1 Simon Singh - The code book the science of secrecy from ancient Egypt to quantum cryptography (2000, Anchor Books) - Inglês (2024)

Inglês

Exatas

pedro lima 30/09/2024

Prévia do material em texto

<p>PRAISE FOR SIMON SINGH AND The Code Book</p><p>“Singh spins tales of cryptic intrigue in every chapter.”</p><p>—The Wall Street Journal</p><p>“Brings together … the geniuses who have secured communications, saved lives, and</p><p>in�uenced the fate of nations. A pleasure to read.”</p><p>—Chicago Tribune</p><p>“Singh pursues the fascinating story [of codes] through the centuries, always providing</p><p>plenty of detailed examples of ciphers for those who appreciate the intricacies of the</p><p>medium.”</p><p>—Los Angeles Times</p><p>“Especially e�ective at putting the reader in the codebreaker’s shoes, facing each new,</p><p>apparently unbreakable code.… Singh does a �ne job.”</p><p>—The New York Times Book Review</p><p>“Entertaining.… Singh has a �air for narrative.”</p><p>—San Francisco Chronicle</p><p>“Singh is an interesting mix of scientist and storyteller, and this subject is the perfect mix</p><p>of true fact and tall tales.”</p><p>—The San Diego Union-Tribune</p><p>“Where would we Information Age ignoramuses be without smart guys like Stephen Jay</p><p>Gould, the late Carl Sagan, or Simon Singh? They are the troubadours of our time, making</p><p>complicated subjects understandable and entertaining.”</p><p>—The Plain Dealer</p><p>“In this entertaining survey, the evolution of cryptography is driven by the ongoing</p><p>struggle between code-makers and codebreakers.”</p><p>—The New Yorker</p><p>“[Singh] is well-equipped to describe all the arcane mathematics in layman’s language.”</p><p>—Forbes</p><p>“Wonderful stories.… Close reading is rewarded with the �ash of logical insight that the</p><p>codebreakers must enjoy.”</p><p>—Hartford Advocate</p><p>“An illuminating and entertaining account.… From the �rst page, Singh shows his knack</p><p>both for explaining complex areas of science and telling rip-roaring stories.”</p><p>—New York Law Journal</p><p>“My only regret is that this great book has come far too late. If only someone had given it</p><p>to me when I was 10, my secret plans for world playground domination might never have</p><p>been foiled.”</p><p>—James Flint, The Observer (London)</p><p>“Full of fascinating case histories covering the development and practical use of</p><p>cryptography.”</p><p>—Mail on Sunday (London)</p><p>“Singh has created an authoritative and engrossing read which both explains and</p><p>humanizes the subject.… This intelligent, exciting book takes its drive from a simple</p><p>premise-that nothing is as exciting as a secret.”</p><p>—Scotland on Sunday</p><p>SIMON SINGH</p><p>The Code Book</p><p>Simon Singh received his Ph.D. in physics from Cambridge</p><p>University. A former BBC producer, he directed an award-</p><p>winning documentary �lm on Fermat’s Last Theorem that</p><p>aired on PBS’s Nova series and wrote the bestselling book,</p><p>Fermat’s Enigma. He lives in London, England.</p><p>Also by Simon Singh</p><p>Fermat’s Enigma</p><p>FIRST ANCHOR BOOKS EDITION, SEPTEMBER 2000</p><p>Copyright © 1999 by Simon Singh</p><p>All rights reserved under International and Pan-American Copyright Conventions.</p><p>Published in the United States by Anchor Books, a division of Random House, Inc., New</p><p>York, and simultaneously in Canada by Random House of Canada Limited, Toronto.</p><p>Originally published in hardcover in the United States by Doubleday, a division of Random</p><p>House, Inc., New York, and in the United Kingdom by the Fourth Estate, London, in 1999.</p><p>Anchor Books and colophon are registered trademarks of Random House, Inc.</p><p>The Library of Congress has cataloged the Doubleday edition as follows:</p><p>Singh, Simon.</p><p>The code book : the evolution of secrecy from Mary Queen of Scots to quantum</p><p>cryptography / Simon Singh. –1st ed.</p><p>p. cm.</p><p>1. Cryptography–History. 2. Data encryption (Computer science)–History. I. Title.</p><p>Z103.S56 1999</p><p>652′.8′09–dc21 99-35261</p><p>eISBN: 978-0-307-78784-2</p><p>Author photo © Nigel Spalding</p><p>www.anchorbooks.com</p><p>v3.1_r2</p><p>http://www.anchorbooks.com/</p><p>For my mother and father,</p><p>Sawaran Kaur and Mehnga Singh</p><p>The urge to discover secrets is deeply ingrained in human</p><p>nature; even the least curious mind is roused by the</p><p>promise of sharing knowledge withheld from others. Some</p><p>are fortunate enough to �nd a job which consists in the</p><p>solution of mysteries, but most of us are driven to</p><p>sublimate this urge by the solving of arti�cial puzzles</p><p>devised for our entertainment. Detective stories or</p><p>crossword puzzles cater for the majority; the solution of</p><p>secret codes may be the pursuit of a few.</p><p>John Chadwick</p><p>The Decipherment of Linear B</p><p>Contents</p><p>Cover</p><p>About the Author</p><p>Other Books by This Author</p><p>Title Page</p><p>Copyright</p><p>Dedication</p><p>Epigraph</p><p>Introduction</p><p>1 The Cipher of Mary Queen of Scots</p><p>2 Le Chi�re Indéchi�rable</p><p>3 The Mechanization of Secrecy</p><p>4 Cracking the Enigma</p><p>5 The Language Barrier</p><p>6 Alice and Bob Go Public</p><p>7 Pretty Good Privacy</p><p>8 A Quantum Leap into the Future</p><p>The Cipher Challenge</p><p>Appendices</p><p>Glossary</p><p>Acknowledgments</p><p>Further Reading</p><p>file:///tmp/calibre_4.8.0_tmp_lQdxHR/uZyxh6_pdf_out/OEBPS/Sing_9780307787842_epub_cvi_r1.htm</p><p>Picture Credits</p><p>F</p><p>Introduction</p><p>or thousands of years, kings, queens and generals have relied on</p><p>e�cient communication in order to govern their countries and</p><p>command their armies. At the same time, they have all been aware</p><p>of the consequences of their messages falling into the wrong hands,</p><p>revealing precious secrets to rival nations and betraying vital</p><p>information to opposing forces. It was the threat of enemy</p><p>interception that motivated the development of codes and ciphers:</p><p>techniques for disguising a message so that only the intended</p><p>recipient can read it.</p><p>The desire for secrecy has meant that nations have operated</p><p>codemaking departments, responsible for ensuring the security of</p><p>communications by inventing and implementing the best possible</p><p>codes. At the same time, enemy codebreakers have attempted to</p><p>break these codes, and steal secrets. Codebreakers are linguistic</p><p>alchemists, a mystical tribe attempting to conjure sensible words out</p><p>of meaningless symbols. The history of codes and ciphers is the</p><p>story of the centuries-old battle between codemakers and</p><p>codebreakers, an intellectual arms race that has had a dramatic</p><p>impact on the course of history.</p><p>In writing The Code Book, I have had two main objectives. The</p><p>�rst is to chart the evolution of codes. Evolution is a wholly</p><p>appropriate term, because the development of codes can be viewed</p><p>as an evolutionary struggle. A code is constantly under attack from</p><p>codebreakers. When the codebreakers have developed a new</p><p>weapon that reveals a code’s weakness, then the code is no longer</p><p>useful. It either becomes extinct or it evolves into a new, stronger</p><p>code. In turn, this new code thrives only until the codebreakers</p><p>identify its weakness, and so on. This is analogous to the situation</p><p>facing, for example, a strain of infectious bacteria. The bacteria live,</p><p>thrive and survive until doctors discover an antibiotic that exposes a</p><p>weakness in the bacteria and kills them. The bacteria are forced to</p><p>evolve and outwit the antibiotic, and, if successful, they will thrive</p><p>once again and reestablish themselves. The bacteria are continually</p><p>forced to evolve in order to survive the onslaught of new antibiotics.</p><p>The ongoing battle between codemakers and codebreakers has</p><p>inspired a whole series of remarkable scienti�c breakthroughs. The</p><p>codemakers have continually striven to construct ever-stronger</p><p>codes for defending communications, while codebreakers have</p><p>continually invented more powerful methods for attacking them. In</p><p>their e�orts to destroy and preserve secrecy, both sides have drawn</p><p>upon a diverse range of disciplines and technologies, from</p><p>mathematics to linguistics, from information theory to quantum</p><p>theory. In return, codemakers and codebreakers have enriched these</p><p>subjects, and their work has accelerated technological development,</p><p>most notably in the case of the modern computer.</p><p>History is punctuated with codes. They have decided the</p><p>outcomes of battles and led to the deaths of kings and queens. I</p><p>have therefore been able to call upon stories of political intrigue and</p><p>tales of life and death to illustrate the key turning points in the</p><p>evolutionary development of codes. The history of codes is so</p><p>inordinately rich that I have been forced</p><p>ample opportunity to carry on a long-term a�air</p><p>with his wife. Toward the end of the sixteenth century the French</p><p>consolidated their codebreaking prowess with the arrival of François</p><p>Viète, who took particular pleasure in cracking Spanish ciphers.</p><p>Spain’s cryptographers, who appear to have been naive compared</p><p>with their rivals elsewhere in Europe, could not believe it when they</p><p>discovered that their messages were transparent to the French. King</p><p>Philip II of Spain went as far as petitioning the Vatican, claiming</p><p>that the only explanation for Viète’s cryptanalysis was that he was</p><p>an “arch�end in league with the devil.” Philip argued that Viète</p><p>should be tried before a Cardinal’s Court for his demonic deeds; but</p><p>the Pope, who was aware that his own cryptanalysts had been</p><p>reading Spanish ciphers for years, rejected the Spanish petition.</p><p>News of the petition soon reached cipher experts in various</p><p>countries, and Spanish cryptographers became the laughingstock of</p><p>Europe.</p><p>The Spanish embarrassment was symptomatic of the state of the</p><p>battle between cryptographers and cryptanalysts. This was a period</p><p>of transition, with cryptographers still relying on the</p><p>monoalphabetic substitution cipher, while cryptanalysts were</p><p>beginning to use frequency analysis to break it. Those yet to</p><p>discover the power of frequency analysis continued to trust</p><p>monoalphabetic substitution, ignorant of the extent to which</p><p>cryptanalysts such as Soro, Babou and Viète were able to read their</p><p>messages.</p><p>Meanwhile, countries that were alert to the weakness of the</p><p>straightforward monoalphabetic substitution cipher were anxious to</p><p>develop a better cipher, something that would protect their own</p><p>nation’s messages from being unscrambled by enemy cryptanalysts.</p><p>One of the simplest improvements to the security of the</p><p>monoalphabetic substitution cipher was the introduction of nulls,</p><p>symbols or letters that were not substitutes for actual letters, merely</p><p>blanks that represented nothing. For example, one could substitute</p><p>each plain letter with a number between 1 and 99, which would</p><p>leave 73 numbers that represent nothing, and these could be</p><p>randomly sprinkled throughout the ciphertext with varying</p><p>frequencies. The nulls would pose no problem to the intended</p><p>recipient, who would know that they were to be ignored. However,</p><p>the nulls would ba�e an enemy interceptor because they would</p><p>confuse an attack by frequency analysis. An equally simple</p><p>development was that cryptographers would sometimes deliberately</p><p>misspell words before encrypting the message. Thys haz thi ifekkt</p><p>o� diztaughting thi ballans o� frikwenseas—making it harder for</p><p>the cryptanalyst to apply frequency analysis. However, the intended</p><p>recipient, who knows the key, can unscramble the message and then</p><p>deal with the bad, but not unintelligible, spelling.</p><p>Another attempt to shore up the monoalphabetic substitution</p><p>cipher involved the introduction of codewords. The term code has a</p><p>very broad meaning in everyday language, and it is often used to</p><p>describe any method for communicating in secret. However, as</p><p>mentioned in the Introduction, it actually has a very speci�c</p><p>meaning, and applies only to a certain form of substitution. So far</p><p>we have concentrated on the idea of a substitution cipher, whereby</p><p>each letter is replaced by a di�erent letter, number or symbol.</p><p>However, it is also possible to have substitution at a much higher</p><p>level, whereby each word is represented by another word or symbol</p><p>—this would be a code. For example,</p><p>Technically, a code is de�ned as substitution at the level of words or</p><p>phrases, whereas a cipher is de�ned as substitution at the level of</p><p>letters. Hence the term encipher means to scramble a message using</p><p>a cipher, while encode means to scramble a message using a code.</p><p>Similarly, the term decipher applies to unscrambling an enciphered</p><p>message, and decode to unscrambling an encoded message. The</p><p>terms encrypt and decrypt are more general, and cover scrambling</p><p>and unscrambling with respect to both codes and ciphers. Figure 7</p><p>presents a brief summary of these de�nitions. In general, I shall</p><p>keep to these de�nitions, but when the sense is clear, I might use a</p><p>term such as “codebreaking” to describe a process that is really</p><p>“cipher breaking”-the latter phrase might be technically accurate,</p><p>but the former phrase is widely accepted.</p><p>Figure 7 The science of secret writing and its main branches.</p><p>At �rst sight, codes seem to o�er more security than ciphers,</p><p>because words are much less vulnerable to frequency analysis than</p><p>letters. To decipher a monoalphabetic cipher you need only identify</p><p>the true value of each of the 26 characters, whereas to decipher a</p><p>code you need to identify the true value of hundreds or even</p><p>thousands of codewords. However, if we examine codes in more</p><p>detail, we see that they su�er from two major practical failings</p><p>when compared with ciphers. First, once the sender and receiver</p><p>have agreed upon the 26 letters in the cipher alphabet (the key),</p><p>they can encipher any message, but to achieve the same level of</p><p>�exibility using a code they would need to go through the</p><p>painstaking task of de�ning a codeword for every one of the</p><p>thousands of possible plaintext words. The codebook would consist</p><p>of hundreds of pages, and would look something like a dictionary.</p><p>In other words, compiling a codebook is a major task, and carrying</p><p>it around is a major inconvenience.</p><p>Second, the consequences of having a codebook captured by the</p><p>enemy are devastating. Immediately, all the encoded</p><p>communications would become transparent to the enemy. The</p><p>senders and receivers would have to go through the painstaking</p><p>process of having to compile an entirely new codebook, and then</p><p>this hefty new tome would have to be distributed to everyone in the</p><p>communications network, which might mean securely transporting</p><p>it to every ambassador in every state. In comparison, if the enemy</p><p>succeeds in capturing a cipher key, then it is relatively easy to</p><p>compile a new cipher alphabet of 26 letters, which can be</p><p>memorized and easily distributed.</p><p>Even in the sixteenth century, cryptographers appreciated the</p><p>inherent weaknesses of codes, and instead relied largely on ciphers,</p><p>or sometimes nomenclators. A nomenclator is a system of encryption</p><p>that relies on a cipher alphabet, which is used to encrypt the</p><p>majority of a message, and a limited list of codewords. For example,</p><p>a nomenclator book might consist of a front page containing the</p><p>cipher alphabet, and then a second page containing a list of</p><p>codewords. Despite the addition of codewords, a nomenclator is not</p><p>much more secure than a straightforward cipher, because the bulk</p><p>of a message can be deciphered using frequency analysis, and the</p><p>remaining encoded words can be guessed from the context.</p><p>As well as coping with the introduction of the nomenclator, the</p><p>best cryptanalysts were also capable of dealing with badly spelled</p><p>messages and the presence of nulls. In short, they were able to break</p><p>the majority of encrypted messages. Their skills provided a steady</p><p>�ow of uncovered secrets, which in�uenced the decisions of their</p><p>masters and mistresses, thereby a�ecting Europe’s history at critical</p><p>moments.</p><p>Nowhere is the impact of cryptanalysis more dramatically</p><p>illustrated than in the case of Mary Queen of Scots. The outcome of</p><p>her trial depended wholly on the battle between her codemakers</p><p>and Queen Elizabeth’s codebreakers. Mary was one of the most</p><p>signi�cant �gures of the sixteenth century-Queen of Scotland,</p><p>Queen of France, pretender to the English throne-yet her fate would</p><p>be decided by a slip of paper, the message it bore, and whether or</p><p>not that message could be deciphered.</p><p>The Babington Plot</p><p>On November 24, 1542, the English forces of Henry VIII demolished</p><p>the Scottish army at the Battle of Solway Moss. It appeared that</p><p>Henry was on the verge of conquering Scotland and stealing the</p><p>crown of King James V. After the battle, the distraught Scottish king</p><p>su�ered a complete mental and physical breakdown, and withdrew</p><p>to the palace at Falkland.</p><p>Even the birth of a daughter, Mary, just</p><p>two weeks later could not revive the ailing king. It was as if he had</p><p>been waiting for news of an heir so that he could die in peace, safe</p><p>in the knowledge that he had done his duty. Just a week after</p><p>Mary’s birth, King James V, still only thirty years old, died. The</p><p>baby princess had become Mary Queen of Scots.</p><p>Mary was born prematurely, and initially there was considerable</p><p>concern that she would not survive. Rumors in England suggested</p><p>that the baby had died, but this was merely wishful thinking at the</p><p>English court, which was keen to hear any news that might</p><p>destabilize Scotland. In fact, Mary soon grew strong and healthy,</p><p>and at the age of nine months, on September 9, 1543, she was</p><p>crowned in the chapel of Stirling Castle, surrounded by three earls,</p><p>bearing on her behalf the royal crown, scepter and sword.</p><p>The fact that Queen Mary was so young o�ered Scotland a respite</p><p>from English incursions. It would have been deemed unchivalrous</p><p>had Henry VIII attempted to invade the country of a recently dead</p><p>king, now under the rule of an infant queen. Instead, the English</p><p>king decided on a policy of wooing Mary in the hope of arranging a</p><p>marriage between her and his son Edward, thereby uniting the two</p><p>nations under a Tudor sovereign. He began his maneuvering by</p><p>releasing the Scottish nobles captured at Solway Moss, on the</p><p>condition that they campaign in favor of a union with England.</p><p>However, after considering Henry’s o�er, the Scottish court</p><p>rejected it in favor of a marriage to Francis, the dauphin of France.</p><p>Scotland was choosing to ally itself with a fellow Roman Catholic</p><p>nation, a decision which pleased Mary’s mother, Mary of Guise,</p><p>whose own marriage with James V had been intended to cement the</p><p>relationship between Scotland and France. Mary and Francis were</p><p>still children, but the plan for the future was that they would</p><p>eventually marry, and Francis would ascend the throne of France</p><p>with Mary as his queen, thereby uniting Scotland and France. In the</p><p>meantime, France would defend Scotland against any English</p><p>onslaught.</p><p>The promise of protection was reassuring, particularly as Henry</p><p>VIII had switched from diplomacy to intimidation in order to</p><p>persuade the Scots that his own son was a more worthy groom for</p><p>Mary Queen of Scots. His forces committed acts of piracy, destroyed</p><p>crops, burned villages and attacked towns and cities along the</p><p>border. The “rough wooing,” as it is known, continued even after</p><p>Henry’s death in 1547. Under the auspices of his son, King Edward</p><p>VI (the would-be suitor), the attacks culminated in the Battle of</p><p>Pinkie Cleugh, in which the Scottish army was routed. As a result of</p><p>this slaughter it was decided that, for her own safety, Mary should</p><p>leave for France, beyond the reach of the English threat, where she</p><p>could prepare for her marriage to Francis. On August 7, 1548, at the</p><p>age of six, she set sail for the port of Rosco�.</p><p>Mary’s �rst few years in the French court would be the most</p><p>idyllic time of her life. She was surrounded by luxury, protected</p><p>from harm, and she grew to love her future husband, the dauphin.</p><p>At the age of sixteen they married, and the following year Francis</p><p>and Mary became King and Queen of France. Everything seemed set</p><p>for her triumphant return to Scotland, until her husband, who had</p><p>always su�ered from poor health, fell gravely ill. An ear infection</p><p>that he had nursed since a child had worsened, the in�ammation</p><p>spread toward his brain, and an abscess began to develop. In 1560,</p><p>within a year of being crowned, Francis was dead and Mary was</p><p>widowed.</p><p>From this point onward, Mary’s life would be repeatedly struck by</p><p>tragedy. She returned to Scotland in 1561, where she discovered a</p><p>transformed nation. During her long absence Mary had con�rmed</p><p>her Catholic faith, while her Scottish subjects had increasingly</p><p>moved toward the Protestant church. Mary tolerated the wishes of</p><p>the majority and at �rst reigned with relative success, but in 1565</p><p>she married her cousin, Henry Stewart, the Earl of Darnley, an act</p><p>that led to a spiral of decline. Darnley was a vicious and brutal man</p><p>whose ruthless greed for power lost Mary the loyalty of the Scottish</p><p>nobles. The following year Mary witnessed for herself the full horror</p><p>of her husband’s barbaric nature when he murdered David Riccio,</p><p>her secretary, in front of her. It became clear to everyone that for</p><p>the sake of Scotland it was necessary to get rid of Darnley.</p><p>Historians debate whether it was Mary or the Scottish nobles who</p><p>instigated the plot, but on the night of February 9, 1567, Darnley’s</p><p>house was blown up and, as he attempted to escape, he was</p><p>strangled. The only good to come from the marriage was a son and</p><p>heir, James.</p><p>Mary’s next marriage, to James Hepburn, the Fourth Earl of</p><p>Bothwell, was hardly more successful. By the summer of 1567 the</p><p>Protestant Scottish nobles had become completely disillusioned with</p><p>their Catholic Queen, and they exiled Bothwell and imprisoned</p><p>Mary, forcing her to abdicate in favor of her fourteen-month-old</p><p>son, James VI, while her half-brother, the Earl of Moray, acted as</p><p>regent. The next year, Mary escaped from her prison, gathered an</p><p>army of six thousand royalists, and made a �nal attempt to regain</p><p>her crown. Her soldiers confronted the regent’s army at the small</p><p>village of Langside, near Glasgow, and Mary witnessed the battle</p><p>from a nearby hilltop. Although her troops were greater in number,</p><p>they lacked discipline, and Mary watched as they were torn apart.</p><p>When defeat was inevitable, she �ed. Ideally she would have headed</p><p>east to the coast, and then on to France, but this would have meant</p><p>crossing territory loyal to her half-brother, and so instead she</p><p>headed south to England, where she hoped that her cousin Queen</p><p>Elizabeth I would provide refuge.</p><p>Mary had made a terrible misjudgment. Elizabeth o�ered Mary</p><p>nothing more than another prison. The o�cial reason for her arrest</p><p>was in connection with the murder of Darnley, but the true reason</p><p>was that Mary posed a threat to Elizabeth, because English Catholics</p><p>considered Mary to be the true queen of England. Through her</p><p>grandmother, Margaret Tudor, the elder sister of Henry VIII, Mary</p><p>did indeed have a claim to the throne, but Henry’s last surviving</p><p>o�spring, Elizabeth I, would seem to have a prior claim. However,</p><p>according to Catholics, Elizabeth was illegitimate because she was</p><p>the daughter of Anne Boleyn, Henry’s second wife after he had</p><p>divorced Catherine of Aragon in de�ance of the Pope. English</p><p>Catholics did not recognize Henry VIII’s divorce, they did not</p><p>acknowledge his ensuing marriage to Anne Boleyn, and they</p><p>certainly did not accept their daughter Elizabeth as Queen. Catholics</p><p>saw Elizabeth as a bastard usurper.</p><p>Mary was imprisoned in a series of castles and manors. Although</p><p>Elizabeth thought of her as one of the most dangerous �gures in</p><p>England, many Englishmen admitted that they admired her gracious</p><p>manner, her obvious intelligence and her great beauty. William</p><p>Cecil, Elizabeth’s Great Minister, commented on “her cunning and</p><p>sugared entertainment of all men,” and Nicholas White, Cecil’s</p><p>emissary, made a similar observation: “She hath withal an alluring</p><p>grace, a pretty Scotch accent, and a searching wit, clouded with</p><p>mildness.” But, as each year passed, her appearance waned, her</p><p>health deteriorated and she began to lose hope. Her jailer, Sir</p><p>Amyas Paulet, a Puritan, was immune to her charms, and treated</p><p>her with increasing harshness.</p><p>By 1586, after 18 years of imprisonment, she had lost all her</p><p>privileges. She was con�ned to Chartley Hall in Sta�ordshire, and</p><p>was no longer allowed to take the waters at Buxton, which had</p><p>previously helped to alleviate her frequent illnesses. On her last visit</p><p>to Buxton she used a diamond to inscribe a message on a</p><p>windowpane: “Buxton, whose warm waters have made thy name</p><p>famous, perchance I shall visit thee no more—Farewell.” It appears</p><p>that she suspected that she was about to lose what little freedom she</p><p>had. Mary’s growing sorrow was compounded</p><p>by the actions of her</p><p>nineteen-year-old son, King James VI of Scotland. She had always</p><p>hoped that one day she would escape and return to Scotland to</p><p>share power with her son, whom she had not seen since he was one</p><p>year old. However, James felt no such a�ection for his mother. He</p><p>had been brought up by Mary’s enemies, who had taught James that</p><p>his mother had murdered his father in order to marry her lover.</p><p>James despised her, and feared that if she returned then she might</p><p>seize his crown. His hatred toward Mary was demonstrated by the</p><p>fact that he had no qualms in seeking a marriage with Elizabeth I,</p><p>the woman responsible for his mother’s imprisonment (and who was</p><p>also thirty years his senior). Elizabeth declined the o�er.</p><p>Mary wrote to her son in an attempt to win him over, but her</p><p>letters never reached the Scottish border. By this stage, Mary was</p><p>more isolated then ever before: all her outgoing letters were</p><p>con�scated, and any incoming correspondence was kept by her</p><p>jailer. Mary’s morale was at its lowest, and it seemed that all hope</p><p>was lost. It was under these severe and desperate circumstances</p><p>that, on January 6, 1586, she received an astonishing package of</p><p>letters.</p><p>The letters were from Mary’s supporters on the Continent, and</p><p>they had been smuggled into her prison by Gilbert Gi�ord, a</p><p>Catholic who had left England in 1577 and trained as a priest at the</p><p>English College in Rome. Upon returning to England in 1585,</p><p>apparently keen to serve Mary, he immediately approached the</p><p>French Embassy in London, where a pile of correspondence had</p><p>accumulated. The Embassy had known that if they forwarded the</p><p>letters by the formal route, Mary would never see them. However</p><p>Gi�ord claimed that he could smuggle the letters into Chartley Hall,</p><p>and sure enough he lived up to his word. This delivery was the �rst</p><p>of many, and Gi�ord began a career as a courier, not only passing</p><p>messages to Mary but also collecting her replies. He had a rather</p><p>cunning way of sneaking letters into Chartley Hall. He took the</p><p>messages to a local brewer, who wrapped them in a leather packet,</p><p>which was then hidden inside a hollow bung used to seal a barrel of</p><p>beer. The brewer would deliver the barrel to Chartley Hall,</p><p>whereupon one of Mary’s servants would open the bung and take</p><p>the contents to the Queen of Scots. The process worked equally well</p><p>for getting messages out of Chartley Hall.</p><p>Meanwhile, unknown to Mary, a plan to rescue her was being</p><p>hatched in the taverns of London. At the center of the plot was</p><p>Anthony Babington, aged just twenty-four but already well known</p><p>in the city as a handsome, charming and witty bon viveur. What his</p><p>many admiring contemporaries failed to appreciate was that</p><p>Babington deeply resented the establishment, which had persecuted</p><p>him, his family and his faith. The state’s anti-Catholic policies had</p><p>reached new heights of horror, with priests being accused of</p><p>treason, and anybody caught harboring them punished by the rack,</p><p>mutilation and disemboweling while still alive. The Catholic mass</p><p>was o�cially banned, and families who remained loyal to the Pope</p><p>were forced to pay crippling taxes. Babington’s animosity was fueled</p><p>by the death of Lord Darcy, his great-grandfather, who was</p><p>beheaded for his involvement in the Pilgrimage of Grace, a Catholic</p><p>uprising against Henry VIII.</p><p>The conspiracy began one evening in March 1586, when</p><p>Babington and six con�dants gathered in The Plough, an inn outside</p><p>Temple Bar. As the historian Philip Caraman observed, “He drew to</p><p>himself by the force of his exceptional charm and personality many</p><p>young Catholic gentlemen of his own standing, gallant, adventurous</p><p>and daring in defense of the Catholic faith in its day of stress; and</p><p>ready for any arduous enterprise whatsoever that might advance the</p><p>common Catholic cause.” Over the next few months an ambitious</p><p>plan emerged to free Mary Queen of Scots, assassinate Queen</p><p>Elizabeth and incite a rebellion supported by an invasion from</p><p>abroad.</p><p>The conspirators were agreed that the Babington Plot, as it</p><p>became known, could not proceed without the blessing of Mary, but</p><p>there was no apparent way to communicate with her. Then, on July</p><p>6, 1586, Gi�ord arrived on Babington’s doorstep. He delivered a</p><p>letter from Mary, explaining that she had heard about Babington via</p><p>her supporters in Paris, and looked forward to hearing from him. In</p><p>reply, Babington compiled a detailed letter in which he outlined his</p><p>scheme, including a reference to the excommunication of Elizabeth</p><p>by Pope Pius V in 1570, which he believed legitimized her</p><p>assassination.</p><p>Myself with ten gentlemen and a hundred of our followers will undertake the delivery</p><p>of your royal person from the hands of your enemies. For the dispatch of the usurper,</p><p>from the obedience of whom we are by the excommunication of her made free, there</p><p>be six noble gentlemen, all my private friends, who for the zeal they bear to the</p><p>Catholic cause and your Majesty’s service will undertake that tragical execution.</p><p>As before, Gi�ord used his trick of putting the message in the bung</p><p>of a beer barrel in order to sneak it past Mary’s guards. This can be</p><p>considered a form of steganography, because the letter was being</p><p>hidden. As an extra precaution, Babington enciphered his letter so</p><p>that even if it was intercepted by Mary’s jailer, it would be</p><p>indecipherable and the plot would not be uncovered. He used a</p><p>cipher which was not a simple monoalphabetic substitution, but</p><p>rather a nomenclator, as shown in Figure 8. It consisted of 23</p><p>symbols that were to be substituted for the letters of the alphabet</p><p>(excluding j, v and w), along with 35 symbols representing words or</p><p>phrases. In addition, there were four nulls ( ) and a symbol</p><p>which signi�ed that the next symbol represents a double letter</p><p>(“dowbleth”).</p><p>Gi�ord was still a youth, even younger than Babington, and yet</p><p>he conducted his deliveries with con�dence and guile. His aliases,</p><p>such as Mr. Colerdin, Pietro and Cornelys, enabled him to travel the</p><p>country without suspicion, and his contacts within the Catholic</p><p>community provided him with a series of safe houses between</p><p>London and Chartley Hall. However, each time Gi�ord traveled to</p><p>or from Chartley Hall, he would make a detour. Although Gi�ord</p><p>was apparently acting as an agent for Mary, he was actually a</p><p>double agent. Back in 1585, before his return to England, Gi�ord</p><p>had written to Sir Francis Walsingham, Principal Secretary to Queen</p><p>Elizabeth, o�ering his services. Gi�ord realized that his Catholic</p><p>background would act as a perfect mask for in�ltrating plots against</p><p>Queen Elizabeth. In the letter to Walsingham, he wrote, “I have</p><p>heard of the work you do and I want to serve you. I have no</p><p>scruples and no fear of danger. Whatever you order me to do I will</p><p>accomplish.”</p><p>Figure 8 The nomenclator of Mary Queen of Scots, consisting of a cipher alphabet</p><p>and codewords.</p><p>Walsingham was Elizabeth’s most ruthless minister. He was a</p><p>Machiavellian �gure, a spymaster who was responsible for the</p><p>security of the monarch. He had inherited a small network of spies,</p><p>which he rapidly expanded into the Continent, where many of the</p><p>plots against Elizabeth were being hatched. After his death it was</p><p>discovered that he had been receiving regular reports from twelve</p><p>locations in France, nine in Germany, four in Italy, four in Spain and</p><p>three in the Low Countries, as well as having informants in</p><p>Constantinople, Algiers and Tripoli.</p><p>Walsingham recruited Gi�ord as a spy, and in fact it was</p><p>Walsingham who ordered Gi�ord to approach the French Embassy</p><p>and o�er himself as a courier. Each time Gi�ord collected a message</p><p>to or from Mary, he would �rst take it to Walsingham. The vigilant</p><p>spymaster would then pass it to his counterfeiters, who would break</p><p>the seal on each letter, make a copy, and then reseal the original</p><p>letter with an identical stamp before handing it back to Gi�ord. The</p><p>apparently untouched letter could then be delivered to Mary or her</p><p>correspondents, who remained oblivious to what was going on.</p><p>When Gi�ord handed Walsingham</p><p>a letter from Babington to</p><p>Mary, the �rst objective was to decipher it. Walsingham had</p><p>originally encountered codes and ciphers while reading a book</p><p>written by the Italian mathematician and cryptographer Girolamo</p><p>Cardano (who, incidentally, proposed a form of writing for the blind</p><p>based on touch, a precursor of Braille). Cardano’s book aroused</p><p>Walsingham’s interest, but it was a decipherment by the Flemish</p><p>cryptanalyst Philip van Marnix that really convinced him of the</p><p>power of having a codebreaker at his disposal. In 1577, Philip of</p><p>Spain was using ciphers to correspond with his half-brother and</p><p>fellow Catholic, Don John of Austria, who was in control of much of</p><p>the Netherlands. Philip’s letter described a plan to invade England,</p><p>but it was intercepted by William of Orange, who passed it to</p><p>Marnix, his cipher secretary. Marnix deciphered the plan, and</p><p>William passed the information to Daniel Rogers, an English agent</p><p>working on the Continent, who in turn warned Walsingham of the</p><p>invasion. The English reinforced their defenses, which was enough</p><p>to deter the invasion attempt.</p><p>Now fully aware of the value of cryptanalysis, Walsingham</p><p>established a cipher school in London and employed Thomas</p><p>Phelippes as his cipher secretary, a man “of low stature, slender</p><p>every way, dark yellow haired on the head, and clear yellow</p><p>bearded, eaten in the face with smallpox, of short sight, thirty years</p><p>of age by appearance.” Phelippes was a linguist who could speak</p><p>French, Italian, Spanish, Latin and German, and, more importantly,</p><p>he was one of Europe’s �nest cryptanalysts.</p><p>Upon receiving any message to or from Mary, Phelippes devoured</p><p>it. He was a master of frequency analysis, and it would be merely a</p><p>matter of time before he found a solution. He established the</p><p>frequency of each character, and tentatively proposed values for</p><p>those that appeared most often. When a particular approach hinted</p><p>at absurdity, he would backtrack and try alternative substitutions.</p><p>Gradually he would identify the nulls, the cryptographic red</p><p>herrings, and put them to one side. Eventually all that remained</p><p>were the handful of codewords, whose meaning could be guessed</p><p>from the context.</p><p>When Phelippes deciphered Babington’s message to Mary, which</p><p>clearly proposed the assassination of Elizabeth, he immediately</p><p>forwarded the damning text to his master. At this point Walsingham</p><p>could have pounced on Babington, but he wanted more than the</p><p>execution of a handful of rebels. He bided his time in the hope that</p><p>Mary would reply and authorize the plot, thereby incriminating</p><p>herself. Walsingham had long wished for the death of Mary Queen</p><p>of Scots, but he was aware of Elizabeth’s reluctance to execute her</p><p>cousin. However, if he could prove that Mary was endorsing an</p><p>attempt on the life of Elizabeth, then surely his queen would permit</p><p>the execution of her Catholic rival. Walsingham’s hopes were soon</p><p>ful�lled.</p><p>On July 17, Mary replied to Babington, e�ectively signing her</p><p>own death warrant. She explicitly wrote about the “design,”</p><p>showing particular concern that she should be released</p><p>simultaneously with, or before, Elizabeth’s assassination, otherwise</p><p>news might reach her jailer, who might then murder her. Before</p><p>reaching Babington, the letter made the usual detour to Phelippes.</p><p>Having cryptanalyzed the earlier message, he deciphered this one</p><p>with ease, read its contents, and marked it with a “ ”-the sign of the</p><p>gallows.</p><p>Walsingham had all the evidence he needed to arrest Mary and</p><p>Babington, but still he was not satis�ed. In order to destroy the</p><p>conspiracy completely, he needed the names of all those involved.</p><p>He asked Phelippes to forge a postscript to Mary’s letter, which</p><p>would entice Babington to name names. One of Phelippes’s</p><p>additional talents was as a forger, and it was said that he had the</p><p>ability “to write any man’s hand, if he had once seen it, as if the</p><p>man himself had writ it.” Figure 9 shows the postscript that was</p><p>added at the end of Mary’s letter to Babington. It can be deciphered</p><p>using Mary’s nomenclator, as shown in Figure 8, to reveal the</p><p>following plaintext:</p><p>I would be glad to know the names and qualities of the six gentlemen which are to</p><p>accomplish the designment; for it may be that I shall be able, upon knowledge of the</p><p>parties, to give you some further advice necessary to be followed therein, as also from</p><p>time to time particularly how you proceed: and as soon as you may, for the same</p><p>purpose, who be already, and how far everyone is privy hereunto.</p><p>The cipher of Mary Queen of Scots clearly demonstrates that a weak</p><p>encryption can be worse than no encryption at all. Both Mary and</p><p>Babington wrote explicitly about their intentions because they</p><p>believed that their communications were secure, whereas if they</p><p>had been communicating openly they would have referred to their</p><p>plan in a more discreet manner. Furthermore, their faith in their</p><p>cipher made them particularly vulnerable to accepting Phelippes’s</p><p>forgery. Sender and receiver often have such con�dence in the</p><p>strength of their cipher that they consider it impossible for the</p><p>enemy to mimic the cipher and insert forged text. The correct use of</p><p>a strong cipher is a clear boon to sender and receiver, but the</p><p>misuse of a weak cipher can generate a very false sense of security.</p><p>Figure 9 The forged postscript added by Thomas Phelippes to Mary’s message. It can</p><p>be deciphered by referring to Mary’s nomenclator (Figure 8). (photo credit 1.3)</p><p>Soon after receiving the message and its postscript, Babington</p><p>needed to go abroad to organize the invasion, and had to register at</p><p>Walsingham’s department in order to acquire a passport. This would</p><p>have been an ideal time to capture the traitor, but the bureaucrat</p><p>who was manning the o�ce, John Scudamore, was not expecting</p><p>the most wanted traitor in England to turn up at his door.</p><p>Scudamore, with no support to hand, took the unsuspecting</p><p>Babington to a nearby tavern, stalling for time while his assistant</p><p>organized a group of soldiers. A short while later a note arrived at</p><p>the tavern, informing Scudamore that it was time for the arrest.</p><p>Babington, however, caught sight of it. He casually said that he</p><p>would pay for the beer and meal and rose to his feet, leaving his</p><p>sword and coat at the table, implying that he would return in an</p><p>instant. Instead, he slipped out of the back door and escaped, �rst to</p><p>St. John’s Wood and then on to Harrow. He attempted to disguise</p><p>himself, cutting his hair short and staining his skin with walnut</p><p>juice to mask his aristocratic background. He managed to elude</p><p>capture for ten days, but by August 15, Babington and his six</p><p>colleagues were captured and brought to London. Church bells</p><p>across the city rang out in triumph. Their executions were horrid in</p><p>the extreme. In the words of the Elizabethan historian William</p><p>Camden, “they were all cut down, their privities were cut o�,</p><p>bowelled alive and seeing, and quartered.”</p><p>Meanwhile, on August 11, Mary Queen of Scots and her entourage</p><p>had been allowed the exceptional privilege of riding in the grounds</p><p>of Chartley Hall. As Mary crossed the moors she spied some</p><p>horsemen approaching, and immediately thought that these must be</p><p>Babington’s men coming to rescue her. It soon became clear that</p><p>these men had come to arrest her, not release her. Mary had been</p><p>implicated in the Babington Plot, and was charged under the Act of</p><p>Association, an Act of Parliament passed in 1584 speci�cally</p><p>designed to convict anybody involved in a conspiracy against</p><p>Elizabeth.</p><p>The trial was held in Fotheringhay Castle, a bleak, miserable place</p><p>in the middle of the featureless fens of East Anglia. It began on</p><p>Wednesday, October 15, in front of two chief justices, four other</p><p>judges, the Lord Chancellor, the Lord Treasurer, Walsingham, and</p><p>various earls, knights and barons. At the back of the courtroom</p><p>there was space for spectators, such as local villagers and the</p><p>servants of the commissioners, all eager to see the humiliated</p><p>Scottish queen beg forgiveness and plead for her life. However,</p><p>Mary remained digni�ed</p><p>and composed throughout the trial. Mary’s</p><p>main defense was to deny any connection with Babington. “Can I be</p><p>responsible for the criminal projects of a few desperate men,” she</p><p>proclaimed, “which they planned without my knowledge or</p><p>participation?” Her statement had little impact in the face of the</p><p>evidence against her.</p><p>Mary and Babington had relied on a cipher to keep their plans</p><p>secret, but they lived during a period when cryptography was being</p><p>weakened by advances in cryptanalysis. Although their cipher</p><p>would have been su�cient protection against the prying eyes of an</p><p>amateur, it stood no chance against an expert in frequency analysis.</p><p>In the spectators’ gallery sat Phelippes, quietly watching the</p><p>presentation of the evidence that he had conjured from the</p><p>enciphered letters.</p><p>The trial went into a second day, and Mary continued to deny any</p><p>knowledge of the Babington Plot. When the trial �nished, she left</p><p>the judges to decide her fate, pardoning them in advance for the</p><p>inevitable decision. Ten days later, the Star Chamber met in</p><p>Westminster and concluded that Mary had been guilty of</p><p>“compassing and imagining since June 1st matters tending to the</p><p>death and destruction of the Queen of England.” They recommended</p><p>the death penalty, and Elizabeth signed the death warrant.</p><p>On February 8, 1587, in the Great Hall of Fotheringhay Castle, an</p><p>audience of three hundred gathered to watch the beheading.</p><p>Walsingham was determined to minimize Mary’s in�uence as a</p><p>martyr, and he ordered that the block, Mary’s clothing, and</p><p>everything else relating to the execution be burned in order to avoid</p><p>the creation of any holy relics. He also planned a lavish funeral</p><p>procession for his son-in-law, Sir Philip Sidney, to take place the</p><p>following week. Sidney, a popular and heroic �gure, had died</p><p>�ghting Catholics in the Netherlands, and Walsingham believed that</p><p>a magni�cent parade in his honor would dampen sympathy for</p><p>Mary. However, Mary was equally determined that her �nal</p><p>appearance should be a de�ant gesture, an opportunity to rea�rm</p><p>her Catholic faith and inspire her followers.</p><p>While the Dean of Peterborough led the prayers, Mary spoke</p><p>aloud her own prayers for the salvation of the English Catholic</p><p>Church, for her son and for Elizabeth. With her family motto, “In</p><p>my end is my beginning,” in her mind, she composed herself and</p><p>approached the block. The executioners requested her forgiveness,</p><p>and she replied, “I forgive you with all my heart, for now I hope you</p><p>shall make an end of all my troubles.” Richard Wing�eld, in his</p><p>Narration of the Last Days of the Queen of Scots, describes her �nal</p><p>moments:</p><p>Then she laide herself upon the blocke most quietlie, & stretching out her armes &</p><p>legges cryed out In manus tuas domine three or foure times, & at the laste while one</p><p>of the executioners held her slightlie with one of his handes, the other gave two</p><p>strokes with an axe before he cutt of her head, & yet lefte a little gristle behinde at</p><p>which time she made verie small noyse & stirred not any parte of herself from the</p><p>place where she laye … Her lipps stirred up & downe almost a quarter of an hower</p><p>after her head was cutt of. Then one of her executioners plucking of her garters espied</p><p>her little dogge which was crept under her clothes which could not be gotten forth</p><p>but with force & afterwardes could not depart from her dead corpse, but came and</p><p>laye betweene her head & shoulders a thing dilligently noted.</p><p>Figure 10 The execution of Mary Queen of Scots. (photo credit 1.4)</p><p>F</p><p>2 Le Chi�re Indéchi�rable</p><p>or centuries, the simple monoalphabetic substitution cipher had</p><p>been su�cient to ensure secrecy. The subsequent development</p><p>of frequency analysis, �rst in the Arab world and then in Europe,</p><p>destroyed its security. The tragic execution of Mary Queen of Scots</p><p>was a dramatic illustration of the weaknesses of monoalphabetic</p><p>substitution, and in the battle between cryptographers and</p><p>cryptanalysts it was clear that the cryptanalysts had gained the</p><p>upper hand. Anybody sending an encrypted message had to accept</p><p>that an expert enemy codebreaker might intercept and decipher</p><p>their most precious secrets.</p><p>The onus was clearly on the cryptographers to concoct a new,</p><p>stronger cipher, something that could outwit the cryptanalysts.</p><p>Although this cipher would not emerge until the end of the</p><p>sixteenth century, its origins can be traced back to the �fteenth-</p><p>century Florentine polymath Leon Battista Alberti. Born in 1404,</p><p>Alberti was one of the leading �gures of the Renaissance-a painter,</p><p>composer, poet and philosopher, as well as the author of the �rst</p><p>scienti�c analysis of perspective, a treatise on the house�y and a</p><p>funeral oration for his dog. He is probably best known as an</p><p>architect, having designed Rome’s �rst Trevi Fountain and having</p><p>written De re aedi�catoria, the �rst printed book on architecture,</p><p>which acted as a catalyst for the transition from Gothic to</p><p>Renaissance design.</p><p>Sometime in the 1460s, Alberti was wandering through the</p><p>gardens of the Vatican when he bumped into his friend Leonardo</p><p>Dato, the ponti�cal secretary, who began chatting to him about</p><p>some of the �ner points of cryptography. This casual conversation</p><p>prompted Alberti to write an essay on the subject, outlining what he</p><p>believed to be a new form of cipher. At the time, all substitution</p><p>ciphers required a single cipher alphabet for encrypting each</p><p>message. However, Alberti proposed using two or more cipher</p><p>alphabets, switching between them during encipherment, thereby</p><p>confusing potential cryptanalysts.</p><p>For example, here we have two possible cipher alphabets, and we</p><p>could encrypt a message by alternating between them. To encrypt</p><p>the message hello, we would encrypt the �rst letter according to the</p><p>�rst cipher alphabet, so that h becomes A, but we would encrypt the</p><p>second letter according to the second cipher alphabet, so that e</p><p>becomes F. To encrypt the third letter we return to the �rst cipher</p><p>alphabet, and to encrypt the fourth letter we return to the second</p><p>alphabet. This means that the �rst l is enciphered as P, but the</p><p>second l is enciphered as A. The �nal letter, o, is enciphered</p><p>according to the �rst cipher alphabet and becomes D. The complete</p><p>ciphertext reads AFPAD. The crucial advantage of Alberti’s system is</p><p>that the same letter in the plaintext does not necessarily appear as</p><p>the same letter in the ciphertext, so the repeated l in hello is</p><p>enciphered di�erently in each case. Similarly, the repeated A in the</p><p>ciphertext represents a di�erent plaintext letter in each case, �rst h</p><p>and then l.</p><p>Although he had hit upon the most signi�cant breakthrough in</p><p>encryption for over a thousand years, Alberti failed to develop his</p><p>concept into a fully formed system of encryption. That task fell to a</p><p>diverse group of intellectuals, who built on his initial idea. First</p><p>came Johannes Trithemius, a German abbot born in 1462, then</p><p>Giovanni Porta, an Italian scientist born in 1535, and �nally Blaise</p><p>de Vigenère, a French diplomat born in 1523. Vigenère became</p><p>acquainted with the writings of Alberti, Trithemius and Porta when,</p><p>at the age of twenty-six, he was sent to Rome on a two-year</p><p>diplomatic mission. To start with, his interest in cryptography was</p><p>purely practical and was linked to his diplomatic work. Then, at the</p><p>age of thirty-nine, Vigenère decided that he had accumulated</p><p>enough money for him to be able to abandon his career and</p><p>concentrate on a life of study. It was only then that he examined in</p><p>detail the ideas of Alberti, Trithemius and Porta, weaving them into</p><p>a coherent and powerful new cipher.</p><p>Figure 11 Blaise de Vigenère. (photo credit 2.1)</p><p>Although Alberti, Trithemius and Porta all made vital</p><p>contributions, the cipher is known as the Vigenère cipher in honor</p><p>of the man who developed it into its �nal form. The strength of the</p><p>Vigenère cipher lies in its using not one, but 26 distinct cipher</p><p>alphabets to encrypt a message. The �rst step in encipherment is to</p><p>draw up a so-called Vigenère square, as shown in Table 3, a</p><p>plaintext alphabet followed by</p><p>26 cipher alphabets, each shifted by</p><p>one letter with respect to the previous alphabet. Hence, row 1</p><p>represents a cipher alphabet with a Caesar shift of 1, which means</p><p>that it could be used to implement a Caesar shift cipher in which</p><p>every letter of the plaintext is replaced by the letter one place</p><p>further on in the alphabet. Similarly, row 2 represents a cipher</p><p>alphabet with a Caesar shift of 2, and so on. The top row of the</p><p>square, in lower case, represents the plaintext letters. You could</p><p>encipher each plaintext letter according to any one of the 26 cipher</p><p>alphabets. For example, if cipher alphabet number 2 is used, then</p><p>the letter a is enciphered as C, but if cipher alphabet number 12 is</p><p>used, then a is enciphered as M.</p><p>Table 3 A Vigenère square.</p><p>If the sender were to use just one of the cipher alphabets to</p><p>encipher an entire message, this would e�ectively be a simple</p><p>Caesar cipher, which would be a very weak form of encryption,</p><p>easily deciphered by an enemy interceptor. However, in the</p><p>Vigenère cipher a di�erent row of the Vigenère square (a di�erent</p><p>cipher alphabet) is used to encrypt di�erent letters of the message.</p><p>In other words, the sender might encrypt the �rst letter according to</p><p>row 5, the second according to row 14, the third according to row</p><p>21, and so on.</p><p>To unscramble the message, the intended receiver needs to know</p><p>which row of the Vigenère square has been used to encipher each</p><p>letter, so there must be an agreed system of switching between</p><p>rows. This is achieved by using a keyword. To illustrate how a</p><p>keyword is used with the Vigenère square to encrypt a short</p><p>message, let us encipher divert troops to east ridge, using the</p><p>keyword WHITE. First of all, the keyword is spelled out above the</p><p>message, and repeated over and over again so that each letter in the</p><p>message is associated with a letter from the keyword. The ciphertext</p><p>is then generated as follows. To encrypt the �rst letter, d, begin by</p><p>identifying the key letter above it, W, which in turn de�nes a</p><p>particular row in the Vigenère square. The row beginning with W,</p><p>row 22, is the cipher alphabet that will be used to �nd the substitute</p><p>letter for the plaintext d. We look to see where the column headed</p><p>by d intersects the row beginning with W, which turns out to be at</p><p>the letter Z. Consequently, the letter d in the plaintext is represented</p><p>by Z in the ciphertext.</p><p>To encipher the second letter of the message, i, the process is</p><p>repeated. The key letter above i is H, so it is encrypted via a</p><p>di�erent row in the Vigenère square: the H row (row 7) which is a</p><p>new cipher alphabet. To encrypt i, we look to see where the column</p><p>headed by i intersects the row beginning with H, which turns out to</p><p>be at the letter P. Consequently, the letter i in the plaintext is</p><p>represented by P in the ciphertext. Each letter of the keyword</p><p>indicates a particular cipher alphabet within the Vigenère square,</p><p>and because the keyword contains �ve letters, the sender encrypts</p><p>the message by cycling through �ve rows of the Vigenère square.</p><p>The �fth letter of the message is enciphered according to the �fth</p><p>letter of the keyword, E, but to encipher the sixth letter of the</p><p>message we have to return to the �rst letter of the keyword. A</p><p>longer keyword, or perhaps a keyphrase, would bring more rows</p><p>into the encryption process and increase the complexity of the</p><p>cipher. Table 4 shows a Vigenère square, highlighting the �ve rows</p><p>(i.e., the �ve cipher alphabets) de�ned by the keyword WHITE.</p><p>Table 4 A Vigenère square with the rows de�ned by the keyword WHITE highlighted.</p><p>Encryption is achieved by switching between the �ve highlighted cipher alphabets, de�ned</p><p>by W, H, I, T and E.</p><p>The great advantage of the Vigenère cipher is that it is</p><p>impregnable to the frequency analysis described in Chapter 1. For</p><p>example, a cryptanalyst applying frequency analysis to a piece of</p><p>ciphertext would usually begin by identifying the most common</p><p>letter in the ciphertext, which in this case is Z, and then assume that</p><p>this represents the most common letter in English, e. In fact, the</p><p>letter Z represents three di�erent letters, d, r and s, but not e. This is</p><p>clearly a problem for the cryptanalyst. The fact that a letter which</p><p>appears several times in the ciphertext can represent a di�erent</p><p>plaintext letter on each occasion generates tremendous ambiguity</p><p>for the cryptanalyst. Equally confusing is the fact that a letter which</p><p>appears several times in the plaintext can be represented by</p><p>di�erent letters in the ciphertext. For example, the letter o is</p><p>repeated in troops, but it is substituted by two di�erent letters—the</p><p>oo is enciphered as HS.</p><p>As well as being invulnerable to frequency analysis, the Vigenère</p><p>cipher has an enormous number of keys. The sender and receiver</p><p>can agree on any word in the dictionary, any combination of words,</p><p>or even fabricate words. A cryptanalyst would be unable to crack</p><p>the message by searching all possible keys because the number of</p><p>options is simply too great.</p><p>Vigenère’s work culminated in his Traicté des Chi�res (“A Treatise</p><p>on Secret Writing”), published in 1586. Ironically, this was the same</p><p>year that Thomas Phelippes was breaking the cipher of Mary Queen</p><p>of Scots. If only Mary’s secretary had read this treatise, he would</p><p>have known about the Vigenère cipher, Mary’s messages to</p><p>Babington would have ba�ed Phelippes, and her life might have</p><p>been spared.</p><p>Because of its strength and its guarantee of security, it would</p><p>seem natural that the Vigenère cipher would be rapidly adopted by</p><p>cipher secretaries around Europe. Surely they would be relieved to</p><p>have access, once again, to a secure form of encryption? On the</p><p>contrary, cipher secretaries seem to have spurned the Vigenère</p><p>cipher. This apparently �awless system would remain largely</p><p>neglected for the next two centuries.</p><p>From Shunning Vigenère to the Man in the Iron Mask</p><p>The traditional forms of substitution cipher, those that existed</p><p>before the Vigenère cipher, were called monoalphabetic substitution</p><p>ciphers because they used only one cipher alphabet per message. In</p><p>contrast, the Vigenère cipher belongs to a class known as</p><p>polyalphabetic, because it employs several cipher alphabets per</p><p>message. The polyalphabetic nature of the Vigenère cipher is what</p><p>gives it its strength, but it also makes it much more complicated to</p><p>use. The additional e�ort required in order to implement the</p><p>Vigenère cipher discouraged many people from employing it.</p><p>For many seventeenth-century purposes, the monoalphabetic</p><p>substitution cipher was perfectly adequate. If you wanted to ensure</p><p>that your servant was unable to read your private correspondence,</p><p>or if you wanted to protect your diary from the prying eyes of your</p><p>spouse, then the old-fashioned type of cipher was ideal.</p><p>Monoalphabetic substitution was quick, easy to use, and secure</p><p>against people unschooled in cryptanalysis. In fact, the simple</p><p>monoalphabetic substitution cipher endured in various forms for</p><p>many centuries (see Appendix D). For more serious applications,</p><p>such as military and government communications, where security</p><p>was paramount, the straightforward monoalphabetic cipher was</p><p>clearly inadequate. Professional cryptographers in combat with</p><p>professional cryptanalysts needed something better, yet they were</p><p>still reluctant to adopt the polyalphabetic cipher because of its</p><p>complexity. Military communications, in particular, required speed</p><p>and simplicity, and a diplomatic o�ce might be sending and</p><p>receiving hundreds of messages each day, so time was of the</p><p>essence. Consequently, cryptographers searched for an intermediate</p><p>cipher, one that was harder to crack than a straightforward</p><p>monoalphabetic cipher, but one that was simpler to implement than</p><p>a polyalphabetic cipher.</p><p>The various candidates included the remarkably e�ective</p><p>homophonic substitution cipher. Here, each letter is replaced with a</p><p>variety of substitutes, the number of potential substitutes being</p><p>proportional to the frequency of the letter. For example, the letter a</p><p>accounts for roughly 8 per cent</p><p>of all letters in written English, and</p><p>so we would assign eight symbols to represent it. Each time a</p><p>appears in the plaintext it would be replaced in the ciphertext by</p><p>one of the eight symbols chosen at random, so that by the end of the</p><p>encipherment each symbol would constitute roughly 1 per cent of</p><p>the enciphered text. By comparison, the letter b accounts for only 2</p><p>per cent of all letters, and so we would assign only two symbols to</p><p>represent it. Each time b appears in the plaintext either of the two</p><p>symbols could be chosen, and by the end of the encipherment each</p><p>symbol would also constitute roughly 1 per cent of the enciphered</p><p>text. This process of allotting varying numbers of symbols to act as</p><p>substitutes for each letter continues throughout the alphabet, until</p><p>we get to z, which is so rare that it has only one symbol to act as a</p><p>substitute. In the example given in Table 5, the substitutes in the</p><p>cipher alphabet happen to be two-digit numbers, and there are</p><p>between one and twelve substitutes for each letter in the plain</p><p>alphabet, depending on each letter’s relative abundance.