The Secrets of the Chaocipher Finally Revealed
nickpelling2 writes "In 1918, John F. Byrne invented a truly amazing cipher system, called 'The Chaocipher,' that fit inside a small cigar box, could be operated by a ten-year-old, yet produced practically unbreakable ciphertext (arguably even stronger than the Nazi Enigma machine). But now, thanks to the efforts of Chaocipher fan Moshe Rubin and the generous gift of Byrne's cryptographic effects by his daughter-in-law Pat Byrne to the National Cryptologic Museum, the secrets of the Chaocipher are finally starting to be revealed — it's a great story. To accompany Moshe Rubin's excellent textual description of the Chaocipher, I've posted a 30-second animation of the Chaocipher in action to YouTube, just in case anyone wants to see the most devious cipher of the 20th century in action (sort of)."
The 20th Century? (Score:3, Insightful)
AES came out in 1998.
Re:The 20th Century? (Score:5, Funny)
Except if the century ended in 1999 in which case it was the 19th.
Please do not breed. It would also be appreciated if you do not vote or drive on public roads.
Re: (Score:2)
(while thoroughly irrelevant to the original topic .. )
Well, as a native from one of the countries in that link - our way sometimes bleeds through when doing on-the-top-of-your-head translations. In Sweden the correct description of the years 1900-1999 is "nittonhundratalet" - literally translated as "the nineteenth century".
It's quite common, for us, to slip up.
Re: (Score:2)
> Well, as a native from one of the countries in that link - our way sometimes bleeds through when doing on-the-top-of-your-head translations. In Sweden the correct description of the years 1900-1999 is "nittonhundratalet" - literally translated as "the nineteenth century".
I know enough Swedish to know that this is a very bad translation.
The word "nittonhundratalet" is better translated into "the nineteen hundred age". Note that this says nothing about nittonhundratalet's position in a sequence of centuries in the same way as "the nineteenth century" does.
Re: (Score:2)
Your "enough Swedish" is indeed good enough to require further commentary ;)
To your point, it's possible to deconstruct "nittonhundratalet" into three parts:
nitton = nineteen
hundra = hundred
talet = "the age"
The best translation would then be "the age of the nineteen hundreds". If that was all there was to it, you'd be correct - and the translation would make perfect sense. However, what goes through a Swede's mind could instead be described with a deconstruction into two parts:
nitton = nineteen
hundratalet =
Re: (Score:2)
Since there is no year zero, even though years ending in zero are commonly perceived to be the start of decades and centuries, technically, 1901 was the first year of the 20th century, and 2000 was the last year, with 2001 being the first year of the 21st century. This is all based on the Georgian calendar which is what most of the world uses today.
Regardless, even based on popular perception, 1998 is in the 20th century no matter how you slice it. Referring to them as the 1900s is also correct, but the t
Re: (Score:2)
I lit some fireworks just after midnight, on Jan. 1, 2001.
Re: (Score:1)
It was a mistake made in ignorance, and I wish we could all agree on correcting it.
Re: (Score:2)
Me too. My big problem was that even after it was explained to them, most people seemed to either actively deny the obvious logic, or just ignored it completely.
Bah, humbug. There's nothing "obvious" nor "logical" about it. The Calendar is just notation. Its power is in keeping track of dates, of guaranteeing a consistently understood sequence of events. Bitching about arcane confluences just proves that you care more about being pedantic and unhelpful than you do about harmony with your fellow man.
When arbitrary definitions are discordant with common understanding, it's an order of magnitude easier to alter the definitions to fit the established understanding t
Re: (Score:2)
> Bah, humbug. There's nothing "obvious" nor "logical" about it. The Calendar is just notation.
A calendar is numbers. Integers, more precisely, arranged in a specific and orderly fashion.
If you have a specific date on which your calendar starts (and we do), figuring out what a century and what a millennium is -- exactly, and without ambiguity -- is elementary math. It isn't a matter of opinion, or fashion. It is simply a matter of adding numbers, in precisely the way they are usually added.
So yes, it is logical, and it is obvious. And those who get it wrong are just... wrong.
Re: (Score:2)
Well then, I'm glad you said Integers [wikipedia.org] instead of Positive, Natural Numbers [wikipedia.org] because as we all know the integer ordinally preceding one is zero.
> If you have a specific date on which your calendar starts (and we do), figuring out what a century and what a millennium is -- exactly, and without ambiguity -- is elementary math. It isn't a matter of opinion, or fashion. It is simply a matter of adding numbers, in precisely the way they are usually added.
You seem pretty sure of yourself there, as well. According to you, Jan 1 2001 is the official beginning of a new millennium because it commemorates precisely 2000 years elapsed after... after what, again?
Oh yes, that's right! Contemporary scholars have found evidence of the date of the Christian Messiah's birth to be inaccurate [wikipedia.org], and now put best estimates at early fall
Re: (Score:2)
And we have an agreed-upon date for the start of the calendar. I don't give a damn about what it's supposed to be based on. Or whether China agrees with most of the rest of the world.
Re: (Score:2)
In some countries centuries are actually labelled in that fashion.
I live in one of the three countries mentioned in your Wikipedia link. We use the same sequence numbering of centuries as the rest of the world: the 19th century, the 20th century, etc.
If this is what is meant with "ordinal numbering" in the Wikipedia article, then this part of the article is wrong: "In Swedish, Danish and Finnish centuries are typically not named ordinally".
But we ALSO have another informal way of saying it as described in the link, just as the English speaking do.
Re: (Score:2)
years 0-99 first century.(the first 100 years AD)
years 100-199 second century.(the second 100 years AD)
years 200-299 third century.
.
.
.
years 1800-1899 nineteenth century.
years 1900-1999 twentieth century.
years 2000-2099 twenty-first century.
surprisingly it does not refer to the most significant digits of the date.
it's perfectly logical if you give it a moment's thought.
Re: (Score:3, Informative)
So when is this year 0 again? There is no year 0 in the Gregorian Calendar.
Re: (Score:2)
Ah you're correct of course.
Silly mistake on my part.
So it goes
years 1-100 first century.(the first 100 years AD)
years 101-200 second century.(the second 100 years AD)
years 201-300 third century.
.
.
.
years 1901-2000 twentieth century.
years 2001-2100 twenty-first century.
Re: (Score:1)
Yes, everyone knows the 19th century ended *on* 2000 not at the end of 1999... sigh.
Re: (Score:2)
The naming of centuries is actually sometimes confusing. In the Netherlands the space of time between 1900 and 1999 is called 'de twintigste eeuw' (the twentieth century) while in Sweden they speak about 'nittonhundratalet' ('the nineteenhundreds') but also '20:e århundradet' ('the twentieth century'). Our house was built in 1700-something so in Sweden it is a 'sjuttonhundratalsvilla' (seventeenhundreds house) while in Dutch it would be a '18de eeuws huis' (18th century house).
Re: (Score:2)
I always end my centuries on the 97's.
Wow (Score:2, Interesting)
Don't know how the previous cretins managed to extract SCO and APPLE FUD from the article, but after reading the summary, reading the linked articles, and watching the video... looks to me it's an easily breakable substitution cipher. Anybody care to fill me in on what I missed?
Re:Wow (Score:5, Informative)
While a polyalphabetic substitution cipher can be broken I would not call breaking this particular one "simple".
Compared to many other such ciphers it is quite good in that there is a shifting alphabet which has a very large range of values.
Considering it was made in 1918 I suspect it would be a pain in the ass to actually break it.
You can't do much with frequency analysis as the alphabet and thus the substitutions change on every letter.
Much like with Enigma I suspect that this cipher's biggest weakness is in the application. In other words following a set pattern which makes it possible to find "cribs".
Re:Wow (Score:5, Interesting)
Yes, the Enigma algorithm, or actually wiring, was known and Polish and later English Cryptologists worked long and hard to crack it since a lot was at stake. This one as of now relied a lot on security through obscurity. I doubt it would have lasted long in a world war scenario.
Just as the Enigma it might be impossible to de-cypher it manually, but with a machine and Turing-level minds to help you I would think it is solved quickly. But since secure encryption is perceived as a solved problem (still, where is the AES equivalent of a secure hash?) maybe bright minds turn their attention elsewhere nowadays.
Re:Wow (Score:5, Informative)
>(still, where is the AES equivalent of a secure hash?)
here:
http://csrc.nist.gov/groups/ST/hash/timeline.html [nist.gov]
Re: (Score:2)
As long as the NIST has not finished its current competition, there is a simple fix:
Use both Whirlpool _and_ SHA-512 (or better: SHA2 in its 512 bit variant). They are long enough to make reasonably sure no one can deduct anything about a potentially secret cleartext any time soon (there is _more_ information about the clear text in the wild, after all) while also making sure that no one will be able to create a matching clear text, both due to their length and based on the fact that they come from totally
Re: (Score:2)
That's what I meant by "reasonably sure", yes.
I am not aware of any research in this direction, though.
If you are paranoid, salt both hashes. With different salts.
The problem is the one-time key (base setting) (Score:4, Informative)
Given the Enigma architecture, it was the capture of a German weathership and later a submarine by the Royal Navy that did most for German Enigma decryption.
Re: (Score:1)
If you repeat your key (looks like you're going for an OTP) you make it breakable. I'm not sure an OTP based on a public code page is a good idea and if the key used is text in a language that already gives a strong hint for any cracker.
Re: (Score:2, Insightful)
You're basically proposing to use a website as a One time pad [wikipedia.org]. In theory a one-time pad is unbreakable, but that does require that the content of the one time pad would be truly random, which a web-site text is obviously not.
Also, if the text of the site changes, your key breaks, though that may actually be a benefit.
Re: (Score:2)
Brings to mind those "OUTGOING" posts we used to see. Could it have been a key distribution system?
Video link (Score:4, Informative)
http://www.youtube.com/watch?v=BPI3P-ikWCk [youtube.com]
:D
Allow me to spare you the googling
Re:Video link (Score:5, Funny)
And what if we wanted to google it, eh? Did you stop to think of that before posting your own god-damned link?
Re:Video link (Score:5, Funny)
I don't know what are you complaining about, you can still google it. Here is the link [google.com]
Re: (Score:2)
It's not the same. Posting an electronic link is theft, just as if you'd posted it in a shop.
Re:BS Karma whoring (Score:4, Funny)
Yes, but sparing Slashdot readers from having to read TFA is a much greater service than saving them from having to Google.
Re: (Score:2, Funny)
You do realize that for someone to find the comment posting the video link, they already waded through a bunch of silly comments and garbage.
Sparing /. readers from /. itself is sometimes the best service.
Re:Its a two wheel enigma, neh? (Score:4, Interesting)
1) A plain text letter can be encrypted as itself (something an enigma machine cannot do due to physical design).
2) In an enigma machine each wheel is wired in a fixed "permutation"; in the Chaocipher "machine" each wheel is "rewired" depending upon the letter just encrypted.
3) In an enigma machine it is necessary to rotate the wheels semi-independently (ie like the wheels in a tape counter, each one causing the next one to rotate one letter each time it makes a complete revolution) whereas in the Chaocipher "machine" the wheels do not actually need to rotate - by rotating the wheels it makes the "rewiring" easier to explain.
The "rewiring" could possibly be seen as the effect of rotating the enigma wheels, but without a closer look at the algorithm than that I have done I cannot definitely say but my gut feeling is that it is not - I am sure a properly devised plain text with 676 (26^2) characters would show that they are not equivalent as after encrypting the 676th character the 2 wheel enigma machine will now be back in the position in which it started and the Chaocipher "machine" will not.
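An added illustration, not part of the thread or of any poster's comment: a small Python implementation of the Chaocipher following Moshe Rubin's published description, using the starting alphabets and sample message from that description. It lets you check the first two points in the comment above: a letter can encipher to itself, and both alphabets are re-permuted after every letter. The function names are this example's own.

```python
"""Chaocipher, following Moshe Rubin's published description of Byrne's system.

Added example. The two starting alphabets and the sample message are the
worked example from that description, not values taken from this thread.
"""
import string

LEFT0 = "HXUCZVAMDSLKPEFJRIGTWOBNYQ"   # left ("cipher") alphabet
RIGHT0 = "PTLNBQDEOYSFAVZKGJRIHWXUMC"  # right ("plain") alphabet
NADIR = 13                             # index opposite the zenith (index 0)


def permute(left, right, i):
    """Re-order both alphabets after the letter pair at index i was used."""
    # Left: rotate the ciphertext letter to the zenith, then move the letter
    # at zenith+1 down to the nadir, closing the gap it leaves.
    left = left[i:] + left[:i]
    left = left[0] + left[2:NADIR + 1] + left[1] + left[NADIR + 1:]
    # Right: rotate the plaintext letter to the zenith and one step further,
    # then move the letter at zenith+2 down to the nadir.
    right = right[i + 1:] + right[:i + 1]
    right = right[:2] + right[3:NADIR + 1] + right[2] + right[NADIR + 1:]
    return left, right


def chaocipher(text, left=LEFT0, right=RIGHT0, decrypt=False):
    """Return (output, final_left, final_right) for an A-Z message."""
    for alphabet in (left, right):
        if sorted(alphabet) != list(string.ascii_uppercase):
            raise ValueError("each alphabet must be a permutation of A-Z")
    out = []
    for ch in text:
        if len(ch) != 1 or ch not in string.ascii_uppercase:
            raise ValueError(f"unsupported character: {ch!r}")
        if decrypt:
            i = left.index(ch)      # ciphertext letter is looked up on the left
            out.append(right[i])
        else:
            i = right.index(ch)     # plaintext letter is looked up on the right
            out.append(left[i])
        # Both directions apply the same permutation, so the receiver's
        # alphabets stay in step with the sender's.
        left, right = permute(left, right, i)
    return "".join(out), left, right


def self_enciphered(plain, cipher):
    """Indexes where the ciphertext letter equals the plaintext letter."""
    return [i for i, (p, c) in enumerate(zip(plain, cipher)) if p == c]


if __name__ == "__main__":
    plain = "WELLDONEISBETTERTHANWELLSAID"
    cipher, _, _ = chaocipher(plain)
    print(cipher)
    # The doubled L at indexes 2 and 3 comes out as two different letters,
    # because the alphabets changed in between.
    print(cipher[2], cipher[3])
    # Unlike Enigma, some letters encipher to themselves.
    print(self_enciphered(plain, cipher))
    print(chaocipher(cipher, decrypt=True)[0])
```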
Probably weaker than Enigma (Score:5, Informative)
It's not a particularly strong cypher. It's basically a monoalphabetic substitution with some feedback, but not much. For each letter encyphered, the wheels change, but they don't change by much, and the number of change possibilities is small. So if you have known plaintext anywhere in the message, you can look for it with the usual techniques for monoalphabetic substitution, while considering all of the small number of possible changes to the two alphabets on each cycle. The "permuting" step just consists of shifting half the alphabet by one place left or right.
Once you have an entry into the cypher from some stretch of known text, you can work backwards and forwards until you've recovered the wheels.
There are better pre-computer cyphers. Jefferson's wheel cypher is much stronger, and was used by the US as late as the Vietnam War.
Re:Probably weaker than Enigma (Score:4, Informative)
Yet, this thing was around in 1918. It was some time before computers, and still reasonably capable. Arguably, I'm not quite sure how it's an inferior cipher compared to the Jefferson cipher - this one appears to allow for slightly more "randomness", as well as creating templates which could arguably be used for single-time pads without the additional transmission of information for an effective cipher. (the Jefferson wheel cipher wasn't used past WWII, from what I can tell).
At any rate, it just goes to show you how effective a relatively simple machine can be, compared to modern electronic and/or computational methods to do the same basic thing (in this case, the enigma). Another good example would be drive/steer-by-wire vs. hydraulic or mechanical steering and acceleration/braking. I'm sure there are more, but I'm not creative enough to think of any of them in my current alcohol-addled state.
Sometimes, the conceptually simpler method is the better one. This thing apparently still works; how many cryptographic engines of later years no longer do due to the copious maintenance required? Same can be said for more modern vehicle electronics vs. the older and more reliable (despite what the automotive industry says) mechanical means of doing the same: instead of outright replacement it's often relatively easy to fix the broken systems on an older car.
Of course, when it comes to things depending on complex mathematics and the ability to be generalized, nothing beats generalized computing. :)
Re:Probably weaker than Enigma (Score:4, Interesting)
> So if you have known plaintext anywhere in the message, you can look for it with the usual techniques for monoalphabetic substitution, while considering all of the small number of possible changes to the two alphabets on each cycle.
From what I can gather the "key" in this system is the ordering of the two alphabets, which is not fixed. Doesn't your method assume that you already have the key? If not, how does your method deal with all the possible alphabet permutations?
I'm no crypto guy tho so I might be missing the obvious :)
Re: (Score:3, Interesting)
Well, just think about it: in a substitution cipher, the "key" is a permutation of the alphabet (i.e, a -> q, b -> w, etc). If you used this device without the "twizzling" step, it would be exactly like a plain old sub cipher. I just don't see how that twizzle step injects enough entropy into the system for this to be significantly more secure than even a Vigenère cipher with a sufficiently long keyword, and that you can do with pen, paper and a good memory.
Basically, if nobody ever broke the known-pla
Re: (Score:2)
> Well, just think about it: in a substitution cipher, the "key" is a permutation of the alphabet (i.e, a -> q, b -> w, etc). If you used this device without the "twizzling" step, it would be exactly like a plain old sub cipher. I just don't see how that twizzle step injects enough entropy into the system for this to be significantly more secure than even a Vigenère cipher with a sufficiently long keyword, and that you can do with pen, paper and a good memory.
Well, a substitution cipher only has one "scrambled" alphabet. However the two alphabets in the Chaocipher are "twizzled" differently, so I don't think you can treat it as if you only got one "scrambled" alphabet, and must also consider the possible permutations of the two alphabets. I agree that if the alphabets were "twizzled" in the same way it wouldn't be much different from the plain substitution cipher.
Again, I might be missing the big picture here :)
Re: (Score:3, Interesting)
Well but that's the thing - this cipher can be described as a specific case of "substitution cipher, except you permute the key after every character in deterministic manner 'x'". Note that a Vigenère cipher can be described in much the same way, except it's a shift cipher instead of a substitution cipher (the difference is that the key to a substitution cipher is a permutation on the alphabet, whereas a shift cipher's key is just a shift of the alphabet).
The question boils down to: "is substitution cipher w
Re: (Score:1)
I love this "twizzling" with regards to ciphers it makes me smile. It should be a registered word in the cracker's arsenal. There is an interesting idea a register of known industry standard words for each area.
Re: (Score:3, Insightful)
I think it's somewhat better than you describe, in that it is at least feeding the ciphertext back into the permutation. It would depend on how it was used as to how much benefit that gave.
It's reasonable to assume that in a communications network, there would be a setting for the day or week. If that were used unmodified, identical opening phrases would encrypt identically, and would then diverge at the point the plaintext diverged. As with Enigma or Purple there's weak diffusion: the only thing that af
Starker! Zis is die CHAOCIPHER! (Score:2, Funny)
"Starker! Zis is die CAOCIPHER! The CAOCIPHER doesn't go 'PHTHHHHBBBBTTT!!!'"
"But Siegfried, look. See, right here betveen ze CHGFYTTSSXHS und ze KJHJHLRUUIGE."
"Ah. Yes. Vell zen, carry on."
[It's funnier when you say it out loud. Trust me. Your workmates will love you for it.]
Re: (Score:2)
Wouldn't that be the KAOSYPHER?
Re: (Score:1)
No, a German would likely mispronounce the CH there. Different people would likely pick different pronunciations [wikipedia.org].
Re:Starker! Zis is die CHAOCIPHER! (Score:5, Funny)
The European Commission has just announced an agreement whereby English will be the official language of the European Union rather than German, which was the other possibility.
As part of the negotiations, the British Government conceded that English spelling had some room for improvement and has accepted a 5-year phase-in plan that would become known as "Euro-English".
In the first year, "s" will replace the soft "c".
Sertainly, this will make the sivil servants jump with joy.
The hard "c" will be dropped in favour of "k".
This should klear up konfusion, and keyboards kan have one less letter.
There will be growing publik enthusiasm in the sekond year when the troublesome "ph" will be replaced with "f".
This will make words like fotograf 20% shorter.
In the 3rd year, publik akseptanse of the new spelling kan be expected to reach the stage where more komplikated changes are possible.
Governments will enkourage the removal of double letters which have always ben a deterent to akurate speling.
Also, al wil agre that the horibl mes of the silent "e" in the language is disgrasful and it should go away.
By the 4th yer people wil be reseptiv to steps such as replasing "th" with "z" and "w" with "v".
During ze fifz yer, ze unesesary "o" kan be dropd from vords containing "ou" and after ziz fifz yer, ve vil hav a reil sensibl riten styl.
Zer vil be no mor trubl or difikultis and evrivun vil find it ezi tu understand ech oza.
Und efter ze fifz yer, ve vil al be speking German like zey vunted in ze forst plas.
Unt Ze drem vil kum tru.
Re:Starker! Zis is die CHAOCIPHER! (Score:4, Informative)
An interesting update to Mark Twain's "A Plan for the Improvement of English Spelling" [netfunny.com]. Authorship of that piece is up for debate, of course, but still funny and worth the read.
Posted anonymously because I have modded this discussion.
Re: (Score:2)
Because from a continental European's point of view the main problem with English is the oddball pronunciation of the vowels, not the Latin origin consonants.
Re: (Score:2)
The main problem for continental Europeans with the pronunciation of English is that weird thing called The Great Vowel Shift [wikipedia.org].
We are all fairly accustomed to the English' Latin-style spelling of the consonants and pronouncing a hard 'c' as a 'k' or the 'ph' as an 'f' is not too hard to do on the fly.
But the change away from the original Germanic and even Latin pronunciation of the vowels yet leaving the spelling intact is really weird.
Re: (Score:2)
Thanks for the link.
I notice by reading down to the bottom, that at least German and Dutch also underwent a Great Vowel Shift of some sort. Also I notice that one of the reasons for the English one is given as becoming more French.
Now without being an expert in linguistics, and allowing for the fact there are rather a lot of other European languages than those I mention above, what is your beef with English exactly with respect to some sort of idealized vowel pronunciation?
From what I can see, our methods
Re: (Score:2)
I was just commenting on the implied 'wish of continentals' worded in the old joke.
Yes continental Europeans do initially have a problem with the English pronunciation but that's not with the consonants which seem to be the main subject of the joke.
Indeed, seen from an international perspective there is no such thing as a 'correct' pronunciation (or spelling!), yet we Europeans all use the Latin alphabet and I don't think it's f
Re: (Score:1)
Typical for someone whose mother tongue is English
FTFY.
Re: (Score:1)
> Zer vil be no mor trubl or difikultis and evrivun vil find it ezi tu understand ech oza.
Yu mispeld "evriun".
Since this is /. (Score:1)
YYWVOXWTHYZIYTOJYJWAVNVFIZHE
Re: (Score:1)
> YYWVOXWTHYZIYTOJYJWAVNVFIZHE
Wait.. wait.. I can translate this:
Yo mama... sleeps.. with.. her dog?
Hey!
The really interesting thing about this machine (Score:5, Insightful)
Why it wasn't broken (Score:2)
It looks to me like the code was never broken mostly due to the lack of sufficient ciphered material to analyze, not due to any significant property of the machine. To break polyalphabetic systems like this, you need a lot of ciphered material to analyze.
Chaocipher and chaos theory post... (Score:1)
Re: (Score:1, Offtopic)
+5 for effort :p