# Can you decipher this cryptogram made with a German WW2 cipher?

In the Second World War, the Germans used a manual cipher, the “double box”. Here’s a double-box cryptogram for my readers to solve.

The Doppelkasten-Schlüssel (double box cipher) was one of the most popular encryption systems of the Second World War. Until 1944, this method served as the standard manual cipher in the German military. When an Enigma machine was too expensive, broken, or too heavy to carry, the double box usually was the substitute.

### The method

The double box is a variant of the Playfair cipher. As will be shown below, it is even simpler and more elegant than its better-known relative.

As has been explained on this blog many times before, the Playfair cipher uses a permutation of the alphabet (without the J) as the key, written in a 5×5 matrix. The double box requires even two matrices of this kind, as in the following example:

```MUEZC  QAKGD
RTBSY  FHVLO
FOHVL  INPWX
PWINX  TBSRY```

Letters are now encrypted pair-wise. Contrary to the Playfair cipher, which is based on three substitution rules, the double box needs only two. In both cases, the first letter of a pair is located in the first matrix, the second letter in the second matrix. For instance, the letter pair TC is mapped to the matrices as follows:

```MUEZC  QAKGD
RTBSY  FHVLO
FOHVL  INPWX
PWINX  TBSRY```

Now, one of the two double-box rules is applied:

Rule 1: If the two letters of a pair are not in the same line, the first one is encrypted to the letter in the second table standing in the same line as the first letter and in the same column as the second letter. The second letter is encrypted to the letter in the first table standing in the same line as the second letter and the same column as the first letter.

As an example, TC is encrypted to VG:

```MUEZC  QAKGD
RTBSY  FHVLO
FOHVL  INPWX
PWINX  TBSRY```

Rule 2: If the two letters are in the same line, the first letter is encrypyted to the right neighbor of the second one and the second one is encrypted to the right neighbor of the first one (the first column of each matrix is considered the right neighbor of the fifth).

As an example, VX is encrypted to IL:

```MUEZC  QAKGD
RTBSY  FHVLO
FOHVL  INPWX
PWINX  TBSRY```

That’s it. Contrary to the Playfair cipher, the double box doesn’t require exception handling for identical digraphs.

To make the guessing of message beginnings more difficult, the Germans sometimes generated the digraphs from the plaintext according to the following rule: (letter1, letter22), (letter2, letter23), (letter3, letter24),… In this article, however, I will employ the most obvious way of generating digraphs from a plaintext: (letter1, letter2), (letter3, letter4), (letter5, letter6), …

### An example

The message TO BE OR NOT TO BE is written in digraphs as follows (the last X is used for padding):

TO BE OR NO TT OB EX

With the two double box matrices introduced above, the following ciphertext is derived:

FB OQ WW YS FW NW DH

To my regret, I don’t know any original double-box messages from the Second World War, nor any original encryption notes. The closest thing I have is a diagram WW2 veteran Jürgen Reinhold created for me when I interviewed him in 2010:

My book Codeknacker gegen Codemacher contains a chapter about the double box and how it was broken by British cryptanalysts in Bletchley Park.

The only software implementation of the double box I am aware of is available in JCRYPTOOL.

### A Challenge

To my knowledge, not much has been published about breaking the double box with modern means. To stimulate research in this area, I have created the following challenge cryptogram:

PW SX SV RM KP IB KL UZ SQ HO KL PV UZ GR ZV PA IV BZ QV SZ HH KI ZT QT MC MT YI HF NV UM IO DZ AA GI UO VV XH RM OT CD ZU LV SF TO QG UV BT CI HF QY

This 100-letter ciphertext is encrypted in the double box-cipher. The plaintext is English. The two key matrices were generated with a random generator, not with a keyword.

I assume that it is possible to break this ciphertext with hill climbing or simulated annealing. One interesting question is whether this is more difficult than deciphering a Playfair cryptogram. My guess is that this is the case.

Can a reader solve this challenge?

Further reading: Can you solve this Playfair cryptogram and set a new world record?

## Kommentare (18)

1. #1 Seth
2. August 2020

The drawing suggests IE would encrypt to EI and not LG, is that correct?

2. #2 Magnus
Borensberg
2. August 2020

The description says “As an example, VX is encrypted to LI:”, but I think it should result in IL.

3. #3 Max Baertl
2. August 2020
4. #4 Klaus Schmeh
2. August 2020

@Magnus: You’re right, I corrected it.

5. #5 Klaus Schmeh
2. August 2020

@Seth and all:
There are different descriptions of the double box. I used the one provided on the German Wikipedia page. This one differs from the one Jürgen Reinhold showed me. Here’s another one on Kryptografie.de (it includes a second encryption step):
https://kryptografie.de/kryptografie/chiffre/doppelkastenschluessel.htm
I will try to find out which one was actually used in WW2. The challenge is, of course, based on the definition provided in this article.

