I forget who told me this story, but at some point the British tried a crazy known-plaintext attack by planting handwritten notes in dead German soldiers’ pockets that contained an “important message” to be sent, and then in the following days they would attempt to decrypt enigma communications against the known plaintext.
> Part of the wider Operation Barclay, Mincemeat was based on the 1939 Trout memo, written by Rear Admiral John Godfrey, the director of the Naval Intelligence Division, and his personal assistant, Lieutenant Commander Ian Fleming
The story of the man[1] whose body was used to fool German intelligence during Operation Mincemeat is quite tragic:
> Michael was born in Aberbargoed in Monmouthshire in South Wales. Before leaving the town, he held part-time jobs as a gardener and labourer. His father Thomas, a coal miner, killed himself when Michael was 15, and his mother died when he was 31. Homeless, friendless, depressed, and with no money, Michael drifted to London where he lived on the streets.
> Michael was found in an abandoned warehouse close to King's Cross, seriously ill from ingesting rat poison that contained phosphorus. Two days later, he died at age 36 in St Pancras Hospital. His death may have been suicide, although he might have simply been hungry, as the poison he ingested was a paste smeared on bread crusts to attract rats.
> After being ingested, phosphide reacts with hydrochloric acid in the stomach, generating phosphine, a highly toxic gas. One of the symptoms of phosphine poisoning is pulmonary oedema, an accumulation of large amounts of liquid in the lungs, which would satisfy the need for a body that appeared to have died by drowning. Purchase explained, "This dose was not sufficient to kill him outright, and its only effect was to so impair the functioning of the liver that he died a little time afterwards". When Purchase obtained Michael's body, it was identified as being in suitable condition for a man who would appear to have floated ashore several days after having died at sea by hypothermia and drowning.
It was more of an allusion than a reference, but expectations in communication ought be acknowledged and accommodated, so I apologize if you misunderstood my point as it wasn’t clear from context. Please see my edit.
(My prior comment referenced Operation Mincemeat at the time of its reply, for those reading after the fact.)
ETA: Note that I appear to have been mistaken about the connection to ENIAC.
Note that it is equally dangerous to send paraphrased messages using the same key (which is called sending messages "in depth"). This was used to crack the Lorenz ("Tunny") cipher. Interestingly Bletchley Park hadn't gotten their hands on a Lorenz machine, they cracked it based on speculation. And it lead to the development of the first tube computer, Collosus (which influenced the ENIAC).
Nowadays we use nonces to avoid sending messages in depth, but nonce reuse can be similarly disastrous for systems like AES-GCM. For example there have been Bitcoin hardware wallets that reused nonces, allowing the private key to be extracted & the Bitcoin stolen. (To be clear, cryptocurrencies and AES-GCM are completely different systems that have this one property in common.)
As an aside does anyone know why it's called "in depth?" I'm guessing that it's related to Bletchley Park's penchant for naming things after fish? But possibly also their techniques that involved arranging messages together and sliding a stencil over them to visually spot patterns (so they're sort of overlayed)? I tried some casual searching but it's a very generic phrase and so difficult to search. It's defined in the The 1944 Bletchley Park Cryptographic Dictionary but it doesn't give an etymology.
I visited Bletchley Park museum this summer when in London. Can recommend and it's also really easy to get there; just a 50 minute train ride from London Euston station, and 5 minute walk to the museum. Entire family enjoyed the museum (have two teenage kids). There is also the "National Museum of Computing" located next to it which contains the Bombe, Collosus and related equipment. As I understand it most (or all?) of the original hardware was destroyed after the war to avoid leaking any information about the British code breaking skills. Thus, the machines on display are replicas, but should be fully working.
The computer museum also exhibits post-war computers all the way to modern machines. I'd say that museum is more for the geeks while the Bletchley Park museum is definitely worth a visit even if you're not into computers.
A personal Bletchley Park anecdote: my grandfather, an electrical engineer, staffed a radio listening station during the war, and every evening a motorcycle dispatch rider would take the day’s intercepts away to a secret location. It was more than 20 years before my grandfather figured out they went to Bletchley.
In the 1980s the Bletchley museum project put out a call for wartime electrical components so they could build their Colossus replica. My grandfather in the 1950s had made a chain of Christmas tree lights from govt issue tiny light lightbulbs he pinched from work. He painstakingly removed the nail polish he had painted them with 30 years earlier, and sent them to Bletchley. They used his family Christmas lightbulbs in the replica that is still there today.
I had the privilege of touring the museum with him in the 1990s. Also on that day I heard my grandmother’s stories of her time in the British Army during the war. That day was incredibly interesting and moving, and is an important memory for me.
At the end of 90-s some parts sent to the Russian Mir space station were found and bought at flea market - these parts had been pinched from work and their production ceased during those years of collapse in USSR/Russia.
I recall from my own visit that the electrical transformers are supposedly original. So, the National Museum of Computing justifies calling its Colossus a rebuild rather than a replica, since it is made with some original parts.
As I point out now and then, Colossus was not a computer. It was a key-tester, like a Bitcoin miner. Here's the block diagram of Colossus.[1]
Before there were general-purpose stored program digital computers, there were many special-purpose computing devices. They checked some, but not all, of those boxes.
