Alan Turing, MarshallHall, and the Alignmentof WW2 JapaneseNaval InterceptsPeter W. Donovan

Marshall Hall Jr. (1910–1990) is de-servedly well remembered for hisrole in constructing the simple groupof order 604800 = 27 × 33 × 52 × 7as well as numerous advances in

combinatorics. A brief autobiography is on pages367–374 of Duran, Askey, and Merzbach [5]. Hallnotes that Howard Engstrom (1902–1962) gavehim much help with his Ph.D. thesis at Yale in1934–1936 and later urged him to work in Naval In-telligence (actually in the foreign communicationsunit Op-20-G).

I was in a research division and got to seework in all areas, from the Japanese codesto the German Enigma machine which AlanTuring had begun to attack in England. Imade significant results on both of theseareas. During 1944 I spent six monthsat the British Headquarters in Bletchley.Here there was a galaxy of mathematicaltalent including Hugh Alexander the chesschampion and Henry Whitehead the eminenttopologist…

Burroughs, Lieberman, and Reeds [2] clarified thework of Op-20-G on the Enigma in a contributionto the obituary of Andrew Gleason (1921–2008).Unfortunately the surviving records scarcely allo-cate credit to individuals. Hall was one of aboutten core members of a team of about thirty not farfrom being another galaxy of mathematical talent.See Christenson [3].

Peter Donovan is retired from the mathematics departmentof the University of New South Wales in Sydney, Australia.His email address is p.donovan@unsw.edu.au.

DOI: http://dx.doi.org/10.1090/noti1090

The statistician Edward Simpson led the JN-25team (“party”) at Bletchley Park from 1943 to 1945.His now declassified general history [12] of thisactivity noted that, in November 1943:

[CDR Howard Engstrom, U.S.N.] gave usthe first news we had heard of a methodof testing the correctness of the relativesetting of two messages using only theproperty of divisibility by three of the codegroups [5-groups is the usage of this paper].The method was known as Hall’s weightsand was a useful insurance policy just incase JN-25 ever became more difficult. Hepromised to send us a write-up of it.

The JN-25 series of ciphers, used by the JapaneseNavy (I.J.N.) from 1939 to 1945, was the mostimportant source of communications intelligenceto the WW2 Allies in the Pacific.

Alan Turing’s Work on Applied ProbabilityThe centenary of the birth of Alan Turing (1912–1954) was extensively publicized in the popular andsemipopular media. His contributions to appliedprobability theory and the central role this playedin WW2 cryptology were substantially overlooked.In fact, Jack Good published two papers ([6] and[7]) which set out the technical aspects of hiswork. Good had been Turing’s assistant for a whilein his Bletchley Park years. Some analysis of theuse made of this work in WW2 cryptology is nowpossible.

The greatest achievement of WW2 Allied cryp-tology was the breaking of the German encryptedteleprinter (teletype, teletypewriter), called Tunnyby the cryptologists. Eventually this was handled

258 Notices of the AMS Volume 61, Number 3

by the celebrated Colossus device, an (almost) elec-tronic machine that replaced the optical punchedtape-based Robinson. Good, Michie, and Timms [8]wrote a detailed account of this achievement in1945. For present purposes the key sentence is:

The fact that Tunny can be broken at alldepends upon the fact that P , χ, Ψ ′, Kand D have marked statistical, periodic orlinguistic characteristics which distinguishthem from random sequences of letters.

This report states elsewhere that the methodinvolved, using logarithmic Bayesian “weights”and Turing’s decibans, originated in the NavalCryptology unit. Hugh Alexander in [1] leaves nodoubt as to who was the dominant figure in workon Naval Enigma at Bletchley.

It is possible, but quite laborious, for anyonewith appropriate skills to extract from [8] the sub-stance of Turing’s work on (Bayesian) probabilitybeing applied to cryptology. However, the recentdeclassification of his working paper [14] (circaAugust 1941) on the subject helps considerably. Auseful commentary on this point has been writtenby Zabell [16].

Andrew Hodges records on page 243 of hiswell-known book [9] that, around December 1942,Gleason and Turing were eating in a Washingtonrestaurant. They discussed:

…statistical problems, such as that of howbest to estimate the total number of taxicabsin a town, having seen a random selectionof their licence numbers.

