Vor drei Monaten hat Norbert Biermann die Challenge von George Lasry gelöst und ist damit der aktuelle Träger des Friedman-Rings. Heute stelle ich Norberts neue Challenge vor. Wer sie löst, wird sein Nachfolger.

English version (translated with DeepL)

Wer das aktuelle Krypto-Rätsel als erstes löst, erstellt das nächste. Nach diesem einfachen Prinzip funktioniert der Friedman-Ring. Dabei handelt es sich um ein Spiel, das nach den Kryptologen William und Elizebeth Friedman benannt ist. Vorbild ist der Iffland-Ring, der bereits seit Jahrhunderten an Schauspieler vergeben wird.

Vor drei Monaten ging die fünfte Runde des Friedman-Ring-Spiels zu Ende. Das bisher letzte Rätsel kam von George Lasry. Norbert Biermann hat es als erster gelöst und wurde damit der neue Träger des Friedman-Rings. Thomas Bosbach hat mit seinen Hinweisen wesentlich zur Lösung des Rätsels beigetragen.

Damit ergibt sich folgende Liste von Trägern:

  1. Frank Schwellinger
  2. Anna Salpingidis und Christoph Tenzer
  3. Armin Krauß
  4. Christoph Tenzer
  5. George Lasry
  6. Norbert Biermann

Es gibt eine Webseite zum bisherigen Verlauf. Der jeweilige Empfänger des Friedman-Rings verpflichtet sich, ein Krypto-Rätsel zu entwickeln und mir zur Verfügung zu stellen. Wer dieses Rätsel als erstes löst, ist der neue Träger.

Bevor es weitergeht, möchte ich noch auf meinen Online-Vortrag am kommenden Sonntag um 18 Uhr (deutsche Zeit) hinweisen. Unter dem nicht ganz ernst gemeinten Titel “How to become a cyber criminal” werde ich einen unterhaltsamen Überblick zum Thema Cybercrime geben. Veranstalter ist wieder die ICCH-Gruppe. Wie immer haben Robert Saltzmann und Tom Perera die Organisation übernommen, wofür ich mich herzlich bedanke. Die Teilnahme ist kostenlos. Der Zugangslink wird über die Cryptocollectors-Mailing-Liste verschickt. Wer diese nicht abonniert hat, kann sich gerne bei mir melden, dann stelle ich den Link zur Verfügung.

 

Norbert Biermanns Challenge

Kommen wir nun zur neuen Friedman-Ring-Challenge, die Norbert mir zugeschickt hat. Hier ist sie:

NIGWMIIMHHLUENGODSLNSLESIETALUATSTADLIEMOFHFRIEEEFHISEOCNNSTDWUEMNRIFEOAMAAONTCUTINDWESEATENABDCYBDHKCLISITTIAAUSTOKHPEGWNEOBHIDWLEESRESREEDDNODTGOMNNOFEFAFOTCTAFHHSREIFANEOTSNOECOEERTNRWMADTAAASRCTUPUHHRYRDSAAINEITLESNFULDSIGOFAOINTGWUHUAODAORTBTEBVAEWRBOETLHLURWREOIPSCDTIHTELEHWWVAAKLWOEFREEIDRRTIPTNKAEIANLRJSATIRHMUTUFAPSSDNNOYTRTEMUHBWOOCTTSEVVNTREEENEMRRAETEI

Quelle/Source: Biermann

Hier ist eine Transkription:

NIGWM IIMHH LUENG ODSLN SLESI
ETALU ATSTA DLIEM OFHFR IEEEF
HISEO CNNST DWUEM NRIFE OAMAA
ONTCU TINDW ESEAT ENABD CYBDH
KCLIS ITTIA AUSTO KHPEG WNEOB
HIDWL EESRE SREED DNODT GOMNN
OFEFA FOTCT AFHHS REIFA NEOTS
NOECO EERTN RWMAD TAAAS RCTUP
UHHRY RDSAA INEIT LESNF ULDSI
GOFAO INTGW UHUAO DAORT BTEBV
AEWRB OETLH LURWR EOIPS CDTIH
TELEH WWVAA KLWOE FREEI DRRTI
PTNKA EIANL RJSAT IRHMU TUFAP
SSDNN OYTRT EMUHB WOOCT TSEVV
NTREE ENEMR RAETE I

Weitere Informationen hat Norbert bisher nicht zur Verfügung gestellt. Ich bin aber sicher, dass er den einen oder anderen Tipp gibt, wenn meine Leser nicht weiterkommen. Vielen Dank auf jeden Fall an Norbert für diese bestimmt sehr interessante Challenge.