- IBM had electronic arithmetic in test before WWII, but that went on hold during the war. Mechanical arithmetic worked fine, although slowly, and by 1939, Columbia University and IBM had something that looked vaguely like a programmable computer, built from IBM tabulator parts.
- The G.P.O. (the UK's post office and telephony provider) had been fooling around with electronic switching since 1934. That's where Tommy Flowers, who designed the electronics of Colossus, came from.[2]
He had a tough life. After the war, he wanted to get into computers, but couldn't get funding because
he couldn't talk about what he'd done for security reasons.
- Memory was the big problem. Colossus just had some registers, built from tubes. And plugboards, the ROM technology of the 1930s and 1940s. Useful memory devices were all post-war. Needed storage to get to stored program computers.
"Colossus was not a computer. It was a key-tester,"
The original definition of computer was basically a person wot computes (analyzes data and performs arithmetic and so on). That would have mostly involved pencil and paper, fag packets and napkins. IT co-opted the term for their devices, many years later.
What is your issue with Colossus performing automated computations/analysis given some inputs of some sort and hence being described as a computer?
One of the earliest modern day IT related truisms is "garbage in/garbage out" - that dates back to at least getting the clipper out on the cards. Can that notion be applied to Colossus or rather is Colossus the sort of device that gi/go might refer to?
I think the gp was confused with other devices. Colossus was indeed a computer by most definitions. I think the poster winced it up with the Bombe or other systems - not surprising because colossus wasn’t really known for many years. (It was secret into the 1970s iirc)
Other devices would calculate but not store instructions. The common ones you see are the fire directors on naval ships, which were analog “computers”, but single purpose.
If you model the distribution of messages as a tree from sender to recipients, the key's reuse across messages could be measured as "depth" in a structural sense.
An interesting quirk in Ethereum is that a contract address is determined by deployer address + nonce. So, you can send ETH to a contract that does not exist, then later deploy a contract there and recover it.
It is also the same address on many forks of Ethereum, which has led to some strange circumstances when Optimism sent tens of millions of dollars to a smart contract address on the wrong blockchain, and a hacker was able to create a smart contract they controlled using the same address on the blockchain it was accidentally sent to and steal the funds.
I've never seen a corporate announcement whipsaw from technical incident report to tentative job offer to a threat paraphrasing the IRA before but I guess that's because I don't spend time in the cryptoasset community.
My assumption about “in depth” is that it comes from the idea of giving the adversary a greater depth of material to work with. I don’t have anything to back this up.
This is the first I’ve heard of Colossus influencing the ENIAC. I was under the impression that Colossus was so secret that ENIAC was designed independently and (falsely) touted as the first tube computer prior to Colossus’ existence being declassified. I’m not sure if I’m misremembering that though.
The ENIAC seems to be the first general purpose electronic digital computer. It wasn't stored program, though - no good memory devices. Plugboards and lots of rotary switches. Took hours to load a new program. Unrelated to Colossus.
The first machine to have it all was the Manchester Baby.[1] Now this really was sort of a descendant of Colossus, with some of the same people involved. It was mostly a test rig for the Williams Tube memory device.
Once there was something that could do the job of RAM, things took off quickly. Within two years there were quite a number of stored program electronic digital computer projects.
Electronic arithmetic worked fine, but everybody had been stuck on the memory problem.
I think you're right, my mistake. I didn't find anything definitive but given they were developed around the same time by (on cursory inspection) different people and that Colossus was as secret as you say (it wasn't declassified until the 70s), it does seem unlikely. I thought that had been mentioned in a Computerphile/Numberphile video on the topic but I must be mistaken.
Interesting. I liked the explanations in the accepted answer. This rule especially,“Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear.”
As a child I learned about codes from a library book. Fascinated with one-time pads, I convinced a friend to try a correspondence. We exchanged a few messages, and then got bored, because the juice wasn’t worth the squeeze.
Which makes me wonder about people who work in secrets. Encrypted communications seem opposite of scientific communications. Secrets peeps seem prolly aligned to politics.
Do you remember the book? I remember loving Alvin's Secret Code, which was on the bookshelf in my fourth-grade classroom where I sat in the back to be near the bookshelf...
Sorry, no. But it would have been a 70s or 80s publication. I recall there were several Cold War code stories, so it might have been on this subject. Like popular history stories, one after the other—you thought that was crazy? Check out this hollow nickel! But all very serious like.
> Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear
And (more or less) that’s how the Enigma was cracked. Turns out starting weather report with ‘weather’ every single time is not a good idea.
Standard US cryptographic protocol during the same time period was to begin and end every message with a few random words specifically to thwart such attacks.
Seems like an interesting conundrum. If you encrypt all transmissions, you end up having a lot of boring repetition, like weather and sign offs to just fill space. But if you don't encrypt the boring stuff, then the transmission itself is a nice signal of something interesting about to happen. But if you try to just pad with completely random noise, the other end might worry they've decoded something wrong and ask for a new cipher pad increasing the chance of interception. So maybe they should have tried to find something almost random but with known structure instead of sending the weather? Seems similar to how we now know that choosing a random password from the dictionary adds encoding redundancy without reducing security. Or similar to the goal of getting ordinary people to use Tor for ordinary things?
