Cryptology Isomorph Attack, Example

a7Hzq .#5r< kÜ\as TâÆK$ ûj(Ö2 ñw%h: Úk{4R f~`z8 ¤˜Æ+Ô „&¢Dø

The Machine

Lacking a working simulation for the commercial Enigma we use a military Enigma I omitting the plugboard. Further differences with the commercial Enigma D are

• The reflector is mounted in a fixed position. This will facilitate our task slightly compared with a true Enigma D.
• The rotors (including the reflectors) are differently wired. We consider the wiring known.
• The input wiring is from keyboard-A to input-A etc., whereas the commercial Enigma had the contacts wired in the order of the keys, i. e. keyboard-Q to input-A, keyboard-W to input-B and so on. This makes no cryptanalytic difference because it amounts to a known renaming of the standard alphabet.
• The notches that move the rotors are fixed at the alphabet rings allowing a displacement with respect to the rotor contacts, effecting a slight variablity in the stepping of the rotors. We ignore this complication in our example.

The primary rotor alphabets are

   Clear:        A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
   Rotor I:      E K M F L G D Q V Z N T O W Y H X U S P A I B R C J
   Rotor II:     A J D K S I R U X B L H W T M C Q G Z N P Y F V O E
   Rotor III:    B D F H J L C P R T X V Z N Y E I W G A K M U S Q O
   Reflector B:  Y R U H Q S L D P X N G O K M I E B F Z C W V J A T

The cycle decomposition of the reflector is

      (AY)(BR)(CU)(DH)(EQ)(FS)(GL)(IP)(JX)(KN)(MO)(TZ)(VW)

The Ciphertext

Now assume we got the ciphertext:

  NMSHH EZJOU OEAJA IDCWS VVMFY IVZQO QWSYO KCEVE QSTLC YMJKT PFVK

We suspect it to be in Spanish but we won't use this conjecture. However it seems likely that it begins with the probable word GENERAL. Negative pattern search yields no contradiction to this assumed known plaintext. This however excludes only very few of other possible positions.

Searching for Isomorphs

Now we test all three rotors in each possible position in the search for an isomorph. For Rotor I we get 26 pairs of intermediate texts:

Pos A: PBURWXL  Pos B: TNQULJH  Pos C: WRNHVNR  Pos D: JUJMBQY
       XWFPJHW   ===>  FEXJQMI         UTMQRGM         QPWRZNP

Pos E: OHTGVDQ  Pos F: IMANAIF  Pos G: PGSOBCP  Pos H: QNHWTJV
       NMCZOOC         JIWOKWH         TSBKHLB         AZCHDHI

Pos I: YORLYKP  Pos J: NWXHSSU  Pos K: JLREOHV  Pos L: GHWAADN
       SRUDNEJ         HGZNUAR   ===>  RQTUMKG         XWPMBRC

Pos M: CEXKEAS  Pos N: MAPRHWM  Pos O: TKUJUGI  Pos P: LROYZNU
       RQBBLJZ         WVFLRYV         XWIRLIF         POVLQOM

Pos Q: AJKITFY  Pos R: KYWOAUB  Pos S: QIAIBEO  Pos T: KODNJKT
 ===>  UTAQRIE         ONURJNT         KJBJOOD         WVCOIGJ

Pos U: PIQOYEN  Pos V: QNVGUJU  Pos W: IOPLRKV  Pos X: NGWFNCD
 ===>  AZKIELD         DCZEQFI         QPVQUBJ         VUSUXNB

Pos Y: HLXBXHS  Pos Z: DFFNEBO
       POOXKRG         WVYKPUA

The first line of each pair is the plaintext GENERAL encrypted with rotor I alone in the indicated initial position, the second line is the ciphertext NMSHHEZ encrypted in the same way.

We find 4 isomorphs, all with the pattern 1234567. All four yield a contradiction with the involutory property: For position B look at Q that should map to X according to its first appearance, and to L for the second appearance. For position K look at R, for position Q look at T, for position U look at I.

