Find the rotor I wiring

Home Page
Hebern's machines
The 5 rotors machine home page

The 1924 Navy Challenge
Cryptograms
Solution
Friedman's methods:
- Rotor V wiring
- Plain text beginning
- Rotor I wiring. This Page.
- Rotor S (II,III,IV) wiring
- Wiring of other rotors
Friedman's report

Introduction

Just knowing the wiring of the rotor in position V (right rotor, fast rotor), alone allows you to decipher several lines of text of 26 letters. Which in turn allows you to find the wiring of the rotor in position I (left rotor, medium rotor). This page describes the method to achieve this. Then, this knowledge accelerates decryption and also makes it possible to reconstruct the stators S equivalent to rotors II, III and IV for a message or part of a message. This knowledge in turn allows almost all cryptograms to be deciphered relatively easily.

Example of reconstruction of rotor I wiring

We start from the following assumptions: for a cryptogram of several hundred letters, we know the cryptogram, the plain text corresponding (or at least between five to ten lines), the input and output permutations (Keyboard and Lampboard), the wiring of the Rotor V as well as the external key (position of the rotors).

If we know the external key, we can cut the cryptogram into slices of 26 letters, each using a stationary R1 rotor. In addition, for the entire part of the cryptogram that we choose, we can have the rotors R2, R3 and R4 stationary (we know when R3 is moving).

Note: to facilitate my reasoning, I did not take a realistic example, but I invented one to be able to be sure of my deductions. The chapter "Find the rotor in position I" (link) whose subject is the search for the rotor which is in position I, the wiring of the rotors being known, follows a realistic example (taken from the book by Deavors & Kruh). These two problems, find the rotor in position I and finding the rotor wiring in position I indeed follow the same approach. On the other hand, searching for the rotor in position I requires much less data.

We create the data (plain text, cryptogram, etc.)

- Here is the plain text:

Note: It corresponds to the reverse permutation of the Keyboard (LFS) repeated several times.

C:\H5_TOOLS> more keyb_inv.pln 
BSXRZTKDNGCHMVOLYQEUPWJAIF
BSXRZTKDNGCHMVOLYQEUPWJAIF
BSXRZTKDNGCHMVOLYQEUPWJAIF
BSXRZTKDNGCHMVOLYQEUPWJAIF

- Here is the cryptogram:

Note: I use the debug mode of my simulator. So I know the details for each plain text letter (p): its value after the input permutation (pK), its encryption by Rotor R1, then the action of the other rotors R2, R3, R4, then the action of the rotor R5, and finally the action of the output permutation, the Lampboard (L). We finally obtain the encrypted letter (c). The program then displays the external key (the left ratchet, the position of the 5 rotors, the right ratchet). We can see that the rotors R2, R3, R4 are not moving forward (position AAA).