</p><p>We can think of all the two-digit numbers that correspond to the</p><p>plaintext letter a as e�ectively representing the same sound in the</p><p>ciphertext, namely the sound of the letter a. Hence the origin of the</p><p>term homophonic substitution, homos meaning “same” and phonos</p><p>meaning “sound” in Greek. The point of o�ering several substitution</p><p>options for popular letters is to balance out the frequencies of</p><p>symbols in the ciphertext. If we enciphered a message using the</p><p>cipher alphabet in Table 5, then every number would constitute</p><p>roughly 1 per cent of the entire text. If no symbol appears more</p><p>frequently than any other, then this would appear to defy any</p><p>potential attack via frequency analysis. Perfect security? Not quite.</p><p>Table 5 An example of a homophonic substitution cipher. The top row represents the plain</p><p>alphabet, while the numbers below represent the cipher alphabet, with several options for</p><p>frequently occurring letters.</p><p>The ciphertext still contains many subtle clues for the clever</p><p>cryptanalyst. As we saw in Chapter 1, each letter in the English</p><p>language has its own personality, de�ned according to its</p><p>relationship with all the other letters, and these traits can still be</p><p>discerned even if the encryption is by homophonic substitution. In</p><p>English, the most extreme example of a letter with a distinct</p><p>personality is the letter q, which is only followed by one letter,</p><p>namely u. If we were attempting to decipher a ciphertext, we might</p><p>begin by noting that q is a rare letter, and is therefore likely to be</p><p>represented by just one symbol, and we know that u, which</p><p>accounts for roughly 3 per cent of all letters, is probably represented</p><p>by three symbols. So, if we �nd a symbol in the ciphertext that is</p><p>only ever followed by three particular symbols, then it would be</p><p>sensible to assume that the �rst symbol represents q and the other</p><p>three symbols represent u. Other letters are harder to spot, but are</p><p>also betrayed by their relationships to one another. Although the</p><p>homophonic cipher is breakable, it is much more secure than a</p><p>straightforward monoalphabetic cipher.</p><p>A homophonic cipher might seem similar to a polyalphabetic</p><p>cipher inasmuch as each plaintext letter can be enciphered in many</p><p>ways, but there is a crucial di�erence, and the homophonic cipher is</p><p>in fact a type of monoalphabetic cipher. In the table of homophones</p><p>shown above, the letter a can be represented by eight numbers.</p><p>Signi�cantly, these eight numbers represent only the letter a. In</p><p>other words, a plaintext letter can be represented by several</p><p>symbols, but each symbol can only represent one letter. In a</p><p>polyalphabetic cipher, a plaintext letter will also be represented by</p><p>di�erent symbols, but, even more confusingly, these symbols will</p><p>represent di�erent letters during the course of an encipherment.</p><p>Perhaps the fundamental reason why the homophonic cipher is</p><p>considered monoalphabetic is that once the cipher alphabet has</p><p>been established, it remains constant throughout the process of</p><p>encryption. The fact that the cipher alphabet contains several</p><p>options for encrypting each letter is irrelevant. However, a</p><p>cryptographer who is using a polyalphabetic cipher must</p><p>continually switch between distinctly di�erent cipher alphabets</p><p>during the process of encryption.</p><p>By tweaking the basic monoalphabetic cipher in various ways,</p><p>such as adding homophones, it became possible to encrypt messages</p><p>securely, without having to resort to the complexities of the</p><p>polyalphabetic cipher. One of the strongest examples of an</p><p>enhanced monoalphabetic cipher was the Great Cipher of Louis XIV.</p><p>The Great Cipher was used to encrypt the king’s most secret</p><p>messages, protecting details of his plans, plots and political</p><p>schemings. One of these messages mentioned one of the most</p><p>enigmatic characters in French history, the Man in the Iron Mask,</p><p>but the strength of the Great Cipher meant that the message and its</p><p>remarkable contents would remain undeciphered and unread for</p><p>two centuries.</p><p>The Great Cipher was invented by the father-and-son team of</p><p>Antoine and Bonaventure Rossignol. Antoine had �rst come to</p><p>prominence in 1626 when he was given a coded letter captured</p><p>from a messenger leaving the besieged city of Réalmont. Before the</p><p>end of the day he had deciphered the letter, revealing that the</p><p>Huguenot army which held the city was on the verge of collapse.</p><p>The French, who had previously been unaware of the Huguenots’</p><p>desperate plight, returned the letter accompanied by a</p><p>decipherment. The Huguenots, who now knew that their enemy</p><p>would not back down, promptly surrendered. The decipherment had</p><p>resulted in a painless French victory.</p><p>The power of codebreaking became obvious, and the Rossignols</p><p>were appointed to senior positions in the court. After serving Louis</p><p>XIII, they then acted as cryptanalysts for Louis XIV, who was so</p><p>impressed that he moved their o�ces next to his own apartments so</p><p>that Rossignol père et �ls could play a central role in shaping French</p><p>diplomatic policy. One of the greatest tributes to their abilities is</p><p>that the word rossignol became French slang for a device that picks</p><p>locks, a re�ection of their ability to unlock ciphers.</p><p>The Rossignols’ prowess at cracking ciphers gave them an insight</p><p>into how to create a stronger form of encryption, and they invented</p><p>the so-called Great Cipher. The Great Cipher was so secure that it</p><p>de�ed the e�orts of all enemy cryptanalysts attempting to steal</p><p>French secrets. Unfortunately, after the death of both father and</p><p>son, the Great Cipher fell into disuse and its exact details were</p><p>rapidly lost, which meant that enciphered papers in the French</p><p>archives could no longer be read. The Great Cipher was so strong</p><p>that it even de�ed the e�orts of subsequent generations of</p><p>codebreakers.</p><p>Historians knew that the papers encrypted by the Great Cipher</p><p>would o�er a unique insight into the intrigues of seventeenth-</p><p>century France, but even by the end of the nineteenth century they</p><p>were still unable to decipher them. Then, in 1890, Victor Gendron, a</p><p>military historian researching the campaigns of Louis XIV,</p><p>unearthed a new series of letters enciphered with the Great Cipher.</p><p>Unable to make sense of them, he passed them on to Commandant</p><p>Étienne Bazeries, a distinguished expert in the French Army’s</p><p>Cryptographic Department. Bazeries viewed the letters as the</p><p>ultimate challenge, and he spent the next three years of his life</p><p>attempting to decipher them.</p><p>The encrypted pages contained thousands of numbers, but only</p><p>587 di�erent ones. It was clear that the Great Cipher was more</p><p>complicated than a straightforward substitution cipher, because this</p><p>would require just 26 di�erent numbers, one for each letter.</p><p>Initially, Bazeries thought that the surplus of numbers represented</p><p>homophones, and that several numbers represented the same letter.</p><p>Exploring this avenue took months of painstaking e�ort, all to no</p><p>avail. The Great Cipher was not a homophonic cipher.</p><p>Next, he hit upon the idea that each number might represent a</p><p>pair of letters, or a digraph. There are only 26 individual letters, but</p><p>there are 676 possible pairs of letters, and this is roughly equal to</p><p>the variety of numbers in the ciphertexts. Bazeries attempted a</p><p>decipherment by looking for the most frequent numbers in the</p><p>ciphertexts (22, 42, 124, 125 and 341), assuming that these</p><p>probably stood for the commonest French digraphs (es, en, ou, de,</p><p>nt). In e�ect, he was applying frequency analysis at the level of</p><p>pairs of letters. Unfortunately, again after months of work, this</p><p>theory also failed to yield any meaningful decipherments.</p><p>Bazeries must have been on the point of abandoning his</p><p>obsession, when a new line of attack occurred to him. Perhaps the</p><p>digraph idea was not so far from the truth. He began to consider the</p><p>possibility that each number represented not a pair of letters, but</p><p>rather a whole syllable. He attempted to match each number to a</p><p>syllable, the most frequently occurring numbers presumably</p><p>representing the commonest French syllables. He tried various</p><p>tentative permutations, but they all resulted in gibberish—until he</p><p>succeeded in identifying one particular word. A cluster of numbers</p><p>(124-22-125-46-345) appeared several times on each page, and</p><p>Bazeries postulated that they represented les-en-ne-mi-s, that is, “les</p><p>ennemis.” This proved to be a crucial breakthrough.</p><p>Bazeries was then able to continue by examining other parts of</p><p>the ciphertexts where these numbers appeared within di�erent</p><p>words. He then inserted the syllabic values derived from “les</p><p>ennemis,” which revealed parts of other words. As crossword</p><p>addicts know, when a word is partly completed it is often possible</p><p>to guess the remainder of the word. As Bazeries completed new</p><p>words, he also identi�ed further syllables, which in turn led to other</p><p>words, and so on. Frequently he would be stumped, partly because</p><p>the syllabic values were never obvious, partly because some of the</p><p>numbers represented single letters rather than syllables, and partly</p><p>because the Rossignols had laid traps within the cipher. For</p><p>example, one number represented neither a syllable nor a letter, but</p><p>instead deviously deleted the previous number.</p><p>When the decipherment was eventually completed, Bazeries</p><p>became the �rst person for two hundred years to witness the secrets</p><p>of Louis XIV. The newly deciphered material fascinated historians,</p><p>who focused on one tantalizing letter in particular. It seemed to</p><p>solve one of the great mysteries of the seventeenth century: the true</p><p>identity of the Man in the Iron Mask.</p><p>The Man in the Iron Mask has been the subject of much</p><p>speculation ever since he was �rst imprisoned at the French fortress</p><p>of Pignerole in Savoy. When he was transferred to the Bastille in</p><p>1698, peasants tried to catch a glimpse of him, and variously</p><p>reported him as being short or tall, fair or dark, young or old. Some</p><p>even claimed that he was a she. With so few facts, everyone from</p><p>Voltaire to Benjamin Franklin concocted their own theory to explain</p><p>the case of the Man in the Iron Mask. The most popular conspiracy</p><p>theory relating to the Mask (as he is sometimes called) suggests that</p><p>he was the twin of Louis XIV, condemned to imprisonment in order</p><p>to avoid any controversy over who was the rightful heir to the</p><p>throne. One version of this theory argues that there existed</p><p>descendants of the Mask and an associated hidden royal bloodline.</p><p>A pamphlet published in 1801 said that Napoleon himself was a</p><p>descendant of the Mask, a rumor which, since it enhanced his</p><p>position, the emperor did not deny.</p><p>The myth of the Mask even inspired poetry, prose and drama. In</p><p>1848 Victor Hugo had begun writing a play entitled Twins, but</p><p>when he found that Alexandre Dumas had already plumped for the</p><p>same plot, he abandoned the two acts he had written. Ever since, it</p><p>has been Dumas’s name that we associate with the story of the Man</p><p>in the Iron Mask. The success of his novel reinforced the idea that</p><p>the Mask was related to the king, and this theory has persisted</p><p>despite the evidence revealed in one of Bazeries’s decipherments.</p><p>Bazeries had deciphered a letter written by François de Louvois,</p><p>Louis XIV’s Minister of War, which began by recounting the crimes</p><p>of Vivien de Bulonde, the commander responsible for leading an</p><p>attack on the town of Cuneo, on the French-Italian border. Although</p><p>he was ordered to stand his ground, Bulonde became concerned</p><p>about the arrival of enemy troops from Austria and �ed, leaving</p><p>behind his munitions and abandoning many of his wounded</p><p>soldiers. According to the Minister of War, these actions jeopardized</p><p>the whole Piedmont campaign, and the letter made it clear that the</p><p>king viewed Bulonde’s actions as an act of extreme cowardice:</p><p>His Majesty knows better than any other person the consequences of this act, and he</p><p>is also aware of how deeply our failure to take the place will prejudice our cause, a</p><p>failure which must be repaired during the winter. His Majesty desires that you</p><p>immediately arrest General Bulonde and cause him to be conducted to the fortress of</p><p>Pignerole, where he will be locked in a cell under guard at night, and permitted to</p><p>walk the battlements during the day with a mask.</p><p>This was an explicit reference to a masked prisoner at Pignerole,</p><p>and a su�ciently serious crime, with dates that seem to �t the myth</p><p>of the Man in the Iron Mask. Does this solve the mystery? Not</p><p>surprisingly, those favoring more conspiratorial solutions have</p><p>found �aws in Bulonde as a candidate. For example, there is the</p><p>argument that if Louis XIV was actually attempting to secretly</p><p>imprison his unacknowledged twin, then he would have left a series</p><p>of false trails. Perhaps the encrypted letter was meant to be</p><p>deciphered. Perhaps the nineteenth-century codebreaker Bazeries</p><p>had fallen into a seventeenth-century trap.</p><p>The Black Chambers</p><p>Reinforcing the monoalphabetic cipher by applying it to syllables or</p><p>adding homophones might have been su�cient during the 1600s,</p><p>but by the 1700s cryptanalysis was becoming industrialized, with</p><p>teams of government cryptanalysts working together to crack many</p><p>of the most complex monoalphabetic ciphers. Each European power</p><p>had its own so-called Black Chamber, a nerve center for deciphering</p><p>messages and gathering intelligence. The most celebrated,</p><p>disciplined and e�cient Black Chamber was the Geheime Kabinets-</p><p>Kanzlei in Vienna.</p><p>It operated according to a rigorous timetable, because it was vital</p><p>that its nefarious activities should not interrupt the smooth running</p><p>of the postal service. Letters which were supposed to be delivered to</p><p>embassies in Vienna were �rst routed via the Black Chamber,</p><p>arriving at 7 A.M. Secretaries melted seals, and a team of</p><p>stenographers worked in parallel to make copies of the letters. If</p><p>necessary, a language specialist would take responsibility for</p><p>duplicating unusual scripts. Within three hours the letters had been</p><p>resealed in their envelopes and returned to the central post o�ce, so</p><p>that they could be delivered to their intended destination. Mail</p><p>merely in transit through Austria would arrive at the Black Chamber</p><p>at 10 A.M., and mail leaving Viennese embassies for destinations</p><p>outside Austria would arrive at 4 P.M. All these letters would also be</p><p>copied before being allowed to continue on their journey. Each day</p><p>a hundred letters would �lter through the Viennese Black Chamber.</p><p>The copies were passed to the cryptanalysts, who sat in little</p><p>kiosks, ready to tease out the meanings of the messages. As well as</p><p>supplying the emperors of Austria with invaluable intelligence, the</p><p>Viennese Black Chamber sold the information it harvested to other</p><p>powers in Europe. In 1774 an arrangement was made with Abbot</p><p>Georgel, the secretary at the French Embassy, which gave him</p><p>access to a twice-weekly package of information in exchange for</p><p>1,000 ducats. He then sent these letters, which contained the</p><p>supposedly secret plans of various monarchs, straight to Louis XV in</p><p>Paris.</p><p>The Black Chambers were e�ectively</p><p>making all forms of</p><p>monoalphabetic cipher insecure. Confronted with such professional</p><p>cryptanalytic opposition, cryptographers were at last forced to adopt</p><p>the more complex but more secure Vigenère cipher. Gradually,</p><p>cipher secretaries began to switch to using polyalphabetic ciphers.</p><p>In addition to more e�ective cryptanalysis, there was another</p><p>pressure that was encouraging the move toward securer forms of</p><p>encryption: the development of the telegraph, and the need to</p><p>protect telegrams from interception and decipherment.</p><p>Although the telegraph, together with the ensuing</p><p>telecommunications revolution, came in the nineteenth century, its</p><p>origins can be traced all the way back to 1753. An anonymous letter</p><p>in a Scottish magazine described how a message could be sent</p><p>across large distances by connecting the sender and receiver with 26</p><p>cables, one for each letter of the alphabet. The sender could then</p><p>spell out the message by sending pulses of electricity along each</p><p>wire. For example, to spell out hello, the sender would begin by</p><p>sending a signal down the h wire, then down the e wire, and so on.</p><p>The receiver would somehow sense the electrical current emerging</p><p>from each wire and read the message. However, this “expeditious</p><p>method of conveying intelligence,” as the inventor called it, was</p><p>never constructed, because there were several technical obstacles</p><p>that had to be overcome.</p><p>For example, engineers needed a su�ciently sensitive system for</p><p>detecting electrical signals. In England, Sir Charles Wheatstone and</p><p>William Fothergill Cooke built detectors from magnetized needles,</p><p>which would be de�ected in the presence of an incoming electric</p><p>current. By 1839, the Wheatstone-Cooke system was being used to</p><p>send messages between railway stations in West Drayton and</p><p>Paddington, a distance of 29 km. The reputation of the telegraph</p><p>and its remarkable speed of communication soon spread, and</p><p>nothing did more to popularize its power than the birth of Queen</p><p>Victoria’s second son, Prince Alfred, at Windsor on August 6, 1844.</p><p>News of the birth was telegraphed to London, and within the hour</p><p>The Times was on the streets announcing the news. It credited the</p><p>technology that had enabled this feat, mentioning that it was</p><p>“indebted to the extraordinary power of the Electro-Magnetic</p><p>Telegraph.” The following year, the telegraph gained further fame</p><p>when it helped capture John Tawell, who had murdered his mistress</p><p>in Slough, and who had attempted to escape by jumping on to a</p><p>London-bound train. The local police telegraphed Tawell’s</p><p>description to London, and he was arrested as soon as he arrived at</p><p>Paddington.</p><p>Meanwhile, in America, Samuel Morse had just built his �rst</p><p>telegraph line, a system spanning the 60 km between Baltimore and</p><p>Washington. Morse used an electromagnet to enhance the signal, so</p><p>that upon arriving at the receiver’s end it was strong enough to</p><p>make a series of short and long marks, dots and dashes, on a piece</p><p>of paper. He also developed the now familiar Morse code for</p><p>translating each letter of the alphabet into a series of dots and</p><p>dashes, as given in Table 6. To complete his system he designed a</p><p>sounder, so that the receiver would hear each letter as a series of</p><p>audible dots and dashes.</p><p>Back in Europe, Morse’s approach gradually overtook the</p><p>Wheatstone-Cooke system in popularity, and in 1851 a European</p><p>form of Morse code, which included accented letters, was adopted</p><p>throughout the Continent. As each year passed, Morse code and the</p><p>telegraph had an increasing in�uence on the world, enabling the</p><p>police to capture more criminals, helping newspapers to bring the</p><p>very latest news, providing valuable information for businesses, and</p><p>allowing distant companies to make instantaneous deals.</p><p>However, guarding these often sensitive communications was a</p><p>major concern. The Morse code itself is not a form of cryptography,</p><p>because there is no concealment of the message. The dots and</p><p>dashes are merely a convenient way to represent letters for the</p><p>telegraphic medium; Morse code is e�ectively nothing more than an</p><p>alternative alphabet. The problem of security arose primarily</p><p>because anyone wanting to send a message would have to deliver it</p><p>to a Morse code operator, who would then have to read it in order</p><p>to transmit it. The telegraph operators had access to every message,</p><p>and hence there was a risk that one company might bribe an</p><p>operator in order to gain access to a rival’s communications. This</p><p>problem was outlined in an article on telegraphy published in 1853</p><p>in England’s Quarterly Review:</p><p>Means should also be taken to obviate one great objection, at present felt with respect</p><p>to sending private communications by telegraph—the violation of all secrecy—for in</p><p>any case half-a-dozen people must be cognizant of every word addressed by one</p><p>person to another. The clerks of the English Telegraph Company are sworn to secrecy,</p><p>but we often write things that it would be intolerable to see strangers read before our</p><p>eyes. This is a grievous fault in the telegraph, and it must be remedied by some means</p><p>or other.</p><p>The solution was to encipher a message before handing it to the</p><p>telegraph operator. The operator would then turn the ciphertext into</p><p>Morse code before transmitting it. As well as preventing the</p><p>operators from seeing sensitive material, encryption also stymied</p><p>the e�orts of any spy who might be tapping the telegraph wire. The</p><p>polyalphabetic Vigenère cipher was clearly the best way to ensure</p><p>secrecy for important business communications. It was considered</p><p>unbreakable, and became known as le chi�re indéchi�rable.</p><p>Cryptographers had, for the time being at least, a clear lead over the</p><p>cryptanalysts.</p><p>Table 6 International Morse Code symbols.</p><p>Mr. Babbage Versus the Vigenère Cipher</p><p>The most intriguing �gure in nineteenth-century cryptanalysis is</p><p>Charles Babbage, the eccentric British genius best known for</p><p>developing the blueprint for the modern computer. He was born in</p><p>1791, the son of Benjamin Babbage, a wealthy London banker.</p><p>When Charles married without his father’s permission, he no longer</p><p>had access to the Babbage fortune, but he still had enough money to</p><p>be �nancially secure, and he pursued the life of a roving scholar,</p><p>applying his mind to whatever problem tickled his fancy. His</p><p>inventions include the speedometer and the cowcatcher, a device</p><p>that could be �xed to the front of steam locomotives to clear cattle</p><p>from railway tracks. In terms of scienti�c breakthroughs, he was the</p><p>�rst to realize that the width of a tree ring depended on that year’s</p><p>weather, and he deduced that it was possible to determine past</p><p>climates by studying ancient trees. He was also intrigued by</p><p>statistics, and as a diversion he drew up a set of mortality tables, a</p><p>basic tool for today’s insurance industry.</p><p>Babbage did not restrict himself to tackling scienti�c and</p><p>engineering problems. The cost of sending a letter used to depend</p><p>on the distance the letter had to travel, but Babbage pointed out</p><p>that the cost of the labor required to calculate the price for each</p><p>letter was more than the cost of the postage. Instead, he proposed</p><p>the system we still use today—a single price for all letters,</p><p>regardless of where in the country the addressee lives. He was also</p><p>interested in politics and social issues, and toward the end of his life</p><p>he began a campaign to get rid of the organ grinders and street</p><p>musicians who roamed London. He complained that the music “not</p><p>infrequently gives rise to a dance by little ragged urchins, and</p><p>sometimes half-intoxicated men, who occasionally accompany the</p><p>noise with their own discordant voices. Another class who are great</p><p>supporters of street music consists of ladies of elastic virtue and</p><p>cosmopolitan tendencies, to whom it a�ords a decent excuse for</p><p>displaying their fascinations at their open windows.” Unfortunately</p><p>for Babbage, the musicians fought back by gathering in large groups</p><p>around his house and playing as loud as possible.</p><p>The turning point in Babbage’s scienti�c career came in 1821,</p><p>when he and the astronomer</p><p>John Herschel were examining a set of</p><p>mathematical tables, the sort used as the basis for astronomical,</p><p>engineering and navigational calculations. The two men were</p><p>disgusted by the number of errors in the tables, which in turn would</p><p>generate �aws in important calculations. One set of tables, the</p><p>Nautical Ephemeris for Finding Latitude and Longitude at Sea,</p><p>contained over a thousand errors. Indeed, many shipwrecks and</p><p>engineering disasters were blamed on faulty tables.</p><p>These mathematical tables were calculated by hand, and the</p><p>mistakes were simply the result of human error. This caused</p><p>Babbage to exclaim, “I wish to God these calculations had been</p><p>executed by steam!” This marked the beginning of an extraordinary</p><p>endeavor to build a machine capable of faultlessly calculating the</p><p>tables to a high degree of accuracy. In 1823 Babbage designed</p><p>“Di�erence Engine No. 1,” a magni�cent calculator consisting of</p><p>25,000 precision parts, to be built with government funding.</p><p>Although Babbage was a brilliant innovator, he was not a great</p><p>implementer. After ten years of toil, he abandoned “Di�erence</p><p>Engine No. 1,” cooked up an entirely new design, and set to work</p><p>building “Di�erence Engine No. 2.”</p><p>When Babbage abandoned his �rst machine, the government lost</p><p>con�dence in him and decided to cut its losses by withdrawing from</p><p>the project—it had already spent £17,470, enough to build a pair of</p><p>battleships. It was probably this withdrawal of support that later</p><p>prompted Babbage to make the following complaint: “Propose to an</p><p>Englishman any principle, or any instrument, however admirable,</p><p>and you will observe that the whole e�ort of the English mind is</p><p>directed to �nd a di�culty, a defect, or an impossibility in it. If you</p><p>speak to him of a machine for peeling a potato, he will pronounce it</p><p>impossible: if you peel a potato with it before his eyes, he will</p><p>declare it useless, because it will not slice a pineapple.”</p><p>Lack of government funding meant that Babbage never completed</p><p>Di�erence Engine No. 2. The scienti�c tragedy was that Babbage’s</p><p>machine would have been a stepping-stone to the Analytical Engine,</p><p>which would have been programmable. Rather than merely</p><p>calculating a speci�c set of tables, the Analytical Engine would have</p><p>been able to solve a variety of mathematical problems depending on</p><p>the instructions that it was given. In fact, the Analytical Engine</p><p>provided the template for modern computers. The design included a</p><p>“store” (memory) and a “mill” (processor), which would allow it to</p><p>make decisions and repeat instructions, which are equivalent to the</p><p>“IF … THEN …” and “LOOP” commands in modern programming.</p><p>Figure 12 Charles Babbage. (photo credit 2.2)</p><p>A century later, during the course of the Second World War, the</p><p>�rst electronic incarnations of Babbage’s machine would have a</p><p>profound e�ect on cryptanalysis, but, in his own lifetime, Babbage</p><p>made an equally important contribution to codebreaking: he</p><p>succeeded in breaking the Vigenère cipher, and in so doing he made</p><p>the greatest breakthrough in cryptanalysis since the Arab scholars of</p><p>the ninth century broke the monoalphabetic cipher by inventing</p><p>frequency analysis. Babbage’s work required no mechanical</p><p>calculations or complex computations. Instead, he employed nothing</p><p>more than sheer cunning.</p><p>Babbage had become interested in ciphers at a very young age. In</p><p>later life, he recalled how his childhood hobby occasionally got him</p><p>into trouble: “The bigger boys made ciphers, but if I got hold of a</p><p>few words, I usually found out the key. The consequence of this</p><p>ingenuity was occasionally painful: the owners of the detected</p><p>ciphers sometimes thrashed me, though the fault lay in their own</p><p>stupidity.” These beatings did not discourage him, and he continued</p><p>to be enchanted by cryptanalysis. He wrote in his autobiography</p><p>that “deciphering is, in my opinion, one of the most fascinating of</p><p>arts.”</p><p>He soon gained a reputation within London society as a</p><p>cryptanalyst prepared to tackle any encrypted message, and</p><p>strangers would approach him with all sorts of problems. For</p><p>example, Babbage helped a desperate biographer attempting to</p><p>decipher the shorthand notes of John Flamsteed, England’s �rst</p><p>Astronomer Royal. He also came to the rescue of a historian, solving</p><p>a cipher of Henrietta Maria, wife of Charles I. In 1854, he</p><p>collaborated with a barrister and used cryptanalysis to reveal crucial</p><p>evidence in a legal case. Over the years, he accumulated a thick �le</p><p>of encrypted messages, which he planned to use as the basis for an</p><p>authoritative book on cryptanalysis, entitled The Philosophy of</p><p>Decyphering. The book would contain two examples of every kind of</p><p>cipher, one that would be broken as a demonstration and one that</p><p>would be left as an exercise for the reader. Unfortunately, as with</p><p>many other of his grand plans, the book was never completed.</p><p>While most cryptanalysts had given up all hope of ever breaking</p><p>the Vigenère cipher, Babbage was inspired to attempt a</p><p>decipherment by an exchange of letters with John Hall Brock</p><p>Thwaites, a dentist from Bristol with a rather innocent view of</p><p>ciphers. In 1854, Thwaites claimed to have invented a new cipher,</p><p>which, in fact, was equivalent to the Vigenère cipher. He wrote to</p><p>the Journal of the Society of Arts with the intention of patenting his</p><p>idea, apparently unaware that he was several centuries too late.</p><p>Babbage wrote to the Society, pointing out that “the cypher … is a</p><p>very old one, and to be found in most books.” Thwaite was</p><p>unapologetic and challenged Babbage to break his cipher. Whether</p><p>or not it was breakable was irrelevant to whether or not it was new,</p><p>but Babbage’s curiosity was su�ciently aroused for him to embark</p><p>on a search for a weakness in the Vigenère cipher.</p><p>Cracking a di�cult cipher is akin to climbing a sheer cli� face.</p><p>The cryptanalyst is seeking any nook or cranny which could provide</p><p>the slightest purchase. In a monoalphabetic cipher the cryptanalyst</p><p>will latch on to the frequency of the letters, because the commonest</p><p>letters, such as e, t and a, will stand out no matter how they have</p><p>been disguised. In the polyalphabetic Vigenère cipher the</p><p>frequencies are much more balanced, because the keyword is used</p><p>to switch between cipher alphabets. Hence, at �rst sight, the rock</p><p>face seems perfectly smooth.</p><p>Remember, the great strength of the Vigenère cipher is that the</p><p>same letter will be enciphered in di�erent ways. For example, if the</p><p>keyword is KING, then every letter in the plaintext can potentially</p><p>be enciphered in four di�erent ways, because the keyword contains</p><p>four letters. Each letter of the keyword de�nes a di�erent cipher</p><p>alphabet in the Vigenère square, as shown in Table 7. The e column</p><p>of the square has been highlighted to show how it is enciphered</p><p>di�erently, depending on which letter of the keyword is de�ning the</p><p>encipherment:</p><p>If the K of KING is used to encipher e, then the resulting ciphertext letter is O.</p><p>If the I of KING is used to encipher e, then the resulting ciphertext letter is M.</p><p>If the N of KING is used to encipher e, then the resulting ciphertext letter is R.</p><p>If the G of KING is used to encipher e, then the resulting ciphertext letter is K.</p><p>Table 7 A Vigenère square used in combination with the keyword KING. The keyword</p><p>de�nes four separate cipher alphabets, so that the letter e may be encrypted as O, M, R or</p><p>K.</p><p>Similarly, whole words will be deciphered in di�erent ways: the</p><p>word the, for example, could be enciphered as DPR, BUK, GNO or</p><p>ZRM, depending on its position relative to the keyword. Although</p><p>this makes cryptanalysis di�cult, it is not impossible. The important</p><p>point to note is that if there are only four ways to encipher the word</p><p>the, and the original message contains several instances of the word</p><p>the, then it is highly likely that some of the four possible</p><p>encipherments will be repeated in the ciphertext. This is</p><p>demonstrated in the following example, in which the line The Sun</p><p>and the Man in the Moon has been enciphered using the Vigenère</p><p>cipher and the keyword KING.</p><p>to leave out many</p><p>fascinating stories, which in turn means that my account is not</p><p>de�nitive. If you would like to �nd out more about your favorite</p><p>tale or your favorite codebreaker then I would refer you to the list</p><p>of further reading, which should help those readers who would like</p><p>to study the subject in more detail.</p><p>Having discussed the evolution of codes and their impact on</p><p>history, the book’s second objective is to demonstrate how the</p><p>subject is more relevant today than ever before. As information</p><p>becomes an increasingly valuable commodity, and as the</p><p>communications revolution changes society, so the process of</p><p>encoding messages, known as encryption, will play an increasing</p><p>role in everyday life. Nowadays our phone calls bounce o� satellites</p><p>and our e-mails pass through various computers, and both forms of</p><p>communication can be intercepted with ease, so jeopardizing our</p><p>privacy. Similarly, as more and more business is conducted over the</p><p>Internet, safeguards must be put in place to protect companies and</p><p>their clients. Encryption is the only way to protect our privacy and</p><p>guarantee the success of the digital marketplace. The art of secret</p><p>communication, otherwise known as cryptography, will provide the</p><p>locks and keys of the Information Age.</p><p>However, the public’s growing demand for cryptography con�icts</p><p>with the needs of law enforcement and national security. For</p><p>decades, the police and the intelligence services have used wire-taps</p><p>to gather evidence against terrorists and organized crime syndicates,</p><p>but the recent development of ultra-strong codes threatens to</p><p>undermine the value of wire-taps. As we enter the twenty-�rst</p><p>century, civil libertarians are pressing for the widespread use of</p><p>cryptography in order to protect the privacy of the individual.</p><p>Arguing alongside them are businesses, who require strong</p><p>cryptography in order to guarantee the security of transactions</p><p>within the fast-growing world of Internet commerce. At the same</p><p>time, the forces of law and order are lobbying governments to</p><p>restrict the use of cryptography. The question is, which do we value</p><p>more—our privacy or an e�ective police force? Or is there a</p><p>compromise?</p><p>Although cryptography is now having a major impact on civilian</p><p>activities, it should be noted that military cryptography remains an</p><p>important subject. It has been said that the First World War was the</p><p>chemists’ war, because mustard gas and chlorine were employed for</p><p>the �rst time, and that the Second World War was the physicists’</p><p>war, because the atom bomb was detonated. Similarly, it has been</p><p>argued that the Third World War would be the mathematicians’</p><p>war, because mathematicians will have control over the next great</p><p>weapon of war—information. Mathematicians have been responsible</p><p>for developing the codes that are currently used to protect military</p><p>information. Not surprisingly, mathematicians are also at the</p><p>forefront of the battle to break these codes.</p><p>While describing the evolution of codes and their impact on</p><p>history, I have allowed myself a minor detour. Chapter 5 describes</p><p>the decipherment of various ancient scripts, including Linear B and</p><p>Egyptian hieroglyphics. Technically, cryptography concerns</p><p>communications that are deliberately designed to keep secrets from</p><p>an enemy, whereas the writings of ancient civilizations were not</p><p>intended to be indecipherable: it is merely that we have lost the</p><p>ability to interpret them. However, the skills required to uncover the</p><p>meaning of archaeological texts are closely related to the art of</p><p>codebreaking. Ever since reading The Decipherment of Linear B, John</p><p>Chadwick’s description of how an ancient Mediterranean text was</p><p>unraveled, I have been struck by the astounding intellectual</p><p>achievements of those men and women who have been able to</p><p>decipher the scripts of our ancestors, thereby allowing us to read</p><p>about their civilizations, religions and everyday lives.</p><p>Turning to the purists, I should apologize for the title of this book.</p><p>The Code Book is about more than just codes. The word “code” refers</p><p>to a very particular type of secret communication, one that has</p><p>declined in use over the centuries. In a code, a word or phrase is</p><p>replaced with a word, number or symbol. For example, secret agents</p><p>have codenames, words that are used instead of their real names in</p><p>order to mask their identities. Similarly, the phrase Attack at dawn</p><p>could be replaced by the codeword Jupiter, and this word could be</p><p>sent to a commander in the battle�eld as a way of ba�ing the</p><p>enemy. If headquarters and the commander have previously agreed</p><p>on the code, then the meaning of Jupiter will be clear to the</p><p>intended recipient, but it will mean nothing to an enemy who</p><p>intercepts it. The alternative to a code is a cipher, a technique that</p><p>acts at a more fundamental level, by replacing letters rather than</p><p>whole words. For example, each letter in a phrase could be replaced</p><p>by the next letter in the alphabet, so that A is replaced by B, B by C,</p><p>and so on. Attack at dawn thus becomes Buubdl bu ebxo. Ciphers</p><p>play an integral role in cryptography, and so this book should really</p><p>have been called The Code and Cipher Book. I have, however,</p><p>forsaken accuracy for snappiness.</p><p>As the need arises, I have de�ned the various technical terms used</p><p>within cryptography. Although I have generally adhered to these</p><p>de�nitions, there will be occasions when I use a term that is perhaps</p><p>not technically accurate, but which I feel is more familiar to the</p><p>non-specialist. For example, when describing a person attempting to</p><p>break a cipher, I have often used codebreaker rather than the more</p><p>accurate cipherbreaker. I have done this only when the meaning of</p><p>the word is obvious from the context. There is a glossary of terms at</p><p>the end of the book. More often than not, though, crypto-jargon is</p><p>quite transparent: for example, plaintext is the message before</p><p>encryption, and ciphertext is the message after encryption.</p><p>Before concluding this introduction, I must mention a problem</p><p>that faces any author who tackles the subject of cryptography: the</p><p>science of secrecy is largely a secret science. Many of the heroes in</p><p>this book never gained recognition for their work during their</p><p>lifetimes because their contribution could not be publicly</p><p>acknowledged while their invention was still of diplomatic or</p><p>military value. While researching this book, I was able to talk to</p><p>experts at Britain’s Government Communications Headquarters</p><p>(GCHQ), who revealed details of extraordinary research done in the</p><p>1970s which has only just been declassi�ed. As a result of this</p><p>declassi�cation, three of the world’s greatest cryptographers can</p><p>now receive the credit they deserve. However, this recent revelation</p><p>has merely served to remind me that there is a great deal more</p><p>going on, of which neither I nor any other science writer is aware.</p><p>Organizations such as GCHQ and America’s National Security</p><p>Agency continue to conduct classi�ed research into cryptography,</p><p>which means that their breakthroughs remain secret and the</p><p>individuals who make them remain anonymous.</p><p>Despite the problems of government secrecy and classi�ed</p><p>research, I have spent the �nal chapter of this book speculating</p><p>about the future of codes and ciphers. Ultimately, this chapter is an</p><p>attempt to see if we can predict who will win the evolutionary</p><p>struggle between codemaker and codebreaker. Will codemakers ever</p><p>design a truly unbreakable code and succeed in their quest for</p><p>absolute secrecy? Or will codebreakers build a machine that can</p><p>decipher any message? Bearing in mind that some of the greatest</p><p>minds work in classi�ed laboratories, and that they receive the bulk</p><p>of research funds, it is clear that some of the statements in my �nal</p><p>chapter may be inaccurate. For example, I state that quantum</p><p>computers—machines potentially capable of breaking all today’s</p><p>ciphers—are at a very primitive stage, but it is possible that</p><p>somebody has already built one. The only people who are in a</p><p>position to point out my errors are also those who are not at liberty</p><p>to reveal</p><p>The word the is enciphered as DPR in the �rst instance, and then as</p><p>BUK on the second and third occasions. The reason for the</p><p>repetition of BUK is that the second the is displaced by eight letters</p><p>with respect to the third the, and eight is a multiple of the length of</p><p>the keyword, which is four letters long. In other words, the second</p><p>the was enciphered according to its relationship to the keyword (the</p><p>is directly below ING), and by the time we reach the third the, the</p><p>keyword has cycled around exactly twice, to repeat the relationship,</p><p>and hence repeat the encipherment.</p><p>Babbage realized that this sort of repetition provided him with</p><p>exactly the foothold he needed in order to conquer the Vigenère</p><p>cipher. He was able to de�ne a series of relatively simple steps</p><p>which could be followed by any cryptanalyst to crack the hitherto</p><p>chi�re indéchi�rable. To demonstrate his brilliant technique, let us</p><p>imagine that we have intercepted the ciphertext shown in Figure 13.</p><p>We know that it was enciphered using the Vigenère cipher, but we</p><p>know nothing about the original message, and the keyword is a</p><p>mystery.</p><p>The �rst stage in Babbage’s cryptanalysis is to look for sequences</p><p>of letters that appear more than once in the ciphertext. There are</p><p>two ways that such repetitions could arise. The most likely is that</p><p>the same sequence of letters in the plaintext has been enciphered</p><p>using the same part of the key. Alternatively, there is a slight</p><p>possibility that two di�erent sequences of letters in the plaintext</p><p>have been enciphered using di�erent parts of the key, coincidentally</p><p>leading to the identical sequence in the ciphertext. If we restrict</p><p>ourselves to long sequences, then we largely discount the second</p><p>possibility, and, in this case, we shall consider repeated sequences</p><p>only if they are of four letters or more. Table 8 is a log of such</p><p>repetitions, along with the spacing between the repetition. For</p><p>example, the sequence E-F-I-Q appears in the �rst line of the</p><p>ciphertext and then in the �fth line, shifted forward by 95 letters.</p><p>As well as being used to encipher the plaintext into ciphertext, the</p><p>keyword is also used by the receiver to decipher the ciphertext back</p><p>into plaintext. Hence, if we could identify the keyword, deciphering</p><p>the text would be easy. At this stage we do not have enough</p><p>information to work out the keyword, but Table 8 does provide</p><p>some very good clues as to its length. Having listed which sequences</p><p>repeat themselves and the spacing between these repetitions, the</p><p>rest of the table is given over to identifying the factors of the spacing</p><p>—the numbers that will divide into the spacing.</p><p>Figure 13 The ciphertext, enciphered using the Vigenère cipher.</p><p>For example, the sequence W-C-X-Y-M repeats itself after 20 letters,</p><p>and the numbers 1, 2, 4, 5, 10 and 20 are factors, because they</p><p>divide perfectly into 20 without leaving a remainder. These factors</p><p>suggest six possibilities:</p><p>(1) The key is 1 letter long and is recycled 20 times between encryptions.</p><p>(2) The key is 2 letters long and is recycled 10 times between encryptions.</p><p>(3) The key is 4 letters long and is recycled 5 times between encryptions.</p><p>(4) The key is 5 letters long and is recycled 4 times between encryptions.</p><p>(5) The key is 10 letters long and is recycled 2 times between encryptions.</p><p>(6) The key is 20 letters long and is recycled 1 time between encryptions.</p><p>The �rst possibility can be excluded, because a key that is only 1</p><p>letter long gives rise to a monoalphabetic cipher—only one row of</p><p>the Vigenère square would be used for the entire encryption, and</p><p>the cipher alphabet would remain unchanged; it is unlikely that a</p><p>cryptographer would do this. To indicate each of the other</p><p>possibilities, a ✓ is placed in the appropriate column of Table 8.</p><p>Each ✓ indicates a potential key length.</p><p>To identify whether the key is 2, 4, 5, 10 or 20 letters long, we</p><p>need to look at the factors of all the other spacings. Because the</p><p>keyword seems to be 20 letters or smaller, Table 8 lists those factors</p><p>that are 20 or smaller for each of the other spacings. There is a clear</p><p>propensity for a spacing divisible by 5. In fact, every spacing is</p><p>divisible by 5. The �rst repeated sequence, E-F-I-Q, can be explained</p><p>by a keyword of length 5 recycled nineteen times between the �rst</p><p>and second encryptions. The second repeated sequence, P-S-D-L-P,</p><p>can be explained by a keyword of length 5 recycled just once</p><p>between the �rst and second encryptions. The third repeated</p><p>sequence, W-C-X-Y-M, can be explained by a keyword of length 5</p><p>recycled four times between the �rst and second encryptions. The</p><p>fourth repeated sequence, E-T-R-L, can be explained by a keyword</p><p>of length 5 recycled twenty-four times between the �rst and second</p><p>encryptions. In short, everything is consistent with a �ve-letter</p><p>keyword.</p><p>Table 8 Repetitions and spacings in the ciphertext.</p><p>Assuming that the keyword is indeed 5 letters long, the next step</p><p>is to work out the actual letters of the keyword. For the time being,</p><p>let us call the keyword L1-L2-L3-L4-L5, such that L1 represents the</p><p>�rst letter of the keyword, and so on. The process of encipherment</p><p>would have begun with enciphering the �rst letter of the plaintext</p><p>according to the �rst letter of the keyword, L1. The letter L1 de�nes</p><p>one row of the Vigenère square, and e�ectively provides a</p><p>monoalphabetic substitution cipher alphabet for the �rst letter of</p><p>the plaintext. However, when it comes to encrypting the second</p><p>letter of the plaintext, the cryptographer would have used L2 to</p><p>de�ne a di�erent row of the Vigenère square, e�ectively providing a</p><p>di�erent monoalphabetic substitution cipher alphabet. The third</p><p>letter of plaintext would be encrypted according to L3, the fourth</p><p>according to L4, and the �fth according to L5. Each letter of the</p><p>keyword is providing a di�erent cipher alphabet for encryption.</p><p>However, the sixth letter of the plaintext would once again be</p><p>encrypted according to L1, the seventh letter of the plaintext would</p><p>once again be encrypted according to L2, and the cycle repeats itself</p><p>thereafter. In other words, the polyalphabetic cipher consists of �ve</p><p>monoalphabetic ciphers, each monoalphabetic cipher is responsible</p><p>for encrypting one-�fth of the entire message, and, most</p><p>importantly, we already know how to cryptanalyze monoalphabetic</p><p>ciphers.</p><p>We proceed as follows. We know that one of the rows of the</p><p>Vigenère square, de�ned by L1, provided the cipher alphabet to</p><p>encrypt the 1st, 6th, 11th, 16th, … letters of the message. Hence, if</p><p>we look at the 1st, 6th, 11th, 16th, … letters of the ciphertext, we</p><p>should be able to use old-fashioned frequency analysis to work out</p><p>the cipher alphabet in question. Figure 14 shows the frequency</p><p>distribution of the letters that appear in the 1st, 6th, 11th, 16th, …</p><p>positions of the ciphertext, which are W, I, R, E,.… At this point,</p><p>remember that each cipher alphabet in the Vigenère square is</p><p>simply a standard alphabet shifted by a value between 1 and 26.</p><p>Hence, the frequency distribution in Figure 14 should have similar</p><p>features to the frequency distribution of a standard alphabet, except</p><p>that it will have been shifted by some distance. By comparing the L1</p><p>distribution with the standard distribution, it should be possible to</p><p>work out the shift. Figure 15 shows the standard frequency</p><p>distribution for a piece of English plaintext.</p><p>The standard distribution has peaks, plateaus and valleys, and to</p><p>match it with the L1 cipher distribution we look for the most</p><p>outstanding combination of features. For example, the three spikes</p><p>at R-S-T in the standard distribution (Figure 15) and the long</p><p>depression to its right that stretches across six letters from U to Z</p><p>together form a very distinctive pair of features. The only similar</p><p>features in the L1 distribution (Figure 14) are the three spikes at V-</p><p>W-X, followed by the depression stretching six letters from Y to D.</p><p>This would suggest that all the letters encrypted according to L1</p><p>have been shifted four places, or that L1 de�nes a cipher alphabet</p><p>which begins E, F, G, H,.… In turn, this means that the �rst letter of</p><p>the keyword, L1, is probably E. This hypothesis can be tested by</p><p>shifting the L1 distribution back four letters and comparing it with</p><p>the standard distribution. Figure 16 shows both distributions for</p><p>comparison. The match between the major peaks is very strong,</p><p>implying that it is safe to assume that the keyword does indeed</p><p>begin with E.</p><p>Figure 14 Frequency distribution for letters in the ciphertext encrypted using the L1</p><p>cipher alphabet (number of occurrences).</p><p>Figure 15 Standard frequency distribution (number of occurrences based on a piece</p><p>of plaintext containing the same number of letters as in the ciphertext).</p><p>Figure 16 The L1 distribution shifted back four letters (top), compared with the</p><p>standard frequency distribution (bottom). All major peaks and troughs match.</p><p>To summarize, searching for repetitions in the ciphertext has</p><p>allowed us to identify the length of the keyword, which turned out</p><p>to be �ve letters long. This allowed us to split the ciphertext into</p><p>�ve parts, each one enciphered according to a monoalphabetic</p><p>substitution as de�ned by one letter of the keyword. By analyzing</p><p>the fraction of the ciphertext that was enciphered according to the</p><p>�rst letter of the keyword, we have been able to show that this</p><p>letter, L1, is probably E. This process is repeated in order to identify</p><p>the second letter of the keyword. A frequency distribution is</p><p>established for the 2nd, 7th, 12th, 17th,… letters in the ciphertext.</p><p>Again, the resulting distribution, shown in Figure 17, is compared</p><p>with the standard distribution in order to deduce the shift.</p><p>This distribution is harder to analyze. There are no obvious</p><p>candidates for the three neighboring peaks that correspond to R-S -</p><p>T. However, the depression that stretches from G to L is very</p><p>distinct, and probably corresponds to the depression we expect to</p><p>see stretching from U to Z in the standard distribution. If this were</p><p>the case, we would expect the three R-S-T peaks to appear at D, E</p><p>and F, but the peak at E is missing. For the time being, we shall</p><p>dismiss the missing peak as a statistical glitch, and go with our</p><p>initial reaction, which is that the depression from G to L is a</p><p>recognizably shifted feature. This would suggest that all the letters</p><p>encrypted according to L2 have been shifted twelve places, or that</p><p>L2 de�nes a cipher alphabet which begins M, N, O, P,… and that the</p><p>second letter of the keyword, L2, is M. Once again, this hypothesis</p><p>can be tested by shifting the L2 distribution back twelve letters and</p><p>comparing it with the standard distribution. Figure 18 shows both</p><p>distributions, and the match between the major peaks is very strong,</p><p>implying that it is safe to assume that the second letter of the</p><p>keyword is indeed M.</p><p>Figure 17 Frequency distribution for letters in the ciphertext encrypted using the L2</p><p>cipher alphabet (number of occurrences).</p><p>Figure 18 The L2 distribution shifted back twelve letters (top), compared with the</p><p>standard frequency distribution (bottom). Most major peaks and troughs match.</p><p>I shall not continue the analysis; su�ce to say that analyzing the</p><p>3rd, 8th, 13th, … letters implies that the third letter of the keyword</p><p>is I, analyzing the 4th, 9th, 14th, … letters implies that the fourth</p><p>letter is L, and analyzing the 5th, 10th, 15th, … letters implies that</p><p>the �fth letter is Y. The keyword is EMILY. It is now possible to</p><p>reverse the Vigenère cipher and complete the cryptanalysis. The �rst</p><p>letter of the ciphertext is W, and it was encrypted according to the</p><p>�rst letter of the keyword, E. Working backward, we look at the</p><p>Vigenère square, and �nd W in the row beginning with E, and then</p><p>we �nd which letter is at the top of that column. The letter is s,</p><p>which must make it the �rst letter of the plaintext. By repeating this</p><p>process, we see that the plaintext begins</p><p>sittheedownandhavenoshamecheekbyjowl.… By inserting suitable</p><p>word-breaks and punctuation, we eventually get:</p><p>Sit thee down, and have no shame,</p><p>Cheek by jowl, and knee by knee:</p><p>What care I for any name?</p><p>What for order or degree?</p><p>Let me screw thee up a peg:</p><p>Let me loose thy tongue with wine:</p><p>Callest thou that thing a leg?</p><p>Which is thinnest? thine or mine?</p><p>Thou shalt not be saved by works:</p><p>Thou hast been a sinner too:</p><p>Ruined trunks on withered forks,</p><p>Empty scarecrows, I and you!</p><p>Fill the cup, and �ll the can:</p><p>Have a rouse before the morn:</p><p>Every moment dies a man,</p><p>Every moment one is born.</p><p>These are verses from a poem by Alfred Tennyson entitled “The</p><p>Vision of Sin.” The keyword happens to be the �rst name of</p><p>Tennyson’s wife, Emily Sellwood. I chose to use a section from this</p><p>particular poem as an example for cryptanalysis because it inspired</p><p>some curious correspondence between Babbage and the great poet.</p><p>Being a keen statistician and compiler of mortality tables, Babbage</p><p>was irritated by the lines “Every moment dies a man, Every moment</p><p>one is born,” which are the last lines of the plaintext above.</p><p>Consequently, he o�ered a correction to Tennyson’s “otherwise</p><p>beautiful” poem:</p><p>It must be manifest that if this were true, the population of the world would be at a</p><p>standstill … I would suggest that in the next edition of your poem you have it read</p><p>—“Every moment dies a man, Every moment 1 is born.” … The actual �gure is so</p><p>long I cannot get it onto a line, but I believe the �gure 1 will be su�ciently</p><p>accurate for poetry.</p><p>I am, Sir, yours, etc.,</p><p>Charles Babbage.</p><p>Babbage’s successful cryptanalysis of the Vigenère cipher was</p><p>probably achieved in 1854, soon after his spat with Thwaites, but</p><p>his discovery went completely unrecognized because he never</p><p>published it. The discovery came to light only in the twentieth</p><p>century, when scholars examined Babbage’s extensive notes. In the</p><p>meantime, his technique was independently discovered by Friedrich</p><p>Wilhelm Kasiski, a retired o�cer in the Prussian army. Ever since</p><p>1863, when he published his cryptanalytic breakthrough in Die</p><p>Geheimschriften und die Dechi�rir-kunst (“Secret Writing and the Art</p><p>of Deciphering”), the technique has been known as the Kasiski Test,</p><p>and Babbage’s contribution has been largely ignored.</p><p>And why did Babbage fail to publicize his cracking of such a vital</p><p>cipher? He certainly had a habit of not �nishing projects and not</p><p>publishing his discoveries, which might suggest that this is just one</p><p>more example of his lackadaisical attitude. However, there is an</p><p>alternative explanation. His discovery occurred soon after the</p><p>outbreak of the Crimean War, and one theory is that it gave the</p><p>British a clear advantage over their Russian enemy. It is quite</p><p>possible that British Intelligence demanded that Babbage keep his</p><p>work secret, thus providing them with a nine-year head start over</p><p>the rest of the world. If this was the case, then it would �t in with</p><p>the long-standing tradition of hushing up codebreaking</p><p>achievements in the interests of national security, a practice that has</p><p>continued into the twentieth century.</p><p>From Agony Columns to Buried Treasure</p><p>Thanks to the breakthroughs by Charles Babbage and Friedrich</p><p>Kasiski, the Vigenère cipher was no longer secure. Cryptographers</p><p>could no longer guarantee secrecy, now that cryptanalysts had</p><p>fought back to regain control in the communications war. Although</p><p>cryptographers attempted to design new ciphers, nothing of great</p><p>signi�cance emerged during the latter half of the nineteenth</p><p>century, and professional cryptography was in disarray. However,</p><p>this same period witnessed an enormous growth of interest in</p><p>ciphers among the general public.</p><p>The development of the telegraph, which had driven a</p><p>commercial interest in cryptography, was also responsible for</p><p>generating public interest in cryptography. The public became</p><p>aware of the need to protect personal messages of a highly sensitive</p><p>nature, and if necessary they would use encryption, even though</p><p>this took more time to send, thus adding to the cost of the telegram.</p><p>Morse operators could send plain English at speeds</p><p>of up to 35</p><p>words per minute because they could memorize entire phrases and</p><p>transmit them in a single burst, whereas the jumble of letters that</p><p>make up a ciphertext was considerably slower to transmit, because</p><p>the operator had to continually refer back to the sender’s written</p><p>message to check the sequence of letters. The ciphers used by the</p><p>general public would not have withstood attack by a professional</p><p>cryptanalyst, but they were su�cient to guard against the casual</p><p>snooper.</p><p>As people became comfortable with encipherment, they began to</p><p>express their cryptographic skills in a variety of ways. For example,</p><p>young lovers in Victorian England were often forbidden from</p><p>publicly expressing their a�ection, and could not even communicate</p><p>by letter in case their parents intercepted and read the contents.</p><p>This resulted in lovers sending encrypted messages to each other via</p><p>the personal columns of newspapers. These “agony columns,” as</p><p>they became known, provoked the curiosity of cryptanalysts, who</p><p>would scan the notes and try to decipher their titillating contents.</p><p>Charles Babbage is known to have indulged in this activity, along</p><p>with his friends Sir Charles Wheatstone and Baron Lyon Playfair,</p><p>who together were responsible for developing the deft Playfair cipher</p><p>(described in Appendix E). On one occasion, Wheatstone deciphered</p><p>a note in The Times from an Oxford student, suggesting to his true</p><p>love that they elope. A few days later, Wheatstone inserted his own</p><p>message, encrypted in the same cipher, advising the couple against</p><p>this rebellious and rash action. Shortly afterward there appeared a</p><p>third message, this time unencrypted and from the lady in question:</p><p>“Dear Charlie, Write no more. Our cipher is discovered.”</p><p>In due course a wider variety of encrypted notes appeared in the</p><p>newspapers. Cryptographers began to insert blocks of ciphertext</p><p>merely to challenge their colleagues. On other occasions, encrypted</p><p>notes were used to criticize public �gures or organizations. The</p><p>Times once unwittingly carried the following encrypted notice: “The</p><p>Times is the Je�reys of the press.” The newspaper was being likened</p><p>to the notorious seventeenth-century Judge Je�reys, implying that it</p><p>was a ruthless, bullying publication which acted as a mouthpiece for</p><p>the government.</p><p>Another example of the public’s familiarity with cryptography</p><p>was the widespread use of pinprick encryption. The ancient Greek</p><p>historian Aeneas the Tactician suggested conveying a secret message</p><p>by pricking tiny holes under particular letters in an apparently</p><p>innocuous page of text, just as there are dots under some letters in</p><p>this paragraph. Those letters would spell out a secret message, easily</p><p>read by the intended receiver. However, if an intermediary stared at</p><p>the page, they would probably be oblivious to the barely perceptible</p><p>pinpricks, and would probably be unaware of the secret message.