© Dr. Stuart Savory & Brian Hargrave, 2003

Stu Savory is a crypto-geek who is interested in old cipher machines. In fact he has the number one website in German on the subject [ look up "Chiffriergeräte" worldwide in Google]. But we write this review in English, for the international community :-)

Brian Hargrave designed the Pocket Enigma toy reviewed here. He also responded to my original review (see my blog-entry for October 7th 2003). His reply is behind this link. So I have now revised my original review to integrate his comments and am giving this Pocket Enigma® review its own webpage, to make it easier for you to bookmark. The Pocket Enigma® is a toy designed for children from 8 to 80 as you can read below.

Bletchley Park: During WW2 the German armed forces' top secret codes were broken at Bletchley Park (UK), providing the allies with vital information towards their war effort. The link is to their official website. Actually, dear readers, here is a much better website about Codes and Ciphers in the Second World War written by Tony Sale, the original founder and curator of the Bletchley Park Museum. The Enigma was probably the most famous cipher machine and was widely used by the Germans.

Brian Hargrave has designed (in association with The Bletchley Park Trust) a really well thought out toy which is like a single-rotor Enigma machine and beautifully demonstrates one of the three working principles of the Enigma. The toy is fairly well-produced (details below), cheap, well-explained and can be used in a simplified mode by six to ten year-olds. The toy is designed for children from 8 to 80 years of age who have a special interest in secret writing, codes and ciphers.

The Toy is available from the Bletchley Park Shop.
However I ordered mine (for only five pounds sterling (UK) + post and packing) from Mark Baldwin at the address shown:-

Mark Baldwin,
24 High Street, Cleobury Mortimer, KIDDERMINSTER  DY14 8BY, England
phone/fax: 01299 270110 (international +44 1299 270110); 
email: enigma@mbaldwin.free-online.co.uk

The Pocket Enigma® is like a one-rotor Enigma machine in a compact disk case. The stator is a cheap-to-produce compact disk case (photolink). The serious downside of this design is that the "ears" of the disk case will probably break off quite quickly if the toy is actually used by children. Brian remarks : I spent some considerable time trying to find a commercial or heavy duty CD case, but without success. In the end I agreed with Bletchley Park that even if such a thing exists, the ready availability of the standard jewel case as any easy replacement and its very low cost were the overriding factors, particularly the latter.

The rotor is a simple disk (photolink) printed on its two faces with two different "wirings", which you are required to trace through manually. Despite the warnings on the instruction leaflet, some idiot may put the disk into his/her CD-player, DVD or PC CDROM drive ( probably the same US woman who tried to dry her poodle in a microwave oven!). Brian point out : The rotor is made from a matt plastic printed with special ink to give good durability. It is almost impossible to tear and is much more difficult to bend than you might think at first sight.

The instructions supplied explain how to trace through the "wirings". I could code/decode at 20 to 30 characters per minute after some practice, i.e. about half real Enigma speeds.

The instructions (the CD-cover sheet) are really good! They explain how the Pocket Enigma® works (starting with the traditional naming of parts :-) and take the user step-by-step through the processes of coding and decoding. Worked examples and carefully annotated figures illustrate how the Key and Message Setting are used, and there is a trouble-shooting table to help with common errors. Brian remarks : The instruction leaflet took about as long to write as to develop the machine itself, the published edition being about Version 15 or thereabouts. The main problem was that the instructions take up the active width of the printing press to the millimetre, and just one more panel on the leaflet meant a bigger press giving a big step in cost to the extent that the instructions would then have cost more than the wheel.

Stu Savory summarises: All in all, I can recommend this toy! Well done, Brian Hargrave!

Criticism : But now for the caveats.

• The mechanical weaknesses (CD case ears) I mentioned above.
  Used with care (by an adult) these should be no great problem.
• The use of the name Enigma is good marketing by B.P. The toy illustrates only one of the Enigma principles though.
• There is no plugboard (Steckerbrett) and of course no turnover-pawl mechanism for other rotors. There is no "mirror" (Umkehrwalze), Brian says : it slowed down coding speeds and made the toy less enjoyable to use. Stu goes on : you can make your own daily plugboard just by writing a substitution table (=S-Box) on a piece of squared paper, e.g.

  ABCDEFGHIJKLM
  NOPQRSTUVWXYZ
  

  Before enciphering a letter from your plaintext you should substitute it by the letter opposite it (plugboard). As with a real Enigma, no letter represents itself. N.B: That is a pretty bad S-Box shown, because it is so linear. S-Boxes should be as non-linear as possible; but it would be too difficult to teach the design of S-Boxes in this simple review.
• Nor is there a "daily setup" table included in the leaflet. Including this would add to realism, it should state what rotor to use, what daily key to use and the "plugboard" settings for the day. You could make up one of your own. The daily key setting is only used to encipher what the session key for the rest of the message will be.
• The importance of session keys is not well explained. The instruction leaflet should be modified to explain better why they are used, i.e. to reduce the number of messages having the same setup (which would make cryptanalysis easier by displaying more letter pairs at each position). Brian notes : Of all the leaflet sections, the one dealing with the message setting was rewritten more than any other, and in the end I had to accept that this was a toy and so just a simple statement rather than a full explanation (of why Message Settings were used) would have to suffice.
• There is only one (dual sided) rotor included, so sadly the toy has only 52 possible keys. The bright side of this is that I can show a class of schoolchildren how to do a parallel brute-force attack within minutes, even teaching them the concept of unicity distance in the process. At the end of this review I'll explain how to cryptanalyse the device.
• It would be an improvement if BP included 5 rotors instead of just one. The instruction leaflet could then be modified to explain why 5 rotors are provided, and give the historical wirings used. If there is no more room in the instruction leaflet, then maybe it could point to a Pocket Enigma® website, and (failing that) to this web-page (too).
• So the toy is really a single-rotor Hebern machine from the early 1920s.
• The leaflet gives no hints on how to break an Enigma message. I recommend that the leaflet point to Tony Sale's website ( which is in English, my own less-good explanations are in German).
• BP should provide alternative explanatory leaflets in German (at least), Polish, French etc. All these nations had Enigma code-breaking teams and there are crypto-geeks like me in all these countries, let alone thousands of interested children (and adults) too.

