1

Variable-length Hill Cipher with MDS Key Matrix

Kondwani Magamba †, Solomon Kadaleka †† and Ansley Kasambara ††
magambakho@yahoo.co.uk skadaleka@poly.ac.mw akasambara@poly.ac.mw
†
Department of Mathematics, Catholic University of Malawi, Montfort Campus, Malawi
††
Department of Mathematics and Statistics, Polytechnic College, University of Malawi, Blantyre, Malawi
mostly used is: A = 0, B = 1, . . . , Z = 25. Additionally, an
Summary 𝑚 × 𝑚 matrix 𝐾 with entries from ℤ𝑛 is chosen as the
The Hill Cipher is a classical symmetric cipher which breaks secret key. The encryption and decryption is then given as;
plaintext into blocks of size 𝑚 and then multiplies each block by
an 𝑚 × 𝑚 key matrix to yield ciphertext. However, it is well 𝐶 = 𝐾𝑃 mod 𝑛 𝑃 = 𝐾𝐶 mod 𝑛 (1)
known that the Hill cipher succumbs to cryptanalysis relatively
easily. As a result, there have been efforts to strengthen the
where 𝐶 is the ciphertext. For encryption to be possible 𝑃
cipher through the use of various techniques e.g. permuting rows
and columns of the key matrix to encrypt each plaintext vector is divided into substrings of length 𝑚. If 𝑙, the length of
with a new key matrix. In this paper, we strengthen the security the plaintext, is not divisible by 𝑚 then the plaintext block
of the Hill cipher against a known-plaintext attack by encrypting must be padded with extra characters. Another
each plaintext matrix by a variable-length key matrix obtained complication arises when 𝐾 is not invertible. A necessary
from a Maximum Distance Separable (MDS) master key matrix. and sufficient condition for a matrix 𝐾 over ℤ𝑛 to be
Key words: invertible is that the determinant of 𝐾 be non-zero and co-
Hill cipher, Cryptanalysis, MDS codes prime to 𝑛. See [7] for the size of the keyspace of a Hill
cipher.
1. Introduction
3. Literature Review
The Hill cipher is a classical symmetric cipher based on
matrix transformation. It has several advantages including Several research works have been done with an aim to
its resistance to frequency analysis and simplicity due to improve the security of Hill cipher. For example, a method
the fact that it uses matrix multiplication and inversion for HCM-PT found in [5] tries to make Hill cipher secure by
encryption and decryption. However, it succumbs to the using dynamic key matrix 𝐾𝑡 obtained by random
known-plaintext attack [4] and as such there have been permutations 𝑀𝑡 of columns and rows of the master key
efforts to strengthen the cipher through the use of matrix and transfers an encrypted plaintext and encrypted
various techniques which have improved the security of permutation vector 𝑢 = 𝐾𝑡 to the receiving side. The
the cipher quite significantly [1],[2],[3]. Unlike the number of dynamic keys generated is 𝑚! where 𝑚 refers
original Hill cipher the proposed modifications of the Hill to the size of the key matrix.
cipher have practical applications including image
encryption see for example [6]. HCM-PT Encryption
The method employed in this paper aims at generating
𝐾𝑡 = 𝑀𝑡 𝐾𝑀𝑡−1
dynamic variable-length key matrices from a given shared
MDS master key matrix. With the generated matrices, 𝐶 = 𝐾𝑡 𝑃
each plaintext matrix is encrypted using a different key 𝑢 = 𝐾𝑡
matrix and this renders the ciphertext immune to a known-
plaintext attack. Even though this method thwarts the known-plaintext
The rest of the paper is divided as follows; in Section 2 the attack on the plaintext, it is vulnerable to known-plaintext
basic concept of a Hill cipher is outlined, a literature attack on the permutation vector. This prompted [11] to
review is in Section 3, Sections 4 and 5 present a modify HCM-PT.
discussion on MDS matrices and in Section 6 the proposed
algorithm is described. The modification to HCM-PT called SHC-M found in [11]
works the same way as HCM-PT but does not transfer the
permutation vector, instead both the sender and the
receiver use a pseudo-random permutation generator,
2. Hill Cipher 𝑡 = 𝑃𝑅𝑃𝐺 𝑠𝑒𝑒𝑑, 𝑛 and only the number of the necessary
permutation is transferred to the receiver. The number of
Let us consider a plaintext string 𝑃 of length 𝑙 defined over dynamic keys is the same as HCM-PT.
an alphabet of order 𝑛. Each letter is mapped to an element
of ℤ𝑛 . Often 𝑛 = 26 is used and the correspondence
 2