</p><p>Two thousand years later, British letter writers used exactly the</p><p>same method, not to achieve secrecy but to avoid paying excessive</p><p>postage costs. Before the overhaul of the postage system in the mid-</p><p>1800s, sending a letter cost about a shilling for every hundred miles,</p><p>beyond the means of most people. However, newspapers could be</p><p>posted free of charge, and this provided a loophole for thrifty</p><p>Victorians. Instead of writing and sending letters, people began to</p><p>use pinpricks to spell out a message on the front page of a</p><p>newspaper. They could then send the newspaper through the post</p><p>without having to pay a penny.</p><p>The public’s growing fascination with cryptographic techniques</p><p>meant that codes and ciphers soon found their way into nineteenth-</p><p>century literature. In Jules Verne’s Journey to the Center of the Earth,</p><p>the decipherment of a parchment �lled with runic characters</p><p>prompts the �rst step on the epic journey. The characters are part of</p><p>a substitution cipher which generates a Latin script, which in turn</p><p>makes sense only when the letters are reversed: “Descend the crater</p><p>of the volcano of Sne�els when the shadow of Scartaris comes to</p><p>caress it before the calends of July, audacious voyager, and you will</p><p>reach the center of the Earth.” In 1885, Verne also used a cipher as</p><p>a pivotal element in his novel Mathias Sandor�. In Britain, one of</p><p>the �nest writers of cryptographic �ction was Sir Arthur Conan</p><p>Doyle. Not surprisingly, Sherlock Holmes was an expert in</p><p>cryptography and, as he explained to Dr. Watson, was “the author of</p><p>a tri�ing monograph upon the subject in which I analyze one</p><p>hundred and sixty separate ciphers.” The most famous of Holmes’s</p><p>decipherments is told in The Adventure of the Dancing Men, which</p><p>involves a cipher consisting of stick-men, each pose representing a</p><p>distinct letter.</p><p>On the other side of the Atlantic, Edgar Allan Poe was also</p><p>developing an interest in cryptanalysis. Writing for Philadelphia’s</p><p>Alexander Weekly Messenger, he issued a challenge to readers,</p><p>claiming that he could decipher any monoalphabetic substitution</p><p>cipher. Hundreds of readers sent in their ciphertexts, and he</p><p>successfully deciphered them all. Although this required nothing</p><p>more than frequency analysis, Poe’s readers were astonished by his</p><p>achievements. One adoring fan proclaimed him “the most profound</p><p>and skillful cryptographer who ever lived.”</p><p>In 1843, keen to exploit the interest he had generated, Poe wrote</p><p>a short story about ciphers, which is widely acknowledged by</p><p>professional cryptographers to be the �nest piece of �ctional</p><p>literature on the subject. “The Gold Bug” tells the story of William</p><p>Legrand, who discovers an unusual beetle, the gold bug, and collects</p><p>it using a scrap of paper lying nearby. That evening he sketches the</p><p>gold bug upon the same piece of paper, and then holds his drawing</p><p>up to the light of the �re to check its accuracy. However, his sketch</p><p>is obliterated by an invisible ink, which has been developed by the</p><p>heat of the �ames. Legrand examines the characters that have</p><p>emerged and becomes convinced that he has in his hands the</p><p>encrypted directions for �nding Captain Kidd’s treasure. The</p><p>remainder of the story is a classic demonstration of frequency</p><p>analysis, resulting in the decipherment of Captain Kidd’s clues and</p><p>the discovery of his buried treasure.</p><p>Figure 19 A section of the ciphertext from The Adventure of the Dancing Men, a</p><p>Sherlock Holmes adventure by Sir Arthur Conan Doyle.</p><p>Although “The Gold Bug” is pure �ction, there is a true</p><p>nineteenth-century story containing many of the same elements. The</p><p>case of the Beale ciphers involves Wild West escapades, a cowboy</p><p>who amassed a vast fortune, a buried treasure worth $20 million</p><p>and a mysterious set of encrypted papers describing its whereabouts.</p><p>Much of what we know about this story, including the encrypted</p><p>papers, is contained in a pamphlet published in 1885. Although only</p><p>23 pages long, the pamphlet has ba�ed generations of cryptanalysts</p><p>and captivated hundreds of treasure hunters.</p><p>The story begins at the Washington Hotel in Lynchburg, Virginia,</p><p>sixty-�ve years before the publication of the pamphlet. According to</p><p>the pamphlet, the hotel and its owner, Robert Morriss, were held in</p><p>high regard: “His kind disposition, strict probity, excellent</p><p>management, and well ordered household, soon rendered him</p><p>famous as a host, and his reputation extended even to other States.</p><p>His was the house par excellence of the town, and no fashionable</p><p>assemblages met at any other.” In January 1820 a stranger by the</p><p>name of Thomas J. Beale rode into Lynchburg and checked into the</p><p>Washington Hotel. “In person, he was about six feet in height,”</p><p>recalled Morriss, “with jet black eyes and hair of the same color,</p><p>worn longer than was the style at the time. His form was</p><p>symmetrical, and gave evidence of unusual strength and activity;</p><p>but his distinguishing feature was a dark and swarthy complexion,</p><p>as if much exposure to the sun and weather had thoroughly tanned</p><p>and discolored him; this, however, did not detract from his</p><p>appearance, and I thought him the handsomest man I had ever</p><p>seen.” Although Beale spent</p><p>the rest of the winter with Morriss and</p><p>was “extremely popular with every one, particularly the ladies,” he</p><p>never spoke about his background, his family or the purpose of his</p><p>visit. Then, at the end of March, he left as suddenly as he had</p><p>arrived.</p><p>Figure 20 The title page of The Beale Papers, the pamphlet that contains all that we know</p><p>about the mystery of the Beale treasure. (photo credit 2.3)</p><p>Two years later, in January 1822, Beale returned to the</p><p>Washington Hotel, “darker and swarthier than ever.” Once again, he</p><p>spent the rest of the winter in Lynchburg and disappeared in the</p><p>spring, but not before he entrusted Morriss with a locked iron box,</p><p>which he said contained “papers of value and importance.” Morriss</p><p>placed the box in a safe, and thought nothing more about it and its</p><p>contents until he received a letter from Beale, dated May 9, 1822,</p><p>and sent from St. Louis. After a few pleasantries and a paragraph</p><p>about an intended trip to the plains “to hunt the bu�alo and</p><p>encounter the savage grizzlies,” Beale’s letter revealed the</p><p>signi�cance of the box:</p><p>It contains papers vitally a�ecting the fortunes of myself and many others engaged in</p><p>business with me, and in the event of my death, its loss might be irreparable. You</p><p>will, therefore, see the necessity of guarding it with vigilance and care to prevent so</p><p>great a catastrophe. Should none of us ever return you will please preserve carefully</p><p>the box for the period of ten years from the date of this letter, and if I, or no one with</p><p>authority from me, during that time demands its restoration, you will open it, which</p><p>can be done by removing the lock. You will �nd, in addition to the papers addressed</p><p>to you, other papers which will be unintelligible without the aid of a key to assist</p><p>you. Such a key I have left in the hand of a friend in this place, sealed and addressed</p><p>to yourself, and endorsed not to be delivered until June 1832. By means of this you</p><p>will understand fully all you will be required to do.</p><p>Morriss dutifully continued to guard the box, waiting for Beale to</p><p>collect it, but the swarthy man of mystery never returned to</p><p>Lynchburg. He disappeared without explanation, never to be seen</p><p>again. Ten years later, Morriss could have followed the letter’s</p><p>instructions and opened the box, but he seems to have been</p><p>reluctant to break the lock. Beale’s letter had mentioned that a note</p><p>would be sent to Morriss in June 1832, and this was supposed to</p><p>explain how to decipher the contents of the box. However, the note</p><p>never arrived, and perhaps Morriss felt that there was no point</p><p>opening the box if he could not decipher what was inside it.</p><p>Eventually, in 1845, Morriss’s curiosity got the better of him and he</p><p>cracked open the lock. The box contained three sheets of enciphered</p><p>characters, and a note written by Beale in plain English.</p><p>The intriguing note revealed the truth about Beale, the box, and</p><p>the ciphers. It explained that in April 1817, almost three years</p><p>before his �rst meeting with Morriss, Beale and 29 others had</p><p>embarked on a journey across America. After traveling through the</p><p>rich hunting grounds of the Western plains, they arrived in Santa Fe,</p><p>and spent the winter in the “little Mexican town.” In March they</p><p>headed north and began tracking an “immense herd of bu�aloes,”</p><p>picking o� as many as possible along the way. Then, according to</p><p>Beale, they struck lucky:</p><p>One day, while following them, the party encamped in a small ravine, some 250 or</p><p>300 miles north of Santa Fe, and, with their horses tethered, were preparing their</p><p>evening meal, when one of the men discovered in a cleft of the rocks something that</p><p>had the appearance of gold. Upon showing it to the others it was pronounced to be</p><p>gold, and much excitement was the natural consequence.</p><p>The letter went on to explain that Beale and his men, with help</p><p>from the local tribe, mined the site for the next eighteen months, by</p><p>which time they had accumulated a large quantity of gold, as well</p><p>as some silver which was found nearby. In due course they agreed</p><p>that their newfound wealth should be moved to a secure place, and</p><p>decided to take it back home to Virginia, where they would hide it</p><p>in a secret location. In 1820, Beale traveled to Lynchburg with the</p><p>gold and silver, found a suitable location, and buried it. It was on</p><p>this occasion that he �rst lodged at the Washington Hotel and made</p><p>the acquaintance of Morriss. When Beale left at the end of the</p><p>winter, he rejoined his men who had continued to work the mine</p><p>during his absence.</p><p>After another eighteen months Beale revisited Lynchburg with</p><p>even more to add to his stash. This time there was an additional</p><p>reason for his trip:</p><p>Before leaving my companions on the plains it was suggested that, in case of an</p><p>accident to ourselves, the treasure so concealed would be lost to their relatives,</p><p>without some provision against such a contingency. I was, therefore, instructed to</p><p>select some perfectly reliable person, if such could be found, who should, in the event</p><p>of this proving acceptable to the party, be con�ded in to carry out their wishes in</p><p>regard to their respective shares.</p><p>Beale believed that Morriss was a man of integrity, which is why he</p><p>trusted him with the box containing the three enciphered sheets, the</p><p>so-called Beale ciphers. Each enciphered sheet contained an array of</p><p>numbers (reprinted here as Figures 21, 22 and 23), and deciphering</p><p>the numbers would reveal all the relevant details; the �rst sheet</p><p>described the treasure’s location, the second outlined the contents of</p><p>the treasure, and the third listed the relatives of the men who</p><p>should receive a share of the treasure. When Morriss read all of this,</p><p>it was some 23 years after he had last seen Thomas Beale. Working</p><p>on the assumption that Beale and his men were dead, Morriss felt</p><p>obliged to �nd the gold and share it among their relatives. However,</p><p>without the promised key he was forced to decipher the ciphers</p><p>from scratch, a task that troubled his mind for the next twenty</p><p>years, and which ended in failure.</p><p>In 1862, at the age of eighty-four, Morriss knew that he was</p><p>coming to the end of his life, and that he had to share the secret of</p><p>the Beale ciphers, otherwise any hope of carrying out Beale’s wishes</p><p>would die with him. Morriss con�ded in a friend, but unfortunately</p><p>the identity of this person remains a mystery. All we know about</p><p>Morriss’s friend is that it was he who wrote the pamphlet in 1885,</p><p>so hereafter I will refer to him simply as the author. The author</p><p>explained the reasons for his anonymity within the pamphlet:</p><p>I anticipate for these papers a large circulation, and, to avoid the multitude of letters</p><p>with which I should be assailed from all sections of the Union, propounding all sorts</p><p>of questions, and requiring answers which, if attended to, would absorb my entire</p><p>time, and only change the character of my work, I have decided upon withdrawing</p><p>my name from the publication, after assuring all interested that I have given all that I</p><p>know of the matter, and that I cannot add one word to the statements herein</p><p>contained.</p><p>To protect his identity, the author asked James B. Ward, a respected</p><p>member of the local community and the county’s road surveyor, to</p><p>act as his agent and publisher.</p><p>Everything we know about the strange tale of the Beale ciphers is</p><p>published in the pamphlet, and so it is thanks to the author that we</p><p>have the ciphers and Morriss’s account of the story. In addition to</p><p>this, the author is also responsible for successfully deciphering the</p><p>second Beale cipher. Like the �rst and third ciphers, the second</p><p>cipher consists of a page of numbers, and the author assumed that</p><p>each number represented a letter. However, the range of numbers</p><p>far exceeds the number of letters in the alphabet, so the author</p><p>realized that he was dealing with a cipher that uses several numbers</p><p>to represent the same letter. One cipher that ful�ls this criterion is</p><p>the so-called book cipher, in which a book, or any other piece of text,</p><p>is itself the key.</p><p>Figure 21 The �rst Beale cipher.</p><p>Figure</p><p>22 The second Beale cipher.</p><p>Figure 23 The third Beale cipher.</p><p>First, the cryptographer sequentially numbers every word in the</p><p>keytext. Thereafter, each number acts as a substitute for the initial</p><p>letter of its associated word. 1For 2example, 3if 4the 5sender 6and</p><p>7receiver 8agreed 9that 10this 11sentence 12were 13to 14be 15the</p><p>16keytext, 17then 18every 19word 20would 21be 22numerically</p><p>23labeled, 24each 25number 26providing 27the 28basis 29for</p><p>30encryption. Next, a list would be drawn up matching each number</p><p>to the initial letter of its associated word:</p><p>1 = f</p><p>2 = e</p><p>3 = i</p><p>4 = t</p><p>5 = s</p><p>6 = a</p><p>7 = r</p><p>8 = a</p><p>9 = t</p><p>10 = t</p><p>11 = s</p><p>12 = w</p><p>13 = t</p><p>14 = b</p><p>15 = t</p><p>16 = k</p><p>17 = t</p><p>18 = e</p><p>19 = w</p><p>20 = w</p><p>21 = b</p><p>22 = n</p><p>23 = l</p><p>24 = e</p><p>25 = n</p><p>26 = p</p><p>27 = t</p><p>28 = b</p><p>29 = f</p><p>30 = e</p><p>A message can now be encrypted by substituting letters in the</p><p>plaintext for numbers according to the list. In this list, the plaintext</p><p>letter f would be substituted with 1, and the plaintext letter e could</p><p>be substituted with either 2, 18, 24 or 30. Because our keytext is</p><p>such a short sentence, we do not have numbers that could replace</p><p>rare letters such as x and z, but we do have enough substitutes to</p><p>encipher the word beale, which could be 14-2-8-23-18. If the</p><p>intended receiver has a copy of the keytext, then deciphering the</p><p>encrypted message is trivial. However, if a third party intercepts</p><p>only the ciphertext, then cryptanalysis depends on somehow</p><p>identifying the keytext. The author of the pamphlet wrote, “With</p><p>this idea, a test was made of every book I could procure, by</p><p>numbering its letters and comparing the numbers with those of the</p><p>manuscript; all to no purpose, however, until the Declaration of</p><p>Independence a�orded the clue to one of the papers, and revived all</p><p>my hopes.”</p><p>The Declaration of Independence turned out to be the keytext for</p><p>the second Beale cipher, and by numbering the words in the</p><p>Declaration it is possible to unravel it. Figure 24 shows the start of</p><p>the Declaration of Independence, with every tenth word numbered</p><p>to help the reader see how the decipherment works. Figure 22</p><p>shows the ciphertext-the �rst number is 115, and the 115th word in</p><p>the Declaration is “instituted,” so the �rst number represents i. The</p><p>second number in the ciphertext is 73, and the 73rd word in the</p><p>Declaration is “hold,” so the second number represents h. Here is</p><p>the whole decipherment, as printed in the pamphlet:</p><p>I have deposited in the county of Bedford, about four miles from Buford’s, in an</p><p>excavation or vault, six feet below the surface of the ground, the following articles,</p><p>belonging jointly to the parties whose names are given in number “3,” herewith:</p><p>The �rst deposit consisted of one thousand and fourteen pounds of gold, and three</p><p>thousand eight hundred and twelve pounds of silver, deposited November, 1819. The</p><p>second was made December, 1821, and consisted of nineteen hundred and seven</p><p>pounds of gold, and twelve hundred and eighty-eight pounds of silver; also jewels,</p><p>obtained in St. Louis in exchange for silver to save transportation, and valued at</p><p>$13,000.</p><p>The above is securely packed in iron pots, with iron covers. The vault is roughly</p><p>lined with stone, and the vessels rest on solid stone, and are covered with others.</p><p>Paper number “1” describes the exact locality of the vault, so that no di�culty will be</p><p>had in �nding it.</p><p>It is worth noting that there are some errors in the ciphertext. For</p><p>example, the decipherment includes the words “four miles,” which</p><p>relies on the 95th word of the Declaration of Independence</p><p>beginning with the letter u. However, the 95th word is</p><p>“inalienable.” This could be the result of Beale’s sloppy encryption,</p><p>or it could be that Beale had a copy of the Declaration in which the</p><p>95th word was “unalienable,” which does appear in some versions</p><p>dating from the early nineteenth century. Either way, the successful</p><p>decipherment clearly indicated the value of the treasure-at least $20</p><p>million at today’s bullion prices.</p><p>Not surprisingly, once the author knew the value of the treasure,</p><p>he spent increasing amounts of time analyzing the other two cipher</p><p>sheets, particularly the �rst Beale cipher, which describes the</p><p>treasure’s location. Despite strenuous e�orts he failed, and the</p><p>ciphers brought him nothing but sorrow:</p><p>When, in the course of human events, it becomes 10necessary</p><p>for one people to dissolve the political bands which 20have</p><p>connected them with another, and to assume among the</p><p>30powers of the earth, the separate and equal station to 40which</p><p>the laws of nature and of nature’s God entitle 50them, a decent</p><p>respect to the opinions of mankind requires 60that they should</p><p>declare the causes which impel them to 70the separation.</p><p>We hold these truths to be self-evident, 80that all men are</p><p>created equal, that they are endowed 90by their Creator with</p><p>certain inalienable rights, that among these 100are life, liberty</p><p>and the pursuit of happiness; That to 110secure these rights,</p><p>governments are instituted among men, deriving their 120just</p><p>powers from the consent of the governed; That whenever</p><p>130any form of government becomes destructive of these ends,</p><p>it 140is the right of the people to alter or to 150abolish it, and to</p><p>institute a new government, laying its 160foundation on such</p><p>principles and organizing its powers in such 170form, as to them</p><p>shall seem most likely to e�ect 180their safety and happiness.</p><p>Prudence, indeed, will dictate that governments 190long</p><p>established should not be changed for light and transient</p><p>200causes; and accordingly all experience hath shewn, that</p><p>mankind are 210more disposed to su�er, while evils are</p><p>su�erable, than to 220right themselves by abolishing the forms</p><p>to which they are 230accustomed.</p><p>But when a long train of abuses and usurpations, 240pursuing</p><p>invariably the same object evinces a design to reduce them</p><p>250under absolute despotism, it is their right, it is their 260duty,</p><p>to throw o� such government, and to provide new 270Guards</p><p>for their future security. Such has been the patient 280su�erance</p><p>of these Colonies; and such is now the necessity 290which</p><p>constrains them to alter their former systems of government.</p><p>300The history of the present King of Great Britain is 310a</p><p>history of repeated injuries and usurpations, all having in</p><p>320direct object the establishment of an absolute tyranny over</p><p>these 330States. To prove this, let facts be submitted to a 340</p><p>candid world.</p><p>Figure 24 The �rst three paragraphs of the Declaration of Independence, with every</p><p>tenth word numbered. This is the key for deciphering the second Beale cipher.</p><p>In consequence of the time lost in the above investigation, I have been reduced from</p><p>comparative a�uence to absolute penury, entailing su�ering upon those it was my</p><p>duty to protect, and this, too, in spite of their remonstrations. My eyes were at last</p><p>opened to their condition, and I resolved to sever at once, and forever, all connection</p><p>with the a�air, and retrieve, if possible, my errors. To do this, as the best means of</p><p>placing temptation beyond my reach, I determined to make public the whole matter,</p><p>and shift from my shoulders my responsibility to Mr. Morriss.</p><p>Thus the ciphers, along with everything else known by the author,</p><p>were published in 1885. Although a warehouse �re destroyed most</p><p>of the pamphlets, those that survived caused quite a stir in</p><p>Lynchburg. Among the most ardent treasure hunters attracted to the</p><p>Beale ciphers were the Hart brothers, George and Clayton. For years</p><p>they pored over the two remaining ciphers, mounting various forms</p><p>of cryptanalytic attack, occasionally fooling themselves into</p><p>believing that they had a solution. A false line of attack will</p><p>sometimes generate a few tantalizing words within a sea of</p><p>gibberish, which then encourages the cryptanalyst to devise a series</p><p>of caveats to excuse the gibberish. To an unbiased observer the</p><p>decipherment is clearly nothing more than wishful thinking, but to</p><p>the blinkered treasure hunter it makes complete sense. One of the</p><p>Harts’ tentative decipherments encouraged</p><p>them to use dynamite to</p><p>excavate a particular site; unfortunately, the resulting crater yielded</p><p>no gold. Although Clayton Hart gave up in 1912, George continued</p><p>working on the Beale ciphers until 1952. An even more persistent</p><p>Beale fanatic has been Hiram Herbert, Jr., who �rst became</p><p>interested in 1923 and whose obsession continued right through to</p><p>the 1970s. He, too, had nothing to show for his e�orts.</p><p>Professional cryptanalysts have also embarked on the Beale</p><p>treasure trail. Herbert O. Yardley, who founded the U.S. Cipher</p><p>Bureau (known as the American Black Chamber) at the end of the</p><p>First World War, was intrigued by the Beale ciphers, as was Colonel</p><p>William Friedman, the dominant �gure in American cryptanalysis</p><p>during the �rst half of the twentieth century. While he was in</p><p>charge of the Signal Intelligence Service, he made the Beale ciphers</p><p>part of the training program, presumably because, as his wife once</p><p>said, he believed the ciphers to be of “diabolical ingenuity,</p><p>speci�cally designed to lure the unwary reader.” The Friedman</p><p>archive, established after his death in 1969 at the George C.</p><p>Marshall Research Center, is frequently consulted by military</p><p>historians, but the great majority of visitors are eager Beale</p><p>devotees, hoping to follow up some of the great man’s leads. More</p><p>recently, one of the major �gures in the hunt for the Beale treasure</p><p>has been Carl Hammer, retired director of computer science at</p><p>Sperry Univac and one of the pioneers of computer cryptanalysis.</p><p>According to Hammer, “the Beale ciphers have occupied at least</p><p>10% of the best cryptanalytic minds in the country. And not a dime</p><p>of this e�ort should be begrudged. The work—even the lines that</p><p>have led into blind alleys—has more than paid for itself in</p><p>advancing and re�ning computer research.” Hammer has been a</p><p>prominent member of the Beale Cypher and Treasure Association,</p><p>founded in the 1960s to encourage interest in the Beale mystery.</p><p>Initially, the Association required that any member who discovered</p><p>the treasure should share it with the other members, but this</p><p>obligation seemed to deter many Beale prospectors from joining,</p><p>and so the Association soon dropped the condition.</p><p>Despite the combined e�orts of the Association, amateur treasure</p><p>hunters and professional cryptanalysts, the �rst and third Beale</p><p>ciphers have remained a mystery for over a century, and the gold,</p><p>silver and jewels have yet to be found. Many attempts at</p><p>decipherment have revolved around the Declaration of</p><p>Independence, which was the key for the second Beale cipher.</p><p>Although a straightforward numbering of the words of the</p><p>Declaration yields nothing useful for the �rst and third ciphers,</p><p>cryptanalysts have tried various other schemes, such as numbering</p><p>it backward or numbering alternate words, but so far nothing has</p><p>worked. One problem is that the �rst cipher contains numbers as</p><p>high as 2906, whereas the Declaration contains only 1,322 words.</p><p>Other texts and books have been considered as potential keys, and</p><p>many cryptanalysts have looked into the possibility of an entirely</p><p>di�erent encryption system.</p><p>You might be surprised by the strength of the unbroken Beale</p><p>ciphers, especially bearing in mind that when we left the ongoing</p><p>battle between codemakers and codebreakers, it was the</p><p>codebreakers who were on top. Babbage and Kasiski had invented a</p><p>way of breaking the Vigenère cipher, and codemakers were</p><p>struggling to �nd something to replace it. How did Beale come up</p><p>with something that is so formidable? The answer is that the Beale</p><p>ciphers were created under circumstances that gave the</p><p>cryptographer a great advantage. This matter concerns just three</p><p>messages, and, because they related to such a valuable treasure,</p><p>Beale might have been prepared to create a special keytext for the</p><p>�rst and third ciphers. Indeed, if the keytext was penned by Beale</p><p>himself, this would explain why searches of published material have</p><p>not revealed it. We can imagine that Beale might have written a</p><p>2,000-word private essay on the subject of bu�alo hunting, of which</p><p>there was only one copy. Only the holder of this essay, the unique</p><p>keytext, would be able to decipher the �rst and third Beale ciphers.</p><p>Beale mentioned that he had left the key in “the hand of a friend” in</p><p>St. Louis, but if the friend lost or destroyed the key, then</p><p>cryptanalysts might never be able to crack the Beale ciphers.</p><p>Creating a keytext for a message is much more secure than using</p><p>a key based on a published book, but it is practical only if the</p><p>sender has the time to create the keytext and is able to convey it to</p><p>the intended recipient, requirements that are not feasible for</p><p>routine, day-to-day communications. In Beale’s case, he could</p><p>compose his keytext at leisure, deliver it to his friend in St. Louis</p><p>whenever he happened to be passing through, and then have it</p><p>posted or collected at some arbitrary time in the future, whenever</p><p>the treasure was to be reclaimed.</p><p>An alternative theory for explaining the indecipherability of the</p><p>Beale ciphers is that the author of the pamphlet deliberately</p><p>sabotaged them before having them published. Perhaps the author</p><p>merely wanted to �ush out the key, which was apparently in the</p><p>hands of Beale’s friend in St. Louis. If he had accurately published</p><p>the ciphers, then the friend would have been able to decipher them</p><p>and collect the gold, and the author would have received no reward</p><p>for his e�orts. However, if the ciphers were corrupted in some way,</p><p>then the friend would eventually realize that he needed the author’s</p><p>help, and would contact the publisher, Ward, who in turn would</p><p>contact the author. The author could then hand over the accurate</p><p>ciphers in exchange for a share of the treasure.</p><p>It is also possible that the treasure was found many years ago, and</p><p>that the discoverer spirited it away without being spotted by local</p><p>residents. Beale enthusiasts with a penchant for conspiracy theories</p><p>have suggested that the National Security Agency (NSA) has already</p><p>found the treasure. America’s central government cipher facility has</p><p>access to the most powerful computers and some of the most</p><p>brilliant minds in the world, and they may have discovered</p><p>something about the ciphers that has eluded everybody else. The</p><p>lack of any announcement would be in keeping with the NSA’s</p><p>hush-hush reputation—it has been proposed that NSA does not</p><p>stand for National Security Agency, but rather “Never Say Anything”</p><p>or “No Such Agency.”</p><p>Finally, we cannot exclude the possibility that the Beale ciphers</p><p>are an elaborate hoax, and that Beale never existed. Sceptics have</p><p>suggested that the unknown author, inspired by Poe’s “The Gold</p><p>Bug,” fabricated the whole story and published the pamphlet as a</p><p>way of pro�ting from the greed of others. Supporters of the hoax</p><p>theory have searched for inconsistencies and �aws in the Beale</p><p>story. For example, according to the pamphlet, Beale’s letter, which</p><p>was locked in the iron box and supposedly written in 1822, contains</p><p>the word “stampede,” but this word was not seen in print until</p><p>1834. However, it is quite possible that the word was in common</p><p>use in the Wild West at a much earlier date, and Beale could have</p><p>learned of it on his travels.</p><p>One of the foremost nonbelievers is the cryptographer Louis Kruh,</p><p>who claims to have found evidence that the pamphlet’s author also</p><p>wrote Beale’s letters, the one supposedly sent from St. Louis and the</p><p>one supposedly contained in the box. He performed a textual</p><p>analysis on the words attributed to the author and the words</p><p>attributed to Beale to see if there were any similarities. Kruh</p><p>compared aspects such as the percentage of sentences beginning</p><p>with “The,” “Of” and “And,” the average number of commas and</p><p>semicolons per sentence, and the writing style—the use of negatives,</p><p>negative passives, in�nitives, relative clauses, and so on. In addition</p><p>to the author’s words and Beale’s letters, the analysis also took in</p><p>the writing of three other nineteenth-century Virginians. Of the �ve</p><p>sets of writing, those authored by Beale and the pamphlet’s</p><p>author</p><p>bore the closest resemblance, suggesting that they may have been</p><p>written by the same person. In other words, this suggests that the</p><p>author faked the letters attributed to Beale and fabricated the whole</p><p>story.</p><p>On the other hand, evidence for the integrity of the Beale ciphers</p><p>is provided from various sources. First, if the undeciphered ciphers</p><p>were hoaxes, we might expect the hoaxer to have chosen the</p><p>numbers with little or no attention. However, the numbers give rise</p><p>to various intricate patterns. One of the patterns can be found by</p><p>using the Declaration of Independence as a key for the �rst cipher.</p><p>This yields no discernible words, but it does give sequences such as</p><p>abfdefghiijklmmnohpp. Although this is not a perfect alphabetical</p><p>list, it is certainly not random. James Gillogly of the American</p><p>Cryptogram Association is not convinced that the Beale ciphers are</p><p>authentic. However, he estimates that the probability of such</p><p>sequences appearing by chance is less than one in a hundred million</p><p>million, suggesting that there is a cryptographic principle</p><p>underlying the �rst cipher. One theory is that the Declaration is</p><p>indeed the key, but the resulting text requires a second stage of</p><p>decipherment; in other words, the �rst Beale cipher was enciphered</p><p>by a two-stage process, so-called superencipherment. If this is so,</p><p>then the alphabetical sequence might have been put there as a sign</p><p>of encouragement, a hint that the �rst stage of decipherment has</p><p>been successfully completed.</p><p>Further evidence favoring the probity of the ciphers comes from</p><p>historical research, which can be used to verify the story of Thomas</p><p>Beale. Peter Viemeister, a local historian, has gathered much of the</p><p>research in his book The Beale Treasure–History of a Mystery.</p><p>Viemeister began by asking if there was any evidence that Thomas</p><p>Beale actually existed. Using the census of 1790 and other</p><p>documents, Viemeister has identi�ed several Thomas Beales who</p><p>were born in Virginia and whose backgrounds �t the few known</p><p>details. Viemeister has also attempted to corroborate the other</p><p>details in the pamphlet, such as Beale’s trip to Santa Fe and his</p><p>discovery of gold. For example, there is a Cheyenne legend dating</p><p>from around 1820 which tells of gold and silver being taken from</p><p>the West and buried in Eastern Mountains. Also, the 1820</p><p>postmaster’s list in St. Louis contains a “Thomas Beall,” which �ts in</p><p>with the pamphlet’s claim that Beale passed through the city in</p><p>1820 on his journey westward after leaving Lynchburg. The</p><p>pamphlet also says that Beale sent a letter from St. Louis in 1822.</p><p>So there does seem to be a basis for the tale of the Beale ciphers,</p><p>and consequently it continues to enthrall cryptanalysts and treasure</p><p>hunters, such as Joseph Jancik, Marilyn Parsons and their dog</p><p>Mu�n. In February 1983 they were charged with “violation of a</p><p>sepulcher,” after being caught digging in the cemetery of Mountain</p><p>View Church in the middle of the night. Having discovered nothing</p><p>other than a co�n, they spent the rest of the weekend in the county</p><p>jail and were eventually �ned $500. These amateur gravediggers</p><p>can console themselves with the knowledge that they were hardly</p><p>any less successful than Mel Fisher, the professional treasure hunter</p><p>who salvaged $40 million worth of gold from the sunken Spanish</p><p>galleon Nuestra Señora de Atocha, which he discovered o� Key West,</p><p>Florida, in 1985. In November 1989, Fisher received a tip-o� from a</p><p>Beale expert in Florida, who believed that Beale’s hoard was buried</p><p>at Graham’s Mill in Bedford County, Virginia. Supported by a team</p><p>of wealthy investors, Fisher bought the site under the name of Mr.</p><p>Voda, in order to avoid arousing any suspicion. Despite a lengthy</p><p>excavation, he discovered nothing.</p><p>Some treasure hunters have abandoned hope of cracking the two</p><p>undeciphered sheets, and have concentrated instead on gleaning</p><p>clues from the one cipher that has been deciphered. For example, as</p><p>well as describing the contents of the buried treasure, the solved</p><p>cipher states that it is deposited “about four miles from Buford’s,”</p><p>which probably refers to the community of Buford or, more</p><p>speci�cally, to Buford’s Tavern, located at the center of Figure 25.</p><p>The cipher also mentions that “the vault is roughly lined with</p><p>stone,” so many treasure hunters have searched along Goose Creek,</p><p>a rich source of large stones. Each summer the region attracts</p><p>hopefuls, some armed with metal detectors, others accompanied by</p><p>psychics or diviners. The nearby town of Bedford has a number of</p><p>businesses which gladly hire out equipment, including industrial</p><p>diggers. Local farmers tend to be less welcoming to the strangers,</p><p>who often trespass on their land, damage their fences and dig giant</p><p>holes.</p><p>Having read the tale of the Beale ciphers, you might be</p><p>encouraged to take up the challenge yourself. The lure of an</p><p>unbroken nineteenth-century cipher, together with a treasure worth</p><p>$20 million, might prove irresistible. However, before you set o� on</p><p>the treasure trail, take heed of the advice given by the author of the</p><p>pamphlet:</p><p>Before giving the papers to the public, I would say a word to those who may take an</p><p>interest in them, and give them a little advice, acquired by bitter experience. It is, to</p><p>devote only such time as can be spared from your legitimate business to the task, and</p><p>if you can spare no time, let the matter alone … Again, never, as I have done,</p><p>sacri�ce your own and your family’s interests to what may prove an illusion; but, as I</p><p>have already said, when your day’s work is done, and you are comfortably seated by</p><p>your good �re, a short time devoted to the subject can injure no one, and may bring</p><p>its reward.</p><p>Figure 25 Part of a U.S. Geological Survey map of 1891. The circle has a radius of four</p><p>miles, and is centered on Buford’s Tavern, a location alluded to in the second cipher.</p><p>A</p><p>3 The Mechanization of Secrecy</p><p>t the end of the nineteenth century, cryptography was in</p><p>disarray. Ever since Babbage and Kasiski had destroyed the</p><p>security of the Vigenère cipher, cryptographers had been searching</p><p>for a new cipher, something that would reestablish secret</p><p>communication, thereby allowing businessmen and the military to</p><p>exploit the immediacy of the telegraph without their</p><p>communications being stolen and deciphered. Furthermore, at the</p><p>turn of the century, the Italian physicist Guglielmo Marconi</p><p>invented an even more powerful form of telecommunication, which</p><p>made the need for secure encryption even more pressing.</p><p>In 1894, Marconi began experimenting with a curious property of</p><p>electrical circuits. Under certain conditions, if one circuit carried an</p><p>electric current, this could induce a current in another isolated</p><p>circuit some distance away. By enhancing the design of the two</p><p>circuits, increasing the power and adding aerials, Marconi could</p><p>soon transmit and receive pulses of information across distances of</p><p>up to 2.5 km. He had invented radio. The telegraph had already</p><p>been established for half a century, but it required a wire to</p><p>transport a message between sender and receiver. Marconi’s system</p><p>had the great advantage of being wireless—the signal traveled, as if</p><p>by magic, through the air.</p><p>In 1896, in search of �nancial backing for his idea, Marconi</p><p>emigrated to Britain, where he �led his �rst patent. Continuing his</p><p>experiments, he increased the range of his radio communications,</p><p>�rst transmitting a message 15 km across the Bristol Channel, and</p><p>then 53 km across the English Channel to France. At the same time</p><p>he began to look for commercial applications for his invention,</p><p>pointing out to potential backers the two main advantages of radio:</p><p>it did not require the construction of expensive telegraph lines, and</p><p>it had the potential to send messages between otherwise isolated</p><p>locations. He pulled o� a magni�cent publicity stunt in 1899, when</p><p>he equipped two ships with radios so that journalists covering the</p><p>America’s Cup, the world’s most important yacht race, could send</p><p>reports back to New York for the following day’s newspapers.</p><p>Interest increased still further when Marconi shattered the myth</p><p>that radio communication was limited by the horizon. Critics had</p><p>argued that because radio waves could not bend and follow the</p><p>curvature of the Earth, radio communication would be limited to a</p><p>hundred kilometers or so. Marconi attempted to prove them wrong</p><p>by sending a message from Poldhu in Cornwall to St. John’s in</p><p>Newfoundland, a distance of 3,500 km. In December 1901, for three</p><p>hours each day, the Poldhu transmitter sent the letter S (dot-dot-</p><p>dot) over and over again, while Marconi stood on the windy cli�s of</p><p>Newfoundland trying to detect the radio waves. Day after day, he</p><p>wrestled to raise aloft a giant kite, which in turn hoisted his antenna</p><p>high into the air. A little after midday on December 12, Marconi</p><p>detected three faint dots, the �rst transatlantic radio message. The</p><p>explanation of Marconi’s achievement remained a mystery until</p><p>1924, when physicists discovered the ionosphere, a layer of the</p><p>atmosphere whose lower boundary is about 60 km above the Earth.</p><p>The ionosphere acts as a mirror, allowing radio waves to bounce o�</p><p>it. Radio waves also bounce o� the Earth’s surface, so radio</p><p>messages could e�ectively reach anywhere in the world after a</p><p>series of re�ections between the ionosphere and the Earth.</p><p>Marconi’s invention tantalized the military, who viewed it with a</p><p>mixture of desire and trepidation. The tactical advantages of radio</p><p>are obvious: it allows direct communication between any two points</p><p>without the need for a wire between the locations. Laying such a</p><p>wire is often impractical, sometimes impossible. Previously, a naval</p><p>commander based in port had no way of communicating with his</p><p>ships, which might disappear for months on end, but radio would</p><p>enable him to coordinate a �eet wherever the ships might be.</p><p>Similarly, radio would allow generals to direct their campaigns,</p><p>keeping them in continual contact with battalions, regardless of</p><p>their movements. All this is made possible by the nature of radio</p><p>waves, which emanate in all directions, and reach receivers</p><p>wherever they may be. However, this all-pervasive property of radio</p><p>is also its greatest military weakness, because messages will</p><p>inevitably reach the enemy as well as the intended recipient.</p><p>Consequently, reliable encryption became a necessity. If the enemy</p><p>were going to be able to intercept every radio message, then</p><p>cryptographers had to �nd a way of preventing them from</p><p>deciphering these messages.</p><p>The mixed blessings of radio—ease of communication and ease of</p><p>interception—were brought into sharp focus at the outbreak of the</p><p>First World War. All sides were keen to exploit the power of radio,</p><p>but were also unsure of how to guarantee security. Together, the</p><p>advent of radio and the Great War intensi�ed the need for e�ective</p><p>encryption. The hope was that there would be a breakthrough, some</p><p>new cipher that would reestablish secrecy for military commanders.</p><p>However, between 1914 and 1918 there was to be no great</p><p>discovery, merely a catalogue of cryptographic failures. Codemakers</p><p>conjured up several new ciphers, but one by one they were broken.</p><p>One of the most famous wartime ciphers was the German</p><p>ADFGVX cipher, introduced on March 5, 1918, just before the major</p><p>German o�ensive that began on March 21. Like any attack, the</p><p>German thrust would bene�t from the element of surprise, and a</p><p>committee of cryptographers had selected the ADFGVX cipher from</p><p>a variety of candidates, believing that it o�ered the best security. In</p><p>fact, they were con�dent that it was unbreakable. The cipher’s</p><p>strength lay in its convoluted nature, a mixture of a substitution and</p><p>transposition (see Appendix F).</p><p>By the beginning of June 1918, the German artillery was only 100</p><p>km from Paris, and was preparing for one �nal push. The only hope</p><p>for the Allies was to break the ADFGVX cipher to �nd just where the</p><p>Germans were planning to punch through their defenses.</p><p>Fortunately, they had a secret weapon, a cryptanalyst by the name</p><p>of Georges Painvin. This dark, slender Frenchman with a</p><p>penetrating mind had recognized his talent for cryptographic</p><p>conundrums only after a chance meeting with a member of the</p><p>Bureau du Chi�re soon after the outbreak of war. Thereafter, his</p><p>priceless skill was devoted to pinpointing the weaknesses in German</p><p>ciphers. He grappled day and night with the ADFGVX cipher, in the</p><p>process losing 15 kg in weight.</p><p>Eventually, on the night of June 2, he cracked an ADFGVX</p><p>message. Painvin’s breakthrough led to a spate of other</p><p>decipherments, including a message that contained the order “Rush</p><p>munitions. Even by day if not seen.” The preamble to the message</p><p>indicated that it was sent from somewhere between Montdidier and</p><p>Compiègne, some 80 km to the north of Paris. The urgent need for</p><p>munitions implied that this was to be the location of the imminent</p><p>German thrust. Aerial reconnaissance con�rmed that this was the</p><p>case. Allied soldiers were sent to reinforce this stretch of the front</p><p>line, and a week later the German onslaught began. Having lost the</p><p>element of surprise, the German army was beaten back in a hellish</p><p>battle that lasted �ve days.</p><p>The breaking of the ADFGVX cipher typi�ed cryptography during</p><p>the First World War. Although there was a �urry of new ciphers,</p><p>they were all variations or combinations of nineteenth-century</p><p>ciphers that had already been broken. While some of them initially</p><p>o�ered security, it was never long before cryptanalysts got the</p><p>better of them. The biggest problem for cryptanalysts was dealing</p><p>with the sheer volume of tra�c. Before the advent of radio,</p><p>intercepted messages were rare and precious items, and</p><p>cryptanalysts cherished each one. However, in the First World War,</p><p>the amount of radio tra�c was enormous, and every single message</p><p>could be intercepted, generating a steady �ow of ciphertexts to</p><p>occupy the minds of the cryptanalysts. It is estimated that the</p><p>French intercepted a hundred million words of German</p><p>communications during the course of the Great War.</p><p>Of all the wartime cryptanalysts, the French were the most</p><p>e�ective. When they entered the war, they already had the strongest</p><p>team of codebreakers in Europe, a consequence of the humiliating</p><p>French defeat in the Franco-Prussian War. Napoleon III, keen to</p><p>restore his declining popularity, had invaded Prussia in 1870, but he</p><p>had not anticipated the alliance between Prussia in the north and</p><p>the southern German states. Led by Otto von Bismarck, the</p><p>Prussians steamrollered the French army, annexing the provinces of</p><p>Alsace and Lorraine and bringing an end to French domination of</p><p>Europe. Thereafter, the continued threat of the newly united</p><p>Germany seems to have been the spur for French cryptanalysts to</p><p>master the skills necessary to provide France with detailed</p><p>intelligence about the plans of its enemy.</p><p>It was in this climate that Auguste Kerckho�s wrote his treatise La</p><p>Cryptographie militaire. Although Kerckho�s was Dutch, he spent</p><p>most of his life in France, and his writings provided the French with</p><p>an exceptional guide to the principles of cryptanalysis. By the time</p><p>the First World War had begun, three decades later, the French</p><p>military had implemented Kerckho�s’ ideas on an industrial scale.</p><p>While lone geniuses like Painvin sought to break new ciphers, teams</p><p>of experts, each with specially developed skills for tackling a</p><p>particular cipher, concentrated on the day-to-day decipherments.</p><p>Time was of the essence, and conveyor-belt cryptanalysis could</p><p>provide intelligence quickly and e�ciently.</p><p>Figure 26 Lieutenant Georges Painvin. (photo credit 3.1)</p><p>Sun-Tzu, author of the Art of War, a text on military strategy</p><p>dating from the fourth century B.C., stated that: “Nothing should be</p><p>as favorably regarded as intelligence; nothing should be as</p><p>generously rewarded as intelligence; nothing should be as</p><p>con�dential as the work of intelligence.” The French were fervent</p><p>believers in the words of Sun-Tzu, and in addition to honing their</p><p>cryptanalytic skills they also developed several ancillary techniques</p><p>for gathering radio intelligence, methods that did not involve</p><p>decipherment. For example, the French listening posts learned to</p><p>recognize a radio operator’s �st. Once encrypted, a message is sent</p><p>in Morse code, as a series of dots and dashes, and each operator can</p><p>be identi�ed by his pauses, the speed of transmission, and the</p><p>relative lengths of dots and dashes. A �st is the equivalent of a</p><p>recognizable style of handwriting. As well as operating listening</p><p>posts, the French established six direction �nding stations which</p><p>were able to detect where each message was coming from. Each</p><p>station moved its antenna until the incoming signal was strongest,</p><p>which identi�ed a direction for the source of a message. By</p><p>combining the directional information from two or more stations it</p><p>was possible to locate the exact source of the enemy transmission.</p><p>By combining �st information with direction �nding, it was possible</p><p>to establish both the identity and the location of, say, a particular</p><p>battalion. French intelligence could then track its path over the</p><p>course of several days, and potentially deduce its destination and</p><p>objective. This form of intelligence gathering, known as tra�c</p><p>analysis, was particularly valuable after the introduction of a new</p><p>cipher. Each new cipher would make cryptanalysts temporarily</p><p>impotent, but even if a message was indecipherable it could still</p><p>yield information via tra�c analysis.</p><p>The vigilance of the French was in sharp contrast to the attitude</p><p>of the Germans, who entered the war with no military cryptanalytic</p><p>bureau. Not until 1916 did they set up the Abhorchdienst, an</p><p>organization devoted to intercepting Allied messages. Part of the</p><p>reason for their tardiness in establishing the Abhorchdienst was that</p><p>the German army had advanced into French territory in the early</p><p>phase of the war. The French, as they retreated, destroyed the</p><p>landlines, forcing the advancing Germans to rely on radios for</p><p>communication. While this gave the French a continuous supply of</p><p>German intercepts, the opposite was not true. As the French were</p><p>retreating back into their own territory, they still had access to their</p><p>own landlines, and had no need to communicate by radio. With a</p><p>lack of French radio communication, the Germans could not make</p><p>many interceptions, and hence they did not bother to develop their</p><p>cryptanalytic department until two years into the war.</p><p>The British and the Americans also made important contributions</p><p>to Allied cryptanalysis. The supremacy of the Allied codebreakers</p><p>and their in�uence on the Great War are best illustrated by the</p><p>decipherment of a German telegram that was intercepted by the</p><p>British on January 17, 1917. The story of this decipherment shows</p><p>how cryptanalysis can a�ect the course of war at the very highest</p><p>level, and demonstrates the potentially devastating repercussions of</p><p>employing inadequate encryption. Within a matter of weeks, the</p><p>deciphered telegram would force America to rethink its policy of</p><p>neutrality, thereby shifting the balance of the war.</p><p>Despite calls from politicians in Britain and America, President</p><p>Woodrow Wilson had spent the �rst two years of the war steadfastly</p><p>refusing to send American troops to support the Allies. Besides not</p><p>wanting to sacri�ce his nation’s youth on the bloody battle�elds of</p><p>Europe, he was convinced that the war could be ended only by a</p><p>negotiated settlement, and he believed that he could best serve the</p><p>world if he remained neutral and acted as a mediator. In November</p><p>1916, Wilson saw hope for a settlement when Germany appointed a</p><p>new Foreign Minister, Arthur Zimmermann, a jovial giant of a man</p><p>who appeared to herald a new era of enlightened German</p><p>diplomacy. American newspapers ran headlines such as OUR FRIEND</p><p>ZIMMERMANN and LIBERALIZATION OF GERMANY, and one article proclaimed him as</p><p>“one of the most auspicious omens for the future of German-</p><p>American relations.” However, unknown to the Americans,</p><p>Zimmermann had no intention of pursuing peace. Instead, he was</p><p>plotting to extend Germany’s military aggression.</p><p>Back in 1915, a submerged German U-boat had been responsible</p><p>for sinking the ocean liner Lusitania, drowning 1,198 passengers,</p><p>including 128 U.S. civilians. The loss of the Lusitania would have</p><p>drawn America into the war, were it not for Germany’s reassurances</p><p>that henceforth Uboats would surface before attacking, a restriction</p><p>that was intended to avoid accidental attacks on civilian ships.</p><p>However, on January 9, 1917, Zimmermann attended a momentous</p><p>meeting at the German castle of Pless, where the Supreme High</p><p>Command was trying to persuade the Kaiser that it was time to</p><p>renege on their promise, and embark on a course of unrestricted</p><p>submarine warfare. German commanders knew that their U-boats</p><p>were almost invulnerable if they launched their torpedoes while</p><p>remaining submerged, and they believed that this would prove to be</p><p>the decisive factor in determining the outcome of the war. Germany</p><p>had been constructing a �eet of two hundred U-boats, and the</p><p>Supreme High Command argued that unrestricted U-boat aggression</p><p>would cut o� Britain’s supply lines and starve it into submission</p><p>within six months.</p><p>A swift victory was essential. Unrestricted submarine warfare and</p><p>the inevitable sinking of U.S. civilian ships would almost certainly</p><p>provoke America into declaring war on Germany. Bearing this in</p><p>mind, Germany needed to force an Allied surrender before America</p><p>could mobilize its troops and make an impact in the European</p><p>arena. By the end of the meeting at Pless, the Kaiser was convinced</p><p>that a swift victory could be achieved, and he signed an order to</p><p>proceed with unrestricted U-boat warfare, which would take e�ect</p><p>on February 1.</p><p>In the three weeks that remained, Zimmermann devised an</p><p>insurance policy. If unrestricted U-boat warfare increased the</p><p>likelihood of America entering the war, then Zimmermann had a</p><p>plan that would delay and weaken American involvement in Europe,</p><p>and which might even discourage it completely. Zimmermann’s idea</p><p>was to propose an alliance with Mexico, and persuade the President</p><p>of Mexico to invade America and reclaim territories such as Texas,</p><p>New Mexico and Arizona. Germany would support Mexico in its</p><p>battle with their common enemy, aiding it �nancially and militarily.</p><p>Furthermore, Zimmermann wanted the Mexican president to act</p><p>as a mediator and persuade Japan that it too should attack America.</p><p>This way, Germany would pose a threat to America’s East Coast,</p><p>Japan would attack from the west, while Mexico invaded from the</p><p>south. Zimmermann’s main motive was to pose America such</p><p>problems at home that it could not a�ord to send troops to Europe.</p><p>Thus Germany could win the battle at sea, win the war in Europe</p><p>and then withdraw from the American campaign. On January 16,</p><p>Zimmermann encapsulated his proposal in a telegram to the German</p><p>Ambassador in Washington, who would then retransmit it to the</p><p>German Ambassador in Mexico, who would �nally deliver it to the</p><p>Mexican President. Figure 28 shows the encrypted telegraph; the</p><p>actual message is as follows:</p><p>Figure 27 Arthur Zimmermann. (photo credit 3.1)</p><p>We intend to begin unrestricted submarine warfare on the �rst of February. We shall</p><p>endeavor in spite of this to keep the United States neutral. In the event of this not</p><p>succeeding, we make Mexico a proposal of alliance on the following basis: make war</p><p>together, make peace together, generous �nancial support, and an understanding on</p><p>our part that Mexico is to reconquer the lost territory in Texas, New Mexico and</p><p>Arizona. The settlement in detail is left to you.</p><p>You will inform the President [of Mexico] of the above most secretly, as soon as the</p><p>outbreak of war with the United States is certain, and add the suggestion that he</p><p>should, on his own initiative, invite Japan to immediate adherence and at the same</p><p>time mediate between Japan and ourselves.</p><p>Please call the President’s attention to the fact that the unrestricted employment of</p><p>our submarines now o�ers the prospect of compelling England to make peace</p><p>within</p><p>a few months. Acknowledge receipt.</p><p>Zimmermann</p><p>Zimmermann had to encrypt his telegram because Germany was</p><p>aware that the Allies were intercepting all its transatlantic</p><p>communications, a consequence of Britain’s �rst o�ensive action of</p><p>the war. Before dawn on the �rst day of the First World War, the</p><p>British ship Telconia approached the German coast under cover of</p><p>darkness, dropped anchor, and hauled up a clutch of undersea</p><p>cables. These were Germany’s transatlantic cables—its</p><p>communication links to the rest of the world. By the time the sun</p><p>had risen, they had been severed. This act of sabotage was aimed at</p><p>destroying Germany’s most secure means of communication, thereby</p><p>forcing German messages to be sent via insecure radio links or via</p><p>cables owned by other countries. Zimmermann was forced to send</p><p>his encrypted telegram via Sweden and, as a back-up, via the more</p><p>direct American-owned cable. Both routes touched England, which</p><p>meant that the text of the Zimmermann telegram, as it would</p><p>become known, soon fell into British hands.</p><p>The intercepted telegram was immediately sent to Room 40, the</p><p>Admiralty’s cipher bureau, named after the o�ce in which it was</p><p>initially housed. Room 40 was a strange mixture of linguists,</p><p>classical scholars and puzzle addicts, capable of the most ingenious</p><p>feats of cryptanalysis. For example, the Reverend Montgomery, a</p><p>gifted translator of German theological works, had deciphered a</p><p>secret message hidden in a postcard addressed to Sir Henry Jones,</p><p>184 King’s Road, Tighnabruaich, Scotland.</p><p>Figure 28 The Zimmermann telegram, as forwarded by von Bernstor�, the German</p><p>Ambassador in Washington, to Eckhardt, the German Ambassador in Mexico City.</p><p>(photo credit 3.2)</p><p>The postcard had been sent from Turkey, so Sir Henry had assumed</p><p>that it was from his son, a prisoner of the Turks. However, he was</p><p>puzzled because the postcard was blank, and the address was</p><p>peculiar—the village of Tighnabruaich was so tiny that none of the</p><p>houses had numbers and there was no King’s Road. Eventually, the</p><p>Reverend Montgomery spotted the postcard’s cryptic message. The</p><p>address alluded to the Bible, First Book of Kings, Chapter 18, Verse</p><p>4: “Obadiah took a hundred prophets, and hid them �fty in a cave,</p><p>and fed them with bread and water.” Sir Henry’s son was simply</p><p>reassuring his family that he was being well looked after by his</p><p>captors.</p><p>When the encrypted Zimmermann telegram arrived in Room 40, it</p><p>was Montgomery who was made responsible for deciphering it,</p><p>along with Nigel de Grey, a publisher seconded from the �rm of</p><p>William Heinemann. They saw immediately that they were dealing</p><p>with a form of encryption used only for high-level diplomatic</p><p>communications, and tackled the telegram with some urgency. The</p><p>decipherment was far from trivial, but they were able to draw upon</p><p>previous analyses of other similarly encrypted telegrams. Within a</p><p>few hours the codebreaking duo had been able to recover a few</p><p>chunks of text, enough to see that they were uncovering a message</p><p>of the utmost importance. Montgomery and de Grey persevered with</p><p>their task, and by the end of the day they could discern the outline</p><p>of Zimmermann’s terrible plans. They realized the dreadful</p><p>implications of unrestricted U-boat warfare, but at the same time</p><p>they could see that the German Foreign Minister was encouraging</p><p>an attack on America, which was likely to provoke President Wilson</p><p>into abandoning America’s neutrality. The telegram contained the</p><p>deadliest of threats, but also the possibility of America joining the</p><p>Allies.</p><p>Montgomery and de Grey took the partially deciphered telegram</p><p>to Admiral Sir William Hall, Director of Naval Intelligence,</p><p>expecting him to pass the information to the Americans, thereby</p><p>drawing them into the war. However, Admiral Hall merely placed</p><p>the partial decipherment in his safe, encouraging his cryptanalysts</p><p>to continue �lling in the gaps. He was reluctant to hand the</p><p>Americans an incomplete decipherment, in case there was a vital</p><p>caveat that had not yet been deciphered. He also had another</p><p>concern lurking in the back of his mind. If the British gave the</p><p>Americans the deciphered Zimmermann telegram, and the</p><p>Americans reacted by publicly condemning Germany’s proposed</p><p>aggression, then the Germans would conclude that their method of</p><p>encryption had been broken. This would goad them into developing</p><p>a new and stronger encryption system, thus choking a vital channel</p><p>of intelligence. In any case, Hall was aware that the all-out U-boat</p><p>onslaught would begin in just two weeks, which in itself might be</p><p>enough to incite President Wilson into declaring war on Germany.