by A. A. Albert
1. Introduction
The idea of connecting cryptography with mathematics is not new, but it has not been exploited in the literature of either subject to the extent of the present paper. Our topic should be a timely one not only because of the present public interest in anything connected with our war effort, but also because of the current ever increasing use by scientists1 of the concepts of modern abstract algebra.
We shall present here a mathematical formulation of a general theory of cryptology2 with detailed application to cryptography. In this, we shall see that cryptography is more than a subject permitting mathematical formulation, for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics.
Our formulation will permit a rapid presentation of the methods of cryptography in common use, and we shall show that all of these methods are very special cases of the so-called algebraic cipher systems. These latter cipher systems are entirely practical in the simple cases, and we hope that our presentation will destroy the belief of many cryptologists that they are “only practical providing a machine is used.”3
2. Cryptography as a theory of non-singular mappings
The function concept has been described frequently as a unifying concept for collegiate mathematics. Elementary functions are usually given by formulas \( y = f(x) \), but this sort of definition is not always possible and only makes sense in an environment in which the necessary additional assumptions are presupposed for all the functions considered. Let us then formulate the concept in complete general terms.
Consider a set \( \mathcal{M} \) consisting of any objects whatever and call these objects the quantities of \( \mathcal{M} \). (They might be numbers or physical objects or even mathematical concepts!) We let \( x \) be a symbol which is permitted, during our discussion, to represent any quantity of \( \mathcal{M} \), so that we call \( x \) a variable whose range is \( \mathcal{M} \). Let \( \mathcal{N} \) be a second set of quantities and set up a correspondence \begin{equation} x \mapsto S(x) \label{eq-01} \end{equation} (read \( x \) goes to \( S(x) \)) whereby every \( x \) in \( \mathcal{M} \) determines a unique \( S(x) \) in \( \mathcal{N} \). Then the symbol \( u = S(x) \) is a second variable, with \( \mathcal{N} \) as its range, and we are accustomed to say that the correspondence defines \( u \) as a function of \( x \).
Thus, a function of \( x \) really consists of two sets \( \mathcal{M} \) and \( \mathcal{N} \) and the correspondence \( S \) given by \eqref{eq-01} of the quantities \( x \) of \( \mathcal{M} \) on their images \( S(x) \) in \( \mathcal{N} \). It will be better for our purposes to describe this situation by simply speaking of \( S \) rather than the function, and we shall call \( S \) a mapping of \( \mathcal{M} \) on \( \mathcal{N} \).
Suppose that there is also a mapping \( T \) given by \begin{equation} u \mapsto T(u) \label{eq-02} \end{equation} on \( \mathcal{N} \) to \( \mathcal{M} \), so that every \( u \) of \( \mathcal{N} \) determines a unique \( T(u) \) in \( \mathcal{M} \). Then we let \( T \) be such that if \( u=S(x) \), the quantity \( T(u) = x \). In this case, the mapping \( S \) is called a non-singular mapping. \( T \) is called its inverse, and we indicate this by writing \( T=S^{-1} \).
Cryptography is the study of all non-singular mappings \( S \) on \( \mathcal{M} \) to \( \mathcal{N} \) where \( \mathcal{M} \) is the set of a messages \( x \) and \( \mathcal{N} \) is the set of all cryptograms \( S(x) \). The mappings are called cipher systems. If a message \( x \) and a cipher system \( S \) are given, the process of the application of \( S \) to \( x \), so as to obtain the cryptogram \( S(x) \), is called the encipherment of \( x \). When \( S \) and \( S(x) \) are given, the process of the application of \( S^{-1} \) to the cryptogram \( S(x) \), so as to obtain the message \( x \), is called the decipherment of \( S(x) \).
There are many mathematical situations in which it is possible to determine a mapping \( S \) on \( \mathcal{M} \) to \( \mathcal{N} \) from a given list of a finite number of quantities \( x \) in \( \mathcal{M} \) and their images \( S(x) \) in \( \mathcal{N} \). However we wish to propose the more difficult problem of determining \( S \) (and hence each \( x \)) from a given finite set of cryptograms \( S(x) \). We use this in the definition of cryptanalysis as the theory of those structural properties of messages, cryptograms, and cipher systems which are required in order to solve all problems (which permit a solution) of the kind above. The solution of such a problem is called the decryptment of its cryptograms, and so cryptanalysis is the study of the methods of decryptment. Cryptology is the subject comprising both cryptography and cryptanalysis. However, we shall be concerned only with the first of these two branches here.
3. Cipher systems on components, and codes
It is clear from what we have said that the most primitive cipher system would be simply a list of all the messages to be used and an adjacent list of corresponding cryptograms. However, some more sophisticated cipher systems are describable, as is the case for some mathematical functions, by formulas. These formulas will express the cryptogram \( S(x) \) in terms of the result of applying the cipher system \( S \) to what we shall call components of the message \( x \), and we shall formulate this new concept.
The term message has not been interpreted thus far but we now conceive of it as any sequence of a finite number of symbols which are either letters, periods, or commas and the like. We now partition the message into blocks of symbols called components. The message \( x \) will then become a sequence of components, each consisting of a group of symbols of the message \( x \). These occur in the component in the same order as in \( x \). Also the order of the components themselves is fixed by the order of the symbols in \( x \). The components may be simply the words of \( x \), or its sentences, or simply blocks of a fixed number of letters. In the latter case the final block may not contain enough letters to satisfy the given definition. Then it will be necessary to adjoin letters, called nulls, to bring up the number of letters to the required amount.
Suppose now that a message \( x \) has been broken up into \( n \) components where \( n \) is a positive integer. Let \( i \) be any integer from 1 to \( n \) and let the symbol \( x_i \) represent the \( i \)-th component of \( x \). Then we may represent this situation by writing \( x \) in the following notation \begin{equation} x = \bigl[x_1, x_2, \dots , x_n\bigr]. \label{eq-03} \end{equation} We wish also to use cipher systems \( S \) which replace \( x \) by sequences \begin{equation} u = S(x) = \bigl[u_1, u_2, \dots , u_m \bigr]. \label{eq-04} \end{equation} Here, the cryptogram \( u \) has been broken up into \( m \) components of some prescribed kind and neither the positive integer \( m \) nor the kind of components \( u_j \) (\( j=1, \dots , m \)) need be the same as for \( x \).
The most primitive formula for a cipher system in terms of \eqref{eq-03} and \eqref{eq-04} is given by \begin{equation} S(x) = \bigl[ T(x_1), T(x_2), \dots , T(x_n)\bigr], \label{eq-05} \end{equation} where \( T \) is a non-singular mapping on the set \( \mathcal{M}_0 \) of the components (of a prescribed kind) of messages to the set \( \mathcal{N}_0 \) of components of cryptograms (also of prescribed kind). The code is such a cipher system. Here, the components of \( x \) are the words, \( \mathcal{M}_0 \) is the set of all words in all the messages which will be used, \( \mathcal{N}_0 \) is the set of all the words in all the resulting cryptograms, \( T \) is a non-singular mapping on \( \mathcal{M}_0 \) to \( \mathcal{N}_0 \).
