<p>PRAISE FOR SIMON SINGH AND The Code Book</p><p>“Singh spins tales of cryptic intrigue in every chapter.”</p><p>—The Wall Street Journal</p><p>“Brings together … the geniuses who have secured communications, saved lives, and</p><p>influenced the fate of nations. A pleasure to read.”</p><p>—Chicago Tribune</p><p>“Singh pursues the fascinating story [of codes] through the centuries, always providing</p><p>plenty of detailed examples of ciphers for those who appreciate the intricacies of the</p><p>medium.”</p><p>—Los Angeles Times</p><p>“Especially effective at putting the reader in the codebreaker’s shoes, facing each new,</p><p>apparently unbreakable code.… Singh does a fine job.”</p><p>—The New York Times Book Review</p><p>“Entertaining.… Singh has a flair for narrative.”</p><p>—San Francisco Chronicle</p><p>“Singh is an interesting mix of scientist and storyteller, and this subject is the perfect mix</p><p>of true fact and tall tales.”</p><p>—The San Diego Union-Tribune</p><p>“Where would we Information Age ignoramuses be without smart guys like Stephen Jay</p><p>Gould, the late Carl Sagan, or Simon Singh? They are the troubadours of our time, making</p><p>complicated subjects understandable and entertaining.”</p><p>—The Plain Dealer</p><p>“In this entertaining survey, the evolution of cryptography is driven by the ongoing</p><p>struggle between code-makers and codebreakers.”</p><p>—The New Yorker</p><p>“[Singh] is well-equipped to describe all the arcane mathematics in layman’s language.”</p><p>—Forbes</p><p>“Wonderful stories.… Close reading is rewarded with the flash of logical insight that the</p><p>codebreakers must enjoy.”</p><p>—Hartford Advocate</p><p>“An illuminating and entertaining account.… From the first page, Singh shows his knack</p><p>both for explaining complex areas of science and telling rip-roaring stories.”</p><p>—New York Law Journal</p><p>“My only regret is that this great book has come far too late. 
If only someone had given it</p><p>to me when I was 10, my secret plans for world playground domination might never have</p><p>been foiled.”</p><p>—James Flint, The Observer (London)</p><p>“Full of fascinating case histories covering the development and practical use of</p><p>cryptography.”</p><p>—Mail on Sunday (London)</p><p>“Singh has created an authoritative and engrossing read which both explains and</p><p>humanizes the subject.… This intelligent, exciting book takes its drive from a simple</p><p>premise-that nothing is as exciting as a secret.”</p><p>—Scotland on Sunday</p><p>SIMON SINGH</p><p>The Code Book</p><p>Simon Singh received his Ph.D. in physics from Cambridge</p><p>University. A former BBC producer, he directed an award-</p><p>winning documentary film on Fermat’s Last Theorem that</p><p>aired on PBS’s Nova series and wrote the bestselling book,</p><p>Fermat’s Enigma. He lives in London, England.</p><p>Also by Simon Singh</p><p>Fermat’s Enigma</p><p>FIRST ANCHOR BOOKS EDITION, SEPTEMBER 2000</p><p>Copyright © 1999 by Simon Singh</p><p>All rights reserved under International and Pan-American Copyright Conventions.</p><p>Published in the United States by Anchor Books, a division of Random House, Inc., New</p><p>York, and simultaneously in Canada by Random House of Canada Limited, Toronto.</p><p>Originally published in hardcover in the United States by Doubleday, a division of Random</p><p>House, Inc., New York, and in the United Kingdom by the Fourth Estate, London, in 1999.</p><p>Anchor Books and colophon are registered trademarks of Random House, Inc.</p><p>The Library of Congress has cataloged the Doubleday edition as follows:</p><p>Singh, Simon.</p><p>The code book : the evolution of secrecy from Mary Queen of Scots to quantum</p><p>cryptography / Simon Singh. –1st ed.</p><p>p. cm.</p><p>1. Cryptography–History. 2. Data encryption (Computer science)–History. I. 
Title.</p><p>Z103.S56 1999</p><p>652′.8′09–dc21 99-35261</p><p>eISBN: 978-0-307-78784-2</p><p>Author photo © Nigel Spalding</p><p>www.anchorbooks.com</p><p>v3.1_r2</p><p>For my mother and father,</p><p>Sawaran Kaur and Mehnga Singh</p><p>The urge to discover secrets is deeply ingrained in human</p><p>nature; even the least curious mind is roused by the</p><p>promise of sharing knowledge withheld from others. Some</p><p>are fortunate enough to find a job which consists in the</p><p>solution of mysteries, but most of us are driven to</p><p>sublimate this urge by the solving of artificial puzzles</p><p>devised for our entertainment. Detective stories or</p><p>crossword puzzles cater for the majority; the solution of</p><p>secret codes may be the pursuit of a few.</p><p>John Chadwick</p><p>The Decipherment of Linear B</p><p>Contents</p><p>Cover</p><p>About the Author</p><p>Other Books by This Author</p><p>Title Page</p><p>Copyright</p><p>Dedication</p><p>Epigraph</p><p>Introduction</p><p>1 The Cipher of Mary Queen of Scots</p><p>2 Le Chiffre Indéchiffrable</p><p>3 The Mechanization of Secrecy</p><p>4 Cracking the Enigma</p><p>5 The Language Barrier</p><p>6 Alice and Bob Go Public</p><p>7 Pretty Good Privacy</p><p>8 A Quantum Leap into the Future</p><p>The Cipher Challenge</p><p>Appendices</p><p>Glossary</p><p>Acknowledgments</p><p>Further Reading</p><p>Picture Credits</p><p>Introduction</p><p>For thousands of years, kings, queens and generals have relied on</p><p>efficient communication in order to govern their countries and</p><p>command their armies. At the same time, they have all been aware</p><p>of the consequences of their messages falling into the wrong hands,</p><p>revealing precious secrets to rival nations and betraying vital</p><p>information to opposing forces. 
It was the threat of enemy</p><p>interception that motivated the development of codes and ciphers:</p><p>techniques for disguising a message so that only the intended</p><p>recipient can read it.</p><p>The desire for secrecy has meant that nations have operated</p><p>codemaking departments, responsible for ensuring the security of</p><p>communications by inventing and implementing the best possible</p><p>codes. At the same time, enemy codebreakers have attempted to</p><p>break these codes, and steal secrets. Codebreakers are linguistic</p><p>alchemists, a mystical tribe attempting to conjure sensible words out</p><p>of meaningless symbols. The history of codes and ciphers is the</p><p>story of the centuries-old battle between codemakers and</p><p>codebreakers, an intellectual arms race that has had a dramatic</p><p>impact on the course of history.</p><p>In writing The Code Book, I have had two main objectives. The</p><p>first is to chart the evolution of codes. Evolution is a wholly</p><p>appropriate term, because the development of codes can be viewed</p><p>as an evolutionary struggle. A code is constantly under attack from</p><p>codebreakers. When the codebreakers have developed a new</p><p>weapon that reveals a code’s weakness, then the code is no longer</p><p>useful. It either becomes extinct or it evolves into a new, stronger</p><p>code. In turn, this new code thrives only until the codebreakers</p><p>identify its weakness, and so on. This is analogous to the situation</p><p>facing, for example, a strain of infectious bacteria. The bacteria live,</p><p>thrive and survive until doctors discover an antibiotic that exposes a</p><p>weakness in the bacteria and kills them. The bacteria are forced to</p><p>evolve and outwit the antibiotic, and, if successful, they will thrive</p><p>once again and reestablish themselves. 
The bacteria are continually</p><p>forced to evolve in order to survive the onslaught of new antibiotics.</p><p>The ongoing battle between codemakers and codebreakers has</p><p>inspired a whole series of remarkable scientific breakthroughs. The</p><p>codemakers have continually striven to construct ever-stronger</p><p>codes for defending communications, while codebreakers have</p><p>continually invented more powerful methods for attacking them. In</p><p>their efforts to destroy and preserve secrecy, both sides have drawn</p><p>upon a diverse range of disciplines and technologies, from</p><p>mathematics to linguistics, from information theory to quantum</p><p>theory. In return, codemakers and codebreakers have enriched these</p><p>subjects, and their work has accelerated technological development,</p><p>most notably in the case of the modern computer.</p><p>History is punctuated with codes. They have decided the</p><p>outcomes of battles and led to the deaths of kings and queens. I</p><p>have therefore been able to call upon stories of political intrigue and</p><p>tales of life and death to illustrate the key turning points in the</p><p>evolutionary development of codes. The history of codes is so</p><p>inordinately rich that I have been forced</p><p>ample opportunity to carry on a long-term affair</p><p>with his wife. Toward the end of the sixteenth century the French</p><p>consolidated their codebreaking prowess with the arrival of François</p><p>Viète, who took particular pleasure in cracking Spanish ciphers.</p><p>Spain’s cryptographers, who appear to have been naive compared</p><p>with their rivals elsewhere in Europe, could not believe it when they</p><p>discovered that their messages were transparent to the French. 
King</p><p>Philip II of Spain went as far as petitioning the Vatican, claiming</p><p>that the only explanation for Viète’s cryptanalysis was that he was</p><p>an “archfiend in league with the devil.” Philip argued that Viète</p><p>should be tried before a Cardinal’s Court for his demonic deeds; but</p><p>the Pope, who was aware that his own cryptanalysts had been</p><p>reading Spanish ciphers for years, rejected the Spanish petition.</p><p>News of the petition soon reached cipher experts in various</p><p>countries, and Spanish cryptographers became the laughingstock of</p><p>Europe.</p><p>The Spanish embarrassment was symptomatic of the state of the</p><p>battle between cryptographers and cryptanalysts. This was a period</p><p>of transition, with cryptographers still relying on the</p><p>monoalphabetic substitution cipher, while cryptanalysts were</p><p>beginning to use frequency analysis to break it. Those yet to</p><p>discover the power of frequency analysis continued to trust</p><p>monoalphabetic substitution, ignorant of the extent to which</p><p>cryptanalysts such as Soro, Babou and Viète were able to read their</p><p>messages.</p><p>Meanwhile, countries that were alert to the weakness of the</p><p>straightforward monoalphabetic substitution cipher were anxious to</p><p>develop a better cipher, something that would protect their own</p><p>nation’s messages from being unscrambled by enemy cryptanalysts.</p><p>One of the simplest improvements to the security of the</p><p>monoalphabetic substitution cipher was the introduction of nulls,</p><p>symbols or letters that were not substitutes for actual letters, merely</p><p>blanks that represented nothing. For example, one could substitute</p><p>each plain letter with a number between 1 and 99, which would</p><p>leave 73 numbers that represent nothing, and these could be</p><p>randomly sprinkled throughout the ciphertext with varying</p><p>frequencies. 
The nulls would pose no problem to the intended</p><p>recipient, who would know that they were to be ignored. However,</p><p>the nulls would baffle an enemy interceptor because they would</p><p>confuse an attack by frequency analysis. An equally simple</p><p>development was that cryptographers would sometimes deliberately</p><p>misspell words before encrypting the message. Thys haz thi ifekkt</p><p>off diztaughting thi ballans off frikwenseas—making it harder for</p><p>the cryptanalyst to apply frequency analysis. However, the intended</p><p>recipient, who knows the key, can unscramble the message and then</p><p>deal with the bad, but not unintelligible, spelling.</p><p>Another attempt to shore up the monoalphabetic substitution</p><p>cipher involved the introduction of codewords. The term code has a</p><p>very broad meaning in everyday language, and it is often used to</p><p>describe any method for communicating in secret. However, as</p><p>mentioned in the Introduction, it actually has a very specific</p><p>meaning, and applies only to a certain form of substitution. So far</p><p>we have concentrated on the idea of a substitution cipher, whereby</p><p>each letter is replaced by a different letter, number or symbol.</p><p>However, it is also possible to have substitution at a much higher</p><p>level, whereby each word is represented by another word or symbol</p><p>—this would be a code. For example,</p><p>Technically, a code is defined as substitution at the level of words or</p><p>phrases, whereas a cipher is defined as substitution at the level of</p><p>letters. Hence the term encipher means to scramble a message using</p><p>a cipher, while encode means to scramble a message using a code.</p><p>Similarly, the term decipher applies to unscrambling an enciphered</p><p>message, and decode to unscrambling an encoded message. The</p><p>terms encrypt and decrypt are more general, and cover scrambling</p><p>and unscrambling with respect to both codes and ciphers. 
Figure 7</p><p>presents a brief summary of these definitions. In general, I shall</p><p>keep to these definitions, but when the sense is clear, I might use a</p><p>term such as “codebreaking” to describe a process that is really</p><p>“cipher breaking”-the latter phrase might be technically accurate,</p><p>but the former phrase is widely accepted.</p><p>Figure 7 The science of secret writing and its main branches.</p><p>At first sight, codes seem to offer more security than ciphers,</p><p>because words are much less vulnerable to frequency analysis than</p><p>letters. To decipher a monoalphabetic cipher you need only identify</p><p>the true value of each of the 26 characters, whereas to decipher a</p><p>code you need to identify the true value of hundreds or even</p><p>thousands of codewords. However, if we examine codes in more</p><p>detail, we see that they suffer from two major practical failings</p><p>when compared with ciphers. First, once the sender and receiver</p><p>have agreed upon the 26 letters in the cipher alphabet (the key),</p><p>they can encipher any message, but to achieve the same level of</p><p>flexibility using a code they would need to go through the</p><p>painstaking task of defining a codeword for every one of the</p><p>thousands of possible plaintext words. The codebook would consist</p><p>of hundreds of pages, and would look something like a dictionary.</p><p>In other words, compiling a codebook is a major task, and carrying</p><p>it around is a major inconvenience.</p><p>Second, the consequences of having a codebook captured by the</p><p>enemy are devastating. Immediately, all the encoded</p><p>communications would become transparent to the enemy. 
The</p><p>senders and receivers would have to go through the painstaking</p><p>process of having to compile an entirely new codebook, and then</p><p>this hefty new tome would have to be distributed to everyone in the</p><p>communications network, which might mean securely transporting</p><p>it to every ambassador in every state. In comparison, if the enemy</p><p>succeeds in capturing a cipher key, then it is relatively easy to</p><p>compile a new cipher alphabet of 26 letters, which can be</p><p>memorized and easily distributed.</p><p>Even in the sixteenth century, cryptographers appreciated the</p><p>inherent weaknesses of codes, and instead relied largely on ciphers,</p><p>or sometimes nomenclators. A nomenclator is a system of encryption</p><p>that relies on a cipher alphabet, which is used to encrypt the</p><p>majority of a message, and a limited list of codewords. For example,</p><p>a nomenclator book might consist of a front page containing the</p><p>cipher alphabet, and then a second page containing a list of</p><p>codewords. Despite the addition of codewords, a nomenclator is not</p><p>much more secure than a straightforward cipher, because the bulk</p><p>of a message can be deciphered using frequency analysis, and the</p><p>remaining encoded words can be guessed from the context.</p><p>As well as coping with the introduction of the nomenclator, the</p><p>best cryptanalysts were also capable of dealing with badly spelled</p><p>messages and the presence of nulls. In short, they were able to break</p><p>the majority of encrypted messages. Their skills provided a steady</p><p>flow of uncovered secrets, which influenced the decisions of their</p><p>masters and mistresses, thereby affecting Europe’s history at critical</p><p>moments.</p><p>Nowhere is the impact of cryptanalysis more dramatically</p><p>illustrated than in the case of Mary Queen of Scots. 
The outcome of</p><p>her trial depended wholly on the battle between her codemakers</p><p>and Queen Elizabeth’s codebreakers. Mary was one of the most</p><p>significant figures of the sixteenth century-Queen of Scotland,</p><p>Queen of France, pretender to the English throne-yet her fate would</p><p>be decided by a slip of paper, the message it bore, and whether or</p><p>not that message could be deciphered.</p><p>The Babington Plot</p><p>On November 24, 1542, the English forces of Henry VIII demolished</p><p>the Scottish army at the Battle of Solway Moss. It appeared that</p><p>Henry was on the verge of conquering Scotland and stealing the</p><p>crown of King James V. After the battle, the distraught Scottish king</p><p>suffered a complete mental and physical breakdown, and withdrew</p><p>to the palace at Falkland.</p><p>Even the birth of a daughter, Mary, just</p><p>two weeks later could not revive the ailing king. It was as if he had</p><p>been waiting for news of an heir so that he could die in peace, safe</p><p>in the knowledge that he had done his duty. Just a week after</p><p>Mary’s birth, King James V, still only thirty years old, died. The</p><p>baby princess had become Mary Queen of Scots.</p><p>Mary was born prematurely, and initially there was considerable</p><p>concern that she would not survive. Rumors in England suggested</p><p>that the baby had died, but this was merely wishful thinking at the</p><p>English court, which was keen to hear any news that might</p><p>destabilize Scotland. In fact, Mary soon grew strong and healthy,</p><p>and at the age of nine months, on September 9, 1543, she was</p><p>crowned in the chapel of Stirling Castle, surrounded by three earls,</p><p>bearing on her behalf the royal crown, scepter and sword.</p><p>The fact that Queen Mary was so young offered Scotland a respite</p><p>from English incursions. 
It would have been deemed unchivalrous</p><p>had Henry VIII attempted to invade the country of a recently dead</p><p>king, now under the rule of an infant queen. Instead, the English</p><p>king decided on a policy of wooing Mary in the hope of arranging a</p><p>marriage between her and his son Edward, thereby uniting the two</p><p>nations under a Tudor sovereign. He began his maneuvering by</p><p>releasing the Scottish nobles captured at Solway Moss, on the</p><p>condition that they campaign in favor of a union with England.</p><p>However, after considering Henry’s offer, the Scottish court</p><p>rejected it in favor of a marriage to Francis, the dauphin of France.</p><p>Scotland was choosing to ally itself with a fellow Roman Catholic</p><p>nation, a decision which pleased Mary’s mother, Mary of Guise,</p><p>whose own marriage with James V had been intended to cement the</p><p>relationship between Scotland and France. Mary and Francis were</p><p>still children, but the plan for the future was that they would</p><p>eventually marry, and Francis would ascend the throne of France</p><p>with Mary as his queen, thereby uniting Scotland and France. In the</p><p>meantime, France would defend Scotland against any English</p><p>onslaught.</p><p>The promise of protection was reassuring, particularly as Henry</p><p>VIII had switched from diplomacy to intimidation in order to</p><p>persuade the Scots that his own son was a more worthy groom for</p><p>Mary Queen of Scots. His forces committed acts of piracy, destroyed</p><p>crops, burned villages and attacked towns and cities along the</p><p>border. The “rough wooing,” as it is known, continued even after</p><p>Henry’s death in 1547. Under the auspices of his son, King Edward</p><p>VI (the would-be suitor), the attacks culminated in the Battle of</p><p>Pinkie Cleugh, in which the Scottish army was routed. 
As a result of</p><p>this slaughter it was decided that, for her own safety, Mary should</p><p>leave for France, beyond the reach of the English threat, where she</p><p>could prepare for her marriage to Francis. On August 7, 1548, at the</p><p>age of six, she set sail for the port of Roscoff.</p><p>Mary’s first few years in the French court would be the most</p><p>idyllic time of her life. She was surrounded by luxury, protected</p><p>from harm, and she grew to love her future husband, the dauphin.</p><p>At the age of sixteen they married, and the following year Francis</p><p>and Mary became King and Queen of France. Everything seemed set</p><p>for her triumphant return to Scotland, until her husband, who had</p><p>always suffered from poor health, fell gravely ill. An ear infection</p><p>that he had nursed since a child had worsened, the inflammation</p><p>spread toward his brain, and an abscess began to develop. In 1560,</p><p>within a year of being crowned, Francis was dead and Mary was</p><p>widowed.</p><p>From this point onward, Mary’s life would be repeatedly struck by</p><p>tragedy. She returned to Scotland in 1561, where she discovered a</p><p>transformed nation. During her long absence Mary had confirmed</p><p>her Catholic faith, while her Scottish subjects had increasingly</p><p>moved toward the Protestant church. Mary tolerated the wishes of</p><p>the majority and at first reigned with relative success, but in 1565</p><p>she married her cousin, Henry Stewart, the Earl of Darnley, an act</p><p>that led to a spiral of decline. Darnley was a vicious and brutal man</p><p>whose ruthless greed for power lost Mary the loyalty of the Scottish</p><p>nobles. The following year Mary witnessed for herself the full horror</p><p>of her husband’s barbaric nature when he murdered David Riccio,</p><p>her secretary, in front of her. 
It became clear to everyone that for</p><p>the sake of Scotland it was necessary to get rid of Darnley.</p><p>Historians debate whether it was Mary or the Scottish nobles who</p><p>instigated the plot, but on the night of February 9, 1567, Darnley’s</p><p>house was blown up and, as he attempted to escape, he was</p><p>strangled. The only good to come from the marriage was a son and</p><p>heir, James.</p><p>Mary’s next marriage, to James Hepburn, the Fourth Earl of</p><p>Bothwell, was hardly more successful. By the summer of 1567 the</p><p>Protestant Scottish nobles had become completely disillusioned with</p><p>their Catholic Queen, and they exiled Bothwell and imprisoned</p><p>Mary, forcing her to abdicate in favor of her fourteen-month-old</p><p>son, James VI, while her half-brother, the Earl of Moray, acted as</p><p>regent. The next year, Mary escaped from her prison, gathered an</p><p>army of six thousand royalists, and made a final attempt to regain</p><p>her crown. Her soldiers confronted the regent’s army at the small</p><p>village of Langside, near Glasgow, and Mary witnessed the battle</p><p>from a nearby hilltop. Although her troops were greater in number,</p><p>they lacked discipline, and Mary watched as they were torn apart.</p><p>When defeat was inevitable, she fled. Ideally she would have headed</p><p>east to the coast, and then on to France, but this would have meant</p><p>crossing territory loyal to her half-brother, and so instead she</p><p>headed south to England, where she hoped that her cousin Queen</p><p>Elizabeth I would provide refuge.</p><p>Mary had made a terrible misjudgment. Elizabeth offered Mary</p><p>nothing more than another prison. The official reason for her arrest</p><p>was in connection with the murder of Darnley, but the true reason</p><p>was that Mary posed a threat to Elizabeth, because English Catholics</p><p>considered Mary to be the true queen of England. 
Through her</p><p>grandmother, Margaret Tudor, the elder sister of Henry VIII, Mary</p><p>did indeed have a claim to the throne, but Henry’s last surviving</p><p>offspring, Elizabeth I, would seem to have a prior claim. However,</p><p>according to Catholics, Elizabeth was illegitimate because she was</p><p>the daughter of Anne Boleyn, Henry’s second wife after he had</p><p>divorced Catherine of Aragon in defiance of the Pope. English</p><p>Catholics did not recognize Henry VIII’s divorce, they did not</p><p>acknowledge his ensuing marriage to Anne Boleyn, and they</p><p>certainly did not accept their daughter Elizabeth as Queen. Catholics</p><p>saw Elizabeth as a bastard usurper.</p><p>Mary was imprisoned in a series of castles and manors. Although</p><p>Elizabeth thought of her as one of the most dangerous figures in</p><p>England, many Englishmen admitted that they admired her gracious</p><p>manner, her obvious intelligence and her great beauty. William</p><p>Cecil, Elizabeth’s Great Minister, commented on “her cunning and</p><p>sugared entertainment of all men,” and Nicholas White, Cecil’s</p><p>emissary, made a similar observation: “She hath withal an alluring</p><p>grace, a pretty Scotch accent, and a searching wit, clouded with</p><p>mildness.” But, as each year passed, her appearance waned, her</p><p>health deteriorated and she began to lose hope. Her jailer, Sir</p><p>Amyas Paulet, a Puritan, was immune to her charms, and treated</p><p>her with increasing harshness.</p><p>By 1586, after 18 years of imprisonment, she had lost all her</p><p>privileges. She was confined to Chartley Hall in Staffordshire, and</p><p>was no longer allowed to take the waters at Buxton, which had</p><p>previously helped to alleviate her frequent illnesses. 
On her last visit</p><p>to Buxton she used a diamond to inscribe a message on a</p><p>windowpane: “Buxton, whose warm waters have made thy name</p><p>famous, perchance I shall visit thee no more—Farewell.” It appears</p><p>that she suspected that she was about to lose what little freedom she</p><p>had. Mary’s growing sorrow was compounded</p><p>by the actions of her</p><p>nineteen-year-old son, King James VI of Scotland. She had always</p><p>hoped that one day she would escape and return to Scotland to</p><p>share power with her son, whom she had not seen since he was one</p><p>year old. However, James felt no such affection for his mother. He</p><p>had been brought up by Mary’s enemies, who had taught James that</p><p>his mother had murdered his father in order to marry her lover.</p><p>James despised her, and feared that if she returned then she might</p><p>seize his crown. His hatred toward Mary was demonstrated by the</p><p>fact that he had no qualms in seeking a marriage with Elizabeth I,</p><p>the woman responsible for his mother’s imprisonment (and who was</p><p>also thirty years his senior). Elizabeth declined the offer.</p><p>Mary wrote to her son in an attempt to win him over, but her</p><p>letters never reached the Scottish border. By this stage, Mary was</p><p>more isolated than ever before: all her outgoing letters were</p><p>confiscated, and any incoming correspondence was kept by her</p><p>jailer. Mary’s morale was at its lowest, and it seemed that all hope</p><p>was lost. It was under these severe and desperate circumstances</p><p>that, on January 6, 1586, she received an astonishing package of</p><p>letters.</p><p>The letters were from Mary’s supporters on the Continent, and</p><p>they had been smuggled into her prison by Gilbert Gifford, a</p><p>Catholic who had left England in 1577 and trained as a priest at the</p><p>English College in Rome. 
Upon returning to England in 1585,</p><p>apparently keen to serve Mary, he immediately approached the</p><p>French Embassy in London, where a pile of correspondence had</p><p>accumulated. The Embassy had known that if they forwarded the</p><p>letters by the formal route, Mary would never see them. However</p><p>Gifford claimed that he could smuggle the letters into Chartley Hall,</p><p>and sure enough he lived up to his word. This delivery was the first</p><p>of many, and Gifford began a career as a courier, not only passing</p><p>messages to Mary but also collecting her replies. He had a rather</p><p>cunning way of sneaking letters into Chartley Hall. He took the</p><p>messages to a local brewer, who wrapped them in a leather packet,</p><p>which was then hidden inside a hollow bung used to seal a barrel of</p><p>beer. The brewer would deliver the barrel to Chartley Hall,</p><p>whereupon one of Mary’s servants would open the bung and take</p><p>the contents to the Queen of Scots. The process worked equally well</p><p>for getting messages out of Chartley Hall.</p><p>Meanwhile, unknown to Mary, a plan to rescue her was being</p><p>hatched in the taverns of London. At the center of the plot was</p><p>Anthony Babington, aged just twenty-four but already well known</p><p>in the city as a handsome, charming and witty bon viveur. What his</p><p>many admiring contemporaries failed to appreciate was that</p><p>Babington deeply resented the establishment, which had persecuted</p><p>him, his family and his faith. The state’s anti-Catholic policies had</p><p>reached new heights of horror, with priests being accused of</p><p>treason, and anybody caught harboring them punished by the rack,</p><p>mutilation and disemboweling while still alive. The Catholic mass</p><p>was officially banned, and families who remained loyal to the Pope</p><p>were forced to pay crippling taxes. 
Babington’s animosity was fueled</p><p>by the death of Lord Darcy, his great-grandfather, who was</p><p>beheaded for his involvement in the Pilgrimage of Grace, a Catholic</p><p>uprising against Henry VIII.</p><p>The conspiracy began one evening in March 1586, when</p><p>Babington and six confidants gathered in The Plough, an inn outside</p><p>Temple Bar. As the historian Philip Caraman observed, “He drew to</p><p>himself by the force of his exceptional charm and personality many</p><p>young Catholic gentlemen of his own standing, gallant, adventurous</p><p>and daring in defense of the Catholic faith in its day of stress; and</p><p>ready for any arduous enterprise whatsoever that might advance the</p><p>common Catholic cause.” Over the next few months an ambitious</p><p>plan emerged to free Mary Queen of Scots, assassinate Queen</p><p>Elizabeth and incite a rebellion supported by an invasion from</p><p>abroad.</p><p>The conspirators were agreed that the Babington Plot, as it</p><p>became known, could not proceed without the blessing of Mary, but</p><p>there was no apparent way to communicate with her. Then, on July</p><p>6, 1586, Gifford arrived on Babington’s doorstep. He delivered a</p><p>letter from Mary, explaining that she had heard about Babington via</p><p>her supporters in Paris, and looked forward to hearing from him. In</p><p>reply, Babington compiled a detailed letter in which he outlined his</p><p>scheme, including a reference to the excommunication of Elizabeth</p><p>by Pope Pius V in 1570, which he believed legitimized her</p><p>assassination.</p><p>Myself with ten gentlemen and a hundred of our followers will undertake the delivery</p><p>of your royal person from the hands of your enemies. 
For the dispatch of the usurper,</p><p>from the obedience of whom we are by the excommunication of her made free, there</p><p>be six noble gentlemen, all my private friends, who for the zeal they bear to the</p><p>Catholic cause and your Majesty’s service will undertake that tragical execution.</p><p>As before, Gifford used his trick of putting the message in the bung</p><p>of a beer barrel in order to sneak it past Mary’s guards. This can be</p><p>considered a form of steganography, because the letter was being</p><p>hidden. As an extra precaution, Babington enciphered his letter so</p><p>that even if it was intercepted by Mary’s jailer, it would be</p><p>indecipherable and the plot would not be uncovered. He used a</p><p>cipher which was not a simple monoalphabetic substitution, but</p><p>rather a nomenclator, as shown in Figure 8. It consisted of 23</p><p>symbols that were to be substituted for the letters of the alphabet</p><p>(excluding j, v and w), along with 35 symbols representing words or</p><p>phrases. In addition, there were four nulls ( ) and a symbol</p><p>which signified that the next symbol represents a double letter</p><p>(“dowbleth”).</p><p>Gifford was still a youth, even younger than Babington, and yet</p><p>he conducted his deliveries with confidence and guile. His aliases,</p><p>such as Mr. Colerdin, Pietro and Cornelys, enabled him to travel the</p><p>country without suspicion, and his contacts within the Catholic</p><p>community provided him with a series of safe houses between</p><p>London and Chartley Hall. However, each time Gifford traveled to</p><p>or from Chartley Hall, he would make a detour. Although Gifford</p><p>was apparently acting as an agent for Mary, he was actually a</p><p>double agent. Back in 1585, before his return to England, Gifford</p><p>had written to Sir Francis Walsingham, Principal Secretary to Queen</p><p>Elizabeth, offering his services. 
Gifford realized that his Catholic</p><p>background would act as a perfect mask for infiltrating plots against</p><p>Queen Elizabeth. In the letter to Walsingham, he wrote, “I have</p><p>heard of the work you do and I want to serve you. I have no</p><p>scruples and no fear of danger. Whatever you order me to do I will</p><p>accomplish.”</p><p>Figure 8 The nomenclator of Mary Queen of Scots, consisting of a cipher alphabet</p><p>and codewords.</p><p>Walsingham was Elizabeth’s most ruthless minister. He was a</p><p>Machiavellian figure, a spymaster who was responsible for the</p><p>security of the monarch. He had inherited a small network of spies,</p><p>which he rapidly expanded into the Continent, where many of the</p><p>plots against Elizabeth were being hatched. After his death it was</p><p>discovered that he had been receiving regular reports from twelve</p><p>locations in France, nine in Germany, four in Italy, four in Spain and</p><p>three in the Low Countries, as well as having informants in</p><p>Constantinople, Algiers and Tripoli.</p><p>Walsingham recruited Gifford as a spy, and in fact it was</p><p>Walsingham who ordered Gifford to approach the French Embassy</p><p>and offer himself as a courier. Each time Gifford collected a message</p><p>to or from Mary, he would first take it to Walsingham. The vigilant</p><p>spymaster would then pass it to his counterfeiters, who would break</p><p>the seal on each letter, make a copy, and then reseal the original</p><p>letter with an identical stamp before handing it back to Gifford. The</p><p>apparently untouched letter could then be delivered to Mary or her</p><p>correspondents, who remained oblivious to what was going on.</p><p>When Gifford handed Walsingham</p><p>a letter from Babington to</p><p>Mary, the first objective was to decipher it. 
Walsingham had</p><p>originally encountered codes and ciphers while reading a book</p><p>written by the Italian mathematician and cryptographer Girolamo</p><p>Cardano (who, incidentally, proposed a form of writing for the blind</p><p>based on touch, a precursor of Braille). Cardano’s book aroused</p><p>Walsingham’s interest, but it was a decipherment by the Flemish</p><p>cryptanalyst Philip van Marnix that really convinced him of the</p><p>power of having a codebreaker at his disposal. In 1577, Philip of</p><p>Spain was using ciphers to correspond with his half-brother and</p><p>fellow Catholic, Don John of Austria, who was in control of much of</p><p>the Netherlands. Philip’s letter described a plan to invade England,</p><p>but it was intercepted by William of Orange, who passed it to</p><p>Marnix, his cipher secretary. Marnix deciphered the plan, and</p><p>William passed the information to Daniel Rogers, an English agent</p><p>working on the Continent, who in turn warned Walsingham of the</p><p>invasion. The English reinforced their defenses, which was enough</p><p>to deter the invasion attempt.</p><p>Now fully aware of the value of cryptanalysis, Walsingham</p><p>established a cipher school in London and employed Thomas</p><p>Phelippes as his cipher secretary, a man “of low stature, slender</p><p>every way, dark yellow haired on the head, and clear yellow</p><p>bearded, eaten in the face with smallpox, of short sight, thirty years</p><p>of age by appearance.” Phelippes was a linguist who could speak</p><p>French, Italian, Spanish, Latin and German, and, more importantly,</p><p>he was one of Europe’s finest cryptanalysts.</p><p>Upon receiving any message to or from Mary, Phelippes devoured</p><p>it. He was a master of frequency analysis, and it would be merely a</p><p>matter of time before he found a solution. He established the</p><p>frequency of each character, and tentatively proposed values for</p><p>those that appeared most often. 
When a particular approach hinted</p><p>at absurdity, he would backtrack and try alternative substitutions.</p><p>Gradually he would identify the nulls, the cryptographic red</p><p>herrings, and put them to one side. Eventually all that remained</p><p>were the handful of codewords, whose meaning could be guessed</p><p>from the context.</p><p>When Phelippes deciphered Babington’s message to Mary, which</p><p>clearly proposed the assassination of Elizabeth, he immediately</p><p>forwarded the damning text to his master. At this point Walsingham</p><p>could have pounced on Babington, but he wanted more than the</p><p>execution of a handful of rebels. He bided his time in the hope that</p><p>Mary would reply and authorize the plot, thereby incriminating</p><p>herself. Walsingham had long wished for the death of Mary Queen</p><p>of Scots, but he was aware of Elizabeth’s reluctance to execute her</p><p>cousin. However, if he could prove that Mary was endorsing an</p><p>attempt on the life of Elizabeth, then surely his queen would permit</p><p>the execution of her Catholic rival. Walsingham’s hopes were soon</p><p>fulfilled.</p><p>On July 17, Mary replied to Babington, effectively signing her</p><p>own death warrant. She explicitly wrote about the “design,”</p><p>showing particular concern that she should be released</p><p>simultaneously with, or before, Elizabeth’s assassination, otherwise</p><p>news might reach her jailer, who might then murder her. Before</p><p>reaching Babington, the letter made the usual detour to Phelippes.</p><p>Having cryptanalyzed the earlier message, he deciphered this one</p><p>with ease, read its contents, and marked it with a “ ”, the sign of the</p><p>gallows.</p><p>Walsingham had all the evidence he needed to arrest Mary and</p><p>Babington, but still he was not satisfied. 
In order to destroy the</p><p>conspiracy completely, he needed the names of all those involved.</p><p>He asked Phelippes to forge a postscript to Mary’s letter, which</p><p>would entice Babington to name names. One of Phelippes’s</p><p>additional talents was as a forger, and it was said that he had the</p><p>ability “to write any man’s hand, if he had once seen it, as if the</p><p>man himself had writ it.” Figure 9 shows the postscript that was</p><p>added at the end of Mary’s letter to Babington. It can be deciphered</p><p>using Mary’s nomenclator, as shown in Figure 8, to reveal the</p><p>following plaintext:</p><p>I would be glad to know the names and qualities of the six gentlemen which are to</p><p>accomplish the designment; for it may be that I shall be able, upon knowledge of the</p><p>parties, to give you some further advice necessary to be followed therein, as also from</p><p>time to time particularly how you proceed: and as soon as you may, for the same</p><p>purpose, who be already, and how far everyone is privy hereunto.</p><p>The cipher of Mary Queen of Scots clearly demonstrates that a weak</p><p>encryption can be worse than no encryption at all. Both Mary and</p><p>Babington wrote explicitly about their intentions because they</p><p>believed that their communications were secure, whereas if they</p><p>had been communicating openly they would have referred to their</p><p>plan in a more discreet manner. Furthermore, their faith in their</p><p>cipher made them particularly vulnerable to accepting Phelippes’s</p><p>forgery. Sender and receiver often have such confidence in the</p><p>strength of their cipher that they consider it impossible for the</p><p>enemy to mimic the cipher and insert forged text. The correct use of</p><p>a strong cipher is a clear boon to sender and receiver, but the</p><p>misuse of a weak cipher can generate a very false sense of security.</p><p>Figure 9 The forged postscript added by Thomas Phelippes to Mary’s message. 
It can</p><p>be deciphered by referring to Mary’s nomenclator (Figure 8). (photo credit 1.3)</p><p>Soon after receiving the message and its postscript, Babington</p><p>needed to go abroad to organize the invasion, and had to register at</p><p>Walsingham’s department in order to acquire a passport. This would</p><p>have been an ideal time to capture the traitor, but the bureaucrat</p><p>who was manning the office, John Scudamore, was not expecting</p><p>the most wanted traitor in England to turn up at his door.</p><p>Scudamore, with no support to hand, took the unsuspecting</p><p>Babington to a nearby tavern, stalling for time while his assistant</p><p>organized a group of soldiers. A short while later a note arrived at</p><p>the tavern, informing Scudamore that it was time for the arrest.</p><p>Babington, however, caught sight of it. He casually said that he</p><p>would pay for the beer and meal and rose to his feet, leaving his</p><p>sword and coat at the table, implying that he would return in an</p><p>instant. Instead, he slipped out of the back door and escaped, first to</p><p>St. John’s Wood and then on to Harrow. He attempted to disguise</p><p>himself, cutting his hair short and staining his skin with walnut</p><p>juice to mask his aristocratic background. He managed to elude</p><p>capture for ten days, but by August 15, Babington and his six</p><p>colleagues were captured and brought to London. Church bells</p><p>across the city rang out in triumph. Their executions were horrid in</p><p>the extreme. In the words of the Elizabethan historian William</p><p>Camden, “they were all cut down, their privities were cut off,</p><p>bowelled alive and seeing, and quartered.”</p><p>Meanwhile, on August 11, Mary Queen of Scots and her entourage</p><p>had been allowed the exceptional privilege of riding in the grounds</p><p>of Chartley Hall. 
As Mary crossed the moors she spied some</p><p>horsemen approaching, and immediately thought that these must be</p><p>Babington’s men coming to rescue her. It soon became clear that</p><p>these men had come to arrest her, not release her. Mary had been</p><p>implicated in the Babington Plot, and was charged under the Act of</p><p>Association, an Act of Parliament passed in 1584 specifically</p><p>designed to convict anybody involved in a conspiracy against</p><p>Elizabeth.</p><p>The trial was held in Fotheringhay Castle, a bleak, miserable place</p><p>in the middle of the featureless fens of East Anglia. It began on</p><p>Wednesday, October 15, in front of two chief justices, four other</p><p>judges, the Lord Chancellor, the Lord Treasurer, Walsingham, and</p><p>various earls, knights and barons. At the back of the courtroom</p><p>there was space for spectators, such as local villagers and the</p><p>servants of the commissioners, all eager to see the humiliated</p><p>Scottish queen beg forgiveness and plead for her life. However,</p><p>Mary remained dignified</p><p>and composed throughout the trial. Mary’s</p><p>main defense was to deny any connection with Babington. “Can I be</p><p>responsible for the criminal projects of a few desperate men,” she</p><p>proclaimed, “which they planned without my knowledge or</p><p>participation?” Her statement had little impact in the face of the</p><p>evidence against her.</p><p>Mary and Babington had relied on a cipher to keep their plans</p><p>secret, but they lived during a period when cryptography was being</p><p>weakened by advances in cryptanalysis. 
Although their cipher</p><p>would have been sufficient protection against the prying eyes of an</p><p>amateur, it stood no chance against an expert in frequency analysis.</p><p>In the spectators’ gallery sat Phelippes, quietly watching the</p><p>presentation of the evidence that he had conjured from the</p><p>enciphered letters.</p><p>The trial went into a second day, and Mary continued to deny any</p><p>knowledge of the Babington Plot. When the trial finished, she left</p><p>the judges to decide her fate, pardoning them in advance for the</p><p>inevitable decision. Ten days later, the Star Chamber met in</p><p>Westminster and concluded that Mary had been guilty of</p><p>“compassing and imagining since June 1st matters tending to the</p><p>death and destruction of the Queen of England.” They recommended</p><p>the death penalty, and Elizabeth signed the death warrant.</p><p>On February 8, 1587, in the Great Hall of Fotheringhay Castle, an</p><p>audience of three hundred gathered to watch the beheading.</p><p>Walsingham was determined to minimize Mary’s influence as a</p><p>martyr, and he ordered that the block, Mary’s clothing, and</p><p>everything else relating to the execution be burned in order to avoid</p><p>the creation of any holy relics. He also planned a lavish funeral</p><p>procession for his son-in-law, Sir Philip Sidney, to take place the</p><p>following week. Sidney, a popular and heroic figure, had died</p><p>fighting Catholics in the Netherlands, and Walsingham believed that</p><p>a magnificent parade in his honor would dampen sympathy for</p><p>Mary. However, Mary was equally determined that her final</p><p>appearance should be a defiant gesture, an opportunity to reaffirm</p><p>her Catholic faith and inspire her followers.</p><p>While the Dean of Peterborough led the prayers, Mary spoke</p><p>aloud her own prayers for the salvation of the English Catholic</p><p>Church, for her son and for Elizabeth. 
With her family motto, “In</p><p>my end is my beginning,” in her mind, she composed herself and</p><p>approached the block. The executioners requested her forgiveness,</p><p>and she replied, “I forgive you with all my heart, for now I hope you</p><p>shall make an end of all my troubles.” Richard Wingfield, in his</p><p>Narration of the Last Days of the Queen of Scots, describes her final</p><p>moments:</p><p>Then she laide herself upon the blocke most quietlie, & stretching out her armes &</p><p>legges cryed out In manus tuas domine three or foure times, & at the laste while one</p><p>of the executioners held her slightlie with one of his handes, the other gave two</p><p>strokes with an axe before he cutt of her head, & yet lefte a little gristle behinde at</p><p>which time she made verie small noyse & stirred not any parte of herself from the</p><p>place where she laye … Her lipps stirred up & downe almost a quarter of an hower</p><p>after her head was cutt of. Then one of her executioners plucking of her garters espied</p><p>her little dogge which was crept under her clothes which could not be gotten forth</p><p>but with force & afterwardes could not depart from her dead corpse, but came and</p><p>laye betweene her head & shoulders a thing dilligently noted.</p><p>Figure 10 The execution of Mary Queen of Scots. (photo credit 1.4)</p><p>2 Le Chiffre Indéchiffrable</p><p>For centuries, the simple monoalphabetic substitution cipher had</p><p>been sufficient to ensure secrecy. The subsequent development</p><p>of frequency analysis, first in the Arab world and then in Europe,</p><p>destroyed its security. The tragic execution of Mary Queen of Scots</p><p>was a dramatic illustration of the weaknesses of monoalphabetic</p><p>substitution, and in the battle between cryptographers and</p><p>cryptanalysts it was clear that the cryptanalysts had gained the</p><p>upper hand. 
Anybody sending an encrypted message had to accept</p><p>that an expert enemy codebreaker might intercept and decipher</p><p>their most precious secrets.</p><p>The onus was clearly on the cryptographers to concoct a new,</p><p>stronger cipher, something that could outwit the cryptanalysts.</p><p>Although this cipher would not emerge until the end of the</p><p>sixteenth century, its origins can be traced back to the fifteenth-</p><p>century Florentine polymath Leon Battista Alberti. Born in 1404,</p><p>Alberti was one of the leading figures of the Renaissance: a painter,</p><p>composer, poet and philosopher, as well as the author of the first</p><p>scientific analysis of perspective, a treatise on the housefly and a</p><p>funeral oration for his dog. He is probably best known as an</p><p>architect, having designed Rome’s first Trevi Fountain and having</p><p>written De re aedificatoria, the first printed book on architecture,</p><p>which acted as a catalyst for the transition from Gothic to</p><p>Renaissance design.</p><p>Sometime in the 1460s, Alberti was wandering through the</p><p>gardens of the Vatican when he bumped into his friend Leonardo</p><p>Dato, the pontifical secretary, who began chatting to him about</p><p>some of the finer points of cryptography. This casual conversation</p><p>prompted Alberti to write an essay on the subject, outlining what he</p><p>believed to be a new form of cipher. At the time, all substitution</p><p>ciphers required a single cipher alphabet for encrypting each</p><p>message. However, Alberti proposed using two or more cipher</p><p>alphabets, switching between them during encipherment, thereby</p><p>confusing potential cryptanalysts.</p><p>For example, here we have two possible cipher alphabets, and we</p><p>could encrypt a message by alternating between them. 
To encrypt</p><p>the message hello, we would encrypt the first letter according to the</p><p>first cipher alphabet, so that h becomes A, but we would encrypt the</p><p>second letter according to the second cipher alphabet, so that e</p><p>becomes F. To encrypt the third letter we return to the first cipher</p><p>alphabet, and to encrypt the fourth letter we return to the second</p><p>alphabet. This means that the first l is enciphered as P, but the</p><p>second l is enciphered as A. The final letter, o, is enciphered</p><p>according to the first cipher alphabet and becomes D. The complete</p><p>ciphertext reads AFPAD. The crucial advantage of Alberti’s system is</p><p>that the same letter in the plaintext does not necessarily appear as</p><p>the same letter in the ciphertext, so the repeated l in hello is</p><p>enciphered differently in each case. Similarly, the repeated A in the</p><p>ciphertext represents a different plaintext letter in each case, first h</p><p>and then l.</p><p>Although he had hit upon the most significant breakthrough in</p><p>encryption for over a thousand years, Alberti failed to develop his</p><p>concept into a fully formed system of encryption. That task fell to a</p><p>diverse group of intellectuals, who built on his initial idea. First</p><p>came Johannes Trithemius, a German abbot born in 1462, then</p><p>Giovanni Porta, an Italian scientist born in 1535, and finally Blaise</p><p>de Vigenère, a French diplomat born in 1523. Vigenère became</p><p>acquainted with the writings of Alberti, Trithemius and Porta when,</p><p>at the age of twenty-six, he was sent to Rome on a two-year</p><p>diplomatic mission. To start with, his interest in cryptography was</p><p>purely practical and was linked to his diplomatic work. Then, at the</p><p>age of thirty-nine, Vigenère decided that he had accumulated</p><p>enough money for him to be able to abandon his career and</p><p>concentrate on a life of study. 
It was only then that he examined in</p><p>detail the ideas of Alberti, Trithemius and Porta, weaving them into</p><p>a coherent and powerful new cipher.</p><p>Figure 11 Blaise de Vigenère. (photo credit 2.1)</p><p>Although Alberti, Trithemius and Porta all made vital</p><p>contributions, the cipher is known as the Vigenère cipher in honor</p><p>of the man who developed it into its final form. The strength of the</p><p>Vigenère cipher lies in its using not one, but 26 distinct cipher</p><p>alphabets to encrypt a message. The first step in encipherment is to</p><p>draw up a so-called Vigenère square, as shown in Table 3, a</p><p>plaintext alphabet followed by</p><p>26 cipher alphabets, each shifted by</p><p>one letter with respect to the previous alphabet. Hence, row 1</p><p>represents a cipher alphabet with a Caesar shift of 1, which means</p><p>that it could be used to implement a Caesar shift cipher in which</p><p>every letter of the plaintext is replaced by the letter one place</p><p>further on in the alphabet. Similarly, row 2 represents a cipher</p><p>alphabet with a Caesar shift of 2, and so on. The top row of the</p><p>square, in lower case, represents the plaintext letters. You could</p><p>encipher each plaintext letter according to any one of the 26 cipher</p><p>alphabets. For example, if cipher alphabet number 2 is used, then</p><p>the letter a is enciphered as C, but if cipher alphabet number 12 is</p><p>used, then a is enciphered as M.</p><p>Table 3 A Vigenère square.</p><p>If the sender were to use just one of the cipher alphabets to</p><p>encipher an entire message, this would effectively be a simple</p><p>Caesar cipher, which would be a very weak form of encryption,</p><p>easily deciphered by an enemy interceptor. 
However, in the</p><p>Vigenère cipher a different row of the Vigenère square (a different</p><p>cipher alphabet) is used to encrypt different letters of the message.</p><p>In other words, the sender might encrypt the first letter according to</p><p>row 5, the second according to row 14, the third according to row</p><p>21, and so on.</p><p>To unscramble the message, the intended receiver needs to know</p><p>which row of the Vigenère square has been used to encipher each</p><p>letter, so there must be an agreed system of switching between</p><p>rows. This is achieved by using a keyword. To illustrate how a</p><p>keyword is used with the Vigenère square to encrypt a short</p><p>message, let us encipher divert troops to east ridge, using the</p><p>keyword WHITE. First of all, the keyword is spelled out above the</p><p>message, and repeated over and over again so that each letter in the</p><p>message is associated with a letter from the keyword. The ciphertext</p><p>is then generated as follows. To encrypt the first letter, d, begin by</p><p>identifying the key letter above it, W, which in turn defines a</p><p>particular row in the Vigenère square. The row beginning with W,</p><p>row 22, is the cipher alphabet that will be used to find the substitute</p><p>letter for the plaintext d. We look to see where the column headed</p><p>by d intersects the row beginning with W, which turns out to be at</p><p>the letter Z. Consequently, the letter d in the plaintext is represented</p><p>by Z in the ciphertext.</p><p>To encipher the second letter of the message, i, the process is</p><p>repeated. The key letter above i is H, so it is encrypted via a</p><p>different row in the Vigenère square: the H row (row 7) which is a</p><p>new cipher alphabet. To encrypt i, we look to see where the column</p><p>headed by i intersects the row beginning with H, which turns out to</p><p>be at the letter P. Consequently, the letter i in the plaintext is</p><p>represented by P in the ciphertext. 
Each letter of the keyword</p><p>indicates a particular cipher alphabet within the Vigenère square,</p><p>and because the keyword contains five letters, the sender encrypts</p><p>the message by cycling through five rows of the Vigenère square.</p><p>The fifth letter of the message is enciphered according to the fifth</p><p>letter of the keyword, E, but to encipher the sixth letter of the</p><p>message we have to return to the first letter of the keyword. A</p><p>longer keyword, or perhaps a keyphrase, would bring more rows</p><p>into the encryption process and increase the complexity of the</p><p>cipher. Table 4 shows a Vigenère square, highlighting the five rows</p><p>(i.e., the five cipher alphabets) defined by the keyword WHITE.</p><p>Table 4 A Vigenère square with the rows defined by the keyword WHITE highlighted.</p><p>Encryption is achieved by switching between the five highlighted cipher alphabets, defined</p><p>by W, H, I, T and E.</p><p>The great advantage of the Vigenère cipher is that it is</p><p>impregnable to the frequency analysis described in Chapter 1. For</p><p>example, a cryptanalyst applying frequency analysis to a piece of</p><p>ciphertext would usually begin by identifying the most common</p><p>letter in the ciphertext, which in this case is Z, and then assume that</p><p>this represents the most common letter in English, e. In fact, the</p><p>letter Z represents three different letters, d, r and s, but not e. This is</p><p>clearly a problem for the cryptanalyst. The fact that a letter which</p><p>appears several times in the ciphertext can represent a different</p><p>plaintext letter on each occasion generates tremendous ambiguity</p><p>for the cryptanalyst. Equally confusing is the fact that a letter which</p><p>appears several times in the plaintext can be represented by</p><p>different letters in the ciphertext. 
For example, the letter o is</p><p>repeated in troops, but it is substituted by two different letters—the</p><p>oo is enciphered as HS.</p><p>As well as being invulnerable to frequency analysis, the Vigenère</p><p>cipher has an enormous number of keys. The sender and receiver</p><p>can agree on any word in the dictionary, any combination of words,</p><p>or even fabricate words. A cryptanalyst would be unable to crack</p><p>the message by searching all possible keys because the number of</p><p>options is simply too great.</p><p>Vigenère’s work culminated in his Traicté des Chiffres (“A Treatise</p><p>on Secret Writing”), published in 1586. Ironically, this was the same</p><p>year that Thomas Phelippes was breaking the cipher of Mary Queen</p><p>of Scots. If only Mary’s secretary had read this treatise, he would</p><p>have known about the Vigenère cipher, Mary’s messages to</p><p>Babington would have baffled Phelippes, and her life might have</p><p>been spared.</p><p>Because of its strength and its guarantee of security, it would</p><p>seem natural that the Vigenère cipher would be rapidly adopted by</p><p>cipher secretaries around Europe. Surely they would be relieved to</p><p>have access, once again, to a secure form of encryption? On the</p><p>contrary, cipher secretaries seem to have spurned the Vigenère</p><p>cipher. This apparently flawless system would remain largely</p><p>neglected for the next two centuries.</p><p>From Shunning Vigenère to the Man in the Iron Mask</p><p>The traditional forms of substitution cipher, those that existed</p><p>before the Vigenère cipher, were called monoalphabetic substitution</p><p>ciphers because they used only one cipher alphabet per message. In</p><p>contrast, the Vigenère cipher belongs to a class known as</p><p>polyalphabetic, because it employs several cipher alphabets per</p><p>message. 
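</p><p>The keyword encipherment worked through above (divert troops to east ridge under the keyword WHITE), as an added Python example that is not part of the book: it builds the Vigenère square, enciphers the message row by row, and lists which plaintext letters stand behind each ciphertext letter. The function names are illustrative assumptions.</p>

```python
from collections import Counter, defaultdict
from itertools import cycle
import string

ALPHABET = string.ascii_lowercase


def vigenere_square():
    """Rows 1..26: row n is the alphabet shifted n places (row 26 is unshifted)."""
    return {n: (ALPHABET[n % 26:] + ALPHABET[:n % 26]).upper()
            for n in range(1, 27)}


def row_number(key_letter):
    """Row whose first letter is key_letter, e.g. W -> 22, H -> 7, A -> 26."""
    shift = ALPHABET.index(key_letter.lower())
    return shift or 26


def _letters(text):
    # Spaces and punctuation are dropped, as in the worked example in the text.
    return [c for c in text.lower() if c in ALPHABET]


def _check_keyword(keyword):
    if not keyword or any(c.lower() not in ALPHABET for c in keyword):
        raise ValueError("keyword must be a non-empty string of letters a-z")


def encrypt(plaintext, keyword):
    """Each key letter picks a row; the plaintext letter picks the column."""
    _check_keyword(keyword)
    square = vigenere_square()
    return "".join(square[row_number(k)][ALPHABET.index(p)]
                   for p, k in zip(_letters(plaintext), cycle(keyword)))


def decrypt(ciphertext, keyword):
    """Find the ciphertext letter in the key letter's row; read off the column."""
    _check_keyword(keyword)
    square = vigenere_square()
    return "".join(ALPHABET[square[row_number(k)].index(c.upper())]
                   for c, k in zip(_letters(ciphertext), cycle(keyword)))


def plaintext_behind(plaintext, keyword):
    """For every ciphertext letter, the sorted plaintext letters it stood for."""
    behind = defaultdict(set)
    for p, c in zip(_letters(plaintext), encrypt(plaintext, keyword)):
        behind[c].add(p)
    return {c: sorted(ps) for c, ps in behind.items()}


if __name__ == "__main__":
    message, keyword = "divert troops to east ridge", "WHITE"
    ciphertext = encrypt(message, keyword)
    print("ciphertext:", ciphertext)
    print("decrypted :", decrypt(ciphertext, keyword))
    letter, count = Counter(ciphertext).most_common(1)[0]
    print(f"most common ciphertext letter {letter} ({count}x) stands for",
          plaintext_behind(message, keyword)[letter])
    # A one-letter keyword uses a single row, i.e. a plain Caesar shift.
    print("keyword B :", encrypt("hello", "B"))
```

<p>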
The polyalphabetic nature of the Vigenère cipher is what</p><p>gives it its strength, but it also makes it much more complicated to</p><p>use. The additional effort required in order to implement the</p><p>Vigenère cipher discouraged many people from employing it.</p><p>For many seventeenth-century purposes, the monoalphabetic</p><p>substitution cipher was perfectly adequate. If you wanted to ensure</p><p>that your servant was unable to read your private correspondence,</p><p>or if you wanted to protect your diary from the prying eyes of your</p><p>spouse, then the old-fashioned type of cipher was ideal.</p><p>Monoalphabetic substitution was quick, easy to use, and secure</p><p>against people unschooled in cryptanalysis. In fact, the simple</p><p>monoalphabetic substitution cipher endured in various forms for</p><p>many centuries (see Appendix D). For more serious applications,</p><p>such as military and government communications, where security</p><p>was paramount, the straightforward monoalphabetic cipher was</p><p>clearly inadequate. Professional cryptographers in combat with</p><p>professional cryptanalysts needed something better, yet they were</p><p>still reluctant to adopt the polyalphabetic cipher because of its</p><p>complexity. Military communications, in particular, required speed</p><p>and simplicity, and a diplomatic office might be sending and</p><p>receiving hundreds of messages each day, so time was of the</p><p>essence. Consequently, cryptographers searched for an intermediate</p><p>cipher, one that was harder to crack than a straightforward</p><p>monoalphabetic cipher, but one that was simpler to implement than</p><p>a polyalphabetic cipher.</p><p>The various candidates included the remarkably effective</p><p>homophonic substitution cipher. Here, each letter is replaced with a</p><p>variety of substitutes, the number of potential substitutes being</p><p>proportional to the frequency of the letter. 
For example, the letter a</p><p>accounts for roughly 8 per cent</p><p>of all letters in written English, and</p><p>so we would assign eight symbols to represent it. Each time a</p><p>appears in the plaintext it would be replaced in the ciphertext by</p><p>one of the eight symbols chosen at random, so that by the end of the</p><p>encipherment each symbol would constitute roughly 1 per cent of</p><p>the enciphered text. By comparison, the letter b accounts for only 2</p><p>per cent of all letters, and so we would assign only two symbols to</p><p>represent it. Each time b appears in the plaintext either of the two</p><p>symbols could be chosen, and by the end of the encipherment each</p><p>symbol would also constitute roughly 1 per cent of the enciphered</p><p>text. This process of allotting varying numbers of symbols to act as</p><p>substitutes for each letter continues throughout the alphabet, until</p><p>we get to z, which is so rare that it has only one symbol to act as a</p><p>substitute. In the example given in Table 5, the substitutes in the</p><p>cipher alphabet happen to be two-digit numbers, and there are</p><p>between one and twelve substitutes for each letter in the plain</p><p>alphabet, depending on each letter’s relative abundance.</p><p>We can think of all the two-digit numbers that correspond to the</p><p>plaintext letter a as effectively representing the same sound in the</p><p>ciphertext, namely the sound of the letter a. Hence the origin of the</p><p>term homophonic substitution, homos meaning “same” and phonos</p><p>meaning “sound” in Greek. The point of offering several substitution</p><p>options for popular letters is to balance out the frequencies of</p><p>symbols in the ciphertext. If we enciphered a message using the</p><p>cipher alphabet in Table 5, then every number would constitute</p><p>roughly 1 per cent of the entire text. 
If no symbol appears more</p><p>frequently than any other, then this would appear to defy any</p><p>potential attack via frequency analysis. Perfect security? Not quite.</p><p>Table 5 An example of a homophonic substitution cipher. The top row represents the plain</p><p>alphabet, while the numbers below represent the cipher alphabet, with several options for</p><p>frequently occurring letters.</p><p>The ciphertext still contains many subtle clues for the clever</p><p>cryptanalyst. As we saw in Chapter 1, each letter in the English</p><p>language has its own personality, defined according to its</p><p>relationship with all the other letters, and these traits can still be</p><p>discerned even if the encryption is by homophonic substitution. In</p><p>English, the most extreme example of a letter with a distinct</p><p>personality is the letter q, which is only followed by one letter,</p><p>namely u. If we were attempting to decipher a ciphertext, we might</p><p>begin by noting that q is a rare letter, and is therefore likely to be</p><p>represented by just one symbol, and we know that u, which</p><p>accounts for roughly 3 per cent of all letters, is probably represented</p><p>by three symbols. So, if we find a symbol in the ciphertext that is</p><p>only ever followed by three particular symbols, then it would be</p><p>sensible to assume that the first symbol represents q and the other</p><p>three symbols represent u. Other letters are harder to spot, but are</p><p>also betrayed by their relationships to one another. Although the</p><p>homophonic cipher is breakable, it is much more secure than a</p><p>straightforward monoalphabetic cipher.</p><p>A homophonic cipher might seem similar to a polyalphabetic</p><p>cipher inasmuch as each plaintext letter can be enciphered in many</p><p>ways, but there is a crucial difference, and the homophonic cipher is</p><p>in fact a type of monoalphabetic cipher. 
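</p><p>An added Python sketch, not from the book, of the homophonic scheme and the q/u clue described above. The 100-symbol table and the sample sentence are constructed for illustration (only the counts for a, b, q, u and z come from the text, and this is not the book's Table 5); the function names are hypothetical.</p>

```python
import random
from collections import Counter, defaultdict

# Constructed allocation of two-digit symbols per letter, roughly each letter's
# percentage share of English text. Only a=8, b=2, u=3, q=1 and z=1 come from
# the text; the other counts are assumptions. The counts sum to 100.
HOMOPHONE_COUNTS = {
    "a": 8, "b": 2, "c": 3, "d": 4, "e": 12, "f": 2, "g": 2, "h": 6, "i": 6,
    "j": 1, "k": 1, "l": 4, "m": 2, "n": 6, "o": 7, "p": 2, "q": 1, "r": 6,
    "s": 6, "t": 9, "u": 3, "v": 1, "w": 2, "x": 1, "y": 2, "z": 1,
}

# Constructed sample plaintext, deliberately rich in "qu" words.
SAMPLE = (
    "the queen required a quiet answer to her question and the quartermaster "
    "quickly acquired the equipment she requested while the squire quoted "
    "the usual price for quality cloth and the envoy entered the eastern gate "
    "before the evening bell to see the letters sealed and sent"
)


def build_table(seed):
    """Deal the symbols 00..99 out to the letters; each symbol gets one letter."""
    rng = random.Random(seed)  # seeded for a reproducible demo, not for secrecy
    symbols = [f"{n:02d}" for n in range(100)]
    rng.shuffle(symbols)
    table, start = {}, 0
    for letter, count in HOMOPHONE_COUNTS.items():
        table[letter] = symbols[start:start + count]
        start += count
    return table


def encrypt(plaintext, table, rng):
    """Replace every letter by one of its homophones chosen at random."""
    return [rng.choice(table[c]) for c in plaintext.lower() if c in table]


def decrypt(symbols, table):
    """Invert the table: every symbol stands for exactly one letter."""
    reverse = {s: letter for letter, group in table.items() for s in group}
    return "".join(reverse[s] for s in symbols)


def followers(symbols):
    """Map each ciphertext symbol to the set of symbols seen right after it."""
    seen = defaultdict(set)
    for current, nxt in zip(symbols, symbols[1:]):
        seen[current].add(nxt)
    return seen


def q_candidates(symbols, max_followers=3, min_seen=3):
    """Symbols seen often enough that are only ever followed by a few symbols.

    This is the clue from the text: q has one symbol and is always followed by
    u, which has three, so q's symbol has at most three distinct followers.
    """
    counts = Counter(symbols)
    seen = followers(symbols)
    return sorted(s for s, n in counts.items()
                  if n >= min_seen and 0 < len(seen[s]) <= max_followers)


if __name__ == "__main__":
    table = build_table(seed=1586)
    ciphertext = encrypt(SAMPLE, table, random.Random(1586))
    letters = [c for c in SAMPLE if c in table]
    print("most common plaintext letter :", Counter(letters).most_common(1))
    print("most common ciphertext symbol:", Counter(ciphertext).most_common(1))
    q_symbol = table["q"][0]
    print("q is", q_symbol, "| candidates:", q_candidates(ciphertext))
    print("followers of q's symbol:", sorted(followers(ciphertext)[q_symbol]),
          "| u is", sorted(table["u"]))
```

<p>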
In the table of homophones</p><p>shown in Table 5, the letter a can be represented by eight numbers.</p><p>Significantly, these eight numbers represent only the letter a. In</p><p>other words, a plaintext letter can be represented by several</p><p>symbols, but each symbol can only represent one letter. In a</p><p>polyalphabetic cipher, a plaintext letter will also be represented by</p><p>different symbols, but, even more confusingly, these symbols will</p><p>represent different letters during the course of an encipherment.</p><p>Perhaps the fundamental reason why the homophonic cipher is</p><p>considered monoalphabetic is that once the cipher alphabet has</p><p>been established, it remains constant throughout the process of</p><p>encryption. The fact that the cipher alphabet contains several</p><p>options for encrypting each letter is irrelevant. However, a</p><p>cryptographer who is using a polyalphabetic cipher must</p><p>continually switch between distinctly different cipher alphabets</p><p>during the process of encryption.</p><p>By tweaking the basic monoalphabetic cipher in various ways,</p><p>such as adding homophones, it became possible to encrypt messages</p><p>securely, without having to resort to the complexities of the</p><p>polyalphabetic cipher. One of the strongest examples of an</p><p>enhanced monoalphabetic cipher was the Great Cipher of Louis XIV.</p><p>The Great Cipher was used to encrypt the king’s most secret</p><p>messages, protecting details of his plans, plots and political</p><p>schemings. One of these messages mentioned one of the most</p><p>enigmatic characters in French history, the Man in the Iron Mask,</p><p>but the strength of the Great Cipher meant that the message and its</p><p>remarkable contents would remain undeciphered and unread for</p><p>two centuries.</p><p>The Great Cipher was invented by the father-and-son team of</p><p>Antoine and Bonaventure Rossignol. 
Antoine had first come to prominence in 1626 when he was given a coded letter captured from a messenger leaving the besieged city of Réalmont. Before the end of the day he had deciphered the letter, revealing that the Huguenot army which held the city was on the verge of collapse. The French, who had previously been unaware of the Huguenots’ desperate plight, returned the letter accompanied by a decipherment. The Huguenots, who now knew that their enemy would not back down, promptly surrendered. The decipherment had resulted in a painless French victory.</p><p>The power of codebreaking became obvious, and the Rossignols were appointed to senior positions in the court. After serving Louis XIII, they then acted as cryptanalysts for Louis XIV, who was so impressed that he moved their offices next to his own apartments so that Rossignol père et fils could play a central role in shaping French diplomatic policy. One of the greatest tributes to their abilities is that the word rossignol became French slang for a device that picks locks, a reflection of their ability to unlock ciphers.</p><p>The Rossignols’ prowess at cracking ciphers gave them an insight into how to create a stronger form of encryption, and they invented the so-called Great Cipher. The Great Cipher was so secure that it defied the efforts of all enemy cryptanalysts attempting to steal French secrets. Unfortunately, after the death of both father and son, the Great Cipher fell into disuse and its exact details were rapidly lost, which meant that enciphered papers in the French archives could no longer be read. 
The Great Cipher was so strong that it even defied the efforts of subsequent generations of codebreakers.</p><p>Historians knew that the papers encrypted by the Great Cipher would offer a unique insight into the intrigues of seventeenth-century France, but even by the end of the nineteenth century they were still unable to decipher them. Then, in 1890, Victor Gendron, a military historian researching the campaigns of Louis XIV, unearthed a new series of letters enciphered with the Great Cipher. Unable to make sense of them, he passed them on to Commandant Étienne Bazeries, a distinguished expert in the French Army’s Cryptographic Department. Bazeries viewed the letters as the ultimate challenge, and he spent the next three years of his life attempting to decipher them.</p><p>The encrypted pages contained thousands of numbers, but only 587 different ones. It was clear that the Great Cipher was more complicated than a straightforward substitution cipher, because this would require just 26 different numbers, one for each letter. Initially, Bazeries thought that the surplus of numbers represented homophones, and that several numbers represented the same letter. Exploring this avenue took months of painstaking effort, all to no avail. The Great Cipher was not a homophonic cipher.</p><p>Next, he hit upon the idea that each number might represent a pair of letters, or a digraph. There are only 26 individual letters, but there are 676 possible pairs of letters, and this is roughly equal to the variety of numbers in the ciphertexts. Bazeries attempted a decipherment by looking for the most frequent numbers in the ciphertexts (22, 42, 124, 125 and 341), assuming that these probably stood for the commonest French digraphs (es, en, ou, de, nt). In effect, he was applying frequency analysis at the level of pairs of letters. 
Unfortunately, again after months of work, this theory also failed to yield any meaningful decipherments.</p><p>Bazeries must have been on the point of abandoning his obsession, when a new line of attack occurred to him. Perhaps the digraph idea was not so far from the truth. He began to consider the possibility that each number represented not a pair of letters, but rather a whole syllable. He attempted to match each number to a syllable, the most frequently occurring numbers presumably representing the commonest French syllables. He tried various tentative permutations, but they all resulted in gibberish—until he succeeded in identifying one particular word. A cluster of numbers (124-22-125-46-345) appeared several times on each page, and Bazeries postulated that they represented les-en-ne-mi-s, that is, “les ennemis.” This proved to be a crucial breakthrough.</p><p>Bazeries was then able to continue by examining other parts of the ciphertexts where these numbers appeared within different words. He then inserted the syllabic values derived from “les ennemis,” which revealed parts of other words. As crossword addicts know, when a word is partly completed it is often possible to guess the remainder of the word. As Bazeries completed new words, he also identified further syllables, which in turn led to other words, and so on. Frequently he would be stumped, partly because the syllabic values were never obvious, partly because some of the numbers represented single letters rather than syllables, and partly because the Rossignols had laid traps within the cipher. 
For example, one number represented neither a syllable nor a letter, but instead deviously deleted the previous number.</p><p>When the decipherment was eventually completed, Bazeries became the first person for two hundred years to witness the secrets of Louis XIV. The newly deciphered material fascinated historians, who focused on one tantalizing letter in particular. It seemed to solve one of the great mysteries of the seventeenth century: the true identity of the Man in the Iron Mask.</p><p>The Man in the Iron Mask has been the subject of much speculation ever since he was first imprisoned at the French fortress of Pignerole in Savoy. When he was transferred to the Bastille in 1698, peasants tried to catch a glimpse of him, and variously reported him as being short or tall, fair or dark, young or old. Some even claimed that he was a she. With so few facts, everyone from Voltaire to Benjamin Franklin concocted their own theory to explain the case of the Man in the Iron Mask. The most popular conspiracy theory relating to the Mask (as he is sometimes called) suggests that he was the twin of Louis XIV, condemned to imprisonment in order to avoid any controversy over who was the rightful heir to the throne. One version of this theory argues that there existed descendants of the Mask and an associated hidden royal bloodline. A pamphlet published in 1801 said that Napoleon himself was a descendant of the Mask, a rumor which, since it enhanced his position, the emperor did not deny.</p><p>The myth of the Mask even inspired poetry, prose and drama. In 1848 Victor Hugo had begun writing a play entitled Twins, but when he found that Alexandre Dumas had already plumped for the same plot, he abandoned the two acts he had written. 
Ever since, it has been Dumas’s name that we associate with the story of the Man in the Iron Mask. The success of his novel reinforced the idea that the Mask was related to the king, and this theory has persisted despite the evidence revealed in one of Bazeries’s decipherments.</p><p>Bazeries had deciphered a letter written by François de Louvois, Louis XIV’s Minister of War, which began by recounting the crimes of Vivien de Bulonde, the commander responsible for leading an attack on the town of Cuneo, on the French-Italian border. Although he was ordered to stand his ground, Bulonde became concerned about the arrival of enemy troops from Austria and fled, leaving behind his munitions and abandoning many of his wounded soldiers. According to the Minister of War, these actions jeopardized the whole Piedmont campaign, and the letter made it clear that the king viewed Bulonde’s actions as an act of extreme cowardice:</p><p>His Majesty knows better than any other person the consequences of this act, and he is also aware of how deeply our failure to take the place will prejudice our cause, a failure which must be repaired during the winter. His Majesty desires that you immediately arrest General Bulonde and cause him to be conducted to the fortress of Pignerole, where he will be locked in a cell under guard at night, and permitted to walk the battlements during the day with a mask.</p><p>This was an explicit reference to a masked prisoner at Pignerole, and a sufficiently serious crime, with dates that seem to fit the myth of the Man in the Iron Mask. Does this solve the mystery? Not surprisingly, those favoring more conspiratorial solutions have found flaws in Bulonde as a candidate. 
For example, there is the argument that if Louis XIV was actually attempting to secretly imprison his unacknowledged twin, then he would have left a series of false trails. Perhaps the encrypted letter was meant to be deciphered. Perhaps the nineteenth-century codebreaker Bazeries had fallen into a seventeenth-century trap.</p><p>The Black Chambers</p><p>Reinforcing the monoalphabetic cipher by applying it to syllables or adding homophones might have been sufficient during the 1600s, but by the 1700s cryptanalysis was becoming industrialized, with teams of government cryptanalysts working together to crack many of the most complex monoalphabetic ciphers. Each European power had its own so-called Black Chamber, a nerve center for deciphering messages and gathering intelligence. The most celebrated, disciplined and efficient Black Chamber was the Geheime Kabinets-Kanzlei in Vienna.</p><p>It operated according to a rigorous timetable, because it was vital that its nefarious activities should not interrupt the smooth running of the postal service. Letters which were supposed to be delivered to embassies in Vienna were first routed via the Black Chamber, arriving at 7 A.M. Secretaries melted seals, and a team of stenographers worked in parallel to make copies of the letters. If necessary, a language specialist would take responsibility for duplicating unusual scripts. Within three hours the letters had been resealed in their envelopes and returned to the central post office, so that they could be delivered to their intended destination. Mail merely in transit through Austria would arrive at the Black Chamber at 10 A.M., and mail leaving Viennese embassies for destinations outside Austria would arrive at 4 P.M. All these letters would also be copied before being allowed to continue on their journey. 
Each day a hundred letters would filter through the Viennese Black Chamber.</p><p>The copies were passed to the cryptanalysts, who sat in little kiosks, ready to tease out the meanings of the messages. As well as supplying the emperors of Austria with invaluable intelligence, the Viennese Black Chamber sold the information it harvested to other powers in Europe. In 1774 an arrangement was made with Abbot Georgel, the secretary at the French Embassy, which gave him access to a twice-weekly package of information in exchange for 1,000 ducats. He then sent these letters, which contained the supposedly secret plans of various monarchs, straight to Louis XV in Paris.</p><p>The Black Chambers were effectively making all forms of monoalphabetic cipher insecure. Confronted with such professional cryptanalytic opposition, cryptographers were at last forced to adopt the more complex but more secure Vigenère cipher. Gradually, cipher secretaries began to switch to using polyalphabetic ciphers. In addition to more effective cryptanalysis, there was another pressure that was encouraging the move toward securer forms of encryption: the development of the telegraph, and the need to protect telegrams from interception and decipherment.</p><p>Although the telegraph, together with the ensuing telecommunications revolution, came in the nineteenth century, its origins can be traced all the way back to 1753. An anonymous letter in a Scottish magazine described how a message could be sent across large distances by connecting the sender and receiver with 26 cables, one for each letter of the alphabet. The sender could then spell out the message by sending pulses of electricity along each wire. 
For example, to spell out hello, the sender would begin by sending a signal down the h wire, then down the e wire, and so on. The receiver would somehow sense the electrical current emerging from each wire and read the message. However, this “expeditious method of conveying intelligence,” as the inventor called it, was never constructed, because there were several technical obstacles that had to be overcome.</p><p>For example, engineers needed a sufficiently sensitive system for detecting electrical signals. In England, Sir Charles Wheatstone and William Fothergill Cooke built detectors from magnetized needles, which would be deflected in the presence of an incoming electric current. By 1839, the Wheatstone-Cooke system was being used to send messages between railway stations in West Drayton and Paddington, a distance of 29 km. The reputation of the telegraph and its remarkable speed of communication soon spread, and nothing did more to popularize its power than the birth of Queen Victoria’s second son, Prince Alfred, at Windsor on August 6, 1844. News of the birth was telegraphed to London, and within the hour The Times was on the streets announcing the news. It credited the technology that had enabled this feat, mentioning that it was “indebted to the extraordinary power of the Electro-Magnetic Telegraph.” The following year, the telegraph gained further fame when it helped capture John Tawell, who had murdered his mistress in Slough, and who had attempted to escape by jumping on to a London-bound train. The local police telegraphed Tawell’s description to London, and he was arrested as soon as he arrived at Paddington.</p><p>Meanwhile, in America, Samuel Morse had just built his first telegraph line, a system spanning the 60 km between Baltimore and Washington. 
Morse used an electromagnet to enhance the signal, so that upon arriving at the receiver’s end it was strong enough to make a series of short and long marks, dots and dashes, on a piece of paper. He also developed the now familiar Morse code for translating each letter of the alphabet into a series of dots and dashes, as given in Table 6. To complete his system he designed a sounder, so that the receiver would hear each letter as a series of audible dots and dashes.</p><p>Back in Europe, Morse’s approach gradually overtook the Wheatstone-Cooke system in popularity, and in 1851 a European form of Morse code, which included accented letters, was adopted throughout the Continent. As each year passed, Morse code and the telegraph had an increasing influence on the world, enabling the police to capture more criminals, helping newspapers to bring the very latest news, providing valuable information for businesses, and allowing distant companies to make instantaneous deals.</p><p>However, guarding these often sensitive communications was a major concern. The Morse code itself is not a form of cryptography, because there is no concealment of the message. The dots and dashes are merely a convenient way to represent letters for the telegraphic medium; Morse code is effectively nothing more than an alternative alphabet. The problem of security arose primarily because anyone wanting to send a message would have to deliver it to a Morse code operator, who would then have to read it in order to transmit it. The telegraph operators had access to every message, and hence there was a risk that one company might bribe an operator in order to gain access to a rival’s communications. 
This problem was outlined in an article on telegraphy published in 1853 in England’s Quarterly Review:</p><p>Means should also be taken to obviate one great objection, at present felt with respect to sending private communications by telegraph—the violation of all secrecy—for in any case half-a-dozen people must be cognizant of every word addressed by one person to another. The clerks of the English Telegraph Company are sworn to secrecy, but we often write things that it would be intolerable to see strangers read before our eyes. This is a grievous fault in the telegraph, and it must be remedied by some means or other.</p><p>The solution was to encipher a message before handing it to the telegraph operator. The operator would then turn the ciphertext into Morse code before transmitting it. As well as preventing the operators from seeing sensitive material, encryption also stymied the efforts of any spy who might be tapping the telegraph wire. The polyalphabetic Vigenère cipher was clearly the best way to ensure secrecy for important business communications. It was considered unbreakable, and became known as le chiffre indéchiffrable. Cryptographers had, for the time being at least, a clear lead over the cryptanalysts.</p><p>Table 6 International Morse Code symbols.</p><p>Mr. Babbage Versus the Vigenère Cipher</p><p>The most intriguing figure in nineteenth-century cryptanalysis is Charles Babbage, the eccentric British genius best known for developing the blueprint for the modern computer. He was born in 1791, the son of Benjamin Babbage, a wealthy London banker. When Charles married without his father’s permission, he no longer had access to the Babbage fortune, but he still had enough money to be financially secure, and he pursued the life of a roving scholar, applying his mind to whatever problem tickled his fancy. 
His inventions include the speedometer and the cowcatcher, a device that could be fixed to the front of steam locomotives to clear cattle from railway tracks. In terms of scientific breakthroughs, he was the first to realize that the width of a tree ring depended on that year’s weather, and he deduced that it was possible to determine past climates by studying ancient trees. He was also intrigued by statistics, and as a diversion he drew up a set of mortality tables, a basic tool for today’s insurance industry.</p><p>Babbage did not restrict himself to tackling scientific and engineering problems. The cost of sending a letter used to depend on the distance the letter had to travel, but Babbage pointed out that the cost of the labor required to calculate the price for each letter was more than the cost of the postage. Instead, he proposed the system we still use today—a single price for all letters, regardless of where in the country the addressee lives. He was also interested in politics and social issues, and toward the end of his life he began a campaign to get rid of the organ grinders and street musicians who roamed London. He complained that the music “not infrequently gives rise to a dance by little ragged urchins, and sometimes half-intoxicated men, who occasionally accompany the noise with their own discordant voices. 
Another class who are great supporters of street music consists of ladies of elastic virtue and cosmopolitan tendencies, to whom it affords a decent excuse for displaying their fascinations at their open windows.” Unfortunately for Babbage, the musicians fought back by gathering in large groups around his house and playing as loud as possible.</p><p>The turning point in Babbage’s scientific career came in 1821, when he and the astronomer John Herschel were examining a set of mathematical tables, the sort used as the basis for astronomical, engineering and navigational calculations. The two men were disgusted by the number of errors in the tables, which in turn would generate flaws in important calculations. One set of tables, the Nautical Ephemeris for Finding Latitude and Longitude at Sea, contained over a thousand errors. Indeed, many shipwrecks and engineering disasters were blamed on faulty tables.</p><p>These mathematical tables were calculated by hand, and the mistakes were simply the result of human error. This caused Babbage to exclaim, “I wish to God these calculations had been executed by steam!” This marked the beginning of an extraordinary endeavor to build a machine capable of faultlessly calculating the tables to a high degree of accuracy. In 1823 Babbage designed “Difference Engine No. 1,” a magnificent calculator consisting of 25,000 precision parts, to be built with government funding. Although Babbage was a brilliant innovator, he was not a great implementer. After ten years of toil, he abandoned “Difference Engine No. 1,” cooked up an entirely new design, and set to work building “Difference Engine No. 
2.”</p><p>When Babbage abandoned his first machine, the government lost confidence in him and decided to cut its losses by withdrawing from the project—it had already spent £17,470, enough to build a pair of battleships. It was probably this withdrawal of support that later prompted Babbage to make the following complaint: “Propose to an Englishman any principle, or any instrument, however admirable, and you will observe that the whole effort of the English mind is directed to find a difficulty, a defect, or an impossibility in it. If you speak to him of a machine for peeling a potato, he will pronounce it impossible: if you peel a potato with it before his eyes, he will declare it useless, because it will not slice a pineapple.”</p><p>Lack of government funding meant that Babbage never completed Difference Engine No. 2. The scientific tragedy was that Babbage’s machine would have been a stepping-stone to the Analytical Engine, which would have been programmable. Rather than merely calculating a specific set of tables, the Analytical Engine would have been able to solve a variety of mathematical problems depending on the instructions that it was given. In fact, the Analytical Engine provided the template for modern computers. The design included a “store” (memory) and a “mill” (processor), which would allow it to make decisions and repeat instructions, which are equivalent to the “IF … THEN …” and “LOOP” commands in modern programming.</p><p>Figure 12 Charles Babbage. 
(photo credit 2.2)</p><p>A century later, during the course of the Second World War, the first electronic incarnations of Babbage’s machine would have a profound effect on cryptanalysis, but, in his own lifetime, Babbage made an equally important contribution to codebreaking: he succeeded in breaking the Vigenère cipher, and in so doing he made the greatest breakthrough in cryptanalysis since the Arab scholars of the ninth century broke the monoalphabetic cipher by inventing frequency analysis. Babbage’s work required no mechanical calculations or complex computations. Instead, he employed nothing more than sheer cunning.</p><p>Babbage had become interested in ciphers at a very young age. In later life, he recalled how his childhood hobby occasionally got him into trouble: “The bigger boys made ciphers, but if I got hold of a few words, I usually found out the key. The consequence of this ingenuity was occasionally painful: the owners of the detected ciphers sometimes thrashed me, though the fault lay in their own stupidity.” These beatings did not discourage him, and he continued to be enchanted by cryptanalysis. He wrote in his autobiography that “deciphering is, in my opinion, one of the most fascinating of arts.”</p><p>He soon gained a reputation within London society as a cryptanalyst prepared to tackle any encrypted message, and strangers would approach him with all sorts of problems. For example, Babbage helped a desperate biographer attempting to decipher the shorthand notes of John Flamsteed, England’s first Astronomer Royal. He also came to the rescue of a historian, solving a cipher of Henrietta Maria, wife of Charles I. In 1854, he collaborated with a barrister and used cryptanalysis to reveal crucial evidence in a legal case. 
Over the years, he accumulated a thick file of encrypted messages, which he planned to use as the basis for an authoritative book on cryptanalysis, entitled The Philosophy of Decyphering. The book would contain two examples of every kind of cipher, one that would be broken as a demonstration and one that would be left as an exercise for the reader. Unfortunately, as with many other of his grand plans, the book was never completed.</p><p>While most cryptanalysts had given up all hope of ever breaking the Vigenère cipher, Babbage was inspired to attempt a decipherment by an exchange of letters with John Hall Brock Thwaites, a dentist from Bristol with a rather innocent view of ciphers. In 1854, Thwaites claimed to have invented a new cipher, which, in fact, was equivalent to the Vigenère cipher. He wrote to the Journal of the Society of Arts with the intention of patenting his idea, apparently unaware that he was several centuries too late. Babbage wrote to the Society, pointing out that “the cypher … is a very old one, and to be found in most books.” Thwaites was unapologetic and challenged Babbage to break his cipher. Whether or not it was breakable was irrelevant to whether or not it was new, but Babbage’s curiosity was sufficiently aroused for him to embark on a search for a weakness in the Vigenère cipher.</p><p>Cracking a difficult cipher is akin to climbing a sheer cliff face. The cryptanalyst is seeking any nook or cranny which could provide the slightest purchase. In a monoalphabetic cipher the cryptanalyst will latch on to the frequency of the letters, because the commonest letters, such as e, t and a, will stand out no matter how they have been disguised. In the polyalphabetic Vigenère cipher the frequencies are much more balanced, because the keyword is used to switch between cipher alphabets. 
Hence, at first sight, the rock face seems perfectly smooth.</p><p>Remember, the great strength of the Vigenère cipher is that the same letter will be enciphered in different ways. For example, if the keyword is KING, then every letter in the plaintext can potentially be enciphered in four different ways, because the keyword contains four letters. Each letter of the keyword defines a different cipher alphabet in the Vigenère square, as shown in Table 7. The e column of the square has been highlighted to show how it is enciphered differently, depending on which letter of the keyword is defining the encipherment:</p><p>If the K of KING is used to encipher e, then the resulting ciphertext letter is O.</p><p>If the I of KING is used to encipher e, then the resulting ciphertext letter is M.</p><p>If the N of KING is used to encipher e, then the resulting ciphertext letter is R.</p><p>If the G of KING is used to encipher e, then the resulting ciphertext letter is K.</p><p>Table 7 A Vigenère square used in combination with the keyword KING. The keyword defines four separate cipher alphabets, so that the letter e may be encrypted as O, M, R or K.</p><p>Similarly, whole words will be enciphered in different ways: the word the, for example, could be enciphered as DPR, BUK, GNO or ZRM, depending on its position relative to the keyword. Although this makes cryptanalysis difficult, it is not impossible. The important point to note is that if there are only four ways to encipher the word the, and the original message contains several instances of the word the, then it is highly likely that some of the four possible encipherments will be repeated in the ciphertext. 
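</p><p>The repetition described above can be reproduced directly. The Python below is an added example, not part of the book's text: it lists the four encipherments of the word the under the keyword KING, enciphers the book's line The Sun and the Man in the Moon, and reports which ciphertext sequences repeat and why. The function names are chosen here for illustration.</p>

```python
"""Added example: repeated ciphertext under the Vigenère keyword KING."""

A = ord("A")


def clean(text):
    """Keep the letters A-Z only, upper-cased."""
    return "".join(c for c in text.upper() if "A" <= c <= "Z")


def vigenere_encrypt(plaintext, keyword, offset=0):
    """Encipher with the Vigenère square.

    `offset` is the keyword position applied to the first plaintext letter,
    so offset=1 with KING starts on the I alphabet.
    """
    key = clean(keyword)
    out = []
    for i, ch in enumerate(clean(plaintext)):
        shift = ord(key[(i + offset) % len(key)]) - A
        out.append(chr((ord(ch) - A + shift) % 26 + A))
    return "".join(out)


def alignments(word, keyword):
    """Every ciphertext form a word can take, one per keyword position."""
    return [vigenere_encrypt(word, keyword, k)
            for k in range(len(clean(keyword)))]


def word_occurrences(plaintext, word, keyword):
    """For each occurrence of `word`: (position, keyword position, ciphertext)."""
    text, target = clean(plaintext), clean(word)
    klen = len(clean(keyword))
    cipher = vigenere_encrypt(plaintext, keyword)
    found, pos = [], text.find(target)
    while pos != -1:
        found.append((pos, pos % klen, cipher[pos:pos + len(target)]))
        pos = text.find(target, pos + 1)
    return found


def repeated_sequences(ciphertext, length):
    """Ciphertext substrings of the given length that occur more than once."""
    seen = {}
    for i in range(len(ciphertext) - length + 1):
        seen.setdefault(ciphertext[i:i + length], []).append(i)
    return {seq: pos for seq, pos in seen.items() if len(pos) > 1}


if __name__ == "__main__":
    line, key = "The Sun and the Man in the Moon", "KING"
    cipher = vigenere_encrypt(line, key)
    print("the under each keyword position:", alignments("the", key))
    print("ciphertext:", cipher)
    for pos, kpos, form in word_occurrences(line, "the", key):
        print(f"  'the' at letter {pos}, keyword position {kpos} -> {form}")
    # Two occurrences that start at the same keyword position encipher
    # identically, so the distance between them is a multiple of the
    # keyword length.
    for seq, positions in repeated_sequences(cipher, 4).items():
        gaps = [b - a for a, b in zip(positions, positions[1:])]
        print(f"  repeat {seq} at {positions}, spacing {gaps}")
```

<p>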
This is demonstrated in the following example, in which the line The Sun and the Man in the Moon has been enciphered using the Vigenère cipher and the keyword KING.</p><p>to leave out many fascinating stories, which in turn means that my account is not definitive. If you would like to find out more about your favorite tale or your favorite codebreaker then I would refer you to the list of further reading, which should help those readers who would like to study the subject in more detail.</p><p>Having discussed the evolution of codes and their impact on history, the book’s second objective is to demonstrate how the subject is more relevant today than ever before. As information becomes an increasingly valuable commodity, and as the communications revolution changes society, so the process of encoding messages, known as encryption, will play an increasing role in everyday life. Nowadays our phone calls bounce off satellites and our e-mails pass through various computers, and both forms of communication can be intercepted with ease, so jeopardizing our privacy. Similarly, as more and more business is conducted over the Internet, safeguards must be put in place to protect companies and their clients. Encryption is the only way to protect our privacy and guarantee the success of the digital marketplace. The art of secret communication, otherwise known as cryptography, will provide the locks and keys of the Information Age.</p><p>However, the public’s growing demand for cryptography conflicts with the needs of law enforcement and national security. For decades, the police and the intelligence services have used wire-taps to gather evidence against terrorists and organized crime syndicates, but the recent development of ultra-strong codes threatens to undermine the value of wire-taps. 
As we enter the twenty-first century, civil libertarians are pressing for the widespread use of cryptography in order to protect the privacy of the individual. Arguing alongside them are businesses, who require strong cryptography in order to guarantee the security of transactions within the fast-growing world of Internet commerce. At the same time, the forces of law and order are lobbying governments to restrict the use of cryptography. The question is, which do we value more—our privacy or an effective police force? Or is there a compromise?</p><p>Although cryptography is now having a major impact on civilian activities, it should be noted that military cryptography remains an important subject. It has been said that the First World War was the chemists’ war, because mustard gas and chlorine were employed for the first time, and that the Second World War was the physicists’ war, because the atom bomb was detonated. Similarly, it has been argued that the Third World War would be the mathematicians’ war, because mathematicians will have control over the next great weapon of war—information. Mathematicians have been responsible for developing the codes that are currently used to protect military information. Not surprisingly, mathematicians are also at the forefront of the battle to break these codes.</p><p>While describing the evolution of codes and their impact on history, I have allowed myself a minor detour. Chapter 5 describes the decipherment of various ancient scripts, including Linear B and Egyptian hieroglyphics. Technically, cryptography concerns communications that are deliberately designed to keep secrets from an enemy, whereas the writings of ancient civilizations were not intended to be indecipherable: it is merely that we have lost the ability to interpret them. 
However, the skills required to uncover the</p><p>meaning of archaeological texts are closely related to the art of</p><p>codebreaking. Ever since reading The Decipherment of Linear B, John</p><p>Chadwick’s description of how an ancient Mediterranean text was</p><p>unraveled, I have been struck by the astounding intellectual</p><p>achievements of those men and women who have been able to</p><p>decipher the scripts of our ancestors, thereby allowing us to read</p><p>about their civilizations, religions and everyday lives.</p><p>Turning to the purists, I should apologize for the title of this book.</p><p>The Code Book is about more than just codes. The word “code” refers</p><p>to a very particular type of secret communication, one that has</p><p>declined in use over the centuries. In a code, a word or phrase is</p><p>replaced with a word, number or symbol. For example, secret agents</p><p>have codenames, words that are used instead of their real names in</p><p>order to mask their identities. Similarly, the phrase Attack at dawn</p><p>could be replaced by the codeword Jupiter, and this word could be</p><p>sent to a commander in the battlefield as a way of baffling the</p><p>enemy. If headquarters and the commander have previously agreed</p><p>on the code, then the meaning of Jupiter will be clear to the</p><p>intended recipient, but it will mean nothing to an enemy who</p><p>intercepts it. The alternative to a code is a cipher, a technique that</p><p>acts at a more fundamental level, by replacing letters rather than</p><p>whole words. For example, each letter in a phrase could be replaced</p><p>by the next letter in the alphabet, so that A is replaced by B, B by C,</p><p>and so on. Attack at dawn thus becomes Buubdl bu ebxo. Ciphers</p><p>play an integral role in cryptography, and so this book should really</p><p>have been called The Code and Cipher Book. 
I have, however,</p><p>forsaken accuracy for snappiness.</p><p>As the need arises, I have defined the various technical terms used</p><p>within cryptography. Although I have generally adhered to these</p><p>definitions, there will be occasions when I use a term that is perhaps</p><p>not technically accurate, but which I feel is more familiar to the</p><p>non-specialist. For example, when describing a person attempting to</p><p>break a cipher, I have often used codebreaker rather than the more</p><p>accurate cipherbreaker. I have done this only when the meaning of</p><p>the word is obvious from the context. There is a glossary of terms at</p><p>the end of the book. More often than not, though, crypto-jargon is</p><p>quite transparent: for example, plaintext is the message before</p><p>encryption, and ciphertext is the message after encryption.</p><p>Before concluding this introduction, I must mention a problem</p><p>that faces any author who tackles the subject of cryptography: the</p><p>science of secrecy is largely a secret science. Many of the heroes in</p><p>this book never gained recognition for their work during their</p><p>lifetimes because their contribution could not be publicly</p><p>acknowledged while their invention was still of diplomatic or</p><p>military value. While researching this book, I was able to talk to</p><p>experts at Britain’s Government Communications Headquarters</p><p>(GCHQ), who revealed details of extraordinary research done in the</p><p>1970s which has only just been declassified. As a result of this</p><p>declassification, three of the world’s greatest cryptographers can</p><p>now receive the credit they deserve. 
However, this recent revelation</p><p>has merely served to remind me that there is a great deal more</p><p>going on, of which neither I nor any other science writer is aware.</p><p>Organizations such as GCHQ and America’s National Security</p><p>Agency continue to conduct classified research into cryptography,</p><p>which means that their breakthroughs remain secret and the</p><p>individuals who make them remain anonymous.</p><p>Despite the problems of government secrecy and classified</p><p>research, I have spent the final chapter of this book speculating</p><p>about the future of codes and ciphers. Ultimately, this chapter is an</p><p>attempt to see if we can predict who will win the evolutionary</p><p>struggle between codemaker and codebreaker. Will codemakers ever</p><p>design a truly unbreakable code and succeed in their quest for</p><p>absolute secrecy? Or will codebreakers build a machine that can</p><p>decipher any message? Bearing in mind that some of the greatest</p><p>minds work in classified laboratories, and that they receive the bulk</p><p>of research funds, it is clear that some of the statements in my final</p><p>chapter may be inaccurate. For example, I state that quantum</p><p>computers—machines potentially capable of breaking all today’s</p><p>ciphers—are at a very primitive stage, but it is possible that</p><p>somebody has already built one. The only people who are in a</p><p>position to point out my errors are also those who are not at liberty</p><p>to reveal</p><p>The word the is enciphered as DPR in the first instance, and then as</p><p>BUK on the second and third occasions. The reason for the</p><p>repetition of BUK is that the second the is displaced by eight letters</p><p>with respect to the third the, and eight is a multiple of the length of</p><p>the keyword, which is four letters long. 
In other words, the second</p><p>the was enciphered according to its relationship to the keyword (the</p><p>is directly below ING), and by the time we reach the third the, the</p><p>keyword has cycled around exactly twice, to repeat the relationship,</p><p>and hence repeat the encipherment.</p><p>Babbage realized that this sort of repetition provided him with</p><p>exactly the foothold he needed in order to conquer the Vigenère</p><p>cipher. He was able to define a series of relatively simple steps</p><p>which could be followed by any cryptanalyst to crack the hitherto</p><p>chiffre indéchiffrable. To demonstrate his brilliant technique, let us</p><p>imagine that we have intercepted the ciphertext shown in Figure 13.</p><p>We know that it was enciphered using the Vigenère cipher, but we</p><p>know nothing about the original message, and the keyword is a</p><p>mystery.</p><p>The first stage in Babbage’s cryptanalysis is to look for sequences</p><p>of letters that appear more than once in the ciphertext. There are</p><p>two ways that such repetitions could arise. The most likely is that</p><p>the same sequence of letters in the plaintext has been enciphered</p><p>using the same part of the key. Alternatively, there is a slight</p><p>possibility that two different sequences of letters in the plaintext</p><p>have been enciphered using different parts of the key, coincidentally</p><p>leading to the identical sequence in the ciphertext. If we restrict</p><p>ourselves to long sequences, then we largely discount the second</p><p>possibility, and, in this case, we shall consider repeated sequences</p><p>only if they are of four letters or more. Table 8 is a log of such</p><p>repetitions, along with the spacing between the repetition. 
For</p><p>example, the sequence E-F-I-Q appears in the first line of the</p><p>ciphertext and then in the fifth line, shifted forward by 95 letters.</p><p>As well as being used to encipher the plaintext into ciphertext, the</p><p>keyword is also used by the receiver to decipher the ciphertext back</p><p>into plaintext. Hence, if we could identify the keyword, deciphering</p><p>the text would be easy. At this stage we do not have enough</p><p>information to work out the keyword, but Table 8 does provide</p><p>some very good clues as to its length. Having listed which sequences</p><p>repeat themselves and the spacing between these repetitions, the</p><p>rest of the table is given over to identifying the factors of the spacing</p><p>—the numbers that will divide into the spacing.</p><p>Figure 13 The ciphertext, enciphered using the Vigenère cipher.</p><p>For example, the sequence W-C-X-Y-M repeats itself after 20 letters,</p><p>and the numbers 1, 2, 4, 5, 10 and 20 are factors, because they</p><p>divide perfectly into 20 without leaving a remainder. These factors</p><p>suggest six possibilities:</p><p>(1) The key is 1 letter long and is recycled 20 times between encryptions.</p><p>(2) The key is 2 letters long and is recycled 10 times between encryptions.</p><p>(3) The key is 4 letters long and is recycled 5 times between encryptions.</p><p>(4) The key is 5 letters long and is recycled 4 times between encryptions.</p><p>(5) The key is 10 letters long and is recycled 2 times between encryptions.</p><p>(6) The key is 20 letters long and is recycled 1 time between encryptions.</p><p>The first possibility can be excluded, because a key that is only 1</p><p>letter long gives rise to a monoalphabetic cipher—only one row of</p><p>the Vigenère square would be used for the entire encryption, and</p><p>the cipher alphabet would remain unchanged; it is unlikely that a</p><p>cryptographer would do this. 
To indicate each of the other</p><p>possibilities, a ✓ is placed in the appropriate column of Table 8.</p><p>Each ✓ indicates a potential key length.</p><p>To identify whether the key is 2, 4, 5, 10 or 20 letters long, we</p><p>need to look at the factors of all the other spacings. Because the</p><p>keyword seems to be 20 letters or smaller, Table 8 lists those factors</p><p>that are 20 or smaller for each of the other spacings. There is a clear</p><p>propensity for a spacing divisible by 5. In fact, every spacing is</p><p>divisible by 5. The first repeated sequence, E-F-I-Q, can be explained</p><p>by a keyword of length 5 recycled nineteen times between the first</p><p>and second encryptions. The second repeated sequence, P-S-D-L-P,</p><p>can be explained by a keyword of length 5 recycled just once</p><p>between the first and second encryptions. The third repeated</p><p>sequence, W-C-X-Y-M, can be explained by a keyword of length 5</p><p>recycled four times between the first and second encryptions. The</p><p>fourth repeated sequence, E-T-R-L, can be explained by a keyword</p><p>of length 5 recycled twenty-four times between the first and second</p><p>encryptions. In short, everything is consistent with a five-letter</p><p>keyword.</p><p>Table 8 Repetitions and spacings in the ciphertext.</p><p>Assuming that the keyword is indeed 5 letters long, the next step</p><p>is to work out the actual letters of the keyword. For the time being,</p><p>let us call the keyword L1-L2-L3-L4-L5, such that L1 represents the</p><p>first letter of the keyword, and so on. The process of encipherment</p><p>would have begun with enciphering the first letter of the plaintext</p><p>according to the first letter of the keyword, L1. The letter L1 defines</p><p>one row of the Vigenère square, and effectively provides a</p><p>monoalphabetic substitution cipher alphabet for the first letter of</p><p>the plaintext. 
However, when it comes to encrypting the second</p><p>letter of the plaintext, the cryptographer would have used L2 to</p><p>define a different row of the Vigenère square, effectively providing a</p><p>different monoalphabetic substitution cipher alphabet. The third</p><p>letter of plaintext would be encrypted according to L3, the fourth</p><p>according to L4, and the fifth according to L5. Each letter of the</p><p>keyword is providing a different cipher alphabet for encryption.</p><p>However, the sixth letter of the plaintext would once again be</p><p>encrypted according to L1, the seventh letter of the plaintext would</p><p>once again be encrypted according to L2, and the cycle repeats itself</p><p>thereafter. In other words, the polyalphabetic cipher consists of five</p><p>monoalphabetic ciphers, each monoalphabetic cipher is responsible</p><p>for encrypting one-fifth of the entire message, and, most</p><p>importantly, we already know how to cryptanalyze monoalphabetic</p><p>ciphers.</p><p>We proceed as follows. We know that one of the rows of the</p><p>Vigenère square, defined by L1, provided the cipher alphabet to</p><p>encrypt the 1st, 6th, 11th, 16th, … letters of the message. Hence, if</p><p>we look at the 1st, 6th, 11th, 16th, … letters of the ciphertext, we</p><p>should be able to use old-fashioned frequency analysis to work out</p><p>the cipher alphabet in question. Figure 14 shows the frequency</p><p>distribution of the letters that appear in the 1st, 6th, 11th, 16th, …</p><p>positions of the ciphertext, which are W, I, R, E,.… At this point,</p><p>remember that each cipher alphabet in the Vigenère square is</p><p>simply a standard alphabet shifted by a value between 1 and 26.</p><p>Hence, the frequency distribution in Figure 14 should have similar</p><p>features to the frequency distribution of a standard alphabet, except</p><p>that it will have been shifted by some distance. 
By comparing the L1</p><p>distribution with the standard distribution, it should be possible to</p><p>work out the shift. Figure 15 shows the standard frequency</p><p>distribution for a piece of English plaintext.</p><p>The standard distribution has peaks, plateaus and valleys, and to</p><p>match it with the L1 cipher distribution we look for the most</p><p>outstanding combination of features. For example, the three spikes</p><p>at R-S-T in the standard distribution (Figure 15) and the long</p><p>depression to its right that stretches across six letters from U to Z</p><p>together form a very distinctive pair of features. The only similar</p><p>features in the L1 distribution (Figure 14) are the three spikes at V-</p><p>W-X, followed by the depression stretching six letters from Y to D.</p><p>This would suggest that all the letters encrypted according to L1</p><p>have been shifted four places, or that L1 defines a cipher alphabet</p><p>which begins E, F, G, H,.… In turn, this means that the first letter of</p><p>the keyword, L1, is probably E. This hypothesis can be tested by</p><p>shifting the L1 distribution back four letters and comparing it with</p><p>the standard distribution. Figure 16 shows both distributions for</p><p>comparison. The match between the major peaks is very strong,</p><p>implying that it is safe to assume that the keyword does indeed</p><p>begin with E.</p><p>Figure 14 Frequency distribution for letters in the ciphertext encrypted using the L1</p><p>cipher alphabet (number of occurrences).</p><p>Figure 15 Standard frequency distribution (number of occurrences based on a piece</p><p>of plaintext containing the same number of letters as in the ciphertext).</p><p>Figure 16 The L1 distribution shifted back four letters (top), compared with the</p><p>standard frequency distribution (bottom). 
All major peaks and troughs match.</p><p>To summarize, searching for repetitions in the ciphertext has</p><p>allowed us to identify the length of the keyword, which turned out</p><p>to be five letters long. This allowed us to split the ciphertext into</p><p>five parts, each one enciphered according to a monoalphabetic</p><p>substitution as defined by one letter of the keyword. By analyzing</p><p>the fraction of the ciphertext that was enciphered according to the</p><p>first letter of the keyword, we have been able to show that this</p><p>letter, L1, is probably E. This process is repeated in order to identify</p><p>the second letter of the keyword. A frequency distribution is</p><p>established for the 2nd, 7th, 12th, 17th,… letters in the ciphertext.</p><p>Again, the resulting distribution, shown in Figure 17, is compared</p><p>with the standard distribution in order to deduce the shift.</p><p>This distribution is harder to analyze. There are no obvious</p><p>candidates for the three neighboring peaks that correspond to R-S-</p><p>T. However, the depression that stretches from G to L is very</p><p>distinct, and probably corresponds to the depression we expect to</p><p>see stretching from U to Z in the standard distribution. If this were</p><p>the case, we would expect the three R-S-T peaks to appear at D, E</p><p>and F, but the peak at E is missing. For the time being, we shall</p><p>dismiss the missing peak as a statistical glitch, and go with our</p><p>initial reaction, which is that the depression from G to L is a</p><p>recognizably shifted feature. This would suggest that all the letters</p><p>encrypted according to L2 have been shifted twelve places, or that</p><p>L2 defines a cipher alphabet which begins M, N, O, P,… and that the</p><p>second letter of the keyword, L2, is M. Once again, this hypothesis</p><p>can be tested by shifting the L2 distribution back twelve letters and</p><p>comparing it with the standard distribution. 
Figure 18 shows both</p><p>distributions, and the match between the major peaks is very strong,</p><p>implying that it is safe to assume that the second letter of the</p><p>keyword is indeed M.</p><p>Figure 17 Frequency distribution for letters in the ciphertext encrypted using the L2</p><p>cipher alphabet (number of occurrences).</p><p>Figure 18 The L2 distribution shifted back twelve letters (top), compared with the</p><p>standard frequency distribution (bottom). Most major peaks and troughs match.</p><p>I shall not continue the analysis; suffice to say that analyzing the</p><p>3rd, 8th, 13th, … letters implies that the third letter of the keyword</p><p>is I, analyzing the 4th, 9th, 14th, … letters implies that the fourth</p><p>letter is L, and analyzing the 5th, 10th, 15th, … letters implies that</p><p>the fifth letter is Y. The keyword is EMILY. It is now possible to</p><p>reverse the Vigenère cipher and complete the cryptanalysis. The first</p><p>letter of the ciphertext is W, and it was encrypted according to the</p><p>first letter of the keyword, E. Working backward, we look at the</p><p>Vigenère square, and find W in the row beginning with E, and then</p><p>we find which letter is at the top of that column. The letter is s,</p><p>which must make it the first letter of the plaintext. By repeating this</p><p>process, we see that the plaintext begins</p><p>sittheedownandhavenoshamecheekbyjowl.… By inserting suitable</p><p>word-breaks and punctuation, we eventually get:</p><p>Sit thee down, and have no shame,</p><p>Cheek by jowl, and knee by knee:</p><p>What care I for any name?</p><p>What for order or degree?</p><p>Let me screw thee up a peg:</p><p>Let me loose thy tongue with wine:</p><p>Callest thou that thing a leg?</p><p>Which is thinnest? 
thine or mine?</p><p>Thou shalt not be saved by works:</p><p>Thou hast been a sinner too:</p><p>Ruined trunks on withered forks,</p><p>Empty scarecrows, I and you!</p><p>Fill the cup, and fill the can:</p><p>Have a rouse before the morn:</p><p>Every moment dies a man,</p><p>Every moment one is born.</p><p>These are verses from a poem by Alfred Tennyson entitled “The</p><p>Vision of Sin.” The keyword happens to be the first name of</p><p>Tennyson’s wife, Emily Sellwood. I chose to use a section from this</p><p>particular poem as an example for cryptanalysis because it inspired</p><p>some curious correspondence between Babbage and the great poet.</p><p>Being a keen statistician and compiler of mortality tables, Babbage</p><p>was irritated by the lines “Every moment dies a man, Every moment</p><p>one is born,” which are the last lines of the plaintext above.</p><p>Consequently, he offered a correction to Tennyson’s “otherwise</p><p>beautiful” poem:</p><p>It must be manifest that if this were true, the population of the world would be at a</p><p>standstill … I would suggest that in the next edition of your poem you have it read</p><p>—“Every moment dies a man, Every moment 1 is born.” … The actual figure is so</p><p>long I cannot get it onto a line, but I believe the figure 1 will be sufficiently</p><p>accurate for poetry.</p><p>I am, Sir, yours, etc.,</p><p>Charles Babbage.</p><p>Babbage’s successful cryptanalysis of the Vigenère cipher was</p><p>probably achieved in 1854, soon after his spat with Thwaites, but</p><p>his discovery went completely unrecognized because he never</p><p>published it. The discovery came to light only in the twentieth</p><p>century, when scholars examined Babbage’s extensive notes. In the</p><p>meantime, his technique was independently discovered by Friedrich</p><p>Wilhelm Kasiski, a retired officer in the Prussian army. 
Ever since</p><p>1863, when he published his cryptanalytic breakthrough in Die</p><p>Geheimschriften und die Dechiffrir-kunst (“Secret Writing and the Art</p><p>of Deciphering”), the technique has been known as the Kasiski Test,</p><p>and Babbage’s contribution has been largely ignored.</p><p>And why did Babbage fail to publicize his cracking of such a vital</p><p>cipher? He certainly had a habit of not finishing projects and not</p><p>publishing his discoveries, which might suggest that this is just one</p><p>more example of his lackadaisical attitude. However, there is an</p><p>alternative explanation. His discovery occurred soon after the</p><p>outbreak of the Crimean War, and one theory is that it gave the</p><p>British a clear advantage over their Russian enemy. It is quite</p><p>possible that British Intelligence demanded that Babbage keep his</p><p>work secret, thus providing them with a nine-year head start over</p><p>the rest of the world. If this was the case, then it would fit in with</p><p>the long-standing tradition of hushing up codebreaking</p><p>achievements in the interests of national security, a practice that has</p><p>continued into the twentieth century.</p><p>From Agony Columns to Buried Treasure</p><p>Thanks to the breakthroughs by Charles Babbage and Friedrich</p><p>Kasiski, the Vigenère cipher was no longer secure. Cryptographers</p><p>could no longer guarantee secrecy, now that cryptanalysts had</p><p>fought back to regain control in the communications war. Although</p><p>cryptographers attempted to design new ciphers, nothing of great</p><p>significance emerged during the latter half of the nineteenth</p><p>century, and professional cryptography was in disarray. 
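</p><p>The Babbage/Kasiski procedure walked through above (repeated sequences, the factors of their spacings, then frequency analysis of every fifth letter), as an added Python example that is not from the book: it rebuilds a ciphertext from the Tennyson verses and the keyword EMILY quoted on the page, then recovers the key length and keyword from the ciphertext alone. The function names, the English letter-frequency table and the chi-squared matching (which stands in for the visual comparison of Figures 14 to 18) are assumptions of this example.</p>

```python
"""Babbage/Kasiski attack on a Vigenère ciphertext (added illustration)."""
from collections import Counter
from string import ascii_uppercase as ALPHA

# Assumed reference table: approximate English letter frequencies (%), A..Z.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
           0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
           2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Plaintext and keyword as quoted on the page; used only to rebuild a ciphertext.
POEM = """
Sit thee down, and have no shame, Cheek by jowl, and knee by knee:
What care I for any name? What for order or degree?
Let me screw thee up a peg: Let me loose thy tongue with wine:
Callest thou that thing a leg? Which is thinnest? thine or mine?
Thou shalt not be saved by works: Thou hast been a sinner too:
Ruined trunks on withered forks, Empty scarecrows, I and you!
Fill the cup, and fill the can: Have a rouse before the morn:
Every moment dies a man, Every moment one is born.
"""


def letters(text):
    """Keep only A-Z, upper-cased (spaces and punctuation are dropped)."""
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (A=0, ..., E=4, ...)."""
    sign = -1 if decrypt else 1
    out = []
    for i, c in enumerate(letters(text)):
        shift = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + sign * shift) % 26])
    return "".join(out)


def repeat_spacings(ct, n=4):
    """Stage 1: log each repeated n-letter sequence with the distance back to
    its previous occurrence. Overlapping pieces of a longer repeat (PSDL and
    SDLP inside P-S-D-L-P) are logged separately; the conclusion is the same."""
    last_seen, found = {}, []
    for i in range(len(ct) - n + 1):
        seq = ct[i:i + n]
        if seq in last_seen:
            found.append((seq, i - last_seen[seq]))
        last_seen[seq] = i
    return found


def key_length(ct, max_len=20):
    """Stage 2: the candidate length (2..max_len) dividing the most spacings.
    Voting tolerates an occasional coincidental repeat."""
    spacings = [gap for _, gap in repeat_spacings(ct)]
    if not spacings:
        raise ValueError("no repeated sequences: ciphertext too short")
    votes = {k: sum(gap % k == 0 for gap in spacings)
             for k in range(2, max_len + 1)}
    return max(votes, key=votes.get)


def chi_squared(column, shift):
    """Misfit between a column shifted back by `shift` and English."""
    counts = Counter(ALPHA[(ALPHA.index(c) - shift) % 26] for c in column)
    total = len(column)
    score = 0.0
    for letter, pct in zip(ALPHA, ENGLISH):
        expected = total * pct / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_key(ct, length):
    """Stage 3: every length-th letter is one monoalphabetic shift cipher;
    pick, per column, the shift whose distribution best matches English."""
    key = ""
    for i in range(length):
        column = ct[i::length]
        key += ALPHA[min(range(26), key=lambda s: chi_squared(column, s))]
    return key


def attack(ct):
    """Run all stages on ciphertext only; returns (length, key, plaintext)."""
    length = key_length(ct)
    key = recover_key(ct, length)
    return length, key, vigenere(ct, key, decrypt=True)


CIPHERTEXT = vigenere(POEM, "EMILY")

if __name__ == "__main__":
    for seq, gap in repeat_spacings(CIPHERTEXT):
        print(f"{seq} repeats after {gap} letters")
    length, key, plain = attack(CIPHERTEXT)
    print("key length:", length, "keyword:", key)
    print(plain[:36].lower())
```

<p>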
However,</p><p>this same period witnessed an enormous growth of interest in</p><p>ciphers among the general public.</p><p>The development of the telegraph, which had driven a</p><p>commercial interest in cryptography, was also responsible for</p><p>generating public interest in cryptography. The public became</p><p>aware of the need to protect personal messages of a highly sensitive</p><p>nature, and if necessary they would use encryption, even though</p><p>this took more time to send, thus adding to the cost of the telegram.</p><p>Morse operators could send plain English at speeds</p><p>of up to 35</p><p>words per minute because they could memorize entire phrases and</p><p>transmit them in a single burst, whereas the jumble of letters that</p><p>make up a ciphertext was considerably slower to transmit, because</p><p>the operator had to continually refer back to the sender’s written</p><p>message to check the sequence of letters. The ciphers used by the</p><p>general public would not have withstood attack by a professional</p><p>cryptanalyst, but they were sufficient to guard against the casual</p><p>snooper.</p><p>As people became comfortable with encipherment, they began to</p><p>express their cryptographic skills in a variety of ways. For example,</p><p>young lovers in Victorian England were often forbidden from</p><p>publicly expressing their affection, and could not even communicate</p><p>by letter in case their parents intercepted and read the contents.</p><p>This resulted in lovers sending encrypted messages to each other via</p><p>the personal columns of newspapers. 
These “agony columns,” as</p><p>they became known, provoked the curiosity of cryptanalysts, who</p><p>would scan the notes and try to decipher their titillating contents.</p><p>Charles Babbage is known to have indulged in this activity, along</p><p>with his friends Sir Charles Wheatstone and Baron Lyon Playfair,</p><p>who together were responsible for developing the deft Playfair cipher</p><p>(described in Appendix E). On one occasion, Wheatstone deciphered</p><p>a note in The Times from an Oxford student, suggesting to his true</p><p>love that they elope. A few days later, Wheatstone inserted his own</p><p>message, encrypted in the same cipher, advising the couple against</p><p>this rebellious and rash action. Shortly afterward there appeared a</p><p>third message, this time unencrypted and from the lady in question:</p><p>“Dear Charlie, Write no more. Our cipher is discovered.”</p><p>In due course a wider variety of encrypted notes appeared in the</p><p>newspapers. Cryptographers began to insert blocks of ciphertext</p><p>merely to challenge their colleagues. On other occasions, encrypted</p><p>notes were used to criticize public figures or organizations. The</p><p>Times once unwittingly carried the following encrypted notice: “The</p><p>Times is the Jeffreys of the press.” The newspaper was being likened</p><p>to the notorious seventeenth-century Judge Jeffreys, implying that it</p><p>was a ruthless, bullying publication which acted as a mouthpiece for</p><p>the government.</p><p>Another example of the public’s familiarity with cryptography</p><p>was the widespread use of pinprick encryption. The ancient Greek</p><p>historian Aeneas the Tactician suggested conveying a secret message</p><p>by pricking tiny holes under particular letters in an apparently</p><p>innocuous page of text, just as there are dots under some letters in</p><p>this paragraph. Those letters would spell out a secret message, easily</p><p>read by the intended receiver. 
However, if an intermediary stared at</p><p>the page, they would probably be oblivious to the barely perceptible</p><p>pinpricks, and would probably be unaware of the secret message.</p><p>Two thousand years later, British letter writers used exactly the</p><p>same method, not to achieve secrecy but to avoid paying excessive</p><p>postage costs. Before the overhaul of the postage system in the mid-</p><p>1800s, sending a letter cost about a shilling for every hundred miles,</p><p>beyond the means of most people. However, newspapers could be</p><p>posted free of charge, and this provided a loophole for thrifty</p><p>Victorians. Instead of writing and sending letters, people began to</p><p>use pinpricks to spell out a message on the front page of a</p><p>newspaper. They could then send the newspaper through the post</p><p>without having to pay a penny.</p><p>The public’s growing fascination with cryptographic techniques</p><p>meant that codes and ciphers soon found their way into nineteenth-</p><p>century literature. In Jules Verne’s Journey to the Center of the Earth,</p><p>the decipherment of a parchment filled with runic characters</p><p>prompts the first step on the epic journey. The characters are part of</p><p>a substitution cipher which generates a Latin script, which in turn</p><p>makes sense only when the letters are reversed: “Descend the crater</p><p>of the volcano of Sneffels when the shadow of Scartaris comes to</p><p>caress it before the calends of July, audacious voyager, and you will</p><p>reach the center of the Earth.” In 1885, Verne also used a cipher as</p><p>a pivotal element in his novel Mathias Sandorff. In Britain, one of</p><p>the finest writers of cryptographic fiction was Sir Arthur Conan</p><p>Doyle. Not surprisingly, Sherlock Holmes was an expert in</p><p>cryptography and, as he explained to Dr. 
Watson, was “the author of</p><p>a trifling monograph upon the subject in which I analyze one</p><p>hundred and sixty separate ciphers.” The most famous of Holmes’s</p><p>decipherments is told in The Adventure of the Dancing Men, which</p><p>involves a cipher consisting of stick-men, each pose representing a</p><p>distinct letter.</p><p>On the other side of the Atlantic, Edgar Allan Poe was also</p><p>developing an interest in cryptanalysis. Writing for Philadelphia’s</p><p>Alexander Weekly Messenger, he issued a challenge to readers,</p><p>claiming that he could decipher any monoalphabetic substitution</p><p>cipher. Hundreds of readers sent in their ciphertexts, and he</p><p>successfully deciphered them all. Although this required nothing</p><p>more than frequency analysis, Poe’s readers were astonished by his</p><p>achievements. One adoring fan proclaimed him “the most profound</p><p>and skillful cryptographer who ever lived.”</p><p>In 1843, keen to exploit the interest he had generated, Poe wrote</p><p>a short story about ciphers, which is widely acknowledged by</p><p>professional cryptographers to be the finest piece of fictional</p><p>literature on the subject. “The Gold Bug” tells the story of William</p><p>Legrand, who discovers an unusual beetle, the gold bug, and collects</p><p>it using a scrap of paper lying nearby. That evening he sketches the</p><p>gold bug upon the same piece of paper, and then holds his drawing</p><p>up to the light of the fire to check its accuracy. However, his sketch</p><p>is obliterated by an invisible ink, which has been developed by the</p><p>heat of the flames. Legrand examines the characters that have</p><p>emerged and becomes convinced that he has in his hands the</p><p>encrypted directions for finding Captain Kidd’s treasure. 
The</p><p>remainder of the story is a classic demonstration of frequency</p><p>analysis, resulting in the decipherment of Captain Kidd’s clues and</p><p>the discovery of his buried treasure.</p><p>Figure 19 A section of the ciphertext from The Adventure of the Dancing Men, a</p><p>Sherlock Holmes adventure by Sir Arthur Conan Doyle.</p><p>Although “The Gold Bug” is pure fiction, there is a true</p><p>nineteenth-century story containing many of the same elements. The</p><p>case of the Beale ciphers involves Wild West escapades, a cowboy</p><p>who amassed a vast fortune, a buried treasure worth $20 million</p><p>and a mysterious set of encrypted papers describing its whereabouts.</p><p>Much of what we know about this story, including the encrypted</p><p>papers, is contained in a pamphlet published in 1885. Although only</p><p>23 pages long, the pamphlet has baffled generations of cryptanalysts</p><p>and captivated hundreds of treasure hunters.</p><p>The story begins at the Washington Hotel in Lynchburg, Virginia,</p><p>sixty-five years before the publication of the pamphlet. According to</p><p>the pamphlet, the hotel and its owner, Robert Morriss, were held in</p><p>high regard: “His kind disposition, strict probity, excellent</p><p>management, and well ordered household, soon rendered him</p><p>famous as a host, and his reputation extended even to other States.</p><p>His was the house par excellence of the town, and no fashionable</p><p>assemblages met at any other.” In January 1820 a stranger by the</p><p>name of Thomas J. Beale rode into Lynchburg and checked into the</p><p>Washington Hotel. “In person, he was about six feet in height,”</p><p>recalled Morriss, “with jet black eyes and hair of the same color,</p><p>worn longer than was the style at the time. 
His form was</p><p>symmetrical, and gave evidence of unusual strength and activity;</p><p>but his distinguishing feature was a dark and swarthy complexion,</p><p>as if much exposure to the sun and weather had thoroughly tanned</p><p>and discolored him; this, however, did not detract from his</p><p>appearance, and I thought him the handsomest man I had ever</p><p>seen.” Although Beale spent</p><p>the rest of the winter with Morriss and</p><p>was “extremely popular with every one, particularly the ladies,” he</p><p>never spoke about his background, his family or the purpose of his</p><p>visit. Then, at the end of March, he left as suddenly as he had</p><p>arrived.</p><p>Figure 20 The title page of The Beale Papers, the pamphlet that contains all that we know</p><p>about the mystery of the Beale treasure. (photo credit 2.3)</p><p>Two years later, in January 1822, Beale returned to the</p><p>Washington Hotel, “darker and swarthier than ever.” Once again, he</p><p>spent the rest of the winter in Lynchburg and disappeared in the</p><p>spring, but not before he entrusted Morriss with a locked iron box,</p><p>which he said contained “papers of value and importance.” Morriss</p><p>placed the box in a safe, and thought nothing more about it and its</p><p>contents until he received a letter from Beale, dated May 9, 1822,</p><p>and sent from St. Louis. After a few pleasantries and a paragraph</p><p>about an intended trip to the plains “to hunt the buffalo and</p><p>encounter the savage grizzlies,” Beale’s letter revealed the</p><p>significance of the box:</p><p>It contains papers vitally affecting the fortunes of myself and many others engaged in</p><p>business with me, and in the event of my death, its loss might be irreparable. You</p><p>will, therefore, see the necessity of guarding it with vigilance and care to prevent so</p><p>great a catastrophe. 
Should none of us ever return you will please preserve carefully</p><p>the box for the period of ten years from the date of this letter, and if I, or no one with</p><p>authority from me, during that time demands its restoration, you will open it, which</p><p>can be done by removing the lock. You will find, in addition to the papers addressed</p><p>to you, other papers which will be unintelligible without the aid of a key to assist</p><p>you. Such a key I have left in the hand of a friend in this place, sealed and addressed</p><p>to yourself, and endorsed not to be delivered until June 1832. By means of this you</p><p>will understand fully all you will be required to do.</p><p>Morriss dutifully continued to guard the box, waiting for Beale to</p><p>collect it, but the swarthy man of mystery never returned to</p><p>Lynchburg. He disappeared without explanation, never to be seen</p><p>again. Ten years later, Morriss could have followed the letter’s</p><p>instructions and opened the box, but he seems to have been</p><p>reluctant to break the lock. Beale’s letter had mentioned that a note</p><p>would be sent to Morriss in June 1832, and this was supposed to</p><p>explain how to decipher the contents of the box. However, the note</p><p>never arrived, and perhaps Morriss felt that there was no point</p><p>opening the box if he could not decipher what was inside it.</p><p>Eventually, in 1845, Morriss’s curiosity got the better of him and he</p><p>cracked open the lock. The box contained three sheets of enciphered</p><p>characters, and a note written by Beale in plain English.</p><p>The intriguing note revealed the truth about Beale, the box, and</p><p>the ciphers. It explained that in April 1817, almost three years</p><p>before his first meeting with Morriss, Beale and 29 others had</p><p>embarked on a journey across America. 
After traveling through the</p><p>rich hunting grounds of the Western plains, they arrived in Santa Fe,</p><p>and spent the winter in the “little Mexican town.” In March they</p><p>headed north and began tracking an “immense herd of buffaloes,”</p><p>picking off as many as possible along the way. Then, according to</p><p>Beale, they struck lucky:</p><p>One day, while following them, the party encamped in a small ravine, some 250 or</p><p>300 miles north of Santa Fe, and, with their horses tethered, were preparing their</p><p>evening meal, when one of the men discovered in a cleft of the rocks something that</p><p>had the appearance of gold. Upon showing it to the others it was pronounced to be</p><p>gold, and much excitement was the natural consequence.</p><p>The letter went on to explain that Beale and his men, with help</p><p>from the local tribe, mined the site for the next eighteen months, by</p><p>which time they had accumulated a large quantity of gold, as well</p><p>as some silver which was found nearby. In due course they agreed</p><p>that their newfound wealth should be moved to a secure place, and</p><p>decided to take it back home to Virginia, where they would hide it</p><p>in a secret location. In 1820, Beale traveled to Lynchburg with the</p><p>gold and silver, found a suitable location, and buried it. It was on</p><p>this occasion that he first lodged at the Washington Hotel and made</p><p>the acquaintance of Morriss. When Beale left at the end of the</p><p>winter, he rejoined his men who had continued to work the mine</p><p>during his absence.</p><p>After another eighteen months Beale revisited Lynchburg with</p><p>even more to add to his stash. This time there was an additional</p><p>reason for his trip:</p><p>Before leaving my companions on the plains it was suggested that, in case of an</p><p>accident to ourselves, the treasure so concealed would be lost to their relatives,</p><p>without some provision against such a contingency. 
I was, therefore, instructed to</p><p>select some perfectly reliable person, if such could be found, who should, in the event</p><p>of this proving acceptable to the party, be confided in to carry out their wishes in</p><p>regard to their respective shares.</p><p>Beale believed that Morriss was a man of integrity, which is why he</p><p>trusted him with the box containing the three enciphered sheets, the</p><p>so-called Beale ciphers. Each enciphered sheet contained an array of</p><p>numbers (reprinted here as Figures 21, 22 and 23), and deciphering</p><p>the numbers would reveal all the relevant details; the first sheet</p><p>described the treasure’s location, the second outlined the contents of</p><p>the treasure, and the third listed the relatives of the men who</p><p>should receive a share of the treasure. When Morriss read all of this,</p><p>it was some 23 years after he had last seen Thomas Beale. Working</p><p>on the assumption that Beale and his men were dead, Morriss felt</p><p>obliged to find the gold and share it among their relatives. However,</p><p>without the promised key he was forced to decipher the ciphers</p><p>from scratch, a task that troubled his mind for the next twenty</p><p>years, and which ended in failure.</p><p>In 1862, at the age of eighty-four, Morriss knew that he was</p><p>coming to the end of his life, and that he had to share the secret of</p><p>the Beale ciphers, otherwise any hope of carrying out Beale’s wishes</p><p>would die with him. Morriss confided in a friend, but unfortunately</p><p>the identity of this person remains a mystery. All we know about</p><p>Morriss’s friend is that it was he who wrote the pamphlet in 1885,</p><p>so hereafter I will refer to him simply as the author. 
The author</p><p>explained the reasons for his anonymity within the pamphlet:</p><p>I anticipate for these papers a large circulation, and, to avoid the multitude of letters</p><p>with which I should be assailed from all sections of the Union, propounding all sorts</p><p>of questions, and requiring answers which, if attended to, would absorb my entire</p><p>time, and only change the character of my work, I have decided upon withdrawing</p><p>my name from the publication, after assuring all interested that I have given all that I</p><p>know of the matter, and that I cannot add one word to the statements herein</p><p>contained.</p><p>To protect his identity, the author asked James B. Ward, a respected</p><p>member of the local community and the county’s road surveyor, to</p><p>act as his agent and publisher.</p><p>Everything we know about the strange tale of the Beale ciphers is</p><p>published in the pamphlet, and so it is thanks to the author that we</p><p>have the ciphers and Morriss’s account of the story. In addition to</p><p>this, the author is also responsible for successfully deciphering the</p><p>second Beale cipher. Like the first and third ciphers, the second</p><p>cipher consists of a page of numbers, and the author assumed that</p><p>each number represented a letter. However, the range of numbers</p><p>far exceeds the number of letters in the alphabet, so the author</p><p>realized that he was dealing with a cipher that uses several numbers</p><p>to represent the same letter. One cipher that fulfils this criterion is</p><p>the so-called book cipher, in which a book, or any other piece of text,</p><p>is itself the key.</p><p>Figure 21 The first Beale cipher.</p><p>Figure 22 The second Beale cipher.</p><p>Figure 23 The third Beale cipher.</p><p>First, the cryptographer sequentially numbers every word in the</p><p>keytext. Thereafter, each number acts as a substitute for the initial</p><p>letter of its associated word. 
1For 2example, 3if 4the 5sender 6and</p><p>7receiver 8agreed 9that 10this 11sentence 12were 13to 14be 15the</p><p>16keytext, 17then 18every 19word 20would 21be 22numerically</p><p>23labeled, 24each 25number 26providing 27the 28basis 29for</p><p>30encryption. Next, a list would be drawn up matching each number</p><p>to the initial letter of its associated word:</p><p>1 = f</p><p>2 = e</p><p>3 = i</p><p>4 = t</p><p>5 = s</p><p>6 = a</p><p>7 = r</p><p>8 = a</p><p>9 = t</p><p>10 = t</p><p>11 = s</p><p>12 = w</p><p>13 = t</p><p>14 = b</p><p>15 = t</p><p>16 = k</p><p>17 = t</p><p>18 = e</p><p>19 = w</p><p>20 = w</p><p>21 = b</p><p>22 = n</p><p>23 = l</p><p>24 = e</p><p>25 = n</p><p>26 = p</p><p>27 = t</p><p>28 = b</p><p>29 = f</p><p>30 = e</p><p>A message can now be encrypted by substituting letters in the</p><p>plaintext for numbers according to the list. In this list, the plaintext</p><p>letter f would be substituted with 1, and the plaintext letter e could</p><p>be substituted with either 2, 18, 24 or 30. Because our keytext is</p><p>such a short sentence, we do not have numbers that could replace</p><p>rare letters such as x and z, but we do have enough substitutes to</p><p>encipher the word beale, which could be 14-2-8-23-18. If the</p><p>intended receiver has a copy of the keytext, then deciphering the</p><p>encrypted message is trivial. However, if a third party intercepts</p><p>only the ciphertext, then cryptanalysis depends on somehow</p><p>identifying the keytext. 
The author of the pamphlet wrote, “With</p><p>this idea, a test was made of every book I could procure, by</p><p>numbering its letters and comparing the numbers with those of the</p><p>manuscript; all to no purpose, however, until the Declaration of</p><p>Independence afforded the clue to one of the papers, and revived all</p><p>my hopes.”</p><p>The Declaration of Independence turned out to be the keytext for</p><p>the second Beale cipher, and by numbering the words in the</p><p>Declaration it is possible to unravel it. Figure 24 shows the start of</p><p>the Declaration of Independence, with every tenth word numbered</p><p>to help the reader see how the decipherment works. Figure 22</p><p>shows the ciphertext—the first number is 115, and the 115th word in</p><p>the Declaration is “instituted,” so the first number represents i. The</p><p>second number in the ciphertext is 73, and the 73rd word in the</p><p>Declaration is “hold,” so the second number represents h. Here is</p><p>the whole decipherment, as printed in the pamphlet:</p><p>I have deposited in the county of Bedford, about four miles from Buford’s, in an</p><p>excavation or vault, six feet below the surface of the ground, the following articles,</p><p>belonging jointly to the parties whose names are given in number “3,” herewith:</p><p>The first deposit consisted of one thousand and fourteen pounds of gold, and three</p><p>thousand eight hundred and twelve pounds of silver, deposited November, 1819. The</p><p>second was made December, 1821, and consisted of nineteen hundred and seven</p><p>pounds of gold, and twelve hundred and eighty-eight pounds of silver; also jewels,</p><p>obtained in St. Louis in exchange for silver to save transportation, and valued at</p><p>$13,000.</p><p>The above is securely packed in iron pots, with iron covers. 
The vault is roughly</p><p>lined with stone, and the vessels rest on solid stone, and are covered with others.</p><p>Paper number “1” describes the exact locality of the vault, so that no difficulty will be</p><p>had in finding it.</p><p>It is worth noting that there are some errors in the ciphertext. For</p><p>example, the decipherment includes the words “four miles,” which</p><p>relies on the 95th word of the Declaration of Independence</p><p>beginning with the letter u. However, the 95th word is</p><p>“inalienable.” This could be the result of Beale’s sloppy encryption,</p><p>or it could be that Beale had a copy of the Declaration in which the</p><p>95th word was “unalienable,” which does appear in some versions</p><p>dating from the early nineteenth century. Either way, the successful</p><p>decipherment clearly indicated the value of the treasure—at least $20</p><p>million at today’s bullion prices.</p><p>Not surprisingly, once the author knew the value of the treasure,</p><p>he spent increasing amounts of time analyzing the other two cipher</p><p>sheets, particularly the first Beale cipher, which describes the</p><p>treasure’s location. 
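</p><p>The book cipher described above, as an added example that is not part of the original text: it numbers a keytext, enciphers and deciphers with it, and reproduces the chapter's own figures (14-2-8-23-18 for beale, numbers 115 and 73 against the Declaration, and the 95th-word discrepancy between editions). The function names are illustrative, and counting a hyphenated word as two words is an assumption inferred from the numbering in Figure 24.</p>

```python
import random
import re

# Keytext sentence from the chapter's own illustration (30 words).
SENTENCE_KEYTEXT = (
    "For example, if the sender and receiver agreed that this sentence "
    "were to be the keytext, then every word would be numerically labeled, "
    "each number providing the basis for encryption."
)

# Opening of the Declaration of Independence as printed in Figure 24,
# words 1 to 120 (the figure's every-tenth-word labels are removed).
DECLARATION_OPENING = (
    "When, in the course of human events, it becomes necessary for one "
    "people to dissolve the political bands which have connected them with "
    "another, and to assume among the powers of the earth, the separate and "
    "equal station to which the laws of nature and of nature's God entitle "
    "them, a decent respect to the opinions of mankind requires that they "
    "should declare the causes which impel them to the separation. We hold "
    "these truths to be self-evident, that all men are created equal, that "
    "they are endowed by their Creator with certain inalienable rights, that "
    "among these are life, liberty and the pursuit of happiness; That to "
    "secure these rights, governments are instituted among men, deriving "
    "their just"
)


def number_words(keytext):
    """Return the keytext's words in order; word n is at index n - 1.

    Assumption: a hyphenated word counts as two words ("self-evident"),
    which is what makes "that" word 80 in Figure 24.
    """
    return re.findall(r"[A-Za-z][A-Za-z']*", keytext)


def build_table(keytext):
    """Map each word number, starting at 1, to the word's initial letter."""
    words = number_words(keytext)
    return {n: word[0].lower() for n, word in enumerate(words, start=1)}


def homophones(keytext):
    """Invert the table: letter -> every number that can stand for it."""
    inverse = {}
    for number, letter in build_table(keytext).items():
        inverse.setdefault(letter, []).append(number)
    return inverse


def missing_letters(plaintext, keytext):
    """Letters of the plaintext that no word of the keytext starts with."""
    available = set(homophones(keytext))
    letters = {ch for ch in plaintext.lower() if ch.isalpha()}
    return sorted(letters - available)


def encrypt(plaintext, keytext, rng=None):
    """Replace each letter by one of its numbers, picked at random."""
    missing = missing_letters(plaintext, keytext)
    if missing:
        raise ValueError(f"keytext cannot encipher: {', '.join(missing)}")
    rng = rng or random.Random()
    choices = homophones(keytext)
    # Spaces and punctuation are dropped; only letters are enciphered.
    return [rng.choice(choices[ch]) for ch in plaintext.lower() if ch.isalpha()]


def decrypt(numbers, keytext):
    """Numbers back to letters; a number beyond the keytext becomes '?'."""
    table = build_table(keytext)
    return "".join(table.get(n, "?") for n in numbers)


def edition_differences(numbers, keytext_a, keytext_b):
    """(number, letter_a, letter_b) wherever two editions of a keytext disagree."""
    a, b = build_table(keytext_a), build_table(keytext_b)
    return [
        (n, a.get(n, "?"), b.get(n, "?"))
        for n in sorted(set(numbers))
        if a.get(n, "?") != b.get(n, "?")
    ]


if __name__ == "__main__":
    print(decrypt([14, 2, 8, 23, 18], SENTENCE_KEYTEXT))
    print(homophones(SENTENCE_KEYTEXT)["e"])
    print(decrypt([115, 73], DECLARATION_OPENING))
    variant = DECLARATION_OPENING.replace("inalienable", "unalienable")
    print(edition_differences([115, 73, 95], DECLARATION_OPENING, variant))
    # A number larger than the keytext's word count cannot be resolved.
    print(decrypt([2906], DECLARATION_OPENING))
```

<p>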
Despite strenuous efforts he failed, and the</p><p>ciphers brought him nothing but sorrow:</p><p>When, in the course of human events, it becomes 10necessary</p><p>for one people to dissolve the political bands which 20have</p><p>connected them with another, and to assume among the</p><p>30powers of the earth, the separate and equal station to 40which</p><p>the laws of nature and of nature’s God entitle 50them, a decent</p><p>respect to the opinions of mankind requires 60that they should</p><p>declare the causes which impel them to 70the separation.</p><p>We hold these truths to be self-evident, 80that all men are</p><p>created equal, that they are endowed 90by their Creator with</p><p>certain inalienable rights, that among these 100are life, liberty</p><p>and the pursuit of happiness; That to 110secure these rights,</p><p>governments are instituted among men, deriving their 120just</p><p>powers from the consent of the governed; That whenever</p><p>130any form of government becomes destructive of these ends,</p><p>it 140is the right of the people to alter or to 150abolish it, and to</p><p>institute a new government, laying its 160foundation on such</p><p>principles and organizing its powers in such 170form, as to them</p><p>shall seem most likely to effect 180their safety and happiness.</p><p>Prudence, indeed, will dictate that governments 190long</p><p>established should not be changed for light and transient</p><p>200causes; and accordingly all experience hath shewn, that</p><p>mankind are 210more disposed to suffer, while evils are</p><p>sufferable, than to 220right themselves by abolishing the forms</p><p>to which they are 230accustomed.</p><p>But when a long train of abuses and usurpations, 240pursuing</p><p>invariably the same object evinces a design to reduce them</p><p>250under absolute despotism, it is their right, it is their 260duty,</p><p>to throw off such government, and to provide new 270Guards</p><p>for their future security. 
Such has been the patient 280sufferance</p><p>of these Colonies; and such is now the necessity 290which</p><p>constrains them to alter their former systems of government.</p><p>300The history of the present King of Great Britain is 310a</p><p>history of repeated injuries and usurpations, all having in</p><p>320direct object the establishment of an absolute tyranny over</p><p>these 330States. To prove this, let facts be submitted to a 340</p><p>candid world.</p><p>Figure 24 The first three paragraphs of the Declaration of Independence, with every</p><p>tenth word numbered. This is the key for deciphering the second Beale cipher.</p><p>In consequence of the time lost in the above investigation, I have been reduced from</p><p>comparative affluence to absolute penury, entailing suffering upon those it was my</p><p>duty to protect, and this, too, in spite of their remonstrations. My eyes were at last</p><p>opened to their condition, and I resolved to sever at once, and forever, all connection</p><p>with the affair, and retrieve, if possible, my errors. To do this, as the best means of</p><p>placing temptation beyond my reach, I determined to make public the whole matter,</p><p>and shift from my shoulders my responsibility to Mr. Morriss.</p><p>Thus the ciphers, along with everything else known by the author,</p><p>were published in 1885. Although a warehouse fire destroyed most</p><p>of the pamphlets, those that survived caused quite a stir in</p><p>Lynchburg. Among the most ardent treasure hunters attracted to the</p><p>Beale ciphers were the Hart brothers, George and Clayton. For years</p><p>they pored over the two remaining ciphers, mounting various forms</p><p>of cryptanalytic attack, occasionally fooling themselves into</p><p>believing that they had a solution. A false line of attack will</p><p>sometimes generate a few tantalizing words within a sea of</p><p>gibberish, which then encourages the cryptanalyst to devise a series</p><p>of caveats to excuse the gibberish. 
To an unbiased observer the</p><p>decipherment is clearly nothing more than wishful thinking, but to</p><p>the blinkered treasure hunter it makes complete sense. One of the</p><p>Harts’ tentative decipherments encouraged</p><p>them to use dynamite to</p><p>excavate a particular site; unfortunately, the resulting crater yielded</p><p>no gold. Although Clayton Hart gave up in 1912, George continued</p><p>working on the Beale ciphers until 1952. An even more persistent</p><p>Beale fanatic has been Hiram Herbert, Jr., who first became</p><p>interested in 1923 and whose obsession continued right through to</p><p>the 1970s. He, too, had nothing to show for his efforts.</p><p>Professional cryptanalysts have also embarked on the Beale</p><p>treasure trail. Herbert O. Yardley, who founded the U.S. Cipher</p><p>Bureau (known as the American Black Chamber) at the end of the</p><p>First World War, was intrigued by the Beale ciphers, as was Colonel</p><p>William Friedman, the dominant figure in American cryptanalysis</p><p>during the first half of the twentieth century. While he was in</p><p>charge of the Signal Intelligence Service, he made the Beale ciphers</p><p>part of the training program, presumably because, as his wife once</p><p>said, he believed the ciphers to be of “diabolical ingenuity,</p><p>specifically designed to lure the unwary reader.” The Friedman</p><p>archive, established after his death in 1969 at the George C.</p><p>Marshall Research Center, is frequently consulted by military</p><p>historians, but the great majority of visitors are eager Beale</p><p>devotees, hoping to follow up some of the great man’s leads. More</p><p>recently, one of the major figures in the hunt for the Beale treasure</p><p>has been Carl Hammer, retired director of computer science at</p><p>Sperry Univac and one of the pioneers of computer cryptanalysis.</p><p>According to Hammer, “the Beale ciphers have occupied at least</p><p>10% of the best cryptanalytic minds in the country. 
And not a dime</p><p>of this effort should be begrudged. The work—even the lines that</p><p>have led into blind alleys—has more than paid for itself in</p><p>advancing and refining computer research.” Hammer has been a</p><p>prominent member of the Beale Cypher and Treasure Association,</p><p>founded in the 1960s to encourage interest in the Beale mystery.</p><p>Initially, the Association required that any member who discovered</p><p>the treasure should share it with the other members, but this</p><p>obligation seemed to deter many Beale prospectors from joining,</p><p>and so the Association soon dropped the condition.</p><p>Despite the combined efforts of the Association, amateur treasure</p><p>hunters and professional cryptanalysts, the first and third Beale</p><p>ciphers have remained a mystery for over a century, and the gold,</p><p>silver and jewels have yet to be found. Many attempts at</p><p>decipherment have revolved around the Declaration of</p><p>Independence, which was the key for the second Beale cipher.</p><p>Although a straightforward numbering of the words of the</p><p>Declaration yields nothing useful for the first and third ciphers,</p><p>cryptanalysts have tried various other schemes, such as numbering</p><p>it backward or numbering alternate words, but so far nothing has</p><p>worked. One problem is that the first cipher contains numbers as</p><p>high as 2906, whereas the Declaration contains only 1,322 words.</p><p>Other texts and books have been considered as potential keys, and</p><p>many cryptanalysts have looked into the possibility of an entirely</p><p>different encryption system.</p><p>You might be surprised by the strength of the unbroken Beale</p><p>ciphers, especially bearing in mind that when we left the ongoing</p><p>battle between codemakers and codebreakers, it was the</p><p>codebreakers who were on top. 
Babbage and Kasiski had invented a</p><p>way of breaking the Vigenère cipher, and codemakers were</p><p>struggling to find something to replace it. How did Beale come up</p><p>with something that is so formidable? The answer is that the Beale</p><p>ciphers were created under circumstances that gave the</p><p>cryptographer a great advantage. This matter concerns just three</p><p>messages, and, because they related to such a valuable treasure,</p><p>Beale might have been prepared to create a special keytext for the</p><p>first and third ciphers. Indeed, if the keytext was penned by Beale</p><p>himself, this would explain why searches of published material have</p><p>not revealed it. We can imagine that Beale might have written a</p><p>2,000-word private essay on the subject of buffalo hunting, of which</p><p>there was only one copy. Only the holder of this essay, the unique</p><p>keytext, would be able to decipher the first and third Beale ciphers.</p><p>Beale mentioned that he had left the key in “the hand of a friend” in</p><p>St. Louis, but if the friend lost or destroyed the key, then</p><p>cryptanalysts might never be able to crack the Beale ciphers.</p><p>Creating a keytext for a message is much more secure than using</p><p>a key based on a published book, but it is practical only if the</p><p>sender has the time to create the keytext and is able to convey it to</p><p>the intended recipient, requirements that are not feasible for</p><p>routine, day-to-day communications. In Beale’s case, he could</p><p>compose his keytext at leisure, deliver it to his friend in St. Louis</p><p>whenever he happened to be passing through, and then have it</p><p>posted or collected at some arbitrary time in the future, whenever</p><p>the treasure was to be reclaimed.</p><p>An alternative theory for explaining the indecipherability of the</p><p>Beale ciphers is that the author of the pamphlet deliberately</p><p>sabotaged them before having them published. 
Perhaps the author</p><p>merely wanted to flush out the key, which was apparently in the</p><p>hands of Beale’s friend in St. Louis. If he had accurately published</p><p>the ciphers, then the friend would have been able to decipher them</p><p>and collect the gold, and the author would have received no reward</p><p>for his efforts. However, if the ciphers were corrupted in some way,</p><p>then the friend would eventually realize that he needed the author’s</p><p>help, and would contact the publisher, Ward, who in turn would</p><p>contact the author. The author could then hand over the accurate</p><p>ciphers in exchange for a share of the treasure.</p><p>It is also possible that the treasure was found many years ago, and</p><p>that the discoverer spirited it away without being spotted by local</p><p>residents. Beale enthusiasts with a penchant for conspiracy theories</p><p>have suggested that the National Security Agency (NSA) has already</p><p>found the treasure. America’s central government cipher facility has</p><p>access to the most powerful computers and some of the most</p><p>brilliant minds in the world, and they may have discovered</p><p>something about the ciphers that has eluded everybody else. The</p><p>lack of any announcement would be in keeping with the NSA’s</p><p>hush-hush reputation—it has been proposed that NSA does not</p><p>stand for National Security Agency, but rather “Never Say Anything”</p><p>or “No Such Agency.”</p><p>Finally, we cannot exclude the possibility that the Beale ciphers</p><p>are an elaborate hoax, and that Beale never existed. Sceptics have</p><p>suggested that the unknown author, inspired by Poe’s “The Gold</p><p>Bug,” fabricated the whole story and published the pamphlet as a</p><p>way of profiting from the greed of others. Supporters of the hoax</p><p>theory have searched for inconsistencies and flaws in the Beale</p><p>story. 
For example, according to the pamphlet, Beale’s letter, which</p><p>was locked in the iron box and supposedly written in 1822, contains</p><p>the word “stampede,” but this word was not seen in print until</p><p>1834. However, it is quite possible that the word was in common</p><p>use in the Wild West at a much earlier date, and Beale could have</p><p>learned of it on his travels.</p><p>One of the foremost nonbelievers is the cryptographer Louis Kruh,</p><p>who claims to have found evidence that the pamphlet’s author also</p><p>wrote Beale’s letters, the one supposedly sent from St. Louis and the</p><p>one supposedly contained in the box. He performed a textual</p><p>analysis on the words attributed to the author and the words</p><p>attributed to Beale to see if there were any similarities. Kruh</p><p>compared aspects such as the percentage of sentences beginning</p><p>with “The,” “Of” and “And,” the average number of commas and</p><p>semicolons per sentence, and the writing style—the use of negatives,</p><p>negative passives, infinitives, relative clauses, and so on. In addition</p><p>to the author’s words and Beale’s letters, the analysis also took in</p><p>the writing of three other nineteenth-century Virginians. Of the five</p><p>sets of writing, those authored by Beale and the pamphlet’s</p><p>author</p><p>bore the closest resemblance, suggesting that they may have been</p><p>written by the same person. In other words, this suggests that the</p><p>author faked the letters attributed to Beale and fabricated the whole</p><p>story.</p><p>On the other hand, evidence for the integrity of the Beale ciphers</p><p>is provided from various sources. First, if the undeciphered ciphers</p><p>were hoaxes, we might expect the hoaxer to have chosen the</p><p>numbers with little or no attention. However, the numbers give rise</p><p>to various intricate patterns. 
One of the patterns can be found by</p><p>using the Declaration of Independence as a key for the first cipher.</p><p>This yields no discernible words, but it does give sequences such as</p><p>abfdefghiijklmmnohpp. Although this is not a perfect alphabetical</p><p>list, it is certainly not random. James Gillogly of the American</p><p>Cryptogram Association is not convinced that the Beale ciphers are</p><p>authentic. However, he estimates that the probability of such</p><p>sequences appearing by chance is less than one in a hundred million</p><p>million, suggesting that there is a cryptographic principle</p><p>underlying the first cipher. One theory is that the Declaration is</p><p>indeed the key, but the resulting text requires a second stage of</p><p>decipherment; in other words, the first Beale cipher was enciphered</p><p>by a two-stage process, so-called superencipherment. If this is so,</p><p>then the alphabetical sequence might have been put there as a sign</p><p>of encouragement, a hint that the first stage of decipherment has</p><p>been successfully completed.</p><p>Further evidence favoring the probity of the ciphers comes from</p><p>historical research, which can be used to verify the story of Thomas</p><p>Beale. Peter Viemeister, a local historian, has gathered much of the</p><p>research in his book The Beale Treasure–History of a Mystery.</p><p>Viemeister began by asking if there was any evidence that Thomas</p><p>Beale actually existed. Using the census of 1790 and other</p><p>documents, Viemeister has identified several Thomas Beales who</p><p>were born in Virginia and whose backgrounds fit the few known</p><p>details. Viemeister has also attempted to corroborate the other</p><p>details in the pamphlet, such as Beale’s trip to Santa Fe and his</p><p>discovery of gold. For example, there is a Cheyenne legend dating</p><p>from around 1820 which tells of gold and silver being taken from</p><p>the West and buried in Eastern Mountains. 
Also, the 1820</p><p>postmaster’s list in St. Louis contains a “Thomas Beall,” which fits in</p><p>with the pamphlet’s claim that Beale passed through the city in</p><p>1820 on his journey westward after leaving Lynchburg. The</p><p>pamphlet also says that Beale sent a letter from St. Louis in 1822.</p><p>So there does seem to be a basis for the tale of the Beale ciphers,</p><p>and consequently it continues to enthrall cryptanalysts and treasure</p><p>hunters, such as Joseph Jancik, Marilyn Parsons and their dog</p><p>Muffin. In February 1983 they were charged with “violation of a</p><p>sepulcher,” after being caught digging in the cemetery of Mountain</p><p>View Church in the middle of the night. Having discovered nothing</p><p>other than a coffin, they spent the rest of the weekend in the county</p><p>jail and were eventually fined $500. These amateur gravediggers</p><p>can console themselves with the knowledge that they were hardly</p><p>any less successful than Mel Fisher, the professional treasure hunter</p><p>who salvaged $40 million worth of gold from the sunken Spanish</p><p>galleon Nuestra Señora de Atocha, which he discovered off Key West,</p><p>Florida, in 1985. In November 1989, Fisher received a tip-off from a</p><p>Beale expert in Florida, who believed that Beale’s hoard was buried</p><p>at Graham’s Mill in Bedford County, Virginia. Supported by a team</p><p>of wealthy investors, Fisher bought the site under the name of Mr.</p><p>Voda, in order to avoid arousing any suspicion. Despite a lengthy</p><p>excavation, he discovered nothing.</p><p>Some treasure hunters have abandoned hope of cracking the two</p><p>undeciphered sheets, and have concentrated instead on gleaning</p><p>clues from the one cipher that has been deciphered. 
For example, as</p><p>well as describing the contents of the buried treasure, the solved</p><p>cipher states that it is deposited “about four miles from Buford’s,”</p><p>which probably refers to the community of Buford or, more</p><p>specifically, to Buford’s Tavern, located at the center of Figure 25.</p><p>The cipher also mentions that “the vault is roughly lined with</p><p>stone,” so many treasure hunters have searched along Goose Creek,</p><p>a rich source of large stones. Each summer the region attracts</p><p>hopefuls, some armed with metal detectors, others accompanied by</p><p>psychics or diviners. The nearby town of Bedford has a number of</p><p>businesses which gladly hire out equipment, including industrial</p><p>diggers. Local farmers tend to be less welcoming to the strangers,</p><p>who often trespass on their land, damage their fences and dig giant</p><p>holes.</p><p>Having read the tale of the Beale ciphers, you might be</p><p>encouraged to take up the challenge yourself. The lure of an</p><p>unbroken nineteenth-century cipher, together with a treasure worth</p><p>$20 million, might prove irresistible. However, before you set off on</p><p>the treasure trail, take heed of the advice given by the author of the</p><p>pamphlet:</p><p>Before giving the papers to the public, I would say a word to those who may take an</p><p>interest in them, and give them a little advice, acquired by bitter experience. It is, to</p><p>devote only such time as can be spared from your legitimate business to the task, and</p><p>if you can spare no time, let the matter alone … Again, never, as I have done,</p><p>sacrifice your own and your family’s interests to what may prove an illusion; but, as I</p><p>have already said, when your day’s work is done, and you are comfortably seated by</p><p>your good fire, a short time devoted to the subject can injure no one, and may bring</p><p>its reward.</p><p>Figure 25 Part of a U.S. Geological Survey map of 1891. 
The circle has a radius of four</p><p>miles, and is centered on Buford’s Tavern, a location alluded to in the second cipher.</p><p>3 The Mechanization of Secrecy</p><p>At the end of the nineteenth century, cryptography was in</p><p>disarray. Ever since Babbage and Kasiski had destroyed the</p><p>security of the Vigenère cipher, cryptographers had been searching</p><p>for a new cipher, something that would reestablish secret</p><p>communication, thereby allowing businessmen and the military to</p><p>exploit the immediacy of the telegraph without their</p><p>communications being stolen and deciphered. Furthermore, at the</p><p>turn of the century, the Italian physicist Guglielmo Marconi</p><p>invented an even more powerful form of telecommunication, which</p><p>made the need for secure encryption even more pressing.</p><p>In 1894, Marconi began experimenting with a curious property of</p><p>electrical circuits. Under certain conditions, if one circuit carried an</p><p>electric current, this could induce a current in another isolated</p><p>circuit some distance away. By enhancing the design of the two</p><p>circuits, increasing the power and adding aerials, Marconi could</p><p>soon transmit and receive pulses of information across distances of</p><p>up to 2.5 km. He had invented radio. The telegraph had already</p><p>been established for half a century, but it required a wire to</p><p>transport a message between sender and receiver. Marconi’s system</p><p>had the great advantage of being wireless—the signal traveled, as if</p><p>by magic, through the air.</p><p>In 1896, in search of financial backing for his idea, Marconi</p><p>emigrated to Britain, where he filed his first patent. Continuing his</p><p>experiments, he increased the range of his radio communications,</p><p>first transmitting a message 15 km across the Bristol Channel, and</p><p>then 53 km across the English Channel to France. 
At the same time</p><p>he began to look for commercial applications for his invention,</p><p>pointing out to potential backers the two main advantages of radio:</p><p>it did not require the construction of expensive telegraph lines, and</p><p>it had the potential to send messages between otherwise isolated</p><p>locations. He pulled off a magnificent publicity stunt in 1899, when</p><p>he equipped two ships with radios so that journalists covering the</p><p>America’s Cup, the world’s most important yacht race, could send</p><p>reports back to New York for the following day’s newspapers.</p><p>Interest increased still further when Marconi shattered the myth</p><p>that radio communication was limited by the horizon. Critics had</p><p>argued that because radio waves could not bend and follow the</p><p>curvature of the Earth, radio communication would be limited to a</p><p>hundred kilometers or so. Marconi attempted to prove them wrong</p><p>by sending a message from Poldhu in Cornwall to St. John’s in</p><p>Newfoundland, a distance of 3,500 km. In December 1901, for three</p><p>hours each day, the Poldhu transmitter sent the letter S (dot-dot-</p><p>dot) over and over again, while Marconi stood on the windy cliffs of</p><p>Newfoundland trying to detect the radio waves. Day after day, he</p><p>wrestled to raise aloft a giant kite, which in turn hoisted his antenna</p><p>high into the air. A little after midday on December 12, Marconi</p><p>detected three faint dots, the first transatlantic radio message. The</p><p>explanation of Marconi’s achievement remained a mystery until</p><p>1924, when physicists discovered the ionosphere, a layer of the</p><p>atmosphere whose lower boundary is about 60 km above the Earth.</p><p>The ionosphere acts as a mirror, allowing radio waves to bounce off</p><p>it. 
Radio waves also bounce off the Earth’s surface, so radio</p><p>messages could effectively reach anywhere in the world after a</p><p>series of reflections between the ionosphere and the Earth.</p><p>Marconi’s invention tantalized the military, who viewed it with a</p><p>mixture of desire and trepidation. The tactical advantages of radio</p><p>are obvious: it allows direct communication between any two points</p><p>without the need for a wire between the locations. Laying such a</p><p>wire is often impractical, sometimes impossible. Previously, a naval</p><p>commander based in port had no way of communicating with his</p><p>ships, which might disappear for months on end, but radio would</p><p>enable him to coordinate a fleet wherever the ships might be.</p><p>Similarly, radio would allow generals to direct their campaigns,</p><p>keeping them in continual contact with battalions, regardless of</p><p>their movements. All this is made possible by the nature of radio</p><p>waves, which emanate in all directions, and reach receivers</p><p>wherever they may be. However, this all-pervasive property of radio</p><p>is also its greatest military weakness, because messages will</p><p>inevitably reach the enemy as well as the intended recipient.</p><p>Consequently, reliable encryption became a necessity. If the enemy</p><p>were going to be able to intercept every radio message, then</p><p>cryptographers had to find a way of preventing them from</p><p>deciphering these messages.</p><p>The mixed blessings of radio—ease of communication and ease of</p><p>interception—were brought into sharp focus at the outbreak of the</p><p>First World War. All sides were keen to exploit the power of radio,</p><p>but were also unsure of how to guarantee security. Together, the</p><p>advent of radio and the Great War intensified the need for effective</p><p>encryption. 
The hope was that there would be a breakthrough, some</p><p>new cipher that would reestablish secrecy for military commanders.</p><p>However, between 1914 and 1918 there was to be no great</p><p>discovery, merely a catalogue of cryptographic failures. Codemakers</p><p>conjured up several new ciphers, but one by one they were broken.</p><p>One of the most famous wartime ciphers was the German</p><p>ADFGVX cipher, introduced on March 5, 1918, just before the major</p><p>German offensive that began on March 21. Like any attack, the</p><p>German thrust would benefit from the element of surprise, and a</p><p>committee of cryptographers had selected the ADFGVX cipher from</p><p>a variety of candidates, believing that it offered the best security. In</p><p>fact, they were confident that it was unbreakable. The cipher’s</p><p>strength lay in its convoluted nature, a mixture of a substitution and</p><p>transposition (see Appendix F).</p><p>By the beginning of June 1918, the German artillery was only 100</p><p>km from Paris, and was preparing for one final push. The only hope</p><p>for the Allies was to break the ADFGVX cipher to find just where the</p><p>Germans were planning to punch through their defenses.</p><p>Fortunately, they had a secret weapon, a cryptanalyst by the name</p><p>of Georges Painvin. This dark, slender Frenchman with a</p><p>penetrating mind had recognized his talent for cryptographic</p><p>conundrums only after a chance meeting with a member of the</p><p>Bureau du Chiffre soon after the outbreak of war. Thereafter, his</p><p>priceless skill was devoted to pinpointing the weaknesses in German</p><p>ciphers. He grappled day and night with the ADFGVX cipher, in the</p><p>process losing 15 kg in weight.</p><p>Eventually, on the night of June 2, he cracked an ADFGVX</p><p>message. Painvin’s breakthrough led to a spate of other</p><p>decipherments, including a message that contained the order “Rush</p><p>munitions. 
Even by day if not seen.” The preamble to the message</p><p>indicated that it was sent from somewhere between Montdidier and</p><p>Compiègne, some 80 km to the north of Paris. The urgent need for</p><p>munitions implied that this was to be the location of the imminent</p><p>German thrust. Aerial reconnaissance confirmed that this was the</p><p>case. Allied soldiers were sent to reinforce this stretch of the front</p><p>line, and a week later the German onslaught began. Having lost the</p><p>element of surprise, the German army was beaten back in a hellish</p><p>battle that lasted five days.</p><p>The breaking of the ADFGVX cipher typified cryptography during</p><p>the First World War. Although there was a flurry of new ciphers,</p><p>they were all variations or combinations of nineteenth-century</p><p>ciphers that had already been broken. While some of them initially</p><p>offered security, it was never long before cryptanalysts got the</p><p>better of them. The biggest problem for cryptanalysts was dealing</p><p>with the sheer volume of traffic. Before the advent of radio,</p><p>intercepted messages were rare and precious items, and</p><p>cryptanalysts cherished each one. However, in the First World War,</p><p>the amount of radio traffic was enormous, and every single message</p><p>could be intercepted, generating a steady flow of ciphertexts to</p><p>occupy the minds of the cryptanalysts. It is estimated that the</p><p>French intercepted a hundred million words of German</p><p>communications during the course of the Great War.</p><p>Of all the wartime cryptanalysts, the French were the most</p><p>effective. When they entered the war, they already had the strongest</p><p>team of codebreakers in Europe, a consequence of the humiliating</p><p>French defeat in the Franco-Prussian War. 
Napoleon III, keen to</p><p>restore his declining popularity, had invaded Prussia in 1870, but he</p><p>had not anticipated the alliance between Prussia in the north and</p><p>the southern German states. Led by Otto von Bismarck, the</p><p>Prussians steamrollered the French army, annexing the provinces of</p><p>Alsace and Lorraine and bringing an end to French domination of</p><p>Europe. Thereafter, the continued threat of the newly united</p><p>Germany seems to have been the spur for French cryptanalysts to</p><p>master the skills necessary to provide France with detailed</p><p>intelligence about the plans of its enemy.</p><p>It was in this climate that Auguste Kerckhoffs wrote his treatise La</p><p>Cryptographie militaire. Although Kerckhoffs was Dutch, he spent</p><p>most of his life in France, and his writings provided the French with</p><p>an exceptional guide to the principles of cryptanalysis. By the time</p><p>the First World War had begun, three decades later, the French</p><p>military had implemented Kerckhoffs’ ideas on an industrial scale.</p><p>While lone geniuses like Painvin sought to break new ciphers, teams</p><p>of experts, each with specially developed skills for tackling a</p><p>particular cipher, concentrated on the day-to-day decipherments.</p><p>Time was of the essence, and conveyor-belt cryptanalysis could</p><p>provide intelligence quickly and efficiently.</p><p>Figure 26 Lieutenant Georges Painvin. 
(photo credit 3.1)</p><p>Sun-Tzu, author of the Art of War, a text on military strategy</p><p>dating from the fourth century B.C., stated that: “Nothing should be</p><p>as favorably regarded as intelligence; nothing should be as</p><p>generously rewarded as intelligence; nothing should be as</p><p>confidential as the work of intelligence.” The French were fervent</p><p>believers in the words of Sun-Tzu, and in addition to honing their</p><p>cryptanalytic skills they also developed several ancillary techniques</p><p>for gathering radio intelligence, methods that did not involve</p><p>decipherment. For example, the French listening posts learned to</p><p>recognize a radio operator’s fist. Once encrypted, a message is sent</p><p>in Morse code, as a series of dots and dashes, and each operator can</p><p>be identified by his pauses, the speed of transmission, and the</p><p>relative lengths of dots and dashes. A fist is the equivalent of a</p><p>recognizable style of handwriting. As well as operating listening</p><p>posts, the French established six direction finding stations which</p><p>were able to detect where each message was coming from. Each</p><p>station moved its antenna until the incoming signal was strongest,</p><p>which identified a direction for the source of a message. By</p><p>combining the directional information from two or more stations it</p><p>was possible to locate the exact source of the enemy transmission.</p><p>By combining fist information with direction finding, it was possible</p><p>to establish both the identity and the location of, say, a particular</p><p>battalion. French intelligence could then track its path over the</p><p>course of several days, and potentially deduce its destination and</p><p>objective. This form of intelligence gathering, known as traffic</p><p>analysis, was particularly valuable after the introduction of a new</p><p>cipher. 
Each new cipher would make cryptanalysts temporarily</p><p>impotent, but even if a message was indecipherable it could still</p><p>yield information via traffic analysis.</p><p>The vigilance of the French was in sharp contrast to the attitude</p><p>of the Germans, who entered the war with no military cryptanalytic</p><p>bureau. Not until 1916 did they set up the Abhorchdienst, an</p><p>organization devoted to intercepting Allied messages. Part of the</p><p>reason for their tardiness in establishing the Abhorchdienst was that</p><p>the German army had advanced into French territory in the early</p><p>phase of the war. The French, as they retreated, destroyed the</p><p>landlines, forcing the advancing Germans to rely on radios for</p><p>communication. While this gave the French a continuous supply of</p><p>German intercepts, the opposite was not true. As the French were</p><p>retreating back into their own territory, they still had access to their</p><p>own landlines, and had no need to communicate by radio. With a</p><p>lack of French radio communication, the Germans could not make</p><p>many interceptions, and hence they did not bother to develop their</p><p>cryptanalytic department until two years into the war.</p><p>The British and the Americans also made important contributions</p><p>to Allied cryptanalysis. The supremacy of the Allied codebreakers</p><p>and their influence on the Great War are best illustrated by the</p><p>decipherment of a German telegram that was intercepted by the</p><p>British on January 17, 1917. The story of this decipherment shows</p><p>how cryptanalysis can affect the course of war at the very highest</p><p>level, and demonstrates the potentially devastating repercussions of</p><p>employing inadequate encryption. 
Within a matter of weeks, the</p><p>deciphered telegram would force America to rethink its policy of</p><p>neutrality, thereby shifting the balance of the war.</p><p>Despite calls from politicians in Britain and America, President</p><p>Woodrow Wilson had spent the first two years of the war steadfastly</p><p>refusing to send American troops to support the Allies. Besides not</p><p>wanting to sacrifice his nation’s youth on the bloody battlefields of</p><p>Europe, he was convinced that the war could be ended only by a</p><p>negotiated settlement, and he believed that he could best serve the</p><p>world if he remained neutral and acted as a mediator. In November</p><p>1916, Wilson saw hope for a settlement when Germany appointed a</p><p>new Foreign Minister, Arthur Zimmermann, a jovial giant of a man</p><p>who appeared to herald a new era of enlightened German</p><p>diplomacy. American newspapers ran headlines such as OUR FRIEND</p><p>ZIMMERMANN and LIBERALIZATION OF GERMANY, and one article proclaimed him as</p><p>“one of the most auspicious omens for the future of German-</p><p>American relations.” However, unknown to the Americans,</p><p>Zimmermann had no intention of pursuing peace. Instead, he was</p><p>plotting to extend Germany’s military aggression.</p><p>Back in 1915, a submerged German U-boat had been responsible</p><p>for sinking the ocean liner Lusitania, drowning 1,198 passengers,</p><p>including 128 U.S. civilians. 
The loss of the Lusitania would have</p><p>drawn America into the war, were it not for Germany’s reassurances</p><p>that henceforth U-boats would surface before attacking, a restriction</p><p>that was intended to avoid accidental attacks on civilian ships.</p><p>However, on January 9, 1917, Zimmermann attended a momentous</p><p>meeting at the German castle of Pless, where the Supreme High</p><p>Command was trying to persuade the Kaiser that it was time to</p><p>renege on their promise, and embark on a course of unrestricted</p><p>submarine warfare. German commanders knew that their U-boats</p><p>were almost invulnerable if they launched their torpedoes while</p><p>remaining submerged, and they believed that this would prove to be</p><p>the decisive factor in determining the outcome of the war. Germany</p><p>had been constructing a fleet of two hundred U-boats, and the</p><p>Supreme High Command argued that unrestricted U-boat aggression</p><p>would cut off Britain’s supply lines and starve it into submission</p><p>within six months.</p><p>A swift victory was essential. Unrestricted submarine warfare and</p><p>the inevitable sinking of U.S. civilian ships would almost certainly</p><p>provoke America into declaring war on Germany. Bearing this in</p><p>mind, Germany needed to force an Allied surrender before America</p><p>could mobilize its troops and make an impact in the European</p><p>arena. By the end of the meeting at Pless, the Kaiser was convinced</p><p>that a swift victory could be achieved, and he signed an order to</p><p>proceed with unrestricted U-boat warfare, which would take effect</p><p>on February 1.</p><p>In the three weeks that remained, Zimmermann devised an</p><p>insurance policy. If unrestricted U-boat warfare increased the</p><p>likelihood of America entering the war, then Zimmermann had a</p><p>plan that would delay and weaken American involvement in Europe,</p><p>and which might even discourage it completely. 
Zimmermann’s idea</p><p>was to propose an alliance with Mexico, and persuade the President</p><p>of Mexico to invade America and reclaim territories such as Texas,</p><p>New Mexico and Arizona. Germany would support Mexico in its</p><p>battle with their common enemy, aiding it financially and militarily.</p><p>Furthermore, Zimmermann wanted the Mexican president to act</p><p>as a mediator and persuade Japan that it too should attack America.</p><p>This way, Germany would pose a threat to America’s East Coast,</p><p>Japan would attack from the west, while Mexico invaded from the</p><p>south. Zimmermann’s main motive was to pose America such</p><p>problems at home that it could not afford to send troops to Europe.</p><p>Thus Germany could win the battle at sea, win the war in Europe</p><p>and then withdraw from the American campaign. On January 16,</p><p>Zimmermann encapsulated his proposal in a telegram to the German</p><p>Ambassador in Washington, who would then retransmit it to the</p><p>German Ambassador in Mexico, who would finally deliver it to the</p><p>Mexican President. Figure 28 shows the encrypted telegraph; the</p><p>actual message is as follows:</p><p>Figure 27 Arthur Zimmermann. (photo credit 3.1)</p><p>We intend to begin unrestricted submarine warfare on the first of February. We shall</p><p>endeavor in spite of this to keep the United States neutral. In the event of this not</p><p>succeeding, we make Mexico a proposal of alliance on the following basis: make war</p><p>together, make peace together, generous financial support, and an understanding on</p><p>our part that Mexico is to reconquer the lost territory in Texas, New Mexico and</p><p>Arizona. 
The settlement in detail is left to you.</p><p>You will inform the President [of Mexico] of the above most secretly, as soon as the</p><p>outbreak of war with the United States is certain, and add the suggestion that he</p><p>should, on his own initiative, invite Japan to immediate adherence and at the same</p><p>time mediate between Japan and ourselves.</p><p>Please call the President’s attention to the fact that the unrestricted employment of</p><p>our submarines now offers the prospect of compelling England to make peace</p><p>within</p><p>a few months. Acknowledge receipt.</p><p>Zimmermann</p><p>Zimmermann had to encrypt his telegram because Germany was</p><p>aware that the Allies were intercepting all its transatlantic</p><p>communications, a consequence of Britain’s first offensive action of</p><p>the war. Before dawn on the first day of the First World War, the</p><p>British ship Telconia approached the German coast under cover of</p><p>darkness, dropped anchor, and hauled up a clutch of undersea</p><p>cables. These were Germany’s transatlantic cables—its</p><p>communication links to the rest of the world. By the time the sun</p><p>had risen, they had been severed. This act of sabotage was aimed at</p><p>destroying Germany’s most secure means of communication, thereby</p><p>forcing German messages to be sent via insecure radio links or via</p><p>cables owned by other countries. Zimmermann was forced to send</p><p>his encrypted telegram via Sweden and, as a back-up, via the more</p><p>direct American-owned cable. Both routes touched England, which</p><p>meant that the text of the Zimmermann telegram, as it would</p><p>become known, soon fell into British hands.</p><p>The intercepted telegram was immediately sent to Room 40, the</p><p>Admiralty’s cipher bureau, named after the office in which it was</p><p>initially housed. 
Room 40 was a strange mixture of linguists,</p><p>classical scholars and puzzle addicts, capable of the most ingenious</p><p>feats of cryptanalysis. For example, the Reverend Montgomery, a</p><p>gifted translator of German theological works, had deciphered a</p><p>secret message hidden in a postcard addressed to Sir Henry Jones,</p><p>184 King’s Road, Tighnabruaich, Scotland.</p><p>Figure 28 The Zimmermann telegram, as forwarded by von Bernstorff, the German</p><p>Ambassador in Washington, to Eckhardt, the German Ambassador in Mexico City.</p><p>(photo credit 3.2)</p><p>The postcard had been sent from Turkey, so Sir Henry had assumed</p><p>that it was from his son, a prisoner of the Turks. However, he was</p><p>puzzled because the postcard was blank, and the address was</p><p>peculiar—the village of Tighnabruaich was so tiny that none of the</p><p>houses had numbers and there was no King’s Road. Eventually, the</p><p>Reverend Montgomery spotted the postcard’s cryptic message. The</p><p>address alluded to the Bible, First Book of Kings, Chapter 18, Verse</p><p>4: “Obadiah took a hundred prophets, and hid them fifty in a cave,</p><p>and fed them with bread and water.” Sir Henry’s son was simply</p><p>reassuring his family that he was being well looked after by his</p><p>captors.</p><p>When the encrypted Zimmermann telegram arrived in Room 40, it</p><p>was Montgomery who was made responsible for deciphering it,</p><p>along with Nigel de Grey, a publisher seconded from the firm of</p><p>William Heinemann. They saw immediately that they were dealing</p><p>with a form of encryption used only for high-level diplomatic</p><p>communications, and tackled the telegram with some urgency. The</p><p>decipherment was far from trivial, but they were able to draw upon</p><p>previous analyses of other similarly encrypted telegrams. 
Within a</p><p>few hours the codebreaking duo had been able to recover a few</p><p>chunks of text, enough to see that they were uncovering a message</p><p>of the utmost importance. Montgomery and de Grey persevered with</p><p>their task, and by the end of the day they could discern the outline</p><p>of Zimmermann’s terrible plans. They realized the dreadful</p><p>implications of unrestricted U-boat warfare, but at the same time</p><p>they could see that the German Foreign Minister was encouraging</p><p>an attack on America, which was likely to provoke President Wilson</p><p>into abandoning America’s neutrality. The telegram contained the</p><p>deadliest of threats, but also the possibility of America joining the</p><p>Allies.</p><p>Montgomery and de Grey took the partially deciphered telegram</p><p>to Admiral Sir William Hall, Director of Naval Intelligence,</p><p>expecting him to pass the information to the Americans, thereby</p><p>drawing them into the war. However, Admiral Hall merely placed</p><p>the partial decipherment in his safe, encouraging his cryptanalysts</p><p>to continue filling in the gaps. He was reluctant to hand the</p><p>Americans an incomplete decipherment, in case there was a vital</p><p>caveat that had not yet been deciphered. He also had another</p><p>concern lurking in the back of his mind. If the British gave the</p><p>Americans the deciphered Zimmermann telegram, and the</p><p>Americans reacted by publicly condemning Germany’s proposed</p><p>aggression, then the Germans would conclude that their method of</p><p>encryption had been broken. This would goad them into developing</p><p>a new and stronger encryption system, thus choking a vital channel</p><p>of intelligence. 
In any case, Hall was aware that the all-out U-boat</p><p>onslaught would begin in just two weeks, which in itself might be</p><p>enough to incite President Wilson into declaring war on Germany.</p><p>There was no point jeopardizing a valuable source of intelligence</p><p>when the desired outcome might happen anyway.</p><p>On February 1, as ordered by the Kaiser, Germany instigated</p><p>unrestricted naval warfare. On February 2, Woodrow Wilson held a</p><p>cabinet meeting to decide the American response. On February 3, he</p><p>spoke to Congress and announced that America would continue to</p><p>remain neutral, acting as a peacemaker, not a combatant. This was</p><p>contrary to Allied and German expectations. American reluctance to</p><p>join the Allies left Admiral Hall with no choice but to exploit the</p><p>Zimmermann telegram.</p><p>In the fortnight since Montgomery and de Grey had first contacted</p><p>Hall, they had completed the decipherment. Furthermore, Hall had</p><p>found a way of keeping Germany from suspecting that their security</p><p>had been breached. He realized that von Bernstorff, the German</p><p>Ambassador in Washington, would have forwarded the message to</p><p>von Eckhardt, the German Ambassador in Mexico, having first made</p><p>some minor changes. For example, von Bernstorff would have</p><p>removed the instructions aimed at himself, and would also have</p><p>changed the address. Von Eckhardt would then have delivered this</p><p>revised version of the telegram, unencrypted, to the Mexican</p><p>President. If Hall could somehow obtain this Mexican version of the</p><p>Zimmermann telegram, then it could be published in the</p><p>newspapers and the Germans would assume that it had been stolen</p><p>from the Mexican Government, not intercepted and cracked by the</p><p>British on its way to America. Hall contacted a British agent in</p><p>Mexico, known only as Mr. H., who in turn infiltrated the Mexican</p><p>Telegraph Office. Mr. H. 
was able to obtain exactly what he needed</p><p>—the Mexican version of the Zimmermann telegram.</p><p>It was this version of the telegram that Hall handed to Arthur</p><p>Balfour, the British Secretary of State for Foreign Affairs. On</p><p>February 23, Balfour summoned the American Ambassador, Walter</p><p>Page, and presented him with the Zimmermann telegram, later</p><p>calling this “the most dramatic moment in all my life.” Four days</p><p>later, President Wilson saw for himself the “eloquent evidence,” as</p><p>he called it, proof that Germany was encouraging direct aggression</p><p>against America.</p><p>The telegram was released to the press and, at last, the American</p><p>nation was confronted with the reality of Germany’s intentions.</p><p>Although there was little doubt among the American people that</p><p>they should retaliate, there was some concern within the U.S.</p><p>administration that the telegram might be a hoax, manufactured by</p><p>the British to guarantee American involvement in the war. However,</p><p>the question of authenticity soon vanished when Zimmermann</p><p>publicly admitted his authorship. At a press conference in Berlin,</p><p>without being pressured, he simply stated, “I cannot deny it. It is</p><p>true.”</p><p>Figure 29 “Exploding in his Hands,” a cartoon by Rollin Kirby published on March 3,</p><p>1917, in The World. (photo credit 3.3)</p><p>In Germany, the Foreign Office began an investigation into how</p><p>the Americans had obtained the Zimmermann telegram. They fell</p><p>for Admiral Hall’s ploy, and came to the conclusion that “various</p><p>indications suggest that the treachery was committed in Mexico.”</p><p>Meanwhile, Hall continued to distract attention from the work of</p><p>British cryptanalysts. 
He planted a story in the British press</p><p>criticizing his own organization for not intercepting the</p><p>Zimmermann telegram, which in turn led to a spate of articles</p><p>them.</p><p>1 The Cipher of Mary Queen of Scots</p><p>On the morning of Saturday, October 15, 1586, Queen Mary</p><p>entered the crowded courtroom at Fotheringhay Castle. Years</p><p>of imprisonment and the onset of rheumatism had taken their toll,</p><p>yet she remained dignified, composed and indisputably regal.</p><p>Assisted by her physician, she made her way past the judges,</p><p>officials and spectators, and approached the throne that stood</p><p>halfway along the long, narrow chamber. Mary had assumed that</p><p>the throne was a gesture of respect toward her, but she was</p><p>mistaken. The throne symbolized the absent Queen Elizabeth,</p><p>Mary’s enemy and prosecutor. Mary was gently guided away from</p><p>the throne and toward the opposite side of the room, to the</p><p>defendant’s seat, a crimson velvet chair.</p><p>Mary Queen of Scots was on trial for treason. She had been</p><p>accused of plotting to assassinate Queen Elizabeth in order to take</p><p>the English crown for herself. Sir Francis Walsingham, Elizabeth’s</p><p>Principal Secretary, had already arrested the other conspirators,</p><p>extracted confessions, and executed them. Now he planned to prove</p><p>that Mary was at the heart of the plot, and was therefore equally</p><p>culpable and equally deserving of death.</p><p>Walsingham knew that before he could have Mary executed, he</p><p>would have to convince Queen Elizabeth of her guilt. Although</p><p>Elizabeth despised Mary, she had several reasons for being reluctant</p><p>to see her put to death. First, Mary was a Scottish queen, and many</p><p>questioned whether an English court had the authority to execute a</p><p>foreign head of state. 
Second, executing Mary might establish an</p><p>awkward precedent—if the state is allowed to kill one queen, then</p><p>perhaps rebels might have fewer reservations about killing another,</p><p>namely Elizabeth. Third, Elizabeth and Mary were cousins, and their</p><p>blood tie made Elizabeth all the more squeamish about ordering her</p><p>execution. In short, Elizabeth would sanction Mary’s execution only</p><p>if Walsingham could prove beyond any hint of doubt that she had</p><p>been part of the assassination plot.</p><p>Figure 1 Mary Queen of Scots. (photo credit 1.1)</p><p>The conspirators were a group of young English Catholic</p><p>noblemen intent on removing Elizabeth, a Protestant, and replacing</p><p>her with Mary, a fellow Catholic. It was apparent to the court that</p><p>Mary was a figurehead for the conspirators, but it was not clear that</p><p>she had actually given her blessing to the conspiracy. In fact, Mary</p><p>had authorized the plot. The challenge for Walsingham was to</p><p>demonstrate a palpable link between Mary and the plotters.</p><p>On the morning of her trial, Mary sat alone in the dock, dressed in</p><p>sorrowful black velvet. In cases of treason, the accused was</p><p>forbidden counsel and was not permitted to call witnesses. Mary</p><p>was not even allowed secretaries to help her prepare her case.</p><p>However, her plight was not hopeless because she had been careful</p><p>to ensure that all her correspondence with the conspirators had been</p><p>written in cipher. The cipher turned her words into a meaningless</p><p>series of symbols, and Mary believed that even if Walsingham had</p><p>captured the letters, then he could have no idea of the meaning of</p><p>the words within them. If their contents were a mystery, then the</p><p>letters could not be used as evidence against her. 
However, this all</p><p>depended on the assumption that her cipher had not been broken.</p><p>Unfortunately for Mary, Walsingham was not merely Principal</p><p>Secretary, he was also England’s spymaster. He had intercepted</p><p>Mary’s letters to the plotters, and he knew exactly who might be</p><p>capable of deciphering them. Thomas Phelippes was the nation’s</p><p>foremost expert on breaking codes, and for years he had been</p><p>deciphering the messages of those who plotted against Queen</p><p>Elizabeth, thereby providing the evidence needed to condemn them.</p><p>If he could decipher the incriminating letters between Mary and the</p><p>conspirators, then her death would be inevitable. On the other hand,</p><p>if Mary’s cipher was strong enough to conceal her secrets, then there</p><p>was a chance that she might survive. Not for the first time, a life</p><p>hung on the strength of a cipher.</p><p>The Evolution of Secret Writing</p><p>Some of the earliest accounts of secret writing date back to</p><p>Herodotus, “the father of history” according to the Roman</p><p>philosopher and statesman Cicero. In The Histories, Herodotus</p><p>chronicled the conflicts between Greece and Persia in the fifth</p><p>century B.C., which he viewed as a confrontation between freedom</p><p>and slavery, between the independent Greek states and the</p><p>oppressive Persians. According to Herodotus, it was the art of secret</p><p>writing that saved Greece from being conquered by Xerxes, King of</p><p>Kings, the despotic leader of the Persians.</p><p>The long-running feud between Greece and Persia reached a crisis</p><p>soon after Xerxes began constructing a city at Persepolis, the new</p><p>capital for his kingdom. Tributes and gifts arrived from all over the</p><p>empire and neighboring states, with the notable exceptions of</p><p>Athens and Sparta. 
Determined to avenge this insolence, Xerxes</p><p>began mobilizing a force, declaring that “we shall extend the empire</p><p>of Persia such that its boundaries will be God’s own sky, so the sun</p><p>will not look down upon any land beyond the boundaries of what is</p><p>our own.” He spent the next five years secretly assembling the</p><p>greatest fighting force in history, and then, in 480 B.C., he was ready</p><p>to launch a surprise attack.</p><p>However, the Persian military buildup had been witnessed by</p><p>Demaratus, a Greek who had been expelled from his homeland and</p><p>who lived in the Persian city of Susa. Despite being exiled he still</p><p>felt some loyalty to Greece, so he decided to send a message to warn</p><p>the Spartans of Xerxes’ invasion plan. The challenge was how to</p><p>dispatch the message without it being intercepted by the Persian</p><p>guards. Herodotus wrote:</p><p>As the danger of discovery was great, there was only one way in which he could</p><p>contrive to get the message through: this was by scraping the wax off a pair of</p><p>wooden folding tablets, writing on the wood underneath what Xerxes intended to do,</p><p>and then covering the message over with wax again. In this way the tablets, being</p><p>apparently blank, would cause no trouble with the guards along the road. When the</p><p>message reached its destination, no one was able to guess the secret, until, as I</p><p>understand, Cleomenes’ daughter Gorgo, who was the wife of Leonidas, divined and</p><p>told the others that if they scraped the wax off, they would find something written on</p><p>the wood underneath. This was done; the message was revealed and read, and</p><p>afterward passed on to the other Greeks.</p><p>As a result of this warning, the hitherto defenseless Greeks began to</p><p>arm themselves. 
Profits from the state-owned silver mines, which</p><p>were usually shared among the citizens, were instead diverted to the</p><p>navy for the construction of two hundred warships.</p><p>Xerxes had lost the vital element of surprise and, on September</p><p>23, 480 B.C., when the Persian fleet approached the Bay of Salamis</p><p>near Athens, the Greeks were prepared. Although Xerxes believed he</p><p>had trapped the Greek navy, the Greeks were deliberately enticing</p><p>the Persian ships to enter the bay. The Greeks knew that their ships,</p><p>smaller and fewer in number, would have been destroyed in the</p><p>open sea, but they realized that within the confines of the bay they</p><p>might outmaneuver the Persians. As the wind changed direction the</p><p>Persians found themselves being blown into the bay, forced into an</p><p>engagement on Greek terms. The Persian princess Artemisia became</p><p>surrounded on three sides and attempted to head back out to sea,</p><p>only to ram one of her own ships. Panic ensued, more Persian ships</p><p>collided and the Greeks launched a full-blooded onslaught. Within a</p><p>day, the formidable forces of Persia had been humbled.</p><p>Demaratus’ strategy for secret communication relied on simply</p><p>hiding the message. Herodotus also recounted another incident in</p><p>which concealment was sufficient to secure the safe passage of a</p><p>message. 
He chronicled the story of Histaiaeus, who wanted to</p><p>encourage Aristagoras of Miletus to revolt against the Persian king.</p><p>To convey his instructions</p><p>attacking the British secret service and praising the Americans.</p><p>At the beginning of the year, Wilson had said that it would be a</p><p>“crime against civilization” to lead his nation to war, but by April 2,</p><p>1917, he had changed his mind: “I advise that the Congress declare</p><p>the recent course of the Imperial Government to be in fact nothing</p><p>less than war against the government and people of the United</p><p>States, and that it formally accept the status of belligerent which has</p><p>thus been thrust upon it.” A single breakthrough by Room 40</p><p>cryptanalysts had succeeded where three years of intensive</p><p>diplomacy had failed. Barbara Tuchman, American historian and</p><p>author of The Zimmermann Telegram, offered the following analysis:</p><p>Had the telegram never been intercepted or never been published, inevitably the</p><p>Germans would have done something else that would have brought us in eventually.</p><p>But the time was already late and, had we delayed much longer, the Allies might have</p><p>been forced to negotiate. To that extent the Zimmermann telegram altered the course</p><p>of history … In itself the Zimmermann telegram was only a pebble on the long road</p><p>of history. But a pebble can kill a Goliath, and this one killed the American illusion</p><p>that we could go about our business happily separate from other nations. In world</p><p>affairs it was a German Minister’s minor plot. In the lives of the American people it</p><p>was the end of innocence.</p><p>The Holy Grail of Cryptography</p><p>The First World War saw a series of victories for cryptanalysts,</p><p>culminating in the decipherment of the Zimmermann telegram. 
Ever</p><p>since the cracking of the Vigenère cipher in the nineteenth century,</p><p>codebreakers had maintained the upper hand over the codemakers.</p><p>Then, toward the end of the war, when cryptographers were in a</p><p>state of utter despair, scientists in America made an astounding</p><p>breakthrough. They discovered that the Vigenère cipher could be</p><p>used as the basis for a new, more formidable form of encryption. In</p><p>fact, this new cipher could offer perfect security.</p><p>The fundamental weakness of the Vigenère cipher is its cyclical</p><p>nature. If the keyword is five letters long, then every fifth letter of</p><p>the plaintext is encrypted according to the same cipher alphabet. If</p><p>the cryptanalyst can identify the length of the keyword, the</p><p>ciphertext can be treated as a series of five monoalphabetic ciphers,</p><p>and each one can be broken by frequency analysis. However,</p><p>consider what happens as the keyword gets longer.</p><p>Imagine a plaintext of 1,000 letters encrypted according to the</p><p>Vigenère cipher, and imagine that we are trying to cryptanalyze the</p><p>resulting ciphertext. If the keyword used to encipher the plaintext</p><p>were only 5 letters long, the final stage of cryptanalysis would</p><p>require applying frequency analysis to 5 sets of 200 letters, which is</p><p>easy. But if the keyword had been 20 letters long, the final stage</p><p>would be a frequency analysis of 20 sets of 50 letters, which is</p><p>considerably harder. And if the keyword had been 1,000 letters</p><p>long, you would be faced with frequency analysis of 1,000 sets of 1</p><p>letter each, which is completely impossible. In other words, if the</p><p>keyword (or keyphrase) is as long as the message, then the</p><p>cryptanalytic technique developed by Babbage and Kasiski will not</p><p>work.</p><p>Using a key as long as the message is all well and good, but this</p><p>requires the cryptographer to create a lengthy key. 
If the message is</p><p>hundreds of letters long, the key also needs to be hundreds of letters</p><p>long. Rather than inventing a long key from scratch, it might be</p><p>tempting to base it on, say, the lyrics of a song. Alternatively, the</p><p>cryptographer could pick up a book on birdwatching and base the</p><p>key on a series of randomly chosen bird names. However, such</p><p>shortcut keys are fundamentally flawed.</p><p>In the following example, I have enciphered a piece of ciphertext</p><p>using the Vigenère cipher, using a keyphrase that is as long as the</p><p>message. All the cryptanalytic techniques that I have previously</p><p>described will fail. None the less, the message can be deciphered.</p><p>This new system of cryptanalysis begins with the assumption that</p><p>the ciphertext contains some common words, such as the. Next, we</p><p>randomly place the at various points in the plaintext, as shown</p><p>below, and deduce what sort of keyletters would be required to turn</p><p>the into the appropriate ciphertext. For example, if we pretend that</p><p>the is the first word of the plaintext, then what would this imply for</p><p>the first three letters of the key? The first letter of the key would</p><p>encrypt t into V. To work out the first letter of the key, we take a</p><p>Vigenère square, look down the column headed by t until we reach</p><p>V, and find that the letter that begins that row is C. This process is</p><p>repeated with h and e, which would be encrypted as H and R</p><p>respectively, and eventually we have candidates for the first three</p><p>letters of the key, CAN. All of this comes from the assumption that</p><p>the is the first word of the plaintext. 
We place the in a few other</p><p>positions, and, once again, deduce the corresponding keyletters.</p><p>(You can check the relationship between each plaintext letter and</p><p>ciphertext letter by referring to the Vigenère square in Table 9.)</p><p>We have tested three the’s against three arbitrary fragments of the</p><p>ciphertext, and generated three guesses as to the elements of certain</p><p>parts of the key. How can we tell whether any of the the’s are in the</p><p>right position? We suspect that the key consists of sensible words,</p><p>and we can use this to our advantage. If a the is in a wrong position,</p><p>it will probably result in a random selection of keyletters. However,</p><p>if it is in a correct position, the keyletters should make some sense.</p><p>For example, the first the yields the keyletters CAN, which is</p><p>encouraging because this is a perfectly reasonable English syllable.</p><p>It is possible that this the is in the correct position. The second the</p><p>yields BSJ, which is a very peculiar combination of consonants,</p><p>suggesting that the second the is probably a mistake. The third the</p><p>yields YPT, an unusual syllable but one which is worth further</p><p>investigation. If YPT really were part of the key, it would be within</p><p>a larger word, the only possibilities being APOCALYPTIC, CRYPT</p><p>and EGYPT, and derivatives of these words. How can we find out if</p><p>one of these words is part of the key? We can test each hypothesis</p><p>by inserting the three candidate words in the key, above the</p><p>appropriate section of the ciphertext, and working out the</p><p>corresponding plaintext:</p><p>If the candidate word is not part of the key, it will probably result</p><p>in a random piece of plaintext, but if it is part of the key the</p><p>resulting plaintext should make some sense. With APOCALYPTIC as</p><p>part of the key the resulting plaintext is gibberish of the highest</p><p>quality. 
With CRYPT, the resulting plaintext is cithe, which is not an</p><p>inconceivable piece of plaintext. However, if EGYPT were part of</p><p>the key it would generate atthe, a more promising combination of</p><p>letters, probably representing the words at the.</p><p>For the time being let us assume that the most likely possibility is</p><p>that EGYPT is part of the key. Perhaps the key is a list of countries.</p><p>This would suggest that CAN, the piece of the key that corresponds</p><p>to the first the, is the start of CANADA. We can test this hypothesis</p><p>by working out more of the plaintext, based on the assumption that</p><p>CANADA, as well as EGYPT, is part of the key:</p><p>Our assumption seems to be making sense. CANADA implies that</p><p>the plaintext begins with themee which perhaps is the start of the</p><p>meeting. Now that we have deduced some more letters of the</p><p>plaintext, ting, we can deduce the corresponding part of the key,</p><p>which turns out to be BRAZ. Surely this is the beginning of BRAZIL.</p><p>Using the combination of CANADABRAZILEGYPT as the bulk of the</p><p>key, we get the following decipherment: the meeting is at the ????.</p><p>In order to find the final word of the plaintext, the location of the</p><p>meeting, the best strategy would be to complete the key by testing</p><p>one by one the names of all possible countries, and deducing the</p><p>resulting plaintext.</p><p>The only sensible plaintext is derived if the final</p><p>piece of the key is CUBA:</p><p>Table 9 Vigenère square.</p><p>So, a key that is as long as the message is not sufficient to</p><p>guarantee security. The insecurity in the example above arises</p><p>because the key was constructed from meaningful words. We began</p><p>by randomly inserting the throughout the plaintext, and working</p><p>out the corresponding keyletters. 
We could tell when we had put a</p><p>the in the correct place, because the keyletters looked as if they</p><p>might be part of meaningful words. Thereafter, we used these</p><p>snippets in the key to deduce whole words in the key. In turn this</p><p>gave us more snippets in the message, which we could expand into</p><p>whole words, and so on. This entire process of toing and froing</p><p>between the message and the key was only possible because the key</p><p>had an inherent structure and consisted of recognizable words.</p><p>However, in 1918 cryptographers began experimenting with keys</p><p>that were devoid of structure. The result was an unbreakable cipher.</p><p>As the Great War drew to a close, Major Joseph Mauborgne, head</p><p>of cryptographic research for the U.S. Army, introduced the concept</p><p>of a random key—one that consisted not of a recognizable series of</p><p>words, but rather a random series of letters. He advocated</p><p>employing these random keys as part of a Vigenère cipher to give an</p><p>unprecedented level of security. The first stage of Mauborgne’s</p><p>system was to compile a thick pad consisting of hundreds of sheets</p><p>of paper, each sheet bearing a unique key in the form of lines of</p><p>randomly sequenced letters. There would be two copies of the pad,</p><p>one for the sender and one for the receiver. To encrypt a message,</p><p>the sender would apply the Vigenère cipher using the first sheet of</p><p>the pad as the key. Figure 30 shows three sheets from such a pad (in</p><p>reality each sheet would contain hundreds of letters), followed by a</p><p>message encrypted using the random key on the first sheet. The</p><p>receiver can easily decipher the ciphertext by using the identical key</p><p>and reversing the Vigenère cipher. Once that message has been</p><p>successfully sent, received and deciphered, both the sender and the</p><p>receiver destroy the sheet that acted as the key, so that it is never</p><p>used again. 
When the next message is encrypted, the next random</p><p>key in the pad is employed, which is also subsequently destroyed,</p><p>and so on. Because each key is used once, and only once, this system</p><p>is known as a onetime pad cipher.</p><p>The onetime pad cipher overcomes all previous weaknesses.</p><p>Imagine that the message attack the valley at dawn has been</p><p>enciphered as in Figure 30, sent via a radio transmitter and</p><p>intercepted by the enemy. The ciphertext is handed to an enemy</p><p>cryptanalyst, who then attempts to decipher it. The first hurdle is</p><p>that, by definition, there is no repetition in a random key, so the</p><p>method of Babbage and Kasiski cannot break the onetime pad</p><p>cipher. As an alternative, the enemy cryptanalyst might try placing</p><p>the word the in various places, and deduce the corresponding piece</p><p>of the key, just as we did when we attempted to decipher the</p><p>previous message. If the cryptanalyst tries putting the at the</p><p>beginning of the message, which is incorrect, then the</p><p>corresponding segment of key would be revealed as WXB, which is a</p><p>random series of letters. If the cryptanalyst tries placing the so that</p><p>it begins at the seventh letter of the message, which happens to be</p><p>correct, then the corresponding segment of key would be revealed as</p><p>QKJ, which is also a random series of letters. In other words, the</p><p>cryptanalyst cannot tell whether the trial word is, or is not, in the</p><p>correct place.</p><p>In desperation, the cryptanalyst might consider an exhaustive</p><p>search of all possible keys. The ciphertext consists of 21 letters, so</p><p>the cryptanalyst knows that the key consists of 21 letters. This</p><p>means that there are roughly</p><p>500,000,000,000,000,000,000,000,000,000 possible keys to test,</p><p>which is completely beyond what is humanly or mechanically</p><p>feasible. 
However, even if the cryptanalyst could test all these keys,</p><p>there is an even greater obstacle to be overcome. By checking every</p><p>possible key the cryptanalyst will certainly find the right message—</p><p>but every wrong message will also be revealed. For example, the</p><p>following key applied to the same ciphertext generates a completely</p><p>different message:</p><p>Figure 30 Three sheets, each a potential key for a onetime pad cipher. The message</p><p>is enciphered using Sheet 1.</p><p>If all the different keys could be tested, every conceivable 21-</p><p>letter message would be generated, and the cryptanalyst would be</p><p>unable to distinguish between the right one and all the others. This</p><p>difficulty would not have arisen had the key been a series of words</p><p>or a phrase, because the incorrect messages would almost certainly</p><p>have been associated with a meaningless key, whereas the correct</p><p>message would be associated with a sensible key.</p><p>The security of the onetime pad cipher is wholly due to the</p><p>randomness of the key. The key injects randomness into the</p><p>ciphertext, and if the ciphertext is random then it has no patterns,</p><p>no structure, nothing the cryptanalyst can latch onto. In fact, it can</p><p>be mathematically proved that it is impossible for a cryptanalyst to</p><p>crack a message encrypted with a onetime pad cipher. In other</p><p>words, the onetime pad cipher is not merely believed to be</p><p>unbreakable, just as the Vigenère cipher was in the nineteenth</p><p>century, it really is absolutely secure. The onetime pad offers a</p><p>guarantee of secrecy: the Holy Grail of cryptography.</p><p>At last, cryptographers had found an unbreakable system of</p><p>encryption. However, the perfection of the onetime pad cipher did</p><p>not end the quest for secrecy: the truth of the matter is that it was</p><p>hardly ever used. 
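</p><p>The trial-word method from the two passages above, run first against the key built from country names and then against a random key, as an added example that is not from the book. The country vocabulary, the final plaintext word (the page leaves it as ????), the alternative message and the sample pad sheet are constructed for the illustration; only the pad letters at positions 1-3 and 7-9 are fixed by the fragments WXB and QKJ quoted above.</p>

```python
"""Trial-word placement against two keys that are each as long as the message."""
import secrets
import string

A = string.ascii_uppercase


def vigenere(text, key, sign=1):
    """Shift each letter of text by the matching key letter; sign=-1 undoes it."""
    return "".join(A[(A.index(t) + sign * A.index(k)) % 26]
                   for t, k in zip(text, key))


def key_fragment(ciphertext, crib, pos):
    """Key letters implied by assuming `crib` is the plaintext at `pos`."""
    return vigenere(ciphertext[pos:pos + len(crib)], crib, -1)


def plausible_positions(ciphertext, crib, vocab):
    """Positions whose implied key fragment occurs inside a vocabulary word."""
    hits = {}
    for pos in range(len(ciphertext) - len(crib) + 1):
        frag = key_fragment(ciphertext, crib, pos)
        words = [w for w in vocab if frag in w]
        if words:
            hits[pos] = (frag, words)
    return hits


def apply_key_word(ciphertext, word, frag, pos):
    """Slide `word` so that its `frag` sits at `pos`; return (start, plaintext)."""
    start = pos - word.index(frag)
    if start < 0 or start + len(word) > len(ciphertext):
        return None  # the word would overhang the message
    return start, vigenere(ciphertext[start:start + len(word)], word, -1)


def alternative_key(ciphertext, other_plaintext):
    """The key under which `ciphertext` decrypts to another same-length message."""
    if len(other_plaintext) != len(ciphertext):
        raise ValueError("message and ciphertext must have the same length")
    return vigenere(ciphertext, other_plaintext, -1)


def random_pad(n):
    """One pad sheet: n letters drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(A) for _ in range(n))


# Assumed list of words the analyst suspects the key was built from.
VOCAB = ["CANADA", "BRAZIL", "EGYPT", "CUBA", "FRANCE", "SPAIN", "CHINA", "PERU"]

# Case 1: key made of words, as in the passage. The plaintext's last word
# ("PIER") is a constructed placeholder for the "????" on the page.
WORD_KEY = "CANADABRAZILEGYPTCUBA"
CT_WORDS = vigenere("THEMEETINGISATTHEPIER", WORD_KEY)

# Case 2: random key. Constructed sample sheet, fixed so the run is repeatable;
# a real sheet would come from random_pad(21) and be destroyed after one use.
SAMPLE_PAD = "PLMXGDQKJWRBHNTCAYFUZ"
CT_PAD = vigenere("ATTACKTHEVALLEYATDAWN", SAMPLE_PAD)

if __name__ == "__main__":
    # Word key: only the true positions of THE give word-like key fragments.
    # Random key: no position stands out, including the correct one.
    for name, ct in (("word key", CT_WORDS), ("random key", CT_PAD)):
        print(name, ct, plausible_positions(ct, "THE", VOCAB))
    # Testing the three candidate words that contain YPT.
    for word in ("APOCALYPTIC", "CRYPT", "EGYPT"):
        print(word, apply_key_word(CT_WORDS, word, "YPT", 14))
    # Any other 21-letter message has a key that "explains" the pad ciphertext.
    other = "DEFENDTHEHILLATSUNSET"  # constructed alternative message
    print(other, "<-", alternative_key(CT_PAD, other))
```

<p>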
Although it is perfect in theory, it is flawed in</p><p>practice because the cipher suffers from two fundamental</p><p>difficulties. First, there is the practical problem of making large</p><p>quantities of random keys. In a single day an army might exchange</p><p>hundreds of messages, each containing thousands of characters, so</p><p>radio operators would require a daily supply of keys equivalent to</p><p>millions of randomly arranged letters. Supplying so many random</p><p>sequences of letters is an immense task.</p><p>Some early cryptographers assumed that they could generate huge</p><p>amounts of random keys by haphazardly tapping away at a</p><p>typewriter. However, whenever this was tried, the typist would tend</p><p>to get into the habit of typing a character using the left hand, and</p><p>then a character using the right hand, and thereafter alternate</p><p>between the two sides. This might be a quick way of generating a</p><p>key, but the resulting sequence has structure, and is no longer</p><p>random—if the typist hits the letter D, from the left side of the</p><p>keyboard, then the next letter is predictable in as much as it is</p><p>probably from the right side of the keyboard. If a onetime pad key</p><p>was to be truly random, a letter from the left side of the keyboard</p><p>should be followed by another letter from the left side of the</p><p>keyboard on roughly half the occasions.</p><p>Cryptographers have come to realize that it requires a great deal</p><p>of time, effort and money to create a random key. The best random</p><p>keys are created by harnessing natural physical processes, such as</p><p>radioactivity, which is known to exhibit truly random behavior. The</p><p>cryptographer could place a lump of radioactive material on a</p><p>bench, and detect its emissions with a Geiger counter. 
Sometimes</p><p>the emissions follow each other in rapid succession, sometimes there</p><p>are long delays—the time between emissions is unpredictable and</p><p>random. The cryptographer could then connect a display to the</p><p>Geiger counter, which rapidly cycles through the alphabet at a fixed</p><p>rate, but which freezes momentarily as soon as an emission is</p><p>detected. Whatever letter is on the display could be used as the next</p><p>letter of the random key. The display restarts and once again cycles</p><p>through the alphabet until it is stopped at random by the next</p><p>emission, the letter frozen on the display is added to the key, and so</p><p>on. This arrangement would</p><p>be guaranteed to generate a truly</p><p>random key, but it is impractical for day-to-day cryptography.</p><p>Even if you could fabricate enough random keys, there is a second</p><p>problem, namely the difficulty of distributing them. Imagine a</p><p>battlefield scenario in which hundreds of radio operators are part of</p><p>the same communications network. To start with, every single</p><p>person must have identical copies of the onetime pad. Next, when</p><p>new pads are issued, they must be distributed to everybody</p><p>simultaneously. Finally, everybody must remain in step, making</p><p>sure that they are using the right sheet of the onetime pad at the</p><p>right time. Widespread use of the onetime pad would fill the</p><p>battlefield with couriers and bookkeepers. Furthermore, if the</p><p>enemy captures just one set of keys, then the whole communication</p><p>system is compromised.</p><p>It might be tempting to cut down on the manufacture and</p><p>distribution of keys by reusing onetime pads, but this is a</p><p>cryptographic cardinal sin. Reusing a onetime pad would allow an</p><p>enemy cryptanalyst to decipher messages with relative ease. 
The</p><p>technique used to prize open two pieces of ciphertext encrypted</p><p>with the same onetime pad key is explained in Appendix G, but for</p><p>the time being the important point is that there can be no shortcuts</p><p>in using the onetime pad cipher. The sender and receiver must use a</p><p>new key for every message.</p><p>A onetime pad is practicable only for people who need ultrasecure</p><p>communication, and who can afford to meet the enormous costs of</p><p>manufacturing and securely distributing the keys. For example, the</p><p>hotline between the presidents of Russia and America is secured via</p><p>a onetime pad cipher.</p><p>The practical flaws of the theoretically perfect onetime pad meant</p><p>that Mauborgne’s idea could never be used in the heat of battle. In</p><p>the aftermath of the First World War and all its cryptographic</p><p>failures, the search continued for a practical system that could be</p><p>employed in the next conflict. Fortunately for cryptographers, it</p><p>would not be long before they made a breakthrough, something that</p><p>would reestablish secret communication on the battlefield. In order</p><p>to strengthen their ciphers, cryptographers were forced to abandon</p><p>their pencil-and-paper approach to secrecy, and exploit the very</p><p>latest technology to scramble messages.</p><p>The Development of Cipher Machines—from Cipher Disks to the</p><p>Enigma</p><p>The earliest cryptographic machine is the cipher disk, invented in</p><p>the fifteenth century by the Italian architect Leon Alberti, one of the</p><p>fathers of the polyalphabetic cipher. He took two copper disks, one</p><p>slightly larger than the other, and inscribed the alphabet around the</p><p>edge of both. By placing the smaller disk on top of the larger one</p><p>and fixing them with a needle to act as an axis, he constructed</p><p>something similar to the cipher disk shown in Figure 31. 
The two</p><p>disks can be independently rotated so that the two alphabets can</p><p>have different relative positions, and can thus be used to encrypt a</p><p>message with a simple Caesar shift. For example, to encrypt a</p><p>message with a Caesar shift of one place, position the outer A next</p><p>to the inner B—the outer disk is the plain alphabet, and the inner</p><p>disk represents the cipher alphabet. Each letter in the plaintext</p><p>message is looked up on the outer disk, and the corresponding letter</p><p>on the inner disk is written down as part of the ciphertext. To send a</p><p>message with a Caesar shift of five places, simply rotate the disks so</p><p>that the outer A is next to the inner F, and then use the cipher disk</p><p>in its new setting.</p><p>Even though the cipher disk is a very basic device, it does ease</p><p>encipherment, and it endured for five centuries. The version shown</p><p>in Figure 31 was used in the American Civil War. Figure 32 shows a</p><p>Code-o-Graph, a cipher disk used by the eponymous hero of Captain</p><p>Midnight, one of the early American radio dramas. Listeners could</p><p>obtain their own Code-o-Graph by writing to the program sponsors,</p><p>Ovaltine, and enclosing a label from one of their containers.</p><p>Occasionally the program would end with a secret message from</p><p>Captain Midnight, which could be deciphered by loyal listeners</p><p>using the Code-o-Graph.</p><p>The cipher disk can be thought of as a “scrambler,” taking each</p><p>plaintext letter and transforming it into something else. The mode of</p><p>operation described so far is straightforward, and the resulting</p><p>cipher is relatively trivial to break, but the cipher disk can be used</p><p>in a more complicated way. Its inventor, Alberti, suggested changing</p><p>the setting of the disk during the message, which in effect generates</p><p>a polyalphabetic cipher instead of a monoalphabetic cipher. 
For</p><p>example, Alberti could have used his disk to encipher the word</p><p>goodbye, using the keyword LEON. He would begin by setting his</p><p>disk according to the first letter of the keyword, moving the outer A</p><p>next to the inner L. Then he would encipher the first letter of the</p><p>message, g, by finding it on the outer disk and noting the</p><p>corresponding letter on the inner disk, which is R. To encipher the</p><p>second letter of the message, he would reset his disk according to</p><p>the second letter of the keyword, moving the outer A next to the</p><p>inner E. Then he would encipher o by finding it on the outer disk</p><p>and noting the corresponding letter on the inner disk, which is S.</p><p>The encryption process continues with the cipher disk being set</p><p>according to the keyletter O, then N, then back to L, and so on.</p><p>Alberti has effectively encrypted a message using the Vigenère</p><p>cipher with his first name acting as the keyword. The cipher disk</p><p>speeds up encryption and reduces errors compared with performing</p><p>the encryption via a Vigenère square.</p><p>Figure 31 A U.S. Confederate cipher disk used in the American Civil War. (photo</p><p>credit 3.4)</p><p>Figure 32 Captain Midnight’s Code-o-Graph, which enciphers each plaintext letter</p><p>(outer disk) as a number (inner disk), rather than a letter.</p><p>The important feature of using the cipher disk in this way is the</p><p>fact that the disk is changing its mode of scrambling during</p><p>encryption. 
Although this extra level of complication makes the</p><p>cipher harder to break, it does not make it unbreakable, because we</p><p>are simply dealing with a mechanized version of the Vigenère</p><p>cipher, and the Vigenère cipher was broken by Babbage and Kasiski.</p><p>However, five hundred years after Alberti, a more complex</p><p>reincarnation of his cipher disk would lead to a new generation of</p><p>ciphers, an order of magnitude more difficult to crack than anything</p><p>previously used.</p><p>In 1918, the German inventor Arthur Scherbius and his close</p><p>friend Richard Ritter founded the company of Scherbius & Ritter, an</p><p>innovative engineering firm that dabbled in everything from</p><p>turbines to heated pillows. Scherbius was in charge of research and</p><p>development, and was constantly looking for new opportunities.</p><p>One of his pet projects was to replace the inadequate systems of</p><p>cryptography used in the First World War by swapping pencil-and-</p><p>paper ciphers with a form of encryption that exploited twentieth-</p><p>century technology. Having studied electrical engineering in</p><p>Hanover and Munich, he developed a piece of cryptographic</p><p>machinery that was essentially an electrical version of Alberti’s</p><p>cipher disk. Called Enigma, Scherbius’s invention would become the</p><p>most fearsome system of encryption in history.</p><p>Scherbius’s Enigma machine consisted of a number of ingenious</p><p>components, which he combined into a formidable and intricate</p><p>cipher machine. However, if we break the machine down into its</p><p>constituent parts and rebuild it in stages, then its underlying</p><p>principles will become apparent. 
The basic form of Scherbius’s</p><p>invention consists of three elements connected by wires: a keyboard</p><p>for inputting each plaintext letter, a scrambling unit that encrypts</p><p>each plaintext letter into a corresponding ciphertext letter, and a</p><p>display board consisting of various lamps for indicating the</p><p>ciphertext letter. Figure 33 shows a stylized layout of the machine,</p><p>limited to a six-letter alphabet for simplicity. In order to encrypt a</p><p>plaintext letter, the operator presses the appropriate plaintext</p><p>letter</p><p>on the keyboard, which sends an electric pulse through the central</p><p>scrambling unit and out the other side, where it illuminates the</p><p>corresponding ciphertext letter on the lampboard.</p><p>The scrambler, a thick rubber disk riddled with wires, is the most</p><p>important part of the machine. From the keyboard, the wires enter</p><p>the scrambler at six points, and then make a series of twists and</p><p>turns within the scrambler before emerging at six points on the</p><p>other side. The internal wirings of the scrambler determine how the</p><p>plaintext letters will be encrypted. For example, in Figure 33 the</p><p>wirings dictate that:</p><p>typing in a will illuminate the letter B, which means that a is encrypted as B,</p><p>typing in b will illuminate the letter A, which means that b is encrypted as A,</p><p>typing in c will illuminate the letter D, which means that c is encrypted as D,</p><p>typing in d will illuminate the letter F, which means that d is encrypted as F,</p><p>typing in e will illuminate the letter E, which means that e is encrypted as E,</p><p>typing in f will illuminate the letter C, which means that f is encrypted as C.</p><p>The message cafe would be encrypted as DBCE. 
With this basic</p><p>setup, the scrambler essentially defines a cipher alphabet, and the</p><p>machine can be used to implement a simple monoalphabetic</p><p>substitution cipher.</p><p>However, Scherbius’s idea was for the scrambler disk to</p><p>automatically rotate by one-sixth of a revolution each time a letter</p><p>is encrypted (or one-twenty-sixth of a revolution for a complete</p><p>alphabet of 26 letters). Figure 34(a) shows the same arrangement as</p><p>in Figure 33; once again, typing in the letter b will illuminate the</p><p>letter A. However, this time, immediately after typing a letter and</p><p>illuminating the lampboard, the scrambler revolves by one-sixth of a</p><p>revolution to the position shown in Figure 34(b). Typing in the</p><p>letter b again will now illuminate a different letter, namely C.</p><p>Immediately afterward, the scrambler rotates once more, to the</p><p>position shown in Figure 34(c). This time, typing in the letter b will</p><p>illuminate E. Typing the letter b six times in a row would generate</p><p>the ciphertext ACEBDC. In other words, the cipher alphabet changes</p><p>after each encryption, and the encryption of the letter b is</p><p>constantly changing. With this rotating setup, the scrambler</p><p>essentially defines six cipher alphabets, and the machine can be</p><p>used to implement a polyalphabetic cipher.</p><p>The rotation of the scrambler is the most important feature of</p><p>Scherbius’s design. However, as it stands the machine suffers from</p><p>one obvious weakness. Typing b six times will return the scrambler</p><p>to its original position, and typing b again and again will repeat the</p><p>pattern of encryption. In general, cryptographers are keen to avoid</p><p>repetition because it leads to regularity and structure in the</p><p>ciphertext, symptoms of a weak cipher. 
This problem can be</p><p>alleviated by introducing a second scrambler disk.</p><p>Figure 33 A simplified version of the Enigma machine with an alphabet of just six letters.</p><p>The most important element of the machine is the scrambler. By typing in b on the</p><p>keyboard, a current passes into the scrambler, follows the path of the internal wiring, and</p><p>then emerges so as to illuminate the A lamp. In short, b is encrypted as A. The box to the</p><p>right indicates how each of the six letters is encrypted.</p><p>Figure 34 Every time a letter is typed into the keyboard and encrypted, the scrambler</p><p>rotates by one place, thus changing how each letter is potentially encrypted. In (a) the</p><p>scrambler encrypts b as A, but in (b) the new scrambler orientation encrypts b as C. In (c),</p><p>after rotating one more place, the scrambler encrypts b as E. After encrypting four more</p><p>letters, and rotating four more places, the scrambler returns to its original orientation.</p><p>Figure 35 is a schematic of a cipher machine with two scramblers.</p><p>Because of the difficulty of drawing a three-dimensional scrambler</p><p>with three-dimensional internal wirings, Figure 35 shows only a</p><p>two-dimensional representation. Each time a letter is encrypted, the</p><p>first scrambler rotates by one space, or in terms of the two-</p><p>dimensional diagram, each wiring shifts down one place. In</p><p>contrast, the second scrambler disk remains stationary for most of</p><p>the time. It moves only after the first scrambler has made a</p><p>complete revolution. The first scrambler is fitted with a tooth, and it</p><p>is only when this tooth reaches a certain point that it knocks the</p><p>second scrambler on one place.</p><p>In Figure 35(a), the first scrambler is in a position where it is just</p><p>about to knock forward the second scrambler. 
Typing in and</p><p>encrypting a letter moves the mechanism to the configuration</p><p>shown in Figure 35(b), in which the first scrambler has moved on</p><p>one place, and the second scrambler has also been knocked on one</p><p>place. Typing in and encrypting another letter again moves the first</p><p>scrambler on one place, Figure 35(c), but this time the second</p><p>scrambler has remained stationary. The second scrambler will not</p><p>move again until the first scrambler completes one revolution,</p><p>which will take another five encryptions. This arrangement is</p><p>similar to a car odometer—the rotor representing single miles turns</p><p>quite quickly, and when it completes one revolution by reaching</p><p>“9,” it knocks the rotor representing tens of miles forward one place.</p><p>The advantage of adding a second scrambler is that the pattern of</p><p>encryption is not repeated until the second scrambler is back where</p><p>it started, which requires six complete revolutions of the first</p><p>scrambler, or the encryption of 6 × 6, or 36 letters in total. In other</p><p>words, there are 36 distinct scrambler settings, which is equivalent</p><p>to switching between 36 cipher alphabets. With a full alphabet of 26</p><p>letters, the cipher machine would switch between 26 × 26, or 676</p><p>cipher alphabets. So by combining scramblers (sometimes called</p><p>rotors), it is possible to build an encryption machine which is</p><p>continually switching between different cipher alphabets. The</p><p>operator types in a particular letter and, depending on the scrambler</p><p>arrangement, it can be encrypted according to any one of hundreds</p><p>of cipher alphabets. Then the scrambler arrangement changes, so</p><p>that when the next letter is typed into the machine it is encrypted</p><p>according to a different cipher alphabet. 
Furthermore, all of this is</p><p>done with great efficiency and accuracy, thanks to the automatic</p><p>movement of scramblers and the speed of electricity.</p><p>Figure 35 On adding a second scrambler, the pattern of encryption does not repeat until</p><p>36 letters have been enciphered, at which point both scramblers have returned to their</p><p>original positions. To simplify the diagram, the scramblers are represented in just two</p><p>dimensions; instead of rotating one place, the wirings move down one place. If a wire</p><p>appears to leave the top or bottom of a scrambler, its path can be followed by continuing</p><p>from the corresponding wire at the bottom or top of the same scrambler. In (a), b is</p><p>encrypted as D. After encryption, the first scrambler rotates by one place, also nudging the</p><p>second scrambler around one place—this happens only once during each complete</p><p>revolution of the first wheel. This new setting is shown in (b), in which b is encrypted as F.</p><p>After encryption, the first scrambler rotates by one place, but this time the second</p><p>scrambler remains fixed. This new setting is shown in (c), in which b is encrypted as B.</p><p>Before explaining in detail how Scherbius intended his encryption</p><p>machine to be used, it is necessary to describe two more elements of</p><p>the Enigma, which are shown in Figure 36. First, Scherbius’s</p><p>standard encryption machine employed a third scrambler for extra</p><p>complexity—for a full alphabet these three scramblers would</p><p>provide 26 × 26 × 26, or 17,576 distinct scrambler arrangements.</p><p>Second, Scherbius added a reflector. The reflector is a bit like a</p><p>scrambler, inasmuch as it is a rubber disk with internal wirings, but</p><p>it differs because it does not rotate, and the wires enter on one side</p><p>and then reemerge on the same side. 
With the reflector in place, the</p><p>operator types in a letter, which sends an electrical signal through</p><p>the three scramblers. When the reflector receives the incoming</p><p>signal it sends it back through the same three scramblers, but along</p><p>a different route. For example, with the setup in Figure 36, typing</p><p>the letter b would send a signal through the three scramblers and</p><p>into the reflector, whereupon the signal would return back through</p><p>the wirings to arrive at the letter D. The signal does not actually</p><p>emerge through the keyboard, as it might seem from Figure 36, but</p><p>instead is diverted to the lampboard. At first sight the reflector</p><p>seems to be a pointless addition to the machine, because its static</p><p>nature means that it does not add to the number of cipher</p><p>alphabets. However, its benefits become clear when we see how the</p><p>machine was actually used to encrypt and decrypt a message.</p><p>Figure 36 Scherbius’s design of the Enigma included a third scrambler and a</p><p>reflector that sends the current back through the scramblers. In this particular</p><p>setting, typing in b eventually illuminates D on the lampboard, shown here adjacent</p><p>to the keyboard.</p><p>An operator wishes to send a secret message. Before encryption</p><p>begins, the operator must first rotate the scramblers to a particular</p><p>starting position. There are 17,576 possible arrangements, and</p><p>therefore 17,576 possible starting positions. The initial setting of the</p><p>scramblers will determine how the message is encrypted. We can</p><p>think of the Enigma machine in terms of a general cipher system,</p><p>and the initial settings are what determine the exact details of the</p><p>encryption. In other words, the initial settings provide the key. 
The</p><p>initial settings are usually dictated by a codebook, which lists the</p><p>key for each day, and which is available to everybody within the</p><p>communications network. Distributing the codebook requires time</p><p>and effort, but because only one key per day is required, it could be</p><p>arranged for a codebook containing 28 keys to be sent out just once</p><p>every four weeks. By comparison, if an army were to use a onetime</p><p>pad cipher, it would require a new key for every message, and key</p><p>distribution would be a much greater task. Once the scramblers</p><p>have been set according to the codebook’s daily requirement, the</p><p>sender can begin encrypting. He types in the first letter of the</p><p>message, sees which letter is illuminated on the lampboard, and</p><p>notes it down as the first letter of the ciphertext. Then, the first</p><p>scrambler having automatically stepped on by one place, the sender</p><p>inputs the second letter of the message, and so on. Once he has</p><p>generated the complete ciphertext, he hands it to a radio operator</p><p>who transmits it to the intended receiver.</p><p>In order to decipher the message, the receiver needs to have</p><p>another Enigma machine and a copy of the codebook that contains</p><p>the initial scrambler settings for that day. He sets up the machine</p><p>according to the book, types in the ciphertext letter by letter, and</p><p>the lampboard indicates the plaintext. In other words, the sender</p><p>typed in the plaintext to generate the ciphertext, and now the</p><p>receiver types in the ciphertext to generate the plaintext—</p><p>encipherment and decipherment are mirror processes. The ease of</p><p>decipherment is a consequence of the reflector. From Figure 36 we</p><p>can see that if we type in b and follow the electrical path, we come</p><p>back to D. Similarly, if we type in d and follow the path, then we</p><p>come back to B. 
The machine encrypts a plaintext letter into a</p><p>ciphertext letter, and, as long as the machine is in the same setting,</p><p>it will decrypt the same ciphertext letter back into the same</p><p>plaintext letter.</p><p>It is clear that the key, and the codebook that contains it, must</p><p>never be allowed to fall into enemy hands. It is quite possible that</p><p>the enemy might capture an Enigma machine, but without knowing</p><p>the initial settings used for encryption, they cannot easily decrypt an</p><p>intercepted message. Without the codebook, the enemy cryptanalyst</p><p>must resort to checking all the possible keys, which means trying all</p><p>the 17,576 possible initial scrambler settings. The desperate</p><p>cryptanalyst would set up the captured Enigma machine with a</p><p>particular scrambler arrangement, input a short piece of the</p><p>ciphertext, and see if the output makes any sense. If not, he would</p><p>change to a different scrambler arrangement and try again. If he can</p><p>check one scrambler arrangement each minute and works night and</p><p>day, it would take almost two weeks to check all the settings. This is</p><p>a moderate level of security, but if the enemy set a dozen people on</p><p>the task, then all the settings could be checked within a day.</p><p>Scherbius therefore decided to improve the security of his invention</p><p>by increasing the number of initial settings and thus the number of</p><p>possible keys.</p><p>He could have increased security by adding more scramblers</p><p>(each new scrambler increases the number of keys by a factor of</p><p>26), but this would have increased the size of the Enigma machine.</p><p>Instead, he added two other features. First, he simply made the</p><p>scramblers removable and interchangeable. So, for example, the first</p><p>scrambler disk could be moved to the third position, and the third</p><p>scrambler disk to the first position. 
The arrangement of the</p><p>scramblers affects the encryption, so the exact arrangement is</p><p>crucial to encipherment and decipherment. There are six different</p><p>ways to arrange the three scramblers, so this feature increases the</p><p>number of keys, or the number of possible initial settings, by a</p><p>factor of six.</p><p>The second new feature was the insertion of a plugboard between</p><p>the keyboard and the first scrambler. The plugboard allows the</p><p>sender to insert cables which have the effect of swapping some of</p><p>the letters before they enter the scrambler. For example, a cable</p><p>could be used to connect the a and b sockets of the plugboard, so</p><p>that when the cryptographer wants to encrypt the letter b, the</p><p>electrical signal actually follows the path through the scramblers</p><p>that previously would have been the path for the letter a, and vice</p><p>versa. The Enigma operator had six cables, which meant that six</p><p>pairs of letters could be swapped, leaving fourteen letters unplugged</p><p>and unswapped. The letters swapped by the plugboard are part of</p><p>the machine’s setting, and so must be specified in the codebook.</p><p>Figure 37 shows the layout of the machine with the plugboard in</p><p>place. Because the diagram deals only with a six-letter alphabet,</p><p>only one pair of letters, a and b, have been swapped.</p><p>There is one more feature of Scherbius’s design, known as the</p><p>ring, which has not yet been mentioned. Although the ring does</p><p>have some effect on encryption, it is the least significant part of the</p><p>whole Enigma machine, and I have decided to ignore it for the</p><p>purposes of this discussion. 
(Readers who would like to know about</p><p>the exact role of the ring should refer to some of the books in the</p><p>list of further reading, such as Seizing the Enigma by David Kahn.</p><p>This list also includes two Web sites containing excellent Enigma</p><p>emulators, which allow you to operate a virtual Enigma machine.)</p><p>Now that we know all the main elements of Scherbius’s Enigma</p><p>machine, we can work out the number of keys, by combining the</p><p>number of possible plugboard cablings with the number of possible</p><p>scrambler arrangements and orientations. The following list shows</p><p>each variable of the machine and the corresponding number of</p><p>possibilities for each one:</p><p>Figure 37 The plugboard sits between the keyboard and the first scrambler. By inserting</p><p>cables it is possible to swap pairs of letters, so that, in this case, b is swapped with a. Now,</p><p>b is encrypted by following the path previously associated with the encryption of a. In the</p><p>real 26-letter Enigma, the user would have six cables for swapping six pairs of letters.</p><p>Scrambler orientations. Each of the 3 scramblers can be set in one of</p><p>26 orientations. There are therefore</p><p>26 × 26 × 26 settings:</p><p>17,576</p><p>Scrambler arrangements. The three scramblers (1, 2 and 3) can be</p><p>positioned in any of the following six orders:</p><p>123, 132, 213, 231, 312, 321.</p><p>6</p><p>Plugboard. The number of ways of connecting, thereby swapping, six</p><p>pairs of letters out of 26 is enormous:</p><p>100,391,791,500</p><p>Total. The total number of keys is the product of these three</p><p>numbers: 17,576 × 6 × 100,391,791,500</p><p>≈ 10,000,000,000,000,000</p><p>As long as sender and receiver have agreed on the plugboard</p><p>cablings, the order of the scramblers and their respective</p><p>orientations, all of which specify the key, they can encrypt and</p><p>decrypt messages easily. 
However, an enemy interceptor who does</p><p>not know the key would have to check every single one of the</p><p>10,000,000,000,000,000 possible keys in order to crack the</p><p>ciphertext. To put this into context, a persistent cryptanalyst who is</p><p>capable of checking one setting every minute would need longer</p><p>than the age of the universe to check every setting. (In fact, because</p><p>I have ignored the effect of the rings in these calculations, the</p><p>number of possible keys is even larger, and the time to break</p><p>Enigma even longer.)</p><p>Since by far the largest contribution to the number of keys comes</p><p>from the plugboard, you might wonder why Scherbius bothered</p><p>with the scramblers. On its own, the plugboard would provide a</p><p>trivial cipher, because it would do nothing more than act as a</p><p>monoalphabetic substitution cipher, swapping around just 12</p><p>letters. The problem with the plugboard is that the swaps do not</p><p>change once encryption begins, so on its own it would generate a</p><p>ciphertext that could be broken by frequency analysis. The</p><p>scramblers contribute a smaller number of keys, but their setup is</p><p>continually changing, which means that the resulting ciphertext</p><p>cannot be broken by frequency analysis. By combining the</p><p>scramblers with the plugboard, Scherbius protected his machine</p><p>against frequency analysis, and at the same time gave it an</p><p>enormous number of possible keys.</p><p>Scherbius took out his first patent in 1918. His cipher machine</p><p>was contained in a compact box measuring only 34 × 28 × 15 cm,</p><p>but it weighed a hefty 12 kg. Figure 39 shows an Enigma machine</p><p>with the outer lid open, ready for use. It is possible to see the</p><p>keyboard where the plaintext letters are typed in, and, above it, the</p><p>lampboard which displays the resulting ciphertext letter. 
Below the</p><p>keyboard is the plugboard; there are more than six pairs of letters</p><p>swapped by the plugboard, because this particular Enigma machine</p><p>is a slightly later modification of the original model, which is the</p><p>version that has been described so far. Figure 40 shows an Enigma</p><p>with the cover plate removed to reveal more features, in particular</p><p>the three scramblers.</p><p>Scherbius believed that Enigma was impregnable, and that its</p><p>cryptographic strength would create a great demand for it. He tried</p><p>to market the cipher machine to both the military and the business</p><p>community, offering different versions to each. For example, he</p><p>offered a basic version of Enigma to businesses, and a luxury</p><p>diplomatic version with a printer rather than a lampboard to the</p><p>Foreign Office. The price of an individual unit was as much as</p><p>$30,000 in today’s prices.</p><p>Figure 38 Arthur Scherbius. (photo credit 3.5)</p><p>Unfortunately, the high cost of the machine discouraged potential</p><p>buyers. Businesses said that they could not afford Enigma’s security,</p><p>but Scherbius believed that they could not afford to be without it.</p><p>He argued that a vital message intercepted by a business rival could</p><p>cost a company a fortune, but few businessmen took any notice of</p><p>him. The German military were equally unenthusiastic, because they</p><p>were oblivious to the damage caused by their insecure ciphers</p><p>during the Great War. For example, they had been led to believe</p><p>that the Zimmermann telegram had been stolen by American spies</p><p>in Mexico, and so they blamed that failure on Mexican security.</p><p>They still did not realize that the telegram had in fact been</p><p>intercepted and deciphered by the British, and that the</p><p>Zimmermann debacle was actually a failure of German</p><p>cryptography.</p><p>Scherbius was not alone in his growing frustration. 
Three other</p><p>inventors in three other countries had independently and almost</p><p>simultaneously hit upon the idea of a cipher machine based on</p><p>rotating scramblers. In the Netherlands in 1919, Alexander Koch</p><p>took out patent No. 10,700, but he failed to turn his rotor machine</p><p>into a commercial success and eventually sold the patent rights in</p><p>1927. In Sweden, Arvid Damm took out a similar patent, but by the</p><p>time he died in 1927 he had also failed to find a market. In</p><p>America, inventor Edward Hebern had complete faith in his</p><p>invention, the so-called Sphinx of the Wireless, but his failure was</p><p>the greatest of all.</p><p>In the mid-1920s, Hebern began building a $380,000 factory, but</p><p>unfortunately this was a period when the mood in America was</p><p>changing from paranoia to openness. The previous decade, in the</p><p>aftermath of the First World War, the U.S. Government had</p><p>established the American Black Chamber, a highly effective cipher</p><p>bureau staffed by a team of twenty cryptanalysts, led by the</p><p>flamboyant and brilliant Herbert Yardley. Later, Yardley wrote that</p><p>“The Black Chamber, bolted, hidden, guarded, sees all, hears all.</p><p>Though the blinds are drawn and the windows heavily curtained, its</p><p>far-seeking eyes penetrate the secret conference chambers at</p><p>Washington, Tokyo, London, Paris, Geneva, Rome. Its sensitive ears</p><p>catch the faintest whisperings in the foreign capitals of the world.”</p><p>The American Black Chamber solved 45,000 cryptograms in a</p><p>decade, but by the time Hebern built his factory, Herbert Hoover</p><p>had been elected President and was attempting to usher in a new</p><p>era of trust in international affairs. 
He disbanded the Black</p><p>Chamber, and his Secretary of State, Henry Stimson, declared that</p><p>“Gentlemen should not read each other’s mail.” If a nation believes</p><p>that it is wrong to read the messages of others, then it also begins to</p><p>believe that others will not read its own messages, and it does not</p><p>see the necessity for fancy cipher machines. Hebern sold only twelve</p><p>machines at a total price of roughly $1,200, and in 1926 he was</p><p>brought to trial by dissatisfied shareholders and found guilty under</p><p>California’s Corporate Securities Act.</p><p>Figure 39 An army Enigma machine ready for use. (photo credit 3.6)</p><p>Figure 40 An Enigma machine with the inner lid opened, revealing the three scramblers.</p><p>Fortunately for Scherbius, however, the German military were</p><p>eventually shocked into appreciating the value of his Enigma</p><p>machine, thanks to two British documents. The first was Winston</p><p>Churchill’s The World Crisis, published in 1923, which included a</p><p>dramatic account of how the British had gained access to valuable</p><p>German cryptographic material:</p><p>At the beginning of September 1914, the German light cruiser Magdeburg was</p><p>wrecked in the Baltic. The body of a drowned German under-officer was picked up by</p><p>the Russians a few hours later, and clasped in his bosom by arms rigid in death, were</p><p>the cipher and signal books of the German navy and the minutely squared maps of</p><p>the North Sea and Heligoland Bight. On September 6 the Russian Naval Attaché came</p><p>to see me. He had received a message from Petrograd telling him what had happened,</p><p>and that the Russian Admiralty with the aid of the cipher and signal books had been</p><p>able to decode portions at least of the German naval messages. The Russians felt that</p><p>as the leading naval Power, the British Admiralty ought to have these books and</p><p>charts. 
If we would send a vessel to Alexandrov, the Russian officers in charge of the</p><p>books would bring them to England.</p><p>This material had helped the cryptanalysts in Room 40 to crack</p><p>Germany’s encrypted messages on a regular basis. Finally, almost a</p><p>decade later, the Germans were made aware of this failure in their</p><p>communications security. Also in 1923, the British Royal Navy</p><p>published their official history of the First World War, which</p><p>reiterated the fact that the interception and cryptanalysis of German</p><p>communications had provided the Allies with a clear advantage.</p><p>These proud achievements of British Intelligence were a stark</p><p>condemnation of those responsible for</p><p>German security, who then</p><p>had to admit in their own report that, “the German fleet command,</p><p>whose radio messages were intercepted and deciphered by the</p><p>English, played so to speak with open cards against the British</p><p>command.”</p><p>The German military held an enquiry into how to avoid repeating</p><p>the cryptographic fiascos of the First World War, and concluded that</p><p>the Enigma machine offered the best solution. By 1925 Scherbius</p><p>began mass-producing Enigmas, which went into military service</p><p>the following year, and were subsequently used by the government</p><p>and by state-run organizations such as the railways. These Enigmas</p><p>were distinct from the few machines that Scherbius had previously</p><p>sold to the business community, because the scramblers had</p><p>different internal wirings. Owners of a commercial Enigma machine</p><p>did not therefore have a complete knowledge of the government and</p><p>military versions.</p><p>Over the next two decades, the German military would buy over</p><p>30,000 Enigma machines. 
Scherbius’s invention provided the</p><p>German military with the most secure system of cryptography in the</p><p>world, and at the outbreak of the Second World War their</p><p>communications were protected by an unparalleled level of</p><p>encryption. At times, it seemed that the Enigma machine would play</p><p>a vital role in ensuring Nazi victory, but instead it was ultimately</p><p>part of Hitler’s downfall. Scherbius did not live long enough to see</p><p>the successes and failures of his cipher system. In 1929, while</p><p>driving a team of horses, he lost control of his carriage and crashed</p><p>into a wall, dying on May 13 from internal injuries.</p><p>4 Cracking the Enigma</p><p>In the years that followed the First World War, the British</p><p>cryptanalysts in Room 40 continued to monitor German</p><p>communications. In 1926 they began to intercept messages which</p><p>baffled them completely. Enigma had arrived, and as the number of</p><p>Enigma machines increased, Room 40’s ability to gather intelligence</p><p>diminished rapidly. The Americans and the French also tried to</p><p>tackle the Enigma cipher, but their attempts were equally dismal,</p><p>and they soon gave up hope of breaking it. Germany now had the</p><p>most secure communications in the world.</p><p>The speed with which the Allied cryptanalysts abandoned hope of</p><p>breaking Enigma was in sharp contrast to their perseverance just a</p><p>decade earlier in the First World War. Confronted with the prospect</p><p>of defeat, the Allied cryptanalysts had worked night and day to</p><p>penetrate German ciphers. It would appear that fear was the main</p><p>driving force, and that adversity is one of the foundations of</p><p>successful codebreaking. Similarly, it was fear and adversity that</p><p>galvanized French cryptanalysis at the end of the nineteenth</p><p>century, faced with the increasing might of Germany. 
However, in</p><p>the wake of the First World War the Allies no longer feared</p><p>anybody. Germany had been crippled by defeat, the Allies were in a</p><p>dominant position, and as a result they seemed to lose their</p><p>cryptanalytic zeal. Allied cryptanalysts dwindled in number and</p><p>deteriorated in quality.</p><p>One nation, however, could not afford to relax. After the First</p><p>World War, Poland reestablished itself as an independent state, but</p><p>it was concerned about threats to its newfound sovereignty. To the</p><p>east lay Russia, a nation ambitious to spread its communism, and to</p><p>the west lay Germany, desperate to regain territory ceded to Poland</p><p>after the war. Sandwiched between these two enemies, the Poles</p><p>were desperate for intelligence information, and they formed a new</p><p>cipher bureau, the Biuro Szyfrów. If necessity is the mother of</p><p>invention, then perhaps adversity is the mother of cryptanalysis.</p><p>The success of the Biuro Szyfrów is exemplified by their success</p><p>during the Russo-Polish War of 1919–20. In August 1920 alone,</p><p>when the Soviet armies were at the gates of Warsaw, the Biuro</p><p>deciphered 400 enemy messages. Their monitoring of German</p><p>communications had been equally effective, until 1926, when they</p><p>too encountered the Enigma messages.</p><p>In charge of deciphering German messages was Captain</p><p>Maksymilian Ciezki, a committed patriot who had grown up in the</p><p>town of Szamotuty, a center of Polish nationalism. Ciezki had access</p><p>to a commercial version of the Enigma machine, which revealed all</p><p>the principles of Scherbius’s invention. Unfortunately, the</p><p>commercial version was distinctly different from the military one in</p><p>terms of the wirings inside each scrambler. Without knowing the</p><p>wirings of the military machine, Ciezki had no chance of</p><p>deciphering messages being sent by the German army. 
He became</p><p>so despondent that at one point he even employed a clairvoyant in a</p><p>frantic attempt to conjure some sense from the enciphered</p><p>intercepts. Not surprisingly, the clairvoyant failed to make the</p><p>breakthrough the Biuro Szyfrów needed. Instead, it was left to a</p><p>disaffected German, Hans-Thilo Schmidt, to make the first step</p><p>toward breaking the Enigma cipher.</p><p>Hans-Thilo Schmidt was born in 1888 in Berlin, the second son of</p><p>a distinguished professor and his aristocratic wife. Schmidt</p><p>embarked on a career in the German Army and fought in the First</p><p>World War, but he was not considered worthy enough to remain in</p><p>the army after the drastic cuts implemented as part of the Treaty of</p><p>Versailles. He then tried to make his name as a businessman, but his</p><p>soap factory was forced to close because of the postwar depression</p><p>and hyperinflation, leaving him and his family destitute.</p><p>The humiliation of Schmidt’s failures was compounded by the</p><p>success of his elder brother, Rudolph, who had also fought in the</p><p>war, and who was retained in the army afterward. During the 1920s</p><p>Rudolph rose through the ranks and was eventually promoted to</p><p>chief of staff of the Signal Corps. He was responsible for ensuring</p><p>secure communications, and in fact it was Rudolph who officially</p><p>sanctioned the army’s use of the Enigma cipher.</p><p>After his business collapsed, Hans-Thilo was forced to ask his</p><p>brother for help, and Rudolph arranged a job for him in Berlin at</p><p>the Chiffrierstelle, the office responsible for administrating</p><p>Germany’s encrypted communications. This was Enigma’s command</p><p>center, a top-secret establishment dealing with highly sensitive</p><p>information. 
When Hans-Thilo moved to his new job, he left his</p><p>family behind in Bavaria, where the cost of living was affordable.</p><p>He was living alone in expensive Berlin, impoverished and isolated,</p><p>envious of his perfect brother and resentful toward a nation which</p><p>had rejected him. The result was inevitable. By selling secret Enigma</p><p>information to foreign powers, Hans-Thilo Schmidt could earn</p><p>money and gain revenge, damaging his country’s security and</p><p>undermining his brother’s organization.</p><p>On November 8, 1931, Schmidt arrived at the Grand Hotel in</p><p>Verviers, Belgium, for a liaison with a French secret agent</p><p>codenamed Rex. In exchange for 10,000 marks (equivalent to</p><p>$30,000 in today’s money), Schmidt allowed Rex to photograph two</p><p>documents: “Gebrauchsanweisung für die Chiffriermaschine</p><p>Enigma” and “Schlüsselanleitung für die Chiffriermaschine Enigma.”</p><p>These documents were essentially instructions for using the Enigma</p><p>machine, and although there was no explicit description of the</p><p>wirings inside each scrambler, they contained the information</p><p>needed to deduce those wirings.</p><p>Figure 41 Hans-Thilo Schmidt. (photo credit 4.1)</p><p>Thanks to Schmidt’s treachery, it was now possible for the Allies</p><p>to create an accurate replica of the German military Enigma</p><p>machine. However, this was not enough to enable them to decipher</p><p>messages encrypted by Enigma. The strength of the cipher depends</p><p>not on keeping the machine secret, but on keeping the initial setting</p><p>of the machine (the key) secret. If a cryptanalyst wants to decipher</p><p>an intercepted message, then, in addition to having a replica of the</p><p>Enigma machine, he still has to find which of the millions of billions</p><p>of possible keys was used to encipher it. 
A German memorandum</p><p>put it thus: “It is assumed in judging the security of the</p><p>cryptosystem that the enemy has at his disposition the machine.”</p><p>The French Secret Service was clearly</p><p>up to scratch, having found</p><p>an informant in Schmidt, and having obtained the documents that</p><p>suggested the wirings of the military Enigma machine. In</p><p>comparison, French cryptanalysts were inadequate, and seemed</p><p>unwilling and unable to exploit this newly acquired information. In</p><p>the wake of the First World War they suffered from overconfidence</p><p>and lack of motivation. The Bureau du Chiffre did not even bother</p><p>trying to build a replica of the military Enigma machine, because</p><p>they were convinced that achieving the next stage, finding the key</p><p>required to decipher a particular Enigma message, was impossible.</p><p>As it happened, ten years earlier the French had signed an</p><p>agreement of military cooperation with the Poles. The Poles had</p><p>expressed an interest in anything connected with Enigma, so in</p><p>accordance with their decade-old agreement the French simply</p><p>handed the photographs of Schmidt’s documents to their allies, and</p><p>left the hopeless task of cracking Enigma to the Biuro Szyfrów. The</p><p>Biuro realized that the documents were only a starting point, but</p><p>unlike the French they had the fear of invasion to spur them on. The</p><p>Poles convinced themselves that there must be a shortcut to finding</p><p>the key to an Enigma-encrypted message, and that if they applied</p><p>sufficient effort, ingenuity and wit, they could find that shortcut.</p><p>As well as revealing the internal wirings of the scramblers,</p><p>Schmidt’s documents also explained in detail the layout of the</p><p>codebooks used by the Germans. Each month, Enigma operators</p><p>received a new codebook which specified which key should be used</p><p>for each day. 
For example, on the first day of the month, the</p><p>codebook might specify the following day key:</p><p>(1) Plugboard settings: A/L-P/R-T/D-B/W-K/F-O/Y.</p><p>(2) Scrambler arrangement: 2-3-1.</p><p>(3) Scrambler orientations: Q-C-W.</p><p>Together, the scrambler arrangement and orientations are known as</p><p>the scrambler settings. To implement this particular day key, the</p><p>Enigma operator would set up his Enigma machine as follows:</p><p>(1) Plugboard settings: Swap the letters A and L by connecting them</p><p>via a lead on the plugboard, and similarly swap P and R, then T</p><p>and D, then B and W, then K and F, and then O and Y.</p><p>(2) Scrambler arrangement: Place the 2nd scrambler in the 1st slot of</p><p>the machine, the 3rd scrambler in the 2nd slot, and the 1st</p><p>scrambler in the 3rd slot.</p><p>(3) Scrambler orientations: Each scrambler has an alphabet engraved</p><p>on its outer rim, which allows the operator to set it in a particular</p><p>orientation. In this case, the operator would rotate the scrambler</p><p>in slot 1 so that Q is facing upward, rotate the scrambler in slot 2</p><p>so that C is facing upward, and rotate the scrambler in slot 3 so</p><p>that W is facing upward.</p><p>One way of encrypting messages would be for the sender to</p><p>encrypt all the day’s traffic according to the day key. This would</p><p>mean that for a whole day at the start of each message all Enigma</p><p>operators would set their machines according to the same day key.</p><p>Then, each time a message needed to be sent, it would be first typed</p><p>into the machine; the enciphered output would then be recorded,</p><p>and handed to the radio operator for transmission. At the other end,</p><p>the receiving radio operator would record the incoming message,</p><p>hand it to the Enigma operator, who would type it into his machine,</p><p>which would already be set to the same day key. 
The output would</p><p>be the original message.</p><p>This process is reasonably secure, but it is weakened by the</p><p>repeated use of a single day key to encrypt the hundreds of</p><p>messages that might be sent each day. In general, it is true to say</p><p>that if a single key is used to encipher an enormous quantity of</p><p>material, then it is easier for a cryptanalyst to deduce it. A large</p><p>amount of identically encrypted material provides a cryptanalyst</p><p>with a correspondingly larger chance of identifying the key. For</p><p>example, harking back to simpler ciphers, it is much easier to break</p><p>a monoalphabetic cipher with frequency analysis if there are several</p><p>pages of encrypted material, as opposed to just a couple of</p><p>sentences.</p><p>As an extra precaution, the Germans therefore took the clever step</p><p>of using the day key settings to transmit a new message key for each</p><p>message. The message keys would have the same plugboard settings</p><p>and scrambler arrangement as the day key, but different scrambler</p><p>orientations. Because the new scrambler orientation would not be in</p><p>the codebook, the sender had to transmit it securely to the receiver</p><p>according to the following process. First, the sender sets his machine</p><p>according to the agreed day key, which includes a scrambler</p><p>orientation, say QCW. Next, he randomly picks a new scrambler</p><p>orientation for the message key, say PGH. He then enciphers PGH</p><p>according to the day key. The message key is typed into the Enigma</p><p>twice, just to provide a double-check for the receiver. For example,</p><p>the sender might encipher the message key PGHPGH as KIVBJE.</p><p>Note that the two PGH’s are enciphered differently (the first as KIV,</p><p>the second as BJE) because the Enigma scramblers are rotating after</p><p>each letter, and changing the overall mode of encryption. 
The</p><p>sender then changes his machine to the PGH setting and encrypts</p><p>the main message according to this message key. At the receiver’s</p><p>end, the machine is initially set according to the day key, QCW. The</p><p>first six letters of the incoming message, KIVBJE, are typed in and</p><p>reveal PGHPGH. The receiver then knows to reset his scramblers to</p><p>PGH, the message key, and can then decipher the main body of the</p><p>message.</p><p>This is equivalent to the sender and receiver agreeing on a main</p><p>cipher key. Then, instead of using this single main cipher key to</p><p>encrypt every message, they use it merely to encrypt a new cipher</p><p>key for each message, and then encrypt the actual message</p><p>according to the new cipher key. Had the Germans not employed</p><p>message keys, then everything—perhaps thousands of messages</p><p>containing millions of letters—would have been sent using the same</p><p>day key. However, if the day key is only used to transmit the</p><p>message keys, then it encrypts only a limited amount of text. If there</p><p>are 1,000 message keys sent in a day, then the day key encrypts</p><p>only 6,000 letters. And because each message key is picked at</p><p>random and is used to encipher only one message, then it encrypts a</p><p>limited amount of text, perhaps just a few hundred characters.</p><p>At first sight the system seemed to be impregnable, but the Polish</p><p>cryptanalysts were undaunted. They were prepared to explore every</p><p>avenue in order to find a weakness in the Enigma machine and its</p><p>use of day and message keys. Foremost in the battle against Enigma</p><p>was a new breed of cryptanalyst. For centuries, it had been assumed</p><p>that the best cryptanalysts were experts in the structure of language,</p><p>but the arrival of Enigma prompted the Poles to alter their</p><p>recruiting policy. 
Enigma was a mechanical cipher, and the Biuro</p><p>Szyfrów reasoned that a more scientific mind might stand a better</p><p>chance of breaking it. The Biuro organized a course on cryptography</p><p>and invited twenty mathematicians, each of them sworn to an oath</p><p>of secrecy. The mathematicians were all from the university at</p><p>Poznán. Although not the most respected academic institution in</p><p>Poland, it had the advantage of being located in the west of the</p><p>country, in territory that had been part of Germany until 1918.</p><p>These mathematicians were therefore fluent in German.</p><p>Three of the twenty demonstrated an aptitude for solving ciphers,</p><p>and were recruited into the Biuro. The most gifted of them was</p><p>Marian Rejewski, a timid, spectacled twenty-three-year-old who had</p><p>previously studied statistics in order to pursue a career in insurance.</p><p>Although a competent student at the university, it was within the</p><p>Biuro Szyfrów that he was to find his true calling. He served his</p><p>apprenticeship by breaking a series of traditional ciphers before</p><p>moving on to the more forbidding challenge of Enigma. Working</p><p>entirely alone, he concentrated all of his energies on the intricacies</p><p>of Scherbius’s machine. As a mathematician, he would try to</p><p>analyze</p><p>every aspect of the machine’s operation, probing the effect</p><p>of the scramblers and the plugboard cablings. However, as with all</p><p>mathematics, his work required inspiration as well as logic. As</p><p>another wartime mathematical cryptanalyst put it, the creative</p><p>codebreaker must “perforce commune daily with dark spirits to</p><p>accomplish his feats of mental ju-jitsu.”</p><p>Rejewski’s strategy for attacking Enigma focused on the fact that</p><p>repetition is the enemy of security: repetition leads to patterns, and</p><p>cryptanalysts thrive on patterns. 
The most obvious repetition in the</p><p>Enigma encryption was the message key, which was enciphered</p><p>twice at the beginning of every message. If the operator chose the</p><p>message key ULJ, then he would encrypt it twice so that ULJULJ</p><p>might be enciphered as PEFNWZ, which he would then send at the</p><p>start before the actual message. The Germans had demanded this</p><p>repetition in order to avoid mistakes caused by radio interference or</p><p>operator error. But they did not foresee that this would jeopardize</p><p>the security of the machine.</p><p>Each day, Rejewski would find himself with a new batch of</p><p>intercepted messages. They all began with the six letters of the</p><p>repeated three-letter message key, all encrypted according to the</p><p>same agreed day key. For example, he might receive four messages</p><p>that began with the following encrypted message keys:</p><p>In each case, the 1st and 4th letters are encryptions of the same</p><p>letter, namely the first letter of the message key. Also, the 2nd and</p><p>5th letters are encryptions of the same letter, namely the second</p><p>letter of the message key, and the 3rd and 6th letters are</p><p>encryptions of the same letter, namely the third letter of the</p><p>message key. For example, in the first message L and R are</p><p>encryptions of the same letter, the first letter of the message key.</p><p>The reason why this same letter is encrypted differently, first as L</p><p>and then as R, is that between the two encryptions the first Enigma</p><p>scrambler has moved on three steps, changing the overall mode of</p><p>scrambling.</p><p>The fact that L and R are encryptions of the same letter allowed</p><p>Rejewski to deduce some slight constraint on the initial setup of the</p><p>machine. 
The initial scrambler setting, which is unknown, encrypted</p><p>the first letter of the day key, which is also unknown, into L, and</p><p>then another scrambler setting, three steps on from the initial</p><p>setting, which is still unknown, encrypted the same letter of the day</p><p>key, which is also still unknown, into R.</p><p>This constraint might seem vague, as it is full of unknowns, but at</p><p>least it demonstrates that the letters L and R are intimately related</p><p>by the initial setting of the Enigma machine, the day key. As each</p><p>new message is intercepted, it is possible to identify other</p><p>relationships between the 1st and 4th letters of the repeated</p><p>message key. All these relationships are reflections of the initial</p><p>setting of the Enigma machine. For example, the second message</p><p>above tells us that M and X are related, the third tells us that J and</p><p>M are related, and the fourth that D and P are related. Rejewski</p><p>began to summarize these relationships by tabulating them. For the</p><p>four messages we have so far, the table would reflect the</p><p>relationships between (L, R), (M, X), (J, M) and (D, P):</p><p>If Rejewski had access to enough messages in a single day, then he</p><p>would be able to complete the alphabet of relationships. The</p><p>following table shows such a completed set of relationships:</p><p>Figure 42 Marian Rejewski.</p><p>Rejewski had no idea of the day key, and he had no idea which</p><p>message keys were being chosen, but he did know that they resulted</p><p>in this table of relationships. Had the day key been different, then</p><p>the table of relationships would have been completely different. The</p><p>next question was whether there existed any way of determining the</p><p>day key by looking at the table of relationships. Rejewski began to</p><p>look for patterns within the table, structures that might indicate the</p><p>day key. 
Eventually, he began to study one particular type of</p><p>pattern, which featured chains of letters. For example, in the table,</p><p>A on the top row is linked to F on the bottom row, so next he would</p><p>look up F on the top row. It turns out that F is linked to W, and so</p><p>he would look up W on the top row. And it turns out that W is</p><p>linked to A, which is where we started. The chain has been</p><p>completed.</p><p>With the remaining letters in the alphabet, Rejewski would</p><p>generate more chains. He listed all the chains, and noted the</p><p>number of links in each one:</p><p>So far, we have only considered the links between the 1st and 4th</p><p>letters of the six-letter repeated key. In fact, Rejewski would repeat</p><p>this whole exercise for the relationships between the 2nd and 5th</p><p>letters, and the 3rd and 6th letters, identifying the chains in each</p><p>case and the number of links in each chain.</p><p>Rejewski noticed that the chains changed each day. Sometimes</p><p>there were lots of short chains, sometimes just a few long chains.</p><p>And, of course, the letters within the chains changed. The</p><p>characteristics of the chains were clearly a result of the day key</p><p>setting, a complex consequence of the plugboard settings, the</p><p>scrambler arrangement and the scrambler orientations. However,</p><p>there remained the question of how Rejewski could determine the</p><p>day key from these chains. Which of 10,000,000,000,000,000</p><p>possible day keys was related to a particular pattern of chains? The</p><p>number of possibilities was simply too great.</p><p>It was at this point that Rejewski had a profound insight.</p><p>Although the plugboard and scrambler settings both affect the</p><p>details of the chains, their contributions can to some extent be</p><p>disentangled. 
In particular, there is one aspect of the chains which is</p><p>wholly dependent on the scrambler settings, and which has nothing</p><p>to do with the plugboard settings: the numbers of links in the chains</p><p>is purely a consequence of the scrambler settings. For instance, let</p><p>us take the example above and pretend that the day key required</p><p>the letters S and G to be swapped as part of the plugboard settings.</p><p>If we change this element of the day key, by removing the cable that</p><p>swaps S and G, and use it to swap, say, T and K instead, then the</p><p>chains would change to the following:</p><p>Some of the letters in the chains have changed, but, crucially, the</p><p>number of links in each chain remains constant. Rejewski had</p><p>identified a facet of the chains that was solely a reflection of the</p><p>scrambler settings.</p><p>The total number of scrambler settings is the number of scrambler</p><p>arrangements (6) multiplied by the number of scrambler</p><p>orientations (17,576) which comes to 105,456. So, instead of having</p><p>to worry about which of the 10,000,000,000,000,000 day keys was</p><p>associated with a particular set of chains, Rejewski could busy</p><p>himself with a drastically simpler problem: which of the 105,456</p><p>scrambler settings was associated with the numbers of links within a</p><p>set of chains? This number is still large, but it is roughly one</p><p>hundred billion times smaller than the total number of possible day</p><p>keys. In short, the task has become one hundred billion times easier,</p><p>certainly within the realm of human endeavor.</p><p>Rejewski proceeded as follows. Thanks to Hans-Thilo Schmidt’s</p><p>espionage, he had access to replica Enigma machines. His team</p><p>began the laborious chore of checking each of 105,456 scrambler</p><p>settings, and cataloguing the chain lengths that were generated by</p><p>each one. 
It took an entire year to complete the catalogue, but once</p><p>the Biuro had accumulated the data, Rejewski could finally begin to</p><p>unravel the Enigma cipher.</p><p>Each day, he would look at the encrypted message keys, the first</p><p>six letters of all the intercepted messages, and use the information to</p><p>build his table of relationships. This would allow him to trace the</p><p>chains, and establish the number of links in each chain. For</p><p>example, analyzing the 1st and 4th letters might result in four</p><p>chains with 3, 9, 7 and 7 links. Analyzing the 2nd and 5th letters</p><p>might also result in four chains, with 2, 3, 9 and 12 links. Analyzing</p><p>the 3rd and 6th letters might result in five</p><p>chains with 5, 5, 5, 3 and</p><p>8 links. As yet, Rejewski still had no idea of the day key, but he</p><p>knew that it resulted in 3 sets of chains with the following number</p><p>of chains and links in each one:</p><p>4 chains from the 1st and 4th letters, with 3, 9, 7 and 7 links.</p><p>4 chains from the 2nd and 5th letters, with 2, 3, 9 and 12 links.</p><p>5 chains from the 3rd and 6th letters, with 5, 5, 5, 3 and 8 links.</p><p>Rejewski could now go to his catalogue, which contained every</p><p>scrambler setting indexed according to the sort of chains it would</p><p>generate. Having found the catalogue entry that contained the right</p><p>number of chains with the appropriate number of links in each one,</p><p>he immediately knew the scrambler settings for that particular day</p><p>key. The chains were effectively fingerprints, the evidence that</p><p>betrayed the initial scrambler arrangement and orientations.</p><p>Rejewski was working just like a detective who might find a</p><p>fingerprint at the scene of a crime, and then use a database to match</p><p>it to a suspect.</p><p>Although he had identified the scrambler part of the day key,</p><p>Rejewski still had to establish the plugboard settings. 
Although</p><p>there are about a hundred billion possibilities for the plugboard</p><p>settings, this was a relatively straightforward task. Rejewski would</p><p>begin by setting the scramblers in his Enigma replica according to</p><p>the newly established scrambler part of the day key. He would then</p><p>remove all cables from the plugboard, so that the plugboard had no</p><p>effect. Finally, he would take a piece of intercepted ciphertext and</p><p>type it in to the Enigma machine. This would largely result in</p><p>gibberish, because the plugboard cablings were unknown and</p><p>missing. However, every so often vaguely recognizable phrases</p><p>would appear, such as alliveinbelrin—presumably, this should be</p><p>“arrive in Berlin.” If this assumption is correct, then it would imply</p><p>that the letters R and L should be connected and swapped by a</p><p>plugboard cable, while A, I, V, E, B and N should not. By analyzing</p><p>other phrases it would be possible to identify the other five pairs of</p><p>letters that had been swapped by the plugboard. Having established</p><p>the plugboard settings, and having already discovered the scrambler</p><p>settings, Rejewski had the complete day key, and could then</p><p>decipher any message sent that day.</p><p>Rejewski had vastly simplified the task of finding the day key by</p><p>divorcing the problem of finding the scrambler settings from the</p><p>problem of finding the plugboard settings. On their own, both of</p><p>these problems were solvable. Originally, we estimated that it would</p><p>take more than the lifetime of the universe to check every possible</p><p>Enigma key. However, Rejewski had spent only a year compiling his</p><p>catalogue of chain lengths, and thereafter he could find the day key</p><p>before the day was out. 
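</p><p>The chain fingerprint and catalogue lookup described above, as an added Python example that is not from the book. It assumes a simplified three-scrambler model (the widely published wirings of rotors I to III and reflector B, odometer stepping, no ring settings), uses the day key quoted earlier with constructed message keys, and builds the catalogue for one scrambler arrangement only; all function names are hypothetical.</p>

```python
"""Rejewski's chain fingerprint on a simplified three-scrambler Enigma (added demo)."""
from string import ascii_uppercase as ABC

# Assumptions: the widely published wirings of rotors I-III and reflector B,
# odometer stepping (slot 1 turns on every key press), no ring settings.
ROTORS = {1: "EKMFLGDQVZNTOWYHXUSPAIBRCJ",
          2: "AJDKSIRUXBLHWTMCQGZNPYFVOE",
          3: "BDFHJLCPRTXVZNYEIWGAKMUSQO"}
REFLECTOR = [ABC.index(c) for c in "YRUHQSLDPXNGOKMIEBFZCWVJAT"]
POSITIONS = 26 ** 3  # 17,576 scrambler orientations


def rotor_tables(wiring):
    """Forward and backward maps of one scrambler for each of its 26 orientations."""
    w = [ABC.index(c) for c in wiring]
    inv = [w.index(i) for i in range(26)]
    fwd = [[(w[(x + p) % 26] - p) % 26 for x in range(26)] for p in range(26)]
    bwd = [[(inv[(x + p) % 26] - p) % 26 for x in range(26)] for p in range(26)]
    return fwd, bwd


TABLES = {n: rotor_tables(w) for n, w in ROTORS.items()}


def to_pos(letters):
    """'QCW' -> number; slot 1 = Q is the fastest-moving digit."""
    return sum(ABC.index(c) * 26 ** i for i, c in enumerate(letters))


def from_pos(pos):
    return "".join(ABC[pos // 26 ** i % 26] for i in range(3))


def core(order, pos):
    """Scrambler-only substitution (no plugboard) at absolute position pos."""
    p = (pos % 26, pos // 26 % 26, pos // 676 % 26)
    f = [TABLES[r][0][q] for r, q in zip(order, p)]
    b = [TABLES[r][1][q] for r, q in zip(order, p)]
    return [b[0][b[1][b[2][REFLECTOR[f[2][f[1][f[0][x]]]]]]] for x in range(26)]


def plugboard(spec):
    """Parse 'A/L-P/R-...' into a swap table; the empty string means no cables."""
    s = list(range(26))
    for pair in filter(None, spec.split("-")):
        a, b = (ABC.index(c) for c in pair.split("/"))
        s[a], s[b] = b, a
    return s


def encipher_indicator(order, start, plug, message_key):
    """Encipher the doubled message key under the day key, as the sender did."""
    s, pos0 = plugboard(plug), to_pos(start)
    out = ""
    for k, ch in enumerate(message_key * 2, start=1):
        perm = core(order, (pos0 + k) % POSITIONS)
        out += ABC[s[perm[s[ABC.index(ch)]]]]
    return out


def chain_lengths(perm):
    """Sorted lengths of the chains (cycles) of a relationship table."""
    seen, lengths = set(), []
    for start in range(26):
        n, x = 0, start
        while x not in seen:
            seen.add(x)
            x, n = perm[x], n + 1
        if n:
            lengths.append(n)
    return tuple(sorted(lengths))


def fingerprint_from_intercepts(indicators):
    """Tabulate 1st->4th, 2nd->5th, 3rd->6th letters; None if a table is incomplete."""
    fp = []
    for i in range(3):
        table = {c[i]: c[i + 3] for c in indicators}
        if len(table) < 26:
            return None
        fp.append(chain_lengths([ABC.index(table[a]) for a in ABC]))
    return tuple(fp)


def build_catalogue(order):
    """Fingerprint -> every orientation producing it, for one arrangement."""
    cores = [core(order, p) for p in range(POSITIONS)]
    catalogue = {}
    for p0 in range(POSITIONS):
        fp = []
        for i in (1, 2, 3):
            e1, e4 = cores[(p0 + i) % POSITIONS], cores[(p0 + i + 3) % POSITIONS]
            # The table sends E_i(x) to E_{i+3}(x); E_i is its own inverse.
            fp.append(chain_lengths([e4[e1[c]] for c in range(26)]))
        catalogue.setdefault(tuple(fp), []).append(from_pos(p0))
    return catalogue


def demo():
    order, start = (2, 3, 1), "QCW"              # day key from the text
    plug = "A/L-P/R-T/D-B/W-K/F-O/Y"
    # Constructed message keys that cover every letter in each position.
    keys = [ABC[i] + ABC[(i + 7) % 26] + ABC[(i + 13) % 26] for i in range(26)]
    seen = fingerprint_from_intercepts(
        [encipher_indicator(order, start, plug, k) for k in keys])
    unplugged = fingerprint_from_intercepts(
        [encipher_indicator(order, start, "", k) for k in keys])
    # The lookup returns every orientation that shares the observed fingerprint.
    return seen, unplugged, build_catalogue(order).get(seen, [])


if __name__ == "__main__":
    print(demo())
```

<p>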
Once he had the day key, he possessed the</p><p>same information as the intended receiver and so could decipher</p><p>messages just as easily.</p><p>Following Rejewski’s breakthrough, German communications</p><p>became transparent. Poland was not at war with Germany, but there</p><p>was a threat of invasion, and Polish relief at conquering Enigma was</p><p>nevertheless immense. If they could find out what the German</p><p>generals had in mind for them, there was a chance that they could</p><p>defend themselves. The fate of the Polish nation had depended on</p><p>Rejewski, and he did not disappoint his country. Rejewski’s attack</p><p>on Enigma is one of the truly great accomplishments of</p><p>cryptanalysis. I have had to sum up his work in just a few pages,</p><p>and so have omitted many of the technical details, and all of the</p><p>dead ends. Enigma is a complicated cipher machine, and breaking it</p><p>required immense intellectual force. My simplifications should not</p><p>mislead you into underestimating Rejewski’s extraordinary</p><p>achievement.</p><p>The Polish success in breaking the Enigma cipher can be</p><p>attributed to three factors: fear, mathematics and espionage.</p><p>Without the fear of invasion, the Poles would have been discouraged</p><p>by the apparent invulnerability of the Enigma cipher. Without</p><p>mathematics, Rejewski would not have been able to analyze the</p><p>chains. And without Schmidt, codenamed “Asche,” and his</p><p>documents, the wirings of the scramblers would not have been</p><p>known, and cryptanalysis could not even have begun. 
Rejewski did</p><p>not hesitate to express the debt he owed Schmidt: “Asche’s</p><p>documents were welcomed like manna from heaven, and all doors</p><p>were immediately opened.”</p><p>The Poles successfully used Rejewski’s technique for several years.</p><p>When Hermann Göring visited Warsaw in 1934, he was totally</p><p>unaware of the fact that his communications were being intercepted</p><p>and deciphered. As he and other German dignitaries laid a wreath at</p><p>the Tomb of the Unknown Soldier next to the offices of the Biuro</p><p>Szyfrów, Rejewski could stare down at them from his window,</p><p>content in the knowledge that he could read their most secret</p><p>communications.</p><p>Even when the Germans made a minor alteration to the way they</p><p>transmitted messages, Rejewski fought back. His old catalogue of</p><p>chain lengths was useless, but rather than rewriting the catalogue he</p><p>devised a mechanized version of his cataloguing system, which</p><p>could automatically search for the correct scrambler settings.</p><p>Rejewski’s invention was an adaptation of the Enigma machine, able</p><p>to rapidly check each of the 17,576 settings until it spotted a match.</p><p>Because of the six possible scrambler arrangements, it was necessary</p><p>to have six of Rejewski’s machines working in parallel, each one</p><p>representing one of the possible arrangements. Together, they</p><p>formed a unit that was about a meter high, capable of finding the</p><p>day key in roughly two hours. The units were called bombes, a name</p><p>that might reflect the ticking noise they made while checking</p><p>scrambler settings. Alternatively, it is said that Rejewski got his</p><p>inspiration for the machines while at a cafe eating a bombe, an ice</p><p>cream shaped into a hemisphere. The bombes effectively</p><p>mechanized the process of decipherment. 
It was a natural response</p><p>to Enigma, which was a mechanization of encipherment.</p><p>For most of the 1930s, Rejewski and his colleagues worked</p><p>tirelessly to uncover the Enigma keys. Month after month, the team</p><p>would have to deal with the stresses and strains of cryptanalysis,</p><p>continually having to fix mechanical failures in the bombes,</p><p>continually having to deal with the never-ending supply of</p><p>encrypted intercepts. Their lives became dominated by the pursuit</p><p>of the day key, that vital piece of information that would reveal the</p><p>meaning of the encrypted messages. However, unknown to the</p><p>Polish codebreakers, much of their work was unnecessary. The chief</p><p>of the Biuro, Major Gwido Langer, already had the Enigma day keys,</p><p>but he kept them hidden, tucked away in his desk.</p><p>Langer, via the French, was still receiving information from</p><p>Schmidt. The German spy’s nefarious activities did not end in 1931</p><p>with the delivery of the two documents on the operation of Enigma,</p><p>but continued for another seven years. He met the French secret</p><p>agent Rex on twenty occasions, often in secluded alpine chalets</p><p>where privacy was guaranteed. At every meeting, Schmidt handed</p><p>over one or more codebooks, each one containing a month’s worth</p><p>of day keys. These were the codebooks that were distributed to all</p><p>German Enigma operators, and they contained all the information</p><p>that was needed to encipher and decipher messages. In total, he</p><p>provided codebooks that contained 38 months’ worth of day keys.</p><p>The keys would have saved Rejewski an enormous amount of time</p><p>and effort, shortcutting the necessity for bombes and sparing</p><p>manpower that could have been used in other sections of the Biuro.</p><p>However, the remarkably astute Langer decided not to tell Rejewski</p><p>that the keys existed. 
By depriving Rejewski of the keys, Langer</p><p>believed he was preparing him for the inevitable time when the keys</p><p>would no longer be available. He knew that if war broke out it</p><p>would be impossible for Schmidt to continue to attend covert</p><p>meetings, and Rejewski would then be forced to be self-sufficient.</p><p>Langer thought that Rejewski should practice self-sufficiency</p><p>securely, Histaiaeus shaved the head of</p><p>his messenger, wrote the message on his scalp, and then waited for</p><p>the hair to regrow. This was clearly a period of history that</p><p>tolerated a certain lack of urgency. The messenger, apparently</p><p>carrying nothing contentious, could travel without being harassed.</p><p>Upon arriving at his destination he then shaved his head and</p><p>pointed it at the intended recipient.</p><p>Secret communication achieved by hiding the existence of a</p><p>message is known as steganography, derived from the Greek words</p><p>steganos, meaning “covered,” and graphein, meaning “to write.” In</p><p>the two thousand years since Herodotus, various forms of</p><p>steganography have been used throughout the world. For example,</p><p>the ancient Chinese wrote messages on fine silk, which was then</p><p>scrunched into a tiny ball and covered in wax. The messenger would</p><p>then swallow the ball of wax. In the sixteenth century, the Italian</p><p>scientist Giovanni Porta described how to conceal a message within</p><p>a hard-boiled egg by making an ink from a mixture of one ounce of</p><p>alum and a pint of vinegar, and then using it to write on the shell.</p><p>The solution penetrates the porous shell, and leaves a message on</p><p>the surface of the hardened egg albumen, which can be read only</p><p>when the shell is removed. Steganography also includes the practice</p><p>of writing in invisible ink. 
As far back as the first century A.D., Pliny</p><p>the Elder explained how the “milk” of the thithymallus plant could</p><p>be used as an invisible ink. Although transparent after drying, gentle</p><p>heating chars the ink and turns it brown. Many organic fluids</p><p>behave in a similar way, because they are rich in carbon and</p><p>therefore char easily. Indeed, it is not unknown for modern spies</p><p>who have run out of standard-issue invisible ink to improvise by</p><p>using their own urine.</p><p>The longevity of steganography illustrates that it certainly offers a</p><p>modicum of security, but it suffers from a fundamental weakness. If</p><p>the messenger is searched and the message is discovered, then the</p><p>contents of the secret communication are revealed at once.</p><p>Interception of the message immediately compromises all security. A</p><p>thorough guard might routinely search any person crossing a</p><p>border, scraping any wax tablets, heating blank sheets of paper,</p><p>shelling boiled eggs, shaving people’s heads, and so on, and</p><p>inevitably there will be occasions when the message is uncovered.</p><p>Hence, in parallel with the development of steganography, there</p><p>was the evolution of cryptography, derived from the Greek word</p><p>kryptos, meaning “hidden.” The aim of cryptography is not to hide</p><p>the existence of a message, but rather to hide its meaning, a process</p><p>known as encryption. To render a message unintelligible, it is</p><p>scrambled according to a particular protocol which is agreed</p><p>beforehand between the sender and the intended recipient. Thus the</p><p>recipient can reverse the scrambling protocol and make the message</p><p>comprehensible. 
The advantage of cryptography is that if the enemy</p><p>intercepts an encrypted message, then the message is unreadable.</p><p>Without knowing the scrambling protocol, the enemy should find it</p><p>difficult, if not impossible, to recreate the original message from the</p><p>encrypted text.</p><p>Although cryptography and steganography are independent, it is</p><p>possible to both scramble and hide a message to maximize security.</p><p>For example, the microdot is a form of steganography that became</p><p>popular during the Second World War. German agents in Latin</p><p>America would photographically shrink a page of text down to a dot</p><p>less than 1 millimeter in diameter, and then hide this microdot on</p><p>top of a full stop in an apparently innocuous letter. The first</p><p>microdot to be spotted by the FBI was in 1941, following a tip-off</p><p>that the Americans should look for a tiny gleam from the surface of</p><p>a letter, indicative of smooth film. Thereafter, the Americans could</p><p>read the contents of most intercepted microdots, except when the</p><p>German agents had taken the extra precaution of scrambling their</p><p>message before reducing it. In such cases of cryptography combined</p><p>with steganography, the Americans were sometimes able to</p><p>intercept and block communications, but they were prevented from</p><p>gaining any new information about German spying activity. Of the</p><p>two branches of secret communication, cryptography is the more</p><p>powerful because of this ability to prevent information from falling</p><p>into enemy hands.</p><p>In turn, cryptography itself can be divided into two branches,</p><p>known as transposition and substitution. In transposition, the letters of</p><p>the message are simply rearranged, effectively generating an</p><p>anagram. 
For very short messages, such as a single word, this</p><p>method is relatively insecure because there are only a limited</p><p>number of ways of rearranging a handful of letters. For example,</p><p>three letters can be arranged in only six different ways, e.g., cow,</p><p>cwo, ocw, owc, wco, woc. However, as the number of letters</p><p>gradually increases, the number of possible arrangements rapidly</p><p>explodes, making it impossible to get back to the original message</p><p>unless the exact scrambling process is known. For example, consider</p><p>this short sentence. It contains just 35 letters, and yet there are more</p><p>than 50,000,000,000,000,000,000,000,000,000,000 distinct</p><p>arrangements of them. If one person could check one arrangement</p><p>per second, and if all the people in the world worked night and day,</p><p>it would still take more than a thousand times the lifetime of the</p><p>universe to check all the arrangements.</p><p>A random transposition of letters seems to offer a very high level</p><p>of security, because it would be impractical for an enemy</p><p>interceptor to unscramble even a short sentence. But there is a</p><p>drawback. Transposition effectively generates an incredibly difficult</p><p>anagram, and if the letters are randomly jumbled, with neither</p><p>rhyme nor reason, then unscrambling the anagram is impossible for</p><p>the intended recipient, as well as an enemy interceptor. In order for</p><p>transposition to be effective, the rearrangement of letters needs to</p><p>follow a straightforward system, one that has been previously</p><p>agreed by sender and receiver, but kept secret from the enemy. For</p><p>example, schoolchildren sometimes send messages using the “rail</p><p>fence” transposition, in which the message is written with alternate</p><p>letters on separate upper and lower lines. 
The sequence of letters on</p><p>the lower line is then tagged on at the end of the sequence on the</p><p>upper line to create the final encrypted message. For example:</p><p>The receiver can recover the message by simply reversing the</p><p>process. There are various other forms of systematic transposition,</p><p>including the three-line rail fence cipher, in which the message is</p><p>first written on three separate lines instead of two. Alternatively,</p><p>one could swap each pair of letters, so that the first and second</p><p>letters switch places, the third and fourth letters switch places, and</p><p>so on.</p><p>Another form of transposition is embodied in the first ever</p><p>military cryptographic device, the Spartan scytale, dating back to the</p><p>fifth century B.C. The scytale is a wooden staff around which a strip</p><p>of leather or parchment is wound, as shown in Figure 2. The sender</p><p>writes the message along the length of the scytale, and then</p><p>unwinds the strip, which now appears to carry a list of meaningless</p><p>letters. The message has been scrambled. The messenger would take</p><p>the leather strip, and, as a steganographic twist, he would</p><p>sometimes disguise it as a belt with the letters hidden on the inside.</p><p>To recover the message, the receiver simply wraps the leather strip</p><p>around a scytale of the same diameter as the one used by the</p><p>sender. In 404 B.C. Lysander of Sparta was confronted by a</p><p>messenger, bloody and battered, one of only five to have survived</p><p>the arduous journey from Persia. The messenger handed his belt to</p><p>Lysander, who wound it around his scytale to learn that</p><p>Pharnabazus of Persia was planning to attack him. 
Thanks to the scytale, Lysander was prepared for the attack and repulsed it.</p><p>Figure 2 When it is unwound from the sender’s scytale (wooden staff), the leather strip appears</p><p>in peacetime, as preparation for what lay ahead.</p><p>Rejewski’s skills eventually reached their limit in December 1938, when German cryptographers increased Enigma’s security. Enigma operators were all given two new scramblers, so that the scrambler arrangement might involve any three of the five available scramblers. Previously there were only three scramblers (labeled 1, 2 and 3) to choose from, and only six ways to arrange them, but now that there were two extra scramblers (labeled 4 and 5) to choose from, the number of arrangements rose to 60, as shown in Table 10. Rejewski’s first challenge was to work out the internal wirings of the two new scramblers. More worryingly, he also had to build ten times as many bombes, each representing a different scrambler arrangement. The sheer cost of building such a battery of bombes was fifteen times the Biuro’s entire annual equipment budget. The following month the situation worsened when the number of plugboard cables increased from six to ten. Instead of twelve letters being swapped before entering the scramblers, there were now twenty swapped letters. The number of possible keys increased to 159,000,000,000,000,000,000.</p><p>In 1938 Polish interceptions and decipherments had been at their peak, but by the beginning of 1939 the new scramblers and extra plugboard cables stemmed the flow of intelligence. Rejewski, who had pushed forward the boundaries of cryptanalysis in previous years, was confounded.
He had proved that Enigma was not an unbreakable cipher, but without the resources required to check every scrambler setting he could not find the day key, and decipherment was impossible. Under such desperate circumstances Langer might have been tempted to hand over the keys that had been obtained by Schmidt, but the keys were no longer being delivered. Just before the introduction of the new scramblers, Schmidt had broken off contact with agent Rex. For seven years he had supplied keys which were superfluous because of Polish innovation. Now, just when the Poles needed the keys, they were no longer available.</p><p>The new invulnerability of Enigma was a devastating blow to Poland, because Enigma was not merely a means of communication, it was at the heart of Hitler’s blitzkrieg strategy. The concept of blitzkrieg (“lightning war”) involved rapid, intense, coordinated attack, which meant that large tank divisions would have to communicate with one another and with infantry and artillery. Furthermore, land forces would be backed up by air support from dive-bombing Stukas, which would rely on effective and secure communication between the front-line troops and the airfields. The ethos of blitzkrieg was “speed of attack through speed of communications.” If the Poles could not break Enigma, they had no hope of stopping the German onslaught, which was clearly only a matter of months away. Germany already occupied the Sudetenland, and on April 27, 1939, it withdrew from its nonaggression treaty with Poland. Hitler’s anti-Polish rhetoric became increasingly vitriolic. Langer was determined that if Poland was invaded, then its cryptanalytic breakthroughs, which had so far been kept secret from the Allies, should not be lost.
If Poland could not benefit from Rejewski’s work, then at least the Allies should have the chance to try and build on it. Perhaps Britain and France, with their extra resources, could fully exploit the concept of the bombe.</p><p>Table 10 Possible arrangements with five scramblers.</p><p>Figure 43 General Heinz Guderian’s command post vehicle. An Enigma machine can be seen in use in the bottom left. (photo credit 4.2)</p><p>On June 30, Major Langer telegraphed his French and British counterparts, inviting them to Warsaw to discuss some urgent matters concerning Enigma. On July 24, senior French and British cryptanalysts arrived at the Biuro’s headquarters, not knowing quite what to expect. Langer ushered them into a room in which stood an object covered with a black cloth. He pulled away the cloth, dramatically revealing one of Rejewski’s bombes. The audience were astonished as they heard how Rejewski had been breaking Enigma for years. The Poles were a decade ahead of anybody else in the world. The French were particularly astonished, because the Polish work had been based on the results of French espionage. The French had handed the information from Schmidt to the Poles because they believed it to be of no value, but the Poles had proved them wrong.</p><p>As a final surprise, Langer offered the British and French two spare Enigma replicas and blueprints for the bombes, which were to be shipped in diplomatic bags to Paris. From there, on August 16, one of the Enigma machines was forwarded to London. It was smuggled across the Channel as part of the baggage of the playwright Sacha Guitry and his wife, the actress Yvonne Printemps, so as not to arouse the suspicion of German spies who would be monitoring the ports.
Two weeks later, on September 1, Hitler invaded Poland and the war began.</p><p>The Geese that Never Cackled</p><p>For thirteen years the British and the French had assumed that the Enigma cipher was unbreakable, but now there was hope. The Polish revelations had demonstrated that the Enigma cipher was flawed, which boosted the morale of Allied cryptanalysts. Polish progress had ground to a halt on the introduction of the new scramblers and extra plugboard cables, but the fact remained that Enigma was no longer considered a perfect cipher.</p><p>The Polish breakthroughs also demonstrated to the Allies the value of employing mathematicians as codebreakers. In Britain, Room 40 had always been dominated by linguists and classicists, but now there was a concerted effort to balance the staff with mathematicians and scientists. They were recruited largely via the old-boy network, with those inside Room 40 contacting their former Oxford and Cambridge colleges. There was also an old-girl network which recruited women undergraduates from places such as Newnham College and Girton College, Cambridge.</p><p>The new recruits were not brought to Room 40 in London, but instead went to Bletchley Park, Buckinghamshire, the home of the Government Code and Cypher School (GC&CS), a newly formed codebreaking organization that was taking over from Room 40. Bletchley Park could house a much larger staff, which was important because a deluge of encrypted intercepts was expected as soon as the war started.
During the First World War, Germany had transmitted two million words a month, but it was anticipated that the greater availability of radios in the Second World War could result in the transmission of two million words a day.</p><p>At the center of Bletchley Park was a large Victorian Tudor-Gothic mansion built by the nineteenth-century financier Sir Herbert Leon. The mansion, with its library, dining hall and ornate ballroom, provided the central administration for the whole of the Bletchley operation. Commander Alastair Denniston, the director of GC&CS, had a ground-floor office overlooking the gardens, a view that was soon spoiled by the erection of numerous huts. These makeshift wooden buildings housed the various codebreaking activities. For example, Hut 6 specialized in attacking the German Army’s Enigma communications. Hut 6 passed its decrypts to Hut 3, where intelligence operatives translated the messages, and attempted to exploit the information. Hut 8 specialized in the naval Enigma, and they passed their decrypts to Hut 4 for translation and intelligence gathering. Initially, Bletchley Park had a staff of only two hundred, but within five years the mansion and the huts would house seven thousand men and women.</p><p>Figure 44 In August 1939, Britain’s senior codebreakers visited Bletchley Park to assess its suitability as the site for the new Government Code and Cypher School. To avoid arousing suspicion from locals, they claimed to be part of Captain Ridley’s shooting party. (photo credit 4.3)</p><p>During the autumn of 1939, the scientists and mathematicians at Bletchley learned the intricacies of the Enigma cipher and rapidly mastered the Polish techniques.
Bletchley had more staff and resources than the Polish Biuro Szyfrów, and were thus able to cope with the larger selection of scramblers and the fact that Enigma was now ten times harder to break. Every twenty-four hours the British codebreakers went through the same routine. At midnight, German Enigma operators would change to a new day key, at which point whatever breakthroughs Bletchley had achieved the previous day could no longer be used to decipher messages. The codebreakers now had to begin the task of trying to identify the new day key. It could take several hours, but as soon as they had discovered the Enigma settings for that day, the Bletchley staff could begin to decipher the German messages that had already accumulated, revealing information that was invaluable to the war effort.</p><p>Surprise is an invaluable weapon for a commander to have at his disposal. But if Bletchley could break into Enigma, German plans would become transparent and the British would be able to read the minds of the German High Command. If the British could pick up news of an imminent attack, they could send reinforcements or take evasive action. If they could decipher German discussions of their own weaknesses, the Allies would be able to focus their offensives. The Bletchley decipherments were of the utmost importance. For example, when Germany invaded Denmark and Norway in April 1940, Bletchley provided a detailed picture of German operations. Similarly, during the Battle of Britain, the cryptanalysts were able to give advance warning of bombing raids, including times and locations. They could also give continual updates on the state of the Luftwaffe, such as the number of planes that had been lost and the speed with which they were being replaced.
Bletchley would send all this information to MI6 headquarters, who would forward it to the War Office, the Air Ministry and the Admiralty.</p><p>In between influencing the course of the war, the cryptanalysts occasionally found time to relax. According to Malcolm Muggeridge, who served in the secret service and visited Bletchley, rounders, a version of softball, was a favorite pastime:</p><p>Every day after luncheon when the weather was propitious the cipher crackers played rounders on the manor-house lawn, assuming the quasi-serious manner dons affect when engaged in activities likely to be regarded as frivolous or insignificant in comparison with their weightier studies. Thus they would dispute some point about the game with the same fervor as they might the question of free will or determinism, or whether the world began with a big bang or a process of continuing creation.</p><p>Figure 45 Bletchley’s codebreakers relax with a game of rounders.</p><p>Once they had mastered the Polish techniques, the Bletchley cryptanalysts began to invent their own shortcuts for finding the Enigma keys. For example, they cottoned on to the fact that the German Enigma operators would occasionally choose obvious message keys. For each message, the operator was supposed to select a different message key, three letters chosen at random. However, in the heat of battle, rather than straining their imaginations to pick a random key, the overworked operators would sometimes pick three consecutive letters from the Enigma keyboard (Figure 46), such as QWE or BNM. These predictable message keys became known as cillies. Another type of cilly was the repeated use of the same message key, perhaps the initials of the operator’s girlfriend—indeed, one such set of initials, C.I.L., may have been the origin of the term.
Before cracking Enigma the hard way, it became routine for the cryptanalysts to try out the cillies, and their hunches would sometimes pay off.</p><p>Cillies were not weaknesses of the Enigma machine, rather they were weaknesses in the way the machine was being used. Human error at more senior levels also compromised the security of the Enigma cipher. Those responsible for compiling the codebooks had to decide which scramblers would be used each day, and in which positions. They tried to ensure that the scrambler settings were unpredictable by not allowing any scrambler to remain in the same position for two days in a row. So, if we label the scramblers 1, 2, 3, 4 and 5, then on the first day it would be possible to have the arrangement 134, and on the second day it would be possible to have 215, but not 214, because scrambler number 4 is not allowed to remain in the same position for two days in a row. This might seem a sensible strategy because the scramblers are constantly changing position, but enforcing such a rule actually makes life easier for the cryptanalyst. Excluding certain arrangements to avoid a scrambler remaining in the same position meant that the codebook compilers reduced by half the number of possible scrambler arrangements. The Bletchley cryptanalysts realized what was happening and made the most of it. Once they identified the scrambler arrangement for one day, they could immediately rule out half the scrambler arrangements for the next day. Hence, their workload was reduced by half.</p><p>Figure 46 Layout of the Enigma keyboard.</p><p>Similarly, there was a rule that the plugboard settings could not include a swap between any letter and its neighbor, which meant that S could be swapped with any letter except R and T.
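</p><p>The scrambler rule described above can be checked by enumeration. The Python below is an added example, not part of the book: it lists the 60 arrangements, applies the rule to the 134 example (32 arrangements remain, roughly the half the text describes) and recomputes the key counts quoted on the page. The function names are made up for the illustration.</p>

```python
from itertools import permutations
from math import factorial

ORIENTATIONS = 26 ** 3  # 17,576 orientations of three scramblers


def arrangements(scramblers="12345", slots=3):
    """Every ordered choice of `slots` scramblers, written like '134'."""
    return ["".join(p) for p in permutations(scramblers, slots)]


def allowed_after(yesterday, scramblers="12345"):
    """Arrangements the codebook rule permits on the day after `yesterday`:
    no scrambler may sit in the slot it occupied the day before."""
    return [a for a in arrangements(scramblers, len(yesterday))
            if all(new != old for new, old in zip(a, yesterday))]


def plugboard_settings(cables, letters=26):
    """Number of ways to connect `cables` disjoint pairs of letters."""
    return factorial(letters) // (
        factorial(letters - 2 * cables) * factorial(cables) * 2 ** cables)


def keys(n_arrangements, cables):
    """Day keys: arrangements x orientations x plugboard settings."""
    return n_arrangements * ORIENTATIONS * plugboard_settings(cables)


def summary(yesterday="134"):
    """The page's figures recomputed, plus the effect of the codebook rule."""
    total = len(arrangements())
    today = len(allowed_after(yesterday))
    return {
        "arrangements": total,
        "allowed_today": today,
        "scrambler_settings": total * ORIENTATIONS,
        "keys_ten_cables": keys(total, 10),
        "keys_given_yesterday": keys(today, 10),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:22} {value:,}")
```

<p>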
The theory was that such obvious swappings should be deliberately avoided, but once again the implementation of a rule drastically reduced the number of possible keys.</p><p>This search for new cryptanalytic shortcuts was necessary because the Enigma machine continued to evolve during the course of the war. The cryptanalysts were continually forced to innovate, to redesign and refine the bombes, and to devise wholly new strategies. Part of the reason for their success was the bizarre combination of mathematicians, scientists, linguists, classicists, chess grandmasters and crossword addicts within each hut. An intractable problem would be passed around the hut until it reached someone who had the right mental tools to solve it, or reached someone who could at least partially solve it before passing it on again. Gordon Welchman, who was in charge of Hut 6, described his team as “a pack of hounds trying to pick up the scent.” There were many great cryptanalysts and many significant breakthroughs, and it would take several large volumes to describe the individual contributions in detail. However, if there is one figure who deserves to be singled out, it is Alan Turing, who identified Enigma’s greatest weakness and ruthlessly exploited it. Thanks to Turing, it became possible to crack the Enigma cipher under even the most difficult circumstances.</p><p>Alan Turing was conceived in the autumn of 1911 in Chatrapur, a town near Madras in southern India, where his father Julius Turing was a member of the Indian civil service. Julius and his wife Ethel were determined that their son should be born in Britain, and returned to London, where Alan was born on June 23, 1912.
His father returned to India soon afterward and his mother followed just fifteen months later, leaving Alan in the care of nannies and friends until he was old enough to attend boarding school.</p><p>In 1926, at the age of fourteen, Turing became a pupil at Sherborne School, in Dorset. The start of his first term coincided with the General Strike, but Turing was determined to attend the first day, and he cycled 100 km unaccompanied from Southampton to Sherborne, a feat that was reported in the local newspaper. By the end of his first year at the school he had gained a reputation as a shy, awkward boy whose only skills were in the area of science. The aim of Sherborne was to turn boys into well-rounded men, fit to rule the Empire, but Turing did not share this ambition and had a generally unhappy schooling.</p><p>His only real friend at Sherborne was Christopher Morcom, who, like Turing, had an interest in science. Together they discussed the latest scientific news and conducted their own experiments. The relationship fired Turing’s intellectual curiosity, but, more importantly, it also had a profound emotional effect on him. Andrew Hodges, Turing’s biographer, wrote that “This was first love … It had that sense of surrender, and a heightened awareness, as of brilliant color bursting upon a black and white world.” Their friendship lasted four years, but Morcom seems to have been unaware of the depth of feeling Turing had for him. Then, during their final year at Sherborne, Turing lost forever the chance to tell him how he felt. On Thursday, February 13, 1930, Christopher Morcom suddenly died of tuberculosis.</p><p>Turing was devastated by the loss of the only person he would ever truly love.
His way of coming to terms with Morcom’s death was to focus on his scientific studies in an attempt to fulfill his friend’s potential. Morcom, who appeared to be the more gifted of the two boys, had already won a scholarship to Cambridge University. Turing believed it was his duty also to win a place at Cambridge, and then to make the discoveries his friend would otherwise have made. He asked Christopher’s mother for a photograph, and when it arrived he wrote back to thank her: “He is on my table now, encouraging me to work hard.”</p><p>In 1931, Turing gained admission to King’s College, Cambridge. He arrived during a period of intense debate about the nature of mathematics and logic, and was surrounded by some of the leading voices, such as Bertrand Russell, Alfred North Whitehead and Ludwig Wittgenstein. At the center of the argument was the issue of undecidability, a controversial notion developed by the logician Kurt Gödel. It had always been assumed that, in theory at least, all mathematical questions could be answered. However, Gödel demonstrated that there could exist a minority of questions which were beyond the reach of logical proof, so-called undecidable questions. Mathematicians were traumatized by the news that mathematics was not the all-powerful discipline they had always believed it to be. They attempted to salvage their subject by trying to find a way of identifying the awkward undecidable questions, so that they could put them safely to one side. It was this objective that eventually inspired Turing to write his most influential mathematical paper, “On Computable Numbers,” published in 1937. In Breaking the Code, Hugh Whitemore’s play about the life of Turing, a character asks Turing the meaning of his paper. He replies, “It’s about right and wrong. In general terms.
It’s a technical paper in mathematical logic, but it’s also about the difficulty of telling right from wrong. People think—most people think—that in mathematics we always know what is right and what is wrong. Not so. Not any more.”</p><p>Figure 47 Alan Turing. (photo credit 4.4)</p><p>In his attempt to identify undecidable questions, Turing’s paper described an imaginary machine that was designed to perform a particular mathematical operation, or algorithm. In other words, the machine would be capable of running through a fixed, prescribed series of steps which would, for example, multiply two numbers. Turing envisaged that the numbers to be multiplied could be fed into the machine via a paper tape, rather like the punched tape that is used to feed a tune into a Pianola. The answer to the multiplication would be output via another tape. Turing imagined a whole series of these so-called Turing machines, each specially designed to tackle a particular task, such as dividing, squaring or factoring. Then Turing took a more radical step.</p><p>He imagined a machine whose internal workings could be altered so that it could perform all the functions of all conceivable Turing machines. The alterations would be made by inserting carefully selected tapes, which transformed the single flexible machine into a dividing machine, a multiplying machine, or any other type of machine. Turing called this hypothetical device a universal Turing machine because it would be capable of answering any question that could logically be answered.
Unfortunately, it turned out that it is not always logically possible to answer a question about the undecidability of another question, and so even the universal Turing machine was unable to identify every undecidable question.</p><p>Mathematicians who read Turing’s paper were disappointed that Gödel’s monster had not been subdued but, as a consolation prize, Turing had given them the blueprint for the modern programmable computer. Turing knew of Babbage’s work, and the universal Turing machine can be seen as a reincarnation of Difference Engine No. 2. In fact, Turing had gone much further, and provided computing with a solid theoretical basis, imbuing the computer with a hitherto unimaginable potential. It was still the 1930s though, and the technology did not exist to turn the universal Turing machine into a reality. However, Turing was not at all dismayed that his theories were ahead of what was technically feasible. He merely wanted recognition from within the mathematical community, who indeed applauded his paper as one of the most important breakthroughs of the century. He was still only twenty-six.</p><p>This was a particularly happy and successful period for Turing. During the 1930s he rose through the ranks to become a fellow of King’s College, home of the world’s intellectual elite. He led the life of an archetypal Cambridge don, mixing pure mathematics with more trivial activities. In 1938 he made a point of seeing the film Snow White and the Seven Dwarfs, containing the memorable scene in which the Wicked Witch dunks an apple in poison. Afterward his colleagues heard Turing continually repeating the macabre chant, “Dip the apple in the brew, Let the sleeping death seep through.”</p><p>Turing cherished his years at Cambridge.
In addition to his academic success, he found himself in a tolerant and supportive environment. Homosexuality was largely accepted within the university, which meant that he was free to engage in a series of relationships without having to worry about who might find out, and what others might say. Although he had no serious long-term relationships, he seemed to be content with his life. Then, in 1939, Turing’s academic career was brought to an abrupt halt. The Government Code and Cypher School invited him to become a cryptanalyst at Bletchley, and on September 4, 1939, the day after Neville Chamberlain declared war on Germany, Turing moved from the opulence of the Cambridge quadrangle to the Crown Inn at Shenley Brook End.</p><p>Each day he cycled 5 km from Shenley Brook End to Bletchley Park, where he spent part of his time in the huts contributing to the routine codebreaking effort, and part of his time in the Bletchley think tank, formerly Sir Herbert Leon’s apple, pear and plum store. The think tank was where the cryptanalysts brainstormed their way through new problems, or anticipated how to tackle problems that might arise in the future. Turing focused on what would happen if the German military changed their system of exchanging message keys. Bletchley’s early successes relied on Rejewski’s work, which exploited the fact that Enigma operators encrypted each message key twice (for example, if the message key was YGB, the operator would encipher YGBYGB). This repetition was supposed to ensure that the receiver did not make a mistake, but it created a chink in the security of Enigma.
British cryptanalysts guessed it would not be long before the Germans noticed that the repeated key was compromising the Enigma cipher, at which point the Enigma operators would be told to abandon the repetition, thus confounding Bletchley’s current codebreaking techniques. It was Turing’s job to find an alternative way to attack Enigma, one that did not rely on a repeated message key.</p><p>As the weeks passed, Turing realized that Bletchley was accumulating a vast library of decrypted messages, and he noticed that many of them conformed to a rigid structure. By studying old decrypted messages, he believed he could sometimes predict part of the contents of an undeciphered message, based on when it was sent and its source. For example, experience showed that the Germans sent a regular enciphered weather report shortly after 6 A.M. each day. So, an encrypted message intercepted at 6:05 A.M. would be almost certain to contain wetter, the German word for “weather.” The rigorous protocol used by any military organization meant that such messages were highly regimented in style, so Turing could even be confident about the location of wetter within the encrypted message. For example, experience might tell him that the first six letters of a particular ciphertext corresponded to the plaintext letters wetter. When a piece of plaintext can be associated with a piece of ciphertext, this combination is known as a crib.</p><p>Turing was sure that he could exploit the cribs to crack Enigma. If he had a ciphertext and he knew that a specific section of it, say ETJWPX, represented wetter, then the challenge was to identify the settings of the Enigma machine that would transform wetter into ETJWPX.
The straightforward, but impractical, way to do this would be for the cryptanalyst to take an Enigma machine, type in wetter and see if the correct ciphertext emerged. If not, then the cryptanalyst would change the settings of the machine, by swapping plugboard cables, and swapping or reorienting scramblers, and then type in wetter again. If the correct ciphertext did not emerge, the cryptanalyst would change the settings again, and again, and again, until he found the right one. The only problem with this trial and error approach was the fact that there were 159,000,000,000,000,000,000 possible settings to check, so finding the one that transformed wetter into ETJWPX was a seemingly impossible task.</p><p>To simplify the problem, Turing attempted to follow Rejewski’s strategy of disentangling the settings. He wanted to divorce the problem of finding the scrambler settings (finding which scrambler is in which slot, and what their respective orientations are) from the problem of finding the plugboard cablings. For example, if he could find something in the crib that had nothing to do with the plugboard cablings, then he could feasibly check each of the remaining 1,054,560 possible scrambler combinations (60 arrangements × 17,576 orientations). Having found the correct scrambler settings, he could then deduce the plugboard cablings.</p><p>Eventually, his mind settled on a particular type of crib which contained internal loops, similar to the chains exploited by Rejewski. Rejewski’s chains linked letters within the repeated message key. However, Turing’s loops had nothing to do with the message key, as he was working on the assumption that soon the Germans would stop sending repeated message keys. Instead, Turing’s loops connected plaintext and ciphertext letters within a crib.
For example, the crib shown in Figure 48 contains a loop.</p><p>Figure 48 One of Turing’s cribs, showing a loop.</p><p>Remember, cribs are only guesses, but if we assume that this crib is correct, we can link the letters w→E, e→T, t→W as part of a loop. Although we know none of the Enigma machine settings, we can label the first setting, whatever it is, S. In this first setting we know that w is encrypted as E. After this encryption, the first scrambler clicks around one place to setting S+1, and the letter e is enciphered as T. The scrambler clicks forward another place and encrypts a letter that is not part of the loop, so we ignore this encryption. The scrambler clicks forward one more place and, once again, we reach a letter that is part of the loop. In setting S+3, we know that the letter t is enciphered as W. In summary, we know that</p><p>In setting S, Enigma encrypts w as E.</p><p>In setting S+1, Enigma encrypts e as T.</p><p>In setting S+3, Enigma encrypts t as W.</p><p>So far the loop seems like nothing more than a curious pattern, but Turing rigorously followed the implications of the relationships within the loop, and saw that they provided him with the drastic shortcut he needed in order to break Enigma. Instead of working with just one Enigma machine to test every setting, Turing began to imagine three separate machines, each dealing with the encipherment of one element of the loop. The first machine would try to encipher w into E, the second would try to encipher e into T, and the third t into W. The three machines would all have identical settings, except that the second would have its scrambler orientations moved forward one place with respect to the first, a setting labeled S+1, and the third would have its scrambler orientations moved forward three places with respect to the first, a setting labeled S+3.
Turing then pictured a frenzied cryptanalyst, continually changing plugboard cables, swapping scrambler arrangements and changing their orientations in order to achieve the correct encryptions. Whatever cables were changed in the first machine would also be changed in the other two. Whatever scrambler arrangements were changed in the first machine would also be changed in the other two. And, crucially, whatever scrambler orientation was set in the first machine, the second would have the same orientation but stepped forward one place, and the third would have the same orientation but stepped forward three places.</p><p>Turing does not seem to have achieved much. The cryptanalyst still has to check all 159,000,000,000,000,000,000 possible settings, and, to make matters worse, he now has to do it simultaneously on all three machines instead of just one. However, the next stage of Turing’s idea transforms the challenge, and vastly simplifies it. He imagined connecting the three machines by running electrical wires between the inputs and the outputs of each machine, as shown in Figure 49. In effect, the loop in the crib is paralleled by the loop of the electrical circuit. Turing pictured the machines changing their plugboard and scrambler settings, as described above, but only when all the settings are correct for all three machines would the circuit be completed, allowing a current to flow through all three machines. If Turing incorporated a lightbulb within the circuit, then the current would illuminate it, signaling that the correct settings had been found. At this point, the three machines still have to check up to 159,000,000,000,000,000,000 possible settings in order to illuminate the bulb.
However, everything done so far has merely</p><p>been preparation for Turing’s final logical leap, which would make</p><p>the task over a hundred million million times easier in one fell</p><p>swoop.</p><p>Turing had constructed his electrical circuit in such a way as to</p><p>nullify the effect of the plugboard, thereby allowing him to ignore</p><p>the billions of plugboard settings. Figure 49 shows that the first</p><p>Enigma has the electric current entering the scramblers and</p><p>emerging at some unknown letter, which we shall call L1. The</p><p>current then flows through the plugboard, which transforms L1 into</p><p>E. This letter E is connected via a wire to the letter e in the second</p><p>Enigma, and as the current flows through the second plugboard it is</p><p>transformed back to L1. In other words, the two plugboards cancel</p><p>each other out. Similarly, the current emerging from the scramblers</p><p>in the second Enigma enters the plugboard at L2 before being</p><p>transformed into T. This letter T is connected via a wire to the letter</p><p>t in the third Enigma, and as the current flows through the third</p><p>plugboard it is transformed back to L2. In short, the plugboards</p><p>cancel themselves out throughout the whole circuit, so Turing could</p><p>ignore them completely.</p><p>Turing needed only to connect the output of the first set of</p><p>scramblers, L1, directly to the input of the second set of scramblers,</p><p>also L1, and so on. Unfortunately, he did not know the value of the</p><p>letter L1, so he had to connect all 26 outputs of the first set of</p><p>scramblers to all 26 corresponding inputs in the second set of</p><p>scramblers, and so on. In effect, there were now 26 electrical loops,</p><p>and each one would have a lightbulb to signal the completion of an</p><p>electrical circuit. 
The three sets</p><p>of scramblers could then simply</p><p>check each of the 17,576 orientations, with the second set of</p><p>scramblers always one step ahead of the first set, and the third set of</p><p>scramblers two steps ahead of the second set. Eventually, when the</p><p>correct scrambler orientations had been found, one of the circuits</p><p>would be completed and the bulb would be illuminated. If the</p><p>scramblers changed orientation every second, it would take just five</p><p>hours to check all the orientations.</p><p>Only two problems remained. First, it could be that the three</p><p>machines are running with the wrong scrambler arrangement,</p><p>because the Enigma machine operates with any three of the five</p><p>available scramblers, placed in any order, giving sixty possible</p><p>arrangements. Hence, if all 17,576 orientations have been checked,</p><p>and the lamp has not been illuminated, it is then necessary to try</p><p>another of the sixty scrambler arrangements, and to keep on trying</p><p>other arrangements until the circuit is completed. Alternatively, the</p><p>cryptanalyst could have sixty sets of three Enigmas running in</p><p>parallel.</p><p>The second problem involved finding the plugboard cablings,</p><p>once the scrambler arrangement and orientations had been</p><p>established. This is relatively simple. Using an Enigma machine with</p><p>the correct scrambler arrangement and orientations, the</p><p>cryptanalyst types in the ciphertext and looks at the emerging</p><p>plaintext. If the result is tewwer rather than wetter, then it is clear</p><p>that plugboard cables should be inserted so as to swap w and t.</p><p>Typing in other bits of ciphertext would reveal other plugboard</p><p>cablings.</p><p>The combination of crib, loops and electrically connected</p><p>machines resulted in a remarkable piece of cryptanalysis, and only</p><p>Turing, with his unique background in mathematical machines,</p><p>could ever have come up with it. 
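</p><p>The plugboard-free loop test described above can be run in software; the following Python is an added example, not code from the book. It assumes Enigma I scramblers I, II and III with reflector B, lets only the fast scrambler step, and constructs its own secret key so that WETTER produces the loop W→E, e→T, t→W; every function name is illustrative.</p>

```python
import string
from functools import lru_cache

A = string.ascii_uppercase
# Assumed hardware: Enigma I scramblers I, II, III (slow, middle, fast) and reflector B,
# with their published wirings. The text does not say which scramblers were fitted.
ROTORS = ["EKMFLGDQVZNTOWYHXUSPAIBRCJ",
          "AJDKSIRUXBLHWTMCQGZNPYFVOE",
          "BDFHJLCPRTXVZNYEIWGAKMUSQO"]
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"
# The loop from the text: (steps after setting S, plaintext letter, ciphertext letter).
LOOP = [(0, "W", "E"), (1, "E", "T"), (3, "T", "W")]


def shifted(table, off):
    """Wiring table of one scrambler as seen when it is turned `off` places."""
    return [(table[(x + off) % 26] - off) % 26 for x in range(26)]


FWD = [[shifted([A.index(c) for c in w], o) for o in range(26)] for w in ROTORS]
BWD = [[shifted([w.index(c) for c in A], o) for o in range(26)] for w in ROTORS]
REF = [A.index(c) for c in REFLECTOR]


@lru_cache(maxsize=None)
def scrambler(pos):
    """Substitution of scramblers plus reflector alone at pos = (slow, middle, fast)."""
    s_in, m_in, f_in = (FWD[i][p] for i, p in enumerate(pos))
    s_out, m_out, f_out = (BWD[i][p] for i, p in enumerate(pos))
    return tuple(f_out[m_out[s_out[REF[s_in[m_in[f_in[x]]]]]]] for x in range(26))


def step(pos, k):
    """Simplification: only the fast scrambler moves, one place per letter, no carry."""
    return (pos[0], pos[1], (pos[2] + k) % 26)


def encrypt(text, start, plug):
    """Model machine: plugboard, scramblers at S+i for the i-th letter, plugboard."""
    out = []
    for i, ch in enumerate(text):
        wire = scrambler(step(start, i))[A.index(plug.get(ch, ch))]
        out.append(plug.get(A[wire], A[wire]))
    return "".join(out)


def trace(pos, wire, loop=LOOP):
    """Wires reached after each chained scrambler set; closed circuit if last == first."""
    path = [wire]
    for k, _, _ in loop:
        path.append(scrambler(step(pos, k))[path[-1]])
    return path


def lamps(pos, loop=LOOP):
    """The wires (out of 26) whose lamp lights at this orientation."""
    return [w for w in range(26) if trace(pos, w, loop)[-1] == w]


def bombe_run(loop=LOOP):
    """Try all 17,576 orientations; a 'stop' is any orientation that lights a lamp."""
    stops = {}
    for n in range(26 ** 3):
        pos = (n // 676, n // 26 % 26, n % 26)
        lit = lamps(pos, loop)
        if lit:
            stops[pos] = [A[w] for w in lit]
    return stops


def make_plugboard(pairs):
    """Reciprocal plugboard from required (letter, partner) pairs; None if they conflict."""
    plug = {}
    for a, b in pairs:
        for u, v in ((a, b), (b, a)):
            if plug.setdefault(u, v) != v:
                return None
    return plug


def construct_key(loop=LOOP, first=5000):
    """Constructed demo key: an orientation and cables that make the machine emit the loop."""
    for n in range(first, 26 ** 3):
        pos = (n // 676, n // 26 % 26, n % 26)
        for w in lamps(pos, loop):
            wires = trace(pos, w, loop)
            plug = make_plugboard([(a, A[v]) for (_, a, _), v in zip(loop, wires)])
            if plug is not None:
                return pos, plug
    raise ValueError("no orientation reproduces the loop")


if __name__ == "__main__":
    key_pos, key_plug = construct_key()
    print("ciphertext of WETTER:", encrypt("WETTER", key_pos, key_plug))
    stops = bombe_run()          # uses only the loop and the wirings, never the plugboard
    print("stops:", len(stops), "of", 26 ** 3, "| true orientation found:", key_pos in stops)
```

<p>The search never reads the plugboard, yet the secret orientation is among its stops. With only this three-link loop, other orientations also light a lamp, so each stop still has to be checked against the rest of the crib.</p><p>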
His musings on the imaginary</p><p>Turing machines were intended to answer esoteric questions about</p><p>mathematical undecidability, but this purely academic research had</p><p>put him in the right frame of mind for designing a practical machine</p><p>capable of solving very real problems.</p><p>Bletchley was able to find £100,000 to turn Turing’s idea into</p><p>working devices, which were dubbed bombes because their</p><p>mechanical approach bore a passing resemblance to Rejewski’s</p><p>bombe. Each of Turing’s bombes was to consist of twelve sets of</p><p>electrically linked Enigma scramblers, and would thus be able to</p><p>cope with much longer loops of letters. The complete unit would be</p><p>about two meters tall, two meters long and a meter wide. Turing</p><p>finalized the design at the beginning of 1940, and the job of</p><p>construction was given to the British Tabulating Machinery factory</p><p>at Letchworth.</p><p>Figure 49 The loop in the crib can be paralleled by an electrical loop. Three Enigma</p><p>machines are set up in identical ways, except that the second one has its first scrambler</p><p>moved forward one place (setting S + 1), and the third has its scrambler moved forward</p><p>two further places (setting S + 3). The output of each Enigma is then connected to the</p><p>input of the next one. The three sets of scramblers then click around in unison until the</p><p>circuit is complete and the light illuminates. At this point the correct setting has been</p><p>found. In the diagram above, the circuit is complete, corresponding to the correct setting.</p><p>While waiting for the bombes to be delivered, Turing continued</p><p>his day-to-day work at Bletchley. News of his breakthrough soon</p><p>spread among the other senior cryptanalysts, who recognized that</p><p>he was a singularly gifted codebreaker. 
According to Peter Hilton, a</p><p>fellow Bletchley codebreaker, “Alan Turing was obviously a genius,</p><p>but he was an approachable, friendly genius. He was always willing</p><p>to take time and trouble to explain his ideas; but he was no narrow</p><p>specialist, so that his versatile thought ranged over a vast area of the</p><p>exact sciences.”</p><p>However, everything at the Government Code and Cypher School</p><p>was top secret, so nobody outside of Bletchley Park was aware of</p><p>Turing’s remarkable achievement. For example, his parents had</p><p>absolutely no idea that Alan was even a codebreaker, let alone</p><p>Britain’s foremost cryptanalyst. He had once told his mother that he</p><p>was involved in some form of military research, but he did not</p><p>elaborate. She was merely disappointed that this had not resulted in</p><p>a more respectable haircut for her scruffy son. Although Bletchley</p><p>was run by the military, they had conceded that they would have to</p><p>tolerate the scruffiness and eccentricities of these “professor types.”</p><p>Turing rarely bothered to shave, his nails were stuffed with dirt, and</p><p>his clothes were a mass of creases. Whether the military would also</p><p>have tolerated his homosexuality remains unknown. Jack Good, a</p><p>veteran of Bletchley, commented: “Fortunately the authorities did</p><p>not know that Turing was a homosexual. Otherwise we might have</p><p>lost the war.”</p><p>The first prototype bombe, christened Victory, arrived at Bletchley</p><p>on March 14, 1940. The machine was put into operation</p><p>immediately, but the initial results were less than satisfactory. The</p><p>machine turned out to be much slower than expected, taking up to a</p><p>week to find a particular key. There was a concerted effort to</p><p>increase the bombe’s efficiency, and a modified design was</p><p>submitted a few weeks later. It would take four more months to</p><p>build the upgraded bombe. 
In the meantime, the cryptanalysts had</p><p>to cope with the calamity they had anticipated. On May 1, 1940, the</p><p>Germans changed their key exchange protocol. They no longer</p><p>repeated the message key, and thereupon the number of successful</p><p>Enigma decipherments dropped dramatically. The information</p><p>blackout lasted until August 8, when the new bombe arrived.</p><p>Christened Agnus Dei, or Agnes for short, this machine was to fulfill</p><p>all Turing’s expectations.</p><p>Within eighteen months there were fifteen more bombes in</p><p>operation, exploiting cribs, checking scrambler settings and</p><p>revealing keys, each one clattering like a million knitting needles. If</p><p>everything was going well, a bombe might find an Enigma key</p><p>within an hour. Once the plugboard cablings and the scrambler</p><p>settings (the message key) had been established for a particular</p><p>message, it was easy to deduce the day key. All the other messages</p><p>sent that same day could then be deciphered.</p><p>Even though the bombes represented a vital breakthrough in</p><p>cryptanalysis, decipherment had not become a formality. There</p><p>were many hurdles to overcome before the bombes could even</p><p>begin to look for a key. For example, to operate a bombe you first</p><p>needed a crib. The senior codebreakers would give cribs to the</p><p>bombe operators, but there was no guarantee that the codebreakers</p><p>had guessed the correct meaning of the ciphertext. And even if they</p><p>did have the right crib, it might be in the wrong place—the</p><p>cryptanalysts might have guessed that an encrypted message</p><p>contained a certain phrase, but associated that phrase with the</p><p>wrong piece of the ciphertext. 
However, there was a neat trick for</p><p>checking whether a crib was in the correct position.</p><p>In the following crib, the cryptanalyst is confident that the</p><p>plaintext is right, but he is not sure if he has matched it with the</p><p>correct letters in the ciphertext.</p><p>One of the features of the Enigma machine was its inability to</p><p>encipher a letter as itself, which was a consequence of the reflector.</p><p>The letter a could never be enciphered as A, the letter b could never</p><p>be enciphered as B, and so on. The particular crib above must</p><p>therefore be misaligned, because the first e in wetter is matched</p><p>with an E in the ciphertext. To find the correct alignment, we simply</p><p>slide the plaintext and the ciphertext relative to each other until no</p><p>letter is paired with itself. If we shift the plaintext one place to the</p><p>left, the match still fails because this time the first s in sechs is</p><p>matched with S in the ciphertext. However, if we shift the plaintext</p><p>one place to the right there are no illegal encipherments. This crib is</p><p>therefore likely to be in the right place, and could be used as the</p><p>basis for a bombe decipherment:</p><p>The intelligence gathered at Bletchley was</p><p>passed on to only the</p><p>most senior military figures and selected members of the war</p><p>cabinet. Winston Churchill was fully aware of the importance of the</p><p>Bletchley decipherments, and on September 6, 1941, he visited the</p><p>codebreakers. On meeting some of the cryptanalysts, he was</p><p>surprised by the bizarre mixture of people who were providing him</p><p>with such valuable information; in addition to the mathematicians</p><p>and linguists, there was an authority on porcelain, a curator from</p><p>the Prague Museum, the British chess champion and numerous</p><p>bridge experts. 
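</p><p>The crib-positioning check described earlier (no letter may be laid against itself) is shown here as an added Python example, not code from the book. The crib and ciphertext are constructed sample data: the crib is an assumed guess containing the words wetter and sechs, and the ciphertext is built so that the cryptanalyst's first guess (offset 2) and the shift to the left (offset 1) fail while the shift to the right (offset 3) fits.</p>

```python
# Constructed sample data, not taken from the book.
CRIB = "WETTERNULLSECHS"
CIPHERTEXT = "WBDEHMQPAZVSGOXFTYSJ"


def clashes(crib, ciphertext, offset):
    """Crib positions whose letter equals the ciphertext letter it is laid against.
    Any clash rules the alignment out, because Enigma never enciphers a letter as itself."""
    window = ciphertext[offset:offset + len(crib)]
    return [(i, p) for i, (p, c) in enumerate(zip(crib, window)) if p == c]


def possible_offsets(crib, ciphertext):
    """Every offset at which the whole crib fits under the ciphertext with no clash."""
    crib, ciphertext = crib.upper(), ciphertext.upper()
    last = len(ciphertext) - len(crib)
    return [k for k in range(last + 1) if not clashes(crib, ciphertext, k)]


def chance_of_no_clash(length):
    """Probability that a wrong alignment passes anyway, if ciphertext letters are
    uniformly random: each of `length` positions avoids a clash with chance 25/26."""
    return (25 / 26) ** length


if __name__ == "__main__":
    for k in range(len(CIPHERTEXT) - len(CRIB) + 1):
        bad = clashes(CRIB, CIPHERTEXT, k)
        print(k, "ruled out by" if bad else "possible", bad or "")
    print("surviving offsets:", possible_offsets(CRIB, CIPHERTEXT))
    print("chance a wrong 15-letter alignment survives: %.2f" % chance_of_no_clash(len(CRIB)))
```

<p>More than one offset can survive, and a wrong alignment of a short crib passes this test by chance fairly often, which is why a surviving position is only likely, not certain, to be right.</p><p>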
Churchill muttered to Sir Stewart Menzies, head of</p><p>the Secret Intelligence Service, “I told you to leave no stone</p><p>unturned, but I didn’t expect you to take me so literally.” Despite</p><p>the comment, he had a great fondness for the motley crew, calling</p><p>them “the geese who laid golden eggs and never cackled.”</p><p>Figure 50 A bombe in action. (photo credit 4.5)</p><p>The visit was intended to boost the morale of the codebreakers by</p><p>showing them that their work was appreciated at the very highest</p><p>level. It also had the effect of giving Turing and his colleagues the</p><p>confidence to approach Churchill directly when a crisis loomed. To</p><p>make the most of the bombes, Turing needed more staff, but his</p><p>requests had been blocked by Commander Edward Travis, who had</p><p>taken over as Director of Bletchley, and who felt that he could not</p><p>justify recruiting more people. On October 21, 1941, the</p><p>cryptanalysts took the insubordinate step of ignoring Travis and</p><p>writing directly to Churchill.</p><p>Dear Prime Minister,</p><p>Some weeks ago you paid us the honor of a visit, and we believe that you regard our</p><p>work as important. You will have seen that, thanks largely to the energy and foresight</p><p>of Commander Travis, we have been well supplied with the “bombes” for the</p><p>breaking of the German Enigma codes. We think, however, that you ought to know</p><p>that this work is being held up, and in some cases is not being done at all, principally</p><p>because we cannot get sufficient staff to deal with it. Our reason for writing to you</p><p>direct is that for months we have done everything that we possibly can through the</p><p>normal channels, and that we despair of any early improvement without your</p><p>intervention …</p><p>We are, Sir, Your obedient servants,</p><p>A.M. Turing</p><p>W.G. Welchman</p><p>C.H.O’D. Alexander</p><p>P.S. Milner-Barry</p><p>Churchill had no hesitation in responding. 
He immediately issued a</p><p>memorandum to his principal staff officer:</p><p>ACTION THIS DAY</p><p>Make sure they have all they want on extreme priority and report to me that this has</p><p>been done.</p><p>Figure 51 The Daily Telegraph crossword used as a test to recruit new codebreakers (the</p><p>solution is in Appendix H). (photo credit 4.6)</p><p>Henceforth there were to be no more barriers to recruitment or</p><p>materials. By the end of 1942 there were 49 bombes, and a new</p><p>bombe station was opened at Gayhurst Manor, just north of</p><p>Bletchley. As part of the recruitment drive, the Government Code</p><p>and Cypher School placed a letter in the Daily Telegraph. They issued</p><p>an anonymous challenge to its readers, asking if anybody could</p><p>solve the newspaper’s crossword (Figure 51) in under 12 minutes. It</p><p>was felt that crossword experts might also be good codebreakers,</p><p>complementing the scientific minds that were already at Bletchley—</p><p>but of course, none of this was mentioned in the newspaper. The 25</p><p>readers who replied were invited to Fleet Street to take a crossword</p><p>test. Five of them completed the crossword within the allotted time,</p><p>and another had only one word missing when the 12 minutes had</p><p>expired. A few weeks later, all six were interviewed by military</p><p>intelligence and recruited as codebreakers at Bletchley Park.</p><p>Kidnapping Codebooks</p><p>So far in this chapter, the Enigma traffic has been treated as one</p><p>giant communications system, but in fact there were several distinct</p><p>networks. The German Army in North Africa, for instance, had its</p><p>own separate network, and their Enigma operators had codebooks</p><p>that were different from those used in Europe. 
Hence, if Bletchley</p><p>succeeded in identifying the North African day key, it would be able</p><p>to decipher all the German messages sent from North Africa that</p><p>day, but the North African day key would be of no use in cracking</p><p>the messages being transmitted in Europe. Similarly, the Luftwaffe</p><p>had its own communications network, and so in order to decipher</p><p>all Luftwaffe traffic, Bletchley would have to unravel the Luftwaffe</p><p>day key.</p><p>Some networks were harder to break into than others. The</p><p>Kriegsmarine network was the hardest of all, because the German</p><p>Navy operated a more sophisticated version of the Enigma machine.</p><p>For example, the Naval Enigma operators had a choice of eight</p><p>scramblers, not just five, which meant that there were almost six</p><p>times as many scrambler arrangements, and therefore almost six</p><p>times as many keys for Bletchley to check. The other difference in</p><p>the Naval Enigma concerned the reflector, which was responsible</p><p>for sending the electrical signal back through the scramblers. In the</p><p>standard Enigma the reflector was always fixed in one particular</p><p>orientation, but in the Naval Enigma the reflector could be fixed in</p><p>any one of 26 orientations. Hence the number of possible keys was</p><p>further increased by a factor of 26.</p><p>Cryptanalysis of the Naval Enigma was made even harder by the</p><p>Naval operators, who were careful not to send stereotypical</p><p>messages, thus depriving Bletchley of cribs. Furthermore, the</p><p>Kriegsmarine also instituted a more secure system for selecting and</p><p>transmitting message keys. 
Extra scramblers, a variable reflector,</p><p>nonstereotypical messages and a new system for exchanging</p><p>message keys all contributed to making German Naval</p><p>communications impenetrable.</p><p>Bletchley’s failure to crack the Naval Enigma meant that the</p><p>Kriegsmarine were steadily gaining the upper hand in the Battle of</p><p>the Atlantic. Admiral Karl Dönitz had developed a highly effective</p><p>two-stage strategy for naval warfare, which began with his U-boats</p><p>spreading out and scouring the Atlantic in search of Allied convoys.</p><p>As soon as one of them spotted a target, it would initiate the next</p><p>stage of the strategy by calling the other U-boats to the scene. The</p><p>attack would commence only when a large pack of U-boats had</p><p>been assembled. For this strategy of coordinated attack to succeed,</p><p>it was essential that the Kriegsmarine had access to secure</p><p>communication. The Naval Enigma provided such communication,</p><p>and the U-boat attacks had a devastating impact on the Allied</p><p>shipping that was supplying Britain with much-needed food and</p><p>armaments.</p><p>As long as U-boat communications remained secure, the Allies</p><p>had no idea of the locations of the U-boats, and could not plan safe</p><p>routes for the convoys. It seemed as if the Admiralty’s only strategy</p><p>for pinpointing the location of U-boats was by looking at the sites of</p><p>sunken British ships. Between June 1940 and June 1941 the Allies</p><p>lost an average of 50 ships each month, and they were in danger of</p><p>not being able to build new ships quickly enough to replace them.</p><p>Besides the intolerable destruction of ships, there was also a terrible</p><p>human cost: 50,000 Allied seamen died during the war. 
Unless these</p><p>losses could be drastically reduced, Britain was in danger of losing</p><p>the Battle of the Atlantic, which would have meant losing the war.</p><p>Churchill would later write, “Amid the torrent of violent events one</p><p>anxiety reigned supreme. Battles might be won or lost, enterprises</p><p>might succeed or miscarry, territories might be gained or quitted,</p><p>but dominating all our power to carry on war, or even keep</p><p>ourselves alive, lay our mastery of the ocean routes and the free</p><p>approach and entry to our ports.”</p><p>The Polish experience and the case of Hans-Thilo Schmidt had</p><p>taught Bletchley Park that if intellectual endeavor fails to break a</p><p>cipher, then it is necessary to rely on espionage, infiltration and</p><p>theft in order to obtain the enemy keys. Occasionally, Bletchley</p><p>would make a breakthrough against the Naval Enigma, thanks to a</p><p>clever ploy by the RAF. British planes would lay mines in a</p><p>particular location,</p><p>provoking German vessels to send out warnings</p><p>to other craft. These Enigma encrypted warnings would inevitably</p><p>contain a map reference, but crucially this map reference would</p><p>already be known by the British, so it could be used as a crib. In</p><p>other words, Bletchley knew that a particular piece of ciphertext</p><p>represented a particular set of coordinates. Sowing mines to obtain</p><p>cribs, known as “gardening,” required the RAF to fly special</p><p>missions, so this could not be done on a regular basis. Bletchley had</p><p>to find another way of breaking the Naval Enigma.</p><p>An alternative strategy for cracking the Naval Enigma depended</p><p>on stealing keys. One of the most intrepid plans for stealing keys</p><p>was concocted by Ian Fleming, creator of James Bond and a member</p><p>of Naval Intelligence during the war. He suggested crashing a</p><p>captured German bomber in the English Channel, close to a German</p><p>ship. 
The German sailors would then approach the plane to rescue</p><p>their comrades, whereupon the aircrew, British pilots pretending to</p><p>be German, would board the ship and capture its codebooks. These</p><p>German codebooks contained the information that was required for</p><p>establishing the encryption key, and because ships were often away</p><p>from base for long periods, the codebooks would be valid for at least</p><p>a month. By capturing such codebooks, Bletchley would be able to</p><p>decipher the Naval Enigma for an entire month.</p><p>After approving Fleming’s plan, known as Operation Ruthless,</p><p>British Intelligence began preparing a Heinkel bomber for the crash</p><p>landing, and assembled an aircrew of German-speaking Englishmen.</p><p>The plan was scheduled for a date early in the month, so as to</p><p>capture a fresh codebook. Fleming went to Dover to oversee the</p><p>operation, but unfortunately there was no German shipping in the</p><p>area so the plan was postponed indefinitely. Four days later, Frank</p><p>Birch, who headed the Naval section at Bletchley, recorded the</p><p>reaction of Turing and his colleague Peter Twinn: “Turing and</p><p>Twinn came to me like undertakers cheated of a nice corpse two</p><p>days ago, all in a stew about the cancelation of Operation Ruthless.”</p><p>In due course Operation Ruthless was canceled, but German Naval</p><p>codebooks were eventually captured during a spate of daring raids</p><p>on weather ships and U-boats. These so-called “pinches” gave</p><p>Bletchley the documents it needed to bring an end to the</p><p>intelligence blackout. With the Naval Enigma transparent, Bletchley</p><p>could pinpoint the location of U-boats, and the Battle of the Atlantic</p><p>began to swing in favor of the Allies. 
Convoys could be steered clear</p><p>of U-boats, and British destroyers could even begin to go on the</p><p>offensive, seeking out and sinking U-boats.</p><p>It was vital that the German High Command never suspected that</p><p>the Allies had pinched Enigma codebooks. If the Germans found that</p><p>their security had been compromised, they would upgrade their</p><p>Enigma machines, and Bletchley would be back to square one. As</p><p>with the Zimmermann telegram episode, the British took various</p><p>precautions to avoid arousing suspicion, such as sinking a German</p><p>vessel after pinching its codebooks. This would persuade Admiral</p><p>Dönitz that the cipher material had found its way to the bottom of</p><p>the sea, and not fallen into British hands.</p><p>Once material had been secretly captured, further precautions had</p><p>to be taken before exploiting the resulting intelligence. For example,</p><p>the Enigma decipherments gave the locations of numerous U-boats,</p><p>but it would have been unwise to have attacked every single one of</p><p>them, because a sudden unexplained increase in British success</p><p>would warn Germany that its communications were being</p><p>deciphered. Consequently, the Allies would allow some U-boats to</p><p>escape, and would attack others only when a spotter plane had been</p><p>sent out first, thus justifying the approach of a destroyer some hours</p><p>later. Alternatively, the Allies might send fake messages describing</p><p>sightings of U-boats, which likewise provided sufficient explanation</p><p>for the ensuing attack.</p><p>Despite this policy of minimizing telltale signs that Enigma had</p><p>been broken, British actions did sometimes raise concerns among</p><p>Germany’s security experts. On one occasion, Bletchley deciphered</p><p>an Enigma message giving the exact location of a group of German</p><p>tankers and supply ships, nine in total. 
The Admiralty decided not to</p><p>sink all of the ships in case a clean sweep of targets aroused German</p><p>suspicions. Instead, they informed destroyers of the exact location of</p><p>just seven of the ships, which should have allowed the Gedania and</p><p>the Gonzenheim to escape unharmed. The seven targeted ships were</p><p>indeed sunk, but Royal Navy destroyers accidentally encountered</p><p>the two ships that were supposed to be spared, and also sank them.</p><p>The destroyers did not know about Enigma or the policy of not</p><p>arousing suspicion—they merely believed they were doing their</p><p>duty. Back in Berlin, Admiral Kurt Fricke instigated an investigation</p><p>into this and other similar attacks, exploring the possibility that the</p><p>British had broken Enigma. The report concluded that the numerous</p><p>losses were either the result of natural misfortune, or caused by a</p><p>British spy who had infiltrated the Kriegsmarine. The breaking of</p><p>Enigma was considered impossible and inconceivable.</p><p>The Anonymous Cryptanalysts</p><p>As well as breaking the German Enigma cipher, Bletchley Park also</p><p>succeeded in deciphering Italian and Japanese messages. The</p><p>intelligence that emerged from these three sources was given the</p><p>codename Ultra, and the Ultra Intelligence files were responsible for</p><p>giving the Allies a clear advantage in all the major arenas of</p><p>conflict. In North Africa, Ultra helped to destroy German supply</p><p>lines and informed the Allies of the status of General Rommel’s</p><p>forces, enabling the Eighth Army to fight back against the German</p><p>advances. Ultra also warned of the German invasion of Greece,</p><p>which allowed British troops to retreat without heavy losses. In fact,</p><p>Ultra provided accurate reports on the enemy’s situation throughout</p><p>the entire Mediterranean. 
This information was particularly valuable</p><p>when the Allies landed in Italy and Sicily in 1943.</p><p>In 1944, Ultra played a major role in the Allied invasion of</p><p>Europe. For example, in the months prior to D-Day, the Bletchley</p><p>decipherments provided a detailed picture of the German troop</p><p>concentrations along the French coast. Sir Harry Hinsley, official</p><p>historian of British Intelligence during the war, wrote:</p><p>As Ultra accumulated, it administered some unpleasant shocks. In particular, it</p><p>revealed in the second half of May—following earlier disturbing indications that the</p><p>Germans were concluding that the area between Le Havre and Cherbourg was a</p><p>likely, and perhaps even the main, invasion area—that they were sending</p><p>reinforcements to Normandy and the Cherbourg peninsula. But this evidence arrived</p><p>in time to enable the Allies to modify the plans for the landings on and behind the</p><p>Utah beach; and it is a singular fact that before the expedition sailed the Allied</p><p>estimate of the number, identification, and location of the enemy’s divisions in the</p><p>west, fifty-eight in all, was accurate in all but two items that were to be of operational</p><p>importance.</p><p>Throughout the war, the Bletchley codebreakers knew that their</p><p>decipherments were vital, and Churchill’s visit to Bletchley had</p><p>reinforced this point. But the cryptanalysts were never given any</p><p>operational details or told how their decipherments were being</p><p>used. For example, the codebreakers were given no information</p><p>about the date for D-Day, and they arranged a dance for the evening</p><p>before the landings. This worried Commander Travis, the Director of</p><p>Bletchley and the only person on site who was privy to the plans for</p><p>D-Day. 
He could not tell the Hut 6 Dance Committee to cancel the</p><p>event because this would have been a clear hint that a major</p><p>offensive was in the offing, and as such a breach of security. The</p><p>dance was allowed to go ahead. As it happened, bad weather</p><p>postponed the landings for twenty-four hours, so the codebreakers</p><p>had time to recover from the frivolities.</p><p>On the day of the landings,</p><p>the French resistance destroyed landlines, forcing the Germans to</p><p>communicate solely by radio, which in turn gave Bletchley the</p><p>opportunity to intercept and decipher even more messages. At the</p><p>turning point of the war, Bletchley was able to provide an even</p><p>more detailed picture of German military operations.</p><p>Stuart Milner-Barry, one of the Hut 6 cryptanalysts, wrote: “I do</p><p>not imagine that any war since classical times, if ever, has been</p><p>fought in which one side read consistently the main military and</p><p>naval intelligence of the other.” An American report came to a</p><p>similar conclusion: “Ultra created in senior staffs and at the political</p><p>summit a state of mind which transformed the taking of decisions.</p><p>To feel that you know your enemy is a vastly comforting feeling. It</p><p>grows imperceptibly over time if you regularly and intimately</p><p>observe his thoughts and ways and habits and actions. Knowledge of</p><p>this kind makes your own planning less tentative and more assured,</p><p>less harrowing and more buoyant.”</p><p>It has been argued, albeit controversially, that Bletchley Park’s</p><p>achievements were the decisive factor in the Allied victory. What is</p><p>certain is that the Bletchley codebreakers significantly shortened the</p><p>war. This becomes evident by rerunning the Battle of the Atlantic</p><p>and speculating what might have happened without the benefit of</p><p>Ultra intelligence. 
To begin with, more ships and supplies would</p><p>certainly have been lost to the dominant U-boat fleet, which would</p><p>have compromised the vital link to America and forced the Allies to</p><p>divert manpower and resources into the building of new ships.</p><p>Historians have estimated that this would have delayed Allied plans</p><p>by several months, which would have meant postponing the D-Day</p><p>invasion until at least the following year. According to Sir Harry</p><p>Hinsley, “the war, instead of finishing in 1945, would have ended in</p><p>1948 had the Government Code and Cypher School not been able to</p><p>read the Enigma cyphers and produce the Ultra intelligence.”</p><p>During this period of delay, additional lives would have been lost</p><p>in Europe, and Hitler would have been able to make greater use of</p><p>his V-weapons, inflicting damage throughout southern England. The</p><p>historian David Kahn summarizes the impact of breaking Enigma:</p><p>“It saved lives. Not only Allied and Russian lives but, by shortening</p><p>the war, German, Italian, and Japanese lives as well. Some people</p><p>alive after World War II might not have been but for these solutions.</p><p>That is the debt that the world owes to the codebreakers; that is the</p><p>crowning human value of their triumphs.”</p><p>After the war, Bletchley’s accomplishments remained a closely</p><p>guarded secret. Having successfully deciphered messages during the</p><p>war, Britain wanted to continue its intelligence operations, and was</p><p>reluctant to divulge its capabilities. In fact, Britain had captured</p><p>thousands of Enigma machines, and distributed them among its</p><p>former colonies, who believed that the cipher was as secure as it</p><p>had seemed to the Germans. 
The British did nothing to disabuse</p><p>them of this belief, and routinely deciphered their secret</p><p>communications in the years that followed.</p><p>Meanwhile, the Government Code and Cypher School at Bletchley</p><p>Park was closed and the thousands of men and women who had</p><p>contributed to the creation of Ultra were disbanded. The bombes</p><p>were dismantled, and every scrap of paper that related to the</p><p>wartime decipherments was either locked away or burned. Britain’s</p><p>codebreaking activities were officially transferred to the newly</p><p>formed Government Communications Headquarters (GCHQ) in</p><p>London, which was moved to Cheltenham in 1952. Although some</p><p>of the cryptanalysts moved to GCHQ, most of them returned to their</p><p>civilian lives, sworn to secrecy, unable to reveal their pivotal role in</p><p>the Allied war effort. While those who had fought conventional</p><p>battles could talk of their heroic achievements, those who had</p><p>fought intellectual battles of no less significance had to endure the</p><p>embarrassment of having to evade questions about their wartime</p><p>activities. Gordon Welchman recounted how one of the young</p><p>cryptanalysts working with him in Hut 6 had received a scathing</p><p>letter from his old headmaster, accusing him of being a disgrace to</p><p>his school for not being at the front. Derek Taunt, who also worked</p><p>in Hut 6, summed up the true contribution of his colleagues: “Our</p><p>happy band may not have been with King Harry on St. Crispin’s</p><p>Day, but we had certainly not been abed and have no reason to</p><p>think ourselves accurs’t for having been where we were.”</p><p>After three decades of silence, the secrecy over Bletchley Park</p><p>eventually came to an end in the early 1970s. 
Captain F.W.</p><p>Winterbotham, who had been responsible for distributing the Ultra</p><p>intelligence, began to badger the British Government, arguing that</p><p>the Commonwealth countries had stopped using the Enigma cipher</p><p>and that there was now nothing to be gained by concealing the fact</p><p>that Britain had broken it. The intelligence services reluctantly</p><p>agreed, and permitted him to write a book about the work done at</p><p>Bletchley Park. Published in the summer of 1974, Winterbotham’s</p><p>book The Ultra Secret was the signal that Bletchley personnel were at</p><p>last free to discuss their wartime activities. Gordon Welchman felt</p><p>enormous relief: “After the war I still avoided discussions of wartime</p><p>events for fear that I might reveal information obtained from Ultra</p><p>rather than from some published account … I felt that this turn of</p><p>events released me from my wartime pledge of secrecy.”</p><p>Those who had contributed so much to the war effort could now</p><p>receive the recognition they deserved. Possibly the most remarkable</p><p>consequence of Winterbotham’s revelations was that Rejewski</p><p>realized the staggering consequences of his prewar breakthroughs</p><p>against Enigma. After the invasion of Poland, Rejewski had escaped</p><p>to France, and when France was overrun he fled to Britain. It would</p><p>seem natural that he should have become part of the British Enigma</p><p>effort, but instead he was relegated to tackling menial ciphers at a</p><p>minor intelligence unit in Boxmoor, near Hemel Hempstead. It is not</p><p>clear why such a brilliant mind was excluded from Bletchley Park,</p><p>but as a result he was completely unaware of the activities of the</p><p>Government Code and Cypher School.
Until the publication of</p><p>Winterbotham’s book, Rejewski had no idea that his ideas had</p><p>provided the foundation for the routine decipherment of Enigma</p><p>throughout the war.</p><p>For some, the publication of Winterbotham’s book came too late.</p><p>Many years after the death of Alastair Denniston, Bletchley’s first</p><p>director, his daughter received a letter from one of his colleagues:</p><p>“Your father was a great man in whose debt all English-speaking</p><p>people will remain for a very long time, if not forever. That so few</p><p>should know exactly what he did is the sad part.”</p><p>Alan Turing was another cryptanalyst who did not live long</p><p>enough to receive any public recognition. Instead of being</p><p>acclaimed a hero, he was persecuted for his homosexuality. In 1952,</p><p>while reporting a burglary to the police, he naively revealed that he</p><p>was having a homosexual relationship. The police felt they had no</p><p>option but to arrest and charge him with “Gross Indecency contrary</p><p>to Section 11 of the Criminal Law Amendment Act 1885.” The</p><p>newspapers reported the subsequent trial and conviction, and</p><p>Turing was publicly humiliated.</p><p>Turing’s secret had been exposed, and his sexuality was now</p><p>public knowledge. The British Government withdrew his security</p><p>clearance. He was forbidden to work on research projects relating to</p><p>the development of the computer. He was forced to consult a</p><p>psychiatrist and had to undergo hormone treatment, which made</p><p>him impotent and obese. Over the next two years he became</p><p>severely depressed, and on June 7, 1954, he went to his bedroom,</p><p>carrying with him a jar of cyanide solution and an apple. Twenty</p><p>years earlier he had chanted the rhyme of the Wicked Witch: “Dip</p><p>the apple in the brew, Let the sleeping death seep through.” Now he</p><p>was ready</p><p>to obey her incantation.
He dipped the apple in the</p><p>cyanide and took several bites. At the age of just forty-two, one of</p><p>the true geniuses of cryptanalysis committed suicide.</p><p>5 The Language Barrier</p><p>While British codebreakers were breaking the German Enigma</p><p>cipher and altering the course of the war in Europe, American</p><p>codebreakers were having an equally important influence on events</p><p>in the Pacific arena by cracking the Japanese machine cipher known</p><p>as Purple. For example, in June 1942 the Americans deciphered a</p><p>message outlining a Japanese plan to draw U.S. Naval forces to the</p><p>Aleutian Islands by faking an attack, which would allow the</p><p>Japanese Navy to take their real objective, Midway Island. Although</p><p>American ships played along with the plan by leaving Midway, they</p><p>never strayed far away. When American cryptanalysts intercepted</p><p>and deciphered the Japanese order to attack Midway, the ships were</p><p>able to return swiftly and defend the island in one of the most</p><p>important battles of the entire Pacific war. According to Admiral</p><p>Chester Nimitz, the American victory at Midway “was essentially a</p><p>victory of intelligence. In attempting surprise, the Japanese were</p><p>themselves surprised.”</p><p>Almost a year later, American cryptanalysts identified a message</p><p>that showed the itinerary for a visit to the northern Solomon Islands</p><p>by Admiral Isoroku Yamamoto, Commander-in-Chief of the</p><p>Japanese Fleet. Nimitz decided to send fighter aircraft to intercept</p><p>Yamamoto’s plane and shoot him down. Yamamoto, renowned for</p><p>being compulsively punctual, approached his destination at exactly</p><p>8:00 A.M., just as stated in the intercepted schedule. There to meet</p><p>him were eighteen American P-38 fighters.
They succeeded in</p><p>killing one of the most influential figures of the Japanese High</p><p>Command.</p><p>Although Purple and Enigma, the Japanese and German ciphers,</p><p>were eventually broken, they did offer some security when they</p><p>were initially implemented and provided real challenges for</p><p>American and British cryptanalysts. In fact, had the cipher machines</p><p>been used properly—without repeated message keys, without cillies,</p><p>without restrictions on plugboard settings and scrambler</p><p>arrangements, and without stereotypical messages which resulted in</p><p>cribs—it is quite possible that they might never have been broken at</p><p>all.</p><p>The true strength and potential of machine ciphers was</p><p>demonstrated by the Typex (or Type X) cipher machine used by the</p><p>British army and air force, and the SIGABA (or M-143-C) cipher</p><p>machine used by the American military. Both these machines were</p><p>more complex than the Enigma machine and both were used</p><p>properly, and therefore they remained unbroken throughout the</p><p>war. Allied cryptographers were confident that complicated</p><p>electromechanical machine ciphers could guarantee secure</p><p>communication. However, complicated machine ciphers are not the</p><p>only way of sending secure messages. Indeed, one of the most secure</p><p>forms of encryption used in the Second World War was also one of</p><p>the simplest.</p><p>During the Pacific campaign, American commanders began to</p><p>realize that cipher machines, such as SIGABA, had a fundamental</p><p>drawback. Although electromechanical encryption offered relatively</p><p>high levels of security, it was painfully slow. Messages had to be</p><p>typed into the machine letter by letter, the output had to be noted</p><p>down letter by letter, and then the completed ciphertext had to be</p><p>transmitted by the radio operator.
The radio operator who received</p><p>the enciphered message then had to pass it on to a cipher expert,</p><p>who would carefully select the correct key, and type the ciphertext</p><p>into a cipher machine, to decipher it letter by letter. The time and</p><p>space required for this delicate operation is available at</p><p>headquarters or onboard a ship, but machine encryption was not</p><p>ideally suited to more hostile and intense environments, such as the</p><p>islands of the Pacific. One war correspondent described the</p><p>difficulties of communication during the heat of jungle battle:</p><p>“When the fighting became confined to a small area, everything had</p><p>to move on a split-second schedule. There was not time for</p><p>enciphering and deciphering. At such times, the King’s English</p><p>became a last resort—the profaner the better.” Unfortunately for the</p><p>Americans, many Japanese soldiers had attended American colleges</p><p>and were fluent in English, including the profanities. Valuable</p><p>information about American strategy and tactics was falling into the</p><p>hands of the enemy.</p><p>One of the first to react to this problem was Philip Johnston, an</p><p>engineer based in Los Angeles, who was too old to fight but still</p><p>wanted to contribute to the war effort. At the beginning of 1942 he</p><p>began to formulate an encryption system inspired by his childhood</p><p>experiences. The son of a Protestant missionary, Johnston had</p><p>grown up on the Navajo reservations of Arizona, and as a result he</p><p>had become fully immersed in Navajo culture. He was one of the</p><p>few people outside the tribe who could speak their language</p><p>fluently, which allowed him to act as an interpreter for discussions</p><p>between the Navajo and government agents.
His work in this</p><p>capacity culminated in a visit to the White House, when, as a nine-</p><p>year-old, Johnston translated for two Navajos who were appealing</p><p>to President Theodore Roosevelt for fairer treatment for their</p><p>community. Fully aware of how impenetrable the language was for</p><p>those outside the tribe, Johnston was struck by the notion that</p><p>Navajo, or any other Native American language, could act as a</p><p>virtually unbreakable code. If each battalion in the Pacific employed</p><p>a pair of Native Americans as radio operators, secure</p><p>communication could be guaranteed.</p><p>He took his idea to Lieutenant Colonel James E. Jones, the area</p><p>signal officer at Camp Elliott, just outside San Diego. Merely by</p><p>throwing a few Navajo phrases at the bewildered officer, Johnston</p><p>was able to persuade him that the idea was worthy of serious</p><p>consideration. A fortnight later he returned with two Navajos, ready</p><p>to conduct a test demonstration in front of senior marine officers.</p><p>The Navajos were isolated from each other, and one was given six</p><p>typical messages in English, which he translated into Navajo and</p><p>transmitted to his colleague via a radio. The Navajo receiver</p><p>translated the messages back into English, wrote them down, and</p><p>handed them over to the officers, who compared them with the</p><p>originals. The game of Navajo whispers proved to be flawless, and</p><p>the marine officers authorized a pilot project and ordered</p><p>recruitment to begin immediately.</p><p>Before recruiting anybody, however, Lieutenant Colonel Jones</p><p>and Philip Johnston had to decide whether to conduct the pilot</p><p>study with the Navajo, or select another tribe. Johnston had used</p><p>Navajo men for his original demonstration because he had personal</p><p>connections with the tribe, but this did not necessarily make them</p><p>the ideal choice.
The most important selection criterion was simply</p><p>a question of numbers: the marines needed to find a tribe capable of</p><p>supplying a large number of men who were fluent in English and</p><p>literate. The lack of government investment meant that the literacy</p><p>rate was very low on most of the reservations, and attention was</p><p>therefore focused on the four largest tribes: the Navajo, the Sioux,</p><p>the Chippewa and the Pima-Papago.</p><p>The Navajo was the largest tribe, but also the least literate, while</p><p>the Pima-Papago was the most literate but much fewer in number.</p><p>There was little to choose between the four tribes, and ultimately</p><p>the decision rested on another critical factor. According to the</p><p>official report on Johnston’s idea:</p><p>The Navajo is the only tribe in the United States that has not been infested with</p><p>German students during the past twenty years. These Germans, studying the various</p><p>tribal dialects under the guise of art students, anthropologists, etc., have undoubtedly</p><p>attained a good working knowledge of all tribal dialects except Navajo. For this</p><p>reason the Navajo is the only tribe available offering complete security for the type of</p><p>work under consideration. It should also be noted that the Navajo tribal dialect</p><p>is</p><p>completely unintelligible to all other tribes and all other people, with the possible</p><p>exception of as many as 28 Americans who have made a study of the dialect. This</p><p>dialect is equivalent to a secret code to the enemy, and admirably suited for rapid,</p><p>secure communication.</p><p>At the time of America’s entry into the Second World War, the</p><p>Navajo were living in harsh conditions and being treated as inferior</p><p>people.
Yet their tribal council supported the war effort and</p><p>declared their loyalty: “There exists no purer concentration of</p><p>Americanism than among the First Americans.” The Navajos were so</p><p>eager to fight that some of them lied about their age, or gorged</p><p>themselves on bunches of bananas and swallowed great quantities of</p><p>water in order to reach the minimum weight requirement of 55 kg.</p><p>Similarly, there was no difficulty in finding suitable candidates to</p><p>serve as Navajo code talkers, as they were to become known. Within</p><p>four months of the bombing of Pearl Harbor, 29 Navajos, some as</p><p>young as fifteen, began an eight-week communications course with</p><p>the Marine Corps.</p><p>Before training could begin, the Marine Corps had to overcome a</p><p>problem that had plagued the only other code to have been based</p><p>on a Native American language. In Northern France during the First</p><p>World War, Captain E.W. Horner of Company D, 141st Infantry,</p><p>ordered that eight men from the Choctaw tribe be employed as</p><p>radio operators. Obviously none of the enemy understood their</p><p>language, so the Choctaw provided secure communications.</p><p>However, this encryption system was fundamentally flawed because</p><p>the Choctaw language had no equivalent for modern military</p><p>jargon. A specific technical term in a message might therefore have</p><p>to be translated into a vague Choctaw expression, with the risk that</p><p>this could be misinterpreted by the receiver.</p><p>The same problem would have arisen with the Navajo language,</p><p>but the Marine Corps planned to construct a lexicon of Navajo terms</p><p>to replace otherwise untranslatable English words, thus removing</p><p>any ambiguities. The trainees helped to compile the lexicon, tending</p><p>to choose words describing the natural world to indicate specific</p><p>military terms. Thus, the names of birds were used for planes, and</p><p>fish for ships (Table 11).
Commanding officers became “war chiefs,”</p><p>platoons were “mud-clans,” fortifications turned into “cave</p><p>dwellings” and mortars were known as “guns that squat.”</p><p>Even though the complete lexicon contained 274 words, there was</p><p>still the problem of translating less predictable words and the names</p><p>of people and places. The solution was to devise an encoded</p><p>phonetic alphabet for spelling out difficult words. For example, the</p><p>word “Pacific” would be spelled out as “pig, ant, cat, ice, fox, ice,</p><p>cat,” which would then be translated into Navajo as bi-sodih, wol-la-</p><p>chee, moasi, tkin, ma-e, tkin, moasi. The complete Navajo alphabet</p><p>is given in Table 12. Within eight weeks, the trainee code talkers</p><p>had learned the entire lexicon and alphabet, thus obviating the need</p><p>for codebooks which might fall into enemy hands. For the Navajos,</p><p>committing everything to memory was trivial because traditionally</p><p>their language had no written script, so they were used to</p><p>memorizing their folk stories and family histories. As William</p><p>McCabe, one of the trainees, said, “In Navajo everything is in the</p><p>memory—songs, prayers, everything. That’s the way we were</p><p>raised.”</p><p>Table 11 Navajo codewords for planes and ships.</p><p>At the end of their training, the Navajos were put to the test.</p><p>Senders translated a series of messages from English into Navajo,</p><p>transmitted them, and then receivers translated the messages back</p><p>into English, using the memorized lexicon and alphabet when</p><p>necessary. The results were word-perfect. To check the strength of</p><p>the system, a recording of the transmissions was given to Navy</p><p>Intelligence, the unit that had cracked Purple, the toughest Japanese</p><p>cipher. After three weeks of intense cryptanalysis, the Naval</p><p>codebreakers were still baffled by the messages.
They called the</p><p>Navajo language a “weird succession of guttural, nasal, tongue-</p><p>twisting sounds … we couldn’t even transcribe it, much less crack</p><p>it.” The Navajo code was judged a success. Two Navajo soldiers,</p><p>John Benally and Johnny Manuelito, were asked to stay and train</p><p>the next batch of recruits, while the other 27 Navajo code talkers</p><p>were assigned to four regiments and sent to the Pacific.</p><p>Table 12 The Navajo alphabet code.</p><p>Japanese forces had attacked Pearl Harbor on December 7, 1941,</p><p>and not long after they dominated large parts of the western Pacific.</p><p>Japanese troops overran the American garrison on Guam on</p><p>December 10, they took Guadalcanal, one of the islands in the</p><p>Solomon chain, on December 13, Hong Kong capitulated on</p><p>December 25, and U.S. troops on the Philippines surrendered on</p><p>January 2, 1942. The Japanese planned to consolidate their control</p><p>of the Pacific the following summer by building an airfield on</p><p>Guadalcanal, creating a base for bombers which would enable them</p><p>to destroy Allied supply lines, thus making any Allied counterattack</p><p>almost impossible. Admiral Ernest King, Chief of American Naval</p><p>Operations, urged an attack on the island before the airfield was</p><p>completed, and on August 7, the 1st Marine Division spearheaded</p><p>an invasion of Guadalcanal. The initial landing parties included the</p><p>first group of code talkers to see action.</p><p>Although the Navajos were confident that their skills would be a</p><p>blessing to the marines, their first attempts generated only</p><p>confusion. Many of the regular signal operators were unaware of</p><p>this new code, and they sent panic messages all over the island,</p><p>stating that the Japanese were broadcasting on American</p><p>frequencies.
The colonel in charge immediately halted Navajo</p><p>communications until he could convince himself that the system was</p><p>worth pursuing. One of the code talkers recalled how the Navajo</p><p>code was eventually brought back into service:</p><p>Figure 52 The first 29 Navajo code talkers pose for a traditional graduation</p><p>photograph. (photo credit 5.1)</p><p>The colonel had an idea. He said he would keep us on one condition: that I could</p><p>outrace his “white code”—a mechanical ticking cylinder thing. We both sent</p><p>messages, by white cylinder and by my voice. Both of us received answers and the</p><p>race was to see who could decode his answer first. I was asked, “How long will it take</p><p>you? Two hours?” “More like two minutes,” I answered. The other guy was still</p><p>decoding when I got the roger on my return message in about four and a half</p><p>minutes. I said, “Colonel, when are you going to give up on that cylinder thing?” He</p><p>didn’t say anything. He just lit up his pipe and walked away.</p><p>The code talkers soon proved their worth on the battlefield.</p><p>During one episode on the island of Saipan, a battalion of marines</p><p>took over positions previously held by Japanese soldiers, who had</p><p>retreated. Suddenly a salvo exploded nearby. They were under</p><p>friendly fire from fellow Americans who were unaware of their</p><p>advance. The marines radioed back in English explaining their</p><p>position, but the salvos continued because the attacking American</p><p>troops suspected that the messages were from Japanese</p><p>impersonators trying to fool them. It was only when a Navajo</p><p>message was sent that the attackers saw their mistake and halted</p><p>the assault. A Navajo message could never be faked, and could</p><p>always be trusted.</p><p>The reputation of the code talkers soon spread, and by the end of</p><p>1942 there was a request for 83 more men.
The Navajo were to</p><p>serve in all six Marine Corps divisions, and were sometimes</p><p>borrowed by other American forces. Their war of words soon turned</p><p>the Navajos into heroes. Other soldiers would offer to carry their</p><p>radios and rifles, and they were even given personal bodyguards,</p><p>partly to protect them from their own comrades. On at least three</p><p>occasions code talkers were mistaken for Japanese soldiers and</p><p>captured by fellow Americans. They were released only when</p><p>colleagues from their own battalion vouched for them.</p><p>The impenetrability of the Navajo code was all down</p><p>to carry a list of random letters; S, T, S, F,.… Only by rewinding the strip</p><p>around another scytale of the correct diameter will the message reappear.</p><p>The alternative to transposition is substitution. One of the earliest</p><p>descriptions of encryption by substitution appears in the Kāma-</p><p>Sūtra, a text written in the fourth century A.D. by the Brahmin scholar</p><p>Vātsyāyana, but based on manuscripts dating back to the fourth</p><p>century B.C. The Kāma-Sūtra recommends that women should study</p><p>64 arts, such as cooking, dressing, massage and the preparation of</p><p>perfumes. The list also includes some less obvious arts, namely</p><p>conjuring, chess, bookbinding and carpentry. Number 45 on the list</p><p>is mlecchita-vikalpā, the art of secret writing, advocated in order to</p><p>help women conceal the details of their liaisons. One of the</p><p>recommended techniques is to pair letters of the alphabet at</p><p>random, and then substitute each letter in the original message with</p><p>its partner. If we apply the principle to the Roman alphabet, we</p><p>could pair letters as follows:</p><p>Then, instead of meet at midnight, the sender would write CUUZ VZ</p><p>CGXSGIBZ.
This form of secret writing is called a substitution cipher</p><p>because each letter in the plaintext is substituted for a different</p><p>letter, thus acting in a complementary way to the transposition</p><p>cipher. In transposition each letter retains its identity but changes</p><p>its position, whereas in substitution each letter changes its identity</p><p>but retains its position.</p><p>The first documented use of a substitution cipher for military</p><p>purposes appears in Julius Caesar’s Gallic Wars. Caesar describes</p><p>how he sent a message to Cicero, who was besieged and on the</p><p>verge of surrendering. The substitution replaced Roman letters with</p><p>Greek letters, rendering the message unintelligible to the enemy.</p><p>Caesar described the dramatic delivery of the message:</p><p>The messenger was instructed, if he could not approach, to hurl a spear, with the</p><p>letter fastened to the thong, inside the entrenchment of the camp. Fearing danger, the</p><p>Gaul discharged the spear, as he had been instructed. By chance it stuck fast in the</p><p>tower, and for two days was not sighted by our troops; on the third day it was sighted</p><p>by a soldier, taken down, and delivered to Cicero. He read it through and then recited</p><p>it at a parade of the troops, bringing the greatest rejoicing to all.</p><p>Caesar used secret writing so frequently that Valerius Probus wrote</p><p>an entire treatise on his ciphers, which unfortunately has not</p><p>survived. However, thanks to Suetonius’ Lives of the Caesars LVI,</p><p>written in the second century A.D., we do have a detailed description</p><p>of one of the types of substitution cipher used by Julius Caesar. He</p><p>simply replaced each letter in the message with the letter that is</p><p>three places further down the alphabet.
Cryptographers often think</p><p>in terms of the plain alphabet, the alphabet used to write the original</p><p>message, and the cipher alphabet, the letters that are substituted in</p><p>place of the plain letters. When the plain alphabet is placed above</p><p>the cipher alphabet, as shown in Figure 3, it is clear that the cipher</p><p>alphabet has been shifted by three places, and hence this form of</p><p>substitution is often called the Caesar shift cipher, or simply the</p><p>Caesar cipher. A cipher is the name given to any form of</p><p>cryptographic substitution in which each letter is replaced by</p><p>another letter or symbol.</p><p>Figure 3 The Caesar cipher applied to a short message. The Caesar cipher is based on</p><p>a cipher alphabet that is shifted a certain number of places (in this case three),</p><p>relative to the plain alphabet. The convention in cryptography is to write the plain</p><p>alphabet in lower-case letters, and the cipher alphabet in capitals. Similarly, the</p><p>original message, the plaintext, is written in lower case, and the encrypted message,</p><p>the ciphertext, is written in capitals.</p><p>Although Suetonius mentions only a Caesar shift of three places, it</p><p>is clear that by using any shift between 1 and 25 places it is possible</p><p>to generate 25 distinct ciphers. In fact, if we do not restrict</p><p>ourselves to shifting the alphabet and permit the cipher alphabet to</p><p>be any rearrangement of the plain alphabet, then we can generate</p><p>an even greater number of distinct ciphers. There are over</p><p>400,000,000,000,000,000,000,000,000 such rearrangements, and</p><p>therefore the same number of distinct ciphers.</p><p>Each distinct cipher can be considered in terms of a general</p><p>encrypting method, known as the algorithm, and a key, which</p><p>specifies the exact details of a particular encryption.
In this case, the</p><p>algorithm involves substituting each letter in the plain alphabet</p><p>with a letter from a cipher alphabet, and the cipher alphabet is</p><p>allowed to consist of any rearrangement of the plain alphabet. The</p><p>key defines the exact cipher alphabet to be used for a particular</p><p>encryption. The relationship between the algorithm and the key is</p><p>illustrated in Figure 4.</p><p>An enemy studying an intercepted scrambled message may have a</p><p>strong suspicion of the algorithm, but would not know the exact</p><p>key. For example, they may well suspect that each letter in the</p><p>plaintext has been replaced by a different letter according to a</p><p>particular cipher alphabet, but they are unlikely to know which</p><p>cipher alphabet has been used. If the cipher alphabet, the key, is</p><p>kept a closely guarded secret between the sender and the receiver,</p><p>then the enemy cannot decipher the intercepted message. The</p><p>significance of the key, as opposed to the algorithm, is an enduring</p><p>principle of cryptography. It was definitively stated in 1883 by the</p><p>Dutch linguist Auguste Kerckhoffs von Nieuwenhof in his book La</p><p>Cryptographie militaire: “Kerckhoffs’ Principle: The security of a</p><p>cryptosystem must not depend on keeping secret the crypto-</p><p>algorithm. The security depends only on keeping secret the key.”</p><p>Figure 4 To encrypt a plaintext message, the sender passes it through an encryption</p><p>algorithm. The algorithm is a general system for encryption, and needs to be</p><p>specified exactly by selecting a key. Applying the key and algorithm together to a</p><p>plaintext generates the encrypted message, or ciphertext. The ciphertext may be</p><p>intercepted by an enemy while it is being transmitted to the receiver, but the enemy</p><p>should not be able to decipher the message.
However, the receiver, who knows both</p><p>the key and the algorithm used by the sender, is able to turn the ciphertext back into</p><p>the plaintext message.</p><p>In addition to keeping the key secret, a secure cipher system must</p><p>also have a wide range of potential keys. For example, if the sender</p><p>uses the Caesar shift cipher to encrypt a message, then encryption is</p><p>relatively weak because there are only 25 potential keys. From the</p><p>enemy’s point of view, if they intercept the message and suspect</p><p>that the algorithm being used is the Caesar shift, then they merely</p><p>have to check the 25 possibilities. However, if the sender uses the</p><p>more general substitution algorithm, which permits the cipher</p><p>alphabet to be any rearrangement of the plain alphabet, then there</p><p>are 400,000,000,000,000,000,000,000,000 possible keys from</p><p>which to choose. One such is shown in Figure 5. From the enemy’s</p><p>point of view, if the message is intercepted and the algorithm is</p><p>known, there is still the horrendous task of checking all possible</p><p>keys. If an enemy agent were able to check one of the</p><p>400,000,000,000,000,000,000,000,000 possible keys every second,</p><p>it would take roughly a billion times the lifetime of the universe to</p><p>check all of them and decipher the message.</p><p>Figure 5 An example of the general substitution algorithm, in which each letter in</p><p>the plaintext is substituted with another letter according to a key. The key is defined</p><p>by the cipher alphabet, which can be any rearrangement of the plain alphabet.</p><p>The beauty of this type of cipher is that it is easy to implement,</p><p>but provides a high level of security.
It is easy for the sender to</p><p>define the key, which consists merely of stating the order of the 26</p><p>letters in the rearranged cipher alphabet, and yet it is effectively</p><p>to the fact</p><p>that Navajo belongs to the Na-Dene family of languages, which has</p><p>no link with any Asian or European language. For example, a</p><p>Navajo verb is conjugated not solely according to its subject, but</p><p>also according to its object. The verb ending depends on which</p><p>category the object belongs to: long (e.g., pipe, pencil), slender and</p><p>flexible (e.g., snake, thong), granular (e.g., sugar, salt), bundled</p><p>(e.g., hay), viscous (e.g., mud, feces) and many others. The verb will</p><p>also incorporate adverbs, and will reflect whether or not the speaker</p><p>has experienced what he or she is talking about, or whether it is</p><p>hearsay. Consequently, a single verb can be equivalent to a whole</p><p>sentence, making it virtually impossible for foreigners to disentangle</p><p>its meaning.</p><p>Despite its strengths, the Navajo code still suffered from two</p><p>significant flaws. First, words that were neither in the natural</p><p>Navajo vocabulary nor in the list of 274 authorized codewords had</p><p>to be spelled out using the special alphabet. This was time-</p><p>consuming, so it was decided to add another 234 common terms to</p><p>the lexicon. For example, nations were given Navajo nicknames:</p><p>“Rolled Hat” for Australia, “Bounded by Water” for Britain, “Braided</p><p>Hair” for China, “Iron Hat” for Germany, “Floating Land” for the</p><p>Philippines, and “Sheep Pain” for Spain.</p><p>The second problem concerned those words that would still have</p><p>to be spelled out. If it became clear to the Japanese that words were</p><p>being spelled out, they would realize that they could use frequency</p><p>analysis to identify which Navajo words represented which letters.
It</p><p>would soon become obvious that the most commonly used word was</p><p>dzeh, which means “elk” and which represents e, the most</p><p>commonly used letter of the English alphabet. Just spelling out the</p><p>name of the island Guadalcanal and repeating the word wol-la-chee</p><p>(ant) four times would be a big clue as to what word represented</p><p>the letter a. The solution was to add more words to act as extra</p><p>substitutes (homophones) for the commonly used letters. Two extra</p><p>words were introduced as alternatives for each of the six commonest</p><p>letters (e, t, a, o, i, n), and one extra word for the six next</p><p>commonest letters (s, h, r, d, l, u). The letter a, for example, could</p><p>now also be substituted by the words be-la-sana (apple) or tse-nihl</p><p>(axe). Thereafter, Guadalcanal could be spelled with only one</p><p>repetition: klizzie, shi-da, wol-la-chee, lha-cha-eh, be-la-sana, dibeh-</p><p>yazzie, moasi, tse-nihl, nesh-chee, tse-nihl, ah-jad (goat, uncle, ant,</p><p>dog, apple, lamb, cat, axe, nut, axe, leg).</p><p>As the war in the Pacific intensified, and as the Americans</p><p>advanced from the Solomon Islands to Okinawa, the Navajo code</p><p>talkers played an increasingly vital role. During the first days of the</p><p>attack on Iwo Jima, more than eight hundred Navajo messages were</p><p>sent, all without error. According to Major General Howard Conner,</p><p>“without the Navajos, the marines would never have taken Iwo</p><p>Jima.” The contribution of the Navajo code talkers is all the more</p><p>remarkable when you consider that, in order to fulfill their duties,</p><p>they often had to confront and defy their own deeply held spiritual</p><p>fears. The Navajo believe that the spirits of the dead, chindi, will</p><p>seek revenge on the living unless ceremonial rites are performed on</p><p>the body.
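</p><p>The homophone fix described above for spelling Guadalcanal, as an added Python example that is not from the book: it uses only the codewords quoted on this page and compares what a frequency analyst sees before and after the extra words. Treating dibeh-yazzie as the original word for l, and rotating through a letter's words in fixed order, are assumptions made here.</p>

```python
from collections import Counter
from itertools import cycle

# Codewords quoted on the page only; letters the page gives no word for are
# deliberately absent. The first entry is taken to be the original word and
# later entries the added homophones (for "l" that ordering is an assumption).
HOMOPHONES = {
    "a": ["wol-la-chee", "be-la-sana", "tse-nihl"],  # ant, apple, axe
    "c": ["moasi"],                                   # cat
    "d": ["lha-cha-eh"],                              # dog
    "e": ["dzeh"],                                    # elk
    "f": ["ma-e"],                                    # fox
    "g": ["klizzie"],                                 # goat
    "i": ["tkin"],                                    # ice
    "l": ["dibeh-yazzie", "ah-jad"],                  # lamb, leg
    "n": ["nesh-chee"],                               # nut
    "p": ["bi-sodih"],                                # pig
    "u": ["shi-da"],                                  # uncle
}

# One word per letter: the alphabet as it was before homophones were added.
SINGLE = {letter: words[:1] for letter, words in HOMOPHONES.items()}


def spell(word, table):
    """Spell `word` letter by letter, rotating through each letter's codewords."""
    rotors = {letter: cycle(words) for letter, words in table.items()}
    out = []
    for ch in word.lower():
        if ch not in rotors:
            raise KeyError(f"no codeword on the page for letter {ch!r}")
        out.append(next(rotors[ch]))
    return out


def unspell(codewords, table=HOMOPHONES):
    """Decode: every homophone maps back to exactly one letter."""
    reverse = {w: letter for letter, words in table.items() for w in words}
    return "".join(reverse[w] for w in codewords)


def most_repeated(codewords):
    """The first thing frequency analysis finds: commonest codeword and count."""
    return Counter(codewords).most_common(1)[0]


# The two spellings printed on the page.
PAGE_PACIFIC = "bi-sodih wol-la-chee moasi tkin ma-e tkin moasi".split()
PAGE_GUADALCANAL = (
    "klizzie shi-da wol-la-chee lha-cha-eh be-la-sana dibeh-yazzie "
    "moasi tse-nihl nesh-chee tse-nihl ah-jad"
).split()

if __name__ == "__main__":
    before = spell("guadalcanal", SINGLE)
    after = spell("guadalcanal", HOMOPHONES)
    print("single alphabet :", most_repeated(before))
    print("with homophones :", most_repeated(after))
    print("page spellings  :", unspell(PAGE_GUADALCANAL), unspell(PAGE_PACIFIC))
```

<p>With four occurrences of a and only three words for it, one repetition is unavoidable, which is why the page's own spelling still uses tse-nihl twice.</p>
<p>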
The war in the Pacific was particularly bloody, with</p><p>corpses strewn across the battlefields, and yet the code talkers</p><p>summoned up the courage to carry on regardless of the chindi that</p><p>haunted them. In Doris Paul’s book The Navajo Code Talkers, one of</p><p>the Navajo recounts an incident which typifies their bravery,</p><p>dedication and composure:</p><p>Figure 53 Corporal Henry Bake, Jr. (left) and Private First Class George H. Kirk using</p><p>the Navajo code in the dense jungles of Bougainville in 1943.</p><p>If you so much as held up your head six inches you were gone, the fire was so intense.</p><p>And then in the wee hours, with no relief on our side or theirs, there was a dead</p><p>standstill. It must have gotten so that this one Japanese couldn’t take it anymore. He</p><p>got up and yelled and screamed at the top of his voice and dashed over our trench,</p><p>swinging a long samurai sword. I imagine he was shot from 25 to 40 times before he</p><p>fell.</p><p>There was a buddy with me in the trench. But that Japanese had cut him across the</p><p>throat, clear through to the cords on the back of his neck. He was still gasping</p><p>through his windpipe. And the sound of him trying to breathe was horrible. He died,</p><p>of course. When the Jap struck, warm blood spattered all over my hand that was</p><p>holding a microphone. I was calling in code for help. They tell me that in spite of</p><p>what happened, every syllable of my message came through.</p><p>Altogether, there were 420 Navajo code talkers. Although their</p><p>bravery as fighting men was acknowledged, their special role in</p><p>securing communications was classified information. The</p><p>government forbade them to talk about their work, and their unique</p><p>contribution was not made public. Just like Turing and the</p><p>cryptanalysts at Bletchley Park, the Navajo were ignored for</p><p>decades. 
Eventually, in 1968, the Navajo code was declassified, and</p><p>the following year the code talkers held their first reunion. Then, in</p><p>1982, they were honored when the U.S. Government named August</p><p>14 “National Navajo Code Talkers Day.” However, the greatest</p><p>tribute to the work of the Navajo is the simple fact that their code is</p><p>one of very few throughout history that was never broken.</p><p>Lieutenant General Seizo Arisue, the Japanese chief of intelligence,</p><p>admitted that, although they had broken the American Air Force</p><p>code, they had failed to make any impact on the Navajo code.</p><p>Deciphering Lost Languages and Ancient Scripts</p><p>The success of the Navajo code was based largely on the simple fact</p><p>that the mother tongue of one person is utterly meaningless to</p><p>anybody unacquainted with it. In many ways, the task that</p><p>confronted Japanese cryptanalysts is similar to that which is faced</p><p>by archaeologists attempting to decipher a long-forgotten language,</p><p>perhaps written in an extinct script. If anything, the archaeological</p><p>challenge is much more severe. For example, while the Japanese</p><p>had a continuous stream of Navajo words which they could attempt</p><p>to identify, the information available to the archaeologist can</p><p>sometimes be just a small collection of clay tablets. Furthermore,</p><p>the archaeological codebreaker often has no idea of the context or</p><p>contents of an ancient text, clues which military codebreakers can</p><p>normally rely on to help them crack a cipher.</p><p>Deciphering ancient texts seems an almost hopeless pursuit, yet</p><p>many men and women have devoted themselves to this arduous</p><p>enterprise. Their obsession is driven by the desire to understand the</p><p>writings of our ancestors, allowing us to speak their words and catch</p><p>a glimpse of their thoughts and lives. 
Perhaps this appetite for</p><p>cracking ancient scripts is best summarized by Maurice Pope, the</p><p>author of The Story of Decipherment: “Decipherments are by far the</p><p>most glamorous achievements of scholarship. There is a touch of</p><p>magic about unknown writing, especially when it comes from the</p><p>remote past, and a corresponding glory is bound to attach itself to</p><p>the person who first solves its mystery.”</p><p>The decipherment of ancient scripts is not part of the ongoing</p><p>evolutionary battle between codemakers and codebreakers, because,</p><p>although there are codebreakers in the shape of archaeologists,</p><p>there are no codemakers. That is to say, in most cases of</p><p>archaeological decipherment there was no deliberate attempt by the</p><p>original scribe to hide the meaning of the text. The remainder of this</p><p>chapter, which is a discussion of archaeological decipherments, is</p><p>therefore a slight detour from the book’s main theme. However, the</p><p>principles of archaeological decipherment are essentially the same</p><p>as those of conventional military cryptanalysis. Indeed, many</p><p>military codebreakers have been attracted by the challenge of</p><p>unraveling an ancient script. This is probably because</p><p>archaeological decipherments make a refreshing change</p><p>impossible for the enemy to check all possible keys by the so-called</p><p>brute-force attack. The simplicity of the key is important, because</p><p>the sender and receiver have to share knowledge of the key, and the</p><p>simpler the key, the less the chance of a misunderstanding.</p><p>In fact, an even simpler key is possible if the sender is prepared to</p><p>accept a slight reduction in the number of potential keys. Instead of</p><p>randomly rearranging the plain alphabet to achieve the cipher</p><p>alphabet, the sender chooses a keyword or keyphrase. 
For example,</p><p>to use JULIUS CAESAR as a keyphrase, begin by removing any</p><p>spaces and repeated letters (JULISCAER), and then use this as the</p><p>beginning of the jumbled cipher alphabet. The remainder of the</p><p>cipher alphabet is merely the remaining letters of the alphabet, in</p><p>their correct order, starting where the keyphrase ends. Hence, the</p><p>cipher alphabet would read as follows.</p><p>The advantage of building a cipher alphabet in this way is that it is</p><p>easy to memorize the keyword or keyphrase, and hence the cipher</p><p>alphabet. This is important, because if the sender has to keep the</p><p>cipher alphabet on a piece of paper, the enemy can capture the</p><p>paper, discover the key, and read any communications that have</p><p>been encrypted with it. However, if the key can be committed to</p><p>memory it is less likely to fall into enemy hands. Clearly the number</p><p>of cipher alphabets generated by keyphrases is smaller than the</p><p>number of cipher alphabets generated without restriction, but the</p><p>number is still immense, and it would be effectively impossible for</p><p>the enemy to unscramble a captured message by testing all possible</p><p>keyphrases.</p><p>This simplicity and strength meant that the substitution cipher</p><p>dominated the art of secret writing throughout the first millennium</p><p>A.D. Codemakers had evolved a system for guaranteeing secure</p><p>communication, so there was no need for further development-</p><p>without necessity, there was no need for further invention. The onus</p><p>had fallen upon the codebreakers, those who were attempting to</p><p>crack the substitution cipher. Was there any way for an enemy</p><p>interceptor to unravel an encrypted message? Many ancient scholars</p><p>considered that the substitution cipher was unbreakable, thanks to</p><p>the gigantic number of possible keys, and for centuries this seemed</p><p>to be true. 
However, codebreakers would eventually find a shortcut</p><p>to the process of exhaustively searching all keys. Instead of taking</p><p>billions of years to crack a cipher, the shortcut could reveal the</p><p>message in a matter of minutes. The breakthrough occurred in the</p><p>East, and required a brilliant combination of linguistics, statistics</p><p>and religious devotion.</p><p>The Arab Cryptanalysts</p><p>At the age of about forty, Muhammad began regularly visiting an</p><p>isolated cave on Mount Hira just outside Mecca. This was a retreat,</p><p>a place for prayer, meditation and contemplation. It was during a</p><p>period of deep reflection, around A.D. 610, that he was visited by the</p><p>archangel Gabriel, who proclaimed that Muhammad was to be the</p><p>messenger of God. This was the first of a series of revelations which</p><p>continued until Muhammad died some twenty years later. The</p><p>revelations were recorded by various scribes during the Prophet’s</p><p>life, but only as fragments, and it was left to Abū Bakr, the first</p><p>caliph of Islam, to gather them together into a single text. The work</p><p>was continued by Umar, the second caliph, and his daughter Hafsa,</p><p>and was eventually completed by Uthmān, the third caliph. Each</p><p>revelation became one of the 114 chapters of the Koran.</p><p>The ruling caliph was responsible for carrying on the work of the</p><p>Prophet, upholding his teachings and spreading his word. Between</p><p>the appointment of Abū Bakr in 632 to the death of the fourth</p><p>caliph, Alī, in 661, Islam spread until half of the known world was</p><p>under Muslim rule. Then in 750, after a century of consolidation,</p><p>the start of the Abbasid caliphate (or dynasty) heralded the golden</p><p>age of Islamic civilization. The arts and sciences flourished in equal</p><p>measure. 
Islamic craftsmen bequeathed us magnificent paintings,</p><p>ornate carvings, and the most elaborate textiles in history, while the</p><p>legacy of Islamic scientists is evident from the number of Arabic</p><p>words that pepper the lexicon of modern science such as algebra,</p><p>alkaline and zenith.</p><p>The richness of Islamic culture was to a large part the result of a</p><p>wealthy and peaceful society. The Abbasid caliphs were less</p><p>interested than their predecessors in conquest, and instead</p><p>concentrated on establishing an organized and affluent society.</p><p>Lower taxes encouraged businesses to grow and gave rise to greater</p><p>commerce and industry, while strict laws reduced corruption and</p><p>protected the citizens. All of this relied on an effective system of</p><p>administration, and in turn the administrators relied on secure</p><p>communication achieved through the use of encryption. As well as</p><p>encrypting sensitive affairs of state, it is documented that officials</p><p>protected tax records, demonstrating a widespread and routine use</p><p>of cryptography. Further evidence comes from many administrative</p><p>manuals, such as the tenth-century Adab al-Kuttāb (“The Secretaries’</p><p>Manual”), which include sections devoted to cryptography.</p><p>The administrators usually employed a cipher alphabet which was</p><p>simply a rearrangement of the plain alphabet, as described earlier,</p><p>but they also used cipher alphabets that contained other types of</p><p>symbols. For example, a in the plain alphabet might be replaced by</p><p># in the cipher alphabet, b might be replaced by +, and so on. The</p><p>monoalphabetic substitution cipher is the general name given to any</p><p>substitution cipher in which the cipher alphabet consists of either</p><p>letters or symbols, or a mix of both. 
All the substitution ciphers that</p><p>we have met so far come within this general category.</p><p>Had the Arabs merely been familiar with the use of the</p><p>monoalphabetic substitution cipher, they would not warrant a</p><p>significant mention in any history of cryptography. However, in</p><p>addition to employing ciphers, the Arab scholars were also capable</p><p>of destroying ciphers. They in fact invented cryptanalysis, the science</p><p>of unscrambling a message without knowledge of the key. While the</p><p>cryptographer develops new methods of secret writing, it is the</p><p>cryptanalyst who struggles to find weaknesses in these methods in</p><p>order to break into secret messages. Arabian cryptanalysts</p><p>succeeded in finding a method for breaking the monoalphabetic</p><p>substitution cipher, a cipher that had remained invulnerable for</p><p>several centuries.</p><p>Cryptanalysis could not be invented until a civilization had</p><p>reached a sufficiently sophisticated level of scholarship in several</p><p>disciplines, including mathematics, statistics and linguistics. The</p><p>Muslim civilization provided an ideal cradle for cryptanalysis,</p><p>because Islam demands justice in all spheres of human activity, and</p><p>achieving this requires knowledge, or ilm. Every Muslim is obliged</p><p>to pursue knowledge in all its forms, and the economic success of</p><p>the Abbasid caliphate meant that scholars had the time, money and</p><p>materials required to fulfill their duty. They endeavored to acquire</p><p>the knowledge of previous civilizations by obtaining Egyptian,</p><p>Babylonian, Indian, Chinese, Farsi, Syriac, Armenian, Hebrew and</p><p>Roman texts and translating them into Arabic. 
In 815, the Caliph al-</p><p>Ma’mūn established in Baghdad the Bait al-Hikmah (“House of</p><p>Wisdom”), a library and center for translation.</p><p>At the same time as acquiring knowledge, the Islamic civilization</p><p>was able to disperse it, because it had procured the art of</p><p>papermaking from the Chinese. The manufacture of paper gave rise</p><p>to the profession of warraqīn, or “those who handle paper,” human</p><p>photocopying machines who copied manuscripts and supplied the</p><p>burgeoning publishing industry. At its peak, tens of thousands of</p><p>books were published every year, and in just one suburb of Baghdad</p><p>there were over a hundred bookshops. As well as such classics as</p><p>Tales from the Thousand and One Nights, these bookshops also sold</p><p>textbooks on every imaginable subject, and helped to support the</p><p>most literate and learned society in the world.</p><p>In addition to a greater understanding of secular subjects, the</p><p>invention of cryptanalysis also depended on the growth of religious</p><p>scholarship. Major theological schools were established in Basra,</p><p>Kufa and Baghdad, where theologians scrutinized the revelations of</p><p>Muhammad as contained in the Koran. The theologians were</p><p>interested in establishing the chronology of the revelations, which</p><p>they did by counting the frequencies of words contained in each</p><p>revelation. The theory was that certain words had evolved relatively</p><p>recently, and hence if a revelation contained a high number of these</p><p>newer words, this would indicate that it came later in the</p><p>chronology. Theologians also studied the Hadīth, which consists of</p><p>the Prophet’s daily utterances. They tried to demonstrate that each</p><p>statement was indeed attributable to Muhammad. 
This was done by</p><p>studying the etymology of words and the structure of sentences, to</p><p>test whether particular texts were consistent with the linguistic</p><p>patterns of the Prophet.</p><p>Significantly, the religious scholars did not stop their scrutiny at</p><p>the level of words. They also analyzed individual letters, and in</p><p>particular they discovered that some letters are more common than</p><p>others. The letters a and l are the most common in Arabic, partly</p><p>because of the definite article al-, whereas the letter j appears only a</p><p>tenth as frequently. This apparently innocuous observation would</p><p>lead to the first great breakthrough in cryptanalysis.</p><p>Although it is not known who first realized that the variation in</p><p>the frequencies of letters could be exploited in order to break</p><p>ciphers, the earliest known description of the technique is by the</p><p>ninth-century scientist Abū Yūsūf Ya’qūb ibn Is-hāq ibn as-Sabbāh</p><p>ibn ‘omrān ibn Ismaīl al-Kindī. Known as “the philosopher of the</p><p>Arabs,” al-Kindī was the author of 290 books on medicine,</p><p>astronomy, mathematics, linguistics and music. His greatest treatise,</p><p>which was rediscovered only in 1987 in the Sulaimaniyyah Ottoman</p><p>Archive in Istanbul, is entitled A Manuscript on Deciphering</p><p>Cryptographic Messages; the first page is shown in Figure 6. Although</p><p>it contains detailed discussions on statistics, Arabic phonetics and</p><p>Arabic syntax, al-Kindī’s revolutionary system of cryptanalysis is</p><p>encapsulated in two short paragraphs:</p><p>One way to solve an encrypted message, if we know its language, is to find a different</p><p>plaintext of the same language long enough to fill one sheet or so, and then we count</p><p>the occurrences of each letter. 
We call the most frequently occurring letter the “first,”</p><p>the next most occurring letter the “second,” the following most occurring letter the</p><p>“third,” and so on, until we account for all the different letters in the plaintext</p><p>sample.</p><p>Then we look at the ciphertext we want to solve and we also classify its symbols.</p><p>We find the most occurring symbol and change it to the form of the “first” letter of</p><p>the plaintext sample, the next most common symbol is changed to the form of the</p><p>“second” letter, and the following most common symbol is changed to the form of the</p><p>“third” letter, and so on, until we account for all symbols of the cryptogram we want</p><p>to solve.</p><p>Al-Kindī’s explanation is easier to explain in terms of the English</p><p>alphabet. First of all, it is necessary to study a lengthy piece of</p><p>normal English text, perhaps several, in order to establish the</p><p>frequency of each letter of the alphabet. In English, e is the most</p><p>common letter, followed by t, then a, and so on, as given in Table 1.</p><p>Next, examine the ciphertext in question, and work out the</p><p>frequency of each letter. If the most common letter in the ciphertext</p><p>is, for example, J then it would seem likely that this is a substitute</p><p>for e. And if the second most common letter in the ciphertext is P,</p><p>then this is probably a substitute for t, and so on. Al-Kindī’s</p><p>technique, known as frequency analysis, shows that it is unnecessary</p><p>to check each of the billions of potential keys. Instead, it is possible</p><p>to reveal the contents of a scrambled message simply by analyzing</p><p>the frequency of the characters in the ciphertext.</p><p>Figure 6 The first page of al-Kindī’s manuscript On Deciphering Cryptographic</p><p>Messages, containing the oldest known description of cryptanalysis by frequency</p><p>analysis. 
(photo credit 1.2)</p><p>However, it is not possible to apply al-Kindī’s recipe for</p><p>cryptanalysis unconditionally, because the standard list of</p><p>frequencies in Table 1 is only an average, and it will not correspond</p><p>exactly to the frequencies of every text. For example, a brief</p><p>message discussing the effect of the atmosphere on the movement of</p><p>striped quadrupeds in Africa would not yield to straightforward</p><p>frequency analysis: “From Zanzibar to Zambia and Zaire, ozone</p><p>zones make zebras run zany zigzags.” In general, short texts are</p><p>likely to deviate significantly from the standard frequencies, and if</p><p>there are less than a hundred letters, then decipherment will be very</p><p>difficult. On the other hand, longer texts are more likely to follow</p><p>the standard frequencies, although this is not always the case. In</p><p>1969, the French author Georges Perec wrote La Disparition, a 200-</p><p>page novel that did not use words that contain the letter e. Doubly</p><p>remarkable is the fact that the English novelist and critic Gilbert</p><p>Adair succeeded in translating La Disparition into English, while still</p><p>following Perec’s shunning of the letter e. Entitled A Void, Adair’s</p><p>translation is surprisingly readable (see Appendix A). If the entire</p><p>book were encrypted via a monoalphabetic substitution cipher, then</p><p>a naive attempt to decipher it might be stymied by the complete</p><p>lack of the most frequently occurring letter in the English alphabet.</p><p>Table 1 This table of relative frequencies is based on passages taken from newspapers and</p><p>novels, and the total sample was 100,362 alphabetic characters. The table was compiled by</p><p>H. Beker and F. 
Piper, and originally published in Cipher Systems: The Protection Of</p><p>Communication.</p><p>Letter Percentage</p><p>a 8.2</p><p>b 1.5</p><p>c 2.8</p><p>d 4.3</p><p>e 12.7</p><p>f 2.2</p><p>g 2.0</p><p>h 6.1</p><p>i 7.0</p><p>j 0.2</p><p>k 0.8</p><p>l 4.0</p><p>m 2.4</p><p>n 6.7</p><p>o 7.5</p><p>p 1.9</p><p>q 0.1</p><p>r 6.0</p><p>s 6.3</p><p>t 9.1</p><p>u 2.8</p><p>v 1.0</p><p>w 2.4</p><p>x 0.2</p><p>y 2.0</p><p>z 0.1</p><p>Having described the first tool of cryptanalysis, I shall continue by</p><p>giving an example of how frequency analysis is used to decipher a</p><p>ciphertext. I have avoided peppering the whole book with examples</p><p>of cryptanalysis, but with frequency analysis I make an exception.</p><p>This is partly because frequency analysis is not as difficult as it</p><p>sounds, and partly because it is the primary cryptanalytic tool.</p><p>Furthermore, the example that follows provides insight into the</p><p>modus operandi of the cryptanalyst. Although frequency analysis</p><p>requires logical thinking, you will see that it also demands guile,</p><p>intuition, flexibility and guesswork.</p><p>Cryptanalyzing a Ciphertext</p><p>PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV</p><p>XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX’XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV</p><p>ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC</p><p>UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC</p><p>AJXNO X IXNCMJ CI UCMJ SXGOKLU?”</p><p>OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK</p><p>Imagine that we have intercepted this scrambled message. The</p><p>challenge is to decipher it. We know that the text is in English, and</p><p>that it has been scrambled according to a monoalphabetic</p><p>substitution cipher, but we have no idea of the key. 
Searching all</p><p>possible keys is impractical, so we must apply frequency analysis.</p><p>What follows is a step-by-step guide to cryptanalyzing the</p><p>ciphertext, but if you feel confident then you might prefer to ignore</p><p>this and attempt your own independent cryptanalysis.</p><p>The immediate reaction of any cryptanalyst upon seeing such a</p><p>ciphertext is to analyze the frequency of all the letters, which results</p><p>in Table 2. Not surprisingly, the letters vary in their frequency. The</p><p>question is, can we identify</p><p>what any of them represent, based on</p><p>their frequencies? The ciphertext is relatively short, so we cannot</p><p>slavishly apply frequency analysis. It would be naive to assume that</p><p>the commonest letter in the ciphertext, O, represents the commonest</p><p>letter in English, e, or that the eighth most frequent letter in the</p><p>ciphertext, Y, represents the eighth most frequent letter in English,</p><p>h. An unquestioning application of frequency analysis would lead to</p><p>gibberish. For example, the first word PCQ would be deciphered as</p><p>aov.</p><p>However, we can begin by focusing attention on the only three</p><p>letters that appear more than thirty times in the ciphertext, namely</p><p>O, X and P. It is fairly safe to assume that the commonest letters in</p><p>the ciphertext probably represent the commonest letters in the</p><p>English alphabet, but not necessarily in the right order. 
In other</p><p>words, we cannot be sure that O = e, X = t, and P = a, but we can</p><p>make the tentative assumption that:</p><p>O = e, t or a, X = e, t or a, P = e, t or a.</p><p>Table 2 Frequency analysis of enciphered message.</p><p>Letter Frequency</p><p>Occurrences Percentage</p><p>A 3 0.9</p><p>B 25 7.4</p><p>C 27 8.0</p><p>D 14 4.1</p><p>E 5 1.5</p><p>F 2 0.6</p><p>G 1 0.3</p><p>H 0 0.0</p><p>I 11 3.3</p><p>J 18 5.3</p><p>K 26 7.7</p><p>L 25 7.4</p><p>M 11 3.3</p><p>N 3 0.9</p><p>O 38 11.2</p><p>P 31 9.2</p><p>Q 2 0.6</p><p>R 6 1.8</p><p>S 7 2.1</p><p>T 0 0.0</p><p>U 6 1.8</p><p>V 18 5.3</p><p>W 1 0.3</p><p>X 34 10.1</p><p>Y 19 5.6</p><p>Z 5 1.5</p><p>In order to proceed with confidence, and pin down the identity of</p><p>the three most common letters, O, X and P, we need a more subtle</p><p>form of frequency analysis. Instead of simply counting the frequency</p><p>of the three letters, we can focus on how often they appear next to</p><p>all the other letters. For example, does the letter O appear before or</p><p>after several other letters, or does it tend to neighbor just a few</p><p>special letters? Answering this question will be a good indication of</p><p>whether O represents a vowel or a consonant. If O represents a</p><p>vowel it should appear before and after most of the other letters,</p><p>whereas if it represents a consonant, it will tend to avoid many of</p><p>the other letters. For example, the letter e can appear before and</p><p>after virtually every other letter, but the letter t is rarely seen before</p><p>or after b, d, g, j, k, m, q or v.</p><p>The table below takes the three most common letters in the</p><p>ciphertext, O, X and P, and lists how frequently each appears before</p><p>or after every letter. For example, O appears before A on 1 occasion,</p><p>but never appears immediately after it, giving a total of 1 in the first</p><p>box. 
The letter O neighbors the majority of letters, and there are</p><p>only 7 that it avoids completely, represented by the 7 zeros in the O</p><p>row. The letter X is equally sociable, because it too neighbors most</p><p>of the letters, and avoids only 8 of them. However, the letter P is</p><p>much less friendly. It tends to lurk around just a few letters, and</p><p>avoids 15 of them. This evidence suggests that O and X represent</p><p>vowels, while P represents a consonant.</p><p>Now we must ask ourselves which vowels are represented by O and</p><p>X. They are probably e and a, the two most popular vowels in the</p><p>English language, but does O = e and X = a, or does O = a and X</p><p>= e? An interesting feature in the ciphertext is that the combination</p><p>OO appears twice, whereas XX does not appear at all. Since the</p><p>letters ee appear far more often than aa in plaintext English, it is</p><p>likely that O = e and X = a.</p><p>At this point, we have confidently identified two of the letters in</p><p>the ciphertext. Our conclusion that X = a is supported by the fact</p><p>that X appears on its own in the ciphertext, and a is one of only two</p><p>English words that consist of a single letter. The only other letter</p><p>that appears on its own in the ciphertext is Y, and it seems highly</p><p>likely that this represents the only other one-letter English word,</p><p>which is i. Focusing on words with only one letter is a standard</p><p>cryptanalytic trick, and I have included it among a list of</p><p>cryptanalytic tips in Appendix B. This particular trick works only</p><p>because this ciphertext still has spaces between the words. Often, a</p><p>cryptographer will remove all the spaces to make it harder for an</p><p>enemy interceptor to unscramble the message.</p><p>Although we have spaces between words, the following trick</p><p>would also work where the ciphertext has been merged into a single</p><p>string of characters. 
The trick allows us to spot the letter h, once we</p><p>have already identified the letter e. In the English language, the</p><p>letter h frequently goes before the letter e (as in the, then, they,</p><p>etc.), but rarely after e. The table below shows how frequently the</p><p>O, which we think represents e, goes before and after all the other</p><p>letters in the ciphertext. The table suggests that B represents h,</p><p>because it appears before O on 9 occasions, but it never goes after it.</p><p>No other letter in the table has such an asymmetric relationship</p><p>with O.</p><p>Each letter in the English language has its own unique personality,</p><p>which includes its frequency and its relation to other letters. It is</p><p>this personality that allows us to establish the true identity of a</p><p>letter, even when it has been disguised by monoalphabetic</p><p>substitution.</p><p>We have now confidently established four letters, O = e, X = a,</p><p>Y = i and B = h, and we can begin to replace some of the letters in</p><p>the ciphertext with their plaintext equivalents. I shall stick to the</p><p>convention of keeping ciphertext letters in upper case, while putting</p><p>plaintext letters in lower case. This will help to distinguish between</p><p>those letters we still have to identify, and those that have already</p><p>been established.</p><p>PCQ VMJiPD LhiK LiSe KhahJaWaV haV ZCJPe EiPD KhahJiUaJ LhJee KCPK. CP Lhe</p><p>LhCMKaPV aPV IiJKL PiDhL, QheP Khe haV ePVeV Lhe LaRe CI Sa’aJMI, Khe JCKe</p><p>aPV EiKKeV Lhe DJCMPV ZeICJe hiS, KaUiPD: “DJeaL EiPD, ICJ a LhCMKaPV aPV</p><p>CPe PiDhLK i haNe ZeeP JeACMPLiPD LC UCM Lhe IaZReK CI FaKL aDeK aPV Lhe</p><p>ReDePVK CI aPAiePL EiPDK. SaU i SaEe KC ZCRV aK LC AJaNe a IaNCMJ CI UCMJ</p><p>SaGeKLU?”</p><p>eFiRCDMe, LaReK IJCS Lhe LhCMKaPV aPV CPe PiDhLK</p><p>This simple step helps us to identify several other letters, because</p><p>we can guess some of the words in the ciphertext. 
For example, the</p><p>most common three-letter words in English are the and and, and</p><p>these are relatively easy to spot-Lhe, which appears six times, and</p><p>aPV, which appears five times. Hence, L probably represents t, P</p><p>probably represents n, and V probably represents d. We can now</p><p>replace these letters in the ciphertext with their true values:</p><p>nCQ dMJinD thiK tiSe KhahJaWad had ZCJne EinD KhahJiUaJ thJee KCnK. Cn the</p><p>thCMKand and IiJKt niDht, Qhen Khe had ended the taRe CI Sa’aJMI, Khe JCKe and</p><p>EiKKed the DJCMnd ZeICJe hiS, KaUinD: “DJeat EinD, ICJ a thCMKand and Cne</p><p>niDhtK i haNe Zeen JeACMntinD tC UCM the IaZReK CI FaKt aDeK and the ReDendK</p><p>CI anAient EinDK. SaU i SaEe KC ZCRd aK tC AJaNe a IaNCMJ CI UCMJ SaGeKtU?”</p><p>eFiRCDMe, taReK IJCS the thCMKand and Cne niDhtK</p><p>Once a few letters have been established, cryptanalysis progresses</p><p>very rapidly. For example, the word at the beginning of the second</p><p>sentence is Cn. Every word has a vowel in it, so C must be a vowel.</p><p>There are only two vowels that remain to be identified, u and o; u</p><p>does not fit, so C must represent o. We also have the word Khe,</p><p>which implies that K represents either t or s. But we already know</p><p>that L = t, so it becomes clear that K = s. Having identified these</p><p>two letters, we insert them into the ciphertext, and there appears</p><p>the phrase thoMsand and one niDhts. A sensible guess for this would</p><p>be thousand and one nights, and it seems likely that the final line is</p><p>telling us that this is a passage from Tales from the Thousand and One</p><p>Nights. This implies that M = u, I = f, J = r, D = g, R = l, and S</p><p>= m.</p><p>We could continue trying to establish other letters by guessing</p><p>other words, but instead let us have a look at what we know about</p><p>the plain alphabet and cipher alphabet. 
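</p><p>The counting steps used so far in this walkthrough (letter frequencies, neighbor counts, doubled letters and the before/after asymmetry), as an added Python example that is not part of the original text. The function names are this example's own, and it assumes letter pairs are counted only inside unbroken runs of letters, so spaces, punctuation and the apostrophe separate neighbors:</p>

```python
import re
from collections import Counter
from string import ascii_uppercase

# Ciphertext as printed on the page (curly quotes typed as ASCII ones).
CIPHERTEXT = """
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO
LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO
XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: "DJOXL EYPD, ICJ X LBCMKXPV XPV
CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO
RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ
SXGOKLU?"
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK
"""

# Letters established by this point in the walkthrough (cipher -> plain).
KNOWN = {"O": "e", "X": "a", "Y": "i", "B": "h"}


def letter_runs(text):
    """Unbroken runs of upper-case (ciphertext) letters; anything else ends a run."""
    return re.findall(r"[A-Z]+", text)


def letter_counts(text):
    """Occurrences of every letter A-Z, zeros included (the page's Table 2)."""
    counts = Counter("".join(letter_runs(text)))
    return {c: counts[c] for c in ascii_uppercase}


def digraph_counts(text):
    """Count adjacent letter pairs inside runs, never across a gap."""
    pairs = Counter()
    for run in letter_runs(text):
        pairs.update(a + b for a, b in zip(run, run[1:]))
    return pairs


def contacts(text, letter):
    """How often `letter` stands directly before or after each letter A-Z."""
    pairs = digraph_counts(text)
    table = {}
    for c in ascii_uppercase:
        letter_first = pairs[letter + c]
        # A doubled letter is one pair, so do not count it twice.
        letter_second = pairs[c + letter] if c != letter else 0
        table[c] = letter_first + letter_second
    return table


def avoided(text, letter):
    """Letters that never touch `letter`; many zeros suggest a consonant."""
    return [c for c, n in contacts(text, letter).items() if n == 0]


def precedes_only(text, letter):
    """Letters seen before `letter` but never after it, most frequent first.

    With `letter` standing for e, the top entry is the candidate for h.
    """
    pairs = digraph_counts(text)
    found = [(c, pairs[c + letter]) for c in ascii_uppercase
             if pairs[c + letter] > 0 and pairs[letter + c] == 0]
    return sorted(found, key=lambda item: -item[1])


def apply_known(text, known):
    """Swap identified cipher letters for lower-case plaintext letters."""
    return "".join(known.get(ch, ch) for ch in text)


if __name__ == "__main__":
    counts = letter_counts(CIPHERTEXT)
    top = sorted(counts.items(), key=lambda item: -item[1])[:3]
    print("Three commonest letters:", top)
    for letter in "OXP":
        print(letter, "avoids", len(avoided(CIPHERTEXT, letter)), "letters")
    pairs = digraph_counts(CIPHERTEXT)
    print("OO:", pairs["OO"], "XX:", pairs["XX"])
    print("Before O only:", precedes_only(CIPHERTEXT, "O")[:3])
    print(apply_known(CIPHERTEXT, KNOWN))
```

<p>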
These two alphabets form</p><p>the key, and they were used by the cryptographer in order to</p><p>perform the substitution that scrambled the message. Already, by</p><p>identifying the true values of letters in the ciphertext, we</p><p>have</p><p>effectively been working out the details of the cipher alphabet. A</p><p>summary of our achievements, so far, is given in the plain and</p><p>cipher alphabets below.</p><p>By examining the partial cipher alphabet, we can complete the</p><p>cryptanalysis. The sequence VOIDBY in the cipher alphabet suggests</p><p>that the cryptographer has chosen a keyphrase as the basis for the</p><p>key. Some guesswork is enough to suggest the keyphrase might be A</p><p>VOID BY GEORGES PEREC, which is reduced to AVOID BY GERSPC</p><p>after removing spaces and repetitions. Thereafter, the letters</p><p>continue in alphabetical order, omitting any that have already</p><p>appeared in the keyphrase. In this particular case, the cryptographer</p><p>took the unusual step of not starting the keyphrase at the beginning</p><p>of the cipher alphabet, but rather starting it three letters in. This is</p><p>possibly because the keyphrase begins with the letter A, and the</p><p>cryptographer wanted to avoid encrypting a as A. At last, having</p><p>established the complete cipher alphabet, we can unscramble the</p><p>entire ciphertext, and the cryptanalysis is complete.</p><p>Now during this time Shahrazad had borne King Shahriyar three sons. On the</p><p>thousand and first night, when she had ended the tale of Ma’aruf, she rose and kissed</p><p>the ground before him, saying: “Great King, for a thousand and one nights I have</p><p>been recounting to you the fables of past ages and the legends of ancient kings. May I</p><p>make so bold as to crave a favor of your majesty?”</p><p>Epilogue, Tales from the Thousand and One Nights</p><p>Renaissance in the West</p><p>Between A.D. 
800 and 1200, Arab scholars enjoyed a vigorous period</p><p>of intellectual achievement. At the same time, Europe was firmly</p><p>stuck in the Dark Ages. While al-Kindī was describing the invention</p><p>of cryptanalysis, Europeans were still struggling with the basics of</p><p>cryptography. The only European institutions to encourage the</p><p>study of secret writing were the monasteries, where monks would</p><p>study the Bible in search of hidden meanings, a fascination that has</p><p>persisted through to modern times (see Appendix C).</p><p>Medieval monks were intrigued by the fact that the Old</p><p>Testament contained deliberate and obvious examples of</p><p>cryptography. For example, the Old Testament includes pieces of</p><p>text encrypted with atbash, a traditional form of Hebrew</p><p>substitution cipher. Atbash involves taking each letter, noting the</p><p>number of places it is from the beginning of the alphabet, and</p><p>replacing it with a letter that is an equal number of places from the</p><p>end of the alphabet. In English this would mean that a, at the</p><p>beginning of the alphabet, is replaced by Z, at the end of the</p><p>alphabet, b is replaced by Y, and so on. The term atbash itself hints</p><p>at the substitution it describes, because it consists of the first letter</p><p>of the Hebrew alphabet, aleph, followed by the last letter taw, and</p><p>then there is the second letter, beth, followed by the second to last</p><p>letter shin. 
An example of atbash appears in Jeremiah 25: 26 and 51:</p><p>41, where “Babel” is replaced by the word “Sheshach”; the first</p><p>letter of Babel is beth, the second letter of the Hebrew alphabet, and</p><p>this is replaced by shin, the second-to-last letter; the second letter of</p><p>Babel is also beth, and so it too is replaced by shin; and the last letter</p><p>of Babel is lamed, the twelfth letter of the Hebrew alphabet, and this</p><p>is replaced by kaph, the twelfth-to-last letter.</p><p>Atbash and other similar biblical ciphers were probably intended</p><p>only to add mystery, rather than to conceal meaning, but they were</p><p>enough to spark an interest in serious cryptography. European</p><p>monks began to rediscover old substitution ciphers, they invented</p><p>new ones, and, in due course, they helped to reintroduce</p><p>cryptography into Western civilization. The first known European</p><p>book to describe the use of cryptography was written in the</p><p>thirteenth century by the English Franciscan monk and polymath</p><p>Roger Bacon. Epistle on the Secret Works of Art and the Nullity of</p><p>Magic included seven methods for keeping messages secret, and</p><p>cautioned: “A man is crazy who writes a secret in any other way</p><p>than one which will conceal it from the vulgar.”</p><p>By the fourteenth century the use of cryptography had become</p><p>increasingly widespread, with alchemists and scientists using it to</p><p>keep their discoveries secret. Although better known for his literary</p><p>achievements, Geoffrey Chaucer was also an astronomer and a</p><p>cryptographer, and he is responsible for one of the most famous</p><p>examples of early European encryption. In his Treatise on the</p><p>Astrolabe he provided some additional notes entitled “The Equatorie</p><p>of the Planetis,” which included several encrypted paragraphs.</p><p>Chaucer’s encryption replaced plaintext letters with symbols, for</p><p>example b with . 
A ciphertext consisting of strange symbols rather</p><p>than letters may at first sight seem more complicated, but it is</p><p>essentially equivalent to the traditional letter-for-letter substitution.</p><p>The process of encryption and the level of security are exactly the</p><p>same.</p><p>By the fifteenth century, European cryptography was a</p><p>burgeoning industry. The revival in the arts, sciences and</p><p>scholarship during the Renaissance nurtured the capacity for</p><p>cryptography, while an explosion in political machinations offered</p><p>ample motivation for secret communication. Italy, in particular,</p><p>provided the ideal environment for cryptography. As well as being</p><p>at the heart of the Renaissance, it consisted of independent city</p><p>states, each trying to outmaneuver the others. Diplomacy flourished,</p><p>and each state would send ambassadors to the courts of the others.</p><p>Each ambassador received messages from his respective head of</p><p>state, describing details of the foreign policy he was to implement.</p><p>In response, each ambassador would send back any information that</p><p>he had gleaned. Clearly there was a great incentive to encrypt</p><p>communications in both directions, so each state established a</p><p>cipher office, and each ambassador had a cipher secretary.</p><p>At the same time that cryptography was becoming a routine</p><p>diplomatic tool, the science of cryptanalysis was beginning to</p><p>emerge in the West. Diplomats had only just familiarized themselves</p><p>with the skills required to establish secure communications, and</p><p>already there were individuals attempting to destroy this security. It</p><p>is quite probable that cryptanalysis was independently discovered in</p><p>Europe, but there is also the possibility that it was introduced from</p><p>the Arab world. 
Islamic discoveries in science and mathematics</p><p>strongly influenced the rebirth of science in Europe, and</p><p>cryptanalysis might have been among the imported knowledge.</p><p>Arguably the first great European cryptanalyst was Giovanni Soro,</p><p>appointed as Venetian cipher secretary in 1506. Soro’s reputation</p><p>was known throughout Italy, and friendly states would send</p><p>intercepted messages to Venice for cryptanalysis. Even the Vatican,</p><p>probably the second most active center of cryptanalysis, would send</p><p>Soro seemingly impenetrable messages that had fallen into its</p><p>hands. In 1526, Pope Clement VII sent him two encrypted messages,</p><p>and both were returned having been successfully cryptanalyzed.</p><p>And when one of the Pope’s own encrypted messages was captured</p><p>by the Florentines, the Pope sent a copy to Soro in the hope that he</p><p>would be reassured that it was unbreakable. Soro claimed that he</p><p>could not break the Pope’s cipher, implying that the Florentines</p><p>would also be unable to decipher it. However, this may have been a</p><p>ploy to lull the Vatican cryptographers into a false sense of security;</p><p>Soro might have been reluctant to point out the weaknesses of the</p><p>Papal cipher, because this would only have encouraged the Vatican</p><p>to switch to a more secure cipher, one that Soro might not have</p><p>been able to break.</p><p>Elsewhere in Europe, other courts were also beginning to employ</p><p>skilled cryptanalysts, such as Philibert Babou, cryptanalyst to King</p><p>Francis I of France. Babou gained a reputation for being incredibly</p><p>persistent, working day and night and persevering for weeks on end</p><p>in order to crack an intercepted message. Unfortunately for Babou,</p><p>this gave the king</p>
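<p>Added example (not from the book): the keyphrase construction of the cipher alphabet and the atbash substitution described above, in Python, checked against the letter values the text deduces. The function names, the start parameter and the 22-letter Hebrew alphabet without final forms are assumptions of this example; the keyphrase, the deduced values and the half-decrypted sentence are taken from the text.</p>

```python
import string

ALPHABET = string.ascii_lowercase

def keyphrase_alphabet(keyphrase, start="a"):
    """Build a cipher alphabet: the keyphrase without spaces or repeated
    letters, written beginning under plain letter `start`, followed by the
    unused letters in alphabetical order (wrapping round to plain a)."""
    key = []
    for ch in keyphrase.upper():
        if ch.isalpha() and ch not in key:
            key.append(ch)
    rest = [c for c in string.ascii_uppercase if c not in key]
    sequence = key + rest
    cut = len(sequence) - ALPHABET.index(start)
    # Rotate right so the keyphrase starts under `start`.
    return "".join(sequence[cut:] + sequence[:cut])

def finish_decryption(partial, cipher_alphabet):
    """Uppercase letters are still ciphertext; lowercase letters are already
    solved plaintext, as in the half-decrypted passage in the text."""
    to_plain = dict(zip(cipher_alphabet, ALPHABET))
    return "".join(to_plain.get(ch, ch) for ch in partial)

def atbash(text, alphabet):
    """Replace each letter with the one equally far from the other end."""
    mirror = dict(zip(alphabet, reversed(alphabet)))
    return "".join(mirror.get(ch, ch) for ch in text)

# Assumption: 22-letter Hebrew alphabet, U+05D0..U+05EA minus final forms.
FINAL_FORMS = {0x5DA, 0x5DD, 0x5DF, 0x5E3, 0x5E5}
HEBREW = "".join(chr(c) for c in range(0x5D0, 0x5EB) if c not in FINAL_FORMS)

# "Three letters in": the keyphrase starts under plain letter c.
CIPHER = keyphrase_alphabet("A VOID BY GEORGES PEREC", start="c")
# Values deduced step by step in the text (cipher letter -> plain letter).
DEDUCED = {"L": "t", "P": "n", "V": "d", "C": "o", "K": "s", "M": "u",
           "I": "f", "J": "r", "D": "g", "R": "l", "S": "m"}
PARTIAL = "nCQ dMJinD thiK tiSe KhahJaWad had ZCJne EinD KhahJiUaJ thJee KCnK."

def deductions_match(cipher_alphabet):
    """True if every deduced value agrees with the rebuilt cipher alphabet."""
    return all(ALPHABET[cipher_alphabet.index(c)] == p
               for c, p in DEDUCED.items())

if __name__ == "__main__":
    print(CIPHER, deductions_match(CIPHER))
    print(finish_decryption(PARTIAL, CIPHER))
    print(atbash("\u05d1\u05d1\u05dc", HEBREW))  # beth, beth, lamed (Babel)
```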