</p><p>There was no point jeopardizing a valuable source of intelligence</p><p>when the desired outcome might happen anyway.</p><p>On February 1, as ordered by the Kaiser, Germany instigated</p><p>unrestricted naval warfare. On February 2, Woodrow Wilson held a</p><p>cabinet meeting to decide the American response. On February 3, he</p><p>spoke to Congress and announced that America would continue to</p><p>remain neutral, acting as a peacemaker, not a combatant. This was</p><p>contrary to Allied and German expectations. American reluctance to</p><p>join the Allies left Admiral Hall with no choice but to exploit the</p><p>Zimmermann telegram.</p><p>In the fortnight since Montgomery and de Grey had �rst contacted</p><p>Hall, they had completed the decipherment. Furthermore, Hall had</p><p>found a way of keeping Germany from suspecting that their security</p><p>had been breached. He realized that von Bernstor�, the German</p><p>Ambassador in Washington, would have forwarded the message to</p><p>von Eckhardt, the German Ambassador in Mexico, having �rst made</p><p>some minor changes. For example, von Bernstor� would have</p><p>removed the instructions aimed at himself, and would also have</p><p>changed the address. Von Eckhardt would then have delivered this</p><p>revised version of the telegram, unencrypted, to the Mexican</p><p>President. If Hall could somehow obtain this Mexican version of the</p><p>Zimmermann telegram, then it could be published in the</p><p>newspapers and the Germans would assume that it had been stolen</p><p>from the Mexican Government, not intercepted and cracked by the</p><p>British on its way to America. Hall contacted a British agent in</p><p>Mexico, known only as Mr. H., who in turn in�ltrated the Mexican</p><p>Telegraph O�ce. Mr. H. was able to obtain exactly what he needed</p><p>—the Mexican version of the Zimmermann telegram.</p><p>It was this version of the telegram that Hall handed to Arthur</p><p>Balfour, the British Secretary of State for Foreign A�airs. On</p><p>February 23, Balfour summoned the American Ambassador, Walter</p><p>Page, and presented him with the Zimmermann telegram, later</p><p>calling this “the most dramatic moment in all my life.” Four days</p><p>later, President Wilson saw for himself the “eloquent evidence,” as</p><p>he called it, proof that Germany was encouraging direct aggression</p><p>against America.</p><p>The telegram was released to the press and, at last, the American</p><p>nation was confronted with the reality of Germany’s intentions.</p><p>Although there was little doubt among the American people that</p><p>they should retaliate, there was some concern within the U.S.</p><p>administration that the telegram might be a hoax, manufactured by</p><p>the British to guarantee American involvement in the war. However,</p><p>the question of authenticity soon vanished when Zimmermann</p><p>publicly admitted his authorship. At a press conference in Berlin,</p><p>without being pressured, he simply stated, “I cannot deny it. It is</p><p>true.”</p><p>Figure 29 “Exploding in his Hands,” a cartoon by Rollin Kirby published on March 3,</p><p>1917, in The World.(photo credit 3.3)</p><p>In Germany, the Foreign O�ce began an investigation into how</p><p>the Americans had obtained the Zimmermann telegram. They fell</p><p>for Admiral Hall’s ploy, and came to the conclusion that “various</p><p>indications suggest that the treachery was committed in Mexico.”</p><p>Meanwhile, Hall continued to distract attention from the work of</p><p>British cryptanalysts. He planted a story in the British press</p><p>criticizing his own organization for not intercepting the</p><p>Zimmermann telegram, which in turn led to a spate of articles</p><p>them.</p><p>O</p><p>1 The Cipher of Mary Queen of Scots</p><p>n the morning of Saturday, October 15, 1586, Queen Mary</p><p>entered the crowded courtroom at Fotheringhay Castle. Years</p><p>of imprisonment and the onset of rheumatism had taken their toll,</p><p>yet she remained digni�ed, composed and indisputably regal.</p><p>Assisted by her physician, she made her way past the judges,</p><p>o�cials and spectators, and approached the throne that stood</p><p>halfway along the long, narrow chamber. Mary had assumed that</p><p>the throne was a gesture of respect toward her, but she was</p><p>mistaken. The throne symbolized the absent Queen Elizabeth,</p><p>Mary’s enemy and prosecutor. Mary was gently guided away from</p><p>the throne and toward the opposite side of the room, to the</p><p>defendant’s seat, a crimson velvet chair.</p><p>Mary Queen of Scots was on trial for treason. She had been</p><p>accused of plotting to assassinate Queen Elizabeth in order to take</p><p>the English crown for herself. Sir Francis Walsingham, Elizabeth’s</p><p>Principal Secretary, had already arrested the other conspirators,</p><p>extracted confessions, and executed them. Now he planned to prove</p><p>that Mary was at the heart of the plot, and was therefore equally</p><p>culpable and equally deserving of death.</p><p>Walsingham knew that before he could have Mary executed, he</p><p>would have to convince Queen Elizabeth of her guilt. Although</p><p>Elizabeth despised Mary, she had several reasons for being reluctant</p><p>to see her put to death. First, Mary was a Scottish queen, and many</p><p>questioned whether an English court had the authority to execute a</p><p>foreign head of state. Second, executing Mary might establish an</p><p>awkward precedent—if the state is allowed to kill one queen, then</p><p>perhaps rebels might have fewer reservations about killing another,</p><p>namely Elizabeth. Third, Elizabeth and Mary were cousins, and their</p><p>blood tie made Elizabeth all the more squeamish about ordering her</p><p>execution. In short, Elizabeth would sanction Mary’s execution only</p><p>if Walsingham could prove beyond any hint of doubt that she had</p><p>been part of the assassination plot.</p><p>Figure 1 Mary Queen of Scots.(photo credit 1.1)</p><p>The conspirators were a group of young English Catholic</p><p>noblemen intent on removing Elizabeth, a Protestant, and replacing</p><p>her with Mary, a fellow Catholic. It was apparent to the court that</p><p>Mary was a �gurehead for the conspirators, but it was not clear that</p><p>she had actually given her blessing to the conspiracy. In fact, Mary</p><p>had authorized the plot. The challenge for Walsingham was to</p><p>demonstrate a palpable link between Mary and the plotters.</p><p>On the morning of her trial, Mary sat alone in the dock, dressed in</p><p>sorrowful black velvet. In cases of treason, the accused was</p><p>forbidden counsel and was not permitted to call witnesses. Mary</p><p>was not even allowed secretaries to help her prepare her case.</p><p>However, her plight was not hopeless because she had been careful</p><p>to ensure that all her correspondence with the conspirators had been</p><p>written in cipher. The cipher turned her words into a meaningless</p><p>series of symbols, and Mary believed that even if Walsingham had</p><p>captured the letters, then he could have no idea of the meaning of</p><p>the words within them. If their contents were a mystery, then the</p><p>letters could not be used as evidence against her. However, this all</p><p>depended on the assumption that her cipher had not been broken.</p><p>Unfortunately for Mary, Walsingham was not merely Principal</p><p>Secretary, he was also England’s spymaster. He had intercepted</p><p>Mary’s letters to the plotters, and he knew exactly who might be</p><p>capable of deciphering them. Thomas Phelippes was the nation’s</p><p>foremost expert on breaking codes, and for years he had been</p><p>deciphering the messages of those who plotted against Queen</p><p>Elizabeth, thereby providing the evidence needed to condemn them.</p><p>If he could decipher the incriminating letters between Mary and the</p><p>conspirators, then her death would be inevitable. On the other hand,</p><p>if Mary’s cipher was strong enough to conceal her secrets, then there</p><p>was a chance that she might survive. Not for the �rst time, a life</p><p>hung on the strength of a cipher.</p><p>The Evolution of Secret Writing</p><p>Some of the earliest accounts of secret writing date back to</p><p>Herodotus, “the father of history” according to the Roman</p><p>philosopher and statesman Cicero. In The Histories, Herodotus</p><p>chronicled the con�icts between Greece and Persia in the �fth</p><p>century B.C., which he viewed as a confrontation between freedom</p><p>and slavery, between the independent Greek states and the</p><p>oppressive Persians. According to Herodotus, it was the art of secret</p><p>writing that saved Greece from being conquered by Xerxes, King of</p><p>Kings, the despotic leader of the Persians.</p><p>The long-running feud between Greece and Persia reached a crisis</p><p>soon after Xerxes began constructing a city at Persepolis, the new</p><p>capital for his kingdom. Tributes and gifts arrived from all over the</p><p>empire and neighboring states, with the notable exceptions of</p><p>Athens and Sparta. Determined to avenge this insolence, Xerxes</p><p>began mobilizing a force, declaring that “we shall extend the empire</p><p>of Persia such that its boundaries will be God’s own sky, so the sun</p><p>will not look down upon any land beyond the boundaries of what is</p><p>our own.” He spent the next �ve years secretly assembling the</p><p>greatest �ghting force in history, and then, in 480 B.C., he was ready</p><p>to launch a surprise attack.</p><p>However, the Persian military buildup had been witnessed by</p><p>Demaratus, a Greek who had been expelled from his homeland and</p><p>who lived in the Persian city of Susa. Despite being exiled he still</p><p>felt some loyalty to Greece, so he decided to send a message to warn</p><p>the Spartans of Xerxes’ invasion plan. The challenge was how to</p><p>dispatch the message without it being intercepted by the Persian</p><p>guards. Herodotus wrote:</p><p>As the danger of discovery was great, there was only one way in which he could</p><p>contrive to get the message through: this was by scraping the wax o� a pair of</p><p>wooden folding tablets, writing on the wood underneath what Xerxes intended to do,</p><p>and then covering the message over with wax again. In this way the tablets, being</p><p>apparently blank, would cause no trouble with the guards along the road. When the</p><p>message reached its destination, no one was able to guess the secret, until, as I</p><p>understand, Cleomenes’ daughter Gorgo, who was the wife of Leonidas, divined and</p><p>told the others that if they scraped the wax o�, they would �nd something written on</p><p>the wood underneath. This was done; the message was revealed and read, and</p><p>afterward passed on to the other Greeks.</p><p>As a result of this warning, the hitherto defenseless Greeks began to</p><p>arm themselves. Pro�ts from the state-owned silver mines, which</p><p>were usually shared among the citizens, were instead diverted to the</p><p>navy for the construction of two hundred warships.</p><p>Xerxes had lost the vital element of surprise and, on September</p><p>23, 480 B.C., when the Persian �eet approached the Bay of Salamis</p><p>near Athens, the Greeks were prepared. Although Xerxes believed he</p><p>had trapped the Greek navy, the Greeks were deliberately enticing</p><p>the Persian ships to enter the bay. The Greeks knew that their ships,</p><p>smaller and fewer in number, would have been destroyed in the</p><p>open sea, but they realized that within the con�nes of the bay they</p><p>might outmaneuver the Persians. As the wind changed direction the</p><p>Persians found themselves being blown into the bay, forced into an</p><p>engagement on Greek terms. The Persian princess Artemisia became</p><p>surrounded on three sides and attempted to head back out to sea,</p><p>only to ram one of her own ships. Panic ensued, more Persian ships</p><p>collided and the Greeks launched a full-blooded onslaught. Within a</p><p>day, the formidable forces of Persia had been humbled.</p><p>Demaratus’ strategy for secret communication relied on simply</p><p>hiding the message. Herodotus also recounted another incident in</p><p>which concealment was su�cient to secure the safe passage of a</p><p>message. He chronicled the story of Histaiaeus, who wanted to</p><p>encourage Aristagoras of Miletus to revolt against the Persian king.</p><p>To convey his instructions</p><p>attacking the British secret service and praising the Americans.</p><p>At the beginning of the year, Wilson had said that it would be a</p><p>“crime against civilization” to lead his nation to war, but by April 2,</p><p>1917, he had changed his mind: “I advise that the Congress declare</p><p>the recent course of the Imperial Government to be in fact nothing</p><p>less than war against the government and people of the United</p><p>States, and that it formally accept the status of belligerent which has</p><p>thus been thrust upon it.” A single breakthrough by Room 40</p><p>cryptanalysts had succeeded where three years of intensive</p><p>diplomacy had failed. Barbara Tuchman, American historian and</p><p>author of The Zimmermann Telegram, o�ered the following analysis:</p><p>Had the telegram never been intercepted or never been published, inevitably the</p><p>Germans would have done something else that would have brought us in eventually.</p><p>But the time was already late and, had we delayed much longer, the Allies might have</p><p>been forced to negotiate. To that extent the Zimmermann telegram altered the course</p><p>of history … In itself the Zimmermann telegram was only a pebble on the long road</p><p>of history. But a pebble can kill a Goliath, and this one killed the American illusion</p><p>that we could go about our business happily separate from other nations. In world</p><p>a�airs it was a German Minister’s minor plot. In the lives of the American people it</p><p>was the end of innocence.</p><p>The Holy Grail of Cryptography</p><p>The First World War saw a series of victories for cryptanalysts,</p><p>culminating in the decipherment of the Zimmermann telegram. Ever</p><p>since the cracking of the Vigenère cipher in the nineteenth century,</p><p>codebreakers had maintained the upper hand over the codemakers.</p><p>Then, toward the end of the war, when cryptographers were in a</p><p>state of utter despair, scientists in America made an astounding</p><p>breakthrough. They discovered that the Vigenère cipher could be</p><p>used as the basis for a new, more formidable form of encryption. In</p><p>fact, this new cipher could o�er perfect security.</p><p>The fundamental weakness of the Vigenère cipher is its cyclical</p><p>nature. If the keyword is �ve letters long, then every �fth letter of</p><p>the plaintext is encrypted according to the same cipher alphabet. If</p><p>the cryptanalyst can identify the length of the keyword, the</p><p>ciphertext can be treated as a series of �ve monoalphabetic ciphers,</p><p>and each one can be broken by frequency analysis. However,</p><p>consider what happens as the keyword gets longer.</p><p>Imagine a plaintext of 1,000 letters encrypted according to the</p><p>Vigenère cipher, and imagine that we are trying to cryptanalyze the</p><p>resulting ciphertext. If the keyword used to encipher the plaintext</p><p>were only 5 letters long, the �nal stage of cryptanalysis would</p><p>require applying frequency analysis to 5 sets of 200 letters, which is</p><p>easy. But if the keyword had been 20 letters long, the �nal stage</p><p>would be a frequency analysis of 20 sets of 50 letters, which is</p><p>considerably harder. And if the keyword had been 1,000 letters</p><p>long, you would be faced with frequency analysis of 1,000 sets of 1</p><p>letter each, which is completely impossible. In other words, if the</p><p>keyword (or keyphrase) is as long as the message, then the</p><p>cryptanalytic technique developed by Babbage and Kasiski will not</p><p>work.</p><p>Using a key as long as the message is all well and good, but this</p><p>requires the cryptographer to create a lengthy key. If the message is</p><p>hundreds of letters long, the key also needs to be hundreds of letters</p><p>long. Rather than inventing a long key from scratch, it might be</p><p>tempting to base it on, say, the lyrics of a song. Alternatively, the</p><p>cryptographer could pick up a book on birdwatching and base the</p><p>key on a series of randomly chosen bird names. However, such</p><p>shortcut keys are fundamentally �awed.</p><p>In the following example, I have enciphered a piece of ciphertext</p><p>using the Vigenère cipher, using a keyphrase that is as long as the</p><p>message. All the cryptanalytic techniques that I have previously</p><p>described will fail. None the less, the message can be deciphered.</p><p>This new system of cryptanalysis begins with the assumption that</p><p>the ciphertext contains some common words, such as the. Next, we</p><p>randomly place the at various points in the plaintext, as shown</p><p>below, and deduce what sort of keyletters would be required to turn</p><p>the into the appropriate ciphertext. For example, if we pretend that</p><p>the is the �rst word of the plaintext, then what would this imply for</p><p>the �rst three letters of the key? The �rst letter of the key would</p><p>encrypt t into V. To work out the �rst letter of the key, we take a</p><p>Vigenère square, look down the column headed by t until we reach</p><p>V, and �nd that the letter that begins that row is C. This process is</p><p>repeated with h and e, which would be encrypted as H and R</p><p>respectively, and eventually we have candidates for the �rst three</p><p>letters of the key, CAN. All of this comes from the assumption that</p><p>the is the �rst word of the plaintext. We place the in a few other</p><p>positions, and, once again, deduce the corresponding keyletters.</p><p>(You can check the relationship between each plaintext letter and</p><p>ciphertext letter by referring to the Vigenère square in Table 9.)</p><p>We have tested three the’s against three arbitrary fragments of the</p><p>ciphertext, and generated three guesses as to the elements of certain</p><p>parts of the key. How can we tell whether any of the the’s are in the</p><p>right position? We suspect that the key consists of sensible words,</p><p>and we can use this to our advantage. If a the is in a wrong position,</p><p>it will probably result in a random selection of keyletters. However,</p><p>if it is in a correct position, the keyletters should make some sense.</p><p>For example, the �rst the yields the keyletters CAN, which is</p><p>encouraging because this is a perfectly reasonable English syllable.</p><p>It is possible that this the is in the correct position. The second the</p><p>yields BSJ, which is a very peculiar combination of consonants,</p><p>suggesting that the second the is probably a mistake. The third the</p><p>yields YPT, an unusual syllable but one which is worth further</p><p>investigation. If YPT really were part of the key, it would be within</p><p>a larger word, the only possibilities being APOCALYPTIC, CRYPT</p><p>and EGYPT, and derivatives of these words. How can we �nd out if</p><p>one of these words is part of the key? We can test each hypothesis</p><p>by inserting the three candidate words in the key, above the</p><p>appropriate section of the ciphertext, and working out the</p><p>corresponding plaintext:</p><p>If the candidate word is not part of the key, it will probably result</p><p>in a random piece of plaintext, but if it is part of the key the</p><p>resulting plaintext should make some sense. With APOCALYPTIC as</p><p>part of the key the resulting plaintext is gibberish of the highest</p><p>quality. With CRYPT, the resulting plaintext is cithe, which is not an</p><p>inconceivable piece of plaintext. However, if EGYPT were part of</p><p>the key it would generate atthe, a more promising combination of</p><p>letters, probably representing the words at the.</p><p>For the time being let us assume that the most likely possibility is</p><p>that EGYPT is part of the key. Perhaps the key is a list of countries.</p><p>This would suggest that CAN, the piece of the key that corresponds</p><p>to the �rst the, is the start of CANADA. We can test this hypothesis</p><p>by working out more of the plaintext, based on the assumption that</p><p>CANADA, as well as EGYPT, is part of the key:</p><p>Our assumption seems to be making sense. CANADA implies that</p><p>the plaintext begins with themee which perhaps is the start of the</p><p>meeting. Now that we have deduced some more letters of the</p><p>plaintext, ting, we can deduce the corresponding part of the key,</p><p>which turns out to be BRAZ. Surely this is the beginning of BRAZIL.</p><p>Using the combination of CANADABRAZILEGYPT as the bulk of the</p><p>key, we get the following decipherment: the meeting is at the ????.</p><p>In order to �nd the �nal word of the plaintext, the location of the</p><p>meeting, the best strategy would be to complete the key by testing</p><p>one by one the names of all possible countries, and deducing the</p><p>resulting plaintext.</p><p>The only sensible plaintext is derived if the �nal</p><p>piece of the key is CUBA:</p><p>Table 9 Vigenère square.</p><p>So, a key that is as long as the message is not su�cient to</p><p>guarantee security. The insecurity in the example above arises</p><p>because the key was constructed from meaningful words. We began</p><p>by randomly inserting the throughout the plaintext, and working</p><p>out the corresponding keyletters. We could tell when we had put a</p><p>the in the correct place, because the keyletters looked as if they</p><p>might be part of meaningful words. Thereafter, we used these</p><p>snippets in the key to deduce whole words in the key. In turn this</p><p>gave us more snippets in the message, which we could expand into</p><p>whole words, and so on. This entire process of toing and froing</p><p>between the message and the key was only possible because the key</p><p>had an inherent structure and consisted of recognizable words.</p><p>However, in 1918 cryptographers began experimenting with keys</p><p>that were devoid of structure. The result was an unbreakable cipher.</p><p>As the Great War drew to a close, Major Joseph Mauborgne, head</p><p>of cryptographic research for the U.S. Army, introduced the concept</p><p>of a random key-one that consisted not of a recognizable series of</p><p>words, but rather a random series of letters. He advocated</p><p>employing these random keys as part of a Vigenère cipher to give an</p><p>unprecedented level of security. The �rst stage of Mauborgne’s</p><p>system was to compile a thick pad consisting of hundreds of sheets</p><p>of paper, each sheet bearing a unique key in the form of lines of</p><p>randomly sequenced letters. There would be two copies of the pad,</p><p>one for the sender and one for the receiver. To encrypt a message,</p><p>the sender would apply the Vigenère cipher using the �rst sheet of</p><p>the pad as the key. Figure 30 shows three sheets from such a pad (in</p><p>reality each sheet would contain hundreds of letters), followed by a</p><p>message encrypted using the random key on the �rst sheet. The</p><p>receiver can easily decipher the ciphertext by using the identical key</p><p>and reversing the Vigenère cipher. Once that message has been</p><p>successfully sent, received and deciphered, both the sender and the</p><p>receiver destroy the sheet that acted as the key, so that it is never</p><p>used again. When the next message is encrypted, the next random</p><p>key in the pad is employed, which is also subsequently destroyed,</p><p>and so on. Because each key is used once, and only once, this system</p><p>is known as a onetime pad cipher.</p><p>The onetime pad cipher overcomes all previous weaknesses.</p><p>Imagine that the message attack the valley at dawn has been</p><p>enciphered as in Figure 30, sent via a radio transmitter and</p><p>intercepted by the enemy. The ciphertext is handed to an enemy</p><p>cryptanalyst, who then attempts to decipher it. The �rst hurdle is</p><p>that, by de�nition, there is no repetition in a random key, so the</p><p>method of Babbage and Kasiski cannot break the onetime pad</p><p>cipher. As an alternative, the enemy cryptanalyst might try placing</p><p>the word the in various places, and deduce the corresponding piece</p><p>of the key, just as we did when we attempted to decipher the</p><p>previous message. If the cryptanalyst tries putting the at the</p><p>beginning of the message, which is incorrect, then the</p><p>corresponding segment of key would be revealed as WXB, which is a</p><p>random series of letters. If the cryptanalyst tries placing the so that</p><p>it begins at the seventh letter of the message, which happens to be</p><p>correct, then the corresponding segment of key would be revealed as</p><p>QKJ, which is also a random series of letters. In other words, the</p><p>cryptanalyst cannot tell whether the trial word is, or is not, in the</p><p>correct place.</p><p>In desperation, the cryptanalyst might consider an exhaustive</p><p>search of all possible keys. The ciphertext consists of 21 letters, so</p><p>the cryptanalyst knows that the key consists of 21 letters. This</p><p>means that there are roughly</p><p>500,000,000,000,000,000,000,000,000,000 possible keys to test,</p><p>which is completely beyond what is humanly or mechanically</p><p>feasible. However, even if the cryptanalyst could test all these keys,</p><p>there is an even greater obstacle to be overcome. By checking every</p><p>possible key the cryptanalyst will certainly �nd the right message—</p><p>but every wrong message will also be revealed. For example, the</p><p>following key applied to the same ciphertext generates a completely</p><p>di�erent message:</p><p>Figure 30 Three sheets, each a potential key for a onetime pad cipher. The message</p><p>is enciphered using Sheet 1.</p><p>If all the di�erent keys could be tested, every conceivable 21-</p><p>letter message would be generated, and the cryptanalyst would be</p><p>unable to distinguish between the right one and all the others. This</p><p>di�culty would not have arisen had the key been a series of words</p><p>or a phrase, because the incorrect messages would almost certainly</p><p>have been associated with a meaningless key, whereas the correct</p><p>message would be associated with a sensible key.</p><p>The security of the onetime pad cipher is wholly due to the</p><p>randomness of the key. The key injects randomness into the</p><p>ciphertext, and if the ciphertext is random then it has no patterns,</p><p>no structure, nothing the cryptanalyst can latch onto. In fact, it can</p><p>be mathematically proved that it is impossible for a cryptanalyst to</p><p>crack a message encrypted with a onetime pad cipher. In other</p><p>words, the onetime pad cipher is not merely believed to be</p><p>unbreakable, just as the Vigenère cipher was in the nineteenth</p><p>century, it really is absolutely secure. The onetime pad o�ers a</p><p>guarantee of secrecy: the Holy Grail of cryptography.</p><p>At last, cryptographers had found an unbreakable system of</p><p>encryption. However, the perfection of the onetime pad cipher did</p><p>not end the quest for secrecy: the truth of the matter is that it was</p><p>hardly ever used. Although it is perfect in theory, it is �awed in</p><p>practice because the cipher su�ers from two fundamental</p><p>di�culties. First, there is the practical problem of making large</p><p>quantities of random keys. In a single day an army might exchange</p><p>hundreds of messages, each containing thousands of characters, so</p><p>radio operators would require a daily supply of keys equivalent to</p><p>millions of randomly arranged letters. Supplying so many random</p><p>sequences of letters is an immense task.</p><p>Some early cryptographers assumed that they could generate huge</p><p>amounts of random keys by haphazardly tapping away at a</p><p>typewriter. However, whenever this was tried, the typist would tend</p><p>to get into the habit of typing a character using the left hand, and</p><p>then a character using the right hand, and thereafter alternate</p><p>between the two sides. This might be a quick way of generating a</p><p>key, but the resulting sequence has structure, and is no longer</p><p>random—if the typist hits the letter D, from the left side of the</p><p>keyboard, then the next letter is predictable in as much as it is</p><p>probably from the right side of the keyboard. If a onetime pad key</p><p>was to be truly random, a letter from the left side of the keyboard</p><p>should be followed by another letter from the left side of the</p><p>keyboard on roughly half the occasions.</p><p>Cryptographers have come to realize that it requires a great deal</p><p>of time, e�ort and money to create a random key. The best random</p><p>keys are created by harnessing natural physical processes, such as</p><p>radioactivity, which is known to exhibit truly random behavior. The</p><p>cryptographer could place a lump of radioactive material on a</p><p>bench, and detect its emissions with a Geiger counter. Sometimes</p><p>the emissions follow each other in rapid succession, sometimes there</p><p>are long delays—the time between emissions is unpredictable and</p><p>random. The cryptographer could then connect a display to the</p><p>Geiger counter, which rapidly cycles through the alphabet at a �xed</p><p>rate, but which freezes momentarily as soon as an emission is</p><p>detected. Whatever letter is on the display could be used as the next</p><p>letter of the random key. The display restarts and once again cycles</p><p>through the alphabet until it is stopped at random by the next</p><p>emission, the letter frozen on the display is added to the key, and so</p><p>on. This arrangement would</p><p>be guaranteed to generate a truly</p><p>random key, but it is impractical for day-to-day cryptography.</p><p>Even if you could fabricate enough random keys, there is a second</p><p>problem, namely the di�culty of distributing them. Imagine a</p><p>battle�eld scenario in which hundreds of radio operators are part of</p><p>the same communications network. To start with, every single</p><p>person must have identical copies of the onetime pad. Next, when</p><p>new pads are issued, they must be distributed to everybody</p><p>simultaneously. Finally, everybody must remain in step, making</p><p>sure that they are using the right sheet of the onetime pad at the</p><p>right time. Widespread use of the onetime pad would �ll the</p><p>battle�eld with couriers and bookkeepers. Furthermore, if the</p><p>enemy captures just one set of keys, then the whole communication</p><p>system is compromised.</p><p>It might be tempting to cut down on the manufacture and</p><p>distribution of keys by reusing onetime pads, but this is a</p><p>cryptographic cardinal sin. Reusing a onetime pad would allow an</p><p>enemy cryptanalyst to decipher messages with relative ease. The</p><p>technique used to prize open two pieces of ciphertext encrypted</p><p>with the same onetime pad key is explained in Appendix G, but for</p><p>the time being the important point is that there can be no shortcuts</p><p>in using the onetime pad cipher. The sender and receiver must use a</p><p>new key for every message.</p><p>A onetime pad is practicable only for people who need ultrasecure</p><p>communication, and who can a�ord to meet the enormous costs of</p><p>manufacturing and securely distributing the keys. For example, the</p><p>hotline between the presidents of Russia and America is secured via</p><p>a onetime pad cipher.</p><p>The practical �aws of the theoretically perfect onetime pad meant</p><p>that Mauborgne’s idea could never be used in the heat of battle. In</p><p>the aftermath of the First World War and all its cryptographic</p><p>failures, the search continued for a practical system that could be</p><p>employed in the next con�ict. Fortunately for cryptographers, it</p><p>would not be long before they made a breakthrough, something that</p><p>would reestablish secret communication on the battle�eld. In order</p><p>to strengthen their ciphers, cryptographers were forced to abandon</p><p>their pencil-and-paper approach to secrecy, and exploit the very</p><p>latest technology to scramble messages.</p><p>The Development of Cipher Machines—from Cipher Disks to the</p><p>Enigma</p><p>The earliest cryptographic machine is the cipher disk, invented in</p><p>the �fteenth century by the Italian architect Leon Alberti, one of the</p><p>fathers of the polyalphabetic cipher. He took two copper disks, one</p><p>slightly larger than the other, and inscribed the alphabet around the</p><p>edge of both. By placing the smaller disk on top of the larger one</p><p>and �xing them with a needle to act as an axis, he constructed</p><p>something similar to the cipher disk shown in Figure 31. The two</p><p>disks can be independently rotated so that the two alphabets can</p><p>have di�erent relative positions, and can thus be used to encrypt a</p><p>message with a simple Caesar shift. For example, to encrypt a</p><p>message with a Caesar shift of one place, position the outer A next</p><p>to the inner B—the outer disk is the plain alphabet, and the inner</p><p>disk represents the cipher alphabet. Each letter in the plaintext</p><p>message is looked up on the outer disk, and the corresponding letter</p><p>on the inner disk is written down as part of the ciphertext. To send a</p><p>message with a Caesar shift of �ve places, simply rotate the disks so</p><p>that the outer A is next to the inner F, and then use the cipher disk</p><p>in its new setting.</p><p>Even though the cipher disk is a very basic device, it does ease</p><p>encipherment, and it endured for �ve centuries. The version shown</p><p>in Figure 31 was used in the American Civil War. Figure 32 shows a</p><p>Code-o-Graph, a cipher disk used by the eponymous hero of Captain</p><p>Midnight, one of the early American radio dramas. Listeners could</p><p>obtain their own Code-o-Graph by writing to the program sponsors,</p><p>Ovaltine, and enclosing a label from one of their containers.</p><p>Occasionally the program would end with a secret message from</p><p>Captain Midnight, which could be deciphered by loyal listeners</p><p>using the Code-o-Graph.</p><p>The cipher disk can be thought of as a “scrambler,” taking each</p><p>plaintext letter and transforming it into something else. The mode of</p><p>operation described so far is straightforward, and the resulting</p><p>cipher is relatively trivial to break, but the cipher disk can be used</p><p>in a more complicated way. Its inventor, Alberti, suggested changing</p><p>the setting of the disk during the message, which in e�ect generates</p><p>a polyalphabetic cipher instead of a monoalphabetic cipher. For</p><p>example, Alberti could have used his disk to encipher the word</p><p>goodbye, using the keyword LEON. He would begin by setting his</p><p>disk according to the �rst letter of the keyword, moving the outer A</p><p>next to the inner L. Then he would encipher the �rst letter of the</p><p>message, g, by �nding it on the outer disk and noting the</p><p>corresponding letter on the inner disk, which is R. To encipher the</p><p>second letter of the message, he would reset his disk according to</p><p>the second letter of the keyword, moving the outer A next to the</p><p>inner E. Then he would encipher o by �nding it on the outer disk</p><p>and noting the corresponding letter on the inner disk, which is S.</p><p>The encryption process continues with the cipher disk being set</p><p>according to the keyletter O, then N, then back to L, and so on.</p><p>Alberti has e�ectively encrypted a message using the Vigenère</p><p>cipher with his �rst name acting as the keyword. The cipher disk</p><p>speeds up encryption and reduces errors compared with performing</p><p>the encryption via a Vigenère square.</p><p>Figure 31 A U.S. Confederate cipher disk used in the American Civil War. (photo</p><p>credit 3.4)</p><p>Figure 32 Captain Midnight’s Code-o-Graph, which enciphers each plaintext letter</p><p>(outer disk) as a number (inner disk), rather than a letter.</p><p>The important feature of using the cipher disk in this way is the</p><p>fact that the disk is changing its mode of scrambling during</p><p>encryption. Although this extra level of complication makes the</p><p>cipher harder to break, it does not make it unbreakable, because we</p><p>are simply dealing with a mechanized version of the Vigenère</p><p>cipher, and the Vigenère cipher was broken by Babbage and Kasiski.</p><p>However, �ve hundred years after Alberti, a more complex</p><p>reincarnation of his cipher disk would lead to a new generation of</p><p>ciphers, an order of magnitude more di�cult to crack than anything</p><p>previously used.</p><p>In 1918, the German inventor Arthur Scherbius and his close</p><p>friend Richard Ritter founded the company of Scherbius & Ritter, an</p><p>innovative engineering �rm that dabbled in everything from</p><p>turbines to heated pillows. Scherbius was in charge of research and</p><p>development, and was constantly looking for new opportunities.</p><p>One of his pet projects was to replace the inadequate systems of</p><p>cryptography used in the First World War by swapping pencil-and-</p><p>paper ciphers with a form of encryption that exploited twentieth-</p><p>century technology. Having studied electrical engineering in</p><p>Hanover and Munich, he developed a piece of cryptographic</p><p>machinery that was essentially an electrical version of Alberti’s</p><p>cipher disk. Called Enigma, Scherbius’s invention would become the</p><p>most fearsome system of encryption in history.</p><p>Scherbius’s Enigma machine consisted of a number of ingenious</p><p>components, which he combined into a formidable and intricate</p><p>cipher machine. However, if we break the machine down into its</p><p>constituent parts and rebuild it in stages, then its underlying</p><p>principles will become apparent. The basic form of Scherbius’s</p><p>invention consists of three elements connected by wires: a keyboard</p><p>for inputting each plaintext letter, a scrambling unit that encrypts</p><p>each plaintext letter into a corresponding ciphertext letter, and a</p><p>display board consisting of various lamps for indicating the</p><p>ciphertext letter. Figure 33 shows a stylized layout of the machine,</p><p>limited to a six-letter alphabet for simplicity. In order to encrypt a</p><p>plaintext letter, the operator presses the appropriate plaintext</p><p>letter</p><p>on the keyboard, which sends an electric pulse through the central</p><p>scrambling unit and out the other side, where it illuminates the</p><p>corresponding ciphertext letter on the lampboard.</p><p>The scrambler, a thick rubber disk riddled with wires, is the most</p><p>important part of the machine. From the keyboard, the wires enter</p><p>the scrambler at six points, and then make a series of twists and</p><p>turns within the scrambler before emerging at six points on the</p><p>other side. The internal wirings of the scrambler determine how the</p><p>plaintext letters will be encrypted. For example, in Figure 33 the</p><p>wirings dictate that:</p><p>typing in a will illuminate the letter B, which means that a is encrypted as B,</p><p>typing in b will illuminate the letter A, which means that b is encrypted as A,</p><p>typing in c will illuminate the letter D, which means that c is encrypted as D,</p><p>typing in d will illuminate the letter F, which means that d is encrypted as F,</p><p>typing in e will illuminate the letter E, which means that e is encrypted as E,</p><p>typing in f will illuminate the letter C, which means that f is encrypted as C.</p><p>The message cafe would be encrypted as DBCE. With this basic</p><p>setup, the scrambler essentially de�nes a cipher alphabet, and the</p><p>machine can be used to implement a simple monoalphabetic</p><p>substitution cipher.</p><p>However, Scherbius’s idea was for the scrambler disk to</p><p>automatically rotate by one-sixth of a revolution each time a letter</p><p>is encrypted (or one-twenty-sixth of a revolution for a complete</p><p>alphabet of 26 letters). Figure 34(a) shows the same arrangement as</p><p>in Figure 33; once again, typing in the letter b will illuminate the</p><p>letter A. However, this time, immediately after typing a letter and</p><p>illuminating the lampboard, the scrambler revolves by one-sixth of a</p><p>revolution to the position shown in Figure 34(b). Typing in the</p><p>letter b again will now illuminate a di�erent letter, namely C.</p><p>Immediately afterward, the scrambler rotates once more, to the</p><p>position shown in Figure 34(c). This time, typing in the letter b will</p><p>illuminate E. Typing the letter b six times in a row would generate</p><p>the ciphertext ACEBDC. In other words, the cipher alphabet changes</p><p>after each encryption, and the encryption of the letter b is</p><p>constantly changing. With this rotating setup, the scrambler</p><p>essentially de�nes six cipher alphabets, and the machine can be</p><p>used to implement a polyalphabetic cipher.</p><p>The rotation of the scrambler is the most important feature of</p><p>Scherbius’s design. However, as it stands the machine su�ers from</p><p>one obvious weakness. Typing b six times will return the scrambler</p><p>to its original position, and typing b again and again will repeat the</p><p>pattern of encryption. In general, cryptographers are keen to avoid</p><p>repetition because it leads to regularity and structure in the</p><p>ciphertext, symptoms of a weak cipher. This problem can be</p><p>alleviated by introducing a second scrambler disk.</p><p>Figure 33 A simpli�ed version of the Enigma machine with an alphabet of just six letters.</p><p>The most important element of the machine is the scrambler. By typing in b on the</p><p>keyboard, a current passes into the scrambler, follows the path of the internal wiring, and</p><p>then emerges so as illuminate the A lamp. In short, b is encrypted as A. The box to the</p><p>right indicates how each of the six letters is encrypted.</p><p>Figure 34 Every time a letter is typed into the keyboard and encrypted, the scrambler</p><p>rotates by one place, thus changing how each letter is potentially encrypted. In (a) the</p><p>scrambler encrypts b as A, but in (b) the new scrambler orientation encrypts b as C. In (c),</p><p>after rotating one more place, the scrambler encrypts b as E. After encrypting four more</p><p>letters, and rotating four more places, the scrambler returns to its original orientation.</p><p>Figure 35 is a schematic of a cipher machine with two scramblers.</p><p>Because of the di�culty of drawing a three-dimensional scrambler</p><p>with three-dimensional internal wirings, Figure 35 shows only a</p><p>two-dimensional representation. Each time a letter is encrypted, the</p><p>�rst scrambler rotates by one space, or in terms of the two-</p><p>dimensional diagram, each wiring shifts down one place. In</p><p>contrast, the second scrambler disk remains stationary for most of</p><p>the time. It moves only after the �rst scrambler has made a</p><p>complete revolution. The �rst scrambler is �tted with a tooth, and it</p><p>is only when this tooth reaches a certain point that it knocks the</p><p>second scrambler on one place.</p><p>In Figure 35(a), the �rst scrambler is in a position where it is just</p><p>about to knock forward the second scrambler. Typing in and</p><p>encrypting a letter moves the mechanism to the con�guration</p><p>shown in Figure 35(b), in which the �rst scrambler has moved on</p><p>one place, and the second scrambler has also been knocked on one</p><p>place. Typing in and encrypting another letter again moves the �rst</p><p>scrambler on one place, Figure 35(c), but this time the second</p><p>scrambler has remained stationary. The second scrambler will not</p><p>move again until the �rst scrambler completes one revolution,</p><p>which will take another �ve encryptions. This arrangement is</p><p>similar to a car odometer—the rotor representing single miles turns</p><p>quite quickly, and when it completes one revolution by reaching</p><p>“9,” it knocks the rotor representing tens of miles forward one place.</p><p>The advantage of adding a second scrambler is that the pattern of</p><p>encryption is not repeated until the second scrambler is back where</p><p>it started, which requires six complete revolutions of the �rst</p><p>scrambler, or the encryption of 6 × 6, or 36 letters in total. In other</p><p>words, there are 36 distinct scrambler settings, which is equivalent</p><p>to switching between 36 cipher alphabets. With a full alphabet of 26</p><p>letters, the cipher machine would switch between 26 × 26, or 676</p><p>cipher alphabets. So by combining scramblers (sometimes called</p><p>rotors), it is possible to build an encryption machine which is</p><p>continually switching between di�erent cipher alphabets. The</p><p>operator types in a particular letter and, depending on the scrambler</p><p>arrangement, it can be encrypted according to any one of hundreds</p><p>of cipher alphabets. Then the scrambler arrangement changes, so</p><p>that when the next letter is typed into the machine it is encrypted</p><p>according to a di�erent cipher alphabet. Furthermore, all of this is</p><p>done with great e�ciency and accuracy, thanks to the automatic</p><p>movement of scramblers and the speed of electricity.</p><p>Figure 35 On adding a second scrambler, the pattern of encryption does not repeat until</p><p>36 letters have been enciphered, at which point both scramblers have returned to their</p><p>original positions. To simplify the diagram, the scramblers are represented in just two</p><p>dimensions; instead of rotating one place, the wirings move down one place. If a wire</p><p>appears to leave the top or bottom of a scrambler, its path can be followed by continuing</p><p>from the corresponding wire at the bottom or top of the same scrambler. In (a), b is</p><p>encrypted as D. After encryption, the �rst scrambler rotates by one place, also nudging the</p><p>second scrambler around one place—this happens only once during each complete</p><p>revolution of the �rst wheel. This new setting is shown in (b), in which b is encrypted as F.</p><p>After encryption, the �rst scrambler rotates by one place, but this time the second</p><p>scrambler remains �xed. This new setting is shown in (c), in which b is encrypted as B.</p><p>Before explaining in detail how Scherbius intended his encryption</p><p>machine to be used, it is necessary to describe two more elements of</p><p>the Enigma, which are shown in Figure 36. First, Scherbius’s</p><p>standard encryption machine employed a third scrambler for extra</p><p>complexity—for a full alphabet these three scramblers would</p><p>provide 26 × 26 × 26, or 17,576 distinct scrambler arrangements.</p><p>Second, Scherbius added a re�ector. The re�ector is a bit like a</p><p>scrambler, inasmuch as it is a rubber disk with internal wirings, but</p><p>it di�ers because it does not rotate, and the wires enter on one side</p><p>and then reemerge on the same side. With the re�ector in place, the</p><p>operator</p><p>types in a letter, which sends an electrical signal through</p><p>the three scramblers. When the re�ector receives the incoming</p><p>signal it sends it back through the same three scramblers, but along</p><p>a di�erent route. For example, with the setup in Figure 36, typing</p><p>the letter b would send a signal through the three scramblers and</p><p>into the re�ector, whereupon the signal would return back through</p><p>the wirings to arrive at the letter D. The signal does not actually</p><p>emerge through the keyboard, as it might seem from Figure 36, but</p><p>instead is diverted to the lampboard. At �rst sight the re�ector</p><p>seems to be a pointless addition to the machine, because its static</p><p>nature means that it does not add to the number of cipher</p><p>alphabets. However, its bene�ts become clear when we see how the</p><p>machine was actually used to encrypt and decrypt a message.</p><p>Figure 36 Scherbius’s design of the Enigma included a third scrambler and a</p><p>re�ector that sends the current back through the scramblers. In this particular</p><p>setting, typing in b eventually illuminates D on the lampboard, shown here adjacent</p><p>to the keyboard.</p><p>An operator wishes to send a secret message. Before encryption</p><p>begins, the operator must �rst rotate the scramblers to a particular</p><p>starting position. There are 17,576 possible arrangements, and</p><p>therefore 17,576 possible starting positions. The initial setting of the</p><p>scramblers will determine how the message is encrypted. We can</p><p>think of the Enigma machine in terms of a general cipher system,</p><p>and the initial settings are what determine the exact details of the</p><p>encryption. In other words, the initial settings provide the key. The</p><p>initial settings are usually dictated by a codebook, which lists the</p><p>key for each day, and which is available to everybody within the</p><p>communications network. Distributing the codebook requires time</p><p>and e�ort, but because only one key per day is required, it could be</p><p>arranged for a codebook containing 28 keys to be sent out just once</p><p>every four weeks. By comparison, if an army were to use a onetime</p><p>pad cipher, it would require a new key for every message, and key</p><p>distribution would be a much greater task. Once the scramblers</p><p>have been set according to the codebook’s daily requirement, the</p><p>sender can begin encrypting. He types in the �rst letter of the</p><p>message, sees which letter is illuminated on the lampboard, and</p><p>notes it down as the �rst letter of the ciphertext. Then, the �rst</p><p>scrambler having automatically stepped on by one place, the sender</p><p>inputs the second letter of the message, and so on. Once he has</p><p>generated the complete ciphertext, he hands it to a radio operator</p><p>who transmits it to the intended receiver.</p><p>In order to decipher the message, the receiver needs to have</p><p>another Enigma machine and a copy of the codebook that contains</p><p>the initial scrambler settings for that day. He sets up the machine</p><p>according to the book, types in the ciphertext letter by letter, and</p><p>the lampboard indicates the plaintext. In other words, the sender</p><p>typed in the plaintext to generate the ciphertext, and now the</p><p>receiver types in the ciphertext to generate the plaintext—</p><p>encipherment and decipherment are mirror processes. The ease of</p><p>decipherment is a consequence of the re�ector. From Figure 36 we</p><p>can see that if we type in b and follow the electrical path, we come</p><p>back to D. Similarly, if we type in d and follow the path, then we</p><p>come back to B. The machine encrypts a plaintext letter into a</p><p>ciphertext letter, and, as long as the machine is in the same setting,</p><p>it will decrypt the same ciphertext letter back into the same</p><p>plaintext letter.</p><p>It is clear that the key, and the codebook that contains it, must</p><p>never be allowed to fall into enemy hands. It is quite possible that</p><p>the enemy might capture an Enigma machine, but without knowing</p><p>the initial settings used for encryption, they cannot easily decrypt an</p><p>intercepted message. Without the codebook, the enemy cryptanalyst</p><p>must resort to checking all the possible keys, which means trying all</p><p>the 17,576 possible initial scrambler settings. The desperate</p><p>cryptanalyst would set up the captured Enigma machine with a</p><p>particular scrambler arrangement, input a short piece of the</p><p>ciphertext, and see if the output makes any sense. If not, he would</p><p>change to a di�erent scrambler arrangement and try again. If he can</p><p>check one scrambler arrangement each minute and works night and</p><p>day, it would take almost two weeks to check all the settings. This is</p><p>a moderate level of security, but if the enemy set a dozen people on</p><p>the task, then all the settings could be checked within a day.</p><p>Scherbius therefore decided to improve the security of his invention</p><p>by increasing the number of initial settings and thus the number of</p><p>possible keys.</p><p>He could have increased security by adding more scramblers</p><p>(each new scrambler increases the number of keys by a factor of</p><p>26), but this would have increased the size of the Enigma machine.</p><p>Instead, he added two other features. First, he simply made the</p><p>scramblers removable and interchangeable. So, for example, the �rst</p><p>scrambler disk could be moved to the third position, and the third</p><p>scrambler disk to the �rst position. The arrangement of the</p><p>scramblers a�ects the encryption, so the exact arrangement is</p><p>crucial to encipherment and decipherment. There are six di�erent</p><p>ways to arrange the three scramblers, so this feature increases the</p><p>number of keys, or the number of possible initial settings, by a</p><p>factor of six.</p><p>The second new feature was the insertion of a plugboard between</p><p>the keyboard and the �rst scrambler. The plugboard allows the</p><p>sender to insert cables which have the e�ect of swapping some of</p><p>the letters before they enter the scrambler. For example, a cable</p><p>could be used to connect the a and b sockets of the plugboard, so</p><p>that when the cryptographer wants to encrypt the letter b, the</p><p>electrical signal actually follows the path through the scramblers</p><p>that previously would have been the path for the letter a, and vice</p><p>versa. The Enigma operator had six cables, which meant that six</p><p>pairs of letters could be swapped, leaving fourteen letters unplugged</p><p>and unswapped. The letters swapped by the plugboard are part of</p><p>the machine’s setting, and so must be speci�ed in the codebook.</p><p>Figure 37 shows the layout of the machine with the plugboard in</p><p>place. Because the diagram deals only with a six-letter alphabet,</p><p>only one pair of letters, a and b, have been swapped.</p><p>There is one more feature of Scherbius’s design, known as the</p><p>ring, which has not yet been mentioned. Although the ring does</p><p>have some e�ect on encryption, it is the least signi�cant part of the</p><p>whole Enigma machine, and I have decided to ignore it for the</p><p>purposes of this discussion. (Readers who would like to know about</p><p>the exact role of the ring should refer to some of the books in the</p><p>list of further reading, such as Seizing the Enigma by David Kahn.</p><p>This list also includes two Web sites containing excellent Enigma</p><p>emulators, which allow you to operate a virtual Enigma machine.)</p><p>Now that we know all the main elements of Scherbius’s Enigma</p><p>machine, we can work out the number of keys, by combining the</p><p>number of possible plugboard cablings with the number of possible</p><p>scrambler arrangements and orientations. The following list shows</p><p>each variable of the machine and the corresponding number of</p><p>possibilities for each one:</p><p>Figure 37 The plugboard sits between the keyboard and the �rst scrambler. By inserting</p><p>cables it is possible to swap pairs of letters, so that, in this case, b is swapped with a. Now,</p><p>b is encrypted by following the path previously associated with the encryption of a. In the</p><p>real 26-letter Enigma, the user would have six cables for swapping six pairs of letters.</p><p>Scrambler orientations. Each of the 3 scramblers can be set in one of</p><p>26 orientations. There are therefore</p><p>26 × 26 × 26 settings:</p><p>17,576</p><p>Scrambler arrangements. The three scramblers (1, 2 and 3) can be</p><p>positioned in any of the following six orders:</p><p>123, 132, 213, 231, 312, 321.</p><p>6</p><p>Plugboard.</p><p>The number of ways of connecting, thereby swapping, six</p><p>pairs of letters out of 26 is enormous:</p><p>100,391,791,500</p><p>Total. The total number of keys is the multiple of these three</p><p>numbers: 17,576 × 6 × 100,391,791,500</p><p>≈10,000,000,000,000,000</p><p>As long as sender and receiver have agreed on the plugboard</p><p>cablings, the order of the scramblers and their respective</p><p>orientations, all of which specify the key, they can encrypt and</p><p>decrypt messages easily. However, an enemy interceptor who does</p><p>not know the key would have to check every single one of the</p><p>10,000,000,000,000,000 possible keys in order to crack the</p><p>ciphertext. To put this into context, a persistent cryptanalyst who is</p><p>capable of checking one setting every minute would need longer</p><p>than the age of the universe to check every setting. (In fact, because</p><p>I have ignored the e�ect of the rings in these calculations, the</p><p>number of possible keys is even larger, and the time to break</p><p>Enigma even longer.)</p><p>Since by far the largest contribution to the number of keys comes</p><p>from the plugboard, you might wonder why Scherbius bothered</p><p>with the scramblers. On its own, the plugboard would provide a</p><p>trivial cipher, because it would do nothing more than act as a</p><p>monoalphabetic substitution cipher, swapping around just 12</p><p>letters. The problem with the plugboard is that the swaps do not</p><p>change once encryption begins, so on its own it would generate a</p><p>ciphertext that could be broken by frequency analysis. The</p><p>scramblers contribute a smaller number of keys, but their setup is</p><p>continually changing, which means that the resulting ciphertext</p><p>cannot be broken by frequency analysis. By combining the</p><p>scramblers with the plugboard, Scherbius protected his machine</p><p>against frequency analysis, and at the same time gave it an</p><p>enormous number of possible keys.</p><p>Scherbius took out his �rst patent in 1918. His cipher machine</p><p>was contained in a compact box measuring only 34 × 28 × 15 cm,</p><p>but it weighed a hefty 12 kg. Figure 39 shows an Enigma machine</p><p>with the outer lid open, ready for use. It is possible to see the</p><p>keyboard where the plaintext letters are typed in, and, above it, the</p><p>lampboard which displays the resulting ciphertext letter. Below the</p><p>keyboard is the plugboard; there are more than six pairs of letters</p><p>swapped by the plugboard, because this particular Enigma machine</p><p>is a slightly later modi�cation of the original model, which is the</p><p>version that has been described so far. Figure 40 shows an Enigma</p><p>with the cover plate removed to reveal more features, in particular</p><p>the three scramblers.</p><p>Scherbius believed that Enigma was impregnable, and that its</p><p>cryptographic strength would create a great demand for it. He tried</p><p>to market the cipher machine to both the military and the business</p><p>community, o�ering di�erent versions to each. For example, he</p><p>o�ered a basic version of Enigma to businesses, and a luxury</p><p>diplomatic version with a printer rather than a lampboard to the</p><p>Foreign O�ce. The price of an individual unit was as much as</p><p>$30,000 in today’s prices.</p><p>Figure 38 Arthur Scherbius. (photo credit 3.5)</p><p>Unfortunately, the high cost of the machine discouraged potential</p><p>buyers. Businesses said that they could not a�ord Enigma’s security,</p><p>but Scherbius believed that they could not a�ord to be without it.</p><p>He argued that a vital message intercepted by a business rival could</p><p>cost a company a fortune, but few businessmen took any notice of</p><p>him. The German military were equally unenthusiastic, because they</p><p>were oblivious to the damage caused by their insecure ciphers</p><p>during the Great War. For example, they had been led to believe</p><p>that the Zimmermann telegram had been stolen by American spies</p><p>in Mexico, and so they blamed that failure on Mexican security.</p><p>They still did not realize that the telegram had in fact been</p><p>intercepted and deciphered by the British, and that the</p><p>Zimmermann debacle was actually a failure of German</p><p>cryptography.</p><p>Scherbius was not alone in his growing frustration. Three other</p><p>inventors in three other countries had independently and almost</p><p>simultaneously hit upon the idea of a cipher machine based on</p><p>rotating scramblers. In the Netherlands in 1919, Alexander Koch</p><p>took out patent No. 10,700, but he failed to turn his rotor machine</p><p>into a commercial success and eventually sold the patent rights in</p><p>1927. In Sweden, Arvid Damm took out a similar patent, but by the</p><p>time he died in 1927 he had also failed to �nd a market. In</p><p>America, inventor Edward Hebern had complete faith in his</p><p>invention, the so-called Sphinx of the Wireless, but his failure was</p><p>the greatest of all.</p><p>In the mid-1920s, Hebern began building a $380,000 factory, but</p><p>unfortunately this was a period when the mood in America was</p><p>changing from paranoia to openness. The previous decade, in the</p><p>aftermath of the First World War, the U.S. Government had</p><p>established the American Black Chamber, a highly e�ective cipher</p><p>bureau sta�ed by a team of twenty cryptanalysts, led by the</p><p>�amboyant and brilliant Herbert Yardley. Later, Yardley wrote that</p><p>“The Black Chamber, bolted, hidden, guarded, sees all, hears all.</p><p>Though the blinds are drawn and the windows heavily curtained, its</p><p>far-seeking eyes penetrate the secret conference chambers at</p><p>Washington, Tokyo, London, Paris, Geneva, Rome. Its sensitive ears</p><p>catch the faintest whisperings in the foreign capitals of the world.”</p><p>The American Black Chamber solved 45,000 cryptograms in a</p><p>decade, but by the time Hebern built his factory, Herbert Hoover</p><p>had been elected President and was attempting to usher in a new</p><p>era of trust in international a�airs. He disbanded the Black</p><p>Chamber, and his Secretary of State, Henry Stimson, declared that</p><p>“Gentlemen should not read each other’s mail.” If a nation believes</p><p>that it is wrong to read the messages of others, then it also begins to</p><p>believe that others will not read its own messages, and it does not</p><p>see the necessity for fancy cipher machines. Hebern sold only twelve</p><p>machines at a total price of roughly $1,200, and in 1926 he was</p><p>brought to trial by dissatis�ed shareholders and found guilty under</p><p>California’s Corporate Securities Act.