ETA: Note that I appear to have been mistaken about the connection to ENIAC.
Note that it is equally dangerous to send paraphrased messages using the same key (which is called sending messages "in depth"). This was used to crack the Lorenz ("Tunny") cipher. Interestingly Bletchley Park hadn't gotten their hands on a Lorenz machine, they cracked it based on speculation. And it lead to the development of the first tube computer, Collosus (which influenced the ENIAC).
Nowadays we use nonces to avoid sending messages in depth, but nonce reuse can be similarly disastrous for systems like AES-GCM. For example there have been Bitcoin hardware wallets that reused nonces, allowing the private key to be extracted & the Bitcoin stolen. (To be clear, cryptocurrencies and AES-GCM are completely different systems that have this one property in common.)
As an aside does anyone know why it's called "in depth?" I'm guessing that it's related to Bletchley Park's penchant for naming things after fish? But possibly also their techniques that involved arranging messages together and sliding a stencil over them to visually spot patterns (so they're sort of overlayed)? I tried some casual searching but it's a very generic phrase and so difficult to search. It's defined in the The 1944 Bletchley Park Cryptographic Dictionary but it doesn't give an etymology.
I visited Bletchley Park museum this summer when in London. Can recommend and it's also really easy to get there; just a 50 minute train ride from London Euston station, and 5 minute walk to the museum. Entire family enjoyed the museum (have two teenage kids). There is also the "National Museum of Computing" located next to it which contains the Bombe, Collosus and related equipment. As I understand it most (or all?) of the original hardware was destroyed after the war to avoid leaking any information about the British code breaking skills. Thus, the machines on display are replicas, but should be fully working.
The computer museum also exhibits post-war computers all the way to modern machines. I'd say that museum is more for the geeks while the Bletchley Park museum is definitely worth a visit even if you're not into computers.
trenchpilgrim · 1h ago
If you model the distribution of messages as a tree from sender to recipients, the key's reuse across messages could be measured as "depth" in a structural sense.
Stevvo · 1h ago
An interesting quirk in Ethereum is that a contract address is determined by deployer address + nonce. So, you can send ETH to a contract that does not exist, then later deploy a contract there and recover it.
tripplyons · 36m ago
It is also the same address on many forks of Ethereum, which has led to some strange circumstances when Optimism sent tens of millions of dollars to a smart contract address on the wrong blockchain, and a hacker was able to create a smart contract they controlled using the same address on the blockchain it was accidentally sent to and steal the funds.
onionisafruit · 2h ago
My assumption about “in depth” is that it comes from the idea of giving the adversary a greater depth of material to work with. I don’t have anything to back this up.
philwelch · 44m ago
This is the first I’ve heard of Colossus influencing the ENIAC. I was under the impression that Colossus was so secret that ENIAC was designed independently and (falsely) touted as the first tube computer prior to Colossus’ existence being declassified. I’m not sure if I’m misremembering that though.
maxbond · 19m ago
I think you're right, my mistake. I didn't find anything definitive but given they were developed around the same time by (on cursory inspection) different people and that Colossus was as secret as you say (it wasn't declassified until the 70s), it does seem unlikely. I thought that had been mentioned in a Computerphile/Numberphile video on the topic but I must be mistaken.
xtiansimon · 3h ago
Interesting. I liked the explanations in the accepted answer. This rule especially,“Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear.”
As a child I learned about codes from a library book. Fascinated with one-time pads, I convinced a friend to try a correspondence. We exchanged a few messages, and then got bored, because the juice wasn’t worth the squeeze.
Which makes me wonder about people who work in secrets. Encrypted communications seem opposite of scientific communications. Secrets peeps seem prolly aligned to politics.
ludicrousdispla · 3h ago
>> the juice wasn’t worth the squeeze
I recall that Ovaltine goes better with decoded messages.
cbdevidal · 3h ago
A crummy commercial!?
fruitplants · 52m ago
"... two minutes into that Ovaltine thing and I just couldn't take it
anymore."
arccy · 2h ago
i recall squeezing lemons to write invisible messages...
