Zurücktreten 3 Infanterie Regiment beendet wie befohlen. Verluste begrenzt. Umgruppierung in Hermonville vermutlich um 1800 Uhr beendet. Translation: Withdrawal 3th Infantry Regiment finished as ordered. Losses limited. Regrouping in Hermonville probably finished at 1800 hours.
The place name Hermonville is converted into "wqfntckorre" with the first alphabet:
The message, as it is entered in the grid:
zuruecktreten drei inf rgt beendet wie befolen stop verluste begrenzt stop umgruppierung in aa wqfntckorre wqfntckorre ee vermutliq um eins aqt uhr beendet
A random start cell is selected. In our example key sheet below, we select column "ce" and row "bb" and mark these digraphs. The digraphs are also noted on the key sheet. Since this position is a black cell, we take the next empty cell, which is five cells further to the right. We start filling in the message and continue at the top of the grid to enter all 133 letters.
The message key is the column digraph and the row digraph, encoded with a randomly chosen letter in the letter conversion table. We encode "cebb" into "mvxe", but we could just as well encode it into "atne" or into "sibh". This clever method makes it very difficult for the codebreakers to identify messages that are enciphered with the same message keys
Next, the column to start taking the ciphertext is determined. Since the message is sent before October 1944, we use the old procedure. The message time is 1400 and the message contains 133 letters. Thus, 0 + 0 + 1 + 3 + 3 = 7. We start counting from the cell next right of column "ce", as selected above. Thus, the column to start taking the the ciphertext by columns is "ee", with its value 15. We indicate this column by writing a cross in one of its empty cells. After taking the letters from column 15, we take columns 16, 17, 18 and so on. (note that in new start column procedure the column would have been selected randomly and its digraph also converted with the letter conversion table from above and placed after the message key).
Below the RS 44 example, generated with the RS 44 Excel sheet, which is available for download to create your own RS 44 sheets.
The ciphertext is taken from the columns and immediately written in five-letter groups. For the sake of our example, we give the columns and corresponding letters. Notice the irregular length of the columns, caused by the fractioning of the rows.
15 16 17 18 19 20 21 22 23 24 25 ETUEBU BCIVR NVUREEE RNETZP CRKIRIC UNGN QEHPF IOT IHRE RL EMEPG 1 2 3 4 5 6 7 8 9 10 FRRBUN KNRNLN RUQDTA TEM EELEEWESEQ RMAGENUP WUNBOR IZTE DFEGT TOK 11 12 13 14 QDE TTTTTIW OOSEFEUN RSSA
The complete message, arranged in five-letter groups and preceded by the message time, letter count and message key, as it would be taken directly from the grid.
1400 - 133 - MVXE - ETUEB UBCIV RNVUR EEERN ETZPC RKIRI CUNGN QEHPF IOTIH RERLE MEPGF RRBUN KNRNL NRUQD TATEM EELEE WESEQ RMAGE NUPWU NBORI ZTEDF EGTTO KQDET TTTTI WOOSE FEUNR SSA
To decipher this message, the receiving operator decodes the message key "MVXE" with the letter conversion table back into column "ce" and row "bb". He finds the start cell, counts 133 empty cells and draws lines to indicate the area where the ciphertext letters should come. Next, he uses the minutes of the message time and the letter count to calculate the offset value 7. He takes the retrieved column pointer "ce", counts 7 positions further to find the start column and indicates this column. He writes the ciphertext column by column, from top to bottom (but only in the message area cells!). Finally, he reads the original plaintext in normal reading direction, starting from the cell as determined by the digraphs "ce" and "bb".
How strong is RS 44? Let us first calculate all possible variations of the RS 44 key sheet. To do so, we need to take in account all possible ways to set each of its components and multiply the result.
This gives a overall theoretical total of 7,95 x 10280 different ways to construct a RS 44 key sheet, comparable with a 934 bit key. This, however, is a theoretical number. In reality, there are far less combinations, because a codebreaker doesn't care how the columns and rows are labelled, or how the message key is converted. He just needs to know how the letters are actually placed in the 600 cells and how they are taken from the columns. He takes in account the following properties:
The variables above give a total key size of 2.06 x 10185. Unfortunately, the Germans failed to apply this key space on RS-44. They only produced 36 different rods to print the rows. Also, the actual messages were mostly never longer than 60 letters, limiting the numers of rows that were used. With all possible permutations for the transposition key and start positions there's only a practical key space of 2 x 1035, comparible with a 117 bit key. The conversion alphabet for place names is a simple substitution and, although it has 15,511,210,043,330,985,984,000,000 possible combinations, can be solved with simple letter frequency analysis. This, of course, is only possible if the rest of message is already broken successfully and the grid and column order is restored correctly.
A practical key size of 117 bits is huge number, impossible to break by brute force (trying out all combinations) with all present computational power. However, codebreaking is more than trying out all possible keys. In such transposition ciphers, the positions of the letters always follow certain rules. For instance, two consecutive ciphertext letters have a fair chance to have been taken in the same column and it will therefore be unlikely that they are placed next to each other in the plaintext. The fixed number of 10 white cells per row also enables to draw some conclusions on the distance of plaintext letters in the ciphertext and how they transpose. Any rule or assumption is a clue for the codebreaker.
Nevertheless, RS 44 creates a most complex disrupted double transposition: the black cells create a horizontal disrupted fractioning of the message text which is followed by a wide column transposition. The size of the column text segments varies very irregularly, as you have seen in the message example above. Note that the normal double transposition was one of the strongest hand ciphers during the Second World War and it's cryptanalysis was released only a few years ago. Until today, no ciphertext-only cryptanalysis of the RS 44 had been published, if it already exists.
