented an unbreakable cipher; and that he was
“directly responsible” for probably the greatest feat of cryptanalysis in
history—the breaking of the Japanese PURPLE code—more than a year
prior to the sneak attack on Pearl Harbor.
Miller, F., Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams,
Charles M. Cornwell, New York, 1882.
Philips, C., The American solution of a German one-time-pad cryptographic system,
Cryptologia, 24(4), 324–332, 2000.
Redacted, A new approach to the one-time pad, NSA Technical Journal, 19(3), 1974.
The title of this paper was released by the National Security Agency as part of
a much redacted index to this journal. In fact, the author’s name was redacted.
But we do know it comes somewhere between Gurin, Jacob and Jacobs, Walter.
Any guesses?
Rubin, F., One-time pad cryptography, Cryptologia, 20(4), 359–364, 1996. This paper
provides an attempt to make the one-time pad more practical.
Shannon, C., Communication theory of secrecy systems, The Bell System Technical
Journal, 28(4), 656–715, 1949. Shannon shows that the one-time pad is unbreak-
able and anything that is unbreakable must be a one-time pad. Despite his hav-
ing found this result over 60 years ago, one needn’t look hard for other cipher
systems that are billed as being unbreakable.
Vernam, G.S., Cipher printing telegraph systems for secret wire and radio telegraphic
communications, Journal of the American Institute of Electrical Engineers, 45, 109–
115, 1926.
Vinge, V., A Fire Upon the Deep, St. Martin’s Press, New York, 1993. A one-time pad
is used in this science-fiction novel, but must first be pieced together by three
starship captains.
Yardley, H., Are we giving away our state secrets?, Liberty, 8, 8–13, 1931. Yardley
argued that we ought to be making use of the one-time pad.
free ebooks ==> www.ebook777.com
4
Transposition Ciphers*
The 21st century will see transposition regain its true importance.
—Friedrich L. Bauer †
4.1.1 Rail-Fence Transposition
Example 1
Anyone who looks at us the wrong way twice will
surely die.‡
We simply write the text moving back and forth in a zigzag fashion from the
top line to the bottom line:
A Y N W O O K A U T E R N W Y W C W L S R L D E
N O E H L O S T S H W O G A T I E I L U E Y I
and then read across the top line first to get the ciphertext:
119
www.ebook777.com
free ebooks ==> www.ebook777.com
120 Secret History: The Story of Cryptology
AYNWO OKAUT ERNWY WCWLS RLDEN OEHLO STSHW OGATI EILUE YI
The “fence” needn’t be limited to two tiers. We could encipher the same
message as follows:
A W K T N W L L
N E H O S S H O G T I I L E Y
Y N O O A U E R W Y C W S R D E
O L T W A E U I
AWKTN WLLNE HOSSH OGTII LEYYN OOAUE RWYCW SRDEO LTWAE UI
4.1.2 Rectangular Transposition
We can also write the text in a rectangle in a particular manner and read it
off in another manner.
Example 2
ATTACK DAMASCUS AT DAWN.
ATTACK
DAMASC → ADUWT ASNTM AKAAT ECSDT KCAW
USATDA
WNKETW
Note: The last four letters in the message are only there to complete the rect-
angle. It is common to see the letter X used for this purpose, but it is better
to use more frequent letters, making the cryptanalyst’s job a bit harder.
The rectangle can have any dimension. If a cryptanalyst suspects this
manner of encipherment, the number of possible cases to consider depends
on the number of factors of the ciphertext length. For example, consider the
following intercept:
Look at the position of each of these letters and the distances between them:
W1 = 16
W2 = 20
H1 = 25 H1 – W1 = 9 H1 – W2 = 5
H2 = 29 H2 – W1 = 13 H2 – W2 = 9
I1 = 33 I1 – H1 = 8 I1 – H2 = 4
I2 = 34 I2 – H1 = 9 I2 – H2 = 5
I3 = 38 I3 – H1 = 13 I3 – H2 = 9
P1 = 43 P1 – I1 = 10 P1 – I2 = 9 P1 – I3 = 5
P2 = 47 P2 – I1 = 14 P2 – I2 = 13 P2 – I3 = 9
The only number that shows up as a distance between each pair of letters in
WHIP is 9. It may look like 13 works, but chaining the letters to get through
the probable word is not possible, as we would have to use two different Hs.
Reproducing the table and boldfacing the 9s for convenience, we have
W1 = 16
W2 = 20
H1 = 25 H1 – W1 = 9 H1 – W2 = 5
H2 = 29 H2 – W1 = 13 H2 – W2 = 9
I1 = 33 I1 – H1 = 8 I1 – H2 = 4
I2 = 34 I2 – H1 = 9 I2 – H2 = 5
I3 = 38 I3 – H1 = 13 I3 – H2 = 9
P1 = 43 P1 – I1 = 10 P1 – I2 = 9 P1 – I3 = 5
P2 = 47 P2 – I1 = 14 P2 – I2 = 13 P2 – I3 = 9
www.ebook777.com
free ebooks ==> www.ebook777.com
122 Secret History: The Story of Cryptology
If we start with W1 to form WHIP, we then have to use H1, as it is the only H 9
units away from this W. This eliminates the ambiguity in the I section. Since
we had to use H1, we must also use I2 and, it follows from there, P1. Thus, we
have a consistent solution. The 9s indicate that 9 rows were used.
Similarly, if we start with W2 to form WHIP, we then have to use H2, as it is
the only H 9 units away from W. This eliminates the ambiguity in the I sec-
tion. Since we had to use H2, we must also use I3 and, it follows from there,
P2. Thus, we have another consistent solution. Apparently the word WHIP
appeared twice in this message. Again, the 9s indicate that 9 rows were used.
To decipher, we write the ciphertext as columns and read the message out in
rows.
Y O U C A N O N
L Y W H I P A M
A N F O R S O L
O N G U N T I L
H E S T A R T S
T O L I K E T H
E W H I P C H A
R L E S M A N S
O N R D H W C U
Message: YOU CAN ONLY WHIP A MAN FOR SO LONG UNTIL HE STARTS
TO LIKE THE WHIP—CHARLES MANSON.
A few random letters were used to round out the block. This approach will
work when the probable word appears on a single line of the enciphering
block.
* In Dan Brown’s otherwise awful novel, The Lost Symbol, magic squares are used for transpo-
sition. For a review of the book, see Dooley, J., Reviews of cryptologic fiction, Cryptologia,
34(2), 180–185, 2010. The review in question is on pages 183–185.
free ebooks ==> www.ebook777.com
Transposition Ciphers 123
Example 3
The number represented by e can serve as the key to encipher the message.
We write out our message in rows of length 10 and then label the columns
with the digits of the number represented by e (leaving out digits that repeat).
Since e ≈ 2.71828182845904523536…, we have
2 7 1 8 4 5 9 0 3 6
T H I S C O N S T A
N T W A S T H E C O
M B I N A T I O N T
O T H E S A F E S A
T L O S A L A M O S
D U R I N G W O R L
D W A R I I T A N R
Reading out the columns in the order indicated by the key, we get the
ciphertext
Example 4
Using the keyword VALIDATE to encipher SECRECY IS THE BEGINNING
OF TYRANNY, we have
V A L I D A T E
S E C R E C Y I
S T H E B E G I
N N I N G O F T
Y R A N N Y E T
* Feynman, R., “Surely You’re Joking, Mr. Feynman!”, W.W. Norton, New York, 1985. Also see
pages 514–515 of the present book.
www.ebook777.com
free ebooks ==> www.ebook777.com
124 Secret History: The Story of Cryptology
We’d like to remove the text by columns, taking them in alphabetical rather
than numerical order, but there are two As. No problem. Start with the first
A, then move on to the second A, and then take the rest of the columns in
alphabetical order. Our ciphertext is
ETNR CEOY EBGN IITT RENN CHIA YGFE SSNY
In the examples above, we would be wise to express the final ciphertexts
in groups of five letters (the standard) so as not to reveal the number of rows
in our rectangle of text.
Guessing the wrong dimensions isn’t the end of the world. If you’ve ever
encountered a “prove or disprove” question on a test or homework set, you
know how this goes. Try to prove it for a while, and if you can’t then look
for a counterexample. Or, if you started by looking for a counterexample
and cannot find one, then consider that maybe it is true and try to prove
it. Thus, we pick somewhere to start, and if we cannot get a decipherment
then we simply try some other set of dimensions. If a team is working on the
intercept, each member could take a different case. So, trying 9 rows and 14
columns, we read our ciphertext off in columns to get
H R P E E T O S P E L O O M
A K B V L T A E E D O H E A
E H S H T S G U I N B T E T
S K A H O T H U A Y V T A T
E H D U R V R E E A T Y E O
U T P I T R Y U I B A T F T
T E A O H E S T R E L B N O
I R I U F T T S U T B O T T
E I R T R L A Y C H D L T I
free ebooks ==> www.ebook777.com
Transposition Ciphers 125
Of course, we cannot read the message yet because the columns were not
inscribed in the proper order. If our guess at the dimensions of the rectangle
is correct, rearranging the columns in the right way will yield the message.
Trying all possible rearrangements would keep us busy, though, since with
14 columns we have 14! = 87,178,291,200 possibilities.
Instead of using brute force, a better way to find the right order for the
columns is to try to form a common word in one row and see if it yields any-
thing reasonable for the other rows. For example, since the first row has T,
H, and E, we may put those letters together to get the most common word in
English. We actually have three Es in the first row, so we start by joining the
first to the T and H and see what we get. Then we try the second E and finally
the third E. Comparing the results, we have
THE THE THE
TAV TAL TAD
SHH SET SEN
TSH TSO TSY
VEU VER VEA
RUI RUT RUB
ETO ETH ETE
TIU TIF TIT
LET LER LEH
Take a close look and decide which option looks the best to you before read-
ing on. We could easily rank the possibilities by summing the frequencies of
the trigraphs produced in each case and seeing which scores the highest—
that is, this process is easy to automate.
Without examining frequencies, I would opt for the middle choice. The sec-
ond to last row of the first choice has TIU, which seems unlikely (although I
can think of possibilities, such as anTIUnion, anTIImmigration, etc.). For the
third choice, the second position has TAD, which doesn’t suggest a lot of pos-
sibilities, other than sTADium and amisTAD. Now we attempt to build our rect-
angle out by joining other columns to the left- or right-hand sides one at a time.
THER THEP THEE THEO THES THEP THEE THEL THEO THEO THEM
TALK TALB TALV TALA TALE TALE TALD TALO TALH TALE TALA
SETH SETS SETH SETG SETU SETI SETN SETB SETT SETE SETT
TSOK TSOA TSOH TSOH TSOU TSOA TSOY TSOV TSOT TSOA TSOT
VERH VERD VERU VERR VERE VERE VERA VERT VERY VERE VERO
RUTT RUTP RUTI RUTY RUTU RUTI RUTB RUTA RUTT RUTF RUTT
ETHE ETHA ETHO ETHS ETHT ETHR ETHE ETHL ETHB ETHN ETHO
TIFR TIFI TIFU TIFT TIFS TIFU TIFT TIFB TIFO TIFT TIFT
LERI LERR LERT LERA LERY LERC LERH LERD LERL LERT LERI
www.ebook777.com
free ebooks ==> www.ebook777.com
126 Secret History: The Story of Cryptology
Which of the 11 possibilities above looks the best to you? Decide before con-
tinuing. Also, it should be noted that it could be none of the above! Perhaps
the first row ends with THE. In that case, the other columns would all have to
be joined to the left-hand side of the portion of the rectangle we have recre-
ated in the previous step.
Did you like the first option best? If so, you may have a word or pair of
words in mind to complete the fragment that one of the rows presents. Feel
free to copy the columns and try rearranging them before and after the four
columns we have to see if the words you have in mind form impossible com-
binations elsewhere or lead to other words leaping to mind and a quick deci-
pherment. My solution follows, but you will get more out of trying it for
yourself.
Taking the first of the options above, the TIFR makes me a bit nervous.
ANTIFRENCH? ANTIFRUGAL? But the TSOK seems likely to be IT’S OKAY or
THAT’S OKAY, while the other solution options don’t seem to have much to
offer in that position. There are three columns that have an A in the neces-
sary position to continue OKAY. Each of them is considered below, followed
by the only column having a Y where it is needed for OKAY.
Which possibility looks the best to you? The first choice can almost cer-
tainly be eliminated because of the TALKBD in the second row and the third
seems unlikely due to TIFRTT in row nine. Going with the second possibil-
ity, and working on the left-hand side, we see that there is no I available in
the necessary position to form IT’S OKAY, but we do have two columns with
an A in the position needed to make THAT’S OKAY. We try each.
OTHERPE PTHERPE
ETALKED BTALKED
ESETHIN SSETHIN
ATSOKAY ATSOKAY
EVERHEA DVERHEA
FRUTTIB PRUTTIB
NETHERE AETHERE
TTIFRUT ITIFRUT
TLERICH RLERICH
free ebooks ==> www.ebook777.com
Transposition Ciphers 127
The first choice is comical with three consecutive Os in the first row. The
second isn’t any better, and the third only makes sense if the message was
composed by a cow. Thus, we go with the fourth.
MEOTHERPE
AVETALKED
THESETHIN
THATSOKAY
OUEVERHEA
TIFRUTTIB
OONETHERE
TUTTIFRUT
ITTLERICH
The deciphering should be moving along faster now. Can you guess what
letter comes just before AVETALKED or OUEVERHEA or ITTLERICH? The
strangest rows are even beginning to make sense now. TIFRUTTIB and
TUTTIFRUT may look odd by themselves, but taken together anyone famil-
iar with early rock and roll music ought to recognize them.
Also, as the unused columns dwindle, the placements become easier, since
there are fewer possibilities. Thus, at this point, you should have no trouble
completing the rectangle to get
SOMEOTHERPEOPL
EHAVETALKEDABO
UTTHESETHINGSB
www.ebook777.com
free ebooks ==> www.ebook777.com
128 Secret History: The Story of Cryptology
UTTHATSOKAYHAV
EYOUEVERHEARDT
UTTIFRUTTIBYPA
TBOONETHERESAL
SOTUTTIFRUTTIB
YLITTLERICHARD
4.3 Historic Uses
Columnar transposition has seen extensive use. A
few examples are given below and not intended to
provide anything near a comprehensive list.
In the 1920s, transposition ciphers were used
by the Irish Republican Army. Tom Mahon came
upon some of these in an archive, and his search
for someone who could break them ultimately
led to James J. Gillogly (Figure 4.1) of Kryptos
fame. James’ story of cryptanalysis is conveyed
in a thorough and interesting manner in Decoding
the IRA.*
The IRA message in Figure 4.2 was sent in 1927
but dated February 24, 1924, to confuse the police FIGURE 4.1
in case they got a hold of it. Consider the middle James J. Gillogly. (Photo taken
ciphertext (the others are left as exercises): in Egypt, courtesy of Gillogly.)
* Mahon, T. and Gillogly, J.J., Decoding the IRA, Mercier Press, Cork, Ireland, 2008.
free ebooks ==> www.ebook777.com
Transposition Ciphers 129
FIGURE 4.2
IRA ciphertexts from 1927. (From Mahon, T. and Gillogly, J.J., Decoding the IRA, Mercier Press,
Cork, Ireland, 2008, p. 11. With permission.)
The 96 tells us that there are that many letters in the ciphertext. It serves as
a useful check that nothing was accidentally dropped or repeated. To deci-
pher, we need a rectangle whose dimensions multiply together to yield 96.
Although we might not try the right dimensions the first time, we eventually
get around to considering 8 rows and 12 columns.
1 2 3 4 5 6 7 8 9 10 11 12
U C O E Y T L U O D S G
E O M N M E T M E I S I
I O R A E R N D N C Y I
M B O N P S B T U S H O
S I P R P I O T U R P S
N S O T R H F W E I P I
R E T H O E O O R L R T
F I N L M E L A M A S B
www.ebook777.com
free ebooks ==> www.ebook777.com
130 Secret History: The Story of Cryptology
Cutting the columns out and rearranging, soon yields the result below.
2 3 1 7 10 5 9 8 12 4 6 11
C O U L D Y O U G E T S
O M E T I M E M I N E S
O R I N C E N D I A R Y
B O M B S P U T O N S H
I P S O R P U T S R I P
S O N F I R E W I T H P
E T R O L O R O T H E R
I N F L A M M A B L E S
Some IRA transposition ciphers were made more difficult to crack by insert-
ing columns of nulls.
During World War II, Hong Kong was attacked by the Japanese at about
the same time as Pearl Harbor. Royal Air Force (RAF) pilot Donald Hill
was captured and kept a journal of his experiences between December 7,
1941, and March 31, 1942, even though this was forbidden by the Ministry
of War in London, who feared intelligence might be relayed to the enemy
through such writings. Hill fooled his Japanese captors by disguising his
entries as mathematical tables (he converted the letters to numbers prior to
transposing). The story of Donald Hill and his love, as well as the cipher,
its cryptanalysis (by Philip Aston), and the story the plaintext revealed, are
all detailed in Andro Linklater’s The Code of Love.* A page of Hill’s cipher is
reproduced in Figure 4.3.
Various forms of transposition were used during World War II by Britain’s
Special Operations Executive (SOE), in addition to the one-time pads men-
tioned in Section 3.11. The best form, double transposition, is described
shortly.
More recently, investigators found a tremendous amount of enciphered
text in the Unabomber’s shack. It was apparently generated by applying
some sort of substitution or code and then transposing extensively. Could
a genius mathematician, such as the Unabomber, have come up with a
pencil-and-paper cipher that could withstand the scrutiny of our nation’s
best cryptanalysts? We may never know, as the key to the system was also
found in the shack. No one has provided a scholarly account of the details of
this cipher. It has only been described very briefly at the popular level. The
FIGURE 4.3
A page from the enciphered diary of POW Donald Hill. (Thanks to Philip Aston, the mathema-
tician who cracked the diary, for providing this image.)
original ciphers were sold at a government auction, along with many other
items that were once property of the Unabomber. The funds raised went to
his victims and their families.*
4.4 Anagrams
If the transposition key is very long and random (not arising from valid
words) compared to the length of the message, this system can be difficult to
break. In particular, if the length of the transposition key equals the length
of the message, the cryptanalyst is essentially playing Scrabble with a large
number of tiles and may be able to form several meaningful solutions with
no statistical reason for favoring one over another. A rearrangement of letters
is also known as an anagram.† Both Galileo and Newton concealed discover-
ies through anagramming; however, they did not scramble their messages in
a systematic way, so they could not be recovered as easily as in the example
above. William Friedman also used an anagram to state his opinion on the
Voynich manuscript.
* Hoober, S., Items in Unabomber auction net more than $200,000, NewsyType.com, June 3, 2011
(http://www.newsytype.com/7120-unabomber-auction/).
† Some reserve this term for when the letters of a word are rearranged to make another word.
www.ebook777.com
free ebooks ==> www.ebook777.com
132 Secret History: The Story of Cryptology
Example 5
Galileo Galilei
Haec immature a me iam frustra leguntur O. Y.
Example 6
Christian Huygens
a7c5d1e5g1h1i7l4m2n9o4p2q1r2s1t5u5
Example 7
Isaac Newton
a7c2d2e14f2i7l3m1n8o4q3r2s4t8v12x1
Example 8
William F. Friedman
I put no trust in anagrammatic acrostic ciphers, for
they are of little real value—a waste—and may prove
nothing—Finis.
With multiple possible solutions for such anagrams, the best that the crypt-
analyst can hope for is to intercept a second message of the same length that
uses the same transposition key. The cryptanalyst can then anagram them
simultaneously, as if solving a columnar transposition cipher that used only
two rows. It is very unlikely that there will be more than one arrangement
that yields a meaningful result for both intercepts. Indeed, Claude Shannon
put the unicity distance for transposition systems with period d at 1.7d.†
* Zimansky, C.A., William F. Friedman and the Voynich manuscript, Philological Quarterly, 49(4),
433–442, 1970. This was reprinted in Brumbaugh, R.S., Ed., The Most Mysterious Manuscript,
Southern Illinois University Press, Carbondale, 1978, pp. 99–108.
† Shannon, C., Communication theory of secrecy systems, Bell System Technical Journal, 28(4),
695, 1949.
www.ebook777.com
free ebooks ==> www.ebook777.com
134 Secret History: The Story of Cryptology
4.5 Double Transposition
As before, when we encounter an attack on a cipher system, we can think
about how to block it and thus create a stronger cipher system. In this case,
the weakness is that when we try to form words we have many rows to work
with and can evaluate them as a group as being more or less likely than other
possible alignments. To block this, we could use a method known as double
transposition. This is demonstrated below.
Example 9
We’ll encipher the following using double transposition with the key
FRIEDRICH NIETZSCHE.
F R I E D R I C H N I E T Z S C H E
Y E S S O M E T H I N G I N V U L N
E R A B L E U N B U R I A B L E I S
W I T H M E S O M E T H I N G T H A
T W O U L D R E N D R O C K S A S U
N D E R I T I S C A L L E D M Y W I
L L S I L E N T L Y D O E S I T P R
O C E E D A N D U N C H A N G E D T
H R O U G H O U T T H E Y E A R S N
F R I E D R I C H N I E T Z S C H E
T N O E S T D U U E T A Y T E R O L
M L I L D G S B H U R I E U G I H O
L O H E N S A U I R T N Y E W T N L
O H H B M N C L U T L I H S W P D S
S A T O E S E O E U S R I N N A N R
T R L D C H I U E D A Y N T E R I W
D L C R M E E D T E A H V L G S M I
G A I A I C E E A Y N B N K D S N E
UBULO UDERI TPARS SSDNM ECMIE LEBOD RAAIN IRYHB LOLSR WIETM
LOSTD GUHIU EETAO HNDNI MNOIH HTLCI DSACE IEETR TLSAA NEURT
UDEYN LOHAR LATGS NSHEC EGWWN EGDYE YHINV NTUES NTLK
Another sort of double transposition was used in the second half of the 19th
century by the anarchist enemies of the czars. This Nihilist cipher, rather than
performing columnar transposition twice, separately transposed columns
and rows. Other nihilist ciphers based on substitution were in use as well.
Friedman described double transposition as a “very excellent” method;*
however, he did mention special cases in which it could fail. The biggest con-
cern is that a careless encipherer will forget to perform the second transposi-
tion. In this event, an intercepted message can be easily read and will then
provide the key for other messages that were correctly transposed twice.
Other special cases where solutions may be obtained include the following:
Friedman wrote this in 1923, before high-speed computer attacks were fea-
sible. A dictionary attack on the keyword could now yield a solution even
if the message does not satisfy any of the three special conditions he men-
tioned. However, we did not have to wait for the digital age, as a general
attack was (secretly) published in 1934.† The author was Solomon Kullback,
whom you will hear more about in Chapter 9.
One way to square the number of keys that would need to be checked using
a dictionary attack is to use two different words, one for the first transposition
and another for the second. Although the composition of two transpositions
is a transposition, the “composite word” is not likely to be in the dictionary.
An attack for this improved version was also presented in Kullback’s paper.
Several years later, Britain’s Special Operations Executive would use single
and double transposition with their agents in occupied Europe. Leo Marks
tried to replace this system with one-time pads, but the result was that both
were then used, although not for the same messages! On the other side (of
the pond and the war), German operatives in Latin America used columnar
transposition until the spring of 1941.‡
* Friedman, W.F., Elements of Cryptanalysis, Aegean Park Press, Laguna Hills, CA, 1976, p. 103.
This is an easily available reprint edition of the May 1923 first edition, which was marked
FOR OFFICIAL USE ONLY and published by the Government Printing Office for the War
Department.
† Kullback, S., General Solution for the Double Transposition Cipher, U.S. Government Printing
Office, Washington, DC, 1934. This was eventually declassified by the National Security
Agency and then quickly reprinted by Aegean Park Press, Laguna Hills, CA, in 1980.
‡ Bratzel, J.F. and Rout, Jr., L.B., Abwehr ciphers in Latin America, Cryptologia, 7(2), 132–144, 1983.
www.ebook777.com
free ebooks ==> www.ebook777.com
136 Secret History: The Story of Cryptology
4.6 Word Transposition
While transposition is most commonly used on letters (or bits for computer-
ized encryption), it can be done at the level of words. During the U.S. Civil
War, the Union enciphered much of its communications in this manner.
As a sample ciphertext, consider the following June 1, 1863, dispatch from
Abraham Lincoln.*
GUARD indicates the size of the rectangle and what path to follow for the
transposition. In this case, to decipher, the words should be filled in by
going up the first column, down the second, up the fifth, down the fourth,
and up the third. After GUARD, every eighth word is a null and is therefore
ignored.† We get
If transposition were the only protection, we would be able to read the mes-
sage now; however, the Union used an extra level of protection—code words:
VENUS = colonel
WAYLAN = captured
ODOR = Vicksburg
NEPTUNE = Richmond
ADAM = President of the United States
NELLY = 4:30 p.m.
Applying the code words (and removing the last words THIS FILLS UP,
which are more nulls used to fill out the block above) yields the original
message:
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 215.
† That is, we ignore KISSING, TURNING, TIMES, BELLY, and COMMISSIONER.
free ebooks ==> www.ebook777.com
Transposition Ciphers 137
This system completely stymied the Confederacy. It’s been claimed often
in the cryptologic literature that the Confederacy even resorted to printing
some intercepted ciphertexts in southern newspapers, along with solici-
tations for help! Despite this being a frequently repeated claim, all of my
attempts to find the actual solicitations only led to others seeking the same!
Finally, in April 2012, I found an article that I believe solves the mystery of
the missing Confederate ads. It was a piece by Albert J. Myer of the Signal
Corps titled “The Cypher of the Signal Corps.” It ran in the October 7, 1865,
edition of the Army Navy Journal, p. 99. I know this is the wrong side, and
after the war, but read on! The piece is reproduced below.
It is held, first, that no expert not of the Signal Corps, who is now,
or has been, in the employ of the War Department, or of any Army of
the United States during the war, can interpret this message at all; and,
second, that no expert in the United States, not of the Signal Corps, can
interpret it with less than three days’ labor.
To compensate any responsible endeavor the editor of the Army and
Navy Journal will pay the sum of fifty dollars to the first successful inter-
preter, to be determined by himself.
This cypher can be wholly changed at the wave of a flag in twenty sec-
onds’ time. It can be more difficult. It is plainer in print than it appears
in signals. A second message need not resemble this. It will benefit the
www.ebook777.com
free ebooks ==> www.ebook777.com
138 Secret History: The Story of Cryptology
As the article quoted above appeared soon after the end of the Civil War,
someone seeing it could easily confuse the date slightly, when recalling the
article years later, and believe it ran during the war. Furthermore, recalling
that it asked the reader to break a Union cipher, the person recalling the ad
might well think it must have been in a southern newspaper. Through the
haze of memory, years after the fact, it would all seem very reasonable. This
I propose is the origin of the myth of the Rebel newspaper ads.
4.7 Transposition Devices
In Section 1.2 we examined the skytale, an ancient Greek device to perform
transposition encryption. Another device known as the Cardano grille may
also be used for this purpose. Before detailing its use, we take a brief look at
the life of Girolamo Cardano (Figure 4.4).
Cardano is best remembered for being the first to publish (in Ars Magna,
1545) the solution to the cubic equation; however, a controversy ensued
immediately, as he had obtained the formula from Tartaglia, after much
harassment and a promise to keep it secret. Cardano is also credited with
authoring the first book on probability† (Liber de Ludo Aleae) and making the
first explicit use of complex numbers in a calculation (Ars Magna again).
On the personal side, things did not go as well. In 1560, Cardano’s son
Giambattista was jailed and executed following his conviction for killing
his wife. Another son is alleged to have had his ears cut off by Cardano for
some offense!
* Boklan, K.D. and Assarpour, A., How we broke the Union code (148 years too late), Cryptologia,
34(3), 200–210, 2010.
† Yet, he didn’t know as much as he thought he did about the laws of chance, for in 1533 he was
forced to pawn his wife’s jewelry and some of his furniture to pay gambling debts.
free ebooks ==> www.ebook777.com
Transposition Ciphers 139
FIGURE 4.4
“I was so exceptionally clever that everyone marveled at my extraordinary skill” (Girolamo
Cardano, 1501–1576). (From University of Pennsylvania, Rare Book & Manuscript Library,
Elzevier Collection, Elz D 786. Thanks to Regan Kladstrup for help with this image.)
Cardano himself was jailed in 1570. He was charged with heresy for cast-
ing the horoscope of Jesus Christ and writing a book that praised Nero.*
His punishment was much less severe than what others faced in the hands
of the Inquisition; he spent 77 days in prison and more under house arrest.
Although he was banned from publishing (and even writing!) for a time, he
authored 100 works over the course of his life, some of which consisted of
more than one “book.”
Cardano had been plagued by health problems throughout his life. His
list includes catarrh, indigestion, congenital heart palpitations, hemorrhoids,
gout, rupture, bladder trouble, insomnia, plague, carbuncles, tertian fever,
colic, and poor circulation, plus various other ailments. One is tempted to
add hypochondria. He seemed to delight in recounting his troubles: “My
struggles, my worries, my bitter grief, my errors, my insomnia, intestinal
troubles, asthma, skin ailments and even phtheiriasis, the weak ways of my
grandson, the sins of my own son…not to mention my daughter’s barrenness,
the drawn out struggle with the College of Physicians, the constant intrigues,
the slanders, poor health, no true friends” and “so many plots against me,
so many tricks to trip me up, the thieving of my maids, drunken coachmen,
the whole dishonest, cowardly, traitorous, arrogant crew that it has been my
misfortune to deal with.Ӡ
* If you’re curious, the horoscope was reprinted in Shumaker, W., Renaissance Curiosa,
Medieval and Renaissance Texts and Studies, Vol. 8, Center for Medieval & Renaissance Studies,
Binghamton, NY, 1982, pp. 53–90. An introduction is included.
† Muir, J., Of Men and Mathematics: The Story of the Great Mathematicians, Dodd, Mead & Co.,
www.ebook777.com
free ebooks ==> www.ebook777.com
140 Secret History: The Story of Cryptology
FIGURE 4.5
Original ciphertext.
FIGURE 4.6
THE ABILITY TO DESTROY A.
free ebooks ==> www.ebook777.com
Transposition Ciphers 141
FIGURE 4.7
PLANET IS INSIGNIFICANT.
FIGURE 4.8
COMPARED TO THE POWER O.
www.ebook777.com
free ebooks ==> www.ebook777.com
142 Secret History: The Story of Cryptology
FIGURE 4.9
F THE FORCE—DARTH VADER.
A close look at the original ciphertext shows that four letters were not
used. Punching one more hole in the grille would allow us to make use of
those four extra positions, if we needed them. Instead, they were filled in
with nulls. Actually, the four letters used can be anagrammed to continue
the theme of the message.
Turning grilles were used as recently as World War I by the Germans,
although only for a period of four months. French cryptanalysts learned to
break these, and the Germans moved on to a better system, which will be
examined in Section 6.2. Most modern ciphers use both substitution and
transposition. Some of them are detailed in the second half of this volume.
* Fildes, J., Rubik’s cube quest for speedy solution comes to an end, BBC News, August 11, 2010
(http://www.bbc.co.uk/news/technology-10929159).
www.ebook777.com
free ebooks ==> www.ebook777.com
144 Secret History: The Story of Cryptology
Ritter, T., Transposition cipher with pseudo-random shuffling: the dynamic transpo-
sition combiner, Cryptologia, 15(1), 1–17, 1991.
Zimansky, C.A., William F. Friedman and the Voynich manuscript, Philological
Quarterly, 49(4), 433–442, 1970. This was reprinted in Brumbaugh, R.S., Ed., The
Most Mysterious Manuscript, Southern Illinois University Press, Carbondale,
1978, pp. 99–108.
free ebooks ==> www.ebook777.com
5
Shakespeare, Jefferson, and JFK*
145
www.ebook777.com
free ebooks ==> www.ebook777.com
146 Secret History: The Story of Cryptology
One could use this to encipher a message, sending the 25-letter string aabbb
aabaa ababb ababb abbba to say “hello,” but this is a particularly inef-
ficient way to do a monoalphabetic substitution! The strength in this cipher
lies in its invisibility. Let a be represented by normal text characters, and let
b be represented by boldface characters. Now observe the message hidden
behind the text that follows:
* Pratt, F., Secret and Urgent, Bobbs Merrill, New York, 1939, p. 85.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 147
1 2 3 4 5 6
God is our refuge and strength,
7 8 9 10 11 12
a very present help in trouble.
13 14 15 16 17
Therefore will not we fear,
18 19 20 21 22 23
though the earth be removed, and
24 25 26 27 28
though the mountains be carried
29 30 31 32 33 34
into the midst of the sea;
35 36 37 38 39
Though the waters thereof roar
40 41 42 43 44
and be troubled, though the
45 46
mountains shake with the
with the swelling thereof. Selah.
There is a river, the streams whereof shall make glad the city
of God, the holy place of the tabernacles of the most High.
God is in the midst of her; she shall not be moved: God shall
help her, and that right early.
www.ebook777.com
free ebooks ==> www.ebook777.com
148 Secret History: The Story of Cryptology
The words we end on are shake and spear! From this, we may conclude
that Shakespeare was the author! Or perhaps, less dramatically, we may con-
clude that a slight change was made in translation to honor his 46th birthday
(the King James Version was used). Or perhaps it is all a coincidence.
Elizabeth Gallup was the first to publish an anti-Shakespeare theory using
the cipher introduced in this chapter. Her 1899 work was titled The Bi-literal
Cypher of Francis Bacon. In it, she claimed that different-looking symbols for
the same letters used in printing Shakespeare’s plays actually represented
two distinct symbols and spelled out messages in Bacon’s biliteral cipher to
indicate that he was the true author. Bacon revealed his system of concealing
messages in 1623, the year that the first folio was published, so the timing is
right but that is about all.
The evidence against Gallup’s case is convincing. At the time of the print-
ing of the first folio, various old typefaces were commonly mixed, and bro-
ken characters were used along with better copies. Thus, the characters
seem to form a continuum between the new and the old, rather than two
distinct forms. Also, Gallup had Bacon use words that did not exist at the
time his hidden message was allegedly printed.* Over a half century after
Gallup’s book appeared, William and Elizebeth Friedman authored a book
* Pratt, F., Secret and Urgent, Bobbs Merrill, New York, 1939, p. 91.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 149
examining the controversy.* Their research ended with the conclusion that
the Bacon supporters were mistaken. The uncondensed version of the book
(1955) won the Folger Shakespeare Library Literature Prize of $1000.†
The Friedmans got much more out of this controversy than a published book
and a prize, as it was actually how they met. They both worked for Riverbank
Laboratories, run by eccentric millionaire George Fabyan, in Geneva, Illinois,
just outside Chicago. The research areas included acoustics, chemistry, cryp-
tology (only with the aim of glorifying Bacon as the author of those famous
plays—Gallup worked there), and genetics. William Friedman was hired as
a geneticist, but he helped the dozen plus workers in the cryptology section
with his skill at enlarging photographs of texts believed to contain hidden
messages. It could be said that William fell in love twice at Riverbank Labs.
In addition to meeting his wife-to-be Elizebeth,‡ who worked in the cryptol-
ogy section, he also began researching valid cryptologic topics for Fabyan.
When a cryptologist hears someone refer to “The Riverbank Publications,”
Friedman’s cryptologic publications are what come to mind, even though
other works were put out by the Lab’s press. As America headed into World
War I, Friedman’s cryptologic education proved valuable. Remember, America
still did not have a standing cryptologic agency. Like spies, codemakers and
codebreakers went back to other work at the end of each of America’s wars.
Broken type in Shakespeare first folios may not reveal a hidden message,
but something can be learned from type in general. Penn State biology pro-
fessor S. Blair Hedges found a way to estimate the print dates of various edi-
tions of books by comparing the cracks in the wood blocks used to print the
illustrations. These cracks appear at a continuous rate. Other processes act-
ing on copper plates allow dating for images printed in that manner, as well.§
Contrarians attempting to show that Shakespeare’s plays were really writ-
ten by Sir Francis Bacon seem to have been gradually replaced by contrarians
attempting to show that Shakespeare’s plays were really written by Edward
de Vere, although there are several other names bandied about. The argu-
ments made today for de Vere are much the same as those of their predeces-
sors and are not taken seriously by professional cryptologists.
On the bright side, progress is still being made in the study of Shakespeare
himself. In 2009, for the first time, a contemporary portrait of Shakespeare
was publicly revealed. It was made in 1610 and is reproduced in Figure 5.3.
For generations it passed down through the Cobbe family, in a house out-
side of Dublin, without anyone realizing who the painting depicted. Finally
someone noticed the resemblance and some top experts agree that it is actu-
ally William Shakespeare.
* Friedman, W.F. and Friedman, E.S., The Shakespearean Ciphers Examined, Cambridge University
Press, Cambridge, U.K., 1957.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 879.
‡ They were married in May 1917.
§ Marino, G., The biologist as bibliosleuth, Research Penn State, 27(1), 13–15, 2007.
www.ebook777.com
free ebooks ==> www.ebook777.com
150 Secret History: The Story of Cryptology
FIGURE 5.3
A contemporary portrait of Shakespeare (http://en.wikipedia.org/wiki/File:Cobbe_portrait_
of_Shakespeare.jpg).
* http://www.loc.gov/exhibits/lewisandclark/preview.html.
† http://www.nsa.gov/museum/wheel.html.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 151
FIGURE 5.4
Thomas Jefferson.
FIGURE 5.5
A two-part code by Thomas Jefferson. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New
York, 1996, p. 185. With permission.)
FIGURE 5.6
A pair of cipher wheels. (Left, http://ilord.com/m94.html, courtesy of Robert Lord; right,
http://www.nsa.gov/museum/wheel.html).
www.ebook777.com
free ebooks ==> www.ebook777.com
152 Secret History: The Story of Cryptology
This enciphering and deciphering device was acquired from West Virginia
by NSA in the early 1980s. It was first thought to have been a model of the
“Jefferson cipher wheel,” so called because Thomas Jefferson described a
similar device in his writings. We believe it to be the oldest extant device
in the world, but the connection with Jefferson is unproven. Such devices
are known to have been described by writers as early as Francis Bacon in
1605 and may have been fairly common among the arcane “black cham-
bers” of European governments. This cipher wheel was evidently for use
with the French language, which was the world’s diplomatic language up
through World War I. How it came to be in West Virginia is unknown.
given for the various service branches vary from author to author. For example, in Weller, R.,
Rear Admiral Joseph N. Wenger USN (Ret) and the Naval Cryptologic Museum, Cryptologia,
8(3), 214, 1984, these cipher wheels were delivered to the Navy in December 1926 and use by
the Coast Guard began “about 1935.”
** Mellen, G. and Greenwood, L., The cryptology of multiplex systems, Cryptologia, 1(1), 5, 1977.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 153
FIGURE 5.7
High school cryptology student Dustin Rhoades gives us a sense of scale as he examines a
cipher wheel in the National Cryptologic Museum library. A poster in the background seems
to show that this pleases David Kahn, who generously donated his own cryptologic library to
the museum.
www.ebook777.com
free ebooks ==> www.ebook777.com
154 Secret History: The Story of Cryptology
1 BCEJIVDTGFZRHALWKXPQYUNSMO
2 CADEHIZFJKTMOPUQXWBLVYSRGN
3 DGZKPYESNUOAJXMHRTCVBWLFQI
4 EIBCDGJLFHMKRWQTVUANOPYZXS
5 FRYOMNACTBDWZPQIUHLJKXEGSV
6 GJIYTKPWXSVUEDCOFNQARMBLZH
7 HNFUZMSXKEPCQIGVTOYWLRAJDB
8 IWVXRZTPHOCQGSBJEYUDMFKANL
9 JXRSFHYGVDQPBLIMOAKZNTCWUE
10 KDAFLJHOCGEBTMNRSQVPXZIYWU
11 LEGIJBKUZARTSOHNPFXMWQDVCY
12 MYUVWLCQSTXHNFAZGDRBJEOIPK
13 NMJHAEXBLIGDKCRFYPWSZOQUVT
14 OLTWGANZUVJEFYDKHSMXQIPBRC
15 PVXRNQUIYZSJATWBDLGCEHFOKM
16 QTSEOPIDMNFXWUKYJVHGBLZCAR
17 RKWPUTQEBXLNYVFCIMZHSAGDOJ
18 SONMQUVAWRYGCEZLBKDFIJXHTP
19 TSMZKXWVRYUFIGJDABEOPCHNLQ
20 UPKGSCFJOWAYDHVELZNRTBMQIX
21 VFLQYSORPMHZUKXACGJIDNTEBW
22 WHOLBDMKEQNIXRTUZJFYCSVPAG
23 XZPTVOBMQCWSLJYGNEIUFDRKHA
24 YQHACRLNDPBOVZSXWITEGKUMJF
25 ZUQNXWRYALIVPBESMCOKHGJTFD
such that the ciphertext is continued on the appropriate line, while looking to
see if the line of plaintext continues to make sense. If there’s a given cipher-
text of length 25 or greater for which we know, or can guess, the plaintext, we
can recover the order of the wheels with just pencil and paper.
Example 1
Perhaps a commonly sent message is NOTHING TO REPORT AT THIS
TIME. If we suspect that the ciphertext YTWML GHWGO PVRPE SDKTA
QDVJO represents this message, we pair the two up and examine the dis-
tance between each pair of plaintext/ciphertext letters for each of the 25
disks. Table 5.1 shows the result. Since each ciphertext character is the same
fixed distance on the wheel it arose from, when compared to the message
letter it represents, we need to find a numerical value that appears in every
row and column.
TABLE 5.1
Distance between Pairs of Plaintext/Ciphertext Letters for 25 Disks
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
1 24 08 08 12 10 12 04 08 09 14 16 13 12 07 21 10 25 09 21 09 22 25 01 05 23
2 22 24 07 07 14 25 06 07 12 15 10 07 11 16 19 21 18 25 06 22 19 18 15 23 09
3 23 07 04 25 23 19 14 04 17 20 24 15 06 14 15 22 09 12 02 12 17 08 20 24 04
4 03 21 24 01 06 12 04 24 11 08 21 21 18 09 11 07 15 22 06 17 15 15 15 22 20
5 23 05 03 13 03 18 20 03 20 02 17 12 24 12 14 18 02 12 17 17 16 02 10 15 07
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
7 17 25 03 05 07 13 12 03 23 22 01 05 04 15 19 10 08 18 16 09 06 08 02 18 08
8 19 23 21 12 25 14 22 21 03 05 17 21 21 03 10 16 13 16 24 23 24 13 02 21 19
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
11 10 24 09 05 23 13 12 09 15 03 15 07 23 06 16 03 11 21 23 06 09 11 20 11 12
12 15 13 21 15 08 04 21 21 20 04 03 05 22 06 12 20 08 16 24 17 25 08 06 20 01
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
15 04 16 01 04 10 14 03 01 21 20 06 01 06 23 07 24 03 11 18 05 21 03 20 12 03
16 06 23 11 16 15 10 25 11 15 05 02 12 21 06 02 04 06 13 09 18 24 06 11 08 01
17 01 07 23 24 20 11 23 23 24 24 22 10 02 03 02 25 18 22 12 05 12 18 23 08 17
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
19 12 07 06 06 12 16 09 06 20 11 02 13 15 12 18 11 15 04 04 04 02 15 21 12 01
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
21 09 16 03 25 09 22 19 03 11 25 11 18 01 01 01 16 24 17 12 22 24 24 07 09 09
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
24 19 07 24 21 15 13 08 24 09 06 16 03 20 04 01 11 16 03 16 12 13 16 21 01 18
25 04 05 08 22 25 18 25 08 03 12 24 25 14 06 17 07 02 22 03 24 13 02 01 06 04
www.ebook777.com
free ebooks ==> www.ebook777.com
156 Secret History: The Story of Cryptology
Column 1 doesn’t contain 2, 5, 11, 13, 14, 18, 20, 21, and 25, so these may be
eliminated as possible shifts. The possibilities that remain are 1, 3, 4, 6, 7, 8,
9, 10, 12, 15, 16, 17, 19, 22, 23, and 24. But column 2 doesn’t contain 1, 3, 6, 9,
10, 17, 19, or 22, so our list is quickly reduced to just 4, 7, 8, 12, 15, 16, 23, and
24. Column 3 doesn’t contain a 16, so we are then left with 4, 7, 8, 12, 15, 23,
and 24. Column 4 eliminates 8 and 23, leaving 4, 7, 12, 15, and 24. Column 5
reduces the choices to 7, 12, and 15. There’s no 7 in column 6, so we now know
the shift is either 12 or 15. Things now start to move more slowly! Every col-
umn contains both a 12 and a 15 until we get to column 18, which lacks the
15. Finally (with 7 columns to spare!) we conclude the shift was by 12.
Locating all of the 12s in Table 5.1 will help us to find the order of the
wheels (Table 5.2). Table 5.2 shows that N is followed 12 places later by Y
only on wheels 6, 9, and 19, but we don’t know which of these it is. The best
strategy is to not worry about it for now. Moving on to the fifth letter in the
message, we see that I is followed 12 places later by L only on wheel 19. Thus,
TABLE 5.2
Locating All of the 12s in the Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
1 24 08 08 12 10 12 04 08 09 14 16 13 12 07 21 10 25 09 21 09 22 25 01 05 23
2 22 24 07 07 14 25 06 07 12 15 10 07 11 16 19 21 18 25 06 22 19 18 15 23 09
3 23 07 04 25 23 19 14 04 17 20 24 15 06 14 15 22 09 12 02 12 17 08 20 24 04
4 03 21 24 01 06 12 04 24 11 08 21 21 18 09 11 07 15 22 06 17 15 15 15 22 20
5 23 05 03 13 03 18 20 03 20 02 17 12 24 12 14 18 02 12 17 17 16 02 10 15 07
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
7 17 25 03 05 07 13 12 03 23 22 01 05 04 15 19 10 08 18 16 09 06 08 02 18 08
8 19 23 21 12 25 14 22 21 03 05 17 21 21 03 10 16 13 16 24 23 24 13 02 21 19
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
11 10 24 09 05 23 13 12 09 15 03 15 07 23 06 16 03 11 21 23 06 09 11 20 11 12
12 15 13 21 15 08 04 21 21 20 04 03 05 22 06 12 20 08 16 24 17 25 08 06 20 01
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
15 04 16 01 04 10 14 03 01 21 20 06 01 06 23 07 24 03 11 18 05 21 03 20 12 03
16 06 23 11 16 15 10 25 11 15 05 02 12 21 06 02 04 06 13 09 18 24 06 11 08 01
17 01 07 23 24 20 11 23 23 24 24 22 10 02 03 02 25 18 22 12 05 12 18 23 08 17
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
19 12 07 06 06 12 16 09 06 20 11 02 13 15 12 18 11 15 04 04 04 02 15 21 12 01
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
21 09 16 03 25 09 22 19 03 11 25 11 18 01 01 01 16 24 17 12 22 24 24 07 09 09
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
24 19 07 24 21 15 13 08 24 09 06 16 03 20 04 01 11 16 03 16 12 13 16 21 01 18
25 04 05 08 22 25 18 25 08 03 12 24 25 14 06 17 07 02 22 03 24 13 02 01 06 04
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 157
19 2 25 12 17 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
We now take these wheels off the table since their positions in the key have
been determined (Table 5.3). Notice that wheel 4 only moves one character
of the message to the appropriate ciphertext character—namely, the letter
in position 6. Although there are other wheels that move the letter in posi-
tion 6 to where it needs to go, it must be wheel 4 that actually does so. This
is because wheel 4 must be used somewhere, and it doesn’t work anywhere
else. We may therefore take wheel 4 off the table and remove the underlining
TABLE 5.3
Taking Wheels Off the Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
1 24 08 08 12 10 12 04 08 09 14 16 13 12 07 21 10 25 09 21 09 22 25 01 05 23
3 23 07 04 25 23 19 14 04 17 20 24 15 06 14 15 22 09 12 02 12 17 08 20 24 04
4 03 21 24 01 06 12 04 24 11 08 21 21 18 09 11 07 15 22 06 17 15 15 15 22 20
5 23 05 03 13 03 18 20 03 20 02 17 12 24 12 14 18 02 12 17 17 16 02 10 15 07
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
7 17 25 03 05 07 13 12 03 23 22 01 05 04 15 19 10 08 18 16 09 06 08 02 18 08
8 19 23 21 12 25 14 22 21 03 05 17 21 21 03 10 16 13 16 24 23 24 13 02 21 19
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
15 04 16 01 04 10 14 03 01 21 20 06 01 06 23 07 24 03 11 18 05 21 03 20 12 03
16 06 23 11 16 15 10 25 11 15 05 02 12 21 06 02 04 06 13 09 18 24 06 11 08 01
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
21 09 16 03 25 09 22 19 03 11 25 11 18 01 01 01 16 24 17 12 22 24 24 07 09 09
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
24 19 07 24 21 15 13 08 24 09 06 16 03 20 04 01 11 16 03 16 12 13 16 21 01 18
www.ebook777.com
free ebooks ==> www.ebook777.com
158 Secret History: The Story of Cryptology
that indicated the other possible wheels for position 6. We do the same
(by following the same reasoning) for wheels 7, 8, 15, 16, 21, and 24. This is
reflected in the updated key below and Table 5.4.
8 19 4 7 2 25 16 12 21 24 17 15 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
TABLE 5.4
Taking More Wheels Off the Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
1 24 08 08 12 10 12 04 08 09 14 16 13 12 07 21 10 25 09 21 09 22 25 01 05 23
3 23 07 04 25 23 19 14 04 17 20 24 15 06 14 15 22 09 12 02 12 17 08 20 24 04
5 23 05 03 13 03 18 20 03 20 02 17 12 24 12 14 18 02 12 17 17 16 02 10 15 07
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 159
With some of the underlining removed in the previous step, we see that we
can apply the same argument again. Wheels 1 and 3 must be in positions 13
and 18, respectively. We now update our key and table (Table 5.5).
8 19 4 7 2 25 16 1 12 3 21 24 17 15 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
TABLE 5.5
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
5 23 05 03 13 03 18 20 03 20 02 17 12 24 12 14 18 02 12 17 17 16 02 10 15 07
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
www.ebook777.com
free ebooks ==> www.ebook777.com
160 Secret History: The Story of Cryptology
8 19 4 7 2 25 16 1 5 12 3 21 24 17 15 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
TABLE 5.6
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
6 12 15 03 22 21 09 25 03 11 21 20 04 05 12 08 16 09 01 05 17 09 09 08 06 03
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 161
This reveals that wheel 6 must be in position 1. Again, we update to get the
following key and Table 5.7.
6 8 19 4 7 2 25 16 1 5 12 3 21 24 17 15 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
TABLE 5.7
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
www.ebook777.com
free ebooks ==> www.ebook777.com
162 Secret History: The Story of Cryptology
TABLE 5.8
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 163
In the same manner, positions 3 and 8 must be wheels 10 and 22 (in one
order or another), so the other highlighted option for wheel 22 no longer
needs to be considered (Table 5.9).
TABLE 5.9
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
20 19 12 15 09 18 11 10 15 21 15 12 13 11 08 21 20 18 08 07 12 19 18 16 11 19
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
www.ebook777.com
free ebooks ==> www.ebook777.com
164 Secret History: The Story of Cryptology
The updated table now reveals that position 2 must be wheel 20. We update
our key and table (Table 5.10) again.
6 20 8 19 4 7 2 25 16 1 5 12 3 21 24 17 15 11
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
TABLE 5.10
Updated Table
N O T H I N G T O R E P O R T A T T H I S T I M E
Y T W M L G H W G O P V R P E S D K T A Q D V J O
9 12 05 02 10 25 13 24 02 09 14 12 23 12 09 04 12 14 23 16 03 07 14 20 11 17
10 09 05 12 07 08 21 23 12 02 18 09 25 08 04 24 14 15 14 06 06 01 15 22 18 23
13 16 04 19 24 25 10 19 19 15 07 12 07 19 03 06 15 12 13 22 21 03 12 15 01 16
14 07 02 08 02 06 24 12 08 04 02 11 13 24 24 09 12 12 13 12 10 03 12 14 18 15
18 08 23 10 06 21 09 12 10 10 18 12 07 08 16 15 19 20 19 01 13 04 20 12 18 14
22 09 12 12 05 18 15 02 12 23 15 15 25 11 10 20 24 17 19 13 13 14 17 11 11 01
23 24 24 07 09 20 25 09 07 10 09 11 02 17 06 14 12 18 20 05 07 23 18 12 06 14
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 165
would seem to require 128 configurations of the cipher wheel (two possibili-
ties for each of seven unknowns). A little reasoning will reduce this, but we
cannot narrow it down to a single possibility based on the information we
have. With more pairs of plaintext and ciphertext we would likely be able to
do so, but we don’t have this.
Consider the four lightly shaded values. Positions 3 and 8 are occupied by
wheels 10 and 22, in one order or the other. This represents two possibilities,
not the four it might seem to be at first glance, since a particular wheel can-
not be in two positions at once. Similarly, the four underlined/boxed values
give us two possibilities altogether. For the darkly shaded values, assigning
wheel 9 to either position forces wheels 18 and 23 to particular positions.
Thus, there are only two ways to assign those three wheels. Assignments
for the various shaded and underlined/boxed values are all independent.
Thus, the total number of possibilities left to check (and these must be
checked by hand) is (2)(2)(2) = 8. These possibilities all convert the given
message to the given ciphertext, but only one is likely to correctly decipher
the next message that is received.
The attack presented here relied on knowing some plaintext and the cor-
responding ciphertext, as well as the order of the alphabet on each wheel.
Only the key was unknown. There are more sophisticated attacks that do
not demand as much. See the second paper by Mellen in the References and
Further Reading section, if you would like to learn more about these attacks.
Another weakness with this cipher is that a letter can never be enciphered
as itself. If we have a phrase that we believe appears in the message, this
weakness can sometimes help us decide where.
Although primarily known for his “invention” of the cipher wheel, it
is interesting to note that Thomas Jefferson (1743–1826) also wrote the
Declaration of Independence, served as the third president of the United
States, and founded the University of Virginia. One might expect that a figure
as important as Thomas Jefferson would have been so closely examined that
there is no room left for original research; however, this is not the case. In the
winter of 2007, mathematician Lawren Smithline learned from a neighbor,
who was working on a project to collect and publish all of Jefferson’s letters
and papers, that several were written in code or cipher. In June, the neigh-
bor mentioned that one of these letters, from Robert Patterson to Jefferson,
included a cipher or code portion that could not be read. The letter discussed
cryptography, and the unreadable passage was a sample ciphertext that
Patterson thought couldn’t be broken. Lawren got a copy of the letter, which
was dated December 19, 1801, and went to work. It was a columnar transposi-
tion cipher with nulls, and Lawren was able to solve it. The plaintext turned
out to be the preamble to the Declaration of Independence.* There are two
www.ebook777.com
free ebooks ==> www.ebook777.com
166 Secret History: The Story of Cryptology
lessons we can take away from this. First, do not assume there is nothing
new to be discovered just because a topic is old or already much studied.
Second, be social. Because Lawren talked with a neighbor, both benefited.
You may be amazed at how often you profit from letting people know your
interests.
In mathematics we begin with a small number of assumptions that we
cannot prove and then try to prove everything else in terms of them. We call
these assumptions axioms or postulates, and ideally they would seem “obvi-
ously true” although no proof of them can be given. Jefferson must have been
in a mathematical mindset when he began his greatest piece of writing with
“We hold these truths to be self-evident….”
5.4 Playfair Cipher
In 19th-century London, it was not unusual for lovers or would-be lovers to
encipher their personal communications and pay to place them in The Times.
Known collectively as “Agony Columns,” these notes most commonly used
monoalphabetic substitution ciphers. Such simple ciphers provided a bit of
sport for Baron Lyon Playfair and Charles Wheatstone:*
The cipher system named after Playfair (although he is not the creator of
it) is more sophisticated than those that typically appeared in the papers. It’s
an example of a digraphic substitution cipher, which simply means that the
letters are substituted for two at a time.
Before the Playfair cipher, digraphic ciphers required the users to keep
copies of the key written out, as they were clumsy and not easy to remember,
as Porta’s example (believed to be the first) demonstrates in Figure 5.8.
FIGURE 5.8
A digraphic cipher created by Porta. (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New
York, 1996, p. 139. With permission.)
We’ll use this table to encipher REVOLT. First we split the message into
two-letter groups: RE VO LT. To encipher the first group, RE, we find R in the
alphabet that runs across the top of the table and then move down that col-
umn until we come to the row that has E on the right-hand side. The symbol
in this position, , takes the place of RE. In the same manner, VO becomes
and LT becomes . Thus, our complete ciphertext is .
The unicity point for a random digraphic substitution cipher, like the one
pictured above, is 1460.61.* That is, we would need about 1461 characters of
ciphertext in order to be able to expect a unique solution.
www.ebook777.com
free ebooks ==> www.ebook777.com
168 Secret History: The Story of Cryptology
FIGURE 5.9
Charles Wheatstone (1802–1875) (http://en.wikipedia.org/wiki/File:Wheatstone_Charles_
drawing_1868.jpg).
The Playfair cipher was invented by Charles Wheatstone (Figure 5.9), who
described it in 1854.* As Wheatstone and Playfair were both British (and
friends), this did not lead to a huge controversy like the Newton–Leibniz feud
over the discovery of calculus. Wheatstone also invented a telegraphic system
before Samuel Morse, so he lost at least two naming opportunities! On the
plus side for Wheatstone, Wadsworth invented a cipher that became known as
the Wheatstone cipher.† We will now examine how the Playfair cipher works.
Example 2
To start, we fill a rectangle with the alphabet. I and J are once again (see
Polybius) equated:
A B C D E
F G H I&J K
L M N O P
Q R S T U
V W X Y Z
Given the message
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 198.
† Clark, R., The Man Who Broke Purple, Little Brown, Boston, 1977, pp. 57–58.
‡ From “Lift Your Head Up High (And Blow Your Brains Out),” by Bloodhound Gang.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 169
LI FE IS SH OR TA ND HA RD LI KE AB OD YB UI LD IN GE LF
To encipher the first pair, LI, we find those letters in the square above. We
can then find two more letters, F and O, to get the four corners of a rectangle.
A B C D E
F G H I&J K
L M N O P
Q R S T U
V W X Y Z
We take these two new corners as our ciphertext pair. But should we take
them in the order FO or OF? It was arbitrarily decided that the letter to appear
first in the ciphertext pair should be the one in the same row as the first
plaintext letter. Making note of this first encryption and continuing in the
same manner we have
LI → OF
FE → KA
IS → HT
SH → ??
If one of the letters was in the last row, we would circle back to the top of
the column to find its encipherment. Now we continue with the other pairs:
OR → MT
TA → QD
ND → OC
HA → FC
RD → TB
LI → OF
KE → PK
AB → ??
www.ebook777.com
free ebooks ==> www.ebook777.com
170 Secret History: The Story of Cryptology
Another problem! A and B appear in the same row. Again, we cannot form
a rectangle. In this case, we simply take the letters directly to the right of
each of the plaintext letters to get
AB → BC
OD → TI
YB → WD
UI → TK
LD → OA
IN → HO
GE → KB
LF → QL
Although it did not arise with this message, there is an ambiguous case.
What do we do when a plaintext pair consists of two of the same letter? Do
we shift down (because they are in the same column) or shift to the right
(since they are in the same row)?
The solution is to avoid this situation! An X is to be inserted between dou-
bled letters prior to encipherment to break them up. Because X is a rare letter,
it will not cause any confusion. A recipient who, after deciphering, sees an
X between two Ls or two Os, for example, would simply remove the X. This
example was just for instructional purposes. The alphabet in the grid would
normally be scrambled (perhaps using an easy to remember keyword).
The first recorded solution of the Playfair cipher was by Mauborgne in
1914. At that time, Playfair was the field cipher for the British. There are
reports that this cipher was used in the Boer War (1899–1902),* but the next
example is more recent. Imagine that, as an Australian coastwatcher, you are
the intended recipient of a Playfair cipher sent on August 2, 1943, in the midst
of the war in the Pacific (Figure 5.10).
The ciphertext, which is typically sent in groups of five letters, has already
been split into groups of size two. At about the middle of the second line
you notice a doubled letter, TT. You fear the message has been garbled or,
perhaps, isn’t a Playfair cipher, after all.
In any case, the key is ROYAL NEW ZEALAND NAVY, so you form the fol-
lowing square:
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 202.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 171
FIGURE 5.10
Playfair message sent during World War II in the Pacific Theater. (From Kahn, D., The
Codebreakers, 2nd ed., Scribner, New York, 1996, p. 592. With permission.)
R O Y A L
N E W Z D
V B C F G
H I K M P
Q S T U X
You begin deciphering. (Recall that I and J are not distinguished here.)
PTBOATONEOWENINELOSTINACTIONINBLACKE??STRAITTWOMIL
ESSWMERESUCOCEXCREWOFTWELVEXREQUESTANYINFOMRATIONX
* Although an obvious weakness, the Playfair cipher was actually sometimes used this way, as
the present example shows!
www.ebook777.com
free ebooks ==> www.ebook777.com
172 Secret History: The Story of Cryptology
There’s an error, but, again, context makes it easy to fix. You produce the
final message.
5.5 Playfair Cryptanalysis
The unicity point for a Playfair cipher is 22.69 letters, so a message longer
than this should have a unique solution.† Sir George Aston issued the follow-
ing 30 letter Playfair as a challenge.‡
* Mauborgne, J.O., An Advanced Problem in Cryptography and Its Solution, 2nd ed., Army Service
Schools Press, Fort Leavenworth, KS, 1918.
† Deavours, C.A., Unicity points in cryptanalysis, Cryptologia, 1(1), 46–68, 1977.
‡ Aston, G., Secret Service, Faber & Faber, London, 1933.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 173
Alf Mongé solved it (by hand) in the following manner.* Splitting the cipher-
text into pairs and numbering the pairs for reference, we have:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
Indicating the pairs OQ and QM in positions 7 and 10, Mongé pointed out
that O and Q are close to each other in a straight alphabet, as are Q and M.
Looking for two other high-frequency digraphs with letters that are close to
each other in the alphabet and have a letter in common between the pairs,
Mongé came up with NO and OU. (He did not say how many other possibili-
ties he tried first!) The proposed ciphertext/plaintext pairings would arise
from the following square.
1 2 3 4 5
6 7 8 9 10
11 12 13 14 15
M N O Q U
V W X Y Z
Thus, Mongé determined 40% of the square already! Returning to the cipher-
text, he filled in as much as he could, indicating multiple possibilities where
they existed and were not too numerous.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
–– –– –– –– –O –– NO –– –– OU –– –– –– –– UY
M M V W N Q
N O W X O V
O Q X Y Q W
Q U Z Z U X
Q M Z
Which letters do you think would make the best choices for positions 8
and 9? Think about it for a minute before reading the answer below!
Mongé selected W and Y to form the words NOW and YOU, but positions 8 and
9 represent pairs of letters, so there must be a two-letter word connecting NOW
and YOU in the plaintext. Making these partial substitutions, T must occur in
* Mongé, A., Solution of a Playfair cipher, Signal Corps Bulletin, 93, November–December, 1936.
Reprinted in Friedman, W.F, Cryptography and Cryptanalysis Articles, Vol. 1, Aegean Park
Press, Laguna Hills, CA, 1976, and in Winkel, B.J., A tribute to Alf Mongé, Cryptologia, 2(2),
178–185, 1978.
www.ebook777.com
free ebooks ==> www.ebook777.com
174 Secret History: The Story of Cryptology
1 T? 3 4 5
6 T? 8 9 10
11 T? 13 K 15
M N O Q U
V W X Y Z
1 T? 3 4 5
6 T? 8 9 10
11 T? 13 K L
M N O Q U
V W X Y Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
–– –– –– –– –O –– NO W– –Y OU –– –– –– –– UY
M M N Q
N O O V
O Q Q W
Q U U X
L T Z
Mongé then focused on the letters T and K from ciphertext groups 8 and 9.
If T was in position 12 of the square, then the keyword would be at least 12
letters long and consist of A, B, C, D, E, F, G, IJ, P, R, S, and T. Mongé rejected
this as unlikely, so T was in either position 2 or 7 of the square.
If the keyword was less than 11 letters long, then three of the letters A, B, C, D,
E, F, G, H, and IJ would have to appear in positions 11, 12, and 13 of the square.
Mongé noticed that H and IJ cannot appear in position 11 of the square, as
there are not enough letters between them and K to fill in positions 12 and 13.
Thus, position 11 must be A, B, C, D, E, F, or G. Mongé simply tried each pos-
sibility and found that only one worked. For example, placing A in position 11
causes ciphertext block 9 to decipher to AY, which, in context, gives a plaintext
of NOW –A YOU. There is no letter that can be placed in front of the plaintext
A that makes sense. Similarly, all but one of the other possibilities fizzle out.
Placing F in square 11 makes the ciphertext block 9 decipher to FY, so that
the plaintext contains the phrase NOW –F YOU, which may sound vulgar
until it is recalled that “–” represents an unknown letter. It is then easy to see
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 175
that the plaintext must be NOW IF YOU. Thus, it is also revealed that I must
be in position 4 or 9 of the square. Once F is placed in position 11 and I is
forced in position 4 or 9 of the partially recovered square, positions 12 and 13
can be nothing but G and H. We now have
1 T? 3 I? 5
6 T? 8 I? 10
F G H K L
M N O Q U
V W X Y Z
Continuing to work back and forth between the square and the ciphertext,
Mongé wrote
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
–– –– –– –– HO –K NO W– –Y OU –– –– –– –– UY
and saw that the phrase NOW IF YOU was really KNOW IF YOU.
If the attacker can recover the keyword, the solution is immediately
obtained. Mongé’s work thus far indicates that IJ, P, R, S, and T must be
part of the key. He expected more than a single vowel in the key and so sup-
posed either A or E or both were part of the key. That then left B, C, and D, as
(perhaps) not part of the key. Mongé therefore placed them in the square as
follows:
1 T? 3 I 5
6 T? B C D
F G H K L
M N O Q U
V W X Y Z
This has the added benefit (if correct) of eliminating the ambiguity over the
location of I. This conjecture may be tested against the ciphertext as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
DO L– –– –– HO –K NO W– –Y OU –– CX –– –– UY
www.ebook777.com
free ebooks ==> www.ebook777.com
176 Secret History: The Story of Cryptology
1 T 3 I 5
6 A B C D
F G H K L
M N O Q U
V W X Y Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
DO L– TA –– HO –K NO WI FY OU –– CX C– –– UY
LP MA PK CP
LR MT RK CR
LS OT SK CS
LE UT EK CE
Group 2 must be LE, which then forces E to take position 6 in the square,
which, in turn, makes ciphertext groups 13 and 14 CE and ED, respectively.
Thus, the message ends with ––CXCEEDUY. Recalling that the X is only in
the plaintext to split up the pair CC, the ending of the message should read
––CCEEDUY. At this point, the attacker either may guess SUCCEED followed
by two meaningless letters so that the ciphertext could be evenly split into
groups of five characters or he may look at the recovered square again, which
is now almost complete, testing the very few remaining for a meaningful
plaintext. With either technique, the square and message are both quickly
revealed as
S T R I P
E A B C D
F G H K L
M N O Q U
V W X Y Z
and
BU FD AG NP OX IH OQ YT KV QM PM BY DA AE QZ
DO LE TA UT HO RK NO WI FY OU SU CX CE ED UY
DO LET AUTHOR KNOW IF YOU SUCCEED
* Mongé left out the possibilities for ciphertext blocks 11 and 14 as being too numerous.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 177
There were several places in the above solution where guesses or assump-
tions were made. They all proved correct, but it wouldn’t have been a disas-
ter if one or more were wrong. We would simply generate some impossible
plaintext and then backtrack to try another guess. It’s no different from the
backtracking that is typically needed when attempting to solve a monoal-
phabetic substitution cipher by hand.
Mongé did not indicate how many incorrect guesses he may have made,
but, as the challenge appeared in 1933 and Mongé’s solution appeared in
1936, there is a bound of a few years on how long this could possibly have
taken. It’s unlikely, however, that this is a tight bound! William Friedman
had written, “The author once had a student [Mongé] who ‘specialized’ in
Playfair ciphers and became so adept that he could solve messages contain-
ing as few as 50–60 letters within 30 minutes.”*
5.5.1 Computer Cryptanalysis
In 2008, a paper by Michael Cowan described a new attack against short
(80 to 120 letters) Playfair ciphers.† This attack has nothing in common with
Mongé’s approach. In fact, it would be completely impractical to try to imple-
ment Cowan’s attack by hand; however, with the benefit of the computer, it
is a very efficient approach. It is important to note that Cowan’s attack does
not assume that the key is based on a word. The order of the letters in the
enciphering square may be random. Cowan’s approach was to use simulated
annealing, which is a modification of hill climbing.
In hill climbing, we start by guessing at a solution (be it a substitution
alphabet for a monoalphabetic substitution cipher or a key for a Playfair
cipher). Then we make a change to the guess (switch a few letters around, for
example). The original guess and the new slightly changed guess are com-
pared. Some method of scoring assigns a value to each, based on how close
they are to a readable message in whatever language is expected. Scoring can
be done, for example, by summing the frequencies of the individual letters
or digraphs. We keep whichever guess, the original or the modified, scores
higher and discard the other, then we make another small change and com-
pare again. This process is repeated thousands of times, which is why it is
not practical to do by hand. The idea is that the scores continue to climb until
we get to the top, where the correct solution is found.
The analogy of physically climbing a real hill allows us to see how this
method can fail. Suppose we seek to get to the highest point in our neigh-
borhood. Taking random steps and only backtracking if we do not ascend
in that particular direction might seem like a good idea, but we could end
* Friedman, W.F., Military Cryptanalysis, Part I, Aegean Park Press, Laguna Hills, CA, 1996, p. 97
(taken here from Winkel, B.J., A tribute to Alf Mongé, Cryptologia, 2(2), 178, 1978).
† Cowan, M.J., Breaking short Playfair ciphers with the simulated annealing algorithm,
www.ebook777.com
free ebooks ==> www.ebook777.com
178 Secret History: The Story of Cryptology
up at the top of a small hill from which we can see a higher peak but can-
not get to that peak because a step in any direction will take us downhill.
In mathematical lingo, we have found a local (or relative) max, but not the
global (or absolute) max.
Simulated annealing provides an opportunity to escape from local maxima
and make it to the global maximum by only moving in the uphill direction
(to a higher scoring guess) with a certain probability. That is, after scoring
two guesses, we might move to the lower scoring guess 40% of the time.
This percentage is known as the temperature of the process. The tempera-
ture is lowered slowly over the course of tens of thousands of modifications.
The name simulated annealing makes an analogy with the tempering pro-
cess undergone by swords, where they are dipped in water to cool between
rounds at very high temperatures.
Cowan’s changes to the key, for the purpose of comparing the resulting
scores, consisted of a mix of row swaps, column swaps, and individual letter
swaps, as well as the occasional flip of the square around the NE–SW axis.
For scoring, he found tetragraph frequencies worked best.
Cowan gives much more detail in his paper. It seems that his approach is
reliable, but runtime may vary greatly depending on the particular cipher
being examined and the initial guess. His solving times for particular ciphers
(averaged over many initial guesses) ranged from about 6 seconds to a little
more than a half hour.
After the idea of replacing characters two at a time is contemplated, a good
mathematician ought to quickly think of a generalization. Why not replace
the characters three at a time (trigraphic substitution) or four at a time, or n at
a time? A nice mathematical way of doing this (using matrices) is described
in Section 7.1.
5.6 Kerckhoffs’ Rules
I have pointed out how the method of encipherment can be determined
for many cipher systems by an examination of sample ciphertext. In gen-
eral, this is not necessary. It’s usually assumed that the method is known.
