![10.14 Cryptography 653
becomes
URPH ZDV QRW EXLOW LQ D GDB
Hill Ciphers A disadvantage of substitution ciphers is that they preserve the frequencies of individual
letters, making it relatively easy to break the code by statistical methods. One way to
overcome this problem is to divide the plaintext into groups of letters and encipher the
plaintext group by group, rather than one letter at a time. A system of cryptography
in which the plaintext is divided into sets of n letters, each of which is replaced by a
set of n cipher letters, is called a polygraphic system. In this section we will study a
class of polygraphic systems based on matrix transformations. [The ciphers that we will
discuss are called Hill ciphers after Lester S. Hill, who introduced them in two papers:
“Cryptography in an Algebraic Alphabet,” American Mathematical Monthly, 36 (June–
July 1929), pp. 306–312; and “Concerning Certain Linear Transformation Apparatus of
Cryptography,” American Mathematical Monthly, 38 (March 1931), pp. 135–154.]
In the discussion to follow, we assume that each plaintext and ciphertext letter except
Z is assigned the numerical value that specifies its position in the standard alphabet
(Table 1). For reasons that will become clear later, Z is assigned a value of zero.
Table 1
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
Q
17
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
0
In the simplest Hill ciphers, successive pairs of plaintext are transformed into cipher-
text by the following procedure:
Step 1. Choose a 2 × 2 matrix with integer entries
A =
!
a11 a12
a21 a22
"
to perform the encoding. Certain additional conditions on A will be imposed
later.
Step 2. Group successive plaintext letters into pairs, adding an arbitrary “dummy” letter
to fill out the last pair if the plaintext has an odd number of letters, and replace
each plaintext letter by its numerical value.
Step 3. Successively convert each plaintext pair p1p2 into a column vector
p =
!
p1
p2
"
and form the product Ap. We will call p a plaintext vector and Ap the corre-
sponding ciphertext vector.
Step 4. Convert each ciphertext vector into its alphabetic equivalent.
EXAMPLE 1 Hill Cipher of a Message
Use the matrix !
1 2
0 3
"
to obtain the Hill cipher for the plaintext message
I AM HIDING](https://image.slidesharecdn.com/27-equivalentundermodulo-27-oct-2020materiali27-oct-2020cryptography-230528183602-969b3f9d/85/27-Equivalent-under-modulo-27-Oct-2020Material_I_27-Oct-2020_Cryptography_-pdf-2-320.jpg)
![660 Chapter 10 Applications of Linear Algebra
Solution From Table 1, the numerical equivalent of the known plaintext is
DE AR
4 5 1 18
and the numerical equivalent of the corresponding ciphertext is
IO SB
9 15 19 2
so the corresponding plaintext and ciphertext vectors are
p1 =
!
4
5
"
↔ c1 =
!
9
15
"
p2 =
!
1
18
"
↔ c2 =
!
19
2
"
We want to reduce
C =
1
cT
1
cT
2
2
=
!
9 15
19 2
"
to I by elementary row operations and simultaneously apply these operations to
P =
1
pT
1
pT
2
2
=
!
4 5
1 18
"
to obtain (A−1
)T
(the transpose of the deciphering matrix). This can be accomplished by
adjoining P to the right of C and applying row operations to the resulting matrix [C | P ]
until the left side is reduced to I. The final matrix will then have the form [I | (A−1
)T
].
The computations can be carried out as follows:
!
9 15 4 5
19 2 1 18
"
We formed the matrix [C | P].
!
1 45 12 15
19 2 1 18
"
We multiplied the first row by 9−1
= 3.
!
1 19 12 15
19 2 1 18
"
We replaced 45 by its residue modulo 26.
!
1 19 12 15
0 −359 −227 −267
"
We added −19 times the first row to the second.
!
1 19 12 15
0 5 7 19
"
We replaced the entries in the second row by their
residues modulo 26.
!
1 19 12 15
0 1 147 399
"
We multiplied the second row by 5−1
= 21.
!
1 19 12 15
0 1 17 9
"
We replaced the entries in the second row by their
residues modulo 26.
!
1 0 −311 −156
0 1 17 9
"
We added −19 times the second row to the first.
!