In describing cipher systems where more of a cipher system is to be given by the formula and less by auxiliary mapping, the nature of the components \( u_j \) of the cryptogram \eqref{eq-04} may depend both on the nature of \( x_i \) in \( x \) and also on its position in the message, which we have indicated by its subscript \( i \). But then a formula describing the cipher system would depend upon the length \( n \) of the message \( x \), and we are studying formulas independent of \( x \). We may achieve our end, however, by the adjunction of new components, which are nulls, to bring up the number of components to a fixed maximum prescribed in advance. It may also be achieved in a somewhat more practical way by the use of \eqref{eq-05} and the fact that each \( x_i \) may itself be regarded as being a message, the set of all messages to considered is now the set \( \mathcal{M}_0 \) or our components, \( T \) is a cipher system. But we may prescribe a partitioning of \( x \). If we then define components for our message so that each component \( x_i \) permits a further subdivision into subcomponents \( x_{i_1}, \dots \), \( x_{i_{\nu}} \), with \( \nu \) the same for each \( i \), the cipher system \( T \) will operate on messages all of the same number of components.
We have now seen how to limit our study to cipher systems on messages \eqref{eq-03} for a fixed \( n \), and we shall do this.
4. Transposition ciphers
A transposition cipher is simply a cipher system given by \eqref{eq-03} and \begin{equation} S(x) = \bigl[ x_{i_1}, x_{i_2}, \dots , x_{i_n} \bigr], \label{eq-06} \end{equation} where \( i_1, \dots, i_n \) is any permutation (i.e., rearrangement) of the integers \( 1,2,\dots , n \). This may be accomplished most effectively in the general case by simply writing the message and the permutation and then reading off the cryptogram in the form: \begin{equation} \begin{array}{r cccc} \textrm{Plain Text} \qquad & x_1 & x_2 & \dots& x_n \cr\cr \smash{\raise-1.5ex\hbox{Cipher System}} \qquad & 1 & 2 & \dots & n \cr & i_i & i_2 & \dots & i_n \cr\cr \textrm{Cryptogram} \qquad & x_{i_1} & x_{i_2} & \dots & x_{i_n} \end{array} \label{eq-07} \end{equation}
To decipher such as message, we read up in the cipher system to obtain its inverse, and then have: \begin{equation} \begin{array}{r cccc} \textrm{Cryptogram}\qquad & u_1 & u_2 & \dots & u_n, \cr\cr \smash{\raise-1.5ex\hbox{Inverse Cipher}}\qquad & 1 & 2 & \dots & n \cr & j_i & j_2 & \dots & j_n \cr\cr \textrm{Message}\qquad & u_{j_1} & u_{j_2} & \dots & u_{j_n} \end{array} \label{eq-08} \end{equation} For example, we may write: \[ \begin{array}{ r rrrrrrrrrrrrrrrr } \textrm{Plain Text}\quad & I & N & T & H & A & T & P & R & E & C & E & D & I & N & G \cr\cr \smash{\raise-1.5ex\hbox{Cipher System}}\quad & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & \cr & 7 & 11 & 5 & 1 & 8 & 13 & 14 & 9 & 15 & 2 & 6 & 10 & 12 & 4 & 3 \cr\cr \textrm{Cryptogram}\quad & P & E & A & I & R & I & N & E & G & N & T & C & D & H & T \cr\cr \smash{\raise-1.5ex\hbox{Inverse System}}\quad & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & \cr & 4 & 10 & 15 & 14 & 3 & 11 & 1 & 5 & 8 & 12 & 2 & 13 & 6 & 7 & 9 \end{array} \] which we apply to obtain the original message.
There are many devices for accomplishing transformations of this kind but none of them can do more than what we have indicated above. They may need to be studied in cryptanalysis but surely are not worthwhile additions to cryptography. It would seem that their only possible value in this latter subject is that they may be relatively easy to remember. However, the most primitive of them are worthless, and the more complicated ones are not as easy to remember as the following device.
Let us memorize any sentence and write it with a number below each letter from 1 to the number \( n \) of letters in the sentence. We then put numbers below those according to the alphabetical order of the letters, giving repeated letters consecutive numbers. The transposition cipher system obtained in this way may be written down rapidly, and is usually much more general in its structure than those special systems in common use. For example, we have \begin{align*} & \begin{array}{ r rr | rrrrrr | rrrrrr } \textrm{Key}\quad & A & N & E & F & F & O & R & T & S & H & O & U & L & D \cr\cr \smash{\raise-1.5ex\hbox{Cipher}} \quad & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \cr & 1 & 14 & 6 & 9 & 10 & 15 & 17 & 19 & 18 & 11 &16 & 20 & 12 & 4 \end{array} \\ \\ & \begin{array}{ r rr | rrrr} \textrm{Key}\quad & B & E & M & A & D & E \cr\cr \smash{\raise-1.5ex\hbox{Cipher}} \quad & 15 & 16 & 17 & 18 & 19 & 20 \cr & 3 & 7 & 13 & 2 & 5 & 8 \end{array} \end{align*}
5. Products of cipher systems
If \( S \) is a non-singular mapping \( x \mapsto u = S(x) \) on \( \mathcal{M} \) to a set \( \mathcal{N} \) and \( T \) is a non-singular mapping \( u \mapsto T(u) \) on \( \mathcal{N} \) to a set \( \mathcal{L} \) the correspondence \begin{equation} x \longmapsto V(x) = T[ S(x) ] \label{eq-09} \end{equation} is a non-singular mapping \( V \) on \( \mathcal{M} \) to \( \mathcal{L} \). However, it may be more convenient to compute \( V(x) \) by first computing \( u = S(x) \), and then \( T(u) \), rather than \( V(x) \) directly. We shall call \( V \) the product \( ST \) of the mappings \( S \) and \( T \).
In cryptography it is frequently possible to think of cryptograms themselves as being messages, and thus study cipher systems which are non-singular mappings on \( \mathcal{M} \) to \( \mathcal{M} \). But then the product \( ST \) of a cipher system \( S \) by a cipher system \( T \) is another cipher system.
It is also possible frequently to break down a cipher system into a product of simpler ones. This is usually done in analyzing cipher systems, and much of our discussion will be concerned with a description of these simpler systems rather than the more complicated systems derivable from them by the product operation described above.
It should be observed that the operation of product of mappings is associative, that is, \( (ST)U = S(TU) \) for any three mappings \( S \), \( T \), \( U \). Indeed, both of these mappings are the same correspondences \[ x \mapsto U \{ T[ S(x) ] \} .\] However the operation is not commutative and indeed \( TS \) may not even be defined. But even if \( S \) and \( T \) are mappings on \( \mathcal{M} \) to \( \mathcal{M} \), so that \( ST \) and \( TS \) are also mappings on \( \mathcal{M} \) to \( \mathcal{M} \), they may be different. For example, let \( \mathcal{M} \) consist of the symbols \( 1,2,3 \); \( S \) be the correspondence \( 1 \mapsto 2 \), \( 2 \mapsto 3 \), \( 3 \mapsto 1 \); \( T \) be the correspondence \( 1 \mapsto 2 \), \( 2 \mapsto 1 \), \( 3 \mapsto 3 \). Then \( ST \) is given by \( 1 \mapsto 1 \), \( 2 \mapsto 3 \), \( 3 \mapsto 2 \), and \( TS \) by \( 1 \mapsto 3 \), \( 2 \mapsto 2 \), \( 3 \mapsto 1 \).
