The Math Behind Enigma

By Michael Doornbos

January 8, 2026 - 16 minutes read - 3202 words

The Enigma machine fascinates me. It was a genuine marvel of 1920s engineering—entirely mechanical, small enough to fit in a wooden box, and simple enough that a soldier with minimal training could operate it in the field. No computers, no electronics beyond a battery for the indicator lamps. Just gears, rotors, and wires. And yet it produced encryption that no human could crack by hand. For its time, it was revolutionary.

And yet the Allies broke it repeatedly throughout the war. Not because the Germans were stupid—they weren’t. They did the math. The numbers were astronomical. But the codebreakers were smarter.

Let’s dig into those numbers and see what they missed.

Enigma machine

How Enigma Works

Imagine a typewriter, but instead of printing the letter you press, a different letter lights up on a panel. That’s Enigma from the outside. The magic is what happens in between.

You press A. An electrical signal travels through a cable to the plugboard—a patch panel on the front where you can swap pairs of letters with cables. If A is plugged into Q, the signal becomes Q before it goes any further.

Next, the signal enters the rotors—three (or four) spinning wheels with scrambled wiring inside. Each rotor transforms the letter into something else. The signal passes through all of them, one after another.

Then it hits the reflector at the back, which bounces the signal back through all the rotors again—but on a different path. This is why Enigma could use the same settings for both encryption and decryption. It’s also why a letter can never encrypt to itself: press A, and you’ll never get A as the output. Remember this—it becomes important later.

Finally, the signal passes through the plugboard one more time and lights up a lamp. You press A, and maybe M lights up.

Here’s the clever part: every time you press a key, at least one rotor clicks forward like an odometer. Press A again, and this time you might get T. The rotors have moved, so the entire scrambling path has changed.

This is what made Enigma so powerful. The same letter never encrypts the same way twice. Write “HELLO,” and you might get “XQZPM”—no repeated letters even though there are two L’s. To anyone intercepting the message, there’s no obvious pattern to exploit.

The Numbers Game

There were about a dozen Enigma variants during WWII, but we’ll focus on four that show how the complexity evolved over time.

Commercial Enigma (1923)

The original Enigma was built for business communications. Banks and corporations wanted secure messaging, and Enigma offered something that seemed impossible to crack.

The setup was simple:

3 rotors (fixed order)
1 reflector
No plugboard

Here’s where the math starts:

Rotor starting positions: Each rotor can start at any of 26 positions (A-Z), so that’s $26^3 = 17,576$ combinations.

Ring settings: Each rotor has an internal ring with 26 positions. Another $26^3 = 17,576$ combinations.

Rotor arrangement: With 3 rotors in fixed positions, there are $6$ possible arrangements.

Total: $6 \times 17,576 \times 17,576 = 1,853,494,656$

Nearly 2 billion combinations. In the 1920s, that seemed insurmountable for manual cryptanalysis. But the military wanted more.

Wehrmacht Enigma I (1930s)

The German Army looked at the commercial Enigma and decided 2 billion wasn’t enough. Their solution: the plugboard (Steckerbrett).

The plugboard lets you swap pairs of letters before and after the rotor encryption. Connect A to Z, and every A becomes Z (and vice versa) before the rotors even touch it.

With 6 pairs connected:

Choose 12 letters from 26: $\binom{26}{12}$
Pair them up: $\frac{11!!}{6!}$ ways
Plugboard combinations: 139,433,043

Total: $6 \times 17,576 \times 17,576 \times 139,433,043 = 2.58 \times 10^{17}$

That’s 139 million times more complex than the commercial version. You can see why German cryptographers began to feel confident. The Army was happy. The Navy? Not so much.

Navy M3 (1934)

The Kriegsmarine had different requirements. U-boats operating in the Atlantic needed even stronger encryption—if their codes were broken, entire wolf packs could be wiped out. So they added more rotors to choose from.

Instead of 3 fixed rotors, operators could now pick 3 from a set of 5 (labeled I through V). That’s $P(5,3) = 60$ possible arrangements.

They also standardized on 10 plugboard pairs, which gives 150,738,274,937,250 combinations.

Total: $60 \times 17,576 \times 17,576 \times 150,738,274,937,250 = 2.79 \times 10^{24}$

We’re now in the septillions. For a few years, this was enough. Then the war turned serious.

Enigma M4 “Shark” (1942)

By 1942, the Battle of the Atlantic was in full swing. U-boats were Germany’s best weapon against Allied supply lines, and the Navy knew the British were getting suspiciously good at finding their submarines. Time for an upgrade.

The M4 added a fourth rotor. This was the machine that caused the famous 10-month blackout at Bletchley Park—the secret British codebreaking headquarters where thousands of cryptanalysts, linguists, and engineers worked around the clock to crack Axis communications.

