Turingery [1] or Turing's method [2] (playfully dubbed Turingismus by Peter Ericsson, Peter Hilton and Donald Michie [3] ) was a manual codebreaking method devised in July 1942 [4] by the mathematician and cryptanalyst Alan Turing at the British Government Code and Cypher School at Bletchley Park during World War II. [5] [6] It was for use in cryptanalysis of the Lorenz cipher produced by the SZ40 and SZ42 teleprinter rotor stream cipher machines, one of the Germans' Geheimschreiber (secret writer) machines. The British codenamed non-Morse traffic "Fish", and that from this machine "Tunny" (another word for the tuna fish).
Reading a Tunny message required firstly that the logical structure of the system was known, secondly that the periodically changed pattern of active cams on the wheels was derived, and thirdly that the starting positions of the scrambler wheels for this message—the message key—was established. [7] The logical structure of Tunny had been worked out by William Tutte and colleagues [8] over several months ending in January 1942. [9] Deriving the message key was called "setting" at Bletchley Park, but it was the derivation of the cam patterns—which was known as "wheel breaking"—that was the target of Turingery.
German operator errors in transmitting more than one message with the same key, producing a "depth", allowed the derivation of that key. Turingery was applied to such a key stream to derive the cam settings. [10]
The logical functioning of the Tunny system was worked out well before the Bletchley Park cryptanalysts saw one of the machines—which only happened in 1945, shortly before the allied victory in Europe. [11]
Wheel number | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
BP wheel name | 1 | 2 | 3 | 4 | 5 | 37 | 61 | 1 | 2 | 3 | 4 | 5 |
Number of cams (pins) | 43 | 47 | 51 | 53 | 59 | 37 | 61 | 41 | 31 | 29 | 26 | 23 |
The SZ machines were 12-wheel rotor cipher machines which implemented a Vernam stream cipher. They were attached in-line to standard Lorenz teleprinters. The message characters were encoded in the 5-bit International Telegraph Alphabet No. 2 (ITA2). The output ciphertext characters were generated by combining a pseudorandom character-by-character key stream with the input characters using the "exclusive or" (XOR) function, symbolised as "" in mathematical notation. The relationship between the plaintext, ciphertext and cryptographic key is then:
Similarly, for deciphering, the ciphertext was combined with the same key to give the plaintext:
This produces the essential reciprocity to allow the same machine with the same settings to be used for both enciphering and deciphering.
Each of the five bits of the key for each character was generated by the relevant wheels in two parts of the machine. These were termed the chi () wheels, and the psi () wheels. The chi wheels all moved on one position for each character. The psi wheels also all moved together, but not after each character. Their movement was controlled by the two mu () or "motor" wheels. [13]
The key stream generated by the SZ machines thus had a chi component and a psi component that were combined with the XOR function. So, the key that was combined with the plaintext for enciphering—or with the ciphertext for deciphering—can be represented as follows. [13]
Symbolically:
The twelve wheels each had a series of cams (or "pins") around them. These cams could be set in a raised or lowered position. In the raised position they generated a "mark", written at Bletchley Park as "×" and equivalent to a binary digit 1, and in the lowered position they generated a "space", written as "·" and equivalent to a binary digit 0. The number of cams on each wheel equalled the number of impulses needed to cause them to complete a full rotation. These numbers are all co-prime with each other, giving the longest possible time before the pattern repeated. With a total of 501 cams this equals 2501 which is approximately 10151, an astronomically large number. [14] However, if the five impulses are considered independently, the numbers are much more manageable. The product of the rotation period of any pair of chi wheels gives numbers between 41×31=1271 and 26×23=598.
Cryptanalysis often involves finding patterns of some sort that provide a way into eliminating a range of key possibilities. At Bletchley Park the XOR combination of the values of two adjacent letters in the key or the ciphertext was called the difference (symbolised by the Greek letter delta) because XOR is the same as modulo 2 subtraction (without "borrow")—and, incidentally, modulo 2 addition (without "carry"). So, for the characters in the key (K), the difference was obtained as follows, where underline indicates the succeeding character:
(Similarly with the plaintext, the ciphertext, and the two components of the key).
