For the crack of Enigma machine

Recently saw an article detailing how the German Enigma machine was cracked during World War Ii. Enigma machine is essentially encrypted using the principle of substitution cipher.

1) The principle of replacement encryption and the method of cracking


In ancient times, when people wanted to encrypt a piece of text, the letters in the original text (that is, the plaintext) were replaced with other letters according to some kind of pairing, thus obtaining a cipher that others could not understand.

For example, we can encrypt plaintext according to the following pairing relationship:


In the encryption process, the letters in the first line of the plaintext table are replaced with uppercase letters that are located below the letter. After the encryption is over, you will get a piece of ciphertext that no one can read without being decrypted.

Let's say we're going to encrypt this piece of plaintext:

When your is old and grey and the full of sleep

Following the substitution rules above, we will get a cipher:

Kruz NAI CFU AXP CZP efun CZP Tixx at Gxuub

In this way, we have completed a replacement encryption. How difficult is it for us to get this cipher text cracked? In theory, the cracker could try to decrypt the phrase using a combination of possible cipher lists. But since the 26-letter possible permutation is 4.03x10^26, this means that if 6 billion people around the world can test one possible cipher table per second, it will take 2.1 billion years to finish all permutations. In fact, for a long time, this simple replacement password is considered impossible to crack.

It is supposed that our story should end here. By this can not be cracked password, the sender and receiver of the password like a fairy tale Prince and Princess, since then live a happy life forever.

But in this world, it's just that someone can come up with ingenious ways to crack this seemingly impenetrable cipher. The weapons they use are linguistics and statistics.

In a language that uses alphabetic text, the probability that each letter appears in plain text is actually different. In English, for example, in an ordinary article, the probability that the letter E, A, t appear is much greater than the probability of J, X, Z appearing. If enough text is analyzed, we can count the average probability of each letter appearing in English text.

Here's a picture from Wikipedia that shows the probability of 26 letters appearing in plain English text:


In the replacement encryption we just made, although each letter is transformed into another letter, it doesn't change how often it appears in a text. For example, in just the encryption process, the letter e was replaced with u, if we intercept long enough ciphertext for analysis, we will find that the letter U in the ciphertext frequency is much higher than the other letters. As long as the above probability map, the ciphertext in the highest frequency of the number of letters to try to replace with E, T, a these high-frequency letters, can be cracked.

As an aid, we can also count the frequency of letters appearing on the left and right sides of each letter in the ciphertext. If a letter can appear on the sides of most letters, it is likely to be a vowel letter. Conversely, if a letter never appears next to certain letters, it is likely to be a consonant because some consonants are never spelled together in English.

At this point, we have described abovesingle-Letter replacement passwordhave been ruthlessly cracked.

So, the cipher teachers who don't forget have inventedMulti-letter replacement Password。



The table above is called the Vigenard Square (Vigenère Square) and is designed to facilitate the multi-letter substitution of the crypto-holders. People can choose any number of rows in the table to encrypt the letter as the password table, further improve the complexity of the password.

However, the replacement password that "replaces the password table every time one letter is encrypted and never repeats" is beyond the scope of human resources.

However, the human cannot do things, does not mean that the machine can not do.

Next, let's look at how Engma works.

2) How the Engma works

Please make your own Google

3) Engma's crack

After the military Engma machine was put into use, the British and French intelligence agencies tried to decipher it, and found themselves like "Gray's 50 degrees grey" in the same way the heroine was abused a life. After many attempts, they announced that the cipher system was non-solvable.

If someone is expecting Turing to debut at the beginning of this part, I regret to tell you that the first breakthrough in cracking Engma is not from the British, but from the Polish Reyevski (Marian Rejewski).

To sum up what we have said in the second part, to decipher a cipher that is Engma encrypted, the Poles need the following three pieces of information:

A) The working principle and internal structure of the Engma, including the line connection of each rotor;
b) The German Military Code of Practice for Engma;
c) The daily initial settings used by the German army. The daily initial setup of the Engma contains three messages: the order of the rotors, the initial position of each rotor, and the setting of the power strip. This information is printed on the password book distributed to the army, every 24 hours change the settings, the monthly replacement of the password book;

To cut it short, the Poles got a and b through espionage and excellent math skills, both of which were part of the message.

