Original Articles

Operational Use and Cryptanalysis of the Kryha Cipher Machine

Pages 114-155 | Published online: 11 Apr 2011
 

Abstract

The Kryha machine was introduced in 1924 and continued to be marketed into the 1950s. The cryptologic literature surveyed for this article includes descriptions of various models of the machine and methods of attacking it, but relatively little has been written about its operational use. This article reviews both published and archival material, and provides some examples of actual use and cryptanalysis from the period immediately before and during the Second World War.

Acknowledgments

Frode Weierud assisted with initial translations of messages and other materials from their German originals. Frode also generously provided the author with a variety of Kryha materials, including numerous Kryha patents as well as Parker Hitt's memoranda describing his evaluation of the machine, and has agreed to host the author's transcriptions of these and of SSA memoranda on his website. Klaus Schmeh kindly provided the 1925 version of the Kryha operating manual and assisted with its translation from German. Ralph Erskine drew the author's attention to several important references. David Hamer provided the initial photographs on which several of the figures in this article were based, as well as detailed descriptions of the fixed control wheels in the National Cryptologic Museum's Kryha collection. Geoff Sullivan researched and explained the relationship between the tooth and stepping patterns of the early-model machine. Wes Freeman provided additional archival material. The staff of the National Cryptologic Museum was, as always, very helpful in providing the author with access to items in their collection. Government Communications Headquarters (GCHQ) agreed to release selected portions of [Citation3] for inclusion in this and other publications; the assistance of the GCHQ historian is gratefully acknowledged. Éamon de Buitléar provided a copy of Kryha's 1934 marketing brochure (see note 67). Thanks are due to all members of the Crypto Simulation Group (Frode Weierud, Ralph Erskine, David Hamer, Geoff Sullivan, and Wes Freeman) for their ever-diligent proofreading and helpful suggestions for improving this article. Responsibility for any errors, including any misinterpretation of materials originally in German or French, rests as always with the author.

Notes

1Germany 434642, effective January 1, 1925; Austria 103203 and Switzerland 114121, both applications dated January 16, 1925; France 591950, application dated January 22, 1925; Great Britain 246307, application dated January 23, 1925; and United States 1744347, application dated February 20, 1925. See [Citation35].

2Private communication from Klaus Schmeh.

3To be precise, 2 hours and 41 minutes, not including a 50-minute lunch break.

4Safford later headed the U.S. Navy's cryptologic organization, OP-20-G.

5The author can attest from examination of machines in the collection of the National Cryptologic Museum at Fort Meade, Maryland, that there is considerable friction in the Kryha's mechanism.

6See French patent applications 618952 and 682338, dated respectively June 28, 1926, and September 26, 1929, and British patent application 345218, dated September 10, 1929, in [Citation35]. The British application was not accepted, and subsequently, it became void. Interestingly, these applications focus far more attention on the electrical and mechanical operations of the machine and on mechanisms to improve the reliability of operation, than they do on cryptographic properties of the design.

7All of the original photographs in this article show examples of the Kryha machine held by the U.S. National Cryptologic Museum in Fort Meade, Maryland.

8Thus, we can date the introduction of the later machine somewhat more precisely than the “sometime before 1950” given in [Citation27]. The details of the Coastguard training problem confirm that it corresponds to the later model machine. The author is not aware of any patents covering the later machine.

9In the electrical version of the early machine the alphabet disks are replaced by commutator-like arrangements providing an electrical pathway between moving inner and fixed outer ring. There is no provision for permuting the alphabets on these rings; the equivalent function is performed by plug-and-socket arrangements for permuting the 26 wires joining the central ciphering unit to the two electrical typewriters (these are visible in Figure of [Citation38]). Of three extant patent applications covering the electrical version, only the earliest mentions this possibility (France 618952, see note 6).

10In the earlier model the inner ring is held in position by three spring-loaded catches, visible in Figure ; in the later model the same function is performed by two knurled screws, visible in Figure . The outer ring (perhaps better described as the outer arc) is held in position from underneath by spring clips.

11The diplomatic machine is described in the Kryha marketing literature as differing from the commercial machine in that both the inner and outer rings moved—each is regulated by a separate control wheel driven by its own clockwork motor, as discussed later in this article.

12The legend “IGFAR” on this wheel probably indicates that it belonged to the German chemical conglomerate I. G. Farben, which is known to have used the Kryha machine. The author is indebted to Frode Weierud for this information.

13Germany 434642, Austria 103203, Switzerland 114121, France 591950, Britain 246306, and United States 1744347 [35]. All of these came into force in 1925 or 1926, except for the U.S. patent which was not issued until January, 1930.

14It also envisages control wheels that can be assembled from collections of separate, segment-sized pieces, presumably to allow users to vary the effective control wheel design. It is not clear that these would have been practical and no evidence has been found that they were ever manufactured; the idea may have been superseded by the variable control wheel of the later machine.

15Though [Citation10] equates the two—see p. 152.

16The author is indebted to Geoff Sullivan for explaining this phenomenon. The size of the constant depends on the shape of the gear teeth and the relative diameters of the driving and driven wheels; obviously these factors are fixed for the early model Kryha.

17Konheim [Citation26] gives the value of the constant as 3, and he solves a sample ciphertext based on a 17-segment control wheel for which he provides a diagram showing the tooth pattern. This pattern corresponds exactly with that of a 17-segment wheel mounted in one of the machines at the National Cryptologic Museum, and adding 4 to the tooth count in each segment produces the kick pattern described both in archival materials [Citation32, Citation37] and in more recent publications [Citation7, Citation10] for a 17-segment wheel; it also doubles the period of the machine. In correspondence with the author, Professor Konheim confirmed that his sample problem was produced by a software simulation rather than directly on a Kryha machine.

18The pattern is given in [Citation10] and is included in Figure for convenience. The initial segment of 4 is the step produced as the plunger moves from the hole numbered 1 to the hole numbered 2. The plunger is visible in Figure .

19The Liliput's mechanism was wound using the large knob protruding from the lower right, as viewed in Figure . It was stepped using the button seen protruding from the bottom. The button on the right, opposite the hinge, opens the glass cover.

20Figure shows the later machine with the adjustable control wheel. Arrangements for the earlier machine are similar.

21This property causes some published solutions to be confusing, e.g., [Citation10], [Citation37], [Citation43], since the cipher component is recovered and presented in the reverse of the natural order used to set up the machine.

22Experiments with computer simulations of the Diplomat reveal that long ciphertexts still show marked evidence of periodicity at multiples of the number of segments on the faster-moving control wheel. An examination of the stepping pattern shows that with a window width of three, there is a strong tendency for the slower-moving control wheel to remain stationary for long periods, at least with the English plaintexts used, since it was relatively common for there to be three low-frequency letters adjacent in the plain component set up on the outer alphabet ring (and especially so when the components are based on keywords, leaving standard alphabet sequences such as XYZ unchanged). Increasing the width of the window to five reduces, but does not eliminate this phenomenon, which might well provide a point of entry for the cryptanalyst.

23The example given in [Citation10] either adopts the convention of specifying the plain and cipher components in right-to-left order or has inadvertently recovered the cipher component sequence in reverse order.

24Using, for example, the phi test [Citation29].

25A version of this equation is given independently in [Citation10], as part of a discussion of methods of solving the later model of the machine.

26In Konheim's sample problem, the plain component is set to the standard alphabet, though this fact is only used at the end of his solution to recover the cipher component once the stepping pattern has been determined; the method of recovering the stepping pattern works just as well when the plain component is a mixed alphabet.

27Though continuing solution of some German traffic by the U.S. Army's Signal Security Agency was aided by the key-maker's habit of keeping the number of stopping points on the control wheel constant from period to period while varying the stepping pattern only slightly [Citation32]. Successive daily keys were produced by raising just one or two of the grub screws on the control wheel while lowering one or two others.

28Depths are overlapping sequences of ciphertext produced at the same key setting. With enough material a depth can be solved directly by examination of the letter frequencies of its columns (i.e., the letters from corresponding positions in the underlying ciphertexts), perhaps combined with judicious guesswork. Many cipher machines from this period were at risk of producing depths if improperly used.

29By this, we simply mean that successive letters from those components are taken and written out (cyclically) at that interval. For example, if we take the plain component shown in Figure and decimate it at interval 3, the resulting component will be EFVACBKUYSIOLHGMWZPTNDRJQX. Clearly, this operation is only well-defined if the decimation interval is relatively prime to 26.

30This approach works well in conjunction with Konheim's technique—when k is relatively prime to 26, the equations that result from matching columns are all in terms of a single variable: k. No unique solution is possible, but any value of k relatively prime to 26 will produce a valid result.

31The degenerate case where k is a multiple of 13 can be ignored for practical purposes.

32To give an example from [Citation37], we might find the following sequences at an appropriate interval within the ciphertext: ULWUPDLMLKU; and IALIGYANAUI. We would like to believe they are repeated encipherments of the same plaintext word or phrase. Note that each sequence is delineated by a repeated character; there are no conflicts where the same letter appears in the same place in both sequences (this would be a contradiction, implying both zero and non-zero values for the multiplier m); and there are confirmations within the sequences—L in the first sequence occurs at positions corresponding with A in the second.

33The practice of double- or multiple-stepping of the machine as a security measure is not mentioned in Kryha's 1925 operating instructions, though an example is given of enciphering differing numbers of spacing characters in between words, and indeed of enciphering a spacer before the first word of a message, but without discussing the improved security that would be obtained by stepping the machine some agreed number of times whenever a word-spacer is encountered. The manufacturer's recommendation of the use of such “letters of influence” in their 1951 advertising brochure is mentioned in ([Citation10] p. 162), but in fact the technique is mentioned as early as the marketing materials from 1926 [Citation12].

34Corresponding pairs of plaintext and ciphertext letters.

35“Crib”—a sequence of matched plaintext and ciphertext.

36As with Konheim's solution, complications arise when k is even, since this gives rise to two disjoint sets of columns in the tableau. The same general solution procedure can be followed, but the assumed value of k has to be taken as 2 rather than 1, and a second arbitrary assumption must be made in labeling the first constatation of one of the “odd” columns as belonging to secondary alphabet number 1. Propagating inferences between columns leads to the recovery of a set of “half alphabets” in each of which the sequence of 13 alternately spaced letters is determined. These must be fitted together in a way that produces a consistent solution, requiring the testing of thirteen possible hypotheses for the relative positions of secondary alphabet “0” and secondary alphabet “1.” Each hypothesis yields a different cipher component sequence which can be tested for consistency with the diagonal property of the tableau; only the correct one will survive. Since the British solution described was of traffic using the later model machine, where the true value of k is 23, these considerations did not apply.

37Within GC&CS, at least three different sections worked on Kryha traffic: ISOS—Intelligence Section, Oliver Strachey—responsible for solutions of hand ciphers used by German clandestine services such as the Abwehr [Citation40]; ISK—Intelligence Section, Knox—responsible for solutions of traffic using unsteckered versions of the Enigma machine, including the special Enigma used by the Abwehr [Citation3]; and the Commercial Section, based at Aldford House in London [Citation13].

38The value of 23 for k is suggestive of a fixed precursor of the later adjustable control wheel, especially since the actual sum of the kicks is 179 (the number of teeth on the drive wheel of the later machine), but an examination of the corresponding stepping pattern recovered by Hitt shows that it could not have been produced by any possible setting of the grub screws on the later control wheel.

39[Citation7], [Citation10], and [Citation38] give A. M. Evalenko as the name of the purchaser of the North American rights to the machine. Whether “George” and “A. M.” were the same person or were related in some way is not clear.

40See note 37.

41Alphabet strips laid out on some kind of stiff backing, usually cardboard. See [4; 5, Appendix 2; and 9] for descriptions of the use of rods against “unsteckered” Enigma traffic, i.e., traffic where no plugboard was in use. The Kryha rods described in this article function rather differently, but still facilitate rapid manual evaluation of multiple hypotheses based on the development of alphabets.

42Note that the direction of the mapping here is from ciphertext to plaintext, rather than the other way around. The alphabets in the tableau shown in Figure map plaintext into ciphertext.

43The example shown here is constructed from the message given on p. 162 of [Citation10]. The sequence of secondary alphabet numbers for each rod begins 10, 20, 1, 12, 19, 22, where secondary alphabet 0 is the one that maps cipher letter K to plain letter P.

44The Abwehr was the intelligence arm of Germany's military high command; the SD (Sicherheitsdienst) was the intelligence arm of the Nazi party.

45[Citation11] notes the use of Kryha for Berlin-Zagreb traffic between midsummer 1943 and midsummer 1944, but without giving further details, and catalogs the system as GISOS5a. The South American traffic is cataloged as GISK6.

46Information provided by Frode Weierud. The order number was ES-1060 (ES standing for Export Spanien). HISMA is discussed later in this article.

47That is, “unsteckered” machines rather than the plugboard version used by the German armed forces during the Second World War. See [Citation9; 5, pp. 60–63; 9; and 39, p. 42] on the extent of breaking during the Spanish Civil War.

48According to [Citation30], the company's true legal name was Carranza & Bernhardt, Transportes en General. The commercial name is much better known.

49 Rohstoff-Waren-Kompensation Handelsgesellschaft translates approximately as “raw material supply and compensation company.”

50The Mosse code is specifically mentioned in Kryha's 1925 operating instructions in a section discussing the benefits of superenciphering codes, whether secret or public [Citation28].

51The plain and cipher components were based on the codewords “OELTANKSCHIRM” (oil tank cover) and “SCHWARZGELB” (black-yellow) respectively.

52In essence, the approach used was the same as the ISOS “rodding” technique, but expressed in different terms and using pencil and paper rather than rods.

53The source of this information is not given in the document. Possibly it came from GC&CS's Commercial Section, which exploited the same traffic following an initial break by (then) Lieutenant-Colonel John Tiltman in June, 1941 [Citation13]. By May, 1943, the Commercial Section had read some 6000 of these Kryha messages, or about 95% of the available traffic [Citation8].

54In this case, B-2 noted that the traffic was using the letter R as a word-spacer. This distorted the statistics of the plaintext, but in a helpful manner. Other characteristics, such as frequent abbreviations and the use of the letter X to mean “period,” were less helpful.

55In B-2's example, the cipher component was found to be based on the keyword “FALLSCHIRM” (parachute), and the plain component to be based on “BISMARCK.”

56Examples: “PORTUGAL”, “GONDELFAHRT” (gondola trip), “MUSIKANT” (musician), and “VOGELSTRAUZ” (ostrich—the second S must be elided from “Vogelstrausz,” the correct German spelling, when constructing the component).

57The letter J on the outer ring is also assigned the number 15 and/or the punctuation character “–.” See Figures and .

58 Reichssicherheitshauptamt, Reich security headquarters, which controlled the Gestapo and the SD, and eventually absorbed the Abwehr in 1944.

59The meaning of the code name “Bolivar” is not clear. Initially it may have referred to agents or operations in Chile, since the cipher alphabet of a device used there, and captured in 1944, was found to be the same as the plain component used with the Liliput in Argentina. However, a message sent to Berlin on May 31, 1943, indicated that the codeword “Bolivar” would in future be used to refer to all three Argentinean networks [19, see SRIC 1043].

60Presumably, the same machine used to construct the exercise in [Citation42].

61With 26 of the 52 holes closed, the variable Kryha control wheel has 26 segments, resulting in a total period of 676 steps.

62The natural way to specify plain and cipher components for the Kryha is in sequence from left to right as viewed by the operator of the machine. The generated alphabet sequence as given in [Citation43] and [Citation41] begins with HOUBJPV …, indicating that the Coast Guard machine must have been set up using the reversed standard alphabet as the cipher alphabet. However, the plain and cipher components ultimately recovered by the Coast Guard are given in their natural sequence.

63Again, there is a small discrepancy in the Coast Guard account. With the process described for construction of the secondary alphabet sequence deck, the sequence should begin with A H O U B rather than H O U B as in note 62. Removing a card from the top of the deck would then place the first ciphertext letter of each message in correspondence with alphabet H, consistent with the effects of the German enciphering procedure. Presumably the sequence given in [Citation43] and [Citation41] was recorded after the top card was removed, rather than as it was originally generated and written down.

64The Coast Guard was easily able to follow the evolution of the Liliput's key by reading cryptographic instructions passed on one or other of the various systems used by the Red and Green networks, a rather insecure procedure that was made necessary by the Germans’ resupply difficulties, and only made possible by their use of a shared technical organization.

65To monitor traffic in Latin America, the British Radio Security Service (RSS) maintained intercept units in the USA under the auspices of British Security Coordination (BSC) [Citation22].

66“Bisection” was the Allied name for the practice of cutting the plaintext of a message roughly in half and enciphering the second half before the first—this has the effect of burying the beginning and end of the message, the portions most likely to be stereotyped, somewhere in the middle of the transmitted ciphertext. Once it gained authority over SD cipher security in 1943, OKW/Chi instructed the SD operation in Argentina to adopt a bisection-like procedure when using Enigma [Citation14], which as we have seen ultimately replaced its use of Kryha. The negative consequences of late or ineffective supervision can clearly be seen: the eight SD messages in [Citation41], dating from early 1943, show no sign of either bisection or double-stepping; yet the commercial traffic between Berlin and Madrid adopted double-stepping from late 1941.

67Éamon also possesses a very fine example of the early model Kryha machine that was purchased by his father, then a member of the recently-formed Irish Army, during a visit to Germany in 1938.

68The abbreviation “HCC” denotes the Historic Cryptographic Collection, RG 457, Entry 9032, NARA, College Park, Maryland.
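The decimation described in note 29, as an added example that is not part of the original article: it decimates a 26-letter component, rejects intervals that share a factor with 26, and undoes a decimation by using the interval's inverse modulo 26. The function names are hypothetical, and the convention that counting starts at the component's first letter is an assumption; the only data taken from the page is the decimated sequence quoted in note 29.

```python
from math import gcd

# Sequence quoted in note 29: the plain component decimated at interval 3.
NOTE_29_SEQUENCE = "EFVACBKUYSIOLHGMWZPTNDRJQX"


def decimate(component: str, interval: int) -> str:
    """Write out every interval-th letter of a cyclic component.

    Assumed convention: counting starts at the first letter, so the result
    is component[0], component[interval], component[2 * interval], ...
    """
    n = len(component)
    if len(set(component)) != n:
        raise ValueError("component must not repeat a letter")
    if gcd(interval, n) != 1:
        # The walk would revisit letters before covering the whole ring.
        raise ValueError(f"interval {interval} is not relatively prime to {n}")
    return "".join(component[(i * interval) % n] for i in range(n))


def undecimate(decimated: str, interval: int) -> str:
    """Recover the component that decimate(component, interval) came from.

    Decimating again at the inverse of the interval (mod the ring size)
    restores the original order, because interval * inverse = 1 (mod n).
    """
    n = len(decimated)
    if gcd(interval, n) != 1:
        raise ValueError(f"interval {interval} is not relatively prime to {n}")
    inverse = pow(interval, -1, n)  # modular inverse, Python 3.8+
    return decimate(decimated, inverse)


def positions_reached(n: int, interval: int) -> int:
    """How many distinct ring positions a cyclic walk at this interval visits."""
    return n // gcd(interval, n)


if __name__ == "__main__":
    component = undecimate(NOTE_29_SEQUENCE, 3)
    print("recovered component:", component)
    print("re-decimated at 3:  ", decimate(component, 3))
    for k in (3, 2, 13):
        print(f"interval {k:2d} visits {positions_reached(26, k)} of 26 positions")
```

The component this prints is computed from the note's sequence under the stated convention; it is not read from the article's figure.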
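The checks listed in note 32 for a candidate pair of repeated encipherments, as an added example that is not code from the article: same repetition pattern, no position where both sequences show the same letter, and letter pairs that recur consistently. The function names and the returned dictionary layout are hypothetical; the first pair of sequences is the one quoted in note 32, the others are constructed.

```python
from collections import Counter


def repetition_pattern(seq: str) -> tuple:
    """Number each letter by order of first appearance, e.g. 'ABCA' -> (0, 1, 2, 0)."""
    first_seen = {}
    return tuple(first_seen.setdefault(ch, len(first_seen)) for ch in seq)


def compare_sequences(a: str, b: str) -> dict:
    """Apply the three checks from note 32 to two equal-length ciphertext sequences."""
    if len(a) != len(b):
        raise ValueError("sequences must have the same length")
    pairs = Counter(zip(a, b))
    return {
        # Same plaintext under two alphabets gives the same repetition pattern.
        "same_pattern": repetition_pattern(a) == repetition_pattern(b),
        # Positions where both sequences carry the same letter (a contradiction).
        "conflicts": [i for i, (x, y) in enumerate(zip(a, b)) if x == y],
        # Letter pairs that occur more than once, confirming the alignment.
        "confirmations": {pair: n for pair, n in pairs.items() if n > 1},
        # Each sequence begins and ends on the same repeated letter.
        "delineated": a[0] == a[-1] and b[0] == b[-1],
    }


def is_plausible_repeat(a: str, b: str) -> bool:
    """True when the pair passes all of the note's checks."""
    result = compare_sequences(a, b)
    return (result["same_pattern"] and not result["conflicts"]
            and bool(result["confirmations"]))


if __name__ == "__main__":
    # Pair quoted in note 32.
    print(compare_sequences("ULWUPDLMLKU", "IALIGYANAUI"))
    # Constructed counter-examples: a broken pattern, then a conflict at index 1.
    print(is_plausible_repeat("ULWUPDLMLKU", "IALIGYANAUX"))
    print(compare_sequences("ABCA", "XBYX")["conflicts"])
```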
