StartseiteCipherbrain

Die Friedman-Ring-Challenge von George Lasry

Von / 29. Januar 2022 / 63 Kommentare
Mehr
Quelle/Source: Schmeh, Lasry

Vor drei Monaten hat George Lasry die Challenge von Christoph Tenzer gelöst und ist damit der aktuelle Träger des Friedman-Rings. Heute stelle ich Georges neue Challenge vor. Wer sie löst, wird sein Nachfolger.

English version (translated with DeepL)

Wer das aktuelle Krypto-Rätsel als erstes löst, erstellt das nächste. Nach diesem einfachen Prinzip funktioniert der Friedman-Ring. Dabei handelt es sich um ein Spiel, das nach den Kryptologen William und Elizebeth Friedman benannt ist. Vorbild ist der Iffland-Ring, der bereits seit Jahrhunderten an Schauspieler vergeben wird.

Vor drei Monaten endete die vierte Runde des Friedman-Ring-Spiels. Das bisher letzte Rätsel kam von Christoph Tenzer. George Lasry hat es als erster gelöst und wurde damit der neue Träger des Friedman-Rings.

Quelle/Source: Lasry

Damit ergibt sich folgende Liste von Trägern:

  1. Frank Schwellinger
  2. Anna Salpingidis und Christoph Tenzer
  3. Armin Krauß
  4. Christoph Tenzer
  5. George Lasry

Es gibt eine Webseite zum bisherigen Verlauf. Der jeweilige Empfänger des Friedman-Rings verpflichtet sich, ein Krypto-Rätsel zu entwickeln und mir zur Verfügung zu stellen. Wer dieses Rätsel als erstes löst, ist der neue Träger.

 

Die Wheatstone-Scheibe

Heute gibt es die neue Challenge. Dazu möchte ich zunächst kurz erklären, was eine Wheatstone-Scheibe ist. Es handelt sich dabei um ein Verschlüsselungswerkzeug aus dem 19. Jahrhundert:

Quelle/Source: Schmeh

Eine Weatstone-Scheibe besteht aus zwei konzentrischen Buchstaben-Scheiben. Eine Schablone zeigt oben den Klartext- und unten den Geheimtext-Buchstaben an. Nach dem Verschlüsseln eines Buchstabens wird zum nächsten weitergedreht. Die Anzahl der Buchstaben auf der inneren und der äußeren Scheibe sind unterschiedlich, wodurch sich jeweils eine Verschiebung ergibt.

Schauen wir uns ein Beispiel an, das George mir geschickt hat. Gegeben sei eine Wheatstone-Scheibe mit folgender Aufschrift (die Anzahl der Buchstaben beträgt außen 27, innen 26):

  • Plaintext Disk Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ_ – start position: F
  • Ciphertext Disk Alphabet: SYPQVTRMXJCNFKZDUIOHEBWALG – start position: C

Wie man sieht, sind die Buchstaben auf der Klartext-Scheibe alphabetisch geordnet, diejenigen auf der Geheimtext-dagegen Scheibe nicht. Der Klartext sei nun folgender: TO_BE_OR_NOT_TO_BE. Georges Software gibt nun folgendes aus (die Positionen der Scheibe beginnen mit 0):

                              | Plaintext Disk: F ( 5) | 
Cipher Disk: C (10)
Encrypt: T | Moving: 14 Steps | Plaintext Disk: T (19) | 
Cipher Disk: L (24) | T => L
Encrypt: O | Moving: 22 Steps | Plaintext Disk: O (14) | 
Cipher Disk: E (20) | O => E
Encrypt: _ | Moving: 12 Steps | Plaintext Disk: _ (26) | 
Cipher Disk: R ( 6) | _ => R
Encrypt: B | Moving:  2 Steps | Plaintext Disk: B ( 1) | 
Cipher Disk: X ( 8) | B => X
Encrypt: E | Moving:  3 Steps | Plaintext Disk: E ( 4) | 
Cipher Disk: N (11) | E => N
Encrypt: _ | Moving: 22 Steps | Plaintext Disk: _ (26) | 
Cipher Disk: M ( 7) | _ => M
Encrypt: O | Moving: 15 Steps | Plaintext Disk: O (14) | 
Cipher Disk: W (22) | O => W
Encrypt: R | Moving:  3 Steps | Plaintext Disk: R (17) | 
Cipher Disk: G (25) | R => G
Encrypt: _ | Moving:  9 Steps | Plaintext Disk: _ (26) | 
Cipher Disk: X ( 8) | _ => X
Encrypt: N | Moving: 14 Steps | Plaintext Disk: N (13) | 
Cipher Disk: W (22) | N => W
Encrypt: O | Moving:  1 Steps | Plaintext Disk: O (14) | 
Cipher Disk: A (23) | O => A
Encrypt: T | Moving:  5 Steps | Plaintext Disk: T (19) | 
Cipher Disk: P ( 2) | T => P
Encrypt: _ | Moving:  7 Steps | Plaintext Disk: _ (26) | 
Cipher Disk: J ( 9) | _ => J
Encrypt: T | Moving: 20 Steps | Plaintext Disk: T (19) | 
Cipher Disk: Q ( 3) | T => Q
Encrypt: O | Moving: 22 Steps | Plaintext Disk: O (14) | 
Cipher Disk: G (25) | O => G
Encrypt: _ | Moving: 12 Steps | Plaintext Disk: _ (26) | 
Cipher Disk: N (11) | _ => N
Encrypt: B | Moving:  2 Steps | Plaintext Disk: B ( 1) | 
Cipher Disk: K (13) | B => K
Encrypt: E | Moving:  3 Steps | Plaintext Disk: E ( 4) | 
Cipher Disk: U (16) | E => U

Die verschlüsselte Nachricht lautet also: LERXNMWGXWAPJQGNKU

Schauen wir uns ein weiteres Beispiel an. Dieses Mal habe die Scheibe folgende Aufschrift (die Anzahl der Buchstaben beträgt erneut außen 27, innen 26):

  • Plaintext Disk Alphabet: TOJPFGXYZENRUCQKBWMHVID_ALS – start position: G
  • Ciphertext Disk Alphabet: SYPQVTRMXJCNFKZDUIOHEBWALG – start position: C

Die Buchstaben sind also auf beiden Scheiben nicht alphabetisch sortiert. Die Software gibt folgendes aus:

