Enigma Modern Breaking
Enigma Modern Breaking
Enigma Modern Breaking
Abstract “Breaking German Army Ciphers” is the title of a Cryptologia article from 2005,
describing the lucky survival of several hundred authentic Enigma messages of World War II, and
an account of a ciphertext-only cryptanalysis of a large number of these messages, leaving only a
few, mostly short messages, unbroken. After reviewing the work done, and investigating the
reasons for both lucky breaks and close misses, the modern ciphertext-only attack on Enigma
messages is improved, especially on genuine ones with short lengths and/or many garbles. The
difficulties of a proper measure for the candidate’s closeness to a plaintext are clarified. The
influence on the decryption process of an empty plugboard and one with only a few correct plugs is
examined. The method is extended by a partial exhaustion of the plugboard combined with an
optimized hillclimbing strategy. The newly designed software succeeds in breaking formerly
unbroken messages.
Contact Frode Weierud. Email: [email protected]. Address: Bjerkealleen 17, 1385 Asker,
Norway.
1. Introduction
The Cryptologia article “Breaking German Army Ciphers” [18] begins with the words “This is the
first report of an on-going cryptanalytical project.” Indeed, the project carried on and the present
article describes further advances and new results on breaking genuine Enigma ciphertexts. In the
last ten or more years the work has been continued, studying the historical facts, investigating the
characteristics of approximately 500 authentic Enigma messages, and designing several cryptologic
software tools, in order to get a better understanding of the statistics of the Enigma ciphertexts and
the techniques for their cryptanalysis. The aim was to improve the ciphertext-only attack, in order to
eventually break formerly unbroken messages. As the work is still in progress, this article could be
described as the second report of an on-going cryptanalytical project.
2. Historical Background
The electro-mechanical cipher machine Enigma (from Greek αίνιγµα for “riddle”) was the
backbone of the German armed forces’ (Wehrmacht) cipher systems during World War II. It is
operated like a typewriter, entering the plaintext via a keyboard. Each letter of the plaintext is
enciphered individually [12, p. 1]. By pressing a letter key a switch is closed and current from an
internal battery flows over the closed contact through the plugboard (Steckerbrett) into the
cryptographically important “scrambler,” which is formed by Enigma’s rotor set (Walzensatz). Here
the letter is permuted several times by three rotating wheels (Walzen). The current reaches the
reflector (Umkehrwalze in German, abbreviated UKW), which is situated at the leftmost side of the
rotor set. It feeds the current back through the three rotating wheels, which then passes the
plugboard a second time. Finally the current reaches the lampboard and lights up a lamp. The
illuminated lamp indicates the cipher letter that corresponds to the entered plaintext letter.
Enciphered messages were wirelessly transmitted in Morse code and subsequently deciphered by
the intended receiver with the aid of the known secret key, which was changed daily
Postprint: The Version of Record of this manuscript has been published and is available in Cryptologia,
January 2017, http://dx.doi.org/10.1080/01611194.2016.1238423
Modern Breaking of Enigma Ciphertexts 2 Version 5, March 2017
(Tagesschlüssel). The German Army Enigma regulations laid down that no transmitted ciphertext
message was to exceed the length of 250 characters [14, p. 5]. The German key sheets
(Schlüsseltafeln) determined three elements of the daily key, namely wheel order (Walzenlage) – i.e.
arranging three wheels out of a set of five, ring setting (Ringstellung), and plugboard setting
(Steckerverbindungen). The individually chosen start position of the three wheels (Walzenstellung)
for each single message was the fourth element of the key.
The Enigma key space is the product of these four factors. While there are 5×4×3 or 60 possible
wheel orders, out of the 26×26×26 wheel positions 26×26 are redundant, leaving 26×25×26 or
16,900 as relevant [15, p. 80]. Nevertheless, for the sake of convenience, all 263 wheel positions are
considered here, as this eases the design of the software. While the ring setting of the left-hand
wheel is completely irrelevant, and does not enhance the key space, 26×26 or 676 possible ring
settings for the middle and right-hand wheels are possible. However, especially for short messages
mostly no stepping of the left-hand wheel occurs. Hence the ring setting of the middle wheel is
irrelevant and only the remaining 26 possible ring settings of the right-hand wheel have to be
considered. In total, the first three factors of Enigma’s key space give a product of 60×263×26 or
27,418,560 “locations,” as they shall be designated here.
Finally, as the fourth factor, the plugboard with its vast possibilities of connection options plays an
important role, as it creates the lion’s share of the magnitude of the key space. The German key
sheets during the war generally specified ten Stecker cables (jumper cables), thus swapping 20
letters of the alphabet, while leaving the remaining six letters unswapped or “self-steckered.” In
total, for ten Stecker cables there exist 150,738,274,937,250 (more than 150 trillion) different ways
of plugging (e.g., [2, p. 254]). Thus, the fourth factor of Enigma’s key space is more than five
million times as much as the above stated number of the locations.
In the same manner as for enciphering, each Enigma machine can also be used for deciphering. For
that, the ciphertext is simply entered via the keyboard, and the lamps now indicate the
corresponding plaintext [9]. During the war, the wireless German messages were intercepted by the
British Y service, which sent them to the Government Code and Cypher School at Bletchley Park
(BP). There, it was the task of the codebreakers of Hut Six, the organizational unit dealing with the
cryptanalysis of Enigma messages originating from the German Army and German Air Force, to
determine the keys and to recover the plaintexts. The technique used at BP was based on “cribs,” i.e.
known plaintext fragments [19, p. 78]. It was sufficient to break a single message a day for a
specific net. After that, with the then recovered daily key for that net, it was easy to read all the
others, often hundreds of messages of the same day. With the known Tagesschlüssel they could
easily be deciphered in the same way as the intended German receiver did it.