> Never repeat in the clear the identical text of a message once sent in cryptographic form, or repeat in cryptographic form the text of a message once sent in the clear
And (more or less) that’s how the Enigma was cracked. Turns out starting weather report with ‘weather’ every single time is not a good idea.
Zeebrommer · 3h ago
Or ending it with the same salute involving the name of the leader, for that matter.
zenmac · 3h ago
Isn't that why we have PFS now?
gruez · 2h ago
No, PFS is to ensure communications aren't compromised even if the server's private keys are compromised afterwards. It has nothing to do with mitigating known plaintext attacks. That's already mitigated with techniques like randomized IVs.
numpad0 · 2h ago
So-called perfect forward secrecy uses temporary keys so that eavesdropped logs can't be decrypted after those keys are discarded. To prevent known-plaintext attacks and/or statistical analysis, data entropy must be equalized so that patterns won't be apparent even before encryption.
cwmma · 3h ago
For people interested in these kinds of things, there is a very interesting military manual on the internet archives which goes though all the various pre computer pen and paper ciphers and how to crack them.
Good find; a great companion to the GCHQ Puzzle Book indeed!
BigJono · 43m ago
> In this process, deletion rather than expansion of the wording of the message is preferable, because if an ordinary message is paraphrased simply by expanding it along its original lines, an expert can easily reduce the paraphrased message to its lowest terms, and the resultant wording will be practically the original message.
This bit has me perplexed. If you had a single message that you wanted to send multiple times in different forms, wouldn't compressing the message exponentially limit possible variation whereas expanding it would exponentially increase it? If you had to send the same message more than a couple of times I'd expect to see accidental duplicates pretty quickly if everyone had been instructed to reduce the message size.
I guess the idea is that if the message has been reduced in two different ways then you have to have removed some information about the original, whereas that's not a guarantee with two different expansions. But what I don't understand is that even if you have a pair of messages, decrypt one, and manage to reconstruct the original message, isn't the other still encrypted expansion still different to the original message? How does that help you decrypt the second one if you don't know which parts of the encrypted message represent the differences?
jonathrg · 4h ago
The term to google for more information about this would be Known plaintext attack.
geor9e · 2h ago
Oh that makes sense. I assumed wrong that it was going to be about prisoners sending secret messages in their letters home, and the guards wanting to scramble those out.
onionisafruit · 2h ago
I clicked thinking it was about avoiding watermarks when exfiltrating data. I enjoyed the cryptography lesson I got instead.
01HNNWZ0MV43FF · 2h ago
And the term for _that_ is steganography
beerws · 38m ago
Ironically, stating this at the beginning of telegram would precisely cause what it seeks to prevent (vulnerability to known plaintext attacks).
Which makes me wonder: how many permutations of this rule could be conceived (and needed) that on the one hand would keep the point clear to the receiver, but on the other hand prevent such attacks?
In any case the best option is to not have (to repeat) this rule inside messages.
vertnerd · 3h ago
This is a familiar concept from reading about WW2 spy stuff (Between Silk and Cyanide, for example, which I highly recommend). But what REALLY intrigues me is the typeface of the letter with its upper-case 'E' used in place of 'e'. What's up with that?
anon_cow1111 · 3h ago
Might be unrelated in this example, but when a message is written in a lazy ROT13-like cypher, the letter e becomes a notorious rat that allows anyone to break the entire thing in very little time.
Randomizing/obfuscating the letter case might buy you a little time, though I think it's something else entirely here.
justsomehnguy · 44m ago
Zvtug oR haeRyngRq va guvf RknzcyR, ohg juRa n zRffntR vf jevggRa va n ynml EBG13-yvxR plcuRe, guR yRggRe R oRpbzRf n abgbevbhf eng gung nyybjf nalbaR gb oeRnx guR RagveR guvat va iRel yvggyR gvzR.
Enaqbzvmvat/boshfpngvat guR yRggRe pnfR zvtug ohl lbh n yvggyR gvzR, gubhtu V guvax vg'f fbzRguvat RyfR RagveRyl uReR.
notherhack · 21m ago
V guvax gur vqRn jnf gb fcyvg guR uvtu seRdhrapl "r" gb gjb qvssReRag flzobyf r naq R ng yRffRe serdhrapvRf. Fvzcyl ercynpvat nyy r'f jvgu R qbrfa'g qb gung.
