Go to On Line Documents, Go to Go to Antique Computer home page

The following page is from a NSA phamphlet "The Cryptographic Mathematics of ENIGMA " - scaned, OCRed, HTMLized, ... kindly lent by Dave Lion.



The
Cryptographic
Mathematics
of
ENIGMA

Cover - 84 K bytes

This publication is distributed FREE by the National Security Agency. If you would like additional copies, please submit your request to:

Center for Cryptotogic History
National Security Agency
9800 Savage Road, Suite 6886
Fort George G. Mead, MD 20755-6886

Published by the Center for Crypologic History
First printing: 1996
Second printing: 2001


The Cryptographic Mathematics of Enigma
Dr. A. Ray Miller


The Enigma cipher machine had the confidence of German forces who depended upon its security. This misplaced confidence was due in part to the large key space the machine provided. This paper derives for the first time the exact number of theoretical cryptographic key settings and machine configurations for the Enigma cipher machine. It also calculates the number of practical key settings Allied cryptanalysts were faced with daily throughout World War II. Finally, it shows the relative contribution each component of the Enigma added to the overall strength of the machine.

ULTRA was the greatest secret of World War U after the atom bomb. With the exception of knowledge about that weapon and the probable exception of the time and place of major operations, such as the Normandy invasion, no information was held more tightly .... The security implies ULTRA's significance. ULTRA furnished intelligence better than any in the whole long history of humankind. It was more precise, more trustworthy, more voluminous, more continuous, longer lasting, and available faster, at a higher level, and from more commands than any other form of intelligence - spies or scouts or aerial reconnaissance or prisoner interrogations .... It may be concluded that ULTRA saved the world two years of war, billions of dollars, and millions of lives.
David Kahn, Seizing the Enigma

The Enigma cipher machine is one of the best known cipher machines in the world. Initially broken by Polish cryptanalysts, Enigma decrypts from British and later American efforts were given the covername ULTRA to reflect the value of the information. Today the Enigma stands as a silent sentinel to the folly of those who placed their absolute confidence in its security. But it also stands in renowned tribute to the cryptanalysts who pitted their minds against a problem of seemingly invincible odds and who scaled its lofty heights.

Just how difficult was the Enigma cipher machine? Much has been written in recent years about the attacks against Enigma or the intelligence value of the ULTRA decrypts. However, little has been said about the defenses of the machine itself and why it was so trusted by its German designers. This paper sheds some light on that topic by calculating the incredible number of possible key settings and machine configurations, a number which led German forces to place undeserved confidence in Enigma's security. 1

Exterior view of Enigma showing the front plugboard with cables

Close-up of plugboard with cables removed

Disassembled rotor, twenty-six input contact points wired to twenty-six output contact points on alternate faces of disk

Close up of rotor, twenty-six contact points, notch, and serrations

Close-up of rotors inside of machine. Reflector is to the left

External view of rotors showimg contact points, ratchets, and serrations

Reflector with rotors removed

Initial rotational position of a three rotor enigma

Enigma being used in the field

This is the first time the exact numerical value in all significant digits has been published. Both the theoretical and the practical strength of the machine is calculated. The paper also provides an in- depth discussion of Enigma's construction. An Enigma cipher machine consisted of five variable components:2

  1. a plugboard which could contain from zero to thirteen dual-wired cables

  2. three ordered (left to right) rotors which wired twenty-six input contact points to twenty-six output contact points positioned on alternate faces of a disc

  3. twenty-six serrations around the periphery of the rotors which allowed the operator to specify an initial rotational position for the rotors

  4. a moveable ring on each of the rotors which controlled the rotational behavior of the rotor immediately to the left by means of a notch3

  5. a reflector half-rotor (which did not in fact rotate) to fold inputs and outputs back onto the same face of contact points

Nothing else on the machine which could be used to set the initial state of the cryptologic was variable. Additional necessary equipment included a mechanical system (stepping levers and ratchets) for forcing rotor rotation, a twenty-six-letter keyboard, twenty-six light bulbs for the output letters, and a battery for powering the light bulbs. What we wish to determine is the number of different ways of configuring the variable components in the system which contributed to the cryptographic strength of the machine. Although in practice the Germans did not use Enigma to its fullest potential, Allied cryptanalysts could not a priori rule out any valid theoretical configuration.

