Grill (cryptology)
The grill method, in cryptology, was a method used chiefly early on, before the advent of the cyclometer, by the mathematician-cryptologists of the Polish Cipher Bureau in decrypting German Enigma machine ciphers. The Enigma rotor cipher machine changes plaintext characters into cipher text using a different permutation for each character, and so implements a polyalphabetic substitution cipher.
Background
The German navy started using Enigma machines in 1926; it was called Funkschlüssel C. By 15 July 1928, the German Army had introduced their own version of the Enigma—the Enigma G; a revised Enigma I appeared in June 1930. The Enigma I used by the German military in the 1930s was a 3-rotor machine. Initially, there were only three rotors labeled I, II, and III, but they could be arranged in any order when placed in the machine. Rejewski identified the rotor permutations by,, and ; the encipherment produced by the rotors altered as each character was encrypted. The rightmost permutation changed with each character. In addition, there was a plugboard that did some additional scrambling.The number of possible different rotor wirings is:
The number of possible different reflector wirings is:
The number of possible different plugboard wirings is:
To encrypt or decrypt, the operator made the following machine key settings:
- the rotor order
- the ring settings
- the plugboard connections
- an initial rotor position
The Enigma was used with radio communications, so letters were occasionally corrupted during transmission or reception. If the recipient did not have the correct message key, then the recipient could not decipher the message. The Germans decided to send the three-letter message key twice to guard against transmission errors. Instead of encrypting the message key "YEK" once and sending the encrypted key twice, the Germans doubled the message key to "YEKYEK", encrypted the doubled key with the ground setting, and sent the encrypted doubled key. The recipient could then recognize a garbled message key and still decrypt the message. For example, if the recipient received and decrypted the doubled key as "YEKYEN", then the recipient could try both message keys "YEK" and "YEN"; one would produce the desired message and the other would produce gibberish.
The encrypted doubled key was a huge cryptographic mistake because it allowed cryptanalysts to know two encipherments of the same letter, three places apart, for each of the three letters. The Polish codebreakers exploited this mistake in many ways. Marian Rejewski used the doubled key and some known daily keys obtained by a spy, to determine the wiring of the three rotors and the reflector. In addition, code clerks often did not choose secure random keys, but instead chose weak keys such as "AAA", "ABC", and "SSS". The Poles later used the doubled weak keys to find the unknown daily keys. The grill method was an early exploitation of the doubled key to recover part of the daily settings. The cyclometer and the bomba kryptologiczna were later exploitations of the doubled key.
Example message
Frode Weierud provides the procedure, secret settings, and results that were used in a 1930 German technical manual.
Daily settings :
Wheel Order : II I III
Ringstellung : 24 13 22
Reflector : A
Plugboard : A-M, F-I, N-V, P-S, T-U, W-Z
Grundstellung: 06 15 12
Operator chosen message key : ABL
Enciphered starting with FOL: PKPJXI
Message to send and resulting 5-letter groups of clear text:
Feindliche Infanteriekolonne beobachtet.
Anfang Südausgang Bärwalde.
Ende 3 km ostwärts Neustadt.
FEIND LIQEI NFANT ERIEK
OLONN EBEOB AQTET XANFA
NGSUE DAUSG ANGBA ERWAL
DEXEN DEDRE IKMOS TWAER
TSNEU STADT
Resulting message:
1035 – 90 – 341 –
PKPJX IGCDS EAHUG WTQGR
KVLFG XUCAL XVYMI GMMNM
FDXTG NVHVR MMEVO UYFZS
LRHDR RXFJW CFHUH MUNZE
FRDIS IKBGP MYVXU Z
The first line of the message is not encrypted. The "1035" is the time, "90" is number of characters encrypted under the message key, and "341" is a system indicator that tells the recipient how the message was encrypted. The first six letters in the body are the doubled key encrypted using the daily key settings and starting the encryption at the ground setting/Grundstellung "FOL". The recipient would decipher the first six letters to recover the message key ; he would then set the machine's rotors to "ABL" and decipher the remaining 90 characters. Notice that the Enigma does not have numerals, punctuation, or umlauts. Numbers were spelled out. Most spaces were ignored; an "X" was used for a period. Umlauts used their alternative spelling with a trailing "e". Some abbreviations were used: a "Q" was used for "CH".