The suggestion that it may have been a striker from a bilingual - cyrillic typewriter that was mixed in is an interesting possibility; someone transcribing diplomatic telegrams in WWII may indeed have need of access to Cyrillic typewriters…
No comments yet
ants_everywhere · 2h ago
I had the same question about the upper case E.
Some of the E's look a little curly like epsilons but I'm guessing that may be an optical illusion.
But check out the 3 in "chancE3"
Avshalom · 2h ago
Legibility would be my guess. Can't confuse ᴇ for c.
pbhjpbhj · 1h ago
If we're guessing I have ideas:
1) it's just the typeface,
2) the teletype machine has unique letter so the machine it was received in is known (and hence which staff received it), reducing the ability to forge messages. Different machines could have had special letters, or all machines handling secrets had that particular "e"??
3) the machine broke and the repair shop only had a small-caps "E" handy.
jameshart · 55m ago
I assume this is a typed up decrypt - not raw teletype output. Teletype would be all caps; this has been typed, capitalized, and laid out by a typist.
hiccuphippo · 2h ago
So it would make sense for the first message in a chain to be very verbose and repetitive to make it easier to modify down the chain. Bureaucrats must've had fun writting those.
VoidWhisperer · 3h ago
Does this also apply if someone were to do the following:
Receive encrypted transmission -> unencrypt it -> need to pass it on, so re-encrypt it and pass it on?
I would imagine that the paraphrasing wouldn't be necessary in this case because it isn't quite as useful to compare two encrypted versions of the text versus an encrypted version and an unencrypted version (also I feel like there is some risk of a game of 'telephone' in that the meaning would change bit by bit to the point of having a different meaning over time, even if not intentionally)
eszed · 3h ago
No. As explained in the SO answer, the worry is that the enemy will have been able to decrypt one or the other of your messages, at which point the identical underlying plaintext will help them crack the second cypher.
jameshart · 3h ago
‘Crack the cipher’ in this case most likely meaning: figure out the daily code word key you are using for that cipher.
If they have already gained the ability to decrypt today’s messages from station A in cipher A, and can therefore recover the plaintext of those messages; if they then find a message of the same length sent from station B in cipher B they can guess that that might be the same message, reverse engineer the key and maybe then decrypt all the messages being sent from station B in cipher B today.
maxbond · 2h ago
Bletchley Park employed linguists alongside cryptographers, and the linguists would help permute the messages (substituting German words for common abbreviations, for example) to mount these sorts of attacks.
bombcar · 3h ago
Hasn’t known invariants been used to break modern encryption in TLs, etc? Like a SSH packet will always contain some known info, etc.
drum55 · 3h ago
In some systems sort of. The esp32 encryption has a bizarre implementation where adjacent blocks in counter mode reuse the same nonce, so knowing the structure of the plaintext can directly reveal the content of some blocks.
tlhunter · 2h ago
I'm not sure why drum55's answer is buried but they're correct that the Nonce concept in modern crypto addresses this issue.
conradludgate · 1h ago
It's not only the nonce. The nonce helps to ensure that the message re-encrypted doesn't have the same ciphertext, but the known plaintext can still be used to forge messages. What stops message forgery is the message tag that TLS has (using the AEADs like AES-GCM or ChaCha20Poly1305).
That said, the nonce is still very important to avoid most key recovery attacks
macintux · 2h ago
Probably because that's the user's only comment. I've vouched for it.
electric_mayhem · 4h ago
Knowing the original plaintext is a big leg up in cracking encryption.
gametorch · 3h ago
Tangentially related — sending everyone in a company a slightly different document can help catch the person leaking confidential documents to the press.
