Enigma — Volume 13 — Legacy & Lessons for Modern Cryptography

About This Volume

Enigma was broken eighty years ago, and yet it has never stopped teaching. The previous twelve volumes traced the machine itself — its rotors and reflector, its plugboard and procedures — and the long campaign to defeat it. This volume asks a different question: what did the world learn? The answer runs along two tracks that braid together. The first is cryptographic. Enigma is the canonical cautionary tale of modern cryptography, the worked example taught in every first course, because it failed in ways that map cleanly onto principles we now state as laws. The second track is computational. The same wartime establishment that beat Enigma also, in attacking a different and harder German cipher, built the first programmable electronic digital computer — and the theorists who passed through Bletchley Park seeded the science of computing and the science of secrecy alike.

The temptation in telling this story is to flatten it into myth: “Bletchley invented the computer to break Enigma.” That sentence is wrong in almost every clause, and getting it right matters. This volume is careful about the lineage — which machine broke which cipher, what counts as “programmable,” and where the genuine, defensible claims to priority lie. The lessons are more impressive when they are accurate.

The Founding Lesson: Kerckhoffs’s Principle

In 1883 a Dutch-born linguist named Auguste Kerckhoffs published two articles in the Journal des sciences militaires under the title La Cryptographie militaire. Buried among six practical maxims for field ciphers was one that has outlived all the others and become the bedrock of the discipline. A cryptosystem, Kerckhoffs argued, must remain secure even if everything about it — its design, its mechanism, its full description — falls into enemy hands, so long as the key remains secret. As he put it, the system “must not require secrecy, and it must be able to fall into the hands of the enemy without inconvenience.” Claude Shannon, sixty-six years later, would compress the idea into five words: the enemy knows the system.

The opposite stance has an unflattering name: security through obscurity — the hope that keeping a mechanism secret will keep it safe. Cryptographers reject it, not because secrecy is worthless, but because it is brittle. A secret algorithm has been analyzed by exactly the people who built it; a published one is hammered on by the whole world, and only the survivors earn trust. Obscurity may buy time, but it cannot be the foundation, because secrets leak, machines are captured, and designs are reverse-engineered.

Here is the sharp, often-misunderstood point about Enigma. The German failure was not, in the main, a failure of the machine’s design. The wiring was clever; the key space, as Volume 5 laid out in combinatorial detail, was astronomically large — roughly 159 quintillion possible settings (about 1.59 × 10²⁰) once the plugboard is counted. The failure was the belief that this complexity, plus the secrecy of the internal wiring, could substitute for disciplined key management. The Germans treated the machine’s intricacy as if it were the key. It was not. Kerckhoffs’s principle, read backwards, is a diagnosis of exactly this error: when you let the secrecy of the system do the work that only the secrecy of the key can safely do, you have built your fortress on sand.

This connects directly to the combinatorics of Volume 5. A vast key space is necessary but not sufficient. Enigma’s 159 quintillion settings meant nothing once Bletchley could exploit structure, procedure, and habit to slice that space down to something a Bombe could chew through in hours. A large key space resists only brute force; it offers no protection at all against an attacker who finds a shortcut. Modern cryptography internalizes both halves: keys must be large enough to defeat exhaustive search and the algorithm must offer no structure that lets the attacker do better than exhaustive search.

How Enigma Actually Fell: Four Concrete Lessons

Enigma’s defeat was not the cracking of a single brilliant lock. It was the accumulation of many small, exploitable regularities. Each one has hardened into a rule that working cryptographers still recite.

Operator Error and Procedural Shortcuts Are Fatal

The single richest vein at Bletchley was human laziness. German operators, required to choose a random three-letter message key, instead typed AAA, or three adjacent keys like QWE, or the initials of a girlfriend. Bletchley named these guessable keys cillies (after one such recurring choice). Until May 1940 the procedure was worse still: the message key was enciphered twice at the head of each message, a doubling that the Polish cryptanalysts of Volumes 7 and 8 had already turned into the wedge that first opened Enigma. Stereotyped message formats — a weather station that opened every transmission the same way, the nightly KEINE BESONDEREN EREIGNISSE (“nothing to report”) — gave codebreakers predictable text in predictable places.