                              | Plaintext Disk: G ( 5) | 
Cipher Disk: C (10)
Encrypt: T | Moving: 22 Steps | Plaintext Disk: T ( 0) |
Cipher Disk: R ( 6) | T => R
Encrypt: O | Moving:  1 Steps | Plaintext Disk: O ( 1) | 
Cipher Disk: M ( 7) | O => M
Encrypt: _ | Moving: 22 Steps | Plaintext Disk: _ (23) | 
Cipher Disk: Q ( 3) | _ => Q
Encrypt: B | Moving: 20 Steps | Plaintext Disk: B (16) | 
Cipher Disk: A (23) | B => A
Encrypt: E | Moving: 20 Steps | Plaintext Disk: E ( 9) | 
Cipher Disk: I (17) | E => I
Encrypt: _ | Moving: 14 Steps | Plaintext Disk: _ (23) | 
Cipher Disk: T ( 5) | _ => T
Encrypt: O | Moving:  5 Steps | Plaintext Disk: O ( 1) | 
Cipher Disk: C (10) | O => C
Encrypt: R | Moving: 10 Steps | Plaintext Disk: R (11) | 
Cipher Disk: E (20) | R => E
Encrypt: _ | Moving: 12 Steps | Plaintext Disk: _ (23) | 
Cipher Disk: R ( 6) | _ => R
Encrypt: N | Moving: 14 Steps | Plaintext Disk: N (10) | 
Cipher Disk: E (20) | N => E
Encrypt: O | Moving: 18 Steps | Plaintext Disk: O ( 1) | 
Cipher Disk: F (12) | O => F
Encrypt: T | Moving: 26 Steps | Plaintext Disk: T ( 0) | 
Cipher Disk: F (12) | T => F
Encrypt: _ | Moving: 23 Steps | Plaintext Disk: _ (23) | 
Cipher Disk: J ( 9) | _ => J
Encrypt: T | Moving:  4 Steps | Plaintext Disk: T ( 0) | 
Cipher Disk: K (13) | T => K
Encrypt: O | Moving:  1 Steps | Plaintext Disk: O ( 1) | 
Cipher Disk: Z (14) | O => Z
Encrypt: _ | Moving: 22 Steps | Plaintext Disk: _ (23) | 
Cipher Disk: C (10) | _ => C
Encrypt: B | Moving: 20 Steps | Plaintext Disk: B (16) | 
Cipher Disk: V ( 4) | B => V
Encrypt: E | Moving: 20 Steps | Plaintext Disk: E ( 9) | 
Cipher Disk: L (24) | E => L

Dieses Mal lautet der verschlüsselte Text: RMQAITCEREFFJKZCVL.

Für alle, die mehr wissen wollen, hat mir George folgende Links geschickt:

 

George Lasrys Kryptogramm

Georges Friedman-Ring-Challenge wurde mit einer Wheatstone-Scheibe verschlüsselt, bei der beide Buchstaben-Ringe nicht alphabetisch geordnet sind. Die Anzahl der Buchstaben beträgt außen 27, innen 26. Hier ist der verschlüsselte Text:

SHCOE NSQQV TZZOI ZNJCZ EMKQR
ETRGW VNKJG JGSIS KXSHD RXZHM
BRADI XASSY PNNQW KBAZQ RRMXI
IBEIZ FKIAC URJAX JPGZI OQURE
QUXAR WOHMJ WDLJB NPNKF QVEIR
MSIGY OMCCN FBBGL BOUIB YZECK
YFKRQ DETAA IMJRG JKKKF

Findet ein Leser die Lösung? Der Friedman-Ring wartet schon darauf, von George an den nächsten Leser übergeben zu werden.

Zugegebenermaßen wäre ich nicht auf die Idee gekommen, eine Challenge auf Basis der Wheatstone-Scheibe zu erstellen, denn eigentlich gilt dieses Verschlüsselungswerkzeug als unsicher. Wenn man allerdings die Reihenfolge der Buchstaben nicht kennt, wird es schwierig. Ich bin daher gespannt, ob ein Leser die Chiffrierung knackt. Hill Climbing, der Super-Algorithmus des Codeknackens, dürfte hier nicht ohne Weiteres funktionieren.

Wie schon öfters erwähnt, gehört es zu den Nachteilen einer solchen Challenge, dass jeder Leserhinweis, der als Kommentar veröffentlicht wird, einem anderen Codeknacker zum Gewinn verhelfen kann. Ich bitte mein Leser daher, nicht ganz so egoistisch zu sein. Wenn im Forum über Lösungswege diskutiert wird, macht das die Sache für alle spannender. Natürlich werde ich jeden Kommentar, der zur Lösung beigetragen hat, entsprechend würdigen.

Das Rennen ist eröffnet!


Further reading: Christoph’s Chaotic Caesar Challenge

Linkedin: https://www.linkedin.com/groups/13501820
Facebook: https://www.facebook.com/groups/763282653806483/

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Stichworte:
Mehr

Kommentare (63)

  1. #1 Bill Briere
    Wyoming, USA
    29. Januar 2022

    Transcript:

    SHCOE NSQQV TZZOI ZNJCZ EMKQR
    ETRGW VNKJG JGSIS KXSHD RXZHM
    BRADI XASSY PNNQW KBAZQ RRMXI
    IBEIZ FKIAC URJAX JPGZI OQURE
    QUXAR WOHMJ WDLJB NPNKF QVEIR
    MSIGY OMCCN FBBGL BOUIB YZECK
    YFKRQ DETAA IMJRG JKKKF

  2. #2 Thomas
    29. Januar 2022

    A hill climbing attack on “cipher clocks” including Wheatstone’s cipher device is implemented in ” Automated ciphertext-only attack on the
    Wheatstone Cryptograph and related devices” by Thomas Kaeding (pdf online). A length of 170 characters might be sufficient.

  3. #3 Klaus Schmeh
    29. Januar 2022

    @Bill: Thanks for the transcript. The ciphertext should be readable now in the article, too.

  4. #4 George Lasry
    29. Januar 2022

    @Thomas: This is indeed a nice paper but this is for the case only the ciphertext disk alphabet is mixed. Both alphabets are mixed in this challenge.