1 0 1 0
0 1 17 9
"
We replaced the entries in the first row by their
residues modulo 26.
Thus,
(A−1
)T
=
!
1 0
17 9
"](https://image.slidesharecdn.com/27-equivalentundermodulo-27-oct-2020materiali27-oct-2020cryptography-230528183602-969b3f9d/85/27-Equivalent-under-modulo-27-Oct-2020Material_I_27-Oct-2020_Cryptography_-pdf-9-320.jpg)
![662 Chapter 10 Applications of Linear Algebra
Exercise Set 10.14
1. Obtain the Hill cipher of the message
DARK NIGHT
for each of the following enciphering matrices:
(a)
!
1 3
2 1
"
(b)
!
4 3
1 2
"
2. In each part determine whether the matrix is invertible mod-
ulo 26. If so, find its inverse modulo 26 and check your work
by verifying that AA−1
= A−1
A = I (mod 26).
(a) A =
!
9 1
7 2
"
(b) A =
!
3 1
5 3
"
(c) A =
!
8 11
1 9
"
(d) A =
!
2 1
1 7
"
(e) A =
!
3 1
6 2
"
(f) A =
!
1 8
1 3
"
3. Decode the message
SAKNOXAOJX
given that it is a Hill cipher with enciphering matrix
!
4 1
3 2
"
4. A Hill 2-cipher is intercepted that starts with the pairs
SL HK
Find the deciphering and enciphering matrices, given that the
plaintext is known to start with the word ARMY.
5. Decode the following Hill 2-cipher if the last four plaintext
letters are known to be ATOM.
LNGIHGYBVRENJYQO
6. Decode the following Hill 3-cipher if the first nine plaintext
letters are IHAVECOME:
HPAFQGGDUGDDHPGODYNOR
7. All of the results of this section can be generalized to the case
where the plaintext is a binary message; that is, it is a sequence
of 0’s and 1’s. In this case we do all of our modular arithmetic
using modulus 2 rather than modulus 26. Thus, for example,
1 + 1 = 0 (mod 2). Suppose we want to encrypt the message
110101111. Let us first break it into triplets to form the three
vectors
1
1
0
,
1
0
1
,
1
1
1
, and let us take
1 1 0
0 1 1
1 1 1
as our
enciphering matrix.
(a) Find the encoded message.
(b) Find the inverse modulo 2 of the enciphering matrix, and
verify that it decodes your encoded message.
8. If, in addition to the standard alphabet, a period, comma, and
question mark were allowed, then 29 plaintext and ciphertext
symbols would be available and all matrix arithmetic would
be done modulo 29. Under what conditions would a matrix
with entries in Z29 be invertible modulo 29?
9. Show that the modular equation 4x = 1 (mod 26) has no
solution in Z26 by successively substituting the values x =
0, 1, 2, . . . , 25.
10. (a) Let P and C be the matrices in Theorem 10.14.5. Show
that P = C(A−1
)T
.
(b) To prove Theorem 10.14.5, let E1, E2, . . . , En be the ele-
mentary matrices that correspond to the row operations
that reduce C to I, so
En · · · E2E1C = I
Show that
En · · · E2E1P = (A−1
)T
from which it follows that the same sequence of row oper-
ations that reduces C to I converts P to (A−1
)T
.
11. (a) If A is the enciphering matrix of a Hill n-cipher, show that
A−1
= (C−1
P)T
(mod 26)
where C and P are the matrices defined in Theorem
10.14.5.
(b) Instead of using Theorem 10.14.5 as in the text, find the
deciphering matrix A−1
of Example 8 by using the result
in part (a) and Equation (2) to compute C−1
. [Note: Al-
though this method is practical for Hill 2-ciphers, Theo-
rem 10.14.5 is more efficient for Hill n-ciphers with n > 2.]
Working withTechnology
The following exercises are designed to be solved using a technol-
ogy utility. Typically, this will be MATLAB, Mathematica, Maple,
Derive, or Mathcad, but it may also be some other type of linear
algebra software or a scientific calculator with some linear algebra
capabilities. For each exercise you will need to read the relevant
documentation for the particular utility you are using. The goal
of these exercises is to provide you with a basic proficiency with
your technology utility. Once you have mastered the techniques
in these exercises, you will be able to use your technology utility
to solve many of the problems in the regular exercise sets.