The security of a cipher must lie in the secrecy of the key. You cannot hide
the algorithm (see K2 below). This basic tenet of cryptography goes back to
Auguste Kerckhoffs (Figure 5.11). In his La Cryptographie Militaire (1883), he
stated six laws that, with the change of only a word or two, are still valid
today:*
* Taken here from Konheim, A., Cryptography, A Primer, John Wiley & Sons, New York, 1981, p. 7.
free ebooks ==> www.ebook777.com
Shakespeare, Jefferson, and JFK 179
FIGURE 5.11
Auguste Kerckhoffs (1835–1903). (From Kahn, D., The Codebreakers, 2nd ed., Scribner, New York,
1996. With permission.)
* Shannon, C., Communication theory of secrecy systems, The Bell System Technical Journal,
28(4), 670, 1949. Shannon noted, “The material in this paper appeared in a confidential
report, ‘A Mathematical Theory of Cryptography,’ dated Sept.1, 1945, which has now been
declassified.”
www.ebook777.com
free ebooks ==> www.ebook777.com
180 Secret History: The Story of Cryptology
Revealing the details of the system is actually a good way to make sure
it’s secure. If the world’s best cryptanalysts cannot crack it, you have an ad
campaign that money can’t buy. Despite all of this, some modern purveyors
of cryptosystems still try to keep their algorithms secret. An example that
will be examined in greater detail in Section 18.5 is RC4, sold by RSA Data
Security, Inc. Despite the effort to maintain secrecy, the algorithm appeared
on the cypherpunks mailing list.*
Jenkins, S., Waiting for William, The Washington Post Magazine, August 30, 2009, pp.
8–15, 25–28. This article reports on the newly discovered Shakespeare portrait. I
have assumed it is authentic, but the experts are not unanimous in accepting it.
Marino, G., The biologist as bibliosleuth, Research Penn State, 27(1), 13–15, 2007.
Pyle, J.G., The Little Cryptogram, Pioneer Press, St. Paul, MN, 1888, 29 pp. This is a
spoof of Donnelly’s work.
Schmeh, K., The pathology of cryptology: a current survey, Cryptologia, 36(1), 14–45,
2012. Schmeh recommends Pyle’s approach to investigation of alleged hidden
messages: If the technique yields messages in similar items, selected at random,
or different messages from the original source, then it is likely to be an invalid
technique.
Stoker, B., Mystery of the Sea, Doubleday, New York, 1902. Bram Stoker used the bilit-
eral cipher extensively in this novel—not to hide a message within its text but
rather for two characters in the tale to communicate with each other. The two
symbols needed for the cipher are manifested in a great variety of ways, not
limited to print.
Walpole, H., Historic Doubts on the Life and Reign of King Richard the Third, J. Dodsley,
London, 1768. (Reprinted by Rowman & Littlefield, Totowa, NJ, 1974.) The
claims Pratt says Walpole makes are not to be found in here!
Zimansky, C.A., William F. Friedman and the Voynich manuscript, Philological
Quarterly, 49(2), 433–443, 1970. The last two pages reproduce text masking
messages via Bacon’s biliteral cipher. This paper was reprinted in Brumbaugh,
R.S., Ed., The Most Mysterious Manuscript, Southern Illinois University Press,
Carbondale, 1978, pp. 99–108, with notes on pp. 158–159.
On Cipher Wheels
Bazeries, É., Les Chiffres Secrets Dévoilés, Charpentier-Fasquelle, Paris, 1901.
Bedini, S.A., Thomas Jefferson: Statesman of Science, Macmillan, New York, 1990.
Although this biography contains only a few paragraphs dealing with cryptol-
ogy, it does focus on Jefferson’s scientific interests and accomplishments.
de Viaris, G., L’art de Chiffrer et Déchiffrer les Dépêches Secretes, Gauthier-Villars, Paris,
1893. The attack described by de Viaris makes the same assumption as the
example in this chapter.
Friedman, W.F., Several Machine Ciphers and Methods for Their Solution, Publ. No. 20,
Riverbank Laboratories, Geneva, IL, 1918. Friedman showed attacks on the
wheel cipher in Part III of this paper. This paper was reprinted together with
other Friedman papers in Friedman, W., The Riverbank Publications, Vol. 2,
Aegean Park Press, Laguna Hills, CA, 1979. As the original printing only con-
sisted of 400 copies, I suggest looking for the reprint instead.
Gaddy, D.W., The cylinder cipher, Cryptologia, 19(4), 385–391, 1995. Gaddy argues that
the cipher wheel was probably not an independent invention of Jefferson, but
rather that he got the idea from an already existing wheel or description.
Kruh, L., The cryptograph that was invented three times, The Retired Officer, April,
20–21, 1971.
Kruh, L., The cryptograph that was invented three times, An Cosantoir: The Irish
Defense Journal, 32(1–4), 21–24, 1972. This is a reprint of Kruh’s piece from The
Retired Officer.
www.ebook777.com
free ebooks ==> www.ebook777.com
182 Secret History: The Story of Cryptology
Kruh, L., The evolution of communications security devices, The Army Communicator,
5(1), 48–54, 1980.
Kruh, L., The genesis of the Jefferson/Bazeries cipher device, Cryptologia, 5(4), 193–
208, 1981.
Mellen, G. and Greenwood, L., The cryptology of multiplex systems, Cryptologia, 1(1),
4–16, 1977. This is an interesting introduction and overview of cipher wheel/
strip cipher systems. The cryptanalysis is done in the sequel, referenced below.
Mellen, G. and Greenwood, L., The cryptology of multiplex systems. Part 2. Simulation
and cryptanalysis, Cryptologia, 1(2), 150–165, 1977. A program in FORTRAN V
to simulate the M-94 is described. Cryptanalysis for three cases is examined: (1)
known alphabets and known crib; (2) unknown alphabet and known crib (“A
crib of 1000–1500 characters is desirable. Shorter cribs of several hundred letters
can be used but prolong the effort.”); and (3) unknown alphabets and unknown
crib. Mellen noted, “The general method for this case was originated by the
Marquis de Viaris in 1893 [15] and elaborated upon by Friedman [16].” In the
reference section at the end of this paper, we see that [15] refers to David Kahn’s
The Codebreakers, pp. 247–249, but [16] is followed by blank space. Perhaps this
work by Friedman was classified at the time and could not be cited!
Rohrbach, H., Report on the decipherment of the American strip cipher O-2 by the
German foreign office (Marburg, 1945), Cryptologia, 3(1), 16–26, 1979. Rohrbach
was one of the German codebreakers who cracked this cipher during World
War II. Following a preface, his 1945 report on how this was done is reprinted.
Smithline, L.M., A cipher to Thomas Jefferson: a collection of decryption techniques
and the analysis of various texts combine in the breaking of a 200-year-old code,
American Scientist, 97(2), 142–149, 2009.
Spear, J., Worawannotai, C., and Mitchell, E., Jefferson Wheel Cipher, http://www.
monticello.org/jefferson/wheelcipher/index2.html.
For 29 years (116 issues), Cryptologia almost never repeated a cover. When it
was decided to settle on a single cover, only changing the dates each time,
the image that won was of a cipher wheel (Figure 5.12). This is fitting, as a
cipher wheel cover marked the journal’s debut.
FIGURE 5.12
Cryptologia’s new look.
Rhew, B., Cryptanalyzing the Playfair Cipher Using Evolutionary Algorithms, December 9,
2003, 8 pp. (http://web.mst.edu/~tauritzd/courses/ec/fs2003/project/Rhew.
pdf).
Stumpel, J., Fast Playfair Programs, www.jw-stumpel.nl/playfair.html. Cowan’s pro-
gram was based on Stumpel’s platform.
Winkel, B.J., A Tribute to Alf Mongé, Cryptologia, 2(2), 178–185, 1978.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
6
World War I and Herbert O. Yardley*
In World War I, all of the ciphers previously discussed in this book saw
use, even the weakest ones! We focus here on the best systems, ADFGX and
ADFGVX. The fascinating life of Herbert O. Yardley is also covered, but first
we look at a coded telegram that had a huge effect on the war.
6.1 Zimmermann Telegram
It is a common misconception that the sinking of the Lusitania got the United
States into World War I. A simple checking of dates casts serious doubt on
this idea. The Germans sank the Lusitania on May 7, 1915, and the United
States did not declare war until April 6, 1917. Now compare the latter date
to the revelation of what has become known as the Zimmermann Telegram,
which was given to the press (at President Wilson’s request) on March 1, 1917.
The famous Zimmermann telegram is pictured in Figure 6.1. It was
sent to Felix von Eckhardt, the German ambassador in Mexico, by Arthur
Zimmermann (director of the German ministry of foreign affairs). It was
written using a code, rather than a cipher; that is, the basic unit of substitu-
tion was the word. For example, alliance was written as 12137 and Japan
was written as 52262. The Germans normally included an extra step in which
the numbers were enciphered (i.e., an enciphered code), but the process was
skipped for this message. After decoding and translating, the telegram reads:†
185
www.ebook777.com
free ebooks ==> www.ebook777.com
186 Secret History: The Story of Cryptology
FIGURE 6.1
The Zimmermann telegram (http://www.nara.gov/education/teaching/zimmermann/bernstor.
jpg).
at the same time mediate between Japan and ourselves. Please call the
President’s attention to the fact that the ruthless employment of our sub-
marines now offers the prospect of compelling England in a few months
to make peace.
Signed, Zimmermann
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 187
* Yardley, H.O., The American Black Chamber, Espionage/Intelligence Library, Ballantine Books,
New York, 1981, p. 90.
† Kippenhahn, R., Code Breaking: A History and Exploration, Overlook Press, New York, 1999, p. 60.
‡ Ibid., p. 65.
§ Sayers, M. and Kahn, A.E., Sabotage! The Secret War Against America, Harper & Brothers, New
www.ebook777.com
free ebooks ==> www.ebook777.com
188 Secret History: The Story of Cryptology
A few words should be said about the British cryptologists at this point.
First, they were ahead of the Germans, who did not even have any cryptana-
lysts on the western front for the first two years of the war!* But, compared to
today’s gigantic cryptologic agencies, they were very few in number. A total
of 50 or so cryptanalysts worked in Room 40 of the old Admiralty build-
ing, where they recovered about 15,000 encoded or enciphered messages
between October 1914 and February 1919.† Imagine yourself in a classroom
with 50 of your peers. How many messages would your group be able to
crack? Although the cryptanalysts that were recruited were carefully chosen
to be of very high intelligence and many possessed fluency in foreign lan-
guages, they initially knew less about cryptanalysis than anyone who has
read this far. So, the comparison is fair, and it’s a good thing that those in
Room 40 were quick learners.
These cryptanalysts received help on a few occasions in the form of recov-
ered German code books. One came as a gift from the Russians. On August
26, 1914, the German light cruiser Magdeburg became stuck in shallow water
at Odensholm (now Osmussaar) in the Baltic Sea. This was Russian territory
and their troops were able to recover the German Navy’s main code book
from the wreck, despite attempts by the Germans to destroy everything. The
Russians then passed it on to the British, who were the stronger naval power
and could use it to great advantage. Indeed, the Germans kept this particular
code in use for years!‡
World War I is referred to as the “Chemists’ War” due to the major role of
chemical warfare, and World War II is called the “Physicists’ War” because
of the atomic bomb. It has been claimed that, if it occurs, World War III will
be the “Mathematicians’ War” (if anyone is left to talk about it). Just imagine
a cyber attack that renders all of the enemies’ computer systems useless and
shuts down all enemy communications.
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 313.
† Ibid., pp. 275 and 273.
‡ Rislakki, J., Searching for cryptology’s great wreck, Cryptologia, 31(3), 263–267, 2007.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 189
FIGURE 6.2
General Erich Ludendorff directed Germany’s spring offensive under the protection of a new
and seemingly secure cipher system (http://en.wikipedia.org/wiki/Erich_Ludendorff).
soon to be described, were not the only ones the Germans employed. Over
the course of the war they used a wide range of ciphers that even included
monoalphabetic substitution!*
It’s always a good idea to introduce new ciphers shortly before major
offensives and this is what the Germans did. A little more than two weeks
before General Ludendorff (Figure 6.2) launched their March 21, 1918, attack
ADFGX hit the wires and airwaves, and on June 1 the system was modified
to become ADFGVX.† The cipher got its name from the fact that these were
the only letters that appeared in the ciphertext. They were specifically cho-
sen for their ease in being distinguished from one another when transmit-
ted in Morse code. A lot of thought and testing went into these ciphers. The
designer, Fritz Nebel, had 60 cryptanalysts try to crack the system prior to
its deployment.‡
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 307.
† Ibid., p. 344.
‡ Norman, B., The ADFGVX men, The Sunday Times Magazine, August 11, 1974, p. 11.
www.ebook777.com
free ebooks ==> www.ebook777.com
190 Secret History: The Story of Cryptology
A D F G V X
A c o 8 x f 4
D m k 3 a z 9
F n w 1 0 j d
G 5 s i y h u
V p l v b 6 r
X e q 7 t 2 g
XX AD XG XG DA GF XG GX FA GD
Next we use the second part of the key, a word that determines in what order the
columns are to be read out for the transposition portion of the encipherment:
3 2 4 1
X X A D
X G X G
D A G F
X G G X
F A G D
The ciphertext is then read off as DGFXD XGAGA XXDXF AXGGG. In actual
use, the messages were typically much longer, as was the transposition key.
Although the length of the key varied, it was common to have 20 values. This
is an example of a fractional cipher, so-called because the original message let-
ters are replaced by pairs that become split in the transposition step.
6.3 Cryptanalysis of ADFGX
The French were saved by Georges Painvin (Figure 6.3), who exerted a tre-
mendous effort over nearly 3 months, first breaking ADFGX, which used a
5-by-5 Polybius square, and then ADFGVX, losing 33 pounds (15 kg) in the
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 345.
† This translates to “God is with us” and appeared on the belt buckles of some German troops
in both World War I and World War II. If true, it looks like God is 0 for 2 in world wars.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 191
FIGURE 6.3
French cryptanalyst Georges Painvin. (Courtesy of the David Kahn Collection at the National
Cryptologic Museum.)
process but finally obtaining solutions revealing where the next attack was
to be.* A former American diplomat, J. Rives Childs, observed that,†
Painvin’s solution did not allow all ADFGVX ciphers to be read, but did crack
some special cases. A general solution was found only after the war ended.
We examine a special case below, but some of the comments can be applied
more generally. If the following paragraphs are too abstract, feel free to skip
ahead to the example.
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 347.
† Childs, J.R., My recollections of G.2 A.6, Cryptologia, 2(3), 206, 1978.
www.ebook777.com
free ebooks ==> www.ebook777.com
192 Secret History: The Story of Cryptology
For the even case, after transposing columns, each column will still be all Bs
or all Es. For the odd case, after transposing columns, each column will still
alternate Bs and Es.
Unless the placement of the letters in the Polybius square is carefully done
to avoid it, the frequencies of the individual letters A, D, F, G, V, and X will dif-
fer as beginning characters and end characters in the ciphertext pairs. This
allows a cryptanalyst to determine, using the patterns above, if the num-
ber of columns is even or odd. The manner in which this is done is now
described.
Given a message of n characters, we divide by a number we feel is an upper
bound for the number of columns, c, used. The result, n/c, will be a lower
bound on the number of rows. If n/c is 18, for example, then the first 18 letters
in the ciphertext are all from the same column. It could be a column of all Bs,
all Es, or half and half. Take the characters in the odd positions and construct
a frequency distribution. These characters must all be of the same type (all
Bs or all Es), whether the number of columns is even or odd. Now take the
characters in the even positions and construct a frequency distribution.
Again, these characters must all be of the same type, B or E. Now compare
the two frequency distributions. If they look similar, then all characters in
that column are of the same type, so the number of columns must be even. If
they look dissimilar, an odd number of columns must have been used.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 193
Example 1
We’ll attack a message enciphered with the original version, ADFGX, so that
we needn’t be concerned with the frequencies of the various numbers after
we unravel the transposition. We’ll assume that the message is in English
and that I and J are enciphered by the same pair, since a 5-by-5 grid only
allows for 25 plaintext characters. Our ciphertext is
AXDXD XDDDX DXXDD DXXDD DXXDG DXGXX XDFGA AGGAF FGGFA AAFFA ADGGF GFFAD
FAFAD FGGAF DFDXD XDFFX AXDXG FGFGX DXGXX DXFAD XGFDA AFADF FFGGA DFGDF
FADFA GAAFF GAAGG XFFDF GGDFG FDFFF GAFDA FAFAF GAFAA FAFFX DXFXF GDDGX
DFFFG XDFXX XDFFX ADAFA FDXFX FGADD GGDDA AXXXX FFGXX FDXXD FXFGD DFFFD
DXDDA DDXDD GXAFD DXXXX DGGDF XXXXF XXDDD AGGDA FAAGF GGGFA GFGAG FFXAG
FFFGF FXXFX AFXDG DXXXD XXXXD XAADF FXDDF GXGDX XFXXX AGGXD AFFAX FGFAX
www.ebook777.com
free ebooks ==> www.ebook777.com
194 Secret History: The Story of Cryptology
XXXAD FFDFD DFDXD XFFXX XDXDA GDGFX XGDFA FGXFG DDXXX XXGXF XFXXF AXGXF
DXDDD AXDDD XFXFD XAFDG XFGGA AAAGF GAAAA FGAGA AGAAA FDGAF DAGAA GGFDF
FGGGG GGAGG AFGAA GFFFG FGAFF DFAFA GGAGA FGAAD AGGGF GFGFG FFAGA GGAAF
AAAGD GGXGF GGAFF AGAFG AAAAF GDAAG DGFGF FGGXX DDXFD FXXXG GAXXX GGDDG
FFGXD XGDGX FXXGA AGAFG ADAGG FXFGG GAAGA FFGFD DAAAA DGAFF AFGDA ADFGD
FAAGG AFAAG FGGGG FFGDG
We have 680 characters and we assume that no more than 30 columns were
used, so there must be at least 22 characters in each column (680/30 ≈ 22.67).
We take the first 22 characters, AXDXD XDDDX DXXDD DXXDD DX, and find the
frequency distribution for the characters in the odd positions:
A = 1, D = 8, F = 0, G = 0, X = 2
A = 0, D = 4, F = 0, G = 0, X = 7
A = 2, D = 1, F = 4, G = 4, X = 0
A = 3, D = 1, F = 1, G = 6, X = 0
The values for D and X match exactly, the values for A only differ by one, and
the values for G differ by two, so our conclusion gains further support. Also,
observe how markedly both of these distributions (no Xs!) differ from the
first 22 characters. It seems that the columns these letters represent cannot
both be of the same type (B or E).
So, we have an even number of columns, and that number must divide 680.
Our choices are 2, 4, 8, 10, 20, 34, 68, 170, 340, or 680. We already assumed that
no more than 30 columns were used, so our list quickly shrinks to 2, 4, 8, 10,
20. The smaller values seem unlikely, so we test 10 and 20.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 195
10 Columns
Column Letters A D F G X Column Letters A D F G X
1 1–68 12 18 12 12 14 6 341–408 7 13 15 9 24
2 69–136 13 13 18 12 12 7 409–476 21 11 12 12 12
3 137–204 11 12 27 8 10 8 477–544 19 3 19 27 0
4 205–272 5 20 12 8 23 9 545–612 10 10 13 21 14
5 273–340 10 12 16 14 16 10 613–680 21 8 15 22 2
Columns 8 and 10 stand out as having very few Xs, but we need to split the
columns into two groups, Bs and Es, so each group must contain five col-
umns. What other three columns resemble these? The next lowest frequen-
cies for X are 10, 12, and 12—quite a jump!
20 Columns
Column Letters A D F G X Column Letters A D F G X
1 1–34 1 15 1 3 14 11 341–374 5 6 9 3 11
2 35–68 11 3 11 9 0 12 375–408 2 7 6 6 13
3 69–102 3 8 7 5 11 13 409–442 3 9 8 2 12
4 103–136 10 5 11 7 1 14 443–476 18 2 4 10 0
5 137–170 8 4 16 5 1 15 477–510 7 2 12 13 0
6 171–204 3 8 11 3 9 16 511–544 12 1 7 14 0
7 205–238 3 8 8 5 10 17 545–578 9 3 8 13 1
8 239–272 2 12 4 3 13 18 579–612 1 7 5 8 13
9 273–306 7 4 11 11 1 19 613–646 12 4 6 10 2
10 307–340 3 8 5 3 15 20 647–680 9 4 9 12 0
From this table, it’s easy to split the columns into two groups with distinct fre-
quency distributions. The frequency of X, by itself, clearly distinguishes them;
thus, we conclude that 20 columns were used. Our two distinct groups are
We must now pair them together to represent the plaintext letters. Our
work thus far fails to indicate whether Group 1 columns are beginnings
or ends of pairs. Happily, it doesn’t matter. As was mentioned prior to this
example, reversing the order of the pairs arising from the Polybius cipher
will simply correspond to someone having misused the table—writing first
the column header and then the row header, instead of vice versa. As long
as all pairs are switched, switching doesn’t matter. So, we’ll assume that
the high-frequency X group provides the beginnings. To determine which
Group 2 column completes each of the Group 1 beginnings, Painvin, and the
www.ebook777.com
free ebooks ==> www.ebook777.com
196 Secret History: The Story of Cryptology
End Column
Start
Column 2 4 5 9 14 15 16 17 19 20
1 0.0909 0.0802 0.1087 0.0891 0.1462 0.1052 0.1034 0.0856 0.0963 0.0873
3 0.0517 0.0481 0.0749 0.0624 0.0731 0.0517 0.0784 0.0481 0.0481 0.0446
6 0.0535 0.0463 0.0766 0.0553 0.0766 0.0713 0.0731 0.0517 0.0446 0.0588
7 0.0570 0.0446 0.0606 0.0606 0.0660 0.0642 0.0677 0.0535 0.0517 0.0535
8 0.0731 0.0553 0.0856 0.0695 0.0998 0.0820 0.0784 0.0677 0.0980 0.0624
10 0.0713 0.0606 0.0749 0.0588 0.1248 0.0802 0.1230 0.0570 0.0588 0.0695
11 0.0624 0.0535 0.0517 0.0446 0.0873 0.0695 0.0802 0.0463 0.0624 0.0677
12 0.0606 0.0713 0.0677 0.0660 0.0731 0.0695 0.0731 0.0624 0.0570 0.0695
13 0.0570 0.0535 0.0660 0.0606 0.0873 0.0624 0.1141 0.0588 0.0535 0.0570
18 0.0713 0.0624 0.0570 0.0499 0.1016 0.0713 0.0677 0.0606 0.0660 0.0749
The correct values range from 0.0446 to 0.1034; thus, this test is not as useful
as we might expect. Another obvious approach is to examine, for each pos-
sible pairing, the frequency table and see how it compares to that of normal
English. To do this, we order the frequencies for each pairing and the regular
alphabet, then we compare the most frequent in each group, the second most
frequent in each group, and so on. To attach a number to this, we sum the
squares of the differences between observed and expected frequencies. This
yields the table below. Once again, values for correct pairings are underlined.
End Column
Start
Column 2 4 5 9 14 15 16 17 19 20
1 0.0208 0.0140 0.0310 0.0187 0.0556 0.0277 0.0285 0.0167 0.0245 0.0191
3 0.0039 0.0029 0.0123 0.0064 0.0105 0.0039 0.0161 0.0029 0.0072 0.0040
6 0.0061 0.0045 0.0115 0.0056 0.0149 0.0109 0.0105 0.0046 0.0033 0.0055
7 0.0050 0.0040 0.0068 0.0076 0.0078 0.0084 0.0099 0.0070 0.0046 0.0054
8 0.0112 0.0069 0.0162 0.0084 0.0269 0.0175 0.0135 0.0105 0.0254 0.0064
10 0.0119 0.0076 0.0140 0.0052 0.0388 0.0127 0.0438 0.0053 0.0074 0.0084
11 0.0071 0.0045 0.0035 0.0028 0.0192 0.0092 0.0144 0.0045 0.0083 0.0103
12 0.0073 0.0109 0.0087 0.0100 0.0105 0.0115 0.0105 0.0063 0.0061 0.0119
13 0.0047 0.0038 0.0092 0.0058 0.0174 0.0084 0.0347 0.0055 0.0046 0.0062
18 0.0103 0.0063 0.0057 0.0049 0.0253 0.0090 0.0089 0.0075 0.0092 0.0135
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 197
Looking at the fourth row (headed with 7) we see that the smallest value
represents the correct pairing. Sadly, this is the only row for which this hap-
pens! Thus, this approach also fails to readily pair the columns.
As was mentioned before, Painvin, and later American cryptanalysts who
approached this problem, did not use either of these measures. They simply
looked at the frequency distributions for possible pairings and determined
by sight which were most likely. Being that there are 10! ways to pair the col-
umns when 20 columns are used, this must have taken them a great deal of
time. Surely this was the most difficult step in solving ADFGX and ADFGVX.
With today’s technology, we can consider all 10! possibilities. Each pos-
sibility then gives 10 columns (each consisting of two letters per row), which
may be arranged in 10! ways. The correct arrangement then represents a
monoalphabetic substitution cipher without word spacing, which may easily
be solved with technology or by hand.
We continue our attack, assuming that the correct pairings have been
determined, probably after tremendous trial and error. The pairings are
1 ↔ 16
↔ 9
3
↔ 5
6
↔ 4
7
↔ 2
8
↔ 15
10
↔ 17
11
↔ 20
12
↔ 19
13
↔ 14
18
We must now find the proper order for these ten pairs of columns and
solve the Polybius cipher (without word divisions) that they provide. There
are 10! = 3,628,800 ways to arrange pairs of columns, so we could brute force
a solution with a computer.
If we prefer to stick to World War I-era technology, we can use the fre-
quency distribution for all of the pairs to guess at some letters and piece
together columns by making words:
AA = 6 DA = 27 FA = 19 GA = 15 XA = 36
AD = 3 DD = 7 FD = 8 GD = 6 XD = 8
AF = 12 DF = 22 FF = 23 GF = 7 XF = 31
AG = 5 DG = 31 FG = 12 GG = 13 XG = 43
AX = 0 DX = 1 FX = 2 GX = 0 XX = 3
www.ebook777.com
free ebooks ==> www.ebook777.com
198 Secret History: The Story of Cryptology
1 ↔ 16 3 ↔ 9 6 ↔ 5 7 ↔ 4 8 ↔ 2 10 ↔ 15 11 ↔ 17 12 ↔ 20 13 ↔ 19 18 ↔ 14
AG AD DF XF FA E XD DG XX E
E FD XF FD DA XF FG T FG E
DA DD FD GA DG FD E FF T DA
E FA XF AA E XF XX FF FA DA
DA DG FG DF DA AF E T E T
XF E GG DA DF FG AF XF T FA
DG DD DD GD AF E GG E FF DG
DA T DF GF DG DG GG DD AG FF
DA DF GG DF DG GG T T T E
XD FA XF DF XF DG DF DA GD T
DA FA DD AG DA E AF AD T T
E E FF AG DA T FA GF FG GA
E AF FF T GA E FG DG DG GA
DG E FF XD XF DG AA GD XF AF
DF DG GG XF AF T XF FF DX E
DG E T E FA XF FG T DF T
XF GF DF FD DA E GA T DG E
E FA FD FF DD T FA GG AG GA
DF GG T GF E DA AA DG E GA
DG FF XF T E E T FA DA DG
DF GG T XD XF AF XF AF DA DA
XF T DF FF E AF E FA DG GA
T DG FA DA DF DF XD GA T FA
DG XF FF E GF FG AA E FF FF
GA GF E T GA FF DA FF XF GD
DG XX AA DA DD E FG GG FG E
E T DF FF FF DA FD DG DF DA
GA DG AA XF T DF DG DG XD XF
T XF FA FG XF FF FF E AD GD
XF FF AF GA T GD DG XF FA DA
T AF FA DA XD XF DF XF DA GG
DA DG DF DG FF GA FF E GA T
FA XF XF FG E DF DG XD T FA
GG GF FX FX E T E GG FD E
We’ll use the high frequency of the trigraph THE to order the columns. We
start with column 1 ↔ 16. Looking down at position 12 and 18, we find Es
that match the positions of Ts in column 10 ↔ 15. We expect that there is a
column that appears between these two that has a plaintext H in positions
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 199
12 and 18. We look for a column such that the pairs in positions 12 and 18
match and come up with two possibilities 11 ↔ 17 and 18 ↔ 14. They can be
considered separately.
Case 1 Case 2
10 ↔ 15 11 ↔ 17 1 ↔ 16 10 ↔ 15 18 ↔ 14 1 ↔ 16
E XD AG E E AG
XF FG E XF E E
FD E DA FD DA DA
XF XX E XF DA E
AF E DA AF T DA
FG AF XF FG FA XF
E GG DG E DG DG
DG GG DA DG FF DA
GG T DA GG E DA
DG DF XD DG T XD
E AF DA E T DA
T FA E T GA E
E FG E E GA E
DG AA DG DG AF DG
T XF DF T E DF
XF FG DG XF T DG
E GA XF E E XF
T FA E T GA E
DA AA DF DA GA DF
E T DG E DG DG
AF XF DF AF DA DF
AF E XF AF GA XF
DF XD T DF FA T
FG AA DG FG FF DG
FF DA GA FF GD GA
E FG DG E E DG
DA FD E DA DA E
DF DG GA DF XF GA
FF FF T FF GD T
GD DG XF GD DA XF
XF DF T XF GG T
GA FF DA GA T DA
DF DG FA DF FA FA
T E GG T E GG
If Case 1 is correct, then FA = H. If Case 2 is correct, then GA = H.
www.ebook777.com
free ebooks ==> www.ebook777.com
200 Secret History: The Story of Cryptology
Case 1a Case 1b
13 ↔ 19 3 ↔ 9 10 ↔ 15 11 ↔ 17 1 ↔ 16 18 ↔ 14 3 ↔ 9 10 ↔ 15 11 ↔ 17 1 ↔ 16
XX AD E XD AG E AD E XD AG
FG FD XF FG E E FD XF FG E
T DD FD E DA DA DD FD E DA
FA FA XF XX E DA FA XF XX E
E DG AF E DA T DG AF E DA
T E FG AF XF FA E FG AF XF
FF DD E GG DG DG DD E GG DG
AG T DG GG DA FF T DG GG DA
T DF GG T DA E DF GG T DA
GD FA DG DF XD T FA DG DF XD
T FA E AF DA T FA E AF DA
FG E T FA E GA E T FA E
DG AF E FG E GA AF E FG E
XF E DG AA DG AF E DG AA DG
DX DG T XF DF E DG T XF DF
DF E XF FG DG T E XF FG DG
DG GF E GA XF E GF E GA XF
AG FA T FA E GA FA T FA E
E GG DA AA DF GA GG DA AA DF
DA FF E T DG DG FF E T DG
DA GG AF XF DF DA GG AF XF DF
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 201
DG T AF E XF GA T AF E XF
T DG DF XD T FA DG DF XD T
FF XF FG AA DG FF XF FG AA DG
XF GF FF DA GA GD GF FF DA GA
FG XX E FG DG E XX E FG DG
DF T DA FD E DA T DA FD E
XD DG DF DG GA XF DG DF DG GA
AD XF FF FF T GD XF FF FF T
FA FF GD DG XF DA FF GD DG XF
DA AF XF DF T GG AF XF DF T
GA DG GA FF DA T DG GA FF DA
T XF DF DG FA FA XF DF DG FA
FD GF T E GG E GF T E GG
www.ebook777.com
free ebooks ==> www.ebook777.com
202 Secret History: The Story of Cryptology
DA DA GG AF XF DF
DG GA T AF E XF
T FA DG DF XD T
FF FF XF FG AA DG
XF GD GF FF DA GA
FG E XX E FG DG
DF DA T DA FD E
XD XF DG DF DG GA
AD GD XF FF FF T
FA DA FF GD DG XF
DA GG AF XF DF T
GA T DG GA FF DA
T FA XF DF DG FA
FD E GF T E GG
We could continue to work the front of the key, but none of the matches at
this stage can be made with great confidence, so we move to the end. Notice
how 1 ↔ 16 has Ts in positions 23, 29, and 31. Column 6 ↔ 5 provides a won-
derful match with FAs (presumed Hs) in all of these positions. We now place
this in our partially reconstructed key.
DG GA T AF E XF DF
T FA DG DF XD T FA
FF FF XF FG AA DG FF
XF GD GF FF DA GA E
FG E XX E FG DG AA
DF DA T DA FD E DF
XD XF DG DF DG GA AA
AD GD XF FF FF T FA
FA DA FF GD DG XF AF
DA GG AF XF DF T FA
GA T DG GA FF DA DF
T FA XF DF DG FA XF
FD E GF T E GG FX
www.ebook777.com
free ebooks ==> www.ebook777.com
204 Secret History: The Story of Cryptology
FA E T T FA E
AF XF XD XD AF XF
FA E FF FF FA E
GA DF DA DA GA DF
E GF E E E GF
FF GA T T FF GA
GG DD DA DA GG DD
DG FF FF FF DG FF
DG T XF XF DG T
E XF FG FG E XF
XF T GA GA XF T
XF XD DA DA XF XD
E FF DG DG E FF
XD E FG FG XD E
GG E FX FX GG E
12 ↔ 20 8 ↔ 2 7 ↔ 4 13 ↔ 19 18 ↔ 14 3 ↔ 9 10 ↔ 15 11 ↔ 17 1 ↔ 16 6 ↔ 5
DG FA XF XX E AD E XD AG DF
T DA FD FG E FD XF FG E XF
FF DG GA T DA DD FD E DA FD
FF E AA FA DA FA XF XX E XF
T DA DF E T DG AF E DA FG
XF DF DA T FA E FG AF XF GG
E AF GD FF DG DD E GG DG DD
DD DG GF AG FF T DG GG DA DF
T DG DF T E DF GG T DA GG
DA XF DF GD T FA DG DF XD XF
AD DA AG T T FA E AF DA DD
GF DA AG FG GA E T FA E FF
DG GA T DG GA AF E FG E FF
GD XF XD XF AF E DG AA DG FF
FF AF XF DX E DG T XF DF GG
T FA E DF T E XF FG DG T
T DA FD DG E GF E GA XF DF
GG DD FF AG GA FA T FA E FD
DG E GF E GA GG DA AA DF T
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 205
FA E T DA DG FF E T DG XF
AF XF XD DA DA GG AF XF DF T
FA E FF DG GA T AF E XF DF
GA DF DA T FA DG DF XD T FA
E GF E FF FF XF FG AA DG FF
FF GA T XF GD GF FF DA GA E
GG DD DA FG E XX E FG DG AA
DG FF FF DF DA T DA FD E DF
DG T XF XD XF DG DF DG GA AA
E XF FG AD GD XF FF FF T FA
XF T GA FA DA FF GD DG XF AF
XF XD DA DA GG AF XF DF T FA
E FF DG GA T DG GA FF DA DF
XD E FG T FA XF DF DG FA XF
GG E FX FD E GF T E GG FX
The last column has a T in position 19. When reading the plaintext out of
this rectangle, the end of this row is continued at the start of row 20, where
we have HE. This indicates a nice placement of the three remaining columns.
Placing 12 ↔ 20, 8 ↔ 2, 7 ↔ 4 at the end instead doesn’t yield such a nice
result, nor does placing 7 ↔ 4, 8 ↔ 2, 12 ↔ 20 at either end. Therefore, we
assume that we now have the proper ordering of the columns and that we
have correctly identified T, H, and E. Recall that this was all part of Case 1b.
If we had reached an impasse, we would have backed up to consider Case 1a
or even Case 2, but because things seem to be working out there’s no need.
We fill in all 19 Hs to get the partial plaintext below:
DG H XF XX E AD E XD AG DF
T DA FD FG E FD XF FG E XF
FF DG GA T DA DD FD E DA FD
FF E AA H DA H XF XX E XF
T DA DF E T DG AF E DA FG
XF DF DA T H E FG AF XF GG
E AF GD FF DG DD E GG DG DD
DD DG GF AG FF T DG GG DA DF
T DG DF T E DF GG T DA GG
DA XF DF GD T H DG DF XD XF
AD DA AG T T H E AF DA DD
GF DA AG FG GA E T H E FF
DG GA T DG GA AF E FG E FF
GD XF XD XF AF E DG AA DG FF
FF AF XF DX E DG T XF DF GG
T H E DF T E XF FG DG T
www.ebook777.com
free ebooks ==> www.ebook777.com
206 Secret History: The Story of Cryptology
T DA FD DG E GF E GA XF DF
GG DD FF AG GA H T H E FD
DG E GF E GA GG DA AA DF T
H E T DA DG FF E T DG XF
AF XF XD DA DA GG AF XF DF T
H E FF DG GA T AF E XF DF
GA DF DA T H DG DF XD T H
E GF E FF FF XF FG AA DG FF
FF GA T XF GD GF FF DA GA E
GG DD DA FG E XX E FG DG AA
DG FF FF DF DA T DA FD E DF
DG T XF XD XF DG DF DG GA AA
E XF FG AD GD XF FF FF T H
XF T GA H DA FF GD DG XF AF
XF XD DA DA GG AF XF DF T H
E FF DG GA T DG GA FF DA DF
XD E FG T H XF DF DG H XF
GG E FX FD E GF T E GG FX
There are many ways to pursue the decipherment from here. The problem
has been reduced to a Polybius cipher without word spacing. A vowel-recog-
nition algorithm (as seen in Section 2.8) could be applied, and perhaps after
a few guesses the As, Os, and Is could all be filled. From there, it ought to be
easy to guess a few words. The solving process would then quickly acceler-
ate. Other approaches are possible. Ultimately, it is up to you, as the final
steps are left as an exercise.
The approach used in this example will not work so nicely (although it
can be patched), if the rectangle is not completely filled in; however, if the
length of the transposition key is 20, then 5% of the messages should, by
chance, complete a rectangle. Without knowing the length of the key, the
attack could be tried on every message, and once the key is found the other
messages may be easily broken. With the large number of messages that flow
in every war, 5% will give cryptanalysts a lot to work with.
It was not until 1966 that the creator of ADFGVX, Fritz Nebel, learned that
his system had been cracked. He commented:*
I personally would have preferred the second stage to have had a dou-
ble transposition rather than a single one, but, in discussion with the
radiotelegraphy and decipherment chiefs, the idea was rejected. The
result was a compromise between technical and tactical considerations.
Double transposition would have been more secure but too slow and too
difficult in practice.
* Norman, B., The ADFGVX men, The Sunday Times Magazine, August 11, 1974, p. 11.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 207
6.4 Herbert O. Yardley
We now come to perhaps the most colorful figure in the cryptologic world.
Herbert O. Yardley (Figure 6.4) could be called the Han Solo of cryptol-
ogy. He’s often described as a gambler, a
drinker, and a womanizer, and debate is still
ongoing concerning his loyalty to the United
States. Although both did important cryptan-
alytic work for the United States, Yardley and
Friedman strike a strong contrast in almost
every category. Friedman was very neat, dap-
per even. Yardley was often scruffy and would
sometimes water the lawn in his underwear.
At the time of his death, he didn’t own a tie;
one was given to his widow for Yardley to be
buried in.† Yardley was anti-Semitic, whereas
Friedman was Jewish.‡ Friedman had a long,
apparently happy marriage, but one gets the
impression that he didn’t have a great deal of
FIGURE 6.4
Herbert O. Yardley (1889–1958)
confidence with women. Yardley, on the other
(http://www.nsa.gov/about/_ hand, was not at all shy. He even bragged about
images/pg_hi_res/yardley.jpg.) knowing his way around a Chinese whore-
* Norman, B., The ADFGVX men, The Sunday Times Magazine, August 11, 1974, p. 15.
† Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, p. 288.
‡ Ibid., pp. 88 and 146.
www.ebook777.com
free ebooks ==> www.ebook777.com
208 Secret History: The Story of Cryptology
FIGURE 6.5
The precise penmanship of the Friedmans (from the collection of the author).
house and hosted orgies for visiting journalists and diplomats while he was
in China.* Although it’s not often a good indicator, even their handwriting
represents their distinct personalities (Figures 6.5 and 6.6).
Yardley started out in a noncryptographic position at the State Department;
he was just a telegraph operator and code clerk, but having access to coded
messages, including ones addressed to President Wilson, he made attempts
to break them. He eventually produced a report, “Solution of American
Diplomatic Codes,” for his boss. His successes made a strong case for the
need for an improved American cryptographic bureau, or black chamber,
and his skills at self-promotion catapulted him into a new position as chief
of this new organization under the War Department, formally called the
Cipher Bureau, in 1917. Black chambers had played an important role in
European history, but such cryptanalytic units were new in the United
States. In 18 months, Yardley’s team (Military Intelligence Section 8, or MI-8)
had read almost 11,000 messages in 579 cryptographic systems. This is even
more amazing when one considers that the team initially consisted of only
Yardley himself and two clerks. At its peak in November 1918, the team
consisted of 18 officers, 24 civilians, and 109 typists.†
* Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, p. 196.
† Lewand, R.E., Cryptological Mathematics, Mathematical Association of America, Washington,
DC, 2000, p. 42. Kahn put the total at 165 (perhaps the few extra did not fit into any of the cat-
egories listed here). See p. xvii of the foreword to Yardley, H.O., The American Black Chamber,
Espionage/Intelligence Library, Ballantine Books, New York, 1981.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 209
FIGURE 6.6
Yardley’s sloppy scrawl (from the collection of the author).
Yardley had a method for gaining intercepts that was much simpler than
induction. He or a State Department official approached high officers in the
cable companies and asked for the messages. It was illegal for anyone to
agree to this request, but reactions were not all negative. “The government
can have anything it wants,” was the response from W.E. Roosevelt of the
All-America Cable Company.† At one point, when the cable companies cut off
Yardley’s supply of messages, he regained them with bribes.‡
The Cipher Bureau’s work was not strictly limited to codes and ciphers.
They also dealt with secret inks and shorthand systems. The ability to
detect messages hidden by the use of secret inks exposed German spy
* Yardley, H.O., The American Black Chamber, Espionage/Intelligence Library, Ballantine Books,
New York, 1981, p. 19.
† Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, p. 58.
‡ Ibid., p. 84.
www.ebook777.com
free ebooks ==> www.ebook777.com
210 Secret History: The Story of Cryptology
FIGURE 6.7
Yardley’s injured right hand. (From Kahn, D., The Reader of Gentlemen’s Mail, Yale University
Press, New Haven, CT, 2004, p. 58. With permission.)
networks in the United States, but there was a price to pay. In an experi-
ment with secret ink chemicals, some of Yardley’s fingers were blown off
(Figure 6.7).
The chamber might have been disbanded when World War I ended, but
Yardley convinced his superiors to keep it open. This represented a tremen-
dous change for America. It is the first time that the American codebreak-
ers didn’t return to their prior lives following the end of a war. Yardley
explained, “As all the Great Powers maintained such a Cipher Bureau, the
United States in self-defense must do likewise.”*
* Yardley, H.O., The American Black Chamber, Espionage/Intelligence Library, Ballantine Books,
New York, 1981, p. 133.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 211
Knowing how far Japan could be pushed concerning ship tonnage ratios
allowed the United States to do so with full confidence, merely waiting for
the Japanese to give in. The Japanese finally accepted the 10:10:6 ratio on
December 10, 1921.
* The funding from the State Department couldn’t be used within Washington, DC; thus, a
move was required. See Yardley, H.O., The American Black Chamber, Espionage/Intelligence
Library, Ballantine Books, New York, 1981, p. 156
† Yardley, H.O., The American Black Chamber, Espionage/Intelligence Library, Ballantine Books,
www.ebook777.com
free ebooks ==> www.ebook777.com
212 Secret History: The Story of Cryptology
This was the greatest peacetime success of the Cipher Bureau, but they did
attack many other systems and eventually cracked the ciphers of 20 different
countries.* With the election of Herbert Hoover in 1928, however, the politics
of decipherment changed. Hoover’s secretary of state, Henry L. Stimson, was
actually offended when decrypts were provided to him. He later summed
up his feelings with the famous quote, “Gentlemen do not read each other’s
mail.” Stimson withdrew the Cipher Bureau’s funding, and it was formally
shutdown on October 31, 1929.†
Of course, such organizations have a way of staying around whether
they’re wanted or not. Usually they just change names. In this case, William
Friedman took possession of Yardley’s files and records, and the work con-
tinued under the Signal Intelligence Service (SIS),‡ part of the Army Signal
Corps. Apparently Stimson was not aware of this group! Yardley was offered
a position with the SIS, but the salary was low and he was expected to refuse,
as he did.
Out of work, in the aftermath of the stock market crash, and strapped for
cash, Yardley decided to write about his adventures in codebreaking. On June
1, 1931, Yardley’s book, The American Black Chamber, was released. He stated in
the foreword, “Now that the Black Chamber has been destroyed there is no
valid reason for withholding its secrets.”§ The book sold 17,931 copies, which
was a remarkable number for the time.¶ An unauthorized Japanese edition was
even more popular. American officials denied that the Cipher Bureau existed
but privately sought to prosecute Yardley for treason. The nations whose
ciphers had been broken were now aware of the fact and could be expected
to change systems. It’s often claimed that, as a result of Yardley’s disclosures,
the Japanese changed their ciphers and eventually began to make use of a
tough machine cipher that they called “secret typewriter number two.” This
was the system in use at the time of Pearl Harbor; the Americans called it
Purple. However, David Kahn makes a good case for Yardley’s revelations
* From the foreword (p. xi) to Yardley, H.O., The American Black Chamber, Espionage/Intelligence
Library, Ballantine Books, New York, 1981. On page 222 of this book, Yardley lists the coun-
tries as “Argentina, Brazil, Chile, China, Costa Rica, Cuba, England, France, Germany, Japan,
Liberia, Mexico, Nicaragua, Panama, Peru, Russia, San Salvador, Santo Domingo, Soviet
Union and Spain.”
† From the foreword (p. xii) to Yardley, H.O., The American Black Chamber, Espionage/Intelligence
Library, Ballantine Books, New York, 1981. Years later, in 1944, Secretary of State Edward P.
Stettinius acted similarly and had the Office of Strategic Services (OSS) return Soviet crypto-
graphic documents (purchased by the OSS from Finnish codebreakers in 1944) to the Soviet
Embassy! See Benson, R.L. and Warner, M., Eds., Venona: Soviet Espionage and the American
Response, 1939–1957, National Security Agency/Central Intelligence Agency, Washington DC,
1996, pp. xviii and 59.
‡ The size of the SIS at various times is given in Foerstel, H.N., Secret Science: Federal Control of
80
60
Solutions per Month
50
40
30
20
10
0
J F M AM J J A S O N D J F MA M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D
1930 1931 1932 1933
800
Solutions per Quarter
600
400
200
0
2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
1926 1927 1928 1929 1930 1931 1932 1933
FIGURE 6.8
Graphs charting cryptanalytic successes show no dip from Yardley’s book. (From Kahn, D.,
The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, pp. 134–135. With
permission.)
* Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, p. 136.
www.ebook777.com
free ebooks ==> www.ebook777.com
214 Secret History: The Story of Cryptology
I saw the fabled manuscript many years ago at the National Archives
and used it in my Yardley book. But when I called for it again recently,
the half-dozen or so manila envelopes that had held its 970 pages were
all empty. The file had no withdrawal slip. I have no idea where the man-
uscript may be.
* Foerstel, H., Secret Science: Federal Control of American Science and Technology, Praeger, Westport,
CT, 1993, p. 101.
† Ibid..
‡ From the introduction (p. xiv) to Yardley, H.O., The American Black Chamber, Espionage/
history.org/jih/reviews-1-2.html.
¶ Kahn, D., The death of a ghost-writer. Note that the manuscript is well over 1000 pages with
FIGURE 6.9
An advertisement promoting Yardley’s novel The Blonde Countess. (From Hannah, T.M., The
many lives of Herbert O. Yardley, Cryptologic Spectrum, 11(4), 14, 1981. With permission.)
www.ebook777.com
free ebooks ==> www.ebook777.com
216 Secret History: The Story of Cryptology
FIGURE 6.10
One of Yardley’s novels. (Book cover by Paul Bartlett Taylor.)
Boston, 1983.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 217
FIGURE 6.11
Can Hollywood make frequency counts exciting? (Thanks to René Stein, National Cryptologic
Museum librarian, for finding this poster for me and to Nicholas Altland for photographing it.)
* Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004, p. 206.
† Farago, L., The Broken Seal: The Story of “Operation Magic” and the Pearl Harbor Disaster, Random
House, New York, 1967, pp. 57–58.
www.ebook777.com
free ebooks ==> www.ebook777.com
218 Secret History: The Story of Cryptology
* Dooley wrote, “Farago says ‘1661 Crescent Place, an elegant little graystone house off
Connecticut Avenue’ but such a house does not currently exist. The closest current building
to this address is 1661 Crescent Place NW, which is a six story apartment building between
16th and 17th Streets NW and about 5 or 6 blocks from Connecticut Avenue.”
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 219
You might think that Yardley’s writings alone would forever place him on
some sort of “enemy of the state” list, but his previous work was eventually
recognized by his placement in the National Security Agency’s Hall of Honor.
He was also buried with military honors in Arlington National Cemetery.*
Often when looking for one thing, something else of interest turns up.
Such was the case with Dooley’s research into Yardley. He had the following
telegram translated and presented it in his paper for the first time:
Telegram Section
Confidential #48
Date: March 10th, 1925
From: Isaburo Yoshida, Acting Ambassador to the US
To: Kijuro Shidehara, Minister of Foreign Affairs
Re: Telegram Codes
Mr. W. Friedman, an American, from Cornell University seems very
skilled in breaking codes; for he was engaged in breaking codes at the
war in Europe (i.e., WWI), and he is now working for the US Army.
When he came to see me recently, he mentioned that the US Army
had no difficulty breaking codes. In order to prevent this, we have no
choice but change codes very frequently. I am sending this note for your
information.
6.9 Censorship
Japanese Diplomatic Secrets has been referred to as the only manuscript ever
seized by the U.S. government. This is not correct. The oral history of Captain
Joseph Rochefort, who was involved with Navy cryptologic activities during
World War II, was impounded by the National Security Agency (NSA).† In
another case, the U.S. government bought a manuscript to block its publica-
tion. War Secrets of the Ether, by Wilhelm F. Flicke, described Germany’s inter-
ception and cryptanalysis of messages from 1919 to 1945 and included how
phone conversations between Roosevelt and Churchill were unscrambled.
The book passed from the Army Security Agency to NSA and was classified
“Restricted.”‡
* From the introduction (p. xvi) to Yardley, H.O., The American Black Chamber, Espionage/
Intelligence Library, Ballantine Books, New York, 1981.
† Lewin, R., The American Magic, Farrar Straus Giroux, New York, 1982, p. 139.
‡ Clark, R., The Man Who Broke Purple, Little, Brown & Co., Boston, 1977, p. 209.
www.ebook777.com
free ebooks ==> www.ebook777.com
220 Secret History: The Story of Cryptology
It has been brought to the attention of the War Department that member
libraries of the American Library Association have received numerous
requests for books dealing with explosives, secret inks, and ciphers.
It is requested that these books be removed from circulation and that
these libraries be directed to furnish their local office of the Federal
Bureau of Investigation with the names of persons making requests for
same.
* Bamford, J., The Puzzle Palace, Penguin Books, New York, 1983, pp. 168–173.
† Of course, the senders could hardly be considered gentlemen at this time!
‡ Letter from Henry L. Stimson to Carl H. Milam, August 13, 1942, War Department file,
Record Series 89/2/6 (War Service Committee), Box 2, ALA Archives, University of Illinois at
Urbana–Champaign.
free ebooks ==> www.ebook777.com
World War I and Herbert O. Yardley 221
Since hostilities have ceased, it is agreed that the necessity for limiting
the circulation and use of these types of books no longer exists and that
the libraries which participated in this program should be notified to
this effect.
It appears that the FBI didn’t catch anyone with bad intentions attempting to
borrow books on cryptology, but this official censorship was nothing new:†
And there were political censorship demands made by the government dur-
ing the Cold War, as well:‡
The British government has also cracked down on writings they felt were
inappropriate for public consumption. They seized the manuscript GCHQ:
The Negative Asset by Jock Kane under the Official Secrets Act in 1984. It was
never published, but James Bamford was able to obtain a copy of the manu-
script before the seizure and has incorporated some of it into his own book,
Body of Secrets.§
The Food and Drug Administration (FDA) has engaged in book censor-
ship by claiming that they are used as labeling for banned foods and drugs.
For example, the FDA seized a large quantity of the book Folk Medicine, by
C.D. Jarvis, MD, claiming it was used to promote the sale of honey and vin-
egar. In November 1964, the U.S. Court of Appeals ruled that the seizure was
improper. The court also ruled against the FDA when they seized a book
that promoted molasses, claiming that it was shipped with molasses and
therefore constituted labeling. Another FDA seizure was Calories Don’t Count
by Dr. Herman Taller.¶
* Letter from Henry L. Stimson to Carl H. Milam, September 21, 1945, War Department file,
Record Series 89/2/6 (War Service Committee), Box 2, ALA Archives, University of Illinois at
Urbana–Champaign.
† http://onlinebooks.library.upenn.edu/banned-books.html.
‡ Ibid.
§ Bamford, J., Body of Secrets, Doubleday, New York, 2001, p. 645.
¶ Garrison, O.V., Spy Government: The Emerging Police State in America, Lyle Stuart, New York,
www.ebook777.com
free ebooks ==> www.ebook777.com
222 Secret History: The Story of Cryptology
In 1915, Margaret Sanger’s husband was jailed for distributing her Family
Limitation, which described and advocated various methods of contra-
ception. Sanger herself had fled the country to avoid prosecution, but
would return in 1916 to start the American Birth Control League, which
eventually merged with other groups to form Planned Parenthood.
During World War I, the US government jailed those who were distrib-
uting anti-draft pamphlets like this one.‡ Schenck, the publisher of the
pamphlet, was convicted, and his conviction was upheld by the Supreme
Court in 1919. (This decision was the source of the well-known “fire in a
theatre” quote.)§
It may seem that the situation is now much better, but a subtler form of
censorship is on the rise. A handful of large corporations make up the major-
ity of book sales in the United States, with independents accounting for only
a 12.1% and 9.7% market share in terms of dollars and volume, respectively.¶
How many publishers will feel it is worthwhile to put forth items the corpo-
rate giants won’t carry? So, although such works are not officially banned,
they face serious challenges that mainstream items do not.
at.northwestern.edu/commstud/freespeech/cont/cases/schenck/pamphlet.html.
§ http://onlinebooks.library.upenn.edu/banned-books.html.
¶ Figures are for the first 28 weeks of 2009. See Neilan, C., Indies steal market share, despite
www.ebook777.com
free ebooks ==> www.ebook777.com
224 Secret History: The Story of Cryptology
system for readers to solve. Note that these ciphers are substantially easier than
ADFGVX because the Polybius square pairs are not split in the transposition
stage.
Konheim, A., Cryptanalysis of ADFGVX encipherment systems, in Blakley, G.R. and
Chaum, D., Eds., Advances in Cryptology: Proceedings of CRYPTO 84, Lecture Notes
in Computer Science, Vol. 196, Springer, Berlin, 1985, pp. 339–341. This is an
“extended abstract” rather than a full paper. A full-length paper by Konheim on
this topic appears as Appendix A in Childs, J.R., General Solution of the ADFGVX
Cipher System, as reprinted in 1999 by Aegean Park Press, Laguna Hills, CA.
Langie, A., How I Solved Russian and German Cryptograms during World War I,
Imprimerie T. Geneux, Lausanne, 1944 (translated from German into English by
Bradford Hardie in 1964).
Lerville, E., The radiogram of victory (La radiogramme de la victoire), La Liason
des Transmissions, April 1969, pp. 16–23 (translated from French to English by
Steven M. Taylor.)
Lerville, E., The cipher: a face-to-face confrontation after 50 years, L’Armee, May 1969,
pp. 36–53 (translated from French to English by Steven M. Taylor).
Mendelsohn, C., Studies in German Diplomatic Codes Employed during the World War,
War Department, Office of the Chief Signal Officer, U.S. Government Printing
Office, Washington, DC, 1937.
Mendelsohn, C., An Encipherment of the German Diplomatic Code 7500, War Department,
Office of the Chief Signal Officer, U.S. Government Printing Office, Washington,
DC, 1938. This is a supplement to the item listed above.
Norman, B., The ADFGVX men, The Sunday Times Magazine, August 11, 1974, pp.
8–15. For this piece, Norman interviewed both Fritz Nebel, the German creator
of the ADFGVX cipher, and Georges Painvin, the Frenchman who cracked it.
Ollier, A., La Cryptographie Militaire avant la guerre de 1914, Lavauzelle, Panazol, 2002.
Rislakki, J., Searching for cryptology’s great wreck, Cryptologia, 31(3), 263–267, 2007.
This paper summarizes the Russian capture of the German Navy’s main code
book from the wreck of the Magdeburg and David Kahn’s excursion to the site 92
years later. This is what historians of cryptology do on vacation!
Tuchman, B.W., The Zimmermann Telegram, Macmillan, New York, 1970. This book has
gone through many editions, and this is not the first.
von zur Gathen, J., Zimmermann telegram: the original draft, Cryptologia, 31(1), 2–37,
2007.
Yardley, H.O., Secrets of America’s Black Chamber, Every Week Magazine, July 26,
1931.
Yardley, H.O., Double-crossing America: a glimpse of the international intrigue that
goes on behind Uncle Sam’s back, Liberty, October 10, 1931, pp. 38–42.
Yardley, H.O., Cryptograms and their solution, Saturday Evening Post, November 21,
1931, pp. 21, 63–65.
Yardley, H.O., Are we giving away our state secrets?, Liberty, December 19, 1931, pp.
8–13.
Yardley, H.O., Yardleygrams, Bobbs-Merrill, Indianapolis, IN, 1932. This was ghost
written by Clem Koukol.
Yardley, H.O., Ciphergrams, Hutchinson & Co., London, 1932. This is the British ver-
sion of Yardleygrams, with a new title but still ghostwritten by Clem Koukol.
Yardley, H.O., The beautiful secret agent, Liberty. December 30, 1933, pp. 30–35.
Yardley, H.O., Spies inside our gates, Sunday [Washington] Star Magazine and New
York Herald Tribune Magazine, April 8, 1934.
Yardley, H.O., H-27: the blonde woman from Antwerp, Liberty, April 21, 1934, pp.
22–29.
Yardley, H.O., The Blonde Countess, Longmans, Green & Co., New York, 1934. This
one, primarily written by Carl Grabo, was made into the movie Rendezvous,
released by Metro-Goldwyn-Mayer in 1935.
Yardley, H.O., Red Sun of Nippon, Longmans, Green & Co., New York, 1934. Carl
Grabo was the main author.
Yardley, H.O., Crows Are Black Everywhere (with Carl Grabo), G.P. Putnam’s Sons, New
York, 1945. Again, Carl Grabo worked on this behind the scenes.
Yardley, H.O., The Education of a Poker Player, Simon & Schuster, New York 1957.
Yardley, H.O., The Chinese Black Chamber An Adventure in Espionage, Houghton Mifflin,
Boston, 1983. This book was written sometime between 1941 and 1945 but was
not published until later due to Yardley’s past experiences with the federal gov-
ernment after he published The American Black Chamber in 1931 (from http://
members.aol.com/asachitose/page14.htm).
Yardley, H.O., From the archives: the achievements of the Cipher Bureau (MI-8) dur-
ing the First World War, Cryptologia, 8(1), 62–74, 1984.
About Yardley
Anon., Yardley sold secrets to Japanese, Surveillant, 2(4), 1999.
Denniston, R., Yardley’s diplomatic secrets, Cryptologia, 18(2), 81–127, 1994.
Dooley, J.F., Was Herbert O. Yardley a traitor?, Cryptologia, 35(1), 1–15, 2011.
Farago, L., The Broken Seal: The Story of “Operation Magic” and the Pearl Harbor Disaster,
Random House, New York, 1967, pp. 56–58.
Hannah, T.M., The many lives of Herbert O. Yardley, Cryptologic Spectrum, 11(4), 5–29,
1981 (http://www.nsa.gov/public_info/_files/cryptologic_spectrum/many_
lives.pdf).
Kahn, D., Nuggets from the archive: Yardley tries again, Cryptologia, 2(2), 139–143,
1978.
Kahn, D., The Reader of Gentlemen’s Mail, Yale University Press, New Haven, CT, 2004.
Portions of this book are available online at http://david-kahn.com/book-
david-kahn-reader-gentelmen-mail.htm.
www.ebook777.com
free ebooks ==> www.ebook777.com
226 Secret History: The Story of Cryptology
Turchen, L.V., Herbert Osborne Yardley and American Cryptography, Master’s the-
sis, University of South Dakota, Vermillion, 1969. Turchen made the following
comment concerning Farago’s book: “Obviously biased against Mr. Yardley The
Broken Seal could have been more clearly documented and more judicious in its
conclusions” (p. 95).
Addendum
Long before meeting his World War I adversary Fritz Nebel, Painvin met
his American counterpart Herbert Yardley. An image from their meeting
(Figure 6.12) is one of many treasures preserved by the National Cryptologic
Museum at Fort Meade, MD.
FIGURE 6.12
Georges Painvin and Herbert O. Yardley. (Courtesy of National Cryptologic Museum, Fort
Meade, MD.)
free ebooks ==> www.ebook777.com
7
Matrix Encryption*
Correspondence 1981–1991, Various, Levine, Jack, letter to Louis Kruh, July 24, 1989.
227
www.ebook777.com
free ebooks ==> www.ebook777.com
228 Secret History: The Story of Cryptology
Flynn’s Weekly was a pulp magazine that consisted mainly of detective fic-
tion. Agatha Christie had a short story in the same November 13, 1926, issue
in which Levine’s system was explained. This was not the best place to pub-
lish a mathematical idea, but Levine was still a teenager at the time.
Hill’s description came three years later, but it appeared in American
Mathematical Monthly, so it isn’t hard to see why the system was named after
Hill. The American Mathematical Monthly paper provided a complete expla-
nation of matrix encryption with examples, whereas Levine’s letter didn’t
actually reveal his method, although it can be inferred. And, although
Levine used algebra, he was not quite doing the same thing as Hill, at least
not publicly.
Levine went on to earn a doctorate in mathematics from Princeton
University, serve his country in a cryptologic capacity (in the Army), and
author many more papers on cryptology, some of which are described in the
pages to follow. Hill, on the other hand, only published two papers dealing
directly with cryptology. Hill served in the Navy during World War I, but
not in a cryptologic capacity. In later decades, he did do some cryptologic
work for the Navy, but it appears to have been unsolicited and not consid-
ered valuable.* In any case, the military work of both Levine and Hill was not
known to the academic community.
* Chris Christensen of Northern Kentucky University is working on a paper that will bring
Hill’s work under the Navy to light.
free ebooks ==> www.ebook777.com
Matrix Encryption 229
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
This gives
19 7 4 1 4 18 19 22 0 24 19 14 3 4 0 11 22 8 19 7 19 4
12 15 19 0 19 8 14 13 8 18 19 14 24 8 4 11 3 19 14 8 19
The key we select in this system is an invertible matrix (modulo 26) such as
6 11 . To encipher we simply multiply this matrix by the numerical ver-
3 5
sion of the plaintext in pieces of length two and reduce the result modulo 26;
for example,
6 11 19 191 9
3 5 7 = 92 = 14 (modulo 26)
gives the first two ciphertext values as 9 and 14 or, in alphabetic form, J O.
Continuing in this manner we have
www.ebook777.com
free ebooks ==> www.ebook777.com
230 Secret History: The Story of Cryptology
If you’ve been reading very closely, you noticed that the 23 used in the
last matrix multiplication wasn’t part of the original message. The message
had an odd number of characters, so it was necessary to add one more in
order to encipher everything. I added an X, which has a numerical value
of 23.
The ciphertext is
9 14 9 17 14 24 18 11 4 16 8 23 10 3 17 3 12 2 9 14 2 25
3 7 10 5 20 19 19 3 12 10 8 23 24 8 15 15 19 0 16 4 3 16
Deciphering is done in the same manner, except that we need to use the
inverse of the original matrix. Sometimes the enciphering matrix is chosen
to be one that is self-inverse. In that case, deciphering is identical to encipher-
ing; however, a heavy price is paid for this convenience, since limiting one-
self to such keys drastically reduces the keyspace. In our example, the
7 21
deciphering matrix is given by . Applying this matrix to the cipher-
1 24
text in order to recover the original message is left as an exercise for the
reader. You may wish to refer to the modulo 26 multiplication table in Section
2.12 when using this system.
A comparison of the plaintext and ciphertext shows an advantage of this
system:
The first time TO appeared it was enciphered as IX. The same encipher-
ment happened the second time TO appeared, but for the third appearance
it was enciphered as AQ. This is because TO was enciphered using the matrix
the first and second time it appeared, but for the third time T and O were split
apart and ST and OI were the plaintext pairs to be enciphered. Hence, the
same word may be enciphered in two different ways, depending on how it is
split up when the message is broken into pairs of letters. The Playfair cipher
also had this feature.
Square (invertible) matrices of any dimension may be used for encryp-
tion. A 5×5 matrix would allow us to encipher characters in groups of five,
and a particular word could be enciphered in as many as five different ways
depending on its position in the message. There are other advantages to
using larger matrices, such as larger keyspaces.
free ebooks ==> www.ebook777.com
Matrix Encryption 231
7.3 Levine’s Attacks
A brute-force attack on 2×2 matrix encryption will quickly yield the plain-
text, as there are only 157,248 possible keys. Indeed, Levine pursued this
approach back in 1961 for the special case in which an involutory (self-
inverse) matrix was used.* There are 740 of these especially convenient keys,
and even primitive 1961 computer technology was up to the task, although
a human was needed to look at the results and determine which provided a
meaningful message.
The keyspace grows rapidly with the size of the matrix. For 3×3 matrix
encryption there are 1,634,038,189,056 possible keys, and for the 4×4 case we
have 12,303,585,972,327,392,870,400 invertible matrices (modulo 26) to consider.
The references at the end of this chapter include a paper showing how these
values are calculated. When larger matrices are used, cryptanalysts need an
attack significantly better than brute force if they hope to recover the message.
If we are able to guess the beginning of a message (or any other part), the
combination of known plaintext and ciphertext makes it easy to recover the
matrix and break the rest of the cipher.† This is referred to as a known-plain-
text attack. However, we often have a word or phrase that we believe appears
in the message, although we do not know where. Such suspected plaintexts
are called cribs.
In another 1961 paper, Levine demonstrated how cribs can be applied to
break matrix encryption.‡ The mathematics required to understand this
attack consists of two very basic facts:
1. The product of two integers is odd if and only if both of the integers
are odd.
2. The sum of two integers is odd if and only if exactly one of the inte-
gers is odd.
To see how these facts become useful, suppose we are enciphering with a
even odd
matrix of the form . There are four distinct possibilities for the
odd even
form of the plaintext pair that is enciphered at each step, namely
on the size of the matrix and another factor. You are asked to determine this for 3×3 matrix
encryption in one of the online exercises for this chapter.
‡ Levine, J., Some elementary cryptanalysis of algebraic cryptography, American Mathematical
www.ebook777.com
free ebooks ==> www.ebook777.com
232 Secret History: The Story of Cryptology
Labeling these four forms as 0, 1, 2, and 3, we see (by applying the facts above
in the context of matrix multiplication) that the enciphering matrix sends
form 0 to another pair of letters having form 0. In the case of form 1, enci-
phering yields a pair having form 2. A nice symmetry exists, as a plaintext
pair of form 2 will be sent to a ciphertext pair of form 1. Finally, a plaintext
pair of form 3 will be sent to a ciphertext pair of form 3.
These pairings can be tersely expressed as
0 ↔ 0, 1 ↔ 2, 3 ↔ 3
even odd
If the enciphering matrix has a form other than , these pair-
odd even
ings may differ, but the pairings are always constant for a given matrix and
we always have symmetry and 0 ↔ 0.
Now consider the following ciphertext obtained by enciphering with a 2×2
matrix of unknown form:
1.
MA TH EM AT IC Sx
or
2.
xM AT HE MA TI CS
1 1 1 3 1 0 1 1 1 0 2 0 1 0 0 2 1 0 3 3
CR SF SH LT WB WC SB GR KB CI PM QE MF OU SC PE SH SG PD VF
3 0 3 3 3 0 1 0
RT WC XF JD PJ MI SH EW
0 3 0 1 0
1 1 1 3 1 0 1 1 1 0 2 0 1 0 0 2 1 0 3 3 3 0 3 3 3 0 1 0
This is not possible, since the middle pairing is 0 ↔ 1. Also, if 3 ↔ 1, we must
have 1 ↔ 3, but the above alignment has 1 ↔ 1. We now line up the first 0 in
our proposed plaintext with the second zero in the ciphertext:
0 3 0 1 0
1 1 1 3 1 0 1 1 1 0 2 0 1 0 0 2 1 0 3 3 3 0 3 3 3 0 1 0
The pairings given by this alignment are consistent. This is, in fact, the only
consistent alignment for when MATHEMATICS is broken up as MA TH EM AT
IC Sx and enciphered. However, as explained earlier, MATHEMATICS could be
broken up as xM AT HE MA TI CS and then enciphered. In this case, the form
pattern (1, 2, 0, 2, 0) must be compared with the ciphertext. Since this pattern
has two zeros separated by a single value (a pattern present only at the end of
the ciphertext), we quickly see that we only need to consider one alignment:
1 2 0 2 0
1 1 1 3 1 0 1 1 1 0 2 0 1 0 0 2 1 0 3 3 3 0 3 3 3 0 1 0
0 3 0 1 0
1 1 1 3 1 0 1 1 1 0 2 0 1 0 0 2 1 0 3 3 3 0 3 3 3 0 1 0
⎛ a b ⎞ ⎛ 12⎞ ⎛ 2⎞
MA → CI ⇒ ⎜ = ⇒ 12a = 2 and 12c = 8
⎝ c d ⎟⎠ ⎜⎝ 0 ⎟⎠ ⎜⎝ 8⎟⎠
⎛ a b ⎞ ⎛ 19⎞ ⎛ 15⎞
TH → PM ⇒ ⎜ = ⇒ 19a + 7b = 15 and 19c + 7d = 12
⎝ c d ⎟⎠ ⎜⎝ 7 ⎟⎠ ⎜⎝ 12⎟⎠
www.ebook777.com
free ebooks ==> www.ebook777.com
234 Secret History: The Story of Cryptology
⎛ a b ⎞ ⎛ 4 ⎞ ⎛ 16⎞
EM → QE ⇒ ⎜ = ⇒ 4a + 12b = 16 and 4c + 12d = 4
⎝ c d ⎟⎠ ⎜⎝ 12⎟⎠ ⎜⎝ 4 ⎟⎠
⎛ a b ⎞ ⎛ 0 ⎞ ⎛ 12⎞
AT → MF ⇒ ⎜ = ⇒ 19b = 12 and 19d = 5
⎝ c d ⎟⎠ ⎜⎝ 19⎟⎠ ⎜⎝ 5 ⎟⎠
⎛ a b ⎞ ⎛ 8⎞ ⎛ 14⎞
IC → OU ⇒ ⎜ = ⇒ 8a + 2b = 14 and 8c + 2d = 20
⎝ c d ⎟⎠ ⎜⎝ 2⎟⎠ ⎜⎝ 20⎟⎠
A little time could have been saved by calculating the deciphering matrix
first—that is, by finding the matrix that sends the known ciphertext to the
known plaintext. The steps would be the same as above; only the numbers
would change. It should also be noted that the equations generated by the
crib may be solved by placing them in a matrix and row reducing, rather than
investigating them in the manner detailed above. For larger matrices, with
more unknowns to solve for, the more systematic approach of row reduction
would be preferred.
A good cipher must resist crib attacks. An intercepted message always
has some context that allows an attacker to guess cribs. If one particular
crib doesn’t lead to a solution, the attacker can start over with another crib.
Modern ciphers are even expected to resist chosen plaintext attacks, where
the attacker gets to pick any plaintext he or she likes and receive the corre-
sponding ciphertext. For a matrix encryption system using a 2×2 matrix, the
chosen plaintext pairs BA and AB would be excellent choices. The ciphertext
that results, upon being converted back to numerical values, would be the
entries in rows 1 and 2 of the matrix, respectively. One could work these
pairs into a meaningful message like so:
free ebooks ==> www.ebook777.com
Matrix Encryption 235
For a 3×3 matrix, the ideal chosen plaintext triplets would be BAA, ABA,
and AAB. Casually fitting these into an innocent-sounding message would
be a little harder.
* Bauer, C. and Millward, K., Cracking matrix encryption row by row, Cryptologia, 31(1), 76–83,
2007. The following pages are adapted from this paper and updated with material from a
sequel by other authors.
www.ebook777.com
free ebooks ==> www.ebook777.com
236 Secret History: The Story of Cryptology
* Modern Library’s 100 Best English-Language Novels of the Twentieth Century, http://home.com-
cast.net/~netaylor1/modlibfiction.html.
free ebooks ==> www.ebook777.com
Matrix Encryption 237
www.ebook777.com
free ebooks ==> www.ebook777.com
238 Secret History: The Story of Cryptology
100
90
% of Messages Completely Recovered
80
70
60
50
40
30
20
10
0
1 2 3 4 5 6 7
Number of Top Scoring Rows Considered
FIGURE 7.5
Recovery rate of keys as a function of the number of high scoring rows considered for the
2×2 case.
