1
Chapter 7: Hill Ciphers
In this chapter we look at block or polygraphic ciphers, where groups of plaintext are
enciphered as units. In particular, we look at the Hill Cipher, which enciphers groups of
two or more plaintext characters using matrix multiplication. In order to understand this
method, we give a brief review of matrices and their operations.
7.1 Matrices
Matrices are used in a variety of applications, and there are entire courses devoted to the
subject. Our goal in this section is to review basic concepts involving matrices so that we
can apply them to cryptology.
7.1.1 Definition and Basic Terminology
A matrix is a rectangular array of numbers (usually real) made up of rows and columns.
The size of a matrix represents its number of rows and number columns, which is written
as (# rows)  (# columns). For example, here are the matrices A, B, c, and d with their
corresponding sizes:
 5 10 0 1
A
 (Size: 2  4)
 3 2  5 1
2 
100

B  1 / 5
 1  (Size: 3  2)
 1  2 / 5
c  3  4 8 1 (Size: 1  4)
0
d  1 (Size: 3  1)
 
4
We will refer to a matrix that contains a single row as a row matrix, and a matrix that
contains a single column as a column matrix.
To indicate an individual entry in a matrix, we use the notation
a ij (represents the element in the i th row and j th column of the matrix A)
 5 10 0 1
Thus, we have for the matrix A  
 , we have the elements a12  10 and
 3 2  5 1
a23  5 and for the matrix C  3  4 8 1 , we have the elements c12  4 and
c14  1 .
2
A matrix A of size m n has the form
 a11
a
A   21
 

a m1
a12
a 22

a m2
 a1n 
 a 2n 
 

 a mn 
A square matrix is a matrix where (# rows) = (# columns) or m = n. When this is case, we
say the matrix is a square matrix of order n. Here are some examples of square matrices:
8 1
19 14 (2  2 square matrix of order 2)


11 6 8 
 0 3 14 (3  3 square matrix of order 3).


24 0 9 
7.1.2 Matrix Operations
Matrices can be combined by addition, subtraction, scalar multiplication, and
multiplication. We describe these operations next.
Matrix Addition and Subtraction
Matrices can only be added and subtracted if they have the same size. To add or subtract
matrices, we add or subtract each corresponding component.
3
 2 1 1
 2 3 4 
Example 1: Given the 2  3 matrices A  
and B  

,
  1  1 4
  3 1  2
determine A  B and A  B .
Solution:
█
1 0
 2 3


Example 2: Given the 2  2 matrix A  
 and the 3 2 matrix C  2 1 ,
1
0


1 1
determine A  C and A  C .
Solution:
█
4
Scalar Multiplication of Matrices
When working with matrices, numbers are referred to as scalars. To multiply a matrix by
a scalar, we multiply each entry of the matrix by the given scalar.
  2 3
Example 3: Given A  
 , compute 3 A .
 1 2
Solution:
.
█
  3 2
0  5 / 2


Example 4: If A   2 1  and B  1
2  , compute 5 A  2B .
 5 0
3
 1 
 3 2 0  5 / 2  15 10 0  5  15 15
Solution: 5 A  2 B  5 2 1  21
2    10 5   2 4    8
1  .
 5 0 3
 1   25 0  6  2  19 2 
█
5
Matrix Multiplication
To understand matrix multiplication, one must first understand how to multiply a row
vector times a column vector. If a  a11 , a12 ,, a1n  is a 1  n row vector and
 b11 
b 
b   21 
  
 
bn1 
is a n  1column vector, then the product of A and B is the scalar produced by multiplying
each corresponding entry of A and B and adding. That is
 b11 
b 
ab  a11, a12 ,  , a1n   21   a11b11  a12 b21    a1n bn1 .
  
 
bn1 
3
  5
Example 5: If a  1  1 0 4 and b    , compute ab.
1
 
  1
Solution:
.
█
Multiplication of matrices in general involves multiple multiplications of rows and
columns. If A is a m n matrix and B is a n  p matrix, the product C = AB is the matrix
where each element c ij is made up of the product of the i th row of the left matrix A
multiplied to the j th column of the right matrix B. That is,
cij  (row i of A)  (column j of B) .
6
Note! For the matrix product AB to exist, the number of columns of the left matrix A
must equal to the number of rows in the right matrix B. The size of the product will be
(the number of rows in A)  (the number of columns in B).
It can be easier to see this by examining the following:
C A