  5. #5 Thomas
    29. Januar 2022

    @George Lasry
    Oh, I see. Nevertheless, maybe it might serve as a first step to someone (at least the paper contains some drawings at tbe end that might help better understand the system), so here is a link: https://eprint.iacr.org/2020/1492.pdf

  6. #6 Dan Durham
    Olympia
    29. Januar 2022

    Clicking on the link to the Book by William Friedman I got a “404 – Not Found” error. Can someone provide a correct link?

  8. #8 Klaus Schmeh
    29. Januar 2022

    @Dan Durham:
    >I got a “404 – Not Found”
    Sorry for this. I corrected it.

  9. #9 Karl-Heinz
    Graz
    29. Januar 2022

    Mir ist so ein Gedanke durch den Kopf gegangen. Was wäre, wenn ich den Klartext zur Verfügung hätte. Dann müsste man um zukünftige Nachrichten zu entschlüsseln
    folgende Schlüsseln zu bestimmen.
    • Plaintext Disk Alphabet mit start position
    • Ciphertext Disk Alphabet mit start position

    Was wäre wenn der Klartext aus
    9 mal TO_BE_OR_NOT_TO_BE mit 9-1=8 Leerzeichen bestehen würde?
    9*18+8=170 Zeichen

  10. #10 Karl-Heinz
    Graz
    30. Januar 2022

    Als nächstes würde ich den inneren Ring bestimmen. Es werden sicher ein paar Zeichen fehlen. Wo das erste Element vom Ring beginnt lasse ich zunächst offen. Ebenso den Startpunkt.
    Hat schon jemand damit begonnen die Aufgabe zu lösen?
    Did already somebody try to solve the problem.

  11. #11 Thomas
    30. Januar 2022

    I don’t know what it’s worth, but the ciphertext shows isomorphic repetitions (subsequences that contain letter repetitions at the same place) that could be due to identical character sequences in the plaintext at various places: When such sunsequences contain double letters, they are simply visible, here four times the pattern “112344”: QQVTZZ, SSYPNN, RRMXII and CCNFBB. Probably there are more isomorphic repetitions containing no double letters, so that they can only be found either with pencil and paper or an algorithm looking for letter repeats that form certain patterns.

  12. #12 Thomas
    30. Januar 2022

    The pattern repetition hypothesis holds true if George’s Wheatstone variant can be regarded as an autokey cipher. A citation: ” The repetition of a sequence of letters in the plaintext will result in two corresponding isomorphic ciphertext sequences.” (see George Lasry’s recent paper on Major Josse’s cipher in Cryptologia 2022, p. 6).

  13. #13 Karl-Heinz
    Graz
    30. Januar 2022

    Meine Vermutung in #9 ist leider falsch.

  14. #14 Thomas
    30. Januar 2022

    Three patterns can be expanded to subsequences of (at least 17):

    ENSQQVTZZOIZNJCZE

    AZQRRMXIIBEIZFKIA

    YOMCCNFBBGLBOUIBY

    The repetition pairs are at positions:

    1, 17: E,A,Y

    2, 13: N,Z,O

    3,4: Q,R,C

    7,8,12,16 : Z, I, B

    These repetitions cannot be random patterns. A kind of sliding window algorithm might find more or still expanded patterns.

  15. #15 Narga
    30. Januar 2022

    Wow, that’s off to a great start, Thomas! Very likely 3x the same sequence of letters. One thing that I noticed is that double letters in the ciphertext like ZZ correspond to adjacent letters in the plaintext alphabet. So if ciphertext ZZ would be ER in the plaintext, the plaintext alphabet will also have RE somewhere together.

  16. #16 Thomas
    30. Januar 2022

    A guess: Repeated letters in the isomorph sequences should stand for adjacent letters in the plaintext alphabet in reversed order. An example: If the isomorphs would stand for the plaintext sequence WHEATSTONE_CIPHER, the plaintext alphabet would contain the sequences RW (17, 1) and IH (13,2) and TA (5,4 ( in # 14 it must say 4,5 instead of 3,4 for Q,R,C)) and ECNO (16,12,9,8 ( in #14 8,9,12,16 instead of 7,8,12,16 for Z,I,B)).

  17. #17 Norbert
    30. Januar 2022

    @Thomas: Great finding! Also gives away quite a bit about the order of the letters in the cipher ring, if I’m not mistaken: The distance between E and N must be the same (modulo 26) as that between A and Z and between Y and O, right? Likewise [N-S] = [Z-Q] = [O-M] and so on. You can even find some regular sequences: [N-Z] = [Z-I] = [I-E] = [E-A].

  18. #18 Norbert
    31. Januar 2022

    With any luck, we can use this information to reduce the number of possible cipher alphabets to less than 1000. The thing is that once the cipher alphabet is known, you can reduce the whole story to a MASC, if I get it right.

  19. #19 Narga
    31. Januar 2022

    @Norbert: I found the following cipher alphabet that (I hope) suffices the pairwise horizontal constraints from the 3 sequences in post #14:
    EIZNRUPYLBODWQSXTGHKCMVFJA
    Could be very close to the correct one. But there’s always the rotational degeneracy.

  20. #20 Norbert
    31. Januar 2022

    @Narga: I also did some coding, but sadly found more options:

    AEIZN?U?YLBO?RQSXTG?KCMVFJ
    AEIZNXT?G??UKCMVYLBO?FJRQS
    AEIZN??XT?GKCMVU?YLBORQSFJ
    AEIZN?U???GKCMVFJYLBORQSXT
    AEIZN?UKCMVFJRQSXTG??YLBO?
    AEIZN?KCMVURQSFJ??XTG?YLBO
    A?BE?OIU?ZKFNCJXMRTVQ?YSGL
    ALGEB?IOKZ?CNRM?QVUSF?XJYT
    A?LEGBIKOZCRNMQ?VSUFX?JT?Y
    A?LEGBIKOZCRNMQ?VS?UFX?JTY
    AMGEV?IF?ZJYNRL?QBUSOKX?CT
    AVXEUTIRGZQ?NSY?FLKJBC?OM?
    AYXFUELTJKIBGRCZO?QMN??SV?
    AFYUTEJLK?IRBCGZQOM?NS?V?X
    A??RKEY?QCILXSMZBTFVNOGJU?
    AR?K?EQYCXISLMTZFBV?NJOUG?
    ARJKUEQYC?ISLM?ZXBV?NTOFG?
    ACXOUEMT??IVGRYZF?QLNJKSB?
    AUNBTSCE??O?FMIY?RGJVZLXQK
    AFNB?SCEJ?O?XMIYURGTVZL?QK
    ASN?CBJEX??MORITUYV?QZGKLF
    AJNTMLQE??GVBSI?K?UOFZXCYR
    ASN?YV?EX?KLFRITUCBJQZG?MO
    AVNOGRKEYX??QCILTF?SMZB?JU
    AZT?KVBFQEN??CYOJSIXGUML?R
    AZKVQJX?BENCUS?TYOI?MRF?GL
    AZUL?SGCFEN?BRX?MJI?YOQTKV
    AZU?CFLRXEN?GMJBQTI??KVYOS
    AZ??CULRFENXGM?BQJI?TKVYOS
    AZUMJSGYOENKVRX?L?I?CFQT?B
    ABC?FYGZQUTEOM?JLKNS??IRVX
    ABC?XYGZQF?EOMUTLKNSJ?IRV?
    ATQ?B?UZYJMEGSKOXRNL?VI?FC
    A???FTBZMSYEKRUJGONVXLICQ?
    AOKXQL?ZJVGE?CTSBUNRY?IFM?
    A?J?OTVZLSCE?RU?GFNBXMIYQK
    AKQYIMXBNFG?UR?ECSLZVTO?J?
    A?MFI?YRNUBSTC?EGVJZ?LQXKO
    A?QCILXVNOGJURKEYSMZBTF???
    ACF?IV?LNRXOKSGEMJYZU?B?QT
    A?VRI?JSNKLTUMOE?FQZGYX?CB
    AXVRI??SNKLJ?MOETUQZGYF?CB
    AB?TQFC?I?L?XRVKNEOYGSJMUZ
    ASOYVKT?IJQB?MGXNEFRLUC??Z
    ASOYVK??ITQBJMG?NEXRLFC?UZ
    AVKTQOY?IJM?XRB?NEFCGS?LUZ
    ALG?FRM?IOYT?SUCNEB?XJQVKZ
    AR?LMUGXISJOYC??NEQFBVK?TZ
    AUJ?BZMS?FTLICQ??XYEKRGONV
    AOM?GZQJBCUTIRFLK?XE?VY?NS
    ARYCXZFOU?K?ISBVG??EQLMTNJ
    AFLKGZQ?VYUTIROM??XEJBC?NS
    AKQ?LZVTGRUYIMX?O?JECS?BNF
    AKQXLZVJGR?YIMF?O??ECSTBNU
    A?BSKJNLQ?FZYRGVI??TMEUOXC
    A?GFOTN?VBXZ?MLSI?CYQEUKJR
    A?GUOJN?VBFZTMLSIXCYQE?K?R
    A?UJGONVFTBZMSXLICQ?YEKR??
    AX?V?SN?MOQZGCBRI?KLJETUYF
    A?VS??NMQ?OZCRGBIKJTLEUFXY
    A?MO?CBJKLF?YSN?QZGRITUEXV
    ATC?XKOSUBQ?LRNYJZ?FI?VEGM
    AYTJ?XFU?SV?QMNRCZOKIBGEL?
    AY?TJ?XFUSV?QMNRCZOKIBGEL?
    ATYJX?FSUVQ?MRNC?ZKOI?BEGL
    ALGSY?QVTRMXJCNFKZ?UIO?EB?
    AOBLY?GTX??JFSQRUVMCK?NZIE
    A?OBLY??GTXSQRJFVMCKU?NZIE
    ATXSQROBLYJFVMCKG???U?NZIE
    AJFSQROBLY?UVMCKG?TX??NZIE
    ASQRJF?OBLYVMCKU??G?TXNZIE
    AJFVMCK?GTXSQR?OBLY?U?NZIE

    The four question marks in each row must be replaced by the (unused) letters D, H, P, W, for which there are 4! = 24 possibilities. In addition, each alphabet can be rotated, which makes another 26 times the number. If the assumptions of Thomas and me are correct and I didn’t have a bug in my program, this covers all possibilities and we have 72 x 24 x 26 = 44928 possible cipher alphabets.

    Not really under 1000 as hoped, but for a computer of course a cinch. All you have to do is write a program that uses a predetermined cipher alphabet to convert the task into a MASC and solve it, and present the best of the 44928 solutions. Perfect job for you, Narga 🙂

  21. #21 Narga
    31. Januar 2022

    @Norbert: ok, now I’m more interested in how you got a complete list, rather than finding the solution. 🙂 I agree that it sounds solvable this way. But I have to call it a night and unfortunately won’t have much time in the next days.

  22. #22 Norbert
    31. Januar 2022

    @Narga: I might find some time today after work, we’ll see. Of course, everyone else is free to give it a try themselves 🙂

    Come to think on it: rotating the alphabets will not affect the derived MASC, so it’s only 72 x 24 = 1728 alphabets to process. Maybe one can shortlist the MASCs based on the IC.

  23. #23 Thomas
    31. Januar 2022

    The three isomorphs are still longer than I previously thought, now I get a length of 26:

    COENSQQVTZZOIZNJCZEMKQRETR

    KBAZQRRMXIIBEIZFKIACURJAXJ

    IGYOMCCNFBBGLBOUIBYZECKYFK

    The boundaries are C – K – I resp. R – J – K.

    Since a repeated plaintext passage should start and end with word breaks, these boundaries might represent the word break _, so that I guess the first two characters of the ciphertext SH stand for a two letter word (e.g. AS, AT, IN or IT…).

  24. #24 Thomas
    31. Januar 2022

    The cipher appears to be similar to the autokey cipher described by George in his instructive article on Major Josses’s cipher, par. 3.3 “Solution with isomorphs”. The full text is available here: https://www.tandfonline.com/doi/full/10.1080/01611194.2021.1996484 (p. 10-13 in the pdf). Yet I don’t know whether a concatenation of letter pairs shown on p. 10, 11 would work also here.

    Since one plaintext part gets enciphered to multiple (here three) different cipher sequences, this cipher can be regarded as a kind of homophonic cipher (See p. 7 in George’s article). But for a homophonic cipher solver the ciphertext may be too short due to the huge amount of possible homophonic representations.

