While the Allies couldn't acquire the daily keys we looked at in Part 2.4, they could acquire “sigint” (signals intelligence): the message keys were transmitted by radio, and the Allies could eavesdrop. At first glance, this doesn't seem useful, since the message keys would be encrypted. But there's one more factor: to ensure the message key was received, the Germans sent it twice. This meant that the Allies could determine two different encryptions for the same letter. We now explore how this allowed the Allies to take advantage of the theorem that broke Enigma and won the war.
We will again proceed in several parts, pausing to look at some specific activities along the way.
Figure 19. Bletchley Park mansion, headquarters of the Enigma code breaking effort.
Photograph by Matt Crypto, public domain.
To begin to unravel how having two different encryptions for the same letter helped the Allies break the full Enigma code, we start with our paper Enigma.
Since our paper Enigma has only one keyboard rotor, we only need to specify one initial position, so our message key would consist of a single letter. Suppose this unknown letter is \(\alpha\). This would be encrypted by \(E_{1}\) and again by \(E_{2}\); note that these encryptions would be based on the daily key. Other users would choose other message keys, but again encrypt them using the daily key, and we might accumulate a set of intercepted encrypted message keys, say \[\begin{array}{ccccc}cf &ed &da &ae &fb\end{array}.\]
Let's consider \(cf\). By assumption, this a repetition of our message key \(\alpha\); in other words, it is an encryption, using the daily key, of the “message” \(\alpha\alpha\), in which the first \(\alpha\) is encrypted using \(E_{1}\) and the second \(\alpha\) is encrypted using \(E_{2}\).
Since the first \(\alpha\) is encrypted as \(c\), we know that \(E_{1}(\alpha) = c\); and since \(E_{1}\) is a proper involution—and so it can be expressed as a product of transpositions—we know that \(E_{1}\) includes the transposition \((\alpha c )\). By the same reasoning, we know that \(E_{2}(\alpha) = f\), so \(E_{2}\) must contain the cycle \((\alpha f)\).
Now consider \(E_{2}E_{1}\). Since \(E_{1}\) contains the transposition \((\alpha c)\), and \(E_{2}\) contains the transposition \((\alpha f )\), it follows that \(E_{2}E_{1}(c) = f\).
Note that \(E_{2}E_{1}\) is not an Enigma encryption, so we don't know if it can be written as a product of transpositions. What we do know is part of an orbit of \(E_{2}E_{1}\), namely \(c \rightarrow f\). This means the cycle decomposition of \(E_{2}E_{1}\) contains a cycle of the form \((\ldots cf\ldots)\).
By a similar argument, the intercepted message code \(ed\) means that \(E_{1}(\beta) = e\) and \(E_{2}(\beta) = d\), where \(\beta\) is the unknown message key; consequently, we know part of an orbit of \(E_{2}E_{1}\), \(e\rightarrow d\), so the cycle decomposition of \(E_{2}E_{1}\) contains a cycle of the form \((\ldots ed\ldots)\).
Now consider \(da\). This tells us part of an orbit of \(E_{2}E_{1}\), namely \(d\rightarrow a\). But we already know \(e \rightarrow d\), which means we can extend our orbit. The intercepted \(ae\) tells \(a\rightarrow e\), which closes the orbit: \[e\rightarrow d \rightarrow a\rightarrow e\] and gives us one cycle \((eda)\) in the cycle decomposition of \(E_{2}E_{1}\).
Likewise, the intercepted \(fb\) allows us to extend the other orbit to \[c\rightarrow f \rightarrow a.\] Note that we are assuming a six-letter alphabet, so \(b\) must be mapped back to \(c\), giving us the cycle \((cfb)\); consequently, \(E_{2}E_{1} = (eda)(cfb)\).
To explore these ideas further, continue to the Activities for Part 3.1 (Cycle Decomposition).
Return to the overview of Part 3 (Breaking Enigma).
Skip to the overview of Part 3.2 (Rejewski’s Theorems).
NOTE: In the following, we'll gradually scale our way up towards the full Enigma encryption on 26 letters.
Return to the overview of Part 3.1 (Cycle Decomposition).
Continue to the overview of Part 3.2 (Rejewski's Theorems).
In the activities for Part 3.1, you might have noticed some intriguing patterns when proper involutions are multiplied:
These patterns are in fact real, for Rejewski proved:
Rejewski’s Theorem.The product of two proper involutions on the same elements can be expressed as a product of pairs of cycles of the same length.