C:\H5_TOOLS> python hebern5_tui.py -E ZZAAAZN -D < MSGS\keyb_inv.pln
001: B ->AGUSUK-> Q    AAAAAAO
002: S ->BAIUSQ-> S    AAAAABP
003: X ->CDCXDY-> G    AAAAACQ
004: R ->DBZDAD-> E    AAAAADR
005: Z ->EOLBLD-> E    AAAAAES
006: T ->FCNHCR-> H    AAAAAFT
007: K ->GTMMNL-> V    AAAAAGU
008: D ->HKEWEB-> Y    AAAAAHV
009: N ->INWQTI-> F    AAAAAIW
010: G ->JUGTPV-> R    AAAAAJX
011: C ->KZRNYS-> C    AAAAAKY
012: H ->LXYZZD-> E    AAAAALZ
013: M ->MIPOIY-> G    AAAAAMA
014: V ->NWAPOD-> E    AAAAANB
015: O ->OHDFGW-> Z    AAAAAOC
016: L ->PFKYHD-> E    AAAAAPD
017: Y ->QQHAFE-> U    AAAAAQE
018: Q ->RYBJQF-> M    AAAAARF
019: E ->SJJGWX-> A    AAAAASG
020: U ->TVQVKN-> W    AAAAATH
021: P ->UPFLXH-> D    AAAAAUI
022: W ->VMORJC-> O    AAAAAVJ
023: J ->WETKBP-> N    AAAAAWK
024: A ->XLVERS-> C    AAAAAXL
025: I ->YSSCVT-> I    AAAAAYM
026: F ->ZRXIMJ-> J    AAAAAZN
027: B ->AZRNYE-> U    BBAAAAO
028: S ->BCNHCF-> M    BBAAABP
029: X ->CAIUSI-> F    BBAAACQ
030: R ->DNWQTP-> N    BBAAADR
031: Z ->EBZDAT-> I    BBAAAES
032: T ->FSSCVA-> T    BBAAAFT
033: K ->GJJGWN-> W    BBAAAGU
034: D ->HMORJR-> H    BBAAAHV
035: N ->ITMMNM-> K    BBAAAIW
036: G ->JYBJQD-> E    BBAAAJX
037: C ->KWAPOU-> L    BBAAAKY
038: H ->LHDFGQ-> S    BBAAALZ
039: M ->MVQVKG-> X    BBAAAMA
040: V ->NGUSUJ-> J    BBAAANB
041: O ->OETKBT-> I    BBAAAOC
042: L ->PPFLXG-> X    BBAAAPD
043: Y ->QXYZZR-> H    BBAAAQE
044: Q ->RIPOIV-> R    BBAAARF
045: E ->SUGTPE-> U    BBAAASG
046: U ->TOLBLE-> U    BBAAATH
047: P ->ULVERO-> B    BBAAAUI
048: W ->VDCXDJ-> J    BBAAAVJ
049: J ->WKEWEJ-> J    BBAAAWK
050: A ->XRXIMM-> K    BBAAAXL
051: I ->YQHAFI-> F    BBAAAYM
052: F ->ZFKYHO-> B    BBAAAZN
053: B ->ABZDAF-> M    CCAAAAO
054: S ->BZRNYL-> V    CCAAABP
055: X ->CMORJG-> X    CCAAACQ
056: R ->DAIUSR-> H    CCAAADR
057: Z ->ERXIMU-> L    CCAAAES
058: T ->FIPOIU-> L    CCAAAFT
059: K ->GLVERF-> M    CCAAAGU
060: D ->HSSCVM-> K    CCAAAHV
061: N ->IXYZZO-> B    CCAAAIW
062: G ->JVQVKI-> F    CCAAAJX
063: C ->KGUSUN-> W    CCAAAKY
064: H ->LUGTPU-> L    CCAAALZ
065: M ->MFKYHF-> M    CCAAAMA
066: V ->NDCXDL-> V    CCAAANB
067: O ->OOLBLY-> G    CCAAAOC
068: L ->PWAPOR-> H    CCAAAPD
069: Y ->QHDFGC-> O    CCAAAQE
070: Q ->RTMMNG-> X    CCAAARF
071: E ->SNWQTQ-> S    CCAAASG
072: U ->TKEWES-> C    CCAAATH
073: P ->UCNHCY-> G    CCAAAUI
074: W ->VJJGWG-> X    CCAAAVJ
075: J ->WQHAFU-> L    CCAAAWK
076: A ->XPFLXN-> W    CCAAAXL
077: I ->YETKBO-> B    CCAAAYM
078: F ->ZYBJQI-> F    CCAAAZN
079: B ->AYBJQY-> G    DDAAAAO
080: S ->BLVERC-> O    DDAAABP
081: X ->CZRNYD-> E    DDAAACQ
082: R ->DQHAFZ-> P    DDAAADR
083: Z ->EHDFGK-> Q    DDAAAES
084: T ->FKEWEE-> U    DDAAAFT
085: K ->GRXIMX-> A    DDAAAGU
086: D ->HWAPON-> W    DDAAAHV
087: N ->IUGTPD-> E    DDAAAIW
088: G ->JFKYHP-> N    DDAAAJX
089: C ->KTMMNB-> Y    DDAAAKY
090: H ->LETKBK-> Q    DDAAALZ
091: M ->MCNHCD-> E    DDAAAMA
092: V ->NNWQTA-> T    DDAAANB
093: O ->OVQVKQ-> S    DDAAAOC
094: L ->PGUSUU-> L    DDAAAPD
095: Y ->QSSCVS-> C    DDAAAQE
096: Q ->RMORJO-> B    DDAAARF
097: E ->SJJGWX-> A    DDAAASG
098: U ->TBZDAY-> G    DDAAATH
099: P ->UIPOIZ-> P    DDAAAUI
100: W ->VPFLXI-> F    DDAAAVJ
101: J ->WOLBLA-> T    DDAAAWK
102: A ->XDCXDI-> F    DDAAAXL
103: I ->YXYZZN-> W    DDAAAYM
104: F ->ZAIUSC-> O    DDAAAZN

Show data as lines with rotor I stationary

- We represent the previous data in the form of lines made of 26 letters: Each line of 26 letters in the cryptogram (line “c”) corresponds to a slice of cipher text for which the rotor R1 (here named R) does not advance. On the other hand, when we move to the next line c, rotor R1 has advanced one step (i=0 to 3). For the entire cryptogram, the permutation S (R2.R3.K4) is the same because these rotors do not move forward.