The relationship amongst them applies when they are differenced. For example, as well as:
It is the case that:
If the plaintext is represented by P and the cipertext by Z, the following also hold true:
And:
The reason that differencing provided a way into Tunny was that, although the frequency distribution of characters in the ciphertext could not be distinguished from a random stream, the same was not true for a version of the ciphertext from which the chi element of the key had been removed. This is because, where the plaintext contained a repeated character and the psi wheels did not move on, the differenced psi character () would be the null character ("·····" or 00000), or, in Bletchley Park terminology, "/". When XOR-ed with any character, this null character has no effect, so in these circumstances, . Repeated characters in the plaintext were more frequent, both because of the characteristics of German (EE, TT, LL and SS are relatively common), [15] and because telegraphists frequently repeated the figures-shift and letters-shift characters [16] as their loss in an ordinary telegraph message could lead to gibberish. [17]
To quote the General Report on Tunny:
Turingery introduced the principle that the key differenced at one, now called , could yield information unobtainable from ordinary key. This principle was to be the fundamental basis of nearly all statistical methods of wheel-breaking and setting. [1]
As well as applying differencing to the full 5-bit characters of the ITA2 code, it was also applied to the individual impulses (bits). So, for the first impulse, that was enciphered by wheels and , differenced at one:
And for the second impulse:
And so on.
It is also worth noting that the periodicity of the chi and psi wheels for each impulse (41 and 43 respectively for the first one) is reflected in its pattern of . However, given that the psi wheels did not advance for every input character, as did the chi wheels, it was not simply a repetition of the pattern every 41 × 43 = 1763 characters for , but a more complex sequence.
In July 1942 Turing spent a few weeks in the Research Section. [18] He had become interested in the problem of breaking Tunny from the keys that had been obtained from depths. [3] In July, he developed the method of deriving the cam settings from a length of key. [1] It involved an iterative, almost trial-and-error, process. It relied on the fact that when the differenced psi character is the null character ("·····" or 00000), /, then XOR-ing this with any other character does not change it. Thus the delta key character gives the character of the five chi wheels (i.e. ).
Given that the delta psi character was the null character half of the time on average, an assumption that had a 50% chance of being correct. The process started by treating a particular character as being the Δ for that position. The resulting putative bit pattern of × and · for each chi wheel, was recorded on a sheet of paper that contained as many columns as there were characters in the key, and five rows representing the five impulses of the . Given the knowledge from Tutte's work, of the periodicity of each of the wheels, this allowed the propagation of these values at the appropriate positions in the rest of the key.
A set of five sheets, one for each of the chi wheels, was also prepared. These contained a set of columns corresponding in number to the cams for the appropriate chi wheel, and were referred to as a 'cage'. So the cage had 29 such columns. [19] Successive 'guesses' of values then produced further putative cam state values. These might either agree or disagree with previous assumptions, and a count of agreements and disagreements was made on these sheets. Where disagreements substantially outweighed agreements, the assumption was made that the character was not the null character "/", so the relevant assumption was discounted. Progressively, all the cam settings of the chi wheels were deduced, and from them the psi and motor wheel cam settings.
As experience of the method developed, improvements were made that allowed it to be used with much shorter lengths of key than the original 500 or so characters. [1]
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.
Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.
Colossus was a set of computers developed by British codebreakers in the years 1943–1945 to help in the cryptanalysis of the Lorenz cipher. Colossus used thermionic valves to perform Boolean and counting operations. Colossus is thus regarded as the world's first programmable, electronic, digital computer, although it was programmed by switches and plugs and not by a stored program.
William Thomas TutteOC FRS FRSC was an English and Canadian codebreaker and mathematician. During the Second World War, he made a brilliant and fundamental advance in cryptanalysis of the Lorenz cipher, a major Nazi German cipher system which was used for top-secret communications within the Wehrmacht High Command. The high-level, strategic nature of the intelligence obtained from Tutte's crucial breakthrough, in the bulk decrypting of Lorenz-enciphered messages specifically, contributed greatly, and perhaps even decisively, to the defeat of Nazi Germany. He also had a number of significant mathematical accomplishments, including foundation work in the fields of graph theory and matroid theory.