  25. #25 Thomas
    31. Januar 2022

    @Narga

    I’ve checked the proposed cipher alphabet in your post#19 using the longer isomorphs I posted in #23. Adjacent letters in the three isomorphs should have the same distance in the cipher alphabet. That’s not everywhere the case. I’m sure you know how to fix that:

    10 C O
    10 K B
    10 I G
    —————————–
    10 O E
    10 B A
    10 G Y
    —————————–
    3 E N
    3 A Z
    3 Y O
    —————————–
    11 N S
    11 Z Q
    11 O M
    —————————–
    1 S Q
    9 Q R
    1 M C
    —————————–
    0 Q Q
    0 R R
    0 C C
    —————————–
    9 Q V
    9 R M
    9 C N
    —————————–
    6 V T
    6 M X
    6 N F
    —————————–
    12 T Z
    12 X I
    12 F B
    —————————–
    0 Z Z
    0 I I
    0 B B
    —————————–
    8 Z O
    8 I B
    8 B G
    —————————–
    9 O I
    9 B E
    9 G L
    —————————–
    1 I Z
    1 E I
    1 L B
    —————————–
    1 Z N
    1 I Z
    1 B O
    —————————–
    5 N J
    5 Z F
    5 O U
    —————————–
    4 J C
    4 F K
    4 U I
    —————————–
    8 C Z
    8 K I
    8 I B
    —————————–
    2 Z E
    2 I A
    2 B Y
    —————————–
    5 E M
    5 A C
    5 Y Z
    —————————–
    2 M K
    11 C U
    2 Z E
    —————————–
    6 K Q
    1 U R
    6 E C
    —————————–
    9 Q R
    6 R J
    1 C K
    —————————–
    4 R E
    1 J A
    12 K Y
    —————————–
    10 E T
    10 A X
    10 Y F
    —————————–
    12 T R
    9 X J
    4 F K

  26. #26 Narga
    31. Januar 2022

    @Thomas: how about those?
    ELTJKIBGRCZODQMNWHSVPAYXFU
    NDCBJEXHWMORITUYVPQZGKLFAS

    Upon deciphering, I was expecting to get identical letters for the three isomorphs. But that doesn’t seem to work. Even checking all variations regarding the locations of unconstrained PDHW and all rotations. So I guess there must be a different, correct version of the cipher alphabet that also meets all constraints. Or I’m misunderstanding the significance of the isomorphs.

  27. #27 Norbert
    31. Januar 2022

    @Thomas: Your prolonged isomorphs narrow down my above list to 24 rows:

    a?be?oiu?zkfncjxmrtvq?ysgl
    a?j?otvzlsce?ru?gfnbxmiyqk
    a?mfi?yrnubstc?egvjz?lqxko
    a?obly??gtxsqrjfvmcku?nzie
    a?vs??nmq?ozcrgbikjtleufxy
    ab?tqfc?i?l?xrvkneoygsjmuz
    aeizn?ukcmvfjrqsxtg??ylbo?
    aeiznxt?g??ukcmvylbo?fjrqs
    aflkgzq?vyutirom??xejbc?ns
    afyutejlk?irbcgzqom?ns?v?x
    akqyimxbnfg?ur?ecslzvto?j?
    algsy?qvtrmxjcnfkz?uio?eb?
    amgev?if?zjynrl?qbusokx?ct
    aokxql?zjvge?ctsbunry?ifm?
    ar?lmugxisjoyc??neqfbvk?tz
    asn?cbjex??morituyv?qzgklf
    asqrjf?oblyvmcku??g?txnzie
    atc?xkosubq?lrnyjz?fi?vegm
    auj?bzms?ftlicq??xyekrgonv
    avnogrkeyx??qciltf?smzb?ju
    ax?v?sn?moqzgcbri?kljetuyf
    ayxfueltjkibgrczo?qmn??sv?
    azt?kvbfqen??cyojsixguml?r
    azumjsgyoenkvrx?l?i?cfqt?b

    Narga’s two suggestions are included 🙂
    But I must agree with Narga: For all possible alphabets (24 x 24 = 576 now), converting to a MASC results in the isomorphs not corresponding to the same letters three times.

    It could be therefore that in the isomorphs also different plaintext letters are hidden. Let’s take the German words STALAGMITEN and STALAGTITEN as an example: they could well produce the same pattern, namely if the movement G->M->I and G->T->I on the plaintext ring produce the same number of full rotations. So the plaintext at the corresponding positions could look something like this:

    … _THE_LETTER_A_IS_ …
    … _THE_LETTER_B_IS_ …
    … _THE_LETTER_C_IS_ …

  28. #28 Matthew Brown
    1. Februar 2022

    I’ve been looking into Friedman’s method of finding the point the alphabet has shifted completely back to its original position. This occurs after 26 shifts, however the alphabet only shifts if the next plaintext letter is before the current letter in the mixed plain alphabet. On average this occurs half the time so it will take somewhere around 52 letters to complete a cycle.

    By looking ahead in the ciphertext this many letters (+-10 say) you can try to find the point with the most repeated nearby letters when compared with the text of the previous cycle.

    I don’t have access to my computer at the moment to try all possible positions but found an interesting possible grouping;
    SHCOEN…(42 letter cycle)
    SHDRXZ…(50 letter cycle)
    GZIOQU…(46 letter cycle)
    GLBOUI…

  29. #29 Thomas
    1. Februar 2022

    @Narga
    #26: Both passed my test.

  30. #30 Norbert
    1. Februar 2022

    Let me give it a shot:

    thewh eatst onecr yptog raphd
    evice wasin vente dbysi rchar
    leswh eatst oneth ewhea tston
    ecryp togra phdev iceat tract
    edcon sider ablei ntere stbut
    thewh eatst onecr yptog raphd
    evice isnot verys ecure

  31. #31 Norbert
    1. Februar 2022

    Still can’t figure out the correct cipher alphabet though. @George: Is the shown ciphertext (which actually might be Bill’s transcript) accurate?

  32. #32 Narga
    1. Februar 2022

    Amazing job Norbert! Congratulations! How did you do it? So many repetitions!

    Regarding transcripts: on a Mac or iPhone you can now mark and copy text also in images (in the browser or in the photos app), but it works only if the quality is ok and then there are sometimes still some errors. BUT: There is the free “google” app (also for iOS) that has “google lens” included (click the camera icon on the right side of the search bar next to the microphone). It allows to copy even handwritten text from stored images or the live camera feed. Works very well. Also you can translate (but unfortunately not yet decrypt) the text, with a high quality translation much better than google translate (?!) which is great in foreign countries when you can’t read signs.