</p><p>Figure 39 An army Enigma machine ready for use. (photo credit 3.6)</p><p>Figure 40 An Enigma machine with the inner lid opened, revealing the three scramblers.</p><p>Fortunately for Scherbius, however, the German military were</p><p>eventually shocked into appreciating the value of his Enigma</p><p>machine, thanks to two British documents. The �rst was Winston</p><p>Churchill’s The World Crisis, published in 1923, which included a</p><p>dramatic account of how the British had gained access to valuable</p><p>German cryptographic material:</p><p>At the beginning of September 1914, the German light cruiser Magdeburg was</p><p>wrecked in the Baltic. The body of a drowned German under-o�cer was picked up by</p><p>the Russians a few hours later, and clasped in his bosom by arms rigid in death, were</p><p>the cipher and signal books of the German navy and the minutely squared maps of</p><p>the North Sea and Heligoland Bight. On September 6 the Russian Naval Attaché came</p><p>to see me. He had received a message from Petrograd telling him what had happened,</p><p>and that the Russian Admiralty with the aid of the cipher and signal books had been</p><p>able to decode portions at least of the German naval messages. The Russians felt that</p><p>as the leading naval Power, the British Admiralty ought to have these books and</p><p>charts. If we would send a vessel to Alexandrov, the Russian o�cers in charge of the</p><p>books would bring them to England.</p><p>This material had helped the cryptanalysts in Room 40 to crack</p><p>Germany’s encrypted messages on a regular basis. Finally, almost a</p><p>decade later, the Germans were made aware of this failure in their</p><p>communications security. Also in 1923, the British Royal Navy</p><p>published their o�cial history of the First World War, which</p><p>reiterated the fact that the interception and cryptanalysis of German</p><p>communications had provided the Allies with a clear advantage.</p><p>These proud achievements of British Intelligence were a stark</p><p>condemnation of those responsible for</p><p>German security, who then</p><p>had to admit in their own report that, “the German �eet command,</p><p>whose radio messages were intercepted and deciphered by the</p><p>English, played so to speak with open cards against the British</p><p>command.”</p><p>The German military held an enquiry into how to avoid repeating</p><p>the cryptographic �ascos of the First World War, and concluded that</p><p>the Enigma machine o�ered the best solution. By 1925 Scherbius</p><p>began mass-producing Enigmas, which went into military service</p><p>the following year, and were subsequently used by the government</p><p>and by state-run organizations such as the railways. These Enigmas</p><p>were distinct from the few machines that Scherbius had previously</p><p>sold to the business community, because the scramblers had</p><p>di�erent internal wirings. Owners of a commercial Enigma machine</p><p>did not therefore have a complete knowledge of the government and</p><p>military versions.</p><p>Over the next two decades, the German military would buy over</p><p>30,000 Enigma machines. Scherbius’s invention provided the</p><p>German military with the most secure system of cryptography in the</p><p>world, and at the outbreak of the Second World War their</p><p>communications were protected by an unparalleled level of</p><p>encryption. At times, it seemed that the Enigma machine would play</p><p>a vital role in ensuring Nazi victory, but instead it was ultimately</p><p>part of Hitler’s downfall. Scherbius did not live long enough to see</p><p>the successes and failures of his cipher system. In 1929, while</p><p>driving a team of horses, he lost control of his carriage and crashed</p><p>into a wall, dying on May 13 from internal injuries.</p><p>I</p><p>4 Cracking the Enigma</p><p>n the years that followed the First World War, the British</p><p>cryptanalysts in Room 40 continued to monitor German</p><p>communications. In 1926 they began to intercept messages which</p><p>ba�ed them completely. Enigma had arrived, and as the number of</p><p>Enigma machines increased, Room 40’s ability to gather intelligence</p><p>diminished rapidly. The Americans and the French also tried to</p><p>tackle the Enigma cipher, but their attempts were equally dismal,</p><p>and they soon gave up hope of breaking it. Germany now had the</p><p>most secure communications in the world.</p><p>The speed with which the Allied cryptanalysts abandoned hope of</p><p>breaking Enigma was in sharp contrast to their perseverance just a</p><p>decade earlier in the First World War. Confronted with the prospect</p><p>of defeat, the Allied cryptanalysts had worked night and day to</p><p>penetrate German ciphers. It would appear that fear was the main</p><p>driving force, and that adversity is one of the foundations of</p><p>successful codebreaking. Similarly, it was fear and adversity that</p><p>galvanized French cryptanalysis at the end of the nineteenth</p><p>century, faced with the increasing might of Germany. However, in</p><p>the wake of the First World War the Allies no longer feared</p><p>anybody. Germany had been crippled by defeat, the Allies were in a</p><p>dominant position, and as a result they seemed to lose their</p><p>cryptanalytic zeal. Allied cryptanalysts dwindled in number and</p><p>deteriorated in quality.</p><p>One nation, however, could not a�ord to relax. After the First</p><p>World War, Poland reestablished itself as an independent state, but</p><p>it was concerned about threats to its newfound sovereignty. To the</p><p>east lay Russia, a nation ambitious to spread its communism, and to</p><p>the west lay Germany, desperate to regain territory ceded to Poland</p><p>after the war. Sandwiched between these two enemies, the Poles</p><p>were desperate for intelligence information, and they formed a new</p><p>cipher bureau, the Biuro Szyfrów. If necessity is the mother of</p><p>invention, then perhaps adversity is the mother of cryptanalysis.</p><p>The success of the Biuro Szyfrów is exempli�ed by their success</p><p>during the Russo-Polish War of 1919–20. In August 1920 alone,</p><p>when the Soviet armies were at the gates of Warsaw, the Biuro</p><p>deciphered 400 enemy messages. Their monitoring of German</p><p>communications had been equally e�ective, until 1926, when they</p><p>too encountered the Enigma messages.</p><p>In charge of deciphering German messages was Captain</p><p>Maksymilian Ciezki, a committed patriot who had grown up in the</p><p>town of Szamotuty, a center of Polish nationalism. Ciezki had access</p><p>to a commercial version of the Enigma machine, which revealed all</p><p>the principles of Scherbius’s invention. Unfortunately, the</p><p>commercial version was distinctly di�erent from the military one in</p><p>terms of the wirings inside each scrambler. Without knowing the</p><p>wirings of the military machine, Ciezki had no chance of</p><p>deciphering messages being sent by the German army. He became</p><p>so despondent that at one point he even employed a clairvoyant in a</p><p>frantic attempt to conjure some sense from the enciphered</p><p>intercepts. Not surprisingly, the clairvoyant failed to make the</p><p>breakthrough the Biuro Szyfrów needed. Instead, it was left to a</p><p>disa�ected German, Hans-Thilo Schmidt, to make the �rst step</p><p>toward breaking the Enigma cipher.</p><p>Hans-Thilo Schmidt was born in 1888 in Berlin, the second son of</p><p>a distinguished professor and his aristocratic wife. Schmidt</p><p>embarked on a career in the German Army and fought in the First</p><p>World War, but he was not considered worthy enough to remain in</p><p>the army after the drastic cuts implemented as part of the Treaty of</p><p>Versailles. He then tried to make his name as a businessman, but his</p><p>soap factory was forced to close because of the postwar depression</p><p>and hyperin�ation, leaving him and his family destitute.</p><p>The humiliation of Schmidt’s failures was compounded by the</p><p>success of his elder brother, Rudolph, who had also fought in the</p><p>war, and who was retained in the army afterward. During the 1920s</p><p>Rudolph rose through the ranks and was eventually promoted to</p><p>chief of sta� of the Signal Corps. He was responsible for ensuring</p><p>secure communications, and in fact it was Rudolph who o�cially</p><p>sanctioned the army’s use of the Enigma cipher.</p><p>After his business collapsed, Hans-Thilo was forced to ask his</p><p>brother for help, and Rudolph arranged a job for him in Berlin at</p><p>the Chi�rierstelle, the o�ce responsible for administrating</p><p>Germany’s encrypted communications. This was Enigma’s command</p><p>center, a top-secret establishment dealing with highly sensitive</p><p>information. When Hans-Thilo moved to his new job, he left his</p><p>family behind in Bavaria, where the cost of living was a�ordable.</p><p>He was living alone in expensive Berlin, impoverished and isolated,</p><p>envious of his perfect brother and resentful toward a nation which</p><p>had rejected him. The result was inevitable. By selling secret Enigma</p><p>information to foreign powers, Hans-Thilo Schmidt could earn</p><p>money and gain revenge, damaging his country’s security and</p><p>undermining his brother’s organization.</p><p>On November 8, 1931, Schmidt arrived at the Grand Hotel in</p><p>Verviers, Belgium, for a liaison with a French secret agent</p><p>codenamed Rex. In exchange for 10,000 marks (equivalent to</p><p>$30,000 in today’s money), Schmidt allowed Rex to photograph two</p><p>documents: “Gebrauchsanweisung für die Chi�riermaschine</p><p>Enigma” and “Schlüsselanleitung für die Chi�riermaschine Enigma.”</p><p>These documents were essentially instructions for using the Enigma</p><p>machine, and although there was no explicit description of the</p><p>wirings inside each scrambler, they contained the information</p><p>needed to deduce those wirings.</p><p>Figure 41 Hans-Thilo Schmidt. (photo credit 4.1)</p><p>Thanks to Schmidt’s treachery, it was now possible for the Allies</p><p>to create an accurate replica of the German military Enigma</p><p>machine. However, this was not enough to enable them to decipher</p><p>messages encrypted by Enigma. The strength of the cipher depends</p><p>not on keeping the machine secret, but on keeping the initial setting</p><p>of the machine (the key) secret. If a cryptanalyst wants to decipher</p><p>an intercepted message, then, in addition to having a replica of the</p><p>Enigma machine, he still has to �nd which of the millions of billions</p><p>of possible keys was used to encipher it. A German memorandum</p><p>put it thus: “It is assumed in judging the security of the</p><p>cryptosystem that the enemy has at his disposition the machine.”</p><p>The French Secret Service was clearly</p><p>up to scratch, having found</p><p>an informant in Schmidt, and having obtained the documents that</p><p>suggested the wirings of the military Enigma machine. In</p><p>comparison, French cryptanalysts were inadequate, and seemed</p><p>unwilling and unable to exploit this newly acquired information. In</p><p>the wake of the First World War they su�ered from overcon�dence</p><p>and lack of motivation. The Bureau du Chi�re did not even bother</p><p>trying to build a replica of the military Enigma machine, because</p><p>they were convinced that achieving the next stage, �nding the key</p><p>required to decipher a particular Enigma message, was impossible.</p><p>As it happened, ten years earlier the French had signed an</p><p>agreement of military cooperation with the Poles. The Poles had</p><p>expressed an interest in anything connected with Enigma, so in</p><p>accordance with their decade-old agreement the French simply</p><p>handed the photographs of Schmidt’s documents to their allies, and</p><p>left the hopeless task of cracking Enigma to the Biuro Szyfrów. The</p><p>Biuro realized that the documents were only a starting point, but</p><p>unlike the French they had the fear of invasion to spur them on. The</p><p>Poles convinced themselves that there must be a shortcut to �nding</p><p>the key to an Enigma-encrypted message, and that if they applied</p><p>su�cient e�ort, ingenuity and wit, they could �nd that shortcut.</p><p>As well as revealing the internal wirings of the scramblers,</p><p>Schmidt’s documents also explained in detail the layout of the</p><p>codebooks used by the Germans. Each month, Enigma operators</p><p>received a new codebook which speci�ed which key should be used</p><p>for each day. For example, on the �rst day of the month, the</p><p>codebook might specify the following day key:</p><p>(1) Plugboard settings: A/L-P/R-T/D-B/W-K/F-O/Y.</p><p>(2) Scrambler: arrangement: 2-3-1.</p><p>(3)Scrambler orientations: Q-C-W.</p><p>Together, the scrambler arrangement and orientations are known as</p><p>the scrambler settings. To implement this particular day key, the</p><p>Enigma operator would set up his Enigma machine as follows:</p><p>(1) Plugboard settings: Swap the letters A and L by connecting them</p><p>via a lead on the plugboard, and similarly swap P and R, then T</p><p>and D, then B and W, then K and F, and then O and Y.</p><p>(2) Scrambler arrangement: Place the 2nd scrambler in the 1st slot of</p><p>the machine, the 3rd scrambler in the 2nd slot, and the 1st</p><p>scrambler in the 3rd slot.</p><p>(3) Scrambler orientations: Each scrambler has an alphabet engraved</p><p>on its outer rim, which allows the operator to set it in a particular</p><p>orientation. In this case, the operator would rotate the scrambler</p><p>in slot 1 so that Q is facing upward, rotate the scrambler in slot 2</p><p>so that C is facing upward, and rotate the scrambler in slot 3 so</p><p>that W is facing upward.</p><p>One way of encrypting messages would be for the sender to</p><p>encrypt all the day’s tra�c according to the day key. This would</p><p>mean that for a whole day at the start of each message all Enigma</p><p>operators would set their machines according to the same day key.</p><p>Then, each time a message needed to be sent, it would be �rst typed</p><p>into the machine; the enciphered output would then be recorded,</p><p>and handed to the radio operator for transmission. At the other end,</p><p>the receiving radio operator would record the incoming message,</p><p>hand it to the Enigma operator, who would type it into his machine,</p><p>which would already be set to the same day key. The output would</p><p>be the original message.</p><p>This process is reasonably secure, but it is weakened by the</p><p>repeated use of a single day key to encrypt the hundreds of</p><p>messages that might be sent each day. In general, it is true to say</p><p>that if a single key is used to encipher an enormous quantity of</p><p>material, then it is easier for a cryptanalyst to deduce it. A large</p><p>amount of identically encrypted material provides a cryptanalyst</p><p>with a correspondingly larger chance of identifying the key. For</p><p>example, harking back to simpler ciphers, it is much easier to break</p><p>a monoalphabetic cipher with frequency analysis if there are several</p><p>pages of encrypted material, as opposed to just a couple of</p><p>sentences.</p><p>As an extra precaution, the Germans therefore took the clever step</p><p>of using the day key settings to transmit a new message key for each</p><p>message. The message keys would have the same plugboard settings</p><p>and scrambler arrangement as the day key, but di�erent scrambler</p><p>orientations. Because the new scrambler orientation would not be in</p><p>the codebook, the sender had to transmit it securely to the receiver</p><p>according to the following process. First, the sender sets his machine</p><p>according to the agreed day key, which includes a scrambler</p><p>orientation, say QCW. Next, he randomly picks a new scrambler</p><p>orientation for the message key, say PGH. He then enciphers PGH</p><p>according to the day key. The message key is typed into the Enigma</p><p>twice, just to provide a double-check for the receiver. For example,</p><p>the sender might encipher the message key PGHPGH as KIVBJE.</p><p>Note that the two PGH’s are enciphered di�erently (the �rst as KIV,</p><p>the second as BJE) because the Enigma scramblers are rotating after</p><p>each letter, and changing the overall mode of encryption. The</p><p>sender then changes his machine to the PGH setting and encrypts</p><p>the main message according to this message key. At the receiver’s</p><p>end, the machine is initially set according to the day key, QCW. The</p><p>�rst six letters of the incoming message, KIVBJE, are typed in and</p><p>reveal PGHPGH. The receiver then knows to reset his scramblers to</p><p>PGH, the message key, and can then decipher the main body of the</p><p>message.</p><p>This is equivalent to the sender and receiver agreeing on a main</p><p>cipher key. Then, instead of using this single main cipher key to</p><p>encrypt every message, they use it merely to encrypt a new cipher</p><p>key for each message, and then encrypt the actual message</p><p>according to the new cipher key. Had the Germans not employed</p><p>message keys, then everything—perhaps thousands of messages</p><p>containing millions of letters—would have been sent using the same</p><p>day key. However, if the day key is only used to transmit the</p><p>message keys, then it encrypts only a limited amount of text. If there</p><p>are 1,000 message keys sent in a day, then the day key encrypts</p><p>only 6,000 letters. And because each message key is picked at</p><p>random and is used to encipher only one message, then it encrypts a</p><p>limited amount of text, perhaps just a few hundred characters.</p><p>At �rst sight the system seemed to be impregnable, but the Polish</p><p>cryptanalysts were undaunted. They were prepared to explore every</p><p>avenue in order to �nd a weakness in the Enigma machine and its</p><p>use of day and message keys. Foremost in the battle against Enigma</p><p>was a new breed of cryptanalyst. For centuries, it had been assumed</p><p>that the best cryptanalysts were experts in the structure of language,</p><p>but the arrival of Enigma prompted the Poles to alter their</p><p>recruiting policy. Enigma was a mechanical cipher, and the Biuro</p><p>Szyfrów reasoned that a more scienti�c mind might stand a better</p><p>chance of breaking it. The Biuro organized a course on cryptography</p><p>and invited twenty mathematicians, each of them sworn to an oath</p><p>of secrecy. The mathematicians were all from the university at</p><p>Poznán. Although not the most respected academic institution in</p><p>Poland, it had the advantage of being located in the west of the</p><p>country, in territory that had been part of Germany until 1918.</p><p>These mathematicians were therefore �uent in German.</p><p>Three of the twenty demonstrated an aptitude for solving ciphers,</p><p>and were recruited into the Biuro. The most gifted of them was</p><p>Marian Rejewski, a timid, spectacled twenty-three-year-old who had</p><p>previously studied statistics in order to pursue a career in insurance.</p><p>Although a competent student at the university, it was within the</p><p>Biuro Szyfrów that he was to �nd his true calling. He served his</p><p>apprenticeship by breaking a series of traditional ciphers before</p><p>moving on to the more forbidding challenge of Enigma. Working</p><p>entirely alone, he concentrated all of his energies on the intricacies</p><p>of Scherbius’s machine. As a mathematician, he would try to</p><p>analyze</p><p>every aspect of the machine’s operation, probing the e�ect</p><p>of the scramblers and the plugboard cablings. However, as with all</p><p>mathematics, his work required inspiration as well as logic. As</p><p>another wartime mathematical cryptanalyst put it, the creative</p><p>codebreaker must “perforce commune daily with dark spirits to</p><p>accomplish his feats of mental ju-jitsu.”</p><p>Rejewski’s strategy for attacking Enigma focused on the fact that</p><p>repetition is the enemy of security: repetition leads to patterns, and</p><p>cryptanalysts thrive on patterns. The most obvious repetition in the</p><p>Enigma encryption was the message key, which was enciphered</p><p>twice at the beginning of every message. If the operator chose the</p><p>message key ULJ, then he would encrypt it twice so that ULJULJ</p><p>might be enciphered as PEFNWZ, which he would then send at the</p><p>start before the actual message. The Germans had demanded this</p><p>repetition in order to avoid mistakes caused by radio interference or</p><p>operator error. But they did not foresee that this would jeopardize</p><p>the security of the machine.</p><p>Each day, Rejewski would �nd himself with a new batch of</p><p>intercepted messages. They all began with the six letters of the</p><p>repeated three-letter message key, all encrypted according to the</p><p>same agreed day key. For example, he might receive four messages</p><p>that began with the following encrypted message keys:</p><p>In each case, the 1st and 4th letters are encryptions of the same</p><p>letter, namely the �rst letter of the message key. Also, the 2nd and</p><p>5th letters are encryptions of the same letter, namely the second</p><p>letter of the message key, and the 3rd and 6th letters are</p><p>encryptions of the same letter, namely the third letter of the</p><p>message key. For example, in the �rst message L and R are</p><p>encryptions of the same letter, the �rst letter of the message key.</p><p>The reason why this same letter is encrypted di�erently, �rst as L</p><p>and then as R, is that between the two encryptions the �rst Enigma</p><p>scrambler has moved on three steps, changing the overall mode of</p><p>scrambling.</p><p>The fact that L and R are encryptions of the same letter allowed</p><p>Rejewski to deduce some slight constraint on the initial setup of the</p><p>machine. The initial scrambler setting, which is unknown, encrypted</p><p>the �rst letter of the day key, which is also unknown, into L, and</p><p>then another scrambler setting, three steps on from the initial</p><p>setting, which is still unknown, encrypted the same letter of the day</p><p>key, which is also still unknown, into R.</p><p>This constraint might seem vague, as it is full of unknowns, but at</p><p>least it demonstrates that the letters L and R are intimately related</p><p>by the initial setting of the Enigma machine, the day key. As each</p><p>new message is intercepted, it is possible to identify other</p><p>relationships between the 1st and 4th letters of the repeated</p><p>message key. All these relationships are re�ections of the initial</p><p>setting of the Enigma machine. For example, the second message</p><p>above tells us that M and X are related, the third tells us that J and</p><p>M are related, and the fourth that D and P are related. Rejewski</p><p>began to summarize these relationships by tabulating them. For the</p><p>four messages we have so far, the table would re�ect the</p><p>relationships between (L, R), (M, X), (J, M) and (D, P):</p><p>If Rejewski had access to enough messages in a single day, then he</p><p>would be able to complete the alphabet of relationships. The</p><p>following table shows such a completed set of relationships:</p><p>Figure 42 Marian Rejewski.</p><p>Rejewski had no idea of the day key, and he had no idea which</p><p>message keys were being chosen, but he did know that they resulted</p><p>in this table of relationships. Had the day key been di�erent, then</p><p>the table of relationships would have been completely di�erent. The</p><p>next question was whether there existed any way of determining the</p><p>day key by looking at the table of relationships. Rejewski began to</p><p>look for patterns within the table, structures that might indicate the</p><p>day key. Eventually, he began to study one particular type of</p><p>pattern, which featured chains of letters. For example, in the table,</p><p>A on the top row is linked to F on the bottom row, so next he would</p><p>look up F on the top row. It turns out that F is linked to W, and so</p><p>he would look up W on the top row. And it turns out that W is</p><p>linked to A, which is where we started. The chain has been</p><p>completed.</p><p>With the remaining letters in the alphabet, Rejewski would</p><p>generate more chains. He listed all the chains, and noted the</p><p>number of links in each one:</p><p>So far, we have only considered the links between the 1st and 4th</p><p>letters of the six-letter repeated key. In fact, Rejewski would repeat</p><p>this whole exercise for the relationships between the 2nd and 5th</p><p>letters, and the 3rd and 6th letters, identifying the chains in each</p><p>case and the number of links in each chain.</p><p>Rejewski noticed that the chains changed each day. Sometimes</p><p>there were lots of short chains, sometimes just a few long chains.</p><p>And, of course, the letters within the chains changed. The</p><p>characteristics of the chains were clearly a result of the day key</p><p>setting-a complex consequence of the plugboard settings, the</p><p>scrambler arrangement and the scrambler orientations. However,</p><p>there remained the question of how Rejewski could determine the</p><p>day key from these chains. Which of 10,000,000,000,000,000</p><p>possible day keys was related to a particular pattern of chains? The</p><p>number of possibilities was simply too great.</p><p>It was at this point that Rejewski had a profound insight.</p><p>Although the plugboard and scrambler settings both a�ect the</p><p>details of the chains, their contributions can to some extent be</p><p>disentangled. In particular, there is one aspect of the chains which is</p><p>wholly dependent on the scrambler settings, and which has nothing</p><p>to do with the plugboard settings: the numbers of links in the chains</p><p>is purely a consequence of the scrambler settings. For instance, let</p><p>us take the example above and pretend that the day key required</p><p>the letters S and G to be swapped as part of the plugboard settings.</p><p>If we change this element of the day key, by removing the cable that</p><p>swaps S and G, and use it to swap, say, T and K instead, then the</p><p>chains would change to the following:</p><p>Some of the letters in the chains have changed, but, crucially, the</p><p>number of links in each chain remains constant. Rejewski had</p><p>identi�ed a facet of the chains that was solely a re�ection of the</p><p>scrambler settings.</p><p>The total number of scrambler settings is the number of scrambler</p><p>arrangements (6) multiplied by the number of scrambler</p><p>orientations (17,576) which comes to 105,456. So, instead of having</p><p>to worry about which of the 10,000,000,000,000,000 day keys was</p><p>associated with a particular set of chains, Rejewski could busy</p><p>himself with a drastically simpler problem: which of the 105,456</p><p>scrambler settings was associated with the numbers of links within a</p><p>set of chains? This number is still large, but it is roughly one</p><p>hundred billion times smaller than the total number of possible day</p><p>keys. In short, the task has become one hundred billion times easier,</p><p>certainly within the realm of human endeavor.</p><p>Rejewski proceeded as follows. Thanks to Hans-Thilo Schmidt’s</p><p>espionage, he had access to replica Enigma machines. His team</p><p>began the laborious chore of checking each of 105,456 scrambler</p><p>settings, and cataloguing the chain lengths that were generated by</p><p>each one. It took an entire year to complete the catalogue, but once</p><p>the Biuro had accumulated the data, Rejewski could �nally begin to</p><p>unravel the Enigma cipher.</p><p>Each day, he would look at the encrypted message keys, the �rst</p><p>six letters of all the intercepted messages, and use the information to</p><p>build his table of relationships. This would allow him to trace the</p><p>chains, and establish the number of links in each chain. For</p><p>example, analyzing the 1st and 4th letters might result in four</p><p>chains with 3, 9, 7 and 7 links. Analyzing the 2nd and 5th letters</p><p>might also result in four chains, with 2, 3, 9 and 12 links. Analyzing</p><p>the 3rd and 6th letters might result in �ve</p><p>chains with 5, 5, 5, 3 and</p><p>8 links. As yet, Rejewski still had no idea of the day key, but he</p><p>knew that it resulted in 3 sets of chains with the following number</p><p>of chains and links in each one:</p><p>4 chains from the 1st and 4th letters, with 3, 9, 7 and 7 links.</p><p>4 chains from the 2nd and 5th letters, with 2, 3, 9 and 12 links.</p><p>5 chains from the 3rd and 6th letters, with 5, 5, 5, 3 and 8 links.</p><p>Rejewski could now go to his catalogue, which contained every</p><p>scrambler setting indexed according to the sort of chains it would</p><p>generate. Having found the catalogue entry that contained the right</p><p>number of chains with the appropriate number of links in each one,</p><p>he immediately knew the scrambler settings for that particular day</p><p>key. The chains were e�ectively �ngerprints, the evidence that</p><p>betrayed the initial scrambler arrangement and orientations.</p><p>Rejewski was working just like a detective who might �nd a</p><p>�ngerprint at the scene of a crime, and then use a database to match</p><p>it to a suspect.</p><p>Although he had identi�ed the scrambler part of the day key,</p><p>Rejewski still had to establish the plugboard settings. Although</p><p>there are about a hundred billion possibilities for the plugboard</p><p>settings, this was a relatively straightforward task. Rejewski would</p><p>begin by setting the scramblers in his Enigma replica according to</p><p>the newly established scrambler part of the day key. He would then</p><p>remove all cables from the plugboard, so that the plugboard had no</p><p>e�ect. Finally, he would take a piece of intercepted ciphertext and</p><p>type it in to the Enigma machine. This would largely result in</p><p>gibberish, because the plugboard cablings were unknown and</p><p>missing. However, every so often vaguely recognizable phrases</p><p>would appear, such as alliveinbelrin—presumably, this should be</p><p>“arrive in Berlin.” If this assumption is correct, then it would imply</p><p>that the letters R and L should be connected and swapped by a</p><p>plugboard cable, while A, I, V, E, B and N should not. By analyzing</p><p>other phrases it would be possible to identify the other �ve pairs of</p><p>letters that had been swapped by the plugboard. Having established</p><p>the plugboard settings, and having already discovered the scrambler</p><p>settings, Rejewski had the complete day key, and could then</p><p>decipher any message sent that day.</p><p>Rejewski had vastly simpli�ed the task of �nding the day key by</p><p>divorcing the problem of �nding the scrambler settings from the</p><p>problem of �nding the plugboard settings. On their own, both of</p><p>these problems were solvable. Originally, we estimated that it would</p><p>take more than the lifetime of the universe to check every possible</p><p>Enigma key. However, Rejewski had spent only a year compiling his</p><p>catalogue of chain lengths, and thereafter he could �nd the day key</p><p>before the day was out. Once he had the day key, he possessed the</p><p>same information as the intended receiver and so could decipher</p><p>messages just as easily.</p><p>Following Rejewski’s breakthrough, German communications</p><p>became transparent. Poland was not at war with Germany, but there</p><p>was a threat of invasion, and Polish relief at conquering Enigma was</p><p>nevertheless immense. If they could �nd out what the German</p><p>generals had in mind for them, there was a chance that they could</p><p>defend themselves. The fate of the Polish nation had depended on</p><p>Rejewski, and he did not disappoint his country. Rejewski’s attack</p><p>on Enigma is one of the truly great accomplishments of</p><p>cryptanalysis. I have had to sum up his work in just a few pages,</p><p>and so have omitted many of the technical details, and all of the</p><p>dead ends. Enigma is a complicated cipher machine, and breaking it</p><p>required immense intellectual force. My simpli�cations should not</p><p>mislead you into underestimating Rejewski’s extraordinary</p><p>achievement.</p><p>The Polish success in breaking the Enigma cipher can be</p><p>attributed to three factors: fear, mathematics and espionage.</p><p>Without the fear of invasion, the Poles would have been discouraged</p><p>by the apparent invulnerability of the Enigma cipher. Without</p><p>mathematics, Rejewski would not have been able to analyze the</p><p>chains. And without Schmidt, codenamed “Asche,” and his</p><p>documents, the wirings of the scramblers would not have been</p><p>known, and cryptanalysis could not even have begun. Rejewski did</p><p>not hesitate to express the debt he owed Schmidt: “Asche’s</p><p>documents were welcomed like manna from heaven, and all doors</p><p>were immediately opened.”</p><p>The Poles successfully used Rejewski’s technique for several years.</p><p>When Hermann Göring visited Warsaw in 1934, he was totally</p><p>unaware of the fact that his communications were being intercepted</p><p>and deciphered. As he and other German dignitaries laid a wreath at</p><p>the Tomb of the Unknown Soldier next to the o�ces of the Biuro</p><p>Szyfrów, Rejewski could stare down at them from his window,</p><p>content in the knowledge that he could read their most secret</p><p>communications.</p><p>Even when the Germans made a minor alteration to the way they</p><p>transmitted messages, Rejewski fought back. His old catalogue of</p><p>chain lengths was useless, but rather than rewriting the catalogue he</p><p>devised a mechanized version of his cataloguing system, which</p><p>could automatically search for the correct scrambler settings.</p><p>Rejewski’s invention was an adaptation of the Enigma machine, able</p><p>to rapidly check each of the 17,576 settings until it spotted a match.</p><p>Because of the six possible scrambler arrangements, it was necessary</p><p>to have six of Rejewski’s machines working in parallel, each one</p><p>representing one of the possible arrangements. Together, they</p><p>formed a unit that was about a meter high, capable of �nding the</p><p>day key in roughly two hours. The units were called bombes, a name</p><p>that might re�ect the ticking noise they made while checking</p><p>scrambler settings. Alternatively, it is said that Rejewski got his</p><p>inspiration for the machines while at a cafe eating a bombe, an ice</p><p>cream shaped into a hemisphere. The bombes e�ectively</p><p>mechanized the process of decipherment. It was a natural response</p><p>to Enigma, which was a mechanization of encipherment.</p><p>For most of the 1930s, Rejewski and his colleagues worked</p><p>tirelessly to uncover the Enigma keys. Month after month, the team</p><p>would have to deal with the stresses and strains of cryptanalysis,</p><p>continually having to �x mechanical failures in the bombes,</p><p>continually having to deal with the never-ending supply of</p><p>encrypted intercepts. Their lives became dominated by the pursuit</p><p>of the day key, that vital piece of information that would reveal the</p><p>meaning of the encrypted messages. However, unknown to the</p><p>Polish codebreakers, much of their work was unnecessary. The chief</p><p>of the Biuro, Major Gwido Langer, already had the Enigma day keys,</p><p>but he kept them hidden, tucked away in his desk.</p><p>Langer, via the French, was still receiving information from</p><p>Schmidt. The German spy’s nefarious activities did not end in 1931</p><p>with the delivery of the two documents on the operation of Enigma,</p><p>but continued for another seven years. He met the French secret</p><p>agent Rex on twenty occasions, often in secluded alpine chalets</p><p>where privacy was guaranteed. At every meeting, Schmidt handed</p><p>over one or more codebooks, each one containing a month’s worth</p><p>of day keys. These were the codebooks that were distributed to all</p><p>German Enigma operators, and they contained all the information</p><p>that was needed to encipher and decipher messages. In total, he</p><p>provided codebooks that contained 38 months’ worth of day keys.</p><p>The keys would have saved Rejewski an enormous amount of time</p><p>and e�ort, shortcutting the necessity for bombes and sparing</p><p>manpower that could have been used in other sections of the Biuro.</p><p>However, the remarkably astute Langer decided not to tell Rejewski</p><p>that the keys existed. By depriving Rejewski of the keys, Langer</p><p>believed he was preparing him for the inevitable time when the keys</p><p>would no longer be available. He knew that if war broke out it</p><p>would be impossible for Schmidt to continue to attend covert</p><p>meetings, and Rejewski would then be forced to be self-su�cient.</p><p>Langer thought that Rejewski should practice self-su�ciency</p><p>securely, Histaiaeus shaved the head of</p><p>his messenger, wrote the message on his scalp, and then waited for</p><p>the hair to regrow. This was clearly a period of history that</p><p>tolerated a certain lack of urgency. The messenger, apparently</p><p>carrying nothing contentious, could travel without being harassed.</p><p>Upon arriving at his destination he then shaved his head and</p><p>pointed it at the intended recipient.</p><p>Secret communication achieved by hiding the existence of a</p><p>message is known as steganography, derived from the Greek words</p><p>steganos, meaning “covered,” and graphein, meaning “to write.” In</p><p>the two thousand years since Herodotus, various forms of</p><p>steganography have been used throughout the world. For example,</p><p>the ancient Chinese wrote messages on �ne silk, which was then</p><p>scrunched into a tiny ball and covered in wax. The messenger would</p><p>then swallow the ball of wax. In the sixteenth century, the Italian</p><p>scientist Giovanni Porta described how to conceal a message within</p><p>a hard-boiled egg by making an ink from a mixture of one ounce of</p><p>alum and a pint of vinegar, and then using it to write on the shell.</p><p>The solution penetrates the porous shell, and leaves a message on</p><p>the surface of the hardened egg albumen, which can be read only</p><p>when the shell is removed. Steganography also includes the practice</p><p>of writing in invisible ink. As far back as the �rst century A.D., Pliny</p><p>the Elder explained how the “milk” of the thithymallus plant could</p><p>be used as an invisible ink. Although transparent after drying, gentle</p><p>heating chars the ink and turns it brown. Many organic �uids</p><p>behave in a similar way, because they are rich in carbon and</p><p>therefore char easily. Indeed, it is not unknown for modern spies</p><p>who have run out of standard-issue invisible ink to improvise by</p><p>using their own urine.</p><p>The longevity of steganography illustrates that it certainly o�ers a</p><p>modicum of security, but it su�ers from a fundamental weakness. If</p><p>the messenger is searched and the message is discovered, then the</p><p>contents of the secret communication are revealed at once.</p><p>Interception of the message immediately compromises all security. A</p><p>thorough guard might routinely search any person crossing a</p><p>border, scraping any wax tablets, heating blank sheets of paper,</p><p>shelling boiled eggs, shaving people’s heads, and so on, and</p><p>inevitably there will be occasions when the message is uncovered.</p><p>Hence, in parallel with the development of steganography, there</p><p>was the evolution of cryptography, derived from the Greek word</p><p>kryptos, meaning “hidden.” The aim of cryptography is not to hide</p><p>the existence of a message, but rather to hide its meaning, a process</p><p>known as encryption. To render a message unintelligible, it is</p><p>scrambled according to a particular protocol which is agreed</p><p>beforehand between the sender and the intended recipient. Thus the</p><p>recipient can reverse the scrambling protocol and make the message</p><p>comprehensible. The advantage of cryptography is that if the enemy</p><p>intercepts an encrypted message, then the message is unreadable.</p><p>Without knowing the scrambling protocol, the enemy should �nd it</p><p>di�cult, if not impossible, to recreate the original message from the</p><p>encrypted text.</p><p>Although cryptography and steganography are independent, it is</p><p>possible to both scramble and hide a message to maximize security.</p><p>For example, the microdot is a form of steganography that became</p><p>popular during the Second World War. German agents in Latin</p><p>America would photographically shrink a page of text down to a dot</p><p>less than 1 millimeter in diameter, and then hide this microdot on</p><p>top of a full stop in an apparently innocuous letter. The �rst</p><p>microdot to be spotted by the FBI was in 1941, following a tip-o�</p><p>that the Americans should look for a tiny gleam from the surface of</p><p>a letter, indicative of smooth �lm. Thereafter, the Americans could</p><p>read the contents of most intercepted microdots, except when the</p><p>German agents had taken the extra precaution of scrambling their</p><p>message before reducing it. In such cases of cryptography combined</p><p>with steganography, the Americans were sometimes able to</p><p>intercept and block communications, but they were prevented from</p><p>gaining any new information about German spying activity. Of the</p><p>two branches of secret communication, cryptography is the more</p><p>powerful because of this ability to prevent information from falling</p><p>into enemy hands.</p><p>In turn, cryptography itself can be divided into two branches,</p><p>known as transposition and substitution. In transposition, the letters of</p><p>the message are simply rearranged, e�ectively generating an</p><p>anagram. For very short messages, such as a single word, this</p><p>method is relatively insecure because there are only a limited</p><p>number of ways of rearranging a handful of letters. For example,</p><p>three letters can be arranged in only six di�erent ways, e.g., cow,</p><p>cwo, ocw, owc, wco, woc. However, as the number of letters</p><p>gradually increases, the number of possible arrangements rapidly</p><p>explodes, making it impossible to get back to the original message</p><p>unless the exact scrambling process is known. For example, consider</p><p>this short sentence. It contains just 35 letters, and yet there are more</p><p>than 50,000,000,000,000,000,000,000,000,000,000 distinct</p><p>arrangements of them. If one person could check one arrangement</p><p>per second, and if all the people in the world worked night and day,</p><p>it would still take more than a thousand times the lifetime of the</p><p>universe to check all the arrangements.</p><p>A random transposition of letters seems to o�er a very high level</p><p>of security, because it would be impractical for an enemy</p><p>interceptor to unscramble even a short sentence. But there is a</p><p>drawback. Transposition e�ectively generates an incredibly di�cult</p><p>anagram, and if the letters are randomly jumbled, with neither</p><p>rhyme nor reason, then unscrambling the anagram is impossible for</p><p>the intended recipient, as well as an enemy interceptor. In order for</p><p>transposition to be e�ective, the rearrangement of letters needs to</p><p>follow a straightforward system, one that has been previously</p><p>agreed by sender and receiver, but kept secret from the enemy. For</p><p>example, schoolchildren sometimes send messages using the “rail</p><p>fence” transposition, in which the message is written with alternate</p><p>letters on separate upper and lower lines. The sequence of letters on</p><p>the lower line is then tagged on at the end of the sequence on the</p><p>upper line to create the �nal encrypted message. For example:</p><p>The receiver can recover the message by simply reversing the</p><p>process. There are various other forms of systematic transposition,</p><p>including the three-line rail fence cipher, in which the message is</p><p>�rst written on three separate lines instead of two. Alternatively,</p><p>one could swap each pair of letters, so that the �rst and second</p><p>letters switch places, the third and fourth letters switch places, and</p><p>so on.</p><p>Another form of transposition is embodied in the �rst ever</p><p>military cryptographic device, the Spartan scytale, dating back to the</p><p>�fth century B.C. The scytale is a wooden sta� around which a strip</p><p>of leather or parchment is wound, as shown in Figure 2. The sender</p><p>writes the message along the length of the scytale, and then</p><p>unwinds the strip, which now appears to carry a list of meaningless</p><p>letters. The message has been scrambled. The messenger would take</p><p>the leather strip, and, as a steganographic twist, he would</p><p>sometimes disguise it as a belt with the letters hidden on the inside.</p><p>To recover the message, the receiver simply wraps the leather strip</p><p>around a scytale of the same diameter as the one used by the</p><p>sender. In 404 B.C. Lysander of Sparta was confronted by a</p><p>messenger, bloody and battered, one of only �ve to have survived</p><p>the arduous journey from Persia. The messenger handed his belt to</p><p>Lysander, who wound it around his scytale to learn that</p><p>Pharnabazus of Persia was planning to attack him. Thanks to the</p><p>scytale, Lysander was prepared for the attack and repulsed it.</p><p>Figure 2 When it is unwound from the sender’s scytale (wooden sta�), the leather</p><p>strip appears</p><p>in</p><p>peacetime, as preparation for what lay ahead.</p><p>Rejewski’s skills eventually reached their limit in December 1938,</p><p>when German cryptographers increased Enigma’s security. Enigma</p><p>operators were all given two new scramblers, so that the scrambler</p><p>arrangement might involve any three of the �ve available</p><p>scramblers. Previously there were only three scramblers (labeled 1,</p><p>2 and 3) to choose from, and only six ways to arrange them, but</p><p>now that there were two extra scramblers (labeled 4 and 5) to</p><p>choose from, the number of arrangements rose to 60, as shown in</p><p>Table 10. Rejewski’s �rst challenge was to work out the internal</p><p>wirings of the two new scramblers. More worryingly, he also had to</p><p>build ten times as many bombes, each representing a di�erent</p><p>scrambler arrangement. The sheer cost of building such a battery of</p><p>bombes was �fteen times the Biuro’s entire annual equipment</p><p>budget. The following month the situation worsened when the</p><p>number of plugboard cables increased from six to ten. Instead of</p><p>twelve letters being swapped before entering the scramblers, there</p><p>were now twenty swapped letters. The number of possible keys</p><p>increased to 159,000,000,000,000,000,000.</p><p>In 1938 Polish interceptions and decipherments had been at their</p><p>peak, but by the beginning of 1939 the new scramblers and extra</p><p>plugboard cables stemmed the �ow of intelligence. Rejewski, who</p><p>had pushed forward the boundaries of cryptanalysis in previous</p><p>years, was confounded. He had proved that Enigma was not an</p><p>unbreakable cipher, but without the resources required to check</p><p>every scrambler setting he could not �nd the day key, and</p><p>decipherment was impossible. Under such desperate circumstances</p><p>Langer might have been tempted to hand over the keys that had</p><p>been obtained by Schmidt, but the keys were no longer being</p><p>delivered. Just before the introduction of the new scramblers,</p><p>Schmidt had broken o� contact with agent Rex. For seven years he</p><p>had supplied keys which were super�uous because of Polish</p><p>innovation. Now, just when the Poles needed the keys, they were no</p><p>longer available.</p><p>The new invulnerability of Enigma was a devastating blow to</p><p>Poland, because Enigma was not merely a means of communication,</p><p>it was at the heart of Hitler’s blitzkrieg strategy. The concept of</p><p>blitzkrieg (“lightning war”) involved rapid, intense, coordinated</p><p>attack, which meant that large tank divisions would have to</p><p>communicate with one another and with infantry and artillery.</p><p>Furthermore, land forces would be backed up by air support from</p><p>dive-bombing Stukas, which would rely on e�ective and secure</p><p>communication between the front-line troops and the air�elds. The</p><p>ethos of blitzkrieg was “speed of attack through speed of</p><p>communications.” If the Poles could not break Enigma, they had no</p><p>hope of stopping the German onslaught, which was clearly only a</p><p>matter of months away. Germany already occupied the Sudetenland,</p><p>and on April 27, 1939, it withdrew from its nonaggression treaty</p><p>with Poland. Hitler’s anti-Polish rhetoric became increasingly</p><p>vitriolic. Langer was determined that if Poland was invaded, then its</p><p>cryptanalytic breakthroughs, which had so far been kept secret from</p><p>the Allies, should not be lost. If Poland could not bene�t from</p><p>Rejewski’s work, then at least the Allies should have the chance to</p><p>try and build on it. Perhaps Britain and France, with their extra</p><p>resources, could fully exploit the concept of the bombe.</p><p>Table 10 Possible arrangements with �ve scramblers.</p><p>Figure 43 General Heinz Guderian’s command post vehicle. An Enigma machine can be</p><p>seen in use in the bottom left. (photo credit 4.2)</p><p>On June 30, Major Langer telegraphed his French and British</p><p>counterparts, inviting them to Warsaw to discuss some urgent</p><p>matters concerning Enigma. On July 24, senior French and British</p><p>cryptanalysts arrived at the Biuro’s headquarters, not knowing quite</p><p>what to expect. Langer ushered them into a room in which stood an</p><p>object covered with a black cloth. He pulled away the cloth,</p><p>dramatically revealing one of Rejewski’s bombes. The audience were</p><p>astonished as they heard how Rejewski had been breaking Enigma</p><p>for years. The Poles were a decade ahead of anybody else in the</p><p>world. The French were particularly astonished, because the Polish</p><p>work had been based on the results of French espionage. The French</p><p>had handed the information from Schmidt to the Poles because they</p><p>believed it to be of no value, but the Poles had proved them wrong.</p><p>As a �nal surprise, Langer o�ered the British and French two</p><p>spare Enigma replicas and blueprints for the bombes, which were to</p><p>be shipped in diplomatic bags to Paris. From there, on August 16,</p><p>one of the Enigma machines was forwarded to London. It was</p><p>smuggled across the Channel as part of the baggage of the</p><p>playwright Sacha Guitry and his wife, the actress Yvonne Printemps,</p><p>so as not to arouse the suspicion of German spies who would be</p><p>monitoring the ports. Two weeks later, on September 1, Hitler</p><p>invaded Poland and the war began.</p><p>The Geese that Never Cackled</p><p>For thirteen years the British and the French had assumed that the</p><p>Enigma cipher was unbreakable, but now there was hope. The</p><p>Polish revelations had demonstrated that the Enigma cipher was</p><p>�awed, which boosted the morale of Allied cryptanalysts. Polish</p><p>progress had ground to a halt on the introduction of the new</p><p>scramblers and extra plugboard cables, but the fact remained that</p><p>Enigma was no longer considered a perfect cipher.</p><p>The Polish breakthroughs also demonstrated to the Allies the</p><p>value of employing mathematicians as codebreakers. In Britain,</p><p>Room 40 had always been dominated by linguists and classicists,</p><p>but now there was a concerted e�ort to balance the sta� with</p><p>mathematicians and scientists. They were recruited largely via the</p><p>old-boy network, with those inside Room 40 contacting their former</p><p>Oxford and Cambridge colleges. There was also an old-girl network</p><p>which recruited women undergraduates from places such as</p><p>Newnham College and Girton College, Cambridge.</p><p>The new recruits were not brought to Room 40 in London, but</p><p>instead went to Bletchley Park, Buckinghamshire, the home of the</p><p>Government Code and Cypher School (GC&CS), a newly formed</p><p>codebreaking organization that was taking over from Room 40.</p><p>Bletchley Park could house a much larger sta�, which was</p><p>important because a deluge of encrypted intercepts was expected as</p><p>soon as the war started. During the First World War, Germany had</p><p>transmitted two million words a month, but it was anticipated that</p><p>the greater availability of radios in the Second World War could</p><p>result in the transmission of two million words a day.</p><p>At the center of Bletchley Park was a large Victorian Tudor-Gothic</p><p>mansion built by the nineteenth-century �nancier Sir Herbert Leon.</p><p>The mansion, with its library, dining hall and ornate ballroom,</p><p>provided the central administration for the whole of the Bletchley</p><p>operation. Commander Alastair Denniston, the director of GC&CS,</p><p>had a ground-�oor o�ce overlooking the gardens, a view that was</p><p>soon spoiled by the erection of numerous huts. These makeshift</p><p>wooden buildings housed the various codebreaking activities. For</p><p>example, Hut 6 specialized in attacking the German Army’s Enigma</p><p>communications. Hut 6 passed its decrypts to Hut 3, where</p><p>intelligence operatives translated the messages, and attempted to</p><p>exploit the information. Hut 8 specialized in the naval Enigma, and</p><p>they passed their decrypts to Hut 4 for translation and intelligence</p><p>gathering. Initially, Bletchley Park had a sta� of only two hundred,</p><p>but within �ve years the mansion and the huts would house seven</p><p>thousand men and women.</p><p>Figure 44 In August 1939, Britain’s senior codebreakers visited Bletchley Park to</p><p>assess its suitability as the site for the new Government Code and Cypher School. To</p><p>avoid arousing suspicion from locals, they claimed to be part of Captain Ridley’s</p><p>shooting party. (photo credit 4.3)</p><p>During the autumn of 1939, the scientists and mathematicians at</p><p>Bletchley learned the intricacies of the Enigma</p><p>cipher and rapidly</p><p>mastered the Polish techniques. Bletchley had more sta� and</p><p>resources than the Polish Biuro Szyfrów, and were thus able to cope</p><p>with the larger selection of scramblers and the fact that Enigma was</p><p>now ten times harder to break. Every twenty-four hours the British</p><p>codebreakers went through the same routine. At midnight, German</p><p>Enigma operators would change to a new day key, at which point</p><p>whatever breakthroughs Bletchley had achieved the previous day</p><p>could no longer be used to decipher messages. The codebreakers</p><p>now had to begin the task of trying to identify the new day key. It</p><p>could take several hours, but as soon as they had discovered the</p><p>Enigma settings for that day, the Bletchley sta� could begin to</p><p>decipher the German messages that had already accumulated,</p><p>revealing information that was invaluable to the war e�ort.</p><p>Surprise is an invaluable weapon for a commander to have at his</p><p>disposal. But if Bletchley could break into Enigma, German plans</p><p>would become transparent and the British would be able to read the</p><p>minds of the German High Command. If the British could pick up</p><p>news of an imminent attack, they could send reinforcements or take</p><p>evasive action. If they could decipher German discussions of their</p><p>own weaknesses, the Allies would be able to focus their o�ensives.</p><p>The Bletchley decipherments were of the utmost importance. For</p><p>example, when Germany invaded Denmark and Norway in April</p><p>1940, Bletchley provided a detailed picture of German operations.</p><p>Similarly, during the Battle of Britain, the cryptanalysts were able to</p><p>give advance warning of bombing raids, including times and</p><p>locations. They could also give continual updates on the state of the</p><p>Luftwa�e, such as the number of planes that had been lost and the</p><p>speed with which they were being replaced. Bletchley would send</p><p>all this information to MI6 headquarters, who would forward it to</p><p>the War O�ce, the Air Ministry and the Admiralty.</p><p>In between in�uencing the course of the war, the cryptanalysts</p><p>occasionally found time to relax. According to Malcolm Muggeridge,</p><p>who served in the secret service and visited Bletchley, rounders, a</p><p>version of softball, was a favorite pastime:</p><p>Every day after luncheon when the weather was propitious the cipher crackers played</p><p>rounders on the manor-house lawn, assuming the quasi-serious manner dons a�ect</p><p>when engaged in activities likely to be regarded as frivolous or insigni�cant in</p><p>comparison with their weightier studies. Thus they would dispute some point about</p><p>the game with the same fervor as they might the question of free will or determinism,</p><p>or whether the world began with a big bang or a process of continuing creation.</p><p>Figure 45 Bletchley’s codebreakers relax with a game of rounders.</p><p>Once they had mastered the Polish techniques, the Bletchley</p><p>cryptanalysts began to invent their own shortcuts for �nding the</p><p>Enigma keys. For example, they cottoned on to the fact that the</p><p>German Enigma operators would occasionally choose obvious</p><p>message keys. For each message, the operator was supposed to</p><p>select a di�erent message key, three letters chosen at random.</p><p>However, in the heat of battle, rather than straining their</p><p>imaginations to pick a random key, the overworked operators would</p><p>sometimes pick three consecutive letters from the Enigma keyboard</p><p>(Figure 46), such as QWE or BNM. These predictable message keys</p><p>became known as cillies. Another type of cilly was the repeated use</p><p>of the same message key, perhaps the initials of the operator’s</p><p>girlfriend—indeed, one such set of initials, C.I.L., may have been the</p><p>origin of the term. Before cracking Enigma the hard way, it became</p><p>routine for the cryptanalysts to try out the cillies, and their hunches</p><p>would sometimes pay o�.</p><p>Cillies were not weaknesses of the Enigma machine, rather they</p><p>were weaknesses in the way the machine was being used. Human</p><p>error at more senior levels also compromised the security of the</p><p>Enigma cipher. Those responsible for compiling the codebooks had</p><p>to decide which scramblers would be used each day, and in which</p><p>positions. They tried to ensure that the scrambler settings were</p><p>unpredictable by not allowing any scrambler to remain in the same</p><p>position for two days in a row. So, if we label the scramblers 1, 2, 3,</p><p>4 and 5, then on the �rst day it would be possible to have the</p><p>arrangement 134, and on the second day it would be possible to</p><p>have 215, but not 214, because scrambler number 4 is not allowed</p><p>to remain in the same position for two days in a row. This might</p><p>seem a sensible strategy because the scramblers are constantly</p><p>changing position, but enforcing such a rule actually makes life</p><p>easier for the cryptanalyst. Excluding certain arrangements to avoid</p><p>a scrambler remaining in the same position meant that the codebook</p><p>compilers reduced by half the number of possible scrambler</p><p>arrangements. The Bletchley cryptanalysts realized what was</p><p>happening and made the most of it. Once they identi�ed the</p><p>scrambler arrangement for one day, they could immediately rule out</p><p>half the scrambler arrangements for the next day. Hence, their</p><p>workload was reduced by half.</p><p>Figure 46 Layout of the Enigma keyboard.</p><p>Similarly, there was a rule that the plugboard settings could not</p><p>include a swap between any letter and its neighbor, which meant</p><p>that S could be swapped with any letter except R and T. The theory</p><p>was that such obvious swappings should be deliberately avoided,</p><p>but once again the implementation of a rule drastically reduced the</p><p>number of possible keys.</p><p>This search for new cryptanalytic shortcuts was necessary because</p><p>the Enigma machine continued to evolve during the course of the</p><p>war. The cryptanalysts were continually forced to innovate, to</p><p>redesign and re�ne the bombes, and to devise wholly new</p><p>strategies. Part of the reason for their success was the bizarre</p><p>combination of mathematicians, scientists, linguists, classicists,</p><p>chess grandmasters and crossword addicts within each hut. An</p><p>intractable problem would be passed around the hut until it reached</p><p>someone who had the right mental tools to solve it, or reached</p><p>someone who could at least partially solve it before passing it on</p><p>again. Gordon Welchman, who was in charge of Hut 6, described his</p><p>team as “a pack of hounds trying to pick up the scent.” There were</p><p>many great cryptanalysts and many signi�cant breakthroughs, and</p><p>it would take several large volumes to describe the individual</p><p>contributions in detail. However, if there is one �gure who deserves</p><p>to be singled out, it is Alan Turing, who identi�ed Enigma’s greatest</p><p>weakness and ruthlessly exploited it. Thanks to Turing, it became</p><p>possible to crack the Enigma cipher under even the most di�cult</p><p>circumstances.</p><p>Alan Turing was conceived in the autumn of 1911 in Chatrapur, a</p><p>town near Madras in southern India, where his father Julius Turing</p><p>was a member of the Indian civil service. Julius and his wife Ethel</p><p>were determined that their son should be born in Britain, and</p><p>returned to London, where Alan was born on June 23, 1912. His</p><p>father returned to India soon afterward and his mother followed just</p><p>�fteen months later, leaving Alan in the care of nannies and friends</p><p>until he was old enough to attend boarding school.</p><p>In 1926, at the age of fourteen, Turing became a pupil at</p><p>Sherborne School, in Dorset. The start of his �rst term coincided</p><p>with the General Strike, but Turing was determined to attend the</p><p>�rst day, and he cycled 100 km unaccompanied from Southampton</p><p>to Sherborne, a feat that was reported in the local newspaper. By</p><p>the end of his �rst year at the school he had gained a reputation as a</p><p>shy, awkward boy whose only skills were in the area of science. The</p><p>aim of Sherborne was to turn boys into well-rounded men, �t to rule</p><p>the Empire, but Turing did not share this ambition and had a</p><p>generally unhappy schooling.