HistoCrypt 2018

Proceedings of the
1st International Conference on
Historical Cryptology

June 18-20, 2018

Uppsala University
Uppsala, Sweden
 Proceedings of the
1st International Conference on
Historical Cryptology

HistoCrypt 2018

Editor
Beáta Megyesi

June 18-20, 2018

Department of Linguistics and Philology
Uppsala University
Sweden

Published by

NEALT Proceedings Series 34

Linköping University Electronic Press, Sweden
Linköping Electronic Conference Proceedings No. 149
ISSN: 1650-3686
eISSN: 1650-3740
ISBN: 978-91-7685-252-1
URL: http://www.ep.liu.se/ecp/contents.asp?issue=149
S PONSORS
Preface: Program Chair
We are very pleased to introduce the proceedings of the International Conference on
Historical Cryptology (H ISTO C RYPT 2018), held at the Department of Linguistics and
Philology on the English Park Campus, Uppsala University, Sweden, between June 18
and 20, 2018.
H ISTO C RYPT addresses all aspects of historical cryptology/cryptography includ-
ing work in closely related disciplines (such as history, history of ideas, computer
science, AI, computational linguistics, linguistics, or image processing) with rele-
vance to historical ciphertexts and codes. The subjects of the conference include, but
are not limited to the use of cryptography in military, diplomacy, business, and other
areas, analysis of historical ciphers with the help of modern computerized methods,
unsolved historical cryptograms, the Enigma and other encryption machines, the his-
tory of modern (computer-based) cryptography, linguistic aspects of cryptology, the
influence of cryptography on the course of history, or teaching and promoting cryp-
tology in schools, universities, and the public.
H ISTO C RYPT represents a continuation of the friendly events of European Histor-
ical Ciphers Colloquiums (EuroHCC) held in Heusenstamm (2012), Kassel (2016),
and Smolenice (2017) to discuss on-going research in historical cryptology in Europe.
Considering EuroHCC’s growing popularity among the crypto-historians and cryp-
tographers and the established HICRYPT network on historical cryptology with over
90 members from 20 countries around the world, our aim is to establish H ISTO C RYPT
as an annual, world-wide event. The first event in the series takes place in 2018 at
Uppsala University, Sweden. We are very happy that the conference has been inter-
nationally recognized outside Europe as well, and submissions are received from all
over the world. It is a great honor to serve as the Program Chair for H ISTO C RYPT
2018, to be held in Uppsala for the first time.
The scientific program was carefully planned by an international scientific pro-
gram committee, consisting of researchers in cryptology, history, intelligence and lan-
guage technology. The program committee invited paper submissions in two distinct
tracks: regular papers up to 10 pages on substantial, original, and unpublished re-
search, including empirical evaluation results, where appropriate; short papers up to
4 pages on smaller, focused contributions, work in progress, negative results, surveys,
tutorials, or opinion pieces; or summarizing a software system to be accompanied by
a live demonstration at the conference.
The conference received 24 submissions from all over Europe (Czechia, Den-
mark, France, Germany, Hungary, Italy, Netherlands, Poland, Slovakia, Sweden, and
the UK) as well as from Ghana, Israel, New Zealand, Russia, the United States, and
Uruguay.
Our primary goal in the program committee was to achieve a high quality program
using a double-blind, rigorous review process. All papers were reviewed by at least
three experts invited by the program committee members for reviewing. After dis-

v
cussion among the reviewers to synchronize recommendations, the final selection of
the papers was made by the program committee. The decision was not an easy task
due to many submissions with high scores and overall positive reviews, and the time
and space constraints of the two day long main conference. Our goal was to include
papers dealing with a wide variety of topics from various scientific areas of relevance
to historical cryptology. We aimed at achieving balance between regular and short
papers, and chose to accept papers—being regular or short—with high scores as oral
talks, while we were more lenient with poster presentations. 66% of the regular papers
and 33% of the short papers were accepted for oral presentations, while 22% of the
regular papers and 50% of the short papers were accepted as posters and/or demos. In
the final program, there are 16 regular, and 5 short papers, all collected in this volume,
thematically structured, in the same order as they are presented during the conference.
In addition to the accepted papers, we are proud to present six invited keynote
speakers, distinguished researchers from France, Germany, Israel, and the US. They
cover different areas of the conference. Craig Bauer (York College of Pennsylvania)
presents highlights from his book on the world’s greatest ciphers. Katherine Ellison
(Illinois State University) talks about the central role of cryptology in the history of
reading. Rémi Géraud tells us about his and David Naccache’s work (École normale
supérieure) on a French code from the late 19th century. Ephraim Lapid (Bar-Ilan
University and IDC Herzliya) presents the thrilling story behind the British “Israeli
Enigma”.
Given the location of H ISTO C RYPT at Uppsala University, special attention is
given to the heritage of Prof. Arne Beurling and his role in breaking the German
teletype ciphers. Therefore, we invited Kjell-Ove Widman, professor emeritus in ap-
plied mathematics (University of Linköping) to talk about Arne Beurling as a math-
ematician and code breaker, and George Lasry (University of Kassel) to tell us about
his very new methods to solve the “completely hopeless” T52, which Arne Beurling
worked on and which can be found in the archives of the Swedish National Defence
Radio Establishment (FRA). And in connection to the poster and demo session, we
organize an exhibition to show four Enigma machines, usually hidden in the FRA
archive.
Lastly, the conference program also includes two workshops, organized by their
own committees. The workshop on (Automated) Cryptanalysis of Classical Ciphers
with CrypTool 2 demonstrates the open-source e-learning tool consisting of several
classical and modern cryptographic algorithms where participants can learn and prac-
tice how to use CrypTool. The workshop Solving codes rather than ciphers. Is there
a software challenge? focuses on the fascinating codes, encrypted messages word by
word, aiming at finding solutions for breaking these.
These proceedings will provide a permanent record of the program. The confer-
ence proceedings are published by the Northern European Association for Language
Technology (NEALT) Proceedings Series by Linköping University Electronic Press,
as freely available Gold Open Access. The proceedings are indexed in the DBLP com-

vi
puter science bibliography and also published in the anthology of the Association of
Computational Linguistics (ACL Anthology) in parallel.
Organizing a conference with an interesting and diverse program in a highly cross-
disciplinary field is far from easy and relies on the goodwill of many researchers in-
volved in the various scientific areas, all with their own traditions. I would like to
express my gratitude and appreciation to my great fellows on the program committee
for their invaluable work, for fruitful discussions, and for sharing the effort of creating
the program. A special thank goes to the steering committee, especially Arno Wacker,
for his support and generous advice. I would also like to record my appreciation for
the work of the 23 reviewers and 4 subreviewers for their time and effort to contribute
to the reviewing, give constructive and collegial feedback, and help the program com-
mittee in the selection of papers. Wholehearted thanks go to the six keynote speakers,
and the workshop organizers, as well as Anders H. Wik and Åsa Ljungqvist for bring-
ing to light the Enigma machines and arranging the exhibition in connection to the
demo session. I would also like to thank all authors without whom this conference
would not have taken place! Nils Blomqvist deserves a huge and special thank for
professionally serving as the proceedings co-manager. My greatest debt goes to the
local organization, Eva Pettersson, for carrying the burden of the local organization,
and Bengt Dahlqvist, for helping out with the on-line registration and the conference
website. We are also extremely pleased to have received generous sponsorship from
the Swedish Foundation for Humanities and Social Sciences allowing free registra-
tion and covered accommodation and travel costs for many conference participants.
Lastly, I am grateful to my nearest and dearest—my twins, bonus kids, and partner—
for generously giving me the space to disappear into our world of hidden secrets from
the past.
I wish you all a fruitful conference and hope you will enjoy H ISTO C RYPT 2018!

Beáta Megyesi (Program Chair)

vii
Program Committee
• Beáta Megyesi (Program Chair), Uppsala University, Sweden
• Bernhard Esslinger, University of Siegen, Germany
• Otokar Grošek, Slovak University of Technology, Slovakia
• Benedek Láng, Budapest University of Technology and Economics, Hungary
• Mark Phythian, University of Leicester, UK
• Anne-Simone Rous, Saxon Academy of Sciences and Humanities, Germany
• Gerhard F. Straßer, Emeritus, Pennsylvania State University, USA

Local Organizing Committee

• Eva Pettersson (Local Chair), Uppsala University, Sweden
• Bengt Dahlqvist, Uppsala University, Sweden
• Beáta Megyesi, Uppsala University, Sweden

Steering Committee
• Arno Wacker, University of Kassel, Germany
• Joachim von zur Gathen, Emeritus, Bonn-Aachen International Center for In-
formation Technology, Germany
• Marek Grajek, Poland
• Klaus Schmeh, Private researcher, Germany

Extended Program Committee: Reviewers

• Eugen Antal, Slovak University of Technology in Bratislava, Slovakia
• Leopold Auer, Emeritus, Austria
• Charlotte Backerra, TU Darmstadt, Germany
• Nicolas Courtois, University College London, UK
• Karl de Leeuw, University of Amsterdam, Netherlands

viii
 • Camille Desenclos, Université de Haute-Alsace, France
• Mans Hulden, University of Colorado Boulder, USA

• Ioanna Iordanou, Oxford Brookes University, UK

• Pascal Junod, Snap, Switzerland
• Kevin Knight, University of Southern California, USA
• Jozef Kollár, Slovak University of Technology in Bratislava, Slovakia

• Grzegorz Kondrak, University of Alberta, Canada

• Nils Kopal, University Kassel/Applied Information Security, Germany
• George Lasry, University of Kassel, Germany

• Sjouke Mauw, University of Luxembourg, Luxemburg

• Jakub Mirka, The State Regional Archives in Pilsen, Czech Republic
• Michal Musilek, University of Hradec Kralove, Czech Republic
• Valerie Nachef, University of Cergy-Pontoise, France

• Stefan Porubsky, Academy of Sciences, Czech Republic

• Klaus Schmeh, Cryptovision, Germany
• Shlomo Shpiro, Bar-Ilan University, Israel
• Serge Vaudenay, Ecole Polytechnique Fédérale de Lausanne, Switzerland

• Pavol Zajac, Slovak University of Technology in Bratislava, Slovakia

Subreviewers
• Bradley Hauer, University of Alberta, Canada
• Saeed Najafi, University of Alberta, Canada

• Matteo Scarlata, University College London, UK

• Peter Spacek, Slovak University of Technology in Bratislava, Slovakia

ix
 I NVITED TALK :

Updates on the World’s Greatest Unsolved Ciphers

Craig Bauer
York College of Pennsylvania, USA

Abstract
Craig’s book, Unsolved! The History and Mystery of the World’s Greatest Ciphers from An-
cient Egypt to Online Secret Societies, saw print a little over a year ago. Many updates can
now be made. The talk includes highlights from the book, progress that has been made on sev-
eral ciphers contained therein, and images of more historic unsolved ciphers, as challenges for
conference attendees.

Bio
Craig P. Bauer is professor of mathematics at York College of Pennsylvania and the editor-
in-chief of Cryptologia. He was the 2011-2012 Scholar-in-Residence at the National Security
Agency (NSA) Center for Cryptologic History and is the author of two books: Secret History:
The Story of Cryptology and Unsolved!: The History and Mystery of the World’s Greatest
Ciphers from Ancient Egypt to Online Secret Societies. His television appearances include the
mini-series The Hunt for the Zodiac Killer and two episodes of Codes and Conspiracies.

xi
 I NVITED TALK :

Cryptology and the Fantasy of Reading

Katherine Ellison
Illinois State University, USA

Abstract
This presentation will explore the central role of cryptology in the history of reading, when lit-
eracy became a goal of the masses rather than a special skill reserved only for the educated elite.
Beginning in the seventeenth century, instructional cryptography manuals established the foun-
dational terms and methodologies of literacy training. Cryptologers including John Wilkins,
Gustavus Selenus, Gasparis Schotti, Noah Bridges, and John Falconer sought not only to edu-
cate the public in ciphering and deciphering but to establish multimodal habits of everyday lit-
eracy; they had a vision of the future of citizen literacy that resisted the dominance of alphabetic
reading and insisted that literacy must encompass alphabets as well as mathematics, algorithms,
scientific symbols, musical notation, visual images, and digital technologies (and they did use
the term “digital”, as in requiring the use of the digits). Cryptology also provided the framework
for teaching audiences how to see the ways in which the habits of printing, page layout, and the
physical materiality of books and paper all make meaning in relation to the symbols on the
page. Though their methods did not heavily influence eighteenth- and nineteenth-century edu-
cational theorists, the revival of cryptologic curiosity during World War I, in particular, brought
the seventeenth-century methods to the attention of figures like John Matthews Manly, Edith
Rickert, the Friedmans, and others. Riverbank Laboratory even began publishing primers for
teaching kindergarteners how to read – by teaching them the bilateral cipher of Francis Bacon.

Bio
Katherine Ellison is co-editor of A Material History of Medieval and Early Modern Ciphers:
Cryptography and the History of Literacy (2017) and author of A Cultural History of Early Mod-
ern English Cryptography Manuals (2016) and Fatal News: Reading and Information Overload
in Early Eighteenth-Century Literature (2006). Professor of English at Illinois State Univer-
sity, she has published widely on cryptology, media history, and literacy in Games and War,
Early Modern Trauma, Literature Compass, the Journal for Early Modern Cultural Studies,
the Journal of the Northern Renaissance, Book History, Eighteenth-Century Fiction, Educa-
tional Research, Academic Exchange Quarterly, Maternal Pedagogies, and Sex and Death in
Eighteenth-Century Literature. She is beginning a new collection with Medievalist Dr. Su-
san Kim on John Matthews Manly and Edith Rickert and a monograph on Fop Intelligence, an
investigation of cryptology and gender identity.

xiii
 I NVITED TALK :

A French Code from the Late 19th Century

David Naccache and Rémi Géraud
École normale supérieure, Paris, France

Abstract
The Franco-Prussian war (1870-1871) was the first major European conflict during which ex-
tensive telegraph use enabled fast communication across large distances. Field officers would
therefore have to learn how to use secret codes. But training officers also raises the probability
that defectors would reveal these codes to the enemy. Practically all known secret codes at the
time could be broken if the enemy knew how they worked.
Under Kerckhoffs’ impulsion, the French military thus developed new codes, meant to
resist even if the adversary knows the encoding and decoding algorithms, but simple enough to
be explained and taught to military personnel.
Many of these codes were lost to history. One of the designs however, due to Major H.
D. Josse, has been recovered and this article describes the features, history, and role of this
particular construction. Josse’s code was considered for field deployment and underwent some
experimental tests in the late 1800s, the result of which were condensed in a short handwritten
report. During World War II, German forces got hold of documents describing Josse’s work,
and brought them to Berlin to be analysed. A few years later these documents moved to Russia,
where they have resided since.

Bio
David Naccache heads the ENS’ ISG. His research areas are code security, forensics, the au-
tomated and the manual detection of vulnerabilities. Before joining ENS Paris (PSL) he was
a professor during 10 years at the Université Paris 2 (Sorbonne Universités). He previously
worked for 15 years for Gemplus (now Gemalto), Philips (now Oberthur) and Thomson (now
Technicolor). He is a forensic expert by several courts, and the incumbant of the Law and IT
forensics chair at EOGN. David is the inventor of 170 patent families and the author of 200
publications in information security and cryptography.

Dr. Rémi Géraud is cryptologist, security researcher, member of the Information Security
Group of École normale supérieure. His research interests include the mathematics of public-
key cryptographic protocols, information security, physical and network intrusion, defensive
design, and on a broader scale the economics and geopolitics of information.

xv
 I NVITED TALK :

The Israeli Enigma

Ephraim Lapid
Bar-Ilan University and IDC Herzliya, Israel

Abstract
From its early days, the Israeli military has developed a Signals Corp to provide effective and
secure communication to the needs of the defense establishment. From the start, there was good
cooperation between the functions of cyphering and deciphering, although they were conducted
by different organizations, to assure the security and reliability of military communications.
As soon as Israel gained its independence, it became a key target for British intelligence col-
lection. British espionage activities on Israel were coordinated from the Security Intelligence
Middle East (SIME) headquarters near Cairo, and later from Cyprus. The nascent Israeli cryp-
tography was of special interest for British intelligence, as Britain still maintained a substantial
military presence in the region, especially at the Suez Canal in Egypt and in Jordan. In the
early 1950s, British intelligence embarked on a covert operation aimed at giving them access to
Israel’s most secret communications. The Israeli Defense Forces (IDF) looked for an advanced
cypher machine to replace the hand-cypher, which caused bottlenecks of huge numbers of mes-
sages. Israel succeeded in purchasing from the United Kingdom 50 Enigmas in good order, and
believing in the Enigma’s invincibility, invested substantial effort and cost to transform them in
great secrecy into Hebrew. However, before these Enigmas were put to operational use, a warn-
ing was received from several Israelis, who were former members of Bletchley Park’s staff, on
British successes in cracking the Enigma during WWII. A decision was made to abandon the
Israeli Enigmas. Most of the Hebrew Enigmas were sadly destroyed, only one example was
retained and is today on display at the IDF heritage center.
In the British Bletchley Park team were several persons who later immigrated to Israel,
including Prof. Joseph Gilis, who founded the Department of Mathematics at the Weizmann
Institute and Dr. Walter Eytan, the First Director-General of Israel’s Ministry of Foreign Affairs.
Two other Jewish experts from South Africa, Shaul Bar-Levav and Meir Shapira, were the
founders of the IDF units of ciphering at the Signal Corp and deciphering in the Sigint unit.
Colonel Shaul Shamai, a prodigious decoder of Arabic codes, was the only soldier who was
decorated by an IDF Chief of Staff who had not fought on the battlefield, a testimony to his
crucial contribution to deciphering key Arab cyphers.

Bio
Brigadier General (Res.) Dr. Ephraim Lapid is a lecturer at Bar-Ilan University and IDC Her-
zliya Israel. He served as a Senior Intelligence officer in the Israel Defense Forces (I.D.F)
and was the I.D.F. Spokesperson and Instructor in the Israeli National Defense College. After
retiring from the Israeli Military, he was a senior official in the Jewish Agency.

xvii
 I NVITED TALK :
S PECIAL S ESSION ON A RNE B EURLING

Arne Beurling:
Mathematician and Code Breaker
Kjell-Ove Widman
Professor Emeritus, Sweden

Abstract
Arne Beurling was a 34-year old professor of mathematics at Uppsala University when the Sec-
ond World War broke out in 1939. He reported immediately to the Swedish SIGINT service
and was first entrusted with Soviet military codes which he helped solve, partly in cooperation
with Finnish colleagues. After the occupation of Norway in 1940, a hitherto unknown type
of encrypted traffic was picked up from telegraph cables running from Norway to Germany
through Sweden. Given the task of analysing the traffic, Beurling took the collected material
from two days in May and retreated to his office. Two weeks later he reappeared, having diag-
nosed the type of the transmission, deduced the ciphering algorithm, and found a way to attack
it. Special machines were built, and over a three-year period, more than 250 000 messages
sent between Berlin and the occupying forces in Norway were deciphered and forwarded to the
relevant Swedish authorities.
Beurling’s achievement is surely one of the more remarkable ones in the history of cryptog-
raphy, in particular since he worked with ciphered messages only and had no á priori knowledge
of the system. This talk will try to give a hint of his cryptanalytic work and the Swedish code
breaking effort during the war, as well as touch on his personality and his career as a mathe-
matician.

Bio
Kjell-Ove Widman has been professor of applied mathematics at the University of Linköping,
director of The Mittag-Leffler Institute of the Royal Swedish Academy of Science, and guest
professor at universities in Germany, Italy, Poland and the US. He became interested in cryp-
tology while doing his national service, and has worked on and off in the field since then,
consulting for governmental and private organisations and companies. He has also translated
books in mathematics and related fields.

xix
 I NVITED TALK :
S PECIAL S ESSION ON A RNE B EURLING

Modern Codebreaking of T52

George Lasry
University of Kassel, Germany

Abstract
The Siemens and Halske T52 is a family of teleprinter encryption systems, used in WWII by
the Luftwaffe, the German Navy and Army, and German diplomatic services. Codenamed
“Sturgeon” by the Allied, it was designed to provide enhanced security, compared to the other
German teleprinter encryption system, the Lorenz SZ42 (“Tunny”). In one of the most im-
pressive feats of cryptographic genius, the first model, the T52a/b, was reconstructed by Arne
Beurling only from encrypted traffic. It was also reconstructed at Bletchley Park. Until the end
of 1942, Sweden was able to read current T52 traffic that passed through its teleprinter lines,
taking advantage of errors by German operators (e.g., messages sent in depth). At the beginning
of 1943, Germany increased their security measures, also introducing a new model, the T52d.
The T52d was a much more secure system, featuring an irregular movement of the wheels, and
a “Klartext” (autokey) function. Sweden could not read its traffic, and a Bletchley Park report
from 1944 considers the T52d problem to be “completely hopeless”.
The T52 problem (when no depth is available) is still daunting today, even with modern
computing. Since WWII, no new methods for the cryptanalysis of the T52 have been published.
The machine complexity, and its huge keyspace size, 1027 , prohibit any brute-force attack. In
this presentation, George will describe how he applied a novel statistical approach, to decipher
rare original telegrams from 1942, encrypted using the T52a/b, and found in FRA archives.
Also, he will present a first-ever practical attack on the T52d and its successor, the T52e, which
takes advantage of a subtle weakness in the design of their stepping mechanism.

Bio
George Lasry specializes in the codebreaking of historical ciphers using modern optimization
techniques. He has developed state-of-the-art attacks for a series of challenging cipher machines
and systems. In 2013, he deciphered a collection of 600 original ADFGVX ciphertexts from
1918, which provide new insights into key events in the Eastern Front of WWI. In 2017, he also
reconstructed German diplomatic and naval codebooks and deciphered hundreds of encoded
messages from 1910 to 1915. Also, George has solved several public challenges, including
the Double Transposition challenge, Chaocipher Exhibit 6, the M-209 Challenge and the 2015
Enigma Challenge. George Lasry regularly writes about his findings in Cryptologia. The sub-
ject of his Ph.D. thesis is the Cryptanalysis of Classical Ciphers with Search Metaheuristics.

xxi
Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

I NVITED TALKS
Updates on the World’s Greatest Unsolved Ciphers
Craig Bauer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Cryptology and the Fantasy of Reading
Katherine Ellison . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
A French Code from the Late 19th Century
David Naccache and Rémi Géraud . . . . . . . . . . . . . . . . . . . xv
The Israeli Enigma
Ephraim Lapid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

I NVITED TALKS : S PECIAL S ESSION ON A RNE B EURLING

Arne Beurling: Mathematician and Code Breaker
Kjell-Ove Widman . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Modern Codebreaking of T52
George Lasry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

H ISTORICAL C IPHERS /C ODES

Nicodemo Tranchedini’s Diplomatic Cipher: New Evidence
Ekaterina Domnina . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Unsealing the Secret: Rebuilding the Renaissance French Cryptographic
Sources (1530-1630)
Camille Desenclos . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

C RYPTANALYSIS OF C LASSICAL A LGORITHMS

Uruguayan Cryptographic Carpet
Juan José Cabezas, Joachim von zur Gathen and Jorge Tiscornia . . . 21

xxiii
Solving Classical Ciphers with CrypTool 2
Nils Kopal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Hidden Markov Models for Vigenère Cryptanalysis
Mark Stamp, Fabio Di Troia, Miles Stamp and Jasper Huang . . . . . 39

W ORLD WAR I
The Solving of a Fleissner Grille during an Exercise by the Royal Nether-
lands Army in 1913
Karl de Leeuw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Deciphering German Diplomatic and Naval Attaché Messages from 1914-
1915
George Lasry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Learning Cryptanalysis the Hard Way: A Study on German Culture of Cryp-
tology in World War I
Ingo Niebel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
New Findings in a WWI Notebook of Luigi Sacco
Paolo Bonavoglia . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

W ORLD WAR II
The First Classical Enigmas. Swedish Views on Enigma Development 1924-
1930
Anders Wik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
An Inventory of Early Inter-Allied Enigma Cooperation
Marek Grajek . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
The Poles and Enigma after 1940: le voile se lève-t-il?
Dermot Turing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
US Navy Cryptanalytic Bombe – A Theory of Operation and Computer Sim-
ulation
Magnus Ekhall and Fredrik Hallenberg . . . . . . . . . . . . . . . . . 103
What We Know About Cipher Device ”Schlüsselgerät SG-41” so Far
Carola Dahlke . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

P OSTER AND DEMO

An Automatic Cryptanalysis of Playfair Ciphers Using Compression
Noor R. Al-Kazaz, Sean A. Irvine and William J. Teahan . . . . . . . 115
ManuLab System Demonstration
Eugen Antal and Pavol Zajac . . . . . . . . . . . . . . . . . . . . . . 125
Willard’s System
Niels O. Faurholt . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

xxiv
The Application of Hierarchical Clustering to Homophonic Ciphers
Anna Lehofer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Teaching and Promoting Cryptology at Faculty of Science, University of
Hradec Králové
Michael Musı́lek and Štepán Hubálovský . . . . . . . . . . . . . . . 137
Examining The Dorabella Cipher with Three Lesser-Known Cryptanalysis
Methods
Klaus Schmeh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Design and Strength of a Feasible Electronic Ciphermachine from the 1970s
Jaap van Tuyll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

xxv
xxvi
 CONFERENCE PROGRAM

Sunday, June 17, 2018

Welcome Reception 18:00-21:00 at the Linnaeus Garden1, Sweden's oldest botanic garden.

Monday, June 18, 2018 MAIN CONFERENCE

09:00 – 09:30 Opening

Arno Wacker Chair of the Steering Committee

Beáta Megyesi Chair of the Program Committee
Eva Pettersson Chair of the Local Organizing Committee

09:30 – 10:15 Keynote

Chair: Beáta Megyesi

Craig Bauer
Updates on the World’s Greatest Unsolved Ciphers

10:15-11:00 Historical Ciphers/Codes

Chair: Gerhard Strasser

Ekaterina Domnina
Nicodemo Tranchedini's Diplomatic Cipher: New Evidence

Camille Desenclos.
Unsealing the Secret: Rebuilding the Renaissance French Cryptographic Sources (1530-1630)

11:00-11:30 Coffee Break

11:30-12:30 Cryptanalysis of Classical Algorithms

Chair: Anne-Simone Rous

Juan José Cabezas, Joachim von zur Gathen, and Jorge Tiscornia
Uruguayan Cryptographic Carpet

Nils Kopal
Solving Classical Ciphers with CrypTool 2

Mark Stamp, Fabio Di Troia, Miles Stamp and Jasper Huang

Hidden Markov Models for Vigenère Cryptanalysis

1
http://www.botan.uu.se/our-gardens/the-linnaeus-garden/visit-the-garden/
12:30-13:30 Lunch

13.30-14.15 Keynote
Chair: Bernhard Esslinger

David Naccache and Rémi Géraud

A French Code from the Late 19th Century

14:15-14:45 Coffee break

14:45-16.15 WW1
Chair: Marek Grajek

Karl de Leeuw
The Solving of a Fleissner Grille during an Exercise by the Royal Netherlands Army in 1913

George Lasry
Deciphering German Diplomatic and Naval Attaché Messages from 1914-1915

Ingo Niebel
Learning Cryptanalysis the Hard Way: A Study on German Culture of Cryptology in World
War I

Paolo Bonavoglia
New Findings in a WWI Notebook of Luigi Sacco

16:15-16:45 Coffee break

16:45-17.30 Keynote
Chair: Benedek Láng

Katherine Ellison
Cryptology and the Fantasy of Reading

18:30-00:00 Conference Dinner at Norrlands Nation2

2
http://www.norrlandsnation.se/
Tuesday, June 19, 2018 MAIN CONFERENCE

09:00-09:45 Keynote
Chair: Otokar Grošek

Ephraim Lapid
The Israeli Enigma

09:45-10:15 Coffee break

10:15-12:00 WW2
Chair: Karl de Leeuw

Anders Wik
The First Classical Enigmas. Swedish Views on Enigma Development 1924-1930

Marek Grajek
Inventory of Early Inter-Allied Enigma Cooperation

Dermot Turing
The Poles and Enigma after 1940: le voile se lève-t-il?

Magnus Ekhall and Fredrik Hallenberg

US Navy Cryptanalytic Bombe – A Theory of Operation and Computer Simulation

Carola Dahlke
What We Know about Cipher Device "Schlüsselgerät SG-41" so far

12:00-13:00 Lunch

13:00–15:00 Business meeting

15:00-15.30 Coffee break

15:30-16:30 Keynote: Special Theme on Arne Beurling

Chair: Anders H. Wik

Kjell-Ove Widman
Arne Beurling: Mathematician and Code Breaker

George Lasry
Modern codebreaking of T52
16:30-18:00 Poster and demo session with exhibition and coffee

Posters

Noor R. Al-Kazaz, Sean A. Irvine and William J. Teahan

An Automatic Cryptanalysis of Playfair Ciphers Using Compression

Niels O. Faurholt
Willard's System

Anna Lehofer
The Application of Hierarchical Clustering to Homophonic Ciphers

Michal Musílek and Štěpán Hubálovský

Teaching and Promoting Cryptology at Faculty of Science University of Hradec Králové

Klaus Schmeh
Examining the Dorabella Cipher with Three Lesser-Known Cryptanalysis Methods

Jaap van Tuyll

Design and Strength of a Feasible Electronic Ciphermachine from the 1970s

Demos

Eugen Antal and Pavol Zajac

ManuLab System Demonstration

Magnus Ekhall and Fredrik Hallenberg

US Navy Cryptanalytic Bombe - A Theory of Operation and Computer Simulation

Nils Kopal
Solving Classical Ciphers with CrypTool 2

Extra demo by the organizers: Beáta Megyesi, Nils Blomqvist and Eva Pettersson
The DECODE database

Exhibition by FRA3: Anders H. Wik and Åsa Ljungqvist

Enigma machines

18:00-18:15 Closing

19:00-00:00 Conference Dinner at Restaurant Borgen4

3
http://www.fra.se/snabblankar/english.10.html
4
https://www.borgenuppsala.se/
Wednesday, June 20, 2018 WORKSHOPS

09:00-12:00 (Automated) Cryptanalysis of Classical Ciphers with CrypTool 2

Workshop organizers: Nils Kopal, Armin Krauss, Bernhard Esslinger

Room: 22-1017

12:00-13:00 Lunch

13:00-17:00 Solving Codes rather than Ciphers. Is there a Software Challenge?

Workshop organizer: Karl de Leeuw

Room: 22-1017
H ISTORICAL C IPHERS /C ODES
2
 Nicodemo Tranchedini’s Diplomatic Cipher: New Evidence

Ekaterina Domnina
Department of Area Studies
Faculty of Foreign Languages and Area Studies
Moscow State Lomonosov University
ekaterina.domnina@ffl.msu.ru

Abstract Petersburg, Coll. 48, Box 585, no. 35, f. 1). Thus,
Likhachev added one more artefact to his large
This paper discusses a newly identified letter, assemblage of cuneiforms, papyri and paper
written by Francesco Sforza’s diplomatic documents, which was one of the largest private
agent Nicodemo Tranchedini da Pontremoli collections in Russia at the time (Figure 1).
(1413-1481). The aim of this paper is to
establish the date and purpose of this The sellers of this particular letter, the
document and to offer a partial reconstruction Charavet family from Paris or some other
of the code Tranchedini used for it. auction catalogue contributor, advertised it as a
rare find to cast an additional light on the late
1 Introduction medieval diplomatic practice. Since the
document bore only the day and month (23
In 1902 Nikolay Petrovich Likhachev (1862–
February), but not the year, they dated it to the
1936), a Russian historian and antiquary, bought
reign of the French king Louis XI (1423–1483).
an encrypted fragment (a postscript) of a
They alleged that it reported on the diplomatic
diplomatic letter. Judging by the signature, a
congress in Mantua, which was organised in
certain Nicodemus wrote it from Florence on 23
1460 by the pope Pius II to promote the idea of a
February of an unknown year (The Scientific and
new crusade (Figure 2).
Historical Archive of the Russian Institute of
History, Russian Academy of Sciences, Saint

Figure 1. The Scientific and Historical Archive of the Russian Institute of History, Russian Academy
of Sciences, Saint Petersburg, Coll. 48, Box 585, no. 35, f. 1r (with permission)

Proceedings of the 1st Conference on Historical Cryptology, pages 3– 7,

Uppsala, Sweden, 18-20 June, 2018
 Likhachev’s attribution of this letter to
Tranchedini was correct or not. Now this can be
done by studing Tranchedini’s holographs from
the Italian archives.

Figure 2. The Scientific and Historical Archive

of the Russian Institute of History, Russian
Academy of Sciences, Saint Petersburg, Coll. 48,
Box 585, no. 35, f. 1v, detail (with permission)

Such an intriguing description definitely

worked well to sparkle collectors’ interest in this
document, but at the same time did not cite any
credible source for such an attribution. Indeed
the early twentieth century witnessed a rise of
interest towards medieval and Renaissance
cryptology. It was at that period that Aloys Figure 3. The Scientific and Historical Archive
Meister published his research on Italian ciphers of the Russian Institute of History, Russian
(Meister, 1902). In this sense Likhachev was in a Academy of Sciences, Saint Petersburg, Coll. 48,
good company when he purchased this encoded Box 585, no. 35, wrapper (with permission)
document from the Charavet antiquaries. At the
same time, he evidently never seriously Nicodemo Tranchedini da Pontremoli (1413-
attempted to decode this letter. 1481) was one of the most faithful and long-
standing diplomatic agents of Francesco Sforza
Today the study of this encoded letter could (1401-1466), both before the latter rose into
add to the discussion on how Italian Renaissance power and afterwards. He received a humanistic
cryptology evolved and, most importantly, education, taking keen interest in collecting and
whether there was any difference between the studying Latin and Greek manuscripts. A
codes devised by scholars and those employed in Florentine by birth, Tranchedini worked for
the daily diplomatic practice (Buonafalce, Sforza in his home city-state, enjoying
2008:64). When trying to find answers to these continuous favour of the Medici family. As
questions one should definitely take a closer look Sforza’s representative, he also resided in Rome
at this encoded letter from the Likhachev and Genoa, among other places (Sverzellati,
collection and establish its author, contents, 1998). Famous for his impact on the formation of
receiver and purpose. the diplomatic letter per se, Tranchedini left
behind a large amount of correspondence,
2 The author of the letter currently preserved primarily in the State
On a wrapper of this document Likhachev left a Archives of Milan (Archivio di Stato di Milano,
note, suggesting that it was written by Nicodemo Carteggio Visconteo Sforzesco, passim).
Tranchedini da Pontremoli (Figure 3). However,
Comparing Tranchedini’s alleged signature
during later cataloguing of the Likhachev’s
from the document in question to his signatures
collection this attribution was not taken into
on his letters in the Milanese State Archives I
consideration. Throughout the Soviet era, when
was able to conclude that it was indeed his own,
the majority of Russian scholars working with
but not from the 1460s or even later, contrary to
this collection had no access to the foreign
the Charavet attribution. Further study of
archives, it was impossible to check whether
Tranchedini’s correspondence showed that in the

4
1450s he primarily resided at the papal court, and However, the search through Nicodemo’s
thus the letter should be attributed to the 1440s, letters from 1450s bore some fruit. Not only did I
when he visited Florence as Sforza’s agent. find a document with a cipher identical to the
letter in question but also a partical deciphering
3 Tranchedini’s diplomatic cipher of the code (Archivio di Stato di Milano,
Carteggio Visconteo Sforzesco, 41, no. 106, fol.
In order to prove this hypothesis one should look
1, 11 March 1454, Rome). Judging by the
at the code itself and search for its key. The most
handwriting, it is evident that Cicco Simonetta
obvious starting point would be the cipher
deciphered this passage himself. Then his
collection of his son Francesco Tranchedini
addition was glued with wax over the ciphered
(c.1441–c.1496), preserved in several copies.
text. (Figure 4). Taking this fragment as a
Mentored by Cicco Simonetta (1410-1480), the
starting point and using simple substitution
ducal secretary, Francesco served the Sforza
analysis, I was able to reconstruct the code
family alongside his father. He listed
(Figure 5).
Nicodemo’s cipher on fol. 3r of his treaty
(Cerioni. 1970, II; Hoeflechner, 1970). As L. This nomenclator consisted of 81 signs: 36 for
Cerioni established (1970, I:6-7), it was letters, 4 for double letters, 1 for nulls, 30 for
employed from about 1471 until 1478. This syllables, 11 for words. It is incomplete since no
particular nomenclator consisted of 253 signs, 55 other extant examples of this code seem to have
– for letters, 12 – for double letters, 8 – for nulls, survived in Tranchedini’s correspondence from
65 – for syllables, 113 – for words. the 1450s in the State Archives of Milan. It is
also important to underline that certain signs
When compared to the code of the letter in
from the 1453 letter had a different meaning
question, it did not match. This means that the
compared to that in the postscript. This means
encoded postscript belonged to the earlier date.
that the code was evolving over the time.
After that I could only hope for some good luck,
However, since no other pieces of this code are
combined with thoroughly check through
available now, it is not possible to establish how
Nicodemo’s letters from the 1440-1450s. The
often Simonetta changed Tranchedini’s
search through Tranchedini’s correspondence
nomenclator.
from the 1440s returned neither similar encoded
letters of his, nor the original letter to which this
postscript belonged.

Figure 4. Archivio di Stato di Milano, Carteggio Visconteo Sforzesco, 41, no. 106, fol. 1v, 11 March
1454, Rome, a fragment (permission no. 4218/28.13.11/13, 24/2017 issued on 18.07.2017)

5
Figure 5. A reconstructed nomenclator for Tranchedini’s cipher from the Likhachev’s collection

4 Contents and dating of the document these events. At least, there is firm evidence that
in January of this year he negotiated with the
When analysing the reconstructed contents of Florentines to win their support for Sforza and
this postscript one could easily conclude that the succeeded in this endeavour, providing him with
key figure to understand and interpret it is 20.000 florins on their behalf (Zaccaria, 2015:33-
condottiere Francesco Piccinino (or Pitticino) 34, 371).
(c.1407– 16 October 1449) (See Appendix 1).
5 Conclusions
When on 13 August 1447 Filippo Maria
Visconti, the Duke of Milan, died and the Firstly, the letter should be dated 23 February
Ambrogian republic was proclaimed, it 1449 and was almost certainly intended for
continued its rivalry with Venice for the control Simonetta, who stood behind Tranchedini’s
of the river Po valley. Condottieri Jacopo and mission to Florence in January 1449. Secondly, it
Francesco Piccinini, as well as others, used these is not yet clear where the main part of this letter
adversities to enrich themselves by constantly is, if indeed it is preserved. Thirdly, the
switching sides in return for lucrative payments document adds new data to the discussion about
from Milan and Venice. Francesco Sforza also how Sforza prepared to conquer Milan, which he
participated in this worrisome diplomacy, did in early 1450. Finally, Tranchedini’s cipher
awaiting an opportunity to seize power from the in this postscript differs from the sophisticated
republicans in Milan. On 18 October 1448 he ciphers presented by his son in his cryptologic
and Venice concluded an alliance at Rivoltella, collection, which could indicate that there might
which upset Francesco Piccinino’s plan to get have been a significant difference between
employment from Venice. Instead, in late cryptologic theory and its practical
autumn 1448 Piccinino allied himself with implementation in Renaissance Italy. The study
Sforza to make him pay for his troops’ winter of these differences could help to establish the
expenses, but then, in the following spring he way the cryptographic methodology evolved not
defected to Milan (Ferrente, 2005:28). only in Italian states, but also in other European
countries, which followed their example.
It is most probable that this postscript
belonged to the letter that Tranchedini wrote to
Simonetta in February of 1449 as he witnessed

6
Acknowledgments Appendix 1. [Nicodemo Tranchedini a
Cicco Simonetta]
I would like to thank the wonderful staff of the
Scientific and Historical Archive of the Russian Post datuz come de missere Bossi?1 in questa
Institute of History, Russian Academy of hora partendossi questo messo me, ha chiamato
Sciences, Saint Petersburg and Archivio di Stato in piaza et dictomi, che fo pronte a la sua partita
di Milano for helping me with my research and da Venezia, quando forono gelusi li capitoli fra
for granting me permission to reproduce images veneziani et Frncesco Pitticino et che ebe
from their collections. I am also grateful to the Francesco deve havere quatro milla etc et non
anonymous reviewers of the HistoCrypt 2018 scrivere?, ne fare mostrare novanta dua millia
team for their comments on this paper and to Dr d’oro o de provisone et de essere socio, che
Justine Roehmel for her continuous support of aquista de qua delta, excepta Piacenza, et deve
my research work. essere con? quello ha et che aquista pe[r] di da
Malatesta? adherente de venetiani. Et più me
References dice, che may hanno altro in boca conte?
venetiani lo o non invetatessero[sic] fare
Archivio di Stato di Milano, Carteggio Visconteo
Sforzesco, 41, no. 106. avenenare o morire di qualche altro modi che
non gli toglie per? altro che Sforza, ill. conte, ala
The Scientific and Historical Archive of the Russian qual semper me racommando. Florentiae, 23 febr.
Institute of History, Russian Academy of Sciences, in mane ides? Nicodemus
Saint Petersburg, Coll. 48, Box 585, no. 35.
Augusto Buonafalce 2008. Cicco Simonetta’s cipher- The Scientific and Historical Archive of the Russian
Breaking rules. Cryptologia, 32(1):62-70. Institute of History, Russian Academy of Sciences,
Saint Petersburg, Coll. 48, Box 585, no. 35. f. 1r
Lydia Cerioni. 1970. La Diplomazia sforzesca nella
seconda metà del Quattrocento e i suoi cifrari Translation
segreti. Vol. I-II. Il centro di ricerca, Roma.
[Nicodemo Tranchedini to Cicco Simonetta]
Serena Ferente. 2005. La sfortuna di Jacopo
Piccinino. Storia dei bracceschi in Italia (1423- P.S. From mister Bossi?, leaving at this hour,
1465). Olschki, Firenze. he sent for me, called me in the square and told
Walter Hoeflechner. 1970. Hg. Diplomatische me he was ready to leave Venice when the
Geheimschriften. Codex Vindobonensis 2398 der agreement between the Venetians and Francesco
Oesterreichischen Nationalbibliothek. Akad. Pitticino was stalled and that Francesco had and
Druck- u. Verl.-Anst., Graz. should have four thousand etс. In addition,
Aloys Meister. 1902. Die Anfaenge der modern neither he should sign? [an agreement], nor
diplomatischen Geheimschrift: Beitraege zur demonstrate ninety two thousand in gold or
Geschichte der italienischen Kryptographie des XV. under condition to be an ally, that he obtained at
Jahrhunderts. F. Schöning, Paderborn this delta [of Po], save for Piacenza, and he
Paola Sverzellati. 1998. Per la biografia di Nicodemo should keep those [lands] he already has, which
Tranchedini da Pontremoli, ambasciatore sforzesco. he has just conquered from Malatesta?, the
Aevum, 72(2):485-557. Venetians’ ally. In addition, he told me that
never did the Venetians plot to poison or kill the
Raffaella Maria Zaccaria. 2015. Ed. Il carteggio della
Signoria fiorentina all’epoca del cancellierato di count? by any other means and that they would
Carlo Marsuppini (1444-1453). Inventario e not change Sforza, the illustrious count, for
regesti. Pubblicazioni degli archivi di Stato di anyone else, to whom I always commend myself.
Firenze. Strumenti CXCIX. Edifir-Edizioni, Firenze. Florence, 23 Febr. In the hand of Nicodemus

1
Question mark indicates the signs, the
meaning of which is not 100 per cent certain.

7
 Unsealing the Secret: Rebuilding the Renaissance French
Cryptographic Sources (1530-1630)

Camille Desenclos
CRÉSAT (EA-3436)
Université de Haute-Alsace
camille.desenclos@uha.fr

Abstract 17th century – has entailed the development of

new strategies and tools for the protection of
Neither political nor diplomatic historians can information. The more the circulation of
avoid working with enciphered sources. diplomatic correspondences increased, the more
However, we mostly study their content and ciphers became essential. During the 16th century,
not their writing processes. In the wake of a enciphered letters thus progressed from an
new history of political information, ciphers extraordinary use to common practice by the
and, more broadly, cryptographic usages, French diplomacy. In addition to this increased
practices and cultures should be embraced by usage in diplomatic correspondence, the political
historians. By considering cryptographic
and religious disorders within the French
sources as significant witnesses of a culture
of political information, we can no longer Kingdom during the second half of the
look at them as information repositories or 16th century led high-ranking but rebellious
instances for cryptanalysis but as complex noblemen to make use of ciphers, too, in order to
scientific and political objects. cover up their intentions and plots to their King
In that respect, Renaissance French ciphers and his spies.
form perfect study objects. They are not yet Although ciphers cannot be distinguished from
as complex and technical as in the mid- epistolary writing nor from the political or
seventeenth or eighteenth century and show a diplomatic writing usages, they have been
representative variety of goals (political or neglected by French historians for a long time.
diplomatic), systems (jargon, simple
The importance of ciphers for the protection of
substitution, homophonic substitution, …)
and usages. As any other early modern information was recognized, but their
source, however, cryptographic sources are functioning as well as their writing processes are
dispersed, incomplete and, sometimes, hardly still ignored, as ciphers were studied only in an
understandable at first sight. By studying intellectual and not material perspective. By
many ciphering tables, by observing studying them only for their content rather than
encryption and decipherment practices within considering them as significant objects, ciphers
a corres pondence, by matching the could not be entirely understood and were
enciphered letters and the related ciphering narrowed to their ability to protect information
table, by comparing cryptographic systems, and secrets (Tallon, 2010). Thus studies
we hope to rebuild, at least partly, the dedicated at most a few pages, nay a couple of
Renaissance French cryptographic practices.
lines, to ciphers and cryptographic usages and
1 Introduction practices, mostly in addition to a presentation of
the various ways of transmission: postal routes,
Anyone who works on Renaissance political or special couriers … (Martin, 2010). Ciphers were
diplomatic correspondences has faced, at least not only exclusively associated with the
once, ciphers or enciphered letters. The Kingdom protection of information but with diplomacy
of France, as any other European state, has also, at the expense of a wider analysis of the
provided favorable conditions to the rise of a cryptographic practices and usages within the
wide, diverse and frequent cryptographic French administration and high nobility,
practice. The implementation of permanent especially during political, social and/or religious
diplomatic representations all over disorders. However, French history, with its wars
Europe – there were twelve French permanent of religion, provides significant examples to be
diplomatic agents at the beginning of the analyzed by historians.

Proceedings of the 1st Conference on Historical Cryptology, pages 9– 17,

Uppsala, Sweden, 18-20 June, 2018
 While historians have not yet seized on the Renaissance cryptography as a significant
subject, historical cryptography and even more practice in French political writing.
historical cryptanalysis (Nachef et al., 2016)
arouse more interest. The history of cryptography 2 French Cryptographic Treatises
has been clearly studied more than once.
A study of Renaissance French cryptographic
However, those noteworthy but international
uses and practices faces some difficulties in
studies embrace its whole history. Yet the main
regard to the absence and/or dispersion of
focus relies on the modern era (Kahn, 1996)
sources. Many enciphered letters, even some
and/or on cryptographic theoretical treatises.
ciphering tables, have been preserved, but
Although this global perspective allows for the
without their related documentation. Ciphering
better understanding of each step of the
tables1 did not document the way they were used,
cryptographic evolution, French cryptographic
and neither did diplomatic instructions describe
practices during the 16th century until Rossignol's
the way ciphers had to be employed. The basic
works are, at best, briefly mentioned in these
principles appear to be obvious. In most cases,
global analyses. These studies do not present the
ciphers rely on homophonic substitutions. But
cryptographic patterns in detail and thus cannot
when a plain-text letter could be represented by
meet the needs of historians. If some studies
two or three cipher-text characters, how was the
have indeed been devoted to Renaissance
cipher-text character chosen? Their concrete
practical cryptography (Devos, 1950; Monts-de-
functioning stays unclear as it was probably
Savasse, 1997), they only describe the ciphers
explained orally before the correspondence or the
and cipher-text characters and/or focus on very
embassy started. Moreover, we cannot find any
specific case studies. They certainly promote a
recommendation about the nature of information
better knowledge of general processes and
which had to be enciphered, the required
c r y p t o g r a p h i c s e m ant i cs . Thi s r em ai ns
proportion of cipher-text within letters, and so
nevertheless technical and narrowly focused
on. Cryptographic practice relied certainly on a
knowledge, far from the expectations and needs
subjective interpretation by each user, but many
of historians. The impact of encrypting letters on
aspects were common to Renaissance political
the writing and circulation of information does
and diplomatic society.
not seem to have been noticeable in diplomatic
Moreover, no secondary sources have
or political history. Nevertheless, some historians
apparently been preserved in the French archives
(Ribera, 2007; Hugon, 2004) proceed from
or libraries. The diplomatic treatises, which have
diplomatic history to an early modern history of
become the main sources about the process of
political information. They analyze indeed
political writing, never describe the
ciphers in relation to their concrete uses as ways
cryptographic uses and practices nor the
to write and protect political information. By
influence of encryption on diplomatic writing. As
considering both their technical and political
a technical process, which belonged to the daily
dimensions, ciphers can become a new object of
diplomatic routine, encryption was apparently
study within a new field cutting across
not considered as part of the art of diplomacy.
boundaries: the history of information. The
Some general recommendations were expressed
presence of cipher-text and plain-text in one and
in later works only (Callières, 1716). Callière's
a same letter reveals the essential balance
treatise dedicated almost two pages to
between public and private spheres, public
cryptography, even if the main concern remained
decisions and secret actions. Beyond secrecy,
the diverse and general ways to protect
elaborating stronger ciphers as well as encrypting
information. Neither the purpose of encryption
a portion of text resulted from the same decision:
nor the functioning of ciphers were mentioned.
protecting what could be valuable information.
Only the strategies to protect information were
But what caused the French cryptographic
introduced. François de Callières did not mention
practices to evolve? The increasing circulation of
the encryption process and its technical
information? The structuring of diplomatic and
implementation. In addition to the technical
intelligence systems? Was secrecy more needed?
aspects of cryptographic practices that were not
Or did the political writing process itself evolve?
The aim of this paper will thus be to demonstrate 1
A few ciphering tables present a quick documentation,
the methodological and historical benefits of
mostly about the use of specific cipher-text characters.
matching the history of cryptography with the
However, they are more the exception to the rule than actual
history of information and to reposition documentation.

10
part of the art of diplomacy, this information cryptographic writing, which needed to be fast
needed to remain secret. Otherwise it would help and simple, after all. Through its many
other countries to break the French ciphers. That examples4 Brulart de Léon's treatise describes
can easily – though only partly – explain the cryptographic mechanisms, recommended
silence of these theoretical works. cipher-text characters, and so on. Following
Cryptographic treatises could therefore be Cicco Simonetta's work, this treatise went
useful sources both to learn how Renaissance further. It presents practical encryption processes
people understood the encryption process and which should enhance the protection of
how and why they used it. The first such work, information such as not leaving any space within
written in French, was nevertheless published the cipher-text; frequently using cipher-text
only at the very end of the 16 th century characters without any value (so-called nulls) so
(Vigenère, 1586). Blaise de Vigenère – like that rarely used characters would not lead to their
François Viète a few years after him – was in the value or nature; disguising the frequency of
service of the French King for several years. cipher-text characters, and so on. Brulart de Léon
Their proximity to centers of power suggests an thus proposed concrete rules for encryption. By
influence or even a participation in the following these recommendations, the writer
conception of ciphering tables. However, these could hide the origin of his letter and prevent any
treatises seem to have remained strictly interception. Brulart de Léon, as Cicco Simonetta
theoretical, even though some rare before him, probably dedicated his work to the
implementations could be observed, at least in state office. As a former diplomat, Brulart de
the 17th century (De Leeuw 2015). They Léon5 claimed to take advantage of his own
conceived complex cryptographic systems, but diplomatic experience and to propose various
they cannot be considered as practical encryption solutions to the main issues of the daily
manuals. Vigenère's work did indeed describe encryption practice that he himself has been
theoretical cryptographic mechanisms and tried faced. But even if Brulart de Léon' s
to conceive of a perfect, unbreakable, and thus recommendations paid better heed to the
almost ideal cipher2. Although Vigenère's work concrete diplomatic needs, they remained
was clearly not intended for regular users but complex, constraining and hardly compatible
only for other scholars or scientists, noblemen with the speed requested by diplomatic writing.
and diplomats could not use Vigenère's Whatever its initial or real goal, Brulart de
proposals, anyway, because of their lacks of Léon's work has stayed off the record. Only the
mathematical skills and their restricted writing original handwritten version has been preserved,
time. Yet if these works strictly remained and no written or printed copy has apparently
theoretical and had no influence on the been produced. Furthermore, its form looks more
cryptographic practice, Vigenère or Viète knew like a personal memorandum: there is no
real-life cryptography though not as authors of introduction and no inscription; the work has
cryptographic treatises but rather by working been preserved in the same manuscript along
directly with the regular creators of ciphers while with other personal notes and memorandums. If
decrypting enciphered letters for the Duke of Brulart de Léon's work was used by the state
Nevers (Vigenère) or for the French King office, it would have been preserved with the
(Viète). state office archives. Anyway, just like any other
Several technical diplomatic treatises, theoretical cryptographic treatise, Brulart de
however, such as Traicté des chiffres by Charles Léon's manuscript highlights only one aspect of
Brulart de Léon (circa 1630)3 intended to provide cryptographic practice. It describes the technical
practical solutions to the issues of daily aspects (how to choose cipher-text characters
2
Blaise de Vigenère explained it quite clearly in his 3
French National Library, fr. 17538, fol. 48sq.
dedicace to Antoine Séguier: “Ce traicté donques sera de
semblables usages de chiffres, diversifiez en plusieurs 4
Brulart de Léon's treatise, however, does not only present
manieres; tant pour incidemment parcourir ce qui se standard methods but also rare systems like a ciphering
presentera à propos de ces beaux et cachez mysteres, wheel.
adombrez sous l'escorce de l'escriture; que pour à l'imitation
5
de cela en trasser beaucoup de rares et à peu de gens Brulart de Léon has been ambassador to the Republic of
divulguez artifices […] et la plus grand' part provenans de Venice from 1611 to 1620, then extraordinary ambassador
nostre forge et meditation; non encore que nous scachions to the city of Avignon (1625) and to Switzerland (1628-
touchez jusques icy d'aucun” (Vigenère, 1586, page 4). 1630).

11
while conceiving ciphering tables, how to write tricky. They are rarely preserved within the same
cipher-text while drafting a letter) and tried to manuscript (or box) along with the related
improve them in order to increase the protection enciphered letters. For example, the cipher of
of information. But it never questions general Jean Hotman, the French resident to the Holy
aspects: what kind of information has to be Roman Empire between 1609 and 1614, can be
enciphered? Why? According to which found in the French National Library within the
principles? How were the ciphering tables used manuscript fr. 4030. On the other hand, his
and how were encryption and decipherment enciphered correspondence with the French King
operated? is now kept in manuscripts fr. 15924 to fr. 15930.
M o r e o v e r, t h e m a n i f o l d R e n a i s s a n c e
3 What About Primary Sources? denominations for the ciphering tables
(“jargon”7, “cipher”8, “key”9...) and the absence
Unlike their contemporary documentation about
of any name and/or date on the verso or on the
the cryptographic uses and practices, a
top of the ciphering tables seem to prevent
substantial amount of Renaissance French
historians from identifying the origins and usages
enciphered letters has been preserved. By
of these tables. Even more, the Renaissance
chance, most of them have survived with their
designations often mix tables and enciphered
deciphered text (in margins, between the lines or
letters. Both can be designated as ciphers
on a separate sheet). However, even if letters,
(“chiffres”)10. Thus identifying the right typology
like no other sources, transcribe perfectly the
of the cryptographic sources and matching
Renaissance cryptographic culture and practices,
enciphered letters to their related ciphering tables
enciphered letters present to historians a major
are real issues for historians.
issue. Not all letters contain a decipherment or, at
We have counted the cryptographic sources
least, their separate deciphered text has been lost.
which were already described and identified at
That can prevent the reading and understanding
the French National Library. In 2014, the catalog
of the content of such sources.
mentioned only 60 ciphering tables, a great deal
Upon receipt the state office systematically
less than their actual holdings. In fact, only one
wrote the decipherment on the letter so that the
fifth of the manuscripts are fully described in the
state secretary could more easily read the whole
catalog. In addition to cursory descriptions of the
piece. But if the recipient deciphered the letter
other manuscripts, some mistakes and omissions
himself, there was no need to rewrite the
(some bibliographic records were written in the
deciphered text on the original letter. The
19th century) have distorted these results, which
separate sheet on which the recipient processed
do not represent the diversity of political and
the decipherment could easily be lost, deleted or
diplomatic sources. Most of the diplomatic
even integrated into another set of documents.
correspondences, for example, are only described
The original enciphered letter thus becomes
i n a f e w w o r d s 11. A s us ual , pr i m ar y
unreadable for historians without the ciphering
table or cryptanalytic skills. Many letters still 7
French National Library, Cinq-Cent Colbert 474, fol. 1:
have kept their secrets6.
“Jargon au deschifre” [Deciphering jargon].
For several letters, however, their related
ciphering tables still exist. Although they should 8
French National Library, fr. 4053, fol. 57: “Chiffre de
be deleted at the end of each embassy or long- monseigneur le marechal” [Cipher of M. the marshal].
term correspondence, they have often been
9
preserved, sometimes by the state office itself, French National Library, fr. 3629, fol. 42: “Clef pour
and are now one of the most reliable sources of deschiffrer les lettres de Madame de Raiz” [Deciphering key
cryptographic uses and mechanisms. More than for the letters of Ms. de Raiz].
enciphered letters, ciphering tables make the 10
French National Library, fr. 3634, fol. 5: “Chiffre reçu le
understanding of the cryptographic systems and
dernier octobre à Meun par le duc de Nevers” [Cipher
their contextual or structural adaptations easier.
which was received the last day of October in Meun by the
However, the ciphering tables have faced duke of Nevers]. This cipher is thus a fully enciphered letter
different fates and their identification can be written to the Duke of Nevers.

6 11
No letter from Henri IV to François Savary de Brèves, The manuscript fr. 16113, for example, is labelled
French ambassador to the Ottoman Empire, can be read, as “Dépêches originales adressées à la Cour par divers
the decipherment has not been written directly on the ambassadeurs et agents français en Espagne” [Original
enciphered letters (French National Library, fr. 3541). letters from several French ambassadors and agents in Spain

12
cryptographic sources are widely dispersed, correspondences or reports) is systematically
poorly described or identified, or even checked. So far, 179 ciphering tables and more
completely missing. than 2 100 enciphered letters (including circa
Because of the need to access and analyze 200 non-deciphered letters) have been found and
cryptographic primary sources materially and described. At this stage, we presume that 50 non-
intellectually, a long-term research project is deciphered letters, and probably more in the
currently conducted in collaboration with the future, could be deciphered. Wherever possible,
French National Library in order to re-establish a this identification work leads to the correction of
direct contact with Renaissance French some incomplete bibliographic records. In
cryptographic sources. The French National addition we mention the presence of cipher-text
Library counts as the main repository for and/or decipherment, add dates and names if they
political and diplomatic sources (until the mid- can be restored, and so on. Nevertheless, only the
1620's). According to the Renaissance archival bibliographic records which already present a
practices, almost all diplomatic correspondences full description will be corrected. The aim of this
and reports before 1626 have made their way to project is not to completely describe the political
the French National Library, along with several and diplomatic collections at the French National
political correspondences from the second half of Library but to re-connect the cryptographic
the 16th century. Both kinds of sources are now sources to each other.
preserved in the collections of “manuscrits Thanks to this identification work, we should
français” [French manuscripts] and “nouvelles be able to cross-check ciphering tables and
acquisitions françaises” [French new enciphered letters and link the letters to their
acquisitions]. The “collection d'érudits” related tables. Each enciphered letter whose
[scholars' collection] presents exceptional ciphering table has not yet been found, will be
documents, too12. In fact, a major part of the compared to the anonymous ciphering tables.
French cryptographic sources (before the 1630's) The cross-checking (through cryptographic
is kept at the French National Library and forms systems and no more by names) will not be
a vast and representative corpus of Renaissance successful for each enciphered letter. More
cryptographic uses and practices, even if further enciphered letters from different writers than
research in the French National Archives and in ciphering tables have been preserved.
the French Diplomatic Archives will be Nevertheless, some ciphering tables, if still
mandatory. By studying the remaining ciphering missing, could be reconstructed thanks to the
tables, by observing actual encryption practices, decipherment in the letters. By comparing the
by analyzing additions on the verso or top of cipher-text and the deciphered text, the
ciphering tables, by comparing cryptographic cryptographic patterns could be understood and
systems, we hope to rebuild, at least partly, the restored to a great extent.
Renaissance French cryptographic practices, uses
and cultures. In that perspective, comparisons 4 First Results
with other European cryptographic practices
Our first results, though still incomplete, have
through case studies or similar projects such as
confirmed the real necessity to embrace
the one conducted by Benedek Lang (2018) on
cryptographic sources as material objects and to
Hungarian Early Modern cryptographic
look at them in a broader perspective. They are
practices, could lead to a useful, if not essential,
not only the implementation of cryptographic
distinction between European, “national” and
patterns, which could interest the history of
contextual cryptographic patterns.
sciences or technology, but a true testimony of a
As a first step in this ongoing project, we are
culture of political information. Facing only the
locating, identifying and dating every preserved
technical mechanisms is not enough. Of course,
ciphering table and enciphered letter. Every
both the history of technology and the history of
manuscript whose description suggests
sciences are essential to the understanding of the
cryptographic documents (mention of original
technical mechanisms and their evolutions. The
to the French Court]. However, it contains a ciphering table cryptographic sources, however, deserve to be
of André de Cochefilet, baron of Vaucelas, ambassador to s ubjected to different approaches and
Spain from 1609 to 1615. methodologies in order to merely surpass
political history or the history of technology.
12
The manuscript Clairambault 360 for example preserves More than any other political source,
the ciphering table of Henri IV and Maurice of Hesse.