What the poles need to do next is to crack down on the daily initial setup used by the Germans (hereinafter referred to asDay Key）。

Let's take a look back at how the German operator is encrypted once:

First, the operator will initially set the ENGMA based on the daily key. For example, he would arrange the order of the three rotors according to the daily Key's indication of 2-3-1, then rotate the three rotors sequentially to the q-v-m position, and finally the six-letter interchange on the power strip.

Before sending each message, the operator randomly selects three of the letters that now appear in their brains, such as XYZ, asThe key to this message, hereinafter referred to asInformation Key。

Before sending the message, the operator will first use the setting in the day key, which is the position of the rotor in q-v-m, and enter XYZ two times for example Hgable. Note that as the rotor rotates, two of the input XYZ is encrypted into different letters. The operator then Engma the three rotors to the x-y-z position and sends the body of the information into the Engma machine.

In the receiver's operator, the same is set Engma according to the daily Key, and then the information starts the 6 letter hgable input Engma, to get xyzxyz, then he just knows that XYZ is the information key used to encrypt the body. Next, he simply takes the position of the three rotors to x-y-z and then inputs the remainder to get the body of the message.

The secret of this method of operation is that the body of each piece of information is encrypted with a different key, which greatly avoids the possibility of being cracked. Only the first six letters of each message are encrypted with the universal daily key. This seems to be a perfect solution, but Reyevski has discovered one of these vulnerabilities with incredible insight.

We imagined that Reyevski intercepted a message from the German Army, the first six letters being hgable. He knew that this was the result of three consecutive letters of the two-time Grace machine. Although we do not know what these three letters are, we know that the output hgable the first letter H and the fourth letter B are the same letter encryption result. Since the rotor rotated three times during the period, the same letter was replaced with a different letter in two times of encryption. We can make a pair of them:

H-b

If Reyevski intercepted more telegrams in one day, and performed a similar operation on the first six letters of each telegram, it would get more pairs of letters until 26 letters were fitted:

H-b
A-o
......
Z-u

This seems to be just a boring letter matching game, with the crack Engma machine A little relationship also did not. But with extraordinary insight, Reyevski the six letters before each message to find a way to crack.

The Lord saw a lot of people in the comment area very calmly said that this article does not burn the brain at all. The Lord is here to say, well, that's because the content of this article really burns the brain hasn't started yet ...

Before elaborating on Reyevski's ideas, I need you to think seriously about a problem:

What is the essence of Engma?

You typed a letter on the Engma machine and it would output another letter. This is the essence of Engma: the substitution of letters.

In the same setting, you typed any of the letters in 26 letters, and the resulting substitution letters are determined to be constant. We can represent this substitution relationship with a function (A0). You might say that the Engma is very complex, and after each hit of a letter, the rotor rotates one, and then there is a completely different substitution relationship. It doesn't matter, we can use the A1 to turn a later substitution relationship. Similarly, we use (A2) to indicate that the rotor rotates after a two-bit replacement relationship, until (A5) indicates that the rotor rotates after five bits.

The Lord has avoided using mathematical symbols and public announcements to the fullest extent in this article, but the idea of Reyevski is too abstract, and some function symbols help to understand. After you fully understand the meaning of the last paragraph, let's look at the six-letter hgable that the Poles intercepted. Poles do not know which three letters are encrypted two times the result, but it's okay, let's assume it's XYZ for a moment. In this way, we can use the above substitution relationship to represent the encryption process as:

X (A0) =h
Y (A1) =g
Z (A2) =a
X (A3) =b
Y (A4) =l
Z (A5) =e

Remember in the second part of this article that we mentioned two very very important properties of Engma? The first of these is that Engma isreflexiveOf That is, if the input letter A to get the letter G, the same configuration to enter the letter G will get the letter A, which is also the principle of Engma decryption. If you use the function you just said, a letter is replaced two times by the function (an) to get itself, for example:

X (A0) (A0) =x

Well, it seems to be starting to make sense, if we write X in the previous fourth line X (A3) =b in this form, we get:

X (A0) (A0) (A3) =b

And then from the first line we already know X (A0) =h, so:

H (A0) (A3) =b

The magical thing happened, and the letter X was cancelled out! In other words, Reyevski foundthis connection between H and B is irrelevant to the information key used to encrypt each piece of information。 This connection is only related to the initial configuration of Engma on this day. Here, Reyevski does not know what (A0) is, and does not know (A3) is what, but through the preceding letters paired with the other 24-letter substitution between the game, Reyevski can be pushed to export (A0) (A3). This (A0) (A3) is exactly what Reyevski in front of the letter pairing game, the letters on the left side of the line are replaced with such an alternate relationship to the right.