We'll omit the proof here, though it can be found in Rejewski’s paper [Rejewski 1980].
Mathematicians tend to honor theoretical results: hence “Rejewski’s Theorem”. However, this theorem played little role in breaking Enigma, as it simply provides a theoretical guarantee for an observed fact. One is reminded of Hardy’s claim that pure mathematics is useless—the abstract algebra tells us nothing we didn’t already know.
The theorem that actually broke Enigma is an (unnamed) consequence of Rejewski’s Theorem; Rejewski called it a corollary, though its proof is a little more involved than one would expect from a corollary. As with the main theorem, the proof can be found in [Rejewski 1980]. We’ll take the opportunity to give it a name worthy of its significance and call it:
The Enigma Theorem. Let \(\sigma, \tau\) be proper involutions on the same elements. If a transposition \((xy)\) appears in exactly one of the involutions, \(x, y\) will be in different cycles of the same length in the product \(\sigma\tau\); and if \((xy)\) appears in both, \(x, y\) will appear as a 1-cycle in the product.
Consequently, any transposition in exactly one of the \(\sigma, \tau\) must have its elements split between two equal-length cycles in the product.
For example, suppose \(E_{1}, E_{2}\) are proper involutions on our six-letter alphabet, and our intercepted message keys allow us to determine \(E_{2}E_{1} = (afe)(bdc)\). The Enigma theorem permits us to rule out certain possibilities for our encryptions. For example, neither \(E_{1}\) nor \(E_{2}\) can be \((af)(bd)(ce)\), because if either included the transposition \((af)\), then \(a\), \(f\) would be split among different cycles in the product \(E_{2}E_{1}\), instead of being in the same cycle.
There are in fact 15 possible proper involutions on six elements, and so 15 possibilities for each of \(E_{1}\) and \(E_{2}\), and 225 possibilities for the pair of involutions. However, knowing \(E_{2}E_{1} = (afe)(bdc)\) means that \(E_{1}\) and \(E_{2}\) must be one of
\[\begin{array}{cccccc}P &= (ab)(fd)(ec) &Q &= (ab)(fc)(ed) &R &= (ad)(fb)(ec)\\S &= (ad)(fc)(eb) &T &= (ac)(fb)(ed) &U &= (ac)(fd)(eb)\end{array}\]
Moreover, by the Enigma Theorem, we know that no transposition appears in both. Thus certain choices can be excluded: For example, \(E_{1} = P\) and \(E_{2} = R\) is ruled out, because both contain \((ec)\). In this way, our 225 possibilities for \(E_{1}\) and \(E_{2}\) reduce to just twelve:
At this point, we can use trial-and-error (some trial-and-error is necessary in any cryptographic problem); we find \(RQ = (afe)(bdc)\), so \(E_{2} = R\), \(E_{1} = Q\).
To explore these ideas further, continue to the Activities for Part 3.2 (Rejewski’s Theorems).
Return to the overview of Part 3 (Breaking Enigma).
Skip to the overview of Part 3.3 (Breaking the Full Enigma).
Return to the overview of Part 3.2 (Rejewski's Theorems.
Continue to the overview of Part 3.3 (Breaking the Full Enigma).
Now let's turn to the full Enigma system. With three rotors, the message key would consist of three letters. Let the unknown letters be \(\alpha\), \(\beta\), \(\gamma\). Using the daily key, these would be encrypted and sent twice. Suppose Allied codebreakers listened in, and found that \(\alpha\beta\gamma\ \alpha\beta\gamma\), encrypted using the daily code, was \(xkr \, bjs\).
Because we know that this is a three-letter sequence sent twice, then \(x\) and \(b\) are different Enigma encryptions of the same (unknown) letter \(\alpha\). Since \(x\) was the first letter of the message, this tells us
\[E_{1}(\alpha)=x\]
Since \(E_{1}(\alpha) = x\), it follows that cycle decomposition of \(E_{1}\) contains the transposition \((\alpha x)\).
Similarly \(b\), the fourth letter of the message, was encrypted using \(E_{4}\), so we know
\[E_{4}(\alpha)=b\]
and so the cycle decomposition of \(E_{4}\) contains the transposition \((\alpha b)\). Consequently, \(E_{4}E_{1}(x) = b\), so \(E_{4}E_{1}\) must include some cycle \((\ldots xb \ldots)\).
