1
Section 12: Introduction to Cryptography - Shift Ciphers and
Affine Ciphers
HW p. 21 # 1-20 at the end of the notes
Basic Concepts of Cryptography
Cryptography is the art of transmitting information in a secret manner. We next describe
some of the basic terminology we will use involving cryptography.
Plaintext – the actual undisguised message (usually an English message) .
Ciphertext – the secret disguised message that is transmitted.
Encryption (encipherment) – the process of converting plaintext to ciphertext.
Decryption (decipherment) – process of converting ciphertext back to plaintext.
Notation: Recall that Z m represents all possible remainders in a MOD m system, that is,
Z m  {0, 1, 2, , m  2, m  1}
For representing our alphabet, we use a MOD 26 system
Z 26  {0, 1, 2,  , 24, 25}
and perform a one-to-one correspondence between the alphabet letters and this set.
MOD 26 Alphabet Assignment
A0
K  10
B1
L  11
U  20
V  21
C2
M  12
W  22
D3
E4
N  13
O  14
X  23
Y  24
F 5
P  15
Z  25
G6
Q  16
H7
I 8
R  17
S  18
J9
T  19
Monoalphabetic Ciphers
2
Monoalphabetic Ciphers are substitution ciphers in which the correspondents agree on a
rearrangement (permutation) of the alphabet. In this section, we examine 2 basic types of
mathematical monoalphabetic ciphers. Before describing these ciphers, we state the
following basic facts concerning modular arithmetic.
Theorem 1: If y  x (mod m) , then for any integer t ,
1. y  t  x  t (mod m) .
2. yt  xt (mod m)
Proof 1:
Proof 2: Exercise
Shift Ciphers
If x is a numerical plaintext letter, we encipher x by computing the following formula:
Enciphering formula for Shift Ciphers
y  ( x  k ) (mod 26) , where k is in Z 26 .
Here y will be the numerical ciphertext letter.
*Note: k is called the key of the cipher and represents the shift amount.
3
Example 1: The Caesar cipher, developed by Julius Caesar
Figure 1: Julius Caesar
is a shift cipher given by
y  ( x  k ) (mod 26)
Note that the key k = 3. Use the Caesar cipher to create a cipher alphabet. Then use it to
encipher the message “RADFORD”.
Solution: To create the cipher alphabet, we substitute the MOD 26 alphabet assignment
number for each letter into the Caesar shift cipher formula and calculate the
corresponding ciphertext letter number as follows:
A  x  0  y  (0  3) (mod 26)  3 (mod 26)  3  D
B  x  1  y  (1  3) (mod 26)  4 (mod 26)  4  E
C  x  2  y  (2  3) (mod 26)  5 (mod 26)  5  F
D  x  3  y  (3  3) (mod 26)  6 (mod 26)  6  G

W  x  22  y  (22  3) (mod 26)  25 (mod 26)  25  Z
X  x  23  y  (23  3) (mod 26)  26 (mod 26)  0  A
Y  x  24  y  (24  3) (mod 26)  27 (mod 26)  1  B
Z  x  25  y  (25  3) (mod 26)  28 (mod 26)  2  C
This gives the corresponding correspondence between the plain and ciphertext alphabets
Plain
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Using the above table, we can encipher the message “RADFORD” as follows
Plaintext:
R A D F O R D
Ciphertext: U D G I R U G
Hence, the ciphertext is “UDGIRUG”
█
4
Of course, in the last example we did not have to create the entire plain and ciphertext
alphabets to encipher the message. We could instead just used the shift cipher formula
y  ( x  3) (mod 26) directly. We will illustrate this idea more generally in the next
example given below.
The Caesar cipher is just a special case of a shift cipher with a key of k  3 . In a general
shift cipher, the key k can be any value Z 26 , that is, any value in the set
{0, 1, 2, , 24, 25} . The next example illustrates a more general shift cipher.
Example 2: Encipher the message “SEINFELD” using a 12 shift cipher.
Solution:
█
5
Deciphering Shift Ciphers
Given a key k , plaintext letter number x , and ciphertext letter number y , we decipher
as follows:
y  ( x  k ) (mod 26)
y  k  ( x  k  k ) (mod 26)
(subtract k from both sides and simplify)
x  ( y  k ) (mod 26)
(rearrange both sides of the equation)
This gives the
Deciphering formula for shift ciphers
x  ( y  k ) (mod 26)
where y is the numerical ciphertext letter, x is the numerical plaintext letter, and k is the
key of the cipher (the shift amount).
