Hill Cipher: Matrix Encryption & Linear Algebra in Cryptography
Master the Hill cipher with step-by-step matrix encryption examples. Learn 2x2 and 3x3 key matrices, modular inverses, and how to break the Hill cipher.
Introduction
Most classical ciphers operate on letters one at a time. The Caesar cipher shifts each letter independently. The Affine cipher applies a linear formula to each letter individually. Even the Vigenere cipher, which uses a multi-character key, still processes the plaintext one letter at a time -- the key just determines which shift to apply at each position.
The Hill cipher broke this pattern. Invented by the mathematician Lester S. Hill in 1929, it was the first practical cipher to encrypt multiple letters simultaneously as a single algebraic unit. Instead of transforming individual letters with scalar arithmetic, the Hill cipher transforms blocks of letters using matrix multiplication. This was a conceptual leap that introduced linear algebra into the toolkit of cryptography and foreshadowed the block cipher designs that dominate modern encryption.
The Hill cipher is not secure by modern standards -- it is vulnerable to known plaintext attacks and provides no protection against an adversary who can obtain even a small amount of corresponding plaintext and ciphertext. But its mathematical elegance and its role as the ancestor of matrix-based cryptographic techniques make it one of the most instructive classical ciphers to study.
Try our free Hill Cipher tool to encrypt and decrypt messages using matrix keys as you follow along with this guide.
Lester S. Hill and the Origins of Polygraphic Encryption
The Mathematician
Lester Sanders Hill (1891-1961) was an American mathematician who spent most of his career at Hunter College in New York City. Hill's academic interests spanned algebra, number theory, and combinatorics, and he brought a mathematician's perspective to a field that had been dominated by linguists, military officers, and amateur enthusiasts.
In the 1920s, Hill became interested in the problem of constructing ciphers that were resistant to frequency analysis -- the centuries-old technique of analyzing letter frequencies in ciphertext to deduce the underlying plaintext. Hill recognized that frequency analysis works because most ciphers process letters individually, preserving the statistical fingerprint of the source language. His solution was to encrypt letters in groups, so that the frequency of individual letters would be obscured by the interaction between multiple letters within each group.
The 1929 Publication
Hill published his cipher in 1929 in the journal The American Mathematical Monthly under the title "Cryptography in an Algebraic Alphabet." The paper presented a complete encryption system based on matrix multiplication modulo 26, including encryption, decryption, and the mathematical conditions required for the key matrix to be valid.
The paper was notable for its mathematical rigor. Where previous cipher inventors had described their systems in procedural terms ("take the first letter, shift it by..."), Hill presented his cipher as a formal algebraic operation on vectors in the ring Z₂₆. This approach was decades ahead of its time and anticipated the algebraic formalization of cryptography that would not become standard until the latter half of the twentieth century.
Practical Attempts
Hill attempted to commercialize his cipher through a machine implementation. He designed a device that could perform the matrix multiplication mechanically using interconnected gears and wheels. However, the machine was complex, expensive, and error-prone, and it never achieved commercial success. The Hill cipher remained primarily a theoretical curiosity until the advent of computers made matrix arithmetic trivial to perform.
Matrix Multiplication Basics for Cryptography
Before working through Hill cipher examples, a brief review of the matrix arithmetic involved is essential.
Vectors and Matrices
A vector is an ordered list of numbers. In the Hill cipher, a plaintext block of n letters is represented as a column vector of n integers, where each integer is the numerical value of a letter (A=0, B=1, ..., Z=25).
A matrix is a rectangular array of numbers. In the Hill cipher, the encryption key is an n x n square matrix of integers.
Matrix-Vector Multiplication
To multiply an n x n matrix by an n x 1 vector, compute the dot product of each row of the matrix with the vector. For a 2x2 example:
| a b | | x | | ax + by |
| c d | × | y | = | cx + dy |
Each element of the resulting vector is the sum of products of corresponding elements from a matrix row and the vector.
Modular Reduction
In the Hill cipher, all arithmetic is performed modulo 26. After computing each element of the result vector, reduce it modulo 26 to obtain a value between 0 and 25, which maps back to a letter.
