The M-138 is a low-tech cipher device from the first half of the 20th century. Though being quite simple, the M-138 is hard to break.

The M-138 (also known as CSP-845) is a strip cipher system introduced by the US Armed Forces in the 1930s. The purpose of the M-138 was to provide medium security at low costs. It was used when a cipher machine (for instance the M-209 or the SIGABA) was not available. This happened quite often, as cipher machines were by orders of magnitude more expensive than strip ciphers and harder to transport.

Before and at the beginning of WW2 a great deal of reliance was placed on the M-138 because of the shortage of cipher machines. Later it remained in use as a backup system.


Check here for information about the history of the M-138. Blog reader Karsten Hansky povides an M-138 model kit on his website. The open source software CrypTool 2 contains an M-138 simulator.

The M-138 served its purpose quite well. It was a very cheap tool (consisting only of paper strips and a simple frame), easy to carry and operate. Considering its simplicity, it provided a high security level.

To my knowledge, not much has been published about cryptanalysis of the M-138. Therefore, it is not known how much effort it takes to break an M-138 message and if this effort was realistic for a codebreaking unit in World War 2. In addition, it would be interesting to know whether the M-138 could have been improved without major effort (for instance by putting 30 strips into the frame instead of 25).


How the M-138 works

To explain how the M-138 works, I use a fictive model, which is not compatible with an original M-138 device. An M-138 consists of 100 paper strips, on each of which the alphabet is printed twice in a random order. For encryption, the cipher clerk had to take a maximum of 25 strips from the strip set and put them into the frame. In the following example the strips 66, 11, 52, 55, 04 and 90 of my fictive M-138 version are chosen to encrypt the word CRYPTO.


The key of this encryption procedure is (66, 11, 52, 55, 04, 90 / 11). It consists of the strip numbers used followed by the offset between the cleartext column and the ciphertext column. In this example, the ciphertext is UKLAGW. The number of strips used may not exceed 25 (because only 25 strips fit into the frame). No strip can be put into the frame twice. This means that a key like (20, 12, 20, …) is not allowed.

If the cleartext is longer than 25 letters, it must be divided into 25 letter blocks. In the following example the cleartext THIS TEST MESSAGE CONTAINS NO CONFIDENTIAL INFORMATION is encrypted. It consists of 48 letters. We start with the first 25 letters as the first block. The key is (42, 19, 26, 28, 02, 17, 49, 38, 87, 08, 94, 64, 92, 88, 37, 63, 39, 35, 30, 31, 05, 27, 34, 78, 60 / 6).


Now, the remaining 23 letters are encrypted (the key stays the same).


The ciphertext we get is BYKWH CXGTX DXFBV HHSEC JMAHT LRLUB FCCNJ WKAPJ LVVXO JQQ. It should be clear that using the same key for two blocks considerably weakens the cipher.


The M-138 challenges

In order to encourage research in the M-138, I decided to create a few challenges. So, I produced three M-138 ciphertexts and published them on the crypto puzzle portal MysteryTwister C3 (MTC3). Message #1 was easy to solve, message #2 was more difficult, and message #3 was, in my view, unsolvable (because it consitsted of only one 25 letter block).

Within a few days, several MTC3 users protested, because there was no unique solution of message #3 (this was exactly the reason why I considered it unsolvable). These protests caused me to withdraw the challenges. Together with Bernhard Esslinger and Nils Kopals from the MTC3 team, I designed four new ones. All four challenges use the same key for several 25 letter blocks, which grants that they can be broken. Here they are:

If you don’t know how to start solving an M-138 ciphertext, you should read a paper based on my challenges by Ketki Kulkarni and Pratikshya Mishra from San Jose State University. If you know other publications about M-138 cryptanalysis, please let me know.

Further reading:

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (1)

  1. #1 Klaus Schmeh
    19. Februar 2018

    Bart Wenmeckers via Facebook:
    Very good article Klaus. Good to see the examples and the challenges.