T1. Two integers that have no common factors (except 1) are
said to be relatively prime. Given a positive integer n, let Sn =
{a1, a2, a3, . . . , am}, where a1 < a2 < a3 < · · · < am, be the set
of all positive integers less than n and relatively prime to n. For
example, if n = 9, then
S9 = {a1, a2, a3, . . . , a6} = {1, 2, 4, 5, 7, 8}
(a) Construct a table consisting of n and Sn for n = 2, 3, . . . , 15,
and then compute
m
3
k=1
ak and
) m
3
k=1
ak
*
(mod n)](https://image.slidesharecdn.com/27-equivalentundermodulo-27-oct-2020materiali27-oct-2020cryptography-230528183602-969b3f9d/85/27-Equivalent-under-modulo-27-Oct-2020Material_I_27-Oct-2020_Cryptography_-pdf-11-320.jpg)
27-Equivalent under modulo-27-Oct-2020Material_I_27-Oct-2020_Cryptography_.pdf
- 1. 652 Chapter 10 Applications of Linear Algebra Compare your results to the formulas given in Exercise 1, if they apply. What can you conjecture about ! 1 1 1 2 "1 2 !(p) mod p when !(p) is even? T2. The eigenvalues and eigenvectors for the cat map matrix C = ! 1 1 1 2 " are λ1 = 3 + √ 5 2 , λ2 = 3 − √ 5 2 , v1 = 1 1 + √ 5 2 , v2 = 1 1 − √ 5 2 Using these eigenvalues and eigenvectors, we can define D = 3 + √ 5 2 0 0 3 − √ 5 2 and P = 1 1 1 + √ 5 2 1 − √ 5 2 and write C = PDP−1 ; hence, Cn = PDn P −1 . Use a computer to show that Cn = c(n) 11 c(n) 12 c(n) 21 c(n) 22 where c(n) 11 = ) 1 + √ 5 2 √ 5 * ) 3 − √ 5 2 *n − ) 1 − √ 5 2 √ 5 * ) 3 + √ 5 2 *n c(n) 22 = ) 1 + √ 5 2 √ 5 * ) 3 + √ 5 2 *n − ) 1 − √ 5 2 √ 5 * ) 3 − √ 5 2 *n and c(n) 12 = c(n) 21 = 1 √ 5 +) 3 + √ 5 2 *n − ) 3 − √ 5 2 *n, How can you use these results and your conclusions in Exercise T1 to simplify the method for computing !(p)? 10.14 Cryptography In this section we present a method of encoding and decoding messages. We also examine modular arithmetic and show how Gaussian elimination can sometimes be used to break an opponent’s code. PREREQUISITES: Matrices Gaussian Elimination Matrix Operations Linear Independence Linear Transformations (Section 4.9) Ciphers The study of encoding and decoding secret messages is called cryptography. Although secret codes date to the earliest days of written communication, there has been a recent surge of interest in the subject because of the need to maintain the privacy of information transmitted over public lines of communication. In the language of cryptography, codes are called ciphers, uncoded messages are called plaintext, and coded messages are called ciphertext. The process of converting from plaintext to ciphertext is called enciphering, and the reverse process of converting from ciphertext to plaintext is called deciphering. The simplest ciphers, called substitution ciphers, are those that replace each letter of the alphabet by a different letter. For example, in the substitution cipher Plain A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Cipher D E F G H I J K L M N O P Q R S T U V W X Y Z A B C the plaintext letter A is replaced by D, the plaintext letter B by E, and so forth. With this cipher the plaintext message ROME WAS NOT BUILT IN A DAY
- 2. 10.14 Cryptography 653 becomes URPH ZDV QRW EXLOW LQ D GDB Hill Ciphers A disadvantage of substitution ciphers is that they preserve the frequencies of individual letters, making it relatively easy to break the code by statistical methods. One way to overcome this problem is to divide the plaintext into groups of letters and encipher the plaintext group by group, rather than one letter at a time. A system of cryptography in which the plaintext is divided into sets of n letters, each of which is replaced by a set of n cipher letters, is called a polygraphic system. In this section we will study a class of polygraphic systems based on matrix transformations. [The ciphers that we will discuss are called