Professional Documents
Culture Documents
Rejewski’s Attack
J. Andres Montoya
March 18, 2020
Abstract
Work in progress
1
The circles are connected by 26 wires, each one connecting a label of the outer
circle with a label of the inner circle. In the above …gure we have represented
those wires with curves colored gray. Notice that the disposition of those wires
determines a permutation of the alphabet, in our case the permutation
A B C ::: Y Z
C A I ::: B D
2
Notice that the wiring remains the same.
The machine counted with a second wiring connecting the innermost labels
between them. This second wiring de…nes a second permutation, that we de-
note with the symbol r, and which corresponds, in our speci…c example, to the
permutation
A B C ::: Y Z
:
U E Z ::: J C
To encipher a letter with this machine, you locate the letter on the outside
rim, and then follow the path that the current state of the machine indicates.
For example, if the machine is in its initial state, A becomes …rst C, then Z,
then E (see the red path in the …gure below)
When you have done this, the rotor moves, so now the machine looks like
this:
3
In this state, A becomes B, then successively A; Z; C; D; Z, and …nally Y .
After transmitting Y the rotor moves again, and now A is enciphered by Q.
Suppose that the massage to be transmitted is AAA. This message is then
enchipered and transmitted as EY Q. Now suppose that EY Q is received, the
operator sets the machine in its initial state and carries out the same process,
getting AAA. Thus, the machine was used for enchipering and for dechipering.
If we suppose that the machine is in its initial default state, then the per-
1
mutation computed by it can be expressed as r : After k transmissions
the permutation computed by the machine becomes equal to
!k 1
! k
r !k ! k
;
where ! is the shift that moves each character one position to the right and
sends Z to A:
Do you understand how the simpli…ed machine works? If yes, you can now
consider the machine with three rotors.
Thus, suppose that the machine now has three rotors (diagrammatically
four circles). Each one of those rotors has its own wiring, which implements a
permutation i , i = 1; 2; 3: If we suppose that this machine is in its initial state,
then the permutation computed by it can be expressed as
1 1 1
1 2 3 r 3 2 1
where ! denotes, once again, the shift that moves each character one position
to the right and sends Z to A:
So far so good: the complicated machine computes a polyalphabetic cipher
of period 26; wich is very easy to break using frequency analysis.
4
Thus, Enigma operators can easily set any re‡ector r in the …eld. The three
wirings related to the three rotors were not so easy to reset in the …eld, and hence
these three wirings (permutations) were left …xed along the war. Now take into
account that the cryptographic scenario that we are considering corresponds to
a private-key scenario: Alice (a enigma operator) and Bob (a second Enigma
operator) met before the war to construct a common secret. This common secret
is modeled by two random variables:
3
1. X, which is uniformly distributed over the set (S26 ) , and which corre-
sponds to the choice of the three rotor permutations.
N
2. Y , which is uniformly distributed over the set (R26 ) , where R26 is the set
of all re‡ectors and N is a large integer, larger than the expected duration
of the war (in days).
The variable Y corresponds to the choice of a word r1 rN , such that for
all i N the containment ri 2 R26 holds. This word was used as follows:
Each Enigma operator had to set his machine, at 00 : 00 of the i-th day, in
such a way that the re‡ector computed by the innermost wiring was equal to
ri :
The use of Y avoided the possibility of using frequency analysis uniformly
over the set of messages intercepted along the development of war: the polyal-
phabetic code used for encryption changed day by day.
We have to notice that guessing, or computing, the value of Y was completely
unfeasible. However, if one …xes i, and he considers the set Si constituted by
all the cipertexts intercepted along the i-th day, he get that all those cipertexts
were encoded using the same polyalphabetic code of period 26: Then, if the
subset Sin ; constituted by all the messages intercepted before the noon of the
i-th day, was large enough, he can use frequency analysis to decipher all those
messages and the messages intercepted in the remaining of the day.
German military knew all that, and because of this they implemented a
further security measure: each Enigma operator had to randomly choice the
initial con…guration of the machine before transmission.
It happens that the three rotors can be easily rotated (in the …eld), and
each Enigma operator could easily set his machine in an arbitrary con…guration,
which could be described by three pairs of characters
(A; X1 ) ; (A; X2 ) and (A; X3 ) ;
the …rst one indicating which character was now placed below the outermost A,
or equivalently indicating how many degrees the …rst rotor was moved clockwise.
The second and third pairs indicate how many degrees the second and third
rotors were moved.