In modern crypto it’s solved by using random nonce to star with and by using (encrypted) hash of data at the end. Random nonce gives you different cypher text for same inputs, hash tells you if you actually decrypted what was intended.
No, PFS is to ensure communications aren't compromised even if the server's private keys are compromised afterwards. It has nothing to do with mitigating known plaintext attacks. That's already mitigated with techniques like randomized IVs.
So-called perfect forward secrecy uses temporary keys so that eavesdropped logs can't be decrypted after those keys are discarded. To prevent known-plaintext attacks and/or statistical analysis, data entropy must be equalized so that patterns won't be apparent even before encryption.
For people interested in these kinds of things, there is a very interesting military manual on the internet archives which goes though all the various pre computer pen and paper ciphers and how to crack them.
Oh that makes sense. I assumed wrong that it was going to be about prisoners sending secret messages in their letters home, and the guards wanting to scramble those out.
The repeating of the message is how the Allies initially broke the Geheimskreiber a much more secure encryption machine to Enigma that used XOR and rotors:
This is a familiar concept from reading about WW2 spy stuff (Between Silk and Cyanide, for example, which I highly recommend). But what REALLY intrigues me is the typeface of the letter with its upper-case 'E' used in place of 'e'. What's up with that?
The suggestion that it may have been a striker from a bilingual - cyrillic typewriter that was mixed in is an interesting possibility; someone transcribing diplomatic telegrams in WWII may indeed have need of access to Cyrillic typewriters…
Interesting idea, but both the Cyrillic and Greek capital E would be a similar size to the Latin capital E. And in both alphabets the lower case e doesn't look like a smaller capital E. It's е/ε.
Might be unrelated in this example, but when a message is written in a lazy ROT13-like cypher, the letter e becomes a notorious rat that allows anyone to break the entire thing in very little time.
Randomizing/obfuscating the letter case might buy you a little time, though I think it's something else entirely here.
Zvtug oR haeRyngRq va guvf RknzcyR, ohg juRa n zRffntR vf jevggRa va n ynml EBG13-yvxR plcuRe, guR yRggRe R oRpbzRf n abgbevbhf eng gung nyybjf nalbaR gb oeRnx guR RagveR guvat va iRel yvggyR gvzR.
Enaqbzvmvat/boshfpngvat guR yRggRe pnfR zvtug ohl lbh n yvggyR gvzR, gubhtu V guvax vg'f fbzRguvat RyfR RagveRyl uReR.
V guvax gur vqRn jnf gb fcyvg guR uvtu seRdhrapl "r" gb gjb qvssReRag flzobyf r naq R ng yRffRe serdhrapvRf. Fvzcyl ercynpvat nyy r'f jvgu R qbrfa'g qb gung.
2) the teletype machine has unique letter so the machine it was received in is known (and hence which staff received it), reducing the ability to forge messages. Different machines could have had special letters, or all machines handling secrets had that particular "e"??
3) the machine broke and the repair shop only had a small-caps "E" handy.
The document on the picture was for sure typed on a typewriter. Teletype machines would either be all caps or all lower case. Also they wouldn't be able to print a multi column header like on top of the document.
> In this process, deletion rather than expansion of the wording of the message is preferable, because if an ordinary message is paraphrased simply by expanding it along its original lines, an expert can easily reduce the paraphrased message to its lowest terms, and the resultant wording will be practically the original message.
This bit has me perplexed. If you had a single message that you wanted to send multiple times in different forms, wouldn't compressing the message exponentially limit possible variation whereas expanding it would exponentially increase it? If you had to send the same message more than a couple of times I'd expect to see accidental duplicates pretty quickly if everyone had been instructed to reduce the message size.
I guess the idea is that if the message has been reduced in two different ways then you have to have removed some information about the original, whereas that's not a guarantee with two different expansions. But what I don't understand is that even if you have a pair of messages, decrypt one, and manage to reconstruct the original message, isn't the other still encrypted expansion still different to the original message? How does that help you decrypt the second one if you don't know which parts of the encrypted message represent the differences?
It's mostly talking about the case where someone receives an encrypted message which is intended to later be published openly. If it was padded by adding stuff, an attacker can try to reconstruct the original plaintext by removing the flowery adjectives, whereas if things were deleted the attacker doesn't know what to add.
In particular, the length of a message is not encrypted when encrypting the text. So if the encrypted message is shorter, you know exactly how much to remove to get back the original, and then just need to guess what to delete. If the message is longer, it is much harder to guess whether to add flowery adjectives, a new sentence, change a pronoun for a name, or some other change.
Does this also apply if someone were to do the following:
Receive encrypted transmission -> unencrypt it -> need to pass it on, so re-encrypt it and pass it on?
I would imagine that the paraphrasing wouldn't be necessary in this case because it isn't quite as useful to compare two encrypted versions of the text versus an encrypted version and an unencrypted version (also I feel like there is some risk of a game of 'telephone' in that the meaning would change bit by bit to the point of having a different meaning over time, even if not intentionally)
No. As explained in the SO answer, the worry is that the enemy will have been able to decrypt one or the other of your messages, at which point the identical underlying plaintext will help them crack the second cypher.
‘Crack the cipher’ in this case most likely meaning: figure out the daily code word key you are using for that cipher.