B
m n      n p
must
equal
Size of
Product
m p
 1 0  2
Example 6: If a  1  3 and B  
 , determine aB.
 1 2 3 
Solution:
.
█
7
 3 0
1  1 0
Example 7: For the matrices, A   1 1 , B  
, compute the products AB


2  5 1

 1 0
and BA
Solution: After observing
A

B
32      23
are
equal
Size of
Product
3 3
that the size of the product is a 3 3 matrix, we obtain the product AB by computing:
 3 0
 (3)(1)  (0)( 2) (3)( 1)  (0)( 5) (3)(0)  (0)(1) 
1  1 0  


AB   1 1 
  (1)(1)  (1)( 2)
(1)( 1)  (1)( 5)
(1)(0)  (1)(1) 

2  5 1
 1 0 
(1)(1)  (0)( 2) (1)( 1)  (0)( 5) (1)(0)  (0)(1)
 3  3 0
  3  6 1
 1 1 0
To compute the product BA , we observe
B

.
A
23      32
are
equal
and compute
Size of
Product
22
 3 0
1  1 0  
   (1)(3)  (1)(1)  (0)( 1) (1)(0)  (1)(1)  (0)(0) 
BA  
1
1



 
2  5 1  1 0 (2)(3)  (5)(1)  (1)( 1) (2)(0)  (5)(1)  (1)(0)
.


 2  1


 0  5
█
8
 3 0
1  1 0 2
Example 8: Given the matrices A  
and B   1 1 , compute the



2  5 1 5
 1 0
products AB and BA.
Solution:
9
The previous two examples illustrate a very important fact when multiplying matrices:
FACT: In general, matrix multiplication is not commutative, that is, given matrices A
and B, it is true in most cases that AB  BA .
7.1.3 Identity and Inverse Matrices
The multiplicative identity matrix, usually referred to just the identity matrix I, is the
n  n matrix defined by
1 0 0  0
0 1 0  0 


I  0 0 1  0  .


     0
0 0 0  1
Note that I has 1’s on the main diagonal and 0’s elsewhere. The following represent
2  2 , 3 3 , and 4  4 identity matrices:
1 0
I2  
,
0 1
22
1 0 0
I 3   0 1 0 ,


0 0 1
33
1
0
I4  
0

0
0 0 0
1 0 0
.
0 1 0

0 0 1
44
Since I serves as the multiplicative identity. If A is a m n matrix, then
AI = IA = A.
Note that I is always a square matrix, that is, the number of rows equals the number of
columns. Of course, the size of I is dependent on the size of A when multiplying on the
left and right as the next example demonstrates.
10
 1 2 0
Example 9: Given the 2  3 matrix A  
 , compute AI and IA .
  1 1 2
Solution: To be multiplicatively compatible, the size of the identity I on the left must be
2  2 and on the right 3 3 . This gives
1 0  1 2 0  1 2 0
IA  


A
0 1  1 1 2  1 1 2
and
1 0 0
 1 2 0 
   1 2 0  A .
AI  
0
1
0



 
 1 1 2 0 0 1  1 1 2


█
Determinants
a
The determinant of a 2  2 matrix A   11
a 21
a12 
is given by
a 22 
det(A)  a11a22  a12 a21 .
 3 1 
Example 10: Find the determinant of the matrix A  
.
 5 2
Solution:
█
11
 2  2
Example 11: Find the determinant of the matrix A  
.
4 3 
Solution:
█
A fact to note is that the determinant of a 1 1 matrix is defined to be the entry of the
matrix. For example, if A  [3] , then det( A)  3 . Another important note to make is that
is possible to take determinants of larger size square matrices (larger than 2  2 ) , which
will be discussed in the Exercises.
Matrix Inverses
The multiplicative inverse , or inverse for short, of a n  n matrix A , if it exists, is
denoted by A1 , and is defined to be the n  n matrix where
AA1  A1 A  I ,
where I is the n  n identity matrix. It can be shown that A1 is unique. Note the
inverse only exists for square matrices where the row and column number are the same.
Note: To show that A1 , we only have to find a matrix B were AB  I . If AB  I , then
it can be shown that BA  I will also be true. Hence, we say A1  B
12
 3 / 5 1 / 5
Example 12: Show that the matrix B  
 is the inverse of the matrix
 2 / 5 1 / 5
1  1
A
,
2 3 
Solution: To show B is the inverse of A, one must show that BA  AB  I . For example,
 3 / 5 1 / 5 1  1  3 / 5  2 / 5  3 / 5  3 / 5 1 0
BA  