</p><p>His only real friend at Sherborne was Christopher Morcom, who,</p><p>like Turing, had an interest in science. Together they discussed the</p><p>latest scienti�c news and conducted their own experiments. The</p><p>relationship</p><p>�red Turing’s intellectual curiosity, but, more</p><p>importantly, it also had a profound emotional e�ect on him. Andrew</p><p>Hodges, Turing’s biographer, wrote that “This was �rst love … It</p><p>had that sense of surrender, and a heightened awareness, as of</p><p>brilliant color bursting upon a black and white world.” Their</p><p>friendship lasted four years, but Morcom seems to have been</p><p>unaware of the depth of feeling Turing had for him. Then, during</p><p>their �nal year at Sherborne, Turing lost forever the chance to tell</p><p>him how he felt. On Thursday, February 13, 1930, Christopher</p><p>Morcom suddenly died of tuberculosis.</p><p>Turing was devastated by the loss of the only person he would</p><p>ever truly love. His way of coming to terms with Morcom’s death</p><p>was to focus on his scienti�c studies in an attempt to ful�ll his</p><p>friend’s potential. Morcom, who appeared to be the more gifted of</p><p>the two boys, had already won a scholarship to Cambridge</p><p>University. Turing believed it was his duty also to win a place at</p><p>Cambridge, and then to make the discoveries his friend would</p><p>otherwise have made. He asked Christopher’s mother for a</p><p>photograph, and when it arrived he wrote back to thank her: “He is</p><p>on my table now, encouraging me to work hard.”</p><p>In 1931, Turing gained admission to King’s College, Cambridge.</p><p>He arrived during a period of intense debate about the nature of</p><p>mathematics and logic, and was surrounded by some of the leading</p><p>voices, such as Bertrand Russell, Alfred North Whitehead and</p><p>Ludwig Wittgenstein. At the center of the argument was the issue of</p><p>undecidability, a controversial notion developed by the logician Kurt</p><p>Gödel. It had always been assumed that, in theory at least, all</p><p>mathematical questions could be answered. However, Gödel</p><p>demonstrated that there could exist a minority of questions which</p><p>were beyond the reach of logical proof, so-called undecidable</p><p>questions. Mathematicians were traumatized by the news that</p><p>mathematics was not the all-powerful discipline they had always</p><p>believed it to be. They attempted to salvage their subject by trying</p><p>to �nd a way of identifying the awkward undecidable questions, so</p><p>that they could put them safely to one side. It was this objective that</p><p>eventually inspired Turing to write his most in�uential</p><p>mathematical paper, “On Computable Numbers,” published in 1937.</p><p>In Breaking the Code, Hugh Whitemore’s play about the life of</p><p>Turing, a character asks Turing the meaning of his paper. He replies,</p><p>“It’s about right and wrong. In general terms. It’s a technical paper</p><p>in mathematical logic, but it’s also about the di�culty of telling</p><p>right from wrong. People think—most people think—that in</p><p>mathematics we always know what is right and what is wrong. Not</p><p>so. Not any more.”</p><p>Figure 47 Alan Turing. (photo credit 4.4)</p><p>In his attempt to identify undecidable questions, Turing’s paper</p><p>described an imaginary machine that was designed to perform a</p><p>particular mathematical operation, or algorithm. In other words, the</p><p>machine would be capable of running through a �xed, prescribed</p><p>series of steps which would, for example, multiply two numbers.</p><p>Turing envisaged that the numbers to be multiplied could be fed</p><p>into the machine via a paper tape, rather like the punched tape that</p><p>is used to feed a tune into a Pianola. The answer to the</p><p>multiplication would be output via another tape. Turing imagined a</p><p>whole series of these so-called Turing machines, each specially</p><p>designed to tackle a particular task, such as dividing, squaring or</p><p>factoring. Then Turing took a more radical step.</p><p>He imagined a machine whose internal workings could be altered</p><p>so that it could perform all the functions of all conceivable Turing</p><p>machines. The alterations would be made by inserting carefully</p><p>selected tapes, which transformed the single �exible machine into a</p><p>dividing machine, a multiplying machine, or any other type of</p><p>machine. Turing called this hypothetical device a universal Turing</p><p>machine because it would be capable of answering any question that</p><p>could logically be answered. Unfortunately, it turned out that it is</p><p>not always logically possible to answer a question about the</p><p>undecidability of another question, and so even the universal Turing</p><p>machine was unable to identify every undecidable question.</p><p>Mathematicians who read Turing’s paper were disappointed that</p><p>Gödel’s monster had not been subdued but, as a consolation prize,</p><p>Turing had given them the blueprint for the modern programmable</p><p>computer. Turing knew of Babbage’s work, and the universal Turing</p><p>machine can be seen as a reincarnation of Di�erence Engine No. 2.</p><p>In fact, Turing had gone much further, and provided computing</p><p>with a solid theoretical basis, imbuing the computer with a hitherto</p><p>unimaginable potential. It was still the 1930s though, and the</p><p>technology did not exist to turn the universal Turing machine into a</p><p>reality. However, Turing was not at all dismayed that his theories</p><p>were ahead of what was technically feasible. He merely wanted</p><p>recognition from within the mathematical community, who indeed</p><p>applauded his paper as one of the most important breakthroughs of</p><p>the century. He was still only twenty-six.</p><p>This was a particularly happy and successful period for Turing.</p><p>During the 1930s he rose through the ranks to become a fellow of</p><p>King’s College, home of the world’s intellectual elite. He led the life</p><p>of an archetypal Cambridge don, mixing pure mathematics with</p><p>more trivial activities. In 1938 he made a point of seeing the �lm</p><p>Snow White and the Seven Dwarfs, containing the memorable scene in</p><p>which the Wicked Witch dunks an apple in poison. Afterward his</p><p>colleagues heard Turing continually repeating the macabre chant,</p><p>“Dip the apple in the brew, Let the sleeping death seep through.”</p><p>Turing cherished his years at Cambridge. In addition to his</p><p>academic success, he found himself in a tolerant and supportive</p><p>environment. Homosexuality was largely accepted within the</p><p>university, which meant that he was free to engage in a series of</p><p>relationships without having to worry about who might �nd out,</p><p>and what others might say. Although he had no serious long-term</p><p>relationships, he seemed to be content with his life. Then, in 1939,</p><p>Turing’s academic career was brought to an abrupt halt. The</p><p>Government Code and Cypher School invited him to become a</p><p>cryptanalyst at Bletchley, and on September 4, 1939, the day after</p><p>Neville Chamberlain declared war on Germany, Turing moved from</p><p>the opulence of the Cambridge quadrangle to the Crown Inn at</p><p>Shenley Brook End.</p><p>Each day he cycled 5 km from Shenley Brook End to Bletchley</p><p>Park, where he spent part of his time in the huts contributing to the</p><p>routine codebreaking e�ort, and part of his time in the Bletchley</p><p>think tank, formerly Sir Herbert Leon’s apple, pear and plum store.</p><p>The think tank was where the cryptanalysts brainstormed their way</p><p>through new problems, or anticipated how to tackle problems that</p><p>might arise in the future. Turing focused on what would happen if</p><p>the German military changed their system of exchanging message</p><p>keys. Bletchley’s early successes relied on Rejewski’s work, which</p><p>exploited the fact that Enigma operators encrypted each message</p><p>key twice (for example, if the message key was YGB, the operator</p><p>would encipher YGBYGB). This repetition was supposed to ensure</p><p>that the receiver did not make a mistake, but it created a chink in</p><p>the security of Enigma. British cryptanalysts guessed it would not be</p><p>long before the Germans noticed that the repeated key was</p><p>compromising the Enigma cipher, at which point the Enigma</p><p>operators would be told to abandon the repetition, thus confounding</p><p>Bletchley’s current codebreaking techniques. It was Turing’s job to</p><p>�nd an alternative way to attack Enigma, one that did not rely on a</p><p>repeated message key.</p><p>As the weeks passed, Turing realized that Bletchley was</p><p>accumulating a vast library of decrypted messages, and he noticed</p><p>that many of them conformed to a rigid structure. By studying old</p><p>decrypted messages, he believed he could sometimes predict part of</p><p>the contents of an undeciphered</p><p>message, based on when it was sent</p><p>and its source. For example, experience showed that the Germans</p><p>sent a regular enciphered weather report shortly after 6 A.M. each</p><p>day. So, an encrypted message intercepted at 6:05 A.M. would be</p><p>almost certain to contain wetter, the German word for “weather.”</p><p>The rigorous protocol used by any military organization meant that</p><p>such messages were highly regimented in style, so Turing could</p><p>even be con�dent about the location of wetter within the encrypted</p><p>message. For example, experience might tell him that the �rst six</p><p>letters of a particular ciphertext corresponded to the plaintext letters</p><p>wetter. When a piece of plaintext can be associated with a piece of</p><p>ciphertext, this combination is known as a crib.</p><p>Turing was sure that he could exploit the cribs to crack Enigma. If</p><p>he had a ciphertext and he knew that a speci�c section of it, say</p><p>ETJWPX, represented wetter, then the challenge was to identify the</p><p>settings of the Enigma machine that would transform wetter into</p><p>ETJWPX. The straightforward, but impractical, way to do this would</p><p>be for the cryptanalyst to take an Enigma machine, type in wetter</p><p>and see if the correct ciphertext emerged. If not, then the</p><p>cryptanalyst would change the settings of the machine, by swapping</p><p>plugboard cables, and swapping or reorienting scramblers, and then</p><p>type in wetter again. If the correct ciphertext did not emerge, the</p><p>cryptanalyst would change the settings again, and again, and again,</p><p>until he found the right one. The only problem with this trial and</p><p>error approach was the fact that there were</p><p>159,000,000,000,000,000,000 possible settings to check, so �nding</p><p>the one that transformed wetter into ETJWPX was a seemingly</p><p>impossible task.</p><p>To simplify the problem, Turing attempted to follow Rejewski’s</p><p>strategy of disentangling the settings. He wanted to divorce the</p><p>problem of �nding the scrambler settings (�nding which scrambler</p><p>is in which slot, and what their respective orientations are) from the</p><p>problem of �nding the plugboard cablings. For example, if he could</p><p>�nd something in the crib that had nothing to do with the</p><p>plugboard cablings, then he could feasibly check each of the</p><p>remaining 1,054,560 possible scrambler combinations (60</p><p>arrangements × 17,576 orientations). Having found the correct</p><p>scrambler settings, he could then deduce the plugboard cablings.</p><p>Eventually, his mind settled on a particular type of crib which</p><p>contained internal loops, similar to the chains exploited by</p><p>Rejewski. Rejewski’s chains linked letters within the repeated</p><p>message key. However, Turing’s loops had nothing to do with the</p><p>message key, as he was working on the assumption that soon the</p><p>Germans would stop sending repeated message keys. Instead,</p><p>Turing’s loops connected plaintext and ciphertext letters within a</p><p>crib. For example, the crib shown in Figure 48 contains a loop.</p><p>Figure 48 One of Turing’s cribs, showing a loop.</p><p>Remember, cribs are only guesses, but if we assume that this crib is</p><p>correct, we can link the letters W→E, e→T, t→W as part of a loop.</p><p>Although we know none of the Enigma machine settings, we can</p><p>label the �rst setting, whatever it is, S. In this �rst setting we know</p><p>that w is encrypted as E. After this encryption, the �rst scrambler</p><p>clicks around one place to setting S+1, and the letter e is</p><p>enciphered as T. The scrambler clicks forward another place and</p><p>encrypts a letter that is not part of the loop, so we ignore this</p><p>encryption. The scrambler clicks forward one more place and, once</p><p>again, we reach a letter that is part of the loop. In setting S+3, we</p><p>know that the letter t is enciphered as W. In summary, we know</p><p>that</p><p>In setting S, Enigma encrypts w as E.</p><p>In setting S+1, Enigma encrypts e as T.</p><p>In setting S+3, Enigma encrypts t as W.</p><p>So far the loop seems like nothing more than a curious pattern, but</p><p>Turing rigorously followed the implications of the relationships</p><p>within the loop, and saw that they provided him with the drastic</p><p>shortcut he needed in order to break Enigma. Instead of working</p><p>with just one Enigma machine to test every setting, Turing began to</p><p>imagine three separate machines, each dealing with the</p><p>encipherment of one element of the loop. The �rst machine would</p><p>try to encipher w into E, the second would try to encipher e into T,</p><p>and the third t into W. The three machines would all have identical</p><p>settings, except that the second would have its scrambler</p><p>orientations moved forward one place with respect to the �rst, a</p><p>setting labeled S+1, and the third would have its scrambler</p><p>orientations moved forward three places with respect to the �rst, a</p><p>setting labeled S+3. Turing then pictured a frenzied cryptanalyst,</p><p>continually changing plugboard cables, swapping scrambler</p><p>arrangements and changing their orientations in order to achieve</p><p>the correct encryptions. Whatever cables were changed in the �rst</p><p>machine would also be changed in the other two. Whatever</p><p>scrambler arrangements were changed in the �rst machine would</p><p>also be changed in the other two. And, crucially, whatever</p><p>scrambler orientation was set in the �rst machine, the second would</p><p>have the same orientation but stepped forward one place, and the</p><p>third would have the same orientation but stepped forward three</p><p>places.</p><p>Turing does not seem to have achieved much. The cryptanalyst</p><p>still has to check all 159,000,000,000,000,000,000 possible settings,</p><p>and, to make matters worse, he now has to do it simultaneously on</p><p>all three machines instead of just one. However, the next stage of</p><p>Turing’s idea transforms the challenge, and vastly simpli�es it. He</p><p>imagined connecting the three machines by running electrical wires</p><p>between the inputs and the outputs of each machine, as shown in</p><p>Figure 49. In e�ect, the loop in the crib is paralleled by the loop of</p><p>the electrical circuit. Turing pictured the machines changing their</p><p>plugboard and scrambler settings, as described above, but only</p><p>when all the settings are correct for all three machines would the</p><p>circuit be completed, allowing a current to �ow through all three</p><p>machines. If Turing incorporated a lightbulb within the circuit, then</p><p>the current would illuminate it, signaling that the correct settings</p><p>had been found. At this point, the three machines still have to check</p><p>up to 159,000,000,000,000,000,000 possible settings in order to</p><p>illuminate the bulb. However, everything done so far has merely</p><p>been preparation for Turing’s �nal logical leap, which would make</p><p>the task over a hundred million million times easier in one fell</p><p>swoop.</p><p>Turing had constructed his electrical circuit in such a way as to</p><p>nullify the e�ect of the plugboard, thereby allowing him to ignore</p><p>the billions of plugboard settings. Figure 49 shows that the �rst</p><p>Enigma has the electric current entering the scramblers and</p><p>emerging at some unknown letter, which we shall call L1. The</p><p>current then �ows through the plugboard, which transforms L1 into</p><p>E. This letter E is connected via a wire to the letter e in the second</p><p>Enigma, and as the current �ows through the second plugboard it is</p><p>transformed back to L1. In other words, the two plugboards cancel</p><p>each other out. Similarly, the current emerging from the scramblers</p><p>in the second Enigma enters the plugboard at L2 before being</p><p>transformed into T. This letter T is connected via a wire to the letter</p><p>t in the third Enigma, and as the current �ows through the third</p><p>plugboard it is transformed back to L2. In short, the plugboards</p><p>cancel themselves out throughout the whole circuit, so Turing could</p><p>ignore them completely.</p><p>Turing needed only to connect the output of the �rst set of</p><p>scramblers, L1, directly to the input of the second set of scramblers,</p><p>also L1, and so on. Unfortunately, he did not know the value of the</p><p>letter L1, so he had to connect all 26 outputs of the �rst set of</p><p>scramblers to all 26 corresponding inputs in the second set of</p><p>scramblers, and so on. In e�ect, there were now 26 electrical loops,</p><p>and each one would have a lightbulb to signal the completion of an</p><p>electrical circuit. The three sets</p><p>of scramblers could then simply</p><p>check each of the 17,576 orientations, with the second set of</p><p>scramblers always one step ahead of the �rst set, and the third set of</p><p>scramblers two steps ahead of the second set. Eventually, when the</p><p>correct scrambler orientations had been found, one of the circuits</p><p>would be completed and the bulb would be illuminated. If the</p><p>scramblers changed orientation every second, it would take just �ve</p><p>hours to check all the orientations.</p><p>Only two problems remained. First, it could be that the three</p><p>machines are running with the wrong scrambler arrangement,</p><p>because the Enigma machine operates with any three of the �ve</p><p>available scramblers, placed in any order, giving sixty possible</p><p>arrangements. Hence, if all 17,576 orientations have been checked,</p><p>and the lamp has not been illuminated, it is then necessary to try</p><p>another of the sixty scrambler arrangements, and to keep on trying</p><p>other arrangements until the circuit is completed. Alternatively, the</p><p>cryptanalyst could have sixty sets of three Enigmas running in</p><p>parallel.</p><p>The second problem involved �nding the plugboard cablings,</p><p>once the scrambler arrangement and orientations had been</p><p>established. This is relatively simple. Using an Enigma machine with</p><p>the correct scrambler arrangement and orientations, the</p><p>cryptanalyst types in the ciphertext and looks at the emerging</p><p>plaintext. If the result is tewwer rather than wetter, then it is clear</p><p>that plugboard cables should be inserted so as to swap w and t.</p><p>Typing in other bits of ciphertext would reveal other plugboard</p><p>cablings.</p><p>The combination of crib, loops and electrically connected</p><p>machines resulted in a remarkable piece of cryptanalysis, and only</p><p>Turing, with his unique background in mathematical machines,</p><p>could ever have come up with it. His musings on the imaginary</p><p>Turing machines were intended to answer esoteric questions about</p><p>mathematical undecidability, but this purely academic research had</p><p>put him in the right frame of mind for designing a practical machine</p><p>capable of solving very real problems.</p><p>Bletchley was able to �nd £100,000 to turn Turing’s idea into</p><p>working devices, which were dubbed bombes because their</p><p>mechanical approach bore a passing resemblance to Rejewski’s</p><p>bombe. Each of Turing’s bombes was to consist of twelve sets of</p><p>electrically linked Enigma scramblers, and would thus be able to</p><p>cope with much longer loops of letters. The complete unit would be</p><p>about two meters tall, two meters long and a meter wide. Turing</p><p>�nalized the design at the beginning of 1940, and the job of</p><p>construction was given to the British Tabulating Machinery factory</p><p>at Letchworth.</p><p>Figure 49 The loop in the crib can be paralleled by an electrical loop. Three Enigma</p><p>machines are set up in identical ways, except that the second one has its �rst scrambler</p><p>moved forward one place (setting S + 1), and the third has its scrambler moved forward</p><p>two further places (setting S + 3). The output of each Enigma is then connected to the</p><p>input of the next one. The three sets of scramblers then click around in unison until the</p><p>circuit is complete and the light illuminates. At this point the correct setting has been</p><p>found. In the diagram above, the circuit is complete, corresponding to the correct setting.</p><p>While waiting for the bombes to be delivered, Turing continued</p><p>his day-to-day work at Bletchley. News of his breakthrough soon</p><p>spread among the other senior cryptanalysts, who recognized that</p><p>he was a singularly gifted codebreaker. According to Peter Hilton, a</p><p>fellow Bletchley codebreaker, “Alan Turing was obviously a genius,</p><p>but he was an approachable, friendly genius. He was always willing</p><p>to take time and trouble to explain his ideas; but he was no narrow</p><p>specialist, so that his versatile thought ranged over a vast area of the</p><p>exact sciences.”</p><p>However, everything at the Government Code and Cypher School</p><p>was top secret, so nobody outside of Bletchley Park was aware of</p><p>Turing’s remarkable achievement. For example, his parents had</p><p>absolutely no idea that Alan was even a codebreaker, let alone</p><p>Britain’s foremost cryptanalyst. He had once told his mother that he</p><p>was involved in some form of military research, but he did not</p><p>elaborate. She was merely disappointed that this had not resulted in</p><p>a more respectable haircut for her scru�y son. Although Bletchley</p><p>was run by the military, they had conceded that they would have to</p><p>tolerate the scru�ness and eccentricities of these “professor types.”</p><p>Turing rarely bothered to shave, his nails were stu�ed with dirt, and</p><p>his clothes were a mass of creases. Whether the military would also</p><p>have tolerated his homosexuality remains unknown. Jack Good, a</p><p>veteran of Bletchley, commented: “Fortunately the authorities did</p><p>not know that Turing was a homosexual. Otherwise we might have</p><p>lost the war.”</p><p>The �rst prototype bombe, christened Victory, arrived at Bletchley</p><p>on March 14, 1940. The machine was put into operation</p><p>immediately, but the initial results were less than satisfactory. The</p><p>machine turned out to be much slower than expected, taking up to a</p><p>week to �nd a particular key. There was a concerted e�ort to</p><p>increase the bombe’s e�ciency, and a modi�ed design was</p><p>submitted a few weeks later. It would take four more months to</p><p>build the upgraded bombe. In the meantime, the cryptanalysts had</p><p>to cope with the calamity they had anticipated. On May 1, 1940, the</p><p>Germans changed their key exchange protocol. They no longer</p><p>repeated the message key, and thereupon the number of successful</p><p>Enigma decipherments dropped dramatically. The information</p><p>blackout lasted until August 8, when the new bombe arrived.</p><p>Christened Agnus Dei, or Agnes for short, this machine was to ful�ll</p><p>all Turing’s expectations.</p><p>Within eighteen months there were �fteen more bombes in</p><p>operation, exploiting cribs, checking scrambler settings and</p><p>revealing keys, each one clattering like a million knitting needles. If</p><p>everything was going well, a bombe might �nd an Enigma key</p><p>within an hour. Once the plugboard cablings and the scrambler</p><p>settings (the message key) had been established for a particular</p><p>message, it was easy to deduce the day key. All the other messages</p><p>sent that same day could then be deciphered.</p><p>Even though the bombes represented a vital breakthrough in</p><p>cryptanalysis, decipherment had not become a formality. There</p><p>were many hurdles to overcome before the bombes could even</p><p>begin to look for a key. For example, to operate a bombe you �rst</p><p>needed a crib. The senior codebreakers would give cribs to the</p><p>bombe operators, but there was no guarantee that the codebreakers</p><p>had guessed the correct meaning of the ciphertext. And even if they</p><p>did have the right crib, it might be in the wrong place—the</p><p>cryptanalysts might have guessed that an encrypted message</p><p>contained a certain phrase, but associated that phrase with the</p><p>wrong piece of the ciphertext. However, there was a neat trick for</p><p>checking whether a crib was in the correct position.</p><p>In the following crib, the cryptanalyst is con�dent that the</p><p>plaintext is right, but he is not sure if he has matched it with the</p><p>correct letters in the ciphertext.</p><p>One of the features of the Enigma machine was its inability to</p><p>encipher a letter as itself, which was a consequence of the re�ector.</p><p>The letter a could never be enciphered as A, the letter b could never</p><p>be enciphered as B, and so on. The particular crib above must</p><p>therefore be misaligned, because the �rst e in wetter is matched</p><p>with an E in the ciphertext. To �nd the correct alignment, we simply</p><p>slide the plaintext and the ciphertext relative to each other until no</p><p>letter is paired with itself. If we shift the plaintext one place to the</p><p>left, the match still fails because this time the �rst s in sechs is</p><p>matched with S in the ciphertext. However, if we shift the plaintext</p><p>one place to the right there are no illegal encipherments. This crib is</p><p>therefore likely to be in the right place, and could be used as the</p><p>basis for a bombe decipherment:</p><p>The intelligence gathered at Bletchley was</p><p>passed on to only the</p><p>most senior military �gures and selected members of the war</p><p>cabinet. Winston Churchill was fully aware of the importance of the</p><p>Bletchley decipherments, and on September 6, 1941, he visited the</p><p>codebreakers. On meeting some of the cryptanalysts, he was</p><p>surprised by the bizarre mixture of people who were providing him</p><p>with such valuable information; in addition to the mathematicians</p><p>and linguists, there was an authority on porcelain, a curator from</p><p>the Prague Museum, the British chess champion and numerous</p><p>bridge experts. Churchill muttered to Sir Stewart Menzies, head of</p><p>the Secret Intelligence Service, “I told you to leave no stone</p><p>unturned, but I didn’t expect you to take me so literally.” Despite</p><p>the comment, he had a great fondness for the motley crew, calling</p><p>them “the geese who laid golden eggs and never cackled.”</p><p>Figure 50 A bombe in action. (photo credit 4.5)</p><p>The visit was intended to boost the morale of the codebreakers by</p><p>showing them that their work was appreciated at the very highest</p><p>level. It also had the e�ect of giving Turing and his colleagues the</p><p>con�dence to approach Churchill directly when a crisis loomed. To</p><p>make the most of the bombes, Turing needed more sta�, but his</p><p>requests had been blocked by Commander Edward Travis, who had</p><p>taken over as Director of Bletchley, and who felt that he could not</p><p>justify recruiting more people. On October 21, 1941, the</p><p>cryptanalysts took the insubordinate step of ignoring Travis and</p><p>writing directly to Churchill.</p><p>Dear Prime Minister,</p><p>Some weeks ago you paid us the honor of a visit, and we believe that you regard our</p><p>work as important. You will have seen that, thanks largely to the energy and foresight</p><p>of Commander Travis, we have been well supplied with the “bombes” for the</p><p>breaking of the German Enigma codes. We think, however, that you ought to know</p><p>that this work is being held up, and in some cases is not being done at all, principally</p><p>because we cannot get su�cient sta� to deal with it. Our reason for writing to you</p><p>direct is that for months we have done everything that we possibly can through the</p><p>normal channels, and that we despair of any early improvement without your</p><p>intervention …</p><p>We are, Sir, Your obedient servants,</p><p>A.M. Turing</p><p>W.G. Welchman</p><p>C.H.O’D. Alexander</p><p>P.S. Milner-Barry</p><p>Churchill had no hesitation in responding. He immediately issued a</p><p>memorandum to his principal sta� o�cer:</p><p>ACTION THIS DAY</p><p>Make sure they have all they want on extreme priority and report to me that this has</p><p>been done.</p><p>Figure 51 The Daily Telegraph crossword used as a test to recruit new codebreakers (the</p><p>solution is in Appendix H). (photo credit 4.6)</p><p>Henceforth there were to be no more barriers to recruitment or</p><p>materials. By the end of 1942 there were 49 bombes, and a new</p><p>bombe station was opened at Gayhurst Manor, just north of</p><p>Bletchley. As part of the recruitment drive, the Government Code</p><p>and Cypher School placed a letter in the Daily Telegraph. They issued</p><p>an anonymous challenge to its readers, asking if anybody could</p><p>solve the newspaper’s crossword (Figure 51) in under 12 minutes. It</p><p>was felt that crossword experts might also be good codebreakers,</p><p>complementing the scienti�c minds that were already at Bletchley—</p><p>but of course, none of this was mentioned in the newspaper. The 25</p><p>readers who replied were invited to Fleet Street to take a crossword</p><p>test. Five of them completed the crossword within the allotted time,</p><p>and another had only one word missing when the 12 minutes had</p><p>expired. A few weeks later, all six were interviewed by military</p><p>intelligence and recruited as codebreakers at Bletchley Park.</p><p>Kidnapping Codebooks</p><p>So far in this chapter, the Enigma tra�c has been treated as one</p><p>giant communications system, but in fact there were several distinct</p><p>networks. The German Army in North Africa, for instance, had its</p><p>own separate network, and their Enigma operators had codebooks</p><p>that were di�erent from those used in Europe. Hence, if Bletchley</p><p>succeeded in identifying the North African day key, it would be able</p><p>to decipher all the German messages sent from North Africa that</p><p>day, but the North African day key would be of no use in cracking</p><p>the messages being transmitted in Europe. Similarly, the Luftwa�e</p><p>had its own communications network, and so in order to decipher</p><p>all Luftwa�e tra�c, Bletchley would have to unravel the Luftwa�e</p><p>day key.</p><p>Some networks were harder to break into than others. The</p><p>Kriegsmarine network was the hardest of all, because the German</p><p>Navy operated a more sophisticated version of the Enigma machine.</p><p>For example, the Naval Enigma operators had a choice of eight</p><p>scramblers, not just �ve, which meant that there were almost six</p><p>times as many scrambler arrangements, and therefore almost six</p><p>times as many keys for Bletchley to check. The other di�erence in</p><p>the Naval Enigma concerned the re�ector, which was responsible</p><p>for sending the electrical signal back through the scramblers. In the</p><p>standard Enigma the re�ector was always �xed in one particular</p><p>orientation, but in the Naval Enigma the re�ector could be �xed in</p><p>any one of 26 orientations. Hence the number of possible keys was</p><p>further increased by a factor of 26.</p><p>Cryptanalysis of the Naval Enigma was made even harder by the</p><p>Naval operators, who were careful not to send stereotypical</p><p>messages, thus depriving Bletchley of cribs. Furthermore, the</p><p>Kriegsmarine also instituted a more secure system for selecting and</p><p>transmitting message keys. Extra scramblers, a variable re�ector,</p><p>nonstereotypical messages and a new system for exchanging</p><p>message keys all contributed to making German Naval</p><p>communications impenetrable.</p><p>Bletchley’s failure to crack the Naval Enigma meant that the</p><p>Kriegsmarine were steadily gaining the upper hand in the Battle of</p><p>the Atlantic. Admiral Karl Dönitz had developed a highly e�ective</p><p>two-stage strategy for naval warfare, which began with his U-boats</p><p>spreading out and scouring the Atlantic in search of Allied convoys.</p><p>As soon as one of them spotted a target, it would initiate the next</p><p>stage of the strategy by calling the other U-boats to the scene. The</p><p>attack would commence only when a large pack of U-boats had</p><p>been assembled. For this strategy of coordinated attack to succeed,</p><p>it was essential that the Kriegsmarine had access to secure</p><p>communication. The Naval Enigma provided such communication,</p><p>and the U-boat attacks had a devastating impact on the Allied</p><p>shipping that was supplying Britain with much-needed food and</p><p>armaments.</p><p>As long as U-boat communications remained secure, the Allies</p><p>had no idea of the locations of the U-boats, and could not plan safe</p><p>routes for the convoys. It seemed as if the Admiralty’s only strategy</p><p>for pinpointing the location of U-boats was by looking at the sites of</p><p>sunken British ships. Between June 1940 and June 1941 the Allies</p><p>lost an average of 50 ships each month, and they were in danger of</p><p>not being able to build new ships quickly enough to replace them.</p><p>Besides the intolerable destruction of ships, there was also a terrible</p><p>human cost-50,000 Allied seamen died during the war. Unless these</p><p>losses could be drastically reduced, Britain was in danger of losing</p><p>the Battle of the Atlantic, which would have meant losing the war.</p><p>Churchill would later write, “Amid the torrent of violent events one</p><p>anxiety reigned supreme. Battles might be won or lost, enterprises</p><p>might succeed or miscarry, territories might be gained or quitted,</p><p>but dominating all our power to carry on war, or even keep</p><p>ourselves alive, lay our mastery of the ocean routes and the free</p><p>approach and entry to our ports.”</p><p>The Polish experience and the case of Hans-Thilo Schmidt had</p><p>taught Bletchley Park that if intellectual endeavor fails to break a</p><p>cipher, then it is necessary to rely on espionage, in�ltration and</p><p>theft in order to obtain the enemy keys. Occasionally, Bletchley</p><p>would make a breakthrough against the Naval Enigma, thanks to a</p><p>clever ploy by the RAF. British planes would lay mines in a</p><p>particular location,</p><p>provoking German vessels to send out warnings</p><p>to other craft. These Enigma encrypted warnings would inevitably</p><p>contain a map reference, but crucially this map reference would</p><p>already be known by the British, so it could be used as a crib. In</p><p>other words, Bletchley knew that a particular piece of ciphertext</p><p>represented a particular set of coordinates. Sowing mines to obtain</p><p>cribs, known as “gardening,” required the RAF to �y special</p><p>missions, so this could not be done on a regular basis. Bletchley had</p><p>to �nd another way of breaking the Naval Enigma.</p><p>An alternative strategy for cracking the Naval Enigma depended</p><p>on stealing keys. One of the most intrepid plans for stealing keys</p><p>was concocted by Ian Fleming, creator of James Bond and a member</p><p>of Naval Intelligence during the war. He suggested crashing a</p><p>captured German bomber in the English Channel, close to a German</p><p>ship. The German sailors would then approach the plane to rescue</p><p>their comrades, whereupon the aircrew, British pilots pretending to</p><p>be German, would board the ship and capture its codebooks. These</p><p>German codebooks contained the information that was required for</p><p>establishing the encryption key, and because ships were often away</p><p>from base for long periods, the codebooks would be valid for at least</p><p>a month. By capturing such codebooks, Bletchley would be able to</p><p>decipher the Naval Enigma for an entire month.</p><p>After approving Fleming’s plan, known as Operation Ruthless,</p><p>British Intelligence began preparing a Heinkel bomber for the crash</p><p>landing, and assembled an aircrew of German-speaking Englishmen.</p><p>The plan was scheduled for a date early in the month, so as to</p><p>capture a fresh codebook. Fleming went to Dover to oversee the</p><p>operation, but unfortunately there was no German shipping in the</p><p>area so the plan was postponed inde�nitely. Four days later, Frank</p><p>Birch, who headed the Naval section at Bletchley, recorded the</p><p>reaction of Turing and his colleague Peter Twinn: “Turing and</p><p>Twinn came to me like undertakers cheated of a nice corpse two</p><p>days ago, all in a stew about the cancelation of Operation Ruthless.”</p><p>In due course Operation Ruthless was canceled, but German Naval</p><p>codebooks were eventually captured during a spate of daring raids</p><p>on weather ships and U-boats. These so-called “pinches” gave</p><p>Bletchley the documents it needed to bring an end to the</p><p>intelligence blackout. With the Naval Enigma transparent, Bletchley</p><p>could pinpoint the location of U-boats, and the Battle of the Atlantic</p><p>began to swing in favor of the Allies. Convoys could be steered clear</p><p>of U-boats, and British destroyers could even begin to go on the</p><p>o�ensive, seeking out and sinking U-boats.</p><p>It was vital that the German High Command never suspected that</p><p>the Allies had pinched Enigma codebooks. If the Germans found that</p><p>their security had been compromised, they would upgrade their</p><p>Enigma machines, and Bletchley would be back to square one. As</p><p>with the Zimmermann telegram episode, the British took various</p><p>precautions to avoid arousing suspicion, such as sinking a German</p><p>vessel after pinching its codebooks. This would persuade Admiral</p><p>Dönitz that the cipher material had found its way to the bottom of</p><p>the sea, and not fallen into British hands.</p><p>Once material had been secretly captured, further precautions had</p><p>to be taken before exploiting the resulting intelligence. For example,</p><p>the Enigma decipherments gave the locations of numerous U-boats,</p><p>but it would have been unwise to have attacked every single one of</p><p>them, because a sudden unexplained increase in British success</p><p>would warn Germany that its communications were being</p><p>deciphered. Consequently, the Allies would allow some U-boats to</p><p>escape, and would attack others only when a spotter plane had been</p><p>sent out �rst, thus justifying the approach of a destroyer some hours</p><p>later. Alternatively, the Allies might send fake messages describing</p><p>sightings of U-boats, which likewise provided su�cient explanation</p><p>for the ensuing attack.</p><p>Despite this policy of minimizing telltale signs that Enigma had</p><p>been broken, British actions did sometimes raise concerns among</p><p>Germany’s security experts. On one occasion, Bletchley deciphered</p><p>an Enigma message giving the exact location of a group of German</p><p>tankers and supply ships, nine in total. The Admiralty decided not to</p><p>sink all of the ships in case a clean sweep of targets aroused German</p><p>suspicions. Instead, they informed destroyers of the exact location of</p><p>just seven of the ships, which should have allowed the Gedania and</p><p>the Gonzenheim to escape unharmed. The seven targeted ships were</p><p>indeed sunk, but Royal Navy destroyers accidentally encountered</p><p>the two ships that were supposed to be spared, and also sank them.</p><p>The destroyers did not know about Enigma or the policy of not</p><p>arousing suspicion—they merely believed they were doing their</p><p>duty. Back in Berlin, Admiral Kurt Fricke instigated an investigation</p><p>into this and other similar attacks, exploring the possibility that the</p><p>British had broken Enigma. The report concluded that the numerous</p><p>losses were either the result of natural misfortune, or caused by a</p><p>British spy who had in�ltrated the Kriegsmarine. The breaking of</p><p>Enigma was considered impossible and inconceivable.</p><p>The Anonymous Cryptanalysts</p><p>As well as breaking the German Enigma cipher, Bletchley Park also</p><p>succeeded in deciphering Italian and Japanese messages. The</p><p>intelligence that emerged from these three sources was given the</p><p>codename Ultra, and the Ultra Intelligence �les were responsible for</p><p>giving the Allies a clear advantage in all the major arenas of</p><p>con�ict. In North Africa, Ultra helped to destroy German supply</p><p>lines and informed the Allies of the status of General Rommel’s</p><p>forces, enabling the Eighth Army to �ght back against the German</p><p>advances. Ultra also warned of the German invasion of Greece,</p><p>which allowed British troops to retreat without heavy losses. In fact,</p><p>Ultra provided accurate reports on the enemy’s situation throughout</p><p>the entire Mediterranean. This information was particularly valuable</p><p>when the Allies landed in Italy and Sicily in 1943.</p><p>In 1944, Ultra played a major role in the Allied invasion of</p><p>Europe. For example, in the months prior to D-Day, the Bletchley</p><p>decipherments provided a detailed picture of the German troop</p><p>concentrations along the French coast. Sir Harry Hinsley, o�cial</p><p>historian of British Intelligence during the war, wrote:</p><p>As Ultra accumulated, it administered some unpleasant shocks. In particular, it</p><p>revealed in the second half of May—following earlier disturbing indications that the</p><p>Germans were concluding that the area between Le Havre and Cherbourg was a</p><p>likely, and perhaps even the main, invasion area-that they were sending</p><p>reinforcements to Normandy and the Cherbourg peninsula. But this evidence arrived</p><p>in time to enable the Allies to modify the plans for the landings on and behind the</p><p>Utah beach; and it is a singular fact that before the expedition sailed the Allied</p><p>estimate of the number, identi�cation, and location of the enemy’s divisions in the</p><p>west, �fty-eight in all, was accurate in all but two items that were to be of operational</p><p>importance.</p><p>Throughout the war, the Bletchley codebreakers knew that their</p><p>decipherments were vital, and Churchill’s visit to Bletchley had</p><p>reinforced this point. But the cryptanalysts were never given any</p><p>operational details or told how their decipherments were being</p><p>used. For example, the codebreakers were given no information</p><p>about the date for D-Day, and they arranged a dance for the evening</p><p>before the landings. This worried Commander Travis, the Director of</p><p>Bletchley and the only person on site who was privy to the plans for</p><p>D-Day. He could not tell the Hut 6 Dance Committee to cancel the</p><p>event because this would have been a clear hint that a major</p><p>o�ensive was in the o�ng, and as such a breach of security. The</p><p>dance was allowed to go ahead. As it happened, bad weather</p><p>postponed the landings for twenty-four hours, so the codebreakers</p><p>had time to recover from the frivolities.</p><p>On the day of the landings,</p><p>the French resistance destroyed landlines, forcing the Germans to</p><p>communicate solely by radio, which in turn gave Bletchley the</p><p>opportunity to intercept and decipher even more messages. At the</p><p>turning point of the war, Bletchley was able to provide an even</p><p>more detailed picture of German military operations.</p><p>Stuart Milner-Barry, one of the Hut 6 cryptanalysts, wrote: “I do</p><p>not imagine that any war since classical times, if ever, has been</p><p>fought in which one side read consistently the main military and</p><p>naval intelligence of the other.” An American report came to a</p><p>similar conclusion: “Ultra created in senior sta�s and at the political</p><p>summit a state of mind which transformed the taking of decisions.</p><p>To feel that you know your enemy is a vastly comforting feeling. It</p><p>grows imperceptibly over time if you regularly and intimately</p><p>observe his thoughts and ways and habits and actions. Knowledge of</p><p>this kind makes your own planning less tentative and more assured,</p><p>less harrowing and more buoyant.”</p><p>It has been argued, albeit controversially, that Bletchley Park’s</p><p>achievements were the decisive factor in the Allied victory. What is</p><p>certain is that the Bletchley codebreakers signi�cantly shortened the</p><p>war. This becomes evident by rerunning the Battle of the Atlantic</p><p>and speculating what might have happened without the bene�t of</p><p>Ultra intelligence. To begin with, more ships and supplies would</p><p>certainly have been lost to the dominant U-boat �eet, which would</p><p>have compromised the vital link to America and forced the Allies to</p><p>divert manpower and resources into the building of new ships.</p><p>Historians have estimated that this would have delayed Allied plans</p><p>by several months, which would have meant postponing the D-Day</p><p>invasion until at least the following year. According to Sir Harry</p><p>Hinsley, “the war, instead of �nishing in 1945, would have ended in</p><p>1948 had the Government Code and Cypher School not been able to</p><p>read the Enigma cyphers and produce the Ultra intelligence.”</p><p>During this period of delay, additional lives would have been lost</p><p>in Europe, and Hitler would have been able to make greater use of</p><p>his V-weapons, in�icting damage throughout southern England. The</p><p>historian David Kahn summarizes the impact of breaking Enigma:</p><p>“It saved lives. Not only Allied and Russian lives but, by shortening</p><p>the war, German, Italian, and Japanese lives as well. Some people</p><p>alive after World War II might not have been but for these solutions.</p><p>That is the debt that the world owes to the codebreakers; that is the</p><p>crowning human value of their triumphs.”</p><p>After the war, Bletchley’s accomplishments remained a closely</p><p>guarded secret. Having successfully deciphered messages during the</p><p>war, Britain wanted to continue its intelligence operations, and was</p><p>reluctant to divulge its capabilities. In fact, Britain had captured</p><p>thousands of Enigma machines, and distributed them among its</p><p>former colonies, who believed that the cipher was as secure as it</p><p>had seemed to the Germans. The British did nothing to disabuse</p><p>them of this belief, and routinely deciphered their secret</p><p>communications in the years that followed.</p><p>Meanwhile, the Government Code and Cypher School at Bletchley</p><p>Park was closed and the thousands of men and women who had</p><p>contributed to the creation of Ultra were disbanded. The bombes</p><p>were dismantled, and every scrap of paper that related to the</p><p>wartime decipherments was either locked away or burned. Britain’s</p><p>codebreaking activities were o�cially transferred to the newly</p><p>formed Government Communications Headquarters (GCHQ) in</p><p>London, which was moved to Cheltenham in 1952. Although some</p><p>of the cryptanalysts moved to GCHQ, most of them returned to their</p><p>civilian lives, sworn to secrecy, unable to reveal their pivotal role in</p><p>the Allied war e�ort. While those who had fought conventional</p><p>battles could talk of their heroic achievements, those who had</p><p>fought intellectual battles of no less signi�cance had to endure the</p><p>embarrassment of having to evade questions about their wartime</p><p>activities. Gordon Welchman recounted how one of the young</p><p>cryptanalysts working with him in Hut 6 had received a scathing</p><p>letter from his old headmaster, accusing him of being a disgrace to</p><p>his school for not being at the front. Derek Taunt, who also worked</p><p>in Hut 6, summed up the true contribution of his colleagues: “Our</p><p>happy band may not have been with King Harry on St. Crispin’s</p><p>Day, but we had certainly not been abed and have no reason to</p><p>think ourselves accurs’t for having been where we were.”</p><p>After three decades of silence, the secrecy over Bletchley Park</p><p>eventually came to an end in the early 1970s. Captain F.W.</p><p>Winterbotham, who had been responsible for distributing the Ultra</p><p>intelligence, began to badger the British Government, arguing that</p><p>the Commonwealth countries had stopped using the Enigma cipher</p><p>and that there was now nothing to be gained by concealing the fact</p><p>that Britain had broken it. The intelligence services reluctantly</p><p>agreed, and permitted him to write a book about the work done at</p><p>Bletchley Park. Published in the summer of 1974, Winterbotham’s</p><p>book The Ultra Secret was the signal that Bletchley personnel were at</p><p>last free to discuss their wartime activities. Gordon Welchman felt</p><p>enormous relief: “After the war I still avoided discussions of wartime</p><p>events for fear that I might reveal information obtained from Ultra</p><p>rather than from some published account … I felt that this turn of</p><p>events released me from my wartime pledge of secrecy.”</p><p>Those who had contributed so much to the war e�ort could now</p><p>receive the recognition they deserved. Possibly the most remarkable</p><p>consequence of Winterbotham’s revelations was that Rejewski</p><p>realized the staggering consequences of his prewar breakthroughs</p><p>against Enigma. After the invasion of Poland, Rejewski had escaped</p><p>to France, and when France was overrun he �ed to Britain. It would</p><p>seem natural that he should have become part of the British Enigma</p><p>e�ort, but instead he was relegated to tackling menial ciphers at a</p><p>minor intelligence unit in Boxmoor, near Hemel Hempstead. It is not</p><p>clear why such a brilliant mind was excluded from Bletchley Park,</p><p>but as a result he was completely unaware of the activities of the</p><p>Government Code and Cypher School. Until the publication of</p><p>Winterbotham’s book, Rejewski had no idea that his ideas had</p><p>provided the foundation for the routine decipherment of Enigma</p><p>throughout the war.</p><p>For some, the publication of Winterbotham’s book came too late.</p><p>Many years after the death of Alastair Denniston, Bletchley’s �rst</p><p>director, his daughter received a letter from one of his colleagues:</p><p>“Your father was a great man in whose debt all English-speaking</p><p>people will remain for a very long time, if not forever. That so few</p><p>should know exactly what he did is the sad part.”</p><p>Alan Turing was another cryptanalyst who did not live long</p><p>enough to receive any public recognition. Instead of being</p><p>acclaimed a hero, he was persecuted for his homosexuality. In 1952,</p><p>while reporting a burglary to the police, he naively revealed that he</p><p>was having a homosexual relationship. The police felt they had no</p><p>option but to arrest and charge him with “Gross Indecency contrary</p><p>to Section 11 of the Criminal Law Amendment Act 1885.” The</p><p>newspapers reported the subsequent trial and conviction, and</p><p>Turing was publicly humiliated.</p><p>Turing’s secret had been exposed, and his sexuality was now</p><p>public knowledge. The British Government withdrew his security</p><p>clearance. He was forbidden to work on research projects relating to</p><p>the development of the computer. He was forced to consult a</p><p>psychiatrist and had to undergo hormone treatment, which made</p><p>him impotent and obese. Over the next two years he became</p><p>severely depressed, and on June 7, 1954, he went to his bedroom,</p><p>carrying with him a jar of cyanide solution and an apple. Twenty</p><p>years earlier he had chanted the rhyme of the Wicked Witch: “Dip</p><p>the apple in the brew, Let the sleeping death seep through.” Now he</p><p>was ready</p><p>to obey her incantation. He dipped the apple in the</p><p>cyanide and took several bites. At the age of just forty-two, one of</p><p>the true geniuses of cryptanalysis committed suicide.</p><p>5 The Language Barrier</p><p>While British codebreakers were breaking the German Enigma</p><p>cipher and altering the course of the war in Europe, American</p><p>codebreakers were having an equally important in�uence on events</p><p>in the Paci�c arena by cracking the Japanese machine cipher known</p><p>as Purple. For example, in June 1942 the Americans deciphered a</p><p>message outlining a Japanese plan to draw U.S. Naval forces to the</p><p>Aleutian Islands by faking an attack, which would allow the</p><p>Japanese Navy to take their real objective, Midway Island. Although</p><p>American ships played along with the plan by leaving Midway, they</p><p>never strayed far away. When American cryptanalysts intercepted</p><p>and deciphered the Japanese order to attack Midway, the ships were</p><p>able to return swiftly and defend the island in one of the most</p><p>important battles of the entire Paci�c war. According to Admiral</p><p>Chester Nimitz, the American victory at Midway “was essentially a</p><p>victory of intelligence. In attempting surprise, the Japanese were</p><p>themselves surprised.”</p><p>Almost a year later, American cryptanalysts identi�ed a message</p><p>that showed the itinerary for a visit to the northern Solomon Islands</p><p>by Admiral Isoruko Yamamoto, Commander-in-Chief of the</p><p>Japanese Fleet. Nimitz decided to send �ghter aircraft to intercept</p><p>Yamamoto’s plane and shoot him down. Yamamoto, renowned for</p><p>being compulsively punctual, approached his destination at exactly</p><p>8:00 A.M., just as stated in the intercepted schedule. There to meet</p><p>him were eighteen American P-38 �ghters. They succeeded in</p><p>killing one of the most in�uential �gures of the Japanese High</p><p>Command.</p><p>Although Purple and Enigma, the Japanese and German ciphers,</p><p>were eventually broken, they did o�er some security when they</p><p>were initially implemented and provided real challenges for</p><p>American and British cryptanalysts. In fact, had the cipher machines</p><p>been used properly—without repeated message keys, without cillies,</p><p>without restrictions on plugboard settings and scrambler</p><p>arrangements, and without stereotypical messages which resulted in</p><p>cribs—it is quite possible that they might never have been broken at</p><p>all.</p><p>The true strength and potential of machine ciphers was</p><p>demonstrated by the Typex (or Type X) cipher machine used by the</p><p>British army and air force, and the SIGABA (or M-143-C) cipher</p><p>machine used by the American military. Both these machines were</p><p>more complex than the Enigma machine and both were used</p><p>properly, and therefore they remained unbroken throughout the</p><p>war. Allied cryptographers were con�dent that complicated</p><p>electromechanical machine ciphers could guarantee secure</p><p>communication. However, complicated machine ciphers are not the</p><p>only way of sending secure messages. Indeed, one of the most secure</p><p>forms of encryption used in the Second World War was also one of</p><p>the simplest.</p><p>During the Paci�c campaign, American commanders began to</p><p>realize that cipher machines, such as SIGABA, had a fundamental</p><p>drawback. Although electromechanical encryption o�ered relatively</p><p>high levels of security, it was painfully slow. Messages had to be</p><p>typed into the machine letter by letter, the output had to be noted</p><p>down letter by letter, and then the completed ciphertext had to be</p><p>transmitted by the radio operator. The radio operator who received</p><p>the enciphered message then had to pass it on to a cipher expert,</p><p>who would carefully select the correct key, and type the ciphertext</p><p>into a cipher machine, to decipher it letter by letter. The time and</p><p>space required for this delicate operation is available at</p><p>headquarters or onboard a ship, but machine encryption was not</p><p>ideally suited to more hostile and intense environments, such as the</p><p>islands of the Paci�c. One war correspondent described the</p><p>di�culties of communication during the heat of jungle battle:</p><p>“When the �ghting became con�ned to a small area, everything had</p><p>to move on a split-second schedule. There was not time for</p><p>enciphering and deciphering. At such times, the King’s English</p><p>became a last resort—the profaner the better.” Unfortunately for the</p><p>Americans, many Japanese soldiers had attended American colleges</p><p>and were �uent in English, including the profanities. Valuable</p><p>information about American strategy and tactics was falling into the</p><p>hands of the enemy.</p><p>One of the �rst to react to this problem was Philip Johnston, an</p><p>engineer based in Los Angeles, who was too old to �ght but still</p><p>wanted to contribute to the war e�ort. At the beginning of 1942 he</p><p>began to formulate an encryption system inspired by his childhood</p><p>experiences. The son of a Protestant missionary, Johnston had</p><p>grown up on the Navajo reservations of Arizona, and as a result he</p><p>had become fully immersed in Navajo culture. He was one of the</p><p>few people outside the tribe who could speak their language</p><p>�uently, which allowed him to act as an interpreter for discussions</p><p>between the Navajo and government agents. His work in this</p><p>capacity culminated in a visit to the White House, when, as a nine-</p><p>year-old, Johnston translated for two Navajos who were appealing</p><p>to President Theodore Roosevelt for fairer treatment for their</p><p>community. Fully aware of how impenetrable the language was for</p><p>those outside the tribe, Johnston was struck by the notion that</p><p>Navajo, or any other Native American language, could act as a</p><p>virtually unbreakable code. If each battalion in the Paci�c employed</p><p>a pair of Native Americans as radio operators, secure</p><p>communication could be guaranteed.</p><p>He took his idea to Lieutenant Colonel James E. Jones, the area</p><p>signal o�cer at Camp Elliott, just outside San Diego. Merely by</p><p>throwing a few Navajo phrases at the bewildered o�cer, Johnston</p><p>was able to persuade him that the idea was worthy of serious</p><p>consideration. A fortnight later he returned with two Navajos, ready</p><p>to conduct a test demonstration in front of senior marine o�cers.</p><p>The Navajos were isolated from each other, and one was given six</p><p>typical messages in English, which he translated into Navajo and</p><p>transmitted to his colleague via a radio. The Navajo receiver</p><p>translated the messages back into English, wrote them down, and</p><p>handed them over to the o�cers, who compared them with the</p><p>originals. The game of Navajo whispers proved to be �awless, and</p><p>the marine o�cers authorized a pilot project and ordered</p><p>recruitment to begin immediately.</p><p>Before recruiting anybody, however, Lieutenant Colonel Jones</p><p>and Philip Johnston had to decide whether to conduct the pilot</p><p>study with the Navajo, or select another tribe. Johnston had used</p><p>Navajo men for his original demonstration because he had personal</p><p>connections with the tribe, but this did not necessarily make them</p><p>the ideal choice. The most important selection criterion was simply</p><p>a question of numbers: the marines needed to �nd a tribe capable of</p><p>supplying a large number of men who were �uent in English and</p><p>literate. The lack of government investment meant that the literacy</p><p>rate was very low on most of the reservations, and attention was</p><p>therefore focused on the four largest tribes: the Navajo, the Sioux,</p><p>the Chippewa and the Pima-Papago.</p><p>The Navajo was the largest tribe, but also the least literate, while</p><p>the Pima-Papago was the most literate but much fewer in number.</p><p>There was little to choose between the four tribes, and ultimately</p><p>the decision rested on another critical factor. According to the</p><p>o�cial report on Johnston’s idea:</p><p>The Navajo is the only tribe in the United States that has not been infested with</p><p>German students during the past twenty years. These Germans, studying the various</p><p>tribal dialects under the guise of art students, anthropologists, etc., have undoubtedly</p><p>attained a good working knowledge of all tribal dialects except Navajo. For this</p><p>reason the Navajo is the only tribe available o�ering complete security for the type of</p><p>work under consideration. It should also be noted that the Navajo tribal dialect</p><p>is</p><p>completely unintelligible to all other tribes and all other people, with the possible</p><p>exception of as many as 28 Americans who have made a study of the dialect. This</p><p>dialect is equivalent to a secret code to the enemy, and admirably suited for rapid,</p><p>secure communication.</p><p>At the time of America’s entry into the Second World War, the</p><p>Navajo were living in harsh conditions and being treated as inferior</p><p>people. Yet their tribal council supported the war e�ort and</p><p>declared their loyalty: “There exists no purer concentration of</p><p>Americanism than among the First Americans.” The Navajos were so</p><p>eager to �ght that some of them lied about their age, or gorged</p><p>themselves on bunches of bananas and swallowed great quantities of</p><p>water in order to reach the minimum weight requirement of 55 kg.</p><p>Similarly, there was no di�culty in �nding suitable candidates to</p><p>serve as Navajo code talkers, as they were to become known. Within</p><p>four months of the bombing of Pearl Harbor, 29 Navajos, some as</p><p>young as �fteen, began an eight-week communications course with</p><p>the Marine Corps.