6. The role of the ring in a cipher alphabet
It is frequently desirable in cryptography to use an intermediate set \( \mathcal{N} \) and so construct a cipher system \( S \) as the product \( TUT^{-1} \), where \( T \) is a non-singular mapping on the set \( \mathcal{M} \) of all messages to the intermediate set \( \mathcal{N} \), \( U \) is a non-singular mapping on \( \mathcal{N} \) to \( \mathcal{N} \). Let us then write \[ x = \bigl[ x_1, \dots, x_n \bigr], \] for components \( x_i \) of our messages \( x \), and suppose that \( T \) is such that \begin{equation} u = T(x) = \bigl[ u_1, \dots, u_n \bigr], \qquad u_i = T_0 (x_i). \label{eq-10} \end{equation} Here, \( T_0 \) is a non-singular mapping on the set \( \mathcal{M}_0 \) of all components of messages, to a set \( \mathcal{N}_0 \) whose quantities are at our choice. Then \( u \) is formed as the sequence above and we have \begin{equation} T^{-1} (u) = \bigl[ T_0^{-1} (u_1), \dots , T_0^{-1} (u_n) \bigr]. \label{eq-11} \end{equation} We apply a second transformation \( U \) on \( \mathcal{N} \) to \( \mathcal{N} \) and have \begin{equation} U(u) = \bigl[ v_1, \dots, v_n \bigr], \label{eq-12} \end{equation} so that \begin{equation} S (x) = \bigl[ T_0^{-1} (v_1), \dots, T_0^{-1} (v_n) \bigr]. \label{eq-13} \end{equation} Let us call the set \( \mathcal{N}_0 \), together with the mapping \( T_0 \), a cipher alphabet.
The cipher alphabet is introduced to simplify the description of \( S \). In particular we may use a mathematical number system \( \mathcal{A} \) for the set \( \mathcal{N}_0 \) and so have a set \( \mathcal{N}_0 \) in which addition and multiplication of its quantities are defined. It may then be a very simple matter to give formulas for the mapping \( U \) and to give \( T_0 \) explicitly. However the consequent description of \( S \) in terms of messages alone would usually be extremely complicated.
The only sets \( \mathcal{A} \) of which we shall use are the sets called commutative rings: A ring \( \mathcal{A} \) is a set of quantities for which the sum \( a + b \) and the product \( ab \) of any \( a \) and \( b \) in \( \mathcal{A} \) are quantities of \( \mathcal{A} \) such that \begin{align} & a + b = b + a, \quad (a+b) +c = a + (b + c), \quad a(bc) = (ab)c, \label{eq-14} \\ & a (b + c) = ab + ac, \quad (b+c)a = ba + ca, \label{eq-15} \end{align} for every \( a \), \( b \), and \( c \) of \( \mathcal{A} \). Moreover we assume that for every \( a \) and \( b \) of \( \mathcal{A} \) there is a unique solution \( x \) in \( \mathcal{A} \) of the equation \begin{equation} a + x = b. \label{eq-16} \end{equation} We call \( \mathcal{A} \) a commutative ring if it is also true that \begin{equation} ab = ba \label{eq-17} \end{equation} for every \( a \) and \( b \) of \( \mathcal{A} \).
In every ring, there is a unique zero quantity 0 such that \begin{equation} a + 0 = a, \label{eq-18} \end{equation} for every \( a \) of \( \mathcal{A} \), and a unique quantity \( -{a} \), called the negative of \( a \), such that \begin{equation} a + (-{a}) = 0. \label{eq-19} \end{equation} Then in \eqref{eq-15} we have \( x = b + (-{a}) \). It can be shown that the properties we have assumed imply that \( -{(-{a})} = a \), \( (-{a})b = a(-{b}) = -{(ab)} \), \( (-{a})(-{b}) = ab \) for all quantities \( a \) and \( b \) of \( \mathcal{A} \).
The familiar number systems consisting of all rational numbers, of all real numbers, and of all complex numbers are examples of commutative rings. These rings are all fields, that is, commutative rings \( \mathcal{A} \) with the property that if \( a \) and \( b \) are in \( \mathcal{A} \) and \( a \) is not zero there is a unique solution \( x \) in \( \mathcal{A} \) of the equation \begin{equation} a x = b. \label{eq-20} \end{equation} This quotient \( x \) has a property like the difference \( x = b - a \) which is the solution of \eqref{eq-15}. First there is a unity quantity 1 in \( \mathcal{A} \) such that \begin{equation} 1 a = a 1 = a, \label{eq-21} \end{equation} for every quantity \( a \) of \( \mathcal{A} \). Also every \( a \ne 0 \) has a unique inverse \( a^{-1} \) such that \begin{equation} a a^{-1} = a^{-1} a = 1, \label{eq-22} \end{equation} and then \( x = b a^{-1} \).
The set of all integers, and the set of all polynomials \( f(\lambda) \) in a symbol \( \lambda \) with rational coefficients, are both commutative rings with a unity quality. But they are not fields.
7. Residue class rings in cipher alphabets
Let us now suppose that the components \( x_i \) of a message \( x \) in its representation \eqref{eq-03} as sequence, are letters of the alphabet, and perhaps other similar symbols like periods or commas. Then, the set \( \mathcal{M}_0 \) of all possible components is a finite set and we shall wish to map it on a ring \( \mathcal{N}_0 \), also with a finite number of quantities. Let us then proceed to define certain very simple finite rings.
The quantities of our new rings will not be ordinary integers but classes of integers. The reader is already familiar with the classification of integers into two classes, namely, the class of all even integers, and the class of all odd integers. For these classes we have the rules that \begin{align*} & \text{even} + \text{even} = \text{even},\\ & \text{even} + \text{odd} = \text{odd} + \text{even} = \text{odd},\\ & \text{even} \times \text{odd} =\text{odd}\times\text{even}= \text{even},\\ & \text{odd} \times \text{odd} = \text{odd}. \end{align*} Then we may represent the class of all even integers by 0, the class of all odds by 1, and we have a ring of two elements with the laws \begin{align} & 0 + 0 = 0 = 1 + 1, \qquad 1 + 0 = 0 + 1 = 1, \notag \\ & 0 \cdot 0 = 0 \cdot 1 = 1 \cdot 0 = 0, \qquad 1 \cdot 1 = 1. \label{eq-23} \end{align}
We shall define similarly a ring \[ A_m \] of \( m \) classes of ordinary integers, for every fixed integer \( m > 1 \). If \( a \) is any integer there are integers \( q \) and \( r \) such that \begin{equation} a - q m = r, \label{eq-24} \end{equation} where the remainder \( r \) is one and only one of the integers \begin{equation} 0,1,2,\dots,m-1. \label{eq-25} \end{equation} Let us call two integers \( a \) and \( b \) congruent and write \begin{equation} a \equiv b, \label{eq-26} \end{equation} if the corresponding remainders are the same. Then \( a \equiv 0 \) if and only if \( a \) is a multiple of \( m \), \( a \equiv b \) if and only if \( a - b = 0 \).
