San Diego State University logo

Affine Ciphers

Another simple scheme

We need another way of transforming plain text into cipher text.

    Plain Text a b c d e f g h i j k l m n o p q r s t u v w x y z
    Cipher Text d g j m p s v y b e h k n q t w z c f i l o r u x a

Notice this cipher can't be explained by a shift.

    Plain Cipher Shift
    a=0 d=3 3
    b=1 g=6 5
    c=2 j=9 7
    d=3 m=12 9
Notice that there is no consistent value for shift. The shift values are 3, 5, 7, 9. Thus this cannot be a shift cipher.

Notice too that as we increase the plain text by 1, we always increase the corresponding cipher text by 3.

This is consistent with what's called a "linear mapping". But before addrtessing that, let's continue to see if the pattern holds up.

    Plain Cipher Shift
    e=4 p=15 11
    f=5 s=18 13
    g=6 v=21 15
    h=7 y=24 17
    i=8 b=1 -7
And everything is continuing along swimmingly until we get to i (=8). What we expect is a cipher text of 27 and a shift of 19.

But wait what would a cipher text of 27 mean? Once again we need to do modular arithmetic. The output of a cipher must be a character in the alphabet we've chosen (or how will we decode it?). And 

27 mod 26 = 1
So in fact we DID get the cipher text we were expecting (in modulus 26). But what about the shift of 19 we were expecting. What does -7 have to with that?

The answer is that -7 and 19 are congruent modulo 26 in just the way 1 and 27 are. More modular arithmetic here.

So this encoding schme is consistent with a linear mapping. Next: What's a linear mapping.

Linear
Mapping

A linear mapping used for an encoding would look like this: 

cipher = (m * plain) + b
Here m and b are two integers. These would be the encoding key exactly the way the shift value is the encoding key for a shift cipher. What we have just discovered is that everything has to be done as a mod 26 calculation. So let's write this more carefully. 
cipher = [(m * plain) + b] mod  26

Let's see if given the assumption that our previous encoding scheme was an affine cipher (that it fit this formula), we can figure out what m and b are.

Recall that every time the plain text went up by 1, the cipher text went up by 3. This suggests we are multiplying by 3. Plugging this in we get: 

cipher = [(3 * plain) + b] mod  26
So we have a guess for half our key. To get other half, we plug in an example encoding, say , "a=0" which encode as "d=3": 
3 = [(3 * 0) + b] mod 26
3 = b mod 26
So now we have a guess for our key: (m=3,b=3) or just (3,3). We need to check this.

But so far we've only defined addition mod 26. We need to define multiplication as well. We do so in a completely parallel way. The two definitions: 

a +n b =  (a + b) mod  n
a ×n b =  (a × b) mod  n

Now we check whether the key (3,3) produces the encoding we started with:

    Plain Text a b c d e f g h i j k l m n o p q r s t u v w x y z
    Encoding 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0
    Plain X 3 mod 26 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23
    (Plain X 3) + 3 mod 26 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0
Criteria
for
Coding
Schemes

To be defined: One to oneness.

Notice that there was something a little magical about the fact that our affine cipher encryption scheme worked, namely that we picked an arbitrary mapping to change our 26 codes into something else, and there were never any collisions. No two plain codes were ever mapped to the same cipher codes. A mapping that maps every member of it input set to a distinct member of its output set is called one-to-one.

It's a general requirement on encryption schemes that they be one-to-one mappings. This can best be illustrated with a failure.

Consider the following affine encryption scheme with the key (2,5):

    Plain Text a b c d e f g h i j k l m n o p q r s t u v w x y z
    Encoding 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    Plain X 2 mod 26 0 2 4 6 8 10 12 14 16 18 20 22 24 0 2 4 6 8 10 12 14 16 18 20 22 24
    (Plain X 2) + 5 mod 26 5 7 9 11 13 15 17 19 21 23 25 1 3 5 7 9 11 13 15 17 19 21 23 25 1 3
    Cipher f h j l n p r t v x z b d f h j l n p r t v x z b d

The following cipher text characters have more than one plain text character as their possible source: 

b <= y l
d <= z m
f <= n a
h <= o b
j <= p c
l <= q d
n <= r e
p <= s f
r <= t g
t <= u h
v <= v i
x <= w j
z <= x k

In fact only thirteen characters can show up in a cipher text, and each of them is ambiguous as to its source. So the problem is, for example, that when we see "r" in in the cipher text, we don't know whether it corresponds to "t" or "g" in the plain text. As a result we can't tell the difference between dogs and dots: 

dog =>  lhr
dot =>  lhr
Relative
primality

Our first affine code worked. Our second didnt.

What was the difference?

Well the key difference was that in one case we were multiplying by 3 and in the other by 13. There is a significant difference between the multiplication tables of 3 and 13 mod 26:

    Multiplication table for 3 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    3 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23
Notice that this table has 26 results and each result is different. Multiplying by 3 works us through all 26 possible results, with no duplicates.

Contrast multiplication by 2:

    Multiplication table for 2 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    2 0 2 4 6 8 10 12 14 16 18 20 22 24 0 2 4 6 8 10 12 14 16 18 20 22 24
All the results are distinct up through 12, but from 13 on they begin to repeat earlier results.