If they have already gained the ability to decrypt today’s messages from station A in cipher A, and can therefore recover the plaintext of those messages; if they then find a message of the same length sent from station B in cipher B they can guess that that might be the same message, reverse engineer the key and maybe then decrypt all the messages being sent from station B in cipher B today.
Bletchley Park employed linguists alongside cryptographers, and the linguists would help permute the messages (substituting German words for common abbreviations, for example) to mount these sorts of attacks.
Ironically, stating this at the beginning of telegram would precisely cause what it seeks to prevent (vulnerability to known plaintext attacks).
Which makes me wonder: how many permutations of this rule could be conceived (and needed) that on the one hand would keep the point clear to the receiver, but on the other hand prevent such attacks?
In any case the best option is to not have (to repeat) this rule inside messages.
It could be sent in the clear, although since the point was to apply it to every encrypted message, that would likely already have been redundant with having originally been encrypted. Just consider it part of the decryption algorithm itself instead: step 1, attach warning text, step 2, initialize decryption state and decrypt.
So it would make sense for the first message in a chain to be very verbose and repetitive to make it easier to modify down the chain. Bureaucrats must've had fun writting those.
In some systems sort of. The esp32 encryption has a bizarre implementation where adjacent blocks in counter mode reuse the same nonce, so knowing the structure of the plaintext can directly reveal the content of some blocks.
It's not only the nonce. The nonce helps to ensure that the message re-encrypted doesn't have the same ciphertext, but the known plaintext can still be used to forge messages. What stops message forgery is the message tag that TLS has (using the AEADs like AES-GCM or ChaCha20Poly1305).
That said, the nonce is still very important to avoid most key recovery attacks
Modern cryptography solves this by using randomness (IVs, nonces, padding, salts) so that even identical plaintexts encrypt to different ciphertexts, eliminating predictable patterns.
Tangentially related — sending everyone in a company a slightly different document can help catch the person leaking confidential documents to the press.
If nothing else it would make a great twist in a fiction setting.
These paraphrasing instructions could be followed. But the paraphrasing could be done using some LLM. A sufficiently advanced adversary manages to invert the model somehow, and as a result can get the original plain text out of the paraphrased message, which lets them do a known-plaintext attack, get the key, and use it on other messages.
Sort of technobabble (is the idea of inverting an LLM nonsense?) but fun.
You add a random number to the encryption key, and also send that random number (seed) as part of the message.
Boiled down to the very essence modern cryptography is: Using a secret seed plus a public seed, generate a long random number (of the same length as the message), then XOR that number with the message.
The hard part is generating that random number in such a way that you can not reverse the process and reclaim the secret seed.
I forget who told me this story, but at some point the British tried a crazy known-plaintext attack by planting handwritten notes in dead German soldiers’ pockets that contained an “important message” to be sent, and then in the following days they would attempt to decrypt enigma communications against the known plaintext.
https://en.m.wikipedia.org/wiki/Operation_Mincemeat
> Part of the wider Operation Barclay, Mincemeat was based on the 1939 Trout memo, written by Rear Admiral John Godfrey, the director of the Naval Intelligence Division, and his personal assistant, Lieutenant Commander Ian Fleming
Wonder if we'll ever see it on a bond movie.
The story of the man[1] whose body was used to fool German intelligence during Operation Mincemeat is quite tragic:
> Michael was born in Aberbargoed in Monmouthshire in South Wales. Before leaving the town, he held part-time jobs as a gardener and labourer. His father Thomas, a coal miner, killed himself when Michael was 15, and his mother died when he was 31. Homeless, friendless, depressed, and with no money, Michael drifted to London where he lived on the streets.
> Michael was found in an abandoned warehouse close to King's Cross, seriously ill from ingesting rat poison that contained phosphorus. Two days later, he died at age 36 in St Pancras Hospital. His death may have been suicide, although he might have simply been hungry, as the poison he ingested was a paste smeared on bread crusts to attract rats.
> After being ingested, phosphide reacts with hydrochloric acid in the stomach, generating phosphine, a highly toxic gas. One of the symptoms of phosphine poisoning is pulmonary oedema, an accumulation of large amounts of liquid in the lungs, which would satisfy the need for a body that appeared to have died by drowning. Purchase explained, "This dose was not sufficient to kill him outright, and its only effect was to so impair the functioning of the liver that he died a little time afterwards". When Purchase obtained Michael's body, it was identified as being in suitable condition for a man who would appear to have floated ashore several days after having died at sea by hypothermia and drowning.
[1] https://en.wikipedia.org/wiki/William_Martin_(Royal_Marines_...
https://en.wikipedia.org/wiki/Gardening_(cryptanalysis)
That's not what gp was talking about.
It was more of an allusion than a reference, but expectations in communication ought be acknowledged and accommodated, so I apologize if you misunderstood my point as it wasn’t clear from context. Please see my edit.
(My prior comment referenced Operation Mincemeat at the time of its reply, for those reading after the fact.)
ETA: Note that I appear to have been mistaken about the connection to ENIAC.