13
cryptographic ones do indeed involve political, both were indeed designated as “chiffre” only. In
diplomatic, scientific, social and cultural history. the future, however, we must find out if both
Identifying cryptographic sources at the ciphering and deciphering tables were conceived
French National Library has required prior and written systematically, as they will be
research. In order to prevent hypotheses based on beginning with Rossignol, or if the existence of
better known, but modern, practices and uses, we one or the other relied on specific uses or users.
first needed to reassess the Renaissance patterns: Beyond the denominations, defining
which words referred to ciphers and similarities between the cryptographic processes
cryptographic practices? Did these is essential for the upcoming cross-checks. If the
denominations possess any specific value? French cryptographic systems were mostly based
Specific words can already be highlighted: on substitution, they became more complex and
“jargon”, “chiffre” [cipher], “clef” [key], rational during the 16th century. At the beginning
“deschiffre” [deciphered text], “table”. The word of the 16th century, ciphers only presented few
“jargon” especially referred systematically to the cipher-text characters (simple substitution and
same object and practice: a ciphering table using limited nomenclator). In the second half of the
a substitution system, by words and not by 16th century, though, especially from the 1580's,
characters (for example: the word rose for the homophonic substitution was introduced (two to
French King). Such tables were never called five cipher-text characters for one single plain-
anything else but “jargon”. On the contrary, the text letter), nomenclators were extended (around
word “chiffre” had many uses. If the main use, one hundred words on an average) and new
according to our modern practice, concerned cipher-text characters appeared: characters
ciphering tables, fully enciphered reports or without any value, canceling characters,
anonymous letters were sometimes designated repeating characters 14. These improvements,
(on the verso) as “chiffres”, too. The origin of however, did not go as far as the theoretical
this confusion could be related to the use, by recommendations of cryptographers were
diplomats mostly, of the expression “en chiffre” concerned. A large majority of ciphers, even in
[with cipher]. Moreover, if “deschiffre” is an the 1620's, still relied on homophonic
early modern word for both decipherment and substitution, much simpler for diplomats and
deciphered text, the cipher-text was hardly ever noblemen.
designated by “chiffre” but by “en chiffre” [with The fast technical evolution of French
cipher/enciphered]. The denominations of cryptographic practices makes the identification
cryptographic tools and productions were not yet of ciphering tables easier and confers to our
standardized: marginal mentions rarely described study an extra historical perspective. For each
the typology of documents in detail but provided ciphering table, its main features are highlighted
names or dates13. These mentions aimed to make and analyzed: enciphering pattern (simple
the identification of the document easier and substitution, homophonic substitution, jargon,
quicker for the state office, the diplomats or more nomenclators), type of cipher-text characters
generally its recipient. Ciphering tables were (Latin and/or Greek alphabet and/or numbers
often sent as attachment or handed over in and/or symbols). Most of the time, a careful
person; there was then no need for any additional analysis can lead to a precise dating (to within
mentions. At last, the expression “ciphering one or two decades at most). In addition to this
table” comes from modern usages. Renaissance first analysis, we get a closer look at the cipher-
cryptography was not yet practiced as an applied text characters as they give us the best clues for
science. It still relied on a spontaneous approach the cross-checking stage. In the same way that
as shown by the alphabetical and thematic encryption patterns have been improved, the
organization within ciphering tables. Everyone form of the cipher-text characters has become
had to be able to use such tables, even without more and more rational and easy to generate so
any cryptographic or algorithmic knowledge. that they can be written and read faster. From
Thus the distinction between ciphering tables and symbols or highly-modified Latin characters15,
deciphering tables was probably spontaneous;
14
See for example, French National Library, fr. 3668,
13
French National Library, fr. 3462, n.f.: “Chiffre reformé fol. 72: Cipher of the count of Tillières and the French King,
pour Levant duquel a esté envoyé un double à Monsieur de 1625.
Breves ambassadeur en avril 1604” [Modified cipher for the
15
Levant whose duplicate has been sent to M. de Breves, See, for example, French National Library, fr. 3329, fol. 2:
ambassador in April 1604]. Cipher of Jacques d'Humières and François de Balzac.

14
cipher-text characters were increasingly (few lines, one page or the whole letter) will help
transformed into numbers. Symbolic characters, to better understand the needs for writing secret
which are easy to spot, are thus a specific feature information.
of the first half of the 16th century, even if, until Diplomacy was obviously the main, and by
the 1580's, some examples, mostly in political the way first, user of ciphers. The oldest
ciphers, can still be found. From the 1560's on, enciphered letter which so far we have found in
however, symbols gradually disappeared and the French National Library, dates from 1526 and
were replaced by numbers or Latin or Greek comes from a French diplomatic agent in
characters. Therefore the presence of symbols Rome16. A vast majority of enciphered letters
within a cipher is a significant clue about the from the first half of the 16th century and beyond
date or, for ciphers after 1590, a real specific that from the first decades of the 17th century
feature. Nomenclators finally help dating the comes from the diplomatic practice. However, if
ciphering tables. The names within the ciphers were an essential tool for diplomacy, they
nomenclators represented indeed the main were not used systematically and on a daily
noblemen, ministers, clergymen or diplomats basis. Not every diplomatic agent was provided
from a specific time. For example, the with a ciphering table. Only the high-ranking
anonymous ciphering table in the manuscript diplomats possessed one or several such
fr. 3329 can be dated from 1574-1577 as the instruments. In fact, ciphering tables replicated
nomenclator includes the marshal of Montluc. the diplomatic hierarchy. On the contrary, the
Blaise de Montluc had been appointed marshal in political use of ciphers was not based on
1574 and died in 1577. Such a precise dating is hierarchy but only on needs, as it was not linked
of course not always possible, especially for the to professional or temporary tenure. Although
oldest ciphers which did not use large ciphers were only used by the French diplomacy
nomenclators. A date range can still be defined in during the first half of the 16th century, the
those cases. At last, nomenclators, as well as the French nobility started to also use ciphers during
improvements of the cryptographic patterns and the second half of the 16th century. Noblemen did
characters, inform on the circumstances of their not yet use ciphers for personal matters (Lang,
usage. A high proportion of foreign names 2014) but only for political purposes. Far from
reveals a diplomatic use, and if a country, for being anecdotal this use increased from the end
instance Spain, is more represented, it is highly of the 1570's and became more diversified in its
likely the cipher was used by a French practices and the origin of its users. That reveals
ambassador to Spain. how deeply ciphers were interwoven with the
But whatever its rise, cryptography is not used custom of political writing. The agitated political
in every Renaissance correspondence. The context in France substantially explains this
operation remained arduous both for writers and evolution: noblemen were watched by the royal
readers and was limited to what was considered power, French or foreign factions were watching
as crucial or secret information. Thus the each other …. Thus ciphers became essential to
presence and amount of cipher-text reveal the the political correspondence: they protected
significant political value of the text. However, information, reputation and sometimes physical
this was not representative of a specific time. integrity. Further counts and identifications will
Fully enciphered letters were already written in insert these examples from the 1580's in a
the first half of the 16th century, and an integral broader perspective. The corpus that is finally
encryption never became a standard. In addition expected should provide some more information
to their long and arduous writing, ciphers did not about the proportion of each use (political or
need to be systematical but, on the contrary, had diplomatic). We hope thereby to be able to
to adapt themselves as much as possible to the predict more precisely the motivations for the
evolving contextual needs: diplomatic conflict, political use of ciphers and confirm, or
war, insecure postal routes, and so on. invalidate, the current example of the 1580's. The
Information was not by nature secret; only the political use of ciphers could be permanent or
collecting of information and/or its use within a strictly limited to momentary needs (mostly
given context made its veiling inevitable. In the during disorders).
future, these usage hypotheses will require 16
French National Library, fr. 2984: letters from Nicolas
broader statistics, but the persistent general
Raincé to Anne de Montmorency. Nicolas Raincé was the
writing patterns seem logical for now. Moreover,
secretary of Jean du Bellay, cardinal and French
the amount of cipher-text within a given letter representative in Rome.

15
Anyway, political ciphers were not as advanced practiced in Renaissance France. We aim to
as their diplomatic counterparts. The needs were bridge a substantial divide between the
very different: users were not “professional” production and collect of information and the
agents; they had not been trained and this decision-making process: the material process of
political use was still rather new. Above all the the writing of political information. From then
main need remained speed, before safety. Except we could re-build a history of Renaissance
in some rare cases like Vigenère who served the French cryptography, not only in the perspective
Duke of Nevers in the 1580's, cryptographers of the history of sciences but also as part of a
served the French King, not other noblemen. The global history of information.
reduced complexity of their ciphering tables was
completely logical: there were more symbols; Acknowledgments
nomenclators were shorter, and homophonic
substitution was less advanced. The differences Part of the project has been supported by a Mark
between political ciphers, mostly the ones during Pigott Research Grant (2015). We would like to
the Catholic League, and diplomatic ciphers thank Gerhard F. Straßer and the anonymous
reveal how French diplomacy mastered the reviewers for their valuable comments,
cryptographic practice and did its best to meet suggestions and help with grammatical and
the agents' daily needs by constantly improving lexical issues.
the protection of information and facilitating the
encryption and decipherment operations. References
Renaissance French diplomacy acted like a François de Callières. 1716. De la manière de
laboratory in which ciphers and their négocier avec les souverains. La Compagnie,
implementation were constantly tested and Amsterdam.
improved. Its practices and patterns were then Jean-Pierre Devos. 1950. Les chiffres de Philippe II
reused in wider circles, few years or decades (1555-1598) et du Despacho universal durant le
after their conception by the French diplomacy. XVIIe siècle. Académie royale de Belgique,
Bruxelles.
5 Conclusion
Alain Hugon. 2004. Au service du Roi Catholique,
Two essential elements have been highlighted “honorables ambassadeurs” et “divins espions”:
during these first years of our research project: représentations diplomatiques et service secret
dans les relations hispano-françaises de 1598 à
the need for a methodology which is adapted to
1635. Casa de Velasquez, Madrid.
the cryptographic features (in order to proceed
successfully to the identification, analysis and David Kahn. 1996. The Codebreakers. Simon and
cross-checking of our ongoing corpus) as well as Schuster, New York.
the need for studying not only the ciphers but the Benedek Lang. 2014. “People's Secrets: Towards a
general context in which they were employed. If Social History of Early Modern Cryptography”. In
this research project is far from completion, The Sixteenth Century Journal. 45.2: 291-308.
some hypotheses can be stated about the general Benedek Lang. 2018. “Real-Life Cryptology:
uses and issues of cryptography within the Enciphering Practice in Early Modern Hungary”.
political and diplomatic society of the French In Katherine Ellison and Susan Kim (eds), A
Renaissance. Building on these first results and Material History of Medieval and Early Modern
future findings, we aim to study the encryption Ciphers: Cryptography and the History of
mechanisms and their improvements until Literacy. Routledge, New York/London, pages
cryptography became an applied science. We will 223-240.
thus be able to observe the intellectual evolution Karl de Leeuw. 2014. “Books, Science, and the Rise
of French cryptography: its increased use in of the Black Chambers in Early Modern Europe”.
political and diplomatic correspondences; the In Anne-Simone Rous and Martin Mulsow (dir.),
dichotomy between the practiced cryptography Geheime Post: Kryptologie und Steganographie
and its theory; the variations between the der diplomatischen Korrespondenz europaïscher
diplomatic or political cryptographic uses. We Höfe während der Frühen Neuzeit. Duncker &
hope to highlight the adaptation of ciphers to Humblot, Berlin, pages 87-99.
geographical locations and/or to political and Claire Martin. 2010. Mémoires de Benjamin Aubéry
diplomatic context and finally to understand the du Maurier, ambassadeur protestant de Louis XIII
refinement and complexity of cryptography as (1566-1636). Droz, Genève.

16
Jacques de Monts-de-Savasse, “Les chiffres de la Jean-Michel Ribera. 2007. Diplomatie et espionnage:
correspondance diplomatique des ambassadeurs les ambassadeurs du roi de France auprès de
d'Henri IV en l'année 1590”. In Pierre Albert (dir.). Philippe II du traité du Cateau-Cambrésis (1559)
1997. Correspondance jadis et naguère: congrès à la mort de Henri III (1589). Honoré Champion,
national des sociétés historiques et scientifiques. Paris.
Comité des travaux historiques et scientifiques.
Alain Tallon. 2010. L'Europe au XVIe siècle: États et
Paris, pages 219-228.
relations internationales. Presses universitaires de
Valérie Nachef, Jacques Patarin and Armel Dubois- France, Paris.
Nayt. 2016. “Mary of Guise's Enciphered Letters”.
Blaise de Vigenère. 1586. Traicté des chiffres ou
In Peter Y. A. Ryan, David Naccache and Jean-
secretes manieres d'escrire. Abel L'Angelier, Paris.
Jacques Quisquater (eds.). The New Codebreakers:
Essays Dedicated to David Kahn on the Occasion
of His 85th Birthday. Springer, Berlin, pages 3-24.

17
C RYPTANALYSIS OF C LASSICAL A LGORITHMS
20
 Uruguayan cryptographic carpet
Juan José Cabezas Joachim von zur Gathen Jorge Tiscornia
Instituto de Computación B-IT, Universität Bonn Presidencia Uruguay
Facultad de Ingeniería Germany Montevideo, Uruguay
Universidad de la República gathen@ jtiscornia@
Montevideo, Uruguay bit.uni-bonn.de presidencia.gub.uy
jcabezas@fing.edu.uy

Abstract aimed at the unions and other leftists, and their

death squads killed some of their enemies.
We present a unique item in the history of
On the left side was the MLN (Movimiento de
cryptography: a woollen carpet woven in
Liberación Nacional, Movement for national lib-
a Uruguayan penitentiary in 1980 during
eration). Its members were known as the Tupa-
the dictatorship in that country. The col-
maros, after the leader Túpac Amaru II of an anti-
ors of a pair of horizontally adjacent knots
colonial uprising in Perú around 1780.
encrypt a single letter. The carpet is in
By 1973, the Tupamaros were essentially de-
moderately good shape, with loss of colors
feated by the government forces, their leaders
and some damage by moths. We had ob-
killed, imprisoned, or refugees abroad. Many of
tained the original code and here report on
them were held at a penitentiary with the unlikely
the deciphering. The plaintext is a politi-
name of penal de Libertad. The town of Libertad
cal message destined to comrades outside,
(Liberty) is located 51 km from Montevideo, the
with a description of the political situation
capital of Uruguay, and was founded by European
and directives for actions.
refugees in the 19th century, happy to find their
The cryptosystem is a simple substitution. religious liberty. Penal is prison or penitentiary.
Breaking such codes is trivial. The real The Tupamaro inmates composed, in discus-
task here is to translate the knots into a sions over three years, a lengthy text to their com-
machine-readable representation of their panions outside, still in liberty (with small l). How
colors, in the presence of unclear colors to get it out of prison?
and damage to parts of the carpet. They were allowed to produce handicraft arti-
The encrypted carpet is an important cles, receiving the materials at 8 am and handing
document from the dark times of the them back at 4.30 pm. Ricardo García wove the
Uruguayan dictatorship, manufactured by carpet in several months’ work in 1980. The car-
prisoners from the guerrilla movement Tu- pet successfully left the prison.
pamaros. Two of the present authors A relative of Ricardo García received the carpet
(JJC and JT) were active members of this but it never reached its destination, an MLN group
group. Their personal memories were es- in Sweden. When the relative went into exile in
sential for our successful reconstruction of Germany, he had the cipher table (Table 2), but lost
the plaintext. it and remembered it only years later. The carpet
was never decrypted in its time.
1 Introduction
Uruguay regained democracy in 1985 and the
Uruguay (República Oriental del Uruguay) bor- prisoners of Libertad were freed. 29 years later,
ders on Brazil, Argentina, and the Atlantic Ocean Jorge Tiscornia found the carpet in Ricardo Gar-
with the estuary of the Río de la Plata. It was cía’s home, and he was also given the cipher ta-
known as the Switzerland of South America be- ble. At the end of 2014, he told Juan José Cabezas
cause of its wealth, safety, and democratic gov- about the carpet (Figure 1) who then set out to de-
ernance. An economic downturn started in the cipher it.
1960s. In its wake, militant groups arose. The carpet is unique in several aspects; it shows
On the extreme right side, the JUP (Juventud an imaginative use of simple cryptography under
Uruguaya de Pie, Uruguayan youth standing up) the dire circumstances of prison, and it is a unique

Proceedings of the 1st Conference on Historical Cryptology, pages 21– 27,

Uppsala, Sweden, 18-20 June, 2018
 Figure 1: The carpet.

testimony of its type concerning this historic pe- scribes the Tupamaros’ situation as well: “It was
riod. the best of times, it was the worst of times, it was
The only other encryption methods by weaving the age of wisdom, it was the age of foolishness,
or knotting that we are aware of are the Inca qui- it was the epoch of belief, it was the epoch of in-
pus and the encrypted quilts on the underground credulity, it was the season of Light, it was the sea-
railway for black slaves fleeing from the USA to son of Darkness, it was the spring of hope, it was
Canada in the 19th century (see Tobin (1999)). the winter of despair, we had everything before us,
we had nothing before us, we were all going di-
The Tupamaros were inspired by Dickens’ Tale rect to Heaven, we were all going direct the other
of Two Cities (Dickens, 1859). It distills the atmo- way.”.
sphere in pre-revolutionary France around 1789.
A tough tavern owner, a central character in the 2 The encryption method
book, works as the eyes and ears of the pre-
revolution. She knits diligently accounts into her In the following, we distinguish typographically
knitware, of evil persons, their deeds, and of spies, between ciphertext and plaintext.
dreaming of future vengeance. “Knitted, in her The coding method, communicated by Ricardo
own stitches and her own symbols, it will always García to us, uses a simple substitution on 18 let-
be as plain to her as the sun.” For any malefac- ters. Each letter is encoded by a pair of horizon-
tor, it would be easier “to erase himself from ex- tally adjacent colors, allowing six colors for the
istence, than to erase one letter of his name or first item and three for the second one.
crimes from the knitted register of Madame De- The encoding goes as follows:
farge.” Dickens says nothing about her encryption O G B L W P color
method, but these words were enough to fire the M A R K O S O
penitentiary inmates’ imagination and inspire the D I N T E L G
idea of their carpet. Dickens’ poetic introductory J U P V H F B
sentence refers to the French Revolution, but it de- Table 1: The code.

22
 using the following six colors: columns. Moths have totally or partially damaged
color abbr about 10% of the color pairs, and the borders are
orange, yellow O frayed, as is visible in the figures.
dark green G We distilled from a high-resolution digital im-
beige, pink, ochre B age of the carpet a machine-readable matrix of col-
light green L ors. Our software then transformed the resulting
white, light gray W RGB values to one of the six colors. This had
purple P to be done in a robust way so that similar colors
Table 2: The colors. were transformed to the same value, but distinct
colors were properly distinguished. Then adjacent
The lines stand for Marcos, (door) lintel, and
pairs of knots were deciphered as individual let-
JUP (see above). VHF presumably is a filler with
ters, proper word separations introduced, and the
the remaining letters and unlikely to refer to very
final decipherment produced. This was less than
high frequency. The system thus employs a re-
straightforward, and we encountered the following
duced alphabet of 18 letters: A, D, E, F, H, I, J, K,
problems.
L, M, N, O, P, R, S, T, U, V. Taking into account the
phonetics and orthography of the Latin American 1. Damage to the carpet.
Spanish language, some of them represent more
than one letter: 2. About 5% of the colors ran into adjacent
knots, affecting their (automatic) legibility.
• K represents the letter k, and qu, and also c
when pronounced like k. 3. After 35 years, colors have degraded. In
some parts, it is difficult to distinguish be-
• V represents v and b. tween white and ochre, and between light and
• S represents s, and also c when pronounced dark green.
like s. 4. The reading ambiguities mentioned above
• J represents j and g. sometimes make interpretation difficult. For
example, the string AKNTPERONOA is to be
• I represents i and y. read as a CNT pero no a . . . (to CNT but
not to . . . ) where CNT is the Convención Na-
It was not meant as a simplified orthography of
cional de Trabajadores (National Convention
Spanish, but can be taken as such. (In today’s text
of Workers).
messages in Spanish, K is often used for qu.) For
example, the list of color pairs 4 Decryption
(W,O),(P,G),(G,O),(L,O),
The digitized image is presented in Postscript,
(W,G),(L,G),(G,O),(P,G)
which is then converted to plaintext. We illustrate
encrypts the text OLAKETAL. Interword spaces, the process on the carpet’s second line, magnified
the (silent) initial H, and punctuation marks are not in Figures 3 through 5 and its decryption in Figure
present, and the list represents the phrase Hola que 6.
tal (Hi, how are you?). Each dot of color is given as an RGB (Newman
The absence of spaces, accents, and punctua- and Sprouil, 1983) triple of red, green, and blue
tion marks means that a string of colors may rep- values, each ranging from 0 to 25.
resent more than one grammatically and semanti- We took samples from various sections of the
cally valid text. In our decipherment, such ambi- carpet and determined the range of RGB values
guities were an obstacle, and this might be worse for each color, and also the fractions of these val-
if this method was used elsewhere without the a ues, in order to be able to account for dark or
priori knowledge we had about the context. light sections. That is, 6 7 8 and 7 8 9 repre-
sent the same hue, the latter slightly lighter than
3 The current state of the carpet
the former. Overlap of these values and fractions
The carpet measures 55.3 × 36.8 cm and contains occurred mainly for G (dark green) and L (light
almost 13 000 knots for about 6400 encrypted let- green), and for B (beige) and W (white). Since G
ters, arranged in a matrix of 67 rows and 96 and B occur more frequently in the carpet than L

23
 Figure 2: The bottom left shows moth damage and lost material on the fringes.

Figure 3: The second line, left part. It starts at top left and ends at bottom right.

Figure 4: The second line, middle part.

Figure 5: The second line, right part.

GO BO GO PB GO PG WG BO WO PG GB WG OB WO GG OG
a r a f a l e r o l u e j o i d
GO LB GG WG OB WO PO PO WG BB BO WO OG GB PO WG
a v i e j o s s e p r o d u s e
GO BG G? ?? LO GG GO OG GB BO GO BG LG WG
a n a r k i a d u r a n t e

Figure 6: Part of the second line transcribed (upper line) and decrypted (lower line).

24
and W, respectively, we opted to use the former in N[U|*L(SLF)ARD(DINTEL)SARROLLOIDAR
ambiguous cases. ESPLIKASION[I|*K[D|*EP*OTA
The next step was to convert these color val- TRESTENDENSIAAN<I>TIM<D>
ues into text. We covered each knot in the carpet LN[a|*(KTV)J[N|*FALSO*
by small horizontal rectangles, whose width was
about that of the whole knot. Our matrix algorithm N[U|*L(SLF)AR DESARROLLO I DAR
(James D. Foley and Hughes, 1990) scanned each ESPLIKASION [I|*K[D|*EP*OTA
rectangle and looked for a dominant color among TRES TENDENSIA AN<I>TIM<D>LN[a|
the rectangles of each knot. If a dominant color (KTV)J[N|* FALSO
was found, it was considered the color of the knot.
In a pair of adjacent knots starting in an “even” N[U|*L(SLF)AR DESARROLLO I DAR
position, there are six possible colors for its first ESPLIKASION [I|*K[D|*EP*OTA
member and three for its second one. Invalid dom- TRES TENDENSIA ANTI MLN [a|
inant colors, damaged areas, and the absence of a (KTV)J[N|* FALSO
dominant color are also reported.
In cases of doubt, we also employed a vec- pULSAR DESARROLLO I DAR
tor search using vertical vectors in the middle of ESPLIKASION DErrOTA
the knot. If two or more occurrences of a valid TRES TENDENSIA ANTI MLN
color were detected, then four vertical vectors de- KoN FALSO
termined its dominance in the knot. . . . pulsar desarrollo y dar explicación derrota.
In the end, we obtained a sequence of knot col- Tres - tendencia anti-MLN con falso ... (. . . further
ors, with numerous unresolved cases. the development and give an explanation of [our]
Bypassing the intermediate steps explained be- defeat. Third—anti-MLN tendency with false. . . )
low, we take the carpet’s second line as an example A translation into plaintext would have been
in Figures 3 through 6. hard without the personal acquaintance of Tis-
cornia with the situation and political context of
5 Recovering the plaintext the MLN and the penitentiary at Libertad around
1980.
In another example, from the carpet’s third line,
we illustrate some of the steps from the raw iden- 6 Conclusions
tification of letters, with many unclear positions,
into plaintext. This was no easy task and re- We have recovered the plaintext of about 95% of
quired substantial manual intervention. We first the carpet; only small parts of it are damaged be-
discovered some obvious plaintext snippets, then yond recognition. The carpet is now becoming a
searched for valid words before and after such valuable testimony of Uruguayan and Latin Amer-
pieces, and in the case of damaged knots, had to ican history.
visually inspect the carpet. From a cryptographical point of view, the fol-
Letters without parenthesis or bracket are con- lowing aspects are particularly interesting:
sidered correct by the software. * is an un-
recognized letter, (MARKOS), (DINTEL), and • The inmates have succeeded in encrypting a
(JUPVHF) show six possible choices, and sim- substantial amount of information by means
ilarly (MDJ), (AIU), (RNJ), (KTV), (OEH), and of material accessible to prisoners in the pen-
(SLF) correspond to three possibilities. These in- itentiary.
dicate that the first or second color of a pair, re-
spectively, may be damaged. [c1|c2 means that • The construction of the carpet presumably in-
letter c1 seems more likely than letter c2 in this volved a large number of hours, but then,
place, and < c > indicates the letter c, but with time is the one thing that is abundant in
low probability. prison.
So here are the steps from the original letters
to plaintext. Lower case letters in the fourth text • The prisoners used a simple coding mecha-
present guessed corrections of the automatic color nism in a clever way which even fooled the
readings. exit checks at the prison.

25
 In terms of cryptanalytic techniques, our task https://www.fing.edu.uy/˜jcabezas/
was trivial once the sequence of colors was estab- papers/ElTapizMLN2015.pdf.
lished. However, given just that sequence with its
many errors and ambiguities, it is not clear how
easy this task would have been without the knowl- [First line.] ...ona: sólo tu debe conocer vía
edge of the encryption in Table 2. y forma. Traduce esto, al final te aclaro. Hazlo
In synthesis, we have an original piece of cryp- llevar ...ama Falero.
tography, well conceived and well implemented. It [Introduction.] Luego ida viejos se produce
was secure, efficient, and economic under the dire anarquía durante tres años por causas:
circumstances of the penitentiary. The fact that we 1. pérdida confianza política y personal a todo
could decipher it 35 years later shows the success nivel,
of their method. 2. incapacidad dirigentes de impulsar desar-
rollo y dar explicación derrota y
7 The first lines of the computer
generated transcription. 3. tendencia anti-MLN con falso marxismo-
leninismo, destruyendo en vez de elevar, todo
The first four lines of the transcription read as fol- esto con poca comunicación y tensión repre-
siva.
lows:
(DINTEL)MD[A|*FA(DINTEL)*E*OLUEJO Arriba hay confianza y crece, fierreros y divi-
sionistas retroceden.
IDAVIEJO(MARKOS)SP<M>RODUSE
El correcto marxismo-leninismo va mas lento,
ANUJKIAD(AIU)RA(DINTEL)TETRESA(RNP)
dirección autocrítica MLN, un paso necesario y
(DINTEL)OSPORKAUSASUNO(SLF)
defectuoso.
[Previous events.] Luego del año 55, la
[*|*E(MARKOS)II<*>DI(KTV) izquierda marxista será determinada por dos he-
(JUPVHF)(DINTEL)FIATS chos:
APO<*>LITIKAI<P>UER 1. lucha de clases desatada por crisis
SONA(DINTEL)AT(JUPVHF) económica
DONI(KTV)E(DINTEL)
I[I|*O<*>SINKANASDI<A>RIJE< 2. discusión ideológica internacional entre vía
violenta o pacífica al socialismo.1
T>ITESN<*>EIM(SLF)
Acknowledgements
N[U|*L(SLF)ARD(DINTEL)SARROLLOIDAR
ESPLIKASION[I|*K[D|*EP*OTATR Alfredo “Tuba” Viola brought the authors to-
ESTENDENSIAAN<I>TIM<D>L gether during a course given by the second author
N[a|*(KTV)J[N|*FALSO* in Montevideo. Without his support, this paper
would not have come into being, and we thank him
DP[R|*SLE<I>NINDESTRUIENDO for it.
ENVE(MARKOS) About the authors. JJC is a professor of com-
DEELEV[N|*V[R|*T<*>ODOESTOK puter science at the Instituto de Computación in
ON(JUPVHF)OKAKOM<*>UNIA<I>D the Universidad de la República, Uruguay. He was
[A|*SIONITE(DINTEL)SIO* 1 [M]ona: only you must know the method and form.
Translate this, at the end I explain it. Take it [. . . ama] Falero.
Distilling cleartext from this is not always obvi- After the older leaders left, we had anarchy during three
ous. years for various reasons: 1. loss of political and personal
confidence at all levels, 2. inability of the leaders to further
development and explain our defeat, 3. anti-MLN tendency
8 Parts of the carpet’s cleartext. with false marxism-leninism, destroying rather than elevat-
ing, all this with little communication and repressive tension.
We present the initial part of the cleartext. The On the higher floors [where the leaders were housed, floors
opinions and political points of view expressed in 3 to 5] we have growing confidence, [but] warriors [who
want to continue the armed struggle] and divisionists [who
this document do not, in any way, reflect necessar- prefer a political party for the struggle] retreat. The correct
ily those of the authors or their institutions. Com- marxism-leninism goes more slowly, in the direction of MLN
self-criticism, a necessary step that is missing.
ments between brackets are the authors’. Since 1955, the marxist left has been determined by two
facts: 1. class struggle unleashed by the economic crisis,
A complete version of the clear- 2. international ideological discussion between violent and
text (in Spanish) can be found at peaceful road to socialism.

26
severely injured in 1970 while manufacturing a
bomb in his workshop and fled the country, hidden
in the trunk of a car. JvzG is an emeritus professor
of computer science at the Universität Bonn, Ger-
many, and has no experience in building bombs.
JT (Jorge Carlos Tiscornia Bazzi) is an Uruguayan
writer and was a member of the Tupamaro Colona
15, together with JJC. He now works at the Presi-
dencia Uruguay. During his 4646 days in the pen-
itentiary of Libertad, from 1972 to 1985, he kept
a secret diary on small slips of paper, normally
used to roll cigarettes. He hid them in wooden
clogs that he used in the shower. They are now
published (Tiscornia (2012)) and provide moving
insights into the (in)human conditions in prison,
see also Tiscornia (2014). They were turned into a
documentary movie (Charlo (2014)).

References
José Pedro Charlo. 2014. El almanaque. Documentary
movie. Argentina, Spain, Uruguay.
Charles Dickens. 1859. A Tale of Two Cities. Chap-
man & Hall, London.
Steven K. Feiner James D. Foley, Andries van Dam and
John F. Hughes. 1990. Computer Graphics Princi-
ples and Practice. Adisson Wesley.

William M. Newman and Robert F. Sprouil. 1983.

Principles of Interactive Computer Graphics. Mc
Graw Hill.

Jorge Tiscornia. 2012. El almanaque. Yaugurú, Mon-

tevideo, Uruguay.

Jorge Tiscornia. 2014. Nunca en domingo. Relatos.

Penal de Libertad 1972-1985. Ediciones de la
Banda Oriental, Montevideo, Uruguay.

Jacqueline Tobin. 1999. Hidden in Plain View. A secret

story of quilts and the underground railway. Anchor
Books, New York.

27
 Solving Classical Ciphers with CrypTool 2

Nils Kopal
Applied Information Security – University of Kassel
Pfannkuchstr. 1, 34121 Kassel, Germany
nils.kopal@uni-kassel.de

Abstract torians. In such cases, cryptanalysts and image-

processing experts are needed to support decipher-
The difficulty of solving classical ciphers ing the books, thus, enabling the historians to con-
varies between very easy and very hard. tinue their research.
For example, monoalphabetic substitution The ciphers used in historical books (from
ciphers can be solved easily by hand. the early antiquity over the Middle Ages to the
More complex ciphers like the polyalpha- early modern times) include simple monoalpha-
betic Vigenère cipher, are harder to solve betic substitution and transposition ciphers, code-
and the solution by hand takes much more books and homophone ciphers.
time. Machine ciphers like the Enigma With the open-source tool CrypTool 2 (CT2)
rotor machine, are nearly impossible to (Kopal et al., 2014) historians and cryptanalysts
be solved only by hand. To support have a powerful tool for the analysis as well as
researchers, cryptanalysts, and historians for the (automatic) decryption of encrypted texts.
analyzing ciphers, the open-source soft- Throughout this paper, we present how CT2 can
ware CrypTool 2 (CT2) was implemented. be used to actually break real world ciphertexts.
It contains a broad set of tools and meth- The following parts of this paper are structured
ods to automate the cryptanalysis of dif- as follows: The next section gives a short introduc-
ferent (classical and modern) ciphers. In tion to classical ciphers, as well as an overview of
this paper, we present a step-by-step ap- cryptanalysis. In Section 3, we briefly introduce
proach for analyzing classical ciphers and the CT2. In Section 4, we present a general step-
breaking these with the help of the tools in by-step approach for the analysis of ciphers with
CT2. The primary goals of this paper are: CT2. Section 5 shows real example analyses done
(1) Introduce historians and non-computer with the help of CT2. Section 6 gives an overview
scientists to classical encryption, (2) give of cryptanalysis components (for classical ciphers)
an introduction to CT2, enabling them to already implemented in CT2 as well as compo-
break ciphers by their own, and (3) present nents planned for the future. Finally, Section 7
our future plans for CT2 with respect to summarizes the paper.
(automatic) cryptanalysis of classical ci-
phers. This paper does not describe the 2 Foundations of Classical Ciphers and
used analysis methods in detail, but gives Cryptanalysis
the according references.
After a brief introduction to classical ciphers we
1 Motivation discuss the cryptanalysis of classical ciphers.

There are several historical documents contain- 2.1 Classical Ciphers

ing text enciphered with different encryption al- Ciphers encrypt plaintext into ciphertext based on
gorithms. Such books can be found for instance in a set of rules, i.e. the encryption algorithm, and a
the secret archives of the Vatican. Often, histori- secret key only known to the sender and intended
ans who find such encrypted books during their receiver of a message.
research are not able to decipher and reveal the Classical ciphers, as well as ciphers in general,
plaintext. Nevertheless, these books can contain can be divided into two different main classes:
secret information being of high interest for his- substitution ciphers and transposition ciphers. A

Proceedings of the 1st Conference on Historical Cryptology, pages 29– 38,

Uppsala, Sweden, 18-20 June, 2018
substitution cipher replaces letters or groups of let- ation, a plaintext symbol (here a bigram) is af-
ters of the plaintext alphabet with letters based on terwards fractionated into two different symbols,
a ciphertext alphabet. Transposition ciphers do making cryptanalysis even harder.
not change the letters themselves but their posi- Ciphers based on codebooks were often super-
tion in the text, i.e. plaintext alphabet and cipher- enciphered, thus, first the words were substituted,
text alphabet are equal. There also exist ciphers for instance with numbers. Then, the resulted
that combine both, substitution and transposition, ciphertexts were additionally super-encrypted by
to create a composed cipher, e.g. the ADFGVX ci- changing them according to special rules.
pher (Lasry et al., 2017). Many encrypted historical books that survived
Substitution ciphers can be furthermore di- history are available. Most of them are encrypted
vided into monoalphabetic and polyalphabetic ci- either with simple monoalphabetic substitutions or
phers (Forsyth and Safavi-Naini, 1993). With with homophone substitutions. For some books
monoalphabetic ciphers, only one ciphertext al- the type of cipher is unknown.
phabet exists. Thus, every plaintext letter is al- Many encrypted historical messages are en-
ways replaced with the same letter of the ci- crypted with simple substitution ciphers, homo-
phertext alphabet. If there are more possibilities phone substitution ciphers, polyalphabetic sub-
to choose from the ciphertext alphabet the sub- stitution ciphers, nomenclatures, or codebooks.
stitution cipher is a homophone substitution ci- Transposition ciphers were also used, but not as
pher (Dhavare et al., 2013). If there are more much as substitution ciphers since transpositions
than one ciphertext alphabet which are exchanged are more complex with respect to the encryption
after each encrypted letter, the substitution is a procedures. Additionally, performing a transpo-
polyalphabetic substitution, e.g. the Vigenère ci- sition cipher is more prone to errors. In modern
pher (Schrödel, 2008). Substitution may also not times, transposition was used by the IRA (Mahon
only be based on single letters but on multiple let- and Gillogly, 2008) and during World War II by
ters, e.g. the Playfair cipher (Cowan, 2008). In his- the Germans and the British.
tory, for military and diplomatic communication, In World War II, rotor cipher machines like
codebooks and nomenclatures were used. With the German Enigma (Gillogly, 1995) performing
a nomenclature, not only letters were substituted, polyalphabetic encryptions were introduced and
but additionally, complete words were substituted. widely used.
Codebooks contained substitutions for nearly all
words of a language. 2.2 Cryptanalysis
Transposition ciphers change the positions of Cryptanalysis is the science and art of breaking ci-
each letter in the plaintext based on a pattern that phers without the knowledge of the used key. To-
is based on a key. The most used transposition ci- day, cryptanalysis is used to evaluate the security
pher is the columnar transposition cipher (Lasry et of modern encryption algorithms and protocols.
al., 2016c). Here, a plaintext is written in a grid of We divide the cryptanalysis of classical ciphers
columns. Then, the columns are reordered based into two different approaches: the classical paper-
on the lexicographical order of a keyword written based cryptanalysis and the modern computer-
above the columns. Finally, the ciphertext is read based cryptanalysis. In his paper we focus on
out of the transposed text column-wise. Decryp- modern computer-based cryptanalysis which can
tion is done the same way but in the reverse order. be done with CT2.
Composed ciphers execute different cipher Substitution ciphers can be broken with the help
types in a consecutive order to strengthen the en- of language and text statistics. Since every letter
cryption. One famous composed cipher is AD- in a language as well as in the plaintext alpha-
FGVX. Here in the first step, each plaintext char- bet of a cipher has its unique frequency it can be
acter is substituted by a bigram only consisting of used to guess and identify putative plaintext let-
the 6 letters A,D,F,G,V, and X. After that, the in- ters. With monoalphabetic substitutions, plaintext
termediate ciphertext is encrypted with a colum- and ciphertext frequencies are identical, but the
nar transposition cipher. ADFGVX was used by letters differ. For example an ’E’ is substituted by
the Germans during World War I. It introduced a an ’X’ – ’X’ has then the same frequency in ci-
new concept, called fractionation. With fraction- phertext as ’E’ has in plaintext. Thus, an algorithm

30
to break a substitution ciphers aims at recovering we have either a plaintext, a monoalphabetic sub-
the original letter distribution. stituted text, or a transposed text. And it is prob-
Homophone substitutions as well as polyalpha- ably German. On the other hand, having an IC
betic substitutions flatten the distribution of let- close to 3.8% indicates that we have a polyalpha-
ters, hence, aiming to destroy the possibility to betic encrypted text. Clearly, the IC is more ac-
break the cipher with statistics. Nevertheless, hav- curate having long ciphertexts. Identification of
ing enough ciphertext and using sophisticated al- homophone ciphers can be done by counting the
gorithms, e.g. hill climbing and simulated anneal- number of different used letters or symbols. If the
ing, it is still possible to break them. number is above the expected alphabet size, it is
Transposition ciphers can also be attacked with probably a homophone substitution.
the help of statistics. Since transposition ciphers State-of-the-art for breaking classical ciphers
do not change the letters, the frequency of the un- are search metaheuristics (Lasry, 2018). Because
igrams in plaintext and ciphertext are exactly the with classical ciphers, a “better guessed key” often
same. Thus, to break transposition ciphers, text yields a “better decryption” of a ciphertext, such
statistics of higher orders (bigrams, trigrams, tetra- algorithms are able to “improve” a key to come
grams, or n-grams in general) are used to break close to the correct key and often finally reveal
them. Besides that, similar sophisticated algo- the correct key. “Better” in this context means,
rithms, e.g. hill climbing and simulated annealing, that the putative plaintext that is obtained by de-
are used to break transposition ciphers. crypting a given ciphertext is rated higher by a
so-called cost or fitness function. An example for
For breaking a classical cipher, it is useful to
such a function is the aforementioned IoC, which
know the language of the plaintext. It is possible to
comes close to a value indicating natural language
break a cipher using a “wrong” language, but the
when the key comes closer to the original one. A
correct one yields a higher chance of success. For
common and very successfully used search meta-
cryptanalysis most of the algorithms implemented
heuristic is hill climbing. A hill climbing algo-
in CT2 contain a set of multiple languages, e.g.
rithm first randomly guesses a putative “start key”.
English, German, French, Spanish, Italian, Latin,
Then, it rates its cost value using a cost function.
and Greek. In many cases, the language of an en-
After that, it tries to “improve” the key by ran-
crypted book is known to the cryptanalyst or can
domly changing elements of the key. With the
be guessed by its (historical) context.
Vigenère cipher for example, it would change the
To identify the type of the cipher, whether it is a first letter of the keyword. After changing the let-
substitution cipher or a transposition cipher, crypt- ter, it again computes the cost function. If the re-
analysts use the Index of Coincidence (IC) (Fried- sult is higher than for the previous key, the new
man, 1987). The IC, invented by William Fried- key is accepted. Otherwise, the new key is dis-
man, is the probability of two randomly drawn let- carded and another modified one is tested. The
ters out of a text to be identical. For English texts algorithm performs these steps until no new mod-
the IC is about 6.6% and for German texts about ified key can be found that yields a higher cost
7.8%. Simple monoalphabetic encryption, where value, i.e. the hill (= local maximum) of the fitness
a single letter is replaced by another letter, does score is reached. Most of our classical cryptana-
not change the IC of the text. Same applies to all lytic implementations in CT2 are based on such a
transposition ciphers, since these do not change hill climbing approach.
the text frequencies. Polyalphabetic substitution
aims at changing the letter distribution of a text to
3 An Introduction to CrypTool 2
become the uniform distribution. Thus, the IC is
1
about 26 ≈ 3.8% (where 26 is the length of the ci- CrypTool 2 (CT2) is an open-source tool for e-
phertext alphabet and all letters are used equally learning cryptology. The CrypTool community
distributed). Homophone substitution also aims at aims to integrate into CT2 the best known and
changing the letter distribution of a text to become most powerful algorithms to automatically break
the uniform distribution, but here the IC is about (classical and modern) ciphers. Additionally, our
1
n , where n is the amount of different symbols in goal is to make CT2 a tool that can be used by ev-
the text. eryone who needs to break a classical cipher. An-
Thus, having an IC close to 6.6% indicates that other well-known Windows analyzer for classical

31
ciphers is CryptoCrack (Pilcrow, 2018).
CT2 consists of a set of six main components:
the Startcenter, the Wizard, the WorkspaceMan-
ager, the Online Help, the templates, and the Cryp-
Cloud, which we present in detail in the following.
The Startcenter is the first screen appearing
when CT2 starts. From here, a user can come to
every other component by just clicking an icon.
The Wizard is intended for CT2 users that are
not yet very familiar with the topics cryptography
or cryptanalysis. The user just selects step by step
what he wants to do. The wizard displays at each
step a small set of choices for the user.
The WorkspaceManager is the heart of CT2
since it enables the user to create arbitrary cas-
cades of ciphers and cryptanalysis methods us-
ing graphical icons (components) that can be
connected. To create a cascade, the user may
drag&drop components (ciphers, analysis meth-
ods, and tools) onto the so-called workspace. Af-
ter that, he has to connect the components using
the connectors of each component. This can be
done by dragging connection lines between the in- Figure 1: CT2 Workspace with Caesar Cipher
puts (small triangles) and outputs (also small trian-
gles) using the mouse. Data in CT2 can be of dif- CT2 contains a huge Online Help describing
ferent types, e.g. text, numbers, binary data. The each component. By pressing F1 on a selected
type of data is indicated by a unique color. A sim- component of the WorkspaceManager, CT2 auto-
ple rule is, that connections between the same col- matically opens the online help of the correspond-
ors are always possible. Connections between dif- ing component.
ferent colors (data types) may also be possible, but CT2 also contains a huge set of more than 200
then data has to be converted. CT2 can do this au- so-called Templates. A template shows how to
tomatically in many cases, but sometimes special create a specific cipher or a cryptanalytic scenario
data converters are needed. using the graphical programming language and is
Figure 1 shows a sample workspace containing ready to use. The Startcenter contains a search
a so-called Caesar cipher (very simple monoal- field that enables the user to search for specific
phabetic substitution) component, a TextInput templates using keywords.
component enabling the user to enter text, and Finally, the CrypCloud (Kopal, 2018) is a
a TextOutput component displaying the final en- cloud framework built in CT2. We developed it
crypted text. The connectors are the small colored as a real-world prototype for evaluating distribu-
triangles. The connections are the lines between tion algorithms for distributed cryptanalysis using
the triangles. The color of the connectors and con- a multitude of computers.
nections indicate the data types (here text). When
the user wants to execute the flow, he has to start it 4 A Step-by-Step Approach for
by hitting the Play button in the top menu of CT2. Analyzing Classical Ciphers in
Currently, CT2 contains more than 160 different CrypTool 2
components for encryption, decryption, cryptanal-
ysis, etc. Many components that can be put onto In this section, we show a step-by-step approach
the workspace have a special visualization that can for analyzing classical ciphers in CT2. The first
be viewed when opening the component by double step is to make the cipher processable for CT2, so
clicking on it. Figure 2 shows such a maximized we create a digital transcription of the ciphertext.
visualization of a standard component. Then, we identify the type of the cipher. The third

32
step then finally breaks the cipher with CT2.

4.1 Create a Transcription

There are two ways to create a transcription of a ci-
phertext for CT2. The first method is to manually
assign to each ciphertext symbol a letter by hand
outside of CT2, e.g. with Windows Notepad. The
transcription is saved as a simple text file. This
file can be loaded into CT2 by using the FileInput
Figure 3: Frequency Test Component Showing
component and then be processed further.
Distribution of Plaintext

Figure 4: Frequency Test Component Showing

Distribution of Ciphertext
Figure 2: CT2 Transcriptor Component with
Marked Symbols for Transcription
In Figure 3 we show the distribution of a plain-
The second method to create a transcription text (“The Declaration of Independence” of the
uses the CT2 component Transcriptor (Figure 2). US). It can easily be seen, that the text follows
With the transcriptor, a user can load a picture, the letter distribution of the English language, i.e.
e.g. a scan of a document. Then, he can assign the ’E’ is the most frequent letter, the letters ’X’,
letters to the scanned symbols by marking them. ’Q’, and ’Z’ are very rare. In Figure 4 we show
Finally, the transcriptor is able to output the com- the distribution of a ciphertext (“The Declaration
plete transcription. It supports the user in two dif- of Independence” of the US, encrypted with a Vi-
ferent ways: (1) It automatically guesses, which genère cipher). Here, all letters are more or less
symbol the user just had marked by showing the equally distributed, showing the cryptanalyst that
most likely symbols and (2) it can be set to semi- it is possibly a polyalphabetic substitution cipher.
automatic mode. In semi-automatic mode, it auto- Another component that helps to analyze and
matically marks all other symbols that are similar identify a cipher is the Friedman Test, invented by
to the one just marked by the user. William Friedman. With this test the key length
The DECODE project (Megyesi et al., 2017) (number of letters of a key word or phrase) of a
already hosts a huge set of transcriptions of en- polyalphabetic cipher can be calculated.
crypted historical books done by experts. Within In Figure 5 we show the result of the Friedman
2018 there will be an interface to call either CT2 test performed on plaintext (“The Declaration of
from the DECODE website or to download DE- Independence” of the US). It shows that the given
CODE records from within CT2. text is possibly plaintext or a monoalphabetic sub-
stitution. Furthermore, the ciphertext could be
4.2 Identify the Cipher transposed since the transposition does not change
After creating the transcription of the cipher it is the letter distribution. In Figure 6 we show the re-
now possible to analyze its characteristics. A first sult of the Friedman test performed on ciphertext
analysis would be to create a text frequency analy- (“The Declaration of Independence” of the US,
sis. For that, CT2 contains a Frequency Test com- encrypted with a Vigenère cipher). It shows that
ponent. It can be configured to show unigram dis- the given text is possibly ciphertext and polyal-
tribution, bigram distribution, etc. phabetic. Additionally, it shows that the estimated

33
 component which automatically solved a Vigenère
cipher (“The Declaration of Independence” of the
US, encrypted with a Vigenère cipher. The solver
automatically tested every keylength between 5
and 20 using hill climbing. Only about ten sec-
onds are needed for the component to automati-
cally break the cipher. The decrypted text is auto-
matically outputted by the component and can be
displayed by an TextOutput component.

Figure 5: Friedman Test Component Showing Re-

sult of English Plaintext

key length is about 9. The component needs a pro-

Figure 7: Vigenère Analyzer Solving a Cipher
vided IC (IC provided) which is used as a refer-
ence value for the analyzed IC (IC analyzed).
All automatic cryptanalysis components have
the same style of user interface. Besides start
and end-time, the elapsed time for the analysis is
shown. Furthermore, some components estimate
the time for the remaining automatic analysis.

5 Example Cryptanalysis of Original

Classical Ciphers
In this section we present two different real-world
classical ciphers that can be broken with CT2.

5.1 Message in a Bottle Sent to General

Pemberton in the US Civil War
The following message was sent in a bottle by a
Confederate commander at the 4th of July 1863 in
Vicksburg to General Pemberton. It was broken
by the retired CIA codebreaker David Gaddy in
Figure 6: Friedman Test Component Showing Re- 2010 (Daily Mail Reporter, 2010). We here use
sult of Ciphertext this message (221 letters) as our first real-world
example for breaking classical ciphers with CT2.
In the first step, to automatically analyze the ci-
4.3 Break the Cipher phertext, we had to create a transcription as shown
After identifying the cipher type it can now be bro- in Section 4.1. We could have used the Transcrip-
ken with the help of different cryptanalysis com- tor component or do it manually. Since the let-
ponents. CT2 contains components for the au- ters are written differently, the scanned image has
tomatic breaking of the monoalphabetic substitu- only a low resolution, and the message contains
tion cipher, the Vigenère cipher, and the columnar ink spots, we did it manually. We show the result
transposition cipher. of the transcription of the ciphertext in Figure 9.
In Figure 7 we show the Vigenère Analyzer Now, we could analyze the text to identify the

34
 Vigenère Analyzer component to break it.
We automatically test all key lengths between 1
and 20. Figure 12 shows the final result of the
Vigenère Analyzer component. The component
displays a toplist of “best” decryptions based on
a cost function that rates the quality of the de-
crypted texts. The higher the cost value (sum of n-
gram probabilities of English language) the higher
Figure 8: Encrypted Message in a Bottle Sent by the place in the toplist. Furthermore, the com-
General Johnston ponent shows the used keyword or pass phrase.
With “MANCHESTERBLUFF” (15 letters), the
message can be broken. The analysis run took 5
seconds on a standard desktop computer with 2.4
GHz. We present the final plaintext in Figure 13.

Figure 9: Transcription of Encrypted Message in

a Bottle
Figure 10: Letter Frequency Analysis of En-
crypted Message in a Bottle
type of the cipher. First, we created a letter fre-
quency analysis (see Figure 10).
The distribution of letters indicated that the
message is not encrypted with monoalphabetic
substitution and possibly not transposed. Based
on the more or less equal distribution of the let-
ters we assume that the message is encrypted with
a polyalphabetic cipher. To further strengthen our
assumption, we applied the Friedman test and cal-
culated the IC. In Figure 11 we show the results of
the computation of the IC and the Friedman test.
The IC equal to 0.03834 indicated that the mes-
sage is possibly encrypted with a polyalphabetic
cipher. The estimated length of the key by the
Friedman analysis is ≈ 5730, which is impossible Figure 11: Friedman Test and IC of Encrypted
for a text of only 221 letters. Thus, the message is Message in a Bottle
either encrypted with a running key cipher, mean-
ing the key length is infinity, or the Friedman test
just fails because of the short length of the mes- 5.2 Borg Cipher – Encrypted Book from the
sage. Since we know that in the Civil War the Vi- 17th Century
genère cipher was often used, we assumed it could The Borg cipher is a 408 pages manuscript, prob-
be encrypted with the Vigenère cipher. Other pos- ably from the 17th century. The manuscript is lo-
sibilities would be a codebook or a homophone ci- cated at the Biblioteca Apostolica Vaticana (Al-
pher. darrab et al., 2018). It is written using special ci-
In the last step, we try to break the cipher. Since phertext symbols. Figure 14 shows a small part
we assume it to be a Vigenère cipher, we used the of the Borg cipher. We here use the book as our

35
Figure 12: Breaking the Encrypted Message in a
Bottle with the Vigenère Analyzer
Figure 15: Letter Frequency Analysis of the Borg
Cipher

Figure 16: Friedman Test of the Borg Cipher

Figure 13: Message in a Bottle – Revealed Plain-

guages to be used by the analyzer. Latin produced
text by Vigenère Analyzer
the best results, since the original text is Latin. The
analysis run took 8 seconds.
second real-world example for breaking classical
ciphers with CT2. The cipher was already broken
by (Aldarrab et al., 2018).

Figure 17: Breaking the Borg Cipher with the

Monoalphabetic Substitution Analyzer

We present the first part of the finally decrypted

Figure 14: Picture Taken from the Borg Cipher
Borg cipher in Figure 18.
We took the complete transcription of the book
6 Current Cryptanalysis Components in
from (Aldarrab et al., 2018).
CrypTool 2 and Open Tasks
First, we performed a frequency analysis of the
text shown in Figure 15. CT2 contains a set of different components for the
Then, we applied the Friedman test on the ci- automated cryptanalysis of classical ciphers. In
phertext and computed the IC (see the result in Table 1 we show an overview of already imple-
Figure 16). Both indicated, that the Borg cipher is mented components for the cryptanalysis of clas-
encrypted using the monoalphabetic substitution. sical ciphers. Green marked entries refer to com-
Thus, we finally used the Monoalphabetic Sub- ponents which we already implemented. Yellow
stitution Analyzer component of CT2 to break the marked entries refer to components that are not
cipher, see Figure 17. We tested different lan- implemented yet. The monoalphabetic substitu-

36
Figure 18: Borg Cipher – Revealed Plaintext by
Monoalphabetic Substitution Analyzer

tion, the columnar transposition, the Vigenère ci-

pher, and the Enigma machine are already break-
able using CT2. We plan to implement homo-
phone cipher analysis, codebook cipher analy-
sis, grille analysis (a special transposition cipher),
Playfair (a special substitution), strip and cylin- Table 1: Cryptanalysis Components for Classical
der cipher analyzers, ADFGVX analyzer, analyz- Ciphers in CT2 – Overview
ers for the Hagelin Machine (Lasry et al., 2016a)
(Lasry et al., 2016b) (e.g. the M209 cipher ma-
chine), and a Hill cipher analyzer. we gave an overview of methods for the automatic
The currently implemented analysis tools, like cryptanalysis already implemented in CT2 as well
frequency analysis, transcriptor, or Friedman test, as an overview of cryptanalytic components that
were shown and used in Section 5. For the future, we plan to implement.
we also plan to implement a “Cipher Detector” CT2 is a project that now runs for nearly 10
component which is able to automatically detect years. Within this time, we extended CT2 with
the used type of cipher (with a high probability). state-of-the-art methods for the cryptanalysis for
classical as well as for modern ciphers. CT2 con-
7 Conclusion
tains possibilities to cryptanalyze ciphers by con-
In this paper, we gave a brief introduction in the necting different CT2 instances over the Internet
e-learning program CrypTool 2 (CT2) and how it (CrypCloud). In the future, we plan to extend
can be used to automatically cryptanalyze clas- CT2 in such a way that it becomes easier and
sical ciphers. First, we gave an introduction to more user-friendly, thus, non-computer scientists
classical ciphers as well as to their cryptanaly- can more easily use it for breaking their classical
sis. Then, we shortly presented CT2 and its us- ciphers. There are still a lot of open tasks besides
age. After that, we showed an approach con- the implementation of cryptanalytic methods. We
sisting of three steps (transcription, identification, plan to extend the existing components by a huge
and analyzing) for breaking classical ciphers us- set of different languages (e.g. Latin, Greek, He-
ing CT2. We showed two classical real-world ci- brew, etc). Since many of the historical encrypted
phers (“Message in a Bottle Sent to General Pem- books are written in these languages, historians
berton in the US Civil War” and “Borg Cipher and cryptanalysts will benefit by the newly added
– Encrypted Book from the 17th Century”) and languages. Furthermore, we will extend exist-
described step-by-step how we broke them with ing cryptanalytic components to be more robust
components already implemented in CT2. Then, and more general with respect to the used alpha-

37
bets. Currently, the monoalphabetic substitution coincidence and its applications in cryptanalysis.
analyzer needs (for the transcription) a specific in- Aegean Park Press California.
put alphabet consisting of Latin letters. Till end of
James J Gillogly. 1995. Ciphertext-Only Cryptanaly-
2018 all kind of symbols a computer can process sis of Enigma. Cryptologia, 19(4):405–413.
will be possible (e.g. a support of UTF-8 charac-
ters). Furthermore, new kinds of classical ciphers Nils Kopal, Olga Kieselmann, Arno Wacker, and Bern-
and cryptanalytic methods will be added. Exam- hard Esslinger. 2014. CrypTool 2.0. Datenschutz
und Datensicherheit-DuD, 38(10):701–708.
ples are grilles and codebooks, which were exten-
sively used in history. Nils Kopal. 2018. Secure Volunteer Comput-
The CT2 team highly welcomes suggestions, ing for Distributed Cryptanalysis. http:
wishes, and ideas of historians, cryptanalysts, and //www.upress.uni-kassel.de/katalog/
abstract.php?978-3-7376-0426-0.
everybody else for additional ciphers and auto-
George Lasry, Nils Kopal, and Arno Wacker. 2016a.
mated cryptanalysis methods which should be in- Automated Known-Plaintext Cryptanalysis of Short
cluded in CT2 in the future. The list shown in Ta- Hagelin M-209 Messages. Cryptologia, 40(1):49–
ble 1 is open for new entries proposed by every- 69.
one. Since CT2 is open-source software, we wel-
George Lasry, Nils Kopal, and Arno Wacker. 2016b.
come everyone in contributing to the CT2 project Ciphertext-only cryptanalysis of Hagelin M-209
(programmers, testers, etc). Finally, everyone in- pins and lugs. Cryptologia, 40(2):141–176.
terested in CT2 may download the software for
free from https://www.cryptool.org/. George Lasry, Nils Kopal, and Arno Wacker. 2016c.
Cryptanalysis of columnar transposition cipher with
long keys. Cryptologia, 40(4):374–398.
References George Lasry, Ingo Niebel, Nils Kopal, and Arno
Nada Aldarrab, Kevin Knight, and Beata Megyesi. Wacker. 2017. Deciphering ADFGVX messages
2018. The Borg.lat.898 Cipher. http://stp. from the Eastern Front of World War I. Cryptolo-
lingfil.uu.se/~bea/borg/. gia, 41(2):101–136.

