The Scandalous History of the Last Rotor Cipher Machine

How this gadget figured in the shady Rubicon spy case

15 min read
The HX-63 cipher machine

The HX-63 cipher machine is an electromechanical, rotor-based system designed and built by Crypto AG.
The machine uses nine rotors [center right] to encrypt messages. A dual paper-tape printer is at the upper left.


Growing up in New York City, I always wanted to be a spy. But when I graduated from college in January 1968, the Cold War and Vietnam War were raging, and spying seemed like a risky career choice. So I became an electrical engineer, working on real-time spectrum analyzers for a U.S. defense contractor.

In 1976, during a visit to the Polish Army Museum in Warsaw, I saw an Enigma, the famous German World War II cipher machine. I was fascinated. Some years later, I had the good fortune of visiting the huge headquarters of the cipher machine company Crypto AG (CAG), in Steinhausen, Switzerland, and befriending a high-level cryptographer there. My friend gave me an internal history of the company written by its founder, Boris Hagelin. It mentioned a 1963 cipher machine, the HX-63.

Like the Enigma, the HX-63 was an electromechanical cipher system known as a rotor machine. It was the only electromechanical rotor machine ever built by CAG, and it was much more advanced and secure than even the famous Enigmas. In fact, it was arguably the most secure rotor machine ever built. I longed to get my hands on one, but I doubted I ever would.

Fast forward to 2010. I'm in a dingy third subbasement at a French military communications base. Accompanied by two-star generals and communications officers, I enter a secured room filled with ancient military radios and cipher machines. Voilà! I am amazed to see a Crypto AG HX-63, unrecognized for decades and consigned to a dusty, dimly lit shelf.

I carefully extract the 16-kilogram (35-pound) machine. There's a hand crank on the right side, enabling the machine to operate away from mains power. As I cautiously turn it, while typing on the mechanical keyboard, the nine rotors advance, and embossed printing wheels feebly strike a paper tape. I decided on the spot to do everything in my power to find an HX-63 that I could restore to working order.

If you've never heard of the HX-63 until just now, don't feel bad. Most professional cryptographers have never heard of it. Yet it was so secure that its invention alarmed William Friedman, one of the greatest cryptanalysts ever and, in the early 1950s, the first chief cryptologist of the U.S. National Security Agency (NSA). After reading a 1957 Hagelin patent (more on that later), Friedman realized that the HX-63, then under development, was, if anything, more secure than the NSA's own KL-7, then considered unbreakable. During the Cold War, the NSA built thousands of KL-7s, which were used by every U.S. military, diplomatic, and intelligence agency from 1952 to 1968.

The reasons for Friedman's anxiety are easy enough to understand. The HX-63 had about 10600 possible key combinations; in modern terms, that's equivalent to a 2,000-bit binary key. For comparison, the Advanced Encryption Standard, which is used today to protect sensitive information in government, banking, and many other sectors, typically uses a 128- or a 256-bit key.

A photo of the inside of the HX-63. In the center of the cast-aluminum base of the HX-63 cipher machine is a precision Swiss-made direct-current gear motor. Also visible is the power supply [lower right] and the function switch [left], which is used to select the operating mode—for example, encryption or decryption.Peter Adams

A photo of a series of rotors with numbers on them.  A total of 12 different rotors are available for the HX-63, of which nine are used at any one time. Current flows into one of 41 gold-plated contacts on the smaller-diameter side of the rotor, through a conductor inside the rotor, out through a gold-plated contact on the other side, and then into the next rotor. The incrementing of each rotor is programmed by setting pins, which are just visible in the horizontal rotor. Peter Adams

Just as worrisome was that CAG was a privately owned Swiss company, selling to any government, business, or individual. At the NSA, Friedman's job was to ensure that the U.S. government had access to the sensitive, encrypted communications of all governments and threats worldwide. But traffic encrypted by the HX-63 would be unbreakable.