The theory needed for this “German tank” problemis Bayesian. One may speculate that this led to theinitiative described by Ruggles and Brodie [10] in1947:

In early 1943 the Economic Warfare Divisionof the American Embassy in London startedto analyse markings and serial numbersobtained from captured German equipmentin order to obtain estimates of German warproduction and strength.

Ruggles and Brodie show that interest in this matterwas developing in the United States independentlyof Turing. Gleason’s role in this matter is notclear. In 1958–1960 I undertook the basic militarytraining then commonly available for Australianboys aged fifteen to seventeen and was fascinatedby the range of information engraved on the WW2rifles used.

The statistician Edward Simpson was transferredto work on JN-25 at Bletchley Park in 1943. In 2010he wrote an account [11] of this work, entitledBayes at Bletchley Park. It explains the role of someof this material in decrypting Enigma traffic also.

The version of the Bayes Theorem needed forassessing whether a potential decryption should

be accepted and also for Hall weights is as follows.Suppose that it is known that exactly one of thetwo hypotheses S and T is valid and independentruns are made of an experiment whose outputis an element of a finite set K. It is known that,if S holds, then for k ∈ K the probability ofthe outcome being k is σk, while if T holds theprobability is τk. Suppose that the experiment isrunN =

∑k nk times with nk occurrences of output

k. Let p0 denote the “prior” probability (before theexperiments) that S holds. Likewise let pN denotethe “posterior” probability (after the results of theexperiments are available) that S holds. Then

logβ (pN/(1− pN))

= logβ (p0/(1− p0))+∑knk logβ (σk/τk) .

Here the logarithms can be taken to any convenientbase β > 1. Once β is chosen, the logβ (σi/τi)terms are known as “weights of evidence” orjust “weights”. Initially Turing advocated usinglogarithms to the base β = 10

√10 and named the

dimensionless unit of weight the “deciban”. Thesewere rounded to the nearest half. Later Goodpointed out that it was easier to take β = 20

√10

and so to work with the half deciban or “hdb”.Another option is to take β = 100

√10 and thus use

the “centiban”. The lack of modern calculatingdevices at the time made some rounding of thelogarithms essential.

In general it is clear from the formula that if p0

is quite small, then quite a lot of strong evidenceis needed to make pN large enough so that S ishighly likely.

Additive Ciphers. The JN-25 SystemsA description of the structure of the JN-25 ciphersystems is needed in any explanation of the taskfaced by those trying to break them. The underlyingalgebraic structure of an abelian group A (hereof order 100,000) and a subset S (here of order33,334 and not invariant under all automorphismsofA) is quite unorthodox.

The word “group” was used in the communica-tions community in the sense of a string of lettersor digits. These had a fixed standard length deter-mined by the context. To avoid confusion, stringsof 5 digits are here called 5-groups. The setA of5-groups has an evident abelian group structurespecified by what was then called “noncarrying” or“false” addition.

There is a natural way to use 5-groups asa reasonably secure communications system. Alist of words and/or phrases intended for use isprepared. A different 5-group, the code 5-group,is allocated to each. A long random table (the“table of additives”) of 50,000 (say) 5-groups isgenerated somehow and copied out on 500 serially

March 2014 Notices of the AMS 259

numbered pages with ten rows each of ten ofthese 5-groups on each page. (This note uses theword “random” loosely. All the underlying samplespaces are finite.) The message is written outin plain language on the first of four lines of asuitable form. The corresponding code 5-groupsare written out on the line immediately below.A starting 5-group in the table of additives israndomly chosen. Consecutive 5-groups from thetable beginning at the chosen 5-group are thenwritten out on a third line, and the noncarryingsums (“code” + “additive”) are then calculatedand written on the fourth line. These were calledGATs, or 5-Groups As Transmitted. The proposedrecipient would need to be able to reverse thisprocess and so needed to be able to recover thestarting point. Information for this purpose wascalled the indicator or indicators and was sentas part of the message encoded, encrypted, orperhaps concealed among the GATs. Better still,two or all three of these methods of keeping theindicator secure would be superimposed.

