
INTRODUCTION TO CRYPTOGRAPHY

Introduction
What is cryptography? Imagine that two parties are exchanging information. In the
old days this would be done by courier or letter, nowadays by e-mail, SMS or phone.
The two parties are usually called "Alice" and "Bob". No matter which channels they
use to exchange information, there are many ways for a third party (called "Eve") to
obtain the information: the phone could be tapped, a hacker can read the e-mail, letters
can be opened, etc. In other words, the communication channels are completely unsafe.
Cryptography tries to provide a safe exchange of information using the following method:
Alice encrypts her message (called the "plaintext") using an "encryption key". She then
sends the "ciphertext", i.e., the encrypted message, to Bob. He possesses the "decryption
key" to reverse the procedure and decrypts the ciphertext back into the plaintext.
Here is the schematic picture:

         plaintext                 ciphertext                 plaintext
Alice  ------------>  encryption  ------------>  decryption  ------------>  Bob

Eve may have various goals:


1. She wants to read this particular message.
2. She wants to find the decryption key, so that she can read all messages sent from
Alice to Bob using this key.
3. She wants to change Alice’s message without Bob realizing it.

In order to achieve one of these goals Eve ”attacks” the system. Again, depending on
the information she is able to obtain, Eve can run various attacks:
1. Eve has only the ciphertext (ciphertext only attack).
2. Eve also has a piece of the plaintext (known plaintext attack).
3. Eve is able to temporarily encrypt a message of her choice (chosen plaintext
attack).
4. Eve is able to temporarily use the decryption machine (chosen ciphertext attack).


A cryptosystem is only good if it makes all these attacks very hard, and therefore any
new cryptosystem has to undergo extensive testing to find out how well it withstands
the various possible attacks. It should be pointed out that in assessing the security of a
cryptosystem, it is always assumed that Eve knows the method Alice and Bob are using.

The encryption and decryption methods fall into two different categories: Symmetric
Keys and Public Keys. In systems using symmetric keys, both the encryption and the
decryption keys are known to Alice and Bob, and have to be kept secret. All the classical
systems use symmetric keys. Public keys were first introduced in the 1970s and are based
on the idea that it is possible to use a public encryption key, but that it is (computationally)
impossible to find the decryption key without knowledge known only to Bob.
As an example, Bob can choose two large prime numbers p and q. Their product n = pq
is used to encrypt messages and is made public. Decryption, however, depends on the
knowledge of the prime factors of n. Since for large numbers n ("large" here means
"really large", say 400 digits) there are currently no algorithms known that factor n in
reasonable time, Bob is the only one who is able to decrypt. The advantage of "public key
cryptography" is that Alice and Bob can communicate safely without choosing a common
key, which may be hard to do if they are, e.g., miles apart. The disadvantage is that the
computations in these algorithms are much more involved, and therefore become expensive
if large amounts of data have to be transferred. In general, then, public key cryptosystems
are used for the transmission of small amounts of data, e.g. to exchange keys to be used for
a symmetric key system, whereas large amounts of data are transmitted using symmetric
key systems.

1. Classical cryptosystems
We use the following conventions:
Plaintexts are written in lowercase letters and ciphertexts in capital letters. There is
no punctuation and there are no spaces. The letters of the alphabet are transformed into
the numbers 0, 1, · · · , 25 as follows:

a   b   c   d   e   f   g   h   i   j   k   l   m
0   1   2   3   4   5   6   7   8   9   10  11  12

n   o   p   q   r   s   t   u   v   w   x   y   z
13  14  15  16  17  18  19  20  21  22  23  24  25

We use the notations Z = {0, ±1, ±2, · · · } for the integers and N for the positive integers,
i.e., the natural numbers. For reasons which will (hopefully) become clearer in the next
section, we denote the set of numbers {0, 1, 2, · · · , 25} by Z/26Z:
Z/26Z = {0, 1, 2, · · · , 25}.
On this set we use modular arithmetic: Given two integers a and b between 0 and 25 we
calculate as usual a + b, a − b or ab. The result may no longer be an integer between 0 and
25, but it will differ from a number in Z/26Z by a multiple of 26, hence will be congruent
to a number in Z/26Z. This leads to the following more general
Definition: Let n > 1 be a natural number. Two integers a and b are congruent
modulo n if they differ by a multiple of n, hence if the difference a − b is a multiple of n.
Notation:
a ≡ b mod n.

Example: 23 + 17 = 40 ≡ 14 mod 26.


We now consider several classical cryptosystems, or ciphers as they are called,
with increasing levels of sophistication.

Shift Ciphers:
This goes back to Caesar and is easily described as follows: Choose any number k
between 0 and 25. This will be the encryption key. Encryption is now done by sending an
integer x to x + k mod 26:

x ↦ x + k mod 26.

Caesar used k = 3 and would e.g. encrypt brutus as follows:

brutus = 1 17 20 19 20 18 ↦ 4 20 23 22 23 21 = EUXWXV.

Of course decryption is done by sending an integer y to y − k mod 26:

y ↦ y − k mod 26.

We now turn to slightly more general ciphers.

Affine Ciphers:
Here we use the encryption

x ↦ α x + k mod 26,

where α and k are integers between 0 and 25. The encryption key then consists of (α, k).
But of course not all values are suitable for α. If α = 0, then every number is encrypted
as k. Similarly, if α = 13, then

$$\alpha x + k = 13x + k \equiv \begin{cases} k \bmod 26 & \text{if } x \text{ is even,} \\ 13 + k \bmod 26 & \text{if } x \text{ is odd.} \end{cases}$$

In both cases encryption is not one-to-one, and we cannot decrypt. We will see in the next
section that the encryption will be one-to-one precisely if α is invertible modulo 26, i.e., if
there exists a β ∈ Z/26Z, so that α · β ≡ 1 mod 26. If this is the case, then decryption is
provided by

y ↦ β(y − k) mod 26,

since then

y = α x + k ↦ βα x ≡ x mod 26,

so that in fact decryption reverses the encryption.
Example: We take α = 5 and k = 1, so that

x ↦ 5x + 1.

The plaintext affine is then encrypted as

affine = 1 5 5 8 13 4 ↦ 6 0 0 15 14 21 = GAAPOV.

To decrypt we have to find the inverse of 5 modulo 26, hence the integer β between 0
and 25, for which 5 · β ≡ 1 mod 26. Again, we will learn in the next section how to find β,
but some good guessing shows that 5 · 21 = 105 = 1 + 4 · 26 ≡ 1 mod 26, so that β = 21.

The possible values for α are the numbers between 0 and 25, that are relatively prime
to 26, i.e., have no common divisor with 26 except 1. Since the divisors of 26 are 1,2,13 we
find that α has to be an odd integer between 1 and 25, but different from 13. This gives
12 choices for α. Since there are 26 possible choices for k, the number of possible keys for
an affine cipher is

#keys for an affine cipher = 12 · 26 = 312.


Let us see now how Eve can attack the cipher. If she only has the ciphertext, then her
best bet is to use what is called a Brute Force Attack, namely try all possible keys.
If Eve has in addition a piece of the plaintext, then in fact two letters of the plaintext
will usually suffice to find the key.
Example: Assume we know that he is mapped to NO, hence 7 4 is mapped to 13 14. We
obtain the two equations

13 = α · 7 + k,
14 = α · 4 + k,

from which we obtain

−1 = α · 3,

hence by inverting 3:

α = −9 ≡ 17 mod 26,
and finally k = 24.

If Eve can run a chosen plaintext attack, i.e., if she has temporary access to the encryption
machine, then she would simply feed the letters a and b, hence the numbers 0 and 1, into
the machine. These are mapped to k and α + k, respectively, which gives the key. Similarly,
she can run a chosen ciphertext attack, if she has temporary access to the decryption
machine, by feeding A and B into the machine to obtain the decryption key.
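
The known plaintext attack and the brute force search described above, as an added example that is not part of the original notes. The function names are hypothetical; the code also covers the case hinted at by "usually suffice", where the two known letters do not determine the key uniquely.

```python
from math import gcd

M = 26  # alphabet size, with a = 0, ..., z = 25 as in the notes

def to_nums(text):
    return [ord(c) - ord('a') for c in text.lower()]

def to_text(nums, upper=False):
    base = ord('A') if upper else ord('a')
    return ''.join(chr(base + n % M) for n in nums)

def valid_keys():
    """All keys (alpha, k) with alpha invertible modulo 26."""
    return [(a, k) for a in range(M) if gcd(a, M) == 1 for k in range(M)]

def encrypt(plain, alpha, k):
    if gcd(alpha, M) != 1:
        raise ValueError("alpha must be invertible mod 26")
    return to_text([(alpha * x + k) % M for x in to_nums(plain)], upper=True)

def decrypt(cipher, alpha, k):
    beta = pow(alpha, -1, M)  # raises ValueError if alpha is not invertible
    return to_text([beta * (y - k) % M for y in to_nums(cipher)])

def recover_key(plain, cipher):
    """Known plaintext attack from two letters: y1 - y2 = alpha (x1 - x2) mod 26.
    Returns the list of keys consistent with the two letter pairs."""
    (x1, x2), (y1, y2) = to_nums(plain[:2]), to_nums(cipher[:2])
    dx = (x1 - x2) % M
    if gcd(dx, M) == 1:
        alpha = (y1 - y2) * pow(dx, -1, M) % M
        return [(alpha, (y1 - alpha * x1) % M)]
    # x1 - x2 is not invertible, so the equations cannot be solved by
    # inversion: search all 312 keys and keep those that fit.
    return [(a, k) for a, k in valid_keys()
            if (a * x1 + k) % M == y1 and (a * x2 + k) % M == y2]
```

With the pair he and NO this returns the single key (17, 24); two plaintext letters that differ by 13, such as a and n, leave 12 candidate keys.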

Affine ciphers are examples of so-called streaming ciphers. These are ciphers, where
encryption and decryption are done letter by letter or number by number, and so the
encryption and decryption machines can be fed by a continuous stream of letters or numbers.
The next class of ciphers is an example of a block cipher, where a block of letters or
numbers is encrypted or decrypted simultaneously.

Hill ciphers: We choose an integer N ≥ 1 and divide the message into blocks of length
N. Each block is then an N-tuple of numbers with entries from Z/26Z, and we view each
block as a row vector x of length N. We now choose an N × N matrix A and a fixed vector
k of length N with entries from Z/26Z. Encryption is now performed by sending x to
xA + k mod 26:

x ↦ xA + k mod 26.

Note that the matrix A acts on x from the right, since x is a row vector. The encryption
key is given by the pair (A, k).
If A = I_N is equal to the N × N identity matrix, hence encryption is simply done via

x ↦ x + k mod 26,

then we obtain the classical Vigenère cipher, which was invented in the 16th century. If
on the other hand k = 0, hence encryption is done via

x ↦ xA mod 26,

then we obtain the so-called Hill cipher.


Again, as in the case of affine ciphers (the special case N = 1), there are restrictions for
the choices of the matrix A, because we have to be able to invert A modulo 26, so that
we can decrypt. In other words: We have to be able to find a matrix B with entries in
Z/26Z, so that

AB ≡ I_N mod 26.

This means that all the entries in the matrix AB differ from the corresponding entries in
I_N by multiples of 26. If such a matrix B exists, then we can decrypt a ciphertext y via

y ↦ (y − k)B mod 26.


To obtain a necessary condition for the existence of the matrix B, we look at the
determinants:

det(A) · det(B) = det(AB) ≡ det(I_N) = 1 mod 26,

so that det(A) has to be invertible modulo 26. Conversely, if det(A) is invertible modulo
26, then we can use Cramer's Rule to show that a matrix B with the desired properties
exists:
Recall that Cramer's Rule expresses the inverse of A as

A^(−1) = (1 / det(A)) · adj(A),

where the adjoint matrix adj(A) is defined as follows: If we denote the (i, j)-th coefficient
of the transposed matrix adj(A)^t by C_ij, then

C_ij = (−1)^(i+j) · det(A_ij),

where the (N − 1) × (N − 1) minor A_ij is obtained from A by deleting the i-th row and
the j-th column.
Now all the entries in the matrices A_ij are integers, hence their determinants are integers
as well. As a result we see that the adjoint matrix adj(A) of A has integer coefficients.
Cramer's Rule shows that

A · adj(A) = det(A) · I_N.

Now we choose an integer β, so that

det(A) · β ≡ 1 mod 26,

and we define

B = β · adj(A) mod 26.

Then B has the desired properties.

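Example: We take N = 3 and consider a Hill cipher with matrix

$$A = \begin{pmatrix} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 11 & 9 & 8 \end{pmatrix}.$$

Here are a few of the coefficients C_ij:

$$A_{11} = \begin{pmatrix} 5 & 6 \\ 9 & 8 \end{pmatrix}, \quad \text{hence } C_{11} = -14,$$

$$A_{12} = \begin{pmatrix} 4 & 6 \\ 11 & 8 \end{pmatrix}, \quad \text{hence } C_{12} = 34,$$

$$A_{13} = \begin{pmatrix} 4 & 5 \\ 11 & 9 \end{pmatrix}, \quad \text{hence } C_{13} = -19.$$

We note that

det(A) = 1 · C_11 + 2 · C_12 + 3 · C_13 = −3.

Computing the remaining coefficients C_ij we obtain the adjoint matrix

$$\operatorname{adj}(A) = \begin{pmatrix} -14 & 11 & -3 \\ 34 & -25 & 6 \\ -19 & 13 & -3 \end{pmatrix}.$$

We note that −3 · 17 = −51 ≡ 1 mod 26, hence we can take β = 17 and obtain

$$B = 17 \cdot \begin{pmatrix} -14 & 11 & -3 \\ 34 & -25 & 6 \\ -19 & 13 & -3 \end{pmatrix} \equiv \begin{pmatrix} 22 & 5 & 1 \\ 6 & 17 & 24 \\ 15 & 13 & 1 \end{pmatrix} \bmod 26.$$

Let us check the answer:

$$A \cdot B = \begin{pmatrix} 79 & 78 & 52 \\ 208 & 183 & 130 \\ 416 & 312 & 235 \end{pmatrix} = \begin{pmatrix} 1 + 3 \cdot 26 & 3 \cdot 26 & 2 \cdot 26 \\ 8 \cdot 26 & 1 + 7 \cdot 26 & 5 \cdot 26 \\ 16 \cdot 26 & 12 \cdot 26 & 1 + 9 \cdot 26 \end{pmatrix} \equiv I_3 \bmod 26.$$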

Assume we know that a Hill cipher is used with an N × N matrix A as key. In general,
it will suffice to know a plaintext with N² letters and the corresponding ciphertext to
determine the key A. Here is an example:

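Example: We know that N = 2 and hand is encrypted to FOOT, i.e.,

7 0 | 13 3 ↦ 5 14 | 14 19.

We obtain the following equation for A:

$$\begin{pmatrix} 7 & 0 \\ 13 & 3 \end{pmatrix} \cdot A = \begin{pmatrix} 5 & 14 \\ 14 & 19 \end{pmatrix}.$$

To solve for A we must be able to invert the matrix

$$C := \begin{pmatrix} 7 & 0 \\ 13 & 3 \end{pmatrix} \bmod 26.$$

This is in fact possible, since det(C) = 21 is invertible modulo 26. We compute the inverse
of C modulo 26 to be

$$\begin{pmatrix} 15 & 0 \\ 13 & 9 \end{pmatrix},$$

and obtain

$$A \equiv \begin{pmatrix} 15 & 0 \\ 13 & 9 \end{pmatrix} \cdot \begin{pmatrix} 5 & 14 \\ 14 & 19 \end{pmatrix} \equiv \begin{pmatrix} 23 & 2 \\ 9 & 15 \end{pmatrix} \bmod 26.$$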
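
The inversion of A modulo 26 via the adjoint matrix and the known plaintext attack on the Hill cipher, as an added example that is not part of the original notes. The function names are hypothetical; the code works for any block length N, not only the N = 2 and N = 3 cases worked above.

```python
from math import gcd

M = 26  # modulus used throughout the notes

def minor(A, i, j):
    """A with row i and column j deleted (the minor A_ij)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]

def det(A):
    """Integer determinant by cofactor expansion along the first row."""
    if not A:
        return 1
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))

def adj(A):
    """Adjoint matrix: its entry (i, j) is the cofactor C_ji."""
    n = len(A)
    return [[(-1) ** (i + j) * det(minor(A, j, i)) for j in range(n)]
            for i in range(n)]

def is_invertible(A):
    return gcd(det(A) % M, M) == 1

def inv_mod(A):
    """B = beta * adj(A) mod 26, where det(A) * beta = 1 mod 26."""
    if not is_invertible(A):
        raise ValueError("det(A) is not invertible mod 26")
    beta = pow(det(A) % M, -1, M)
    return [[beta * c % M for c in row] for row in adj(A)]

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) % M for col in zip(*Y)]
            for row in X]

def blocks(text, n):
    """First n blocks of length n, as rows of an n x n matrix."""
    nums = [ord(ch) - ord('a') for ch in text.lower()]
    return [nums[i:i + n] for i in range(0, n * n, n)]

def recover_hill_key(plain, cipher, n):
    """Known plaintext attack: P * A = C mod 26, so A = P^(-1) * C.
    Raises ValueError if the plaintext matrix P is not invertible mod 26,
    which is why N^2 known letters suffice only 'in general'."""
    return matmul(inv_mod(blocks(plain, n)), blocks(cipher, n))
```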
Problems:
1. Caesar wants to meet Marc Anton either at the river or at the arena. He sends the
ciphertext EVIRE to Marc Anton. But Marc Anton does not have the key. Can he find
out, where they are supposed to meet?
2. The ciphertext UCR was encrypted using the affine function 9x + 2 mod 26. Find
the plaintext.
3. Encrypt howareyou using the affine function 5x + 7 mod 26.
4. Smarty thinks he can improve the security of affine ciphers by iteration. He performs
one affine cipher and feeds the result into another one. Is he right?
5. The ciphertext YIFZMA was encrypted by a Hill cipher with matrix
$\begin{pmatrix} 9 & 13 \\ 2 & 3 \end{pmatrix}$. Find the plaintext.
6. The ciphertext GEZXDS was encrypted by a Hill cipher with a 2 × 2-matrix. The
plaintext is solved. Find the encryption matrix A.
7. Suppose the matrix $\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}$ is used as encryption
matrix. Find two plaintexts that encrypt to the same ciphertext.