Hill ciphers after Lester S. Hill, who introduced them in two papers: “Cryptography in an Algebraic Alphabet,” American Mathematical Monthly, 36 (June– July 1929), pp. 306–312; and “Concerning Certain Linear Transformation Apparatus of Cryptography,” American Mathematical Monthly, 38 (March 1931), pp. 135–154.] In the discussion to follow, we assume that each plaintext and ciphertext letter except Z is assigned the numerical value that specifies its position in the standard alphabet (Table 1). For reasons that will become clear later, Z is assigned a value of zero. Table 1 A 1 B 2 C 3 D 4 E 5 F 6 G 7 H 8 I 9 J 10 K 11 L 12 M 13 N 14 O 15 P 16 Q 17 R 18 S 19 T 20 U 21 V 22 W 23 X 24 Y 25 Z 0 In the simplest Hill ciphers, successive pairs of plaintext are transformed into cipher- text by the following procedure: Step 1. Choose a 2 × 2 matrix with integer entries A = ! a11 a12 a21 a22 " to perform the encoding. Certain additional conditions on A will be imposed later. Step 2. Group successive plaintext letters into pairs, adding an arbitrary “dummy” letter to fill out the last pair if the plaintext has an odd number of letters, and replace each plaintext letter by its numerical value. Step 3. Successively convert each plaintext pair p1p2 into a column vector p = ! p1 p2 " and form the product Ap. We will call p a plaintext vector and Ap the corre- sponding ciphertext vector. Step 4. Convert each ciphertext vector into its alphabetic equivalent. EXAMPLE 1 Hill Cipher of a Message Use the matrix ! 1 2 0 3 " to obtain the Hill cipher for the plaintext message I AM HIDING
- 3. 654 Chapter 10 Applications of Linear Algebra Solution If we group the plaintext into pairs and add the dummy letter G to fill out the last pair, we obtain IA MH ID IN GG or, equivalently, from Table 1, 9 1 13 8 9 4 9 14 7 7 To encipher the pair IA, we form the matrix product ! 1 2 0 3 " ! 9 1 " = ! 11 3 " which, from Table 1, yields the ciphertext KC. To encipher the pair MH, we form the product ! 1 2 0 3 " ! 13 8 " = ! 29 24 " (1) However, there is a problem here, because the number 29 has no alphabet equivalent (Table 1). To resolve this problem, we make the following agreement: Whenever an integer greater than 25 occurs, it will be replaced by the remainder that results when this integer is divided by 26. Because the remainder after division by 26 is one of the integers 0, 1, 2, . . . , 25, this procedure will always yield an integer with an alphabet equivalent. Thus, in (1) we replace 29 by 3, which is the remainder after dividing 29 by 26. It now follows from Table 1 that the ciphertext for the pair MH is CX. The computations for the remaining ciphertext vectors are ! 1 2 0 3 " ! 9 4 " = ! 17 12 " ! 1 2 0 3 " ! 9 14 " = ! 37 42 " or ! 11 16 " ! 1 2 0 3 " ! 7 7 " = ! 21 21 " These correspond to the ciphertext pairs QL, KP , and UU, respectively. In summary, the entire ciphertext message is KC CX QL KP UU which would usually be transmitted as a single string without spaces: KCCXQLKPUU Because the plaintext was grouped in pairs and enciphered by a 2 × 2 matrix, the Hill cipher in Example 1 is referred to as a Hill 2-cipher. It is obviously also possible to group the plaintext in triples and encipher by a 3 × 3 matrix with integer entries; this is called a Hill 3-cipher. In general, for a Hill n-cipher, plaintext is grouped into sets of n letters and enciphered by an n × n matrix with integer entries. Modular Arithmetic In Example 1, integers greater than 25 were replaced by their remainders after division by 26. This technique of working with remainders is at the core of a body of mathematics called modular arithmetic. Because of its importance in cryptography, we will digress for a moment to touch on some of the main ideas in this area.