Michael J Cowan. 2008. Breaking short playfair ci- George Lasry. 2018. A Methodology for the Crypt-
phers with the simulated annealing algorithm. Cryp- analysis of Classical Ciphers with Search Meta-
tologia, 32(1):71–83. heuristics. kassel university press GmbH.
Daily Mail Reporter. 2010. CIA codebreaker reveals Thomas G Mahon and James Gillogly. 2008. Decod-
147-year-old Civil War message about the Confed- ing the IRA. Mercier Press Ltd.
erate army’s desperation. https://dailym.ai/
2JkVFCu. Beata Megyesi, Kevin Knight, and Nada Aldarrab.
Amrapali Dhavare, Richard M Low, and Mark Stamp. 2017. DECODE – Automatic Decryption of Histor-
2013. Efficient cryptanalysis of homophonic substi- ical Manuscripts. http://stp.lingfil.uu.se/
tution ciphers. Cryptologia, 37(3):250–281. ~bea/decode/.

William S Forsyth and Reihaneh Safavi-Naini. 1993. Phil Pilcrow. 2018. CryptoCrack. http://www.
Automated cryptanalysis of substitution ciphers. cryptoprograms.com/.
Cryptologia, 17(4):407–418.
Tobias Schrödel. 2008. Breaking Short Vigenere Ci-
William Frederick Friedman. 1987. The index of phers. Cryptologia, 32(4):334–347.

38
 Hidden Markov Models for Vigenère Cryptanalysis
Mark Stamp∗ Fabio Di Troia† Miles Stamp Jasper Huang
Department of Computer Science Los Gatos High School Lynbrook High School
San Jose State University Los Gatos, California San Jose, California
San Jose, California milez000782@gmail.com jhuang821@student.fuhsd.org
∗ mark.stamp@sjsu.edu
† fabioditroia@msn.com

Abstract an HMM trained on Vigenère ciphertext is infor-

mative, in the sense that the model enables us to
Previous work has shown that hidden clearly see which features contribute to the suc-
Markov models (HMM) can be effective cess of the technique. We compare our results to
for the cryptanalysis of simple substitu- recent work in (Gomez et al., 2018), where a neu-
tion and homophonic substitution ciphers. ral network is used to break Vigenère ciphertext
Although computationally expensive, an messages.
HMM-based attack that employs multiple The remainder of this paper is organized as fol-
random restarts can offer a significant im- lows. In Section 2, we discuss relevant back-
provement over classic cryptanalysis tech- ground topics, with the emphasis on hidden
niques, in the sense of requiring less ci- Markov models. Experimental results obtain by
phertext to recover the key. In this pa- applying HMMs to Vigenère ciphertexts are given
per, we show that HMMs are also applica- in Section 3. Finally, in Section 4 we give our con-
ble to the cryptanalysis of the well-known clusions and briefly consider future work.
Vigenère cipher. We compare and contrast
our HMM-based approach to recent re- 2 Background
search that uses Vigenère cryptanalysis to
supposedly illustrate the strength of a type 2.1 Vigenère Cipher
of neural network known as a generative A simple substitution cipher uses a fixed one-to-
adversarial network (GAN). In the context one mapping of the alphabet. It is a standard text-
of Vigenère cryptanalysis, we show that an book exercise to break a simple substitution using
HMM can succeed with much less cipher- frequency analysis. A homophonic substitution
text than a GAN, and we argue that the can be viewed as a generalization of a simple sub-
model generated by an HMM is consider- stitution, where a fixed many-to-one mapping is
ably more informative than that produced used. That is, in a homophonic substitution, more
by a GAN. than one ciphertext symbol can map to a single
plaintext letter. In contrast, for a polyalphabetic
1 Introduction substitution, the “alphabet” (i.e., the mapping be-
Hidden Markov models (HMMs) are a class of tween plaintext and ciphertext) changes. As com-
machine learning techniques that have proved use- pared to a simple substitution, a homophonic sub-
ful in a wide variety of applications, ranging from stitution tends to flatten the ciphertext statistics,
speech analysis (Rabiner, 1989) to malware detec- thereby making frequency analysis more difficult.
tion (Wong and Stamp, 2006). In the realm of A Vigenère cipher is a simple polyalphabetic
classic ciphers, HMMs have been shown to per- scheme, where a keyword is specified, and each
form well in the cryptanalysis of monoalphabetic letter of the keyword represents a shift of the al-
substitution ciphers (Berg-Kirkpatrick and Klein, phabet. For example, suppose that the keyword
2013; Lee, 2002; Vobbilisetty et al., 2017). is CAT and we want to encrypt attackatdawn.
In this paper, we build on the work in (Vob- Then we have
bilisetty et al., 2017) to show that an HMM is a keyword: CATCATCATCAT
powerful and practical tool for the cryptanalysis plaintext: attackatdawn
of a Vigenère cipher. Furthermore, we show that ciphertext: ctmccdctwcwg

Proceedings of the 1st Conference on Historical Cryptology, pages 39– 46,

Uppsala, Sweden, 18-20 June, 2018
 Letter a b c d e f g h i j k l m
Frequency .082 .015 .028 .043 .127 .022 .020 .061 .070 .002 .008 .040 .024
Letter n o p q r s t u v w x y z
Frequency .067 .075 .019 .001 .060 .063 .091 .028 .010 .023 .001 .020 .001

Table 1: English monograph statistics

That is, each C in the keyword specifies a shift monograph statistics. The monograph statistics
by 3, each A represents a shift by 0, and each T for standard English appear in Table 1.
is a shift by 19, and the keyword is repeated as Let κe denote the IC for English text. If we com-
many times as needed. Of course, if the keyword pute the IC for a large selection of English text,
is known, it is trivial to decrypt a Vigenère cipher- then based on Table 1, we would expect to find
text.
κe = 0.0822 + 0.0152 + 0.0282
2.2 Friedman Test
+ · · · + 0.0202 + 0.0012 ≈ 0.0656.
When attempting to break a Vigenère ciphertext,
the first step is to determine the length of the key- On the other hand, if we have random text drawn
word. The Friedman test (Friedman, 1987), which from the 26 letter English alphabet, we would ex-
is based on the index of coincidence (IC), is a pect to find that the IC is
well-known method for determining the length of
the keyword, provided that sufficient ciphertext is κr = (1/26)2 + (1/26)2 + · · · + (1/26)2 ≈ 0.0385.
available. An alternative method of finding the
For a simple substitution cipher, we relabel the
keyword length is the Kasiski test (Kasiski, 1863);
letters, which has no effect on the IC. That is,
here we focus on the Friedman test. In any case,
when a monoalphabetic substitution is applied to
once the keyword is known, the Vigenère cipher
English plaintext, the IC of the ciphertext is the
consists of a sequence of shift ciphers, and the
same as that of the plaintext. Friedman noted that
shifts can be determined by a variety of means.
for a polyalphabetic substitution, the larger the
The IC measures the “repeat rate,” i.e., the prob-
number of alphabets, the closer the IC is to κr .
ability that two randomly selected letters from a
Hence, for a polyalphabetic substitution, we can
given string are identical. This test relies on the
use the observed IC to estimate the number of al-
non-uniformity of letter frequencies in the under-
phabets and, in particular, the length of the key-
lying plaintext.
word in a Vigenère cipher.
Suppose that we have a string of text of length N
Let L be the length of the Vigenère keyword,
with na > 0 occurrences of A and nb > 0 occur-
and assume that the ciphertext is of length N. Then
rences of B, and so on. If we randomly select two
we have L Caesar’s ciphers. To simplify the nota-
letters (without replacement) from this string, the
tion, we assume that each of these L ciphers has
probability that the letters match is given by
exactly N/L letters. Under this assumption, the
na (na − 1) nb (nb − 1) nz (nz − 1) probability of selecting two letters from the same
+ +···+ Caesar’s cipher is given by
N(N − 1) N(N − 1) N(N − 1)

In general, the repeat rate, or IC, which we denote N(N/L − 1) N/L − 1

= .
as κ , is given by N(N − 1) N −1

1 c−1 Similarly, the probability of selecting two letters

κ= ∑ ni (ni − 1)
N(N − 1) i=0
(1) from different alphabets is

N − N/L
where c is the size of the alphabet, ni is the fre- .
N −1
quency of the ith symbol, and N is the length of the
string. For English text (without spaces, punctua- In the former case, the letters are derived from the
tion, or case), we have c = 26, and the the expected same simple substitution (in fact, Caesar’s cipher),
frequency of each ni is known from the language so the chance that they match is κe , while in the

40
latter case, the letters are from different Caesar’s the corresponding observation Oi . That is, row i
ciphers, so the chance that they match is about κr . of the B matrix contains a discrete probability dis-
Let κc be the computed IC for a given Vigenère tribution that gives the probabilities of the vari-
ciphertext. Then κc is the probability of selecting ous observation symbols when the hidden Markov
two letters at random that match and, evidently, process is in state i. As we show below, the com-
this probability is given by ponent matrices of an HMM can reveal informa-
tion about the underlying data that is not otherwise
N/L − 1 N − N/L
κc = κe + κr . (2) readily apparent to a human analyst. This could be
N −1 N −1 considered an advantage of an HMM over other
Solving equation (2) for L, we obtain more opaque forms of machine learning, such as
neural networks.
N(κe − κr )
L= . The following notation (Stamp, 2004) is com-
N(κc − κr ) − (κe − κr )
monly used for HMMs:
Since N is large relative to κe , κr , and κc , we can
approximate the keyword length by T = length of the observation sequence
N = number of states in the model
κe − κr
L= (3) M = number of observation symbols
κc − κr Q = {q0 , q1 , . . . , qN−1 }
For the case of English text, the expected IC = distinct states of the Markov process
is κe ≈ 0.0656, while for the random case (and V = {0, 1, . . . , M − 1}
under the assumption that we have 26 symbols), = set of possible observations
the IC is κr ≈ 0.0385. Recall that κc is the IC for A = state transition probabilities
the ciphertext, which is computed as in (1). Thus, B = observation probability matrix
we can approximate the Vigenère keyword length π = initial state distribution
using (3). In practice, when attempting to break O = (O0 , O1 , . . . , OT −1 )
a Vigenère ciphertext message, we would need to = observation sequence.
test various keyword lengths near the value given
by (3). Note that the observations are associated with the
In Section 3, we compare an HMM-based tech- integers 0, 1, . . . , M − 1, since this simplifies the
nique to the results obtained using the standard ap- notation with no loss of generality. Consequently,
proach to Vigenère cryptanalysis, as discussed in we have Oi ∈ V for i = 0, 1, . . . , T − 1.
this section. For our test cases, we find that the If we are given a sequence of observations of
HMM outperforms the Friedman test, in the sense length T , denoted (O1 , O2 , . . . , OT ), we can train
of giving us a more precise result for the keyword an HMM, that is, we can determine matrices A
length. In addition, the HMM simultaneously re- and B in Figure 1 that maximize the probabil-
covers the shifts, so that the entire Vigenère key is ity of this training sequence. The HMM train-
determined. ing process can be viewed as a discrete hill climb
on the high dimensional parameter space of the
2.3 Hidden Markov Models matrices A and B, and an initial state distribu-
True to its name, a hidden Markov model (HMM) tion matrix that is denoted as π . Once we have
includes a Markov process that is “hidden,” in the trained an HMM, we can use the resulting model,
sense that it is not directly observable. Along with denoted λ = (A, B, π ), to compute a score for a
this hidden Markov process, an HMM includes a given observation sequence—the higher the score,
sequence of observations that are probabilistically the more closely the scored sequence matches the
related to the (hidden) states. An HMM can be training sequence.
viewed as a machine learning technique that relies The HMM matrix A is N × N, while B is N × M
on a discrete hill climb algorithm for training. and π is 1 × N. Here, N is the number of hid-
A generic HMM is illustrated in Figure 1, den states and M is the number of distinct obser-
where A is an N × N matrix that defines the state vation symbols. All three of these matrices are row
transitions in the underlying (hidden) Markov pro- stochastic, that is, each row satisfies the conditions
cess, and the matrix B contains discrete probabil- of a discrete probability distribution. To train an
ity distributions that relate each hidden state Xi to HMM, we specify N, the number of hidden states,

41
 A A A A
X0 X1 X2 ··· XT −1

B B B B

O0 O1 O2 ··· OT −1

Figure 1: Hidden Markov model

while M, the number of distinct observation sym- and description here closely follows that in the tu-
bols, is determined from the data. torial (Stamp, 2004).
Typically, the matrices that define the HMM, In a classic illustration of the strengths of
i.e., λ = (A, B, π ), are initialized so that they are the HMM technique, (Cave and Neuwirth, 1980)
approximately uniform. That is, each element show that HMMs can be successfully applied to
of A and π is initialized to approximately 1/N, English text analysis. In (Stamp, 2004), the spe-
while each element of B is initialized to approx- cific English text example in Table 2 is given. In
imately 1/M. In addition, each row is subject to this case, the observations consist of the 26 letters
the row stochastic condition. Also, we cannot use and word space, for a total of M = 27 symbols,
an exact uniform initialization as this represents a and the analyst chose to use N = 2 hidden states.
peak in the hill climb from which the model is un- The B matrix is initialized so that each element is
able to climb. approximately 1/27, subject to the row stochas-
On the other hand, if we know something spe- tic condition—the precise initial values used in
cific about the problem, we can sometimes use this this example are given in first 2 columns in Ta-
knowledge when initializing the matrices, which ble 2. After training the HMM using 50,000 ob-
can serve to speed convergence and reduce the servations, the resulting transpose of the B matrix
data requirements. For example, in (Vobbilisetty is given in the final 2 columns of Table 2.
et al., 2017) it is shown that an HMM can be used
From the example in Table 2, we see that when
to recover the key in a simple substitution cipher-
the Markov process is in (hidden) state 1, the prob-
text, where the underlying language is English.
ability that the observed symbol is a is 0.13845,
In this case, the A matrix corresponds to English
the probability that the observed symbol is b
language digraph statistics, and hence we can ini-
is 0.00000, the the probability that the observed
tialize the A matrix based on such statistics, and
symbol is c is 0.00062, the the probability that the
there is no need to re-estimate A when training the
observed symbol is d is 0.00000, the probability
model.
that the observed symbol is e is 0.21404, and so
An HMM is a machine learning technique in the on. On the other hand, if the model is in (hid-
sense that very little is required of the human an- den) state 2, then the probability that the observed
alyst. Specifically, we need to specify the number symbol is a is 0.00075, the probability that the ob-
of hidden states N, but all other initial parameters served symbol is b is 0.02311, the probability that
are derived from the data, or can be generated at the observed symbol is c is 0.05614, the proba-
random. During training, we rely entirely on the bility that the observed symbol is d is 0.06937,
“machine” (specifically, the HMM training algo- the probability that the observed symbol is e
rithm) to generate the model. Surprisingly often, is 0.00000, and so on. In this case, we can clearly
the HMM training algorithm succeeds in automat- see that the 2 hidden states correspond to conso-
ically extracting relevant and useful information nants and vowels. Since no a priori assumption
from the data. was made about the letters, this simple example
For additional information on HMMs, the stan- nicely illustrates the “machine learning” aspect of
dard reference is (Rabiner, 1989). The notation an HMM.

42
 Initial Final text example, we see that the B matrix contains
a 0.03735 0.03909 0.13845 0.00075
b 0.03408 0.03537 0.00000 0.02311
the interesting information.
c 0.03455 0.03537 0.00062 0.05614 Again, an HMM is defined by the 3 matrices, A,
d 0.03828 0.03909 0.00000 0.06937 B and π , and it is standard practice to denote an
e 0.03782 0.03583 0.21404 0.00000
f 0.03922 0.03630 0.00000 0.03559 HMM as λ = (A, B, π ). We also want to empha-
g 0.03688 0.04048 0.00081 0.02724 size that each of these matrices is row stochastic,
h 0.03408 0.03537 0.00066 0.07278
i 0.03875 0.03816 0.12275 0.00000
with each row representing a discrete probability
j 0.04062 0.03909 0.00000 0.00365 distribution.
k 0.03735 0.03490 0.00182 0.00703
l 0.03968 0.03723 0.00049 0.07231
Now, suppose that we train an HMM with 2 hid-
m 0.03548 0.03537 0.00000 0.03889 den states on simple substitution ciphertext, where
n 0.03735 0.03909 0.00000 0.11461 the plaintext is English. The resulting model will
o 0.04062 0.03397 0.13156 0.00000
p 0.03595 0.03397 0.00040 0.03674 partition the ciphertext letters into those corre-
q 0.03641 0.03816 0.00000 0.00153 sponding to consonants and vowels. On the other
r 0.03408 0.03676 0.00000 0.10225 hand, if we set the number of hidden states N to
s 0.04062 0.04048 0.00000 0.11042
t 0.03548 0.03443 0.01102 0.14392 equal the number of symbols (i.e., either N = 26
u 0.03922 0.03537 0.04508 0.00000 or N = 27, depending on whether we include word
v 0.04062 0.03955 0.00000 0.01621 spaces), the simple substitution key can be eas-
w 0.03455 0.03816 0.00000 0.02303
x 0.03595 0.03723 0.00000 0.00447 ily determined from a converged B matrix of an
y 0.03408 0.03769 0.00019 0.02587 HMM (Vobbilisetty et al., 2017). Furthermore, in
z 0.03408 0.03955 0.00000 0.00110 this latter case, the A matrix contains digraph prob-
space 0.03688 0.03397 0.33211 0.01298
sum 1.00000 1.00000 1.00000 1.00000 abilities of the English plaintext.
An analogous HMM-based attack applies to ho-
Table 2: Initial and final BT for English plaintext mophonic substitution ciphers. However, in the
homophonic substitution case, the key recovery
from the B matrix is slightly more complex as the
For the example in Table 2, the converged A ma- number of symbols mapping to each plaintext let-
trix as given in (Stamp, 2004) is ter is typically unknown (Vobbilisetty et al., 2017).
For these HMM-based cryptanalytic models to
0.25596 0.74404
 
A= converge, we generally require large amounts of
0.71571 0.28429
ciphertext, making such attacks impractical for
This A matrix tells us that when the Markov pro- most classic cryptanalysis problems. However,
cess is in (hidden) state 1, the probability that it since HMM training is a hill climb technique, ran-
transitions to state 1 is 0.25596, while the proba- dom restarts can be used in an attempt to gener-
bility that it transitions to state 2 is 0.74404. Sim- ate an improved solution. It is shown in (Berg-
ilarly, if the Markov process is in state 2, it next Kirkpatrick and Klein, 2013), and from a slightly
transitions to state 1 with probability 0.71571, and different perspective in (Vobbilisetty et al., 2017),
it stays in state 2 with probability 0.28429. In this that by using large numbers of random restarts, the
case, the A matrix is not particularly interesting, as performance of HMM-based attacks can surpass
this matrix simply gives the probability of transi- other techniques, in the sense of requiring less ci-
tioning from a consonant to a vowel, a vowel to a phertext. For example, it is shown in (Vobbilisetty
consonant, and so on. et al., 2017) that HMMs can outperform Jakob-
As mentioned above, an HMM also includes an sen’s algorithm (Jakobsen, 1995), which is a well-
initial state distribution denoted as π , which for known general-purpose simple substitution solv-
the example above converges (Stamp, 2004) to ing technique that is based on digraph statistics.
In this paper, we consider HMM-based crypt-
0.00000 1.00000 analysis of the classic Vigenère cipher. For the


π=
Vigenère cryptanalysis problem considered here,
This tells us that the model started in the second we will train an HMM, then we show that by
hidden state which, according to the converged B examining the resulting matrices A, B, and π of
matrix, corresponds to the vowel state. Again, this a converged model, we can easily determine the
is not particularly enlightening. For this English Vigenère key.

43
2.4 Related Work In the next section, we give experimental results
In (Berg-Kirkpatrick and Klein, 2013) an expec- for an HMM-based attack on a Vigenère cipher.
tation maximization (EM) technique is applied to We also provide some discussion of our results,
homophonic substitutions, with the goal of ana- and we compare our technique to the GAN-based
lyzing the unsolved Zodiac 340 cipher. The EM approach mentioned above.
technique in (Berg-Kirkpatrick and Klein, 2013)
3 Experimental Results
is analogous to the HMM process discussed in the
previous section. A novelty of this work is the use First, we train an HMM with N = 3 hidden states
of an extremely large number of random restarts on a Vigenère ciphertext that was generated us-
to improve on the hill climb results. ing the keyword CAT. Note that in this experiment
The paper (Lee, 2002) appears to be the first we have selected the number of hidden states N
to explicitly apply HMMs (or similar) to substi- to be equal to the keyword length. Also, we have
tution ciphers. However, the work in (Cave and used an observation sequence (i.e., English text)
Neuwirth, 1980), which focused on English text of length 1,000 extracted from the Brown Cor-
analysis, anticipates later cipher-based studies. pus (Francis and Kucera, 1969). In all of our ex-
In (Vobbilisetty et al., 2017), HMMs are ap- periments, we have removed all special charac-
plied to simple and homophonic substitutions, and ters and word space, and all letters have been con-
a careful comparison is made to other automated verted to lower case, resulting in M = 26 distinct
cryptanalysis techniques. This work shows that observation symbols.
HMMs can achieve superior results in many cases, For this experiment, the converged A matrix is
although the computational expense can also be give by
quite high.
0.00000 0.00000 1.00000
 
The work presented here is motivated in part
by the recent paper (Gomez et al., 2018), where A =  1.00000 0.00000 0.00000 
it is shown that a generative adversarial network 0.00000 1.00000 0.00000
(GAN), which is a type of neural network, can
In contrast to the English text and simple sub-
be used to successfully break a Vigenère cipher.
stitution examples discussed in Section 2, here
However, this GAN-based Vigenère attack as-
the A matrix is very informative—for one thing,
sumes unlimited ciphertext, which is unrealistic
this A matrix tells us that the transition between
in any classic cryptanalysis context. In addi-
the N = 3 hidden states is actually deterministic.
tion, in (Gomez et al., 2018) it is claimed that a
From the nature of the Vigenère cipher, it is clear
strength of the GAN technique is its ability to han-
that these states correspond to individual column
dle a large vocabulary (up to 200 symbols), which
shifts, and hence this is a result that we would ex-
seems to be of somewhat dubious value in the con-
pect for a keyword of length 3.
text of Vigenère cryptanalysis. Finally, as is gen-
erally true of neural networks, the resulting GAN The corresponding B matrix appears in Table 3,
is opaque, leaving the authors to make statements which reveals that the first hidden state corre-
such as the following (Gomez et al., 2018): sponds to a shift of 0 (i.e., keyword letter A),
as the probabilities approximately match the ex-
For both ciphers, the first mappings to pected letter frequencies of English. We also see
be correctly determined were those of that the second hidden state corresponds to a shift
the most frequently occurring vocabu- by 2 (i.e., keyword letter C) since the letter fre-
lary elements, suggesting that the net- quencies in this column are offset by 2 from those
work does indeed perform some form of of English, while the final column corresponds to
frequency analysis to distinguish outlier a shift by 19 (i.e., keyword letter T).
frequencies in the two banks of text. From the converged B matrix and the state tran-
sitions in the converged A matrix, we deduce that
The implication here is that the authors are forced the keyword must be either ATC, TCA, or CAT. In
to conjecture as to the relative importance of the this specific example, we also find that the initial
various features in the GAN, since such basic in- state distribution matrix π converges to
formation is not at all clear from an examination
of the model itself. π = 0.00000 1.00000 0.00000

44
 a 0.08761 0.01290 0.04950 Since some state transitions are deterministic, we
b 0.01560 0.00000 0.06811 suspect that the keyword length is less than 4 in
c 0.03540 0.07411 0.00480 this case. Similarly, an HMM with N = 5 hidden
d 0.04290 0.01470 0.00450 states yields
e 0.13171 0.03030 0.04320
0.00 0.00 0.00 1.00 0.00
 
f 0.02100 0.04740 0.02520
 0.00 0.00 1.00 0.00 0.00 
g 0.02190 0.12181 0.06661  
0.04170 0.02160 0.07291 A=  0.00 0.00 0.00 1.00 0.00 

h
 0.00 0.47 0.00 0.00 0.53 
i 0.06841 0.01470 0.02610
j 0.00180 0.04470 0.00060 1.00 0.00 0.00 0.00 0.00
k 0.00600 0.08101 0.06541 which, again, implies that the keyword length is
l 0.04080 0.00360 0.06541 likely less than 5. Finally, we point out that multi-
m 0.02340 0.00300 0.09871 ples of the keyword length behave similarly—for
n 0.06001 0.04800 0.02520 this example, with N = 6 hidden states we obtain
o 0.08131 0.02280 0.01050
p 0.02430 0.06721 0.01680 0.00 0.00 0.54 0.00 0.46 0.00
 
q 0.00090 0.07711 0.00300  0.00 0.00 0.00 0.00 0.00 1.00 
0.06601 0.02160 0.02130  0.00 0.00 0.00 1.00 0.00 0.00 
 
r
A=
0.06151 0.00090 0.00030

s  0.49 0.51 0.00 0.00 0.00 0.00 
0.09481 0.06451 0.07951
 
t  0.00 0.00 0.00 1.00 0.00 0.00 
u 0.02910 0.06541 0.01500 0.00 0.00 0.00 1.00 0.00 0.00
v 0.01020 0.09781 0.03090
w 0.01500 0.03180 0.03870 From these results, we conclude that the A ma-
x 0.00180 0.00960 0.13171 trix in a converged HMM will enable us to pre-
y 0.01590 0.02040 0.02310 cisely determine the keyword length used to en-
z 0.00090 0.00300 0.01290 crypt a Vigenère ciphertext. Furthermore, if suf-
ficient ciphertext is available so that English letter
distributions are (roughly) apparent, the B matrix,
Table 3: Final BT for Vigenère ciphertext with
together with the initial state matrix π , will com-
keyword CAT
pletely determine the keyword. That is, we simply
train HMMs with different values of N until we
This implies that we start in the second hidden obtain a deterministic A matrix, and then we use
state, which corresponds to C, and hence we have the corresponding B and π matrices to determine
determined that the keyword is CAT. the Vigenère key. Due to the fact that an HMM is a
Suppose that instead of using N = 3 hidden hill climb, to obtain a converged model, we might
states, we train an HMM with N = 2 hidden states need to train each HMM multiple times with dif-
using the same Vigenère encrypted data as in the ferent randomly-selected starting values.
previous example. In this case, we find that the A Next, we consider the amount of ciphertext
matrix converges to needed to determine the Vigenère key using this
HMM-based attack. Of course, the amount of ci-
0.75236 0.24764
 
A= phertext will depend on the length of the keyword.
0.34235 0.65765 We tested a few small keyword lengths until
we found an initialization that yielded a solution.
which tells us that we do not have deterministic
Then we reduced the amount of ciphertext until the
transitions between the states, and hence the key-
HMM was unable to solve the problem. This gives
word length is greater than 2.
us an upper bound on the amount of ciphertext
If, on the other hand, we attempt to train a
needed, at least in these selected cases. In these
model with N = 4 hidden states, we obtain
experiments, we define a “solution” as a trained
0.00000 1.00000 0.00000 0.00000 HMM where the average of the maximum value
 
 0.00000 0.00000 0.99884 0.00116  in each row of the A matrix is at least 0.99. Our
A=  1.00000 0.00000 0.00000 0.00000 

results are given in Table 4, based on 100 random
0.00000 0.15595 0.00000 0.84405 restarts of the HMM for each test case.

45
 Keyword Minimum Friedman References
Keyword
length ciphertext test Taylor Berg-Kirkpatrick and Dan Klein. 2013. De-
IT 2 175 1.4235 cipherment with a million random restarts. In Pro-
DOG 3 250 3.7209 ceedings of the Conference on Empirical Methods in
MORE 4 450 3.8208 Natural Language Processing, pages 874–878.
NEVER 5 1200 3.6467 Robert L. Cave and Lee P. Neuwirth. 1980. Hid-
SECURE 6 1400 4.5545 den Markov models for English. In J. D. Fergu-
ZOMBIES 7 1300 9.9334 son, editor, Hidden Markov Models for Speech,
IDA-CRD, Princeton, NJ, October 1980, pages 16–
56. https://www.cs.sjsu.edu/~stamp/RUA/
Table 4: HMM attack (100 random restarts) CaveNeuwirth/index.html.

W. Nelson Francis and Henry Kucera. 1969. The

From the results in Table 4, it seems likely that Brown Corpus: A standard corpus of present-day
edited American English. http://www.nltk.
with a large number or random restarts, we can org/nltk_data/.
significantly reduce the required length of the ci-
phertext. In any case, even the ciphertext lengths William F. Friedman. 1987. The Index of Coincidence
and Its Applications in Cryptography. Aegean Park
in Table 4 are far from the “unlimited” ciphertext Press.
that is assumed for the GANs training discussed
in (Gomez et al., 2018). It is also interesting that Aidan N. Gomez, Sicong Huang, Ivan Zhang,
our HMM result is accurate, even in cases where Bryan M. Li, Muhammad Osama, and Lukasz
Kaiser. 2018. Unsupervised cipher cracking using
the Friedman test gives an incorrect result. discrete GANs. https://arxiv.org/abs/1801.
04883.

4 Conclusion Thomas Jakobsen. 1995. A fast method for the

cryptanalysis of substitution ciphers. Cryptologia,
19:265–274.
In this paper, we showed that a hidden Markov
model (HMM) is a powerful and effective tool for Friedrich W. Kasiski. 1863. Die Geheim-
the cryptanalysis of Vigenère ciphertext messages. schriften und die Dechiffrirkunst (Cryptography
and the Art of Decryption). Mittler und
We also showed that a trained HMM is informa- Sohn, Berlin. http://pages.mtu.edu/~shene/
tive in this context, in particular when compared NSF-4/Tutorial/VIG/Vig-Kasiski.html.
to the neural network (GAN) based Vigenère at-
Dar-Shyang Lee. 2002. Substitution decipher-
tack discussed in (Gomez et al., 2018). Undoubt- ing based on HMMs with applications to com-
edly, GANs are powerful and useful tools for many pressed document processing. IEEE Transac-
types of problems. However, it appears that the tions on Pattern Analysis and Machine Intelligence,
Vigenère cipher may not be an ideal test case to il- 24(12):1661–1666, December.
lustrate the strengths of this particular type of neu- Lawrence R. Rabiner. 1989. A tutorial on hidden
ral network. Markov models and selected applications in speech
For future work, it would be interesting to test recognition. Proceedings of the IEEE, 77(2):257–
286.
an HMM-based Vigenère attack with large num-
bers (i.e., millions) of random restarts to deter- Mark Stamp. 2004. A revealing introduction to
mine the minimum amount of ciphertext needed. hidden Markov models. https://www.cs.sjsu.
edu/~stamp/RUA/HMM.pdf.
It would also be interesting to test similar HMM
based attacks on other more complex polyalpha- Rohit Vobbilisetty, Fabio Di Troia, Richard M. Low,
betic substitutions. Various combinations of clas- Corrado Aaron Visaggio, and Mark Stamp. 2017.
sic substitution and, perhaps, elementary trans- Classic cryptanalysis using hidden Markov models.
Cryptologia, 41(1):1–28.
position ciphers are also possibly amenable to
HMM-based analysis. Due to their general ap- Wing Wong and Mark Stamp. 2006. Hunting for meta-
plicability to classic substitution ciphers, HMMs morphic engines. Journal in Computer Virology,
2(3):211–229.
might be useful as a first line of analysis in cases
where a (classic) encryption technique is not com-
pletely known.

46
W ORLD WAR I
48
 The Solving of a Fleissner Grille during an Exercise by the Royal
Netherlands Army in 1913

Karl de Leeuw
University of Amsterdam / Informatics Institute
Science Park 904, 1098 XH Amsterdam
karl.de.leeuw@xs4all.nl

Abstract Initially the grille was intended for hiding that

a secret message was being sent at all, rather than
In 1885 the General Staff of the Royal as a means of encryption. This all changed dur-
Netherlands Army had adopted a variant ing the course of the 18th century, when the grille
of the turning grille devised by Edouard was increasingly used for jumbling the characters
Fleissner von Wostrowitz as a means for in a message by rotating them, according to the
encrypting messages, exchanged by tele- holes in the mask. The first description of such
graph between the General Headquarters use we find by the German mathematician Carl
and commanders in the field. Some staff Friedrich von Hindenburg (1796) who was aware
members harbored serious doubts about that such use could only be made at the expense
the security of this device, however, and of a loss in entropy and, therefore, cryptographic
during a military exercise in 1913 it was strength. The perforation pattern in one quadrant
solved with surprising ease by an army of the mask would automatically limit the possi-
captain. The matter was investigated by bilities for perforation in all others, because two
a committee of staff officers, concluding punch holes could not be allowed to cover the
that the army lacked the expertise to judge same position after a rotation.
matters like this. It recommended the
training of a staff officer for this purpose
in particular. The outbreak of the First
World War was to speed up the decision
process, but – against all odds – the newly
trained experts were not drawn from the
ranks that had demonstrated their talent
for code breaking a year earlier, because
these were destined to follow different ca-
reer paths altogether.

1 Introduction Figure 1: drawing showing how a turning grille

can be punched
Kahn (1967) describes the original grille, as con-
ceived by Cardano as: The appearance of the turning grille in scien-
“a sheet of stiff material, such as cardboard, tific literature only at the end of the 18th century
parchment or metal into which rectangular holes, does not mean, however, that it wasn’t used before.
the height of a line of writing and of varying Karl de Leeuw and Hans van der Meer (1995) have
lengths, are cut at irregular intervals. The enci- demonstrated that the practice existed already 50
pherer lays this mask over a sheet of paper and years earlier. The device gained wide popular-
writes the secret message through the perfora- ity much later, after a Austrian Colonel Edouard
tions, some of which will take a whole word, others Fleissner von Wostrowitz (1881) had drawn atten-
a single letter, others a syllable. He then removes tion to it in a handbook about military cryptogra-
the grille and fills in the remaining spaces with an phy. Essentially, he proposed the adding of two or
innocuous sounding cover message.” 1 more columns with nulls in order to hide the center
1 Kahn, 144-145 of rotation of the actual cryptogram. At the eve of

Proceedings of the 1st Conference on Historical Cryptology, pages 49– 54,

Uppsala, Sweden, 18-20 June, 2018
and during the first world war his suggestion was tress, because these could enter the shallow waters
followed widely. Kahn (1967) mentioned the use protecting the Dutch capital and its surroundings.
of turning grilles in different sizes by the Germans This clearly indicated that a German attack could
during the first months of 1917, only to be solved not be ruled out, in case war broke out in Western
by French code breakers not much later.2 The Europe (Klinkert, 2017).
Dutch were no exception. In a circular announce- During this exercise, lasting two days in June
ment dated 23 April 1885 the General Staff pro- 1913, a deployment of troops in the IJssel valley
scribed the use of the turning grille for telegraph was simulated, entailing a movement of troops by
traffic in times of crisis between the General Head- train from the western to the eastern part of the
quarter and field commanders.3 Some staff mem- country, including the transport of equipment for
bers, however, doubted the cryptographic strength a field hospital. On the eve of the second day of
of the device and one of them proposed the en- the exercise – on 20 June – a cable message was
ciphering of the original message by means of a sent by the field commander in the western part of
addition table, before deploying the turning grille country with orders for his troops already present
proper.4 This proposal did not get any follow-up, in the eastern part. It was to be intercepted by the
but the matter became urgent again on 20 June party supposedly defending the East, located in the
1913, when another army captain, C.J.H. van der stronghold Cortenoever, overlooking the valley.5
Harst (1876-1938), was able to break an encrypted The encrypted message was given to Captain
message from GHQ with surprising ease. This C.J.H. van der Harst who was to find out which or-
incident caused commander in chief General C.J. ders were given for the next day. It consisted of 15
Snijders (1852-1939) to appoint a committee to re- columns and thirty rows filled with letters only, no
examine the use of cryptography by the army. digits included. Captain van der Harst – who was
In this paper I will briefly discuss the military detached by his regiment with the General Staff –
exercise and then show how the message was bro- had three advantages: (1) he knew exactly how the
ken by Captain van der Harst. Subsequently I will turning grille had to be handled according to the
analyse the way in which the entire incident was guidelines, issued by his colleagues at the General
evaluated by the General Staff. In the conclusion, Staff, when it was introduced nearly twenty years
I will assess the viability of the measures taken. before; and (2) he was familiar with the language
used by army officers in cables like these; and (3)
2 The exercise he was well aware of the limitation in entropy, of-
fered by the turning grille, as he makes a remark
The Netherlands had been a neutral country since
about this in his notes.
the defeat of Napoleon in 1815. Apart from colo-
nial warfare, mainly in the East Indies and a mil- To start with the first: the use of punctuation
itary expedition to prevent Belgium from gaining marks and digits was strictly prohibited. Numbers
its independence in 1830 it had not fought a ma- were to be represented by the first 10 letters of the
jor war for almost 100 years, when finally war alphabet, omitting the “j”; punctuation marks were
broke out in 1914. The Netherlands managed to to be spelled out. The sides of the grille were al-
stay out of conflict, but were heavily affected by ways indicated by means of the first eight letters
trade embargoes and the flooding of half a mil- of the alphabet. The square in the exact middle of
lion refugees from Belgium. The army was not the grille was used to indicate which side had to
unprepared. It had to reckon with a military in- be placed on top to start with, from that position
vasion by the British in the south west to liber- on every following rotation was to be made clock-
ate Antwerp and with a German attack from the wise. If the message contained too many letters
east. The German building of armored flatboats to fit one cipher block, this procedure was sim-
with heavy guns had caused the army much dis- ply repeated. Remaining squares had to be filled
in with nulls. The adding of at least two columns
2 Kahn, 308-309 with nulls, recommend by Colonel Fleissner von
3 The Hague, Nationaal Archief, Department van Oorlog, Wostrowitz to hide the rotating center of the cryp-
Generale Staf, inv. nr. 82
4 Ibid., inv. nr. 305: Captain A. van Mens to General togram, was not mandatory for regular use. The
C.J. Snijders, Arnhem 1911, January 19. Van Mens wrote his
advice on request of the chief of staff, given by mouth five 5 Ibid., inv. nr. 305: handwritten note without date con-
days earlier. taining instructions for the exercise.

50
Figure 2: the supposedly intercepted message. Source: Nationaal Archief Den Haag

51
guidelines did mention this possibility, but only as expected the message to contain information about
a complicating measure, to be applied at will. A troop movements, not yet known to the field com-
second complicating measure mentioned was the mander, orders, or reconnaissance about the en-
filling of the mask before rotation with nulls and emy.
starting writing the actual message after turning The first row of the cryptogram contained the
the backside up. This procedure could only be in- letters ’i’, ’c’. ’h’, and ’t’, likely constituting the
dicated if the center for rotation was filled with last syllable of the word of ’bericht’; the last row
two letters: one to indicate the original position of contained ’b’, ’e’ and ’r’, constituting the first syl-
the mask and one to indicate how it had been laid lable of the same word. These letters had to cor-
after the backside had been turned up.6 respond with three punch holes of the mask. Con-
sequently, these squares had to remain black when
3 Reconstructing the grille in use the grille is turned. The drawing of the mask could
The approach taken by Captain Van der Harst to now begin. The last row contained one more prob-
solve the cryptogram can be derived from his per- able word: ’g’, ’r’, ’y’, ’p’, (attack). This word
sonal notes, handed over after the exercise to the is likely to occur in a sentence like this: ’gryp
commander in chief Lieutenant-General Snijders.7 morgen vyand aan’ (attack the enemy tomorrow).
The captain started his analysis by stating that the These words can be constituted from letters also to
size of the letter square, consisting 15 columns and be found in the first and second row, indicating the
30 rows, probably indicated a plain use of the turn- position of the punch holes when side II is put on
ing grille twice, without columns added. This im- top. Another probable grouping of words would
plied that the letter square had to be divided into be: ’met uwe geheele macht’ (with your entire
two halves of 15 rows each and that the punch hole force). Detecting of these words makes the unveil-
in the exact middle of each letter square would ing of the second cipher block almost complete.
have to contain a letter indicating which side of The text occurring in the punch holes when side
the grille had to be put on top first. IV is put on top can now be reconstructed: ’or u
vastgestelde stations zijn uitgeladen kondschaps-
The square in the middle of the first cipher block
ber’ (Railway stations allocated by you reconnais-
contained two letters, however, ’cg’, the square in
sance mess...). This implicates that the square is
the middle of the second cipher block only one let-
to be used first with side IV being put on top, be-
ter: ’d’. Therefore, Van der Harst decided to pro-
fore side I, II and III are moved to this position,
ceed with the second cipher block.
correponding with the letter ’d’ in the middle of
The captain subsequently asked which words
the second cipher block. The remaining letters oc-
were likely to emerge in the message, words that
curring when side III is put on top constitute rub-
could be detected easily, because of their spelling
bish. The entire text emerging in this cipher block
that is to say. He mentioned several: ’vyand’ (en-
is now clear:
emy), because the ’y’ does not occur very often
in Dutch; ’bericht’ (message), because the trigram ’door u vastgestelde stations zijn uitgeladen vol-
’cht’ is rare; and ’opperbevelhebber’ (commander gens kondschapsbericht heeft vyand te helder min-
in chief), because this word contained two dou- stens drie divisies ontscheept gryp morgen vyand
blings of consonants: ’pp’ and ’bb’ which is rare aan met uwe geheele macht en werp hem terug op-
in Dutch also. Generally speaking, Van der Harst perbevelhebber slot’
(allocated railwaystations are unloaded ac-
6 Ibid., inv. nr. 82: Aanwijzing voor het gebruik van
cording to reconnaissance message the enemy has
geheimschrift (Clues for the use of Secret Writing). It is un-
clear to me how this recommendation was to be put into prac- disembarked at least three divisions in helder at-
tice, if a cable gram was actually sent. After all, all of this de- tack the enemy tomorrow with your entire force
pended on the neatly reorganizing the cryptogram in groups
of four letters. Clearly, in one way or the other, it had to be
and throw him back commander in chief end).
indicated that the telegram contained two letters that had to With help of the reconstructed grille, but only
be placed in one square, but how? after moving the mask in various positions in a
7 Ibid., inv.nr. 305: | Methode van ontcijfering van
het geheimschrift (Method of Deciphering of Cryptogram). process of trial and error, the following message
Annex to the letter sent by Lieutenant-General C.J. Sni- emerged:
jders to staff captains P. Huizer, E.F. Insinger and P.J. Van
Munnekrede, s’Gravenhage, 7 November 1913, GS no 138, Derde divisie, korps RA en vliegafd zullen
Geheim. hedenavond en nacht worden aangevoerd en be-

52
 have the advantage that Army and Navy could ex-
change secret messages without additional effort.8
He also wanted them to take notice of a system,
described recently in a French journal.9
Unfortunately, this committee lacked all code
breaking experience. It proved, however, to be
well versed in the cryptologic literature of the
day. It cited among other titles Les chiffres secrets
dévoilées by E. Bazeries (1901); Etude sur la cryp-
tographie by A. Collon (1906); Kryptographik
by L. Kluber (1809); Die Geheimschriften im di-
enste des Geschäfts- und Verkeherslebens, by H.
Schneikert (1905); not to mention of course the
well-known Handbuch der Kryptographie by E.
Fleissner von Wostrowitz (1881).10 This sufficed,
however, to discourage adoption of the cipher sys-
tem used by the navy, because this consisted of
a simple Caesar alphabet to encipher the existing
optical signal register whenever needed, offering
no genuine protection at all.11 What is more, ac-
cording to the committee, a common cipher sys-
tem for army and navy was unnecessary and even
Figure 3: The grille as teconstructed by Van der dangerous: unnecessary because army and navy
Harst. Source: Nationaal Archief units were not be in direct contact, orders be-
ing always given top down; and dangerous, be-
halve verpleging en veldhosp afd morgenochtend cause the distribution of ciphers would become too
om zes uur aan de door u vastgestelde stations zijn widespread to offer security any longer. Encryp-
uitgeladen volgens kondschapsbericht heeft vyand tion had to remain limited to messages exchanged
te helder minstens drie divisies ontscheept gryp between the GHQ and the field commanders.12
morgen vyand aan met uwe geheele macht en werp Surprisingly, a careful examination of the liter-
hem terug opperbevelhebber slot’ ature had lead the committee to believe that the
(third division, royal horse artillery and air- turning grille was one of the strongest encryp-
craft unit will be conveyed this evening and night tion devices available, as no convincing cases were
and except for hospital staff and hospital equip- presented of its solution. It did believe, however,
ment tomorrow morning at six o’ clock unloaded that the way in which the system was used in the
at the designated railwaystations according to re- Netherlands, was ready for improvement.13 In the
connaissance message the enemy has disembarked view of his colleagues, Captain van der Harst was
at least three divisions in helder attack enemy to- able to break the cipher, only because he had a
morrow with your entire force and throw him back some idea what the messages was about; because
commander in chief end) he was well aware what probable words to look
8 Ibid., inv.nr. 305: Lieutenant-General C.J. Snijders
4 The staff report
to staff captains P. Huizer, E.F. Insinger and P.J. Van
Munnekrede.s’Gravenhage, 7 November 1913, GS no 138,
On 7 November 1913 General C.J. Snijders de- Geheim.
cided to put the matter before a committee of three 9 Génie Civil,XXIII (26), 420.
10 The Hague, Nationaal Archief, Departement van Oorlog,
staff officers: the captains P. Huizer, E.F. Insinger
Generale Staf, inv. nr. 305: Beschouwingen en voorstellen
and P.J. Van Munnekrede. He asked whether the in verband met het bij den Generale Staf in gebruik zijnde
turning grille could be improved or had to be re- geheimschrift. d.d. 30 May 1914. (Reflections and Proposi-
placed altogether. If the last was to be case, he tions with regard to Secret Writing as practiced by the Gen-
eral Staff.
demanded to pay attention to the question whether 11 Ibid., 4.
the system in use by the Royal Netherlands Navy 12 Ibid., 5-6.

could be adopted by the Army as well. This would 13 Ibid., 6-7

53
for; and, last but not least, because no complicat- General and governor in charge of the Royal Mil-
ing measures, such as the adding of columns to itary Academy.
hide the real rotating center of the cipher block
were ever taken.14 Much in line with the original
suggestion made by Captain Van Mens in 1911, References
the committee recommended the enciphering of Edouard Fleissner von Wostrowitz. 1881. Handbuch
the original message before putting it under a turn- der Kryptographie. Seidl & Sohn, Wien, Austria.
ing grille by way of a Vigenère, carefully explain- Carl Friedrich von Hindenburg. 1796. Fragen eines
ing how a Vigenère worked.15 Ungenannten über die Art durch Gitter geheim
The committee did not go into the actual crypt- zu schreiben. Archiv der reinen und angewandten
analysis of the message. It was well aware that it Mathematik III: 347–351, V: 81-99.
lacked the hands-on experience, needed in an ac- David Kahn. 1967. The Codebreakers. The Story of
tual war. Therefore, it recommended the appoint- Secret Writing. Macmillan Publishing Company,
ment and training of an additional staff officer to New York, USA.
gain expertise in this particular field. It doubted, Wim Klinkert. 2017. ’Espionage Is Practised Here on
however, that this job was suited for a career of- a Vast Scale’. The Neutral Netherlands, 1914-1940.
ficer, who had to rotate jobs on a regular basis. Floribert Baudet et al., Perspectives on Military In-
The mindset needed was one of patience, perse- telligence from the First World War to Mali. Between
Learning and Law. T.M.C. Asser Press, The Hague,
verance and wisdom: with the possible exception The Netherlands, 23-54.
of perseverance attributes difficult to find among
people who joined the army in most cases, because Karl de Leeuw and Hans van der Meer. 1995. A Turn-
ing Grille from the Ancestral Castle of the Dutch
they wanted to see action. The committee believed Stadtholders. Cryptologia, XIX(2), 153-164.
that a reserve officer would be better suited for this
task, because he would lack the ambition to make Karl de Leeuw. 2015. ’The Institution of Modern
a career in the army to start with. Descent was Cryptology in the Netherlands and the Netherlands
East Indies, 1914-1935.’ Intelligence and National
irrelevant, in this particular case. Security, 30: 26-46.

5 Conclusion
Less than a month after the committee had com-
pleted its report, Archduke Franz Ferdinand and
his spouse were murdered and less than two
months later war broke out, changing the face of
the continent. In this context it should not sur-
prise us that the committee’s advice was followed.
Henri Koot, a young lieutenant from the colonial
army who happened to be in the country to fol-
low a training program, possessed all the required
qualities and proved to be able to lay the ground-
work for the institution of modern cryptology in
the Netherlands, as Karl de Leeuw (2015) has
shown. Koot – recognizably of mixed descent –
was highly intelligent, but also modest and obedi-
ent to the extreme and he had no career expecta-
tions outside the colonial army whatsoever. Nor
should it, after all that has been said, surprise us,
that Van der Harst – who clearly had demonstrated
his talent as a cryptologist – wasn’t called upon
to do the job. He was to rise high in the Royal
Netherlands Army, ending his career as a Major
14 Ibid., 8.
15 Ibid., Bijlage B.

54
 Deciphering German Diplomatic
and Naval Attaché Messages from 1914-1915

George Lasry
University of Kassel
Germany
george.lasry@gmail.com

Abstract was not allowed to keep records in their encoded

form. Diplomatic archives in most cases do not
In World War One (WW1), the Ger-
contain original cryptograms. Furthermore, signal
man diplomatic services and the Imperial
intelligence and codebreaking agencies which in-
Navy employed codebooks as the primary
tercept enemy communications also have a policy
means for encoding confidential commu-
of not preserving the original cryptograms. As a
nications over telegraph and radio chan-
result, the discovery of a collection of such docu-
nels. The Entente cryptographic services
ments is a rare event and can be of significant value
were able to reconstruct most of those
for cryptology history research and general his-
codebooks, to obtain copies of others, and
torians. For example, hundreds of Enigma cryp-
to overcome various enhancements intro-
tograms from 1941 and 1945 were decrypted in
duced by the Germans.
2005, shedding new light on German communica-
A collection of diplomatic and naval at- tion procedures and on the fate of resistance lead-
taché cryptograms from and to the German ers who died in Nazi concentration camps (Sul-
consulate in Genoa, dating from the late livan and Weierud, 2005). In 2016, a collection
19th Century to 1915, has been preserved of ADFGVX cryptograms from the Eastern Front
and is held in German archives.1 of WW1 was deciphered, providing new insight
In this article, the author describes the into events which occurred towards the end of the
process of identifying the encoding meth- war (Lasry et al., 2017).
ods, of reconstructing the 18470 diplo- The Politisches Archiv des Auswärtigen Amtes
matic codebook, and of recovering the su- (PA AA), the political archives of the German For-
perencipherment applied to the German eign Office in Berlin, holds a series of documents
Navy’s Verkehrsbuch. recording communications to and from the Ger-
The vast majority of the messages can now man consulate in Genoa (Genova), a port in north-
be read in clear. Before the war, the com- western Italy (PAAA, c 1915). The records cover
munications are mainly about routine con- the period from 1867 to 1915, most of them from
sular matters. From the summer of 1914, 1914 until May 1915, at the time Italy left the
they reflect the sequence of events lead- Triple Alliance and declared war on the Austro-
ing to war, including the declarations of Hungarian Empire. While a large part of the doc-
war. The messages also describe the cru- uments consists of non-encrypted plaintexts, hun-
cial role played by the German consulate dreds of them consist of original cryptograms, en-
in collecting naval intelligence, and in as- coded using several types of diplomatic and naval
sisting the German warships Goeben and codebooks.
Breslau in their escape to the Dardanelles This article describes the process of recover-
in August 1914. ing the original plaintexts and analyzing their con-
tents. It is structured as follows: In Section 2,
1 Overview
we provide an introduction to codebooks, as well
Collections of original encrypted messages are as a description of the main German diplomatic
hard to find. As a standard security procedure, it and naval codebooks used in WW1. In Section 3,
1 RAV Genua - Records from the German General Con- we describe, step-by-step, the process of identi-
sulate in Genoa. Politisches Archiv des Auswärtigen Amtes. fying the various encryption methods, of recon-

Proceedings of the 1st Conference on Historical Cryptology, pages 55– 64,

Uppsala, Sweden, 18-20 June, 2018
structing one of the codebooks, and of recover- 2.2 Two-Part Codebooks
ing the superencipherment key for another code-
To achieve better cryptographic security, there
book. In Section 4, we provide preliminary find-
should ideally not be any relationship between the
ings about the contents of the messages. In Sec-
(alphabetical) order of the words and the numeri-
tion 5, we briefly assess the cryptographic weak-
cal order of the corresponding codes. While doing
nesses of WW1 German codebooks and proce-
so increases the cryptographic security of a code-
dures.
book, at the same time, it is not possible anymore
to use the same codebook for both enciphering and
2 German WW1 Code Books deciphering. Two versions of the codebook are re-
quired, the first one in alphabetical order for enci-
A codebook is essentially a dictionary of words phering, and the second one in numerical order for
and other entities that may be encoded using a deciphering, in other words, a two-part codebook.
code, such as a 5-digit number, or a 4-letter code. At first, the designers of German codebooks in-
In this section, the various types of codebooks are troduced two-part codebooks in which they scram-
described, focusing on diplomatic and naval code- bled the order of the pages, but the numerical
books used by the German Empire in WW1. codes for words within a page (usually 100 per
page) were still ordered according to the alpha-
betical order of the words. As a result, numeri-
2.1 One-Part Codebooks
cally close codes could still be guessed. Worse,
The one-part codebook is the most convenient new codebooks were often no more than a copy
form of a codebook. Compiling such a code- of a previous codebook (possibly already recon-
book is a relatively simple process. The codebook structed by the enemy) in which only the original
entries appear in alphabetical order. Numerical pages had been reshuffled, but not the words inside
codes are assigned to each entry in the same or- each page. To reconstruct such a codebook, it was
der. It is easy to search for a word and its cor- enough to map each page from the previous ver-
responding numerical code while enciphering a sion to the corresponding page in the new version.
message, or to search for a numerical code while For that purpose, the knowledge of the meaning
deciphering an encoded message. Therefore, the for only a few tens of codes (in the new codebook
same physical copy of the codebook can be used version) was usually sufficient.
for both enciphering and deciphering. To achieve a purely random ordering, ‘hat
Like any other form of enciphering using sub- codes’ (also known as ‘lottery codes’) were intro-
stitution, codebooks may be reconstructed by ad- duced during the war. Their name is derived from
versaries using frequency analysis. The most fre- the manual methods used in WW1, such as mix-
quent codes are most likely to represent the most ing paper strips inside a hat, and extracting them
frequent words of the language. To reduce the randomly and assigning them numerical codes, so
frequency of the most common codes, codebook that the numerical codes have no relation to the al-
compilers also included expressions and even full phabetical order of the words. Reconstructing a
sentences as entries in the book. Furthermore, they hat code by codebreaking agencies required a sig-
assigned multiple codes for the most heavily used nificantly larger and longer effort, including ex-
words. Those measures were not always effective, tensive trial-and-error. In general, cryptanalysts
as they often depended on the operator choices for could never reconstruct such a codebook in its en-
encoding sentences instead of single words, and tirety.
for not always selecting the same numerical code
2.3 Superencipherment
for a common word. The main weakness of one-
part codebooks is the strong relationship between Physical copies of a codebook may always fall
the alphabetic location of words and their corre- into the enemy’s hands, and while harder with hat
sponding numerical codes. If two numerical codes codebooks, reconstruction by analytical means is
are close to each other, and the meaning of the first still possible. Therefore, codebooks should not
word is known, it might be possible to guess the be used for an extended period of time. On the
meaning of the second word, as it is alphabetically other hand, compiling a new codebook and dis-
close to the first one. tributing its physical copies was often difficult, es-

56
pecially to embassies in countries without a bor- • Words and Expressions: A set of pages
der with Germany, such as Spain. To increase the (randomly numbered) dedicated to words,
security of existing codebooks without replacing expressions and some full sentences. Each
them, German cryptographers often applied a su- page contains 100 entries.
perencipherment (an additional encipherment) on
the numerical codes. Methods of superencipher- • Persons: A set of pages dedicated to names
ment either consisted of transpositions (changing of persons, and entities such as banks and
the order of the digits in the numerical code), sub- commercial shipping lines. Those pages, ran-
stitutions (replacing a digit with another digit), domly numbered, were sparsely populated
or additives (some number mathematically added (usually only ten names out of the possible
to the numerical codes). At first, superencipher- 100 in a page).
ment methods were simple or used over a long
time span, allowing Room 40, the section in the • Supplement: A set of pages with additional
British Admiralty responsible for cryptanalysis, to names and places, with numerical codes ran-
recover the keys on a regular basis.2 domly assigned.
Toward the end of the war, the Germans intro-
duced more sophisticated methods, but often made
the severe mistake of communicating the details of Except for the Dreinummerheft, which consists
a new superencipherment method in a message en- of 3 digits, the numerical codes have 4 or 5 dig-
coded with a previous version, already known to its. The three leftmost digits (for a 5-digit code)
Room 40.3 or the two leftmost digits (for a 4-digit code) rep-
resent the page number. The second digit to the
2.4 German Diplomatic Code Books right represents the block number. Each page has
ten blocks (from 0 to 9), each block containing ten
Germany started the war with several families of words. For example, code 10275 corresponds to
diplomatic codebooks in place, mainly the 13040 the word Dampfer (steamer), and it is the sixth
and the 18470 families. A family of codebooks word (the last digit is 5, we start counting from
includes several codebooks derived from one an- 0) in block 7 of page 102. The order of the pages
other. Those first German diplomatic codebooks (the page numbers) does not correspond to the al-
usually consisted of the following sections: phabetical order of the words they contain. Fur-
thermore, the order of the 10-word blocks inside
• Dreinummerheft(3-digit code): This section a page does not correspond to the alphabetical or-
was common to all codebooks in the 18470 der of their contained words. However, all the 100
and 13040 families. The prewar 18102 code- words inside a page are always relatively close al-
book also used the same Dreinummerheft phabetically. Also, the ten words inside each block
codes. The Dreinummerheft consists of 3- are in alphabetical order. While those codebooks
digit codes, from 000 to 999. They repre- are nominally two-part codebooks, it is still possi-
sent numbers (000 to 500, 00 to 99) and dates ble to deduce the meaning of one numerical code
(January 1 to December 31). The mapping based on the meaning of another code on the same
follows an almost predictable pattern. As a page or block.
result, to fully reconstitute the Dreinummer-
The 18470 and its derivatives, such as the
heft, an adversarial code-breaking organiza-
12444, the 1777, and the 2310, were fully recov-
tion such as Room 40 needed to know the
ered by Room 40, aided by the capture of code-
meaning of only a few of the Dreinummer-
book 3512 in Persia in 1915. Interestingly, it
heft codes.
seems that Room 40 never shared their copy of
the captured codebook 3512 with their US coun-
• Places: A set of pages (randomly numbered)
terparts, despite closely cooperating in various do-
dedicated to names of cities, countries, na-
mains. Room 40 was able to analytically recon-
tionalities, and foreign government institu-
struct most parts of the 13040 codebook (which
tions. Each page contains 100 entries.
was used to encipher the famous Zimmerman
2 (Gannon, 2010), p. 130. Telegram), as well as its derivatives, the 5950
3 (Gannon, 2010), p. 261, footnote 20. and the 26040 (the 13040 superenciphered using

57
a constant additive).4,5 entities into groups of 5 digits. It consists of sev-
The German diplomatic services also developed eral sections, for words and expressions, for names
a series of two-part hat codes, such as the 5300, of places and ships, as well as for indicating posi-
6400, 7500, 8600, and 9700 codebooks. Room 40 tions of ships on maps. The Stützel report (see
was able to recover large parts of those codes, and Section 2.4) caused great alarm at the German
in particular, codebook 7500, used to encipher one Admiralty, and the Navy introduced new, more
of the versions of the Zimmerman Telegram.6 complex superencipherment methods. Based on
Interestingly, despite the capture of a copy of the voluminous numbers of transcripts in British
the 3512 codebook, and the publication of the National Archives in Kew, which also mention
Zimmermann Telegram, the German diplomatic the types of code and superencipherment, those
cryptographers never realized that both the 18470 probably did not pose serious problems to Room
and 13040, and their relatives, had been com- 40’s codebreakers. Using decrypts from the traffic
promised. In a report from April 1917, Her- between Berlin and the naval attaché in Madrid,
man Stützel, a German Navy cryptographer, de- Room 40 was able to unravel and prevent various
scribes how he was able to decipher messages en- plots and espionage activities conducted from the
coded with the 18470 codebook, only from inter- German embassy in Madrid.7
cepted communications. He was also able to de-
cipher messages encoded with the 5300 hat code 3 Deciphering the Genoa Cryptograms
with various superencipherment methods (Stützel,
1969). Ironically, Room 40 intercepted and deci- In this section, we present the step-by-step process
phered a message containing the report. The re- of deciphering the majority of the cryptograms in
action of the German diplomatic services to the the Genoa collection. We describe the processes
report is unknown. The Imperial Navy swiftly of classifying the various types of cryptograms, of
reacted, implementing a series of new complica- reconstructing a diplomatic codebook, of identi-
tions on top of their naval attaché codes (see Sec- fying the superencipherment method for a naval
tion 2.5). attaché code, and of recovering its key. This de-
tective work also required the retrieval and survey
2.5 Naval Code Books of a multitude of documents from archives in Ger-
At the outset of the war, the Navy had several many, the UK, and the US, with the assistance of
codebooks in use for various purposes, including leading experts. The work continued with building
the Signalbuch der Kaiserlichen Marine (SKM), a computerized database of the cryptograms, suc-
used mainly for signaling and communications be- cessfully deciphering most of them, and validating
tween ships, and the Handelsverkehrsbuch (HVB), the decryptions with newly found documents.
for communications with merchant ships. For
3.1 Classifying the Cryptograms
communicating with naval attachés, the Imperial
Navy also employed the Satzbuch (SB), as well as At first, we obtained six files from the RAV Genua
the Verkehrsbuch (VB). The SKM, HVB, SB, and collection at the PA AA, containing both plaintexts
VB were all one-part codebooks. The VB and the and cryptograms.8,9,10,11,12,13
SB were usually superenciphered, but at the be- After analyzing the structure of the cryp-
ginning of the war, the keys were not frequently tograms, we were able to divide them into four
changed. The German Navy was slow to realize categories:
that copies of its books had fallen into enemy’s
7 (Gannon, 2010), Chapter 13 - The Spanish Interception.
hands, early on in the war. Later on, the Navy 8 PA AA - RAV Genua 09, Acten betreffend Ziffern 1867-
implemented various methods for superencipher- 1908.
ment, and also introduced new codebooks such as 9 PA AA - RAV Genua 10, Chiffrierwesen 1898-1913.
10 PA AA - RAV Genua 11, Sammlung der Chiffres 1889-
the Flottenfunkspruchbuch (FFB), which replaced
1908.
the SKM in 1917. 11 PA AA - RAV Genua 12, Sammlung der Chiffres mit
The main codebook for communicating with Ausschluss der Korrespondenz mit den Marinebehörden, Bd.
naval attachés, the Verkehrsbuch, maps words and 2, 1904-1914.
12 PA AA - RAV Genua 13, Chiffrierte Telegramme 1914-
4 (Gannon, 2010), p. 130. 1915
5 (Gannon, 2010), p. 205. 13 PA AA - RAV Genua 14, Telegramme in Chiffre. 1914-
6 (Gannon, 2010), p. 131. 1915.