The same for Rotor II:

Pos A: TPNTALS  Pos B: VRCWPNF  Pos C: YTUFHPG  Pos D: HWHAWSO
       LKVDRFK         AZBRNAM         NMQNFOO         CBIFUKR

Pos E: CFIORBU  Pos F: QAQKZWJ  Pos G: MOWCSKB  Pos H: EKLRYGQ
       UTXUHCA         HGSHWRV   ===>  IHAWOEJ         QPTOBTF

Pos I: TCDEFYL  Pos J: GRSTUNT  Pos K: VENLCAM  Pos L: NTVYEPS
 ===>  WVZBCLX         LKGCKYM         DCVKQZZ   ===>  SRDQFHO

Pos M: ALOZGHZ  Pos N: BYUHJUO  Pos O: JZBNSVW  Pos P: PHQCNDY
       NMFFXNG         VUHXMCT         ONKMHUU         UTTHPJC

Pos Q: ENYUBJA  Pos R: WCAJXYD  Pos S: LUCEPQM  Pos T: GJFMEFH
       BAOPIEI   ===>  QPCIOMX         YXYOVFP         AZQVKLE

Pos U: OEOFRAV  Pos V: HMJLGIR  Pos W: NFXSYBJ  Pos X: ULTHLHY
       CBFKSSZ         FESSUHH   ===>  ONHUWPA         JIZWZRG
Pos Y: JSLPMOL  Pos Z: RHARUDA
       XWMZITN         TSNIDWC

We find 5 isomorphs, all with the pattern 1234567. All five don't fit an involution.

Finally for Rotor III:

Pos A: OAFNPWZ  Pos B: PMSOMIS  Pos C: QNBRJJB  Pos D: TOUOGKC
       XWJRURV         CBQUHOH         FENHRRI   ===>  SRKRWEJ

Pos E: QRDRSNJ  Pos F: TOEETKG  Pos G: GRLOUND  Pos H: QEITVAA
       BAHWZOM         UTTZMTJ         DCUMVWM         EDVVOJZ

Pos I: VOFWWKM  Pos J: YTCJXPN  Pos K: LWOSNSO  Pos L: UJPLZFP
       LKWOXSJ         IHXXYLO         FEYYFUR         CBOFCVE

Pos M: NSQUAOQ  Pos N: WLRVBHR  Pos O: XUSCEQH  Pos P: EVTZBRT
       ONACZCN         POBZWZG         QPCWIWP         RQFIJTQ

Pos Q: BCJWEYU  Pos R: YZVTRVV  Pos S: VWWFBSY  Pos T: HTXGGPV
 ===>  SRCJKFX         TSFKLGU         JISLMHR         VUCMNIO

Pos U: IFAHJBY  Pos V: JGXIWCL  Pos W: KHAJFDV  Pos X: LINKYEA
 ===>  WVHNDJA         XWKDPKB         AZXPQAC   ===>  XWGQRMD

Pos Y: MJXAHFD  Pos Z: CKCMIGQ
       AZZRUNE         NMIUROF

This time we find 4 isomorphs. Only the last one is compatible with an involution. This is the only possible solution. It gives us 7 cycles of the »virtual reflector« = the involution that is produced by the two inner rotors together with the reflector: (AD)(EM)(GN)(IW)(KQ)(LX)(RY), the letters BCFHJOPSTUVZ remaining.

Consulting the Lookup Table

If our assumption on the probable word GENERAL was correct, then the fast rotor is Rotor III with initial position X. Now we use the lookup table for the virtual reflector containing all 2×26² = 1318 possibilities for Rotors I and II in each order and all initial positions. There is exactly one involution that contains the obligatory cycles: The slow rotor 3 is Rotor I in initial position H, and the medium rotor is Rotor II in initial position D. Trying these settings on the online simultion at Enigmaco we obtain the Spanish plaintext

  General Franco llegará a Sevilla en la noche. Notifica al alcalde.

For successful cryptanalyzing the Enigma without plugboard we only needed a short cryptogram (54 letters) and a few letters (only 7) of known plaintext. The attack by isomorphs is quite strong.

Summary

Compared with the attack on a linearly ordered (»straight through«) rotor machine the reflecting rotor reduces the workload because the involutory property excludes most isomorphs. On the other hand stripping off the last rotor is easier with a straight through machine. But in summary the reflecting rotor turns out to be an illusory complication.