</p><p>Before training could begin, the Marine Corps had to overcome a</p><p>problem that had plagued the only other code to have been based</p><p>on a Native American language. In Northern France during the First</p><p>World War, Captain E.W. Horner of Company D, 141st Infantry,</p><p>ordered that eight men from the Choctaw tribe be employed as</p><p>radio operators. Obviously none of the enemy understood their</p><p>language, so the Choctaw provided secure communications.</p><p>However, this encryption system was fundamentally �awed because</p><p>the Choctaw language had no equivalent for modern military</p><p>jargon. A speci�c technical term in a message might therefore have</p><p>to be translated into a vague Choctaw expression, with the risk that</p><p>this could be misinterpreted by the receiver.</p><p>The same problem would have arisen with the Navajo language,</p><p>but the Marine Corps planned to construct a lexicon of Navajo terms</p><p>to replace otherwise untranslatable English words, thus removing</p><p>any ambiguities. The trainees helped to compile the lexicon, tending</p><p>to choose words describing the natural world to indicate speci�c</p><p>military terms. Thus, the names of birds were used for planes, and</p><p>�sh for ships (Table 11). Commanding o�cers became “war chiefs,”</p><p>platoons were “mud-clans,” forti�cations turned into “cave</p><p>dwellings” and mortars were known as “guns that squat.”</p><p>Even though the complete lexicon contained 274 words, there was</p><p>still the problem of translating less predictable words and the names</p><p>of people and places. The solution was to devise an encoded</p><p>phonetic alphabet for spelling out di�cult words. For example, the</p><p>word “Paci�c” would be spelled out as “pig, ant, cat, ice, fox, ice,</p><p>cat,” which would then be translated into Navajo as bi-sodih, wol-la-</p><p>chee, moasi, tkin, ma-e, tkin, moasi. The complete Navajo alphabet</p><p>is given in Table 12. Within eight weeks, the trainee code talkers</p><p>had learned the entire lexicon and alphabet, thus obviating the need</p><p>for codebooks which might fall into enemy hands. For the Navajos,</p><p>committing everything to memory was trivial because traditionally</p><p>their language had no written script, so they were used to</p><p>memorizing their folk stories and family histories. As William</p><p>McCabe, one of the trainees, said, “In Navajo everything is in the</p><p>memory—songs, prayers, everything. That’s the way we were</p><p>raised.”</p><p>Table 11 Navajo codewords for planes and ships.</p><p>At the end of their training, the Navajos were put to the test.</p><p>Senders translated a series of messages from English into Navajo,</p><p>transmitted them, and then receivers translated the messages back</p><p>into English, using the memorized lexicon and alphabet when</p><p>necessary. The results were word-perfect. To check the strength of</p><p>the system, a recording of the transmissions was given to Navy</p><p>Intelligence, the unit that had cracked Purple, the toughest Japanese</p><p>cipher. After three weeks of intense cryptanalysis, the Naval</p><p>codebreakers were still ba�ed by the messages. They called the</p><p>Navajo language a “weird succession of guttural, nasal, tongue-</p><p>twisting sounds … we couldn’t even transcribe it, much less crack</p><p>it.” The Navajo code was judged a success. Two Navajo soldiers,</p><p>John Benally and Johnny Manuelito, were asked to stay and train</p><p>the next batch of recruits, while the other 27 Navajo code talkers</p><p>were assigned to four regiments and sent to the Paci�c.</p><p>Table 12 The Navajo alphabet code.</p><p>Japanese forces had attacked Pearl Harbor on December 7, 1941,</p><p>and not long after they dominated large parts of the western Paci�c.</p><p>Japanese troops overran the American garrison on Guam on</p><p>December 10, they took Guadalcanal, one of the islands in the</p><p>Solomon chain, on December 13, Hong Kong capitulated on</p><p>December 25, and U.S. troops on the Philippines surrendered on</p><p>January 2, 1942. The Japanese planned to consolidate their control</p><p>of the Paci�c the following summer by building an air�eld on</p><p>Guadalcanal, creating a base for bombers which would enable them</p><p>to destroy Allied supply lines, thus making any Allied counterattack</p><p>almost impossible. Admiral Ernest King, Chief of American Naval</p><p>Operations, urged an attack on the island before the air�eld was</p><p>completed, and on August 7, the 1st Marine Division spearheaded</p><p>an invasion of Guadalcanal. The initial landing parties included the</p><p>�rst group of code talkers to see action.</p><p>Although the Navajos were con�dent that their skills would be a</p><p>blessing to the marines, their �rst attempts generated only</p><p>confusion. Many of the regular signal operators were unaware of</p><p>this new code, and they sent panic messages all over the island,</p><p>stating that the Japanese were broadcasting on American</p><p>frequencies. The colonel in charge immediately halted Navajo</p><p>communications until he could convince himself that the system was</p><p>worth pursuing. One of the code talkers recalled how the Navajo</p><p>code was eventually brought back into service:</p><p>Figure 52 The �rst 29 Navajo code talkers pose for a traditional graduation</p><p>photograph. (photo credit 5.1)</p><p>The colonel had an idea. He said he would keep us on one condition: that I could</p><p>outrace his “white code”—a mechanical ticking cylinder thing. We both sent</p><p>messages, by white cylinder and by my voice. Both of us received answers and the</p><p>race was to see who could decode his answer �rst. I was asked, “How long will it take</p><p>you? Two hours?” “More like two minutes,” I answered. The other guy was still</p><p>decoding when I got the roger on my return message in about four and a half</p><p>minutes. I said, “Colonel, when are you going to give up on that cylinder thing?” He</p><p>didn’t say anything. He just lit up his pipe and walked away.</p><p>The code talkers soon proved their worth on the battle�eld.</p><p>During one episode on the island of Saipan, a battalion of marines</p><p>took over positions previously held by Japanese soldiers, who had</p><p>retreated. Suddenly a salvo exploded nearby. They were under</p><p>friendly �re from fellow Americans who were unaware of their</p><p>advance. The marines radioed back in English explaining their</p><p>position, but the salvos continued because the attacking American</p><p>troops suspected that the messages were from Japanese</p><p>impersonators trying to fool them. It was only when a Navajo</p><p>message was sent that the attackers saw their mistake and halted</p><p>the assault. A Navajo message could never be faked, and could</p><p>always be trusted.</p><p>The reputation of the code talkers soon spread, and by the end of</p><p>1942 there was a request for 83 more men. The Navajo were to</p><p>serve in all six Marine Corps divisions, and were sometimes</p><p>borrowed by other American forces. Their war of words soon turned</p><p>the Navajos into heroes. Other soldiers would o�er to carry their</p><p>radios and ri�es, and they were even given personal bodyguards,</p><p>partly to protect them from their own comrades. On at least three</p><p>occasions code talkers were mistaken for Japanese soldiers and</p><p>captured by fellow Americans. They were released only when</p><p>colleagues from their own battalion vouched for them.</p><p>The impenetrability of the Navajo code was all down</p><p>to carry a list of random letters; S, T, S, F,.… Only by rewinding the strip</p><p>around another scytale of the correct diameter will the message reappear.</p><p>The alternative to transposition is substitution. One of the earliest</p><p>descriptions of encryption by substitution appears in the Kāma-</p><p>Sūtra, a text written in the fourth century A.D. by the Brahmin scholar</p><p>Vātsyāyana, but based on manuscripts dating back to the fourth</p><p>century B.C. The Kāma-Sūtra recommends that women should study</p><p>64 arts, such as cooking, dressing, massage and the preparation of</p><p>perfumes. The list also includes some less obvious arts, namely</p><p>conjuring, chess, bookbinding and carpentry. Number 45 on the list</p><p>is mlecchita-vikalpā, the art of secret writing, advocated in order to</p><p>help women conceal the details of their liaisons. One of the</p><p>recommended techniques is to pair letters of the alphabet at</p><p>random, and then substitute each letter in the original message with</p><p>its partner. If we apply the principle to the Roman alphabet, we</p><p>could pair letters as follows:</p><p>Then, instead of meet at midnight, the sender would write CUUZ VZ</p><p>CGXSGIBZ. This form of secret writing is called a substitution cipher</p><p>because each letter in the plaintext is substituted for a di�erent</p><p>letter, thus acting in a complementary way to the transposition</p><p>cipher. In transposition each letter retains its identity but changes</p><p>its position, whereas in substitution each letter changes its identity</p><p>but retains its position.</p><p>The �rst documented use of a substitution cipher for military</p><p>purposes appears in Julius Caesar’s Gallic Wars. Caesar describes</p><p>how he sent a message to Cicero, who was besieged and on the</p><p>verge of surrendering. The substitution replaced Roman letters with</p><p>Greek letters, rendering the message unintelligible to the enemy.</p><p>Caesar described the dramatic delivery of the message:</p><p>The messenger was instructed, if he could not approach, to hurl a spear, with the</p><p>letter fastened to the thong, inside the entrenchment of the camp. Fearing danger, the</p><p>Gaul discharged the spear, as he had been instructed. By chance it stuck fast in the</p><p>tower, and for two days was not sighted by our troops; on the third day it was sighted</p><p>by a soldier, taken down, and delivered to Cicero. He read it through and then recited</p><p>it at a parade of the troops, bringing the greatest rejoicing to all.</p><p>Caesar used secret writing so frequently that Valerius Probus wrote</p><p>an entire treatise on his ciphers, which unfortunately has not</p><p>survived. However, thanks to Suetonius’ Lives of the Caesars LVI,</p><p>written in the second century A.D., we do have a detailed description</p><p>of one of the types of substitution cipher used by Julius Caesar. He</p><p>simply replaced each letter in the message with the letter that is</p><p>three places further down the alphabet. Cryptographers often think</p><p>in terms of the plain alphabet, the alphabet used to write the original</p><p>message, and the cipher alphabet, the letters that are substituted in</p><p>place of the plain letters. When the plain alphabet is placed above</p><p>the cipher alphabet, as shown in Figure 3, it is clear that the cipher</p><p>alphabet has been shifted by three places, and hence this form of</p><p>substitution is often called the Caesar shift cipher, or simply the</p><p>Caesar cipher. A cipher is the name given to any form of</p><p>cryptographic substitution in which each letter is replaced by</p><p>another letter or symbol.</p><p>Figure 3 The Caesar cipher applied to a short message. The Caesar cipher is based on</p><p>a cipher alphabet that is shifted a certain number of places (in this case three),</p><p>relative to the plain alphabet. The convention in cryptography is to write the plain</p><p>alphabet in lower-case letters, and the cipher alphabet in capitals. Similarly, the</p><p>original message, the plaintext, is written in lower case, and the encrypted message,</p><p>the ciphertext, is written in capitals.</p><p>Although Suetonius mentions only a Caesar shift of three places, it</p><p>is clear that by using any shift between 1 and 25 places it is possible</p><p>to generate 25 distinct ciphers. In fact, if we do not restrict</p><p>ourselves to shifting the alphabet and permit the cipher alphabet to</p><p>be any rearrangement of the plain alphabet, then we can generate</p><p>an even greater number of distinct ciphers. There are over</p><p>400,000,000,000,000,000,000,000,000 such rearrangements, and</p><p>therefore the same number of distinct ciphers.</p><p>Each distinct cipher can be considered in terms of a general</p><p>encrypting method, known as the algorithm, and a key, which</p><p>speci�es the exact details of a particular encryption. In this case, the</p><p>algorithm involves substituting each letter in the plain alphabet</p><p>with a letter from a cipher alphabet, and the cipher alphabet is</p><p>allowed to consist of any rearrangement of the plain alphabet. The</p><p>key de�nes the exact cipher alphabet to be used for a particular</p><p>encryption. The relationship between the algorithm and the key is</p><p>illustrated in Figure 4.</p><p>An enemy studying an intercepted scrambled message may have a</p><p>strong suspicion of the algorithm, but would not know the exact</p><p>key. For example, they may well suspect that each letter in the</p><p>plaintext has been replaced by a di�erent letter according to a</p><p>particular cipher alphabet, but they are unlikely to know which</p><p>cipher alphabet has been used. If the cipher alphabet, the key, is</p><p>kept a closely guarded secret between the sender and the receiver,</p><p>then the enemy cannot decipher the intercepted message. The</p><p>signi�cance of the key, as opposed to the algorithm, is an enduring</p><p>principle of cryptography. It was de�nitively stated in 1883 by the</p><p>Dutch linguist Auguste Kerckho�s von Nieuwenhof in his book La</p><p>Cryptographie militaire: “Kerckho�s’ Principle: The security of a</p><p>cryptosystem must not depend on keeping secret the crypto-</p><p>algorithm. The security depends only on keeping secret the key.”</p><p>Figure 4 To encrypt a plaintext message, the sender passes it through an encryption</p><p>algorithm. The algorithm is a general system for encryption, and needs to be</p><p>speci�ed exactly by selecting a key. Applying the key and algorithm together to a</p><p>plaintext generates the encrypted message, or ciphertext. The ciphertext may be</p><p>intercepted by an enemy while it is being transmitted to the receiver, but the enemy</p><p>should not be able to decipher the message. However, the receiver, who knows both</p><p>the key and the algorithm used by the sender, is able to turn the ciphertext back into</p><p>the plaintext message.</p><p>In addition to keeping the key secret, a secure cipher system must</p><p>also have a wide range of potential keys. For example, if the sender</p><p>uses the Caesar shift cipher to encrypt a message, then encryption is</p><p>relatively weak because there are only 25 potential keys. From the</p><p>enemy’s point of view, if they intercept the message and suspect</p><p>that the algorithm being used is the Caesar shift, then they merely</p><p>have to check the 25 possibilities. However, if the sender uses the</p><p>more general substitution algorithm, which permits the cipher</p><p>alphabet to be any rearrangement of the plain alphabet, then there</p><p>are 400,000,000,000,000,000,000,000,000 possible keys from</p><p>which to choose. One such is shown in Figure 5. From the enemy’s</p><p>point of view, if the message is intercepted and the algorithm is</p><p>known, there is still the horrendous task of checking all possible</p><p>keys. If an enemy agent were able to check one of the</p><p>400,000,000,000,000,000,000,000,000 possible keys every second,</p><p>it would take roughly a billion times the lifetime of the universe to</p><p>check all of them and decipher the message.</p><p>Figure 5 An example of the general substitution algorithm, in which each letter in</p><p>the plaintext is substituted with another letter according to a key. The key is de�ned</p><p>by the cipher alphabet, which can be any rearrangement of the plain alphabet.</p><p>The beauty of this type of cipher is that it is easy to implement,</p><p>but provides a high level of security. It is easy for the sender to</p><p>de�ne the key, which consists merely of stating the order of the 26</p><p>letters in the rearranged cipher alphabet, and yet it is e�ectively</p><p>to the fact</p><p>that Navajo belongs to the Na-Dene family of languages, which has</p><p>no link with any Asian or European language. For example, a</p><p>Navajo verb is conjugated not solely according to its subject, but</p><p>also according to its object. The verb ending depends on which</p><p>category the object belongs to: long (e.g., pipe, pencil), slender and</p><p>�exible (e.g., snake, thong), granular (e.g., sugar, salt), bundled</p><p>(e.g., hay), viscous (e.g., mud, feces) and many others. The verb will</p><p>also incorporate adverbs, and will re�ect whether or not the speaker</p><p>has experienced what he or she is talking about, or whether it is</p><p>hearsay. Consequently, a single verb can be equivalent to a whole</p><p>sentence, making it virtually impossible for foreigners to disentangle</p><p>its meaning.</p><p>Despite its strengths, the Navajo code still su�ered from two</p><p>signi�cant �aws. First, words that were neither in the natural</p><p>Navajo vocabulary nor in the list of 274 authorized codewords had</p><p>to be spelled out using the special alphabet. This was time-</p><p>consuming, so it was decided to add another 234 common terms to</p><p>the lexicon. For example, nations were given Navajo nicknames:</p><p>“Rolled Hat” for Australia, “Bounded by Water” for Britain, “Braided</p><p>Hair” for China, “Iron Hat” for Germany, “Floating Land” for the</p><p>Philippines, and “Sheep Pain” for Spain.</p><p>The second problem concerned those words that would still have</p><p>to be spelled out. If it became clear to the Japanese that words were</p><p>being spelled out, they would realize that they could use frequency</p><p>analysis to identify which Navajo words represented which letters. It</p><p>would soon become obvious that the most commonly used word was</p><p>dzeh, which means “elk” and which represents e, the most</p><p>commonly used letter of the English alphabet. Just spelling out the</p><p>name of the island Guadalcanal and repeating the word wol-la-chee</p><p>(ant) four times would be a big clue as to what word represented</p><p>the letter a. The solution was to add more words to act as extra</p><p>substitutes (homophones) for the commonly used letters. Two extra</p><p>words were introduced as alternatives for each of the six commonest</p><p>letters (e, t, a, o, i, n), and one extra word for the six next</p><p>commonest letters (s, h, r, d, l, u). The letter a, for example, could</p><p>now also be substituted by the words be-la-sana (apple) or tse-nihl</p><p>(axe). Thereafter, Guadalcanal could be spelled with only one</p><p>repetition: klizzie, shi-da, wol-la-chee, lha-cha-eh, be-la-sana, dibeh-</p><p>yazzie, moasi, tse-nihl, nesh-chee, tse-nihl, ah-jad (goat, uncle, ant,</p><p>dog, apple, lamb, cat, axe, nut, axe, leg).</p><p>As the war in the Paci�c intensi�ed, and as the Americans</p><p>advanced from the Solomon Islands to Okinawa, the Navajo code</p><p>talkers played an increasingly vital role. During the �rst days of the</p><p>attack on Iwo Jima, more than eight hundred Navajo messages were</p><p>sent, all without error. According to Major General Howard Conner,</p><p>“without the Navajos, the marines would never have taken Iwo</p><p>Jima.” The contribution of the Navajo code talkers is all the more</p><p>remarkable when you consider that, in order to ful�ll their duties,</p><p>they often had to confront and defy their own deeply held spiritual</p><p>fears. The Navajo believe that the spirits of the dead, chindi, will</p><p>seek revenge on the living unless ceremonial rites are performed on</p><p>the body. The war in the Paci�c was particularly bloody, with</p><p>corpses strewn across the battle�elds, and yet the code talkers</p><p>summoned up the courage to carry on regardless of the chindi that</p><p>haunted them. In Doris Paul’s book The Navajo Code Talkers, one of</p><p>the Navajo recounts an incident which typi�es their bravery,</p><p>dedication and composure:</p><p>Figure 53 Corporal Henry Bake, Jr. (left) and Private First Class George H. Kirk using</p><p>the Navajo code in the dense jungles of Bougainville in 1943.</p><p>If you so much as held up your head six inches you were gone, the �re was so intense.</p><p>And then in the wee hours, with no relief on our side or theirs, there was a dead</p><p>standstill. It must have gotten so that this one Japanese couldn’t take it anymore. He</p><p>got up and yelled and screamed at the top of his voice and dashed over our trench,</p><p>swinging a long samurai sword. I imagine he was shot from 25 to 40 times before he</p><p>fell.</p><p>There was a buddy with me in the trench. But that Japanese had cut him across the</p><p>throat, clear through to the cords on the back of his neck. He was still gasping</p><p>through his windpipe. And the sound of him trying to breathe was horrible. He died,</p><p>of course. When the Jap struck, warm blood spattered all over my hand that was</p><p>holding a microphone. I was calling in code for help. They tell me that in spite of</p><p>what happened, every syllable of my message came through.</p><p>Altogether, there were 420 Navajo code talkers. Although their</p><p>bravery as �ghting men was acknowledged, their special role in</p><p>securing communications was classi�ed information. The</p><p>government forbade them to talk about their work, and their unique</p><p>contribution was not made public. Just like Turing and the</p><p>cryptanalysts at Bletchley Park, the Navajo were ignored for</p><p>decades. Eventually, in 1968, the Navajo code was declassi�ed, and</p><p>the following year the code talkers held their �rst reunion. Then, in</p><p>1982, they were honored when the U.S. Government named August</p><p>14 “National Navajo Code Talkers Day.” However, the greatest</p><p>tribute to the work of the Navajo is the simple fact that their code is</p><p>one of very few throughout history that was never broken.</p><p>Lieutenant General Seizo Arisue, the Japanese chief of intelligence,</p><p>admitted that, although they had broken the American Air Force</p><p>code, they had failed to make any impact on the Navajo code.</p><p>Deciphering Lost Languages and Ancient Scripts</p><p>The success of the Navajo code was based largely on the simple fact</p><p>that the mother tongue of one person is utterly meaningless to</p><p>anybody unacquainted with it. In many ways, the task that</p><p>confronted Japanese cryptanalysts is similar to that which is faced</p><p>by archaeologists attempting to decipher a long-forgotten language,</p><p>perhaps written in an extinct script. If anything, the archaeological</p><p>challenge is much more severe. For example, while the Japanese</p><p>had a continuous stream of Navajo words which they could attempt</p><p>to identify, the information available to the archaeologist can</p><p>sometimes be just a small collection of clay tablets. Furthermore,</p><p>the archaeological codebreaker often has no idea of the context or</p><p>contents of an ancient text, clues which military codebreakers can</p><p>normally rely on to help them crack a cipher.</p><p>Deciphering ancient texts seems an almost hopeless pursuit, yet</p><p>many men and women have devoted themselves to this arduous</p><p>enterprise. Their obsession is driven by the desire to understand the</p><p>writings of our ancestors, allowing us to speak their words and catch</p><p>a glimpse of their thoughts and lives. Perhaps this appetite for</p><p>cracking ancient scripts is best summarized by Maurice Pope, the</p><p>author of The Story of Decipherment: “Decipherments are by far the</p><p>most glamorous achievements of scholarship. There is a touch of</p><p>magic about unknown writing, especially when it comes from the</p><p>remote past, and a corresponding glory is bound to attach itself to</p><p>the person who �rst solves its mystery.”</p><p>The decipherment of ancient scripts is not part of the ongoing</p><p>evolutionary battle between codemakers and codebreakers, because,</p><p>although there are codebreakers in the shape of archaeologists,</p><p>there are no codemakers. That is to say, in most cases of</p><p>archaeological decipherment there was no deliberate attempt by the</p><p>original scribe to hide the meaning of the text. The remainder of this</p><p>chapter, which is a discussion of archaeological decipherments, is</p><p>therefore a slight detour from the book’s main theme. However, the</p><p>principles of archaeological decipherment are essentially the same</p><p>as those of conventional military cryptanalysis. Indeed, many</p><p>military codebreakers have been attracted by the challenge of</p><p>unraveling an ancient script. This is probably because</p><p>archaeological decipherments make a refreshing change</p><p>impossible for the enemy to check all possible keys by the so-called</p><p>brute-force attack. The simplicity of the key is important, because</p><p>the sender and receiver have to share knowledge of the key, and the</p><p>simpler the key, the less the chance of a misunderstanding.</p><p>In fact, an even simpler key is possible if the sender is prepared to</p><p>accept a slight reduction in the number of potential keys. Instead of</p><p>randomly rearranging the plain alphabet to achieve the cipher</p><p>alphabet, the sender chooses a keyword or keyphrase. For example,</p><p>to use JULIUS CAESAR as a keyphrase, begin by removing any</p><p>spaces and repeated letters (JULISCAER), and then use this as the</p><p>beginning of the jumbled cipher alphabet. The remainder of the</p><p>cipher alphabet is merely the remaining letters of the alphabet, in</p><p>their correct order, starting where the keyphrase ends. Hence, the</p><p>cipher alphabet would read as follows.</p><p>The advantage of building a cipher alphabet in this way is that it is</p><p>easy to memorize the keyword or keyphrase, and hence the cipher</p><p>alphabet. This is important, because if the sender has to keep the</p><p>cipher alphabet on a piece of paper, the enemy can capture the</p><p>paper, discover the key, and read any communications that have</p><p>been encrypted with it. However, if the key can be committed to</p><p>memory it is less likely to fall into enemy hands. Clearly the number</p><p>of cipher alphabets generated by keyphrases is smaller than the</p><p>number of cipher alphabets generated without restriction, but the</p><p>number is still immense, and it would be e�ectively impossible for</p><p>the enemy to unscramble a captured message by testing all possible</p><p>keyphrases.</p><p>This simplicity and strength meant that the substitution cipher</p><p>dominated the art of secret writing throughout the �rst millennium</p><p>A.D. Codemakers had evolved a system for guaranteeing secure</p><p>communication, so there was no need for further development-</p><p>without necessity, there was no need for further invention. The onus</p><p>had fallen upon the codebreakers, those who were attempting to</p><p>crack the substitution cipher. Was there any way for an enemy</p><p>interceptor to unravel an encrypted message? Many ancient scholars</p><p>considered that the substitution cipher was unbreakable, thanks to</p><p>the gigantic number of possible keys, and for centuries this seemed</p><p>to be true. However, codebreakers would eventually �nd a shortcut</p><p>to the process of exhaustively searching all keys. Instead of taking</p><p>billions of years to crack a cipher, the shortcut could reveal the</p><p>message in a matter of minutes. The breakthrough occurred in the</p><p>East, and required a brilliant combination of linguistics, statistics</p><p>and religious devotion.</p><p>The Arab Cryptanalysts</p><p>At the age of about forty, Muhammad began regularly visiting an</p><p>isolated cave on Mount Hira just outside Mecca. This was a retreat,</p><p>a place for prayer, meditation and contemplation. It was during a</p><p>period of deep re�ection, around A.D. 610, that he was visited by the</p><p>archangel Gabriel, who proclaimed that Muhammad was to be the</p><p>messenger of God. This was the �rst of a series of revelations which</p><p>continued until Muhammad died some twenty years later. The</p><p>revelations were recorded by various scribes during the Prophet’s</p><p>life, but only as fragments, and it was left to Abū Bakr, the �rst</p><p>caliph of Islam, to gather them together into a single text. The work</p><p>was continued by Umar, the second caliph, and his daughter Hafsa,</p><p>and was eventually completed by Uthmān, the third caliph. Each</p><p>revelation became one of the 114 chapters of the Koran.</p><p>The ruling caliph was responsible for carrying on the work of the</p><p>Prophet, upholding his teachings and spreading his word. Between</p><p>the appointment of Abū Bakr in 632 to the death of the fourth</p><p>caliph, Alī, in 661, Islam spread until half of the known world was</p><p>under Muslim rule. Then in 750, after a century of consolidation,</p><p>the start of the Abbasid caliphate (or dynasty) heralded the golden</p><p>age of Islamic civilization. The arts and sciences �ourished in equal</p><p>measure. Islamic craftsmen bequeathed us magni�cent paintings,</p><p>ornate carvings, and the most elaborate textiles in history, while the</p><p>legacy of Islamic scientists is evident from the number of Arabic</p><p>words that pepper the lexicon of modern science such as algebra,</p><p>alkaline and zenith.</p><p>The richness of Islamic culture was to a large part the result of a</p><p>wealthy and peaceful society. The Abbasid caliphs were less</p><p>interested than their predecessors in conquest, and instead</p><p>concentrated on establishing an organized and a�uent society.</p><p>Lower taxes encouraged businesses to grow and gave rise to greater</p><p>commerce and industry, while strict laws reduced corruption and</p><p>protected the citizens. All of this relied on an e�ective system of</p><p>administration, and in turn the administrators relied on secure</p><p>communication achieved through the use of encryption. As well as</p><p>encrypting sensitive a�airs of state, it is documented that o�cials</p><p>protected tax records, demonstrating a widespread and routine use</p><p>of cryptography. Further evidence comes from many administrative</p><p>manuals, such as the tenth-century Adab al-Kuttāb (“The Secretaries’</p><p>Manual”), which include sections devoted to cryptography.</p><p>The administrators usually employed a cipher alphabet which was</p><p>simply a rearrangement of the plain alphabet, as described earlier,</p><p>but they also used cipher alphabets that contained other types of</p><p>symbols. For example, a in the plain alphabet might be replaced by</p><p># in the cipher alphabet, b might be replaced by +, and so on. The</p><p>monoalphabetic substitution cipher is the general name given to any</p><p>substitution cipher in which the cipher alphabet consists of either</p><p>letters or symbols, or a mix of both. All the substitution ciphers that</p><p>we have met so far come within this general category.</p><p>Had the Arabs merely been familiar with the use of the</p><p>monoalphabetic substitution cipher, they would not warrant a</p><p>signi�cant mention in any history of cryptography. However, in</p><p>addition to employing ciphers, the Arab scholars were also capable</p><p>of destroying ciphers. They in fact invented cryptanalysis, the science</p><p>of unscrambling a message without knowledge of the key. While the</p><p>cryptographer develops new methods of secret writing, it is the</p><p>cryptanalyst who struggles to �nd weaknesses in these methods in</p><p>order to break into secret messages. Arabian cryptanalysts</p><p>succeeded in �nding a method for breaking the monoalphabetic</p><p>substitution cipher, a cipher that had remained invulnerable for</p><p>several centuries.</p><p>Cryptanalysis could not be invented until a civilization had</p><p>reached a su�ciently sophisticated level of scholarship in several</p><p>disciplines, including mathematics, statistics and linguistics. The</p><p>Muslim civilization provided an ideal cradle for cryptanalysis,</p><p>because Islam demands justice in all spheres of human activity, and</p><p>achieving this requires knowledge, or ilm. Every Muslim is obliged</p><p>to pursue knowledge in all its forms, and the economic success of</p><p>the Abbasid caliphate meant that scholars had the time, money and</p><p>materials required to ful�ll their duty. They endeavored to acquire</p><p>the knowledge of previous civilizations by obtaining Egyptian,</p><p>Babylonian, Indian, Chinese, Farsi, Syriac, Armenian, Hebrew and</p><p>Roman texts and translating them into Arabic. In 815, the Caliph al-</p><p>Ma’mūn established in Baghdad the Bait al-Hikmah (“House of</p><p>Wisdom”), a library and center for translation.</p><p>At the same time as acquiring knowledge, the Islamic civilization</p><p>was able to disperse it, because it had procured the art of</p><p>papermaking from the Chinese. The manufacture of paper gave rise</p><p>to the profession of warraqīn, or “those who handle paper,” human</p><p>photocopying machines who copied manuscripts and supplied the</p><p>burgeoning publishing industry. At its peak, tens of thousands of</p><p>books were published every year, and in just one suburb of Baghdad</p><p>there were over a hundred bookshops. As well as such classics as</p><p>Tales from the Thousand and One Nights, these bookshops also sold</p><p>textbooks on every imaginable subject, and helped to support the</p><p>most literate and learned society in the world.</p><p>In addition to a greater understanding of secular subjects, the</p><p>invention of cryptanalysis also depended on the growth of religious</p><p>scholarship. Major theological schools were established in Basra,</p><p>Kufa and Baghdad, where theologians scrutinized the revelations of</p><p>Muhammad as contained in the Koran. The theologians were</p><p>interested in establishing the chronology of the revelations, which</p><p>they did by counting the frequencies of words contained in each</p><p>revelation. The theory was that certain words had evolved relatively</p><p>recently, and hence if a revelation contained a high number of these</p><p>newer words, this would indicate that it came later in the</p><p>chronology. Theologians also studied the Hadīth, which consists of</p><p>the Prophet’s daily utterances. They tried to demonstrate that each</p><p>statement was indeed attributable to Muhammad. This was done by</p><p>studying the etymology of words and the structure of sentences, to</p><p>test whether particular texts were consistent with the linguistic</p><p>patterns of the Prophet.</p><p>Signi�cantly, the religious scholars did not stop their scrutiny at</p><p>the level of words. They also analyzed individual letters, and in</p><p>particular they discovered that some letters are more common than</p><p>others. The letters a and l are the most common in Arabic, partly</p><p>because of the de�nite article al-, whereas the letter j appears only a</p><p>tenth as frequently. This apparently innocuous observation would</p><p>lead to the �rst great breakthrough in cryptanalysis.</p><p>Although it is not known who �rst realized that the variation in</p><p>the frequencies of letters could be exploited in order to break</p><p>ciphers, the earliest known description of the technique is by the</p><p>ninth-century scientist Abū Yūsūf Ya’qūb ibn Is-hāq ibn as-Sabbāh</p><p>ibn ‘omrān ibn Ismaīl al-Kindī. Known as “the philosopher of the</p><p>Arabs,” al-Kindī was the author of 290 books on medicine,</p><p>astronomy, mathematics, linguistics and music. His greatest treatise,</p><p>which was rediscovered only in 1987 in the Sulaimaniyyah Ottoman</p><p>Archive in Istanbul, is entitled A Manuscript on Deciphering</p><p>Cryptographic Messages; the �rst page is shown in Figure 6. Although</p><p>it contains detailed discussions on statistics, Arabic phonetics and</p><p>Arabic syntax, al-Kindī’s revolutionary system of cryptanalysis is</p><p>encapsulated in two short paragraphs:</p><p>One way to solve an encrypted message, if we know its language, is to �nd a di�erent</p><p>plaintext of the same language long enough to �ll one sheet or so, and then we count</p><p>the occurrences of each letter. We call the most frequently occurring letter the “�rst,”</p><p>the next most occurring letter the “second,” the following most occurring letter the</p><p>“third,” and so on, until we account for all the di�erent letters in the plaintext</p><p>sample.</p><p>Then we look at the ciphertext we want to solve and we also classify its symbols.</p><p>We �nd the most occurring symbol and change it to the form of the “�rst” letter of</p><p>the plaintext sample, the next most common symbol is changed to the form of the</p><p>“second” letter, and the following most common symbol is changed to the form of the</p><p>“third” letter, and so on, until we account for all symbols of the cryptogram we want</p><p>to solve.</p><p>Al-Kindī’s explanation is easier to explain in terms of the English</p><p>alphabet. First of all, it is necessary to study a lengthy piece of</p><p>normal English text, perhaps several, in order to establish the</p><p>frequency of each letter of the alphabet. In English, e is the most</p><p>common letter, followed by t, then a, and so on, as given in Table 1.</p><p>Next, examine the ciphertext in question, and work out the</p><p>frequency of each letter. If the most common letter in the ciphertext</p><p>is, for example, J then it would seem likely that this is a substitute</p><p>for e. And if the second most common letter in the ciphertext is P,</p><p>then this is probably a substitute for t, and so on. Al-Kindī’s</p><p>technique, known as frequency analysis, shows that it is unnecessary</p><p>to check each of the billions of potential keys. Instead, it is possible</p><p>to reveal the contents of a scrambled message simply by analyzing</p><p>the frequency of the characters in the ciphertext.</p><p>Figure 6 The �rst page of al-Kindī’s manuscript On Deciphering Cryptographic</p><p>Messages, containing the oldest known description of cryptanalysis by frequency</p><p>analysis. (photo credit 1.2)</p><p>However, it is not possible to apply al-Kindī’s recipe for</p><p>cryptanalysis unconditionally, because the standard list of</p><p>frequencies in Table 1 is only an average, and it will not correspond</p><p>exactly to the frequencies of every text. For example, a brief</p><p>message discussing the e�ect of the atmosphere on the movement of</p><p>striped quadrupeds in Africa would not yield to straightforward</p><p>frequency analysis: “From Zanzibar to Zambia and Zaire, ozone</p><p>zones make zebras run zany zigzags.” In general, short texts are</p><p>likely to deviate signi�cantly from the standard frequencies, and if</p><p>there are less than a hundred letters, then decipherment will be very</p><p>di�cult. On the other hand, longer texts are more likely to follow</p><p>the standard frequencies, although this is not always the case. In</p><p>1969, the French author Georges Perec wrote La Disparition, a 200-</p><p>page novel that did not use words that contain the letter e. Doubly</p><p>remarkable is the fact that the English novelist and critic Gilbert</p><p>Adair succeeded in translating La Disparition into English, while still</p><p>following Perec’s shunning of the letter e. Entitled A Void, Adair’s</p><p>translation is surprisingly readable (see Appendix A). If the entire</p><p>book were encrypted via a monoalphabetic substitution cipher, then</p><p>a naive attempt to decipher it might be stymied by the complete</p><p>lack of the most frequently occurring letter in the English alphabet.</p><p>Table 1 This table of relative frequencies is based on passages taken from newspapers and</p><p>novels, and the total sample was 100,362 alphabetic characters. The table was compiled by</p><p>H. Beker and F. Piper, and originally published in Cipher Systems: The Protection Of</p><p>Communication.</p><p>Letter Percentage</p><p>a 8.2</p><p>b 1.5</p><p>c 2.8</p><p>d 4.3</p><p>e 12.7</p><p>f 2.2</p><p>g 2.0</p><p>h 6.1</p><p>i 7.0</p><p>j 0.2</p><p>k 0.8</p><p>l 4.0</p><p>m 2.4</p><p>n 6.7</p><p>o 7.5</p><p>p 1.9</p><p>q 0.1</p><p>r 6.0</p><p>s 6.3</p><p>t 9.1</p><p>u 2.8</p><p>v 1.0</p><p>w 2.4</p><p>x 0.2</p><p>y 2.0</p><p>z 0.1</p><p>Having described the �rst tool of cryptanalysis, I shall continue by</p><p>giving an example of how frequency analysis is used to decipher a</p><p>ciphertext. I have avoided peppering the whole book with examples</p><p>of cryptanalysis, but with frequency analysis I make an exception.</p><p>This is partly because frequency analysis is not as di�cult as it</p><p>sounds, and partly because it is the primary cryptanalytic tool.</p><p>Furthermore, the example that follows provides insight into the</p><p>modus operandi of the cryptanalyst. Although frequency analysis</p><p>requires logical thinking, you will see that it also demands guile,</p><p>intuition, �exibility and guesswork.</p><p>Cryptanalyzing a Ciphertext</p><p>PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV</p><p>XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX’XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV</p><p>ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC</p><p>UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC</p><p>AJXNO X IXNCMJ CI UCMJ SXGOKLU?”</p><p>OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK</p><p>Imagine that we have intercepted this scrambled message. The</p><p>challenge is to decipher it. We know that the text is in English, and</p><p>that it has been scrambled according to a monoalphabetic</p><p>substitution cipher, but we have no idea of the key. Searching all</p><p>possible keys is impractical, so we must apply frequency analysis.</p><p>What follows is a step-by-step guide to cryptanalyzing the</p><p>ciphertext, but if you feel con�dent then you might prefer to ignore</p><p>this and attempt your own independent cryptanalysis.</p><p>The immediate reaction of any cryptanalyst upon seeing such a</p><p>ciphertext is to analyze the frequency of all the letters, which results</p><p>in Table 2. Not surprisingly, the letters vary in their frequency. The</p><p>question is, can we identify</p><p>what any of them represent, based on</p><p>their frequencies? The ciphertext is relatively short, so we cannot</p><p>slavishly apply frequency analysis. It would be naive to assume that</p><p>the commonest letter in the ciphertext, O, represents the commonest</p><p>letter in English, e, or that the eighth most frequent letter in the</p><p>ciphertext, Y, represents the eighth most frequent letter in English,</p><p>h. An unquestioning application of frequency analysis would lead to</p><p>gibberish. For example, the �rst word PCQ would be deciphered as</p><p>aov.</p><p>However, we can begin by focusing attention on the only three</p><p>letters that appear more than thirty times in the ciphertext, namely</p><p>O, X and P. It is fairly safe to assume that the commonest letters in</p><p>the ciphertext probably represent the commonest letters in the</p><p>English alphabet, but not necessarily in the right order. In other</p><p>words, we cannot be sure that O = e, X = t, and P = a, but we can</p><p>make the tentative assumption that:</p><p>O = e, t or a, X = e, t or a, P = e, t or a.</p><p>Table 2 Frequency analysis of enciphered message.</p><p>Letter Frequency</p><p>Occurrences Percentage</p><p>A 3 0.9</p><p>B 25 7.4</p><p>C 27 8.0</p><p>D 14 4.1</p><p>E 5 1.5</p><p>F 2 0.6</p><p>G 1 0.3</p><p>H 0 0.0</p><p>I 11 3.3</p><p>J 18 5.3</p><p>K 26 7.7</p><p>L 25 7.4</p><p>M 11 3.3</p><p>N 3 0.9</p><p>O 38 11.2</p><p>P 31 9.2</p><p>Q 2 0.6</p><p>R 6 1.8</p><p>S 7 2.1</p><p>T 0 0.0</p><p>U 6 1.8</p><p>V 18 5.3</p><p>W 1 0.3</p><p>X 34 10.1</p><p>Y 19 5.6</p><p>Z 5 1.5</p><p>In order to proceed with con�dence, and pin down the identity of</p><p>the three most common letters, O, X and P, we need a more subtle</p><p>form of frequency analysis. Instead of simply counting the frequency</p><p>of the three letters, we can focus on how often they appear next to</p><p>all the other letters. For example, does the letter O appear before or</p><p>after several other letters, or does it tend to neighbor just a few</p><p>special letters? Answering this question will be a good indication of</p><p>whether O represents a vowel or a consonant. If O represents a</p><p>vowel it should appear before and after most of the other letters,</p><p>whereas if it represents a consonant, it will tend to avoid many of</p><p>the other letters. For example, the letter e can appear before and</p><p>after virtually every other letter, but the letter t is rarely seen before</p><p>or after b, d, g, j, k, m, q or v.</p><p>The table below takes the three most common letters in the</p><p>ciphertext, O, X and P, and lists how frequently each appears before</p><p>or after every letter. For example, O appears before A on 1 occasion,</p><p>but never appears immediately after it, giving a total of 1 in the �rst</p><p>box. The letter O neighbors the majority of letters, and there are</p><p>only 7 that it avoids completely, represented by the 7 zeros in the O</p><p>row. The letter X is equally sociable, because it too neighbors most</p><p>of the letters, and avoids only 8 of them. However, the letter P is</p><p>much less friendly. It tends to lurk around just a few letters, and</p><p>avoids 15 of them. This evidence suggests that O and X represent</p><p>vowels, while P represents a consonant.</p><p>Now we must ask ourselves which vowels are represented by O and</p><p>X. They are probably e and a, the two most popular vowels in the</p><p>English language, but does O = e and X = a, or does O = a and X</p><p>= e? An interesting feature in the ciphertext is that the combination</p><p>OO appears twice, whereas XX does not appear at all. Since the</p><p>letters ee appear far more often than aa in plaintext English, it is</p><p>likely that O = e and X = a.</p><p>At this point, we have con�dently identi�ed two of the letters in</p><p>the ciphertext. Our conclusion that X = a is supported by the fact</p><p>that X appears on its own in the ciphertext, and a is one of only two</p><p>English words that consist of a single letter. The only other letter</p><p>that appears on its own in the ciphertext is Y, and it seems highly</p><p>likely that this represents the only other one-letter English word,</p><p>which is i. Focusing on words with only one letter is a standard</p><p>cryptanalytic trick, and I have included it among a list of</p><p>cryptanalytic tips in Appendix B. This particular trick works only</p><p>because this ciphertext still has spaces between the words. Often, a</p><p>cryptographer will remove all the spaces to make it harder for an</p><p>enemy interceptor to unscramble the message.</p><p>Although we have spaces between words, the following trick</p><p>would also work where the ciphertext has been merged into a single</p><p>string of characters. The trick allows us to spot the letter h, once we</p><p>have already identi�ed the letter e. In the English language, the</p><p>letter h frequently goes before the letter e (as in the, then, they,</p><p>etc.), but rarely after e. The table below shows how frequently the</p><p>O, which we think represents e, goes before and after all the other</p><p>letters in the ciphertext. The table suggests that B represents h,</p><p>because it appears before 0 on 9 occasions, but it never goes after it.</p><p>No other letter in the table has such an asymmetric relationship</p><p>with O.</p><p>Each letter in the English language has its own unique personality,</p><p>which includes its frequency and its relation to other letters. It is</p><p>this personality that allows us to establish the true identity of a</p><p>letter, even when it has been disguised by monoalphabetic</p><p>substitution.</p><p>We have now con�dently established four letters, O = e, X = a,</p><p>Y = i and B = h, and we can begin to replace some of the letters in</p><p>the ciphertext with their plaintext equivalents. I shall stick to the</p><p>convention of keeping ciphertext letters in upper case, while putting</p><p>plaintext letters in lower case. This will help to distinguish between</p><p>those letters we still have to identify, and those that have already</p><p>been established.</p><p>PCQ VMJiPD LhiK LiSe KhahJaWaV haV ZCJPe EiPD KhahJiUaJ LhJee KCPK. CP Lhe</p><p>LhCMKaPV aPV IiJKL PiDhL, QheP Khe haV ePVeV Lhe LaRe CI Sa’aJMI, Khe JCKe</p><p>aPV EiKKev Lhe DJCMPV ZeICJe h i S, KaUiPD: “DJeaL EiPD, ICJ a LhCMKaPV aPV</p><p>CPe PiDhLK i haNe ZeeP JeACMPLiPD LC UCM Lhe IaZReK CI FaKL aDeK aPV Lhe</p><p>ReDePVK CI aPAiePL EiPDK. SaU i SaEe KC ZCRV aK LC AJaNe a IaNCMJ CI UCMJ</p><p>SaGeKLU?”</p><p>eFiRCDMe, LaReK IJCS Lhe LhCMKaPV aPV CPe PiDhLK</p><p>This simple step helps us to identify several other letters, because</p><p>we can guess some of the words in the ciphertext. For example, the</p><p>most common three-letter words in English are the and and, and</p><p>these are relatively easy to spot-Lhe, which appears six times, and</p><p>aPV, which appears �ve times. Hence, L probably represents t, P</p><p>probably represents n, and V probably represents d. We can now</p><p>replace these letters in the ciphertext with their true values:</p><p>nCQ dMJinD thiK tiSe KhahJaWad had ZCJne EinD KhahJiUaJ thJee KCnK. Cn the</p><p>thCMKand and IiJKt niDht, Qhen Khe had ended the taRe CI Sa’aJMI, Khe JCKe and</p><p>EiKKed the DJCMnd ZeICJe hiS, KaUinD: “DJeat EinD, ICJ a thCMKand and Cne</p><p>niDhtK i haNe Zeen JeACMntinD tC UCM the IaZReK CI FaKt aDeK and the ReDendK</p><p>CI anAient EinDK. SaU i SaEe KC ZCRd aK tC AJaNe a IaNCMJ CI UCMJ SaGeKtU?”</p><p>eFiRCDMe, taReK IJCS the thCMKand and Cne niDhtK</p><p>Once a few letters have been established, cryptanalysis progresses</p><p>very rapidly. For example, the word at the beginning of the second</p><p>sentence is Cn. Every word has a vowel in it, so C must be a vowel.</p><p>There are only two vowels that remain to be identi�ed, u and o; u</p><p>does not �t, so C must represent o. We also have the word Khe,</p><p>which implies that K represents either t or s. But we already know</p><p>that L = t, so it becomes clear that K = s. Having identi�ed these</p><p>two letters, we insert them into the ciphertext, and there appears</p><p>the phrase thoMsand and one niDhts. A sensible guess for this would</p><p>be thousand and one nights, and it seems likely that the �nal line is</p><p>telling us that this is a passage from Tales from the Thousand and One</p><p>Nights. This implies that M = u, I = f, J = r, D = g, R = l, and S</p><p>= m.</p><p>We could continue trying to establish other letters by guessing</p><p>other words, but instead let us have a look at what we know about</p><p>the plain alphabet and cipher alphabet. These two alphabets form</p><p>the key, and they were used by the cryptographer in order to</p><p>perform the substitution that scrambled the message. Already, by</p><p>identifying the true values of letters in the ciphertext, we</p><p>have</p><p>e�ectively been working out the details of the cipher alphabet. A</p><p>summary of our achievements, so far, is given in the plain and</p><p>cipher alphabets below.</p><p>By examining the partial cipher alphabet, we can complete the</p><p>cryptanalysis. The sequence VOIDBY in the cipher alphabet suggests</p><p>that the cryptographer has chosen a keyphrase as the basis for the</p><p>key. Some guesswork is enough to suggest the keyphrase might be A</p><p>VOID BY GEORGES PEREC, which is reduced to AVOID BY GERSPC</p><p>after removing spaces and repetitions. Thereafter, the letters</p><p>continue in alphabetical order, omitting any that have already</p><p>appeared in the keyphrase. In this particular case, the cryptographer</p><p>took the unusual step of not starting the keyphrase at the beginning</p><p>of the cipher alphabet, but rather starting it three letters in. This is</p><p>possibly because the keyphrase begins with the letter A, and the</p><p>cryptographer wanted to avoid encrypting a as A. At last, having</p><p>established the complete cipher alphabet, we can unscramble the</p><p>entire ciphertext, and the cryptanalysis is complete.</p><p>Now during this time Shahrazad had borne King Shahriyar three sons. On the</p><p>thousand and �rst night, when she had ended the tale of Ma’aruf, she rose and kissed</p><p>the ground before him, saying: “Great King, for a thousand and one nights I have</p><p>been recounting to you the fables of past ages and the legends of ancient kings. May I</p><p>make so bold as to crave a favor of your majesty?”</p><p>Epilogue, Tales from the Thousand and One Nights</p><p>Renaissance in the West</p><p>Between A.D. 800 and 1200, Arab scholars enjoyed a vigorous period</p><p>of intellectual achievement. At the same time, Europe was �rmly</p><p>stuck in the Dark Ages. While al-Kindī was describing the invention</p><p>of cryptanalysis, Europeans were still struggling with the basics of</p><p>cryptography. The only European institutions to encourage the</p><p>study of secret writing were the monasteries, where monks would</p><p>study the Bible in search of hidden meanings, a fascination that has</p><p>persisted through to modern times (see Appendix C).</p><p>Medieval monks were intrigued by the fact that the Old</p><p>Testament contained deliberate and obvious examples of</p><p>cryptography. For example, the Old Testament includes pieces of</p><p>text encrypted with atbash, a traditional form of Hebrew</p><p>substitution cipher. Atbash involves taking each letter, noting the</p><p>number of places it is from the beginning of the alphabet, and</p><p>replacing it with a letter that is an equal number of places from the</p><p>end of the alphabet. In English this would mean that a, at the</p><p>beginning of the alphabet, is replaced by Z, at the end of the</p><p>alphabet, b is replaced by Y, and so on. The term atbash itself hints</p><p>at the substitution it describes, because it consists of the �rst letter</p><p>of the Hebrew alphabet, aleph, followed by the last letter taw, and</p><p>then there is the second letter, beth, followed by the second to last</p><p>letter shin. An example of atbash appears in Jeremiah 25: 26 and 51:</p><p>41, where “Babel” is replaced by the word “Sheshach”; the �rst</p><p>letter of Babel is beth, the second letter of the Hebrew alphabet, and</p><p>this is replaced by shin, the second-to-last letter; the second letter of</p><p>Babel is also beth, and so it too is replaced by shin; and the last letter</p><p>of Babel is lamed, the twelfth letter of the Hebrew alphabet, and this</p><p>is replaced by kaph, the twelfth-to-last letter.</p><p>Atbash and other similar biblical ciphers were probably intended</p><p>only to add mystery, rather than to conceal meaning, but they were</p><p>enough to spark an interest in serious cryptography. European</p><p>monks began to rediscover old substitution ciphers, they invented</p><p>new ones, and, in due course, they helped to reintroduce</p><p>cryptography into Western civilization. The �rst known European</p><p>book to describe the use of cryptography was written in the</p><p>thirteenth century by the English Franciscan monk and polymath</p><p>Roger Bacon. Epistle on the Secret Works of Art and the Nullity of</p><p>Magic included seven methods for keeping messages secret, and</p><p>cautioned: “A man is crazy who writes a secret in any other way</p><p>than one which will conceal it from the vulgar.”</p><p>By the fourteenth century the use of cryptography had become</p><p>increasingly widespread, with alchemists and scientists using it to</p><p>keep their discoveries secret. Although better known for his literary</p><p>achievements, Geo�rey Chaucer was also an astronomer and a</p><p>cryptographer, and he is responsible for one of the most famous</p><p>examples of early European encryption. In his Treatise on the</p><p>Astrolabe he provided some additional notes entitled “The Equatorie</p><p>of the Planetis,” which included several encrypted paragraphs.</p><p>Chaucer’s encryption replaced plaintext letters with symbols, for</p><p>example b with . A ciphertext consisting of strange symbols rather</p><p>than letters may at �rst sight seem more complicated, but it is</p><p>essentially equivalent to the traditional letter-for-letter substitution.</p><p>The process of encryption and the level of security are exactly the</p><p>same.</p><p>By the �fteenth century, European cryptography was a</p><p>burgeoning industry. The revival in the arts, sciences and</p><p>scholarship during the Renaissance nurtured the capacity for</p><p>cryptography, while an explosion in political machinations o�ered</p><p>ample motivation for secret communication. Italy, in particular,</p><p>provided the ideal environment for cryptography. As well as being</p><p>at the heart of the Renaissance, it consisted of independent city</p><p>states, each trying to outmaneuver the others. Diplomacy �ourished,</p><p>and each state would send ambassadors to the courts of the others.</p><p>Each ambassador received messages from his respective head of</p><p>state, describing details of the foreign policy he was to implement.</p><p>In response, each ambassador would send back any information that</p><p>he had gleaned. Clearly there was a great incentive to encrypt</p><p>communications in both directions, so each state established a</p><p>cipher o�ce, and each ambassador had a cipher secretary.</p><p>At the same time that cryptography was becoming a routine</p><p>diplomatic tool, the science of cryptanalysis was beginning to</p><p>emerge in the West. Diplomats had only just familiarized themselves</p><p>with the skills required to establish secure communications, and</p><p>already there were individuals attempting to destroy this security. It</p><p>is quite probable that cryptanalysis was independently discovered in</p><p>Europe, but there is also the possibility that it was introduced from</p><p>the Arab world. Islamic discoveries in science and mathematics</p><p>strongly in�uenced the rebirth of science in Europe, and</p><p>cryptanalysis might have been among the imported knowledge.</p><p>Arguably the �rst great European cryptanalyst was Giovanni Soro,</p><p>appointed as Venetian cipher secretary in 1506. Soro’s reputation</p><p>was known throughout Italy, and friendly states would send</p><p>intercepted messages to Venice for cryptanalysis. Even the Vatican,</p><p>probably the second most active center of cryptanalysis, would send</p><p>Soro seemingly impenetrable messages that had fallen into its</p><p>hands. In 1526, Pope Clement VII sent him two encrypted messages,</p><p>and both were returned having been successfully cryptanalyzed.</p><p>And when one of the Pope’s own encrypted messages was captured</p><p>by the Florentines, the Pope sent a copy to Soro in the hope that he</p><p>would be reassured that it was unbreakable. Soro claimed that he</p><p>could not break the Pope’s cipher, implying that the Florentines</p><p>would also be unable to decipher it. However, this may have been a</p><p>ploy to lull the Vatican cryptographers into a false sense of security-</p><p>Soro might have been reluctant to point out the weaknesses of the</p><p>Papal cipher, because this would only have encouraged the Vatican</p><p>to switch to a more secure cipher, one that Soro might not have</p><p>been able to break.</p><p>Elsewhere in Europe, other courts were also beginning to employ</p><p>skilled cryptanalysts, such as Philibert Babou, cryptanalyst to King</p><p>Francis I of France. Babou gained a reputation for being incredibly</p><p>persistent, working day and night and persevering for weeks on end</p><p>in order to crack an intercepted message. Unfortunately for Babou,</p><p>this gave the king</p>
  • MJP Atividade Avaliativa Geografia e História 1 ano_3 BIM
  • Atividade teleaula III Gerenciamento de projetos de software
  • Governo Aberto Transparência e Dados Abertos Exercício Avaliativo - Módulo 2_ Revisão da tentativa
  • Governo Aberto Transparência e Dados Abertos Exercício Avaliativo - Módulo 1_ Revisão da tentativa
  • Higiene ocupacional Exercício avaliativo - Módulo 3_ Revisão da tentativa
  • Higiene ocupacional Exercício avaliativo - Módulo 2_ Revisão da tentativa
  • Higiene ocupacional Exercício avaliativo - Módulo 1_ Revisão da tentativa
  • Governo Aberto Transparência e Dados Abertos Exercício Avaliativo - Módulo 3_ Revisão da tentativa
  • Mapa do Mil 2024 (segundo semestre) (2)
  • AVALIAÇÃO ADAPTADA 1 ANO
  • AVALIACAO_N1_COZINHA_TIPICA_DO_MUNDO_II_-_NOTURNO_-_ANA_GLORIA 2024
  • Unidade_2_-_Parasitologia (1)
  • Avaliação 1_ HISTÓRIA E CULTURA AFRO-BRASILEIRA E INDÍGENA
  • Para as licenciaturas, a pesquisa, o ensino e a extensão são elementos cruciais que se entrelaçam para formar uma base sólida de preparação e aprim...
  • ÍTULO: A APLICAÇÃO DE VETORES E TRANFORMAÇÕES LINEARES NA FÍSICA CONTEXTUALIZAÇÃO Os vetores são de fundamental importância para o estudo e co...
  • Marque a alternativa que melhor define um gene. Escolha uma opção: a. Trecho do RNA que contém sequências de nucleotídeos que são usados para a s...
  • portifolio Pedro Cassio, gestor de pessoas, reúne o seu pessoal em nível de chefia para preparar o anúncio de recrutamento para o cargo de recepcio...
  • Na tirinha, o fato inicial indicado na fala de Haroldo é marcada pela oposição na fala de Calvin. Tal contradição é marcada por um organizador text...
  • Criança: "Eu preciso de ajuda para resolver os problemas de matemática! Às vezes eu acerto, outras eu erro, por isso preciso de alguém para me expl...
  • A autonomia é valiosa tanto na sala de aula quanto no desenvolvimento contínuo como educadores ao longo de suas carreiras. Para Alexandre (2021) a ...
  • Ao buscar aprofundar sobre a característica manifestam em classes sociais e o fenômeno movimento social nos deparamos com o conceito da questão soc...
  • De acordo com seus conhecimentos sobre a Administração por Objetivos, marque a única alternativa correta: Questão 5Escolha uma opção: a. As metas...
  • Ao estudar a vida social huma na a respeito das análises construídas pela sociologia clássica sobre esta relação entre sociedade e indivíduos é cor...
  • O meio que conduz melhor a eletricidade é a(o): Escolha uma opção: a. plástico, pois deriva-se do petróleo, grande fonte de energia. b. ar, devid...
  • Leia o atributo de valor humano abaixo: que se expressa com a convivência com o outro, em grupo; aprendizagem com o outro; assimilação de normas s...
  • Questão 9) - 0,50 ponto(s) As intervenções ergonômicas têm por objetivo modificar uma dada situação de trabalho. Dependendo da ocasião da interven...
  • Sintaxe
  • A2 MÉTODOS E ABORDAGEM DO ENSINO DE LÍNGUA INGLESA