Note that it is equally dangerous to send paraphrased messages using the same key (which is called sending messages "in depth"). This was used to crack the Lorenz ("Tunny") cipher. Interestingly Bletchley Park hadn't gotten their hands on a Lorenz machine, they cracked it based on speculation. And it lead to the development of the first tube computer, Collosus (which influenced the ENIAC). Nowadays we use nonces to avoid sending messages in depth, but nonce reuse can be similarly disastrous for systems like AES-GCM. For example there have been Bitcoin hardware wallets that reused nonces, allowing the private key to be extracted & the Bitcoin stolen. (To be clear, cryptocurrencies and AES-GCM are completely different systems that have this one property in common.)
https://en.wikipedia.org/wiki/Cryptanalysis_of_the_Lorenz_ci...
https://www.youtube.com/watch?v=Ou_9ntYRzzw [Computerphile, 16m]
As an aside does anyone know why it's called "in depth?" I'm guessing that it's related to Bletchley Park's penchant for naming things after fish? But possibly also their techniques that involved arranging messages together and sliding a stencil over them to visually spot patterns (so they're sort of overlayed)? I tried some casual searching but it's a very generic phrase and so difficult to search. It's defined in the The 1944 Bletchley Park Cryptographic Dictionary but it doesn't give an etymology.
https://www.codesandciphers.org.uk/documents/cryptdict/crypt... [Page 28]
I visited Bletchley Park museum this summer when in London. Can recommend and it's also really easy to get there; just a 50 minute train ride from London Euston station, and 5 minute walk to the museum. Entire family enjoyed the museum (have two teenage kids). There is also the "National Museum of Computing" located next to it which contains the Bombe, Collosus and related equipment. As I understand it most (or all?) of the original hardware was destroyed after the war to avoid leaking any information about the British code breaking skills. Thus, the machines on display are replicas, but should be fully working.
The computer museum also exhibits post-war computers all the way to modern machines. I'd say that museum is more for the geeks while the Bletchley Park museum is definitely worth a visit even if you're not into computers.
A personal Bletchley Park anecdote: my grandfather, an electrical engineer, staffed a radio listening station during the war, and every evening a motorcycle dispatch rider would take the day’s intercepts away to a secret location. It was more than 20 years before my grandfather figured out they went to Bletchley.
In the 1980s the Bletchley museum project put out a call for wartime electrical components so they could build their Colossus replica. My grandfather in the 1950s had made a chain of Christmas tree lights from govt issue tiny light lightbulbs he pinched from work. He painstakingly removed the nail polish he had painted them with 30 years earlier, and sent them to Bletchley. They used his family Christmas lightbulbs in the replica that is still there today.
I had the privilege of touring the museum with him in the 1990s. Also on that day I heard my grandmother’s stories of her time in the British Army during the war. That day was incredibly interesting and moving, and is an important memory for me.
What an incredible story, thank you for sharing.
At the end of 90-s some parts sent to the Russian Mir space station were found and bought at flea market - these parts had been pinched from work and their production ceased during those years of collapse in USSR/Russia.
Those parts really belong in a museum somewhere because they are an important part of history, irrespective of politics.
What happened to them?
Oh that’s delightful! I love how contingent these things can be.
I recall from my own visit that the electrical transformers are supposedly original. So, the National Museum of Computing justifies calling its Colossus a rebuild rather than a replica, since it is made with some original parts.
As I point out now and then, Colossus was not a computer. It was a key-tester, like a Bitcoin miner. Here's the block diagram of Colossus.[1]
Before there were general-purpose stored program digital computers, there were many special-purpose computing devices. They checked some, but not all, of those boxes.
- IBM had electronic arithmetic in test before WWII, but that went on hold during the war. Mechanical arithmetic worked fine, although slowly, and by 1939, Columbia University and IBM had something that looked vaguely like a programmable computer, built from IBM tabulator parts.
- The G.P.O. (the UK's post office and telephony provider) had been fooling around with electronic switching since 1934. That's where Tommy Flowers, who designed the electronics of Colossus, came from.[2] He had a tough life. After the war, he wanted to get into computers, but couldn't get funding because he couldn't talk about what he'd done for security reasons.
- Memory was the big problem. Colossus just had some registers, built from tubes. And plugboards, the ROM technology of the 1930s and 1940s. Useful memory devices were all post-war. Needed storage to get to stored program computers.
[1] https://www.researchgate.net/figure/Logical-architecture-of-...
[2] https://en.wikipedia.org/wiki/Tommy_Flowers
"Colossus was not a computer. It was a key-tester,"
The original definition of computer was basically a person wot computes (analyzes data and performs arithmetic and so on). That would have mostly involved pencil and paper, fag packets and napkins. IT co-opted the term for their devices, many years later.
What is your issue with Colossus performing automated computations/analysis given some inputs of some sort and hence being described as a computer?
One of the earliest modern day IT related truisms is "garbage in/garbage out" - that dates back to at least getting the clipper out on the cards. Can that notion be applied to Colossus or rather is Colossus the sort of device that gi/go might refer to?
What exactly is a computer?
I think the gp was confused with other devices. Colossus was indeed a computer by most definitions. I think the poster winced it up with the Bombe or other systems - not surprising because colossus wasn’t really known for many years. (It was secret into the 1970s iirc)
Other devices would calculate but not store instructions. The common ones you see are the fire directors on naval ships, which were analog “computers”, but single purpose.
If you model the distribution of messages as a tree from sender to recipients, the key's reuse across messages could be measured as "depth" in a structural sense.