Let us now put all integers into a set of residue classes, each of which will be designated by \( \{a\} \). Here \( a \) is any integer of the class, \( \{a\} = \{b\} \) if any only if \( a \equiv b \). It is clear that there are \( m \) classes and that they are precisely the classes \[ \{0\}, \{1\}, \dots , \{ m - 1\}, \] where if \( r \) has any of the values \( 0,1, \dots, m-1 \), the set \( \{r\} \) consists of all integers differing from \( r \) by a multiple of \( m \).
It is a simple matter to verify the identities \begin{align*} (a + c) - ( b + d) &= (a - b) + (c - d), \cr a c - b d &= (a - b) (c - d) + [ d (a - b) + b (c - d) ]. \end{align*} They imply that if \( a \equiv b \) and \( c \equiv d \) then \( a + c \equiv b + d \), \( ac\equiv bd \). But it follows that \( \{a + c \} \) and \( \{ a c \} \) are uniquely determined for every two classes \( \{a \}, \{ c \} \) and we define \[ \{ a \} + \{ c \} = \{ a + c \}, \qquad \{ a \} \{ c \} = \{ a c \}. \] The set \( \mathcal{A}_m \) of our residue classes is now known to be a commutative ring.
In actual use we omit the braces and compute with integers in the normal way but always drop off multiples of \( m \). We need not use \( 0,1,\dots \), \( m - 1 \) as a set of remainders but may choose any other \( m \) integers providing that there is one and only one from each class. For example, let us study \( \mathcal{A}_{26} \).
To facilitate computations we use the table of products \( q \cdot 26 \), \( q = 2,3,\dots \), 25, which is given by \begin{align*} & 52, 78, 104, 130, 156, 182, 208, 234, 260, 286, 312, 338, \\ & 364, 390, 416, 442, 468, 494, 520, 546, 572, 598, 624, 650. \end{align*} To use \( \mathcal{A}_{26} \), we set up a cipher alphabet as a mapping \begin{align} & \begin{array}{ rrrrr c rrrrr c rrrrr} A & B & C & D & E &\ & F & G & H & I & J &\ & K & L & M & N & O \cr 1 & 2 & 3 & 4 & 5 && 6 & 7 & 8 & 9 & 10 && 11 & 12 & 13 & 14 & 15 \end{array} \notag \\ \notag \\ & \begin{array}{rrrrr c rrrrr c r } P & Q & R & S & T &\ & U & V & W & X & Y &\ & Z \cr 16 & 17 & 18 & 19 & 20 && 21 & 22 & 23 & 24 & 25 && 26 \end{array} \label{eq-27} \end{align} We may now add and multiply integers as usual providing neither sum nor product exceeds 26. Then \( 3 + 5 = 9 \), \( 3 \cdot 5 = 15 \). However, \( 15 + 19 = 34 \equiv 8 \), and so if we replace 0 and \( S \) by what we may call their sum, this sum would be \( H \). Similarly \( 15 \cdot 19 = 285 \equiv 25 \) by the table above, and this corresponds to \( Y \).
8. The finite field in the construction of cipher systems
We shall construct cipher systems as in equations \eqref{eq-10}, \eqref{eq-11}, \eqref{eq-12}, \eqref{eq-13}, where the set \( \mathcal{N}_0 \) of components \( u_1 \) will be a finite ring and the mapping \( U \) will be defined by algebraic expressions for the components \( v_1, \dots \), \( v_n \) of \( U(u) \) in terms of the components \( u_1, \dots \), \( u_n \) of \( u \). A special instance of such a cipher system is that where \( \mathcal{N}_0= A_{26} \), \begin{equation} U (u) = \bigl[ a u_1, \dots , a u_n \bigr], \label{eq-28} \end{equation} for any non-zero quantity of \( \mathcal{A}_{26} \). If \( a \) is the class \( \{ 3 \} \) of \( \mathcal{A}_{26} \) our cipher system replaces every letter of our message by a corresponding letter, such that \( \mathrm{A}, \dots, \mathrm{Z} \) correspond, respectively, to \begin{equation} CFILO\ \ RUXAD\ \ GJMPS\ \ VYBEH\ \ KNQTW\ \ Z. \label{eq-29} \end{equation} If we attempted to construct the similar mapping with \( a = \{ 2 \} \) we would replace \( \mathrm{A}, \dots \mathrm{Z} \), respectively, by \begin{equation} BDFHJ\ \ LNPRT\ \ VXZBD\ \ FHJLN\ \ PRTVX\ \ Z, \label{eq-30} \end{equation} and so the mapping would not be non-singular.
The fact that the cipher system just described is singular arises from the property that the mappings \begin{equation} x \mapsto a x \quad (x\text{ in }\mathcal{A}), \label{eq-31} \end{equation} defined for each \( a \ne 0 \) of \( \mathcal{A} \), are singular for some quantities \( a \) of \( \mathcal{A}_{26} \). Such a mapping is non-singular for a given \( a \ne 0 \) if it is true that for every \( b \) of \( \mathcal{A} \), there is a solution \( x \) in \( \mathcal{A} \) of the equation \eqref{eq-20}. But then the mappings \eqref{eq-31} of \( \mathcal{A} \) on \( \mathcal{A} \) are all non-singular for \( a \ne 0 \) of \( \mathcal{A} \) if and only if \( \mathcal{A} \) is a field.