- 4. 10.14 Cryptography 655 In modular arithmetic we are given a positive integer m, called the modulus, and any two integers whose difference is an integer multiple of the modulus are regarded as “equal” or “equivalent” with respect to the modulus. More precisely, we make the following definition. DEFINITION 1 If m is a positive integer and a and b are any integers, then we say that a is equivalent to b modulo m, written a = b (mod m) if a − b is an integer multiple of m. EXAMPLE 2 Various Equivalences 7 = 2 (mod 5) 19 = 3 (mod 2) −1 = 25 (mod 26) 12 = 0 (mod 4) For any modulus m it can be proved that every integer a is equivalent, modulo m, to exactly one of the integers 0, 1, 2, . . . , m − 1 We call this integer the residue of a modulo m, and we write Zm = {0, 1, 2, . . . , m − 1} to denote the set of residues modulo m. If a is a nonnegative integer, then its residue modulo m is simply the remainder that results when a is divided by m. For an arbitrary integer a, the residue can be found using the following theorem. THEOREM 10.14.1 For any integer a and modulus m, let R = remainder of |a| m Then the residue r of a modulo m is given by r = R if a ≥ 0 m − R if a < 0 and R %= 0 0 if a < 0 and R = 0 EXAMPLE 3 Residues mod 26 Find the residue modulo 26 of (a) 87, (b) −38, and (c) −26. Solution (a) Dividing |87| = 87 by 26 yields a remainder of R = 9, so r = 9. Thus, 87 = 9 (mod 26) Solution (b) Dividing |−38| = 38 by 26 yields a remainder of R = 12, so r = 26 − 12 = 14. Thus, −38 = 14 (mod 26)
- 5. 656 Chapter 10 Applications of Linear Algebra Solution (c) Dividing |−26| = 26 by 26 yields a remainder of R = 0. Thus, −26 = 0 (mod 26) In ordinary arithmetic every nonzero number a has a reciprocal or multiplicative inverse, denoted by a−1 , such that aa−1 = a−1 a = 1 In modular arithmetic we have the following corresponding concept: DEFINITION 2 If a is a number in Zm, then a number a−1 in Zm is called a reciprocal or multiplicative inverse of a modulo m if aa−1 = a−1 a = 1 (mod m). It can be proved that if a and m have no common prime factors, then a has a unique reciprocal modulo m; conversely, if a and m have a common prime factor, then a has no reciprocal modulo m. EXAMPLE 4 Reciprocal of 3 mod 26 The number 3 has a reciprocal modulo 26 because 3 and 26 have no common prime factors. This reciprocal can be obtained by finding the number x in Z26 that satisfies the modular equation 3x = 1 (mod 26) Although there are general methods for solving such modular equations, it would take us too far afield to study them. However, because 26 is relatively small, this equation can be solved by trying the possible solutions, 0 to 25, one at a time. With this approach we find that x = 9 is the solution, because 3 · 9 = 27 = 1 (mod 26) Thus, 3−1 = 9 (mod 26) EXAMPLE 5 A Number with No Reciprocal mod 26 The number 4 has no reciprocal modulo 26, because 4 and 26 have 2 as a common prime factor (see Exercise 9). For future reference, in Table 2 we provide the following reciprocals modulo 26: Table 2 Reciprocals Modulo 26 a a–1 1 3 5 1 9 7 9 11 21 15 19 23 11 17 25 3 7 5 15 17 19 21 23 25 Deciphering Every useful cipher must have a procedure for decipherment. In the case of a Hill cipher, decipherment uses the inverse (mod 26) of the enciphering matrix. To be precise, if m is a positive integer, then a square matrix A with entries in Zm is said to be invertible modulo m if there is a matrix B with entries in Zm such that AB = BA = I (mod m)
- 6. 10.14 Cryptography 657 Suppose now that A = ! a11 a12 a21 a22 " is invertible modulo 26 and this matrix is used in a Hill 2-cipher. If p = ! p1 p2 " is a plaintext vector, then c = Ap (mod 26) is the corresponding ciphertext vector and p = A−1 c (mod 26) Thus, each plaintext vector can be recovered from the corresponding ciphertext vector by multiplying it on the left by A−1 (mod 26). In cryptography it is important to know which matrices are invertible modulo 26 and how to obtain their inverses. We now investigate these questions. In ordinary arithmetic, a square matrix A is invertible if and only if det(A) %= 0, or, equivalently, if and only if det(A) has a reciprocal. The following theorem is the analog of this result in modular arithmetic. THEOREM 10.14.2 A square matrix A with entries in Zm is invertible modulo m if and only if the residue of det(A) modulo m has a reciprocal modulo m. Because the residue of det(A) modulo m will have a reciprocal modulo m if and only if this residue and m have no common prime factors, we have the following corollary. COROLLARY 10.14.3 A square matrix A with entries in Zm is invertible modulo m if and only if m and the residue of det(A) modulo m have no common prime factors. Because the only prime factors of m = 26 are 2 and 13, we have the following corol- lary, which is useful in cryptography. COROLLARY 10.14.4 A square matrix A with entries in Z26 is invertible modulo 26 if and only if the residue of det(A) modulo 26 is not divisible by 2 or 13. We leave it for you to verify that if A = ! a b c d " has entries in Z26 and the residue of det(A) = ad − bc modulo 26 is not divisible by 2 or 13, then the inverse of A (mod 26) is given by A−1 = (ad − bc)−1 ! d −b −c a " (mod 26) (2) where (ad − bc)−1 is the reciprocal of the residue of ad − bc (mod 26).