Multiplication by 13 also produces repeats:

    Multiplication table for 13 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13 0 13
Notice the pattern of repetition is more extreme. There are only two possible results.

The general phenomenon here is that modular multiplication will only produce a non repeating multiplication table for multipliers that are relatively prime to the modulus.

Relative Primes
Two numbers are relative primes when the only number that divides both of them evenly is 1.
Illustration

Here we look at all the numbers less than 26 that are NOT relatively prime to 26 and show their multiplication tables all have repeats.

26 has only two factors 2 and 13, so those are the only factors we need to worry about. 13 has no multiples less than 26, so that leaves 2. Any multiple of 2 will fail to be relatively prime to 26. So the complete list of numbers less than 26 that are NOT relatively prime to 26 is: 

2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, 24, 26
All of these should have repeats in their multiplication tables: Let's look at 2, which we did before, alongside of 6: Take 6:
    Multiplication table for 2 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    2 0 2 4 6 8 10 12 14 16 18 20 22 24 0 2 4 6 8 10 12 14 16 18 20 22 24
    Multiplication table for 6 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    6 0 6 12 18 24 4 10 16 22 2 8 14 20 0 6 12 18 24 4 10 16 22 2 8 14 20

Notice that in bto cases, the repetition starts at 13. Why? The key observation is this: 

6 = 2 * 3
26 = 2 * 13
Therefore 
6 * 13 = 2 * 3 * 13 = 26 * 13
So 6 * 13 gives a perfect multiple of 26, which means the result of the multiplication is congruent to 0 mod 26 (remainder when dividing by 26 = 0), which means from that point on the multiplication table repeats.
Significance
of Relative
Primality:

More generally if a number k is NOT relatively prime to the modulus n, and if the common factor is p, then for some r and s, we have: 

k = r * p
n = s * p
And therefore, k * s will be a multiple of n: 
k * s = r * p * s = r * (s * p) = r * n
So there will be a second number less than n, besides 0, whose product with k is 0. Therefore there must be repeats in the multiplication table.

This explains why the multiplication table for 13 has a short period between repeats. s is 2. So 13 * 2 is 0 and the repeats begin almost immediately.

So this shows that lack of relative primality guarantees repeats. We havent shown that relative primality guarantees lack of repeats, That is true too, but takes a little more work.

Inverses:
Decryption
keys for
affine
ciphers

A concept that will be important later on the in the course is the concept of an inverse in modular multiplication. The inverse of a number K is the number that multiplied times K gives 1.

There are inverses in ordinary arithmetic. But 1 is the only integer whose inverse is also an integer. For example the inverse of 5 is .2.

In modular arithmetic many integers can have integer inverses. In fact any relative prime of the modulus HAS to have an inverse.

This is easy to see given what we know: Consider again the table for 3 mod 26. 3 is relatively prime to 26 so there are no repeats.

    Multiplication table for 3 modulus 26
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
    3 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23
26 distinct results less than 26 must be produced, so one of them must be 1. We see by inspecting the table that the inverse of 3 mod 26 is 9: 
3 * 9 = 27
27 mod 26 = 1

Thus the slope of a valid affine cipher is guaranteed to have an inverse. This fact is very convenient when determining our decryption key. The encoding equation is: 

cipher = (m * plain) + b
By definition, the inverse of m times m is 1. So calling that inverse m-1:
    m-1 * cipher = m-1((m * plain) + b)
      = (m-1 * m * plain) + (m-1 * b)
      = (1 * plain) + (m-1 * b)
      = plain + (m-1 * b)
    plain = (m-1 * cipher) - (m-1 * b)
So if (m,b) is the encryption key, then (m-1, - (m-1 * b)) is the decryption key. Once again, the same program that does encryption can do decryption.

Consider the valid affine key (3,3): 

m = 3
m-1 = 9
So the slope of the decryption key is 9. The shift is: 
-(9 * 3) mod 26 = -27 mod 26 = 25
We can check that -27 and 25 really ARE congruent by verifying that the difference between them is a perfect multiple of 26: 
(-27) - 25 = - 52
It is! So the decryption key is (9, 25). We can run the same program for encryption and decryption using the encryption and decryption keys respectively: 
>>> affine_encrypt('attack at dawn', 3, 3)
'diidjh di mdrq'

>>> affine_encrypt('diidjh di mdrq', 9, 25)
'attack at dawn'

More on inverses.

Summarizing affine ciphers

An affine cipher is computed by modular multiplication and addition on encoded characters as follows: 

cipher = (m * plain) + b mod 26
We call m the slope and b the shift. The pair (m,b) is the encryption key.

The slope of an affine cipher must be relatively prime to 26, or the code will not be 1-to-1.

Another way of saying the same thing is that the slope of an affine cipher must have an inverse mod 26.

This observation leads to decryption keys for affine ciphers. If the encryption key is (m,b), the decryption key is: 

(m-1, - (m-1  * b))
where m-1 is the inverse of m mod 26.

We will return to inverses later in the course.