An interesting quirk in Ethereum is that a contract address is determined by deployer address + nonce. So, you can send ETH to a contract that does not exist, then later deploy a contract there and recover it.
It is also the same address on many forks of Ethereum, which has led to some strange circumstances when Optimism sent tens of millions of dollars to a smart contract address on the wrong blockchain, and a hacker was able to create a smart contract they controlled using the same address on the blockchain it was accidentally sent to and steal the funds.
Do you have a link to read more about this?
https://gov.optimism.io/t/message-to-optimism-community-from...
I've never seen a corporate announcement whipsaw from technical incident report to tentative job offer to a threat paraphrasing the IRA before but I guess that's because I don't spend time in the cryptoasset community.
Bug or feature. Could it have been a transfer of funds organized to look like a hack?
My assumption about “in depth” is that it comes from the idea of giving the adversary a greater depth of material to work with. I don’t have anything to back this up.
https://en.wikipedia.org/wiki/Cryptanalysis#Depth
This is the first I’ve heard of Colossus influencing the ENIAC. I was under the impression that Colossus was so secret that ENIAC was designed independently and (falsely) touted as the first tube computer prior to Colossus’ existence being declassified. I’m not sure if I’m misremembering that though.
The ENIAC seems to be the first general purpose electronic digital computer. It wasn't stored program, though - no good memory devices. Plugboards and lots of rotary switches. Took hours to load a new program. Unrelated to Colossus.
The first machine to have it all was the Manchester Baby.[1] Now this really was sort of a descendant of Colossus, with some of the same people involved. It was mostly a test rig for the Williams Tube memory device.
Once there was something that could do the job of RAM, things took off quickly. Within two years there were quite a number of stored program electronic digital computer projects. Electronic arithmetic worked fine, but everybody had been stuck on the memory problem.
[1] https://en.wikipedia.org/wiki/Manchester_Baby
Any good books to recommend on computer history?
I think you're right, my mistake. I didn't find anything definitive but given they were developed around the same time by (on cursory inspection) different people and that Colossus was as secret as you say (it wasn't declassified until the 70s), it does seem unlikely. I thought that had been mentioned in a Computerphile/Numberphile video on the topic but I must be mistaken.
Interesting. I liked the explanations in the accepted answer. This rule especially,“Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear.”
As a child I learned about codes from a library book. Fascinated with one-time pads, I convinced a friend to try a correspondence. We exchanged a few messages, and then got bored, because the juice wasn’t worth the squeeze.
Which makes me wonder about people who work in secrets. Encrypted communications seem opposite of scientific communications. Secrets peeps seem prolly aligned to politics.
>> the juice wasn’t worth the squeeze
I recall that Ovaltine goes better with decoded messages.
A crummy commercial!?
Son of a bitch!
i recall squeezing lemons to write invisible messages...
https://www.suzannearnold.com/blog/not-worth-the-candle
"... two minutes into that Ovaltine thing and I just couldn't take it anymore."
Do you remember the book? I remember loving Alvin's Secret Code, which was on the bookshelf in my fourth-grade classroom where I sat in the back to be near the bookshelf...
Sorry, no. But it would have been a 70s or 80s publication. I recall there were several Cold War code stories, so it might have been on this subject. Like popular history stories, one after the other—you thought that was crazy? Check out this hollow nickel! But all very serious like.
> the juice wasn’t worth the squeeze
https://arstechnica.com/information-technology/2017/04/this-...
> Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear
And (more or less) that’s how the Enigma was cracked. Turns out starting weather report with ‘weather’ every single time is not a good idea.
Or ending it with the same salute involving the name of the leader, for that matter.
Standard US cryptographic protocol during the same time period was to begin and end every message with a few random words specifically to thwart such attacks.
Seems like an interesting conundrum. If you encrypt all transmissions, you end up having a lot of boring repetition, like weather and sign offs to just fill space. But if you don't encrypt the boring stuff, then the transmission itself is a nice signal of something interesting about to happen. But if you try to just pad with completely random noise, the other end might worry they've decoded something wrong and ask for a new cipher pad increasing the chance of interception. So maybe they should have tried to find something almost random but with known structure instead of sending the weather? Seems similar to how we now know that choosing a random password from the dictionary adds encoding redundancy without reducing security. Or similar to the goal of getting ordinary people to use Tor for ordinary things?
In modern crypto it’s solved by using random nonce to star with and by using (encrypted) hash of data at the end. Random nonce gives you different cypher text for same inputs, hash tells you if you actually decrypted what was intended.
Isn't that why we have PFS now?
No, PFS is to ensure communications aren't compromised even if the server's private keys are compromised afterwards. It has nothing to do with mitigating known plaintext attacks. That's already mitigated with techniques like randomized IVs.
So-called perfect forward secrecy uses temporary keys so that eavesdropped logs can't be decrypted after those keys are discarded. To prevent known-plaintext attacks and/or statistical analysis, data entropy must be equalized so that patterns won't be apparent even before encryption.
For people interested in these kinds of things, there is a very interesting military manual on the internet archives which goes though all the various pre computer pen and paper ciphers and how to crack them.
1. https://archive.org/details/Fm3440.2BasicCryptAnalysis/mode/...
