Journal of the Chinese Institute of Engineers
Comments on Saeednia's improved scheme for the Hill cipher
Chu-Hsing Lin (a), Chia-Yin Lee (b) and Chen-Yu Lee (c)
(a) Department of Computer Science and Information Engineering, Tunghai University, Taichung, Taiwan 407, R.O.C. Phone: 886-4-23590121 ext. 3287, Fax: 886-4-23590121 ext. 3287
(b) Department of Computer Science and Information Engineering, Tunghai University, Taichung, Taiwan 407, R.O.C.
(c) Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
Published online: 04 Mar 2011.
To cite this article: Chu-Hsing Lin, Chia-Yin Lee & Chen-Yu Lee (2004) Comments on Saeednia's improved scheme for the Hill cipher, Journal of the Chinese Institute of Engineers, 27:5, 743-746, DOI: 10.1080/02533839.2004.9670922
To link to this article: http://dx.doi.org/10.1080/02533839.2004.9670922
Short Paper
COMMENTS ON SAEEDNIA'S IMPROVED SCHEME FOR THE HILL CIPHER
Chu-Hsing Lin*, Chia-Yin Lee, and Chen-Yu Lee
ABSTRACT
In 2000, Saeednia proposed a new scheme to make the Hill cipher secure. The author makes use of permutations of the columns and rows of a matrix to get a different key for encrypting each message. This paper shows that the cipher key $H_t$ can be obtained from the parameter $u$. Besides, Saeednia's scheme costs a lot of time in matrix computation. To overcome the drawbacks of Saeednia's scheme, a more secure cryptosystem with a one-way hash function is proposed.
Key Words: Hill cipher, known-plaintext attack, cryptosystem, one-way hash function.
*Corresponding author. (Tel: 886-4-23590121 ext. 3287; Fax: 886-4-23591567; Email: chlin@mail.thu.edu.tw)
C. H. Lin and C. Y. Lee are with the Department of Computer Science and Information Engineering, Tunghai University, Taichung, Taiwan 407, R.O.C.
C. Y. Lee is with the Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
I. INTRODUCTION
The Hill cipher is a famous symmetric cryptosystem from the early days, invented by Lester S. Hill (1929; 1931). The cryptosystem is a simple linear transformation $XH \pmod p$, where the key is an $m \times m$ nonsingular matrix $H$ with $h_{ij} \in Z_p$ for a fixed $p > 1$ such that $\gcd(\det H \pmod p,\ p) = 1$, $X$ is a $1 \times m$ plaintext message, and $p$ is a selected positive integer. The plaintext $X$ is encrypted as $Y = XH \pmod p$, and the ciphertext $Y$ is decrypted as $X = YH^{-1} \pmod p$.
The following example shows how the Hill cipher works. Let $p = 7$, the plaintext message $X = [3\ 5]$, and the cipher key
$$H = \begin{bmatrix} 4 & 4 \\ 6 & 3 \end{bmatrix}, \qquad H^{-1} = \begin{bmatrix} 5 & 5 \\ 4 & 2 \end{bmatrix}.$$
The ciphertext is $Y = XH \pmod p = [0\ 6]$, and the plaintext message can be decrypted by $X = YH^{-1} \pmod p = [3\ 5]$.
The weakness of the Hill cipher is that the cryptosystem can be broken under the known-plaintext attack (Denning, 1982; Evertse, 1987; Yeh et al., 1991). If an analyzer knows only $m$ pairs of plaintext-ciphertext, the cipher key $H$ can be determined by solving the equation $H = X^{-1} Y$. For example, assume the key $H = \begin{bmatrix} 4 & 4 \\ 6 & 3 \end{bmatrix}$ and let $p = 26$. If we have two pairs of plaintext-ciphertext, $X_1 = [2\ 9]$, $Y_1 = [10\ 9]$ and $X_2 = [3\ 5]$, $Y_2 = [16\ 1]$, then we can compute the cipher key $H$ by
$$\begin{bmatrix} X_1 \\ X_2 \end{bmatrix}^{-1} \begin{bmatrix} Y_1 \\ Y_2 \end{bmatrix} \pmod p = \begin{bmatrix} 15 & 25 \\ 17 & 6 \end{bmatrix} \begin{bmatrix} 10 & 9 \\ 16 & 1 \end{bmatrix} \pmod{26} = \begin{bmatrix} 4 & 4 \\ 6 & 3 \end{bmatrix}.$$
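The Hill cipher and the key recovery just computed, as an added example (Python, not part of the paper): a general Gauss-Jordan inverse modulo $p$ drives both decryption and the recovery $H = X^{-1}Y$, reproducing the $p = 7$ and $p = 26$ numbers above.

```python
# Added example (not from the paper): Hill cipher over Z_p with the paper's own
# numbers, plus the known-plaintext key recovery H = X^-1 Y from m pairs.
from math import gcd

def mat_inv_mod(M, p):
    """Inverse of a square matrix modulo p by Gauss-Jordan elimination.

    Pivots must be units mod p; for prime p any nonzero pivot works. For a
    composite modulus such as 26 a unit pivot is searched for in each column.
    """
    n = len(M)
    A = [[x % p for x in row] + [int(i == j) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if gcd(A[r][c], p) == 1), None)
        if piv is None:
            raise ValueError("no unit pivot in column %d: not invertible mod p" % c)
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, p)
        A[c] = [x * inv % p for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                factor = A[r][c]
                A[r] = [(x - factor * y) % p for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def mat_mul_mod(A, B, p):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*B)] for row in A]

def hill_encrypt(X, H, p):
    """Y = X H (mod p) with X a 1 x m row vector."""
    return mat_mul_mod([X], H, p)[0]

def hill_decrypt(Y, H, p):
    """X = Y H^-1 (mod p)."""
    return mat_mul_mod([Y], mat_inv_mod(H, p), p)[0]

def recover_key(plaintexts, ciphertexts, p):
    """Known-plaintext recovery of Section I: stack m plaintext rows into X and
    the matching ciphertext rows into Y; if X is invertible, H = X^-1 Y."""
    return mat_mul_mod(mat_inv_mod(plaintexts, p), ciphertexts, p)

if __name__ == "__main__":
    H = [[4, 4], [6, 3]]
    print(hill_encrypt([3, 5], H, 7))                              # [0, 6]
    print(hill_decrypt([0, 6], H, 7))                              # [3, 5]
    # p = 26: the two known pairs of the paper determine H
    print(recover_key([[2, 9], [3, 5]], [[10, 9], [16, 1]], 26))   # [[4, 4], [6, 3]]
```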
To overcome the weakness, Saeednia (2000) proposed a method which uses random permutations of the columns and rows of the key matrix. But matrix multiplications are used many times in this method, and they cost a lot of time when the size of the matrix is large.
744 Journal of the Chinese Institute of Engineers, Vol. 27, No. 5 (2004)
We propose a new scheme that uses a one-way hash function to solve existing problems in Saeednia’s scheme.
II. SAEEDNIA’S SCHEME
When Alice and Bob want to communicate securely, they first share an $m \times m$ nonsingular matrix $H$ as the cipher key, with $h_{ij} \in Z_p$ for a fixed $p > 1$ and such that $\gcd(\det H \pmod p,\ p) = 1$.
If Alice wants to encrypt a plaintext message $X$, she chooses a vector $t$ ($t_i \in Z_p$) at random and, using a predetermined permutation algorithm, performs simultaneous permutations of the rows and columns of $H$ according to $t$ to produce the new key $H_t$ (which may be seen as $H_t = P_t^{-1} H P_t$, where $P_t$ is the $m \times m$ permutation matrix associated to $t$). She uses the key $H_t$ to encrypt the message $X$ as
$$Y = H_t X \pmod p,$$
computes the parameter $u$ by
$$u = H t \pmod p,$$
and sends the pair $(Y, u)$ to Bob.
In order to decrypt the ciphertext, Bob first computes the permutation vector $t$ by $t = H^{-1} u \pmod p$, and uses $t$ to obtain $(H^{-1})_t$ from $H^{-1}$. Then he can recover the plaintext message $X$ by computing
$$X = (H^{-1})_t Y \pmod p.$$
It is easy to see that $(H^{-1})_t = (H_t)^{-1}$, because $(H_t)^{-1}$ exists. Here we note that since $H_t = P_t^{-1} H P_t$, we have
$$(H_t)^{-1} = (P_t^{-1} H P_t)^{-1} = P_t^{-1} H^{-1} P_t \tag{1}$$
and, on the other hand,
$$(H^{-1})_t = P_t^{-1} H^{-1} P_t. \tag{2}$$
From (1) and (2), we can see that $(H_t)^{-1} = (H^{-1})_t$.
III. TWO COMMENTS ON SAEEDNIA’S SCHEME
In the following, two comments on Saeednia's scheme are presented. The first comment shows that Saeednia's scheme has a weakness in the parameter $u$. The second comment shows that Saeednia's scheme is not efficient enough.
Comment 1
From the parameter $u = H t \pmod p$, a cryptanalyst is able to determine the matrix $H$ with a known-plaintext attack. This is the same problem as in the original Hill method. By collecting $m$ pairs of $(t, u)$, a cryptanalyst can obtain the key $H$. Further, the cryptanalyst can obtain the permutation matrix $P_t$ associated to $t$. Therefore, he can compute the cipher key $H_t$ by
$$H_t = P_t^{-1} H P_t.$$
If $t$ cannot be obtained, then the cryptanalyst can collect $m$ pairs of $(X, Y)$ to obtain $H_t$, where $Y = H_t X \pmod p$. Besides, the cryptanalyst knows that $u = H t \pmod p$ and $H_t = P_t^{-1} H P_t$, so he can obtain the following relations:
$$H = [U][T]^{-1}, \text{ where } [U] = [u_1\ u_2\ \dots\ u_m] \text{ and } [T] = [t_1\ t_2\ \dots\ t_m] \text{ are } m \times m \text{ matrices} \tag{3}$$
$$H_t = P_t^{-1} H P_t \Leftrightarrow H = P_t H_t P_t^{-1} \tag{4}$$
From (3) and (4), the equations can be rewritten as
$$[U][T]^{-1} = P_{t_1} H_{t_1} P_{t_1}^{-1}, \quad [U][T]^{-1} = P_{t_2} H_{t_2} P_{t_2}^{-1}, \quad \dots, \quad [U][T]^{-1} = P_{t_m} H_{t_m} P_{t_m}^{-1}.$$
Assume that the predefined function $t \Rightarrow P_t$ is known and $[T]^{-1}$ exists; then the parameter $t$ can be obtained by solving the above $m$ equations. It means that the cryptanalyst can collect $m$ pairs of parameters to solve the equations $[U][T]^{-1} = P_{t_m} H_{t_m} P_{t_m}^{-1}$ and $m$ pairs to obtain each $H_t$ from $Y = H_t X \pmod p$. Finally, we can obtain the key $H$ from $m^2$ known-plaintext pairs $(u, X, Y)$.
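Saeednia's scheme of Section II together with the first observation of Comment 1, as an added example (Python, not the paper's code): a $2 \times 2$ toy over $p = 7$. The rule mapping $t$ to $P_t$ is an assumption here (the permutation that sorts $t$), since the paper only calls it "predetermined"; the last function shows that, because $u = Ht$ is linear in $t$, $m$ known pairs $(t, u)$ give back $H = [U][T]^{-1}$ exactly as $m$ plaintext-ciphertext pairs do for the plain Hill cipher.

```python
# Added example (not from the paper): Saeednia's permuted-key Hill cipher for
# m = 2 and the observation of Comment 1 that u = H t is itself a Hill
# encryption of t, so m known pairs (t, u) yield H = [U][T]^-1.

def inv2(M, p):
    """2x2 modular inverse by the adjugate (enough for this toy size)."""
    (a, b), (c, d) = M
    di = pow((a * d - b * c) % p, -1, p)
    return [[d * di % p, -b * di % p], [-c * di % p, a * di % p]]

def mul(A, B, p):
    return [[sum(x * y for x, y in zip(r, c)) % p for c in zip(*B)] for r in A]

def transpose(M):
    return [list(r) for r in zip(*M)]

def col(v):                       # vector -> m x 1 column matrix
    return [[x] for x in v]

def perm_matrix(t):
    # Assumed "predetermined permutation algorithm": the permutation that
    # sorts t (ties broken by position). The paper does not fix one.
    order = sorted(range(len(t)), key=lambda i: (t[i], i))
    return [[int(order[i] == j) for j in range(len(t))] for i in range(len(t))]

def permuted_key(H, t, p):
    """H_t = P_t^-1 H P_t; for a permutation matrix P_t^-1 is its transpose."""
    P = perm_matrix(t)
    return mul(mul(transpose(P), H, p), P, p)

def saeednia_encrypt(X, H, t, p):
    """Column-vector convention of Section II: Y = H_t X, u = H t (mod p)."""
    Y = [r[0] for r in mul(permuted_key(H, t, p), col(X), p)]
    u = [r[0] for r in mul(H, col(t), p)]
    return Y, u

def saeednia_decrypt(Y, u, H, p):
    Hinv = inv2(H, p)
    t = [r[0] for r in mul(Hinv, col(u), p)]          # t = H^-1 u
    Hinv_t = permuted_key(Hinv, t, p)                 # (H^-1)_t = (H_t)^-1
    return [r[0] for r in mul(Hinv_t, col(Y), p)]

def key_from_tu_pairs(ts, us, p):
    """Comment 1: with [T] = [t_1 ... t_m] and [U] = [u_1 ... u_m] as columns,
    U = H T, hence H = [U][T]^-1 whenever [T] is invertible."""
    return mul(transpose(us), inv2(transpose(ts), p), p)
```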
Comment 2
Saeednia uses many matrix multiplications to encrypt and to decrypt a message in his scheme; for example, the cipher key $H_t$ is produced by $H_t = P_t^{-1} H P_t$. When the size of the matrix $H$ is large, it requires a lot of time to compute the matrix multiplication and inversion. We will analyze the complexity in Section VI.
IV. THE PROPOSED SCHEME
To overcome the weakness of Saeednia's scheme, we use two encryption parameters $(h_{ij}, V)$ in the proposed scheme, where $h_{ij}$ is picked at random, and $V$ is generated from $h_{ij}$ with a one-way hash function.
Suppose that two people, Alice and Bob, want to communicate securely. First, they share a common cipher key $H$, which is an $m \times m$ nonsingular matrix with $h_{ij} \in Z_p$, for a fixed $p > 1$, satisfying $\gcd(\det H \pmod p,\ p) = 1$. In order to encrypt a plaintext message $X = [x_1\ x_2\ \dots\ x_m]$, Alice chooses a random integer $a$ with $0 < a < p$ and uses a one-way hash function $f(x)$, e.g. SHA (FIPS 180-2, 2002), to compute the parameter $b$ by
$$b = f(a \| h_{11} \| h_{12} \| \dots \| h_{ij} \| \dots \| h_{mm}),$$
where $h_{11}, h_{12}, \dots, h_{ij}, \dots, h_{mm}$ are the elements of $H$. Using $b$, she picks the $ij$-th element $h_{ij}$ from $H$ (which may be seen as
$$i = \left( \left\lfloor \frac{b-1}{m} \right\rfloor \pmod m \right) + 1, \qquad j = b - \left\lfloor \frac{b-1}{m} \right\rfloor \times m,$$
where $m$ is the dimension of the matrix $H$). Then she uses $h_{ij}$ to generate the elements of the vector $V = [v_1\ v_2\ \dots\ v_m]$ by applying $f$ $m$ times:
$$v_1 = f(h_{ij}) \pmod p,$$
$$v_2 = f(v_1) \pmod p = f^2(h_{ij}) \pmod p,$$
$$v_3 = f(v_2) \pmod p = f^3(h_{ij}) \pmod p,$$
$$\dots$$
$$v_m = f(v_{m-1}) \pmod p = f^m(h_{ij}) \pmod p.$$
Then she encrypts the plaintext message $X$ as $Y = h_{ij} X H + V \pmod p$, where $p$ is a prime number, and sends the pair $(Y, a)$ to Bob.
In order to decrypt the ciphertext $Y$, Bob first computes $b$ by $b = f(a \| h_{11} \| h_{12} \| \dots \| h_{ij} \| \dots \| h_{mm})$ and uses $b$ to pick the $ij$-th element $h_{ij}$ from $H$. He also generates each element $v_k$ ($1 \le k \le m$) of $V$ from $h_{ij}$ in the same way as in the encryption scheme. Finally, he can recover the plaintext message by computing $X = h_{ij}^{-1} H^{-1} (Y + V) \pmod p$.
V. ANALYSIS OF KNOWN-PLAINTEXT ATTACK
In the original Hill cipher, an analyzer can use a known-plaintext attack to obtain the cipher key $H$. However, in our system, it is hard to use a known-plaintext attack for the following reason. Since the ciphertext is $Y = (CXH + V) \pmod p$, where the parameter $C_i = (h_{ij})_i$ is the element selected for message $i$ as described in the previous section, the equations can be written as
$$Y_1 = C_1 X_1 H + V_1 \pmod p,$$
$$Y_2 = C_2 X_2 H + V_2 \pmod p,$$
$$\dots$$
$$Y_m = C_m X_m H + V_m \pmod p.$$
Although the analyzer knows $m$ pairs of $(X_i, Y_i)$ ($1 \le i \le m$), the cipher key $H$ and the two encryption parameters $C$ and $V$ are unknown. It means that $m$ equations cannot be used to solve for an $m \times m$ nonsingular matrix $H$ and $2m$ unknown parameters. Therefore, the analyzer cannot use the known-plaintext attack to break our scheme.
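The proposed scheme of Section IV, whose ciphertext form $Y = h_{ij} X H + V$ the argument above relies on, as an added example (Python, not the paper's code) for a $2 \times 2$ key over $p = 7$. SHA-256 stands in for the paper's $f(x)$, the byte encoding of the concatenation $a \| h_{11} \| \dots \| h_{mm}$ is an assumption, and decryption subtracts $V$ to undo the addition in $Y$ (the paper's formula prints $Y + V$); the case $h_{ij} \equiv 0 \pmod p$, which the paper does not discuss, is rejected because no inverse exists.

```python
# Added example (not from the paper): the hash-keyed Hill variant of Section IV
# for a 2x2 key, with SHA-256 as the one-way function f. Decryption subtracts
# V to undo the addition in Y = h_ij X H + V (the paper's text prints Y + V).
import hashlib
def f(*parts):
    # Assumed byte encoding of a||h11||...||hmm: each value as 4 big-endian bytes.
    data = b"".join(int(v).to_bytes(4, "big") for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def inv2(M, p):                   # 2x2 modular inverse by the adjugate
    (a, b), (c, d) = M
    di = pow((a * d - b * c) % p, -1, p)
    return [[d * di % p, -b * di % p], [-c * di % p, a * di % p]]

def mul(A, B, p):
    return [[sum(x * y for x, y in zip(r, c)) % p for c in zip(*B)] for r in A]

def pick_index(b, m):
    # i = (floor((b-1)/m) mod m) + 1 and j = b - floor((b-1)/m)*m, both in 1..m
    q = (b - 1) // m
    return q % m + 1, b - q * m

def select_hij(a, H, p):
    # b = f(a||h11||...||hmm) chooses the scalar h_ij, which must be a unit mod p
    b = f(a, *[h for row in H for h in row])
    i, j = pick_index(b, len(H))
    hij = H[i - 1][j - 1] % p
    if hij == 0:                  # not addressed in the paper: h_ij has no inverse
        raise ValueError("h_ij is 0 mod p; choose another a")
    return hij

def v_vector(hij, m, p):
    # v_1 = f(h_ij) mod p, then v_k = f(v_{k-1}) mod p for k = 2..m
    V, x = [], hij
    for _ in range(m):
        x = f(x) % p
        V.append(x)
    return V

def encrypt(X, H, p, a):          # Alice sends (Y, a); a is a random 0 < a < p
    hij = select_hij(a, H, p)
    V = v_vector(hij, len(H), p)
    return [(hij * y + v) % p for y, v in zip(mul([X], H, p)[0], V)]  # h_ij X H + V

def decrypt(Y, H, p, a):
    hij = select_hij(a, H, p)
    V = v_vector(hij, len(H), p)
    Z = [(y - v) * pow(hij, -1, p) % p for y, v in zip(Y, V)]  # h_ij^-1 (Y - V)
    return mul([Z], inv2(H, p), p)[0]                          # then times H^-1
```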
VI. PERFORMANCE ANALYSIS
We define some notations as follows.
$T_{MUL}$: the time for a scalar modular multiplication.
$T_{ADD}$: the time for a scalar modular addition.
$T_{M\_INV}$: the time for the modular inversion of an $m \times m$ matrix.
$T_{hash}$: the time taken by the hash function $f(x)$.
We use an $m \times m$ nonsingular matrix as the ciphering key and obtain the results shown in Table 1. In Table 1, the modular inversion of an $m \times m$ matrix is counted as $2m^3$ scalar modular multiplications and $(2m^3 - 2m^2)$ scalar modular additions (using the Gaussian elimination method). On the other hand, the one-way hash function is much faster than modular matrix inversion, so our scheme is more efficient.
Table 1 The time comparison of the cryptosystems
Operation | Saeednia's scheme | Our scheme
Encryption | $1T_{M\_INV} + 2(m^3 + m^2)T_{MUL} + 2(m^3 - m)T_{ADD}$ | $(m^3 + m)T_{MUL} + (m^3 - m^2 + m)T_{ADD} + (m + 1)T_{hash}$
Decryption | $2T_{M\_INV} + 2(m^3 + m^2)T_{MUL} + 2(m^3 - m)T_{ADD}$ | $1T_{M\_INV} + (m^3 + m)T_{MUL} + (m^3 - m^2 + m)T_{ADD} + (m + 1)T_{hash}$
VII. CONCLUSION
The Hill cipher is a famous cryptosystem, which is efficient and easy to implement. However, it is easy to break by a known-plaintext attack. In this paper, we have presented an improved scheme to make the Hill cipher secure. Our scheme offers more security and more efficiency than Saeednia's scheme.
NOMENCLATURE
$a \| b$: the concatenation of $a$ and $b$
$\det H$: the determinant of a matrix $H$
SHA: secure hash algorithm
$Z_p$: the set of nonnegative integers $\{0, 1, 2, \dots, p-1\}$
REFERENCES
Denning, D. E., 1982, Cryptography and Data Security, Addison-Wesley, MA, USA.
Evertse, J. H., 1987, "Linear Structures in Block Ciphers," Advances in Cryptology - EUROCRYPT '87, Lecture Notes in Computer Science (LNCS) Vol. 304, Springer-Verlag, pp. 249-266, The Netherlands.
Federal Information Processing Standard (FIPS) 180-2, 2002, "Secure Hash Standard," NIST, U.S. Department of Commerce.
Hill, L. S., 1929, "Cryptography in an Algebraic Alphabet," American Mathematical Monthly, Vol. 36, No. 6, pp. 306-312.
Hill, L. S., 1931, "Concerning Certain Linear Transformation Apparatus of Cryptography," American Mathematical Monthly, Vol. 38, No. 3, pp. 135-154.
Saeednia, S., 2000, "How to Make the Hill Cipher Secure," Cryptologia, Vol. 24, No. 4, pp. 353-360.
Yeh, Y. S., Wu, T. C., Chang, C. C., and Yang, W. C., 1991, "A New Cryptosystem Using Matrix Transformation," Proceedings of 25th Annual IEEE International Carnahan Conference, Taiwan, pp. 131-138.
Manuscript Received: Dec. 27, 2002 Revision Received: Oct. 17, 2003 and Accepted: Nov. 12, 2003