(A0) The physical meaning of (A3) is to replace a letter with the initial setting of the Engma, and then turn the rotor backwards by three bits to replace the resulting result again. If you omit the intermediate step, it is essentially a replacement, no different from the simplest single-letter substitution password described at the beginning of this article, as can be written in the following form:

If we already know that this is the substitution relationship (A0) (A3), can we use this result to brute force the Engma? If there is no power strip, this practice is theoretically feasible. For the en-grid machines in any state, we can test whether each letter has obtained the correct result after the "initial position" and "rotation three position after two" encryption. Three rotor arrangement and initial position there are about 100,000 possibilities, if the manufacture of 100 of the Grace Machine, by 100 people at the same time brute force, 10 seconds per person to complete a check, you can complete the violence within three hours.

However, due to the existence of power strip, the number of possible combinations increased by 100 billion times times, completely eliminate the possibility of all violent cracking. At this time, Reyevski found a way to subtly eliminate the effects of power strip.

Let's do a little exercise, assuming there is a replacement password table, which we will generally write in the following form (for illustrative purposes, I use a eight-letter password here):

Clear text A B C D E F G H
Ciphertext C H E F A B D G

We can do a game of solitaire. For example, the above table in clear text A is replaced redact C, then we found in the first line C, found that C was replaced by E, then found in the first line of E, found that e was replaced by a, so we completed a letter chain. Then we'll start again with a letter that doesn't appear in the previous chain until all the letters are included in a chain. We will be in the same chain of letters written in a parenthesis, this code table becomes:

(A, C, E) (B, H, G, D, F)

In contrast to the original form, the cipher tables written in this form pass the exact same message. As you can know a should be replaced with c,c should be replaced with e,e should be replaced by a ... Wait a minute. What good would it be to write this form? This form can reveal an intrinsic feature of a cipher list, such as the above-mentioned cipher table consisting of two-letter chains, with chain lengths of "3" and "5" respectively. This "3" and "5" are the eigenvalues of this cipher table.

If we had previously obtained (A0) (A3) also changed into this chain form, we will get the result:

(A, C, M, Y, N, Z, Q, D, P, B, O) (E, U, I, S, G) (F, T, H, R) (J, V) (K, W) (L, X)

As can be seen, this (A0) (A3) corresponding to the cipher table is composed of 6 letter chain, the length is "11", "5", "4", "2", "2", "2".

Power strip can increase the number of combinations of Engma settings by up to 100 billion times times, or you can replace the letters in the cipher list with more than recognition. But since power strip is exchanging letters in pairs, this exchange does not change the chain number and length of the cipher table. In the chain form of the cipher table, any exchange of two-letter position, no matter how many times will not change the chain number and length.

In this way, Reyevski succeeded in finding a way around power strip.

Corresponds to the ENGMA rotor set 100,000 possible combinations, poles the number and length of letter chains produced by each combination are categorized (easy to say, it took a year). With such a catalog, Poles can follow these steps to hack:

A) The number and length of the letter chain are derived first according to the first six letters of each telegram intercepted on the day.
b) then find the corresponding possible rotor settings in the catalogue (a much smaller number than 100,000)
c) Brute force for all possible rotor settings.

Here, the Poles have got the German day key in addition to all the contents of the power strip setting.

After the setting of the rotor, Reyevski will put a grace machine in accordance with this setup, but power strip completely do not plug any wires, and then a piece of ciphertext input this machine. He will get a meaningless message because the six pairs of letters in the message are randomly swapped. But this type of letter exchange is just a very rudimentary way of encrypting it, and can be easily cracked by using manual labor. In this way, the cracker gets the power strip setup again.

So the poles get the Germans.everything in the day key。 In other words, Reyevski is in full parity with the German receiver, and all German communications are completely transparent to the poles-at least until 12 o'clock midnight of the day.

If Engma were to be cracked by the Poles, what about Turing?

Before and after the outbreak of World War II, the Germans took a lot of measures to strengthen the safety of Engma (Metamorphosis), some of which made the Polish above this method of cracking ineffective:

A) Starting September 15, 1938, the German army in a few days the rotor position in the key is also available to the operator. This way, even the first six letters of each message become encrypted with different keys.
b) December 15, 1938, the German army increased the number of rotors from three to five, when installed from five randomly selected three installed on the Engma machine, the possible combination of the rotor increased 10 times times. More importantly, with the extra rotors, the poles do not have a catalogue.
c) on January 1, 1939, the Germans increased the maximum number of letters exchanged on the power strip from 6 pairs to 10 pairs.
d) May 1, 1940, the German forces require that the information key for each message be sent once, without repeating two times.

