Depth Attack

Breaking Tunny was not an easy task. The main problem was the unknown structure of the machine, since nobody had ever seen one of these machines. Thus the codebreakers had to do a lot of guesswork. Nevertheless, it was possible to recover the whole structure of the Tunny pseudo-random generator from the encrypted messages.

The codebreakers noticed early that Tunny was an additive cipher and sometimes the operators didn't follow the rule of using different wheel settings for different messages. Thus if two messages with the same indicator came in, the codebreakers knew that the same key had been used. Adding these messages modulo two gave the sum of the two cleartext messages modulo two.

Z1 xor Z2 = C1 xor C2

Here Z1 and Z2 are the two ciphertexts and C1 and C2 the corresponding cleartexts. Now it was necessary to reconstruct the messages and the keystream. This was done by trying common German words at succeeding positions in the message. If the addition of such a word to the sum of the plaintexts gave another reasonable word, the codebreakers had broken into the message. To find the rest of the message they used new letters appearing at the end of the decrypted words, e.g. if C1 xor C2 is:

C1 xor C2 = DCTNAWSIXU/Y/SR...

and one can decompose this successfully into

it was possible to extend C2/1 by guessing that the first word is 9FLUGZEUG and the last word is KANONE, which were common military expressions. Continuing this scheme, it was possible to recover the content of the messages and the keystream. The only problem is that one doesn't know which message is which, giving two possibilities for the keystream:


But only one of these keystreams gave correct wheel settings (which can be easily verified by trying to generate the first couple of bits of each wheel pair) resulting in full recovery of the messages and their keystream.

Once, two messages of about the same length of 4000 characters were transmitted with the same indicator HQIBPEXEZMUG. Trying the common German phrase "S P R U C H N U M M E R" gave for the second message "S P R U C H N R", which is an abbreviated form of the first phrase. Thus this was an attempt to transmit the same message twice, but the lengths were different since the operator used abbreviations and different spacings the second time. Using this depth of two it was possible to reconstruct about 4000 characters of the keystream.
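The word-trying procedure and the SPRUCHNUMMER/SPRUCHNR break described above can be reproduced in a few lines. This is an added example, not code from the original page; the two plaintexts, the mini-vocabulary and the keystream are constructed, and the keystream is a stand-in that does not model the Lorenz wheels.

```python
# Added example: crib-dragging against two messages sent in depth.
# ITA2 5-bit code, index = code value (impulse 1 is the low bit), with the
# Bletchley Park stand-ins: / null, 9 space, 3 CR, 4 LF, 5 figure shift, 8 letter shift.
ITA2 = "/E4A9SIU3DRJNFCKTZLWHYPQOBG5MXV8"
TEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ9")
WORDS = ["SPRUCH", "FLUGZEUG", "KANONE"]   # constructed mini-vocabulary

def add(a, b):
    """Add two teleprinter strings modulo two (truncates to the shorter one)."""
    return "".join(ITA2[ITA2.index(x) ^ ITA2.index(y)] for x, y in zip(a, b))

def drag(depth, crib):
    """Try the crib at every offset of Z1+Z2; keep offsets whose counterpart
    fragment is printable text containing a known word."""
    hits = []
    for i in range(len(depth) - len(crib) + 1):
        frag = add(depth[i:i + len(crib)], crib)
        if set(frag) <= TEXT and any(w in frag for w in WORDS):
            hits.append((i, frag))
    return hits

def candidate_keys(z1, offset, crib, frag):
    """The crib may belong to either message, so two keystreams are possible."""
    part = z1[offset:offset + len(crib)]
    return add(part, crib), add(part, frag)

# Constructed plaintexts: the same text keyed twice, abbreviated the second time.
P1 = "SPRUCHNUMMER9EINS9FLUGZEUG9KANONE"
P2 = "SPRUCHNR9EINS9FLUGZEUG9KANONE9"
# Constructed keystream (stand-in only).
KEY = "".join(ITA2[(7 * i * i + 3 * i + 11) % 32] for i in range(len(P1)))
Z1, Z2 = add(P1, KEY), add(P2, KEY)
DEPTH = add(Z1, Z2)                        # keystream cancels: equals P1 + P2

if __name__ == "__main__":
    print("Z1+Z2     :", DEPTH)
    offset, frag = drag(DEPTH, "SPRUCHNUMMER")[0]
    print("crib hit  :", offset, frag)
    # The fragment ends mid-word; completing it extends the other message.
    print("extended  :", add(DEPTH, "SPRUCHNR9EINS9"))
    # Here the true key is known, so the wrong candidate can be rejected directly;
    # the codebreakers had to test each candidate against the wheel patterns.
    for k in candidate_keys(Z1, offset, "SPRUCHNUMMER", frag):
        print("key guess :", k, "(matches)" if KEY.startswith(k) else "(rejected)")
```

The run of `/` at the start of the sum is where both messages carry identical text, which is the visible sign of a retransmission keyed with the same settings.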

W.T. Tutte got this keystream and was able to find repeats by writing it out on different periods. He noticed that he got repeats on a diagonal when writing it out on a period of 575. Thus, using a period of 574, he was able to separate the keystream into a sum modulo two of two periodic wheels, χ1 with a period of 41 and ψ1 with a period of 43. After that the whole team of codebreakers was able to work out the structure of the Lorenz SZ40/42 pseudo-random generator.

Using this information it was possible to develop successful methods like the Double-Delta-Attack to break Tunny.