The Chaocipher Clearing House

Progress Report #12

Moshe Rubin (mosher@mountainvistasoft.com)

A cryptanalytical historical gem: How the US solved the Japanese PURPLE machine

I'm a sucker for cryptographic historical background. I love the technical side of cryptanalysis, but when the technical is coupled with the historical, I usually come away with a greater sense of awe. Real people like you and me, tackling a real system, encountering real problems -- few things can beat that for thrills.

I recently read a fascinating declassified account of how the US successfully cryptanalyzed and solved the highest Japanese diplomatic cipher, codenamed "PURPLE" by the Americans. The document, entitled "Preliminary Historical Report of the Solution of the "B" Machine", was written by William F. Friedman on October 14, 1940, some two weeks after the first solution of the PURPLE machine by Friedman's group. Located on Frode Weierud's prolific CryptoCellar web site, the document is a gripping "inside" account of the trials and tribulations the group passed through till it solved the system.

I cannot recommend reading this document too highly.Written in Friedman's uniquely clear style, it is extremely rich in both technical and human details. Part one is the technical section and will whet anyone's appetite for "how did they do it?". Part two is the credits given to everyone who had a hand in the breakthrough. One can imagine Friedman penning this document soon after cryptanalytic history was made in an attempt to notify his superiors of the tremendous import of the achievement, recording everything for posterity, yet trying to include everyone in, leaving no one out.

Surprising parallels between Chaocipher and the PURPLE cipher machine ("Type B")

I have a reason for mentioning the above document on The Chaocipher Clearing House: there are truly remarkable parallels between working on Chaocipher and problems encountered when working on PURPLE. Judge for yourselves.

Page 4, sections 7 and 8

7. In all, the plain texts for parts of some 15 fairly lengthy messages were obtained by the methods indicated above, and these were subjected to most intensive and exhaustive cryptanalytic studies. To the consternation of the cryptanalysts, it was found that not only was there a complete and absolute absence of any causal repetitions within any single message, no matter how long, or between two messages with different indicators on the same day, but also that when repetitions of three, or occasionally four, cipher letters were found, these never represented the same plain text. In fact, a statistical calculation gave the astonishing result that the number of repetitions actually present in these cryptograms was less than the number to be expected had the letters comprising them been drawn randomly out of a hat! Apparently, the machine had with malicious intent -- but brilliantly -- been constructed to suppress all plain text repetition. Nevertheless, the cryptanalysts had a feeling that this very circumstance would, in the final analysis, prove to be the "undoing" of the system and mechanism. And so it turned out!

8. In all the foregoing studies, several factors stood out. First, the basic law underlying the B-machine was of such character that the ciphering mechanisms seemed to start from certain initial settings and to progress absolutely methodically without cyclic repetition of any sort, straight through to the end of the messages, the longest of which for which plain text had been recovered comprised 1,500 letters. Secondly, two identical plain-text letters in sequence could never be represented by two identical cipher-text letters; nor could two identical plain text letters 26 letters apart be identically enciphered. This phenomenon which was termed "suppression of duplicate encipherments at the 1st and 26th intervals" formed the subject of long and arduous study, fruitless experimentation and much discussion. [...] Fifthly, two messages with different indicators on the same day (same plugboard arrangement) were absolutely different and showed no cryptographic similarities whatsoever. Sixthly, in each line of 26 letters, two identical letters could be identically enciphered except at the 1st interval, that is, identical encipherments could, and often did, occur within a line of 26 letters at all intervals, except at the 1st intervals, although this phenomenon was rare at the 2d, 3d, 4th and 5th intervals.

9. [...] In this long, exhaustive and tedious search for repeated sequences or partially repeated sequences must labor and energy was expended but it was realized that the difficulty was probably due to the paucity of the text, despite the number and length of the individual messages available for study and for which the plain text had been reconstructed. It became apparent that what would be necessary was to obtain, by some manner or other, several messages in the same indicator and on the same day, or else to convert several messages with the same indicator but on different days to the same base, before even the existence of such cyclic sequences could be detected.

When I read these sections I had an overpowering sense of deja-vu: Chaocipher researchers to date have experienced the exact same phenomena! Here's a list of several such points:

Except for one lone case in Exhibit #1, repetitions never represent identical plain text.
Jeff Hill has pointed out that John F. Byrne's overwhelming priority was to suppress repetitions. Hence he was so proud of the fact that 100 repetitions of the same sentence did not yield repeated sequences. The inventors of PURPLE seemed to have the same goal in mind. Suppression of repetitions, apparent in both PURPLE and Chaocipher, may indicate deliberate 'tinkering' with the mechanism to bring that about.
There is no readily discernible cyclic repetition, even for the 13,600+ letters in Exhibit 1.
They experienced the same phenomenon of no successive pt/ct identities (i.e., at a distance of one). Chaocipher shows no pt/ct identities for all interval from one to eight, while PURPLE showed it for 1 and 26. Nonetheless, even with PURPLE pt/ct identities from two to five were rare.

Like the PURPLE group, for whom this point "formed the subject of long and arduous study, fruitless experimentation and much discussion", so too Chaocipher researchers -- this exact point has consumed, and continues to consume, much of their time.

Different Chaocipher messages ("with different indicators") show no similarities or relations.

The conclusion reached by the PURPLE team may be indicative: they needed to obtain, by some manner, several messages in the same indicator. In other words, single, long messages would not enable them to discern the cyclic sequences. Whether this is the same case for Chaocipher is an open question which only time will tell.

I am not proposing that Chaocipher uses the same mechanism as PURPLE. Rather, I am pointing out that the two underlying systems exhibit similar symptoms. Whether the systems have similarities is a tantalizing thought that might help Chaocipher researchers. Interesting questions arise:

Were the Japanese aware of Byrne's system in the 20's or 30's, extracting and using a specific facet of it? Byrne describes how he showed his blueprints to patent lawyers. Could one of the lawyers have shared this information with Japanese clients?
In section 9 Friedman describes how the group examined existing cryptographic mechanisms (e.g., rotating commutators, rotors, M-134) trying to see how the observed phenomena could arise. As far as we know, Byrne never sent Friedman the required number of messages to enable him to evaluate the system. Friedman had knowledge of the Chaocipher (from Byrne's first demonstration). Did Friedman consider that information about the Chaocipher mechanism when examining existing crypto-systems?

Conclusion

Whatever your cup of tea is, I highly recommend you read Friedman's fascinating document. If you're a lover of cryptology you will relive the historic achievement through the document. If you're also a Chaocipher enthusiast, you will have more "grist for the mill".

Like Friedman writes, I have "a feeling that this very circumstance would, in the final analysis, prove to be the "undoing" of the system and mechanism."

Copyright (c) 2009 Moshe Rubin
Created: 13 July 2009
Updated: 8 August 2010