Next, the Englishman appeared.

================ the split line beginning with the add-on ==============

Before the official appearance of Turing, there were several people in the comments that said that the German new Code of Practice a) do not understand, answer the Lord here to explain briefly.

In the later period of the grace of the machine, the Germans also modified the rotor, so that the outer ring of the core of the rotor can be rotated around the rotor. In this way, the German daily key content becomes the following three parts:

1) Select three specific rotors from five rotors and arrange them in a certain order;
2) The position of the letter ring on the outer side of each rotor relative to the rotor core;
3) The 10 pairs of letters exchanged by the Power strip;

Please note that after the new German rules, the daily key does not exist in the day-to-day general rotor initial position. Before sending each message, the operator choosesRotor initial position, and then choose the information of this articleInformation Key。

For example, after the operator has completed three settings for Engma on the date in the password book, it is ready to send a message. Before sending, he chose ABC and XYZ respectively asRotor initial positionAndInformation Key。 He first Engma the three rotor to a-b-c position, type two times xyz after the Hblzqo, so that the information key is completed encryption. Then he moves the Engma rotor to the x-y-z position and continues to enter the body of the message.

Comment Area Many people's problem is how does the operator send ABC the initial position of the rotor to the receiver? The answer is sent in clear text.Yes, you read it correctly, it is sent in clear text! So the operator will send the ABC in clear text, followed by the encrypted hblzqo, and finally the message body after the information key is encrypted.

When the receiving party receives the above information, it will first toggle the Engma to the position of ABC, and then get xyzxyz after typing hblzqo, so he knows that the next message body is encrypted with key XYZ. Then he just turns the Engma to XYZ position, and then he can get the plaintext of the information.

Even if the cracker intercepts the telegram and knows that ABC is clear, there is no way to know the information key of this piece of information. Because the cracker does not know how many bits the letter ring on the Engma machine in the German hands has been rotated relative to the rotor, it is not known exactly what the actual position of the rotor of the ABC corresponds to.

Reyevski skillfully used the German army "the first six letters of each message are encrypted with the same universal key" to crack. But after the Germans have done this, the six letters in front of each message are encrypted with different keys. So Reyevski's method of cracking also fails.

However, this time the poles came up with another effective way to crack (the potential of human intelligence is endless), until 1940, the Germans set the information key only one time after the complete failure. Given the length of this article, there is no introduction here.

================ Supplemental description End of Split line ==============

On the eve of the German invasion of Poland in 1939, the Poles offered copies of the Engma and the methods they mastered to the British and French countries. The Poles proved to the British that Engma is not a perfect cipher system, and it shows the importance of mathematical knowledge in cracking.

I do not know how the British feel after learning the work of the Polish people, perhaps the shock will be mixed with a little bit ashamed of it. This is the country that once bred Newton, before unexpectedly so easily give up the attempt.

The Polish incentives for British morale are more psychological than technical. Although Turing admired the wisdom of the Poles, he also soberly realized that the poles ' methods of cracking were too dependent on the loopholes in the way the Germans operated. Once the Germans stop repeating the information key two times, the hack will completely expire overnight. Turing's quest for a more purely and more direct brute force is a way to crack.

If the Poles were to use loopholes on the enemy's defenses to make a parachute raid, Turing would like to be more of a frontal confrontation with the Infantry Division. The cipher monsters created by machines can only be defeated by machines. The human task is simply to design the workings of the machine and to optimize the amount of computing that the machine will perform.

have done so long cushion, finally to enter the big finale. Let's take a look at the English hack Engma.

First, the British need to identify a "crib" in the ciphertext. The so-called crib, refers to a guess out of the plaintext and the letter in the cipher one by one correspondence. It is not difficult to guess the clear text of several words in the ciphertext, because the Germans in the rules like to use fixed phrases such as keine Besonderen Ereignisse (no special case), Heil Hitler (Long live Hitler). Another example is the British found that Germans like to send a weather forecast at 6 o'clock in the morning, so the word "weather" must be included in the beginning of the message intercepted at 6 o'clock in the morning wetter.