For the second ciphertext we attacked, the two most likely rows (highest
scoring) did not yield the correct deciphering matrix. The list of highest scor-
ing rows began (13 22), (0 9), (13 9), (0 7), (13 7), (4 15), .…The correct
4 15
deciphering matrix was , which used the rows in positions 1 and 6
13 22
of our ordered list. So, while the correct rows usually appeared as the two
most likely, we sometimes had to go further down the list. When considering
the six highest scoring rows, we found the correct two rows for the decipher-
ing matrix to be among them 92% of the time. Hence, the graph in Figure 7.5
includes the point (6, 92).
Considering the top seven rows, by our ranking scheme, caught the correct
two 100% of the time. Selecting two rows from the seven most likely to form
a matrix allows for 7P2 = 42 possibilities. It was necessary to use a permuta-
tion in this calculation, because the order of the rows matters. The 42 distinct
matrices obtained as possibilities in this worst-case scenario (we can usually
find our answer within a smaller set) can still be found and checked far more
rapidly than the set of all 157,248 invertible 2×2 matrices. Even considering the
overhead of calculating scores for 262 = 676 rows, we still have a great savings.
We continued on to apply our attack to the same set of messages enci-
phered with 3×3 matrices. Once again, our list of ranked rows greatly
reduced the number of matrices that had to be considered. Our attack found
the correct three rows over half the time among those scoring in the top 17.
This leaves more possibilities to consider than in the 2×2 case, yet testing 17P3
= 1680 matrices once again represents a tremendous savings over a brute-
force attack on the set of all 1,634,038,189,056 possibilities. In this case, the
free ebooks ==> www.ebook777.com
Matrix Encryption 239
TABLE 7.1
Bauer-Millward vs. Simplified Multinomial Scoring Schemes
2×2 3×3 4×4
Recovered Recovered Recovered
Candidate Candidate Candidate
Message Message Message
Rows Rows Rows
Considered BM SM Considered BM SM Considered BM SM
2 72 90 2 4 18 4 0 0
4 92 100 4 35 60 16 10 6
8 99 100 8 58 76 64 24 22
10 100 100 16 73 90 128 41 32
32 85 98 512 58 68
50 90 100 2048 77 84
100 98 100 8192 94 97
234 100 100 16702 96 100
42832 100 100
overhead consists in calculating scores for 263 = 17,576 rows. The correct rows
were among the top 76 in 88% of the trials, but we had to consider the top
394 scorers before correctly identifying all 25 matrices. Still, 394 P3 = 60,698,064
represents only about 0.0037% of the full brute-force search.
The last case we investigated was when a 4×4 matrix had been applied to
yield the ciphertext. The results continued the trend established by the smaller
cases. We achieved success in 52% of the cases with a relatively small number
of rows considered from our ranking (namely, 1469), continued on to get 88%
within the top 7372, and then had to go all the way out to the top 24,541 rows
to get 100% of the test messages correctly deciphered. Thus, the trend is that
a larger and larger number of rows must be considered as the dimension of
the matrix grows, yet as a percentage of the total keyspace, which, for the 4×4
case, is 12,303,585,972,327,392,870,400, our attack is seen to improve in terms of
efficiency over brute force. It should also be noted that, because the messages
were kept at a fixed length of 100 characters, as the enciphering matrix grew
from 2×2 to 4×4, the number of characters on which the rankings of the rows
is determined diminished from 50 to 25. It is likely that the results would be
improved if the sample ciphertexts were longer.
The scoring scheme we used was never claimed to be optimal. Indeed, in
2009, Dae Hyun Yum and Pil Joong Lee, a pair of Korean researchers, found a
better scoring method, improving the efficiency of the attack.* They called their
scoring scheme “simplified multinomial,” or SM for short, and it is directly
compared to our scoring scheme (Bauer–Millward, or BM for short) in Table
7.1. Yum and Lee also generalized the attack to work on Hill ciphers where
the numerical representations of the letters do not simply follow the alphabet.
* Yum, D.H. and Lee, P.J., Cracking Hill ciphers with goodness-of-fit statistics, Cryptologia,
33(4), 335–342, 2009.
www.ebook777.com
free ebooks ==> www.ebook777.com
240 Secret History: The Story of Cryptology
Levine, J. and Hartwig, R.E., Applications of the Drazin inverse to the Hill crypto-
graphic system, Part I, Cryptologia, 4(2), 71–85, 1980.
Levine, J. and Hartwig, R.E., Applications of the Drazin inverse to the Hill crypto-
graphic system, Part II, Cryptologia, 4(3), 150–168, 1980.
Levine, J. and Hartwig, R.E., Applications of the Drazin inverse to the Hill crypto-
graphic system, Part III, Cryptologia, 5(2), 67–77, 1981.
Levine, J. and Hartwig, R.E., Applications of the Drazin inverse to the hill crypto-
graphic system, Part IV, Cryptologia, 5(4), 213–228, 1981.
Levine, J. and Chandler, R., The Hill cryptographic system with unknown cipher
alphabet but known plaintext, Cryptologia, 13(1), 1–28, 1989.
Ohaver, M.E., Solving cipher secrets, Flynn’s Weekly, October 22, 1926, p. 798. Ohaver
is one of the pseudonyms used by Kendell Foster Crossen (1910–1981). Problem
No. 6, on page 798 of this article, is the one posed by Jack Levine.
Ohaver, M.E., Solving cipher secrets, Flynn’s Weekly, November 13, 1926, pp. 794–800.
This is the column in which an explanation of Levine’s system, from the October
22, 1926, issue, appeared (see pages 799–800). Levine believed it laid the founda-
tion for matrix encryption.
Overbey, J., Traves, W., and Wojdylo, J., On the keyspace of the Hill cipher, Cryptologia,
29(1), 59–72, 2005. Available online at http://jeff.actilon.com/keyspace-final.
pdf, this paper presents formulas yielding the size of the keyspace for matrix
www.ebook777.com
242
FIGURE 7.6
The Jack Levine archive at North Carolina State University is home to a pair of cipher wheels for performing matrix encryption. (From Jack Levine
Papers, 1716–1994, North Carolina State University, MC 308.5.1, General Cryptography, Algebraic Encipherment Wheels.)
Secret History: The Story of Cryptology
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
Matrix Encryption 243
encryption with arbitrary dimension and moduli. Some of this material may
also be found (more tersely) in Friedrich L. Bauer’s Decrypted Secrets, 1st ed.,
Springer, Berlin, 1997, p. 81. Second and third editions have since been released.
Thilaka, B. and Rajalakshni, K., An extension of Hill cipher using generalized inverses
and mth residue modulo m, Cryptologia, 29(4), 367–376, 2005.
Wutka, M., The Crypto Forum, http://s13.invisionfree.com/Crypto/index.php?show
topic=80.
Yum, D.H. and Lee, P.J., Cracking Hill ciphers with goodness-of-fit statistics,
Cryptologia, 33(4), 335–342, 2009.
There have been many other papers in recent years in recent years in less
specialized journals that attempt to describe stronger variants of matrix
encryption; however, the cryptographic community is, in general, skeptical.
One modification described in some of the papers referenced above fore-
shadows the various modes of encryption used for modern cipher systems.
This is discussed in Section 12.6.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
8
World War II: The Enigma of Germany*
The quote above is often used to debunk conspiracy theories, but, as this
chapter will show, Ben was completely wrong. Thousands can, and have,
kept secrets for decades.
245
www.ebook777.com
free ebooks ==> www.ebook777.com
246 Secret History: The Story of Cryptology
FIGURE 8.1
The two sides of an Enigma rotor.
FIGURE 8.2
National Cryptologic Museum curator Patrick Weadon with an M-209B. The M-209B is a later
version of the M-209, but the differences between the two are very minor.
FIGURE 8.3
A closer look at an M-209B. (This machine is in the collection of the National Cryptologic
Museum and was photographed by the author.)
www.ebook777.com
free ebooks ==> www.ebook777.com
248 Secret History: The Story of Cryptology
* Kahn, D., The significance of codebreaking and intelligence in allied strategy and tactics,
Cryptologia, 1(3), 211, 1977.
† Erskine, R., Enigma’s security: what the Germans really knew, in Erskine, R. and Smith, M.,
Eds., Action This Day, Bantam Press, London, 2001, pp. 370–385.
‡ The plugboard didn’t exist for early (commercial) versions of Enigma. It was introduced in
1928.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 249
FIGURE 8.4
An Enigma machine.
FIGURE 8.5
An Enigma plugboard with a cable connecting F and M.
www.ebook777.com
free ebooks ==> www.ebook777.com
250 Secret History: The Story of Cryptology
Axle
Notch
Notch
Battery
Plugboard
FIGURE 8.6
From keyboard to bulb—the enciphering path of an Enigma. (From Miller, R., The Cryptographic
Mathematics of Enigma, Center for Cryptologic History, Fort Meade, MD, 2001, p. 2.)
• Rotor I
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: EKMFLGDQVZNTOWYHXUSPAIBRCJ
• Rotor II
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: AJDKSIRUXBLHWTMCQGZNPYFVOE
• Rotor III
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: BDFHJLCPRTXVZNYEIWGAKMUSQO
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 251
FIGURE 8.7
A disassembled Enigma rotor. (Courtesy of René Stein, National Cryptologic Museum.)
The above might seem like the tersest possible notation for the action of the
rotors, but this is not so! Such permutations (as mathematicians usually refer
to them) can be written even more briefly. Consider Rotor I. It sends A to E,
E to L, L to T, T to P, P to H, H to Q, Q to X, X to R, R to U, and U to A, which is
where I started this chain. We may write this as (AELTPHQXRU), leaving off
the last A, with the understanding that when we reach the end we loop back
to the start. Now, this is very nice, but it doesn’t include all of the letters. So,
we pick a letter that was missed and repeat the process to get (BKNW). Putting
these together yields (AELTPHQXRU)(BKNW), which still does not include all
26 letters, so again we start with one that was missed and form another cycle,
as these groups of letters are called. Eventually we get
Rotor I = (AELTPHQXRU)(BKNW)(CMOY)(DFG)(IV)(JZ)(S)
Rotor II = (A)(BJ)(CDKLHUP)(ESZ)(FIXVYOMW)(GR)(NT)(Q)
Rotor III = (ABDHPEJT)(CFLVMZOYQIRWUKXSG)(N)
The most popular single area in which mathematics doctorates are awarded
in American universities is abstract algebra. An important part of abstract
algebra is group theory, which we will see more of later. For now, I’ll point out
that every group that has been studied (or ever can be) is equivalent to some
set of permutations. Thus, as you may imagine, these permutations have been
subject to intense study. There were, in fact, theorems waiting to be exploited
in favor of the cryptanalysts and to the great disadvantage of the Nazis.
www.ebook777.com
free ebooks ==> www.ebook777.com
252 Secret History: The Story of Cryptology
FIGURE 8.8
Reflector B and the rotor assembly.
In Figure 8.8, we see three rotors side by side. Each rotor performs a substi-
tution. After passing through all three rotors, the electrical impulse passes
to the reflector, pictured up close in Figure 8.9. The reflector makes another
substitution.
FIGURE 8.9
View of a reflector, after removing the rotors (http://www.90thidpg.us/Equipment/Articles/
Enigma/images/EnigmaReflektor.jpg).
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 253
In our cyclic permutation notation, the reflector first used by the German
military, called reflector A, was (AE)(BJ)(CM)(DZ)(FL)(GY)(HX)(IV)(KW)(NR)(OQ)
(PU)(ST). A differently wired reflector B was introduced later. Notice that all
of the cycles in the permutation for reflector A are in pairs (2-cycles) and that
no two 2-cycles have a letter in common. When cycles have nothing in com-
mon, they are said to be disjoint.
After passing through the reflector, the electrical impulse passes back
through the three rotors (along a different path than the first time), through
the wire connecting it to the plugboard, through the plugboard itself, and
finally to one of the lights above the keypad.
The composition of monoalphabetic substitutions is a monoalphabetic sub-
stitution, so, if Enigma worked exactly as described above, it would not result
in a strong encryption. What makes the machine special is that the first rotor
turns by one position every time a key is pressed, changing the substitution
that will be performed. The first two rotors have notches that cause the next
rotor to turn by one position for every 26 turns they make themselves.
Thus, it appears that after each of the three rotors has turned all of the
way around—that is, after (26)(26)(26) = 17,576 letters have been typed—the
machine returns to its original rotor setting. In this way, Enigma would work
like a Vigenère cipher with 17,576 independently mixed alphabets. Actually,
although many authors have made this mistake,* the period is not 17,576, but
rather a little smaller. Stephen Budiansky is one of the authors who got this
right. In his excellent history of World War II cryptanalysis, Battle of Wits, he
explained:†
www.ebook777.com
free ebooks ==> www.ebook777.com
254 Secret History: The Story of Cryptology
26 26 ! (2 p)!
2 p (2 p − 1)(2 p − 3)(2 p − 5)…(1) = (26 − 2 p) !(2 p)! p !(2 p )
26 !
=
(26 − 2 p)! p !(2 p )
But the above result is only for when p cables are used. Because p is a vari-
able somewhere between 0 and 13 inclusive, the total number of possible
plugboard settings is
13
26 !
∑ (26 − 2 p)! p !(2 p
)
= 532,985,208,200,576
p= 0
Originally, exactly six cables were used. So, in calculating the keyspace,
some authors use the figure for six cables, instead of the much larger summa-
tion value given above. Later on the number of cables used varied.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 255
The next factor is how the internal wiring connects the plugboard to the
rotor assembly. There are 26! ways to do this. We now come to the first rotor.
There are 26! ways for a rotor to be wired. We assume that the users will
want to be able to reorder the rotors in the machine to get different encipher-
ments; therefore, it makes sense for the rotors to be wired differently. If they
are all wired identically, reordering would have no effect. So, if each rotor is
wired differently, we have (26!) (26! – 1) (26! – 2) possibilities for the wirings.
This brings us to some common errors. It is tempting to insert other factors
at this point having to do with the possible orderings of the three rotors and
the 26 positions each individual rotor can be rotated to, but these have already
been accounted for. To see this, imagine setting a rotor in place and then turn-
ing it by one position. This is no different from having inserted another rotor
that is wired this way, and we already counted all 26! ways that the first rotor
can be wired. Similarly, having accounted for the possible wirings of each of
the three rotors, rearranging them simply counts these possibilities again.
We do not want this duplication. To make a simple analogy, consider three
mailboxes arranged side by side. If we have five letters, and can place only one
in each box, then there are five choices for the first box, four choices for the
second box, and three choices for the third box. We get a total of 5 × 4 × 3 = 60
possibilities. We do not then consider rearranging the order of the letters in
the boxes. For Enigma, distinctly wired rotors take the place of letters in this
example and we have 26! of them instead of just five, but the argument against
counting rearrangements is unchanged.
The locations of the notches (ring setting) on the two fastest rotors (right
and middle) determine when the next wheel turns, so they must be con-
sidered as part of the key. This gives us another factor of (26)(26) = 676. The
contact points of the reflector were wired together in pairs, so the number
of possible wirings is the same as for a plugboard with 13 cables—namely,
7,905,853,580,625. To summarize we have the following enumerations:
www.ebook777.com
free ebooks ==> www.ebook777.com
256 Secret History: The Story of Cryptology
FIGURE 8.10
Marian Rejewski (c. 1932), Jerzy Różycki, and Henryk Zygalski. (Rejewski photograph courtesy
of Prof. Jaroszewska and Rejewski’s daughter, Mrs. Janina Sylwestrzak; Różycki photograph
courtesy of Prof. Jaroszewska; Zygalski photograph courtesy of Prof. Jaroszewska and Maria
Bryschak.)
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 257
FIGURE 8.11
A first-day cover for the first stamp honoring codebreaking.
• H
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: JWULCMNOHPQZYXIRADKEGVBTSF
• H–1
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: QWERTZUIOASDFGHJKPYXCVBNML
www.ebook777.com
free ebooks ==> www.ebook777.com
258 Secret History: The Story of Cryptology
Does it look more familiar now? H–1 almost matches American QWERTY
keyboards; in fact, it matched the Enigma keyboard perfectly. Of course, the
World War II cryptanalysts did not have to look at different notations to see
this pattern. The Poles had a commercial Enigma and could simply observe,
without using any notation at all, that the keys were connected, in order, to
the rotor system input. I chose to present it in this manner to illustrate that
notation needs to fit the circumstance and we cannot simply say one form is
always superior.
The values of the reflector, called R now, and the three rotors, N, M, and L,
were given earlier in this chapter. Of course, the rotors could be used in any
order, so we cannot simply say N = Rotor I, for example. The Poles, however,
did not know any of these permutations at first. They had to derive them
mathematically; hence, all of the letters above represented unknowns initially.
We need one more permutation to show the change that occurs every time
the fast rotor advances one position. Fortunately this one is known and is
given by
P = (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
In order to encipher a message, the user set the machine up to the “daily key,”
say HLD, by turning the rotors so these were the three letters on top.* He then
selected another “session key” (randomly, if he was following orders…), say
EBW. Typing the session key twice might result in the ciphertext GDOMEH. This
would be sent at the start of the message. The intended recipient, who knew
the daily key and had set his Enigma to it, typed in GDOMEH to get out EBWEBW.
Now back to the encipherer. After he typed the session key twice, he reset his
Enigma to the session key and typed out the message. The intended recipi-
ent, having used the daily key setting to recover the session key, also reset
the machine to the session key and typed the rest of the ciphertext to recover
the original message. Clearly, the session key needn’t be typed twice. This
redundancy was intentionally introduced to ensure that the session key was
received correctly. It worked in that regard, but it also proved to be a weakness.
An example will illustrate how Marian Rejewski exploited the repeated
session key.† Consider the following beginnings for ciphertexts using various
session keys but sent on the same day (thus using the same daily key for the
first six letters):‡
AUQ AMN IND JHU PVJ FEG SJM SPO WTM RAO
BNH CHL JWF MIC QGA LYB SJM SPO WTM RAO
BCT CGJ JWF MIC QGA LYB SJM SPO WTM RAO
CIK BZT KHB XJV RJL WPX SUG SMF WKI RKK
* If the rotors used displayed numbers, rather than letters, the user would set them using the
correspondence A = 1, B = 2, etc.
† The method that follows has been adapted from Rejewski’s own explanation.
‡ From Bauer, F.L., Decrypted Secrets: Methods and Maxims of Cryptology, 2nd ed., Springer, New
DDB VDV KHB XJV RJL WPX SUG SMF XRS GNM
EJP IPS LDR HDE RJL WPX TMN EBY XRS GNM
FBR KLE LDR HDE RJL WPX TMN EBY XOI GUK
GPB ZSV MAW UXP RFC WQQ TAA EXB XYW GCP
HNO THD MAW UXP SYX SCW USE NWH YPC OSQ
HNO THD NXD QTU SYX SCW VII PZK YPC OSQ
HXV TTI NXD QTU SYX SCW VII PZK ZZY YRA
IKG JKF NLU QFZ SYX SCW VQZ PVR ZEF YOC
IKG JKF OBU DLZ SYX SCW VQZ PVR ZSJ YWG
AD = (DVPFKXGZYO)(EIJMUNQLHT)(BC)(RW)(A)(S)
Repeating this approach for the second and fifth letters and then once more
for the third and sixth letters we get two more permutations:
BE = (BLFQVEOUM)(HJPSWIZRN)(AXT)(CGY)(D)(K)
CF = (ABVIKTJGFCQNY)(DUZREHLXWPSMO)
www.ebook777.com
free ebooks ==> www.ebook777.com
260 Secret History: The Story of Cryptology
The exact results for the lengths of the cycles depends upon the daily key,
but if a cycle of a given length is present, then another cycle of that same
length will also appear.* Rejewski referred to the pattern in the cycle lengths
as the characteristic structure or, more briefly, the characteristic for a given day.
The plugboard, which we’ll mostly ignore, doesn’t alter cycle structures,
no matter how it is wired. It will change what letters are involved in each
cycle but not the lengths of the cycles. This may be stated mathematically:
Permutation pairs of the form P and C–1PC, for any C, are said to be conjugate.
Hence, the above theorem may be stated tersely as, “Conjugate permutations
have the same disjoint cycle structure.”
We will see this theorem play an important role in the cryptanalysis of
Enigma, but for now the trick we need to perform is to factor the three
products AD, BE, and CF; that is, knowing the product AD, find A and
D and similarly for BE and CF. However, unlike factoring an integer as
a product of primes, the factorizations here won’t be unique. This non-
uniqueness of factorization makes extra work for the cryptanalyst! For
example, if XY = (AB)(CD), factorizations are given by
For larger pairs of cycles, there are more possible factorizations. In general,‡
if XY = (x1x3x5…x2n–1)(y2n…y6y4y2), then we can factor it as
of the General Staff Second Department 1930–1945, Adam Mickiewicz University, Poznań,
Poland, 2011.
‡ It should be noted that this result and other theorems from abstract algebra used in this
chapter existed before they were needed for cryptanalysis. The Poles didn’t have to invent or
discover the mathematics; they only had to know it and apply it.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 261
disjoint cycles having the same length independently and then piece all
such results together to get our “overall” factoring. This will be done below.
When Rejewski explained his work, he skipped over much of what follows
by writing
It is hoped that what the following pages lose in terms of terseness, com-
pared to Rejewski’s explanation, is made up for in clarity.
By “knowledge of encipherers’ habits” Rejewski was alluding to the fact
that the three-letter session keys were often not chosen randomly. They might
be part of a row or a diagonal on the keyboard, someone’s initials, letters
connected to a girlfriend’s name, or something else that could be guessed.
Taking advantage of this human tendency toward the nonrandom is some-
times referred to as using the psychological method. We will take advantage of
this after accounting for all of the possible factorizations.
We begin by factoring AD = (DVPFKXGZYO)(EIJMUNQLHT)(BC)(RW)(A)(S) by
making repeated use of our factoring rule, for each pair of cycles of equal
length, with the example to guide us.
www.ebook777.com
free ebooks ==> www.ebook777.com
262 Secret History: The Story of Cryptology
or
(DJ)(VI)(PE)(FT)(KH)(XL)(GQ)(ZN)(YU)(OM) is part of A and
(JV)(IP)(EF)(TK)(HX)(LG)(QZ)(NY)(UO)(MD) is part of D
or
(DM)(VJ)(PI)(FE)(KT)(XH)(GL)(ZQ)(YN)(OU) is part of A and
(MV)(JP)(IF)(EK)(TX)(HG)(LZ)(QY)(NO)(UD) is part of D
or
(DU)(VM)(PJ)(FI)(KE)(XT)(GH)(ZL)(YQ)(ON) is part of A and
(UV)(MP)(JF)(IK)(EX)(TG)(HZ)(LY)(QO)(ND) is part of D
or
(DN)(VU)(PM)(FJ)(KI)(XE)(GT)(ZH)(YL)(OQ) is part of A and
(NV)(UP)(MF)(JK)(IX)(EG)(TZ)(HY)(LO)(QD) is part of D
or
(DQ)(VN)(PU)(FM)(KJ)(XI)(GE)(ZT)(YH)(OL) is part of A and
(QV)(NP)(UF)(MK)(JX)(IG)(EZ)(TY)(HO)(LD) is part of D
or
( DL)(VQ)(PN)(FU)(KM)(XJ)(GI)(ZE)(YT)(OH) is part of A and
(LV)(QP)(NF)(UK)(MX)(JG)(IZ)(EY)(TO)(HD) is part of D
or
(DH)(VL)(PQ)(FN)(KU)(XM)(GJ)(ZI)(YE)(OT) is part of A and
(HV)(LP)(QF)(NK)(UX)(MG)(JZ)(IY)(EO)(TD) is part of D
Mixing and matching the choices we have for the decomposition of the
10-cycle and the 2-cycle to go with our only option for the 1-cycle yields 20
possible decompositions for AD.
This is a bit misleading, because each of the 20 possibilities, if taken one by
one, can only reveal the first letter in each of the three-letter session keys. We
need to simultaneously try a solution for B and C in order to get all three let-
ters of the session key. With all three letters for each session key, we can then
see whether or not they fit the psychological profile. If not, we try another
possibility. Thus, to make this demonstration complete, we must list the pos-
sibilities for B and C. E and F follow from the same work, but aren’t necessary
for this step.
We found previously that
BE = (BLFQVEOUM)(HJPSWIZRN)(AXT)(CGY)(D)(K)
www.ebook777.com
free ebooks ==> www.ebook777.com
264 Secret History: The Story of Cryptology
We also have
CF = (ABVIKTJGFCQNY)(DUZREHLXWPSMO)
C = (AO)(BM)(VS)(IP)(KW)(TX)(JL)(GH)(FE)(CR)(QZ)(NU)(YD)
F = (OB)(MV)(SI)(PK)(WT)(XJ)(LG)(HF)(EC)(RQ)(ZN)(UY)(DA)
or
C = (AD)(BO)(VM)(IS)(KP)(TW)(JX)(GL)(FH)(CE)(QR)(NZ)(YU)
F = (DB)(OV)(MI)(SK)(PT)(WJ)(XG)(LF)(HC)(EQ)(RN)(ZY)(UA)
or
C = (AU)(BD)(VO)(IM)(KS)(TP)(JW)(GX)(FL)(CH)(QE)(NR)(YZ)
F = (UB)(DV)(OI)(MK)(ST)(PJ)(WG)(XF)(LC)(HQ)(EN)(RY)(ZA)
or
C = (AZ)(BU)(VD)(IO)(KM)(TS)(JP)(GW)(FX)(CL)(QH)(NE)(YR)
F = (ZB)(UV)(DI)(OK)(MT)(SJ)(PG)(WF)(XC)(LQ)(HN)(EY)(RA)
or
C = (AR)(BZ)(VU)(ID)(KO)(TM)(JS)(GP)(FW)(CX)(QL)(NH)(YE)
F = (RB)(ZV)(UI)(DK)(OT)(MJ)(SG)(PF)(WC)(XQ)(LN)(HY)(EA)
or
C = (AE)(BR)(VZ)(IU)(KD)(TO)(JM)(GS)(FP)(CW)(QX)(NL)(YH)
F = (EB)(RV)(ZI)(UK)(DT)(OJ)(MG)(SF)(PC)(WQ)(XN)(LY)(HA)
or
C = (AH)(BE)(VR)(IZ)(KU)(TD)(JO)(GM)(FS)(CP)(QW)(NX)(YL)
F = (HB)(EV)(RI)(ZK)(UT)(DJ)(OG)(MF)(SC)(PQ)(WN)(XY)(LA)
or
C = (AL)(BH)(VE)(IR)(KZ)(TU)(JD)(GO)(FM)(CS)(QP)(NW)(YX)
F = (LB)(HV)(EI)(RK)(ZT)(UJ)(DG)(OF)(MC)(SQ)(PN)(WY)(XA)
or
C = (AX)(BL)(VH)(IE)(KR)(TZ)(JU)(GD)(FO)(CM)(QS)(NP)(YW)
F = (XB)(LV)(HI)(EK)(RT)(ZJ)(UG)(DF)(OC)(MQ)(SN)(PY)(WA)
or
C = (AW)(BX)(VL)(IH)(KE)(TR)(JZ)(GU)(FD)(CO)(QM)(NS)(YP)
F = (WB)(XV)(LI)(HK)(ET)(RJ)(ZG)(UF)(DC)(OQ)(MN)(SY)(PA)
or
C = (AP)(BW)(VX)(IL)(KH)(TE)(JR)(GZ)(FU)(CD)(QO)(NM)(YS)
F = (PB)(WV)(XI)(LK)(HT)(EJ)(RG)(ZF)(UC)(DQ)(ON)(MY)(SA)
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 265
or
C = (AS)(BP)(VW)(IX)(KL)(TH)(JE)(GR)(FZ)(CU)(QD)(NO)(YM)
F = (SB)(PV)(WI)(XK)(LT)(HJ)(EG)(RF)(ZC)(UQ)(DN)(OY)(MA)
or
C = (AM)(BS)(VP)(IW)(KX)(TL)(JH)(GE)(FR)(CZ)(QU)(ND)(YO)
F = (MB)(SV)(PI)(WK)(XT)(LJ)(HG)(EF)(RC)(ZQ)(UN)(DY)(OA)
To see how the psychological method works, we consider one of the pos-
sible factorizations by taking the first possibility for each of the permutations
A, B, and C. We then have
A = (AS)(BR)(CW)(DT)(VH)(PL)(FQ)(KN)(XU)(GM)(ZJ)(YI)(OE)
B = (DK)(AY)(XG)(TC)(BN)(LR)(FZ)(QI)(VW)(ES)(OP)(UJ)(MH)
C = (AO)(BM)(VS)(IP)(KW)(TX)(JL)(GH)(FE)(CR)(QZ)(NU)(YD)
D = (SA)(RC)(WB)(TV)(HP)(LF)(QK)(NX)(UG)(MZ)(JY)(IO)(ED)
E = (KD)(GT)(YX)(CA)(NL)(RF)(ZQ)(IV)(WE)(SO)(PU)(JM)(HB)
F = (OB)(MV)(SI)(PK)(WT)(XJ)(LG)(HF)(EC)(RQ)(ZN)(UY)(DA)
Now we use this information to decipher all of the session keys. The substi-
tutions performed by D, E, and F are redundant and therefore not needed,
but they do serve as a way to check that our previous work was correct. The
enciphered session keys are reproduced below for convenience:*
AUQ AMN IND JHU PVJ FEG SJM SPO WTM RAO
BNH CHL JWF MIC QGA LYB SJM SPO WTM RAO
BCT CGJ JWF MIC QGA LYB SJM SPO WTM RAO
CIK BZT KHB XJV RJL WPX SUG SMF WKI RKK
DDB VDV KHB XJV RJL WPX SUG SMF XRS GNM
EJP IPS LDR HDE RJL WPX TMN EBY XRS GNM
FBR KLE LDR HDE RJL WPX TMN EBY XOI GUK
GPB ZSV MAW UXP RFC WQQ TAA EXB XYW GCP
HNO THD MAW UXP SYX SCW USE NWH YPC OSQ
HNO THD NXD QTU SYX SCW VII PZK YPC OSQ
HXV TTI NXD QTU SYX SCW VII PZK ZZY YRA
IKG JKF NLU QFZ SYX SCW VQZ PVR ZEF YOC
IKG JKF OBU DLZ SYX SCW VQZ PVR ZSJ YWG
To recover the first enciphered session key, AUQ AMN, we begin with the
first character, A. Because it is in the first position, it was enciphered by per-
mutation A. Permutation A contains the swap (AS), so the ciphertext letter A
* From Bauer, F.L., Decrypted Secrets: Methods and Maxims of Cryptology, 2nd ed., Springer, New
York, 2000, p. 390.
www.ebook777.com
free ebooks ==> www.ebook777.com
266 Secret History: The Story of Cryptology
Q W E R T Z U I O
A S D F G H J K
P Y X C V B N M L
Deciphering the entire list of session keys with our proposed permutations,
A through F, gives
SJZ SJZ YBY YBY LWL LWL AUB AUB CCB CCB
RBG RBG ZVE ZVE FXO FXO AUB AUB CCB CCB
RTX RTX ZVE ZVE FXO FXO AUB AUB CCB CCB
WQW WQW NMM NMM BUJ BUJ AJH AJH CDP CDP
TKM TKM NMM NMM BUJ BUJ AJH AJH ULV ULV
OUI OUI PKC PKC BUJ BUJ DHU DHU ULV ULV
QNC QNC PKC PKC BUJ BUJ DHU DHU UPP UPP
MOM MOM GYK GYK BZR BZR DYO DYO UAK UAK
VBA VBA GYK GYK AAT AAT XEF XEF IOR IOR
VBA VBA KGY KGY AAT AAT HQP HQP IOR IOR
VGS VGS KGY KGY AAT AAT HQP HQP JFD JFD
YDH YDH KRN KRN AAT AAT HIQ HIQ JSE JSE
YDH YDH ENN ENN AAT AAT HIQ HIQ JEL JEL
We don’t see any keys that use the same letter three times, or make use of
three letters in a row or on a diagonal on the keyboard, nor do we see any
that look like names of women. We conclude that our choices for A, B, C, D,
E, and F are incorrect. We had 20 choices for A and D, 27 choices for B and E,
and 13 choices for C and F. Thus, altogether, we have (20)(27)(13) = 7020 pos-
sibilities for these six permutations. We will not look at all of them by hand,
but we will jump ahead to the correct solution to see how it contrasts with
incorrect solutions, like the one above.
Consider the following:
A = (AS)(BR)(CW)(DI)(VE)(PT)(FH)(KL)(XQ)(GN)(ZU)(YM)(OJ)
B = (DK)(AY)(XG)(TC)(BJ)(LH)(FN)(QR)(VZ)(EI)(OW)(US)(MP)
C = (AX)(BL)(VH)(IE)(KR)(TZ)(JU)(GD)(FO)(CM)(QS)(NP)(YW)
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 267
D = (SA)(RC)(WB)(IV)(EP)(TF)(HK)(LX)(QG)(NZ)(UY)(MO)(JD)
E = (KD)(GT)(YX)(CA)(JL)(HF)(NQ)(RV)(ZE)(IO)(WU)(SM)(PB)
F = (XB)(LV)(HI)(EK)(RT)(ZJ)(UG)(DF)(OC)(MQ)(SN)(PY)(WA)
SSS SSS DFG DFG TZU TZU ABC ABC CCC CCC
RFV RFV OOO OOO XXX XXX ABC ABC CCC CCC
RTZ RTZ OOO OOO XXX XXX ABC ABC CCC CCC
WER WER LLL LLL BBB BBB ASD ASD CDE CDE
IKL IKL LLL LLL BBB BBB ASD ASD QQQ QQQ
VBN VBN KKK KKK BBB BBB PPP PPP QQQ QQQ
HJK HJK KKK KKK BBB BBB PPP PPP QWE QWE
NML NML YYY YYY BNM BNM PYX PYX QAY QAY
FFF FFF YYY YYY AAA AAA ZUI ZUI MMM MMM
FFF FFF GGG GGG AAA AAA EEE EEE MMM MMM
FGH FGH GGG GGG AAA AAA EEE EEE UVW UVW
DDD DDD GHJ GHJ AAA AAA ERT ERT UIO UIO
DDD DDD JJJ JJJ AAA AAA ERT ERT UUU UUU
Of the 65 keys, 39 use a triplet, 18 read along a row of keys, 3 read down a
diagonal on the keyboard (RFV, IKL, QAY), and 5 use three consecutive let-
ters (one of which, CDE, happens to also be up a diagonal on the keyboard).
Every single session key had some pattern!
Having to consider 7020 possibilities may sound painful, but the correct
answer will be found, on average, after 3510 attempts (half the total), and the
problem is perfect for parallel processing. Of course, during World War II,
this meant many people working simultaneously on separate possibilities.
This is why cryptanalytic groups often had a large number of clerks! With
100 people working on this problem, a single person would have only 35 pos-
sibilities to check on average. Also, to speed things up, one could move on
to the next possibility if, say, the first five session keys all failed to fit any of
the expected forms. But, due to security concerns, the Poles didn’t adopt the
parallel processing approach.
Rejewski presented the correct solution in a manner that looks a bit differ-
ent, but recall that disjoint cycles commute and two cycles may be written in
the form (XY) or (YX). Rejewski’s representation of permutations A through
F follows:
A = (AS)(BR)(CW)(DI)(EV)(FH)(GN)(JO)(KL)(MY)(PT)(QX)(UZ)
B = (AY)(BJ)(CT)(DK)(EI)(FN)(GX)(HL)(MP)(OW)(QR)(SU)(VZ)
C = (AX)(BL)(CM)(DG)(EI)(FO)(HV)(JU)(KR)(NP)(QS)(TZ)(WY)
D = (AS)(BW)(CR)(DJ)(EP)(FT)(GQ)(HK)(IV)(LX)(MO)(NZ)(UY)
E = (AC)(BP)(DK)(EZ)(FH)(GT)(IO)(JL)(MS)(NQ)(RV)(UW)(XY)
F = (AW)(BX)(CO)(DF)(EK)(GU)(HI)(JZ)(LV)(MQ)(NS)(PY)(RT)
www.ebook777.com
free ebooks ==> www.ebook777.com
268 Secret History: The Story of Cryptology
If only the rightmost rotor turns while enciphering the session key, then we
have the following:*
A = SHPNP–1MLRL–1M–1PN–1P–1H–1S –1
B = SHP2NP–2MLRL–1M–1P2N–1P–2H–1S –1
C = SHP3NP–3MLRL–1M–1P3N–1P–3H–1S –1
D = SHP4NP–4MLRL–1M–1P4N–1P–4H–1S –1
E = SHP5NP–5MLRL–1M–1P5N–1P–5H–1S –1
F = SHP6NP–6MLRL–1M–1P6N–1P–6H–1S –1
Recalling our notations, the first equation, read from left to right, shows
the composition of the permutations S (plugboard), H (wiring from plug-
board to rotor assembly), P (representing the turning of the first rotor), N (the
fast rotor), P–1 (we then need to undo the turning effect), M (the middle rotor),
L (the final rotor), R (the reflector), and then out through the same permuta-
tions again, but in reverse order and direction (hence the inverse notation).
Now, if the middle rotor turns, the above will not hold true, but this would
only happen with probability 5/26.
Since MLRL–1M–1 appears in the center of all of the equations, we can sim-
plify matters by setting this equal to Q. We then have
A = SHPNP–1QPN–1P–1H–1S –1
B = SHP2NP–2QP2N–1P–2H–1S –1
C = SHP3NP–3QP3N–1P–3H–1S –1
D = SHP4NP–4QP4N–1P–4H–1S –1
E = SHP5NP–5QP5N–1P–5H–1S –1
F = SHP6NP–6QP6N–1P–6H–1S –1
Since there are six equations and only four unknowns (S, H, N, and Q), we
ought to be able to find a solution.
The identification of S (the plugboard setting) came about by noncryptana-
lytic means. A German, Hans Thilo Schmidt (Figure 8.12), sold it, along with
other Enigma information, to the French on November 8, 1931. In December
of the following year, the Frenchman Captain Gustav Bertrand (later to
become a General) passed Schmidt’s information on to the Poles.†
H was guessed to be the same as the commercial Enigma and A, B, C, D, E,
and F were determined as above. Thus, to simplify things, we multiply both
sides of each equation on the left by H–1S –1 and on the right by SH to get
* Rejewski, in explaining his work, sometimes wrote the first equation without the necessary
P–1 in position 5 and P in position 11. It seems he did not want to confuse the reader with too
many details. Later on he includes it (when he’s being more detailed). Christensen followed
this style in his excellent paper.
† Rejewski, M., Mathematical solution of the Enigma cipher, Cryptologia, 6(1), 8, 1982.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 269
FIGURE 8.12
Hans Thilo Schmidt. (From the David Kahn collection at the National Cryptologic Museum.)
Thus, all of the permutations on the left side of the above equalities were
believed to be known.
A quick definition: If we start with permutation A and use another permu-
tation P to form the product P–1AP, we say that A has been transformed by
the action of P.
Now take the six equations above and transform both sides by the action
of P, P2, P3, P4, P5, and P6, respectively. We label the results with new letters
for convenience:
www.ebook777.com
free ebooks ==> www.ebook777.com
270 Secret History: The Story of Cryptology
UV = (NP–1QPN–1)(NP–2QP2N–1)
VW = (NP–2QP2N–1)(NP–3QP3N–1)
WX = (NP–3QP3N–1)(NP–4QP4N–1)
XY = (NP–4QP4N–1)(NP–5QP5N–1)
YZ = (NP–5QP5N–1)(NP–6QP6N–1)
Removing the parentheses, the N–1N in the middle drops out of each equa-
tion. We then combine the powers of P that appear next to one another and
insert a new pair of parentheses (to stress a portion the equations all share)
and get the following.
UV = NP–1(QP–1QP)PN–1
VW = NP–2(QP–1QP)P2N–1
WX = NP–3(QP–1QP)P3N–1
XY = NP–4(QP–1QP)P4N–1
YZ = NP–5(QP–1QP)P5N–1
Now take the first four equations above and transform both sides of each by
the action of NPN–1:
NP–1N–1(UV)NPN–1 = NP–1N–1NP–1(QP–1QP)PN–1NPN–1
NP–1N–1(VW)NPN–1 = NP–1N–1NP–2(QP–1QP)P2N–1NPN–1
NP–1N–1(WX)NPN–1 = NP–1N–1NP–3(QP–1QP)P3N–1NPN–1
NP–1N–1(XY)NPN–1 = NP–1N–1NP–4(QP–1QP)P4N–1NPN–1
NP–1N–1(UV)NPN–1 = NP–2(QP–1QP)P2N–1
NP–1N–1(VW) NPN–1 = NP–3(QP–1QP)P3N–1
NP–1N–1(WX) NPN–1 = NP–4(QP–1QP)P4N–1
NP–1N–1(XY) NPN–1 = NP–5(QP–1QP)P5N–1
NP–1N–1(UV)NPN–1 = VW
NP–1N–1(VW) NPN–1 = WX
NP–1N–1(WX) NPN–1 = XY
NP–1N–1(XY) NPN–1 = YZ
Now we have four equations and the only unknown is N (remember, P rep-
resents the advancement of the fast rotor).
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 271
Observe that NP–1N–1 is the inverse of the permutation NPN–1. Thus, the
first of the equations above has the form T–1(UV)T = VW and the others
are similar. When we have this situation, we say UV and VW are conjugate
permutations, and it is very easy to find a permutation T that transforms UV
into VW.
To do so, we simply write VW under UV and pretend that the top line
is the plaintext and the bottom line is the ciphertext. We then express this
“encryption” in disjoint cycle notation. For example,
UV = (AEPFTYBSNIKOD)(RHCGZMUVQWLJX)
VW = (AKJCEVZYDLWNU)(SMTFHQIBXOPGR)
gives
T = (A)(EKWONDUILPJGFCT)(YVBZHMQXRS)
The only problem is that UV could be written, switching the order of the
13-cycles, as
UV = (RHCGZMUVQWLJX)(AEPFTYBSNIKOD)
and this will give a different result. That is, the solution to the problem of
finding a permutation T such that T–1(UV)T = VW is not unique. Indeed,
beginning one of the 13-cycles that make up UV with a different letter also
changes the solution.
So, the first equation will give us dozens of possibilities for NP–1N–1 (recall
that T was taking the place of NP–1N–1 in the discussion above). Exactly how
many solutions exist depends on the cycle structure of UV.
In any case, each of the equations below will offer various possibilities for
NP–1N–1:
NP–1N–1(UV)NPN–1 = VW
NP–1N–1(VW)NPN–1 = WX
NP–1N–1(WX)NPN–1 = XY
NP–1N–1(XY)NPN–1 = YZ
UV = (AEPFTYBSNIKOD)(RHCGZMUVQWLJX)
VW = (AKJCEVZYDLWNU)(SMTFHQIBXOPGR)
WX = (AQVLOIKGNWBMC)(PUZFTJRYEHXDS)
www.ebook777.com
free ebooks ==> www.ebook777.com
272 Secret History: The Story of Cryptology
So, we write VW under UV all possible ways (13 × 13 × 2 = 338 of them!)* and
see what permutations they give, and we also write WX under VW all pos-
sible ways, and then look for a match. For example,
VW = (AKJCEVZYDLWNU)(SMTFHQIBXOPGR)
WX = (AQVLOIKGNWBMC)(PUZFTJRYEHXDS)
gives
(A)(KQJVIRSPXEOHTZ)(CLWBYGDNMU)(F)
AYURICXQMGOVSKEDZPLFWTNJHB ⇒ ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZ AZFPOTJYEXNSIWKRHDMVCLUGBP
AYURICXQMGOVSKEDZPLFWTNJHB ⇒ ABCDEFGHIJKLMNOPQRSTUVWXYZ
BCDEFGHIJKLMNOPQRSTUVWXYZA BAGQPUKZFYOTJXLSIENWDMVHCR
AYURICXQMGOVSKEDZPLFWTNJHB ⇒ ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB CBHRQVLAGZPUKYMTJFOXENWIDS
..
.
AYURICXQMGOVSKEDZPLFWTNJHB ⇒ ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZABCDEFGHIJKLMNOPQRSTUVWXY ZYEONSIXDWMRHVJQGCLUBKTFAP
One of the 26 possibilities indicated above will be N, the wiring of the fast
rotor.
The attack described above was based on Rejewski’s description. He didn’t
use real data, so, although the approach works, the rotor possibilities we end
up with don’t match any that were actually used.
In any case, the work we just went through only provides the wiring for
one rotor—the rightmost and fastest rotor. The Germans, however, placed
the rotors in the machine in a different order every three months, as part
of the key, and the settings supplied by Schmidt straddled two quarters.
* The factors of 13 come from the fact that either 13-cycle can be expressed beginning with any
of its 13 letters. The factor of 2 comes from the choice as to which of the two 13-cycles we write
first.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 273
Happily, two different rotors fell in the rightmost position in these two quar-
ters and both were recovered by the method detailed above.
There was some more work involved, as the wiring of the third rotor and
the reflector still had to be recovered, but the above gives the flavor of the
work. It should also be noted that we cannot narrow down the possibilities
for each rotor individually. We must look at them as a group to decide which
are correct.*
After everything was determined, and the Poles were expecting to be able
to read messages, only gibberish appeared! Something was wrong. Finally,
Rejewski turned to the wiring from the plugboard to the rotor entry points.
Perhaps it wasn’t the same as in the commercial Enigma the Poles had
acquired. So, what complex mathematical machinery did Rejewski apply to
this new problem? None. He guessed. Maybe H was simply
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: ABCDEFGHIJKLMNOPQRSTUVWXYZ
The new Enigmas were being delivered to frontier units, and in early
1939 a military truck containing one was ambushed. Polish agents staged
an accident in which fire destroyed the evidence. German investigators
assumed that some charred bits of coils, springs, and rotors were the
remains of the real Enigma.
The author does mention the star of this chapter, sort of; he refers to
“Mademoiselle Marian Rejewski.” Richard A. Woytak admired Stevenson’s
“thereby managing, with masterful economy of expression, to get wrong
both Rejewski’s sex and marital status.”‡
That was a lot easier than wrapping your head around the mathematics
wasn’t it? Everyone knows you cannot believe everything you read on the
Internet, but I really do not see how it’s any different from the print world.
Thus, the Poles, having been given the daily keys, were able to reconstruct
the Enigma machine. Eventually the keys expired and the Poles had to face
the opposite problem: Having the machine, how could the daily keys be
recovered?
* Rejewski, M., Mathematical solution of the Enigma cipher, Cryptologia, 6(1), 11, 1982. “But
those details may only be established following the basic reconstruction of the connections
in all the rotors.”
† Stevenson, W., A Man Called Intrepid, Ballantine Books, New York, 1977, p. 53.
‡ Rejewski, M., Remarks on Appendix 1 to British Intelligence in the Second World War by F. H.
Hinsley, Cryptologia, 6(1), 75–83, 1982. This piece was translated into English by Christopher
Kasparek and contains a prefatory note by Richard A. Woytak.
www.ebook777.com
free ebooks ==> www.ebook777.com
274 Secret History: The Story of Cryptology
AD = (DVPFKXGZYO)(EIJMUNQLHT)(BC)(RW)(A)(S)
BE = (BLFGVEOUM)(HJPSWIZRN)(AXT)(CGY)(D)(K)
CF = (ABVIKTJGFCQNY)(DUZREHLXWPSMO)
Thus,
The cycle structure is determined by the order of the rotors and their initial
positions. The ring settings and plugboard do not affect it. There are six ways
to order the three rotors and 263 = 17,576 ways to select a daily key, so the
total number of possibilities comes to (6)(17,576) = 105,456. It would be won-
derful if there were also 105,456 possibilities for the cycle structure of AD,
BE, and CF. In that case, there would be a one-to-one correspondence and the
Poles could simply make a catalog (remember they now had an Enigma) and,
when the cycle structures are recovered for a given day, simply look it up and
read off the corresponding key setting. Well, the correspondence wasn’t one
to one. There were fewer cycle structure possibilities than keys, but there
were enough distinct cycle structures that the Poles were able to make a use-
ful catalog. Upon looking up the cycle structure they found it to be paired
with several possible keys, but not so many that they couldn’t all be checked.
To create the catalog, the Poles could have set their new bootleg military
Enigma to a particular key and enciphered a session key twice, noting the
result, then reset the key and enciphered another session key twice, and
so on. After obtaining dozens of these enciphered session keys, Rejewski’s
method, described earlier in Section 8.4, could be applied to yield the permu-
tations AD, BE, and CF, and thus determine their cycle structure; however, to
do this 105,456 times would be very time consuming.
Instead, to create the desired catalog, the Poles made a machine called a
cyclometer, depicted in Figure 8.13. This time-saving device consisted of two
rotor sets (with reflectors). As you may have already guessed, one represents
A and the other D (or B and E, C and F, whichever permutation is being inves-
tigated at that moment). A charge can be applied to any of the letters and the
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 275
FIGURE 8.13
The Polish cyclometer. (Illustration by Dan Meredith. From Christensen, C., Mathematics
Magazine, 80(4), 260, 2007. With permission.)
current will flow through the set of rotors representing permutation A and
then through the rotors representing permutation D; the letter that comes out
will be illuminated, but this is not the end. The charge continues through A
and D again and may light another letter, if the cycle is not yet complete. The
handle on the left side of the front of the cyclometer is to control the amount of
current.* If the amount of current needed to clearly light the bulbs for all of the
letters in a large cycle were used for a very short cycle, it might burn out the
filaments. Hence, the operator should start out low and increase the current
only if it looks like enough bulbs are lighting to avoid damage.
Naturally it took some time to construct the cyclometer, but it allowed
the catalog to be built much more quickly than by applying the method
described in Section 8.4. The original catalog no longer exists, but Alex
Kuhl, an undergraduate at Northern Kentucky University at the time,
reconstructed it.† Naturally, he used a personal computer rather than doing
it by hand with a cyclometer. Although the cyclometer method was quicker
than a mathematical analysis, it still took over a year for the Poles to com-
plete their catalog. I find it amazing that more people were not assigned
to this extremely important work in order to speed its completion. It was
a task extremely well suited to what we would now call parallel process-
www.ebook777.com
free ebooks ==> www.ebook777.com
276 Secret History: The Story of Cryptology
ing. Twice as many workers could have completed the job in half the time,
and so on for three, four, etc. times as many workers. Once the cyclom-
eters were made, anyone could have been trained to work on a portion
of the catalog. It didn’t require any skills other than attention to detail; in
fact, it must have been very monotonous work. But, even though it was
tremendously important, the Poles weren’t even working on the catalog
full time; they were also reconstructing Enigma keys by another method
each day. Kozaczuk described what it was like when cyclometer work was
being done:*
When the catalog was completed, however, recovery of the daily key typi-
cally took only 10 to 20 minutes. Kuhl’s reconstruction of the catalog revealed
how the 105,465 rotor settings map to the 21,230 different disjoint cycle struc-
tures. Some of his results are provided below:†
• The good news is that 11,466 of the disjoint cycle structures have
unique rotor settings that give rise to them. Thus, over half the time
the cycle structure, when checked in the catalog, would immediately
yield the rotor settings. Over 92% of the disjoint cycle structures cor-
respond to 10 or fewer possible rotor settings.
• The bad news is that there are disjoint cycle structures that give far
more possibilities (see Table 8.1).
Still, a catalog with 105,456 entries can be generated by hand, even twice.
* Kozaczuk, W., Enigma: How the German Machine Cipher Was Broken, and How It Was Read
by the Allies in World War Two, edited and translated by Christopher Kasparek, University
Publications of America, Frederick, MD, 1984, p. 29 (original Polish version 1979).
† Kuhl, A., Rejewski’s catalog, Cryptologia, 31(4), 329–330, 2007.
‡ Rejewski, M., How the Polish mathematicians broke Enigma, Appendix D, in Kozaczuk, W.,
Enigma: How the German Machine Cipher Was Broken, and How It Was Read by the Allies in World
War Two, Arms & Armour Press, London, 1984, p. 264.
§ I’ve been referring to this as the reflector.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 277
TABLE 8.1
Most Frequent Cycle Structures
Number of
Disjoint Cycle Structure (AD)(BE)(CF) Occurrences
(13 13)(13 13)(13 13) 1771
(12 12 1 1)(13 13)(13 13) 898
(13 13)(13 13)(12 12 1 1) 866
(13 13)(12 12 1 1)(13 13) 854
(11 11 2 2)(13 13)(13 13) 509
(13 13)(12 12 1 1)(12 12 1 1) 494
(13 13)(13 13)(11 11 2 2) 480
(12 12 1 1)(13 13)(12 12 1 1) 479
(13 13)(11 11 2 2)(13 13) 469
(12 12 1 1)(12 12 1 1)(13 13) 466
(13 13)(10 10 3 3)(13 13) 370
(13 13)(13 13)(10 10 3 3) 360
(10 10 3 3)(13 13)(13 13) 358
(13 13)(13 13)(9 9 4 4) 315
(9 9 4 4)(13 13)(13 13) 307
Source: Kuhl, A., Cryptologia, 31(4), 329, 2007. With permission.
www.ebook777.com
free ebooks ==> www.ebook777.com
278 Secret History: The Story of Cryptology
* According to Kahn’s chronology. In contrast, the date of July 25 is given in Welchman, G., The
Hut Six Story, McGraw-Hill, New York, 1982, p. 16; and Rejewski, M., Mathematical solution
of the Enigma cipher, Cryptologia, 6(1), 17, 1982.
† Kahn, D., The significance of codebreaking and intelligence in Allied strategy and tactics,
FIGURE 8.14
Alan Turing (1912–1954) (http://www.turing.org.uk/sources/archive.html).
This says more about the failings of public schools than about Turing. The
headmaster seemed to think education meant becoming “familiar with the
ideas of authority and obedience, of cooperation and loyalty, of putting the
house and the school above your personal desires.”* He was later to complain
of Turing, who did not buy into this: “He should have more esprit de corps.”†
The spirit at Sherborne was perhaps summarized by Turing’s form-master
for the fall of 1927: “This room smells of mathematics! Go out and fetch a
disinfectant spray!” Turing later observed that ‡
The great thing about a public school education is that afterwards, how-
ever miserable you are, you know it can never be quite so bad again.
* Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, p. 22.
† Ibid., p. 24.
‡ Ibid., p. 381.
www.ebook777.com
free ebooks ==> www.ebook777.com
280 Secret History: The Story of Cryptology
All that I can claim is that my deliberate policy of leaving him largely to
his own devices and standing by to assist when necessary allowed his
natural mathematical genius to progress uninhibited.
In 1933, Turing joined the Anti-War Council, telling his mother in a letter,
“Its programme is principally to organize strikes amongst munitions and
chemical workers when government intends to go to war. It gets up a guar-
antee fund to support the workers who strike.Ӡ The group also protested
films such as Our Fighting Navy, which Turing called “blatant militarist
propaganda.”‡
Turing graduated from King’s College in 1934. In 1935, he attended a
course that dealt with Gödel’s incompleteness theorem and Hilbert’s ques-
tion of decidability. It was at this time that Turing began his research into
that question. Turing’s dissertation was on the reasons behind why so many
phenomena follow a Gaussian distribution. He proved the central limit theo-
rem (seen in every college-level course in probability) in this dissertation.
Turing’s proof was not the first, but he did not know about the other, pub-
lished slightly earlier, and discovered his own independently.
In 1936, Turing published an article entitled, “On Computable Numbers,
with an Application to the Entscheidungsproblem,” which introduced what
is now called a Turing machine. The theoretical machine read symbols from
a tape and could also delete or write symbols on the tape as well. A com-
putable number was defined to be a real number whose decimal expansion
could be produced by a Turing machine starting with a blank tape. Since
only countably many real numbers are computable and there are uncount-
able many real numbers, there exists a real number that is not computable.
This argument was made possible by Cantor’s work. Turing described a
number that is not computable, remarking that this seemed to be a paradox,
since he described in finite terms a number that cannot be described in finite
terms. The answer was that it is impossible to decide, using another Turing
machine, whether a Turing machine with a given table of instructions will
output an infinite sequence of numbers.§ This took care of another one of
Hilbert’s questions from 1928. The answer was, once more, no.
Turing also discussed a universal machine in his 1936 paper. It is a
machine:¶
* Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, p. 32.
† Ibid., p. 71.
‡ Ibid., p. 87.
§ http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Turing.html.
¶ Ibid.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 281
FIGURE 8.15
The mansion at Bletchley Park. (Copyright Bletchley Park Trust and used with permission.)
Before the war my work was in logic and my hobby was cryptanalysis
and now it is the other way round.
* Also known as Station X, as it was the tenth site acquired by MI-6 for its wartime operations.
† Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
York, 2002, p. 2.
‡ Ibid., p. 3.
§ Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, pp. 214–215.
www.ebook777.com
free ebooks ==> www.ebook777.com
282 Secret History: The Story of Cryptology
Turing redesigned the Polish bomba, and then Welchman made further
improvements. The machine was now known as a bombe. This seems to have
simply been a modification of the Polish name, but nobody knows why the
Poles chose the name in the first place. According to one of several stories,
it was because it ticked while in operation, like a time bomb.* The ticking
stopped when a potential solution arose.
Stories of Turing’s eccentricities circulated at Bletchley; for example, begin-
ning each June, he would wear a gas mask while bicycling. This was to keep
the pollen out; he suffered from hay fever. The bicycle was also unusual.
Periodically a bent spoke would touch a particular link and action would
have to be taken to prevent the chain from coming off. Turing kept track of
how many times the bicycle’s wheel had turned and would stop the bike and
reset the chain before it came off.†
Still, Turing and the other eccentrics at Bletchley were very good at what
they did. By 1942, the deciphered messages totaled around 50,000 per month;‡
however, in February 1942, the German Navy put a four-rotor Enigma into
use. This caused the decipherments to come to an immediate halt and the
results were bloody.
Kahn convincingly illustrated the importance of Enigma decipherments
in the Atlantic naval war by comparing sinkings of Allied ships in the sec-
ond half of 1941, when Enigma messages were being read, with the second
half of 1942, when the messages went unsolved. The respective figures for
tons sunk are 600,000 vs. 2,600,000.§ Kahn also puts a human face on these
figures:¶
And each of the nearly 500 ships sunk in those six months meant more
freezing deaths in the middle of the ocean, more widows, more fatherless
children, less food for some toddler, less ammunition for some soldier,
less fuel for some plane—and the prospect of prolonging these miseries.
Reading Enigma messages also allowed the allies to sink Axis convoys in
greater numbers. Rommel was greatly handicapped in Africa by the lack of
much needed gasoline due to these sinkings. At one point he sent a sarcas-
tic message of thanks to Field Marshal Kesselring for the few barrels that
washed ashore from wrecks of a convoy.**
* There are several different stories given to explain why the machines were called bombes.
There is no consensus as to which is correct.
† Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, p. 209.
‡ Ibid., p. 237.
§ Kahn, D., Seizing the Enigma, Houghton Mifflin, Boston 1991, pp. 216–217.
¶ Ibid., p. 217.
** Winterbotham, F.W., The Ultra Secret, Harper & Row, New York, 1974. p. 82.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 283
FIGURE 8.16
National Cryptologic Museum curator Patrick Weadon with a Lorenz machine. This machine
dwarfs the M-209 and is also significantly larger than the Enigma.
* The “SZ” in the name is short for Schlüsselzusatz, which translates to “cipher attachment.”
These machines were attached to Lorenz teleprinters.
www.ebook777.com
free ebooks ==> www.ebook777.com
284 Secret History: The Story of Cryptology
FIGURE 8.17
Lorenz SZ 42 cipher machine (http://en.wikipedia.org/wiki/File:Lorenz-SZ42-2.jpg).
FIGURE 8.18
Nazi ciphers being broken by the first programmable computer, Colossus. (Copyright Bletchley
Park Trust and used with permission.)
computer. It was long believed that ENIAC was the first, as the existence
of Colossus remained classified until the 1970s! A Colossus has since been
rebuilt by a team led by Tony Sale and is on display at Bletchley Park.*
Bletchley also has a bombe that was rebuilt by a team led by John Harper.
Again, no originals survived in England to the present day. One U.S. Navy
bombe, built in Dayton, Ohio, was preserved and is now on display at the
National Cryptologic Museum.
* See http://www.codesandciphers.org.uk/lorenz/rebuild.htm for more information.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 285
FIGURE 8.19
Monument in Poznan, Poland, honoring Rejewski, Różycki, and Zygalski. (From Grajek, M.,
Cryptologia, 32(2), 103, 2008. With permission.)
I feel that intelligence was a vital factor in the Allied victory—I think
that without it we might not have won, after all.
—Harold Deutsch*
There are other experts who share Deutsch’s opinion. Among experts who
believe we would have won without the cryptologists, the consensus is that
the victory would have arrived at least a year later, perhaps two. Certainly,
a tremendous number of lives were saved by the work of the cryptanalysts.
These cryptanalytic heroes had to wait in silence for decades before their
contributions could be revealed. Eventually some honors were bestowed
upon them. We saw the Polish postage stamp earlier in this chapter. Other
countries eventually issued special stamps, as well. In addition to a monu-
ment in Poland (Figure 8.19), there are cryptologic museums in England and
America. This is good. We should pay our respects in this manner, but this
* Kahn, D., The significance of codebreaking and intelligence in Allied strategy and tactics,
Cryptologia, 1(3), 221, 1977.
www.ebook777.com
free ebooks ==> www.ebook777.com
286 Secret History: The Story of Cryptology
is not the reward of the cryptanalysts. Look closely the next time you see a
crowd of people at a sporting event or at a shopping center and know that
many of them would never have existed if the war had lasted a year or two
longer. How many of our parents, grandparents, and great-grandparents
made it back from the war, but would not have if it had gone on longer? How
many of us have forefathers who weren’t called to duty because they were
a little bit too young? How many more hospital beds would be filled with
the horribly wounded? The reward of the cryptanalysts is pride in knowing
their work made an incredible difference in the lives of those around them.
* Parrish, T., The Ultra Americans, Stein & Day, Briarcliff Manor, NY, 1986. Note that a trade
paperback edition bears the title The American Codebreakers.
† More information on the National Cryptologic Museum can be found at http://www.nsa.
gov/about/cryptologic_heritage/museum/.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 287
After the war, Turing had more time to devote to exercise. He was a mem-
ber of the Walton Athletic Club and won their 3-mile and 10-mile champion-
ships in record time.* He was unable to try out for the Olympic team due to
an injury. The marathon that year was won by an Argentinian with a time 17
minutes faster than what Turing could do.† How did he learn to run so fast?
Well, in grade school:‡
…he hated and feared the gym class and the afternoon games. The boys
played hockey in winter, and Alan later claimed that it was the necessity
of avoiding the ball that had taught him to run fast.
I believe that at the end of the century the use of words and general edu-
cated opinion will have altered so much that one will be able to speak of
machines thinking without expecting to be contradicted.
These ideas must have seemed absurd to many in 1950 when “it was not
unknown for computer users to be sweltering in 90°F heat, and banging the
racks with a hammer to detect loose valves.”**
In 1952, Turing, attempting to evade blackmail, gave the police details of a
homosexual affair he had. He was charged with “gross indecency” for vio-
lating the British homosexuality statutes. His defense was that he saw noth-
ing wrong in his actions. He was found guilty and given a choice of prison
or a year of estrogen injections. He took the injections.†† After this incident,
Turing was viewed as a security risk. His clearance was withdrawn and his
foreign colleagues were investigated. Hodges’ biography of Turing indicates
that Turing was fairly open about his sexuality. It is possible that the powers
that be knew Turing was gay, but chose to ignore the fact because he was so
useful in the war effort.
* http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Turing.html.
† Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, p. 386.
‡ Ibid., p. 11.
§ Philip, K., Dick made use of this test in his novel Do Androids Dream of Electric Sheep?, which
was later made into the film Bladerunner. The book is, of course, superior. There are also three
humorous installments of the comic strip “Dilbert” that deal with Turing tests. These can be
viewed online at http://search.dilbert.com/comic/Turing%20Test.
¶ http://www-groups.dcs.st-and.ac.uk/~history/Quotations/Turing.html.
** Hodges, A., Alan Turing: The Enigma, Simon & Schuster, New York, 1983, p. 402.
†† http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Turing.html.
www.ebook777.com
free ebooks ==> www.ebook777.com
288 Secret History: The Story of Cryptology
I didn’t feel elated and I wondered if there was something wrong with
me. Oh sure, I recognized that this was a good and necessary step, but I
couldn’t help but feel that it was not proportionate. The British govern-
ment, in the name of the British people, tortured this good and decent
man (and thousands of others) because they disapproved of his sexual
habits. Now, half a century later, they offer only words of regret. Maybe
I’d feel better if Gordon Brown vowed not to rest until gay marriage
was legal in Britain. Of course in Britain today the legal status of gays
is a thousand times better than in the US, so maybe Brown could work
on educating America? How about passing a heavy tax—the Turing
Tariff—on all computing hardware and software imported into the UK
from countries, like the US, that still discriminate against homosexuals
by banning gay marriage? The proceeds of the tariff could be donated,
in the name of Alan Mathison Turing, to the leading gay rights organiza-
tions in the exporting country.
Kennedy knew his suggestions wouldn’t be adopted, but his point was well
made. Actions speak louder than words.
I will try to lighten the mood a little bit by closing this chapter with an
anecdote. This and several other humorous incidents are recounted in Neal
Stephenson’s Cryptonomicon. Although it is a work of fiction, many real events
have been incorporated into the book. Alan Turing is one of the characters
in the book, and it is obvious that Stephenson read Hodges’ biography of
Turing and that it had a big influence on parts of the novel.
At one point during the war, Turing enrolled in the infantry section of the
Home Guard. He had to complete forms to do this. One question asked, “Do
you understand that by enrolling in the Home Guard you place yourself
liable to military law?” Turing saw no advantage in writing yes, so he wrote
no. Of course, nobody ever looked closely at the form. He was taught how
to shoot, became very good at it, and then, no longer having any use for the
Home Guard, moved on to other things. He was eventually summoned to
explain his absence. Turing explained that he only joined to learn how to
shoot and that he was not interested in anything else. He did not want, for
example, to attend parades. The conversation progressed as follows:
* http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Turing.html.
† Kennedy, S., A politician’s apology, Math Horizons, 17(2), 34, 2009.
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 289
“But it is not up to you whether to attend parades or not. When you are
called on parade, it is your duty as a soldier to attend.”
“But I am not a soldier.”
“What do you mean, you are not a soldier! You are under military law!”
“You know, I rather thought this sort of situation could arise. I don’t
know I am under military law. If you look at my form you will see that I
protected myself against this situation.”
www.ebook777.com
free ebooks ==> www.ebook777.com
290 Secret History: The Story of Cryptology
Körner, T.W., The Pleasure of Counting, Cambridge University Press, Cambridge, U.K.,
1996. Part IV of this book takes a look at Enigma cryptanalysis.
Kuhl, A., Rejewski’s catalog, Cryptologia, 31(4), 326–331, 2007. This paper won one of
Cryptologia’s undergraduate paper competitions.
Miller, R., The Cryptographic Mathematics of Enigma, Center for Cryptologic History,
Fort Meade, MD, 2001. This is available at no charge at the National Cryptologic
Museum in print form, as well as online at http://www.nsa.gov/ about/_files/
cryptologic_heritage/publications/wwii/engima_cryptographic_mathematics.
pdf).
Muggeridge, M., Chronicles of Wasted Time. Chronicle 2: The Infernal Grove, Collins,
London, 1973. This is a pre-Winterbotham revelation that the allies broke Nazi
ciphers during World War II.
Parrish, T., The Ultra Americans, Stein & Day, New York, 1986.
Randell, B., The Colossus, Technical Report Series No. 90, Computing Laboratory,
University of Newcastle upon Tyne, 1976.
Randell, B., Colossus: godfather of the computer, New Scientist, 73(1038), 346–348, 1977.
Rejewski, M., How Polish mathematicians deciphered the Enigma, Annals of the
History of Computing, 3(3), 213–234, 1981.
Rejewski, M., Mathematical solution of the Enigma cipher, Cryptologia, 6(1), 1–18, 1982.
Rejewski, M., Memories of My Work at the Cipher Bureau of the General Staff Second
Department 1930–1945, Adam Mickiewicz University, Poznań, Poland, 2011.
Sebag-Montefiore, H., Enigma: The Battle for the Code, Folio Society, London, 2005. This
was first published by Weidenfeld & Nicolson in 2000.
Stevenson, W., A Man Called Intrepid, Ballentine Books, New York, 1976.
Sullivan, G., Geoff’s Crypto page, http://www.hut-six.co.uk/. This page has links to
emulators for various cipher machines, including several versions of the Enigma.
Teuscher, C., Ed., Alan Turing: Life and Legacy of a Great Thinker, Springer, New York,
2004.
Turing, S., Alan M. Turing, W. Heffer & Sons, Cambridge, U.K., 1959.
Turing, S., Alan M. Turing: Centenary Edition, Cambridge University Press, Cambridge,
U.K., 2012. This special edition of the long out-of-print title listed above com-
memorates what would have been Alan Turing’s 100th birthday in 2012. It
includes a new afterword by John F. Turing, Alan’s older brother.
Welchman, G., The Hut Six Story, McGraw-Hill, New York, 1982.
Winterbotham, F.W., The Ultra Secret, Harper & Row, New York, 1974. Despite what
you might read elsewhere, this was not the first public revelation that the allies
had broken Nazi ciphers during World War II. Winterbotham claimed that
Ultra revealed that the Germans would be bombing Coventry, but Churchill
declined an evacuation order for fear that the Germans would take it as a sign
that the Brits had inside information, perhaps from a compromised cipher! If
the Germans replaced Enigma or modified it in such a way as to shut out the
codebreakers, the loss would far exceed the damage in terms of lives and mate-
rial sacrificed at Coventry. This claim was supported by Anthony Cave Brown
(Bodyguard of Lies) and William Stevenson (A Man Called Intrepid) but has not
stood up to the scrutiny of other historians. (For an early refutal, see Evans’ 1976
article referenced above.) Brown knew that Enigma had been broken before
Winterbotham revealed it, but he did not get his own book out until after The
Ultra Secret (see Thomas Parish’s The Ultra Americans).
free ebooks ==> www.ebook777.com
World War II: The Enigma of Germany 291
FIGURE 8.20
René Stein, National Cryptologic Museum librarian, in front of an American-made bombe that
is preserved in the museum’s collection.
Video
There are many videos, aimed at a general audience, describing World
War II codebreaking. Just one of these is singled out here, for it contains
information on the American construction of bombes (Figure 8.20) in
Dayton, Ohio, an important topic mentioned only very briefly in this book.
The focus of the following video is on Joe Desch, who was responsible for
much of the success in Dayton. Desch is the only civilian member of NSA’s
Hall of Honor.
LeBlanc, A., Dayton Codebreakers, The Dayton Codebreakers Project, 2006, 56 minutes
(http://www.daytoncodebreakers.org/).
Equipment
Crypto Museum, http://www.cryptomuseum.com/kits/. An Enigma machine
made with modern technology (Figure 8.21) shows the positions of the simu-
lated rotors digitally. These are available for sale in kit form—some assembly
required!
www.ebook777.com
free ebooks ==> www.ebook777.com
292 Secret History: The Story of Cryptology
FIGURE 8.21
Enigma machine made with modern technology.
free ebooks ==> www.ebook777.com
9
Cryptologic War against Japan*
Did you notice that the dice show 12–07 (December 7)? Was it meant to
serve as a warning? Perhaps for Japanese living in America? Federal Bureau
of Investigation (FBI) agent Robert L. Shivers wondered the same thing and
on January 2, 1942, sent a radiogram to FBI Director J. Edgar Hoover posing
that question. Other inquiries followed from government employees, as well
as private citizens. The investigation that followed revealed that it was sim-
ply a coincidence.†
* A link leading to exercises for this chapter may be found at http://www.crcpress.com/
product/isbn/9781466561861.
† Kruh, L., The deadly double advertisements: Pearl Harbor warning or coincidence?,
293
www.ebook777.com
free ebooks ==> www.ebook777.com
294 Secret History: The Story of Cryptology
FIGURE 9.1
Advertisement appearing in The New Yorker, November 22, 1941.
FIGURE 9.2
Continuation of advertisement appearing in The New Yorker, November 22, 1941.