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.
In cryptography, coincidence counting is the technique of putting two texts side-by-side and counting the number of times that identical letters appear in the same position in both texts. This count, either as a ratio of the total or normalized by dividing by the expected count for a random source model, is known as the index of coincidence, or IC for short.
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
The Lorenz SZ40, SZ42a and SZ42b were German rotor stream cipher machines used by the German Army during World War II. They were developed by C. Lorenz AG in Berlin. The model name SZ was derived from Schlüssel-Zusatz, meaning cipher attachment. The instruments implemented a Vernam stream cipher.
The Siemens & Halske T52, also known as the Geheimschreiber, or Schlüsselfernschreibmaschine (SFM), was a World War II German cipher machine and teleprinter produced by the electrical engineering firm Siemens & Halske. The instrument and its traffic were codenamed Sturgeon by British cryptanalysts.
The known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext and its encrypted version (ciphertext). These can be used to reveal secret keys and code books. The term "crib" originated at Bletchley Park, the British World War II decryption operation, where it was defined as:
A plain language passage of any length, usually obtained by solving one or more cipher or code messages, and occurring or believed likely to occur in a different cipher or code message, which it may provide a means of solving.
Gilbert Sandford Vernam was a Worcester Polytechnic Institute 1914 graduate and AT&T Bell Labs engineer who, in 1917, invented an additive polyalphabetic stream cipher and later co-invented an automated one-time pad cipher. Vernam proposed a teleprinter cipher in which a previously prepared key, kept on paper tape, is combined character by character with the plaintext message to produce the ciphertext. To decipher the ciphertext, the same key would be again combined character by character, producing the plaintext. Vernam later worked for the Postal Telegraph Company, and became an employee of Western Union when that company acquired Postal in 1943. His later work was largely with automatic switching systems for telegraph networks.
In cryptography, DES-X is a variant on the DES symmetric-key block cipher intended to increase the complexity of a brute-force attack. The technique used to increase the complexity is called key whitening.
In cryptography, the simple XOR cipher is a type of additive cipher, an encryption algorithm that operates according to the principles:
Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.
Heath Robinson was a machine used by British codebreakers at the Government Code and Cypher School (GC&CS) at Bletchley Park during World War II in cryptanalysis of the Lorenz cipher. This achieved the decryption of messages in the German teleprinter cipher produced by the Lorenz SZ40/42 in-line cipher machine. Both the cipher and the machines were called "Tunny" by the codebreakers, who named different German teleprinter ciphers after fish. It was mainly an electro-mechanical machine, containing no more than a couple of dozen valves, and was the predecessor to the electronic Colossus computer. It was dubbed "Heath Robinson" by the Wrens who operated it, after cartoonist William Heath Robinson, who drew immensely complicated mechanical devices for simple tasks, similar to Rube Goldberg in the U.S.
The Testery was a section at Bletchley Park, the British codebreaking station during World War II. It was set up in July 1942 as the "FISH Subsection" under Major Ralph Tester, hence its alternative name. Four founder members were Tester himself and three senior cryptanalysts were Captain Jerry Roberts, Captain Peter Ericsson and Major Denis Oswald. All four were fluent in German. From 1 July 1942 on, this team switched and was tasked with breaking the German High Command's most top-level code Tunny after Bill Tutte successfully broke Tunny system in Spring 1942.
Ralph Paterson Tester was an administrator at Bletchley Park, the British codebreaking station during World War II. He founded and supervised a section named the Testery for breaking Tunny.
In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. The information could be directly given, or leaked through a side-channel.
Cryptanalysis of the Lorenz cipher was the process that enabled the British to read high-level German army messages during World War II. The British Government Code and Cypher School (GC&CS) at Bletchley Park decrypted many communications between the Oberkommando der Wehrmacht in Berlin and their army commands throughout occupied Europe, some of which were signed "Adolf Hitler, Führer". These were intercepted non-Morse radio transmissions that had been enciphered by the Lorenz SZ teleprinter rotor stream cipher attachments. Decrypts of this traffic became an important source of "Ultra" intelligence, which contributed significantly to Allied victory.
A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having weakened both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.