- 7. 658 Chapter 10 Applications of Linear Algebra EXAMPLE 6 Inverse of a Matrix mod 26 Find the inverse of A = ! 5 6 2 3 " modulo 26. Solution det(A) = ad − bc = 5 · 3 − 6 · 2 = 3 so from Table 2, (ad − bc)−1 = 3−1 = 9 (mod 26) Thus, from (2), A−1 = 9 ! 3 −6 −2 5 " = ! 27 −54 −18 45 " = ! 1 24 8 19 " (mod 26) As a check, AA−1 = ! 5 6 2 3 " ! 1 24 8 19 " = ! 53 234 26 105 " = ! 1 0 0 1 " (mod 26) Similarly, A−1 A = I. EXAMPLE 7 Decoding a Hill 2-Cipher Decode the following Hill 2-cipher, which was enciphered by the matrix in Example 6: GTNKGKDUSK Solution From Table 1 the numerical equivalent of this ciphertext is 7 20 14 11 7 11 4 21 19 11 To obtain the plaintext pairs, we multiply each ciphertext vector by the inverse of A (obtained in Example 6): ! 1 24 8 19 " ! 7 20 " = ! 487 436 " = ! 19 20 " (mod 26) ! 1 24 8 19 " ! 14 11 " = ! 278 321 " = ! 18 9 " (mod 26) ! 1 24 8 19 " ! 7 11 " = ! 271 265 " = ! 11 5 " (mod 26) ! 1 24 8 19 " ! 4 21 " = ! 508 431 " = ! 14 15 " (mod 26) ! 1 24 8 19 " ! 19 11 " = ! 283 361 " = ! 23 23 " (mod 26) From Table 1, the alphabet equivalents of these vectors are ST RI KE NO WW which yields the message STRIKE NOW
- 8. 10.14 Cryptography 659 Breaking a Hill Cipher Because the purpose of enciphering messages and information is to prevent “opponents” from learning their contents, cryptographers are concerned with the security of their ciphers—that is, how readily they can be broken (deciphered by their opponents). We will conclude this section by discussing one technique for breaking Hill ciphers. Suppose that you are able to obtain some corresponding plaintext and ciphertext from an opponent’s message. For example, on examining some intercepted ciphertext, youmaybeabletodeducethatthemessageisaletterthatbeginsDEARSIR.Wewillshow that with a small amount of such data, it may be possible to determine the deciphering matrix of a Hill code and consequently obtain access to the rest of the message. It is a basic result in linear algebra that a linear transformation is completely deter- mined by its values at a basis. This principle suggests that if we have a Hill n-cipher, and if p1, p2, . . . , pn are linearly independent plaintext vectors whose corresponding ciphertext vectors Ap1, Ap2, . . . , Apn are known, then there is enough information available to determine the matrix A and hence A−1 (mod m). The following theorem, whose proof is discussed in the exercises, provides a way to do this. THEOREM 10.14.5 Determining the Deciphering Matrix Let p1, p2, . . . , pn be linearly independent plaintext vectors, and let c1, c2, . . . , cn be the corresponding ciphertext vectors in a Hill n-cipher. If P = pT 1 pT 2 . . . pT n is the n × n matrix with row vectors pT 1 , pT 2 , . . . , pT n and if C = cT 1 cT 2 . . . cT n is the n × n matrix with row vectors cT 1 , cT 2 , . . . , cT n , then the sequence of elementary row operations that reduces C to I transforms P to (A−1 )T . This theorem tells us that to find the transpose of the deciphering matrix A−1 , we must find a sequence of row operations that reduces C to I and then perform this same sequence of operations on P . The following example illustrates a simple algorithm for doing this. EXAMPLE 8 UsingTheorem 10.14.5 The following Hill 2-cipher is intercepted: IOSBTGXESPXHOPDE Decipher the message, given that it starts with the word DEAR.