1
Prior to August 1944 this key was called Oberquartiermeister Maschineschlüssel Nr. II.
Modern Breaking of Enigma Ciphertexts 5 Version 5, March 2017
4. Short Messages
A few messages of the HG Nord record nevertheless remained unbroken. This happened for
instance, when only a single ciphertext was available for a specific day. Therefore, we decided to
focus on short messages, i.e. ciphertext of lengths less than 80 letters down to roughly 30 letters.
For that, obviously the existing known ciphertext-only techniques are insufficient and have to be
improved. As a first step, a thorough study of several hundred authentic messages of HG Nord was
performed. Their statistical characteristics were determined, and especially short messages were
investigated.
The message lengths vary. As shown in Figure 1 most of the approximately 500 messages have a
length between 50 and 150 letters. The minimum message length is 15 and the maximum is 322.
The mean message length is 126, the median 103, and the standard variation 55. Eleven messages
or about 2 % violate the ordered maximum message length of 250. Approximately 30 % of the
messages contain less than 80 letters.
As a matter of principle for any substitution cipher, there exists a certain ciphertext length for which
messages shorter than that cannot be broken. This length is called the unicity distance. For example,
a ciphertext, encrypted by a method as simple as the Caesar cipher, is theoretically unbreakable, if
its length is one, i.e. only a single letter had been encrypted. In this case, the security level of a
Caesar cipher is as high as for the theoretically unbreakable One Time Pad (OTP).
An Enigma message which contained only one letter must not be considered, as it surely can be
stated unbreakable. This is true also for slightly longer messages, if they fall short of the unicity
distance. We do not know it exactly for Enigma, but it is probably around 20 letters. As derived by
Shannon [17, p. 660], and e.g. defined in [13, p. 246], the expected unicity distance of a cipher is
approximately H/D, where H is the logarithm of the number of possible keys, and D is the plaintext
redundancy (in bits/character). With H ≈ 72 bits for Enigma (corresponding to its key space of
150,738,274,937,250×26,364,000, assuming no left-wheel turnover) and D ≈ 3.1 bits for HG Nord
texts, this results in a unicity distance of around 23 letters. This is quite similar to the unicity
distance of a monoalphabetic substitution cipher, which is 24 letters [5, p. 54]. The shortest known
plaintexts of HG Nord, with lengths of 18, 22, and 24, contain (slightly garbled) messages as “Give
daily report” (Tagesmmldung funken), “Morning report cancelled” (Morgenmeldung entfaelct), and
“Intermediate report cancelled” (Zwisnenmeldcng entfaellt x), and yield an IC of 4.6 %, 5.6 %, and
5.8 %.
Modern Breaking of Enigma Ciphertexts 6 Version 5, March 2017
These authentic plaintexts show a lower measure than many random texts with lengths between 18
and 24. The latter easily generate an IC as low as 2 % or as high as 8 % simply by accident.
Therefore, the correct plaintexts can barely be perceived as being plaintexts because of their low
ICs. Also the measure of bigrams and trigrams, or other criteria, does not help much. Because of the
short text lengths and moreover because of garbles, virtually every criterion fails to yield a
significantly higher value than for random texts. Assuming a text length of say 26 letters, then as an
average value each letter of the alphabet occurs only once in the ciphertext. That is the reason why
the statistics do not work well for short texts, especially for garbled ones. Thus, even if a complete
exhaustion of the whole key space of Enigma, including all plugs, were possible, and for each
single key the candidate text could be investigated, it would be virtually impossible to perceive the
correct plaintext. Our statement is therefore, that Enigma ciphertexts with a length shorter than 20
letters are virtually unbreakable. This is true, especially when they contain garbles, and, as long as
they are singular texts and no further information, e.g. cribs or the daily key, is given.
Furthermore, most texts with lengths up to say 20 to 30 letters proved to be practically unbreakable.
Experiments with concocted plaintexts and keys showed that the turning point, where some short
messages become breakable, is for a message length of about 24 letters. Of course, this is no general
statement and there is no sharp limit. The breakability always depends on individual characteristics
of both the plaintext and the key. As a test, the artificial plaintext “EinsxEinsxVierxNullxNull” (One,
one, four, zero, zero) was enciphered using the key B432 rit VOR AH BO CG DP FL JQ KS MU
TZ WY. The resulting ciphertext FVKFC DWRII CYFHV SKQOW QTTH (length = 24) was
broken by the authors’ software tool, which exhausted one wheel order in five hours, while running
in eight parallel instances.
One of the shortest authentic messages that could possibly be broken is message no. 128 TZLPT of
8 July 1941 with a length of 27 letters. The ciphertext XPDBQ LJWFT ULSZC DKQPS WIMGB
YS can be broken by the authors’ software tool and the plaintext “Wo Roem Eins Berta Staffel
Frage” is detected. In this case the plaintext is free of garbles. But, as there exist spurious solutions
with a higher trigram count, the solution is overwritten. If needed, this problem can be solved by a
special assessment stage for the candidate texts. This has to evaluate the occurrence of words,
which we know are frequently used by HG Nord, for instance “Berta”, “Eins”, “Frage”, “Roem”,
etc. By this the real solution can be detected and retained in spite of spurious solutions with a higher
trigram score.
The shortest authentic message that proved breakable with our software is AMERI, with a length of
32, and the second shortest authentic message is PFCXY, with a length of 36. The total key space
for the latter had been exhausted in less than three days. Breaking becomes even more feasible, if
the ciphertext length is greater than 40, as can be shown for other authentic messages of HG Nord.