When Rejewski started his attack in 1932, he found it obvious that the first six letters were the enciphered doubled key.
Key encryption
The daily key settings and ground setting will permute the message key characters in different ways. That can be shown by encrypting six of the same letter for all 26 letters:
AAAAAA -> PUUJJN
BBBBBB -> TKYWXV
CCCCCC -> KZMVVY
DDDDDD -> XMSRQK
EEEEEE -> RYZOLZ
FFFFFF -> ZXNSTU
GGGGGG -> QRQUNT
HHHHHH -> SSWYYS
IIIIII -> WNOZPL
JJJJJJ -> MQVAAX
KKKKKK -> CBTTSD
LLLLLL -> OWPQEI
MMMMMM -> JDCXUO
NNNNNN -> YIFPGA
OOOOOO -> LPIEZM
PPPPPP -> AOLNIW
QQQQQQ -> GJGLDR
RRRRRR -> EGXDWQ
SSSSSS -> HHDFKH
TTTTTT -> BVKKFG
UUUUUU -> VAAGMF
VVVVVV -> UTJCCB
WWWWWW -> ILHBRP
XXXXXX -> DFRMBJ
YYYYYY -> NEBHHC
ZZZZZZ -> FCEIOE
From this information, the permutations for each of the six message keys can be found. Label each permutation A B C D E F. These permutations are secret: the enemy should not know them.
Notice the permutations are disjoint transpositions. For the A permutation, it not only changes "A" into "P" but it also changes "P" into "A". That allows the machine to both encrypt and decrypt messages.
Augustin-Louis Cauchy introduced two-line notation in 1815 and cycle notation in 1844.
Rejewski's characteristic
Rejewski made an incredible discovery. Without knowing the plugboard settings, the rotor positions, the ring settings, or the ground setting, he could solve for all the daily message keys. All he needed were enough messages and some code clerks using non-random message keys.The message key is three characters long, so the doubled key is six characters long. Rejewski labeled the permutations for the successive message-key characters A B C D E F. He did not know what those permutations were, but he did know that A and D permutations encrypted the same message key letter, that B and E encrypted the same letter, and that C and F encrypted the same letter. If are the plaintext letters of the message key and are the corresponding ciphertext letters, then
The equations can be post multiplied by D, E, and F respectively to simplify the right hand sides:
The plaintext values are unknown, so those terms are just dropped to leave:
The above equations describe a path through the permutations. If is passed through the inverse of, then it produces. If that character passes through, then the result is.
Rejewski also knew that the Enigma permutations were self inverses: Enigma encryption and decryption were identical. That means that where is the identity permutation. Consequently,. Thus:
The above equations show the relationship between the doubled key characters. Although Rejewski did not know the individual permutations A B C D E F, a single message told him how specific characters were permuted by the composed permutations AD, BE, and CF.
From many messages, Rejewski could determine the composed permutations completely. In practice, about 60 messages were needed to determine the permutations.
Rejewski recorded the three permutations with a cyclic notation he called the characteristic. gives an example:
In this notation, the first cycle of permutation would map d to v, v to p, p to f,..., y to o, and o would wrap around to d.
Marks and Weierud give an example from Alan Turing that shows these cycles can be completed when some information is incomplete.
Furthermore, Enigma permutations were simple transpositions, which meant that each permutation A B C D E F only transposed pairs of characters. Those character pairs had to come from different cycles of the same length. Moreover, any one pairing between two cycles determined all the other pairs in those cycles. Consequently, permutations A and D both had to transpose a and s because and are the only cycles of length one and there is only one way to pair them. There are two ways to match and because b must pair with either r or w. Similarly, there are ten ways to match the remaining ten-character cycles. In other words, Rejewski now knew that there were only twenty possibilities for the permutations A and D. Similarly, there were 27 candidates for B and E, and 13 candidates for C and F.
Weak keys
At this point, the Poles would exploit weaknesses in the code clerks' selection of message keys to determine which candidates were the correct ones. If the Poles could correctly guess the key for a particular message, then that guess would anchor two cycles in each of the three characteristics.The Poles intercepted many messages; they would need about 60 messages in the same daily key to determine the characteristic, but they may have many more. Early on, Rejewski had identified the six characters that made up the message key. If the code clerks were choosing random message keys, then one would not expect to see much correlation in the encrypted six characters. However, some code clerks were lazy. What if, out of a hundred messages, there were five messages from five different stations that all used the same message key "PUUJJN"? That they all came up with the same key suggests they used a very simple or very common key. The Poles kept track of different stations and how those stations would choose message keys. Early on, clerks often used simple keys such as "AAA" or "BBB".