The first variable component was the plugboard. Twenty-six (for A-Z) dual-holed sockets were on the front panel of Enigma. A dualwired plugboard cable could be inserted making a connection between any pair of letters. Enigma cryptographers had a choice of how many different cables could be inserted (from zero to thirteen) and which letters were connected. The plugboard functioned like an easily modifiable stationary rotor positioned to the right of the three rotating rotors.4

There were three elements which must be considered when calculating the number of possible plugboard connections: the number of cables used, which group of sockets was selected to receive those cables, and the interconnections within that group of sockets (i.e., the specific letter-pairs created by each cable). We will consider socket selection first. There were twenty-six sockets on the plugboard. Each individual cable consumed two sockets (one for each end of the cable). Given the choice of p plugboard cables (O < p < 13) inserted into the plugboard, there were therefore

( 26 / 2p )

different combinations of sockets which could have been, selected.

Having calculated the number of different groups of sockets, we will now determine how many ways in which those p cables could have been inserted into the 2p selected sockets. After the first end of cable #1 was inserted into a socket, the second end of the first cable had 2p - 1 free sockets from which to choose (within that group). After the first end of cable # 2 was inserted into a socket, the second end of the second cable had 2p - 3 free sockets from which to choose. This pattern continues down to cable #p; when its second end needed to be inserted into the plugboard, only one free socket was left open. It should be clear at this point that the total number of ways in which p cables5 could have been inserted into 2p open sockets (with each cable consuming two sockets) is given by the equation (2p-1)X(2p-3)X(2p-5)X... X 1.

Therefore, given p cables inserted into the plugboard, the number of different connections which could have been made by an Enigma operator is given by the combination of the above two elements or

( 26 / 2p )X (2p-1) X (2p -3) X (2p-5) X...X 1 = 26!/((26-p)! X p! X 2p)

The third and final element which must be factored in is the number of cables used, or p. Using the equation just calculated, the number of plugboard combinations for all possible values of p is given in the following table. One interesting characteristic of the machine is that the maximum number of combinations did not occur at 13 as might be expected, but rather when the operators used eleven plugboard cables.6

p combinations p combinations
0 1 7 1,305,093,289,500
1 325 8 10,767,019,638,375
2 44,850 9 53,835,098,191,875
3 3,453,450 10 150,738,274,937,250
4 164,038,875 11 205,552,193,096,250
5 5,019,589,575 12 102,776,096,548,125
6 100,391,791,500 13 7,905,853,580,625

Since the combinations possible for each value of p were mutually exclusive, the total number of possible plugboard combinations is given by the sum of the above numbers, or

The second variable component was the three ordered (left to right) rotors which wired twenty-six input contact points to twenty-six output contact points positioned on alternate faces of a disc. This equation is straightforward. There are of course 26! unique discs which could have been constructed.' Of those 26! any one of them could have been selected by the cryptographers to occupy the leftmost position. The middle position could have been occupied by one of the 26! -1 discs which were left. And the rightmost disc could have been selected from any one of the 26! - 2 discs still remaining. The total number of ways of ordering all possible disc combinations in the machine is therefore 26! X (26! - 1) X (26! - 2) or8 65,592,937,459,144,468,297,405,473,480,371,753,615,896,841,298,988,710, 328,553,805,190,043,271,168,000,000.

The third variable component of Enigma was the initial rotational position of the three rotors containing the wired discs. This was specified by the cryptographers and set by the machine operators by means of twenty-six serrations around the rotor periphery. Since each of the three rotors could be initially set into one of twenty-six different positions, the total number of combinations of rotor key settings was 263 or 17,576.

The fourth variable component of the machine was a moveable ring on each of the rotors; each ring contained a notch in a specific location. The purpose of the notch was to force a rotation of the rotor immediately to the left when the notch was in a particular position. The rightmost rotor rotated every time a key was pressed. The rightmost rotor's notch forced a rotation of the middle rotor once every twenty-six keystrokes. The middle rotor's notch forced a rotation of the leftmost rotor once every 26 X.26 keystrokes. Since there were no more rotors, the leftmost rotor's notch had absolutely no effect whatsoever. (The reflector, positioned to the left of all rotors, did not move.)

Therefore, only two notches contributed to the cryptographic strength of the machine. Since each of them could have been positioned in any one of twenty-six possible locations, 262 or 676 combinations were possible.