In general, transposition ciphers are solvable by multiple anagramming when several messages with exactly the same transposition are available. With this method, assumptions or clues on the transpositions of letters on one message are tested and verified against as many as possible other messages. For RS 44, the transposition variables for a particular key are the start cell and the start column, the so-called message key. There are 6000 possible different message keys (240 start cells x 25 start columns). A first obstacle for any codebreakers is that the message keys are encoded in a random fashion, making it much harder to find messages that are enciphered with the same transposition. Secondly, it could take several thousands of messages before a particular message key is reused, if the selection of varying message keys is well applied. If compartimentation of keys is applied on radio nets, and a message load of less than 6000 messages for a particular key is anticipated, there is little change that the codebreaker has any messages with identical transposition at his disposal, making it much more difficult to break the messages.
RS 44 proved to be a very secure hand cipher, especially if the number of messages per key was limited. British codebreakers had only limited success and it required a huge 40-letter crib (known plaintext) and about two weeks to make an initial break into the traffic of a given grid. They had a far better success rate with the (by the Germans) highly regarded Enigma machine than with RS 44 (it should be noted that the breaking of high-level Enigma traffic was more valuable and therefore received more resources). The low level RS 44 traffic was generally local tactical information. The time, required to break RS 44 messages, rendered its tactical information outdate before it could be exploited, making RS 44 an ideal hand cipher. Eventually, the codebreakers gave up trying to break the Wehrmacht RS 44 messages and limited their efforts to German police RS 44 enciphered message traffic only. They even considered RS44 as impossible to break if the Germans had not made implementation mistakes.
The German Army however was very reluctant to introduce RS-44. TICOM reports on the interrogation of German cryptologic personnel at the end of the war showed that the German Army often put up fierce resistance against the implementation of new enciphering systems and procedures. The cipher clercks often disliked new cipher systems and resented the efforts, required to get familiar with them. RS-44 what not an exception. Although straightforward and simple from a cryptologists point of view, the cipher clercks found it to be too complex for use at the battle front and continiously made mistakes that jeopardized the cipher's security.
Although already an excellent hand cipher, there was still room for improvement that hardly increased the cipher clerk's work load. A variable number of white cells per row would have increased the combinations considerably. 10 white cell per row give 3,268,760 combinations per row, whereas 9 cells provide 2,042,975 combinations and 11 cells 4,457,400 combinations. A variable 9 to 11 white cells would provide 9,769,135 combinations for a single row (with more than 13 cells, the number of combinations decreases again and transposition quality declines). Also, the use of each of the four sides and front and back of the grid template (as proposed for the Cysquare) would further increase the key size by a factor of 8. Assigning 3 digraphs to each of the 8 template positions would enable the use of a fourth (randomly) encoded message key digraph. The selection of the alphabet for place names could be determined more randomly by using the first letter of the plaintext, taking the alphabet where that letter appears as first. After successful decryption of the overall message, the receiving operator would find that plaintext letter and select the correct alphabet for his place names. Even taking some of the columns from bottom to top instead of top to bottom is feasible.
But even without these improvements, the Rasterschlüssel 44 can be considered as one of the best hand ciphers ever to combine a good level of security with a practical use.
The origins of RS 44 are surprisingly found on British soil. In 1941, Brigadier John H. Tiltman, a Britsh officer and brilliant codebreaker at the Government Communications & Cypher School (GC&CS), proposed his new manual cipher Cysuare to replace the insecure Army Stencil Cipher.
The Cysquare has a grid with 676 (26 x 26) cells. Each row has 10 empty cells for the message text and 16 black cells. However, three rows contained 20 empty cells and three other rows contained only black cells. The daily key consisted of a randomly shuffled alphabet and the numbers from 1 to 26 written underneath them, also in random order. Both random alphabet and numbers are written from left to right at the top of the grid and from bottom to top on the left side of the grid.
The square comes with a list of four-letter indicator groups. Each letter corresponds to the number, found underneath that particular letter in the random alphabet. The first numbers represent the position of the grid, which can be used with each of its four sides at the top. The second and third numbers represent the row and column, of which the coordinate line shows the starting cell.
The message text is written from left to right in the empty cells, starting from the next empty cell after the starting cell. If the text reaches the end of the grid, the text is continued from the top left cell of the grid. Finally, the forth number of the indicator represents the initial read-off column. The final ciphertext is taken, column by column, from top to bottom, in the order of the numbers at the top of the grid, starting and from the initial read-off column. The final message text consists of the indicator, followed by the ciphertext, the number of letters, the indicator repeated, the time and the date.
The system was designed to be used in two versions: the "stencil" card with punched holes to write into the empty fields on a sheet underneath the card. This version even allowed the use of both sides of the grid card, giving eight instead of four grid positions. The pad version was a booklet with 50 identical grids. Despite being both a very secure and practical hand cipher, its implementation proved to be a complete flop. Unfortunately, the instructions encouraged the operators to rub out the message and reuse the same sheet as many times as possible. The Cysquare entered the battlefield in the British Eight Army, operating in North Africa. The cipher clerks refused to use the Cysquare shortly after its introduction because the desert weather and the gum soon turned the white cells on the grid indistinguishable from the black cells.
The Cysquare began an unexpected new career when fieldmarchall Rommel's Afrika Korps overran British units and captured the Cysquare pads with their instructions. German cryptologists recognized it as an excellent hand cipher and decided to develop their own version of the Cysquare. The modified cipher, designated Rasterschlüssel 44 or RS 44, was introduced in March 1944. Later, Brigadier Tiltman, the developer of Cysquare, noted ruefully that the Allies had considerable trouble in breaking RS44 enciphered messages.