Tiny Enigma – the solution

As a warm-up to our ESRC Festival of Social Science mini-series on Enigma, I posed a small series of cryptological challenges – a Tiny Enigma. Within the challenge is a sprinkling of clues, and in this post, I present the solutions to each stage, as well as a little insight into what the various clues meant.

This post is a walk-through of the solution to the Tiny Enigma challenge posted on the en clair Twitter account from the 08th of October 2019 onwards. If you’re coming to this some time in October 2019 and you’re still trying to solve the puzzle, this contains ALL THE SPOILERS. If you’re coming to this weeks or months after November 2019, the original content has probably been removed so many links won’t work any more. To keep the integrity, where possible I’ve copied, pasted, and included original images and whatnot.

Challenge #1: Hail Caesar

The challenge opens with a tweet that reads, simply:


Classic cryptanalysis requires spotting patterns, and something that many people will have noticed in that tweet is this: jhv:kwwsv://zzz.odq. Using your world knowledge, you might guess that this is a web address, and you will also probably know that most web addresses start with www, so instantly, you have one letter cracked. But then if you work backwards you can also guess that many web addresses start with http:// or https://, and in this case, kwwsv has a repeated-W which is probably the repeated T. So, now you have H, P, S, T, and W. From here, you can actually crack this whole cipher just from this if you can derive the key from these five examples:

  • H became V
  • P became S
  • S became V
  • T became W
  • W became Z

The cryptanalyst is always looking for patterns, and the pattern here is that each letter of the plaintext alphabet has shifted forward three letters to produce the cipher alphabet. This is, in fact, a particularly famous (though as you can see, not a very secure!) cipher known as the Caesar Shift Cipher, so named because Caesar made much use of it. He also happened to favour the +3 key, where the cipher alphabet is created by shifting the plain alphabet along three, but of course, you could shift any number up to +25 or -25. In this case, since you now know that your Caesar Shift Cipher key is +3 all you need to do is reverse that process, and shift every letter in your cipher text back by three letters. From your key, you can easily work out the whole cipher alphabet:

Plain  alphabet: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher alphabet: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Thus you can now crack your first message:


Then you just need to reinsert your missing spaces:

Welcome to en clair's tiny enigma. You have 25 days to
solve a series of cryptological challenges:

Oooh, a link! Onto the next challenge.

Challenge #2: Hydra

This link takes us to the next rendezvous point: a page entitled Enigma – Hydra. Because this challenge was launched before the Enigma episodes went out, and because lots of people didn’t know what the miniseries was going to be on, Hydra was in fact a clue about the upcoming topic. Hydra was the name given to the second version (M2) of the Enigma machine (there were many versions) and so this indicating an increasing level of difficulty.

The Enigma – Hydra page is black with green writing that reads as follows:

So far so good, 009, but can you get any further?

And that, it appears, is that.

Or is it?

This page uses the age-old art of steganography, and in particular, “invisible ink”. Just underneath that sentence, in black writing on this black page, is the following:


So what is this all about? Well, it links to a file called, unsurprisingly, triton.png, held at the following address: https://www.lancaster.ac.uk/fass/media/forge/triton.png. If the link is clicked it will probably show a picture that looks something like this:

Note: I AM A REPLICA OF THE ORIGINAL, so I don't work!

Note: I AM A REPLICA OF THE ORIGINAL, so I don’t work!

Depending on your device, the real image at the link might cut off at the error, or it might not show at all. Whether you can see some, all, or none of the image at all, the error is actually deliberate. This is a clue to the third part of the challenge.

Challenge #3: Triton

What is Triton all about, you ask? Well, that’s the name of the next iteration of the Enigma Machine – the M3 and then M4, which upgraded to such high levels of encryption, the resultant Enigma cipher all but defeated the British cryptanalysts during World War II. In other words, if you’ve got to Triton, you’ve hit the hardest part of the challenge so far. So now what do you do?

Well, triton.png is yet another steganographic puzzle. The error in the picture actually indicates that the file itself has been tampered with in some way. (Note: good steganographic images will not give away any indications that they contain extra, hidden information!) But how to get in? There are several solutions. The simplest is to change the file extension and open the file with a different piece of software. In this case, after creating the original .png, I changed the extension to .txt, opened it in a notepad, scrolled down, added in some extra content, saved it, and changed the extension back to .png. The picture was then slightly distorted, but in this case, that’s useful, since most people attempting this will be amateur cryptanalysts and the occasional pointer is useful. I could have modified it in such a way that no distortion showed but that seemed a little cruel.

So to reveal the steganography, you could effectively reverse the process:

  • Save the .png to your computer
  • Change the extension from .png to .txt
  • Open the .txt in some sort of notepad or text editor, scroll down, and see what you find…

There, about two third of the way down the file, after a lot of incomprehensible gibberish, you will suddenly see the following:

nR‘þ“l¦ÉI}é y9k.}lýOÖÏO‘=÷1s¬!atl’÷Š‚öÆO„9­Ü 3Œ*ZŠž´Ä‚
vržÞuôÙßÉDG"\á‑ k—ZçE'°‰"–L„ýûyX DNÖ£dfŒä±–Ã2wÛ6?
Ê£`½;êžó!ºZét%J„lI¼½&¶àâ©¥e¿n±­Ñ“Ò~~¸t‑×½&ÈÞ=ª~ ªöÙqø)
äKuàíüF:a¿Lô h:¢jVáÖËTÎ_¨ŸÂÃcljâfôI—òm$>~ö¯½Šž D‡e`

Well done, 009. You've come so far, but there is one
last challenge ahead.


.--- .-. .... --.. -- .-. .- -


Aha! Now all that remains is this very last step. Of course, you could go straight to the web address given, but then you would be prompted for a password, and after all this, the password isn’t going to be something simple, right?

Hmmm… so what are all those dots and dashes about…

Perhaps you guessed already, but if you didn’t, that’s a visual representation of Morse Code. The easiest solution here is to copy and paste the dots and dashes into an online Morse Code translator and it should produce for you eight letters, thus:


But what are those letters? They are the initials of four extraordinary cryptanalysts: Jerzy Różycki, Henryk Zyglaski, Marian Rejewksi, and Alan Turing. And if you want to know more about them, then listen to the November miniseries of en clair.

Validation protocol

Once inside the final site, you can find the validation protocol – the way to check in and let ECHQ know that you’ve cracked the code, but even this this follows an encryption method so that you can publicly validate your success without simply giving away the validation protocol key to everyone else.

Welcome to ECHQ!