*Note: In the deciphering shift cipher formula,  k (mod 26) can be converted to its
equivalent positive form by finding a positive reminder.
The next two examples illustrate how to deciphering process works.
6
Example 3: Suppose we received the ciphertext “YLUJLQLD” that was encrypted using
a Caesar cipher (shift k  3 ). Decipher this message.
Solution:
.
█
7
Example 4: Decipher the message “EVZCJZXDFE” that was enciphered using a 17 shift
cipher.
Solution: Using the shift cipher formula
y  ( x  k ) (mod 26) ,
we see that the key k for this cipher must be k  17. Hence the formula becomes
y  ( x  17) (mod 26) .
Recall in this formula that x represents the alphabet assignment number for the plaintext
and y represents the alphabet assignment number for the cipher-text. Since we want to
decipher the above cipher-text, we must solve the above equation for x. Rearranging first
gives:
x  17  y (mod 26)
.
To solve for x, we must subtract 17 from both sides. This gives:
x  ( y  17) (mod 26)
(*)
Note that since  17 (mod 26)  9 (this can be computed simply by taking –17 + 26 = 9),
we can write equation (*) as:
x  ( y  9) (mod 26)
(**)
Either equations (*) or (**) can be used to decipher the message. We will use equation
(**). Taking each letter of the cipher-text “EVZCJZXDFE” and using the MOD 26
alphabet assignment, we obtain:
E  y  4  x  (4  9) (mod 26)  13 (mod 26)  13  N
V  y  21  x  (21  9) (mod 26)  30 (mod 26)  4  E
Z  y  25  x  (25  9) (mod 26)  34 (mod 26)  8  I
C  y  2  x  (2  9) (mod 26)  11 (mod 26)  11  L
J  y  9  x  (9  9) (mod 26)  18 (mod 26)  18  S
ZI
X  y  23  x  (23  9) (mod 26)  32 (mod 26)  6  G
D  y  3  x  x  (3  9) (mod 26)  12 (mod 26)  12  M
F  y  5  x  x  (5  9) (mod 26)  14 (mod 26)  14  O
EN
Hence, the plaintext is “NEIL SIGMON”.
█
8
Cryptanalysis of Shift Ciphers
As the last two examples illustrate, one must know the key k used in a shift cipher when
deciphering a message. This leads to an important question. How can we decipher a
message in a shift cipher if we do not know the key k ? Cryptanalysis is the process of
trying to break a cipher by finding its key. Cryptanalysis in general is not an easy
problem. The more secure a cipher is, the harder it is to cryptanalyze. We will soon see
that a shift cipher is not very secure and is relatively easy to break.
Methods for Breaking a Shift Cipher
1. Knowing x  ( y  k ) (mod 26) , we can test all possibilities for k (there are 26 total
in Z 26  {0, 1, 2, , 24, 25} ) until we recover a message that makes
sense.
2. Frequency analysis: Uses the fact that the most frequently occurring letters in the
ciphertext produced by shift cipher has a good chance of corresponding to the most
frequently occurring letters in the standard English alphabet. The most frequently
occurring letters in English are E, T, A, O, I, N, and T (see the English frequency
on the next page).
We will demonstrate these techniques using a Maple.
9
Letter Frequency Tables
Letter
A
B
C
D
E
F
G
H
I
J
K
L
M
Relative Frequency (%)
8.167
1.492
2.782
4.253
12.702
2.228
2.015
6.094
6.966
0.153
0.772
4.025
2.406
Letter
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Relative Frequency (%)
6.749
7.507
1.929
0.095
5.987
6.327
9.056
2.758
0.978
2.360
0.150
1.974
0.074
Table 1: Relative Frequencies of letters of English Language
Most Common are E, T, A, O, I, N, and R
1. TH
2. ER
3. ON
4. AN
5. RE
6. HE
7. IN
8. ED, ND
9. HA
10. AT, EN, ES, OF, OR
11. NT
12. EA, TI, TO
13. IT, ST
14. IO, LE
15. IS, OU
16. AR, AS, DE, RT, VE
Table 2: Most Common Digraphs in the English Language
(Based on a 2000 letter sample)
1. THE
2. AND
3. THA
4. ENT
5. ION
6. TIO
7. FOR
8. NDE
9. HAS
10. NCE
11. EDT
12. TIS
13. OFT
14. STH
15. MEN
Table 3: Most Common Trigraphs in the English Language
10
Affine Ciphers
In shift ciphers, messages are encrypted by using an additive key. To increase security,
we can, in addition to an additive parameter, encipher messages using a multiplicative
parameter. In affine ciphers, the key used for encipherment involves using both a
multiplicative and additive parameter. Before describing affine ciphers, we give some
necessary mathematics background.