The security of such a cipher system dependsupon the indicators being unbreakable, the tableof additives being replaced reasonably frequently,and the code book being replaced perhaps ratherless often. The frequencies of occurrence of thecommon code 5-groups should be reduced byallocation of alternative code 5-groups to commonwords and/or phrases in use. Ideally there wouldbe calculation of the maximum secure life of thesesystems. In practice, distribution of replacementcipher material presented problems. An army inretreat would sometimes allow its cryptographicmaterial to be captured. Dice or suchlike were littleused in the making of “random” choices, and sothese choices were much less random than theyshould have been.

The allocation of code 5-groups is best donein a patternless or random way. The I.J.N. didnot choose its JN-25 code 5-groups randomly butinstead limited itself to scannable 5-groups. In theU.S.N. jargon of the day, a 5-group was said to bescannable if the sum of its digits was a multipleof three. The subset S ⊂ A of scannable 5-groupshas 33,334 elements. Simpson used the alternativephrase “divisible by three”.

Initially we assume that the indicator systemof the JN-25 cipher under attack can be decoded,decrypted, or located as may be necessary. (Asthis was the case in November 1943, the theory ofHall weights was just an “insurance policy” beingkept in reserve.) It is then possible to have 1,000large pieces of paper (“depth sheets”) printed withfifty reasonably wide columns and perhaps thirtyrows on each. This gives 50,000 columns, one foreach 5-group in the table of additives. Interceptedmessages can then be written out on a line with

each GAT in the appropriate column. The task isnow recovery of the additive involved.

The word “column” was sometimes replacedby “depth”: the intercepted signals were then saidto be “placed in depth”. Confusingly, the word“depth” was also used for the number of differentGATs in a column. A column would thus contain Ndistinct 5-groups x1,x2, . . . ,xN where xk = yk + aand where yk is scannable for 1 ≤ k ≤ N and a isan unknown 5-group. If d denotes the depth, thenN ≤ d. Occasionally duplication (a “hit” or “click”)occurred and then N < d.

A potential decryption is then any 5-group b suchthat xk − b is scannable for each k. Anachronisticlarge-scale random sampling shows that for variousN (line 1 in the table below) the probability UNthat a column with N distinct GATs has a uniquepotential decryption, the average number AN ofpotential decryptions, and the least number LNsuch that 90% of samples have at most LN potentialdecryptions are shown on lines two, three, andfour respectively.

N 7 8 9 10 11 12 16 20UN 0% 0% 1% 3% 6% 11% 42% 68%AN 148 73.2 38.4 21.7 13.3 8.6 2.7 1.6LN 318 164 87 49 30 19 5 2

Hence only 68% of columns with twenty distinctGATs can be deciphered in isolation. However, whatcan be done in attacking a new JN-25 system is toexamine those columns containing sixteen or moredistinct GATs to identify which of these have uniquedecryptions. This gives provisional statistics onthe frequency of occurrence of common code5-groups to the cryptologists, who would havehad some, admittedly imprecise, knowledge of theabove table. Details on how to get started on a newJN-25 system are slurred over here. This phasewould then work on the columns of greater depthto select potential decryptions b for which severalof the “stripped” 5-groups xi − b are common.

Turing’s 1941 exposition [14] on the use ofprobability theory in cryptanalysis compares thegeneral task of finding the correct decryption tolooking for a needle in a haystack. The limitationthat all code 5-groups are scannable reduced thesize of the haystack (if, for example, N = 10,the haystacks average 21.7 potential decryptionsrather than 100,000) and so materially helped withthe logβ (p0/(1− p0)) term in the Bayes formula.

My paper [4] describes how, between August1939 and February 1940, Turing and a few col-leagues assisted in developing a method to discoverpotential decryptions of columns of smaller depththat contain common decrypted 5-groups xi − b.In fact, there is another method which (usually)was more productive. Turing was involved in early1940 in designing the first version of a special

260 Notices of the AMS Volume 61, Number 3

purpose desk calculator for handling the searchfor potential decryptions. By December 1942 theU.S.N. had an elaborate powered version (the “fruitmachine”) being manufactured in Dayton, Ohio.The paper gives a contrived example of one useof such a device. The following text in a report(December 1942) was written by Turing and quotedin [4]:

SUBTRACTOR MACHINE. At Dayton we alsosaw a machine for aiding one in the recoveryof subtractor [5-]groups when messageshave been set in depth. It enables one to setup all the cipher [5-]groups in a column ofthe material, and to add subtractor 5-groupsto them all simultaneously. By having thedigits coloured white, red or blue accordingto the remainders they leave on division bythree it is possible to check quickly whetherthe resulting book [code] [5-]groups havedigits adding up to a multiple of 3 as theyshould with the cipher to which they willapply it most. A rather similar machine wasmade by Letchworth for us in early 1940,and, although not nearly so convenient asthis model, has been used quite a lot Ibelieve.