The end result was that without knowing the Enigma's plugboard settings, the rotor positions, or the ring settings, Rejewski determined each of the permutations A B C D E F, and hence all of the day's message keys.
Initially, Rejewski used the knowledge of permutations A B C D E F to determine the rotor wirings. After learning the rotor wirings, the Poles used the permutations to determine the rotor order, plugboard connections, and ring settings through further steps of the grill method.
Continuing the 1930 example
Using the daily key in the 1930 technical manual above, then Rejewski could find the following characteristics:Although there are theoretically 7 trillion possibilities for each of the A B C D E F permutations, the characteristics above have narrowed the A and D permutations to just 13 possibilities, B and E to just 30 possibilities, and C and F to just 20 possibilities. The characteristic for CF has two singleton cycles, and . Those singleton cycles must pair in the individual permutations, so the characteristic for CF implies that the "E" and "Z" exchange in both the C and F permutations.
The pairing of "E" and "Z" can be checked in the original permutations given above.
Rejewski would now know that indicators with the pattern "..E..E" were from a message key of "..Z"; similarly an indicator of "..Z..Z" were from a message key of "..E". In the day's traffic, he might find indicators such as "PKZJXZ" or "RYZOLZ"; might one of these indicators be the common message key "EEE"? The characteristic limits the number of possible permutations to a small number, and that allows some simple checks. "PKZJXZ" cannot be "EEE" because it requires "K" and "E" to interchange in B, but both "K" and "E" are part of the same cycle in BE: . Interchanging letters must come from distinct cycles of the same length. The repeating key could also be confirmed because it could uncover other repeating keys.
The indicator "RYZOLZ" is a good candidate for the message key "EEE", and it would immediately determine both permutations A and D. For example, in AD, the assumed message key "EEE" requires that "E" and "R" interchange in A and that "E" and "O" interchange in D.
If "E" interchanges with "R" in A, then the letter following "E" will interchange with the letter preceding "R" .
That can be continued to get all the characters for both permutations.
This characteristic notation is equivalent to the expressions given for the 1930 permutations A and D given above by sorting the cycles so that the earliest letter is first.
The guessed message key of "EEE" producing indicator "RYZOLZ" would also determine the pairing of the 10-long cycles in permutation BE.
That determines most of B and E, and there would only be three possible variations left that pair and . There are still 20 possible variations for C and F. At this point, the Poles could decrypt all of the first and fourth letters of the daily keys; they could also decrypt 20 out 26 of the second and fifth letters. The Poles' belief in these permutations could be checked by looking at other keys and seeing if they were typical keys used by code clerks.
With that information, they could go looking for and find other likely weak message keys that would determine the rest of the A B C D E F permutations. For example, if the Poles had an indicator "TKYWXV", they could decrypt it as "BB.BB."; checking the cycles for CF would reveal that the indicator is consistent with message key "BBB".
Rejewski's model
Rejewski modeled the machine as permutation made from permutations of plugboard, the wiring from the keyboard/lamps to the rotors, the three rotors, and the reflector. The permutation for each position of the doubled key was different, but they were related by a permutation that represented a single step of a rotor. Rejewski assumed that the left and middle rotors did not move while encrypting the doubled key. The six letters of the doubled key consequently see the permutations A B C D E F:Rejewski simplied these equations by creating as a composite reflector made from the real reflector and two leftmost rotors:
Substitution produces:
The result is six equations in four unknowns. Rejewski had a commercial Enigma machine, and he initially thought that would be the same. In other words, Rejewski guessed that
Later, Rejewski realized that guess was wrong. Rejewski then guessed that was just the identity permutation:
That still left three unknowns. Rejewski comments:
Having the daily keys meant that was now known. The known permutations were moved to the left side in the equations by premultiplying and post multiplying.
The leftmost and rightmost permutations on the right-hand side were moved to the left; the results were given the variable names U V W X Y Z:
Rejewski then multiplied each equation with the next:
Next, Rejewski eliminated the common subexpression by substituting its value obtained from the previous product.
The result is a set of four equations in just one unknown:.