Curiously enough, some of these messages, with lengths between 40 and 80 letters, broke
surprisingly easily, while others were nearly unbreakable. Typical examples for that are YYBRW
(of 21 Aug 1941 with a length of 46 letters without the Kenngruppe), HODSN (6 Sep 1941, 48),
BOTKB (14 Sep 1941, 69), and ABPQX (24 Sep 1941, 76). Unexpectedly the two shorter ones
broke fairly easily, while the two longer ones proved extremely hard. An interesting question, the
answer to which will help improve the attack, is: What is the reason for a failure or a lucky break?
It was detected that for short messages the expected statistical characteristics vary strongly and do
not match the mean values, which are more or less fulfilled for long messages. A prominent
example is the superb criterion, which generally is highly appreciated and proves an excellent
measure for cryptanalytical attacks, namely Friedman’s IC (e.g., [2, p. 77]). It was found that for
short texts of HG Nord the IC varies significantly. While the plaintexts of PFCXY, YYBRW, and
HODSN show a very high IC of 8.25 %, 7.05 %, and 6.91 %, on the other hand ABPQX and
BOTKB yield an IC of only 4.95 % and 4.90 %. For example, the plaintext after deciphering
BOTKB reads “Nachschubdienste x Null Aqt Vier Nulf x Omytscikino x Omytscukino x
Hartjenstein.” Though the plaintext looks typical at a first glance, with a common message text and
the usual garbles, the letter count yields an unexpected smooth histogram containing only 5 E, and 8
Modern Breaking of Enigma Ciphertexts 7 Version 5, March 2017
N, only 2 R, and 4 X, 5 S, and 6 I, resulting in an IC as low as 4.9 %, which is not much higher than
that of a random text (3.8 %) or the ciphertext itself (4.0 %) and far less than that of a typical
message plaintext (6.1 %) or a common German language text (7.6 %). Furthermore, it has to be
considered that the standard variation σ of a random text of 69 letters is 0.4 %, thus its IC
frequently happens to be in the range of 3.8 % ± 0.4 % or even 3.8 % ± 0.8 % when considering 2⋅σ.
This means, it is likely that a random text of 69 letters happens to yield an IC of 4.6 %, which is
very close to 4.9 % and much the same as the IC of the plaintext BOTKB. That is the reason why
the IC is sometimes useless.
Figure 2. Enigma’s plugboard with the usual number of ten plugs, leaving six letters
unswapped or “self-steckered,” offers 150,738,274,937,250 different selection
options for arranging the plugs. (Source: Wikimedia Commons, accessed 5 April
2016, https://commons.wikimedia.org/wiki/File:DDayMuseumEnigmaMach.jpg)
Fortunately, a full exhaustion of the plugboard (Figure 2) is not needed to find the correct plug
arrangement. As in breaking a monoalphabetic substitution cipher, the plugs can be searched via
hillclimbing. For developing an optimal hillclimbing strategy for searching and, if at all possible,
Modern Breaking of Enigma Ciphertexts 8 Version 5, March 2017
finding only correct plugs during the hillclimb, a thorough understanding of the influence of the
plugboard on the candidate texts is essential. Assuming we stand at the correct location (wheel
order, ring settings, and wheel positions), and then decode the ciphertext, a candidate text comes out,
which would be the correct plaintext, if all ten plugs were correct. But, as they are unknown to the
codebreaker, it is a good choice to start with an empty plugboard. The Wehrmacht strangely enough
decided not to use the maximum number of possible plugs, namely 13, for plugging, but settled for
only 10. That is the reason why an empty plugboard fundamentally already holds the six correctly
self-steckered letters. The whole trick is to retain these, if at all possible, which is equivalent to
finding only correct plugs. Incorrect plugs at most make cryptanalysis harder, and they have to be
corrected earlier or later during hillclimbing, while, in rare cases, they might ease a break. Starting
with some random plugs, therefore, is generally not a good idea, because the hillclimbing then starts
with a handicap, and is comparable to a hypothetical case of defeating more than ten plugs.
If the Wehrmacht had used the maximum number of 13 plugs instead of only 10, this would not
have threatened the codebreaking capabilities at BP, because the Bombe was insensitive to the
number of plugs. However, three further plugs affect the modern hillclimbing techniques, because
the added plugs dim the brightness of the IC, as well as other measures for the plaintext. We
therefore have the curious situation that messages with 13 plugs could have been broken during the
war, whereas today, more than 70 years later with modern ciphertext-only techniques and without
cribs, some of them are still hard to break, perhaps seemingly unbreakable.
To verify this statement, some experiments have been performed utilizing authentic ciphertexts and
keys. The known plaintexts served to create modified ciphertexts. For that, the original keys were
used, but now with all 26 letters plugged, including the six originally unplugged letters. For
example, the key of FHPQX left the six letters B, C, F, J, P, and S unsteckered. As an experiment
the authentic key was re-used, but with the additional plugging BC, FJ, and PS. The original
plaintext, including garbles, was then re-enciphered with this new key with 13 plugs. It resulted in a
new ciphertext. As the experiment showed, also the new ciphertext could be broken by the authors’
software. In contrast to ten plugs, however, thirteen plugs need a higher sensitivity of the program.
This results in a lower execution speed. While the authentic ciphertext of FHPQX with 10 plugs
breaks within a time span of approximately ten minutes per wheel order (on a single core of the
authors’ PC), a break of the modified ciphertext with 13 plugs is significantly slower and needs
about six hours per wheel order. If represented by a factor, one could say the break with 13 plugs is
approximately 30 times harder than with 10 plugs.
