Rejewski’s Lost Theorem: Entropic Analysis of

Rejewski’s Attack
J. Andres Montoya
March 18, 2020

Abstract
Work in progress

Rejewski’attack to Enigma code is one of the gems of classical cryptography.

Classical cryptography was, in opposition to the modern science of cryptogra-
phy, a kind of art. We can use the modern ideas of information theory and
algorithmics to understand this gem of cryptanalysis.

1 The Enigma Machine

How did Enigma machine works? Let us begin considering a simpli…ed version
of Enigma. This simpli…ed version has just one rotor, while the real machine
had three rotors.
The simpli…ed machine is well represented by a diagram that is constituted
by two concentric circles (see the …gure below). Each one of those circles is
partitioned into 26 angular sections measuring 226 degrees. We suppose that
each section is labeled with a pair of characters of the English alphabet. In the
initial con…guration those 26 sections are labeled by the pairs (A; A) ; :::; (Z; Z)
(see the …gure).

1
 The circles are connected by 26 wires, each one connecting a label of the outer
circle with a label of the inner circle. In the above …gure we have represented
those wires with curves colored gray. Notice that the disposition of those wires
determines a permutation of the alphabet, in our case the permutation

A B C ::: Y Z
C A I ::: B D

that we denote with the symbol :

The machine was a electromechanical machine, and it was designed in such a
way that the rotor advances clockwise with each transmitted character. The ro-
tor advances exactly 226 degrees with each input letter. Then, after transmitting
the …rst character, the labels of the circles change to (A; B) ; (B; C) ; : : : ; (Z; A)
(see the …gure below).

2
 Notice that the wiring remains the same.
The machine counted with a second wiring connecting the innermost labels
between them. This second wiring de…nes a second permutation, that we de-
note with the symbol r, and which corresponds, in our speci…c example, to the
permutation
A B C ::: Y Z
:
U E Z ::: J C
To encipher a letter with this machine, you locate the letter on the outside
rim, and then follow the path that the current state of the machine indicates.
For example, if the machine is in its initial state, A becomes …rst C, then Z,
then E (see the red path in the …gure below)

When you have done this, the rotor moves, so now the machine looks like
this:

3
 In this state, A becomes B, then successively A; Z; C; D; Z, and …nally Y .
After transmitting Y the rotor moves again, and now A is enciphered by Q.
Suppose that the massage to be transmitted is AAA. This message is then
enchipered and transmitted as EY Q. Now suppose that EY Q is received, the
operator sets the machine in its initial state and carries out the same process,
getting AAA. Thus, the machine was used for enchipering and for dechipering.
If we suppose that the machine is in its initial default state, then the per-
1
mutation computed by it can be expressed as r : After k transmissions
the permutation computed by the machine becomes equal to

!k 1
! k
r !k ! k
;
where ! is the shift that moves each character one position to the right and
sends Z to A:
Do you understand how the simpli…ed machine works? If yes, you can now
consider the machine with three rotors.
Thus, suppose that the machine now has three rotors (diagrammatically
four circles). Each one of those rotors has its own wiring, which implements a
permutation i , i = 1; 2; 3: If we suppose that this machine is in its initial state,
then the permutation computed by it can be expressed as
1 1 1
1 2 3 r 3 2 1

After k transmissions the permutation computed by the machine with three

rotors becomes equal to
1 1 1
!k 1 ! k
2 !k 3 ! k
r !k 3 ! k
2 !k 1 ! k

where ! denotes, once again, the shift that moves each character one position
to the right and sends Z to A:
So far so good: the complicated machine computes a polyalphabetic cipher
of period 26; wich is very easy to break using frequency analysis.

2 The Communication Protocol of German Mil-

itary
However, the code was not easy to break!
The machine was designed to be used in the …eld, and it could be easily
reseted in the …eld. The 26 innermost labels in our diagram corresponded to
26 electrical terminals. Enigma operators counted, within their toolkits, with a
set of 13 wires, which they can use to create perfect matchings covering those
26 terminals. Each perfect matching corresponded to a wiring and to a special
type of permutations that we call re‡ectors.

De…nition 1 A permutation 2 S26 is called a re‡ector, if and only if, it can

be decomposed as a product of disjoint cycles of length 2:

4
 Thus, Enigma operators can easily set any re‡ector r in the …eld. The three
wirings related to the three rotors were not so easy to reset in the …eld, and hence
these three wirings (permutations) were left …xed along the war. Now take into
account that the cryptographic scenario that we are considering corresponds to
a private-key scenario: Alice (a enigma operator) and Bob (a second Enigma
operator) met before the war to construct a common secret. This common secret
is modeled by two random variables:
3
1. X, which is uniformly distributed over the set (S26 ) , and which corre-
sponds to the choice of the three rotor permutations.
N
2. Y , which is uniformly distributed over the set (R26 ) , where R26 is the set
of all re‡ectors and N is a large integer, larger than the expected duration
of the war (in days).
The variable Y corresponds to the choice of a word r1 rN , such that for
all i N the containment ri 2 R26 holds. This word was used as follows:
Each Enigma operator had to set his machine, at 00 : 00 of the i-th day, in
such a way that the re‡ector computed by the innermost wiring was equal to
ri :
The use of Y avoided the possibility of using frequency analysis uniformly
over the set of messages intercepted along the development of war: the polyal-
phabetic code used for encryption changed day by day.
We have to notice that guessing, or computing, the value of Y was completely
unfeasible. However, if one …xes i, and he considers the set Si constituted by
all the cipertexts intercepted along the i-th day, he get that all those cipertexts
were encoded using the same polyalphabetic code of period 26: Then, if the
subset Sin ; constituted by all the messages intercepted before the noon of the
i-th day, was large enough, he can use frequency analysis to decipher all those
messages and the messages intercepted in the remaining of the day.
German military knew all that, and because of this they implemented a
further security measure: each Enigma operator had to randomly choice the
initial con…guration of the machine before transmission.
It happens that the three rotors can be easily rotated (in the …eld), and
each Enigma operator could easily set his machine in an arbitrary con…guration,
which could be described by three pairs of characters
(A; X1 ) ; (A; X2 ) and (A; X3 ) ;
the …rst one indicating which character was now placed below the outermost A,
or equivalently indicating how many degrees the …rst rotor was moved clockwise.
The second and third pairs indicate how many degrees the second and third
rotors were moved.
Notice that this latter security measure avoided the possibility of looking at
Sin as a set of cipertexts produced by the same polyalphabetic code. Moreover,
there were 263 di¤erent polyalphabetic codes that could be used to produce
each one of the cipertexts in Sin . The latter made frequency analysis becomes
unfeasible.

5
3 Computing the Settings of the i-th Day
Now suppose that we are Eve, that is: suppose that we are polish cryptanalists
working at the Chi¤ er Buro, and suppose that it is the noon of the i-th day.
We have full access to the set Sin : what should we do with all those cipertexts?
The goal of the attack is to compute the setting of the machine, that is: we
have to compute the permutations ri ; 1 ; 2 and 3 : Recall that 1 ; 2 and 3
were …xed along the war, and it means that a successful attack at day j reveals
the value of those three permutation for this day and for all the subsequent days.
Can we count with a successful attack performed before day i? The history of
classical cryptography is a history of mathematical ingenuity and espionage.
It happens that 1 ; 2 and 3 were known before the war because the polish
military could capture an Enigma machine. Thus, the goal of the attack reduces
to compute ri :

3.1 The Core of Rejewski’s Attack: Learning 1 0

There was an important ‡aw in the communication protocol employed by Ger-
man military:
Suppose that operator Alice wanted to communicate something to opera-
tor Bob. Alice had to choose a random initial con…guration, which was well
described by a triple of characters, say the triple XY Z: Then, she had to set
her machine in this con…guration before beginning with the transmission of
her important message. However, there was a problem: if Bob wanted to use
his Enigma machine for real-time dechipering (he was in the …eld), he had to
set his machine in the con…guration that was privately chosen by Alice. The
communication protocol stipulated that:
1. Alice had to set the machine in the initial (default) con…guration AAA:
2. Then, she had to transmit the string XXY Y ZZ describing the random
con…guration chosen by her (she had to use a duplication code to avoid
information loss).
3. Finally, she had to set her machine in the con…guration XY Z and begins
with the transmission.
Suppose that the initial con…guration chosen by Alice forces her and Bob to
move the …rst rotor i 226 degrees, the second rotor j 226 degrees and the third rotor
k 226 degrees. Let W be the transmitted message. The …rst six characters of W
constitutes a message header describing the con…guration to be used. Those six
characters are enciphered using the polyalphabetic code that is computed by
the machine in its initial default con…guration. The remaining characters of the
message are enchipered using a second polyalphabetic code that is determined
by the parameters i; j and k : after the transmission of t + 6 characters the
permutation computed by the machine becomes equal to
1 1 1
! t+i 1 ! t j
2 ! t+k 3 ! t
r !t 3 ! t k
2 ! t+j 1 ! t i
:

6
Notation 2 We use the symbol t;i;j;k to denote the above permutation which
may be factored as At r A t .

Suppose that one can compute 0;i;j;k for some triple i; j; k: Recall that
0;i;j;k is de…ned by

1 1 1
!i 1 ! j
2 !k 3 r 3 ! k
2 !j 1 ! i;

and recall that we know the permutations !; 1 ; 2 and 3 : Then, if we compute

0;i;j;k , we can easily compute r, and we get the settings of the day. Thus, from
now on we focus on the following problem:

Problem 3 Computes 0;i;j;k for some triple i; j; k:

Let Sin be equal to

X11 X61 w1 ; :::; X1N X6N wN ;

we notice that this set is the concatenation of two sets, the sets

X11 X61 ; :::; X1N X6N and fw1 ; :::; wN g :

We ask: what can we learn from those two sets?

