Turingery

Turingery in ''Testery Methods 1942–1944'' or Turing's method (playfully dubbed Turingismus by Peter Ericsson, Peter Hilton and Donald Michie) was a manual codebreaking method devised in July 1942 by the mathematician and cryptanalyst Alan Turing at the British Government Code and Cypher School at Bletchley Park during World War II. It was for use in cryptanalysis of the Lorenz cipher produced by the SZ40 and SZ42 teleprinter rotor stream cipher machines, one of the Germans' ''Geheimschreiber'' (secret writer) machines. The British codenamed non-Morse traffic "Fish", and that from this machine "Tunny" (another word for the tuna fish).

Reading a Tunny message required firstly that the logical structure of the system was known, secondly that the periodically changed pattern of active cams on the wheels was derived, and thirdly that the starting positions of the scrambler wheels for this message—the message key—was established. The logical structure of Tunny had been worked out by William Tutte and colleagues over several months ending in January 1942. Deriving the message key was called "setting" at Bletchley Park, but it was the derivation of the cam patterns—which was known as "wheel breaking"—that was the target of Turingery.

German operator errors in transmitting more than one message with the same key, producing a "depth", allowed the derivation of that key. Turingery was applied to such a key stream to derive the cam settings.

The SZ40 and SZ42

The logical functioning of the Tunny system was worked out well before the Bletchley Park cryptanalysts saw one of the machines—which only happened in 1945, shortly before the allied victory in Europe.

The SZ machines were 12-wheel rotor cipher machines which implemented a Vernam stream cipher. They were attached in-line to standard Lorenz teleprinters. The message characters were encoded in the 5-bit International Telegraphy Alphabet No. 2 (ITA2). The output ciphertext characters were generated by combining a pseudorandom character-by-character key stream with the input characters using the " exclusive or" (XOR) function, symbolised as in mathematical notation. The relationship between the plaintext, ciphertext and cryptographic key is then:

:$\mathrm = \mathrm \oplus \mathrm$

Similarly, for deciphering, the ciphertext was combined with the same key to give the plaintext:

:$\mathrm = \mathrm \oplus \mathrm$

This produces the essential reciprocity to allow the same machine with the same settings to be used for both enciphering and deciphering.

Each of the five bits of the key for each character was generated by the relevant wheels in two parts of the machine. These were termed the ''chi'' ($\chi$) wheels, and the ''psi'' ($\psi$) wheels. The ''chi'' wheels all moved on one position for each character. The ''psi'' wheels also all moved together, but not after each character. Their movement was controlled by the two ''mu'' ($\mu$) or "motor" wheels. in ''German Tunny''

The key stream generated by the SZ machines thus had a ''chi'' component and a ''psi'' component that were combined with the XOR function. So, the key that was combined with the plaintext for enciphering—or with the ciphertext for deciphering—can be represented as follows.

:$\mathrm = \textit\mathrm \oplus \textit\mathrm$

Symbolically:

:$K = \chi \oplus \psi$

The twelve wheels each had a series of cams (or "pins") around them. These cams could be set in a raised or lowered position. In the raised position they generated a "mark" "×" ("1" in binary), in the lowered position they generated a "space" "·" ("0" in binary). The number of cams on each wheel equalled the number of impulses needed to cause them to complete a full rotation. These numbers are all co-prime with each other, giving the longest possible time before the pattern repeated. With a total of 501 cams this equals 2⁵⁰¹ which is approximately 10¹⁵¹, an astronomically large number. However, if the five impulses are considered independently, the numbers are much more manageable. The product of the rotation period of any pair of ''chi'' wheels gives numbers between 41×31=1271 and 26×23=598.

Differencing

Cryptanalysis often involves finding patterns of some sort that provide a way into eliminating a range of key possibilities. At Bletchley Park the XOR combination of the values of two adjacent letters in the key or the ciphertext was called the difference (symbolised by the Greek letter ''delta'' $\Delta$) because XOR is the same as modulo 2 subtraction (without "borrow")—and, incidentally, modulo 2 addition (without "carry"). So, for the characters in the key (K), the difference $\Delta K$ was obtained as follows, where underline indicates the succeeding character:

:$\Delta K = K \oplus \underline$

(Similarly with the plaintext, the ciphertext, and the two components of the key).