The finite rings \( \mathcal{A}_m \) with \( m = s t \) for positive integers \( s > 1 \), \( t > 1 \) are not fields. This follows since \( \{ s \} \{ t \} = \{0 \} \), the existence of a solution \( x \) of \( \{ t \} x = \{ 1 \} \) would imply that \( \{s \} \{ t \} x = \{ s \} = \{ 0 \} x = \{ 0 \} \). The rings \( \mathcal{A}_m \) with \( m \) a prime integer are fields and two instances of such rings important for our use are \begin{equation} A_{29}, A_{31}. \label{eq-32} \end{equation} Let us now set up the cipher alphabet given by \( \mathcal{A}_{29} \) and the correspondence \begin{align} & \begin{array}{ rrrrr c rrrrr c rrrrr} A & B & C & D & E &\ & F & G & H & I & J &\ & K & L & M & N & O \cr 1 & -1 & 2 & -2 & 3 && -3 & 4 & -4 & 5 & -5 && 6 & -6 & 7 & -7 & 8 \end{array} \notag \\ \notag \\ & \begin{array}{rrrrr c rrrrr c rrrr } P & Q & R & S & T &\ & U & V & W & X & Y &\ & Z & , & . & - \cr -8 & 9 & -9 & 10 & -10 && 11 & -11 & 12 & -12 & 13 && -13 & 14 & -14 & 0 \end{array} \label{eq-33} \end{align} We shall use the table of products \( q \cdot 29 \) for \( q = 2, \dots, 14 \), given by \[ 58, 87, 116, 145, 174, 203, 232, 261, 290, 319, 348, 377, 405. \] Then we see that the cipher system defined by the mapping \( x \mapsto \{3\} x \) of \( \mathcal{A} \) on \( \mathcal{A} \) sets up a correspondence of \( \mathrm{A} , \dots, \mathrm{Z} \), respectively, to \begin{equation} EFKLQ\ \ RWX.,\ \ VUPOJ\ \ IDCAB\ \ GHMNS\ \ TYZ- \label{eq-34} \end{equation} Here we have used properties contained in the set of congruences \begin{alignat*}{4} 28 &\equiv -1,&\quad 27 &\equiv -2,&\quad 26 &\equiv -3,&\quad 25&\equiv -4, \\ 24 &\equiv -5,&\quad 23 &\equiv -6,&\quad 22 &\equiv -7,&\quad 21 &\equiv -8, \\ 20 &\equiv -9,&\quad 19 &\equiv -10,&\quad 18 &\equiv -11,&\quad 17 &\equiv -12, \\ 16 &\equiv-13,&\quad 15 &\equiv -14&\quad \rlap{\text{ modulo } 29.} \end{alignat*}
There are also other finite fields obtained from our finite fields \( \mathcal{A}_m \), where \( m \) is a prime. Such fields are the sets of polynomials of the form \[ a_0 + a_1 \alpha + a_2 \alpha^2 + \cdots + a_t \alpha^{t-1} \quad (a_0, \dots, a_t \text{ in }\mathcal{A}_m), \] where \( \alpha \) is a root of an equation \( f(x) = 0 \) of degree \( t \), coefficients in \( \mathcal{A}_m \), and not factoring in \( \mathcal{A}_m \). Then \( \alpha \) is a primitive \( (q - 1) \)-st root of unity, \( q = m^t \) is the number of elements in this field. We designate such fields by \begin{equation} G F (m^t) \label{eq-35} \end{equation} (read \( G \), \( F \), \( m^t \)), and call such a field a Galois field of \( m^t \) quantities. There are no other finite fields.
The fields \( \mathcal{A}_m = GF(m) \), \( t=1 \). Another important example is the field \( GF(3^3) \) of 27 elements. Then its quantities are sums \begin{equation} a_0 + a_1 \alpha + a_2 \alpha^2, \label{eq-37} \end{equation} where \( a_i = \{ 0 \}, \{ 1 \}, \{2 \} \,\text{modulo } 3 \), \begin{equation} \alpha^3 = \alpha + 1. \end{equation}
9. Simple and multiple alphabet substitution ciphers
A substitution cipher is a non-singular mapping \begin{equation} x = \bigl[ x_1, \dots , x_n \bigr] \longmapsto S(x) = \bigl[ u_1, \dots, u_n \bigr], \label{eq-38} \end{equation} where the \( x_i \) are the letters or other symbols of our message, and the \( u_1 \) are the corresponding symbols determined by \( S \). An important type of substitution cipher is a non-singular mapping of the type above in which \begin{equation} S(x) = \bigl[ T_1 (x_1) , \dots , T_n (x_n) \bigr], \label{eq-39} \end{equation} for non-singular mappings \( T_i \) on \( \mathcal{M}_0 \) to \( \mathcal{M}_0 \), where \( \mathcal{M}_0 \) is the set of symbols we are using. Thus the mappings \( T_i = T \) given by \eqref{eq-29}, \eqref{eq-34} define such substitution ciphers. Let us also use any finite ring \( \mathcal{A} \) in a cipher alphabet which is a non-singular mapping \begin{equation} x_i \mapsto y_i, \label{eq-40} \end{equation} on \( \mathcal{M}_0 \) to \( \mathcal{A} \). Then the mappings \begin{equation} T_i: y_i \longmapsto a_i y_i + b_i \quad (i = 1, \dots , n) \label{eq-41} \end{equation} on \( \mathcal{A} \) to \( \mathcal{A} \) are non-singular for every \( b_i \) in \( \mathcal{A} \) and every non-zero \( a_i \) in \( \mathcal{A} \). It follows that the cipher systems defined by \eqref{eq-38}, \eqref{eq-39}, \eqref{eq-40}, \eqref{eq-41} are definable as follows. Replace each letter of our message of \( n \) letters by a corresponding “number” of the ring \( \mathcal{A} \) determined by \eqref{eq-40}. Multiply the \( i \)-th such number by the fixed non-zero number \( a_i \) in \( \mathcal{A} \), add the fixed \( b_i \), and then replace the result by the corresponding letter determined also by \eqref{eq-40}. Such ciphers are usually called multiple alphabet ciphers and are called simple or monoalphabet ciphers if the transformations \eqref{eq-41} are all the same, that is, if \begin{equation} y_i \mapsto a y + b \quad (i = 1, \dots , n). \label{eq-42} \end{equation}
10. Special multiple alphabet substitution ciphers
The so-called Caesar cipher is the case where \eqref{eq-41} is given by \begin{equation} y_i \mapsto y_i + b, \label{eq-43} \end{equation} for \( b \) fixed. If we use \( \mathcal{A}_{26} \) and use \eqref{eq-27} for the mapping \eqref{eq-40} of the Roman letters on the quantities of our ring then \( b \) is a class \( \{ r \} \) defined for \( r = 0, 1, \dots \), 25 and every letter \( x \) is replaced by a letter obtained by shifting it \( r \) units in the sequence \( A, \dots \), \( Z \) of which it is a member.
The Vigenère, Gronsfield, Porta, and Beaufort cipher systems are all variants of our cipher systems determined by \eqref{eq-27}, the use of \( \mathcal{A}_{26} \), and \eqref{eq-41} for \( a_i \ne \pm 1 \). In the original Vigenère, we use the form \begin{equation} y_i \mapsto y_i + b_i \quad (i = 1, \dots , n) \label{eq-44} \end{equation} of \eqref{eq-41}, where \( b_i = \{ r_i \} \) for \( r_i \) one of \( 0, 1, \dots \), 25, and we carry each set of \( n \) letters \( x_i \) of our messages to corresponding letters \( z_1 , \dots \), \( z_n \). Here we obtain the letter \( z_i \) by a shift of \( r_i \) letters in the alphabet on the letter \( x_i \). The amount of shift depends on \( i \). Thus, a key word of \( n \) symbols \( g_1 , \dots \), \( g_n \) may be given, we carry each letter \( g_i \) to a corresponding residue class \( \{ r_i \} \), we use \( \{ 26 \} = \{ 0 \} \), we have \( 0 \leqq r_i < 26 \), and we shift \( r_i \) letters.
