Simple Enigma Cryptanalysis

Burton Rosenberg
25 January 2003.

One method for breaking the German Enigma depended on the repeat of a three letter message key at the beginning of the message. The three letter key was sent using the daily setting and was the setting for the remainder of the message. It was sent twice to reduce error. Eventually German operators stopped doing this and other methods were needed.

We illustrate the analysis with a vastly reduced Enigma machine. It has one rotor and a six letter alphabet. There is no sticker board, but this is not important for this attack. We assume that the message opens with a single letter code repeated twice and calculate the cycle structure of a certain product permutation. We will see that the cycle structure of the permutation depends on the initial setting of the rotor. Although the cycle structure does not completely identify the initial setting, it narrows the possibilities, and the sticker board has no effect.

Our enigma has the following structure. The reflecting wheel implements the permutation 

   r = (1 2)(3 4)(5 6).
The single rotor implements the permutation s_0 in its zero position, and s_i in its i-th position. s_i=s_{i mod 6}

After each character the rotor turns one position. The enciphering of the i-th character is: 

   a_i = s_i r s_i^{-1}
(reading permutations left to right) where 
   s_i = t^i s t^{-i}
where t is the permutation simulating the turning of the rotor by one 
   t = (1 2 3 4 5 6)

Since the first cleartext character is repeated, say xx, if the ciphertext begins yz then: 

    x = a_0^{-1}(y) = a_1^{-1}(z)
    z = a_0 a_1 (y)
since a_i has the same cycle structure as r, it is involutory, thus eliminating the inverse notation. We have one sample of the product permutation a_0 a_1. With additional messages we reconstruct a_0 a_1. The cycle structure depends on the initial setting.

We investigate three different rotor permutations.

The calculations were done in mathematica. The function enc1 is the enciphering function s r s^{-1}. The tws1 function is the "twist" function, simulating the turn of the rotor, t s t^{-1}. The composition permutation a_i a_{i+1} is computed for all i.

Rotor 1 
   s = (1)(2 3)(4 5 6).

Odd initial settings have cycle structure two three-cycles, even intial settings have cycle structure a pair of two-cycles and a pair of fixed points. This cuts key search in half. A larger Enigma would have a richer vocabulary of cycle structures, cutting the key space by a greater fraction, and the sticker board is rendered irrelavant. 

In[3]:= <<DiscreteMath`Combinatorica`

In[66]:= enc1[x_]:= ToCycles[Permute[
                                Permute[InversePermutation[FromCycles[x]],
                                        FromCycles[r]],
                                FromCycles[x]]]

In[68]:= tws1[x_]:= ToCycles[Permute[
                                Permute[InversePermutation[FromCycles[t]],
                                        FromCycles[x]],
                                FromCycles[t]]]

In[69]:= r={{1,2},{3,4},{5,6}}

In[70]:= t={{1,2,3,4,5,6}}

In[71]:= s0={{1},{2,3},{4,5,6}}

In[73]:= a0 = enc1[s0]

Out[73]= {{3, 1}, {6, 2}, {5, 4}}

In[74]:= s1=tws1[s0]

Out[74]= {{2, 1}, {4, 5, 3}, {6}}

In[75]:= a1=enc1[s1]

Out[75]= {{2, 1}, {5, 3}, {6, 4}}

In[76]:= s2=tws1[s1]

Out[76]= {{6, 1}, {3, 4, 2}, {5}}

In[77]:= a2=enc1[s2]

Out[77]= {{5, 1}, {3, 2}, {6, 4}}

In[78]:= s3=tws1[s2]

Out[78]= {{2, 3, 1}, {4}, {6, 5}}

In[79]:= a3=enc1[s3]

Out[79]= {{3, 1}, {4, 2}, {6, 5}}

In[80]:= s4=tws1[s3]

Out[80]= {{2, 6, 1}, {3}, {5, 4}}

In[81]:= a4=enc1[s4]

Out[81]= {{6, 1}, {4, 2}, {5, 3}}

In[82]:= s5=tws1[s4]

Out[82]= {{5, 6, 1}, {2}, {4, 3}}

In[83]:= a5=enc1[s5]

Out[83]= {{5, 1}, {6, 2}, {4, 3}}

In[84]:= tws1[s5]

Out[84]= {{1}, {3, 2}, {5, 6, 4}}

In[92]:= cmp[x_,y_]:= ToCycles[Permute[FromCycles[y],FromCycles[x]]]

In[93]:= cmp[a0,a1]

Out[93]= {{5, 6, 1}, {4, 3, 2}}

In[94]:= cmp[a1,a2]

Out[94]= {{3, 1}, {5, 2}, {4}, {6}}

In[95]:= cmp[a2,a3]

Out[95]= {{6, 2, 1}, {4, 5, 3}}

In[96]:= cmp[a3,a4]

Out[96]= {{5, 1}, {2}, {6, 3}, {4}}

In[97]:= cmp[a4,a5]

Out[97]= {{2, 3, 1}, {6, 5, 4}}

In[98]:= cmp[a5,a0]

Out[98]= {{4, 1}, {2}, {5, 3}, {6}}

Rotor 2 
   s = (1 2 3 4)(5 6)

This demonstrates that some choices of rotors are unfortunate. The sequence of permutations s_i repeat themselves. In particular 
   a_0=a_3, a_1=a_4, a_2=a_5.