FIGURE 9.3
Image appearing below advertisement appearing in The New Yorker, November 22, 1941.
www.ebook777.com
free ebooks ==> www.ebook777.com
296 Secret History: The Story of Cryptology
* Rowlett, F.B., The Story of Magic: Memoirs of an American Cryptologic Pioneer, Aegean Park
Press, Laguna Hills, CA, 1989, pp. 6–35.
† Also known as 91-shiki-obun In-ji-ki, which translates to “alphabetical typewriter 91.” The 91
refers to the year it was first developed—2591 by the Japanese reckoning, 1931 for Americans.
‡ Originally, it was referred to in conversation and official reports as “A Machine,” but
Friedman realized this was poor security, as it was so close to the Japanese name for the
device. The color code name was settled on after much discussion, and the other colors of the
spectrum were assigned to other machines, including Enigma, Kryha, and Hagelin. (From
Kruh, L., Reminiscences of a master cryptologist, Cryptologia, 4(1), 49, 1980.) Also, the binders
in which information on these messages were kept were red.
§ Found, along with the solution I provide, in Deavours, C. and Kruh, L., Machine Cryptography
and Modern Cryptanalysis, Artech House, Dedham, MA, 1985, pp. 213–215.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 297
Ciphertext:
1. LNOLLIWQAVEMZIZS
PRYPPEBTUZIQDEDW
From any consonant in the top line to the one directly beneath it is distance 3
in our consonant alphabet. This is not likely to be a coincidence!
* In general, two strings of characters are isomorphic if one can be transformed into the other
via a monoalphabetic substitution. Isomorph attacks have been used against various other
cipher systems, including the Hebern machine. (See Deavours, C.A., Analysis of the Hebern
cryptograph using isomorphs, Cryptologia, 1(2), 167–185, 1977.)
www.ebook777.com
free ebooks ==> www.ebook777.com
298 Secret History: The Story of Cryptology
2. VXOVVIHBAGEWKIKD
LNOLLIWQAVEMZIZS
For this pair, the distance is always 12. We start, for example, at V and move
forward through the consonants W, X, and Z, and then start back at the begin-
ning of the alphabet and continue until we arrive at L. Again, this is not
likely to be a coincidence!
This attack, which should remind you of Kasiski’s attack on the Vigenère
cipher (but using isomorphs instead of identical ciphertext segments), indi-
cates that the basic consonant substitution alphabet is simply shifted to
create the various encipherment possibilities. Thus, our substitution table
should look something like this:
BCDFGHJKLMNPQRSTVWXZ plaintext
1. BCDFGHJKLMNPQRSTVWXZ cipher alphabet 1
2. CDFGHJKLMNPQRSTVWXZB cipher alphabet 2
3. DFGHJKLMNPQRSTVWXZBC
4. FGHJKLMNPQRSTVWXZBCD
5. GHJKLMNPQRSTVWXZBCDF
6. HJKLMNPQRSTVWXZBCDFG
7. JKLMNPQRSTVWXZBCDFGH
8. KLMNPQRSTVWXZBCDFGHJ
9. LMNPQRSTVWXZBCDFGHJK
10.
MNPQRSTVWXZBCDFGHJKL
11.
NPQRSTVWXZBCDFGHJKLM
12.
PQRSTVWXZBCDFGHJKLMN
13.
QRSTVWXZBCDFGHJKLMNP
14.
RSTVWXZBCDFGHJKLMNPQ
15.
STVWXZBCDFGHJKLMNPQR
16.
TVWXZBCDFGHJKLMNPQRS
17.
VWXZBCDFGHJKLMNPQRST
18.
WXZBCDFGHJKLMNPQRSTV
19.
XZBCDFGHJKLMNPQRSTVW
20.
ZBCDFGHJKLMNPQRSTVWX
However, our results above don’t specify that we start with what is labeled
Cipher Alphabet 1. We may start anywhere in this table. We can simply try
each of the 20 possible start positions for the first line, as if we were breaking
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 299
a Caesar shift cipher by brute force. We delete the artificial spacing in groups
of five to save space and progress through our 20 cipher alphabets one at a
time with each letter of text.
Starting cipher:
EBJHEVAWRAUPVXOVVIHBAGEWKIKDYUCJEKBPOEKYGRYLU
1. –ZGD–P–NH––BGH–CB–KC–F–SF–CT––PT–SJV––M–GQ–H –
2. –XFC–N–MG––ZFG–BZ–JB–D–RD–BS––NS–RHT––L–FP–G –
3. –WDB–M–LF––XDF–ZX–HZ–C–QC–ZR––MR–QGS––K–DN–F –
4. –VCZ–L–KD––WCD–XW–GX–B–PB–XQ––LQ–PFR––J–CM–D –
5. –TBX–K–JC––VBC–WV–FW–Z–NZ–WP––KP–NDQ––H–BL–C –
6. –SZW–J–HB––TZB–VT–DV–X–MX–VN––JN–MCP––G–ZK–B –
7. –RXV–H–GZ––SXZ–TS–CT–W–LW–TM––HM–LBN––F–XJ–Z –
8. –QWT–G–FX––RWX–SR–BS–V–HV–SL––GL–KZM––D–WH–X –
9. –PVS–F–DW––QVW–RQ–ZR–T–JT–RK––FK–JXL––C–VG–W –
10. –NTR–D–CV––PTV–QP–XQ–S–HS–QJ––DJ–HWK––B–TF–V –
11. –MSQ–C–BT––NST–PN–WP–R–GR–PH––CH–GVJ––Z–SD–T –
12. –LRP–B–ZS––MRS–NM–VN–Q–FQ–NG––BG–FTH––X–RC–S –
13. –KQN–Z–XR––LQR–ML–TM–P–DP–MF––ZF–DSG––W–QB–R –
14. –JPM–X–WQ––KPQ–LK–SL–N–CN–LD––XD–CRF––V–PZ–Q –
15. –HNL–W–VP––JNP–KJ–RK–M–BM–KC––WC–BQD––T–NX–P –
16. –GMK–V–TN––HMN–JH–QJ–L–ZL–JB––VB–ZPC––S–MW–N –
17. –FLJ–T–SM––GLM–HG–PH–K–XK–HZ––TZ–XNB––R–LV–M –
18. –DKH–S–RL––FKL–GF–NG–J–WJ–GX––SX–WMZ––Q–KT–L –
19. –CJG–R–QK––DJK–FD–MF–H–VH–FW––RW–VLX––P–JS–K –
20. –BHF–Q–PJ––CHJ–DC–LD–G–TG–DV––QV–TKW––N–HR–J –
Now there’s a small surprise—we can’t simply read across any of the lines,
as we could normally do if one of them was a plaintext only missing the
vowels! Double checking reveals no errors were made. Line 10 starts out
promising, but then fizzles out. Taking a closer look at line 10 along with
nearby lines shows that the word INTRODUCTION seems to begin on line 10
but breaks off and continues on line 11.
7. –RXV–H–GZ––SXZ–TS–CT–W–LW–TM––HM–LBN––F–XJ–Z –
8. –QWT–G–FX––RWX–SR–BS–V–HV–SL––GL–KZM––D–WH–X –
9. –PVS–F–DW––QVW–RQ–ZR–T–JT–RK––FK–JXL––C–VG–W –
10. –NTR–D–CV––PTV–QP–XQ–S–HS–QJ––DJ–HWK––B–TF–V –
11. –MSQ–C–BT––NST–PN–WP–R–GR–PH––CH–GVJ––Z–SD–T –
12. –LRP–B–ZS––MRS–NM–VN–Q–FQ–NG––BG–FTH––X–RC–S –
13. –KQN–Z–XR––LQR–ML–TM–P–DP–MF––ZF–DSG––W–QB–R –
www.ebook777.com
free ebooks ==> www.ebook777.com
300 Secret History: The Story of Cryptology
Another shift occurs later from line 11 to line 12. These shifts are referred to
as a stepping action. The mechanics of the Red cipher, which will be detailed
momentarily, makes how this happens clearer.
Filling in vowels and word breaks is now easy:
The word STOP shows the message to be in the style of telegraph traffic. We
were even able to complete the last word, which requires one more letter of
ciphertext than was provided. One can now go back and see that the vowel
substitutions were made using the mixed-order alphabet AOEUYI with vari-
ous shifts, like the consonant alphabet.
Enciphering vowels as vowels and consonants as consonants is clearly
a disadvantage. The motivation for the Japanese to do this was apparently
purely economic, as cable services charged a lower rate for transmitting text
that could be pronounced.
The Japanese word for “and” is oyobi, which has the unusual pattern vowel,
vowel, vowel, consonant, vowel; thus, with vowels enciphered as vowels and
consonants as consonants, the cryptanalysts could easily locate this word in
a ciphertext and then note whatever it revealed of the encryption process.
The British cracked Red in November 1934 and built a machine to simu-
late it in August 1935. U.S. Army cryptanalysts broke it in late 1936 and took
two more years to make a simulator of their own.* The key insight for the
Americans was made by Frank Rowlett, working with Solomon Kullback.
In the example above, our familiar 26-letter alphabet was used. Although
the actual intercepts were in Japanese, this was the case for those ciphertexts
as well. Because the traditional manner of writing Japanese is not well suited
for electronic transmission, the words were first written out using the Latin
alphabet,† then enciphered, and finally transmitted.
One needn’t know how the machine actually accomplishes the encipher-
ment in order to break such messages. In fact, there is more than one pos-
sible way to realize Red encryption electromechanically. The Japanese did it
with two half-rotors, driven by a gearwheel. Typically, the rotor unit moved
forward by one position for each letter, thus advancing through the alpha-
bets, but there were pins that could be removed, causing the rotor unit to
advance one position more at that point. This is the mechanism responsible
for the stepping action we observed in our example above. Two adjacent
pins may be removed to cause an advance of three positions. The American
version of Red, used to recover plaintexts for intercepted messages, did so
with two rotors.‡
* Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
York, 2002, pp. 46–47.
† The Japanese called this romaji. It is still used.
‡ Deavours, C. and Kruh, L., Machine Cryptography and Modern Cryptanalysis, Artech House,
Dedham, MA, 1985. The American Red machine is pictured on pages 216 to 217.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 301
9.3.1 Orange
The Americans used the code name Orange for a variant of Red used as
the Japanese naval attaché machine. This machine enciphered kana syl-
lables, rather than romaji letters. The first breaks for the Americans came
in February 1936.* Lieutenant Jack S. Holtwick, Jr., of the U.S. Navy made a
machine that broke this naval variant.† The British also attacked this system
and had results even earlier. Hugh Foss and Oliver Strachey broke it for the
British in November 1934.‡ The successes were only temporary, however. The
Japanese would eventually switch over to a more secure machine, Angooki
Taipu B (“type B cipher machine”).§
* Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
York, 2002, p. 35.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, pp. 20 and 437. Also see
Deavours, C. and Kruh, L., Machine Cryptography and Modern Cryptanalysis, Artech House,
Dedham, MA, 1985, p. 11.
‡ Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
97 refers to the year it was first developed—2597 by the Japanese reckoning, 1937 for the
Americans.
¶ Of course, this division of the rainbow into seven colors is arbitrary. That particular value
was chosen by Isaac Newton to create a nice symmetry with the seven-note musical scale (A,
B, C, D, E, F, G).
www.ebook777.com
free ebooks ==> www.ebook777.com
302 Secret History: The Story of Cryptology
L M R
Stepping
FIGURE 9.4
Purple schematics.
The period for Purple is a bit shorter than for Enigma, which cycled through
16,900 permutations before returning to the first. Purple cycled through 253 =
15,625. Of course, the sixes for Purple had a much shorter cycle of 25.
As with Enigma, the plugboard settings were determined in advance and
were the same for all users on a particular day; however, the Japanese lim-
ited themselves to 1000 different connections (out of a possible 26!; the con-
nections needn’t be reciprocal, as with Enigma).* Like Enigma, part of the
Purple key for any given message was to be determined at random and sent
as a header along with the ciphertext. This was a five-digit number, selected
initially from a list of 120 (later on the list offered 240 choices), which stood
for the initial positions of each switch and the stepping switch. There was no
mathematical relation between the five-digit number and the setting it stood
for. It was simply a code number. For example, 13579 meant that the sixes
wheel starts at position 3 and the twenties wheels start at positions 24, 8, and
25, while the 20-wheel motion (assignment of speeds slow, medium, and fast
to particular switches) is 3–2–1.† Of the 120 five-digit codes, half consisted
only of odd digits and half only even digits. It was a great mistake for the
Japanese to artificially restrict themselves to this tiny fraction of the initial
settings. With 25 possible settings for each of the twenties and the sixes, we
have 254 = 390,625 possibilities.
The Japanese did make some wise choices in how Purple was used. The
first was enciphering the five-digit key using an additive. Thus, messages
using the same key would not bear identical indicators. Another good deci-
sion was encoding messages, prior to running them through Purple, but they
did this with the commercially available Phillips Code—not the best choice!‡
Since a large keyspace is essential for security, we should address the over-
all keyspace for Purple. A variety of values may be given, depending on how
we perform the calculation. Determining the keyspace of Purple requires
that several subjective choices be made; for example, should one use all pos-
sible plugboard configurations as a factor or limit it to the 1000 that were
actually used? Should all possible initial positions of the switches be con-
sidered or only the 120 (later 240) the Japanese allowed? Should we count all
possible internal wirings? The cryptanalysts had to determine these, but the
Japanese could not change them once the machines were assembled, so one
could say they weren’t part of the key. Thus, it’s not surprising that a range of
values for the keyspace can be found in the literature. Stephen J. Kelley offers
a figure of 1.8 × 10138, which is much larger than for the three rotor Enigma.§
Mark Stamp, more conservative in assigning values to various factors, came
* Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
York, 2002, p. 68.
† Freeman, W., Sullivan, G., and Weierud, F., Purple revealed: simulation and computer-aided
www.ebook777.com
free ebooks ==> www.ebook777.com
304 Secret History: The Story of Cryptology
9.5 Purple Cryptanalysis
As with many classical ciphers, a frequency analysis of Purple ciphertexts
provides useful information to get the cryptanalysis started. The six letters
that are separated from the rest will each have a frequency about equal to
the average of that group, since, over the course of the 25 substitutions, each
letter is about equally likely to be replaced by any letter in the sixes. In the
same manner, every letter in the group of twenty will be substituted for, on
average, equally often by each letter in the twenties. Thus, every letter in this
group will also have about the same frequency in the ciphertext.
As an experiment, I placed one Scrabble tile for each letter in a container,
shook it, and then selected six. The six, in alphabetical order, were A, E, J, L,
V, and Z; thus, the set happened to contain both the most frequent and the
rarest English letters. According to the frequency table from Section 2.5, the
average frequency of the letters in this group is 4.3666. For the remaining 20
letters, the average frequency is 3.7, for a difference of 0.666.
This is how we distinguish the sixes from the twenties. After calculating
the frequencies, we either split off the six most frequent or the six least fre-
quent letters to be the sixes (whichever set seems to stand out most strongly
from the other frequencies) and assume these are, in fact, the sixes. The
remaining letters should be the twenties.
Rowlett’s team had the advantage of having broken Red prior to attacking
Purple, so the 6–20 split was familiar. The sixes being easier, with a period of
only 25, were recovered first. The twenties were more difficult, but a number
of factors worked to the cryptanalysts’ advantage.
Switching from Red to Purple was a good move for the Japanese, but they
made the move in the worst possible way—slowly! Ideally, there would be
an abrupt change, with everyone shifting to the new cipher at, for example,
the stroke of midnight on a particular date. The slow change made by the
Japanese over many months meant that many messages sent out in Purple
were also sent out in Red to locations that had not yet made the transition.
Since Red was already broken, this allowed the cryptanalysts to compare
those plaintexts with the corresponding ciphertexts in the Purple system. In
* Stamp, M. and Low, R.L., Applied Cryptanalysis: Breaking Ciphers in the Real World, John Wiley
& Sons, Hoboken, NJ, 2007, pp. 44–45.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 305
other words, they had cribs in abundance! Messages that weren’t also sent in
Red were cribbed with stereotyped phrases and the numbering of messages
used by the Japanese. Finally, the Japanese sometimes sent enciphered copies
of U.S. State Department communiqués for which the cryptanalysts had no
trouble obtaining plaintexts.*
Leo Rosen, an electrical engineering major from the Massachusetts
Institute of Technology and part of the cryptanalytic team, made an impor-
tant discovery in September 1939. While looking at an electrical supply cata-
log, he recognized that telephone stepping switches could have been used
to accomplish the substitutions. There was no commercially available cipher
machine that worked in this manner, so it was not an obvious solution!
Even with Rosen’s insight and the help inadvertently supplied by the
Japanese, recovering the twenties with their large period of 253 = 15,625
would have been difficult; however, Genevieve Grotjan recognized that
there was a relationship to be found at shorter intervals of just 25 letters.
Some illustrations of reconstructed substitution alphabets make her finding
more clear.
The example in Figure 9.5 shows one of the patterns in the Purple alpha-
bets. Suppose the first alphabet enciphers A as U, then when we come to the
26th alphabet (i.e., alphabet 1 of cycle 2), A is enciphered as H. Then whatever
is enciphered as U in alphabets 2 through 25 will be enciphered as H in alpha-
bets 2 through 25 of cycle 2. The same goes for all other letters. So, knowing
alphabets 1 through 25 of cycle 1 and the first alphabet of cycle 2 reveals the
remaining 24 alphabets of cycle 2. In real cryptanalysis, the process would
not be so orderly. The cycles would get filled in like a jigsaw puzzle with
some values in each cycle known from cribs allowing corresponding values
to be filled in other cycles. Another pattern Grotjan recognized (Figure 9.6)
is even easier to grasp and exploit for cryptanalytic purposes. The columns
in the substitution table for cycle 2 are identical to those of cycle 1, but reor-
dered. Which pattern held for a particular message depended on the loca-
tion of the slow switch during that message’s encipherment. Grotjan first
found a pattern on September 20, 1940, and Purple was completely broken
on September 27, 1940. Thus ended 18 months of intense work. Images of
Rowlett, Rosen, and Grotjan are provided in Figure 9.7.
Following this feat, Friedman had a nervous breakdown that required sev-
eral months off, and Leo Rosen led the construction of a “Purple analog”
to simulate the Japanese machine (Figure 9.8). A later American version is
shown in Figure 9.9. These recreations were actually better than the originals!
They used brass for some contact points that, in the original, were made of
copper, which would wear with use and then tend to produce garbled text.†
* Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books, New
York, 2002, pp. 70–71.
† Lewin, R., The American Magic: Codes, Ciphers and the Defeat of Japan, Farrar Straus Giroux,
www.ebook777.com
free ebooks ==> www.ebook777.com
306 Secret History: The Story of Cryptology
FIGURE 9.5
A pattern in the Purple alphabets. (From Budiansky, S., Battle of Wits: The Complete Story of
Codebreaking in World War II, Free Press, New York, 2000, p. 354. With permission.)
FIGURE 9.6
Another pattern in the Purple alphabets. (From Budiansky, S., Battle of Wits: The Complete Story
of Codebreaking in World War II, Free Press, New York, 2000, p. 355. With permission.)
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 307
FIGURE 9.7
Frank Rowlett (http://www.fas.org/irp/agency/inscom/journal/98-oct-dec/article6_1.jpg);
Leo Rosen (courtesy of René Stein, National Cryptologic Museum Librarian); and Genevieve
Grotjan (http://www.nsa.gov/about/cryptologic_heritage/women/honorees/feinstein.shtml).
FIGURE 9.8
A Purple analog built in 1940 without seeing the original. (Courtesy of the National Security
Agency, http://www.nsa.gov/about/_images/pg_hi_res/purple_analog.jpg.)
9.6 Practical Magic
The collection of deciphered Japanese intercepts was codenamed Magic.
Magic was in operation before Pearl Harbor was attacked by Admiral
Yamamoto’s forces. A question that has been long debated is whether or not
such decipherments should have given us advance warning of the attack.
The consensus view is that they didn’t provide a warning. There was no
Purple message saying that Pearl Harbor would be attacked. Recall, Purple
www.ebook777.com
free ebooks ==> www.ebook777.com
308 Secret History: The Story of Cryptology
FIGURE 9.9
René Stein, National Cryptologic Museum librarian, stands by the back of a Purple analog
from 1944.
* In some accounts, the message was enciphered but in a weak system that it was assumed the
Japanese could break.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 569.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 309
battle of Midway proved to be the turning point of the Pacific war. Prior to
Midway, the United States had never had a victory, and following Midway
the country never saw defeat.
Yamamoto suffered a much more personal defeat when a message encoded
with the latest version of JN-25, and sent on April 13, 1943, provided the
American codebreakers with his itinerary for the next five days. This itiner-
ary brought him close to the combat zone, and Nimitz made the decision
to attempt to shoot down his plane. It was risky, for if the Japanese realized
how the U.S. Navy knew where to find Yamamoto their naval codes would
be promptly changed. On April 18, Major John Mitchell led a formation of
16 P-38 Lightnings, which included four ace pilots. They carried out their
mission successfully. Because of the tremendous importance of Admiral
Yamamoto to the Japanese, David Kahn described his assassination as “the
equivalent of a major victory.”*
The decoded message that resulted in Yamamoto’s death was translated
by Marine Corps Captain Alva Lasswell. Despite being a farmboy from
Arkansas with only an eighth-grade education, Lasswell, as a Marine, trav-
eled to Japan, where he mastered the language. Tom “Captain T” Hunnicutt
commemorated Lasswell’s accomplishments by dubbing him “The SigInt
Sniper” in a song of the same title.†
Reading Purple kept the Allies informed of German plans as well as
Japanese. Oshima Hiroshi, the Japanese military attaché in Berlin, sent
detailed messages concerning Nazi plans back to Tokyo. Carl Boyd devoted
a book to the study of intelligence about the Nazis obtained from Hiroshi.‡
A few paragraphs are reproduced below from messages Hiroshi sent on
November 10, 1943 (nearly six months before the June 6, 1944, D-Day inva-
sion) enciphered with Purple:§
All of the German fortifications on the French coast are very close to the
shore and it is quite clear that the Germans plan to smash any enemy
attempt to land as close to the edge of the water as possible.
The Strait of Dover area is given first place in the German Army’s forti-
fication scheme and troop dispositions, and Normandy and the Brittany
peninsula come next. Other parts of the coast are regarded with less
significance. Although the possibility of an Anglo-American landing
on the Iberian Peninsula, followed by a crossing of the Pyrenees, is not
altogether ruled out, no special defences have been constructed for this
area. Instead, mobile forces are held in reserve at Narbonne and other
strategic points, and these are prepared to hold the mountain passes in
the Pyrenees should an emergency arise.
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, pp. 595–601.
† “SigInt Sniper (The Yamamoto Shoot Down),” The Hunnicutt Collection, White Swan
Records, ASCAP Music, 2009.
‡ Boyd, C., Hitler’s Japanese Confidant: General Oshima Hiroshi and Magic Intelligence, 1941–1945,
www.ebook777.com
free ebooks ==> www.ebook777.com
310 Secret History: The Story of Cryptology
It has been estimated that cryptanalysis saved a year of war in the Pacific.
—David Kahn†
* http://www.sans.org/infosecFAQ/history/friedman.htm.
† Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. xi.
‡ Deavours, C. and Kruh, L., Machine Cryptography and Modern Cryptanalysis, Artech House,
FIGURE 9.10
Part of a Japanese Purple machine. (Courtesy of the National Security Agency, http://www.
nsa.gov/about/_images/pg_hi_res/purple_switch.jpg.)
9.7 Code Talkers
Were it not for the Navajos, the Marines would never have taken Iwo
Jima!
—Major Howard M. Conner *
It’s been claimed that the Japanese would be the world’s worst foreign lan-
guage students if it were not for the Americans, so perhaps it isn’t surprising
that the Americans have repeatedly used foreign languages as codes and
that they had their most famous success against the Japanese. The story of
such codes goes back to the U.S. Civil War, when the North used Hungarians
to befuddle the South.
* Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973, p. 73.
www.ebook777.com
free ebooks ==> www.ebook777.com
312 Secret History: The Story of Cryptology
In the last month of World War I, Native Americans began serving as code
talkers, but, as in the Civil War, this language code did not play a major role.
Only eight Choctaws were initially used as radio operators. They were in
Company D, 141st Infantry, under Captain E.W. Horner in Northern France.*
Before World War I ended, the number of Choctaw code talkers grew to 15.†
They were able to use their own language to communicate openly without
fear of the enemy understanding. The effort was successful. As Colonel A.W.
Bloor of the 142nd Infantry put it, “There was hardly one chance in a million
that Fritz would be able to translate these dialects.”‡ Other Native American
tribes who contributed to the code war in World War I, with their native
tongues, included the Comanche and Sioux.§
Some problems arose from the lack of necessary military terms in the lan-
guage. A few Indian words were applied to these terms, but they were few in
number and did not cover everything that was needed. Marine TSgt. Philip
Johnston found a way around this difficulty in time for World War II.¶ By
adopting code words for terms not provided for in the Indian language and
spelling out other needed words or names or locations that arose and weren’t
in the code, the code talkers could have even greater success. Johnston, the
son of a missionary, had lived on a Navajo reservation for 22 years beginning
at age 4; thus, he learned the language, which he recognized as being very
difficult.
Johnston’s reasons for suggesting the use of Navajos, however, weren’t due
solely to his own experience. He pointed out that, despite their low literacy
rate compared with other tribes, the sheer size of the Navajo Nation, at nearly
50,000 people (more than twice the size of any other tribe at that time), would
make it easier to recruit the desired numbers. Another advantage of using
Navajo was expressed by Major General Clayton B. Vogel:**
Mr. Johnston stated that the Navajo is the only tribe in the United States
that has not been infested with German students during the past twenty
years. These Germans, studying the various tribal dialects under the
guise of art students, anthropologists, etc., have undoubtedly attained
a good working knowledge of all tribal dialects except Navajo. For this
reason the Navajo is the only tribe available offering complete security
for the type of work under consideration.
But would the idea work? The Germans weren’t the only enemy who had
attempted to study Indian languages between the wars. Some Japanese had
been employed by the Indian Affairs Bureau. And, why would the Navajo,
* Singh, S., The Code Book, Doubleday, New York, 1999, pp. 194–195.
† Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press, Austin,
2002, p. 18.
‡ Ibid., p. 20.
§ Ibid., p. 29.
¶ Johnston came up with his idea in late December 1941 (after Pearl Harbor).
** Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973, p. 157.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 313
who faced countless agonies at the hands of white men, including attempted
genocide, be willing to help? This is an obvious question that many modern
authors have attempted to answer. I will let the Navajos answer for them-
selves. The following is a resolution passed unanimously by the Navajo
Tribal Council at Window Rock on June 3, 1940:*
Whereas, the Navajo Tribal Council and the 50,000 people we represent,
cannot fail to recognize the crisis now facing the world in the threat of
foreign invasion and the destruction of the great liberties and benefits
which we enjoy on the reservation, and
Now, Therefore, we resolve that the Navajo Indians stand ready as they
did in 1918, to aid and defend our Government and its institutions against
all subversive and armed conflict and pledge our loyalty to the system
which recognizes minority rights and a way of life that has placed us
among the greatest people of our race.
Eventually, 540 Navajo served as Marines, of which 420 were code talkers.†
The lack of Navajo words for needed military terms was remedied by the
creation of easily remembered code words. A tank would be referred to as
a TORTOISE, an easy code word to remember because of the tortoise’s hard
shell. Planes became BIRDS, and so on. The basic idea was Johnston’s, but the
Navajo came up with the actual code words themselves.
Words that were not part of the code, such as proper names and loca-
tions, or anything else that might arise, could be spelled out. Initially, the
alphabet consisted of one Navajo word for each letter, but as the enemy
might catch on when words with easily recognized patterns of letters, such
as GUADALCANAL, were spelled out, alternative representations of frequent
letters were soon introduced.‡ The expanded alphabet is reproduced in
Table 9.1 along with a handful of the 411 code words. The complete list of
code words may be found in various books on the Navajo code talkers, as
well as online at http://www.history.navy.mil/faqs/faq61-4.htm, which was
the source used here.
* Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973, pp. 2–3.
† Ibid., p. 117.
‡ This idea was due to Captain Stilwell, a cryptographer. See Paul, D.A., The Navajo Code Talkers,
www.ebook777.com
TABLE 9.1
314
Navajo Code Talkers’ Dictionary (Revised June 15, 1945, and Declassified under Department of Defense Directive 5200.9)
Letter Navajo Word Translation Letter Navajo Word Translation
A WOL-LA-CHEE Ant K KLIZZIE-YAZZIE Kid
A BE-LA-SANA Apple L DIBEH-YAZZIE Lamb
A TSE-NILL Axe L AH-JAD Leg
B NA-HASH-CHID Badger L NASH-DOIE-TSO Lion
B SHUSH Bear M TSIN-TLITI Match
B TOISH-JEH Barrel M BE-TAS-TNI Mirror
C MOASI Cat M NA-AS-TSO-SI Mouse
C TLA-GIN Coal N TSAH Needle
C BA-GOSHI Cow N A-CHIN Nose
D BE Deer O A-KHA Oil
D CHINDI Devil O TLO-CHIN Onion
D LHA-CHA-EH Dog O NE-AHS-JAH Owl
E AH-JAH Ear P CLA-GI-AIH Pant
E DZEH Elk P BI-SO-DIH Pig
E AH-NAH Eye P NE-ZHONI Pretty
F CHUO Fir Q CA-YEILTH Quiver
F TSA-E-DONIN-EE Fly R GAH Rabbit
F MA-E Fox R DAH-NES-TSA Ram
G AH-TAD Girl R AH-LOSZ Rice
G KLIZZIE Goat S DIBEH Sheep
G JEHA Gum S KLESH Snake
H TSE-GAH Hair T D-AH Tea
H CHA Hat T A-WOH Tooth
H LIN Horse T THAN-ZIE Turkey
I TKIN Ice U SHI-DA Uncle
I YEH-HES Itch U NO-DA-IH Ute
I A-CHI Intestine V A-KEH-DI-GLINI Victor
Secret History: The Story of Cryptology
free ebooks ==> www.ebook777.com
J TKELE-CHO-G Jackass W GLOE-IH Weasel
J AH-YA-TSINNE Jaw X AL-NA-AS-DZOH Cross
J YIL-DOI Jerk Y TSAH-AS-ZIH Yucca
K JAD-HO-LONI Kettle Z BESH-DO-TLIZ Zinc
K BA-AH-NE-DI-TININ Key
Country Navajo Word Translation Country Navajo Word Translation
Africa ZHIN-NI Blackies Iceland TKIN-KE-YAH Ice land
Alaskaa BEH-HGA With winter India AH-LE-GAI White clothes
America NE-HE-MAH Our mother Italy DOH-HA-CHI-YALI-TCHI Stutterb
Australia CHA-YES-DESI Rolled hat Japan BEH-NA-ALI-TSOSIE Slant eye
Britain TOH-TA Between waters Philippines KE-YAH-DA-NA-LHE Floating island
Cryptologic War against Japan
www.ebook777.com
Ships TOH-DINEH-IH Sea force Destroyer CA-LO Shark
Battleship LO-TSO Whale Transport DINEH-NAY-YE-HI Man carrier
Aircraft TSIDI-MOFFA-YE-HI Bird carrier Cruiser LO-TSO-YAZZIE Small whale
Submarine BESH-LO Iron fish Mosquito boat TSE-E Mosquito
Mine sweeper CHA Beaver
a I know. This was the category it was placed under in the code. Don’t blame me.
b The Navajos were unable to think of an appropriate, easy-to-remember, code word for Italy. Finally, one mentioned that he knew an
Italian who stuttered….
315
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
316 Secret History: The Story of Cryptology
FIGURE 9.11
The U.S. Marine Cemetery on Iwo Jima shows the price of victory, a price that would’ve been
even higher without the Navajo; Mount Suribachi, site of the famous flag raising, is in the back-
ground (http://www.history.navy.mil/library/online/battleiwojima.htm).
Even with the initial code (prior to its expansion), tests showed that Navajo
who were not familiar with the code words couldn’t decipher the messages.*
An important feature of using a natural language was increased speed. There
was no lengthy process of looking up code groups in order to recover the
original messages. A significant savings in time (minutes instead of hours)
yielded a combat advantage to the American troops. The expanded code was
even faster, as there were fewer delays due to having to spell out words not
in the Navajo language or the code. Also, both the original and expanded
code caused fewer errors than traditional codes. It did cause some confusion,
though, for allies not in on the secret. When the Navajo first hit the combat
airwaves in Guadalcanal, some of the other American troops thought it was
the Japanese broadcasting.
With regard to the Navajo role at Iwo Jima (Figure 9.11), Major Conner had
this to say:†
The entire operation was directed by Navajo code. Our corps command
post was on a battleship from which orders went to the three division
command posts on the beachhead, and on down to the lower echelons. I
was signal officer of the Fifth Division. During the first forty-eight hours,
while we were landing and consolidating our shore positions, I had six
Navajo radio nets operating around the clock. In that period alone they
sent and received over eight hundred messages without an error.
* Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973, p. 30.
† Ibid., 1973, p. 73.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 317
The “without an error” portion of this quote is not something that was taken
for granted in World War II-era coded transmissions. When Leo Marks began
his cryptographic work for Britain’s Special Operations Executive (SOE) in
1942, about 25% of incoming messages from their agents couldn’t be read for
one reason or another.
The security surrounding the use of the Navajo as code talkers was very
poor. Several accounts appeared in the media before the war’s end. Without
leaks like these, however, the program might never have existed! Johnston
explained how he came up with his idea:*
The classic World War I trick of using Indians speaking their own lan-
guages as “code” transmitters is again being used in the Army, this time
during the great maneuvers in the South, says Science Service. Three
units of the 32nd Division have small groups of Indians from Wisconsin
and Michigan tribes, who receive instructions in English, put them on
the air in a tongue intelligible only to their listening fellow-tribesmen,
who in turn retranslate the message into English at the receiving end.
The Indians themselves have had to overcome certain language dif-
ficulties, for there are no words in their primitive languages for many
of the necessary military terms. In one of the groups, ingenious use was
made of the fact that infantry, cavalry, and artillery wear hat cords and
other insignia of blue, yellow, and red, respectively. The Indian word for
“blue” thus comes to mean infantry, “yellow” means cavalry, and “red”
means artillery. The Indian term for “turtle” signifies a tank.
The article went on to state that 17 [Comanche] Indians had been trained.
Recall that Johnston preferred Navajo, in part because it hadn’t been stud-
ied by the Germans. Yet, despite the Germans’ study of the other dialects,
the Comanche code talkers used by the U.S. Army for the D-day landing at
Normandy and after sent and received messages that the Germans failed
* Johnston, P., Indian jargon won our battles, Masterkey, 38(1), 131, 1964.
† Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press, Austin,
2002, p. 75.
www.ebook777.com
free ebooks ==> www.ebook777.com
318 Secret History: The Story of Cryptology
* Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press, Austin,
2002, p. xv.
† Ibid., p. 80.
‡ Ibid., pp. 108–109.
§ McClain, S., Navajo Weapon: The Navajo Code Talkers, Rio Nuevo Publishers, Tucson, AZ, 2001,
p. 118.
¶ Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press, Austin,
2002, p. xv.
** Ibid., p. 68.
†† Navajo and other code talkers served in the Korean and Vietnam wars, so despite the many
and are not citizens!! We did not say we were not citizens when we vol-
unteered for service against the ruthless and treacherous enemies, the
Japs and Germans! Why?
Indians in Arizona and New Mexico were not allowed to vote until 1948.
p. 104. Ten other Navajo code talkers died in World War II.
§ Durrett, D., Unsung Heroes of World War II: The Story of the Navajo Code Talkers, Facts on File,
New York, 1998, p. 77. Thanks to Katie Montgomery for introducing me to this source.
¶ Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973, p. 66.
www.ebook777.com
free ebooks ==> www.ebook777.com
320 Secret History: The Story of Cryptology
FIGURE 9.12
A code talker action figure (http://www.southwestindian.com/prod/G-I-Joe-Navajo-Code-
Talker.cfm).
Joe Kieyoomia, a Navajo who was not a code talker, was captured early
in the war by the Japanese. At first, despite his denials, they thought he was
a Japanese–American. Eventually, when they realized an Indian language
was being used as a code, they came to believe he was in fact Navajo, but
they didn’t believe he couldn’t understand the coded messages. Joe, who had
already survived the Bataan Death March, now faced more torture, but there
was nothing he could tell them. In all, he spent 1240 days as a prisoner of war
before being freed after the end of the war.*
The action figure shown in Figure 9.12, with voice supplied by the real
Navajo code Talker Sam Billison, was first released in 1999 and is described
by a vendor as follows:†
* McClain, S., Navajo Weapon: The Navajo Code Talkers, Rio Nuevo Publishers, Tucson, AZ, 2001,
pp. 119–121.
† http://www.southwestindian.com/prod/G-I-Joe-Navajo-Code-Talker.cfm.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 321
FIGURE 9.13
Cryptologic humor (http://xkcd.com/257/).
Also included in this Deluxe Edition (not available in any store or cata-
log) is a handsome 3” Embroidered Iron-On Patch featuring the famous
silhouette of the Marines hoisting the flag on Iwo Jima and proudly iden-
tifying you as a “Junior Navajo Code Talker.” And to help you master the
Code, we’ve also included a sturdy, laminated list of over 200 authentic
Code Words (stamped “Top Secret—Confidential”) actually used by the
original Navajo Code Talkers, including the English word, the Navajo
equivalent, and the literal Navajo translation! Did you know the literal
translation for “tank destroyer” is “tortoise killer”? Now you can write
secret messages to your friends in Navajo Code! (GI Joe 11” Tall)
Price: $39.00
* Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press, Austin,
2002, p. 5.
† Dawidoff, N., The Catcher Was a Spy: The Mysterious Life of Moe Berg, Pantheon Books, New
www.ebook777.com
free ebooks ==> www.ebook777.com
322 Secret History: The Story of Cryptology
Kahn, D., Pearl Harbor and the inadequacy of cryptanalysis, Cryptologia, 15(4),
273–294, 1991. Pages 293 to 294 are devoted to Grotjan, whom Kahn had
interviewed.
Kelley, S.J., Big Machines, Aegean Park Press, Laguna Hills, CA, 2001. This book
focuses on Enigma, Purple (and its predecessors), and SIGABA, the top
American machine of World War II, one that was never broken.
Kruh, L., The deadly double advertisements: Pearl Harbor warning or coincidence?,
Cryptologia, 3(3), 166–171, 1979.
Kruh, L., Reminiscences of a master cryptologist, Cryptologia, 4(1), 45–50, 1980.
Following are some short excerpts from this article:
It seems that most writers are concerned with the breaking of other
nation’s ciphers. Isn’t it more important and even more of a feat to make
your own systems secure against foreign cryptanalysts?
The successful cryptanalysis of the Japanese Purple system was
accomplished by a team of Army cryptanalysts. At first, it was a joint
Army–Navy project, but after a few months the Navy withdrew its
cryptanalytic resources to apply them to the Japanese naval systems.
The Navy did however, continue to provide some intercept coverage of
diplomatic traffic.
The Chief Signal Officer, General Joseph O. Mauborgne, was person-
ally interested in the Purple effort and supported our work to the fullest
degree possible. He liked to refer to us as his magicians and called the
translations of the messages we produced by the name “magic.”
Friedman played a signal role in the selection and assignment of per-
sonnel and participated in the analytical work on a part-time basis.
Lewin, R., The American Magic: Codes, Ciphers and the Defeat of Japan, Farrar Straus
Giroux, New York, 1982.
Parker, F.D., The unsolved messages of Pearl Harbor, Cryptologia, 15(4), 295–313,
1991.
Rowlett, F.B., The Story of Magic: Memoirs of an American Cryptologic Pioneer, Aegean
Park Press, Laguna Hills, CA, 1989. Not only was Rowlett there, but he also
writes well! This book does the best job of capturing the atmosphere of World
War II era codebreaking in America.
Smith, M., The Emperor’s Codes: The Breaking of Japan’s Secret Ciphers, Penguin Books,
New York, 2002. Smith describes the British successes against Japanese codes
and ciphers while pointing out that they were the first to crack a Japanese
diplomatic cipher machine (Orange, see pages 34–35) and JN-25 (see pages 5,
59–60).
Stamp, M. and Low, R.M., Applied Cryptanalysis: Breaking Ciphers in the Real World,
John Wiley & Sons, Hoboken, NJ, 2007. A nice Purple simulator in C is available
for free download at the website accompanying this text (http://cs.sjsu.edu/
faculty/stamp/crypto/), in the CRYPTO code.zip folder.
Tucker, D.P. (edited and annotated by G. Mellen), Rhapsody in Purple: a new history
of Pearl Harbor, Part I, Cryptologia, 6(3), 193–228, 1982.
Weierud, F., The PURPLE Machine: 97-shiki-obun In-ji-ki Angooki Taipu B, http://
cryptocellar.org/simula/purple/index.html. An online Purple simulator may
be found at this website.
www.ebook777.com
free ebooks ==> www.ebook777.com
324 Secret History: The Story of Cryptology
On Code Talkers
Aaseng, N., Navajo Code Talkers, Thomas Allen & Son, Markham, Ontario, 1992.
Anon., Comanches again called for Army code service, The New York Times, December
13, 1940, p. 16.
Anon., DOD hails Indian code talkers, Sea Services Weekly, November 27, 1992, pp.
9–10.
Anon., Pentagon honors Navajos, code nobody could break, Arizona Republic,
September 18, 1992, p. A9.
Anon., Played joke on the Huns, American Indian Magazine, 7(2), 101, 1919. This article
revealed the role the Sioux played in World War I with their native language. It is
quoted in Meadows, W.C., The Comanche Code Talkers of World War II, University
of Texas Press, Austin, 2002, p. 30.
Bianchi, C., The Code Talkers, Pinnacle Books, New York, 1990. This is a novel.
Bixler, M., Winds of Freedom: The Story of the Navajo Code Talkers of World War II, Two
Bytes, Darien, CT, June 1992.
Bruchac, J., Codetalker: A Novel About the Navajo Marines of World War Two, Dial Books,
New York, 2005.
Davis, Jr., G., Proud tradition of the Marines’ Navajo code talkers: they fought with
words—words no Japanese could fathom, Marine Corps League, 46(1), 16–26, 1990.
Donovan, B., Navajo code talkers made history without knowing it, Arizona Republic,
August 14, 1992, p. B6.
Durrett, D., Unsung Heroes of World War II: The Story of the Navajo Code Talkers, Facts
on File, New York, 1998
Gyi, M., The unbreakable language code in the Pacific Theatre of World War II, ETC:
A Review of General Semantics, 39(1), 8–15, 1982.
Hafford, W.E., The Navajo code talkers, Arizona Highways, 65(2), 36–45, 1989.
Huffman, S., The Navajo code talkers: a cryptologic and linguistic perspective,
Cryptologia, 24(4), 289–320, 2000.
Johnston, P., Indian jargon won our battles, Masterkey, 38(4), 130–136, 1964.
Kahn, D., From the archives: codetalkers not wanted, Cryptologia, 29(1), 76–87, 2005.
Kawano, K., Warriors: Navajo Code Talkers, Northland, Flagstaff, AZ, 1990.
King, J.A., DOD dedicates code talkers display, Pentagram, September 24, 1992, p. A3.
Langille, V., Indian War Call, Leatherneck, 31-A(3), 37–40, 1948.
Levine, L.A., Amazing code machine that sent messages safely to U.S. Army in war
baffles experts: war tricks that puzzled Germans, New York American, November
13, 1921. America’s use of Choctaw code talkers in World War I was described
in this article, which is quoted in Meadows, W.C., The Comanche Code Talkers of
World War II, University of Texas Press, Austin, 2002, pp. 23–24.
Marder, M., Navajo code talkers, Marine Corps Gazette, September 1945, pp. 10–11.
McClain, S., Navajo Weapon, Books Beyond Borders, Boulder, CO, 1994.
McCoy, R., Navajo code talkers of World War II: Indian Marines befuddled the enemy,
American West, 18(6), 67–75, 1981.
Meadows, W.C., The Comanche Code Talkers of World War II, University of Texas Press,
Austin, 2002. This thorough and scholarly account also contains very useful
appendices with data concerning all of the Native American tribes, identified
thus far, that served as code talkers in World War I or World War II.
Paul, D.A., The Navajo Code Talkers, Dorrance Publishing, Pittsburgh, PA, 1973.
free ebooks ==> www.ebook777.com
Cryptologic War against Japan 325
Price, W.H., I was a top-secret human being during World War 2, National Enquirer,
February 4, 1973. In general, National Enquirer is not a reliable source!
Shepherdson, N., America’s secret weapon, Boy’s Life, November 1997, p. 45.
Stewart, J., The Navajo at war, Arizona Highways, June 1943, pp. 22–23. This article
(published while the war was still on!) included the following passage:
[T]he U.S. Marine Corps has organized a special Navajo signal unit for
combat communications service.…Its members were trained in signal
work using the Navajo language as a code, adapting a scheme tried with
considerable success during World War I.
Whether or not the Japanese saw this before the war ended is unknown. In any
case, they did catch on to the fact that some of the conversations they could not
understand were being carried out in Navajo.
Thomas, Jr., R. McG., Carl Gorman, code talker in World War II, dies at 90, The New
York Times, February 1, 1998, p. 27.
U.S. Congress, Codetalkers recognition: not just the Navajos, Cryptologia, 26(4), 241–
256, 2002. This article provides the text of the Code Talkers Recognition Act.
U.S. Marine Corps, Navajo Dictionary, June 15, 1945.
Watson, B., Navajo code talkers: a few good men, Smithsonian, 24(5), 34–43, 1993.
Wilson, W., Code Talkers, American History, February 1997, pp. 16–20, 66–67.
Bibliography
A bibliography that includes unpublished (archival) sources can be found at
http://www.history.navy.mil/faqs/faq12-1.htm.
Videography
Chibitty, C., Craig, B., and Agnew, B., American Indian Code Talkers [VHS], Center
for Tribal Studies, College of Social and Behavioral Sciences, Northeastern
Oklahoma State University, Tahlequah, 1998.
Chibitty, C., Noble, D., Noble, E., and Eskew, J., Recollections of Charles Chibitty—The
Last Comanche Code Talker [VHS], Hidden Path Productions, Mannford, OK,
2000.
Hayer, B., Cory, H., and Wandzel, M., Dine College, and Winona State University,
Samuel Tso: Code Talker, 5th Marine Division [DVD], Dine College, Tsaile, AZ, and
Winona State University, Winona, MN, 2009.
Meadows, W.C., Comanche Code Talkers of World War II [VHS], August 4, 1995. This
is a videotaped interview with Comanche code talkers Roderick Red Elk and
Charles Chibitty. Meadows was both the host and producer. A copy is available
in the Western History Collections of the University of Oklahoma.
NAPBC, In Search of History: The Navajo Code Talkers [VHS], History Channel and
Native American Public Broadcasting Consortium, Lincoln, NE, 2006 (origi-
nally broadcast in 1998).
Red-Horse, V., Director, True Whispers, The Story of the Navajo Code Talkers [DVD], PBS
Home Video, 2007 (originally broadcast 2002).
www.ebook777.com
free ebooks ==> www.ebook777.com
326 Secret History: The Story of Cryptology
Sam, D., Talahongva, P., and Baumann, C., The Power of Words: Native Languages as
Weapons of War [DVD], National Museum of the American Indian, Smithsonian
Institution, Washington, DC, 2006.
Tully, B.W., Director, Navajo Code Talkers: The Epic Story [VHS], Tully Entertainment,
1994.
Wright, M., Code Talkers Decoration Ceremony, Oklahoma State Capitol, November 3, 1989
[VHS], Oral History Collections, Oklahoma Historical Society, Oklahoma City,
1989.
free ebooks ==> www.ebook777.com
Part II
Modern Cryptology
* Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996, p. xix.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
10
Claude Shannon*
In Section 8.7, we took a brief look at the life of Alan Turing, who is consid-
ered by many to be the father of computer science. If anyone could be con-
sidered the American version of Turing, it would be Claude Shannon, who is
known as the father of information theory.
Elwood Shannon (1916–2001), Notices of the American Mathematical Society, 49(1), 10, 2002.
329
www.ebook777.com
free ebooks ==> www.ebook777.com
330 Secret History: The Story of Cryptology
10.2 Entropy
This concept arises from a simple question: How much information does a
given message contain? If the message verifies something we expect, it can
be argued that the amount of information is less than if it indicates the unex-
pected; for example, suppose the message is a weather report and the vari-
ous possibilities, along with their probabilities are as follows
M1 = Sunny .05
M2 = Cloudy .15
M3 = Partly Cloudy .70
M4 = Rain .10
* Shannon, C., A mathematical theory of communication, reprinted with corrections from Bell
System Technical Journal, in two parts: Vol. 27, July/October, 1948, pp. 379–423, 623–656.
free ebooks ==> www.ebook777.com
Claude Shannon 331
could be, consider the fact that if a message M has probability 1, no real infor-
mation is conveyed; that is, I(M) = 0 in this case.
Shannon found that there was essentially just one function that satisfied
his conditions—namely, negation of the logarithm.* The amount of informa-
tion contained in a message M is thus given by
− K ∑ log 2 ( Mi )
where the sum is taken over the individual components of the message,
using the probability of each component as the value for Mi. If the message
consists of seven weather reports, for example, we would sum seven terms to
get the total amount of information. There is some flexibility in that K may
be any positive constant, but because this only amounts to choosing units
Shannon simplified matters by taking it to be one.
Shannon presented his result as a weighted average.† Using his formula,
given below, one can calculate the average amount of information conveyed
by a message selected from a set of possibilities with probabilities given by
the pi.
− ∑ pi log 2 ( pi )
For example, a single weather report, selected from the four possibilities
given above, in accordance with its probability, will have an average infor-
mation content of
However, a single report may contain more or less information than this
average, depending on how likely it is. In probability, such a calculation
is known as an expected value. The units of this measure will be discussed
shortly.
Following the advice of John von Neumann, Shannon called this measure
of information entropy. This was an advantage, as nobody exactly knew what
entropy was.‡ Thus, rather than using I (standing for information) to denote
the function above, Shannon used H.
* Nyquist and Hartley both made use of logarithms in their work on information theory, prior
to Shannon. It seems that it was an idea whose time had arrived.
† Shannon, C., A mathematical theory of communication, reprinted with corrections from Bell
System Technical Journal, in two parts: Vol. 27, July/October, 1948, pp. 379–423, 623–656. The
result appears on p. 11 of the revised paper, but the proof is given in Appendix 2, which is in
the second part of the split paper.
‡ Arndt, C., Information Measures: Information and Its Description in Science and Engineering,
Springer, Berlin, 2001, p. 54. Arndt, in turn, cites Cambel, A.B., Applied Chaos Theory, Academic
Press, London, 1993.
www.ebook777.com
free ebooks ==> www.ebook777.com
332 Secret History: The Story of Cryptology
Now take logb of both sides. You may use b = 10 (common logarithm) or b = e
(natural logarithm) or any other base b > 0. Bases 10 and e are the ones that
commonly have keys devoted to them (log and ln, respectively) on calculators.
I’ll use base b = e, with the notation ln.
ln(2y) = ln(x)
Making use of one of the properties of logarithms, we may bring the expo-
nent of the argument down in front.
y ln(2) = ln( x)
ln( x)
y=
ln(2)
1
y = log 2 x as y = ln x
ln(2)
we see that logarithmic functions with different bases differ only by a con-
stant multiplier. Recalling that Shannon’s formulation for entropy was only
unique up to a constant multiple, we see that this flexibility was equivalent
to being able to use any base for the logarithm. Base 2 is especially conve-
nient when considering digital data; thus, 2 was the base chosen. Regardless
of what form the data take, using the base 2 logarithm results in the units of
entropy being “bits per message” or “bits per character,” if we want an aver-
age rate of information transmission.
The average entropy, H, of English may be calculated by using the prob-
ability of each of the 26 letters in the following formula:
H = − ∑ pi log 2 ( pi )
free ebooks ==> www.ebook777.com
Claude Shannon 333
but this is really only an estimate, as the effects over groups of letters have
not been accounted for yet. Rules such as Q being (almost always) followed
by U and “I before E, except after C” show there is order in English on the
scale of two- and three-character groupings. Entropy approximations based
on single-letter frequencies are often denoted as H1. Better estimates are given
by H2 and H3 where the probabilities used in these are for digraphs and tri-
graphs. As N grows, HN/N converges monotonically to a limit (see Table 10.1).
The idea of entropy existed in physics before Shannon applied it to text. To
make sense of entropy in physics, one must first understand that imbalances
in systems offer usable energy. A collection of bricks on the floor, for exam-
ple, offers no useful energy, but a brick located 10 feet above the floor has
potential energy that can be used to do work as it falls. Entropy corresponds
to the bricks on the floor, and after the brick in the air falls to the ground the
entropy of the system increases. That is, entropy corresponds to energy that
can no longer be used. Another example is provided by a hot cup of coffee in
an office. It has energy that can be used—one could warm one’s hands over
it or use it to melt an ice cube. If left alone, its energy will slowly dissipate
with no effect other than slightly warming the room. Once the coffee and the
room settle to an equilibrium temperature, no usable energy will remain and
the amount of entropy or “unusable energy” can be said to have increased.
TABLE 10.1
First-, Second-, and Third-Order Entropy
for Various Languages
Language H1 H2 H3
English
Contemporary 4.03 3.32 3.1
Poe 4.100 3.337 2.62
Shakespeare 4.106 3.308 2.55
Chaucer 4.00 3.07 2.12
German 4.08 3.18 —
French 4.00 3.14 —
Italian 3.98 3.03 —
Spanish 3.98 3.01 —
Portuguese 3.91 3.11 —
Latin 4.05 3.27 2.38
Greek 4.00 3.05 2.19
Japanese 4.809 3.633 —
Hawaiian 3.20 2.454 1.98
Voynich manuscript 3.66 2.22 1.86
Source: Bennett, Jr., W.R., Scientific and Engineering
Problem-Solving with the Computer, Prentice
Hall, Englewood Cliffs, NJ, 1976, p. 140.
www.ebook777.com
free ebooks ==> www.ebook777.com
334 Secret History: The Story of Cryptology
One of the few theories that scientists have enough confidence in to label
a “law” is the second law of thermodynamics. This states that entropy must
increase in a closed system; that is, if no energy is being added to a system (i.e.,
the system is closed), then the amount of energy in the system that cannot be
used must increase over time. In other words, the amount of usable energy in
the system must decrease. To simplify this further, everything winds down.
Shannon’s “text entropy” follows this rule, as the above table shows. Over
the centuries, the entropy of a particular language increases, as it does when
one language springs from another. This is an empirical result; in other
words, experiment (measuring the entropy of various texts) indicates that it is
true, but we do not have a proof. It makes sense, though, since, as a language
evolves, more exceptions to its rules appear, and more words come in from
foreign languages. Hence, the frequency distribution of character groups
tends to grow more uniform, increasing the entropy. This phenomenon can
be used to roughly date writings; however, not all authors in a particular gen-
eration, or even century, will exhibit the same entropy in their texts. Edgar
Allan Poe’s writings, for example, exhibit higher entropy than those of his
peers.* This is due to the unusually large vocabulary he commanded.
The maximum possible value for H1 occurs when all probabilities are equal
(1/26). This gives us
* Bennett, Jr., W.R., Scientific and Engineering Problem-Solving with the Computer, Prentice Hall,
Englewood Cliffs, NJ, 1976, p. 140.
† Asimov, I., Opus 100, Houghton Mifflin, Boston, 1969, pp. 68–84. The story originally appeared
in Science Fiction Quarterly, November 1956. Other reprints include Nine Tomorrows (1959), The
Best of Isaac Asimov (1973), Robot Dreams (1986), and Isaac Asimov: The Complete Stories, Vol. 1
(1990). Thanks to http://en.wikipedia.org/wiki/The_Last_Question for making it so easy to
provide this list!
‡ http://www.mchawking.com/ is the main page for the musician. The lyrics to “Entropy”
* Shannon, C., Communication theory of secrecy systems, Bell System Technical Journal, 28(4),
689, 1949.
† Ibid., p. 700.
‡ Shannon, C., A mathematical theory of communication, reprinted with corrections from Bell
System Technical Journal, in two parts: Vol. 27, July/October, 1948, pp. 379–423, 623–656. The
result appears on pages 14–15 of the revised paper.
§ Deavours, C., Unicity points in cryptanalysis, Cryptologia, 1(1), 46, 1977. Also see Shannon,
C.E., Communication theory of secrecy systems, Bell System Technical Journal, 28(4), 660, 1949.
www.ebook777.com
free ebooks ==> www.ebook777.com
336 Secret History: The Story of Cryptology
Word spacing isn’t the only omission that has been common historically.
The original Hebrew version of the Old Testament was written without vow-
els. The redundancy of this language allows it to be read anyway.
Not solely focused on solving “important problems,” Shannon applied the
idea of redundancy to a popular recreation for the cryptologically inclined:*
The ratio of the entropy of a source to the maximum value it could have
while still restricted to the same symbols will be called its relative entropy.
This is the maximum compression possible when we encode into the
same alphabet.
* Shannon, C., A mathematical theory of communication, reprinted with corrections from Bell
System Technical Journal, in two parts: Vol. 27, July/October, 1948, pp. 379–423, 623–656. The
result appears on page 15 of the revised paper.
† Ibid. The result appears on page 14 of the revised paper.
‡ We need to be careful in this area, though, not to credit Shannon with too much, as he does
make use of previous work by Richard Hamming. This is done on p. 28 (cited on p. 27) in
Shannon’s revised paper (Shannon, C., A mathematical theory of communication, reprinted
with corrections from Bell System Technical Journal, in two parts: Vol. 27, July/October, 1948,
pp. 379–423, 623–656.) A very simple means of adding redundancy to create an error-correct-
ing code is to insert an extra bit at regular intervals to serve as a parity check (making, for
instance, each block of bits have an even sum).
free ebooks ==> www.ebook777.com
Claude Shannon 337
10.4 Unicity Points
In previous chapters, formulas were provided for the unicity points (the
length for which a ciphertext can be expected to have a unique solution)
for various ciphers. Shannon presented a general technique for calculating
these values. We have the unicity point, U, given by U = log2(K)/D, where
K is the number of possible keys and D is the redundancy per letter of the
message. If the message is compressed prior to encipherment, the value of
D is decreased, thus raising the value of U. Some messages that would have
unique solutions can therefore be made ambiguous by taking this extra step.
As was seen above, the value for D is determined empirically. Like entropy,
it even varies from author to author.
www.ebook777.com
free ebooks ==> www.ebook777.com
338 Secret History: The Story of Cryptology
We’ll see examples of modern systems that combine substitution and trans-
position to satisfy Shannon’s conditions in Sections 12.1 and 19.3.
In addition to the important work described above, Shannon found time
to pursue other projects of a more recreational nature. Examples include
rocket-powered Frisbees, a motorized pogo stick, machines to play chess and
solve Rubik’s cube, a flame-throwing trumpet, and a mysterious box with a
switch on it. When someone saw this box sitting on his desk and flipped the
switch, the box would open and a mechanical hand would reach out and flip
the switch back again. After this, the hand would pull back into the box and
the lid would close, returning the system to its original state.†
* Shannon, C., Communication theory of secrecy systems, Bell System Technical Journal, 28(4),
713, 1949.
† http://en.wikipedia.org/wiki/Claude_Shannon.
free ebooks ==> www.ebook777.com
Claude Shannon 339
Videography
Claude Shannon: Father of the Information Age, http://www.ucsd.tv/search-details.
aspx?showID=6090. This first aired on January 30, 2002, on UCTV, San Diego.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
11
National Security Agency
What few histories exist are so highly classified with multiple code-
words that almost no one has access to them.
—James Bamford*
The situation has changed somewhat, since Bamford made this comment.
NSA has released a four-volume history of the agency, but a great deal of
material has been redacted from it. Still, this represents a tremendous break
from tradition; the agency was literally born in secrecy.
* Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001.
341
www.ebook777.com
free ebooks ==> www.ebook777.com
342 Secret History: The Story of Cryptology
11.1 Origins of NSA
We now know that NSA was established by President Truman, with-
out informing Congress, in 1952, when he issued the top secret directive
“Communications Intelligence Activities.” This directive was still classified
30 years later.* However, NSA didn’t arise from nothing; rather, it had its
roots in the armed forces code and cipher groups of World War II—most
prominently, Friedman’s Army group, Signal Intelligence Service, later to
become the Army Security Agency,† and the Navy’s OP-20-G. Following
World War II, when the Air Force became a separate service, having previ-
ously been part of the Army, there was also an Air Force Security Service.
Before NSA existed, a move toward centralization was marked by the cre-
ation of the Armed Forces Security Agency (AFSA). Thus, there’s continu-
ity such that the birth of NSA was more like a renaming. NSA existed for
several years before moving to its current location, Fort Meade in Maryland
(Figure 11.2). Over the years, although the trend was toward centralization,
the Service Cryptologic Agencies (SCAs) continued.
Unlike the much smaller Central Intelligence Agency (CIA), NSA is
under the Secretary of Defense and is, per Truman’s original order, tasked
with serving the entire government. Today, NSA’s main directorates are
the Information Assurance Directorate (IAD) and the Signals Intelligence
Directorate (SID). Although the SID side (cryptanalysis) is sexier, IAD could
be more important. If you could only spend money on one side, which would
it be, offense or defense? You can ponder this while reading the history that
follows.
11.2 TEMPEST
NSA’s precursor, the AFSA, failed to predict the outbreak of war in Korea,
but America’s cryptologists did go on to have some cryptanalytic success
later in that conflict.‡ There were also early successes against the Soviets in
the Cold War.§
* Bamford, J., The Puzzle Palace, Houghton Mifflin, New York, 1982, p. 16.
† Both fell under the Signal Corps, and many other names were used for the group over the
years. Since Friedman obtained Yardley’s materials, we may start with the Cipher Bureau
and continue the chain with Signal Intelligence Service, Signal Security Division, Signal
Security Branch, Signal Security Service, Signal Security Agency, and finally Army Security
Agency. And this was all in a 30-year period (1917–1947)!
‡ Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for
Centralization, 1945–1960, Center for Cryptologic History, National Security Agency, Ft.
George G. Mead, MD, 1995, p. 33.
§ See Section 3.8 for information on Venona.
free ebooks ==> www.ebook777.com
National Security Agency 343
FIGURE 11.2
The National Security Agency’s headquarters at Fort Meade, MD. (Courtesy of the National
Security Agency, http://www.nsa.gov/about/_images/pg_hi_res/nsa_aerial.jpg.)
On the other side of the code battle, there were serious problems, right
from the start, in protecting the United States’ own communications, as a
once classified history relates:*
At this point, the newly established NSA decided to test all of its equip-
ment. The result—everything radiated. Whether it was mixers, keying
devices, crypto equipment, EAM machinery, or typewriters, it sent out
a signal…[half a line of text redacted]….Plain text was being broadcast
through…[half a line of text redacted]…the electromagnetic environ-
ment was full of it.
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for
Centralization, 1945–1960, Center for Cryptologic History, National Security Agency, Ft.
George G. Mead, MD, 1995, p. 221.
www.ebook777.com
free ebooks ==> www.ebook777.com
344 Secret History: The Story of Cryptology
Van Eck phreaking is a term that may properly be used for attacking a
system by measuring electromagnetic radiation, but only in the special
case of when the intent is to reproduce the monitor. This can be done at
impressive distances or from as nearby as the hotel room next door. This
type of attack is named after the Dutchman Wim van Eck, who authored
the 1985 paper “Electromagnetic Radiation from Video Display Units: An
Eavesdropping Risk?” in which he demonstrated the attack for CRTs.* In
2004, another researcher revealed that LCD systems are also vulnerable to
this sort of attack and constructed the necessary equipment to carry out the
attack for less than $2000.†
Attacks made possible by electromagnetic emissions are not limited to
monitors. In 1956, a bugged telephone allowed the British to hear a Hagelin
machine used by Egyptians in London. The mere sound of the machine
allowed the British cryptanalysts to determine its settings and recover mes-
sages.‡ In general, electromechanical cipher machines are vulnerable to
such acoustical attacks. This one example is used here to represent many
incidents.
In October 1960, following a briefing by NSA, the United States
Communications Security Board (USCSB) established the Subcommittee
on Control of Compromising Emanations (SCOCE) to study the problem.
This committee learned that the Flexowriter was the worst emanator, as it
allowed a properly equipped observer to read plaintext from a distance of
3200 feet.§
Non-electronic/electric encryption doesn’t offer a safe alternative.
Microphones have been hidden in typewriters to allow recordings to be
made of sensitive information being typed. The sounds of the keys hitting
the paper may be distinguished to reveal the individual letters. This can
also be done by placing a tiny microphone between keys on a computer key-
board.¶ It does not matter how good a nation’s ciphers are if the enemy can
get the messages by other means! A great many (possibly) secure methods of
encryption are implemented in insecure ways.
* van Eck, W., Electromagnetic radiation from video display units: an eavesdropping risk?,
Computers & Security, 4(4), 269–286, 1985. John Young wrote, “Wim van Eck’s article is actually
the source of most of the incorrect TEMPEST information out there.” See http://cryptome.
org/tempest-time.htm for a TEMPEST timeline with Young’s corrections.
† Kuhn, M.G., Electromagnetic Eavesdropping Risks of Flat-Panel Displays, paper presented
at the 4th Workshop on Privacy Enhancing Technologies, May 26–28, 2004, Toronto, Canada,
pp. 23–25.
‡ http://cryptome.org/tempest-time.htm.
§ Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book II. Centralization
Wins, 1960–1972, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1995, p. 381.
¶ Keefe, P.R., CHATTER: Dispatches from the Secret World of Global Eavesdropping, Random
TABLE 11.1
Growth of Government Cryptology in America (1949–1960)
Cryptologic Population
Armed Forces National Total, Including
Security Agency Security Agency Service Cryptologic
Date (AFSA) (NSA) Agencies (SCAs)
Dec. 1949 4139 — 10,745
Dec. 1952 — 8760 33,010
Nov. 1956 — 10,380 50,550
Nov. 1960 — 12,120 72,560
Source: Johnson, T.R., American Cryptology During the Cold War, 1945–1989.
Book I. The Struggle for Centralization, 1945–1960, Center for
Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1995, p. 64.
* Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 147.
† Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book II. Centralization
Wins, 1960–1972, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1995, p. 293.
www.ebook777.com
free ebooks ==> www.ebook777.com
346 Secret History: The Story of Cryptology
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book II. Centralization
Wins, 1960–1972, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1995, p. 479.
† Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 578. Also, Johnson, T.R.,
American Cryptology During the Cold War, 1945–1989. Book II. Centralization Wins, 1960–1972,
Center for Cryptologic History, National Security Agency, Ft. George G. Mead, MD, 1995, p.
368, reveals that the 5-acre mark had almost been hit by 1968.
‡ Odom, W., Fixing Intelligence for a More Secure America, 2nd ed., Yale University Press, New
down, the most famous incident being the U-2 piloted by Francis Gary Powers.
free ebooks ==> www.ebook777.com
National Security Agency 347
During the Six-Day War in June 1967, Israel attacked the spy ship USS
Liberty. Thirty-four men died as a result, and many more were injured.
Although the Liberty was flying an American flag, the Israeli government
claims to this day that they weren’t aware that it belonged to the United
States until after the attack. There is intense disagreement among research-
ers as to whether or not this is true. The section on the Liberty in the reference
list at the end of this chapter offers volumes representing both perspectives.
Like the question of whether or not Yardley sold secrets to the Japanese, this
debate is likely to continue for many years.
In January 1968, close on the heels of the attack on the Liberty, another
SIGINT ship, the USS Pueblo, was captured, along with its crew, by North
Korea. This happened so quickly that only a small fraction of the classified
material on board could be destroyed. A declassified history described the
event: “It was everyone’s worst nightmare, surpassing in damage anything
that had ever happened to the cryptologic community.”*
By following Kerckhoffs’ guidelines, however, NSA averted an even greater
disaster. All of NSA’s cipher equipment was designed to remain secure, even
if the enemy somehow gained the full details of the designs, as happened
here. Security truly resided in the keys, and those that were captured would
not be used again; hence, only messages from late 1967 and early 1968 were
compromised.†
Although there was less loss of life with the capture of the Pueblo (one
death) than in the attack on the Liberty, the Koreans held the surviving 82
crewmembers as prisoners, and they proved to be brutal captors. Beatings
were carried out in private while the North Koreans provided pictures for
public consumption intended to show how well the Americans were being
treated. The crew of the Pueblo minimized the propaganda value of these pic-
tures by positioning their hands to convey a coded signal that the Koreans
didn’t recognize. Upon being asked, the Americans explained that it was the
“Hawaiian good luck sign.” See Figure 11.3.
How the North Koreans learned that the true meaning of this gesture was
not “good luck” will be related shortly, but understand now that they only
learned this after the pictures had been distributed throughout the world!
Upon getting the message, the North Koreans retaliated with greater physi-
cal abuse. In all, the crew spent 11 months in captivity before America signed
an insincere apology that gained their release.
A reunion picture similar to that in Figure 11.4 served as the cover of the Fall
2008 CRYPTOLOG (Vol. 29, No. 4), the journal of the U.S. Naval Cryptologic
Veterans Association (NCVA). After seeing this cover, I emailed Jay Browne to
tell him that it gave me a chuckle. He responded, in part, with the following:
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book II. Centralization
Wins, 1960–1972, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1995, p. 439.
† Ibid., p. 452.
www.ebook777.com
free ebooks ==> www.ebook777.com
348 Secret History: The Story of Cryptology
FIGURE 11.3
Pueblo crewmembers sending a coded message.
The cover photo was somewhat “controversial.” I told Bob Payne (our
Editor) to standby for heavy seas. In fact, of the 4000 or so copies we print,
we received a grand total of 2 negative comments! After we received the
first one I drafted an editorial for the winter issue—attached. Bob chose
to ignore the issue all together, and in hindsight he was probably right.
FIGURE 11.4
The 40th reunion of Pueblo crewmembers (Courtesy of Karen Pike Photography.).
free ebooks ==> www.ebook777.com
National Security Agency 349
That unpublished editorial sees print for the first time below:*
Editorial
CRYPTOLOG has received several “comments” regarding the cover photo-
graph of the Fall issue. Some readers may have been offended by the dis-
play of the assembled Pueblo crew members and the so-called “Hawaiian
Good Luck” sign, but CRYPTOLOG believes there is a larger story involved.
To appreciate the historical context, the reader must go back to the events
surrounding the capture of the United States Ship Pueblo—the first such
capture since the 1880s—and the treatment of her surviving crew. The late
Commanding Officer of the ship, Commander Lloyd M. Bucher, wrote in
his book, “My officers and I were hauled before [The] Glorious General
who suddenly reappeared on the scene and delivered one of his towering
histrionic rages, which were both comic and frightening to behold. He con-
fronted us with and let us examine a copy of a page from Time magazine
[18 October 1968 issue] containing a group picture of our infamous Room
13 gang. The caption fully explained the meaning of the “Hawaiian Good
Luck Sign.”…I also knew we were about to pay for their severe loss of face.
I had not been beaten yet, but Glorious General kept me after he had dis-
missed the other officers and during a denunciation lasting several hours,
threatened me with speedy execution after a trial which he indicated was
now absolutely inevitable. He was pretty convincing about it and I was
returned to my cell feeling that my chances for survival had sunk to zero.
On the following day, men continued to be selected for beatings.
Shingleton and Scarborough received brutal ones. Radioman Hayes had
his jaw broken. The officers began catching it as well.†
So the cost of an expression, a gesture, the men—our men—suffered
mightily at the hands of their capture. Other newspapers and magazines
printed the “offending” photo but it was Time that explained the meaning.
While the cover photo may have offended some readers, CRYPTOLOG
is offended, even today some 40 years later, by the treatment of the North
Koreans and the callous disregard of our people by Time magazine.
The cover photo speaks volumes to both—here’s to you North Korea
and to Time!
The losses described above brought an end to the use of slow-moving ships
for gathering intelligence.
www.ebook777.com
free ebooks ==> www.ebook777.com
350 Secret History: The Story of Cryptology
30
Civilian
25
Military
20
Thousands
15
10
0
73 75 77 79 81 83 85 87 89 91 93
FIGURE 11.5
Employment figures for NSA from 1973 to 1993. (From Johnson, T.R., American Cryptology During
the Cold War, 1945–1989. Book III. Retrenchment and Reform, 1972–1980, Center for Cryptologic
History, National Security Agency, Ft. George G. Mead, MD, 1995, p. 23.)