Friedman and Hagelin were good friends. During World War II, Friedman had helped make Hagelin a very wealthy man by suggesting changes to one of Hagelin's cipher machines, which paved the way for the U.S. Army to license Hagelin's patents. The resulting machine, the M-209-B, became a workhorse during the war, with some 140,000 units fielded. During the 1950s, Friedman and Hagelin's close relationship led to a series of understandings collectively known as a “gentleman's agreement" between U.S. intelligence and the Swiss company. Hagelin agreed not to sell his most secure machines to countries specified by U.S. intelligence, which also got secret access to Crypto's machines, plans, sales records, and other data.

But in 1963, CAG started to market the HX-63, and Friedman became even more alarmed. He convinced Hagelin not to manufacture the new device, even though the machine had taken more than a decade to design and only about 15 had been built, most of them for the French army. However, 1963 was an interesting year in cryptography. Machine encryption was approaching a crossroads; it was starting to become clear that the future belonged to electronic encipherment. Even a great rotor machine like the HX-63 would soon be obsolete.

That was a challenge for CAG, which had never built an electronic cipher machine. Perhaps partly because of this, in 1966, the relationship among CAG, the NSA, and the CIA went to the next level. That year, the NSA delivered to its Swiss partner an electronic enciphering system that became the basis of a CAG machine called the H-460. Introduced in 1970, the machine was a failure. However, there were bigger changes afoot at CAG: That same year, the CIA and the German Federal Intelligence Service secretly acquired CAG for US $5.75 million. (Also in 1970, Hagelin's son Bo, who was the company's sales manager for the Americas and who had opposed the transaction, died in a car crash near Washington, D.C.)

Although the H-460 was a failure, it was succeeded by a machine called the H-4605, of which thousands were sold. The H-4605 was designed with NSA assistance. To generate random numbers, it used multiple shift registers based on the then-emerging technology of CMOS electronics. These numbers were not true random numbers, which never repeat, but rather pseudorandom numbers, which are generated by a mathematical algorithm from an initial “seed."

This mathematical algorithm was created by the NSA, which could therefore decrypt any messages enciphered by the machine. In common parlance, the machines were “backdoored." This was the start of a new era for CAG. From then on, its electronic machines, such as the HC-500 series, were secretly designed by the NSA, sometimes with the help of corporate partners such as Motorola. This U.S.-Swiss operation was code-named Rubicon. The backdooring of all CAG machines continued until 2018, when the company was liquidated.

Photo of a man at a desk with his hands on a cryptology device.

Photo of a man with glasses at a desk with his hands on a cryptology device.  William F. Friedman [top] dominated U.S. cryptology for over 40 years and was the first chief cryptologist of the U.S. National Security Agency. His friend Boris Hagelin [bottom], a brilliant Swedish inventor and entrepreneur, founded Crypto AG in 1952 in Zug, Switzerland, and built it into the world's largest cipher-machine company.TOP, U.S. ARMY; BOTTOM: CRYPTO AG

Parts of this story emerged in leaks by CAG employees before 2018 and, especially, in a subsequent investigation by the Washington Post and a pair of European broadcasters, Zweites Deutsches Fernsehen, in Germany, and Schweizer Radio und Fernsehen, in Switzerland. The Post's article, published on 11 February 2020, touched off firestorms in the fields of cryptology, information security, and intelligence.

The revelations badly damaged the Swiss reputation for discretion and dependability. They triggered civil and criminal litigation and an investigation by the Swiss government and, just this past May, led to the resignation of the Swiss intelligence chief Jean-Philippe Gaudin, who had fallen out with the defense minister over how the revelations had been handled. In fact, there's an interesting parallel to our modern era, in which backdoors are increasingly common and the FBI and other U.S. intelligence and law-enforcement agencies sporadically tussle with smartphone manufacturers over access to encrypted data on the phones.