The Saint-Cyr cipher is also a true Vigenère cipher and its mechanism need not be described. The Gronsfield ciphers differs only from the Vigenère in that \( r_1 , \dots \), \( r_n \) are given rather than the key word. The so-called true Beaufort is the cipher system determined by \begin{equation} y_i \longmapsto z_i = y_i - b_i \quad (i = 1, \dots , n), \label{eq-45} \end{equation} where \( b_i = \{ r_i \} \), each \( r_i \) lies between 0 and 25, and we shift \( r_i \) letters backward in the alphabet. Mathematically this is identical with the Vigenère but with a different cipher system. The so-called modified Vigenère and Beaufort systems are given by \begin{equation} y_i \longmapsto z_i = -{y_i} + b_1 \quad (i = 1, \dots , n), \label{eq-46} \end{equation} and \begin{equation} y_i \longmapsto z_i = -y_i - b_i \quad (i = 1, \dots , n), \label{eq-47} \end{equation} respectively, and are mathematically identical.
The Porta cipher is fundamentally the Vigenère but with the cipher alphabet given by \begin{align} & \begin{array}{ rrrrr c rrrrr c rrrrr} A & B & C & D & E &\ & F & G & H & I & J &\ & K & L & M & N & O \cr 1 & 2 & 3 & 4 & 5 &\ & 6 & 7 & 8 & 9 & 10 &\ & 11 & 12 & 13 & -1 & -2 \end{array} \notag \\ \notag \\ & \begin{array}{rrrrr c rrrrr c r} P & Q & R & S & T &\ & U & V & W & X & Y &\ & Z \cr -3 & -4 & -5 & -6 & -7 &\ & -8 & -9 & -10 & -11 & -12 &\ & -13 \end{array} \label{eq-48} \end{align}
11. Autoencipherment
A polygram substitution cipher is a cipher system given by the use of a cipher alphabet and non-singular mapping \[ y = \bigl[ y_1, \dots , y_n \bigr] \longmapsto T(y) = \bigl[z_1 , \dots, z_n \bigr] ,\] where each \( z_j \) is a function of all the \( y_i \) rather than a single \( y_i \). A special case of such a system is that given by \begin{equation} z_i = y_i + b_i \quad (i = 1, \dots , s), \label{eq-49} \end{equation} and by \begin{equation} z_i = y_i + y_{i-s} \quad (i = s+1, \dots , n), \label{eq-50} \end{equation} for some fixed \( s < n \). Thus it results from a shift of \( r_i \) units for the first \( s \) letters and is a Vigenère for this part, and by a shift dependent on the message itself for the remaining letters in each group of \( n \) letters.
12. The cipher systems of Hill
Let us suppose that a cipher alphabet involving a finite ring \( \mathcal{A} \) has been prescribed and thus that we may replace any sequence of \( n \) symbols of a message by a sequence \begin{equation} y = \bigl[ y_1, \dots , y_n \bigr] \label{eq-51} \end{equation} of quantities of \( y_i \) of the ring \( \mathcal{A} \). We assume that \( n^2 \) quantities \( a_{ij} \) in \( \mathcal{A} \) are given as well as \( n \) other quantities \( g_1, \dots \), \( g_n \) in \( \mathcal{A} \) and let \( z_j \) be given by \begin{equation} z_j = y_1 a_{1j} + y_2 a_{2j} + \cdots + y_n a_{nj} + g_j \label{eq-52} \end{equation} for \( j = 1, \dots \), \( m \). Then the mapping defined by \begin{equation} y \longmapsto z = \bigl[ z_1, \dots , z_m \bigr] \label{eq-53} \end{equation} is a non-singular mapping if the quantities \( a_{ij} \) are such that it is possible to solve for the \( y_i \) uniquely in terms of the \( z_j \). This occurs if \( m = n \) and there exist quantities \( b_{ji} \) in \( \mathcal{A} \) such that \begin{equation} y_i = z_1 b_{1 i} + \cdots + z_n b_{n i} + h_i \quad (i = 1, \dots , n), \label{eq-54} \end{equation} where \begin{equation} h_i = -( g_1 b_{1 i} + \cdots + g_n b_{n i} ) \quad (i = 1, \dots , n). \label{eq-55} \end{equation}
If \( \mathcal{A} \) is any commutative ring with a unity quantity 1 the elementary theory of systems of linear equations and determinants is applicable. Its results imply that the mapping \eqref{eq-53} is non-singular if and only if the determinant \begin{equation} d = \begin{vmatrix}\mkern5mu a_{11} & a_{12} & \cdots & a_{1 n} \cr a_{21} & a_{22} & \cdots & a_{2 n} \cr \vdots & \vdots & \cdots & \vdots \cr a_{n 1} & a_{n 2} & \cdots & a_{nn} \mkern5mu \end{vmatrix} \label{eq-56} \end{equation} has an inverse \( d^{-1} \) in \( \mathcal{A} \) such that \( d d^{-1} = 1 \). Then it is possible to give explicit formulas for the \( b_{ji} \) in terms of \( d^{-1} \) and the \( n - 1 \) rowed minors of the array of which \( d \) is the determinant. In particular, if \( \mathcal{A} \) is a field, the mapping \eqref{eq-53} is a non-singular if and only if \( d \ne 0 \). Also \eqref{eq-53} is non-singular when \( \mathcal{A} \) is the residue-class ring modulo \( m \) if and only if the residue class \( d = \{ r \} \) for a representative integer \( r \) prime to \( m \).
It must be evident by now that the common substitution ciphers of Sections 10 and 11 are all special cases of the systems given by the use of \eqref{eq-53}, \eqref{eq-52}. The general transposition cipher alphabet is also such a special case, for we use a cipher alphabet with \( \mathcal{A} = \mathcal{A}_{26} \) and thus replace each sequence \( x = [x_1, \dots \), \( x_n] \) of \( n \) letters by a sequence \( y = [ y_1, \dots \), \( y_n ] \) of \( n \) residue classes. We use a permutation \( P \) replacing \( x \) by \( [x_{i_1}, \dots \), \( x_{i_n} ] \) and have our result if we can use \eqref{eq-52} to obtain \( z= [y_{i_1}, \dots \), \( y_{i_n} ] \). This may be accomplished when we take the \( g_i \) all zero, the \( a_{i_j} = \{ 0 \} \) for all values of \( i \) and \( j \) except those where \( i = i_j \) in which case \( a_{i_j} = \{ 1 \} \).
13. The Hill systems in matrix form
A rectangular array \begin{equation} A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1t} \cr a_{21} & a_{22} & \cdots & a_{2t} \cr \vdots & \vdots & \ddots & \vdots \cr a_{s 1} & a_{s 2} & \cdots & a_{st} \end{pmatrix} \label{eq-57} \end{equation} is called an \( s \) by \( t \) matrix. It has \( s \) rows and \( t \) columns of elements in a ring \( \mathcal{A} \) and the element \( a_{ij} \) is that element in its \( i \)-th row and \( j \)-th column. Then we may replace \eqref{eq-57} by the abbreviated notation \begin{equation} A = (a_{ij}) \quad (i = 1, \dots, s; j = 1, \dots, t). \label{eq-58} \end{equation}
For every two \( s \) by \( t \) matrices \( A \) and \begin{equation} B = (b_{ij}) \quad (i = 1, \dots, s; j = 1, \dots, t), \label{eq-59} \end{equation} we define \begin{equation} A + B = (c_{ij}), \quad c_{ij} = a_{ij} + b_{ij} \quad (i = 1, \dots, s; j = 1, \dots, t). \label{eq-60} \end{equation} Similarly \( A - B \) is defined so as to have \( a_{ij} - b_{ij} \) in the \( i \)-th row and \( j \)-th column.