Further experiments with other authentic texts showed more or less similar results. The said factor
varies and sometimes, depending on the length of the text and the number of garbles, is significantly
higher, maybe 300. This allows the following conclusion for a fictive scenario of 13 plugs used by
the Wehrmacht. If a ciphertext with ten plugs is broken by a modern hillclimbing software after say
one day of exhaustion time, then the needed time, if 13 plugs had been used, would have been in the
region between one month and one year. In practice, this could make the critical difference, and
could change an easily breakable ciphertext into a seemingly unbreakable one. To the authors’
knowledge, the Wehrmacht, with few exceptions at the very end of the war, almost never used 13
plugs, thus this scenario is a fiction. Fortunately, we have to deal with “only” ten plugs as used by
HG Nord during Operation Barbarossa.
First of all, it is useful to get a thorough understanding of the influence of an empty plugboard
during decryption, as it forms the start for hillclimbing. It is essential to answer the question, what
does a candidate text look like, when the ciphertext is decoded at the correct location but with an
empty plugboard? The scrambler (i.e. the inner part of the Enigma, consisting of the three rotating
wheels and the reflector) now reverses the effect of the same item of the Enigma used for
encryption, and only the influence of the plugboard remains. For that, it is important to consider that
the plugboard affects the text twice. In the first instance, during enciphering a plaintext letter is
permuted by the plugboard, assuming a plug has been set for that specific letter. As usually ten
plugs were inserted, out of the 26 letters of the alphabet 20 were swapped, and six remained
Modern Breaking of Enigma Ciphertexts 9 Version 5, March 2017
unchanged. After that it is substituted by another letter by means of the scrambler and passes the
plugboard a second time. Here it suffices to look at the scrambler as a whole, with its well-known
characteristic of excluding the identity permutation. As a consequence, there exist 25 (and not 26)
possibilities for permuting each of the 26 possible input letters.
In the logical scheme of the scrambler, i.e. the inner part of the Enigma, consisting of the three
rotating wheels and the reflector, (Figure 3) the ciphertext letters enter from the left and the
resulting output letters, forming the candidate text, leave it at the bottom. Here, for the sake of
simplicity, the ten plugs AB, CD, EF, GH, IJ, KL, MN, OP, QR, and ST were assumed, leaving the
six letters U, V, W, X, Y, and Z self-steckered. Because of the well-known characteristic of the
scrambler that no letter ever encrypted to itself (black boxes with o-symbols in the diagonal), only
26 × 25 or 650 different cases have to be considered.
Figure 3. Logical scheme of the scrambler with the ciphertext letters entering from the left
and the resulting output letters, forming the candidate text, leaving at the bottom.
30/650 cases directly yield a plaintext letter (d). (360/23)/650 “accidentally” convert
to a plaintext letter (a fraction of the white cases). 20/650 yield a plaintext letter
because of cross-plugging (c). 120/650 convert to the monoalphabetic substitute (m)
of the plaintext letter.
Assuming the correct location of the scrambler and an empty plugboard, then two scenarios exist
for deciphering a ciphertext letter. Firstly, in the 6 self-steckered cases out of the 26 possible cases
(marked gray in the first column of Figure 3), a ciphertext letter at the input of the plugboard passes
the empty plugboard correctly in the first instance. Afterward it is correctly permuted by the
scrambler, and converted to the correct output letter of the scrambler, avoiding identity to the input
letter. Now, for each of the 6 unsteckered input cases, 25 different output cases have to be
Modern Breaking of Enigma Ciphertexts 10 Version 5, March 2017
considered. When passing the plugboard in the second instance, in 5 out of the 25 output cases, the
output letter of the scrambler passes the plugboard correctly again (marked gray in the last row of
Figure 3), yielding a correct plaintext letter. In the remaining 20 of the 25 output cases the
monoalphabetic substitution of the correct plaintext letter comes out, because the letter is correct
but misses the final permutation of the plugboard. Hereby, the plugs used for encryption give the
involutoric substitution alphabet.
Secondly, in the 20 steckered input cases out of the 26 possible cases, a ciphertext letter passes the
empty plugboard wrongly in the first instance. Afterward, though the scrambler is at its correct
location, the wrongly swapped letter is permuted into a pseudorandom letter, again avoiding the
identity permutation. These output letters then pass the plugboard in the second instance.
To sum up, at the correct location of the scrambler, although the plugboard during deciphering is
empty, a correct plaintext letter can be produced. This happens when the ciphertext letter was self-
steckered and the corresponding plaintext letter was self-steckered too. The chance for it is 30/650
or about 4.6 %. (The number 30 can be verified by counting the boxes marked ‘d’ in Figure 3.)
Furthermore, it can happen that the ciphertext letter was steckered to the plaintext letter. In these
cases, also with an empty plugboard, the correct plaintext letter comes out. The chance for this is
20/650 or approximately 3.1 %. (The number 20 can be verified by counting the boxes marked ‘c’
in Figure 3.) Additionally, because of the arbitrary wirings of the scrambler, and depending on the
specific wirings and the location, a plaintext letter may be produced “accidentally.”
The Enigma is of course perfectly deterministic. Nevertheless sometimes lucky things seem to
happen by accident. For instance, though rather unlikely but not impossible, the following can and
will happen. Assuming the ciphertext letter was plugged, then by deciphering with an empty
plugboard it wrongly passes it unswapped, and the wrong letter reaches the scrambler. Now, with a
probability of 1 in 25 cases, it converts it to the correct plaintext letter “by accident.” Afterward,
during its second pass through the empty plugboard, it remains unchanged and the correct plaintext
letter remains.
