Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

6.2 Hill Ciphers

This section is not needed for understanding the rest of the chapter. It is included as an example of a block cipher.

In this section, we discuss the Hill cipher, which is a block cipher invented in 1929 by Lester Hill. It seems never to have been used much in practice. Its significance is that it was perhaps the first time that algebraic methods (linear algebra, modular arithmetic) were used in cryptography in an essential way. As we’ll see in later chapters, algebraic methods now occupy a central position in the subject.

Choose an integer $n$ $n$ , for example $n = 3$ $n = 3$ . The key is an $n \times n$ $n \times n$ matrix $M$ $M$ whose entries are integers mod 26. For example, let

M = (\begin{array}{ccc} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 11 & 9 & 8 \end{array}) .

$M = (\begin{array}{ccc} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 11 & 9 & 8 \end{array}) .$

The message is written as a series of row vectors. For example, if the message is abc, we change this to the single row vector $(0, 1, 2)$ $(0, 1, 2)$ . To encrypt, multiply the vector by the matrix (traditionally, the matrix appears on the right in the multiplication; multiplying on the left would yield a similar theory) and reduce mod 26:

(0, 1, 2) (\begin{matrix} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 11 & 9 & 8 \end{matrix}) \equiv \begin{matrix} (0, 23, 22) & (mod 26) . \end{matrix}

$(0, 1, 2) (\begin{matrix} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 11 & 9 & 8 \end{matrix}) \equiv \begin{matrix} (0, 23, 22) & (mod 26) . \end{matrix}$

Therefore, the ciphertext is AXW. (The fact that the first letter $a$ $a$ remained unchanged is a random occurrence; it is not a defect of the method.)

In order to decrypt, we need the determinant of $M$ $M$ to satisfy

\gcd (\det (M), 26) = 1.

$\gcd (\det (M), 26) = 1.$

This means that there is a matrix $N$ $N$ with integer entries such that $M N \equiv I (mod 26)$ $M N \equiv I (mod 26)$ , where $I$ $I$ is the $n \times n$ $n \times n$ identity matrix.

In our example, $det (M) = - 3$ $det (M) = - 3$ . The inverse of $M$ $M$ is

\frac{- 1}{3} (\begin{array}{ccc} - 14 & 11 & - 3 \\ 34 & - 25 & 6 \\ - 19 & 13 & - 3 \end{array}) .

$\frac{- 1}{3} (\begin{array}{ccc} - 14 & 11 & - 3 \\ 34 & - 25 & 6 \\ - 19 & 13 & - 3 \end{array}) .$

Since 17 is the inverse of $- 3$ $- 3$ mod 26, we replace $- 1 / 3$ $- 1 / 3$ by 17 and reduce mod 26 to obtain

N = (\begin{array}{ccc} 22 & 5 & 1 \\ 6 & 17 & 24 \\ 15 & 13 & 1 \end{array}) .

$N = (\begin{array}{ccc} 22 & 5 & 1 \\ 6 & 17 & 24 \\ 15 & 13 & 1 \end{array}) .$

The reader can check that $M N \equiv I (mod 26)$ $M N \equiv I (mod 26)$ .

For more on finding inverses of matrices mod $n$ $n$ , see Section 3.8. See also Example 15 in the Computer Appendices.

The decryption is accomplished by multiplying by $N$ $N$ , as follows:

(0, 23, 22) (\begin{matrix} 22 & 5 & 1 \\ 6 & 17 & 24 \\ 15 & 13 & 1 \end{matrix}) \equiv \begin{matrix} (0, 1, 2) & (mod 26) \end{matrix}

$(0, 23, 22) (\begin{matrix} 22 & 5 & 1 \\ 6 & 17 & 24 \\ 15 & 13 & 1 \end{matrix}) \equiv \begin{matrix} (0, 1, 2) & (mod 26) \end{matrix}$

In the general method with an $n \times n$ $n \times n$ matrix, break the plaintext into blocks of $n$ $n$ characters and change each block to a vector of $n$ $n$ integers between 0 and 25 using $a = 0, b = 1, \dots, z = 25$ $a = 0, b = 1, \dots, z = 25$ . For example, with the matrix $M$ $M$ as above, suppose our plaintext is

b l o c k c i p h e r .

$b l o c k c i p h e r .$

This becomes (we add an $x$ $x$ to fill the last space)

1 11 14 2 10 2 8 15 7 4 17 23.

$1 11 14 2 10 2 8 15 7 4 17 23.$

Now multiply each vector by $M$ $M$ , reduce the answer mod 26, and change back to letters:

\begin{array}{l} (1, 11, 14) M & = \begin{matrix} (199, 183, 181) \equiv (17, 1, 25) & (mod 26) = R B Z \end{matrix} \\ (2, 10, 2) M & = \begin{matrix} (64, 72, 82) \equiv (12, 20, 4) & (mod 26) = M U E, \end{matrix} \\ etc . \end{array}

$\begin{array}{l} (1, 11, 14) M & = \begin{matrix} (199, 183, 181) \equiv (17, 1, 25) & (mod 26) = R B Z \end{matrix} \\ (2, 10, 2) M & = \begin{matrix} (64, 72, 82) \equiv (12, 20, 4) & (mod 26) = M U E, \end{matrix} \\ etc . \end{array}$

In our case, the ciphertext is

R B Z M U E P Y O N O M .