Back to 1930 example
For the 1930 example above,
ABCDEFGHIJKLMNOPQRSTUVWXYZ
A ptkxrzqswmcojylagehbvuidnf
B ukzmyxrsnqbwdipojghvatlfec
C uymsznqwovtpcfilgxdkajhrbe
D jwvrosuyzatqxpenldfkgcbmhi
E jxvqltnypaseugzidwkfmcrbho
F nvykzutslxdioamwrqhgfbpjce
are transformed to the permutations:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
U gkvlysarqxbdptumihfnoczjew
V gnfmycaxtrzsdbvwujliqophek
W uekfbdszrtcyqxvwmigjaopnlh
X jelfbdrvsaxctqyungimphzkow
Y ltgmwycsvqxadzrujohbpiekfn
Z mskpiyuteqcravzdjlbhgnxwfo
and then multiplied to produce the five successive products:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
UV = azoselgjuhnmwiqdtxcbvfkryp =
VW = sxdqlkunjihgfeopatyrmvwzbc =
WX = pbxdefiwgmlonkhztsrajyuqcv =
XY = qwaytmoihlkgbjfpzcvdusnxre =
YZ = rhuaxfkbnjwmpolgqztsdeicyv =
Now the goal is to find the single structure preserving map that transforms UV to VW, VW to WX, WX to XY, and XY to YZ. Found by subscription of cycle notation. When maps to, the map must mate cycles of the same length. That means that
in must map to one of
in. In other words, a
must map to one of opvw
. These can be tried in turn.
UV =
VW =
VW =
WX =
WX =
XY =
XY =
YZ =
But
a
must map the same to o
in each pairing, so other character mappings are also determined:
UV =
VW =
VW =
WX =
WX =
XY =
XY =
YZ =
Consequently, the character maps for
sybxzcdq
, pzvycxqt
, and qzetdyrc
are discovered and consistent. Those mappings can be exploited:
UV =
VW =
VW =
WX =
WX =
XY =
XY =
YZ =
Which determines the rest of the map and consistently subscribes:
UV =
VW =
VW =
WX =
WX =
XY =
XY =
YZ =
The resulting map with successive subscriptions:
resulting map: ABCDEFGHIJKLMNOPQRSTUVWXYZ
ounkpxvtsrqzcaeflihgybdjwm =
UV =
VW =
WX =
XY =
YZ =
The map gives us, but that is also congugate. Consequently, the 26 possible values for are found by subscribing in 26 possible ways.
The model above ignored the right rotor's ring setting and ground setting, both of which were known because Rejewski had the daily keys. The ring setting has the effect of counterrotating the drum by 21; the ground setting advances it by 11. Consequently, the rotor rotation is -10, which is also 16.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Straight ounkpxvtsrqzcaeflihgybdjwm
Shifted gpsquvbyxwortzmcekdafnljih =
subscribe P in different ways:
* actual rotor wiring
...
rotor * ABCDEFGHIJKLMNOPQRSTUVWXYZ
bdfhjlcprtxvznyeiwgakmusqo
Grill
The physical grill was used to determine both the rightmost rotor, its initial position, and the plugboard settings.Bottom sheet
Rejewsky observed that is close to the identity permutation. He moved everything but to the left side of the equations by premultiplying or postmultiplying. The resulting system of equations is:At his point, is unknown, but it is the same for each equation. Rejewski does not know, but he knows it is one of the rotors, and he knows the wiring for each of those rotors. There were only three rotors and 26 possible initial rotations. Consequently, there are only 84 possible values for. Rejewski can look at each possible value to see if the permutation is consistent. If there were no steckers, then each equation would produce the same.
Consequently, he made one bottom sheet for each possible rotor. Each bottom sheet consisted of 31 lines. Each line contained the stepped permutation of a known rotor. For example, a suitable bottom sheet for rotor III is,
In the early 1930s, the rotor order was the same for a month or more, so the Poles usually knew which rotor was in the rightmost position and only needed to use one bottom sheet. After 1 November 1936, the rotor order changed every day. The Poles could use the clock method to determine the rightmost rotor, so the grill would only need to examine that rotor's bottom sheet.
Top sheet
For the top sheet, Rejewski wrote the six permutations through.
A: abcdefghijklmnopqrstuvwxyz
srwivhnfdolkygjtxbapzecqmu
...