The lesson is uncomfortable because it is not about mathematics: a cryptosystem is only as strong as the discipline of the people using it. The most elegant cipher in the world is undone by a tired radio operator taking a shortcut at three in the morning. Modern systems respond by designing the human out of the loop wherever possible — keys generated by hardware randomness, nonces managed automatically, protocols that refuse to proceed when used unsafely — precisely because the Enigma operators proved that humans, given a chance to be careless, will take it.

Known-Plaintext Attacks Are Powerful

A crib at Bletchley was a stretch of plaintext the analysts could guess was present in a message — a weather report, a stock phrase, a commander’s title. The Bombe (Volume 10) was, at heart, an engine for exploiting cribs: feed it a guessed plaintext-ciphertext pairing and it would test rotor settings at electromechanical speed, rejecting the contradictions. The whole attack rested on the assumption that the attacker knows, or can guess, some of the plaintext.

The modern formalization is the known-plaintext attack, and its stronger cousin the chosen-plaintext attack, now standard threat models against which every serious cipher must be proven secure. A cipher that leaks under known plaintext is considered broken by definition. Enigma is why this is a baseline requirement and not a paranoid edge case: in real warfare, plaintext is rarely as secret as the people sending it imagine.

Structural Constraints Leak: The Reflector

The cruelest irony of Enigma’s design was a feature added for operator convenience. The reflector (Umkehrwalze) sent the current back through the rotors so the same machine could encipher and decipher — a genuine ergonomic win. But it imposed a mathematical guarantee with a fatal side effect: no letter could ever encipher to itself. An A in the plaintext would never appear as A in the ciphertext.

This sounds like a security property; it was a gift to the codebreakers. To test whether a crib aligned with a stretch of ciphertext, an analyst simply slid the guessed plaintext along and discarded any position where a letter sat above its own match — those alignments were impossible. A single designed-in regularity eliminated vast numbers of candidate positions before a Bombe was even started. The reflector also made the cipher a self-inverse with no fixed points, a structural fingerprint an attacker could lean on.

The lesson is foundational to modern cipher design: a secure cipher must have no exploitable structure — its output must be statistically indistinguishable from random, with no relationship between a plaintext symbol and its ciphertext that an attacker can predict. Designers now actively hunt for and eliminate exactly the kind of regularity the reflector embodied. The very thing that felt like rigor to Enigma’s engineers — a clean, guaranteed property — was the seam the codebreakers pried open.

Reuse and “Depths” Are Deadly

When two messages are enciphered with the same key settings, cryptanalysts call them a depth, and depths are catastrophic. The Polish and British attacks repeatedly exploited days when a network reused settings, or pairs of messages sent on the same indicator. Key reuse collapses the protection a cipher offers, because differences between the two messages expose the underlying plaintext relationship while the key cancels out.

This lesson reached its most spectacular modern form not with Enigma but with the one-time pad: the Soviet reuse of supposedly one-time key material was exactly what let the VENONA project read Soviet traffic for years. The rule that emerged — never reuse keystream, ever — governs stream ciphers, nonces, and initialization vectors to this day. A nonce reused under the same key in a modern authenticated cipher (GCM, ChaCha20-Poly1305) is a security failure of the same family that sank Enigma networks.

The Birth of Modern Computing — Carefully

This is the most consequential legacy, and the one most often mangled. The popular telling — that codebreakers “built the first computer to crack Enigma” — collapses two distinct machines, two distinct ciphers, and two distinct technologies into a single false sentence. The truth is more remarkable for being precise.

The Bombe Was Not a Computer

The Bombe (Volume 10), descended from the Polish bomba, was the workhorse against Enigma. But it was electromechanical — relays and rotating drums — and special-purpose: it did exactly one thing, test Enigma rotor settings against a crib. It did not store a program, did not perform general computation, and was no more a computer than a sophisticated adding machine. It belongs to the prehistory of computing, not its founding.

Colossus Was — and It Broke Lorenz, Not Enigma

The genuine breakthrough came on a different front entirely. Alongside Enigma, the German High Command used the Lorenz SZ40/42, a teleprinter cipher far more sophisticated than Enigma, attached to high-level strategic links between Berlin and the field commands. Bletchley codenamed it Tunny. Breaking Tunny by hand was agonizingly slow, and the statistical method devised by the mathematician Bill Tutte (who had reconstructed the unseen machine’s logic from intercepts alone) cried out for automation faster than any relay could manage.