The naval facility in Pensacola, Florida, has adisplay (small museum) which has one of thesefruit machines. The words “I believe” here refer towork carried out in Singapore, later Manila, andlater still elsewhere and so not readily accessible toTuring. Yet he was kept informed to some extent.

The admittedly minimal evidence of Turing’sinvolvement is not restricted to this text. The seniorcryptologist John Tiltman (1894–1982), headingthe first team working on JN-25, did write up somereminiscences [13] for the internal use of the NSA.These include:

I have no knowledge of higher mathematicsand my grasp of probability is instinctiveand quite unsound, but I am not too proudto ask for help and, when I have done so,have not often been misled.

Turing’s report shows incidentally that theBletchley Park mathematicians missed the use ofcolored background in speeding up the determina-tion of divisibility by three. The aim is to arrangethings so that the number of reds is congruentmodulo 3 to the number of blues in each sum5-group. This is somewhat reminiscent of the taskof being given a graph drawn on a sphere withthree edges meeting at each node, allocating acolor (either red or blue) to each node so that thenumber of red nodes on the boundary of each faceis congruent modulo 3 to the number of blue nodes.This task is a variant of the four-color theorem!

Ph

oto

by

Jose

ph

Mak

sin

.

“Fruit machine” displayed in Pensacola, Florida.

Breaking a Cipher Piece by PieceTuring’s report [14] discusses in detail the breakingof a cipher piece by piece rather than attempting toget the full solution in one calculation. This is thestrategy implicit in the device mentioned above.It uses pre-existing knowledge of the commoncode 5-groups. The cryptologist would attempt torecover the original code 5-groups by finding theadditive for each column. The task of recoveringthe plain language corresponding to a given code5-group would be carried out one by one.

Passing by the methods of finding reasonablepotential decryptions, the question remains, whenshould a potential decryption of a column of depthd = 10 (say) be accepted? There was considerableurgency at the time. It was accepted that a(hopefully) modest proportion of decryptionswould be wrong, but (hopefully) most of thesewould be corrected when further messages usingthat part of the additive table turned up. Itseems that the clerical staff used simple scoringsystems such as: “For depths of ten, accept anypotential decryption that yields at least threepoints. Here a point is awarded for each of the onehundred most common code 5-groups appearingin the proposed decryption and for each piece ofhorizontal evidence obtained.” In this reasoningthe occasional duplicating GAT in a column isnot disregarded but instead contributes to thecalculated score.

A typical piece of “horizontal” evidence ariseswhen the previous column has been decryptedwith the common code 5-group 12345 being found.It is known that the common code 5-group 45678often follows 12345 in signals. Hence a potentialdecryption in which 45678 occurs immediately tothe right of 12345 is more likely to be correct.

March 2014 Notices of the AMS 261

One could argue that a better scoring systemwould award three points for any decrypted code5-group in the most common twenty, two forany decrypted code group in the next twenty,one for common code 5-groups from forty-oneto one hundred, and two for strong horizontalevidence. The word weight was used for a numberof points in such a system. The threshold “at leastthree points” would then need adjustment. Anyproposed scoring system for depths of (say) tencould be tested on the top ten GATs in columnswith (say) sixteen or more GATs for which thecorrect decryption is known with high reliability.

Turing may well have sought rationality behindsuch scoring systems in 1940 and 1941, eventuallyproducing the extremely important use ([11] and[14]) of Bayesian methods in cryptology. Of courseany reconstruction of the thought processes thatresulted in [14] is totally speculative. Quite inde-pendent work on sequential analysis was goingon elsewhere. For example, Abraham Wald’s 1945paper [15] describes work carried out in 1943 andcontains (page 121) the remarkable paragraph:

Because of the substantial savings in theexpected number of observations effectedby the sequential probability ratio test, andbecause of the simplicity of this test inpractical applications, the National DefenseResearch Committee considered these de-velopments sufficiently useful for the wareffort to make it desirable to keep theseresults out of the reach of the enemy, atleast for a certain period of time. The au-thor was, therefore, requested to submithis report in a restricted report which wasdated September 1943. In this report thesequential probability ratio test is devisedand its mathematical theory is developed.