In[1]:= <<DiscreteMath`Combinatorica`

In[2]:= enc1[x_]:=ToCycles[Permute[Permute[InversePermutation[FromCycles[x]],FromCycles[r]],FromCycles[x]]]

In[3]:= tws1[x_]:=ToCycles[Permute[Permute[InversePermutation[FromCycles[t]],FromCycles[x]],FromCycles[t]]]

In[4]:= cmp[x_,y_]:=ToCycles[Permute[FromCycles[y],FromCycles[x]]]

In[5]:= r={{1,2},{3,4},{5,6}}

In[6]:= t={{1,2,3,4,5,6}}

In[25]:= s0={{1,2,3,4},{5,6}}

In[26]:= a0=enc1[s0]

Out[26]= {{4, 1}, {3, 2}, {6, 5}}

In[27]:= s1=tws1[s0]

Out[27]= {{2, 3, 6, 1}, {5, 4}}

In[28]:= a1=enc1[s1]

Out[28]= {{6, 1}, {5, 2}, {4, 3}}

In[29]:= s2=tws1[s1]

Out[29]= {{2, 5, 6, 1}, {4, 3}}

In[30]:= a2=enc1[s2]

Out[30]= {{6, 1}, {5, 2}, {4, 3}}

In[31]:= s3=tws1[s2]

Out[31]= {{4, 5, 6, 1}, {3, 2}}

In[32]:= a3=enc1[s3]

Out[32]= {{2, 1}, {6, 3}, {5, 4}}

In[33]:= s4=tws1[s3]

Out[33]= {{2, 1}, {4, 5, 6, 3}}

In[34]:= a4=enc1[s4]

Out[34]= {{2, 1}, {6, 3}, {5, 4}}

In[35]:= s5=tws1[s4]

Out[35]= {{6, 1}, {3, 4, 5, 2}}

In[36]:= a5=enc1[s5]

Out[36]= {{4, 1}, {3, 2}, {6, 5}}

In[37]:= s6=tws1[s5]

Out[37]= {{2, 3, 4, 1}, {6, 5}}

In[43]:= cmp[a0,a1]

Out[43]= {{3, 5, 1}, {4, 6, 2}}

In[44]:= cmp[a1,a2]

Out[44]= {{1}, {2}, {3}, {4}, {5}, {6}}

In[45]:= cmp[a2,a3]

Out[45]= {{3, 5, 1}, {4, 6, 2}}

In[48]:= cmp[a3,a4]

Out[48]= {{1}, {2}, {3}, {4}, {5}, {6}}

In[49]:= cmp[a4,a5]

Out[49]= {{3, 5, 1}, {4, 6, 2}}

In[50]:= cmp[a5,a0]

Out[50]= {{1}, {2}, {3}, {4}, {5}, {6}}

Rotor 3 
    s = (1 2 3)(4 5 6)

This demonstrates that certain rotors prevent this attack. All products a_i a_{i+1} have similar cycle structure. In this case, a pair of three cycles. 

In[1]:= <<DiscreteMath`Combinatorica`

In[2]:= enc1[x_]:=ToCycles[Permute[Permute[InversePermutation[FromCycles[x]],FromCycles[r]],FromCycles[x]]]

In[3]:= tws1[x_]:=ToCycles[Permute[Permute[InversePermutation[FromCycles[t]],FromCycles[x]],FromCycles[t]]]

In[4]:= cmp[x_,y_]:=ToCycles[Permute[FromCycles[y],FromCycles[x]]]

In[5]:= r={{1,2},{3,4},{5,6}}

In[6]:= t={{1,2,3,4,5,6}}

In[7]:= s0={{1,2,3},{4,5,6}}

In[8]:= a0=enc1[s0]

Out[8]= {{3, 1}, {6, 2}, {5, 4}}

In[9]:= s1=tws1[s0]

Out[9]= {{2, 6, 1}, {4, 5, 3}}

In[10]:= a1=enc1[s1]

Out[10]= {{6, 1}, {4, 2}, {5, 3}}

In[11]:= s2=tws1[s1]

Out[11]= {{5, 6, 1}, {3, 4, 2}}

In[12]:= a2=enc1[s2]

Out[12]= {{5, 1}, {3, 2}, {6, 4}}

In[13]:= s3=tws1[s2]

Out[13]= {{2, 3, 1}, {5, 6, 4}}

In[14]:= a3=enc1[s3]

Out[14]= {{3, 1}, {6, 2}, {5, 4}}

In[15]:= s4=tws1[s3]

Out[15]= {{2, 6, 1}, {4, 5, 3}}

In[16]:= a4=enc1[s4]

Out[16]= {{6, 1}, {4, 2}, {5, 3}}

In[17]:= s5=tws1[s4]

Out[17]= {{5, 6, 1}, {3, 4, 2}}

In[18]:= a5=enc1[s5]

Out[18]= {{5, 1}, {3, 2}, {6, 4}}

In[19]:= s6=tws1[s5]

Out[19]= {{2, 3, 1}, {5, 6, 4}}

In[20]:= cmp[a0,a1]

Out[20]= {{5, 2, 1}, {6, 4, 3}}

In[21]:= cmp[a1,a2]

Out[21]= {{4, 3, 1}, {6, 5, 2}}

In[22]:= cmp[a2,a3]

Out[22]= {{4, 2, 1}, {6, 5, 3}}

In[23]:= cmp[a3,a4]

Out[23]:= {{5, 2, 1}, {6, 4, 3}}

In[24]:= cmp[a4,a5]

Out[24]= {{4, 3, 1}, {6, 5, 2}}

In[25]:= cmp[a5,a0]

Out[25]= {{4, 2, 1}, {6, 5, 3}}