Multiplicative Inverses
In the real number system, every non-zero number has a multiplicative inverse – the
number you must multiply to a given number to get 1. In other words, every non-zero real
number is a unit.
Example 5: Fill in the ( ) for (2)   1 , (10)   1 , and (a)   1 if we are working in
the real number system.
Solution:
█
11
Note: In some rings, multiplicative inverses (units of elements) in most cases do not
exist.
Example 6: Name the units in the set of integers Z .
Solution:
█
Note: In the modular arithmetic system, a multiplicative inverse may or may not exist,
depending on the following fact involving the greatest common divisor.
Theorem 2: If the gcd( b, m)  1 , then b is a unit in Z m , that is, b 1 (mod m) exists.
Proof:
█
12
Example 7: Does 8 have multiplicative inverse with respect to the modulus 26?
Solution:
█
Example 8: Does 9 have and inverse with respect to the modulus 26?
Solution:
█
Later, we will use the Euclidean Algorithm to compute multiplicative inverses. For now,
since we will work with a MOD 26 system, we will display a table showing the numbers
in a MOD 26 with their multiplicative inverses:
Multiplicative Inverse Table
a
1
a MOD 26
1
1
3
9
5
21
7
15
9
3
11
19
15
7
17
23
Table 4: Multiplicative Inverses MOD 26
19
11
21
5
23
17
25
25
13
Example 9: Use Table 4 to find 7 1 (mod 26)
Solution:
█
Theorem 1 allows us to solve linear equations involving modular arithmetic, as is
demonstrated in the next example.
.
Example 10: Solve 11x  1  5 (mod 26) for x .
Solution:
█
Multiplicative inverses in modular arithmetic can be useful in solving systems of linear
equations, which are useful for cryptanalysis. This next example illustrates this fact.
14
Example 11: Solve the system of equations (congruences).
8a  b
 18 (mod 26)
17a  b  11 (mod 26)
Solution:
█
15
Mathematical Description of Affine Ciphers
Given a and b in Z 26  {0, 1, 2,  , 24, 25} where gcd( a, 26)  1 . We encipher a
plaintext letter x to obtain a ciphertext letter y by computing
y  (ax  b) (mod 26) .
Here, the key is made up of a multiplicative parameter a and an additive parameter b .
The next example illustrates how a message is enciphered.
Example 12: Encipher “RADFORD” using the affine cipher y  (5 x  4) (mod 26)
MOD 26.
Solution:
█
16
Note: Recall that for an affine cipher y  (ax  b) (mod 26) to be defined properly,
gcd( a, 26)  1 . Besides allowing a recipient to decipher a message, the next example
illustrates another reason why this requirement is essential.
Example 13 Use the affine cipher y  (2 x  1) (mod 26) to encipher “AN”.
Solution:
█
Deciphering an Affine Cipher
For an affine cipher y  (ax  b) (mod 26) where gcd( a, 26)  1 , decipherment can be
done uniquely. Given the numerical representation of the plaintext message x and
ciphertext message y , we take
y  (ax  b) (mod 26)
ax  b  y (mod 26)
(Rearrange both sides)
ax  ( y  b) (mod 26)
(Subtract b from both sides)
a 1a x  a 1 ( y  b) (mod 26)
x  a 1 ( y  b) (mod 26)
(Multiply both sides by a 1 )
(Cancel and simplify)
Hence, x  a 1 ( y  b) (mod 26) is the decipherment formula for affine ciphers. We
illustrate this formula with an example.
17
Example 14: Decipher the message “ARMMVKARER” that was encrypted using the
affine cipher
y  (3x  5) (mod 26)
(*)
Solution: Recall here that x is the numerical representation of the plaintext letter and y is
the numerical representation of ciphertext letter. To decipher, we must solve equation (*)
for x. We do this using the following steps:
3x  5  y (mod 26)
(switch both sides of the equation across the “=” mark)
3x  ( y  5) (mod 26)
(subtract 5 from both sides of the equation)
3x  ( y  21) (mod 26)
(use the fact that 5 MOD 26  21)
313x  31 ( y  21) (mod 26) (multiply both sides by the multiplicative inverse of 3.
x  9( y  21) (mod 26)
(use the multiplicative inverse MOD 26 table to see that
31 (mod 26)  9 ).