SHC-M Encryption 6. Variable-Length Hill Cipher

1. Sender, S, selects a number, 𝑛
2. calculates 𝑡 = 𝑃𝑅𝑃𝐺 𝑠𝑒𝑒𝑑, 𝑛 As pointed out earlier SHC-M has a dynamic key space
3. S → R: C, 𝑛 xor 𝑆𝐸𝐸𝐷 (NDK) of 𝑚! but in this section we show that by requiring
4. Proceed as in HCM − PT that the key matrix be MDS we increase the key space of
SHC-M. We also develop a way of encrypting variable-
Another modification to the Hill cipher is found in [6] length plaintext blocks.
which tries to improve the security of Hill cipher by using
a one-time-one key matrix to encrypt each plaintext block. 6.1 Enlarging the Key space
This unique key is computed by multiplying the current
key with a secret Initial Vector (IV). However, [10] shows We will work as follows; suppose the secret shared MDS
that the method is prone to a known-plain text attack. matrix 𝐾 is of size 𝑚 × 𝑚 where 𝑚 ≥ 3. The cases
The method presented here works the same way as 𝑚 = 1, 2 are trivial. Then for each of the 𝑚! permutations
SHC-M but our method requires that the master key matrix of the columns of 𝐾we can form 𝑗 × 𝑗 invertible
be MDS. With an MDS master key, the key space is bigger submatrices where 𝑗 ∈ 2. . 𝑚 . Each of these matrices can
than that of SHC-M and our method can be used to encrypt be used for encryption in our method. This can be done by
plaintext blocks of variable length. As far as we know this choosing columns of a required length from any of the
is the first instance of a variable length Hill cipher. permutations.
Alternatively, we can start by choosing 𝑗 columns from a
total of 𝑚 columns. We then form 𝑗 × 𝑗 invertible
4. MDS Matrices
submatrices from the 𝑚𝑗 columns. Each possible
Let 𝐶 be a linear code of length 𝑛, dimension 𝑘, and submatrix is then permuted to give 𝑗! permuted
distance 𝑑 with parameters 𝑛, 𝑘, 𝑑 . A generator matrix 𝐺 submatrices. We do this for all possible matrix lengths
for a linear 𝐶 is a 𝑘 × 𝑛 matrix whose rows form a basis 𝑗 ∈ 2. . 𝑚 . It is not difficult to see that the total number of
for 𝐶. Linear codes obey the Singleton bound, dynamic matrices (NDK) is;
𝑑 ≤ 𝑛 − 𝑘 + 1. If a linear code meets the Singleton bound, 𝑚 𝑚 2
𝑑 = 𝑛 − 𝑘 + 1, then it is called a Maximum Distance NDK = 𝑗!
𝑗 =2 𝑗
Separable code or MDS code. Also, an 𝑛, 𝑘, 𝑑 -error Obviously, this number gets bigger as 𝑚 increases. AS fra
correcting code with generator matrix 𝐺 = 𝐼𝑘 ×𝑘 |𝐴 where as we know, the number of dynamic keys found here is the
𝐼𝑘×𝑘 is the 𝑘 × 𝑘 identity matrix, and 𝐴 is a 𝑘 × 𝑛 − 𝑘 best of all the known modifications of the Hill cipher. The
matrix, is MDS if and only if every square submatrix of 𝐴 best thing with this method is that it applies to any Hill
is nonsingular [8]. In most applications e.g. [12] the code cipher modification which proposes dynamic matrix keys.
𝐶 is taken as a linear code with parameters
[2𝑘, 𝑘, 𝑘 + 1]and generator matrix 𝐺 = 𝐼𝑘 ×𝑘 |𝐴𝑘×𝑘 . We illustrate the method with an example. Let
When we take a generator matrix of a linear MDS code
with parameters [2𝑘, 𝑘, 𝑘 + 1] as 𝐺 = 𝐼𝑘 ×𝑘 |𝐴𝑘×𝑘 , the 𝑘11 𝑘12 𝑘13
𝑘 × 𝑘 matrix 𝐴 is the matrix we call MDS matrix. MDS 𝐾 = 𝑘21 𝑘22 𝑘23
matrices are an important building block adopted by 𝑘31 𝑘32 𝑘33
different block ciphers as they guarantee fast and effective
diffusion in a small number of rounds. See for example be a 3 × 3 MDS secret key matrix. Then applying the
[12]. In this paper MDS matrices are used as key matrices formula above we have 18 matrices of order 2 × 2 and 6
for a Hill cipher. This modification increases the key space
matrices of order 3 × 3 giving a total of 24dynamic
of SHC-M because in an MDS matrix every square
matrices. We now show how to generate all the 24
submatrix is non-singular which is the requirement for a
matrices.
key matrix of a Hill cipher.
We begin by choosing 2 columns from 𝐾. We get the
5. Generating MDS Matrices following matrices,
𝑘11 𝑘12
,
𝑘11 𝑘13
and
𝑘12 𝑘13
.
𝑘21 𝑘22 𝑘21 𝑘23 𝑘22 𝑘23
𝑘31 𝑘32 𝑘31 𝑘33 𝑘32 𝑘33
There are different methods of generating MDS matrices From these matrices we form 2 × 2 matrices e.g from
e.g. using Cauchy and Hadamard matrices. MDS matrices
𝑘11 𝑘12 𝑘11 𝑘12 𝑘11 𝑘12 𝑘21 𝑘22
can also be generated exhaustively but probably the most 𝑘21 𝑘22 we get , and and
𝑘21 𝑘22 𝑘31 𝑘32 𝑘31 𝑘32
popular method is to use Reed Solomon Codes. 𝑘31 𝑘32
column-permuted versions of these matrices. Continuing
 3

