![Page 1: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/1.jpg)
Cryptography in World War IIJefferson Institute for Lifelong Learning at UVa
Spring 2006 David Evans
Class 2:The Lorenz Cipher and
the Postman’s Computer
http://www.cs.virginia.edu/jillcrypto
Colossus Rebuilt, Bletchley Park, Summer 2004
![Page 2: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/2.jpg)
2JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
One-Time Pad
Vernam [1917](AT&T Bell Labs)
Plaintext Letters
Key Letters
Relays combine key and plaintext letters
![Page 3: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/3.jpg)
3JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
The Baudot Code(like Morse Code, not a cipher)
A 00011 H 10100 space0010
0
B 11001 I 00110 ... ... return0100
0
C 01110 J 01011 V1111
0line feed
00010
D 01001 K 01111 W1001
1letter shift
11111
E 00001 L 10010 X1110
1figure
shift1101
1
F 01101 M 11100 Y10101
error0000
0
G 11010 N 01100 Z10001
Encode 32 letters using 5 on/off signals
![Page 4: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/4.jpg)
4JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Why perfectly secure?
For any given ciphertext, all plaintexts are equally possible.Ciphertext: J = 01001Key1: I = 00110Plaintext1: 01111 = KKey2: L = 10010Plaintext2: = 11011 = shift
![Page 5: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/5.jpg)
5JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Vernam’s Key
• A long paper tape with random letters on it (using Baudot code)
• Cannot reuse key – tape must be very long!
This has 6 holes per letter(not Baudot code)
![Page 6: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/6.jpg)
6JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Morehouse’s Improvement
• Like Vernam machine, but with two key tapes
Tape 1 (999 letters)
Tape 2 (1000 letters)
![Page 7: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/7.jpg)
7JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Morehouse’s Improvement(patented in 1920)
Tape 1 (999 letters)
Tape 2 (1000 letters)
Message
Ciphertext
=
![Page 8: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/8.jpg)
8JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Looping Tapes
Tape 1 (999 letters)
Tape 2 (1000 letters)
The tape equivalent to Tape 1 Tape 2would not repeat for 999 * 1000 letters!
Note: it is no longer a perfect cipher though. Some keys are not possible after 1001 letters.
![Page 9: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/9.jpg)
9JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Lorenz Cipher• Based on the Vernam and Morehouse
– Used Baudot code
• Believed managing long paper tapes during wartime was too difficult
• Machine generates key sequence– If two machines start in same configuration,
same key sequence– Will not repeat for ~ 1019 letters
All words ever spoken or written by all humans is estimated around 1018 letters
![Page 10: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/10.jpg)
10JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Lorenz Cipher Machine
![Page 11: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/11.jpg)
11JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Lorenz Wheels
12 wheels501 pinstotal (setto control wheels)
![Page 12: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/12.jpg)
12JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Wheel Operation
Bitchannels
(5 for Baudot)
Two XORswith key bits
(like paper tapes)
![Page 13: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/13.jpg)
13JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Wheel OperationEach K wheelrotates every
letter
M wheels control if S
wheels rotate
Each S wheelrotates when M wheels output 1
![Page 14: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/14.jpg)
14JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Use by Nazis• Considered most secure cipher
machine• Messages between Hitler’s army
headquarters and European capital headquarters
• Each link had a slightly different system (British named them for fish):– Tunny: Vienna - Athens– Jelly: Berlin – Paris
![Page 15: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/15.jpg)
15JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
General Report on Tunny(1945, declassified in 2000)
“It is regretted that it is not possible to give an adequate idea of the fascination of a Colossus at work: its sheer bulk and apparent complexity; the fantastic speed of thin paper tape round the glittering pulleys; the childish pleasure of not-not, span, print main heading and other gadgets; the wizardry of purely mechanical decoding letter by letter (one novice thought she was being hoaxed); the periods of eager expectation culmniating in the sudden appearance of the longed-for score; the strange rhythms characterizing every type of run; the stolid rectangle interrupted by the wild leaps of the carriage-return, the frantic chatter of a motor run, the ludicrous frenzy of hosts of bogus scores.”
![Page 16: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/16.jpg)
16JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Breaking Fish• GCHQ learned about first Fish link
(Tunny) in May 1941– Intercepted unencrypted Baudot-encoded
test messages
• August 30, 1941: Big Break!– Operator retransmits failed message with
same starting configuration– Gets lazy and uses some abbreviations,
makes some mistakes• SPRUCHNUMMER/SPRUCHNR (Serial Number)
![Page 17: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/17.jpg)
17JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
“Two Time” Pad• Allies have intercepted:
C1 = M1 K1C2 = M2 K1Same key used for both (same starting configuration)
• Breaking message:C1 C2 = (M1 K1) (M2 K1) = (M1 M2) (K1 K1) = M1 M2
![Page 18: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/18.jpg)
18JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
“Cribs”• Know: C1, C2 (intercepted ciphertext)
C1 C2 = M1 M2• Don’t know M1 or M2
– But, can make some guesses (cribs)• SPRUCHNUMMER• Sometimes allies moved ships, sent out bombers to
help the cryptographers get good cribs
• Given guess for M1, calculate M2M2 = C1 C2 M1
• Once guesses that work for M1 and M2K1 = M1 C1 = M2 C2
![Page 19: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/19.jpg)
19JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Finding K1• From the 2 intercepted messages, Col.