We now let \begin{equation} Y = (y_{k i} ) \quad (k = 1, \dots, r; \,i = 1, \dots, s) \label{eq-61} \end{equation} be any \( r \) by \( s \) matrix. Then we define the product \begin{equation} W = Y \!A = (w_{kj}) \quad (k = 1, \dots, r;\, j = 1, \dots, t) \label{eq-62} \end{equation} to be the \( r \) by \( t \) matrix whose element in the \( k \)-th row and \( j \)-th column is given by \begin{equation} w_{kj} = y_{k1} a_{1 j} + y_{k2} a_{2 j} + \cdots + y_{k s} a_{s j}. \label{eq-63} \end{equation}
Equations \eqref{eq-52} may be written by the use of matrices in a very simple form. The sequences \( y \) in \eqref{eq-51} and \( z \) in \eqref{eq-53} are both one by \( n \) matrices and we write \( g = [g_1, \dots \), \( g_m ] \). Let \( A \) be the \( n \) by \( m \) matrix whose element in the \( i \)-th row and \( j \)-th column is the coefficient \( a_{ij} \) in our equations \eqref{eq-52}. Then \eqref{eq-52} becomes \begin{equation} z = y A + g. \label{eq-64} \end{equation} The identity mapping \( y \mapsto z = y \) has the form \eqref{eq-64} for \( g = [0,\dots \), \( 0] \), \( m = n \), and \( A \) the matrix \( I \) whose elements \( a_{ij} \) are all zero, except that the \( a_{ii} \) are all 1. Then \eqref{eq-54} is given by \begin{equation} y = ( z - g) B, \label{eq-65} \end{equation} where \( AB = I, B \) is the matrix inverse of \( A \).
One may now set up what appears to be a generalization of the equations \eqref{eq-52}. We let \[ y = \bigl[ Y_1, \dots, Y_n \bigr] \] for a set of \( q \) by \( s \) matrices \( Y_i \). Let \( A_{11}, \dots \), \( A_{ij}, \dots \), \( A_{nm} \) be a set of \( s \) by \( t \) matrices, \( C_{11}, \dots \), \( C_{ji}, \dots \), \( C_{mn} \) be a set of \( r \) by \( q \) matrices, \( G_1, \dots \), \( G_m \) be a set of \( r \) by \( t \) matrices. Then each \( C_{ji} Y_i A_{ij} \) is an \( r \) by \( t \) matrix and so are the sums \begin{equation} Z_j = C_{j1} Y_1 A_{1 j} + \cdots + C_{jn} Y_n A_{nj} + G_j \quad (j=1,\dots, m). \label{eq-66} \end{equation} Nevertheless the mapping defined by \eqref{eq-66} is only a pseudogeneralization of \eqref{eq-52} for \( y \) may be regarded as being a sequence of \( nqs \) elements in \( \mathcal{A} \), \( z = [z_1, \dots \), \( z_n] \), as being a sequence of \( m r t \) elements in \( \mathcal{A} \), \eqref{eq-66} can always be expressed in the form \eqref{eq-52}.
However, the form \eqref{eq-66} may be more convenient to use than \eqref{eq-52}. For example, a mapping on a sequence \( [y_1, y_2, y_3, y_4] \) involves the use of a four rowed matrix. However we may write this sequence as a matrix \begin{equation} Y = \biggl(\begin{array}{rr} y_1 & y_2 \cr y_3 & y_4 \end{array}\biggr), \label{eq-67} \end{equation} and then use the mappings defined as in \eqref{eq-66} by the equation \begin{equation} Z = CY\!A + G \label{eq-68} \end{equation} for two rowed square matrices \( C \), \( A \), \( G \). The mapping is non-singular if matrices \( B \) and \( D \) exist such that \( A B = D C = I \), \begin{equation} Y = D (Z - G) B. \label{eq-69} \end{equation} It is not as general as the mapping \eqref{eq-52} but may be quite adequate for actual use.
14. Fractional substitutions
We have now seen how to carry a sequence of letters in a message into a corresponding array of what we may call the numbers of a ring and how to carry each such array into another by the use of a system of linear equations returning to a cryptogram consisting of a corresponding sequence of letters. This may be complicated further by the use of non-linear equations and such substitution cipher systems are known.4 Fractional cipher systems do not differ at all from the substitution cipher systems already considered in respect to the nature of the mappings defined by \eqref{eq-52} but do differ in that a somewhat more complicated cipher alphabet is used. We let \( x = [x_1, \dots \), \( x_s] \) be a message of \( s \) letters and replace each letter by a sequence of \( t \) quantities of a ring \( \mathcal{A} \) and thus \( x \) by \( y = [y_1, \dots \), \( y_n] \) for \( n = s t \), the \( y_i \) in \( \mathcal{A} \). Clearly \eqref{eq-52} replaces \( y \) by a sequence \( z \) in which elements arising from parts of sequences corresponding to different letters may be combined. For example we set up the mapping \[ \begin{array}{ccccccc} A & B & C & D & E & F & G \cr (0,0,0) & (1,0,0) & (2,0,0) & (0,1,0) & (1,1,0) & (2,1,0) & (0,2,0) \cr\cr H & I & J & K & L & M & N \cr (1,2,0) & (2,2,0) & (0,0,1) & (1,0,1) & (2,0,1) & (0,1,1) & (1,1,1) \cr\cr O & P & Q & R & S & T & U \cr (2,1,1) & (0,2,1) & (1,2,1) & (2,2,1) & (0,0,2) & (1,0,2) & (2,0,2) \cr\cr V & W & X & Y & Z & . \cr (0,1,2) & (1,1,2) & (2,1,2) & (0,2,2) & (1,2,2) & (2,2,2) \end{array} \] with elements of our triples in the residue class ring modulo \( S \). Then the word FROM becomes the sequence \[ (2,1,0,2,2,1,2,1,1,0,1,1) ,\] which we group into the set of three sequences \( (2,1,0,2) \), \( (2,1,2,1) \), \( (1,0,1,1) \), and enscribe by the use of \eqref{eq-52} for \( n = 4 \) and \[ d = \begin{vmatrix} & 2 & 1 & 0 & 0 & \cr & 1 & 1 & 0 & 0 & \cr & 0 & 1 & 1 & 2 & \cr & 1 & 0 & 0 & 2 & \end{vmatrix}. \] The result is the sequence \[ (1,0,0,1,0,2,2,0,0,2,1,1) ,\] which yields BTCO. Here we have combined the sequence \( (2,1,0) \) arising from F with the first element in the sequence \( (2,2,1) \) arising from R.