8 rotors to choose from (I-VIII) for the main 3 positions
2 thin rotors (Beta or Gamma) for the fourth position
2 thin reflectors
10 plugboard pairs

Total: $336 \times 456,976 \times 456,976 \times 2 \times 150,738,274,937,250 = 1.88 \times 10^{25}$

That’s roughly $2^{76}$ in modern terms. To put this in perspective:

Model	Combinations	vs. Commercial
Commercial (1923)	$1.85 \times 10^{09}$	1x
Wehrmacht I (1930s)	$2.58 \times 10^{17}$	139,000,000x
Navy M3 (1934)	$2.79 \times 10^{24}$	1,500,000,000,000,000x
Navy M4 (1942)	$1.88 \times 10^{25}$	10,000,000,000,000,000x

So Why Did It Fail?

Here’s what the Germans missed: big numbers don’t mean much if your algorithm has patterns.

The Polish Breakthrough

The first people to crack Enigma weren’t the British—they were Polish mathematicians, and they did it in 1932. What Marian Rejewski accomplished borders on miraculous: using only intercepted messages and mathematical analysis, he reconstructed the internal wiring of the rotors.

He’d never seen an Enigma machine. He deduced its secrets from pure pattern analysis.

Think about that for a second. He’d never even seen one.

Rejewski realized he didn’t need to brute-force the entire keyspace. The plugboard was actually the easiest part to ignore—it just swapped letters. The rotors were where the real action happened, and rotor movement followed predictable mechanical patterns that mathematics could unravel.

What Turing Exploited

Alan Turing was a British mathematician who had already made foundational contributions to computer science before the war—his theoretical “Turing machine” defined what computation itself means. At Bletchley Park, he turned that theoretical brilliance toward a practical problem: breaking Enigma.

Turing’s Bombe didn’t try to search $10^{24}$ possibilities. That would have taken longer than the age of the universe. Instead, it exploited weaknesses:

Cribs - The Germans loved routine. Weather reports started with “WETTER” (weather). Military messages had predictable formats. If you could guess part of the plaintext, you had a way in.
The no-self rule - Enigma never encrypted a letter as itself. A never became A. This sounds like a security feature, but it actually eliminated possibilities and gave codebreakers a powerful filter.
Operator laziness - Some operators used the same settings repeatedly. Others chose obvious starting positions like “AAA” or their girlfriend’s initials. (Seriously.)
Captured materials - Codebooks grabbed from sinking U-boats provided cribs and sometimes daily settings.

The Bombe

So how did Turing actually use these weaknesses? He built a machine—and in doing so, helped invent the modern concept of automated computation.

The Bombe was an electromechanical device that tested possible Enigma settings at superhuman speed. Given a crib—a guess that some plaintext corresponded to some ciphertext—the Bombe would work backward to find rotor positions that could produce that relationship.

Here’s the brilliant trick: instead of testing each of the $10^{24}$ settings, the Bombe tested logical contradictions.

Think of it like Sudoku. You don’t solve Sudoku by trying every possible number in every cell—you solve it by noticing that if this cell is a 5, then that cell can’t be a 5, which means this other cell must be a 3, and so on. One assumption ripples through the whole puzzle. If you hit a contradiction, your assumption was wrong.

The Bombe worked the same way. If a rotor setting implied that a letter encrypted to itself—impossible with Enigma, remember?—that setting was wrong. The machine could ripple through the logical consequences of each guess at superhuman speed, eliminating impossibilities until only the answer remained. Turing turned Enigma’s design strength into a fatal weakness.

Gordon Welchman improved the design with his “diagonal board,” which dramatically increased the Bombe’s efficiency. A single Bombe had 36 sets of simulated Enigma rotors spinning in parallel. By war’s end, Bletchley Park had over 200 Bombes running around the clock, operated mostly by WRNS (Women’s Royal Naval Service). Each machine was about 6 feet tall, weighed a ton, and sounded like a room full of knitting needles.

The Bombe didn’t break Enigma through brute force—it broke Enigma by being smarter about what not to try. It was a masterpiece of applied mathematics.

The Codebook Raids

This one deserves its own section because it’s often overlooked. The British Navy conducted secret boardings of U-boats and weather ships, and their primary goal wasn’t to capture Enigma machines—it was to grab the codebooks.

The Germans used several codebooks alongside Enigma:

Kurzsignalheft - A short signal codebook that compressed tactical messages before encryption. “Enemy convoy spotted” might become just “UGKU.” This kept transmissions under 20 seconds to avoid radio direction finding.
Wetterkurzschlüssel - Weather short signal book. Weather reports were gold for codebreakers because they were predictable and sent daily.
Kenngruppenbuch - The K-Book, used to conceal message settings in the indicator groups.

