The shift ciphers may be generalized and slightly strengthened as follows. Choose two integers and , with , and consider the function (called an affine function)
For example, let and , so we are working with . Take a plaintext letter such as . It is encrypted to , which is the letter . Using the same function, we obtain
How do we decrypt? If we were working with rational numbers rather than mod 26, we would start with and solve: . But needs to be reinterpreted when we work mod 26. Since , there is a multiplicative inverse for (if this last sentence doesn’t make sense to you, read Section 3.3 now). In fact, , so 3 is the desired inverse and can be used in place of . We therefore have
Let’s try this. The letter is mapped to , which is the letter . Similarly, we see that the ciphertext is decrypted back to affine. For more examples, see Examples 2 and 3 in the Computer Appendices.
Suppose we try to use the function as our encryption function. We obtain
If we alter the input, we obtain
Clearly this function leads to errors. It is impossible to decrypt, since several plaintexts yield the same ciphertext. In particular, we note that encryption must be one-to-one, and this fails in the present case.
What goes wrong in this example? If we solve , we obtain . But does not exist mod 26 since . More generally, it can be shown that is a one-to-one function mod 26 if and only if . In this case, decryption uses , where . So decryption is also accomplished by an affine function.
The key for this encryption method is the pair . There are 12 possible choices for with and there are 26 choices for (since we are working mod 26, we only need to consider and between 0 and 25). Therefore, there are choices for the key.
Let’s look at the possible attacks.
Ciphertext only: An exhaustive search through all 312 keys would take longer than the corresponding search in the case of the shift cipher; however, it would be very easy to do on a computer. When all possibilities for the key are tried, a fairly short ciphertext, say around 20 characters, will probably correspond to only one meaningful plaintext, thus allowing the determination of the key. It would also be possible to use frequency counts, though this would require much longer texts.
Known plaintext: With a little luck, knowing two letters of the plaintext and the corresponding letters of the ciphertext suffices to find the key. In any case, the number of possibilities for the key is greatly reduced and a few more letters should yield the key.
For example, suppose the plaintext starts with if and the corresponding ciphertext is . In numbers, this means that 8 maps to 15 and 5 maps to 16. Therefore, we have the equations
Subtracting yields , which has the unique solution . Using the first equation, we find , which yields .
Suppose instead that the plaintext go corresponds to the ciphertext . We obtain the equations
Subtracting yields . Since , this has two solutions: . The corresponding values of are both 15 (this is not a coincidence; it will always happen this way when the coefficients of in the equations are even). So we have two candidates for the key: and . However, so the second is ruled out. Therefore, the key is .
The preceding procedure works unless the gcd we get is 13 (or 26). In this case, use another letter of the message, if available.
If we know only one letter of plaintext, we still get a relation between and . For example, if we only know that in plaintext corresponds to in ciphertext, then we have . There are 12 possibilities for and each gives one corresponding . Therefore, an exhaustive search through the 12 keys should yield the correct key.
Chosen plaintext: Choose as the plaintext. The first character of the ciphertext will be , and the second will be . Therefore, we can find the key.
Chosen ciphertext: Choose as the ciphertext. This yields the decryption function of the form . We could solve for and obtain the encryption key. But why bother? We have the decryption function, which is what we want.