Using the decipherment formula x  9( y  21) (mod 26) , we can decipher the message
using the following repetitive steps:
A  y  0  x  9(0  21) (mod 26)  9(21) (mod 26)  189 (mod 26)  7  H
R  y  17  x  9(17  21) (mod 26)  9(38) (mod 26)  342 (mod 26)  4  E
M  y  12  x  9(12  21) (mod 26)  9(33) (mod 26)  297 (mod 26)  11  L
M L
V  y  21  x  9(21  21) (mod 26)  9(42) (mod 26)  378 (mod 26)  14  O
K  y  10  x  9(10  21) (mod 26)  9(31) (mod 26)  279 MOD 26  19  T
A H
RE
E  y  4  x  9(4  21) (mod 26)  9(25) (mod 26)  225 (mod 26)  17  R
RE
Hence, the message is “HELLO THERE”.
█
18
Cryptanalysis of Affine Ciphers
For an affine cipher y  (ax  b) (mod 26) , an enemy must know the multiplicative
parameter a and additive parameter b in order to decipher and break a message. Once a
and b are known, x  a 1 ( y  b) (mod 26) can be computed and the message broken.
Two methods of attack can be used to attempt to break an affine cipher.
Methods for Breaking and Affine Cipher
1. Exhaustion. Note there are 12 possible multiplicative parameters a where
gcd( a, 26)  1 and 26 possible additive parameters b . This gives 12  26  312 total
(a, b) pairs to test.
2. Frequency analysis. Quicker way which involves matching to highly frequently
occurring ciphertext letters with two highly frequently occurring plaintext letters.
Involves solving a system of equations MOD 26.
The next example illustrates method 2.
19
Example 15: Suppose we receive a ciphertext that was enciphered using an affine cipher.
After running a frequency analysis on the ciphertext, we find out that the most highly
frequently occurring letters in the ciphertext are W and H. Assuming that these letters
correspond to E and T respectively, find the parameters a and b that were used in the
affine cipher.
Solution: Recall that for an affine cipher y  (ax  b) (mod 26) , x is the numerical
representation of the plaintext letter and y is the numerical representation of the
ciphertext letter. Hence, using the MOD 26 alphabet assignment and the equation
y  (ax  b) mod 26 , we see that
Plaintext E  x  4 corresponds to the ciphertext W  y  22 which gives the
equation (1) 22  (a  4  b) (mod 26)
Plaintext T  x  19 corresponds to the ciphertext H  y  7 which gives the equation
(2) 7  (a  19  b) (mod 26)
Rearranging and putting these equations together gives
4a  b  22 (mod 26)
19a  b  7 (mod 26)
(1)
(2)
To find a , we must solve this system of equations.
To eliminate the parameter b, we subtract equation (2) from equation (1):
4a  b  22 (mod 26)
19a  b  7 (mod 26)
 15a 
15 (mod 26)

Since  15 (mod 26)  11 , we can write the resulting equation from the subtraction as:
11a  15 (mod 26) .
We next solve this result by multiplying both sides by 111 (mod 26) :
111  11 a  111  15 (mod 26) .
Noting from the MOD 26 multiplicative inverse table that 111 (mod 26)  19 , we obtain
a  19  15 (mod 26)  285 (mod 26)  25
20
Hence a  25 . We can substitute a  25 into either equation (1) or (2) to find b.
Choosing equation (1) 4a  b  22 mod 26 , we obtain:
4(25)  b  22 (mod 26)
or
100  b  22 (mod 26) .
Subtracting 100 from both sides gives
b  (22  100) (mod 26)
or
b  78 (mod 26)  0 .
Hence a  25 and b  0 solves the above system of equations. Hence, the affine cipher
y  (25 x  0) (mod 26)
or
y  25x (mod 26) .
was used to encrypt the message.
█
21
Exercises
1. Solve the following modular equations for x.
a. x  8  7 (mod 12)
b. x  13  2 (mod 19)
c. x  19  24 (mod 26)
d. x  23  9 (mod 26)
2. Solve the following modular equations for x.
a. 3x  5  2 (mod 26)
b. 17 x  13  2 (mod 26)
c. 25 x  19  25 (mod 26)
d. 2 x  3  10 (mod 26)
3. Solve the following systems of modular equations for a and b.
a.
b.
c.
17a  b  18 (mod 26)
6a  b
8a  b
 14 (mod 26)
 12 (mod 26)
19a  b 
5 (mod 26)
8a  b  8 (mod 26)
25a  b  17 (mod 26)
4. Use Caesar's cipher to encrypt the plaintext message COWARDS DIE MANY TIMES
BEFORE THEIR ACTUAL DEATHS1.
