Friday, May 22, 2015

Toughening up Jefferson's disks.

Cryptanalysis plays a pivotal role in the latest regency romance/proto steampunk story I'm putting together. There's nothing like enough room to put the background in the book, and unless you're interested in it, it would be dull reading.

I wanted to create a historically plausible cryptosystem that was tough enough to require a concerted effort by the British. Jefferson's disks, Bazeries disks or strip-ciphers are variations on a theme. A theme that was known at the time and would have been dashed difficult for a cryptanalyst of the day to solve.

Every non-perfect cryptosystem leaks information. The aim of the cryptanalyst is to use that leaked information and plausible assumptions about the message to recover the key and thus the message. For example, with mono-alphabetic substitution in a cryptogram the string 'xyz' must be a three letter word. The trouble is, it could be 'the', 'are', 'she',  'our', and about ten more. There is not enough information to go any further. If we can add more information, say 'xyz xqrz' then we can limit the choices. It's still not quite enough for a unique answer, but it's getting close.

The primary key in Jefferson's disks is the set of disks. Each disk has a permuted alphabet on it and that permuted alphabet is very rarely changed. The session key, a key that can be varied with each message, is the order and number of the disks. (The device shown above always used the same number of disks but let you shuffle them around.)  The session key is critical, because someone could steal the device and know the primary key, or at least the current primary key. The session key keeps the unauthorized user from reading the message, or so we hope.

The cipher machine is set up with the disks in a specified order (session key). The disks are turned until the message is on one row, and then some other row (the readout row) is sent as the cipher.

If you know a likely message or 'crib' and have the disks, then you can use the distance along the disk between the message and its encryption to find the disk order. (Wikipedia is clear here so I will defer to that site.)

If you don't know the disks and the messages, then things are tougher. Given enough messages, an attack in depth can be constructed. One uses the incidence of coincidence to find pieces of message that have used the same disks in the same order and same readout row. Then a frequency analysis can be used to guess the permuted alphabets. It's a lot of work, but the German Pers-40 in WW2
managed that against the American M-138 strip ciphers. Since these were only low-level tactical ciphers for things like "bomb the next hill," it didn't help them very much.

There are two composition methods that can greatly increase the security of the system.
  1. Simple crib-based can be prevented by first mono-alphabetically enciphering the message. Then the session key is the disk order, the mono-alphabetic cipher, and the specific readout row. It's basically the same as having a bigger basket of disks to choose from. This is a bit illusory, something like the 'stecker board' on enigma. It makes the attack harder, but doesn't in the end defeat it. Given enough messages in the same mono-alphabetic cipher, the attack in depth will solve it. More importantly, it can make attack in depth easier, since every line in the cipher will come from the same readout row.
  2. Reorder the wheels every time you use them. When you get to the end of the first line of the message, take the disks off and put them on in some other order. The session key is now much longer. This makes it harder to build up enough depth of messages to mount an attack.
The French, in the book, will use both variations. In the story, the hero meets the heroine when he's forced to take leave and rest so that he can continue to work on the ciphers.

Fortunately, I might add, the French didn't use these approaches. They had a sophisticated two-part code that "should" have been secure. Instead they would only encode parts of a message, which let Major Scovall decode them.