- 9. 660 Chapter 10 Applications of Linear Algebra Solution From Table 1, the numerical equivalent of the known plaintext is DE AR 4 5 1 18 and the numerical equivalent of the corresponding ciphertext is IO SB 9 15 19 2 so the corresponding plaintext and ciphertext vectors are p1 = ! 4 5 " ↔ c1 = ! 9 15 " p2 = ! 1 18 " ↔ c2 = ! 19 2 " We want to reduce C = 1 cT 1 cT 2 2 = ! 9 15 19 2 " to I by elementary row operations and simultaneously apply these operations to P = 1 pT 1 pT 2 2 = ! 4 5 1 18 " to obtain (A−1 )T (the transpose of the deciphering matrix). This can be accomplished by adjoining P to the right of C and applying row operations to the resulting matrix [C | P ] until the left side is reduced to I. The final matrix will then have the form [I | (A−1 )T ]. The computations can be carried out as follows: ! 9 15 4 5 19 2 1 18 " We formed the matrix [C | P]. ! 1 45 12 15 19 2 1 18 " We multiplied the first row by 9−1 = 3. ! 1 19 12 15 19 2 1 18 " We replaced 45 by its residue modulo 26. ! 1 19 12 15 0 −359 −227 −267 " We added −19 times the first row to the second. ! 1 19 12 15 0 5 7 19 " We replaced the entries in the second row by their residues modulo 26. ! 1 19 12 15 0 1 147 399 " We multiplied the second row by 5−1 = 21. ! 1 19 12 15 0 1 17 9 " We replaced the entries in the second row by their residues modulo 26. ! 1 0 −311 −156 0 1 17 9 " We added −19 times the second row to the first. ! 1 0 1 0 0 1 17 9 " We replaced the entries in the first row by their residues modulo 26. Thus, (A−1 )T = ! 1 0 17 9 "
- 10. 10.14 Cryptography 661 so the deciphering matrix is A−1 = ! 1 17 0 9 " To decipher the message, we first group the ciphertext into pairs and find the numerical equivalent of each letter: IO SB TG XE SP XH OP DE 9 15 19 2 20 7 24 5 19 16 24 8 15 16 4 5 Next, we multiply successive ciphertext vectors on the left by A−1 and find the alphabet equivalents of the resulting plaintext pairs: ! 1 17 0 9 " ! 9 15 " = ! 4 5 " D E ! 1 17 0 9 " ! 19 2 " = ! 1 18 " A R ! 1 17 0 9 " ! 20 7 " = ! 9 11 " I K ! 1 17 0 9 " ! 24 5 " = ! 5 19 " E S ! 1 17 0 9 " ! 19 16 " = ! 5 14 " E N ! 1 17 0 9 " ! 24 8 " = ! 4 20 " D T ! 1 17 0 9 " ! 15 16 " = ! 1 14 " A N ! 1 17 0 9 " ! 4 5 " = ! 11 19 " K S (mod 26) Finally, we construct the message from the plaintext pairs: DE AR IK ES EN DT AN KS DEAR IKE SEND TANKS FURTHER READINGS Readers interested in learning more about mathematical cryptography are referred to the following books, the first of which is elementary and the second more advanced. 1. ABRAHAM SINKOV, Elementary Cryptanalysis, a Mathematical Approach (Mathematical Asso- ciation of America, 2009). 2. ALAN G. KONHEIM, Cryptography, a Primer (New York: Wiley-Interscience, 1981).