Wie schon öfters erwähnt, gehört es zu den Eigenheiten dieses Spiels, dass jeder Leserhinweis, der als Kommentar veröffentlicht wird, einem anderen Codeknacker zum Gewinn verhelfen kann. Ich bitte meine Leser daher, nicht ganz so egoistisch zu sein. Wenn im Forum über Lösungswege diskutiert wird, macht das die Sache für alle spannender. Natürlich werde ich jeden Kommentar, der zur Lösung beigetragen hat, entsprechend würdigen.

Das Rennen ist eröffnet!


Further reading: Christoph’s Chaotic Caesar Challenge

Linkedin: https://www.linkedin.com/groups/13501820
Facebook: https://www.facebook.com/groups/763282653806483/

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (50)

  1. #1 Joachim
    12. Mai 2022

    Ich maße mir nicht an, das lösen zu können.

    Aber wenn ich mit die Häufigkeitsverteilung der Buchstaben anschaue, so kann ich mir Vorstellen, dass nur die Positionen verwürfelt sind.

    Oder das ist eine Falle…

  2. #2 Rossignol
    Paris, France
    12. Mai 2022

    Statistically this cryptogram is the result of a transposition.

    In my opinion, the first incomplete line indicates the method used: La première méthode de M. le colonel Roche.
    Described in Félix Delastelle Traité élémentaire de cryptographie (1902).

    The first description of this method that I know of is in an article by Captain Josse La cryptographie et ses applications à l’art militaire (1885).

    Not easy to break.

  3. #3 Jarl
    Belgium
    12. Mai 2022

    Premiere methode de Mayer?

  4. #4 Doc Cool
    Kryptografie.de
    12. Mai 2022

    Habe jetzt leider nicht die Zeit, mich näher mit der Kryptoanalyse zu beschäftigen, daher nur meine Gedanken dazu.

    Das Chiffrat hat einen Koinzidenzindex von 6,203%

    laut https://kryptografie.de/kryptografie/kryptoanalyse/koinzidenzindex.htm entspricht (am ehesten):

    “deutsch 0.076 7,6%
    französisch 0.078 7,8%
    italienisch 0.076 7,6%
    spanisch 0.075 7,5%
    englisch 0.065 6,5%
    schwedisch 0.063 6,3%
    russisch 0.053 5,3%
    gleichverteilt (“starke” Chiffre) 0.0385 3,85%”

    Sprache ist also wahrscheinlich englisch, oder auch französisch, weil der Hinweis in der Überschrift franz. ist.

    Auf jeden Fall keine polyalphabetische Substitutions- Chiffre, sondern wohl eine monoalphabetische oder eine Transpositionschiffre.

    Der Hinweis “Premiere methode de M…” könnte den Spaltentausch-Chiffre meinen.

    Bei https://kryptografie.de/kryptografie/chiffre/spaltentausch.htm steht auch:

    “Der französische Offizier Émile Victor Théodore Myszkowski beschrieb diese Chiffre 1902 in seinem Werk Cryptographie Indéchiffrable.”

    Myszkowski war Franzose. Das “M” würde dafür passen. Den Hinweis in franz. vielleicht auch nur, weil M. Franzose war. Sprache des Klartextes dann evtl. doch eher englisch.

  5. #5 Thomas
    12. Mai 2022
  6. #6 Matthew Brown
    12. Mai 2022

    If I’m understanding it correctly the method identified by Thomas is a tranposition cipher which works as follows;

    Choose an irrational number to use as the key such as: 1/19 = 0.052631578…

    Use the digits to create a set of ‘compartments’ which to write the plaintext into. For an example 33 letter plaintext;
    …..|..|……|…|.|…..|…….|…. (note the last group is shortened)

    1. Write the first letters of the plaintext into the rightmost positions of each group;
    ….1|.2|…..3|..4|5|….6|……7|…8

    2. Now try to write the next plain text letter to the right of an existing cipher letter position (L to R);
    ….1|9 2|10….3|11.4|5|12…6|13…..7|14..8

    3. Now try to write the next plain text letter to the left of an existing cipher letter position (R to L);
    …20 1|9 2|10…19 3|11 18 4|5|12..17 6|13….16 7|14.15 8

    4. Repeat alternating left and right until all letters have been encrypted.
    33 32 28 20 1|9 2|10 21 29 27 19 3|11 18 4|5|12 22 26 17 6|13 23 30 31 25 16 7|14 24 15 8