Complete 2x2 Encryption Example
Let us encrypt the message "SHORT" using a 2x2 key matrix. With a 2x2 matrix, we process the plaintext two letters at a time.
Step 1: Choose the Key Matrix
Let the key matrix K be:
K = | 3 3 |
| 2 5 |
Before using this matrix, we must verify that it is valid -- more on this in the section on key constraints. For now, we will confirm that det(K) = 3(5) - 3(2) = 15 - 6 = 9, and gcd(9, 26) = 1, so the matrix is invertible mod 26.
Step 2: Convert Plaintext to Numbers
S = 18, H = 7, O = 14, R = 17, T = 19
Since we are using a 2x2 matrix, we group the plaintext into pairs: (S, H), (O, R), (T, ?). The last block is incomplete, so we pad it with a filler letter. Using X (= 23) as padding: (T, X).
Our plaintext vectors are:
P₁ = | 18 | P₂ = | 14 | P₃ = | 19 |
| 7 | | 17 | | 23 |
Step 3: Encrypt Each Block
Block 1: (S, H)
| 3 3 | | 18 | | 3×18 + 3×7 | | 54 + 21 | | 75 |
| 2 5 | × | 7 | = | 2×18 + 5×7 | = | 36 + 35 | = | 71 |
Reduce modulo 26: 75 mod 26 = 23, 71 mod 26 = 19.
Result: 23 = X, 19 = T. First ciphertext pair: XT.
Block 2: (O, R)
| 3 3 | | 14 | | 3×14 + 3×17 | | 42 + 51 | | 93 |
| 2 5 | × | 17 | = | 2×14 + 5×17 | = | 28 + 85 | = | 113 |
Reduce modulo 26: 93 mod 26 = 15, 113 mod 26 = 9.
Result: 15 = P, 9 = J. Second ciphertext pair: PJ.
Block 3: (T, X)
| 3 3 | | 19 | | 3×19 + 3×23 | | 57 + 69 | | 126 |
| 2 5 | × | 23 | = | 2×19 + 5×23 | = | 38 + 115 | = | 153 |
Reduce modulo 26: 126 mod 26 = 22, 153 mod 26 = 23.
Result: 22 = W, 23 = X. Third ciphertext pair: WX.
Final Ciphertext
SHORT encrypts to XTPJWX.
Notice that the two occurrences of the letter T in the plaintext (one in "SHORT" and one in the padding) do not produce the same ciphertext letter. This is the fundamental advantage of polygraphic encryption: the same letter encrypts differently depending on its neighbors.
Complete 3x3 Encryption Example
Larger key matrices provide stronger encryption. Here is an example using a 3x3 matrix.
The Key Matrix
K = | 6 24 1 |
| 13 16 10 |
| 20 17 15 |
The determinant is: 6(16 x 15 - 10 x 17) - 24(13 x 15 - 10 x 20) + 1(13 x 17 - 16 x 20) = 6(240 - 170) - 24(195 - 200) + 1(221 - 320) = 6(70) - 24(-5) + 1(-99) = 420 + 120 - 99 = 441.
441 mod 26 = 441 - 16(26) = 441 - 416 = 25. And gcd(25, 26) = 1, so the matrix is valid.
Encrypting "ACT"
Convert to numbers: A=0, C=2, T=19.
| 6 24 1 | | 0 | | 6×0 + 24×2 + 1×19 | | 0 + 48 + 19 | | 67 |
| 13 16 10 | × | 2 | = | 13×0 + 16×2 + 10×19 | = | 0 + 32 + 190 | = | 222 |
| 20 17 15 | | 19| | 20×0 + 17×2 + 15×19 | = | 0 + 34 + 285 | = | 319 |
Reduce modulo 26: 67 mod 26 = 15, 222 mod 26 = 14, 319 mod 26 = 7.
Result: 15 = P, 14 = O, 7 = H. Ciphertext: POH.
With a 3x3 matrix, each ciphertext letter depends on three plaintext letters, providing even greater diffusion than the 2x2 case.
Finding the Inverse Matrix for Decryption
Decrypting a Hill cipher message requires the inverse of the key matrix, computed in modular arithmetic (mod 26). This is considerably more involved than finding a scalar modular inverse.