F: abcdefghijklmnopqrstuvwxyz
wxofkduihzevqscymtnrglabpj
There were six slits so the permutations on the bottom sheet would show through at the proper place.
The top sheet would then be slid through all possible positions of rotor, and the cryptanalyst would look for consistency with some unknown but constant permutation. If there is not a consistent, then the next position is tried.
Here's what the grill would show for the above permutations at its consistent alignment:
A: abcdefghijklmnopqrstuvwxyz
ptkxrzqswmcojylagehbvuidnf
17 fpjtvdbzxkmoqsulyacgeiwhnr
B: abcdefghijklmnopqrstuvwxyz
ukzmyxrsnqbwdipojghvatlfec
18 oisucaywjlnprtkxzbfdhvgmqe
C: abcdefghijklmnopqrstuvwxyz
uymsznqwovtpcfilgxdkajhrbe
19 hrtbzxvikmoqsjwyaecguflpdn
D: abcdefghijklmnopqrstuvwxyz
jwvrosuyzatqxpenldfkgcbmhi
20 qsaywuhjlnprivxzdbftekocmg
E: abcdefghijklmnopqrstuvwxyz
jxvqltnypaseugzidwkfmcrbho
21 rzxvtgikmoqhuwycaesdjnblfp
F: abcdefghijklmnopqrstuvwxyz
nvykzutslxdioamwrqhgfbpjce
22 ywusfhjlnpgtvxbzdrcimakeoq
In permutation, the cryptanalyst knows that
interchange. He can see how rotor III would scramble those letters by looking at the first line and the line visible through the slit. The rotor maps c
into j
and it maps k
into m
. If we ignore steckers for the moment, that means permutation would interchange
. For to be consistent, it must be the same for all six permutations.Look at the grill near permutation to check if its also interchanges
. Through the slit, find the letter j
and look in the same column two lines above it to find h
. That tells us the rotor, when it has advanced three positions, now maps h
into j
. Similarly, the advanced rotor will map y
into m
. Looking at permutation, it interchanges
, so the two tests are consistent.Similarly, in permutation, the
interchange and imply that
interchange in. Looking at permutation,
interchange and also imply that
interchange in.All such tests would be consistent if there were no steckers, but the steckers confuse the issue by hiding such matches. If any of the letters involved in the test is steckered, then it will not look like a match.
The effect of the rotor permutation can be removed to leave the implied by the permutations. The result is:
-: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Q: vyzrilptemqfjsugkdnhoaxwbc
Q: myqvswpontxzaihgcuejrdfkbl
Q: vcbrpmoulxwifzgeydtshakjqn
Q: kyirhulecmagjqstndopfzxwbv
Q: vemgbkdtwufzcxrysoqhjainpl
Q: wvlrpqsmjizchtuefdgnobayxk
Q : vyqrpkstnmfzjiuecdghoaxwbl
Most of the letters in an implied permutation are incorrect. An exchange in an implied permutation is correct if two letters are not steckered. About one half the letters are steckered, so the expectation is only one fourth of the letters in an implied permutation are correct. Several columns show correlations; column
A
has three v
characters, and
interchange in the actual ; column D
has four r
characters, and
interchange in.describes the possibility of writing down the six implied s for all 26 possible rotor positions. Rejewski states, "If permutation actually were the identity, then... for a particular we would obtain the same value for all expressions and in this way we would find the setting of drum. Permutation does exist, however, so for no will the expression be equal to each other, but among them will be a certain similarity for a particular , since permutation does not change all the letters."
Rejewski states that writing down all the possible "would be too laborious", so he developed the grill method. "Next, the grid is moved along the paper on which the drum connections are written until it hits upon a position where some similarities show up among the several expression.... In this way the setting of drum and the changes resulting from permutation are found simultaneously. This process requires considerable concentration since the similarities I mentioned do not always manifest themselves distinctly and can be very easily overlooked." The reference does not describe what techniques were used. Rejewski did state that the grill method required unsteckered pairs of letters.
Permutation has the exchanges
...
. If we assume the exchange
is unsteckered, that implies exchanges
. The other five permutations can be quickly checked for an unsteckered pair that is consistent with interchanging
— essentially checking column F
for other rows with l
without computing the entire table. None are found, so
would have at least one stecker so the assumption it is unsteckered is abandoned. The next pair can be guessed as unsteckered. The exchange
implies exchanges
; that is consistent with
in, but that guess fails to pan out because t
and w
are steckered.