15. Involutorial cipher systems
A substitution cipher system defined by a cipher alphabet and a non-singular mapping \( T \) of \eqref{eq-52} is said to be involutorial if \( T^{-1} \) is the same as \( T \). A large class of such transformations may be determined as follows. Let \( A \) be any non-singular \( r \)-rowed square matrix with \( a_{ij} \) in the \( i \)-th row and \( j \)-th column. Assume that \( A \) is symmetric (that is, the \( a_{ij} = a_{ji} \)) or that \( r \) is even and \( A \) is skew (\( a_{ij} = -a_{ji} \)). We carry a message into a cipher alphabet (best taken to be a finite field, say, \( \mathcal{A}_{29} \)) in which the elements \( a_{ij} \) of \( A \) lie, and then break up the message into sets of sequences of \( r \) elements which we use in groups of \( r \) as rows of corresponding matrices \( Y \). Then we form \( A Y^{\prime} A^{-1} \), where the columns of \( Y^{\prime} \) are the rows of \( A \).
16. Special ciphers
Let us use the alphabet given by \( \mathcal{A}_{29} \) in equation \eqref{eq-33}. Consider the message given by \[ \begin{array}{cccccccccccccccc} T & H & E & R & E & - & A & R & E & , & O & F & - & C & O & U \cr -10 & -4 & 3 & -9 & 3 & 0 & 1 & -9 & 3 & 14 & 8 & -3 & 0 & 2 & 8 & 11 \cr\cr R & S & E & , & M & O & R & E &- & E & F & F & E & C & T & I \cr -9 & 10 & 3 & 14 & 7 & 8 & -9 & 3 & 0 & 3 & -3 & -3 & 3 & 2 & -10 & 5 \cr\cr V & E & - & M & E & T & H & O & D & S & . & - \cr -11 & 3 & 0 & 7 & -3 & -10 & -4 & 8 & -2 & 10 & -14 & 0 \end{array} \] and then form the matrices \begin{alignat*}{2} & A_1 = \biggl(\begin{array}{rr} -10 & -4 \cr 3 & -9 \end{array}\biggr), \quad && A_2 = \biggl(\begin{array}{rr} 3 & 0 \cr 1 & -9 \end{array}\biggr),\quad &&A_3 = \biggl(\begin{array}{rr} 3 & 14 \cr 8 & -3 \end{array}\biggr), \cr & A_4 =\biggl(\begin{array}{rr} 0 & 2 \cr 8 & 11 \end{array}\biggr),\quad &&A_5 = \biggl(\begin{array}{rr} -9 & 10 \cr 3 & 14 \end{array}\biggr), \quad && A_6 = \biggl(\begin{array}{rr} 7 & 8 \cr -9 & 3 \end{array}\biggr), \cr &A_7 = \biggl(\begin{array}{rr} 0 & 3 \cr -3 & -3 \end{array}\biggr), \quad && A_8 = \biggl(\begin{array}{rr} 3 & 2 \cr -10 & 5 \end{array}\biggr),\quad &&A_9 = \biggl(\begin{array}{rr} -11 & 3 \cr 0 & 7 \end{array}\biggr), \cr & A_{10} = \biggl(\begin{array}{rr} -3 & -10 \cr -4 & 8 \end{array}\biggr),\quad &&A_{11} = \biggl(\begin{array}{rr} -2 & 10 \cr -14 & 0 \end{array}\biggr). \end{alignat*} Then we compute \( B A_i \), where \[ B = \biggl(\begin{array}{rr} 1 & -1 \cr -1 & 2 \end{array}\biggr), \quad B^{-1} = \biggl(\begin{array}{rr} 2 & 1 \cr 1 & 1 \end{array}\biggr) , \] and the result is enscribed as \begin{align*} & ZIZ.\ \ CQBU\ \ JXYQ\ \ PRZR\ \ XH.Z\ \ IGDE \\ & KLRY\ \ FKOV\ \ HUUM\ \ UVFW\ \ SET. \end{align*} The frequencies in the original message are thereby completely destroyed.
Using the same \( B \) we may also define the \( A_i \) by \begin{alignat*}{2} & A_1 = \biggl(\begin{array}{rr} -10 & -4 \cr -4 & 3 \end{array}\biggr), &\quad & A_2 = \biggl(\begin{array}{rr} -9 & 3 \cr 3 & 0 \end{array}\biggr), \cr &\dots\ , &\quad &A_{15} = \biggl(\begin{array}{rr} -14 & 1 \cr 1 & 3 \end{array}\biggr) \end{alignat*} and then carry our original message of 43 symbols (plus one or two nulls) into one of 60 letters. It might be said that the second \( -4,3 \), etc., in our symmetric matrices \( B_i \) are nulls but they are still really a part of our message.
The two systems above may be combined and thus we write \begin{alignat*}{3} & A_1 = \biggl(\begin{array}{rr} -10 & -4 \cr -4 & 3 \end{array}\biggr), &\quad & A_2 = \biggl(\begin{array}{rr} -9 & 3 \cr 0 & 1 \end{array}\biggr), &\quad & A_4 = \biggl(\begin{array}{rr} -9 & 3 \cr 3 & 14 \end{array}\biggr), \cr &\dots\ , &\quad & A_{12} = \biggl(\begin{array}{rr} -4 & 8 \cr -2 & 10 \end{array}\biggr), &\quad & A_{13} = \biggl(\begin{array}{rr} -14 & 5 \cr 5 & -2 \end{array}\biggr) , \end{alignat*} in which the 5, \( -2 \) are nulls. Then our message is transformed into one of the 52 elements. Yet, each of these systems uses the same matrix for enciphering and could be deciphered by knowing the possibilities with explicit knowledge as to when the encipherer changes from ordinary to symmetric \( A_i \).
There are over 600,000 distinct non-singular two-rowed matrices with elements in \( \mathcal{A}_{29} \), and the particular matrix used as above may be changed at will. For example, in written text it might be agreed that certain four prescribed letters represent the matrix \( A \) used to encipher that paragraph. Or we might write \begin{alignat*}{3} & I = \biggl(\begin{array}{rr} 1 & 0 \cr 0 & 1 \end{array}\biggr), &\quad & A = \biggl(\begin{array}{rr} 3 & 5 \cr -2 & -3 \end{array}\biggr), &\quad & B = \biggl(\begin{array}{rr} 3 & 3 \cr 4 & 5 \end{array}\biggr), \cr && & C = \biggl(\begin{array}{rr} -3 & 7 \cr -1 & 2 \end{array}\biggr), &\quad & D = \biggl(\begin{array}{rr} 1 & 1 \cr 1 & 2 \end{array}\biggr), \end{alignat*} and then use the first four letters of each paragraph to give the matrix used. Thus a paragraph beginning with CIAB would have been enciphered with \[ CAB = \biggl(\begin{array}{rr} -10 & 12 \cr 3 & 1 \end{array}\biggr) . \] However, it might be simpler to prescribe \( A \) and \( B \) as well, as four positions for letters \( d_1\, d_2 \, d_3 \, d_4 \) in a paragraph of a cryptogram, and use the matrix products \[ A \biggl(\begin{array}{rr} d_1 & d_2 \cr d_3 & d_4 \end{array}\biggr) B \] to encipher the paragraph. Of course, other devices than paragraphing to indicate a change in cipher system could be used.