Enter Tommy Flowers, a General Post Office telephone engineer at the Dollis Hill research station. Flowers proposed something the Bletchley establishment thought reckless: a machine built from thermionic valves (vacuum tubes) in their thousands, on the then-controversial bet that valves left running continuously were reliable. He was right. The Colossus Mark 1, with about 1,500 valves, ran at Dollis Hill in late 1943 and was operational at Bletchley by February 1944; the improved Mark 2, with roughly 2,400 valves, was running by 1 June 1944, just in time to feed intelligence into the D-Day deception.

Colossus is properly regarded as the world’s first programmable, electronic, digital computer. Each clause is load-bearing. Electronic — it computed with valves at electronic speed, not mechanical relays. Digital — it operated on discrete binary data. Programmable — its operation could be reconfigured through switches and plugboards to run different logical and counting operations on the intercepted data.

But two careful caveats keep the claim honest. First, Colossus broke Lorenz, not Enigma — it never attacked Enigma at all. Second, it was not a stored-program computer: it was programmed by physical switches and plugs, not by instructions held in memory, and it was special-purpose, built for one class of statistical problem. The leap to a machine that stores its own program — and can therefore be reprogrammed as freely as we reprogram computers today — came after the war.

Turing, the ACE, and the Stored-Program Line

The conceptual foundation predates the hardware. In 1936, before any of this, Alan Turing’s paper On Computable Numbers introduced the abstract universal machine — a single device that, given a description of any other computing machine on its tape, could imitate it. This is the theoretical seed of the general-purpose computer: the idea that one machine, suitably instructed, can do anything any machine can do.

After the war Turing carried that idea into hardware. At the National Physical Laboratory he designed the ACE (Automatic Computing Engine), one of the earliest detailed designs for a stored-program computer; a reduced Pilot ACE ran in 1950. Meanwhile, at Manchester, Freddie Williams, Tom Kilburn, and Geoff Tootill built the Manchester “Baby” (the Small-Scale Experimental Machine), which on 21 June 1948 became the first machine to run a program stored electronically in its own memory — the true ancestor of every computer since. Turing arrived at Manchester later in 1948, after the Baby’s first run, and went on to work on its software and successors; the common claim that he built the Baby is wrong, but his influence on the intellectual climate that produced it was real.

A final caveat for honesty’s sake: across the Atlantic, ENIAC (operational 1945, Pennsylvania) was a contemporaneous electronic computer, and the priority claims among Colossus, ENIAC, and the stored-program machines are genuinely nuanced — they made different trade-offs and excelled on different axes. Colossus was first to be electronic, digital, and programmable; ENIAC was a more general electronic calculator; the Baby was first to be stored-program. The secrecy that shrouded Colossus until the 1970s is the reason its rightful place in the lineage was recognized so late.

The Birth of Modern Signals Intelligence

Enigma’s defeat did not end with the war; it institutionalized. The Government Code and Cypher School (GC&CS) that ran Bletchley Park became, in 1946, the Government Communications Headquarters (GCHQ), Britain’s permanent signals-intelligence agency. Its American counterpart, after a tangled lineage through wartime Army and Navy units, would consolidate in 1952 as the National Security Agency (NSA).

The wartime collaboration was made permanent too. Building on the 1943 BRUSA agreement, the British and Americans signed the UKUSA Agreement in March 1946, binding their intercept networks into a single sharing arrangement. Over the following decade Canada (1948), then Australia and New Zealand (1956), were brought in, creating what the world now knows — from a classification stamp reading “AUS/CAN/NZ/UK/US EYES ONLY” — as Five Eyes. The intimacy of Anglo-American cryptologic cooperation that began with Bletchley analysts and US liaison officers sharing a hut never ended; it simply went institutional and turned its attention to the Soviet Union.

There was also a scramble for the losing side’s secrets. TICOM (the Target Intelligence Committee) was a joint Anglo-American operation that, in 1945, sent teams chasing the collapsing Wehrmacht to seize German cryptologic equipment, documents, and personnel before they could be destroyed or fall to the Soviets. TICOM’s haul — including German assessments of which Allied ciphers they had broken, and advanced equipment for reading Soviet traffic — shaped the opening moves of the Cold War SIGINT contest. It remained one of the war’s last great secrets for decades.