The Decryption Formula
Decryption is the reverse of encryption:
P = K⁻¹ × C (mod 26)
Where K⁻¹ is the modular inverse of the key matrix K.
Computing the 2x2 Inverse
For a 2x2 matrix, the inverse formula is:
K = | a b | K⁻¹ = d⁻¹ × | d -b | (mod 26)
| c d | | -c a |
Where d⁻¹ here refers to the modular multiplicative inverse of det(K) mod 26 (not the matrix element d). The steps are:
- Compute the determinant: det(K) = ad - bc
- Reduce the determinant mod 26
- Find the modular multiplicative inverse of the determinant mod 26
- Construct the adjugate matrix (swap diagonal elements, negate off-diagonal elements)
- Multiply the adjugate by the determinant's inverse, reducing all elements mod 26
Worked Example: Inverting Our 2x2 Key
Our key was K = [[3, 3], [2, 5]].
Step 1: det(K) = 3(5) - 3(2) = 15 - 6 = 9.
Step 2: 9 mod 26 = 9.
Step 3: Find 9⁻¹ mod 26. We need x such that 9x ≡ 1 (mod 26). Testing: 9 x 3 = 27 = 1 mod 26. So 9⁻¹ = 3.
Step 4: The adjugate matrix is:
| 5 -3 |
| -2 3 |
Step 5: Multiply each element by 3 (the determinant's inverse) and reduce mod 26:
| 3×5 3×(-3) | | 15 -9 | | 15 17 |
| 3×(-2) 3×3 | = | -6 9 | = | 20 9 |
(Converting negatives: -9 mod 26 = 17, -6 mod 26 = 20.)
The inverse matrix is:
K⁻¹ = | 15 17 |
| 20 9 |
Verification: Decrypting "XT"
Let us verify by decrypting the first ciphertext block "XT" (X=23, T=19):
| 15 17 | | 23 | | 15×23 + 17×19 | | 345 + 323 | | 668 |
| 20 9 | × | 19 | = | 20×23 + 9×19 | = | 460 + 171 | = | 631 |
668 mod 26 = 668 - 25(26) = 668 - 650 = 18 = S. 631 mod 26 = 631 - 24(26) = 631 - 624 = 7 = H.
We get back SH -- the first pair of the original plaintext "SHORT." The decryption works correctly.
Key Constraints: Why the Determinant Must Be Coprime with 26
The Hill cipher only works when the key matrix has a modular inverse, and a matrix has a modular inverse mod 26 if and only if its determinant is coprime with 26.
The Mathematical Reason
A matrix inverse requires dividing by the determinant. In modular arithmetic, "dividing" means multiplying by the modular multiplicative inverse. The modular inverse of an integer d mod 26 exists only when gcd(d, 26) = 1.
Since 26 = 2 x 13, any determinant that is divisible by 2 or 13 has no modular inverse. This means the following determinant values are invalid: 0, 2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, 24 (all even numbers plus 13).
The valid determinant values are: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25 -- exactly the same 12 values that are valid for the multiplicative key in the Affine cipher. This is not a coincidence. Both constraints arise from the same underlying requirement: invertibility in the ring Z₂₆.
What Happens with an Invalid Key
If the determinant is not coprime with 26, the encryption function is not a bijection -- multiple plaintext blocks will map to the same ciphertext block, making decryption impossible. This is the matrix generalization of the same problem that occurs in the Affine cipher when the multiplicative key shares a factor with 26.
Counting Valid 2x2 Keys
How many valid 2x2 key matrices exist for the Hill cipher? Each of the four matrix entries can be any value from 0 to 25 (26 choices each), giving 26⁴ = 456,976 total matrices. Of these, approximately 157,248 have determinants coprime with 26 and are valid Hill cipher keys. This is a vastly larger key space than the Affine cipher's 312 keys or the Caesar cipher's 26 keys.
For 3x3 matrices, the key space grows to approximately 1.6 billion valid keys -- a significant improvement, though still trivial by modern standards.
Breaking the Hill Cipher: Known Plaintext Attack
The Hill cipher's greatest vulnerability is the known plaintext attack. If an attacker knows a sufficient amount of plaintext and its corresponding ciphertext, they can recover the key matrix entirely through linear algebra.