  7. #7 Thomas
    12. Mai 2022

    Another source covering Roche’s 1st method: https://gallica.bnf.fr/ark:/12148/bpt6k34572s/f419.item

  8. #8 Geoffrey Caveney
    New York City
    12. Mai 2022

    The plaintext is quite likely in English, since the particular letter frequencies match the typical expected letter frequencies of English text strikingly well:
    E 12.6% (Engl. exp. 12.7%)
    T 9.3% (Engl. exp. 9.1%)
    A 8.2% (Engl. exp. 8.2%)
    O 6.6% (Engl. exp. 7.5%)
    I 6.8% (Engl. exp. 7.0%)
    N 6.8% (Engl. exp. 6.7%)
    S 6.0% (Engl. exp. 6.3%)
    R 6.3% (Engl. exp. 6.0%)
    D 4.6% (Engl. exp. 4.2%)
    L 3.8% (Engl. exp. 4.0%)
    The frequency of H, 4.6%, is a bit low for English text, which could indicate an effort to minimize the use of the word “THE”, but this could also just be coincidental.

  9. #9 Jan
    12. Mai 2022

    Within @Thomas first source of the Roche method it is stated that there is a defect pointed out by Mr. Captain Valério. This might be interesting. Unfortuantely my french isnt that great but here is the text of Valério: 🙂

    https://books.google.at/books?id=nsd9nQEACAAJ&printsec=frontcover&hl=de&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false

  10. #10 Jan
    12. Mai 2022

    And here is the french text of @Thomas first source (#5) for easy translation (e.g. Deepl):

    Première méthode de M. le colonel Roche. – Cette ingénieuse méthode, qui mélange parfaitement les lettres, est enta- chée d’un défaut signalé par M. le capitaine Valério (De la Cryptographie. — Essai sur les méthodes de déchiffrement). Ce défaut sera absolument évité en opérant de la manière suivante: Choisir une série numérique très longue, sinon indéfinie. Les opérations arithmétiques, surtout les extractionsde racines et les fractions irreduelibles. nous fourniront, sous une forme condensée et facile à retenir, les éléments de ces séries. Ainsi la fraction 1/7, convertie en décimales, donnera une série de six chiffres: 1/7 = 0,142857…; 1/49 donnera quarante-deux chiffres, etc. Supposons qu’on ait choisi 1/19 = 0,01578947368421.
    Marquons sur une ligne autant de points que la dépêche contient de lettres: séparons cette ligne en compartiments renfermant chacun le nombre de points indiqué par les chiffres significatifs de la série choisie.
    Soit, par exemple, trente-trois le nombre des lettres du texte, nous aurons :

    –first table–

    le dernier compartiment, qui ne renferme que quatre points, en aurait reçu huit si la dépêche avait eu trente-sept lettres ou plus.
    On commencera par mettre dans chaque compartiment une des premières lettres du texte à cryptographier, en suivant l’ordre naturel de gauche à droite, ou un ordre arbitraire convenu à l’avance.
    Supposons que l’on suive l’ordre naturel et que les huit premières lettres soient placées à la droite dans chaque compartiment; les lettres suivantes du texte seront mises, s’il est possible, à la droite de chacune des huit premières, en allant de gauche à droite: dans le cas actuel, on n’en peut placer que six. A partir de la quinzième, les lettres claires seront posées à la gauche des lettres ou groupes déjà inscrits, en allant de droite à gauche; on reprendra ensuite la marche de gauche à droite et ainsi de suite alternativement.
    Cette opération fournira le tableau ci-dessous:

    — second table —

  11. #11 Thomas
    12. Mai 2022

    Provided the challenge is based on Roche’s first transposition method (certainly a long shot): Since the compartment’s lengths are between 1 and 9, the length median is 5 which yields around 366/5 = 73 compartments. So for the key a rational number with a sufficient length is needed. The digits of the decimal fractions starting with 1/7 could be checked using the assignment method described by Delastelle, Josse and Matthew Brown if that results in readable plaintext. Certainly feasable with a computer.

  12. #12 Jarl
    Belgium
    12. Mai 2022

    I like the idea of “La première méthode de M. le colonel Roche” but the text does not fit the picture. At most 4 or 5 letters do fit.

    It would make sense if a number like pi was used rather than a decimal fraction.