Tad Szulc, writing for Penthouse, estimated the numbers at $10 billion per
year and 120,000 respectively.* His budget calculation included the bud-
gets of the National Reconnaissance Office (NRO),† Army, Navy, and Air
Force Intelligence. The intimate connections between these agencies were
his justification for treating them as a single unit budget-wise.‡ The number
of employees is worldwide. Szulc estimated that 10,000 of these would be
working at the Fort Meade headquarters with a budget of around $1 billion
per year. Not to be outdone, Playboy published an article by David Kahn the
following month in which he estimated that NSA employed 100,000 people
with a budget of several billion dollars per year.§ A graph from a recently
declassified history of the agency reveals how many employees were actu-
ally under NSA’s control (Figure 11.5).
But why would Playboy and Penthouse both attempt to expose NSA’s size
and budget within a month of each other? In addition to their normal dis-
taste for cover-ups, there was a bandwagon to jump on. The U.S. intelligence
agencies were being investigated for alleged crimes by a Congressional com-
mittee and almost every magazine and newspaper had something to say
about it. The congressional committee was led by Senator Frank Church
and is therefore often referred to as the Church Committee. It examined
* Szulc, T., The NSA: America’s $10 billion Frankenstein, Penthouse, November, 1975, p. 194.
† The NRO once lost track of over $2 billion! See The New York Times, Secretive agency mis-
places $2 billion, Portland Press Herald, January 30, 1996, p. 5A.
‡ Some budgets were, in fact, lumped together, but not as Szulc figured it. Beginning with
fiscal year 1959, a Consolidated Cryptologic Program (CCP) centralized all cryptologic bud-
geting (including the three services, NSA, and, to a lesser extent CIA) under the Director of
NSA (DIRNSA). See Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book
I. The Struggle for Centralization, 1945–1960, Center for Cryptologic History, National Security
Agency, Ft. George G. Mead, MD, 1995, p. 260.
§ Kahn, D., The code battle, Playboy, December, 1975, pp. 132–136, 224–228.
free ebooks ==> www.ebook777.com
National Security Agency 351
ways in which the agencies illegally spied on and disrupted the activities of
American citizens. It seems that any group that did not fall in line with the
status quo was targeted. War protestors, civil rights activists, feminists, and
Native American activists were all harassed under the government-spon-
sored COINTELPRO (counterintelligence program). Many of the victims,
such as Martin Luther King, are now generally considered to have helped
move the country in the right direction.* Other well-known individuals who
had their privacy violated included actress Jane Fonda, pediatrician and
best-selling author Dr. Benjamin Spock, and folk singer Joan Baez.
The programs uncovered by the Church Committee investigation aroused
much public indignation. The CIA and FBI received the greatest scrutiny.
NSA might have had a tougher time, but it appears that the Committee
didn’t even want to investigate that particular agency! The paragraph from
Johnson’s history of NSA that indicates this follows (without any redactions
this time):†
To begin with NSA wasn’t even on the target list. But in the course of pre-
liminary investigation, two Senate staffers discovered in the National
Archives files some Defense paperwork relating to domestic wiretaps
which referred to NSA as the source of the request. The committee was
not inclined to make use of this material, but the two staffers leaked the
documents to Representative Bella Abzug of New York, who was start-
ing her own investigation. Church terminated the two staffers, but the
damage had been done, and the committee somewhat reluctantly broad-
ened its investigation to include the National Security Agency.
Reform, 1972–1980, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1998, pp. 92–93.
‡ This program predated NSA, having begun with the ASA, following World War II.
§ Halperin, M.H., Berman, J.J., Borosage, R.L., and Marwick, C.M., The Lawless State: The Crimes
of the U.S. Intelligence Agencies, Penguin Books, New York, 1976, p. 173.
¶ Foerstal, H.N., Secret Science: Federal Control of American Science and Technology, Prager,
and Bergstra, J., Eds., The History of Information Security: A Comprehensive Handbook, Elsevier,
Amsterdam, 2007, pp. 545–546.
www.ebook777.com
free ebooks ==> www.ebook777.com
352 Secret History: The Story of Cryptology
Notice that in both cases at least one side of the communication link was
outside the Unites States, even though, in many cases, both individuals
were Americans. There is no evidence of NSA spying on pairs of Americans
within the United States. It’s been pointed out that Canada can legally spy on
Americans and that NSA has a cozy sort of reciprocal intelligence agreement
with Canada and other countries,* but NSA maintains that it doesn’t ask its
allies to do anything that it’s prohibited from doing itself.
Some web pages change frequently. At one time, the following was part of
NSA’s official web presence:
The agency, the investigations showed, had monitored the domestic con-
versations of Americans without the proper court warrants. It was chas-
tised and forbidden to overhear such communications, and Congress
established a special court to grant national-security wiretaps.
This is typically what happens when some part of the federal government is
caught breaking the law. An investigation is held, nobody is punished, and
legislation is passed to re-outlaw the crime. In another example of crime
without punishment, former CIA director Richard Helms committed per-
jury and got off with just a $2000 fine.†
The special court that was established to grant national-security wire-
taps came into being with the Foreign Intelligence Surveillance Act of 1978.
Permission slips for eavesdropping thus became known as FISA warrants
and were granted by the Foreign Intelligence Surveillance Court. This court
approved so many requests that one critic refused to characterize it as a rubber
stamp, pointing out that even a rubber stamp runs out of ink sometimes! On
the other hand, supporters of the program argue that warrants were almost
never refused because the applications were well justified in nearly every case.
When FISA was first imposed, NSA decided that there would be no close calls.
Applications were only to be made on solid evidence. Also, the statistics are
skewed by the fact that in the early days weaker applications were sometimes
returned without being officially denied. They could then be strengthened
with more information and submitted again or simply forgotten. In this way
some possible rejections never became part of the statistics we see today.
In his four-volume history of NSA, Thomas R. Johnson maintains that the
Agency did not act improperly. For example, he states repeatedly that the
1968 “Omnibus Crime Control and Safe Streets Act” overruled Section 605 of
the Federal Communications Act of 1934, which forbid eavesdropping.‡ Even
* Constance, P., How Jim Bamford probed the NSA, Cryptologia, 21(1), 71–74, 1997.
† Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 62.
‡ Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for
Centralization, 1945–1960, Center for Cryptologic History, National Security Agency, Ft.
George G. Mead, MD, 1995, p. 274; Johnson, T.R., American Cryptology During the Cold War,
1945–1989. Book II. Centralization Wins, 1960–1972, Center for Cryptologic History, National
Security Agency, Ft. George G. Mead, MD, 1995, p. 474.
free ebooks ==> www.ebook777.com
National Security Agency 353
if this is true under the letter of the law, it clearly violates the spirit of the
Constitution. Certainly the founding fathers would not have been amused
by this justification.
The second half of the 1970s also marked the beginning of a debate between
NSA and American professors, mainly mathematicians, computer scientists,
and engineers, who had begun to make important cryptographic discover-
ies. Previously, NSA had a monopoly on research in these areas, and they did
not want to see it end. They feared the loss of control that public pursuits in
this field would entail. The various attempts of NSA to stop the academics
are discussed in the following chapters of this book, along with the relevant
mathematics. Although much time was spent battling congressional com-
mittees and academics in the 1970s, NSA did manage to sign a treaty in 1977
with a long-time enemy, the CIA.*
Details are lacking, but a breakthrough was reportedly made in 1979 in
deciphering Russia’s encrypted voice transmissions.† With Venona successes
having been disclosed in 1996, we may be able to look forward to revelations
on how voice decrypts affected Cold War politics in the 1980s in the not-too-
distant future.
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book III. Retrenchment and
Reform, 1972–1980, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1998, p. 197.
† Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 370.
‡ Bamford, J., A Pretext for War: 9/11, Iraq, and the Abuse of America’s Intelligence Agencies,
War through the Dawn of a New Century, Doubleday, New York, 2001, pp. 481–482.
¶ Kahn, D., The code battle, Playboy, December, 1975, pp. 132–136, 224–228.
www.ebook777.com
free ebooks ==> www.ebook777.com
354 Secret History: The Story of Cryptology
This did not represent a brand new perspective. Decades earlier, an American
president, and World War II general, commented on the opportunity cost of
military spending:
Every gun that is made, every warship launched, every rocket fired, sig-
nifies, in the final sense, a theft from those who hunger and are not fed,
those who are cold and are not clothed. The world in arms is not spend-
ing money alone. It is spending the sweat of its laborers, the genius of its
scientists, the hopes of its children.
—Dwight D. Eisenhower *
11.7 Some Speculation
One alleged NSA success, reported in the 1990s, still lacks the smoking
gun that allows it to be presented as straight history. It involves the Swiss
cipher machine company Crypto AG (see Section 8.1). Allegedly, NSA was
able to convince this trusted manufacturer to place a back door, for the use
of NSA and Britain’s Government Communications Headquarters (GCHQ),
* Eisenhower, D.D., The Chance for Peace, speech to the American Society of Newspaper
Editors, Washington DC, April 16, 1953. Quoted here from Zinn, H., Terrorism and War, Seven
Stories Press, New York, 2002, p. 96.
free ebooks ==> www.ebook777.com
National Security Agency 355
into their machines. This project is supposed to have begun in 1957, when
William Friedman traveled to Switzerland to meet with Boris Hagelin.* The
trips were first reported on in a biography of William Friedman written by
Ronald W. Clark.† NSA got wind of this and exhibited great interest in the
manuscript, which seems to confirm that there was something to the story.
Clark was not intimidated by the Agency, but he didn’t really know much
about the trip. His biography merely opened the door on this topic.
As the story goes, the deal was not made in a single trip. Friedman had
to return, and in 1958 Hagelin agreed. Crypto AG machines were eventu-
ally adopted for use by 120 nations, but it seems unlikely that they were all
rigged. According to some accounts the security levels provided depended
on the country in which the machine was to be used. In any case, there
doesn’t appear to have been any suspicion of rigging until 1983.‡ Twenty-five
years is a tremendous time to keep such a large-scale project secret. If true,
this would be one of the greatest success stories of all time in the intelligence
community. Since the 25-year time period includes the switch from electro-
mechanical machines to computerized digital encryption, the back doors
would have to have remained in place through this transition.
There are various accounts of how knowledge of the allegedly rigged
machines leaked out. One version is as follows. The spy Jonathan Pollard
betrayed a tremendous amount of material to Israel, including, apparently,
details of the Crypto AG machines’ back doors. This information was then
given to the Soviets, in 1983, in exchange for allowing a larger number of
Jews to leave the Soviet Union for Israel.§
However the news got out, it is claimed to have later spread to Iran. The
next episode in the story is very well documented. It is the arrest of the
Crypto AG salesman Hans Buehler in March 1992. The Iranians charged him
with spying for the Federal Republic of Germany and the United States and
imprisoned him for nine months. He was only released when Crypto AG
paid a $1 million bail. A few weeks later, the company dismissed Buehler and
insisted that he reimburse them for their expense! Buehler initially had no
idea why he was arrested, as he relates in his book Verschlüsselt.¶ He tells his
* Bamford, J., The Puzzle Palace, Houghton Mifflin, New York, 1982, pp. 321–324.
† Clark, R., The Man Who Broke Purple, Little, Brown, Boston, 1977. As we saw in Section 9.5,
Clark’s title is not very accurate. Previous biographies by this author include the very popu-
lar Einstein: The Life and Times (1971) and another on Bertrand Russell.
‡ Madsen, W., Crypto AG: The NSA’s Trojan whore?, Covert Action Quarterly, Issue 63, Winter
1998 (http://mediafilter.org/CAQ/caq63/caq63madsen.html).
§ At least, according to Madsen, W., The demise of global communications security: the neo-
cons’ unfettered access to America’s secrets, Onlinejournal.com, September 21, 2005. Madsen
also provides an alternative explanation (that doesn’t involve Pollard) for how the Soviets
learned the secret: “Ex-CIA agents report that the Russian intelligence successors to the for-
mer KGB were actually tipped off about the Crypto AG project by CIA spy Aldrich Ames.”
Having two different accounts shows how speculative this whole story really is.
¶ Buehler, H., Verschlüsselt, Werd, Zürich, 1994. This book is in German and no translation is
currently available.
www.ebook777.com
free ebooks ==> www.ebook777.com
356 Secret History: The Story of Cryptology
story in the same style as Franz Kafka’s Der Prozess (The Trial), in which the
protagonist, who is arrested early in the story, never learns what the charges
against him are. Prior to his arrest, Buehler was not aware of any rigging of
the machines he was selling, but he was to eventually conclude, after speak-
ing with several former employees of Crypto AG, that the machines were
rigged and that he was paying the price for the duplicity of others.
As you have surely noticed, I am not conveying any details of how exactly
the back doors worked. Full details are not publicly available. Statements
such as, “The KGB and GRU found out about the ‘seed key’ used by NSA as
a ‘master key’ to unlock encoded communications transmitted by Crypto
AG machines,” made by Wayne Madsen, only hint at how it might have
worked.* Other sources describe the keys as somehow being sent with
the messages by the rigged machines. Or, in the early days of mechanical
machines, it could have been a simple matter of omitting certain levers in
the devices sold to particular customers. Could a mathematical analysis
of the machines reveal the secret? This would make an excellent research
project, but a reluctance to approach it is understandable. It may merely
result in months of wasted effort with no new theorems or results to show
for the work.
In 1995, a Swiss engineer spoke to Scott Shane, then of The Baltimore Sun,†
under the condition that his anonymity be maintained. Shane revealed what
he learned:‡
* Madsen, W., The demise of global communications security: the neocons’ unfettered access
to America’s secrets, Onlinejournal.com, September 21, 2005.
† Shane now works for The New York Times.
‡ Shane, S. and Bowman, T., No such agency: America’s fortress of spies (six-part series), The
since retired, but she said she couldn’t talk about Crypto AG. It should be
noted that Crypto AG executives have consistently denied the existence of
back doors in any of their machines, as one would expect whether the tale
is true or not.
It is likely that much of the information gathered (by all modern nations)
is collected by means other than direct mathematical attacks on the mature
cipher systems of the 21st century. Back doors, exploitation of electromag-
netic emissions, and hacking attacks are probably the source of much intel-
ligence. A new Cyber Command Center (Cybercom) that carries out such
* Bamford, J., A Pretext for War: 9/11, Iraq, and the Abuse of America’s Intelligence Agencies,
Doubleday, New York, 2004, p. 53.
† Ibid., p. 113.
‡ Ibid., p. 356.
§ Keefe, P.R., CHATTER: Dispatches from the Secret World of Global Eavesdropping, Random
www.ebook777.com
free ebooks ==> www.ebook777.com
358 Secret History: The Story of Cryptology
* I know that he is legally correct. Corporate personhood is law. We live in a strange world.
The United States once had people as property (slaves) and now has property as people
(corporations).
free ebooks ==> www.ebook777.com
National Security Agency 359
1. The applicant does not have anything in his background that might
make him subject to blackmail.
2. The applicant is not a spy.
* See Interviewing with an Intelligence Agency (or, A Funny Thing Happened on the Way to Fort
Meade), by Ralph J. Perro (a pseudonym), available online at http://www.fas.org/irp/eprint/
nsa-interview.pdf. The pseudonym was a take-off on Ralph J. Canine, the first director of NSA.
† There are two types of polygraph tests. The first is the “lifestyle polygraph,” done prior to
employment. The second is the “counterintelligence polygraph,” which is given 5 years later.
‡ Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 540.
§ Ibid. A pair of NSA historians expressed skepticism that such statistics were ever compiled.
¶ Bamford, J., The Puzzle Palace, Houghton Mifflin, New York, 1982, p. 162.
www.ebook777.com
free ebooks ==> www.ebook777.com
360 Secret History: The Story of Cryptology
This quote is from 1982. NSA is now more tolerant. Although EPQs are still
used, homosexuality is not necessarily considered a problem. There is even
a social club, GLOBE, for Gay, Lesbian, or Bisexual Employees.* Of course,
the applicant need not worry in any case. The answers to these questions are
kept confidential.
It would not be revealed, for example, that Bernon F. Mitchell told his inter-
rogator about certain “sexual experimentations” with dogs and chickens he
had carried out when he was between the ages of 13 and 19.† Okay, maybe
this wasn’t the best example. Despite Mitchell’s strange history, he was hired
along with William H. Martin. Johnson summarized the interview pro-
cess for these two men with, “Certain questions about their psychological
health came up on the polygraph and background investigation but were not
regarded as serious impediments to employment.”‡
In 1960, these men betrayed the agency to the Russians, sparking a purge
of homosexuals. In all, 26 NSA employees were fired because of their sex-
ual conduct.§ The discrimination was even extended to other government
positions. President Eisenhower ordered a secret blacklisting of gays from
employment within the federal government. He was aided in this by J. Edgar
Hoover, who maintained a list of homosexuals.¶ Others who betrayed NSA
and affiliated groups include the following:**
* Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, p. 485.
† Bamford, J., The Puzzle Palace, Houghton Mifflin, New York, 1982, p. 180.
‡ Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for
Centralization, 1945–1960, Center for Cryptologic History, National Security Agency, Ft.
George G. Mead, MD, 1995, p. 182. Part of my purpose in relating this story is to ease concerns
of potential NSA applicants. You do not have to be 100% squeaky clean to get hired. You’ll
probably do better on the interview than Mitchell and they hired him!
§ Ibid., p. 284.
¶ Bamford, J., Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold
War through the Dawn of a New Century, Doubleday, New York, 2001, pp. 543–544.
** Examples were taken from Fitsanakis, J., National Security Agency: the historiography of
concealment, in de Leeuw, K. and Bergstra, J., Eds., The History of Information Security: A
Comprehensive Handbook, Elsevier, Amsterdam, 2007, pp. 535, 538, 543–544; Johnson, T.R.,
American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for Centralization,
1945–1960, Center for Cryptologic History, National Security Agency, Ft. George G. Mead,
MD, 1995, pp. 277–279; Johnson, T.R., American Cryptology During the Cold War, 1945–1989.
Book II. Centralization Wins, 1960–1972, Center for Cryptologic History, National Security
Agency, Ft. George G. Mead, MD, 1995, pp. 470-471; Polmar, N. and Allen, T.B., Spy Book,
Random House, New York, 1997.
free ebooks ==> www.ebook777.com
National Security Agency 361
1.
William Weisband—His betrayal took place before NSA was created,
and he is thought by some to be responsible for “Black Friday,” the
day on which all Warsaw Pact encryption systems were changed,
shutting out the cryptanalysts, October 29, 1948.
2.
Joseph Sydney Petersen, Jr.—Caught in 1953, his indictment for betray-
ing secrets to the Dutch got NSA some unwanted publicity.
3.
Roy A. Rhodes—He provided the Soviets with cryptographic informa-
tion and was caught based on information from a NKVD Lieutenant
Colonel, who defected in 1957.
4.
Robert Lee Johnson—Active in the 1950s and early 1960s, he provided
the Soviets with key lists for cipher machines and other valuable
material.
5.
Jack Dunlap—As a spy for the Soviets from 1959 to 1963, he stole
documents by tucking them under his shirt. He committed suicide
while being investigated.
6.
Victor Norris Hamilton—This former NSA cryptanalyst defected to
the Soviet Union in July 1963.
7.
Robert S. Lipka—He got away with betraying NSA to the Soviets
while he worked there from 1964 to 1967, but in 1993 his ex-wife
turned him in.
8.
Christopher Boyce and Daulton Lee—The story of these traitors was
told in Robert Lindsey’s The Falcon and the Snowman (Simon &
Schuster, 1979). In 1984, the book was made into an excellent movie
of the same title that starred Timothy Hutton and Sean Penn.
9.
William Kampiles—This CIA employee sold the Soviets the Big Bird
Satellite manual in 1978. The system delivered both signals intelli-
gence and photo surveillance.
10.
John Anthony Walker, Jr.—He began spying for the Soviets in 1967 and
before his arrest in 1984 had managed to recruit three other Navy
men into what became known as the Walker Spy Ring.
11.
Jonathan Jay Pollard—Speculation concerning his revelations to Israel
was provided earlier in this chapter
12. Ronald William Pelton—He was convicted of espionage in 1986 for
providing the Soviets with detailed information on the United
States’ electronic espionage abilities.
13.
David Sheldon Boone—This NSA cryptanalyst sold secrets to the
Russians and in 1998 received a sentence of 24 years.
www.ebook777.com
free ebooks ==> www.ebook777.com
362 Secret History: The Story of Cryptology
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle for
Centralization, 1945–1960, Center for Cryptologic History, National Security Agency, Ft.
George G. Mead, MD, 1995, p. 159.
† Ibid., p. 17.
‡ NSA, Declassified UKUSA Signals Intelligence Agreement Documents Available [press
release], National Security Agency, Washington, DC, June 24, 2010 (http://www.nsa.gov/
public_info/press_room/2010/ukusa.shtml).
§ There are also secondary or junior partners with whom some information is shared. Israel
is not among them, although in other ways the relationship between Israel and the United
States is very close.
free ebooks ==> www.ebook777.com
National Security Agency 363
In 1990, the German magazine Der Spiegel revealed that the NSA had
intercepted messages about an impending $200 million deal between
Indonesia and the Japanese satellite manufacturer NEC Corp. After
President Bush intervened in the negotiations on behalf of American
manufacturers, the contract was split between NEC and AT&T.*
In September 1993, President Clinton asked the CIA to spy on Japanese
auto manufacturers that were designing zero-emission cars and to for-
ward that information to the Big Three U.S. car manufacturers: Ford,
General Motors and Chrysler.†
Yet, it would be naïve to believe that the rest of the world was “playing fair.”
Another example shows how NSA is sometimes able to cancel out the treach-
ery of others.‡
In any case, private intelligence agencies are on the rise. If a large corporation
cannot get the government’s help, it can turn to one of these.
Although intercepts like those detailed above have revealed criminal
behavior, there could be much more hidden in plain sight. With the rise of the
Internet, steganography may be making a comeback. It’s very easy to embed
messages in digital images. One simply alters the least significant bit(s) in the
values representing the color of each pixel. It’s been claimed that terrorists
used this as a method of communication prior to 9/11. However, like most
post-WWII stories of clandestine cryptology, there is no proof available. If the
story is true, it remains classified.
We’ve taken a look at some who betrayed NSA, but they are, of course, the
rare exceptions. There are likely more than are publicly known, but I doubt
that they outnumber those at the other extreme, who gave their lives in ser-
vice to America through the agency. A wall inside NSA commemorates these
men and women (Figure 11.6). Sadly, during my time with NSA’s Center for
Cryptologic History, I saw this list grow. The rightmost column now extends
to the bottom and new names have been added in the triangular space above.
* http://www.bibliotecapleyades.net/ciencia/echelon/echelon_2.htm.
† Ibid.
‡ Shane, S. and Bowman, T., No such agency: America’s fortress of spies (six-part series), The
www.ebook777.com
free ebooks ==> www.ebook777.com
364 Secret History: The Story of Cryptology
FIGURE 11.6
A wall listing the names of those who have died serving NSA. (Courtesy of National Security
Agency, http://www.nsa.gov/about/_images/pg_hi_res/memorial_wall.jpg.)
Brownell, G.A., The Origin and Development of the National Security Agency, Aegean
Park Press, Laguna Hills, CA, 1981, 98 pp.
Buehler, H., Verschlüsselt, Werd, Zürich, 1994. This book is in German and no transla-
tion is currently available.
Churchill, W. and Vander Wall, J., The COINTELPRO Papers, South End Press, Boston,
MA, 1990. NSA is barely mentioned in this book, which is included in this list
solely for the information it contains on COINTELPRO. More information on
NSA’s role may be found at http://www.icdc.com/~paulwolf/cointelpro/
churchfinalreportIIIj.htm
Constance, P., How Jim Bamford probed the NSA, Cryptologia, 21(1), 71–74, 1997.
de Leeuw, K. and Bergstra, J., Eds., The History of Information Security, A Comprehensive
Handbook, Elsevier, Amsterdam, 2007. Chapter 18 (pp. 523–563) of this large $220
book is titled “National Security Agency: The Historiography of Concealment.”
It is by J. Fitsanakis, who complains about the lack of study of this topic and
then provides a list of 291 references.
Halperin, M.H., Berman, J.J., Borosage, R.L., and Marwick, C.M., The Lawless State:
The Crimes of the U.S. Intelligence Agencies, Penguin Books, New York, 1976.
Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book I. The Struggle
for Centralization, 1945–1960, Center for Cryptologic History, National Security
Agency, Ft. George G. Mead, MD, 1995. This book, and the next three references,
were declassified (with many redactions) beginning in 2008.
Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book II.
Centralization Wins, 1960–1972, Center for Cryptologic History, National Security
Agency, Ft. George G. Mead, MD, 1995.
Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book III.
Retrenchment and Reform, 1972–1980, Center for Cryptologic History, National
Security Agency, Ft. George G. Mead, MD, 1998.
Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book IV. Cryptologic
Rebirth, 1981–1989, Center for Cryptologic History, National Security Agency,
Ft. George G. Mead, MD, 1999.
Kahn, D., The Codebreakers, Macmillan, New York, 1967 (an updated edition appeared
in 1996). NSA was not pleased that Kahn devoted a chapter to them in his book,
and they considered various means of suppressing it. See Section 6.9.
Keefe, P.R., CHATTER: Dispatches from the Secret World of Global Eavesdropping, Random
House, New York, 2005. On page 97, Keefe placed NSA’s budget at $6 billion a
year with 60,000 employees.
Langmeyer, N. and Grimes, A.M., Mathematical life at the National Security Agency,
Math Horizons, 8(3), 30–31, 2001.
Madsen, W., Crypto AG: The NSA’s Trojan whore?, Covert Action Quarterly, Issue 63,
Winter 1998 (http://mediafilter.org/CAQ/caq63/caq63madsen.html).
National Security Agency, Website, http://www.nsa.gov/. NSA’s website also
includes a link to the National Cryptologic Museum.
NSA, NSA Employee’s Security Handbook, National Security Agency, Washington, DC.
This handbook (leaked in 1994) can be found online at http://theory.stanford.
edu/~robert/NSA.doc.html.
Odom, W., Fixing Intelligence for a More Secure America, 2nd ed., Yale University Press,
New Haven, CT, 2004.
Ransom, H.H., Central Intelligence and National Security, Harvard University Press,
1958; third printing, 1965. Pages 116 to 118 discuss NSA.
www.ebook777.com
free ebooks ==> www.ebook777.com
366 Secret History: The Story of Cryptology
Shane, S. and Bowman, T., No such agency: America’s fortress of spies (six-part
series), The Baltimore Sun, December 3–15, 1995.
Shane, S. and Bowman, T., U.S. secret agency scored world coup: NSA rigged
machines for eavesdropping, The Baltimore Sun, January 3, 1996, p. 1A.
Tully, A., The Super Spies, William Morrow, New York, 1969.
Wagner, M., Organizational profile: the inside scoop on mathematics at the NSA,
Math Horizons, 13(4), 20–23, 2006.
Weiner, T., Blank Check: The Pentagon’s Black Budget, Warner Books, New York, 1990.
This book makes a study of undisclosed budgets.
On the Liberty
Borne J.E., The USS Liberty: Dissenting History vs. Official History, Reconsideration
Press, New York, 1995. This doctoral dissertation was submitted in partial ful-
fillment of the requirements for the degree of Doctor of Philosophy, Department
of History, New York University.
Cristol, A.J., The Liberty Incident: The 1967 Israeli Attack on the U.S. Navy Spy Ship,
Brassey’s, Washington DC, 2002. Cristol served for many years in the U.S. Navy
and argues that the Israelis didn’t know they were attacking an American ship.
Ennes, Jr., J.M., Assault on the Liberty, Random House, New York, 1979. Ennes, a lieu-
tenant who was on the Liberty, thinks the attack was intentional.
Scott, J., The Attack on the Liberty, Simon & Schuster, New York, 2009. Scott, the son of a
Liberty survivor, thinks the Israelis knew they were attacking an American ship.
Other works that include material on the Liberty were listed in the “On
NSA” section of the references above; for example, James Bamford’s Body of
Secrets argues that the attack was intentional, whereas Book II of Thomas R.
Johnson’s history presents the view that it was not.
On the Pueblo
Armbrister, T., A Matter of Accountability: The True Story of the Pueblo Affair, Coward-
McCann, New York, 1970.
Brandt, E., The Last Voyage of the USS Pueblo, W.W. Norton, New York, 1969.
Bucher, L.M. and Rascovich, M., Bucher: My Story, Doubleday, Garden City, NY, 1970.
Crawford, D., Pueblo Intrigue, Tyndale House, Wheaton, IL, 1969.
Gallery, D.V., The Pueblo Incident, Doubleday, Garden City, New York, 1970.
Harris, S.R. and Hefley, J.C., My Anchor Held, Fleming H. Revell Co., Old Tappan, NJ,
1970. Harris was the intelligence officer aboard the Pueblo at the time of capture.
Lerner, M., The Pueblo Incident, University Press of Kansas, Lawrence, 2002.
Liston, R.A., The Pueblo Surrender, M. Evans & Co., New York, 1988. This book actu-
ally argues that it was intended that the Pueblo be captured!
Also of Interest
Bamford, J., A Pretext for War: 9/11, Iraq, and the Abuse of America’s Intelligence Agencies,
Doubleday, New York, 2004. Bamford examines the following questions: Did
Hussein have weapons of mass destruction, as George W. Bush claimed? Was
there a connection between Hussein and Al Qaeda? The results of a poll showed
free ebooks ==> www.ebook777.com
National Security Agency 367
that most Americans believed that the answer to both questions is yes. Bamford
clearly shows that the correct answer is no in both cases and details the abuse of
the intelligence agencies that led to the public’s misinformed beliefs concerning
these issues.
Not of Interest
Brown, D., Digital Fortress, St. Martin’s Press, New York, 1998. Dan Brown’s break-
through novel was The Da Vinci Code, but his first novel, Digital Fortress, dealt
with NSA. It can be read for entertainment, but doesn’t offer any insight into
NSA.
Videography
America’s Most Secret Agency, The History Channel, January 8, 2001. Although sup-
posedly on NSA, this video features material on World War II, as well. As NSA
was born in 1952, this can only be background. It turns out that there was more
footage shot on NSA, but the agency got cold feet and asked for it to be cut;
hence, the filler—stock footage from World War II, which, along with UFOs,
seems to be The History Channel’s bread and butter.
Inside the NSA: America’s Cyber Secrets [DVD], National Geographic, 2012.
Pueblo (alternative title, Pueblo Affair), ABC Theatre, originally broadcast March 29,
1973. A reviewer for The New York Times commented, “Despite network restric-
tions of the era, Pueblo is refreshingly frank, right down to the first-ever TV dis-
play of a familiar obscene gesture (which the American prisoners explain away
to their captors as a ‘salute!’)” (http://movies.nytimes.com/movie/128338/
Pueblo/overview).
The Spy Factory [DVD], Nova, originally broadcast February 3, 2009. This serves as a
companion to James Bamford’s most recent book on NSA.
Top Secret: Inside the World’s Most Secret Agencies [VHS/DVD], Discovery Channel,
1999. This series explores the National Security Agency, Scotland Yard, and
Israel’s Mossad and is narrated by Johnny Depp.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
12
Data Encryption Standard*
We now turn to a cipher far more advanced than anything previously dis-
cussed in this book. The only reason it is not a good choice for use today is
because increased computing power allows brute-force solutions.
656–715, 1949.
¶ http://www-ee.stanford.edu/~hellman/crypto.html.
369
www.ebook777.com
free ebooks ==> www.ebook777.com
370 Secret History: The Story of Cryptology
* Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 980.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Viking, New York, 2001.
‡ Kinnucan, P., Data encryption gurus: Tuchman and Meyer, Cryptologia, 2(4), 371–381, 1978.
§ NBS was founded in 1901 but was renamed Bureau of Standards in 1903. It became NBS
again in 1934 and then, finally, National Institute of Standards and Technology (NIST) in 1988
(http://www.100.nist.gov/directors.htm).
¶ Roberts, R.W., Encryption algorithm for computer data protection: requests for comments,
Federal Register, 40(52), 12134–12139, 1975; National Bureau of Standards, Federal Information
Processing Data Encryption Proposed Standard, Federal Register, 40(149), 32395–32414, 1975.
** Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of Standards
proposed federal Data Encryption Standard, Cryptologia, 1(3), 284, 1977. Also see Winkel, B.J.,
There and there a department, Cryptologia, 1(4), 396–397, 1977.
free ebooks ==> www.ebook777.com
Data Encryption Standard 371
LO RO
L1 = R0 R1 = L0
FIGURE 12.2
L1, the new left-hand side, is simply R0, the old right-hand side; R1, the new right-hand side, is
L 0, the old left-hand side (http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf).
LO RO
K1
+ f
L1 = R0 R1 = L0 + f (RO, K1)
FIGURE 12.3
Function f (http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf).
DES can be intimidating when viewed all at once, but the individual pieces
it is made out of are very simple. The basic units (called blocks) on which the
algorithm works are 64 bits (8 characters) long. One operation used in DES
consists of breaking the 64 bit message block in half and switching sides,
as depicted in the diagram in Figure 12.2. This operation is clearly its own
inverse.
Another operation that is its own inverse is adding bits modulo 2. This is
also known as XOR (for exclusive OR) and is often denoted by ⊕. Figure 12.3
shows a function f, which takes K1 (derived from the 56-bit key K) and R0 as
inputs and outputs a value that is then XORed with L0 to obtain R1.
This combination of two self-inverse operations is referred to as a round.
DES goes through 16 such rounds. The manner in which the round keys are
derived from K will be detailed, but first we examine the function f. In general,
we refer to a cipher that uses rounds of the form depicted above (switching
sides and applying a function to one half) as a Feistel system, or Feistel cipher.
The most natural way of combining Ri and Ki would be to XOR them, but
Ri is 32 bits long and each of the round keys is 48 bits long. To even things up,
R is expanded by repeating some of the bits (their order is changed as well).
This is indicated in Figure 12.4 and referred to as E (for expansion). E is given
by the following:
www.ebook777.com
free ebooks ==> www.ebook777.com
372 Secret History: The Story of Cryptology
R (32 Bits)
S1 S2 S3 S4 S5 S6 S7 S8
32 Bits
FIGURE 12.4
Expanding R by repeating some of the bits (http://csrc.nist.gov/publications/fips/fips46-3/
fips46-3.pdf).
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Once the expanded right-hand side and the round key have been XORed,
the result is broken up into eight pieces of six bits each, each of which is fed
into a substitution box (S-box) that returns only four bits. Finally, a permuta-
tion, P, is performed on the output and the round is complete. The permuta-
tion P is given by
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
free ebooks ==> www.ebook777.com
Data Encryption Standard 373
The nonlinear heart of the algorithm is the S-boxes. Each box converts a
6-bit number, b1b2b3 b4 b5 b6, to a 4-bit number by first breaking it up into b1b6
and b2b3 b4 b5. That is, we now have a 2-bit and a 4-bit number. Converting
each of these to base 10, the first is between 0 and 3 and the second is
between 0 and 15. Thus, a row and column of the S-box are referenced. The
value at that location is our 4-bit result. All eight S-boxes are provided in
Table 12.1.
As an example, suppose that just prior to heading into the S-boxes, you
have the following string of 48 bits:
01010000011010110011110100011011001100001111010101011001
The first six bits, b1b2b3b4b5b6 = 010100, will be substituted for using the first
S-box, S1. We have b1b6 = 00 and b2b3b4b5 = 1010. Converting these to base 10,
we get 0 and 10, so we look in row 0 and column 10 of S1, where we find 6.
Converting 6 to base 2 gives 0110. Thus, the first 6 bits of the 48-bit string
above are replaced by 0110.
We then move on to the next 6 bits of our original 48-bit string, 000110.
If we now label these as b1b2b3b4b5b6, we have b1b6 = 00 and b2b3b4b5 = 0011.
Converting these to base 10, we get 0 and 3, so we look in row 0 and column 3
of S2, where we find 14. Converting 14 to base 2 gives 1110. Thus, the second
6 bits of the 48-bit string above are replaced by 1110. We continue in this
manner, 6 bits at a time, until all 48 bits have been replaced by using each of
the 8 S-boxes, in order. The final result is a 32-bit string.
It might seem that the particular values that fill the substitution boxes
aren’t important. One substitution is as good as another, right? Wrong! The
official description for DES stated, “The choice of the primitive functions KS,
S1, …, S8 and P is critical to the strength of the encipherment resulting from
the algorithm.”*
Much more will be said about these S-boxes in this chapter, but for now we
continue the discussion of how DES works. We are now ready to look at the
big picture. Figure 12.5 illustrates the 16 rounds that were discussed above.
Notice that there is no swapping of right and left sides after the last round.
This is so that encryption and decryption follow the same steps, with the
only difference being that the round keys must be used in the opposite order
for decryption. It is important to note that the composition of rounds is not
a round; that is, in general, two rounds with different keys cannot be real-
ized by a single round using some third key. If this were the case, 16 rounds
would be no better than one; they’d only take longer!
The only new elements here are the initial permutation and, at the end, the
inverse initial permutation. The initial permutation is given by
* U.S. Department of Commerce, Data Encryption Standard, FIPS Pub. 46-3, National Institute
of Standards and Technology, Washington, DC, 1999, p. 17 (http://csrc.nist.gov/publications/
fips/fips46-3/fips46-3.pdf).
www.ebook777.com
free ebooks ==> www.ebook777.com
374 Secret History: The Story of Cryptology
TABLE 12.1
S-Boxes
Column Number
Row
Number 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
S1
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
free ebooks ==> www.ebook777.com
Data Encryption Standard 375
Intput
Initial Permutation
Permuted LO RO
Input
K1
+ f
L1 = R0 R1 = L0 + f (RO, K1)
K2
+ f
L2 = R1 R2 = L1 + f (R1, K2)
Kn
+ f
K16
+ f
Output
FIGURE 12.5
The big picture (http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf).
www.ebook777.com
free ebooks ==> www.ebook777.com
376 Secret History: The Story of Cryptology
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Nobody seems to know why the designers bothered to rearrange the bits
of the plaintext—it has no cryptographic effect—but that’s how DES is
defined.
—Bruce Schneier *
Apparently, this permutation makes it easier to load the chip when DES
encryption is carried out by hardware, rather than software. Hardware
implementations of DES work really well, but software implementations are
not very efficient, since software doesn’t deal well with permutations of bits.
On the other hand, permuting bytes could be done more efficiently. This
approach is taken in portions of AES, an algorithm examined in Section 19.3.
The inverse of the initial permutation is
48 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
These permutations are always as above. They are not part of the key and
add nothing to the security of DES. The cipher would be just as strong (or
weak) without them, but it wouldn’t be DES.
Now, to complete the description of DES, we need to examine how the
round keys are obtained from K. It is accurate to refer to the key K as being
56 bits, but an extra 8 bits were used for error detection. These check bits are
inserted in positions 8, 16, 24, 32, 40, 48, 56, and 64 in order to make the parity
of each byte even. So, when selecting key bits from this 64 bit string, to use
as a round key, the positions holding the check digits should be ignored. The
relevant 56 bits are selected and permuted as follows:
* Schneier, B. and Ferguson, N., Practical Cryptography, Wiley, Indianapolis, IN, 2003, p. 52.
free ebooks ==> www.ebook777.com
Data Encryption Standard 377
c1c2c3 c4 c5 c6 c7c8 c9c10 c11c12c13 c14 c15 c16 c17c18 c19c20 c21c22c23 c24
and
d1d2 d3 d4 d5 d6 d7d8 d9 d10 d11d12 d13 d14 d15 d16 d17d18 d19 d20 d21d22 d23 d24
as the two halves and left shift each by two places, we get
c3 c4 c5 c6 c7c8 c9c10 c11c12c13 c14 c15 c16 c17c18 c19c20 c21c22c23 c24 c1c2
and
d3 d4 d5 d6 d7d8 d9 d10 d11d12 d13 d14 d15 d16 d17d18 d19 d20 d21d22 d23 d24 d1d2
As Figure 12.6 indicates, the number of shifts the halves undergo depends on
which round is being performed. After the number of left shifts required for
a particular round has been performed, the two halves are recombined and
48 bits are selected (and permuted) according to the following table:
* Cyclic shifts are often indicated with the notations “<<<” or “>>>” depending on whether the
shift is to the left or to the right.
www.ebook777.com
free ebooks ==> www.ebook777.com
378 Secret History: The Story of Cryptology
Key
Permuted
Choice 1
CO DO
Left Left
Shift Shift
C1 D1
Permuted
K1
Choice 2
Left Left
Shifts Shifts
Cn Dn
Permuted
Kn
Choice 2
Left Left
Shifts Shifts
C16 D16
Permuted
K16
Choice 2
FIGURE 12.6
Number of shifts depends on the round (http://csrc.nist.gov/publications/fips/fips46-3/
fips46-3.pdf).
The last necessary detail is the amount to left shift by in each round. It is
usually (but not always!) two units (see Table 12.2). Notice that the shifts add
up to 28, half the length of the key.
You now have enough information to implement DES in the programming
language of your choice. There were many details that required our atten-
tion, but each piece is very simple to explain, as well as to code.* However,
why the S-boxes took the form they did was far from clear when Lucifer
officially became DES. There’ll be more on this soon.
* It should be kept in mind, though, that DES was designed to be implemented on a chip, not
expressed in software.
free ebooks ==> www.ebook777.com
Data Encryption Standard 379
TABLE 12.2
Left Shift Schedule
Number of Number of
Iteration Number Left Shifts Iteration Number Left Shifts
1 1 9 1
2 1 10 2
3 2 11 2
4 2 12 2
5 2 13 2
6 2 14 2
7 2 15 2
8 2 16 1
For now, we note that Claude Shannon should have been pleased by the
design of DES. The combination of the transpositions and the substitutions
made by the S-boxes over 16 rounds provides the diffusion and confusion he
desired. Suppose we encipher some message M with DES using key K to get
ciphertext C. Then, we change a single bit of M or K and encipher again to get
a second ciphertext C′. Comparing C and C′, we will typically find that they
differ in about half of the positions.
See Figure 12.7 for another bit of cryptographic humor.
FIGURE 12.7
Another cartoon for the cryptologically informed (http://xkcd.com/153/). If you hover over the
cartoon with the mouse you get the alternate text, “If you got a big key space, let me search it.”)
www.ebook777.com
free ebooks ==> www.ebook777.com
380 Secret History: The Story of Cryptology
Diffie, Hellman and others have objected that a 56-bit key may be inad-
equate to resist a brute force attack using a special purpose computer
costing about $20 million. Others have estimated ten times that much.
Whichever figure is correct, there is little safety margin in a 56-bit key.
* Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of Standards
proposed federal Data Encryption Standard, Cryptologia, 1(3), 281, 1977. References for
their objection are Diffie, W., Preliminary Remarks on the National Bureau of Standards
Proposed Standard Encryption Algorithm for Computer Data Protection, unpublished
report, Stanford University, May 1975; Diffie, W. and Hellman, M.E., A critique of the pro-
posed Data Encryption Standard, Communications of the ACM, 19(3), 164–165, 1976; Diffie,
W. and Hellman, M.E., Exhaustive cryptanalysis of the NBS Data Encryption Standard,
Computer, 10(6), 74–84, 1977.
† Diffie, W. and Hellman, M.E., Exhaustive cryptanalysis of the NBS Data Encryption Standard,
systems with keys shorter than 64 bits to be exported, but not systems with
longer keys, a 56-bit key must be vulnerable to their attacks.* Others object-
ing to the 56-bit key included the following:
Morris, Sloane, and Wyner concluded that it would “very probably become
feasible sometime in the 1980s for those with large resources (e.g., govern-
ment and very large corporations) to decrypt [the proposed standard] by
exhaustive key search.”‡ They did admit that they were not aware of any
cryptanalytic shortcuts to decrypting; that is, brute-force was the best attack
they could find.
It was also observed that if the 56-bit key were obtained from 8 typed char-
acters, as opposed to 56 random bits, then “the cost of surreptitious decryp-
tion is lowered by a factor of about 200” and suggested that users be warned
of this, as well as advised that security can be increased by enciphering twice
www.ebook777.com
free ebooks ==> www.ebook777.com
382 Secret History: The Story of Cryptology
with two different keys.* This last statement seems premature (although it
did turn out to be correct, by a small margin). It was not until 1993 that DES
keys were proven not to form a group. So, until 1993, one couldn’t be sure
that double enciphering was any better.†
Morris, Sloane, and Wyner suggested that the key length should be
increased to 64 or even 128 bits.‡ In earlier versions, the algorithm did, in fact,
use a 128-bit key.§ They also wanted at least 32 iterations, instead of just 16.
Addressing concerns of the possibility of a back door having been built
into DES by NSA collaborators, Tuchman said, “We developed the DES algo-
rithm entirely within IBM using IBMers. The NSA did not dictate a single
wire.”¶ It is now known that IBM did in fact receive help from NSA. After
receiving IBM’s work, NBS sent it on to NSA, where changes were made,
with the algorithm described here being the final result.**
In fact, there were even contemporary accounts admitting NSA’s involve-
ment: “Aaron Wyner of Bell Laboratories in Murray Hill, New Jersey, says
‘IBM makes no bones about the fact that NSA got into the act before the
key size was chosen.’ [Alan] Konheim [of IBM at Yorktown Heights, NY]
admits that ‘IBM was involved with the NSA on an ongoing basis. They
[NSA employees] came up every couple of months to find out what IBM
was doing.’ But, Konheim says, ‘The 56-bit key was chosen by IBM because
it was a convenient size to implement on a chip.’ ”†† More inconvenient
would have been an inability to obtain an export license for a version with
a larger key!
From a recently declassified NSA history, we have the following:‡‡
* Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of Standards
proposed federal Data Encryption Standard, Cryptologia, 1(3), 281–282, 286, 1977.
† Although the claim should not have been stated as a fact, it was not based on nothing. For
the evidence, see Grossman, E., Group Theoretic Remarks on Cryptographic Systems Based on
Two Types of Addition, Research Report RC-4742, IBM T.J. Watson Research Center, Yorktown
Heights, NY, 1974.
‡ Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of Standards
Reports, 7(4), 1–12, 1971; Meyer, C.H., Design considerations for cryptography, AFIPS Conference
Proceedings, 42, 603–606, 1973 (see Figure 3 on p. 606).
¶ Kinnucan, P., Data encryption gurus: Tuchman and Meyer, Cryptologia, 2(4), 371–381, 1978.
** Trappe, W. and Washington, L.C., Introduction to Cryptography with Coding Theory, Prentice
NSA worked closely with IBM to strengthen the algorithm against all
except brute force attacks and to strengthen substitution tables, called
S-boxes. Conversely, NSA tried to convince IBM to reduce the length of
the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.†
Though its export was restricted, it was known to be widely used outside
the United States. According to a March 1994 study, there were some
1,952 products developed and distributed in thirty-three countries.‡
* Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book III. Retrenchment and
Reform, 1972–1980, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1998, p. 232.
† Ibid. Another source tells it differently, though: Foerstel, H.N., Secret Science: Federal Control of
American Science and Technology, Praeger, Westport, CT, 1993, p. 129, says the key was chopped
from 128 bits (as used in Lucifer) to 56 bits and that NSA really wanted a 32-bit key!
‡ Johnson, T.R., American Cryptology During the Cold War, 1945–1989. Book III. Retrenchment and
Reform, 1972–1980, Center for Cryptologic History, National Security Agency, Ft. George G.
Mead, MD, 1998, p. 239.
§ Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of Standards
A.D., Assessment of the National Bureau of Standards proposed federal Data Encryption
Standard, Cryptologia, 1(3), 287, 1977.
** Lexar Corporation, An Evaluation of the NBS Data Encryption Standard, unpublished report,
Lexar Corporation, 11611 San Vincente Boulevard, Los Angeles, CA, 1976.
www.ebook777.com
free ebooks ==> www.ebook777.com
384 Secret History: The Story of Cryptology
DES quickly took over the encryption market, becoming the code pro-
vided by 99 percent of the companies selling equipment.*
Even the Moscow-based Askri company offers a software encryption
package called Cryptos for $100. The package is based on the Data
Encryption Standard, America’s own national standard.†
The plea for a longer key was not heeded, though, nor were details of the
S-box construction revealed. Although adoption of DES was widespread,
these problems prevented it from being universally accepted:‡
Robert Morris of Bell Laboratories in Murray Hill, New Jersey, says that
officials of the Bell Telephone Company have decided that the DES is too
insecure to be used in the Bell System.
In 1985, when DES was used by bankers to encrypt electronic fund trans-
fers, NSA Deputy Director Walter Deeley said he “wouldn’t bet a plugged
nickel on the Soviet Union not breaking it.”§ Yet, DES remained mandatory
until 2002 for all federal agencies for protection of sensitive unclassified
information requiring encryption.
A common question over the years since the arrival of DES was whether
or not NSA could break it. The quote above seems to indicate an affirmative
answer by 1985, but the quote by Matt Blaze reproduced below comes at the
question from another perspective:¶
Blaze went on to give a list of the “Top Ten Threats to Security in Real
Systems.” Anyone concerned with actual security and not just the mathe-
matical aspects of the subject should study this list.**
* Foerstel, H.N., Secret Science: Federal Control of American Science and Technology, Praeger,
Westport, Connecticut, 1993, p. 129.
† Ibid., p. 138.
‡ Kolata, G.B., Computer encryption and the National Security Agency connection, Science,
16. Perhaps this was why! In fact, differential cryptanalysis was known to
the DES designers. They called it “T attack.” The mysterious S-boxes were
generated and tested until ones that fit certain criteria were found; they
needed to be able to resist T attack and linear cryptanalysis. Neither attack
was publicly known at the time. NSA knew about differential cryptanalysis,
but didn’t want the information shared; hence, the generation of the S-boxes
had to remain secret. Susan Landau, among others, believes that NSA had
not anticipated linear cryptanalysis.* In any case, both of these attacks were
rediscovered in the open community and are now available to anyone.
There are some “weak” keys for DES. This term is used to denote keys such
that all of the round keys they produce are identical. Obvious examples are a
key consisting of 56 zeros and a key consisting of 56 ones, but there are two
others. There are also six pairs of semiweak keys that should be avoided.
Rather than generating 16 distinct round keys, these only produce 2, each of
which is then used for 8 rounds. The result is that a key in each semiweak
pair can decrypt messages enciphered with the other key.† Each extra key
that can be used reduces the average runtime of a brute-force attack by a
factor of two.
To prove the insecurity of DES, EFF built the first unclassified hardware
for cracking messages encoded with it. On Wednesday, July 17, 1998, the
EFF DES Cracker, which was built for less than $250,000, easily won RSA
Laboratory’s DES Challenge II contest and a $10,000 cash prize. It took
the machine less than 3 days to complete the challenge, shattering the
previous record of 39 days set by a massive network of tens of thousands
of computers.
* In any case, it first appeared publicly in Matsui, M., Linear cryptanalysis method for DES
cipher, in Helleseth, T., Ed., Advances in Cryptology: EUROCRYPT ’93 Proceedings, Lecture
Notes in Computer Science, Vol. 765, Springer, Berlin, 1994, pp. 386–397.
† For more on this topic, see Moore, J.H. and Simmons, G., Cycle structure of the DES with weak
and semiweak keys, in Odlyzko, A.M., Ed., Advances in Cryptology: CRYPTO ’86 Proceedings,
Lecture Notes in Computer Science, Vol. 263, Springer, Berlin, 1987, pp. 9–32.
‡ http://www.eff.org/Privacy/Crypto_misc/DESCracker/.
www.ebook777.com
free ebooks ==> www.ebook777.com
386 Secret History: The Story of Cryptology
FIGURE 12.8
The EFF DES cracker sits behind Paul Kocher, the principal designer, who is holding one of
the 29 boards, each of which contains 64 custom microchips. (From http://www.cryptography.
com/technology/applied-research/research-efforts/des-key-search/des-key-search-photos.
html and used with the permission of Paul Kocher.)
FIGURE 12.9
A close-up view of one of the DES cracker circuit boards. (From http://www.cryptography.
com/technology/applied-research/research-efforts/des-key-search/des-key-search-photos.
html and used with the permission of Paul Kocher.)
free ebooks ==> www.ebook777.com
Data Encryption Standard 387
FIGURE 12.10
A close-up view of one of the “Deep Crack” custom microchips. (From http://www.cryptog-
raphy.com/technology/applied-research/research-efforts/des-key-search/des-key-search-
photos.html and used with the permission of Paul Kocher.)
www.ebook777.com
free ebooks ==> www.ebook777.com
388 Secret History: The Story of Cryptology
12.4 Second Chance
One way to possibly improve the security of DES is to compose it with itself
using different keys, but enciphering twice with two different DES keys does
not help much! Merkle and Hellman found that a meet-in-the middle attack
reduces the keyspace for a brute-force attack from the expected (256)(256) =
2112 to 257, only twice that of single DES!* The meet-in-the-middle attack is not
much more difficult conceptually than a brute-force attack, but it does require
a plaintext/ciphertext pair. If the double encryption is represented by
C = Ekey 2 ( Ekey 1 ( M ))
These two columns will have an entry in common. When key 1 is used in
column 1 and key 2 is used in column 2, the entries will both match the result
following the first encipherment of the original message. Thus, after calculat-
ing 2 columns of 256 values each, the keys must be revealed. This is how we
get 257 as the size of the space that must be brute forced.
When looking for a match between columns 1 and 2, we might find several.
If we have more than a single block of text to work with, we can apply the
potential keys to each of these to see which is actually the correct key pair.
With Triple DES, we gain more of an advantage. We may carry out the
triple encryption with just two keys by applying the following steps:†
* Merkle, R. and Hellman, M., On the security of multiple encryption, Communications of the
ACM, 24(7), 465–467, 1981.
† This procedure was suggested in Tuchman, W., Hellman presents no shortcut solutions to
* van Oorschot, P.C. and Wiener, M.J., A known-plaintext attack on two-key triple encryption,
in Damgård, I.B., Ed., Advances in Cryptology: EUROCRYPT ’90 Proceedings, Lecture Notes in
Computer Science, Vol. 473, Springer, Berlin, 1991, pp. 318–325.
† Kaliski Jr., B.S., Rivest, R.L., and Sherman, A.T., Is the Data Encryption Standard a group?
Cryptology: CRYPTO ’92 Proceedings, Lecture Notes in Computer Science, Vol. 740, Springer,
Berlin, 1993, pp. 512–520. This paper credits Don Coppersmith for the proof. It’s available
online at http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C92/512.PDF.
www.ebook777.com
free ebooks ==> www.ebook777.com
390 Secret History: The Story of Cryptology
messages is the order of E1E0. The cycle length of any particular message M
must divide the order of E1E0, which in turn divides the order of the group
formed by the DES keys (if it is indeed a group). So, to show that DES is
not a group, all that is necessary is to calculate the cycle lengths for various
choices of n and look at their least common multiple, which provides a lower
bound on the order of E1E0 (and hence the DES keys themselves).
Don Coppersmith was the first to do this.* The cycle lengths of 33 messages
he examined implied the order of E1E0 to be at least 10277. Keith W. Campbell
and Michael J. Wiener followed up on this with 295 more messages showing
that the subgroup generated by the DES permutation was bounded below by
1.94 × 102499. Campbell and Wiener noted that back in 1986 cycle lengths were
published by Moore and Simmons† that, when taken with the argument
above, were sufficient to show DES was not a group; however, this point was
missed and the question remained open for years!
DES was not to be the last cipher that NSA had a hand in designing for out-
side use. A less successful attempt was made with the Clipper chip in 1993.‡ It
differed from DES in that the algorithm was classified; all the user would get
would be a tamperproof chip. Even worse, the proposal came with the idea
of “key escrow,” meaning that the built-in key for each chip would be kept on
file so that it could be accessed by law enforcement agents who had obtained
warrants. The government’s past history of warrantless eavesdropping didn’t
inspire much confidence in this proposal. Following some heated debate,
Clipper vanished. Key escrow attempts proved to be even less welcome in the
European Union, where there are, in general, more laws protecting privacy.
12.5 Interesting Feature
One semester I worked with a student, Austen Duffy, on an attack on DES
that had no justification for working. Not surprisingly, it didn’t. However, it
did reveal something interesting. The idea was that if there existed a mes-
sage whose ciphertext had a bitsum (i.e., Hamming weight) that correlated
with the bitsum of the key, a brute-force attack could be launched on the
in Odlyzko, A.M., Ed., Advances in Cryptology: CRYPTO ’86 Proceedings, Lecture Notes in
Computer Science, Vol. 263, Springer, Berlin, 1987, pp. 9–32.
‡ For a nontechnical history of the Clipper chip, see pages 226–268 of Levy, S., Crypto: How the
Code Rebels Beat the Government, Saving Privacy in the Digital Age, Viking, New York, 2001. An
analysis of the algorithm used by Clipper (it was eventually released) is given in Kim, J. and
Phan, R.C.-W., Advanced differential-style cryptanalysis of the NSA’s Skipjack block cipher,
Cryptologia, 33(3), 246–270, 2009.
free ebooks ==> www.ebook777.com
Data Encryption Standard 391
FIGURE 12.11
Display of correlation values and messages.
E ( K , P ) = E( K , P)
* For a proof, see Schneier, B. and Ferguson, N., Practical Cryptography, Wiley, Indianapolis, IN,
2003, p. 54.
www.ebook777.com
free ebooks ==> www.ebook777.com
392 Secret History: The Story of Cryptology
FIGURE 12.12
Result of retrying “best” message with more random key sets.
This result was known (to others) well before we began our attack, but it was
new to us. Taking the message yielding the “best” correlation, we tried it
repeatedly with random sets of keys and computed the correlation for each
set. As the output in Figure 12.12 indicates, the correlation did not remain at
the value found above.
The situation is analogous to taking a large number of coins (as opposed to
messages) and flipping them 100 times each. Perhaps one of them will land
head side up 60% of the time. The distribution of the number of heads the
coins shows should follow a bell curve, so it’s not surprising that some coins
yield many more heads than others. However, if we take the coin yielding
the most heads and flip it another hundred times, repeatedly, we can expect,
on average, that there will be 50 heads each time.
So, a purely investigatory line of thought, not backed by any theory, pointed
us to an interesting feature of DES that we had not anticipated. Though the
result was not new, I think it serves as a good illustration of how research
may go. Even failures may prove interesting and useful.
Several DES variants have been offered to address attacks. The most
notable (and simplest) is Triple DES, but there is also DES with Independent
Subkeys, DESX, CRYPT(3), Generalized DES (GDES), DES with Alternate
S-Boxes, RDES, snDES (a number of variants, with n taking the values 2, 3, 4,
and 5), DES with Key-Dependent S-Boxes, and NEWDES.*
* For some details on these variants (and further references for those desiring yet more detail),
see Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996, pp. 294–
300, 306–308.
free ebooks ==> www.ebook777.com
Data Encryption Standard 393
12.5.1 Cryptologic Humor
In the Vol. 0, No. 0, issue of Journal of Craptology, the paper “Terms Used in
the Disciplines of Cryptography, IT Security and Risk Analysis” offered the
following definition:
If a civil liberties group can build a DES Cracker for $200,000, it’s pretty
likely that governments can do the same thing for under a million
dollars.
12.6 Modes of Encryption
DES can be implemented in many different modes. This isn’t a new idea.
Many of the ciphers examined in previous chapters may be implemented in
a variety of ways; for example, in Section 3.5, we saw the autokey of Blaise de
Vigenère (1523–1596). After a short “priming key” encryption was continued
in the manner of a running key cipher, but using previous portions of the
message itself (or the ciphertext that was being generated) as the key. This
was an important contribution, but little was done with it for hundreds of
years. In 1958, Jack Levine presented a pair of new methods for implement-
ing matrix encryption.† Before showing Levine’s approach, we set our nota-
tion. We will represent traditional matrix encryption by Ci = APi, where A is
the (never-changing) enciphering matrix, and Pi and Ci are the ith groups of
plaintext and ciphertext characters, respectively.
12.6.1 Levine’s Methods
Levine introduced a second invertible matrix B and made the ciphertext a func-
tion of not just the current plaintext block but also the one that went before:
Ci = APi + BPi–1
www.ebook777.com
free ebooks ==> www.ebook777.com
394 Secret History: The Story of Cryptology
This works well for enciphering the second, third, and so on groups of plain-
text, but for the first group of plaintext characters, P1, there is no previous
group to use for P0. Thus, in addition to the matrices A and B, Levine needed
to define a priming plaintext (P0) as part of the key.
Example 1
Our key will be
5 5 13 10 17
A= B= P0 =
6 11 3 3 6
Let the message be the following quote from Nobel Prize-winning physicist
Richard Feynman:*
8 19 14 11 3 7 8 12 14 5 2
14 20 17 18 4 19 7 0 19 8 3
8 3 13 19 10 13 14 22 22 7 8
2 7 8 18 12 24 0 13 18 22 4
17 19 14 0 11 12 14 18 19 4 21
4 17 24 16 20 4 18 19 8 14 13
5 5 8 13 10 17 0
C1 = + =
6 11 19 3 3 6 14
5 5 14 13 10 8 3
C2 = + =
6 11 11 3 3 19 0
5 5 3 13 10 14 4
C3 = + =
6 11 7 3 3 11 14
* Feynman, R., “What Do You Care What Other People Think?,” W.W. Norton, New York, 1988, p.
61.
free ebooks ==> www.ebook777.com
Data Encryption Standard 395
12.6.2 Modern Modes
These ideas surfaced again in the 1970s with modern block ciphers, such as
DES. In the following pages, a few modes of encryption currently in use are
detailed.
www.ebook777.com
free ebooks ==> www.ebook777.com
396 Secret History: The Story of Cryptology
Error propagation is only slightly worse for CBC than for ECB mode. If
an error is present in a given ciphertext block (due to transmission rather
than an error made by the encipherer), that block will decipher incorrectly,
as will the one that follows. However, the next ciphertext block will be cor-
rectly recovered, as its plaintext is only dependent on itself and the previ-
ous ciphertext block. The fact that the previous plaintext block is garbled
is irrelevant. The incorrect bits in the two damaged blocks will be of the
same number and in the same positions. This mode was invented in 1976 by
researchers at IBM.*
* Ehrsam, W.F., Meyer, C.H.W., Smith, J.L., and Tuchman, W.L., Message Verification and
Transmission Error Detection by Block Chaining, U.S. Patent 4074066, 1976.
free ebooks ==> www.ebook777.com
Data Encryption Standard 397
Shift Register
Encrypt
Pi Ci
(8 bits) (8 bits)
FIGURE 12.13
Cipher Feedback (CFB) mode.
www.ebook777.com
free ebooks ==> www.ebook777.com
398 Secret History: The Story of Cryptology
Shift Register
Encrypt
Pi Ci
(8 bits) (8 bits)
FIGURE 12.14
Output Feedback (OFB) mode.
The problem was that smaller values of m, such as the 8 used above, could
give rise to cycles of keys to be XORed with the text that are simply too short
for heavy traffic. So, it shouldn’t be a surprise that the update to this mode
definition, as given in SP 800-38A, is to have it operate on the entire block,
not just a portion of it.†
12.6.2.5 Counter Mode
Counter (CTR) mode requires a set of distinct counters (blocks of bits), each
having the same size as the plaintext blocks. We label these counters as CNTi.
We then have Ci = Mi ⊕ E(CNTi) for 1 ≤ i. There is no chaining involved in
this mode. Repeated plaintext blocks will be enciphered differently, due to
* Davies, D.W. and Parkin, G.I.P., The average cycle size of the key stream in output feedback
encipherment [abstract], in Chaum, D., Rivest, R.L., and Sherman, A.T., Eds., Advances in
Cryptology: CRYPTO ’82 Proceedings, Plenum Press, New York, 1983, pp. 97–98.
† See SP 800-38A, http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html.
free ebooks ==> www.ebook777.com
Data Encryption Standard 399
the counters all being distinct. The counters are normally defined by choos-
ing a random value for CNT1 and then incrementing successive counters by
one each time. Counter mode was first proposed by Diffie and Hellman in
1979.* New modes continue to be proposed today. The discussion here is only
intended to cover the most popular modes for basic encryption.
www.ebook777.com
free ebooks ==> www.ebook777.com
400 Secret History: The Story of Cryptology
Kahn, D., The Codebreakers, 2nd ed., Scribner, New York, 1996, p. 980. Do not consult
the first edition for information on DES. This cipher did not exist when the first
edition was published.
Katzman, Jr., H., The Standard Data Encryption Algorithm, Petrocelli Books, New York,
1977.
Kinnucan, P., Data encryption gurus: Tuchman and Meyer, Cryptologia, 2(4), 371–381,
1978 (reprinted from Mini-Micro Systems, 2(9), 54, 56–58, 60, 1978). This paper
quotes Walter Tuchman as saying, “The DES algorithm is for all practical pur-
poses unbreakable.” Feistel is mentioned, but this paper gives nearly all of the
credit for DES to Walter Tuchman and Carl Meyer. Tuchman was also quoted
as saying, “The NSA told us we had inadvertently reinvented some of the deep
secrets it uses to make its own algorithms.”
Landau, S., Standing the test of time: the Data Encryption Standard, Notices of the
AMS, 47(3), 341–349, 2000 (http://www.ams.org/notices/200003/fea-landau.
pdf).
Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital
Age, Viking, New York, 2001.
Matsui, M., Linear cryptanalysis method for DES cipher, in Helleseth, T., Ed., Advances
in Cryptology: EUROCRYPT ’93 Proceedings, Lecture Notes in Computer Science,
Vol. 765, Springer, Berlin, 1994, pp. 386–397.
Merkle, R. and Hellman, M., On the security of multiple encryption, Communications
of the ACM, 24, 465–467, 1981.
Morris, R., Sloane, N.J.A., and Wyner, A.D., Assessment of the National Bureau of
Standards proposed federal Data Encryption Standard, Cryptologia, 1(3), 281–
291, 1977. The authors attended the second of two workshops held by the NBS
on September 21–22, 1976, to evaluate the proposed Data Encryption Standard.
This paper presents their conclusions. It also provides many references on the
reports, papers, and patents leading up to DES.
Simovits, M.J., The DES: An Extensive Documentation and Evaluation, Aegean Park
Press, Laguna Hills, CA, 1996.
Solomon, R.J., The encryption controversy, Mini-Micro Systems, February 1978.
U.S. Department of Commerce, Data Encryption Standard, FIPS Pub. 46-3, National
Institute of Standards and Technology, Washington, DC, 1999 (http://csrc.nist.
gov/publications/fips/fips46-3/fips46-3.pdf). This is the final version of the
government document detailing the Data Encryption Standard.
van Oorschot, P.C. and Wiener, M.J., A known-plaintext attack on two-key triple
encryption, in Damgård, I.B., Ed., Advances in Cryptology: EUROCRYPT ’90
Proceedings, Lecture Notes in Computer Science, Vol. 473, Springer, Berlin, 1991,
pp. 318–325.
On Modes of Encryption
Davies, D.W. and Parkin, G.I.P., The average cycle size of the key stream in output
feedback encipherment [abstract], in Chaum, D., Rivest, R.L., and Sherman,
A.T., Eds., Advances in Cryptology: CRYPTO ’82 Proceedings, Plenum Press, New
York, 1983, pp. 97–98.
de Vigenère, B., Traicté des Chiffres, 1586. Although Cardano had previously hacked at
the problem, this is where the first working autokeys were presented.
free ebooks ==> www.ebook777.com
Data Encryption Standard 401
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
13
Birth of Public Key Cryptography*
A major problem with all of the methods of encipherment examined thus far
is that the sender and receiver must agree on a key prior to the creation and
delivery of the message. This is often inconvenient or impossible. There were
some failed attempts to overcome this problem before an elegant solution
was found. One is detailed below, before examining current solutions.
13.1 Revolutionary Cryptologist
During the American Revolutionary War, James Lovell attempted to deal
with the problem within the context of a cipher system of his own creation.†
His system was similar to the Vigenère cipher and is best explained through
an example. Suppose our message is I HAVE NOT YET BEGUN TO FIGHT
and the key is WIN. We form three alphabets by continuing from each of the
three key letters like so:
1 W I N 15 J W A
2 X J O 16 K X B
3 Y K P 17 L Y C
4 Z L Q 18 M Z D
5 & M R 19 N & E
6 A N S 20 O A F
7 B O T 21 P B G
8 C P U 22 Q C H
9 D Q V 23 R D I
10 E R W 24 S E J
11 F S X 25 T F K
12 G T Y 26 U G L
13 H U Z 27 V H M
14 I V &
Notice that Lovell included & as one of the characters in his alphabet.
403
www.ebook777.com
free ebooks ==> www.ebook777.com
404 Secret History: The Story of Cryptology
The first letter of our message is I, so we look for I in the column headed
by W (our first alphabet). It is found in position 14, so our ciphertext begins
with 14. Our next plaintext letter is H. We look for H in the column headed
by I (our second alphabet) and find it in position 27. Thus, 27 is our next
ciphertext number. Then we come to plaintext letter A. Looking at our third
alphabet, we find A in position 15. So far, our ciphertext is 14 27 15. We’ve
now used all three of our alphabets, so for the fourth plaintext letter we start
over with the first alphabet, in the same manner as the alphabets repeat in
the Vigenère cipher. The complete ciphertext is 14 27 15 27 24 1 20 12
12 10 12 16 10 26 8 19 12 2 11 1 21 13 12.
Lovell explained this system to John Adams and Ben Franklin and
attempted to communicate with them using it. He avoided having to agree
on keys ahead of time by prefacing his ciphertexts with clues to the key, such
as, “You begin your Alphabets by the first 3 letters of the name of that fam-
ily in Charleston, whose Nephew rode in Company with you from this City
to Boston.”* Thus, for every message Lovell sent using this scheme, if a key
hadn’t been agreed on ahead of time, he had to think of some bit of knowl-
edge that he and the recipient shared that could be hinted at without allow-
ing an interceptor to determine the answer. This may have typically taken
longer than enciphering! Also, Lovell’s cipher seems to have been too com-
plicated for Adams and Franklin even without the problem of key recovery,
as both failed to read messages Lovell sent. Abigail Adams was even moved
to write Lovell in 1780, “I hate a cipher of any kind.”†
* Weber, R.E., James Lovell and secret ciphers during the American Revolution, Cryptologia,
2(1), 83, 1978.
† Ibid., pp. 75–88.
‡ The idea of public key cryptography was presented in an earlier paper by Diffie and Hellman
titled “Multiuser Cryptographic Techniques.” An actual method was not yet ready at the
time of that publication. The authors wrote, “At present, we have neither a proof that public
key systems exist, nor a demonstration system.” Ralph Merkle, an undergraduate at Berkeley
had found a system in 1974, but it lacked elegance. It is of high historical value, yet it never
found use. It is described along with a second method (knapsack) developed by Merkle in
Chapter 15.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 405
* Diffie, W. and Hellman, M., New directions in cryptography, IEEE Transactions on Information
Theory, IT-22(6), 644–654, 1976.
† Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, New York, 2007, pp. 301–302.
‡ http://www-ee.stanford.edu/~hellman/.
§ Hellman, M.E., Work on Cryptography, http://www-ee.stanford.edu/~hellman/crypto.html.
¶ James H. Ellis was the first to show that nonsecret encryption was possible, and Malcolm
Williamson first discovered the approach credited to Diffie and Hellman, but they both
worked for the Government Communications Headquarters (GCHQ), the British equivalent
of the National Security Agency, and their work was classified. It was only revealed in 1997.
Bobby Ray Inman, a former director of NSA has hinted that NSA had found this approach
prior to its discovery by the GCHQ, but this doesn’t appear to be true.
www.ebook777.com
free ebooks ==> www.ebook777.com
406 Secret History: The Story of Cryptology
Alice and Bob must first agree on a prime number (p) and a generator (α) of
the multiplicative group of units modulo p. If someone is eavesdropping on
the line and obtains these values, that’s okay! Next, each person (except the
eavesdropper) selects a number. Let’s say Alice chooses x and Bob chooses y.
They keep these values secret. Alice calculates αx (mod p) and Bob calculates
αy (mod p). They then exchange these new values. Alice would have great
difficulty calculating y from αy. Similarly, Bob is unlikely to be able to deter-
mine Alice’s x. However, both can form αxy. Alice simply raises the number
Bob sent her to the power of x and Bob raises the number Alice sent him to
the power of y. The eavesdropper cannot do this as she knows neither x nor
y. She may have intercepted α, p, αx, and αy, but this won’t help her find αxy.
Thus, Alice and Bob now share a secret number. This will serve as their key
for future communication, using whatever system they choose.