58
 • Sequences of letters: Two messages from meaning for the codes in those cryptograms. With
1897 and 1898, each composed of series of those, we were able to reconstruct about 10% of
letters, from a to z. After a quick analy- the 18470 codebook and to produce fragmentary
sis, we identified the encryption method to be decryptions for some of the messages in the Genoa
Vigenère, and we deciphered the two cryp- files.
tograms. The German plaintexts contain ref- In codebook 18470, while the pages are scram-
erences to another cipher system, as well bled, the words inside each page (such as the
as new keywords for that system, for which words with codes between 12100 and 12199) are
there are no corresponding cryptograms in alphabetically close. Based on this, we tried to
the Genoa collection. guess assignments for unknown numerical codes
in pages for which we had other known assign-
• 5-digit codes with indicator 1847X: A set ments. A team of linguists investing time on the
of messages composed of groups of 3, 4, or problem would probably have been able to recon-
5 digits, from December 1913 to mid-1915. struct large parts of the codebook and decipher
Those cryptograms have an indicator of the most of the cryptograms, given the availability of
form 1847X (18470 to 18479, usually 18470) hundreds of them. However, such resources were
as one of the first groups. not available to the author. To progress, either a
• 5-digit codes with indicator 1810X: A set copy of the codebook, or some plaintexts match-
of messages composed of groups of 3, 4, or 5 ing the cryptograms were required. A search for
digits, from 1898 to November 1913. Those matching plaintexts in archives produced only a
cryptograms have an indicator of the form single message, dated August 1, 1914, sent by the
1810X (18100 to 18109, usually 18102) as German consul in Genoa, von Herff, to the Ger-
one of the first groups. man Foreign Office. 14
It reads as follows:
• 10-letter codes: A set of nine messages from
August 1914, composed of groups of 10 let- Nummber 7. Im hiesigen Hafen
ters each, sent between the Kaiserliche Ma- liegende englische Dampfer der White
rine Admiralsstab (German Imperial Navy Star Line und British India Company
Admiralty), German warships Goeben and ‘Celtic’ und ‘Malda’ sind von ihren
Breslau, and the German consulate in Genoa. Gesellschaften angewiesen möglichst
rasch auslaufen und westlisch.15
3.2 Deciphering Diplomatic Codebook 18470
Cryptograms The plaintext is a report about British ships
leaving Genoa westbound. Using the date, the
Following the successful decryption of the Vi- message length, and the correspondents, we were
genère messages, we first analyzed the cryp- able to locate the original ciphertext in the Genoa
tograms with the 1847X indicators. In the archive files.16
records, a few hundred of them are available. The code corresponding to the word Dampfer
Although plaintexts also appear in the original (steamer), 10275, also appears in Mendelsohn’s
records, we could not match any of them to a cor- study and has the same meaning. Other codes cor-
responding cryptogram with a 1847X indicator. respond to words or expressions located in alpha-
We found a key document on the subject, Stud- betical positions as expected from Mendelsohn’s
ies in German Diplomatic Codes Employed dur- interpretation of the 18470 code. Based on this,
ing the World War, written by Charles J. Mendel- we were able to conclude that not only the mes-
sohn, and compiled into a War Department re- sages with the 1847X indicators were indeed en-
port in 1937 (Mendelsohn, 1937). The first of coded with the 18470 codebook, but that they
its three sections is named Code 18470 and Its
14 PA AA, R 19875, Bl. 31. Generalkonsul von Herff an
Derivatives. It describes the structure of codebook
das Auswärtige Amt.
18470, based on a 1918-19 study by Mendelsohn 15 ‘In local port anchored steamers of the White Star Line
and a team of cryptographers at the Military Intel- and British India Company ‘Celtic’ and ‘Malda’ have been
ligence Division of the General Staff in Washing- instructed by their companies to leave port as soon as possible
and (sail) westbound.’
ton. The study also includes a few original mes- 16 PA AA - RAV Genua 13, Chiffrierte Telegramme 1914-
sages encoded using 18470, as well as the German 1915, p. 6.

59
were encoded without any additional encipher- tually, and after an extensive trial-and-error pro-
ment. This finding was an important step. But cess, we were able to reconstruct almost the entire
while the plaintext also provided the meaning for mapping between the codebooks. While some ran-
a few additional codes, this was not enough to dom elements of the mapping created some chal-
progress with the decryption of other 18470 mes- lenges, the compilers of the 18470 derivatives (in-
sages in the collection. cluding the 3512) had applied several regular pat-
We started to look for copies of original terns in the process, which helped us significantly
codebooks. Copies of various WW1 German (and also weaken the security of the codebook).
codebooks are available at the British National After the mapping was established, we wrote a
Archives at Kew, including naval codes such as the special software and used it to decrypt all the mes-
SKM, captured in 1914 from the German warship sages encoded with 18470, except for a few names
Magdeburg. The archives also include a version which appear in a special supplement of the code-
of code 13040, reconstructed via cryptanalysis by books (and for which there is no conversion for-
Room 40, and used to encode the (in)famous Zim- mula or pattern).
mermann Telegram in 1917. The successful de-
3.3 Diplomatic Codebook 18102
cipherment of the Zimmermann Telegram, along
Cryptograms
with German pursuance of unrestricted submarine
warfare, contributed to the entry of the United After successfully reconstructing codebook
States into the war. However, neither the 18470 18470, we turned to the 1810X cryptograms.
codebook, nor the 18102 appear in British, Ger- Several plaintexts from October and November
man, or US archives. 1913 announce the transition from the 18102
In his study, Mendelsohn described how the codebook to the 18470 codebook, and an order
18470 codebook was part of a larger family of to destroy all physical copies of the 18102.
codes, including the 12444, the 1777, and the 2310 Unfortunately, we were unable to find copies of
codebooks, all derived from the same division of the 18102 codebook in any of the relevant British,
words and expressions to pages, the pages being German or US archives. An analysis of the ranges
reshuffled differently. We could not find any of of pages showed that the 18102 code could not
the 18470 derivatives listed by Mendelsohn in US, have been a derivative of the 18470. Codebook
British, or German archives. Further research in 18102 might still be a derivative of the 13040
the British National Archives at Kew produced an- codebook, as the 13040 was also in use before the
other document, The Political Branch of Room 40, war, but there is no evidence in that direction, and
which mentions two other codebooks, 89374 and further work is needed to check this hypothesis.
3512, captured by the British in Persia in 1915. Lacking a corresponding plaintext for any of the
According to this report, an analysis by the Polit- 18102 messages, or a derivative of this code, we
ical Branch led to the conclusion that those two were neither able to reconstruct the codebook,
codes stem from the same source, albeit reordered nor to decipher any of the cryptograms. Since
differently.17 the 18102 and the 18470 share the encoding of
numbers and dates (Dreinummerheft), it might be
Several recent papers also link those two code-
possible to look for matching plaintext-ciphertexts
books to the 18470 family, and this assumption
in the files based on the message serial numbers.
was strengthened by the fact that Mendelsohn
mentions there existed at least one member of that 3.4 Deciphering Naval Codebook
family, unknown to him (Freeman, 2006; Kelly, Cryptograms
2013). Fortunately, a copy of the 3512 codebook
The last category is comprised of only nine cryp-
is available at Kew.18
tograms, sent in August 1914, and involving Navy
After obtaining a photocopy of the 3512 code- recipients or senders. They consist of 10-letter
book, we needed to establish the precise relation- codes, such as DUMOSEPIRE or CLYHMUIMUS, with
ship between the 3512 and the 18470, using the the prefix (the first five letters) of one of the 10-
known numerical codes from Mendelsohn. Even- letter codes often used as the prefix in another
17 (ADM, 223) ADM 223/773, George Young, Political 10-letter code, or the suffix (the last 5 letters) of
Branch of Room 40, Section ‘89374 and 3512’. one code often used as the suffix of another code.
18 (HW, 7) HW 7/26 German Codebook Number 3512. A likely codebook candidate appeared to be the

60
HVB, used for communicating with German mer- sources (Lorey, 1928). Unfortunately, we could
chant ships. While the HVB is primarily a 4-letter not (yet) draw any conclusions from this sample
code, each code also has a 10-letter equivalent, alone.22
composed of a combination of a 5-letter prefix A breakthrough came from a review of the mes-
and a 5-letter suffix. However, none of the HVB sages sent in the 18470 codebook, which by then
prefixes or suffixes seemed to match any of those we were already able to decipher. A message from
found in the Genoa cryptograms. The HVB also Berlin was sent in 18470 code to Genoa on August
had an optional substitution superencipherment.19 1, 1914, with the following instructions:
This substitution preserves the vowel-consonant
structure of the original ten letters, and since this Nummer 9 unter Bezugnahme auf Telegr.
characteristic can be used to validate possible out- Nummer 10. Schlüsselzahlen zu Marine
puts, we were able to rule out the possibility that Chiffres lauten: Schlüssel B: 469,
the cryptograms were encoded with HVB with reserve B: 718. Auswärtig. Amt.23
substitution.
In a serious breach of security, this message
The next obvious candidate was the VB, in-
specifies the primary key (469) as well as the re-
tended for naval and military attaché communica-
serve key (718) for the Navy’s cipher. We hy-
tions. The VB consists of 5-digit codes. With the
pothesized that those could be the key for some
assistance of other scholars, the author was able to
superencipherment. The next step was to look
obtain a photocopy of the VB, as well as a copy of
for references to any of the two keys, hoping this
a VB supplement.20,21
might help to identify the type of superencipher-
The supplement describes a mapping of 5-digit
ment. We were unable to find any reference to
VB codes to 5-letter prefixes (representing the first
key 469. However, the author vaguely remem-
three digits) and 5-digit suffixes (representing the
bered a mention of key 718, in the multitude of
last two digits). Those prefixes matched those
archive files already reviewed. Luckily, an exten-
found in the Genoa files. Therefore, we were able
sive survey of all the material gathered so far re-
to map all the 10-letter codes in the collection, into
sulted in the (re)discovery of a reference to key
their 5-digit equivalents. However, none of these
718, in Mendelsohn’s study (Mendelsohn, 1937).
5-digit codes would map to words or expressions
The third chapter lists several methods for the su-
in VB which have a logical or relevant meaning,
perencipherment of codes. One of them is based
indicating that some form of superencipherment
on sliders (Schieber in German), which consist of
had been employed. After all, naval communica-
a set of three substitution slides. Those slides map
tions were deemed to be more sensitive than reg-
some of the digits of the 5-digit codes to other
ular diplomatic communications. There was no
digits according to some random pattern. A 3-
clue, however, about the specific type of superen-
digit key specifies the starting position of each one
cipherment employed here. At this stage, the re-
of the three sliders. Mendelsohn provides the or-
search had reached a dead end regarding the 10-
dering for a set of 3 sliders used before the war
letter cryptograms.
and until 1917, described in Table 1 (Mendelsohn,
After several months of extensive research, we
1937). In this example, the sliders are set to key
found in the British National Archives at Kew a
718, and are to be applied on the second, third,
message sent on August 3, 1914, to the Goeben
and fourth digits (the first and last digits are kept
warship by the Admiralty in enciphered VB. The
unchanged).
file consists of a log of English transcripts (trans-
Interestingly, the example given by Mendel-
lations) of VB messages from 1914, intercepted
sohn uses key 718 which happens to be the re-
and deciphered by Room 40. The message from
serve naval key mentioned in the 18470 message.
August 3, 1914, is the only one in the file for
This was a clear indication that the 10-letter cryp-
which the cryptogram is also available. The
tograms might have been superenciphered using
German plaintext was also available from other
22 (ADM, 137) ADM 137/4065, Log of intercepted Ger-
19 (ADM, 137) ADM 137/4320, Chiffresschlüssel H.V.B. man signals in Verkehrsbuch code from various sources
1913. 1914-1915, entry 113.
20 (ADM, 137) ADM 137/4374, Verkehrsbuch (VB) 1908. 23 ‘Number 9 with reference to telegram number 10. The
21 (ADM, 137) ADM 137/4314, Verkehrsbuch Supple- keys for Marine cipher are: Key B: 469, reserve B: 718. For-
ment. eign Office.’

61
 Original Second Third Fourth them included plaintexts, many of which could be
Digit Digit Digit Digit matched to original 18470 cryptograms based on
Becomes Becomes Becomes their serial numbers. The matching could not be
0 7 1 8 done before as the serial numbers appear encoded
1 0 9 3 in the cryptograms. Further analysis showed that
2 9 4 4 those new files include plaintexts for about 40%
3 2 6 6 of the 18470 cryptograms, and it was possible to
4 6 2 5 validate that they had been (mostly) corrected de-
5 3 7 2 ciphered.25,26
6 5 3 7 A third file contained messages from 1910 en-
7 8 5 1 coded using VB with sliders. Surprisingly, those
8 1 0 9 could be decrypted using slider key 469, which
9 4 8 0 indicates that this key was in effect for several
years and until the war broke, highlighting a se-
Table 1: Slider for VB vere breach of security.27
Those decryptions further confirmed the cor-
rectness of our solutions for the 1914 naval mes-
sliders. Next, we tried to decode some of the 10-
sages in the collection.
letter cryptograms using the sliders with key 718,
but this failed to produce any plausible plaintext. 4 The Contents of the Cryptograms
Another option was key 469. We tested that slider
key on one of the cryptograms and obtained a few The ”RAV Genua - Generalkonsulat Genua” col-
German words related to Kohle (coal), a topic very lection at the PA AA covers the period from 1867
much relevant to the escape of the Goeben. When to May 24, 1915, when the German consulate was
applying the sliders with key 469 to other cryp- closed after Italy entered the war on the side of
tograms, we could finally recover plausible plain- the Entente powers. It also covers the period from
texts. To further validate those findings, we tried 1921, after the consulate reopened, until the end of
to apply the same slider method to the message World War 2. Our research focuses on the first pe-
from August 3, 1914, sent from the Admiralty to riod, and especially on the years 1913, 1914, and
the Goeben. While this message could not be de- 1915. The records cover a wide area of topics, in-
ciphered using key 469, further analysis showed cluding administrative and legal matters (such as
that another key was applied, namely 5288, with passports and visas), protocol, local politics, naval
the 3rd slider (at key position 8) also being applied intelligence, economy, trade, and shipping.
to the fifth digit (in addition to being applied to the Of particular interest are the decryptions related
fourth digit). This message reads as follows: to three subjects, namely the declarations of war in
summer 1914, the role played by the consulate in
August 3 Bündnis geschlossen mit gathering naval intelligence, and its role in assist-
Türkei Goeben Breslau sofort gehen ing the Goeben and Breslau warships to escape to
24
nach Konstantinopel bescheinigen. the Dardanelles. The latter event had a significant
impact on the war in the Mediterranean Sea and
We had thus achieved a complete solution for
the Middle East.
the elusive 10-letter naval cryptograms in the
Genoa collection. We were now certain that those 4.1 No War Without Declaration
consisted of VB codes superenciphered with slid- World War I was one of the last modern, major
ers, using key 469. military conflicts in Europe which started with for-
3.5 New Genoa Files mal declarations of war, by all parties involved.
Countries felt obliged to formally declare war, as
Our project did not end here. One year after suc-
part of an official international protocol defined
cessfully deciphering the cryptograms in the first
25 PA
six files, we were able to obtain three new files AA - RAV Genua 74, Kriegsgefahr 1914-1915.
26 PA AA - RAV Genua 77, Krieg, Militärsachen 1914-
from the Genoa collection in the PA AA. Two of
1915.
24 ‘August 3:Alliance with Turkey concluded. Goeben and 27 PA AA - RAV Genua 68, Chiffres nach d. Marine 1907-
Breslau should at once sail to Constantinople.’ 1914.

62
at The Hague Peace Conference of 1907, and for to the region one of her most modern warships,
internal legal and political reasons. With a for- the battle cruiser Goeben, together with the light
mal declaration, a country could start mobilizing cruiser Breslau, under the command of Rear Ad-
its army. Also, military and merchant navy ships miral Souchon. Given the vast superiority of the
had to be informed that they should leave hostile British and French fleets in the Mediterranean Sea,
ports, to avoid being seized. As this was usually those two lone ships were threatened to be iso-
done before issuing the formal declaration of war, lated, captured or destroyed, as the war broke out.
any signs of movement of ships in times of cri- Souchon was first ordered to escape via the Gibral-
sis might indicate an upcoming declaration of war. tar straights but instead decided to attack French
The Genoa collection includes a series of mes- facilities in North Africa. After the attack, with
sages informing the consulate of the various dec- the westbound route being blocked, he was or-
larations of war, and of their impact such as the dered to reach the Dardanelles, following the sign-
freedom of movement of German nationals. From ing of an alliance between the Ottoman Empire
the first declaration of war between Russia and the and the German Empire in the beginning of Au-
Austro-Hungarian Empire, and throughout August gust 1914. To successfully escape vastly superior
1914, the tensions escalate, and this is reflected in enemy forces, the Goeben needed large quantities
the communications. For example, on August 2, of coal, required to reach higher speeds. Sup-
1914, the following message is sent from the Ger- ply of coal in sufficient quantities could only be
man Foreign Office to Genoa: found in Italy or obtained from German merchant
ships. For that purpose, the German Foreign Of-
Nummer 8. Durch allerhöchst fice instructed its local representations to assist the
kabinettsorder ist Mobilmachung Goeben and Breslau to secure large quantities of
angeordnet. Bitte deutsche Schiffe coal. This effort is reflected in several messages,
im dortig Amtsbezirk ohne rücksicht encrypted with the 18470 codebook, as well as
auf Geheimhaltung weiter warnen with the VB with superencipherment. For exam-
und Dienstpflicht zur Rückkehr ple, the following message was sent on August 1,
auffordern. Jagow.28 1914, from von Herff, the consul in Genoa, to Rear
Admiral Souchon:
4.2 Naval Intelligence
A large number of cryptograms relate to naval in- Goeben - Messina. Auf Ersuchen von
telligence collected mainly from public sources, Breslau: Kohlendampfer ist nicht
such as newspapers, or German nationals return- vorhanden. Deutsches Kohlendepot
ing from British and French colonies. Movements ist bemüht, möglichst viele Kohle
of ships, including warships as well as merchant kaufen, hoffen Montag 2000 Tonnen
ships transporting troops, are routinely reported. gemischte gut Kohle zu sammeln und
An example of such a report is given in Sec- Bescheid zu geben. Welche Menge von
tion 3.2. Kohle gebraucht und wohin zu liefern?
Herff29
4.3 Assistance to the Goeben and Breslau
Warships Other records describe the requisition of Ger-
man merchant ships and their coal, the securing
The most interesting findings in the decrypted of funds for transactions, and negotiations with
records are about the extensive assistance given by Italian authorities. Eventually, the Goeben and
the German consulate in Genoa (as well as other Breslau were able to obtain significant quantities
German representations in the region), to the Ger- of coal, allowing them to escape the British and
man warships Goeben and Breslau in their escape French fleets, and to reach the Dardanelles. They
to the Dardanelles, in August 1914. To extend joined the Ottoman fleet under the Ottoman flag.
its presence and influence in the Mediterranean Their attack on Russian facilities, carried indepen-
Sea, the German Empire had before the war sent
29 ‘Goeben - Messina. At the request of Breslau: Coal
28 ‘Number 8. By highest cabinet decision mobilization has steamer is not available. German coal depot working hard
been ordered. Please continue warning German ships in the to buy as much coal as possible and expects to collect 2000
local district, regardless of confidentiality, and request those tons of mixed, good quality coal on Monday, and will report
liable for [military] service to return. Jagow.’ on it. How much coal is needed and where to deliver? Herff’

63
dently of their Turkish counterparts, later precip- References
itated the entry of the Ottoman Empire into the ADM. 137. Admiralty: Historical Section: Records
war (Van der Vat, 2000). As a result, the Entente used for Official History, First World War. The Na-
powers had to divert significant resources to the tional Archives.
Mediterranean Sea and the Middle East, including ADM. 223. Admiralty: Naval Intelligence Division
for the catastrophic Dardanelles offensive in 1915. and Operational Intelligence Centre: Intelligence
The critical role played by the consulate in Genoa Reports and Papers. The National Archives.
is for the first time exposed in the decrypted mes-
Peter Freeman. 2006. The Zimmermann Telegram Re-
sages from the Genoa collection. visited: A Reconciliation of the Primary Sources.
Cryptologia, 30(2):98–150.
5 Conclusion
Paul Gannon. 2010. Inside Room 40: The Codebreak-
This research highlights inherent weaknesses in ers of World War 1. Ian Allan Publishing Ltd.
German cryptographic methods and procedures HW. 7. Room 40 and successors: World War I Official
for diplomatic and naval communications at the Histories. The National Archives.
beginning of WW1, as follows:
Saul Kelly. 2013. Room 47: The Persian Prelude to the
Zimmermann Telegram. Cryptologia, 37(1):11–50.
• Most of the confidential diplomatic commu-
nications relied on codebooks, which were in George Lasry, Ingo Niebel, Nils Kopal, and Arno
use for long periods of time. Also, the com- Wacker. 2017. Deciphering ADFGVX messages
pilers of codebooks often used regular pat- from the Eastern Front of World War I. Cryptolo-
gia, 41(2):101–136.
terns, rather than fully random patterns, to
map certain elements of the codebook to their Hermann Lorey. 1928. Der Krieg in den türkischen
equivalent numerical codes, thus facilitating Gewässern: Bd. Die Mittelmeer-Division, volume 1.
ES Mittler.
the work of adversarial codebreakers.
Charles J. Mendelsohn. 1937. Studies in German
• Instead of issuing entirely new codebooks, Diplomatic Codes Employed during the World War.
the German cryptographic services created War Department, Office of the Chief Signal Officer,
Government Printing Office, Washington, DC. Reg-
new variants of existing codebooks by only
ister 191.
modifying the order of their pages. As a re-
sult, the capture of one codebook was often PAAA. c. 1915. RAV Genua - Records from the
enough in order to reconstruct other related German General Consulate in Genoa. Politisches
Archiv des Auswärtigen Amtes.
codebooks.
Hermann Stützel. 1969. Geheimschrift und Entzif-
• The key for the superencipherment of ferung im Ersten Weltkrieg. Truppenpraxis, 7:541–
one codebook was often transmitted using 545.
another, possibly compromised codebook. Geoff Sullivan and Frode Weierud. 2005. Breaking
Moreover, the superencipherment methods, German Army Ciphers. Cryptologia, 29(3):193–
as well as the keys, were infrequently mod- 232.
ified. Dan Van der Vat. 2000. The Ship that Changed the
World. The Escape of the Goeben to the Dardanelles
As a result of those weaknesses, the author was in 1914. Edinburgh.
able to decipher the vast majority of the Genoa en-
coded traffic, using methods which are very sim-
ilar to those employed by Room 40 and other
WW1 codebreaking agencies. The decipherment
of the cryptograms in the Genoa collection also
exposes new historical material related to key de-
velopments and events in 1914-1915. Further re-
search is underway to analyze the contents of the
messages, and their historical context and signifi-
cance.

64
 Learning Cryptanalysis the Hard Way:
A Study on German Culture of Cryptology in World War I
Dr. Ingo Niebel
Historian and journalist
Kasparstr. 10
50670 Köln, FR Germany
ingo.niebel@berriak-news.de

Abstract World War I by the US cryptanalyst, James R.

Child. This collection was successfully decrypted
The history of World War I is well by George Lasry, Nils Kopal, and Arno Wacker
documented, but a comprehensive study of (Lasry et al. 2017). An outcome of that
German cryptology during that epoch is yet investigation was a realization that we lack a
to be undertaken. Owing to the silence of comprehensive study of German cryptology
German cryptologists and intelligence during the second German Empire (1871-1918).
officers, this topic remains almost untouched
to date. Hence, a perspective on the role of Our investigation starts from David Kahn’s
German cryptology in World War I comes statement on this subject: "German cryptology
mainly from British and US authors, but goose-stepped toward war with a top-heavy
generally not from German sources. This cryptography and no cryptanalysis." (Kahn
paper provides an overview of an ongoing
1996:pos. 5347). His conclusion underscores a
research, focused on the German culture of
cryptology between 1871 and 1918. It is
specific aspect, namely: talking about German
based on the assumption that a fixation on cryptology between 1870 and 1914 is clearly an
cryptography is the essential part of that oxymoron.
cryptology culture of those times. From 1914
on, Germans had to learn cryptanalysis the Today, we understand cryptology as a science
hard way. Questions regarding who started with well-defined theories, methods, and results,
this learning process, how it developed, the consisting of cryptography and cryptanalysis as
failures and successes it produced, and the its two main pillars. As a third, we can add
structures that were involved in the process, steganography. This, however, is a very modern
are yet to be answered. This investigation (20th century) Anglo-Saxon definition, which
links the current state of the art with data does not match the German understanding of
obtained from the archives. Connecting secret writing and deciphering prior to and at the
cryptology with intelligence and technology,
beginning of World War I. In fact, the German
it also evaluates its impact on decision-
making. Finally, understanding the term "Kryptologie" was neither introduced in
antecedent German culture of cryptology German encyclopedias nor in the Duden
enables us to investigate that of its dictionary until the end of the 20th century. The
descendants – spanning the decades from German "Geheimwissenschaft" (secret science)
World War II to the Cold War, as well as is the literal translation of the cryptology, which
today's "information security culture". in general referred to occultism, and is therefore
unsuitable for use in the modern context.
1 Introduction
The research becomes even more complicated
This article resumes the research to a still because prominent German cryptanalysts during
unwritten monograph on the German culture of both World Wars remained silent and their line
cryptology (1870/71-1918/19), whose of work was never publicly discussed. All what
investigation intended to reconstruct the we know about the German cryptanalytic efforts,
historical context of the intercepted and successes, and failures originate mainly from
encrypted German telegrams collected after

Proceedings of the 1st Conference on Historical Cryptology, pages 65– 75,

Uppsala, Sweden, 18-20 June, 2018
Anglo-Saxon publications and sources. Kahn’s – around the same time – they had already lost
books and articles are only a tip of that iceberg, their first battle at the Marne river in France, as a
and the German perspective awaits exploration. consequence of French cryptanalysts breaking
Uncovering this perspective will provide a better their codes. Despite all the efforts towards
description of the German culture of cryptology. improvement, Germany would ultimately lose
the war because her vulnerable codes would
Focusing on the cultural aspect is of provide critical information to her enemies at
importance because – though the science of crucial junctures. So, the history of the German
cryptology itself can be applied irrespective of culture of cryptology during that epoch is about
the language in use or the nationality of those how Germany's leadership learnt from a defeat it
using it – the national circumstances define the unknowingly suffered even before the imperial
characteristics of its development and use; for troops crossed the borders to Belgium,
instance, whether or not civilians are permitted to Luxembourg, and France.
use this science.
Although British, French, and US went
"Culture is the art (‘ars’, ‘téchne’), through through their own learning processes, whose
which societies secure their survival and their outcomes are known, it is worth describing how
evolution in an overwhelming nature”, states the Germans managed to transform their
Hartmut Böhme. (1996:53). In our case, the cryptography into cryptology by incorporating
culture of cryptology can be understood as the art cryptanalysis. Therefore, we have to look for the
of utilizing this science in a hostile environment various structures and personnel that intervened
comprising of alien interests to convey in this process.
information and intentions in secret. This
definition can be applied to all countries On the one hand, we have the governmental
involved in a given war during this time period structures and agents concerned above all with
and used cryptology to gather intelligence and cryptographic matters. On the other hand, it is
plan their military and diplomatic operations. surprising how freely civilian “amateurs” wrote
about cryptology and even criticized the
However, we have to “nationalize” every government. That raises further questions,
culture of cryptology because it is defined by the namely: Who were they, how could they acquire
cultural, social, political, and military knowledge of cryptology, and how did the
characteristics of each country. All these factors governmental institutions react to this kind of
may explain why the German culture of non-governmental cryptology? Looking for these
cryptology in 1914 was defined exclusively by a answers, we have also to take into consideration
presence of cryptography and a near absolute the impact of their work on intelligence, as well
absence of cryptanalysis. German decision- as military and political decision-making.
makers therefore came to learn of this imbalance
the hard way. Nearly a 100 years after the end of World War
I, an investigation focused on the German culture
During the Russian offensive against Prussia of cryptology matches actual studies on what we
in August 1914, German reserve army officers – call now the “information security culture”.
at great personal risk after ignoring several Maria Bada und Angela Sasse (2014) used this
orders – discovered the advantages of signal term when they analyzed how to improve Cyber
intelligence (SIGINT) in combination with Security Awareness Campaigns. The
cryptanalysis. This new kind of intelligence information security culture requires, according
enabled their commander to win the battle of to the authors, on the one side, knowledge and
Tannenberg. Therefore, this victoryalso shows awareness, on the other, positive information
that the culture of cryptology entails a learning security behaviors. Though since 1914 our
process. In the aftermath of this military success, technology has improved a lot, the user remains
German commanders initiated a large, to be the weakest link, not so much his hard- and
complicated, and inconsistent learning process to software.
improve their interception and cryptanalytical
skills. All these aspects should be taken into
consideration if the goal is not to write a purely
German military and diplomats learned the technical history of German cryptology
benefits of cryptanalysis the hard way, because concentrated only on its theories, methods, and

66
results, but also to link it with other fields and 2 Methods
disciplines. That approach will be explained in
the following three parts. Since the first decade of the 21st century, we
count with declassified records and information
In the following section, I will present the recovered from encrypted radiograms. The US
assumptions on which I have based this foreign secret service, the Central Intelligence
investigation. In two subsections, my aim is to Agency (CIA), and its technological partner, the
define my understanding of intelligence and why National Security Agency (NSA), published
it is still a "missing dimension" in historical documents related to cryptology
historiography. This in turn leads to the second including the names of persons, on their
subsection, which encroaches upon the German webpages. In parallel, the community of non-
"culture of cryptology". The third section governmental researchers, who dedicate
focuses on telecommunication and its impact on themselves to historical cryptology, were seeking
cryptology as in the earlier 20th century, the field unsolved messages from both World Wars. So,
of telecommunication was a relatively new with on the one hand, historians and cryptologists
unknown advantages and disadvantages. Finally, have access to new sources, on the other,
I shall refer to the sources, with a focus on the cryptanalysts provide "new" records and insights
the problems that historians encounter when by recovering and solving forgotten cryptograms.
using records obtained from the intelligence (Lasry et al. 2017, Sullivan and Weierud 2005)
services. All these new sources need to be put in a greater
academic context.
Following which, I shall present some of my
first results in chronological order. The four The ongoing investigation is based on two
subsections describe different aspects of the suppositions: Firstly, every state creates the
German cryptology culture. It begins with intelligence community it considers necessary.
specific terms Germans referred to in cryptology Therefore, the organizational charts of its
encyclopedias. The second subsection resumes ministries and armed forces can reveal the
the case when a German citizen publicly accused importance given to the secret and cryptologic
the Foreign Office of having plagiarized his services. Investigating these structures, also
code-system. The quarrel reveals that the Foreign sheds light on how the government allowed
Office showed no concern for security. The privateers to handle cryptology.
Crypto-Crisis of 1917 served two purposes, on
the one hand, it discussed the problems a Secondly, the saying “once an agent, always
historian deals with when he or she has to rely on an agent” defines the other mainline of research.
intelligence records; on the other, it indicated It focusses on the persons who worked for one or
also how such a source can push the various secret and/or cryptologic institutions.
investigation forward. The last subsection Both research fields are connected by seeking the
provides a firsthand explanation as to why there interactions between institutions and their
is still no comprehensive study on German personnel. That implies that one must follow the
cryptology. organizational change in the departments. It
would be interesting to know the social,
The fourth and last section brings us back professional, and cryptologic background of the
from the past to the presence. It provides some personnel.
hints as to why the German cryptology culture of
1914/1918 is linked in some way to the today's Today it is common to talk about the
"information security culture". This would also intelligence community by referring to all
provide some proposals for further governmental, military, and police institutions
investigations. dealing with intelligence. In parallel, we have the
cryptology community, composed also of
Due to time and space restrictions, and to the officials, privateers, and their departments or
fact that this article resumes the status of a firms. In contrast to their British and US
current investigation, it raises no claim to counterparts, the German cryptologists remain
completeness. relatively unknown. This fact makes both
cryptology and intelligence a part of a "missing
dimension" in historiography.

67
2.1 Intelligence, a "Missing Dimension" sense as information" concluded Kahn (2001).In
my mind, information becomes intelligence
Spies were additional pawns on the great according to the importance that is given to e.g.,
chessboard where the European powers played things, individuals, organizations, data, messages
the tragedy of World War I. As previously at a concrete time and for a specific aim. 1
mentioned, some crucial moves performed by
the decision-makers of one or the other sides, For delimiting intelligence as a "missing
were based on the intelligence gathered by their dimension", I consider its three principles very
radio stations and cryptanalysts. The question helfpful, which according to Kahn (2001),
lies in understanding to what extent this kind of describe its function. First, it helps to optimize
intelligence influenced military and political one’s resources. Second, intelligence "is an
decision-making. auxiliary, not a primary, element in war".
Thirdly, it is "essential to the defense but not the
In the 1980s some German and British authors offense". The yet mentioned battles of the Marne
had already mentioned intelligence as being the and Tannenberg seem to confirm Kahn’s theory.
"missing dimension" in political and military At this point we have the intersection between
historiography. (Höhne 1993:7) After analyzing intelligence and cryptology, but it is not
several dozen international publications on the necessarily the only one.
topic, Larsen (2014:282) concludes that this In 2016 the German Historical Institute
military conflict "remains in many ways London (GHIL) held a conference on "Cultures
underexplored by intelligence scholars." In fact, of Intelligence". In that context, the GHIL stated
he found less than a handful of German works on that "Culture was understood to include the role
that subject. of intelligence services in society and/or the
state, the representation of intelligence in the
This problem is caused partly by the public sphere and among the members of the
intelligence agencies themselves, because it is military/intelligence community itself, as well as
part of their nature to act secretly, without the interests, assumptions, and operating
always acting in a legal or morally correct procedures of intelligence." (Sassmann, Schmidt
manner. So, for the sake of security, the 2016:135) This definition can be used to define
intelligence services have good reason not to the German culture of cryptology.
share their records with historians who, on the
other, without these documents could not 2.2 About a German Culture of Cryptology
evaluate how large the "missing dimension" It is difficult to answer whether it is "a" or "the"
really is. German culture of cryptology because it depends
on the epoch. When we refer to a time before
Although intelligence services release their
1870/71, we should preferably use "a", because
records from time to time, historians cannot
the culture in question may be linked to a
expect to receive complete files. Due to the fact
specific kingdom on German soil. For example,
that deception and cover-ups belong to the
Rous (2011) analyzed the Saxon culture of
working tools of secret services and their assets,
cryptology in the 17th and 18th century. But we
scholars are forced to crosscheck every disclosed
unfortunately lack a similar investigation on the
information. Moreover, this makes their
Prussian culture prior to 1870.
investigations more complicated. On the other
hand, just Paul Gannon (2010) proved, referring When the Germans created their second
to the British interception log books, that His empire, the Prussian king got also their emperor.
Majesty’s codebreakers could read enciphered As a result all key areas such as the military,
German Naval messages already months before foreign, economic and home policy, for instance,
the war broke out and the Room 40 was installed. became centralized to the Prussian capital,
In consequence, his finding contradicts the
official version and requires reviewing of the 1
This is another very Anglo-Saxon definition of
prewar history of British cryptological efforts. "intelligence", it differs to how German secret service
officers used to interpret "Information" which, according to
Another complication derives from the them, becomes "Nachricht" (intelligence) when it is
necessity to define what intelligence really confirmed by other sources.
means. "I define intelligence in the broadest

68
Berlin. In the light of lacking documents, we codes and keys from the cipher-bureau. The
have to assume that the overwhelming presence Foreign Office provided the naval attachés with
of cryptography and the absence of cryptology codes, too.
reflects the Prussian culture of cryptology.
One research line focuses on the indivuuals
A characteristic of the new Reich was that the within the the Army and the Navy structures
ruling aristocracy managed to integrate the who dealt with cryptography. The other research
bourgeoisie in the new project. Instead of line concentrates on the "Abteilung für
democratizing the state, by getting rid of the Nachrichtenmittel" (department of
aristocrats, the bourgeois supported the communication means)2 of the Royal Prussian
monarchy. So entrepreneurs and bankers pushed War Ministry, another on the "Reichsmarineamt"
Germany’s industrialization and implementation (Empire's Navy Office). Both produced codes
of new technologies. Their crème de la crème and ciphers, and delivered them to the troops
were further ennobled. “Nonetheless the and the civil authorities. They primarily had
Wilhelminian Germany was still an authoritarian administrative functions, not operative.
society with a static social order of considerable Therefore, another research line looks for the
stickiness”, states the historian Wolfgang importance the armed services gave to
Mommsen (1995:71). cryptography in the education of their officers.

This and further investigations on the social The common denominator of these three
order should be taken into consideration, as they governmental institutions was that they favored
might explain the absence of an intelligence and cryptography, reducing cryptanalysis to a
cryptologic community, and also the "guessing" or buying codes and keys on the
incompetence of the armed services and the black market. This German credo of
Foreign Office to develop intercepting and cryptography expressed itself by the main code
codebreaking capabilities, as it had occurred in books such as the Handelsschiffsverkehrsbuch
the United Kingdom. The known facts indicate (HVB), the Signalbuch der Kaiserlichen Marine
that listening to foreign conversations and (SKM) and the Verkehrsbuch (VB). These
reading confidential messages could have put the became one of the essential parts of the very
above mentioned rigid order and separation of specific German culture of cryptology
powers at risk.
Opposite to the governmental cryptographic
From this point of view, the use of structures we find a considerable number of non-
cryptography seemed have come into place as a governmental cryptologists, who along the 19th
measure to guarantee the established order. In
and at the beginning of the 20th century,
fact, only officers and high ranking civil servants
were allowed to cipher and decipher encoded published a certain number of articles and books
messages. Following that logic, another measure on secret scripts and their decipherment. This
was to avoid the promotion of cryptanalytic allowed people interested in the specific field
skills. access information without major problems.
Germany’s oldest cryptographic institution 2.3 Telecommunication and cryptology
was Chiffrierbureau of the Foreign Office. It was
built in 1814 and belonged to the ministry's Telecommunication is in many ways essential for
Zentraldepartement. (PAAA 1936), thereby understanding the development of the German
putting the Chiffrierbureau and its personnel in culture of cryptology. On the one hand, the new
the focus of the current investigation. During that technology changed how people handled
time, the head of the government, the chancellor, communication. Telegraph, radio and telephone
was responsible for foreign policy. But his role replaced the traditional royal messenger services,
was limited, as he was only a counselor to the as the depeches were delivered faster by wire,
monarch.
2
The Kaiser acted also as the commander-in- The German "Nachrichten" can mean "news",
chief of the armed services. It is known that he "intelligence", "signals" or "communications". That makes
is complicate to decide whether a "Nachrichtenoffizier" is
used cryptography, but the extent to which it was
an "intelligence" or a "signals/communications officer".
used remains unknown. He supposedly got the

69
wave and cable. This mode of communication into their decision-making. This in itself
seemed to secure to everyone who believed that constituted another learning process because in
his or her codes were unbreakable. 1914 they had still not changed their plan of
attack that had been drawn up in 1905 under
At the very beginning of World War I, the very different circumstances. Nine years later,
British destroyed the German transatlantic they still believed they could win the war in the
telegraph cables. So they forced the Germans to west by the same manner as in 1870/71. They
communicate via radio with their colonies and thought that once again infantry, artillery, and
embassies or by telegraph connections. These cavalry plus modern weapons would bring
connections could be monitored by British victory, but not the less regarded signals troops.
telecommunication companies. In both cases,
London could intercept the communication and The information that is not included in the
try to read the encoded messages. publications has to be found in the archives. This
makes the project difficult because the principal
For this project it is necessary to take into Prussian-German military archives vanished
account this fact because there are several during World War II. The records of the different
German thesis in which lawyers addressed the cryptologic departments were either destroyed or
legal and strategic issues of such a violation of captured by the victors who delivered them to
the postal secrecy long before the Royal Navy their cryptologic or intelligence services. As
made their worries real in 1914. mentioned before, the CIA and NSA declassified
such documents, as also did the British services.
Another important aspect is that the In consequence, the respective holdings could
importance of SIGINT can only be understood if aid in recovering such information that is lacking
we know the technical equipment of the signals in the German archives.
troops and its limitation. Because of the
technology, climate and geography, messages A first look into the Political Archive of the
had to very often be repeated. This increased the German Foreign Ministry (PAAA) showed that
possibility of a radiogram being intercepted. In the entire holdings of the Chiffrierbüro have
this way, experienced cryptologists and analysts disappeared. The existence of the cipher-bureau
could complete crippled messages. is only confirmed because its name appears in
the organizational charts of the ministry, and on
In this context it is also necessary to refer to several documents which can be found in other
the technical efforts to mechanize the encoding holdings. If there has once been a
and decoding process. Although the German correspondence, for example, between the
Army would purchase the Enigma only in the cipher-bureau, the Army and the Navy on codes,
1920s, some documents indicate that, at least, its it not longer exists, at least not in this archive.
theoretical development might have already The unpublished memories of cryptologists such
started before World War I. as those of Adolf Paschke somewhat enlightened
2.4 "Ad fontes" - To the Sources the gloomy situation.

As I mentioned above, Kahn’s publications on The situation in the German Federal Archive,
cryptology are essential because they frame the the Bundesarchiv, is slightly different. On the
investigation. Articles such as those written by one hand, there are only a few sources related to
Stützel (1969), Brückner (2005), and Samuels the cryptography in the Army, on the other hand
(2016) give further information on facts and there is much more information on the
sources regarding the German cryptology. In cryptological work done by the Navy before and
contrast, selected monographies on the French, during World War I. The first impression after a
British, US cryptology and SIGINT describe the stay in the Military Archive of the Bundesarchiv
“hostile environment” in which the German at Freiburg is that there is more information than
culture of cryptology started to grow in the I expected.
summer of 1914.
Due to the fact, that the archives of the
The investigation takes into account, how the Prussian Army and the War Ministry were
military commanders integrated cryptology destroyed, there is some hope that the
SIGINT and this kind of intelligence gathering correspondent holdings of the Bavarian State
Archive could close this gap in some way. The

70
research in the regional archive of North Rhine- 3 How Germans learnt cryptology
Westfalia provided some information on how the
Prussian Interior Ministry introduced 3.1 Ignoring cryptanalysis and SIGINT
cryptography in its communication with the
In search of reasons to explain the German
regional military institutions. 3
fixation on cryptography, I consulted several
In this context, the "William F. Friedman editions of the popular encyclopedias such as
Collection of Official Papers", as called by the Meyer’s Konversations-Lexikon and the
NSA, is of particular interest. It contains more Brockhaus. Between the 19th and 20th centuries,
than 7,600 documents spanning over 52,000 both publications not only ignored the existence
pages. The collection can be searched and of the word "Kryptologie", but also indicated that
downloaded as a PDF via Internet. 4 Due to the the term should be replaced by "Geheimschrift"
close relationship between the cryptologic and or "Chiffre". Since the beginning of the 19th
intelligences communities of the US and the UK, century, the cryptologic horizon seemed to be
the NSA collection must be seen in connection to limited to cryptography.
the respective holdings in the British National
This limitation is curious because just a retired
Archives at Kew, as some German related
officer published a classic on cryptology in 1863.
documents of supposed US origin were gathered
Major Friedrich Wilhelm Kasiski titled his book
in fact by their English "cousins".
"Die Geheimschriften und die Dechiffrir-Kunst"
In this context, and from a purely academic (Secret scripts and the art of decipherment). As
point of view, the decrypts of intercepted the title indicates, it reflects upon our modern
German radiograms published by Lasry et al. understanding of cryptology and is based on
(2017) present a special kind of document. To cryptography and cryptanalysis.
some extent, they are "retranslations" from an
The facts collected on Kasiski indicate that he
original text which was encoded and sent by
had nothing to do with the cryptology while in
radio. Albeit the cryptanalysts broke the code
the military. Though he dedicated his book to the
and got a plaintext again, the latter should be
acting war minister Albrecht von Roon, the
compared with the original message, if possible.
author addresses him only as his former
In any case, researchers need an organizational commander. It seems that the military hierarchy
chart of the institution in question. This is decided to ignore both Kasiski’s cryptological
essential for two reasons. First, an organizational efforts and SIGINT as well.
chart helps to identify the departments concerned
“In Germany to be sure, the General Staff
with cryptology inside a ministry, which can be
thought of such possibilities, but down to the
helpful if the search using keywords was not
outbreak of World War I had undertaken
successful. Second, an organizational chart
practically nothing. Even in the Foreign Office
uncovers the position of a cryptologic section in
nothing had been done in this direction which
the respective structure. It makes a difference if
was worthy of mention” states the signals officer
it is attached directly to the minister's bureau or
Wilhelm Flicke.5 Only during the battle of
if it is a department or if it positioned on a lower
Tannenberg in 1914, the high command would
level being only a section or a subsection. So, the
discover the advantages of SIGINT and
archives and their holdings themselves generate
cryptanalysis. It took several months until the
valuable "intelligence" on the German culture of
new possibilities were included into its military
cryptology.
organization.

3.2 The Chiffrierbureau Accused of

Plagiarism
Due to the lack of documentation, it is
3 assumed that the Foreign Office and its
LAV NRW, Abteilung Rheinland, BR 0021 Nr. 107,
108
5
https://www.nsa.gov/news-features/declassified-
4
https://www.nsa.gov/news-features/declassified- documents/cryptologic-
documents/friedman-documents/, last seen 15.01.2018 spectrum/assets/files/beginnings_radio_intercept.pdf, p.21.

71
Chiffrierbureau underestimated cryptanalysis and can only result if the entire cipher is betrayed or
the interception of foreign messages by technical essential parts and keys come to the knowledge
means. Security did not seem to feature high on of a foreign government. Of course, there is no
their list of priorities. absolute security against betrayal and the only
aid is the frequent change of cipher and of keys,
It seems strange, at first, that until the end of which is abundantly provided for here." 6
World War I the Auswärtiges Amt published in
the "Handbook for the German Reich" the This information on the Foreign Office's culture
identities of all the officials who worked for its of cryptology is provided by a document kept in
Chiffrierbureau. This extent of governmental the above-mentioned Friedman Collection. The
transparency included the names of individuals NSA labeled it "CRYPTOGRAPHIC SYSTEMS
who were civil servants and all the medals they USED BY GERMAN FOREIGN OFFICE; THE
had been awarded. Any foreign intelligence ZIMMERMAN [sic] TELEGRAM.” A
serviceman would have been grateful to get his handwritten remark on the first page of the PDF
hands on the list of potential targets, who had indicates that it belonged to a folder where
access to classified material. Friedman stored various information on the
Zimmermann-telegram. This thereby leads to the
Secondly, neither the Ministry nor the cipher- beginning of the problem.
bureau seemed to be concerned when in 1872 the
printer M. Niethe accused both to have stolen his The NSA, as the CIA, does not scan entire
code-system. The fact that several editions of his folders but only documents. At this point, we see
book can be found in various German public again the primacy of intelligence and information
libraries proves his enthusiasm but also that over the archival context of a document, as
neither the Reich government nor the described in chapter 2.4. From the historical
Auswärtiges Amt tried to silence him using point of view we are not dealing with an original
censorship, albeit at one point during the conflict but with a copy, meaning, an English translation.
Niethe was summoned by the police.
Though the translator seemed to be a
The background information on the cipher- professional -he or she even reproduces the
bureau personnel mentioned in the Handbook, layout of the German original- but we are
and the Niethe case are the basis for further unaware of how Friedman got possession of the
investigation on the culture of cryptology document. Nor do we have further information
followed by the Auswärtiges Amt. on the remaining original German texts. Despite
all these questions, Zimmermann's statement and
3.3 The Crypto-Crisis of 1917 other correspondences scanned into the PDF
The publication of the Zimmermann-telegram seem to be genuine because they are supported
in spring of 1917 not only brought the US into by the article Stützel (1969) mentionededited in a
the war but also exposed the opinion of the West German military publication.
Auswärtiges Amt about the security of its codes. In 1917, Stützel was a "lieutenant of the
The incident caused a major discussion reserve", as we can read in one of the translated
reagarding cryptography between the Foreign letters. He proved that in terms of the strength
Office, High Army Command, the Army and the and security of its codes, the quoted assumption
Navy. The “crypto-crisis” can be considered also of the Foreign Office was inaccurate. Stützel
as the endstart of the German cryptology because intercepted and solved the encrypted messages
from that point on, cryptanalysis was used as a sent between the Auswärtiges Amt and the
means to test the strength or weakness of German Embassy at Madrid. His discovery
German codes. generated the mentioned discussion on insecure
On 23 March 1917, the secretary of State, codes.
Alfred Zimmermann, wrote to the representative This incident is important because it uncovers
of his Foreign Office at the General different aspects of the German cryptology
Headquarters, the baron Kurt von Lersner: culture. First, it stresses the role of the
"Decipherment of these telegrams is simply
impossible even for the most clever specialists. It 6
The PDF’s filename is 41716799075610.pdf

72
Chiffrierbureau as the unique provider of Though the political system changed, and the
diplomatic codes. Second, to believe that its military had to downsize its structures according
codes are unbreakable can be considered as to the Treaty of Versailles, the Army and the
ignorance but it also expresses the inflexibility Navy maintained their principal SIGINT and
that was characteristic of imperial Germany. cryptology organizations, which also included
Third, itthis above mentioned stickiness made it part of the personnel.
impossible that the governmental structures
reacted quickly regarding changes in its Lasry et al. (2017) provide solved radiograms
structures and codes. Finally, Stützel’s sent by the signals captain Walther Seifert. After
cryptanalysis on the diplomatic codes questioned the collapse and defeat of 1918, he switched over
not only the expertise of the Chiffrierbureau but to the Chiffrierstelle (cipher-section) of the
also theput at risk the trust competence of the Reichswehrministerium (Ministry of the Armed
entire division of the the armed services in the Forces). In 1933, he was a part of the founders of
Foreign Office. the Forschungsamt (Research Office). The latter
became the technical intelligence agency of the
3.4 The imposed silence National-Socialist Germany, which was a part of
Hermann Göring’s Reich Air Ministry, and
In the 1920s, the former Austrian captain, Seifert its head of cryptanalysis.
Andreas Figl, planned to publish his memoires
and experiences as the head of the cryptologic Albert Praun started his military career in the
section of the Austro-Hungarian army signals troops of the Bavarian Army. He later
intelligence service, Evidenzbüro. This took over several military commands until 1944
publication reveals reasons as to why German and then became the Army's Chief Signals
cryptology of World War I never was treated by Officer. From 1956 to 1965 he headed the
its protagonists as the British did. SIGINT department of the West German foreign
intelligence service, the Bundesnachrichtendienst
After the first of three volumes werewas (BND). Although Praun published some articles
published, Figl was pressurized to step back from on that subject, he kept his imposed silence.
his project. "The action against me came from
the [Austrian] Federal Army and -as I 4 The Presence of the Past
ascertained later- from the German General
Staff", Figl recognized in his unpublished In spite of the mentioned publications and
memories.7 He states that the intelligence and sources, the imposed silence on the German
cryptologic communities held opposite opinions culture of cryptology persists. The research on
on weather he and his colleagues were still this area has recently begun and some questions
bound by the duty of secrecy or not. Figl thought might never be answered. Investigating the
he was no longer bound as the state he swore to - German culture of cryptology prior to and during
the Austro-Hungarian Monarchy- was no longer World War I is linked to our modern security
in existence since 1918, when it broke into culture because both are parts of the same chain.
several independent republics. The Austrian
Emperor had to abdicate and go into exile, There are at least two further links, those of
similar to his German incumbent. cryptology and intelligence during World War II
and the Cold War. For the latter it would be
Obviously, on the other side of the Alps, the interesting to know whether the cultures of
German military saw that quite differently. From cryptology in the two German states were
the legal perspective, one has to question different because of their opposite
whether the duty of secrecy sworn before 1918 politicalideological views due to their particular
persisted or not. The oath was considered intelligence cultures. The next step would be to
legitimate if it was to the German Reich but not compare it at least with the French, English, US,
to the Kaiser and king. The latter, although and Russian cultures of cryptology, if possible.
converted from monarchy into republic, persisted
as the official denomination of the new state. But before we follow the chain up to the
present time, we should look back from the
German Reich of 1871 to the earlier epoch of the
7
18th-century-Black Chambers. Perhaps, on the
Bundesarchiv, MSG 2_18031
one hand, this investigation can provide

73
information for closing the gap between the Prof. Arno Wacker, Dr. Nils Kopal, and Dr.
cryptologic and intelligence system of the late George Lasry who invited me to reconstruct the
19th century and that of Prussian king Frederick historical context of the German messages they
the Great in the 18th century. If, on the other, due had solved. I also thank the three anonymous
to the lack of reliable sources, it could be helpful reviewers whose commentaries made me rethink
to compare at least the code-systems used in both some aspects of this article. Last but not least, I
periods. Maybe similarities could be found and am deeply indebted to Dr. Roopika Menon who
shed some light on Prussian cryptology and its helped me to improve my English text.
continuity.
References
Describing the learning process the German
culture of cryptology, it underwent, between Maria Bada and Angela Sasse. 2014. Cyber Security
1870 and 1918, several changes. The truereal Awareness Campaigns: Why do they fail to change
activity of the Chiffrierbureau will never be behaviour?
discovered but at least the files on its personnel http://discovery.ucl.ac.uk/1468954/1/Awareness%2
could provide information on how they entered 0CampaignsDraftWorkingPaper.pdf, last seen
the section and what kind of preparation they 15.01.2018.
undertook for their work. In this context it would Böhme, Hartmut: Vom Cultus zur
be interesting to analyze the path and networks
Kultur(wissenschaft). Zur historischen Semantik
of those cryptologists who started their career in
des Kulturbegriffs. In: Renate Glaser/Matthias
the Army or in the Navy.
Luserke (Ed.). 1996. Literaturwissenschaft –
A part of a learning process is also how people Kulturwissenschaft. Positionen, Themen,
handle their successes and above all their Perspektiven. Westdeutscher Verlag, Opladen: 48-
failures. As Figl mentioned, the German military 68.
and political elites avoided being held liable for Hilmar-Detlef Brückner. 2005. Germany's first
their failures in matters of cryptology and
Cryptanalysis on the Western Front: Decrypting
intelligence. They covered up their first major
British and French Naval Ciphers in World War I.
defeat in France by calling the correspondent
Cryptologia, 29(1):1-22.
battle the "wonder of the Marne". In this and
other cases, the history of German cryptology Paul Gannon. 2010. Inside Room 40: The
can correct the greater picture of World War I by Codebreakers of World War 1. Ian Allan
demythologizing some of its narratives. Publishing, Hersham.