Notice that this latter security measure avoided the possibility of looking at
Sin as a set of cipertexts produced by the same polyalphabetic code. Moreover,
there were 263 di¤erent polyalphabetic codes that could be used to produce
each one of the cipertexts in Sin . The latter made frequency analysis becomes
unfeasible.
5
3 Computing the Settings of the i-th Day
Now suppose that we are Eve, that is: suppose that we are polish cryptanalists
working at the Chi¤ er Buro, and suppose that it is the noon of the i-th day.
We have full access to the set Sin : what should we do with all those cipertexts?
The goal of the attack is to compute the setting of the machine, that is: we
have to compute the permutations ri ; 1 ; 2 and 3 : Recall that 1 ; 2 and 3
were …xed along the war, and it means that a successful attack at day j reveals
the value of those three permutation for this day and for all the subsequent days.
Can we count with a successful attack performed before day i? The history of
classical cryptography is a history of mathematical ingenuity and espionage.
It happens that 1 ; 2 and 3 were known before the war because the polish
military could capture an Enigma machine. Thus, the goal of the attack reduces
to compute ri :
6
Notation 2 We use the symbol t;i;j;k to denote the above permutation which
may be factored as At r A t .
Suppose that one can compute 0;i;j;k for some triple i; j; k: Recall that
0;i;j;k is de…ned by
1 1 1
!i 1 ! j
2 !k 3 r 3 ! k
2 !j 1 ! i;
we notice that this set is the concatenation of two sets, the sets
X1 X2 X6 w:
We know that this string is the enciphering of a string that has the form
Y1 Y1 Y2 Y2 Z3 Z3 u:
We get that:
Proof. Recall that the encodings computed by the machine are self-invertible.
We have that
7
4 The Little Theorem of Rejewski
We want to compute the settings of day i; which are completely encoded by the
re‡ector ri . We can use Rejewski’s Learning Procedure to compute 1 0 : Can
we compute 0 from 1 0 ? Here is the point where one has to use a little bit
of group theory.
A Rejewski equation is an equation X1 X0 = : Given one of those equa-
tions, (learned with the help Rejewski’s Procedure) we want to compute all the
pairs of re‡ectors that satisfy it.
1
De…nition 5 Let X; Y be two permutations, the product X Y X is called
the conjugate of Y by X.
Let be a permutation. We know that this permutation can be decomposed
as product of disjoint cycles. Let c1 ; :::; ck be the cycles in the decomposition of
, let l1 ; :::; lk be the lengths of those cycles, and suppose that l1 lk .
De…nition 6 We say that (l1 ; :::; lk ) is the cyclic shape of :
It is easy to prove the following proposition.
1
Proposition 7 The cyclic shape of f and the cyclic shape of g f g are the
same.
We get the following corollary.
Corollary 8 Conjugates of re‡ectors are re‡ectors.
We get that 0 and 1 are re‡ectors, and we get that the permutation 1 0
is the composition of two re‡ectors. Rejewski asked: what can be said about
the composition of two re‡ectors? He proved a theorem related to this question,
it is The Little Theorem of Rejewski, or: The Theorem that Won the War.
Theorem 9 Let r1 ; r2 be two re‡ectors, and let h be a permutation.
1. If h = r1 r2 , then we have that the cyclic decomposition of h is constituted
by disjoint cycles that can be grouped into pairs of the same length.
2. If h has the above form, then it is the composition of two re‡ectors.
Why is the above theorem useful?
Let f : R26 R26 ! S26 be the function de…ned by
f (r1 ; r2 ) = r1 r2 :
What is the image of f ? The image of f could have been equal to R26 : If the
latter were the case any Rejewski equation would become useless, since it would
have jR26 j solutions on average. The LittleTheorem of Rejewski tells us the
image of f is the set H26 , which is the set constituted by all the permutations
whose cyclic decompositions are similar to the cyclic decomposition of h (the
cycles in those decompositions can be grouped into pairs of the same size). We
2
get that a Rejewski equation has jR 26 j
jH26 j solutions on average.
8
Lemma 10 We have that:
26!
1. jR26 j = 13!213
26!
1. 13!213 7:905 1012 :
26!
2. (13!)2 213
= 1269:6:
Thus, we have that the equations that can be computed using Rejewski’s
Learning Procedure have approximately 1300 solutions. Notice that, on one
hand, one cannot enumerate 1012 re‡ectors to check which one of them can be
suitably used for dechipering. Notice that, on the other hand, it is possible,
and it could feasible, to enumerate the 1300 solutions of a typical Rejewski’s
equation.