  13. #13 Rossignol
    Paris, France
    13. Mai 2022

    Nothing says that the Roche’s transposition applies to the ciphertext as a whole.
    The cryptogram is 366 characters long and 366 = 2 x 3 x 61
    I tried multiple anagramming on 6 x 61. Don’t work 🙂

  14. #14 Geoffrey
    13. Mai 2022

    I’m convinced it must indeed be “La première méthode de M. le colonel Roche”. I agree that the digits of pi would be an elegant choice, but of course there are numerous other possibilities.

    We cannot say that “the text does not fit the picture”, because there are literally an infinite number of possible fractions whose digits could have been chosen as the basis of this first Roche cipher method. To offer just a couple examples of logical choices with rather large denominators, I have tested the fractions with denominator 97, because it is the smallest denominator of a rational fraction whose repeating digits add up to more than 366. I am even testing certain fractions with the denominator 729, since they have period length 81 and thus their digits add up to precisely the range 360 to 369. Although 729 is a rather large number, it is mathematically elegant as 3^6, 9^3, and 27^2, and also it has musical relevance as the frequency ratio of certain musical intervals such as the diminished fifth in Pythagorean tuning, which is 1024/729 (2^10/3^6). Thus, to be thorough, those checking with computer programs should test every rational fraction with denominators up to at least 1,000.

    Further, perhaps the cipher somehow changes the order of the text before entering it into the Roche cipher method. To cite a few simple possibilities, the text could have been entered backwards (IETEAR…), or vertically (NEHOK…), or right-to-left (ISELS…), or taking the first letter of each 5-letter block (NILOS…), or the last letter of each 5-letter block (MHGNI…), or such letters by blocks backwards or vertically or right-to-left as well. If the digits of pi are the basis of the Roche cipher, then a circular or spiraling order of entering the letters of the text would be thematic as well: such an order could be clockwise or counterclockwise, and could spiral inward from a corner or outward from the middle. Another possibility: the text could actually begin in the middle, at the 184th letter, or at some other logical or thematic position other than the apparent beginning of the text. I haven’t even mentioned more obscure possibilities such as a diagonal order of entering letters from the presented array, etc., etc.

    Again, to be thorough, *every* fraction or mathematical constant that is checked would need to be checked with as many of these various plausible orders of entering the letters of the text as possible.

    Finally, 366 is also the number of days in a leap year. Perhaps the basis of the Roche cipher is not the digits of a fraction or constant, but rather the numbers of days in each month of a leap year.

  15. #15 Nils Kopal
    13. Mai 2022

    Hiho,
    I just (for fun) searched through the complete English, French, and German Gutenberg library for a fitting plaintext. Sadly, I did not find a match 😉

  16. #16 Matthew Brown
    13. Mai 2022

    I’ve been trying the following attack;

    1.Brute force through all possible values for the first N digits of the key.
    2.Split the ciphertext into these compartments then read of the last letter of each to give the first N letters of plaintext.
    3.Then also read off letters to the right of these positions to get a continous set of letters from somewhere later in the plaintext.
    4.Take a combined Ngram score from both of these sequences to find best solution.

    No luck so far, I’m not sure if this is because the initial assumptions about how the cipher works are incorrect or if the method is flawed.

  17. #17 Chris
    Vienna
    13. Mai 2022

    I also implemented the algorithm mentioned.

    It seems to work correctly, at least according to the examples in
    https://archive.org/details/8VSUP3207b/page/n33/mode/2up (page 34f.) and
    https://gallica.bnf.fr/ark:/12148/bpt6k34572s/f419.item (page 421f.)

    I ran the given ciphertext with many thousand keys (1/x, square_root(x), pi, e …) – no senseful results until now … hmmm …

  18. #18 Geoffrey
    13. Mai 2022

    When working on decrypting a challenging cipher, I always find it quite helpful to try my hand at encrypting a message using the cipher method as well, in order to better understand how the method works.