The fifth and final variable component of Enigma was the reflector. The reflector had twenty-six contact points like a rotor, but only on one face. Thirteen wires internally connected the twenty-six contact points together in a series of pairs so that a connection coming in to the reflector from the rotors was sent back through the rotors a second time by a different route. The internal wiring could be constructed in the following fashion. When one end of the first wire was connected to contact point #1, the other side of the wire had twenty-five different contact points to which it could be connected. Thus the first wire consumed two contact points and had twenty-five different possibilities. The second wire also consumed two contact points, and had only twenty-three different connection possibilities remaining from the unconsumed contact points. The third wire consumed two more contact points and had twenty-one possibilities for connection. The pattern should be apparent by now: the number of distinct reflectors which could have been placed into Enigma was10

(It is interesting to notice that the number of different reflector combinations is also the same as the number of possible plugboard combinations when p = 13 cables were used. This should not be surprising: in both cases the value represents the number of possible pair-wise combinations which can be made given twenty-six choices and thirteen connecting wires.)

We now have everything we need in order to calculate the theoretical number of possible Enigma configurations. It is simply the product of all five values calculated above. That astounding number is 3,283,883,513,796,974,198,700,882,069,882,752, 878, 379,955,261,095,623,685, 444,055,315,226,006,433,615,627,409, 666,933,182,371,154,802,769,920,000,000,000, which is approximately 3 X 10114. To see just how large that number is, consider that it is estimated that there are only about 108 atoms in the entire observable universe. No wonder the German cryptographers had confidence in their machine!


The three-rotor, single-notched Enigma was by far the most common model in use by German forces. Later in the war, however, the German Navy adopted a variant version of the Enigma cipher machine which used four rotors and rings which contained either a single or a dual notch. Let's recalculate the theoretical number of key settings and machine configurations for a naval Enigma to see how those modifications increased the strength of the machine.

Step 1 is the number of plugboard combinations. Obviously the fourth rotor and the extra notches had absolutely no effect on this value; it is unchanged at 532,985,208,200,576.

Step 2 is the selection and the ordering, left to right, of the wired rotor discs. The previous value calculated was 26! X (26! -1) X (26! - 2). It is tempting to simply add in the factor (26! - 3). However, the new fourth rotor was not interchangeable with the other rotors; it could be placed in only one location." This meant that selection of the fourth rotor was independent, and since there were 26! ways that the rotor's disc wiring could have been constructed, 12 the new equation is given by 26! X (26! -1) X (26! -2) X 26! or 26,453,071,587,484,435,966,565,383,350,966,637,647,029,992, 367,895,564, 609,744,699,959,788,953,452,189,042,702, 687, 102, 042,112,000,000,000,000.

Step 3 is the initial rotational positions of the wired discs. As all four could have been in any one of twenty-six possible positions, the number of combinations is 264 or 456,976.

Step 4 is the initial positions of the moveable notched rings. The German Navy added a second notch to some rings in order to increase the irregularity of the rotational behavior of the rotors. We will therefore calculate all possible combinations of single or dual notched rings in each of the rotor positions. For a ring containing a single notch, we've already seen that the notch could have been placed in one of twenty-six possible orientations. A ring containing two notches, on the other hand, had 26 X 25 possible orientations. Since these two cases were mutually exclusive of each other, the total number of combinations is expressed as the sum of the two values or 26 + (26 X 25) = 262. Now on the three rotor Enigmas, as previously stated, the notch locations mattered only for the rotors placed into the rightmost and middle positions. As it turns out, that is also true for the four-rotor naval Enigmas as well. Since the fourth rotor had no ratchets and the Enigma had no fourth stepping lever, the fourth rotor did not move; once the Enigma operator had set the initial rotational position by hand, it remained constant for the duration of the message.13 So then the total number of possible single or dual notched ring positions on the rightmost and middle two rotors is given by 264 or 456,976.

Step 5 is the reflector wiring. Because of cramped conditions onboard ship, the Germans did not want to add the extra space required for the fourth rotor, thereby making the Enigma wider than it was before. Instead, they made a special half-width reflector so that the machine could continue to fit into the same size space. However, the total number of possible wiring configurations does not change from what we calculated above, or 7,905,853,580,625.14

We now ready to determine the theoretical number of possible naval Enigma configurations assuming four rotors and single or dual notches in the rings. It is the product of all five values calculated above or


The numbers derived thus far are only theoretical values which reflect how many initial cryptographic machine states were possible. In practice, once the war started, Allied cryptanalysts had a much easier job. As a final exercise, we'll calculate the number of possible cryptovariables cryptanalysts were likely to encounter when trying to determine the daily keys. Some information was known by the Allies to be effectively constant.