Such an occasional conversion of a ciphertext letter to a correct plaintext letter happens in about
16/650 cases or 2.4 %. Besides the 30/650 “direct” plain letters and 20/650 “cross” plain letters,
“accidental” plaintext letters can fundamentally only be produced if both the ciphertext and
plaintext letters are steckered. So one has to observe not the whole square with its total size of
26×26 (see Figure 3), but the smaller white-coloured sub-square with the white edges (meaning
plugged letters). Its size is 20×20. From this the 20 impossible identity cases (black boxes in the
diagonal) and the 20 cross-plain cases (marked ‘c’) have to be subtracted, thus leaving
20×20−20−20 or 360 cases as candidates for “accidental” plain letters. The number 360 can be
verified by counting the number of white boxes of the figure. For these 360 cases, the ciphertext
letter is permuted by the scrambler into another letter, with the exception of the identity and the two
letters that were originally exchanged by the scrambler of the enciphering Enigma. (The scramblers
of the enciphering Enigma and the deciphering Enigma here with its empty plugboard are identical
by definition.) Hence, from 26 possible output letters, there are three that are impossible, leaving
26−3 or 23 possible cases. From these 23 possibilities one will “accidentally” occur, yielding a
chance of 1/23 for each of the letters to happen, one of it being a plaintext letter “by accident”. This
results in a probability of 1/23 out of 360 cases to “luckily” produce a plaintext letter, and exactly
360/23 or 15.652... or the said about 16 out of the 650 total cases.
The three different mechanisms for producing a correct plaintext letter though the plugboard is
empty – namely direct plain, cross plain, and accidental plain – sum up to 4.6 % + 3.1 % + 2.4 % or
about 10.1 %. Moreover, in 120/650 or 18.5 % of the cases (the number 120 can be verified by
counting the boxes marked ‘m’ of Figure 3.), a ciphertext letter is correctly converted during its first
passage of the empty plugboard and by the scrambler, but fails to be swapped in the last instance by
the plugboard. Thus it remains the monoalphabetic substitute of the plaintext letter. In the rest of the
cases, i.e. in 100 % − 10.1 % − 18.5 % or 71.4 %, a letter is cryptographically strongly converted to
Modern Breaking of Enigma Ciphertexts 11 Version 5, March 2017
a pseudorandom letter, which is virtually useless for the codebreaker and for hillclimbing, and
figuratively remains in the “mist.” To stress it again, if the Wehrmacht had decided to use 13
instead of 10 plugs, then the “fog” here would have been substantially thicker for our hillclimber.
The following figure (Figure 4) and table (Table 1) illustrate the influence of the plugboard.
Figure 4. Table 1.
Average influence of the number of correct plugs on the percentage of plaintext letters,
monoalphabetic substitutes, and pseudorandom letters of the candidate texts.
The above percentages are valid for an assumed flat histogram of the plaintext, which naturally for
a real plaintext is rough. Therefore, the actual letter histogram has to be additionally considered
when evaluating the specific numbers of plaintext letters for an individual text. As can be seen from
Figure 4, generally, with an empty plugboard (0 plugs), the part of the pseudorandom letters (71 %)
is dominating; leaving only small parts for plaintext (10 %) and monoalphabetic substitutes (19 %).
In other words, the brightness of e.g. the plaintext trigrams is significantly dimmed. Moreover,
because of the individual enciphering of each letter by the Enigma, contiguous trigrams are more
sensitive to wrong plugs and can be easily ruined. On the contrary, a measure for the
monoalphabeticity, such as the IC, is less affected and dimmed to about 19 %. What can be further
seen, is that for 0 to 3 plugs, the monoalphabetic part remains greater than the plaintext part, though
the latter significantly increases. That is the reason why Friedman's IC works so well when
searching the first few plugs, and pure plaintext measures, e.g. a trigram scoring, do not. This
situation obviously changes after the third correct plug has been found. While the mist part is still
dominating, even for 4 correct plugs, it is continuously decreasing. The plain part in the end
exceeds both the monoalphabetic part and the pseudorandom part. After four correct plugs have
been found, the rest is easy.
6. Practical Aspects
For ciphertext-only attack on the unbroken ciphertexts of HG Nord the authors used a specially
designed software algorithm. It is based on the suggestions of Gillogly, also using the IC for
searching the first few Steckers, but with some modifications, especially concerning the
hillclimbing technique. Tests have shown a relationship between the ICs of different plaintexts and
our inability to break their ciphertexts. The messages BOTKB and ABPOX, both having plaintexts
with low ICs, proved nearly unbreakable with the authors’ software. On the contrary YYBRW and
HODSN, in spite of their even shorter message lengths, broke easily. For instance YYBRW breaks
on the authors’ PC, utilizing a single CPU core only, in less than two hours per wheel order.
Modern Breaking of Enigma Ciphertexts 12 Version 5, March 2017
Running the same software in eight instances simultaneously, each dedicated to a different part of
the key space, using hyper-threading and all four cores of the PC, the complete key space of 60
wheel orders is successfully exhausted in approximately 28 hours.
The reason for the relatively easy breaks was found in the accidentally high IC. Naturally, when
using the IC as the principal measure for plaintext recognition, especially for the detection of the
first few Steckers, plaintexts with a high IC will be recovered both faster and easier than plaintexts
with a low IC. An example for the latter is BOTKB, with an IC not much higher than that of the
ciphertext or an arbitrary random text. The outer program loops for exhaustion, i.e. change of wheel
orders, wheel stepping and ring setting, meaning straightforward programming. But the search for
the correct plugboard connections, especially the finding of the first three or four hopefully correct
Steckers, is the really critical part of the algorithm. It is decisive that a suitable technique for an
efficient and mostly error-free plug search is used. Furthermore, the optimization of the plugboard
must be efficient and capable of eliminating possibly wrong plugs.