How the Attack Works (2x2 Case)
For a 2x2 Hill cipher, the attacker needs two plaintext-ciphertext block pairs. Suppose the attacker knows:
- Plaintext "TH" encrypts to "LP"
- Plaintext "EX" encrypts to "FQ"
Converting to numbers: T=19, H=7 encrypts to L=11, P=15. E=4, X=23 encrypts to F=5, Q=16.
The encryption equations are:
K × | 19 | = | 11 | (mod 26)
| 7 | | 15 |
K × | 4 | = | 5 | (mod 26)
| 23 | | 16 |
Combining into matrix form:
K × | 19 4 | = | 11 5 | (mod 26)
| 7 23 | | 15 16 |
Let P = [[19, 4], [7, 23]] and C = [[11, 5], [15, 16]].
Then K = C x P⁻¹ (mod 26).
Compute P⁻¹: det(P) = 19(23) - 4(7) = 437 - 28 = 409. 409 mod 26 = 409 - 15(26) = 409 - 390 = 19. And 19⁻¹ mod 26 = 11 (since 19 x 11 = 209 = 8 x 26 + 1).
The adjugate of P is [[23, -4], [-7, 19]], which modulo 26 is [[23, 22], [19, 19]].
P⁻¹ = 11 x [[23, 22], [19, 19]] mod 26 = [[253, 242], [209, 209]] mod 26 = [[19, 8], [1, 1]].
Finally: K = C x P⁻¹ = [[11, 5], [15, 16]] x [[19, 8], [1, 1]] mod 26.
K = | 11×19 + 5×1 11×8 + 5×1 | mod 26
| 15×19 + 16×1 15×8 + 16×1 |
= | 209 + 5 88 + 5 | mod 26
| 285 + 16 120 + 16|
= | 214 93 | mod 26
| 301 136 |
= | 6 15 |
| 15 6 |
The attacker has recovered the complete key matrix from just four known plaintext letters.
Implications for Security
This attack is devastating. In practice, an attacker often knows or can guess portions of a message -- greetings, signatures, dates, common phrases. Even two known words can provide enough plaintext-ciphertext pairs to break a 2x2 Hill cipher. For a 3x3 cipher, three blocks (nine letters) of known plaintext suffice. For an n x n cipher, n blocks (n² letters) are needed.
This vulnerability is fundamental to linear ciphers. The Playfair cipher, which also encrypts digraphs (letter pairs), avoids this specific attack through its non-linear substitution rules, though it has its own weaknesses.
Strengths and Weaknesses
Strengths
Resistance to single-letter frequency analysis. Because the Hill cipher encrypts blocks of letters together, the frequency distribution of individual ciphertext letters does not directly correspond to the frequency distribution of plaintext letters. In a 2x2 Hill cipher, each ciphertext letter depends on two plaintext letters, obscuring the individual letter frequencies. In a 3x3 cipher, the obscuring effect is even stronger.
Large key space. The number of valid key matrices grows rapidly with the matrix size. A 2x2 Hill cipher has over 157,000 valid keys, and a 3x3 cipher has over 1.6 billion. While these numbers are small by modern standards, they represented a significant advance over earlier classical ciphers.
Mathematical elegance. The Hill cipher's algebraic structure makes it amenable to formal analysis and connects naturally to modern mathematical cryptography. It serves as an excellent pedagogical bridge between classical ciphers and modern block ciphers.
Weaknesses
Vulnerable to known plaintext attacks. As demonstrated above, a small amount of known plaintext completely breaks the cipher. This is the Hill cipher's fatal weakness.
Linearity. The encryption function is a linear transformation, meaning it preserves additive relationships. If P₁ + P₂ = P₃ (mod 26) for plaintext vectors, then C₁ + C₂ = C₃ (mod 26) for the corresponding ciphertext vectors. This linearity leaks structural information that a sophisticated attacker can exploit.
Block structure vulnerabilities. Identical plaintext blocks encrypt to identical ciphertext blocks (the same weakness as Electronic Codebook mode in modern block ciphers). This allows an attacker to detect repeated patterns in the plaintext.