    Thus, for my own and hopefully others’ benefit, I have encrypted a message of the same length as Norbert Biermann’s Friedman-Ring Challenge cipher. I confirm that I have used the “première méthode de M. le colonel Roche”, as described in Delastelle’s work. I have used the decimal digits of a certain number. I will tell you that the message is written in English. I will also tell you that I have added one small twist to the encryption process; however, it is not a particularly complicated twist, and in my opinion any algorithm that hopes to be able to solve Norbert’s Friedman-Ring Challenge cipher should certainly be capable of solving my test cipher below:

    TTLSG RREII TNTOR AGEOC RWORI
    EEDRN OLHRE INETI RANEA SPHMT
    PIRHF HRETO VFEOO TATIT NYSCN
    ESTSE KSINI STTDI THANA ALTIT
    EEOEN GRMSR DMTNE ECEIF EOHHN
    HTACR FTDUO HCSMS EENOO OOOED
    HOITI CDNRL ANIFM MLUVT APIEO
    RSEDB EOLRE AHETS NBIIE TLHFI
    ELTFL TRMNL ANILW YPLFI DEOOO
    SNSSS TIERW WSHSH ESEEI CHANS
    PERMU OOHTP RCODR JSEFR REGUI
    TOUEH HOVEI DOACN EDNTR ERNGO
    TUEEI EFHHW CTHNA EEEWE MLOHB
    TMELN TEATN TLSCH SRYIN TOUDS
    EDIER NMTFN EATHF I

    Good luck!

  19. #19 Rossignol
    Paris, France
    14. Mai 2022

    Just an idea (probably a stupid one) .
    Statistically the cryptogram seems to be the result of a transposition.
    What if Norbert had used a “stealthy” monoalphabetic substitution (before or after the transposition)?
    i.e. a substitution that only swaps letters of the same frequency (letters of the same clique)
    see: https://archive.org/details/DecryptedSecretsMethodsMaximsOfCryptology4thRevisedExtendedEd./page/n329/mode/2up

    Used alone such a substitution is easily detected but combined with a transposition it is a much more difficult task.

  20. #20 Matthew Brown
    14. Mai 2022

    KEY: 4,3,4,8,6,6,9,2,3,7,2,7,4,9,3,3,7,1,7,5,4,9,3,6,2,5,1,5,9,2,7,4,5,4,7,1,6,6,2,6,3,5,9,1,5,7,9,7,1,7,2,2,7,8,2,1,9,4,7,8,7,5,5,3,6,9,8,7,5,5,8

    WILLIAMFRIEDMANUSEDHISKNOWLEDGEOFROTORMACHINESTODEVELOPSEVERALTHATWEREIMMUNETOHISOWNATTACKSTHEBESTOFTHESEWASTHESIGABAWHICHAFTERIMPROVEMENTSBYFRANKROWLETTANDLAURANCESAFFORDWOULDBECOMETHFEUSSHIGHESTSECURITYCIPHERMACHINEDURINGWORLDWARIIJUSTOVERTENTHOUSANDWEREBUILTAPATENTONSIGABAWASFILEDINLATENINETEENFORTYFOURBUTKEPTSECRETUNTILTWOTHOUSANDANDONELONGAFTERFRIEDMANHADDIED

  21. #21 Matthew Brown
    14. Mai 2022

    KEY:
    4,3,4,8,6,6,9,2,3,7,2,7,4,9,3,3,7,1,7,5,4,9,3,6,2,5,1,5,
    9,2,7,4,5,4,7,1,6,6,2,6,3,5,9,1,5,7,9,7,1,7,2,2,7,8,2,1,
    9,4,7,8,7,5,5,3,6,9,8,7,5,5,8

    WILLIAMFRIEDMANUSEDHISKNOWLEDGEOFROTORMACHINESTODEVELOP
    SEVERALTHATWEREIMMUNETOHISOWNATTACKSTHEBESTOFTHESEWASTH
    ESIGABAWHICHAFTERIMPROVEMENTSBYFRANKROWLETTANDLAURANCES
    AFFORDWOULDBECOMETHFEUSSHIGHESTSECURITYCIPHERMACHINEDUR
    INGWORLDWARIIJUSTOVERTENTHOUSANDWEREBUILTAPATENTONSIGAB
    AWASFILEDINLATENINETEENFORTYFOURBUTKEPTSECRETUNTILTWOTH
    OUSANDANDONELONGAFTERFRIEDMANHADDIED

  22. #22 Matthew Brown
    14. Mai 2022

    The text was encrypted exactly as described by Delastelle.

    One interesting quirk of this system is that a partial key
    allows you to decrypt a partial plaintext. For example if
    you ‘guess’ the first digits of the key [4,3,4,8,6,6,9,2,…]
    you can decrypt to the following;

    WILLIAMFMMUNETOEUSSHIGHESTSILEDINLATLONGAD

    By bruteforce forcing 8 digits at a time I was able to recover
    the key. The correct solution wasn’t always the highest scoring
    so I had to keep a list of the best 100 solutions and then only
    lock the digits I was confident in, and slowly extend the solution.
    Even after the initial finding of WILLIAMF it took a couple of hours
    to extend this out to the full solution.