It is essential to choose a criterion for the recognition of the plaintext that works with all authentic
plaintexts, independent of accidental variations of the statistics. As described, because of the
observed fluctuations, the IC is not always a sufficiently reliable criterion. This unfortunately is also
the case for other classical or newly developed criteria, be it the Chi-squared statistic for
monograms or bigrams, the Sinkov statistic for monograms or bigrams, the IC for bigrams, or
others. All of them sometimes work surprisingly well for rather long texts and, depending on the
accidental statistics of the plaintext and the specific characteristics of the key (e.g. was the letter E
steckered or not), sometimes really excellently. But unfortunately this cannot be stated generally.
Often a criterion, which may be very efficient for one ciphertext, is absolutely inefficient for
another, as illustrated by the example of the IC and BOTKB.
The authors found that this is also true for bigram scoring. Especially for short texts and even more
for garbled texts, which occur regularly rather than rarely for authentic messages, accidental
bigrams occur such as EN, ER, or RE, which enhance the bigram score significantly, while the
correspondingly tried Steckers are wrong. This leads to a wrong hillclimbing path and the break
fails. A very reliable criterion for the detection of ungarbled plaintext is hexagrams (6-grams). One
of the authors used these successfully for a cryptanalytical challenge created by Dirk Rijmenants in
2007, the breaking of a transposition cipher called the “Crypto Box Challenge” [3]. In this case the
plaintext was absolutely free of garbles and hexagrams proved very efficient and far superior to
bigrams or trigrams. For transposition ciphers the monograms do not change and their numbers are
identical for both ciphertext and plaintext. That is the reason why all monogram statistics are
useless for decrypting a transposition cipher; also bigrams and trigrams are poor.
In the case of Enigma and the garbled messages of HG Nord hexagrams lose efficiency, because of
the frequent garbles. The number of garbles varies strongly. While one third of the texts are free of
garbles or have only one or two, many ciphertexts contain 5 % to 20 % garbles, some even up to 30 %
or more. So a compromise has to be found between long n-grams, which are very efficient for
detecting pure plaintext but sensitive to garbles and short n-grams, which are less sensitive to
garbles, but also less effective in discriminating plaintext. The compromise was found to be
trigrams.
Because of the described reasons the authors decided not to use the IC or bigrams as a measure for
finding Steckers for short ciphertexts. While the IC proves useful in finding the first few correct
plugs for longer messages (length greater than 80 letters), bigrams are not so reliable, neither for
long nor for short texts and neither in finding the first nor the last plugs. In contrast to that, a
trigram score is always useful in finding the last plugs for both short and long messages, garbled or
not.
The dominant question is, what is a suitable, efficient and reliable criterion for finding the first few
correct Steckers for short messages? The authors’ conclusion is, such a criterion simply does not
exist. For short messages it is impossible to distinguish between a random text, or the original
Modern Breaking of Enigma Ciphertexts 13 Version 5, March 2017
ciphertext, or the candidate text resulting from deciphering the ciphertext with the correct key but
with an empty plugboard, and even with a plugboard with one or two correct plugs. Therefore it is
almost impossible to verify the first few correct plugs. This is mostly true for short messages
(length less than 80 letters), but dramatically changes for longer messages. The longer a message is,
the easier it can be broken, the shorter the harder. As said, even a Caesar’s cipher is unbreakable for
a message of length one.
In 1995 Gillogly detected a possibly correct wheel order and wheel starting position, thus a first
step in breaking an Enigma ciphertext, by the power of the IC, which for long texts is strong enough
to “shine through” the empty plugboard even with wrong ring settings. But this is only true for very
long texts. He used a text length of 647 letters, which is far beyond all observed authentic messages.
Williams was successful with another monogram criterion and a modified technique. She used a
length of 450 letters, which is also beyond the maximum length of 250 as ordered by the German
regulations.
This means E, N, X, and R (in this order) are the most frequent letters in Wehrmacht plaintexts,
while C, P, J, and Y occur rather rarely. Y is the rarest letter with an observed frequency of less than
a quarter percent in our HG Nord text base. That is why checking plugs which contain E, N, X, and
R makes more sense and is more efficient than plugs with C, P, J, or Y. Using this, the above
described “solo” technique with full exhaustion of all first plugs was modified, and instead only a
partial exhaustion of the possible plugs for the most frequent letter E was performed. This technique,
here called the “E-Stecker” method, includes the 25 possible partners of E plus the singular case of
a self-steckered E, in total 26 cases. In this way the effort, compared to the “solo” technique, is
reduced by more than a factor of ten and the speed is correspondingly increased.
An alternative and excellent practical compromise with regard to efficiency and speed is to exhaust
not only all 26 possible plugs (including the self-steckered case) for the most frequent letter E, but
additionally for other frequent letters such as N, X, R and so on. That increases the effort for
exhaustion slightly but it remains less than for the full exhaustion of all 325 first plugs. The here
called “R-Stecker” method exhausts all plugs which contain E, N, or R. The number of cases is
25+24+23+1 or 73. And the here called “I-Stecker” method exhausts all plugs, which contain E, N,
R, X, S, or I. The number of cases is 136.
