German Cryptanalysis of the M-209

This 1947 document describes a German machine to cryptanalyze the American M-209 mechanical encryption machine. I can't figure out anything about how it works.

EDITED TO ADD (5/14): German attacks on the M-209.

Posted on May 12, 2015 at 4:13 PM • 8 Comments


MatthiasMay 13, 2015 11:29 AM

It'd be interesting to look at the original.
This English translation, not so much.
(I'm German.)

ArneMay 13, 2015 1:07 PM

Found a page about German attacks on M-209:


The TICOM most important document about M-209 is DF-120. It is an English translation of a German document which originates from OKH. Its English title is "REPORT ON THE SOLUTION OF MESSAGES IN DEPTH OF THE AMERICAN CIPHER DEVICE M-209".

The break of a key which results of messages "in depth" is described in detail. We assume a probable word in a message. We move the word at each possible position and visualize decryption corresponding to this position in the second message. If the probable word is located at the right place, there is a piece of plain text in the second message at the same position. By using strips of paper, the German accelerate this method. The cryptanalyst Alfred Pokorn created a stuff to print the strips.

Then, the paper presents a method to find an overlap even when a gap exists (and messages do have different indicators). It was a statistical method based on the supposed presence of frequent trigrams appearing in deciphering when messages were superimposed. This method is better than Friedman's IC (Index of Coincidence) or Turing's Bamburismus, but it is only valid against Hagelin Serie C machines. An overlap of only 50 letters from two messages can be sufficient to find a depth. In comparison, it is necessary to have an overlap of several hundred of letters to do the same thing with IC method.

Z.Lozinski.May 13, 2015 2:58 PM

Christos has a page on what he calls the German bombe, which looks like the same TICOM documents are the source:

He also has link to an interview in Heise (in German) with Reinold Weber, one of the designers of the machine:

From the Heise article it looks like the break is dependent on the way numbers were spelled out in messages, so that in a message of 1000-4000 characters this gives a crib. There is not much more technical detail.

This makes sense of some comments by the German computer scientist Prof. F.L Bauer in his 1996 book "Decrypted Secrets" where he says: " Perhaps as a result of the way the Second World War ended, little has been known about unauthorized decryption from the German side (apart fron Rohrbach's success) but it would be wrong to conclude that there were none. Bauer was better known for work on Algol, and the NATO Software Conference, but he served in the Werhmacht in WW2 and I have the impression that many of the unsourced comments in his book are from personal knowledge.

IanMay 13, 2015 10:06 PM

As I was reading the paper it occurred to me that it was describing a device very much like the Turing designed Bombe machine. The Bombe performed the same function for the German Enigma machines during WWII, using a crib to determine the initial settings and then working through various combinations until reaching a "stop".

It was only after coming to this conclusion that I read the other comments and I, too, agree that is likely to be the German Bombe that Z.Lozinski refers to in his comments.

hermanMay 13, 2015 10:57 PM

Off topic: I'm wondering what new weasel words the NSA will come up with to justify the continuation of their mass snooping, despite the intensions of the new Freedom act.

As far as the NSA is concerned, when they record and store data, they are not actually collecting it. They are merely delaying the data transmission and preventing its decay.

rgaffMay 14, 2015 12:31 AM

@ herman

"preventing its decay" oh I like that one. That's classic. See they're actually performing a great service... :)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.