Conteúdos escolhidos para você

452 pág.

Grátis

The Big Book of Weekend Woodworking - Wood Tools

FAM

4 pág.

Grátis

SO I LISTEN TO THE RADIO [Exercice from Lesson 02 Double Trouble Is Just Beginning (IFSULDEMINAS 2023.1 - Módulo 3)]
2 pág.
The rooms and stables spacious were and wide, And well we there were eased, and of the best. And briefly, when the sun had gone to rest, So had I spoken with them, every one,

UNICESUMAR

1 pág.
Complete with the correct form of the verbs. Where _____ you ______ this weekend? I ______ to the movies with my boyfriend.
1 pág.
INGLES1ABR2024A 3 How to get there 3 14 Teste seus conhecimentos days of the week

UNIMAR

Perguntas dessa disciplina

Grátis

What is the topic of the 4th meeting of the History of Art course? a. The regularity of the cycles of nature in ancient Egypt.b. The architectur...

Grátis

A Astrologia Egípcia. What is the book about? a) The history of ancient Egypt.b) The Dogon tribe's knowledge of astronomy.c) The technology and...
What was the kingdom of Kush and what was its importance in the history of ancient Egypt?Definition of the kingdom of KushImportance of the kingd...
The main idea of the text is: a) The recent discovery that Nefertiti was not only a queen but also a priest.b) The richness and luxury of the pa...
Compared to the Egyptian and civilization, the Greek civilization has a much larger amount of preserved historical sources, which allowed scholars ...
1 Simon Singh - The code book  the science of secrecy from ancient Egypt to quantum cryptography (2000, Anchor Books) - Inglês (2024)

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Ms. Lucile Johns

Last Updated:

Views: 6369

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Ms. Lucile Johns

Birthday: 1999-11-16

Address: Suite 237 56046 Walsh Coves, West Enid, VT 46557

Phone: +59115435987187

Job: Education Supervisor

Hobby: Genealogy, Stone skipping, Skydiving, Nordic skating, Couponing, Coloring, Gardening

Introduction: My name is Ms. Lucile Johns, I am a successful, friendly, friendly, homely, adventurous, handsome, delightful person who loves writing and wants to share my knowledge and understanding with you.