Assume that N is large and recall that all the cipertexts in the set X11 X61 ; :::; X1N X6N
were computed using the same polyalphabetic code. You could be tempted to
use frequency analysis over this set. We have to notice that frequency analy-
sis does not work over this set (in despite of its largeness) because this set is
constituted by enchiperings of random strings.
Let W be a string in Sin and suppose that it is equal to

X1 X2 X6 w:

We know that this string is the enciphering of a string that has the form

Y1 Y1 Y2 Y2 Z3 Z3 u:

Moreover, we know that

0 (Y1 ) = X1 and 1 (Y1 ) = X2 :

We get that:

Proposition 4 The equality ( 1 0 ) (X1 ) = X2 holds.

Proof. Recall that the encodings computed by the machine are self-invertible.
We have that

0 (X1 ) = Y1 and ( 1 0 ) (X1 ) = 1 (Y1 ) = X2 :

The proposition is proved.

We also get that: if the set X11 X61 ; :::; X1N X6N contains enough
headers, we can learn the permutation 1 0:

7
4 The Little Theorem of Rejewski
We want to compute the settings of day i; which are completely encoded by the
re‡ector ri . We can use Rejewski’s Learning Procedure to compute 1 0 : Can
we compute 0 from 1 0 ? Here is the point where one has to use a little bit
of group theory.
A Rejewski equation is an equation X1 X0 = : Given one of those equa-
tions, (learned with the help Rejewski’s Procedure) we want to compute all the
pairs of re‡ectors that satisfy it.
1
De…nition 5 Let X; Y be two permutations, the product X Y X is called
the conjugate of Y by X.
Let be a permutation. We know that this permutation can be decomposed
as product of disjoint cycles. Let c1 ; :::; ck be the cycles in the decomposition of
, let l1 ; :::; lk be the lengths of those cycles, and suppose that l1 lk .
De…nition 6 We say that (l1 ; :::; lk ) is the cyclic shape of :
It is easy to prove the following proposition.
1
Proposition 7 The cyclic shape of f and the cyclic shape of g f g are the
same.
We get the following corollary.
Corollary 8 Conjugates of re‡ectors are re‡ectors.
We get that 0 and 1 are re‡ectors, and we get that the permutation 1 0
is the composition of two re‡ectors. Rejewski asked: what can be said about
the composition of two re‡ectors? He proved a theorem related to this question,
it is The Little Theorem of Rejewski, or: The Theorem that Won the War.
Theorem 9 Let r1 ; r2 be two re‡ectors, and let h be a permutation.
1. If h = r1 r2 , then we have that the cyclic decomposition of h is constituted
by disjoint cycles that can be grouped into pairs of the same length.
2. If h has the above form, then it is the composition of two re‡ectors.
Why is the above theorem useful?
Let f : R26 R26 ! S26 be the function de…ned by
f (r1 ; r2 ) = r1 r2 :
What is the image of f ? The image of f could have been equal to R26 : If the
latter were the case any Rejewski equation would become useless, since it would
have jR26 j solutions on average. The LittleTheorem of Rejewski tells us the
image of f is the set H26 , which is the set constituted by all the permutations
whose cyclic decompositions are similar to the cyclic decomposition of h (the
cycles in those decompositions can be grouped into pairs of the same size). We
2
get that a Rejewski equation has jR 26 j
jH26 j solutions on average.

8
Lemma 10 We have that:
26!
1. jR26 j = 13!213

2. jH26 j = jR26 j 13!

We get that the number of solutions of an equation like X1 X0 = h is, on

26!
average, equal to (13!) 2 13 : Notice that:
2

26!
1. 13!213 7:905 1012 :
26!
2. (13!)2 213
= 1269:6:

Thus, we have that the equations that can be computed using Rejewski’s
Learning Procedure have approximately 1300 solutions. Notice that, on one
hand, one cannot enumerate 1012 re‡ectors to check which one of them can be
suitably used for dechipering. Notice that, on the other hand, it is possible,
and it could feasible, to enumerate the 1300 solutions of a typical Rejewski’s
equation.

5 Listing all the Solutions of a Rejewski’s Equa-

tion
Suppose we are given a Rejewski equation X1 X0 = h, with h 2 H26 . We want
2
to list all the pairs (r; s) 2 (R26 ) that satisfy the above equation.
The Little Theorem of Rejewski tells us that the list that we want to compute
is a short list. Then, there is some hope that this list can be e¢ ciently computed.
Notice that if one computes the latter list, he can easily check which of the
(around 1300 items) in the list is being used for enchipering. The goal of this
section is to present an algorithm that e¢ ciently lists all the solutions of a
Rejewski equation. The algorithm is based on the proof of The Little Theorem
of Rejewski. Can you write down this algorithm?