The Mathematical Turn: Shannon and the Science of Secrecy

If Bletchley was cryptanalysis as craft — intuition, habit, and machinery — the postwar years made cryptography a science. The pivot was Claude Shannon’s Communication Theory of Secrecy Systems, published in the Bell System Technical Journal in 1949 (declassified from a 1945 wartime memorandum). Shannon did for cryptography what his companion paper had done for communication: he gave it a rigorous mathematical foundation, recasting secrecy in the language of information theory.

Three of his ideas still structure the field. He defined the unicity distance — how much ciphertext an attacker needs before the key is, in principle, uniquely determined. He named confusion and diffusion, the two properties a good cipher must combine: confusion to obscure the relationship between key and ciphertext, diffusion to spread the influence of each plaintext symbol across the whole output. And he proved that a perfectly secret cipher must have key material at least as long as the message — the theoretical justification for the one-time pad, and the reason perfect secrecy is impractical for everyday use. It was Shannon, too, who gave Kerckhoffs’s principle its modern phrasing: the enemy knows the system.

The Vindication of Kerckhoffs: Open Algorithms, Secret Keys

The arc that began with Kerckhoffs in 1883 closed, triumphantly, in the 1970s. Cryptography came out into the open. In 1977 the United States adopted the Data Encryption Standard (DES) — a published algorithm, its every detail in the public literature, secure (for its key length) precisely because secrecy lived only in the key. DES was eventually retired for its short 56-bit key, not because publication had weakened it, and was succeeded in 2001 by the Advanced Encryption Standard (AES), chosen through an open international competition in which the world’s cryptographers were invited to attack the candidates. That openness is Kerckhoffs’s principle operationalized as public policy.

The deeper revolution was public-key cryptography. In 1976, Whitfield Diffie and Martin Hellman’s New Directions in Cryptography showed how two parties could agree on a shared secret over a channel an eavesdropper fully controls — the Diffie–Hellman key exchange. In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman gave the world RSA, a system for encryption and digital signatures resting on the difficulty of factoring large numbers. Public-key cryptography is the ultimate vindication of Kerckhoffs: the encryption key can be printed on a billboard, broadcast to the world, with no loss of security, because only the matching private key can decrypt. The system is not merely allowed to be public — half of it is designed to be.

There is a delicious historical irony here, and it leads straight back to the institution that beat Enigma. Inside GCHQ, the heirs of Bletchley had gotten there first — in secret. James Ellis conceived the idea of “non-secret encryption” around 1969–70; Clifford Cocks worked out, in 1973, what amounts to the RSA algorithm; and Malcolm Williamson devised the equivalent of Diffie–Hellman key exchange in 1974. Because the work was classified, none of it could be published, patented, or used openly, and the academic inventors discovered it all independently years later. GCHQ’s priority was revealed only on 18 December 1997, when Cocks delivered a public lecture on the hidden history — weeks after Ellis died, never having received public credit. The agency born from the greatest triumph of secret cryptanalysis had invented the future of open cryptography and then locked it in a safe.

The Canonical Cautionary Tale

Enigma endures in the classroom because it fails so legibly. Every lesson it teaches has a name and a modern descendant: Kerckhoffs’s principle against security through obscurity; the known-plaintext and chosen-plaintext threat models; the demand that ciphers have no exploitable structure, no reflector-like regularity an attacker can seize on; the absolute prohibition on key and keystream reuse; and the recognition that procedure and human discipline are part of the system, not separate from it. A vast key space, Volume 5 showed, was never enough — and Enigma is the proof, walking, of why.

That is why a machine broken eight decades ago is taught to students who will spend their careers protecting traffic Enigma’s designers could not have imagined. The Germans trusted complexity and secrecy to do the work that only key discipline and sound design can do. The codebreakers exploited every gap that trust left open — and, in the doing, helped invent the computer, found the modern intelligence agencies, and clear the ground on which the mathematical science of secrecy was built. Enigma’s final, lasting lesson is the one it was made to disprove and ended up confirming: in cryptography, you must assume the enemy knows the system. Everything rests on the key.

Next — Volume 14: Surviving Machines, Museums & Pop Culture.