in the same fashion and considering the 6 permutations of Calculate 𝑀𝑡 ; Calculate 𝐾𝑡 = 𝑀𝑡 𝐾𝑀𝑡−1
𝐾 we get all 24 dynamic matrices. Get 𝑚 from control key
It can be seen that the key space of SHC-M is now Obtain 𝐾𝑚 from 𝐾𝑡
𝑚 𝑚
2 Decrypt using 𝑃𝑚 = 𝐾𝑚−1 𝐶𝑚
𝑗=2 𝑗! which is a significant increase from 𝑚!. This
𝑗 end
number doubles when we permute the dynamic matrices in
a row wise manner. The key space can also be increased From the encryption algorithm one easily sees that the
by using 𝑗 × 𝑗 matrices to form 2𝑗 × 2𝑗 matrices for sender and receiver need to find a way of obtaining a
encryption. For example, if we have the 4 𝑗 × 𝑗 matrices length 𝑚 encryption matrix 𝐾𝑚 from 𝐾𝑡 . One way could
𝐾1 , 𝐾2 , 𝐾3 and 𝐾4 we may, 𝑤𝑙𝑜𝑔, form a new matrix; be to take matrices in a left-right then top-bottom manner.
𝐾1 𝐾2 It is worth noting that there are different ways of choosing
𝐾∗ = variable-length matrices from 𝐾𝑡 and this strengthens the
𝐾3 𝐾4
proposed algorithm even more.
6.2. Encryption and Decryption