8. Example Decryptions
All the described techniques, beginning with a pure calculation of the IC for the candidate texts
deciphered at all possible wheel orders and start positions with an empty plugboard, as proposed by
Gillogly, over the different methods of hillclimbing and plug exhaustion, up to the extremely slow
Modern Breaking of Enigma Ciphertexts 15 Version 5, March 2017
“quartet” method have been implemented in the authors’ software and compared. A very efficient
technique, which solves many short messages, is “I-Stecker.”
Short messages from the data set HG Nord, which can be broken with our method, are AMERI and
PFCXY with respective lengths of 32 and 36 letters. These cases were not first breaks, because we
already knew the daily keys from breaking longer messages from the same days (27 Aug and 2 Sep
1941). Thus their breaks were not needed. They could simply be decoded with the aid of the given
preamble (Spruchkopf), like how the intended German receiver would read them. Nevertheless, we
were interested to see if they could have been broken without knowledge of the key and therefore
we checked them experimentally. PFCXY broke fairly easy; AMERI was slightly harder but broke
too. Thus both could have been broken in a reasonable time span on the authors’ PC, in the order of
two or three days, by exhausting the whole key space, even if they had been singular messages
without any others from the same days.
An example of a singular and still unbroken short message of HG Nord is CFYZR. It is the only
Enigma message known stemming from 14 July 1941. The keys of some other days of the month
July 1941 are already known, including the key of 13 July, the day before. Knowing keys of
adjacent days is extremely helpful, because the German authorities strangely avoided reusing wheel
orders within a month, and moreover never used a wheel in the same place on two adjacent days
(“non-clashing” rule [18, p. 204]). On 13 July the wheel order was 423. So, it is pretty safe to
assume, that on 14 July, wheel no. 4 was not used as the left-hand wheel, wheel no. 2 was not the
middle wheel, and wheel no. 3 not the right-hand wheel. This immediately reduces the workload
from 60 to only 32 wheel orders. As further 8 wheel orders were known for eight other days of July
1941, only 24 wheel orders remained for exhaustion.
As can be seen in the first line of Figure 6, the message has been sent at 10:05 hours (in the
morning). It is stated to be 77 letters long, including the discriminant CFYZR. The six letters, ULR
AME, are the enciphered message key, which is treated in the following way. With the Enigma
already prepared with the daily key, i.e. correct wheel order, ring setting and plug connections, the
three cipher wheels are set to the basic setting (Grundstellung) ULR. Then the three letters AME
are typed on the keyboard and the letters of the three lit lamps are noted. These three letters make
up the initial or start position for the message and the intended receiver must first set the three
cipher wheels to this position before decoding the message. The codebreaker can also do this, if he
already knows the daily key, but in this case, as it is the only known message of that day, the key
was unknown.
Without the discriminant group the ciphertext of CFYZR is 72 letters long. This message was
broken by the authors’ program, using “I-Stecker,” after less than five days, with each of the four
cores of the PC working in parallel on different wheel orders, needing 28 hours runtime per wheel
order. The key is given in the Appendix, which the reader can use together with a suitable Enigma
simulator, e.g. Dirk Rijmenant’s excellent Enigma simulator [6], to decipher the message,
beginning from its first ciphertext group NFOSO. The emended and translated plaintext of CFYZR
reads, “To Roman One B [Ib is the Chief of Supply] Quartermaster Tank Group Ostrov Ostrov
barracks area” (An Roem Eins Berta x Quartiermeispcr Panz x Gruppe x Ostrow Ostrow x
Kasernengelzenme).
A further advantage of an algorithm that is able to break short texts is that one may split long
Modern Breaking of Enigma Ciphertexts 16 Version 5, March 2017
messages, which are suspected to comprise a stepping of the left-hand wheel. An example for that is
XNRLR (177). Figure 7 shows the authentic message sheet of the Funkspruch. It was received on
9. Conclusion
Based on known methods for ciphertext-only cryptanalysis of Enigma and a data treasure of
approximately 500 genuine radio messages, a thorough investigation of the hillclimbing strategies
and the statistical characteristics of authentic plaintexts was accomplished. The message length, the
number of garbles, the possible occurrence of a left-hand wheel turnover, and the actually used
specific plugs affect a possible breaking success. The influence of an empty plugboard as well as
one with only a few correct plugs was theoretically investigated and experimentally verified. The
results explain the reasons for lucky breaks, close misses, and fatal failures. As a consequence, the
hillclimbing strategy was improved, such that also strongly garbled and short Enigma messages
down to the unicity distance can be successfully attacked. This results in the solution of formerly
unbroken Enigma ciphertexts.
10. Appendix
For additional information, the ciphertexts of all authentic messages mentioned in this paper are
listed here in their order of appearance within this paper. The original ciphertexts from the scans of
the authentic message forms have been transcribed by the authors, and are given together with the
recovered keys. Any suitable Enigma simulator, e.g. the one by Dirk Rijmenants [6] as previously
mentioned, can be used to decipher the texts. Hereby it should be observed that the first 5-letter
group is the discriminant (Kenngruppe) and not part of the ciphertext. Thus the deciphering always
starts with the second group.
Taking the first message FHPQX as an example, the first letters of the ciphertext are FDZCJ.
Before it may be entered into the simulator (or a real Enigma) the cipher machine has to be set to
the correct key. The key here is given with a first group (e.g. ‘B423’) for the rotor set, indicating the
reflector B, and the three rotating wheels, to be inserted from left to right (here using Roman
Modern Breaking of Enigma Ciphertexts 18 Version 5, March 2017
numbers instead of the Arabic 423) wheel IV as the left-hand wheel, wheel II as the middle wheel,
and wheel III as the right-hand wheel. The second group (here ‘gto’) indicates the ring setting
(Ringstellung) for the three rotors. Some machines do not use letters for the rings, but numbers
instead. Here, ‘a’ corresponds to ‘1’, ‘b’ to ‘2’, ‘c’ to ‘3’, and so on until ‘z’ to ‘26’. So, ‘gto’ can be
substituted by ’07 20 15’.