The above discussion disregards the matterof getting started on a new JN-25 system. Hereanalysis of the initial traffic cannot be carried outpiece by piece. One method is to accumulate depthswhich have unique decryptions and use them toget information on the common code 5-groups. Itis in fact possible to use about seventy columns ofdepths at least thirteen to get an initial impressionof what are the common code 5-groups. Thisdepends upon the frequencies of occurrence beingreasonably close to what happened historically.The details are not given here. Upgrading thestatistics as more and more columns are decryptedmust have been an essential part of the process.

Bayesian Methods in Decrypting JN-25ColumnsIn this section K is the set of 33,334 scannable5-groups. Hypothesis T is “the potential decryption

is incorrect,” and so the τk are all equal; indeedτk = 1/33334 for all k. For the one hundred(or thereabouts) most frequently occurring code5-groups k, the frequency σk is taken to be thatobtained from decryptions already made. For otherscannable 5-groups k the observed frequencywould be a less reliable statistic. It was foundeasiest to just take σk = 1/33334 for such k:at least this avoided the need to calculate withnegative weights.

General reference needs to be made to EdwardSimpson’s 2010 account [11] of work carried out atBletchley Park in 1943–1945 decrypting columnsof JN-25 with depths as low as six. In essence itused the above method of exploiting the availabledata.

The anonymous NARA archive RG0457, entryA1 9032, box 578, file 1391 of March 1945 givesinformation on the success in attacking various JN-25 systems. Code book B was used in conjunctionwith additive table 7 from August 1, 1941, toDecember 3, 1941, that is, in the four monthsleading up to the raid on the Pearl Harbor Naval andAir Force facilities. It is noted that this combination(JN-25B7) received quite heavy use. Joint workbetween the American naval unit “Cast” in thePhilippines and the British unit FECB in Singaporemanaged to recover 35,761 additives out of 50,000.The report notes that some of the 35,761 wouldbe incorrect. The combination JN-25B8 (December4, 1941, to May 27, 1942) had been attacked by theunit at Hawaii as well, and so 47,340 additives hadbeen recovered.

Hall WeightsThe Hall weights originate in the observation that, ifthe characteristic χ(abcde)of the 5-groupabcde isdefined to be a+b+c+d+e interpreted modulo 10,then the proportions qj of scannable 5-groups withcharacteristic j are far from equal. Indeed, carefulcalculation reveals that q9 = q6 = 925/33334,q2 = q3 = 1780/33334, q5 = q0 = 3247/33334,q8 = q7 = 4840/33334, q1 = q4 = 5875/33334. Itis far from clear why Hall or anyone else thoughtthat this was worth examining.

The real-valued function j , qj defined on thecyclic group of order 10 necessarily has a 10-termexpansion in terms of sines and cosines. Thefunctional equation qj = q5−j implies that five ofthese terms are zero. Simple calculation yields thefollowing, which is correct to five decimal places:

qj ≈ .10000− .00007 cos(2πj/5)− .00250 cos(4πj/5)− .00001 sin(πj/5)+ .07808 sin(3πj/5).

The approximate formulaqj≈.100+.078 sin(3πj/5)is too attractive to be left out of this account.

262 Notices of the AMS Volume 61, Number 3

Suppose d is reasonably large, say d > 16;yk, 1 ≤ k ≤ d, are randomly chosen scannable5-groups; and a is a randomly selected 5-group.Then the distribution of values of the χ(yk + a)may be calculated and expanded in terms of sinesand cosines. The coefficients of cos(3πj/5) andsin(3πj/5) may then be used to indicate the mostlikely value(s) of χ(a). One can use a table ofvalues of the inverse tangent function to assist indecryption!

