
Block ciphers

One significant weakness in simple substitution or transposition ciphers is the fact that a
single change in the plaintext only changes a single character in the ciphertext. Ideally,
we would like diffusion, whereby a change of one character in the plaintext changes several
characters of the ciphertext. This means that the frequency statistics of the alphabet are
spread out over many characters in the ciphertext. In consequence, the cryptanalyst
would require much longer ciphertext to mount a useful attack based on frequency analysis.
We would also like the key to be used in such a manner that each element of the ciphertext
depends on several elements of the key, ideally on the entire key. This is the concept
of confusion and means that the cryptanalyst would need to solve for the entire key
simultaneously rather than element by element.
Block ciphers have the ability to provide both these features. Almost all modern ciphers
are of this type and we look at an early, simple example: the Hill cipher (1929). This
has the distinction of being perhaps the first cipher in which algebraic methods (linear
algebra and modular arithmetic) were used in a formal way, and such ideas are the
mainstay of modern cryptosystems.
The idea is to break up the plaintext into blocks of n characters and encode each block
separately. We will illustrate the idea with a small block size of n = 3. Our plaintext is
once again we eat lunch at noon with the spaces removed (certainly not a necessity
in this situation) so we have p = {wee}{atl}{unc}{hat}{noo}{nxx}.
Note again the padding to complete a block.
We form an n × n matrix A, the elements of which form the key. This could be based on
alphabet characters but as we are going to convert everything to integers (mod 26) we will
simply assume that the entries are of this form:

$$A = \begin{bmatrix} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 7 & 0 & 0 \end{bmatrix}$$

Also, convert the plaintext into a series of row vectors:
p = [22 4 4], [0 19 11], [20 13 2], [7 0 19], [13 14 14], [13 23 23]
Usual matrix-vector multiplication maps column vectors into column vectors, but as we
have set our plaintext out as row vectors we will instead pre-multiply the matrix by the
plaintext vectors to obtain the ciphertext, p A = c. Everything is computed (mod 26).
$$[\,22\ \ 4\ \ 4\,] \begin{bmatrix} 1 & 2 & 3 \\ 4 & 5 & 6 \\ 7 & 0 & 0 \end{bmatrix} = [\,14\ \ 12\ \ 2\,] \pmod{26}$$

so that our first block of ciphertext is [14 12 2] = {o m c}.
We repeat this for each block to obtain the complete ciphertext.
How do we invert the ciphertext to obtain the plaintext?
Formally, let $B = A^{-1}$. Then if $c = pA$ we have $cB = pAB = pAA^{-1} = p$.
The usual condition for invertibility of a matrix is that $\det A \neq 0$, but that is not sufficient
here: we need $\det A \neq 0 \pmod{26}$.
Fortunately, here $\det A = -21 \equiv 5 \pmod{26}$ so we are in good shape. We compute

$$B = \begin{bmatrix} 0 & 0 & 15 \\ 24 & 1 & 22 \\ 19 & 8 & 15 \end{bmatrix}$$

and verify that

$$[\,14\ \ 12\ \ 2\,] \begin{bmatrix} 0 & 0 & 15 \\ 24 & 1 & 22 \\ 19 & 8 & 15 \end{bmatrix} = [\,22\ \ 4\ \ 4\,] \pmod{26}$$

The cipher has the virtue of simplicity and is in fact, for a large block size, quite difficult
to break given only the ciphertext.
However, it succumbs very easily to a known-plaintext attack on the key, and these types
of cipher are really not very usable. We give an example:
You know that Alice uses a Hill cipher. Suppose you intercept two messages sent by
Alice, one destined for Fred and the other for Bob. These have the first several characters
of ciphertext:
zjmmrlkavqswef . . . and zjmxbzofsubanj . . .
Notice that the first three characters are the same in each ciphertext. This could be a
coincidence; it could also be the same generic start of a message, perhaps dear fred
and dear bob? Let's go on that lead.
What could be the size of the Hill matrix?
It could be n = 2, although that would be rather trivial.
It could certainly be n = 3.
How about n = 4? No, for in that case dear would give the first 4 characters of the
ciphertext the same, and they are not.
What about n = 5? Unlikely, since then the first 5 characters of one plaintext would
be dearf and the other dearb, and it would be rather surprising that these would
both map to ciphertexts with the first 3 letters in common. The same for larger n.
Then let's assume that n = 3.
If our assumptions are all correct then we have the following situation:
[dea] A = [zjm], [rfr] A = [mrl], [rbo] A = [xbz]
which when we convert into numbers means we have the matrix equation P A = C,

$$\begin{bmatrix} 3 & 4 & 0 \\ 17 & 5 & 17 \\ 17 & 1 & 14 \end{bmatrix} A = \begin{bmatrix} 25 & 9 & 12 \\ 12 & 17 & 11 \\ 23 & 1 & 25 \end{bmatrix}$$

so that Alice's encryption matrix A should be

$$A = \begin{bmatrix} 3 & 4 & 0 \\ 17 & 5 & 17 \\ 17 & 1 & 14 \end{bmatrix}^{-1} \begin{bmatrix} 25 & 9 & 12 \\ 12 & 17 & 11 \\ 23 & 1 & 25 \end{bmatrix} = \begin{bmatrix} 19 & 17 & 22 \\ 18 & 22 & 19 \\ 7 & 2 & 22 \end{bmatrix} \pmod{26}$$

This turns out to be correct in that it allows us to read the entire messages.
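The following Python is an added worked example, not code from the notes; the function names (to_nums, encrypt, decrypt, inv_mod_matrix, recover_key) are my own. It carries through both parts of the notes with the same helpers: encryption of we eat lunch at noon under the key A above, inversion of A modulo 26 via the adjugate (which reproduces the matrix B given above), and the known-plaintext recovery A = P^{-1} C from the three (plaintext, ciphertext) block pairs dea/zjm, rfr/mrl, rbo/xbz, which reproduces Alice's key. Two checks a practitioner would want are built in: the invertibility test is gcd(det A, 26) = 1, because det A ≠ 0 (mod 26) alone is not enough (a determinant of 2 or 13 is non-zero mod 26 yet has no inverse); and the first ciphertext block of the worked encryption comes out as [14 12 12] = omm when computed with this A, so the third entry printed in the notes does not survive the arithmetic check, whereas the decryption with B and the recovered key both verify exactly.

```python
"""Hill cipher over a-z = 0..25: encryption, modular key inversion and the
known-plaintext key recovery from the notes. Added example, not the notes' code."""
from math import gcd

MOD = 26
PAD = 23  # 'x', the padding letter used in the notes


def to_nums(text):
    """Map a-z to 0-25; anything that is not a letter (e.g. spaces) is dropped."""
    return [ord(ch) - ord("a") for ch in text.lower() if "a" <= ch <= "z"]


def to_text(nums):
    return "".join(chr(n % MOD + ord("a")) for n in nums)


def mat_mul(x, y):
    """Matrix product reduced mod 26; a list of row vectors times the key."""
    return [[sum(a * b for a, b in zip(row, col)) % MOD for col in zip(*y)] for row in x]


def det(m):
    """Exact integer determinant by Laplace expansion along the first row."""
    if not m:
        return 1  # empty minor, base of the recursion
    total = 0
    for j, a in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * a * det(minor)
    return total


def inv_mod_matrix(m):
    """Inverse of m modulo 26 via the adjugate.

    det(m) != 0 (mod 26) is necessary but not sufficient: det(m) must be a
    unit mod 26, i.e. gcd(det(m), 26) == 1, otherwise no inverse exists."""
    n = len(m)
    d = det(m)
    if gcd(d % MOD, MOD) != 1:
        raise ValueError(f"det = {d} is not invertible mod {MOD}")
    d_inv = pow(d % MOD, -1, MOD)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)  # adjugate = transposed cofactors
    return [[(d_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def encrypt(plaintext, key):
    """c = p A block by block, padding the last block with 'x' as the notes do."""
    n = len(key)
    nums = to_nums(plaintext)
    nums += [PAD] * (-len(nums) % n)
    blocks = [nums[i:i + n] for i in range(0, len(nums), n)]
    return to_text(sum(mat_mul(blocks, key), []))


def decrypt(ciphertext, key):
    """p = c B with B = A^{-1} (mod 26)."""
    n = len(key)
    nums = to_nums(ciphertext)
    if len(nums) % n:
        raise ValueError("ciphertext length is not a multiple of the block size")
    blocks = [nums[i:i + n] for i in range(0, len(nums), n)]
    return to_text(sum(mat_mul(blocks, inv_mod_matrix(key)), []))


def recover_key(known_plain_blocks, cipher_blocks):
    """Known-plaintext attack from the notes: n independent plaintext blocks
    stacked as rows of P and their ciphertexts as rows of C satisfy P A = C,
    so A = P^{-1} C (mod 26). Raises ValueError if P is not invertible."""
    P = [to_nums(b) for b in known_plain_blocks]
    C = [to_nums(b) for b in cipher_blocks]
    return mat_mul(inv_mod_matrix(P), C)


if __name__ == "__main__":
    A = [[1, 2, 3], [4, 5, 6], [7, 0, 0]]  # the key from the notes
    print("det A =", det(A), "-> B =", inv_mod_matrix(A))
    ct = encrypt("we eat lunch at noon", A)
    print("ciphertext:", ct, "-> decrypts to:", decrypt(ct, A))
    # the three intercepted block pairs from the notes (dear fred / dear bob)
    print("recovered A:", recover_key(["dea", "rfr", "rbo"], ["zjm", "mrl", "xbz"]))
```

The key recovery needs the stacked plaintext matrix P itself to be invertible mod 26, which is why three independent blocks are required for n = 3; if the guessed cribs give a singular P, inv_mod_matrix raises and a different block pair has to be tried. Because A is linear, this recovery costs one matrix inversion regardless of key size, which is the weakness the notes describe.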