    I haven’t yet tried to figure out where the key digits are derived from.

  23. #23 Jarl
    Belgium
    14. Mai 2022

    Solution:

    WILLIAM FRIEDMAN USED HIS KNOWLEDGE OF ROTOR MACHINES
    TO DEVELOP SEVERAL THAT WERE IMMUNE TO HIS OWN ATTACKS
    THE BEST OF THE LOT WAS THE SIGABA WHICH AFTER IMPROVEMENTS
    BY FRANK ROWLETT AND LAURANCE SAFFORD WOULD BECOME THE US’S
    HIGHEST SECURITY CIPHER MACHINE DURING WORLD WAR II JUST
    OVER TEN THOUSAND WERE BUILT A PATENT ON SIGABA WAS FILED
    AT THE END OF NINETEEN FORTY FOUR BUT KEPT SECRET UNTIL
    TWO THOUSAND AND ONE LONG AFTER FRIEDMAN HAD DIED

    It’s Roche. I don’t have a perfect yet because my solver (hill-climber) is still working on it, checking keys length 65 to 85:

    Current key length: 79 Hill climber: 5908/56952/7
    Score: 21529.14 IOC: 0.0620 Multiplicity: 0.0628 Minutes: 29.90
    Repeats: FRIEDMAN THOUS SIGAB ESTO TSEC MACH WERE THE (2) URI

    Key length: 72
    Key: 4,3,4,8,6,6,9,2,3,7,2,7,4,9,3,3,7,1,7,5,4,1,8,3,6,2,5,1,5,9,2,7,4,5,9,9,8,6,3,5,9,1,5,7,9,7,1,7,2,1,1,7,8,3,9,4,7,8,2,5,5,5,3,6,9,8,7,5,5,8,4,7

    WILL I AM FRIED MAN USED HISS KNOWLEDGE OF
    NO MACHINES TO DEVAE LOSEVER ALTR HAT WERE
    IMMUNE TO HIS OWN ATTACK I THE BEST OF THE
    EAS THES I GAB WHICH AFTER IMPROVEMENTS BY
    FANK ROWL PETT AND LAURAW CA AFFORD WOULD
    BECOMETH FE USS HIGHEST SECURITY CTP HER
    MACHOE DURING WORLD WAR I I JUST OVER TEN
    THOUSAND WERE BUILT A PARE FT ON SIGABA WAS
    FILED IN LATE NINETEEN STRTY FOUR BUT KEPT
    SECRET UNTIL TWO THOUS NO IND AND ONE LONG
    A FIER STR FRIED MAN HAD NED ED

  24. #24 Jarl
    Belgium
    14. Mai 2022

    Sorry, didn’t notice that Matthew Brown beat me to it. Congratulations Matthew!

  25. #25 Thomas
    14. Mai 2022

    @Matthew Brown, Jarl:

    Congratulations, great job!

    Apparently Norbert took the plain text from Wikipedia with some modifications to prevent an attack like Nils’s:
    “Friedman used his understanding of rotor machines to develop several that were immune to his own attacks. The best of the lot was the SIGABA—which was destined to become the US’s highest-security cipher machine in World War II after improvements by Frank Rowlett and Laurance Safford. Just over 10,000 were built. A patent on SIGABA was filed at the end of 1944, but kept secret until 2001, long after Friedman had died”

  26. #26 Norbert
    14. Mai 2022

    @Matthew: Congratulations, this is a great achievement and for me definitely counts as breaking the cipher!

    There is only one tiny detail wrong in the key (resulting in a few wrong letters). Fixing this might help to find out what the key sequence is derived from (or vice versa).

    Congratulations also to Rossignol and Thomas for finding independently so quickly the matching chapter in Delastelle’s traité élémentaire! It all went much faster than I expected 🙂

  27. #27 Gerd
    14. Mai 2022

    Congratulations!
    So the key is a random sequence, and not a certain irrational number, and this why Chris’ attack #17 failed?

  28. #28 Geoffrey
    14. Mai 2022

    Congratulations Matthew! (and Jarl!)

    Norbert, thank you so much for rediscovering and unearthing this beautiful cipher method!

    Matthew makes a very good point that one weakness of this system is that “a partial key allows you to decrypt a partial plaintext”. Indeed, this is one reason why Matthew was able to succeed by “bruteforce forcing 8 digits at a time”.

