Affine Cipher Mathematics: Complete Guide to Modular Arithmetic & Encryption
Master the mathematics behind the Affine cipher. Learn modular arithmetic, modular inverses, the encryption formula E(x) = (ax + b) mod 26, and how to crack Affine ciphers step by step.
Introduction
The Affine cipher occupies a unique position in the history of cryptography. It sits at the intersection of elementary number theory and practical encryption, making it one of the most instructive classical ciphers to study. While not secure by any modern standard, the Affine cipher encodes within its simple formula a surprising amount of mathematical depth.
At its core, the Affine cipher is a monoalphabetic substitution cipher governed by the formula E(x) = (ax + b) mod 26. This single equation brings together two branches of arithmetic that are foundational to modern cryptographic systems: modular arithmetic and the theory of multiplicative inverses. Understanding how and why this formula works gives you direct insight into the algebraic structures that underpin far more powerful encryption algorithms like RSA and elliptic curve cryptography.
Unlike the Caesar cipher, which merely shifts letters along the alphabet, the Affine cipher applies a linear transformation that both stretches and shifts the alphabet. This non-uniform letter mapping makes frequency analysis harder than with a pure shift cipher, though still far from impossible. The cipher serves as an ideal pedagogical bridge between trivially simple substitution ciphers and the more mathematically demanding ciphers that come later in a cryptography education.
This guide walks through every aspect of the Affine cipher's mathematics: modular arithmetic from first principles, the encryption and decryption formulas with fully worked examples, the constraints that make the cipher function correctly, the theory of modular multiplicative inverses, and the cryptanalytic techniques that break it. By the end, you will have a thorough understanding of not only how the Affine cipher works but why each component of its design is mathematically necessary.
Modular Arithmetic Fundamentals
Modular arithmetic is sometimes called "clock arithmetic" because the most intuitive analogy for it is an ordinary clock face. On a 12-hour clock, if it is 10 o'clock and you add 5 hours, you do not get 15 o'clock; you get 3 o'clock. The numbers wrap around after reaching 12. Mathematically, we write 10 + 5 ≡ 3 (mod 12), meaning the remainder when 15 is divided by 12 is 3.
The Mod Operation
The expression "a mod n" returns the remainder when the integer a is divided by the positive integer n. More formally, for any integer a and positive integer n, there exist unique integers q (the quotient) and r (the remainder) such that:
a = q × n + r, where 0 ≤ r < n
The value r is what "a mod n" returns.
Some examples with mod 26, which is what the Affine cipher uses:
- 0 mod 26 = 0 (because 0 = 0 × 26 + 0)
- 25 mod 26 = 25 (because 25 = 0 × 26 + 25)
- 26 mod 26 = 0 (because 26 = 1 × 26 + 0)
- 27 mod 26 = 1 (because 27 = 1 × 26 + 1)
- 52 mod 26 = 0 (because 52 = 2 × 26 + 0)
- 53 mod 26 = 1 (because 53 = 2 × 26 + 1)
- 105 mod 26 = 1 (because 105 = 4 × 26 + 1, since 4 × 26 = 104)
The reason mod 26 is relevant to letter ciphers is that the English alphabet has 26 letters. By mapping A=0, B=1, C=2, ..., Z=25 and applying mod 26 to any arithmetic result, we guarantee the output is always a valid letter index between 0 and 25. No matter how large the intermediate calculation grows, the mod operation brings it back into the alphabet range.
Properties of Modular Arithmetic
Modular arithmetic preserves the standard algebraic properties of addition and multiplication:
Closure: The result of any addition or multiplication followed by mod n is always an integer in the range [0, n-1].
Commutativity: (a + b) mod n = (b + a) mod n, and (a × b) mod n = (b × a) mod n.
Associativity: ((a + b) + c) mod n = (a + (b + c)) mod n.
Distributivity: (a × (b + c)) mod n = ((a × b) + (a × c)) mod n.
One property that behaves differently in modular arithmetic compared to ordinary arithmetic is division. In ordinary arithmetic, every non-zero number has a multiplicative inverse (for example, the inverse of 5 is 1/5). In modular arithmetic, a multiplicative inverse does not always exist. This restriction is central to understanding why the Affine cipher imposes constraints on its keys.
The Affine Cipher Formula
The Affine cipher encrypts each letter using the formula:
E(x) = (ax + b) mod 26
Where:
- x is the numerical position of the plaintext letter (A=0, B=1, C=2, ..., Z=25)
- a is the multiplicative key
- b is the additive key
- The result is the numerical position of the ciphertext letter
Step-by-Step: Encrypting "HELLO" with a=5, b=8
Let us work through encrypting the word HELLO using the keys a=5 and b=8.
First, convert each letter to its numerical value:
- H = 7
- E = 4
- L = 11
- L = 11
- O = 14
Now apply E(x) = (5x + 8) mod 26 to each value:
H (7): E(7) = (5 × 7 + 8) mod 26 = (35 + 8) mod 26 = 43 mod 26 = 17 → R
E (4): E(4) = (5 × 4 + 8) mod 26 = (20 + 8) mod 26 = 28 mod 26 = 2 → C
L (11): E(11) = (5 × 11 + 8) mod 26 = (55 + 8) mod 26 = 63 mod 26 = 11 → L
L (11): E(11) = 11 → L (same as above)
O (14): E(14) = (5 × 14 + 8) mod 26 = (70 + 8) mod 26 = 78 mod 26 = 0 → A
The ciphertext is RCLLA.
Notice that the letter L encrypts to itself (L → L). This is not a flaw in this particular example — it happens because with a=5 and b=8, the number 11 satisfies (5 × 11 + 8) mod 26 = 11. In any monoalphabetic cipher, it is possible for some letters to map to themselves; the key requirement is that the mapping is a bijection (one-to-one and onto).
Key Constraints: Why a Must Be Coprime with 26
The Affine cipher does not work with just any value of a. The multiplicative key a must be coprime with 26, meaning the greatest common divisor of a and 26 must equal 1: gcd(a, 26) = 1.
What "Coprime" Means
Two integers are coprime (also called "relatively prime") if they share no common factor other than 1. The number 26 factors as 2 × 13. Therefore, any number that is divisible by 2 or by 13 shares a factor with 26 and is not coprime with it.
The integers from 1 to 25 that are coprime with 26 are: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
That gives exactly 12 valid values for a. (This count is given by Euler's totient function φ(26) = φ(2) × φ(13) = 1 × 12 = 12.)
Why Non-Coprime Values Break the Cipher
To understand why a must be coprime with 26, consider what happens when it is not. Take a=2 (which is not coprime with 26 because gcd(2, 26) = 2).
Apply E(x) = (2x + 0) mod 26 to every letter:
- A (0): (2 × 0) mod 26 = 0 → A
- B (1): (2 × 1) mod 26 = 2 → C
- C (2): (2 × 2) mod 26 = 4 → E
- ...
- M (12): (2 × 12) mod 26 = 24 → Y
- N (13): (2 × 13) mod 26 = 26 mod 26 = 0 → A
Both A and N encrypt to A. The mapping is not one-to-one. When two different plaintext letters produce the same ciphertext letter, there is no way to reverse the process — decryption becomes impossible because you cannot determine which original letter was intended.
The coprimality requirement ensures that the encryption function is a bijection on the set {0, 1, ..., 25}, guaranteeing that every ciphertext letter maps back to exactly one plaintext letter.
Complete Table of Valid a Values
| a value | gcd(a, 26) | Valid? |
|---|---|---|
| 1 | 1 | Yes |
| 2 | 2 | No |
| 3 | 1 | Yes |
| 4 | 2 | No |
| 5 | 1 | Yes |
| 6 | 2 | No |
| 7 | 1 | Yes |
| 8 | 2 | No |
| 9 | 1 | Yes |
| 10 | 2 | No |
| 11 | 1 | Yes |
| 12 | 2 | No |
| 13 | 13 | No |
| 14 | 2 | No |
| 15 | 1 | Yes |
| 16 | 2 | No |
| 17 | 1 | Yes |
| 18 | 2 | No |
| 19 | 1 | Yes |
| 20 | 2 | No |
| 21 | 1 | Yes |
| 22 | 2 | No |
| 23 | 1 | Yes |
| 24 | 2 | No |
| 25 | 1 | Yes |
Modular Multiplicative Inverse
The modular multiplicative inverse of a (mod 26) is the integer a⁻¹ such that:
(a × a⁻¹) mod 26 = 1
This is the modular counterpart of the ordinary multiplicative inverse. Just as 5 × (1/5) = 1 in ordinary arithmetic, we need a × a⁻¹ ≡ 1 (mod 26) in modular arithmetic.
Why It Is Necessary for Decryption
Decryption requires "undoing" the multiplication step of the encryption. In ordinary algebra, if you encrypt with y = ax + b, you decrypt by solving for x: x = (y - b) / a. Division by a is equivalent to multiplying by a's inverse.
In modular arithmetic, we cannot divide directly. Instead, we multiply by the modular inverse. The decryption formula is:
D(y) = a⁻¹(y - b) mod 26
The modular inverse a⁻¹ exists if and only if gcd(a, 26) = 1. This is exactly the coprimality requirement — the two constraints are the same requirement from two different angles.
Finding the Modular Inverse Using the Extended Euclidean Algorithm
The extended Euclidean algorithm finds integers s and t such that:
a × s + 26 × t = gcd(a, 26) = 1
When gcd(a, 26) = 1, the value s (taken mod 26 if needed to make it positive) is the modular inverse of a.
Example: Find the inverse of 5 mod 26.
Apply the Euclidean algorithm to 26 and 5:
- 26 = 5 × 5 + 1
Reading off the coefficients: 1 = 26 - 5 × 5.
So 5 × (-5) + 26 × 1 = 1, which means s = -5.
Converting to a positive value mod 26: -5 mod 26 = 21.
Verification: (5 × 21) mod 26 = 105 mod 26 = 1. Correct.
Complete Reference Table: All Modular Inverses for Mod 26
| a | a⁻¹ mod 26 | Verification: (a × a⁻¹) mod 26 |
|---|---|---|
| 1 | 1 | (1 × 1) mod 26 = 1 |
| 3 | 9 | (3 × 9) mod 26 = 27 mod 26 = 1 |
| 5 | 21 | (5 × 21) mod 26 = 105 mod 26 = 1 |
| 7 | 15 | (7 × 15) mod 26 = 105 mod 26 = 1 |
| 9 | 3 | (9 × 3) mod 26 = 27 mod 26 = 1 |
| 11 | 19 | (11 × 19) mod 26 = 209 mod 26 = 1 |
| 15 | 7 | (15 × 7) mod 26 = 105 mod 26 = 1 |
| 17 | 23 | (17 × 23) mod 26 = 391 mod 26 = 1 |
| 19 | 11 | (19 × 11) mod 26 = 209 mod 26 = 1 |
| 21 | 5 | (21 × 5) mod 26 = 105 mod 26 = 1 |
| 23 | 17 | (23 × 17) mod 26 = 391 mod 26 = 1 |
| 25 | 25 | (25 × 25) mod 26 = 625 mod 26 = 1 |
Note that some pairs are mutual inverses of each other: 3 and 9, 5 and 21, 7 and 15, 11 and 19, 17 and 23. The values 1 and 25 are their own inverses (1 × 1 = 1, and 25 × 25 = 625 = 24 × 26 + 1).
The Decryption Formula
With the modular inverse defined, the full decryption formula is:
D(y) = a⁻¹(y - b) mod 26
Where y is the numerical value of the ciphertext letter, b is the additive key, and a⁻¹ is the modular inverse of the multiplicative key a.
When computing (y - b), the result may be negative. To handle this correctly in modular arithmetic, add 26 to any negative result before applying the inverse multiplication. In code, where the remainder operator of some languages returns a negative value for a negative operand, compute ((y - b) mod 26 + 26) mod 26 to ensure a non-negative value.
Step-by-Step: Decrypting "RCLLA" with a=5, b=8
We encrypted HELLO to RCLLA earlier. Now let us reverse the process. With a=5, the modular inverse is a⁻¹ = 21. The decryption formula is D(y) = 21(y - 8) mod 26.
R (17): D(17) = 21 × (17 - 8) mod 26 = 21 × 9 mod 26 = 189 mod 26
189 ÷ 26 = 7 remainder 7, so 189 mod 26 = 7 → H
C (2): D(2) = 21 × (2 - 8) mod 26 = 21 × (-6) mod 26 = -126 mod 26
-126 + 5 × 26 = -126 + 130 = 4, so -126 mod 26 = 4 → E
L (11): D(11) = 21 × (11 - 8) mod 26 = 21 × 3 mod 26 = 63 mod 26
63 = 2 × 26 + 11, so 63 mod 26 = 11 → L
L (11): Same as above → L
A (0): D(0) = 21 × (0 - 8) mod 26 = 21 × (-8) mod 26 = -168 mod 26
-168 + 7 × 26 = -168 + 182 = 14, so -168 mod 26 = 14 → O
The decrypted text is HELLO. The round-trip encryption and decryption works correctly.
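The formulas, the coprimality check and the extended Euclidean algorithm from the sections above, combined into one added Python example (not code from the original page). The function names are chosen for this illustration, and passing non-letters through unchanged and preserving case are assumptions of the example.

```python
from math import gcd

M = 26  # alphabet size used by the article

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(a, m=M):
    """Inverse of a mod m; raises ValueError when gcd(a, m) != 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"a={a} has no inverse mod {m} (gcd is {g})")
    return s % m  # s = -5 for a = 5 becomes 21

def _map_letters(text, f):
    """Apply f to the 0..25 index of each ASCII letter; keep case, pass the rest through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(f(ord(ch) - base) + base))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(text, a, b):
    mod_inverse(a)  # reject keys whose mapping could not be reversed
    return _map_letters(text, lambda x: (a * x + b) % M)

def decrypt(text, a, b):
    a_inv = mod_inverse(a)
    # Python's % already returns 0..25 when (y - b) is negative; in C, Java or
    # JavaScript use ((v % 26) + 26) % 26 instead.
    return _map_letters(text, lambda y: (a_inv * (y - b)) % M)

def collisions(a, b=0):
    """Ciphertext letters that are reached from more than one plaintext letter."""
    hits = {}
    for x in range(M):
        hits.setdefault(chr((a * x + b) % M + 65), []).append(chr(x + 65))
    return {c: "".join(ps) for c, ps in hits.items() if len(ps) > 1}

if __name__ == "__main__":
    print(encrypt("HELLO", 5, 8), decrypt("RCLLA", 5, 8))
    print({a: mod_inverse(a) for a in range(1, M) if gcd(a, M) == 1})
    print(collisions(2))  # with a=2 every ciphertext letter has two preimages
```

With a=2 the `collisions` helper reports the A/N clash described earlier, and `encrypt` refuses the key before any text is processed.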
The 312 Key Combinations
The total number of valid key combinations in the Affine cipher is:
12 valid values of a × 26 valid values of b = 312 key combinations
What This Means for Security
To put 312 keys in perspective:
- Caesar cipher: 26 keys (only the additive shift b, with a fixed at 1)
- Affine cipher: 312 keys (12 choices for a, 26 choices for b)
- Simple substitution cipher: 26! ≈ 4 × 10^26 possible permutations
- Vigenère cipher (length-n key): 26^n keys
- AES-128: 2^128 ≈ 3.4 × 10^38 keys
A modern computer can test all 312 Affine cipher keys in well under one millisecond. This means the cipher offers essentially no security against automated attacks. The comparison with AES-128 illustrates just how vast the gap is between classical and modern encryption: AES has approximately 10^36 times more keys than the Affine cipher.
The Affine cipher does represent a genuine improvement over the Caesar cipher — it has 12 times more keys and its letter mapping is non-uniform, making pure frequency analysis slightly less straightforward. But neither of these improvements comes close to making it cryptographically secure.
Breaking the Affine Cipher
Despite its mathematical elegance, the Affine cipher is easy to break using several techniques.
Method 1: Brute Force
Since there are only 312 key combinations, the most direct attack is to simply try all of them. For each of the 12 valid values of a and each of the 26 values of b, apply the decryption formula to the ciphertext and examine the result. Score each candidate plaintext using English letter frequency analysis and rank the results. The correct decryption will score near the top.
This approach requires no knowledge of the plaintext and can be implemented in a few lines of code. On any modern device, the entire process completes in milliseconds.
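The search described above, as an added Python example (not code from the original page): it decrypts with all 312 keys and ranks the candidates by a chi-squared distance to English letter frequencies. The frequency table holds approximate reference values and the sample plaintext is constructed for this example; both are assumptions.

```python
from math import gcd

# Approximate English letter frequencies in percent for A..Z (reference values
# assumed for this example; the article quotes E, T, A, O and I).
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
           4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
           2.36, 0.15, 1.97, 0.07]
VALID_A = [a for a in range(1, 26) if gcd(a, 26) == 1]  # the 12 usable values

def affine_encrypt(pt, a, b):
    return "".join(chr((a * (ord(c) - 65) + b) % 26 + 65) if "A" <= c <= "Z" else c
                   for c in pt.upper())

def affine_decrypt(ct, a, b):
    a_inv = pow(a, -1, 26)  # modular inverse, Python 3.8+
    return "".join(chr(a_inv * (ord(c) - 65 - b) % 26 + 65) if "A" <= c <= "Z" else c
                   for c in ct.upper())

def chi_squared(text):
    """Distance between the letter counts of text and English; lower is better."""
    letters = [c for c in text if "A" <= c <= "Z"]
    if not letters:
        return float("inf")
    score = 0.0
    for i, pct in enumerate(ENGLISH):
        expected = len(letters) * pct / 100
        score += (letters.count(chr(65 + i)) - expected) ** 2 / expected
    return score

def brute_force(ct, top=3):
    """Try all 312 keys; return the `top` best (score, a, b, plaintext) tuples."""
    ranked = []
    for a in VALID_A:
        for b in range(26):
            pt = affine_decrypt(ct, a, b)
            ranked.append((chi_squared(pt), a, b, pt))
    return sorted(ranked)[:top]

# Constructed sample: plaintext invented for this example, encrypted with the
# article's key a=5, b=8.
SAMPLE_PLAINTEXT = ("EVERY LETTER OF THE MESSAGE IS REPLACED BY ONE OTHER LETTER "
                    "SO THE MOST COMMON LETTERS OF ENGLISH STILL STAND OUT IN THE "
                    "OUTPUT AND A SIMPLE COUNT IS ENOUGH TO RANK ALL OF THE "
                    "CANDIDATE KEYS")
SAMPLE_CIPHERTEXT = affine_encrypt(SAMPLE_PLAINTEXT, 5, 8)

if __name__ == "__main__":
    for score, a, b, pt in brute_force(SAMPLE_CIPHERTEXT):
        print(f"{score:8.1f}  a={a:2d} b={b:2d}  {pt[:40]}")
```

A five-letter ciphertext such as RCLLA gives the scorer too few letters to rank reliably, so for short inputs review several of the top candidates rather than only the first.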
Method 2: Frequency Analysis
The Affine cipher is a monoalphabetic substitution cipher, meaning each plaintext letter always maps to the same ciphertext letter. This property makes it vulnerable to frequency analysis.
In English text, certain letters appear far more frequently than others. The most common letter is E (approximately 12.7% of letters), followed by T (9.1%), A (8.2%), O (7.5%), and I (7.0%). The least common letters are Z, Q, X, and J.
To attack the Affine cipher with frequency analysis, count the frequency of each letter in the ciphertext. The most frequent ciphertext letter is likely to be the encryption of E. The second most frequent is likely T. With two known plaintext-ciphertext pairs, you can solve algebraically for both keys a and b (see Method 3 below).
Method 3: Known Plaintext Attack
If you know two plaintext-ciphertext letter pairs (x₁, y₁) and (x₂, y₂), you can write two simultaneous equations:
- y₁ ≡ ax₁ + b (mod 26)
- y₂ ≡ ax₂ + b (mod 26)
Subtracting the second equation from the first:
y₁ - y₂ ≡ a(x₁ - x₂) (mod 26)
From this, solve for a by multiplying both sides by the modular inverse of (x₁ - x₂), provided gcd(x₁ - x₂, 26) = 1. Once a is known, substitute back to find b.
Worked example: Suppose you know that plaintext E (x=4) maps to ciphertext L (y=11) and plaintext T (x=19) maps to ciphertext H (y=7).
From the two equations:
- 11 ≡ 4a + b (mod 26)
- 7 ≡ 19a + b (mod 26)
Subtracting: 11 - 7 ≡ 4a - 19a (mod 26), so 4 ≡ -15a (mod 26), or equivalently 4 ≡ 11a (mod 26).
Since gcd(11, 26) = 1, the inverse of 11 mod 26 exists and equals 19. Multiply both sides by it: a ≡ 19 × 4 (mod 26). Here 19 × 4 = 76, and 76 mod 26 = 76 - 2 × 26 = 24.
Check: 24 is not a valid value of a, because gcd(24, 26) = 2. This means either the assumed plaintext-ciphertext pairs are incorrect, or the cipher is not an Affine cipher. This illustrates how a known plaintext attack both recovers keys and validates assumptions about the cipher structure.
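The key recovery from Method 3, as an added Python example (not code from the original page). It goes beyond the worked example by also handling pairs where gcd(x₁ - x₂, 26) ≠ 1, in which case the congruence has several solutions and each is checked for validity. The function names are chosen for this illustration.

```python
from math import gcd

M = 26

def solve_congruence(c, d, m=M):
    """Return every a in 0..m-1 with c*a ≡ d (mod m)."""
    c, d = c % m, d % m
    g = gcd(c, m)              # note gcd(0, m) == m
    if d % g:
        return []              # no solution at all
    step = m // g
    if step == 1:
        return list(range(m))  # c ≡ d ≡ 0: the pair carries no information
    a0 = (d // g) * pow(c // g, -1, step) % step
    return [a0 + k * step for k in range(g)]

def recover_keys(p1, c1, p2, c2):
    """All valid (a, b) consistent with plaintext->ciphertext pairs p1->c1, p2->c2."""
    x1, y1, x2, y2 = (ord(ch.upper()) - 65 for ch in (p1, c1, p2, c2))
    keys = []
    for a in solve_congruence(x1 - x2, y1 - y2):
        if gcd(a, M) == 1:     # discard values that are not usable keys
            keys.append((a, (y1 - a * x1) % M))
    return keys

if __name__ == "__main__":
    print(recover_keys("E", "L", "T", "H"))  # the article's pairs: a=24 is rejected
    print(recover_keys("E", "C", "T", "Z"))  # pairs produced by a=5, b=8
    print(recover_keys("H", "R", "L", "L"))  # x1-x2 even: two solutions, one valid
    print(recover_keys("A", "I", "N", "V"))  # x1-x2 = 13: twelve keys remain
```

An empty result means the guessed pairs are inconsistent with any Affine key; a result with several keys means the two plaintext letters were too closely related to pin down a, and a third pair or a trial decryption is needed.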
Affine Cipher Family
The Affine cipher is not an isolated cipher — it belongs to a family of linear ciphers, and understanding its relationships to other ciphers reveals the mathematical structure underlying classical cryptography.
Caesar Cipher: a = 1
When the multiplicative key is set to a = 1, the Affine formula becomes:
E(x) = (1 × x + b) mod 26 = (x + b) mod 26
This is precisely the Caesar cipher formula. The Caesar cipher is the degenerate case of the Affine cipher where no multiplication occurs. Setting a=1 means every letter shifts by the same constant b, producing a uniform shift across the entire alphabet.
Multiplicative Cipher: b = 0
When the additive key is set to b = 0, the Affine formula becomes:
E(x) = (ax + 0) mod 26 = ax mod 26
This is the multiplicative cipher. It uses only the multiplicative component, producing a non-uniform letter mapping but without any shift. The multiplicative cipher is rarely discussed on its own because it always maps A (x=0) to A (E(0) = 0), which is an obvious weakness.
Hill Cipher: Matrix Generalization
The Hill cipher can be viewed as a generalization of the Affine cipher to multiple letters at once. Instead of encrypting one letter at a time using scalar multiplication, the Hill cipher encrypts blocks of n letters using matrix multiplication:
E(x) = (Ax + b) mod 26
Where A is an n×n invertible matrix and x and b are n-dimensional vectors. The 1×1 case of the Hill cipher with a scalar matrix [a] and vector [b] is exactly the Affine cipher. The key insight is the same: the matrix A must be invertible mod 26, which is the matrix analogue of the coprimality requirement.
Connection to Modern Cryptography
Understanding the Affine cipher's structure prepares you for modern cryptographic concepts in several ways:
The requirement that a be coprime with 26 is an instance of the broader principle that encryption functions must be invertible. In RSA, the public exponent e must be coprime with φ(n) for the same fundamental reason.
The modular inverse calculation using the extended Euclidean algorithm is the same algorithm used in RSA key generation, where the private exponent d is computed as the inverse of the public exponent e modulo φ(n).
The concept of a linear map over a modular ring (which is what the Affine cipher implements on Z₂₆) generalizes directly to the field arithmetic used in AES and other block ciphers.
Frequently Asked Questions
What happens if a is not coprime with 26?
If a is not coprime with 26, the encryption function is not a bijection. Multiple plaintext letters will map to the same ciphertext letter, making it impossible to uniquely reverse the encryption. The cipher becomes non-invertible and therefore unusable. For example, with a=2, both A (0) and N (13) encrypt to A because (2 × 0) mod 26 = 0 and (2 × 13) mod 26 = 0. Any message containing either A or N would be irrecoverably ambiguous after encryption.
Can the Affine cipher encrypt numbers and special characters?
In its standard form, the Affine cipher only encrypts the 26 letters of the English alphabet. Numbers, spaces, punctuation, and other special characters are typically passed through unchanged. Some implementations extend the cipher to larger alphabets (for example, mod 95 for all printable ASCII characters), but the standard definition uses mod 26 and operates only on letters.
What is the strongest Affine cipher key combination?
No Affine cipher key combination provides meaningful security, but from a purely theoretical perspective, keys with a values far from 1 (such as a=7 or a=17) produce alphabets that look more scrambled than keys close to 1. The "strongest" key is subjective in a cipher with only 312 combinations — all are equally trivial to break by brute force.
How does the Affine cipher compare to modern encryption?
The comparison is stark. The Affine cipher has 312 key combinations; AES-128 has 2^128 ≈ 3.4 × 10^38 combinations. Modern ciphers also use multiple rounds of non-linear substitution and permutation that make them resistant to algebraic attacks, frequency analysis, and differential cryptanalysis. The Affine cipher, as a linear monoalphabetic cipher, is vulnerable to all of these attack vectors simultaneously. It should never be used to protect real information.
Can you use the Affine cipher with alphabets other than English?
Yes, with modifications. For an alphabet of size m, the formula becomes E(x) = (ax + b) mod m, where a must be coprime with m. For example, for the 28-letter Arabic alphabet you would use mod 28, and the valid values of a would be those coprime with 28. The modular inverse table changes accordingly. The same mathematical principles apply regardless of the alphabet size; only the specific valid key values change.
Summary
The Affine cipher demonstrates that even a simple linear transformation applied with modular arithmetic requires careful mathematical constraints to function correctly. The requirement that a be coprime with 26, the need for modular multiplicative inverses in decryption, and the structure of the 312-key space are all direct consequences of the underlying number theory.
Studying the Affine cipher gives you hands-on experience with modular arithmetic, the extended Euclidean algorithm, linear equations over modular rings, and cryptanalytic thinking — all concepts that recur in more advanced cryptographic contexts.
For practical use:
- Try our free Affine Cipher Encoder to encrypt and decrypt messages interactively
- Crack ciphertexts with our Affine Decoder to see brute-force analysis in action
- Calculate modular inverses with our Affine Calculator to explore the key mathematics