The relationship amongst them applies when they are differenced. For example, as well as:

:$K = \chi \oplus \psi$

It is the case that:
:$\Delta K = \Delta \chi \oplus \Delta \psi$

If the plaintext is represented by P and the cipertext by Z, the following also hold true:

:$\Delta Z = \Delta P \oplus \Delta \chi \oplus \Delta \psi$

And:

:$\Delta P = \Delta Z \oplus \Delta \chi \oplus \Delta \psi$

The reason that differencing provided a way into Tunny was that, although the frequency distribution of characters in the ciphertext could not be distinguished from a random stream, the same was not true for a version of the ciphertext from which the ''chi'' element of the key had been removed. This is because, where the plaintext contained a repeated character and the ''psi'' wheels did not move on, the differenced ''psi'' character ($\Delta \psi$) would be the null character ("·····" or 00000), or, in Bletchley Park terminology, "/". When XOR-ed with any character, this null character has no effect, so in these circumstances, $\Delta \chi = \Delta K$. Repeated characters in the plaintext were more frequent, both because of the characteristics of German (EE, TT, LL and SS are relatively common), and because telegraphists frequently repeated the figures-shift and letters-shift characters as their loss in an ordinary telegraph message could lead to gibberish.

To quote the General Report on Tunny:

Turingery introduced the principle that the key differenced at one, now called $\Delta K$, could yield information unobtainable from ordinary key. This $\Delta$ principle was to be the fundamental basis of nearly all statistical methods of wheel-breaking and setting.

Bit-level differencing

As well as applying differencing to the full 5-bit characters of the ITA2 code, it was also applied to the individual impulses (bits). So, for the first impulse, that was enciphered by wheels $\chi_1$ and $\psi_1$, differenced at one:

:$\Delta K_1 = K_1 \oplus \underline$

And for the second impulse:

:$\Delta K_2 = K_2 \oplus \underline$

And so on.

It is also worth noting that the periodicity of the ''chi'' and ''psi'' wheels for each impulse (41 and 43 respectively for the first one) is reflected in its pattern of $\Delta K$. However, given that the ''psi'' wheels did not advance for every input character, as did the ''chi'' wheels, it was not simply a repetition of the pattern every 41 × 43 = 1763 characters for $\Delta K_1$, but a more complex sequence.

Turing's method

In July 1942 Turing spent a few weeks in the Research Section. He had become interested in the problem of breaking Tunny from the keys that had been obtained from depths. In July, he developed the method of deriving the cam settings from a length of key. It involved an iterative, almost trial-and-error, process. It relied on the fact that when the differenced ''psi'' character is the null character ("·····" or 00000), /, then XOR-ing this with any other character does not change it. Thus the delta key character gives the character of the five ''chi'' wheels (i.e. $\Delta \chi = \Delta K$).

Given that the delta ''psi'' character was the null character half of the time on average, an assumption that $\Delta K = \Delta \chi$ had a 50% chance of being correct. The process started by treating a particular $\Delta K$ character as being the Δ$\chi$ for that position. The resulting putative bit pattern of × and · for each ''chi'' wheel, was recorded on a sheet of paper that contained as many columns as there were characters in the key, and five rows representing the five impulses of the $\Delta \chi$. Given the knowledge from Tutte's work, of the periodicity of each of the wheels, this allowed the propagation of these values at the appropriate positions in the rest of the key.

A set of five sheets, one for each of the ''chi'' wheels, was also prepared. These contained a set of columns corresponding in number to the cams for the appropriate ''chi'' wheel, and were referred to as a 'cage'. So the $\chi_3$ cage had 29 such columns. which reproduces a $\chi_3$ cage from the General Report on Tunny Successive 'guesses' of $\Delta \chi$ values then produced further putative cam state values. These might either agree or disagree with previous assumptions, and a count of agreements and disagreements was made on these sheets. Where disagreements substantially outweighed agreements, the assumption was made that the $\Delta \psi$ character was not the null character "/", so the relevant assumption was discounted. Progressively, all the cam settings of the ''chi'' wheels were deduced, and from them the ''psi'' and motor wheel cam settings.

As experience of the method developed, improvements were made that allowed it to be used with much shorter lengths of key than the original 500 or so characters.

See also

* Banburismus
* Differential cryptanalysis

References and notes

Bibliography

*
*
*
*
* That version is a facsimile copy, but there is a transcript of much of this document in '.pdf' format at: , and a web transcript of Part 1 at:
*
*
*
*
* {{Citation , last = Tutte , first = W. T. , author-link = W. T. Tutte , title = Fish and I , date = 19 June 1998 , url = http://frode.home.cern.ch/frode/crypto/tutte.pdf , accessdate = 7 October 2010 , url-status = dead , archiveurl = https://web.archive.org/web/20070710042331/http://frode.home.cern.ch/frode/crypto/tutte.pdf , archivedate = 10 July 2007 , df = dmy-all Transcript of a lecture given by Prof. Tutte at the University of Waterloo

Bletchley Park
Alan Turing
Cryptographic attacks