When α, p, and αx (mod p) are known, but not x, determining x is known as
the discrete log problem. The security of Diffie–Hellman key exchange sounds
like it should be equivalent to this problem, but this has yet to be proven. To
recap, the two problems are as follows:
It is possible that someone may find a way to defeat the key exchange (prob-
lem 2) without solving the discrete log problem (problem 1). This is a very
big open problem. More will be said about the difficulty of the discrete log
problem in Section 15.8, which follows a discussion of complexity theory. In
any case, we have a lovely system built on nothing more complicated than
the laws of exponents and the idea of remainder arithmetic!
Malcolm Williamson discovered Diffie-Hellman key exchange before the
individuals it is named after, but he was employed by GCHQ at the time, and
his work was classified. It was only released in 1997.
Implemented as described above, the key exchange requires several mes-
sages to be sent. If we are willing to do this, even some of the cryptosys-
tems discussed earlier in this text may be used to securely send a message
to someone with whom a key exchange has not taken place. An analogy will
make the process clear, after which it will be described more mathematically.
Alice can send Bob a message she places in a box and secures with a pad-
lock. Bob doesn’t try to open it, since he doesn’t have the key. He simply
adds his own padlock and mails it back to Alice. Anyone wishing to see the
message at this stage must be able to remove both padlocks. Alice can only
remove her own, which she does. She then mails it back to Bob, who removes
his padlock and reads the message.
Now for the mathematical version of the physical process described above:
• Let EA, EB, DA, and DB represent the enciphering and deciphering
algorithms (along with the keys A and B) used by Alice and Bob.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 407
Note: If DA and EB commute, DA and EA will then cancel out and Alice’s final
message will amount to EB(M).
• Bob then applies DB to Alice’s last message and reads the plaintext.
Commutativity is important here! This process will not work without it.
Diffie and Hellman obviously realized the great importance of their
paper (hence, the title*), but they also realized that theirs was far from the
last word on the topic; the paper included the line, “We propose some tech-
niques for developing public key cryptosystems, but the problem is still
largely open.Ӡ
All of the systems that we have looked at up to this point are examples of
symmetric algorithms; that is, the decryption key is the same or can be eas-
ily calculated from the encryption key (as in matrix encryption). More often
than not, in classical cryptography, the two keys are identical. The Diffie–
Hellman scheme detailed above results in such a key being generated, even
though it is done openly. That this could be done was revolutionary and
inspired others to search for more such techniques. Although there are sev-
eral “public key” algorithms, only one will be described in this chapter; oth-
ers will be examined later.‡ What they all have in common is asymmetric keys,
such that the enciphering and deciphering keys differ and it is not feasible to
calculate one from the other.
* Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Viking, New York, 2001, p. 88. Levy points out that the title of the paper brings to mind the
“mind-blowing paperbacks of the New Directions publishing house,” which issued Waiting
for Godot, Siddhartha, and In the American Grain.
† Diffie, W. and Hellman, M., New directions in cryptography, IEEE Transactions on Information
www.ebook777.com
free ebooks ==> www.ebook777.com
408 Secret History: The Story of Cryptology
FIGURE 13.3
Adi Shamir (1952–), Ron Rivest (1947–), and Len Adleman (1945–). Between the necks of Rivest
and Adleman the chalkboard shows ∴ P = NP. (Courtesy of Len Adleman, http://www.usc.
edu/dept/molecular-science/RSApics.htm.)
The creators of RSA did not have immediate success in their attack on the
problem. In fact, they were able to break their first 32 attempts themselves.*
Finally, three years after beginning, a workable scheme was found. There
may have been an earlier breakthrough, as the following anecdote from a ski
trip the researchers went on suggests:†
On only the second day that the Israeli [Shamir] had ever been on skis,
he felt he’d cracked the problem. “I was going downhill and all of a sud-
den I had the most remarkable new scheme,” he later recalled. “I was so
excited that I left my skis behind as I went downhill. Then I left my pole.
And suddenly…I couldn’t remember what the scheme was.” To this day he
does not know if a brilliant, still-undiscovered cryptosystem was aban-
doned at Killington.
The details of RSA will soon be laid out, but first we must review some (old!)
results from number theory.
* Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Viking, New York, 2001, p. 97.
† Ibid., p. 96. Was this what prompted Hughes-Hallett et al. to put a skier on the cover of their
calculus book? An attempt to jog Shamir’s memory? They even used the first-person perspec-
tive as if attempting to recreate Shamir’s field of vision at the moment that the great idea was
passing through his mind!
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 409
Fermat stated the theorem in a different form and did not offer a proof. It
is presented here in a manner that will prove useful, but it first needs to be
generalized a bit. This was done by Leonhard Euler (with proof!) in 1760.‡
Euler’s generalization may be stated tersely as
The notation (m,n) = 1 means that m and n are relatively prime; that is,
their greatest common divisor is 1. It is sometimes written using the more
descriptive notation gcd(m,n) = 1. The exponent φ(n) is called the “Euler φ
function,” with φ pronounced as fee rather than figh. It is also sometimes
referred to as Euler’s totient function.§ However you read it, φ(n) is defined
to be the number of positive integers less than n and relatively prime to n.
For example, φ(8) = 4, because 1, 3, 5, and 7 are the only positive integers less
than 8 that have no positive factors in common with 8 other than 1. It is easy
to see that φ(p) = p – 1 if p is a prime. Hence, Fermat’s little theorem is just a
special case of Euler’s theorem.
Proof
Observing that the multiplicative group modulo n has order φ(n), and recall-
ing that the order of a group element must divide the order of the group,
we see that mφ(n) = 1 (mod n). The requirement that (m,n) = 1 is necessary to
guarantee that m is invertible modulo n or, in other words, to ensure that m
is an element of the group of units modulo n.
Although Fermat and Euler had not realized it, their work would find
application in cryptography, making RSA possible. The eventual applica-
tions of once pure mathematics are typically impossible to predict. To see
how RSA works, we first multiply both sides of Euler’s equation by m to get:
mφ(n)+1 = m (mod n)
‡ Sandifer, C.E., The Early Mathematics of Leonhard Euler, Mathematical Association of America,
Washington, DC, 2007, p. 203. Euler’s phi function was used at this time, but was not given a
name until three years later (see the next footnote). Carl Friedrich Gauss introduced the “mod
n” notation, the congruence symbol, and φ in 1801.
§ Totient is from Latin and means “to count.” Euler named this function in Euler, L.,
www.ebook777.com
free ebooks ==> www.ebook777.com
410 Secret History: The Story of Cryptology
13.3.2 Euclidean Algorithm
We begin by dividing the smaller number into the larger, noting the quotient
and remainder:
999,648 = 125(7997) + 23
We then repeat the procedure using 125 and 23 in place of 999,648 and 125:
125 = 23(5) + 10
* Proving φ(n) = (p – 1)(q – 1), when n is the product of two distinct primes, p and q, is left as an
exercise (with some hints—see the online exercises). All exercises are available online only.
† Dates are according to Wikipedia; however, http://www.gap-system.org/~history/
Biographies/Euclid.html gives c. 325–265 BC, but then both are indicated to be estimates!
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 411
23 = 10(2) + 3
And again:
10 = 3(3) + 1
3 = 1(3) + 0
This algorithm may require more or fewer iterations for another pair of
numbers, but no matter what values are investigated the algorithm always
ends with a remainder of 0 and the last nonzero remainder is the gcd. That
we obtained 1 shows that the two numbers are relatively prime, so 125 was a
good choice for the enciphering key. It is invertible modulo 999,648.
Now that Alice has her enciphering exponent (part of her public key), how
can she compute her deciphering exponent (her private key)?
Rewriting the equations we obtained from the Euclidean algorithm allows
us to express the gcd as a linear combination of the two numbers that yielded
it. We rewrite the equations as
1 = 10 – (3)(3) (13.1)
3 = 23 – (10)(2) (13.2)
10 = 125 – (23)(5) (13.3)
23 = 999,648 – (125)(7,997) (13.4)
Substituting for 3 in Equation 13.1 with the value given by Equation 13.2 gives
We now use Equation 13.3 above to substitute for the 10 (twice) to get
1 = 125(7) – 23(38)
Finally, we substitute for 23 using Equation 13.4 and collect multiples of 125
and 999,648:
www.ebook777.com
free ebooks ==> www.ebook777.com
412 Secret History: The Story of Cryptology
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
He gets
14210312050118230118091914152023011809200919192109030904050114
04070514150309040518151212050409142015151405
Because the modulus is only a little over a million, the text must be split
into pieces less than a million; otherwise, the encryption could fail to be one
to one. That is, a given ciphertext block could have more than one possible
decipherment. Groups of six numbers will do; thus, we have
The fact that the last number is only four digits does not matter, nor do lead-
ing zeros in the seventh and other number groups.
To get the final ciphertext, Bob simply raises each number to the encipher-
ing exponent, 125, and reduces the answer modulo 1,001,653. He gets
* The plaintext was taken from The Nazi Within, an essay by Martin E. Hellman, which may be
found online at http://www-ee.stanford.edu/~hellman/opinion/bitburg.html.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 413
It should be noted that it is not guaranteed that all ciphertext blocks will be
nice six-digit numbers (after adding leading zeros when necessary). Moding
out by 1,001,653 could yield a remainder larger than 999,999, which would
then require seven digits. If the ciphertext were run together with the occa-
sional block of length 7, decipherment would be ambiguous. Alice wouldn’t
know where to insert the breaks (i.e., when to take six digits and when to
take seven). The problem could be resolved by writing all ciphertext numbers
using seven digits. For the example above (since we never got a number in
excess of 999,999), all of the ciphertext blocks would begin with a leading zero.
If one can factor the modulus, RSA encryption is easy to break, but the
security of RSA is not known to be equivalent to factoring. There may be a
way to break RSA by some other means that would not reveal the factoriza-
tion of n. This is an important open problem. So, as with Diffie–Hellman key
exchange, security is based on, if not equivalent to, the inability of an attacker
to solve a mathematical problem (factoring for RSA and the discrete log prob-
lem for Diffie–Hellman). Other public key systems are built on other suppos-
edly hard problems. There will be more on this in later chapters. It’s possible
that someone could come up with a quick solution for one (or all) of these
problems tomorrow or that someone already has and we just don’t know it!
The RSA algorithm has an important practical drawback—it is slow. We’ll
take a quick look at a good way to compute powers, but it is still tedious
compared to extremely fast operations like XORing used in other encryp-
tion algorithms. Thus, RSA is typically used only to encipher a key for some
symmetric system (like DES). The (enciphered) key is then sent along with
a message enciphered with that key in the symmetric system. This will be
discussed in greater detail in Chapter 17. Because RSA is just applied to the
relatively short (compared to most messages) key, the delay is tolerable!
Even if we are only enciphering a tiny amount of text with RSA, we would
still like to do it as efficiently as possible. The technique of repeated squar-
ing, demonstrated below, is a nice way to carry out the exponentiation. As an
example, consider 3851563 (mod 391). Obviously, this is too small of a modulus,
but the same technique applies for other values, and smaller numbers make
for clearer explanations. Naturally, we do not wish to repeatedly multiply
by 385, moding out as we go, 1563 times. Instead, we calculate the following
squares:
3852 = 148,225 = 36 (mod 391)
www.ebook777.com
free ebooks ==> www.ebook777.com
414 Secret History: The Story of Cryptology
* Gardner, M., Mathematical games: a new kind of cipher that would take millions of years to
break, Scientific American, 237(August), 120–124, 1977.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 415
Rivest quickly received 4000 requests for the paper,* and eventually 7000
requests were piled up in Shamir’s office.† The papers were finally mailed
in December 1977. Meanwhile, Gus Simmons and Mike Norris had a paper
published in the October 1977 issue of Cryptologia in which they improved
upon the system.‡ Why it took so long for the RSA team to mail out their
paper (and get it published in a journal) is not simply due to the volume of
requests.
August 1977 is also marked in the history of the politics of cryptology by a
letter received by the Institute of Electrical and Electronics Engineers (IEEE)
Information Theory Group. The letter claimed that publications dealing
with cryptology could be in violation of the 1954 Munitions Control Act, the
Arms Export Control Act, and the International Traffic in Arms Regulations
(ITAR). In other words, cryptologic research was restricted in the same man-
ner as work dealing with nuclear weapons! Indeed, this was made explicit
in the letter: “[A]tomic weapons and cryptology are also covered by special
secrecy laws.”§
The author’s provocation appears to have been a symposium on cryptol-
ogy that the IEEE had slated for October 10, 1977, at a conference at Cornell
University in Ithaca, New York. Hellman, Rivest, and others were scheduled
as speakers. The letter was reported on in Science and elsewhere, generating
a great deal of publicity for the conference.
Basically, the claim was that such publications and lectures should first be
cleared by the National Security Agency (NSA). If this sort of voluntary cen-
sorship could be achieved, the constitutionality of the matter need not arise.
The full letter is provided in Figure 13.4.¶ It was eventually revealed by an
NSA spokesman that the letter was written (unofficially) by Joseph A. Meyer
(Figure 13.5), an NSA employee.**
This wasn’t the first time Meyer had angered supporters of civil liberties.
Paul Dickson’s The Electronic Battlefield (1976) quotes a January 1971 article
“Crime Deterrent Transponder System” by Meyer in IEEE Transactions on
Aerospace and Electronics Systems:††
* Deavours, C., The Ithaca connection: computer cryptography in the making, Cryptologia, 1(4),
312, 1977.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Cryptologia, 1(4), 406–414, 1977. The improvement consisted of showing how poor choices for
the key can allow message recovery without factoring. Over the years a number of special
cases that need to be avoided have been recognized. These are detailed in Section 14.1.
§ Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
able to obtain it from Martin Hellman and posted it on his website in January 2010.
** Foerstel, H.N., Secret Science: Federal Control of American Science and Technology, Praeger,
www.ebook777.com
free ebooks ==> www.ebook777.com
416 Secret History: The Story of Cryptology
FIGURE 13.4
Letter received by the IEEE Information Theory Group.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 417
FIGURE 13.5
Joseph A. Meyer. (Adapted from Meyer, J.A., Crime deterrent transponder system, IEEE
Transactions on Aerospace and Electronics Systems, 7, 22, 1971. With permission from IEEE.)
www.ebook777.com
free ebooks ==> www.ebook777.com
418 Secret History: The Story of Cryptology
out some of the other applications of these portable units, which include
monitoring aliens and political minorities. Robert Barkan, the writer
who first brought the Meyer proposal and other such ideas to a broader
audience through his articles, had this to say about the transponder sys-
tem in The Guardian, “‘1984’ is still fiction, but no longer science fiction.
The technology of the police state is ready. All that remains is for the
government to implement it.”
Many of the requests generated by Gardner’s column for the RSA paper came
from outside the United States. In light of Meyer’s letter, Rivest remarked, “If
I were more of a skeptic, I’d think I was being set up.”*
Hellman explained how he dealt with the threat:†
Young.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 419
FIGURE 13.6
Responses to Meyer’s letter (figure continues on next two pages).
Cryptologia before the technical report was mailed to the Scientific American
readers or appeared in a journal. Ironically, prior to all of this, Simmons,
who managed the Applied Mathematics Department at Sandia Laboratories,
attempted to hire Rivest, but Rivest declined because he thought he would
have more freedom at MIT! Meyer’s letter was far from the last attempt to
control public cryptologic research.*
* Nor was it the first! Back in 1975, NSA attempted to intimidate other organizations, such as
the National Science Foundation (NSF), out of providing funding for cryptologic research
(for details, see Levy, p. 107). If grant money for important cryptographic work is only avail-
able through NSA, censorship is achieved in a more subtle (but still apparent) manner.
www.ebook777.com
free ebooks ==> www.ebook777.com
420 Secret History: The Story of Cryptology
* From p. xvii of the foreword by Whitfield Diffie in Schneier, B., Applied Cryptography, 2nd ed.,
Wiley, New York, 1996.
free ebooks ==> www.ebook777.com
Birth of Public Key Cryptography 421
* Kolata, G.B., Cryptography: a new clash between freedom and national security, Science,
209(29), 995–996, 1980.
† Bamford, J., The Puzzle Palace, Houghton Mifflin, Boston, 1982, p. 363.
www.ebook777.com
free ebooks ==> www.ebook777.com
422 Secret History: The Story of Cryptology
I thought this would be the least important paper my name would ever
appear on.
—Len Adleman†
* Quoted in Foerstel, H.N., Secret Science: Federal Control of American Science and Technology,
Praeger, Westport, CT, 1993, p. 125, which cites: The Government’s Classification of Private Ideas,
hearings before a subcommittee of the Committee on Government Operations, U.S. House of
Representatives, 96th Congress, Second Session, 28 February, 20 March, 21 August 1980, U.S.
Government Printing Office, Washington, DC, 1981, p. 410.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Bob,* the two characters who are typically used to illustrate cryptographic
protocols.† Previously, messages were sent from person A to person B. The
creation of Alice and Bob helped to humanize the protocols. Over the years,
other characters have been added to the cast. These characters are so con-
venient, I chose to use them in explaining earlier systems, even though the
original descriptions did not include them.
Schneier presents the characters as actors in a play‡:
Dramatis Personae
Alice First participant in all the protocols
Bob Second participant in all the protocols
Carol Participant in the three- and four-party protocols
Dave Participant in the four-party protocols
Eve Eavesdropper
Mallory§ Malicious active attacker
Trent Trusted arbitrator
Walter Warden; he’ll be guarding Alice and Bob in some protocols
Peggy Prover
Victor Verifier
Alice and Bob are also handy characters for those working in coding the-
ory. This does not refer to the study of the sort of codes discussed in this
text. Rather than provide a definition, I encourage you to read the transcript
(which does provide one) of the Alice and Bob After Dinner Speech, given at
the Zurich Seminar, April 1984, by John Gordon, by invitation of Professor
James Massey. To intrigue you, a few paragraphs are reproduced below:¶
Coding theorists are concerned with two things. Firstly and most impor-
tantly they are concerned with the private lives of two people called Alice
and Bob. In theory papers, whenever a coding theorist wants to describe
a transaction between two parties he doesn’t call then A and B. No. For
some longstanding traditional reason he calls them Alice and Bob.
* This was in the paper describing RSA: Rivest, R.L., Shamir, A., and Adleman, L., On Digital
Signatures and Public-Key Cryptosystems, MIT/LCS/TM-82, Massachusetts Institute of
Technology, Laboratory for Computer Science, Cambridge, MA, 1977.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Although he has since been replaced by Mallory, he served as the inspiration for the pen
name of an American Cryptogram Association (ACA) member.
¶ The transcript is available at http://downlode.org/Etext/alicebob.html.
www.ebook777.com
free ebooks ==> www.ebook777.com
424 Secret History: The Story of Cryptology
Now there are hundreds of papers written about Alice and Bob. Over
the years Alice and Bob have tried to defraud insurance companies,
they’ve played poker for high stakes by mail, and they’ve exchanged
secret messages over tapped telephones.
If we put together all the little details from here and there, snippets
from lots of papers, we get a fascinating picture of their lives. This may
be the first time a definitive biography of Alice and Bob has been given.
Whatever the details of their personal lives may be, Alice and Bob have cer-
tainly helped cryptologists. In Malgorzata Kupiecka’s paper, “Cryptanalysis
of Caesar Cipher,” * she formally acknowledged their help by writing at the
end, “I wish to thank Alice and Bob.”
Kahn, D., Cryptology goes public, Foreign Affairs, 58, 141–159, 1979.
Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital
Age, Viking, New York, 2001. Aimed at a general audience, this book is the best
single source on the history of modern cryptology. Of course, more technical
surveys exist for those wishing to see the mathematics in greater detail.
Rivest, R., Homepage, http://theory.lcs.mit.edu/~rivest/.
Rivest, R.L., Shamir, A., and Adleman, L., On Digital Signatures and Public-Key
Cryptosystems, MIT/LCS/TM-82, Massachusetts Institute of Technology,
Laboratory for Computer Science, Cambridge, MA, 1977. There was soon a title
change to A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,
but the date is the same for both. This report later appeared in Communications
of the ACM, 21(2), 120–126, 1978, with the latter title.
Simmons, G.J. and Norris, M.J., Preliminary comments on the MIT public-key crypto-
system, Cryptologia, 1(4), 406–414, 1977.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
14
Attacking RSA*
The most obvious, most direct, and most difficult way to attack RSA is by
factoring the modulus. The paragraph below indicates how this approach
works. This chapter then details 11 non-factoring attacks, before returning to
examine various factoring algorithms.
One way to compute d (given e and n) is to first factor n. We will have
n = pq. Since p and q are distinct primes, they are relatively prime; hence,
φ(n) = (p – 1)(q – 1). Having calculated the value of φ(n), we may easily find
the multiplicative inverse of e modulo φ(n). Since this inverse is d, the deci-
phering exponent, we have now broken the system; however, the “factor n”
step is highly nontrivial!
If e1 and e2 are relatively prime, she may then use the Euclidean algorithm to
find integers x and y such that xe1 + ye2 = 1. Exactly one of x and y must be
negative. Assume it is x. Eve then calculates
(C )
−1 − x
1
C2y = C1x C2y = ( M e1 ) ( M e2 ) = M xe1 + ye2 = M 1 = M (mod n)
x y
180–182, 1983.
427
www.ebook777.com
free ebooks ==> www.ebook777.com
428 Secret History: The Story of Cryptology
FIGURE 14.1
Gustavus Simmons (1930–). (From Simmons, G., Ed., Contemporary Cryptology: The Science of
Information Integrity, IEEE Press, New York, 1991, p. 640. With permission.)
14.1.2 Attack 2. Man-in-the-Middle
In the attack described above, where a hacker controls the communications,
you may well ask why he doesn’t simply keep Bob’s public key and send
Alice his own. When Alice encrypts a message, thinking Bob will get it,
Mallet can read it using his own key and then re-encipher it with Bob’s key
before passing it on. He can even make changes first, if he desires. Similarly,
if Bob requests Alice’s key, Mallet can keep it and send Bob another key he
* Joye, M. and Quisquater, J.-J., Faulty RSA Encryption, UCL Crypto Group Technical Report
CG-1997/8, Université Catholique de Louvain, Louvain-La-Neuve, Belgium, 1987. This attack
was first presented in the paper cited here, although Mallet was not present. It was assumed
that an accidental error necessitated the resending of the message.
free ebooks ==> www.ebook777.com
Attacking RSA 429
has made for himself. In this manner, Mallet has complete control over the
exchanges. For obvious reasons, this is known as a man-in-the-middle attack.
Studying ways to break attacks like these falls under the “protocols” heading
of cryptography. We do not pursue this line here, but the reader will find the
subject treated nicely by Schneier.*
4
n
q < p < 2 q and d <
3
In this case, d may be computed efficiently. To see how this is done,‡ we begin
with ed = 1 (mod φ(n)) and rewrite it as ed – kφ(n) = 1 for some k in the set of
integers. We then divide both sides by dφ(n) to get
e k 1
− =
ϕ(n) d dϕ(n)
φ(n) ≈ n, so we have
e k e k ed − kn ed − kϕ(n) − kn + kϕ(n)
− ≈ − = =
ϕ(n) d n d nd nd
1 − kn + kϕ(n) 1 − k ( n − kϕ(n))
= =
nd nd
Previously it was noted that φ(n) ≈ n, but how good is this approximation?
The difference n – φ(n) now appears in our numerator, so we’d like to find a
bound for it. We have
* Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996.
† Wiener, M.J., Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information
Theory, 36(3), 553–558, 1990.
‡ Adapted from p. 206 of Boneh, D., Twenty years of attacks on the RSA cryptosystem, Notices
www.ebook777.com
free ebooks ==> www.ebook777.com
430 Secret History: The Story of Cryptology
n – φ(n) = n – (n – p – q + 1) = p + q – 1
But, for this attack, we required q < p < 2q. The second half of this double
inequality gives us
p + q – 1 < 3q – 1
and the first half of the double inequality tells us that q is the smaller factor
and therefore,
q< n
Hence,
3q − 1 < 3 n − 1 < 3 n
n − ϕ(n) < 3 n
1 − k ( n − ϕ(n)) 3k n 3k
≤ =
nd nd d n
Now recall that we have ed – kφ(n) = 1. This may be rewritten as kφ(n) = ed – 1,
which is less than ed; that is, kφ(n) < ed. Because e < φ(n), this last inequality
requires k < d. We assumed that
4
n
d<
3
4
n
k<
3
4
3 n
e k 3k 3 1
− ≤ < = 4
n d d n d n d n
free ebooks ==> www.ebook777.com
Attacking RSA 431
Again using
4
n
d<
3
we see
1 3
> 4
d n
which gives
1 1
>
3d 4 n
e k 1
− < 2
n d 3d
which, in turn is
1
<
2d2
e k 1
− <
n d 2d2
implies that there are fewer than log2(n) fractions k/d that approximate e/n
this closely. A technique is available to efficiently check the possibilities until
the correct d is found.*
PATCH 1: Using a small value d allows for quicker decryption, but don’t do it!
PATCH 2: Use a small value for d but increase e to the point that the attack
above won’t work. We can increase e by multiples of φ(n) without mak-
ing any difference other than increasing the time needed for encryption.
Making e > n1.5 will block the attack above.
* For a little more detail, see p. 206 of Boneh, D., Twenty years of attacks on the RSA cryptosys-
tem, Notices of the American Mathematical Society, 46(2), 203–213, 1999. For a lot more detail, see
Wiener, M.J., Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information
Theory, 36(3), 553–558, 1990.
www.ebook777.com
free ebooks ==> www.ebook777.com
432 Secret History: The Story of Cryptology
PATCH: Why would you let anyone see any portion of d in the first place? If
you’re going to be this careless, you need to use a large value for e.
* Coppersmith, D., Small solutions to polynomial equations, and low exponent RSA vulner-
abilities, Journal of Cryptology, 10, 233–260, 1997.
† Boneh, D., Durfee, G., and Frankel, Y., An attack on RSA given a small fraction of the private
key bits, in Ohta, K. and Pei, D., Eds., Advances in Cryptology: ASIACRYPT ’98, Lecture Notes
in Computer Science, Vol. 1514, Springer, Berlin, 1998, pp. 25–34.
free ebooks ==> www.ebook777.com
Attacking RSA 433
such that the ni are positive integers and pairwise relatively prime, and the
ai are integers, there exist values for x satisfying all of the equations. If one
solution is given by x’, then the set of all solutions is given by x = x’ + yn,
where y takes every integer value and n = n1n2n3…nk.
Gauss expressed the solution as
k
x = ∑ ai N i Mi (mod n)
i=1
where Ni = n/ni and Mi = Ni–1 (mod ni). The easiest way to see how a solution
may be obtained is through an example.
Example 1
Suppose we have
x = 5 (mod 9)
x = 8 (mod 11)
x = 6 (mod 14)
k
x = ∑ ai N i Mi (mod n) = a1 N 1 M1 + a2 N 2 M2 + a3 N 3 M3 (mod
d n)
i=1
The values for the ai were given in the problem, and the Ni are very easy to cal-
culate. To get the Mi, we could use a technique from Section 13.3 (the Euclidean
algorithm), but for such small values, it is easier to do the calculations in one’s
head. For large numbers we would resort to the algorithm. We have
www.ebook777.com
free ebooks ==> www.ebook777.com
434 Secret History: The Story of Cryptology
So, plugging in these values along with the ni and Ni, we have
Checking against our original three equations, we see that the answer, x = 734,
works.
Now that the Chinese remainder theorem is clear, we’re ready to examine
how it can be used to attack RSA encryption. We already saw the danger in
users destined to receive the same message sharing a modulus. It is also a
disaster if the same message goes to users who have different values for n
but share the same e. The Chinese remainder theorem may allow the mes-
sage to be recovered in this case. It only depends on how many copies of
the message are sent out relative to the value of e. If there are m copies sent,
all using the same e and distinct moduli, and m > e, then the message can
be recovered. As a small example, we use e = m = 3. Our three intercepted
ciphertexts follow below:
C1 = M3 (mod n1)
C2 = M3 (mod n2)
C3 = M3 (mod n3)
This looks a bit different than the example above, but we may rewrite these
equations as
M3 = C1 (mod n1)
M3 = C2 (mod n2)
M3 = C3 (mod n3)
We have M < n1, M < n2, and M < n3, so it follows that M3 < n1n2n3. Therefore,
we may solve for M in the equation above by taking the normal cube root of
C’ over the integers, without worrying about modular arithmetic.
A generalization of this attack was found by Johan Håstad, who realized
that the messages needn’t be identical, as long as they are related linearly.*
Don Coppersmith made further improvements.†
PATCH: Using a value for e that greatly exceeds the largest number of copies
of a message that would ever be sent will block this attack. An alternative
patch is to pad messages with random bits, so that no two are alike.
www.ebook777.com
free ebooks ==> www.ebook777.com
436 Secret History: The Story of Cryptology
PKCS #1. Describing his attack, he wrote, “We expect that the attack needs
roughly 220 chosen ciphertexts to succeed.”* This sounds daunting, but
Bleichenbacher pointed out that the attack is practical, since there are serv-
ers that will accept ciphertexts and return error messages when they are
not PKCS conforming. So, it is not like he is expecting Bob to respond to his
million-plus ciphertexts!
Reporting on experiments carried out for his new attack, Bleichenbacher
wrote, “We tested the algorithm with different 512-bit and 1024-bit keys. The
algorithm needed between 300 thousand and 2 million chosen ciphertexts
to find the message.” But, improved systems give new attacks a tough race,
and Bleichenbacher admitted that version 2 of PKCS #1, which made use of
results published in 1995, was not vulnerable to his attack.†
* Bleichenbacher, D., Chosen ciphertext attacks against protocols based on the RSA encryption
standard PKCS #1, in Krawczyk, H., Ed., Advances in Cryptology: CRYPTO ’98 Proceedings,
Lecture Notes in Computer Science, Vol. 1462, Springer, Berlin, 1998, pp. 1–12.
† The 1995 paper is Bellare, M., and Rogaway, P., Optimal asymmetric encryption, in De Santis,
A., Ed., Advances in Cryptology: EUROCRYPT ’94 Proceedings, Lecture Notes in Computer
Science, Vol. 950, Springer, Berlin, 1995, pp. 92–111.
‡ Kocher, P., Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other sys-
tems, in Koblitz, N., Ed., Advances in Cryptology: CRYPTO ’96 Proceedings, Lecture Notes in
Computer Science, Vol. 1109, Springer, Berlin, 1996, pp. 104–113.
free ebooks ==> www.ebook777.com
Attacking RSA 437
variety of systems. Kocher was also responsible for leading the design of
the Electronic Frontier Foundation’s DES cracker (see Section 12.3). I look
forward to seeing what he’ll do next. The manner in which his timing attack
applies to RSA follows.
For this attack to work, the attacker needs some access to the recipient’s
machine. If the attacker can obtain the ciphertexts, as well as the amount of
time taken by the recipient’s machine to decipher the messages, he can work
backward to find what the decryption exponent must be. That is, if decryp-
tion is done by, for instance, the repeated squaring method detailed in Section
13.3, then each multiplication will take a certain amount of time, dependent
on the machine doing it. These times then correspond to particular keys.
PATCH: In the paper that introduced his attack, Kocher also put himself in
the defensive position and suggested patches. He explained how random
delays may be inserted into the decryption algorithm to throw the timing
off, but moving back to offense indicated that an attacker could still break the
system by collecting more data. Another patch he proposed is called blinding.
Blinding had previously been used in another context. Here, it meant multi-
plying the received ciphertext by a random, but invertible number r raised to
the value of the enciphering exponent (mod n), prior to any deciphering. So,
one is then left to decipher r eC. This is done in the normal manner, by expo-
nentiation to the power d. We get (r eC)d = r edC d = rM. The recipient must then
multiply by the inverse of r to recover the message. Using a different r each
time will prevent an attacker from being able to find a correlation between
the original ciphertext block and the time needed to decipher.
* Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., and Wachter, C., Ron Was
Wrong, Whit Is Right, February 2012 (https://anonymous-proxy-servers.net/paper/064.pdf).
www.ebook777.com
free ebooks ==> www.ebook777.com
438 Secret History: The Story of Cryptology
The researchers simply gathered millions of public keys, then took the
moduli two at a time and used the Euclidean algorithm to find the greatest
common divisors. Nothing was achieved when the gcd turned out to be 1,
but in thousands of cases it was one of the prime factors of the moduli. This
happened because, in these cases, the two moduli were of the form n1 = pq
and n2 = pr, for some primes p, q, and r. Once the common factor p is found,
both moduli could then be very easily factored. Some of the moduli thus
factored were 2048 bits long. Greater size would tend to improve security for
most attacks, but the vulnerability resulting from different users selecting a
common prime still exists.
On average, 2 out of every 1000 moduli were factored, so RSA, as imple-
mented, is 98.8% secure against this attack. The authors conclude that RSA is
“significantly riskier” than systems based on Diffie–Hellman.
In a classic case of understatement, the authors of the “Ron Was Wrong,
Whit Is Right” paper pointed out that their results “may indicate that proper
seeding of random number generators is still a problematic issue.” They
went on to note
The lack of sophistication of our methods and findings make it hard for
us to believe that what we have presented is new, in particular to agen-
cies and parties that are known for their curiosity in such matters. It may
shed new light on NIST’s 1991 decision to adopt DSA as digital signature
standard as opposed to RSA, back then a public controversy.
PATCH: Somehow make sure you are choosing the primes p and q as ran-
domly as possible. This is much harder than it sounds.
There are many other non-factoring attacks on RSA. Some of these may be
found in the references for this chapter and others are discussed in Section
16.2. Factoring attacks are presented below; however, none of these (other
than attack 11, above) represents any real threat to RSA, provided that vari-
ous special cases are avoided when selecting primes and exponents and
when implementing the system. Of course, the minimum size of the modu-
lus required for decent security increases continually with computing speed
and the occasional improved factoring algorithm.
* Johnson, D., ECC, Future Resiliency and High Security Systems, Certicom whitepaper, 1999 (pages
12 to 14 are relevant here) (http://www.comms.engg.susx.ac.uk/fft/crypto/ECCFut.pdf).
free ebooks ==> www.ebook777.com
Attacking RSA 439
14.2 Factoring Challenge
The first part of this chapter was concerned with nonfactoring attacks on
RSA. We now take the direct approach. Various algorithms for factoring
are considered, although none is quick enough to break RSA with the size
primes currently used. Factoring is especially hard when the number is a
product of two large primes. To help convince yourself that this is a difficult
problem, try to factor
25195908475657893494027183240048398571429282126204
03202777713783604366202070759555626401852588078440
69182906412495150821892985591491761845028084891200
72844992687392807287776735971418347270261896375014
97182469116507761337985909570009733045974880842840
17974291006424586918171951187461215151726546322822
16869987549182422433637259085141865462043576798423
38718477444792073993423658482382428119816381501067
48104516603773060562016196762561338441436038339044
14952634432190114657544454178424020924616515723350
77870774981712577246796292638635637328991215483143
81678998850404453640235273819513786365643912120103
97122822120720357
This number has 617 digits in base 10, but it is called RSA-2048, as it has that
many bits in base 2. There was once a $200,000 prize offered by RSA Security
for anyone who could find the two prime factors and explain how they did
it. The RSA factoring challenge has expired, but they did give away several
prizes over the years for smaller products. See Table 14.1 for sizes and prizes.
TABLE 14.1
RSA Factoring Challenge Prizes
Challenge Number Prize ($US) Status Submission Date Submitters
RSA-576 $10,000 Factored December 3, 2003 J. Franke et al.
RSA-640 $20,000 Factored November 2, 2005 F. Bahr et al.
RSA-704 $30,000 Not factored
RSA-768 $50,000 Not factored
RSA-896 $75,000 Not factored
RSA-1024 $100,000 Not factored
RSA-1536 $150,000 Not factored
RSA-2048 $200,000 Not factored
Note: This table used to be located at www.rsasecurity.com/rsalabs/node.asp?id=2093.
www.ebook777.com
free ebooks ==> www.ebook777.com
440 Secret History: The Story of Cryptology
I think the challenge also served as a show of strength for the company.
Not many businesses will put their products to the test in such a straight-
forward way.
14.2.1 Old Problem
The problem of distinguishing prime numbers from composite numbers
and of resolving the latter into their prime factors is known to be one of
the most important and useful in arithmetic….The dignity of the science
itself seems to require that every possible means be explored for the solu-
tion of a problem so elegant and celebrated.
—Carl Friedrich Gauss (1801)†
There was no practical reason for wanting to find an efficient factoring algo-
rithm in Gauss’ day, but despite this fact the problem already had a long
history. We begin our brief survey of factoring algorithms with a method
from the ancient world that lives on, in a modified form, as a piece in the best
methods of today.
* http://www.rsa.com/rsalabs/node.asp?id=2094#WhyIs.
† Gauss, C.F., Disquisitiones Arithmeticae, Gerhard Fleischer, Leipzig, 1801, Article 329.
free ebooks ==> www.ebook777.com
Attacking RSA 441
FIGURE 14.4
Eratosthenes (c. 275–192 BCE) (http://www.livius.org/gi-gr/greeks/scientists.html).
then 4, 6, 8, etc., won’t be factors. If 3 is not a factor, then 6, 9, 12, 15, etc., won’t
be factors. Hence, we only need to check prime numbers when seeking fac-
tors; that is, we only need test the numbers 2, 3, 5, 7, 11, 13, 17, and 19. You’ll
notice that we stopped far short of 391 this time. We really only need to check
up to the square root of the number we’re trying to factor. If a number, n, is
the product of two smaller numbers, both numbers cannot exceed the square
root of n or the product would exceed n.
This sort of approach is the idea behind the sieve of Eratosthenes (Figure
14.4), the purpose of which is to eliminate the composite numbers from a list
of consecutive integers. To begin, we write out the first few natural numbers:
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
www.ebook777.com
free ebooks ==> www.ebook777.com
442 Secret History: The Story of Cryptology
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
Our next entry, 2, is prime. We now cross out all multiples of 2 (except 2
itself). The number 2 is boldfaced to stress its primality:
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
After 2, the next remaining entry, 3, is prime. We now cross out all mul-
tiples of 3:
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
The next prime is 11. We could cross out all multiples of 11, but this has
already been done, as these numbers, less than 100, all have smaller prime
divisors. In fact, all of the numbers that remain are prime. If one weren’t, it
would have to factor into a pair of numbers, both of which exceed 10. This is
an impossibility, as the product must be less than 100. As explained earlier,
we only need to search up to the square root of the number.
www.ebook777.com
free ebooks ==> www.ebook777.com
444 Secret History: The Story of Cryptology
FIGURE 14.5
Pierre de Fermat (1601–1665) (http://en.wikipedia.org/wiki/File:Pierre_de_Fermat.png).
x = n = 20
(The ⎡ ⎤ notation is referred to as the ceiling function, and it indicates that the
quantity within should be rounded up to the closest integer.)
Thus, y = 3 and we have n = 202 – 32, = (20 – 3)(20 + 3) = (17)(23). The factoriza-
tion is revealed! If the first value for x yielded a value for x2 – n that wasn’t a
perfect square, we would increment x by one and try again until a solution
is found. In general, quicker factorization algorithms now exist, but Fermat’s
method has an advantage when the prime factors are close together. Thus,
when picking primes p and q for RSA, we need to avoid values such that
p – q < 2n1/4. There is nothing magical about this particular bound. It just
roughly indicates for which primes Fermat’s method will be practical.
FIGURE 14.6
Leonhard Euler (1707–1783) (http://en.wikipedia.org/wiki/File:Leonhard_Euler.jpg).
www.ebook777.com
free ebooks ==> www.ebook777.com
446 Secret History: The Story of Cryptology
was left out! We’ve already seen how Euler’s generalization of Fermat’s lit-
tle theorem paved the way for RSA encryption. We now examine Euler’s
method for factoring. Instead of looking at n as the difference of two squares,
we may often view it as the sum of two squares (in two different ways); for
example, 130 = 112 + 32 = 72 + 92. Let us assume that we can do this for a num-
ber that we are attempting to factor. That is,
n = a 2 + b 2 = c 2 + d2
⇒ a 2 – c 2 = d2 – b 2
⇒ (a – c)(a + c) = (d – b)(d + b)
(gx)(a + c) = (gy)(d + b)
⇒ (x)(a + c) = (y)(d + b) (14.1)
g 2 m 2
+ and ( x + y )
2 2
2 2
g 2 m 2 2 g 2 m2 2
+ ( x + y ) = + (x + y )
2 2
2 2 4 4
1 1
= ( g 2 + m2 ) ( x 2 + y 2 ) = ( gx)2 + ( gy )2 + (mx)2 + (m my )2
4 4
1
= ( a − c)2 + (d − b)2 + (d + b)2 + ( a + c)2
4
1
= a 2 − 2 ac + c 2 + d 2 − 2bd + b 2 + d 2 + 2bd + b 2 + a 2 + 2 ac + c 2
4
1 1
= 2 a 2 + 2b 2 + 2 c 2 + 2 d 2 = 2 ( a 2 + b 2 ) + 2 ( c 2 + d 2 )
4 4
1 1
= (2 n + 2 n) = ( 4n)
4 4
=n
free ebooks ==> www.ebook777.com
Attacking RSA 447
14.6 Pollard’s p – 1 Algorithm
Recall Fermat’s little theorem:
m = ∏q q prime
q≤B
Example 2
Using n = 713 as a small example to illustrate this method, we may take a = 2
and B = 5. Then m = (2)(3)(5) = 30. It follows that gcd(am – 1, n) = gcd(230 – 1, 713)
= 31. Division then reveals that 713 = (31)(23).
This approach won’t work with n = 85, no matter how large we make B. The
reason for this is that the prime factors of 85 are p = 5 and q = 17, so when we
look at p – 1 and q – 1, we get 4 and 16. No matter how many primes we mul-
tiply together, we’ll never get a multiple of either of these numbers, unless we
repeat the prime factor 2. In case p – 1 and q – 1 both have a repeated prime fac-
tor, we must modify the way in which we defined m. Possible patches include
m = B ! and m = ∏ q n
q≤B
where the product runs over all prime factors q less than B, and n is some
positive integer greater than 1.
* There are a few terms in mathematics that sound like the names of gangsta rappers: B-smooth,
2-pi, cube root, etc.
www.ebook777.com
free ebooks ==> www.ebook777.com
448 Secret History: The Story of Cryptology
There are other twists we can put on this algorithm, but the above gives
the general idea. The time needed for this method is roughly proportional
to the largest prime factor of p – 1. Hence, it is efficient for p such that p – 1
is smooth. To resist this attack, choose primes of the form 2q + 1, where q
is prime. That way, p – 1 will have at least one large factor. There is also
Pollard’s ρ (rho) algorithm (1975) for factoring, but it is strongest when the
number being attacked has small factors, which is certainly not the case for
RSA, so it will not be detailed here.*
14.7 Dixon’s Algorithm†
John D. Dixon’s (Figure 14.7) algorithm
has its roots in Fermat’s method of fac-
torization. Rather than insist on finding
x and y such x2 – y2 = n, in order to factor
n, we could content ourselves with an x
and y such that x2 – y2 = kn. This may also
be expressed as x2 = y2 (mod n). So, if we
can find two squares, x2 and y2, that are
equal modulo n, we may have a factoriza-
tion given by (x – y)(x + y). It is only “may,”
since this broadening of Fermat’s method
allows the possibility that (x – y) = k and
(x + y) = n. This idea goes back to Maurice FIGURE 14.7
Kraitchik in the 1920s.‡ John D. Dixon. (Thanks to J.D. Dixon
for supplying this photograph.)
We can find potential x and y values
quicker by not insisting that y be a perfect
square.
255–260, 1981.
‡ Pomerance, C., A tale of two sieves, Notices of the American Mathematical Society, 43(12), 1474,
1996.
free ebooks ==> www.ebook777.com
Attacking RSA 449
So we get
so we see we get one factor equaling k and the other equaling n in this “fac-
torization”—not what we wanted!
We can get even more possible combinations by using negatives, as well.
Piecing together 282 from the first column and 262 and 312 from the second
column, we get
www.ebook777.com
free ebooks ==> www.ebook777.com
450 Secret History: The Story of Cryptology
That is,
(28 ⋅ 26 ⋅ 31)2 = (22 ⋅ 53)2 (mod 391)
(22,568)2 = (212)2 (mod 391)
(281)2 = (212)2 (mod 391)
(281 – 212) = 69
gcd(391, 69) = 23
so we’ve found a factor! But, we’d like a better way to pick values to test.
Ideally, we’d pick “most likely” candidates first. These are
The notations ⎣ ⎦ and ⎡ ⎤ mean round the result down to the closest integer
and round the result up to the closest integer, respectively. They are some-
times called the floor and ceiling functions. Most programming languages
have a command built in to perform this operation.
Also, once we have a list like the one above, we’d like a quicker way to
pull out potential solutions than just visual inspection. For a serious factor-
ing problem, the list might contain thousands or even millions* of entries—
visual inspection just won’t do!
We accomplish this with linear algebra. We first establish a factor base that
consists of –1 and the first few primes. For the example above, our factor base
could be taken as {–1, 2, 3, 5, 7, 9, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 51, 53}. Each
number in our table may then be represented as a vector. If the power of a fac-
tor is odd, we place a 1 in that position of the vector. If a given factor is not pres-
ent, or has an even power, we place a 0 in that position. A few examples follow:
{-1, 2, 3, 5, 7, 9,11,13,17,19,23,29,31,37,41,43,47,51,53}
* For factoring a record-breakingly large prime, the factor base will now contain about a million
values, according to Pomerance, C., A tale of two sieves, Notices of the American Mathematical
Society, 43(12), 1483, 1996.
free ebooks ==> www.ebook777.com
Attacking RSA 451
If we stop our factor base at 53, we cannot include values such as our sec-
ond factorization for 222, since it contained the factor 149. If we made our
factor base larger, it could be accommodated.
Finding a potential solution is equivalent to selecting vectors whose sum
modulo 2 is the zero vector. To find such solutions efficiently we may con-
struct a matrix M whose columns are the vectors above and then look for a
solution to the matrix equation
MX = 0 (mod 2)
x1
x
2
x
k
Having a large factor base increases the chances of finding a solution after a
given number of values has been investigated, but it slows down the linear
algebra step.
We look at this refinement with a second example. Suppose we wish to
factor 5141. We select the base {–1, 2, 3, 5, 7, 11, 13} and make a table of values.
Note that one representation was chosen for each value. We could have listed
two, but going with just the smaller of the two in absolute value gives us a
factorization more likely to be useful.
* Morrison, M.A. and Brillhart, J., A method of factoring and the factorization of F7, Mathematics
of Computation, 29(129), 183–205, 1975.
www.ebook777.com
free ebooks ==> www.ebook777.com
452 Secret History: The Story of Cryptology
1 0 1 1 0 0 1 x1 0
0 1 0 0 1 1 0 x2 0
0 0 0 1 1 0 0 x3 0
0 1 0 1 0 1 0 x 4 = 0
0 0 0 1 0 0 0 x5 0
0 0 0 0 0 0 0 x6 0
0 0 0 0 0 1 0 x7 0
A little bit of linear algebra leads us to the following solutions for the column
vector of xs:
1 1 1
0 0 0
1 0 1
0 , 0 , 0
0 0 0
0 0 0
0 1 1
free ebooks ==> www.ebook777.com
Attacking RSA 453
We may then divide 5141/97 = 53 to get the complete factorization: 5141 = (97)(53).
If the gcd had been 1, we would have gone on to try the second and possibly
the third solution.
Although the method detailed here is named after Dixon, Dixon himself
humbly pointed out that*
…the method goes back much further than my paper in 1981. References
to my paper sometimes do not seem to appreciate this fact. For example,
the entry in Wikipedia seems to credit the idea to me. The fact is the
idea in one form or another had been around for a much longer time,
but no-one had been able to give a rigorous analysis of the time com-
plexity of the versions which were used. What I did in my paper was to
show that a randomized version of the method can be analyzed and that
(at least qualitatively and asymptotically) it is faster than other known
methods (in particular, subexponential in log N). As far as I know, except
for improved constants, this is still true.…
I did not suggest that the randomized version which I described would
be competitive in practice with algorithms which were currently in use
(but most of which still have no rigorous analysis). I do not think anyone
has seriously tried to factor a large number using random squares.
Dixon did not know the whole history when he published his 1981 paper,
but he did include it in a later paper.† In what seems to be a theme with
important work in cryptology from the last 38 years, Dixon’s 1981 paper was
rejected by the first journal to which he submitted it.‡
www.ebook777.com
free ebooks ==> www.ebook777.com
454 Secret History: The Story of Cryptology
14.7.1 Quadratic Sieve
When using Dixon’s algorithm, much time may be wasted in factoring num-
bers that end up not being B-smooth and are therefore discarded prior to the
matrix step. The quadratic sieve eliminates much of this inefficiency by quickly
discarding numbers that aren’t B-smooth by using the sieve of Eratosthenes
with a twist. When running through the numbers, instead of crossing them
out if they are divisible by a prime, we divide them by the highest power of
that particular prime that goes into them. After sieving through in this man-
ner with all of the primes in the factor base, there is a 1 in every position of our
list that contained a B-smooth number. The numbers represented by other
values are discarded. This is an oversimplification; there are several shortcuts
that make the process run much quicker, but it conveys the general idea. The
interested reader can pursue the references for further details.
When Martin Gardner provided the first published description of RSA, he
gave his readers a chance to cryptanalyse the new system:*
1143816257578888676692357799761466120102182967212423625625618429357069
35245733897830597123563958705058989075147599290026879543541
3490529510847650949147849619903898133417764638493387843990820577
and
32769132993266709549961988190834461413177642967992942539798288533.
They were determined using a quadratic sieve, and the plaintext turned
out to be*
The magic words are squeamish ossifrage.
For numbers up to about 110 digits (in base 10), the quadratic sieve is the best
general method for factoring presently available. For larger values, the num-
ber field sieve is superior.†
* Hayes, B.P., The magic words are squeamish ossifrage, American Scientist, 82(4), 312–316, 1994.
† Stamp, M. and Low, R.M., Applied Cryptanalysis: Breaking Ciphers in the Real World, John Wiley
& Sons, Hoboken, NJ, 2007, p. 316.
‡ Lenstra, A.K., Lenstra, Jr., H.W., Manasse, M.S., and Pollard, J.M., The number field sieve, in
Lenstra, A.K. and Lenstra, Jr. H.W., Eds., The Development of the Number Field Sieve, Lecture
Notes in Mathematics, Vol. 1554, Springer, Berlin, pp. 11–42.
§ Pomerance, C., A tale of two sieves, Notices of the American Mathematical Society, 43(12), 1480,
1996.
¶ Shamir, A. and Tromer, E., Factoring large numbers with the twirl device, in Boneh, D., Ed.,
Advances in Cryptology: CRYPTO 2003 Proceedings, Lecture Notes in Computer Science, Vol.
2729, Springer, Berlin, 2003, pp. 1–27.
www.ebook777.com
free ebooks ==> www.ebook777.com
456 Secret History: The Story of Cryptology
14.8.1 Other Methods
There are many other algorithms for factoring, including ones that make
use of continued fractions (used in some of the above!) and elliptic curves.
Perhaps most intriguing is an approach put forth by Peter Shor in 1994 that
factors in polynomial time, provided that one has a quantum computer to
run it on.* The reader is encouraged to pursue the references to learn more.
14.8.2 Cryptological Humor
Although 2 is not the largest prime, it is the only even prime. I learned this
in a boring book titled Even Prime Numbers.† Of course, being the only even
prime, makes it the oddest prime of all.
* Shor, P., Algorithms for quantum computation: discrete logarithms and factoring, in
Goldwasser, S., Ed., 35th Annual IEEE Symposium on Foundations of Computer Science (FOCS),
November 20–22, 1994, Santa Fe, NM, IEEE Computer Society Press, Los Alamitos, CA, 1994,
pp. 124–134.
† By the author of Groups of Order One.
free ebooks ==> www.ebook777.com
Attacking RSA 457
Boneh, D., Twenty years of attacks on the RSA cryptosystem, Notices of the American
Mathematical Society, 46(2), 203–213, 1999. This is a nice survey paper.
Boneh, D. and Durfee, G., Cryptanalysis of RSA with private key d less than N0.292,
in Stern, J., Ed., Advances in Cryptology: EUROCRYPT ’99, Lecture Notes in
Computer Science, Vol. 1592, Springer, Berlin, 1999, pp. 1–11.
Boneh, D., Durfee, G., and Frankel, Y., An attack on RSA given a small fraction
of the private key bits, in Ohta, K. and Pei, D., Eds., Advances in Cryptology:
ASIACRYPT ’98, Lecture Notes in Computer Science, Vol. 1514, Springer, Berlin,
1998, pp. 25–34.
Coppersmith, D., Small solutions to polynomial equations, and low exponent RSA
vulnerabilities, Journal of Cryptology, 10(4), 233–260, 1997.
DeLaurentis, J.M., A further weakness in the common modulus protocol for the RSA
cryptoalgorithm, Cryptologia, 8(3), 253–259, 1984.
Diffie, W. and Hellman, M., New directions in cryptography, IEEE Transactions on
Information Theory, IT-22(6), 644–654, 1976.
Hayes, B.P., The magic words are squeamish ossifrage, American Scientist, 82(4), 312–
316, 1994. This paper discusses factoring techniques and includes some history.
The title celebrates the recovery of the message concealed by the RSA challenge
cipher in Martin Gardner’s Scientific American column.
Johnson, D., ECC, Future Resiliency and High Security Systems, Certicom whitepaper,
1999 (pages 12 to 14 are relevant here) (http://www.comms.engg.susx.ac.uk/
fft/crypto/ECCFut.pdf).
Joye, M. and Quisquater, J.-J., Faulty RSA Encryption, UCL Crypto Group Technical
Report CG-1997/8, Université Catholique de Louvain, Louvain-La-Neuve,
Belgium, 1987.
Kaliski, B. and Robshaw, M., The secure use of RSA, CryptoBytes, 1(3), 7–13, 1995
(ftp://ftp.rsa.com/pub/cryptobytes/crypto1n3.pdf). This paper summarizes
various attacks on RSA.
Kocher, P., Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other
systems, in Koblitz, N., Ed., Advances in Cryptology: CRYPTO ’96 Proceedings,
Lecture Notes in Computer Science, Vol. 1109, Springer, Berlin, 1996, pp. 104–113.
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., and Wachter, C., Ron
Was Wrong, Whit Is Right, February 2012 (https://anonymous-proxy-servers.
net/paper/064.pdf).
Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital
Age, Viking, New York, 2001.
Rivest, R.L., Shamir, A., and Adleman, L., On Digital Signatures and Public-Key
Cryptosystems, MIT/LCS/TM-82, Massachusetts Institute of Technology,
Laboratory for Computer Science, Cambridge, MA, 1977.
Rivest, R.L., Shamir, A., and Adleman, L., A method for obtaining digital signatures
and public-key cryptosystems, Communications of the ACM, 21(2), 120–126, 1978.
Robinson, S., Still guarding secrets after years of attacks, RSA earns accolades for its
founders, SIAM News, 36(5), 1–4, 2003.
Simmons, G.J., A “weak” privacy protocol using the RSA crypto algorithm, Cryptologia,
7(2), 180–182, 1983.
Wiener, M.J., Cryptanalysis of short RSA secret exponents, IEEE Transactions on
Information Theory, 36(3), 553–558, 1990.
www.ebook777.com
free ebooks ==> www.ebook777.com
458 Secret History: The Story of Cryptology
On Factoring
Bach, E. and Shallit, J., Factoring with cyclotomic polynomials, Mathematics of
Computation, 52(185), 201–209, 1989.
Dixon, J.D., Asymptotically fast factorization of integers, Mathematics of Computation,
36(153), 255–260, 1981.
Dixon, J.D., Factorization and primality tests, American Mathematical Monthly, 91(6),
333–352, 1984 (see Section 11 of this paper for the historical background).
Lenstra, Jr., H.W., Factoring integers with elliptic curves, Annals of Mathematics, 126(3),
649–673, 1987.
Lenstra, A.K., Lenstra, Jr., H.W., Manasse, M.S., and Pollard, J.M., The number field
sieve, in Lenstra, A.K. and Lenstra, Jr., H.W., Eds., The Development of the Number
Field Sieve, Lecture Notes in Mathematics, Vol. 1554, Springer, Berlin, 1993, pp.
11–42.
Lenstra, A.K., Factoring, in Tel, G. and Vitanyi, P.M.B., Eds., Proceedings of the 8th
International Workshop on Distributed Algorithms on Graphs, Lecture Notes in
Computer Science, Vol. 857, Springer, Heidelberg, 1994, pp. 23–38.
Lenstra, A.K., Tromer, E., Shamir, A., Kortsmit, W., Dodson, B., Hughes, J., and Leyland,
P., Factoring estimates for a 1024-bit RSA modulus, in Laih, C.S., Ed., Advances
in Cryptology: ASIACRYPT 2003 Proceedings, Lecture Notes in Computer Science,
Vol. 2894, Springer, Berlin, 2003, pp. 55–74. This was a follow-up paper to the
one above.
Montgomery, P.L., and Silverman, R.D., An FFT extension to the p – 1 factoring algo-
rithm, Mathematics of Computation, 54(190), 839–854, 1990.
Morrison, M.A. and Brillhart, J., A method of factoring and the factorization of F7,
Mathematics of Computation, 29(129), 183–205, 1975. This paper describes factor-
ing with continued fractions.
Pollard, J.M., Theorems on factorization and primality testing, Proceedings of the
Cambridge Philosophical Society, 76(3), 521–528, 1974.
Pollard, J.M., A Monte-Carlo method for factorization, Bit Numerical Mathematics,
15(3), 331–334, 1975.
Pomerance, C. and Wagstaff, Jr., S.S., Implementation of the continued fraction inte-
ger factoring algorithm, Congressus Numerantium, 37, 99–118, 1983.
Pomerance, C., The quadratic sieve factoring algorithm, in Beth, T., Cot, N., and
Ingemarsson, I., Eds., Advances in Cryptology: EUROCRYPT ’84 Proceedings,
Lecture Notes in Computer Science, Vol. 209, Springer, Berlin, 1985, pp. 169–182
(www.math.dartmouth.edu/~carlp/PDF/paper52.pdf).
Pomerance, C., A tale of two sieves, Notices of the American Mathematical Society, 43(12),
1473–1485, 1996.
Shamir, A. and Tromer, E., Factoring large numbers with the twirl device, in Boneh,
D., Ed., Advances in Cryptology: CRYPTO 2003 Proceedings, Lecture Notes in
Computer Science, Vol. 2729, Springer, Berlin, 2003, pp. 1–27.
Shor, P., Algorithms for quantum computation: discrete logarithms and factoring, in
Goldwasser, S., Ed., 35th Annual IEEE Symposium on Foundations of Computer
Science (FOCS), November 20–22, 1994, Santa Fe, NM, IEEE Computer Society
Press, Los Alamitos, CA, 1994, pp. 124–134.
Williams, H.C. and Shallit, J.O., Factoring integers before computers, in Gautschi,
W., Ed., Mathematics of Computation 1943–1993, American Mathematical Society,
Providence, RI, 1994, pp. 481–531.
free ebooks ==> www.ebook777.com
15
Primality Testing and Complexity Theory*
Thus, even starting with the most fundamental and ancient ideas con-
cerning prime numbers, one can quickly reach the fringe of modern
research. Given the millennia that people have contemplated prime
numbers, our continuing ignorance concerning the primes is stultifying.
—Richard Crandall and Carl Pomerance†
Proof by contradiction: Suppose there are only finitely many primes. Let
S be the set of all primes, p1 through pn. Now consider n = p1p2…pn + 1 (the
product of all primes + 1). This number is certainly larger than any in S, so
if it is prime we have a contradiction. We also have a contradiction if it is not
prime. Since all of the numbers in S leave a remainder of 1 when divided into
n, the prime factors of n cannot be in S; hence, the set S cannot contain every
prime, and we see that there must be infinitely many primes. Q.E.D.
There are several other proofs.‡ One of these follows immediately from
establishing that
1
∑p
i i
459
www.ebook777.com
free ebooks ==> www.ebook777.com
460 Secret History: The Story of Cryptology
TABLE 15.1
Top 10 Largest Known Primes
Rank Prime Digits When Reference
1 243112609–1 12978189 2008 Mersenne 47??
2 242643801–1 12837064 2009 Mersenne 46??
3 237156667–1 11185272 2008 Mersenne 45?
4 232582657–1 9808358 2006 Mersenne 44?
5 230402457–1 9152052 2005 Mersenne 43?
6 225964951–1 7816230 2005 Mersenne 42?
7 224036583–1 7235733 2004 Mersenne 41
8 220996011–1 6320430 2003 Mersenne 40
9 213466917–1 4053946 2001 Mersenne 39
10 19249 × 213018586+1 3918990 2007
Note: The top 10 as of May 12, 2012, anyway.
Source: http://primes.utm.edu/largest.html.
n π(n)
10 4
100 25
1000 168
* Caldwell, C. and Honaker, Jr., G.L., Prime Curios! The Dictionary of Prime Number Trivia,
CreateSpace, Seattle, WA, 2009, p. 218.
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 461
So, 40% of the first 10 integers are prime, but only 16.8% of the first 1000
are prime. π(n) may be calculated for any value of n by simply testing the pri-
mality of each positive integer less than or equal to n; however, if n is large,
this is a very time-consuming method. It would be nice if there were some
expression of π(n) that is easier to evaluate such as p(n) = ⎣ 1.591 + 0.242n –
0.0000752n2 ⎦. Recall that ⎣ n ⎦ denotes the greatest integer less than or equal
to n. By plugging in values, we see that p(n) works great for 10, 100, and 1000,
but it becomes inaccurate for higher values of n, as can be seen by expanding
the table above. Also, it does not do well for most values under 1000, other
than the ones in the table!*
n π(n)
10 4
100 25
1,000 168
10,000 1,229
100,000 9,592
1,000,000 78,498
10,000,000 664,579
100,000,000 5,761,455
1,000,000,000 50,847,534
10,000,000,000 455,052,511
Gauss came up with the prime number theorem but was unable to prove it.
The prime number theorem says:
n
π(n) ∼
ln(n)
* The function p(n) was obtained by using Lagrangian interpolation on the values for which it
was seen to work perfectly.
www.ebook777.com
free ebooks ==> www.ebook777.com
462 Secret History: The Story of Cryptology
15.2 Fermat Test
Recall Fermat’s little theorem (1640):
If p is a prime and a is not a multiple of p, then ap–1 = 1 (mod p).
This offers a test that may show a number to be composite, for if (a, n) = 1
and an–1 ≠ 1 (mod n) then n cannot be prime. If the result is 1, however, we
cannot conclude that n is prime. Fermat’s little theorem is not an “if and only
if” theorem.
* Skewes, S., On the difference π(x) – Li(x), Journal of the London Mathematical Society, 8(4), 277–
283, 1933.
† Skewes, S., On the difference π(x) – Li(x) (II), Proceedings of the London Mathematical Society, 5(1),
48–70, 1955.
‡ Littlewood, J.E., Sur la Distribution des Nombres Premiers, Comptes Rendus, 158, 1869–1872,
1914.
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 463
As usual, a proof was not offered by Fermat. The first to verify this with
a proof was Gottfried von Leibniz. The special case for a = 2 was known to
the Chinese as far back as 500 BCE, but they didn’t have the generalization
Fermat provided.*
To test a number n for primality, we can use values for a from the set
{2, 3, 4, …, n – 1}. If one of these yields anything other than 1, we know n is
composite. The repeated squaring technique of exponentiation can be used
to make these calculations go a bit quicker.
Example 1 (n = 391)
To calculate 2390 modulo 391, we use the repeated squaring technique intro-
duced in Section 13.3. We first calculate 2 to various powers of 2 modulo 391:
22 = 4
24 = 16
28 = 256
216 = 65,536 = 239 (mod 391)
232 = 57,121 = 35 (mod 391)
264 = 1225 = 52 (mod 391)
2128 = 2704 = 358 (mod 391)
2256 = 128,164 = 307 (mod 391)
Since 2390 did not simplify to 1, we can conclude that 391 is not prime.
This test gives us no indication what the factors of 391 are. Also, this test
doesn’t always work so nicely! The base 2 is nice to use for testing purposes,
but it won’t unmask all composites.
Example 2 (n = 341)
2340 = 1 (mod 341), so we cannot draw an immediate conclusion. We then
check 3340 (mod 341) and get 56. We may now conclude that 341 is compos-
ite. Because 341 was able to sneak by the base 2 test, we call 341 a base 2
pseudoprime. Base 3 revealed the composite nature of 341, but sometimes
neither 2 nor 3 will reveal composites.
www.ebook777.com
free ebooks ==> www.ebook777.com
464 Secret History: The Story of Cryptology
FIGURE 15.1
Robert Carmichael (1879–1967). (From http://www.maa.org/aboutmaa/carmichael.gif.* ©
Mathematical Association of America, 2012. All rights reserved.)
Example 3 (n = 1729)
For this example, 21728 = 1 (mod 1729), so we cannot draw an immediate con-
clusion. We then check 31728 (mod 1729) and get 1 again. We still cannot draw
a conclusion. Continuing on with other bases, we always get 1, if the base is
relatively prime to 1729. It is tempting to conclude that 1729 is prime. But,
because Fermat’s little theorem isn’t “if and only if,” we haven’t proven any-
thing. In fact, there is strong evidence that 1729 is not prime, such as the fact
that 1729 = (7)(13)(19)!
Using a base that’s less than 1729, but not relatively prime to it, will reveal
1729 to be composite, but such a number would be a factor of 1729. It would
be quicker to use trial division, if we need to find a base that is a factor of a
number to prove it is composite.
A composite number n for which every base relatively prime to n yields 1
is called a Carmichael number after Robert Carmichael (Figure 15.1). For years
it was an open problem to determine the number of Carmichael numbers,
but in 1994 it was shown that there are infinitely many.† Carmichael found
*
the first of the numbers that would be named after him in 1910. The first few
Carmichael numbers‡ are 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, ….
* This website is the result of following a link from http://www.maa.org/aboutmaa/maaapre
sidents.html. Other links lead to images of each of the Mathematical Association of America’s
presidents from 1916 to 2010. Carmichael was president in 1923.
† Alford, W.R., Granville, A., and Pomerance, C., There are infinitely many Carmichael num-
Only 20,138,200 Carmichael numbers are less than 1021, which is about
0.000000000002% of the total.* Thus, the odds that a randomly chosen num-
ber will be a Carmichael number are very small. Nevertheless, we would
like to have a primality test that isn’t fooled by these numbers.
15.3 Miller–Rabin Test †
This is the most popular scheme for testing the large numbers needed for
RSA encryption for primality. To test whether or not n is prime, we begin by
finding the highest power of 2 that divides n – 1. We label this power t and
then define d = (n – 1)/(2t). We have 2td = n – 1. (Note that d must be odd.) We
then pick an integer a < n. If n is prime, and a is relatively prime to n, then one
of the following must hold:
1.
ad = 1 (mod n)
s
a 2 d = −1 (mod n) for some 0 ≤ s < t − 1
2.
Example 4
Because n = 1729 caused trouble earlier, we’ll investigate this value with our
new test. We have n – 1 = 1728, which is divisible by 26, but not by 27, so t = 6.
1728/(26) = 27, so we have d = 27 and (26)(27) = n – 1. We’re now ready to investi-
gate condition 1, above. Picking a = 2 and calculating ad (mod n), we get
as the Rabin–Miller test, as does Bruce Schneier in the second edition of Applied Cryptography,
p. 259. Richard A. Mollin adds a name to get Miller–Rabin–Selfridge. He explains that John
Selfridge deserves this recognition, as he was using the test in 1974 before it was published by
Miller. See Mollin, R.A., An Introduction to Cryptography, Chapman & Hall/CRC, Boca Raton,
FL, 2001, p. 191. If you want to avoid names altogether, it is also referred to as the strong
pseudoprimality test. Whatever you choose to call it, the primary reference is Rabin, M.O.,
Probabilistic algorithm for testing primality, Journal of Number Theory, 12(1), 128–138, 1980.
www.ebook777.com
free ebooks ==> www.ebook777.com
466 Secret History: The Story of Cryptology
s
s a 2 d (mod n)
0 645 (this was already calculated in the step above)
2 1065
3 1
4 1
5 1
s
None of the values for a 2 d (mod n) yields –1, so condition 2 is not satisfied.
Since neither condition 1 nor condition 2 holds, 1729 fails the Miller–Rabin
test and cannot be prime.
Since there are guaranteed to be
bases that reveal n to be composite, if
it is composite, we could make this a
deterministic test by testing every base
less than the number. That would be
silly, though, as the time required to do
so would well exceed the time needed
to test for primality by trial division;
hence, we refer to the Miller–Rabin
test as a probabilistic test. Rabin and
Miller are pictured in Figures 15.2 and
15.3. Why is Rabin smiling? Perhaps he
could see the future, as revealed in the
caption to Figure 15.2.
FIGURE 15.2
Naturally, some enjoy the chal- Michael O. Rabin (1931–). Rabin split
lenge of finding numbers that fool the $1 million Dan David Prize with
primality tests. François Arnault did two others. (From SEAS, Michael O.
so for the Miller–Rabin test, as imple- Rabin Wins Dan David Prize: Computer
Science Pioneer Shares $1 Million Prize
mented by the computer algebra sys-
for Outstanding Achievements in the
tem ScratchPad.* Implementations such Field [press release], Harvard School
as this apply the test to a small set of of Engineering and Applied Science,
bases. The composite number that February 16, 2010.)
* Arnault, F., Rabin–Miller primality test: composite numbers which pass it, Mathematics of
Computation, 64(209), 355–361, 1995.
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 467
15.3.1 Generating Primes
The actual generation of large primes for use with RSA is usually done as
follows:
We now take a look at a few tests that are guaranteed to yield a correct
answer. These are known as deterministic tests. Unlike probabilistic tests,
there is no uncertainty. The downside is that they are not as fast as the
Miller–Rabin test.
www.ebook777.com
free ebooks ==> www.ebook777.com
468 Secret History: The Story of Cryptology
FIGURE 15.4
Manindra Agrawal (http://www.cse.iitk.ac.in/users/manindra/), Neeraj Kayal (http://research.
microsoft.com/en-us/people/neeraka/), and Nitin Saxena (http://www.math.uni-bonn.de/peo-
ple/saxena/to_photos.html).
* Waring, E., Meditationes Algebraicae, Cambridge University Press, Cambridge, UK, 1770.
† In 1773, according to Weisstein, E.W., Wilson’s theorem, MathWorld, http://mathworld.wol-
fram.com/WilsonsTheorem.html.
‡ Adleman, L., Pomerance, C., and, Rumely, R.S., On distinguishing prime numbers from com-
in September 2004. See Agrawal, M., Kayal, N., and Saxena, N., PRIMES is in P, Annals of
Mathematics, 160(2), 781–793, 2004 (http://www.math.princeton.edu/~annals/issues/2004/
Sept2004/Agrawal.pdf).
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 469
b
[1] If n = a for a ∈ N and b > 1, output COMPOSITE.
2
[2] Find the smallest r such that Or ( n) > log n.
FIGURE 15.5
The AKS algorithm. (From Agrawal, M. et al., Annals of Mathematics, 160(2), 784, 2004. With
permission.)
they were undergraduates when most of the work was done.* Just as the
encryption scheme developed by Rivest, Shamir, and Adleman became
known as RSA, so the primality test of Agrawal, Kayal, and Saxena became
known as AKS (Figure 15.5). The algorithm is very simple, but a few nota-
tions need to be explained:
• Or(n) is the order of n modulo r; that is, the smallest value k such that
nk = 1 (mod r).
• ϕ is the Euler phi function. I used a slightly different form of this let-
ter, φ, in Section 13.3 of this book.
• log denotes a base 2 logarithm.
• (mod Xr – 1, n) means divide by the polynomial Xr – 1 and take the
remainder, and also reduce all coefficients modulo n.
www.ebook777.com
free ebooks ==> www.ebook777.com
470 Secret History: The Story of Cryptology
Example 5 (n = 77)
Example 6 (n = 29)
3. Now check if 1 < (a, 29) < 29 for some a ≤ r = 31. There isn’t.
4. Because n < r, we conclude n is prime.
Rather than roll out another example to show how step 5 may come to be
used, we continue with Example 6, pretending that r didn’t exceed n. To do
so, we’ll pretend r was 24.*
For a = 1 to φ (r )log n do
if ((X + a)2 ≠ X n + a(mod
d X r − 1, n) , output COMPOSITE.
We have ϕ(r) = ϕ(24) = 8, since there are 8 numbers (1, 5, 7, 11, 13, 17, 19,
23) less than 24 and relatively prime to 24.
