Slashdot Mirror


The Secrets of the Chaocipher Finally Revealed

nickpelling2 writes "In 1918, John F. Byrne invented a truly amazing cipher system, called 'The Chaocipher,' that fit inside a small cigar box, could be operated by a ten-year-old, yet produced practically unbreakable ciphertext (arguably even stronger than the Nazi Enigma machine). But now, thanks to the efforts of Chaocipher fan Moshe Rubin and the generous gift of Byrne's cryptographic effects by his daughter-in-law Pat Byrne to the National Cryptologic Museum, the secrets of the Chaocipher are finally starting to be revealed — it's a great story. To accompany Moshe Rubin's excellent textual description of the Chaocipher, I've posted a 30-second animation of the Chaocipher in action to YouTube, just in case anyone wants to see the most devious cipher of the 20th century in action (sort of)."


  1. The 20th Century? by Anonymous Coward · · Score: 3, Insightful

    AES came out in 1998.

    1. Re:The 20th Century? by Anonymous Coward · · Score: 5, Funny

      Except if the century ended in 1999 in which case it was the 19th.

      Please do not breed. It would also be appreciated if you do not vote or drive on public roads.

    2. Re:The 20th Century? by the_enigma_1983 · · Score: 2, Informative

      According to your link, some countries use terms like "the 1900s" to refer to anything between 1900 and 1999. As it says, this is equivalent to English-speakers using the term the "nineteen hundreds". It doesn't mention in any way how someone could refer to the year "1999" as being in the "19th century".

    3. Re:The 20th Century? by Kr3m3Puff · · Score: 2, Informative

      So when is this year 0 again? There is no year 0 in the Gregorian Calendar.

      --
      D.O.U.O.S.V.A.V.V.M.
  2. Wow by Anonymous Coward · · Score: 2, Interesting

    Don't know how the previous cretins managed to extract SCO and APPLE FUD from the article, but after reading the summary, reading the linked articles, and watching the video... looks to me it's an easily breakable substitution cipher. Anybody care to fill me in on what I missed?

    1. Re:Wow by omglolbah · · Score: 5, Informative

      While a polyalphabetic substitution cipher can be broken I would not call breaking this particular one "simple".
      Compared to many other such ciphers it is quite good in that there is a shifting alphabet which has a very large range of values.

      Considering it was made in 1918 I suspect it would be a pain in the ass to actually break it.
      You can't do much with frequency analysis as the alphabet and thus the substitutions change on every letter.

      Much like with Enigma I suspect that this cipher's biggest weakness is in the application. In other words following a set pattern which makes it possible to find "cribs".

    2. Re:Wow by thms · · Score: 5, Interesting

      Yes, the Enigma algorithm, or actually wiring, was known and Polish and later English Cryptologists worked long and hard to crack it since a lot was at stake. This one as of now relied a lot on security through obscurity. I doubt it would have lasted long in a world war scenario.

      Just as the Enigma it might be impossible to de-cypher it manually, but with a machine and Turing-level minds to help you I would think it is solved quickly. But since secure encryption is perceived as a solved problem (still, where is the AES equivalent of a secure hash?) maybe bright minds turn their attention elsewhere nowadays.

    3. Re:Wow by Randle_Revar · · Score: 4, Informative

      >(still, where is the AES equivalent of a secure hash?)
      here:
      http://csrc.nist.gov/groups/ST/hash/timeline.html

    4. Re:Wow by NightWhistler · · Score: 2, Insightful

      You're basically proposing to use a website as a One time pad. In theory a one-time pad is unbreakable, but that does require that the content of the one time pad would be truly random, which a web-site text is obviously not.

      Also, if the text of the site changes, your key breaks, though that may actually be a benefit.

      --
      PageTurner Reader: open-source e-reader for Android with cloudsync. http://pageturner-reader.org
  3. Video link by Nieriko · · Score: 4, Informative

    http://www.youtube.com/watch?v=BPI3P-ikWCk

    Allow me to spare you the googling :D

    1. Re:Video link by CarpetShark · · Score: 5, Funny

      > Allow me to spare you the googling :D

      And what if we wanted to google it, eh? Did you stop to think of that before posting your own god-damned link?

    2. Re:Video link by Nieriko · · Score: 5, Funny

      I don't know what are you complaining about, you can still google it. Here is the link

  4. Probably weaker than Enigma by Animats · · Score: 5, Informative

    It's not a particularly strong cypher. It's basically a monoalphabetic substitution with some feedback, but not much. For each letter encyphered, the wheels change, but they don't change by much, and the number of change possibilities is small. So if you have known plaintext anywhere in the message, you can look for it with the usual techniques for monoalphabetic substitution, while considering all of the small number of possible changes to the two alphabets on each cycle. The "permuting" step just consists of shifting half the alphabet by one place left or right.

    Once you have an entry into the cypher from some stretch of known text, you can work backwards and forwards until you've recovered the wheels.

    There are better pre-computer cyphers. Jefferson's wheel cypher is much stronger, and was used by the US as late as the Vietnam War.

    1. Re:Probably weaker than Enigma by CAIMLAS · · Score: 3, Informative

      Yet, this thing was around in 1918. It was some time before computers, and still reasonably capable. Arguably, I'm not quite sure how it's an inferior cipher compared to the Jefferson cipher - this one appears to allow for slightly more "randomness", as well as creating templates which could arguably be used for single-time pads without the additional transmission of information for an effective cipher. (the Jefferson wheel cipher wasn't used past WWII, from what I can tell).

      At any rate, it just goes to show you how effective a relatively simple machine can be, compared to modern electronic and/or computational methods to do the same basic thing (in this case, the enigma). Another good example would be drive/steer-by-wire vs. hydraulic or mechanical steering and acceleration/braking. I'm sure there are more, but I'm not creative enough to think of any of them in my current alcohol-addled state.

      Sometimes, the conceptually simpler method is the better one. This thing apparently still works; how many cryptographic engines of later years no longer do due to the copious maintenance required? Same can be said for more modern vehicle electronics vs. the older and more reliable (despite what the automotive industry says) mechanical means of doing the same: instead of outright replacement it's often relatively easy to fix the broken systems on an older car.

      Of course, when it comes to things depending on complex mathematics and the ability to be generalized, nothing beats generalized computing. :)

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    2. Re:Probably weaker than Enigma by Lord+Crc · · Score: 3, Interesting

      > So if you have known plaintext anywhere in the message, you can look for it with the usual techniques for monoalphabetic substitution, while considering all of the small number of possible changes to the two alphabets on each cycle.

      From what I can gather the "key" in this system is the ordering of the two alphabets, which is not fixed. Doesn't your method assume that you already have the key? If not, how does your method deal with all the possible alphabet permutations?

      I'm no crypto guy tho so I might be missing the obvious :)

    3. Re:Probably weaker than Enigma by IICV · · Score: 2, Interesting

      Well, just think about it: in a substitution cipher, the "key" is a permutation of the alphabet (i.e., a -> q, b -> w, etc). If you used this device without the "twizzling" step, it would be exactly like a plain old sub cipher. I just don't see how that twizzle step injects enough entropy into the system for this to be significantly more secure than even a Vigenère cipher with a sufficiently long keyword, and that you can do with pen, paper and a good memory.

      Basically, if nobody ever broke the known-plaintext ciphertexts, it's more likely to be because nobody cared enough to reverse-engineer this guy's algorithm than because of any actual cryptographic considerations.

      Chalk up another win for security through obscurity!

    4. Re:Probably weaker than Enigma by IICV · · Score: 2, Interesting

      Well but that's the thing - this cipher can be described as a specific case of "substitution cipher, except you permute the key after every character in deterministic manner 'x'". Note that a Vigenère cipher can be described in much the same way, except it's a shift cipher instead of a substitution cipher (the difference is that the key to a substitution cipher is a permutation on the alphabet, whereas a shift cipher's key is just a shift of the alphabet).

      The question boils down to: "is substitution cipher with some sort of non-random key permutation worthwhile?" The answer is probably no (and if you allow random key permutations, then it's basically a one-time pad). Indeed, I wouldn't be surprised if this thing is only a little bit more secure than a sort of Vigenère cipher hybrid that uses a list of substitution ciphers instead of a list of shift ciphers.

      So yeah, while this might have been useful in the roaring twenties, it's peanuts compared to modern cryptography.

    5. Re:Probably weaker than Enigma by igb · · Score: 2, Insightful

      I think it's somewhat better than you describe, in that it is at least feeding the ciphertext back into the permutation. It would depend on how it was used as to how much benefit that gave.

      It's reasonable to assume that in a communications network, there would be a setting for the day or week. If that were used unmodified, identical opening phrases would encrypt identically, and would then diverge at the point the plaintext diverged. As with Enigma or Purple there's weak diffusion: the only thing that affects characters 1..n of the ciphertext are the key setting and characters 1..n of the plaintext (contrast a block cipher, where the two blocks whose plaintext differ only in the last byte will generate ciphertext that potentially differs throughout). Without careful use, which would have been unlikely in 1918 given the Germans screwed this up in the 1940s, stereotypical opening sequences would expose a lot of the key.

      If an initial sequence were generated randomly for each message, so that the message itself starts with the alphabets already significantly permuted, that problem goes away. But generation of random initial sequences is hard. Again, the Germans screwed this up, and although it's not performing the same job the Herivel Tip seems relevant for any mechanical system.

      As you say, locating plaintext within the message is also plausible with a computer or even a Colossus device, although it would be very complex by paper methods: for a conjectured plaintext, you can predict the transformations of the input and output alphabets, and (I suspect) the better attacks would come from conjectured or known plaintext that contains repeated letters.

  5. Re:BS Karma whoring by Anonymous Coward · · Score: 4, Funny

    Yes, but sparing Slashdot readers from having to read TFA is a much greater service than saving them from having to Google.

  6. Re:BS Karma whoring by pspahn · · Score: 2, Funny

    You do realize that for someone to find the comment posting the video link, they already waded through a bunch of silly comments and garbage.

    Sparing /. readers from /. itself is sometimes the best service.

    --
    Someone flopped a steamer in the gene pool.
  7. Re:Starker! Zis is die CHAOCIPHER! by BazilBBrush · · Score: 5, Funny

    The European Commission has just announced an agreement whereby English will be the official language of the European Union rather than German, which was the other possibility.

    As part of the negotiations, the British Government conceded that English spelling had some room for improvement and has accepted a 5-year phase-in plan that would become known as "Euro-English".

    In the first year, "s" will replace the soft "c".

    Sertainly, this will make the sivil servants jump with joy.

    The hard "c" will be dropped in favour of "k".

    This should klear up konfusion, and keyboards kan have one less letter.

    There will be growing publik enthusiasm in the sekond year when the troublesome "ph" will be replaced with "f".

    This will make words like fotograf 20% shorter.

    In the 3rd year, publik akseptanse of the new spelling kan be expected to reach the stage where more komplikated changes are possible.

    Governments will enkourage the removal of double letters which have always ben a deterent to akurate speling.

    Also, al wil agre that the horibl mes of the silent "e" in the language is disgrasful and it should go away.

    By the 4th yer people wil be reseptiv to steps such as replasing "th" with "z" and "w" with "v".

    During ze fifz yer, ze unesesary "o" kan be dropd from vords containing "ou" and after ziz fifz yer, ve vil hav a reil sensibl riten styl.

    Zer vil be no mor trubl or difikultis and evrivun vil find it ezi tu understand ech oza.

    Und efter ze fifz yer, ve vil al be speking German like zey vunted in ze forst plas.

    Unt Ze drem vil kum tru.

  8. The really interesting thing about this machine by VORNAN-20 · · Score: 5, Insightful

    is that it can be built by anyone with intermediate carpentry/model-making skills. This is not the case with Enigma, for example, that is in the advanced electromechanical category. Definitely deserves an A for excellent design and first-rate results with minimally advanced technology.

  9. Re:Starker! Zis is die CHAOCIPHER! by Anonymous Coward · · Score: 4, Informative

    An interesting update to Mark Twain's "A Plan for the Improvement of English Spelling". Authorship of that piece is up for debate, of course, but still funny and worth the read.

    Posted anonymously because I have modded this discussion.

  10. Re:Its a two wheel enigma, neh? by Ciggy · · Score: 3, Interesting

    It's not a two wheeled enigma for at least three reasons:

    1) A plain text letter can be encrypted as itself (something an enigma machine cannot do due to physical design).
    2) In an enigma machine each wheel is wired in a fixed "permutation"; in the Chaocipher "machine" each wheel is "rewired" depending upon the letter just encrypted.
    3) In an enigma machine it is necessary to rotate the wheels semi-independently (ie like the wheels in a tape counter, each one causing the next one to rotate one letter each time it makes a complete revolution) whereas in the Chaocipher "machine" the wheels do not actually need to rotate - by rotating the wheels it makes the "rewiring" easier to explain.

    The "rewiring" could possibly be seen as the effect of rotating the enigma wheels, but without a closer look at the algorithm than that I have done I cannot definitely say but my gut feeling is that it is not - I am sure a properly devised plain text with 676 (26^2) characters would show that they are not equivalent as after encrypting the 676th character the 2 wheel enigma machine will now be back in the position in which it started and the Chaocipher "machine" will not.

    --

    A rose by any other name would smell as sweet;
    A chrysanthemum by any other name would be easier to spell
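
Two points raised in the comments above, igb's observation that messages enciphered from the same base setting agree until their plaintexts diverge and Ciggy's point 1 that a letter can encipher as itself, can be checked with a short simulation. This is an added example, not part of any comment; the stepping rules follow the published Chaocipher description, and the two alphabets and the messages are sample values that do not come from this page.

```python
# Added illustration. LEFT/RIGHT are a sample base setting (an assumption,
# not from this page); the messages below are constructed sample input.
LEFT = "HXUCZVAMDSLKPEFJRIGTWOBNYQ"   # ciphertext disk
RIGHT = "PTLNBQDEOYSFAVZKGJRIHWXUMC"  # plaintext disk


def chaocipher(text, left=LEFT, right=RIGHT, decrypt=False):
    """Encrypt (or decrypt) A-Z text, permuting both disks after each letter."""
    out = []
    for ch in text:
        # Find the input letter on its own disk, read the opposite disk.
        idx = left.index(ch) if decrypt else right.index(ch)
        out.append(right[idx] if decrypt else left[idx])
        # Left disk: bring the ciphertext letter to the zenith, then move the
        # letter at zenith+1 down to the nadir (14th position).
        left = left[idx:] + left[:idx]
        left = left[0] + left[2:14] + left[1] + left[14:]
        # Right disk: bring the plaintext letter to the zenith, step once more,
        # then move the letter at zenith+2 down to the nadir.
        right = right[idx + 1:] + right[:idx + 1]
        right = right[:2] + right[3:14] + right[2] + right[14:]
    return "".join(out)


def common_prefix_len(a, b):
    """Number of leading positions at which two strings agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def fixed_points(plain, cipher):
    """Positions where a letter was enciphered as itself."""
    return [i for i, (p, c) in enumerate(zip(plain, cipher)) if p == c]


if __name__ == "__main__":
    msg_a = "WELLDONEISBETTERTHANWELLSAID"
    msg_b = "WELLDONEISBETTERTHANWELLDONE"  # constructed: same first 24 letters
    ct_a, ct_b = chaocipher(msg_a), chaocipher(msg_b)
    print(ct_a)
    print(ct_b)
    print("shared plaintext prefix :", common_prefix_len(msg_a, msg_b))
    print("shared ciphertext prefix:", common_prefix_len(ct_a, ct_b))
    print("self-enciphered positions in A:", fixed_points(msg_a, ct_a))
```

The shared ciphertext prefix is exactly as long as the shared plaintext prefix, which is why a stereotyped opening under a reused base setting is visible to anyone comparing intercepts.
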
  11. The problem is the one-time key (base setting) by Kupfernigk · · Score: 3, Informative

    This is exactly the same as with Enigma. What matters is the initial setting, which is a key. If the base setting is always the same, then the decoding of one message works for all. The difficulty is to find a way of distributing the initial key securely, given that it needs to be changed very frequently. Any system which can be compromised if a station is captured becomes useless until all stations have new key sets - difficult for a spy network in wartime, or even a submarine fleet.

    Given the Enigma architecture, it was the capture of a German weathership and later a submarine by the Royal Navy that did most for German Enigma decryption.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."