John Tiltman worked on guessing cribs to find M1 and M2 – 4000 letter message, found 4000 letter key
• Bill Tutte (recent Chemistry graduate) given task of determining machine structure from key– Already knew it was 2 sets of 5 wheels and
2 wheels of unknown function
![Page 20: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/20.jpg)
20JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Reverse Engineering Lorenz• Looked at patterns of bits in key• Found repeating sequence:
– Repetition period of 41, learned first wheel had 41 pins
– Similar for other wheels, determining S/M/K wheel structure
• After 6 months of hard work: determined likely machine structure that would generate K1
![Page 21: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/21.jpg)
21JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Intercepting Traffic• Set up listening post to intercept traffic
from 12 Lorenz (Fish) links– Different links between conquered capitals– Slightly different coding procedures, and
different configurations
• 600 people worked on intercepting traffic
• Sent intercepts to Bletchley (usually by motorcycle courier)
![Page 22: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/22.jpg)
22JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Breaking Traffic• Knew machine structure, but a
different initial configuration was used for each message
• Need to determine wheel setting:– Initial position of each of the 12 wheels– 1271 possible starting positions– Needed to try them fast enough to
decrypt message while it was still strategically valuable
![Page 23: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/23.jpg)
23JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Recognizing a Good Guess
• Intercepted Message (divided into 5 channels for each Baudot code bit)
Zc = z0z1z2z3z4z5z6z7…
zc, i = mc,i xc,i sc,i
Message Key (parts from S-wheels and rest)
• Look for statistical properties– How many of the zc,i’s are 0?
– How many of (zc,i+1 zc,i) are 0?
½ (not useful)½
![Page 24: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/24.jpg)
24JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Double Delta Zc,i = Zc,i Zc,i+1
• Combine two channels: Z1,i Z2,I =
M1,i M2,i
X1,i X2,i
S1,i S2,i
= ½ (key)
> ½ Yippee!
> ½
![Page 25: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/25.jpg)
25JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Double Delta M1,i M2,i
X1,i X2,i
S1,i S2,i
= ½ (key)
> ½ Yippee!
> ½
Why is M1,i M2,i > ½ Message is in German, more likely
following letter is a repetition than random
Why is S1,i S2,i > ½ S-wheels only turn some of the time (when M-wheel is 1)
![Page 26: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/26.jpg)
26JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Actual Advantage• Probability of repeating letters
Prob[ M1,i M2,i = 0] ~ 0.614 3.3% of German digraphs are repeating
• Probability of repeating S-keys Prob[ S1,i S2,i = 0] ~ 0.73
Prob[ Z1,i Z2,I X1,i X2,i = 0]
= 0.614 * 0.73 + (1-0.614) * (1-0.73) M and S are 0 M and S are 1
= 0.55
![Page 27: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/27.jpg)
27JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Using the Advantage• If the guess of X is correct, should see
higher than ½ of the double deltas are 0• Try guessing different configurations to
find highest number of 0 double deltas• Problem:
# of double delta operations to try one config= length of Z * length of X= for 10,000 letter message = 12 M for each
setting * 7 per double delta = 89 M operations
![Page 28: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/28.jpg)
28JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Heath Robinson• Dec 1942: Decide to build
a machine to do these s quickly, due June 1943
• Apr 1943: first Heath Robinson machine is delivered!
• Intercepted ciphertext on tape: – 2000 characters per second
(12 miles per hour)– Needed to perform 7
operations each ½ ms
Heath Robinson, British Cartoonist (1872-1944)
![Page 29: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/29.jpg)
29JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Colossus
• Heath Robinson machines were too slow• Colossus designed and first built in Jan 1944• Replaced keytext tape loop with electronic
keytext generator• Speed up ciphertext tape:
– 5,000 chars per second = 30 mph – Perform 5 double deltas simultaneously – Speedup = 2.5X for faster tape * 5X for parallelism
![Page 30: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/30.jpg)
30JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Colossus Design
Electronic Keytext
GeneratorLogic Tape Reader
CounterPosition Counter
Printer
Ciphertext Tape
![Page 31: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/31.jpg)
31JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Impact on WWII• 10 Colossus machines operated at
Bletchley park– Various improvements in speed
• Decoded 63 million letters in Nazi command messages
• Learned German troop locations to plan D-Day (knew the deception was working)
![Page 32: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/32.jpg)
32JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Colossus History
• Kept secret after the war, all machines destroyed
During WWIIRebuild, Bletchley Park, Summer 2004
![Page 33: Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d7d550346895dbada3f/html5/thumbnails/33.jpg)
33JILL WWII Crypto Spring 2006 - Class 2: Breaking Fish
Next Class
• Enigma and how it was broken
• Some similarities to Colossus:– Exploited operator
errors– Built machines to
quickly try possibilities