5. Decrypt the ciphertext message FDHVD UGLHG EBDVV DVVLQ DWLRQ that was
encrypted using Caesar's cipher.
6. Use a 13 shift cipher to encrypt the plaintext message A WOMAN WORRIES ABOUT
THE FUTURE UNTIL SHE GETS A HUSBAND.
7. Decrypt the ciphertext message NZNAA RIREJ BEEVR FNOBH GGURS HGHER
HAGVY URTRG FNJVS R that was encrypted using a 13 shift cipher.
8. Use a 18 shift cipher to encipher the plaintext message HALLOWEEN AND FRIDAY
THE THIRTEENTH.
1
Julius Caesar (100 BC - 44 BC), quote.
22
9. Decrypt the ciphertext message GCWBU YFGSY LMUHX DUMIH PIILB YYM that
was encrypted with a 20 shift cipher.
10. Use the affine cipher y  (5 x  2) (mod 26) to encrypt the plaintext message GONE
TO LUNCH.
11. Use the affine cipher y  (21x  18) (mod 26) to encrypt the plaintext message HELLO
DARLING.
12. Decipher the ciphertext message DVJWP TDQPO LA, which has been encrypted using
the affine cipher y  (21x  3) (mod 26) .
13. Decipher the ciphertext message YBSMT DUISK TKGIZ SUC, which has been
encrypted using the affine cipher y  (25 x  6) (mod 26) .
14. For the following ciphertexts, a correspondence between two plaintext letters and two
ciphertext letters are given. Use the information to determine the encipherment formula
and decipherment formula. Then decipher the message.
a. Plaintext letter I enciphers as ciphertext letter C and plaintext letter H enciphers as
the ciphertext letter N for the ciphertext LNUWN CZCZY CWMWQ MHIKO
PCU.
b. Plaintext letter E enciphers as ciphertext letter S and plaintext letter T enciphers as
the ciphertext letter Z for the ciphertext ZJSUO TGSZJ SSNOF YGCZG CEXCO
CYEFK.
15. The ciphertext CSHWO PCDCS NHDA has the following frequency letter count:
Letter
Count
A B C D
1 0 3 2
E
0
F G H I
0 0 2 0
J
0
K L
0 0
M N
0 1
O P Q R S
1 1 0 0 2
T
0
U V W X Y Z
0 0 1 0 0 0
Use this information to cryptanalyze and decipher this message.
16. Decipher the ciphertext GYJHL GSPVI HBJFV PSJB that was encrypted using an
affine cipher.
17. If y  x (mod m) , then show yt  xt (mod m) for any integer t .
23
18. Sometimes when attempting to solve a system of equations to recover the affine cipher
keys a and b, the solutions for a and b are not unique. For example, consider the system
of equations
10a  b  18 (mod 26)
6a  b
 16 (mod 26)
If we subtract these two equations to eliminate the parameter b, we get the equation
4a  2 (mod 26)
Since gcd( 4, 26)  2  1 , 4 1 (mod 26) does not exist and a solution for a cannot be
determined uniquely. However, we can determine two solutions to a by trial and error,
namely, a = 7 and a = 20 are solutions. Since a = 7 is the only solution that satisfies
the affine cipher requirement that gcd( a, 26)  1 , it is likely this would be the correct
choice in the cryptanalysis of the affine cipher. Using a = 7, a solution of b = 0 can
then be found to complete this solution of the system.
Suppose for the ciphertext text AGSZD EIDUI OEZMO GSRX it is known that the
plaintext letter U enciphers as the ciphertext letter S and the plaintext letter O enciphers
as the ciphertext letter G. Cryptanalyze this ciphertext message by setting up the system
of equations, determining the encipherment formula used in the affine cipher, and
recover the plaintext.
19. Suppose that a plaintext P is encrypted, yielding ciphertext C1 , and then C1 is
encrypted, yielding a new ciphertext C 2 . The encryption of C1 is called a
superencryption} of P. If a plaintext P was first encrypted with a shift cipher, would
superencrypting P with another shift cipher increase the mathematical security in the
final ciphertext? Completely explain your answer, and be as specific as possible.
20. If a plaintext P was first encrypted with a affine cipher, would superencrypting P (see
Exercise 17 for an explanation of superencryption) with another affine cipher increase
the mathematical security in the final ciphertext? Completely explain your answer, and
be as specific as possible.