A: b↔t B: l↔w C: k←t D: x→m E: m→u F: j←x
↓ ↓ ↓ ↓ * ↑ ↑ * ↑ * * ↑
b t l w x t k z z f j k
↓ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Q: p↔g p↔g p↔g p↔g p↔g p↔g
guessing unsteckered in S leads to the guess unsteckered in S
C finds stecker
D finds stecker
E finds stecker
F finds
Following those guesses ultimately leads to a contradiction:
A: f↔z B: m→d C: p←l D: f→s E: p!x F:
↓ ↓ ↑ * * ↑ ↑ * ↑ ↑
u m z y r l u a r k
↓ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Q: e↔q e↔q e↔q e↔q e↔q e↔q
exploit in A leads to exchange in Q
B finds steckered
C finds steckered
D finds steckered
E finds steckered - but p is already steckered to r! failure
The third exchange
implies exchanges
; this time permutation with an unsteckered
would be consistent with exchanging
.
A: c↔k B: C: D: h↔y E: F:
↓ ↓ ↑ ↑
c k i x n j h y u i g u
↓ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Q: j↔m j↔m j↔m j↔m j↔m j↔m
guessing unsteckered in S leads to the guess unsteckered in S
At this point, the guess is that the letters
chky
are unsteckered. From that guess, all the steckers can be solved for this particular problem. The known exchanges in are used to find exchanges in, and those exchanges are used to extend what is known about.Using those unsteckered letters as seeds finds
interchange in and implies
is in ; similarly
interchange in and implies
is in. Examining
in the other permutations finds
is a stecker.
A: B: C: D: E: h↔y F:
↓ ↓
j a o s i v v s h y w e
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: k↔f k↔f k↔f k↔f k↔f k↔f
exploit in E
A: B: C: t←k D: E: F: c↔y
* ↑ ↓ ↓
o l d a u k f w m j c y
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: u↔o u↔o u↔o u↔o u↔o u↔o
exploit in F shows are in S
That adds letters
tu
to the seeds. Those letters were also unknown above, so further information can be gleaned by revisiting: also has
.
A: c↔k B: f→x C: D: h↔y E: t→f F: g←t
↓ ↓ ↑ * ↑ ↑ ↑ * * ↑
c k i x n j h y u i g u
↓ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Q: j↔m j↔m j↔m j↔m j↔m j↔m
knowing in S leads to in S
then in S can be used to find in S
Revisit
in gives more information:
A: B: o←p C: f→n D: n→p E: h↔y F: z→e
* ↑ ↑ * ↑ * ↓ ↓ ↑ *
j a o s i v v s h y w e
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: k↔f k↔f k↔f k↔f k↔f k↔f
exploit in S leads to in S
in S leads to stecker
in S leads to
in S leads to
A: o→l B: C: t←k D: i→z E: F: c↔y
↑ * * ↑ ↑ * ↓ ↓
o l d a u k f w m j c y
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: u↔o u↔o u↔o u↔o u↔o u↔o
exploit in S leads to stecker in S
in S leads to in S
Another revisit fully exploits
:
A: c↔k B: f x C: v→j D: h↔y E: t→f F: g←t
↓ ↓ ↑ * ↑ * ↑ ↑ ↑ * * ↑
c k i x n j h y u i g u
↓ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Q: j↔m j↔m j↔m j↔m j↔m j↔m
knowing in S leads to in S
That addition fills out even more:
A: j→m B: o←p C: f→n D: n→p E: h↔y F: z→e
↑ * * ↑ ↑ * ↑ * ↓ ↓ ↑ *
j a o s i v v s h y w e
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: k↔f k↔f k↔f k↔f k↔f k↔f
exploit in S leads to in S
A: o→l B: d←m C: t←k D: i→z E: a↔j F: c↔y
↑ * * ↑ * ↑ ↑ * ↑ ↑ ↓ ↓
o l d a u k f w m j c y
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↑ ↑
Q: u↔o u↔o u↔o u↔o u↔o u↔o
exploit in S leads to in S
Q =
missing 10 pairings
S =
22 characters so far: missing beqr
have found all 6 steckers, so
All of is now known after examining 3 exchanges in. The rest of can be found easily.
When a match is found, then the cryptanalyst would learn both the initial rotation of and the plugboard permutation.