Good find; a great companion to the GCHQ Puzzle Book indeed!
The term to google for more information about this would be Known plaintext attack.
Oh that makes sense. I assumed wrong that it was going to be about prisoners sending secret messages in their letters home, and the guards wanting to scramble those out.
I clicked thinking it was about avoiding watermarks when exfiltrating data. I enjoyed the cryptography lesson I got instead.
And the term for _that_ is steganography
The repeating of the message is how the Allies initially broke the Geheimskreiber a much more secure encryption machine to Enigma that used XOR and rotors:
https://en.wikipedia.org/wiki/Siemens_and_Halske_T52
This is a familiar concept from reading about WW2 spy stuff (Between Silk and Cyanide, for example, which I highly recommend). But what REALLY intrigues me is the typeface of the letter with its upper-case 'E' used in place of 'e'. What's up with that?
That is peculiar. Brief internet search turned up a Reddit post where someone had a sample of typed text with the same odd typography: https://www.reddit.com/r/typewriters/s/f2CIY0TCm3
The suggestion that it may have been a striker from a bilingual - cyrillic typewriter that was mixed in is an interesting possibility; someone transcribing diplomatic telegrams in WWII may indeed have need of access to Cyrillic typewriters…
Interesting idea, but both the Cyrillic and Greek capital E would be a similar size to the Latin capital E. And in both alphabets the lower case e doesn't look like a smaller capital E. It's е/ε.
Might be unrelated in this example, but when a message is written in a lazy ROT13-like cypher, the letter e becomes a notorious rat that allows anyone to break the entire thing in very little time.
Randomizing/obfuscating the letter case might buy you a little time, though I think it's something else entirely here.
Zvtug oR haeRyngRq va guvf RknzcyR, ohg juRa n zRffntR vf jevggRa va n ynml EBG13-yvxR plcuRe, guR yRggRe R oRpbzRf n abgbevbhf eng gung nyybjf nalbaR gb oeRnx guR RagveR guvat va iRel yvggyR gvzR.
Enaqbzvmvat/boshfpngvat guR yRggRe pnfR zvtug ohl lbh n yvggyR gvzR, gubhtu V guvax vg'f fbzRguvat RyfR RagveRyl uReR.
ChatGPT was able to decrypt this in about 12 seconds with no context, which I found interesting.
V guvax gur vqRn jnf gb fcyvg guR uvtu seRdhrapl "r" gb gjb qvssReRag flzobyf r naq R ng yRffRe serdhrapvRf. Fvzcyl ercynpvat nyy r'f jvgu R qbrfa'g qb gung.
I had the same question about the upper case E.
Some of the E's look a little curly like epsilons but I'm guessing that may be an optical illusion.
But check out the 3 in "chancE3"
Legibility would be my guess. Can't confuse ᴇ for c.
If we're guessing I have ideas:
1) it's just the typeface,
2) the teletype machine has unique letter so the machine it was received in is known (and hence which staff received it), reducing the ability to forge messages. Different machines could have had special letters, or all machines handling secrets had that particular "e"??
3) the machine broke and the repair shop only had a small-caps "E" handy.
I assume this is a typed up decrypt - not raw teletype output. Teletype would be all caps; this has been typed, capitalized, and laid out by a typist.
The document on the picture was for sure typed on a typewriter. Teletype machines would either be all caps or all lower case. Also they wouldn't be able to print a multi column header like on top of the document.
> In this process, deletion rather than expansion of the wording of the message is preferable, because if an ordinary message is paraphrased simply by expanding it along its original lines, an expert can easily reduce the paraphrased message to its lowest terms, and the resultant wording will be practically the original message.
This bit has me perplexed. If you had a single message that you wanted to send multiple times in different forms, wouldn't compressing the message exponentially limit possible variation whereas expanding it would exponentially increase it? If you had to send the same message more than a couple of times I'd expect to see accidental duplicates pretty quickly if everyone had been instructed to reduce the message size.
I guess the idea is that if the message has been reduced in two different ways then you have to have removed some information about the original, whereas that's not a guarantee with two different expansions. But what I don't understand is that even if you have a pair of messages, decrypt one, and manage to reconstruct the original message, isn't the other still encrypted expansion still different to the original message? How does that help you decrypt the second one if you don't know which parts of the encrypted message represent the differences?
It's mostly talking about the case where someone receives an encrypted message which is intended to later be published openly. If it was padded by adding stuff, an attacker can try to reconstruct the original plaintext by removing the flowery adjectives, whereas if things were deleted the attacker doesn't know what to add.
In particular, the length of a message is not encrypted when encrypting the text. So if the encrypted message is shorter, you know exactly how much to remove to get back the original, and then just need to guess what to delete. If the message is longer, it is much harder to guess whether to add flowery adjectives, a new sentence, change a pronoun for a name, or some other change.
I was able to find the 2 earlier manuals mentioned:
RadioNerds-TM 11-485 (PDF) (33.22 MB) 4
Internet Archive-US Army Cryptography Manuals Collection (see "TM_11-485.pdf")
https://radionerds.com/index.php/File:TM_11-485.pdf
https://archive.org/details/US-Army-Cryptography-Manuals
Well, that's one way to make it CPA-secure
As close to the original as possible not using the same phrasing? Obviously?