Note: In my reasoning, I do not use the pKR lines (the result of the encryption by the rotor R1) nor the value m which corresponds to the index of the offset array. I only used it to check my reasoning. Note that for example the different lines pKR(i) correspond to the values of the Rotor I wiring, as they appear in the encryption table (GADBO...), (ZCANBS...).... The pK lines correspond to the alphabet (ABC...).
We have “c’ = pk + D[m]” which is easy to verify. I don't use the letters (c) of the cryptogram either.

m,(i=0)     0 1 2 3 4 5 6 7 8 910 1 2 3 4 5 6 7 8 920 1 2 3 4 5  
p (plain)   B S X R Z T K D N G C H M V O L Y Q E U P W J A I F
c (cipher)  Q S G E E H V Y F R C E G E Z E U M A W D O N C I J 
pK (Keyb)   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
pKRS (c’)   U S D A L C N E T P Y Z I O G H F Q W K X J B R V M
pKR (R1(0)) G A D B O C T K N U Z X I W H F Q Y J V P M E L S R

m,(i=1)     1 2 3 4 5 6 7 8 910 1 2 3 4 5 6 7 8 920 1 2 3 4 5 6 
p (plain)   B S X R Z T K D N G C H M V O L Y Q E U P W J A I F
c (cipher)  U M F N I T W H K E L S X J I X H R U U B J J K F B
pK (Keyb)   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
pKRS (c’)   Y C S T A V W J N Q O G K U B X Z I P L R D E M F H
pKR (R1(1)) Z C A N B S J M T Y W H V G E P X I U O L D K R Q F

m,(i=2)     2 3 4 5 6 7 8 910 1 2 3 4 5 6 7 8 920 1 2 3 4 5 6 7
p (plain)   B S X R Z T K D N G C H M V O L Y Q E U P W J A I F
c (cipher)  M V X H L L M K B F W L M V G H O X S C G X L W B F
pK (Keyb)   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
pKRS (c’)   A Y J S M I R V Z K U P H D L O G N T E C W F X B Q
pKR (R1(2)) B Z M A R I L S X V G U F D O W H T N K C J Q P E Y

m,(i=3)     3 4 5 6 7 8 910 1 2 3 4 5 6 7 8 920 1 2 3 4 5 6 7 8
p (plain)   B S X R Z T K D N G C H M V O L Y Q E U P W J A I F
c (cipher)  G O E P Q U A W E N Y Q E T S L C B A G P F T F W O
pK (Keyb)   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
pKRS (c’)   Q R Y F G E M O P H N B C T K U V J W A I X L D Z S
pKR (R1(3)) Y L Z Q H K R W U F T E C N V G S M J B I P O D X A

Let p: plain letter, c: cipher letter, K: keyboard permutation, R1, R2, R3, R4, R5: permutations of rotors, L: lampboard permutation.

Here is the encryption formula (cf. description of the 5 rotors machine):

	p.K.R1(i).R2(j).R3(k).R4(l).R5(m).L = c

If we know the external key, we can cut the cryptogram into slices of 26 letters which use a fixed rotor R1 for each slice. In addition, for the entire part of the cryptogram that we choose, we can have the rotors R2, R3 and R4 stationary. We will be able to simplify the previous formula:

Let c' be the encrypted letter having removed the influence of lampboard and rotor R5 (R5(m).L). Let R be the permutation R1. Let S be the permutation R2(j)R3(k)R4(l), the previous formula simplifies:

	pKR(i)S = c’

Let c’’ be the cipher letter where the influence of S is removed, we obtain:

	pKR(i) = c’’

Although p, K and c' are known, we do not know c’'. On the other hand, if we take several ciphered letters which give the same value of c’, we can arbitrarily fix c’’ which corresponds to c’S_inverse. For example, we can set c’’=c’.

On the other hand, if we apply the following formula (cf. the concept of rotor) which corresponds to the value of the encrypted letter y(i) in relation to the plain letter x(i) and the offset D[m]:

	y(i) = x(i) + D[ x(i) + i ]

We obtain the final formula (in the case where c' has the same value):

	c’ = pK + D[ pk + i ]

1) In the case where c’ == N, we have:

(i=0)   N = G + D[ G + 0 ], 13 =  6 + D[6]    => D[6]  =  7 
(i=1)   N = I + D[ I + 1 ], 13 =  8 + D[8+1]  => D[9]  =  9
(i=2)   N = R + D[ R + 2 ], 13 = 17 + D[17+2] => D[19] = 22
(i=3)   N = K + D[ K + 3 ], 13 = 10 + D[10+3] => D[13] =  3

2) In the case where c’ == O, we have:

(i=0)   O = N + D[ N + 0 ], 14 = 13 + D[13]   => D[13] =  1 
(i=1)   O = K + D[ K + 1 ], 14 = 10 + D[10+1] => D[11] =  4
(i=2)   O = P + D[ P + 2 ], 14 = 15 + D[15+2] => D[17] = 25
(i=3)   O = H + D[ H + 3 ], 14 =  7 + D[7+3]  => D[10] =  7

We still do not know S, but we know two values of its wiring (relatively), if c' == N, then for the value O, c’[N] = c’[O] + 2

We can aggregate the two series of movements by taking the offsets where c’= N as reference:

	D[6]=7, D[9]=9, D[10] = 7+2 = 9, D[11]= 4+2 = 6,
	D[13]=3=1+2, D[15] = 16+2= 18, D[17] ) 25+2 = 1

If we continue with other series where the value of c' is identical, we can reconstruct all the shifts... but in relative terms! We can also reconstruct S but it is simpler to do so after we have finished reconstituting the rotor R1.

