SIGCUM

SIGCUM, also known as Converter M-228, was a rotor cipher machine used to encrypt teletype traffic by the United States Army. Hastily designed by William Friedman and Frank Rowlett, the system was put into service in January 1943 before any rigorous analysis of its security had taken place. SIGCUM was subsequently discovered to be insecure by Rowlett, and was immediately withdrawn from service. The machine was redesigned to improve its security, reintroduced into service by April 1943, and remained in use until the 1960s.

Development

In 1939, Friedman and Rowlett worked on the problem of creating a secure teleprinter encryption system. They decided against using a tape-based system, such as those proposed by Gilbert Vernam, and instead conceived of the idea of generating a stream of five-bit pulses by use of wired rotors. Because of lack of funds and interest, however, the proposal was not pursued any further at that time. This changed with the United States' entry into World War II in December 1941. Rowlett was assigned to develop a teleprinter encryption system for use between Army command centers in United Kingdom and Australia (and later in North Africa).

Friedman described to Rowlett a concrete design for a teleprinter cipher machine that he had invented. However, Rowlett discovered some flaws in Friedman's proposed circuitry that showed the design to be flawed. Under pressure to report to a superior about the progress of the machine, Friedman responded angrily, accusing Rowlett of trying to destroy his reputation as a cryptanalyst. After Friedman calmed down, Rowlett proposed some designs for a replacement machine based on rotors. They settled on one, and agreed to write up a complete design and have it reviewed by another cryptanalyst by the following day.

The design agreed upon was a special attachment for a standard teleprinter. The attachment used a stack of five 26-contact rotors, the same as those used in the SIGABA, the highly secure US off-line cipher machine. Each time a key character was needed, thirteen inputs to the rotor stack were energized at the input endplate. Passing through the rotor stack, these thirteen inputs were to be scrambled at the output endplate. However, only five live contacts would be used. These five outputs would form five binary impulses, which would form the keystream for the cipher, to be combined with the message itself, encoded in the 5-bit Baudot code.

The rotors advanced odometrically; that is, after each encipherment, the "fast" rotor would advance one step. Once every 26 revolutions of the fast rotor, the "medium" rotor would step once. Similarly, ever 26 revolutions of the medium rotor, the "slow" rotor would step, and so on for the other two rotors. However, which rotor was assigned as the "fast", "medium", "slow" etc rotors was controlled by a set of five multi-switches. This gave a total of $5!\; =\; 120$ different rotor stepping patterns. The machine was equipped with a total of 10 rotors, each of which could be inserted "direct" or in reversed order, yielding $10\; imes\; 9\; imes\; 8\; imes\; 7\; imes\; 6\; imes\; 2^\{5\}\; =\; 967,680$ possible rotor orderings and alignments.

Introduction of the machine

The design for this machine, which was designated the Converter M-228, or SIGCUM, was given to the Teletype Corporation, who were also producing SIGABA. Rowlett recommended that the adoption of the machine be postponed until after a study of its cryptographic security, but SIGCUM was urgently needed by the Army, and the machine was put into production. Rowlett then proposed that the machine used in the Pentagon code room be monitored by connecting a page-printing "spy machine". The output could be then studied to establish whether the machine was resistant to attack. Rowlett's suggestion was implemented at the same time the first M-228 machines were installed at the Pentagon in January 1943, used for the Washington-Algiers link.

The machines worked as planned, and, initially, Rowlett's study of its security, joined by cryptanalyst Robert Ferner, uncovered no signs of cryptographic weakness. However, after a few days, a SIGCUM operator made a serious operating error, retransmitting the same message twice using the same machine settings, producing a depth.

From this, Rowlett was able to deduce the underlying plaintext and keystream used by the machine. By 2 a.m., an analysis of the keystream allowed him to deduce the wiring of the fast and medium rotors, and of the output wiring. SIGCUM was immediately withdrawn from service, and work on a replacement system, SIGTOT — a one-time tape machine designed by Leo Rosen — was given top priority.

Redesign

Meanwhile, M-228 was redesigned to improve its security. Only five inputs, rather than thirteen, were energized. The five output contacts, instead of being used as the five output bits directly, were instead connected by three leads, each connected to different output point. That meant that an output bit could be energized by any of three different outputs from the rotor maze, making analysis of the machine more complex. The reduced number of inputs ensured that the generated key would not be biased.

The rotor stepping was also made more complex. The slowest two rotors, which originally were unlikely to step during the course of an encipherment, were redesigned so that they stepped depending on the output of the previous key output. One rotor, designated that "fast bump" rotor, would step if the fourth and fifth bits of the previous output were both true; and similarly the "slow bump" rotor would do the same for the first, second and third bits.

Certain of the rotor stepping arrangements were discovered to be weaker than others, and so these were ruled out for key lists.

This redesigned version of the M-228 was put into service by April 1943. However, the machine was judged to be secure enough to handle traffic only up to SECRET by landline, and to CONFIDENTIAL by radio. The machine was also shared with the United Kingdom for joint communications.

A further-modified version of the M-228 could be used for the highest level traffic, designated M-228-M, or SIGHUAD.

From that point on, the Army monitored the communications of its high-level systems to ensure that good operational procedure was being followed, even for highly secure devices such as the SIGABA and SIGTOT devices. As a result, poor operator practices, such as transmitting messages in depth, were largely eliminated.

References

* Stephen J. Kelley, "The SIGCUM Story: Cryptographic Failure, Cryptographic Success", in "Cryptologia" 21(4), October 1997, pp289–316.

External links

* [http://www.quadibloc.com/crypto/te0305.htm Converter M-228 or SIGCUM] by John Savard