Lecture 5:
Enigma
Concluded
Bletchley Park (June 2004)
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Last Time: Added Plugboard
Plaintext
B
Ciphertext Plugboard
L
M
N
R
Rotor
1
Rotor
2
Rotor
3
Reflector
6 plugs: (26*25)/2 * (24*23)/2 * … * (16*15/2) / 6!
= 1011 times more keys
3 February 2005
University of Virginia CS 588
2
Poster in RAF Museum
3 February 2005
University of Virginia CS 588
3
Operation
• Day key (distributed in code book)
• Each message begins with message
key (“randomly” chosen by sender)
encoded using day key
• Message key sent twice to check
• After receiving message key, re-orient
rotors according to key
3 February 2005
University of Virginia CS 588
4
Letter Permutations
Symmetry of Enigma:
if Epos (x) = y we know Epos (y) = x
Given message openings
DMQ VBM
E1(m1) = D E4(m1) = V E1oE4(D) = V
VON PUY
=> E1(D) = m1
PUC FMQ
=> E4 (E1 (D)) = V
With enough message openings, we can build
complete cycles for each position pair:
E1oE4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S)
Note: Cycles must come in pairs of equal length
3 February 2005
University of Virginia CS 588
5
Composing Involutions
• E1 and E2 are involutions (x  y  y  x)
• Without loss of generality, we can write:
E1 contains (a1a2) (a3a4) … (a2k-1a2k)
E2 contains (a2a3) (a4a5) … (a2ka1)
E1
E2
a1  a2
a2  x = a3
or x = a1
a3  a4
a4  x = a5
Why can’t
or x = a1
x be a2 or a3?
3 February 2005
University of Virginia CS 588
6
Rejewski’s Theorem
E1 contains (a1a2) (a3a4) … (a2k-1a2k)
E4 contains (a2a3) (a4a5) … (a2ka1)
E1E4 contains (a1a3a5…a2k-1)
(a2ka2k-2… a4a2)
• The composition of two involutions consists
of pairs of cycles of the same length
• For cycles of length n, there are n possible
factorizations
3 February 2005
University of Virginia CS 588
7
Factoring Permutations
E1E4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC)
(RW) (A) (S)
(A) (S) = (AS) o (SA)
(BC) (RW) = (BR)(CW) o (BW)(CR)
or = (BW)(RC) o (WC) (BR)
(DVPFKXGZYO) (EIJMUNQLHT)
= (DE)(VI)… or (DI)(VJ) … or (DJ)(VM) …
… (DT)(VE)
10 possibilities
3 February 2005
University of Virginia CS 588
8
How many factorizations?
(DVPFKXGZYO) (EIJMUNQLHT)
E1
E2
D  a2
V  a4
a2  V
a4  P
Once we guess a2 everything else must follow!
So, only n possible factorizations for an n-letter cycle
Total to try = 2 * 10 = 20
E2E5 and E3E6 likely to have about 20 to try also
 About 203 (8000) factorizations to try
(still too many in pre-computer days)
3 February 2005
University of Virginia CS 588
9
Luckily…
• Operators picked message keys
(“cillies”)
– Identical letters
– Easy to type (e.g., QWE)
• If we can guess P1 = P2 = P3 (or known
relationships) can reduce number of
possible factorizations
• If we’re lucky – this leads to E1 …E6
3 February 2005
University of Virginia CS 588
10
Solving?
E1 = B-1L-1Q LB
E2 = B-1L-2QL2B
E3 = B-1L-3QL3B
E4 = B-1L-4QL4B
E5 = B-1L-5QL5B
E6 = B-1L-6QL6B
3 February 2005
6 equations, 3
unknowns
Not known to be
efficiently solvable
University of Virginia CS 588
11
Solving?
Often, know plugboard
E1 = B-1L-1Q LB
settings (didn’t change
frequently)
BE1B-1 = L-1Q L
6 equations, 2 unknowns – solvable
6 possible arrangements of 3 rotors, 263 starting locations
= 105,456 possibilities
Poles spent a year building a catalog of cycle structures
covering all of them (until Nov 1937): 20 mins to break
Then Germans changed reflector and they had to start over.
3 February 2005
University of Virginia CS 588
12
1939
• Early 1939 – Germany changes scamblers and
adds extra plugboard cables, stop doubletransmissions
– Poland unable to cryptanalyze
• 25 July 1939 – Rejewski invites French and
British cryptographers
– Gives England replica Enigma machine constructed
from plans, cryptanalysis
• 1 Sept 1939 – Germany invades Poland, WWII
starts
3 February 2005
University of Virginia CS 588
13
Bletchley Park
• Alan Turing leads British effort to crack
Enigma
• Use cribs (“WETTER” transmitted every
day at 6am) to find structure of plugboard
settings
• Built “bombes” to automate testing
• 10,000 people worked at Bletchley Park on
breaking Enigma (100,000 for Manhattan
Project)
3 February 2005
University of Virginia CS 588
14
Alan Turing’s “Bombe”
Steps through all possible rotor positions (263), testing
for probable plaintext; couldn’t search all plugboard
settings (> 1012); take advantage of loops in cribs
3 February 2005
University of Virginia CS 588
15
Enigma Cryptanalysis
• Relied on combination of sheer brilliance,
mathematics, espionage, operator errors, and
hard work
• Huge impact on WWII
– Britain knew where German U-boats were
– Advance notice of bombing raids
– But...keeping code break secret more important
than short-term uses
• The Coventry bombing story isn’t true, but decoy scouts is
3 February 2005
University of Virginia CS 588
16
Projects
• Start thinking about projects and forming
teams
• Prefer teams of 3 people
– In rare circumstances will allow solo projects
• Preliminary Proposals due Feb 15
– List of team members
• Use web forum to discuss project ideas, find interested
teammates
– Either:
• Short blurbs for at least 3 project ideas
• A description of a project idea with some background,
convincing argument it will be possible and interesting
3 February 2005
University of Virginia CS 588
17
Project Option 1: Research
• Research Projects
– Identify an interesting problem related to
cryptography/security
• Devise an approach for solving it
– Analyze security of some system
• GET PERMISSION FIRST!