In this context, the fact that humans tend to Heinz Höhne. 1993. Der Krieg im Dunkeln. Macht
copy behaviors, becomes a problem. To change und Einfluss der deutschen und russischen
certain cultures renders itself even more difficult Geheimdienste. [The war in the dark. Power and
influence of the German and Russian secret
if people are not used to questioning ideals. The
services.] (Special printing). Gondrom Verlag,
official silence imposed on cryptology and its Bindlach.
history was absolutely not helpful. This might
explain the reason, amongst others, why in David Kahn. 1996. The Codebreakers. The Story of
World War II German officials kept using the Secret Writing, [Kindle, ipad mini version].
Enigma cipher machine even though they knew Downloaded from Amazon.com.
of its weaknesses. Referring to Zimmermann's David Kahn. 2001. An Historical Theory of
statement on code security, one has to question Intelligence. Intelligence and National Security,
human ignorance because till date some things 16:79-92. http://david-kahn.com/articles-
were not meant to be. In this context matches the historical-theory-intelligence.htm, last seen
warning, the US-philosopher George Santayana 14.01.2012.
gave us: "Those who cannot remember the past
are condemned to repeat it." Friedrich Wilhelm Kasiski. 1863. Die
Geheimschriften und die Dechiffrir-Kunst. [The
Acknowledgements Secret Scripts and the Art of Decipherment] E.S.
Mittler, Berlin.
I would like to express my appreciation to
Prof. Christof Paar (Bochum) who brought me
from history into the world of cryptology, to

74
Daniel Larsen. 2014. Intelligence in the First World German Historical Institute London Bulletin,
War: The State of the Field. Intelligence and 38(2):135-140.
National Security, 29(2):282-302.
Hermann Stützel. 1969. Geheimschrift und
George Lasry, Ingo Niebel, Nils Kopal, and Arno Entzifferung im Ersten Weltkrieg [Code and
Wacker. 2017. Deciphering ADFGVX messages Decipherment in World War I]. Truppenpraxis
7:541-545.
from the Eastern Front of World War I.
Cryptologia 41(2): 101-136. Geoff Sullivan and Frode Weierud. 2005. Breaking
German Army Ciphers. Cryptologia, 29(3):193-
Wolfgang J. Mommsen. 1995. Bürgerstolz und
232.
Weltmachtstreben. Deutschland unter Wilhelm II.
1890 bis 1918. Propyläen Verlag, Berlin.
David Paull Nickles. 2003. Under the Wire: How the
Telegraph Changed Diplomacy. Harvard Univ.
Press, Cambridge, Mass.
M. Niethe. 1875. Das "Suum cuique" in neuer
Interpretation seitens des Auswärtigen Amts:
nothwendig gewordener Anhang zu des Verfassers
Werk: Das bei der Chiffrir-Abtheilung des
Deutschen Reichskanzleramts eingeführte
telegraphische Chiffrirsystem etc. [The "Suum
cuique" (to each his own) in a new Interpretation
from the Foreign Office: An Annex, which had
become necessary, to the Author"s Work: The
Telegraphic Cipher-System introduced into the
Cipher-Department of the German Reich
Chancellory etc.] M. Niethe, Berlin.
Markus Pöhlmann. 2005. German Intelligence at
War, 1914-1918. Journal of Intelligence History,
5(2):25-54.
Politisches Archiv des Auswärtigen Amtes (PAAA).
1936. Organisation des Auswärtigen Amtes bis
1936. [handwritten chart] Berlin.
Anne-Simone Rous. 2011. Geheimschriften in
sächsischen Akten der Neuzeit [Secret Writing in
Saxon Files of the Modern Age]. Neues Archiv für
sächsische Geschichte, 82:243-254.
Anne-Simone Rous and Martin Mulsow (Ed.). 2015.
Geheime Post: Kryptologie und Steganographie
der diplomatischen Korrespondenz europäischer
Höfe während der Frühen Neuzeit [Secret Mail:
Cryptology and Steganography in the
Correspondance of the European Courts during the
Early Modern Age]. Duncker & Humblot, Berlin.
Martin Samuels. 2016. Ludwig Föppl: A Bavarian
Cryptanalyst on the Western front. Cryptologia,
40(4):355-373.
Bernhard Sassmann and Tobias Schmitt. 2016.
Cultures of Intelligence Conference Report.

75
 New Findings in a WWI Notebook of Luigi Sacco

Paolo Bonavoglia
former teacher of Mathematics
Convitto Nazionale Marco Foscarini,
Cannaregio 4942, I 30121 Venezia, Italy
paolo.bonavoglia@liceofoscarini.it

examples taken from Valerio (the French treatise

Abstract of cryptography which Sacco used extensively).
And most other messages are in German and
A small size booklet was found by the this is a first clue in favor of the hypothesis that
author among the papers of Luigi Sacco, these cryptograms are real WW1 messages. Most
his grandfather, founder and chief of the cryptograms have names of persons or places of
Italian Army cryptographic office (a.k.a. the war on the eastern front, mainly on the
Reparto crittografico) during WW1. This Rumanian theatre, which is consistent, both in
paper presents a new research, still work space and time, with the conjecture that these
in progress, about new cryptograms found German messages were intercepted by Sacco’s
in the booklet containing historical links radio stations in the Italian Friuli region, not so far
to events of WW1. from the Danube region. They could also come
from other Italian intercepting stations, a good
1 The booklet candidate is for instance the one in Lecce, not far
from the Danube region.
The booklet has 160 pages, mostly handwritten,
some left blank. The cover has the date 18 July 3 A transposition cryptogram
1916, the last pages are dated November 1916.
Therefore, the book covers the very beginning of A particularly interesting transposition cipher
the Italian cryptographic office in WW1. appears in the following couple of pages1 :
The first part looks like an exercise book with
examples and explanations. The following pages
have a mix of German language cryptograms,
mainly transposition ciphers.
A paper about this booklet has been already
published on-line by the author (Bonavoglia
2018). Recent research has produced more
interesting results.
2 Are these real WW1 cryptograms?
This is the first question arising from this booklet. Figure 1 : The couple of pages.
Are all these cryptograms real war messages? Or
are only examples, exercises?
Examining the pages, the most likely
hypothesis is there both are true. A first good
criterion is language; several cryptograms at the
beginning are in French; since France was an ally
of Italy, it looks very likely these are mere Figure 2 : The cryptogram of 79
exercises. And the text states clearly these are letters on top of the left page.

1 Only a few pages have a date; these are between a page

dated 24-09-1916 and one dated 11-10-1916; this should be
a good clue about the date.

Proceedings of the 1st Conference on Historical Cryptology, pages 77– 80,

Uppsala, Sweden, 18-20 June, 2018
 In the right page Sacco writes down a possible The decrypted text is:
strategy to decrypt it: he tries to arrange the text Bei Orsova haben unsere Truppen wieder
in 6 8 10 12 columns rectangles in the hypothesis Gelände gewonnen. Sudlich von Hatzeg
of an irregular rectangle. No solution is given. verloren die Rumen.2
and at last the final words make sense!
This text is interesting because of the
geographic names: Orsova and Hatzeg are
Rumanian cities by the Danube; and in September
1916 the German Army under General
Falkenhayn launched a counter offensive between
Orsova and Hatzeg against the Rumanian Army to
regain the ground lost in August and early
September when Romania declared war to
Austria-Hungary and occupied regions near
Figure 3 : The second couple of pages. Transylvania.
This gives a good accordance of times between
Two pages forward we find another couple of these cryptograms of Sacco’s notebook, and
pages with a slightly different cryptogram, a few historical events of WW1. Another clue in favor
letters changed with similar letters, e.g. L → V, H of the idea that these cryptograms are real WW1
→ E, N →W. It’s likely Sacco found some encrypted messages which Sacco decrypted and
transcription errors from the original. used to find a method for decrypting transposition
Finally, Sacco finds a solution which has ciphers.
strange errors in the last lines.
4 Solved transposition cryptograms
The decrypted text is:
These two pages 3 of the booklet have a lot of
BEI ORSOVA HABEN UNSERE TRUPPEN decrypted transposition cryptograms of various
WIEDER GELANDE GWONNEN X kinds.
SUDLICH VON HATZEG VERVEREN DIE
RUME
Taking the X as a separator, and GWONNEN
for GEWONNEN we have a text sounding good
in German, except for the last line:
Bei Orsova haben unsere Truppen wieder
Gelande gewonnen. Sudlich von Hatzeg
ververen die Rume.
But Ververen die Rume has no meaning in
German, and Sacco writes near this solution:
“The end does not work for errors in the text”. Figure 4 : A few have the original
Quite puzzled by these strange final errors I cryptogram, many only the final solved
supposed there was some mistake in the rectangle.
cryptogram, maybe a handwriting problem, and
made a few attempts; I restored the D present in
the first cryptogram and for some reason removed Here is the first, top left, a simple transposition
from the second and changed it in O. So we have cipher with alternate up and down writing; the
this 80 letters cryptogram: original cryptogram is also shown on the right.
HEEEU AARID SHLVE WNXNR OSNAN The decrypted text is:
OEIMS NELEV VDURU PENHG NONPG
NCEEI EUROI ZRRNE BREWL TOEEB
ATDGD

2 English: At Orsova our troops have gained ground again. 3 These pages are between a page dated 11-10-1916 and one
South of Hatzeg lost the Rumanians dated 17-10-1916.

78
 Major Koppen deutsche Gesandtschaft Sofia Bitte um Nachricht ob Assistenzarzt Moritz
erbitte Draht Antwort welche Formationen zuletzt in Valievo7 als Arzttatig aus Serbischer
dort unterstellts in4 befreit wurde8
Another cryptogram is an irregular rectangle 5 October ‘16: three grille cryptograms
key transposition, much more difficult to break.
Near the end of the booklet, October 19169, a few
grilles appear; Sacco only presents them together
with some conjecture about a possible solution,
but no solution is given.
In the following couple of page, Sacco
displays two 8x8 grilles, both unsolved, the
second incomplete.
Figure 5 : The original cryptogram is missing,
but of course it can easily be reconstructed.

The decrypted text is:

Bitte bei Bulgarischer Heeresleitung sofortige
mit Anweisung der Truppen su erwirken
Koppen Major Etappen Kdo5
Who was this Major Koppen, named twice
here? I could find an answer only in the German
Wikipedia6 ; he was a chief of staff at the High
Command of the German Army. Figure 7 : A couple of pages with grilles.
A third cryptogram is shown hereafter. Here is the first grille; Sacco, searching for the
digraph ’CH’ very common in German, thought it
was a double transposition grille and tried a
permutation of the columns shown on the right,
under the label “Griglia invertita”:10
5.1 Decrypted texts
In 2017 a challenge was launched on the
Cryptograms & Classical Ciphers Facebook
group and both grilles were decrypted with the aid
Figure 6 : A simple transposition, with alternate of dedicated software.
direction of writing, left-right, right-left. The Fleissner 7x7 grille11, with a black case in
the middle is shown in the following figure.
Not very hard to break, in spite of some typos At first look the X and Y on the bottom left
like Artz instead of Arzt. could be nulls to fill the grille; and this was a first
aid for the cryptanalyst. At last the raw decrypted
The decrypted text finally is: text is12 :

4 English: Major Koppen asks the German Embassy in¨ Sofia 8 English: Please let us know if the assistant physician Moritz
a wired answer, which formations are placed there. recently in Valjevo as aid physician has been released.
5 English: You are asked to get by the Bulgarian Army 9these pages have a beginning date, 17-10-1916; the next is
Command the disposition of the troops. Major Koppen, Stage dated 20-10-1916.
(rear) command.
10
under these two grilles he showed some unfinished and
6 Wikipedia is not the best source for serious research and its unsuccessful trials.
reliability is variable; but in this case it was the only source I
11
could find about this Major Koppen; and, after all, I just See (Bauer 1997) p. 96,97.
needed a confirmation he was a real German military officer.
12 The cryptogram was decrypted by Barth Wenmeckers with
7 Valjevo is a city of Serbia. a hill cipher algorithm and independently by the author with
a computer aided software implemented ad hoc.

79
 ESWURDENDREIPUNKTEGESEHEN fleet in the Adriatic Sea; not very likely from
OTLLICHWEITESRSSUCHENXY German ships in the Black Sea.
There are a few typos and some extra S; the 7 Conclusion
spaced and cleaned text is:
Es wurden drei Punkte gesehen östlich weiter As already stated, the booklet has 160 pages, there
suchen XY13 are still a lot of pages to be studied; these are the
more interesting found so far, but there is always
the possibility of something more important to be
found.
Other pages are about the Austrian diplomatic
code, Austrian and German Navy codes, and
others, but no complete cryptograms with
decrypted texts are given.
Figure 8 : The 7x7 grille
I’m publishing the whole booklet on the web,
so any researcher will be able to examine it.
The 8x8 grilles were also decrypted; here is the
Acknowledgements
first:
Feuer eingestellt feindliche Fahrzeuge I wish to thank Cosmo Colavito, engineer and
abgewandte ausser Sicht Flotten telecommunications historian, for help about
K[ommando?]14 Italian Army history in WW 1, and Diana
Schindler, for help in translating German
And here is the decrypted text of the second cryptograms.
8x8 grille, which happened to be encrypted with
the same grille: References
Krieg Ministerium ist ersucht beantragtes Friedrich L. Bauer. 1997. Decrypted Secrets. Springer,
Guthaben von Zw15 Berlin, D. ISBN: 3-540-24502-2

6 Open questions Paolo Bonavoglia. 2017. A 1916 World War I notebook

of Luigi Sacco. Cryptologia, 42:3, 205-221
A few questions remain unanswered: DOI:10.1080/01611194.2017.1362064

Bauer in his book 16 , writes that the German Yves Gylden. 1933. The contribution of the
Army “early in 1917 suddenly introduced turning cryptographic bureaus in the world war. Signal
grilles with denotations like ANNA (5x5), Corps Bulletin 75 and 81, Washington, DC.
BERTA(6x6), CLARA(7x7), DORA(8x8), David Kahn. 1967. Codebreakers. Scribner, New
EMIL(9x9), FRANZ(10x0).” Are these grilles the York, NY. ISBN: 978-0-684-83130-5
first of this kind? A few months earlier that
reported by Bauer? Why this small difference? Luigi Sacco. 1947.Manuale di Crittografia.
Did Sacco manage to solve these grilles in the Ist. Poligrafico dello Stato, Roma, Italy.
following months? At the end of October 1916, Luigi Sacco. 1977. Manual of Cryptography Laguna
he moved to Rome, and his booklet ends in the Hills, Aegean Park Press, (English translation).
same days. We simply do not know. The answer
could be in the notebooks and papers of Sacco in
his Rome office, but all these papers were likely
destroyed or lost.
Could these cryptograms be Austrian rather
than German? The first two cryptograms look like
Navy messages and could come from the Austrian

13 15
English: Three points were seen eastwards, seek further English: The War Ministry is requested of the required
XY. balance by Zw
14English: Ceased fire, enemy vehicles got out of sight. Fleet 16 (Bauer, 1997) pag. 96; see also (Kahn, 1967) pag. 308.
Command.

80
W ORLD WAR II
82
 The First Classical Enigmas
Swedish Views on Enigma Development 1924-1930

Anders Wik
S Catalinagr 9
S-18368 Täby, Sweden
anders.h.wik@gmail.com

Abstract for Foreign Affairs “System 1920” (Faurholt,

2006). Systems of the Wheatstone clock type
This paper concerns the very first “classical” were in use in the Military since 1907. Captain
Enigma from 1924, with rotors, reflector and de Champs had developed a revolving cylinder
lamp display. A description is given of the cipher for the Navy in 1920 but it was just a
Enigma machines bought by the Swedish prototype until 1926. A.G. Damm at AB
General Staff in early 1925, of the Cryptograph had developed an impressive
competition regarding the first standard number of different crypto devices since the mid
crypto machine for the Swedish armed forces, 1910s but at the time the only system
and of some later developments. Cryptograph could offer to the General Staff was
the handheld model A22.
1 Introduction
Looking at the available options it is easy to
The Enigma cipher machine which had such understand that the Enigmas on show at the
importance in the Second World War has its exhibition in 1924 seemed very attractive.
roots in a machine that was first shown publicly
at the Universal Postal Union Congress in 3 The Stockholm machine
Stockholm 1924. In Sweden it generated a strong
interest which lasted for about five years during a At the exhibition during the Congress of the
time when the Enigma machine was developed Universal Postal Union in Stockholm in the
through a number of models. This paper is summer of 1924 ChiMaAG demonstrated two
mainly based on some 80 pages of crypto machines, an Enigma “Handelsmaschine”
correspondence between the Swedish General and a small “Militärmaschine”. The
Staff (SGS) and Chiffriermaschinen AG Handelsmaschine was big machine (about 65 x
(ChiMaAG) in Berlin and documents in 45 x 38 cm) and was quite heavy (about 50 kg).
connection with that. That material is used in a It had earlier been shown at exhibitions in
multitude of places throughout this paper and is Leipzig and Bern in 1923. It could print the
not specifically referenced. It comes from the output using a type wheel. The
archive of FRA, the National Defence Radio “Glühlampenmaschine” was a new model,
Establishment, Stockholm, Sweden (FRA 1924- probably made in just a few copies. It was the
1930). Communication and cooperation was first model in a development, which was to last
handled through the Swedish military attaché in for more than 20 years. No such original
Berlin. Much of the correspondence is in machine or parts of it have been found. Since
Swedish, whereas letters and documentation SGS had a strong interest in both machines the
from ChiMaAG are in German. company left them in Stockholm for trials by the
prospective customer. Also supplied was a one
2 Crypto use in Sweden 1924 page typewritten description entitled
“Glühlampenmaschine Enigma A” as well as a
The main players regarding ciphers were the 16 page printed booklet describing the
General Staff and the Ministry for Foreign Handelsmaschine (ENIGMA Chiffriermaschinen,
Affairs. Codes and simple lookup-tables were 1924).
used, sometimes with a superencipherment, e.g.
by the Köhl cipher ruler which was the Ministry

Proceedings of the 1st Conference on Historical Cryptology, pages 83– 88,

Uppsala, Sweden, 18-20 June, 2018
 It should be noted that ChiMaAG uses the matter for SGS asked for changes in the Enigma
name Enigma A and later Enigma B for the early A they would like to see and test. In October
“Glühlampenmaschine”. The Enigma A is also 1924 he wrote that they considered buying 15
called “die kleine Militärmaschine” and in this such machines. The desired modifications of the
paper, for clarity, “the Stockholm machine”. This machine were:
is contrary to what has earlier been assumed, i.e.
that A and B were the printing Enigma models. 1. A possibility to turn on all lamps at the
This paper will use the notations A and B as same time to check that no lamps are
ChiMaAG used them in the correspondence. broken.
2. The lamp field should have dark
Some details about the Stockholm machine can background and the letters lit. (Apparently
be gathered from the letters and the short this was not the case with the Stockholm
description: machine.)
3. The lamp field ought to be behind the
1. It measured 23 x 27 x 13 cm with a
keyboard and the keys should not be blank
weight of about 5 kilograms.
but instead marked with letters.
2. It had 26 keys and 26 lamps arranged in
two rows each, alternating lamp rows 4. The lever to move the wheels
(presumably the Antriebstaste) should be
and key rows.
on the left side of the machine.
3. The keys and the lamp covers were
unmarked and left for the user to mark Gyllencreutz added further tentative
(with characters or symbols). improvements
4. There was an “Antriebstaste”, a key that
advances the rotors and that must be 5. The machine should have a larger
pressed each time before ciphering a character set, preferably around 40, with
character. digits, comma and period.
5. There were three rotors, one marked 6. It would be desirable to have four wheels
with letters and two with numbers. It had like in the big machine.
a period length of 676 and “more than
17000” (presumably 263) different As to the bigger machine, the Handelsmaschine,
settings. Gyllencreutz was less certain, but possibly SGS
6. Ciphering and deciphering were the might be interested in buying two or three.
same.
7. A reasonable conclusion is that it had 4 Further negotiations
two rotors and in addition an important
novelty, a settable reflector During the rest of 1924 discussions continued
(Umkehrwalze). between SGS in Stockholm and the company in
Berlin through the Swedish military attaché
There does not seem to be any other remaining Major Henry Peyron in Berlin. In October the
documents elsewhere about the Stockholm price with the requested modifications and some
machine (Enigma A). It may have been a further other improvements was given as 100 dollars
development of a German patent application, each at an order of 15 machines. The technical
DE407804, filed on January 18, 1924 by the officer at SGS suggested that the offer should be
inventor Paul Bernstein for ChiMaAG (Bernstein accepted. The total cost for 15 Enigma A
1924). That construction was the first with a machines with modifications 1-4 above would be
lamp field but it had straight ciphering from the 6250 Swedish crowns. The problem was funding.
keyboard through two rotors to the lamps field An attempt to influence the Swedish government
without a reflector, i.e. similar but simpler than was made through General von Bender who
the Handelsmaschine. It is not known whether knew the Grand Duke of Baden, father of the
any machines were produced on basis of Swedish queen Victoria. This seems to have been
Bernstein´s patent. unsuccessful.

In November 1924 ChiMaAG offered a new

The Handelsmaschine and the Enigma A were possibility, a model they call “Enigma B”. In this
returned by courier to ChiMaAG in September machine the third rotor, which in the first model
1924. Captain Gyllencreutz who handled the was a settable reflector, would be a true rotor and

84
step in the encipherment process giving it a ChiMaAG had changed the layout compared to
period length of “about 17500” (263=17576). what they had offered, probably after consent
The new machine could also be delivered with a from SGS. From the back are now rotors, three
28-character alphabet whereas the Enigma A rows of lamps and then the keyboard set up in
only could have a 26-character set. The Enigma alphabetical order. The rotors have an adjustable
A was apparently in stock since they stated that ring setting.
up to 10 machines could be sold with immediate
delivery. Improvements for the Enigma B The wiring of the rotors is as follows in
compared to the machine shown in Stockholm cyclical notation:
should be:
I: (ÖAPRE) (CBSZYLÄKOFXN) (DGQTVI)
1. Different layout: From back to front first (JH) (MUÅ)
two rows of lamps, then the rotors, then
II: (7, 1, 3, 14, 23, 21, 11, 20, 5, 24, 16, 27, 22,
two rows of keys.
2. The rotors move automatically when a 17, 9, 13, 25, 6, 28, 10, 15, 2, 8, 4, 19, 26, 12, 18)
key is pressed making the Antriebstaste III: (5, 1, 26, 11, 28, 12, 25) (10, 2, 22, 4, 9)
unnecessary. (15, 3, 17, 24, 13, 19, 14, 16, 6, 27, 7, 23)
3. The letters are white on a black (8, 18, 21) (20)
background
4. The possibility to check that no lamp is The reflector is fixed in one position and has
faulty. the following connections:

(1,12) (2,4) (3,7) (5, 27) (6, 14) (8,16) (9,19)

(10,11) (13, 22) (15,25) (17,23) (18,21) (20,26)
(24,28)

In theory it would be possible to change the

wiring. The following picture shows that this
would be a tricky procedure with clear risks to
damage the function.

Photo 1: A133 without cover. Source: FRA

5 Swedish Enigmas

On January 13, 1925 SGS places an order for

Photo 2: Opened rotor A133. Source: FRA
two “Enigma B” with a Swedish 28-character
alphabet A…Z ÅÄÖ without W. The price was
650 RM each. The machines were delivered on
April 6, 1925. They have serial numbers A133 6 Funkschlüssel C
and A134 and are today part of the FRA Crypto
collections. The machines do not seem to be ChiMaAG was also negotiating with the
much used, possibly only for evaluation purposes. Reichsmarine which in December 1924 ordered
The weight is 5 kilo (without the wooden box) 10 prototype machines. That model was called
and the measures WxDxH = 26 x 27,5 x 11 cm, “Funkschlüssel C” and had rotors with 28
somewhat wider and lower than the Stockholm contacts. This fits very well with what was
machine. offered to Sweden and the two machines that
were ordered in January 1925. The

85
“Funkschlüssel C” had 29 keys and 29 lamps It seemed clear that SGS thought highly of the
where the letter X went straight to the lamps Enigma and were going to buy it. In his memoirs
without being enciphered. The wiring of the Boris Hagelin wrote that he visited the person in
rotors was most likely different. The Swedish charge at SGS, major Warberg, and asked him to
machine had a reflector which was fixed in one wait six months with their decision. This would
position whereas the Funkschlüssel C had a allow Cryptograph to make a prototype of a
possibility to fix the reflector in four different machine of Enigma type – but better. He was
positions. Apart from that the two machine types granted the time.
would very likely have been the same.
A G Damm had in 1919, independently of
A delivery of 50 machines to the Reichsmarine Scherbius and Koch, patented a form of wired
took place in January 1926 (Weierud 2014). rotors (Damm 1919). This was essential for
These machines were supplied with two extra Hagelin. By using parts of Damm´s B1 and B13
rotors. This was mentioned in a report from the machines he was able to produce a prototype of
Swedish military attaché in October 1925, which what was to become the B21 machine. His
said that a customer had ordered two extra rotors machine had lamps and rotors, an irregular
which gives 60 different rotor combinations stepping mechanism for the rotors and a wider
instead of 6. ChiMaAG suggested that SGS variety of operator key settings. Hagelin´s
should do the same. prototype was enough to stall immediate
decisions and eventually secure the order from
7 Swedish competition SGS and the Ministry for Foreign Affairs.

Boris Hagelin, who was now in charge of AB Cryptograph had acquired an Enigma (A344),
Cryptograph, heard about the strong interest which was sent to Damm in Paris. He sent back a
from SGS for the new Enigma machines. preliminary report in August 1927 (Damm 1927).
Cryptograph had good contacts with the Swedish There he noted that he made a study already in
military, but their only viable product was the September 1924 based on patent descriptions and
A22, which was far less attractive than the other available information. That earlier report
Enigma. has not been found. In the 1927 report he wrote
that the security is low if the wirings are known.
Nevertheless, the two machines were tested He claims that he is developing a method to
against each other in May 1925. Captain solve Enigma but writes that it would be
Backlund limited his comparison to practical improper to give details in a letter. Instead he
matters such as encryption speed where he stated goes into a detailed discussion of the machine.
that encrypting a 100 character message would
take 6 1/2, 4 and 3 minutes respectively for 1, 2 He concluded his seven-page report with his
or 3 persons whereas for the A22 it would take verdict. Enigma is a reasonably handy method to
around 4 minutes independently of the number of encipher… but … the security is directly
people involved. Backlund noted that the Enigma dependent on keeping absolutely secret not only
machines had a stepping error. This is the double machine details but also texts - even if they are
stepping effect described by Hamer (1997). meaningless – that have been enciphered.

Lt Samsioe gave a preliminary assessment of His report might have helped Cryptograph by
the security in November 1925. He wrote that the casting doubt on the Enigma even if his report
A22 seems to give a fairly low security, which does not contain arguments to show that the
possibly could be improved. His study of Enigma Enigma system is weak.
B was not concluded. He notes that the period is
283 but that there are subperiods of 28 which it 8 The next generation Enigmas
might be possible to isolate. (Actually the period
is 28 x 27 x 28 because of the double stepping.) Contacts between SGS (through the embassy in
A22 and Enigma B share the problem that a Berlin) and ChiMaAG continued during 1925
change of message keys does not change the while the two delivered machines were being
character of the cipher enough. A new key is just evaluated in Stockholm. A request from SGS
a new starting position in the same crypto period. concerned a machine with printer and compatible
Since the order of the three rotors could be with the lamp machines. At first the company
changed there could be six different key series. seemed to be developing such a compatible pair.

86
However, in April 1926 the company stated that that the pair of machines could be tested in
such a solution would not be developed since the operational use. Herslow was quite familiar with
printing machine would lose functionality and the Enigmas after many discussions at ChiMaAG.
the lamp machine would be heavier, costlier and
less reliable. When Herslow left for Moscow in the
beginning of April 1927 the new machines were
In the summer of 1926 LtColonel Carl Herslow not ready so the company supplied two machines
succeeded Henry Peyron as military attaché. on loan (A361, A362), one for Herslow, one for
Herslow had a good knowledge of crypto matters Stockholm. Warberg provided a 12-page
and had worked in the group of officers at SGS document with detailed instructions for key
which solved Russian diplomatic code traffic settings etc. (FRA 1927). The two Zählwerk
during WW1. This work was in cooperation with machines (A350 and A351) were delivered in
Germany, which may have benefitted Herslow´s May 1927 and the machines on loan were sent
insights into German security matters (Grahn back.
2017). In August 1926 Herslow visited the
company and reported that the new machine was 9 Enigma or B21
in its final shape. It had been introduced at the
Auswärtiges Amt and would soon also be Presumably the Zählwerk Enigma was studied
presented to the Reichswehrministerium. The and tested. There is no communication in the file
new machine had four rotors (presumably three for the coming six months. In December 1927
plus a reflector) and also spare rotors in a SGS asked for a quotation for the delivery of 40-
separate box. The price was quoted as 600 RM. 60 machines with a 28-character alphabet – with
Warberg at SGS was interested. He would like to or without Zählwerk. The reply from the
test the new machine, preferably with a 28- company was prompt. They quoted a basic price
character alphabet. of 600 RM for a 26-character machine and gave
two options. A Zählwerk would add 100RM and
In November 1926 Herslow wrote to Warberg 28-character alphabet 30 RM.
to tell him that the Reichswehrministerium had
got delivery of a small series of the new machine. Parallel negotiations were going on between
With Swedish specifications (28 characters) the SGS and Cryptograph and the decision was made.
new machine would be slightly bigger and could B21 was chosen as m/29, SGS standard machine
be offered at a price of 600 RM a piece at an model of 1929. No final evaluation has been
order of 30-40 machines. A counter (Zählwerk) found in the archives. Therefore one can only
was optional and would add 40 RM to the price. speculate about which arguments were the
A new machine with printer (a development of decisive ones. A longer key period? Rotors wired
the Handelsmaschine) was expected to be in Sweden? Wider user key space? Support to
developed by March 1927. It was aimed for use Swedish industry?
by higher staffs and had a price of about 2000
RM. The Navy had some independence from SGS.
Their order for three Enigmas was the last sign
Test machines meeting Swedish requirements of interest from the Swedish armed forces. After
would be quite costly. Therefore, in February delivery of A853, A854 and A855 in April 1929
1927, Warberg asked Herslow to buy two 26- there seems to be no interest in Enigmas from
character Enigmas with Zählwerk (at 700 RM a Swedish authorities.
piece). In March 1927 Warberg reminds him that
he should check the machines on delivery so that 10 Not quite the end
they do not have the stepping error of the earlier
machines (cf section 7 above). The new Carl Herslow, mentioned above, was in 1928
machines were Zählwerk machines and had a recruited by Ivar Kreuger, a Swedish industrialist
different stepping mechanism. That check should and entrepreneur known as the “Match King”.
therefore have worked without problem. By aggressive investments and innovative
financial instruments he built a financial empire
Herslow was going to take up a position as which in the end controlled between two thirds
military attaché in Moscow. He was instructed to and three quarters of worldwide match
take one machine with him to Moscow. The production. His activities needed secure
other one should be delivered to Stockholm so communications and the Swedish match

87
company Svenska Tändsticks AB (S.T.A.B) Damm, Arvid Gerhard. 1919. Swedish patent SE52
became one of just a few non-government buyers 279. Filed Oct 10, 1919. US patent 1 502 376, July
of Enigma machines. 22, 1924.

There is a note that Herslow bought two Damm, Arvid Gerhard. 1927. Preliminärt utlåtande
machines “for Kreuger” in the spring of 1928. angående “Glühlampen-Chiffriermaschine
Enigma”. Krigsarkivet, Stockholm. Boris Hagelins
Also there is a note from 1935 that two machines
privatarkiv, vol F II:3.
(A343 and A344) were presumed to be at
S.T.A.B. All in all it seems that Kreuger´s ENIGMA Chiffriermaschinen. 1924.
company bought six Enigmas (numbered A327, Handelsmaschine. FRA Crypto collections.
A328, A343, A344, A801, A802) (Weierud 2014) Booklet.

Apart from these regular machines S.T.A.B Faurholt, Niels O. 2006. Alexis Køhl: A Danish
also bought three small Enigmas, model Z30, Inventor of Cryptosystems. Cryptologia vol 30.
aimed at enciphering digital codes. No
FRA archive. 1924-1930. Bearbetningsbyrån F V:1.
documentation concerning this has been found. “Chifferapparaten Enigma”.
The acquisition of these three machines, bought
around 1930, concludes all dealings between FRA archive. 1927. Bearbetningsbyrån F V:1.
Sweden and Chiffriermaschinen AG. The three Instruktion för användning av Chifferapparat
Z30 machines are part of FRA Crypto collections Enigma B /Chiffer EZ/.
(Wik 2016).
Grahn, Jan-Olof. 2017. Om svensk signalspaning -
A broader picture of Swedish cryptography and Pionjärerna (“On Swedish SIGINT – The
early Swedish Sigint between the world wars is pioneers”). Medströms bokförlag, Stockholm.
given by McKay and Beckman (2003).
Hamer, David. 1997. Enigma: Actions involved in
Acknowledgements the ‘double stepping’ of the middle rotor.
Cryptologia vol 21.
The author is most grateful to Frode Weierud for
sharing his Enigma expertise and for his valuable McKay and Beckman. 2003. Swedish signal
advise. intelligence 1900-1945. Frank Cass, London.

References Weierud, Frode. 2014. Personal communication.

Bernstein, Carl. 1924. German patent DE 407 804. Wik, Anders. 2016. Enigma Z30 retrieved.
http://www.cryptomuseum.com/crypto/enigma/pat Cryptologia vol 40.
ents/files/DE407804.pdf

88
 An Inventory of Early Inter-Allied Enigma Cooperation

Marek Grajek
Freelance cryptography consultant and historian
Poland
mjg@interia.eu

Abstract Bletchley Park in 1945. Unfortunately this

document is lost or at least has not been
Shortcomings in the earliest reports coming declassified so far and remains unavailable to
from the wartime work at Bletchley Park historians.
resulted in a slightly distorted picture of the
early inter-Allied cooperation in cryptology. This author believes that he has identified a
The ultimate evidence of the Polish document representing an edited, albeit a slightly
contribution to the success over Enigma, a later and abridged version, of the original Pyry
report passed on to the British and French report. The document found is potentially even
participants of the meeting in Pyry in July
more valuable than the original report, covering
1939, remains unavailable to historians.
Some files declassified in 2015 by the French events up till the fall of France in June 1940. It
intelligence service contain a document may be regarded as an inventory of the early
representing most probably an abridged and inter-Allied cooperation in the struggle against
rewritten version of the Pyry report. This the Enigma ciphers. This paper presents early
paper offers a preliminary analysis of this findings regarding this document.
document.
2 Historical context
1 Introduction
Since their first meeting in Paris, in January
Although some attempts to coordinate the 1939, chiefs of the codebreaking services of the
British, French and Polish efforts aimed at three countries, France, Great Britain, and
breaking the Enigma ciphers had been Poland, knew that finding a common language
undertaken earlier, the conference at Pyry on 24- was not going to be easy. In the literal sense of
27 July 1939 marked the effective start of the the word they could hardly find a way to
inter-Allied cooperation in that field. The general communicate, before they agreed to use the
nature of the reports from the Pyry meeting, as language of their common cryptologic adversary
known so far, does not allow the precise – German. They did not know at that stage that
assessment of the contribution of the countries they were coming to the table bearing different
participating in the conference in unravelling the levels of knowledge regarding Enigma,
secret of Enigma at that early stage of work. experience and probably – different instructions
and goals. The tension around the table was
Both cryptographers and historians have been almost palpable, in spite of Bertrand’s efforts to
aware for a long time of the existence of a integrate the group using the services of the best
definitive source of information regarding the restaurants in Paris. In those circumstances, it is
Pyry conference and early work on Enigma. not surprising that the meeting’s only measurable
Before the chiefs of Polish intelligence service result was a decision to convey further meetings,
authorised the invitation of the British and once any of the parties had news to
French codebreaking services to Warsaw, they communicate.
instructed the Cipher Bureau to prepare a
detailed report presenting the complete Polish That moment arrived sooner than expected; in
knowledge about, and experience with, the July invitation from Warsaw arrived, declaring
Enigma machine and its ciphers. Copies of that that ‘il y a du nouveau’. But when the
report were passed on to the British and French codebreakers arrived in Warsaw on July 24th
guests during the Pyry meeting. British post- they had to switch back to German again, as the
WWII reports (Alexander, 1945; Mahon, 1945; document they were discussing was in that
Millner-Barry et al., 1945) contain references to language. Mahon (1945, p. 13) stated in his post-
the report indicating that it was available at war report that “(n)early all the early work on
German Naval Enigma was done by Polish

Proceedings of the 1st Conference on Historical Cryptology, pages 89– 94,

Uppsala, Sweden, 18-20 June, 2018
cryptographers who handed over the details of cipher machines derived from the results of the
their very considerable achievements just before evolution of Enigma. While we could understand
the outbreak of war”, and added that “the Poles the versions of events presented by
devised a new method which is of considerable Winterbotham, Cave Brown and Stevenson as
interest. Their account of this system, written in obvious disinformation, the same information
stilted German, still exists and makes amusing produced in the 21st century represents nothing
reading for anyone who has dealt with machines” more than anachronism. On the other hand,
(Mahon, 1945, p. 13). however, it illustrates the need for an ultimate
proof of the real scope of contributions delivered
British post-war reports were compiled by by the Allied nations to the victory over Enigma.
G.C.&C.S. section heads, who had no first-hand For the author of this paper, this was the main
knowledge of events of 1939. In fact in 1945 no reason to spend several years searching for the
participant of the Pyry conference remained at document which could provide indisputable
Bletchley Park. Dilly Knox had passed away in evidence.
February 1943; Alastair Denniston had been
sacked from his position in February 1942 and Until recently this search did not bring
exiled to the diplomatic section. Mahon admits encouraging results. Archivists representing
having gained most of his knowledge about the major institutions were sceptical. According to
early attacks at Enigma from Alan Turing; but their opinions, if the document in question had
Turing had neither participated in the Pyry been written in the German language, the
conference, nor was he known to be an effective chances are that it had been transferred to the
communicator. Under the circumstances as German files immediately after the war, where it
described, it is natural that post-war reports are has stayed unrecognised up till now or has been
full of unanswered questions and presumptions entirely lost. However, on 2 December 2015, the
of disputable value. French Direction Générale de la Sécurité
Extérieure announced the declassification of the
The view of early work on Enigma became set of documents relating to the French role in
even more confused after the British secret Enigma breaking and the transfer of those
services felt obliged in mid-1970s to react to the documents to the archives of the Service
publication of Bertrand’s book. They obviously Historique de la Défence. Preliminary
considered Bertrand’s revelation as premature investigation of these documents at Château de
and decided to wrap them up with a shroud of Vincennes confirmed that they represented part
disinformation. Frederick Winterbotham was of the private archive accumulated by the late
commissioned to provide a cover version of Gen. Gustave Bertrand over the years of his
history: “In 1938 a Polish mechanic had been active service at various units of French
employed in a factory in Eastern Germany which intelligence service and seized by his former
was making (…) some sort of secret signalling employer immediately after the General’s death
machine. (…) In due course the young Pole was at his home at Théoule-sur-Mer.
(…) secretly smuggled out under a false passport
(…), installed in Paris where (…) he was given a 3 Preliminary analysis of the document
workshop. With the help of a carpenter to look
after him, he began to make a wooden mock-up Bertrand’s collection represents an extremely
of the machine he had been working on in interesting object of research for Enigma
Germany” (Winterbotham, 1974). Similar historians. In this paper we shall focus on just
versions of this story were later on presented by one of its elements; an unsigned and undated
Cave Brown (1975), Stevenson (1976) and, in typescript described in the inventory as
more recent times, by Aldrich (2010) and Davies “Technical note in German” 1 (unsigned, 1940a).
(2008). Their stories have a crucial element in The document is 61 pages long, contains a title
common in attempting to provide a cover for the page, a table of contents, and 38 sections. Its title
compromise of Enigma ciphers in the breach of page leaves no doubt as to its contents:
machine’s physical security. That reaction is “ENIGMA. Abridged presentation of solution
understandable; in 1973, when Bertrand (1973)
revealed the Allied success with Enigma ciphers,
the Cold War was at full swing and the armies of
Warsaw Pact were making extensive use of rotor
1
In original: Notice technique en allemande.

90
methods” 2, and its preface partially reveals the 1945, had confused the question of the
identity of its, otherwise unsigned, authors; document’s attribution. The German reports
“Below we sketch how the Cipher Bureau of the based on his interrogation in 1944 mention only
Polish General Staff managed to reconstruct the two mathematicians; it seems probable that
Enigma model described above, and methods Langer’s mind adjusted (consciously or
invented to assure prompt deciphering of its unconsciously) to the situation after Różycki’s
messages, in spite of the changes and death.
improvements introduced by the German cipher
service to protect their security”. A brief mention While the scope of the document covers
in one of Lt. Col. Langer’s (former head of events having taken place between the Pyry
Polish Cipher Bureau) reports allowed this conference and the fall of France in June 1940,
author not only to place the document in its time- its basic structure and form, as well as
line, but also to understand the circumstances of comparison with other documents edited by
its creation. After his liberation from the German Marian Rejewski and his colleagues, suggest
internment camp, Langer (1945) was existence of their common source – presumed to
commissioned to write a report presenting the be the Pyry report. The term “abridged” used in
circumstances of his team’s evacuation from the title might suggest existence of a full version
southern France in 1942 and the events that of the same document. Working in France, in
followed. It is in that report that we find a 1940 or later, at Bertrand’s request, it would be
following statement: “At Château des Fouzes, natural for the codebreakers to prepare the text in
Bertrand requested that a report be prepared French (at least two members of the team were
presenting the contribution brought by each of fluent in that language). However, existence of
three partners to Enigma solution. The report was the German language reference, and economy of
prepared by Lt. Rejewski and Zygalski. After labour dictated the preparation of an abridged
Bertrand had studied the result he declared that version of the existing German language
the work must be rewritten from scratch, as document, complementing it with coverage of
reading it in its present form one gets the the recent events and adding elements
impression that the contribution of the French specifically requested by Bertrand.
was negligible”. The declared purpose of the While working on the original Pyry report,
report is consistent with its otherwise somewhat the codebreakers having full access to their own
mysterious fragment; Section 38 presents an archive, could, and certainly would have wanted
inventory of contributions of the three countries to, demonstrate their mastery of the subject by
towards the success over Enigma ciphers (see including as much detail as possible. However,
Figure 1 below). the archive of the Cipher Bureau was lost during
its evacuation towards the Romanian border.
The analysed document is unsigned; the same When the team attempted to continue its work in
report by Langer sheds some light and a bit of France, the Poles had to recreate their
doubt on the question of its authorship. documentation using their memory as the only
According to that report, the document was reference available. Process was slow and
prepared by Marian Rejewski and Henryk gradual, as can be seen from the effects of its
Zygalski. That would point to its creation either first stage – the so called “Dokument L”
in 1941 (during Jerzy Różycki’s detachment to (unsigned, 1940b), representing an appendix to
Algiers) or in 1942 (after Różycki’s death). This Langer’s report from the pre-war activity of the
author believes that more probable time of its Cipher Bureau. “Dokument L” was written
creation was late 1940 or early 1941, when during the first half of 1940 and supposedly
Bertrand was still unable to provide the covers the period 1930-1940 (although its scope
codebreakers with enough intercepts to keep ends with the Pyry conference). In spite of its
them engaged. Moreover, should the document scope similar to the discussed document it counts
have been written in 1942, it would most only 31 pages – about half of the latter.
probably include some references to British reports prepared in 1945 include some
codebreakers’ work at P.C. Cadix. It is also details of the Polish pre-war activities, which are
possible that Langer, when writing his report in otherwise unknown from the available Polish
sources. Alexander (1945, p. 18) describes the
2
Polish attack on naval Enigma using the term
In original: ENIGMA. Kurzgefasste Darstellung der
“Forty Weepy”. That term was coined by the
Auflösungsmethoden.

91
Poles from the representation of numbers used however, in the discussed document they are
by Kriegsmarine cipher clerks in 1937. The presented in a more systematic way than in other
British codebreakers could not have known about versions. At least some novel elements deserve
that from their own experience, as the system special attention. The first one concerns the radio
was changed before they focused attention on the network of the German Sicherheitsdienst (S.D.).
naval Enigma. The same report by Alexander Section 34 presents the history of Polish struggle
names the call sign, AFA, of the German torpedo with the S.D. network between its first
boat whose signals permitted Polish appearance in October 1937 and a major change
codebreakers to break the new Enigma procedure on 1 August 1939. Messages in the S.D. network
adopted by Kriegsmarine in May 1937. None of were masked with a 3-letter code before
those details (“Forty Weepy” or AFA) are enciphering with Enigma. That did not prevent
mentioned in the analysed document (or any Polish codebreakers from breaking both the code
other Polish sources) and must have been known and the Enigma key and reading the messages up
to the British codebreakers from the original to 31 July 1939.
Pyry report.
This statement contradicts the opinion
The scope of information regarding pre-war formulated in Dilly Knox’s (1939a) report from
efforts of the Polish Cipher Bureau available in the Pyry meeting, and repeated since then by
the analysed document goes far beyond the limits numerous sources, that Poles were unable to read
of the original, Polish sources available so far. Enigma after the change of the indicator
On the other hand it does not include some structure on 15 September 1938. The statement
details quoted in the existing British reports. The in Section 27 reinforces this argument indicating
structure of the document is very similar, even in that the military key from 25 August 1939, the
translation, to the structures of other documents day of general German mobilization, was the last
edited by the members of Cipher Bureau team broken day before the evacuation of the Cipher
(“Dokument L” or Rejewski’s “Memories”), Bureau from Warsaw.
hinting at their common source. All those details
considered together permit the positioning of the Section 29 refers to the preparation by
document as an intermediate link between the Bletchley Park staff of a special catalogue
fragmentary sources known so far and their already proposed by the Poles before the
common reference – the original Pyry report. outbreak of war. Lack of resources prevented the
Polish team from implementing its own idea, but
4 Preliminary findings and conclusions the more resourceful British were able to
manufacture the proposed catalogue, which went
Systematic analysis of this recently found into history as Jeffreys’ sheets. Jeffreys’ sheets
document is far beyond the scope of this paper, represented an extension of Zygalski sheets;
although the preface to the edited version while the latter identified only the location of a
(Grajek, 2017) of the report provides its early female, the former permitted also to identify the
stage. The document, although obviously not character corresponding to the female (“(…) we
identical to the original Pyry report, represents had the idea to create catalogues with characters
the best approximation currently available. It has that would correspond to all female cases, (…)
been created by the same team, for the similar now the British (…) put our plans into practice”).
purpose and using the same language. It is the
first material proof of otherwise obvious fact – Section 30 offers an update to the history of
the transfer of Enigma secrets by Polish Cipher the Herivel method, which was brilliantly
Bureau to the Allies, which was found in the conceived but useless as long as the positions of
Allied archives. This author hopes that this the turnover notches in rotors IV and V were
information might spark a wider search for its unknown. Herivel’s discovery was
presumed predecessor – the original Pyry report. complemented by the Polish team, who
identified the notch positions in both rotors and
Most facts presented in the report are known communicating them to BP thereby enabling the
from other sources, in particular from practical application of the Herivel Tip.
“Dokument L” and Rejewski’s “Memories”;

92
 Figure 1: Final section of the analysed document - contributions of the three states to the breaking of Enigma

Section 31 refers to the new Enigma of the German Kriegsmarine. The story long
ciphering procedure used from 1 May 1940. We established among Enigma historians states that
learn that some German cipher clerks started to while Poles provided the foundations for
use it prematurely, on 30 April. The Poles, who breaking the Wehrmacht and Luftwaffe ciphers,
managed to break the military key for that day, breaking the Kriegsmarine Enigma represented a
were able to work out the procedure and purely British adventure. The analysed document
communicate its details to Bletchley. presents this question in a new light. The Poles
were obviously watching the evolution and
While sections 1–32 have a more or less breaking the Kriegsmarine ciphers from their
chronological structure, section 33 is dedicated non-machine beginnings to the establishment in
to the S.D. network, Sections 34–37 break the May 1937 of the system used during the war.
chronological narration and represent an The report confirms that they were able to work
appendix dedicated to the area only incidentally out the details of the new procedure and, thanks
covered in the reports known so far – the ciphers to the German blunder in the transition period, to

93
break enough messages to provide the British Denniston, A. G., How News was Brought from
codebreakers with the reference material for their Warsaw at the end of July 1939, NA 25/12
own efforts. Alan Turing and his team designed a
number of methods (EINS-ing, banburismus) Grajek Marek. 2017. Sztafeta Enigmy.
which could assure regular decryption operation Odnaleziony raport polskich kryptologów,
once the system is first broken, however they ABW, Centralny Ośrodek Szkolenia ABW,
could not advance their practical mastery of the Emów.
cipher beyond the point reached by the Poles in
1937. Their final success in 1941 was based both Knox, A. D. 1939a. Letter to A. G. Denniston,
on the information provided by the Poles and the 1939, NA HW 25/12
documents captured on board the seized German
ships. Knox, A. D. 1939b. Memorandum, NA HW
25/12.
Section 38 represents an element of the
document most appealing to the reader’s mind; it Langer, Gwido Karol. 1945. Sprawozdanie
offers an enumerative list of elements dotyczące ewakuacji Ekspozytury Nr 300,
contributed by the three participants of the Instytut Józefa Piłsudskiego w Londynie,
cryptologic cooperation until June 1940 (cf. 709/133/5.
Figure 1 below). While this picture has changed
significantly in the later stages of war, there is no Mahon, A.P. 1945. The History of Hut Eight, NA
doubt that during the first year of this conflict, HW 25/2.
the Enigma adventure was still heavily
dominated by the achievements of the Polish Milner-Barry, Philip Stuart (ed.). 1945. The
Cipher Bureau team. History of Hut Six, NA HW 4/70.

Acknowledgements Rejewski, Marian, Zygalski, Henryk. 1940.

ENIGMA 1930-1940. Metoda i historia
I would like to express my gratitude to Sir rozwiązania niemieckiego szyfru maszynowego
Dermot Turing for providing an important clue, (w zarysie).
and to Philippe Guillot for assisting my research.
I would like to thank also the Internal Security Rejewski Marian. 1967. Memories of my work at
Agency of Republic of Poland for its help in the Cipher Bureau of the General Staff Second
publishing the source version of the document. Department 1930-1945, Adam Mickiewicz
University Press, Poznań 2013
References
Stevenson, William. 1976. A Man Called
Aldrich, Richard J. 2010. GCHQ. The Intrepid, Skyhorse Publishing, New York.
Uncensored Story of Britain’s most secret
intelligence agency, Harper Press. Unsigned. 1940a. Notice technique en allemande
[sans date], SHD DE2016 ZB25 6, Dossier
Alexander, C.H.O’D. 1945. Cryptographic 281.
History of Work on the German Naval Enigma,
NA HW 25/1. Unsigned. 1940b. Dokument L, appendix to Lt.
Col. Langer’s report on Polish Cipher
Bertrand Gustave. 1973. ENIGMA ou la plus Bureau’s pre-war activities, Instytut Józefa
grande énigme de la guerre 1939-1945, Piłsudskiego w Londynie, 709/133/5.
Librarie Plon, Paris
Winterbotham, Frederic. 1974. The Ultra Secret,
Cave Brown, Anthony. 1975. Bodyguard of Lies, Weidenfeld and Nicolson, London
Harper and Row.

Davies, Norman 2008. Europe at War 1939-

1945. No Simple Victory, Pan Macmillan.

94
 The Poles and Enigma after 1940: le voile se lève-t-il?

Dermot Turing
68 Marshalswick Lane, St Albans, UK
❞❡r♠♦tt✉r✐♥❣❅❜t✐♥t❡r♥❡t✳❝♦♠

Abstract when after some adventures, the survivors of

the Polish team were brought to the UK and
Recently declassified papers, together integrated into the cryptanalytical team of the
with other archival material, begin to Polish General Staff located at Felden, just outside
reveal more details of the activities of London (Rejewski, 2011).
the Polish code-breakers after the outbreak A more genuine mystery concerns the actual
of war in France in 1940. Despite work of the Poles after they left Poland, and the
challenging operating conditions, they extent to which they were able to work on Enigma
continued to work on Enigma problems, ciphers. It is well understood that, during the
though without the benefits of the new first period at ‘PC Bruno’, before the invasion
technology developed at Bletchley Park. of France, they were attacking Enigma using the
Their role in the war effort, with particular Zygalski sheets method (Kapera, 2015). But
focus on Enigma, can thus be re- their later work at PC Cadix and Felden has, until
examined. Although various questions recently, remained more obscure. In 1944, Marian
remain unanswered, it is fair to conclude Rejewski wrote a semi-official memorandum,2
that the Polish contribution continued to objecting to being excluded from current work
be valued by the Allies, and that the role on Enigma, which has been interpreted as further
played by the Polish code-breakers in the evidence of side-lining of the Polish code-breakers
final year of the war needs to be re- by the official British authorities. Borrowing a
evaluated in light of the prevailing political title from the work of Paul Paillole on Enigma
climate. (Paillole, 1985), this paper looks at the archival
material concerning the Polish team’s work,
1 Introduction
considers the extent to which the veil has been
It is a persistent myth that the Polish code-breakers lifted from it, and re-examines the nature of
who had successfully attacked the Enigma cipher Rejewski’s discontent.
before World War 2 were rejected by the UK’s
Government Code and Cypher School (GCCS). 2 The Source Materials
It is, however, just that, a myth: GCCS made There are three principal contemporary accounts
concerted efforts in 1940 after both the fall of of the Polish codebreakers’ activities in the
Poland and the fall of France to have the Poles period 1940-1945: by Gwido Langer,3 by
join Bletchley Park.1 Instead, the Poles were Gustave Bertrand,4 and by Marian Rejewski
integrated into the operation of Gustave Bertrand, (2011). Comments may be made about each of
initially as part of the official French Service de them. Langer’s account was prepared as part of
Renseignements and, after the Armistice agreed his campaign for rehabilitation with the Polish
between France and Germany, as part of the General Staff, which had been induced to question
Vichy regime’s Bureau des Menées Antinationales Langer’s leadership of the Polish team at the
(BMA) at a secret location called ‘PC Cadix’.
2 Polish Institute and Sikorski Museum (PISM), London,
This state of affairs continued until the takeover
Kol 242/92 (Jul 1944).
of the Zone Libre of France in November 1942, 3 PISM Kol 79/50 (1946).
4 Service Historique de la Défense (SHD), Vincennes, DE
1 UK National Archives (TNA) HW 14/3 (Jan 1940), HW
2016 ZB 25/1 (1949).
14/5 (Jun 1940).

Proceedings of the 1st Conference on Historical Cryptology, pages 95– 102,

Uppsala, Sweden, 18-20 June, 2018
time of its forced withdrawal from France in late and informative perspective on the cryptanalysis
1942. The circumstances in which Bertrand’s conducted under Bertrand, including for the
account - only declassified in December 2015 - period when the Polish team was included within
was prepared in 1949 are less certain. However, his organisation. Taken together, the materials
his motivation can be imagined. At that time build a good picture of the activities of the Polish
it was important to Bertrand, who had acquired code-breakers during the years 1940 to1945, and
a senior position in the intelligence service re- facilitate a re-assessment of their contribution and
established by President de Gaulle after the war, of their ongoing involvement in the Enigma story.
to bring to the fore his patriotic Resistance
credentials notwithstanding his arguably-dubious 2.1 Literature
association with the Vichy regime during the The work of the Poles on Enigma has been covered
period of the BMA. Rejewski’s account, prepared by many authors (Grajek, 2010; Garliński, 1979;
in the late 1960s, was careful to avoid any Kozaczuk, 1998) to name just a few. Their
mention of activities which might expose him achievement in uncovering the workings of the
further to the attentions of the Soviet-inspired Wehrmacht Enigma machine and finding methods
Polish security services (Polak, 2005). The to expose the daily key-settings in use has,
ambiguity of the position of Bertrand in relation naturally, been the focus of these works. A
to the Vichy régime after the Armistice of June smaller body of scholarship focuses specifically
1940 led to a degree of concealment, even from on the Poles’ activities after June 1940, when
Bertrand himself, of the true nature of the Polish their operating conditions had become much more
operation (Medrala, 2005)5 . The British were also difficult. Medrala (2005) gives a comprehensive
concerned as to where Bertrand’s loyalties lay.6 and objective account of this period, but his
Each of these reports, then, may be open to an sources revealed little about the nature of the
accusation of partiality or selective reportage. code-breaking activities or the methods used.
Notwithstanding these criticisms, the three Ciechanowski and Tebinka (2005) specifically
accounts may be relied on for what they say about discuss Enigma, but in relation to the period after
the nature of the cryptological activities of the June 1940 they have little to add on what ciphers
Polish team, except in that Rejewski’s account we were broken or how.
are unlikely to find evidence of attacks on Russian Paillole (1975) and Navarre (1978) provide
ciphers. In relation to the assault on German much insight on the Vichy period, but they cover
Enigma, all three accounts might be expected to all aspects of intelligence, rather than focusing on
be straightforward and reliable, if not complete.7 cryptanalysis. Given the background, with Poland
In addition to the three main accounts, there is a overrun by Germany and the USSR, one might
wealth of correspondence and supporting evidence expect the efforts of the Polish code-breakers to
in the UK National Archives, the remaining have been directed against those powers, and not,
Polish Intelligence Bureau archives at the Polish for example, following the more complex agenda
Institute and Sikorski Museum in London, and of Vichy, which included the Allies as objects
the dossiers of original papers accompanying of its intelligence-gathering.8 Bloch (1986)
Bertrand’s 1949 account. These last-mentioned focuses on the code-breakers, raising a number
dossiers, only recently declassified, provide a new of pertinent questions concerning the Polish team,
5 Langer’s account also shows how thousands of encrypted and their relationship with Bertrand; but like
messages were relayed by his team from Polish Intelligence the other authors does not go into detail on the
in North Africa to London. ciphers or techniques. In any case,the French
6 See, for example, TNA HW 14/8, telegrams of
writers all draw heavily on Betrand as their source.
November 1940.
7 It may, however, be observed that the typewritten Bertrand’s own book (1972) is entitled ‘Enigma’
account of Enigma code-breaking entitled ‘Kurzgefasste and gives the impression that Enigma must have
Darstellung der Auflösungsmethoden’, also revealed as part been the main, if not the only, target of the Polish
of the Bertrand Archive (SHD DE 2016 ZB 25/6, Dossiers
Nos. 281 and 282), is not comprehensive, and conceals team. However, the hypothesis that the Poles
important facts now known about co-operation between were devoting themselves at this time to Enigma,
the Allies on Enigma cryptanalysis. The three accounts without code-breaking machinery and possibly
mentioned may also suffer from the same issue of selective
reportage. 8 Cf. Paillole (1975).

96
without even an Enigma machine, presents some reconstructed Enigma machines. With the one
difficulty; existing literature does not face up to they had sent to Bertrand through the diplomatic
that challenge. bag in 1939, that made a total of two to work
with. Bertrand had just made arrangements for the
3 The Cadix Period production of duplicates of the synthetic Enigma
After the fall of France, the Polish code-breakers machines by a factory in Paris when the invasion
were rapidly evacuated to French North Africa, of France took place.9 For the purposes of
despite the plea of Alastair Denniston, the head the reproduction, one of the precious machines
of GCCS, to assimilate them into his team at had been dismantled, leaving the team with only
Bletchley Park. There, there was a near-mutiny one. Before the invasion, a teleprinter link
when some of the team, including notably Marian between Bertrand at PC Bruno and Britain had
Rejewski and Jerzy Różycki, did not want to enabled some degree of sharing of key-finding
return to France but to go to Britain instead. results derived from Zygalski’s sheets, and some
Gwido Langer put down the rebellion and the team decipherment of intercepts, but these had little
moved to a new location near Uzès in the so-called impact on military operations10 and in any case
Zone Libre, the Château des Fouzes, in October the work had come to an end with the evacuation
1940. The conditions were sub-optimal: the code- of PC Bruno. Evidently, at PC Cadix, there was
breakers complained of having to peel potatoes, at best the one surviving Polish reconstruction to
chop wood, and do other manual labour, and the work with, and none of the sophisticated key-
nearest bath was 27 km away; but on the other finding machinery which the British Enigma team
hand Bertrand had arranged for the team’s work, at Bletchley Park were beginning to exploit from
accommodation and wages to be funded by the mid-1940 onwards.
Vichy Government (Bertrand, 1972). Thus it is legitimate to enquire to what extent
Initially, the team had to struggle to obtain the Poles at PC Cadix were able to work on
intercept material to work on, though Bertrand Enigma, if at all, and if so how. In the
arranged a system by which the organs of the first place it must be mentioned that the attack
Vichy state would feed intercepted encrypted on Swiss machine ciphers was an attack on
material to him to be worked on. Insofar Enigma. ‘The Swiss machine turned out to
as this was manually-enciphered material, the be an ordinary commercial model of Enigma,
talented Polish team were able to tackle it naturally with different internal rotor connections’
without special equipment or machinery. So it (Rejewski, 2011). Tackling this machine would
appears that a substantial amount of the work have been straightforward for Rejewski and his
carried out consisted of an attack on German colleagues, who had honed their skills on the much
transposition ciphers, notably a difficult double- harder Wehrmacht version of Enigma without
Playfair method, though there were also successful the modern machinery now in use at Bletchley
attacks on Swiss machine ciphers and, in a Park. Reverse-engineering the Swiss machine,
moment causing some embarrassment to the Poles without the fearsome plugboard, would have been
themselves, on the Poles’ own cipher machine a challenging but ultimately routine task, and
Lacida (Rejewski, 2011). The targets included Rejewski gives a brief description of it in his
the Wehrmacht, operating all across Europe from account.
France to well beyond the Soviet frontier, the However, a substantial contribution to
SS and other ’police’ units, the Abwehr and the intelligence derived from Wehrmacht Enigma
Sicherheitsdienst in France and North Africa, and messages was not likely to be feasible without
the German Armistice Commission (Kozaczuk, the assistance of modern technology. Zygalski’s
1998). sheets had been rendered obsolete by the change
in key-transmission procedure adopted in May
3.1 Enigma 1940, after which the Germans ceased to encipher
The paucity of resources at PC Cadix was not the ‘indicator’ (the required orientation of the
limited to firewood and intercepted signals. In the 9 Bertrand1949 report, and dossier No.272.
flight from Poland, the Polish team had been able 10 As both the Langer account of 1946 and the Bertrand
to bring with them only one of their synthetically account of 1949 graphically describe.