Recovering absolute rotor positions for the message key
At this point, the rotor positions for the permutation is not known. That is, the initial positions of rotors and are not known. The Poles applied brute force by trying all possible initial positions of the two rotors. With three rotors, knowing which rotor was at position meant there were only two possible ways to load the other two rotors.Later, the Poles developed a catalog of all the permutations. The catalog was not large: there were six possible combinations of two left rotors with initial settings, so the catalog had 4,056 entries. After using the grill, the Poles would look up in the catalog to learn the order and initial positions of the other two rotors.
Initially, the Germans changed the rotor order infrequently, so the Poles would often know the rotor order before they began working. The rotor order changed every quarter until 1 February 1936. Then it changed every month until 1 November 1936, when it was changed daily.
Recovering the ring setting
The cryptanalyst now knew the plugboard, the rotor order, and the absolute setting of the rotors for the doubled key, but he did not know the ring setting. He also knew what the message key setting should be, but that setting was useless without knowing the ring setting. The ring setting could be anything, and that meant the Poles did know how to position the rotors for the message body. All the work up to this point had focussed on exploiting the doubled key. To determine the ring setting, the attention now shifted to the actual message.Here, the Germans had made another mistake. Each message usually started with the text "ANX", which was German an meaning "to:" with the "X" meaning space. The Poles applied brute force here, too. They would go through up to settings to find settings that produced "ANX". Once found, the cryptanalyst would use the absolute setting of the rotors to determine the ring setting. The entire daily key was thus recovered.
Later, the Poles refined the brute force search technique. By examining some messages, they could determine the position of the rightmost rotor; consequently, only 676 rotor positions would have to be tried. Rejewski no longer remembers how this trick worked.
Decline
The grill method is described by Marian Rejewski as being "manual and tedious" and, like the later cryptologic bomb, as being "based... on the fact that the plug connections did not change all the letters." Unlike the bomb, however, "the grill method required unchanged pairs of letters only unchanged letters."Initially, the plugboard only swapped six pairs of letters. That left more than half of the alphabet unaffected by permutation. The number of steckers changed 1 August 1936; then it could be from five to eight pairs of letters were swapped. The extra swapped characters reduced the effectiveness of the grid method, so the Poles started looking for other methods. The result was the cyclometer and corresponding card catalog; that method was immune to steckers.
The grill method found application as late as December 1938 in working out the wiring in two Enigma rotors newly introduced by the Germans.
On 15 September 1938, most German nets stopped encrypting the doubled key with a common setting. The Poles had been able to take advantage of all messages in a net using the same machine settings to encrypt the doubled key. Now most nets stopped doing that; instead, the operator would choose his own ground setting and send it in the clear to the recipient. This change frustrated the grill method and the cyclometer card catalog. One net, the Sicherheitsdienst net, continued to use a common ground setting, and that net was used to reverse engineer new rotors that were introduced. The SD net traffic was doubly encoded, so the ANX method would not work. The grill method would sometimes fail after the Germans increased the number of plugboard connections to ten on 1 January 1939. When the SD net switched to the new message-key protocol on 1 July 1939, the grill method were no longer useful.
Here's an example of the new message procedure for a message on 21 September 1938.
2109 -1750 - 3 TLE - FRX FRX - 1TL -172=
HCALN UQKRQ AXPWT WUQTZ KFXZO MJFOY RHYZW VBXYS IWMMV WBLEB
DMWUW BTVHM RFLKS DCCEX IYPAH RMPZI OVBBR VLNHZ UPOSY EIPWJ
TUGYO SLAOX RHKVC HQOSV DTRBP DJEUK SBBXH TYGVH GFICA CVGUV
OQFAQ WBKXZ JSQJF ZPEVJ RO -
The "3 TLE" says it is a 3-part message; the "1TL" says this is the first part; the "172" says there are 172 characters in the message. For this message, the ground setting "FRX" is transmitted twice in the clear; the ground setting would/should be different for every message on net. Consequently, the Poles could not find the needed sixty message keys encrypted under the same ground setting. Without the same-key message volume, they could not determine the characteristic, so they could not determine the permutations A B C D E F or use the grill. For this message, the daily settings were used with "FRX" to decrypt the first six characters to obtain the doubled message key.
To decrypt these messages, the Poles used other techniques to exploit the doubled message key.