24 log(29) = 24 ( 4.85798) = 23
For the longest step, we verify that (X + a)29 = X29 + a (mod X24 – 1, 29),
for all a such that 1 ≤ a ≤ 23.
15.4.2 GIMPS
Some numbers are easier to test for primality than others. Mersenne num-
bers, which have the form 2n – 1, are currently the easiest. For values of n,
such as n = 2 or 3, that yield primes, we call the numbers Mersenne primes.
The ease of testing such numbers is why the top nine largest known primes
are all Mersenne primes. Another advantage that numbers of this form have,
when it comes to a chance of making it on the top 10 list, is that anyone with a
computer may download a program that allows him or her to join in the test-
ing. The program, Great Internet Mersenne Prime Search (GIMPS, for short),
allows people to donate otherwise idle time on their personal computers to
testing numbers of the form 2n – 1 for primality.
Primes having special forms should not be considered for cryptographic
purposes. Also, bigger isn’t always better. If your RSA modulus has
125910519380912 digits, how long do you think it will take an attacker to
figure out what two primes you multiplied together, when there are so few
primes known with millions of digits? Proving extremely large numbers to
be prime is not done for the sake of applications, but rather for love of the
game. If you need to get something useful out of the search for record-break-
ingly large primes, how about $100,000?†
Perhaps the most valuable prime ever found was 243112609 – 1. When Edson
Smith found this mathematical gem in 2008, it was the first one ever found
with more than ten million digits, so he won $100,000. He used software
* http://www.cse.iitk.ac.in/users/manindra/.
† Caldwell, C. and Honaker, Jr., G.L., Prime Curios! The Dictionary of Prime Number Trivia,
CreateSpace, Seattle, WA, 2009, p. 243.
www.ebook777.com
free ebooks ==> www.ebook777.com
472 Secret History: The Story of Cryptology
1.
Traveling salesman problem—Suppose a traveling salesman wants
to visit every state capital in the United States by car. What path
would be the shortest? We could solve this problem by considering
all of the possibilities. If we allow the salesman to start anywhere,
there are 50! possible routes, so although the solution is among
them we are not likely to find it.
2.
Knapsack problem—The knapsack problem (i.e., the subset sum
problem) consists of finding a selection of numbers from a given
set such that the sum matches some desired value. For example, if
our set is S = {4, 8, 13, 17, 21, 33, 95, 104, 243, 311, 400, 620, 698, 805,
818, 912} and we wish to find values that sum to 666, we may take
620 + 21 + 17 + 8. There may be no solution. In our example, we
cannot obtain a sum of 20; however, a solution may be found, or its
nonexistence demonstrated, simply by forming all possible subsets
of S and then checking their sums. This is clearly not practical for
large S, since the number of subsets grows exponentially with the
size of S (a set of n elements has 2n subsets). The name of this prob-
lem comes from imagining the desired value as the size of a knap-
sack that we wish to completely fill with the numbers representing
the sizes of objects.
3.
Hamiltonian graph problem—This is similar to the first example.
Imagine the salesman is restricted from traveling directly from
some cities to other cities. Pretend, for example, that the highway
from Harrisburg, PA, to Annapolis, MD, is one way. If the sales-
man wants to go from Annapolis to Harrisburg, he must first head
to some other capital. We will investigate this problem in greater
detail in Section 20.3.
Decoding linear codes—Let M be a m × n matrix of 0s and 1s. Let y be
4.
a vector with n components (i.e., an n-tuple), each of which is either 0
or 1. Finally, let k be a positive integer. The time-consuming question
* Karp, R.M., Reducibility among combinatorial problems, in Miller, R.E. and Thatcher, J.W.,
Eds., Complexity of Computer Computations, Plenum, New York, 1972, pp. 85–103.
www.ebook777.com
free ebooks ==> www.ebook777.com
474 Secret History: The Story of Cryptology
Some of the NP-complete problems have special cases that are easy to
solve. This doesn’t matter. Even if almost all instances of a problem can be
solved rapidly, a problem could be classified as NP-complete or NP-hard or
EXP. Complexity theory considers worst cases and is not concerned with the
time required on average or in the best case.
It is possible that polynomial time solutions exist for all NP problems and
that mathematicians have just not been clever enough to find them. The fact
that deterministic primality testing resisted being place in P until the 21st cen-
tury can be seen as evidence of this; however, it is widely believed that P ≠ NP.
A proof showing either P = NP or P ≠ NP is considered the Holy Grail
of computer science. This problem is one of the seven Millennium Prize
Problems, so a proof that withstands peer review will net the author a
$1,000,000 prize from the Clay Mathematics Institute.§
Conferences are a great place to learn a bit of mathematics outside one’s
own specialty. At the 2008 Joint Mathematics Meetings in San Diego, I greatly
enjoyed the AMS Josiah Willard Gibbs lecture delivered by Avi Wigderson of
the Institute for Advanced Study. It was titled “Randomness—A Computational
Complexity View.” The main result was likely well known to experts in com-
plexity theory but was new to me. It follows the conjectures below.
* Talbot, J. and Welsh, D., Complexity and Cryptography: An Introduction, Cambridge University
Press, Cambridge, UK, 2006, pp. 162–163.
† McEliece, R.J., A Public-Key Cryptosystem Based on Algebraic Coding Theory, Deep Space Network
Progress Report 42-44, Jet Propulsion Laboratory, California Institute of Technology, 1978,
pp. 114–116.
‡ Demaine, E.D., Hohenberger, S., and Liben-Nowell, D., Tetris is hard, even to approximate,
in Warnow, T. and Zhu, B., Eds., Proceedings of the 9th Annual International Conference on
Computing and Combinatorics (COCOON ’03), Lecture Notes in Computer Science, Vol. 2697,
Springer, New York, 2003, pp. 351–363.
§ http://www.claymath.org/ is the general page for the Clay Mathematics Institute and http://
15.5.1 Cryptologic Humor
I have a proof for P = NP in the special case where N = 1.
The paper “Terms Used in the Disciplines of Cryptography, IT Security and
Risk AnalysisӠ by John Gordon offered the following definition:
NP-hard a. Non-pharmacologically hard, i.e., not just due to Viagra.
* Impagliazzo, R. and Wigderson, A., P=BPP unless E has subexponential circuits: derandom-
izing the XOR lemma, in Proceedings of the 29th ACM Symposium on Theory of Computing (STOC
’97), El Paso, TX, 1997, pp. 220–229.
† Gordon J., Terms Used in the disciplines of cryptography, IT security and risk analysis,
www.ebook777.com
free ebooks ==> www.ebook777.com
476 Secret History: The Story of Cryptology
FIGURE 15.6
Ralph Merkle, Martin Hellman, and Whitfield Diffie (http://engineering.stanford.edu/about/
images/memories/pop_timemag.jpg (c) Chuck Painter/Stanford News Service).
I am sorry to have to inform you that the paper is not in the main stream
of present cryptography thinking and I would not recommend that it be
published in the Communications of the ACM.
FIGURE 15.7
First page of Merkle’s proposal.
The editor, in her rejection letter to Merkle, added that she “was particularly
bothered by the fact that there are no references to the literature.”* There
couldn’t be any references to the literature, because it was a brand-new idea!
On a personal note, knowing that reviewers will sometimes look at a paper’s
reference list before reading it, to see if the author has “done his homework,”
and then factor that into their decision, I always make sure my papers have
many references.
www.ebook777.com
free ebooks ==> www.ebook777.com
478 Secret History: The Story of Cryptology
But Merkle didn’t give up. He revised the paper, and eventually (almost
three years later) it was published in Communications of the ACM.* By this
time, Merkle was not the first to publish on the topic of public key cryptogra-
phy, although he was the first to conceive it, write it up, and submit it. What
lessons can we learn from this? I think there are three.
15.7 Knapsack Encryption
The knapsack problem is known to be NP-complete, so it should make a very
firm foundation to build a cryptosystem upon. After all, factoring, although
believed to be hard, has eluded attempts to pin it down to being NP-complete,
and look at how successful RSA has been. A system with a firmer founda-
tion might be used with even greater confidence, but how could it be done?
Merkle and Hellman worked out the details for their 1978 paper referred to
above. Their solution follows. We’ll use the knapsack from our brief list of
NP-complete problems:
S = {4, 8, 13, 17, 21, 33, 95, 104, 243, 311, 400, 620, 698, 805, 818, 912}
* All you need to know to understand what follows is that ASCII assigns values to each char-
acter and those for the capital letters are A = 65, B = 66, C = 67, …, Z = 90. These values may
then be converted to binary (base 2).
† The technical term for such a set is superincreasing.
www.ebook777.com
free ebooks ==> www.ebook777.com
480 Secret History: The Story of Cryptology
element of S that does not exceed our given number and, after subtracting it
from our desired total, repeat the process as many times as necessary until
we get to zero.
Fortunately, there is a way to disguise our knapsack so that an attacker will
not be able to take advantage of this simple approach. We multiply every ele-
ment in our knapsack by some number m and then reduce the result modulo
n. The modulus needs to exceed the sum of the elements of S, and m should
be relatively prime to n, to guarantee m–1 exists modulo n. The disguised
knapsack serves as the public key and is used as described above. The pri-
vate portion of the key is m–1 and n. It is also a good idea to keep m secret,
but it isn’t needed for decryption. The recipient simply multiplies each block
by m–1 modulo n and uses this value to solve the knapsack problem using
the fast algorithm that goes with the original superincreasing knapsack. The
answer he gets will also work for the value sent using the disguised knap-
sack, and thus yield the desired plaintext.
Example 7
We start with the superincreasing knapsack:
The total of our knapsack elements is 437461. Because n must exceed this
sum, we take n = 462193. Now we pick an m relatively prime to n, such as
m = 316929. Multiplying every element in our knapsack by m (mod n) gives
the disguised knapsack:
We then randomly scramble the order of our knapsack to further disguise it,
using the following key:
We can now reveal the elements of mS and the value of the modulus n to the
world and anyone wanting to send a message can, but to decipher we need
m–1 (mod n). We may find this by using the Euclidean algorithm, as demon-
strated in Section 13.3. We get m–1 = 304178.
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 481
If someone wants to send the message WELL DONE, he would have to enci-
pher the letters in pairs. The first pair WE is represented in ASCII by 87 and
69. In binary this is 01010111 and 01000101. Running all 16 bits together we
have 0101011101000101. The positions of the 1s indicate that we should sum
the reordered mS knapsack values in positions 2, 4, 6, 7, 8, 10, 14, and 16 and
add them together. We get
and finds values that sum to 259481 by using the greedy algorithm of looking
for the largest number in the knapsack that does not exceed 259481. Once it
is found, that number is subtracted from 259481 and the search is repeated
using the reduced number to get
The knapsack values used to get the sum 259481 are now in positions 7,
16, 8, 2, 10, 6, 14, and 4. Ordering these, the recipient has 2, 4, 6, 7, 8, 10, 14,
and 16 and constructs a 16-bit number with 1s in those positions. This is
0101011101000101. Splitting into bytes, converting to base 10, and finally to
the letters those numbers represent in ASCII, the recipient gets 01010111
01000101 = 87 69 = WE.
So, we now have a public key cryptosystem based on an NP-complete
problem, but you should not be overconfident! As was mentioned before, a
clever cryptanalyst might find a method of attack that avoids the intractable
problem. Indeed, such was the case here. Obviously, if the attacker multiplies
www.ebook777.com
free ebooks ==> www.ebook777.com
482 Secret History: The Story of Cryptology
the disguised knapsack by m–1 and mods out by n, he will be able to read
messages as easily as the intended recipient. That is why m–1 and n must be
kept secret; however, m–1 and n are not the only numbers that will work. It
turns out that any multiplier and modulus that yield a superincreasing set
will work to break the system. The attacker doesn’t even need any ciphertext
to begin his work. He may start the attack as soon as the public key is made
public! Once he recovers a superincreasing knapsack (not necessarily the one
the user is keeping secret), he is ready to read any message using the original
public key.
Even if the attack described above wasn’t possible, there would still be a
serious flaw. An attacker could simply encipher every 16-bit combination,
recording the results, and then crack any cipherext by doing a reverse look-
up in the table thus created. This could be averted by using a larger knapsack
and thus enciphering large blocks that would block the brute-force attack on
the message space. However, the attack above still stands.
The moral of this story is that a system built on a secure foundation isn’t
necessarily secure! Over the years, various revisions of the knapsack idea
have been put forth and broken. This has happened to other systems, such
as matrix encryption. After several rounds of cracks and patches, most cryp-
tographers consider a system too flawed to become workable and lose inter-
est in further iterations.
15.8 Elgamal Encryption
The difficulty of solving the discrete log problem (see Section 13.2) was used
by Taher Elgamal* (Figure 15.8), an Egyptian-born American cryptographer,
to create the Elgamal public key cryptosystem in 1985.† Alice and Bob will
illustrate how Elgamal works.
Alice begins by picking a large prime p and a primitive root g in the mul-
tiplicative group of integers modulo p. The term primitive root means that the
element has the largest possible order. Taking consecutive powers of such an
element (mod p) until we reach 1 will result in the entire group being gener-
ated. For that reason, we sometimes refer to a primitive root as a generator.
This is why we represent it with the letter g. Alice then selects a private key
a and computes A = ga (mod p). She publishes g, p, and A, only keeping the
value a secret.
* You will see Elgamal spelled El Gamal and ElGamal in the literature. In this text, the name is
spelled as Elgamal spells it.
† ElGamal, T., A public key cryptosystem and a signature scheme based on discrete loga-
FIGURE 15.8
Taher Elgamal (1955–). (From Malkevitch, J., Mathematics and Internet Security, American
Mathematical Society, http://www.ams.org/samplings/feature-column/fcarc-internet. Courtesy
of Dr. Taher Elgamal.)
Bob wishes to send a message M, which he must put in the form of a number
between 2 and p. If the message is too long for this, it can be broken into pieces.
Bob then selects a key k (mod p) and computes C1 = gk (mod p) and C2 = MAk
(mod p). He then sends Alice both C1 and C2. Thus, this system has the disad-
vantage that the ciphertext is twice as long as the message.
To recover the message M, Alice computes x = C1a (mod p). From this, she
is able to then calculate x–1 by using the Euclidean algorithm, as detailed in
Section 13.3.
Finally, Alice computes x–1C2 (mod p), which reveals the message, since
The security of this system relies on the inability of an attacker to find the
value of a when he is provided with g, p, and A = ga (mod p). This is the dis-
crete log problem.
Example 8
We may use the prime p = 2687 and the value g = 22 for illustrative pur-
poses. If Alice’s private key is a = 17, she must calculate A = ga (mod p). This
is 2217 = 824 (mod 2687). She reveals to the world p, g, and A. If Bob wants to
send the brief message HI, he must convert it to numbers first. We’ll simply
replace the letters using the scheme A = 0, B = 1, …, Z = 25, but ASCII or
other methods may be used. We get 0708, or 708. For his key Bob randomly
chooses k = 28. He computes
www.ebook777.com
free ebooks ==> www.ebook777.com
484 Secret History: The Story of Cryptology
Bob sends Alice 55 and 1601. To read the message, Alice first computes
x = C1a (mod p) = 5517 (mod 2687) = 841. Using the Euclidean algorithm, she
finds the multiplicative inverse of 841 (mod 2687) is 2048. She then computes
x–1C2 (mod p) = (2048)(1601) (mod 2687) = 708, which under our encoding
scheme, translates to HI.
Basing a cryptosystem on a “hard” problem is not an idea new to this
chapter. We’ve already examined a cipher based on the hardness of factor-
ing, namely RSA. Recall that RSA is based on the factoring problem, but it is
not known to be equivalent to that problem. Nor do we know that factoring
is NP-complete. It might fall in P, like primality testing. The same is true for
the discrete log problem. We don’t know if it is in P or NP-complete. The
Merkle–Hellman system and the McEliece system (alluded to briefly) are the
only systems in this chapter based on problems known to be NP-complete.
See Figure 15.9 for a photograph of the key players in the world of public
key cryptography.
FIGURE 15.9
The gang’s all here! From left to right: Adi Shamir, Ron Rivest, Len Adleman, Ralph Merkle,
Martin Hellman, and Whitfield Diffie. Notice that none of these cryptologic all-stars is wear-
ing a tie. It’s what’s in your head that matters! (Picture courtesy of Eli Biham, taken at the pre-
sentation on August 21 at Crypto 2000, an IACR conference. The 21 at the bottom right is part
of a date stamp that was mostly cropped out for reproduction here.)
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 485
www.ebook777.com
free ebooks ==> www.ebook777.com
486 Secret History: The Story of Cryptology
The following books each list the bracketed number as the first prime. Can
anyone continue the sequence?
[1] The 1986 Information Please Almanac, 39th ed., Houghton Mifflin, Boston, p. 430.
[2] Ribenboim, P., The New Book of Prime Number Records, Springer, New York, 1996,
p. 513.
[3] Garrett, P., Making, Breaking Codes: An Introduction to Cryptology, Prentice Hall,
Upper Saddle River, NJ, 2001, p. 509.
More primes? The following books indicate that the bracketed number is
prime.
[4] Posamentier, A.S. and Lehmann, I., The (Fabulous) Fibonacci Numbers, Prometheus
Books, Amherst, NY, 2007, p. 333. Typos aside, this is a very good book.
[27] King, S., Dreamcatcher, Scribner, New York, 2001, p. 211.
On Complexity Theory
Fortnow, L. and Homer, S., A Short History of Computational Complexity, 2002, http://
people.cs.uchicago.edu/~fortnow/papers/history.pdf.
Garey, M.R. and Johnson, D.S., Computers and Intractability: A Guide to the Theory
of NP-Completeness, W.H. Freeman, New York, 1979. This book lists over 300
NP-complete problems.
Hartmanis, J. and Stearns, R., On the computational complexity of algorithms,
Transactions of the American Mathematical Society, 117(5), 285–306, 1965.
Complexity theory begins here!
Talbot, J. and Welsh, D., Complexity and Cryptography an Introduction, Cambridge
University Press, Cambridge, 2006.
On Tetris
Breukelaar, R., Demaine, E.D., Hohenberger, S., Hoogeboom, H.J., Kosters, W.A., and
Liben-Nowell, D., Tetris is hard, even to approximate, International Journal of
Computational Geometry and Applications, 14(1), 41–68, 2004.
Demaine, E.D., Hohenberger, S., and Liben-Nowell, D., Tetris is hard, even to approx-
imate, in Warnow, T. and Zhu, B., Eds., Proceedings of the 9th Annual International
Conference on Computing and Combinatorics (COCOON ’03), Lecture Notes in
Computer Science, Vol. 2697, Springer, New York, 2003, pp. 351–363.
Peterson, I., Tetris Is Hard, Mathematical Association of America, Washington, DC,
2002 (http://www.maa.org/mathland/mathtrek_10_28_02.html).
On McEliece’s System
Chabaud, F., On the security of some cryptosystems based on error-correcting codes,
in De Santis, A., Ed., Advances in Cryptology: EUROCRYPT ’94 Proceedings,
Lecture Notes in Computer Science, Vol. 950, Springer, Berlin, 1995, pp. 131–139.
free ebooks ==> www.ebook777.com
Primality Testing and Complexity Theory 487
McEliece, R.J., A Public-Key Cryptosystem Based on Algebraic Coding Theory, Deep Space
Network Progress Report 42-44, Jet Propulsion Laboratory, California Institute
of Technology, 1978, pp. 114–116.
On Elgamal
Elgamal, T., A public key cryptosystem and a signature scheme based on discrete log-
arithms, in Blakley, G.R. and Chaum, D., Eds., Advances in Cryptology: CRYPTO
’84 Proceedings, Lecture Notes in Computer Science, Vol. 196, Springer, Berlin,
1985, pp. 10–18.
Elgamal, T., A public key cryptosystem and a signature scheme based on discrete
logarithms, IEEE Transactions on Information Theory, 31(4), 469–472, 1985.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
16
Authenticity*
There are many situations in which we would like to be sure that a message
was actually composed and sent by the person it appears to be from. This
refers to the authenticity of the message, and it is not a new problem.
We thank you for the large deliveries of arms and ammunitions which
you have been kind enough to send us. We also appreciate the many tips
you have given us regarding your plans and intentions which we have
carefully noted. In case you are concerned about the health of some of
the visitors you have sent us you may rest assured they will be treated
with the consideration they deserve.
In addition to the security checks mentioned above, there are other ways to
verify a user’s identity. Just as you can recognize the voice of a friend on the
telephone, a telegraph operator has a style that can be recognized by other
operators. This is referred to as the fist of the sender, and it can be depicted
p. 522.
489
www.ebook777.com
free ebooks ==> www.ebook777.com
490 Secret History: The Story of Cryptology
graphically (Figures 16.1 and 16.2). This was known to the Nazis as well as
the British. Just as a skilled impersonator might be able to use his voice to
fool you into thinking he’s someone else, one telegrapher can imitate the fist
of another. The Nazis had success in this arena, but fists were used against
them to track U-boats by tracking the recognizable style of each of their radio
operators. In today’s world, the need for certainty of a sender’s identity con-
tinues to be of great importance, even in times of peace. We’ll now look at
some modern attempts to address this problem.
(M (mod na )
da eb
(mod nb )
Now Bob has twice as much work to do to recover the message, but he is the
only one who can do so, and Alice is the only one who could have sent it. Bob
first applies his private key, then he applies Alice’s public key, and finally he
reads the message.
Atari® used RSA “as the basis of its protection scheme on video game car-
tridges. Only cartridges that have been signed by the company’s public key
work in the company’s video game machines.” * The signing capability of
RSA makes it even more useful, but it does allow attacks not discussed in
Chapter 14.
* Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 95.
free ebooks ==> www.ebook777.com
Authenticity 491
FIGURE 16.1
Each line represents a distinct “fist” sending the same alphabet and numbers. (From Lorain, P.,
Clandestine Operations: The Arms and Techniques of the Resistance 1941–1944 (in a translation by
David Kahn), Macmillan, New York, 1983, p. 169.)
FIGURE 16.2
The change in this agent’s fist was the result of his enlisting another operator’s help. (From
Lorain, P., Clandestine Operations: The Arms and Techniques of the Resistance 1941–1944 (in a trans-
lation by David Kahn), Macmillan, New York, 1983, p. 170.)
www.ebook777.com
free ebooks ==> www.ebook777.com
492 Secret History: The Story of Cryptology
( eM )( dM ) − 1 = ( 2 k ) (s)
If Mallet can find a value x ≠ ±1 such that x2 = 1 (mod n), he can use x to
factor n by writing x2 – 1 = 0 (mod n) and (x – 1)(x + 1) = 0 (mod n). A prime
factor of n will then be provided by either gcd(x – 1, n) or gcd(x + 1, n). We will
return to this idea, but first we make a few observations.
Since (eM)(dM) = 1 (mod φ(n)), by definition, we have (eM)(dM) – 1 = 0 (mod
φ(n)). Mallet can substitute into this last equality using the identity (eM)(dM)
– 1 = (2k)(s) to get (2k)(s) = 0 (mod φ(n)). In other words (2k)(s) is a multiple of
φ(n). Thus,
k
a 2 s = 1 (mod n)
( a2 s )2 = 1 (mod n)
k ′− 1
a2 s
in which case it is a square root of 1 (mod n), but not one that is useful for fac-
toring n. DeLaurentis showed that this happens at most half of the time. So,
if Mallet is unlucky, he can simply randomly choose another base a and try
again. Once n is factored, Mallet can easily generate all of the private keys.
Like the Miller–Rabin primality test, this is a probabilistic attack, but
DeLaurentis went on to show that assuming the Riemann hypothesis makes
his attack deterministic. He also presented a second attack that allows Mallet
to read and sign messages without factoring n.
Now eMdM – 1 need not be relatively prime to Alice’s public key eA.
www.ebook777.com
free ebooks ==> www.ebook777.com
494 Secret History: The Story of Cryptology
Let f be the greatest common divisor of eMdM – 1 and eA. The value of f may be
found rapidly using the Euclidean algorithm. We define r = (eMdM – 1)/f = (kφ(n))/f
and note that r is relatively prime to eA. Since f is a divisor of eA and eA is rela-
tively prime to φ(n), f must also be relatively prime to φ(n). We now have two
very useful facts:
1.
f is a factor of kφ(n).
f is relatively prime to φ(n).
2.
16.2.4 Elgamal Signatures
Like RSA, Elgamal can also be used to sign messages. Unlike RSA, how-
ever, the user needs an extra key component to do so. Recall that for regular
Elgamal encryption Alice only needs a large prime p, an element g of maxi-
mal order in the multiplicative group of integers modulo p, and a private
key a. She computes A = ga (mod p) and then publishes g, p, and A. Only a is
kept secret.
Let s denote Alice’s second secret key. She must compute v = gs (mod p).
Then, to sign a message M, she selects a random enciphering key e and
computes
S1 = ge (mod p) and S2 = (M – sS1)e–1 (mod p – 1)
−1
v S1 S1S2 = g sS1 g eS2 = g sS1 + eS2 = g sS1 + e ( M – sS1 ) e = g sS1 +( M – sS1 ) = g M
free ebooks ==> www.ebook777.com
Authenticity 495
1. The same message must always yield the same hash. That is, we have
a hash function. This will be important when it comes to verifying
signatures based on the hash. We denote the hash function by h(x).
2. Hashing should be fast. After all, speed is the drawback of using the
methods previously described.
3. It should be difficult (computationally infeasible) to find two mes-
sages that hash to the same value. That is, we should not be able
to find distinct x and x′ such that h(x) = h(x′). If this happens, we
say that a collision has been found. It would be very bad if a legiti-
mately signed document could have a portion replaced (with the
new text having some other meaning) and hash to the same value
as the original. This would make the altered document appear to
be signed as well. However, any collision is seen as a serious threat,
even if it is found using two messages that look more like random
text than meaningful messages. This is a very interesting condition,
as no hash function can be one to one—the whole idea is to create a
shorter message! Thus, collisions must exist, even for the best hash
functions, yet finding them should be very difficult!
4. Computing any preimage should be difficult. That is, given the hash
of a message, h(x), we should not be able to recover the message or
any other text y such that h(y) = h(x).
Hash functions came about in the 1950s, but they were not then intended
to serve cryptographic purposes.* The idea of these functions was simply
to map values in a dataset to smaller values. In this manner, comparisons
could be made more easily and searches could be accelerated. In 1974,
researchers who may not have been aware of hash functions recognized
that “hard-to-invert” functions offered a way to check if a message had
been changed.† They credited the idea to Gus Simmons, who had pre-
* Knuth, D., The Art of Computer Programming: Sorting and Searching, Vol. 3, Addison-Wesley,
Reading, MA, 1973, pp. 506–549.
† Gilbert, E.N., MacWilliams, F.J., and Sloane, N.J.A., Codes which detect deception, Bell System
www.ebook777.com
free ebooks ==> www.ebook777.com
496 Secret History: The Story of Cryptology
MD5 was obviously used as the model for SHA-1, since they share many
common features.
—Mark Stamp and Richard M. Low**
* Gilbert, E.N., MacWilliams, F.J., and Sloane, N.J.A., Codes which detect deception, Bell System
Technical Journal, 53(3), 406, 1974.
† Wegman, M.N. and Carter, J.L., New hash functions and their use in authentication and set
eprint.iacr.org/2009/223.pdf.
** Stamp, M. and Low, R.M., Applied Cryptanalysis: Breaking Ciphers in the Real World, Wiley-
The Secure Hash Standard (SHA) offers another series of hash functions.
The first, now called SHA-0, was designed by the National Security Agency
(NSA) in 1993. It was followed by NSA’s SHA-1 in 1995. Both produced a
160-bit hash. In fact, there is only a very small difference between the two,
and NSA claimed that the modification improved security, but they didn’t
provide an explanation as to how.
Although much cryptanalysis went before, it was not until 2004 that a col-
lision was actually found for SHA-0. It took the equivalent of 13 days’ work
on a supercomputer.* The following year, a flaw was found in SHA-1, and
NSA is now recommending that SHA-2 be used instead.† Despite this,‡
www.ebook777.com
free ebooks ==> www.ebook777.com
498 Secret History: The Story of Cryptology
But this cannot be correct, as I’ll soon be presenting an example from 1972,
which predates DES. As a substitute for a firm identification of who was first,
some (possibly) early examples are provided. Anyone who can provide a
definitive first is encouraged to contact me! Cipher Deavours wrote, “Non-
classified work on such functions dates back to the early 1970s.Ӡ One would
assume that the government had studied the problem before then. Deavours
goes on to reference a 1977 paper by Downey that described a system in use
in 1972.‡
This system’s initial step was vaguely described as “some preliminary
reductions in [the password’s] length,” but after that, the next step is crystal
clear. The password, p, was enciphered as
Downey went on to break this system, recovering passwords from their enci-
phered values. Doing so only required computing the multiplicative inverse
of 216 (mod 1019 – 1). It’s a wonder anyone thought this could be secure!
Hashes used in this manner needn’t decrease the size of the data being
“hashed,” but they must have the property that preimages are difficult to
compute. Sometimes these are referred to as one-way functions; however,
there is no mathematical proof that one-way functions even exist! Other ref-
erences to password protection from the early 1970s are listed below:
* http://en.wikipedia.org/wiki/Password#History_of_passwords.
† Deavours, C., The Ithaca connection: computer cryptography in the making, a special status
report, Cryptologia, 1(4), 313, 1977.
‡ Downey, P.J., Multics Security Evaluation: Password and File Encryption Techniques, ESD-TR-74-193,
Vol. III, Electronic Systems Division, Hanscom Air Force Base, MA, 1977.
free ebooks ==> www.ebook777.com
Authenticity 499
The inverse of k, needed for S2 , is calculated (mod q). The two values S1 and
S2 constitute the signature for message M and are sent with it.
To verify that a signature is genuine, we compute the following:
* U.S. Department of Commerce, Digital Signature Standard (DSS), FIPS Pub. 186-2, National
Institute of Standards and Technology, Washington, DC, 2000 (http://csrc.nist.gov/publica-
tions/fips/fips180-2/fips180-2withchangenotice.pdf).
† There is actually a different scheme for generating p and q that is recommended by NIST. The
www.ebook777.com
free ebooks ==> www.ebook777.com
500 Secret History: The Story of Cryptology
U1 requires calculating the inverse of S2. This is done modulo q. The signa-
ture, S1 S2, is deemed genuine if V = S1. DSA creates signatures at the same
speed as RSA but requires 10 to 40 times as long to verify signatures.* It is
quicker than Elgamal, though.
Example 1
As a small example to illustrate DSA, we choose the prime q = 53. We
then need a much larger prime p, such that p – 1 is divisible by q. We try
10q + 1 = 531, but it is divisible by 3. We are also able to factor 12q + 1 = 637.
Finally, 14q + 1 gives us the prime 743. So we now have q = 53 and p = 743 as
our two primes. We also need an element g of order q in the multiplicative
group modulo p. So, we compute g = h(p–1)/q (mod p), where h is an element
of maximal order modulo p. We quickly find that h = 5 is suitable. We then
have g = 5(p–1)/q (mod p) = 514 (mod p) = 212. We randomly set s = 31. Then v = gs
(mod p), so we get v = 21231 = 128; p, q, g, and v are made public, but s is kept
secret. We are now ready to sign a message.
We will let the message be the single letter D—perhaps a grade someone
will be receiving. We represent it numerically as 3 (using our old scheme
A = 0, B = 1, …, Z = 25). Our signature requires two numbers be calculated.
These numbers require us to pick a random value k between 1 and q – 1.
We let k = 7. Then
becomes (ignoring the hash step and simply using the full message instead)
Recall that all the inverses that need to be calculated for DSA are done mod-
ulo q, the smaller prime. These two values constitute the signature for mes-
sage M and are sent with it.
To verify that the signature is genuine, we compute the following:
* Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996, p. 485.
free ebooks ==> www.ebook777.com
Authenticity 501
= 94 (mod 53) = 41
* Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996, p. 486.
† Ibid.
www.ebook777.com
free ebooks ==> www.ebook777.com
502 Secret History: The Story of Cryptology
Pfitzmann, B., Digital Signature Schemes: General Framework and Fail-Stop Signatures,
Lecture Notes in Computer Science, Vol. 1100, Springer, New York, 1991.
Preneel, B., Cryptographic hash functions, European Transactions on Telecommunications,
5(4), 431–448, 1994.
Preneel, B., Analysis and Design of Cryptographic Hash Functions, doctoral dissertation,
Katholieke Universiteit Leuven, Belgium, 2003 (http://homes.esat.kuleuven.
be/~preneel/phd_preneel_feb1993.pdf).
Preneel, B., Govaerts, R., and Vandewalle, J., Information authentication: hash func-
tions and digital signatures, in Preneel, B., Govaerts, R., and Vandewalle, J.,
Eds., Computer Security and Industrial Cryptography: State of the Art and Evolution,
Lecture Notes in Computer Science, Vol. 741, Springer, Berlin, 1993, pp. 87–131.
Stallings, W., Cryptography and Network Security: Principles and Practice, 5th ed., Prentice
Hall, Upper Saddle River, NJ, 2010. This is a comprehensive look at cryptogra-
phy. No cryptanalysis is present, but there is much material on hash functions.
Stamp, M. and Low, R.M., Applied Cryptanalysis: Breaking Ciphers in the Real World,
Wiley-Interscience, Hoboken, NJ, 2007. Chapter 5 of this book (pp. 193–264) dis-
cusses cryptanalysis of hash functions. The authors state in the conclusion for
this chapter (p. 256), “For many years, it seems that hash functions had been
largely ignored by cryptographers. But with the successful attack on MD5, and
similar results for SHA-1 pending, hash functions have moved from a sleepy
cryptographic backwater to the forefront of research.”
U.S. Department of Commerce, Secure Hash Standard, FIPS Pub. 180-1, National
Institute of Standards and Technology, Washington, DC, 1995 (http://www.itl.
nist.gov/fipspubs/fip180-1.htm). This describes SHA-1.
U.S. Department of Commerce, Digital Signature Standard (DSS), FIPS Pub. 186-2,
National Institute of Standards and Technology, Washington, DC, 2000 (http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf).
U.S. Department of Commerce, Secure Hash Standard, FIPS Pub. 180-2 (+ Change
Notice to include SHA-224), National Institute of Standards and Technology,
Washington, DC, 2002 (http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2withchangenotice.pdf). This describes SHA-2.
Wegman, M.N. and Carter, J.L., New hash functions and their use in authentication
and set equality, Journal of Computer and System Sciences, 22(3), 265–279, 1981.
Winternitz, R.S., Producing a one-way hash function from DES, in Chaum, D., Ed.,
Advances in Cryptology: Proceedings of Crypto ’83, Plenum Press, New York, 1984,
pp. 203–207.
Xie, T. and Feng, D., How to Find Weak Input Differences for MD5 Collision Attacks, 2009,
http://eprint.iacr.org/2009/223.pdf.
free ebooks ==> www.ebook777.com
17
Pretty Good Privacy
The recipient can use RSA to recover the session key K. He then applies it
to the ciphertext and reads the original message. Because RSA is only ever
used on the relatively short (compared to the message) key, its slowness is
not much of a disadvantage. The whole process is fast and does not pose any
serious key management problems.
Sending a session key along with the ciphertext wasn’t a new idea. Recall
that the Nazis used Enigma in this manner, although they needed a daily
key to encipher every session key. Public key encryption did away with that.
The same RSA key may be used for years.
* Kohnfelder, L.M., Toward a Practical Public Key Encryption Algorithm, undergraduate the-
sis, Department of Electrical Engineering, Massachusetts Institute of Technology, Cambridge,
MA, 1978. His thesis advisor was Len Adleman.
† Diffie, W., The first ten years of public-key cryptography, Proceedings of the IEEE, 76(5), 566,
1988.
503
www.ebook777.com
free ebooks ==> www.ebook777.com
504 Secret History: The Story of Cryptology
17.2 Birth of PGP
It was in the 1980s that Charlie Merritt, along with two friends, made a pro-
gram to (slowly) run public key encryption on Z-80 computers,* but there
didn’t seem to be any demand. Merritt’s friends quit, and Merritt continued
on with his wife. Most of the interest was from businesses who wanted to
protect their secrets from foreign competitors, but National Security Agency
(NSA) representatives kept stopping by to warn Merritt against export-
ing any crypto software. Trying to find domestic buyers led him to Philip
Zimmermann, who owned a small company.†
Zimmermann had come up with the idea of a hybrid system on his own in
1984 (he hadn’t seen Kohnfelder’s thesis), but he was confronted with many
technical problems in implementing it. He was very happy to hear from
Merritt, who helped him with these problems. Zimmermann had a degree
in computer science, but he had struggled with calculus. He planned to call
his program PGP, which stood for Pretty Good Privacy. This was a tribute
to Ralph’s Pretty Good Groceries, a fictional sponsor of Garrison Keillor’s
Prairie Home Companion radio show. Meanwhile, another hybrid system, con-
structed by Rivest and Adleman, was about to be marketed by RSA Data
Security as “Mailsafe.”
With Merritt’s help, Zimmermann conquered the necessary mathematics to
get RSA implemented as efficiently as possible on the slow machines of the
time period. Zimmermann himself moved slowly, working on the project part
time. Finally, in 1990, he pushed other matters aside, risking financial ruin,
and spent six months of 12-hour days to get it done.‡ This was not an attempt
to get rich. He planned on making it shareware. Interested people could obtain
* It took 10 minutes to create a 256-bit key and 20 to 30 seconds to encipher a small file. See
Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 88.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
it freely, but they were expected to mail Zimmermann a check if they decided
they wanted to use it. Rather than being financial, Zimmermann’s motivations
were political. Strong encryption would be a way to keep a prying government
out of the affairs of its citizens. Zimmermann’s motivations became intensified
when he learned in April 1991 that then-Senator Joseph Biden had cospon-
sored the Senate’s “Anti-Crime” Bill 266, which, if passed, would require “that
providers of electronic communications services and manufacturers of elec-
tronic communications service equipment shall ensure that communications
systems permit the government to obtain the plaintext contents of voice, data,
and other communications when appropriately authorized by law.”*
There is no agreement on who initiated the particular provision of the bill
quoted above. Some say the Federal Bureau of Investigation was responsible,
but according to the Electronic Frontier Foundation (EFF), Joe Biden himself
was responsible.† In any case, as of this writing, Biden is Vice President in
an administration that hopes to bring back the deleted provision. A para-
graph from a September 27, 2010, The New York Times piece sums up the new
proposal:‡
They can promise strong encryption. They just need to figure out how
they can provide us plain text.
—FBI General Counsel Valerie Caproni, September 27, 2010§
According to the New York Times article, the administration expected that
the bill would be considered in 2011. As of this writing, the bill has not been
brought forward, but it is still being talked about. There’s a lot of disagree-
ment between different agencies; some think it’s a really bad idea.
Back in 1991, fearing that strong crypto was about to be outlawed,
Zimmermann quickly finished his program, relabeled it as freeware, and
with the help of friends began to distribute it on American Internet sites in
* Quote reproduced here from Levy, S., Crypto: How the Code Rebels Beat the Government, Saving
Privacy in the Digital Age, Viking, New York, 2001, p. 195. Also, Garfinkel, S., PGP: Pretty Good
Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 97.
† Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 97.
www.ebook777.com
free ebooks ==> www.ebook777.com
506 Secret History: The Story of Cryptology
June 1991. He needn’t have rushed, as Biden reacted to anger over his pro-
posed anti-privacy legislation by withdrawing that section from the bill.*
Zimmermann still faced legal troubles, though. Although he wasn’t directly
responsible, PGP left the country within a day of being posted online, in
violation of encryption export laws.
Zimmermann’s cipher for his first hybrid system was based on work
Merritt had done for the Navy.† After making his changes, he renamed it
Bass-O-Matic, after a blender used in a Saturday Night Live skit, in which
Dan Aykroyd portrayed a salesman who used the machine to chop up a
fish.‡ Bass-O-Matic proved to be the weak link in PGP, but Zimmermann had
other problems. RSA was patented and he did not have permission to make
use of it.
Back in November 1986, Zimmermann had met with James Bidzos,
the president of RSA Data Security. It was mainly a meeting between
Bidzos and Merritt, who did contract work for RSA Data Security, but
Zimmermann was there. Bidzos and Zimmermann didn’t get along at
all—they were complete political opposites. Zimmermann refused contract
work from Bidzos because his company had a military connection. As for
Bidzos’ view of the military, he had joined the U.S Marines even though he
was a citizen of Greece.§
Despite these differences, Bidzos gave Zimmermann a copy of Mailsafe.
What he didn’t give him was permission to use RSA in his own encryption
program. Bidzos remembered this when PGP appeared. Simson Garfinkel
observed that, “What followed could only be described as a low-intensity
war by Bidzos against PGP and Zimmermann.”¶
Zimmermann wasn’t the only one to infringe upon the RSA patent. The
following excerpt from a question-and-answer session at a Computers,
Freedom, and Privacy conference in 1992 shows that Bidzos could have a
sense of humor about it.** The question, left out here for brevity, was ini-
tially answered by John P. Barlow (cofounder of the Electronic Frontier
Foundation):
* The anger came from two groups—civil libertarians and industry. It makes for an unlikely
alliance, but big businesses depend on strong encryption to protect themselves from spying
competitors, so they found themselves on the same side as the privacy advocates.
† Merritt had protested the war in Vietnam, but he did not see any conflict between that view-
point and his doing work for the Navy. See Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly &
Associates, Sebastopol, CA, 1995, p. 91.
‡ Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Topanga, CA, March 1992. The tape shows a panel session, with questions and answers, from
the Second Conference on Computers, Freedom, and Privacy (CFP). See http://www.cfp.org/
for what this group is currently doing and http://www.forests.com/cfpvideo/ for their full
video catalog.
free ebooks ==> www.ebook777.com
Pretty Good Privacy 507
Apparently PGP did not initially bother NSA. Zimmermann soon learned
(from Eli Biham) that his system was vulnerable to differential cryptanaly-
sis.* Other flaws were present, too, including one that prevented the last bit
of each byte from being properly encrypted.† After the flaws were pointed
out, Zimmermann began working on Version 2.0, but this time he got help
from much stronger cryptographers from around the world,‡ who appreci-
ated what he was trying to do. Bass-O-Matic was replaced by a Swiss cipher,
the International Data Encryption Algorithm (IDEA), which offered a 128-
bit key. Many other improvements were made and new features introduced.
PGP 2.0 was released from Amsterdam and Auckland (the hometowns of
two of Zimmermann’s new collaborators) in September 1992.§
In November 1993, following a deal Zimmermann made in August of
that year, ViaCrypt PGP Version 2.4 came out. ViaCrypt had a license for
RSA, so their product was legal, but it was indeed a product. Users had to
pay $100 for it.¶
In the meanwhile, RSA Data Security had released a free version, RSAREF,
for noncommercial use. The first version had restrictions that prevented
Zimmermann from making use of it within PGP,** but RSAREF 2.0 didn’t, and
Zimmermann made use of it for PGP Version 2.5. Thus, this version, while free,
* Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Viking, New York, 2001, p. 200.
† Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 102.
‡ Branko Lankester (Netherlands), Peter Gutmann (New Zealand), Jean-Loup Gailly (France),
Miguel Gallardo (Spain), and Peter Simons (Germany). See Garfinkel, S., PGP: Pretty Good
Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 103; Levy, S., Crypto: How the Code
Rebels Beat the Government, Saving Privacy in the Digital Age, Viking, New York, 2001, p. 200.
§ Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
ously infringed upon the RSA patent. See Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly &
Associates, Sebastopol, CA, 1995, p. 105.
www.ebook777.com
free ebooks ==> www.ebook777.com
508 Secret History: The Story of Cryptology
was only legal for noncommercial use. Soon thereafter, Version 2.6 appeared,
an update made to appease Bidzos who was furious. Version 2.6 was inten-
tionally made incompatible with previous versions of PGP, beginning on
September 1, 1994, so as not to allow the patent infringers to continue without
the upgrade.* The program quickly appeared in Europe, in violation of the
export laws of the time. This was followed by the appearance of PGP 2.6ui,
which was an “unofficial international” version that updated an older version
in a way that made it compatible with 2.6, for private or commercial use.
So, in 1993 and 1994, PGP was legitimized in both commercial and free-
ware versions, but in the meantime Zimmermann began to have legal trou-
bles with the U.S. government. Beginning in February 1993, Zimmermann
faced investigators from the U.S. Customs Department. They were concerned
about how PGP was exported. It seems that they were looking for someone
small to make an example of. It would be easier to gain a prosecution of
Zimmermann based on the export laws than to take on RSA Data Security
(whose RSAREF had been exported) or Netcom (whose FTP servers could be
used to download PGP from abroad).†
This wasn’t Zimmermann’s first brush with the law. He had been arrested
twice before at nuclear freeze rallies in the 1980s. No charges were ever filed,
though.‡ Ultimately, the export violation investigation ended the same way.
In 1996, the government closed the case without charges being pressed. Still,
it must have been a nerve-wracking experience, as he could have faced seri-
ous jail time if convicted.
PGP 3 was not a minor upgrade. It used a new algorithm for encryption,
CAST-128, and replaced the RSA component with a choice of DSA or Elgamal.
Also, for the first time, the program had a nice interface. All previous versions
were run from the command line. ViaCrypt was still producing commercial
versions. They used even numbers for their versions, while Zimmermann
used odd numbers for the free versions, but commercial Version 4 was ready
before free Version 3, so Zimmermann renamed the free version PGP 5, for
its May 1997 release.§
The commercial production of PGP software has changed hands several
times since 1997. Most recently, in 2010, Symantec Corp. bought PGP for $300
million.¶ The company would certainly be worth far less if the export laws
had not been changed in 2000. Thus, all versions of PGP became legal for
export. Was this a victory for privacy advocates? Zimmermann wrote:**
* Garfinkel, S., PGP: Pretty Good Privacy, O’Reilly & Associates, Sebastopol, CA, 1995, p. 108.
† Ibid., p. 112. The opinion concerning why Zimmermann was targeted is my own.
‡ Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
(http://www.computerworld.com/s/article/9176121/Symantec_buys_encryption_specialist_
PGP_for_300M).
** http://www.philzimmermann.com/EN/faq/index.html.
free ebooks ==> www.ebook777.com
Pretty Good Privacy 509
The law changed because the entire U.S. computer industry (which is the
largest, most powerful industry in the U.S.) was united in favor of lift-
ing the export controls. Money means political influence. After years of
fighting it, the government finally had to surrender. If the White House
had not lifted the export controls, the Congress and the Judicial system
were preparing to intervene to do it for them.
This is why the legislation originally planned for 2011 will fail if it is eventu-
ally brought forward. It may be declared a victory for civil libertarians, but it
will only be a victory because they have powerful allies in this battle.
There is much more that can be said about PGP. Back in Section 2.13 we
briefly digressed into data compression. This is relevant to PGP, which com-
presses files prior to encryption. Since compression reduces redundancy
and redundancy is of great value to the cryptanalyst, this step is well worth
the extra time it takes. It should also be pointed out that PGP isn’t just for
e-mail. It includes a feature allowing the user to apply conventional cryp-
tography (no RSA involved here) to compress and encipher files for storage.*
The user only needs to come up with a random passphrase to use as a key.
It’s personal. It’s private. And it’s no one’s business but yours. You may
be planning a political campaign, discussing your taxes, or having a
secret romance. Or you may be communicating with a political dissi-
dent in a repressive country. Whatever it is, you don’t want your private
electronic mail (email) or confidential documents read by anyone else.
There’s nothing wrong with asserting your privacy. Privacy is as apple-
pie as the Constitution.
The right to privacy is spread implicitly throughout the Bill of Rights.
But when the United States Constitution was framed, the Founding
Fathers saw no need to explicitly spell out the right to a private con-
versation. That would have been silly. Two hundred years ago, all
* Zimmermann, P.R., The Official PGP User’s Guide, MIT Press, Cambridge, MA, 1995, p. 18.
† Reproduced from http://web.mit.edu/prz/, Phil’s homepage.
www.ebook777.com
free ebooks ==> www.ebook777.com
510 Secret History: The Story of Cryptology
FIGURE 17.1
Philip Zimmermann (1954–).
www.ebook777.com
free ebooks ==> www.ebook777.com
512 Secret History: The Story of Cryptology
for a particular speaker’s voice. If the government doesn’t find the target
in the first 1 percent sample, the wiretaps can be shifted over to a differ-
ent 1 percent until the target is found, or until everyone’s phone line has
been checked for subversive traffic. The FBI said they need this capac-
ity to plan for the future. This plan sparked such outrage that it was
defeated in Congress. But the mere fact that the FBI even asked for these
broad powers is revealing of their agenda. Advances in technology will
not permit the maintenance of the status quo, as far as privacy is con-
cerned. The status quo is unstable. If we do nothing, new technologies
will give the government new automatic surveillance capabilities that
Stalin could never have dreamed of. The only way to hold the line on
privacy in the information age is strong cryptography.
You don’t have to distrust the government to want to use cryptography.
Your business can be wiretapped by business rivals, organized crime, or
foreign governments. Several foreign governments, for example, admit
to using their signals intelligence against companies from other coun-
tries to give their own corporations a competitive edge. Ironically, the
United States government’s restrictions on cryptography in the 1990s
have weakened U.S. corporate defenses against foreign intelligence and
organized crime.
The government knows what a pivotal role cryptography is destined
to play in the power relationship with its people. In April 1993, the
Clinton administration unveiled a bold new encryption policy initiative,
which had been under development at the National Security Agency
(NSA) since the start of the Bush administration. The centerpiece of this
initiative was a government-built encryption device, called the Clipper
chip, containing a new classified NSA encryption algorithm. The gov-
ernment tried to encourage private industry to design it into all their
secure communication products, such as secure phones, secure faxes,
and so on. AT&T put Clipper into its secure voice products. The catch:
At the time of manufacture, each Clipper chip is loaded with its own
unique key, and the government gets to keep a copy, placed in escrow.
Not to worry, though—the government promises that they will use these
keys to read your traffic only “when duly authorized by law.” Of course,
to make Clipper completely effective, the next logical step would be to
outlaw other forms of cryptography.
The government initially claimed that using Clipper would be vol-
untary, that no one would be forced to use it instead of other types
of cryptography. But the public reaction against the Clipper chip was
strong, stronger than the government anticipated. The computer indus-
try monolithically proclaimed its opposition to using Clipper. FBI direc-
tor Louis Freeh responded to a question in a press conference in 1994
by saying that if Clipper failed to gain public support, and FBI wire-
taps were shut out by non-government-controlled cryptography, his
office would have no choice but to seek legislative relief. Later, in the
aftermath of the Oklahoma City tragedy, Mr. Freeh testified before the
Senate Judiciary Committee that public availability of strong cryptog-
raphy must be curtailed by the government (although no one had sug-
gested that cryptography was used by the bombers).
free ebooks ==> www.ebook777.com
Pretty Good Privacy 513
The government has a track record that does not inspire confidence
that they will never abuse our civil liberties. The FBI’s COINTELPRO
program targeted groups that opposed government policies. They
spied on the antiwar movement and the civil rights movement. They
wiretapped the phone of Martin Luther King Jr. Nixon had his enemies
list. Then there was the Watergate mess. More recently, Congress has
either attempted to or succeeded in passing laws curtailing our civil lib-
erties on the Internet. Some elements of the Clinton White House col-
lected confidential FBI files on Republican civil servants, conceivably for
political exploitation. And some overzealous prosecutors have shown a
willingness to go to the ends of the Earth in pursuit of exposing sexual
indiscretions of political enemies. At no time in the past century has
public distrust of the government been so broadly distributed across the
political spectrum, as it is today.
Throughout the 1990s, I figured that if we want to resist this unsettling
trend in the government to outlaw cryptography, one measure we can
apply is to use cryptography as much as we can now while it’s still legal.
When use of strong cryptography becomes popular, it’s harder for the
government to criminalize it. Therefore, using PGP is good for preserv-
ing democracy. If privacy is outlawed, only outlaws will have privacy.
It appears that the deployment of PGP must have worked, along
with years of steady public outcry and industry pressure to relax the
export controls. In the closing months of 1999, the Clinton administra-
tion announced a radical shift in export policy for crypto technology.
They essentially threw out the whole export control regime. Now, we
are finally able to export strong cryptography, with no upper limits on
strength. It has been a long struggle, but we have finally won, at least
on the export control front in the US. Now we must continue with our
efforts to deploy strong crypto, to blunt the effects increasing surveil-
lance efforts on the Internet by various governments. And we still need
to entrench our right to use it domestically over the objections of the FBI.
PGP empowers people to take their privacy into their own hands.
There has been a growing social need for it. That’s why I wrote it.
Philip R. Zimmermann
Boulder, Colorado
June 1991 (updated 1999)
17.4 Impact of PGP
So what difference did exporting strong encryption make? Did it merely sup-
port terrorists, drug dealers, and pedophiles, as those favoring a government
monopoly on cryptology like to suggest? Messages sent to Zimmermann,
now posted on his website, show PGP to have benefited human rights activ-
ists in Guatemala and the Balkans and freedom fighters in Kosovo and
www.ebook777.com
free ebooks ==> www.ebook777.com
514 Secret History: The Story of Cryptology
17.5 Implementation Issues
Although the mathematics is beautifully simple, implementation issues
require much thought to keep the system secure. For example, the recipi-
ent’s private key must be available for deciphering but ought not be stored
on the computer, where it might become accessible to someone else. PGP
addresses this issue by enciphering the user’s private key before storing it
on the machine. A password must be entered to “unlock” the key. A func-
tion combines the password and the enciphered key to reveal, temporarily,
the private key for the program’s use. Now, of course, that password must be
carefully chosen.
Poor password selection can be illustrated with a few anecdotes. As an
undergraduate, I worked in a computer lab on campus. One day a girl came
in and asked how to change her password. Before I could answer, a coworker
responded, “Why? Did you break up with him?” She immediately blushed.
Her password was not well chosen.
The psychological approach was also applied by Richard Feynman at Los
Alamos during the Manhattan Project, when the secrets of the atomic bomb
warranted the highest level of protection. He turned to one of the safes that
stored those secrets and guessed that the combination might be set to an
important mathematical constant. He tried pi first, forward, backward, every
* http://www.philzimmermann.com/EN/letters/index.html.
† Levy, S., Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age,
Viking, New York, 2001, p. 289.
‡ http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
free ebooks ==> www.ebook777.com
Pretty Good Privacy 515
way he could imagine. It didn’t work, but e did. The combination was 27–18–
28, and Feynman soon found he could open all of the five safes with that
combination.*
A study of 43,713 hacked MySpace account passwords revealed the follow-
ing top 10 list, with their frequencies in parentheses.†
1. password1 (99)
2. iloveyou1 (52)
3. abc123 (47)
4. myspace1 (39)
5. fuckyou1 (31)
6. summer07 (29)
7. iloveyou2 (28)
8. qwerty1 (26)
9. football1 (25)
10. 123abc (22)
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
* Feynman, R., “Surely You’re Joking, Mr. Feynman!”, W.W. Norton, New York, 1985, pp. 147–151.
† A brief analysis of 40,000 leaked MySpace passwords is available online at http://www.
the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-
MySpace-passwords.html.
‡ Coursey, D., Study: hacking passwords easy as 123456, PCWorld, January 21, 2010 (http://
www.pcworld.com/businesscenter/article/187354/study_hacking_passwords_easy_as_
123456.html).
www.ebook777.com
free ebooks ==> www.ebook777.com
516 Secret History: The Story of Cryptology
* Zimmermann, P.R., The Official PGP User’s Guide, MIT Press, Cambridge, MA, 1995, p. 21.
† Ibid., p. 22.
free ebooks ==> www.ebook777.com
Pretty Good Privacy 517
Zimmermann, P.R., PGP Source Code and Internals, MIT Press, Cambridge, MA, 1995.
The export laws were strange. Although PGP couldn’t legally be exported as
software, the source code could. And, of course, source code can be scanned and
converted for use by a text editor; hence, this book. On another note, the experts
know that trying to keep an algorithm secret is a bad sign! Revealing the details,
if the software is any good, will ease concerns, not increase them.
Zimmermann, P.R., Home Page, http://www.philzimmermann.com/EN/back
ground/index.html.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
18
Stream Ciphers*
The tape machine depicted in Section 3.9 can be seen as the beginning of a
still ongoing area of cryptographic research—stream ciphers. Such systems
attempt to generate random numbers that can be combined with the mes-
sage in an approximation of the unbreakable one-time pad. The problem is
that machines cannot generate random numbers. Thus, we usually refer to
such numerical sequences as pseudorandom and the devices that create them
as pseudorandom number generators, or PRNGs for short.
It should be noted that a much earlier origin for stream ciphers is offered
by the autokey ciphers of the 16th century, as discussed in Section 3.5. In any
case, stream ciphers are especially important when we want to encipher and
decipher data in real time. Applications such as secure cellphone conversa-
tions and encrypted streaming video provide examples. In these cases, the
pseudorandom sequences consist of 0s and 1s that are usually generated bit by
bit or byte by byte. We begin with an early attempt using modular arithmetic.
18.1 Congruential Generators
One way to generate a pseudorandom sequence is with a linear congruential
generator (LCG):‡
Xn = (aXn–1 + b) (mod m)
(NSASAB). He’s quoted here from Salomon, D., Data Privacy and Security, Springer, New York,
2003, p. 97.
‡ Lehmer, D.H., Mathematical methods in large-scale computing units, in Proceedings of the
519
www.ebook777.com
free ebooks ==> www.ebook777.com
520 Secret History: The Story of Cryptology
X0 = 2
X1 = 3(2) + 5 = 11
X2 = 3(11) + 5 = 12 (mod 26)
X3 = 3(12) + 5 = 15 (mod 26)
X4 = 3(15) + 5 = 24 (mod 26)
X5 = 3(24) + 5 = 25 (mod 26)
X6 = 3(25) + 5 = 2 (mod 26)
At this point, we’re back at our starting value. The output will now con-
tinue, as before: 11, 12, 15, 24, 25, …. Clearly, this is not random! We get stuck
in a cycle of period 6. Still, if this could be modified to generate a cycle with
a much longer period, longer than any message we might want to encipher,
it seems like it could be a reasonable way to generate a key that could then be
paired with the message, one letter at a time, modulo 26.
Of course, the modern approach uses bits instead. This isn’t a problem,
as we could convert these values to bits and XOR them with our message
(also expressed in bits). However, the effect is the same as that of a binary
Vigenère cipher, since the values to be XORed repeat.
If we select the values of a, b, and m more carefully, we can cycle through
all values from 0 to m – 1, but we must then repeat the cycle, as in the example
above. If m is large enough, this might seem safe; for example, m may be
larger than the length of the message. Nevertheless, this technique is not
secure. Jim Reeds was the first to publicly break such ciphers in 1977. *
An obvious next step for the cryptographer is to try higher power congru-
ential generators, such as quadratics. Notice that each term still only depends
on the one that came before:
But these were broken by Joan B. Plumstead, along with cubic generators.† In
fact, as others showed, no matter what degree we try, such systems can be
broken!‡
* Reeds, J., Cracking a random number generator, Cryptologia, 1(1), 20–26, 1977. A later paper
on this topic is Plumstead, J.B., Inferring a sequence generated by a linear congruence, in
Proceedings of the 23rd IEEE Symposium on the Foundations of Computer Science, IEEE Computer
Society Press, Los Alamitos, CA, 1982, pp. 153–159.
† Boyar, J., Inferring sequences produced by pseudo-random number generators, Journal of the
ACM, 36(1), 129–141, 1989. Joan B. Plumstead’s later papers were published under the name
Joan Boyar.
‡ Lagarias, J.C. and Reeds, J., Unique extrapolation of polynomial recurrences, SIAM Journal on
b3 b2 b1
FIGURE 18.1
A small LFSR.
Guinier stayed linear but suggested up to 1024 LCGs be used, and com-
bined additively, to get an “astronomically” long period.* He was not the first
to consider using more than one, but he did take it to an extreme. Alas, com-
binations of LCGs, and other variations such as multiplying previous terms,
have failed to stand the test of time. At this point we move on to another
method for generating pseudorandom sequences.
This way each value depends on the two previous values (hence, degree 2)
and we can attain longer periods. Nothing is squared. We would, of course,
need two seed values, X0 and X1. The first number we generate would be X2.
This is the basic idea behind linear feedback shift registers (LFSRs). They are
very fast (in hardware) when working with bits modulo 2. We could indicate
modulo 2 by setting m = 2, but, as we’ve seen before, the convention is to
replace + with ⊕ to represent XOR, which is the same as addition modulo 2.
LFSRs are usually represented diagrammatically rather than algebraically
(Figure 18.1).
The figure is best explained with an example. We may seed the register
(the values of the bs) with the bits 101; that is, b3 = 1, b2 = 0, and b1 = 1. The
diagonal arrows indicate that we get our new bit by taking the XOR of b3
and b1, which is 1 ⊕ 1 = 0. This new bit, following the longest arrow, takes
the place of b3, but b3 doesn’t just vanish. Instead, it advances to the right to
* Guinier, D., A fast uniform “astronomical” random number generator, SIGSAC Review, 7(1),
1–13, 1989.
www.ebook777.com
free ebooks ==> www.ebook777.com
522 Secret History: The Story of Cryptology
take the place of b2, which in turn advances to the right to replace b1. With
nowhere left to go, b1 “falls off the edge” (indicated by the shortest arrow)
and is gone. These steps are then all repeated with the new values. Starting
with the seed, our register holds the following values, as we iterate:
101
010
001
100
110
111
011
101
which brings us back to the start. Notice that this register cycles through
seven different sets of values. We say that it has period 7. The rule depicted
diagrammatically may also be represented algebraically as
To use a LFSR as a stream cipher, we simply take the bits that shift through
the register. The LFSR above gives the stream 1010011 (which then repeats).
This is the third column in the list of register values given above. XORing
our plaintext with a string of only 7 bits, used repeatedly, is not a very secure
method of encryption! We’ll improve upon this, but what is to come will be
clearer if we start out slowly.
Observe that there’s a “bad seed” that is useless for cryptographic pur-
poses. If we start off with b3 = 0, b2 = 0, and b1 = 0, we’ll never get any nonzero
values, and XORing whatever positions we tap with the plaintext will have
no effect.
In general, the longest period possible for a LFSR with n elements is 2n – 1,
so our original example above was maximized in this respect. A different
(nonzero) seed will simply cycle through the same values beginning at a dif-
ferent point. We cannot get a longer period by XORing different bits, although
this can cause the states to be cycled through in a different order. So, if we
want a LFSR that generates a longer key, we must look at those with more ele-
ments, but more elements don’t guarantee that longer keys will result.
We can investigate whether or not a LFSR produces a maximal period by
examining a polynomial associated with the register. For example, for the
LFSR pictured in Figure 18.1, the polynomial is p(x) = x3 + x1 + 1. The powers
of x are taken to be the positions of the bits that are made use of in the XOR,
and + 1 is always tacked on to the end. This is called a tap polynomial or con-
nection polynomial.
free ebooks ==> www.ebook777.com
Stream Ciphers 523
We first see whether or not the tap polynomial can be factored (mod 2). If
it cannot, we say it is irreducible. In this case, if the polynomial is of degree n
the period must divide 2n – 1. We can check the polynomial above for reduc-
ibility modulo 2 by plugging in 0 and 1 to get
p(0) = 03 + 01 + 1 = 1 (mod 2)
p(1) = 13 + 12 + 1 = 3 = 1 (mod 2)
We then have the following result: A LFSR with a tap polynomial that is primi-
tive will have a maximal period. As an example of an LFSR with a long period,
we have bn+31 = bn+3 ⊕ bn for n = 1, 2, …. This LFSR requires a 31-bit seed, which
will then generate a sequence of bits with a period of 231 – 1 = 2,147,483,647.
www.ebook777.com
free ebooks ==> www.ebook777.com
524 Secret History: The Story of Cryptology
to have that possibility here. However, there are other mathematical options
open to us for attacking this system. We will assume that for a portion of
the ciphertext the corresponding plaintext is known (i.e., we have a crib).
From this, we easily obtain a portion of the key. Suppose this cribbed key is
10101100. We can see that the period is greater than or equal to 8, since there
is no repetition in the portion we recovered; therefore, the LFSR must have
at least four elements. Assuming it has exactly four elements, the LFSR must
be of the form
bn+4 = a3bn+3 ⊕ a2bn+2 ⊕ a1bn+1 ⊕ a0 bn
where each of the ai is either 0 or 1. The string of known key bits, 10101100,
labeled b1b2b3b4b5b6b7b8 for convenience, although they needn’t be from the
start of the message, tells us
From this system of equations, we may solve for the ai. This may be done
without the techniques of linear algebra, but for larger examples we would
really want to use matrices, so we’ll use one here. We have
1 0 1 0 a0 1
0 1 0 1 a1 1
=
1 0 1 1 a2 0
0 1 1 0 a3 0
0 1 1 1
1 1 1 0
1 1 1 1
1 0 1 0
So our solution is
a0 0 1 1 1 1 1
a 1 1 1 0 1 0
1 = =
a2 1 1 1 1 0 0
a 1 0 1 0 0 1
3
free ebooks ==> www.ebook777.com
Stream Ciphers 525
Thus, the equation for the LFSR appears to be bn+4 = bn+3 ⊕ bn. This equation
may then be used to generate all future key bits, as well as previous key bits,
if the crib occurred in a position other than the start of the message.
If the equation fails to yield meaningful text beyond the crib, we’d have
to consider a five-element LFSR, and if that doesn’t work out, then a six-ele-
ment LFSR, etc. However, we’d need more key bits to uniquely determine
the coefficients for anything beyond four elements. In general, we need 2n
bits of key for an n-element LFSR. As n grows, 2n quickly becomes tiny,
as a percentage, compared to the maximal period of 2n – 1 for the n-ele-
ment LFSR. So, although we needed a little over half of the repeating key
to uniquely solve the four-element LFSR, the period 231 – 1 = 2,147,483,647
LFSR defined by bn+31 = bn ⊕ bn+3 could be recovered from only 62 bits of
key, a tiny percentage of the whole (and less than 8 characters, since each
keyboard character translates to 8 bits). This is not an unreasonable crib!
As mentioned before, modern ciphers are expected to hold strong against
known-plaintext attacks, so the LFSRs described above are not useful for
cryptographic purposes. However, they are incorporated as components of
stronger systems.
www.ebook777.com
free ebooks ==> www.ebook777.com
526 Secret History: The Story of Cryptology
18 17 16 13 8 0
21 20 10 0
22 21 20 10 7 0
FIGURE 18.2
A5/1 stream cipher (http://en.wikipedia.org/wiki/Stream_cipher).
In defiance of Kerckhoffs’ law, the algorithm provided above was kept secret
while it was being placed in over 100 million cellphones. In compliance with
Kerckhoff’s law, the public learned it anyway! It was part of the Global System
for Mobile Communications (GSM) cellphone standard. Various attacks have
made it clear that the system is insecure. Details may be found in the papers in
the References and Further Reading list at the end of this chapter.
A5/2 made use of four LFSRs that advance in an irregular manner, like
those of A5/1. Although this might make A5/2 sound stronger than A5/1
(4 is bigger than 3, right?), it isn’t. It was purposely made weaker, intended
for use in certain countries, while Americans and Europeans used the
stronger A5/1. A5/2 was made public in August 1999, and before the month
ended Ian Goldberg, David A. Wagner, and Lucky Green broke it.*
18.5 RC4
One very popular stream cipher is RC4 (Rivest Cipher 4), designed by Ron
Rivest in 1987. Again, in denial of Kerckhoff’s laws, the details of this cipher
were kept secret and could only be obtained by signing a nondisclosure
* Goldberg, I., Wagner, D., and Green, L., The (Real-Time) Cryptanalysis of A5/2, paper presented
at the Rump Session of CRYPTO ’99 conference, Santa Barbara, CA, August 15–19, 1999.
free ebooks ==> www.ebook777.com
Stream Ciphers 527
agreement with RSA Data Security, Inc. In September 1994, however, the
source code was anonymously posted to the Cypherpunks mailing list.* The
cipher starts off with a list of all 8-bit numbers, in order. These bytes are
S0 = 00000000
S1 = 00000001
S2 = 00000010
S3 = 00000011
S4 = 00000100
S5 = 00000101
..
.
S255 = 11111111
j=0
for i = 0 to 255
j = (j + Si + Ki) (mod 256)
Swap Si and Sj
next i
After resetting the index variables i and j to 0, we’re ready to generate our
key stream for enciphering. The key, K, actually used for encryption is then
generated byte by byte using the following six lines, applied repeatedly:
i = (i + 1) (mod 256)
j = (j + Si) (mod 256)
Swap Si and Sj
* Schneier, B., Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996, p. 397.
www.ebook777.com
free ebooks ==> www.ebook777.com
528 Secret History: The Story of Cryptology
We apply the steps above to each byte, Mi, of the message, until they are all
enciphered.
RC4 is a simple cipher and easy to program. It also marks a departure from
the other methods discussed in this section. The exact period of RC4 is not
known, but analysis thus far indicates that it is very likely in excess of 10100.*
This lower bound is a familiar number. Mathematicians were referring to
10100 as a googol long before an Internet search engine appropriated the name
in a misspelled form.
RC4 is used in the Secure Socket Layer (SSL) and Wired Equivalent Privacy
(WEP). WEP is sometimes said to stand for White Elephant Protection,
because it is not secure, but this really has nothing to do with RC4. The flaw
is in the implementation.
WEP implements RC4 in a manner similar to how Enigma was used, as
described in Chapter 8. A 24-bit initialization vector (IV) placed at the front
of WEP ciphertexts helps to generate a session key.
When it comes time to fill the key bytes, these bits are used first. They are
then followed by a key that can be used many times, since the randomly
generated IV will result in the scrambled key differing each time. However,
given a sufficient depth of messages (just like the Poles needed to recover
the Enigma keys), these initialization vectors allow WEP to be broken.†
Other software packages that make use of RC4 include Microsoft®
Windows® and Lotus Notes®. RC4 is actually the most popular stream cipher
in software. This is especially impressive in light of the fact that it was cre-
ated way back in 1987.
You may come upon references to RC5 and RC6. Although these sound like
newer versions of the system described above, they are not. Both RC5 and
RC6 are block ciphers. The numbering simply indicates the order in which
Rivest developed these unrelated ciphers. It is analogous to the numbering
of Beethoven’s symphonies.
* http://www.rsa.com/rsalabs/node.asp?id=2250.
† For more details of this attack presented in a clear manner, see Stamp, M. and Low, R.M.,
Applied Cryptanalysis: Breaking Ciphers in the Real World, Wiley-Interscience, Hoboken, NJ,
2007, pp. 105–110.
free ebooks ==> www.ebook777.com
Stream Ciphers 529
On LFSRs
Barker, W.G., Cryptanalysis of Shift-Register Generated Stream Cipher Systems, Aegean
Park Press, Laguna Hills, CA, 1984.
Golomb, S., Shift Register Sequences, 2nd ed., Aegean Park Press, Laguna Hills, CA,
1982. Golomb worked for the National Security Agency. This edition is a reprint
of one from Holden-Day, San Francisco, CA, 1967.
www.ebook777.com
free ebooks ==> www.ebook777.com
530 Secret History: The Story of Cryptology
Goresky, M. and Klapper, A., Algebraic Shift Register Sequences, Cambridge University
Press, Cambridge, UK, 2012.
Selmer, E.S., Linear Recurrence Relations Over Finite Fields, mimeographed lecture
notes, 1966, Department of Mathematics, University of Bergen, Norway. Selmer
was the Norwegian government’s chief cryptographer.
Zierler, N., Linear recurring sequences, Journal of the Society for Industrial and Applied
Mathematics, 7(1), 31–48, 1959.
On A5/1
Barkan, E. and Biham, E., Conditional estimators: an effective attack on A5/1, in
Preneel, B. and Tavares, S., Eds., Selected Areas in Cryptography 2005, Springer,
Berlin, 2006, pp. 1–19.
Barkan, E., Biham, E., and Keller, N., Instant ciphertext-only cryptanalysis of GSM
encrypted communication, in Boneh, D., Ed., Advances in Cryptology: CRYPTO
2003 Proceedings, Lecture Notes in Computer Science, Vol. 2729, Springer, Berlin,
2003, pp. 600–616 (http://cryptome.org/gsm-crack-bbk.pdf).
Barkan, E., Biham, E., and Keller, N., Instant ciphertext-only cryptanalysis of GSM
encrypted communication, Journal of Cryptology, 21(3), 392–429, 2008. This
was published earlier as Technical Report CS-2006-07-2006, Computer Science
Department, Technion, Israel Institute of Technology (http://www.cs.technion.
ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf).
Biham, E. and Dunkelman, O., Cryptanalysis of the A5/1 GSM stream cipher, in Roy,
B.K. and Okamoto, E., Eds., Progress in Cryptology: INDOCRYPT 2000, Lecture
Notes in Computer Science, Vol. 2247, Springer, Berlin, 2001, pp. 43–51.
Biryukov, A., Shamir, A., and Wagner, D., Real time cryptanalysis of A5/1 on a PC, in
Schneier, B., Ed., Fast Software Encryption: FSE 2000, Lecture Notes in Computer
Science, Vol. 1978, Springer, Berlin, 2001, pp. 1–18 (http://cryptome.info/0001/
a51-bsw/a51-bsw.htm).
Ekdahl, P. and Johansson, T., Another attack on A5/1, IEEE Transactions on Information
Theory, 49(1), 284–289, 2003 (http://www.it.lth.se/patrik/papers/a5full.pdf).
Golic, J.D., Cryptanalysis of alleged A5 stream cipher, in Fumy, W., Ed., Advances in
Cryptology: EUROCRYPT ’97 Proceedings, Lecture Notes in Computer Science,
Vol. 1233, Springer, Berlin, 1997, pp. 239–255 (http://jya.com/a5-hack.htm).
Maximov, A., Johansson, T., and Babbage, S., An improved correlation attack on A5/1,
in Handschuh, H. and Hasan, M.A., Eds., Selected Areas in Cryptography 2004,
Lecture Notes in Computer Science, Vol. 3357, Springer, Berlin, 2004, pp. 1–18.
Stamp, M., Information Security: Principles and Practice, Wiley-Interscience, Hoboken,
NJ, 2006. Several GSM security flaws are detailed in this book.
On RC4
Arbaugh, W.A., Shankar, N., and Wan, Y.C., Your 802.11 wireless network has no
clothes, IEEE Wireless Communications, 9(6), 44–51, 2002. (The publication date
was given in this formal reference; the paper itself was dated March 30, 2001.)
free ebooks ==> www.ebook777.com
Stream Ciphers 531
Borisov, N., Goldberg, I., and Wagner, D., Security of the WEP Algorithm, ISAAC,
Computer Science Department, University of California Berkeley, http://www.
isaac.cs.berkeley.edu/isaac/wep-faq.html. This page contains a summary of
the findings of Brisov, Goldberg, and Wagner, as well as links to their paper and
slides from a pair of presentations.
Fluhrer, S., Mantin, I., and Shamir, A., Weaknesses in the key scheduling algorithm
of RC4, in Vaudenay, S. and Youssef, A.M., Eds., Selected Areas in Cryptography
2001, Lecture Notes in Computer Science, Vol. 2259, Springer, Berlin, 2002, pp.
1–24 (www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf).
Kundarewich, P.D., Wilton, S.J.E., and Hu, A.J., A CPLD-based RC4 cracking sys-
tem, in Proceedings of 1999 IEEE Canadian Conference on Electrical and Computer
Engineering, Edmonton, Alberta, Canada, May 9–12, 1999, pp. 397–401.
Mantin, I., Analysis of the Stream Cipher RC4, master’s thesis under the supervision
of Adi Shamir, Weizmann Institute of Science, New York, November 27, 2001
(http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html). This thesis is
sometimes referenced under the title “The Security of the Stream Cipher RC4.”
The website referenced contains other papers on RC4 and WEP.
Stubblefield, A., Ioannidis, J., and Rubin, A.D., Using the Fluhrer, Mantin and Shamir
attack to break WEP, Proceedings of the Network and Distributed System Security
System (NDSS 2002), San Diego, CA, February 6–8, 2002 (http://www.isoc.
org/isoc/conferences/ndss/02/papers/stubbl.pdf). Revision 2, dated August
21, 2001, can be found at http://taz.newffr.com/TAZ/Reseaux/Techniques_
Attaques/wireless/wep_attack.pdf.
Walker, J.R., IEEE P802.11 Wireless LANs, Unsafe at Any Key Size; An Analysis of the
WEP Encapsulation, IEEE Document 802.11-00/362, submitted October 27, 2000.
General
Cusick, T.W., Ding, C., and Renvall, A., Stream Ciphers and Number Theory, Rev. ed.,
North-Holland Mathematical Library Vol. 66, Elsevier, New York, 2004. The
original edition, published in 1998, was Vol. 55 of the same series.
Ritter, T., The efficient generation of cryptographic confusion sequences, Cryptologia,
15(2), 81–139, 1991. This survey paper includes a list of 213 references.
Robshaw, M.J..B., Stream Ciphers, Technical Report TR-701, Version 2.0, RSA
Laboratories, Bedford, MA, 1995.
Rubin, F., Computer methods for decrypting random stream ciphers, Cryptologia,
2(3), 215–231, 1978.
Rueppel, R.A., Analysis and Design of Stream Ciphers, Springer, New York, 1986.
van der Lubbe, J., Basic Methods of Cryptography, Cambridge University Press,
Cambridge, UK, 1998.
www.ebook777.com
free ebooks ==> www.ebook777.com
free ebooks ==> www.ebook777.com
19
Suite B All-Stars*
In 2005, the National Security Agency (NSA) made public a list of recom-
mended cryptographic algorithms and protocols. Known as “Suite B,” these
are believed to be the best of the unclassified schemes. Two of these are cov-
ered in this chapter.
The long history should not be surprising, since, as Koblitz pointed out,
“Elliptic curves are the simplest type of curve that is more complicated than
a conic section.”¶ It’s just a small step from degree 2 to 3.
Society Lecture Note Series, Vol. 265, Cambridge University Press, Cambridge, UK, 1999, p. 9.
‡ Other “big names” who studied elliptic curves include Abel, Jacobi, Gauss, and Legendre.
§ Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 313.
¶ Ibid., p. 303.
533
www.ebook777.com
free ebooks ==> www.ebook777.com
534 Secret History: The Story of Cryptology
—Karl Weierstrass†
FIGURE 19.3
Elliptic curves do not resemble ellipses. Karl Weierstrass (1815–1897) (http://
The name arises from their connection en.wikipedia.org/wiki/File:Karl_
with elliptic integrals, which arose in the Weierstrass.jpg).
* Another simplification involves not using fields of characteristic 2 or 3. The interested reader
may consult the references for the reasons for these simplifications. These simplifications are
just that. We may proceed, with greater difficulty, without them.
† Quoted here from Bell, E.T., Men of Mathematics, Dover Publications, New York, 1937, p. 432.
free ebooks ==> www.ebook777.com
Suite B All-Stars 535
7 7
–7 7 –7 7
–7 –7
y2 = x3 – 4x = (x)(x – 2)(x + 2) y2 = x3 + 5
FIGURE 19.4
Examples of elliptic curves.
and
d
x dx
∫ x + ax + b
3
c
www.ebook777.com
free ebooks ==> www.ebook777.com
536 Secret History: The Story of Cryptology
P2
P1
–7 7
P3
–7
FIGURE 19.5
Elliptic curve point addition.
The addition can be carried out algebraically as follows. P1 = (x1, y1) and
P2 = (x2, y2) implies P1 + P2 = (m2 – x1 – x2, m(2x1 – (m2 – x2)) – y1), where
m = ( y 2 – y1 ) ( x2 – x1 ) , if P1 ≠ P2
and
m = ( 3 x12 + a ) 2 y i , if P1 = P2
By plugging in the values 0, 1, 2, 3, 4, 5, and 6 for x and seeing which are per-
fect squares modulo 7, we’re able to quickly get the complete set of solutions:
(0, 4), (0, 5), (1, 1), (1, 6), (2, 2), (2, 5), (5, 2), (5, 5), (6, 0), ∞
There is no point on the curve with an x value of 3, for example, since that
would imply y2 = 2 (mod 7) for some y value in the set {0, 1, 2, 3, 4, 5, 6 } and
this is not true.
free ebooks ==> www.ebook777.com
Suite B All-Stars 537
Notice that with the exception of 0, every perfect square that results from
plugging in a value for x leads to two values for y.
It’s interesting to note that if we are looking for points (x, y) on an elliptic
curve such that x and y are both rational numbers, the number of solutions
may be infinite or finite, but if there are only finitely many, there will be no
more than 16. On the other hand, we’re able to get arbitrarily large, yet still
finite, solution sets by working modulo a prime.
So, how many points will satisfy a given elliptic curve modulo p? If we
plug in the values, 0, 1, 2, …, p – 1, we can expect to get a value that is
a square root modulo p (and hence, a point on the curve) about half the
time. This is because of a result from number theory that tells us half of
the nonzero integers are perfect squares modulo a prime. But, each square
root, other than 0, will have two answers, so there should be about p points.
Adding in the point ∞, we are now up to p + 1 points, but we don’t always get
this exact value. Letting the correct value be denoted by N, our error will be
|N – (p + 1)|. German mathematician Helmut Hasse found a bound on this
error around 1930. He showed
N − ( p + 1) ≤ 2 p
For example, with p = 101, our estimate suggests 102 points, and Hasse’s theo-
rem guarantees the actual number is between 102 − 2 101 and 102 + 2 101 ;
that is, rounding to the appropriate integer, it is between 82 and 122.
We’re now ready to show how elliptic curves can be used to agree on a key
over an insecure channel. This is the elliptic curve cryptography (ECC) version
of Diffie–Hellman key exchange. Normally, Alice and Bob would appear at
this point, but Neal Koblitz recalled:*
As a tribute to Koblitz, the key exchange will be carried out by Aïda and
Bernardo as follows:
1. Aïda and Bernardo agree on an elliptic curve E (mod p), for some
prime p.
2. They agree on a point B on their curve E (this is also done publicly).
* Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 321.
www.ebook777.com
free ebooks ==> www.ebook777.com
538 Secret History: The Story of Cryptology
3. Aïda selects a random (secret) integer a and computes aB, which she
sends to Bernardo.
4. Bernardo selects a random (secret) integer b and computes bB, which
he sends to Aïda.
5. Both Aïda and Bernardo are now able to compute abB, the x coordi-
nate of which can be adapted to serve as their secret key for a sym-
metric system.
When we do this, we subtract 1 from the number we are reducing. Now that
we are down to 42, we halve it again, by placing a 2 in our representation.
We get
2(P + 2
2(P + 2(P +
* This example was taken from Koblitz, N., A Course in Number Theory and Cryptography, 2nd
ed., Springer, New York, 1994, p. 178. The example also appears on p. 162 of the first edition,
but a pair of typos present in that edition obscure this simple technique.
free ebooks ==> www.ebook777.com
Suite B All-Stars 539
Subtracting 1 from 21, we get 20, which can be halved twice, so we append
a pair of 2s:
2(P + 2(P + 2(2
We are finally down to 1, so we end with a P, and close off all of the
parentheses:
2(P + 2(P + 2(2(P + 2(2P)))))
Once the message has been converted to points on the curve, we’re ready to
begin the enciphering.
* Dimitrov, V.S., Jarvinen, K., Jacobson, M.J., Chan, W., and Huang, Z. Provably sublinear point
multiplication on Koblitz curves and its hardware implementation, IEEE Transactions on
Computers, 57(11), 1469–1481, 2008.
† However, there are probabilistic algorithms that may be applied to make the chance of failure
arbitrarily small, and a theorem from Section 15.5 leads me to believe that a deterministic
algorithm in polynomial time does exist.
www.ebook777.com
free ebooks ==> www.ebook777.com
540 Secret History: The Story of Cryptology
1.
Doubling—Because multiplying a point by 2 is the same as adding
it to itself, we use the formula (adapted from what was given here
earlier):
B + 2B = (8, 21) + (14, 14) = (m2 – x1 – x2, m(2x1 – (m2 – x2)) – y1)
Aditsan now reveals his public key as follows. The elliptic curve y2 = x3 –
2x + 3 (mod 29) and the points B = (8, 21) and sB = (14, 15). He keeps s secret.
Recall that for larger values knowing B and sB does not allow us to efficiently
find s.
Seeing that Aditsan has posted his public key, Bisahalani prepares his
message. He does this by converting it to an x value, adding bits at the end,
to guarantee that x3 – 2x + 3 will be a perfect square modulo 29. To make
things simpler, for illustrative purposes, we’ll just assume his message is
represented as 12. He ends up with the point on the curve M = (12, 5). He
then selects a random number k = 5 and computes
free ebooks ==> www.ebook777.com
Suite B All-Stars 541
Since we’ve already shown how such calculations are carried out, the work
is omitted this time.* Upon receiving Bisahalani’s two-part message, Aditsan
computes
s(kB) = 3(14, 15) = (8, 8)
followed by
[M + k(sB)] – a(kB) = (15, 19) – (8, 8)
Now, this is something new. How is subtraction carried out? Very simply!
The point –(8, 8) is just a reflection. We have –(8, 8) = (8, –8). Picturing the
curve may help you to see this. So we have (15, 19) – (8, 8) = (15, 19) + (8, –8) =
(15, 19) + (8, 21) (mod 29). Performing this last addition gives (12, 5) = M, and
so Aditsan has now recovered the original message.
There is also an ECC analog for Elgamal signatures.
www.ebook777.com
free ebooks ==> www.ebook777.com
542 Secret History: The Story of Cryptology
The Suite B block cipher, AES, is detailed later in this chapter. ECC earned
NSA’s endorsement by standing the test of time and massive peer review:¶
[E]xcept for a relatively small set of elliptic curves that are easy to avoid,
even at present—more than twenty years after the invention of ECC—no
algorithm is known that finds discrete logs in fewer than 10n/2 opera-
tions, where n is the number of decimal digits in the size of the elliptic
curve group.
Neal Koblitz’s political convictions have also stood the test of time.
Whereas many activist burn out, Koblitz’s autobiography shows him sus-
taining his radicalism for decades on end. He’s been arrested several times,
including during his first year teaching at Harvard, but he never worried
about it affecting his employment:**
I had read about the history of mathematics and was aware of the long
tradition of tolerance of eccentricity and political dissidence among
mathematicians.
In June 1997, Koblitz learned that the official RSA website put up a page filled
with skeptical remarks about ECC. This was part of the American company’s
aggressive approach and it included a comment from RSA co-creator Ron
Rivest:††
But the security of a cryptosystem based on elliptic curves is not well
understood, due in large part to the abstruse nature of elliptic curves.
Few cryptographers understand elliptic curves, so…trying to get an
evaluation of the security of an elliptic curve cryptosystem is a bit like
trying to get an evaluation of some recently discovered Chaldean poetry.
* Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 314.
† Ibid., p. 319.
‡ NSA/CSS, NSA Suite B Cryptography, National Security Agency/Central Security Service,
Koblitz’s reaction, after asking his wife who the Chaldeans were,* was not
to post a webpage bashing RSA, but rather to have shirts made featuring an
elliptic curve and the text “I Love Chaldean Poetry.” He reports that they
were a hit with the students, with the exception of those hoping to intern at
RSA.†
When Weierstrass said that a mathematician could not be perfect without
being something of a poet, it is doubtful that he had Chaldean poetry in
mind! It’s more likely that he was referring to the poet’s creativity and sense
of beauty. Victor Miller has engaged his artistic side as an actor/singer in
17 community theater productions.‡ He’s also sung in many choirs and was
one of the winners of a vocal competition at Westminster Conservatory in
2003.
For many years, Miller bred and exhibited pedigreed cats. He was a former
president of a national breed club, and bred the U.S. national best of breed
Colorpoint Shorthair in 1997. Miller himself is a rare breed, being one of the
few mathematicians to have a Bacon number. Not strictly limited to commu-
nity theater, he appeared as an extra in A Beautiful Mind, which featured Ed
Harris, who starred in Apollo 13 with Kevin Bacon. Hence, two links connect
Miller to Bacon. This connection game began long before Bacon, as math-
ematicians tried to find their shortest path to Paul Erdös, a number theorist
with over 1500 papers and over 500 coauthors. Miller’s Erdös number is also
two. Successful at all of these outside pursuits, Miller once faced an unfair
rejection in his professional life:§
* His wife knows some mathematics, as well, and has authored a biography of Sofia
Kovalevskaia: Koblitz, A.H., A Convergence of Lives—Sofia Kovalevskaia: Scientist, Writer,
Revolutionary, Rutgers University Press, New Brunswick, NJ, 1983.
† Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 314.
‡ Theater is a passion Miller shares with his daughter, who is, as of this writing, a professional
www.ebook777.com
free ebooks ==> www.ebook777.com
544 Secret History: The Story of Cryptology
speeds continued to increase rapidly, the problem only got worse. Finally, in
January 1997, another competition was sponsored by the National Institute
of Standards and Technology (NIST). The winner would be declared the
Advanced Encryption Standard, or AES for short. Unlike the first time
around, in 1997 a large worldwide community of mathematicians and com-
puter scientists was carrying out cryptographic research in the open. It was
this community that would be responsible for analyzing the security of the
submitted systems. Cryptanalysts could submit their findings to NIST’s
AES website or present them at AES conferences.
Acceptance of submissions ended on May 15, 1998. The 15 accepted submis-
sions were presented at the First Advanced Encryption Standard Candidate
Conference in Ventura, CA, August 20–22, 1998.* The second conference was
held in Rome, Italy, March 22–23, 1999. Five candidates were eliminated at (or
prior to) this conference due to various kinds of security problems that were
identified.
From the remaining 10 candidates, the finalists, announced by NIST a year
later in August 1999, were
* All 15 are listed in Daemen, J. and Rijmen, V., The Design of Rijndael: AES—The Advanced
Encryption Standard, Springer, New York, 2002, p. 3.
† John Kelsey and Bruce Schneier examined this system in a paper that bore the wonderful title
the first round of the development of the Advanced Encryption Standard, Journal of Research
of the National Institute of Standards and Technology, 104(5), 435–459, 1999 (http://nvlpubs.nist.
gov/nistpubs/jres/104/5/j45nec.pdf).
free ebooks ==> www.ebook777.com
Suite B All-Stars 545
FIGURE 19.6
Joan Daemen (1965–) and Vincent Rijmen (1970–). (Courtesy of Vincent Rijmen, 2009.)
provided online once more.* The name Rijndael is a combination of the last
names of the Belgians who collaborated on its design, Vincent Rijmen and
Joan Daemen (Figure 19.6). Various pronunciations have been offered. Many
Americans pronounce it Rhine–Doll. At one point, the creators had a link on
their website for those wishing to hear the authoritative pronunciation, and
the recording said, “The correct pronunciation is…AES.”
The algorithm is royalty free. This was required of all submissions to
NIST, should the algorithm be declared the winner. This fact, combined
with endorsement by NIST and the worldwide community of cryptogra-
phers, prompted Ron Rivest to remark, somewhat obviously, “It is likely
that Rijndael will soon become the most widely used cryptosystem in the
world.Ӡ
AES offers a choice of key sizes (128, 192, or 256 bits), but always acts on
blocks of 128 bits (16 characters). The number of rounds depends on the key
size. The different key sizes are often distinguished by referring to AES-
128 (10 rounds), AES-192 (12 rounds), or AES-256 (14 rounds). Like DES,
AES is derived from earlier systems. Unlike, DES a large safety margin
was built into AES. The only attacks the creators could find that were better
than brute force apply only to six or fewer rounds (for the 128-bit version).‡
To help drive home the size of 2128 we look at it written out:
340,282,366,920,938,463,463,374,607,431,768,211,456.
* Nechvatal, J., Barker, E., Bassham, L., Burr, W., Dworkin, M., Foti, J., and Roback, E., Report
on the Development of the Advanced Encryption Standard (AES), National Institute of Standards
and Technology, Washington, DC, 2000, 116 pp. (http://csrc.nist.gov/archive/aes/round2/
r2report.pdf).
† Daemen, J. and Rijmen, V., The Design of Rijndael, Springer, Berlin, 2002, p. vi. Although it was
behind the scenes, NSA also examined AES on NIST’s behalf. They didn’t want NIST to be
surprised if there was some flaw the open community couldn’t find.
‡ Ibid., p. 41.
www.ebook777.com
free ebooks ==> www.ebook777.com
546 Secret History: The Story of Cryptology
AES is basically composed of four simple and fast operations that act on
a 4 × 4 array of bytes, referred to as “the state.” Each of the operations is
detailed below.
19.3.1 SubBytes
As the name suggests, this operation makes substitutions for the bytes
using the table below. It can be illustrated like the S-boxes of DES and is
even known as the Rijndael S-box, but there is only one (along with its
inverse) and there are other ways to represent it. Below is Rijndael’s S-box:*
99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118
202 130 201 125 250 89 71 240 173 212 162 175 156 164 114 192
183 253 147 38 54 63 247 204 52 165 229 241 113 216 49 21
4 199 35 195 24 150 5 154 7 18 128 226 235 39 178 117
9 131 44 26 27 110 90 160 82 59 214 179 41 227 47 132
83 209 0 237 32 252 177 91 106 203 190 57 74 76 88 207
208 239 170 251 67 77 51 133 69 249 2 127 80 60 159 168
81 163 64 143 146 157 56 245 188 182 218 33 16 255 243 210
205 12 19 236 95 151 68 23 196 167 126 61 100 93 25 115
96 129 79 220 34 42 144 136 70 238 184 29 222 94 11 219
224 50 58 10 73 6 36 92 194 211 172 98 145 149 228 121
231 200 55 109 141 213 78 169 108 86 244 234 101 122 174 8
186 120 37 46 28 166 180 198 232 221 116 31 75 189 139 138
112 62 181 102 72 3 246 14 97 53 87 185 134 193 29 158
225 248 152 17 105 217 142 148 155 30 135 233 206 85 40 223
140 161 137 13 191 230 66 104 65 153 45 15 176 84 187 22
This table is meant to be read from left to right and from top to bottom,
like normal English text. Thus, in base 10, 0 goes to 99, 1 goes to 124, …, 255
goes to 22. These numbers are only expressed in base 10 for convenience
(and familiarity). In base 2, each is a byte. These 8 bits may be viewed as
the coefficients of a polynomial of degree at most 7. Viewed in this manner,
the table above has a much more terse representation. It simply sends each
polynomial to its inverse modulo x8 + x4 + x3 + x + 1, followed by the affine
transformation
* This substitution box is usually presented in hexadecimal. For this book, I thought base 10
would be clearer. Finding such a table in Trappe, W. and Washington, L.C., Introduction to
Cryptography with Coding Theory, Prentice Hall, Upper Saddle River, NJ, 2002, saved me the trou-
ble of conversion. This is one of the most clearly written books covering modern cryptography.
free ebooks ==> www.ebook777.com
Suite B All-Stars 547
⎛1 1 1 1 1 0 0 0⎞ ⎛ a 7 ⎞ ⎛ 0 ⎞
⎜0 1 1 1 1 1 0 0⎟ ⎜ a6 ⎟ ⎜ 1⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜0 0 1 1 1 1 1 0 ⎟ ⎜ a5 ⎟ ⎜ 1 ⎟
⎜0 0 0 1 1 1 1 1⎟ ⎜ a4 ⎟ ⎜ 0⎟
⎜ ⎟ × ⎜ ⎟ ⊕⎜ ⎟
⎜1 0 0 0 1 1 1 1⎟ ⎜ a3 ⎟ ⎜ 0⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜1 1 0 0 0 1 1 1⎟ ⎜ a2 ⎟ ⎜ 0⎟
⎜1 1 1 0 0 0 1 1⎟ ⎜ a1 ⎟ ⎜ 1⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎝1 1 1 1 0 0 0 1⎠ ⎝ a0 ⎠ ⎝ 1⎠
Example 1
The Rijndael S-box sends 53 to 150. We verify that the alternative method
does the same. Converting 53 to binary we get 00110101, which has the poly-
nomial representation
x 5 + x4 + x 2 + 1
The final remainder of 1 shows that the two polynomials are relatively prime,
a necessary condition for the inverse of one to exist modulo the other.
We now solve for the remainder in each of the two equalities above:
Using the first equality to substitute for (x3 + x2 + 1) in the second gives
1 = ( x 5 + x 4 + x 2 + 1) – ( x 2 ) ( x 8 + x 4 + x 3 + x + 1) – ( x 3 + x 2 + x ) ( x 5 + x 4 + x 2 + 1)
1 = ( x 5 + x 4 + x 2 + 1) – ( x 2 ) ( x 8 + x 4 + x 3 + x + 1) + ( x 5 + x 4 + x 3 ) ( x 5 + x 4 + x 2 + 1)
www.ebook777.com
free ebooks ==> www.ebook777.com
548 Secret History: The Story of Cryptology
1 = – ( x 2 ) ( x 8 + x 4 + x 3 + x + 1) + ( x 5 + x 4 + x 3 + 1) ( x 5 + x 4 + x 2 + 1)
1 = ( x 5 + x 4 + x 3 + 1) ( x 5 + x 4 + x 2 + 1)
⎛1 1 1 1 1 0 0 0⎞ ⎛ a 7 ⎞ ⎛ 0 ⎞
⎜0 1 1 1 1 1 0 0⎟ ⎜ a6 ⎟ ⎜ 1⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜0 0 1 1 1 1 1 0 ⎟ ⎜ a5 ⎟ ⎜ 1 ⎟
⎜0 0 0 1 1 1 1 1⎟ ⎜ a4 ⎟ ⎜ 0⎟
⎜ ⎟ × ⎜ ⎟ ⊕⎜ ⎟
⎜1 0 0 0 1 1 1 1⎟ ⎜ a3 ⎟ ⎜ 0⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜1 1 0 0 0 1 1 1⎟ ⎜ a2 ⎟ ⎜ 0⎟
⎜1 1 1 0 0 0 1 1⎟ ⎜ a1 ⎟ ⎜ 1⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎝1 1 1 1 0 0 0 1⎠ ⎝ a0 ⎠ ⎝ 1⎠
to get
⎛1 1 1 1 1 0 0 0 ⎞ ⎛ 0 ⎞ ⎛ 0 ⎞ ⎛ 1 ⎞ ⎛ 0 ⎞ ⎛ 1⎞
⎜0 1 1 1 1 1 0 0 ⎟ ⎜ 0 ⎟ ⎜ 1⎟ ⎜ 1 ⎟ ⎜ 1⎟ ⎜ 0 ⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜0 0 1 1 1 1 1 0 ⎟ ⎜ 1 ⎟ ⎜ 1⎟ ⎜ 1 ⎟ ⎜ 1⎟ ⎜ 0 ⎟
⎜0 0 0 1 1 1 1 1⎟ ⎜ 1⎟⎟ ⎜⎜ 0⎟⎟ ⎜⎜ 1⎟⎟ ⎜⎜ 0⎟⎟ ⎜⎜ 1⎟⎟
⎜ ⎟ ×⎜ ⊕ = ⊕ =
⎜1 0 0 0 1 1 1 1⎟ ⎜ 1⎟ ⎜ 0⎟ ⎜ 0⎟ ⎜ 0⎟ ⎜ 0⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜1 1 0 0 0 1 1 1⎟ ⎜ 0⎟ ⎜ 0⎟ ⎜ 1⎟ ⎜ 0⎟ ⎜ 1⎟
⎜1 1 1 0 0 0 1 1⎟ ⎜ 0⎟ ⎜ 1⎟ ⎜ 0⎟ ⎜ 1⎟ ⎜ 1⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎝1 1 1 1 0 0 0 1⎠ ⎝ 1⎠ ⎝ 1⎠ ⎝ 1⎠ ⎝ 1⎠ ⎝ 0⎠
Converting the output, 10010110, to base 10 gives 150, which matches what
our table provides.
To invert the affine transformation, we must perform the XOR first and fol-
low it by multiplication with the inverse of the 8 × 8 matrix above. We then
have
free ebooks ==> www.ebook777.com
Suite B All-Stars 549
⎛0 1 0 1 0 0 1 0⎞ ⎛ ⎛ a 7 ⎞ ⎛ 0 ⎞ ⎞
⎜0 0 1 0 1 0 0 1⎟ ⎜ ⎜ a6 ⎟ ⎜ 1⎟ ⎟
⎜ ⎟ ⎜⎜ ⎟ ⎜ ⎟⎟
⎜1 0 0 1 0 1 0 0 ⎟ ⎜ ⎜ a 5 ⎟ ⎜ 1⎟ ⎟
⎜0 ⎜ ⎟
1 0 0 1 0 1 0⎟ ⎜ ⎜ a 4 ⎟ ⎜ 0 ⎟ ⎟
⎜ ⎟ × ⎜ ⎟ ⊕⎜ ⎟
⎜0 0 1 0 0 1 0 1⎟ ⎜ ⎜ a3 ⎟ ⎜ 0 ⎟ ⎟
⎜ ⎟ ⎜⎜ ⎟ ⎜ ⎟⎟
⎜1 0 0 1 0 0 1 0 ⎟ ⎜ ⎜ a2 ⎟ ⎜ 0 ⎟ ⎟
⎜0 1 0 0 1 0 0 1⎟ ⎜ ⎜ a1 ⎟ ⎜ 1⎟ ⎟
⎜ ⎟ ⎜⎜ ⎟ ⎜ ⎟⎟
⎝1 0 1 0 0 1 0 0⎠ ⎜⎝ ⎝ a ⎠ ⎝ 1⎠ ⎟⎠
0
⎛0 1 0 1 0 0 1 0⎞ ⎛ a7 ⎞ ⎛ 0⎞
⎜0 0 1 0 1 0 0 1⎟ ⎜ a6 ⎟ ⎜ 0⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜1 0 0 1 0 1 0 0 ⎟ ⎜ a5 ⎟ ⎜ 0 ⎟
⎜0 1 0 0 1 0 1 0⎟ ⎜ a4 ⎟ ⎜ 0⎟
⎜ ⎟ ×⎜ ⎟ ⊕⎜ ⎟
⎜0 0 1 0 0 1 0 1⎟ ⎜ a 3 ⎟ ⎜ 0 ⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎜1 0 0 1 0 0 1 0 ⎟ ⎜ a2 ⎟ ⎜ 1 ⎟
⎜0 1 0 0 1 0 0 1⎟ ⎜ a1 ⎟ ⎜ 0⎟
⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎝1 0 1 0 0 1 0 0 ⎠ ⎝ a0 ⎠ ⎝ 1 ⎠
The polynomial m(x) (“11B”) for the multiplication in GF(28) is the first
one of the list of irreducible polynomials of degree 8, given in [LiNi86,
p. 378].
* Daemen, J. and Rijmen, V., AES Proposal: Rijndael, Document version 2, Date: 03/09/99, p. 25.
Thanks to Bill Stallings for providing this reference!
www.ebook777.com
free ebooks ==> www.ebook777.com
550 Secret History: The Story of Cryptology
TABLE 19.1
ShiftRows
Before After Change
a0,0 a0,1 a0,2 a0,3 → a0,0 a0,1 a0,2 a0,3 No change
a1,0 a1,1 a1,2 a1,3 → a1,1 a1,2 a1,3 a1,0 One-byte left shift
a2,0 a2,1 a2,2 a2,3 → a2,2 a2,3 a2,0 a2,1 Two-byte left shift
a3,0 a3,1 a3,2 a3,3 → a3,3 a3,0 a3,1 a3,2 Three-byte left shift
19.3.2 ShiftRows
In this step, the first row is left unchanged, but the second, third, and fourth
rows have their bytes shifted left by one, two, and three bytes respectively.
The shifts are all cyclical. Denoting each byte as ai,j for some 0 ≤ i, j ≤ 3, we
get the results shown Table 19.1 to represent the ShiftRows operation. The
inverse of this step is a cyclic right shift of the rows by the same amounts.
19.3.3 MixColumns
In this step, each column of the state is viewed as a polynomial of degree 3 or
less. For example, the following column
a0
a
1
a2
a
3
is viewed as a(x) = a3x3 + a2x2 + a1x + a0. However, the coefficients, a3, a2, a1, and
a0, are all bytes. That is, the coefficients themselves form polynomials that may
be added or multiplied modulo the irreducible polynomial x8 + x4 + x3 + x + 1
from the SubBytes step.
In the MixColumns step, each column, expressed as a polynomial, is mul-
tiplied by the polynomial c(x) = 3x3 + x2 + x + 2. It is then reduced modulo
x4 + 1, so that it may still be expressed as a column (i.e., a polynomial of
degree 3 or smaller).
Working modulo x4 + 1 is a bit different than modulo x8 + x4 + x3 + x + 1.
First of all, x4 + 1 is reducible! So a randomly chosen c(x) need not be invertible.
For this reason, c(x) had to be chosen carefully, but how was x4 + 1 chosen? It
was picked so that products could be easily reduced. Moding out by x4 + 1 is
the same as defining x4 = –1, but –1 = 1 (mod 2), so we have x4 = 1. This allows
us to very easily reduce powers of x. We have x 5 = x, x6 = x 2, x 7 = x 3, and
x 8 = x 0 = 1. In general, x n = x n (mod 4). Thus,
free ebooks ==> www.ebook777.com
Suite B All-Stars 551
2 3 1 1 a0
1 2 3 1 a1
×
1 1 2 3 a2
3 1 1 2 a3
This needs to be applied to every column. The multiplication is done for each
pair of bytes modulo x8 + x4 + x3 + x + 1.
However, because the matrix consists only of 1, 2, and 3, which correspond
to the polynomials, 1, x, and x + 1, respectively, the byte multiplication is
especially simply. Multiplying a byte by 1 modulo x8 + x4 + x3 + x + 1 changes
nothing. Multiplying by x amounts to a left shift of all of the bits. Multiplying
by x + 1 is just the shift described for x, followed by an XOR with the original
value. We need to be careful with the left shifts, though! If the leftmost bit
was already a 1, it will be shifted out and we must then XOR our result with
00011011 to compensate. This is because the x7 bit was shifted to x8, which
cannot be represented by bits 0 through 7, but we have x8 = x4 + x3 + x + 1
(mod x8 + x4 + x3 + x + 1), so the representation for x4 + x3 + x + 1 will serve.
For deciphering, one must use the inverse of c(x) modulo x4 + 1. This is
given by d(x) = 11x3 + 13x2 + 9x + 14.
www.ebook777.com
free ebooks ==> www.ebook777.com
552 Secret History: The Story of Cryptology
19.3.4 AddRoundKey
Finally, we involve the key! This is simply an XOR (self-inverse) of each byte
of the state with a byte of the key for the relevant round. Each round uses a
distinct key derived from the original key. This is done as follows.
First, the original key is taken 32 bits at a time and placed at the beginning
of what will become the “expanded key.” This expanded key will eventually
be divided into equal size pieces to provide the round keys, in order. For
AES-128, the original key will serve to initialize the expanded key blocks k0,
k1, k2, k3. For AES-196, k4 and k5 will also be filled at this point; for AES‑256,
k6 and k7 will be filled. Then, more 32-bit blocks are defined recursively. The
formulas for each of the three key sizes follow. They all involve a function, f,
which will be detailed shortly.
For 128-bit keys:
ki = ki–4 ⊕ ki–1, if i ≠ 0 (mod 4)
ki = ki–4 ⊕ f(ki–1), if i = 0 (mod 4)
For 196-bit keys:
ki = ki–6 ⊕ ki–1, if i ≠ 0 (mod 6)
ki = ki–6 ⊕ f(ki–1), if i = 0 (mod 6)
where f consists of a circular left shift of 1 byte for the input, followed by a
substitution using Rijndael’s S-box, for each byte, and finally an XOR of this
result with the appropriate round constant, RC (to be discussed).
The 256-bit case uses f but also requires us to introduce a second function,
f 2.
For 256-bit keys:
ki = ki–8 ⊕ ki–1, if i ≠ 0 (mod 8) and i ≠ 4 (mod 8)
ki = ki–8 ⊕ f(ki–1), if i = 0 (mod 8)
ki = ki–8 ⊕ f2(ki–1), if i = 4 (mod 8)
The case of f2 is simpler than f, as it only makes use of the S-box. The shift
and XOR are omitted.
The round constants are defined as follows (for any size key):
RC1 = x0
RC2 = x1
RCi = xRCi–1 = xi–1, for i > 2
RC1 = 00000001
RC2 = 00000010
RC3 = 00000100
RC4 = 00001000
RC5 = 00010000
RC6 = 00100000
RC7 = 01000000
RC8 = 10000000
RC9 = 00011011
This indicates that AES is used for enciphering, combined with Elliptic
Curve Diffie–Hellman (ECDH) key exchange. Thus, Google can be seen to be
following NSA’s recommendations. TLS stands for Transport Layer Security,
a protocol that is an upgrade of SSL 3.0 (Secure Socket Layer 3.0). Such proto-
cols are outside the scope of the present book.
19.4 AES Attacks
In October 2000, Bruce Schneier made the incredible comment, “I do not
believe that anyone will ever discover an attack that will allow someone
to read Rijndael traffic.”* But, by 2003, he and coauthor Niels Ferguson
* Schneier, B., AES announced, Crypto-Gram Newsletter, October 15, 2000 (http://www.schneier.
com/crypto-gram-0010.html).
www.ebook777.com
free ebooks ==> www.ebook777.com
554 Secret History: The Story of Cryptology
were putting their doubts into print: “We have one criticism of AES: we
don’t quite trust the security.” * They went on to explain the reason for their
distrust:†
What concerns us the most about AES is its simple algebraic structure. It
is possible to write AES encryption as a relatively simple closed algebraic
formula over the finite field with 256 elements. This is not an attack, just
a representation, but if anyone can ever solve those formulas, then AES
will be broken. This opens up an entirely new avenue of attack. No other
block cipher we know of has such a simple algebraic representation. We
have no idea whether this leads to an attack or not, but not knowing is
reason enough to be skeptical about the use of AES.
They referenced a paper by Ferguson and others, detailing the simple rep-
resentation of AES.‡ Meanwhile, AES has been endorsed by the NSA, which
made it part of their “Suite B” list of recommendations.
There is, as of this writing, no practical attack against AES. There are some
theoretical attacks, but this is a completely different matter. If someone finds
a way to break a cipher in 2% of the time that a brute-force attack would
require, it will be of tremendous interest to cryptologists, but if that 2% still
requires millions of years on the world’s fastest computer, it has no impor-
tance to someone simply wanting to keep his messages private. A few theo-
retical attacks and attacks against reduced rounds versions of AES can be
found in the papers referenced below.
* Ferguson, N. and Schneier, B., Practical Cryptography, Wiley, Indianapolis, IN, 2003, p. 56.
† Ibid., p. 57.
‡ Ferguson, N., Schroeppel, R., and Whiting, D., A simple algebraic representation of Rijndael,
in Vaudenay, S. and Youssef, A.M., Eds., Selected Areas in Cryptography: 8th Annual International
Workshop, Lecture Notes in Computer Science, Vol. 2259, Springer, New York, 2001, pp. 103–111.
§ Schneier, B., Schneier on Security, a blog covering security and security technology, http://
www.schneier.com/. There are links here to many of his published essays, as well as links for
purchasing signed copies of his books.
free ebooks ==> www.ebook777.com
Suite B All-Stars 555
FIGURE 19.7
Bruce Schneier (1963–), master of metaphors. (Photograph by Geoffrey Stone; http://www.
schneier.com/photo/.)
articles covering all aspects of security. Schneier was a strong critic of policies
implemented under George W. Bush following 9/11. A conclusion he and coau-
thor Niels Ferguson drew from their years of experience is a bit unsettling:*
In all our years working in this field, we have yet to see an entire system
that is secure. That’s right. Every system we have analyzed has been bro-
ken in one way or another.
* Schneier, B. and Ferguson, N., Practical Cryptography, Wiley, Indianapolis, IN, 2003, p. 1.
www.ebook777.com
free ebooks ==> www.ebook777.com
556 Secret History: The Story of Cryptology
method for numbers that don’t have some special form. Mersenne numbers, for
example, can be tested more rapidly by a specialized algorithm. This is why we
have the seemingly paradoxical situation where the quickest general method is not
responsible for identifying the largest known primes (Mersenne primes).
Blake, I., Seroussi, G., and Smart, N., Elliptic Curves in Cryptography, London
Mathematical Society Lecture Note Series 265, Cambridge University Press,
Cambridge, UK, 1999.
Cohen, H., Cryptographie, Factorisation et Primalité: L’utilisation des Courbes
Elliptiques, Comptes Rendus de la Journée annuelle de la Société Mathématique de
France, January 1987.
Dimitrov, V.S., Järvinen, K.U., Jacobson, M.J., Chan, W.F., and Huang, Z., Provably
sublinear point multiplication on Koblitz curves and its hardware implementa-
tion, IEEE Transactions on Computers, 57(11), 1469–1481, 2008.
Hankerson, D., Menezes, A., and Vanstone, S., Guide to Elliptic Curve Cryptography,
Springer, New York, 2004.
Koblitz, N., Introduction to Elliptic Curves and Modular Forms, Graduate Texts in
Mathematics No. 97, Springer, New York, 1984; 2nd ed., 1993. The first edition
preceded Koblitz’s discovery of elliptic curve cryptography.
Koblitz, N., Elliptic curve cryptosystems, Mathematics of Computation, 48(177), 203–
209, 1987.
Koblitz, N., A Course in Number Theory and Cryptography, Springer, New York, 1987;
2nd ed., 1994. This was the first book on cryptography with an introduction to
elliptic curves.
Koblitz, N., Hyperelliptic cryptosystems, Journal of Cryptology, 1(3), 139–150, 1989.
“These are curves having even higher powers of x; for example, y2 = x5 – x is
such a curve. In recent years a lot of research, especially in Germany, has been
devoted to hyperelliptic curve cryptosystems.”*
Koblitz, N., Algebraic Aspects of Cryptography, Springer, New York, 1998.
Koblitz, N., The uneasy relationship between mathematics and cryptography, Notices
of the AMS, 54(8), 972–979, 2007.
Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008. This is
Koblitz’s autobiography. It is primarily concerned with radical politics. Chapter
14 is devoted to cryptography, but for those interested in politics I recommend
the entire work. On p. 312, we have, “In any case, the popularity of randomly
generated elliptic curves is my justification for the title of this book.”
Koblitz, N. and Menezes, A., Another look at ‘provable security,’ Journal of Cryptology,
20(1), 3–37, 2007. Provable security is an area of mathematics that, as the name
indicates, claims to be able to prove the security of certain systems. Koblitz and
Menezes reacted with this paper, which essentially observes that the Emperor
has no clothes. The assault on provable security claims continued in a pair of
papers in the Notices of the AMS that are also referenced in the present list.
Koblitz, N. and Menezes, A., The brave new world of bodacious assumptions in cryp-
tography, Notices of the AMS, 57(3), 357–365, 2010.
Koblitz, N., Menezes, A., and Vanstone, S., The state of elliptic curve cryptography,
Designs, Codes and Cryptography, 19(2–3), 173–193, 2000.
* Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 313.
free ebooks ==> www.ebook777.com
Suite B All-Stars 557
Lenstra, Jr., H.W., Factoring integers with elliptic curves, Annals of Mathematics,
126(3), 649–673, 1987. Lenstra had his result in 1984, before elliptic curves
served any other cryptologic purpose. See Koblitz, N., Random Curves: Journeys
of a Mathematician, Springer, Berlin, 2008, p. 299.
Menezes, A.J. Elliptic Curve Public Key Cryptosystems, Kluwer, Boston, MA, 1993. This
was the first book devoted completely to elliptic curve cryptography.
Miller, V.S., Use of elliptic curves in cryptography, in Williams, H.C., Ed., Advances in
Cryptology: CRYPTO ’85 Proceedings, Lecture Notes in Computer Science, Vol.
218, Springer, Berlin, 1986, pp. 417–426.
NSA/CSS, The Case for Elliptic Curve Cryptography, National Security Agency/Central
Security Service, Washington, DC, 2009 (http://www.nsa.gov/business/pro-
grams/elliptic_curve.shtml). The reasons behind the National Security Agency’s
endorsement of elliptic curve cryptography are detailed in this essay. The
concluding paragraph states, “Elliptic Curve Cryptography provides greater
security and more efficient performance than the first generation public key
techniques (RSA and Diffie–Hellman) now in use. As vendors look to upgrade
their systems they should seriously consider the elliptic curve alternative for the
computational and bandwidth advantages they offer at comparable security.”
Rosing, M., Implementing Elliptic Curve Cryptography, Manning Publications,
Greenwich, CT, 1999.
Smart, N.P., The discrete logarithm problem on elliptic curves of trace one, Journal
of Cryptology, 12(3), 193–196, 1999. This paper presents an attack against a very
rare sort of elliptic curve that can easily be avoided.
Solinas, J.A., An improved algorithm for arithmetic on a family of elliptic curves, in
Kaliski, Jr., B.S., Ed., Advances in Cryptology: CRYPTO ’97 Proceedings, Lecture
Notes in Computer Science, Vol. 1294, Springer, Berlin, 1997, pp. 357–371. At
the Crypto ’97 conference, Solinas gave an analysis of an improved algorithm
for computations on the curves Koblitz proposed. This was the first paper pre-
sented publicly at a cryptography meeting by an NSA employee.*
Washington, L.C., Elliptic Curves: Number Theory and Cryptography, CRC Press, Boca
Raton, FL, 2003.
Will’s Elliptic Curve Calculator, http://www.csulb.edu/~wmurray/java/WillElliptic
Applet.html. This website provides an online elliptic curve calculator created by
Will Murray, assistant professor in the department of mathematics and statistics
as California State University, Long Beach. It asks for the characteristic of the
elliptic curve, which is a simple idea that wasn’t discussed in this chapter. The
characteristic is the smallest positive integer n such that nP = 0 for all points P. In
the Elgamal example, the characteristic was the modulus, 29.
On AES
Biham, E. and Keller, N., Cryptanalysis of reduced variants of Rijndael, in Proceedings
of the Third Advanced Encryption Standard Candidate Conference, New York, April
13–14, 2000, National Institute of Standards and Technology, Washington, DC,
2000.
* Koblitz, N., Random Curves: Journeys of a Mathematician, Springer, Berlin, 2008, p. 312.
www.ebook777.com
free ebooks ==> www.ebook777.com
558 Secret History: The Story of Cryptology
Biryukov, A., Khovratovich, D., and Nikolic, I., Distinguisher and related-key attack
on the full AES-256, in Halevi, S., Ed., Advances in Cryptology: CRYPTO 2009
Proceedings, Lecture Notes in Computer Science, Vol. 5677, Springer, Berlin,
2009, pp. 231–249.
Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D., and Shamir, A., Key recov-
ery attacks of practical complexity on AES-256 variants with up to 10 rounds, in
Gilbert, H., Ed., Advances in Cryptology: EUROCRYPT 2010 Proceedings, Lecture
Notes in Computer Science, Vol. 6110, Springer, Berlin, 2010, pp. 299–319. This
paper presents a practical attack on 10-round AES-256. Because AES-256 has 14
rounds, this attack is not practical against real-world AES.
Courtois, N.T. and Pieprzyk, J., Cryptanalysis of block ciphers with overdefined sys-
tems of equations, in Zheng, Y., Ed., Advances in Cryptology: ASIACRYPT 2002
Proceedings, Lecture Notes in Computer Science, Vol. 2501, Springer, Berlin,
2002, pp. 267–287. Is this an important paper? As of November 29, 2012, Google
Scholar indicated that this paper has been cited 654 times already. You decide!
Daemen, J. and Rijmen, V., The Design of Rijndael: AES—The Advanced Encryption
Standard, Springer, New York, 2002. This is full disclosure, a 238-page book
by the creators of AES explaining exactly how the cipher was constructed and
tested. Something like this should have accompanied DES.
Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., and Whiting, D.,
Improved cryptanalysis of Rijndael, in Schneier, B., Ed., Fast Software Encryption:
7th International Workshop, Lecture Notes in Computer Science, Vol. 1978,
Springer, New York, 2000, pp. 213–230.
Ferguson, N., Schroeppel, R., and Whiting, D., A simple algebraic representation of
Rijndael, in Vaudenay, S. and Youssef, A.M., Eds., Selected Areas in Cryptography:
8th Annual International Workshop, Lecture Notes in Computer Science, Vol. 2259,
Springer, New York, 2001, pp. 103–111.
Moser, J., A stick figure guide to the Advanced Encryption Standard (AES), Moserware,
Jeff Moser’s Software Development Adventures, September 22, 2009 (http://www.
moserware.com/2009/09/stick-figure-guide-to-advanced.html).
Musa, M.A, Schaefer, E.F., and Wedig, S., A simplified AES algorithm and its linear
and differential cryptanalyses, Cryptologia, 27(2), 148–177, 2003. This is useful
for pedagogical purposes, but it must be stressed that attacks on the simplified
version do not necessarily “scale up” to attacks on AES.
NIST, Announcing the Advanced Encryption Standard (AES), FIPS Pub. 197, National
Institute of Standards and Technology, Washington, DC, 2001, 51 pp. (http://
csrc.nist.gov/publications/fips/fips197/fips-197.pdf).
Phan, R.C.-W., Impossible differential cryptanalysis of 7-round Advanced Encryption
Standard (AES), Information Processing Letters, 91(1), 33–38, 2004.
free ebooks ==> www.ebook777.com
20
Possible Futures
Like most everything else, the future for cryptology is difficult to predict.
This chapter covers a pair of topics that could potentially have a massive
impact on the field: quantum cryptography (and quantum computers) and
DNA computing. The latter is newer, and I suspect it will have less impact,
so this chapter opens with quantum cryptography.
559
www.ebook777.com
free ebooks ==> www.ebook777.com
560 Secret History: The Story of Cryptology
0 1 1 0 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1
+ × + + × × × + × + × + + × + + × + × ×
She will now polarize photons to represent each 0 and 1. The + signs indi-
cate she polarizes those particular photons in either the | direction or the —
direction. She will use | to represent 1 and — to represent 0. If a particular bit
has an × under it, Alice will use \ to represent 1 and / to represent 0. Adding
a third line to our previous list of bits and polarization schemes, we show
what Alice actually sends (photons with the indicated polarizations):
0 1 1 0 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1
+ × + + × × × + × + × + + × + + × + × ×
— \ | — \ / \ | \ — / | — / | — \ | / \
On the receiving end, Bob sets up a filter for each photon in an attempt to
determine its polarization. If he sets his filter up like so, |, he will correctly
interpret any photons sent using the + scheme. The | photons will come
through and the — photons will reveal themselves by not coming through!
Similarly, setting his filter up as — will correctly identify all photons sent
according to the + scheme. However, photons sent using the × scheme will
come through with probability 1/2. Once through, they will appear to have
the orientation of the filter; thus, Bob only has a 50% chance of guessing these
correctly.
Similarly, if he uses one of the filters from the × scheme, he’ll correctly
identify the polarizations of all photons sent according to the × scheme but
err on average on half of the rest. Remember, Bob does not know which
scheme, + or ×, Alice used for any particular photon. He must guess!
We now add a fourth line to our diagram showing what sort of filter Bob
used for each photon.
0 1 1 0 1 0 1 1 1 0 0 1 0 0 1 0 1 1 0 1
+ × + + × × × + × + × + + × + + × + × ×
— \ | — \ / \ | \ — / | — / | — \ | / \
× + + × × + × + × × + × + × × + + × + ×
Of course, Bob has no way of knowing which recovered bits are correct and
which aren’t. He calls Alice and tells her what scheme he used for each. In
our example, she would tell him that he guessed correctly for positions 3, 5,
7, 8, 9, 13, 14, 16, and 20. It is okay if someone is listening in at this stage. Alice
and Bob then discard all positions for which Bob guessed incorrectly. The
bits that remain will serve as their key. Thus, their key begins 111110001.
These digits should not be revealed; Alice only confirms that Bob guessed
free ebooks ==> www.ebook777.com
Possible Futures 561
the correct filtering scheme for certain positions. This being the case, the pair
knows that Bob has correctly recovered the bits in those positions. He may
have correctly recovered other bits by chance, but those are ignored. Now
suppose someone, say Eve, was eavesdropping on the first communication,
when Alice sent the photons. To eavesdrop, Eve would have had to set up fil-
ters to measure the photon polarizations. There is no other way to obtain the
information she seeks. But Eve’s filters will have changed the polarizations
on the photons for which she guessed the wrong scheme. These changes
would carry through to Bob. Thus, to make sure Eve wasn’t listening in,
Alice and Bob spot check some positions. Alice might ask, “For positions 7,
13, and 16 did you get 1, 0, and 0?” If Bob answers affirmatively, they gain
confidence that there was no eavesdropper, discard the bits revealed, and
use the rest as their key.
To make the example above fit on a single line, only 20 of the photons
sent were detailed. In a real implementation, Alice would have to send many
more. If she hopes to establish a 128-bit key, sending 256 photons wouldn’t
be enough. Bob may guess the correct filtering scheme for half of the photons
he receives, but no room would be left to check for an eavesdropper. Alice
would be wiser to send 300 bits, allowing room for Bob to be an unlucky
guesser, as well as allowing enough randomly checked values to determine
with a high degree of certainty that no one was listening in.
It may happen that Eve guessed correctly on the filter orientations for all
of the bits Alice and Bob used to check for her presence on the line, but the
probability of her managing that for n bits is only (1/2)n; however, the prob-
ability of her eavesdropping going undetected is a bit higher. She’ll guess the
correct orientation half the time, but even when she guesses wrong she will
get the correct value half the time by chance; hence, she draws the correct
conclusion 3/4 of the time. Thus, by using n check bits, Alice and Bob reduce
the chances of Eve’s going unnoticed to (3/4)n, which can still be made as
small a value as they desire.
* A minor theme in this book, an important paper that was initially rejected: Wiesner, S.,
Conjugate coding, SIGACT News, 15(1), 78–88, 1983.
www.ebook777.com
free ebooks ==> www.ebook777.com
562 Secret History: The Story of Cryptology
circa 1970. Its publication was triggered by the appearance of another paper,
one he wrote with Bennett, Brassard, and Seth Breidbart that introduced the
term quantum cryptography, namely “Quantum Cryptography, or Unforgeable
Subway Tokens.”* These papers mark historic milestones, but the idea pre-
sented at the start of this chapter had not yet appeared. To get to that point in
the history, we must recount another rejection first. Brassard recalls:†
* Bennett, C.H., Brassard, G., Breidbart, S., and Wiesner, S., Quantum cryptography, or
unforgeable subway tokens, in Chaum, D., Rivest, R.L., and Sherman, A.T., Eds., Advances in
Cryptology: Proceedings of Crypto ’82, Plenum Press, New York, 1983, pp. 267–275. This is the
first published paper on quantum cryptography. Indeed, the first paper in which those words
were even put together.
† Brassard, G., Brief history of quantum cryptography: a personal perspective, in Proceedings
of IEEE Information Theory Workshop on Theory and Practice in Information Theoretic Security,
Awaji Island, Japan, October 17, 2005, pp. 19–23. A longer, 14-page version is available online
at http://arxiv.org/pdf/quant-ph/0604072v1.pdf. The passage here is taken from p. 4 of the
online version.
free ebooks ==> www.ebook777.com
Possible Futures 563
title of our paper was “Quantum Cryptography II: How to Reuse a One-
Time Pad Safely Even If P = NP.”* We submitted this paper to major theo-
retical computer science conferences, such as STOC (the ACM Annual
Symposium on Theoretical Computer Science), but we failed to have
it accepted. Contrary to Wiesner’s “Conjugate Coding,” however, our
“Quantum Cryptography II” paper has forever remained unpublished
(copies are available from the authors).
* Bennett, C.H., Brassard, G., and Breidbart, S., Quantum Cryptography II: How to Reuse a
One-Time Pad Safely Even If P = NP, paper rejected from 15th Annual ACM Symposium on
Theory of Computing, Boston, May 1983. Historical document dated “November 1982” is
available from the first two authors.
† Bennett, C.H. and Brassard, G., Quantum cryptography and its application to provably secure
key expansion, public key distribution, and coin tossing, in Proceedings of IEEE International
Symposium on Information Theory, St. Jovite, Quebec, Canada, September 26–30, 1983, p. 91.
‡ Brassard, G., Brief history of quantum cryptography: a personal perspective, in Proceedings
of IEEE Information Theory Workshop on Theory and Practice in Information Theoretic Security,
Awaji Island, Japan, October 17, 2005, pp. 19–23. A longer, 14-page version is available online
at http://arxiv.org/pdf/quant-ph/0604072v1.pdf. The passage here is taken from page 5 of the
online version.
§ Bennett, C.H. and Brassard, G., Quantum cryptography: public key distribution and coin
tossing, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal
Processing, Bangalore, India, December 9–12, 1984, pp. 175–179.
¶ Watson, J.D. and Crick, F.H.C., A structure for deoxyribose nucleic acid, Nature, 171(4356),
737–738, 1953. This paper was really a single page. Acknowledgments and references caused
it to spill over a bit onto a second page.
www.ebook777.com
free ebooks ==> www.ebook777.com
564 Secret History: The Story of Cryptology
writing to a given length, rather than writing until the topic has been com-
pletely covered in as clear a manner as possible. They usually keep asking
after I make comments like those above.
Back to Bennett and Brassard! The 3343 citations referred to above are
strongly skewed to more recent years. Brassard noted, “Throughout the
1980s, very few people took quantum cryptography seriously and most peo-
ple simply ignored it.”* In fact, in 1987, Doug Wiedemann had a paper pub-
lished in Sigact News that presented the exact same scheme as in the 1984
paper by Bennett and Brassard. He even called it quantum cryptography!†
So, there was someone deeply interested in the topic who didn’t know about
Bennett and Brassard’s work—nor, apparently, did the editor who published
the reinvention! One wonders who the reviewers were.
The two researchers decided that they needed to physically demonstrate
their scheme to gain some attention. They recruited some help and (without
any special budget) had their secret quantum transmission system, over a
distance of 32.5 centimeters, working in October 1989. Brassard recalls,‡
The funny thing is that, while our theory had been serious, our proto-
type was mostly a joke. Indeed, the largest piece in the prototype was
the power supply needed to feed in the order of one thousand volts to
Pockels cells, used to turn photon polarization. But power supplies make
noise, and not the same noise for the different voltages needed for differ-
ent polarizations. So, we could literally hear the photons as they flew, and
zeroes and ones made different noises. Thus, our prototype was uncon-
ditionally secure against any eavesdropper who happened to be deaf! :-)
Despite the noise, this demonstration marked the turning point for
Bennett and Brassard. Physicists were now interested. Physicist Artur K.
Ekert found a different way to accomplish the quantum key distribution. He
used quantum entanglement, rather than polarity, and published his result
in a physics journal, which helped spread the idea of quantum cryptography
more broadly.§ The results thus far were even featured in the popular journal
Scientific American.¶
of IEEE Information Theory Workshop on Theory and Practice in Information Theoretic Security,
Awaji Island, Japan, October 17, 2005, pp. 19–23. A longer, 14-page version is available online
at http://arxiv.org/pdf/quant-ph/0604072v1.pdf. The passage here is taken from p. 6 of the
online version.
§ Ekert, A.K., Quantum cryptography based on Bell’s theorem, Physical Review Letters, 67(6),
661–663, 1991.
¶ Bennett, C.H., Brassard, G., and Ekert, A.K., Quantum cryptography, Scientific American,
nature.com/news/2007/070305/full/news070305-12.html).
§ I actually think it will happen sooner. I picked a year far enough away to give me a wide
safety margin, yet still within my expected lifetime, so I can receive criticism in person if I’m
wrong.
www.ebook777.com
free ebooks ==> www.ebook777.com
566 Secret History: The Story of Cryptology
20.3 DNA Computing
We now consider another new form of
computing that could have a devastat-
ing impact on many current encryp-
tion algorithms. This tale begins with a
familiar face. Len Adleman (Figure 20.3),
the “A” in RSA, has another claim to
fame. He’s the one who came up with the
term “computer virus” for those pesky
programs that are the bane of everyone
who owns a machine, from those who
only use it to browse the Internet to the
mathematical maestros at the National
Security Agency. His graduate student,
Fred Cohen, released the first such virus
(under carefully controlled conditions!)
in 1983.*
Should we have been nervous when
Adleman decided to try mixing com-
puting science and biology once again
FIGURE 20.3
in the 1990s? He found biology hard to Len Adleman (1945–). (Courtesy of Len
resist, as it was now becoming “math- Adleman; http://www.usc.edu/dept/
ematized,” as he put it:† molecular-science/fm-adleman.htm.)
When I was an undergraduate in the ’60s, I thought biology was stuff that
smelled funny in the refrigerator. Now, biology is finite strings over a four-
letter alphabet and functions performed by enzymes on these strings.
His new insight for the ’90s was that DNA could take the place of traditional
computing means. It would be well suited for calculations that can be made
through the use of parallel processing to a massive degree. Adleman demon-
strated the idea of DNA computing by solving an instance of the (noncryp-
tographic) directed Hamiltonian path problem. It is illustrated in Figure 20.4
with the graph he used.
0 6
FIGURE 20.4
Solving an instance of the directed Hamiltonian path problem.
You may imagine the circles as locations on a map. They are called vertices
(or nodes or points). The lines connecting them may be thought of as roads
connecting the points of interest. They are usually called edges. Some of the
edges are one way, in the directions indicated by the arrows. In some cases,
there is a separate edge, connecting the same vertices, but in the opposite
direction, offering the traveler a simple way back. The challenge is, given a
starting vertex vin and an ending vertex vout, to find a path that passes through
all of the other vertices exactly once. The path needn’t make use of every
edge. Such paths do not exist for every directed graph. If one is present, it is
called a Hamiltonian path, after William Rowan Hamilton (1805–1865). Take a
few moments to find a Hamiltonian path for the graph in Figure 20.4 with
vin = 0 and vout = 6. Once you have found it, label the intermediate points 1,
2, 3, 4, 5, in the order your solution passes through them. For this particular
problem, the solution is unique. Some graphs have several distinct solutions
for a given starting point and ending point.
This simple-sounding problem is NP-complete. We can solve small exam-
ples by hand, but there is no known polynomial time solution for such prob-
lems in general.
To find the solution you discovered, Adleman began by randomly choos-
ing bases to form strands of DNA, labeled O0, O1, O2, O3, O4, O5, and O6. Known
as oligonucleotides (hence, the O used in our notation), these strands are only
half of the DNA “ladder” we usually picture when imagining DNA. A few
sample values are given below:
O2 = TATCGGATCGGTATATCCGA
O3 = GCTATTCGAGCTTAAAGCTA
O4 = GGCTAGGTACCAGCATGCTT
www.ebook777.com
free ebooks ==> www.ebook777.com
568 Secret History: The Story of Cryptology
We may then form the Watson–Crick complement of each of these, using the
fact that the complement of A is T and the complement of G is C:
O2 = ATAGCCTAGCCATATAGGCT
O3 = CGATAAGCTCGAATTTCGAT
O4 = CCGATCCATGGTCGTACGAA
There is nothing special about the choices used for the bases or their order.
All that matters is that we have as many strands as there are vertices in our
graph. Random strings of A, C, G, and T will suffice. However, there is no
flexibility in forming the complements (above) or in selecting the bases used
to represent the edges (below).
O2→3 = GTATATCCGAGCTATTCGAG
O3→4 = CTTAAAGCTAGGCTAGGTAC
Edge Oi→j is created by taking the second half of Oi and appending to it the
first half of Oj. These edges are defined so that they may join (by bonding)
the oligonucleotides representing the vertices, as shown below:
Thus, the vertices of our original graph are represented by O1, O2, O3, O4, O5,
O6, and O7. Notice that the edge O3→2 will not be the same as the edge O2→3.
Starting off with oligonucleotides of length 20 ensures that we’ll have more
than enough different possibilities to encode all 7 vertices, and from these
get the representations of all 14 edges. When the strands representing the
vertices and edges are placed close enough to bond, the bonds will represent
paths in the graph.
Since the only possible bondings are between C and G or A and T, we
can only have vertices linked by edges, in the manner shown above, if the
appropriate path is in fact present. A much weaker sort of bonding, like the
following, is possible:
(edge O2→3)
GTATATCCGAGCTATTCGAG
CGATAAGCTCGAATTTCGAT
(vertex O3)
free ebooks ==> www.ebook777.com
Possible Futures 569
www.ebook777.com
free ebooks ==> www.ebook777.com
570 Secret History: The Story of Cryptology
Back in 1995, Lipton estimated that a DNA computer with trillions of par-
allel processors could be made for $100,000.* This price tag brings to mind
the high cost that Diffie and Hellman originally placed on their hypothetical
DES cracker ($20 million). When that machine finally appeared, thanks to
the Electronic Frontier Foundation, it only cost $250,000. How much cheaper
will DNA computers be in the future? Will you end up owning one?
Just as traditional computers began as specialized machines for solv-
ing particular problems and only later became “universal” programmable
machines, so the history of DNA computers goes. A programmable DNA
computer was put forth by Israeli researchers from the Weizmann Institute
of Science in 2002.† It offered a tremendous advantage in terms of speed,
efficiency, and storage capacity over traditional machines but couldn’t do
everything they can. Who says you can’t have it all? Not Melina Kramer et
al.! In 2008, they created a hybrid device, combining biological components
and traditional silicon-based chips.‡ With such hybrids, the biological com-
ponents can take over where they offer an advantage, while we still have old-
school silicon technology to handle tasks for which it’s better suited.
It’s hard to predict where this technology will lead. Should we be sur-
prised that this brand new field was created by someone outside of biology,
thinking about it in his spare time? Not at all, according to Adleman. As
more and more fields of inquiry are reduced to mathematics, the ability of
a single person to comprehend large portions of it becomes more plausible.
Adleman predicted that,§
The next generation could produce a scientist in the old sense, a real gen-
eralist, who could learn the physics, chemistry, and biology, and be able
to contribute to all three disciplines at once.
For a hundred years it has seemed that science has been growing ever
more complicated, but perhaps mathematics will serve as a simplifying
force. Andrew Wiles, the man who finally proved Fermat’s last theorem, has
made a similar comment about mathematics itself:¶
* ftp://ftp.cs.princeton.edu/pub/people/rjl/bio.ps.
† Benenson, Y., Adar, R., Paz-Elizur, T., Livneh, Z., and Shapiro, E., DNA molecule provides a
computing machine with both data and fuel, Proceedings of the National Academy of Sciences,
100(5), 2191–2196, 2003 (submitted in 2002). For a popular account, see Lovgren, S., Computer
made from DNA and enzymes, National Geographic News, February 24, 2003 (http://news.
nationalgeographic.com/news/2003/02/0224_030224_DNAcomputer.html).
‡ Kramer, M., Pita, M., Zhou, J., Ornatska, M., Poghossian, A., Schoning, M., and Katz, E.,
Coupling of biocomputing systems with electronic chips: electronic interface for transduc-
tion of biochemical information, Journal of Physical Chemistry, 113(6), 2573–2579, 2009. The
work was done in 2008 but published in 2009.
§ Bass, T.A., Gene genie, Wired, 3(8), 114–117, 164–168, 1995.
¶ Fermat’s Last Tango [VHS], Clay Mathematics Institute, Cambridge, MA, 2001, bonus feature
www.ebook777.com
free ebooks ==> www.ebook777.com
572 Secret History: The Story of Cryptology
* http://www.iet.ntnu.no/groups/optics/qcr/.
free ebooks ==> www.ebook777.com
Possible Futures 573
On Post-Quantum Cryptography
Although quantum computers aren’t publicly available at this time, research-
ers have already been looking ahead to develop systems that can resist
such machines. It’s not true that quantum computers can break any cipher.
McEliece’s system, alluded to briefly in Section 15.5, and lattice-based sys-
tems, such as NTRU,* are believed to be secure against such machines…so
far. A few references follow.
On DNA Computing
Adleman, L.M., Molecular computation of solutions to combinatorial problems,
Science, 266(5187), 1021–1024, 1994 (http://www.usc.edu/dept/molecular-sci
ence/papers/fp-sci94.pdf). This is where it all began.
Adleman, L.M., On constructing a molecular computer, in Baum, E.B. and Lipton, R.J.,
Eds., DNA Based Computers, Vol. 27 in DIMACS Series in Discrete Mathematics
and Computer Science, American Mathematical Society, Washington, DC, 1996,
pp. 1–22 (ftp://usc.edu/pub/csinfo/papers/adleman/molecular_computer.
ps). Other papers in this important volume are referenced below.
Adleman, L.M., Computing with DNA, Scientific American, 279(2), 54–61, 1998.
Another article on the same topic, by the same author, but aimed at a more
general audience.
Amos, M., Theoretical and Experimental DNA Computation, Springer, Berlin, 2005.
Bass, T.A., Gene genie, Wired, 3(8), 114–117, 164–168, 1995. This is a lively account of
DNA computing that also gives the reader a glimpse into Adleman’s personality.
Benenson, Y., Adar, R., Paz-Elizur, T., Livneh, Z., and Shapiro, E., DNA molecule pro-
vides a computing machine with both data and fuel, Proceedings of the National
Academy of Sciences, 100(5), 2191–2196, 2003.
* Hoffstein, J., Pipher, J., and Silverman, J.H., An Introduction to Mathematical Cryptography,
Springer, New York, 2008. Chapter 6 of this introductory text is focused on lattice-based
cryptosystems, including NTRU, which was created by the authors.
www.ebook777.com
free ebooks ==> www.ebook777.com
574 Secret History: The Story of Cryptology
Boneh, D., Dunworth, C., Lipton, R.J., and Sgall, J., On the computational power
of DNA, Discrete Applied Mathematics, 71(1–3), 79–94, 1996 (http://www.dna.
caltech.edu/courses/cs191/paperscs191/bonehetal.pdf).
Boneh, D., Lipton, R.J., and Dunworth, C., Breaking DES using a molecular computer,
in Baum, E.B. and Lipton, R.J., Eds., DNA Based Computers, Vol. 27 in DIMACS
Series in Discrete Mathematics and Computer Science, American Mathematical
Society, Washington, DC, 1996, pp. 37–66. Here is the abstract:
Recently Adleman has shown that a small traveling salesman problem can
be solved by molecular operations. In this paper we show how the same
principles can be applied to breaking the Data Encryption Standard (DES).
Our method is based on an encoding technique presented by Lipton. We
describe in detail a library of operations which are useful when working
with a molecular computer. We estimate that given one arbitrary (plain-
text, cipher-text) pair, one can recover the DES key in about 4 months of
work. Furthermore, if one is given ciphertext, but the plaintext is only
known to be one of several candidates then it is still possible to recover the
key in about 4 months of work. Finally, under chosen cipher-text attack it
is possible to recover the DES key in one day using some preprocessing.
Devlin, K., Test tube computing with DNA, Math Horizons, 2(April), 14–21, 1995. This
Mathematical Association of America (MAA) journal consists of articles easily
accessible to undergraduates. The article cited here is especially nice and pro-
vides a more detailed description of the biochemistry than is given in this book.
Ignatova, Z., Martinez-Perez, I., and Zimmermann, K.-H., DNA Computing Models,
Springer, Berlin, 2008.
Kari, L., Gloor, G., and Yu, S., Using DNA to solve the bounded post correspondence
problem, Theoretical Computer Science, 231(2), 192–203, 2000 (http://citeseer.ist.
psu.edu/kari00using.html).
Lipton, R.J., DNA solution of hard computational problems, Science, 268(5210), 542–
545, 1995.
Lipton, R.J., Speeding up computation via molecular biology, in Baum, E.B. and Lipton,
R.J., Eds., DNA Based Computers, Vol. 27 in DIMACS Series in Discrete Mathematics
and Computer Science, American Mathematical Society, Washington, DC, 1996,
pp. 67–74 (ftp://ftp.cs.princeton.edu/pub/people/rjl/bio.ps).
Lovgren, S., Computer made from DNA and enzymes, National Geographic News,
February 24, 2003 (http://news.nationalgeographic.com/news/2003/02/0224_
030224_DNAcomputer.html). This is a popular account of Benenson, Y., Adar,
R., Paz-Elizur, T., Livneh, Z., and Shapiro, E., DNA molecule provides a com-
puting machine with both data and fuel, Proceedings of the National Academy of
Sciences, 100(5), 2191–2196, 2003.
Păun, G., Rozenberg, G., and Salomaa, A., DNA Computing: New Computing Paradigms,
Springer, New York, 1998.
Cryptography
free ebooks ==> www.ebook777.com
DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor KENNETH H. ROSEN
The second part of the book examines modern cryptology. The author looks
at the work of Claude Shannon and the origin and current status of the NSA,
including some of its Suite B algorithms such as elliptic curve cryptography
and the Advanced Encryption Standard. He also details the controversy that
surrounded the Data Encryption Standard and the early years of public key
cryptography. The book not only provides the how-to of the Diffie-Hellman
key exchange and RSA algorithm, but also covers many attacks on the
latter. Additionally, it discusses Elgamal, digital signatures, PGP, and stream
ciphers and explores future directions such as quantum cryptography and
DNA computing.
K15955
www.ebook777.com