Even before these revelations, I was deeply fascinated by the HX-63, the last of the great rotor machines. So I could scarcely believe my good fortune in 2020 when, after years of negotiations, I took possession of an HX-63 for my research for the Association des Réservistes du Chiffre et de la Sécurité de l'Information, a Paris-based professional organization of cryptographers and information-security specialists. This particular unit, different from the one I had seen a decade before, had been untouched since 1963. I immediately began to plan the restoration of this historically resonant machine.

People have been using codes and ciphers to protect sensitive information for a couple of thousand years. The first ciphers were based on hand calculations and tables. In 1467, a mechanical device that became known as the Alberti cipher wheel was introduced. Then, just after World War I, an enormous breakthrough occurred, one of the greatest in cryptographic history: Edward Hebern in the United States, Hugo Koch in the Netherlands, and Arthur Scherbius in Germany, within months of one another, patented electromechanical machines that used rotors to encipher messages. Thus began the era of the rotor machine. Scherbius's machine became the basis for the famous Enigma used by the German military from the 1930s until the end of WW II.

To understand how a rotor machine works, first recall the basic goal of cryptography: substituting each of the letters in a message, called plaintext, with other letters in order to produce an unreadable message, called ciphertext. It's not enough to make the same substitution every time—replacing every F with a Q, for example, and every K with an H. Such a monoalphabetic cipher would be easily solved.


A simple cipher machine, such as the Enigma machine used by the German Army during World War II, has three rotors, each with 26 positions. Each position corresponds to a letter of the alphabet. Electric current enters at a position on one side of the first rotor, corresponding to a letter, say T. The current travels through two other rotors in the same way and then, finally, exits the third rotor at a position that corresponds to a different letter, say R. So in this case, the letter T has been encrypted as R. The next time the operator strikes a key, one or more of the rotors move with respect to one another, so the next letter is encrypted with an entirely different set of permutations. In the Enigma cipher machines [below] a plugboard added a fixed scramble to the encipherment of the rotors, swapping up to 13 letter pairs.

Chris Philpot; SOURCE: JON D. PAUL

A rotor machine gets around that problem using—you guessed it—rotors. Start with a round disk that's roughly the diameter of a hockey puck, but thinner. On both sides of the disk, spaced evenly around the edge, are 26 metal contacts, each corresponding to a letter of the English alphabet. Inside the disk are wires connecting a contact on one side of the disk to a different one on the other side. The disk is connected electrically to a typewriter-like keyboard. When a user hits a key on the keyboard, say W, electric current flows to the W position on one side of the rotor. The current goes through a wire in the rotor and comes out at another position, say L. However, after that keystroke, the rotor rotates one or more positions. So the next time the user hits the W key, the letter will be encrypted not as L but rather as some other letter.

Though more challenging than simple substitution, such a basic, one-rotor machine would be child's play for a trained cryptanalyst to solve. So rotor machines used multiple rotors. Versions of the Enigma, for example, had either three rotors or four. In operation, each rotor moved at varying intervals with respect to the others: A keystroke could move one rotor or two, or all of them. Operators further complicated the encryption scheme by choosing from an assortment of rotors, each wired differently, to insert in their machine. Military Enigma machines also had a plugboard, which swapped specific pairs of letters both at the keyboard input and at the output lamps.

The rotor-machine era finally ended around 1970, with the advent of electronic and software encryption, although a Soviet rotor machine called Fialka was deployed well into the 1980s.

The HX-63 pushed the envelope of cryptography. For starters it has a bank of nine removable rotors. There's also a “modificator," an array of 41 rotary switches, each with 41 positions, that, like the plugboard on the Enigma, add another layer, an unchanging scramble, to the encryption. The unit I acquired has a cast-aluminum base, a power supply, a motor drive, a mechanical keyboard, and a paper-tape printer designed to display both the input text and either the enciphered or deciphered text. A function-control switch on the base switches among four modes: off, “clear" (test), encryption, and decryption.