Does this also apply if someone were to do the following: Receive encrypted transmission -> unencrypt it -> need to pass it on, so re-encrypt it and pass it on?
I would imagine that the paraphrasing wouldn't be necessary in this case because it isn't quite as useful to compare two encrypted versions of the text versus an encrypted version and an unencrypted version (also I feel like there is some risk of a game of 'telephone' in that the meaning would change bit by bit to the point of having a different meaning over time, even if not intentionally)
No. As explained in the SO answer, the worry is that the enemy will have been able to decrypt one or the other of your messages, at which point the identical underlying plaintext will help them crack the second cypher.
‘Crack the cipher’ in this case most likely meaning: figure out the daily code word key you are using for that cipher.
If they have already gained the ability to decrypt today’s messages from station A in cipher A, and can therefore recover the plaintext of those messages; if they then find a message of the same length sent from station B in cipher B they can guess that that might be the same message, reverse engineer the key and maybe then decrypt all the messages being sent from station B in cipher B today.
Bletchley Park employed linguists alongside cryptographers, and the linguists would help permute the messages (substituting German words for common abbreviations, for example) to mount these sorts of attacks.
Ironically, stating this at the beginning of telegram would precisely cause what it seeks to prevent (vulnerability to known plaintext attacks).
Which makes me wonder: how many permutations of this rule could be conceived (and needed) that on the one hand would keep the point clear to the receiver, but on the other hand prevent such attacks?
In any case the best option is to not have (to repeat) this rule inside messages.
It could be sent in the clear, although since the point was to apply it to every encrypted message, that would likely already have been redundant with having originally been encrypted. Just consider it part of the decryption algorithm itself instead: step 1, attach warning text, step 2, initialize decryption state and decrypt.
So it would make sense for the first message in a chain to be very verbose and repetitive to make it easier to modify down the chain. Bureaucrats must've had fun writting those.
Repetitive and verbose but make sure you don’t use up all the synonyms for a concept, right? Everything you use is taken from your paraphraser.
Hasn’t known invariants been used to break modern encryption in TLs, etc? Like a SSH packet will always contain some known info, etc.
In some systems sort of. The esp32 encryption has a bizarre implementation where adjacent blocks in counter mode reuse the same nonce, so knowing the structure of the plaintext can directly reveal the content of some blocks.
I'm not sure why drum55's answer is buried but they're correct that the Nonce concept in modern crypto addresses this issue.
It's not only the nonce. The nonce helps to ensure that the message re-encrypted doesn't have the same ciphertext, but the known plaintext can still be used to forge messages. What stops message forgery is the message tag that TLS has (using the AEADs like AES-GCM or ChaCha20Poly1305).
That said, the nonce is still very important to avoid most key recovery attacks
Yeah the real answer here is that this is what AEADs are for.
Probably because that's the user's only comment. I've vouched for it.
“Close” meant secret in the 1940s. A “close secret” was next to “top secret” classification.
See also the use of the word “close” in literature, eg The Lord of the Rings “Gandalf is closer that ever”.
To keep it close or to hold it close meant to keep it secret.
Lowercase E is unusual in the text. Is it a special teletype font?
How is this solved in modern cryptography?
Modern cryptography solves this by using randomness (IVs, nonces, padding, salts) so that even identical plaintexts encrypt to different ciphertexts, eliminating predictable patterns.
This reminds me of similar discussions we've been having about this topic. The key challenge I see is implementation at scale.
I guess CBC and IVs (or similar) weren't invented yet?
Tangentially related — sending everyone in a company a slightly different document can help catch the person leaking confidential documents to the press.
https://en.wikipedia.org/wiki/Canary_trap
Tyrion did that thing in GoT (fictional btw) - https://www.reddit.com/r/gameofthrones/comments/45256e/s2e3_...
Fictional, but based on real approach.
That’s what I thought it was going to be.
Known-plaintext attacks aside, if you're going to compress text, it must be done before encryption.
I don't know if compression offers much protection against plaintext attacks.
This also makes me wonder how helpful AI is in such situations. AI is essential an extremely effective, lossy, compression algorithm.
Compression + encryption can be dangerous if the compression rate is exposed somehow (between messages or within packets of a message).
> we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs
https://crypto.stackexchange.com/a/2188
See also https://breachattack.com/ when the plaintext is partially attacker-controlled.
If nothing else it would make a great twist in a fiction setting.
These paraphrasing instructions could be followed. But the paraphrasing could be done using some LLM. A sufficiently advanced adversary manages to invert the model somehow, and as a result can get the original plain text out of the paraphrased message, which lets them do a known-plaintext attack, get the key, and use it on other messages.
Sort of technobabble (is the idea of inverting an LLM nonsense?) but fun.
Knowing the original plaintext is a big leg up in cracking encryption.
How come this isnt a problem with modern cryptography? What did we invent?
You add a random number to the encryption key, and also send that random number (seed) as part of the message.
Boiled down to the very essence modern cryptography is: Using a secret seed plus a public seed, generate a long random number (of the same length as the message), then XOR that number with the message.
The hard part is generating that random number in such a way that you can not reverse the process and reclaim the secret seed.
Lookup "initialization vector" for more.
LLMs would be amazing for this
I wouldn't put an LLM in the loop for anything that has security implications.