    As I was encrypting my own test Roche cipher (#18 above), I realized that the beginning of the message was by far the most weakly encrypted part. Now I will disclose that my “twist” was to combat this weakness by encrypting the plaintext backwards, with Roche/Delastelle’s “1” position filled by the last letter of the plaintext rather than the first, the “2” position by the 2nd to last letter, and so on. Thus the only partial decrypt one can find is the end of the message written backwards, a rather more difficult challenge than the beginning of the message written normally.

  29. #29 Matthew Brown
    14. Mai 2022

    Thanks everyone!

    @Jarl It must have been a photo finish!

    @Geoffrey Ah, I wondered why I couldn’t solve yours 🙂

    I’m stumped recovering the source for the original key, the fraction 1/22995544 is heading in the right direction but the pattern seems to break down after that.

  30. #30 Geoffrey
    14. Mai 2022

    At first the key number sequence looks like it might be sums and differences of pairs of digits of pi, but then the pattern breaks down:
    3+1=4, 4-1=3, 5-9=-4, 2+6=8, but then we can’t get 6 out of 5 and 3.

    I looked at the lengths of the words of the text in the Delastelle book section about the Roche cipher, but I didn’t find any sequences of words with lengths 4,3,4,8,6,6, etc. The source could be any text with a sequence of words with such lengths, but I wouldn’t know where to begin to look for such a text.

  31. #31 Nils kopal
    14. Mai 2022

    Ah. Nice… Wikipedia was on my todo list to search through but had no time to download it and execute the search . Well done guys!

  32. #32 Jarl
    Belgium
    14. Mai 2022

    @Geoffrey: Article 7: Benjamin Franklin to the Federal Convention

  33. #33 Geoffrey
    14. Mai 2022

    Well done Jarl! The message ends “…INTHEWRONG”, so it shows up in the beginning of the partial decrypt as “GNORWEHTNI….” And the key number sequence is…?

    Now here is another challenge: a double Roche cipher! Just as a double columnar transposition is encrypted with two consecutive columnar transpositions, so the following message has been encrypted with two consecutive Roche ciphers:

    HEIUF EANOI OWFEO ISTAE IAYUR
    ETHYY YMWTT YRLAT MKIAT TANRN
    SRALR MTEHC WOHHR LNAIW DTMTN
    UOYFO SONON MEODY ILJNO NSETZ
    SOCAO THFDN ABGHM OROAD EENES
    EUNBR ACFAD HAUOO TYNDI RSA

    Good luck!

  34. #34 Jarl
    Belgium
    14. Mai 2022

    @Geoffrey: Rochefort? 😀

  35. #35 David Vierra
    14. Mai 2022

    Good work, everyone.

    I had made a comment responding to Matthew’s comment #16 describing the partial decryption you can get using a partial key, but it looks like my comment never got posted. I hope this can get fixed so I can participate in the next one…

  36. #36 Norbert
    14. Mai 2022

    Congratulations also to Jarl! Sorry, last time your posts had not yet shown up. That was really a photo finish.

    I had tried to create a puzzle where pencil-and-paper solvers might stand a chance as well. Manual solving is possible with the Roche cipher imho, once you get a foot in the door. The idea was that from the starting point “William” and “mmunet” (you can expand the latter to “immunet” using the last letter of the ciphertext and from there easily to “immune to”), you get to Friedman and the Wikipedia page and work your way from there. But in fact “William” was hard to find, so the programmers had the better cards in the end 🙂

    In a first version I had included the years and “10,000” as digits, but then had decided that this would give away too much information.

    By the way, still one letter in the plaintext is wrongly placed and the key not given correctly 🙂

  37. #37 Geoffrey
    14. Mai 2022

    Thank you again Norbert for the puzzle and for your comments. Imho the best chance for a pencil and paper solver such as myself is to somehow correctly guess a clever but guessable source of the key number sequence. Yet that is the one part of the puzzle that still hasn’t been figured out by anyone yet!

  38. #38 Armin Krauß
    14. Mai 2022

    Congratulations, Matthew!

    Splitting the 3 on position 9 of the key into 2 and 1 moves the misplaced F of “THFE” between William and Friedman, and we get William F. Friedman.

    So the key would then be:

    4,3,4,8,6,6,9,2,2,1,7,2,7,4,9,3,3,7,1,7,5,4,9,3,6,2,5,1,5,
    9,2,7,4,5,4,7,1,6,6,2,6,3,5,9,1,5,7,9,7,1,7,2,2,7,8,2,1,9,
    4,7,8,7,5,5,3,6,9,8,7,5,5,8

  39. #39 Chris
    Vienna
    15. Mai 2022

    Guys, you are just awesome!
    Congrats to Matthew!

