The Swiss cipher machine NeMa

Faculty of Science, Technology and Communication

The Swiss cipher machine NeMa

Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master in Information and Computer Sciences

Author: Ana María Gaggero
Supervisor: Ass. Prof. Alex Biryukov
Reviewer: Ass. Prof. Volker Müller
Advisor: Ralf-Philipp Weinmann

August 2013


Abstract

This is a functional description and cryptanalysis of the Swiss cipher machine NeMa. The description is based on the publication [1] by Geoff Sullivan and Frode Weierud and agrees with the "NeMa simulator" [2]. This work starts with a complete and detailed functional and mathematical description of the machine. The machine is then compared with its predecessor, the German Enigma. This analysis suggests taking a deeper look into NeMa's wheel stepping mechanism. NeMa's stepping mechanism was designed to avoid the attacks discovered on Enigma's fast wheels. It turns out that NeMa's mechanism produces identifiable patterns that can be related to the machine's settings. Three attacks are proposed:

- The Stepping catalog attack, which reduces the complexity of brute force attacks by discarding settings that do not match the produced stepping pattern.
- The Spy operator attack, which aids in recovering the machine's inner settings when having partial access to the machine.
- The Known plaintext attack, which is able to test some part of the machine's settings while discovering at the same time the rest of it.

The last attack has a complexity of $2^{41}$, which is a significant improvement over a simple brute force attack, which has a complexity of $2^{73}$.


Contents

1 Functional Description
  1.1 General description
  1.2 The scrambler
    1.2.1 The contact wheels
    1.2.2 The UKW
    1.2.3 The drive wheels
    1.2.4 The ETW
    1.2.5 Wheel movements
  1.3 Machine usage
    1.3.1 The secret key
    1.3.2 Encryption/Decryption process
    1.3.3 Key exchange procedure
2 Mathematical Formulation
  2.1 Introduction
  2.2 Basic Elements
    2.2.1 The "alphabet" set ABC
    2.2.2 The "text" set TEXT
  2.3 Encryption Elements
    2.3.1 The "contact wheel" set CW
    2.3.2 The "notch ring" set NR
    2.3.3 The "keyboard/lampboard layout" set B
    2.3.4 The "scrambler configuration" SCR
  2.4 The "encrypt letter" function
  2.5 The "scrambler movement" function
  2.6 The "encrypt_text" function
3 Comparison with Enigma
  3.1 Enigma Functional Description
  3.2 Enigma Mathematical Formulation
    3.2.1 The "contact wheel" set CW and "special contact wheel UKW" set UKW
    3.2.2 The "notch ring" set NR
    3.2.3 The "scrambler configuration" SCR
    3.2.4 The "encrypt letter" function
    3.2.5 The "scrambler movement" function
    3.2.6 The "encrypt_text" function
  3.3 Method of Batons
    3.3.1 Description of the method
    3.3.2 Applicability to NeMa
  3.4 Rejewski's method
  3.5 The cyclometer
  3.6 Turing-Welchman known plaintext attack
4 Stepping Pattern Analysis
  4.1 Mathematical definitions
  4.2 Search space size
    4.2.1 The contact wheels
    4.2.2 The drive wheels
  4.3 Stepping pattern
    4.3.1 Maximum and minimum stepping
  4.4 Experiment 1: The non-stepping pattern
    4.4.1 Pseudocode
    4.4.2 Results
  4.5 Non-stepping groups
    4.5.1 The groups
  4.6 Experiment 2: The all-stepping pattern
    4.6.1 Pseudocode
    4.6.2 Results
  4.7 All-stepping groups
    4.7.1 The groups
5 Attacks on NeMa
  5.1 The stepping catalog attack
    5.1.1 Size of the Catalog
    5.1.2 Creating the catalog by computer
    5.1.3 Creating the catalog by hand
    5.1.4 How to use the catalog
  5.2 The spy operator attack
    5.2.1 The notch rings
  5.3 The known plaintext attack
    5.3.1 Description
    5.3.2 Complexity
    5.3.3 Implementation
    5.3.4 Experimental results

Chapter 1
Functional Description

1.1 General description

The Swiss NeMa (Neue Maschine) or T-D (Tastendrücker) is an electromechanical encryption/decryption machine designed by the Swiss Army's Cipher Bureau between 1941 and 1943. Its design is based on the German commercial Enigma machine, which was already in use by the Swiss Army. Its main difference from the Enigma machine lies in the movement of the wheels that make up the mechanical part of the machine.

NeMa encrypts/decrypts any alphabetical text according to a secret key. The machine's overall encryption/decryption mechanism has three basic parts:

- The keyboard, to input the plaintext to be encrypted (ciphertext to be decrypted).
- The lampboard, to read the encrypted ciphertext (decrypted plaintext) output.
- The scrambler (or drum), which creates a pseudorandom transformation according to the secret key. This transformation determines how the input from the keyboard is encrypted/decrypted to the lampboard output.

The machine may include other components, such as an optional extra lampboard, an optional teleprinter with its corresponding control keys on the keyboard (WR, ZL, BU and spacebar), an electrical power source, etc. These components will not be described because they do not have any influence on the encryption/decryption process.

The keyboard and lampboard both have 26 letters, which are arranged as in a typical QWERTZ typewriter. Each key/lamp in the first row is additionally marked with a digit from 0 to 9, starting with 1 on key Q and ending with 0 on key P.

Each key from the keyboard and lamp from the lampboard is connected by a wire to the scrambler. Each time a key is pressed, the scrambler will perform certain mechanical movements according to the secret key to which it has been set. These movements change the internal electrical connections of the scrambler. After the scrambler performs its movements, electrical power is transmitted from the pressed key, through the scrambler, to some lamp, causing this lamp to light up.

In order to encrypt/decrypt a text, each letter of the input plaintext/ciphertext must be keyed, taking note of the sequence of lamps that light up on the lampboard. This sequence corresponds to the ciphertext/plaintext output.

Figure 1.1: NeMa's overall encryption/decryption mechanism.

The movements of the scrambler depend on its current configuration, but they do not depend on which key is pressed. Its internal connections always map the keys to the lamps biunivocally and reversibly: if pressing key x makes lamp y light up, then had key y been pressed, lamp x would have lit. This makes the encryption/decryption process one and the same provided the initial configuration is the same. Additionally, no key is mapped to its same letter lamp. The map may change at each keystroke, and mostly does, generating a normally long sequence of maps.

1.2 The scrambler

The scrambler is made up of ten wheels: five of them, called Drive wheels, determine the movement pattern of the scrambler, and five, called Contact wheels, determine the transformation to be applied by the scrambler to the input letter that has been keyed.

Each wheel has a 26 letter ring over its circumference, alphabetically ordered in counter-clockwise direction when viewed from its right hand side. It also has 26 electrical contacts on its right hand face and another 26 on its left hand face. These electrical contacts are numbered 1 to 26 in counter-clockwise direction when viewed from its right hand side, with contact number 1 matching letter I on the letter ring.

The machine has a lid covering the scrambler, which has an aperture that allows 5 rows of letters to be seen. The letters in the lowest row indicate the current position of each wheel. The middle row is aligned with fixed contact number 1, which is wired to letter Q in the keyboard/lampboard.

Adjacent wheels are in contact with each other, allowing electrical power to be transmitted from one wheel to another through the horizontally aligned electrical contacts. Electrical power coming from a keyboard wire enters the scrambler through drive wheel 1, reaches contact wheel 10 through the aligned contacts, returns to drive wheel 1 and exits the scrambler to a lampboard wire.

Figure 1.2: Scrambler

Each drive wheel has a notch ring screwed to its left hand face, and drive wheel 1 additionally has another notch ring screwed to its right hand face. These notch rings determine the movement pattern of the wheels, preventing or allowing their stepping at each keystroke.

There are two special wheels: drive wheel 1, also called ETW or "Red drive wheel", and contact wheel 10, also called UKW or Reflector, which does not have electrical contacts on its left hand face.

1.2.1 The contact wheels

Each contact wheel has 26 electrical contacts on its right hand face, 26 electrical contacts on its left hand face and 26 internal wires, each of which connects one contact on the right hand face to one contact on the left hand face. This wiring is fixed for each contact wheel.

The scrambler must be equipped with four contact wheels (besides the UKW). These four contact wheels must be chosen from a set of contact wheels provided with the machine. There are 6 different models of contact wheels with published internal wiring, named contact wheels A, B, C, D, E and F.

1.2.2 The UKW

The UKW, or reflector, is the special contact wheel located at the left end of the scrambler. This wheel is not interchangeable with another wheel; its wiring is fixed. This wheel has 26 electrical contacts on its right hand face and 13 internal wires that connect the electrical contacts in pairs. Electrical power entering the UKW through one contact will exit the UKW through another contact on the same face of the wheel.

Figure 1.3: Wiring of contact wheels A, B, C, D, E and F

1.2.3 The drive wheels

Drive wheels do not affect the internal electrical connections of the scrambler: each electrical contact on the right hand face is connected to the contact on the left hand face that is horizontally aligned with it.

Each drive wheel has a notch ring screwed to its left hand face. The notch ring has low (active) and protruding (inactive) regions. The protruding regions are able to lift the stepping lever that would have caused the movement of the adjacent contact wheel to its left, preventing its movement.

The stepping levers are located on the back side of the scrambler, so the region of the notch ring that affects the stepping lever is offset 10 letters on the letter ring from the letter that indicates the wheel's current position, in clockwise direction when viewed from the right hand side. For example, if the wheel's current position is letter A, then the region of the notch ring that affects the stepping lever will be the region of letter Q.

Figure 1.4: Wiring of Contact wheel 10 (UKW)

The notch rings are interchangeable and must be chosen from a set of notch rings provided with the machine. There are 14 models of notch rings with published active/inactive pattern, numbered 1, 2 and 12 to 23. Notch rings 1 and 2 can only be screwed to the right hand face of the ETW, while notch rings 12 to 23 can be screwed to the left hand face of any drive wheel (including the ETW).

NOTCH
RING   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  1    0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1
  2    0 1 0 1 1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0
 12    0 1 1 1 1 1 1 1 1 1 1 1 0 0 0 1 1 1 1 0 1 1 1 1 1 1
 13    1 1 0 1 1 1 1 0 0 1 1 0 1 1 0 1 1 1 0 1 1 1 1 1 1 0
 14    0 0 1 0 1 1 1 1 0 1 1 1 1 1 1 1 1 0 1 0 0 1 0 1 0 1
 15    1 0 0 1 1 0 1 0 0 0 0 0 1 0 1 1 1 1 1 1 0 1 0 1 1 1
 16    1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 0
 17    0 1 0 0 0 0 0 1 1 1 1 0 0 0 0 0 1 0 1 0 1 1 0 1 1 0
 18    1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 1 1 1 1 1 1 0 1 1
 19    1 1 1 0 1 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1
 20    1 1 1 1 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0 1 1 0 1 1 1 1
 21    1 0 1 1 1 0 1 1 1 1 0 1 1 1 1 0 1 1 1 0 1 0 0 1 0 0
 22    1 1 0 0 1 0 1 1 0 0 1 0 1 1 0 1 1 1 1 0 0 1 1 1 0 0
 23    1 0 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 0

Table 1.1: Notch ring active/inactive patterns. 1 corresponds to active low regions, 0 to inactive protruding regions.

1.2.4 The ETW

The ETW, or Red Drive wheel, is the special drive wheel located at the right end of the scrambler. This wheel is not interchangeable with another drive wheel, but the notch rings screwed to it can be interchanged with other notch rings.

The ETW has a notch ring (model 12 to 23) screwed to its left hand face which can prevent the movement of the adjacent contact wheel to its left, as on every other drive wheel.

Additionally, the ETW has a notch ring (model 1 or 2) screwed to its right hand face. The protruding regions of this notch ring are able to lift a sensing lever that controls 4 blocking arms. Each of these is able to prevent the movement of a drive wheel - contact wheel pair and can be set to active or inactive. The setting of these blocking arms is not part of the encryption key; therefore, once the machines were operational this setting did not change. A typical machine has two of these blocking arms set to active: the one that controls drive wheel 3 and contact wheel 4, and the one that controls drive wheel 7 and contact wheel 8.

The blocking arms' sensing lever is offset 9 letters on the letter ring from the letter that indicates the ETW's current position, in clockwise direction when viewed from the right hand side.

As on every other drive wheel, each electrical contact on the right hand face of the ETW is connected to the contact on its left hand face that is horizontally aligned with it.

Electrical wires coming from the keyboard and lampboard are connected to fixed electrical contacts located to the right of the ETW (these do not turn with the wheel). These wires run in clockwise direction when viewed from the right hand side, in QWERTZ sequence starting at contact 1. When the ETW is in current position K, contact number 1 of the ETW is aligned with fixed contact number 1 to its right, which corresponds to key/lamp Q.

Figure 1.5: Wiring of ETW to keyboard and lampboard. The image does not show the notch rings.

1.2.5 Wheel movements

Each time a key is pressed, each wheel moves one step in counter-clockwise direction when viewed from the right hand side unless some notch ring prevents its movement. The offset of the stepping levers and the blocking arms' sensing lever must be taken into account to determine whether a notch ring is in an active or inactive region.

- Drive wheels 1 (ETW), 5 and 9 always move one step; no notch rings prevent their movement.
- Drive wheels 3 and 7 move rarely, only when the notch ring to the right of the ETW is in an active region, which is rare, because notch rings 1 and 2 have only 5 active regions out of 26.
- Contact wheels 4 and 8 move even more rarely, because the notch ring to the right of the ETW must be in an active region, and the notch ring of drive wheel 3 or 7 respectively must also be in an active region.
- Contact wheels 2, 6 and 10 (UKW) move one step whenever the notch ring of drive wheels 1, 5 or 9 respectively is in an active region (for drive wheel 1 (ETW), the notch ring screwed to its left hand face).

1.3 Machine usage

1.3.1 The secret key

The inner key consists of the selection and arrangement of the contact wheels and notch rings used to set up the machine's scrambler. An inner key specification is given by a string of the following form:

$$n_9\; c_8\; n_7\; c_6\; n_5\; c_4\; n_3\; c_2\; n_{1L}/n_{1R}$$

where $n_i$ is an identifying number for a notch ring and $c_i$ an identifying letter for a contact wheel. $n_9$, $c_8$ correspond to the leftmost wheels (right of the UKW), and $n_3$, $c_2$ to the rightmost ones (left of the ETW). $n_{1L}$, $n_{1R}$ correspond to the left and right notch rings of the ETW.

The outer key is a string of 10 letters. Each letter in the string specifies the initial position of one wheel. The initial position of the wheels will be such that the outer key can be read on the lowest row seen through the scrambler's covering lid aperture.
1.3.2 Encryption/Decryption process

- The first step is to set the inner key (which rarely changed, so this step was usually omitted). The scrambler must be removed from the machine in order to change the contact wheels and notch rings as needed to match the inner key specification.
- The wheels must be set such that the message's outer key can be read on the lowest row seen through the scrambler's covering lid aperture.
- The character counter must be set to 0 and any key pressed. This first keystroke after adjusting the wheels does not cause the wheels to move, nor is it recorded by the character counter.
- The machine is now ready to encrypt/decrypt the message.

1.3.3 Key exchange procedure

The message's outer key must be known to decrypt it, but it is neither practical nor secure to transmit each message's outer key (separately from the message, of course). Using the same outer key for several messages is not secure either. The following procedure was used:

- An initial outer key was usually the first 10 characters of a code word, which was at least 10 characters long.
- The wheels were set such that this initial outer key could be read on the lowest row seen through the scrambler's covering lid aperture.
- The character counter was set to 0 and any key was pressed. This first keystroke after adjusting the wheels does not cause the wheels to move, nor is it recorded by the character counter.
- The initial outer key was used to encrypt a randomly chosen 10 letter sequence, keying the 10 letter input and taking note of the encrypted 10 letter output on the lampboard.
- The 10 letter input was split into two halves of five letters and was transmitted, unencrypted, the first half before the encrypted message and the second half after it.
- The 10 letter output was the message's outer key.

To decrypt a transmission, its first and last five characters were joined and encrypted with the initial outer key (the first 10 characters of the code word), to obtain the message's outer key and decrypt it.

Chapter 2
Mathematical Formulation

2.1 Introduction

The encryption and decryption processes of the cipher machine NeMa are identical, so only the encryption process will be referred to from here on.

The encryption of a string of letters can be divided into two parts: the encryption of each letter according to the current scrambler configuration (after the keystroke for that letter) and the movements performed by the scrambler on each keystroke, which depend on its configuration before the keystroke. The initial configuration and these movements determine the configuration that corresponds to each letter in the string.

The mathematical formulation of the encryption process includes two main functions, the letter encryption function and the scrambler movement function. The letter encryption function yields the encrypted letter that corresponds to an input letter and a scrambler configuration. The scrambler movement function's input is a scrambler configuration and its output is the configuration that the scrambler would adopt on the next keystroke.

Some basic concepts will be introduced first, followed by the description of the elements needed to define the letter encryption function and finally the scrambler movement function.

2.2 Basic Elements

2.2.1 The "alphabet" set ABC

The set ABC contains 26 elements that correspond to the 26 letters on the wheel's letter rings.

$$ABC = \{A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z\} \tag{2.1}$$

The ordered sequence $ord_{ABC}$

$ord_{ABC}$ is an infinite sequence of alphabetically ordered letters.

$$ord_{ABC} = \ldots X, Y, Z, A, B, C, \ldots, I, J, K, L, M, N, \ldots, X, Y, Z, A, B, C, \ldots \tag{2.2}$$

The "alphabet shift" functions $+_{ABC}$ and $-_{ABC}$

Every wheel placed in the machine has a current position. This position is identified by the letter on the wheel's letter ring that can be read on the lowest row seen through the scrambler's covering lid aperture. On each keystroke, wheels may move one step in counter-clockwise direction, changing their current position.

The alphabet shift function $-_{ABC}$ ($+_{ABC}$) takes as input an alphabet letter, which represents the wheel's current position, and a natural number n, and returns the new current position the wheel would have n steps afterwards (before).

Informal definition: Shifting a letter x, n steps forward (backwards) results in the letter y that is n places before (after) x in the $ord_{ABC}$ sequence.

$$-_{ABC} : ABC \times \mathbb{N} \to ABC$$
$$-_{ABC}(x, n) = y \text{ such that } \exists\, i \in \mathbb{N},\ a_i, a_{i-n} \in ord_{ABC} \text{ and } a_i = x,\ a_{i-n} = y \tag{2.3}$$

$$+_{ABC} : ABC \times \mathbb{N} \to ABC$$
$$+_{ABC}(x, n) = y \text{ such that } \exists\, i \in \mathbb{N},\ a_i, a_{i+n} \in ord_{ABC} \text{ and } a_i = x,\ a_{i+n} = y \tag{2.4}$$

2.2.2 The "text" set TEXT

A text is any finite sequence of elements from ABC.

$$t = t_1, t_2, t_3, \ldots, t_n \in TEXT \iff t_i \in ABC \quad \forall i \in \{1, \ldots, n\} \tag{2.5}$$

2.3 Encryption Elements

The encryption elements definition is adequate for NeMa analysis but is more general.

2.3.1 The "contact wheel" set CW

Each element of CW is a binary biunivocal relation over the set ABC that represents the internal wiring of a contact wheel. Each contact wheel relates each letter x to a letter y such that the electrical contact on the right hand face of the wheel corresponding to letter x is connected to the electrical contact on the left hand face of the wheel corresponding to letter y. This set includes the six published models of contact wheels.

$$\begin{aligned}
cw \subseteq ABC \times ABC \in CW \iff\ & \forall x \in ABC\ \exists!\, y \in ABC,\ (x, y) \in cw \\
& \forall (x_1, y_1), (x_2, y_2) \in cw,\ x_1 \neq x_2 \Rightarrow y_1 \neq y_2
\end{aligned} \tag{2.6}$$

The "special contact wheel UKW" set UKW

There is a special kind of contact wheel, the UKW, where the relation is additionally symmetric and irreflexive, i.e. if y corresponds to x, then x corresponds to y, and x cannot correspond to x.

$$\begin{aligned}
ukw \subseteq ABC \times ABC \in UKW \iff\ & ukw \in CW, \\
& \forall x_1, x_2 \in ABC,\ (x_1, x_2) \in ukw \Rightarrow (x_2, x_1) \in ukw, \\
& \forall x \in ABC,\ (x, x) \notin ukw
\end{aligned} \tag{2.7}$$

2.3.2 The "notch ring" set NR

Each element of NR is a binary relation from ABC to {0,1} that represents the active/inactive pattern of a notch ring. Each letter from ABC corresponds to a region of the notch ring which is either active (represented by 1) or inactive (represented by 0).

The inactive regions of the notch rings are able to lift the stepping levers, which prevent other wheels from moving. These levers are located offset from the wheel's current position, so the correct notch ring region that should be used to determine whether or not it will lift the lever is: current position + offset. This offset does not modify the analysis of the machine, so it will be omitted; it will be assumed to be taken care of in the notch ring relations.

$$nr \subseteq ABC \times \{0, 1\} \in NR \iff \forall x \in ABC\ \exists!\, b \in \{0, 1\},\ (x, b) \in nr \tag{2.8}$$

2.3.3 The "keyboard/lampboard layout" set B

Each element of B represents a possible keyboard/lampboard layout of the machine, that is, which letter of the fixed electrical contacts located to the right of the ETW each key/lamp is connected to.

$$\begin{aligned}
b \subseteq ABC \times ABC \in B \iff\ & \forall x \in ABC\ \exists!\, y \in ABC,\ (x, y) \in b \\
& \forall (x_1, y_1), (x_2, y_2) \in b,\ x_1 \neq x_2 \Rightarrow y_1 \neq y_2
\end{aligned} \tag{2.9}$$

2.3.4 The "scrambler configuration" SCR

The configuration of the scrambler consists of the selection and arrangement of its five contact wheels and six notch rings (inner key) and the position of its ten wheels. The initial scrambler configuration used to encrypt a text is called the key for that message.

$$SCR = \{ukw, n_9, c_8, n_7, c_6, n_5, c_4, n_3, c_2, n_{1L}, n_{1R}, w_{10}, w_9, w_8, w_7, w_6, w_5, w_4, w_3, w_2, w_1\} \tag{2.10}$$

where

- $ukw$ represents the selected UKW contact wheel.
- $n_9, n_7, n_5, n_3, n_{1L}, n_{1R}$ represent the six selected notch rings from left to right.
- $c_8, c_6, c_4, c_2$ represent the four selected contact wheels from left to right.
- $w_{10}, w_9, w_8, w_7, w_6, w_5, w_4, w_3, w_2, w_1$ represent the position of each wheel from left to right.
2.4 The "encrypt letter" function

In order to encrypt a letter, electrical power is transmitted from the pressed key, through the scrambler to some lamp. The encrypt_letter function takes as input a plaintext letter p and a scrambler configuration scr and returns the ciphertext letter c that corresponds to the lamp that would light up if the scrambler's configuration were scr after the keystroke and the pressed key were p.

The encryption of a letter is the result of the permutations performed by the wiring from the keyboard, each of the contact wheels from right to left, the reflector (ukw), once again the contact wheels from left to right and finally the wiring to the lampboard. Each contact wheel's current position may be offset from the position (K) where its contacts are aligned with the equally numbered fixed electrical contacts located to the right

of the ETW, so this offset should be considered before and after applying the wheel's permutation.

Figure 2.1: Letter encryption process.

$$encrypt\_letter : ABC \times SCR \to ABC$$
$$encrypt\_letter(x, scr) = y \ \text{such that}$$
$$y = x\, B\, (-w_2\, c_2\, {+w_2})(-w_4\, c_4\, {+w_4})(-w_6\, c_6\, {+w_6})(-w_8\, c_8\, {+w_8})(-w_{10}\, ukw\, {+w_{10}})(-w_8\, c_8^{-1}\, {+w_8})(-w_6\, c_6^{-1}\, {+w_6})(-w_4\, c_4^{-1}\, {+w_4})(-w_2\, c_2^{-1}\, {+w_2})\, B^{-1} \tag{2.11}$$

where
$B$ and $B^{-1}$ are the keyboard/lampboard permutation and its inverse.
$-w_i$ and $+w_i$ are negative and positive shifts of the offset for the current position $w_i$.
$c_i$ and $c_i^{-1}$ are contact wheel permutations and their inverse.
$ukw$ is the reflector permutation.
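Equation (2.11) as runnable code, an added example rather than code from the original document: it composes the shifted wheel permutations and checks two consequences of the UKW being symmetric and irreflexive, namely that encrypting twice with the same configuration returns the input and that no letter encrypts to itself. The wirings and the layout B are randomly constructed stand-ins (assumptions), not NeMa's real wheels; letters are modelled as the integers 0..25, and the helper names are hypothetical.

```python
import random

N = 26  # size of the alphabet ABC; letters are the integers 0..25


def make_wheel(rng):
    """Constructed contact wheel: a random bijection on ABC (eq. 2.6)."""
    return rng.sample(range(N), N)


def make_ukw(rng):
    """Constructed reflector: 13 disjoint pairs, so the relation is
    symmetric and irreflexive (eq. 2.7)."""
    letters = rng.sample(range(N), N)
    ukw = [0] * N
    for a, b in zip(letters[0::2], letters[1::2]):
        ukw[a], ukw[b] = b, a
    return ukw


def inverse(perm):
    inv = [0] * N
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def through(x, perm, w):
    """One factor (-w perm +w) of eq. 2.11: remove the wheel offset,
    apply the wiring, then restore the offset."""
    return (perm[(x - w) % N] + w) % N


def encrypt_letter(x, scr):
    """Eq. 2.11: layout B, wheels 2-4-6-8, the UKW at position w10,
    the inverted wheels 8-6-4-2, and finally the inverse layout."""
    y = scr["B"][x]
    for i in (2, 4, 6, 8):
        y = through(y, scr["c"][i], scr["w"][i])
    y = through(y, scr["ukw"], scr["w"][10])
    for i in (8, 6, 4, 2):
        y = through(y, inverse(scr["c"][i]), scr["w"][i])
    return inverse(scr["B"])[y]


def make_scr(rng):
    """Constructed scrambler configuration (contact wheels only; the
    notch rings do not take part in the encryption of a single letter)."""
    return {
        "B": make_wheel(rng),
        "c": {i: make_wheel(rng) for i in (2, 4, 6, 8)},
        "ukw": make_ukw(rng),
        "w": {i: rng.randrange(N) for i in (2, 4, 6, 8, 10)},
    }


def check_properties(trials=200, seed=2013):
    """True if, for every tested configuration, encryption is an
    involution without fixed points."""
    rng = random.Random(seed)
    for _ in range(trials):
        scr = make_scr(rng)
        for x in range(N):
            y = encrypt_letter(x, scr)
            if y == x or encrypt_letter(y, scr) != x:
                return False
    return True


if __name__ == "__main__":
    print("reciprocal and fixed-point free:", check_properties())
```

Both properties hold for any wiring, because each shifted factor is cancelled by its inverse on the way back and the shifted UKW remains a fixed-point-free involution.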

2.5 The "scrambler movement" function

On each keystroke, the scrambler performs certain movements according to its configuration, which set the scrambler to a different configuration. The scrambler_movement function takes as input a scrambler configuration $scr_1$ and returns the configuration $scr_2$ the scrambler would adopt on the next keystroke.

$$scrambler\_movement : SCR \to SCR$$
$$scrambler\_movement(scr_1) = scr_2 \ \text{such that}$$
$$\begin{aligned}
scr_2(w_i) &= -_{ABC}(scr_1(w_i), 1), \quad i \in \{1, 5, 9\} \\
scr_2(w_i) &= \begin{cases} -_{ABC}(scr_1(w_i), 1) & \text{if } (w_1, 1) \in scr_1(n_{1R}) \\ scr_1(w_i) & \text{otherwise} \end{cases} \quad i \in \{3, 7\} \\
scr_2(w_2) &= \begin{cases} -_{ABC}(scr_1(w_2), 1) & \text{if } (w_1, 1) \in scr_1(n_{1L}) \\ scr_1(w_2) & \text{otherwise} \end{cases} \\
scr_2(w_6) &= \begin{cases} -_{ABC}(scr_1(w_6), 1) & \text{if } (w_5, 1) \in scr_1(n_5) \\ scr_1(w_6) & \text{otherwise} \end{cases} \\
scr_2(w_{10}) &= \begin{cases} -_{ABC}(scr_1(w_{10}), 1) & \text{if } (w_9, 1) \in scr_1(n_9) \\ scr_1(w_{10}) & \text{otherwise} \end{cases} \\
scr_2(w_4) &= \begin{cases} -_{ABC}(scr_1(w_4), 1) & \text{if } (w_3, 1) \in scr_1(n_3) \text{ and } (w_1, 1) \in scr_1(n_{1R}) \\ scr_1(w_4) & \text{otherwise} \end{cases} \\
scr_2(w_8) &= \begin{cases} -_{ABC}(scr_1(w_8), 1) & \text{if } (w_7, 1) \in scr_1(n_7) \text{ and } (w_1, 1) \in scr_1(n_{1R}) \\ scr_1(w_8) & \text{otherwise} \end{cases}
\end{aligned} \tag{2.12}$$

2.6 The "encrypt_text" function

The encryption process of a text can be decomposed into the encryption of each letter that makes up the text. The following function represents the encryption process of the cipher machine NeMa and shows how a text is encrypted, which depends only on the initial configuration of the scrambler.

$$encrypt\_text : TEXT \times SCR \to TEXT$$
$$encrypt\_text(plaintext, scr) = ciphertext \ \text{such that}$$
$$plaintext = p_1, p_2, \ldots, p_n \qquad ciphertext = c_1, c_2, \ldots, c_n \qquad c_i = encrypt\_letter(p_i, +_{SCR}(scr, i)) \tag{2.13}$$

where $+_{SCR}(scr, i)$ returns the scrambler configuration after applying the function scrambler_movement to scr i times.

Figure 2.2: Scrambler movement process.

Chapter 3 Comparison with Enigma

The following is a comparison of the Swiss cipher machine NeMa with the German Enigma machine. The purpose of this comparison is to search for aspects considered in Enigma's cryptanalysis that might be useful to analyze NeMa. The Enigma description that was used for this analysis can be found in [3].

3.1 Enigma Functional Description

Enigma is an electromechanical encryption/decryption machine designed and patented by the German engineer Arthur Scherbius in 1918. NeMa, one of its successors, has the same basic operation. They both have an input keyboard, a scrambler unit and an output lampboard. Every time a key is pressed, mechanical movements change the internal electrical connections of the scrambler and electrical power is transmitted from the key through the scrambler to a lamp. This lamp yields the ciphertext/plaintext that corresponds to the input plaintext/ciphertext key.

The differences between the encryption/decryption processes of these machines are due to the differences in their scramblers. The most relevant difference between the two machines lies in the mechanical movements they perform.

Enigma's scrambler has three contact wheels, each of which performs a simple substitution, as NeMa's do. Later Enigma versions included a fourth contact wheel, which adds complexity to the encryption/decryption transformation, matching the complexity of NeMa.

The main difference between the Enigma and NeMa machines lies in the mechanical movements performed by their scramblers. Different Enigma versions have different wheel movement patterns, ranging from a very simple regular stepping to a complex pseudo-random stepping. The commercial Enigma performs the simplest stepping pattern. The rightmost wheel steps with each keystroke, the middle wheel every 26 keystrokes, and the leftmost wheel every $26 \times 26 = 676$ keystrokes. Each of these two last wheels moves when its stepping lever matches the only notch on the wheel to its right.
The notch can be set to any of the 26 possible positions, and this setting is called the ring setting. Other Enigma versions have several notches on each wheel.

Another difference between NeMa and Enigma is that Enigma's reflector does not step. The position of the reflector can be set in some Enigma versions.

Both NeMa and Enigma wheels step in counter-clockwise direction when viewed from the right hand side, but the letters are arranged in reverse order on the letter rings.

Enigma military versions additionally have a plugboard which allows swapping the connections of pairs of letters before and after the scrambler, acting as a modifiable stationary contact wheel to the right of the three rotating contact wheels. This feature was not included in the NeMa machine design and is irrelevant to our work.

3.2 Enigma Mathematical Formulation

Enigma and NeMa designs are so similar that Enigma's mathematical formulation can be made in terms of the elements defined for NeMa's. Some of the elements defined for NeMa need to be modified, as they are not suitable for Enigma, such as the encrypt letter and scrambler movement functions. This mathematical formulation is based on the description of the Enigma D (Commercial Enigma A26).

3.2.1 The "contact wheel" set CW and "special contact wheel UKW" set UKW

Enigma and NeMa contact wheels and UKW are mathematically identical.

3.2.2 The "notch ring" set NR

Mathematically speaking, Enigma and NeMa notch rings are the same, and it does not matter whether the notch rings are attached to the contact wheels or to drive wheels that step independently. The commercial Enigma NR set adds a restriction to NeMa's, because notch rings have only one active region.

$$nr \subseteq ABC \times \{0, 1\} \in NR \iff \forall x \in ABC\ \exists!\, b \in \{0, 1\},\ (x, b) \in nr \ \wedge\ \exists (x_1, b_1) \in nr \ \text{such that}\ b_1 = 1 \ \wedge\ \forall (x_2, b_2) \in nr,\ x_1 \neq x_2 \Rightarrow b_2 = 0 \tag{3.1}$$

3.2.3 The "scrambler configuration" SCR

The configuration of Enigma's scrambler consists of the selection and arrangement of its four contact wheels and two notch rings and the position of its four wheels. Each of the three rightmost contact wheels has a notch ring attached to it, which therefore steps with the contact wheel and not independently as in NeMa, where notch rings are attached to separate drive wheels. The notch ring attached to the leftmost of these three wheels does not make the UKW step, so its position is irrelevant.

$$SCR = \{ukw, c_3, n_2, c_2, n_1, c_1, w_4, w_3, w_2, w_1\} \tag{3.2}$$

where
ukw represents the selected UKW contact wheel.
$n_2, n_1$ represent the notch rings attached to the two rightmost contact wheels, from left to right.
$c_3, c_2, c_1$ represent the three selected contact wheels from left to right.
$w_4, w_3, w_2, w_1$ represent the position of each wheel from left to right.

Figure 3.1: Enigma's letter encryption process.

3.2.4 The "encrypt letter" function

$$encrypt\_letter : ABC \times SCR \to ABC$$
$$encrypt\_letter(x, scr) = y \ \text{such that}$$
$$y = x\, B\, (-w_1\, c_1\, {+w_1})(-w_2\, c_2\, {+w_2})(-w_3\, c_3\, {+w_3})(-w_4\, ukw\, {+w_4})(-w_3\, c_3^{-1}\, {+w_3})(-w_2\, c_2^{-1}\, {+w_2})(-w_1\, c_1^{-1}\, {+w_1})\, B^{-1} \tag{3.3}$$

As for NeMa, $B$ and $B^{-1}$ are the keyboard/lampboard permutation and its inverse, $-w_i$ and $+w_i$ are negative and positive shifts of the offset for the current position $w_i$, $c_i$ and $c_i^{-1}$ are contact wheel permutations and their inverse, and $ukw$ is the reflector permutation.

Figure 3.2: Enigma's scrambler movement process.

3.2.5 The "scrambler movement" function

$$scrambler\_movement : SCR \to SCR$$
$$scrambler\_movement(scr_1) = scr_2 \ \text{such that}$$
$$\begin{aligned}
scr_2(w_1) &= +_{ABC}(scr_1(w_1), 1) \\
scr_2(w_2) &= \begin{cases} +_{ABC}(scr_1(w_2), 1) & \text{if } (w_1, 1) \in scr_1(n_1) \\ scr_1(w_2) & \text{otherwise} \end{cases} \\
scr_2(w_3) &= \begin{cases} +_{ABC}(scr_1(w_3), 1) & \text{if } (w_2, 1) \in scr_1(n_2) \\ scr_1(w_3) & \text{otherwise} \end{cases}
\end{aligned} \tag{3.4}$$

3.2.6 The "encrypt_text" function

The text encryption function is identical for both machines.

3.3 Method of Batons

3.3.1 Description of the method

This method applies only to plugless Enigma. It assumes that the wiring of the contact wheels is known, that only the rightmost wheel is stepping and that there are some probable known words in the plaintext. It is very likely that the rightmost wheel is the only one stepping because this happens in 25 out of 26 keystrokes.

The encrypt_letter function yields the ciphertext of a letter according to the current scrambler configuration. The scrambler configuration changes on each keystroke, which causes the function to change as determined by the change in the position of the wheels, the $w_i$'s. If only the rightmost wheel is stepping, only $w_1$ changes. Combining the effects of the two leftmost wheels with the reflector, the expression of the encrypt_letter function is:

$$y = x\, B\, (-w_1\, c_1\, {+w_1})\, Z\, (-w_1\, c_1^{-1}\, {+w_1})\, B^{-1} \tag{3.5}$$

where Z is the previously mentioned combined effect. Then applying $B\,(-w_1\, c_1\, {+w_1})$ to both sides, the following expression is obtained:

$$y\, B\, (-w_1\, c_1\, {+w_1}) = x\, B\, (-w_1\, c_1\, {+w_1})\, Z \tag{3.6}$$

So, by applying $B\,(-w_1\, c_1\, {+w_1})$ to both the ciphertext and the plaintext guess, some of the substitutions performed by Z can be found. If contradictions are found, then the initial guess for $c_1$ and $w_1$ was incorrect.

3.3.2 Applicability to NeMa

This method, as is, is not applicable to NeMa because it is not possible to assume that the leftmost wheels do not move.
Nevertheless, it suggests the following issues which may be worth considering:

Is it possible to compute how many keystrokes it takes for all NeMa contact wheels except the first one simultaneously not to step? If not, is it possible to determine a minimum and a maximum number of keystrokes between which it has to happen?
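The consistency test behind equations (3.5) and (3.6), as an added example that is not from the original document: for each candidate position $w_1$ of the fast wheel, crib and ciphertext are mapped through $(-w_1\, c_1\, {+w_1})$, and the candidate is rejected when the resulting letter pairs cannot all belong to one symmetric Z. The wiring, Z, the crib and the start position are constructed values; B is taken as the identity, and the wheel is assumed to advance by one position before each letter.

```python
import random

N = 26  # letters are the integers 0..25


def fast_wheel(x, c1, w):
    """The factor (-w c1 +w) of eq. 3.5 applied to letter x."""
    return (c1[(x - w) % N] + w) % N


def encrypt(plain, c1, w1, z):
    """Eq. 3.5 with B = identity: only the fast wheel steps, the rest of
    the scrambler is the fixed symmetric permutation z."""
    c1_inv = [0] * N
    for a, b in enumerate(c1):
        c1_inv[b] = a
    out = []
    for j, x in enumerate(plain, start=1):
        w = (w1 + j) % N            # position after the j-th keystroke
        u = fast_wheel(x, c1, w)
        out.append(fast_wheel(z[u], c1_inv, w))
    return out


def consistent(crib, cipher, c1, w1):
    """Eq. 3.6: each (crib, cipher) pair yields one link u <-> v of Z.
    A guess for w1 survives only if no letter gets two different partners."""
    z = {}
    for j, (x, y) in enumerate(zip(crib, cipher), start=1):
        w = (w1 + j) % N
        u, v = fast_wheel(x, c1, w), fast_wheel(y, c1, w)
        if z.get(u, v) != v or z.get(v, u) != u:
            return False            # contradiction: wrong guess
        z[u], z[v] = v, u
    return True


def batons(crib, cipher, c1):
    """All start positions of the fast wheel that produce no contradiction."""
    return [w1 for w1 in range(N) if consistent(crib, cipher, c1, w1)]


def constructed_case(seed=1939):
    """Constructed test data: random wiring c1, random pairing z, a
    25-letter crib (shorter than one revolution of the fast wheel)."""
    rng = random.Random(seed)
    c1 = rng.sample(range(N), N)
    letters = rng.sample(range(N), N)
    z = [0] * N
    for a, b in zip(letters[0::2], letters[1::2]):
        z[a], z[b] = b, a
    w1 = rng.randrange(N)
    crib = [ord(ch) - ord("A") for ch in "WETTERBERICHTFUERDIENACHT"]
    return crib, encrypt(crib, c1, w1, z), c1, z, w1


if __name__ == "__main__":
    crib, cipher, c1, z, w1 = constructed_case()
    print("true position:", w1, "surviving guesses:", batons(crib, cipher, c1))
```

The true position always survives; wrong positions are eliminated as soon as two crib letters demand different partners for the same contact, which is why longer cribs leave fewer candidates.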

Likewise, can those values be determined for the number of keystrokes it takes for all contact wheels to step simultaneously? Knowing these values it might be possible to determine the identity and starting position of the leftmost contact wheel. It would not be possible to find cribs long enough for these events to take place. Yet this might be helpful when attempting a chosen or known plaintext attack.

Sullivan and Weierud state in [1] that there are certain scrambler configurations for which none of the five contact wheels step repeatedly once every 26 keystrokes. What happens for the other configurations? Does it still happen but with a longer period? What about all wheels stepping at the same time?

An attack was proposed by Olga Tyurganova (Uni.lu bachelor student 2012) that uses this non-stepping feature. She proposed a chosen plaintext attack. Some chosen plaintext is encrypted with the unknown key. Repetitions every 26 letters are searched for in the resulting ciphertext. If repetitions are found, the key must be one of the weak keys that cause the non-stepping feature. Brute force search is then carried out over this subset of weak keys. This attack has lower complexity than plain brute force search but it is not effective if the sought key is not a weak key. Can this attack be improved?

Comment from [1]: "It is clear that the NeMa was designed to prevent attacks against the fast wheels that were used so successfully against the Enigma. It is interesting to speculate whether the peculiar stepping features of the NeMa offered a more secure cipher"

3.4 Rejewski's method

Marian Rejewski was in charge of analyzing the Enigma traffic at the Polish Cipher Bureau in Warsaw. His method took advantage of the fact that a three letter key was repeated twice at the beginning of each message. This three letter key indicates the initial position of the three contact wheels.
Once again, this method is not applicable to NeMa, because it is not possible to assume that only the rightmost wheel is stepping. What is interesting is that this attack succeeded because of an error made by the operators, who would sometimes use simple keyboard combinations for the key, such as three identical letters.

As happened with Enigma, is it valid to assume that NeMa operators would sometimes also use simple keyboard combinations such as QWERTYUIOP or ABCDEFGHIJ?

3.5 The cyclometer

The cyclometer was basically a catalog. There are 6 possible ways in which the three contact wheels can be arranged and $26^3$ possible ring settings, so there are 105,456 combinations. The catalog contained the cycle structure for each of these combinations. With this catalog the wheel order and ring settings could be found in about 20 minutes.

Is it possible to isolate some of NeMa's key elements in order to be able to build a catalog of a reasonable size?

3.6 Turing-Welchman known plaintext attack

Turing's idea for solving the Enigma was to build a machine that was able to step through all the possible wheel positions testing for a probable plaintext. The high number of possible plugboard settings made exhaustive search impossible, so he developed a method to reduce the search space. Some plugboard independent characteristic had to be found: crib loops.

This method is not applicable to NeMa either, because it assumes that only the rightmost wheel is stepping through the crib, which is not possible for NeMa. Nevertheless, is it possible to find some other characteristic in a crib that enables reducing NeMa's key search space?


Chapter 4 Stepping Pattern Analysis

The following is an in-depth analysis of the stepping pattern of the Swiss cipher machine NeMa.

4.1 Mathematical definitions

k-permutations of n: Number of ordered sequences of k elements taken without repetition from a set of n different elements.

$$P(n, k) = \frac{n!}{(n-k)!}$$

k-combinations of n: Number of subsets of k elements taken without repetition from a set of n different elements.

$$C(n, k) = \frac{n!}{(n-k)!\,k!}$$

4.2 Search space size

NeMa's scrambler is made up of ten rotating wheels. Five of these wheels, the contact wheels, determine how each letter of the plaintext is encrypted. The transformation applied by them to the plaintext letter depends on their selection, order and position. The other five wheels, the drive wheels, determine the stepping pattern of the contact wheels. They determine how the contact wheels' positions change from one letter to the next, which modifies the transformation they apply to the input letters.

4.2.1 The contact wheels

Selection and Order

NeMa's operational model was supplied with six different contact wheels: A, B, C, D, E and F (one of each model). Four out of the six available wheels have to be selected, and their placement order has to be determined. There are 4-permutations of 6 possible ways to do this.

$$P(6, 4) = \frac{6!}{(6-4)!} = \frac{6 \times 5 \times 4 \times 3 \times 2}{2} = 6 \times 5 \times 4 \times 3 = 360 \tag{4.1}$$

Starting position

Each of the five contact wheels (the four regular ones plus the UKW) can be placed in 26 different starting positions. This gives a total of $26^5$ = 11.881.376 possible starting positions of the contact wheels.

Taking selection, order and starting position of the contact wheels into account, there are $360 \times 26^5$ = 4.277.295.360 possibilities.

4.2.2 The drive wheels

Selection and Order

Each drive wheel has a notch ring attached to it, except for the ETW which has two. There are 14 different models of notch rings. Notch rings 1 and 2 can only be attached to the right hand face of the ETW, while notch rings 12 to 23 can be attached to the left hand face of any drive wheel. One notch ring of each model was supplied with the machine.

Five out of the twelve available left hand face notch rings have to be selected and their placement order on the drive wheels has to be determined. There are 5-permutations of 12 possible ways to do this.

$$P(12, 5) = \frac{12!}{(12-5)!} = \frac{12!}{7!} = 12 \times 11 \times 10 \times 9 \times 8 = 95.040 \tag{4.2}$$

As there are two options for the notch ring on the right hand face of the ETW, there are a total of $95.040 \times 2$ = 190.080 possible selections and orders of the notch rings.

Starting position

Each of the five drive wheels, like the contact wheels, can be placed in 26 different starting positions.

Taking notch ring selection and order, and position of the drive wheels into account, there are $190.080 \times 26^5$ = 2.258.411.950.080 possibilities.

The size of the key search space can now be determined: there are $4.277.295.360 \times 2.258.411.950.080 = 9,66 \times 10^{21} \approx 2^{73}$ possible keys.

4.3 Stepping pattern

Drive wheels 1, 5 and 9 always move one step.

Drive wheels 3 and 7 move one step when the notch ring on the right hand face of drive wheel 1 is in an active region.

Contact wheels 2, 6 and 10 move one step when the notch ring on drive wheel 1 (left face), 5 or 9 respectively, is in an active region.
Contact wheels 4 and 8 move one step when the notch ring on drive wheel 3 or 7, respectively, is in an active region and the notch ring on the right hand face of drive wheel 1 is also in an active region.

4.3.1 Maximum and minimum stepping

Drive wheels 1, 5 and 9 step 26 out of 26 keystrokes.

Drive wheels 3 and 7 step 5 out of 26 keystrokes because notch rings 1 and 2 (which are the only ones that can be attached to the right hand face of the ETW) both have 5 active regions. The ETW steps on every keystroke, and the notch rings attached to it do the same, so each of the 26 regions of the notch ring takes effect once every 26 keystrokes.

The movement of contact wheels 2, 6 and 10 is controlled by drive wheel 1, 5 or 9, respectively. These drive wheels step on each keystroke, so the number of times these contact wheels step every 26 keystrokes equals the number of active regions on the notch rings attached to the drive wheels. The notch ring with the fewest active regions has 11, and the one with the most has 23, so contact wheels 2, 6 and 10 step a minimum of 11 out of 26 keystrokes and a maximum of 23 out of 26 keystrokes. Moreover, each of these wheels steps the same number of times every 26 keystrokes.

Contact wheels 4 and 8 are controlled by the combined effect of the notch ring on drive wheel 3 or 7, respectively, and the notch ring on the right hand face of drive wheel 1. Because they are controlled by the notch ring on the right hand face of drive wheel 1, they step a maximum of 5 out of 26 keystrokes. The number of steps depends on the notch ring attached to drive wheel 3 or 7, respectively. Drive wheels 3 and 7 step 5 out of 26 keystrokes, so only 5 regions of their notch rings take effect over the contact wheels within these 26 keystrokes. There are two notch rings (15 and 17) that have 5 consecutive inactive regions, so contact wheels 4 and 8 step a minimum of 0 out of 26 keystrokes.

| Wheel | Minimum Steps | Maximum Steps |
|---|---|---|
| 1 (ETW) | 26 | 26 |
| 2 | 11 | 23 |
| 3 | 5 | 5 |
| 4 | 0 | 5 |
| 5 | 26 | 26 |
| 6 | 11 | 23 |
| 7 | 5 | 5 |
| 8 | 0 | 5 |
| 9 | 26 | 26 |
| 10 (UKW) | 11 | 23 |

Table 4.1: Minimum and maximum stepping

4.4 Experiment 1: The non-stepping pattern

The purpose of this experiment was to find as much information as possible regarding the non-stepping event, where none of the contact wheels step during a keystroke. This causes identical transformations to be applied to two consecutive letters of the plaintext.

For each randomly selected key, a very long message of identical letters was encrypted and pairs of successive identical letters were searched in the ciphertext. Each time a pair was found it may indicate that on the second keystroke none of the contact wheels

moved. For each randomly selected key and corresponding ciphertext the following information was gathered:

- Number of pairs of successive identical letters.
- Number of times the pair was coincidental.
- Number of times the pair was caused by non-stepping of the contact wheels.
- Number of keystrokes for each interval between pairs of letters caused by non-stepping.

4.4.1 Pseudocode

Pseudocode of Experiment 1

    PLAINTEXT = "AAA...AAA" (677 A's)
    create file to record results
    for 12000 times do
        KEY = select random key
        CIPHERTEXT = Encrypt(PLAINTEXT, KEY)
        IntervalCounter = 0
        LetterMatches = 0
        Coincidences = 0
        Non-Stepping = 0
        for all letter in CIPHERTEXT do
            if letter = previous-letter then
                LetterMatches = LetterMatches + 1
                if wheels moved then
                    Coincidences = Coincidences + 1
                end if
                if wheels not moved then
                    Non-Stepping = Non-Stepping + 1
                    record interval length = IntervalCounter
                    IntervalCounter = 0
                end if
            end if
            IntervalCounter = IntervalCounter + 1
        end for
        record KEY and results in file
    end for
    close results file

4.4.2 Results

The first runs of this experiment were done with strings of 15000 A's as plaintext. The results showed that 60% of the keys did not present any non-stepping event and the remaining 40% presented different numbers of non-stepping events within these 15000 keystrokes. These numbers were clearly not random, because several numbers showed up repeatedly. Moreover, there were groups of consecutive numbers. The most common numbers found were 576, 577, 1153, 1154, 22, 23, 598, 599, 600, etc.

The analysis of the keys that produced similar non-stepping patterns revealed that consecutive numbers were due to the length of the encrypted plaintext. Depending on the starting point in the drive wheel's cycle for each key there were, for example, 576 or 577 non-stepping events.
In this example, the non-stepping event occurred once every 26 keystrokes, and as 15000 is not a multiple of 26 it was possible to have 576 or 577 non-stepping events. As explained below, the non-stepping events occur once every 26 keystrokes or once every 676 keystrokes. To avoid consecutive numbers in the results

the length of the input plaintext of the experiment was changed to 676 + 1. The length cannot be 676 because some encryptions may start in the middle of a non-stepping event, and in this case the event would not be detected. The additional letter allows detecting this extra event at the end.

The results shown in the following tables were obtained from 12000 randomly selected keys. Figure 4.1 shows the overall results. As can be seen, 40% of the keys present some non-stepping events, and the other 60% of the keys never present a non-stepping event.

The most common numbers of non-stepping events found in 676 keystrokes are summarized in figure 4.2. The most common number is 26 non-stepping events in 676 keystrokes. From the subset of keys that present some non-stepping event, 62.5% fall in this group. As can be seen, 95% of the keys that present some non-stepping events can be split into 11 different groups according to the number of non-stepping events they present.

Analyzing the results further, it is possible to see that all keys that fall in the same group share some common pattern. Figure 4.3 summarizes the patterns found for each of the first 8 groups (the patterns of the other groups were omitted for simplicity).

Figure 4.1: Results for Experiment 1

Figure 4.2: Results for Experiment 1

Figure 4.3: Results for Experiment 1

4.5 Non-stepping groups

A non-stepping event happens when the notch rings attached to the drive wheels prevent the contact wheels from stepping. A non-stepping event is caused by the following conditions:

- Inactive regions of the notch ring on drive wheels 9, 5 and 1 (left face) prevent contact wheel 10, 6 or 2, respectively, from stepping.
- Inactive regions of the notch ring on drive wheel 3 or of the notch ring on the right hand face of drive wheel 1 prevent contact wheel 4 from stepping.
- Inactive regions of the notch ring on drive wheel 7 or of the notch ring on the right hand face of drive wheel 1 prevent contact wheel 8 from stepping.

This means that there are two different situations in which none of the contact wheels step:

- Type 1 non-stepping: When the notch rings on drive wheels 9, 5 and 1 (left and right faces) are in inactive regions.
- Type 2 non-stepping: When the notch rings on drive wheels 9, 7, 5, 3 and 1 (left face) are in inactive regions.

Drive wheels 9, 5 and 1 step on every keystroke, so the relative position between the notch rings attached to these wheels does not change, because they all move together. Because of this characteristic of the stepping mechanism, each time a type 1 non-stepping event occurs, it repeats every 26 keystrokes. After 26 keystrokes the three drive wheels return to the same position, so if the notch rings attached to them caused non-stepping once they will cause non-stepping again 26 keystrokes afterwards.

When the non-stepping is of type 2, it repeats every 676 keystrokes. Drive wheels 9, 5 and 1 all step together on every keystroke. Drive wheels 3 and 7 also step together but only 5 times every 26 keystrokes. This stepping pattern causes the five wheels to return to the same position after $26 \times 26 = 676$ keystrokes.

Figure 4.4: Notch rings cycle for non-stepping events every 676 keystrokes

By looking at the notch rings attached to the drive wheels when they are at their initial position, it is possible to determine how many non-stepping events will occur.

For each set of aligned inactive regions on the notch rings on drive wheels 9, 5 and 1 (left and right faces) at the initial position, there will be one non-stepping event every 26 keystrokes.

For each pair of aligned inactive regions on the notch rings on drive wheels 7 and 3 and on the notch rings on drive wheels 9, 5 and 1 (left face only) at the initial position, there will be one non-stepping event every 676 keystrokes.

To clarify these concepts we will compute the number of non-stepping events for the following configuration.

INNER KEY: 17B 14F 15C 12E 20/2
OUTER KEY: PBONNMUKLW

The first step in computing the number of non-stepping events a notch ring combination will generate is to align the notch rings to their initial position. In doing this, the offset of the stepping levers must be taken into account. For notch rings 9, 7, 5, 3 and 1 left, the offset is 10. For notch ring 1 right, the offset is 9.

The initial positions of the notch rings are B, N, M, K, W and W from left to right. Considering the offset, the initial region of each notch ring to match the stepping levers will be R, D, C, A, M and N (again, from left to right).

Next, the aligned inactive regions must be searched through the notch rings. Every time there are aligned inactive regions on notch rings 9, 5, 1 left and 1 right, they will be marked in red. Aligned inactive regions on notch rings 9, 5 and 1 left, but not on 1

right will be marked in blue, and aligned inactive regions on notch rings 7 and 3 will be marked in green.

Figure 4.5: Initial notch ring configuration

The number of non-stepping events this combination will generate is:

$$(\#\text{red columns} \times 26) + (\#\text{blue columns} \times \#\text{green columns}) = (2 \times 26) + (1 \times 3) = 55 \ \text{non-stepping events every 676 keystrokes}$$

These non-stepping patterns allow us to separate the keys into different groups. In order to easily identify each element we will assign the following names:

- Each group will be identified with a number. These numbers correspond to the number of non-stepping events that occur when encrypting a text of 676 letters.
- Red column: Each set of aligned inactive regions on the notch rings on drive wheels 9, 5 and 1 (left and right faces).
- Blue column: Each set of aligned inactive regions on the notch rings on drive wheels 9, 5 and 1 (left face only).
- Green column: Each set of aligned inactive regions on the notch rings on drive wheels 7 and 3.

Each red column will cause one non-stepping event every 26 keystrokes; therefore, it will cause 676/26 = 26 non-stepping events every 676 keystrokes. Each pair of blue and green columns will cause one non-stepping event every 676 keystrokes.

Each group can also be divided into subgroups because the distance between columns in the configuration affects the non-stepping pattern. For example, two configurations with 2 red columns each have the same number of non-stepping events but differ in their non-stepping pattern. If the distance between the columns is different for each configuration, the length of the intervals between non-stepping events is also different.

Configuration 1: 2 red columns separated by 3 columns. This configuration has 1040 non-stepping events with interval lengths of 4 and 22.

Configuration 2: 2 red columns separated by 10 columns. This configuration has 1040 non-stepping events with interval lengths of 11 and 15.
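The column count can be checked against a direct simulation of the stepping rule of section 4.3, as in the following added example (not code from the original document). Its notch rings are constructed patterns chosen to give 2 red, 1 blue and 3 green columns like the worked configuration, not the patterns of the real NeMa rings; the lever offsets are taken as already folded into the rings, and the stepping direction is an arbitrary choice that does not affect the counts.

```python
N = 26


def ring(inactive):
    """Notch ring as 26 regions: 0 = inactive, 1 = active."""
    return [0 if p in inactive else 1 for p in range(N)]


# Constructed rings (assumption: NOT the real NeMa notch rings).
# Ring 1R has 5 active regions, as the text states for rings 1 and 2.
RINGS = {
    "1R": ring(set(range(N)) - {0, 5, 10, 15, 20}),
    "1L": ring({3, 7, 10, 14, 21}),
    "5": ring({3, 7, 10, 13, 19, 22}),
    "9": ring({3, 7, 10, 12, 18}),
    "3": ring({1, 4, 9, 16}),
    "7": ring({1, 4, 9, 17, 23}),
}
START = {w: 0 for w in range(1, 11)}  # constructed starting positions


def keystroke(pos, nr):
    """Stepping rule of section 4.3 / eq. 2.12. Returns the new positions
    and whether any contact wheel (2, 4, 6, 8, 10) moved."""
    r1 = nr["1R"][pos[1]] == 1
    moves = {
        1: True, 5: True, 9: True,          # drive wheels, always step
        3: r1, 7: r1,                       # drive wheels gated by ring 1R
        2: nr["1L"][pos[1]] == 1,
        6: nr["5"][pos[5]] == 1,
        10: nr["9"][pos[9]] == 1,
        4: nr["3"][pos[3]] == 1 and r1,
        8: nr["7"][pos[7]] == 1 and r1,
    }
    new = {w: (p + 1) % N if moves[w] else p for w, p in pos.items()}
    return new, any(moves[w] for w in (2, 4, 6, 8, 10))


def non_stepping_keystrokes(pos, nr, length=676):
    """Indices (0-based) of the keystrokes on which no contact wheel steps."""
    events = []
    for t in range(length):
        pos, moved = keystroke(pos, nr)
        if not moved:
            events.append(t)
    return events


def column_prediction(pos, nr):
    """Count red, blue and green columns at the initial position and
    apply (#red x 26) + (#blue x #green)."""
    red = blue = 0
    for k in range(N):
        if all(nr[name][(pos[w] + k) % N] == 0
               for name, w in (("9", 9), ("5", 5), ("1L", 1))):
            if nr["1R"][(pos[1] + k) % N] == 0:
                red += 1
            else:
                blue += 1
    green = sum(1 for k in range(N)
                if nr["3"][(pos[3] + k) % N] == 0
                and nr["7"][(pos[7] + k) % N] == 0)
    return red, blue, green, 26 * red + blue * green


if __name__ == "__main__":
    events = non_stepping_keystrokes(START, RINGS)
    print(column_prediction(START, RINGS), len(events), events[:6])
```

With these rings the two red columns are separated by 3 columns, so the red events alone are spaced 4 and 22 keystrokes apart, and the three blue/green events fall at keystrokes 140, 426 and 452.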

Figure 4.6: Subgroup configuration 1

Figure 4.7: Subgroup configuration 2

4.5.1 The groups

The set of notch rings provided with the machine determines which are the possible groups and subgroups. If all possible constructible notch rings were available then every mathematical combination of columns would be possible for a group or subgroup.

Groups and subgroups were determined experimentally. This was done by testing every possible combination of 3 and 2 notch rings and the relative position between them.

Aligned inactive regions on three notch rings.

There are 3-combinations of 12 = $\frac{12 \times 11 \times 10}{3 \times 2 \times 1}$ = 220 ways to select three notch rings from the available set of 12. The order of the notch rings does not matter for this purpose. If we fix the position of one of the notch rings and change among the 26 possible positions for the other 2, we will get all possible relative positions between the 3 of them. There are $26 \times 26 = 676$ relative positions. In all, this gives 148.720 combinations to be searched for aligned inactive regions. Table 3 shows the number of combinations found for each number of aligned inactive regions.

| # Aligned Inactive Regions | # Combinations | Percentage of total | # Distinct Patterns |
|---|---|---|---|
| 0 | 89410 | 60,12% | 1 |
| 1 | 42737 | 28,74% | 1 |
| 2 | 12536 | 8,43% | 13 |
| 3 | 3098 | 2,08% | 94 |
| 4 | 787 | 0,53% | 180 |
| 5 | 128 | 0,086% | 68 |
| 6 | 19 | 0,012% | 10 |
| 7 | 5 | 0,002% | 4 |
| TOTAL | 148720 | 100% | 371 |

Table 4.2: Aligned inactive regions on three notch rings

Aligned inactive regions on two notch rings.

There are 2-combinations of 12 = $\frac{12 \times 11}{2 \times 1}$ = 66 ways to select two notch rings from the available set of 12. The order of the notch rings does not matter for this purpose. If we

4.5. NON-STEPPING GROUPS 33 fix the position of one of the notch rings and change among the 26 possible positions for the other, we will get all possible relative positions between them. There are 26 relative positions. In all, this gives 66 26 = 1716 combinations to be searched for aligned inactive regions. Table 4 shows the number of combinations found for each number of aligned inactive regions. # Aligned # Combinations Percentage of # Distinct Inactive Regions total Patterns 0 303 17,66% 1 1 491 28,61% 1 2 395 23,02% 13 3 212 12,35% 65 4 147 8,57% 97 5 92 5,36% 79 6 41 2,39% 39 7 23 1,34% 20 8 10 0,58% 10 9 2 0,12% 2 TOTAL 1716 100% 327 Table 4.3: Aligned inactive regions on two notch rings Red column groups and subgroups For almost every combination of aligned inactive regions on 3 notch rings it is possible to form red columns selecting either notch ring 1 or notch ring 2. Out of the 370 different combinations of aligned inactive regions on 3 notch rings, it is possible to form exclusively red columns with 365 of them. 0: This group includes every combination that does not have any column of aligned inactive regions and therefore will not show any non-stepping event. 26: One red column. This group s pattern will have intervals of 26 keystrokes between non-stepping events. There is only one subgroup in this group because every combination with only one red column will have the same pattern. 52: Two red columns. This group s pattern will have intervals of x keystrokes and intervals of y keystrokes, such that x + y = 26. There are 13 different subgroups in this group. 78: Three red columns. This group s pattern will have intervals of x, y and z keystrokes, such that x+y+z = 26. Theoretically, there are 100 different subgroups with 3 columns. In practice, with the notch rings provided with the machine, 94 are possible. 104: Four red columns. This group s pattern will have intervals of w, x, y and z keystrokes, such that w + x + y + z = 26. 
Theoretically, there are 578 different subgroups with 4 columns. In practice, with the notch rings provided with the machine, 178 are possible.

130: Five red columns. This group's pattern will have intervals of v, w, x, y and z keystrokes, such that v + w + x + y + z = 26. Theoretically, there are 2530 different subgroups with 5 columns. In practice, with the notch rings provided with the machine, 66 are possible.

156: Six red columns. This group's pattern will have intervals of u, v, w, x, y and z keystrokes, such that u + v + w + x + y + z = 26. Theoretically, there are 8866 different subgroups with 6 columns. In practice, with the notch rings provided with the machine, only 10 are possible.

182: Seven red columns. This group's pattern will have intervals of t, u, v, w, x, y and z keystrokes, such that t + u + v + w + x + y + z = 26. Theoretically, there are 25300 different subgroups with 7 columns. In practice, with the notch rings provided with the machine, only 3 are possible.

Eight or more red columns are theoretically possible but are not achievable with the notch rings provided with the machine.

Blue and Green column groups and subgroups

Blue columns

On the other hand, not every combination of aligned inactive regions on 3 notch rings will form exclusively blue columns with either notch ring 1 or notch ring 2. Blue columns were determined experimentally. For each combination of aligned inactive regions on 3 notch rings we tested whether some position exists such that every aligned inactive region of the combination matches an active region on notch ring 1 or 2. Out of the 370 combinations of aligned inactive regions on 3 notch rings, it turns out that only 11 of them can be used to form exclusively blue columns. There is 1 combination with 1 blue column, 8 combinations with 2 blue columns and 2 combinations with 3 blue columns.

Green columns

Green columns are due to aligned inactive regions on the notch rings of drive wheels 3 and 7. There are 326 different patterns for green columns that can be formed with the available notch rings. It is possible to have from 1 to 9 green columns in one combination.
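The theoretical subgroup counts quoted for the red column groups (13, 100, 578, 2530, 8866, 25300) can be reproduced by counting interval sequences that sum to 26, treating rotations of the same sequence as one subgroup. The text does not say how the figures were derived; the following is an added example, not code from the thesis, and its function names are hypothetical.

```python
from itertools import combinations
from math import comb, gcd

POSITIONS = 26  # one notch ring position per letter


def euler_phi(n):
    """Euler's totient: how many k in 1..n are coprime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def theoretical_subgroups(columns, n=POSITIONS):
    """Closed-form count (Burnside's lemma) of column layouts up to rotation."""
    g = gcd(n, columns)
    total = sum(euler_phi(d) * comb(n // d, columns // d)
                for d in range(1, g + 1) if g % d == 0)
    return total // n


def interval_pattern(column_positions, n=POSITIONS):
    """Cyclic gaps between consecutive columns, in canonical rotation.

    The gaps are the keystroke intervals between events and sum to n.
    """
    cols = sorted(column_positions)
    gaps = [(cols[(i + 1) % len(cols)] - cols[i]) % n or n
            for i in range(len(cols))]
    return min(tuple(gaps[r:] + gaps[:r]) for r in range(len(gaps)))


def enumerate_subgroups(columns, n=POSITIONS):
    """Brute force: distinct interval patterns over every column placement."""
    # Any layout can be rotated so that one column sits at position 0.
    return len({interval_pattern((0,) + rest, n)
                for rest in combinations(range(1, n), columns - 1)})


if __name__ == "__main__":
    for k in range(1, 8):
        print(f"{k} columns ({26 * k:3d}): "
              f"{theoretical_subgroups(k):5d} theoretical subgroups")
    # Cross-check the closed form against enumeration where it is cheap.
    for k in range(1, 6):
        assert enumerate_subgroups(k) == theoretical_subgroups(k)
```

The "in practice" figures (94, 178, 66, 10, 3) are smaller because they depend on the 12 notch rings actually supplied, which this count does not model.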
Non-stepping with blue and green columns

For every pair of blue and green columns there will be a non-stepping event every 676 keystrokes. Some groups are listed below. For each group there will also be subgroups depending on the distance between consecutive columns of the same color.

1: One blue and one green column. This group's pattern will have intervals of 676 keystrokes between non-stepping events. There is only one subgroup in this group.

2: Two blue columns and one green column, or one blue column and two green columns. There are 8 distinct configurations of 2 blue columns and 13 distinct configurations of 2 green columns, which means that there are 21 subgroups with 2 non-stepping events in 676 keystrokes. The lengths of the intervals found in each subgroup depend on the distance between the columns of the same color. For those subgroups with two blue columns they also depend on the number of active regions found in the notch ring on the right hand face of drive wheel 1 between the columns. This group's pattern will have intervals of x keystrokes and intervals of y keystrokes such that x + y = 676.

3: Three blue columns and one green column, or one blue column and three green columns. There are 2 distinct configurations with 3 blue columns and 65 distinct configurations with 3 green columns, making a total of 67 subgroups in this group.

The other possible groups are 4, 5, 6, 7, 8, 9, 10, 12, 14, 15, 16, 18, 21, 24 and 27.

Combined groups and subgroups with red, blue and green columns

There are 1244 distinct configurations with blue and red columns. Each of these configurations combined with a configuration with green columns will fall into one of the following groups:

# Red     # Blue    Number of green columns
columns   columns   1     2     3     4     5     6     7     8     9
1         1         27    28    29    30    31    32    33    34    35
2         1         53    54    55    56    57    58    59    60    61
3         1         79    80    81    82    83    84    85    86    87
4         1         105   106   107   108   109   110   111   112   113
5         1         131   132   133   134   135   136   137   138   139
6         1         157   158   159   160   161   162   163   164   165
1         2         28    30    32    34    36    38    40    42    44
2         2         54    56    58    60    62    64    66    68    70
3         2         80    82    84    86    88    90    92    94    96
4         2         106   108   110   112   114   116   118   120   122
5         2         132   134   136   138   140   142   144   146   148
1         3         29    32    35    38    41    44    47    50    53
2         3         55    58    61    64    67    70    73    76    79
3         3         81    84    87    90    93    96    99    102   105
4         3         107   110   113   116   119   122   125   128   131

Table 4.4: Red, Blue and Green column groups.

4.6 Experiment 2: The all-stepping pattern

Just as we can detect non-stepping events, it is also possible to detect all-stepping events. These will give us additional information about the initial configuration of the machine's notch rings.

We call all-stepping the event in which all contact wheels step during a keystroke. When this happens, the relative position between the contact wheels doesn't change. This causes the same paths through the scrambler, shifted one position, to be applied to two consecutive input letters.

The keyboard and lampboard are connected to the scrambler as in a regular QWERTZ typewriter.
We will call this letter sequence the QWERTZ sequence. For each randomly selected key we will encrypt the QWERTZ sequence in reverse order. We will search in the ciphertext for pairs of consecutive letters within this sequence. Each time a pair is found it will be necessary to test whether the pair was coincidental or was caused by an all-stepping event.

4.6.1 Pseudocode

Pseudocode of Experiment 2

    PLAINTEXT = "...MNBVCXYLKJHGFDSAPOIUZTREWQMNBV..." (677 letters)
    create file to record results
    for 12000 times do
        KEY = select random key
        CIPHERTEXT = Encrypt(PLAINTEXT, KEY)
        IntervalCounter = 0
        LetterMatches = 0
        Coincidences = 0
        All-Stepping = 0
        for all letter in CIPHERTEXT do
            if previous-letter QWERTZ CONSECUTIVE OF letter then
                LetterMatches = LetterMatches + 1
                if some wheel didn't move then
                    Coincidences = Coincidences + 1
                end if
                if All wheels moved then
                    All-Stepping = All-Stepping + 1
                    record interval length = IntervalCounter
                    IntervalCounter = 0
                end if
            end if
            IntervalCounter = IntervalCounter + 1
        end for
        record KEY and results in file
    end for
    close results file

4.6.2 Results

The following results were obtained from this experiment. As can be seen, the all-stepping event is much more common than the non-stepping event: 85% of the keys present some all-stepping event. Of these keys, over 75% can be split into 24 different groups.

Figure 4.8: Results for Experiment 2

Figure 4.9: Results for Experiment 2

4.7 All-stepping groups

An all-stepping event occurs when every contact wheel steps at the same time. There is only one possible way for this to happen: every notch ring attached to the drive wheels must be in an active region simultaneously.

As was explained earlier, drive wheels 9, 5 and 1 step together and drive wheels 3 and 7 also step together but independently from the others. Because of this stepping pattern, every all-stepping event, which is caused by aligned active regions on every notch ring, will be repeated every 676 keystrokes.

The following example computes the number of all-stepping events for the configuration.

INNER KEY : 14D 22B 12C 16A 18/2
OUTER KEY : GMXSKXY XAF

Figure 4.10: Initial notch ring configuration

The first step is to align the notch rings to their initial position. Taking the offset of the stepping levers into account, the initial effective regions of the notch rings, from left to right, are: C, I, N, N, V and W.

Next, every column of aligned active regions on notch rings 9, 5, 1 left and 1 right is marked in orange and every column of aligned active regions on notch rings 7 and 3 is marked in yellow.

The number of all-stepping events this combination generates is:

$\#\text{orange columns} \times \#\text{yellow columns} = 4 \times 13 = 52$ all-stepping events every 676 keystrokes

4.7.1 The groups

The same procedure used to determine non-stepping groups and subgroups was used to determine the all-stepping groups and subgroups. Every possible combination of 4 and 2 notch rings was tested searching for aligned active regions.

Aligned active regions on four notch rings

There are 220 ways to select 3 notch rings out of 12 and 676 relative positions between them. There are 2 options to select the notch ring on the right hand face of the ETW.
The position of this notch ring will match the position of the one on the left hand face of the ETW, so there are 3 possible positions for this notch ring depending on which of the three previously selected notch rings is placed on the left hand face of the ETW. There are $220 \times 676 \times 2 \times 3 = 892320$ combinations. These combinations will have a maximum of 5 columns of aligned active regions because the notch ring on the right hand face of the ETW has 5 active regions. The following table summarizes the results.

# Aligned active regions   # Combinations   Percentage of total   # Distinct patterns
0                          92068            10,32%                1
1                          234531           26,28%                1
2                          300453           33,67%                12
3                          193761           21,71%                20
4                          63241            7,09%                 10
5                          8266             0,93%                 2
TOTAL                      892320           100%                  46

Table 4.5: Aligned active regions on four notch rings

Aligned active regions on two notch rings

There are 66 ways to select 2 notch rings from the available set of 12 and there are 26 relative positions between them. This gives a total of 1716 combinations to be searched for aligned active regions. The following table summarizes the results.

# Aligned active regions   # Combinations   Percentage of total   # Distinct patterns
4                          5                0,29%                 5
5                          11               0,64%                 11
6                          30               1,75%                 29
7                          60               3,5%                  53
8                          75               4,37%                 65
9                          110              6,41%                 85
10                         131              7,63%                 96
11                         122              7,11%                 103
12                         151              8,8%                  149
13                         174              10,14%                155
14                         180              10,5%                 138
15                         167              9,73%                 146
16                         145              8,45%                 127
17                         85               4,95%                 77
18                         111              6,47%                 105
19                         68               3,96%                 66
20                         66               3,85%                 65
21                         23               1,34%                 22
22                         2                0,12%                 2
TOTAL                      1716             100%                  1499

Table 4.6: Aligned active regions on two notch rings

All-stepping groups and subgroups

Every combination that belongs to one all-stepping group will cause the same number of all-stepping events. The group will be identified by this number. The minimum possible number is 4 all-stepping events in 676 keystrokes and the maximum number is 110. There are 63 different all-stepping groups and, as with the non-stepping groups, each group is also divided into subgroups. These subgroups split the combinations according to the all-stepping pattern they produce.

Chapter 5 Attacks on NeMa

5.1 The stepping catalog attack

In the case of a chosen plaintext attack, where the attacker can obtain the ciphertexts that correspond to plaintexts of his choice, it is possible to narrow down the search space for the notch rings and their initial position for a brute force attack by using a catalog.

For each non-stepping subgroup it is possible to build a catalog with possible combinations for the notch rings used and their initial positions. The same can be done for each all-stepping subgroup.

If the attacker is able to obtain the ciphertext of a long plaintext of his choice, or several shorter ones, then he will be able to identify the non-stepping and all-stepping patterns from the plaintext/ciphertext pairs. With this information, it will be possible to search for the corresponding subgroups in the catalogs. The catalogs will provide all possible combinations of notch rings and their initial positions that match the non-stepping and all-stepping patterns. This subgroup of combinations provided by the catalogs will reduce the complexity of a brute force attack.

5.1.1 Size of the Catalog

The catalog makes it possible to narrow down the search for the following key elements:

- The subset of 2 notch rings that are placed on drive wheels 9 and 5. It does not provide any information about which of these notch rings is on which wheel.
- The subset of 2 notch rings that are placed on drive wheels 7 and 3. It also does not provide information about which notch ring is on which wheel.
- The notch rings placed on the left and right hand faces of drive wheel 1.
- The initial position of each of the wheels.

There are 12 options for the notch ring on the left hand face of the ETW and 2 options for the notch ring on its right hand face. From the remaining 11 notch rings, there are $\binom{11}{2} = \frac{11 \cdot 10}{2} = 55$ ways (2-combinations of 11) to select the 2 notch rings for drive wheels 9 and 5.
Afterwards, from the remaining 9 notch rings, there are $\binom{9}{2} = \frac{9 \cdot 8}{2} = 36$ ways (2-combinations of 9) to select the 2 notch rings for drive wheels 3 and 7. Additionally, there are $26^5 = 11.881.376$ possible initial positions for the 5 drive wheels. This gives a total of $12 \times 2 \times 55 \times 36 \times 11.881.376 = 564.602.987.520$ different combinations.

5.1.2 Creating the catalog by computer

The simplest way to create this catalog is to test each combination. Each combination's subgroup will be experimentally determined and the combination added to the subgroup. Creating this catalog, even by computer, is a big task. We estimate that it would take approximately 1 month on a dual core 1.6GHz computer.

Analyzing the catalog elements further shows that they can be split into two independent groups: drive wheels 9, 5 and 1 on one side and drive wheels 7 and 3 on the other. It is therefore possible to create two independent catalogs. In total, there will be 2 non-stepping catalogs and 2 all-stepping catalogs:

Red/Blue non-stepping catalog: One catalog with combinations of 4 notch rings for drive wheels 9, 5, 1 left and 1 right. This catalog will have 892320 combinations (12 options for the notch ring on the left of the ETW, 2 options for the notch ring on its right, 55 options for notch rings on drive wheels 9 and 5 and $26^2$ relative positions between the 3 wheels).

Green non-stepping catalog: One catalog with combinations of 2 notch rings for drive wheels 7 and 3. This catalog will have 1716 combinations (66 ways of selecting 2 notch rings out of 12 × 26 relative positions between them).

Orange all-stepping catalog: One catalog with combinations of 4 notch rings for drive wheels 9, 5, 1 left and 1 right. This catalog will have the same size as the Red/Blue non-stepping catalog: 892320 combinations.

Yellow all-stepping catalog: One catalog with combinations of 2 notch rings for drive wheels 7 and 3. This catalog will have the same size as the Green non-stepping catalog: 1716 combinations.
5.1.3 Creating the catalog by hand

The usefulness of the catalogs back when the machine was in use seems very low, mainly because it was not feasible to obtain plaintext/ciphertext pairs long enough to allow an attacker to identify the non-stepping and all-stepping patterns of the machine. However, if some other method to detect the patterns had been developed, the catalogs could have been of great use.

We estimate that an operator would be able, on average, to process one combination per minute. He could simultaneously write the combination in the Red/Blue and Orange catalogs or in the Green and Yellow catalogs. The total number of combinations to be processed is 892320 + 1716 = 894036, so it would take approximately 10 months to compute the catalog considering a group of 6 operators working 8 hours per day.

5.1.4 How to use the catalog

How to find the stepping patterns

The first step necessary to achieve this attack is to compute the stepping patterns generated by the machine. In order to detect the pattern, the attacker needs to obtain:

- the ciphertext of 3 plaintexts which consist of 677 identical letters, or the ciphertext of a plaintext consisting of 2029 identical letters.
- the ciphertext of 3 plaintexts which consist of 677 letters ordered in QWERTZ sequence, or the ciphertext of a plaintext consisting of 2029 letters ordered in QWERTZ sequence.

The attacker must proceed as follows:

- If using long plaintext/ciphertext pairs, then he must split them into three parts: the first part from the first letter to the 677th letter, the second part from the 676th letter to the 1353rd letter and the last part from the 1352nd letter to the end.
- He must take note of the positions in which there are pairs of identical letters in each of the first three ciphertexts (or in each of the three parts of the ciphertext).
- For the last three ciphertexts, he must take note of the position of pairs of consecutive letters in reverse QWERTZ sequence order.
- The common positions found on the first three ciphertexts will give him the non-stepping pattern.
- The common positions found on the last three ciphertexts will give him the all-stepping pattern.

The following example shows the first 52 letters of each ciphertext:

Figure 5.1: Computation of stepping patterns from ciphertexts

This figure shows in yellow every pair of identical letters and in red every pair of consecutive letters in reverse QWERTZ sequence order. Some of the pairs were not caused by a non-stepping or all-stepping event; they were coincidental. This is the reason why it is necessary to have 3 ciphertexts in order to compute the stepping pattern. A coincidental pair will happen once every 26 letters, so it is likely that once every 676 letters there will be a coincidental pair at the same position for two different ciphertexts. This is the reason why three ciphertexts are needed.

In this example, the non-stepping pattern starts with: 2 - 7 - 17 - 28 - 33 - 43 - ...

In this example, the all-stepping pattern starts with: 23 - ...

How to search in the catalog

Once the attacker has computed the stepping patterns, he will need to search for these patterns in the catalog.
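The pattern computation described under "How to find the stepping patterns", which uses the same pair test as Experiment 2, is sketched below as an added example that is not code from the thesis. The ciphertexts are constructed stand-ins rather than NeMa output, with pairs planted at the positions quoted in the example above; the code assumes a position is the 1-based index of the second letter of a pair and that the reverse QWERTZ sequence wraps from Q to M.

```python
REVERSE_QWERTZ = "MNBVCXYLKJHGFDSAPOIUZTREWQ"  # plaintext order used in the text
INDEX = {ch: i for i, ch in enumerate(REVERSE_QWERTZ)}


def pair_positions(ciphertext, delta):
    """1-based positions (of the second letter) of every candidate pair.

    delta=0: identical letters (non-stepping candidates).
    delta=1: second letter follows the first in reverse QWERTZ order
             (all-stepping candidates; direction and wrap are assumptions).
    """
    hits = set()
    for i in range(1, len(ciphertext)):
        prev, cur = INDEX[ciphertext[i - 1]], INDEX[ciphertext[i]]
        if (prev + delta) % 26 == cur:
            hits.add(i + 1)
    return hits


def stepping_pattern(ciphertexts, delta):
    """Positions where every ciphertext shows a pair; coincidences drop out."""
    common = set.intersection(*(pair_positions(c, delta) for c in ciphertexts))
    return sorted(common)


def intervals(positions):
    """Keystroke distances between consecutive events."""
    return [b - a for a, b in zip(positions, positions[1:])]


def constructed_ciphertext(step, pairs, delta, length=52):
    """Constructed sample text: contains pairs only at the given positions."""
    idx = [0]
    for i in range(1, length):
        if i + 1 in pairs:
            idx.append((idx[-1] + delta) % 26)   # plant a pair here
        else:
            idx.append((step * i) % 26)          # steps 5, 7, 11 never pair
    return "".join(REVERSE_QWERTZ[j] for j in idx)


NON_STEPPING = {2, 7, 17, 28, 33, 43}   # positions quoted in the example
ALL_STEPPING = {23}

# Constructed data: each text carries the real events plus its own coincidences.
identical_texts = [
    constructed_ciphertext(7, NON_STEPPING | {12, 40}, delta=0),
    constructed_ciphertext(11, NON_STEPPING | {12}, delta=0),
    constructed_ciphertext(5, NON_STEPPING | {21}, delta=0),
]
qwertz_texts = [
    constructed_ciphertext(7, ALL_STEPPING | {9, 31}, delta=1),
    constructed_ciphertext(11, ALL_STEPPING | {9}, delta=1),
    constructed_ciphertext(5, ALL_STEPPING | {45}, delta=1),
]

if __name__ == "__main__":
    pattern = stepping_pattern(identical_texts, delta=0)
    print("non-stepping pattern:", pattern, "intervals:", intervals(pattern))
    print("two texts only:", stepping_pattern(identical_texts[:2], delta=0))
    print("all-stepping pattern:", stepping_pattern(qwertz_texts, delta=1))
```

With only the first two constructed texts, the shared coincidence at position 12 survives the intersection, which is the failure the third ciphertext is there to remove.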
In order to do this, he must find out which Red/Blue and Green columns produce the non-stepping pattern he found and which Orange and Yellow columns produce the all-stepping pattern he found. For the previous example, the non-stepping pattern shows non-stepping events that repeat every 26 keystrokes. There are 3 non-stepping events in every 26-keystroke interval, with intervals of 5, 10 and 11 keystrokes between them. This means that the