Encryption is the same as SHC-M but we require that we 7. Security Analysis

choose a control key (preferably binary) to govern
The main limitation with Hill Cipher is that it is prone to
encryption, see [13]. This key determines the length of
a known plaintext attack, that is, if an attacker has 𝑚
block to encrypt i.e. when to encrypt a 2 × 2 block, a
distinct plaintext and ciphertext pairs then they can
3 × 3 block and so on. To avoid having too many secret
retrieve the key by solving 𝐾 = 𝑃−1 𝐶 or 𝐾 = 𝐶𝑃 −1
keys we can use the seed as the control key but a problem
depending on the encryption equation used [6]. If 𝑃 is not
may arise when we have to expand the seed due to a long
invertible, then other sets of 𝑚 plaintext-ciphertext pairs
plaintext. Once we have the binary control key we set up a
have to be tried. By encrypting variable-length blocks of
correspondence between binary strings and block lengths.
plaintext the proposed method is safe from known
For example, if 𝑚 = 4 then the possible lengths of
plaintext attacks. Also the proposed method inherits
subkeys are 2, 3 and 4 therefore we can have the following
immunity from a cipher-text only attack from the original
set up;
Hill cipher. The proposed method does not, however,
01 → 2, 10 → 3 and 11 → 4.
introduce sufficient confusion and diffusion to be ranked
among the best and efficient symmetric key
This means we read the control key two bits at a time and
cryptosystems. It is worth pointing out that the proposed
encrypt block lengths accordingly. It is therefore very
algorithm relies on many matrix transformations and this
important that the control key be random to prevent
slows down the algorithm.
attacks. We now give a full description of the proposed
method:
Algorithm 1: Encryption 8. Conclusion
Data: Plaintext P, K, SEED, Control Key
Result: Cipher Text, C We have presented a variable-length Hill cipher which is a
begin modification of the original Hill cipher. It is also based on
𝑟 ← block number SHC-M which is itself also a modification of the Hill
𝑡 = PRPG(SEED, 𝑟) ← a permutation order cipher. Our method strengthens the Hill cipher against
𝑀𝑡 ← a permutation from 𝑡 known-plaintext and ciphertext only attacks. The former is
𝐾𝑡 = 𝑀𝑡 𝐾𝑀𝑡−1 ← encryption matrix due to the use of dynamically changing key matrices. Our
Determine block length 𝑚 from control key method is better than the methods found in the review in
Obtain a length 𝑚 encryption matrix 𝐾𝑚 from 𝐾𝑡 that it has a larger key space. On the downside our method
Get plaintext of length 𝑚, 𝑃𝑚 , from P is not efficient due to the use of many matrix operations.
Encrypt using 𝐶 = 𝐾𝑚 𝑃𝑚
Send C, r xor SEED
end

Algorithm 2: Decryption
Data: Ciphertext C, K, SEED, Control Key
Result: Plaintext, P
begin
Calculate 𝑡 from SEED and 𝑟
 4

References
[1] V. U. K. Sastry, D. S. R. Murthy, S. Durga Bhavani, “A
Block Cipher Involving a Key Applied on Both the Sides of
the Plain Text,” International Journal of Computer and
Network Security (IJCNS), Vol. 1, No. 1, pp. 27 -30, Oct.
2009.
[2] V. U. K. Sastry, V. Janaki, “A Modified Hill Cipher with
Multiple Keys”, International Journal of
Computational Science, Vol. 2, No. 6, 815-826, Dec. 2008.
[3] Bhibhudendra Acharya, Girija Sankar Rath, and Sarat
Kumar Patra, “Novel Modified Hill Cipher Algorithm,”
Proceedings of ICTAETS, pp. 126-130, 2008
[4] D.R. Stinson, “Cryptography Theory and Practice,” 3rd
edition, Chapman and Hall/CRC, pp.13-37, 2006.
[5] Shahrokh Saeednia, “How to Make Hill cipher Secure,”
Cryp- tologia 24:4, pp. 353-360, Oct 2000.
[6] Ismail I A, Amin Mohammed, Diab Hossam, “How to
Repair the Hill Cipher,” Journal of Zhejiang University
Science, 7(12), pp. 2022-2030, 2006.
[7] Overbey, J., Traves, W., and Wojdylo, J., “On the keyspace
of the Hill cipher,” Cryptologia, 29(l), pp. 59-72, 2005.
[8] F. J. McWilliams and N. J. A. Sloane, “The Theory of Error
Correcting Codes,” Amsterdam, The Netherlands, North
Holland, 1977.
[9] Sriram Ramanujam and Marimuthu Karuppiah, “Designing
an algorithm with high Avalanche Effect,” IJCSNS
International Journal of Computer Science and Network
Security, VOL.11, No.1, 106-111 January 2011.
[10] Romero, Y. R. Garcia, R. V. et al., “Comments on How to
Repair the Hill Cipher,” J. Zhejiang Univ. Sci. A 9(2): pp.
211-214, 2008.
[11] Chefranov, A. G., “Secure Hill Cipher Modification,”
Proc. Of the First International Conference on Security of
Information and Network (SIN2007) 7-10 May 2007,
Gazimagusa (TRNC) North Cyprus, Elci, A., Ors, B., and
Preneel, B (Eds) Trafford Publishing, Canada, 2008: pp 34-
37, 2007.
[12] Daemen, J., Rijmen, V.,The Design of Rijndael: “AES –
The Advanced Encryption Standard.” Springer, 2002.
[13] Monem, A.M., Rahma1 and Yacob, B.Z.,”The Dynamic
Dual Key Encryption Algorithm Based on joint Galois
Fields,” IJCSNS International Journal of Computer Science
and Network Security, VOL.11, No.8, August 2011.