  33. #33 Norbert
    1. Februar 2022

    Must go to work now. I will report in detail this evening. But don’t count your chickens before they hatch: it is a shot, based on the following cipher alphabet
    algsymqvtrpxjcnfkzduiohebw
    This yielded a large part of the plaintext. The rest is guessed. So the cipher alphabet should be close to the right one. Or it actually is the right one, and the given ciphertext is somewhat close … Or I made somewhere a slight mistake, who knows.

  34. #34 Matthew Brown
    1. Februar 2022

    @Norbert I might have misunderstood something, but shouldn’t the plaintext have spaces in it?

  35. #35 George Lasry
    1. Februar 2022

    I am definitely impressed! That was a quick solution.

    The plaintext given by Norbert is fully correct and so are the isomorphs found by Thomas, that provided the required breakthrough as the basis for Norbert’s solution.

    Note that the isomorphs may be extended (2 letters more on the right, and 2 more on the left), which would have reduced even more the number of possible keys.

    While I am a big fan of hillclimbing and other computerized methods, I wanted to create a challenge in which pen-and-paper experts like Thomas could also take part, and solve. Using the method given by Callimahos (and explained in my paper on the French autokey cipher), with long enough isomorphs, and especially in case of a triple repetition, it is possible to recover the ciphertext key with only pen-and-paper means, leaving a simple substitution to solve.

    The ciphertext alphabet proposed by Norbert is 24/26 correct. I am not yet writing here the full solution, to give the opportunity to complete the challenge solution, by providing
    (a) the exact ciphertext alphabet
    (b) the plaintext alphabet.

    Fun fact: I made two mistakes when creating this challenge. The first mistake is that I did not add spaces between words, as Matthew rightly mentioned. The second mistake is quite funny and will be obvious once the full keys are available 🙂

    Anyway, my warmest congratulations!

  36. #36 Nils Kopal
    Krefeld
    1. Februar 2022

    Wow,
    That was fast. I was just having a first peek on the nice challenge George made and Norbert already solved it 🙂
    Great work! Congrats Norbert! And also to the others helping!

  37. #37 Nils Kopal
    Krefeld
    1. Februar 2022

    One question: Does anyone have an isomorph marking algorithm?
    Would be something that could be a nice addition (component) added to CrypTool 2 I think 🙂

  38. #38 Matthew Brown
    1. Februar 2022

    Congratulations Thomas and Norbert!

    I think the M/P need to be swapped in the cipher alphabet. Decrypting gives the following plain alphabet letters;

    ALSTO?P?G?Y?ENRUC??BW?HVID?

  39. #39 Norbert
    1. Februar 2022

    @George: Oh, I see – that’s why I couldn’t figure out the ciphertext alphabet!
    You have made a complete turn of the plaintext ring when it came to a double letter – instead of replacing the second letter by e.g. Q.

    Here is a possible plaintext alphabet:
    TOFPJGKYMENRUCQXBWZHVID_ALS

    F, J, K, M, Q, X, Z and the word separator _ do not appear in the plaintext and are therefore interchangeable.

    The correct ciphertext alphabet:
    ALGSYPQVTRMXJCNFKZDUIOHEBW

    Start position of plaintext alphabet: for example S, then the start position of the ciphertext alphabet is G.

    George’s mistake shows up twice:

    ...attracted...butthe...
    ...ZIOQUREQU...EIRMSI...

    At the double-T places, he counted +27 in the plaintext alphabet for the second T, which gives +1 in the ciphertext alphabet.
    The correct way would have been to modify the plaintext as follows:
    ...atqracted...butqhe...
    or even more correctly applying word separators:
    ...atqracted...but_the...

    These look like small punctual mistakes, but in fact made the conversion to a MASC fail after the first occurence.

  40. #40 George Lasry
    1. Februar 2022

    Norbert, well done, despite my particular interpretation of the cipher.

    The ciphertext alphabet is correct, and the plaintext is also correct while not precisely the one I used since the non-utilized plaintext letters can be swapped without affecting encryption/decryption.

    Again, great work!

    PS: There is another funny thing I did and I am surprised no one caught it yet :-). Hint: The challenge could have been solved in minutes instead of hours/days (which is still very impressive), and it is quite embarrassing…

  41. #41 Norbert
    1. Februar 2022

    OK, it seems that one could have just tried the example key 😉

  42. #42 Thomas
    1. Februar 2022

    @Norbert
    Congrats, great job! I hope you’ll tell something about how you found the solution 🙂

    @George
    Do you think the pencil and paper approach you described in your article on Major Joffe’s cipher would work here as well? The concatenation part is hard stuff!

  43. #43 Klaus Schmeh
    1. Februar 2022

    @Norbert, Thomas and all others:
    Great job, the challenge is solved!

  44. #44 George Lasry
    1. Februar 2022

    @Thomas

    Definitely, there should be very few options left if you use the longest valid isomorphs (the ones you gave, then adding two at the end, and two at the beginning). The concatenation is actually very easy, once you understand the basic principle, which by itself is not complex.

    If the isomorphs are shorter, or if I did not generate a triple repetition, you would have needed a computer to run all the valid options.

    Nevertheless, your breakthrough idea and finding are very impressive.

  45. #45 Klaus Schmeh
    1. Februar 2022

    Edwin Vening via Linked-in:
    Tuned in the right direction, this wheel produces the frequencies to the tune that we all know and love

  46. #46 Karl-Heinz
    Graz
    1. Februar 2022

    the wheatstone cryptograph device was invented by sir charles wheatstone
    the wheatstone cryptograph device attracted considerable interest but
    the wheatstone cryptograph device is not very secure

    Ich danke euch für das schöne Rätsel. Ich hätte nie gedacht, dass man den Text entschlüsseln kann.

  47. #47 Moshe Rubin
    Jerusalem, Israel
    1. Februar 2022

    @Thomas @Norbert @George I just came across this wonderful challenge a few hours ago, and you guys have solved it already. Kudos on the fine solution!