.
 2 / 5 1 / 5 2 3   2 / 5  2 / 5 2 / 5  3 / 5  0 1
 3 / 5 1 / 5
A similar calculation can be shown for AB  I . Hence, A 1  
.
 2 / 5 1 / 5
█
Given a matrix A , how do we know if A1 exists, and if it does, how can we calculate
A1 ? For matrices larger than 2  2 , the recommended method involves a method
involving row reduction. However, for 2  2 matrices, there is a method based upon the
following:
a12 
a
FACT: For a given 2  2 matrix A   11
, the matrix A1 exists only if

a 21 a 22 
det( A)  0 . If this is so, the inverse of the matrix is defined to be:
A 1 
1  a 22
det( A)  a 21
 a12 
.
a11 
Note that the matrix part of the formula for A1 is obtained by switching the main
diagonal elements and negating the back diagonal elements.
13
2 1
Example 13: Given the matrix A  
, determine if A1 exists, and if so, compute.

3 3
Solution:
█
1 2 
Example 14: Given the matrix A  
, determine if A1 exists, and if so, compute.

 2 4
Solution:
█
14
7.1.4 Matrices with Modular Arithmetic
We can extend the mod operation to matrices. For a matrix A with entries aij , we say
A mod m is the matrix where the mod operation is applied to each entry, aij mod m .
31  3
Example 15: Compute the matrix 
 mod 26 .
12 29 
Solution:
█
The concepts of matrix addition, subtraction, and multiplication can be computed using
modular arithmetic. The following two examples illustrate these concepts.
 4 1 1
 2 3 4 
Example 16: Given the 2  3 matrices A  
and B  

,
  1  1 4
  3 1  2
determine A  B and A  B mod 5.
Solution:
█
15
 2 7 
Example 17: Given A  
 , compute 3 A mod 13.
 1 10
Solution:
3 15 
0 4 14
Example 18: For the matrices, A  2 4  , B  
, compute the product AB


2 1 6 

9 20
mod 26.
Solution: After observing that the size of the product AB is a 3 3 matrix, we obtain the
product AB by computing:
 3 15 
 (3)( 0)  (15)( 2) (3)( 4)  (15)(1) (3)(14)  (15)( 6) 
0 4 14 


AB  2 4 
 ( 2)( 0)  ( 4)( 2) ( 2)( 4)  ( 4)(1) ( 2)(14)  ( 4)( 6) 

 2 1 6  

(9)( 0)  ( 20)( 2) (9)( 4)  ( 20)(1) (9)(14)  ( 20)( 6)
9 20
30 27 132 
  8 12 52  mod 26


40 56 246
.
4 1 2
  8 12 0 


14 4 10
█
16
The inverse of a matrix can exist for modular arithmetic modulo m as well. For a square
matrix A with entries in Z m  {0, 1, 2,3 , , m  1} }, the inverse of A modulo m, if it
exists, is a matrix B with entries in Z m and with the property that AB mod m  I . This
inverse, when it exists, is denoted A1 mod m .
Example 19: Consider the following matrices A and B.
11 6 8 
A   0 3 14


24 0 9 
and
 5 16 14
B  16 3 10


 4 18 9 
To see whether B  A1 mod 26 , we compute the following.
11 6 8   5 16 14
AB mod 26   0 3 14 16 3 10 mod 26