In encryption mode, the operator types in the plaintext, and the encrypted message is printed out on the paper tape. Each plaintext letter typed into the keyboard is scrambled according to the many permutations of the rotor bank and modificator to yield the ciphertext letter. In decryption mode, the process is reversed. The user types in the encrypted message, and both the original and decrypted message are printed, character by character and side by side, on the paper tape.

A photo of the paper tape inside the HX-63 machine. While encrypting or decrypting a message, the HX-63 prints both the original and the encrypted message on paper tape. The blue wheels are made of an absorbent foam that soaks up ink and applies it to the embossed print wheels.Peter Adams

A photo of the rotors and the keys numbered 1-9 below it.  Beneath the nine rotors on the HX-63 are nine keys that unlock each rotor to set the initial rotor position before starting a message. That initial position is an important component of the cryptographic key.Peter Adams

To begin encrypting a message, you select nine rotors (out of 12) and set up the rotor pins that determine the stepping motion of the rotors relative to one another. Then you place the rotors in the machine in a specific order from right to left, and set each rotor in a specific starting position. Finally, you set each of the 41 modificator switches to a previously determined position. To decrypt the message, those same rotors and settings, along with those of the modificator, must be re-created in the receiver's identical machine. All of these positions, wirings, and settings of the rotors and of the modificator are collectively known as the key.

The HX-63 includes, in addition to the hand crank, a nickel-cadmium battery to run the rotor circuit and printer if no mains power is available. A 12-volt DC linear power supply runs the motor and printer and charges the battery. The precision 12-volt motor runs continuously, driving the rotors and the printer shaft through a reduction gear and a clutch. Pressing a key on the keyboard releases a mechanical stop, so the gear drive propels the machine through a single cycle, turning the shaft, which advances the rotors and prints a character.

The printer has two embossed alphabet wheels, which rotate on each keystroke and are stopped at the desired letter by four solenoids and ratchet mechanisms. Fed by output from the rotor bank and keyboard, mechanical shaft encoders sense the position of the alphabet printing wheels and stop the rotation at the required letter. Each alphabet wheel has its own encoder. One set prints the input on the left half of the paper tape; the other prints the output on the right side of the tape. After an alphabet wheel is stopped, a cam releases a print hammer, which strikes the paper tape against the embossed letter. At the last step the motor advances the paper tape, completing the cycle, and the machine is ready for the next letter.

As I began restoring the HX-63, I quickly realized the scope of the challenge. The plastic gears and rubber parts had deteriorated, to the point where the mechanical stress of motor-driven operation could easily destroy them. Replacement parts don't exist, so I had to build such parts myself.

After cleaning and lubricating the machine, I struck a few keys on the keyboard. I was delighted to see that all nine cipher rotors turned and the machine printed a few characters on the paper tape. But the printout was intermittently blank and distorted. I replaced the corroded nickel-cadmium battery and rewired the power transformer, then gradually applied AC power. To my amazement, the motor, rotors, and the printer worked for a few keystrokes. But suddenly there was a crash of gnashing gears, and broken plastic bits flew out of the machine. Printing stopped altogether, and my heartbeat nearly did too.

I decided to disassemble the HX-63 into modules: The rotor bank lifted off, then the printer. The base contains the keyboard, power supply, and controls. Deep inside the printer were four plastic “snubbers," which cushion and position the levers that stop the ratchet wheels at the indicated letter. These snubbers had disintegrated. Also, the foam disks that ink the alphabet wheels were decomposing, and gooey bits were clogging the alphabet wheels.

I made some happy, serendipitous finds. To rebuild the broken printer parts, I needed a dense rubber tube. I discovered that a widely available neoprene vacuum hose worked perfectly. Using a drill press and a steel rod as a mandrel, I cut the hose into precise, 10-millimeter sections. But the space deep within the printer, where the plastic snubbers are supposed to be, was blocked by many shafts and levers, which seemed too risky to remove and replace. So I used right-angle long-nosed pliers and dental tools to maneuver the new snubbers under the mechanism. After hours of deft surgery, I managed to install the snubbers.