• Doesn’t need to be limited to purely
computational systems
3 February 2005
University of Virginia CS 588
18
Project Option 2: “Outreach”
• Do something relevant to this course
that is beneficial to the larger
community. Examples include:
– Develop and teach a course for K-12
students that uses cryptography to make
math interesting
– Produce something that conveys important
security principles to the general public
• Movie screening at end of class today
3 February 2005
University of Virginia CS 588
19
Which should you do?
• Grad student, grad-school bound 3rd or
4th year: research project that integrates
with your main research
• 3rd/4th year looking for a job: something
you can talk about on job interviews
• 4th year with a job: outreach project
• 4th year who doesn’t want a job
3 February 2005
University of Virginia CS 588
20
Modern Symmetric Ciphers
A billion billion is a large number, but it's not that
large a number.
— Whitfield Diffie
3 February 2005
University of Virginia CS 588
21
Goals of Cipher:
Diffusion and Confusion
• Claude Shannon [1945]
• Diffussion:
– Small change in plaintext, changes lots of
ciphertext
– Statistical properties of plaintext hidden in
ciphertext
• Confusion:
– Statistical relationship between key and ciphertext
as complex as possible
• So, need to design functions that produce
output that is diffuse and confused
3 February 2005
University of Virginia CS 588
22
Block Ciphers
• Stream Ciphers
– Encrypts small (bit or byte) units one at a time
• Block Ciphers
– Encrypts large chunks (64 bits) at once
• Ciphers we have seen so far:
– Changing one letter of message only changes one
letter of ciphertext
– There were classical ciphers that had some
diffusion: Vigenère autokey, Hill cipher (2-letter
chunks)
3 February 2005
University of Virginia CS 588
23
Ideal Block Cipher
• 64 bit blocks
• 264 possible plaintext blocks, must have at
least 264 corresponding ciphertext blocks
– There are 264! possible mappings
• Why not just create a random mapping?
– Need a 264 * 64-bit table  1021 bits
– $14 quadrillion
– Need to distribute new table if compromised
• Approximate ideal random mapping using
components controlled by a key
3 February 2005
University of Virginia CS 588
24
Feistel Cipher Structure
Plaintext
R0
Substitution
L0
K1

F
Permutation
Round
L0 = left half of plaintext
R0 = right half of plaintext
Li = Ri - 1
Ri = Li - 1  F (Ri - 1, Ki )
C = Rn || Ln
L1
3 February 2005
R1
n is number of rounds
(undo last permutation)
University of Virginia CS 588
25
One Round Feistel
Li = Ri - 1
E (L0 || R0):
Ri = Li - 1  F (Ri - 1, Ki )
L1 = R0
R1 = L0  F (R0, K1))
C = R1 || L1 = L0  F (R0, K1)) || R0
3 February 2005
University of Virginia CS 588
26
Decryption
Ciphertext
RD0
LD0
Substitution
LD0 = left half of ciphertext
RD0 = right half of ciphertext
Kn

LDi = RDi - 1
RDi = LDi - 1
F
Permutation
 F (RDi - 1, Kn – i + 1)
L1
3 February 2005
R1
P = RDn || LDn
n is number of rounds
University of Virginia CS 588
27
Decryption
LDi = RDi - 1
RDi = LDi - 1  F (RDi - 1, Kn – i + 1)
D (L0  F (R0, K1)) || R0)
LD0 = L0  F (R0, K1) RD0 = R0
LD1 = R0
RD1 = LD0  F (RD0, K1)
= L0  F (R0, K1)  F (RD0, K1))
= L0
P = RD1 || LD1 = L0 || R0
Yippee!
3 February 2005
University of Virginia CS 588
28
Multiple Rounds
• The entire round is a function:
fK (L || R) = R || L  F (R, K))
swap (L || R) = R || L
• E = swap ° swap ° fKr ° swap ° fKr-1 °
... ° fK2 ° swap ° fK1
• D = fK1 ° swap ° fK2 ° ... °
fKr-1 ° swap ° fKr ° swap ° swap
3 February 2005
University of Virginia CS 588
29
Decryption
swap (fK (swap (fK (L || R))
= swap (fK (swap (R || L  F (R, K))))
= swap (fK (L  F (R, K) || R))
= swap (R || (L  F (R, K))  F (R, K))
= swap (R || L) = L || R
So swap ° fK its own inverse!
3 February 2005
University of Virginia CS 588
30
F
• What are the requirements on F?
– For decryption to work: none!
– For security:
• Hide patterns in plaintext
• Hide patterns in key
• Coming up with a good F is hard
3 February 2005
University of Virginia CS 588
31
Charge
• Start to think of interesting project ideas
• Post on discussion forum, find
teammates
• Next time:
– DES: a Feistel cipher
– Breaking DES (including Girish Ratanpal)
• Movie (if you can stay, otherwise it is on
the web)
3 February 2005
University of Virginia CS 588
32