    I wanted to follow up on George’s comment about using indirect symmetry on the isomorphs. Aligning the three 28-character isomorphs (kudos to Thomas for finding them) leads to three different letter chains:

    a-b: [SQRJF] [HWGP] [VMCKU] [OB] [NZIEA] [TX]
    a-c: [HSMZB] [WQCIL] [VNOGRKEY] [TF] [JU]
    b-c: [JKIBGQMN] [WS] [AY] [PRCZO] [XFUEL]

    Selecting b-c for the horizontal, a-c for the vertical, a-b as the NE-to-SW diagonal, and performing the graphical method of indirect symmetry, you will eventually chain all 26 letters together (inserting ‘D’ as the only missing letter) to get a decimation of the true ciphertext alphabet:

    XFUELPRCZOWSVAYTJKIBGQMNDH

    For each possible decimation, and assuming a standard A-Z plaintext alphabet, run the ciphertext through a Wheatstone decrypter and take the I.C. (Index of Coincidence) of the resulting “plaintext”. The highest IC should be the best monoalphabetic decryption. Solve as a simple substitution.

    Great challenge that brought the concept of isomorphs to the fore (George, just read your Josse article online, jolly good article!), and congratulations to the solvers!

    Moshe

  48. #48 Norbert
    2. Februar 2022

    Here comes the long story for anyone interested. Hopefully not getting too long … I will split it into several comments.

    First of all, thanks to George for this nice and cleverly chosen challenge! When it came out, I transferred the principle of the Wheatstone device into a C++ program and tried to find a solution via hillclimber. Honestly, if Thomas hadn’t come up with the isomorphs, I’d still be doing that! But with Thomas’ discovery, I quickly realized that

    – George had built repeated long sequences into the ciphertext on purpose, and

    – he did so because it is the intended and probably the only possible approach to crack the cipher.

    I had written my assumption in the comments: the isomorphs can serve to strongly limit the number of possible ciphertext alphabets. Once the ciphertext alphabet is known, one knows for every letter by how many positions the plaintext alphabet is advanced and can convert the ciphertext into a monoalphabetic cipher (MASC). If there are a huge number of possible ciphertext alphabets, this work must probably be done by a computer, which then solves the resulting MASCs and sorts the results by n-gram scoring, for example.

    My lists of possible ciphertext alphabets (comment #20 and #27) were computer-generated. The used algorithm is a recursive function: It is launched with a fixed initial letter ‘a’ (since the rotation of the alphabet has no influence on the solution path, one position can be set arbitrarily). Then the function decides which letter it will take care of next and moves it to position 2, 3 and so on until the last position. Each time it checks if the conditions defined by the isomorphs are met. If no, the next position is tried. If yes, then the function copies its current state and calls itself to process the next letter on the copy. If there are too few constraining conditions, this program will run for some million years, but beyond a certain limit it goes quite fast, and so it did in this case.

  49. #49 Norbert
    2. Februar 2022

    But then a serious problem arose concerning the possible ciphertext alphabets. Let’s take the first one from my comment #24 with d, h, p, w inserted:

    adbehoiupzkfncjxmrtvqwysgl

    Using this alphabet, the following MASC is derived from the original ciphertext:

    _gpgdmxtsqoedz_cfhfaug_jfrfdkg
    dwtxgwfdmcpubieurkeqbqz_enyutr
    cgfnocur_kgfdbsrmnqtvtohunxtet
    rk_kgetfpardlwmq_yjgntqesbxayz
    hfpscahqhenyutrpfe_adgigbvhakg
    sgelovxltsyhehodzyxy

    which reads at the three isomorphic places made out by Thomas:

    pgdmxtsq...
    cur_kgfd...
    qhenyutr...

    It can be seen that the isomorph conditions are not sufficient to obtain a MASC that has equal symbols at the three positions (which is our crucial assumption!).

    At first, this seemed to be good news: The many candidates for ciphertext alphabets must not only meet condition A (isomorphs), but also condition B (derived MASC must yield identical letters at all three positions). This was going to shorten the list a lot!

    I worked condition B into my program – and now the issue came to light: of all 576 candidates for the ciphertext alphabet resulting from condition A, none could also satisfy condition B at the same time. The shortlist had shrunk to 0 candidates. Narga had apparently encountered the same problem at about the same time.

  50. #50 Norbert
    2. Februar 2022

    My thought now was that maybe the plaintext was not exactly the same in the 3 isomorphic places (see comment #27). Therefore, I tried to gradually loosen the isomorph conditions by taking out letter triples that appeared only once.

    From (see Thomas’ comment #23)

    COENSQQVTZZOIZNJCZEMKQRETR
    KBAZQRRMXIIBEIZFKIACURJAXJ
    IGYOMCCNFBBGLBOUIBYZECKYFK

    I took out S/Q/M, V/M/N, I/E/L, and K/U/E (as one of many tries) and kept J/F/U as the only single:

    COENQQTZZOZNJCZEQRETR
    KBAZRRXIIBIZFKIARJAXJ
    IGYOCCFBBGBOUIBYCKYFK

    This resulted in the impressive number of 14,999,040 possible ciphertext alphabets, of which 14,474 also fulfilled condition B.

    I had the computer sort the resulting 14,474 MASCs in descending order of IC. Thus the following alphabet came on top:

    algsymqvtrpxjcnfkzduiohebw

    with the following derived MASC:

    _siqsix_z_ajimkgc_aekscsvitumi
    qxzujtij_ivpgzukmsxfyizqsix_z_
    fji_siqsix_zu_ihljfbz_djwbruhs
    tqhwz_kxm_ivmajzuvdkxpyiujeiki
    z_pl_vsiqsis_z_ajimkgc_aekxcsv
    itumiuzja_tdkgzimlki

    and an IC of 0.061. This IC seemed too low to me, because my prepared corpus has an IC of 0.073. So I did not pay any further attention to this result and decided to investigate further in the upcoming days, where on earth I could have made my mistake. That was yesterday evening…

  51. #51 Norbert
    2. Februar 2022

    This morning, however, I noticed a detail. The MASC, which I had classified as incorrect, had an unexpected peculiarity: The repetitions of the long sequences seemed to start already from the first position in the text (“_siqsix ... _siqsix ...“), not only from position 3. Like Thomas (see the end of comment #23), I had assumed that the first two letters would not belong to the repeated sequence. Now it dawned to me that this is not necessarily the case, indeed that a repetition right from the beginning is more likely. But if my “wrong” MASC has already incorporated that, then maybe it’s not that wrong? A quick try with CryptoCrack yielded snippets of words that pointed to “Wheatstone”. This was very encouraging, and so I made a pen-and-paper attempt that got this far (and surprised me by the lack of word separators which I hadn’t anticipated at all):

    thewheatstonecryptogrhphdevice
    wasinventedbysircha?leswheatst
    ?nethewheatsite?un??st?n???i?h
    vw??stractedconsid?rableingere
    stbutdhewhehtstonecryptographd
    eviceisnotv?rysecure

    After a short internet research I went for “attracted considerable interest” in the middle part (see here: http://www.jproc.ca/crypto/wheatstone.html) and posted my solution. The rest is known 🙂

  52. #52 Moshe Rubin
    Jerusalem, Israel
    2. Februar 2022

    @Norbert Thank you for the descriptions of your cryptanalytic thought process!

