M-209 (Hagelin C-38)
The US Army's portable WWII pin-and-lug cipher machine
Why This Matters
Boris Hagelin's C-38 design, sold to the US Army as the M-209, became the standard tactical cipher of American forces in WWII. Compact (about the size of a hardcover book), it weighed 2.7 kg and ran without electricity — a clerk operated it by hand, advancing a wheel and reading off ciphertext one letter at a time. Hagelin became the first millionaire in cryptography from this single contract.
Hagelin's family company — Cryptoteknik in Stockholm — had been producing pin-and-lug machines since the 1920s. When Germany invaded Norway in 1940, Hagelin escaped to the United States with the C-38 design rolled up under his arm. The US Signal Corps bought it, mass-produced it as the M-209, and shipped 140,000 units to the front lines. The cipher was known to be vulnerable to skilled cryptanalysis (German B-Dienst broke many M-209 messages), so it was used only for tactical traffic — operational orders meant to be obsolete within hours of being intercepted.
Six pinwheels with co-prime lengths (26, 25, 23, 21, 19, 17) advance one position per letter. Each wheel has tiny pins around its edge, set to "active" or "inactive" by the operator. A bank of 27 lug bars reads which wheels are currently active and produces a number K from 0 to 27 — the key shift for the current letter. Encryption uses a Beaufort transformation:
cipher = (K - plaintext) mod 26

Because the wheel lengths are pairwise co-prime, the key sequence has period 26 × 25 × 23 × 21 × 19 × 17 = 101,405,850 letters before repeating.
If an attacker knows or guesses the plaintext of a message (a stereotyped opening, known place name, time stamp), the resulting key stream constrains the lug settings. German cryptanalysts in WWII broke many M-209 messages this way, though it took hours per message.
Because the key is a sum of binary signals modulo 26, certain shift values are over- or under-represented. With enough ciphertext, a statistical attack on the key distribution recovers the lug count for each wheel.
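The keystream generator and Beaufort step described above, plus the uneven distribution of shift values noted in the last paragraph, as an added Python sketch (not code from the original exhibit page). The lug model (each bar carrying 0 to 2 lugs and counting once if any of them faces an active wheel), the function names, the seeded key and the sample message are assumptions made for illustration.

```python
from collections import Counter
from functools import reduce
from math import gcd
import random

WHEEL_LENGTHS = (26, 25, 23, 21, 19, 17)  # pinwheel sizes given on the page
NUM_BARS = 27                             # lug bars, so K ranges over 0..27

def make_key(seed):
    """Constructed sample key: random pins; each bar carries 0-2 lugs (assumed model)."""
    rng = random.Random(seed)
    pins = [[rng.random() < 0.5 for _ in range(n)] for n in WHEEL_LENGTHS]
    bars = [frozenset(rng.sample(range(6), rng.choice((0, 1, 2))))
            for _ in range(NUM_BARS)]
    return pins, bars

def key_shift(pins, bars, step):
    """K = number of bars with a lug facing a wheel whose current pin is active."""
    active = {w for w, wheel in enumerate(pins) if wheel[step % len(wheel)]}
    return sum(1 for bar in bars if bar & active)

def crypt(text, pins, bars):
    """Beaufort step from the page: cipher = (K - plaintext) mod 26. A-Z input only."""
    out = []
    for step, ch in enumerate(text):
        k = key_shift(pins, bars, step)
        out.append(chr((k - (ord(ch) - 65)) % 26 + 65))
    return "".join(out)

def wheel_period():
    """Steps until all six wheels return to their start position together."""
    return reduce(lambda a, b: a * b // gcd(a, b), WHEEL_LENGTHS)

def shift_counts(pins, bars, steps):
    """Histogram of K mod 26 over the first `steps` letters of keystream."""
    return Counter(key_shift(pins, bars, s) % 26 for s in range(steps))

if __name__ == "__main__":
    pins, bars = make_key(seed=1942)          # constructed key, not a historical one
    msg = "MEETZATZNOON"                      # constructed sample plaintext
    ct = crypt(msg, pins, bars)
    print(ct, crypt(ct, pins, bars) == msg)   # the same function decrypts
    print(wheel_period())
    print(sorted(shift_counts(pins, bars, 5000).items()))
```

The histogram printed at the end is far from flat, which is the skew in shift values that the paragraph above describes.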
| Concept from M-209 (Hagelin C-38) | Modern Evolution |
|---|---|
| Pin-and-lug as keystream generator | Modern LFSR (linear feedback shift register) stream ciphers |
| Co-prime period maximization | Same trick used in pseudo-random number generators today |
| Beaufort involution | Encryption and decryption use the same operation |

| Attribute | Value |
|---|---|
| Exhibit | 45 of 49 |
| Era | World War II · 1940 |
| Security | Strong (tactical) |
| Inventor | Boris Hagelin (Sweden) |
| Year | 1940 (US Army adoption) |
| Production | ~140,000 units (Smith Corona, US) |
| Key Type | 6 pinwheels (lengths 26, 25, 23, 21, 19, 17) + 27 lug bars |
| Period | 101,405,850 letters (LCM of wheel lengths) |
| Modern Lesson | Mechanical key streams need long periods |
The M-209 belongs to the broader Hagelin line (C-36, C-38/BC-38, and M-209). These pin-and-lug pocket machines traded top-tier security for field practicality and became the standard tactical wheel ciphers for multiple armies.
Later Hagelin successors became part of the Crypto AG ecosystem connected to Operation Rubicon, where intelligence services reportedly leveraged supply-chain influence for cryptanalytic advantage.