Then the start position (here ‘SDV’) for the three rotors is given, which afterward can be checked
through the windows of the Enigma. Again, some machines here use numbers instead of letters.
And again the same relation is valid, namely ‘A’ corresponds to ‘1’, ‘B’ to ‘2’, ‘C’ to ‘3’, and so on
until ‘Z’ to ‘26’. Instead of ‘SDV’ then ’19 04 22’ is the start position. Finally, the ten plugs
(Stecker) are defined, here starting with the plug AD (meaning a cross-over plug between the letters
A and D), then EH and so on, until at last the plug UW. Now the ciphertext, beginning with FDZCJ
can be entered, and the plaintext lights up, starting with ANXPA, the first letters of “An Panz.
Gruppe Vier” (To Tank Group 4).
The scans as well as the raw and emended plaintexts, their translation, and more detailed
information will be made available on-line at www.cryptocellar.org.
Acknowledgments
The authors gratefully appreciate the support of Michael van der Meulen, who gave us access to his
collection of authentic German Enigma messages. His generous gift is the very foundation of the
described codebreaking project and without it the project would never have been started. Very
special thanks are due to Bernhard Richt for the always inspiring crypto talks and especially for his
contributions in clarifying the exact number of the “accidental” plaintext letters. As always we are
very grateful to our good friend and fellow researcher, Geoff Sullivan, whom we wanted to have on
board as a co-author but who this time decided to support and rally us from the sideline. We
sincerely thank Ralph Erskine for the thorough review and his most valuable comments.
References
[1] Anon. 1945. History of Hut 6, In Three Volumes. UK National Archives, HW 43/70–72.
[2] Bauer, C. P. 2013. Secret History: The Story of Cryptology. Boca Raton: CRC Press.
[3] “Crypto Box Challenge.” 2007. Crypto Box Challenge by Dirk Rijmenants,
http://users.telenet.be/d.rijmenants/en/boxchallenge.htm (accessed 5 April 2016)
[4] Davies, D. W. 1999. “The Bombe A Remarkable Logic Machine,” Cryptologia, 23(2):108–138.
[5] Deavours, C. A. 1977. “Unicity Points in Cryptanalysis,” Cryptologia, 1(1):46–68.
[6] Enigma Simulator by Dirk Rijmenants,
http://users.telenet.be/d.rijmenants/en/enigmasim.htm (accessed 5 April 2016)
[7] Friedman, W. F. 1920. The Index of Coincidence and Its Applications in Cryptography.
Riverbank Laboratories, Publ. No. 22, Geneva, IL. Reprinted by Aegean Park Press, 1987.
http://math.boisestate.edu/~liljanab/MATH509Spring2012/IndexCoincidence.pdf (accessed 5 April
2016)
[8] Gillogly, J. J. 1995. “Ciphertext-only Cryptanalysis of Enigma,” Cryptologia, 19(4):321–413.
[9] Hamer, D. H., Sullivan, G., and Weierud, F. 1998. “Enigma Variations: An Extended Family of
Machines,” Cryptologia, 22(3):211–229. http://cryptocellar.org/pubs/enigvar.pdf
(accessed 5 April 2016).
[10] Hinsley, F. H. et al. 1981. British intelligence in the Second World War, Vol. 2. London: Her
Modern Breaking of Enigma Ciphertexts 21 Version 5, March 2017
Majesty’s Stationery Office (HMSO).
[11] Jackson, J. ed. 2014. Solving Enigma’s Secrets: The Official History of Bletchley Park’s Hut 6.
Redditch: BookTowerPublishing. (Edited version of [1]).
[12] Kruh, L. and Deavours, C. 2002. “The Commercial Enigma: Beginnings of Machine
Cryptography,” Cryptologia, 26(1):1–16.
[13] Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. 1996. Handbook of Applied
Cryptography, Boca Raton: CRC Press.
[14] Oberkommando der Wehrmacht. 1940. Schlüsselanleitung zur Schlüsselmaschine Enigma,
H.Dv.g. 14, Reichsdruckerei, Berlin. http://www.ilord.com/enigma-manual1940-german.pdf
(accessed 5 April 2016).
[15] Ostwald, O. and Weierud, F. 2016. “History and Modern Cryptanalysis of Enigma’s Pluggable
Reflector,” Cryptologia, 40(1):70–91.
[16] Rijmenants, D. 2010. “Enigma Message Procedures Used by the Heer, Luftwaffe and
Kriegsmarine,” Cryptologia, 34(4):329–339.
[17] Shannon, C. E. 1949. “Communication Theory of Secrecy Systems,” Bell System Technical
Journal, 28(Oct):656–715. http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf
(accessed 5 April 2016)
[18] Sullivan, G. and Weierud, F. 2005. “Breaking German Army Ciphers,” Cryptologia,
29(3):193–232. http://www.tandf.co.uk/journals/pdf/papers/ucry_06.pdf
(accessed 5 April 2016)
[19] Welchman, G. 1982. The Hut Six Story: Breaking the Enigma Codes, London: Allen Lane.
[20] Williams, H. 2000. “Applying Statistical Language Recognition Techniques in the Ciphertext-
Only Cryptanalysis of Enigma,” Cryptologia, 24(1):4–17.