After guessing the plaintext words contained in the ciphertext, how exactly are they positioned? I hope you haven't forgotten the second very, very important nature of the Engma we talked about earlier, which is that a letter will never be replaced by itself. According to this characteristic of Engma, we can judge a clear text letter moving back and forth over the ciphertext of the guessing correspondence. Below we use the German word wetter to make a simple example:


In the above picture, the clear text position 1 can be excluded, because in this position, the E in the plaintext is encrypted to E, which is a violation of Engma characteristics. In the same vein, clear text position 3 can also be ruled out, because the R in the plaintext is encrypted as R. Excluding the impossible, the clear text position 2 is very likely to be the real place where the word wetter. So we get a crib, where the correspondence between plaintext and ciphertext is as follows:

PlainText W e t T E R
Ciphertext E R K M G W

In the correspondence above, Turing uses the letter chain of the end-to-end to design a machine that can crack Engma violently. In this section of the crib, the plaintext W is encrypted into e, the rotor rotates a post e is encrypted to r, the rotor rotates five bits after R is encrypted to W. We can express the relationship between them in the following way:

W-Rotor position 0 encryption-E-rotor position 1 Encryption-R--rotor position 5 encryption W

Let's take a detailed look at the process of encrypting the letter W into the letter e Engma:


When the operator knocks the letter "W" on the keyboard, it is first replaced by power strip with another letter (and may not be replaced), we recorded the result as V1, then v1 into three rotors and replaced with V2, and finally v2 re-entered power strip was replaced with the letter E. Here we do not know what the V1 and V2 are, but this does not affect our understanding of how this works.

In the w-e-r-w chain, we imagine that three Engma are inserted between these three letters and form a loop:

The above loop is a complete representation of the process that the letter W is encrypted into a e,e that is encrypted into r,r and then encrypted into W. One of the v1,v2,v3,v4 involves the substitution of power strip, and since we don't yet know the power strip setting, we don't know what the four letters are. However, since power strip's settings are constant throughout the encryption process, since w is replaced by power strip by V1, and V4 is replaced by power strip by W, we can be surev1=v4。 This conclusion is marked with a red box in the diagram. In addition, in this cycle, V2 first by power strip was replaced by E, and then after entering the second en-grid machine was replaced by power strip back to V2. We can simply omit this step and let the V2 directly into the rotor of the second en-Mars machine. For V3 We can also do similar ellipsis, so it can be simplified to:

Turing now just input v1 (assuming v1=k), and then try to let this V1 successively through three Engma of the rotor section to get an output V4, and the results are checked. If V1 is not equal to V4, then it is wrong to indicate that the current grace machine rotor is set. If V1=V4, then the current Grace machine settings may be correct.

Although there are three of them, the total number of combinations is only 60x26x26x26=1054560 due to the fact that the rotor position gap between them has been determined. Once again we see that the total number of rotor combinations to be inspected is immediately reduced to an acceptable range, as long as the power strip interference is bypassed. Turing can find all possible combinations of rotor settings as long as the combination of these 1 million is brute force. If the crib can provide enough letter chains, even the only possible rotor settings can be locked directly.

What the? You said Turing didn't know what letter V1 was? There are only 26 possibilities, Turing can just plug in this place with 26 wires and test 26 letters at the same time.

Turing's design of the Machine "bomb" (Bombe) is the use of the above principles of the Engma password system to brute force. Let's take a look at what the bomb looks like and go directly to the Wikipedia diagram:


Everyone in the above figure can see a lot of three a set of turntable, which each turntable is equivalent to a rotor in the Engma machine, so each set of turntable is equivalent to a grace machine. A standard "bomb" a total of 36 sets of such a turntable.

After the British put the prepared crib into the "bomb", the machine will be based on the input of the content of the brute force, if it encounters a possible solution, it will stop for the staff to stop to record the results. And when it does not stop, all humans can do is stand by and wait-because the machine creates the cipher monsters that only machines can overcome.

Above.

PS: Comments in the comment area there is a saying that the Lord did not explain the original question about the German girlfriend name Cally for the British Army what is the use. I did not see this movie, but guess this refers to a lot of German transmitters are asked to randomly select three letters as the information key, in order to save trouble on the keyboard casually knock on ABC or XYZ such a simple combination, but also someone for convenience of memory simply direct their girlfriend name of the first three letters.

The emergence of such a phenomenon is not the problem of Engma machine itself, but the weakness of human nature caused. After discovering this phenomenon, the British Army has prioritized these common combinations to shorten the time it takes to get a key.

This article is really good quqqqqq there are limitations

From Zhihu

For the crack of Enigma machine