
The Lorenz Schlusselzusatz

The Lorenz SZ-40 and SZ-42 cipher machines were widely used by German forces during World War II. It was primarily to break this machine's cipher that the British devised what is now considered the world's first electronic computing machine, the once-secret COLOSSUS.

The SZ-40 had twelve pinwheels, and every pin on every wheel could be set by the user. Ten of these pinwheels formed two groups of five; each of the five plaintext bits was inverted by one wheel from each group whenever the current pin on that wheel was active.

The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second group had sizes 43, 47, 51, 53, and 59.

Two additional wheels were of size 37 and 61. The wheels of the first group, and the wheel with 61 positions, advanced one position with every letter enciphered. When the current pin on the 61-position wheel was active, the wheel with 37 positions advanced one space. When the current pin on the 37-position wheel was active, then the wheels of the second group advanced one space.

The following diagram illustrates the workings of the Lorenz Schlusselzusatz:

The SZ-40 appears to be a simple design, and a very similar design proposed by Col. Parker Hitt, which lacked the irregular stepping of five wheels, was shown to be insecure. Even so, the British found breaking SZ-40 messages to be a more difficult problem than breaking Enigma messages. Some cribs were available that helped them to break into the system; part of the difficulty seems to have come from the limited availability of resources, and another part from the lack of captured equipment and tables: for example, the list giving numbers representing wheel settings was never captured, while the bigram tables for the Enigma were.

The machines used in cracking messages on the Lorenz Schlusselzusatz, known as HEATH ROBINSON and COLOSSUS, have been described to a limited extent in the open literature. A paper by F. L. Carter, in "Cryptography and Coding", the proceedings of the 6th IMA International Conference, from December, 1997, gave significant additional details of how COLOSSUS was used.

HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the U.S., was famous for his drawings of elaborate contraptions (although the styles of the two artists were very different), worked by comparing the holes punched in two paper tapes, one containing an intercepted message, and one containing a reproduction of part of the sequence of bits the pinwheels of an SZ-40 might be expected to generate. The tapes were padded with nulls to make them of relatively-prime length, and HEATH ROBINSON indicated at what point in the motions of both tapes a correlation between the two was found. This required the two tapes to move synchronously, and so the sprocket holes had to be used, which limited the speed at which the tapes could move.

COLOSSUS was built to improve on HEATH ROBINSON by generating the SZ-40 stream cipher output, or the portion thereof used for testing (such as the output of the five always-moving wheels) electronically. This way, the tapes could be moved on pulleys, at very high speeds, without any problems. A glass mask with lens-shaped patterns was used so that the light shining through the round holes on the paper tape would produce an approximation to a square wave. Thus, the paper tape, in addition to supplying input data, actually supplied the clock signal for COLOSSUS' internal logic. Apparently, in generating the pattern which a second paper tape provided on HEATH ROBINSON, COLOSSUS was capable of some sort of conditional branching, on which its claim (having been first installed in December 1943) to being the first electronic computer rests.

The paper by Carter sheds considerable light on the cryptanalytic principles behind COLOSSUS. The 5-level code used for teletypewriters was designed to minimize mechanical wear and tear; hence, the codes for the most frequent letters E and T, as well as the code for the space, consisted of a single 1 bit and four zeroes. This meant that zeroes predominated in the plaintext, and in addition, it meant that for any two characters in succession, corresponding bits in them were more likely than not to be the same. (Of course, this characteristic of the plaintext was weaker than the higher frequency of zeroes.)

Since one set of pinwheels in the SZ-40 did not advance with every character enciphered, this meant that when two succeeding cipher characters had a corresponding bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a point where two adjacent pins were in different positions, and when two succeeding cipher characters had a corresponding bit that stayed the same, then the probability that the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels did move half the time, this correlation was again weakened, but it still existed.)
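The stepping rules given earlier and the bit-change correlation just described can be checked on a small model. This is an added example, not code from the original page: the pin patterns, the starting positions and the order in which the control pins are read are assumptions, and the plaintext is a constructed run of spaces, the limiting case of the plaintext bias.

```python
FAST = (41, 31, 29, 26, 23)   # first group: advances on every character
SLOW = (43, 47, 51, 53, 59)   # second group: advances only when the 37-wheel pin is active

def pins(size, k):
    # Constructed pin pattern for illustration only, not a historical setting.
    return [((i * i + k * i + k) % 7) % 2 for i in range(size)]

FAST_PINS = [pins(n, k + 1) for k, n in enumerate(FAST)]
SLOW_PINS = [pins(n, k + 6) for k, n in enumerate(SLOW)]
M61_PINS = [i % 2 for i in range(61)]                    # constructed
M37_PINS = [1 if i % 3 == 0 else 0 for i in range(37)]   # constructed

def streams(n):
    """Wheel outputs for n characters, all wheels starting at position 0.
    Returns (fast, slow, moved): a 5-bit tuple per character from each group,
    and whether the second group stepped after that character."""
    f, s, p61, p37 = [0] * 5, [0] * 5, 0, 0
    fast, slow, moved = [], [], []
    for _ in range(n):
        fast.append(tuple(FAST_PINS[b][f[b]] for b in range(5)))
        slow.append(tuple(SLOW_PINS[b][s[b]] for b in range(5)))
        # Assumption: both control pins are read before any wheel steps.
        step37, step_slow = M61_PINS[p61], M37_PINS[p37]
        moved.append(bool(step_slow))
        f = [(f[b] + 1) % FAST[b] for b in range(5)]
        p61 = (p61 + 1) % 61
        if step37:
            p37 = (p37 + 1) % 37
        if step_slow:
            s = [(s[b] + 1) % SLOW[b] for b in range(5)]
    return fast, slow, moved

def encipher(chars):
    """XOR each 5-bit character with one pin from each group; self-inverse."""
    fast, slow, _ = streams(len(chars))
    return [tuple(p ^ x ^ y for p, x, y in zip(pc, xc, yc))
            for pc, xc, yc in zip(chars, fast, slow)]

def delta_agreement(plain, bit):
    """Fraction of adjacent character pairs in which the change in one
    cipher bit equals the change in the fast-wheel pin for that bit."""
    z, (fast, _, _) = encipher(plain), streams(len(plain))
    hits = sum((z[i][bit] ^ z[i + 1][bit]) == (fast[i][bit] ^ fast[i + 1][bit])
               for i in range(len(z) - 1))
    return hits / (len(z) - 1)

SPACE = (0, 0, 1, 0, 0)   # space in the 5-level code: a single 1 bit, four zeroes
if __name__ == "__main__":
    for bit in range(5):
        print(bit, round(delta_agreement([SPACE] * 1000, bit), 3))
```

With these constructed motor pins the second group stands still for well over half of the character transitions, so every bit shows agreement above one half; a plaintext whose bits change more often would weaken the figure.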

Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs of pins were as close to being equally likely as possible, it was not possible in practice to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels were easier. (At first, this appears odd, since, the fast wheels all having relatively prime periods, they are independent. However, since all the slow pinwheels either move or not at the same time, a search for correlations in two wheels at once could improve its effectiveness by giving more weight to an observation in one wheel which takes place when another wheel is in the more common change or no-change state for its part of the period of that fast wheel.) An abbreviated notation was used to specify types of tests to be run with COLOSSUS: one test was a simple correlation on two particularly favored pinwheels; other tests searched for common pairs of characters, such as space-figures shift, or figures shift-period. In some messages, doubled letters were quite common, and there was a test that looked for them as well.

There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode Weierud, which details the early days of the cryptanalysis of the Schlusselzusatz, codenamed Tunny by the British. That source notes the following:

Originally, the machine was used with a 12-letter indicator, which contained initial positions for all twelve pinwheels without encryption (e.g. under a "ground setting"). Each letter stood for an initial position, and the wheels had only 25 positions which a letter could indicate, except, of course, for the wheel with only 23 positions.

The initial analysis which allowed the British to determine the basic principles of the Schlusselzusatz was aided by the receipt of some pairs of messages enciphered with the same starting positions, including one re-encipherment of a long message with changes in word spacing and punctuation with exactly the same indicator.

In 1943, the Germans switched to using a number as an indicator, which was assumed to signify a 12-letter combination from a list. Later, they switched from changing pinwheel settings once a month to changing them each day, and they also modified the machine so that the wheels in the second group, instead of having their irregular motion controlled only by the 37 and 61 pinwheels, had that motion depend on a function of the pinwheels that moved with each character, or on the previous plain text (thus employing the autokey principle). However, the five wheels that stepped with every character continued to do so, and although the five slow wheels were controlled differently, they still either all moved or all stayed still, so the existing cryptanalytic approaches remained valid.