The formula χ(x+ a)− χ(y+ a) = χ(x)− χ(y)motivates the calculation of the probability σk ofthe difference χ(x)− χ(y) being k as x and y varyover the 33,3342 possible pairs (x,y). These arerational numbers with denominator 33,3342 givenas the sums

∑j qjqk+j . The functional equation

σk = σ−k is then implied by the earlier qn = q5−n.The values of σk are then given to six decimalplaces in the second column of either table below.In the previous notation S is the hypothesis thattwo intercepts are in alignment, while T is thehypothesis that they are not. The set K is now theset of ten digits and τk = 1/10 for all k in theabove logarithmic Bayes formula.

k= 0 0.130510 2.31288 21, 9 0.090556 -0.86162 -12, 8 0.075352 -2.45808 -23, 7 0.124667 1.91503 24, 6 0.109393 0.77980 15 0.069553 -3.15368 -3

The third column in this table gives the Hall weightslogβ(10σk) in half decibans (so with β = 20

√10),

while the fourth gives rounded values of these.These roundings lose quite a lot of precision.

k=0 0.130510 30.0009 301, 9 0.090556 -11.1762 -112, 8 0.075352 -31.8843 -323, 7 0.124667 24.8403 254, 6 0.109393 10.1148 105 0.069553 -40.9070 -41

In this table β is taken to be exp(3/338). Thethird column in the right-hand table gives instead(338/3) log(10σk), and the rounded values aregiven in the fourth column. Much less precisionis lost. The choice β = exp(3/338) may be moreaesthetic than historical.

Now suppose we are trying to test “the correct-ness of the relative setting of two messages usingonly the property of divisibility by three of the code5-groups.” So here the two messages are writtenout on successive lines of a form, one directlybelow the other. There are two hypotheses: S beingthat the relative setting is correct and T beingthat it is incorrect. If S holds, then the probabilitythat χ

((x+ a)− (y+ a)

)= χ(x)− χ(y) = k is σk,

while otherwise—that is, if T holds—it is just 1/10.At one stage in 1944 it was possible to work outthe page part of the current JN-25 indicators butnot the line or column part. Thus we now assumethat the two messages which are being tested forcorrect alignment were encrypted starting on thesame page of the table of additives. As there was abias towards starting on the left half of the pageand also a bias towards starting on the top half, theinitial p0 in the formula is about 2/100 rather than1/100. Thus the logarithmic prior term is about(338/3) log

((1/50)/(49/50)

)≈ −438, and so the

Hall weight formula has the totally surprisingDiophantine approximation

(338/3) log (pN/(1− pN))≈ −438+ 30n0 − 11(n1 + n9)− 32(n2 + n8)+ 25(n3 + n7)+ 10(n4 + n6)− 41n5.

In practice the staff working with this formulawould be given just a threshold, that is, a minimumacceptable value for the expression 30n0 + . . . −41n5.

The initial deficit of −438 looks somewhatdaunting, but the last paragraph glosses over thetrue situation. The aim is not to set two JN-25messages in alignment, but rather at least sixmessages and hopefully at least seventeen if thedecryption process is ever to get started. Anothercircumstance would be the discovery of two signalswith “double hits”, that is, the same pair of GATsoccurring in each separated by the same number ofother GATs. The Copperhead I device searched fordouble hits, which would make the “correctnessof the relative setting” much more likely. This isnot the place to develop a detailed account of thetheory.

The operators handling JN-25 encryption inWW2 were instructed to tail , that is, to choose thestarting point for the first signal in a new additivetable randomly and then start each subsequentencryption immediately after the previous onefinished. However, not all of them read the in-structions. Once detected, this practice helped thecryptologists both with breaking indicator encryp-tion systems and with getting long concatenationsof intercepts to put in depth.

The reader seeking a challenge may wish towork out the appropriate modifications of thesecalculations if, instead of using only multiples ofthree, the I.J.N. had used only multiples of nine ormultiples of eleven.

The Historical SignificanceThis note has avoided much historical detailabout JN-25. For example, the 1945 report HW43/34 on the system JN-25L53 in the BritishNational Archives has over one hundred pages

March 2014 Notices of the AMS 263

and includes a glossary (of jargon). The authorswere J. W. S. Cassels and E. H. Simpson. It has alsoslurred over the difference between Hall weightsand the associated Shinn weights. However, muchof the more important mathematical aspects arementioned above.