97
three Enigma rotors for the transmitted message) communication between London and PC Cadix.13
twice over. From that point onwards, there were Bertrand’s cryptologist colleague Henri Braquenié
basically two methods for key-finding. The first noted with amusement that the arrival of the
was to use what the British called ‘Cillying’ and machines enabled PC Cadix to communicate
‘Herivelismus’, and the Franco-Polish team called with MI6 using Enigma technology: to rub in
the ‘Method Kx’ (after the British cryptanalyst the irony he would sign off his messages (in
Dilly Knox, who had presumably described cipher) with the words ‘Heil Hitler’ (Braquenié,
the technique to them at one of the trilateral 1975). However, the use of Enigma machines
conferences in 1939). Cillying assumes that the at PC Cadix, for any purposes, was short-lived.
German operator has chosen a predictable six- Within weeks of the approval by London of
letter word like HITLER, or another predictable the use of the new Enigma-type machinery for
sequence like QWERTZ, for the indicator; the communications, the possibility of the Zone Libre
first three letters (transmitted in clear) give a being overrun had become a live threat; the team
clue to the second three (which are enciphered). at PC Cadix knew they were being tracked by
Herivelismus is named for John Herivel, a the ‘Funkabwehr’, German counter-intelligence’s
Bletchley Park code-breaker who imagined an radio direction-finding unit; and on 7 November
operator would be lazy enough to use the last 1942, continued operations at the château became
position of the rotors (or a position very close to imprudent. The premises were evacuated and
it) showing at the end of the previous transmission code-breaking by the Poles in France came to an
- which helped when a long message was broken end.
into several parts (Herivel, 2008). These methods
could have been exploited at PC Cadix without 3.2 Results
the need for special technology - apart from the By all accounts the Polish team at PC Cadix were
much-needed replica Engima machine itself. kept extremely busy for the two years they were
The other method of tackling Enigma in the there. Much of the work involved relaying (and
period after October 1940 was machine-based. re-enciphering) messages for London from the
Developing ideas suggested by the pre-war Polish outpost of Polish Intelligence in North Africa, an
bomba, Bletchley Park cryptanalysts, including activity which seems to have taken place under
Alan Turing, had invented a new means of key- Bertrand’s nose but without his knowledge. As for
finding based on guessed-at message content and the actual code-breaking, PC Cadix was able to
running a logic-check through all 17,576 possible obtain copies of signals which were unavailable to
combinations of rotor start-positions. Their Bletchley Park, which meant that the Polish team’s
machine, the famous Bombe, was used to find reports on the activities of the SS as German forces
thousands of keys each month for the remainder moved east, following the outbreak of hostiliies
of the war. This option was denied to Bertrand with the USSR in 1941, were highly prized in
and the team at PC Cadix: indeed, it seems that London.14 Those reports do not make comfortable
Bertrand was kept largely, if not wholly, in the reading, as they itemize round-ups and ethnic
dark about the degree of success achieved by the cleansing carried out in the newly-occupied areas
British with their Bombes.11 of Belarus and the Ukraine.
However, Bertrand had not lost contact with Towards the end of the Cadix period, the
his engineering firm in Paris, and eventually the code-breakers achieved a breakthrough against the
reproductions of the Polish reconstructed Enigmas hand ciphers of the Funkabwehr. In another
began to arrive in pieces for reassembly at PC irony, the trackers from the Funkabwehr who
Cadix. By 10 September 1942, Bertrand was able were hunting down illicit radio transmissions
to contact his British liaison and report that he had in the (increasingly Nazified) Zone Libre were
reassembled three of these Enigma machines,12 themselves being tracked by their own prey.
suggesting that one of them be used for secure Gustave Bertrand built up a detailed profile of
11 TNA the Funkabwehr, its activities and personnel, its
HW 65/7 (Mar-May 1942).
12 Medrala (2005), page 183, says there were seven vehicles and locations, and above all its secret
machines of which four were reassembled models; 13 TNA HW 65/7.
unfortunately in this instance his source is not specified. 14 TNA HW 65/7.

98
signals. The Cadix team thus knew exactly when mainstream Wehrmacht units in combat roles, and
the net was closing in; and Bertrand himself was others engaged in ‘special’ activities now known
able to equip de Gaulle with a detailed profile of to be part of the program for extermination of
German direction-finding and radio-suppression Jews and other classes of society. ‘German Police’
in occupied France, once he joined the Free French signals were thus regarded as being of significant
in 1944.15 value in building up an overall picture of German
These examples show that the Polish team military and political activities and plans. In
continued to make a valuable contribution to October 1943, the British told Polish Intelligence,
intelligence based on decrypted signals throughout ‘We are very glad to receive the T.G.D. German
their time at PC Cadix. In conclusion, however, traffic taken at Felden,’ and ‘Police Traffic is
it seems unlikely that any significant results were steadily gaining in operational importance’.17
obtained at PC Cadix by the Polish code-breakers
as a result of decrypting Enigma. However, a 4.1 TGD
different story emerges when the remnants of the The specific version of German Police signals on
team reached Britain in August 1943. which the Poles were working was known by its
old call-sign ‘TGD’. TGD was described in the
4 The Felden Period GCCS History of Hut 6 as ‘the famous T.G.D.’,
The story of what happened to the Poles of with the comment ‘this key was never broken
PC Cadix after their forced departure is highly during the war and to this day is one of the classic
dramatic and in some instances tragic. Suffice mysteries of Hut 6. It never cillied so far as we
it to say that only a handful, including Marian know and no convincing re-encodement from any
Rejewski and Henryk Zygalski, eventually made other key was ever produced.’18 Reports filed
it over the Pyrenees, only to be arrested and spend by Gordon Welchman of Bletchley Park’s Bombe
several months in Spanish prisons. On 3 August team in 1942 reinforce the idea that Bletchley Park
1943 the escaped Polish code-breakers - only five had got nowhere with TGD, unlike other German
in number - were relocated to Britain, and assigned Police ciphers based on Enigma.19 However, from
to the Polish signals intelligence unit at Felden, the GCCS reports it is quite plain that TGD was
a rural hamlet situated on the outskirst of Hemel indeed an Enigma cipher, and one of particular
Hempstead, north-west of London. Felden was significance, since it was immune to ordinary
the heart of an operation, approved and directed means of attack. The careful security measures in
by MI6, which was clandestinely monitoring the place to protect TGD traffic imply that the content
signals output of the USSR, notwithstanding that of the signals was more sensitive than other SS
the USSR was notionally the ally of both Britain material.
and Poland in the struggle against Germany In terms of TGD’s structure, the recently-
(Maresch, 2005). declassified Bertrand archive includes an
On arrival at Felden, Rejewski, Zygalski and intriguing dossier (Dossier 278) prepared by
their colleague Sylwester Palluth were assigned the Poles in approximately 1940. This dossier has
to ‘Team N’, which was directed against German not been discussed in the previous literature, and
rather than Russian traffic.16 During this period, it gives the missing technical detail on the cipher.
they enjoyed particular and noteworthy success The dossier was part of a series of intelligence
against ‘German Police’ signals, and received exchanges between PC Bruno and Bletchley
commendation from Bletchley Park, relayed via Park on technical matters, and it summarises
MI6, for their work. To understand this better, the key procedure being used, and thus explains
it is necessary to know that the phrase ‘German why TGD resisted the attacks which worked
Police’ covered a wide range of uniformed for ordinary SS messages. In summary, TGD
services carrying out a wide range of activities used a rigorous key system which precluded
ordinarily associated with armed forces rather than cillies. All three letters of the indicator had to
law enforcement agencies. Nazi Germany had be different, and the message-setting was first
many such organizations, some substituting for enciphered using a substitution alphabet before
17 PISMKol 242/92, TNA HW 14/90.
15 SHD DE 2016 ZB 25/1, file 01H002. 18 TNA HW 43/71 (undated, c.1946).
16 PISM Kol 242/64 (Oct 1943). 19 TNA HW 25/27 (Mar, Jun, Dec 1942).

99
re-encipherment on the Enigma machine. (In First, how was it that Bletchley Park was unable
practice this is unlikely to have made a major to exploit TGD, given that it had been armed
difference to security, and the dossier reports that with the dossier? The answer may be a lack
the preliminary encipherment of indicators was of resources, or that Bletchley Park decided to
discontinued before the war.) More significant focus on the Enigma keys that were susceptible
was the jumbling-up of material normally located to the Bombe technique. Breaking Enigma keys
in a standardized way in a message’s preamble: on a Bombe requires a crib, i.e. guessed-at
in TGD messages message-data like the sender, plaintext, and without a history of prior decrypts
addressee, message-key and so forth could be it is a tough assignment to come up with a
positioned differently on different days, albeit viable crib. Furthermore, the structure of TGD
following a pattern. The ‘biggest surprise’, will have precluded the use of cribs. The Poles
according to the Polish authors of the dossier, at Felden were not relying on Bombes, and it
related to the content of messages. A coding- seems reasonable to infer that they dusted off their
system was used to mask the content (before the previous know-how and reapplied it in their new
entire message was enciphered on the Enigma working environment.
machine), but with a twist: only part of the text A second intriguing feature of the success
would be in code, and the rest was in plain-text. against TGD at Felden relates to Enigma
The toggle between code and plain-text would machines. Not only is it absurd to imagine that the
have made a crib-based attack to find the Enigma PC Cadix Poles managed to smuggle a counterfeit
key extremely hard. The code was in three-letter Enigma with them when they escaped, but there
groups which used no vowels and omitted Q, X is sound evidence that the Enigma duplicates
and Y; Q denoted a shift from alpha to numeric, made in France remained there, with Rejewski
X was punctuation, and Y denoted a shift from and Zygalski making a special trip to France
code to plain-text. Instead of spelling out numbers after the war’s end to retrieve them from where
in full, as in standard Enigma procedure, the they had been concealed.20 Without an Enigma
alphabet was used (A, B, C, ... standing for 1, 2, 3, machine the effort against TGD at Felden would
..., with redundancy, so that K, L, M, ..., and V, W, surely have been doomed. It would therefore
Z would also stand for 1, 2, 3, ...). Unfortunately, appear that the British, who had been supplying
the dossier does not divulge the extent to which Felden with equipment of various descriptions,
the code-book had been reconstituted by the may also have provided an Enigma (or more likely,
Poles. a modified Typex machine reconfigured to emulate
The significance of the messages is mentioned an Enigma, as used by deciphering clerks at
briefly in the dossier. The Poles had, at the time Bletchley Park). Unfortunately there is no archival
the dossier was written, been monitoring evidence to clarify how exactly the Poles did their
exchanges between the Sicherheitsdienst work.
headquarters in Berlin and various border
outposts responsible for gathering political and 5 Rejewski’s 1944 request
other intelligence from Germany’s annexed By the summer of 1944, as the Allied forces
territories and peripheral states. At the time, began their recapture of continental Europe from
before the outbreak of hostilities, this included the Wehrmacht, the importance of German Police
reports on subversive action being taken on traffic to the overall intelligence picture waned.
behalf of the Nazis. Evidently TGD traffic was at The Polish General Staff were told by MI6 that
that time more high-level political material than the British no longer required the ‘German Police
short-term operational information. The extent Intercepts’ on 8 July.21 If it is right that TGD
to which the nature of the traffic had evolved by signals were being relied on for the insights they
1943 is difficult to ascertain. provided into high-level thinking at the top of the
4.2 A veil half-raised Nazi hierarchy, the timing of the shut-down of
work on TGD is no coincidence. By this stage
The declassified dossier thus unveils part of the in the war, Bletchley Park had begun to tap into a
‘classic mystery’ of TGD. But in doing so, it
20 PISM Kol 242/69, Kol 242/93 (May 1945).
merely intrigues us with further unsolved puzzles. 21 PISM Kol 242/92.

100
far more powerful and informative source, namely already in late 1944 it would have been plainly
the teleprinter traffic enciphered on the Lorenz obvious that the Soviet influence in Poland was
Schlüsselzusatz device and broken at Bletchley pervasive and pernicious. To be involved in
Park with the help of novel electronic machinery. the assault on Russian ciphers was an extremely
The change in British priorities for Felden also unwelcome change for Rejewski, as it ratcheted up
signalled a redisposition of Rejewski, Zygalski the danger-level for him personally. Yet precisely
and Palluth, who were assigned in November the same reasoning would have led Bletchley
1944 to ‘Team R’, which was responsible for Park, assuming they were aware of his request,24
monitoring and decrypting Soviet traffic.22 Their to feel uncomfortable with Rejewski obtaining
reassignment followed an unwelcome period of knowledge of the achievements and methods in
idleness and was, for Rejewski at least, an use there, if Rejewski were going to go back to
unwanted development. Rejewski was moved Poland after the war. Regardless of all the rhetoric
to write a long note, dated 20 October 1944, about the USSR as an ally, the British were only
in which he eloquently sets out the Enigma- too well aware that the Soviets needed to be
related debt owed by the British to the Poles and watched, and what the dangers were. After all,
requests closer involvement in the British work it was the British who were sponsoring the Polish
against Enigma.23 Rejewski’s request was viewed efforts at Felden which were directed against the
sympathetically by Polish Intelligence, and passed USSR’s secret messages.
on to the British, but nothing came of it.
By this date, though, Bletchley Park had 6 Conclusion
become a thoroughly industrial operation, The Polish attacks on the plugboard version of the
churning out intelligence based on its Bombes, Enigma machine in the 1930s stand as one of the
in a volume which would have astonished most impressive achievements of mathematical
Rejewski if he had been aware of the scale of cryptanalysis of all time. The fact that, after
the operation. While there remained brilliant May 1940, the individuals who had created those
code-breakers at Bletchley whose skills were earlier successes did not become part of the
put to use right up to the end of the war, the Bletchley Park team which took over, built from,
focus of intellectual attention was no longer the and multiplied, their achievements, has been a
Enigma. The old hands who had met and learned source of dismay to many observers. It has been
to respect Rejewski and Zygalski were out of considered shameful that no place was found in
the picture: Denniston in a new role relating to Britain for Marian Rejewski and his colleagues
diplomatic ciphers, Knox dead, and Alan Turing after the fall of Poland or after the German
redeployed onto speech encipherment. Rejewski takeover of the Zone Libre in France. No doubt,
had no advocates at Bletchley, and, in truth, no until late 1942, a valuable role could have been
Enigma-related role there. Moreover, it would found for them at Bletchley Park alongside code-
have been wholly counter to the culture of secrecy breakers of other allied nations who were already
at Bletchley Park to allow a Polish code-breaker there. But the political weather had changed by
to see the nature of the new operation there. The 1943 when the Poles eventually arrived in Britain,
British brush-off must also be seen against the and in any event the Polish code-breakers were
prevailing political climate, where Poland was, in still under Polish, not British, military command.
1944, thought to be an ‘unreliable’ ally owing to The fact is that the Poles did manage to carry
tension growing between the Poles, aggrieved at on valuable cryptanalytical work in France until
the murders at Katyn, and the acquisitive USSR. the end of 1942 and in Britain from 1943 until the
Viewed in the light of the politics of 1944, end of the war. Only to a limited extent was their
Rejewski’s plea takes on a different colour. Like effort directed against Enigma, but that should
all exiles whose family were left behind, Marian not be regarded as official lack of interest in the
Rejewski was in no doubt that he intended to Poles, rather as a decision about deployment of
return home after the war. As future events would cryptanalytic talent in a changing world. What
show, this was a courageous thing to do; but
24 Rejewski’s paper, or a summary of it, was almost
22 PISM Kol A.XII.24/63, Kol 242/54. certainly provided to MI6, but it may have gone no further.
23 PISM Kol A.XII.24/63. There is no indication in the GCCS files that it was received
or acted upon at Bletchley Park.

101
the Poles actually did, both at PC Cadix and at Medrala, Jean. 2005. Les Reseaux de Renseignements
Felden, was of high quality and highly regarded, Franco-Polonais 1940-1944 L’Harmattan, Paris,
France.
and it should not be seen as a slight on them that
they were asked to carry out this work. Navarre, Henri. 1978. Le Service de Renseignements
1871-1944 Plon, Évreux, France.
Acknowledgments
Paillole, Paul. 1975. Services Spéciaux (1939-1945)
The author acknowledges the invaluable Robert Laffont, Paris, France.
assistance of Dr Janka Skrzypek in interpreting
Paillole, Paul. 1985. Notre Espion chez Hitler Robert
and translating Polish-language material and Dr Laffont, Paris, France.
Marek Grajek for useful discussions. He also
wishes to thank the staff of the SHD, and of the Polak, Wojciech. 2005. Marian Rejewski in the
sights of the Security Services, in ‘Living with the
Sikorski and Piłsudski Institutes in London for Enigma Secret’, p 75-88, Bydgoszcz City Council,
help with archival material, and to acknowledge Bydgoszcz, Poland.
the contribution of the reviewers of the draft
manuscript for their helpful comments. No Rejewski, Marian. 2011. Memories of my work
at the Cipher Bureau of the General Staff Second
external funding was provided and no conflict of Department Adam Mickiewicz University Press,
interest is believed to exist in the creation of this Poznań, Poland.
paper.

References
Bertrand, Gustave. 1972. Enigma, ou la plus grande
énigme de la guerre 1939-1945 PLON, Condé-sur-
Escaut, France.
Bloch, Gilbert. 1986. Quelques Eléments Relatifs au
PC ‘Cadix’, à sa fin et au Sort de l’Équipe Polonaise
(unpublished manuscript) SHD GR 1K 953/2.
Braquenié, Henri. 1975. Interview avec le capitaine
Henri Braquenié, in ‘Geheimoperation Wicher’,
p318-328, 1989, Karl Müller, Bonn, Germany.
Ciechanowski, Jan Stanisław, and Jacek Tebinka.
2005. Cryptographic Cooperation - Enigma, in The
Report of the Anglo-Polish Historical Committee,
vol 1, chapter 46 (Tessa Stirling, Daria Nał˛ecz
and Tadeusz Dubicki, eds) Vallentine Mitchell,
Edgware, UK.
Garliński, Józef. 1979. Intercept J.M. Dent & Sons
Ltd, London, UK.
Grajek, Marek. 2010. Enigma - Bliżej Prawdy Rebis,
Poznań, Poland.
Herivel, John. 2008. Herivelismus and the German
Military Enigma M and M Baldwin, Cleobury
Mortimer, UK.
Kozaczuk, Władysław. 1998. Enigma Greenwood
Press, Westport, CT.
Kapera, Zdzisław J. 2015. The Triumph of Zygalski’s
Sheets The Enigma Press, Kraków-Mogilany,
Poland.
Maresch, Eugenia. 2005. The Radio-intelligence
Company in Britain, in ‘Living with the Enigma
Secret’, p 185-200, Bydgoszcz City Council,
Bydgoszcz, Poland.

102
 US Navy Cryptanalytic Bombe - A Theory of Operation and Computer
Simulation

Magnus Ekhall Fredrik Hallenberg

magnus.ekhall@gmail.com fredrik.hallenberg@gmail.com

Abstract cally accurate speed. The simulator will be made

available to the public.
This paper presents a computer simulation
of the US Navy Turing bombe. The US
Navy bombe, an improved version of the
British Turing-Welchman bombe, was pre-
dominantly used to break German naval
Enigma messages during World War II. By
using simulations of a machine to break an
example message it is shown how the US
Navy Turing bombe could have been oper-
ated and how it would have looked when
running.

1 Introduction
In 1942, with the help of Bletchley Park, the US
Navy signals intelligence and cryptanalysis group
OP-20-G started working on a new Turing bombe Figure 1: An operator setting up the wheels on a
design. The result was a machine with both sim- US Navy bombe. Source: NSA
ilarities and differences compared to its British
counterpart. It is assumed that the reader is familiar with the
There is an original US Navy bombe still in Enigma machine. This knowledge is widely avail-
existence at the National Cryptologic Museum in able, for example in (Welchman, 2014).
Fort Meade, MD, USA. The bombe on display is To find an Enigma message key with the bombe
not in working order and the exact way it was op- it is necessary to have a piece of plaintext, a crib,
erated is not fully known. corresponding to a part of the encrypted message.
The US Navy bombe was based on the same A crib could be a common word or a stereotyped
principles as its British version but had a different phrase which is likely to be present in a mes-
appearance and thus a different way of operation. sage, for example Wettervorhersage which is the
The bombes were used to search through a part German word for weather forecast. The crib is
of the Enigma key space, looking for a possible used to derive a configuration of the bombe and
Enigma rotor core starting position which would an assumption of the Enigma rotor starting posi-
not contradict a given enciphered message and its tion is made. Once started the bombe will scan
plaintext (Carter, 2008). through all possible Enigma rotor core positions
A theory, based on previous research (Wilcox, and stop when a position has been found that does
2006) and knowledge of how the British bombe not lead to a logical contradiction for the given crib
works, is presented of how the US Navy bombe (Carter, 2008). If a logical contradiction occurs
was operated and it is shown with a computer sim- then the state of the bombe represents a setting of
ulation that the theory is sound. an Enigma where it would not be possible to en-
The computer simulation presents a graphical cipher the assumed plaintext to the ciphertext of
user interface and runs at approximately histori- the crib. Each stop is subject to further tests after

Proceedings of the 1st Conference on Historical Cryptology, pages 103– 108,

Uppsala, Sweden, 18-20 June, 2018
 Position: A B C D E F G H I J K L M 3 Setting Up the Bombe
Plaintext: K R K R A L L E X X F O L
Ciphertext: L A N O T C T O U A R B B Preparing the bombe to work on a message con-
sists of a number of steps. Firstly, the wheels need
Table 1: Crib and corresponding ciphertext used to be selected and set to the appropriate starting
throughout this paper positions. Secondly, the bank switches need to be
set according to the letters in the crib. Thirdly, one
or two input switches need to be activated. Finally,
which the bombe is automatically restarted. some of the printer cables are connected to the di-
If a test is passed, relevant information on the agonal board.
stop in question is automatically printed onto pa-
per (Desch, 1942). 3.1 Enigma Rotor Equivalent Wheels
The bombe has sixteen wheel banks of four wheels
2 Example Message
with each wheel bank representing the rotors of an
The bombe simulation will be tested using a Enigma machine. Eight wheel banks are on the
real message sent May 1st 1945 (CryptoMuseum, front of the bombe and eight are on the back.
2017). The crib is the thirteen first letters of the The bombe was primarily designed to break
plaintext. The wheels used for this message was messages encrypted with the M4 Enigma which
β , V, VI and VIII, with the thin C-reflector being had four rotors. However, it could also work
used. The original Enigma rotor start position was on messages encrypted with a three-rotor Enigma
{CDSZ} (this notation will henceforth be used to such as the one used by the German Army. For this
show positions of the corresponding wheels). This purpose there is a switch which selects between
means that the leftmost rotor on the Enigma, in three- or four-wheel mode. In three wheel mode,
this case the β rotor, is set to position C, the sec- the slowest wheel in each of the 16 wheel banks
ond rotor is set to D and so on. The ring setting would be stationary (Desch, 1942). By observing
of the rotors for this message was {EPEL}. Note how the wheels in a wheel bank are interconnected
that the difference between the ring setting and the it can be assumed that the bottom wheels of each
rotor start position is 24, 14, 14, 14 positions re- wheel bank would not move in this configuration.
spectively. This is called the rotor core starting To configure the bombe for the message, a
position. wheel order which is to be tested is installed. As
The row labeled ”Position” in table 1 shows mentioned in section 2 the correct wheel order
what setting the rightmost Enigma wheel would is already known in this case. The correspond-
have when encrypting a given plaintext letter into ing wheels are loaded onto all wheel banks of the
ciphertext. The assumption is that the Enigma ma- bombe. Also, the ”thin C”-type reflector cables are
chine would have been set to {ZZZZ} before the connected to all the reflector plugs on the bombe.
message was coded. This leads to the first letter In reality the wheel order was not known but
being encrypted at position {ZZZA}, the next at many different wheel orders could be tested in par-
{ZZZB} and so on. allel, one wheel order per bombe. A total of 121
The plug board connectors, Stecker in German, US Navy bombes were built (Wilcox, 2006).
used on the Enigma for this message was: Normally it is assumed that the second wheel
of the Enigma does not advance during the crib.
A B C D H J L P S V Since the second wheel of the Enigma will ad-
l l l l l l l l l l vance one step once or twice per revolution of the
E F M Q U N X R Z W first wheel there is a high probability that this is
not the case, and if so, the bombe will fail to find a
The letters of the alphabet not listed in the possible solution. There are techniques that could
plugboard connector pairs above did not have a have been used if a second wheel turnover was
wire connected on the plugboard which results in suspected, but those are not in the scope of this
them being electrically connected to themselves. paper.
There were normally ten plugboard cables used With the example message there was in fact a
in the daily Enigma key, leaving six letters self- second wheel turnover before the first letter was
connected (Copeland et al., 2017). encrypted. This knowledge will be taken into ac-

104
count in the following discussion. In practice this 11=L, 1=B according to the last letter of the crib
could not have been known, but the bombe would (see table 1).
still have found a solution since there is no further
second wheel movement during the crib; the entire 3.3 Wheel Positioning
crib has one and only one wheel position for the Apart from the four wheels in a wheel bank, one
second wheel. The difference is that the second for each Enigma rotor, there is also a reflector plug
wheel now has to be set to A instead of Z which it which has the same function as the reflector on the
otherwise would have been assumed to be. There- Enigma. Since the top wheel of the bombe is con-
fore the bombe is adjusted so that the wheels on nected to the reflector plug it can be assumed that
wheel bank 1 are set to 25, 25, 0, 0. This corre- this represent the leftmost Enigma-rotor which is
sponds to {ZZAA}. connected to the reflector of the Enigma. The bot-
The wheels of wheel bank 2 are set to tom wheel of the bombe corresponds to the right-
25, 25, 0, 1 = {ZZAB}, wheel bank 3 to most Enigma-rotor.
25, 25, 0, 2 = {ZZAC} and so on all the way
3.4 Input Switch
up to wheel bank 13 which is set to 25, 25, 0, 12
= {ZZAM}. The bombe works by injecting a test current into
The wheel order, reflector plugs and the start a position corresponding to a certain letter of
position of the bombe wheels are now set up. The the diagonal board. This current then propagates
next step is to connect the wheel banks according through the system and stops the bombe if it fails
to the letters of the message. to reach all other letters of the alphabet.
To select the letters where test currents are in-
3.2 Bank Switches jected the bombe has two 26-step rotary switches
marked PRI and SEC for primary and secondary.
There are two 26-step rotary switches for each Normally only the primary input is set. When us-
wheel bank. One for the input letter to the ing a crib where the letters of the crib and the
bank and one for the output letter. The rotary corresponding ciphertext are forming two separate
switch connects the rotor bank to the diagonal graphs the secondary input is also needed.
board which utilises the symmetrical properties of The input should be connected to a frequently
the Enigma plugboard to interconnect the bombe occurring letter in the crib. L is selected as it oc-
wheel banks. All of the 32 switches are located on curs at three places in the example message. The
the front of the bombe. These switches eliminate primary input switch is switched to 11 which cor-
the need of a plug board as found on the back of responds to L. The secondary input switch is not
the British bombe and thus makes setting up a crib needed in this case and is set to OFF.
on the bombe much faster (Turing, 1942).
The British bombe, on the other hand, could 3.5 Printer
have up to three cribs or wheel orders connected at On the back of the bombe the cables of the printer
the same time on one bombe. The British bombes are connected to the diagonal board sockets repre-
usually had 36 wheel banks of three wheels each, senting the letters in the message. The following
corresponding to 36 Enigma machines. letters are present: A, B, C, E, F, K, L, N, O, R, T,
The plaintext letters of the message are con- U, X. The printer cables for these letters should be
sidered to be the input to the corresponding rotor connected to their respective socket on the diago-
bank and the ciphertext letters to be the output. nal board with A=0, B=1 and so on.
For example, for wheel bank 1 which corre-
sponds to the first letter of the message, the input 4 US Navy Bombe Model
is K and the output L. Therefore the left switch of A theoretical model is presented of how it is as-
the two bank switches corresponding to rotor bank sumed the different parts of the US Navy bombe
1 is set to 10 for the letter K. The right switch is set interacted.
to 11 for L.
For wheel bank switch 2 the input switch is set 4.1 Diagonal Board
to 17=R and the output switch to 0=A. The central component in the US Navy bombe is
The rest of the wheel bank switches are set up the diagonal board. The diagonal board has 26 in-
in the same way with the last, number 13, set to put nodes, one for each letter of the alphabet. Each

105
input node consists of 26 conductors, one for each
letter of the alphabet. The diagonal board utilises
the fact that if a letter A on the plugboard of the
Enigma is connected to letter B, then it follows by
the symmetrical design of the plugboard that let-
ter B must be connected to A. Let conductor y of
diagonal board node x be denoted DB(x, y), then
the connections on the diagonal board can be de-
scribed: DB(x, y) is connected to DB(y, x).

Figure 3: Rotor bank n, where n = 1, ..., 16. All

Figure 2: The principle of the diagonal board, here wires in this figure are 26-way. The 26-way input
in a simplified form as if the alphabet would only switches A and B of rotor bank n controls where
have three letters. The actual diagonal board is of on the diagonal board the two rotor bank nodes
size 26 x 26. are connected. DB 00 is diagonal board position
0, corresponding to the letter A, and so on.
The use of the diagonal board greatly reduces
the number of false stops the bombe otherwise
would have had. All the rotor banks of the bombe which can be seen as a 26-input AND-gate. Fol-
can be connected to any of the letters on the diag- lowing this, a second test called the “hot point
onal board. test”, is automatically performed. This test applies
There are also two input switches which can a voltage in sequence to the 26 conductors of the
inject a test current to any node on the diagonal input letter node on the diagonal board. This test
board. will determine the possible plugboard connections
On the back of the US Navy bombe there is for the stop and if contradicting connections are
a panel which exposes the diagonal board. The found the stop is ignored (Desch, 1942).
checking logic and printer is connected to to the When a stop which passes the tests mentioned
diagonal board through cables plugged into sock- above has occurred, the ring setting for that rotor
ets on this panel. core position will be printed along with the plug-
Each input node on the diagonal board thus has board connections that could be concluded from
quite a large number of potential inputs connected the given bombe connections.
in parallel. The operating speed of the US Navy bombe was
much higher than the British Turing Welchman
4.2 Rotor Banks
bombe. The fastest wheel on the US Navy bombe
The 16 rotor banks are connected to the diagonal rotated at about 1725 revolutions per minute, al-
board via the two rotor bank switches A and B (see most twenty times the speed of the British bombe.
section 3.2) of each bank as illustrated in figure 3. A complete four wheel run on the US Navy bombe
took approximately 20 minutes (Wilcox, 2006).
5 Operation
The simulation of this example message yields
Once the message has been set up on the bombe 188 stops out of the 264 = 456, 976 possible rotor
the machine is started. It will iterate through every core positions tested. Of these, only one stop will
possible rotor core position, searching for a condi- pass the hot point test resulting in the following
tion which will satisfy the crib. information being printed:
The bombe will stop if the test current fails to
• Ring setting: 24 14 14 14
reach all 26 conductors of the input letter node on
the diagonal board. This is called a “cold point • Plugboard: B/F E/A K/K O/O T/T X/L
test” and was implemented with a Rossi circuit

106
 The exact format of the original printouts is
unclear. The information in the example above
would most likely have been represented by num-
bers only (Wilcox, 2006) as this is the norm on
the rest of the bombe. This matches the rotor core
starting position of the Enigma used to encrypt the
message (see section 2).
The setting found will be subject to further,
manual, tests using a simplified Enigma machine:
the M-9 Checking Machine. The output from this
process would be either more of the plugboard
connection pairs, or the conclusion that the stop
was in fact false.
After this there would be a brief set of trial and
error tests to find a suitable ring setting that would Figure 4: Sequence diagram showing how the cen-
decrypt the whole message. tral switchboard component of the simulator dis-
tribute information between two rotor banks and
6 Computer Simulation the diagonal board.

A computer simulation was setup based on the

that is connected, according to the list of nodes, to
model described in section 4. The main difficulty
the input. This triggers the owner of the connected
of simulating the bombe lies in the parallel na-
node to calculate the effect of this state, which
ture of the electrical circuit implemented by the
usually will propagate the voltage state to another
bombe. For each rotor position the simulator has
node in the circuit, and so on. This process is re-
to calculate what happens if an input current is in-
peated until no node has registered any change.
jected into a certain position in the circuit. This
The simulation of that rotor position is then com-
input current is propagated until it does not reach
plete. In the real bombe this process would be car-
any new nodes. At that time the stop condition is
ried out almost instantaneous. Figure 4 illustrates
checked. The US Navy bombe tested about 750
how the switchboard works.
rotor positions per second. Since the simulator
aims to run at a historically accurate speed, for ev- The simulator, which runs at approximately the
ery frame drawn on the screen several rotor posi- same speed as a real US Navy bombe, lets the user
tions will have to be simulated and tested. setup and run the machine by a graphical user in-
terface as shown in figure 5.
To implement this the simulator uses a switch-
board model, which basically is a bi-directional
7 Conclusion
list of nodes that can be connected to each other.
Each switchboard node has a state which is a list It has been shown, using an authentic M4 Enigma
of 26 booleans, one for each letter of the alphabet. message, that the simulated US Navy bombe is
This switchboard does not exist in the bombe but able to find the correct rotor core starting position
is a way to handle the parallelism described above. as well as six correct plugboard connector pairs.
Most components in the modeled bombe will The simulated bombe stopped 188 times but
add connections to the switchboard, this includes only one stop, matching the correct Enigma key,
the rotor banks, the printer, the diagonal board passed the automatic tests. This shows that the
and the bank switch selectors. Each of the com- theory presented in this paper is plausible but fur-
ponents owns one or more switchboard sockets ther research is needed to verify if this was exactly
which allows the components to react to voltage how the bombe was operated.
state changes from the switchboard and to send an Some effort has been made to make the sim-
updated state. ulation as graphically accurate as possible. The
At every iteration the simulator clears the states photographs that exist of the US navy bombes
of all the nodes in the switchboard. It is then given shows that there were several different models in
the input voltage in one of its nodes. The switch- operation. The simulator is mostly based on pho-
board propagates this change of state to the node tographs of the US Navy bombe located in the Na-

107
Figure 5: US Navy Bombe computer simulation screenshot showing the front of the bombe. By interact-
ing with the various parts of the bombe in the simulation, a crib can be set up and run. The simulator is
written in the Haxe programming language and uses the NME framework.

tional Cryptologic Museum. This bombe is sup- CryptoMuseum. 2017. Enigma M4 mes-
posedly the last one manufactured. sage. http://www.cryptomuseum.com/
crypto/enigma/msg/p1030681.htm. [On-
8 Acknowledgments line; accessed 24-October-2017].

We would like to thank the National Cryptologic Joseph R. Desch. 1942. Memo of Present Plans
for an Electro-Mechanical Analytical Machine.
Museum for providing us with useful informa- http://cryptocellar.org/USBombe/
tion on the US Navy bombe, and we thank the desch.pdf. [Published online by Frode Weierud
three anonymous reviewers for their valuable com- in 2000, accessed 16-September-2016].
ments. We would also like to thank Dr. J Ja-
Alan M. Turing. 1942. Visit to NCR.
cob Wikner, Associate Professor at the Depart- http://cryptocellar.org/USBombe/
ment of Electrical Engineering, Linköping Univer- turncr.pdf. [Published online by Frode
sity, Sweden, for hints and tips on how to shape the Weierud in 2000, accessed 16-September-2016].
manuscript. Gordon Welchman. 2014. The Hut Six Story. M & M
Baldwin, 6 edition. ISBN: 978-0-947712-34-1.

References Jennifer Wilcox. 2006. Solving the Enigma: History of

the Cryptoanalytic Bombe. Center for Cryptologic
Frank Carter. 2008. The Turing Bombe. Report No. History, NSA.
4. Bletchley Park Trust, new edition. ISBN: 978-1-
906723-03-3.
B. Jack Copeland, Jonathan P. Bowen, Mark Sprevak,
and Robin Wilson. 2017. The Turing Guide. Ox-
ford University Press. ISBN: 978-0-19-874782-6.

108
 What We Know About Cipher Device “Schlüsselgerät SG-41” so Far

Carola Dahlke
Deutsches Museum, Germany
c.dahlke@deutsches-museum.de

Abstract But despite the highly sophisticated encryption

of SG 41, in fact far above the security level of
Almost everyone knows the Enigma. But the ENIGMA, its development was neglected and
cipher device “Schlüsselgerät 41”? Never even blocked by the army (WDGAS-14).
heard of it. This German cipher machine is
much rarer than its famous predecessor. Only When it finally came to a decision to build and
around 1500 units were manufactured spread the machine, wartime shortages of
towards the end of the Second World War. aluminium and magnesium caused the machine
And information is even scarcer. Up to now, weight up to 15 kilograms – too heavy for field
the Deutsches Museum has only been able to use. Although already about 11.000 machines
collect broken devices. Recent contacts to were ordered (see Sächsisches Staatsarchiv
collectors reveal that functional Chemnitz), only few – an unknown quantity -
Schlüsselgeräte 41 still exist. They could help
were really fabricated at the Wanderer Werke
to solve the secret of the encryption
algorithm. This contribution aims to present
AG, Siegmar-Schönau (today a part of Chemnitz)
our current state of research. and used. TICOM documents speak about 1000
pieces (Mowry, 2014).
1 Menzer’s Machines at OKW/ Chi
2 About Schlüsselgerät SG-41
In 1941, the cryptologist Fritz Menzer (1908-
Menzer wanted to design a pure mechanical,
2005) from the OKW/Chi (Signal Intelligence
lightweight, durable and practical machine. So he
Agency of the Supreme Command of the
invented several interesting features to make the
Wehrmacht) designed a mechanical cipher
device robust and practical for military use, e.g.
device that for certain would have complicated
he developed an improved, reversible insert for
all decipherment efforts of Bletchley Park
the ink pad and a mechanism to quickly remove
(Mowry, 1983-1984).
the daily key settings (Kopacz, in prep).
Menzer was chief of the communications
And Menzer was a cryptoanalyst as well who
security for the Wehrmacht, and his staff had
had already developed two decipherment
criticized for a long time that the German coding
methods to break C-36. Subsequently, his
devices (including ENIGMA and LORENZ SZ-
knowledge about Hagelin devices was strong. He
42) had not been mathematically checked for
designed SG-41 with a printer and a keyboard,
security. In fact, this was only carried out from
and with a crank handle like Hagelin’s BC-38.
1942 onwards (Hüttenhain, 1970). Consequently,
Cipher text and plain text would be printed on
Menzer insisted - against the ignorance of the
two stripes of paper.
troops and their command – upon the
construction of an enhanced cipher device. First, The algorithm was based on the Hagelin C
he started to develop “Schlüsselgerät 39” – an devices with a characteristic Hagelin pin-and-
enhanced version of ENIGMA, but as we know lug-principle, but showed an enhanced
so far, only three models existed (Mowry, 2014). encryption because of two characteristics
In 1941, Menzer invented a second cipher (WDGAS-14; Kopacz, in prep):
machine called "Schlüsselgerät SG-41”.

Proceedings of the 1st Conference on Historical Cryptology, pages 109– 111,

Uppsala, Sweden, 18-20 June, 2018
1) The wheel stepping was not only interacting Material analyses showed that the keys of the
but irregular – controlled by the pin positions of keyboard are made of nitrocellulose which is a
the wheels. problematic substance because it emits nitrous
gases. As well, it decomposes when exposed to
2) Five of the six wheels formed the pseudo- light and heat – facts that have to be considered
random key for each letter encryption. The sixth when planning to store or to exhibit the object.
wheel, however, could accept or negate the
settings of the other five wheels. 2.2 Special Model Z

Although there are basic explanations of the A special model Z with ten figure traffic was
working principle of the machine (e.g. WDGAS- constructed to be used for encrypting weather
14), it was hitherto not possible to understand the reports. Originally, 2.000 – 7.000 pieces were
exact mode of operation of the machine and to be ordered at Wanderer Werke AG at Siegmar-
able to simulate it. No construction drawings Schönau/ Chemnitz (see Sächsisches
were found, and interrogation papers from Staatsarchiv Chemnitz). But TICOM documents
Menzer himself and from colleagues have not speak of very few (TICOM I-194) or about 1.000
been released so far (e.g. TICOM I-71, I-72, I-73 (TICOM I-57) pieces that were truly fabricated
& DF-174). In addition, only few devices are and used by the Luftwaffe (Air Force) from 1944
known. Mostly, they were destroyed, dumped or until the end of the war.
burnt at the end of WW2. So after all, if a device
is found nowadays, it is in most cases not in
working order anymore.
2.1 Standard Model
Menzer’s standard Schlüsselgerät 41 had a
QWERTZ keyboard and was used from 1944
until the end of the war by the Abwehr (Secret
Service) (Mowry, 1983-84). The letter J replaces
the space-key (Kopacz, in prep) and is marked in
red on the keyboard. According to Batey (2009),
Bletchley managed to decipher few messages
due to handling mistakes of the user, but they
could not reconstruct the principle of the Figure 2: SG-41Z Collection Deutsches Museum
machine until they captured it after the end of No. 2013-1092, Photo: Inga Ziegler
WW2.
In 2013, the Deutsches Museum was able to
The Deutsches Museum owns a SG-41 that purchase a SG-41Z that had been dumped in a
has lately been found in the forest grounds near lake near Berlin at the end of WW2. As it was
Munich. It seems that someone had deposited it restored before it was put up for sale, it looks as
there at the end of WW2. Of course, after new, at least from the outside. Internally it is -
approximately 70 years in the ground, it is like our other model - completely corroded.
completely corroded – so it is not possible to
gain helpful information from it regarding its 3 Sources and Outlook
encryption algorithm.
The Schlüsselgerät 41 and its inventor, Fritz
Menzer, are largely unknown up to date. Some
interesting details have already been provided by
documents from the Target Intelligence
Committee, USA and UK (TICOM).
Immediately after the end of the war, TICOM
conducted surveys and investigations with
prisoners of war and recorded these in the
TICOM documents; since 2009 released by the
Figure 1: SG-41 Collection Deutsches Museum NSA as so-called declassified documents).
No. 2017-803, Photo: Konrad Rainer

110
 But as long as the respective TICOM and most of all we thank Klaus Kopacz for his
documents are not available it will only be time and energy to explain the Schlüsselgerät 41
possible to reconstruct the encryption algorithm and to share his exciting insights with us.
by the help of a functional Schlüsselgerät.
Fortunately, the engineer and specialist for References
cipher machines Klaus Kopacz from Stuttgart, David Mowry. 1983-1984. Regierungs-Oberinspektor
Germany, was recently able to purchase and Fritz Menzer: Cryptographic Inventor
repair an original SG 41. A publication about the Extraordinaire. Cryptologic Quarterly Articles, 2
working principle and the complete technical (3-4).
details is planned by him in the near future.
David Mowry. 2014. German Cypher Machines of
As soon as the encryption details are published, World War II. NSA history program.
it will be possible to simulate the algorithm and Erich Hüttenhain. 1970. Einzeldarstellungen aus dem
to evaluate the real impact of this device for the Gebiet der Kryptologie. Bavarian State Library,
development of cipher machines after WW2. For Reading Room for Manuscripts and Rare Books.
example, the wheel-stepping mechanism, as well Munich.
as the negation function of the sixth wheel, were Klaus Kopacz. In prep. Schlüsselgerät 41.
implemented again in other pin-and-lug cipher
Mavis Batey. 2009. Dilly, The Man Who Broke
devices after WW2, although mechanically
Enigmas. ISBN 978-1-906447-01-4.
solved in a different way (see H54 from Hell,
and Version M of the CX52 from Crypto AG; Sächsisches Staatsarchiv Chemnitz, 31030 Wanderer-
Kopacz, in prep). Werke AG, Sigmar-Schönau, Signatures: 1975,
3156 and 1212.
Other sources, especially German, British and TICOM I-194: Report on German meteorological
U.S. American sources from archives, museums, cipher systems and the German met. Intelligence
and collectors, could provide more aspects and service. Released by NSA 2009. No DOCID.
information. As well, we intend to perform a CT-
TICOM I-57: Enciphering devices worked on by Dr.
scan to retrieve information about the internal Liebknecht at Wa Pruef 7. Released by NSA 2009.
parts of our machines. This is the focus for the DOCID: 3541302.
next year.
The cryptology of German Intelligence Services.
Acknowledgments Released by NSA 2009. DOCID: 2525898
TICOM I-194: Report on German meteorological
First of all we would like to thank Dr. Marisa cipher systems and the German met. Intelligence
Pamplona and Christina Elsässer from the service. Released by NSA 2009. No DOCID.
restoration research department of the Deutsches
WDGAS-14: Volume 2 – Notes on German high level
Museum for the material analysis and the helpful
cryptography and cryptoanalysis. Released by
tips for designing the showcase, and Konrad NSA 2009. DOCID: 3560816.
Rainer and Inga Ziegler for the beautiful photos.
We also thank Robert Jahn from Libellulafilm
for his research in the Chemnitz Archive. Finally

111
P OSTER AND DEMO
114
 An Automatic Cryptanalysis of Playfair Ciphers Using
Compression
Noor R. Al-Kazaz1 Sean A. Irvine William J. Teahan
School of Computer Science Real Time Genomics School of Computer Science
Bangor University Hamilton, New Zealand Bangor University
Bangor, UK sairvin@gmail.com Bangor, UK
n.al-kazaz@bangor.ac.uk w.j.teahan@bangor.ac.uk
noor82.nra@gmail.com

Abstract by exploiting statistical regularities or redun-

dancy in the source. Since compression re-
This paper introduces a new moves redundancy from a source, it is im-
compression-based approach to the mediately apparent why compression is advo-
automatic cryptanalysis of Playfair cated prior to encryption (Irvine, 1997). How-
ciphers. More specifically, it shows ever, this paper considers another application
how the Prediction by Partial Match- of compression to tackle the plaintext iden-
ing (‘PPM’) data compression model, tification problem for cryptanalysis. This is
a method that shows a high level of an approach that has resulted in relatively
performance when applied to different few publications compared to the many other
natural language processing tasks, can methods that have been proposed for break-
also be used for the automatic decryp- ing ciphers. The purpose of this paper is to
tion of very short Playfair ciphers with explore the use of a compression model for the
no probable word. Our new method automatic cryptanalysis of Playfair ciphers.
is the result of an efficient combina- The primary motivation for data compres-
tion between data compression and sion has always been making messages smaller
simulated annealing. The method has so they can be transmitted more quickly or
been tried on a variety of cryptograms stored in less space. Compression is achieved
with different lengths (starting from by removing redundancy from the message, re-
60 letters) and a substantial majority sulting in a more ‘random’ output. There are
of these ciphers are solved rapidly two main classes of text compression adap-
without any errors with 100% of tive techniques: dictionary based and sta-
ciphers of length over 120 being solved. tistical (Bell et al., 1990). Prediction by
In addition, as the spaces are omitted Partial Matching (’PPM’), first described in
from the ciphertext traditionally, we 1984 (Cleary and Witten, 1984), is an adap-
have also tried a compression-based tive statistical coding approach, which dy-
approach in order to achieve readabil- namically constructs and updates fixed order
ity by adding spaces automatically Markov-based models that help predict the
to the decrypted texts. The PPM upcoming character relying on the previous
compression model is used again to symbols or characters being processed. PPM
rank the solutions and almost all the models are one of the best computer models
decrypted examples were effectively of English and rival the predictive ability of
segmented with a low average number human experts (Teahan and Cleary, 1996).
of errors. Furthermore, we have also Our new approach to the automatic crypt-
been able to break a Playfair cipher analysis of Playfair ciphers uses PPM com-
for a 6 × 6 grid using our method. pression to tackle the plaintext recognition
problem. We rank the quality of the differ-
1 Introduction ent plaintexts using the size of the compressed
output in bits as the metric. We also use an-
Compression can be used in several ways to other PPM-based algorithm to automatically
enhance cryptography and cryptanalysis. For insert spaces into the decrypted texts in order
example, many cryptosystems can be broken to achieve readability.
1 Computer Science Department, College of Science This paper is organised as follows. Sec-
for Women, Baghdad University, Baghdad, Iraq. tion 2 covers the basics of Playfair ciphers and

Proceedings of the 1st Conference on Historical Cryptology, pages 115– 124,

Uppsala, Sweden, 18-20 June, 2018
also includes a general overview of previous There are three basic encryption rules to be
research on the cryptanalysis of Playfair ci- applied (Klima and Sigmon, 2012):
phers as well as a discussion of its weaknesses.
Our PPM based method and the simulated an- • If both letters of the bigram occupy the
nealing search we use are explained in section same row, replace them with letters to
3. Section 4 covers the experimentation and the immediate right respectively, wrap-
results obtained with the conclusions to our ping from the end of the row to the start
findings presented in the final section. if the plaintext letter is at the end of the
row.
2 Playfair Ciphers
• If both letters occupy the same column,
The Playfair cipher is a symmetric encryption
then replace them with the letters imme-
method which is based on bigram substitution.
diately below them. So ‘IS’ enciphers to
It was first invented by Charles Wheatstone
‘SZ’. Wrapping in this case occurs from
in 1854. The cipher was named after Lord
the bottom to the top if the plaintext let-
Lyon Playfair who published it and strongly
ter is at the bottom of the column.
promoted its use. It was considered as a sig-
nificant improvement on existing encryption • If both letters occupy different rows and
methods. A key is written into a 5 × 5 grid columns, replace them with the letters at
and this may involve using a keyword (as in the free end points of the rectangle de-
the example below). For English, the 25 let- fined by both letters. Thus ‘TO’ enci-
ters are arranged into the grid with one letter phers to ‘CB’. The order is important—
omitted from the alphabet. Usually, the letter the letters must correspond between the
‘I’ takes the place of letter ‘J’ in the text to be encrypted and plaintext pairs (the one on
encrypted. the row of the first letter of the plaintext
To generate the key that is used, spaces in should be selected first).
the grid are filled with the letters of the key-
word and then the remaining spaces are filled
Following these rules, the encrypted message
with the rest of the letters from the alpha-
would be:
bet in order. The key is usually written into
the top rows of the grid, from left to right, “CB LI LC KG PZ CB LI PI BP SZ PI HM VD ZB
although some other patterns can be used in- DB QW”
stead. For example, if the keyword ‘CRYPTOL-
OGY’ is used, the key grid would be as below: The Playfair cipher is one of the most well
known multiple letter enciphering systems.
C R Y P T
O L G A B However, despite the high efficiency demon-
D E F H I strated by this cipher, it suffers from a number
K M N Q S of drawbacks. The existing Playfair method is
U V W X Z
based on 25 English alphabetic letters with no
To encrypt any plaintext message, all spaces support for any numeric or special characters.
and non-alphabetic characters must be re- Several algorithms have been proposed aim-
moved from the message at the beginning, ing to enhance this method (Srivastava and
then the message is split into groups of two Gupta, 2011; Murali and Senthilkumar, 2009;
letters (i.e. bigrams). If any bigrams contain Hans et al., 2014). One particular extended
repeated letters, an ‘X’ letter is used to sepa- Playfair cipher method (Ravindra Babu et al.,
rate between them. (It is inserted between the 2011) is based on 36 characters (26 alphabeti-
first pair of repeated letters, and then bigram cal letters and 10 numeric characters). Here, a
splitting continues from that point). This pro- 6 × 6 key matrix was constructed with no need
cess is repeated (as necessary) until no bigrams to replace the letter ‘J’ with ‘I’. By using the
with repeated letters. If the plaintext has an same previous keyword ‘CRYPTOLOGY’, the
odd number of letters, an ‘X’ is inserted at the key matrix in this case would be:
end so that the last letter is in a bigram (Klima
and Sigmon, 2012). For example, the message C R Y P T O
“To be or not to be that is the question” would L G A B D E
F H I J K M
end up as: N Q S U V W
“TO BE OR NO TX TO BE TH AT IS TH EQ UE X Z 0 1 2 3
ST IO NX”. 4 5 6 7 8 9

116
Plaintexts containing any numerical values short Playfair ciphers are extremely difficult
such as, contact number, house number, date to break without some known words. In our
of birth, can be easily enciphered using this ex- paper, even Playfair ciphertexts as short as
tended method (Ravindra Babu et al., 2011). 60 letters (without a probable crib) have been
successfully decrypted using our new univer-
2.1 Cryptanalysis of Playfair Ciphers sal compression-based approach. We use simu-
lated annealing in combination with compres-
Different cryptanalysis methods have been in- sion for the automatic decryption. Moreover,
vented to break Playfair ciphers using com- we have also effectively managed to break ex-
puter methods. An evolutionary method for tended Playfair ciphers that use a 6 × 6 key
Playfair cipher cryptanalysis was presented by matrix.
Rhew (2003). The fitness function was based
on a simple version of dictionary look-up with 2.2 Playfair’s Weaknesses
the fitness calculated based on the number of
words found. However, results obtained from The Playfair cipher suffers from some major
this method were poor with run-time requiring weaknesses. An interesting weakness is that
several hours. A genetic algorithm was pro- repeated bigrams in the plaintext will create
posed by Negara (2012) where character uni- repeated bigrams in the ciphertext. Further-
gram and bigram statistics were both used as more, a ciphertext bigram and its reverse will
a basis of calculating the fitness function. The decipher to the same pattern in the plaintext.
efficiency of the algorithm is affected by differ- For example, if the ciphertext bigram “CD”
ent parameters such as the genetic operators, deciphers to “IS”, then the ciphertext “DC”
ciphertext length and fitness function. Five will decrypt to “SI”. This can help in recognis-
initial keys out of twenty were successfully rec- ing words easily, especially most likely words.
ognized in less than 1000 generations and ten Another weakness is that English bigrams that
out of twenty were fully recovered in less than are most frequently occurring can be recog-
2000 generations. Two ciphertexts were ex- nised from bigram frequency counts. This can
amined in this paper: one with 520 charac- help again in guessing probable plain words
ters and the other with 870 characters. Ham- (Smith, 1955; Cowan, 2008).
mood (2013) presented an automatic attack Breaking short Playfair ciphertexts (less
against the Playfair cipher using a memetic than 100 letters) without good depth of knowl-
algorithm. The fitness function calculation edge of previous messages or with no prob-
was based on character bigram, trigram and able words has proven to be a challenge.
four-gram statistics. A ciphertext of 1802 let- Past research has often used much longer
ters was examined in this paper and 22 letters ciphertexts—for example, Mauborgne (1914)
out of 25 were successfully recovered using this developed his methods by deciphering a Play-
method. fair ciphertext of 800 letters. Also, the Play-
fair messages that were circulating between
Simulated annealing was successful at
the Germans and the British during war had
solving lengthy ciphers as reported by
enough depth with many probable words to
Stumpel (2017). However, he found that short
make them easily readable between these two
Playfair ciphers of 100 letters or so were un-
sides, with no predictor of decrypting suc-
able to be solved. Simulated annealing was
cess for short messages on anonymous top-
also used with a tetragraph scoring function
ics (Cowan, 2008). However, the two con-
for the automatic cryptanalysis of short Play-
ditions that the message is short with lit-
fair ciphers by Cowan (2008). Cowan man-
tle depth (no probable words) apply to cryp-
aged to solve seven short ciphertexts (80-130
tograms published by the American Cryp-
letters) that were published by the American
togram Association.
Cryptogram Association.
In summary, several different cryptanalysis 3 Our Method
methods have been proposed aiming to break
Playfair ciphers with varying degrees of suc- This section describes our new method for
cess. However, most of these methods were the automated cryptanalysis of the Playfair
focused on long ciphertexts of 500 letters or cipher. The problem of quickly recognising
more, except Cowan’s method (2008). A large a valid decrypt in a ciphertext only attack
amount of information that is provided by long has been acknowledged as a difficult prob-
ciphertexts makes breaking them easier while lem (Irvine, 1997). What we require is a com-

117
puter model that is able to accurately predict context predicts each symbol with equal prob-
natural language so that we can use it as a ability.
metric for ranking the quality of each possi- Most experiments show that the PPMD
ble permutation (Al-Kazaz et al., 2016). The variant developed by Howard (1993) produces
PPM text compression algorithm provides one the best compression compared to the other
possibility since it is known that PPM com- variants. The probabilities for a particular
pression models can predict language about context using PPMD are estimated as follows:
as well as expert human subjects (Teahan and
Cleary, 1996). 2c(s) − 1 t
p(s) = and e =
2n 2n
Hence, the main idea of our approach de-
pends on using the PPM method to com- where p(s) is the probability for symbol s, c(s)
pute the compression ‘codelength’ for each pu- is the number of times symbol s followed the
tative decryption of the ciphertext with the context in the past, n is the number of times
given key. The codelength of a permutation the context has occurred, t denotes the num-
for a cryptogram in this case is the length of ber of symbol types and e is the probability as-
the compressed cryptogram, in bits, when it signed to perform an escape. For example, if a
has been compressed using the PPM language specific context has occurred three times pre-
model. The smaller the codelength, the more viously, with three symbols a, b and c follow-
closely the cryptogram resembles the model. ing it one time, then, the probability of each
Experiments have shown that this metric is one of them is equal to 61 and escape symbol
very effective at finding valid solutions auto- probability is 36 .
matically in other types of cryptanalysis (Al- As PPM is normally an adaptive method,
Kazaz et al., 2016). In this paper, we show at the beginning there is insufficient data to
how to use this approach to quickly and auto- effectively compress the texts which results
matically recognise the valid decrypt in a ci- in the different permutations producing sim-
phertext only attack specifically against Play- ilar codelength values. This can be overcome
fair ciphers. by priming the models using training texts
In the PPM compression algorithm, the that are representative of the text being com-
probability of the next symbol is conditioned pressed. In our experiments described below,
using the ‘context’ of the previously transmit- we use nineteen novels and the Brown corpus
ted symbols. These probabilities are based converted to 25 letter English by case-folding
on simple frequency counts of the symbols to upper case with I and J coinciding for the
that have already been transmitted. The pri- 5 × 5 grid and 36 alphanumeric characters for
mary decision to be made is the maximum the 6 × 6 grid to train our models. Also, un-
context length to use to make the predictions like standard PPM which uses purely adaptive
of the upcoming symbol. The ‘order’ of the models, we use static models which are not
model is the maximum context length used updated once they have been primed from the
to make the prediction. Many variants of training texts.
the original Cleary and Witten approach have Our new method is divided into two main
been devised such as PPMA, PPMB, PPMC phases. The first phase (Phase I) is based
and PPMD. These differ mainly by the maxi- on trying to automatically crack a Playfair
mum context length used, and the mechanism ciphertext using a combination of two ap-
used to cope with previously unseen or novel proaches, which is the compression method
symbols (called the zero frequency problem). for the plaintext recognition and simulated
When a novel symbol is seen in a particular annealing for the search. The second phase
context, an ‘escape’ is encoded, which results (Phase II) is based on achieving readability by
in the encoder backing off to the next shorter automatically adding spaces to the decrypted
context. Several escapes may be needed before message produced from phase I, as the spaces
a context is reached which predicts the sym- are omitted from the ciphertext traditionally.
bol. It may be necessary to escape down to A variation of an order 5 PPMD model with-
the order 0 (null) context which predicts each out update exclusions has been used in our ex-
symbol based on the number of times it has periments for both Phase I and Phase II. This
occurred previously, or for symbols not previ- variation is where symbol counts are updated
ously encountered in the transmission stream, for all contexts unlike standard PPM where
a default model is used where an order ‘-1’ only the highest order contexts are updated