6. #6 Magnus
Borensberg
4. August 2020

Does anyone know what the effective key space is for this cipher?

7. #7 George Lasry
5. August 2020

25! x 25! / 25

The division by 25 is because you can rotate both squares horizontally (5 options) and/or vertically (5 options) but the rotated keys (5 x 5 = 25 rotating options) will be cryptographically equivalent.

8. #8 Norbert
Berlin
5. August 2020

I would rather say that you can independently rotate key 1 and key 2 horizontally (i. e., preserving the columns), but vertically (preserving the rows) they can be permuted as long as you do so with both keys at the same time. This gives 5 x 5 x 5! equivalent states. So my guess for the keyspace is

25! x 25! / 25 / 5!

9. #9 Frode Weierud
Oslo, Norway
5. August 2020

With this new interest in the Doppelkastenschlüssel, DoKa, I thought some of you might be interested in seeing and perhaps trying to decipher some of the original German Police (Ordnungspolizei) traffic from the Second World War. I have therefore prepared a file with some such messages and with explanatory notes. The PDF file can be downloaded here: https://drive.google.com/file/d/1VMlZgTP41d6XlLCGZz7bf7ylC_V-71Cc/view?usp=sharing

10. #10 Magnus Ekhall
Borensberg
5. August 2020

@George and Norbert: Thanks for the keyspace discussion.
@Frode: That is very interesting!

Is there a good source of a German military telegram corpus which can be used to build n-gram statistics from? One could perhaps “telegramify” regular German texts from Gutenberg but then it would help to understand what the writing convention was on these networks.

11. #11 Richard Bean
Brisbane
6. August 2020

Jim Gillogly wrote a challenge once where nobody solved the 162 letter “double Playfair” part. (So that was doubly enciphered, and going right, whereas Klaus’s is singly enciphered, and going left – and they did both single/double – see 41751899079107 document).

After the contest he wrote

“The Double Playfair turned out to be too hard for this kind of a contest. My excuse is that I had thought when first creating the contest that Double Playfair was the same as two-square with a little extra wrinkle, and that much information have been enough to solve it. However, just before the contest went up I visited the National Archives in D.C. and discovered some recently declassified docs from Bletchley Park (in the NSA Open Door collection) that had some material on Double Playfair, including a paper with a bunch of German intercepts. I did a quick revision, added a big clue (i.e. one of the keywords), and hoped that would be enough to make it accessible. However, the British typically needed quite a lot more material to begin reconstructing the squares… mea culpa.”

I don’t think I’ve seen that paper … I’ve seen Currer-Briggs (1987), Schick (1987), F. L. Bauer, David (1994/95/96), Wobst (2007), the Bletchley park cryptographic dictionary (1944), and Salomon (2003, where I think the description I think is just wrong). And the different descriptions really have all the kinds of variations, single/double enciphering, going left/right, widths 13/17/21 etc.

I have read a redacted copy of “SRH-124” via Proquest. The redactions made it useless for historical purposes. There is an unredacted copy of “SRH-124” at NARA but in January when I asked them for a copy they said it would be about \$420 to copy it.

Anyway, comment too long already! Have fun!

12. #12 Norbert
Berlin
7. August 2020

@Magnus: For example, you could use the plaintexts from the enigma-break-projects’ websites out there, but I doubt it’s that simple. The army, air force, navy and police each may have used their own conventions and abbreviations.
That said, it might be a good start to modify some Gutenberg text using the hint from Jürgen Reinhold (“j = ii”) and those mentioned in the NSA-paper:
– “They placed an X before and after all numbers, proper names, place names, sentences, within abbreviations, and at the end of plain texts having an odd number of letters”
– “zwei (two) was changed to zwo”
– “ch (…) was changed to q”

If I get it right, numbers were written like this: 1942 = “xeinsxneunxvierxzwox”

13. #13 Norbert
Berlin
7. August 2020

I have written a program that easily breaks ciphertext down to 150 characters with quadgram scoring (only 1-pass encrypted text). With 6-gram scoring it is also able to decipher 100 characters. But not with Klaus’ challenge. So I give up at this point. Has anyone had similar experiences?

14. #14 Narga
7. August 2020

@Norbert: Same here, I wrote a simulated annealing solver for this that breaks messages with less than 100 characters quite well…

15. #15 George Lasry
7. August 2020

Same experience

16. #16 Magnus Ekhall
Borensberg
7. August 2020

I have not been able to anneal a solution either.

17. #17 Richard Bean
Brisbane
8. August 2020

I also couldn’t do it. Without the seriation step and only one enciphering step, it seems like a variation of two-square.

18. #18 Klaus Schmeh
9. August 2020

@Narga, Richard, George, Magnus:
Thanks for trying to solve this challenge. After so many solvers had failed, I was worried that there was a mistake in the encryption process. Meanwhile I have consulted with Norbert and he has confirmed that everything is correct.
Apparently, breaking a 100-letter message encrypted with the double-box variant introduced here is a major challenge.