The decryption and decoding of JN-25B in 1941–1942 undoubtedly turned around the naval war inthe Pacific. Decryption of Enigma was extremelyuseful in the air battle over Britain and later in theBattle of the Atlantic. Also, the 1944 invasion ofNormandy needed confirmation from high-levelencrypted teleprinter traffic that the deceptionactivities had in fact succeeded. Turing’s work onBayesian methods in cryptology permeated all ofthese activities.

Another well-known “insurance” discovery ofthe era did pay off handsomely. In February to April1940 at Bletchley Park the talented mathematicsstudent John Herivel developed a technique torecover likely settings of the Enigma encryptionmachine then used by the German Army and AirForce. This was not needed while an unsoundindicator encryption practice was in use butcame into its own in May 1940. The “bombe”device, designed by Turing and Gordon Welchmanfollowing an earlier Polish version, took over fourmonths later. Meanwhile the Battle of Britain hadto be fought.

The “insurance policy” of Hall weights became“useful” in 1944, and by then the U.S.N. had amassive preponderance on, under, and over thePacific Ocean. Getting back into JN-25 withoutreading the indicators was very slow work. Ingeneral, JN-25 was much less productive as asource of intelligence in 1944–1945. However, Hallweights were an elegant method that did help indetecting alignments. Hall was justified in callingthem a “significant contribution”.

The Recordsearch facility of the NationalArchives of Australia may be used to locateand read online a report entitled Japanese NavalOrder of Battle compiled in June 1944 by the JointIntelligence Center Pacific Ocean Area, a predeces-sor of the NSA based in Hawaii. This documentcontains around ninety-five pages of informationassembled by the center, mostly from interceptedradio communications.

AcknowledgmentThis work depends much on a program of research-ing the communications intelligence aspects of thePacific War jointly with John Mack.

References[1] C. H. O’D. Alexander, Cryptologic History of the Ger-

man Naval Enigma, British National Archives HW 25/7,GC&CS report, 1945.

[2] J. Burroughs, D. Lieberman, and J. Reeds, Thesecret life of Andrew Gleason, Notices of the Amer-ican Mathematical Society 56 (November 2009),1239–1243.

[3] C. Christensen, U.S. Naval cryptologic mathemati-cians during World War II, Cryptologia 35 (3) (2011),267–276.

[4] Peter Donovan, The flaw in the JN-25 series ofciphers, Cryptologia 28 (4) (2004), 325–340.

[5] Peter Duren, Richard Askey, and Uta Merzbach, ACentury of Mathematics in America, Vol. 1, AmericanMathematical Society, Providence, RI, 1989.

[6] I. Jack Good, A. M. Turing’s statistical work in WorldWar II, Biometrika 66 (1979), no. 2, 393–396.

[7] , Turing’s anticipation of empirical Bayes inconnection with the cryptanalysis of the naval Enigma,Journal of Statistical Computation and Stimulation 66(2) (2000), 101–111.

[8] I. Jack Good, Donald Michie, and Geoffrey Timms,General Report on Tunny , British National ArchivesHW 25/4, GC&CS report, 1945.

[9] Andrew Hodges, Alan Turing: The Enigma, Burnett,1983.

[10] Richard Ruggles and H. Brodie, An empirical ap-proach to economic intelligence in WW2, Journal ofthe American Statistical Association 42 (March 1947),72–91.

[11] Edward Simpson, Bayes at Bletchley Park, Significance7 (2) (2010), 76–80.

[12] , History of the Fleet General Purpose System(JN-25) Cryptographic Party , British National ArchivesHW 8/149, GC&CS report, 1945.

[13] John Tiltman, Reminiscences, N.A.R.A. RG0457, entryA1 9032, box 1417, file 4632.

[14] Alan Turing, The Applications of Probability to Cryp-tology , British National Archives HW 25/37, GC&CSreport, 1941.

[15] Abraham Wald, Sequential tests of statistical hy-potheses, Annals of Mathematical Statistics 16 (2)(1945), 117–186.

[16] S. Zabell, Commentary on Alan M. Turing: The appli-cations of probability to cryptography, Cryptologia 36(3) (2012), 191–214.

264 Notices of the AMS Volume 61, Number 3