Navy codebooks were printed in red, water-soluble ink on pink paper so crews could destroy them quickly if captured. (A 1944 Kurzsignalheft sold at auction for £87,000—they expected £7,000.)

The most famous capture came from U-559 in October 1942. Lieutenant Anthony Fasson and Able Seaman Colin Grazier boarded the sinking submarine and retrieved the Wetterkurzschlüssel and Kurzsignalheft. Both drowned when the U-boat sank. They were posthumously awarded the George Cross.

Without those codebooks, Bletchley Park might never have broken the four-rotor M4 Enigma before D-Day. The short signal books provided the cribs needed to crack Shark—the U-boat cipher that had gone dark for ten months.

The M4 Crisis

When the Navy switched to four-rotor Enigma in February 1942, Bletchley Park went dark on U-boat traffic for ten months. Ten months during the worst of the Battle of the Atlantic.

The existing three-rotor Bombes couldn’t handle M4. New machines had to be designed and built. Ships sank while engineers worked.

This is what cryptographic complexity should look like—a change that actually breaks the attack.

But even M4 fell eventually. Here’s why: that fourth rotor was a thin rotor wedged between the reflector and the other three. Unlike the main rotors, it didn’t step with each keypress. Operators would set it once at the start of the day and leave it there.

Why not make it step? Backward compatibility. The Navy needed U-boats to communicate with shore stations and other vessels still using three-rotor M3 machines. The M4 used the exact same stepping mechanism as the M3—only three pawls to advance rotors. They squeezed in a thin fourth rotor and thin reflector without adding a fourth pawl, because they wanted to keep the same housing. So the fourth rotor literally couldn’t move during encryption. Set it at the start, and it stayed put until you changed it manually.

So the fourth rotor was essentially a fixed scrambling layer. It made things harder, but it didn’t add the constantly-changing complexity that made the main rotors so powerful. Once codebreakers figured out the fourth rotor’s position (only 26 possibilities), they were back to cracking a three-rotor machine. The Germans chose operational convenience over maximum security. Sound familiar?

The Modern Comparison

How does Enigma compare to what we use today?

Cipher	Key Space	Status
Enigma M4	$\approx 2^{76}$	Broken (1940s, with cribs)
DES (1970s)	$2^{56}$	Broken (1990s, brute force)
AES-128	$2^{128}$	Secure
AES-256	$2^{256}$	Quantum-resistant
ECC P-256	$2^{128}$ security	Secure (quantum-vulnerable)
Curve25519	$2^{128}$ security	Secure (quantum-vulnerable)
ML-KEM (Kyber)	$2^{128}$+ security	Post-quantum secure
ML-DSA (Dilithium)	$2^{128}$+ security	Post-quantum secure

Enigma’s keyspace was actually larger than DES, which we used for decades. The difference is that DES didn’t have Enigma’s structural weaknesses. (DES had its own problems, but that’s another post.)

Elliptic curve cryptography achieves the same security level as AES-128 with much smaller keys. But like RSA, ECC will fall to quantum computers running Shor’s algorithm.

The post-quantum algorithms NIST standardized in 2024—ML-KEM (formerly Kyber) for key exchange and ML-DSA (formerly Dilithium) for signatures—are based on lattice problems that resist quantum attacks. The tradeoff? Key sizes. A Kyber public key is about 1,500 bytes. The Germans fitting their entire cipher system into a portable wooden box would have been horrified.

What Enigma Teaches Us

Every time I look at an Enigma—whether it’s a museum piece, a replica, or an emulator—I’m struck by how each component represents a design decision that was clever at the time:

The rotors create polyalphabetic substitution. Good idea.
The plugboard adds another layer. Also good.
The reflector makes the machine reversible (same settings for encrypt and decrypt). Convenient, but it’s why no letter encrypts to itself.
The stepping mechanism is purely mechanical. Predictable.

The Germans built a machine optimized for usability in the field. It had to be portable, reliable, and operable by trained soldiers—not mathematicians. Those constraints created the weaknesses that broke it.

What Would Have Saved Them

Here’s what keeps cryptographers up at night: Enigma could have been much harder to break with a few simple changes. None of these required technology the Germans didn’t have.

Remove the reflector. This is the big one. The reflector made Enigma convenient—same settings for encrypt and decrypt—but it guaranteed that no letter ever encrypted to itself. That single property gave codebreakers an incredibly powerful filter when testing cribs. The British Typex machine, based on Enigma, used a non-reciprocal design and was never broken.

Irregular rotor stepping. Enigma’s rotors stepped like an odometer—predictable mechanical movement. The Swiss NEMA machine used irregular stepping controlled by additional notched wheels. Much harder to analyze.

Step all rotors. Only the rightmost rotor stepped with each keypress. The middle and left rotors barely moved during a typical message. If all three (or four) rotors stepped frequently, the mathematical patterns the Poles exploited would have been far harder to find.