The HX-63 has nine rotors and also uses a technique called reinjection. Each rotor has a set of conductors that connect each and every electrical contact on one side of the rotor with a different contact on the other side. For every rotor the pattern of these connections is unique. When the operator strikes a key on the keyboard, representing one of 26 letters, current travels through the set of nine rotors twice, once in each direction, and then through a separate set of 15 rotor contacts at least two times. This reinjection technique greatly increases the complexity of the cipher.

Illustration of the nine rotors and a detail of the rotor. Chris Philpot; SOURCE: JON D. PAUL

The ink wheels were made of an unusual porous foam. I tested many replacement materials, settling finally on a dense blue foam cylinder. Alas, it had a smooth, closed-cell surface that would not absorb ink, so I abraded the surface with rough sandpaper.

After a few more such fixes, I faced just one more snafu: a bad paper-tape jam. I had loaded a new roll of paper tape, but I did not realize that this roll had a slightly smaller core. The tape seized, tore, and jammed under the alphabet wheels, deeply buried and inaccessible. I was stymied—but then made a wonderful discovery. The HX-63 came with thin stainless-steel strips with serrated edges designed specifically to extract jammed paper tape. I finally cleared the jam, and the restoration was complete.

One of the reasons why the HX-63 was so fiendishly secure was a technique called reinjection, which increased its security exponentially. Rotors typically have a position for each letter of the alphabet they're designed to encrypt. So a typical rotor for English would have 26 positions. But the HX-63's rotors have 41 positions. That's because reinjection (also called reentry) uses extra circuit paths beyond those for the letters of the alphabet. In the HX-63, there are 15 additional paths.

Here's how reinjection worked in the HX-63. In encryption mode, current travels in one direction through all the rotors, each introducing a unique permutation. After exiting the last rotor, the current loops back through that same rotor to travel back through all the rotors in the opposite direction. However, as the current travels back through the rotors, it follows a different route, through the 15 additional circuit paths set aside for this purpose. The exact path depends not only on the wiring of the rotors but also on the positions of the 41 modificators. So the total number of possible circuit configurations is 26! x 15!, which equals about 5.2 x 10 38. And each of the nine rotors' internal connections can be rewired in 26! different ways. In addition, the incrementing of the rotors is controlled by a series of 41 mechanical pins. Put it all together and the total number of different key combinations is around 10600.

Such a complex cipher was not only unbreakable in the 1960s, it would be extremely difficult to crack even today. Reinjection was first used on the NSA's KL-7 rotor machine. The technique was invented during WW II by Albert W. Small, at the U.S. Army's Signal Intelligence Service. It was the subject of a secret patent that Small filed in 1944 and that was finally granted in 1961 (No. 2,984,700).

Meanwhile, in 1953, Hagelin applied for a U.S. patent for the technique, which he intended to use in what became the HX-63. Perhaps surprisingly, given that the technique was already the subject of a patent application by Small, Hagelin was granted his patent in 1957 (No. 2,802,047). Friedman, for his part, had been alarmed all along by Hagelin's use of reinjection, because the technique had been used in a whole series of vitally important U.S. cipher machines, and because it was a great threat to the NSA's ability to listen to government and military message traffic at will.

The series of meetings between Friedman and Hagelin that resulted in the cancellation of the HX-63 was mentioned in a 1977 biography of Friedman, The Man Who Broke Purple, by Ronald Clark, and it was further detailed in 2014 through a disclosure by the NSA's William F. Friedman Collection.