118
until the symbol has been seen in the context. zero, the simulated annealing becomes identi-
In our experiments, this variation has proven cal to the hill climbing technique.
to be the most effective method that can be The main idea of using simulated annealing
applied to the problem of automatically recog- for the breaking of Playfair ciphers is to mod-
nising the valid decryption for Playfair ciphers, ify the current key in the hope of producing
but also in other experiments with transposi- a better key. This is based on an approach
tion ciphers (Al-Kazaz et al., 2016). proposed by Cowan (2008). This can be done
Simulated annealing is a probabilistic by randomly swapping two characters. How-
method for approximating the global optimi- ever, this random change is not enough to ef-
sation of a given function in a large search fectively break the Playfair cipher by itself. It
space. It is a descendant of the hill-climbing will usually result in a long search process that
technique. This latter technique is based on often gets stuck within reach of the final solu-
starting with a random key, followed by a ran- tion. So other modifications are needed such
dom change over this key such as swapping two as randomly swapping two rows, swapping two
letters, to generate a new key. If this key pro- columns, reversing the key, and reflecting the
duces a better solution than the current key, key vertically and horizontally (flipping the
it replaces the current one. Different n-graph key top to bottom and left to right). Using a
statistics were used as the scoring function to mix of these modifications can lead to the valid
judge the quality of solutions. After millions solution. For example, swapping two rows will
of distinct random changes, this technique at- help rearrange rows if they are out of order,
tempts to discover the correct key. as it is very important that rows be in the
The weakness of this approach lies in the correct order according to the encipherment
possibility of being stuck in local optima, rules (Lyons, 2012).
where the search has to be abandoned and it During the whole search process, the hope is
is necessary to restart all over again. Simu- that the best plaintext solution that appears
lated annealing (inspired by a process similar is also the correct plaintext. Alternatively, the
to metal annealing) is similar to hill-climbing whole process must be restarted all over again
with a small modification that often leads to and the value of the temperature should be
an improvement in performance. In addition reset to its original high value (Cowan, 2008).
to accepting better solutions, simulated an- An important aspect of this whole process is
nealing also accepts worse solutions in order to the metric that is used to rank the different
avoid the local optima. This approach permits plaintexts (such as our PPM method). A good
it to jump from local optima to different loca- metric needs to be able to distinguish effec-
tions in order to find new optima. The proba- tively between good and poor plaintexts.
bility of the acceptance of the specific solution Algorithms 1 and 2 present the pseudo code
is dependent on how much the score value is for the first phase of our method. In a prepro-
worse. The formula for calculating the accep- cessing step prior to the applications of these
tance probability is PA = (d1/T ) where e is the algorithms, all non-letters including spaces,
e
exponential constant 2.718, d denotes the dif- numbers and punctuation were removed from
ference between the score of the new solution the ciphertext if a grid of 5 × 5 is chosen. If
and the score of the current solution, and T is a a 6 × 6 grid-width is selected, all non alpha-
value called temperature (further details con- betic letters and numbers were removed from
cerning this parameter are described below). the ciphertext instead. According to selected
Whenever the difference is small, the probabil- grid-width, a random key is generated (line 1)
ity of accepting the new solution is high, while and the deciphering operation is initiated us-
if this solution is much worse than the current ing this key. In order to rank the quality of
one (the difference is large in magnitude), the the solutions, the PPM compression method
probability becomes small. The probability is used by calculating the codelength value for
value is also influenced by the temperature T . each possible solution (lines 3 and 4). For each
Initially, the algorithm starts with a high tem- iteration, a sequence of changes is performed
perature value, then it is reduced (‘cooled’) at over the generated key in order to find a so-
each step according to some annealing sched- lution with a smaller codelength value which
ule, until it reaches zero or some low limit. As represents the valid decryption (lines 5 to 33).
the temperature drops, the probability of ac- The greater the number of iterations, the more
ceptance also decreases and when T is set to likely a solution will be found, but longer ex-

119
ecution time will be needed. It is important ble combinations of 4 symbols to try to avoid
to note here that we have used negative scores that. Trying 3, 5, or even more combinations
based on the PPM codelengths values in or- of symbols is possible, but of course the higher
der to maximize rather than minimize scores the number, the search starts getting very ex-
for the simulated annealing process as per the pensive, so 4 provides a reasonable compro-
standard approach adopted in various solu- mise. Finally, the deciphered text is returned
tions (Cowan, 2008; Lyons, 2012). with the smaller codelength value which rep-
The temperature for the simulated anneal- resents the best solution found (line 34). This
ing based algorithm is initially set to 20 and has proved adequate for the solution of most
reduced by 0.2 in subsequent iterations. (The ciphers, but if necessary, it is still possible to
smaller this amount is, the more likely a so- iterate the attack several more times.
lution will be found but this will also result
in longer execution time). The initial tem- Algorithm 1: Pseudo code of the main
perature value is essentially dependent on the decryption phase ‘Phase I’.
cryptogram’s length. The shorter the cipher- Input : ciphertext, Playfair grid-width to be either 5 × 5
or 6 × 6
text, the lower the temperature will be needed Output: deciphered-text
generate a random key according the Playfair grid-width
and vice versa. We have found in experi- 1
selected
ments with different length ciperhetexts that 2
3
currentBestKey ← randomKey
decipher the ciphertext using the currentBestKey and
for cryptograms of a length of around 70, an calculate the codelength value using the PPM
compression method
initial temperature will need to start at around 4 currentBestScore ← − PPM-codelength score (decipher-text)
10, but for the cryptogram of 700 characters, 5
6
for Iteration ← 0 to 99 by 1 do
maxKey ← currentBestKey
a temperature at 20 or so is effective. 7 decipher and calculate the codelength value using
the PPM compression method
For each temperature, 10,000 keys are tested 8 maxScore ← − PPM-codelength score (decipher-text)
9 for Temp ← 20 downto 0 by 0.2 do
then a reduction in the temperature is per- 10 for Count ← 0 to 9999 by 1 do
modify maxKey by choose a random
formed (see lines 9 to 32 in the algorithm). A 11
number between (1, 50):
loop is executed 10,000 times (lines 10 to 31) 12 if the number is 0 then swap two
rows, chosen at random
that modifies the key in the hope of finding 13 if the number is 1 then swap two
a better key with a smaller codelength value. 14
columns, chosen at random
if the number is 2 then reverse the
A sequence of different modifications over the 15
key
if the number is 3 then reflect the
key is performed in lines 11 to 17. The en- key vertically, flip top to bottom
if the number is 4 then reflect the
crypted text is then deciphered using the mod- 16
key horizontally, flip left to right
ified key and the codelength value is calculated 17 if any other number then swap two
characters at random
using the PPM compression method (lines 19 18 newKey ← modi f ied-maxKey
decipher and calculate the codelength
and 20). Then, the difference is calculated be- 19
value using the PPM compression method
tween the new codelength value and the pre- 20 newScore ←
− PPM-codelength score (decipher-text)
vious one. If the new value (line 21) is bet- 21 calculate di f f ← newScore − maxScore
ter (that is, the codelength value is smaller), 22 if di f f >= 0 then {maxScore ← newScore;
maxKey ← newKey}
then the maximum score is set to the new score 23 else if Temp > 0 then
calculate probability ← exp(di f f /Temp)
(line 22), otherwise a probability of acceptance 24
25 generate a random number between
is calculated (line 24) if the temperature is 26
(0, 1)
if probability > randomNumber then
greater than 0 (line 23). In this case, a random 27 {maxScore ← newScore;
number between 0 and 1 is generated, and if 28
maxKey ← newKey}
if maxScore > currentBestScore then
the calculated probability is greater than this 29 currentBestScore ← maxScore;
currentBestKey ← maxKey
number, the modified key is accepted (see lines 30 Make systematic
26 to 27). If we have a new best score, then rearrangements(ciphertext,
currentBestKey, currentBestScore)
the old one is replaced (line 29) and system- 31 end
atic rearrangements are performed by calling 32 end
33 end
Algorithm 2. These include mutations (lines 34 return the deciphered text with the best key
4 to 10 in the new algorithm), row swapping
and column swapping (lines 11 to 17) and an
exhaustive search over all 4 ! possible permu- Concerning the second phase of our ap-
tations of each group of four symbols (lines 18 proach, Algorithm 3 illustrates the pseudo
to 24). Swapping single pairs of letters results code for this phase. The main idea of this
in the search getting stuck in local maxima too phase, as stated before, is to try to insert
often, so we added the swapping of all possi- spaces into the deciphered text outputted from

120
 Algorithm 2: Make systematic rearrange- method the order-5 PPMD model has been
ments trained on a corpus of nineteen novels and the
Input : ciphertext, currentBestKey, currentBestScore Brown corpus using 25 English letters (when
Output: currentBestKey, decipher-text
1 f lag ← true a 5 × 5 grid is used) and 36 alphanumeric
2 while flag do
3 f lag ← f alse
characters (when a 6 × 6 grid is used). Af-
4 perform systematic mutations over the ter this training operation and during crypt-
currentBestKey:
5 decipher and calculate the codelength value analysis, these models remain static. Regard-
6
using the PPM compression method
newscore ← ing the cryptograms test corpus, 70 different
− PPM-codelength score (decipher-text) cryptograms were chosen at random from dif-
7 if newscore > currentBestScore then
8 f lag ← true ferent resources including cryptograms pub-
9 currentBestScore ← newScore;
currentBestKey ← newKey
lished by the American Cryptogram Associ-
10 continue outer W hile loop ation, cryptograms published by geocache en-
11 perform systematic row-swaps and column-swaps
over the currentBestKey: thusiasts, and two cryptograms that were also
12 decipher and calculate the codelength value
using the PPM compression method
experimented with by Negara (2012). Cryp-
13 newscore ← togram lengths ranged from 60 to 750 letters.
− PPM-codelength score (decipher-text)
14
15
if newscore > currentBestScore then
f lag ← true
A sample trace of a decryption is
16 currentBestScore ← newScore; shown in Figure 1 for the cryptogram:
‘dohrxnwpscqusfrwchrnpctsehagvpstsfaprdtuipwol-
currentBestKey ← newKey
17 continue outer W hile loop
18 perform swapping of four characters: acgqupfwptslaqsizbedxqusfwscosfraevstngqu’.
19 decipher and calculate the codelength value
using the PPM compression method This shows the best score as it changes during
20
the execution of Algorithm 2 for the main de-
newscore ←
− PPM-codelength score (decipher-text)
21
22
if newScore > currentBestScore then
f lag ← true
cryption phase. The scores are increasing (i.e
23 currentBestScore ← newScore; the codelengths are decreasing). The solution
of this ciphertext is a proverbial wisdom that
currentBestKey ← newKey
24 continue outer W hile loop
25 end
26 return currentBestKey, decipher-text
has been attributed to Damon Runyon: “It
may be that the race is not always to the swift
nor the battle to the strong but that is the way
Phase I in order to achieve readability. PPM to bet”. This ciphertext is one of the short
is again applied to rank the solutions. The cryptograms (82 character long) that have
Viterbi algorithm is used in this phase to find been published by the American Cryptogram
the best possible segmentation. In this algo- Association, which usually publishes 100
rithm, looping over the deciphered text (that ciphertexts every two months including one
was produced as output from Algorithm 1) is or more Playfair ciphers, as a challenge to its
performed in line 2. A word segmentation al- members (Cowan, 2008). Cowan has stated
gorithm based on the Viterbi algorithm (Tea- that it is extremely difficult to break short
han, 1998) is then used to search for the best messages of 100 letters or so, especially when
performing segmentations to keep in a prior- there are no suspected probable words or cribs
ity queue, and those which showed poor code- and very little depth of knowledge of previous
length values are pruned (see lines 3 to 5). The messages. However, our method is able to
best segmented deciphered text is returned in solve the following examples in addition to
the last line (line 6). the other cryptograms that were listed by
Cowan as well as even shorter ciphertexts of
60 letters or so.
Algorithm 3: Pseudo code for Phase II
Input : the deciphered text from Phase I A second example in Figure 2 illustrates
Output: segmented deciphered text
1 maximum size of Q1 (priority queue) ← 1; the robustness of our compression approach
2 do
3 use the Viterbi algorithm to search for the best
by showing how it is able to solve a very
segmentation sequences; short cryptogram. The ciphertext is a
store the text that have the best segmentation
4
which present in Q1; 60 letter sentence (a quote by Garrison
5 while the end of the deciphered text;
6 return the best segmented deciphered text from Q1;
Keillor): Cats are intended to teach us
that not everything in nature has a pur-
pose. The best solution for this exam-
ple is ‘catsareintendedtoteachusthatnotexeryt-
4 Experimental Results
hinginxnaturehaoapurposew’ with the best code-
In this section, we discuss the experimental length value -137.68 resulting in only two er-
results of our approach. As stated, in our rors: x→v in ‘exerything’ and o→d in ‘hao’.

121
 Iteration:35 Iteration:0
Mutation -221.66 ridaybetoktxtherkdeconotalwaystothescru- Mutation -311.85 tuemuirecolstaurytrtforxreafmstoopanile-
gain: fyorthebrtxtletothestucngmitxthatoithewaytobetx gain: rcekqbsulatydopatiekedanalondtfulsmonytancheck-
Key:zkbncwagerfhmlduvxyitsqpo andeqloilerchui
Mutation -220.15 ridaybetvstxthersaeksnotalwaystotheskru- ...
gain: fyorthebatxtletothestukngmitxthatksthewaytobetx Iteration:2
Key: zcbnkwagerfhmlduvxyitsqpo -311.01 adpcdhowwhsvalarcaucedofowleyldmailiumw-
Mutation -215.91 ridaybetvstxthersaemsnotalwaystothesmru- oseheatrelarbailaonmemlilgatstorelylscalikeese-
gain: fyorthebatxtletothestumngkitxthatmsthewaytobetx ctswpgaumwokedh
Key: zcbnmwagerfhklduvxyitsqpo ...
Mutation -207.60 rmdaybetvstxthersaeisnotalwaystothesiru- Iteration:24
gain: fnorthebatxtletothestningkmtxthatisthewaytobetx -309.15 hkxepmmaskbitesratokhdtvmabasedaeferela-
Key: zcbniwagerfhklduvxymtsqpo mlamntbinetnrefetlpgwhereeceithinesevaterbcalx-
Mutation -204.66 itzaybetvstxthersaeisnotalwaystotheswiu- leismecelambcpm
gain: fnorthebatxtletothestorngbutxthatisthewaytobetx ...
Key: dcbniwagerfhklzuvxymtsqpo Iteration:30
Mutation -195.04 itmaybetvstxthersaeisnotalwaystotheswiu- Row -304.26 amsegplaysonasarealmcarblaterstcrustita-
gain: fnorthebatxtletothestomngbutxthatisthewaytobetx swap lsniymeinsahirusaezkstatsorodtbinsrmreastpensn-
Key: dcbniwagerfhklmuvxyztsqpo gain: kodyboritalpegp
Row-swap -184.98 itmaybethvtxthervaeisnotalwaystotheswif- ...
gain: tnorthebatxtletothestzongbutxthatisthewaytobetx Iteration:89
Key: dcbniwagerfhklmtsqpouvxyz Row -215.81 thecoxordinatesarenorthfortydegrexeszer-
Row-swap -162.46 itmaybethatxtheraceisnotalwaystotheswif- swap opointfivethrexetwowestseventyfivedegreestwopoi-
gain: tnorthebatxtletothestrongbutxthatisthewaytobetx gain: ntfivezerotwox
key: dcbnifhklmtsqpouvxyzwager ...
Iteration:100

Figure 1: Example cryptogram of 82 letters

from the American Cryptogram Association. Figure 3: Solutions produced during selected
iterations for a puzzle cryptogram of 96 letters.
Iteration:89
-164.32 catsareintencectoteakiusthhonotexerythi-
nginxnaturehatapurposid lpqtj zfpvf ndsvb joamd j4mva nrfeu nbhis nhcru
Mutation -161.21 catsareintencectoteakiusthaonotexerythi-
gain: nginxnaturehatapurposid chhfs otb1e kbueg qejtv kgscn kq3ez kgwix eavej
Mutation -160.36 pltsapeintencectoteadbusthahnotexerythi-
gain: nginxnatureoatapurposid nstda usbfj cvkgs cbtqz 5nmqa nc0jc xeiue nhtnb
Mutation -159.28 pltsapeintendedtoteacbusthahnotexexbthi-
gain: nginxnatureoatapurposic
rbwhg krabz 1j0mn dierf rabfq vjvkf dnrbk nkd0u
Mutation -156.08 datsareintendedtoteakiusthaonotexexfthi- cbwhn dsdlv vpvha gvucb bnyjc vtzpf brrab gtmqa
gain: nginxnaturehatapurposic
Mutation -155.29 katsareintendedtoteakiusthatnotexexythi- j4fmt ryjbu vldtq fsnts awfhl pvthc 0hpvv obvmd
gain: nginxnaturehaoapurposic
Mutation -154.12 ratsakeintendedtoteakiusthatnotexeocthi- jvra7 zhfew irgh3 8qpck r5z7r gaw1k biyjg h3w8w
gain: nginxnaturehasapukposic qfau3 v7dra bfnbe jgkke kvhfc 0dsjy raghx bjbqm
Mutation -150.31 ratsileintendedtotealausthatnotexeokthi-
gain: nginxnaturehasapudiospc bhhgc hnwyj bxgkk ekvhf dcvjo uebxr rsch1 jwmvu
2-Mutation -149.97 ratsileintendedtotealhusthatnotexevcthi-
gain: nginxnaturehasapudiosev bxlbi nmraw ckbnh g1jrn dtchl vfpur raihj 4fmoq
Mutation -143.16 ratsaceintendedtoteachusthatnotexelvthi- jbrbj zfmtr yjbur acjck vughh tchjv rauxc hrzkc
gain: nginxnaturehasapucposev
Mutation -138.52 catsareintendedtoteachusthatnotexerythi- hchff elnob mvvjh cgerf rgawu xchrz uxvfb fcqbt
gain: nginxnaturehaoapurposev
Mutation -137.68 catsareintendedtoteachusthatnotexerythi- mdfjh chgrf sujep qbrej yjrgy jchmv eseue ckgau
gain: nginxnaturehaoapurposew
ejrbr uvlej mq1jv mh0mv txhz
Figure 2: Example short 60 letter cryptogram. Part of the execution trace is shown in Fig. 4.
Iteration: 1
-1604.59 jolxlygoodandwelldoneyouhavecrackedanextendedpl-
ayfaircipherusingasixbysixgridtheadvantageofusingall30sl-
A third example is a puzzle cryptogram phanumericxcharactersisthatyoucangivethecoxordinatesasnu-
of 96 letters from the geocache world mbersandnotwordsbutbecarefultogetthefullkeycorxrecttoavo-
idawastedjourneynowofftonorthztdegrexesx3poinwytzwest3de-
(https://bcaching.wordpress.com/2008/08/08/ grees5x9xoint1x2athecacheishidxdenunderthestilepleaseens-
ureitishidxdenfromviewxwhenyouputitbackjustincaseyouhave-
puzzles-part-3/): ‘sa cb av hm ka do st th ps notgotxthekeycompletelycorxrecttheminutesarenorthtwentyn-
inedecimalfouronefivewesttwentytwodecimaloneonesevenweho-
mn qs fr hm sx bt su tw tg wg mh mc ok sd oz petherewereenoughcribsinthetexttohelpyouonyourway
ts fy tw ts vc ec gs gt wl dl sr oz tb tl ps -1594.57 jolxlygoodandwelldoneyouhavecrackedanextendedpl-
ayfaircipherusingasp5bysixgridtheadvantageofusingall50kl-
tg ex cm co dl kh wl wg mh ex av’. Figure 3 phanumericxcharactersisthatyoucangivethecoxordinatesasnu-
presents the intermediate results and the mbersandnotwordsbutbecarefultogetthefullkeycorxrecttoavo-
idawastedjourneynowofftonorthztdegrexesw3poinxytzwest5de-
final solutions produced by each iteration for greeswp3point1w2athecacheishidxdenunderthestilepleaseens-
ureitishidxdenfromviewxwhenyouputitbackjustincaseyouhave-
this cryptogram. According to this example, notgotxthekeycompletelycorxrecttheminutesarenorthtwentyn-
iteration 89 produced the best solution with inedecimalfouronefivewesttwentytwodecimaloneonesevenweho-
petherewereenoughcribsinthetexttohelpyouonyourway
the best score with a compression codelength
value of 215.81 and is the valid decrypt. Figure 4: Example solutions produced for a
Our method was also able to solve a 6 × 6 6 × 6 Playfair cryptogram.
Playfair cipher with a few minor errors. The
next sample is a cryptogram that was posted The experimental results of Phase I, when
on a puzzles forum originating from geo- the order 5 PPM method without update ex-
cache enthusiasts (http://members2.boardhost. clusions is used, showed that most of the cryp-
com/barryispuzzled/msg/1500564217.html): tograms are successfully decrypted with no er-

122
rors. Table 1 presents the results from testing average space insertion errors for the cipher-
ciphertexts for various lengths. The results texts that were experimented with in Phase II
overall showed that we are able to attain very is less than one error.
high success rates and 60 ciphertexts out of 70
were efficiently solved. Also, 100% of ciphers 10

of length greater than 120 were decrypted.

8

Cipher 60-79 80-99 100-119 120-149 150-199 200-750

Number of errors
6
Length
No. of 9 21 15 11 8 6 4
Ciphers
Success 67 81 80 100 100 100
Rate (%) 2

Table 1: Results when testing ciphertexts with

0

different lengths. 0 100 200 300 400 500

String length
600 700 800 900

Referring to the second phase of our Figure 6: Segmenting errors produced as a re-
method, as the spaces are omitted from the sult of the Phase II algorithm.
ciphertext traditionally, this phase focuses on
segmenting the decrypted messages that are Table 2 lists the high recall and precision
outputted from the first phase. The edit dis- rates and the low error rate produced by our
tance (or Levenshtein distance) metric is used segmentation algorithm. The recall rate is cal-
to qualify how the decrypted message is differ- culated by dividing the number of successfully
entiated from the original message by count- segmented words over the number of words in
ing the minimum number of the removal, in- the original testing texts, the precision rate by
sertion, or substitution operations required to dividing the number of successfully segmented
transform one message into the other (Leven- words by the number of words which are cor-
shtein, 1966). In almost all cases, the correct rectly and incorrectly segmented and the er-
readable decryptions were efficiently found as ror rate by dividing the number of unsuccess-
the illustrated in Figure 5. fully segmented words by the number of words
Ciphertext byntlbneonnuimmzqnhpbkxnqmfqoqnmugclqmeuersuqp-
in the original testing texts (Al-Kazaz et al.,
nzigqbqyipilqtku 2016).
Decrypted cats are intended to teach us that not
text exerything in nature ha o a purpose
Ciphertext kuinbrnuikcnqmhuvgtnnmybkgbromruknqmmnknqdmpvg-
niignkoneumokgpgxytqsu Recall (%) Precision (%) Errors (%)
Decrypted experience is the worst teacher it gives the 96.72 96.12 3.28
text test before presenting the lesson
Ciphertext pqghqncnndqyhfqugqqmeusxqmfqdpkgqbitqdkunurqio-
innlpgvqvpbmlwhuqoimigbzka
Table 2: Recall, precision and errors rates for
Decrypted a n egotist is a man who thinks that if he hadnt our method for word segmenting the decrypted
text been born people would have wondered why
Ciphertext qmghblxytkyfihogkunugiqoqmgnqmgincimtlqmmpnuik-
output produced from Phase I.
iwszqmgiknliqrbhafgtigtldnnqgtxz
Decrypted the grass may be greener on the other side of
text the fence but there s probably more of it to
mow The execution times required to decrypt a
Ciphertext hmfnuwfntufdbgushmtuqmckqnutfpmatuzfmbfntylxqp- number of Playfair ciphertexts by our method
thrkucnrkrmcqdamibarurntumucoffdummbrnki
Decrypted the likeliness of a thing happening is inversely are presented in Table 3. This table shows the
text proportional to its desirability fin agles
first law decryption time in seconds for Phase I of our
Ciphertext dohrxnwpscqusfrwchrnpctsehagvpstsfaprdtuipwola- method. The results indicate that our method
cgqupfwptslaqsizbedxqusfwscosfraevstngqu
Decrypted it may be that the race is not always to the produces reasonable decryption times, and in
text swift nor the battle to the strong but that is most cases the successful decrypts of longer
the way to bet
ciphertexts were obtained after only one or two
Figure 5: Example of solved ciphertexts with iterations.
spaces inserted after Phase II.
Ciphertext 60 71 86 100 124 185 235 526 730
Length (Letter)
The number of space insertion errors for Time (Sec) 457 539 507 93 36 17 135 107 101

each testing cryptogram is plotted in Figure 6.

Table 3: Decryption times for Phase I for dif-
We can see that the number of errors for most
ferent ciphertexts.
cryptograms are very low and the correct seg-
mentations are obtained in most cases. The

123
5 Conclusion Swati Hans, Rahul Johari, and Vishakha Gautam.
2014. An extended playfair cipher using rota-
An automatic cryptanalysis of Playfair ciphers tion and random swap patterns. In Computer and
using compression has been introduced in this Communication Technology (ICCCT), 2014 Inter-
national Conference on, pages 157–160. IEEE.
paper. In particular, a combination of sim-
ulated annealing and PPM compression was Paul Glor Howard. 1993. The design and analysis of
used in the automatic decryption method. efficient lossless data compression systems. Ph.D.
thesis, Brown University, Providence, Rhode Island.
The compression scheme was found to be an ef-
fective method for ranking the quality of each Sean A Irvine. 1997. Compression and cryptology.
possible permutation as the search was per- Ph.D. thesis, University of Waikato, New Zealand.
formed. In 60 of the 70 ciphertexts that were Richard E Klima and Neil P Sigmon. 2012. Cryptology:
experimented with (without using a probable classical and modern with maplets. CRC Press.
word) for different lengths (from as short as 60 Vladimir I Levenshtein. 1966. Binary codes capable
letters up to 750), almost all the correct solu- of correcting deletions, insertions, and reversals. In
tions were found. The exception was just two Soviet physics doklady, volume 10, pages 707–710.
very short ciphers which resulted in two mi- James Lyons. 2012. Cryptanalysis of the play-
nor errors in the decrypted output. Moreover, fair cipher. http://practicalcryptography.
we have also managed to decrypt an extended com/cryptanalysis/stochastic-searching/
cryptanalysis-playfair/.
Playfair cipher for a 6 × 6 key matrix.
In addition, a compression-based method Joseph Oswald Mauborgne. 1914. An advanced prob-
lem in cryptography and its solution. Fort Leaven-
was used to segment the decrypted output by worth, Kansas: Leavenworth Press.
insertion of spaces in order to improve read-
ability. Experimental results show that the Packirisamy Murali and Gandhidoss Senthilkumar.
2009. Modified version of playfair cipher using lin-
segmentation method was very effective pro- ear feedback shift register. In Information Manage-
ducing on average less than one space inser- ment and Engineering, 2009. ICIME’09. Interna-
tion error with a recall and precision of over tional Conference on, pages 488–490. IEEE.
96% for the ciphertexts that were tested. G Negara. 2012. An evolutionary approach for the
As PPM provides a different type of scor- playfair cipher cryptanalysis. In Proc. of the Int.
ing function compared to the standard n-gram Conference on Security and Management (SAM),
analysis (such as update exclusions, the es- page 1. The Steering Committee of The World
Congress in Computer Science, Computer Engineer-
caping back-off mechanism for smoothing the ing and Applied Computing (WorldComp).
models), it is not clear whether using longer
K Ravindra Babu, S Uday Kumar, A Vinay Babu,
context for n-grams might lead to better re- IVN S Aditya, and P Komuraiah. 2011. An exten-
sults. It is also not clear how PPM compares sion to traditional playfair cryptographic method.
to the standard n-grams approach and fur- International Journal of Computer Applications,
ther experimentation (for example with hex- 17(5):34–36.
agrams) needs to be done. Benjamin Rhew. 2003. Cryptanalyzing the playfair
cipher using evolutionary algorithms. Avail-
able: http://citeseerx.ist.psu.edu/viewdoc/
References download?doi=10.1.1.129.4325&rep=rep1&type=
pdf.
Noor R Al-Kazaz, Sean A Irvine, and William J Tea-
han. 2016. An automatic cryptanalysis of transpo- Laurence Dwight Smith. 1955. Cryptography: The
sition ciphers using compression. In Int. Conference science of secret writing. Courier Corporation.
on Cryptology and Network Security, pages 36–52.
Springer, Springer Int. Publishing. Shiv Shakti Srivastava and Nitin Gupta. 2011. Se-
curity aspects of the extended playfair cipher. In
Timothy C Bell, John G Cleary, and Ian H Witten. Communication Systems and Network Technologies
1990. Text compression. Prentice-Hall, Inc. (CSNT), 2011 International Conference on, pages
144–147. IEEE.
John Cleary and Ian Witten. 1984. Data compression
using adaptive coding and partial string matching. Jan Stumpel. 2017. Fast playfair programs. www.
IEEE Transactions on Communications, 32(4):396– jw-stumpel.nl/playfair.html. last accessed De-
402. cember 13, 2017.
William J Teahan and John G Cleary. 1996. The en-
Michael J Cowan. 2008. Breaking short playfair
tropy of English using PPM-based models. In Data
ciphers with the simulated annealing algorithm.
Compression Conference, 1996. DCC’96. Proceed-
Cryptologia, 32(1):71–83.
ings, pages 53–62. IEEE.
Dalal Abdulmohsin Hammood. 2013. Breaking a play- William J Teahan. 1998. Modelling English text.
fair cipher using memetic algorithm. Journal of En- Ph.D. thesis, University of Waikato, New Zealand.
gineering and Development, 17(5).

124
 ManuLab System Demonstration

Eugen Antal Pavol Zajac

Slovak University of Technology Slovak University of Technology
Bratislava, Slovakia Bratislava, Slovakia
eugen.antal@stuba.sk pavol.zajac@stuba.sk

Abstract 2.1 Project background

ManuLab is a software product for sta- While preparing the software to study the Voynich
tistical analysis of encrypted historical manuscript, we have identified a lack of support
manuscripts. The document analysis is software that helps an analyst with his work on an
performed via a chain of filters (main electronic version of a historical manuscript. We
building elements). A filter represents any have originally prepared a software enabling par-
operation realizable on a document tran- allel side-by-side display of the original Voynich
scription divided into a set of pages. The manuscript, its transcription, and possibly some
implemented filters allow to change the different substitutions of symbols and basic statis-
reading direction, select sub-pages, or a tics. Later on, we have decided to create a
subsection from the document, and cal- more general framework allowing any researcher
culate several statistics like the index of to work with different manuscripts in an efficient
coincidence, Shannon’s entropy, n-gram way, and to apply multiple transformations on the
frequency, etc. The software design also document transcription.
includes document visualization, display-
2.2 Goals and requirements
ing pairs of manuscript pages with corre-
sponding transcriptions. During the analysis of the proposed software we
have identified the following design requirements:
1 Introduction
• Operating system independence.
A lot of historical ciphers1 (both solved and un-
solved) are well studied, and can be analysed • Manuscript visualization, including visual
by well known tools (CrypTool, 2018), (dCode, data (scanned document), and its transcrip-
2018). The main problem with the existing tools tion.
is that they are not adapted to perform the analysis
on manuscripts with multiple pages and sections. • Chain of filters. Each filter can do atomic op-
In most of these tools, there are missing features erations on document transcription (see sec-
like the document visualization, the reading direc- tion 2.3).
tion management, etc. • Adjustable reading direction (both horizontal
ManuLab (Manuscript Laboratory) is an open and vertical).
source project. The goal of this project was to cre-
ate a framework (application) for document anal- The most important requirement was to enable
ysis adapted to historical manuscripts. ManuLab a side-by-side manuscript visualization. This fea-
is fully compatible to analyse manuscripts like the ture allows to display image-transcription pairs.
Voynich manuscript or the Rohoncz Codex. This can be very helpful during a document anal-
ysis, especially if it is integrated with a display of
2 ManuLab software design analytic results (via filters).
ManuLab is an open source and multi-platform To adopt the system to any manuscript or histor-
software, written in C++, Qt. ical cipher, we have analysed several documents
1 A lot of historical ciphers and manuscripts can be found
to identify their main properties and include them
at (Cipher Mysteries, 2018), (The Cipher Foundation, 2018) in the software design. We analysed the Voyn-
or (Klausis Krypto Kolumne, 2018). ich manuscript, the Rohoncz codex, the Codex

Proceedings of the 1st Conference on Historical Cryptology, pages 125– 128,

Uppsala, Sweden, 18-20 June, 2018
Seraphinainus, the Blitz cipher and other docu- 2.5 License
ments. Many manuscripts consist of several pages, The project is open source, licensed under Apache
where the reading direction of the used cryptosys- License, Version 2.0.
tem is not necessarily clear. Another possible
problem is that documents may contains hundreds 3 Software description
of symbols/glyphs.
The ManuLab software provides two main func-
2.3 Filters tions: manuscript visualisation, and analysis. In
Filter is the main building element used to perform the following subsections, we shortly introduce
any analysis/action on the loaded document. Ev- the main components, with example screenshots
ery filter is derived from a common interface and of the software.
works with a set of strings, where each string rep- 3.1 Main components
resents a page transcription. A filter can perform
The user interface (Figure 1) of the ManuLab soft-
it’s action per page or on the whole document tran-
ware consists of 5 main components:
scription (merged pages) depending on the imple-
mentation. • Menu (not visible in the figure)
The application is using two types of filters, that
• 1a - selected page (image) of the manuscript,
a) modify the transcription,
• 2 - the transcription of the selected page,
b) do not modify the transcription, and are only
used in analysis. • 3 - available filters palette,

In both cases, the filter contains a set of strings as • 4 - selected filters palette.
an input, and also produces a set of strings as an
output. In case b), the output corresponds with the
input. This feature allows to join several filters as
a chain of operations. This chain can be also saved
and loaded.
We have already implemented the following fil-
ters:
• n-gram frequency,

• n-gram distances,

• index of coincidence,

• Shannon’s entropy,

• substitution,
Figure 1: Main components of the UI, displaying
• sub-pages selection, a page of the Rilke Cryptogram (Klausis Krypto
Kolumne, 2018).
• changing the read direction,
ManuLab was designed to provide a manuscript
• pattern search.
visualisation with a good user experience. This vi-
The result of the analysis is visualised through sualisation is visible in the major part of the ap-
pop-up menu for each filter. In most cases, the plication window (parts 1a and 2). A side-by-
data can also be exported into a csv file for further side image/transcription pair is displayed on the
processing. screen. In case of multiple images, the scrollbar
(visible under part 1a) or the left arrow and right
2.4 Source code arrow keys of the keyboard can be used to switch
The source code is available online at the follow- to other page. The orientation/alignment of com-
ing GIT repository: https://bitbucket.org/ ponents 1a and 2 can be changed to display the
jugin/manulab.git. parts vertically (see Figure 2).

126
 The document transcription may contain any
valid characters. It is recommended to use a line
separator for each line and to use a custom de-
limiter between the symbols. This is very help-
ful in case of documents containing special sym-
bols, like the Rohoncz codex, where each symbol
can be transcribed into a unique number. The tran-
scription can be also displayed using any custom
font2 (In Figure 2, the upper part is the original
image and the lower part is the transcription using
a custom font).

Figure 3: Find and Replace; filter settings; dis-

playing a page of the Rilke Cryptogram (Klausis
Krypto Kolumne, 2018).

For example, in case of available transcription

of the Rilke cryptogram (see Figure 3), we can
calculate the frequency of quads (four letters sep-
arated with space) with setting the space character
as the delimiter. If a researcher decides to calcu-
late the frequency of unigrams excluding the space
character, it is enough to add two filters. One filter
to remove the space characters (the filter Substi-
tution) and the Frequency filter second time. The
frequency calculation then works with a modified
dataset. The results can be displayed separately
Figure 2: The Dorabella cipher (Klausis Krypto for each filter.
Kolumne, 2018). A selected chain of filters with specific settings
can be saved to files, thus there is no need to set
To enable a quick per-page analysis, a classical it up every time. The same manuscript analysis
Find and Replace functionality (Figure 3) can is therefore replicable. Some predefined chains of
be enabled through the Edit menu item. It is filters can also be shared between researchers.
displayed at the bottom of component 2, when An example of the pop-up menu for the Fre-
enabled. This widget is only for preliminary quency filter is visible in Figure 4. Pressing the
analysis. The searched pattern is highlighted on Edit button shows a new pop-up with the available
the page. Replaced symbols are never saved to the filter settings (visible in Figure 5).
original transcription on exit.

The document analysis (all actions) is per-

formed using filters. The filters from palette 3 are
displayed in palette 4 in the selected order. Some
filters change the document transcription directly,
so each filter can be selected multiple times. Ap-
plying the chain of filters to the whole document
(all pages) is done by the Apply button (Figure 1,
part 5). Each filter can be set up through a pop-up
Figure 4: Pop-up menu for the Frequency filter.
menu. After the setup, the Apply button should be
pressed. The pop-up menu also serves to display the
2 Installed on the operating system. analysis results. Figure 6 shows the frequency

127
Figure 5: Pop-up menu for the Frequency filter,
with available filter settings.

analysis result of the Rilke Cryptogram (Klausis

Krypto Kolumne, 2018). Figure 7 shows the re-
sults displayed as a histogram. Figure 7: Frequency analysis result - histogram of
the Rilke Cryptogram (Klausis Krypto Kolumne,
2018).

Klaus Schmeh. Klausis Krypto Kolumne http://

scienceblogs.de/klausis-krypto-kolumne
Nick Pelling. Cipher Mysteries http://
ciphermysteries.com/

Nick Pelling. The Cipher Foundation http://

cipherfoundation.org/

Figure 6: Frequency analysis result of the Rilke

Cryptogram (Klausis Krypto Kolumne, 2018).

Acknowledgments
This work was partially supported by grant VEGA
1/0159/17.

References
CrypTool Contributors. Cryptool Portal, https://
www.cryptool.org/en/

Team dCode. dCode The ultimate ’toolkit’ to solve

every games / riddles / geocaches. dCode. https:
//www.dcode.fr/

128
 Willard’s System

Niels O. Faurholt
MJ, DAA, retired
DDIS Technical-Historical Collection
faurholt@fasttvnet.dk

Abstract cryptography, before he went on to other fields of

mathematics and geometry. He is mostly known
Willard’s cryptosystem is an unusual sys- for his contribution to graph theory. In 1875
tem, designed by an otherwise unknown he, anonymously1 , wrote a remarkable series of
American around 1870. It was used for a articles in the Danish weekly journal ”Nær og
short period of time by the Danish Min- Fjern” (Near and Far) about seven international
istry of Foreign Affairs. The article de- and Danish cryptographic systems, describing the
scribes the system. Furthermore the article systems and showing how they could be broken.
mentions an interesting and lively period At least three of the systems had been in use in
of Danish crypto activities 1873 - 1918. the Danish MFA. Each article ended with some
ciphertexts in that system, and amateur cryptana-
1 Background
lysts had two weeks to solve them and report them
For a few years before 1873 the Danish Min- to the journal, before the solutions were given in
istry of Foreign Affairs (MFA) used for its enci- the next issue. The systems described were:
phered communication a crypto system invented
by a person named Willard, presumably an Amer- Carré Indéchiffrable (Vigenère type)
ican. It has not been possible to find more infor- Willard’s System
mation about Willard. According to papers in the Léopold Auvray’s System
MFA he was an acquaintance of the Danish diplo- Wheatstone’s Cryptograph
matic representative in Washington D.C., and the Clausen’s Apparatus (Danish Military)
MFA must have bought the system around 1870. Orloff’s System
In 1873 a Danish school teacher, Gravers Peder- Orloff’s Modified System.
sen, who later took the name Orloff, showed to
the MFA that messages enciphered in Willard’s Julius Petersen followed up with a pa-
system could fairly easily be broken by sim- per&pencil system of his own later in 1875. It
ple cryptanalysis. The result was that the MFA is assumed that it originally should have been in-
stopped using Willard’s system, and on 18th Octo- cluded in the series in the journal. It was a rather
ber 1873 introduced a new system, invented by Mr. complicated system, and Julius Petersen consid-
Orloff, for its enciphered communication. How- 1 The articles were written under a pseudonym: 46,9,4 –
ever, Willard’s system is a curious invention, even 57,3,5. The meaning of this is not known, but might indicate
if it had a short life in the Danish MFA. page, line and place in a book, as seen in book ciphers. How-
ever, the authorship of Julius Petersen is strongly indicated
2 Danish Crypto Activities 1873 - 1918 by three facts:
a. Immediately after the articles in ”Nær og Fjern”, where
he demonstrated the lack of secure cryptosystems, Julius
Before going into the details of Willard’s system Petersen published his own (unbreakable) Système Cryp-
I would like to mention the remarkable crypto tographique.
activity in Denmark from 1873 to about 1918. b. Alexis Køhl in an unpublished article in 1916 refers to
the articles in ”Nær og Fjern”, that ”long ago were written
The inspirator was professor Julius Petersen by the late Julius Petersen”, as his inspiration for going into
(1839-1910). He was teaching mathematics at the cryptography. Køhl publishes his first system in 1876.
Polytechnical University and later became pro- c. The plaintext used in one of the examples in the Willard
article in ”Nær og Fjern” is a quote from one of Julius Pe-
fessor of mathematics at Copenhagen University. tersen’s own mathematical textbooks (observation by Knud
He was for a few years from 1875 very active in Nissen, Aarhus Academy).

Proceedings of the 1st Conference on Historical Cryptology, pages 129– 132,

Uppsala, Sweden, 18-20 June, 2018
ered it unbreakable which in principle probably
was correct at the time. It seems likely that Julius
Petersen’s intention with the series in ”Nær og
Fjern” was the creation of a Danish ”Black Cham-
ber”. The successful problem solvers might be re-
cruited for such an organisation. However, there
was no political will to support such a project,
and nothing came out of it. In his footsteps fol-
lowed the Danish engineer, Alexis Køhl (1846-
1920) who openly admitted that Julius Petersen
was his inspirator. Køhl started with two pa-
per&pencil systems in 1876, not unlike Petersen’s
from 1875, and in 1883 Køhl presented his Au-
tomatic Cryptograph, based om Rasmus Malling-
Hansen’s Writing Ball (now in Musée des Arts
et Métiers in Paris). Køhl continued construct-
ing crypto systems, a paper&pencil system in
1888, a cryptograph in the late 1880es (now in Figure 1: Willard’s Table
Deutsches Museum im München), other cryp-
tographs around 1890 and around 1913 (both now
in the Danish Technical Museum). His last devices
are from 1917-18. Army captain (later colonel) 4 Encipherment/Decipherment
E.J.Sommerfeldt was another inventor of cryp-
tosystems, and his cryptograph was adopted by the A keyword must be ordered, here e.g. DAN-
Danish army in 1883 and used for a number of MARK. From the keyword we choose the columns
years. (sticks) to be used for the encipherment, here the
columns with the key letters D,A,N,M,R,K (re-
3 Willard’s System peated letters are skipped). The sticks are laid up,
so that they form a rectangle. (Figure 2 and 3)
The description of the system is mainly based on
professor Julius Petersen’s article from 13th June
1875. The heart of the system is a table consisting
of 28 columns with a Danish alphabet that in ad-
dition to the standard 26 characters has the letters
Æ and Ø. (Figure 1)
The table is constructed as follows: In the top
row are the letters A to Ø. In the second row is
the alphabet starting with B. The A-column is
filled in alphabetic order, but every second place
is left open. When the bottom of the A-column
is reached, the alphabet is continued upwards
in the empty spaces. The rows are then filled
alphabetically, starting with the letters in the
A-column. When Ø is reached the row continues
with A. The system ”hardware” is simply 28
cardboard sticks, each corresponding to one of the
columns in the table. The top letter on each stick
is called the key letter. The set is enclosed in a red
cardboard box (Figure 3).

Figure 2: Sticks, selected according to ordered

keyword

130
 Figure 3: Willard ”hardware” and the encipherment process

You want to encipher the word ”HIS- (15 - 20 times the length of the keyword) it can
TOCRYPT”. You find the first plaintext letter be broken. The periodicity is the weak point. An-
”H” in the first column. The corresponding cipher other weak point is that if you have to count many
letter stands x places above or below ”H”. This places up or down in the columns, it will be dif-
must be agreed beforehand. If the agreed rule is ficult and give frequent errors. So normally you
”x=go down 2”, you go two places down from could assume that 5 places up or down will be the
”H” in the first column and find the cipher letter maximum. The length of the keyword will also
”I”. The second plaintext letter ”I” is found in for practical reasons seldom exceed 6 -10 letters.
the second column. Down 2 gives cipher letter In theory all the sticks could be used, 28 in all, but
”J”. The third plaintext letter ”S” is found in the that would give a very cumbersome operation.
third column. Down 2 gives cipher letter ”T”.
And so on. If a plaintext letter is at the bottom of
a column, you go to the top of that column to find
the cipher letter.

Plaintext HISTOCRYPT thus becomes cipher-

text
IJTUN BEXQU

Decipherment is performed in exactly the same

manner, except that you go ”up 2” from the cipher
letter.

5 Security
How secure is this system? As the Danish school
teacher showed in 1873, it is not particularly
secure.If you have a cipher message long enough

131
6 Cryptanalysis Acknowledgements
Due to the construction of the Willard table, I am most grateful to professor emeritus Ole Im-
breaking the cipher depends largely upon the manuel Franksen from the Danish Technical Uni-
number of steps you go up or down in the opera- versity. Mr. Franksen brought the old periodical,
tion. Even numbers are much easier to break than ”Nær og Fjern”, to my attention and kindly al-
uneven numbers. lowed me to use his extensive research in the Dan-
ish crypto history in this article.
Even number of steps (2 or 4): As the Without the great help of my good colleague,
columns are in alphabetic order with every second Hans-Erik Hansen, this article would never have
place skipped, only a few letters can come 2 or 4 been converted to the required format.
places above or below a given cipher letter. We The Danish Defence Intelligence Service
start with 2 places up and down: E.g. cipher ”I” (DDIS) Technical-Historical Collection owns the
above will become plaintext ”J” or ”H” (there are Willard hardware, presented to the collection by a
exceptions in columns A and Ø). Cipher ”J” will former MFA employee. I am the curator (volun-
become plaintext ”K” or ”I”. It is possible quickly teer, unpaid) of the collection.
to form tables with 2 up or down, and 4 up or
down, and it will be obvious which of these is
the correct one. The plaintext can then be read in References
the table. Finding the keyword requires a longer Buonafalce, Augusto, Niels Faurholt and Bjarne Toft.
message. If the test for even number of steps does 2006. Julius Petersen - Danish Mathematician and
Cryptologist. Cryptologia, Vol. 30: 353-360.
not succeed, uneven steps are probably used.
Faurholt, Niels. 2006. Alexis Køhl: A Danish Inventor
Uneven number of steps (1, 3 or 5): Here the of Cryptosystems. Cryptologia, Vol. 30: 23-29.
construction of the table cannot help in the same Johnsen, Erik, Morten Christensen, Ole Immanuel
way. In principle any cipher letter can become any Franksen and Knud Nissen. 1994. Willard’s Sys-
plaintext letter. So we will have to use the Ka- tem. Matematiklærerforeningen DTU, Lyngby, DK
siski2 method to find the length of the keyword,
Kasiski, Friedrich W. 1863. Die Geheimschriften und
e.g. 5, and then solve the resulting monoalpha- die Dechiffrier-Kunst. E.S.Mittler und Sohn, Berlin
betic cipher texts the hard way. However, there is
a possibility to find the keyword: You have a good Kjølsen, Klaus and Viggo Sjöqvist. 1970. Den danske
Udenrigstjeneste 1770-1970, Vol. I. J.H.Schultz,
chance to locate ”E” in each of the 5 monoalpha- Copenhagen, DK
betic cipher texts. You can construct a table that
for each (cipher) letter shows in which column that Petersen, Julius. 1875. Nær og Fjern, 154:4-7. Peri-
odical, Copenhagen, DK
letter stands 1, 3 and 5 steps above or below ”E”.
If you combine the ”E”-equivalents with that ta-
ble, you may find which 5 columns (sticks) were
used in the encipherment. This gives the keyword
and an easy way to read the whole message.

2 The Kasiski method looks after repeated trigrams or

longer in the ciphertext, and determines the distances be-
tween these. These distances will in most cases be a multiple
of the length of the keyword. Once the length of the key-
word is found, the cipher message is split into that number of
monoalphabetically enciphered texts, that must be solved by
frequency analysis.

132
 The Application of Hierarchical Clustering to Homophonic Ciphers

Anna Lehofer
Department of Philosophy and History of Science
Budapest University of Technology and Economics
Budapest H-1111, Egry József u. 1. E 610, Hungary
lehofer.anna@gmail.com

Abstract Both pure homophonic ciphers and advanced

homophonic systems were part of the early modern
In this work in progress study I examined practice, even the simple monoalphabetic
whether the method of hierarchical substitution was in use in some cases. Breaking
clustering could be used efficiently on these monoalphabetic codes can even be an easy
Hungarian homophonic ciphers from the task. The frequency analysis of the code characters,
early modern age. First I have tested the recurring character lines, vowel-consonant analysis
methodology on artificial homophonic can bring us closer to find the plaintext letters of the
ciphers. The original corpora of these ciphers.
artificial codes were appropriate to ascertain The same cannot be said about homophonic
the effectiveness of the method: knowing ciphers. Speaking of advanced homophonic systems
the plaintext I could control the outcome. In of the 16th century, the few pages long character
connection with text length I have identified tables consisted of two or three homophones for
the limits of the applicability of hierarchical each plaintext letter, about 10 symbols for nulls, 10
clustering. In a second part, the investigation for bigraphs, 100-150 characters for syllables and
of eight original letters from the early even 300 characters for logograms (Láng, 2015, 37).
modern age followed. The testing of original For such codes, a properly composed and correctly
manuscripts shows whether the results based used cipher-key can result in an almost even
on the artificial ciphers are applicable to distribution in the frequency of the code characters,
original historical documents as well. making the task of the codebreakers much harder.
So the tools that can lead us to the decryption of
1 Homophonic Ciphers of the Early monoalphabetic codes give us no help for decrypting
homophonic systems.
Modern Age In the practice, using homophonic substitution
meant a higher security compared to simple
In a homophonic substitution cipher single plaintext
monoalphabetic ciphering, but it also had its
letters can be replaced with several code characters.
drawbacks. The complexity of the cipher-keys made
In simpler cases only the vowels and the most
the usage of this encrypting method slower and more
frequent letters are replaced with more code
complicated.
characters, but in an advanced, complex cipher key,
each of the plaintext letters receive several code 2 Hierarchical Clustering
characters, so-called homophones. I call these
ciphers pure homophonic ciphers. But in many "Cluster analysis groups data objects based only on
cases, early modern homophonic ciphers used information found in the data that describes the
separate tokens for syllables, logograms (characters objects and their relationships. The goal is that the
representing frequent words or names) and nulls objects within a group be similar (or related) to one
(meaningless tokens to confuse the cryptanalysis) another and different from (or unrelated to) the
beyond the homophones. I call these types of ciphers objects in other groups. The greater the similarity (or
advanced homophonic systems. homogeneity) within a group and the greater the

Proceedings of the 1st Conference on Historical Cryptology, pages 133– 136,

Uppsala, Sweden, 18-20 June, 2018
difference between groups, the better or more about the criteria for the optimal application. These
distinct the clustering (Kumar et al., 2005, 490)." artificial codes are pure homophonic codes which
Speaking of homophonic ciphers, the base set of were created by Cran R that randomly assigned the
these data objects is the multitude of the code desired number of homophones to the plaintext
characters. The aim of the clustering process is to letters.
ascertain with which right and left neighbors the In the testing process I have investigated two
particular code characters appear in the text. things. First I have gradually increased the number
To illustrate the operation of hierarchical of homophones assigned to a plaintext letter (starting
clustering to homophonic codes let’s suppose that with a monoalphabetic set of code characters) to see
we have a homophonic cipher using 100 different how long hierarchical clustering is able to detect the
code characters. The aim of the method is to homophone groups. Secondly I have gradually
investigate which code characters are likely to reduced the length of the examined part of the text to
appear together. Based on the 100 code characters of find the point where hierarchical clustering loses its
the text, we prepare two 100x100 matrices. Both the efficiency in finding the vowel and consonant
rows and columns of the matrix represent the code groups and the groups of homophones.
characters of the cipher. If we point at a number in
this matrix, it indicates the occurrence-frequency, 3.1 Full Text Codes
how often the concerning two code characters Based on the artificial codes created from the full
(indicated by the row and the column) appear text of the novel I have faced with the followings.
together. One matrix shows the occurrence The first, monoalphabetic code has immediately
frequency with the left neighbors, the other shows brought in an interesting result. The software
the occurrence frequency with the right neighbors. separated two bigger clusters on the dendrogram:
To create one attribution from the left and right one big cluster showed only vowels, the other bigger
neighborhood, we combine these two matrices and group contained only consonants. So the method can
use the new 100x200 matrix in the following step. In be used on monoalphabetic ciphers as well: it can
this matrix, each line is a 200-dimensional vector, almost perfectly separate vowels and consonants in a
representing one code character. Depending on the monoalphabetic ciphertext.
neighbors of these code characters, each vector By tripling the number of the homophones
points to different directions. Similar vectors point clustering can also find the vowel and consonant
almost to the same direction, vectors that differ from groups, furthermore it can correctly recognize the
each other point into different directions. three-element homophone groups belonging to the
From the upper vectors, on the basis of cosine particular plaintext letters.
distance function we generate a 100x100 distance I was surprised when the program could even
matrix with values from 0 to 1. In the diagonal of identify the vowel and consonant groups and the
this matrix (where the distance of the vectors from homophone groups when 20 homophones were
themselves appears, namely the distance of two assigned to a plaintext letter. It seems that in case of
equal vectors) the function gets a value of 1. The a 400-page corpus hierarchical clustering can
other values – depending on the angle locked identify the homophone groups belonging to the
together – will get values between 0 and 1. The more particular plaintext letters, even if we have far more
similar these vector pairs, the more they point to the homophones than the early modern practice shows
same direction (the closer this value is to 1). (early modern cipher keys usually have 2-3 or 5-6
To display hierarchical clustering graphically I code characters for one plaintext letter at most).
have used the open source Cran R software. It uses a Of course, in reality, codebreakers do not have
tree-like diagram called a dendrogram to visualize book-lengthy texts. Most often they have a
these relationships. It draws these dendrograms on paragraph or at most a few pages written with
the basis of the distance-matrix. encrypted characters. In the following, I have
Exactly the same method was efficiently used by examined how the method worked when I started to
the decryption process of the famous Copiale code reduce the length of the examined text.
(Kevin et al., 2011).
3.2 Unicity Point
3 Artificial Ciphers According to the writings of Elliot Fischer and
James Reeds the limits of using hierarchical
Hereupon I have created artificial homophonic codes
clustering efficiently will be discussed here with the
from a Hungarian corpus (Géza Gárdonyi, Eclipse
concepts of text redundancy and unicity point. The
of the Crescent Moon) to be able to tell a bit more
unicity point of a cipher is U=H(k)/D where H(k) is

134
the logarithm of the number of possible keys of the cluster for vowels and another one for consonants
ciphers and D is the redundancy of the language. almost perfectly, the dendrogram of the 700-
The unicity point is the message length beyond character-long text (of which unicity point value is
which decipherment using a known system becomes already much lower than the real text length) falls
a unique process. From the given formula it is clear into smaller clusters. These small clusters may still
that the lower the redundancy of a language, the support the individual codebreaking process but
greater the unicity point for a given cipher (Fischer, neither separate vowels and consonants, nor identify
1979 and Reeds, 1977). the homophone pairs of the ciphertext in a proper
I examined the original corpus in two ways. The way.
first table shows how entropy – thus redundancy –
and the unicity point changes when increasing the 4 Early Modern Letters
number of homophones gradually from 1 to 5 on the
700000-character-long corpus. Despite of the In this section, I will investigate encrypted letters1
indicated infinite limit of the 5th case, all of the from the early modern age. The cipher keys of these
related five dendrograms have identified the vowel letters were also available (in an archive or
and consonant groups correctly and clustering could reconstructed form), thus the keys offered help and
even find the 1-2-3-4-5 element homophone groups control when examining the efficiency of clustering.
of the ciphers. The first letter I have examined – C.Bay.01 – was
a 419-character-long almost fully encrypted letter
Number of
Number of
used code Hmax Hreal Redundancy Unicity point
that uses a very complex cipher key: beyond the
homophones
characters homophonic set of code characters it also indicates
1 35 5.129 4.58 0.107 1240 syllables, logograms and nulls with separate signs.
2 70 6.129 5.579 0.09 3706 The dendrogram outlined as a result of clustering
3 105 6.714 6.164 0.082 6816 proved that this letter was too short, the cipher key
4 138 7.109 6.579 0.074 10569 was too complex to give any help in the decoding
5 174 7.443 6.901 0.073 ∞ process.
After the Bay letter I looked for a letter with a less
Table 1: Increasing the number of homophones in the full complex cipher key than the first one, and examined
text
C.Wes.03.a. It was a 2359-character-long letter
The second table shows how unicity point using an all-in-all 43-element cipher key, assigning
changes when decreasing text length assuming 2 more (5-6) code characters only to the vowels.
homophones for each plaintext letters. The first The cluster map of this cipher looked more
value (around 700000 characters) shows the full promising. The software separated two bigger
length of the text, 100%. Than follows 10%, 1%, clusters: one showed only consonants, the other
0.5% and finally 0.1%. bigger cluster contained almost exclusively vowels.
The program identified homophone pairs in five
Text length (number of characters) Number of used code characters Unicity point cases. The remaining smaller groups and the
700934 70 3706 characters that were not grouped to other ones were
70093 66 3986 mostly logograms, so they were "outranked"
7009 66 4059 correctly from the homophones.
3504 65 4203 So far I have examined 6 more early modern
700 62 3515 ciphers to find out where the limits of applicability
are. All of the scrutinized letters come from the
Table 2: How unicity point changes when reducing text period 1664-1706 and have their cipher keys in an
length using 2 homophones per letter available form as well.
To describe applicability, two outcomes were
We can see that in the given artificial code,
tested: 1) whether the clustering process could
speaking of pure homophonic substitution, using
identify the vowels and consonants in different
two homophones for each plaintext letter, the
efficiency of hierarchical clustering falls down
around the text length of 3500 characters. Here the
1 Up to now I have investigated 8 early modern
unicity point is around 4200 characters, so a longer
Hungarian letters. Since this is a work in progress, this
text is needed for a safe codebreaking than the
outcome will be better grounded, after I will have
examined one. The dendrograms of these cases also transcribed and analyzed several other manuscripts in the
corroborate this statement: while the dendrogram of near future.
the 3500-character-long text can still separate a big

135
clusters, and 2) whether the clustering process could homophones (20) than the early modern practice
identify the homophone groups belonging to the showed (2-6). Investigating the unicity points of
particular plaintext letters. In cases where clustering ciphertexts it can be stated that hierarchical
can show up any of these two identifications, clustering was still efficient when text length was
hierarchical clustering can be stated effective. In under the unicity point, but near to it. In cases when
these cases hierarchical clustering can support the text length was much lower than the unicity point,
codebreaking process. the dendrograms could not give any help for the
The outcomes of the examined letters are codebreaking process.
summarized in the following table. The first column In a second part I have processed original early
shows the name of the letters following the notation modern ciphers with the upper methodology. I have
of Benedek Láng (Láng, 2015, 233). The column of stated that hierarchical clustering was efficient if it
text length shows how many code characters the could clearly identify the vowels and consonants in
concrete letters are made of; number of used code separate clusters on the dendrogram and/or if it
characters shows how many characters were could find the homophone groups belonging to the
actually used in the concrete letters. Hmax shows the particular plaintext letters. The features and
maximum value of entropy, Hreal stands for the outcomes of the eight early modern letters showed
actual values of entropy. Redundancy shows the text that when the unicity point was under or near the
redundancy of the letters, the column of unicity point text length the dendrograms could help the
indicates the required text length. Vowel-consonant codebreaking process. Hierarchical clustering could
groups shows whether the method of hierarchical not bring any results in case of letters that were
clustering could separate the vowels and the much shorter than the unicity point.
consonants in different clusters; and homophone Consequently, speaking of homophonic
groups shows if the clustering process could identify substitution ciphers we can state that the longer an
the homophone groups belonging to the particular encrypted letter, or the less symbols its cipher key
plaintext letters. uses, the more probable the cipher can be solved
with the help of hierarchical clustering. Since the
Number of Vowel-
Letters2
Text
length
used code Hmax Hreal Redundancy
Unicity
point
consonant
Homophone
groups
historical manuscripts of the early modern age do
involve such encrypted letters – we can find ciphers
characters groups

C.Bay.01 419 113 6.82 6.113 0.104 5905 no no

with thousands of code characters, or cipher keys
that have only 30-40 symbols – hierarchical
C.Bay.02 494 130 7.022 6.338 0.097 7490 no no

C.Kov.02 1537 189 7.562 6.689 0.115 ∞ no no

clustering offers significant contribution to the
C.Wess.03.a 2359 64 6 4.92 0.18 1643 vowels in 6 cases
codebreaking process of historical homophonic
C.Wess.03.b 828 61 5.931 4.939 0.167 1662 vowels in 5 cases
substitution ciphers.
C.Wes.04 1525 77 6.267 4.994 0.203 1850 vowels in 5 cases

C.Wes.05 749 26, 4.7 4.029 0.143 618 partly -

C.Wes.06 417 37 5.209 4.231 0.188 763 no no

References
Benedek Láng. 2015. Titkosírás a Kora Újkori
Table 3: Features of the examined early modern letters Magyarországon. Balassi Kiadó, Budapest.
Elliot Fischer. 1979. Language Redundancy and
5 Summary Cryptanalysis. In Cryptologia, volume 3, pages 233-
235.
In this paper I have first tested hierarchical clustering
on artificial codes by modifying two parameters: James Reeds. 1977. Entropy Calculations and Particular
increasing the number of homophones assigned to a Methods of Cryptanalysis. In Cryptologia, volume 1,
plaintext letter and decreasing the text length. It can pages 235-254.
be stated that in case of a 400-page corpus Kevin Knight, Beáta Megyesi, Christiane Schaefer. 2011.
hierarchical clustering could identify the homophone The Copiale Cipher. Presented at the ACL Workshop
groups successfully, even if we had far more on Building and Using Comparable Corpora.
Vipin Kumar, Michael Steinbach, Pang-Ning Tan. 2005.
Introduction to Data Mining. Pearson (Education Inc.),
2 These letters can be found in the Hungarian
Boston.
National Arcives, G 15 Caps. D. Fasc 81. and G 15 Caps. C.
Fasc 36. fol. 3-4. and in the ÖStA HHStA Ungarische Akten
Specialia Verschwörerakten VII. Varia (Pressburger
Kommission etc.) Fasc. 327. Konv. D. Chiffres 1664-1668,
fol 35-37, 40-41, 62, 63.