We obtain the following displacements for permutation R (that of Rotor I). For information, we indicate the shifts deduced from the GADBO rotor wiring... (grs = genuine Rotor shifts). We can see that there is a gap of 6 between the two series.

m    0  1  2  3  4  5  6  7  8  9 10 11 12
R    0 19 21 18  4 17  7 23 25  5  9  6 16
grs  6 25  1 24 10 23 13  3  5 11 15 12 22

m   13 14 15 16 17 18 19 20 21 22 23 24 25
R    3 13 10 20  1 11 22 15 11  2  8 14 12
grs  9 19 16  0  7 17  2 21 17  8 14 20 18

From the formula PI[x] = x + D[x] (cf. The concept of rotor), we can reconstruct the wiring for both series:

R   A U X V I W N E H O T R C Q B Z K S D P J G Y F M L
grs G A D B O C T K N U Z X I W H F Q Y J V P M E L S R

Note: The grs line gives us the rotor wiring and the R line corresponds to the G line of the encryption table for column U. We also notice that the pKR lines correspond to the first lines of the following encryption table:

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A G A D B O C T K N U Z X I W H F Q Y J V P M E L S R
B Z C A N B S J M T Y W H V G E P X I U O L D K R Q F
C B Z M A R I L S X V G U F D O W H T N K C J Q P E Y
D Y L Z Q H K R W U F T E C N V G S M J B I P O D X A
E K Y P G J Q V T E S D B M U F R L I A H O N C W Z X
F X O F I P U S D R C A L T E Q K H Z G N M B V Y W J
G N E H O T R C Q B Z K S D P J G Y F M L A U X V I W
H D G N S Q B P A Y J R C O I F X E L K Z T W U H V M
I F M R P A O Z X I Q B N H E W D K J Y S V T G U L C
J L Q O Z N Y W H P A M G D V C J I X R U S F T K B E
K P N Y M X V G O Z L F C U B I H W Q T R E S J A D K
L M X L W U F N Y K E B T A H G V P S Q D R I Z C J O
M W K V T E M X J D A S Z G F U O R P C Q H Y B I N L
N J U S D L W I C Z R Y F E T N Q O B P G X A H M K V
O T R C K V H B Y Q X E D S M P N A O F W Z G L J U I
P Q B J U G A X P W D C R L O M Z N E V Y F K I T H S
Q A I T F Z W O V C B Q K N L Y M D U X E J H S G R P
R H S E Y V N U B A P J M K X L C T W D I G R F Q O Z
S R D X U M T A Z O I L J W K B S V C H F Q E P N Y G
T C W T L S Z Y N H K I V J A R U B G E P D O M X F Q
U V S K R Y X M G J H U I Z Q T A F D O C N L W E P B
V R J Q X W L F I G T H Y P S Z E C N B M K V D O A U
W I P W V K E H F S G X O R Y D B M A L J U C N Z T Q
X O V U J D G E R F W N Q X C A L Z K I T B M Y S P H
Y U T I C F D Q E V M P W B Z K Y J H S A L X R O G N
Z S H B E C P D U L O V A Y J X I G R Z K W Q N F M T

Conclusion

We can see that it is possible, after having reconstituted the rotor which is in position V, to reconstitute the Rotor which is in position I. On the other hand, many lines of 26 letters are required for which the plain text and the cipher text are known, between five and ten lines.

Note: in the example, four lines may be enough to reconstruct the wiring of the rotor in position I. In fact, each line contains all the letters of the alphabet. But in ordinary text, this is not the case. Indeed, for ordinary plain text certain letters (E,T,A,O,N) are very frequent and others are completely absent.

Web Links

ANALYSIS OF A MECHANICO-ELECTRICAL CRYPTOGRAPH, PART I, TECHNICAL PAPER, BY WILLIAM F. FRIEDMAN Cryptanalyst, Chief of Signal Intelligence Section UNITED STATES GOVERNMENT PRINTING OFFICE, WASHINGTON: 1934, Secret.
NSA - Friedman's Original Worksheets of Hebern Solution, 11 Nov 1936 - ID A4126886 - (PDF)
Note: The solution dates from 1924.