If we could obtain enough messages (and the British generally could), we can extend this cycle. For example, suppose we had another encrypted message key \(bha \, ttr\). Again, the first and third letters are the encryptions of the same plaintext, so this tells us \(E_{4}E_{1}(b) = t\), which allows us to extend our orbit; consequently, \(E_{4}E_{1}\) contains a cycle \(\ldots xbt \ldots\).
As a more detailed example, suppose we intercepted the following encrypted message keys:
\[\begin{array}{ccccc}jju\, ltl & \,\,\,\,\,\,\,\,\,\,\,\,\,\,\, &vxk\, ujs & \,\,\,\,\,\,\,\,\,\,\,\,\,\,\, &edi\, mvd & &cvk\, nas\\ iro\, afc & \,\,\,\,\,\,\,\,\,\,\,\,\,\,\, &urq\, wfo & \,\,\,\,\,\,\,\,\,\,\,\,\,\,\, &wgj\, iug & \,\,\,\,\,\,\,\,\,\,\,\,\,\,\, &sfb \,fbj \end{array}\]
The first intercept \(jju\, ltl\) tells us \(E_{4}E_{1}(j) = l\). This tells us \(E_{4}E_{1}\) includes a cycle \((\ldots jl \ldots)\). Unfortunately, no other intercept has \(l\) in the first position, nor \(j\) in the fourth, so we can't extend our knowledge of the cycle.
The second intercept is \(vxk\, ujs\). This tells us \(E_{4}E_{1}(v) = u\). Notice the sixth intercept is \(urq\, wfo\), which tells us \(E_{4}E_{1}(u) = w\).
The seventh intercept is \(wgj\, iug\), which tells us \(E_{4}E_{1}(w) = i\). Then the fifth intercept \(iro\, afc\) tells us \(E_{4}E_{1}(i) = a\). Put together, we see that \(E_{4}E_{1}\) must contain a cycle \((\ldots vuwia \ldots)\).
In this way, while we don't know the permutations \(E_{4}\) or \(E_{1}\) separately, we can recover cycles in their product \(E_{4}E_{1}\). In a similar way, by looking at the second and fifth letters of each message key, we can begin to recover the cycle decomposition of \(E_{5}E_{2}\); and the third and sixth letters of the message keys will allow us to begin to recover the cycle decomposition of \(E_{6}E_{3}\). In general, the Allies were able to intercept enough encrypted message keys to recover the full cycle decomposition of these products; the Enigma Theorem could then be used to limit the possibilities for the \(E_{i}\)s.
For example, suppose we find \(E_{4}E_{1}\) has cycle decomposition
\[E_{4}E_{1} = (xjlr)(pmhk)(aut)(ocd)(sfe)(yvg)(b)(i)(n)(q)(w)(z),\]
where we could again omit the 1-cycles, but we include them for clarity.
Consider the two 4-cycles. The Enigma Theorem guarantees the transpositions that make up \(E_{1}\) and \(E_{4}\) consist of one of \(x\), \(j\), \(l\), \(r\) with one of \(p\), \(m\), \(h\), \(k\): for example, \((xk)\). Thus, while there are 22 ´ 21 ´ 20 ´ 19 = 175,560 possible transpositions \((x\alpha)\), \((j\beta)\), \((l\gamma)\), \((r \delta)\), the Enigma theorem reduces this down to 24 possibilities. We can then use trial-and-error to determine the actual transpositions in \(E_{4}\) and \(E_{1}\). This last part was handled by the first electromechanical computers: first by the Polish bomba kryptologiczna (“cryptologic bomb” in Polish), and later by Turing's “bombe”. In this way, the Poles, and later the Bletchley Park group, were able to determine the internal wirings of the Enigma rotors and subsequently decrypt most German military communications.
Figure 20. Wartime photograph of a Bletchley Park Bombe, 1945.
Photographer unknown. Wikimedia Commons, public domain.
It’s worth pointing out that this analysis is only possible because of the reflector. Because of the reflector, all Enigma permutations are proper involutions. Sigint efforts gave the Allies knowledge of products of Enigma permutations, and the Enigma Theorem allowed those permutations to be “factored” into the individual Enigma permutations.
To explore these ideas further, continue to the Activities for Part 3.3 (Breaking the Full Enigma).
Return to the overview of Part 3 (Breaking Enigma).
Note: If you want to produce your own Enigma encryptions, there are several online Enigma emulators, such as this one.
Return to the overview of Part 3.3 (Breaking the Full Enigma).