A man stading front of shelves filled with electronic devices. After a career as an electrical engineer and inventor, author Jon D. Paul now researches, writes, and lectures on the history of digital technology, especially encryption. In the 1970s he began collecting vintage electronic instruments, such as the Tektronix oscilloscopes and Hewlett-Packard spectrum analyzers seen here. Peter Adams

The revelation of Crypto AG's secret deals with U.S. intelligence may have caused a bitter scandal, but viewed from another angle, Rubicon was also one of the most successful espionage operations in history—and a forerunner of modern backdoors. Nowadays, it's not just intelligence agencies that are exploiting backdoors and eavesdropping on “secure" messages and transactions. Windows 10's “telemetry" function continuously monitors a user's activity and data. Nor are Apple Macs safe. Malware that allowed attackers to take control of a Mac has circulated from time to time; a notable example was Backdoor.MAC.Eleanor, around 2016. And in late 2020, the cybersecurity company FireEye disclosed that malware had opened up a backdoor in the SolarWinds Orion platform, used in supply-chain and government servers. The malware, called SUNBURST, was the first of a series of malware attacks on Orion. The full extent of the damage is still unknown.

The HX-63 machine I restored now works about as well as it did in 1963. I have yet to tire of the teletype-like motor sound and the clack-clack of the keyboard. Although I never realized my adolescent dream of being a secret agent, I am delighted by this little glimmer of that long-ago, glamorous world.

And there's even a postscript. I recently discovered that my contact at Crypto AG, whom I'll call “C," was also a security officer at the Swiss intelligence agencies. And so for decades, while working at the top levels of Crypto AG, “C" was a back channel to the CIA and Swiss intelligence agencies, and even had a CIA code name. My wry old Swiss friend had known everything all along!

This article appears in the September 2021 print issue as “The Last Rotor Machine."

To Probe Further

The Crypto AG affair was described in a pair of Swedish books. One of them was Borisprojektet : århundradets största spionkupp : NSA och ett svensk snille lurade en hel värld [translation: The Boris Project: The Biggest Spy Coup of the Century: NSA and a Swedish genius cheated an entire world], 2016, Sixten Svensson, Vaktelförlag, ISBN 978-91-982180-8-4.

Also, in 2020, Swiss editor and author Res Strehle published Verschlüsselt: Der Fall Hans Bühler [translation: Encrypted: The Hans Bühler Case], and later Operation Crypto. Die Schweiz im Dienst von CIA und BND [Operation Crypto: Switzerland in the Service of the CIA and BND].

The Conversation (2)
Rafael De Souza 01 Sep, 2021

Incredible article; somehow spy/cold war era technology is absolutely fascinating.

Oliver Huf 03 Sep, 2021

So now that the HX-63 and the KL-7 have beef declassified, is it possible to actually buy the machines??

Charging Rooms Can Power Devices Without Wires

New wireless charging technique can scale down to toolboxes, scale up to factories

3 min read
The University of Tokyo and Nature Electronics

Wireless power holds the promise of freeing devices from batteries and cables, but commercial systems are usually limited to charging stations. Now scientists have developed a way they say can safely charge devices anywhere in a room.

Moreover, "this approach could scale down to charging toolboxes and up to wireless charging warehouses," says study lead author Takuya Sasatani, an electrical and computer engineer at the University of Tokyo. In the future, it could also power implanted medical devices, "which currently have critical challenges in their power supply," he adds.

Keep Reading ↓ Show less

DARPA SubT Finals: Meet the Teams

How the eight Systems Track teams are approaching the final event

10 min read

This is it! This week, we're at the DARPA SubTerranean Challenge Finals in Louisville KY, where more than two dozen Systems Track and Virtual Track teams will compete for millions of dollars in prize money and being able to say "we won a DARPA challenge," which is of course priceless.

We've been following SubT for years, from Tunnel Circuit to Urban Circuit to Cave (non-) Circuit. For a recent recap, have a look at this post-cave pre-final article that includes an interview with SubT Program Manager Tim Chung, but if you don't have time for that, the TLDR is that this week we're looking at both a Virtual Track as well as a Systems Track with physical robots on a real course. The Systems Track teams spent Monday checking in at the Louisville Mega Cavern competition site, and we asked each team to tell us about how they've been preparing, what they think will be most challenging, and what makes them unique.

Keep Reading ↓ Show less

Trending Stories

The most-read stories on IEEE Spectrum right now