Allow field-rewirable rotors. The internal wiring of each rotor was fixed at the factory. If operators could change the wiring—even just swap the positions of a few contacts—the keyspace would have exploded.

Don’t repeat the message key. Early Enigma procedures had operators encrypt the three-letter message key twice at the start of each transmission. This repetition gave Marian Rejewski the pattern he needed to deduce the rotor wiring. When the Germans finally stopped this practice in 1940, it was too late—the Poles had already handed everything to the British.

The frustrating truth? The procedural fixes would have cost nothing—just enforce better discipline. The mechanical changes would have required redesign, but nothing beyond 1930s engineering. The Germans did make incremental improvements over the years, but they never addressed the fundamental flaws. They were so confident in the astronomical keyspace that when Allied successes happened, they blamed spies and direction-finding rather than cryptanalysis. They had the math right. They just couldn’t imagine anyone building something like the Bombe.

Getting Hands-On

You don’t need to spend six figures on an original Enigma to explore how it works. A working M4 sold for 440,000 USD at Christie’s in 2025, and even three-rotor models fetch 200,000 USD or more. There are better options.

See the Real Thing

If you want to see (and sometimes operate) actual Enigma machines:

Bletchley Park (Milton Keynes, UK) - The obvious pilgrimage. This is where it all happened, and they have the largest collection of Enigma machines in the world. The adjacent National Museum of Computing has a working Enigma you can watch being demonstrated, plus a functioning Bombe replica.

NSA National Cryptologic Museum (Fort Meade, Maryland) - Two Enigma machines you can actually operate yourself. Free admission, and tours are led by retired NSA employees. Reopened in 2022 after renovations.

International Spy Museum (Washington, D.C.) - Has an Enigma among its collection of espionage artifacts.

International Museum of World War II (Natick, Massachusetts) - Seven Enigma machines, including a rare four-rotor U-boat model and one of only three surviving Enigmas with a printer attachment. Two are hands-on.

National WWII Museum (New Orleans) - Has an Enigma on display in their extensive WWII collection.

Other locations include the Science Museum in London, the Polish Army Museum in Warsaw, and the Deutsches Museum in Munich.

Build Your Own: Enigma Touch

I have an Enigma Touch from Obsolescence Guaranteed, and it’s become one of my favorite toys. It’s a fully functional electronic replica—no mechanical parts, but historically accurate encryption compatible with all military Enigma variants.

Enigma touch

The clever bit: it works as a USB keyboard. Type on the capacitive keys, and the encrypted output goes straight into whatever app you’re using. Email, chat, whatever. The plugboard cables are included, so you get the full experience of setting up a day’s cipher configuration.

There’s even a speaker that plays samples of the original mechanical sounds. Unnecessary? Absolutely. Do I love it? Also yes.

Software: Browser Emulators

If you want to try before you buy (or just explore), there are excellent browser-based simulators:

Virtual Enigma - A beautiful 3D simulation that runs in your browser. Supports both the three-rotor Enigma I (Army/Luftwaffe) and the four-rotor M4 (Navy). Released on Alan Turing’s 109th birthday in 2021. This is the one I recommend.

101 Computing Enigma Emulator - Simpler interface, great for education. Replicates the M3 with UKW-B reflector.

Enigma Simulation - JavaScript implementation with support for the Enigma-Uhr attachment when you use 10+ plugboard connections.

Enigma Codebook Tool - Generates authentic-looking code sheets with random daily settings for Wehrmacht, M3, and M4 variants. Want to run your own Enigma network with friends? This creates the monthly key tables you’d need.

Try encrypting a message, then set up the same configuration and decrypt it. That reversibility—the thing that made Enigma practical in the field—is the same property that helped break it.

Appendix: Checking the Math

For those who want to verify:

$$\text{Total} = P(\text{rotors}) \times \text{Positions} \times \text{Rings} \times \text{Reflectors} \times \text{Plugboard}$$

Wehrmacht I (6 pairs):

$$6 \times 17,576 \times 17,576 \times 1 \times 139,433,043 = 2.58 \times 10^{17}$$

Navy M3 (10 pairs):

$$60 \times 17,576 \times 17,576 \times 1 \times 150,738,274,937,250 = 2.79 \times 10^{24}$$

Navy M4 (10 pairs):

$$336 \times 456,976 \times 456,976 \times 2 \times 150,738,274,937,250 = 1.88 \times 10^{25}$$

Key formulas:

Rotor permutations: $\frac{n!}{(n-k)!}$
Position combinations: $26^k$
Plugboard (p pairs): $\binom{26}{2p} \times \frac{(2p-1)!!}{p!}$

The math behind the Enigma machine—why the Germans thought it was unbreakable, and why they were wrong.