$R B Z M U E P Y O N O M .$

It is easy to see that changing one letter of plaintext will usually change $n$ $n$ letters of ciphertext. For example, if $b l o c k$ $b l o c k$ is changed to $c l o c k$ $c l o c k$ , the first three letters of ciphertext change from $R B Z$ $R B Z$ to $S D C$ $S D C$ . This makes frequency counts less effective, though they are not impossible when $n$ $n$ is small. The frequencies of two-letter combinations, called digrams, and three-letter combinations, trigrams, have been computed. Beyond that, the number of combinations becomes too large (though tabulating the results for certain common combinations would not be difficult). Also, the frequencies of combinations are so low that it is hard to get meaningful data without a very large amount of text.

Now that we have the ciphertext, how do we decrypt? Simply break the ciphertext into blocks of length $n$ $n$ , change each to a vector, and multiply on the right by the inverse matrix $N$ $N$ . In our example, we have

R B Z = (17, 1, 25) \mapsto (17, 1, 25) N = (755, 427, 66) \equiv (1, 11, 14) = b l o,

$R B Z = (17, 1, 25) \mapsto (17, 1, 25) N = (755, 427, 66) \equiv (1, 11, 14) = b l o,$

and similarly for the remainder of the ciphertext.

For another example, see Example 21 in the Computer Appendices.

The Hill cipher is difficult to decrypt using only the ciphertext, but it succumbs easily to a known plaintext attack. If we do not know $n$ $n$ , we can try various values until we find the right one. So suppose $n$ $n$ is known. If we have $n$ $n$ of the blocks of plaintext of size $n$ $n$ , then we can use the plaintext and the corresponding ciphertext to obtain a matrix equation for $M$ $M$ (or for $N$ $N$ , which might be more useful). For example, suppose we know that $n = 2$ $n = 2$ and we have the plaintext

\begin{array}{rcl} h o w a r e y o u t o d a y = \\ 7 14 22 0 17 4 24 14 20 19 14 3 0 24 \end{array}

$\begin{array}{rcl} h o w a r e y o u t o d a y = \\ 7 14 22 0 17 4 24 14 20 19 14 3 0 24 \end{array}$

corresponding to the ciphertext

\begin{array}{rcl} Z W S E N I U S P L J V E U = \\ 25 22 18 4 13 8 20 18 15 11 9 21 4 20 \end{array}

$\begin{array}{rcl} Z W S E N I U S P L J V E U = \\ 25 22 18 4 13 8 20 18 15 11 9 21 4 20 \end{array}$

The first two blocks yield the matrix equation

(\begin{array}{cc} 7 & 14 \\ 22 & 0 \end{array}) (\begin{array}{cc} a & b \\ c & d \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 25 & 22 \\ 18 & 4 \end{array}) & (mod 26) . \end{matrix}

$(\begin{array}{cc} 7 & 14 \\ 22 & 0 \end{array}) (\begin{array}{cc} a & b \\ c & d \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 25 & 22 \\ 18 & 4 \end{array}) & (mod 26) . \end{matrix}$

Unfortunately, the matrix $(\begin{array}{cc} 7 & 14 \\ 22 & 0 \end{array})$ $(\begin{array}{cc} 7 & 14 \\ 22 & 0 \end{array})$ has determinant $- 308$ $- 308$ , which is not invertible mod 26 (though this matrix could be used to reduce greatly the number of choices for the encryption matrix). Therefore, we replace the last row of the equation, for example, by the fifth block to obtain

(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array}) (\begin{array}{cc} a & b \\ c & d \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 25 & 22 \\ 15 & 11 \end{array}) & (mod 26) . \end{matrix}

$(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array}) (\begin{array}{cc} a & b \\ c & d \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 25 & 22 \\ 15 & 11 \end{array}) & (mod 26) . \end{matrix}$

In this case, the matrix $(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array})$ $(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array})$ is invertible mod 26:

{(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array})}^{- 1} \equiv \begin{matrix} (\begin{array}{cc} 5 & 10 \\ 18 & 21 \end{array}) & (mod 26) . \end{matrix}

${(\begin{array}{cc} 7 & 14 \\ 20 & 19 \end{array})}^{- 1} \equiv \begin{matrix} (\begin{array}{cc} 5 & 10 \\ 18 & 21 \end{array}) & (mod 26) . \end{matrix}$

We obtain

M \equiv (\begin{array}{cc} 5 & 10 \\ 18 & 21 \end{array}) (\begin{array}{cc} 25 & 22 \\ 15 & 11 \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 15 & 12 \\ 11 & 3 \end{array}) & (mod 26) . \end{matrix}

$M \equiv (\begin{array}{cc} 5 & 10 \\ 18 & 21 \end{array}) (\begin{array}{cc} 25 & 22 \\ 15 & 11 \end{array}) \equiv \begin{matrix} (\begin{array}{cc} 15 & 12 \\ 11 & 3 \end{array}) & (mod 26) . \end{matrix}$

Because the Hill cipher is vulnerable to this attack, it cannot be regarded as being very strong.

A chosen plaintext attack proceeds by the same strategy, but is a little faster. Again, if you do not know $n$ $n$ , try various possibilities until one works. So suppose $n$ $n$ is known. Choose the first block of plaintext to be $b a a a \dots = 1000 \dots$ $b a a a \dots = 1000 \dots$ , the second to be $a b a a \dots = 0100 \dots$ $a b a a \dots = 0100 \dots$ , and continue through the $n th$ $n th$ block being $\dots a a a b = \dots 0001$ $\dots a a a b = \dots 0001$ . The blocks of ciphertext will be the rows of the matrix $M$ $M$ .

For a chosen ciphertext attack, use the same strategy as for chosen plaintext, where the choices now represent ciphertext. The resulting plaintext will be the rows of the inverse matrix $N$ $N$ .

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 6.2 Hill Ciphers

Create new playlist

Sign In

Sign Up

Table of Contents for
6.2 Hill Ciphers