## Thursday, May 21, 2015

### The effectiveness of Turing's Vigenère cipher breaking technique

In Turing's paper The Applications of Probability to Cryptography he describes a technique for breaking the Vigenère Cipher using Bayes Theorem. The paper was declassified in 2012 and a computer typeset version has been released (Turing used a typewriter and pen to produce the original).

Having used Bayes Theorem quite a few times (for example in POPFile) I was interested to see how it was being applied to Vigenère by Turing. Bayes Theorem is surprisingly powerful even when great simplifications (such as assuming, for example, independence of the occurrence of words or letters in an English sentence: something that's clearly not the case).

Briefly Turing's technique is to use Bayes Theorem to 'weigh the evidence' that each of the 26 letters of the alphabet could be one of the letters in the key and output weights for each letter. His technique outputs weights for each letter in each position in the key and by picking the most likely it's possible to have a good guess at the key.

Turing gives the following example of a Vigenère enciphered text where the key length has been determined to be 10 (there are techniques for doing this see the relevant Wikipedia page).

D K Q H S H Z N M P
R C V X U H T E A Q
X H P U E P P S B K
T W U J A G D Y O J
T H W C Y D Z H G A
P Z K O X O E Y A E
B O K B U B P I K R
W W A C E J P H L P
T U Z Y F H L R Y C

A common way to attack Vigenère once the key length is determined is to look at each column (which corresponds to a single letter in the key) and try out trial decryptions for each letter A to Z. By looking at the resulting letters (and their frequencies) it's possible to make a guess which key letter is most likely by matching the frequencies of the letters against their corresponding frequencies in English.

For example, the first column is DRXTTPBWT. If decrypted with the key C this becomes BPVRRNZUR. The presence of a Z (which is fairly uncommon letter) makes C less likely to be the key. Decrypted with the letter P as the key it becomes OCIEEAMHE which looks more like letters sampled randomly from English text. So P is a possible key for column 1.

That's quite a laborious task across each column and each letter of the alphabet. But Turing essentially automates this by trying out every key letter for each column and producing a weight. Here's Turing's algorithm as Perl code:

The core idea is that for each key letter and for each encrypted letter a weight (called a ban in Turing's terminology) is calculated as (the log of) the likelihood of that letter being right (which is just the frequency of the corresponding plain text letter in English text) divided by the likelihood of getting that letter with some other key.

For example, if D appears in the cipher then the probability that D appears when the key letter is B is calculated as:

The a priori odds of key B are taken as 1/25 (i.e. the letters of the key are random; this may not actually be true).

The same calculation is done for all the letters in the column to obtain a final probability that a specific key letter is correct for that column. Using logs of probabilities means that the calculations change from being large multiplications to a series of additions (which are fast for both humans and machines to do).

To see Turing's algorithm in action I searched the web for an example of Vigenère and came across this sample which shows the classic way of breaking the cipher. The cipher text is

ANYVG YSTYN RPLWH RDTKX RNYPV QTGHP
HZKFE YUMUS AYWVK ZYEZM EZUDL JKTUL
JLKQB JUQVU ECKBN RCTHP KESXM AZOEN
SXGOL PGNLE EBMMT GCSSV MRSEZ MXHLP
KJEJH TUPZU EDWKN NNRWA GEEXS LKZUD
LJKFI XHTKP IAZMX FACWC TQIDU WBRRL
TTKVN AJWVB REAWT NSEZM OECSS VMRSL
JMLEE BMMTG AYVIY GHPEM YFARW AOAEL
UPIUA YYMGE EMJQK SFCGU GYBPJ BPZYP
JASNN FSTUS STYVG YS

And standard methods determine that the key length is most likely six. Feeding this into the Perl code above results in the following output.

\$ perl t.pl ANYVGYSTYNRPLWHRDTKXR
NYPVQTGHPHZKFEYUMUSAYWVKZYEZMEZUD
LJKTULJLKQBJUQVUECKBNRCTHPKESXMAZ
OENSXGOLPGNLEEBMMTGCSSVMRSEZMXHLP
KJEJHTUPZUEDWKNNNRWAGEEXSLKZUDLJK
FIXHTKPIAZMXFACWCTQIDUWBRRLTTKVNA
JWVBREAWTNSEZMOECSSVMRSLJMLEEBMMT
GAYVIYGHPEMYFARWAOAELUPIUAYYMGEEM
JQKSFCGUGYBPJBPZYPJASNNFSTUSSTYVG
YS 6
A:    .    .    .    .  143    .
B:    .    .    .    .    .    .
C:    .    .    .    .    .    .
D:    .    .    .    .    .    .
E:    .    .    .    .    .    .
F:    .    .    .    .    .    .
G:    .    .  132    .    .    .
H:    .    .    .    .    .    .
I:    .  151    .    .    .    .
J:    .    .    .    .    .    .
K:    .    .    .    .    .    .
L:    .    .    .    .    .  116
M:    .    .    .    .    .    .
N:    .    .    .  135    .    .
O:    .    .    .    .    .    .
P:    .    .    .    .    .    .
Q:    .    .    .    .    .    .
R:    .    .    .    .    .    .
S:  101    .    .    .    .    .
T:    .    .   30    .    .    .
U:    .    .    .    .    .    .
V:    .    .    .    .    .    .
W:    .    .    .    .    .    .
X:    .    .    .    .    .    .
Y:    .    .    .    .    .    .
Z:    .    .    .    .    .    .

Which indicates that the most likely key is SI(GT)NAL. Of the G and the T, G is most likely giving a key of SIGNAL. Which is correct.

Turing (and many others) used Bayesian techniques like this to attack other ciphers. See, for example, an old post of mine on the Japanese JN-25 cipher broken at Bletchley Park.