With the improvements I suggest above, the toy could advance to be suitable historical instructional material too.

Just to keep things simple, I will use the Pocket Enigma as Brian designed it, and not include a plugboard etc. Furthermore, I will step the rotor uniformly by only 1 position for each letter enciphered. Cryptanalysis would otherwise be slightly harder, and I don't want to cover Kappa-testing here.

Chosen Plaintext Attack : As is usual in the literature, we assume that the rotor wiring is known (i.e. we have captured a Pocket Enigma) and 'merely' need to deduce the key being used. We choose a plaintext, here AAA... and feed it into the device. Let's start off by assuming we have key also A. Then feeding a plaintext of 26 As into the device gives us the ciphertext "CSZBIYYCCIYRCYVCZBXFJDSYYC".

KEY : ABCDEFGHIJKLMNOPQRSTUVWXYZ
CODE: CSZBIYYCCIYRCYVCZBXFJDSYYC

Why did we need to use 3 As as plaintext ? Well, if we had only used one, the keys A, H, I, M, P, and Z would all have given the ciphertext C. To resolve this ambiguity we entered a second plaintext A after the rotor has moved on 1 position. Ciphertext CS tells us the key was A, CI tells us the key was I, CY tells us the key was M, and CZ tells us the key was P. But CC could have been caused by key H or by key Z. So we need a third plaintext A. CCI tells us the key was H, and CCS tells us the key was Z. The number of letters needed on average to decipher uniquely is called the unicity distance as mentioned above.

Now that we know that the key was R we can decipher the original ciphertext : FXNTQAYHGQP as HALLOSAILOR.

Cryptanalysis of an unknown rotor : A slightly harder case presents itself when an unknown rotor is used. We assume in this section that the rotor wiring is NOT known (i.e. we have NOT captured a Pocket Enigma) and need to deduce the rotor-wiring being used. So now I am going to show you a known plaintext attack and use it to deduce the rotor wiring.

Known plaintext attack : We assume that we have a piece of ciphertext (QXWZNIMGVRCPFHNLKYQVXBRFNJ...) and (have somehow captured/acquired/stolen) the equivalent plaintext. It might just be a probable-word or two though.

For this example I'll use a single sentence taken from a notorious contemporary text, translated (in 1943) from the original German into English. "Our whole public life today is like a hothouse for sexual ideas and stimulations". Splitting this into sections of 26 letters in length (because our Pocket Enigma has a 26-letter rotor circumference) we get:

OURWHOLEPUBLICLIFETODAYISL
IKEAHOTHOUSEFORSEXUALIDEAS
ANDSTIMULATIONS

O U R W H O L E P U B L I C L I F E T O D A Y I S L --- Plaintext
Q X W Z N I M G V R C P F H N L K Y Q V X B R F N J --- Ciphertext
0 1 2 3 4 5 6 7 8 910111213121110 9 8 7 6 5 4 3 2 1 --- Sawtooth pattern

Taking the first letter pair, plaintext=O and ciphertext=Q, we can draw this wiring onto the rotor.

After the first letter O has been encoded to Q, the rotor steps forward one position and U is encoded to X. But we need to calculate the wiring in the initial position of the rotor. So we connect not U to X but count back 1 position (this is what the sawtooth number pattern is for in line 3 shown above). So - in the initial rotor position - W is wired to T (and of course T to W, we only need to deduce 13 wiring pairs), as shown here.

Continuing, the next step R-W (sawtooth pattern number 2) gives us the connection P-U. But at the next step W-Z we get the wiring pattern we already had at step 1. These coincidences may crop up several times, but we can ignore them and press on regardless. Stepping through the rest of the letter pairs and counting back (or forward after 13 (=26/2)) as given by the sawtooth-pattern, we can deduce the complete rotor wiring.

And if - at some later stage - this rotor is "captured", we can see that our cryptanalysis of the unknown rotor was right.
So don't use this toy seriously anybody, because I can break all its codes easily ;-)

Now, if you want to learn more (e.g. how to do a ciphertext-only attack), I point you to Aegean Park Press book C-73:-

Cryptanalysis Of The Single Rotor Cipher Machine, Donald A. Dawson
This book is divided into three sections: The Cryptographic Process, 
the Cryptanalytical Process, and The Computer Programs (written in QBASIC). 
Chapters contain numerous problems to be solved by the student, enabling 
the student to learn by doing as he studies the text.
C-73 · , iv + 213pp, Paperback, ISBN: 0-89412-262-2 · $38.80