136
 Teaching and Promoting Cryptology at Faculty of Science
University of Hradec Králové

Michal Musílek Štěpán Hubálovský

Faculty of Science Faculty of Science
University of Hradec Kralove University of Hradec Kralove
Rokitanskeho 62, Hradec Kralove Rokitanskeho 62, Hradec Kralove
michal.musilek@uhk.cz stepan.hubalovsky@uhk.cz

Abstract which students learn, for example, to multiply

numerical numbers using a counter or to perform
University of Hradec Králové is one of calculations on a logarithmic ruler.
the smaller public higher education Different way to learning of cipher is used in the
institutions in the Czech Republic. At subject of Programming subject. The cipher
present, there are about 7,000 students system is used to enter interesting and motivating
studying here. Even though at any of programming tasks during Structured
their faculties it is not possible to study a Programming course. In addition to cryptology,
study program closely focused on attention is also paid to the problems associated
cryptology, we pay attention to the with wireless transmission and plain coding of
historical and modern cryptology at the information (Musílek, 2012; Musílek,
Faculty of Science in several subjects. Hubálovský, & Hubálovská, 2017).
Basic concepts, principles and methods
of modern computer cryptology form an 2 Theoretical Background
important part of the subject Computer
and Data Protection. Principles of A deeper insight into the issue of cryptology is
encrypting, decrypting and deciphering then made possible for students who are
of basic substitution and transposition interested in this topic within realization of the
ciphers and the history of cryptology bachelor as well as diploma thesis. The
have become part of the subjects of Department of Cybernetics of the Faculty of
Computer Science and Structured Science of the University of Hradec Králové,
Programming in various degrees and with with the two authors of this article, prepares
different approaches. future lower and upper secondary schools
teachers of Informatics in the Czech Republic.
1 Introduction Teacher preparation is always carried out for two
teaching subjects and significant space is devoted
Overview of the history of cryptology is included not only to these two areas, but also to basic
in the subject History of Computer Science as an pedagogical-psychological, general and subject
expanding and enlightening of the curriculum. didactics preparation. Interestingly, although our
Special attention is paid to rotate encryption students are studying many different
machines such as Enigma, the Lorenz SZ42 combinations of subjects, interest in historical
cryptographic telegraph and to machines used to ciphers has so far been shown only by students
break them as well - Turing's bomb, the first of two different combinations, namely
British computers, Colossus Mark 1 and 2 Informatics - Mathematics and Informatics -
(Boone, 2005; Singh, 2000). Part of the exercises History.
in the subject History of Computer Science is
devoted to the encryption, decryption and The individual bachelor theses of the students
deciphering of some basic types of hand ciphers, of the program Mathematics and Informatics
because this course also has practical lessons in with a focus on education had following topics:

Proceedings of the 1st Conference on Historical Cryptology, pages 137– 143,

Uppsala, Sweden, 18-20 June, 2018
“Deciphering of substitution ciphers with The algorithm for automatic deciphering of
computer support” (Procházka, 2012), short simple substitution cipher text is similar to
“Deciphering of ciphers with computer support” algorithm for deciphering of long ciphered text.
(Hanzalová, 2014; Hájková, 2015). The diploma
theses in the follow-up master's program The algorithm for deciphering of long
Teaching of Mathematics and Informatics for ciphered text is based on method of evaluation of
Secondary Schools was oriented more frequency of pairs of consecutive letters and
didactically with following topics: “Ciphers as compares it with the frequency of bigrams of
motivation in the teaching of algorithms and reference text using the evaluation function:
programming” (Bukáček, 2013); “Board games, 26 26
puzzles, anagrams and ciphers as motivation in f   Dij  Eij (1)
the teaching of algorithms and programming” i 1 j 1
(Procházka, 2014); “Fundamentals of cryptology
as a teaching topic in subject "Informatics" at where Eij is matrix of bigrams of reference text
lower secondary school” (Hájková, 2017). The and Dij is matrix of bigrams of ciphered text.
topics of bachelor's thesis in the study program
Informatics and History were “Computer Similarly, the algorithm for deciphering of
Analysis of Encrypted Correspondence of House short ciphered text is based on automatic analysis
of Piccolomini” (Vlnas, 2017) and “History of of evaluation function f of trigrams:
ciphering of transposition ciphers with computer
support” (Musílek, 2017).
26 26 26
f    Dijk  Eijk (2)
i 1 j 1 k 1
Thesis focused on specific historical clues
used by Marshal Ottavio Piccolomini during the
where Eijk is matrix of trigrams of reference text
Thirty Years War links the work of the historian
and Dijk is matrix of trigrams of ciphered text.
- investigator in the archive - with the approach
of informatics. The routine decryption algorithms The algorithm consists o three relatively
were realized in macros in Visual Basic for independent sub-procedures (Hanzalová, Hubá-
Applications in a MS Excel spreadsheet. This lovský, & Musílek, 2012).
thesis was evaluated by the Dean of the Faculty
of Science of the University of Hradec Králové The first sub-procedure Frequency creates
for the best bachelor thesis in the study program three-dimensional reference matrix E that
Informatics. corresponds to the frequencies of letters in the
reference text.
3 Samples of advancement of students
The second sub-procedure Trigrams creates
In the following text, we will discuss in detail three-dimensional matrix D of relative
two bachelor's theses: work for the automatic frequencies of the trigrams of the cipher text.
analysis of text encoded by monoalphabetic The part of the matrix D is shown on the Figure
substitution based on the trigram frequency 2. In next step (Hanzalová, Hubálovský, & Musí-
analysis (Hanzalová, 2014) and work analyzing lek, 2012) the procedure evaluates the
real historical ciphers of the early 17th century compliance with the reference text by using an
(Vlnas, 2017). evaluation function:
3.1 Using spreadsheet in cryptanalysis of 26 26 26
short cipher text f    Dijk  Eijk (2)
i 1 j 1 k 1
The authors of the paper suggest new method
and algorithm for deciphering and automation The third sub-procedure Exchange provides
analysis of the ciphered monoalphabetic text. exchange of two x-vectors, two y-vectors and
The method generalized frequency analysis of two z-vectors of three dimensional matrix D and
the bigram saved in a two-dimensional array to creates new matrix D‘. The vectors are
frequency analysis of the trigrams saved in a exchanged in the order of the frequencies of the
three-dimensional array with 26 x 26 x 26 = letters in the cipher text from the most frequent
14576 elements. to the least frequent based on following rules -
see Hanzalová, Hubálovský, & Musílek (2012):

138
 • the x-vector corresponding to the order of 3.2 Computer Analysis of Encrypted
the first exchanged character is replaced Correspondence of House of
by the x-vector corresponding to the Piccolomini
second exchanged character; Bachelor thesis titled Computer Analysis of
• then y-vector corresponding to the order of Encrypted Correspondence of House of
the first exchanged character is replaced Piccolomini interconnects the two author’s study
by the y-vector corresponding to the areas (Vlnas, 2017). The author is a student of
second exchanged character; Informatics and History in education. Archives,
• then z-vector corresponding to the order of especially archives of aristocratic families whose
the first exchanged character is replaced members held important state, military or
by the y-vector corresponding to the diplomatic positions, contain, in addition to open
second exchanged character; documents, very often-encrypted documents.
After each substitution a new matrix D‘ is The analysis of archive ciphertexts is a
obtained, and the evaluation of the compliance of complex task. Standardly, the task is necessary to
the relative frequency of the trigrams in the do in large part by hand, such as recognizing
cipher text and the reference text is obtained different forms of written fonts (different types
using the evaluation function: of ancient shape handwritings or special cipher
26 26 26
characters), counting frequencies of individual
f '    D'ijk  Eijk (3) characters, etc. Some monotonous tasks can be
i 1 j 1 k 1 performed a computer. The author of the
bachelor thesis had appropriately used custom-
After each substitution the values f and f‘ are made macros in Visual Basic for Applications to
compared and if f‘ < f, the procedure decrypt encrypted texts transcribed into Excel
immediately stops the process of the letter spreadsheets. After identifying a given cipher
substitution and the exchange in the conversion system and determining the transmission table, it
table is proposed, which will improve the is a purely mechanical matter. Macro combined
compliance (lowering the value of evaluation both basic principles used to make mono-
function f). Finally, the sub-procedure will alphabetic substitution, i.e. simple swapping and
creates a new matrix D of relative frequencies of supposed words, and was created in such a way
the trigrams of the cipher text, and it will provide that allow the gradual uncovering of the
a new assessment of compliance with the spreadsheets that effectively supports cipher
reference text using the evaluation function (3). shredders in the phase of stepwise reconstruction
of the encryption table.
The sub-procedure Frequency is run only once
at the beginning of the program to set the The first phase of the work was to obtain
appropriate initial conditions. The sub- appropriate cipher texts. The State Regional
procedures Trigrams and Exchange are run Archive of Zámrsk offers to researchers a family
alternately. archive of the genus Piccolomini on microfilms.
It has advantages and disadvantages. The
Above mentioned sub-procedures were advantage is the possibility of fast document
realized in Visual Basic for Application in MS browsing, where the scrolling of the microfilm in
Excel Spreadsheet. Deciphering based on the reader can be significantly faster than
trigrams’ analysis has been studied in cipher text working with original archives. The disadvantage
with the length in the range from 200 to 500 is the lower contrast and the overall loss of
characters. It was proved that algorithm for quality and the worse possibility of photographic
deciphering of short simple substitution cipher documentation. The student focused on
text based on automatic analysis of the trigrams documents related to the person of Ottavio
enables decryption almost without manually Piccolomini and his activities during the Thirty
performed exchanges Years' War. He found two microfilms with a
number of cryptic texts, partially decrypted,
apparently immediately after receiving the
addressee, but partly un-decrypted. The student
took photographs of the corresponding microfilm
images. He thought he had captured only a small

139
 Figure 1: A homophone substitution cipher - pair of digits represents a letter or null character

part of Ottavio Piccolomini's cipher was certainly easier to read digits then to read
correspondence. The archive contains large handwritten characters in shapes which had been
number of the ciphertext than cannot be found written in individual manuscripts of many
within one business day. different scribes. This text was copied in the cell
of Excel spreadsheet. Also deciphering table was
Firstly, the document number 25039 was placed in the same sheet. The deciphering table
analyzed, see Figure 1. Part of this letter was was step by step filled in and simultaneously was
written in plain text and part was written in used for decrypting of prepared ciphertext. It was
numerical code. Some letters of the alphabet found that the open text in French was encrypted
have been written above the two-digit codes. It by simply replacing the alphabet letters with
allows reconstructed the decryption conversion two-digit numbers, but with the use of vowel
table - see Table 1. The entire cipher text, homophones and special codes for some selected
composed only of digits, was read quite well. It short words, supplemented by several null

140
characters. It is a simple nomenclator. Partially teees état misérable comme elle samuue du
decrypted text was a significant help, however, passé au camp skoprocle Bérenburg. En
the use of macros in Visual Basic for Application quoi consiste néanmoins la conservation ou
significantly simplified the complete decryption perte du reste de l'empire gedlusrc?“
of the encrypted part of the letter.
The similar system, based on a square table, with
1 2 3 4 5 6 7 8 9 otherwise delimited letters, was used in several
1 a b u C d que f other cipher letters. From the cryptanalysis point
2 e g et L a e l of view, the letter with non-encrypted cipher
3 i m sko n p q sections consisting of letters and numbers was
more interesting. This letter was included in
4 o r tre s t m o document number 24873, see Figure 2. The
5 u y s cipher was taken by standard methods, i.e. by
6 a a g e i l frequency analysis and predicted words. The
7 n o r s rc t plain cipher text was in Italian. Even this cipher
contained the null characters represented by all
8 u * * e *
even digits (2, 4, 6, 8). The cipher does not
9 e n r contain any homophones. If these null characters
were omitted, the very simple monoalphabetic
Table 1: Encryption table of the document 25039
substitution cipher was reached - the consonants
(* = null characters)
did not replace and the vowels, were
„C'est une misère que si nous puissions nous successively replaced by the numbers 1, 3, 5, 7,
entretenir un mois dans ce camp Xabucd que 9. As soon as the eyes of the solver became used
to the Italian handwriting of the first half of the
fais-je là et lim skonpqor très
17th century, reading the text was relatively
tmouysaageilnorsrctu et en joignant presque simple. Fig. 3.
le leur, ladite armée, ennemie seroit réduite
à la ruine, il nous faudra, à faute d'une b c d f g h j k l m n p q
trentaine de mil patacons pour faire la b c d f g h j k l m n p q
provision nécessaire de la prouiange
laquelle nous manque, que prendre autre r s t v 1 2 3 4 5 6 7 8 9
résolution à nous? sloigcer de quelques r s t v a * e * i * o * u
ligues d'ici où nous puissions muuerles dit su Table 2: Encryption table of the document 24873
iures et fourrage à fin de ne voir ce que dit (* = null characters)
une plais est réduit et cette belle armée en

Figure 2: An example of a cipher text (cut-off from document 24873) that was not decrypted by the recipient

141
 Figure 3: Sample of decryption of the text from the Figure 2 (cut-off from document 24873)

4 Conclusion Bukáček, D. 2013. Ciphers as motivation in the

teaching of algorithms and programming.
It is pleasing that some of the students of the Diploma Thesis at Faculty of Science University
Faculty of Science of the University of Hradec of Hradec Králové. Supervisor Š. Hubálovský.
Králové, supervised by the authors of this 118 p.
paper, contributed to solution of tasks of Hájková, S. 2015. Deciphering of transposition
historical cryptology. The important is the fact ciphers with computer support. Bachelor Thesis
that not only students mentioned above, but at Faculty of Science University of Hradec
also many other graduates of study program Králové. Supervisor M. Musílek. 41 p.
the teaching of informatics or also teaching Hájková, S. 2017. Fundaments of cryptology as
mathematics or history will to motivate the teaching topic in subject “Informatics” at lower
secondary school students by examples of secondary school. Diploma Thesis at Faculty of
cipher systems, or by historical events that Science University of Hradec Králové.
were affected by revealing of secret Supervisor M. Musílek. 74 p.
correspondence or by breaking of cipher Hanzalová, P., Hubálovský, Š., & Musílek, M.
systems. 2012. Automatic cryptanalysis of the short
monoalphabetic substituted cipher text. In
Acknowledgments Proceedings of the 5th WSEAS International
Conference on Visualization, Imaging and
The research was supported by Specific Simulation. Sliema, Malta: Wseas Press. p. 199-
research project at Faculty of Science, 204. ISBN: 978-1-61804-119-7.
University of Hradec Kralove, 2018.
Hanzalová, P. 2014. Using of spreadsheet in
cryptanalysis of short cipher text. Bachelor
References Thesis at Faculty of Science University
Boone, J. V. 2005. Brief History of Cryptology. of Hradec Králové. Supervisor Š. Hubálovský.
Annapolis: Naval Institute Press. 192 p. ISBN 1- 48 p.
59114-084-6. Hubálovský, Š., & Musílek, M. 2010. Automatic
cryptanalysis of the monoalphabetic substitution

142
 as a method of the system approach in the Bachelor Thesis at Faculty of Science University
algorithm development thinking. International of Hradec Králové. Supervisor Š. Hubálovský.
journal of applied mathematics and informatics. 58 p.
4 (4), 92-102. ISSN 2074-1278.
Procházka, L. 2014. Board games, puzzles,
Hubálovský, S., & Musílek, M. 2014. Algorithm anagrams and ciphers as motivation in the
for Automatic Deciphering of Mono-Alphabetic teaching of algorithms and programming.
Substituted Cipher Realized in MS Excel Diploma Thesis at Faculty of Science University
Spreadsheet. Applied Mechanics and Materials. of Hradec Králové. Supervisor M. Musílek. 75 p.
p. 624-627
Procházka, L. 2012. Deciphering of substitution
Musílek, M., Hubálovský, Š., & Hubálovská, M. ciphers with computer support. Bachelor Thesis
2017. Mathematical Modeling and Computer at Faculty of Science University of Hradec
Simulation of Codes with Variable Bit-Length. Králové. Supervisor M. Musílek. 37 p.
International Journal of Applied Mathematics
Singh, S. 2000. The code book: the science of
and Statistics. 56 (1), 1-12. ISSN 0973-7545.
secrecy from Ancient Egypt to quantum
Musílek, M. 2012. Morse telegraph alphabet and cryptography. New York: Anchor Books. 411 p.
cryptology as a method of system approach in ISBN 0-385-49532-3.
computer science education. In Proceedings of
Vlnas, V. 2017. Computer Analysis of Encrypted
9th International Scientific Conference on
Correspondence of House of Piccolomini.
Distance Learning in Applied Informatics
Bachelor Thesis at Faculty of Science,
(DIVAI). Štúrovo, Slovakia: Wolters Kluwer. p.
University of Hradec Králové. Supervisor M.
223-231. ISBN 978‐80‐558‐0092‐9.
Musílek. 58 p.
Musílek, P. 2017. History of ciphering of
transposition ciphers with computer support.

143
 Examining The Dorabella Cipher with Three Lesser-Known
Cryptanalysis Methods

Klaus Schmeh
Freelanced Journalist
klaus@schmeh.org

Abstract In spite of all this progress, breaking a MASC

Most mono-alphabetic substitution ci- encryption still may be difficult, especially if some
phers (MASCs) can be solved with well- of the following pre-conditions are given:
known techniques, like frequency analy- • The ciphertext is especially short.
sis, or hill climbing. However, there are
exceptions. It therefore makes sense to • The cleartext language is not known.
look around for additional MASC solv-
ing techniques—like the ones described in • The word boundaries are not indicated.
the book Cryptanalysis by Helen Fouché • The cleartext contains unusual expressions or
Gaines. These techniques—vowel detec- abbreviations.
tion, digram analysis, and consonant lin-
ing—have been almost forgotten since the • The cryptogram is hard to read because of
advent of computer technology. In this pa- bad penmanship or bad reproduction.
per, two of these methods (the third one
is not suitable) will be applied on a fa- I am aware of over 20 cryptograms that have
mous unsolved cryptogram, the Dorabella the appearance of a MASC (of course, one does
Cryptogram, and on an unencrypted com- not know before the cipher is broken) and that are
parison text. Although this paper will not still unsolved, potentially for one or several of the
present a solution of the Dorabella Cryp- named reasons. The following are the most impor-
togram, a number of interesting insights tant of these cryptograms:
will be introduced. Especially, it will be
• The Dorabella Cryptogram (Wikipedia,
shown that one of the methods applied
2018)
works surpsingly well on the comparison
text and that there are still ways to im- • The MLH cryptogram (Schmeh1, 2017)
prove this technique. In addition, some in-
teresting properties of the Dorabella Cryp- • The Voynich Manuscript (Wikipedia, 2018)
togram will be presented, which might be
• The Rayburn cryptogram (Schneier, 2006)
helpful for further cryptanalysis.
1 Introduction • Cigaret Case Cryptogram (Schmeh2, 2017)

With the advent of computer technology and suit- For these cryptograms, frequency analysis,
able software (especially, the open source tool word pattern analysis, word guessing, and hill
CrypTool), breaking a mono-alphabetic substitu- climbing have failed so far. An interesting ques-
tion cipher (MASC) has become quite easy. Fre- tion is whether there are other MASC breaking
quency analysis, which once was the most impor- methods that can be applied in such a case. In
tant way to break a MASC, is often not even nec- fact, there are. The book Cryptanalysis by He-
essary any more, as a word pattern search con- len Fouché Gaines mentions three MASC break-
ducted by a software is usually more effective. In ing methods that are worth considering (Fouché
addition, hill climbing—another technique that re- Gaines, 1939): vowel detection, digram analysis,
quires computer support—has proven a powerful and consonant lining. All three methods are as
technique to break MASCs. good as not mentioned in the literature that has

Proceedings of the 1st Conference on Historical Cryptology, pages 145– 152,

Uppsala, Sweden, 18-20 June, 2018
been published since computer technology came A B C D E F G H I
up. 4 1 3 6 9 1 2 5 8
The goal of this paper is to apply the three meth-
ods mentioned by Fouché Gaines on the afore- J K L M N O P Q R
mentioned Dorabella Cryptogram. The Dorabella - - 5 2 7 8 1 - 3
Cryptogram was created by British composer Ed-
ward Elgar (1857-1934). In 1897, Elgar, who had S T U V W X Y Z
a strong interest in cryptology, sent an encrypted 5 9 3 - 2 - 3 -
message to a female friend named Dora Penny.
This cryptogram is written in symbols consisting According to Fouché Gaines, the nine most fre-
of one, two or three bows (see figure 1)—probably quent letters of the English languange (E, T, A, O,
an alphabet of Elgar’s own creation. N, I, R, S, H) make up about 70 percent of an En-
The Dorabella Cryptogram has never been glish text. In the comparison text the nine most
solved, although many experts have tried. It frequent letters are E, T, D, O, N, I, L, S, and H.
is covered in virtually every famous unsolved These are not exactly the letters we have expected.
cipher list, e.g., on Elonka Dunin’s web- However, they appear 62 times (71.3%), which is
site (http://elonka.com/UnsolvedCodes.html), in a pretty good fit.
Craig Bauer’s book Unsolved! (Bauer, 2017), Here’s the frequency analysis of the Dorabella
in Klaus Schmeh’s Nicht zu knacken (Schmeh, Cryptogram:
2012), and in Richard Belfield’s Can You Crack A B C D E F G H I
the Enigma Code? (Belfield, 2006). 2 4 6 6 2 8 6 4 4
To check whether the three cryptanalysis meth-
ods work, I will apply them not only on the Dora- J K L M N O P Q R
bella Cryptogram but also on a non-encrypted 11 4 4 1 6 1 8 3 1
comparison text. When looking for a suitable text,
I came across the novel The Gadfly by Ethel Boole S T U
(Boole 1897), the wife of Wilfrid Voynich, who is 1 1 4
known to crypto history scholars as the person the
Voynich Manuscript is named for. The Gadfly was
The seven most frequent letters (J, F, P, C, D,
published in 1897, the same year as the Dorabella
and N) together appear 45 times (51.7%). In ad-
cryptogram was created. I chose the following 87
dition, there are four letters with a frequency of
letter excerpt (same length as the Dorabella Cryp-
6 (6.9%) each. If we take two of the latter we get
togram) from the The Gadfly as the comparison
57 appearances (65.5%) for the nine most frequent
text (I will ignore the spaces because the Dorabella
letters. This is reasonably close to the 70% postu-
Cryptogram doesn’t contain any):
lated by Fouché Gaines. We can take this as an in-
THEYW ENTOU TINTO THEST ILLSH ADOWY dication that the Dorabella Cryptogram is a MASC
CLOIS TERGA RDENT HESEM INARY OCCUP encryption of an English, not a hoax.
IEDTH EBUIL DINGS OFANO LDDOM IN To follow Fouché Gaines’ approach, we now
Here’s a transcription of the Dorabella Cryp- need to identifiy three groups of letters: the fre-
togram: quent, the less frequent, and the rare ones. Fouché
Gaines’ book does not define exactly the borders
ABCDE FGDHA IJKLJ MJJFB BJNGO GNIP between these groups. I will work with the follow-
GJGFQ DHRSC JJCFN KGJIJ FTPKL QHHQI P ing definitions:
CPFUP CLUUN PCJFU KPNDB NPFDL ED
• High frequency group (6 or more appear-
2 Basic Examinations ances): In the comparison text the follow-
ing letters belong to this group: D, E, I, N,
As both Elgar and Penny spoke English, I will as- O, T. In the Dorabella Cryptogram the high-
sume that the Dorabella Cryptogram is written in frequency letters are F, J, P, C, D, G, and N.
English. As proposed by Fouché Gaines in her
book, I started my examinations with a frequency • Medium frequency group (3-5 appearances):
count. I examined the comparison text first: The medium-frequent letters of the com-

146
Figure 1: The Dorabella Cryptogram is an unsolved ciphertext that has the appearance of a mono-
alphabetic substitution cipher (MASC).

parison text are H, L, S, C, R, and Y. I J K L M N O P

The medium-frequent letters of the Dorabella TN - - IL EI ET TU UI
Cryptogram are B, H, I, K, L, U, and Q. TL - - LS OI IT TT
OS - - CO ET DW
HN - - ID IA LO
PE - - OD IG YC
• Low frequency group (1-2 appearances):
UL - - AO SF
Letters with a low frequency are B, F, G, M,
DN - - I- NL
P, and W (comparison text) and A, E, M, O,
MN - - DM
R, S, and T (Dorabella Cryptogram).

Q R S T U V W X
- EG ET -H OT - YE -
As the next step, we determine the contacts of - AD LH NO CP - OY -
each letter. A contact is defined as a letter that - AY IT UI BI - -
stands directly before or behind a certain charac- - EE NO - -
ter. As the Dorabella Cryptogram doesn’t indicate - NS OH - -
spaces (and as we ignore the spaces in the com- - SI - -
parison text), each of the 87 letters, except the first - SE - -
and the last one, has two contacts. The examples - NH - -
described by Fouché Gaines contain spaces, which - DH - -
means that her contact analysis is a little different
from the one performed here. Y
Here’s the contact analysis for the comparison EW
text (below each letter the left and the right con- WC
tacts are isted, one contact pair per line): RO

Here’s the contact analysis for the Dorabella Cryp-

togram:
A B C D E F G H
HD EU YL AO HY OA RA TE A B C D E F G
GR OC RE WN NS TE -B AC BD CE DF EG FD
NR CU ET HS SA HI FB SJ GH LD JB NO
FN LI TR TE BJ JF QH GQ ON
LD DN TE DN PP NB CN PJ
DO HS PL FL JT JF
SM PJ E- PU KJ
ID JU
HB PD

147
 H I J K L M N Vowel candidates in the Dorabella Cryptogram:
DA AJ IK JL KJ JJ JG F, J, P, C, D, G, N
DR NP LM NG NG GI
QH JJ MJ PL PL FK
HQ QP JF UP UP UP 3.2 Pointer 2: Letters contacting
BN PD low-frequency letters
NC What Fouché Gaines writes: Letters contacting
KN low-frequency letters are usually vowels.
NF
Does this hold for the comparison text? Yes. The
O P Q R S T U letters with frequency 1 are contacted by A, E, I,
GG IG FD HS RC FB FP O, and U. The letters with frequency 2 are con-
TK LH LU tacted by A, N, R, S, E, O, Y, and Y. This means
IC HI UN that 10 of 13 letters contacting low-frequency
CF FK letters are vowels. If we count only the contacts
UC that appear more than once or that contact a letter
NC that appears only once we get exactly A, E, I, O,
KN U, and Y.
NF
What does this mean for the Dorabella Cryp-
3 Vowel Detection Method togram? The letters contacting low-frequency
letters are B, B, D, D, F, H, I, J, J, L, G, G, H,
The vowel detection method is the first one de-
S, R, C, and F. If we count only the contacts that
scribed by Fouché Gaines. It is based on eight cri-
appear more than once or that contact a letter that
teria (Fouché Gaines calls them pointers) that can
appears only once we get B, D, J, G, H, S, R,
be used to identifiy vowels in a ciphertext. The
C, F, and B. As can be seen, the vowel detection
idea of this method is to use the vowels identified
doesn’t work here as good as for the comparison
for further investigations with other cryptanalysis
text.
methods (i.e., the vowel detection method alone
will usually not break a cipher, but it can help to
Vowel candidates in the comparison text: A, E, I ,
do so). Fouché Gaines’ vowel detection method
N, O R, S, and Y
should not be confused with the Shukotin algo-
rithm (Guy, 1991), which has the same purpose.
Vowel candidates in the Dorabella Cryptogram:
3.1 Pointer 1: High frequency of vowels A, E, B, D, F, H, I, J, L, G, H, S, R, C, F
I, and O
What Fouché Gaines writes: The vowels A, E, I, 3.3 Pointer 3: Wide variety in contact letters
and O are normally found in the high-frequency What Fouché Gaines writes: Letters showing
section of a cryptogram. wide variety in their contact letters are vowels.

Does this hold for the comparison text? It is true Does this hold for the comparison text? Yes.
for the vowels E, I, and O. The letter A, however, Fouché Gaines does not define exactly what wide
has a lower frequency than expected. variety means. However, if we look at the three
letters with the widest variety we see that these
What does this mean for the Dorabella Cryp- are the vowels E, I and O.
togram? If Fouché Gaines is correct the ciphertext
letters F, J, P, C, D, G, and N contain the cleartext What does this mean for the Dorabella Cryp-
vowels A, E, I, and O. togram? The three letters with the widest variety
are J, F, and P.
Vowel candidates in the comparison text: D, E, I,
N, O, T Vowel candidates in the comparison text: E, I, O.

148
Vowel candidates in the Dorabella Cryptogram: 3.6 Pointer 6: Doubled consonants
J, F, P. What Fouché Gaines writes: Doubled consonants
are usually flanked by vowels, and vice-versa.

3.4 Pointer 4: Repeated digrams Does this hold for the comparison text? The
comparison text contains three doubled letters:
What Fouché Gaines writes: In repeated digrams
LL, CC, and DD. Only CC appears inside a word
(in immediate succession), one letter is usually a
(OCCUPY), while the other two stand at the end
vowel.
of a word (STILL) or are spread to two words
(OLD DOMIN). While CC is flanked by two
Does this hold for the comparison text? There is
vowels, LL and DD aren’t. It seems that this
no repeated digram in the comparison text.
pointer is not applicable, if the word boundaries
are not known.
What does this mean for the Dorabella Cryp-
togram? There is no repeated digram in the What does this mean for the Dorabella Cryp-
Dorabella Cryptogram. togram: The digram JJ appears twice. HH and
UU are two more doubled letters. No conclusions
Vowel candidates in the comparison text: - can be drawn from these facts at this stage.

Vowel candidates in the Dorabella Cryptogram: - Vowel candidates in the comparison text: -

Vowel candidates in the Dorabella Cryptogram: -

3.5 Pointer 5: Reveresed digrams
What Fouché Gaines writes: In reversed digrams, 3.7 Pointer 7: Five consonants in succession
one letter is usually a vowel. What Fouché Gaines writes: It is unusual to find
more than five consonants in succession.
Does this hold for the comparison text? Yes.
The reversed digrams of the comparison text are Does this hold for the comparison text? Yes.
TO/OT, DE/ED, LO/OL, NA/AN, YW/WY, and
SE/ES. Each of these six pairs consists of a vowel What does this mean for the Dorabella Cryp-
and a consonant. togram? No conclusions can be drawn at this
stage.
What does this mean for the Dorabella Cryp-
togram? The reversed digrams are GJ/JG, JI/IJ, Vowel candidates in the comparison text: -
DE/ED, GF/FG, MJ/JM, GN/NG, FG/GF, JC/CJ,
KP/PK, QH/HQ, PC/CP, and PN/NP. 9 of these Vowel candidates in the Dorabella Cryptogram: -
12 digrams contain one of the vowel candidates
identified above (J, F, P). It is important to note
that the Dorabella Cryptogram has double as 3.8 Pointer 8: Vowels contacting each other
many reversed digrams as the comparison text. What Fouché Gaines writes: Vowels do not often
It is beyond the scope of this paper to examine contact one another.
whether this high number of reversed diagrams is
still consistent with an English text or whether it Does this hold for the comparison text? Yes.
is evidence for the Dorabella Cryptogram being
something else as English text. What does this mean for the Dorabella Cryp-
togram: There are five contacts between two
Vowel candidates in the comparison text: - of the supposed vowels J, F, and P. Further
work might examine whether this information is
Vowel candidates in the Dorabella Cryptogram: - of any use for breaking the Dorabella Cryptogram.

149
Vowel candidates in the comparison text: -
J P B C D F G H I K U
Vowel candidates in the Dorabella Cryptogram: - 11 8 4 6 6 8 6 4 4 4 4
10 8 7 7 9 11 7 5 5 6 6

3.9 Result of vowel detection L N Q E A R S T M O

Only three of the eight criteria can be used to 4 6 3 2 2 1 1 1 1 1
search for vowel candidates in the two texts exam- 7 9 5 4 3 2 2 2 1 1
ined in this paper. In the comparison text there are Here we have 117 accumulated contacts. 20
three letters that fulfill all three criteria: E, I, and percent of 117 are 23. The letters M, O, R, S, T,
O. This means that this method works to a certain A, and E together have 15 appearances, so they
degree for the comparison text, although the vow- should be consonants. The next candidates are H,
els A, U, and Y remained undetected. I and Q (five appearances each). If we include all
Only two letters of the Dorabella Cryptogram, J of them we are above 20 percent. It seems best to
and F, fulfill all three criteria. The letter P fulfills omit all three.
two of them. Although this is an interesting re- It is important to note that Fouché Gaines’ state-
sult, it is not enough to solve the Dorabella Cryp- ments about contacts at this place refer to a text
togram. of roughly 100 letters. They make no sense for a
much longer or shorter text. It is therefore an inter-
4 Digram Method esting question how the frequency of consonants
The digram solution method is the second one can be measured in a way that is independent from
proposed by Fouché Gaines. However, Fouché the message length. This question, which is out
Gaines writes that 80 letters are not enough for this of scope in this paper, is addressed in (Schmeh3,
technique. For this reason she demonstrates it on a 2017).
235 letter message. The 87 letters in the Dorabella In the next step, I write all the consonants I have
Cryptogram and the comparison text are clearly identified in a line (see figure 2, ignore the under-
not enough for this method to work. I therefore lined letters for now). Below, I write the left con-
skip it in this paper. tacts of each letter left of the line, and the right
contacts right of the line (see figure 2, again ig-
5 Consonant Line Method nore the underlined letters).
Now, according to Fouché Gaines, all letters
The third method Fouché Gaines introduces is the
that don’t show up as contacts left or right of the
consonant line method. To apply this technique
line can be identified as consonants, as well. These
we need to assemble a table that lists the letters of
are C, D, L, and T (comparison text) and C, K, N,
the text along with their frequencies and number of
P, Q, and U (Dorabella Cryptogram). Note that
different letters contacting them. Here’s the table
this method has now correctly identified 11 con-
for the comparison text:
sonants in the comparison text. The newly de-
O E I T D N S A U C tected values are included in the upper line of con-
8 9 8 9 6 7 5 4 3 3 sonant line diagram (underlined), and the contacts
12 11 11 8 8 6 6 6 6 5 of these letters are added left and right of the ver-
tical line (underlined).
R Y G H M W B F P According to Fouché Gaines, the N can now be
3 3 2 5 2 2 1 1 1 identified, as it is a frequent letter that stands al-
5 5 4 4 3 3 2 2 2 most always left of the consonant line. The H can
According to Fouché Gaines, the lowest 20 per- be identified, as it almost always stands right of it.
cent of the total number of contacts are conso- Both identifications works pretty well for the com-
nants. The letters G, M, W, B, F, P, and H to- parison text, though the N could be confused with
gether have 20 appearances. As we have a total of the T.
106 contacts, we can determine these (correctly) Following Fouché Gaines’ instructions, we can
as consonants. Here’s the same table for the Dora- now also indentify a few vowels. The vowels A,
bella Cryptogram: E, I, and O (i.e., the frequent ones) are expected

150
 like a vowel. Figure 3 shows the Dorabella Cryp-
togram with marked vowels and consonants (this
is the next step recommended by Fouché Gaines).
In my view, there is no obvious way to proceed
from here. So, I will leave further steps (for in-
stance, checking if one of the different candidates
for N and H makes sense) to future research.
All in all, it can be said that the consonant line
method, which works surpisingly well on an ordi-
nary English text of the same length and written in
the same year, doesn’t render a clear result for the
Dorabella Cryptogram.

6 Conclusion
To my regret, none of the three methods described
in this paper has led to a solution of the Dora-
bella Cryptogram. Nevertheless, there are a num-
ber of interesting conclusions that can be drawn
Figure 2: Consonant lines for the comparison text from the examinations described in the previous
(left) and the Dorabella Cipher (right). paragraphs. Here are some general ones:

• The consonant line method has worked sur-

prisingly well on the comparison text. It not
to appear in a high frequency and on both sides of
only correctly identified G, M, W, B, F, P,
the line. Looking at the comparison text, this is
H, C, D, L, and T as vowels but also found
absolutely correct for the O and partially holds for
the letters N and H. This information would
E, I, and U, while the A behaves a little different
be enough to break a MASC-encrypted text.
than expected. This attempted vowel identification
The consonant line method therefore appears
is far from perfect, but it would certainly provide
to be an interesting alternative, whenever
helpful evidence when combined with other crypt-
other methods (including frequency analysis
analysis methods.
and word pattern guessing) don’t work.
The information we have gathered by now
would be sufficient to break the comparison text, • Digram analysis doesn’t work on a cryp-
if it were a cryptogram. It is very likely that the togram consisting of 87 letters. As virtually
consonant that precedes the H four times is T (TH all unsolved MASC encryptions known to me
is the most frequent consonant pair in the English are of about this size or smaller, this method
language). In addition, it is clear that the vowel will not be of much value.
that follows TH four times in the text is E (THE is
the most frequent trigram in English texts). Know- • Vowel detection has worked on the compari-
ing the four letters T, H, E, and N, the rest would son text. It correctly identified E, I, and O as
be routine cryptanalysis work. vowels. While this is, of course, not enough
to break a cipher, it might be an interesting
In the case of the Dorabella Cryptogram, things
aid.
are less clear. There are several candidates for the
N (L, H, and U) and several for the H (D, I, and • Generally, the concept of letter contacts
K). The most promising vowel candidates are J, seems to be an interesting tool in cryptanaly-
F, and P (the same candidates as determined us- sis, which has been underestimated so far. As
ing the vowel detection method). Note that the far as I know, this concept is not mentioned at
letter P was identified as a consonant in the sec- all in the crypto history literature of the last
ond step of the consonant line method (because it decades.
doesn’t touch any of the vowels determined in the
first step), though its appearance on the consonant The following conclusions can be drawn about
line (five left and five right contacts) makes it look the Dorabella Cryptogram:

151
Figure 3: The Dorabella Cipher transcription with marked vowels (bold) and consonants (underlined).
Further research may show whether there are conclusions that can be drawn from this.

• The frequency count and the contact counts • The consonant line method should be adapted
of the Dorabella Cryptogram are consistent to other languages.
with the English language.
• The concept of reversed digrams might be
• The following letters in the transcribed Dora- helpful for cryptanalysis. It should be ex-
bella Cryptogram could be vowels: F, J, and plored.
P. I am optimistic that some of the unsolved cryp-
• The number of reversed digrams in the com- tograms mentioned in the introduction can be
parison text is double as high as in the Dora- solved with the methods covered here. I hope that
bella Cryptogram. additional research in this direction will be con-
ducted.
• Candidates for the letters H and N have been
found in the Dorabella Cryptogram.
References
• The vowel detection method and the con- Bauer, Craig. 2017. Unsolved!. Princeton University
sonant line method work less good on the Press, Princeton, NJ.
Dorabella Cryptogram than on the compari-
Belfield, Richard. 2006. Can You Crack The Enigma
son text. Code. Orion Publishing, London, UK.
Here are some some ideas for future work: Fouché Gaines, Helen. 1939. Cryptanalysis. Dover
Publications, New York, USA.
• Some of the instructions given by Fouché
Guy, Jacques B. M. 1991. Vowel Identification: An
Gaines are a little fuzzy. Especially, the def- Old (but Good) Algorithm. Cryptologia (4), 258-
inition of letter frequency classes and the 262 (1991)
quantification of contact variety is not very
Schmeh, Klaus. 2012. Nicht zu Knacken. Hanser, Mu-
precise. This leaves room for further re- nich, Germany.
search.
Schmeh, Klaus 2017. The Top 50 unsolved en-
• Fouché Gaines’ methods assume that the ci- crypted messages: 31. The MLH cryptogram Klau-
sis Krypto Kolumne, 2017-05-23
phertext examined contains spaces. As this
is not the case in many cases, the methods Schmeh, Klaus 2017. Who can decipher this en-
should be adapted to cryptograms without crypted inscription on a cigaret case? Klausis
Krypto Kolumne, 2017-11-26
known word boundaries.
Schmeh, Klaus 2017. Mathematical formula needed
• The concept of letter contacts should be made Klausis Krypto Kolumne, 2017-12-22
more popular in cryptananalysis.
Schneier, Bruce 2006. Handwritten Real-World Cryp-
togram Schneier on Security, 2006-01-30
• The consonant line method should be applied
on other cryptograms, as well. Wikipedia. Dorabella Cipher. Retreived 2018-01-08.

• Further tests whether the Dorabella Cryp- Wikipedia. Voynich manuscript. Retreived 2018-01-
08.
togram is a real text should be made.

152
 Design and Strength of a Feasible Electronic Ciphermachine from the
1970s

Jaap van Tuyll

Retired cryptanalyst
The Netherlands
jaapvantuyll@gmail.com

Abstract One aspect is the need of a large key space for

the initialisation keys. If the number of different
This paper explores the design and initialisation keys is relatively small, it is possible
strength of a feasible electronic cipherma- for a cryptanalyst to test all the different keys (an
chine that might have been invented in the exhaustive search) in a relatively short time.
1970’s. The design uses linear feedback A key generator without input is by its nature
shift registers, to get a key generator that periodic. If it contains n memory elements of one
satisfies some necessary requirements bit, then the number of different states of the key
for a secure cryptographic algorithm. generator is at most 2n . Therefore the period can
The analysis of the strength however, also not be larger than this number. The key gen-
shows that the algorithm can be attacked erator should be designed in such a way, that the
successfully. periods that are attained, are in the order of magni-
tude of this number. A very short period produces
the possibility of reading in depth of a message
1 Introduction shifted against itself. A somewhat longer period
gives a cryptanalyst the possibility of testing all
Around 1970 a number of new off-line commer-
the positions of the period.
cial cryptographic machines for the encryption of
Different messages should use different parts of
messages in telexcode, appeared on the market.
the period of the key generator to prevent reading
Some examples are the H460 produced by Crypto
in depth of the messages. This could be achieved
AG, the TC803 produced by Gretag, the DC105
by changing the complete initialisation key for the
and DC26 produced by Datotek, the T1000CA
machine, but for many reasons this is not a practi-
produced by Siemens and the TST9669 produced
cal solution. Mostly this is achieved, by changing
by Telesecurity Timmann. These machines have
a small part of the initialisation key (the message
in common, that they make use of electronic com-
key) from message to message.
ponents, such as logical gates and shift registers.
Then the key numbers that are used should have
Thereby they mark a new generation of crypto-
a flat distribution. If this distribution is skewed, it
graphic machines, when compared with the older
might be possible for a cryptanalyst to guess (part
electromechanical machines such as the CX52.
of) the plaintext.
Not much is known in the open literature about
Lastly there is the special off-line problem:
the design of these machines. Therefore it might
be interesting to explore and evaluate one of the For an off-line machine using the telex alpha-
possible ideas to design such a cryptographic ma- bet the following problem has to be solved. If
chine, using electronic components. the keystream is randomly generated, it contains
all 32 five bit combinations, so the result of the
2 General design criteria encryption of a plain character can be any of the
32 combinations. However, only the 26 printable
Around 1970 there were several properties of a key combinations are acceptable as a cipher character.
generator known, to which a designer should pay This problem can be solved in several ways. One
attention. All of these have to be addressed by the of them is the following one: Generate key num-
designer of a cryptographic machine to make sure bers between 0 and 31, use as encryption a modulo
that the design will not a priori be a weak one. 32 addition of plain and key numbers, and in case

Proceedings of the 1st Conference on Historical Cryptology, pages 153– 158,

Uppsala, Sweden, 18-20 June, 2018
the result is a non-letter, repeat the encryption with must be left out of the plaintext alphabet. (If not,
the same key, until an acceptable result has been the plain alphabet would have more elements than
achieved. the cipher alphabet which is unacceptable, because
that prevents unique decipherment). The space
2.1 Properties of shift registers will then be replaced by the word separator dur-
A linear feedback shift register (LFSR) is an im- ing the encipherment. The consequence is, that the
portant building block for electronic cryptographic word separator itself cannot be used in the text of a
machines. The reason is that an LFSR can produce plain message. If the resulting letter after decryp-
a pseudo-random sequence of bits. This is a se- tion is the word separator, a space will be printed.
quence with properties, resembling those of a real That implies that it becomes invisible which is un-
random sequence. Such a sequence is also called a desirable. A reasonable choice for a word separa-
maximum-length sequence, because the length of tor could be the X and if the X itself is needed in
the period is maximal for a linear shift register (i.e. a plaintext, then a trick must be used, e.g. repre-
2n − 1 for a shift register of length n). If this num- senting an X by KS.
ber is a prime, then each irreducible polynomial of
3.2 The key generator
degree n is associated with a shift register produc-
ing a maximum-length sequence. Moreover it is To encrypt five-bit telex characters it is necessary
the polynomial with the lowest degree associated to produce five-bit key characters. Therefore it
to that shift register, the so-called minimal polyno- seems plausible to use five binary LFSRs. Each
mial. register can then produce one of the required key-
The length of the period is a property that makes bits. For convenience they can all have the same
maximum-length sequences important for crypto- length n and the same feedback trinomial polyno-
graphic purposes. Another property which is im- mial
portant is that the distribution of bit-combinations Xn + X f + 1
upto length n is flat. This must be an irreducible polynomial produc-
For practical purposes it is convenient to use ing a maximum-length sequence of period 2n − 1.
feedbacks that only have two connections. The The required keybits can then be read off from the
polynomial then becomes a trinomial. In that case sections k of the registers. Because the shift reg-
one XOR gate is sufficient to determine the feed- isters all produce pseudo-random sequences, the
back. produced key characters also are pseudo-random.
An important property of a binary LFSR is the See figure 1 for a picture.
following: Every bit in the output sequence of a
binary LFSR is a linear combination of the bits of ✲⊕
the initial content. A consequence is that as soon ✻ ❄
as n independent bits of the output sequence are
known, it is possible to solve the initial content of
a shift register of length n by solving a set of n
linear equations.
More information on shift registers can be n s k f 1
found in (Golomb, 1967).
Figure 1: Shift registers
3 Design
The goal is an off-line cryptographic machine 3.3 Initialising the machine
that encrypts plaintexts, containing letters and the The registers could be initialised by n − 1 key char-
space character. The ciphertext should consist of acters. One of the sections of each register (e.g.
letters only, so that a ciphertext could be printed the first) should be set to 1 to ensure that no reg-
before transmisson. ister starts in the all-zero state. The five bits of
a key letter could then be read into the registers
3.1 The plaintext alphabet 1 through 5. As the initialisation of the machine
Because the space character is wanted in the plain needs to be different for every message, two keys
alphabet, one letter (called the word separator) should be used: a long-term key of n − m − 1 letters

154
and a message key, unique for one message, of m in a plaintext, because the corresponding charac-
letters. In practice it might be necessary to send ter cannot be printed. In such a case the decipher-
the message key in the clear with the message, so ment is repeated with the same keynumber, until
the message key should not be used unmodified. an acceptable result has been reached. If the plain
This could be achieved by using (part of) the long- number equals 4, the plain character is a space.
term key to change the bits of the message key,
before they are entered into the machine. 3.6 Stepping of the registers
The key space of this machine has the size After the encryption of a letter has ended success-
25(n−1) . fully, the registers should step a number of times.
To ensure a high period for the keystream gener-
3.4 Character encipherment
ated by the machine, at most one register can have
To encipher a plain letter, a key number K could be a constant step, so e.g. register 1 steps a constant
determined by reading off the contents of sections number of steps. Then the higher numbered regis-
k of all the registers. ters should make a variable number of steps, e.g.
P the number of steps could be determined by the
K = 5i=1 Ri,k ∗ 2i−1
XOR of the content of the sections s of the lower
(where Ri, j is the content of section j of register i).
numbered registers.
The plain letter could be converted to a number P
P using its ITA2 bit value. For the word separator S i = i−1
j=1 R j,s mod 2
representing the space, the value P = 4 could be where S i determines the number of steps of regis-
used. ter i for i > 1.
The formula for the encipherment could be: In this way it is guaranteed, that whenever one
C = P − K mod 32 register completes its period, all the other regis-
ters do not. This ensures that the period of the
where the number C is converted through the
keystream of the machine is in the order of magni-
ITA2 table into a cipher letter. If C is equal to
tude of (2n )5 .
0, 2, 8, 27, 31 or the number corresponding to the
letter used as the word separator, it cannot be used 3.7 Summary of the design
in a ciphertext, because the corresponding charac-
ter cannot be printed. (Such a character is con- The design of the machine meets the necessary cri-
sidered illegal for this machine). In such a case teria for a secure algorithm that were mentioned
the encipherment could be repeated with the same earlier:
keynumber, until an acceptable result has been The keyspace has a large size.
reached. It is easy to verify that this procedure The keystream has a large period.
always stops. The keycharacters generated have a flat distri-
bution.
3.5 Character decipherment Different messages use different parts of the
Character decipherment is the inverse operation of keystream.
the character encipherment. To decipher a cipher
letter, a key number K is determined as described 4 Strength
above, by reading off the contents of sections k of When attacking the feasible cryptographic ma-
all the registers. chine described above, it is reasonable to assume
P
K = 5i=1 Ri,k ∗ 2i−1 that the details of the design are known to an at-
The cipher letter is converted to a number C using tacker. This approach is fully in line with the sec-
its ITA2 bit value. ond Kerckhoffs’ principle that was stated by Au-
The formula for the decipherment is: guste Kerckhoffs in 1883 in (Kerckhoffs, 1883).
It is clear that the variable stepping of the higher
P = C + K mod 32 numbered registers implies that the start of an at-
where the number P is converted through the tempt to break this feasible machine, can only be
ITA2 table into a plain letter. If P is equal to an attack on the first register, the only one that has
0, 2, 8, 27, 31 or the number corresponding to the a constant step. After solving the first register the
letter used as the word separator, it cannot be used stepping pattern of the second one is known and

155
then the second register could be attacked and so Then the initial content is solved by solving the
on. set of equations, generated by those reliable bits.
Under certain conditions on the values of the bias
4.1 Fast correlation attack and the length of the used part of the shift register
The fast correlation attack is a procedure to deter- sequence this method converges.
mine the initial content of a shift register if only a
4.2 Correlation attack on register 1
part of the output sequence containing some errors
is known. For every letter of the ciphertext the 32 possible
This attack has been presented for the first time decryptions can be divided into two groups, one
at Eurocrypt 1988 in Davos by Willi Meier and corresponding with an even key number and the
Othmar Staffelbach and has been published in other one corresponding with an odd key num-
(Meier and Staffelbach, 1989), although the attack ber. Depending on the letter frequencies in the lan-
was already known many years before. guage of the plaintext, the two groups have a dif-
The method works as follows: ferent probability of occurrence. The consequence
The enciphering method modifies the bits of the is that the probability of the last bit of the key num-
register that will be attacked. This modification is ber being 0, is different from the probability of the
not random, but biased to either 0 or 1. The part last bit of the key number being 1. In other words
of the shift register sequence for which this biased for every cipher letter there is a bias to either 0 or
information is available is initialised with values 1 for the last bit (K1 ) of the key number K.
coming from the bias. Compare
The feedback polynomial gives a relation that is P(K1 = 0 | cipherletter = C)
satisfied by all the bits in the output sequence of with
the shift register. Moreover all the multiples and P(K1 = 1 | cipherletter = C)
in particular all the 2n powers of this polynomial
(which are all also trinomials) give relations that An example: For cipher letter H the set of decryp-
are satisfied. tions with an even keynumber is:
As an example if X n + X f + 1 is the feedback {B,G,H,L,M,O,P,Q,T,V,W,Y,Z}
polynomial, then if bi is the i-th bit of the out- The letters L, W and Z occur twice as a decryp-
put sequence, bi+n + bi+n− f + bi = 0 mod 2 is sat- tion with different keynumbers.
isfied for all i > 0. But also bi+2n + bi+2(n− f ) + For odd keynumbers the set is:
bi = 0 mod 2 and so on. Moreover one can add {A,C,D,E,F,G,I,J,K,N,R,S,U,X}
bi+n+ f + bi+n + bi+ f = 0 mod 2 to bi+n + bi+n− f + bi = Here F and U occur twice as a decryption with
0 mod 2 and in this way get the new relation different keynumbers.
bi+n+ f + bi+n− f + bi+ f + bi = 0 mod 2. In this way In most languages the second set is much more
many trinomial and tetranomial relations can be frequent than the first one, especially because the
found which are satisfied by the bits of the pro- X in the second set is the word separator and thus
duced output sequence. represents the space character. So for cipher letter
Step 1 is: Count for every position the number H the bias is for a 1 as the last keybit.
of relations involving that position that are satis- This bias makes it possible to determine the ini-
fied and the number of relations that are not satis- tial shift register sequence. First the bias is used
fied. If the number of satisfied relations is much to make an approximation of the shift register se-
higher, then the bit at that position is probably re- quence produced by the first register of the ma-
liable and nothing is changed. In the other case chine.
the bit is probably unreliable and it is declared un- If the language statistics are favourable enough
known. and the message length is sufficiently large, the
Step 2 is: Compute for all the unknown bits a fast correlation attack reconstructs the initial con-
new value on the basis of the reliable bits only. For tent of the first register of the machine.
many unreliable bits this will succeed and then a
new sequence has been determined. 4.3 Correlation attack on register 2
The counting and correcting steps are repeated A similar approach can be used for the higher
until enough highly reliable bits have been found. numbered registers. Once register one is known

156
the stepping of register two is also known. More- of the registers 1 and 2 are known only 8 possible
over for every cipher letter one keybit is known. decryptions remain possible.
In this case the decryptions of a given cipher letter If the cipher letter is H and the keybits from the
are divided into four groups. In each group the key first and second register both are 1 then the plain-
numbers have a fixed value modulo 4. letter must be one of the set {A,E,F,G,I,S,U,X}.
An example: For cipher letter H the four groups Now it is possible to test for every position in
are: the ciphertext, whether a word that probably will
be present in the plaintext, fits the ciphertext.
key = 0 mod 4 {H,L,P,Q,T,W,Y,Z}
So you might get the following situation:
key = 2 mod 4 {B,G,L,M,O,V,W,Z}
(CT is the ciphertext letter and k1 and k2 are
key = 1 mod 4 {C,D,F,J,K,N,R,U}
the known keybits from the registers 1 and 2).
key = 3 mod 4 {A,E,F,G,I,S,U,X}
CT D P I F E R U O B K
Then depending on the value of the keybit pro- k1 0 0 1 1 0 1 0 1 0 0
duced by register one, either the groups with key k2 1 1 1 0 0 0 0 1 0 0
numbers equal to 0 and 2 modulo 4 are compared S V V A E G U N B K
or the groups with key numbers equal to 1 and 3 A B B H S V X R O N
modulo 4 are compared. U T P Z A B X C O N
Compare C L R O U X S D G R
P(K2 = 0 | cipherletter = C ∧ K1 = b) X Z D M E I I F O C
with K O O G X S E J M D
I M M V A O S K G F
P(K2 = 1 | cipherletter = C ∧ K1 = b)
E G G B I M A T V J
where b is the known keybit from the first register. The boldface letters show that here the word
For every ciphertext letter the bias between the AMBASSADOR is possible.
groups that are compared is used to initialise an If the word has a sufficient length only correct
approximation for the second register. Once again positions are found. (Almost) every plaintext let-
if the conditions are favourable the fast correlation ter that is found in this way fixes a keybit in the
attack finds the initial content of register two. registers 3, 4 and 5. In the example above that
is the case for all ciphertext letters, except the ci-
4.4 Registers 3, 4 and 5 phertext letter B, for which there are three possible
In principle the same method can be used for the decryptions as O.
registers 3, 4 and 5. However, in many languages As soon as enough independent keybits have
the statistics are unfavourable for a successful at- been found, the initial content of the registers 3,
tack on register 3. 4 and 5 can be found by solving a set of linear
One way to improve the statistics is by using bi- equations for each register.
grams of the ciphertext instead of single ciphertext
letters. That improves the bias because in that case 5 Conclusion
the frequencies of plain letter bigrams are used to The cryptographic algorithm that has been de-
calculate the bias. scribed could very well have been invented in the
Compare 1970’s, when new ideas in cryptography were gen-
P(K3 = 0 | cipherpair = CC ′ ∧ K1 = b1 ∧ K2 = erated by the new electronic components that be-
b2 ∧ K1′ = b′1 ∧ K2′ = b′2 ) came available. The paper shows that although
with the algorithm meets a number of design criteria,
P(K3 = 1 | cipherpair = CC ′ ∧ K1 = b1 ∧ K2 = it still could have been broken using an idea that
b2 ∧ K1′ = b′1 ∧ K2′ = b′2 ) was published in 1989.

where b and b′ are the keys for the consecutive

cipherletters C and C ′ . References
Solomon W. Golomb. 1967. Shift Register Sequences.
4.5 Probable word method Holden–Day.
There is however another method: the probable Auguste Kerckhoffs. 1883. La cryptografie militaire.
word method. If for every cipher letter the key bits Journal des Sciences Militaires, IX:5–38, jan.

157
Willi Meier and Othmar Staffelbach. 1989. Fast Cor-
relation Attacks on certain Stream Ciphers. Journal
of Cryptology, 1(3):159–176.

158
Author Index

Al-Kazaz, Noor R., 115 Stamp, Mark, 39

Antal, Eugen, 125 Stamp, Miles, 39

Bonavoglia, Paolo, 77 Teahan, William J., 115

Tiscornia, Jorge, 21
Cabezas, Juan José, 21 Turing, Dermot, 95
van Tuyll, Jaap, 153
Dahlke, Carola, 109
Desenclos, Camille, 9 Wik, Anders, 83
Di Troia, Fabio, 39
Domnina, Ekaterina, 3 Zajac, Pavol, 125

Ekhall, Magnus, 103

Faurholt, Niels O., 129

von zur Gathen, Joachim, 21

Grajek, Marek, 89

Hallenberg, Fredrik, 103

Huang, Jasper, 39
Hubálovský, Štepán, 137

Irvine, Sean A., 115

Kopal, Nils, 29

Lasry, George, 55
de Leeuw, Karl, 49
Lehofer, Anna, 133

Musı́lek, Michael, 137

Niebel, Ingo, 65

Schmeh, Klaus, 145

159
Published by

NEALT Proceedings Series 34

Linköping University Electronic Press, Sweden
Linköping Electronic Conference Proceedings No. 149
ISSN: 1650-3686
eISSN: 1650-3740
ISBN: 978-91-7685-252-1
URL: http://www.ep.liu.se/ecp/contents.asp?issue=149