In step 1, the plugboard, the most common value of p used was 10. Since the number of cables was known, all that needed to be determined daily was which twenty letters had a cable patch inserted and the ten pairs created by those twenty letters. This is already given in the table under p = 10 as the value 150,738,274,937,250.

In step 2, the selection and ordering of the rotor discs, things changed over time. Initially only three rotor discs were created for general-purpose use. (Special-purpose machines, as previously stated, had their own set of wirings.) Later, two additional rotor discs were introduced, making a total of five. The German Navy added an additional three rotor discs, bringing their total to eight. And finally, one and then two extra fourth rotor discs (without rotation ratchets) were added by the Navy, giving them ten possible discs.

We will assume the general-purpose case of five discs and further assume the wiring of each of the discs is known. We will also assume this is an Enigma machine with three rotors. What Allied cryptanalysts had to determine was which three of the .five possible discs were chosen and in which order they were placed into the machine. This is simply

In step 3, the initial rotational position of the rotors was an unknown key setting for which there were 263 or 17,576 possible values.

In step 4, the position of the notched rings, we will assume single notches on all of the rings. (Dual notched rings were not introduced until the Navy added their extra three rotor discs.) This is 262 or 676.15

In step 5 we will assume the operators are using a single reflector in which the wiring is already known so the number of combinations here is simply 1.

Thus the possible cryptovariable space Allied cryptanalysts were typically faced with during the Second World War when attempting to read Enigma traffic is the product of the above five values, or 107,458,687,327,250,619,360,000, which is approximately 1 X 1023 or, stated another way, about one hundred thousand billion billion.16 Although that value is much smaller than the total number of atoms in the entire observable universe, it is still quite an impressive number! This is all the more true considering Allied cryptanalysts were faced with continually changing message keys at least daily - for every different radio network the Germans constructed.

With such daunting odds facing any cryptanalyst, it is not surprising that the German cryptographers felt secure using the Enigma. The strength of the large numbers, numbers so vast they are really beyond true comprehension, led the Germans to have absolute and complete confidence in the integrity of the Enigma cipher machine. And in that misplaced confidence, the Germans were absolutely, completely, and fatally wrong.