    (And with the correct key even my implementation works 😉

  40. #40 Norbert
    15. Mai 2022

    @Armin: Perfect! (That extra F was a bit mean. Apologies to everyone!)

    @Chris:

    with many thousand keys (1/x, square_root(x), pi, e …)

    Maybe you would have succeeded with many million tries 😉

  41. #41 Thomas
    15. Mai 2022

    @Norbert

    Thank you for this awesome challenge! It appears France was the cryptological superpower back then.

    Just one question: Since you wrote “… what the key sequence is derived from” I guess there remains a last puzzle, right?

  42. #42 Matthew Brown
    15. Mai 2022

    Ah, sqrt(18910924)

  43. #43 Thomas
    15. Mai 2022

    So the square root of William F. Friedman’s birth date!

  44. #44 Geoffrey
    15. Mai 2022

    Wow Matthew, you are solving everything. Looking forward to your own Friedman-Ring Challenge cipher next!

    By the way, in hindsight the origin of the number sequence could have been solved even with the not completely correct sequences given in the first solutions above: Simply calculating the square of the decimal 0.434866923… still yields the value 0.18910924…, and if one thinks to connect those digits 1891… to a year and date, knowing the William F. Friedman theme, the answer is right there already. In fact, I know I had this number 0.18910924… on my calculator screen yesterday, but I simply didn’t think to connect it to a year, a date, or Friedman! Ah well.

  45. #45 Norbert
    15. Mai 2022

    Matthew and Thomas revealed the last remaining secrets of my challenge. Now go and solve Geoffrey’s Double Roche puzzle! 😉

    One more little note about the method: I think one drawback is that it is quite error-prone. I tried twice to verify the ciphertext output of my program by also manually encrypting. Both times I messed up somewhere in the middle and realized too late, so I gave up on it in the end …

  46. #46 Norbert
    15. Mai 2022

    @Jan #9

    it is stated that there is a defect pointed out by Mr. Captain Valério.

    In the version originally proposed by colonel Roche, the last “compartment” is to be filled with padding characters. Thus the total length of the ciphertext is limited to certain distinct values. If one collects enough messages of different length encrypted with the same key, one can conclude the length of the compartments. This is the “defect” Valério had pointed out.

    Delastelle solves the problem by avoiding padding characters and instead truncating the last compartment to the appropriate length. He also suggests to use very long key sequences, for example by calculating the root of a given number (which I imagine was quite exhausting in times before Wolfram Alpha).

  47. #47 Geoffrey
    15. Mai 2022

    I have been able to successfully perform manual encryption and decryption of the Roche cipher by using a table with 9 numbered columns. First, using the key number sequence, I place an “x” in every place that will not be filled with a letter. For example, to encrypt Norbert’s cipher, I would place x’s in the 5th through 9th columns of the first row, the 4th through 9th columns of the second row, etc.
    Now it seemed to me it is not too hard to enter the plaintext: First top to bottom in the rightmost place in each row without an “x”. Then, skipping the very first place in the first row, top to bottom again in each unfilled place in the 1st column. Next, bottom to top in the rightmost unfilled place in each row. If one loses one’s place, one can find it again by noting that completed rows in this step have 3 letters in them while uncompleted rows in this step have only 2 letters in them.
    Then one simply repeats this process: next top to bottom in the 2nd column, again skipping the first row, and then bottom to top in the rightmost unfilled place in each row. (Now completed rows in this step have 5 letters in them, while uncompleted rows have only 4 letters.)

  48. #48 Geoffrey
    16. Mai 2022

    One more comment about Norbert’s cipher method: The source of the key number sequence is so obscure, both hard to guess and hard to find by brute force methods, that it could be the basis of many cipher methods as an effectively pseudo-random number string. For example, here is an extremely simple one, very easy to encrypt and decrypt with the key number sequence, but virtually impossible to crack without knowing the key number sequence:

    NEZZD UIUIK AGSWZ UVLSW VIBWX TXEYE …

  49. #49 Doc Cool
    Kryptografie.de
    17. Mai 2022

    My congratulations to the solvers Matthew Brown and Jarl too. That was not an easy one. You have done very well!

  50. #50 Klaus Schmeh
    17. Mai 2022

    Matthew: Congratulations! Thank you to you and all the others who contributed!
    I will write a blog post once I have worked through all the comments.