  53. #53 Gerd
    2. Februar 2022

    Thank you all for this interesting challenge!
    Coming back to #37, I wonder if it would be possible to find the isomorphs by looking at differences between letters in the ciphertext?

  54. #54 Norbert
    2. Februar 2022

    @Nils #37: There are certainly ready-made efficient algorithms out there, but my spontaneous suggestion for a “sliding window” would be to represent an “isomorph” pattern by an array of integer values (in C++ rather a vector), in which the following applies:

    For each letter, the contents of the corresponding cell of the array indicate after how many positions the same letter reappears for the first time.

    If we take the first 15 letters of the challenge as an example, the array would have the value [6, 0, 0, 10, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0]

    [ S H C O  E N S Q Q V T Z Z O I ]
    [ 6 0 0 10 0 0 0 1 0 0 0 1 0 0 0 ]

    If you move the window one position forward, you now only have to do three things in the array: Delete the first position (index 0), whereby all other positions are shifted to the front, insert 0 at the end, and for the newly added letter search backwards for the first occurrence from the end and, if found, enter the distance there as a value:

    S [ H C O  E N S Q Q V T Z Z O I Z ]
    6 [ 0 0 10 0 0 0 1 0 0 0 1 3 0 0 0 ]
    ^                          ^     ^

    To keep track of the places where a specific pattern appears, map offers itself in C++:
    using pattern = std::vector<size_t>;
    std::map<pattern, std::vector<size_t>> pattern_occurences;

    Notes:
    a) The array’s last value is always zero and therefore redundant, so it could be omitted.
    b) The more values in the pattern are non-zero, the more significant it is. If all cells are zero, the pattern is worthless.
    c) Instead of std::vector in C++ std::list might be considered, because there the deletion of the first cell is theoretically more efficient. But since the patterns should not be too long, vector could still be faster – it would depend on a test.

  55. #55 Thomas
    2. Februar 2022

    @Norbert

    Danke für deine interessanten Erläuterungen dazu, wie zur Lösung gelangt bist. Das war ja ein dorniger Weg!

  56. #56 Norbert
    3. Februar 2022

    @Nils Kopal: Ich habe meinen Vorschlag von #54 in C++ implementiert und auf GitHub gestellt:
    https://github.com/NBiermann/cryptohelper-isomorphs

    Vielleicht ist es ja von Nutzen …

  57. #57 Thomas
    4. Februar 2022

    @Norbert

    Grandios!

    Veränderst du die Größe des sliding window, falls ja, von klein nach groß oder umgekehrt? Ab Programmzeile 94 steht “size”, aber weil ich C++ nicht beherrsche, habe ich das nicht verstanden.

    Werden alle sliding window-Inhalte (als Textstellen-Muster-Paare) zwischengespeichert, um sie später auf Wiederholungen zu untersuchen oder werden sofort diejenigen ohne Zeichenwiederholungen aussortiert?

  58. #58 mjw
    4. Februar 2022

    @Norbert
    Top!

  59. #59 Norbert
    4. Februar 2022

    von klein nach groß oder umgekehrt?

    Es war von klein nach groß, aber nachdem ich jetzt drüber nachgedacht habe, habe ich das geändert. Wenn man von groß nach klein geht, kann man nach jedem Durchgang mit Länge n den “clean up” durchführen statt ganz am Schluss, das spart Speicherplatz und vermutlich auch viel Zeit.

    Werden alle sliding window-Inhalte (als Textstellen-Muster-Paare) zwischengespeichert, um sie später auf Wiederholungen zu untersuchen oder werden sofort diejenigen ohne Zeichenwiederholungen aussortiert?

    Bis das sliding window fester Größe einmal durch ist, muss alles zwischengespeichert werden, was interessant sein könnte. Ich habe dafür die “Signifikanz” eingeführt. Muster ohne jede Wiederholung haben Signifikanz 0. Eine einfache Zeichenwiederholung wie AA oder auch ABA, ABCA etc. hat Signifikanz 1. Bei Wheatstone ist ja “AA” alleinstehend noch nicht sehr aussagekräftig: die Klartextbuchstaben zu “A” müssen benachbart sein, aber ob sie bei jedem Auftauchen des Musters auch dieselben sind, ist unklar.
    Daher habe ich als “default” (Vorgabewert, wenn nichts anderes angegeben wird) eine Signifikanz von mindestens 2 programmiert. Alles, was unter dem gewählten Mindestwert liegt, wird gar nicht erst zwischengespeichert.
    “size_t” ist ein Datentyp in C++ (ganzzahlig, ohne Vorzeichen, der Standardtyp für die Indizierung von Arrays, deren Größe man nicht von vorneherein begrenzen möchte).

  60. #60 Klaus Schmeh
    6. Februar 2022

    George Lasry and I have decided to award the ring to both Norbert and Thomas. I will report on this in a blog post soon.

  61. #61 Karl-Heinz
    Graz
    7. Februar 2022

    Congratulations to Norbert and Thomas. Really great job.

  62. #62 Narga
    8. Februar 2022

    I’m seeing similarity to the Wheatstone Cipher characteristics to some extent in this passage, what do you think?
    ...EASTNORTHEAST...
    ...FLRVQQPRNGKSS...

    There are obvious problems, yes, but still… 🙂

  63. #63 mjw
    9. Februar 2022

    @George Lasry | Thanks for Your riddle.
    @Thomas | Auch 1A!
    @Narga | Big As Nut to crack – something big as a Kola-nut.
    @Klaus | thx