Note that it is equally dangerous to send paraphrased messages using the same key (which is called sending messages "in depth"). This was used to crack the Lorenz ("Tunny") cipher. Interestingly Bletchley Park hadn't gotten their hands on a Lorenz machine, they cracked it based on speculation. And it lead to the development of the first tube computer, Collosus (which influenced the ENIAC). Nowadays we use nonces to avoid sending messages in depth, but nonce reuse can be similarly disastrous for systems like AES-GCM. For example there have been Bitcoin hardware wallets that reused nonces, allowing the private key to be extracted & the Bitcoin stolen. (To be clear, cryptocurrencies and AES-GCM are completely different systems that have this one property in common.)
https://en.wikipedia.org/wiki/Cryptanalysis_of_the_Lorenz_ci...
https://www.youtube.com/watch?v=Ou_9ntYRzzw [Computerphile, 16m]
As an aside does anyone know why it's called "in depth?" I'm guessing that it's related to Bletchley Park's penchant for naming things after fish? But possibly also their techniques that involved arranging messages together and sliding a stencil over them to visually spot patterns (so they're sort of overlayed)? I tried some casual searching but it's a very generic phrase and so difficult to search. It's defined in the The 1944 Bletchley Park Cryptographic Dictionary but it doesn't give an etymology.
https://www.codesandciphers.org.uk/documents/cryptdict/crypt... [Page 28]
The computer museum also exhibits post-war computers all the way to modern machines. I'd say that museum is more for the geeks while the Bletchley Park museum is definitely worth a visit even if you're not into computers.
As a child I learned about codes from a library book. Fascinated with one-time pads, I convinced a friend to try a correspondence. We exchanged a few messages, and then got bored, because the juice wasn’t worth the squeeze.
Which makes me wonder about people who work in secrets. Encrypted communications seem opposite of scientific communications. Secrets peeps seem prolly aligned to politics.
I recall that Ovaltine goes better with decoded messages.
https://arstechnica.com/information-technology/2017/04/this-...
And (more or less) that’s how the Enigma was cracked. Turns out starting weather report with ‘weather’ every single time is not a good idea.
1. https://archive.org/details/Fm3440.2BasicCryptAnalysis/mode/...
This bit has me perplexed. If you had a single message that you wanted to send multiple times in different forms, wouldn't compressing the message exponentially limit possible variation whereas expanding it would exponentially increase it? If you had to send the same message more than a couple of times I'd expect to see accidental duplicates pretty quickly if everyone had been instructed to reduce the message size.
I guess the idea is that if the message has been reduced in two different ways then you have to have removed some information about the original, whereas that's not a guarantee with two different expansions. But what I don't understand is that even if you have a pair of messages, decrypt one, and manage to reconstruct the original message, isn't the other still encrypted expansion still different to the original message? How does that help you decrypt the second one if you don't know which parts of the encrypted message represent the differences?
Which makes me wonder: how many permutations of this rule could be conceived (and needed) that on the one hand would keep the point clear to the receiver, but on the other hand prevent such attacks?
In any case the best option is to not have (to repeat) this rule inside messages.
Randomizing/obfuscating the letter case might buy you a little time, though I think it's something else entirely here.
Enaqbzvmvat/boshfpngvat guR yRggRe pnfR zvtug ohl lbh n yvggyR gvzR, gubhtu V guvax vg'f fbzRguvat RyfR RagveRyl uReR.
The suggestion that it may have been a striker from a bilingual - cyrillic typewriter that was mixed in is an interesting possibility; someone transcribing diplomatic telegrams in WWII may indeed have need of access to Cyrillic typewriters…
No comments yet
Some of the E's look a little curly like epsilons but I'm guessing that may be an optical illusion.
But check out the 3 in "chancE3"
1) it's just the typeface,
2) the teletype machine has unique letter so the machine it was received in is known (and hence which staff received it), reducing the ability to forge messages. Different machines could have had special letters, or all machines handling secrets had that particular "e"??
3) the machine broke and the repair shop only had a small-caps "E" handy.
I would imagine that the paraphrasing wouldn't be necessary in this case because it isn't quite as useful to compare two encrypted versions of the text versus an encrypted version and an unencrypted version (also I feel like there is some risk of a game of 'telephone' in that the meaning would change bit by bit to the point of having a different meaning over time, even if not intentionally)
If they have already gained the ability to decrypt today’s messages from station A in cipher A, and can therefore recover the plaintext of those messages; if they then find a message of the same length sent from station B in cipher B they can guess that that might be the same message, reverse engineer the key and maybe then decrypt all the messages being sent from station B in cipher B today.
That said, the nonce is still very important to avoid most key recovery attacks