No diffusion across blocks. Each block is encrypted independently, so changing one letter in a block affects only that block's ciphertext. Modern block ciphers use chaining modes (CBC, CTR, etc.) to create dependencies between blocks and prevent this kind of pattern leakage.
The Hill Cipher in Modern Context
Connection to Modern Block Ciphers
The Hill cipher anticipated several ideas that are central to modern block cipher design:
Block encryption. The Hill cipher was the first practical cipher to encrypt fixed-size blocks of plaintext as single units. Every modern block cipher (AES, DES, Blowfish, etc.) operates on blocks, though they use far more complex transformations.
Key-dependent linear transformations. The MixColumns step in AES, which multiplies each column of the state matrix by a fixed matrix in GF(2⁸), is directly analogous to Hill cipher encryption. The difference is that AES combines this linear step with non-linear substitution (the SubBytes step), key mixing (AddRoundKey), and permutation (ShiftRows) across multiple rounds.
Invertibility requirements. Just as the Hill cipher requires an invertible key matrix, AES requires each of its component operations to be invertible so that decryption is possible. The mathematical constraints are different in detail but identical in principle.
Comparison with the Affine Cipher
The Affine cipher can be viewed as a special case of the 1x1 Hill cipher. The Affine formula E(x) = (ax + b) mod 26 is equivalent to multiplying a 1x1 "matrix" [a] by a 1x1 "vector" [x] and adding a 1x1 "vector" [b]. The Hill cipher generalizes this to higher dimensions, but both ciphers share the same mathematical foundation in linear algebra over Z₂₆.
Comparison with the Playfair Cipher
The Playfair cipher also encrypts digraphs (pairs of letters), but it uses a fundamentally different approach. Where the Hill cipher applies a linear matrix transformation, the Playfair cipher uses a geometric lookup in a keyed 5x5 grid with position-dependent rules (same row, same column, rectangle). The Playfair cipher's non-linear substitution makes it resistant to the known plaintext attack that breaks the Hill cipher, but it has a much smaller effective key space and is vulnerable to other forms of analysis.
The Polybius cipher provides another point of comparison: it converts letters to coordinate pairs in a 5x5 grid, but performs no further transformation. The Hill cipher's matrix multiplication can be thought of as a much more thorough scrambling of letter values than the Polybius cipher's simple coordinate representation.
Frequently Asked Questions
What size key matrix should I use for the Hill cipher?
For educational purposes, 2x2 matrices are ideal because the arithmetic is manageable by hand. For somewhat stronger encryption, 3x3 matrices provide better diffusion and a larger key space. In practice, even large Hill cipher matrices do not provide real security due to the known plaintext vulnerability, so the choice is primarily pedagogical.
Can the Hill cipher be broken without any known plaintext?
Yes, but it is more difficult. A ciphertext-only attack on the Hill cipher typically uses digraph or trigraph frequency analysis (analyzing the frequency of letter pairs or triples rather than individual letters) combined with hill-climbing or genetic algorithm optimization. For short ciphertexts, this can be impractical; for longer texts, the statistical patterns become strong enough to guide automated solvers.
Why does the Hill cipher use modulo 26?
The modulus 26 corresponds to the 26 letters of the English alphabet (A=0 through Z=25). Any arithmetic result is reduced modulo 26 to ensure it maps back to a valid letter. For alphabets of different sizes, a different modulus would be used. Some implementations extend the alphabet to include digits and punctuation, using a larger modulus like 37 or 95.
Can the Hill cipher be combined with other techniques for better security?
Yes. Adding a non-linear substitution step before or after the Hill cipher's matrix multiplication significantly strengthens it by neutralizing the known plaintext attack. This is essentially what AES does: it combines a linear mixing step (analogous to Hill) with non-linear substitution, key addition, and permutation. A Hill cipher followed by a simple substitution is much harder to break than either cipher alone.
Who was Lester Hill?
Lester Sanders Hill (1891-1961) was an American mathematician and professor at Hunter College in New York City. He published the Hill cipher in 1929 in The American Mathematical Monthly and spent several years attempting to build a practical machine implementation. While the cipher was not widely adopted during his lifetime, it became a standard topic in cryptography education and is now recognized as a pioneering application of linear algebra to encryption.