Notes

  1. For example, after analysis of this very topic one German cryptographer wrote, "From a mathematical standpoint we cannot speak of a theoretically absolute unsolvability of a cryptogram, but due to the special procedures performed by the Enigma machine, the solvability is so far removed from practical possibility that the cipher system of the machine, when the distribution of keys is correctly handled, must be regarded as virtually incapable of solution."
  2. Additional detailed descriptions on Enigma internals can be found in some of the references at the end of the article. See also the attached diagram and photos.
  3. Subsequent naval Enigmas contained four rotors and up to two notches per ring.
  4. If a letter's plugboard socket was left unconnected, e.g., the letter A, then A on the keyboard was wired directly to the A input position feeding the rotors. On output a wire coming from the rotors' output A position was wired directly to the light bulb A. If, on the other hand, A was plugged to X, then on input the A key was fed to the rotors as X, the X key was fed to the rotors as A, and on output what would have normally illuminated the A light bulb now connected to the X light bulb, and what before would have gone to X instead lit up as A.
  5. The boundary condition of p = 0 has one interconnection possibility.
  6. The Germans used a variety of connections. In 1940, for example, keys were recovered that used from 6 to 11 plugboard cables. In 1941 they standardized on 10 plugboard cables for all traffic.
  7. 26!= 403,291,461,126,605,635,584,000,000. Since the rotor discs were hardwired, such a vast number would have been impossible to construct in practice. Indeed, only a very small handful of rotor discs was ever constructed since they were limited to what troops could physically carry with them. Also the Germans never changed the disc wirings during the war. They did, however, create several different groups of rotor disc wirings for special-purpose machines. (For example, the High Command had specially wired Enigmas to communicate with Hitler's headquarters.) Additionally, even if the practical rotor disc wirings were compromised, the rotor ordering was still an unknown, although of course the equation is much smaller under those conditions. Furthermore, German cryptographers knew attacking cryptanalysts would have to initially sift through all possible combinations. Finally, they could have deployed "pluggable rotor discs" which could have been changed by the operators in the field and thus would have restored the number of practical combinations back to the number of theoretical combinations. ("Pluggable reflectors" were in fact deployed later in the war.) See the final section of the paper for a practical and not a theoretical example.
  8. It was known that the German troops carried individually numbered and unique sets of rotors. Hence selecting a rotor reduced the number of possibilities by one. So 26!3 is not the correct value.
  9. The ring also held the A-Z indicators specified by the cryptographers as part of the key setting. The operators used this as a guide when setting the rotor in step 3. Moving the notched ring against the wired disc also had the secondary effect of moving the A-Z indicators against the disc as well. This technically linked the rotational position in step 3 with the notch position in step 4. However, since it was possible to place the internal wired disc in any one of the twenty-six positions and the notched ring separately in any one of the twenty-six positions, these were, in fact, independent variables when counting initial cryptographic machine states.
  10. In practice the operators did not frequently change the reflector in the Enigma. Only a handful of hardwired reflectors ever saw service. Additionally, reflectors were created that also had different internal wiring for the special-purpose Enigmas. However, just as with the rotors, German cryptographers knew that initially Allied cryptanalysts would have to sift through all possible combinations. It was not until later that some four-rotor naval machines gained easily selectable interchangeable reflectors. Even later, German cryptographers developed and deployed pluggable reflectors which could be rewired by the operators in the field. This restored the number of practical reflector combinations to the theoretical value.
  11. The Germans did not want to retool their equipment and change the internal mechanics of the Enigma. Hence there was no fourth stepping lever to cause rotation of that rotor during a message. Since no stepping lever was present, the ratchets the lever interacted with were not added to the fourth rotor. This meant the fourth rotor (positioned on the extreme left next to the reflector) was incompatible and could not be used in the other three rotor locations. An additional reason for disallowing fourth rotor rotation was for backward compatability. In one specific position, the Naval fourth rotor and reflector combined had the same effective wiring as a three-rotor Enigma's reflector acting alone. Movement of that fourth rotor would prevent a four-rotor Naval Enigma from communicating with a three-rotor Army Enigma, for example.
  12. In practice, the Navy initially deployed only one new fourth rotor disc. Later they added a second disc. But as before, Allied cryptanalysts were initially faced with determining which wiring configuration was used from all possible combinations.
  13. This had a nice side effect, however. In practice, the fourth rotor and its new reflector had wiring chosen such that in one particular orientation the combination had exactly the same effective wiring as reflectors built for three-rotor Enigmas. This gave the four-rotor machines the ability to still communicate with the older three-rotor machines.
  14. In practice, the Navy introduced just one half-width reflector at the same time they introduced their first fourth rotor. A second half-width interchangeable reflector was released at the same time their second fourth rotor was released. Pluggable reflectors followed all of these events.
  15. Some may choose to add another factor of 26 at this point, since the daily key was formally given by three positions for the rings (step 4) followed by rotational orientation of the three rotors (step 3). As previously stated, moving the rings containing the notches had the side effect of moving the indicators used as a guide by the operators used in step 3. So although the notch was unimportant in the leftmost rotor due to the reflector, the ring position was very important to ensure the disc wiring was oriented correctly given an indicator for step 3. However, since there are twenty-six ways to specify the combination of ring position and indicator selection which will yield the exact same disc wiring orientation in the leftmost rotor, we can factor the twenty-six back out of the equation again.
  16. Billion is to be understood in the American and not in the European sense.

References

Dedicated to the memory of the Allied Polish
cryptanalysts

Marian Rejewski
Jerzy Rozycki
Henryk Zygalski

Dr. A. Ray Miller received a B.S. in computer science from the University of Central Florida in 1979. He received an M.S. and a Ph.D. in computer science from the University of Illinois in 1984 and 1987, respectively. While in school, he worked at the Naval Experimental Computer Simulation Laboratory, the Department of Computer Science at the University of Illinois, and the Center for Supercomputing Research and t' Development. Dr. Miller has been employed at the National Security Agency since 1987 and has taken a tour at the Supercomputing Research Center. He has received several awards and commendations, including the Meritorious Civilian Service Award and the 1991 Computer and Information Sciences Institute Award for Excellence, NSA's highest award in computer science. Dr. Miller is the author of several papers.