24 0 9   4 18 9 
183 338 286
 104 261 156  mod 26


156 546 417
1 0 0 
  0 1 0


0 0 1
Thus, B  A1 mod 26 .
█
17
To find the inverse of a 2  2 matrix in modular arithmetic, we use the same formula as
for the real number system, except that the reciprocal of the determinant is represented by
(det( A)) 1 , which will represent the multiplicative inverse of det( A) mod m .
a12 
a
1
FACT: For a given 2  2 matrix A   11
 , the matrix A exists if and only if
a
a
22 
 21
gcd(det( A), m)  1 . If this is so, the inverse of the matrix is defined to be:
 a12 
a
A1  (det( A)) 1  22
 mod m .
 a21 a11 
With Hill ciphers, all of our calculations will be done modulo 26. For convenience, each
value of det(A) mod 26 for which (det( A)) 1 mod 26 exists is shown along with
(det( A)) 1 mod 26 in Table 1.
det( A)
(det( A)) 1 mod 26
1
1
3
9
5
21
7
15
9
3
11
19
Table 1: Corresponding values of det( A)
15
7
17
23
19
11
21
5
23
17
25
25
and (det( A)) 1 mod 26
2 24
Example 19: Determine if the inverse of the matrix A  
 mod 26 exists, and if
4 3 
so, find the inverse.
Solution:
█
18
23 1
Example 20: Determine if the inverse of A  
 modulo 26 exists, and if so, find
 5 2
the inverse.
Solution:
█
Some Suggested Textbook Exercises for Practice for Section 7.1
p. 242: # 1-12
7.2 A Maplet for Matrix Computations
Some Suggested Textbook Exercises for Practice for Section 7.2
p. 250: # 1-8
19
7.3 Hill Ciphers
The Hill Cipher was developed by Lester Hill of Hunter College in 1929. It involves
breaking the plaintext into blocks whose size depends on the size of a key matrix used for
encipherment. For our examples, we will focus on 2  2 matrices, although the method can
easily be extended to matrices of larger sizes.
The key to our encryption will be a 2  2 invertible matrix A modulo 26. We use
the same mod 26 alphabet assignment introduced back in Chapter 5.
Alphabet Assignment
A0
K  10
B1
L  11
U  20
V  21
C2
M  12
W  22
D3
E4
N  13
O  14
X  23
Y  24
F 5
P  15
Z  25
G6
Q  16
H7
I 8
R  17
S  18
J9
T  19
Suppose x1 , x2 , x3 , x4 ,, xn1 , xn are the numerical equivalents of n plaintext letters (we will
assume n is divisible by the size of the matrix 2, if not, an extra letter can be padded to the plaintext
to make this so). The ciphertext y1 , y 2 , y3 , y 4 ,, y n1 , y n is computed by grouping the plaintext
into row vectors of two elements each and computing the following matrix vector products:
 y1
 y3
 yn 1
y 2   x1
y 4   x3
x2 A mod 26,
x4 A mod 26,

y n   xn 1
.
xn A mod 26
To decipher, we compute the inverse of the key matrix A1 and reverse the process by
computing the following matrix vector products:
x1
x3
x2    y1
y 2 A1 mod 26,
x4    y 3
y 4 A1 mod 26,

xn 1
xn    y n 1
y n A1 mod 26
20
2 5
Example 21: Use the key matrix A  
 to encrypt the message BE HERE AT
1 4 
SEVEN.
Solution:
21
2 5
Example 22: Suppose the key matrix A  
 was used to create the ciphertext
1 4 
message MYBGX HTMTY IU. Decipher the message.
Solution: To decipher, we need the inverse of the key matrix. Noting that
det( A)  (2)( 4)  (5)(1)  3 and (det( A)) 1  31 MOD 26  9 , we find the inverse as follows:
 4  5
 4  5  36  45
10 7 
A 1  (det( A)) 1 
9

MOD 26  




 1 2 
 1 2   9 18 
17 18
We next convert the the ciphertext message into its numerical equivalents in Z 26 .
M
Y
B
G
X
H
T
M
T
Y
I
U
12
24
1
6
23
7
19
12
19
24
8
20
Grouping the ciphertext into groups of column vectors of two elements each, we calculate
the following matrix vector products.
10 7 
12 24 A1  12 24 
  528 516 mod 26  8 22
17 18
1 6 A1  1 6 
10 7 
  112 115 mod 26  8 11
17 18
10 7 
7 A1  23 7 
  349 287 mod 26  11 1
17 18
23
19
10 7 
12 A1  19 12 
  394 349 mod 26  4 11
17 18
19
10 7 
24 A1  19 24 
  598 565 mod 26  0 19
17 18
10 7 
20 A1  8 20 
  420 416 mod 26  4 0
17 18
8
The numerical equivalents of the plaintext and corresponding letters in Z 26 are
8
22
8
11
11
1
4
11
0
19
4
0
I
W
I
L
L
B
E
L
A
T
E
A
Hence, the plaintext is I WILL BE LATE.
█
22
11 6 8 
Example 23: Use the key matrix A   0 3 14 to encrypt the message EAGLES