- 11. 662 Chapter 10 Applications of Linear Algebra Exercise Set 10.14 1. Obtain the Hill cipher of the message DARK NIGHT for each of the following enciphering matrices: (a) ! 1 3 2 1 " (b) ! 4 3 1 2 " 2. In each part determine whether the matrix is invertible mod- ulo 26. If so, find its inverse modulo 26 and check your work by verifying that AA−1 = A−1 A = I (mod 26). (a) A = ! 9 1 7 2 " (b) A = ! 3 1 5 3 " (c) A = ! 8 11 1 9 " (d) A = ! 2 1 1 7 " (e) A = ! 3 1 6 2 " (f) A = ! 1 8 1 3 " 3. Decode the message SAKNOXAOJX given that it is a Hill cipher with enciphering matrix ! 4 1 3 2 " 4. A Hill 2-cipher is intercepted that starts with the pairs SL HK Find the deciphering and enciphering matrices, given that the plaintext is known to start with the word ARMY. 5. Decode the following Hill 2-cipher if the last four plaintext letters are known to be ATOM. LNGIHGYBVRENJYQO 6. Decode the following Hill 3-cipher if the first nine plaintext letters are IHAVECOME: HPAFQGGDUGDDHPGODYNOR 7. All of the results of this section can be generalized to the case where the plaintext is a binary message; that is, it is a sequence of 0’s and 1’s. In this case we do all of our modular arithmetic using modulus 2 rather than modulus 26. Thus, for example, 1 + 1 = 0 (mod 2). Suppose we want to encrypt the message 110101111. Let us first break it into triplets to form the three vectors 1 1 0 , 1 0 1 , 1 1 1 , and let us take 1 1 0 0 1 1 1 1 1 as our enciphering matrix. (a) Find the encoded message. (b) Find the inverse modulo 2 of the enciphering matrix, and verify that it decodes your encoded message. 8. If, in addition to the standard alphabet, a period, comma, and question mark were allowed, then 29 plaintext and ciphertext symbols would be available and all matrix arithmetic would be done modulo 29. Under what conditions would a matrix with entries in Z29 be invertible modulo 29? 9. Show that the modular equation 4x = 1 (mod 26) has no solution in Z26 by successively substituting the values x = 0, 1, 2, . . . , 25. 10. (a) Let P and C be the matrices in Theorem 10.14.5. Show that P = C(A−1 )T . (b) To prove Theorem 10.14.5, let E1, E2, . . . , En be the ele- mentary matrices that correspond to the row operations that reduce C to I, so En · · · E2E1C = I Show that En · · · E2E1P = (A−1 )T from which it follows that the same sequence of row oper- ations that reduces C to I converts P to (A−1 )T . 11. (a) If A is the enciphering matrix of a Hill n-cipher, show that A−1 = (C−1 P)T (mod 26) where C and P are the matrices defined in Theorem 10.14.5. (b) Instead of using Theorem 10.14.5 as in the text, find the deciphering matrix A−1 of Example 8 by using the result in part (a) and Equation (2) to compute C−1 . [Note: Al- though this method is practical for Hill 2-ciphers, Theo- rem 10.14.5 is more efficient for Hill n-ciphers with n > 2.] Working withTechnology The following exercises are designed to be solved using a technol- ogy utility. Typically, this will be MATLAB, Mathematica, Maple, Derive, or Mathcad, but it may also be some other type of linear algebra software or a scientific calculator with some linear algebra capabilities. For each exercise you will need to read the relevant documentation for the particular utility you are using. The goal of these exercises is to provide you with a basic proficiency with your technology utility. Once you have mastered the techniques in these exercises, you will be able to use your technology utility to solve many of the problems in the regular exercise sets. T1. Two integers that have no common factors (except 1) are said to be relatively prime. Given a positive integer n, let Sn = {a1, a2, a3, . . . , am}, where a1 < a2 < a3 < · · · < am, be the set of all positive integers less than n and relatively prime to n. For example, if n = 9, then S9 = {a1, a2, a3, . . . , a6} = {1, 2, 4, 5, 7, 8} (a) Construct a table consisting of n and Sn for n = 2, 3, . . . , 15, and then compute m 3 k=1 ak and ) m 3 k=1 ak * (mod n)