would quickly exhaust the space and exceed the search time of even the greatest comput-

ers. For this reason, matrix ciphers (where the size of the block is reasonably large) are still

used today, and are relatively secure for most purposes.

Of course, these matrix cryptosystems are secret key. The enciphering matrix A is the enci-

phering key, and must be given only to authorized users, since anyone in possession of it

can quickly compute the inverse deciphering matrix A

and decipher messages.

Known Plaintext Attack.

You will notice that the matrix ciphers are vulnerable to

a known plaintext attack, for if a cryptanalyst manages to acquire enough plaintext P = p 1 ,

p 2 , . . . , p m corresponding to known ciphertext C = c 1 , c 2 , . . . , c m , she can compute the

inverse A

of the enciphering matrix A , and the shift vector B , by solving the matrix con-

gruence AP + B C (mod n ) for A and B , or equivalently, by solving the corresponding sys-

tem of congruences

a 1,1 p 1 + a 1,2 p 2 + . . . + a 1, m p m + b 1 c 1 (mod n )

a 2,1 p 1 + a 2,2 p 2 + . . . + a 2, m p m + b 2 c 2 (mod n )

...

a m ,1 p 1 + a m ,2 p 2 + . . . + a m , m p m + b m c m (mod n )

using different plaintext to ciphertext mappings.

E XAMPLE .

Suppose a cryptanalyst knows we are using a matrix cipher of block length 2, with

the ordinary alphabet. She has some ciphertext,

BT GT HM

and its corresponding plaintext

AT TA CK.

The job of the cryptanalyst is to get what she doesn't know, namely A and B . Suppose

she denotes the enciphering matrix A as

ab

cd

and the shift vector B as

s

t

The first mapping takes the pair AT to BT , or

0 a + 19 b + s 1 (mod 26)

0 c + 19 d + t 19 (mod 26)