24 0 9 
DARE.
Solution: To encrypt this message, we first convert the plaintext message into its
numerical equivalents in Z 26 .
E
A
G
L
E
S
D
A
R
E
4
0
6
11
4
18
3
0
17
4
Grouping the plaintext into groups of column vectors of three elements each, noting that
we pad the last block with two extra A’s to make it three elements, we calculate the
following matrix vector products.
11 6 8 
4 0 6 A  4 0 6  0 3 14  188 24 86 mod 26  6 24 8
24 0 9 
11 6 8 
11 4 18 A  11 4 18  0 3 14  553 78 306 mod 26  7 0 20
24 0 9 
11 6 8 
3 0 17 A  3 0 17  0 3 14  441 18 177 mod 26  25 18 21
24 0 9 
11 6 8 
4 0 0 A  4 0 0  0 3 14  44 24 32 mod 26  18 24 6
24 0 9 
The numerical equivalents of the ciphertext and corresponding letters in Z 26 are
6
24
8
7
0
20
25
18
21
18
24
6
G
Y
I
H
A
U
Z
S
V
S
Y
G
Hence, the plaintext is GYIHA UZSVS YG.
█
23
11 6 8 
Example 24: Suppose the key matrix A   0 3 14 was used to create the ciphertext


24 0 9 
message CWPQR ATWD. Decipher the message.
█
24
Some Suggested Textbook Exercises for Practice for Section 7.3
p. 259: # 1-3
7.4 A Maplet for Hill Ciphers
Some Suggested Textbook Exercises for Practice for Section 7.4
p. 263: # 1-2
7.5 Cryptanalysis of Hill Ciphers
Having just the ciphertext when trying to cryptanalyze a Hill cipher is considerably more
difficult to break than for a monoalphabetic cipher. The character frequencies are
obscured, as can be seen from the repeating letters in the plaintext message from
Example 21 BE HERE AT SEVENA that was enciphered as WRIXC HRYEI
KLAN. For 2  2 key matrices, since letters are enciphered in two-letter groups, there are
26  26  26 2  676 two-letter blocks possible. Each of these enciphered blocks can be
regarded as a monoalphabetic cipher on a 676 character alphabet. If a large amount of
ciphertext is available, it may be possible to match the most frequently occurring
digraphs in English with the most frequently occurring digraphs in the ciphertext to read
portions of the plaintext. If an adversary suspected that a 2  2 matrix was used, a brute
force approach may cause the adversary to try up to 26 4  456976 different matrices.
However, these methods of attack can be made significantly harder by simply increasing
the size of the key matrix.
However, if the adversary has the ciphertext and a small amount of corresponding
plaintext, then the Hill Cipher is more vulnerable. To demonstrate, suppose the ciphertext
HJGID OZKEJ LPPRA IRBXX DTUWR QYFHA GELFP KPSTF
was produced using a 2  2 key matrix A and it is known that the first four words of the
plaintext is I BEG TO…. The key matrix is used to encipher the plaintext IB as the
ciphertext HJ and the plaintext EG and the ciphertext GI. This says that
25
8 1A mod
26  7 9
and
4
6A mod 26  6 8
Compactly, these two encipherments can be written as the matrix equation
 8 1
7 9 
4 6 A mod 26  6 8




To find the key matrix A, we need to multiply both sides of the equation by the inverse
-1
 8 1
4 6 mod 26 . How its determinant is (8)( 6)  (4)(1)  44 mod 26  18 and


gcd(18, 26)  2  1 . Hence, the inverse does not exist. However, since there is more
known plaintext to work with, we can use the fact that the plaintext TO enciphers as the
ciphertext DO to form with the first pair of letters the equations
8 1A mod
26  7 9
and
19
14A mod 26  3 14 .
Compactly, this can be written as the matrix equation
8 1
7 9 
19 14 A mod 26  3 14




8 1
The matrix 
 is invertible since its determinant is 93 mod 26  15 and
19 14
gcd( 25, 26)  1 . Noting that 151 mod 26  7 , the inverse of the matrix is
-1
 1
8 1
14 25 98 175
20 19
1  14
19 14  ( 15 )  19 8   7  7 8   49 56  mod 26   23 4  .





 



The key matrix A can then be found as follows:
26
-1
-1
8 1 8 1
 8 1  7 9 
19 14 19 14 A  19 14 3 14

 


 

mod 26
20 19 7 9 
IA  

 mod 26
 23 4  3 14
197 446
A 
 mod 26
173 263
15 4
A 

17 3
1 16
The inverse of this key matrix is A1  
 . Using the inverse matrix, it can be
3 5 
shown that the message HJGID OZKEJ LPPRA IRBXX DTUWR QYFHA
GELFP KPSTF deciphers as the plaintext message
I BEG TO DIFFER ON YOUR OPINION ON THIS MATTER SIR
█
Some Suggested Textbook Exercises for Practice for Section 7.5
p. 267: # 1-4
7.6 A Maplet for Cryptanalysis of Hill Ciphers
Some Suggested Textbook Exercises for Practice for Section 7.6
p. 272: # 1-6